Run Events as different users

[generalredneck]

Please explain your request and its importance in the form of a user story.

As a developer, I would like to built events that can run as root so that I can alter files in the /etc/ folder.

Please provide some detail on how lando can help solve this problem

Some detail around this. I need to move an ecryption key to /etc/encrypt/encrypt_key.key. I can do this using Tooling but then it's up to me to document that you MUST run that command every time you start a fresh lando environment (eg: after destroy or on first build). I would like to be able to use simular syntax in an event as we can in tooling, specifying the user.

Is your feature request related to a problem? Please describe.

The challenge I see is that Tooling actually supports a couple of different syntaxes that allow either commands on a single container, or multiple containers. One of which you can specify user and the other which you can't.

tooling:
  fire-everything:
    service: node
    description: Runs a seemingly random assortment of commands
    cmd:
      - source ~/.bashrc && npm install "$DEP_SET_BY_ENVVAR_SOURCED_BEFORE"
      - /helpers/my-custom-script.sh --max-power
      - ls -lsa
      - env | grep LANDO_
    user: root

versus

tooling:
  build:
    description: Manually invokes all our build steps
    cmd:
      - appserver: composer install
      - node: yarn install
      - node: yarn sass

I get that the second allows you to run commands against separate containers in order, but lacks options.

Describe the solution you'd like

For the sake of simplicity, I would love to for events to support

events:
  post-start:
    service: appserver
    cmd: "whoami"
    user: root

Describe alternatives you've considered
Later it would be nice if we could do this in both tooling and events as I feel it is more verbose and provides an "interface object" for commands.

events:
  post-start:
    -
      service: appserver
      cmd: 
        -  "whoami"
        - "echo 'second command'
      user: root
    -
      service: database
      cmd: 
        -  "whoami"
        - "echo 'second command'
      user: root
     -
      service: appserver
      cmd: 
        -  "whoami"
        - "echo 'second command'
      user: root
tooling:
  build:
    -
      service: appserver
      cmd: 
        -  "whoami"
        - "echo 'second command'
      user: root
    -
      service: database
      cmd: 
        -  "whoami"
        - "echo 'second command'
      user: root
     -
      service: appserver
      cmd: 
        -  "whoami"
        - "echo 'second command'
      user: root

[pirog]

@generalredneck we try to limit root access to build steps. we dont think its a good idea for event tasks to be able to run as root.

Is it not possible to do what you want by running a build step as the root user?

[generalredneck]

Your right. I'll try a build step. I was ignorant to the existence of build steps in this case. I ran across events and assumed that's how tasks like that were handled. Just in case someone comes across this on Google with the same issue I had. https://docs.devwithlando.io/config/services.html#build-steps

[thursdaybw]

First off, big thanks for all you're doing with Lando. I totally get the idea behind limiting root access to build steps—it's a smart move for most setups.

But here's my jam: I've got an existing post-start event that kicks off a pretty hefty application. This app generates some crucial values that I need to write to /etc/crontab. Problem is, these values aren't around during the build step, so I'm kinda stuck.

Any chance we could get an opt-in flag or something to let us run wild with root during events? I reckon it'd be a game-changer for those of us dealing with more complex setups. And hey, make it opt-in so only the devs who know what they're doing can flip the switch.

Cheers for considering this. Can't wait to hear your thoughts.

[pirog]

@thursdaybw we plan to support this in Lando 4

[thursdaybw]

@pirog thanks for that positive reply.

I kept cracking at it and found I could achieve my goals with out this feature. You see I mention "That I need to write to /etc/crontab". I was not realising that I could instead write the cron entry to a text file and run crontab cron.txt as the www-data user.

[pirog]

@thursdaybw sure thing!