Allow admins to set up checks (e.g. security) when Content is uploaded into Pulp #5788

Open
daviddavis opened this issue Sep 11, 2024 · 3 comments

@daviddavis
Contributor

Is your feature request related to a problem? Please describe.
Currently, when a package is uploaded into our system, we perform a series of checks before passing the package to Pulp. These include things like security/antivirus checks, etc. But we're running into several problems: the uploader has to wait on these checks since we don't process things in the background (we only use Pulp's background tasking system) and web requests can time out. Also, we can't use some of Pulp's features like chunked uploads since we have to see the entire file to run our checks on them.

Describe the solution you'd like
What we'd like is some sort of solution where we could pass the upload to Pulp and Pulp could call our package validation container as part of the package creation task. Ideally, Pulp wouldn't create the package if our checks fail. One option might be to have something similar to Pulp's signing service where we can configure a shell command that Pulp would call and based on the return code, the package creation task would fail.

Describe alternatives you've considered
I was thinking about how we could maybe leverage Kafka in Pulp to support this feature. Maybe we could listen for the package upload and then run our checks. But then we'd need (a) some easy way to download packages from Pulp that haven't been published and (b) some way to mark packages as bad (or delete them immediately). I think ideally though packages wouldn't get created in Pulp if they don't pass our checks.
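
A sketch of the return-code hook requested above, as an added example that is not Pulp code and not part of the original post: the chunks are assembled first so the validator sees the entire file, and any non-zero exit, timeout or launch failure fails the creation task. The names `run_validation`, `create_package`, `ValidationFailed` and `DEMO_VALIDATOR` are hypothetical, and the validator is a constructed stand-in for a real scanner.

```python
import subprocess
import sys
import tempfile
from pathlib import Path

# Constructed stand-in for a real scanner: exits 1 if the file contains BAD-MARKER.
DEMO_VALIDATOR = [sys.executable, "-c",
                  "import sys; d = open(sys.argv[1], 'rb').read(); "
                  "sys.exit(1 if b'BAD-MARKER' in d else 0)"]


class ValidationFailed(Exception):
    """The external check rejected the upload or could not complete."""


def run_validation(command, chunks, timeout=60):
    """Assemble the chunks, run the validator on the whole file, fail closed.

    command is an argv list (hypothetical admin setting); the file path is
    appended as its last argument. Returns the file's bytes only on exit code 0.
    """
    with tempfile.TemporaryDirectory() as workdir:
        path = Path(workdir) / "upload.bin"
        with open(path, "wb") as fh:
            for chunk in chunks:
                fh.write(chunk)
        try:
            # argv list, no shell: the path is never parsed by a shell.
            proc = subprocess.run(command + [str(path)], capture_output=True,
                                  timeout=timeout, check=False)
        except subprocess.TimeoutExpired as exc:
            raise ValidationFailed("validator timed out") from exc
        except OSError as exc:
            raise ValidationFailed(f"validator could not be started: {exc}") from exc
        if proc.returncode != 0:
            detail = proc.stderr.decode(errors="replace").strip()
            raise ValidationFailed(f"validator exit code {proc.returncode}: {detail}")
        return path.read_bytes()


def create_package(chunks, command=DEMO_VALIDATOR, timeout=60):
    """Hypothetical creation task: nothing is kept unless validation passes."""
    try:
        data = run_validation(command, chunks, timeout)
    except ValidationFailed as exc:
        return {"state": "failed", "error": str(exc)}
    return {"state": "completed", "size": len(data)}
```

A marker split across two chunks, such as `[b"xxBAD-", b"MARKERyy"]`, is still rejected because the check runs on the assembled file rather than on each chunk.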

@daviddavis
Contributor Author

It seems like there was a similar request a couple years ago but for syncing: #1957

@mdellweg
Member

[...] But then we'd need (a) some easy way to download packages from Pulp that haven't been published [...]

There is a function to generate a link for use with the artifact distribution. And I think we can attach the resulting preauthenticated URL to any message we send out.

@mdellweg
Member

It's this one

def get_artifact_url(artifact, headers=None, http_method=None):
