Allow admins to set up checks (e.g. security) when Content is uploaded into Pulp #5788
It seems like there was a similar request a couple years ago but for syncing: #1957
There is a function to generate a link for use with the artifact distribution. And I think we can attach the resulting preauthenticated url to any message we send out.
It's this one: Line 402 in a41f396
Is your feature request related to a problem? Please describe.
Currently, when a package is uploaded into our system, we perform a series of checks before passing the package to Pulp. These include things like security/antivirus checks, etc. But we're running into several problems: the uploader has to wait on these checks since we don't process things in the background (we only use Pulp's background tasking system) and web requests can time out. Also, we can't use some of Pulp's features like chunked uploads since we have to see the entire file to run our checks on them.
Describe the solution you'd like
What we'd like is some sort of solution where we could pass the upload to Pulp and Pulp could call our package validation container as part of the package creation task. Ideally, Pulp wouldn't create the package if our checks fail. One option might be to have something similar to Pulp's signing service where we can configure a shell command that Pulp would call and based on the return code, the package creation task would fail.
Describe alternatives you've considered
I was thinking about how we could maybe leverage Kafka in Pulp to support this feature. Maybe we could listen for the package upload and then run our checks. But then we'd need (a) some easy way to download packages from Pulp that haven't been published and (b) some way to mark packages as bad (or delete them immediately). I think ideally though packages wouldn't get created in Pulp if they don't pass our checks.
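A sketch of the return-code-based check proposed in this request, added here as an example; it is not Pulp code, and `run_upload_check`, `create_package_if_clean`, `ValidationRejected` and `DEMO_VALIDATOR` are hypothetical names. It runs the configured command on the fully reassembled upload and fails closed on a non-zero exit, a timeout, or a validator that cannot be started.

```python
import os
import subprocess
import sys
import tempfile

# Constructed stand-in for a real scanner: exits 1 if the file contains b"BAD-MARKER".
DEMO_VALIDATOR = [sys.executable, "-c",
                  "import sys; sys.exit(b'BAD-MARKER' in open(sys.argv[1], 'rb').read())"]


class ValidationRejected(Exception):
    """The uploaded file must not become a package."""


def run_upload_check(command, artifact_path, timeout=60):
    """Run the configured validator (argv list) with the artifact path appended.

    Fails closed: any outcome other than exit code 0 raises ValidationRejected.
    """
    argv = list(command) + [os.path.abspath(artifact_path)]
    try:
        # No shell involved: the path is a single argv entry and is never shell-parsed.
        proc = subprocess.run(argv, capture_output=True, text=True, errors="replace",
                              stdin=subprocess.DEVNULL, timeout=timeout)
    except subprocess.TimeoutExpired:
        raise ValidationRejected(f"validator timed out after {timeout}s")
    except OSError as exc:
        raise ValidationRejected(f"validator could not be started: {exc}")
    if proc.returncode != 0:
        # A negative code means the validator died from a signal; still a rejection.
        detail = (proc.stderr or proc.stdout).strip()[:500]
        raise ValidationRejected(f"validator exit {proc.returncode}: {detail}")
    return True


def create_package_if_clean(command, chunks, timeout=60):
    """Reassemble upload chunks, validate the whole file, then release it for creation."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        for chunk in chunks:
            tmp.write(chunk)
        path = tmp.name
    try:
        run_upload_check(command, path, timeout)
    except ValidationRejected:
        os.unlink(path)  # rejected content is deleted, never handed on
        raise
    return path  # the caller would pass this file to package creation
```

Because the check runs after reassembly, a marker split across two chunks is still seen, which is the reason the request asks for the hook to sit inside the package creation task rather than in front of the upload.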