Story #8088

implementing virus scan on on_demand repository

Added by ByteSore 11 days ago. Updated 7 days ago.

Start date:
Due date:
% Done:


Estimated time:
Platform Release:
Sprint Candidate:


I've setup a on_demand PyPi remote. Business policy here is that all downloaded files should be scanned for virusses. I'd like to use a virus scanner in between the download from PyPi and the publish / stream to the client.

bmbouter pointed out the file is being streamed to the client right away so maybe there can implemented some kind of hook to support scans in between..?

I've attached IRC log for reference.

irclog.txt (2.14 KB) irclog.txt IRC log ByteSore, 01/13/2021 03:34 PM


#1 Updated by bmbouter 11 days ago

Extending the content app to make a call during the workflow could be pretty straight forward. This would cause the entire file to be downloaded before any part of it could be served, is that ok?

So the workflow for the content app would be:

  1. User requests the file to be downloaded from a repo with, e.g. policy="on_demand"
  2. pulpcore-content downloads that file (not streaming any bit to the user yet)
  3. Calls out to the virus scanner knowing the file path
  4. Reads an "ok" to proceed based on the return code maybe?
  5. Serves and saves the file per the on_demand policy.

For steps 3 and 4, I imagined there could be a system-wide config with a script that pulp would call that an admin would configure. The path to the file would be the first positional argument to the script. Then for set 4, the script would return an exit code of 0 would tell pulp to proceed, anything else to not.

@ByteSore what do you think about all this?

#2 Updated by ByteSore 11 days ago

Sounds like a plan.

#3 Updated by fao89 9 days ago

  • Tracker changed from Issue to Story
  • % Done set to 0
  • Severity deleted (2. Medium)
  • OS deleted (RHEL 7)
  • Triaged deleted (No)

#4 Updated by ByteSore 7 days ago

I was thinking..
Since the scanner takes a while to spin up, scan all the files and do it's thing maybe it's a good thing to check if there are multiple files being downloaded. (ie package with all dependencies)
Park them all in a folder or store all the file path's to a textfile which can be used by the scanner.
if you look at clamav, it knows an option to scan files listed in a textfile: --file-list=FILE

Please register to edit this issue

Also available in: Atom PDF