Separate antivirus

Bioconductor · Jan 9, 2025 · 4f91808 · 4f91808
1 parent 3d82e71
commit 4f91808
Show file tree

Hide file tree

Showing 4 changed files with 102 additions and 15 deletions.
diff --git a/.github/workflows/scan_data.yaml b/.github/workflows/scan_data.yaml
@@ -0,0 +1,35 @@
+name: Scan Data for Viruses
+
+on:
+  workflow_dispatch:
+    inputs:
+      username:
+        description: 'Username of the endpoint to scan'
+        required: true
+        type: string
+
+env:
+  BIOC_HUBSINGEST_PATH: "${{ github.workspace }}"
+
+jobs:
+  scan-data:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: save kubeconfig
+        shell: bash
+        run: mkdir -p ~/.kube && echo "${{ secrets.KUBECONFIG }}" > ~/.kube/config
+
+      - name: Install Kubectl
+        run: |
+          curl -LO "https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl" && \
+          chmod +x ./kubectl && \
+          sudo mv ./kubectl /usr/local/bin/kubectl && \
+          kubectl version
+      
+      - name: Run virus scan
+        run: |
+          bash install_hubsingest.sh
+          export PATH="$PATH:$BIOC_HUBSINGEST_PATH"
+          hubsingest scan_data "${{ inputs.username }}"
diff --git a/hubsingest b/hubsingest
@@ -18,8 +18,12 @@ case "$1" in
     shift
     bash $HUBSINGESTPATH/scripts/hubsingest_launch_rstudio.sh "$@"
     ;;
+  scan_data)
+    shift
+    bash $HUBSINGESTPATH/scripts/hubsingest_scan_data.sh "$@"
+    ;;
   *)
-    echo "Usage: hubsingest {create_endpoint|delete_endpoint|test_endpoint|launch_rstudio} [options]"
+    echo "Usage: hubsingest {create_endpoint|delete_endpoint|test_endpoint|launch_rstudio|scan_data} [options]"
     exit 1
     ;;
 esac
diff --git a/scripts/hubsingest_launch_rstudio.sh b/scripts/hubsingest_launch_rstudio.sh
@@ -33,16 +33,6 @@ spec:
       labels:
         app: rstudio
     spec:
-      initContainers:
-      - name: clamav-scan
-        image: clamav/clamav:stable
-        command: ["sh", "-c", "clamscan -r /scandir 2>&1 > /results/av-scan-report.txt"]
-        volumeMounts:
-        - name: data-volume
-          mountPath: /scandir
-          readOnly: true
-        - name: scan-results
-          mountPath: /results
       containers:
       - name: rstudio
         image: ghcr.io/bioconductor/bioconductor:$BIOC_VERSION
@@ -54,14 +44,10 @@ spec:
         volumeMounts:
         - name: data-volume
           mountPath: /home/rstudio/shareddata
-        - name: scan-results
-          mountPath: /home/rstudio/av-scan-report
       volumes:
       - name: data-volume
         persistentVolumeClaim:
           claimName: versitygw-data
-      - name: scan-results
-        emptyDir: {}
 EOF
 
 # Create Service

diff --git a/scripts/hubsingest_scan_data.sh b/scripts/hubsingest_scan_data.sh
@@ -0,0 +1,62 @@
+#!/bin/bash
+DEFAULTCMD="hubsingest scan_data"
+set -e
+
+if [ "$#" -ne 1 ]; then
+    echo "Usage: $DEFAULTCMD <username>"
+    echo "Example: $DEFAULTCMD testuser"
+    exit 1
+fi
+
+USERNAME=$1
+NAMESPACE="${USERNAME}-ns"
+
+cat <<EOF | kubectl apply -f -
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: virus-scan
+  namespace: $NAMESPACE
+spec:
+  template:
+    spec:
+      initContainers:
+      - name: clamav-scan
+        image: clamav/clamav:stable
+        command: ["sh", "-c", "clamscan -r /scandir > /results/av-scan-report.txt 2>&1"]
+        volumeMounts:
+        - name: data-volume
+          mountPath: /scandir
+          readOnly: true
+        - name: results
+          mountPath: /results
+      containers:
+      - name: holder
+        image: busybox
+        command: ['sh', '-c', 'sleep infinity']
+        volumeMounts:
+        - name: results
+          mountPath: /results
+      volumes:
+      - name: data-volume
+        persistentVolumeClaim:
+          claimName: versitygw-data
+      - name: results
+        emptyDir: {}
+      restartPolicy: Never
+  backoffLimit: 1
+EOF
+
+echo "Waiting for scan init container to complete..."
+kubectl wait -n "$NAMESPACE" --for=condition=initialized pod -l job-name=virus-scan --timeout=600s
+
+echo "Extracting scan report..."
+POD_NAME=$(kubectl get pods -n "$NAMESPACE" -l job-name=virus-scan -o jsonpath='{.items[0].metadata.name}')
+kubectl cp "$NAMESPACE/$POD_NAME:/results/av-scan-report.txt" /tmp/av-scan-report.txt -c holder
+
+echo "Scan Report Contents:"
+cat /tmp/av-scan-report.txt
+
+rm /tmp/av-scan-report.txt
+kubectl delete job virus-scan -n "$NAMESPACE"
+