Cob, yet another yum S3 plugin, provides the way to accessing yum repository hosted on AWS S3.
What's the difference between Cob and original yum s3 plugin?
- Support more secure AWS Signature Version 4 while original one still in version 2, especially for the new region eu-central-1 only SigV4 allowed
- Hook on higher layer of Yum built-in library to avoid complicated low-level handlings
- Support static AWS credentials prior to IAM role
- Add retry mechanism to fetch IAM role credentials
-
Installation
- ./install.sh
- plugin conf: cob.conf --> /etc/yum/pluginconf.d/cob.conf
- plugin code: cob.py --> /usr/lib/yum-plugins/cob.py
-
Setup minimal IAM Role Policy for Cob
{ "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": "*" } ] }
-
For cross-account access, setup the policy of yum s3 bucket
{ "Version": "2008-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::37ABC0340XYZ:root", "arn:aws:iam::24ABC3058XYZ:root" ] }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::yum-s3-bucket-XYZ/*" } ] }
- "37ABC0340XYZ", "24ABC3058XYZ": AWS account id with the permission to access
- "yum-s3-bucket-XYZ": S3 bucket for yum access
-
-
Configure your yum repo conf under /etc/yum.repos.d/, like the example below cob.repo
[cob] name=cob baseurl=https://your-bucket-name-0.s3.amazonaws.com/repo-name/arch/ https://your-bucket-name-1.s3-eu-west-1.amazonaws.com/repo-name/arch/ https://your-bucket-name-2.s3-us-west-2.amazonaws.com/repo-name/arch/ failovermethod=priority enabled=1 gpgcheck=0
- add the bucket region name in the baseurl as shown in the example, especially for us-east-1, like your-bucket-name-0, no region name needed there
- s3 endpoint reference: http://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region
-
An example from cob.conf is taken to indicate its usages:
[main] cachedir=/var/cache/yum/$basearch/$releasever keepcache=1 debuglevel=4 logfile=/var/log/yum.log exactarch=1 obsoletes=0 gpgcheck=0 plugins=1 distroverpkg=centos-release enabled=1 [aws] # access_key = # secret_key = timeout = 60 retries = 5 metadata_server = http://169.254.169.254
- set main/enabled=1 to enable this yum plugin
- for static AWS credentials, you could specify via aws/access_key, aws/secret_key
- aws/timeout and aws/retries, used to indicate params in the way of fetching IAM role credentials
- metadata_server used to help testing
-
Enable verbose log to help troubleshoot the Cob issue:
URLGRABBER_DEBUG=1 yum -v makecache