Skip to content
/ cob Public
forked from henrysher/cob

Yet Another Yum S3 Plugin (AWS SigV4)

License

Notifications You must be signed in to change notification settings

tuapuikia/cob

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

17 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Cob

Cob, yet another yum S3 plugin, provides the way to accessing yum repository hosted on AWS S3.

What's the difference between Cob and original yum s3 plugin?

  • Support more secure AWS Signature Version 4 while original one still in version 2, especially for the new region eu-central-1 only SigV4 allowed
  • Hook on higher layer of Yum built-in library to avoid complicated low-level handlings
  • Support static AWS credentials prior to IAM role
  • Add retry mechanism to fetch IAM role credentials

Quick Start

  • Installation

    • ./install.sh
    • plugin conf: cob.conf --> /etc/yum/pluginconf.d/cob.conf
    • plugin code: cob.py --> /usr/lib/yum-plugins/cob.py
  • Setup minimal IAM Role Policy for Cob

    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetObject"
          ],
          "Resource": "*"
        }
      ]
    }
    • For cross-account access, setup the policy of yum s3 bucket

      {
        "Version": "2008-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "AWS": [
                "arn:aws:iam::37ABC0340XYZ:root",
                "arn:aws:iam::24ABC3058XYZ:root"
              ]
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::yum-s3-bucket-XYZ/*"
          }
        ]
      }
      • "37ABC0340XYZ", "24ABC3058XYZ": AWS account id with the permission to access
      • "yum-s3-bucket-XYZ": S3 bucket for yum access
  • Configure your yum repo conf under /etc/yum.repos.d/, like the example below cob.repo

    [cob]
    name=cob
    baseurl=https://your-bucket-name-0.s3.amazonaws.com/repo-name/arch/
            https://your-bucket-name-1.s3-eu-west-1.amazonaws.com/repo-name/arch/
            https://your-bucket-name-2.s3-us-west-2.amazonaws.com/repo-name/arch/
    failovermethod=priority
    enabled=1
    gpgcheck=0
  • An example from cob.conf is taken to indicate its usages:

    [main]
    cachedir=/var/cache/yum/$basearch/$releasever
    keepcache=1
    debuglevel=4
    logfile=/var/log/yum.log
    exactarch=1
    obsoletes=0
    gpgcheck=0
    plugins=1
    distroverpkg=centos-release
    enabled=1
    
    [aws]
    # access_key = 
    # secret_key =
    timeout = 60
    retries = 5
    metadata_server = http://169.254.169.254
    • set main/enabled=1 to enable this yum plugin
    • for static AWS credentials, you could specify via aws/access_key, aws/secret_key
    • aws/timeout and aws/retries, used to indicate params in the way of fetching IAM role credentials
    • metadata_server used to help testing
  • Enable verbose log to help troubleshoot the Cob issue:

    URLGRABBER_DEBUG=1 yum -v makecache

About

Yet Another Yum S3 Plugin (AWS SigV4)

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Python 95.5%
  • Shell 4.5%