Skip to content
/ cob Public
forked from henrysher/cob

Yet Another Yum S3 Plugin (AWS SigV4)

License

View license
1 star 15 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

syskill/cob

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

31 Commits
LICENSE
LICENSE
 
 
README.md
README.md
 
 
cob.conf
cob.conf
 
 
cob.py
cob.py
 
 
cob.repo
cob.repo
 
 
install.sh
install.sh
 
 
yum-plugin-cob.spec
yum-plugin-cob.spec
 
 

Repository files navigation

Cob

Cob, yet another yum S3 plugin, provides a way to accessing yum repositories hosted on AWS S3.

What's the difference between Cob and original yum s3 plugin?

  • Support more secure AWS Signature Version 4 while original one still in version 2, especially for the new region eu-central-1 only SigV4 allowed
  • Hook on higher layer of Yum built-in library to avoid complicated low-level handlings
  • Support static AWS credentials prior to IAM role
  • Add retry mechanism to fetch IAM role credentials

Quick Start

  • Installation

    • ./install.sh
    • plugin conf: cob.conf --> /etc/yum/pluginconf.d/cob.conf
    • plugin code: cob.py --> /usr/lib/yum-plugins/cob.py

  • Setup minimal IAM Role Policy for Cob

    {
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "*"
    }
  ]
}

    • For cross-account access, setup the policy of yum s3 bucket

      {
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::37ABC0340XYZ:root",
          "arn:aws:iam::24ABC3058XYZ:root"
        ]
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::yum-s3-bucket-XYZ/*"
    }
  ]
}
      • "37ABC0340XYZ", "24ABC3058XYZ": AWS account id with the permission to access
      • "yum-s3-bucket-XYZ": S3 bucket for yum access

  • Configure your yum repo conf under /etc/yum.repos.d/, like the example below cob.repo

    [cob]
name=cob
baseurl=https://your-bucket-name-0.s3.amazonaws.com/repo-name/arch/
        https://your-bucket-name-1.s3-eu-west-1.amazonaws.com/repo-name/arch/
        https://your-bucket-name-2.s3-us-west-2.amazonaws.com/repo-name/arch/
failovermethod=priority
enabled=1
gpgcheck=0

  • An example from cob.conf is taken to indicate its usages:

    [main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=1
debuglevel=4
logfile=/var/log/yum.log
exactarch=1
obsoletes=0
gpgcheck=0
plugins=1
distroverpkg=centos-release
enabled=1

[aws]
# access_key = 
# secret_key =
timeout = 60
retries = 5
metadata_server = http://169.254.169.254
    • set main/enabled=1 to enable this yum plugin
    • for static AWS credentials, you could specify via aws/access_key, aws/secret_key
    • aws/timeout and aws/retries, used to indicate params in the way of fetching IAM role credentials
    • metadata_server used to help testing

  • Enable verbose log to help troubleshoot the Cob issue:

    URLGRABBER_DEBUG=1 yum -v makecache

About

Yet Another Yum S3 Plugin (AWS SigV4)

Resources

Readme

License

View license
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

5 tags

Packages

No packages published

Languages

  • Python 96.0%
  • Shell 4.0%