Skip to content

Instantly share code, notes, and snippets.

@phrawzty

phrawzty/S3_as_Yum_repo.md

Last active November 10, 2023 19:20
Show Gist options
  • Star 18 You must be signed in to star a gist
  • Fork 3 You must be signed in to fork a gist
  • Save phrawzty/ca3453addc92a13a9c19 to your computer and use it in GitHub Desktop.
Save phrawzty/ca3453addc92a13a9c19 to your computer and use it in GitHub Desktop.
Download ZIP
Use S3 as a Yum repo
Raw
S3_as_Yum_repo.md

S3 as Yum repo

There are two parts to this:

  • Managing access to non-public S3 resources.
  • Building RPM repositories in an automated, deterministic way that Yum can use.

Environment

In general, a CentOS 7 x86_64 box in AWS EC2; in specific, this Packer profile.

Access management

From an ACL perspective, setting up a public repository in S3 is easy: just turn on Static Website Hosting and you're off to the races.

Access to a non-public bucket involves IAM, support for which is not included in Yum by default - a plugin is required. We're going to use yum-s3-iam; and if that doesn't work, we'll try cob, which is newer.

Keep this blog post open in another tab for reference.

S3

Make your S3 bucket now; in this overview, it shall be named yum-bucket-of-awesome.

IAM

n.b. The IAM interface has changed a fair amount over the years and will likely continue to do so; the following instructions are valid as of 2015-02-24.

  • Load up the IAM interface, navigate to Roles and then Create New Role.
  • Give it a name such as s3_private_yum_access or whatever.
  • Select the Amazon EC2 item from AWS Service Roles.
  • We're going to insert our own policy, so ignore the pre-sets and click Next Step, then Create Role.
  • The policy should now be in the list; click to edit.
  • Expand the Inline Policies menu and then click here (not here, there) to create a policy manually.
  • Select a Custom Policy. (The generator works, but if you've already got a policy resource, this is faster.)
  • Give it a name like s3_private_yum_access or whatever, then paste the policy and Apply:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1424867341000",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::yum-bucket-of-awesome"
      ]
    },
    {
      "Sid": "Stmt1424867403000",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::yum-bucket-of-awesome/*"
      ]
    }
  ]
}

Spin spin sugar

Launch the EC2 instance as normal but with one crucial difference: apply the s3_private_yum_access IAM role. This can only be done pre-launch in the Step 3: Configure Instance Details menu.

Get with the plugin

Let's get this party started! SSH into the new instance and let the good times roll.

  • Now is a good time to install createrepo:
$ sudo yum install createrepo.noarch
  • Clone the yum-s3-iam repo:
$ git clone https://github.com/seporaitis/yum-s3-iam
  • Initialise the rpmbuild tree:
$ rpmdev-setuptree
  • Make dat package, run dem tests:
$ cd yum-s3-iam; make test
   [...]
Wrote: /home/centos/rpmbuild/RPMS/noarch/yum-plugin-s3-iam-1.0-1.noarch.rpm
   [...]
Ran 3 tests in 0.488s

OK
  • A package that allows you to install repos that allow you to install packages.
$ sudo rpm -i /home/centos/rpmbuild/RPMS/noarch/yum-plugin-s3-iam-1.0-1.noarch.rpm

Building and maintaining an RPM repo

TODO.

This page has some info, as does this one.

@robertcurcio
Copy link

nice!!!

@lining-ops
Copy link

good solutions for centos7 !!! seems not working for centos8, any good solutions for centos8?

@phrawzty
Copy link
Author

@lining-ops This gist is… very old. I have no idea how well it's held up or what would need to change for today.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment