This article explains how to leverage S3 to present an Amazon Linux package repository to your local VPC. I implemented this because I didn't want to enable any public routes to my private VPC subnets, and I also wanted to centrally manage patch levels.
Part 1 – Create the local repository
- Create a new EC2 instance on your public subnet
- Execute the following commands:
sudo -i
mkdir /repo
mkdir /repo/amzn-2015.09
reposync --gpgcheck -l --repoid=amzn-main -p /repo/amzn-2015.09 --downloadcomps --download-metadata
yum install createrepo -y
createrepo -v /repo/amzn-2015.09/
Part 2 – Set up an S3 bucket to host the repository
- Create a new S3 bucket (it must be in the same region as the VPC you will connect to it in Part 4):
aws s3 mb --region us-west-2 s3://s3-amzn-repo
- Create a user for this bucket:
aws iam create-user --user-name s3-amzn-repo-account
- Create an access key for the user (you'll need this information when configuring s3cmd below):
aws iam create-access-key --user-name s3-amzn-repo-account
- Create permissions for the user. Note that s3:* on the bucket is broader than the sync itself needs, which is only to list, put and delete objects in this one bucket:
cat <<JSON >s3-amzn-repo_policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::s3-amzn-repo/*", "arn:aws:s3:::s3-amzn-repo"]
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*",
      "Condition": {}
    }
  ]
}
JSON
- Upload the policy to AWS:
aws iam put-user-policy --user-name s3-amzn-repo-account --policy-name \
    S3-amzn-repo-Bucket-Access --policy-document file://s3-amzn-repo_policy.json
- Configure s3cmd to use the access key:
yum install s3cmd --enablerepo=epel -y
alternatives --set python /usr/bin/python2.6
s3cmd --configure
- Check the result:
aws iam list-user-policies --user-name s3-amzn-repo-account
- Enable website hosting for the new bucket using the AWS console.
Part 3 – Sync the repository to the S3 bucket
- Set up a repository file for the clients to use. I've found that the best URL to use is the one that points to repomd.xml. You can find this by browsing the S3 service and looking at the properties of the file object.
cat <<REPO >local-repository.repo
[local_amzn-2015.09]
name=amzn-2015.09
enabled=1
baseurl=https://s3-us-west-2.amazonaws.com/s3-amzn-repo/
gpgcheck=0
REPO
- Set up a blank index.html file for the S3 base URL:
<html>
  <head>
    <title>local repository</title>
  </head>
  <body>
  </body>
</html>
- Perform the initial sync. The -P flag (--acl-public) gives every uploaded object a public-read ACL, which is what lets the clients fetch without credentials; if the bucket should only ever be reached through the VPC endpoint created in Part 4, a bucket policy conditioned on aws:sourceVpce can take the place of public ACLs.
s3cmd -P sync /repo/amzn-2015.09/ s3://s3-amzn-repo/ --delete-removed
- Set up a bash script in your home directory to sync the repository on command:
cat <<SCRIPT >syncme.sh
#!/bin/bash
reposync --gpgcheck -l --repoid=amzn-main -p /repo/amzn-2015.09 --downloadcomps --download-metadata
# re-index so repodata/repomd.xml picks up the newly downloaded packages
createrepo -v --update /repo/amzn-2015.09/
s3cmd -P sync /repo/amzn-2015.09/ s3://s3-amzn-repo/ --delete-removed
echo "Synchronization Complete!"
SCRIPT
chmod 755 syncme.sh
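Because the clients run with gpgcheck turned off, they trust whatever the script uploads, so it is worth checking the synced tree before each upload. The following Python check is an added example, not code from the original post: it parses repodata/repomd.xml in the layout createrepo writes and verifies the size and checksum of every file it references, and it builds a constructed sample tree (not real Amazon Linux metadata) so it can be tried offline.

```python
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET

NS = {"repo": "http://linux.duke.edu/metadata/repo"}  # namespace createrepo writes


def verify_repomd(repo_dir):
    """Check each file listed in repodata/repomd.xml against the size and
    checksum recorded there. Returns [(href, problem), ...]; an empty list
    means the synced tree is internally consistent and can be pushed."""
    problems = []
    root = ET.parse(os.path.join(repo_dir, "repodata", "repomd.xml")).getroot()
    for data in root.findall("repo:data", NS):
        href = data.find("repo:location", NS).get("href")
        path = os.path.join(repo_dir, href)
        if not os.path.isfile(path):
            problems.append((href, "missing"))
            continue
        size = data.find("repo:size", NS)  # older createrepo omits <size>
        if size is not None and os.path.getsize(path) != int(size.text):
            problems.append((href, "size mismatch"))
        cks = data.find("repo:checksum", NS)
        algo = cks.get("type")
        h = hashlib.new("sha1" if algo == "sha" else algo)  # "sha" meant SHA-1
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        if h.hexdigest() != cks.text.strip():
            problems.append((href, "checksum mismatch"))
    return problems


def build_sample_repo(tamper=False):
    """Constructed sample tree, not real Amazon Linux metadata. tamper=True
    alters the file after its checksum was recorded, like a corrupted sync."""
    repo = tempfile.mkdtemp(prefix="amzn-repo-")
    os.mkdir(os.path.join(repo, "repodata"))
    body = b'<metadata packages="1"/>\n'
    path = os.path.join(repo, "repodata", "primary.xml.gz")
    with open(path, "wb") as f:
        f.write(body + (b"junk" if tamper else b""))
    with open(os.path.join(repo, "repodata", "repomd.xml"), "w") as f:
        f.write(f'<repomd xmlns="{NS["repo"]}"><data type="primary">'
                f'<checksum type="sha256">{hashlib.sha256(body).hexdigest()}</checksum>'
                f'<location href="repodata/primary.xml.gz"/>'
                f'<size>{len(body)}</size></data></repomd>\n')
    return repo
```

Call verify_repomd('/repo/amzn-2015.09') after the reposync and createrepo steps and skip the s3cmd sync if it returns anything. This catches a truncated or corrupted download, not a tampered upstream; only RPM signature checking on the clients covers that.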
Part 4 – Set up the client
If, like me, you're setting up this repository so that instances within a private VPC can use it for patching, then you'll need to complete a few extra steps.
- Set up an S3 endpoint:
  - From the AWS dashboard, click VPC.
  - Select Endpoints from the menu on the left.
  - Select Create Endpoint.
  - Select the VPC to which you would like to connect your S3 bucket (note that a VPC can only be connected to buckets in the same region!).
  - Click Next Step.
  - Select the route table to which you would like to attach the endpoint.
  - Click Create Endpoint.
- On the client machine:
  - Test the endpoint by downloading the local-repository.repo file to /etc/yum.repos.d.
  - Edit /etc/yum/pluginconf.d/priorities.conf and set enabled=0.
  - Attempt a yum update. If you don't get any errors then you're home free!