[PATCH v2 3/4] erofs-utils: mkfs: introduce `--s3=...` option

Hongbo Li lihongbo22 at huawei.com
Fri Aug 1 19:10:21 AEST 2025



On 2025/8/1 16:37, Gao Xiang wrote:
> Hi Hongbo,
> 
> On 2025/8/1 16:31, Hongbo Li wrote:
> 
> ...
> 
>>>> +#ifdef HAVE_S3
>>>
>>> HAVE_S3 is a bit odd, how about using
>>> S3_ENABLED (like LZ4_ENABLED?)
>>>
>>>
>>>> +        " --s3=X                generate an index-only image from 
>>>> s3-compatible object store backend\n"
>>>> +        "   [,passwd_file=Y]    X=endpoint, Y=s3 credentials file\n"
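
Review bot: the `[,passwd_file=Y]` help line describes Y only as "s3 credentials file", so `--help` gives no hint of the layout the file must have or that it holds secrets. Suggest naming the expected format in this string, or pointing to the manpage, and noting that the file should not be readable by other users. Minor style point on the same strings: "S3-compatible" and "S3 credentials file" would match the product name.
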
>>>
>>> What's s3 credentials file? Is it documented
>>> somewhere? Why is it named as passwd_file?
>>>
>>> Can we have an option to pass in accesskey
>>> too?
>>
>> This follows the format of s3fs-fuse. Storing the ak/sk in a file is 
>> for security purposes. The file permission is set to 600 to prevent 
>> non-root users from accessing the ak/sk.
> 
> Understood, I wonder if the format is documented in
> the AWS website or somewhere?

AFAIK, the user should download the file which records the ak/sk the
first time they access the target console page. The ak/sk may be saved
in a CSV-format file. And the AWS website only shows the way to help
users obtain the ak/sk, such as [1]?

[1] https://docs.aws.amazon.com/IAM/latest/UserGuide/access-key-self-managed.html

Thanks,
Hongbo
> 
> If it's only an implementation in s3fs-fuse, we might
> need to document the format in the mkfs.erofs manpage
> for example. (Although it's not needed in this patch,
> maybe a follow-up patch.)
> 
> Also, even though I agree it's useful for security purposes,
> it's still useful to have an _alternative_ way to
> pass in plain ak/sk if possible.
> 
> `passwd_file` makes sense to me now since s3fs-fuse
> uses this name too!
> 
> Thanks,
> Gao Xiang
> 
>>
>> [1] https://github.com/s3fs-fuse/s3fs-fuse
>>
>> Thanks,
>> Hongbo
>>