[PATCH v2 3/4] erofs-utils: mkfs: introduce `--s3=...` option
Hongbo Li
lihongbo22 at huawei.com
Fri Aug 1 19:10:21 AEST 2025
On 2025/8/1 16:37, Gao Xiang wrote:
> Hi Hongbo,
>
> On 2025/8/1 16:31, Hongbo Li wrote:
>
> ...
>
>>>> +#ifdef HAVE_S3
>>>
>>> HAVE_S3 is a bit odd, how about using
>>> S3_ENABLED (like LZ4_ENABLED?)
>>>
>>>
>>>> + " --s3=X generate an index-only image from
>>>> s3-compatible object store backend\n"
>>>> + " [,passwd_file=Y] X=endpoint, Y=s3 credentials file\n"
>>>
>>> What's s3 credentials file? Is it documented
>>> somewhere? Why is it named as passwd_file?
>>>
>>> Can we have an option to pass in accesskey
>>> too?
>>
>> This follows the format of s3fs-fuse. Storing the ak/sk in a file is
>> for security purposes. The file permission is set to 600 to prevent
>> non-root users from accessing the ak/sk.
>
> Understood, I wonder if the format is documented in
> the AWS website or somewhere?
AFAIK, the user should download the file which records ak/sk at the
first time when access the target console page. The ak/sk may be saved
in the csv format file. And the AWS website only shows the way to help
user to obtain the ak/sk, such as [1]?
[1]
https://docs.aws.amazon.com/IAM/latest/UserGuide/access-key-self-managed.html
Thanks,
Hongbo
>
> If it's only an implementation in s3fs-fuse, we might
> need to document the format in the mkfs.erofs manpage
> for example. (Although it's not needed in this patch,
> maybe a follow-up patch.)
>
> Also even I agree it's useful for security purposes,
> it's still useful to have an _alternative_ way to
> pass in plain ak/sk if possible.
>
> `passwd_file` makes sense to me now since s3fs-fuse
> uses this name too!
>
> Thanks,
> Gao Xiang
>
>>
>> [1] https://github.com/s3fs-fuse/s3fs-fuse
>>
>> Thanks,
>> Hongbo
>>
More information about the Linux-erofs
mailing list