# Per-machine additions to the image package set. The (legacy underscore)
# `_append_<machine>` override suffix scopes each line to one MACHINE; the
# leading space keeps the list separated from earlier values.
OBMC_IMAGE_EXTRA_INSTALL_append_ibm-ac-server = " mboxd max31785-msl phosphor-msl-verify liberation-fonts uart-render-controller first-boot-set-hostname"
OBMC_IMAGE_EXTRA_INSTALL_append_p10bmc = " mboxd ibmtpm2tss"
OBMC_IMAGE_EXTRA_INSTALL_append_witherspoon-tacoma = " ibmtpm2tss"
OBMC_IMAGE_EXTRA_INSTALL_append_mihawk = " mboxd liberation-fonts uart-render-controller "

# Removed so the image fits in the available flash space on witherspoon.
IMAGE_FEATURES_remove_witherspoon = "obmc-user-mgmt-ldap"

# Optionally configure IBM service accounts
#
# To configure your distro, add the following line to its config:
# DISTRO_FEATURES += "ibm-service-account-policy"
#
# The service account policy is as follows:
# root - The root account remains present. It is needed for internal
# accounting purposes and for debugging service access.
# admin - Provides administrative control over the BMC. The role is
# SystemAdministrator. Admin users have access to interfaces including:
# Redfish, REST APIs, Web. No access to the BMC via: the BMC's physical
# console, SSH to the BMC's command line.
# IPMI access is not granted by default, but admins can authorize
# themselves and enable the IPMI service.
# The admin has access to the host console: ssh -p2200 admin@${bmc}.
# The admin account does not have a home directory.
# service - Provides IBM service and support representatives (SSRs, formerly
# known as customer engineers or CEs) access to the BMC. The role is
# OemIBMServiceAgent. The service user has full admin access, plus access
# to BMC interfaces intended only to service the BMC and host, including
# SSH access to the BMC's command line.
# The service account is not authorized to IPMI because of the inherent
# security weakness in the IPMI spec and also because the IPMI
# implementation was not enhanced to use the ACF support.
# The service account does not have a home directory. The home directory is
# set to / (the root directory) to allow dropbear ssh connections.

# Override defaults from meta-phosphor/conf/distro/include/phosphor-defaults.inc
# The extrausers class runs the EXTRA_USERS_PARAMS commands against the
# rootfs at image-build time, so every image built with the feature enabled
# ships with these accounts already present.
inherit extrausers

# Commented out: this file does not touch root's password. Enabling the
# block would overwrite it with the build-time DEFAULT_OPENBMC_PASSWORD.
#IBM_EXTRA_USERS_PARAMS += " \
# usermod -p ${DEFAULT_OPENBMC_PASSWORD} root; \
# "

# Add group "wheel" (before adding the "service" account).
# useradd --groups fails when a listed group does not exist, so this must
# run before the "service" useradd below, which lists wheel.
IBM_EXTRA_USERS_PARAMS += " \
 groupadd wheel; \
 "

# Add the "admin" account.
# -M: no home directory; -d /: home is the root directory (see policy above).
# -s /sbin/nologin: no interactive shell, which is what denies admin SSH
# access to the BMC command line while leaving Redfish/REST/Web usable.
# usermod -p expects an already-encrypted (crypt-format) value; the hash is
# presumably supplied by phosphor-defaults.inc as DEFAULT_OPENBMC_PASSWORD.
IBM_EXTRA_USERS_PARAMS += " \
 useradd -M -d / --groups priv-admin,redfish,web -s /sbin/nologin admin; \
 usermod -p ${DEFAULT_OPENBMC_PASSWORD} admin; \
 "

# Add the "service" account.
# No -s is given, so service gets the system default login shell; together
# with membership in wheel (and sudo, installed below) this is the
# command-line access described in the policy above. Note that service is
# provisioned with the same build-time default password as admin; rotating
# it on first use is handled outside this file.
IBM_EXTRA_USERS_PARAMS += " \
 useradd -M -d / --groups priv-admin,redfish,web,wheel service; \
 usermod -p ${DEFAULT_OPENBMC_PASSWORD} service; \
 "

# Scoped to the obmc-phosphor-image recipe (the _pn- override) so that it
# takes effect regardless of any global EXTRA_USERS_PARAMS assignment, and
# gated on DISTRO_FEATURES: without ibm-service-account-policy the expansion
# is empty and none of the accounts above are created.
EXTRA_USERS_PARAMS_pn-obmc-phosphor-image += "${@bb.utils.contains('DISTRO_FEATURES', 'ibm-service-account-policy', "${IBM_EXTRA_USERS_PARAMS}", '', d)}"

# The service account needs sudo. Installed only under the same distro
# feature gate as the accounts, so images without the policy carry no sudo.
IMAGE_INSTALL_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ibm-service-account-policy', 'sudo', '', d)}"