# Override-specific image contents and the optional IBM service-account policy
# for the OpenBMC image.

# Extra packages installed into the image, selected by the override suffix
# on each variable name.
OBMC_IMAGE_EXTRA_INSTALL_append_ibm-ac-server = " mboxd max31785-msl phosphor-msl-verify liberation-fonts uart-render-controller first-boot-set-hostname"
OBMC_IMAGE_EXTRA_INSTALL_append_p10bmc = " mboxd ibmtpm2tss"
OBMC_IMAGE_EXTRA_INSTALL_append_witherspoon-tacoma = " ibmtpm2tss"
OBMC_IMAGE_EXTRA_INSTALL_append_mihawk = " mboxd liberation-fonts uart-render-controller "

# Remove the LDAP user-management image feature on witherspoon so the image
# fits in the available flash space.
IMAGE_FEATURES_remove_witherspoon = "obmc-user-mgmt-ldap"

# Optionally configure IBM service accounts
#
# To configure your distro, add the following line to its config:
#     DISTRO_FEATURES += "ibm-service-account-policy"
#
# The service account policy is as follows:
#   root - The root account remains present.  It is needed for internal
#     accounting purposes and for debugging service access.
#   admin - Provides administrative control over the BMC.  The role is
#     SystemAdministrator.  Admin users have access to interfaces including
#     Redfish, REST APIs and Web.  They have no access to the BMC via the
#     BMC's physical console or via SSH to the BMC's command line.
#     IPMI access is not granted by default, but admins can authorize
#     themselves and enable the IPMI service.
#     The admin has access to the host console: ssh -p2200 admin@${bmc}.
#     The admin account does not have a home directory.
#   service - Provides IBM service and support representatives (SSRs, formerly
#     known as customer engineers or CEs) access to the BMC.  The role is
#     OemIBMServiceAgent.  The service user has full admin access, plus access
#     to BMC interfaces intended only to service the BMC and host, including
#     SSH access to the BMC's command line.
#     The service account is not authorized for IPMI because of the inherent
#     security weakness in the IPMI spec and also because the IPMI
#     implementation was not enhanced to use the ACF support.
#     The service account does not have a home directory.  The home directory
#     is set to / (the root directory) to allow dropbear ssh connections.
#
# NOTE(review): the "admin" and "service" accounts below are both given
# ${DEFAULT_OPENBMC_PASSWORD}, so every image built with this policy carries
# the same build-time credential on two privileged accounts.  Confirm that
# the password is changed or expired before the BMC is reachable on a network.

# Override defaults from meta-phosphor/conf/distro/include/phosphor-defaults.inc
inherit extrausers

# Disabled: the root password is not set by this file.
# NOTE(review): presumably root keeps whatever phosphor-defaults.inc
# configures - confirm.
#IBM_EXTRA_USERS_PARAMS += " \
# usermod -p ${DEFAULT_OPENBMC_PASSWORD} root; \
# "

# Add group "wheel" (before adding the "service" account), because the
# "service" useradd below lists wheel in --groups.
IBM_EXTRA_USERS_PARAMS += " \
groupadd wheel; \
"

# Add the "admin" account.
# -M creates no home directory, -d / records / as the home path, and
# -s /sbin/nologin gives the account no login shell, matching the policy
# above (no console or SSH command-line access to the BMC).
# usermod -p takes an already-hashed password value.
IBM_EXTRA_USERS_PARAMS += " \
useradd -M -d / --groups priv-admin,redfish,web -s /sbin/nologin admin; \
usermod -p ${DEFAULT_OPENBMC_PASSWORD} admin; \
"

# Add the "service" account.
# Same groups as "admin" plus wheel.  No -s option is given, so the account
# gets the system default shell, which is what permits SSH command-line login.
# NOTE(review): the sudoers rule that grants wheel its privileges is not in
# this file - confirm where it is defined and how broad it is.
IBM_EXTRA_USERS_PARAMS += " \
useradd -M -d / --groups priv-admin,redfish,web,wheel service; \
usermod -p ${DEFAULT_OPENBMC_PASSWORD} service; \
"

# This is recipe specific to ensure it takes effect.
# The accounts are only created when DISTRO_FEATURES contains
# 'ibm-service-account-policy'; otherwise an empty string is added.
# NOTE(review): "+=" on an override-qualified name acts on the
# override-specific variable, not on the base EXTRA_USERS_PARAMS - confirm
# this combines with the phosphor-defaults.inc value as intended.
EXTRA_USERS_PARAMS_pn-obmc-phosphor-image += "${@bb.utils.contains('DISTRO_FEATURES', 'ibm-service-account-policy', "${IBM_EXTRA_USERS_PARAMS}", '', d)}"

# The service account needs sudo.
# Unlike the user parameters above, this append carries no recipe override,
# so sudo is added wherever IMAGE_INSTALL is evaluated once the feature is
# enabled.
IMAGE_INSTALL_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ibm-service-account-policy', 'sudo', '', d)}"