# Extra packages added to the image, selected by override (ibm-ac-server,
# p10bmc, mihawk). ":append" does not insert a separator, so each value
# starts with a space.
OBMC_IMAGE_EXTRA_INSTALL:append:ibm-ac-server = " mboxd max31785-msl phosphor-msl-verify liberation-fonts uart-render-controller first-boot-set-hostname"
OBMC_IMAGE_EXTRA_INSTALL:append:p10bmc = " mboxd"
OBMC_IMAGE_EXTRA_INSTALL:append:mihawk = " mboxd liberation-fonts uart-render-controller "

# No override on this append, so the feature is added for every machine that
# uses this file.
IMAGE_FEATURES:append = " obmc-dbus-monitor"

# remove so things fit in available flash space
# NOTE(review): dropping obmc-user-mgmt-ldap is a size trade-off with a
# security side effect: presumably witherspoon images are left with local
# accounts only (no LDAP-backed user management). Confirm that this is
# acceptable for deployments of this machine.
IMAGE_FEATURES:remove:witherspoon = "obmc-user-mgmt-ldap"
IMAGE_FEATURES:remove:witherspoon = "obmc-telemetry"

# Generic IPMI FRU VPD collection not needed on p10bmc
IMAGE_FEATURES:remove:p10bmc = "obmc-fru-ipmi"

# Optionally configure IBM service accounts
#
# To configure your distro, add the following line to its config:
#     DISTRO_FEATURES += "ibm-service-account-policy"
#
# The service account policy is as follows:
#   root - The root account remains present. It is needed for internal
#     accounting purposes and for debugging service access.
#   admin - Provides administrative control over the BMC. The role is
#     SystemAdministrator. Admin users have access to interfaces including
#     Redfish, REST APIs and Web. They have no access to the BMC via the
#     BMC's physical console or via SSH to the BMC's command line.
#     IPMI access is not granted by default, but admins can authorize
#     themselves and enable the IPMI service.
#     The admin has access to the host console: ssh -p2200 admin@${bmc}.
#     The admin account does not have a home directory.
#   service - Provides IBM service and support representatives (SSRs, formerly
#     known as customer engineers or CEs) access to the BMC. The role is
#     OemIBMServiceAgent. The service user has full admin access, plus access
#     to BMC interfaces intended only to service the BMC and host, including
#     SSH access to the BMC's command line.
#     The service account is not authorized for IPMI because of the inherent
#     security weakness in the IPMI spec and also because the IPMI
#     implementation was not enhanced to use the ACF support.
#     The service account does not have a home directory. The home directory
#     is set to / (the root directory) to allow dropbear ssh connections.

# Override defaults from meta-phosphor/conf/distro/include/phosphor-defaults.inc
# The extrausers class applies the user/group commands collected in
# EXTRA_USERS_PARAMS to the root filesystem while the image is built.
inherit extrausers

# Disabled: this entry would set root's password hash to
# DEFAULT_OPENBMC_PASSWORD. While it stays commented out, this file does not
# touch root's credential.
# NOTE(review): root "remains present" under this policy, so its credential is
# whatever the base configuration provides; confirm how root login is
# restricted, since that is not visible in this file.
#IBM_EXTRA_USERS_PARAMS += " \
#  usermod -p ${DEFAULT_OPENBMC_PASSWORD} root; \
#  "

# Add group "wheel" (before adding the "service" account).
# useradd --groups only accepts groups that already exist, so this command
# must come before the "service" useradd further down.
# NOTE(review): wheel membership is presumably what the sudo policy keys on;
# the sudoers rule itself is not in this file, so verify which rule the image
# ships and what it allows.
IBM_EXTRA_USERS_PARAMS += " \
  groupadd wheel; \
  "

# Add the "admin" account.
#   -M, -d /          no home directory is created; the home path is "/"
#   --groups          supplementary groups priv-admin, redfish and web
#   -s /sbin/nologin  no interactive login shell for this account
# usermod -p expects an already-hashed password, so DEFAULT_OPENBMC_PASSWORD
# must hold a hash, never clear text.
# NOTE(review): every image built with this policy ships "admin" with the same
# build-time default credential. Nothing in this file forces a change, so
# confirm that provisioning or first login replaces or expires it before a
# unit is reachable on a network.
IBM_EXTRA_USERS_PARAMS += " \
  useradd -M -d / --groups priv-admin,redfish,web -s /sbin/nologin admin; \
  usermod -p ${DEFAULT_OPENBMC_PASSWORD} admin; \
  "

# Add the "service" account.
#   -M, -d /   no home directory is created; the home path is "/"
#   --groups   same groups as "admin", plus wheel
#   (no -s)    the account gets useradd's default shell, unlike "admin"
# NOTE(review): "service" is the more privileged account (wheel, a login shell)
# yet it receives the same DEFAULT_OPENBMC_PASSWORD hash as "admin". Whether
# the ACF mechanism mentioned in the policy description supersedes this
# password is not visible here; confirm that the shared default cannot be
# used to log in as "service" on a deployed system.
IBM_EXTRA_USERS_PARAMS += " \
  useradd -M -d / --groups priv-admin,redfish,web,wheel service; \
  usermod -p ${DEFAULT_OPENBMC_PASSWORD} service; \
  "

# This is recipe specific to ensure it takes effect.
# The account commands above are applied to obmc-phosphor-image only when
# DISTRO_FEATURES contains "ibm-service-account-policy"; otherwise an empty
# string is added and no accounts are created by this file.
# NOTE(review): ${IBM_EXTRA_USERS_PARAMS} is placed inside a double-quoted
# Python string in the inline expression, so a double quote in that value
# would presumably break it. Reading the value with
# d.getVar('IBM_EXTRA_USERS_PARAMS') would avoid the splice; confirm before
# changing.
EXTRA_USERS_PARAMS:pn-obmc-phosphor-image += "${@bb.utils.contains('DISTRO_FEATURES', 'ibm-service-account-policy', "${IBM_EXTRA_USERS_PARAMS}", '', d)}"

# The service account needs sudo.
# sudo is installed only when DISTRO_FEATURES contains
# "ibm-service-account-policy"; images without the feature do not get it from
# this line.
# NOTE(review): sudo gives the image a path from a login account to root. The
# sudoers rule that scopes it is not part of this file; confirm it is limited
# to the intended group or account and does not grant more than service
# access requires.
IMAGE_INSTALL:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ibm-service-account-policy', 'sudo', '', d)}"