blob: cc9e507b04d512176876e702a892160db8424046 [file] [log] [blame]
Adriana Kobylakb96c7502021-08-06 16:25:30 +00001OBMC_IMAGE_EXTRA_INSTALL:append:ibm-ac-server = " mboxd max31785-msl phosphor-msl-verify liberation-fonts uart-render-controller first-boot-set-hostname"
2OBMC_IMAGE_EXTRA_INSTALL:append:p10bmc = " mboxd ibmtpm2tss"
3OBMC_IMAGE_EXTRA_INSTALL:append:witherspoon-tacoma = " ibmtpm2tss"
4OBMC_IMAGE_EXTRA_INSTALL:append:mihawk = " mboxd liberation-fonts uart-render-controller "
Andrew Geisslerd1b5b202021-01-04 12:16:39 -06005
6# remove so things fit in available flash space
Adriana Kobylakb96c7502021-08-06 16:25:30 +00007IMAGE_FEATURES:remove:witherspoon = "obmc-user-mgmt-ldap"
Andrew Geissler3475f832021-08-12 09:09:41 -04008IMAGE_FEATURES:remove:witherspoon = "obmc-telemetry"
Joseph Reynolds68e567f2021-02-24 17:20:01 -06009
Andrew Geissler0f80cda2021-08-31 15:50:20 -050010# Generic IPMI FRU vpd collection not needed on p10bmc
11IMAGE_FEATURES:remove:p10bmc = "obmc-fru-ipmi"
12
Joseph Reynolds68e567f2021-02-24 17:20:01 -060013# Optionally configure IBM service accounts
14#
15# To configure your distro, add the following line to its config:
16# DISTRO_FEATURES += "ibm-service-account-policy"
17#
18# The service account policy is as follows:
19# root - The root account remains present. It is needed for internal
20# accounting purposes and for debugging service access.
21# admin - Provides administrative control over the BMC. The role is
22# SystemAdministrator. Admin users have access to interfaces including:
23# Redfish, REST APIs, Web. No access to the BMC via: the BMC's physical
24# console, SSH to the BMC's command line.
25# IPMI access is not granted by default, but admins can authorize
26# themselves and enable the IPMI service.
27# The admin has access to the host console: ssh -p2200 admin@${bmc}.
28# The admin account does not have a home directory.
29# service - Provides IBM service and support representatives (SSRs, formerly
30# known as customer engineers or CEs) access to the BMC. The role is
31# OemIBMServiceAgent. The service user has full admin access, plus access
32# to BMC interfaces intended only to service the BMC and host, including
33# SSH access to the BMC's command line.
34# The service account is not authorized to IPMI because of the inherent
35# security weakness in the IPMI spec and also because the IPMI
36# implementation was not enhanced to use the ACF support.
37# The service account does not have a home directory. The home directory is
38# set to / (the root directory) to allow dropbear ssh connections.
39
Joseph Reynolds516363e2021-08-04 10:01:42 -050040# Override defaults from meta-phosphor/conf/distro/include/phosphor-defaults.inc
Joseph Reynolds68e567f2021-02-24 17:20:01 -060041inherit extrausers
42
Joseph Reynolds68e567f2021-02-24 17:20:01 -060043#IBM_EXTRA_USERS_PARAMS += " \
Joseph Reynolds356f9e12021-07-23 20:15:32 -050044# usermod -p ${DEFAULT_OPENBMC_PASSWORD} root; \
Joseph Reynolds68e567f2021-02-24 17:20:01 -060045# "
46
47# Add group "wheel" (before adding the "service" account).
48IBM_EXTRA_USERS_PARAMS += " \
49 groupadd wheel; \
50 "
51
52# Add the "admin" account.
53IBM_EXTRA_USERS_PARAMS += " \
54 useradd -M -d / --groups priv-admin,redfish,web -s /sbin/nologin admin; \
Joseph Reynolds356f9e12021-07-23 20:15:32 -050055 usermod -p ${DEFAULT_OPENBMC_PASSWORD} admin; \
Joseph Reynolds68e567f2021-02-24 17:20:01 -060056 "
57
58# Add the "service" account.
59IBM_EXTRA_USERS_PARAMS += " \
60 useradd -M -d / --groups priv-admin,redfish,web,wheel service; \
Joseph Reynolds356f9e12021-07-23 20:15:32 -050061 usermod -p ${DEFAULT_OPENBMC_PASSWORD} service; \
Joseph Reynolds68e567f2021-02-24 17:20:01 -060062 "
63
64# This is recipe specific to ensure it takes effect.
Adriana Kobylakb96c7502021-08-06 16:25:30 +000065EXTRA_USERS_PARAMS:pn-obmc-phosphor-image += "${@bb.utils.contains('DISTRO_FEATURES', 'ibm-service-account-policy', "${IBM_EXTRA_USERS_PARAMS}", '', d)}"
Joseph Reynolds68e567f2021-02-24 17:20:01 -060066
67# The service account needs sudo.
Adriana Kobylakb96c7502021-08-06 16:25:30 +000068IMAGE_INSTALL:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ibm-service-account-policy', 'sudo', '', d)}"