| | # Per-machine additions to the image package list; each line applies only when its override (ibm-ac-server, p10bmc, witherspoon-tacoma, mihawk) is active. |
| | # ibmtpm2tss (IBM's TPM 2.0 software stack) is installed for p10bmc and witherspoon-tacoma only. |
Adriana Kobylak | b96c750 | 2021-08-06 16:25:30 +0000 | [diff] [blame] | 1 | OBMC_IMAGE_EXTRA_INSTALL:append:ibm-ac-server = " mboxd max31785-msl phosphor-msl-verify liberation-fonts uart-render-controller first-boot-set-hostname" |
| 2 | OBMC_IMAGE_EXTRA_INSTALL:append:p10bmc = " mboxd ibmtpm2tss" |
| 3 | OBMC_IMAGE_EXTRA_INSTALL:append:witherspoon-tacoma = " ibmtpm2tss" |
| 4 | OBMC_IMAGE_EXTRA_INSTALL:append:mihawk = " mboxd liberation-fonts uart-render-controller " |
Andrew Geissler | d1b5b20 | 2021-01-04 12:16:39 -0600 | [diff] [blame] | 5 | |
| 6 | # Remove so things fit in available flash space: witherspoon images drop the LDAP user-management and telemetry features. |
| | # NOTE(review): without obmc-user-mgmt-ldap, witherspoon presumably authenticates local accounts only; confirm that is intended. |
Adriana Kobylak | b96c750 | 2021-08-06 16:25:30 +0000 | [diff] [blame] | 7 | IMAGE_FEATURES:remove:witherspoon = "obmc-user-mgmt-ldap" |
Andrew Geissler | 3475f83 | 2021-08-12 09:09:41 -0400 | [diff] [blame] | 8 | IMAGE_FEATURES:remove:witherspoon = "obmc-telemetry" |
Joseph Reynolds | 68e567f | 2021-02-24 17:20:01 -0600 | [diff] [blame] | 9 | |
Andrew Geissler | 0f80cda | 2021-08-31 15:50:20 -0500 | [diff] [blame] | 10 | # Generic IPMI FRU VPD collection is not needed on p10bmc, so the obmc-fru-ipmi feature is dropped from its image. |
| 11 | IMAGE_FEATURES:remove:p10bmc = "obmc-fru-ipmi" |
| 12 | |
Joseph Reynolds | 68e567f | 2021-02-24 17:20:01 -0600 | [diff] [blame] | 13 | # Optionally configure IBM service accounts |
| 14 | # |
| 15 | # To configure your distro, add the following line to its config: |
| 16 | # DISTRO_FEATURES += "ibm-service-account-policy" |
| 17 | # |
| 18 | # The service account policy is as follows: |
| 19 | # root - The root account remains present. It is needed for internal |
| 20 | # accounting purposes and for debugging service access. |
| 21 | # admin - Provides administrative control over the BMC. The role is |
| 22 | # SystemAdministrator. Admin users have access to interfaces including: |
| 23 | # Redfish, REST APIs, Web. No access to the BMC via: the BMC's physical |
| 24 | # console, SSH to the BMC's command line. |
| 25 | # IPMI access is not granted by default, but admins can authorize |
| 26 | # themselves and enable the IPMI service. |
| 27 | # The admin has access to the host console: ssh -p2200 admin@${bmc}. |
| 28 | # The admin account does not have a home directory. |
| 29 | # service - Provides IBM service and support representatives (SSRs, formerly |
| 30 | # known as customer engineers or CEs) access to the BMC. The role is |
| 31 | # OemIBMServiceAgent. The service user has full admin access, plus access |
| 32 | # to BMC interfaces intended only to service the BMC and host, including |
| 33 | # SSH access to the BMC's command line. |
| 34 | # The service account is not authorized to use IPMI because of the inherent |
| 35 | # security weakness in the IPMI spec and also because the IPMI |
| 36 | # implementation was not enhanced to use the ACF support. |
| 37 | # The service account does not have a home directory. The home directory is |
| 38 | # set to / (the root directory) to allow dropbear ssh connections. |
| 39 | |
Joseph Reynolds | 516363e | 2021-08-04 10:01:42 -0500 | [diff] [blame] | 40 | # Override defaults from meta-phosphor/conf/distro/include/phosphor-defaults.inc |
| | # The extrausers class runs the user and group commands collected in EXTRA_USERS_PARAMS while the image is built. |
Joseph Reynolds | 68e567f | 2021-02-24 17:20:01 -0600 | [diff] [blame] | 41 | inherit extrausers |
| 42 | |
Joseph Reynolds | 68e567f | 2021-02-24 17:20:01 -0600 | [diff] [blame] | 43 | #IBM_EXTRA_USERS_PARAMS += " \ |
Joseph Reynolds | 356f9e1 | 2021-07-23 20:15:32 -0500 | [diff] [blame] | 44 | # usermod -p ${DEFAULT_OPENBMC_PASSWORD} root; \ |
Joseph Reynolds | 68e567f | 2021-02-24 17:20:01 -0600 | [diff] [blame] | 45 | # " |
| 46 | |
| 47 | # Add group "wheel" (before adding the "service" account, whose useradd lists it in --groups). |
| | # NOTE(review): no sudoers rule is visible in this file; confirm where wheel membership is turned into sudo rights. |
| 48 | IBM_EXTRA_USERS_PARAMS += " \ |
| 49 | groupadd wheel; \ |
| 50 | " |
| 51 | |
| 52 | # Add the "admin" account: no home directory is created (-M), the home path is /, and the shell is /sbin/nologin. |
| | # usermod -p expects an already-hashed password; DEFAULT_OPENBMC_PASSWORD is defined outside this file. |
| | # NOTE(review): every image built with this policy carries the same initial admin credential unless that variable is overridden; confirm it must be changed on first use. |
| 53 | IBM_EXTRA_USERS_PARAMS += " \ |
| 54 | useradd -M -d / --groups priv-admin,redfish,web -s /sbin/nologin admin; \ |
Joseph Reynolds | 356f9e1 | 2021-07-23 20:15:32 -0500 | [diff] [blame] | 55 | usermod -p ${DEFAULT_OPENBMC_PASSWORD} admin; \ |
Joseph Reynolds | 68e567f | 2021-02-24 17:20:01 -0600 | [diff] [blame] | 56 | " |
| 57 | |
| 58 | # Add the "service" account: same groups as admin plus wheel, no home directory created (-M), home path /, and no -s option, so it keeps the default login shell. |
| | # The password comes from the same DEFAULT_OPENBMC_PASSWORD variable that is used for admin. |
| | # NOTE(review): this account gets SSH command-line access and wheel membership; the policy comment above mentions ACF support, so confirm whether this shared initial password can actually be used to log in as service. |
| 59 | IBM_EXTRA_USERS_PARAMS += " \ |
| 60 | useradd -M -d / --groups priv-admin,redfish,web,wheel service; \ |
Joseph Reynolds | 356f9e1 | 2021-07-23 20:15:32 -0500 | [diff] [blame] | 61 | usermod -p ${DEFAULT_OPENBMC_PASSWORD} service; \ |
Joseph Reynolds | 68e567f | 2021-02-24 17:20:01 -0600 | [diff] [blame] | 62 | " |
| 63 | |
| 64 | # This is recipe specific (pn-obmc-phosphor-image override) to ensure it takes effect. |
| | # The account commands are applied only when DISTRO_FEATURES contains ibm-service-account-policy; otherwise an empty string is added. |
Adriana Kobylak | b96c750 | 2021-08-06 16:25:30 +0000 | [diff] [blame] | 65 | EXTRA_USERS_PARAMS:pn-obmc-phosphor-image += "${@bb.utils.contains('DISTRO_FEATURES', 'ibm-service-account-policy', "${IBM_EXTRA_USERS_PARAMS}", '', d)}" |
Joseph Reynolds | 68e567f | 2021-02-24 17:20:01 -0600 | [diff] [blame] | 66 | |
| 67 | # The service account needs sudo; the package is installed only when DISTRO_FEATURES contains ibm-service-account-policy. |
| | # NOTE(review): this line installs the sudo package only; which commands the service account may run depends on sudoers configuration not shown here. |
Adriana Kobylak | b96c750 | 2021-08-06 16:25:30 +0000 | [diff] [blame] | 68 | IMAGE_INSTALL:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ibm-service-account-policy', 'sudo', '', d)}" |