Allow configuring user

Add a new option to allow configuring bmcweb to run as a 'bmcweb' user
instead of root.  This option is disabled by default, and the behavior
is very broken at this point, but should serve as a starting point for
getting the issues resolved.

Tested:
Enabled option.  Observed with ps, that bmcweb launched correctly, and
was running as the bmcweb user.  With authentication disabled, passes
redfish service validator.

Booted without option enabled, and saw bmcweb boot and function.

Change-Id: Iac0335697020308bb632f5522b712f5eea0b2486
Signed-off-by: Ed Tanous <etanous@nvidia.com>
diff --git a/config/bmcweb.service.in b/config/bmcweb.service.in
index a430317..847c106 100644
--- a/config/bmcweb.service.in
+++ b/config/bmcweb.service.in
@@ -8,10 +8,16 @@
 ExecReload=kill -s HUP $MAINPID
 ExecStart=@MESON_INSTALL_PREFIX@/bin/bmcweb daemon
 Type=simple
-StateDirectory=/home/root
-WorkingDirectory=/home/root
+User=@BMCWEB_USER@
+Group=@BMCWEB_GROUP@
+DynamicUser=@BMCWEB_DYNAMICUSER@
+StateDirectory=@BMCWEB_STATE_DIRECTORY@
 SyslogLevelPrefix=true
 WatchdogSec=@BMCWEB_WATCHDOG_TIMEOUT_SECONDS@s
+WorkingDirectory=@BMCWEB_WORKING_DIRECTORY@
+
+# bmcweb currently uses /tmp as a mechanism to share files.
+PrivateTmp=no
 
 [Install]
 WantedBy=network.target
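Review bot: The added `PrivateTmp=no` is not honoured when the experimental option is on, because systemd.exec(5) documents that `DynamicUser=yes` implies `PrivateTmp=` and that it cannot be turned off. The /tmp file sharing that the comment describes would therefore stop working in exactly the configuration this commit introduces, which may account for some of the breakage the commit message mentions. In the default root build the line only restates systemd's default, so a root-owned daemon keeps exchanging files through the world-writable /tmp. The comment should record the conflict, for example `# NOTE: ignored when DynamicUser=yes (PrivateTmp is forced on); shared files must move out of /tmp`. The follow-up work should move the exchange to a dedicated directory with explicit ownership and mode.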
diff --git a/config/meson.build b/config/meson.build
index 9668f5c..61478e9 100644
--- a/config/meson.build
+++ b/config/meson.build
@@ -5,6 +5,7 @@
 feature_options = [
     'basic-auth',
     'cookie-auth',
+    'experimental-bmcweb-user',
     'experimental-redfish-dbus-log-subscription',
     'experimental-redfish-multi-computer-system',
     'google-api',
@@ -171,6 +172,20 @@
     )
 endforeach
 
+if get_option('experimental-bmcweb-user').allowed()
+    user = 'bmcweb'
+    group = 'bmcweb'
+    dynamic_user = 'yes'
+    state_directory = 'bmcweb'
+    work_dir = '-~'
+else
+    user = 'root'
+    group = 'root'
+    dynamic_user = 'no'
+    state_directory = '/home/root'
+    work_dir = '/home/root'
+endif
+
 configure_file(
     input: 'bmcweb.service.in',
     output: 'bmcweb.service',
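Review bot: In the enabled branch the state directory and the working directory no longer coincide. `state_directory = 'bmcweb'` gives the service a managed directory under /var/lib, while `work_dir = '-~'` resolves to the service user's home, and the leading `-` makes a missing home a silent no-op. The root branch sets both to `/home/root`, which suggests the daemon expects its working directory to be its state location; if it writes persistent files relative to the current directory (not visible in this diff), they would land somewhere unmanaged or unwritable. Consider `work_dir = '/var/lib/bmcweb'` so the two stay aligned, and drop the `-` so a misconfiguration fails loudly instead of starting in an unexpected directory. Separately, the root branch still emits `StateDirectory=/home/root`; systemd documents that directive as taking relative names only, so that value is likely rejected or ignored and is worth confirming.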
@@ -179,6 +194,11 @@
     configuration: configuration_data(
         {
             'MESON_INSTALL_PREFIX': get_option('prefix'),
+            'BMCWEB_USER': user,
+            'BMCWEB_GROUP': group,
+            'BMCWEB_STATE_DIRECTORY': state_directory,
+            'BMCWEB_DYNAMICUSER': dynamic_user,
+            'BMCWEB_WORKING_DIRECTORY': work_dir,
             'BMCWEB_WATCHDOG_TIMEOUT_SECONDS': get_option(
                 'watchdog-timeout-seconds',
             ),
diff --git a/meson.options b/meson.options
index 5ec28cd..bf44d11 100644
--- a/meson.options
+++ b/meson.options
@@ -467,6 +467,17 @@
     production environment, or where API stability is required.''',
 )
 
+# BMCWEB_EXPERIMENTAL_BMCWEB_USER
+option(
+    'experimental-bmcweb-user',
+    type: 'feature',
+    value: 'disabled',
+    description: '''Enable to run bmcweb as the bmcweb user.  This is
+    experimental.  Expect many things to be broken if you enable this
+    option, and this should not be used for production usage.  This
+    option will be removed Q1 2026.''',
+)
+
 # BMCWEB_HTTP2
 option(
     'http2',
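Review bot: The option description says only that bmcweb runs as the bmcweb user, but enabling it also sets `DynamicUser=yes` and changes the state and working directories away from `/home/root` (see config/meson.build). An integrator flipping this on an existing image would not learn from the help text that previously persisted data is no longer where the daemon looks, or that systemd's dynamic-user sandboxing is switched on with it. I would add a sentence to the description such as `Also enables systemd DynamicUser and moves the state directory from /home/root to the systemd-managed 'bmcweb' state directory; existing persistent data is not migrated.`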