| Adriana Kobylak | b96c750 | 2021-08-06 16:25:30 +0000 | [diff] [blame] | 1 | OBMC_IMAGE_EXTRA_INSTALL:append:ibm-ac-server = " mboxd max31785-msl phosphor-msl-verify liberation-fonts uart-render-controller first-boot-set-hostname" |
| Andrew Geissler | ed45991 | 2023-02-22 16:50:25 -0600 | [diff] [blame] | 2 | OBMC_IMAGE_EXTRA_INSTALL:remove:witherspoon-tacoma = " uart-render-controller" |
| Andrew Geissler | 0c3e5ee | 2021-12-17 19:30:02 +0000 | [diff] [blame] | 3 | OBMC_IMAGE_EXTRA_INSTALL:append:p10bmc = " mboxd" |
| Andrew Geissler | d1b5b20 | 2021-01-04 12:16:39 -0600 | [diff] [blame] | 4 | |
| Patrick Williams | c0201c9 | 2022-04-18 14:29:31 -0500 | [diff] [blame] | 5 | IMAGE_FEATURES:append = " obmc-dbus-monitor" |
| 6 | |
| Andrew Geissler | d1b5b20 | 2021-01-04 12:16:39 -0600 | [diff] [blame] | 7 | # remove so things fit in available flash space |
| Adriana Kobylak | b96c750 | 2021-08-06 16:25:30 +0000 | [diff] [blame] | 8 | IMAGE_FEATURES:remove:witherspoon = "obmc-user-mgmt-ldap" |
| Andrew Geissler | 3475f83 | 2021-08-12 09:09:41 -0400 | [diff] [blame] | 9 | IMAGE_FEATURES:remove:witherspoon = "obmc-telemetry" |
| Joseph Reynolds | 68e567f | 2021-02-24 17:20:01 -0600 | [diff] [blame] | 10 | |
| Priyanga Ramasamy | 3b64b4e | 2022-11-18 15:32:37 +0000 | [diff] [blame] | 11 | # Remove unused rsyslog service in P10BMC |
| 12 | IMAGE_FEATURES:remove:p10bmc = "obmc-remote-logging-mgmt" |
| 13 | |
| Andrew Geissler | 0f80cda | 2021-08-31 15:50:20 -0500 | [diff] [blame] | 14 | # Generic IPMI FRU vpd collection not needed on p10bmc |
| 15 | IMAGE_FEATURES:remove:p10bmc = "obmc-fru-ipmi" |
| 16 | |
| Joseph Reynolds | 68e567f | 2021-02-24 17:20:01 -0600 | [diff] [blame] | 17 | # Optionally configure IBM service accounts |
| 18 | # |
| 19 | # To configure your distro, add the following line to its config: |
| 20 | # DISTRO_FEATURES += "ibm-service-account-policy" |
| 21 | # |
| 22 | # The service account policy is as follows: |
| 23 | # root - The root account remains present. It is needed for internal |
| 24 | # accounting purposes and for debugging service access. |
| 25 | # admin - Provides administrative control over the BMC. The role is |
| 26 | # SystemAdministrator. Admin users have access to interfaces including: |
| 27 | # Redfish, REST APIs, Web. No access to the BMC via: the BMC's physical |
| 28 | # console, SSH to the BMC's command line. |
| 29 | # IPMI access is not granted by default, but admins can authorize |
| 30 | # themselves and enable the IPMI service. |
| 31 | # The admin has access to the host console: ssh -p2200 admin@${bmc}. |
| 32 | # The admin account does not have a home directory. |
| 33 | # service - Provides IBM service and support representatives (SSRs, formerly |
| 34 | # known as customer engineers or CEs) access to the BMC. The role is |
| 35 | # OemIBMServiceAgent. The service user has full admin access, plus access |
| 36 | # to BMC interfaces intended only to service the BMC and host, including |
| 37 | # SSH access to the BMC's command line. |
| 38 | # The service account is not authorized to IPMI because of the inherent |
| 39 | # security weakness in the IPMI spec and also because the IPMI |
| 40 | # implementation was not enhanced to use the ACF support. |
| 41 | # The service account does not have a home directory. The home directory is |
| 42 | # set to / (the root directory) to allow dropbear ssh connections. |
| 43 | |
| Joseph Reynolds | 516363e | 2021-08-04 10:01:42 -0500 | [diff] [blame] | 44 | # Override defaults from meta-phosphor/conf/distro/include/phosphor-defaults.inc |
| Joseph Reynolds | 68e567f | 2021-02-24 17:20:01 -0600 | [diff] [blame] | 45 | |
| Joseph Reynolds | 68e567f | 2021-02-24 17:20:01 -0600 | [diff] [blame] | 46 | #IBM_EXTRA_USERS_PARAMS += " \ |
| Joseph Reynolds | 356f9e1 | 2021-07-23 20:15:32 -0500 | [diff] [blame] | 47 | # usermod -p ${DEFAULT_OPENBMC_PASSWORD} root; \ |
| Joseph Reynolds | 68e567f | 2021-02-24 17:20:01 -0600 | [diff] [blame] | 48 | # " |
| 49 | |
| 50 | # Add group "wheel" (before adding the "service" account). |
| 51 | IBM_EXTRA_USERS_PARAMS += " \ |
| 52 | groupadd wheel; \ |
| 53 | " |
| 54 | |
| 55 | # Add the "admin" account. |
| 56 | IBM_EXTRA_USERS_PARAMS += " \ |
| 57 | useradd -M -d / --groups priv-admin,redfish,web -s /sbin/nologin admin; \ |
| Joseph Reynolds | 356f9e1 | 2021-07-23 20:15:32 -0500 | [diff] [blame] | 58 | usermod -p ${DEFAULT_OPENBMC_PASSWORD} admin; \ |
| Joseph Reynolds | 68e567f | 2021-02-24 17:20:01 -0600 | [diff] [blame] | 59 | " |
| 60 | |
| 61 | # Add the "service" account. |
| 62 | IBM_EXTRA_USERS_PARAMS += " \ |
| 63 | useradd -M -d / --groups priv-admin,redfish,web,wheel service; \ |
| Joseph Reynolds | 356f9e1 | 2021-07-23 20:15:32 -0500 | [diff] [blame] | 64 | usermod -p ${DEFAULT_OPENBMC_PASSWORD} service; \ |
| Joseph Reynolds | 68e567f | 2021-02-24 17:20:01 -0600 | [diff] [blame] | 65 | " |
| 66 | |
| 67 | # This is recipe specific to ensure it takes effect. |
| Adriana Kobylak | b96c750 | 2021-08-06 16:25:30 +0000 | [diff] [blame] | 68 | EXTRA_USERS_PARAMS:pn-obmc-phosphor-image += "${@bb.utils.contains('DISTRO_FEATURES', 'ibm-service-account-policy', "${IBM_EXTRA_USERS_PARAMS}", '', d)}" |
| Joseph Reynolds | 68e567f | 2021-02-24 17:20:01 -0600 | [diff] [blame] | 69 | |
| 70 | # The service account needs sudo. |
| Adriana Kobylak | b96c750 | 2021-08-06 16:25:30 +0000 | [diff] [blame] | 71 | IMAGE_INSTALL:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ibm-service-account-policy', 'sudo', '', d)}" |