| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
This feature is not needed on p10bmc systems and causes unwanted probing
of i2c hardware and journal entries.
Tested:
- Booted p10bmc machine and made sure it still worked as expected
and no new errors arose
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: Idff2477060f5719ad85529daff28ef945e77700e
|
|
Running out of flash space on our witherspoon system so need to cut
back some function. Telemetry is fairly new and takes a sizeable chunk
of flash space (200KB)
Tested:
- Verified squashfs went from 19.20MB to 19.00MB with this change
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: I1741649f573cd25363167d69b4a802f2f261d93a
|
|
Change-Id: I9116ed7260e369136acb39eec15075db2d4dbeba
Signed-off-by: Adriana Kobylak <anoo@us.ibm.com>
|
|
Background:
OpenBMC provisions the BMC firmware image with the root account password
in a form which is no longer acceptable to Linux-PAM version 1.5.1.
Specifically, [phosphor-defaults.inc][] sets the password hash into
/etc/shadow as "\$1\$UGMqyqdG\$FZiylVFmRRfl9Z0Ue8G7e/", where $1
indicates the deprecated [MD5 hash algorithm][]. Ref: [wikipedia passwd
entry][]. Beginning around PAM version 1.5.1, when you log in, the
[pam_unix.so module][] authenticates okay but requires the password to
be changed. (For example, you'll get a message like "You are required
to change your password immediately (administrator enforced)." This
behavior is undesirable for OpenBMC project defaults, and is not
tolerated by the project's current continuous integration tools.)
This change is to replace the password hash to keep the same cleartext
password but hashed with an acceptable algorithm.
Specifically, the password hash supplied in phosphor-defaults.inc is
updated to use the same password as before but encoded
with the SHA-512 algorithm. The hash was generated by the
`openssl passwd -6 0penBmc` command. This change ought to be
transparent and forward and backward compatible.
Note various meta-layers use this same hash string in
conf/local.conf.sample files. They are changed to match.
References:
[phosphor-defaults.inc]: https://github.com/openbmc/openbmc/blob/1a977b269ed437bebb9ae7810e3157746ec9174d/meta-phosphor/conf/distro/include/phosphor-defa
ults.inc#L245
[wikipedia passwd entry]: https://en.wikipedia.org/wiki/Passwd
[pam_unix.so module]: https://github.com/linux-pam/linux-pam/tree/master/modules/pam_unix
[MD5 hash algorithm]: https://en.wikipedia.org/wiki/MD5
Tested:
Created image with new password hash and PAM 1.5.1 and checked that
login works okay and does not require the passwod to be changed.
Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net>
Change-Id: I5b189374f08ba506dbed7f8b9b991f2808cc3bc5
|
|
Background: The OpenBmc project default root account password is set
in meta-phosphor/conf/distro/include/phosphor-defaults.inc and can be
customized in each layer's local.conf file.
Many of these local.conf.sample files had redundant code to set the
password, which probably should not have been there. Removing them
allows the defaults in phosphor-defaults.inc to take effect.
Tested: No. Only meta-ibm was tested.
Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net>
Change-Id: I76dce00d269d7afa005d7bcfd63f846d3cf45596
|
|
This creates a new DISTRO_FEATURE "ibm-service-account-policy" which
- Adds an admin account which cannot SSH to the BMC's command shell.
- Adds a service account which can SSH and has passwordless sudo access.
This feature is applied to witherspoon-tacoma and p10bmc (rainier).
Tested:
The image behaves as before when the distro feature is not configured.
When the distro feature is configured:
The root user has the same access as before.
The admin user:
- Is not allowed to access the BMC's command shell.
- Console login gets: This account is currently not available.
- SSH login gets: Permission denied, please try again.
- Redfish and REST API access works with role=Administrator.
The service user:
- Console login to the BMC's command shell works. The home
directory is /. Passwordless sudo works.
- SSH login works and using sudo from a SSH session works.
- Redfish and REST API access works with role=Administrator.
Change-Id: Icac5ba7f4fa663047709ab55007bbcfec8158f5e
Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net>
|
|
The IBM rainier machine name is being replaced with the generic p10bmc.
Change-Id: I0a265a7eb9d763a8385a7139dae47bf2f475c672
Signed-off-by: Adriana Kobylak <anoo@us.ibm.com>
|
|
The ibmtpm2tss tools are required to use the Nuvoton NPCT750A TPM
from userland.
The ibmtpm2tss package also required OpenSSL camellia support, so
remove the override disabling that for those two machines.
Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
Change-Id: Ifc0afc58f4a31ea4b6d1750d470738d0d0e82754
|
|
openbmc master has exceeded the available flash space on witherspoon.
Remove LDAP so it fits again and we can continue to use witherspoon for
HW CI validation of openbmc master commits.
IBM has forked off its own openbmc repo for maintenance of customer
witherspoon systems. Therefore it is not necessary for openbmc
master to continue to support everything.
Tested:
- Verified generated image flashes on witherspoon and HW CI tests passed
- obmc-phosphor-image-witherspoon.squashfs-xz 19.27MB -> 18.53MB
(From meta-ibm rev: 6390f0999f00b1cdfe19daf2d7e8868c25808497)
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: I39b5d785919bdcd54b6bcf04217439050442f119
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
|
|
- This commit removes the first-boot-set-mac service as the
similar and a better functionaly is now implemented in
phosphor-networkd service.
- Here are the few disadvantages of the first-boot-set-mac service
1. The first-boot-set-mac is a script is not scalable with the
increase in the number of ethernet interfaces.
2. Why do we need a new service just for setting the MAC Address
when the network service alone can do it , and it makes sense
to tie up this feature with Network as setting MAC address
functionality is implemented and owned by networkd.
3. With first-boot-set MAC, we need to make sure the VPD is populated
before , if for any reason the VPD is not generated the first-boot
service cannot help set the MAC.
(From meta-ibm rev: 8638c6eb8d54507b632088b329c104e859cd8d19)
Signed-off-by: manojkiran.eda@gmail.com <manojeda@in.ibm.com>
Change-Id: I955834b56c28f9a311563dd40607c8f2ba305d40
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
|
|
The metadata common to all IBM systems is confusingly split between
meta-ibm and meta-witherspoon. Move everything to meta-ibm.
The meta-ibm README is re-written to more accurately reflect the scope
of the layer.
Allow the configuration samples (bblayers.conf.sample,
local.conf.sample) to be sourced from either meta-ibm or
meta-witherspoon until such a time that any workflows and tooling have
had the opportunity to move to meta-ibm.
(From meta-ibm rev: 6e05ef2e90b214eaf4e43ee7027bbbb1d8d09442)
Change-Id: I3ec890d5300f9649c974ea6b9dca93a2e8a889ab
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
|
