path: root/meta-ibm/recipes-phosphor/images/obmc-phosphor-image.bbappend
blob: 745071f607c8642d8194c06a1444387a95c1cb53 (plain)
# Machine-specific adjustments to the image package set.
# ibm-ac-server machines get mboxd, max31785-msl and its verifier, the
# liberation fonts, the UART render controller and first-boot hostname setup.
OBMC_IMAGE_EXTRA_INSTALL:append:ibm-ac-server = " mboxd max31785-msl phosphor-msl-verify liberation-fonts uart-render-controller first-boot-set-hostname"
# witherspoon-tacoma drops two of the packages added above again
# (presumably not needed on that variant -- confirm with the machine config).
OBMC_IMAGE_EXTRA_INSTALL:remove:witherspoon-tacoma = " liberation-fonts uart-render-controller"
# p10bmc only takes mboxd from the list above.
OBMC_IMAGE_EXTRA_INSTALL:append:p10bmc = " mboxd"

# Enable the D-Bus monitor feature on every image built from this layer.
IMAGE_FEATURES:append = " obmc-dbus-monitor"

# remove so things fit in available flash space
# Each :remove line accumulates with the others for the same override rather
# than replacing it, so both features below are dropped on witherspoon.
IMAGE_FEATURES:remove:witherspoon = "obmc-user-mgmt-ldap"
IMAGE_FEATURES:remove:witherspoon = "obmc-telemetry"

# Generic IPMI FRU vpd collection not needed on p10bmc
IMAGE_FEATURES:remove:p10bmc = "obmc-fru-ipmi"

# Optionally configure IBM service accounts
#
# To configure your distro, add the following line to its config:
#     DISTRO_FEATURES += "ibm-service-account-policy"
#
# The service account policy is as follows:
#   root - The root account remains present.  It is needed for internal
#     accounting purposes and for debugging service access.
#   admin - Provides administrative control over the BMC.  The role is
#     SystemAdministrator.  Admin users have access to interfaces including:
#     Redfish, REST APIs, Web.  No access to the BMC via: the BMC's physical
#     console, SSH to the BMC's command line.
#     IPMI access is not granted by default, but admins can authorize
#     themselves and enable the IPMI service.
#     The admin has access to the host console: ssh -p2200 admin@${bmc}.
#     The admin account does not have a home directory.
#   service - Provides IBM service and support representatives (SSRs, formerly
#     known as customer engineers or CEs) access to the BMC.  The role is
#     OemIBMServiceAgent.  The service user has full admin access, plus access
#     to BMC interfaces intended only to service the BMC and host, including
#     SSH access to the BMC's command line.
#     The service account is not authorized to use IPMI because of the inherent
#     security weaknesses in the IPMI spec and because the IPMI
#     implementation was not enhanced to use the ACF support.
#     The service account does not have a home directory.  The home directory is
#     set to / (the root directory) to allow dropbear ssh connections.

# Override defaults from meta-phosphor/conf/distro/include/phosphor-defaults.inc

# Disabled: if re-enabled, this would set root's password to the same
# DEFAULT_OPENBMC_PASSWORD value used for the admin and service accounts below.
#IBM_EXTRA_USERS_PARAMS += " \
#  usermod -p ${DEFAULT_OPENBMC_PASSWORD} root; \
#  "

# Add group "wheel" (before adding the "service" account).
# The "service" account is added to this group below; the sudoers policy that
# gives "wheel" any privilege is not part of this file.
IBM_EXTRA_USERS_PARAMS += " \
  groupadd wheel; \
  "

# Add the "admin" account.
# -s /sbin/nologin denies an interactive shell, which is what keeps admin off
# the BMC command line (console/SSH) while priv-admin, redfish and web grant
# the management interfaces listed in the policy above.
# usermod -p takes an already-encrypted password, so DEFAULT_OPENBMC_PASSWORD
# is expected to hold a hash, not cleartext; it is the shared default for
# every account created here and should be changed on first use.
# NOTE(review): no -M here, so whether a home directory is created depends on
# useradd's CREATE_HOME default in the image -- confirm against the policy
# statement that admin has no home directory.
IBM_EXTRA_USERS_PARAMS += " \
  useradd --groups priv-admin,redfish,web -s /sbin/nologin admin; \
  usermod -p ${DEFAULT_OPENBMC_PASSWORD} admin; \
  "

# Add the "service" account.
# -M skips creating a home directory and -d / points the account at the root
# directory, which the policy above says is required for dropbear SSH logins.
# Unlike admin, no -s /sbin/nologin is given: the service account keeps a
# login shell and therefore SSH command-line access, and "wheel" membership
# pairs with the sudo package installed below.
# The initial password is the same DEFAULT_OPENBMC_PASSWORD used for admin.
IBM_EXTRA_USERS_PARAMS += " \
  useradd -M -d / --groups priv-admin,redfish,web,wheel service; \
  usermod -p ${DEFAULT_OPENBMC_PASSWORD} service; \
  "

# This is recipe specific (the :pn-obmc-phosphor-image override) to ensure it
# takes effect.  The accounts above are only created when the distro opts in
# with DISTRO_FEATURES "ibm-service-account-policy"; otherwise nothing is added.
EXTRA_USERS_PARAMS:pn-obmc-phosphor-image += "${@bb.utils.contains('DISTRO_FEATURES', 'ibm-service-account-policy', "${IBM_EXTRA_USERS_PARAMS}", '', d)}"

# The service account needs sudo.
# Installed under the same DISTRO_FEATURES gate as the accounts, so images
# without the policy do not pick up sudo from this file.
IMAGE_INSTALL:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ibm-service-account-policy', 'sudo', '', d)}"