# Packages appended to the image only when the ibm-ac-server override is active.
# The value starts with a space because :append adds no separator of its own.
OBMC_IMAGE_EXTRA_INSTALL:append:ibm-ac-server = " mboxd max31785-msl phosphor-msl-verify liberation-fonts uart-render-controller first-boot-set-hostname"
# witherspoon-tacoma takes liberation-fonts and uart-render-controller back out
# of the list; :remove is applied after every append has been processed.
OBMC_IMAGE_EXTRA_INSTALL:remove:witherspoon-tacoma = " liberation-fonts uart-render-controller"
# p10bmc images get mboxd as an extra package.
OBMC_IMAGE_EXTRA_INSTALL:append:p10bmc = " mboxd"
# p10bmc-distributed images additionally install etcd.
# NOTE(review): etcd is a network-reachable key-value store; its listener
# addresses, TLS and client authentication are not configured in this file.
# Confirm they are locked down wherever the etcd configuration is provided.
OBMC_IMAGE_EXTRA_INSTALL:append:p10bmc-distributed = " etcd"
# No machine override here: obmc-dbus-monitor is added to IMAGE_FEATURES for
# every machine that picks up this file.
IMAGE_FEATURES:append = " obmc-dbus-monitor"
# remove so things fit in available flash space
# NOTE(review): dropping obmc-user-mgmt-ldap presumably leaves witherspoon
# images with locally defined BMC accounts only; confirm that is acceptable
# for deployments that expect directory-backed accounts.
IMAGE_FEATURES:remove:witherspoon = "obmc-user-mgmt-ldap"
# Second witherspoon-only removal. BitBake accumulates :remove operations, so
# this line adds to the obmc-user-mgmt-ldap removal rather than replacing it.
IMAGE_FEATURES:remove:witherspoon = "obmc-telemetry"
# Generic IPMI FRU vpd collection not needed on p10bmc
# :remove is applied after all appends, so obmc-fru-ipmi stays out of p10bmc
# images even if another layer appends it to IMAGE_FEATURES.
IMAGE_FEATURES:remove:p10bmc = "obmc-fru-ipmi"
# Optionally configure IBM service accounts
#
# To configure your distro, add the following line to its config:
#     DISTRO_FEATURES += "ibm-service-account-policy"
#
# The service account policy is as follows:
#   root - The root account remains present.  It is needed for internal
#     accounting purposes and for debugging service access.
#   admin - Provides administrative control over the BMC.  The role is
#     SystemAdministrator.  Admin users have access to interfaces including:
#     Redfish, REST APIs, Web.  Admin users have no access to the BMC via
#     the BMC's physical console or via SSH to the BMC's command line.
#     IPMI access is not granted by default, but admins can authorize
#     themselves and enable the IPMI service.
#     The admin has access to the host console: ssh -p2200 admin@${bmc}.
#     The admin account does not have a home directory.
#   service - Provides IBM service and support representatives (SSRs, formerly
#     known as customer engineers or CEs) access to the BMC.  The role is
#     OemIBMServiceAgent.  The service user has full admin access, plus access
#     to BMC interfaces intended only to service the BMC and host, including
#     SSH access to the BMC's command line.
#     The service account is not authorized to use IPMI because of the
#     inherent security weakness in the IPMI spec and also because the IPMI
#     implementation was not enhanced to use the ACF support.
#     The service account does not have a home directory of its own.  Its home
#     directory is set to / (the root directory) to allow dropbear ssh
#     connections.
# Override defaults from meta-phosphor/conf/distro/include/phosphor-defaults.inc

#IBM_EXTRA_USERS_PARAMS += " \
#  usermod -p ${DEFAULT_OPENBMC_PASSWORD} root; \
#  "
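# Add group "wheel" (before adding the "service" account).
# The useradd for "service" further down lists wheel in --groups, so the group
# has to exist by the time that command runs.
# NOTE(review): no sudoers rule for wheel is set in this file; confirm where the
# group's sudo rights are defined and that they are scoped as intended.
IBM_EXTRA_USERS_PARAMS += " \
  groupadd wheel; \
  "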
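# Add the "admin" account.
# -s /sbin/nologin: the account gets no login shell on the BMC.
# -M: never create a home directory, so the result matches the policy text
#     ("The admin account does not have a home directory") regardless of the
#     useradd defaults in the build, and matches how "service" is created.
# usermod -p stores its argument as the already-encrypted password field.
# DEFAULT_OPENBMC_PASSWORD is not defined in this file (presumably it comes from
# phosphor-defaults.inc, which this section overrides).
# NOTE(review): every image built with ibm-service-account-policy starts with
# the same default credential for admin. Confirm that a password change is
# forced before the BMC is reachable on a production network, and that the
# default value is not reused across product lines.
IBM_EXTRA_USERS_PARAMS += " \
  useradd -M --groups priv-admin,redfish,web -s /sbin/nologin admin; \
  usermod -p ${DEFAULT_OPENBMC_PASSWORD} admin; \
  "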
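# Add the "service" account.
# -M: do not create a home directory.
# -d /: record / as the home directory; the policy text in this file says this
#       is what allows dropbear ssh connections for the account.
# No -s option is given, so the account keeps the default login shell, and
# wheel membership is what ties it to the sudo package installed below.
# usermod -p stores its argument as the already-encrypted password field.
# NOTE(review): this is the most privileged account defined here (SSH to the
# BMC command line plus wheel) and it starts with the same default password as
# admin. The policy text mentions ACF support; confirm that service logins are
# actually gated by it and not by this default password alone.
IBM_EXTRA_USERS_PARAMS += " \
  useradd -M -d / --groups priv-admin,redfish,web,wheel service; \
  usermod -p ${DEFAULT_OPENBMC_PASSWORD} service; \
  "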
# This is recipe specific to ensure it takes effect.
# bb.utils.contains() expands to ${IBM_EXTRA_USERS_PARAMS} only when
# DISTRO_FEATURES contains "ibm-service-account-policy"; otherwise it expands to
# an empty string, so no wheel group or admin/service account is created.
# The pn-obmc-phosphor-image override scopes the addition to that one recipe.
EXTRA_USERS_PARAMS:pn-obmc-phosphor-image += "${@bb.utils.contains('DISTRO_FEATURES', 'ibm-service-account-policy', "${IBM_EXTRA_USERS_PARAMS}", '', d)}"
# The service account needs sudo.
# sudo is installed only when DISTRO_FEATURES contains
# "ibm-service-account-policy"; otherwise only the leading space is appended.
# NOTE(review): this line installs the package and nothing else. Confirm which
# sudoers policy ships in the image and that it grants the wheel group no more
# than the service role requires.
IMAGE_INSTALL:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ibm-service-account-policy', 'sudo', '', d)}"