# BitBake image configuration: per-machine package and image-feature
# selection, followed by the optional IBM service-account policy that creates
# the "admin" and "service" users at image build time.

# Each suffix after :append / :remove is an override; the line takes effect
# only when that override is active.
OBMC_IMAGE_EXTRA_INSTALL:append:ibm-ac-server = " mboxd max31785-msl phosphor-msl-verify liberation-fonts uart-render-controller first-boot-set-hostname"
OBMC_IMAGE_EXTRA_INSTALL:remove:witherspoon-tacoma = " liberation-fonts uart-render-controller"
OBMC_IMAGE_EXTRA_INSTALL:append:p10bmc = " mboxd"
# No host firmware related features for huygens wanted yet
OBMC_IMAGE_EXTRA_INSTALL:remove:huygens = " mboxd"
OBMC_IMAGE_EXTRA_INSTALL:append:df-chrony = " chrony"

IMAGE_FEATURES:append = " obmc-dbus-monitor"

# remove so things fit in available flash space
# (this drops LDAP user management and telemetry from witherspoon images)
IMAGE_FEATURES:remove:witherspoon = "obmc-user-mgmt-ldap"
IMAGE_FEATURES:remove:witherspoon = "obmc-telemetry"

# Generic IPMI FRU vpd collection not needed on p10bmc
IMAGE_FEATURES:remove:p10bmc = "obmc-fru-ipmi"

# Optionally configure IBM service accounts
#
# To configure your distro, add the following line to its config:
#     DISTRO_FEATURES += "ibm-service-account-policy"
#
# The service account policy is as follows:
#   root - The root account remains present. It is needed for internal
#     accounting purposes and for debugging service access.
#   admin - Provides administrative control over the BMC. The role is
#     SystemAdministrator. Admin users have access to interfaces including:
#     Redfish, REST APIs, Web. No access to the BMC via: the BMC's physical
#     console, SSH to the BMC's command line.
#     IPMI access is not granted by default, but admins can authorize
#     themselves and enable the IPMI service.
#     The admin has access to the host console: ssh -p2200 admin@${bmc}.
#     The admin account does not have a home directory.
#   service - Provides IBM service and support representatives (SSRs, formerly
#     known as customer engineers or CEs) access to the BMC. The role is
#     OemIBMServiceAgent. The service user has full admin access, plus access
#     to BMC interfaces intended only to service the BMC and host, including
#     SSH access to the BMC's command line.
#     The service account is not authorized for IPMI because of the inherent
#     security weakness in the IPMI spec and also because the IPMI
#     implementation was not enhanced to use the ACF support.
#     The service account does not have a home directory. The home directory is
#     set to / (the root directory) to allow dropbear ssh connections.

# Override defaults from meta-phosphor/conf/distro/include/phosphor-defaults.inc

# The root password override below is commented out, so nothing in this file
# sets root's password.
# NOTE(review): root's credential then comes from whatever the base
# configuration sets - confirm that is the intended value for this distro.
#IBM_EXTRA_USERS_PARAMS += " \
#  usermod -p ${DEFAULT_OPENBMC_PASSWORD} root; \
#  "

# Add group "wheel" (before adding the "service" account).
# The group must exist before the useradd below that names it in --groups.
IBM_EXTRA_USERS_PARAMS += " \
  groupadd wheel; \
  "

# Add the "admin" account.
# -s /sbin/nologin gives the account no login shell, which matches the policy
# above (no command-line access to the BMC itself).
# usermod -p expects an already-hashed password; the hash comes from
# DEFAULT_OPENBMC_PASSWORD, which is defined outside this file. Every image
# built with this policy therefore ships "admin" with the same default
# credential until it is changed on the system.
IBM_EXTRA_USERS_PARAMS += " \
  useradd --groups priv-admin,redfish,web -s /sbin/nologin admin; \
  usermod -p ${DEFAULT_OPENBMC_PASSWORD} admin; \
  "

# Add the "service" account.
# -M creates no home directory and -d / records / as the home path (see the
# dropbear note in the policy text). No -s is given, so the account keeps the
# default login shell, and it is the only account placed in "wheel".
# It receives the same DEFAULT_OPENBMC_PASSWORD hash as "admin", so the most
# privileged account created here (SSH plus wheel) starts with the shared
# default credential.
# NOTE(review): the policy text refers to ACF support for the service user;
# nothing in this file configures it - confirm where that is enforced.
IBM_EXTRA_USERS_PARAMS += " \
  useradd -M -d / --groups priv-admin,redfish,web,wheel service; \
  usermod -p ${DEFAULT_OPENBMC_PASSWORD} service; \
  "

# This is recipe specific to ensure it takes effect.
# bb.utils.contains expands to IBM_EXTRA_USERS_PARAMS only when
# DISTRO_FEATURES includes ibm-service-account-policy, and to an empty string
# otherwise.
# NOTE(review): this assigns to the pn-obmc-phosphor-image override of
# EXTRA_USERS_PARAMS rather than to the base variable, and it does so whether
# or not the feature is enabled. For that recipe the override value is
# presumably used in place of any plain EXTRA_USERS_PARAMS assignment made
# elsewhere - confirm that no account setting from the base configuration
# (for example a root password) is expected to survive.
EXTRA_USERS_PARAMS:pn-obmc-phosphor-image += "${@bb.utils.contains('DISTRO_FEATURES', 'ibm-service-account-policy', "${IBM_EXTRA_USERS_PARAMS}", '', d)}"

# The service account needs sudo.
# sudo is installed only when the policy feature is enabled.
# NOTE(review): the sudoers rule that grants "wheel" its rights is not in this
# file - verify its scope where it is defined.
IMAGE_INSTALL:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ibm-service-account-policy', 'sudo', '', d)}"