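# Extra packages added to the image, selected per machine / feature override.
# ":append" does not insert a separator, so each value starts with a space.
# ":remove" deletes the listed whitespace-separated items from the final value.
OBMC_IMAGE_EXTRA_INSTALL:append:ibm-ac-server = " mboxd max31785-msl phosphor-msl-verify liberation-fonts uart-render-controller first-boot-set-hostname"
OBMC_IMAGE_EXTRA_INSTALL:remove:witherspoon-tacoma = " liberation-fonts uart-render-controller"
OBMC_IMAGE_EXTRA_INSTALL:append:p10bmc = " mboxd"
# No host firmware related features for huygens wanted yet
OBMC_IMAGE_EXTRA_INSTALL:remove:huygens = " mboxd"
# chrony is installed only when the df-chrony override is active.
OBMC_IMAGE_EXTRA_INSTALL:append:df-chrony = " chrony"
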
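# Added unconditionally: there is no machine override on this append.
IMAGE_FEATURES:append = " obmc-dbus-monitor"

# remove so things fit in available flash space
# NOTE(review): removing obmc-user-mgmt-ldap presumably leaves witherspoon
# images with local accounts only -- confirm that is acceptable for sites that
# depend on centralized authentication.
IMAGE_FEATURES:remove:witherspoon = "obmc-user-mgmt-ldap"
IMAGE_FEATURES:remove:witherspoon = "obmc-telemetry"

# Generic IPMI FRU vpd collection not needed on p10bmc
IMAGE_FEATURES:remove:p10bmc = "obmc-fru-ipmi"
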
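# Optionally configure IBM service accounts
#
# To configure your distro, add the following line to its config:
#     DISTRO_FEATURES += "ibm-service-account-policy"
#
# The service account policy is as follows:
#   root - The root account remains present.  It is needed for internal
#     accounting purposes and for debugging service access.
#   admin - Provides administrative control over the BMC.  The role is
#     SystemAdministrator.  Admin users have access to interfaces including:
#     Redfish, REST APIs, Web.  No access to the BMC via: the BMC's physical
#     console, SSH to the BMC's command line.
#     IPMI access is not granted by default, but admins can authorize
#     themselves and enable the IPMI service.
#     The admin has access to the host console: ssh -p2200 admin@${bmc}.
#     The admin account does not have a home directory.
#   service - Provides IBM service and support representatives (SSRs, formerly
#     known as customer engineers or CEs) access to the BMC.  The role is
#     OemIBMServiceAgent.  The service user has full admin access, plus access
#     to BMC interfaces intended only to service the BMC and host, including
#     SSH access to the BMC's command line.
#     The service account is not authorized for IPMI because of the inherent
#     security weakness in the IPMI spec and also because the IPMI
#     implementation was not enhanced to use the ACF support.
#     The service account does not have a home directory.  The home directory is
#     set to / (the root directory) to allow dropbear ssh connections.
#
# Security note: both accounts below are created with the same build-time
# value, ${DEFAULT_OPENBMC_PASSWORD}.  "usermod -p" stores its argument as the
# already-hashed password, so every image built from an unchanged default ships
# identical admin and service credentials, and the service account also has
# SSH, the "wheel" group and sudo.  Override DEFAULT_OPENBMC_PASSWORD in the
# distro or build configuration for production images, or require a password
# change during provisioning.

# Override defaults from meta-phosphor/conf/distro/include/phosphor-defaults.inc

#IBM_EXTRA_USERS_PARAMS += " \
#  usermod -p ${DEFAULT_OPENBMC_PASSWORD} root; \
#  "

# Add group "wheel" (before adding the "service" account).
# The "+=" appends run in file order, which keeps groupadd ahead of the
# useradd that references the group.
IBM_EXTRA_USERS_PARAMS += " \
  groupadd wheel; \
  "

# Add the "admin" account.
# "-s /sbin/nologin" gives the account no interactive login shell, matching
# the policy above (no SSH to the BMC command line).
IBM_EXTRA_USERS_PARAMS += " \
  useradd --groups priv-admin,redfish,web -s /sbin/nologin admin; \
  usermod -p ${DEFAULT_OPENBMC_PASSWORD} admin; \
  "

# Add the "service" account.
# "-M" skips creating a home directory and "-d /" records / as the home
# directory.  No "-s" is given, so the account keeps the default login shell;
# membership in "wheel" is what distinguishes it from admin.
IBM_EXTRA_USERS_PARAMS += " \
  useradd -M -d / --groups priv-admin,redfish,web,wheel service; \
  usermod -p ${DEFAULT_OPENBMC_PASSWORD} service; \
  "

# This is recipe specific to ensure it takes effect.
# The accounts are only added when DISTRO_FEATURES contains
# ibm-service-account-policy; otherwise the expression expands to ''.
# NOTE(review): "+=" on an override-qualified name appends to the
# ":pn-obmc-phosphor-image" variant, which replaces rather than extends the
# base EXTRA_USERS_PARAMS when the override applies -- confirm nothing set on
# the base variable is expected to survive for this recipe.
EXTRA_USERS_PARAMS:pn-obmc-phosphor-image += "${@bb.utils.contains('DISTRO_FEATURES', 'ibm-service-account-policy', "${IBM_EXTRA_USERS_PARAMS}", '', d)}"

# The service account needs sudo.
# This append is not scoped to a recipe, so sudo is added wherever
# IMAGE_INSTALL is used while the feature is enabled.
# NOTE(review): the sudoers rule that grants rights to "wheel" is not defined
# in this file -- verify it is limited to what service access requires.
IMAGE_INSTALL:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ibm-service-account-policy', 'sudo', '', d)}"
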