Configuring groups and users
Configuring groups and users¶
Configure security and isolation for your image by granting role-based access to the QM and ASIL partitions or specific directories within those partitions.
OSBuild manifests built by the automotive-image-builder tool reference variables set in ipp.yml files stored in include/ and targets/.
You can override these default variables by adding new or modified variable values in the mpp-var
section at the beginning or within the body of your manifest,
as shown in the users.mpp.yml example,
or redefining them in the build command by using --define VAR=VALUE.
Prerequisites
- A custom manifest file, such as the manifest file that you created in Embedding RPM packages in the AutoSD image or the Sample custom OSBuild manifest
Procedure
To configure groups and users for your OS image, add the following stages to your custom image manifest.
org.osbuild.groups
: Creates group accounts with configurable group IDs (gid).
org.osbuild.users
: Adds or modifies user accounts with configurable user IDs (uid).
For more information about these stages, see the OSBuild documentation about org.osbuild.groups and org.osbuild.users.
-
Optional: To add new variables or override default variable values that you can call later with
mpp-evalin the manifest, define each in thempp-varssection at the top of the manifest:console version: '2' mpp-vars: name: <manifest_name> use_qm: true # defaults to false in `defaults.mpp.yml` <ipp_var>: <modified_value> <new_var>: <value> <asil_container_uid>: <value> -
Optional: Create directories for users if they don't already exist:
console - type: org.osbuild.mkdir options: paths: - path: /var/guest parents: true -
Create groups for the guest user and QM and ASIL namespaces:
console - type: org.osbuild.groups options: groups: guest: gid: mpp-eval: guest_gid qm_group: gid: <manual_gid_value> asil_group: gid: <manual_gid_value> -
Create the guest user and one or more QM and ASIL namespaces within their respective pipelines:
```console pipelines: - name: qm_rootfs build: name:build stages: ... - type: org.osbuild.users options: users: guest: password: mpp-eval: guest_password gid: mpp-eval: guest_gid uid: mpp-eval: guest_uid home: /var/guest
: gid: qm_group uid: home: /usr/share/qm shell: /usr/sbin/nologin - name: rootfs
build: name:build
stages:
...
- type: org.osbuild.users
options:
users:
: gid: asil_group uid: mpp-eval: asil_container_uid home: /etc/containers/systemd shell: /usr/sbin/nologin ```
- type: org.osbuild.users
options:
users:
- name: rootfs
build: name:build
stages:
...