Configuring groups and users

Configure security and isolation for your image by granting role-based access to the QM and ASIL partitions or specific directories within those partitions.

OSBuild manifests built by the automotive-image-builder tool reference variables set in ipp.yml files stored in include/ and targets/. You can override these default variables by adding new or modified variable values in the mpp-vars section at the beginning of your manifest or within its body, as shown in the users.mpp.yml example, or by redefining them on the build command line with --define VAR=VALUE.

Prerequisites

Procedure

To configure groups and users for your OS image, add the following stages to your custom image manifest.

org.osbuild.groups
Creates group accounts with configurable group IDs (gid).
org.osbuild.users
Adds or modifies user accounts with configurable user IDs (uid).

For more information about these stages, see the OSBuild documentation about org.osbuild.groups and org.osbuild.users.

  1. Optional: To add new variables or override default variable values that you can call later with mpp-eval in the manifest, define each in the mpp-vars section at the top of the manifest:

    version: '2'
    mpp-vars:
      name: <manifest_name>
      use_qm: true # defaults to false in `defaults.mpp.yml`
      <ipp_var>: <modified_value>
      <new_var>: <value>
      asil_container_uid: <value>

  2. Optional: Create directories for users if they don’t already exist:

    - type: org.osbuild.mkdir
      options:
        paths:
          - path: /var/guest
            parents: true

  3. Create groups for the guest user and QM and ASIL namespaces:

    - type: org.osbuild.groups
      options:
        groups:
          guest:
            gid:
              mpp-eval: guest_gid
          qm_group:
            gid: <manual_gid_value>
          asil_group:
            gid: <manual_gid_value>

  4. Create the guest user and one or more QM and ASIL namespaces within their respective pipelines:

    pipelines:
    - name: qm_rootfs
      build: name:build
      stages:
        ...
        - type: org.osbuild.users
          options:
            users:
              guest:
                password:
                  mpp-eval: guest_password
                gid:
                  mpp-eval: guest_gid
                uid:
                  mpp-eval: guest_uid
                home: /var/guest
              <qm_namespace>:
                gid: qm_group
                uid: <manual_uid_value>
                home: /usr/share/qm
                shell: /usr/sbin/nologin

    - name: rootfs
      build: name:build
      stages:
        ...
        - type: org.osbuild.users
          options:
            users:
              <asil_container>:
                gid: asil_group
                uid:
                  mpp-eval: asil_container_uid
                home: /etc/containers/systemd
                shell: /usr/sbin/nologin

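The steps above define accounts partly through mpp-vars and partly through literal values, and a --define on the command line can silently change the resolved uid or gid. The following script is an added example, not code from this page or from the automotive-image-builder project: it resolves mpp-eval references in a manifest and then checks, per pipeline, that no non-root user ends up with uid 0, that no uid or gid is shared, that every group name a user references is created by an org.osbuild.groups stage in the same pipeline, and that passwordless service users keep the nologin shell. The embedded MANIFEST is a constructed Python dict mirroring the YAML fragments of the procedure; the variable names guest_uid, guest_gid, guest_password and asil_container_uid are the page's, while the numeric values, the user names qm_svc and asil_container, the gids 2001 and 2002 and the password hash are placeholders. Only the bare-variable form of mpp-eval is resolved, which is an assumption; the real preprocessor evaluates Python expressions.

```python
"""Offline sanity checks for the users/groups stages of an OSBuild MPP manifest.

Added example; not code from the page or the automotive-image-builder project.
Only the bare-variable form of mpp-eval is resolved here (assumption); the real
preprocessor evaluates Python expressions.
"""
from typing import Any, Dict, List, Optional

NOLOGIN = "/usr/sbin/nologin"

# Constructed manifest mirroring the procedure's fragments. Variable names are the
# page's; numeric values, qm_svc/asil_container and the password hash are placeholders.
MANIFEST: Dict[str, Any] = {
    "version": "2",
    "mpp-vars": {"name": "users-example", "use_qm": True, "guest_uid": 1000,
                 "guest_gid": 1000, "guest_password": "$6$PLACEHOLDER-HASH",
                 "asil_container_uid": 1001},
    "pipelines": [
        {"name": "qm_rootfs", "build": "name:build", "stages": [
            {"type": "org.osbuild.mkdir",
             "options": {"paths": [{"path": "/var/guest", "parents": True}]}},
            {"type": "org.osbuild.groups", "options": {"groups": {
                "guest": {"gid": {"mpp-eval": "guest_gid"}},
                "qm_group": {"gid": 2001}}}},
            {"type": "org.osbuild.users", "options": {"users": {
                "guest": {"password": {"mpp-eval": "guest_password"},
                          "gid": {"mpp-eval": "guest_gid"},
                          "uid": {"mpp-eval": "guest_uid"}, "home": "/var/guest"},
                "qm_svc": {"gid": "qm_group", "uid": 2001,
                           "home": "/usr/share/qm", "shell": NOLOGIN}}}}]},
        {"name": "rootfs", "build": "name:build", "stages": [
            {"type": "org.osbuild.groups",
             "options": {"groups": {"asil_group": {"gid": 2002}}}},
            {"type": "org.osbuild.users", "options": {"users": {
                "asil_container": {"gid": "asil_group",
                                   "uid": {"mpp-eval": "asil_container_uid"},
                                   "home": "/etc/containers/systemd",
                                   "shell": NOLOGIN}}}}]},
    ],
}


def apply_defines(variables: Dict[str, Any], defines: List[str]) -> Dict[str, Any]:
    """Overlay `--define VAR=VALUE` style overrides on top of the mpp-vars block."""
    merged = dict(variables)
    for item in defines:
        key, _, value = item.partition("=")
        merged[key] = int(value) if value.lstrip("-").isdigit() else value
    return merged


def resolve(node: Any, variables: Dict[str, Any]) -> Any:
    """Recursively replace {"mpp-eval": "<var>"} nodes with the variable's value."""
    if isinstance(node, dict):
        if set(node) == {"mpp-eval"}:
            expr = node["mpp-eval"]
            if expr not in variables:
                raise KeyError(f"mpp-eval references undefined variable {expr!r}")
            return variables[expr]
        return {k: resolve(v, variables) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, variables) for v in node]
    return node


def check_accounts(manifest: Dict[str, Any], defines: Optional[List[str]] = None) -> List[str]:
    """Return findings per pipeline after resolving variables; [] means all checks passed."""
    resolved = resolve(manifest, apply_defines(manifest.get("mpp-vars", {}), defines or []))
    findings: List[str] = []
    for pipeline in resolved.get("pipelines", []):
        pname, groups, users = pipeline["name"], {}, {}
        for stage in pipeline.get("stages", []):
            if stage["type"] == "org.osbuild.groups":
                groups.update(stage["options"]["groups"])
            elif stage["type"] == "org.osbuild.users":
                users.update(stage["options"]["users"])
        seen: Dict[Any, str] = {}
        for name, spec in groups.items():
            gid = spec.get("gid")
            if gid in seen:
                findings.append(f"{pname}: gid {gid} shared by {seen[gid]} and {name}")
            seen.setdefault(gid, name)
        seen = {}
        for name, spec in users.items():
            uid, gid = spec.get("uid"), spec.get("gid")
            if uid == 0 and name != "root":
                findings.append(f"{pname}: user {name} has uid 0")
            if uid in seen:
                findings.append(f"{pname}: uid {uid} shared by {seen[uid]} and {name}")
            seen.setdefault(uid, name)
            if isinstance(gid, str) and gid not in groups:
                findings.append(f"{pname}: user {name} references undefined group {gid!r}")
            if "password" not in spec and spec.get("shell") != NOLOGIN:
                findings.append(f"{pname}: passwordless user {name} keeps a login shell")
    return findings


if __name__ == "__main__":
    for define in ([], ["asil_container_uid=0"], ["guest_uid=2001"]):
        print(define or "defaults", "->", check_accounts(MANIFEST, define) or "OK")
```

With the defaults the checks pass; passing the same list that would go to --define shows how an override such as asil_container_uid=0 or guest_uid=2001 turns into a root-equivalent or colliding account, which is the kind of regression worth catching in CI before the image is built.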

© Red Hat