diff --git a/README.md b/README.md
index b46c742..6ded691 100644
--- a/README.md
+++ b/README.md
@@ -16,6 +16,7 @@ ENABLE_UBOOT=true ./rpi2-gen-image.sh
 ENABLE_CONSOLE=false ENABLE_IPV6=false ./rpi2-gen-image.sh
 ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi2-gen-image.sh
 APT_SERVER=ftp.de.debian.org APT_PROXY="http://127.0.0.1:3142/" ./rpi2-gen-image.sh
+ENABLE_MINBASE=true ./rpi2-gen-image.sh
 ```
 
 #### APT settings:
@@ -27,54 +28,57 @@ Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will sp #### General system settings: ##### `HOSTNAME`="rpi2-jessie" -Set system host name. It is recommended that the host name is unique in the corresponding subnet. +Set system host name. It's recommended that the host name is unique in the corresponding subnet. ##### `PASSWORD`="raspberry" -Set system root password. It is **STRONGLY** recommended that you choose a custom password. +Set system `root` password. The same password is used for the created user `pi`. It's **STRONGLY** recommended that you choose a custom password. ##### `DEFLOCAL`="en_US.UTF-8" -Set default system locale and keyboard layout. This setting can also be changed inside the running OS using the `dpkg-reconfigure locales` command. +Set default system locale and keyboard layout. This setting can also be changed inside the running OS using the `dpkg-reconfigure locales` command. The script variant `minbase` (ENABLE_MINBASE=true) doesn't install `locales`. ##### `TIMEZONE`="Europe/Berlin" Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command. #### Basic system features: ##### `ENABLE_CONSOLE`=true -Enable console output +Enable serial console interface. Recommended if no monitor or keyboard is connected to the RPi2. In case of problems fe. if the network (auto) configuration failed - the serial console can be used to access the system. ##### `ENABLE_IPV6`=true -Enable IPv6 support +Enable IPv6 support. The network interface configuration is managed via systemd-networkd. ##### `ENABLE_SSHD`=true -Install and enable OpenSSH service +Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root. 
##### `ENABLE_SOUND`=true -Enable sound hardware and install Advanced Linux Sound Architecture +Enable sound hardware and install Advanced Linux Sound Architecture. ##### `ENABLE_HWRANDOM`=true -Enable Hardware Random Number Generator +Enable Hardware Random Number Generator. Strong random numbers are important for most network based communications that use encryption. It's recommended to be enabled. ##### `ENABLE_MINGPU`=false -Minimize the amount of shared memory reserverd for the GPU +Minimize the amount of shared memory reserverd for the GPU. It doesn't seem to be possible to fully disable the GPU. ##### `ENABLE_DBUS`=true -Install and enable D-Bus message bus +Install and enable D-Bus message bus. Please note that systemd should work without D-bus but it's recommended to be enabled. ##### `ENABLE_XORG`=false -Install Xorg open-source X Window System +Install Xorg open-source X Window System. ##### `ENABLE_FLUXBOX`=false -Install Fluxbox window manager for the X Window System +Install Fluxbox window manager for the X Window System. #### Advanced sytem features: +##### `ENABLE_MINBASE`=false +Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB. + ##### `ENABLE_UBOOT`=false -Replace default RPi bootloader with U-Boot bootloader +Replace default RPi bootloader with U-Boot bootloader. U-Boot can boot images via the network using the BOOTP/TFTP protocol. ##### `ENABLE_IPTABLES`=false -Enable iptables IPv4/IPv6 firewall +Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service. ##### `ENABLE_HARDNET`=false -Enable IPv4/IPv6 network stack hardening settings +Enable IPv4/IPv6 network stack hardening settings. ## Logging of the bootstrapping process All information related to the bootstrapping process and the commands executed by the `rpi2-gen-image.sh` script can easily be saved into a logfile. 
The common shell command `script` can be used for this purpose:
diff --git a/rpi2-gen-image.sh b/rpi2-gen-image.sh
index cc0a968..5b6a2ff 100755
--- a/rpi2-gen-image.sh
+++ b/rpi2-gen-image.sh
@@ -60,6 +60,7 @@ ENABLE_XORG=${ENABLE_XORG:=false}
 ENABLE_FLUXBOX=${ENABLE_FLUXBOX:=false}
 
 # Advanced settings
+ENABLE_MINBASE=${ENABLE_MINBASE:=false}
 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
@@ -74,7 +75,7 @@ REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static dosfstool
 MISSING_PACKAGES=""
 
 # Packages required in the chroot build enviroment
-APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,locales"
+APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo"
 
 set +x
@@ -120,6 +121,13 @@ trap cleanup 0 1 2 3 6
 # Set up chroot directory
 mkdir -p $R
 
+# Add required packages for the minbase installation
+if [ "$ENABLE_MINBASE" = true ] ; then
+ APT_INCLUDES="${APT_INCLUDES},vim-tiny,net-tools"
+else
+ APT_INCLUDES="${APT_INCLUDES},locales"
+fi
+
 # Add dbus package, recommended if using systemd
 if [ "$ENABLE_DBUS" = true ] ; then
 APT_INCLUDES="${APT_INCLUDES},dbus"
@@ -145,12 +153,19 @@ if [ "$ENABLE_FLUXBOX" = true ] ; then
 APT_INCLUDES="${APT_INCLUDES},fluxbox,eterm"
 fi
 
+# Set empty proxy string
 if [ -z "$APT_PROXY" ] ; then
 APT_PROXY="http://"
 fi
 
 # Base debootstrap (unpack only)
-debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian
+if [ "$ENABLE_MINBASE" = true ] ; then
+ debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian
+else
+ debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian
+fi
+
+# Copy qemu emulator binary to chroot
 cp /usr/bin/qemu-arm-static $R/usr/bin
 
 # Copy debian-archive-keyring.pgp
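Review bot: The new comment `# Set empty proxy string` above the `if [ -z "$APT_PROXY" ]` block describes the opposite of what the code does: the fallback assigns `APT_PROXY="http://"`, i.e. the scheme prefix that the mirror URL needs when no proxy is configured, not an empty string. A comment such as `# No proxy configured: fall back to a plain http:// prefix for the mirror URL` would match the assignment. The two `debootstrap` invocations also duplicate a long command line that differs only in `--variant=minbase`; collecting the optional flag first, `DEBOOTSTRAP_VARIANT=""`, `if [ "$ENABLE_MINBASE" = true ] ; then DEBOOTSTRAP_VARIANT="--variant=minbase" ; fi`, and then issuing a single `debootstrap --arch=armhf ${DEBOOTSTRAP_VARIANT} --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian`, keeps the two variants from drifting apart when the argument list changes later.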
@@ -182,8 +197,10 @@ echo ${TIMEZONE} >$R/etc/timezone
 LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata
 
 # Set up default locales to "en_US.UTF-8" default
-LANG=C chroot $R sed -i '/${DEFLOCAL}/s/^#//' /etc/locale.gen
-LANG=C chroot $R locale-gen ${DEFLOCAL}
+if [ "$ENABLE_MINBASE" = false ] ; then
+ LANG=C chroot $R sed -i '/${DEFLOCAL}/s/^#//' /etc/locale.gen
+ LANG=C chroot $R locale-gen ${DEFLOCAL}
+fi
 
 # Upgrade collabora package index and install collabora keyring
 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
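Review bot: The sed expression `'/${DEFLOCAL}/s/^#//'` is single-quoted, so the shell never expands `${DEFLOCAL}` and sed searches /etc/locale.gen for the literal text `${DEFLOCAL}`; the commit moves the line into the new `if` block but carries the defect along. Double quotes, `LANG=C chroot $R sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen`, make the configured locale actually get uncommented before `locale-gen` runs. The guard also tests `= false` while the APT_INCLUDES block earlier in this diff tests `= true`, so a value such as `yes` would install `locales` but skip generation; `if [ "$ENABLE_MINBASE" != true ] ; then` keeps the two decisions consistent.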
@@ -679,9 +696,26 @@ EOM
 LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
 
 # Remove gcc/c++ build enviroment
- LANG=C chroot $R apt-get purge -y bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
+ LANG=C chroot $R apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
 fi
 
+# Enable systemd-networkd DHCP configuration for the eth0 interface
+printf "[Match]\nName=eth0\n\n[Network]\nDHCP=yes\n" > $R/etc/systemd/network/eth.network
+
+# Set DHCP configuration to IPv4 only
+if [ "$ENABLE_IPV6" = false ] ; then
+ sed -i "s/=yes/=v4/" $R/etc/systemd/network/eth.network
+fi
+
+# Enable systemd-networkd service
+LANG=C chroot $R systemctl enable systemd-networkd
+
+# Place hint about netowrk configuration
+cat <$R/etc/network/interfaces
+# Debian switched to systemd-networkd configuration files.
+# please configure your networks in '/etc/systemd/network/'
+EOM
+
 # Clean cached downloads
 LANG=C chroot $R apt-get -y clean
 LANG=C chroot $R apt-get -y autoclean
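Review bot: Rewriting `DHCP=yes` to `DHCP=v4` when ENABLE_IPV6 is false only turns off the DHCPv6 client in the networkd unit; the kernel still assigns a link-local address and accepts router advertisements on eth0, so the interface keeps IPv6 connectivity unless the script disables the stack elsewhere (for example through a sysctl setting), which this hunk does not show. If the option is meant to produce an image without IPv6, that additional step needs to exist or the comment `# Set DHCP configuration to IPv4 only` should say that only DHCP is affected. The `cat` line as rendered here reads `cat <$R/etc/network/interfaces`, which would read the existing file instead of writing the two comment lines that follow; if the heredoc form `cat <<EOM >$R/etc/network/interfaces` was lost in rendering this is fine, otherwise the redirection needs restoring. The comment typo `netowrk` should read `network`.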