From 69e22e063597ae540d175a6044eedede3b012a4b 2016-03-12 16:18:39
From: Jan Wagner
Date: 2016-03-12 16:18:39
Subject: [PATCH] vknecht-master-merge
---
diff --git a/README.md b/README.md
index ee8ee9b..f7d8795 100644
--- a/README.md
+++ b/README.md
@@ -150,6 +150,9 @@ password, use only in trusted environments.
 ##### `ENABLE_HARDNET`=false
 Enable IPv4/IPv6 network stack hardening settings.
+##### `ENABLE_SPLITFS`=false
+Enable having root partition on an USB drive by creating two image files: one for the `/boot/firmware` mount point, and another for `/`.
+
 ##### `CHROOT_SCRIPTS`=""
 Path to a directory with scripts that should be run in the chroot before the image is finally built. Every executable file in this direcory is run in lexicographical order.
@@ -212,3 +215,8 @@ After the image file was successfully created by the `rpi2-gen-image.sh` script
 bmaptool copy ./images/jessie/2015-12-13-debian-jessie.img /dev/mmcblk0
 dd bs=4M if=./images/jessie/2015-12-13-debian-jessie.img of=/dev/mmcblk0
 ```
+If you have set `ENABLE_SPLITFS`, copy the `-frmw` image on the microSD card, then the `-root` one on the USB drive:
+```shell
+bmaptool copy ./images/jessie/2015-12-13-debian-jessie-frmw.img /dev/mmcblk0
+bmaptool copy ./images/jessie/2015-12-13-debian-jessie-root.img /dev/sdc
+```
diff --git a/bootstrap.d/13-kernel.sh b/bootstrap.d/13-kernel.sh
index 87a33b7..8fa3b08 100644
--- a/bootstrap.d/13-kernel.sh
+++ b/bootstrap.d/13-kernel.sh
@@ -61,7 +61,11 @@ else
 fi
 # Set up firmware boot cmdline
-CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1 ${CMDLINE}"
+if [ "$ENABLE_SPLITFS" = true ] ; then
+ CMDLINE="dwc_otg.lpm_enable=0 root=/dev/sda1 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1 ${CMDLINE}"
+else
+ CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1 ${CMDLINE}"
+fi
 # Set up serial console support (if requested)
 if [ "$ENABLE_CONSOLE" = true ] ; then
@@ -110,6 +114,9 @@ install_readonly files/modprobe.d/raspi-blacklist.conf $R/etc/modprobe.d/raspi-b
 # Create default fstab
 install_readonly files/mount/fstab $R/etc/fstab
+if [ "$ENABLE_SPLITFS" = true ] ; then
+ sed -i 's/mmcblk0p2/sda1/' $R/etc/fstab
+fi
 # Avoid swapping and increase cache sizes
 install_readonly files/sysctl.d/81-rpi-vm.conf $R/etc/sysctl.d/81-rpi-vm.conf
diff --git a/bootstrap.d/20-networking.sh b/bootstrap.d/20-networking.sh
index 051c172..61270d4 100644
--- a/bootstrap.d/20-networking.sh
+++ b/bootstrap.d/20-networking.sh
@@ -60,7 +60,7 @@ chroot_exec systemctl enable systemd-networkd
 # Enable network stack hardening
 if [ "$ENABLE_HARDNET" = true ] ; then
- install_readonly files/sysctl.d/81-rpi-net-hardening.conf $R/etc/sysctl.d/81-rpi-net-hardening.conf
+ install_readonly files/sysctl.d/82-rpi-net-hardening.conf $R/etc/sysctl.d/82-rpi-net-hardening.conf
 # Enable resolver warnings about spoofed addresses
 cat <>$R/etc/host.conf
diff --git a/functions.sh b/functions.sh
index f64fb97..36f6bc3 100644
--- a/functions.sh
+++ b/functions.sh
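Review bot: `root=/dev/sda1` in the new SPLITFS branch of the cmdline binds the root filesystem to whichever USB block device the kernel enumerates first, so any other USB storage present at boot (a second stick, a hub-attached disk) can take `sda` and the board either fails to boot or mounts a filesystem that is not the built image as `/`. A persistent identifier such as `root=PARTUUID=…` or `root=LABEL=…` removes that dependence; the build controls the root image, so it can set a label at `mkfs.ext4 -L` time (not visible in this hunk) and reference it here. Independently, the two branches duplicate the whole CMDLINE string and differ only in the device, which will drift the next time a kernel flag is added; factoring the device out as below keeps one copy of the string. The enclosing script continues outside the hunk.
```shell
# Set up firmware boot cmdline
# NOTE(review): /dev/sda1 is whatever USB storage enumerates first; switch to
# root=PARTUUID=… or root=LABEL=… once the root image is labelled at mkfs time.
if [ "$ENABLE_SPLITFS" = true ] ; then
  ROOT_DEV="/dev/sda1"
else
  ROOT_DEV="/dev/mmcblk0p2"
fi
CMDLINE="dwc_otg.lpm_enable=0 root=${ROOT_DEV} rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1 ${CMDLINE}"
# … unchanged: serial console setup …
```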
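Review bot: The `sed -i 's/mmcblk0p2/sda1/' $R/etc/fstab` added after the fstab install is a blind substitution: if `files/mount/fstab` does not spell the root device exactly as `mmcblk0p2` (its content is not visible here), sed still exits 0 and the image silently ships an fstab whose `/` entry points at the SD card while the kernel boots from USB. Anchor the pattern to the full device path, quote the target, and fail the build when nothing was rewritten: `sed -i 's|/dev/mmcblk0p2|/dev/sda1|' "$R/etc/fstab"` followed by `grep -q '/dev/sda1' "$R/etc/fstab" || { echo "fstab: root device not rewritten" >&2; exit 1; }`. The unanchored form also rewrites any other occurrence of the bare substring on a line, not just a device field. Like the `root=` parameter on the kernel cmdline, a `LABEL=` or `UUID=` entry would be more robust than `/dev/sda1`, which changes with USB enumeration order.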
@@ -17,8 +17,8 @@ cleanup (){
 umount -l $R/dev/pts 2> /dev/null
 umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
 umount "$BUILDDIR/mount" 2> /dev/null
- losetup -d "$EXT4_LOOP" 2> /dev/null
- losetup -d "$VFAT_LOOP" 2> /dev/null
+ losetup -d "$ROOT_LOOP" 2> /dev/null
+ losetup -d "$FRMW_LOOP" 2> /dev/null
 trap - 0 1 2 3 6
 }
diff --git a/rpi2-gen-image.sh b/rpi2-gen-image.sh
index 2cb1277..39d5a76 100755
--- a/rpi2-gen-image.sh
+++ b/rpi2-gen-image.sh
@@ -81,6 +81,7 @@ ENABLE_UBOOT=${ENABLE_UBOOT:=false}
 ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
+ENABLE_SPLITFS=${ENABLE_SPLITFS:=false}
 # Kernel compilation settings
 BUILD_KERNEL=${BUILD_KERNEL:=false}
@@ -259,8 +260,8 @@ CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'`)
 # Calculate the amount of needed 512 Byte sectors
 TABLE_SECTORS=$(expr 1 \* 1024 \* 1024 \/ 512)
-BOOT_SECTORS=$(expr 64 \* 1024 \* 1024 \/ 512)
-ROOT_OFFSET=$(expr ${TABLE_SECTORS} + ${BOOT_SECTORS})
+FRMW_SECTORS=$(expr 64 \* 1024 \* 1024 \/ 512)
+ROOT_OFFSET=$(expr ${TABLE_SECTORS} + ${FRMW_SECTORS})
 # The root partition is EXT4
 # This means more space than the actual used space of the chroot is used.
@@ -268,37 +269,64 @@ ROOT_OFFSET=$(expr ${TABLE_SECTORS} + ${BOOT_SECTORS})
 ROOT_SECTORS=$(expr $(expr ${CHROOT_SIZE} + ${CHROOT_SIZE} \/ 100 \* 20) \* 1024 \/ 512)
 # Calculate required image size in 512 Byte sectors
-IMAGE_SECTORS=$(expr ${TABLE_SECTORS} + ${BOOT_SECTORS} + ${ROOT_SECTORS})
+IMAGE_SECTORS=$(expr ${TABLE_SECTORS} + ${FRMW_SECTORS} + ${ROOT_SECTORS})
 # Prepare date string for image file name
 DATE="$(date +%Y-%m-%d)"
 # Prepare image file
-dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count=${TABLE_SECTORS}
-dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count=0 seek=${IMAGE_SECTORS}
+if [ "$ENABLE_SPLITFS" = true ] ; then
+ dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img" bs=512 count=${TABLE_SECTORS}
+ dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img" bs=512 count=0 seek=${FRMW_SECTORS}
+ dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-root.img" bs=512 count=${TABLE_SECTORS}
+ dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-root.img" bs=512 count=0 seek=${ROOT_SECTORS}
+ # Write partition tables
+ sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img" <