##// END OF EJS Templates
Merge pull request #13 from voltagex/system-timezone...
drtyhlpr -
r28:087b377b1fd5 Fusion
parent child
Show More
@@ -1,846 +1,846
1 1 #!/bin/sh
2 2
3 3 ########################################################################
4 4 # rpi2-gen-image.sh ver2a 12/2015
5 5 #
6 6 # Advanced debian "jessie" bootstrap script for RPi2
7 7 #
8 8 # This program is free software; you can redistribute it and/or
9 9 # modify it under the terms of the GNU General Public License
10 10 # as published by the Free Software Foundation; either version 2
11 11 # of the License, or (at your option) any later version.
12 12 #
13 13 # some parts based on rpi2-build-image:
14 14 # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
15 15 # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
16 16 ########################################################################
17 17
18 18 # Clean up all temporary mount points
19 19 cleanup (){
20 20 set +x
21 21 set +e
22 22 echo "removing temporary mount points ..."
23 23 umount -l $R/proc 2> /dev/null
24 24 umount -l $R/sys 2> /dev/null
25 25 umount -l $R/dev/pts 2> /dev/null
26 26 umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
27 27 umount "$BUILDDIR/mount" 2> /dev/null
28 28 losetup -d "$EXT4_LOOP" 2> /dev/null
29 29 losetup -d "$VFAT_LOOP" 2> /dev/null
30 30 trap - 0 1 2 3 6
31 31 }
32 32
33 33 set -e
34 34 set -x
35 35
36 36 # Debian release
37 37 RELEASE=${RELEASE:=jessie}
38 38
39 39 # Build settings
40 40 BASEDIR=./images/${RELEASE}
41 41 BUILDDIR=${BASEDIR}/build
42 42
43 43 # General settings
44 44 HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
45 45 PASSWORD=${PASSWORD:=raspberry}
46 46 DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
47 TIMEZONE=${TIMEZONE:="Europe/Berlin"}
47 TIMEZONE=${TIMEZONE:="`cat /etc/timezone`"}
48 48
49 49 # APT settings
50 50 APT_PROXY=${APT_PROXY:=""}
51 51 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
52 52
53 53 # Feature settings
54 54 ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
55 55 ENABLE_IPV6=${ENABLE_IPV6:=true}
56 56 ENABLE_SSHD=${ENABLE_SSHD:=true}
57 57 ENABLE_SOUND=${ENABLE_SOUND:=true}
58 58 ENABLE_DBUS=${ENABLE_DBUS:=true}
59 59 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
60 60 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
61 61 ENABLE_XORG=${ENABLE_XORG:=false}
62 62 ENABLE_WM=${ENABLE_WM:=""}
63 63
64 64 # Advanced settings
65 65 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
66 66 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
67 67 ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
68 68 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
69 69 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
70 70
71 71 # Image chroot path
72 72 R=${BUILDDIR}/chroot
73 73
74 74 # Packages required for bootstrapping
75 75 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core"
76 76
77 77 # Missing packages that need to be installed
78 78 MISSING_PACKAGES=""
79 79
80 80 # Packages required in the chroot build environment
81 81 APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo"
82 82
83 83 set +x
84 84
85 85 # Are we running as root?
86 86 if [ "$(id -u)" -ne "0" ] ; then
87 87 echo "this script must be executed with root privileges"
88 88 exit 1
89 89 fi
90 90
91 91 # Check if all required packages are installed
92 92 for package in $REQUIRED_PACKAGES ; do
93 93 if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
94 94 MISSING_PACKAGES="$MISSING_PACKAGES $package"
95 95 fi
96 96 done
97 97
98 98 # Ask if missing packages should get installed right now
99 99 if [ -n "$MISSING_PACKAGES" ] ; then
100 100 echo "the following packages needed by this script are not installed:"
101 101 echo "$MISSING_PACKAGES"
102 102
103 103 echo -n "\ndo you want to install the missing packages right now? [y/n] "
104 104 read confirm
105 105 if [ "$confirm" != "y" ] ; then
106 106 exit 1
107 107 fi
108 108 fi
109 109
110 110 # Make sure all required packages are installed
111 111 apt-get -qq -y install ${REQUIRED_PACKAGES}
112 112
113 113 # Don't clobber an old build
114 114 if [ -e "$BUILDDIR" ]; then
115 115 echo "directory $BUILDDIR already exists, not proceeding"
116 116 exit 1
117 117 fi
118 118
119 119 set -x
120 120
121 121 # Call "cleanup" function on various signals and errors
122 122 trap cleanup 0 1 2 3 6
123 123
124 124 # Set up chroot directory
125 125 mkdir -p $R
126 126
127 127 # Add required packages for the minbase installation
128 128 if [ "$ENABLE_MINBASE" = true ] ; then
129 129 APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools"
130 130 else
131 131 APT_INCLUDES="${APT_INCLUDES},locales"
132 132 fi
133 133
134 134 # Add dbus package, recommended if using systemd
135 135 if [ "$ENABLE_DBUS" = true ] ; then
136 136 APT_INCLUDES="${APT_INCLUDES},dbus"
137 137 fi
138 138
139 139 # Add iptables IPv4/IPv6 package
140 140 if [ "$ENABLE_IPTABLES" = true ] ; then
141 141 APT_INCLUDES="${APT_INCLUDES},iptables"
142 142 fi
143 143
144 144 # Add openssh server package
145 145 if [ "$ENABLE_SSHD" = true ] ; then
146 146 APT_INCLUDES="${APT_INCLUDES},openssh-server"
147 147 fi
148 148
149 149 # Add alsa-utils package
150 150 if [ "$ENABLE_SOUND" = true ] ; then
151 151 APT_INCLUDES="${APT_INCLUDES},alsa-utils"
152 152 fi
153 153
154 154 # Add rng-tools package
155 155 if [ "$ENABLE_HWRANDOM" = true ] ; then
156 156 APT_INCLUDES="${APT_INCLUDES},rng-tools"
157 157 fi
158 158
159 159 # Add fbturbo video driver
160 160 if [ "$ENABLE_FBTURBO" = true ] ; then
161 161 # Enable xorg package dependencies
162 162 ENABLE_XORG=true
163 163 fi
164 164
165 165 # Add user defined window manager package
166 166 if [ -n "$ENABLE_WM" ] ; then
167 167 APT_INCLUDES="${APT_INCLUDES},${ENABLE_WM}"
168 168
169 169 # Enable xorg package dependencies
170 170 ENABLE_XORG=true
171 171 fi
172 172
173 173 # Add xorg package
174 174 if [ "$ENABLE_XORG" = true ] ; then
175 175 APT_INCLUDES="${APT_INCLUDES},xorg"
176 176 fi
177 177
178 178 # Set empty proxy string
179 179 if [ -z "$APT_PROXY" ] ; then
180 180 APT_PROXY="http://"
181 181 fi
182 182
183 183 # Base debootstrap (unpack only)
184 184 if [ "$ENABLE_MINBASE" = true ] ; then
185 185 debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian
186 186 else
187 187 debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian
188 188 fi
189 189
190 190 # Copy qemu emulator binary to chroot
191 191 cp /usr/bin/qemu-arm-static $R/usr/bin
192 192
193 193 # Copy debian-archive-keyring.pgp
194 194 chroot $R mkdir -p /usr/share/keyrings
195 195 cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
196 196
197 197 # Complete the bootstrapping process
198 198 chroot $R /debootstrap/debootstrap --second-stage
199 199
200 200 # Mount required filesystems
201 201 mount -t proc none $R/proc
202 202 mount -t sysfs none $R/sys
203 203 mount --bind /dev/pts $R/dev/pts
204 204
205 205 # Use proxy inside chroot
206 206 if [ -z "$APT_PROXY" ] ; then
207 207 echo "Acquire::http::Proxy \"$APT_PROXY\"" >> $R/etc/apt/apt.conf.d/10proxy
208 208 fi
209 209
210 210 # Pin package flash-kernel to repositories.collabora.co.uk
211 211 cat <<EOM >$R/etc/apt/preferences.d/flash-kernel
212 212 Package: flash-kernel
213 213 Pin: origin repositories.collabora.co.uk
214 214 Pin-Priority: 1000
215 215 EOM
216 216
217 217 # Set up timezone
218 218 echo ${TIMEZONE} >$R/etc/timezone
219 219 LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata
220 220
221 221 # Set up default locales to "en_US.UTF-8" default
222 222 if [ "$ENABLE_MINBASE" = false ] ; then
223 223 LANG=C chroot $R sed -i '/${DEFLOCAL}/s/^#//' /etc/locale.gen
224 224 LANG=C chroot $R locale-gen ${DEFLOCAL}
225 225 fi
226 226
227 227 # Upgrade collabora package index and install collabora keyring
228 228 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
229 229 LANG=C chroot $R apt-get -qq -y update
230 230 LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring
231 231
232 232 # Set up initial sources.list
233 233 cat <<EOM >$R/etc/apt/sources.list
234 234 deb http://${APT_SERVER}/debian ${RELEASE} main contrib
235 235 #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib
236 236
237 237 deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
238 238 #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
239 239
240 240 deb http://security.debian.org/ ${RELEASE}/updates main contrib
241 241 #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib
242 242
243 243 deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
244 244 EOM
245 245
246 246 # Upgrade package index and update all installed packages and changed dependencies
247 247 LANG=C chroot $R apt-get -qq -y update
248 248 LANG=C chroot $R apt-get -qq -y -u dist-upgrade
249 249
250 250 # Kernel installation
251 251 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
252 252 LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2
253 253 LANG=C chroot $R apt-get -qq -y install flash-kernel
254 254
255 255 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
256 256 [ -z "$VMLINUZ" ] && exit 1
257 257 mkdir -p $R/boot/firmware
258 258
259 259 # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")
260 260 wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin
261 261 wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat
262 262 wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat
263 263 wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat
264 264 wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf
265 265 wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf
266 266 wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf
267 267 cp $VMLINUZ $R/boot/firmware/kernel7.img
268 268
269 269 # Set up IPv4 hosts
270 270 echo ${HOSTNAME} >$R/etc/hostname
271 271 cat <<EOM >$R/etc/hosts
272 272 127.0.0.1 localhost
273 273 127.0.1.1 ${HOSTNAME}
274 274 EOM
275 275
276 276 # Set up IPv6 hosts
277 277 if [ "$ENABLE_IPV6" = true ] ; then
278 278 cat <<EOM >>$R/etc/hosts
279 279
280 280 ::1 localhost ip6-localhost ip6-loopback
281 281 ff02::1 ip6-allnodes
282 282 ff02::2 ip6-allrouters
283 283 EOM
284 284 fi
285 285
286 286 # Place hint about network configuration
287 287 cat <<EOM >$R/etc/network/interfaces
288 288 # Debian switched to systemd-networkd configuration files.
289 289 # please configure your networks in '/etc/systemd/network/'
290 290 EOM
291 291
292 292 # Enable systemd-networkd DHCP configuration for interface eth0
293 293 cat <<EOM >$R/etc/systemd/network/eth.network
294 294 [Match]
295 295 Name=eth0
296 296
297 297 [Network]
298 298 DHCP=yes
299 299 EOM
300 300
301 301 # Set DHCP configuration to IPv4 only
302 302 if [ "$ENABLE_IPV6" = false ] ; then
303 303 sed -i "s/=yes/=v4/" $R/etc/systemd/network/eth.network
304 304 fi
305 305
306 306 # Enable systemd-networkd service
307 307 LANG=C chroot $R systemctl enable systemd-networkd
308 308
309 309 # Generate crypt(3) password string
310 310 ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
311 311
312 312 # Set up default user
313 313 LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi
314 314 LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
315 315
316 316 # Set up root password
317 317 LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root
318 318
319 319 # Set up firmware boot cmdline
320 320 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
321 321
322 322 # Set up serial console support (if requested)
323 323 if [ "$ENABLE_CONSOLE" = true ] ; then
324 324 CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
325 325 fi
326 326
327 327 # Set up IPv6 networking support
328 328 if [ "$ENABLE_IPV6" = false ] ; then
329 329 CMDLINE="${CMDLINE} ipv6.disable=1"
330 330 fi
331 331
332 332 echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
333 333
334 334 # Set up firmware config
335 335 cat <<EOM >$R/boot/firmware/config.txt
336 336 # For more options and information see
337 337 # http://www.raspberrypi.org/documentation/configuration/config-txt.md
338 338 # Some settings may impact device functionality. See link above for details
339 339
340 340 # uncomment if you get no picture on HDMI for a default "safe" mode
341 341 #hdmi_safe=1
342 342
343 343 # uncomment this if your display has a black border of unused pixels visible
344 344 # and your display can output without overscan
345 345 #disable_overscan=1
346 346
347 347 # uncomment the following to adjust overscan. Use positive numbers if console
348 348 # goes off screen, and negative if there is too much border
349 349 #overscan_left=16
350 350 #overscan_right=16
351 351 #overscan_top=16
352 352 #overscan_bottom=16
353 353
354 354 # uncomment to force a console size. By default it will be display's size minus
355 355 # overscan.
356 356 #framebuffer_width=1280
357 357 #framebuffer_height=720
358 358
359 359 # uncomment if hdmi display is not detected and composite is being output
360 360 #hdmi_force_hotplug=1
361 361
362 362 # uncomment to force a specific HDMI mode (this will force VGA)
363 363 #hdmi_group=1
364 364 #hdmi_mode=1
365 365
366 366 # uncomment to force a HDMI mode rather than DVI. This can make audio work in
367 367 # DMT (computer monitor) modes
368 368 #hdmi_drive=2
369 369
370 370 # uncomment to increase signal to HDMI, if you have interference, blanking, or
371 371 # no display
372 372 #config_hdmi_boost=4
373 373
374 374 # uncomment for composite PAL
375 375 #sdtv_mode=2
376 376
377 377 # uncomment to overclock the arm. 700 MHz is the default.
378 378 #arm_freq=800
379 379 EOM
380 380
381 381 # Load snd_bcm2835 kernel module at boot time
382 382 if [ "$ENABLE_SOUND" = true ] ; then
383 383 echo "snd_bcm2835" >>$R/etc/modules
384 384 fi
385 385
386 386 # Set smallest possible GPU memory allocation size: 16MB (no X)
387 387 if [ "$ENABLE_MINGPU" = true ] ; then
388 388 echo "gpu_mem=16" >>$R/boot/firmware/config.txt
389 389 fi
390 390
391 391 # Create symlinks
392 392 ln -sf firmware/config.txt $R/boot/config.txt
393 393 ln -sf firmware/cmdline.txt $R/boot/cmdline.txt
394 394
395 395 # Prepare modules-load.d directory
396 396 mkdir -p $R/lib/modules-load.d/
397 397
398 398 # Load random module on boot
399 399 if [ "$ENABLE_HWRANDOM" = true ] ; then
400 400 cat <<EOM >$R/lib/modules-load.d/rpi2.conf
401 401 bcm2708_rng
402 402 EOM
403 403 fi
404 404
405 405 # Prepare modprobe.d directory
406 406 mkdir -p $R/etc/modprobe.d/
407 407
408 408 # Blacklist sound modules
409 409 cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf
410 410 blacklist snd_soc_core
411 411 blacklist snd_pcm
412 412 blacklist snd_pcm_dmaengine
413 413 blacklist snd_timer
414 414 blacklist snd_compress
415 415 blacklist snd_soc_pcm512x_i2c
416 416 blacklist snd_soc_pcm512x
417 417 blacklist snd_soc_tas5713
418 418 blacklist snd_soc_wm8804
419 419 EOM
420 420
421 421 # Create default fstab
422 422 cat <<EOM >$R/etc/fstab
423 423 /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
424 424 /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
425 425 EOM
426 426
427 427 # Avoid swapping and increase cache sizes
428 428 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
429 429
430 430 # Avoid swapping and increase cache sizes
431 431 vm.swappiness=1
432 432 vm.dirty_background_ratio=20
433 433 vm.dirty_ratio=40
434 434 vm.dirty_writeback_centisecs=500
435 435 vm.dirty_expire_centisecs=6000
436 436 EOM
437 437
438 438 # Enable network stack hardening
439 439 if [ "$ENABLE_HARDNET" = true ] ; then
440 440 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
441 441
442 442 # Enable network stack hardening
443 443 net.ipv4.tcp_timestamps=0
444 444 net.ipv4.tcp_syncookies=1
445 445 net.ipv4.conf.all.rp_filter=1
446 446 net.ipv4.conf.all.accept_redirects=0
447 447 net.ipv4.conf.all.send_redirects=0
448 448 net.ipv4.conf.all.accept_source_route=0
449 449 net.ipv4.conf.default.rp_filter=1
450 450 net.ipv4.conf.default.accept_redirects=0
451 451 net.ipv4.conf.default.send_redirects=0
452 452 net.ipv4.conf.default.accept_source_route=0
453 453 net.ipv4.conf.lo.accept_redirects=0
454 454 net.ipv4.conf.lo.send_redirects=0
455 455 net.ipv4.conf.lo.accept_source_route=0
456 456 net.ipv4.conf.eth0.accept_redirects=0
457 457 net.ipv4.conf.eth0.send_redirects=0
458 458 net.ipv4.conf.eth0.accept_source_route=0
459 459 net.ipv4.icmp_echo_ignore_broadcasts=1
460 460 net.ipv4.icmp_ignore_bogus_error_responses=1
461 461
462 462 net.ipv6.conf.all.accept_redirects=0
463 463 net.ipv6.conf.all.accept_source_route=0
464 464 net.ipv6.conf.all.router_solicitations=0
465 465 net.ipv6.conf.all.accept_ra_rtr_pref=0
466 466 net.ipv6.conf.all.accept_ra_pinfo=0
467 467 net.ipv6.conf.all.accept_ra_defrtr=0
468 468 net.ipv6.conf.all.autoconf=0
469 469 net.ipv6.conf.all.dad_transmits=0
470 470 net.ipv6.conf.all.max_addresses=1
471 471
472 472 net.ipv6.conf.default.accept_redirects=0
473 473 net.ipv6.conf.default.accept_source_route=0
474 474 net.ipv6.conf.default.router_solicitations=0
475 475 net.ipv6.conf.default.accept_ra_rtr_pref=0
476 476 net.ipv6.conf.default.accept_ra_pinfo=0
477 477 net.ipv6.conf.default.accept_ra_defrtr=0
478 478 net.ipv6.conf.default.autoconf=0
479 479 net.ipv6.conf.default.dad_transmits=0
480 480 net.ipv6.conf.default.max_addresses=1
481 481
482 482 net.ipv6.conf.lo.accept_redirects=0
483 483 net.ipv6.conf.lo.accept_source_route=0
484 484 net.ipv6.conf.lo.router_solicitations=0
485 485 net.ipv6.conf.lo.accept_ra_rtr_pref=0
486 486 net.ipv6.conf.lo.accept_ra_pinfo=0
487 487 net.ipv6.conf.lo.accept_ra_defrtr=0
488 488 net.ipv6.conf.lo.autoconf=0
489 489 net.ipv6.conf.lo.dad_transmits=0
490 490 net.ipv6.conf.lo.max_addresses=1
491 491
492 492 net.ipv6.conf.eth0.accept_redirects=0
493 493 net.ipv6.conf.eth0.accept_source_route=0
494 494 net.ipv6.conf.eth0.router_solicitations=0
495 495 net.ipv6.conf.eth0.accept_ra_rtr_pref=0
496 496 net.ipv6.conf.eth0.accept_ra_pinfo=0
497 497 net.ipv6.conf.eth0.accept_ra_defrtr=0
498 498 net.ipv6.conf.eth0.autoconf=0
499 499 net.ipv6.conf.eth0.dad_transmits=0
500 500 net.ipv6.conf.eth0.max_addresses=1
501 501 EOM
502 502
503 503 # Enable resolver warnings about spoofed addresses
504 504 cat <<EOM >>$R/etc/host.conf
505 505 spoof warn
506 506 EOM
507 507 fi
508 508
509 509 # Regenerate openssh server host keys
510 510 if [ "$ENABLE_SSHD" = true ] ; then
511 511 rm -fr $R/etc/ssh/ssh_host_*
512 512 LANG=C chroot $R dpkg-reconfigure openssh-server
513 513 fi
514 514
515 515 # Enable serial console systemd style
516 516 if [ "$ENABLE_CONSOLE" = true ] ; then
517 517 LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service
518 518 fi
519 519
520 520 # Enable firewall based on iptables started by systemd service
521 521 if [ "$ENABLE_IPTABLES" = true ] ; then
522 522 # Create iptables configuration directory
523 523 mkdir -p "$R/etc/iptables"
524 524
525 525 # Create iptables systemd service
526 526 cat <<EOM >$R/etc/systemd/system/iptables.service
527 527 [Unit]
528 528 Description=Packet Filtering Framework
529 529 DefaultDependencies=no
530 530 After=systemd-sysctl.service
531 531 Before=sysinit.target
532 532 [Service]
533 533 Type=oneshot
534 534 ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
535 535 ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
536 536 ExecStop=/etc/iptables/flush-iptables.sh
537 537 RemainAfterExit=yes
538 538 [Install]
539 539 WantedBy=multi-user.target
540 540 EOM
541 541
542 542 # Create flush-table script called by iptables service
543 543 cat <<EOM >$R/etc/iptables/flush-iptables.sh
544 544 #!/bin/sh
545 545 iptables -F
546 546 iptables -X
547 547 iptables -t nat -F
548 548 iptables -t nat -X
549 549 iptables -t mangle -F
550 550 iptables -t mangle -X
551 551 iptables -P INPUT ACCEPT
552 552 iptables -P FORWARD ACCEPT
553 553 iptables -P OUTPUT ACCEPT
554 554 EOM
555 555
556 556 # Create iptables rule file
557 557 cat <<EOM >$R/etc/iptables/iptables.rules
558 558 *filter
559 559 :INPUT DROP [0:0]
560 560 :FORWARD DROP [0:0]
561 561 :OUTPUT ACCEPT [0:0]
562 562 :TCP - [0:0]
563 563 :UDP - [0:0]
564 564 :SSH - [0:0]
565 565
566 566 # Rate limit ping requests
567 567 -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
568 568 -A INPUT -p icmp --icmp-type echo-request -j DROP
569 569
570 570 # Accept established connections
571 571 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
572 572
573 573 # Accept all traffic on loopback interface
574 574 -A INPUT -i lo -j ACCEPT
575 575
576 576 # Drop packets declared invalid
577 577 -A INPUT -m conntrack --ctstate INVALID -j DROP
578 578
579 579 # SSH rate limiting
580 580 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
581 581 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
582 582 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
583 583 -A SSH -m recent --name sshbf --set -j ACCEPT
584 584
585 585 # Send TCP and UDP connections to their respective rules chain
586 586 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
587 587 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
588 588
589 589 # Reject dropped packets with a RFC compliant responce
590 590 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
591 591 -A INPUT -p tcp -j REJECT --reject-with tcp-rst
592 592 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
593 593
594 594 ## TCP PORT RULES
595 595 # -A TCP -p tcp -j LOG
596 596
597 597 ## UDP PORT RULES
598 598 # -A UDP -p udp -j LOG
599 599
600 600 COMMIT
601 601 EOM
602 602
603 603 # Reload systemd configuration and enable iptables service
604 604 LANG=C chroot $R systemctl daemon-reload
605 605 LANG=C chroot $R systemctl enable iptables.service
606 606
607 607 if [ "$ENABLE_IPV6" = true ] ; then
608 608 # Create ip6tables systemd service
609 609 cat <<EOM >$R/etc/systemd/system/ip6tables.service
610 610 [Unit]
611 611 Description=Packet Filtering Framework
612 612 DefaultDependencies=no
613 613 After=systemd-sysctl.service
614 614 Before=sysinit.target
615 615 [Service]
616 616 Type=oneshot
617 617 ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
618 618 ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
619 619 ExecStop=/etc/iptables/flush-ip6tables.sh
620 620 RemainAfterExit=yes
621 621 [Install]
622 622 WantedBy=multi-user.target
623 623 EOM
624 624
625 625 # Create ip6tables file
626 626 cat <<EOM >$R/etc/iptables/flush-ip6tables.sh
627 627 #!/bin/sh
628 628 ip6tables -F
629 629 ip6tables -X
630 630 ip6tables -Z
631 631 for table in $(</proc/net/ip6_tables_names)
632 632 do
633 633 ip6tables -t \$table -F
634 634 ip6tables -t \$table -X
635 635 ip6tables -t \$table -Z
636 636 done
637 637 ip6tables -P INPUT ACCEPT
638 638 ip6tables -P OUTPUT ACCEPT
639 639 ip6tables -P FORWARD ACCEPT
640 640 EOM
641 641
642 642 # Create ip6tables rule file
643 643 cat <<EOM >$R/etc/iptables/ip6tables.rules
644 644 *filter
645 645 :INPUT DROP [0:0]
646 646 :FORWARD DROP [0:0]
647 647 :OUTPUT ACCEPT [0:0]
648 648 :TCP - [0:0]
649 649 :UDP - [0:0]
650 650 :SSH - [0:0]
651 651
652 652 # Drop packets with RH0 headers
653 653 -A INPUT -m rt --rt-type 0 -j DROP
654 654 -A OUTPUT -m rt --rt-type 0 -j DROP
655 655 -A FORWARD -m rt --rt-type 0 -j DROP
656 656
657 657 # Rate limit ping requests
658 658 -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
659 659 -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
660 660
661 661 # Accept established connections
662 662 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
663 663
664 664 # Accept all traffic on loopback interface
665 665 -A INPUT -i lo -j ACCEPT
666 666
667 667 # Drop packets declared invalid
668 668 -A INPUT -m conntrack --ctstate INVALID -j DROP
669 669
670 670 # SSH rate limiting
671 671 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
672 672 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
673 673 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
674 674 -A SSH -m recent --name sshbf --set -j ACCEPT
675 675
676 676 # Send TCP and UDP connections to their respective rules chain
677 677 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
678 678 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
679 679
680 680 # Reject dropped packets with a RFC compliant responce
681 681 -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
682 682 -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
683 683 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
684 684
685 685 ## TCP PORT RULES
686 686 # -A TCP -p tcp -j LOG
687 687
688 688 ## UDP PORT RULES
689 689 # -A UDP -p udp -j LOG
690 690
691 691 COMMIT
692 692 EOM
693 693
694 694 # Reload systemd configuration and enable iptables service
695 695 LANG=C chroot $R systemctl daemon-reload
696 696 LANG=C chroot $R systemctl enable ip6tables.service
697 697 fi
698 698 fi
699 699
700 700 # Remove SSHD related iptables rules
701 701 if [ "$ENABLE_SSHD" = false ] ; then
702 702 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/iptables.rules 2> /dev/null
703 703 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/ip6tables.rules 2> /dev/null
704 704 fi
705 705
706 706 # Install gcc/c++ build environment inside the chroot
707 707 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
708 708 LANG=C chroot $R apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
709 709 fi
710 710
711 711 # Fetch and build U-Boot bootloader
712 712 if [ "$ENABLE_UBOOT" = true ] ; then
713 713 # Fetch U-Boot bootloader sources
714 714 git -C $R/tmp clone git://git.denx.de/u-boot.git
715 715
716 716 # Build and install U-Boot inside chroot
717 717 LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all
718 718
719 719 # Copy compiled bootloader binary and set config.txt to load it
720 720 cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
721 721 printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
722 722
723 723 # Set U-Boot command file
724 724 cat <<EOM >$R/boot/firmware/uboot.mkimage
725 725 # Tell Linux that it is booting on a Raspberry Pi2
726 726 setenv machid 0x00000c42
727 727
728 728 # Set the kernel boot command line
729 729 setenv bootargs "earlyprintk ${CMDLINE}"
730 730
731 731 # Save these changes to u-boot's environment
732 732 saveenv
733 733
734 734 # Load the existing Linux kernel into RAM
735 735 fatload mmc 0:1 \${kernel_addr_r} kernel7.img
736 736
737 737 # Boot the kernel we have just loaded
738 738 bootz \${kernel_addr_r}
739 739 EOM
740 740
741 741 # Generate U-Boot image from command file
742 742 LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
743 743 fi
744 744
745 745 # Fetch and build fbturbo Xorg driver
746 746 if [ "$ENABLE_FBTURBO" = true ] ; then
747 747 # Fetch fbturbo driver sources
748 748 git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git
749 749
750 750 # Install Xorg build dependencies
751 751 LANG=C chroot $R apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
752 752
753 753 # Build and install fbturbo driver inside chroot
754 754 LANG=C chroot $R /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install"
755 755
756 756 # Add fbturbo driver to Xorg configuration
757 757 cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf
758 758 Section "Device"
759 759 Identifier "Allwinner A10/A13 FBDEV"
760 760 Driver "fbturbo"
761 761 Option "fbdev" "/dev/fb0"
762 762 Option "SwapbuffersWait" "true"
763 763 EndSection
764 764 EOM
765 765
766 766 # Remove Xorg build dependencies
767 767 LANG=C chroot $R apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
768 768 fi
769 769
770 770 # Remove gcc/c++ build environment from the chroot
771 771 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
772 772 LANG=C chroot $R apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
773 773 fi
774 774
775 775 # Clean cached downloads
776 776 LANG=C chroot $R apt-get -y clean
777 777 LANG=C chroot $R apt-get -y autoclean
778 778 LANG=C chroot $R apt-get -y autoremove
779 779
780 780 # Unmount mounted filesystems
781 781 umount -l $R/proc
782 782 umount -l $R/sys
783 783
784 784 # Clean up files
785 785 rm -f $R/etc/apt/sources.list.save
786 786 rm -f $R/etc/resolvconf/resolv.conf.d/original
787 787 rm -rf $R/run
788 788 mkdir -p $R/run
789 789 rm -f $R/etc/*-
790 790 rm -f $R/root/.bash_history
791 791 rm -rf $R/tmp/*
792 792 rm -f $R/var/lib/urandom/random-seed
793 793 [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id
794 794 rm -f $R/etc/machine-id
795 795 rm -fr $R/etc/apt/apt.conf.d/10proxy
796 796
797 797 # Calculate size of the chroot directory
798 798 CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)
799 799
800 800 # Calculate required image size
801 801 IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`
802 802
803 803 # Calculate number of sectors for the partition
804 804 IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`
805 805
806 806 # Prepare date string for image file name
807 807 DATE="$(date +%Y-%m-%d)"
808 808
809 809 # Prepare image file
810 810 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1
811 811 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}
812 812
813 813 # Write partition table
814 814 sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
815 815 unit: sectors
816 816
817 817 1 : start= 2048, size= 131072, Id= c, bootable
818 818 2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83
819 819 3 : start= 0, size= 0, Id= 0
820 820 4 : start= 0, size= 0, Id= 0
821 821 EOM
822 822
823 823 # Set up temporary loop devices and build filesystems
824 824 VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
825 825 EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
826 826 mkfs.vfat "$VFAT_LOOP"
827 827 mkfs.ext4 "$EXT4_LOOP"
828 828
829 829 # Mount the temporary loop devices
830 830 mkdir -p "$BUILDDIR/mount"
831 831 mount "$EXT4_LOOP" "$BUILDDIR/mount"
832 832
833 833 mkdir -p "$BUILDDIR/mount/boot/firmware"
834 834 mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"
835 835
836 836 # Copy all files from the chroot to the loop device mount point directory
837 837 rsync -a "$R/" "$BUILDDIR/mount/"
838 838
839 839 # Unmount all temporary loop devices and mount points
840 840 cleanup
841 841
842 842 # (optinal) create block map file for "bmaptool"
843 843 bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
844 844
845 845 # Image was successfully created
846 846 echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"
General Comments 0
Vous devez vous connecter pour laisser un commentaire. Se connecter maintenant