Added support for keyboard configuration
Vincent Knecht -
r27:16487517311f
@@ -1,101 +1,109
1 1 # rpi2-gen-image
2 2 ## Introduction
3 3 `rpi2-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for the Raspberry 2 (RPi2) computer. The script at this time only supports the bootstrapping of the current stable Debian 8 "jessie" release.
4 4
5 5 ## Build dependencies
6 6 The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user.
7 7
8 8 ```debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core```
9 9
10 10 ## Command-line parameters
11 11 The script accepts certain command-line parameters to enable or disable specific OS features, services and configuration settings. These parameters are passed to the `rpi2-gen-image.sh` script via (simple) shell-variables. Unlike environment shell-variables (simple) shell-variables are defined at the beginning of the command-line call of the `rpi2-gen-image.sh` script.
12 12
13 13 #####Command-line examples:
14 14 ```shell
15 15 ENABLE_UBOOT=true ./rpi2-gen-image.sh
16 16 ENABLE_CONSOLE=false ENABLE_IPV6=false ./rpi2-gen-image.sh
17 17 ENABLE_WM=xfce4 ENABLE_FBTURBO=true ENABLE_MINBASE=true ./rpi2-gen-image.sh
18 18 ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi2-gen-image.sh
19 19 APT_SERVER=ftp.de.debian.org APT_PROXY="http://127.0.0.1:3142/" ./rpi2-gen-image.sh
20 20 ENABLE_MINBASE=true ./rpi2-gen-image.sh
21 21 ```
22 22
23 23 #### APT settings:
24 24 ##### `APT_SERVER`="ftp.debian.org"
25 25 Set Debian packages server address. Choose a server from the list of Debian worldwide [mirror sites](https://www.debian.org/mirror/list). Using a nearby server will probably speed-up all required downloads within the bootstrapping process.
26 26
27 27 ##### `APT_PROXY`=""
28 28 Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once.
29 29
30 30 #### General system settings:
31 31 ##### `HOSTNAME`="rpi2-jessie"
32 32 Set system host name. It's recommended that the host name is unique in the corresponding subnet.
33 33
34 34 ##### `PASSWORD`="raspberry"
35 35 Set system `root` password. The same password is used for the created user `pi`. It's **STRONGLY** recommended that you choose a custom password.
36 36
37 37 ##### `DEFLOCAL`="en_US.UTF-8"
38 Set default system locale and keyboard layout. This setting can also be changed inside the running OS using the `dpkg-reconfigure locales` command. The script variant `minbase` (ENABLE_MINBASE=true) doesn't install `locales`.
38 Set default system locale. This setting can also be changed inside the running OS using the `dpkg-reconfigure locales` command. The script variant `minbase` (ENABLE_MINBASE=true) doesn't install `locales`.
39
39 40
40 41 ##### `TIMEZONE`="Europe/Berlin"
41 42 Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command.
42 43
44 #### Keyboard settings:
45 These options are used to configure keyboard layout in `/etc/default/keyboard` for console and Xorg. These settings can also be changed inside the running OS using the `dpkg-reconfigure keyboard-configuration` command.
46 ##### `XKBMODEL`=""
47 ##### `XKBLAYOUT`=""
48 ##### `XKBVARIANT`=""
49 ##### `XKBOPTIONS`=""
50
43 51 #### Basic system features:
44 52 ##### `ENABLE_CONSOLE`=true
45 53 Enable serial console interface. Recommended if no monitor or keyboard is connected to the RPi2. In case of problems fe. if the network (auto) configuration failed - the serial console can be used to access the system.
46 54
47 55 ##### `ENABLE_IPV6`=true
48 56 Enable IPv6 support. The network interface configuration is managed via systemd-networkd.
49 57
50 58 ##### `ENABLE_SSHD`=true
51 59 Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root.
52 60
53 61 ##### `ENABLE_SOUND`=true
54 62 Enable sound hardware and install Advanced Linux Sound Architecture.
55 63
56 64 ##### `ENABLE_HWRANDOM`=true
57 65 Enable Hardware Random Number Generator. Strong random numbers are important for most network based communications that use encryption. It's recommended to be enabled.
58 66
59 67 ##### `ENABLE_MINGPU`=false
60 68 Minimize the amount of shared memory reserved for the GPU. It doesn't seem to be possible to fully disable the GPU.
61 69
62 70 ##### `ENABLE_DBUS`=true
63 71 Install and enable D-Bus message bus. Please note that systemd should work without D-bus but it's recommended to be enabled.
64 72
65 73 ##### `ENABLE_XORG`=false
66 74 Install Xorg open-source X Window System.
67 75
68 76 ##### `ENABLE_WM`=""
69 77 Install a user defined window manager for the X Window System. To make sure all X related package dependencies are getting installed `ENABLE_XORG` will automatically get enabled if `ENABLE_WM` is used. The `rpi2-gen-image.sh` script has been tested with the following list of window managers: `blackbox`, `openbox`, `fluxbox`, `jwm`, `dwm`, `xfce4`, `awesome`.
70 78
71 79 #### Advanced sytem features:
72 80 ##### `ENABLE_MINBASE`=false
73 81 Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB.
74 82
75 83 ##### `ENABLE_UBOOT`=false
76 84 Replace default RPi2 second stage bootloader (bootcode.bin) with U-Boot bootloader. U-Boot can boot images via the network using the BOOTP/TFTP protocol.
77 85
78 86 ##### `ENABLE_FBTURBO`=false
79 87 Install and enable the hardware accelerated Xorg video driver `fbturbo`. Please note that this driver is currently limited to hardware accelerated window moving and scrolling.
80 88
81 89 ##### `ENABLE_IPTABLES`=false
82 90 Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service.
83 91
84 92 ##### `ENABLE_HARDNET`=false
85 93 Enable IPv4/IPv6 network stack hardening settings.
86 94
87 95 ## Logging of the bootstrapping process
88 96 All information related to the bootstrapping process and the commands executed by the `rpi2-gen-image.sh` script can easily be saved into a logfile. The common shell command `script` can be used for this purpose:
89 97
90 98 ```shell
91 99 script -c 'APT_SERVER=ftp.de.debian.org ./rpi2-gen-image.sh' ./build.log
92 100 ```
93 101
94 102 ## Flashing the image file
95 103 After the image file was successfully created by the `rpi2-gen-image.sh` script it can be copied to the microSD card that will be used by the RPi2 computer. This can be performed by using the tools `bmaptool` or `dd`. Using `bmaptool` will probably speed-up the copy process because `bmaptool` copies more wisely than `dd`.
96 104
97 105 #####Flashing examples:
98 106 ```shell
99 107 bmaptool copy ./images/jessie/2015-12-13-debian-jessie.img /dev/mmcblk0
100 108 dd bs=4M if=./images/jessie/2015-12-13-debian-jessie.img of=/dev/mmcblk0
101 109 ```
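Review bot: The new "Keyboard settings" section (new lines 44-49) lists `XKBMODEL`, `XKBLAYOUT`, `XKBVARIANT` and `XKBOPTIONS` with no description of what each one takes, and it does not say that they are ignored when `ENABLE_MINBASE=true`. The script only adds `keyboard-configuration` and `console-setup` to `APT_INCLUDES` in the non-minbase branch, and only edits `/etc/default/keyboard` inside the `ENABLE_MINBASE = false` block, so a minbase build silently drops these settings. Suggest a one-line description under each heading, a sentence stating that an empty value leaves the package default untouched, and the same minbase caveat the `DEFLOCAL` entry carries. A blank line between the intro paragraph and the first `#####` heading would also match the rest of the file.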
@@ -1,858 +1,887
1 1 #!/bin/sh
2 2
3 3 ########################################################################
4 4 # rpi2-gen-image.sh ver2a 12/2015
5 5 #
6 6 # Advanced debian "jessie" bootstrap script for RPi2
7 7 #
8 8 # This program is free software; you can redistribute it and/or
9 9 # modify it under the terms of the GNU General Public License
10 10 # as published by the Free Software Foundation; either version 2
11 11 # of the License, or (at your option) any later version.
12 12 #
13 13 # some parts based on rpi2-build-image:
14 14 # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
15 15 # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
16 16 ########################################################################
17 17
18 18 # Clean up all temporary mount points
19 19 cleanup (){
20 20 set +x
21 21 set +e
22 22 echo "removing temporary mount points ..."
23 23 umount -l $R/proc 2> /dev/null
24 24 umount -l $R/sys 2> /dev/null
25 25 umount -l $R/dev/pts 2> /dev/null
26 26 umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
27 27 umount "$BUILDDIR/mount" 2> /dev/null
28 28 losetup -d "$EXT4_LOOP" 2> /dev/null
29 29 losetup -d "$VFAT_LOOP" 2> /dev/null
30 30 trap - 0 1 2 3 6
31 31 }
32 32
33 33 set -e
34 34 set -x
35 35
36 36 # Debian release
37 37 RELEASE=${RELEASE:=jessie}
38 38
39 39 # Build settings
40 40 BASEDIR=./images/${RELEASE}
41 41 BUILDDIR=${BASEDIR}/build
42 42
43 43 # General settings
44 44 HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
45 45 PASSWORD=${PASSWORD:=raspberry}
46 46 DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
47 47 TIMEZONE=${TIMEZONE:="Europe/Berlin"}
48 XKBMODEL=${XKBMODEL:=""}
49 XKBLAYOUT=${XKBLAYOUT:=""}
50 XKBVARIANT=${XKBVARIANT:=""}
51 XKBOPTIONS=${XKBOPTIONS:=""}
48 52
49 53 # APT settings
50 54 APT_PROXY=${APT_PROXY:=""}
51 55 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
52 56
53 57 # Feature settings
54 58 ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
55 59 ENABLE_IPV6=${ENABLE_IPV6:=true}
56 60 ENABLE_SSHD=${ENABLE_SSHD:=true}
57 61 ENABLE_SOUND=${ENABLE_SOUND:=true}
58 62 ENABLE_DBUS=${ENABLE_DBUS:=true}
59 63 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
60 64 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
61 65 ENABLE_XORG=${ENABLE_XORG:=false}
62 66 ENABLE_WM=${ENABLE_WM:=""}
63 67
64 68 # Advanced settings
65 69 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
66 70 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
67 71 ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
68 72 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
69 73 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
70 74
71 75 # Image chroot path
72 76 R=${BUILDDIR}/chroot
73 77
74 78 # Packages required for bootstrapping
75 79 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core"
76 80
77 81 # Missing packages that need to be installed
78 82 MISSING_PACKAGES=""
79 83
80 84 # Packages required in the chroot build environment
81 85 APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo"
82 86
83 87 set +x
84 88
85 89 # Are we running as root?
86 90 if [ "$(id -u)" -ne "0" ] ; then
87 91 echo "this script must be executed with root privileges"
88 92 exit 1
89 93 fi
90 94
91 95 # Check if all required packages are installed
92 96 for package in $REQUIRED_PACKAGES ; do
93 97 if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
94 98 MISSING_PACKAGES="$MISSING_PACKAGES $package"
95 99 fi
96 100 done
97 101
98 102 # Ask if missing packages should get installed right now
99 103 if [ -n "$MISSING_PACKAGES" ] ; then
100 104 echo "the following packages needed by this script are not installed:"
101 105 echo "$MISSING_PACKAGES"
102 106
103 107 echo -n "\ndo you want to install the missing packages right now? [y/n] "
104 108 read confirm
105 109 if [ "$confirm" != "y" ] ; then
106 110 exit 1
107 111 fi
108 112 fi
109 113
110 114 # Make sure all required packages are installed
111 115 apt-get -qq -y install ${REQUIRED_PACKAGES}
112 116
113 117 # Don't clobber an old build
114 118 if [ -e "$BUILDDIR" ]; then
115 119 echo "directory $BUILDDIR already exists, not proceeding"
116 120 exit 1
117 121 fi
118 122
119 123 set -x
120 124
121 125 # Call "cleanup" function on various signals and errors
122 126 trap cleanup 0 1 2 3 6
123 127
124 128 # Set up chroot directory
125 129 mkdir -p $R
126 130
127 131 # Add required packages for the minbase installation
128 132 if [ "$ENABLE_MINBASE" = true ] ; then
129 133 APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools"
130 134 else
131 APT_INCLUDES="${APT_INCLUDES},locales"
135 APT_INCLUDES="${APT_INCLUDES},locales,keyboard-configuration,console-setup"
132 136 fi
133 137
134 138 # Add dbus package, recommended if using systemd
135 139 if [ "$ENABLE_DBUS" = true ] ; then
136 140 APT_INCLUDES="${APT_INCLUDES},dbus"
137 141 fi
138 142
139 143 # Add iptables IPv4/IPv6 package
140 144 if [ "$ENABLE_IPTABLES" = true ] ; then
141 145 APT_INCLUDES="${APT_INCLUDES},iptables"
142 146 fi
143 147
144 148 # Add openssh server package
145 149 if [ "$ENABLE_SSHD" = true ] ; then
146 150 APT_INCLUDES="${APT_INCLUDES},openssh-server"
147 151 fi
148 152
149 153 # Add alsa-utils package
150 154 if [ "$ENABLE_SOUND" = true ] ; then
151 155 APT_INCLUDES="${APT_INCLUDES},alsa-utils"
152 156 fi
153 157
154 158 # Add rng-tools package
155 159 if [ "$ENABLE_HWRANDOM" = true ] ; then
156 160 APT_INCLUDES="${APT_INCLUDES},rng-tools"
157 161 fi
158 162
159 163 # Add fbturbo video driver
160 164 if [ "$ENABLE_FBTURBO" = true ] ; then
161 165 # Enable xorg package dependencies
162 166 ENABLE_XORG=true
163 167 fi
164 168
165 169 # Add user defined window manager package
166 170 if [ -n "$ENABLE_WM" ] ; then
167 171 APT_INCLUDES="${APT_INCLUDES},${ENABLE_WM}"
168 172
169 173 # Enable xorg package dependencies
170 174 ENABLE_XORG=true
171 175 fi
172 176
173 177 # Add xorg package
174 178 if [ "$ENABLE_XORG" = true ] ; then
175 179 APT_INCLUDES="${APT_INCLUDES},xorg"
176 180 fi
177 181
178 182 # Set empty proxy string
179 183 if [ -z "$APT_PROXY" ] ; then
180 184 APT_PROXY="http://"
181 185 fi
182 186
183 187 # Base debootstrap (unpack only)
184 188 if [ "$ENABLE_MINBASE" = true ] ; then
185 189 debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian
186 190 else
187 191 debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian
188 192 fi
189 193
190 194 # Copy qemu emulator binary to chroot
191 195 cp /usr/bin/qemu-arm-static $R/usr/bin
192 196
193 197 # Copy debian-archive-keyring.pgp
194 198 chroot $R mkdir -p /usr/share/keyrings
195 199 cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
196 200
197 201 # Complete the bootstrapping process
198 202 chroot $R /debootstrap/debootstrap --second-stage
199 203
200 204 # Mount required filesystems
201 205 mount -t proc none $R/proc
202 206 mount -t sysfs none $R/sys
203 207 mount --bind /dev/pts $R/dev/pts
204 208
205 209 # Use proxy inside chroot
206 210 if [ -z "$APT_PROXY" ] ; then
207 211 echo "Acquire::http::Proxy \"$APT_PROXY\"" >> $R/etc/apt/apt.conf.d/10proxy
208 212 fi
209 213
210 214 # Pin package flash-kernel to repositories.collabora.co.uk
211 215 cat <<EOM >$R/etc/apt/preferences.d/flash-kernel
212 216 Package: flash-kernel
213 217 Pin: origin repositories.collabora.co.uk
214 218 Pin-Priority: 1000
215 219 EOM
216 220
217 221 # Set up timezone
218 222 echo ${TIMEZONE} >$R/etc/timezone
219 223 LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata
220 224
221 225 # Upgrade collabora package index and install collabora keyring
222 226 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
223 227 LANG=C chroot $R apt-get -qq -y update
224 228 LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring
225 229
226 230 # Set up initial sources.list
227 231 cat <<EOM >$R/etc/apt/sources.list
228 232 deb http://${APT_SERVER}/debian ${RELEASE} main contrib
229 233 #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib
230 234
231 235 deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
232 236 #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
233 237
234 238 deb http://security.debian.org/ ${RELEASE}/updates main contrib
235 239 #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib
236 240
237 241 deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
238 242 EOM
239 243
240 244 # Upgrade package index and update all installed packages and changed dependencies
241 245 LANG=C chroot $R apt-get -qq -y update
242 246 LANG=C chroot $R apt-get -qq -y -u dist-upgrade
243 247
244 # Set up default locales to "en_US.UTF-8" default
248 # Set up default locale and keyboard configuration
245 249 if [ "$ENABLE_MINBASE" = false ] ; then
246 250 # Set locale choice in debconf db, even though dpkg-reconfigure ignores and overwrites them due to some bug
247 251 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684134 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685957
248 252 # ... so we have to set locales manually
249 253 if [ "$DEFLOCAL" = "en_US.UTF-8" ] ; then
250 254 LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections
251 255 else
252 256 # en_US.UTF-8 should be available anyway : https://www.debian.org/doc/manuals/debian-reference/ch08.en.html#_the_reconfiguration_of_the_locale
253 257 LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections
254 258 LANG=C chroot $R sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen
255 259 fi
256 260 LANG=C chroot $R sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen
257 261 LANG=C chroot $R echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections
258 262 LANG=C chroot $R locale-gen
259 263 LANG=C chroot $R update-locale LANG=${DEFLOCAL}
264
265 # Keyboard configuration, if requested
266 if [ "$XKBMODEL" != "" ] ; then
267 LANG=C chroot $R sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKBMODEL}\"/" /etc/default/keyboard
268 fi
269 if [ "$XKBLAYOUT" != "" ] ; then
270 LANG=C chroot $R sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKBLAYOUT}\"/" /etc/default/keyboard
271 fi
272 if [ "$XKBVARIANT" != "" ] ; then
273 LANG=C chroot $R sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKBVARIANT}\"/" /etc/default/keyboard
274 fi
275 if [ "$XKBOPTIONS" != "" ] ; then
276 LANG=C chroot $R sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKBOPTIONS}\"/" /etc/default/keyboard
277 fi
278 LANG=C chroot $R dpkg-reconfigure -f noninteractive keyboard-configuration
279 # Set up font console
280 case "${DEFLOCAL}" in
281 *UTF-8)
282 LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' /etc/default/console-setup
283 ;;
284 *)
285 LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="guess"/' /etc/default/console-setup
286 ;;
287 esac
288 LANG=C chroot $R dpkg-reconfigure -f noninteractive console-setup
260 289 fi
261 290
262 291 # Kernel installation
263 292 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
264 293 LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2
265 294 LANG=C chroot $R apt-get -qq -y install flash-kernel
266 295
267 296 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
268 297 [ -z "$VMLINUZ" ] && exit 1
269 298 mkdir -p $R/boot/firmware
270 299
271 300 # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")
272 301 wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin
273 302 wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat
274 303 wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat
275 304 wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat
276 305 wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf
277 306 wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf
278 307 wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf
279 308 cp $VMLINUZ $R/boot/firmware/kernel7.img
280 309
281 310 # Set up IPv4 hosts
282 311 echo ${HOSTNAME} >$R/etc/hostname
283 312 cat <<EOM >$R/etc/hosts
284 313 127.0.0.1 localhost
285 314 127.0.1.1 ${HOSTNAME}
286 315 EOM
287 316
288 317 # Set up IPv6 hosts
289 318 if [ "$ENABLE_IPV6" = true ] ; then
290 319 cat <<EOM >>$R/etc/hosts
291 320
292 321 ::1 localhost ip6-localhost ip6-loopback
293 322 ff02::1 ip6-allnodes
294 323 ff02::2 ip6-allrouters
295 324 EOM
296 325 fi
297 326
298 327 # Place hint about network configuration
299 328 cat <<EOM >$R/etc/network/interfaces
300 329 # Debian switched to systemd-networkd configuration files.
301 330 # please configure your networks in '/etc/systemd/network/'
302 331 EOM
303 332
304 333 # Enable systemd-networkd DHCP configuration for interface eth0
305 334 cat <<EOM >$R/etc/systemd/network/eth.network
306 335 [Match]
307 336 Name=eth0
308 337
309 338 [Network]
310 339 DHCP=yes
311 340 EOM
312 341
313 342 # Set DHCP configuration to IPv4 only
314 343 if [ "$ENABLE_IPV6" = false ] ; then
315 344 sed -i "s/=yes/=v4/" $R/etc/systemd/network/eth.network
316 345 fi
317 346
318 347 # Enable systemd-networkd service
319 348 LANG=C chroot $R systemctl enable systemd-networkd
320 349
321 350 # Generate crypt(3) password string
322 351 ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
323 352
324 353 # Set up default user
325 354 LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi
326 355 LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
327 356
328 357 # Set up root password
329 358 LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root
330 359
331 360 # Set up firmware boot cmdline
332 361 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
333 362
334 363 # Set up serial console support (if requested)
335 364 if [ "$ENABLE_CONSOLE" = true ] ; then
336 365 CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
337 366 fi
338 367
339 368 # Set up IPv6 networking support
340 369 if [ "$ENABLE_IPV6" = false ] ; then
341 370 CMDLINE="${CMDLINE} ipv6.disable=1"
342 371 fi
343 372
344 373 echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
345 374
346 375 # Set up firmware config
347 376 cat <<EOM >$R/boot/firmware/config.txt
348 377 # For more options and information see
349 378 # http://www.raspberrypi.org/documentation/configuration/config-txt.md
350 379 # Some settings may impact device functionality. See link above for details
351 380
352 381 # uncomment if you get no picture on HDMI for a default "safe" mode
353 382 #hdmi_safe=1
354 383
355 384 # uncomment this if your display has a black border of unused pixels visible
356 385 # and your display can output without overscan
357 386 #disable_overscan=1
358 387
359 388 # uncomment the following to adjust overscan. Use positive numbers if console
360 389 # goes off screen, and negative if there is too much border
361 390 #overscan_left=16
362 391 #overscan_right=16
363 392 #overscan_top=16
364 393 #overscan_bottom=16
365 394
366 395 # uncomment to force a console size. By default it will be display's size minus
367 396 # overscan.
368 397 #framebuffer_width=1280
369 398 #framebuffer_height=720
370 399
371 400 # uncomment if hdmi display is not detected and composite is being output
372 401 #hdmi_force_hotplug=1
373 402
374 403 # uncomment to force a specific HDMI mode (this will force VGA)
375 404 #hdmi_group=1
376 405 #hdmi_mode=1
377 406
378 407 # uncomment to force a HDMI mode rather than DVI. This can make audio work in
379 408 # DMT (computer monitor) modes
380 409 #hdmi_drive=2
381 410
382 411 # uncomment to increase signal to HDMI, if you have interference, blanking, or
383 412 # no display
384 413 #config_hdmi_boost=4
385 414
386 415 # uncomment for composite PAL
387 416 #sdtv_mode=2
388 417
389 418 # uncomment to overclock the arm. 700 MHz is the default.
390 419 #arm_freq=800
391 420 EOM
392 421
393 422 # Load snd_bcm2835 kernel module at boot time
394 423 if [ "$ENABLE_SOUND" = true ] ; then
395 424 echo "snd_bcm2835" >>$R/etc/modules
396 425 fi
397 426
398 427 # Set smallest possible GPU memory allocation size: 16MB (no X)
399 428 if [ "$ENABLE_MINGPU" = true ] ; then
400 429 echo "gpu_mem=16" >>$R/boot/firmware/config.txt
401 430 fi
402 431
403 432 # Create symlinks
404 433 ln -sf firmware/config.txt $R/boot/config.txt
405 434 ln -sf firmware/cmdline.txt $R/boot/cmdline.txt
406 435
407 436 # Prepare modules-load.d directory
408 437 mkdir -p $R/lib/modules-load.d/
409 438
410 439 # Load random module on boot
411 440 if [ "$ENABLE_HWRANDOM" = true ] ; then
412 441 cat <<EOM >$R/lib/modules-load.d/rpi2.conf
413 442 bcm2708_rng
414 443 EOM
415 444 fi
416 445
417 446 # Prepare modprobe.d directory
418 447 mkdir -p $R/etc/modprobe.d/
419 448
420 449 # Blacklist sound modules
421 450 cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf
422 451 blacklist snd_soc_core
423 452 blacklist snd_pcm
424 453 blacklist snd_pcm_dmaengine
425 454 blacklist snd_timer
426 455 blacklist snd_compress
427 456 blacklist snd_soc_pcm512x_i2c
428 457 blacklist snd_soc_pcm512x
429 458 blacklist snd_soc_tas5713
430 459 blacklist snd_soc_wm8804
431 460 EOM
432 461
433 462 # Create default fstab
434 463 cat <<EOM >$R/etc/fstab
435 464 /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
436 465 /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
437 466 EOM
438 467
439 468 # Avoid swapping and increase cache sizes
440 469 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
441 470
442 471 # Avoid swapping and increase cache sizes
443 472 vm.swappiness=1
444 473 vm.dirty_background_ratio=20
445 474 vm.dirty_ratio=40
446 475 vm.dirty_writeback_centisecs=500
447 476 vm.dirty_expire_centisecs=6000
448 477 EOM
449 478
450 479 # Enable network stack hardening
451 480 if [ "$ENABLE_HARDNET" = true ] ; then
452 481 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
453 482
454 483 # Enable network stack hardening
455 484 net.ipv4.tcp_timestamps=0
456 485 net.ipv4.tcp_syncookies=1
457 486 net.ipv4.conf.all.rp_filter=1
458 487 net.ipv4.conf.all.accept_redirects=0
459 488 net.ipv4.conf.all.send_redirects=0
460 489 net.ipv4.conf.all.accept_source_route=0
461 490 net.ipv4.conf.default.rp_filter=1
462 491 net.ipv4.conf.default.accept_redirects=0
463 492 net.ipv4.conf.default.send_redirects=0
464 493 net.ipv4.conf.default.accept_source_route=0
465 494 net.ipv4.conf.lo.accept_redirects=0
466 495 net.ipv4.conf.lo.send_redirects=0
467 496 net.ipv4.conf.lo.accept_source_route=0
468 497 net.ipv4.conf.eth0.accept_redirects=0
469 498 net.ipv4.conf.eth0.send_redirects=0
470 499 net.ipv4.conf.eth0.accept_source_route=0
471 500 net.ipv4.icmp_echo_ignore_broadcasts=1
472 501 net.ipv4.icmp_ignore_bogus_error_responses=1
473 502
474 503 net.ipv6.conf.all.accept_redirects=0
475 504 net.ipv6.conf.all.accept_source_route=0
476 505 net.ipv6.conf.all.router_solicitations=0
477 506 net.ipv6.conf.all.accept_ra_rtr_pref=0
478 507 net.ipv6.conf.all.accept_ra_pinfo=0
479 508 net.ipv6.conf.all.accept_ra_defrtr=0
480 509 net.ipv6.conf.all.autoconf=0
481 510 net.ipv6.conf.all.dad_transmits=0
482 511 net.ipv6.conf.all.max_addresses=1
483 512
484 513 net.ipv6.conf.default.accept_redirects=0
485 514 net.ipv6.conf.default.accept_source_route=0
486 515 net.ipv6.conf.default.router_solicitations=0
487 516 net.ipv6.conf.default.accept_ra_rtr_pref=0
488 517 net.ipv6.conf.default.accept_ra_pinfo=0
489 518 net.ipv6.conf.default.accept_ra_defrtr=0
490 519 net.ipv6.conf.default.autoconf=0
491 520 net.ipv6.conf.default.dad_transmits=0
492 521 net.ipv6.conf.default.max_addresses=1
493 522
494 523 net.ipv6.conf.lo.accept_redirects=0
495 524 net.ipv6.conf.lo.accept_source_route=0
496 525 net.ipv6.conf.lo.router_solicitations=0
497 526 net.ipv6.conf.lo.accept_ra_rtr_pref=0
498 527 net.ipv6.conf.lo.accept_ra_pinfo=0
499 528 net.ipv6.conf.lo.accept_ra_defrtr=0
500 529 net.ipv6.conf.lo.autoconf=0
501 530 net.ipv6.conf.lo.dad_transmits=0
502 531 net.ipv6.conf.lo.max_addresses=1
503 532
504 533 net.ipv6.conf.eth0.accept_redirects=0
505 534 net.ipv6.conf.eth0.accept_source_route=0
506 535 net.ipv6.conf.eth0.router_solicitations=0
507 536 net.ipv6.conf.eth0.accept_ra_rtr_pref=0
508 537 net.ipv6.conf.eth0.accept_ra_pinfo=0
509 538 net.ipv6.conf.eth0.accept_ra_defrtr=0
510 539 net.ipv6.conf.eth0.autoconf=0
511 540 net.ipv6.conf.eth0.dad_transmits=0
512 541 net.ipv6.conf.eth0.max_addresses=1
513 542 EOM
514 543
515 544 # Enable resolver warnings about spoofed addresses
516 545 cat <<EOM >>$R/etc/host.conf
517 546 spoof warn
518 547 EOM
519 548 fi
520 549
521 550 # Regenerate openssh server host keys
522 551 if [ "$ENABLE_SSHD" = true ] ; then
523 552 rm -fr $R/etc/ssh/ssh_host_*
524 553 LANG=C chroot $R dpkg-reconfigure openssh-server
525 554 fi
526 555
527 556 # Enable serial console systemd style
528 557 if [ "$ENABLE_CONSOLE" = true ] ; then
529 558 LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service
530 559 fi
531 560
532 561 # Enable firewall based on iptables started by systemd service
533 562 if [ "$ENABLE_IPTABLES" = true ] ; then
534 563 # Create iptables configuration directory
535 564 mkdir -p "$R/etc/iptables"
536 565
537 566 # Create iptables systemd service
538 567 cat <<EOM >$R/etc/systemd/system/iptables.service
539 568 [Unit]
540 569 Description=Packet Filtering Framework
541 570 DefaultDependencies=no
542 571 After=systemd-sysctl.service
543 572 Before=sysinit.target
544 573 [Service]
545 574 Type=oneshot
546 575 ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
547 576 ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
548 577 ExecStop=/etc/iptables/flush-iptables.sh
549 578 RemainAfterExit=yes
550 579 [Install]
551 580 WantedBy=multi-user.target
552 581 EOM
553 582
554 583 # Create flush-table script called by iptables service
555 584 cat <<EOM >$R/etc/iptables/flush-iptables.sh
556 585 #!/bin/sh
557 586 iptables -F
558 587 iptables -X
559 588 iptables -t nat -F
560 589 iptables -t nat -X
561 590 iptables -t mangle -F
562 591 iptables -t mangle -X
563 592 iptables -P INPUT ACCEPT
564 593 iptables -P FORWARD ACCEPT
565 594 iptables -P OUTPUT ACCEPT
566 595 EOM
567 596
568 597 # Create iptables rule file
569 598 cat <<EOM >$R/etc/iptables/iptables.rules
570 599 *filter
571 600 :INPUT DROP [0:0]
572 601 :FORWARD DROP [0:0]
573 602 :OUTPUT ACCEPT [0:0]
574 603 :TCP - [0:0]
575 604 :UDP - [0:0]
576 605 :SSH - [0:0]
577 606
578 607 # Rate limit ping requests
579 608 -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
580 609 -A INPUT -p icmp --icmp-type echo-request -j DROP
581 610
582 611 # Accept established connections
583 612 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
584 613
585 614 # Accept all traffic on loopback interface
586 615 -A INPUT -i lo -j ACCEPT
587 616
588 617 # Drop packets declared invalid
589 618 -A INPUT -m conntrack --ctstate INVALID -j DROP
590 619
591 620 # SSH rate limiting
592 621 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
593 622 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
594 623 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
595 624 -A SSH -m recent --name sshbf --set -j ACCEPT
596 625
597 626 # Send TCP and UDP connections to their respective rules chain
598 627 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
599 628 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
600 629
601 630 # Reject dropped packets with a RFC compliant responce
602 631 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
603 632 -A INPUT -p tcp -j REJECT --reject-with tcp-rst
604 633 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
605 634
606 635 ## TCP PORT RULES
607 636 # -A TCP -p tcp -j LOG
608 637
609 638 ## UDP PORT RULES
610 639 # -A UDP -p udp -j LOG
611 640
612 641 COMMIT
613 642 EOM
614 643
615 644 # Reload systemd configuration and enable iptables service
616 645 LANG=C chroot $R systemctl daemon-reload
617 646 LANG=C chroot $R systemctl enable iptables.service
618 647
619 648 if [ "$ENABLE_IPV6" = true ] ; then
620 649 # Create ip6tables systemd service
621 650 cat <<EOM >$R/etc/systemd/system/ip6tables.service
622 651 [Unit]
623 652 Description=Packet Filtering Framework
624 653 DefaultDependencies=no
625 654 After=systemd-sysctl.service
626 655 Before=sysinit.target
627 656 [Service]
628 657 Type=oneshot
629 658 ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
630 659 ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
631 660 ExecStop=/etc/iptables/flush-ip6tables.sh
632 661 RemainAfterExit=yes
633 662 [Install]
634 663 WantedBy=multi-user.target
635 664 EOM
636 665
637 666 # Create ip6tables file
638 667 cat <<EOM >$R/etc/iptables/flush-ip6tables.sh
639 668 #!/bin/sh
640 669 ip6tables -F
641 670 ip6tables -X
642 671 ip6tables -Z
643 672 for table in $(</proc/net/ip6_tables_names)
644 673 do
645 674 ip6tables -t \$table -F
646 675 ip6tables -t \$table -X
647 676 ip6tables -t \$table -Z
648 677 done
649 678 ip6tables -P INPUT ACCEPT
650 679 ip6tables -P OUTPUT ACCEPT
651 680 ip6tables -P FORWARD ACCEPT
652 681 EOM
653 682
654 683 # Create ip6tables rule file
655 684 cat <<EOM >$R/etc/iptables/ip6tables.rules
656 685 *filter
657 686 :INPUT DROP [0:0]
658 687 :FORWARD DROP [0:0]
659 688 :OUTPUT ACCEPT [0:0]
660 689 :TCP - [0:0]
661 690 :UDP - [0:0]
662 691 :SSH - [0:0]
663 692
664 693 # Drop packets with RH0 headers
665 694 -A INPUT -m rt --rt-type 0 -j DROP
666 695 -A OUTPUT -m rt --rt-type 0 -j DROP
667 696 -A FORWARD -m rt --rt-type 0 -j DROP
668 697
669 698 # Rate limit ping requests
670 699 -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
671 700 -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
672 701
673 702 # Accept established connections
674 703 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
675 704
676 705 # Accept all traffic on loopback interface
677 706 -A INPUT -i lo -j ACCEPT
678 707
679 708 # Drop packets declared invalid
680 709 -A INPUT -m conntrack --ctstate INVALID -j DROP
681 710
682 711 # SSH rate limiting
683 712 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
684 713 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
685 714 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
686 715 -A SSH -m recent --name sshbf --set -j ACCEPT
687 716
688 717 # Send TCP and UDP connections to their respective rules chain
689 718 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
690 719 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
691 720
692 721 # Reject dropped packets with a RFC compliant responce
693 722 -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
694 723 -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
695 724 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
696 725
697 726 ## TCP PORT RULES
698 727 # -A TCP -p tcp -j LOG
699 728
700 729 ## UDP PORT RULES
701 730 # -A UDP -p udp -j LOG
702 731
703 732 COMMIT
704 733 EOM
705 734
706 735 # Reload systemd configuration and enable iptables service
707 736 LANG=C chroot $R systemctl daemon-reload
708 737 LANG=C chroot $R systemctl enable ip6tables.service
709 738 fi
710 739 fi
711 740
712 741 # Remove SSHD related iptables rules
713 742 if [ "$ENABLE_SSHD" = false ] ; then
714 743 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/iptables.rules 2> /dev/null
715 744 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/ip6tables.rules 2> /dev/null
716 745 fi
717 746
718 747 # Install gcc/c++ build environment inside the chroot
719 748 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
720 749 LANG=C chroot $R apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
721 750 fi
722 751
723 752 # Fetch and build U-Boot bootloader
724 753 if [ "$ENABLE_UBOOT" = true ] ; then
725 754 # Fetch U-Boot bootloader sources
726 755 git -C $R/tmp clone git://git.denx.de/u-boot.git
727 756
728 757 # Build and install U-Boot inside chroot
729 758 LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all
730 759
731 760 # Copy compiled bootloader binary and set config.txt to load it
732 761 cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
733 762 printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
734 763
735 764 # Set U-Boot command file
736 765 cat <<EOM >$R/boot/firmware/uboot.mkimage
737 766 # Tell Linux that it is booting on a Raspberry Pi2
738 767 setenv machid 0x00000c42
739 768
740 769 # Set the kernel boot command line
741 770 setenv bootargs "earlyprintk ${CMDLINE}"
742 771
743 772 # Save these changes to u-boot's environment
744 773 saveenv
745 774
746 775 # Load the existing Linux kernel into RAM
747 776 fatload mmc 0:1 \${kernel_addr_r} kernel7.img
748 777
749 778 # Boot the kernel we have just loaded
750 779 bootz \${kernel_addr_r}
751 780 EOM
752 781
753 782 # Generate U-Boot image from command file
754 783 LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
755 784 fi
756 785
757 786 # Fetch and build fbturbo Xorg driver
758 787 if [ "$ENABLE_FBTURBO" = true ] ; then
759 788 # Fetch fbturbo driver sources
760 789 git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git
761 790
762 791 # Install Xorg build dependencies
763 792 LANG=C chroot $R apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
764 793
765 794 # Build and install fbturbo driver inside chroot
766 795 LANG=C chroot $R /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install"
767 796
768 797 # Add fbturbo driver to Xorg configuration
769 798 cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf
770 799 Section "Device"
771 800 Identifier "Allwinner A10/A13 FBDEV"
772 801 Driver "fbturbo"
773 802 Option "fbdev" "/dev/fb0"
774 803 Option "SwapbuffersWait" "true"
775 804 EndSection
776 805 EOM
777 806
778 807 # Remove Xorg build dependencies
779 808 LANG=C chroot $R apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
780 809 fi
781 810
782 811 # Remove gcc/c++ build environment from the chroot
783 812 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
784 813 LANG=C chroot $R apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
785 814 fi
786 815
787 816 # Clean cached downloads
788 817 LANG=C chroot $R apt-get -y clean
789 818 LANG=C chroot $R apt-get -y autoclean
790 819 LANG=C chroot $R apt-get -y autoremove
791 820
792 821 # Unmount mounted filesystems
793 822 umount -l $R/proc
794 823 umount -l $R/sys
795 824
796 825 # Clean up files
797 826 rm -f $R/etc/apt/sources.list.save
798 827 rm -f $R/etc/resolvconf/resolv.conf.d/original
799 828 rm -rf $R/run
800 829 mkdir -p $R/run
801 830 rm -f $R/etc/*-
802 831 rm -f $R/root/.bash_history
803 832 rm -rf $R/tmp/*
804 833 rm -f $R/var/lib/urandom/random-seed
805 834 [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id
806 835 rm -f $R/etc/machine-id
807 836 rm -fr $R/etc/apt/apt.conf.d/10proxy
808 837
809 838 # Calculate size of the chroot directory
810 839 CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)
811 840
812 841 # Calculate required image size
813 842 IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`
814 843
815 844 # Calculate number of sectors for the partition
816 845 IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`
817 846
818 847 # Prepare date string for image file name
819 848 DATE="$(date +%Y-%m-%d)"
820 849
821 850 # Prepare image file
822 851 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1
823 852 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}
824 853
825 854 # Write partition table
826 855 sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
827 856 unit: sectors
828 857
829 858 1 : start= 2048, size= 131072, Id= c, bootable
830 859 2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83
831 860 3 : start= 0, size= 0, Id= 0
832 861 4 : start= 0, size= 0, Id= 0
833 862 EOM
834 863
835 864 # Set up temporary loop devices and build filesystems
836 865 VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
837 866 EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
838 867 mkfs.vfat "$VFAT_LOOP"
839 868 mkfs.ext4 "$EXT4_LOOP"
840 869
841 870 # Mount the temporary loop devices
842 871 mkdir -p "$BUILDDIR/mount"
843 872 mount "$EXT4_LOOP" "$BUILDDIR/mount"
844 873
845 874 mkdir -p "$BUILDDIR/mount/boot/firmware"
846 875 mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"
847 876
848 877 # Copy all files from the chroot to the loop device mount point directory
849 878 rsync -a "$R/" "$BUILDDIR/mount/"
850 879
851 880 # Unmount all temporary loop devices and mount points
852 881 cleanup
853 882
854 883 # (optinal) create block map file for "bmaptool"
855 884 bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
856 885
857 886 # Image was successfully created
858 887 echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"
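Review bot: the `for table in $(</proc/net/ip6_tables_names)` line (new line 672) sits inside an unquoted `<<EOM` heredoc and is not escaped, so the build shell expands it while generating the image. The flush script then carries the build host's table list, or an empty list, rather than reading the target's at runtime. The `\$table` references just below are escaped, which suggests this one was meant to be too. The generated script also starts with `#!/bin/sh`, where the `$(<file)` form is a bashism, so `\$(cat /proc/net/ip6_tables_names)` is the safer spelling. Separately, `git -C $R/tmp clone git://git.denx.de/u-boot.git` (new line 755) fetches the bootloader source over the unauthenticated `git://` transport with no tag or commit pinned, and the result is built and copied to `/boot/firmware/`. Cloning over HTTPS and checking out a fixed, verified revision would make the image reproducible and harder to tamper with in transit. The same concern applies to `--force-yes` on the compiler install at new line 749, which lets apt proceed with packages that fail authentication. It is not used on the other `apt-get install` call in this region and can probably be dropped.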