Added support for keyboard configuration
Vincent Knecht -
r27:16487517311f
@@ -1,101 +1,109
1 # rpi2-gen-image
1 # rpi2-gen-image
2 ## Introduction
2 ## Introduction
3 `rpi2-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for the Raspberry 2 (RPi2) computer. The script at this time only supports the bootstrapping of the current stable Debian 8 "jessie" release.
3 `rpi2-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for the Raspberry 2 (RPi2) computer. The script at this time only supports the bootstrapping of the current stable Debian 8 "jessie" release.
4
4
5 ## Build dependencies
5 ## Build dependencies
6 The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user.
6 The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user.
7
7
8 ```debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core```
8 ```debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core```
9
9
10 ## Command-line parameters
10 ## Command-line parameters
11 The script accepts certain command-line parameters to enable or disable specific OS features, services and configuration settings. These parameters are passed to the `rpi2-gen-image.sh` script via (simple) shell-variables. Unlike environment shell-variables (simple) shell-variables are defined at the beginning of the command-line call of the `rpi2-gen-image.sh` script.
11 The script accepts certain command-line parameters to enable or disable specific OS features, services and configuration settings. These parameters are passed to the `rpi2-gen-image.sh` script via (simple) shell-variables. Unlike environment shell-variables (simple) shell-variables are defined at the beginning of the command-line call of the `rpi2-gen-image.sh` script.
12
12
13 #####Command-line examples:
13 #####Command-line examples:
14 ```shell
14 ```shell
15 ENABLE_UBOOT=true ./rpi2-gen-image.sh
15 ENABLE_UBOOT=true ./rpi2-gen-image.sh
16 ENABLE_CONSOLE=false ENABLE_IPV6=false ./rpi2-gen-image.sh
16 ENABLE_CONSOLE=false ENABLE_IPV6=false ./rpi2-gen-image.sh
17 ENABLE_WM=xfce4 ENABLE_FBTURBO=true ENABLE_MINBASE=true ./rpi2-gen-image.sh
17 ENABLE_WM=xfce4 ENABLE_FBTURBO=true ENABLE_MINBASE=true ./rpi2-gen-image.sh
18 ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi2-gen-image.sh
18 ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi2-gen-image.sh
19 APT_SERVER=ftp.de.debian.org APT_PROXY="http://127.0.0.1:3142/" ./rpi2-gen-image.sh
19 APT_SERVER=ftp.de.debian.org APT_PROXY="http://127.0.0.1:3142/" ./rpi2-gen-image.sh
20 ENABLE_MINBASE=true ./rpi2-gen-image.sh
20 ENABLE_MINBASE=true ./rpi2-gen-image.sh
21 ```
21 ```
22
22
23 #### APT settings:
23 #### APT settings:
24 ##### `APT_SERVER`="ftp.debian.org"
24 ##### `APT_SERVER`="ftp.debian.org"
25 Set Debian packages server address. Choose a server from the list of Debian worldwide [mirror sites](https://www.debian.org/mirror/list). Using a nearby server will probably speed-up all required downloads within the bootstrapping process.
25 Set Debian packages server address. Choose a server from the list of Debian worldwide [mirror sites](https://www.debian.org/mirror/list). Using a nearby server will probably speed-up all required downloads within the bootstrapping process.
26
26
27 ##### `APT_PROXY`=""
27 ##### `APT_PROXY`=""
28 Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once.
28 Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once.
29
29
30 #### General system settings:
30 #### General system settings:
31 ##### `HOSTNAME`="rpi2-jessie"
31 ##### `HOSTNAME`="rpi2-jessie"
32 Set system host name. It's recommended that the host name is unique in the corresponding subnet.
32 Set system host name. It's recommended that the host name is unique in the corresponding subnet.
33
33
34 ##### `PASSWORD`="raspberry"
34 ##### `PASSWORD`="raspberry"
35 Set system `root` password. The same password is used for the created user `pi`. It's **STRONGLY** recommended that you choose a custom password.
35 Set system `root` password. The same password is used for the created user `pi`. It's **STRONGLY** recommended that you choose a custom password.
36
36
37 ##### `DEFLOCAL`="en_US.UTF-8"
37 ##### `DEFLOCAL`="en_US.UTF-8"
38 Set default system locale and keyboard layout. This setting can also be changed inside the running OS using the `dpkg-reconfigure locales` command. The script variant `minbase` (ENABLE_MINBASE=true) doesn't install `locales`.
38 Set default system locale. This setting can also be changed inside the running OS using the `dpkg-reconfigure locales` command. The script variant `minbase` (ENABLE_MINBASE=true) doesn't install `locales`.
39
39
40
40 ##### `TIMEZONE`="Europe/Berlin"
41 ##### `TIMEZONE`="Europe/Berlin"
41 Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command.
42 Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command.
42
43
44 #### Keyboard settings:
45 These options are used to configure keyboard layout in `/etc/default/keyboard` for console and Xorg. These settings can also be changed inside the running OS using the `dpkg-reconfigure keyboard-configuration` command.
46 ##### `XKBMODEL`=""
47 ##### `XKBLAYOUT`=""
48 ##### `XKBVARIANT`=""
49 ##### `XKBOPTIONS`=""
50
43 #### Basic system features:
51 #### Basic system features:
44 ##### `ENABLE_CONSOLE`=true
52 ##### `ENABLE_CONSOLE`=true
45 Enable serial console interface. Recommended if no monitor or keyboard is connected to the RPi2. In case of problems fe. if the network (auto) configuration failed - the serial console can be used to access the system.
53 Enable serial console interface. Recommended if no monitor or keyboard is connected to the RPi2. In case of problems fe. if the network (auto) configuration failed - the serial console can be used to access the system.
46
54
47 ##### `ENABLE_IPV6`=true
55 ##### `ENABLE_IPV6`=true
48 Enable IPv6 support. The network interface configuration is managed via systemd-networkd.
56 Enable IPv6 support. The network interface configuration is managed via systemd-networkd.
49
57
50 ##### `ENABLE_SSHD`=true
58 ##### `ENABLE_SSHD`=true
51 Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root.
59 Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root.
52
60
53 ##### `ENABLE_SOUND`=true
61 ##### `ENABLE_SOUND`=true
54 Enable sound hardware and install Advanced Linux Sound Architecture.
62 Enable sound hardware and install Advanced Linux Sound Architecture.
55
63
56 ##### `ENABLE_HWRANDOM`=true
64 ##### `ENABLE_HWRANDOM`=true
57 Enable Hardware Random Number Generator. Strong random numbers are important for most network based communications that use encryption. It's recommended to be enabled.
65 Enable Hardware Random Number Generator. Strong random numbers are important for most network based communications that use encryption. It's recommended to be enabled.
58
66
59 ##### `ENABLE_MINGPU`=false
67 ##### `ENABLE_MINGPU`=false
60 Minimize the amount of shared memory reserved for the GPU. It doesn't seem to be possible to fully disable the GPU.
68 Minimize the amount of shared memory reserved for the GPU. It doesn't seem to be possible to fully disable the GPU.
61
69
62 ##### `ENABLE_DBUS`=true
70 ##### `ENABLE_DBUS`=true
63 Install and enable D-Bus message bus. Please note that systemd should work without D-bus but it's recommended to be enabled.
71 Install and enable D-Bus message bus. Please note that systemd should work without D-bus but it's recommended to be enabled.
64
72
65 ##### `ENABLE_XORG`=false
73 ##### `ENABLE_XORG`=false
66 Install Xorg open-source X Window System.
74 Install Xorg open-source X Window System.
67
75
68 ##### `ENABLE_WM`=""
76 ##### `ENABLE_WM`=""
69 Install a user defined window manager for the X Window System. To make sure all X related package dependencies are getting installed `ENABLE_XORG` will automatically get enabled if `ENABLE_WM` is used. The `rpi2-gen-image.sh` script has been tested with the following list of window managers: `blackbox`, `openbox`, `fluxbox`, `jwm`, `dwm`, `xfce4`, `awesome`.
77 Install a user defined window manager for the X Window System. To make sure all X related package dependencies are getting installed `ENABLE_XORG` will automatically get enabled if `ENABLE_WM` is used. The `rpi2-gen-image.sh` script has been tested with the following list of window managers: `blackbox`, `openbox`, `fluxbox`, `jwm`, `dwm`, `xfce4`, `awesome`.
70
78
71 #### Advanced sytem features:
79 #### Advanced sytem features:
72 ##### `ENABLE_MINBASE`=false
80 ##### `ENABLE_MINBASE`=false
73 Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB.
81 Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB.
74
82
75 ##### `ENABLE_UBOOT`=false
83 ##### `ENABLE_UBOOT`=false
76 Replace default RPi2 second stage bootloader (bootcode.bin) with U-Boot bootloader. U-Boot can boot images via the network using the BOOTP/TFTP protocol.
84 Replace default RPi2 second stage bootloader (bootcode.bin) with U-Boot bootloader. U-Boot can boot images via the network using the BOOTP/TFTP protocol.
77
85
78 ##### `ENABLE_FBTURBO`=false
86 ##### `ENABLE_FBTURBO`=false
79 Install and enable the hardware accelerated Xorg video driver `fbturbo`. Please note that this driver is currently limited to hardware accelerated window moving and scrolling.
87 Install and enable the hardware accelerated Xorg video driver `fbturbo`. Please note that this driver is currently limited to hardware accelerated window moving and scrolling.
80
88
81 ##### `ENABLE_IPTABLES`=false
89 ##### `ENABLE_IPTABLES`=false
82 Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service.
90 Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service.
83
91
84 ##### `ENABLE_HARDNET`=false
92 ##### `ENABLE_HARDNET`=false
85 Enable IPv4/IPv6 network stack hardening settings.
93 Enable IPv4/IPv6 network stack hardening settings.
86
94
87 ## Logging of the bootstrapping process
95 ## Logging of the bootstrapping process
88 All information related to the bootstrapping process and the commands executed by the `rpi2-gen-image.sh` script can easily be saved into a logfile. The common shell command `script` can be used for this purpose:
96 All information related to the bootstrapping process and the commands executed by the `rpi2-gen-image.sh` script can easily be saved into a logfile. The common shell command `script` can be used for this purpose:
89
97
90 ```shell
98 ```shell
91 script -c 'APT_SERVER=ftp.de.debian.org ./rpi2-gen-image.sh' ./build.log
99 script -c 'APT_SERVER=ftp.de.debian.org ./rpi2-gen-image.sh' ./build.log
92 ```
100 ```
93
101
94 ## Flashing the image file
102 ## Flashing the image file
95 After the image file was successfully created by the `rpi2-gen-image.sh` script it can be copied to the microSD card that will be used by the RPi2 computer. This can be performed by using the tools `bmaptool` or `dd`. Using `bmaptool` will probably speed-up the copy process because `bmaptool` copies more wisely than `dd`.
103 After the image file was successfully created by the `rpi2-gen-image.sh` script it can be copied to the microSD card that will be used by the RPi2 computer. This can be performed by using the tools `bmaptool` or `dd`. Using `bmaptool` will probably speed-up the copy process because `bmaptool` copies more wisely than `dd`.
96
104
97 #####Flashing examples:
105 #####Flashing examples:
98 ```shell
106 ```shell
99 bmaptool copy ./images/jessie/2015-12-13-debian-jessie.img /dev/mmcblk0
107 bmaptool copy ./images/jessie/2015-12-13-debian-jessie.img /dev/mmcblk0
100 dd bs=4M if=./images/jessie/2015-12-13-debian-jessie.img of=/dev/mmcblk0
108 dd bs=4M if=./images/jessie/2015-12-13-debian-jessie.img of=/dev/mmcblk0
101 ```
109 ```
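Review bot: the new "Keyboard settings" block lists `XKBMODEL`, `XKBLAYOUT`, `XKBVARIANT` and `XKBOPTIONS` with empty defaults but, unlike every other option in this README, gives none of them a description, so a reader cannot tell what values are expected; add one line under each heading stating that the value is written verbatim to the key of the same name in `/etc/default/keyboard` and interpreted by `keyboard-configuration`, and put a blank line between the intro sentence and the first `#####` heading as the other sections do. The block should also carry the same caveat the `DEFLOCAL` entry has: the script only installs `keyboard-configuration` and `console-setup` in the non-minbase branch, so these four settings have no effect with `ENABLE_MINBASE=true`. Pre-existing and outside this change, but visible in the hunk: the command-line example `ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi2-gen-image.sh` is missing the leading `./`.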
@@ -1,858 +1,887
1 #!/bin/sh
1 #!/bin/sh
2
2
3 ########################################################################
3 ########################################################################
4 # rpi2-gen-image.sh ver2a 12/2015
4 # rpi2-gen-image.sh ver2a 12/2015
5 #
5 #
6 # Advanced debian "jessie" bootstrap script for RPi2
6 # Advanced debian "jessie" bootstrap script for RPi2
7 #
7 #
8 # This program is free software; you can redistribute it and/or
8 # This program is free software; you can redistribute it and/or
9 # modify it under the terms of the GNU General Public License
9 # modify it under the terms of the GNU General Public License
10 # as published by the Free Software Foundation; either version 2
10 # as published by the Free Software Foundation; either version 2
11 # of the License, or (at your option) any later version.
11 # of the License, or (at your option) any later version.
12 #
12 #
13 # some parts based on rpi2-build-image:
13 # some parts based on rpi2-build-image:
14 # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
14 # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
15 # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
15 # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
16 ########################################################################
16 ########################################################################
17
17
18 # Clean up all temporary mount points
18 # Clean up all temporary mount points
19 cleanup (){
19 cleanup (){
20 set +x
20 set +x
21 set +e
21 set +e
22 echo "removing temporary mount points ..."
22 echo "removing temporary mount points ..."
23 umount -l $R/proc 2> /dev/null
23 umount -l $R/proc 2> /dev/null
24 umount -l $R/sys 2> /dev/null
24 umount -l $R/sys 2> /dev/null
25 umount -l $R/dev/pts 2> /dev/null
25 umount -l $R/dev/pts 2> /dev/null
26 umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
26 umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
27 umount "$BUILDDIR/mount" 2> /dev/null
27 umount "$BUILDDIR/mount" 2> /dev/null
28 losetup -d "$EXT4_LOOP" 2> /dev/null
28 losetup -d "$EXT4_LOOP" 2> /dev/null
29 losetup -d "$VFAT_LOOP" 2> /dev/null
29 losetup -d "$VFAT_LOOP" 2> /dev/null
30 trap - 0 1 2 3 6
30 trap - 0 1 2 3 6
31 }
31 }
32
32
33 set -e
33 set -e
34 set -x
34 set -x
35
35
36 # Debian release
36 # Debian release
37 RELEASE=${RELEASE:=jessie}
37 RELEASE=${RELEASE:=jessie}
38
38
39 # Build settings
39 # Build settings
40 BASEDIR=./images/${RELEASE}
40 BASEDIR=./images/${RELEASE}
41 BUILDDIR=${BASEDIR}/build
41 BUILDDIR=${BASEDIR}/build
42
42
43 # General settings
43 # General settings
44 HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
44 HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
45 PASSWORD=${PASSWORD:=raspberry}
45 PASSWORD=${PASSWORD:=raspberry}
46 DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
46 DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
47 TIMEZONE=${TIMEZONE:="Europe/Berlin"}
47 TIMEZONE=${TIMEZONE:="Europe/Berlin"}
48 XKBMODEL=${XKBMODEL:=""}
49 XKBLAYOUT=${XKBLAYOUT:=""}
50 XKBVARIANT=${XKBVARIANT:=""}
51 XKBOPTIONS=${XKBOPTIONS:=""}
48
52
49 # APT settings
53 # APT settings
50 APT_PROXY=${APT_PROXY:=""}
54 APT_PROXY=${APT_PROXY:=""}
51 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
55 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
52
56
53 # Feature settings
57 # Feature settings
54 ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
58 ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
55 ENABLE_IPV6=${ENABLE_IPV6:=true}
59 ENABLE_IPV6=${ENABLE_IPV6:=true}
56 ENABLE_SSHD=${ENABLE_SSHD:=true}
60 ENABLE_SSHD=${ENABLE_SSHD:=true}
57 ENABLE_SOUND=${ENABLE_SOUND:=true}
61 ENABLE_SOUND=${ENABLE_SOUND:=true}
58 ENABLE_DBUS=${ENABLE_DBUS:=true}
62 ENABLE_DBUS=${ENABLE_DBUS:=true}
59 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
63 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
60 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
64 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
61 ENABLE_XORG=${ENABLE_XORG:=false}
65 ENABLE_XORG=${ENABLE_XORG:=false}
62 ENABLE_WM=${ENABLE_WM:=""}
66 ENABLE_WM=${ENABLE_WM:=""}
63
67
64 # Advanced settings
68 # Advanced settings
65 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
69 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
66 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
70 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
67 ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
71 ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
68 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
72 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
69 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
73 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
70
74
71 # Image chroot path
75 # Image chroot path
72 R=${BUILDDIR}/chroot
76 R=${BUILDDIR}/chroot
73
77
74 # Packages required for bootstrapping
78 # Packages required for bootstrapping
75 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core"
79 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core"
76
80
77 # Missing packages that need to be installed
81 # Missing packages that need to be installed
78 MISSING_PACKAGES=""
82 MISSING_PACKAGES=""
79
83
80 # Packages required in the chroot build environment
84 # Packages required in the chroot build environment
81 APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo"
85 APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo"
82
86
83 set +x
87 set +x
84
88
85 # Are we running as root?
89 # Are we running as root?
86 if [ "$(id -u)" -ne "0" ] ; then
90 if [ "$(id -u)" -ne "0" ] ; then
87 echo "this script must be executed with root privileges"
91 echo "this script must be executed with root privileges"
88 exit 1
92 exit 1
89 fi
93 fi
90
94
91 # Check if all required packages are installed
95 # Check if all required packages are installed
92 for package in $REQUIRED_PACKAGES ; do
96 for package in $REQUIRED_PACKAGES ; do
93 if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
97 if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
94 MISSING_PACKAGES="$MISSING_PACKAGES $package"
98 MISSING_PACKAGES="$MISSING_PACKAGES $package"
95 fi
99 fi
96 done
100 done
97
101
98 # Ask if missing packages should get installed right now
102 # Ask if missing packages should get installed right now
99 if [ -n "$MISSING_PACKAGES" ] ; then
103 if [ -n "$MISSING_PACKAGES" ] ; then
100 echo "the following packages needed by this script are not installed:"
104 echo "the following packages needed by this script are not installed:"
101 echo "$MISSING_PACKAGES"
105 echo "$MISSING_PACKAGES"
102
106
103 echo -n "\ndo you want to install the missing packages right now? [y/n] "
107 echo -n "\ndo you want to install the missing packages right now? [y/n] "
104 read confirm
108 read confirm
105 if [ "$confirm" != "y" ] ; then
109 if [ "$confirm" != "y" ] ; then
106 exit 1
110 exit 1
107 fi
111 fi
108 fi
112 fi
109
113
110 # Make sure all required packages are installed
114 # Make sure all required packages are installed
111 apt-get -qq -y install ${REQUIRED_PACKAGES}
115 apt-get -qq -y install ${REQUIRED_PACKAGES}
112
116
113 # Don't clobber an old build
117 # Don't clobber an old build
114 if [ -e "$BUILDDIR" ]; then
118 if [ -e "$BUILDDIR" ]; then
115 echo "directory $BUILDDIR already exists, not proceeding"
119 echo "directory $BUILDDIR already exists, not proceeding"
116 exit 1
120 exit 1
117 fi
121 fi
118
122
119 set -x
123 set -x
120
124
121 # Call "cleanup" function on various signals and errors
125 # Call "cleanup" function on various signals and errors
122 trap cleanup 0 1 2 3 6
126 trap cleanup 0 1 2 3 6
123
127
124 # Set up chroot directory
128 # Set up chroot directory
125 mkdir -p $R
129 mkdir -p $R
126
130
127 # Add required packages for the minbase installation
131 # Add required packages for the minbase installation
128 if [ "$ENABLE_MINBASE" = true ] ; then
132 if [ "$ENABLE_MINBASE" = true ] ; then
129 APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools"
133 APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools"
130 else
134 else
131 APT_INCLUDES="${APT_INCLUDES},locales"
135 APT_INCLUDES="${APT_INCLUDES},locales,keyboard-configuration,console-setup"
132 fi
136 fi
133
137
134 # Add dbus package, recommended if using systemd
138 # Add dbus package, recommended if using systemd
135 if [ "$ENABLE_DBUS" = true ] ; then
139 if [ "$ENABLE_DBUS" = true ] ; then
136 APT_INCLUDES="${APT_INCLUDES},dbus"
140 APT_INCLUDES="${APT_INCLUDES},dbus"
137 fi
141 fi
138
142
139 # Add iptables IPv4/IPv6 package
143 # Add iptables IPv4/IPv6 package
140 if [ "$ENABLE_IPTABLES" = true ] ; then
144 if [ "$ENABLE_IPTABLES" = true ] ; then
141 APT_INCLUDES="${APT_INCLUDES},iptables"
145 APT_INCLUDES="${APT_INCLUDES},iptables"
142 fi
146 fi
143
147
144 # Add openssh server package
148 # Add openssh server package
145 if [ "$ENABLE_SSHD" = true ] ; then
149 if [ "$ENABLE_SSHD" = true ] ; then
146 APT_INCLUDES="${APT_INCLUDES},openssh-server"
150 APT_INCLUDES="${APT_INCLUDES},openssh-server"
147 fi
151 fi
148
152
149 # Add alsa-utils package
153 # Add alsa-utils package
150 if [ "$ENABLE_SOUND" = true ] ; then
154 if [ "$ENABLE_SOUND" = true ] ; then
151 APT_INCLUDES="${APT_INCLUDES},alsa-utils"
155 APT_INCLUDES="${APT_INCLUDES},alsa-utils"
152 fi
156 fi
153
157
154 # Add rng-tools package
158 # Add rng-tools package
155 if [ "$ENABLE_HWRANDOM" = true ] ; then
159 if [ "$ENABLE_HWRANDOM" = true ] ; then
156 APT_INCLUDES="${APT_INCLUDES},rng-tools"
160 APT_INCLUDES="${APT_INCLUDES},rng-tools"
157 fi
161 fi
158
162
159 # Add fbturbo video driver
163 # Add fbturbo video driver
160 if [ "$ENABLE_FBTURBO" = true ] ; then
164 if [ "$ENABLE_FBTURBO" = true ] ; then
161 # Enable xorg package dependencies
165 # Enable xorg package dependencies
162 ENABLE_XORG=true
166 ENABLE_XORG=true
163 fi
167 fi
164
168
165 # Add user defined window manager package
169 # Add user defined window manager package
166 if [ -n "$ENABLE_WM" ] ; then
170 if [ -n "$ENABLE_WM" ] ; then
167 APT_INCLUDES="${APT_INCLUDES},${ENABLE_WM}"
171 APT_INCLUDES="${APT_INCLUDES},${ENABLE_WM}"
168
172
169 # Enable xorg package dependencies
173 # Enable xorg package dependencies
170 ENABLE_XORG=true
174 ENABLE_XORG=true
171 fi
175 fi
172
176
173 # Add xorg package
177 # Add xorg package
174 if [ "$ENABLE_XORG" = true ] ; then
178 if [ "$ENABLE_XORG" = true ] ; then
175 APT_INCLUDES="${APT_INCLUDES},xorg"
179 APT_INCLUDES="${APT_INCLUDES},xorg"
176 fi
180 fi
177
181
178 # Set empty proxy string
182 # Set empty proxy string
179 if [ -z "$APT_PROXY" ] ; then
183 if [ -z "$APT_PROXY" ] ; then
180 APT_PROXY="http://"
184 APT_PROXY="http://"
181 fi
185 fi
182
186
183 # Base debootstrap (unpack only)
187 # Base debootstrap (unpack only)
184 if [ "$ENABLE_MINBASE" = true ] ; then
188 if [ "$ENABLE_MINBASE" = true ] ; then
185 debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian
189 debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian
186 else
190 else
187 debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian
191 debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian
188 fi
192 fi
189
193
190 # Copy qemu emulator binary to chroot
194 # Copy qemu emulator binary to chroot
191 cp /usr/bin/qemu-arm-static $R/usr/bin
195 cp /usr/bin/qemu-arm-static $R/usr/bin
192
196
193 # Copy debian-archive-keyring.pgp
197 # Copy debian-archive-keyring.pgp
194 chroot $R mkdir -p /usr/share/keyrings
198 chroot $R mkdir -p /usr/share/keyrings
195 cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
199 cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
196
200
197 # Complete the bootstrapping process
201 # Complete the bootstrapping process
198 chroot $R /debootstrap/debootstrap --second-stage
202 chroot $R /debootstrap/debootstrap --second-stage
199
203
200 # Mount required filesystems
204 # Mount required filesystems
201 mount -t proc none $R/proc
205 mount -t proc none $R/proc
202 mount -t sysfs none $R/sys
206 mount -t sysfs none $R/sys
203 mount --bind /dev/pts $R/dev/pts
207 mount --bind /dev/pts $R/dev/pts
204
208
205 # Use proxy inside chroot
209 # Use proxy inside chroot
206 if [ -z "$APT_PROXY" ] ; then
210 if [ -z "$APT_PROXY" ] ; then
207 echo "Acquire::http::Proxy \"$APT_PROXY\"" >> $R/etc/apt/apt.conf.d/10proxy
211 echo "Acquire::http::Proxy \"$APT_PROXY\"" >> $R/etc/apt/apt.conf.d/10proxy
208 fi
212 fi
209
213
210 # Pin package flash-kernel to repositories.collabora.co.uk
214 # Pin package flash-kernel to repositories.collabora.co.uk
211 cat <<EOM >$R/etc/apt/preferences.d/flash-kernel
215 cat <<EOM >$R/etc/apt/preferences.d/flash-kernel
212 Package: flash-kernel
216 Package: flash-kernel
213 Pin: origin repositories.collabora.co.uk
217 Pin: origin repositories.collabora.co.uk
214 Pin-Priority: 1000
218 Pin-Priority: 1000
215 EOM
219 EOM
216
220
217 # Set up timezone
221 # Set up timezone
218 echo ${TIMEZONE} >$R/etc/timezone
222 echo ${TIMEZONE} >$R/etc/timezone
219 LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata
223 LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata
220
224
221 # Upgrade collabora package index and install collabora keyring
225 # Upgrade collabora package index and install collabora keyring
222 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
226 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
223 LANG=C chroot $R apt-get -qq -y update
227 LANG=C chroot $R apt-get -qq -y update
224 LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring
228 LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring
225
229
226 # Set up initial sources.list
230 # Set up initial sources.list
227 cat <<EOM >$R/etc/apt/sources.list
231 cat <<EOM >$R/etc/apt/sources.list
228 deb http://${APT_SERVER}/debian ${RELEASE} main contrib
232 deb http://${APT_SERVER}/debian ${RELEASE} main contrib
229 #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib
233 #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib
230
234
231 deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
235 deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
232 #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
236 #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
233
237
234 deb http://security.debian.org/ ${RELEASE}/updates main contrib
238 deb http://security.debian.org/ ${RELEASE}/updates main contrib
235 #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib
239 #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib
236
240
237 deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
241 deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
238 EOM
242 EOM
239
243
240 # Upgrade package index and update all installed packages and changed dependencies
244 # Upgrade package index and update all installed packages and changed dependencies
241 LANG=C chroot $R apt-get -qq -y update
245 LANG=C chroot $R apt-get -qq -y update
242 LANG=C chroot $R apt-get -qq -y -u dist-upgrade
246 LANG=C chroot $R apt-get -qq -y -u dist-upgrade
243
247
244 # Set up default locales to "en_US.UTF-8" default
248 # Set up default locale and keyboard configuration
245 if [ "$ENABLE_MINBASE" = false ] ; then
249 if [ "$ENABLE_MINBASE" = false ] ; then
246 # Set locale choice in debconf db, even though dpkg-reconfigure ignores and overwrites them due to some bug
250 # Set locale choice in debconf db, even though dpkg-reconfigure ignores and overwrites them due to some bug
247 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684134 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685957
251 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684134 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685957
248 # ... so we have to set locales manually
252 # ... so we have to set locales manually
249 if [ "$DEFLOCAL" = "en_US.UTF-8" ] ; then
253 if [ "$DEFLOCAL" = "en_US.UTF-8" ] ; then
250 LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections
254 LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections
251 else
255 else
252 # en_US.UTF-8 should be available anyway : https://www.debian.org/doc/manuals/debian-reference/ch08.en.html#_the_reconfiguration_of_the_locale
256 # en_US.UTF-8 should be available anyway : https://www.debian.org/doc/manuals/debian-reference/ch08.en.html#_the_reconfiguration_of_the_locale
253 LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections
257 LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections
254 LANG=C chroot $R sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen
258 LANG=C chroot $R sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen
255 fi
259 fi
256 LANG=C chroot $R sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen
260 LANG=C chroot $R sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen
257 LANG=C chroot $R echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections
261 LANG=C chroot $R echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections
258 LANG=C chroot $R locale-gen
262 LANG=C chroot $R locale-gen
259 LANG=C chroot $R update-locale LANG=${DEFLOCAL}
263 LANG=C chroot $R update-locale LANG=${DEFLOCAL}
264
265 # Keyboard configuration, if requested
266 if [ "$XKBMODEL" != "" ] ; then
267 LANG=C chroot $R sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKBMODEL}\"/" /etc/default/keyboard
268 fi
269 if [ "$XKBLAYOUT" != "" ] ; then
270 LANG=C chroot $R sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKBLAYOUT}\"/" /etc/default/keyboard
271 fi
272 if [ "$XKBVARIANT" != "" ] ; then
273 LANG=C chroot $R sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKBVARIANT}\"/" /etc/default/keyboard
274 fi
275 if [ "$XKBOPTIONS" != "" ] ; then
276 LANG=C chroot $R sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKBOPTIONS}\"/" /etc/default/keyboard
277 fi
278 LANG=C chroot $R dpkg-reconfigure -f noninteractive keyboard-configuration
279 # Set up font console
280 case "${DEFLOCAL}" in
281 *UTF-8)
282 LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' /etc/default/console-setup
283 ;;
284 *)
285 LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="guess"/' /etc/default/console-setup
286 ;;
287 esac
288 LANG=C chroot $R dpkg-reconfigure -f noninteractive console-setup
260 fi
289 fi
261
290
262 # Kernel installation
291 # Kernel installation
263 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
292 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
264 LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2
293 LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2
265 LANG=C chroot $R apt-get -qq -y install flash-kernel
294 LANG=C chroot $R apt-get -qq -y install flash-kernel
266
295
267 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
296 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
268 [ -z "$VMLINUZ" ] && exit 1
297 [ -z "$VMLINUZ" ] && exit 1
269 mkdir -p $R/boot/firmware
298 mkdir -p $R/boot/firmware
270
299
271 # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")
300 # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")
272 wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin
301 wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin
273 wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat
302 wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat
274 wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat
303 wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat
275 wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat
304 wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat
276 wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf
305 wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf
277 wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf
306 wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf
278 wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf
307 wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf
279 cp $VMLINUZ $R/boot/firmware/kernel7.img
308 cp $VMLINUZ $R/boot/firmware/kernel7.img
280
309
281 # Set up IPv4 hosts
310 # Set up IPv4 hosts
282 echo ${HOSTNAME} >$R/etc/hostname
311 echo ${HOSTNAME} >$R/etc/hostname
283 cat <<EOM >$R/etc/hosts
312 cat <<EOM >$R/etc/hosts
284 127.0.0.1 localhost
313 127.0.0.1 localhost
285 127.0.1.1 ${HOSTNAME}
314 127.0.1.1 ${HOSTNAME}
286 EOM
315 EOM
287
316
288 # Set up IPv6 hosts
317 # Set up IPv6 hosts
289 if [ "$ENABLE_IPV6" = true ] ; then
318 if [ "$ENABLE_IPV6" = true ] ; then
290 cat <<EOM >>$R/etc/hosts
319 cat <<EOM >>$R/etc/hosts
291
320
292 ::1 localhost ip6-localhost ip6-loopback
321 ::1 localhost ip6-localhost ip6-loopback
293 ff02::1 ip6-allnodes
322 ff02::1 ip6-allnodes
294 ff02::2 ip6-allrouters
323 ff02::2 ip6-allrouters
295 EOM
324 EOM
296 fi
325 fi
297
326
298 # Place hint about network configuration
327 # Place hint about network configuration
299 cat <<EOM >$R/etc/network/interfaces
328 cat <<EOM >$R/etc/network/interfaces
300 # Debian switched to systemd-networkd configuration files.
329 # Debian switched to systemd-networkd configuration files.
301 # please configure your networks in '/etc/systemd/network/'
330 # please configure your networks in '/etc/systemd/network/'
302 EOM
331 EOM
303
332
304 # Enable systemd-networkd DHCP configuration for interface eth0
333 # Enable systemd-networkd DHCP configuration for interface eth0
305 cat <<EOM >$R/etc/systemd/network/eth.network
334 cat <<EOM >$R/etc/systemd/network/eth.network
306 [Match]
335 [Match]
307 Name=eth0
336 Name=eth0
308
337
309 [Network]
338 [Network]
310 DHCP=yes
339 DHCP=yes
311 EOM
340 EOM
312
341
313 # Set DHCP configuration to IPv4 only
342 # Set DHCP configuration to IPv4 only
314 if [ "$ENABLE_IPV6" = false ] ; then
343 if [ "$ENABLE_IPV6" = false ] ; then
315 sed -i "s/=yes/=v4/" $R/etc/systemd/network/eth.network
344 sed -i "s/=yes/=v4/" $R/etc/systemd/network/eth.network
316 fi
345 fi
317
346
318 # Enable systemd-networkd service
347 # Enable systemd-networkd service
319 LANG=C chroot $R systemctl enable systemd-networkd
348 LANG=C chroot $R systemctl enable systemd-networkd
320
349
321 # Generate crypt(3) password string
350 # Generate crypt(3) password string
322 ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
351 ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
323
352
324 # Set up default user
353 # Set up default user
325 LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi
354 LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi
326 LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
355 LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
327
356
328 # Set up root password
357 # Set up root password
329 LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root
358 LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root
330
359
331 # Set up firmware boot cmdline
360 # Set up firmware boot cmdline
332 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
361 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
333
362
334 # Set up serial console support (if requested)
363 # Set up serial console support (if requested)
335 if [ "$ENABLE_CONSOLE" = true ] ; then
364 if [ "$ENABLE_CONSOLE" = true ] ; then
336 CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
365 CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
337 fi
366 fi
338
367
339 # Set up IPv6 networking support
368 # Set up IPv6 networking support
340 if [ "$ENABLE_IPV6" = false ] ; then
369 if [ "$ENABLE_IPV6" = false ] ; then
341 CMDLINE="${CMDLINE} ipv6.disable=1"
370 CMDLINE="${CMDLINE} ipv6.disable=1"
342 fi
371 fi
343
372
344 echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
373 echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
345
374
346 # Set up firmware config
375 # Set up firmware config
347 cat <<EOM >$R/boot/firmware/config.txt
376 cat <<EOM >$R/boot/firmware/config.txt
348 # For more options and information see
377 # For more options and information see
349 # http://www.raspberrypi.org/documentation/configuration/config-txt.md
378 # http://www.raspberrypi.org/documentation/configuration/config-txt.md
350 # Some settings may impact device functionality. See link above for details
379 # Some settings may impact device functionality. See link above for details
351
380
352 # uncomment if you get no picture on HDMI for a default "safe" mode
381 # uncomment if you get no picture on HDMI for a default "safe" mode
353 #hdmi_safe=1
382 #hdmi_safe=1
354
383
355 # uncomment this if your display has a black border of unused pixels visible
384 # uncomment this if your display has a black border of unused pixels visible
356 # and your display can output without overscan
385 # and your display can output without overscan
357 #disable_overscan=1
386 #disable_overscan=1
358
387
359 # uncomment the following to adjust overscan. Use positive numbers if console
388 # uncomment the following to adjust overscan. Use positive numbers if console
360 # goes off screen, and negative if there is too much border
389 # goes off screen, and negative if there is too much border
361 #overscan_left=16
390 #overscan_left=16
362 #overscan_right=16
391 #overscan_right=16
363 #overscan_top=16
392 #overscan_top=16
364 #overscan_bottom=16
393 #overscan_bottom=16
365
394
366 # uncomment to force a console size. By default it will be display's size minus
395 # uncomment to force a console size. By default it will be display's size minus
367 # overscan.
396 # overscan.
368 #framebuffer_width=1280
397 #framebuffer_width=1280
369 #framebuffer_height=720
398 #framebuffer_height=720
370
399
371 # uncomment if hdmi display is not detected and composite is being output
400 # uncomment if hdmi display is not detected and composite is being output
372 #hdmi_force_hotplug=1
401 #hdmi_force_hotplug=1
373
402
374 # uncomment to force a specific HDMI mode (this will force VGA)
403 # uncomment to force a specific HDMI mode (this will force VGA)
375 #hdmi_group=1
404 #hdmi_group=1
376 #hdmi_mode=1
405 #hdmi_mode=1
377
406
378 # uncomment to force a HDMI mode rather than DVI. This can make audio work in
407 # uncomment to force a HDMI mode rather than DVI. This can make audio work in
379 # DMT (computer monitor) modes
408 # DMT (computer monitor) modes
380 #hdmi_drive=2
409 #hdmi_drive=2
381
410
382 # uncomment to increase signal to HDMI, if you have interference, blanking, or
411 # uncomment to increase signal to HDMI, if you have interference, blanking, or
383 # no display
412 # no display
384 #config_hdmi_boost=4
413 #config_hdmi_boost=4
385
414
386 # uncomment for composite PAL
415 # uncomment for composite PAL
387 #sdtv_mode=2
416 #sdtv_mode=2
388
417
389 # uncomment to overclock the arm. 700 MHz is the default.
418 # uncomment to overclock the arm. 700 MHz is the default.
390 #arm_freq=800
419 #arm_freq=800
391 EOM
420 EOM
392
421
393 # Load snd_bcm2835 kernel module at boot time
422 # Load snd_bcm2835 kernel module at boot time
394 if [ "$ENABLE_SOUND" = true ] ; then
423 if [ "$ENABLE_SOUND" = true ] ; then
395 echo "snd_bcm2835" >>$R/etc/modules
424 echo "snd_bcm2835" >>$R/etc/modules
396 fi
425 fi
397
426
398 # Set smallest possible GPU memory allocation size: 16MB (no X)
427 # Set smallest possible GPU memory allocation size: 16MB (no X)
399 if [ "$ENABLE_MINGPU" = true ] ; then
428 if [ "$ENABLE_MINGPU" = true ] ; then
400 echo "gpu_mem=16" >>$R/boot/firmware/config.txt
429 echo "gpu_mem=16" >>$R/boot/firmware/config.txt
401 fi
430 fi
402
431
403 # Create symlinks
432 # Create symlinks
404 ln -sf firmware/config.txt $R/boot/config.txt
433 ln -sf firmware/config.txt $R/boot/config.txt
405 ln -sf firmware/cmdline.txt $R/boot/cmdline.txt
434 ln -sf firmware/cmdline.txt $R/boot/cmdline.txt
406
435
407 # Prepare modules-load.d directory
436 # Prepare modules-load.d directory
408 mkdir -p $R/lib/modules-load.d/
437 mkdir -p $R/lib/modules-load.d/
409
438
410 # Load random module on boot
439 # Load random module on boot
411 if [ "$ENABLE_HWRANDOM" = true ] ; then
440 if [ "$ENABLE_HWRANDOM" = true ] ; then
412 cat <<EOM >$R/lib/modules-load.d/rpi2.conf
441 cat <<EOM >$R/lib/modules-load.d/rpi2.conf
413 bcm2708_rng
442 bcm2708_rng
414 EOM
443 EOM
415 fi
444 fi
416
445
417 # Prepare modprobe.d directory
446 # Prepare modprobe.d directory
418 mkdir -p $R/etc/modprobe.d/
447 mkdir -p $R/etc/modprobe.d/
419
448
420 # Blacklist sound modules
449 # Blacklist sound modules
421 cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf
450 cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf
422 blacklist snd_soc_core
451 blacklist snd_soc_core
423 blacklist snd_pcm
452 blacklist snd_pcm
424 blacklist snd_pcm_dmaengine
453 blacklist snd_pcm_dmaengine
425 blacklist snd_timer
454 blacklist snd_timer
426 blacklist snd_compress
455 blacklist snd_compress
427 blacklist snd_soc_pcm512x_i2c
456 blacklist snd_soc_pcm512x_i2c
428 blacklist snd_soc_pcm512x
457 blacklist snd_soc_pcm512x
429 blacklist snd_soc_tas5713
458 blacklist snd_soc_tas5713
430 blacklist snd_soc_wm8804
459 blacklist snd_soc_wm8804
431 EOM
460 EOM
432
461
433 # Create default fstab
462 # Create default fstab
434 cat <<EOM >$R/etc/fstab
463 cat <<EOM >$R/etc/fstab
435 /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
464 /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
436 /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
465 /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
437 EOM
466 EOM
438
467
439 # Avoid swapping and increase cache sizes
468 # Avoid swapping and increase cache sizes
440 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
469 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
441
470
442 # Avoid swapping and increase cache sizes
471 # Avoid swapping and increase cache sizes
443 vm.swappiness=1
472 vm.swappiness=1
444 vm.dirty_background_ratio=20
473 vm.dirty_background_ratio=20
445 vm.dirty_ratio=40
474 vm.dirty_ratio=40
446 vm.dirty_writeback_centisecs=500
475 vm.dirty_writeback_centisecs=500
447 vm.dirty_expire_centisecs=6000
476 vm.dirty_expire_centisecs=6000
448 EOM
477 EOM
449
478
450 # Enable network stack hardening
479 # Enable network stack hardening
451 if [ "$ENABLE_HARDNET" = true ] ; then
480 if [ "$ENABLE_HARDNET" = true ] ; then
452 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
481 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
453
482
454 # Enable network stack hardening
483 # Enable network stack hardening
455 net.ipv4.tcp_timestamps=0
484 net.ipv4.tcp_timestamps=0
456 net.ipv4.tcp_syncookies=1
485 net.ipv4.tcp_syncookies=1
457 net.ipv4.conf.all.rp_filter=1
486 net.ipv4.conf.all.rp_filter=1
458 net.ipv4.conf.all.accept_redirects=0
487 net.ipv4.conf.all.accept_redirects=0
459 net.ipv4.conf.all.send_redirects=0
488 net.ipv4.conf.all.send_redirects=0
460 net.ipv4.conf.all.accept_source_route=0
489 net.ipv4.conf.all.accept_source_route=0
461 net.ipv4.conf.default.rp_filter=1
490 net.ipv4.conf.default.rp_filter=1
462 net.ipv4.conf.default.accept_redirects=0
491 net.ipv4.conf.default.accept_redirects=0
463 net.ipv4.conf.default.send_redirects=0
492 net.ipv4.conf.default.send_redirects=0
464 net.ipv4.conf.default.accept_source_route=0
493 net.ipv4.conf.default.accept_source_route=0
465 net.ipv4.conf.lo.accept_redirects=0
494 net.ipv4.conf.lo.accept_redirects=0
466 net.ipv4.conf.lo.send_redirects=0
495 net.ipv4.conf.lo.send_redirects=0
467 net.ipv4.conf.lo.accept_source_route=0
496 net.ipv4.conf.lo.accept_source_route=0
468 net.ipv4.conf.eth0.accept_redirects=0
497 net.ipv4.conf.eth0.accept_redirects=0
469 net.ipv4.conf.eth0.send_redirects=0
498 net.ipv4.conf.eth0.send_redirects=0
470 net.ipv4.conf.eth0.accept_source_route=0
499 net.ipv4.conf.eth0.accept_source_route=0
471 net.ipv4.icmp_echo_ignore_broadcasts=1
500 net.ipv4.icmp_echo_ignore_broadcasts=1
472 net.ipv4.icmp_ignore_bogus_error_responses=1
501 net.ipv4.icmp_ignore_bogus_error_responses=1
473
502
474 net.ipv6.conf.all.accept_redirects=0
503 net.ipv6.conf.all.accept_redirects=0
475 net.ipv6.conf.all.accept_source_route=0
504 net.ipv6.conf.all.accept_source_route=0
476 net.ipv6.conf.all.router_solicitations=0
505 net.ipv6.conf.all.router_solicitations=0
477 net.ipv6.conf.all.accept_ra_rtr_pref=0
506 net.ipv6.conf.all.accept_ra_rtr_pref=0
478 net.ipv6.conf.all.accept_ra_pinfo=0
507 net.ipv6.conf.all.accept_ra_pinfo=0
479 net.ipv6.conf.all.accept_ra_defrtr=0
508 net.ipv6.conf.all.accept_ra_defrtr=0
480 net.ipv6.conf.all.autoconf=0
509 net.ipv6.conf.all.autoconf=0
481 net.ipv6.conf.all.dad_transmits=0
510 net.ipv6.conf.all.dad_transmits=0
482 net.ipv6.conf.all.max_addresses=1
511 net.ipv6.conf.all.max_addresses=1
483
512
484 net.ipv6.conf.default.accept_redirects=0
513 net.ipv6.conf.default.accept_redirects=0
485 net.ipv6.conf.default.accept_source_route=0
514 net.ipv6.conf.default.accept_source_route=0
486 net.ipv6.conf.default.router_solicitations=0
515 net.ipv6.conf.default.router_solicitations=0
487 net.ipv6.conf.default.accept_ra_rtr_pref=0
516 net.ipv6.conf.default.accept_ra_rtr_pref=0
488 net.ipv6.conf.default.accept_ra_pinfo=0
517 net.ipv6.conf.default.accept_ra_pinfo=0
489 net.ipv6.conf.default.accept_ra_defrtr=0
518 net.ipv6.conf.default.accept_ra_defrtr=0
490 net.ipv6.conf.default.autoconf=0
519 net.ipv6.conf.default.autoconf=0
491 net.ipv6.conf.default.dad_transmits=0
520 net.ipv6.conf.default.dad_transmits=0
492 net.ipv6.conf.default.max_addresses=1
521 net.ipv6.conf.default.max_addresses=1
493
522
494 net.ipv6.conf.lo.accept_redirects=0
523 net.ipv6.conf.lo.accept_redirects=0
495 net.ipv6.conf.lo.accept_source_route=0
524 net.ipv6.conf.lo.accept_source_route=0
496 net.ipv6.conf.lo.router_solicitations=0
525 net.ipv6.conf.lo.router_solicitations=0
497 net.ipv6.conf.lo.accept_ra_rtr_pref=0
526 net.ipv6.conf.lo.accept_ra_rtr_pref=0
498 net.ipv6.conf.lo.accept_ra_pinfo=0
527 net.ipv6.conf.lo.accept_ra_pinfo=0
499 net.ipv6.conf.lo.accept_ra_defrtr=0
528 net.ipv6.conf.lo.accept_ra_defrtr=0
500 net.ipv6.conf.lo.autoconf=0
529 net.ipv6.conf.lo.autoconf=0
501 net.ipv6.conf.lo.dad_transmits=0
530 net.ipv6.conf.lo.dad_transmits=0
502 net.ipv6.conf.lo.max_addresses=1
531 net.ipv6.conf.lo.max_addresses=1
503
532
504 net.ipv6.conf.eth0.accept_redirects=0
533 net.ipv6.conf.eth0.accept_redirects=0
505 net.ipv6.conf.eth0.accept_source_route=0
534 net.ipv6.conf.eth0.accept_source_route=0
506 net.ipv6.conf.eth0.router_solicitations=0
535 net.ipv6.conf.eth0.router_solicitations=0
507 net.ipv6.conf.eth0.accept_ra_rtr_pref=0
536 net.ipv6.conf.eth0.accept_ra_rtr_pref=0
508 net.ipv6.conf.eth0.accept_ra_pinfo=0
537 net.ipv6.conf.eth0.accept_ra_pinfo=0
509 net.ipv6.conf.eth0.accept_ra_defrtr=0
538 net.ipv6.conf.eth0.accept_ra_defrtr=0
510 net.ipv6.conf.eth0.autoconf=0
539 net.ipv6.conf.eth0.autoconf=0
511 net.ipv6.conf.eth0.dad_transmits=0
540 net.ipv6.conf.eth0.dad_transmits=0
512 net.ipv6.conf.eth0.max_addresses=1
541 net.ipv6.conf.eth0.max_addresses=1
513 EOM
542 EOM
514
543
515 # Enable resolver warnings about spoofed addresses
544 # Enable resolver warnings about spoofed addresses
516 cat <<EOM >>$R/etc/host.conf
545 cat <<EOM >>$R/etc/host.conf
517 spoof warn
546 spoof warn
518 EOM
547 EOM
519 fi
548 fi
520
549
521 # Regenerate openssh server host keys
550 # Regenerate openssh server host keys
522 if [ "$ENABLE_SSHD" = true ] ; then
551 if [ "$ENABLE_SSHD" = true ] ; then
523 rm -fr $R/etc/ssh/ssh_host_*
552 rm -fr $R/etc/ssh/ssh_host_*
524 LANG=C chroot $R dpkg-reconfigure openssh-server
553 LANG=C chroot $R dpkg-reconfigure openssh-server
525 fi
554 fi
526
555
527 # Enable serial console systemd style
556 # Enable serial console systemd style
528 if [ "$ENABLE_CONSOLE" = true ] ; then
557 if [ "$ENABLE_CONSOLE" = true ] ; then
529 LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service
558 LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service
530 fi
559 fi
531
560
532 # Enable firewall based on iptables started by systemd service
561 # Enable firewall based on iptables started by systemd service
533 if [ "$ENABLE_IPTABLES" = true ] ; then
562 if [ "$ENABLE_IPTABLES" = true ] ; then
534 # Create iptables configuration directory
563 # Create iptables configuration directory
535 mkdir -p "$R/etc/iptables"
564 mkdir -p "$R/etc/iptables"
536
565
537 # Create iptables systemd service
566 # Create iptables systemd service
538 cat <<EOM >$R/etc/systemd/system/iptables.service
567 cat <<EOM >$R/etc/systemd/system/iptables.service
539 [Unit]
568 [Unit]
540 Description=Packet Filtering Framework
569 Description=Packet Filtering Framework
541 DefaultDependencies=no
570 DefaultDependencies=no
542 After=systemd-sysctl.service
571 After=systemd-sysctl.service
543 Before=sysinit.target
572 Before=sysinit.target
544 [Service]
573 [Service]
545 Type=oneshot
574 Type=oneshot
546 ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
575 ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
547 ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
576 ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
548 ExecStop=/etc/iptables/flush-iptables.sh
577 ExecStop=/etc/iptables/flush-iptables.sh
549 RemainAfterExit=yes
578 RemainAfterExit=yes
550 [Install]
579 [Install]
551 WantedBy=multi-user.target
580 WantedBy=multi-user.target
552 EOM
581 EOM
553
582
554 # Create flush-table script called by iptables service
583 # Create flush-table script called by iptables service
555 cat <<EOM >$R/etc/iptables/flush-iptables.sh
584 cat <<EOM >$R/etc/iptables/flush-iptables.sh
556 #!/bin/sh
585 #!/bin/sh
557 iptables -F
586 iptables -F
558 iptables -X
587 iptables -X
559 iptables -t nat -F
588 iptables -t nat -F
560 iptables -t nat -X
589 iptables -t nat -X
561 iptables -t mangle -F
590 iptables -t mangle -F
562 iptables -t mangle -X
591 iptables -t mangle -X
563 iptables -P INPUT ACCEPT
592 iptables -P INPUT ACCEPT
564 iptables -P FORWARD ACCEPT
593 iptables -P FORWARD ACCEPT
565 iptables -P OUTPUT ACCEPT
594 iptables -P OUTPUT ACCEPT
566 EOM
595 EOM
567
596
568 # Create iptables rule file
597 # Create iptables rule file
569 cat <<EOM >$R/etc/iptables/iptables.rules
598 cat <<EOM >$R/etc/iptables/iptables.rules
570 *filter
599 *filter
571 :INPUT DROP [0:0]
600 :INPUT DROP [0:0]
572 :FORWARD DROP [0:0]
601 :FORWARD DROP [0:0]
573 :OUTPUT ACCEPT [0:0]
602 :OUTPUT ACCEPT [0:0]
574 :TCP - [0:0]
603 :TCP - [0:0]
575 :UDP - [0:0]
604 :UDP - [0:0]
576 :SSH - [0:0]
605 :SSH - [0:0]
577
606
578 # Rate limit ping requests
607 # Rate limit ping requests
579 -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
608 -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
580 -A INPUT -p icmp --icmp-type echo-request -j DROP
609 -A INPUT -p icmp --icmp-type echo-request -j DROP
581
610
582 # Accept established connections
611 # Accept established connections
583 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
612 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
584
613
585 # Accept all traffic on loopback interface
614 # Accept all traffic on loopback interface
586 -A INPUT -i lo -j ACCEPT
615 -A INPUT -i lo -j ACCEPT
587
616
588 # Drop packets declared invalid
617 # Drop packets declared invalid
589 -A INPUT -m conntrack --ctstate INVALID -j DROP
618 -A INPUT -m conntrack --ctstate INVALID -j DROP
590
619
591 # SSH rate limiting
620 # SSH rate limiting
592 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
621 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
593 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
622 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
594 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
623 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
595 -A SSH -m recent --name sshbf --set -j ACCEPT
624 -A SSH -m recent --name sshbf --set -j ACCEPT
596
625
597 # Send TCP and UDP connections to their respective rules chain
626 # Send TCP and UDP connections to their respective rules chain
598 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
627 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
599 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
628 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
600
629
601 # Reject dropped packets with a RFC compliant responce
630 # Reject dropped packets with a RFC compliant responce
602 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
631 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
603 -A INPUT -p tcp -j REJECT --reject-with tcp-rst
632 -A INPUT -p tcp -j REJECT --reject-with tcp-rst
604 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
633 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
605
634
606 ## TCP PORT RULES
635 ## TCP PORT RULES
607 # -A TCP -p tcp -j LOG
636 # -A TCP -p tcp -j LOG
608
637
609 ## UDP PORT RULES
638 ## UDP PORT RULES
610 # -A UDP -p udp -j LOG
639 # -A UDP -p udp -j LOG
611
640
612 COMMIT
641 COMMIT
613 EOM
642 EOM
614
643
615 # Reload systemd configuration and enable iptables service
644 # Reload systemd configuration and enable iptables service
616 LANG=C chroot $R systemctl daemon-reload
645 LANG=C chroot $R systemctl daemon-reload
617 LANG=C chroot $R systemctl enable iptables.service
646 LANG=C chroot $R systemctl enable iptables.service
618
647
619 if [ "$ENABLE_IPV6" = true ] ; then
648 if [ "$ENABLE_IPV6" = true ] ; then
620 # Create ip6tables systemd service
649 # Create ip6tables systemd service
621 cat <<EOM >$R/etc/systemd/system/ip6tables.service
650 cat <<EOM >$R/etc/systemd/system/ip6tables.service
622 [Unit]
651 [Unit]
623 Description=Packet Filtering Framework
652 Description=Packet Filtering Framework
624 DefaultDependencies=no
653 DefaultDependencies=no
625 After=systemd-sysctl.service
654 After=systemd-sysctl.service
626 Before=sysinit.target
655 Before=sysinit.target
627 [Service]
656 [Service]
628 Type=oneshot
657 Type=oneshot
629 ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
658 ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
630 ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
659 ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
631 ExecStop=/etc/iptables/flush-ip6tables.sh
660 ExecStop=/etc/iptables/flush-ip6tables.sh
632 RemainAfterExit=yes
661 RemainAfterExit=yes
633 [Install]
662 [Install]
634 WantedBy=multi-user.target
663 WantedBy=multi-user.target
635 EOM
664 EOM
636
665
637 # Create ip6tables file
666 # Create ip6tables file
638 cat <<EOM >$R/etc/iptables/flush-ip6tables.sh
667 cat <<EOM >$R/etc/iptables/flush-ip6tables.sh
639 #!/bin/sh
668 #!/bin/sh
640 ip6tables -F
669 ip6tables -F
641 ip6tables -X
670 ip6tables -X
642 ip6tables -Z
671 ip6tables -Z
643 for table in $(</proc/net/ip6_tables_names)
672 for table in $(</proc/net/ip6_tables_names)
644 do
673 do
645 ip6tables -t \$table -F
674 ip6tables -t \$table -F
646 ip6tables -t \$table -X
675 ip6tables -t \$table -X
647 ip6tables -t \$table -Z
676 ip6tables -t \$table -Z
648 done
677 done
649 ip6tables -P INPUT ACCEPT
678 ip6tables -P INPUT ACCEPT
650 ip6tables -P OUTPUT ACCEPT
679 ip6tables -P OUTPUT ACCEPT
651 ip6tables -P FORWARD ACCEPT
680 ip6tables -P FORWARD ACCEPT
652 EOM
681 EOM
653
682
654 # Create ip6tables rule file
683 # Create ip6tables rule file
655 cat <<EOM >$R/etc/iptables/ip6tables.rules
684 cat <<EOM >$R/etc/iptables/ip6tables.rules
656 *filter
685 *filter
657 :INPUT DROP [0:0]
686 :INPUT DROP [0:0]
658 :FORWARD DROP [0:0]
687 :FORWARD DROP [0:0]
659 :OUTPUT ACCEPT [0:0]
688 :OUTPUT ACCEPT [0:0]
660 :TCP - [0:0]
689 :TCP - [0:0]
661 :UDP - [0:0]
690 :UDP - [0:0]
662 :SSH - [0:0]
691 :SSH - [0:0]
663
692
664 # Drop packets with RH0 headers
693 # Drop packets with RH0 headers
665 -A INPUT -m rt --rt-type 0 -j DROP
694 -A INPUT -m rt --rt-type 0 -j DROP
666 -A OUTPUT -m rt --rt-type 0 -j DROP
695 -A OUTPUT -m rt --rt-type 0 -j DROP
667 -A FORWARD -m rt --rt-type 0 -j DROP
696 -A FORWARD -m rt --rt-type 0 -j DROP
668
697
669 # Rate limit ping requests
698 # Rate limit ping requests
670 -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
699 -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
671 -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
700 -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
672
701
673 # Accept established connections
702 # Accept established connections
674 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
703 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
675
704
676 # Accept all traffic on loopback interface
705 # Accept all traffic on loopback interface
677 -A INPUT -i lo -j ACCEPT
706 -A INPUT -i lo -j ACCEPT
678
707
679 # Drop packets declared invalid
708 # Drop packets declared invalid
680 -A INPUT -m conntrack --ctstate INVALID -j DROP
709 -A INPUT -m conntrack --ctstate INVALID -j DROP
681
710
682 # SSH rate limiting
711 # SSH rate limiting
683 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
712 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
684 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
713 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
685 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
714 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
686 -A SSH -m recent --name sshbf --set -j ACCEPT
715 -A SSH -m recent --name sshbf --set -j ACCEPT
687
716
688 # Send TCP and UDP connections to their respective rules chain
717 # Send TCP and UDP connections to their respective rules chain
689 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
718 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
690 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
719 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
691
720
692 # Reject dropped packets with a RFC compliant responce
721 # Reject dropped packets with a RFC compliant responce
693 -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
722 -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
694 -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
723 -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
695 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
724 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
696
725
697 ## TCP PORT RULES
726 ## TCP PORT RULES
698 # -A TCP -p tcp -j LOG
727 # -A TCP -p tcp -j LOG
699
728
700 ## UDP PORT RULES
729 ## UDP PORT RULES
701 # -A UDP -p udp -j LOG
730 # -A UDP -p udp -j LOG
702
731
703 COMMIT
732 COMMIT
704 EOM
733 EOM
705
734
706 # Reload systemd configuration and enable iptables service
735 # Reload systemd configuration and enable iptables service
707 LANG=C chroot $R systemctl daemon-reload
736 LANG=C chroot $R systemctl daemon-reload
708 LANG=C chroot $R systemctl enable ip6tables.service
737 LANG=C chroot $R systemctl enable ip6tables.service
709 fi
738 fi
710 fi
739 fi
711
740
712 # Remove SSHD related iptables rules
741 # Remove SSHD related iptables rules
713 if [ "$ENABLE_SSHD" = false ] ; then
742 if [ "$ENABLE_SSHD" = false ] ; then
714 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/iptables.rules 2> /dev/null
743 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/iptables.rules 2> /dev/null
715 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/ip6tables.rules 2> /dev/null
744 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/ip6tables.rules 2> /dev/null
716 fi
745 fi
717
746
718 # Install gcc/c++ build environment inside the chroot
747 # Install gcc/c++ build environment inside the chroot
719 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
748 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
720 LANG=C chroot $R apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
749 LANG=C chroot $R apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
721 fi
750 fi
722
751
723 # Fetch and build U-Boot bootloader
752 # Fetch and build U-Boot bootloader
724 if [ "$ENABLE_UBOOT" = true ] ; then
753 if [ "$ENABLE_UBOOT" = true ] ; then
725 # Fetch U-Boot bootloader sources
754 # Fetch U-Boot bootloader sources
726 git -C $R/tmp clone git://git.denx.de/u-boot.git
755 git -C $R/tmp clone git://git.denx.de/u-boot.git
727
756
728 # Build and install U-Boot inside chroot
757 # Build and install U-Boot inside chroot
729 LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all
758 LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all
730
759
731 # Copy compiled bootloader binary and set config.txt to load it
760 # Copy compiled bootloader binary and set config.txt to load it
732 cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
761 cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
733 printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
762 printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
734
763
735 # Set U-Boot command file
764 # Set U-Boot command file
736 cat <<EOM >$R/boot/firmware/uboot.mkimage
765 cat <<EOM >$R/boot/firmware/uboot.mkimage
737 # Tell Linux that it is booting on a Raspberry Pi2
766 # Tell Linux that it is booting on a Raspberry Pi2
738 setenv machid 0x00000c42
767 setenv machid 0x00000c42
739
768
740 # Set the kernel boot command line
769 # Set the kernel boot command line
741 setenv bootargs "earlyprintk ${CMDLINE}"
770 setenv bootargs "earlyprintk ${CMDLINE}"
742
771
743 # Save these changes to u-boot's environment
772 # Save these changes to u-boot's environment
744 saveenv
773 saveenv
745
774
746 # Load the existing Linux kernel into RAM
775 # Load the existing Linux kernel into RAM
747 fatload mmc 0:1 \${kernel_addr_r} kernel7.img
776 fatload mmc 0:1 \${kernel_addr_r} kernel7.img
748
777
749 # Boot the kernel we have just loaded
778 # Boot the kernel we have just loaded
750 bootz \${kernel_addr_r}
779 bootz \${kernel_addr_r}
751 EOM
780 EOM
752
781
753 # Generate U-Boot image from command file
782 # Generate U-Boot image from command file
754 LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
783 LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
755 fi
784 fi
756
785
757 # Fetch and build fbturbo Xorg driver
786 # Fetch and build fbturbo Xorg driver
758 if [ "$ENABLE_FBTURBO" = true ] ; then
787 if [ "$ENABLE_FBTURBO" = true ] ; then
759 # Fetch fbturbo driver sources
788 # Fetch fbturbo driver sources
760 git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git
789 git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git
761
790
762 # Install Xorg build dependencies
791 # Install Xorg build dependencies
763 LANG=C chroot $R apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
792 LANG=C chroot $R apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
764
793
765 # Build and install fbturbo driver inside chroot
794 # Build and install fbturbo driver inside chroot
766 LANG=C chroot $R /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install"
795 LANG=C chroot $R /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install"
767
796
768 # Add fbturbo driver to Xorg configuration
797 # Add fbturbo driver to Xorg configuration
769 cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf
798 cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf
770 Section "Device"
799 Section "Device"
771 Identifier "Allwinner A10/A13 FBDEV"
800 Identifier "Allwinner A10/A13 FBDEV"
772 Driver "fbturbo"
801 Driver "fbturbo"
773 Option "fbdev" "/dev/fb0"
802 Option "fbdev" "/dev/fb0"
774 Option "SwapbuffersWait" "true"
803 Option "SwapbuffersWait" "true"
775 EndSection
804 EndSection
776 EOM
805 EOM
777
806
778 # Remove Xorg build dependencies
807 # Remove Xorg build dependencies
779 LANG=C chroot $R apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
808 LANG=C chroot $R apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
780 fi
809 fi
781
810
782 # Remove gcc/c++ build environment from the chroot
811 # Remove gcc/c++ build environment from the chroot
783 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
812 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
784 LANG=C chroot $R apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
813 LANG=C chroot $R apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
785 fi
814 fi
786
815
787 # Clean cached downloads
816 # Clean cached downloads
788 LANG=C chroot $R apt-get -y clean
817 LANG=C chroot $R apt-get -y clean
789 LANG=C chroot $R apt-get -y autoclean
818 LANG=C chroot $R apt-get -y autoclean
790 LANG=C chroot $R apt-get -y autoremove
819 LANG=C chroot $R apt-get -y autoremove
791
820
792 # Unmount mounted filesystems
821 # Unmount mounted filesystems
793 umount -l $R/proc
822 umount -l $R/proc
794 umount -l $R/sys
823 umount -l $R/sys
795
824
796 # Clean up files
825 # Clean up files
797 rm -f $R/etc/apt/sources.list.save
826 rm -f $R/etc/apt/sources.list.save
798 rm -f $R/etc/resolvconf/resolv.conf.d/original
827 rm -f $R/etc/resolvconf/resolv.conf.d/original
799 rm -rf $R/run
828 rm -rf $R/run
800 mkdir -p $R/run
829 mkdir -p $R/run
801 rm -f $R/etc/*-
830 rm -f $R/etc/*-
802 rm -f $R/root/.bash_history
831 rm -f $R/root/.bash_history
803 rm -rf $R/tmp/*
832 rm -rf $R/tmp/*
804 rm -f $R/var/lib/urandom/random-seed
833 rm -f $R/var/lib/urandom/random-seed
805 [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id
834 [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id
806 rm -f $R/etc/machine-id
835 rm -f $R/etc/machine-id
807 rm -fr $R/etc/apt/apt.conf.d/10proxy
836 rm -fr $R/etc/apt/apt.conf.d/10proxy
808
837
809 # Calculate size of the chroot directory
838 # Calculate size of the chroot directory
810 CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)
839 CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)
811
840
812 # Calculate required image size
841 # Calculate required image size
813 IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`
842 IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`
814
843
815 # Calculate number of sectors for the partition
844 # Calculate number of sectors for the partition
816 IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`
845 IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`
817
846
818 # Prepare date string for image file name
847 # Prepare date string for image file name
819 DATE="$(date +%Y-%m-%d)"
848 DATE="$(date +%Y-%m-%d)"
820
849
821 # Prepare image file
850 # Prepare image file
822 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1
851 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1
823 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}
852 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}
824
853
825 # Write partition table
854 # Write partition table
826 sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
855 sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
827 unit: sectors
856 unit: sectors
828
857
829 1 : start= 2048, size= 131072, Id= c, bootable
858 1 : start= 2048, size= 131072, Id= c, bootable
830 2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83
859 2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83
831 3 : start= 0, size= 0, Id= 0
860 3 : start= 0, size= 0, Id= 0
832 4 : start= 0, size= 0, Id= 0
861 4 : start= 0, size= 0, Id= 0
833 EOM
862 EOM
834
863
835 # Set up temporary loop devices and build filesystems
864 # Set up temporary loop devices and build filesystems
836 VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
865 VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
837 EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
866 EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
838 mkfs.vfat "$VFAT_LOOP"
867 mkfs.vfat "$VFAT_LOOP"
839 mkfs.ext4 "$EXT4_LOOP"
868 mkfs.ext4 "$EXT4_LOOP"
840
869
841 # Mount the temporary loop devices
870 # Mount the temporary loop devices
842 mkdir -p "$BUILDDIR/mount"
871 mkdir -p "$BUILDDIR/mount"
843 mount "$EXT4_LOOP" "$BUILDDIR/mount"
872 mount "$EXT4_LOOP" "$BUILDDIR/mount"
844
873
845 mkdir -p "$BUILDDIR/mount/boot/firmware"
874 mkdir -p "$BUILDDIR/mount/boot/firmware"
846 mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"
875 mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"
847
876
848 # Copy all files from the chroot to the loop device mount point directory
877 # Copy all files from the chroot to the loop device mount point directory
849 rsync -a "$R/" "$BUILDDIR/mount/"
878 rsync -a "$R/" "$BUILDDIR/mount/"
850
879
851 # Unmount all temporary loop devices and mount points
880 # Unmount all temporary loop devices and mount points
852 cleanup
881 cleanup
853
882
854 # (optinal) create block map file for "bmaptool"
883 # (optinal) create block map file for "bmaptool"
855 bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
884 bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
856
885
857 # Image was successfully created
886 # Image was successfully created
858 echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"
887 echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"
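Review bot: the U-Boot fetch at `git -C $R/tmp clone git://git.denx.de/u-boot.git` pulls an unauthenticated, unpinned tree straight into the image's boot chain (`cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/`); use an https remote and check out a fixed tag or commit so the bootloader is reproducible and does not depend on whatever the mirror serves at build time, and the fbturbo clone, though over https, should likewise be pinned. Separately, the toolchain install uses `apt-get install -q -y --force-yes`, which lets apt proceed past its package authentication checks; `-y` alone (as the later fbturbo dependency install already does) keeps signature verification in place.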