Replaced: ENABLE_FLUXBOX -\> ENABLE_WM
Jan Wagner -
r22:18e5215871dd
@@ -1,100 +1,101
1 # rpi2-gen-image
1 # rpi2-gen-image
2 ## Introduction
2 ## Introduction
3 `rpi2-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for the Raspberry 2 (RPi2) computer. The script at this time only supports the bootstrapping of the current stable Debian 8 "jessie" release.
3 `rpi2-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for the Raspberry 2 (RPi2) computer. The script at this time only supports the bootstrapping of the current stable Debian 8 "jessie" release.
4
4
5 ## Build dependencies
5 ## Build dependencies
6 The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user.
6 The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user.
7
7
8 ```debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core```
8 ```debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core```
9
9
10 ## Command-line parameters
10 ## Command-line parameters
11 The script accepts certain command-line parameters to enable or disable specific OS features, services and configuration settings. These parameters are passed to the `rpi2-gen-image.sh` script via (simple) shell-variables. Unlike environment shell-variables (simple) shell-variables are defined at the beginning of the command-line call of the `rpi2-gen-image.sh` script.
11 The script accepts certain command-line parameters to enable or disable specific OS features, services and configuration settings. These parameters are passed to the `rpi2-gen-image.sh` script via (simple) shell-variables. Unlike environment shell-variables (simple) shell-variables are defined at the beginning of the command-line call of the `rpi2-gen-image.sh` script.
12
12
13 #####Command-line examples:
13 #####Command-line examples:
14 ```shell
14 ```shell
15 ENABLE_UBOOT=true ./rpi2-gen-image.sh
15 ENABLE_UBOOT=true ./rpi2-gen-image.sh
16 ENABLE_CONSOLE=false ENABLE_IPV6=false ./rpi2-gen-image.sh
16 ENABLE_CONSOLE=false ENABLE_IPV6=false ./rpi2-gen-image.sh
17 ENABLE_WM=xfce4 ENABLE_FBTURBO=true ENABLE_MINBASE=true ./rpi2-gen-image.sh
17 ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi2-gen-image.sh
18 ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi2-gen-image.sh
18 APT_SERVER=ftp.de.debian.org APT_PROXY="http://127.0.0.1:3142/" ./rpi2-gen-image.sh
19 APT_SERVER=ftp.de.debian.org APT_PROXY="http://127.0.0.1:3142/" ./rpi2-gen-image.sh
19 ENABLE_MINBASE=true ./rpi2-gen-image.sh
20 ENABLE_MINBASE=true ./rpi2-gen-image.sh
20 ```
21 ```
21
22
22 #### APT settings:
23 #### APT settings:
23 ##### `APT_SERVER`="ftp.debian.org"
24 ##### `APT_SERVER`="ftp.debian.org"
24 Set Debian packages server address. Choose a server from the list of Debian worldwide [mirror sites](https://www.debian.org/mirror/list). Using a nearby server will probably speed-up all required downloads within the bootstrapping process.
25 Set Debian packages server address. Choose a server from the list of Debian worldwide [mirror sites](https://www.debian.org/mirror/list). Using a nearby server will probably speed-up all required downloads within the bootstrapping process.
25
26
26 ##### `APT_PROXY`=""
27 ##### `APT_PROXY`=""
27 Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once.
28 Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once.
28
29
29 #### General system settings:
30 #### General system settings:
30 ##### `HOSTNAME`="rpi2-jessie"
31 ##### `HOSTNAME`="rpi2-jessie"
31 Set system host name. It's recommended that the host name is unique in the corresponding subnet.
32 Set system host name. It's recommended that the host name is unique in the corresponding subnet.
32
33
33 ##### `PASSWORD`="raspberry"
34 ##### `PASSWORD`="raspberry"
34 Set system `root` password. The same password is used for the created user `pi`. It's **STRONGLY** recommended that you choose a custom password.
35 Set system `root` password. The same password is used for the created user `pi`. It's **STRONGLY** recommended that you choose a custom password.
35
36
36 ##### `DEFLOCAL`="en_US.UTF-8"
37 ##### `DEFLOCAL`="en_US.UTF-8"
37 Set default system locale and keyboard layout. This setting can also be changed inside the running OS using the `dpkg-reconfigure locales` command. The script variant `minbase` (ENABLE_MINBASE=true) doesn't install `locales`.
38 Set default system locale and keyboard layout. This setting can also be changed inside the running OS using the `dpkg-reconfigure locales` command. The script variant `minbase` (ENABLE_MINBASE=true) doesn't install `locales`.
38
39
39 ##### `TIMEZONE`="Europe/Berlin"
40 ##### `TIMEZONE`="Europe/Berlin"
40 Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command.
41 Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command.
41
42
42 #### Basic system features:
43 #### Basic system features:
43 ##### `ENABLE_CONSOLE`=true
44 ##### `ENABLE_CONSOLE`=true
44 Enable serial console interface. Recommended if no monitor or keyboard is connected to the RPi2. In case of problems fe. if the network (auto) configuration failed - the serial console can be used to access the system.
45 Enable serial console interface. Recommended if no monitor or keyboard is connected to the RPi2. In case of problems fe. if the network (auto) configuration failed - the serial console can be used to access the system.
45
46
46 ##### `ENABLE_IPV6`=true
47 ##### `ENABLE_IPV6`=true
47 Enable IPv6 support. The network interface configuration is managed via systemd-networkd.
48 Enable IPv6 support. The network interface configuration is managed via systemd-networkd.
48
49
49 ##### `ENABLE_SSHD`=true
50 ##### `ENABLE_SSHD`=true
50 Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root.
51 Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root.
51
52
52 ##### `ENABLE_SOUND`=true
53 ##### `ENABLE_SOUND`=true
53 Enable sound hardware and install Advanced Linux Sound Architecture.
54 Enable sound hardware and install Advanced Linux Sound Architecture.
54
55
55 ##### `ENABLE_HWRANDOM`=true
56 ##### `ENABLE_HWRANDOM`=true
56 Enable Hardware Random Number Generator. Strong random numbers are important for most network based communications that use encryption. It's recommended to be enabled.
57 Enable Hardware Random Number Generator. Strong random numbers are important for most network based communications that use encryption. It's recommended to be enabled.
57
58
58 ##### `ENABLE_MINGPU`=false
59 ##### `ENABLE_MINGPU`=false
59 Minimize the amount of shared memory reserved for the GPU. It doesn't seem to be possible to fully disable the GPU.
60 Minimize the amount of shared memory reserved for the GPU. It doesn't seem to be possible to fully disable the GPU.
60
61
61 ##### `ENABLE_DBUS`=true
62 ##### `ENABLE_DBUS`=true
62 Install and enable D-Bus message bus. Please note that systemd should work without D-bus but it's recommended to be enabled.
63 Install and enable D-Bus message bus. Please note that systemd should work without D-bus but it's recommended to be enabled.
63
64
64 ##### `ENABLE_XORG`=false
65 ##### `ENABLE_XORG`=false
65 Install Xorg open-source X Window System.
66 Install Xorg open-source X Window System.
66
67
67 ##### `ENABLE_FLUXBOX`=false
68 ##### `ENABLE_WM`=""
68 Install Fluxbox window manager for the X Window System. To make sure all X related package dependencies are getting installed `ENABLE_XORG` will automatically get enabled if `ENABLE_FLUXBOX` is used.
69 Install a user defined window manager for the X Window System. To make sure all X related package dependencies are getting installed `ENABLE_XORG` will automatically get enabled if `ENABLE_WM` is used. The `rpi2-gen-image.sh` script has been tested with the following list of window managers: `blackbox`, `openbox`, `fluxbox`, `jwm`, `dwm`, `xfce4`, `awesome`.
69
70
70 #### Advanced sytem features:
71 #### Advanced sytem features:
71 ##### `ENABLE_MINBASE`=false
72 ##### `ENABLE_MINBASE`=false
72 Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB.
73 Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB.
73
74
74 ##### `ENABLE_UBOOT`=false
75 ##### `ENABLE_UBOOT`=false
75 Replace default RPi2 second stage bootloader (bootcode.bin) with U-Boot bootloader. U-Boot can boot images via the network using the BOOTP/TFTP protocol.
76 Replace default RPi2 second stage bootloader (bootcode.bin) with U-Boot bootloader. U-Boot can boot images via the network using the BOOTP/TFTP protocol.
76
77
77 ##### `ENABLE_FBTURBO`=false
78 ##### `ENABLE_FBTURBO`=false
78 Install and enable the hardware accelerated Xorg video driver `fbturbo`. Please note that this driver is currently limited to hardware accelerated window moving and scrolling.
79 Install and enable the hardware accelerated Xorg video driver `fbturbo`. Please note that this driver is currently limited to hardware accelerated window moving and scrolling.
79
80
80 ##### `ENABLE_IPTABLES`=false
81 ##### `ENABLE_IPTABLES`=false
81 Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service.
82 Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service.
82
83
83 ##### `ENABLE_HARDNET`=false
84 ##### `ENABLE_HARDNET`=false
84 Enable IPv4/IPv6 network stack hardening settings.
85 Enable IPv4/IPv6 network stack hardening settings.
85
86
86 ## Logging of the bootstrapping process
87 ## Logging of the bootstrapping process
87 All information related to the bootstrapping process and the commands executed by the `rpi2-gen-image.sh` script can easily be saved into a logfile. The common shell command `script` can be used for this purpose:
88 All information related to the bootstrapping process and the commands executed by the `rpi2-gen-image.sh` script can easily be saved into a logfile. The common shell command `script` can be used for this purpose:
88
89
89 ```shell
90 ```shell
90 script -c 'APT_SERVER=ftp.de.debian.org ./rpi2-gen-image.sh' ./build.log
91 script -c 'APT_SERVER=ftp.de.debian.org ./rpi2-gen-image.sh' ./build.log
91 ```
92 ```
92
93
93 ## Flashing the image file
94 ## Flashing the image file
94 After the image file was successfully created by the `rpi2-gen-image.sh` script it can be copied to the microSD card that will be used by the RPi2 computer. This can be performed by using the tools `bmaptool` or `dd`. Using `bmaptool` will probably speed-up the copy process because `bmaptool` copies more wisely than `dd`.
95 After the image file was successfully created by the `rpi2-gen-image.sh` script it can be copied to the microSD card that will be used by the RPi2 computer. This can be performed by using the tools `bmaptool` or `dd`. Using `bmaptool` will probably speed-up the copy process because `bmaptool` copies more wisely than `dd`.
95
96
96 #####Flashing examples:
97 #####Flashing examples:
97 ```shell
98 ```shell
98 bmaptool copy ./images/jessie/2015-12-13-debian-jessie.img /dev/mmcblk0
99 bmaptool copy ./images/jessie/2015-12-13-debian-jessie.img /dev/mmcblk0
99 dd bs=4M if=./images/jessie/2015-12-13-debian-jessie.img of=/dev/mmcblk0
100 dd bs=4M if=./images/jessie/2015-12-13-debian-jessie.img of=/dev/mmcblk0
100 ```
101 ```
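Review bot: The new `ENABLE_WM` paragraph (line 69) should say what value the variable takes, since it is no longer a boolean: it is a Debian package name that is handed to debootstrap unchanged, so only a single, valid package name from the tested list (`blackbox`, `openbox`, `fluxbox`, `jwm`, `dwm`, `xfce4`, `awesome`) should be given, and the old behaviour of also installing a terminal emulator alongside fluxbox (`eterm`) no longer applies and could be mentioned. Two pre-existing README defects in the same hunk are worth fixing while touching it: the example `ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi2-gen-image.sh` is missing the `./` prefix, and the headings `#####Command-line examples:`, `#####Flashing examples:` and `#### Advanced sytem features:` need a space after the hashes and the "sytem" typo corrected.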
@@ -1,846 +1,846
1 #!/bin/sh
1 #!/bin/sh
2
2
3 ########################################################################
3 ########################################################################
4 # rpi2-gen-image.sh ver2a 12/2015
4 # rpi2-gen-image.sh ver2a 12/2015
5 #
5 #
6 # Advanced debian "jessie" bootstrap script for RPi2
6 # Advanced debian "jessie" bootstrap script for RPi2
7 #
7 #
8 # This program is free software; you can redistribute it and/or
8 # This program is free software; you can redistribute it and/or
9 # modify it under the terms of the GNU General Public License
9 # modify it under the terms of the GNU General Public License
10 # as published by the Free Software Foundation; either version 2
10 # as published by the Free Software Foundation; either version 2
11 # of the License, or (at your option) any later version.
11 # of the License, or (at your option) any later version.
12 #
12 #
13 # some parts based on rpi2-build-image:
13 # some parts based on rpi2-build-image:
14 # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
14 # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
15 # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
15 # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
16 ########################################################################
16 ########################################################################
17
17
18 # Clean up all temporary mount points
18 # Clean up all temporary mount points
19 cleanup (){
19 cleanup (){
20 set +x
20 set +x
21 set +e
21 set +e
22 echo "removing temporary mount points ..."
22 echo "removing temporary mount points ..."
23 umount -l $R/proc 2> /dev/null
23 umount -l $R/proc 2> /dev/null
24 umount -l $R/sys 2> /dev/null
24 umount -l $R/sys 2> /dev/null
25 umount -l $R/dev/pts 2> /dev/null
25 umount -l $R/dev/pts 2> /dev/null
26 umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
26 umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
27 umount "$BUILDDIR/mount" 2> /dev/null
27 umount "$BUILDDIR/mount" 2> /dev/null
28 losetup -d "$EXT4_LOOP" 2> /dev/null
28 losetup -d "$EXT4_LOOP" 2> /dev/null
29 losetup -d "$VFAT_LOOP" 2> /dev/null
29 losetup -d "$VFAT_LOOP" 2> /dev/null
30 trap - 0 1 2 3 6
30 trap - 0 1 2 3 6
31 }
31 }
32
32
33 set -e
33 set -e
34 set -x
34 set -x
35
35
36 # Debian release
36 # Debian release
37 RELEASE=${RELEASE:=jessie}
37 RELEASE=${RELEASE:=jessie}
38
38
39 # Build settings
39 # Build settings
40 BASEDIR=./images/${RELEASE}
40 BASEDIR=./images/${RELEASE}
41 BUILDDIR=${BASEDIR}/build
41 BUILDDIR=${BASEDIR}/build
42
42
43 # General settings
43 # General settings
44 HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
44 HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
45 PASSWORD=${PASSWORD:=raspberry}
45 PASSWORD=${PASSWORD:=raspberry}
46 DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
46 DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
47 TIMEZONE=${TIMEZONE:="Europe/Berlin"}
47 TIMEZONE=${TIMEZONE:="Europe/Berlin"}
48
48
49 # APT settings
49 # APT settings
50 APT_PROXY=${APT_PROXY:=""}
50 APT_PROXY=${APT_PROXY:=""}
51 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
51 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
52
52
53 # Feature settings
53 # Feature settings
54 ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
54 ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
55 ENABLE_IPV6=${ENABLE_IPV6:=true}
55 ENABLE_IPV6=${ENABLE_IPV6:=true}
56 ENABLE_SSHD=${ENABLE_SSHD:=true}
56 ENABLE_SSHD=${ENABLE_SSHD:=true}
57 ENABLE_SOUND=${ENABLE_SOUND:=true}
57 ENABLE_SOUND=${ENABLE_SOUND:=true}
58 ENABLE_DBUS=${ENABLE_DBUS:=true}
58 ENABLE_DBUS=${ENABLE_DBUS:=true}
59 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
59 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
60 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
60 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
61 ENABLE_XORG=${ENABLE_XORG:=false}
61 ENABLE_XORG=${ENABLE_XORG:=false}
62 ENABLE_FLUXBOX=${ENABLE_FLUXBOX:=false}
62 ENABLE_WM=${ENABLE_WM:=""}
63
63
64 # Advanced settings
64 # Advanced settings
65 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
65 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
66 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
66 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
67 ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
67 ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
68 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
68 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
69 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
69 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
70
70
71 # Image chroot path
71 # Image chroot path
72 R=${BUILDDIR}/chroot
72 R=${BUILDDIR}/chroot
73
73
74 # Packages required for bootstrapping
74 # Packages required for bootstrapping
75 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core"
75 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core"
76
76
77 # Missing packages that need to be installed
77 # Missing packages that need to be installed
78 MISSING_PACKAGES=""
78 MISSING_PACKAGES=""
79
79
80 # Packages required in the chroot build environment
80 # Packages required in the chroot build environment
81 APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo"
81 APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo"
82
82
83 set +x
83 set +x
84
84
85 # Are we running as root?
85 # Are we running as root?
86 if [ "$(id -u)" -ne "0" ] ; then
86 if [ "$(id -u)" -ne "0" ] ; then
87 echo "this script must be executed with root privileges"
87 echo "this script must be executed with root privileges"
88 exit 1
88 exit 1
89 fi
89 fi
90
90
91 # Check if all required packages are installed
91 # Check if all required packages are installed
92 for package in $REQUIRED_PACKAGES ; do
92 for package in $REQUIRED_PACKAGES ; do
93 if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
93 if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
94 MISSING_PACKAGES="$MISSING_PACKAGES $package"
94 MISSING_PACKAGES="$MISSING_PACKAGES $package"
95 fi
95 fi
96 done
96 done
97
97
98 # Ask if missing packages should get installed right now
98 # Ask if missing packages should get installed right now
99 if [ -n "$MISSING_PACKAGES" ] ; then
99 if [ -n "$MISSING_PACKAGES" ] ; then
100 echo "the following packages needed by this script are not installed:"
100 echo "the following packages needed by this script are not installed:"
101 echo "$MISSING_PACKAGES"
101 echo "$MISSING_PACKAGES"
102
102
103 echo -n "\ndo you want to install the missing packages right now? [y/n] "
103 echo -n "\ndo you want to install the missing packages right now? [y/n] "
104 read confirm
104 read confirm
105 if [ "$confirm" != "y" ] ; then
105 if [ "$confirm" != "y" ] ; then
106 exit 1
106 exit 1
107 fi
107 fi
108 fi
108 fi
109
109
110 # Make sure all required packages are installed
110 # Make sure all required packages are installed
111 apt-get -qq -y install ${REQUIRED_PACKAGES}
111 apt-get -qq -y install ${REQUIRED_PACKAGES}
112
112
113 # Don't clobber an old build
113 # Don't clobber an old build
114 if [ -e "$BUILDDIR" ]; then
114 if [ -e "$BUILDDIR" ]; then
115 echo "directory $BUILDDIR already exists, not proceeding"
115 echo "directory $BUILDDIR already exists, not proceeding"
116 exit 1
116 exit 1
117 fi
117 fi
118
118
119 set -x
119 set -x
120
120
121 # Call "cleanup" function on various signals and errors
121 # Call "cleanup" function on various signals and errors
122 trap cleanup 0 1 2 3 6
122 trap cleanup 0 1 2 3 6
123
123
124 # Set up chroot directory
124 # Set up chroot directory
125 mkdir -p $R
125 mkdir -p $R
126
126
127 # Add required packages for the minbase installation
127 # Add required packages for the minbase installation
128 if [ "$ENABLE_MINBASE" = true ] ; then
128 if [ "$ENABLE_MINBASE" = true ] ; then
129 APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools"
129 APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools"
130 else
130 else
131 APT_INCLUDES="${APT_INCLUDES},locales"
131 APT_INCLUDES="${APT_INCLUDES},locales"
132 fi
132 fi
133
133
134 # Add dbus package, recommended if using systemd
134 # Add dbus package, recommended if using systemd
135 if [ "$ENABLE_DBUS" = true ] ; then
135 if [ "$ENABLE_DBUS" = true ] ; then
136 APT_INCLUDES="${APT_INCLUDES},dbus"
136 APT_INCLUDES="${APT_INCLUDES},dbus"
137 fi
137 fi
138
138
139 # Add iptables IPv4/IPv6 package
139 # Add iptables IPv4/IPv6 package
140 if [ "$ENABLE_IPTABLES" = true ] ; then
140 if [ "$ENABLE_IPTABLES" = true ] ; then
141 APT_INCLUDES="${APT_INCLUDES},iptables"
141 APT_INCLUDES="${APT_INCLUDES},iptables"
142 fi
142 fi
143
143
144 # Add openssh server package
144 # Add openssh server package
145 if [ "$ENABLE_SSHD" = true ] ; then
145 if [ "$ENABLE_SSHD" = true ] ; then
146 APT_INCLUDES="${APT_INCLUDES},openssh-server"
146 APT_INCLUDES="${APT_INCLUDES},openssh-server"
147 fi
147 fi
148
148
149 # Add alsa-utils package
149 # Add alsa-utils package
150 if [ "$ENABLE_SOUND" = true ] ; then
150 if [ "$ENABLE_SOUND" = true ] ; then
151 APT_INCLUDES="${APT_INCLUDES},alsa-utils"
151 APT_INCLUDES="${APT_INCLUDES},alsa-utils"
152 fi
152 fi
153
153
154 # Add rng-tools package
154 # Add rng-tools package
155 if [ "$ENABLE_HWRANDOM" = true ] ; then
155 if [ "$ENABLE_HWRANDOM" = true ] ; then
156 APT_INCLUDES="${APT_INCLUDES},rng-tools"
156 APT_INCLUDES="${APT_INCLUDES},rng-tools"
157 fi
157 fi
158
158
159 # Add fbturbo video driver
159 # Add fbturbo video driver
160 if [ "$ENABLE_FBTURBO" = true ] ; then
160 if [ "$ENABLE_FBTURBO" = true ] ; then
161 # Enable xorg package dependencies
161 # Enable xorg package dependencies
162 ENABLE_XORG=true
162 ENABLE_XORG=true
163 fi
163 fi
164
164
165 # Add fluxbox package with eterm
165 # Add user defined window manager package
166 if [ "$ENABLE_FLUXBOX" = true ] ; then
166 if [ -n "$ENABLE_WM" ] ; then
167 APT_INCLUDES="${APT_INCLUDES},fluxbox,eterm"
167 APT_INCLUDES="${APT_INCLUDES},${ENABLE_WM}"
168
168
169 # Enable xorg package dependencies
169 # Enable xorg package dependencies
170 ENABLE_XORG=true
170 ENABLE_XORG=true
171 fi
171 fi
172
172
173 # Add xorg package
173 # Add xorg package
174 if [ "$ENABLE_XORG" = true ] ; then
174 if [ "$ENABLE_XORG" = true ] ; then
175 APT_INCLUDES="${APT_INCLUDES},xorg"
175 APT_INCLUDES="${APT_INCLUDES},xorg"
176 fi
176 fi
177
177
178 # Set empty proxy string
178 # Set empty proxy string
179 if [ -z "$APT_PROXY" ] ; then
179 if [ -z "$APT_PROXY" ] ; then
180 APT_PROXY="http://"
180 APT_PROXY="http://"
181 fi
181 fi
182
182
183 # Base debootstrap (unpack only)
183 # Base debootstrap (unpack only)
184 if [ "$ENABLE_MINBASE" = true ] ; then
184 if [ "$ENABLE_MINBASE" = true ] ; then
185 debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian
185 debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian
186 else
186 else
187 debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian
187 debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian
188 fi
188 fi
189
189
190 # Copy qemu emulator binary to chroot
190 # Copy qemu emulator binary to chroot
191 cp /usr/bin/qemu-arm-static $R/usr/bin
191 cp /usr/bin/qemu-arm-static $R/usr/bin
192
192
193 # Copy debian-archive-keyring.pgp
193 # Copy debian-archive-keyring.pgp
194 chroot $R mkdir -p /usr/share/keyrings
194 chroot $R mkdir -p /usr/share/keyrings
195 cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
195 cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
196
196
197 # Complete the bootstrapping process
197 # Complete the bootstrapping process
198 chroot $R /debootstrap/debootstrap --second-stage
198 chroot $R /debootstrap/debootstrap --second-stage
199
199
200 # Mount required filesystems
200 # Mount required filesystems
201 mount -t proc none $R/proc
201 mount -t proc none $R/proc
202 mount -t sysfs none $R/sys
202 mount -t sysfs none $R/sys
203 mount --bind /dev/pts $R/dev/pts
203 mount --bind /dev/pts $R/dev/pts
204
204
205 # Use proxy inside chroot
205 # Use proxy inside chroot
206 if [ -z "$APT_PROXY" ] ; then
206 if [ -z "$APT_PROXY" ] ; then
207 echo "Acquire::http::Proxy \"$APT_PROXY\"" >> $R/etc/apt/apt.conf.d/10proxy
207 echo "Acquire::http::Proxy \"$APT_PROXY\"" >> $R/etc/apt/apt.conf.d/10proxy
208 fi
208 fi
209
209
210 # Pin package flash-kernel to repositories.collabora.co.uk
210 # Pin package flash-kernel to repositories.collabora.co.uk
211 cat <<EOM >$R/etc/apt/preferences.d/flash-kernel
211 cat <<EOM >$R/etc/apt/preferences.d/flash-kernel
212 Package: flash-kernel
212 Package: flash-kernel
213 Pin: origin repositories.collabora.co.uk
213 Pin: origin repositories.collabora.co.uk
214 Pin-Priority: 1000
214 Pin-Priority: 1000
215 EOM
215 EOM
216
216
217 # Set up timezone
217 # Set up timezone
218 echo ${TIMEZONE} >$R/etc/timezone
218 echo ${TIMEZONE} >$R/etc/timezone
219 LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata
219 LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata
220
220
221 # Set up default locales to "en_US.UTF-8" default
221 # Set up default locales to "en_US.UTF-8" default
222 if [ "$ENABLE_MINBASE" = false ] ; then
222 if [ "$ENABLE_MINBASE" = false ] ; then
223 LANG=C chroot $R sed -i '/${DEFLOCAL}/s/^#//' /etc/locale.gen
223 LANG=C chroot $R sed -i '/${DEFLOCAL}/s/^#//' /etc/locale.gen
224 LANG=C chroot $R locale-gen ${DEFLOCAL}
224 LANG=C chroot $R locale-gen ${DEFLOCAL}
225 fi
225 fi
226
226
227 # Upgrade collabora package index and install collabora keyring
227 # Upgrade collabora package index and install collabora keyring
228 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
228 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
229 LANG=C chroot $R apt-get -qq -y update
229 LANG=C chroot $R apt-get -qq -y update
230 LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring
230 LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring
231
231
232 # Set up initial sources.list
232 # Set up initial sources.list
233 cat <<EOM >$R/etc/apt/sources.list
233 cat <<EOM >$R/etc/apt/sources.list
234 deb http://${APT_SERVER}/debian ${RELEASE} main contrib
234 deb http://${APT_SERVER}/debian ${RELEASE} main contrib
235 #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib
235 #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib
236
236
237 deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
237 deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
238 #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
238 #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
239
239
240 deb http://security.debian.org/ ${RELEASE}/updates main contrib
240 deb http://security.debian.org/ ${RELEASE}/updates main contrib
241 #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib
241 #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib
242
242
243 deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
243 deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
244 EOM
244 EOM
245
245
246 # Upgrade package index and update all installed packages and changed dependencies
246 # Upgrade package index and update all installed packages and changed dependencies
247 LANG=C chroot $R apt-get -qq -y update
247 LANG=C chroot $R apt-get -qq -y update
248 LANG=C chroot $R apt-get -qq -y -u dist-upgrade
248 LANG=C chroot $R apt-get -qq -y -u dist-upgrade
249
249
250 # Kernel installation
250 # Kernel installation
251 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
251 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
252 LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2
252 LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2
253 LANG=C chroot $R apt-get -qq -y install flash-kernel
253 LANG=C chroot $R apt-get -qq -y install flash-kernel
254
254
255 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
255 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
256 [ -z "$VMLINUZ" ] && exit 1
256 [ -z "$VMLINUZ" ] && exit 1
257 mkdir -p $R/boot/firmware
257 mkdir -p $R/boot/firmware
258
258
259 # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")
259 # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")
260 wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin
260 wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin
261 wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat
261 wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat
262 wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat
262 wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat
263 wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat
263 wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat
264 wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf
264 wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf
265 wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf
265 wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf
266 wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf
266 wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf
267 cp $VMLINUZ $R/boot/firmware/kernel7.img
267 cp $VMLINUZ $R/boot/firmware/kernel7.img
268
268
# Set up IPv4 hosts
echo ${HOSTNAME} >$R/etc/hostname
cat <<EOM >$R/etc/hosts
127.0.0.1 localhost
127.0.1.1 ${HOSTNAME}
EOM

# Set up IPv6 hosts
if [ "$ENABLE_IPV6" = true ] ; then
  cat <<EOM >>$R/etc/hosts

::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
EOM
fi

# Place hint about network configuration
cat <<EOM >$R/etc/network/interfaces
# Debian switched to systemd-networkd configuration files.
# please configure your networks in '/etc/systemd/network/'
EOM

# Enable systemd-networkd DHCP configuration for interface eth0
cat <<EOM >$R/etc/systemd/network/eth.network
[Match]
Name=eth0

[Network]
DHCP=yes
EOM

# Set DHCP configuration to IPv4 only (DHCP=yes becomes DHCP=v4)
if [ "$ENABLE_IPV6" = false ] ; then
  sed -i "s/=yes/=v4/" $R/etc/systemd/network/eth.network
fi

# Enable systemd-networkd service
LANG=C chroot $R systemctl enable systemd-networkd

# Generate crypt(3) password hash (SHA-512). The password is fed to mkpasswd
# (whois package) on stdin instead of as an argument, so it does not show up in
# the build host's process list.
ENCRYPTED_PASSWORD=$(printf '%s\n' "${PASSWORD}" | mkpasswd -m sha-512 --stdin)

# Set up default user "pi" with sudo rights and the hash generated above
LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi
LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi

# Set up root password (same hash, i.e. the same password as user pi)
LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root

# Set up firmware boot cmdline
CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"

# Set up serial console support (if requested). kgdboc also makes the kernel
# debugger reachable on the same serial line.
if [ "$ENABLE_CONSOLE" = true ] ; then
  CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
fi

# Set up IPv6 networking support
if [ "$ENABLE_IPV6" = false ] ; then
  CMDLINE="${CMDLINE} ipv6.disable=1"
fi

echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt

# Set up firmware config
cat <<EOM >$R/boot/firmware/config.txt
# For more options and information see
# http://www.raspberrypi.org/documentation/configuration/config-txt.md
# Some settings may impact device functionality. See link above for details

# uncomment if you get no picture on HDMI for a default "safe" mode
#hdmi_safe=1

# uncomment this if your display has a black border of unused pixels visible
# and your display can output without overscan
#disable_overscan=1

# uncomment the following to adjust overscan. Use positive numbers if console
# goes off screen, and negative if there is too much border
#overscan_left=16
#overscan_right=16
#overscan_top=16
#overscan_bottom=16

# uncomment to force a console size. By default it will be display's size minus
# overscan.
#framebuffer_width=1280
#framebuffer_height=720

# uncomment if hdmi display is not detected and composite is being output
#hdmi_force_hotplug=1

# uncomment to force a specific HDMI mode (this will force VGA)
#hdmi_group=1
#hdmi_mode=1

# uncomment to force a HDMI mode rather than DVI. This can make audio work in
# DMT (computer monitor) modes
#hdmi_drive=2

# uncomment to increase signal to HDMI, if you have interference, blanking, or
# no display
#config_hdmi_boost=4

# uncomment for composite PAL
#sdtv_mode=2

# uncomment to overclock the arm. 900 MHz is the default on the Raspberry Pi 2.
#arm_freq=1000
EOM

# Load snd_bcm2835 kernel module at boot time
if [ "$ENABLE_SOUND" = true ] ; then
  echo "snd_bcm2835" >>$R/etc/modules
fi

# Set smallest possible GPU memory allocation size: 16MB (no X)
if [ "$ENABLE_MINGPU" = true ] ; then
  echo "gpu_mem=16" >>$R/boot/firmware/config.txt
fi

# Create symlinks
ln -sf firmware/config.txt $R/boot/config.txt
ln -sf firmware/cmdline.txt $R/boot/cmdline.txt

# Prepare modules-load.d directory
mkdir -p $R/lib/modules-load.d/

# Load the BCM2708 hardware random number generator module on boot
if [ "$ENABLE_HWRANDOM" = true ] ; then
  cat <<EOM >$R/lib/modules-load.d/rpi2.conf
bcm2708_rng
EOM
fi

# Prepare modprobe.d directory
mkdir -p $R/etc/modprobe.d/

# Blacklist sound modules (I2S DAC and SoC codec drivers not present on a stock
# board). A blacklist only stops automatic loading; snd_bcm2835 requested via
# /etc/modules above is still loaded.
cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf
blacklist snd_soc_core
blacklist snd_pcm
blacklist snd_pcm_dmaengine
blacklist snd_timer
blacklist snd_compress
blacklist snd_soc_pcm512x_i2c
blacklist snd_soc_pcm512x
blacklist snd_soc_tas5713
blacklist snd_soc_wm8804
EOM

# Create default fstab
cat <<EOM >$R/etc/fstab
/dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
/dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
EOM

# Avoid swapping and increase cache sizes
cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf

# Avoid swapping and increase cache sizes
vm.swappiness=1
vm.dirty_background_ratio=20
vm.dirty_ratio=40
vm.dirty_writeback_centisecs=500
vm.dirty_expire_centisecs=6000
EOM

# Enable network stack hardening.
# Two caveats: the eth0 entries only take effect if an interface of that name
# already exists when systemd-sysctl runs at boot (the all/default entries cover
# interfaces that appear later), and with ENABLE_IPV6=false the kernel boots
# with ipv6.disable=1, so the net.ipv6.* keys do not exist and systemd-sysctl
# logs them as failures while still applying the rest. Disabling autoconf and
# router advertisement processing also means IPv6 addresses and default routes
# must come from DHCPv6 or static configuration.
if [ "$ENABLE_HARDNET" = true ] ; then
  cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf

# Enable network stack hardening
net.ipv4.tcp_timestamps=0
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.lo.accept_redirects=0
net.ipv4.conf.lo.send_redirects=0
net.ipv4.conf.lo.accept_source_route=0
net.ipv4.conf.eth0.accept_redirects=0
net.ipv4.conf.eth0.send_redirects=0
net.ipv4.conf.eth0.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1

net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.all.router_solicitations=0
net.ipv6.conf.all.accept_ra_rtr_pref=0
net.ipv6.conf.all.accept_ra_pinfo=0
net.ipv6.conf.all.accept_ra_defrtr=0
net.ipv6.conf.all.autoconf=0
net.ipv6.conf.all.dad_transmits=0
net.ipv6.conf.all.max_addresses=1

net.ipv6.conf.default.accept_redirects=0
net.ipv6.conf.default.accept_source_route=0
net.ipv6.conf.default.router_solicitations=0
net.ipv6.conf.default.accept_ra_rtr_pref=0
net.ipv6.conf.default.accept_ra_pinfo=0
net.ipv6.conf.default.accept_ra_defrtr=0
net.ipv6.conf.default.autoconf=0
net.ipv6.conf.default.dad_transmits=0
net.ipv6.conf.default.max_addresses=1

net.ipv6.conf.lo.accept_redirects=0
net.ipv6.conf.lo.accept_source_route=0
net.ipv6.conf.lo.router_solicitations=0
net.ipv6.conf.lo.accept_ra_rtr_pref=0
net.ipv6.conf.lo.accept_ra_pinfo=0
net.ipv6.conf.lo.accept_ra_defrtr=0
net.ipv6.conf.lo.autoconf=0
net.ipv6.conf.lo.dad_transmits=0
net.ipv6.conf.lo.max_addresses=1

net.ipv6.conf.eth0.accept_redirects=0
net.ipv6.conf.eth0.accept_source_route=0
net.ipv6.conf.eth0.router_solicitations=0
net.ipv6.conf.eth0.accept_ra_rtr_pref=0
net.ipv6.conf.eth0.accept_ra_pinfo=0
net.ipv6.conf.eth0.accept_ra_defrtr=0
net.ipv6.conf.eth0.autoconf=0
net.ipv6.conf.eth0.dad_transmits=0
net.ipv6.conf.eth0.max_addresses=1
EOM

  # Enable resolver warnings about spoofed addresses
  cat <<EOM >>$R/etc/host.conf
spoof warn
EOM
fi

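Writing keys into sysctl.d does not guarantee they are in effect on the booted image: a key can be absent (the net.ipv6.* keys when the kernel runs with ipv6.disable=1), or name an interface that does not exist yet when systemd-sysctl runs (the eth0 entries). The following is an added example, not part of rpi2-gen-image.sh, of an audit that reads a sysctl.d fragment and compares each key with the live value under /proc/sys. The optional SYSROOT argument is an assumption added so that the function can be run against a constructed /proc/sys tree offline; on a real system it is left empty. The fragment and the fake tree in the demonstration are constructed for it.

```shell
#!/bin/sh
# Added example: compare a sysctl.d fragment with the values the kernel
# actually exposes under /proc/sys. Not part of rpi2-gen-image.sh.

# sysctl_audit FILE [SYSROOT]
# Prints one line "key expected actual" per mismatch, with actual = MISSING
# when the kernel has no such key (interface absent, IPv6 disabled, ...).
# Returns 0 when every key in FILE matches, 1 otherwise.
# SYSROOT (assumed extra argument) is prefixed to /proc/sys so the function can
# be tested against a constructed tree.
sysctl_audit() {
    local file=$1 sysroot=${2:-} report
    report=$(
        # drop comments (# or ;) and blank lines, then read "key = value"
        sed -e 's/[#;].*//' -e '/^[[:space:]]*$/d' "$file" |
        while IFS='=' read -r key want; do
            key=$(printf '%s' "$key" | tr -d '[:space:]')
            want=$(printf '%s' "$want" | tr -d '[:space:]')
            [ -n "$key" ] || continue
            # key a.b.c lives at /proc/sys/a/b/c (interface names containing
            # dots would need sysctl's slash notation; none are used here)
            path="$sysroot/proc/sys/$(printf '%s' "$key" | tr . /)"
            if [ -f "$path" ]; then
                have=$(tr -s '[:space:]' ' ' < "$path" | sed 's/^ //; s/ $//')
            else
                have=MISSING
            fi
            [ "$have" = "$want" ] || printf '%s %s %s\n' "$key" "$want" "$have"
        done
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# make_fake_sysroot DIR: constructed /proc/sys tree (made-up values) standing
# in for a freshly booted image where tcp_timestamps was never changed and
# eth0 has not appeared yet.
make_fake_sysroot() {
    local root=$1
    mkdir -p "$root/proc/sys/net/ipv4/conf/all" "$root/proc/sys/net/ipv4/conf/default"
    echo 1 > "$root/proc/sys/net/ipv4/tcp_syncookies"
    echo 1 > "$root/proc/sys/net/ipv4/tcp_timestamps"
    echo 1 > "$root/proc/sys/net/ipv4/conf/all/rp_filter"
    echo 0 > "$root/proc/sys/net/ipv4/conf/all/accept_redirects"
    echo 0 > "$root/proc/sys/net/ipv4/conf/default/accept_redirects"
}

# write_fragment FILE: subset of the ENABLE_HARDNET settings from the script
write_fragment() {
    cat > "$1" <<'EOF'
# Enable network stack hardening
net.ipv4.tcp_timestamps=0
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.eth0.accept_redirects=0
EOF
}

# Demonstration against the constructed tree. On the booted image run
# sysctl_audit /etc/sysctl.d/99-sysctl.conf with no second argument.
work=$(mktemp -d)
make_fake_sysroot "$work/root"
write_fragment "$work/99-sysctl.conf"
sysctl_audit "$work/99-sysctl.conf" "$work/root" || echo "audit found mismatches"
rm -rf "$work"
```

Against the constructed tree the audit reports tcp_timestamps as still 1 and the eth0 key as MISSING; on a real image a MISSING line for an eth0 key is the signal to rely on the all/default entries or to apply the per-interface keys from a networkd or udev hook once the interface exists.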
# Regenerate openssh server host keys, so that every image gets its own keys
# instead of the ones created when the package was installed into the chroot
if [ "$ENABLE_SSHD" = true ] ; then
  rm -fr $R/etc/ssh/ssh_host_*
  LANG=C chroot $R dpkg-reconfigure openssh-server
fi

# Enable serial console systemd style
if [ "$ENABLE_CONSOLE" = true ] ; then
  LANG=C chroot $R systemctl enable serial-getty@ttyAMA0.service
fi

# Enable firewall based on iptables started by systemd service
if [ "$ENABLE_IPTABLES" = true ] ; then
  # Create iptables configuration directory
  mkdir -p "$R/etc/iptables"

  # Create iptables systemd service
  cat <<EOM >$R/etc/systemd/system/iptables.service
[Unit]
Description=Packet Filtering Framework
DefaultDependencies=no
After=systemd-sysctl.service
Before=sysinit.target

[Service]
Type=oneshot
ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
ExecStop=/etc/iptables/flush-iptables.sh
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
EOM

  # Create flush-table script called by iptables service
  cat <<EOM >$R/etc/iptables/flush-iptables.sh
#!/bin/sh
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
EOM
  # The unit runs the script directly (ExecStop=), so it must be executable
  chmod +x $R/etc/iptables/flush-iptables.sh

  # Create iptables rule file
  cat <<EOM >$R/etc/iptables/iptables.rules
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
:SSH - [0:0]

# Rate limit ping requests
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j DROP

# Accept established connections
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Accept all traffic on loopback interface
-A INPUT -i lo -j ACCEPT

# Drop packets declared invalid
-A INPUT -m conntrack --ctstate INVALID -j DROP

# SSH rate limiting via the xt_recent list "sshbf": a source that already has
# 3 new connections in the last 10 s, or 20 in the last 30 min, gets further
# ones dropped; --rttl additionally requires the TTL to match the recorded one
-A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
-A SSH -m recent --name sshbf --set -j ACCEPT

# Send TCP and UDP connections to their respective rules chain
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP

# Reject dropped packets with a RFC compliant response
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-rst
-A INPUT -j REJECT --reject-with icmp-proto-unreachable

## TCP PORT RULES
# The TCP and UDP chains are empty by default, so a new connection to any port
# other than ssh returns to INPUT and hits the REJECT rules above. Open a
# service by appending an ACCEPT rule here, e.g. -A TCP -p tcp --dport 80 -j ACCEPT
# -A TCP -p tcp -j LOG

## UDP PORT RULES
# -A UDP -p udp -j LOG

COMMIT
EOM

  # Reload systemd configuration and enable iptables service
  LANG=C chroot $R systemctl daemon-reload
  LANG=C chroot $R systemctl enable iptables.service

  if [ "$ENABLE_IPV6" = true ] ; then
    # Create ip6tables systemd service
    cat <<EOM >$R/etc/systemd/system/ip6tables.service
[Unit]
Description=Packet Filtering Framework
DefaultDependencies=no
After=systemd-sysctl.service
Before=sysinit.target

[Service]
Type=oneshot
ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
ExecStop=/etc/iptables/flush-ip6tables.sh
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
EOM

    # Create flush-table script called by ip6tables service. The heredoc is
    # unquoted, so everything meant to run on the target has to be escaped:
    # an unescaped $(...) would be executed by the build shell while the
    # file is written and bake the build host's table list into the image.
    cat <<EOM >$R/etc/iptables/flush-ip6tables.sh
#!/bin/sh
ip6tables -F
ip6tables -X
ip6tables -Z
for table in \$(cat /proc/net/ip6_tables_names)
do
  ip6tables -t \$table -F
  ip6tables -t \$table -X
  ip6tables -t \$table -Z
done
ip6tables -P INPUT ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD ACCEPT
EOM
    # The unit runs the script directly (ExecStop=), so it must be executable
    chmod +x $R/etc/iptables/flush-ip6tables.sh

    # Create ip6tables rule file
    cat <<EOM >$R/etc/iptables/ip6tables.rules
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
:SSH - [0:0]

# Drop packets with RH0 headers
-A INPUT -m rt --rt-type 0 -j DROP
-A OUTPUT -m rt --rt-type 0 -j DROP
-A FORWARD -m rt --rt-type 0 -j DROP

# Neighbour discovery and router advertisements are not tracked by conntrack
# and would otherwise end in the REJECT rules below, leaving the host unable to
# resolve link-layer addresses. Link-local ND packets carry hop limit 255.
-A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT

# Rate limit ping requests
-A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP

# Accept established connections
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Accept all traffic on loopback interface
-A INPUT -i lo -j ACCEPT

# Drop packets declared invalid
-A INPUT -m conntrack --ctstate INVALID -j DROP

# SSH rate limiting (same xt_recent scheme as in iptables.rules)
-A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
-A SSH -m recent --name sshbf --set -j ACCEPT

# Send TCP and UDP connections to their respective rules chain
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP

# Reject dropped packets with a RFC compliant response
-A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
-A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited

## TCP PORT RULES
# -A TCP -p tcp -j LOG

## UDP PORT RULES
# -A UDP -p udp -j LOG

COMMIT
EOM

    # Reload systemd configuration and enable ip6tables service
    LANG=C chroot $R systemctl daemon-reload
    LANG=C chroot $R systemctl enable ip6tables.service
  fi
fi

# Remove SSHD related iptables rules: comment out every non-comment line that
# mentions the SSH chain (its declaration, the jump to it and its rules), so no
# port 22 traffic is accepted when sshd is not installed
if [ "$ENABLE_SSHD" = false ] ; then
  sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/iptables.rules 2> /dev/null
  sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/ip6tables.rules 2> /dev/null
fi

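iptables-restore only reports a dangling chain reference when the rules are loaded, i.e. at first boot of the image, and a failed restore applies nothing, so INPUT stays at the kernel's default ACCEPT policy instead of DROP. The following is an added example, not part of rpi2-gen-image.sh, of a static check that runs on the build host: it parses an iptables-restore file, verifies that every -j target is a built-in chain, a standard target or a chain declared in the same file, and that the table is closed with COMMIT. It is run over a constructed subset of the script's iptables.rules before and after the sed above that comments out the SSH rules, to confirm the removal leaves no reference to the SSH chain behind, and over a deliberately broken copy. The sample rules file is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: static consistency check of an iptables-restore rules file on
# the build host. Not part of rpi2-gen-image.sh.

# Targets that need no ":NAME" declaration: built-in chains of the filter table
# plus the standard targets used in the script's rule files.
BUILTIN_TARGETS="INPUT OUTPUT FORWARD ACCEPT DROP REJECT RETURN LOG"

# rules_check FILE
# Prints every undefined jump target and a note if COMMIT is missing.
# Returns 0 when the file is consistent, 1 otherwise.
rules_check() {
    local file=$1 declared jumps bad=0 t
    # chains are declared as ":NAME - [0:0]" (user) or ":INPUT DROP [0:0]" (built-in)
    declared=$(sed -n 's/^:\([^ ]*\) .*/\1/p' "$file" | tr '\n' ' ')
    # every "-j TARGET" on a non-comment line
    jumps=$(grep -v '^[[:space:]]*#' "$file" | sed -n 's/.* -j \([^ ]*\).*/\1/p' | sort -u)
    for t in $jumps; do
        case " $BUILTIN_TARGETS $declared" in
            *" $t "*) ;;
            *) echo "undefined target: $t"; bad=1 ;;
        esac
    done
    grep -q '^COMMIT$' "$file" || { echo "missing COMMIT"; bad=1; }
    return $bad
}

# disable_ssh_rules FILE: the sed rpi2-gen-image.sh applies when
# ENABLE_SSHD=false; comments out every non-comment line mentioning SSH.
disable_ssh_rules() {
    sed -e '/^#/! {/SSH/ s/^/# /}' -i "$1"
}

# write_sample_rules FILE: constructed subset of the script's iptables.rules
write_sample_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
:SSH - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH rate limiting
-A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
-A SSH -m recent --name sshbf --set -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
-A INPUT -p tcp -j REJECT --reject-with tcp-rst
COMMIT
EOF
}

# Demonstration: the sample passes, still passes with the SSH rules commented
# out, and a copy whose ":SSH" declaration was removed by hand is caught
# before the image is ever booted.
work=$(mktemp -d)
write_sample_rules "$work/iptables.rules"
rules_check "$work/iptables.rules" && echo "original: consistent"
disable_ssh_rules "$work/iptables.rules"
rules_check "$work/iptables.rules" && echo "without sshd: consistent"
write_sample_rules "$work/broken.rules"
sed -i '/^:SSH /d' "$work/broken.rules"
rules_check "$work/broken.rules" || echo "broken copy: rejected"
rm -rf "$work"
```

Running rules_check over $R/etc/iptables/iptables.rules and ip6tables.rules at the end of the build catches a mistyped chain name or a lost COMMIT while the image can still be rebuilt; on a target with iptables installed, iptables-restore --test does the full syntax check.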
706 # Install gcc/c++ build environment inside the chroot
706 # Install gcc/c++ build environment inside the chroot
707 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
707 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
708 LANG=C chroot $R apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
708 LANG=C chroot $R apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
709 fi
709 fi
710
710
711 # Fetch and build U-Boot bootloader
711 # Fetch and build U-Boot bootloader
712 if [ "$ENABLE_UBOOT" = true ] ; then
712 if [ "$ENABLE_UBOOT" = true ] ; then
713 # Fetch U-Boot bootloader sources
713 # Fetch U-Boot bootloader sources
714 git -C $R/tmp clone git://git.denx.de/u-boot.git
714 git -C $R/tmp clone git://git.denx.de/u-boot.git
715
715
716 # Build and install U-Boot inside chroot
716 # Build and install U-Boot inside chroot
717 LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all
717 LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all
718
718
719 # Copy compiled bootloader binary and set config.txt to load it
719 # Copy compiled bootloader binary and set config.txt to load it
720 cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
720 cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
721 printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
721 printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
722
722
723 # Set U-Boot command file
723 # Set U-Boot command file
724 cat <<EOM >$R/boot/firmware/uboot.mkimage
724 cat <<EOM >$R/boot/firmware/uboot.mkimage
725 # Tell Linux that it is booting on a Raspberry Pi2
725 # Tell Linux that it is booting on a Raspberry Pi2
726 setenv machid 0x00000c42
726 setenv machid 0x00000c42
727
727
728 # Set the kernel boot command line
728 # Set the kernel boot command line
729 setenv bootargs "earlyprintk ${CMDLINE}"
729 setenv bootargs "earlyprintk ${CMDLINE}"
730
730
731 # Save these changes to u-boot's environment
731 # Save these changes to u-boot's environment
732 saveenv
732 saveenv
733
733
734 # Load the existing Linux kernel into RAM
734 # Load the existing Linux kernel into RAM
735 fatload mmc 0:1 \${kernel_addr_r} kernel7.img
735 fatload mmc 0:1 \${kernel_addr_r} kernel7.img
736
737 # Boot the kernel we have just loaded
738 bootz \${kernel_addr_r}
739 EOM
740
741 # Generate U-Boot image from command file
742 LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
743 fi
744
745 # Fetch and build fbturbo Xorg driver
746 if [ "$ENABLE_FBTURBO" = true ] ; then
747 # Fetch fbturbo driver sources
748 git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git
749
750 # Install Xorg build dependencies
751 LANG=C chroot $R apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
752
753 # Build and install fbturbo driver inside chroot
754 LANG=C chroot $R /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install"
755
756 # Add fbturbo driver to Xorg configuration
757 cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf
758 Section "Device"
759 Identifier "Allwinner A10/A13 FBDEV"
760 Driver "fbturbo"
761 Option "fbdev" "/dev/fb0"
762 Option "SwapbuffersWait" "true"
763 EndSection
764 EOM
765
766 # Remove Xorg build dependencies
767 LANG=C chroot $R apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
768 fi
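Review bot: the fbturbo driver is fetched from an unpinned branch head (`git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git`) and then built and installed as root inside the chroot, so the image content depends on whatever upstream holds at build time, and a compromised or retargeted repository lands directly in every image. Pin a tag or commit (`git -C $R/tmp clone --branch <tag> ...` followed by a check of the resulting commit hash, or `git verify-tag` where upstream signs) and record the commit that was built. The build steps are joined with `;` inside `bash -c` (`cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install`), so a failed `autoreconf` or `./configure` does not stop `make install` from running on a half-configured tree; join them with `&&` and check the exit status of the chroot command. Two smaller points: the generated `99-fbturbo.conf` keeps the sample `Identifier "Allwinner A10/A13 FBDEV"`, which is misleading on an RPi2, and `/etc/X11/xorg.conf.d/` rather than `/usr/share/X11/xorg.conf.d/` is the directory intended for locally generated configuration.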
769
770 # Remove gcc/c++ build environment from the chroot
771 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
772 LANG=C chroot $R apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
773 fi
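Review bot: the purge list in the `ENABLE_UBOOT`/`ENABLE_FBTURBO` branch hard-codes jessie's toolchain package names (`cpp-4.9`, `gcc-4.9`, `libgcc-4.9-dev`, `linux-compiler-gcc-4.9-arm`, `libcloog-isl4`, `libisl10`, ...), so it silently stops matching as soon as the release or a package name changes, and a purge of a package that is not installed is not an error the script would notice. Let apt do the bookkeeping instead: mark the build dependencies as automatically installed right after installing them (`apt-mark auto`) and let the `apt-get autoremove` that follows drop them, then verify the intent with something like `chroot $R dpkg -s gcc` returning non-zero. A leftover compiler is not a vulnerability by itself, but since the stated goal is to ship the image without one, the check should prove the absence rather than rely on a fixed list.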
774
775 # Clean cached downloads
776 LANG=C chroot $R apt-get -y clean
777 LANG=C chroot $R apt-get -y autoclean
778 LANG=C chroot $R apt-get -y autoremove
779
780 # Unmount mounted filesystems
781 umount -l $R/proc
782 umount -l $R/sys
783
784 # Clean up files
785 rm -f $R/etc/apt/sources.list.save
786 rm -f $R/etc/resolvconf/resolv.conf.d/original
787 rm -rf $R/run
788 mkdir -p $R/run
789 rm -f $R/etc/*-
790 rm -f $R/root/.bash_history
791 rm -rf $R/tmp/*
792 rm -f $R/var/lib/urandom/random-seed
793 [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id
794 rm -f $R/etc/machine-id
795 rm -fr $R/etc/apt/apt.conf.d/10proxy
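Review bot: every path in this block is built from an unquoted `$R` (`umount -l $R/proc`, `rm -rf $R/run`, `rm -f $R/etc/*-`, `rm -rf $R/tmp/*`), so if `R` is ever empty or unset these lines run against the build host: they would lazily unmount the host's `/proc` and `/sys`, wipe `/run` and `/tmp/*`, and delete the host's `passwd-`, `shadow-` and `group-` backups. Guard the variable once before the first destructive command, for example `: "${R:?chroot path not set}"`, and quote it in the `rm` and `umount` calls. The identity scrubbing itself is right for a golden image: removing `/var/lib/urandom/random-seed`, `/var/lib/dbus/machine-id` and `/etc/machine-id` makes each board derive its own seed and machine-id on first boot instead of all flashed copies sharing them. Please confirm the same is done for any other per-host secrets generated inside the chroot (SSH host keys, if `openssh-server` is part of the image), since nothing here touches them.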
796
797 # Calculate size of the chroot directory
798 CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)
799
800 # Calculate required image size
801 IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`
802
803 # Calculate number of sectors for the partition
804 IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`
805
806 # Prepare date string for image file name
807 DATE="$(date +%Y-%m-%d)"
808
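Review bot: the image size leaves too little headroom at the rounding boundaries. `CHROOT_SIZE` is `du -s` converted to MiB and `IMAGE_SIZE` rounds it up to the next whole GiB (`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`), but the root partition only receives `IMAGE_SIZE - 65` MiB of that (64 MiB boot partition plus the 1 MiB alignment gap), and mkfs.ext4 takes its own share for the journal, inode tables and the 5 % root reservation. For a chroot of roughly 1000 MiB the result is a 1024 MiB image with a 959 MiB root partition, smaller than the data to be copied, and the later `rsync` fails with ENOSPC. Add the boot partition and a filesystem overhead margin before rounding, for instance `IMAGE_SIZE=$(( ((CHROOT_SIZE * 11 / 10 + 65) / 1024 + 1) * 1024 ))`, and stop mixing backticks, `$(...)` and `expr` in one expression; bash arithmetic is easier to read and to check. `IMAGE_SECTORS` (`IMAGE_SIZE * 2048 - 133120`) is consistent with a root partition starting at sector 133120, so only the rounding needs to change.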
809 # Prepare image file
810 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1
811 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}
812
813 # Write partition table
814 sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
815 unit: sectors
816
817 1 : start= 2048, size= 131072, Id= c, bootable
818 2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83
819 3 : start= 0, size= 0, Id= 0
820 4 : start= 0, size= 0, Id= 0
821 EOM
822
823 # Set up temporary loop devices and build filesystems
824 VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
825 EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
826 mkfs.vfat "$VFAT_LOOP"
827 mkfs.ext4 "$EXT4_LOOP"
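Review bot: the second loop device does not match the partition it is meant to cover. Partition 2 starts at sector 133120 (65 MiB) and runs to the end of the image, i.e. `IMAGE_SIZE - 65` MiB, but the loop device is set up with `-o 65M --sizelimit $(expr ${IMAGE_SIZE} - 64)M`, one MiB past the end of the file. The kernel clamps a loop device to its backing file, so this is harmless today, but anyone who later grows the boot partition or moves the offsets will inherit the inconsistency; use `--sizelimit $((IMAGE_SIZE - 65))M` so the filesystem is created strictly inside the partition boundaries. Note that `sfdisk -f` disables the consistency checks that might otherwise flag a size mismatch, so the arithmetic here is the only safeguard. The two `dd` calls that create the sparse file are fine (`truncate -s ${IMAGE_SIZE}M` does the same in one line), and the `$BASEDIR/...img` path passed to `losetup` is unquoted while the same path is quoted everywhere else.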
828
829 # Mount the temporary loop devices
830 mkdir -p "$BUILDDIR/mount"
831 mount "$EXT4_LOOP" "$BUILDDIR/mount"
832
833 mkdir -p "$BUILDDIR/mount/boot/firmware"
834 mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"
835
836 # Copy all files from the chroot to the loop device mount point directory
837 rsync -a "$R/" "$BUILDDIR/mount/"
838
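Review bot: `rsync -a "$R/" "$BUILDDIR/mount/"` drops metadata a Debian root filesystem relies on. `-a` does not preserve hard links, POSIX ACLs or extended attributes, so any `security.capability` xattr a maintainer script set with `setcap` is lost and the affected binary stops working on the target, and hard-linked files are written out twice. Use `rsync -aHAX --numeric-ids` (the destination is a freshly created ext4 filesystem, so ACLs and xattrs are supported; `--numeric-ids` avoids any name-based uid/gid remapping against the build host's passwd) and check rsync's exit status before going on: in the current flow a partial copy caused by ENOSPC is followed by `cleanup`, `bmaptool create` and the "successfully created" message as if nothing had happened.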
839 # Unmount all temporary loop devices and mount points
840 cleanup
841
842 # (optinal) create block map file for "bmaptool"
843 bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
844
845 # Image was successfully created
846 echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"
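Review bot: the closing `echo ... ": successfully created"` is unconditional, and nothing between `rsync` and here checks a return code, so a failed copy or a failed `bmaptool create` still ends with a success message and an image that looks finished. Make the success path depend on the exit status of the preceding steps (or run the script under `set -e` and, if it is not already, register `cleanup` as an `EXIT` trap so the loop devices and mount points are released on failure too). Smaller points: `(${IMAGE_SIZE})` in the message has no unit (it is MiB); the `.bmap` is the only integrity artifact produced, and `bmaptool copy` only verifies the block ranges listed in the map, so publishing a `sha256sum` of the `.img` next to it gives people who flash with plain `dd` something to verify; and the comment reads `(optinal)`.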