Merge branch 'fpytloun-master'
Jan Wagner -
r52:1f5000be9fe2 Fusion
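--- /dev/null
+++ b/PLACEHOLDER-PATH-01
@@ -0,0 +1,43 @@
+# For more options and information see
+# http://www.raspberrypi.org/documentation/configuration/config-txt.md
+# Some settings may impact device functionality. See link above for details
+
+# uncomment if you get no picture on HDMI for a default "safe" mode
+#hdmi_safe=1
+
+# uncomment this if your display has a black border of unused pixels visible
+# and your display can output without overscan
+#disable_overscan=1
+
+# uncomment the following to adjust overscan. Use positive numbers if console
+# goes off screen, and negative if there is too much border
+#overscan_left=16
+#overscan_right=16
+#overscan_top=16
+#overscan_bottom=16
+
+# uncomment to force a console size. By default it will be display's size minus
+# overscan.
+#framebuffer_width=1280
+#framebuffer_height=720
+
+# uncomment if hdmi display is not detected and composite is being output
+#hdmi_force_hotplug=1
+
+# uncomment to force a specific HDMI mode (this will force VGA)
+#hdmi_group=1
+#hdmi_mode=1
+
+# uncomment to force a HDMI mode rather than DVI. This can make audio work in
+# DMT (computer monitor) modes
+#hdmi_drive=2
+
+# uncomment to increase signal to HDMI, if you have interference, blanking, or
+# no display
+#config_hdmi_boost=4
+
+# uncomment for composite PAL
+#sdtv_mode=2
+
+# uncomment to overclock the arm. 700 MHz is the default.
+#arm_freq=800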
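--- /dev/null
+++ b/PLACEHOLDER-PATH-02
@@ -0,0 +1,2 @@
+#!/bin/sh -e
+logger -t "rc.firstboot" "Starting first boot actions"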
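--- /dev/null
+++ b/PLACEHOLDER-PATH-03
@@ -0,0 +1,8 @@
+logger -t "rc.firstboot" "Generating SSH host keys"
+rm -f /etc/ssh/ssh_host_*
+ssh-keygen -q -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key
+ssh-keygen -q -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key
+ssh-keygen -q -t ecdsa -N "" -f /etc/ssh/ssh_host_ecdsa_key
+ssh-keygen -q -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key
+
+systemctl restart sshd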
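Review bot: Line 4 generates a DSA host key (`ssh-keygen -q -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key`); DSA host keys are fixed at 1024 bits and the ssh-dss algorithm has been disabled by default since OpenSSH 7.0, so the key is either never offered or is the weakest option on the host — drop that line and keep rsa, ecdsa and ed25519. Consider `ssh-keygen -q -t rsa -b 4096 -N "" -f /etc/ssh/ssh_host_rsa_key` so the RSA size does not depend on the installed tool's default. Line 2 deletes the shipped keys before any new key exists; if a later `ssh-keygen` fails the host is left without that key type, which is acceptable only if this step is re-run on failure, and the hunk does not show how the script is invoked.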
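--- /dev/null
+++ b/PLACEHOLDER-PATH-04
@@ -0,0 +1,52 @@
+logger -t "rc.firstboot" "Expanding root"
+ROOT_PART=$(mount | sed -n 's|^/dev/\(.*\) on / .*|\1|p')
+PART_NUM=$(echo ${ROOT_PART} | grep -o '[1-9][0-9]*$')
+case "${ROOT_PART}" in
+mmcblk0*) ROOT_DEV=mmcblk0 ;;
+sda*) ROOT_DEV=sda ;;
+esac
+if [ "$PART_NUM" = "$ROOT_PART" ]; then
+logger -t "rc.firstboot" "$ROOT_PART is not an SD card. Don't know how to expand"
+return 0
+fi
+
+# NOTE: the NOOBS partition layout confuses parted. For now, let's only
+# agree to work with a sufficiently simple partition layout
+if [ "$PART_NUM" -gt 2 ]; then
+logger -t "rc.firstboot" "Your partition layout is not currently supported by this tool."
+return 0
+fi
+LAST_PART_NUM=$(parted /dev/${ROOT_DEV} -ms unit s p | tail -n 1 | cut -f 1 -d:)
+if [ $LAST_PART_NUM -ne $PART_NUM ]; then
+logger -t "rc.firstboot" "$ROOT_PART is not the last partition. Don't know how to expand"
+return 0
+fi
+
+# Get the starting offset of the root partition
+PART_START=$(parted /dev/${ROOT_DEV} -ms unit s p | grep "^${PART_NUM}" | cut -f 2 -d: | sed 's/[^0-9]//g')
+[ "$PART_START" ] || return 1
+
+# Get the possible last sector for the root partition
+PART_LAST=$(fdisk -l /dev/${ROOT_DEV} | grep '^Disk.*sectors' | awk '{ print $7 - 1 }')
+[ "$PART_LAST" ] || return 1
+
+# Return value will likely be error for fdisk as it fails to reload the
+# partition table because the root fs is mounted
+### Since rc.local is run with "sh -e", let's add "|| true" to prevent premature exit
+fdisk /dev/${ROOT_DEV} <<EOF2 || true
+p
+d
+$PART_NUM
+n
+p
+$PART_NUM
+$PART_START
+$PART_LAST
+p
+w
+EOF2
+
+# Reload the partition table, resize root filesystem then remove resizing code from this file
+partprobe &&
+resize2fs /dev/${ROOT_PART} &&
+logger -t "rc.firstboot" "Root partition successfuly resized."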
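Review bot: The guard on line 8 can never fire: line 3 extracts only the trailing digits of `ROOT_PART`, so `PART_NUM` equals `ROOT_PART` only for an all-digit device name, while a root on anything other than `mmcblk0*`/`sda*` leaves `ROOT_DEV` unset in the `case` on lines 4–7, after which lines 19, 26 and 36 run `parted`/`fdisk` against `/dev/` rather than a disk. Add a default arm, `*) logger -t "rc.firstboot" "$ROOT_PART: unsupported root device"; return 0 ;;`, and drop or fix the dead check. The top-level `return` on lines 10, 17, 22, 27 and 31 works because dash treats `return` outside a function as "skip the rest of the file"; bash reports an error instead, so this holds only if the fragment is sourced or run by dash, which the hunk does not show. Because the `fdisk` heredoc on lines 36–47 deletes and recreates the mounted root partition, a log line recording `ROOT_DEV`, `PART_START` and `PART_LAST` just before it would let a later incident be reconstructed from the journal.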
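--- /dev/null
+++ b/PLACEHOLDER-PATH-05
@@ -0,0 +1,3 @@
+logger -t "rc.firstboot" "First boot actions finished"
+rm -f /etc/rc.firstboot
+sed -i '/.*rc.firstboot/d' /etc/rc.local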
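Review bot: Line 2 deletes `/etc/rc.firstboot` before line 3 removes the hook from `/etc/rc.local`; if the `sed -i` fails (read-only root, missing file), later boots are left with rc.local referencing a script that no longer exists, and under an `sh -e` rc.local that stops everything after the hook. Swap the two lines so the hook is removed first, and anchor the pattern to the hook itself rather than `/.*rc.firstboot/`, which deletes any unrelated line that merely mentions the name. I am assuming rc.local is what invokes this script; the calling side is not in this hunk.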
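--- /dev/null
+++ b/PLACEHOLDER-PATH-06
@@ -0,0 +1,2 @@
+/dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
+/dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2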
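Review bot: Line 1 mounts the root filesystem with `data=writeback`, which ext4 documents as allowing old data to appear in files after a crash and journal recovery because metadata may be committed before the data; on a board that is routinely unplugged that means blocks of previously deleted files can become readable inside recently extended files. The default `data=ordered` avoids that exposure at a modest write cost. If writeback is a deliberate trade for SD-card wear, say so on the line, for example `# data=writeback: stale data may surface in files after a crash`, so the image is not reused for sensitive data unknowingly; `commit=100` widens the same window to 100 s and deserves the same note.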
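--- /dev/null
+++ b/PLACEHOLDER-PATH-07
@@ -0,0 +1,15 @@
+#!/bin/sh
+ip6tables -F
+ip6tables -X
+ip6tables -Z
+
+for table in $(</proc/net/ip6_tables_names)
+do
+ip6tables -t \$table -F
+ip6tables -t \$table -X
+ip6tables -t \$table -Z
+done
+
+ip6tables -P INPUT ACCEPT
+ip6tables -P OUTPUT ACCEPT
+ip6tables -P FORWARD ACCEPT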
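Review bot: The table loop on lines 6–11 never flushes anything: `$(</proc/net/ip6_tables_names)` is a bash-only form that expands to an empty string under the `#!/bin/sh` on line 1, and even if it did iterate, the escaped `\$table` on lines 8–10 passes the literal text `$table` as the table name, so each `ip6tables -t` call fails. The backslashes look like a leftover from a heredoc in whatever generated this file; in a standalone script they have to go. The rewrite below reads the table list with `cat` and quotes the variable, so non-filter tables are actually cleared. Since the unit in this commit runs this script as `ExecStop`, a stop leaves the host with ACCEPT policies and no rules; that is what a flush means, but a one-line comment at the top stating it would help the next reader.

```shell
#!/bin/sh
# … unchanged: flush, delete and zero the default (filter) table …
for table in $(cat /proc/net/ip6_tables_names)
do
  ip6tables -t "$table" -F
  ip6tables -t "$table" -X
  ip6tables -t "$table" -Z
done
# … unchanged: reset chain policies to ACCEPT …
```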
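--- /dev/null
+++ b/PLACEHOLDER-PATH-08
@@ -0,0 +1,10 @@
+#!/bin/sh
+iptables -F
+iptables -X
+iptables -t nat -F
+iptables -t nat -X
+iptables -t mangle -F
+iptables -t mangle -X
+iptables -P INPUT ACCEPT
+iptables -P FORWARD ACCEPT
+iptables -P OUTPUT ACCEPT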
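Review bot: This script flushes only the filter, nat and mangle tables (lines 2–7), so anything loaded into the `raw` or `security` tables survives a stop, and the per-table lines also differ from the IPv6 flush script in this commit, which walks every table it finds. Replace lines 2–7 with the same loop over the kernel's table list, `for table in $(cat /proc/net/ip_tables_names); do iptables -t "$table" -F; iptables -t "$table" -X; iptables -t "$table" -Z; done`, so both flush scripts behave identically and zero the counters as well.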
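--- /dev/null
+++ b/PLACEHOLDER-PATH-09
@@ -0,0 +1,48 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:TCP - [0:0]
+:UDP - [0:0]
+:SSH - [0:0]
+
+# Drop packets with RH0 headers
+-A INPUT -m rt --rt-type 0 -j DROP
+-A OUTPUT -m rt --rt-type 0 -j DROP
+-A FORWARD -m rt --rt-type 0 -j DROP
+
+# Rate limit ping requests
+-A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
+-A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
+
+# Accept established connections
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# Accept all traffic on loopback interface
+-A INPUT -i lo -j ACCEPT
+
+# Drop packets declared invalid
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+
+# SSH rate limiting
+-A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
+-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
+-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
+-A SSH -m recent --name sshbf --set -j ACCEPT
+
+# Send TCP and UDP connections to their respective rules chain
+-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
+-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
+
+# Reject dropped packets with a RFC compliant responce
+-A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
+-A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
+-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
+
+## TCP PORT RULES
+# -A TCP -p tcp -j LOG
+
+## UDP PORT RULES
+# -A UDP -p udp -j LOG
+
+COMMIT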
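Review bot: Nothing in this ruleset accepts Neighbor Discovery: an incoming neighbor-solicitation or neighbor-advertisement carries no RH0 header (line 10), is not an echo-request (lines 15–16), and conntrack marks ND as UNTRACKED rather than ESTABLISHED, so it falls through to the catch-all `-A INPUT -j REJECT` on line 40 and the host can neither resolve nor be resolved on its link — IPv6 will look dead even though the rest of the policy is sound. Add, ahead of the conntrack rule on line 19, `-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT` and `-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT`; the hop-limit match keeps off-link forgeries out. Router advertisements need the same treatment only if the image is meant to honour them, which the sysctl file in this commit mostly disables. Separately, the loopback accept on line 22 sits after the ping rate limit, so local pings to ::1 are throttled as well; `-A INPUT -i lo -j ACCEPT` is conventionally the first INPUT rule, and the IPv4 ruleset in this commit has the same layout at its line 17.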
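--- /dev/null
+++ b/PLACEHOLDER-PATH-10
@@ -0,0 +1,15 @@
+[Unit]
+Description=Packet Filtering Framework
+DefaultDependencies=no
+After=systemd-sysctl.service
+Before=sysinit.target
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
+ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
+ExecStop=/etc/iptables/flush-ip6tables.sh
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target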
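Review bot: The `[Unit]` ordering on lines 3–5 places the service before `sysinit.target` but states nothing about the network, so the guarantee that rules exist before an interface is configured rests on network setup happening after sysinit rather than on a declared dependency; add `Wants=network-pre.target` and `Before=network-pre.target`, the systemd-provided hook for loading a firewall before any network management starts. `ExecStop` on line 11 runs the flush script, so a stop or a failed restart leaves the host with ACCEPT policies and no rules; that is the expected meaning of stopping a firewall, but it warrants a comment beside it such as `# stopping this unit opens the host; use reload to change rules`. The IPv4 unit later in this commit has the identical structure, and both points apply there too.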
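--- /dev/null
+++ b/PLACEHOLDER-PATH-11
@@ -0,0 +1,43 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:TCP - [0:0]
+:UDP - [0:0]
+:SSH - [0:0]
+
+# Rate limit ping requests
+-A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
+-A INPUT -p icmp --icmp-type echo-request -j DROP
+
+# Accept established connections
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# Accept all traffic on loopback interface
+-A INPUT -i lo -j ACCEPT
+
+# Drop packets declared invalid
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+
+# SSH rate limiting
+-A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
+-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
+-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
+-A SSH -m recent --name sshbf --set -j ACCEPT
+
+# Send TCP and UDP connections to their respective rules chain
+-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
+-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
+
+# Reject dropped packets with a RFC compliant responce
+-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
+-A INPUT -p tcp -j REJECT --reject-with tcp-rst
+-A INPUT -j REJECT --reject-with icmp-proto-unreachable
+
+## TCP PORT RULES
+# -A TCP -p tcp -j LOG
+
+## UDP PORT RULES
+# -A UDP -p udp -j LOG
+
+COMMIT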
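Review bot: The SSH chain on lines 24–26 uses `--hitcount 20`, which is exactly the kernel default of xt_recent's `ip_pkt_list_tot`; a hitcount above that limit is refused when the rule is loaded, and because the unit in this commit applies this file with a single `iptables-restore`, one refused rule means nothing is committed and the host boots with the kernel's default ACCEPT policies. Put a comment above line 24, `# --hitcount must not exceed xt_recent ip_pkt_list_tot (default 20)`, so a later tuning does not silently open the host; the IPv6 file earlier in this commit carries the same three rules at its lines 29–31. The comment on line 32 should also state the intent of lines 33–35, since answering leftover packets with REJECT while the chain policy is DROP is a deliberate choice (prompt errors for legitimate clients) that a reader would otherwise take for an inconsistency.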
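--- /dev/null
+++ b/PLACEHOLDER-PATH-12
@@ -0,0 +1,15 @@
+[Unit]
+Description=Packet Filtering Framework
+DefaultDependencies=no
+After=systemd-sysctl.service
+Before=sysinit.target
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
+ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
+ExecStop=/etc/iptables/flush-iptables.sh
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target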
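--- /dev/null
+++ b/PLACEHOLDER-PATH-13
@@ -0,0 +1,9 @@
+blacklist snd_soc_core
+blacklist snd_pcm
+blacklist snd_pcm_dmaengine
+blacklist snd_timer
+blacklist snd_compress
+blacklist snd_soc_pcm512x_i2c
+blacklist snd_soc_pcm512x
+blacklist snd_soc_tas5713
+blacklist snd_soc_wm8804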
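Review bot: `blacklist` only stops the module from being autoloaded by alias; an explicit `modprobe snd_pcm`, or another module that depends on one of these, still loads it. If the goal is to keep the sound stack out of the image entirely (presumably the `ENABLE_SOUND=false` path described in the README of this commit), the stronger form is `install snd_soc_core /bin/false` per module, and either way the file should open with a comment stating which behaviour it intends, for example `# sound stack disabled: blacklist only prevents alias-based autoload`.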
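--- /dev/null
+++ b/PLACEHOLDER-PATH-14
@@ -0,0 +1,6 @@
+# Avoid swapping and increase cache sizes
+vm.swappiness=1
+vm.dirty_background_ratio=20
+vm.dirty_ratio=40
+vm.dirty_writeback_centisecs=500
+vm.dirty_expire_centisecs=6000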
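Review bot: The comment on line 1 covers `vm.swappiness` only; lines 3–6 raise the dirty-page thresholds and let dirty pages sit for up to 60 s before they must be written (`dirty_expire_centisecs=6000`), which on a battery-less SD-card board widens the amount of data lost on an unclean power-off. That is a reasonable wear-versus-durability trade, but the file should say so: `# dirty_*: fewer SD writes at the cost of up to ~60 s of unflushed data on power loss`. The fstab added in this commit sets `commit=100` on the root filesystem for the same reason, so the two files are worth cross-referencing in that comment.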
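--- /dev/null
+++ b/PLACEHOLDER-PATH-15
@@ -0,0 +1,59 @@
+# Enable network stack hardening
+net.ipv4.tcp_timestamps=0
+net.ipv4.tcp_syncookies=1
+net.ipv4.conf.all.rp_filter=1
+net.ipv4.conf.all.accept_redirects=0
+net.ipv4.conf.all.send_redirects=0
+net.ipv4.conf.all.accept_source_route=0
+net.ipv4.conf.default.rp_filter=1
+net.ipv4.conf.default.accept_redirects=0
+net.ipv4.conf.default.send_redirects=0
+net.ipv4.conf.default.accept_source_route=0
+net.ipv4.conf.lo.accept_redirects=0
+net.ipv4.conf.lo.send_redirects=0
+net.ipv4.conf.lo.accept_source_route=0
+net.ipv4.conf.eth0.accept_redirects=0
+net.ipv4.conf.eth0.send_redirects=0
+net.ipv4.conf.eth0.accept_source_route=0
+net.ipv4.icmp_echo_ignore_broadcasts=1
+net.ipv4.icmp_ignore_bogus_error_responses=1
+
+net.ipv6.conf.all.accept_redirects=0
+net.ipv6.conf.all.accept_source_route=0
+net.ipv6.conf.all.router_solicitations=0
+net.ipv6.conf.all.accept_ra_rtr_pref=0
+net.ipv6.conf.all.accept_ra_pinfo=0
+net.ipv6.conf.all.accept_ra_defrtr=0
+net.ipv6.conf.all.autoconf=0
+net.ipv6.conf.all.dad_transmits=0
+net.ipv6.conf.all.max_addresses=1
+
+net.ipv6.conf.default.accept_redirects=0
+net.ipv6.conf.default.accept_source_route=0
+net.ipv6.conf.default.router_solicitations=0
+net.ipv6.conf.default.accept_ra_rtr_pref=0
+net.ipv6.conf.default.accept_ra_pinfo=0
+net.ipv6.conf.default.accept_ra_defrtr=0
+net.ipv6.conf.default.autoconf=0
+net.ipv6.conf.default.dad_transmits=0
+net.ipv6.conf.default.max_addresses=1
+
+net.ipv6.conf.lo.accept_redirects=0
+net.ipv6.conf.lo.accept_source_route=0
+net.ipv6.conf.lo.router_solicitations=0
+net.ipv6.conf.lo.accept_ra_rtr_pref=0
+net.ipv6.conf.lo.accept_ra_pinfo=0
+net.ipv6.conf.lo.accept_ra_defrtr=0
+net.ipv6.conf.lo.autoconf=0
+net.ipv6.conf.lo.dad_transmits=0
+net.ipv6.conf.lo.max_addresses=1
+
+net.ipv6.conf.eth0.accept_redirects=0
+net.ipv6.conf.eth0.accept_source_route=0
+net.ipv6.conf.eth0.router_solicitations=0
+net.ipv6.conf.eth0.accept_ra_rtr_pref=0
+net.ipv6.conf.eth0.accept_ra_pinfo=0
+net.ipv6.conf.eth0.accept_ra_defrtr=0
+net.ipv6.conf.eth0.autoconf=0
+net.ipv6.conf.eth0.dad_transmits=0
+net.ipv6.conf.eth0.max_addresses=1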
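Review bot: The IPv6 block zeroes `accept_ra_defrtr`, `accept_ra_pinfo`, `accept_ra_rtr_pref` and `autoconf` for every interface (lines 24–27 and their repeats) but leaves `accept_ra` at its default, so router advertisements are still parsed for everything those knobs do not cover; if the intent is to ignore RAs outright, add `net.ipv6.conf.all.accept_ra=0` and `net.ipv6.conf.default.accept_ra=0`. `dad_transmits=0` on lines 28, 38, 48 and 58 switches off duplicate address detection, which is not a hardening measure and lets address collisions go unnoticed — drop it or comment why it is wanted. The `eth0` entries apply only if an interface of that name exists when sysctl runs (systemd-sysctl logs an error per key otherwise), and the `all`/`default` entries already cover whatever the interface is called. For detection value, `net.ipv4.conf.all.log_martians=1` next to `rp_filter` makes spoofed-source drops visible in the kernel log.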
@@ -1,138 +1,155
1 # rpi2-gen-image
1 # rpi2-gen-image
2 ## Introduction
2 ## Introduction
3 `rpi2-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for the Raspberry 2 (RPi2) computer. The script at this time only supports the bootstrapping of the current stable Debian 8 "jessie" release.
3 `rpi2-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for the Raspberry 2 (RPi2) computer. The script at this time only supports the bootstrapping of the current stable Debian 8 "jessie" release.
4
4
5 ## Build dependencies
5 ## Build dependencies
6 The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user.
6 The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user.
7
7
8 ```debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core```
8 ```debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core```
9
9
10 ## Command-line parameters
10 ## Command-line parameters
11 The script accepts certain command-line parameters to enable or disable specific OS features, services and configuration settings. These parameters are passed to the `rpi2-gen-image.sh` script via (simple) shell-variables. Unlike environment shell-variables (simple) shell-variables are defined at the beginning of the command-line call of the `rpi2-gen-image.sh` script.
11 The script accepts certain command-line parameters to enable or disable specific OS features, services and configuration settings. These parameters are passed to the `rpi2-gen-image.sh` script via (simple) shell-variables. Unlike environment shell-variables (simple) shell-variables are defined at the beginning of the command-line call of the `rpi2-gen-image.sh` script.
12
12
13 #####Command-line examples:
13 #####Command-line examples:
14 ```shell
14 ```shell
15 ENABLE_UBOOT=true ./rpi2-gen-image.sh
15 ENABLE_UBOOT=true ./rpi2-gen-image.sh
16 ENABLE_CONSOLE=false ENABLE_IPV6=false ./rpi2-gen-image.sh
16 ENABLE_CONSOLE=false ENABLE_IPV6=false ./rpi2-gen-image.sh
17 ENABLE_WM=xfce4 ENABLE_FBTURBO=true ENABLE_MINBASE=true ./rpi2-gen-image.sh
17 ENABLE_WM=xfce4 ENABLE_FBTURBO=true ENABLE_MINBASE=true ./rpi2-gen-image.sh
18 ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi2-gen-image.sh
18 ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi2-gen-image.sh
19 APT_SERVER=ftp.de.debian.org APT_PROXY="http://127.0.0.1:3142/" ./rpi2-gen-image.sh
19 APT_SERVER=ftp.de.debian.org APT_PROXY="http://127.0.0.1:3142/" ./rpi2-gen-image.sh
20 ENABLE_MINBASE=true ./rpi2-gen-image.sh
20 ENABLE_MINBASE=true ./rpi2-gen-image.sh
21 ```
21 ```
22
22
23 #### APT settings:
23 #### APT settings:
24 ##### `APT_SERVER`="ftp.debian.org"
24 ##### `APT_SERVER`="ftp.debian.org"
25 Set Debian packages server address. Choose a server from the list of Debian worldwide [mirror sites](https://www.debian.org/mirror/list). Using a nearby server will probably speed-up all required downloads within the bootstrapping process.
25 Set Debian packages server address. Choose a server from the list of Debian worldwide [mirror sites](https://www.debian.org/mirror/list). Using a nearby server will probably speed-up all required downloads within the bootstrapping process.
26
26
27 ##### `APT_PROXY`=""
27 ##### `APT_PROXY`=""
28 Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once.
28 Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once.
29
29
30 ##### `APT_INCLUDES`=""
30 ##### `APT_INCLUDES`=""
31 A comma seperated list of additional packages to be installed during bootstrapping.
31 A comma seperated list of additional packages to be installed during bootstrapping.
32
32
33 #### General system settings:
33 #### General system settings:
34 ##### `HOSTNAME`="rpi2-jessie"
34 ##### `HOSTNAME`="rpi2-jessie"
35 Set system host name. It's recommended that the host name is unique in the corresponding subnet.
35 Set system host name. It's recommended that the host name is unique in the corresponding subnet.
36
36
37 ##### `PASSWORD`="raspberry"
37 ##### `PASSWORD`="raspberry"
38 Set system `root` password. The same password is used for the created user `pi`. It's **STRONGLY** recommended that you choose a custom password.
38 Set system `root` password. The same password is used for the created user `pi`. It's **STRONGLY** recommended that you choose a custom password.
39
39
40 ##### `DEFLOCAL`="en_US.UTF-8"
40 ##### `DEFLOCAL`="en_US.UTF-8"
41 Set default system locale. This setting can also be changed inside the running OS using the `dpkg-reconfigure locales` command. The script variant `minbase` (ENABLE_MINBASE=true) doesn't install `locales`.
41 Set default system locale. This setting can also be changed inside the running OS using the `dpkg-reconfigure locales` command. The script variant `minbase` (ENABLE_MINBASE=true) doesn't install `locales`.
42
42
43 ##### `TIMEZONE`="Europe/Berlin"
43 ##### `TIMEZONE`="Europe/Berlin"
44 Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command.
44 Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command.
45
45
46 ##### `EXPANDROOT`=true
47 Expand the root partition and filesystem automatically on first boot.
48
46 #### Keyboard settings:
49 #### Keyboard settings:
47 These options are used to configure keyboard layout in `/etc/default/keyboard` for console and Xorg. These settings can also be changed inside the running OS using the `dpkg-reconfigure keyboard-configuration` command.
50 These options are used to configure keyboard layout in `/etc/default/keyboard` for console and Xorg. These settings can also be changed inside the running OS using the `dpkg-reconfigure keyboard-configuration` command.
48 ##### `XKBMODEL`=""
51 ##### `XKBMODEL`=""
49 ##### `XKBLAYOUT`=""
52 ##### `XKBLAYOUT`=""
50 ##### `XKBVARIANT`=""
53 ##### `XKBVARIANT`=""
51 ##### `XKBOPTIONS`=""
54 ##### `XKBOPTIONS`=""
52
55
53 #### Networking settings
56 #### Networking settings
54 These settings are used to set up networking configuration in `/etc/systemd/network/eth.network`.
57 These settings are used to set up networking configuration in `/etc/systemd/network/eth.network`.
55
58
56 #####`ENABLE_DHCP`=true
59 #####`ENABLE_DHCP`=true
57 Set the system to use DHCP. When set to "true", the following `NET_*` settings (used for static configuration) are ignored.
60 Set the system to use DHCP. When set to "true", the following `NET_*` settings (used for static configuration) are ignored.
58
61
59 #####`NET_ADDRESS`=""
62 #####`NET_ADDRESS`=""
60 Set a static IPv4 or IPv6 address and its prefix, separated by "/", eg. "192.169.0.3/24".
63 Set a static IPv4 or IPv6 address and its prefix, separated by "/", eg. "192.169.0.3/24".
61
64
62 #####`NET_GATEWAY`=""
65 #####`NET_GATEWAY`=""
63 Set the IP address for the default gateway.
66 Set the IP address for the default gateway.
64
67
65 #####`NET_DNS_1`=""
68 #####`NET_DNS_1`=""
66 Set the IP address for the first DNS server.
69 Set the IP address for the first DNS server.
67
70
68 #####`NET_DNS_2`=""
71 #####`NET_DNS_2`=""
69 Set the IP address for the second DNS server.
72 Set the IP address for the second DNS server.
70
73
71 #####`NET_DNS_DOMAINS`=""
74 #####`NET_DNS_DOMAINS`=""
72 Set the default DNS search domains to use for non fully qualified host names.
75 Set the default DNS search domains to use for non fully qualified host names.
73
76
74 #####`NET_NTP_1`=""
77 #####`NET_NTP_1`=""
75 Set the IP address for the first NTP server.
78 Set the IP address for the first NTP server.
76
79
77 #####`NET_NTP_2`=""
80 #####`NET_NTP_2`=""
78 Set the IP address for the second NTP server.
81 Set the IP address for the second NTP server.
79
82
80 #### Basic system features:
83 #### Basic system features:
81 ##### `ENABLE_CONSOLE`=true
84 ##### `ENABLE_CONSOLE`=true
82 Enable serial console interface. Recommended if no monitor or keyboard is connected to the RPi2. In case of problems fe. if the network (auto) configuration failed - the serial console can be used to access the system.
85 Enable serial console interface. Recommended if no monitor or keyboard is connected to the RPi2. In case of problems fe. if the network (auto) configuration failed - the serial console can be used to access the system.
83
86
84 ##### `ENABLE_IPV6`=true
87 ##### `ENABLE_IPV6`=true
85 Enable IPv6 support. The network interface configuration is managed via systemd-networkd.
88 Enable IPv6 support. The network interface configuration is managed via systemd-networkd.
86
89
87 ##### `ENABLE_SSHD`=true
90 ##### `ENABLE_SSHD`=true
88 Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root.
91 Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root.
89
92
93 ##### `ENABLE_RSYSLOG`=true
94 If set to false, disable and uninstall rsyslog (so logs will be available only
95 in journal files)
96
90 ##### `ENABLE_SOUND`=true
97 ##### `ENABLE_SOUND`=true
91 Enable sound hardware and install Advanced Linux Sound Architecture.
98 Enable sound hardware and install Advanced Linux Sound Architecture.
92
99
93 ##### `ENABLE_HWRANDOM`=true
100 ##### `ENABLE_HWRANDOM`=true
94 Enable Hardware Random Number Generator. Strong random numbers are important for most network based communications that use encryption. It's recommended to be enabled.
101 Enable Hardware Random Number Generator. Strong random numbers are important for most network based communications that use encryption. It's recommended to be enabled.
95
102
96 ##### `ENABLE_MINGPU`=false
103 ##### `ENABLE_MINGPU`=false
97 Minimize the amount of shared memory reserved for the GPU. It doesn't seem to be possible to fully disable the GPU.
104 Minimize the amount of shared memory reserved for the GPU. It doesn't seem to be possible to fully disable the GPU.
98
105
99 ##### `ENABLE_DBUS`=true
106 ##### `ENABLE_DBUS`=true
100 Install and enable D-Bus message bus. Please note that systemd should work without D-bus but it's recommended to be enabled.
107 Install and enable D-Bus message bus. Please note that systemd should work without D-bus but it's recommended to be enabled.
101
108
102 ##### `ENABLE_XORG`=false
109 ##### `ENABLE_XORG`=false
103 Install Xorg open-source X Window System.
110 Install Xorg open-source X Window System.
104
111
105 ##### `ENABLE_WM`=""
112 ##### `ENABLE_WM`=""
106 Install a user defined window manager for the X Window System. To make sure all X related package dependencies are getting installed `ENABLE_XORG` will automatically get enabled if `ENABLE_WM` is used. The `rpi2-gen-image.sh` script has been tested with the following list of window managers: `blackbox`, `openbox`, `fluxbox`, `jwm`, `dwm`, `xfce4`, `awesome`.
113 Install a user defined window manager for the X Window System. To make sure all X related package dependencies are getting installed `ENABLE_XORG` will automatically get enabled if `ENABLE_WM` is used. The `rpi2-gen-image.sh` script has been tested with the following list of window managers: `blackbox`, `openbox`, `fluxbox`, `jwm`, `dwm`, `xfce4`, `awesome`.
107
114
108 #### Advanced sytem features:
115 #### Advanced sytem features:
109 ##### `ENABLE_MINBASE`=false
116 ##### `ENABLE_MINBASE`=false
110 Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB.
117 Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB.
111
118
112 ##### `ENABLE_UBOOT`=false
119 ##### `ENABLE_UBOOT`=false
113 Replace default RPi2 second stage bootloader (bootcode.bin) with U-Boot bootloader. U-Boot can boot images via the network using the BOOTP/TFTP protocol.
120 Replace default RPi2 second stage bootloader (bootcode.bin) with U-Boot bootloader. U-Boot can boot images via the network using the BOOTP/TFTP protocol.
114
121
115 ##### `ENABLE_FBTURBO`=false
122 ##### `ENABLE_FBTURBO`=false
116 Install and enable the hardware accelerated Xorg video driver `fbturbo`. Please note that this driver is currently limited to hardware accelerated window moving and scrolling.
123 Install and enable the hardware accelerated Xorg video driver `fbturbo`. Please note that this driver is currently limited to hardware accelerated window moving and scrolling.
117
124
118 ##### `ENABLE_IPTABLES`=false
125 ##### `ENABLE_IPTABLES`=false
119 Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service.
126 Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service.
120
127
128 ##### `ENABLE_USER`=true
129 Create pi user with password raspberry
130
131 ##### `ENABLE_ROOT`=true
132 Set root user password so root login will be enabled
133
134 ##### `ENABLE_ROOT_SSH`=true
135 Enable password root login via SSH. May be a security risk with default
136 password, use only in trusted environments.
137
121 ##### `ENABLE_HARDNET`=false
138 ##### `ENABLE_HARDNET`=false
122 Enable IPv4/IPv6 network stack hardening settings.
139 Enable IPv4/IPv6 network stack hardening settings.
123
140
124 ## Logging of the bootstrapping process
141 ## Logging of the bootstrapping process
125 All information related to the bootstrapping process and the commands executed by the `rpi2-gen-image.sh` script can easily be saved into a logfile. The common shell command `script` can be used for this purpose:
142 All information related to the bootstrapping process and the commands executed by the `rpi2-gen-image.sh` script can easily be saved into a logfile. The common shell command `script` can be used for this purpose:
126
143
127 ```shell
144 ```shell
128 script -c 'APT_SERVER=ftp.de.debian.org ./rpi2-gen-image.sh' ./build.log
145 script -c 'APT_SERVER=ftp.de.debian.org ./rpi2-gen-image.sh' ./build.log
129 ```
146 ```
130
147
131 ## Flashing the image file
148 ## Flashing the image file
132 After the image file was successfully created by the `rpi2-gen-image.sh` script it can be copied to the microSD card that will be used by the RPi2 computer. This can be performed by using the tools `bmaptool` or `dd`. Using `bmaptool` will probably speed-up the copy process because `bmaptool` copies more wisely than `dd`.
149 After the image file was successfully created by the `rpi2-gen-image.sh` script it can be copied to the microSD card that will be used by the RPi2 computer. This can be performed by using the tools `bmaptool` or `dd`. Using `bmaptool` will probably speed-up the copy process because `bmaptool` copies more wisely than `dd`.
133
150
134 #####Flashing examples:
151 #####Flashing examples:
135 ```shell
152 ```shell
136 bmaptool copy ./images/jessie/2015-12-13-debian-jessie.img /dev/mmcblk0
153 bmaptool copy ./images/jessie/2015-12-13-debian-jessie.img /dev/mmcblk0
137 dd bs=4M if=./images/jessie/2015-12-13-debian-jessie.img of=/dev/mmcblk0
154 dd bs=4M if=./images/jessie/2015-12-13-debian-jessie.img of=/dev/mmcblk0
138 ```
155 ```
@@ -1,923 +1,691
1 #!/bin/sh
1 #!/bin/sh
2
2
3 ########################################################################
3 ########################################################################
4 # rpi2-gen-image.sh ver2a 12/2015
4 # rpi2-gen-image.sh ver2a 12/2015
5 #
5 #
6 # Advanced debian "jessie" bootstrap script for RPi2
6 # Advanced debian "jessie" bootstrap script for RPi2
7 #
7 #
8 # This program is free software; you can redistribute it and/or
8 # This program is free software; you can redistribute it and/or
9 # modify it under the terms of the GNU General Public License
9 # modify it under the terms of the GNU General Public License
10 # as published by the Free Software Foundation; either version 2
10 # as published by the Free Software Foundation; either version 2
11 # of the License, or (at your option) any later version.
11 # of the License, or (at your option) any later version.
12 #
12 #
13 # some parts based on rpi2-build-image:
13 # some parts based on rpi2-build-image:
14 # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
14 # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
15 # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
15 # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
16 ########################################################################
16 ########################################################################
17
17
18 # Clean up all temporary mount points
18 # Clean up all temporary mount points
19 cleanup (){
19 cleanup (){
20 set +x
20 set +x
21 set +e
21 set +e
22 echo "removing temporary mount points ..."
22 echo "removing temporary mount points ..."
23 umount -l $R/proc 2> /dev/null
23 umount -l $R/proc 2> /dev/null
24 umount -l $R/sys 2> /dev/null
24 umount -l $R/sys 2> /dev/null
25 umount -l $R/dev/pts 2> /dev/null
25 umount -l $R/dev/pts 2> /dev/null
26 umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
26 umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
27 umount "$BUILDDIR/mount" 2> /dev/null
27 umount "$BUILDDIR/mount" 2> /dev/null
28 losetup -d "$EXT4_LOOP" 2> /dev/null
28 losetup -d "$EXT4_LOOP" 2> /dev/null
29 losetup -d "$VFAT_LOOP" 2> /dev/null
29 losetup -d "$VFAT_LOOP" 2> /dev/null
30 trap - 0 1 2 3 6
30 trap - 0 1 2 3 6
31 }
31 }
32
32
33 # Exec command in chroot
34 chroot_exec() {
35 LANG=C LC_ALL=C chroot $R $*
36 }
37
33 set -e
38 set -e
34 set -x
39 set -x
35
40
36 # Debian release
41 # Debian release
37 RELEASE=${RELEASE:=jessie}
42 RELEASE=${RELEASE:=jessie}
43 KERNEL=${KERNEL:=3.18.0-trunk-rpi2}
38
44
39 # Build settings
45 # Build settings
40 BASEDIR=./images/${RELEASE}
46 BASEDIR=./images/${RELEASE}
41 BUILDDIR=${BASEDIR}/build
47 BUILDDIR=${BASEDIR}/build
42
48
43 # General settings
49 # General settings
44 HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
50 HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
45 PASSWORD=${PASSWORD:=raspberry}
51 PASSWORD=${PASSWORD:=raspberry}
46 DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
52 DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
47 TIMEZONE=${TIMEZONE:="Europe/Berlin"}
53 TIMEZONE=${TIMEZONE:="Europe/Berlin"}
48 XKBMODEL=${XKBMODEL:=""}
54 XKBMODEL=${XKBMODEL:=""}
49 XKBLAYOUT=${XKBLAYOUT:=""}
55 XKBLAYOUT=${XKBLAYOUT:=""}
50 XKBVARIANT=${XKBVARIANT:=""}
56 XKBVARIANT=${XKBVARIANT:=""}
51 XKBOPTIONS=${XKBOPTIONS:=""}
57 XKBOPTIONS=${XKBOPTIONS:=""}
58 EXPANDROOT=${EXPANDROOT:=true}
52
59
53 # Network settings
60 # Network settings
54 ENABLE_DHCP=${ENABLE_DHCP:=true}
61 ENABLE_DHCP=${ENABLE_DHCP:=true}
55 # NET_* settings are ignored when ENABLE_DHCP=true
62 # NET_* settings are ignored when ENABLE_DHCP=true
56 # NET_ADDRESS is an IPv4 or IPv6 address and its prefix, separated by "/"
63 # NET_ADDRESS is an IPv4 or IPv6 address and its prefix, separated by "/"
57 NET_ADDRESS=${NET_ADDRESS:=""}
64 NET_ADDRESS=${NET_ADDRESS:=""}
58 NET_GATEWAY=${NET_GATEWAY:=""}
65 NET_GATEWAY=${NET_GATEWAY:=""}
59 NET_DNS_1=${NET_DNS_1:=""}
66 NET_DNS_1=${NET_DNS_1:=""}
60 NET_DNS_2=${NET_DNS_2:=""}
67 NET_DNS_2=${NET_DNS_2:=""}
61 NET_DNS_DOMAINS=${NET_DNS_DOMAINS:=""}
68 NET_DNS_DOMAINS=${NET_DNS_DOMAINS:=""}
62 NET_NTP_1=${NET_NTP_1:=""}
69 NET_NTP_1=${NET_NTP_1:=""}
63 NET_NTP_2=${NET_NTP_2:=""}
70 NET_NTP_2=${NET_NTP_2:=""}
64
71
65 # APT settings
72 # APT settings
66 APT_PROXY=${APT_PROXY:=""}
73 APT_PROXY=${APT_PROXY:=""}
67 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
74 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
68
75
69 # Feature settings
76 # Feature settings
70 ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
77 ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
71 ENABLE_IPV6=${ENABLE_IPV6:=true}
78 ENABLE_IPV6=${ENABLE_IPV6:=true}
72 ENABLE_SSHD=${ENABLE_SSHD:=true}
79 ENABLE_SSHD=${ENABLE_SSHD:=true}
73 ENABLE_SOUND=${ENABLE_SOUND:=true}
80 ENABLE_SOUND=${ENABLE_SOUND:=true}
74 ENABLE_DBUS=${ENABLE_DBUS:=true}
81 ENABLE_DBUS=${ENABLE_DBUS:=true}
75 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
82 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
76 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
83 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
77 ENABLE_XORG=${ENABLE_XORG:=false}
84 ENABLE_XORG=${ENABLE_XORG:=false}
78 ENABLE_WM=${ENABLE_WM:=""}
85 ENABLE_WM=${ENABLE_WM:=""}
86 ENABLE_RSYSLOG=${ENABLE_RSYSLOG:=true}
87 ENABLE_USER=${ENABLE_USER:=true}
88 ENABLE_ROOT=${ENABLE_ROOT:=false}
89 ENABLE_ROOT_SSH=${ENABLE_ROOT_SSH:=false}
79
90
80 # Advanced settings
91 # Advanced settings
81 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
92 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
82 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
93 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
83 ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
94 ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
84 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
95 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
85 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
96 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
86
97
87 # Image chroot path
98 # Image chroot path
88 R=${BUILDDIR}/chroot
99 R=${BUILDDIR}/chroot
89
100
90 # Packages required for bootstrapping
101 # Packages required for bootstrapping
91 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git-core"
102 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git-core"
92
103
93 # Missing packages that need to be installed
104 # Missing packages that need to be installed
94 MISSING_PACKAGES=""
105 MISSING_PACKAGES=""
95
106
96 # Packages required in the chroot build environment
107 # Packages required in the chroot build environment
97 APT_INCLUDES=${APT_INCLUDES:=""}
108 APT_INCLUDES=${APT_INCLUDES:=""}
98 APT_INCLUDES="${APT_INCLUDES},apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo"
109 APT_INCLUDES="${APT_INCLUDES},apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo"
99
110
100 set +x
111 set +x
101
112
102 # Are we running as root?
113 # Are we running as root?
103 if [ "$(id -u)" -ne "0" ] ; then
114 if [ "$(id -u)" -ne "0" ] ; then
104 echo "this script must be executed with root privileges"
115 echo "this script must be executed with root privileges"
105 exit 1
116 exit 1
106 fi
117 fi
107
118
108 # Check if all required packages are installed
119 # Check if all required packages are installed
109 for package in $REQUIRED_PACKAGES ; do
120 for package in $REQUIRED_PACKAGES ; do
110 if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
121 if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
111 MISSING_PACKAGES="$MISSING_PACKAGES $package"
122 MISSING_PACKAGES="$MISSING_PACKAGES $package"
112 fi
123 fi
113 done
124 done
114
125
115 # Ask if missing packages should get installed right now
126 # Ask if missing packages should get installed right now
116 if [ -n "$MISSING_PACKAGES" ] ; then
127 if [ -n "$MISSING_PACKAGES" ] ; then
117 echo "the following packages needed by this script are not installed:"
128 echo "the following packages needed by this script are not installed:"
118 echo "$MISSING_PACKAGES"
129 echo "$MISSING_PACKAGES"
119
130
120 echo -n "\ndo you want to install the missing packages right now? [y/n] "
131 echo -n "\ndo you want to install the missing packages right now? [y/n] "
121 read confirm
132 read confirm
122 if [ "$confirm" != "y" ] ; then
133 if [ "$confirm" != "y" ] ; then
123 exit 1
134 exit 1
124 fi
135 fi
125 fi
136 fi
126
137
127 # Make sure all required packages are installed
138 # Make sure all required packages are installed
128 apt-get -qq -y install ${REQUIRED_PACKAGES}
139 apt-get -qq -y install ${REQUIRED_PACKAGES}
129
140
130 # Don't clobber an old build
141 # Don't clobber an old build
131 if [ -e "$BUILDDIR" ]; then
142 if [ -e "$BUILDDIR" ]; then
132 echo "directory $BUILDDIR already exists, not proceeding"
143 echo "directory $BUILDDIR already exists, not proceeding"
133 exit 1
144 exit 1
134 fi
145 fi
135
146
136 set -x
147 set -x
137
148
138 # Call "cleanup" function on various signals and errors
149 # Call "cleanup" function on various signals and errors
139 trap cleanup 0 1 2 3 6
150 trap cleanup 0 1 2 3 6
140
151
141 # Set up chroot directory
152 # Set up chroot directory
142 mkdir -p $R
153 mkdir -p $R
143
154
144 # Add required packages for the minbase installation
155 # Add required packages for the minbase installation
145 if [ "$ENABLE_MINBASE" = true ] ; then
156 if [ "$ENABLE_MINBASE" = true ] ; then
146 APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools"
157 APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools"
147 else
158 else
148 APT_INCLUDES="${APT_INCLUDES},locales,keyboard-configuration,console-setup"
159 APT_INCLUDES="${APT_INCLUDES},locales,keyboard-configuration,console-setup"
149 fi
160 fi
150
161
162 # Add parted package, required to get partprobe utility
163 if [ "$EXPANDROOT" = true ] ; then
164 APT_INCLUDES="${APT_INCLUDES},parted"
165 fi
166
151 # Add dbus package, recommended if using systemd
167 # Add dbus package, recommended if using systemd
152 if [ "$ENABLE_DBUS" = true ] ; then
168 if [ "$ENABLE_DBUS" = true ] ; then
153 APT_INCLUDES="${APT_INCLUDES},dbus"
169 APT_INCLUDES="${APT_INCLUDES},dbus"
154 fi
170 fi
155
171
156 # Add iptables IPv4/IPv6 package
172 # Add iptables IPv4/IPv6 package
157 if [ "$ENABLE_IPTABLES" = true ] ; then
173 if [ "$ENABLE_IPTABLES" = true ] ; then
158 APT_INCLUDES="${APT_INCLUDES},iptables"
174 APT_INCLUDES="${APT_INCLUDES},iptables"
159 fi
175 fi
160
176
161 # Add openssh server package
177 # Add openssh server package
162 if [ "$ENABLE_SSHD" = true ] ; then
178 if [ "$ENABLE_SSHD" = true ] ; then
163 APT_INCLUDES="${APT_INCLUDES},openssh-server"
179 APT_INCLUDES="${APT_INCLUDES},openssh-server"
164 fi
180 fi
165
181
166 # Add alsa-utils package
182 # Add alsa-utils package
167 if [ "$ENABLE_SOUND" = true ] ; then
183 if [ "$ENABLE_SOUND" = true ] ; then
168 APT_INCLUDES="${APT_INCLUDES},alsa-utils"
184 APT_INCLUDES="${APT_INCLUDES},alsa-utils"
169 fi
185 fi
170
186
171 # Add rng-tools package
187 # Add rng-tools package
172 if [ "$ENABLE_HWRANDOM" = true ] ; then
188 if [ "$ENABLE_HWRANDOM" = true ] ; then
173 APT_INCLUDES="${APT_INCLUDES},rng-tools"
189 APT_INCLUDES="${APT_INCLUDES},rng-tools"
174 fi
190 fi
175
191
192 if [ "$ENABLE_USER" = true ]; then
193 APT_INCLUDES="${APT_INCLUDES},sudo"
194 fi
195
176 # Add fbturbo video driver
196 # Add fbturbo video driver
177 if [ "$ENABLE_FBTURBO" = true ] ; then
197 if [ "$ENABLE_FBTURBO" = true ] ; then
178 # Enable xorg package dependencies
198 # Enable xorg package dependencies
179 ENABLE_XORG=true
199 ENABLE_XORG=true
180 fi
200 fi
181
201
182 # Add user defined window manager package
202 # Add user defined window manager package
183 if [ -n "$ENABLE_WM" ] ; then
203 if [ -n "$ENABLE_WM" ] ; then
184 APT_INCLUDES="${APT_INCLUDES},${ENABLE_WM}"
204 APT_INCLUDES="${APT_INCLUDES},${ENABLE_WM}"
185
205
186 # Enable xorg package dependencies
206 # Enable xorg package dependencies
187 ENABLE_XORG=true
207 ENABLE_XORG=true
188 fi
208 fi
189
209
190 # Add xorg package
210 # Add xorg package
191 if [ "$ENABLE_XORG" = true ] ; then
211 if [ "$ENABLE_XORG" = true ] ; then
192 APT_INCLUDES="${APT_INCLUDES},xorg"
212 APT_INCLUDES="${APT_INCLUDES},xorg"
193 fi
213 fi
194
214
195 # Base debootstrap (unpack only)
215 # Base debootstrap (unpack only)
196 if [ "$ENABLE_MINBASE" = true ] ; then
216 if [ "$ENABLE_MINBASE" = true ] ; then
197 http_proxy=${APT_PROXY} debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
217 http_proxy=${APT_PROXY} debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
198 else
218 else
199 http_proxy=${APT_PROXY} debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
219 http_proxy=${APT_PROXY} debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
200 fi
220 fi
201
221
202 # Copy qemu emulator binary to chroot
222 # Copy qemu emulator binary to chroot
203 cp /usr/bin/qemu-arm-static $R/usr/bin
223 cp /usr/bin/qemu-arm-static $R/usr/bin
204
224
205 # Copy debian-archive-keyring.pgp
225 # Copy debian-archive-keyring.pgp
206 chroot $R mkdir -p /usr/share/keyrings
226 chroot $R mkdir -p /usr/share/keyrings
207 cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
227 cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
208
228
209 # Complete the bootstrapping process
229 # Complete the bootstrapping process
210 chroot $R /debootstrap/debootstrap --second-stage
230 chroot $R /debootstrap/debootstrap --second-stage
211
231
212 # Mount required filesystems
232 # Mount required filesystems
213 mount -t proc none $R/proc
233 mount -t proc none $R/proc
214 mount -t sysfs none $R/sys
234 mount -t sysfs none $R/sys
215 mount --bind /dev/pts $R/dev/pts
235 mount --bind /dev/pts $R/dev/pts
216
236
217 # Use proxy inside chroot
237 # Use proxy inside chroot
218 if [ -z "$APT_PROXY" ] ; then
238 if [ -z "$APT_PROXY" ] ; then
219 echo "Acquire::http::Proxy \"$APT_PROXY\";" >> $R/etc/apt/apt.conf.d/10proxy
239 echo "Acquire::http::Proxy \"$APT_PROXY\";" >> $R/etc/apt/apt.conf.d/10proxy
220 fi
240 fi
221
241
222 # Pin package flash-kernel to repositories.collabora.co.uk
242 # Pin package flash-kernel to repositories.collabora.co.uk
223 cat <<EOM >$R/etc/apt/preferences.d/flash-kernel
243 cat <<EOM >$R/etc/apt/preferences.d/flash-kernel
224 Package: flash-kernel
244 Package: flash-kernel
225 Pin: origin repositories.collabora.co.uk
245 Pin: origin repositories.collabora.co.uk
226 Pin-Priority: 1000
246 Pin-Priority: 1000
227 EOM
247 EOM
228
248
229 # Set up timezone
249 # Set up timezone
230 echo ${TIMEZONE} >$R/etc/timezone
250 echo ${TIMEZONE} >$R/etc/timezone
231 LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata
251 chroot_exec dpkg-reconfigure -f noninteractive tzdata
232
252
233 # Upgrade collabora package index and install collabora keyring
253 # Upgrade collabora package index and install collabora keyring
234 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
254 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
235 LANG=C chroot $R apt-get -qq -y update
255 chroot_exec apt-get -qq -y update
236 LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring
256 chroot_exec apt-get -qq -y --force-yes install collabora-obs-archive-keyring
237
257
238 # Set up initial sources.list
258 # Set up initial sources.list
239 cat <<EOM >$R/etc/apt/sources.list
259 cat <<EOM >$R/etc/apt/sources.list
240 deb http://${APT_SERVER}/debian ${RELEASE} main contrib
260 deb http://${APT_SERVER}/debian ${RELEASE} main contrib
241 #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib
261 #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib
242
262
243 deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
263 deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
244 #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
264 #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
245
265
246 deb http://security.debian.org/ ${RELEASE}/updates main contrib
266 deb http://security.debian.org/ ${RELEASE}/updates main contrib
247 #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib
267 #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib
248
268
249 deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
269 deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
250 EOM
270 EOM
251
271
252 # Upgrade package index and update all installed packages and changed dependencies
272 # Upgrade package index and update all installed packages and changed dependencies
253 LANG=C chroot $R apt-get -qq -y update
273 chroot_exec apt-get -qq -y update
254 LANG=C chroot $R apt-get -qq -y -u dist-upgrade
274 chroot_exec apt-get -qq -y -u dist-upgrade
255
275
256 # Set up default locale and keyboard configuration
276 # Set up default locale and keyboard configuration
257 if [ "$ENABLE_MINBASE" = false ] ; then
277 if [ "$ENABLE_MINBASE" = false ] ; then
258 # Set locale choice in debconf db, even though dpkg-reconfigure ignores and overwrites them due to some bug
278 # Set locale choice in debconf db, even though dpkg-reconfigure ignores and overwrites them due to some bug
259 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684134 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685957
279 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684134 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685957
260 # ... so we have to set locales manually
280 # ... so we have to set locales manually
261 if [ "$DEFLOCAL" = "en_US.UTF-8" ] ; then
281 if [ "$DEFLOCAL" = "en_US.UTF-8" ] ; then
262 LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections
282 chroot_exec echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections
263 else
283 else
264 # en_US.UTF-8 should be available anyway : https://www.debian.org/doc/manuals/debian-reference/ch08.en.html#_the_reconfiguration_of_the_locale
284 # en_US.UTF-8 should be available anyway : https://www.debian.org/doc/manuals/debian-reference/ch08.en.html#_the_reconfiguration_of_the_locale
265 LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections
285 chroot_exec echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections
266 LANG=C chroot $R sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen
286 chroot_exec sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen
267 fi
287 fi
268 LANG=C chroot $R sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen
288 chroot_exec sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen
269 LANG=C chroot $R echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections
289 chroot_exec echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections
270 LANG=C chroot $R locale-gen
290 chroot_exec locale-gen
271 LANG=C chroot $R update-locale LANG=${DEFLOCAL}
291 chroot_exec update-locale LANG=${DEFLOCAL}
272
292
273 # Keyboard configuration, if requested
293 # Keyboard configuration, if requested
274 if [ "$XKBMODEL" != "" ] ; then
294 if [ "$XKBMODEL" != "" ] ; then
275 LANG=C chroot $R sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKBMODEL}\"/" /etc/default/keyboard
295 chroot_exec sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKBMODEL}\"/" /etc/default/keyboard
276 fi
296 fi
277 if [ "$XKBLAYOUT" != "" ] ; then
297 if [ "$XKBLAYOUT" != "" ] ; then
278 LANG=C chroot $R sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKBLAYOUT}\"/" /etc/default/keyboard
298 chroot_exec sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKBLAYOUT}\"/" /etc/default/keyboard
279 fi
299 fi
280 if [ "$XKBVARIANT" != "" ] ; then
300 if [ "$XKBVARIANT" != "" ] ; then
281 LANG=C chroot $R sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKBVARIANT}\"/" /etc/default/keyboard
301 chroot_exec sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKBVARIANT}\"/" /etc/default/keyboard
282 fi
302 fi
283 if [ "$XKBOPTIONS" != "" ] ; then
303 if [ "$XKBOPTIONS" != "" ] ; then
284 LANG=C chroot $R sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKBOPTIONS}\"/" /etc/default/keyboard
304 chroot_exec sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKBOPTIONS}\"/" /etc/default/keyboard
285 fi
305 fi
286 LANG=C chroot $R dpkg-reconfigure -f noninteractive keyboard-configuration
306 chroot_exec dpkg-reconfigure -f noninteractive keyboard-configuration
287 # Set up font console
307 # Set up font console
288 case "${DEFLOCAL}" in
308 case "${DEFLOCAL}" in
289 *UTF-8)
309 *UTF-8)
290 LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' /etc/default/console-setup
310 chroot_exec sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' /etc/default/console-setup
291 ;;
311 ;;
292 *)
312 *)
293 LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="guess"/' /etc/default/console-setup
313 chroot_exec sed -i 's/^CHARMAP.*/CHARMAP="guess"/' /etc/default/console-setup
294 ;;
314 ;;
295 esac
315 esac
296 LANG=C chroot $R dpkg-reconfigure -f noninteractive console-setup
316 chroot_exec dpkg-reconfigure -f noninteractive console-setup
297 fi
317 fi
298
318
299 # Kernel installation
319 # Kernel installation
300 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
320 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
301 LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2
321 chroot_exec apt-get -qq -y --no-install-recommends install linux-image-${KERNEL} raspberrypi-bootloader-nokernel
302 LANG=C chroot $R apt-get -qq -y install flash-kernel
322 chroot_exec apt-get -qq -y install flash-kernel
303
323
304 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
324 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
305 [ -z "$VMLINUZ" ] && exit 1
325 [ -z "$VMLINUZ" ] && exit 1
306 mkdir -p $R/boot/firmware
307
308 # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")
309 wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin
310 wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat
311 wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat
312 wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat
313 wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf
314 wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf
315 wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf
316 cp $VMLINUZ $R/boot/firmware/kernel7.img
326 cp $VMLINUZ $R/boot/firmware/kernel7.img
317
327
318 # Set up IPv4 hosts
328 # Set up IPv4 hosts
319 echo ${HOSTNAME} >$R/etc/hostname
329 echo ${HOSTNAME} >$R/etc/hostname
320 cat <<EOM >$R/etc/hosts
330 cat <<EOM >$R/etc/hosts
321 127.0.0.1 localhost
331 127.0.0.1 localhost
322 127.0.1.1 ${HOSTNAME}
332 127.0.1.1 ${HOSTNAME}
323 EOM
333 EOM
324 if [ "$NET_ADDRESS" != "" ] ; then
334 if [ "$NET_ADDRESS" != "" ] ; then
325 NET_IP=$(echo ${NET_ADDRESS} | cut -f 1 -d'/')
335 NET_IP=$(echo ${NET_ADDRESS} | cut -f 1 -d'/')
326 sed -i "s/^127.0.1.1/${NET_IP}/" $R/etc/hosts
336 sed -i "s/^127.0.1.1/${NET_IP}/" $R/etc/hosts
327 fi
337 fi
328
338
329 # Set up IPv6 hosts
339 # Set up IPv6 hosts
330 if [ "$ENABLE_IPV6" = true ] ; then
340 if [ "$ENABLE_IPV6" = true ] ; then
331 cat <<EOM >>$R/etc/hosts
341 cat <<EOM >>$R/etc/hosts
332
342
333 ::1 localhost ip6-localhost ip6-loopback
343 ::1 localhost ip6-localhost ip6-loopback
334 ff02::1 ip6-allnodes
344 ff02::1 ip6-allnodes
335 ff02::2 ip6-allrouters
345 ff02::2 ip6-allrouters
336 EOM
346 EOM
337 fi
347 fi
338
348
339 # Place hint about network configuration
349 # Place hint about network configuration
340 cat <<EOM >$R/etc/network/interfaces
350 cat <<EOM >$R/etc/network/interfaces
341 # Debian switched to systemd-networkd configuration files.
351 # Debian switched to systemd-networkd configuration files.
342 # please configure your networks in '/etc/systemd/network/'
352 # please configure your networks in '/etc/systemd/network/'
343 EOM
353 EOM
344
354
345 if [ "$ENABLE_DHCP" = true ] ; then
355 if [ "$ENABLE_DHCP" = true ] ; then
346 # Enable systemd-networkd DHCP configuration for interface eth0
356 # Enable systemd-networkd DHCP configuration for interface eth0
347 cat <<EOM >$R/etc/systemd/network/eth.network
357 cat <<EOM >$R/etc/systemd/network/eth.network
348 [Match]
358 [Match]
349 Name=eth0
359 Name=eth0
350
360
351 [Network]
361 [Network]
352 DHCP=yes
362 DHCP=yes
353 EOM
363 EOM
354
364
355 # Set DHCP configuration to IPv4 only
365 # Set DHCP configuration to IPv4 only
356 if [ "$ENABLE_IPV6" = false ] ; then
366 if [ "$ENABLE_IPV6" = false ] ; then
357 sed -i "s/^DHCP=yes/DHCP=v4/" $R/etc/systemd/network/eth.network
367 sed -i "s/^DHCP=yes/DHCP=v4/" $R/etc/systemd/network/eth.network
358 fi
368 fi
359 else # ENABLE_DHCP=false
369 else # ENABLE_DHCP=false
360 cat <<EOM >$R/etc/systemd/network/eth.network
370 cat <<EOM >$R/etc/systemd/network/eth.network
361 [Match]
371 [Match]
362 Name=eth0
372 Name=eth0
363
373
364 [Network]
374 [Network]
365 DHCP=no
375 DHCP=no
366 Address=${NET_ADDRESS}
376 Address=${NET_ADDRESS}
367 Gateway=${NET_GATEWAY}
377 Gateway=${NET_GATEWAY}
368 DNS=${NET_DNS_1}
378 DNS=${NET_DNS_1}
369 DNS=${NET_DNS_2}
379 DNS=${NET_DNS_2}
370 Domains=${NET_DNS_DOMAINS}
380 Domains=${NET_DNS_DOMAINS}
371 NTP=${NET_NTP_1}
381 NTP=${NET_NTP_1}
372 NTP=${NET_NTP_2}
382 NTP=${NET_NTP_2}
373 EOM
383 EOM
374 fi
384 fi
375
385
376 # Enable systemd-networkd service
386 # Enable systemd-networkd service
377 LANG=C chroot $R systemctl enable systemd-networkd
387 chroot_exec systemctl enable systemd-networkd
378
388
379 # Generate crypt(3) password string
389 # Generate crypt(3) password string
380 ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
390 ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
381
391
382 # Set up default user
392 # Set up default user
383 LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi
393 if [ "$ENABLE_USER" = true ] ; then
384 LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
394 chroot_exec adduser --gecos pi --add_extra_groups --disabled-password pi
395 chroot_exec usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
396 fi
397
398 # Set up root password or not
399 if [ "$ENABLE_ROOT" = true ]; then
400 chroot_exec usermod -p "${ENCRYPTED_PASSWORD}" root
385
401
386 # Set up root password
402 if [ "$ENABLE_ROOT_SSH" = true ]; then
387 LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root
403 sed -i 's|[#]*PermitRootLogin.*|PermitRootLogin yes|g' $R/etc/ssh/sshd_config
404 fi
405 else
406 chroot_exec usermod -p \'!\' root
407 fi
388
408
389 # Set up firmware boot cmdline
409 # Set up firmware boot cmdline
390 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
410 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
391
411
392 # Set up serial console support (if requested)
412 # Set up serial console support (if requested)
393 if [ "$ENABLE_CONSOLE" = true ] ; then
413 if [ "$ENABLE_CONSOLE" = true ] ; then
394 CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
414 CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
395 fi
415 fi
396
416
397 # Set up IPv6 networking support
417 # Set up IPv6 networking support
398 if [ "$ENABLE_IPV6" = false ] ; then
418 if [ "$ENABLE_IPV6" = false ] ; then
399 CMDLINE="${CMDLINE} ipv6.disable=1"
419 CMDLINE="${CMDLINE} ipv6.disable=1"
400 fi
420 fi
401
421
402 echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
422 echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
403
423
404 # Set up firmware config
424 # Set up firmware config
405 cat <<EOM >$R/boot/firmware/config.txt
425 install -o root -g root -m 644 files/config.txt $R/boot/firmware/config.txt
406 # For more options and information see
407 # http://www.raspberrypi.org/documentation/configuration/config-txt.md
408 # Some settings may impact device functionality. See link above for details
409
410 # uncomment if you get no picture on HDMI for a default "safe" mode
411 #hdmi_safe=1
412
413 # uncomment this if your display has a black border of unused pixels visible
414 # and your display can output without overscan
415 #disable_overscan=1
416
417 # uncomment the following to adjust overscan. Use positive numbers if console
418 # goes off screen, and negative if there is too much border
419 #overscan_left=16
420 #overscan_right=16
421 #overscan_top=16
422 #overscan_bottom=16
423
424 # uncomment to force a console size. By default it will be display's size minus
425 # overscan.
426 #framebuffer_width=1280
427 #framebuffer_height=720
428
429 # uncomment if hdmi display is not detected and composite is being output
430 #hdmi_force_hotplug=1
431
432 # uncomment to force a specific HDMI mode (this will force VGA)
433 #hdmi_group=1
434 #hdmi_mode=1
435
436 # uncomment to force a HDMI mode rather than DVI. This can make audio work in
437 # DMT (computer monitor) modes
438 #hdmi_drive=2
439
440 # uncomment to increase signal to HDMI, if you have interference, blanking, or
441 # no display
442 #config_hdmi_boost=4
443
444 # uncomment for composite PAL
445 #sdtv_mode=2
446
447 # uncomment to overclock the arm. 700 MHz is the default.
448 #arm_freq=800
449 EOM
450
426
451 # Load snd_bcm2835 kernel module at boot time
427 # Load snd_bcm2835 kernel module at boot time
452 if [ "$ENABLE_SOUND" = true ] ; then
428 if [ "$ENABLE_SOUND" = true ] ; then
453 echo "snd_bcm2835" >>$R/etc/modules
429 echo "snd_bcm2835" >>$R/etc/modules
454 fi
430 fi
455
431
456 # Set smallest possible GPU memory allocation size: 16MB (no X)
432 # Set smallest possible GPU memory allocation size: 16MB (no X)
457 if [ "$ENABLE_MINGPU" = true ] ; then
433 if [ "$ENABLE_MINGPU" = true ] ; then
458 echo "gpu_mem=16" >>$R/boot/firmware/config.txt
434 echo "gpu_mem=16" >>$R/boot/firmware/config.txt
459 fi
435 fi
460
436
461 # Create symlinks
437 # Create symlinks
462 ln -sf firmware/config.txt $R/boot/config.txt
438 ln -sf firmware/config.txt $R/boot/config.txt
463 ln -sf firmware/cmdline.txt $R/boot/cmdline.txt
439 ln -sf firmware/cmdline.txt $R/boot/cmdline.txt
464
440
465 # Prepare modules-load.d directory
441 # Prepare modules-load.d directory
466 mkdir -p $R/lib/modules-load.d/
442 mkdir -p $R/lib/modules-load.d/
467
443
468 # Load random module on boot
444 # Load random module on boot
469 if [ "$ENABLE_HWRANDOM" = true ] ; then
445 if [ "$ENABLE_HWRANDOM" = true ] ; then
470 cat <<EOM >$R/lib/modules-load.d/rpi2.conf
446 cat <<EOM >$R/lib/modules-load.d/rpi2.conf
471 bcm2708_rng
447 bcm2708_rng
472 EOM
448 EOM
473 fi
449 fi
474
450
475 # Prepare modprobe.d directory
451 # Prepare modprobe.d directory
476 mkdir -p $R/etc/modprobe.d/
452 mkdir -p $R/etc/modprobe.d/
477
453
478 # Blacklist sound modules
454 # Blacklist sound modules
479 cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf
455 install -o root -g root -m 644 files/modprobe.d/raspi-blacklist.conf $R/etc/modprobe.d/raspi-blacklist.conf
480 blacklist snd_soc_core
481 blacklist snd_pcm
482 blacklist snd_pcm_dmaengine
483 blacklist snd_timer
484 blacklist snd_compress
485 blacklist snd_soc_pcm512x_i2c
486 blacklist snd_soc_pcm512x
487 blacklist snd_soc_tas5713
488 blacklist snd_soc_wm8804
489 EOM
490
456
491 # Create default fstab
457 # Create default fstab
492 cat <<EOM >$R/etc/fstab
458 install -o root -g root -m 644 files/fstab $R/etc/fstab
493 /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
494 /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
495 EOM
496
497 # Avoid swapping and increase cache sizes
498 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
499
459
500 # Avoid swapping and increase cache sizes
460 # Avoid swapping and increase cache sizes
501 vm.swappiness=1
461 install -o root -g root -m 644 files/sysctl.d/81-rpi-vm.conf $R/etc/sysctl.d/81-rpi-vm.conf
502 vm.dirty_background_ratio=20
503 vm.dirty_ratio=40
504 vm.dirty_writeback_centisecs=500
505 vm.dirty_expire_centisecs=6000
506 EOM
507
462
508 # Enable network stack hardening
463 # Enable network stack hardening
509 if [ "$ENABLE_HARDNET" = true ] ; then
464 if [ "$ENABLE_HARDNET" = true ] ; then
510 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
465 install -o root -g root -m 644 files/sysctl.d/81-rpi-net-hardening.conf $R/etc/sysctl.d/81-rpi-net-hardening.conf
511
512 # Enable network stack hardening
513 net.ipv4.tcp_timestamps=0
514 net.ipv4.tcp_syncookies=1
515 net.ipv4.conf.all.rp_filter=1
516 net.ipv4.conf.all.accept_redirects=0
517 net.ipv4.conf.all.send_redirects=0
518 net.ipv4.conf.all.accept_source_route=0
519 net.ipv4.conf.default.rp_filter=1
520 net.ipv4.conf.default.accept_redirects=0
521 net.ipv4.conf.default.send_redirects=0
522 net.ipv4.conf.default.accept_source_route=0
523 net.ipv4.conf.lo.accept_redirects=0
524 net.ipv4.conf.lo.send_redirects=0
525 net.ipv4.conf.lo.accept_source_route=0
526 net.ipv4.conf.eth0.accept_redirects=0
527 net.ipv4.conf.eth0.send_redirects=0
528 net.ipv4.conf.eth0.accept_source_route=0
529 net.ipv4.icmp_echo_ignore_broadcasts=1
530 net.ipv4.icmp_ignore_bogus_error_responses=1
531
532 net.ipv6.conf.all.accept_redirects=0
533 net.ipv6.conf.all.accept_source_route=0
534 net.ipv6.conf.all.router_solicitations=0
535 net.ipv6.conf.all.accept_ra_rtr_pref=0
536 net.ipv6.conf.all.accept_ra_pinfo=0
537 net.ipv6.conf.all.accept_ra_defrtr=0
538 net.ipv6.conf.all.autoconf=0
539 net.ipv6.conf.all.dad_transmits=0
540 net.ipv6.conf.all.max_addresses=1
541
542 net.ipv6.conf.default.accept_redirects=0
543 net.ipv6.conf.default.accept_source_route=0
544 net.ipv6.conf.default.router_solicitations=0
545 net.ipv6.conf.default.accept_ra_rtr_pref=0
546 net.ipv6.conf.default.accept_ra_pinfo=0
547 net.ipv6.conf.default.accept_ra_defrtr=0
548 net.ipv6.conf.default.autoconf=0
549 net.ipv6.conf.default.dad_transmits=0
550 net.ipv6.conf.default.max_addresses=1
551
552 net.ipv6.conf.lo.accept_redirects=0
553 net.ipv6.conf.lo.accept_source_route=0
554 net.ipv6.conf.lo.router_solicitations=0
555 net.ipv6.conf.lo.accept_ra_rtr_pref=0
556 net.ipv6.conf.lo.accept_ra_pinfo=0
557 net.ipv6.conf.lo.accept_ra_defrtr=0
558 net.ipv6.conf.lo.autoconf=0
559 net.ipv6.conf.lo.dad_transmits=0
560 net.ipv6.conf.lo.max_addresses=1
561
562 net.ipv6.conf.eth0.accept_redirects=0
563 net.ipv6.conf.eth0.accept_source_route=0
564 net.ipv6.conf.eth0.router_solicitations=0
565 net.ipv6.conf.eth0.accept_ra_rtr_pref=0
566 net.ipv6.conf.eth0.accept_ra_pinfo=0
567 net.ipv6.conf.eth0.accept_ra_defrtr=0
568 net.ipv6.conf.eth0.autoconf=0
569 net.ipv6.conf.eth0.dad_transmits=0
570 net.ipv6.conf.eth0.max_addresses=1
571 EOM
572
466
573 # Enable resolver warnings about spoofed addresses
467 # Enable resolver warnings about spoofed addresses
574 cat <<EOM >>$R/etc/host.conf
468 cat <<EOM >>$R/etc/host.conf
575 spoof warn
469 spoof warn
576 EOM
470 EOM
577 fi
471 fi
578
472
579 # Regenerate openssh server host keys
473 # First boot actions
474 cat files/firstboot/10-begin.sh > $R/etc/rc.firstboot
475
476 # Ensure openssh server host keys are regenerated on first boot
580 if [ "$ENABLE_SSHD" = true ] ; then
477 if [ "$ENABLE_SSHD" = true ] ; then
581 rm -fr $R/etc/ssh/ssh_host_*
478 cat files/firstboot/21-generate-ssh-keys.sh >> $R/etc/rc.firstboot
582 LANG=C chroot $R dpkg-reconfigure openssh-server
479 rm -f $R/etc/ssh/ssh_host_*
480 fi
481
482 if [ "$EXPANDROOT" = true ] ; then
483 cat files/firstboot/22-expandroot.sh >> $R/etc/rc.firstboot
484 fi
485
486 cat files/firstboot/99-finish.sh >> $R/etc/rc.firstboot
487 chmod +x $R/etc/rc.firstboot
488
489 sed -i '/exit 0/d' $R/etc/rc.local
490 echo /etc/rc.firstboot >> $R/etc/rc.local
491 echo exit 0 >> $R/etc/rc.local
492
493 # Disable rsyslog
494 if [ "$ENABLE_RSYSLOG" = false ]; then
495 sed -i 's|[#]*ForwardToSyslog=yes|ForwardToSyslog=no|g' $R/etc/systemd/journald.conf
496 chroot_exec systemctl disable rsyslog
497 chroot_exec apt-get purge -q -y --force-yes rsyslog
583 fi
498 fi
584
499
585 # Enable serial console systemd style
500 # Enable serial console systemd style
586 if [ "$ENABLE_CONSOLE" = true ] ; then
501 if [ "$ENABLE_CONSOLE" = true ] ; then
587 LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service
502 chroot_exec systemctl enable serial-getty\@ttyAMA0.service
588 fi
503 fi
589
504
590 # Enable firewall based on iptables started by systemd service
505 # Enable firewall based on iptables started by systemd service
591 if [ "$ENABLE_IPTABLES" = true ] ; then
506 if [ "$ENABLE_IPTABLES" = true ] ; then
592 # Create iptables configuration directory
507 # Create iptables configuration directory
593 mkdir -p "$R/etc/iptables"
508 mkdir -p "$R/etc/iptables"
594
509
595 # Create iptables systemd service
510 # Create iptables systemd service
596 cat <<EOM >$R/etc/systemd/system/iptables.service
511 install -o root -g root -m 644 files/iptables/iptables.service $R/etc/systemd/system/iptables.service
597 [Unit]
598 Description=Packet Filtering Framework
599 DefaultDependencies=no
600 After=systemd-sysctl.service
601 Before=sysinit.target
602 [Service]
603 Type=oneshot
604 ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
605 ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
606 ExecStop=/etc/iptables/flush-iptables.sh
607 RemainAfterExit=yes
608 [Install]
609 WantedBy=multi-user.target
610 EOM
611
512
612 # Create flush-table script called by iptables service
513 # Create flush-table script called by iptables service
613 cat <<EOM >$R/etc/iptables/flush-iptables.sh
514 install -o root -g root -m 755 files/iptables/flush-iptables.sh $R/etc/iptables/flush-iptables.sh
614 #!/bin/sh
615 iptables -F
616 iptables -X
617 iptables -t nat -F
618 iptables -t nat -X
619 iptables -t mangle -F
620 iptables -t mangle -X
621 iptables -P INPUT ACCEPT
622 iptables -P FORWARD ACCEPT
623 iptables -P OUTPUT ACCEPT
624 EOM
625
515
626 # Create iptables rule file
516 # Create iptables rule file
627 cat <<EOM >$R/etc/iptables/iptables.rules
517 install -o root -g root -m 644 files/iptables/iptables.rules $R/etc/iptables/iptables.rules
628 *filter
629 :INPUT DROP [0:0]
630 :FORWARD DROP [0:0]
631 :OUTPUT ACCEPT [0:0]
632 :TCP - [0:0]
633 :UDP - [0:0]
634 :SSH - [0:0]
635
636 # Rate limit ping requests
637 -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
638 -A INPUT -p icmp --icmp-type echo-request -j DROP
639
640 # Accept established connections
641 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
642
643 # Accept all traffic on loopback interface
644 -A INPUT -i lo -j ACCEPT
645
646 # Drop packets declared invalid
647 -A INPUT -m conntrack --ctstate INVALID -j DROP
648
649 # SSH rate limiting
650 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
651 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
652 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
653 -A SSH -m recent --name sshbf --set -j ACCEPT
654
655 # Send TCP and UDP connections to their respective rules chain
656 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
657 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
658
659 # Reject dropped packets with a RFC compliant responce
660 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
661 -A INPUT -p tcp -j REJECT --reject-with tcp-rst
662 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
663
664 ## TCP PORT RULES
665 # -A TCP -p tcp -j LOG
666
667 ## UDP PORT RULES
668 # -A UDP -p udp -j LOG
669
670 COMMIT
671 EOM
672
518
673 # Reload systemd configuration and enable iptables service
519 # Reload systemd configuration and enable iptables service
674 LANG=C chroot $R systemctl daemon-reload
520 chroot_exec systemctl daemon-reload
675 LANG=C chroot $R systemctl enable iptables.service
521 chroot_exec systemctl enable iptables.service
676
522
677 if [ "$ENABLE_IPV6" = true ] ; then
523 if [ "$ENABLE_IPV6" = true ] ; then
678 # Create ip6tables systemd service
524 # Create ip6tables systemd service
679 cat <<EOM >$R/etc/systemd/system/ip6tables.service
525 install -o root -g root -m 644 files/iptables/ip6tables.service $R/etc/systemd/system/ip6tables.service
680 [Unit]
681 Description=Packet Filtering Framework
682 DefaultDependencies=no
683 After=systemd-sysctl.service
684 Before=sysinit.target
685 [Service]
686 Type=oneshot
687 ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
688 ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
689 ExecStop=/etc/iptables/flush-ip6tables.sh
690 RemainAfterExit=yes
691 [Install]
692 WantedBy=multi-user.target
693 EOM
694
526
695 # Create ip6tables file
527 # Create ip6tables file
696 cat <<EOM >$R/etc/iptables/flush-ip6tables.sh
528 install -o root -g root -m 755 files/iptables/flush-ip6tables.sh $R/etc/iptables/flush-ip6tables.sh
697 #!/bin/sh
698 ip6tables -F
699 ip6tables -X
700 ip6tables -Z
701 for table in $(</proc/net/ip6_tables_names)
702 do
703 ip6tables -t \$table -F
704 ip6tables -t \$table -X
705 ip6tables -t \$table -Z
706 done
707 ip6tables -P INPUT ACCEPT
708 ip6tables -P OUTPUT ACCEPT
709 ip6tables -P FORWARD ACCEPT
710 EOM
711
712 # Create ip6tables rule file
713 cat <<EOM >$R/etc/iptables/ip6tables.rules
714 *filter
715 :INPUT DROP [0:0]
716 :FORWARD DROP [0:0]
717 :OUTPUT ACCEPT [0:0]
718 :TCP - [0:0]
719 :UDP - [0:0]
720 :SSH - [0:0]
721
529
722 # Drop packets with RH0 headers
530 install -o root -g root -m 644 files/iptables/ip6tables.rules $R/etc/iptables/ip6tables.rules
723 -A INPUT -m rt --rt-type 0 -j DROP
724 -A OUTPUT -m rt --rt-type 0 -j DROP
725 -A FORWARD -m rt --rt-type 0 -j DROP
726
727 # Rate limit ping requests
728 -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
729 -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
730
731 # Accept established connections
732 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
733
734 # Accept all traffic on loopback interface
735 -A INPUT -i lo -j ACCEPT
736
737 # Drop packets declared invalid
738 -A INPUT -m conntrack --ctstate INVALID -j DROP
739
740 # SSH rate limiting
741 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
742 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
743 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
744 -A SSH -m recent --name sshbf --set -j ACCEPT
745
746 # Send TCP and UDP connections to their respective rules chain
747 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
748 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
749
750 # Reject dropped packets with a RFC compliant responce
751 -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
752 -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
753 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
754
755 ## TCP PORT RULES
756 # -A TCP -p tcp -j LOG
757
758 ## UDP PORT RULES
759 # -A UDP -p udp -j LOG
760
761 COMMIT
762 EOM
763
531
764 # Reload systemd configuration and enable iptables service
532 # Reload systemd configuration and enable iptables service
765 LANG=C chroot $R systemctl daemon-reload
533 chroot_exec systemctl daemon-reload
766 LANG=C chroot $R systemctl enable ip6tables.service
534 chroot_exec systemctl enable ip6tables.service
767 fi
535 fi
768 fi
536 fi
769
537
770 # Remove SSHD related iptables rules
538 # Remove SSHD related iptables rules
771 if [ "$ENABLE_SSHD" = false ] ; then
539 if [ "$ENABLE_SSHD" = false ] ; then
772 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/iptables.rules 2> /dev/null
540 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/iptables.rules 2> /dev/null
773 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/ip6tables.rules 2> /dev/null
541 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/ip6tables.rules 2> /dev/null
774 fi
542 fi
775
543
776 # Install gcc/c++ build environment inside the chroot
544 # Install gcc/c++ build environment inside the chroot
777 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
545 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
778 LANG=C chroot $R apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
546 chroot_exec apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
779 fi
547 fi
780
548
781 # Fetch and build U-Boot bootloader
549 # Fetch and build U-Boot bootloader
782 if [ "$ENABLE_UBOOT" = true ] ; then
550 if [ "$ENABLE_UBOOT" = true ] ; then
783 # Fetch U-Boot bootloader sources
551 # Fetch U-Boot bootloader sources
784 git -C $R/tmp clone git://git.denx.de/u-boot.git
552 git -C $R/tmp clone git://git.denx.de/u-boot.git
785
553
786 # Build and install U-Boot inside chroot
554 # Build and install U-Boot inside chroot
787 LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all
555 chroot_exec make -C /tmp/u-boot/ rpi_2_defconfig all
788
556
789 # Copy compiled bootloader binary and set config.txt to load it
557 # Copy compiled bootloader binary and set config.txt to load it
790 cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
558 cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
791 printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
559 printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
792
560
793 # Set U-Boot command file
561 # Set U-Boot command file
794 cat <<EOM >$R/boot/firmware/uboot.mkimage
562 cat <<EOM >$R/boot/firmware/uboot.mkimage
795 # Tell Linux that it is booting on a Raspberry Pi2
563 # Tell Linux that it is booting on a Raspberry Pi2
796 setenv machid 0x00000c42
564 setenv machid 0x00000c42
797
565
798 # Set the kernel boot command line
566 # Set the kernel boot command line
799 setenv bootargs "earlyprintk ${CMDLINE}"
567 setenv bootargs "earlyprintk ${CMDLINE}"
800
568
801 # Save these changes to u-boot's environment
569 # Save these changes to u-boot's environment
802 saveenv
570 saveenv
803
571
804 # Load the existing Linux kernel into RAM
572 # Load the existing Linux kernel into RAM
805 fatload mmc 0:1 \${kernel_addr_r} kernel7.img
573 fatload mmc 0:1 \${kernel_addr_r} kernel7.img
806
574
807 # Boot the kernel we have just loaded
575 # Boot the kernel we have just loaded
808 bootz \${kernel_addr_r}
576 bootz \${kernel_addr_r}
809 EOM
577 EOM
810
578
811 # Generate U-Boot image from command file
579 # Generate U-Boot image from command file
812 LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
580 chroot_exec mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
813 fi
581 fi
814
582
815 # Fetch and build fbturbo Xorg driver
583 # Fetch and build fbturbo Xorg driver
816 if [ "$ENABLE_FBTURBO" = true ] ; then
584 if [ "$ENABLE_FBTURBO" = true ] ; then
817 # Fetch fbturbo driver sources
585 # Fetch fbturbo driver sources
818 git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git
586 git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git
819
587
820 # Install Xorg build dependencies
588 # Install Xorg build dependencies
821 LANG=C chroot $R apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
589 chroot_exec apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
822
590
823 # Build and install fbturbo driver inside chroot
591 # Build and install fbturbo driver inside chroot
824 LANG=C chroot $R /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install"
592 chroot_exec /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install"
825
593
826 # Add fbturbo driver to Xorg configuration
594 # Add fbturbo driver to Xorg configuration
827 cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf
595 cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf
828 Section "Device"
596 Section "Device"
829 Identifier "Allwinner A10/A13 FBDEV"
597 Identifier "Allwinner A10/A13 FBDEV"
830 Driver "fbturbo"
598 Driver "fbturbo"
831 Option "fbdev" "/dev/fb0"
599 Option "fbdev" "/dev/fb0"
832 Option "SwapbuffersWait" "true"
600 Option "SwapbuffersWait" "true"
833 EndSection
601 EndSection
834 EOM
602 EOM
835
603
836 # Remove Xorg build dependencies
604 # Remove Xorg build dependencies
837 LANG=C chroot $R apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
605 chroot_exec apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
838 fi
606 fi
839
607
840 # Remove gcc/c++ build environment from the chroot
608 # Remove gcc/c++ build environment from the chroot
841 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
609 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
842 LANG=C chroot $R apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
610 chroot_exec apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
843 fi
611 fi
844
612
845 # Clean cached downloads
613 # Clean cached downloads
846 LANG=C chroot $R apt-get -y clean
614 chroot_exec apt-get -y clean
847 LANG=C chroot $R apt-get -y autoclean
615 chroot_exec apt-get -y autoclean
848 LANG=C chroot $R apt-get -y autoremove
616 chroot_exec apt-get -y autoremove
849
617
850 # Unmount mounted filesystems
618 # Unmount mounted filesystems
851 umount -l $R/proc
619 umount -l $R/proc
852 umount -l $R/sys
620 umount -l $R/sys
853
621
854 # Clean up files
622 # Clean up files
855 rm -f $R/etc/apt/sources.list.save
623 rm -f $R/etc/apt/sources.list.save
856 rm -f $R/etc/resolvconf/resolv.conf.d/original
624 rm -f $R/etc/resolvconf/resolv.conf.d/original
857 rm -rf $R/run
625 rm -rf $R/run
858 mkdir -p $R/run
626 mkdir -p $R/run
859 rm -f $R/etc/*-
627 rm -f $R/etc/*-
860 rm -f $R/root/.bash_history
628 rm -f $R/root/.bash_history
861 rm -rf $R/tmp/*
629 rm -rf $R/tmp/*
862 rm -f $R/var/lib/urandom/random-seed
630 rm -f $R/var/lib/urandom/random-seed
863 [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id
631 [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id
864 rm -f $R/etc/machine-id
632 rm -f $R/etc/machine-id
865 rm -fr $R/etc/apt/apt.conf.d/10proxy
633 rm -fr $R/etc/apt/apt.conf.d/10proxy
866
634
867 # Calculate size of the chroot directory in KB
635 # Calculate size of the chroot directory in KB
868 CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'`)
636 CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'`)
869
637
870 # Calculate the amount of needed 512 Byte sectors
638 # Calculate the amount of needed 512 Byte sectors
871 TABLE_SECTORS=$(expr 1 \* 1024 \* 1024 \/ 512)
639 TABLE_SECTORS=$(expr 1 \* 1024 \* 1024 \/ 512)
872 BOOT_SECTORS=$(expr 64 \* 1024 \* 1024 \/ 512)
640 BOOT_SECTORS=$(expr 64 \* 1024 \* 1024 \/ 512)
873 ROOT_OFFSET=$(expr ${TABLE_SECTORS} + ${BOOT_SECTORS})
641 ROOT_OFFSET=$(expr ${TABLE_SECTORS} + ${BOOT_SECTORS})
874
642
875 # The root partition is EXT4
643 # The root partition is EXT4
876 # This means more space than the actual used space of the chroot is used.
644 # This means more space than the actual used space of the chroot is used.
877 # As overhead for journaling and reserved blocks 20% are added.
645 # As overhead for journaling and reserved blocks 20% are added.
878 ROOT_SECTORS=$(expr $(expr ${CHROOT_SIZE} + ${CHROOT_SIZE} \/ 100 \* 20) \* 1024 \/ 512)
646 ROOT_SECTORS=$(expr $(expr ${CHROOT_SIZE} + ${CHROOT_SIZE} \/ 100 \* 20) \* 1024 \/ 512)
879
647
880 # Calculate required image size in 512 Byte sectors
648 # Calculate required image size in 512 Byte sectors
881 IMAGE_SECTORS=$(expr ${TABLE_SECTORS} + ${BOOT_SECTORS} + ${ROOT_SECTORS})
649 IMAGE_SECTORS=$(expr ${TABLE_SECTORS} + ${BOOT_SECTORS} + ${ROOT_SECTORS})
882
650
883 # Prepare date string for image file name
651 # Prepare date string for image file name
884 DATE="$(date +%Y-%m-%d)"
652 DATE="$(date +%Y-%m-%d)"
885
653
886 # Prepare image file
654 # Prepare image file
887 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count=${TABLE_SECTORS}
655 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count=${TABLE_SECTORS}
888 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count=0 seek=${IMAGE_SECTORS}
656 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count=0 seek=${IMAGE_SECTORS}
889
657
890 # Write partition table
658 # Write partition table
891 sfdisk -q -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
659 sfdisk -q -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
892 unit: sectors
660 unit: sectors
893
661
894 1 : start= ${TABLE_SECTORS}, size= ${BOOT_SECTORS}, Id= c, bootable
662 1 : start= ${TABLE_SECTORS}, size= ${BOOT_SECTORS}, Id= c, bootable
895 2 : start= ${ROOT_OFFSET}, size= ${ROOT_SECTORS}, Id=83
663 2 : start= ${ROOT_OFFSET}, size= ${ROOT_SECTORS}, Id=83
896 3 : start= 0, size= 0, Id= 0
664 3 : start= 0, size= 0, Id= 0
897 4 : start= 0, size= 0, Id= 0
665 4 : start= 0, size= 0, Id= 0
898 EOM
666 EOM
899
667
900 # Set up temporary loop devices and build filesystems
668 # Set up temporary loop devices and build filesystems
901 VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
669 VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
902 EXT4_LOOP="$(losetup -o 65M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
670 EXT4_LOOP="$(losetup -o 65M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
903 mkfs.vfat "$VFAT_LOOP"
671 mkfs.vfat "$VFAT_LOOP"
904 mkfs.ext4 "$EXT4_LOOP"
672 mkfs.ext4 "$EXT4_LOOP"
905
673
906 # Mount the temporary loop devices
674 # Mount the temporary loop devices
907 mkdir -p "$BUILDDIR/mount"
675 mkdir -p "$BUILDDIR/mount"
908 mount "$EXT4_LOOP" "$BUILDDIR/mount"
676 mount "$EXT4_LOOP" "$BUILDDIR/mount"
909
677
910 mkdir -p "$BUILDDIR/mount/boot/firmware"
678 mkdir -p "$BUILDDIR/mount/boot/firmware"
911 mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"
679 mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"
912
680
913 # Copy all files from the chroot to the loop device mount point directory
681 # Copy all files from the chroot to the loop device mount point directory
914 rsync -a "$R/" "$BUILDDIR/mount/"
682 rsync -a "$R/" "$BUILDDIR/mount/"
915
683
916 # Unmount all temporary loop devices and mount points
684 # Unmount all temporary loop devices and mount points
917 cleanup
685 cleanup
918
686
919 # (optinal) create block map file for "bmaptool"
687 # (optinal) create block map file for "bmaptool"
920 bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
688 bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
921
689
922 # Image was successfully created
690 # Image was successfully created
923 echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"
691 echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"