Merge branch 'fpytloun-master'
Jan Wagner -
r62:2120d5c52161 Fusion
@@ -0,0 +1,3
1 images
2 custom.d
3 *.swp
@@ -0,0 +1,27
1 #
2 # Debootstrap basic system
3 #
4
5 . ./functions.sh
6
7 # Base debootstrap (unpack only)
8 if [ "$ENABLE_MINBASE" = true ] ; then
9 http_proxy=${APT_PROXY} debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
10 else
11 http_proxy=${APT_PROXY} debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
12 fi
13
14 # Copy qemu emulator binary to chroot
15 cp /usr/bin/qemu-arm-static $R/usr/bin
16
17 # Copy debian-archive-keyring.pgp
18 mkdir -p $R/usr/share/keyrings
19 cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
20
21 # Complete the bootstrapping process
22 chroot_exec /debootstrap/debootstrap --second-stage
23
24 # Mount required filesystems
25 mount -t proc none $R/proc
26 mount -t sysfs none $R/sys
27 mount --bind /dev/pts $R/dev/pts
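Review bot: Both `debootstrap` calls on lines 9 and 11 fetch the base system over plain HTTP from a user-chosen `APT_SERVER` and rely on the host's default keyring being present for the Release-signature check; passing `--keyring=/usr/share/keyrings/debian-archive-keyring.gpg` explicitly documents that dependency and turns a missing keyring into an obvious failure instead of a warning. Every `$R` in the hunk is unquoted, so a build directory containing whitespace breaks the `debootstrap`, `cp` and `mount` lines — quote them as `"$R"`. The host's `qemu-arm-static` copied in on line 15 stays in the rootfs unless a later stage removes it; a comment naming that stage (or an explicit removal at the end of the build) would make the intent clear. The two `debootstrap` lines differ only in `--variant=minbase`; computing the variant once, `VARIANT=""; if [ "$ENABLE_MINBASE" = true ] ; then VARIANT="--variant=minbase" ; fi`, leaves a single command line to maintain.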
@@ -0,0 +1,40
1 #
2 # Setup APT repositories
3 #
4
5 . ./functions.sh
6
7 # Use proxy inside chroot
8 if [ -z "$APT_PROXY" ] ; then
9 echo "Acquire::http::Proxy \"$APT_PROXY\";" >> $R/etc/apt/apt.conf.d/10proxy
10 fi
11
12 # Pin package flash-kernel to repositories.collabora.co.uk
13 cat <<EOM >$R/etc/apt/preferences.d/flash-kernel
14 Package: flash-kernel
15 Pin: origin repositories.collabora.co.uk
16 Pin-Priority: 1000
17 EOM
18
19 # Upgrade collabora package index and install collabora keyring
20 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
21 chroot_exec apt-get -qq -y update
22 chroot_exec apt-get -qq -y --force-yes install collabora-obs-archive-keyring
23
24 # Set up initial sources.list
25 cat <<EOM >$R/etc/apt/sources.list
26 deb http://${APT_SERVER}/debian ${RELEASE} main contrib
27 #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib
28
29 deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
30 #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
31
32 deb http://security.debian.org/ ${RELEASE}/updates main contrib
33 #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib
34
35 deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
36 EOM
37
38 # Upgrade package index and update all installed packages and changed dependencies
39 chroot_exec apt-get -qq -y update
40 chroot_exec apt-get -qq -y -u dist-upgrade
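Review bot: The proxy test on line 8 is inverted: `-z` is true only when `APT_PROXY` is empty, so a configured proxy is never written into the image and an unconfigured build writes a useless `Acquire::http::Proxy "";` entry; it should read `if [ -n "$APT_PROXY" ] ; then`. Lines 20-22 bootstrap trust in the Collabora repository from the repository itself: `apt-get update` runs against an archive whose Release signature cannot be verified yet, and `--force-yes` then overrides that failure to install the keyring package, so a compromised mirror or an on-path attacker at that moment can plant an archive key (TLS only helps if `apt-transport-https` is already in the chroot, which this hunk does not show). Shipping the Collabora key in `files/` and installing it into `$R/etc/apt/trusted.gpg.d/` before the first `apt-get update` removes the need for `--force-yes`. The file written on line 9 also persists the build host's proxy into the final image unless a later stage deletes `/etc/apt/apt.conf.d/10proxy`; worth a comment either way.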
@@ -0,0 +1,52
1 #
2 # Setup locales and keyboard settings
3 #
4
5 . ./functions.sh
6
7 # Set up timezone
8 echo ${TIMEZONE} >$R/etc/timezone
9 chroot_exec dpkg-reconfigure -f noninteractive tzdata
10
11 # Set up default locale and keyboard configuration
12 if [ "$ENABLE_MINBASE" = false ] ; then
13 # Set locale choice in debconf db, even though dpkg-reconfigure ignores and overwrites them due to some bug
14 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684134 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685957
15 # ... so we have to set locales manually
16 if [ "$DEFLOCAL" = "en_US.UTF-8" ] ; then
17 chroot_exec echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections
18 else
19 # en_US.UTF-8 should be available anyway : https://www.debian.org/doc/manuals/debian-reference/ch08.en.html#_the_reconfiguration_of_the_locale
20 chroot_exec echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections
21 chroot_exec sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen
22 fi
23 chroot_exec sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen
24 chroot_exec echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections
25 chroot_exec locale-gen
26 chroot_exec update-locale LANG=${DEFLOCAL}
27
28 # Keyboard configuration, if requested
29 if [ "$XKBMODEL" != "" ] ; then
30 chroot_exec sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKBMODEL}\"/" /etc/default/keyboard
31 fi
32 if [ "$XKBLAYOUT" != "" ] ; then
33 chroot_exec sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKBLAYOUT}\"/" /etc/default/keyboard
34 fi
35 if [ "$XKBVARIANT" != "" ] ; then
36 chroot_exec sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKBVARIANT}\"/" /etc/default/keyboard
37 fi
38 if [ "$XKBOPTIONS" != "" ] ; then
39 chroot_exec sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKBOPTIONS}\"/" /etc/default/keyboard
40 fi
41 chroot_exec dpkg-reconfigure -f noninteractive keyboard-configuration
42 # Set up font console
43 case "${DEFLOCAL}" in
44 *UTF-8)
45 chroot_exec sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' /etc/default/console-setup
46 ;;
47 *)
48 chroot_exec sed -i 's/^CHARMAP.*/CHARMAP="guess"/' /etc/default/console-setup
49 ;;
50 esac
51 chroot_exec dpkg-reconfigure -f noninteractive console-setup
52 fi
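Review bot: The `debconf-set-selections` on lines 17, 20 and 24 runs on the build host, not in the image: `chroot_exec` only wraps the `echo`, and the pipe is evaluated by the outer shell, so the selections land in the host's debconf database and the `/etc/locale.gen` edits are the only thing that actually configures the image. Reverse the pipe so the consumer is the chrooted command, e.g. `echo "locales locales/default_environment_locale select ${DEFLOCAL}" | chroot_exec debconf-set-selections` (stdin passes through `chroot`). Line 23 also interpolates `DEFLOCAL` into a sed address unescaped, so the `.` in `en_US.UTF-8` matches any character; harmless for normal locale names, but a `# DEFLOCAL is used as a regex here` comment would flag it.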
@@ -0,0 +1,102
1 #
2 # Kernel installation
3 #
4
5 . ./functions.sh
6
7 # Fetch and build latest raspberry kernel
8 if [ "$BUILD_KERNEL" = true ] ; then
9 # Fetch current raspberrypi kernel sources
10 git -C $R/usr/local/src clone --depth=1 https://github.com/raspberrypi/linux
11
12 # Load default raspberry kernel configuration
13 make -C $R/usr/local/src/linux ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- bcm2709_defconfig
14
15 # Cross compile kernel and modules
16 make -C $R/usr/local/src/linux -j$(grep -c processor /proc/cpuinfo) ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- zImage modules dtbs
17
18 # Install kernel modules
19 make -C $R/usr/local/src/linux ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- INSTALL_MOD_PATH=../.. modules_install
20
21 # Install kernel headers
22 if [ "$KERNEL_HEADERS" = true ]; then
23 make -C $R/usr/local/src/linux ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- INSTALL_HDR_PATH=../../usr headers_install
24 fi
25
26 # Copy and rename compiled kernel to boot directory
27 mkdir $R/boot/firmware/
28 $R/usr/local/src/linux/scripts/mkknlimg $R/usr/local/src/linux/arch/arm/boot/zImage $R/boot/firmware/kernel7.img
29
30 # Copy dts and dtb device definitions
31 mkdir $R/boot/firmware/overlays/
32 cp $R/usr/local/src/linux/arch/arm/boot/dts/*.dtb $R/boot/firmware/
33 cp $R/usr/local/src/linux/arch/arm/boot/dts/overlays/*.dtb* $R/boot/firmware/overlays/
34 cp $R/usr/local/src/linux/arch/arm/boot/dts/overlays/README $R/boot/firmware/overlays/
35
36 # Install raspberry bootloader and flash-kernel
37 chroot_exec apt-get -qq -y --no-install-recommends install raspberrypi-bootloader-nokernel
38 else
39 # Kernel installation
40 chroot_exec apt-get -qq -y --no-install-recommends install linux-image-${KERNEL} raspberrypi-bootloader-nokernel
41
42 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
43 chroot_exec apt-get -qq -y install flash-kernel
44
45 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
46 [ -z "$VMLINUZ" ] && exit 1
47 cp $VMLINUZ $R/boot/firmware/kernel7.img
48 fi
49
50 # Set up firmware boot cmdline
51 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1 ${CMDLINE}"
52
53 # Set up serial console support (if requested)
54 if [ "$ENABLE_CONSOLE" = true ] ; then
55 CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
56 fi
57
58 # Set up IPv6 networking support
59 if [ "$ENABLE_IPV6" = false ] ; then
60 CMDLINE="${CMDLINE} ipv6.disable=1"
61 fi
62
63 echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
64
65 # Set up firmware config
66 install -o root -g root -m 644 files/config.txt $R/boot/firmware/config.txt
67
68 # Load snd_bcm2835 kernel module at boot time
69 if [ "$ENABLE_SOUND" = true ] ; then
70 echo "snd_bcm2835" >>$R/etc/modules
71 fi
72
73 # Set smallest possible GPU memory allocation size: 16MB (no X)
74 if [ "$ENABLE_MINGPU" = true ] ; then
75 echo "gpu_mem=16" >>$R/boot/firmware/config.txt
76 fi
77
78 # Create symlinks
79 ln -sf firmware/config.txt $R/boot/config.txt
80 ln -sf firmware/cmdline.txt $R/boot/cmdline.txt
81
82 # Prepare modules-load.d directory
83 mkdir -p $R/lib/modules-load.d/
84
85 # Load random module on boot
86 if [ "$ENABLE_HWRANDOM" = true ] ; then
87 cat <<EOM >$R/lib/modules-load.d/rpi2.conf
88 bcm2708_rng
89 EOM
90 fi
91
92 # Prepare modprobe.d directory
93 mkdir -p $R/etc/modprobe.d/
94
95 # Blacklist sound modules
96 install -o root -g root -m 644 files/modprobe.d/raspi-blacklist.conf $R/etc/modprobe.d/raspi-blacklist.conf
97
98 # Create default fstab
99 install -o root -g root -m 644 files/fstab $R/etc/fstab
100
101 # Avoid swapping and increase cache sizes
102 install -o root -g root -m 644 files/sysctl.d/81-rpi-vm.conf $R/etc/sysctl.d/81-rpi-vm.conf
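Review bot: `kgdboc=ttyAMA0,115200` on line 55 is appended whenever the serial console is enabled, which — if the installed kernel has KGDB compiled in — hands anyone with physical access to the UART a kernel debugger with full memory read/write; the console and the debugger should be separate switches, keeping only `console=ttyAMA0,115200` here and adding `kgdboc=...` behind its own opt-in variable. Line 10 clones the Raspberry Pi kernel tree at whatever HEAD is at build time with no tag or commit pin and no signature check, so two builds of the same image can yield different kernels; pinning a tag (`git clone --depth=1 --branch <tag> ...`) and recording the commit in the image would make the kernel reproducible. `ls -1 ... | sort | tail -n 1` on line 45 sorts version strings lexically, so a `vmlinuz-3.9...` sorts after `vmlinuz-3.18...`; use `sort -V`. Line 47 copies into `$R/boot/firmware/`, which this branch never creates — presumably `raspberrypi-bootloader-nokernel` does, and a comment saying so would help.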
@@ -0,0 +1,78
1 #
2 # Setup networking
3 #
4
5 . ./functions.sh
6
7 # Set up IPv4 hosts
8 echo ${HOSTNAME} >$R/etc/hostname
9 cat <<EOM >$R/etc/hosts
10 127.0.0.1 localhost
11 127.0.1.1 ${HOSTNAME}
12 EOM
13
14 if [ "$NET_ADDRESS" != "" ] ; then
15 NET_IP=$(echo ${NET_ADDRESS} | cut -f 1 -d'/')
16 sed -i "s/^127.0.1.1/${NET_IP}/" $R/etc/hosts
17 fi
18
19 # Set up IPv6 hosts
20 if [ "$ENABLE_IPV6" = true ] ; then
21 cat <<EOM >>$R/etc/hosts
22
23 ::1 localhost ip6-localhost ip6-loopback
24 ff02::1 ip6-allnodes
25 ff02::2 ip6-allrouters
26 EOM
27 fi
28
29 # Place hint about network configuration
30 cat <<EOM >$R/etc/network/interfaces
31 # Debian switched to systemd-networkd configuration files.
32 # please configure your networks in '/etc/systemd/network/'
33 source /etc/interfaces.d/*.conf
34 EOM
35
36 if [ "$ENABLE_DHCP" = true ] ; then
37 # Enable systemd-networkd DHCP configuration for interface eth0
38 cat <<EOM >$R/etc/systemd/network/eth.network
39 [Match]
40 Name=eth0
41
42 [Network]
43 DHCP=yes
44 EOM
45
46 # Set DHCP configuration to IPv4 only
47 if [ "$ENABLE_IPV6" = false ] ; then
48 sed -i "s/^DHCP=yes/DHCP=v4/" $R/etc/systemd/network/eth.network
49 fi
50 else # ENABLE_DHCP=false
51 cat <<EOM >$R/etc/systemd/network/eth.network
52 [Match]
53 Name=eth0
54
55 [Network]
56 DHCP=no
57 Address=${NET_ADDRESS}
58 Gateway=${NET_GATEWAY}
59 DNS=${NET_DNS_1}
60 DNS=${NET_DNS_2}
61 Domains=${NET_DNS_DOMAINS}
62 NTP=${NET_NTP_1}
63 NTP=${NET_NTP_2}
64 EOM
65 fi
66
67 # Enable systemd-networkd service
68 chroot_exec systemctl enable systemd-networkd
69
70 # Enable network stack hardening
71 if [ "$ENABLE_HARDNET" = true ] ; then
72 install -o root -g root -m 644 files/sysctl.d/81-rpi-net-hardening.conf $R/etc/sysctl.d/81-rpi-net-hardening.conf
73
74 # Enable resolver warnings about spoofed addresses
75 cat <<EOM >>$R/etc/host.conf
76 spoof warn
77 EOM
78 fi
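Review bot: The static branch on lines 51-64 writes `Address=${NET_ADDRESS}` and friends without checking that they are set, so `ENABLE_DHCP=false` with an empty `NET_ADDRESS` silently produces an `eth.network` with `Address=` and a board that boots with no connectivity; a guard such as `[ -n "$NET_ADDRESS" ] || { echo "NET_ADDRESS is required when ENABLE_DHCP=false" >&2; exit 1; }` before the heredoc would fail the build instead. The hint file on line 33 sources `/etc/interfaces.d/*.conf`, while Debian's ifupdown default is `/etc/network/interfaces.d/`; if that path is intentional it deserves a comment, otherwise it should be corrected. The `sed` on line 16 rewrites the `127.0.1.1` alias with the static address even when `ENABLE_DHCP=true`, which is harmless but worth a note that `NET_ADDRESS` is honoured in `/etc/hosts` regardless of the DHCP setting.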
@@ -0,0 +1,43
1 #
2 # Enable firewall based on iptables started by systemd service
3 #
4
5 . ./functions.sh
6
7 if [ "$ENABLE_IPTABLES" = true ] ; then
8 # Create iptables configuration directory
9 mkdir -p "$R/etc/iptables"
10
11 # Create iptables systemd service
12 install -o root -g root -m 644 files/iptables/iptables.service $R/etc/systemd/system/iptables.service
13
14 # Create flush-table script called by iptables service
15 install -o root -g root -m 755 files/iptables/flush-iptables.sh $R/etc/iptables/flush-iptables.sh
16
17 # Create iptables rule file
18 install -o root -g root -m 644 files/iptables/iptables.rules $R/etc/iptables/iptables.rules
19
20 # Reload systemd configuration and enable iptables service
21 chroot_exec systemctl daemon-reload
22 chroot_exec systemctl enable iptables.service
23
24 if [ "$ENABLE_IPV6" = true ] ; then
25 # Create ip6tables systemd service
26 install -o root -g root -m 644 files/iptables/ip6tables.service $R/etc/systemd/system/ip6tables.service
27
28 # Create ip6tables file
29 install -o root -g root -m 755 files/iptables/flush-ip6tables.sh $R/etc/iptables/flush-ip6tables.sh
30
31 install -o root -g root -m 644 files/iptables/ip6tables.rules $R/etc/iptables/ip6tables.rules
32
33 # Reload systemd configuration and enable iptables service
34 chroot_exec systemctl daemon-reload
35 chroot_exec systemctl enable ip6tables.service
36 fi
37 fi
38
39 # Remove SSHD related iptables rules
40 if [ "$ENABLE_SSHD" = false ] ; then
41 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/iptables.rules 2> /dev/null
42 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/ip6tables.rules 2> /dev/null
43 fi
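Review bot: The rule files are installed with mode 644 on lines 18 and 31, so every local user can read the full firewall policy; `-m 640` is the usual choice for rulesets and costs nothing since only the root-run service reads them. Whether the ruleset is loaded before interfaces come up depends on the ordering in `files/iptables/iptables.service`, which this hunk does not show — it should carry `Before=network-pre.target` and `Wants=network-pre.target`, otherwise there is a window at boot with the default ACCEPT policy; worth confirming and noting here. The `sed` on lines 41-42 comments out any non-comment line containing `SSH`, so it relies on the rule files tagging the sshd rules with that exact string — a `# rule files must mark the sshd rules with "SSH"` comment would make that coupling explicit. Lines 28 and 33 reuse the iptables comments for the ip6tables flush script and service; adjust them.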
@@ -0,0 +1,30
1 #
2 # Setup users and security settings
3 #
4
5 . ./functions.sh
6
7 # Generate crypt(3) password string
8 ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
9
10 # Set up default user
11 if [ "$ENABLE_USER" = true ] ; then
12 chroot_exec adduser --gecos pi --add_extra_groups --disabled-password pi
13 chroot_exec usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
14 fi
15
16 # Set up root password or not
17 if [ "$ENABLE_ROOT" = true ]; then
18 chroot_exec usermod -p "${ENCRYPTED_PASSWORD}" root
19
20 if [ "$ENABLE_ROOT_SSH" = true ]; then
21 sed -i 's|[#]*PermitRootLogin.*|PermitRootLogin yes|g' $R/etc/ssh/sshd_config
22 fi
23 else
24 chroot_exec usermod -p \'!\' root
25 fi
26
27 # Enable serial console systemd style
28 if [ "$ENABLE_CONSOLE" = true ] ; then
29 chroot_exec systemctl enable serial-getty\@ttyAMA0.service
30 fi
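Review bot: Line 8 hands the clear-text password to `mkpasswd` as an argument, so it is visible to every local user through `ps` while it runs and, since `functions.sh` turns tracing off with `set +x`, presumably ends up in the `set -x` build log as well; it is also unquoted, so a password containing spaces or glob characters is mangled. Feed it on stdin instead: `ENCRYPTED_PASSWORD=$(printf '%s' "$PASSWORD" | mkpasswd -m sha-512 -s)`. Line 24 passes the literal three-character string `'!'` as the root hash, because `chroot_exec` re-splits its arguments and the escaped quotes survive; that locks the account only by accident (any non-hash value does), whereas `chroot_exec usermod -L root` states the intent. The hashes on lines 13 and 18 also travel through argv, which is acceptable for a hash but worth a one-line comment.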
@@ -0,0 +1,12
1 #
2 # Setup logging
3 #
4
5 . ./functions.sh
6
7 # Disable rsyslog
8 if [ "$ENABLE_RSYSLOG" = false ]; then
9 sed -i 's|[#]*ForwardToSyslog=yes|ForwardToSyslog=no|g' $R/etc/systemd/journald.conf
10 chroot_exec systemctl disable rsyslog
11 chroot_exec apt-get purge -q -y --force-yes rsyslog
12 fi
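Review bot: `--force-yes` on line 11 is unnecessary for a purge and, on the apt versions this targets, also makes apt proceed past authentication failures for anything it decides to install alongside; `chroot_exec apt-get purge -q -y rsyslog` is sufficient. The `sed` on line 9 only rewrites a `ForwardToSyslog=yes` line (commented or not), so if a future `journald.conf` ships the key differently the edit becomes a silent no-op; a comment stating that assumption, or a `grep -q '^ForwardToSyslog=no'` check after the edit, would make the failure visible.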
@@ -0,0 +1,44
1 #
2 # Setup Uboot
3 #
4
5 . ./functions.sh
6
7 # Install gcc/c++ build environment inside the chroot
8 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
9 chroot_exec apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
10 fi
11
12 # Fetch and build U-Boot bootloader
13 if [ "$ENABLE_UBOOT" = true ] ; then
14 # Fetch U-Boot bootloader sources
15 git -C $R/tmp clone git://git.denx.de/u-boot.git
16
17 # Build and install U-Boot inside chroot
18 chroot_exec make -C /tmp/u-boot/ rpi_2_defconfig all
19
20 # Copy compiled bootloader binary and set config.txt to load it
21 cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
22 printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
23
24 # Set U-Boot command file
25 cat <<EOM >$R/boot/firmware/uboot.mkimage
26 # Tell Linux that it is booting on a Raspberry Pi2
27 setenv machid 0x00000c42
28
29 # Set the kernel boot command line
30 setenv bootargs "earlyprintk ${CMDLINE}"
31
32 # Save these changes to u-boot's environment
33 saveenv
34
35 # Load the existing Linux kernel into RAM
36 fatload mmc 0:1 \${kernel_addr_r} kernel7.img
37
38 # Boot the kernel we have just loaded
39 bootz \${kernel_addr_r}
40 EOM
41
42 # Generate U-Boot image from command file
43 chroot_exec mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
44 fi
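Review bot: Line 15 fetches the bootloader over the unauthenticated `git://` protocol from an unpinned branch head and then installs the result as the code that boots every device flashed from this image (`kernel=u-boot.bin` on line 22), so anyone on the network path can substitute the bootloader; clone over `https://`, pin a release tag with `--branch`, and ideally verify the tag signature before building. The `mkimage` call on line 43 passes `-n "RPi2 Boot Script"`, but `chroot_exec` as defined in this commit's `functions.sh` expands its arguments with an unquoted `$*`, so the name reaches `mkimage` as `RPi2` followed by two stray arguments `Boot` and `Script`; either fix `chroot_exec` to use `"$@"` or use a name without spaces here. The `saveenv` on line 33 rewrites the U-Boot environment on the boot medium at every boot; if it is only meant to persist `machid`/`bootargs` once, a comment saying so would help.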
@@ -0,0 +1,34
1 #
2 # Fetch and build fbturbo Xorg driver
3 #
4
5 . ./functions.sh
6
7 if [ "$ENABLE_FBTURBO" = true ] ; then
8 # Fetch fbturbo driver sources
9 git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git
10
11 # Install Xorg build dependencies
12 chroot_exec apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
13
14 # Build and install fbturbo driver inside chroot
15 chroot_exec /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install"
16
17 # Add fbturbo driver to Xorg configuration
18 cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf
19 Section "Device"
20 Identifier "Allwinner A10/A13 FBDEV"
21 Driver "fbturbo"
22 Option "fbdev" "/dev/fb0"
23 Option "SwapbuffersWait" "true"
24 EndSection
25 EOM
26
27 # Remove Xorg build dependencies
28 chroot_exec apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
29 fi
30
31 # Remove gcc/c++ build environment from the chroot
32 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
33 chroot_exec apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
34 fi
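Review bot: The build command on line 15 does not run as written: `chroot_exec` in this commit's `functions.sh` expands its arguments with an unquoted `$*`, so the quoted `"cd …; autoreconf …; make install"` string is word-split and `bash -c` receives just `cd` as its command, leaving the driver unbuilt while line 18 still enables it in Xorg. Even once `chroot_exec` quotes with `"$@"`, the steps are chained with `;`, so a failing `configure` or `make` would still be followed by `make install` and a successful exit; chain them with `&&`: `chroot_exec /bin/bash -c "cd /tmp/xf86-video-fbturbo && autoreconf -vi && ./configure --prefix=/usr && make && make install"`. Line 9 clones an unpinned HEAD and installs it into `/usr` as root with no version or signature check — pin a commit or tag. The `Identifier` on line 20 still says `Allwinner A10/A13`, which this board is not; rename it so the file is not mistaken for the wrong platform.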
@@ -0,0 +1,24
1 #
2 # First boot actions
3 #
4
5 . ./functions.sh
6
7 cat files/firstboot/10-begin.sh > $R/etc/rc.firstboot
8
9 # Ensure openssh server host keys are regenerated on first boot
10 if [ "$ENABLE_SSHD" = true ] ; then
11 cat files/firstboot/21-generate-ssh-keys.sh >> $R/etc/rc.firstboot
12 rm -f $R/etc/ssh/ssh_host_*
13 fi
14
15 if [ "$EXPANDROOT" = true ] ; then
16 cat files/firstboot/22-expandroot.sh >> $R/etc/rc.firstboot
17 fi
18
19 cat files/firstboot/99-finish.sh >> $R/etc/rc.firstboot
20 chmod +x $R/etc/rc.firstboot
21
22 sed -i '/exit 0/d' $R/etc/rc.local
23 echo /etc/rc.firstboot >> $R/etc/rc.local
24 echo exit 0 >> $R/etc/rc.local
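Review bot: The host-key wipe on line 12 only happens when `ENABLE_SSHD=true`, so an image whose sshd was pulled in another way (e.g. via `APT_INCLUDES`) ships the host keys generated inside the chroot, identical on every board flashed from it; make `rm -f $R/etc/ssh/ssh_host_*` unconditional and let the first-boot fragment regenerate keys only when sshd is present. The `sed -i '/exit 0/d'` on line 22 deletes every line that merely contains `exit 0`, comments included; anchor it as `sed -i '/^exit 0$/d' $R/etc/rc.local`. `/etc/rc.firstboot` is assembled from fragments whose content is outside this hunk; a comment stating that `10-begin.sh` supplies the shebang and `99-finish.sh` removes the hook from `rc.local` (if that is indeed what they do) would document the contract.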
@@ -0,0 +1,23
1 cleanup (){
2 # Clean up all temporary mount points
3 set +x
4 set +e
5 echo "killing processes using mount point ..."
6 fuser -k $R
7 sleep 3
8 fuser -9 -k -v $R
9 echo "removing temporary mount points ..."
10 umount -l $R/proc 2> /dev/null
11 umount -l $R/sys 2> /dev/null
12 umount -l $R/dev/pts 2> /dev/null
13 umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
14 umount "$BUILDDIR/mount" 2> /dev/null
15 losetup -d "$EXT4_LOOP" 2> /dev/null
16 losetup -d "$VFAT_LOOP" 2> /dev/null
17 trap - 0 1 2 3 6
18 }
19
20 chroot_exec() {
21 # Exec command in chroot
22 LANG=C LC_ALL=C DEBIAN_FRONTEND=noninteractive chroot $R $*
23 }
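Review bot: `chroot_exec` expands its arguments with an unquoted `$*`, which re-splits every argument on whitespace and subjects it to globbing, so callers that pass a quoted string — a `bash -c "…; …"` command line or `-n "RPi2 Boot Script"` — reach `chroot` as separate words; replace it with `LANG=C LC_ALL=C DEBIAN_FRONTEND=noninteractive chroot "$R" "$@"`. The same applies to `$R` in `cleanup`'s `fuser` and `umount` lines, which should be `"$R"`. Both functions depend on caller state this file does not show (`R`, `BUILDDIR`, the loop-device variables, and the `trap … 0 1 2 3 6` that `cleanup` resets); a header comment listing those globals and noting that `cleanup` deliberately disables `set -e` and `set -x` so a failing unmount cannot abort the rest of the teardown would document the contract.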
@@ -1,173 +1,176
1 # rpi2-gen-image
1 # rpi2-gen-image
2 ## Introduction
2 ## Introduction
3 `rpi2-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for the Raspberry 2 (RPi2) computer. The script at this time only supports the bootstrapping of the current stable Debian 8 "jessie" release.
3 `rpi2-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for the Raspberry 2 (RPi2) computer. The script at this time only supports the bootstrapping of the current stable Debian 8 "jessie" release.
4
4
5 ## Build dependencies
5 ## Build dependencies
6 The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user.
6 The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user.
7
7
8 ```debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core```
8 ```debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core```
9
9
10 ## Command-line parameters
10 ## Command-line parameters
11 The script accepts certain command-line parameters to enable or disable specific OS features, services and configuration settings. These parameters are passed to the `rpi2-gen-image.sh` script via (simple) shell-variables. Unlike environment shell-variables (simple) shell-variables are defined at the beginning of the command-line call of the `rpi2-gen-image.sh` script.
11 The script accepts certain command-line parameters to enable or disable specific OS features, services and configuration settings. These parameters are passed to the `rpi2-gen-image.sh` script via (simple) shell-variables. Unlike environment shell-variables (simple) shell-variables are defined at the beginning of the command-line call of the `rpi2-gen-image.sh` script.
12
12
13 #####Command-line examples:
13 #####Command-line examples:
14 ```shell
14 ```shell
15 ENABLE_UBOOT=true ./rpi2-gen-image.sh
15 ENABLE_UBOOT=true ./rpi2-gen-image.sh
16 ENABLE_CONSOLE=false ENABLE_IPV6=false ./rpi2-gen-image.sh
16 ENABLE_CONSOLE=false ENABLE_IPV6=false ./rpi2-gen-image.sh
17 ENABLE_WM=xfce4 ENABLE_FBTURBO=true ENABLE_MINBASE=true ./rpi2-gen-image.sh
17 ENABLE_WM=xfce4 ENABLE_FBTURBO=true ENABLE_MINBASE=true ./rpi2-gen-image.sh
18 ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi2-gen-image.sh
18 ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi2-gen-image.sh
19 APT_SERVER=ftp.de.debian.org APT_PROXY="http://127.0.0.1:3142/" ./rpi2-gen-image.sh
19 APT_SERVER=ftp.de.debian.org APT_PROXY="http://127.0.0.1:3142/" ./rpi2-gen-image.sh
20 ENABLE_MINBASE=true ./rpi2-gen-image.sh
20 ENABLE_MINBASE=true ./rpi2-gen-image.sh
21 ```
21 ```
22
22
23 #### APT settings:
23 #### APT settings:
24 ##### `APT_SERVER`="ftp.debian.org"
24 ##### `APT_SERVER`="ftp.debian.org"
25 Set Debian packages server address. Choose a server from the list of Debian worldwide [mirror sites](https://www.debian.org/mirror/list). Using a nearby server will probably speed-up all required downloads within the bootstrapping process.
25 Set Debian packages server address. Choose a server from the list of Debian worldwide [mirror sites](https://www.debian.org/mirror/list). Using a nearby server will probably speed-up all required downloads within the bootstrapping process.
26
26
27 ##### `APT_PROXY`=""
27 ##### `APT_PROXY`=""
28 Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once.
28 Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once.
29
29
30 ##### `APT_INCLUDES`=""
30 ##### `APT_INCLUDES`=""
31 A comma seperated list of additional packages to be installed during bootstrapping.
31 A comma seperated list of additional packages to be installed during bootstrapping.
32
32
33 #### General system settings:
33 #### General system settings:
34 ##### `HOSTNAME`="rpi2-jessie"
34 ##### `HOSTNAME`="rpi2-jessie"
35 Set system host name. It's recommended that the host name is unique in the corresponding subnet.
35 Set system host name. It's recommended that the host name is unique in the corresponding subnet.
36
36
37 ##### `PASSWORD`="raspberry"
37 ##### `PASSWORD`="raspberry"
38 Set system `root` password. The same password is used for the created user `pi`. It's **STRONGLY** recommended that you choose a custom password.
38 Set system `root` password. The same password is used for the created user `pi`. It's **STRONGLY** recommended that you choose a custom password.
39
39
40 ##### `DEFLOCAL`="en_US.UTF-8"
40 ##### `DEFLOCAL`="en_US.UTF-8"
41 Set default system locale. This setting can also be changed inside the running OS using the `dpkg-reconfigure locales` command. The script variant `minbase` (ENABLE_MINBASE=true) doesn't install `locales`.
41 Set default system locale. This setting can also be changed inside the running OS using the `dpkg-reconfigure locales` command. The script variant `minbase` (ENABLE_MINBASE=true) doesn't install `locales`.
42
42
43 ##### `TIMEZONE`="Europe/Berlin"
43 ##### `TIMEZONE`="Europe/Berlin"
44 Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command.
44 Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command.
45
45
46 ##### `EXPANDROOT`=true
46 ##### `EXPANDROOT`=true
47 Expand the root partition and filesystem automatically on first boot.
47 Expand the root partition and filesystem automatically on first boot.
48
48
49 #### Keyboard settings:
49 #### Keyboard settings:
50 These options are used to configure keyboard layout in `/etc/default/keyboard` for console and Xorg. These settings can also be changed inside the running OS using the `dpkg-reconfigure keyboard-configuration` command.
50 These options are used to configure keyboard layout in `/etc/default/keyboard` for console and Xorg. These settings can also be changed inside the running OS using the `dpkg-reconfigure keyboard-configuration` command.
51
51
52 ##### `XKBMODEL`=""
52 ##### `XKBMODEL`=""
53 Set the name of the model of your keyboard type.
53 Set the name of the model of your keyboard type.
54
54
55 ##### `XKBLAYOUT`=""
55 ##### `XKBLAYOUT`=""
56 Set the supported keyboard layout(s).
56 Set the supported keyboard layout(s).
57
57
58 ##### `XKBVARIANT`=""
58 ##### `XKBVARIANT`=""
59 Set the supported variant(s) of the keyboard layout(s).
59 Set the supported variant(s) of the keyboard layout(s).
60
60
61 ##### `XKBOPTIONS`=""
61 ##### `XKBOPTIONS`=""
62 Set extra xkb configuration options.
62 Set extra xkb configuration options.
63
63
64 #### Networking settings (DHCP)
64 #### Networking settings (DHCP)
65 This setting is used to set up networking auto configuration in `/etc/systemd/network/eth.network`.
65 This setting is used to set up networking auto configuration in `/etc/systemd/network/eth.network`.
66
66
67 #####`ENABLE_DHCP`=true
67 #####`ENABLE_DHCP`=true
68 Set the system to use DHCP. This requires an DHCP server.
68 Set the system to use DHCP. This requires an DHCP server.
69
69
70 #### Networking settings (static)
70 #### Networking settings (static)
71 These settings are used to set up a static networking configuration in /etc/systemd/network/eth.network. The following static networking settings are only supported if `ENABLE_DHCP` was set to `false`.
71 These settings are used to set up a static networking configuration in /etc/systemd/network/eth.network. The following static networking settings are only supported if `ENABLE_DHCP` was set to `false`.
72
72
73 #####`NET_ADDRESS`=""
73 #####`NET_ADDRESS`=""
74 Set a static IPv4 or IPv6 address and its prefix, separated by "/", eg. "192.169.0.3/24".
74 Set a static IPv4 or IPv6 address and its prefix, separated by "/", eg. "192.169.0.3/24".
75
75
76 #####`NET_GATEWAY`=""
76 #####`NET_GATEWAY`=""
77 Set the IP address for the default gateway.
77 Set the IP address for the default gateway.
78
78
79 #####`NET_DNS_1`=""
79 #####`NET_DNS_1`=""
80 Set the IP address for the first DNS server.
80 Set the IP address for the first DNS server.
81
81
82 #####`NET_DNS_2`=""
82 #####`NET_DNS_2`=""
83 Set the IP address for the second DNS server.
83 Set the IP address for the second DNS server.
84
84
85 #####`NET_DNS_DOMAINS`=""
85 #####`NET_DNS_DOMAINS`=""
86 Set the default DNS search domains to use for non fully qualified host names.
86 Set the default DNS search domains to use for non fully qualified host names.
87
87
88 #####`NET_NTP_1`=""
88 #####`NET_NTP_1`=""
89 Set the IP address for the first NTP server.
89 Set the IP address for the first NTP server.
90
90
91 #####`NET_NTP_2`=""
91 #####`NET_NTP_2`=""
92 Set the IP address for the second NTP server.
92 Set the IP address for the second NTP server.
93
93
94 #### Basic system features:
94 #### Basic system features:
95 ##### `ENABLE_CONSOLE`=true
95 ##### `ENABLE_CONSOLE`=true
96 Enable serial console interface. Recommended if no monitor or keyboard is connected to the RPi2. In case of problems fe. if the network (auto) configuration failed - the serial console can be used to access the system.
96 Enable serial console interface. Recommended if no monitor or keyboard is connected to the RPi2. In case of problems fe. if the network (auto) configuration failed - the serial console can be used to access the system.
97
97
98 ##### `ENABLE_IPV6`=true
98 ##### `ENABLE_IPV6`=true
99 Enable IPv6 support. The network interface configuration is managed via systemd-networkd.
99 Enable IPv6 support. The network interface configuration is managed via systemd-networkd.
100
100
101 ##### `ENABLE_SSHD`=true
101 ##### `ENABLE_SSHD`=true
102 Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root.
102 Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root.
103
103
104 ##### `ENABLE_RSYSLOG`=true
104 ##### `ENABLE_RSYSLOG`=true
105 If set to false, disable and uninstall rsyslog (so logs will be available only
105 If set to false, disable and uninstall rsyslog (so logs will be available only
106 in journal files)
106 in journal files)
107
107
108 ##### `ENABLE_SOUND`=true
108 ##### `ENABLE_SOUND`=true
109 Enable sound hardware and install Advanced Linux Sound Architecture.
109 Enable sound hardware and install Advanced Linux Sound Architecture.
110
110
111 ##### `ENABLE_HWRANDOM`=true
111 ##### `ENABLE_HWRANDOM`=true
112 Enable Hardware Random Number Generator. Strong random numbers are important for most network based communications that use encryption. It's recommended to be enabled.
112 Enable Hardware Random Number Generator. Strong random numbers are important for most network based communications that use encryption. It's recommended to be enabled.
113
113
114 ##### `ENABLE_MINGPU`=false
114 ##### `ENABLE_MINGPU`=false
115 Minimize the amount of shared memory reserved for the GPU. It doesn't seem to be possible to fully disable the GPU.
115 Minimize the amount of shared memory reserved for the GPU. It doesn't seem to be possible to fully disable the GPU.
116
116
117 ##### `ENABLE_DBUS`=true
117 ##### `ENABLE_DBUS`=true
118 Install and enable D-Bus message bus. Please note that systemd should work without D-bus but it's recommended to be enabled.
118 Install and enable D-Bus message bus. Please note that systemd should work without D-bus but it's recommended to be enabled.
119
119
120 ##### `ENABLE_XORG`=false
120 ##### `ENABLE_XORG`=false
121 Install Xorg open-source X Window System.
121 Install Xorg open-source X Window System.
122
122
123 ##### `ENABLE_WM`=""
123 ##### `ENABLE_WM`=""
124 Install a user defined window manager for the X Window System. To make sure all X related package dependencies are getting installed `ENABLE_XORG` will automatically get enabled if `ENABLE_WM` is used. The `rpi2-gen-image.sh` script has been tested with the following list of window managers: `blackbox`, `openbox`, `fluxbox`, `jwm`, `dwm`, `xfce4`, `awesome`.
124 Install a user defined window manager for the X Window System. To make sure all X related package dependencies are getting installed `ENABLE_XORG` will automatically get enabled if `ENABLE_WM` is used. The `rpi2-gen-image.sh` script has been tested with the following list of window managers: `blackbox`, `openbox`, `fluxbox`, `jwm`, `dwm`, `xfce4`, `awesome`.
125
125
126 #### Advanced sytem features:
126 #### Advanced sytem features:
127 ##### `ENABLE_MINBASE`=false
127 ##### `ENABLE_MINBASE`=false
128 Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB.
128 Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB.
129
129
130 ##### `ENABLE_UBOOT`=false
130 ##### `ENABLE_UBOOT`=false
131 Replace default RPi2 second stage bootloader (bootcode.bin) with U-Boot bootloader. U-Boot can boot images via the network using the BOOTP/TFTP protocol.
131 Replace default RPi2 second stage bootloader (bootcode.bin) with U-Boot bootloader. U-Boot can boot images via the network using the BOOTP/TFTP protocol.
132
132
133 ##### `ENABLE_FBTURBO`=false
133 ##### `ENABLE_FBTURBO`=false
134 Install and enable the hardware accelerated Xorg video driver `fbturbo`. Please note that this driver is currently limited to hardware accelerated window moving and scrolling.
134 Install and enable the hardware accelerated Xorg video driver `fbturbo`. Please note that this driver is currently limited to hardware accelerated window moving and scrolling.
135
135
136 ##### `ENABLE_IPTABLES`=false
136 ##### `ENABLE_IPTABLES`=false
137 Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service.
137 Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service.
138
138
139 ##### `ENABLE_USER`=true
139 ##### `ENABLE_USER`=true
140 Create pi user with password raspberry
140 Create pi user with password raspberry
141
141
142 ##### `ENABLE_ROOT`=true
142 ##### `ENABLE_ROOT`=true
143 Set root user password so root login will be enabled
143 Set root user password so root login will be enabled
144
144
145 ##### `ENABLE_ROOT_SSH`=true
145 ##### `ENABLE_ROOT_SSH`=true
146 Enable password root login via SSH. May be a security risk with default
146 Enable password root login via SSH. May be a security risk with default
147 password, use only in trusted environments.
147 password, use only in trusted environments.
148
148
149 ##### `ENABLE_HARDNET`=false
149 ##### `ENABLE_HARDNET`=false
150 Enable IPv4/IPv6 network stack hardening settings.
150 Enable IPv4/IPv6 network stack hardening settings.
151
151
152 ##### `CHROOT_SCRIPTS`=""
152 ##### `CHROOT_SCRIPTS`=""
153 Path to a directory with scripts that should be run in the chroot before the image is finally built. Every executable file in this direcory is run in lexicographical order.
153 Path to a directory with scripts that should be run in the chroot before the image is finally built. Every executable file in this direcory is run in lexicographical order.
154
154
155 #### Kernel compilation:
155 #### Kernel compilation:
156 ##### `BUILD_KERNEL`=false
156 ##### `BUILD_KERNEL`=false
157 Build and install the latest RPi2 linux kernel. Currently only the default RPi2 kernel configuration is used. Detailed configuration parameters for customizing the kernel and minor bug fixes still need to get implemented. feel free to help.
157 Build and install the latest RPi2 linux kernel. Currently only the default RPi2 kernel configuration is used. Detailed configuration parameters for customizing the kernel and minor bug fixes still need to get implemented. feel free to help.
158
158
159 ##### `KERNEL_HEADERS`=true
160 If true, also install kernel headers with built kernel.
161
159 ## Logging of the bootstrapping process
162 ## Logging of the bootstrapping process
160 All information related to the bootstrapping process and the commands executed by the `rpi2-gen-image.sh` script can easily be saved into a logfile. The common shell command `script` can be used for this purpose:
163 All information related to the bootstrapping process and the commands executed by the `rpi2-gen-image.sh` script can easily be saved into a logfile. The common shell command `script` can be used for this purpose:
161
164
162 ```shell
165 ```shell
163 script -c 'APT_SERVER=ftp.de.debian.org ./rpi2-gen-image.sh' ./build.log
166 script -c 'APT_SERVER=ftp.de.debian.org ./rpi2-gen-image.sh' ./build.log
164 ```
167 ```
165
168
166 ## Flashing the image file
169 ## Flashing the image file
167 After the image file was successfully created by the `rpi2-gen-image.sh` script it can be copied to the microSD card that will be used by the RPi2 computer. This can be performed by using the tools `bmaptool` or `dd`. Using `bmaptool` will probably speed-up the copy process because `bmaptool` copies more wisely than `dd`.
170 After the image file was successfully created by the `rpi2-gen-image.sh` script it can be copied to the microSD card that will be used by the RPi2 computer. This can be performed by using the tools `bmaptool` or `dd`. Using `bmaptool` will probably speed-up the copy process because `bmaptool` copies more wisely than `dd`.
168
171
169 #####Flashing examples:
172 #####Flashing examples:
170 ```shell
173 ```shell
171 bmaptool copy ./images/jessie/2015-12-13-debian-jessie.img /dev/mmcblk0
174 bmaptool copy ./images/jessie/2015-12-13-debian-jessie.img /dev/mmcblk0
172 dd bs=4M if=./images/jessie/2015-12-13-debian-jessie.img of=/dev/mmcblk0
175 dd bs=4M if=./images/jessie/2015-12-13-debian-jessie.img of=/dev/mmcblk0
173 ```
176 ```
@@ -1,736 +1,302
1 #!/bin/sh
1 #!/bin/sh
2
2
3 ########################################################################
3 ########################################################################
4 # rpi2-gen-image.sh ver2a 12/2015
4 # rpi2-gen-image.sh ver2a 12/2015
5 #
5 #
6 # Advanced debian "jessie" bootstrap script for RPi2
6 # Advanced debian "jessie" bootstrap script for RPi2
7 #
7 #
8 # This program is free software; you can redistribute it and/or
8 # This program is free software; you can redistribute it and/or
9 # modify it under the terms of the GNU General Public License
9 # modify it under the terms of the GNU General Public License
10 # as published by the Free Software Foundation; either version 2
10 # as published by the Free Software Foundation; either version 2
11 # of the License, or (at your option) any later version.
11 # of the License, or (at your option) any later version.
12 #
12 #
13 # some parts based on rpi2-build-image:
13 # some parts based on rpi2-build-image:
14 # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
14 # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
15 # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
15 # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
16 ########################################################################
16 ########################################################################
17
17
18 # Clean up all temporary mount points
18 source ./functions.sh
19 cleanup (){
20 set +x
21 set +e
22 echo "removing temporary mount points ..."
23 umount -l $R/proc 2> /dev/null
24 umount -l $R/sys 2> /dev/null
25 umount -l $R/dev/pts 2> /dev/null
26 umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
27 umount "$BUILDDIR/mount" 2> /dev/null
28 losetup -d "$EXT4_LOOP" 2> /dev/null
29 losetup -d "$VFAT_LOOP" 2> /dev/null
30 trap - 0 1 2 3 6
31 }
32
33 # Exec command in chroot
34 chroot_exec() {
35 LANG=C LC_ALL=C chroot $R $*
36 }
37
19
38 set -e
20 set -e
39 set -x
21 set -x
40
22
41 # Debian release
23 # Debian release
42 RELEASE=${RELEASE:=jessie}
24 RELEASE=${RELEASE:=jessie}
43 KERNEL=${KERNEL:=3.18.0-trunk-rpi2}
25 KERNEL=${KERNEL:=3.18.0-trunk-rpi2}
44
26
45 # Build settings
27 # Build settings
46 BASEDIR=./images/${RELEASE}
28 BASEDIR=$(pwd)/images/${RELEASE}
47 BUILDDIR=${BASEDIR}/build
29 BUILDDIR=${BASEDIR}/build
48
30
49 # General settings
31 # General settings
50 HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
32 HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
51 PASSWORD=${PASSWORD:=raspberry}
33 PASSWORD=${PASSWORD:=raspberry}
52 DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
34 DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
53 TIMEZONE=${TIMEZONE:="Europe/Berlin"}
35 TIMEZONE=${TIMEZONE:="Europe/Berlin"}
54 XKBMODEL=${XKBMODEL:=""}
36 XKBMODEL=${XKBMODEL:=""}
55 XKBLAYOUT=${XKBLAYOUT:=""}
37 XKBLAYOUT=${XKBLAYOUT:=""}
56 XKBVARIANT=${XKBVARIANT:=""}
38 XKBVARIANT=${XKBVARIANT:=""}
57 XKBOPTIONS=${XKBOPTIONS:=""}
39 XKBOPTIONS=${XKBOPTIONS:=""}
58 EXPANDROOT=${EXPANDROOT:=true}
40 EXPANDROOT=${EXPANDROOT:=true}
59
41
60 # Network settings
42 # Network settings
61 ENABLE_DHCP=${ENABLE_DHCP:=true}
43 ENABLE_DHCP=${ENABLE_DHCP:=true}
62 # NET_* settings are ignored when ENABLE_DHCP=true
44 # NET_* settings are ignored when ENABLE_DHCP=true
63 # NET_ADDRESS is an IPv4 or IPv6 address and its prefix, separated by "/"
45 # NET_ADDRESS is an IPv4 or IPv6 address and its prefix, separated by "/"
64 NET_ADDRESS=${NET_ADDRESS:=""}
46 NET_ADDRESS=${NET_ADDRESS:=""}
65 NET_GATEWAY=${NET_GATEWAY:=""}
47 NET_GATEWAY=${NET_GATEWAY:=""}
66 NET_DNS_1=${NET_DNS_1:=""}
48 NET_DNS_1=${NET_DNS_1:=""}
67 NET_DNS_2=${NET_DNS_2:=""}
49 NET_DNS_2=${NET_DNS_2:=""}
68 NET_DNS_DOMAINS=${NET_DNS_DOMAINS:=""}
50 NET_DNS_DOMAINS=${NET_DNS_DOMAINS:=""}
69 NET_NTP_1=${NET_NTP_1:=""}
51 NET_NTP_1=${NET_NTP_1:=""}
70 NET_NTP_2=${NET_NTP_2:=""}
52 NET_NTP_2=${NET_NTP_2:=""}
71
53
72 # APT settings
54 # APT settings
73 APT_PROXY=${APT_PROXY:=""}
55 APT_PROXY=${APT_PROXY:=""}
74 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
56 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
75
57
76 # Feature settings
58 # Feature settings
77 ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
59 ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
78 ENABLE_IPV6=${ENABLE_IPV6:=true}
60 ENABLE_IPV6=${ENABLE_IPV6:=true}
79 ENABLE_SSHD=${ENABLE_SSHD:=true}
61 ENABLE_SSHD=${ENABLE_SSHD:=true}
80 ENABLE_SOUND=${ENABLE_SOUND:=true}
62 ENABLE_SOUND=${ENABLE_SOUND:=true}
81 ENABLE_DBUS=${ENABLE_DBUS:=true}
63 ENABLE_DBUS=${ENABLE_DBUS:=true}
82 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
64 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
83 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
65 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
84 ENABLE_XORG=${ENABLE_XORG:=false}
66 ENABLE_XORG=${ENABLE_XORG:=false}
85 ENABLE_WM=${ENABLE_WM:=""}
67 ENABLE_WM=${ENABLE_WM:=""}
86 ENABLE_RSYSLOG=${ENABLE_RSYSLOG:=true}
68 ENABLE_RSYSLOG=${ENABLE_RSYSLOG:=true}
87 ENABLE_USER=${ENABLE_USER:=true}
69 ENABLE_USER=${ENABLE_USER:=true}
88 ENABLE_ROOT=${ENABLE_ROOT:=false}
70 ENABLE_ROOT=${ENABLE_ROOT:=false}
89 ENABLE_ROOT_SSH=${ENABLE_ROOT_SSH:=false}
71 ENABLE_ROOT_SSH=${ENABLE_ROOT_SSH:=false}
90
72
91 # Advanced settings
73 # Advanced settings
92 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
74 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
93 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
75 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
94 ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
76 ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
95 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
77 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
96 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
78 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
97
79
98 # Kernel compilation settings
80 # Kernel compilation settings
99 BUILD_KERNEL=${BUILD_KERNEL:=false}
81 BUILD_KERNEL=${BUILD_KERNEL:=false}
82 KERNEL_HEADERS=${KERNEL_HEADERS:=true}
100
83
101 # Image chroot path
84 # Image chroot path
102 R=${BUILDDIR}/chroot
85 R=${BUILDDIR}/chroot
103 CHROOT_SCRIPTS=${CHROOT_SCRIPTS:=""}
86 CHROOT_SCRIPTS=${CHROOT_SCRIPTS:=""}
104
87
105 # Packages required for bootstrapping
88 # Packages required for bootstrapping
106 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git-core"
89 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git-core"
107
90
108 # Missing packages that need to be installed
91 # Missing packages that need to be installed
109 MISSING_PACKAGES=""
92 MISSING_PACKAGES=""
110
93
111 # Packages required in the chroot build environment
94 # Packages required in the chroot build environment
112 APT_INCLUDES=${APT_INCLUDES:=""}
95 APT_INCLUDES=${APT_INCLUDES:=""}
113 APT_INCLUDES="${APT_INCLUDES},apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo"
96 APT_INCLUDES="${APT_INCLUDES},apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo"
114
97
115 set +x
98 set +x
116
99
117 # Are we running as root?
100 # Are we running as root?
118 if [ "$(id -u)" -ne "0" ] ; then
101 if [ "$(id -u)" -ne "0" ] ; then
119 echo "this script must be executed with root privileges"
102 echo "this script must be executed with root privileges"
120 exit 1
103 exit 1
121 fi
104 fi
122
105
123 # Add packages required for kernel cross compilation
106 # Add packages required for kernel cross compilation
124 if [ "$BUILD_KERNEL" = true ] ; then
107 if [ "$BUILD_KERNEL" = true ] ; then
125 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} crossbuild-essential-armhf"
108 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} crossbuild-essential-armhf"
126 fi
109 fi
127
110
128 # Check if all required packages are installed
111 # Check if all required packages are installed
129 for package in $REQUIRED_PACKAGES ; do
112 for package in $REQUIRED_PACKAGES ; do
130 if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
113 if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
131 MISSING_PACKAGES="$MISSING_PACKAGES $package"
114 MISSING_PACKAGES="$MISSING_PACKAGES $package"
132 fi
115 fi
133 done
116 done
134
117
135 # Ask if missing packages should get installed right now
118 # Ask if missing packages should get installed right now
136 if [ -n "$MISSING_PACKAGES" ] ; then
119 if [ -n "$MISSING_PACKAGES" ] ; then
137 echo "the following packages needed by this script are not installed:"
120 echo "the following packages needed by this script are not installed:"
138 echo "$MISSING_PACKAGES"
121 echo "$MISSING_PACKAGES"
139
122
140 echo -n "\ndo you want to install the missing packages right now? [y/n] "
123 echo -n "\ndo you want to install the missing packages right now? [y/n] "
141 read confirm
124 read confirm
142 if [ "$confirm" != "y" ] ; then
125 if [ "$confirm" != "y" ] ; then
143 exit 1
126 exit 1
144 fi
127 fi
145 fi
128 fi
146
129
147 # Make sure all required packages are installed
130 # Make sure all required packages are installed
148 apt-get -qq -y install ${REQUIRED_PACKAGES}
131 apt-get -qq -y install ${REQUIRED_PACKAGES}
149
132
150 # Don't clobber an old build
133 # Don't clobber an old build
151 if [ -e "$BUILDDIR" ]; then
134 if [ -e "$BUILDDIR" ]; then
152 echo "directory $BUILDDIR already exists, not proceeding"
135 echo "directory $BUILDDIR already exists, not proceeding"
153 exit 1
136 exit 1
154 fi
137 fi
155
138
156 set -x
139 set -x
157
140
158 # Call "cleanup" function on various signals and errors
141 # Call "cleanup" function on various signals and errors
159 trap cleanup 0 1 2 3 6
142 trap cleanup 0 1 2 3 6
160
143
161 # Set up chroot directory
144 # Set up chroot directory
162 mkdir -p $R
145 mkdir -p $R
163
146
164 # Add required packages for the minbase installation
147 # Add required packages for the minbase installation
165 if [ "$ENABLE_MINBASE" = true ] ; then
148 if [ "$ENABLE_MINBASE" = true ] ; then
166 APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools"
149 APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools"
167 else
150 else
168 APT_INCLUDES="${APT_INCLUDES},locales,keyboard-configuration,console-setup"
151 APT_INCLUDES="${APT_INCLUDES},locales,keyboard-configuration,console-setup"
169 fi
152 fi
170
153
171 # Add parted package, required to get partprobe utility
154 # Add parted package, required to get partprobe utility
172 if [ "$EXPANDROOT" = true ] ; then
155 if [ "$EXPANDROOT" = true ] ; then
173 APT_INCLUDES="${APT_INCLUDES},parted"
156 APT_INCLUDES="${APT_INCLUDES},parted"
174 fi
157 fi
175
158
176 # Add dbus package, recommended if using systemd
159 # Add dbus package, recommended if using systemd
177 if [ "$ENABLE_DBUS" = true ] ; then
160 if [ "$ENABLE_DBUS" = true ] ; then
178 APT_INCLUDES="${APT_INCLUDES},dbus"
161 APT_INCLUDES="${APT_INCLUDES},dbus"
179 fi
162 fi
180
163
181 # Add iptables IPv4/IPv6 package
164 # Add iptables IPv4/IPv6 package
182 if [ "$ENABLE_IPTABLES" = true ] ; then
165 if [ "$ENABLE_IPTABLES" = true ] ; then
183 APT_INCLUDES="${APT_INCLUDES},iptables"
166 APT_INCLUDES="${APT_INCLUDES},iptables"
184 fi
167 fi
185
168
186 # Add openssh server package
169 # Add openssh server package
187 if [ "$ENABLE_SSHD" = true ] ; then
170 if [ "$ENABLE_SSHD" = true ] ; then
188 APT_INCLUDES="${APT_INCLUDES},openssh-server"
171 APT_INCLUDES="${APT_INCLUDES},openssh-server"
189 fi
172 fi
190
173
191 # Add alsa-utils package
174 # Add alsa-utils package
192 if [ "$ENABLE_SOUND" = true ] ; then
175 if [ "$ENABLE_SOUND" = true ] ; then
193 APT_INCLUDES="${APT_INCLUDES},alsa-utils"
176 APT_INCLUDES="${APT_INCLUDES},alsa-utils"
194 fi
177 fi
195
178
196 # Add rng-tools package
179 # Add rng-tools package
197 if [ "$ENABLE_HWRANDOM" = true ] ; then
180 if [ "$ENABLE_HWRANDOM" = true ] ; then
198 APT_INCLUDES="${APT_INCLUDES},rng-tools"
181 APT_INCLUDES="${APT_INCLUDES},rng-tools"
199 fi
182 fi
200
183
201 if [ "$ENABLE_USER" = true ]; then
184 if [ "$ENABLE_USER" = true ]; then
202 APT_INCLUDES="${APT_INCLUDES},sudo"
185 APT_INCLUDES="${APT_INCLUDES},sudo"
203 fi
186 fi
204
187
205 # Add fbturbo video driver
188 # Add fbturbo video driver
206 if [ "$ENABLE_FBTURBO" = true ] ; then
189 if [ "$ENABLE_FBTURBO" = true ] ; then
207 # Enable xorg package dependencies
190 # Enable xorg package dependencies
208 ENABLE_XORG=true
191 ENABLE_XORG=true
209 fi
192 fi
210
193
211 # Add user defined window manager package
194 # Add user defined window manager package
212 if [ -n "$ENABLE_WM" ] ; then
195 if [ -n "$ENABLE_WM" ] ; then
213 APT_INCLUDES="${APT_INCLUDES},${ENABLE_WM}"
196 APT_INCLUDES="${APT_INCLUDES},${ENABLE_WM}"
214
197
215 # Enable xorg package dependencies
198 # Enable xorg package dependencies
216 ENABLE_XORG=true
199 ENABLE_XORG=true
217 fi
200 fi
218
201
219 # Add xorg package
202 # Add xorg package
220 if [ "$ENABLE_XORG" = true ] ; then
203 if [ "$ENABLE_XORG" = true ] ; then
221 APT_INCLUDES="${APT_INCLUDES},xorg"
204 APT_INCLUDES="${APT_INCLUDES},xorg"
222 fi
205 fi
223
206
224 # Base debootstrap (unpack only)
207 ## Main bootstrap
225 if [ "$ENABLE_MINBASE" = true ] ; then
208 for i in bootstrap.d/*.sh; do
226 http_proxy=${APT_PROXY} debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
209 . $i
227 else
210 done
228 http_proxy=${APT_PROXY} debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
229 fi
230
231 # Copy qemu emulator binary to chroot
232 cp /usr/bin/qemu-arm-static $R/usr/bin
233
234 # Copy debian-archive-keyring.pgp
235 chroot $R mkdir -p /usr/share/keyrings
236 cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
237
238 # Complete the bootstrapping process
239 chroot $R /debootstrap/debootstrap --second-stage
240
241 # Mount required filesystems
242 mount -t proc none $R/proc
243 mount -t sysfs none $R/sys
244 mount --bind /dev/pts $R/dev/pts
245
246 # Use proxy inside chroot
247 if [ -z "$APT_PROXY" ] ; then
248 echo "Acquire::http::Proxy \"$APT_PROXY\";" >> $R/etc/apt/apt.conf.d/10proxy
249 fi
250
251 # Pin package flash-kernel to repositories.collabora.co.uk
252 cat <<EOM >$R/etc/apt/preferences.d/flash-kernel
253 Package: flash-kernel
254 Pin: origin repositories.collabora.co.uk
255 Pin-Priority: 1000
256 EOM
257
258 # Set up timezone
259 echo ${TIMEZONE} >$R/etc/timezone
260 chroot_exec dpkg-reconfigure -f noninteractive tzdata
261
262 # Upgrade collabora package index and install collabora keyring
263 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
264 chroot_exec apt-get -qq -y update
265 chroot_exec apt-get -qq -y --force-yes install collabora-obs-archive-keyring
266
267 # Set up initial sources.list
268 cat <<EOM >$R/etc/apt/sources.list
269 deb http://${APT_SERVER}/debian ${RELEASE} main contrib
270 #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib
271
272 deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
273 #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
274
275 deb http://security.debian.org/ ${RELEASE}/updates main contrib
276 #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib
277
278 deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
279 EOM
280
281 # Upgrade package index and update all installed packages and changed dependencies
282 chroot_exec apt-get -qq -y update
283 chroot_exec apt-get -qq -y -u dist-upgrade
284
285 # Set up default locale and keyboard configuration
286 if [ "$ENABLE_MINBASE" = false ] ; then
287 # Set locale choice in debconf db, even though dpkg-reconfigure ignores and overwrites them due to some bug
288 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684134 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685957
289 # ... so we have to set locales manually
290 if [ "$DEFLOCAL" = "en_US.UTF-8" ] ; then
291 chroot_exec echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections
292 else
293 # en_US.UTF-8 should be available anyway : https://www.debian.org/doc/manuals/debian-reference/ch08.en.html#_the_reconfiguration_of_the_locale
294 chroot_exec echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections
295 chroot_exec sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen
296 fi
297 chroot_exec sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen
298 chroot_exec echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections
299 chroot_exec locale-gen
300 chroot_exec update-locale LANG=${DEFLOCAL}
301
302 # Keyboard configuration, if requested
303 if [ "$XKBMODEL" != "" ] ; then
304 chroot_exec sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKBMODEL}\"/" /etc/default/keyboard
305 fi
306 if [ "$XKBLAYOUT" != "" ] ; then
307 chroot_exec sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKBLAYOUT}\"/" /etc/default/keyboard
308 fi
309 if [ "$XKBVARIANT" != "" ] ; then
310 chroot_exec sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKBVARIANT}\"/" /etc/default/keyboard
311 fi
312 if [ "$XKBOPTIONS" != "" ] ; then
313 chroot_exec sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKBOPTIONS}\"/" /etc/default/keyboard
314 fi
315 chroot_exec dpkg-reconfigure -f noninteractive keyboard-configuration
316 # Set up font console
317 case "${DEFLOCAL}" in
318 *UTF-8)
319 chroot_exec sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' /etc/default/console-setup
320 ;;
321 *)
322 chroot_exec sed -i 's/^CHARMAP.*/CHARMAP="guess"/' /etc/default/console-setup
323 ;;
324 esac
325 chroot_exec dpkg-reconfigure -f noninteractive console-setup
326 fi
327
328 # Fetch and build latest raspberry kernel
329 if [ "$BUILD_KERNEL" = true ] ; then
330 # Fetch current raspberrypi kernel sources
331 git -C $R/tmp clone --depth=1 https://github.com/raspberrypi/linux
332
333 # Load default raspberry kernel configuration
334 make -C $R/tmp/linux ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- bcm2709_defconfig
335
336 # Cross compile kernel and modules
337 make -C $R/tmp/linux -j 8 ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- zImage modules dtbs
338
339 # Install kernel modules
340 make -C $R/tmp/linux ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- INSTALL_MOD_PATH=../.. modules_install
341
342 # Copy and rename compiled kernel to boot directory
343 mkdir $R/boot/firmware/
344 $R/tmp/linux/scripts/mkknlimg $R/tmp/linux/arch/arm/boot/zImage $R/boot/firmware/kernel7.img
345
346 # Copy dts and dtb device definitions
347 mkdir $R/boot/firmware/overlays/
348 cp $R/tmp/linux/arch/arm/boot/dts/*.dtb $R/boot/firmware/
349 cp $R/tmp/linux/arch/arm/boot/dts/overlays/*.dtb* $R/boot/firmware/overlays/
350 cp $R/tmp/linux/arch/arm/boot/dts/overlays/README $R/boot/firmware/overlays/
351
352 # Install raspberry bootloader and flash-kernel
353 chroot_exec apt-get -qq -y --no-install-recommends install raspberrypi-bootloader-nokernel
354 else
355 # Kernel installation
356 chroot_exec apt-get -qq -y --no-install-recommends install linux-image-${KERNEL} raspberrypi-bootloader-nokernel
357
358 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
359 chroot_exec apt-get -qq -y install flash-kernel
360
361 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
362 [ -z "$VMLINUZ" ] && exit 1
363 cp $VMLINUZ $R/boot/firmware/kernel7.img
364 fi
365
366 # Set up IPv4 hosts
367 echo ${HOSTNAME} >$R/etc/hostname
368 cat <<EOM >$R/etc/hosts
369 127.0.0.1 localhost
370 127.0.1.1 ${HOSTNAME}
371 EOM
372 if [ "$NET_ADDRESS" != "" ] ; then
373 NET_IP=$(echo ${NET_ADDRESS} | cut -f 1 -d'/')
374 sed -i "s/^127.0.1.1/${NET_IP}/" $R/etc/hosts
375 fi
376
377 # Set up IPv6 hosts
378 if [ "$ENABLE_IPV6" = true ] ; then
379 cat <<EOM >>$R/etc/hosts
380
381 ::1 localhost ip6-localhost ip6-loopback
382 ff02::1 ip6-allnodes
383 ff02::2 ip6-allrouters
384 EOM
385 fi
386
387 # Place hint about network configuration
388 cat <<EOM >$R/etc/network/interfaces
389 # Debian switched to systemd-networkd configuration files.
390 # please configure your networks in '/etc/systemd/network/'
391 EOM
392
393 if [ "$ENABLE_DHCP" = true ] ; then
394 # Enable systemd-networkd DHCP configuration for interface eth0
395 cat <<EOM >$R/etc/systemd/network/eth.network
396 [Match]
397 Name=eth0
398
399 [Network]
400 DHCP=yes
401 EOM
402
403 # Set DHCP configuration to IPv4 only
404 if [ "$ENABLE_IPV6" = false ] ; then
405 sed -i "s/^DHCP=yes/DHCP=v4/" $R/etc/systemd/network/eth.network
406 fi
407 else # ENABLE_DHCP=false
408 cat <<EOM >$R/etc/systemd/network/eth.network
409 [Match]
410 Name=eth0
411
412 [Network]
413 DHCP=no
414 Address=${NET_ADDRESS}
415 Gateway=${NET_GATEWAY}
416 DNS=${NET_DNS_1}
417 DNS=${NET_DNS_2}
418 Domains=${NET_DNS_DOMAINS}
419 NTP=${NET_NTP_1}
420 NTP=${NET_NTP_2}
421 EOM
422 fi
423
424 # Enable systemd-networkd service
425 chroot_exec systemctl enable systemd-networkd
426
427 # Generate crypt(3) password string
428 ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
429
430 # Set up default user
431 if [ "$ENABLE_USER" = true ] ; then
432 chroot_exec adduser --gecos pi --add_extra_groups --disabled-password pi
433 chroot_exec usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
434 fi
435
436 # Set up root password or not
437 if [ "$ENABLE_ROOT" = true ]; then
438 chroot_exec usermod -p "${ENCRYPTED_PASSWORD}" root
439
440 if [ "$ENABLE_ROOT_SSH" = true ]; then
441 sed -i 's|[#]*PermitRootLogin.*|PermitRootLogin yes|g' $R/etc/ssh/sshd_config
442 fi
443 else
444 chroot_exec usermod -p \'!\' root
445 fi
446
447 # Set up firmware boot cmdline
448 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
449
450 # Set up serial console support (if requested)
451 if [ "$ENABLE_CONSOLE" = true ] ; then
452 CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
453 fi
454
455 # Set up IPv6 networking support
456 if [ "$ENABLE_IPV6" = false ] ; then
457 CMDLINE="${CMDLINE} ipv6.disable=1"
458 fi
459
460 echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
461
462 # Set up firmware config
463 install -o root -g root -m 644 files/config.txt $R/boot/firmware/config.txt
464
465 # Load snd_bcm2835 kernel module at boot time
466 if [ "$ENABLE_SOUND" = true ] ; then
467 echo "snd_bcm2835" >>$R/etc/modules
468 fi
469
470 # Set smallest possible GPU memory allocation size: 16MB (no X)
471 if [ "$ENABLE_MINGPU" = true ] ; then
472 echo "gpu_mem=16" >>$R/boot/firmware/config.txt
473 fi
474
475 # Create symlinks
476 ln -sf firmware/config.txt $R/boot/config.txt
477 ln -sf firmware/cmdline.txt $R/boot/cmdline.txt
478
479 # Prepare modules-load.d directory
480 mkdir -p $R/lib/modules-load.d/
481
482 # Load random module on boot
483 if [ "$ENABLE_HWRANDOM" = true ] ; then
484 cat <<EOM >$R/lib/modules-load.d/rpi2.conf
485 bcm2708_rng
486 EOM
487 fi
488
489 # Prepare modprobe.d directory
490 mkdir -p $R/etc/modprobe.d/
491
492 # Blacklist sound modules
493 install -o root -g root -m 644 files/modprobe.d/raspi-blacklist.conf $R/etc/modprobe.d/raspi-blacklist.conf
494
495 # Create default fstab
496 install -o root -g root -m 644 files/fstab $R/etc/fstab
497
498 # Avoid swapping and increase cache sizes
499 install -o root -g root -m 644 files/sysctl.d/81-rpi-vm.conf $R/etc/sysctl.d/81-rpi-vm.conf
500
501 # Enable network stack hardening
502 if [ "$ENABLE_HARDNET" = true ] ; then
503 install -o root -g root -m 644 files/sysctl.d/81-rpi-net-hardening.conf $R/etc/sysctl.d/81-rpi-net-hardening.conf
504
505 # Enable resolver warnings about spoofed addresses
506 cat <<EOM >>$R/etc/host.conf
507 spoof warn
508 EOM
509 fi
510
511 # First boot actions
512 cat files/firstboot/10-begin.sh > $R/etc/rc.firstboot
513
514 # Ensure openssh server host keys are regenerated on first boot
515 if [ "$ENABLE_SSHD" = true ] ; then
516 cat files/firstboot/21-generate-ssh-keys.sh >> $R/etc/rc.firstboot
517 rm -f $R/etc/ssh/ssh_host_*
518 fi
519
520 if [ "$EXPANDROOT" = true ] ; then
521 cat files/firstboot/22-expandroot.sh >> $R/etc/rc.firstboot
522 fi
523
524 cat files/firstboot/99-finish.sh >> $R/etc/rc.firstboot
525 chmod +x $R/etc/rc.firstboot
526
527 sed -i '/exit 0/d' $R/etc/rc.local
528 echo /etc/rc.firstboot >> $R/etc/rc.local
529 echo exit 0 >> $R/etc/rc.local
530
531 # Disable rsyslog
532 if [ "$ENABLE_RSYSLOG" = false ]; then
533 sed -i 's|[#]*ForwardToSyslog=yes|ForwardToSyslog=no|g' $R/etc/systemd/journald.conf
534 chroot_exec systemctl disable rsyslog
535 chroot_exec apt-get purge -q -y --force-yes rsyslog
536 fi
537
538 # Enable serial console systemd style
539 if [ "$ENABLE_CONSOLE" = true ] ; then
540 chroot_exec systemctl enable serial-getty\@ttyAMA0.service
541 fi
542
543 # Enable firewall based on iptables started by systemd service
544 if [ "$ENABLE_IPTABLES" = true ] ; then
545 # Create iptables configuration directory
546 mkdir -p "$R/etc/iptables"
547
548 # Create iptables systemd service
549 install -o root -g root -m 644 files/iptables/iptables.service $R/etc/systemd/system/iptables.service
550
551 # Create flush-table script called by iptables service
552 install -o root -g root -m 755 files/iptables/flush-iptables.sh $R/etc/iptables/flush-iptables.sh
553
554 # Create iptables rule file
555 install -o root -g root -m 644 files/iptables/iptables.rules $R/etc/iptables/iptables.rules
556
557 # Reload systemd configuration and enable iptables service
558 chroot_exec systemctl daemon-reload
559 chroot_exec systemctl enable iptables.service
560
561 if [ "$ENABLE_IPV6" = true ] ; then
562 # Create ip6tables systemd service
563 install -o root -g root -m 644 files/iptables/ip6tables.service $R/etc/systemd/system/ip6tables.service
564
565 # Create ip6tables file
566 install -o root -g root -m 755 files/iptables/flush-ip6tables.sh $R/etc/iptables/flush-ip6tables.sh
567
568 install -o root -g root -m 644 files/iptables/ip6tables.rules $R/etc/iptables/ip6tables.rules
569
570 # Reload systemd configuration and enable iptables service
571 chroot_exec systemctl daemon-reload
572 chroot_exec systemctl enable ip6tables.service
573 fi
574 fi
575
576 # Remove SSHD related iptables rules
577 if [ "$ENABLE_SSHD" = false ] ; then
578 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/iptables.rules 2> /dev/null
579 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/ip6tables.rules 2> /dev/null
580 fi
581
582 # Install gcc/c++ build environment inside the chroot
583 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
584 chroot_exec apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
585 fi
586
587 # Fetch and build U-Boot bootloader
588 if [ "$ENABLE_UBOOT" = true ] ; then
589 # Fetch U-Boot bootloader sources
590 git -C $R/tmp clone git://git.denx.de/u-boot.git
591
592 # Build and install U-Boot inside chroot
593 chroot_exec make -C /tmp/u-boot/ rpi_2_defconfig all
594
595 # Copy compiled bootloader binary and set config.txt to load it
596 cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
597 printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
598
599 # Set U-Boot command file
600 cat <<EOM >$R/boot/firmware/uboot.mkimage
601 # Tell Linux that it is booting on a Raspberry Pi2
602 setenv machid 0x00000c42
603
604 # Set the kernel boot command line
605 setenv bootargs "earlyprintk ${CMDLINE}"
606
607 # Save these changes to u-boot's environment
608 saveenv
609
610 # Load the existing Linux kernel into RAM
611 fatload mmc 0:1 \${kernel_addr_r} kernel7.img
612
613 # Boot the kernel we have just loaded
614 bootz \${kernel_addr_r}
615 EOM
616
617 # Generate U-Boot image from command file
618 chroot_exec mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
619 fi
620
621 # Fetch and build fbturbo Xorg driver
622 if [ "$ENABLE_FBTURBO" = true ] ; then
623 # Fetch fbturbo driver sources
624 git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git
625
626 # Install Xorg build dependencies
627 chroot_exec apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
628
629 # Build and install fbturbo driver inside chroot
630 chroot_exec /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install"
631
632 # Add fbturbo driver to Xorg configuration
633 cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf
634 Section "Device"
635 Identifier "Allwinner A10/A13 FBDEV"
636 Driver "fbturbo"
637 Option "fbdev" "/dev/fb0"
638 Option "SwapbuffersWait" "true"
639 EndSection
640 EOM
641
642 # Remove Xorg build dependencies
643 chroot_exec apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
644 fi
645
646 # Remove gcc/c++ build environment from the chroot
647 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
648 chroot_exec apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
649 fi
650
211
651 # Clean cached downloads
212 for i in custom.d/*.sh; do
652 chroot_exec apt-get -y clean
213 . $i
653 chroot_exec apt-get -y autoclean
214 done
654 chroot_exec apt-get -y autoremove
655
215
656 # Invoke custom scripts
216 # Invoke custom scripts
657 if [ -n "${CHROOT_SCRIPTS}" ]; then
217 if [ -n "${CHROOT_SCRIPTS}" ]; then
658 cp -r "${CHROOT_SCRIPTS}" "${R}/chroot_scripts"
218 cp -r "${CHROOT_SCRIPTS}" "${R}/chroot_scripts"
659 LANG=C chroot $R bash -c 'for SCRIPT in /chroot_scripts/*; do if [ -f $SCRIPT -a -x $SCRIPT ]; then $SCRIPT; fi done;'
219 LANG=C chroot $R bash -c 'for SCRIPT in /chroot_scripts/*; do if [ -f $SCRIPT -a -x $SCRIPT ]; then $SCRIPT; fi done;'
660 rm -rf "${R}/chroot_scripts"
220 rm -rf "${R}/chroot_scripts"
661 fi
221 fi
662
222
223 ## Cleanup
224 chroot_exec apt-get -y clean
225 chroot_exec apt-get -y autoclean
226 chroot_exec apt-get -y autoremove
227
663 # Unmount mounted filesystems
228 # Unmount mounted filesystems
664 umount -l $R/proc
229 umount -l $R/proc
665 umount -l $R/sys
230 umount -l $R/sys
666
231
667 # Clean up files
232 # Clean up files
668 rm -f $R/etc/apt/sources.list.save
233 rm -f $R/etc/apt/sources.list.save
669 rm -f $R/etc/resolvconf/resolv.conf.d/original
234 rm -f $R/etc/resolvconf/resolv.conf.d/original
670 rm -rf $R/run
235 rm -rf $R/run
671 mkdir -p $R/run
236 mkdir -p $R/run
672 rm -f $R/etc/*-
237 rm -f $R/etc/*-
673 rm -f $R/root/.bash_history
238 rm -f $R/root/.bash_history
674 rm -rf $R/tmp/*
239 rm -rf $R/tmp/*
675 rm -f $R/var/lib/urandom/random-seed
240 rm -f $R/var/lib/urandom/random-seed
676 [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id
241 [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id
677 rm -f $R/etc/machine-id
242 rm -f $R/etc/machine-id
678 rm -fr $R/etc/apt/apt.conf.d/10proxy
243 rm -fr $R/etc/apt/apt.conf.d/10proxy
244 rm -f $R/etc/resolv.conf
679
245
680 # Calculate size of the chroot directory in KB
246 # Calculate size of the chroot directory in KB
681 CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'`)
247 CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'`)
682
248
683 # Calculate the amount of needed 512 Byte sectors
249 # Calculate the amount of needed 512 Byte sectors
684 TABLE_SECTORS=$(expr 1 \* 1024 \* 1024 \/ 512)
250 TABLE_SECTORS=$(expr 1 \* 1024 \* 1024 \/ 512)
685 BOOT_SECTORS=$(expr 64 \* 1024 \* 1024 \/ 512)
251 BOOT_SECTORS=$(expr 64 \* 1024 \* 1024 \/ 512)
686 ROOT_OFFSET=$(expr ${TABLE_SECTORS} + ${BOOT_SECTORS})
252 ROOT_OFFSET=$(expr ${TABLE_SECTORS} + ${BOOT_SECTORS})
687
253
688 # The root partition is EXT4
254 # The root partition is EXT4
689 # This means more space than the actual used space of the chroot is used.
255 # This means more space than the actual used space of the chroot is used.
690 # As overhead for journaling and reserved blocks 20% are added.
256 # As overhead for journaling and reserved blocks 20% are added.
691 ROOT_SECTORS=$(expr $(expr ${CHROOT_SIZE} + ${CHROOT_SIZE} \/ 100 \* 20) \* 1024 \/ 512)
257 ROOT_SECTORS=$(expr $(expr ${CHROOT_SIZE} + ${CHROOT_SIZE} \/ 100 \* 20) \* 1024 \/ 512)
692
258
693 # Calculate required image size in 512 Byte sectors
259 # Calculate required image size in 512 Byte sectors
694 IMAGE_SECTORS=$(expr ${TABLE_SECTORS} + ${BOOT_SECTORS} + ${ROOT_SECTORS})
260 IMAGE_SECTORS=$(expr ${TABLE_SECTORS} + ${BOOT_SECTORS} + ${ROOT_SECTORS})
695
261
696 # Prepare date string for image file name
262 # Prepare date string for image file name
697 DATE="$(date +%Y-%m-%d)"
263 DATE="$(date +%Y-%m-%d)"
698
264
699 # Prepare image file
265 # Prepare image file
700 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count=${TABLE_SECTORS}
266 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count=${TABLE_SECTORS}
701 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count=0 seek=${IMAGE_SECTORS}
267 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count=0 seek=${IMAGE_SECTORS}
702
268
703 # Write partition table
269 # Write partition table
704 sfdisk -q -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
270 sfdisk -q -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
705 unit: sectors
271 unit: sectors
706
272
707 1 : start= ${TABLE_SECTORS}, size= ${BOOT_SECTORS}, Id= c, bootable
273 1 : start= ${TABLE_SECTORS}, size= ${BOOT_SECTORS}, Id= c, bootable
708 2 : start= ${ROOT_OFFSET}, size= ${ROOT_SECTORS}, Id=83
274 2 : start= ${ROOT_OFFSET}, size= ${ROOT_SECTORS}, Id=83
709 3 : start= 0, size= 0, Id= 0
275 3 : start= 0, size= 0, Id= 0
710 4 : start= 0, size= 0, Id= 0
276 4 : start= 0, size= 0, Id= 0
711 EOM
277 EOM
712
278
713 # Set up temporary loop devices and build filesystems
279 # Set up temporary loop devices and build filesystems
714 VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
280 VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
715 EXT4_LOOP="$(losetup -o 65M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
281 EXT4_LOOP="$(losetup -o 65M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
716 mkfs.vfat "$VFAT_LOOP"
282 mkfs.vfat "$VFAT_LOOP"
717 mkfs.ext4 "$EXT4_LOOP"
283 mkfs.ext4 "$EXT4_LOOP"
718
284
719 # Mount the temporary loop devices
285 # Mount the temporary loop devices
720 mkdir -p "$BUILDDIR/mount"
286 mkdir -p "$BUILDDIR/mount"
721 mount "$EXT4_LOOP" "$BUILDDIR/mount"
287 mount "$EXT4_LOOP" "$BUILDDIR/mount"
722
288
723 mkdir -p "$BUILDDIR/mount/boot/firmware"
289 mkdir -p "$BUILDDIR/mount/boot/firmware"
724 mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"
290 mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"
725
291
726 # Copy all files from the chroot to the loop device mount point directory
292 # Copy all files from the chroot to the loop device mount point directory
727 rsync -a "$R/" "$BUILDDIR/mount/"
293 rsync -a "$R/" "$BUILDDIR/mount/"
728
294
729 # Unmount all temporary loop devices and mount points
295 # Unmount all temporary loop devices and mount points
730 cleanup
296 cleanup
731
297
732 # (optinal) create block map file for "bmaptool"
298 # (optinal) create block map file for "bmaptool"
733 bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
299 bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
734
300
735 # Image was successfully created
301 # Image was successfully created
736 echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"
302 echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"