Option to expand partition and rootfs on first boot...
Filip Pytloun -
r46:33668aa2768a
@@ -1,152 +1,155
1 1 # rpi2-gen-image
2 2 ## Introduction
3 3 `rpi2-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for the Raspberry 2 (RPi2) computer. The script at this time only supports the bootstrapping of the current stable Debian 8 "jessie" release.
4 4
5 5 ## Build dependencies
6 6 The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user.
7 7
8 8 ```debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core```
9 9
10 10 ## Command-line parameters
11 11 The script accepts certain command-line parameters to enable or disable specific OS features, services and configuration settings. These parameters are passed to the `rpi2-gen-image.sh` script via (simple) shell-variables. Unlike environment shell-variables (simple) shell-variables are defined at the beginning of the command-line call of the `rpi2-gen-image.sh` script.
12 12
13 13 #####Command-line examples:
14 14 ```shell
15 15 ENABLE_UBOOT=true ./rpi2-gen-image.sh
16 16 ENABLE_CONSOLE=false ENABLE_IPV6=false ./rpi2-gen-image.sh
17 17 ENABLE_WM=xfce4 ENABLE_FBTURBO=true ENABLE_MINBASE=true ./rpi2-gen-image.sh
18 18 ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi2-gen-image.sh
19 19 APT_SERVER=ftp.de.debian.org APT_PROXY="http://127.0.0.1:3142/" ./rpi2-gen-image.sh
20 20 ENABLE_MINBASE=true ./rpi2-gen-image.sh
21 21 ```
22 22
23 23 #### APT settings:
24 24 ##### `APT_SERVER`="ftp.debian.org"
25 25 Set Debian packages server address. Choose a server from the list of Debian worldwide [mirror sites](https://www.debian.org/mirror/list). Using a nearby server will probably speed-up all required downloads within the bootstrapping process.
26 26
27 27 ##### `APT_PROXY`=""
28 28 Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once.
29 29
30 30 ##### `APT_INCLUDES`=""
31 31 A comma seperated list of additional packages to be installed during bootstrapping.
32 32
33 33 #### General system settings:
34 34 ##### `HOSTNAME`="rpi2-jessie"
35 35 Set system host name. It's recommended that the host name is unique in the corresponding subnet.
36 36
37 37 ##### `PASSWORD`="raspberry"
38 38 Set system `root` password. The same password is used for the created user `pi`. It's **STRONGLY** recommended that you choose a custom password.
39 39
40 40 ##### `DEFLOCAL`="en_US.UTF-8"
41 41 Set default system locale. This setting can also be changed inside the running OS using the `dpkg-reconfigure locales` command. The script variant `minbase` (ENABLE_MINBASE=true) doesn't install `locales`.
42 42
43 43 ##### `TIMEZONE`="Europe/Berlin"
44 44 Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command.
45 45
46 ##### `EXPANDROOT`=true
47 Expand the root partition and filesystem automatically on first boot.
48
46 49 #### Keyboard settings:
47 50 These options are used to configure keyboard layout in `/etc/default/keyboard` for console and Xorg. These settings can also be changed inside the running OS using the `dpkg-reconfigure keyboard-configuration` command.
48 51 ##### `XKBMODEL`=""
49 52 ##### `XKBLAYOUT`=""
50 53 ##### `XKBVARIANT`=""
51 54 ##### `XKBOPTIONS`=""
52 55
53 56 #### Networking settings
54 57 These settings are used to set up networking configuration in `/etc/systemd/network/eth.network`.
55 58
56 59 #####`ENABLE_DHCP`=true
57 60 Set the system to use DHCP. When set to "true", the following `NET_*` settings (used for static configuration) are ignored.
58 61
59 62 #####`NET_ADDRESS`=""
60 63 Set a static IPv4 or IPv6 address and its prefix, separated by "/", eg. "192.169.0.3/24".
61 64
62 65 #####`NET_GATEWAY`=""
63 66 Set the IP address for the default gateway.
64 67
65 68 #####`NET_DNS_1`=""
66 69 Set the IP address for the first DNS server.
67 70
68 71 #####`NET_DNS_2`=""
69 72 Set the IP address for the second DNS server.
70 73
71 74 #####`NET_DNS_DOMAINS`=""
72 75 Set the default DNS search domains to use for non fully qualified host names.
73 76
74 77 #####`NET_NTP_1`=""
75 78 Set the IP address for the first NTP server.
76 79
77 80 #####`NET_NTP_2`=""
78 81 Set the IP address for the second NTP server.
79 82
80 83 #### Basic system features:
81 84 ##### `ENABLE_CONSOLE`=true
82 85 Enable serial console interface. Recommended if no monitor or keyboard is connected to the RPi2. In case of problems fe. if the network (auto) configuration failed - the serial console can be used to access the system.
83 86
84 87 ##### `ENABLE_IPV6`=true
85 88 Enable IPv6 support. The network interface configuration is managed via systemd-networkd.
86 89
87 90 ##### `ENABLE_SSHD`=true
88 91 Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root.
89 92
90 93 ##### `ENABLE_RSYSLOG`=true
91 94 If set to false, disable and uninstall rsyslog (so logs will be available only
92 95 in journal files)
93 96
94 97 ##### `ENABLE_SOUND`=true
95 98 Enable sound hardware and install Advanced Linux Sound Architecture.
96 99
97 100 ##### `ENABLE_HWRANDOM`=true
98 101 Enable Hardware Random Number Generator. Strong random numbers are important for most network based communications that use encryption. It's recommended to be enabled.
99 102
100 103 ##### `ENABLE_MINGPU`=false
101 104 Minimize the amount of shared memory reserved for the GPU. It doesn't seem to be possible to fully disable the GPU.
102 105
103 106 ##### `ENABLE_DBUS`=true
104 107 Install and enable D-Bus message bus. Please note that systemd should work without D-bus but it's recommended to be enabled.
105 108
106 109 ##### `ENABLE_XORG`=false
107 110 Install Xorg open-source X Window System.
108 111
109 112 ##### `ENABLE_WM`=""
110 113 Install a user defined window manager for the X Window System. To make sure all X related package dependencies are getting installed `ENABLE_XORG` will automatically get enabled if `ENABLE_WM` is used. The `rpi2-gen-image.sh` script has been tested with the following list of window managers: `blackbox`, `openbox`, `fluxbox`, `jwm`, `dwm`, `xfce4`, `awesome`.
111 114
112 115 #### Advanced sytem features:
113 116 ##### `ENABLE_MINBASE`=false
114 117 Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB.
115 118
116 119 ##### `ENABLE_UBOOT`=false
117 120 Replace default RPi2 second stage bootloader (bootcode.bin) with U-Boot bootloader. U-Boot can boot images via the network using the BOOTP/TFTP protocol.
118 121
119 122 ##### `ENABLE_FBTURBO`=false
120 123 Install and enable the hardware accelerated Xorg video driver `fbturbo`. Please note that this driver is currently limited to hardware accelerated window moving and scrolling.
121 124
122 125 ##### `ENABLE_IPTABLES`=false
123 126 Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service.
124 127
125 128 ##### `ENABLE_USER`=true
126 129 Create pi user with password raspberry
127 130
128 131 ##### `ENABLE_ROOT`=true
129 132 Set root user password so root login will be enabled
130 133
131 134 ##### `ENABLE_ROOT_SSH`=true
132 135 Enable password root login via SSH. May be a security risk with default
133 136 password, use only in trusted environments.
134 137
135 138 ##### `ENABLE_HARDNET`=false
136 139 Enable IPv4/IPv6 network stack hardening settings.
137 140
138 141 ## Logging of the bootstrapping process
139 142 All information related to the bootstrapping process and the commands executed by the `rpi2-gen-image.sh` script can easily be saved into a logfile. The common shell command `script` can be used for this purpose:
140 143
141 144 ```shell
142 145 script -c 'APT_SERVER=ftp.de.debian.org ./rpi2-gen-image.sh' ./build.log
143 146 ```
144 147
145 148 ## Flashing the image file
146 149 After the image file was successfully created by the `rpi2-gen-image.sh` script it can be copied to the microSD card that will be used by the RPi2 computer. This can be performed by using the tools `bmaptool` or `dd`. Using `bmaptool` will probably speed-up the copy process because `bmaptool` copies more wisely than `dd`.
147 150
148 151 #####Flashing examples:
149 152 ```shell
150 153 bmaptool copy ./images/jessie/2015-12-13-debian-jessie.img /dev/mmcblk0
151 154 dd bs=4M if=./images/jessie/2015-12-13-debian-jessie.img of=/dev/mmcblk0
152 155 ```
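Review bot: the new `EXPANDROOT`=true entry under "General system settings" documents the switch but none of its preconditions, and a default of true means every image gets the behaviour, so the README should say what the first-boot script actually requires: the root partition must live on mmcblk0 or sda, be partition 1 or 2, and be the last partition on the device (the NOOBS layout is explicitly unsupported), and the option adds `parted` to the packages installed in the image. A short sentence such as "Only simple layouts where the root partition is the last partition on mmcblk0/sda are supported; otherwise the expansion is skipped and a message is logged" would save users a trip into rc.expandroot. While touching this file: the defaults shown for `ENABLE_ROOT`=true and `ENABLE_ROOT_SSH`=true disagree with the script, which sets both to false, and the fourth command-line example is missing its leading `./` (`ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi2-gen-image.sh`).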
@@ -1,951 +1,1016
1 1 #!/bin/sh
2 2
3 3 ########################################################################
4 4 # rpi2-gen-image.sh ver2a 12/2015
5 5 #
6 6 # Advanced debian "jessie" bootstrap script for RPi2
7 7 #
8 8 # This program is free software; you can redistribute it and/or
9 9 # modify it under the terms of the GNU General Public License
10 10 # as published by the Free Software Foundation; either version 2
11 11 # of the License, or (at your option) any later version.
12 12 #
13 13 # some parts based on rpi2-build-image:
14 14 # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
15 15 # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
16 16 ########################################################################
17 17
18 18 # Clean up all temporary mount points
19 19 cleanup (){
20 20 set +x
21 21 set +e
22 22 echo "removing temporary mount points ..."
23 23 umount -l $R/proc 2> /dev/null
24 24 umount -l $R/sys 2> /dev/null
25 25 umount -l $R/dev/pts 2> /dev/null
26 26 umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
27 27 umount "$BUILDDIR/mount" 2> /dev/null
28 28 losetup -d "$EXT4_LOOP" 2> /dev/null
29 29 losetup -d "$VFAT_LOOP" 2> /dev/null
30 30 trap - 0 1 2 3 6
31 31 }
32 32
33 33 # Exec command in chroot
34 34 chroot_exec() {
35 35 LANG=C LC_ALL=C chroot $R $*
36 36 }
37 37
38 38 set -e
39 39 set -x
40 40
41 41 # Debian release
42 42 RELEASE=${RELEASE:=jessie}
43 43 KERNEL=${KERNEL:=3.18.0-trunk-rpi2}
44 44
45 45 # Build settings
46 46 BASEDIR=./images/${RELEASE}
47 47 BUILDDIR=${BASEDIR}/build
48 48
49 49 # General settings
50 50 HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
51 51 PASSWORD=${PASSWORD:=raspberry}
52 52 DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
53 53 TIMEZONE=${TIMEZONE:="Europe/Berlin"}
54 54 XKBMODEL=${XKBMODEL:=""}
55 55 XKBLAYOUT=${XKBLAYOUT:=""}
56 56 XKBVARIANT=${XKBVARIANT:=""}
57 57 XKBOPTIONS=${XKBOPTIONS:=""}
58 EXPANDROOT=${EXPANDROOT:=true}
58 59
59 60 # Network settings
60 61 ENABLE_DHCP=${ENABLE_DHCP:=true}
61 62 # NET_* settings are ignored when ENABLE_DHCP=true
62 63 # NET_ADDRESS is an IPv4 or IPv6 address and its prefix, separated by "/"
63 64 NET_ADDRESS=${NET_ADDRESS:=""}
64 65 NET_GATEWAY=${NET_GATEWAY:=""}
65 66 NET_DNS_1=${NET_DNS_1:=""}
66 67 NET_DNS_2=${NET_DNS_2:=""}
67 68 NET_DNS_DOMAINS=${NET_DNS_DOMAINS:=""}
68 69 NET_NTP_1=${NET_NTP_1:=""}
69 70 NET_NTP_2=${NET_NTP_2:=""}
70 71
71 72 # APT settings
72 73 APT_PROXY=${APT_PROXY:=""}
73 74 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
74 75
75 76 # Feature settings
76 77 ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
77 78 ENABLE_IPV6=${ENABLE_IPV6:=true}
78 79 ENABLE_SSHD=${ENABLE_SSHD:=true}
79 80 ENABLE_SOUND=${ENABLE_SOUND:=true}
80 81 ENABLE_DBUS=${ENABLE_DBUS:=true}
81 82 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
82 83 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
83 84 ENABLE_XORG=${ENABLE_XORG:=false}
84 85 ENABLE_WM=${ENABLE_WM:=""}
85 86 ENABLE_RSYSLOG=${ENABLE_RSYSLOG:=true}
86 87 ENABLE_USER=${ENABLE_USER:=true}
87 88 ENABLE_ROOT=${ENABLE_ROOT:=false}
88 89 ENABLE_ROOT_SSH=${ENABLE_ROOT_SSH:=false}
89 90
90 91 # Advanced settings
91 92 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
92 93 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
93 94 ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
94 95 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
95 96 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
96 97
97 98 # Image chroot path
98 99 R=${BUILDDIR}/chroot
99 100
100 101 # Packages required for bootstrapping
101 102 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git-core"
102 103
103 104 # Missing packages that need to be installed
104 105 MISSING_PACKAGES=""
105 106
106 107 # Packages required in the chroot build environment
107 108 APT_INCLUDES=${APT_INCLUDES:=""}
108 109 APT_INCLUDES="${APT_INCLUDES},apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo"
109 110
110 111 set +x
111 112
112 113 # Are we running as root?
113 114 if [ "$(id -u)" -ne "0" ] ; then
114 115 echo "this script must be executed with root privileges"
115 116 exit 1
116 117 fi
117 118
118 119 # Check if all required packages are installed
119 120 for package in $REQUIRED_PACKAGES ; do
120 121 if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
121 122 MISSING_PACKAGES="$MISSING_PACKAGES $package"
122 123 fi
123 124 done
124 125
125 126 # Ask if missing packages should get installed right now
126 127 if [ -n "$MISSING_PACKAGES" ] ; then
127 128 echo "the following packages needed by this script are not installed:"
128 129 echo "$MISSING_PACKAGES"
129 130
130 131 echo -n "\ndo you want to install the missing packages right now? [y/n] "
131 132 read confirm
132 133 if [ "$confirm" != "y" ] ; then
133 134 exit 1
134 135 fi
135 136 fi
136 137
137 138 # Make sure all required packages are installed
138 139 apt-get -qq -y install ${REQUIRED_PACKAGES}
139 140
140 141 # Don't clobber an old build
141 142 if [ -e "$BUILDDIR" ]; then
142 143 echo "directory $BUILDDIR already exists, not proceeding"
143 144 exit 1
144 145 fi
145 146
146 147 set -x
147 148
148 149 # Call "cleanup" function on various signals and errors
149 150 trap cleanup 0 1 2 3 6
150 151
151 152 # Set up chroot directory
152 153 mkdir -p $R
153 154
154 155 # Add required packages for the minbase installation
155 156 if [ "$ENABLE_MINBASE" = true ] ; then
156 157 APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools"
157 158 else
158 159 APT_INCLUDES="${APT_INCLUDES},locales,keyboard-configuration,console-setup"
159 160 fi
160 161
162 # Add parted package, required to get partprobe utility
163 if [ "$EXPANDROOT" = true ] ; then
164 APT_INCLUDES="${APT_INCLUDES},parted"
165 fi
166
161 167 # Add dbus package, recommended if using systemd
162 168 if [ "$ENABLE_DBUS" = true ] ; then
163 169 APT_INCLUDES="${APT_INCLUDES},dbus"
164 170 fi
165 171
166 172 # Add iptables IPv4/IPv6 package
167 173 if [ "$ENABLE_IPTABLES" = true ] ; then
168 174 APT_INCLUDES="${APT_INCLUDES},iptables"
169 175 fi
170 176
171 177 # Add openssh server package
172 178 if [ "$ENABLE_SSHD" = true ] ; then
173 179 APT_INCLUDES="${APT_INCLUDES},openssh-server"
174 180 fi
175 181
176 182 # Add alsa-utils package
177 183 if [ "$ENABLE_SOUND" = true ] ; then
178 184 APT_INCLUDES="${APT_INCLUDES},alsa-utils"
179 185 fi
180 186
181 187 # Add rng-tools package
182 188 if [ "$ENABLE_HWRANDOM" = true ] ; then
183 189 APT_INCLUDES="${APT_INCLUDES},rng-tools"
184 190 fi
185 191
186 192 if [ "$ENABLE_USER" = true ]; then
187 193 APT_INCLUDES="${APT_INCLUDES},sudo"
188 194 fi
189 195
190 196 # Add fbturbo video driver
191 197 if [ "$ENABLE_FBTURBO" = true ] ; then
192 198 # Enable xorg package dependencies
193 199 ENABLE_XORG=true
194 200 fi
195 201
196 202 # Add user defined window manager package
197 203 if [ -n "$ENABLE_WM" ] ; then
198 204 APT_INCLUDES="${APT_INCLUDES},${ENABLE_WM}"
199 205
200 206 # Enable xorg package dependencies
201 207 ENABLE_XORG=true
202 208 fi
203 209
204 210 # Add xorg package
205 211 if [ "$ENABLE_XORG" = true ] ; then
206 212 APT_INCLUDES="${APT_INCLUDES},xorg"
207 213 fi
208 214
209 215 # Base debootstrap (unpack only)
210 216 if [ "$ENABLE_MINBASE" = true ] ; then
211 217 http_proxy=${APT_PROXY} debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
212 218 else
213 219 http_proxy=${APT_PROXY} debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
214 220 fi
215 221
216 222 # Copy qemu emulator binary to chroot
217 223 cp /usr/bin/qemu-arm-static $R/usr/bin
218 224
219 225 # Copy debian-archive-keyring.pgp
220 226 chroot $R mkdir -p /usr/share/keyrings
221 227 cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
222 228
223 229 # Complete the bootstrapping process
224 230 chroot $R /debootstrap/debootstrap --second-stage
225 231
226 232 # Mount required filesystems
227 233 mount -t proc none $R/proc
228 234 mount -t sysfs none $R/sys
229 235 mount --bind /dev/pts $R/dev/pts
230 236
231 237 # Use proxy inside chroot
232 238 if [ -z "$APT_PROXY" ] ; then
233 239 echo "Acquire::http::Proxy \"$APT_PROXY\";" >> $R/etc/apt/apt.conf.d/10proxy
234 240 fi
235 241
236 242 # Pin package flash-kernel to repositories.collabora.co.uk
237 243 cat <<EOM >$R/etc/apt/preferences.d/flash-kernel
238 244 Package: flash-kernel
239 245 Pin: origin repositories.collabora.co.uk
240 246 Pin-Priority: 1000
241 247 EOM
242 248
243 249 # Set up timezone
244 250 echo ${TIMEZONE} >$R/etc/timezone
245 251 chroot_exec dpkg-reconfigure -f noninteractive tzdata
246 252
247 253 # Upgrade collabora package index and install collabora keyring
248 254 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
249 255 chroot_exec apt-get -qq -y update
250 256 chroot_exec apt-get -qq -y --force-yes install collabora-obs-archive-keyring
251 257
252 258 # Set up initial sources.list
253 259 cat <<EOM >$R/etc/apt/sources.list
254 260 deb http://${APT_SERVER}/debian ${RELEASE} main contrib
255 261 #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib
256 262
257 263 deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
258 264 #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
259 265
260 266 deb http://security.debian.org/ ${RELEASE}/updates main contrib
261 267 #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib
262 268
263 269 deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
264 270 EOM
265 271
266 272 # Upgrade package index and update all installed packages and changed dependencies
267 273 chroot_exec apt-get -qq -y update
268 274 chroot_exec apt-get -qq -y -u dist-upgrade
269 275
270 276 # Set up default locale and keyboard configuration
271 277 if [ "$ENABLE_MINBASE" = false ] ; then
272 278 # Set locale choice in debconf db, even though dpkg-reconfigure ignores and overwrites them due to some bug
273 279 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684134 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685957
274 280 # ... so we have to set locales manually
275 281 if [ "$DEFLOCAL" = "en_US.UTF-8" ] ; then
276 282 chroot_exec echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections
277 283 else
278 284 # en_US.UTF-8 should be available anyway : https://www.debian.org/doc/manuals/debian-reference/ch08.en.html#_the_reconfiguration_of_the_locale
279 285 chroot_exec echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections
280 286 chroot_exec sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen
281 287 fi
282 288 chroot_exec sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen
283 289 chroot_exec echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections
284 290 chroot_exec locale-gen
285 291 chroot_exec update-locale LANG=${DEFLOCAL}
286 292
287 293 # Keyboard configuration, if requested
288 294 if [ "$XKBMODEL" != "" ] ; then
289 295 chroot_exec sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKBMODEL}\"/" /etc/default/keyboard
290 296 fi
291 297 if [ "$XKBLAYOUT" != "" ] ; then
292 298 chroot_exec sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKBLAYOUT}\"/" /etc/default/keyboard
293 299 fi
294 300 if [ "$XKBVARIANT" != "" ] ; then
295 301 chroot_exec sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKBVARIANT}\"/" /etc/default/keyboard
296 302 fi
297 303 if [ "$XKBOPTIONS" != "" ] ; then
298 304 chroot_exec sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKBOPTIONS}\"/" /etc/default/keyboard
299 305 fi
300 306 chroot_exec dpkg-reconfigure -f noninteractive keyboard-configuration
301 307 # Set up font console
302 308 case "${DEFLOCAL}" in
303 309 *UTF-8)
304 310 chroot_exec sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' /etc/default/console-setup
305 311 ;;
306 312 *)
307 313 chroot_exec sed -i 's/^CHARMAP.*/CHARMAP="guess"/' /etc/default/console-setup
308 314 ;;
309 315 esac
310 316 chroot_exec dpkg-reconfigure -f noninteractive console-setup
311 317 fi
312 318
313 319 # Kernel installation
314 320 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
315 321 chroot_exec apt-get -qq -y --no-install-recommends install linux-image-${KERNEL} raspberrypi-bootloader-nokernel
316 322 chroot_exec apt-get -qq -y install flash-kernel
317 323
318 324 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
319 325 [ -z "$VMLINUZ" ] && exit 1
320 326 cp $VMLINUZ $R/boot/firmware/kernel7.img
321 327
322 328 # Set up IPv4 hosts
323 329 echo ${HOSTNAME} >$R/etc/hostname
324 330 cat <<EOM >$R/etc/hosts
325 331 127.0.0.1 localhost
326 332 127.0.1.1 ${HOSTNAME}
327 333 EOM
328 334 if [ "$NET_ADDRESS" != "" ] ; then
329 335 NET_IP=$(echo ${NET_ADDRESS} | cut -f 1 -d'/')
330 336 sed -i "s/^127.0.1.1/${NET_IP}/" $R/etc/hosts
331 337 fi
332 338
333 339 # Set up IPv6 hosts
334 340 if [ "$ENABLE_IPV6" = true ] ; then
335 341 cat <<EOM >>$R/etc/hosts
336 342
337 343 ::1 localhost ip6-localhost ip6-loopback
338 344 ff02::1 ip6-allnodes
339 345 ff02::2 ip6-allrouters
340 346 EOM
341 347 fi
342 348
343 349 # Place hint about network configuration
344 350 cat <<EOM >$R/etc/network/interfaces
345 351 # Debian switched to systemd-networkd configuration files.
346 352 # please configure your networks in '/etc/systemd/network/'
347 353 EOM
348 354
349 355 if [ "$ENABLE_DHCP" = true ] ; then
350 356 # Enable systemd-networkd DHCP configuration for interface eth0
351 357 cat <<EOM >$R/etc/systemd/network/eth.network
352 358 [Match]
353 359 Name=eth0
354 360
355 361 [Network]
356 362 DHCP=yes
357 363 EOM
358 364
359 365 # Set DHCP configuration to IPv4 only
360 366 if [ "$ENABLE_IPV6" = false ] ; then
361 367 sed -i "s/^DHCP=yes/DHCP=v4/" $R/etc/systemd/network/eth.network
362 368 fi
363 369 else # ENABLE_DHCP=false
364 370 cat <<EOM >$R/etc/systemd/network/eth.network
365 371 [Match]
366 372 Name=eth0
367 373
368 374 [Network]
369 375 DHCP=no
370 376 Address=${NET_ADDRESS}
371 377 Gateway=${NET_GATEWAY}
372 378 DNS=${NET_DNS_1}
373 379 DNS=${NET_DNS_2}
374 380 Domains=${NET_DNS_DOMAINS}
375 381 NTP=${NET_NTP_1}
376 382 NTP=${NET_NTP_2}
377 383 EOM
378 384 fi
379 385
380 386 # Enable systemd-networkd service
381 387 chroot_exec systemctl enable systemd-networkd
382 388
383 389 # Generate crypt(3) password string
384 390 ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
385 391
386 392 # Set up default user
387 393 if [ "$ENABLE_USER" = true ] ; then
388 394 chroot_exec adduser --gecos \"Raspberry PI user\" --add_extra_groups --disabled-password pi
389 395 chroot_exec usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
390 396 fi
391 397
392 398 # Set up root password or not
393 399 if [ "$ENABLE_ROOT" = true ]; then
394 400 chroot_exec usermod -p "${ENCRYPTED_PASSWORD}" root
395 401
396 402 if [ "$ENABLE_ROOT_SSH" = true ]; then
397 403 sed -i 's|[#]*PermitRootLogin.*|PermitRootLogin yes|g' $R/etc/ssh/sshd_config
398 404 fi
399 405 else
400 406 chroot_exec usermod -p \'!\' root
401 407 fi
402 408
403 409 # Set up firmware boot cmdline
404 410 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
405 411
406 412 # Set up serial console support (if requested)
407 413 if [ "$ENABLE_CONSOLE" = true ] ; then
408 414 CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
409 415 fi
410 416
411 417 # Set up IPv6 networking support
412 418 if [ "$ENABLE_IPV6" = false ] ; then
413 419 CMDLINE="${CMDLINE} ipv6.disable=1"
414 420 fi
415 421
416 422 echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
417 423
418 424 # Set up firmware config
419 425 cat <<EOM >$R/boot/firmware/config.txt
420 426 # For more options and information see
421 427 # http://www.raspberrypi.org/documentation/configuration/config-txt.md
422 428 # Some settings may impact device functionality. See link above for details
423 429
424 430 # uncomment if you get no picture on HDMI for a default "safe" mode
425 431 #hdmi_safe=1
426 432
427 433 # uncomment this if your display has a black border of unused pixels visible
428 434 # and your display can output without overscan
429 435 #disable_overscan=1
430 436
431 437 # uncomment the following to adjust overscan. Use positive numbers if console
432 438 # goes off screen, and negative if there is too much border
433 439 #overscan_left=16
434 440 #overscan_right=16
435 441 #overscan_top=16
436 442 #overscan_bottom=16
437 443
438 444 # uncomment to force a console size. By default it will be display's size minus
439 445 # overscan.
440 446 #framebuffer_width=1280
441 447 #framebuffer_height=720
442 448
443 449 # uncomment if hdmi display is not detected and composite is being output
444 450 #hdmi_force_hotplug=1
445 451
446 452 # uncomment to force a specific HDMI mode (this will force VGA)
447 453 #hdmi_group=1
448 454 #hdmi_mode=1
449 455
450 456 # uncomment to force a HDMI mode rather than DVI. This can make audio work in
451 457 # DMT (computer monitor) modes
452 458 #hdmi_drive=2
453 459
454 460 # uncomment to increase signal to HDMI, if you have interference, blanking, or
455 461 # no display
456 462 #config_hdmi_boost=4
457 463
458 464 # uncomment for composite PAL
459 465 #sdtv_mode=2
460 466
461 467 # uncomment to overclock the arm. 700 MHz is the default.
462 468 #arm_freq=800
463 469 EOM
464 470
465 471 # Load snd_bcm2835 kernel module at boot time
466 472 if [ "$ENABLE_SOUND" = true ] ; then
467 473 echo "snd_bcm2835" >>$R/etc/modules
468 474 fi
469 475
470 476 # Set smallest possible GPU memory allocation size: 16MB (no X)
471 477 if [ "$ENABLE_MINGPU" = true ] ; then
472 478 echo "gpu_mem=16" >>$R/boot/firmware/config.txt
473 479 fi
474 480
475 481 # Create symlinks
476 482 ln -sf firmware/config.txt $R/boot/config.txt
477 483 ln -sf firmware/cmdline.txt $R/boot/cmdline.txt
478 484
479 485 # Prepare modules-load.d directory
480 486 mkdir -p $R/lib/modules-load.d/
481 487
482 488 # Load random module on boot
483 489 if [ "$ENABLE_HWRANDOM" = true ] ; then
484 490 cat <<EOM >$R/lib/modules-load.d/rpi2.conf
485 491 bcm2708_rng
486 492 EOM
487 493 fi
488 494
489 495 # Prepare modprobe.d directory
490 496 mkdir -p $R/etc/modprobe.d/
491 497
492 498 # Blacklist sound modules
493 499 cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf
494 500 blacklist snd_soc_core
495 501 blacklist snd_pcm
496 502 blacklist snd_pcm_dmaengine
497 503 blacklist snd_timer
498 504 blacklist snd_compress
499 505 blacklist snd_soc_pcm512x_i2c
500 506 blacklist snd_soc_pcm512x
501 507 blacklist snd_soc_tas5713
502 508 blacklist snd_soc_wm8804
503 509 EOM
504 510
505 511 # Create default fstab
506 512 cat <<EOM >$R/etc/fstab
507 513 /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
508 514 /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
509 515 EOM
510 516
511 517 # Avoid swapping and increase cache sizes
512 518 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
513 519
514 520 # Avoid swapping and increase cache sizes
515 521 vm.swappiness=1
516 522 vm.dirty_background_ratio=20
517 523 vm.dirty_ratio=40
518 524 vm.dirty_writeback_centisecs=500
519 525 vm.dirty_expire_centisecs=6000
520 526 EOM
521 527
522 528 # Enable network stack hardening
523 529 if [ "$ENABLE_HARDNET" = true ] ; then
524 530 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
525 531
526 532 # Enable network stack hardening
527 533 net.ipv4.tcp_timestamps=0
528 534 net.ipv4.tcp_syncookies=1
529 535 net.ipv4.conf.all.rp_filter=1
530 536 net.ipv4.conf.all.accept_redirects=0
531 537 net.ipv4.conf.all.send_redirects=0
532 538 net.ipv4.conf.all.accept_source_route=0
533 539 net.ipv4.conf.default.rp_filter=1
534 540 net.ipv4.conf.default.accept_redirects=0
535 541 net.ipv4.conf.default.send_redirects=0
536 542 net.ipv4.conf.default.accept_source_route=0
537 543 net.ipv4.conf.lo.accept_redirects=0
538 544 net.ipv4.conf.lo.send_redirects=0
539 545 net.ipv4.conf.lo.accept_source_route=0
540 546 net.ipv4.conf.eth0.accept_redirects=0
541 547 net.ipv4.conf.eth0.send_redirects=0
542 548 net.ipv4.conf.eth0.accept_source_route=0
543 549 net.ipv4.icmp_echo_ignore_broadcasts=1
544 550 net.ipv4.icmp_ignore_bogus_error_responses=1
545 551
546 552 net.ipv6.conf.all.accept_redirects=0
547 553 net.ipv6.conf.all.accept_source_route=0
548 554 net.ipv6.conf.all.router_solicitations=0
549 555 net.ipv6.conf.all.accept_ra_rtr_pref=0
550 556 net.ipv6.conf.all.accept_ra_pinfo=0
551 557 net.ipv6.conf.all.accept_ra_defrtr=0
552 558 net.ipv6.conf.all.autoconf=0
553 559 net.ipv6.conf.all.dad_transmits=0
554 560 net.ipv6.conf.all.max_addresses=1
555 561
556 562 net.ipv6.conf.default.accept_redirects=0
557 563 net.ipv6.conf.default.accept_source_route=0
558 564 net.ipv6.conf.default.router_solicitations=0
559 565 net.ipv6.conf.default.accept_ra_rtr_pref=0
560 566 net.ipv6.conf.default.accept_ra_pinfo=0
561 567 net.ipv6.conf.default.accept_ra_defrtr=0
562 568 net.ipv6.conf.default.autoconf=0
563 569 net.ipv6.conf.default.dad_transmits=0
564 570 net.ipv6.conf.default.max_addresses=1
565 571
566 572 net.ipv6.conf.lo.accept_redirects=0
567 573 net.ipv6.conf.lo.accept_source_route=0
568 574 net.ipv6.conf.lo.router_solicitations=0
569 575 net.ipv6.conf.lo.accept_ra_rtr_pref=0
570 576 net.ipv6.conf.lo.accept_ra_pinfo=0
571 577 net.ipv6.conf.lo.accept_ra_defrtr=0
572 578 net.ipv6.conf.lo.autoconf=0
573 579 net.ipv6.conf.lo.dad_transmits=0
574 580 net.ipv6.conf.lo.max_addresses=1
575 581
576 582 net.ipv6.conf.eth0.accept_redirects=0
577 583 net.ipv6.conf.eth0.accept_source_route=0
578 584 net.ipv6.conf.eth0.router_solicitations=0
579 585 net.ipv6.conf.eth0.accept_ra_rtr_pref=0
580 586 net.ipv6.conf.eth0.accept_ra_pinfo=0
581 587 net.ipv6.conf.eth0.accept_ra_defrtr=0
582 588 net.ipv6.conf.eth0.autoconf=0
583 589 net.ipv6.conf.eth0.dad_transmits=0
584 590 net.ipv6.conf.eth0.max_addresses=1
585 591 EOM
586 592
587 593 # Enable resolver warnings about spoofed addresses
588 594 cat <<EOM >>$R/etc/host.conf
589 595 spoof warn
590 596 EOM
591 597 fi
592 598
593 599 # Ensure openssh server host keys are regenerated on first boot
594 600 if [ "$ENABLE_SSHD" = true ] ; then
595 601 cat <<EOM >>$R/etc/rc.firstboot
596 602 #!/bin/sh
597 603 rm -f /etc/ssh/ssh_host_*
598 604 ssh-keygen -q -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key
599 605 ssh-keygen -q -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key
600 606 ssh-keygen -q -t ecdsa -N "" -f /etc/ssh/ssh_host_ecdsa_key
601 607 ssh-keygen -q -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key
602 608 sync
603 609
604 610 systemctl restart sshd
605 sed -i 's/.*rc.firstboot.*/exit 0/g' /etc/rc.local
611 sed -i '/.*rc.firstboot/d' /etc/rc.local
606 612 rm -f /etc/rc.firstboot
607 613 EOM
608 614 chmod +x $R/etc/rc.firstboot
609 sed -i 's,exit 0,/etc/rc.firstboot,g' $R/etc/rc.local
615 sed -i '/exit 0/d' $R/etc/rc.local
616 echo /etc/rc.firstboot >> $R/etc/rc.local
610 617 rm -f $R/etc/ssh/ssh_host_*
611 618 fi
612 619
620 if [ "$EXPANDROOT" = true ] ; then
621 cat <<EOF > $R/etc/rc.expandroot
622 #!/bin/sh
623
624 ROOT_PART=\$(mount | sed -n 's|^/dev/\(.*\) on / .*|\1|p')
625 PART_NUM=\$(echo \${ROOT_PART} | grep -o '[1-9][0-9]*$')
626 case "\${ROOT_PART}" in
627 mmcblk0*) ROOT_DEV=mmcblk0 ;;
628 sda*) ROOT_DEV=sda ;;
629 esac
630 if [ "\$PART_NUM" = "\$ROOT_PART" ]; then
631 logger -t "rc.expandroot" "\$ROOT_PART is not an SD card. Don't know how to expand"
632 return 0
633 fi
634 # NOTE: the NOOBS partition layout confuses parted. For now, let's only
635 # agree to work with a sufficiently simple partition layout
636 if [ "\$PART_NUM" -gt 2 ]; then
637 logger -t "rc.expandroot" "Your partition layout is not currently supported by this tool."
638 return 0
639 fi
640 LAST_PART_NUM=\$(parted /dev/\${ROOT_DEV} -ms unit s p | tail -n 1 | cut -f 1 -d:)
641 if [ \$LAST_PART_NUM -ne \$PART_NUM ]; then
642 logger -t "rc.expandroot" "\$ROOT_PART is not the last partition. Don't know how to expand"
643 return 0
644 fi
645 # Get the starting offset of the root partition
646 PART_START=\$(parted /dev/\${ROOT_DEV} -ms unit s p | grep "^\${PART_NUM}" | cut -f 2 -d: | sed 's/[^0-9]//g')
647 [ "\$PART_START" ] || return 1
648 # Get the possible last sector for the root partition
649 PART_LAST=\$(fdisk -l /dev/\${ROOT_DEV} | grep '^Disk.*sectors' | awk '{ print \$7 - 1 }')
650 [ "\$PART_LAST" ] || return 1
651 # Return value will likely be error for fdisk as it fails to reload the
652 # partition table because the root fs is mounted
653 ### Since rc.local is run with "sh -e", let's add "|| true" to prevent premature exit
654 fdisk /dev/\${ROOT_DEV} <<EOF2 || true
655 p
656 d
657 \$PART_NUM
658 n
659 p
660 \$PART_NUM
661 \$PART_START
662 \$PART_LAST
663 p
664 w
665 EOF2
666 # Reload the partition table, resize root filesystem then remove resizing code from this file
667 partprobe &&
668 resize2fs /dev/\${ROOT_PART} &&
669 logger -t "rc.expandroot" "Root partition successfuly resized." &&
670 sed -i '/.*rc.expandroot/d' /etc/rc.local
671 rm -f /etc/rc.expandroot
672 EOF
673 chmod +x $R/etc/rc.expandroot
674 sed -i '/exit 0/d' $R/etc/rc.local
675 echo /etc/rc.expandroot >> $R/etc/rc.local
676 fi
677
613 678 # Disable rsyslog
614 679 if [ "$ENABLE_RSYSLOG" = false ]; then
615 680 sed -i 's|[#]*ForwardToSyslog=yes|ForwardToSyslog=no|g' $R/etc/systemd/journald.conf
616 681 chroot_exec systemctl disable rsyslog
617 682 chroot_exec apt-get purge -q -y --force-yes rsyslog
618 683 fi
619 684
620 685 # Enable serial console systemd style
621 686 if [ "$ENABLE_CONSOLE" = true ] ; then
622 687 chroot_exec systemctl enable serial-getty\@ttyAMA0.service
623 688 fi
624 689
625 690 # Enable firewall based on iptables started by systemd service
626 691 if [ "$ENABLE_IPTABLES" = true ] ; then
627 692 # Create iptables configuration directory
628 693 mkdir -p "$R/etc/iptables"
629 694
630 695 # Create iptables systemd service
631 696 cat <<EOM >$R/etc/systemd/system/iptables.service
632 697 [Unit]
633 698 Description=Packet Filtering Framework
634 699 DefaultDependencies=no
635 700 After=systemd-sysctl.service
636 701 Before=sysinit.target
637 702 [Service]
638 703 Type=oneshot
639 704 ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
640 705 ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
641 706 ExecStop=/etc/iptables/flush-iptables.sh
642 707 RemainAfterExit=yes
643 708 [Install]
644 709 WantedBy=multi-user.target
645 710 EOM
646 711
647 712 # Create flush-table script called by iptables service
648 713 cat <<EOM >$R/etc/iptables/flush-iptables.sh
649 714 #!/bin/sh
650 715 iptables -F
651 716 iptables -X
652 717 iptables -t nat -F
653 718 iptables -t nat -X
654 719 iptables -t mangle -F
655 720 iptables -t mangle -X
656 721 iptables -P INPUT ACCEPT
657 722 iptables -P FORWARD ACCEPT
658 723 iptables -P OUTPUT ACCEPT
659 724 EOM
660 725
661 726 # Create iptables rule file
662 727 cat <<EOM >$R/etc/iptables/iptables.rules
663 728 *filter
664 729 :INPUT DROP [0:0]
665 730 :FORWARD DROP [0:0]
666 731 :OUTPUT ACCEPT [0:0]
667 732 :TCP - [0:0]
668 733 :UDP - [0:0]
669 734 :SSH - [0:0]
670 735
671 736 # Rate limit ping requests
672 737 -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
673 738 -A INPUT -p icmp --icmp-type echo-request -j DROP
674 739
675 740 # Accept established connections
676 741 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
677 742
678 743 # Accept all traffic on loopback interface
679 744 -A INPUT -i lo -j ACCEPT
680 745
681 746 # Drop packets declared invalid
682 747 -A INPUT -m conntrack --ctstate INVALID -j DROP
683 748
684 749 # SSH rate limiting
685 750 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
686 751 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
687 752 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
688 753 -A SSH -m recent --name sshbf --set -j ACCEPT
689 754
690 755 # Send TCP and UDP connections to their respective rules chain
691 756 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
692 757 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
693 758
694 759 # Reject dropped packets with a RFC compliant responce
695 760 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
696 761 -A INPUT -p tcp -j REJECT --reject-with tcp-rst
697 762 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
698 763
699 764 ## TCP PORT RULES
700 765 # -A TCP -p tcp -j LOG
701 766
702 767 ## UDP PORT RULES
703 768 # -A UDP -p udp -j LOG
704 769
705 770 COMMIT
706 771 EOM
707 772
708 773 # Reload systemd configuration and enable iptables service
709 774 chroot_exec systemctl daemon-reload
710 775 chroot_exec systemctl enable iptables.service
711 776
712 777 if [ "$ENABLE_IPV6" = true ] ; then
713 778 # Create ip6tables systemd service
714 779 cat <<EOM >$R/etc/systemd/system/ip6tables.service
715 780 [Unit]
716 781 Description=Packet Filtering Framework
717 782 DefaultDependencies=no
718 783 After=systemd-sysctl.service
719 784 Before=sysinit.target
720 785 [Service]
721 786 Type=oneshot
722 787 ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
723 788 ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
724 789 ExecStop=/etc/iptables/flush-ip6tables.sh
725 790 RemainAfterExit=yes
726 791 [Install]
727 792 WantedBy=multi-user.target
728 793 EOM
729 794
730 795 # Create ip6tables file
731 796 cat <<EOM >$R/etc/iptables/flush-ip6tables.sh
732 797 #!/bin/sh
733 798 ip6tables -F
734 799 ip6tables -X
735 800 ip6tables -Z
736 801 for table in $(</proc/net/ip6_tables_names)
737 802 do
738 803 ip6tables -t \$table -F
739 804 ip6tables -t \$table -X
740 805 ip6tables -t \$table -Z
741 806 done
742 807 ip6tables -P INPUT ACCEPT
743 808 ip6tables -P OUTPUT ACCEPT
744 809 ip6tables -P FORWARD ACCEPT
745 810 EOM
746 811
747 812 # Create ip6tables rule file
748 813 cat <<EOM >$R/etc/iptables/ip6tables.rules
749 814 *filter
750 815 :INPUT DROP [0:0]
751 816 :FORWARD DROP [0:0]
752 817 :OUTPUT ACCEPT [0:0]
753 818 :TCP - [0:0]
754 819 :UDP - [0:0]
755 820 :SSH - [0:0]
756 821
757 822 # Drop packets with RH0 headers
758 823 -A INPUT -m rt --rt-type 0 -j DROP
759 824 -A OUTPUT -m rt --rt-type 0 -j DROP
760 825 -A FORWARD -m rt --rt-type 0 -j DROP
761 826
762 827 # Rate limit ping requests
763 828 -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
764 829 -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
765 830
766 831 # Accept established connections
767 832 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
768 833
769 834 # Accept all traffic on loopback interface
770 835 -A INPUT -i lo -j ACCEPT
771 836
772 837 # Drop packets declared invalid
773 838 -A INPUT -m conntrack --ctstate INVALID -j DROP
774 839
775 840 # SSH rate limiting
776 841 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
777 842 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
778 843 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
779 844 -A SSH -m recent --name sshbf --set -j ACCEPT
780 845
781 846 # Send TCP and UDP connections to their respective rules chain
782 847 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
783 848 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
784 849
785 850 # Reject dropped packets with a RFC compliant responce
786 851 -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
787 852 -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
788 853 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
789 854
790 855 ## TCP PORT RULES
791 856 # -A TCP -p tcp -j LOG
792 857
793 858 ## UDP PORT RULES
794 859 # -A UDP -p udp -j LOG
795 860
796 861 COMMIT
797 862 EOM
798 863
799 864 # Reload systemd configuration and enable iptables service
800 865 chroot_exec systemctl daemon-reload
801 866 chroot_exec systemctl enable ip6tables.service
802 867 fi
803 868 fi
804 869
805 870 # Remove SSHD related iptables rules
806 871 if [ "$ENABLE_SSHD" = false ] ; then
807 872 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/iptables.rules 2> /dev/null
808 873 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/ip6tables.rules 2> /dev/null
809 874 fi
810 875
811 876 # Install gcc/c++ build environment inside the chroot
812 877 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
813 878 chroot_exec apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
814 879 fi
815 880
816 881 # Fetch and build U-Boot bootloader
817 882 if [ "$ENABLE_UBOOT" = true ] ; then
818 883 # Fetch U-Boot bootloader sources
819 884 git -C $R/tmp clone git://git.denx.de/u-boot.git
820 885
821 886 # Build and install U-Boot inside chroot
822 887 chroot_exec make -C /tmp/u-boot/ rpi_2_defconfig all
823 888
824 889 # Copy compiled bootloader binary and set config.txt to load it
825 890 cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
826 891 printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
827 892
828 893 # Set U-Boot command file
829 894 cat <<EOM >$R/boot/firmware/uboot.mkimage
830 895 # Tell Linux that it is booting on a Raspberry Pi2
831 896 setenv machid 0x00000c42
832 897
833 898 # Set the kernel boot command line
834 899 setenv bootargs "earlyprintk ${CMDLINE}"
835 900
836 901 # Save these changes to u-boot's environment
837 902 saveenv
838 903
839 904 # Load the existing Linux kernel into RAM
840 905 fatload mmc 0:1 \${kernel_addr_r} kernel7.img
841 906
842 907 # Boot the kernel we have just loaded
843 908 bootz \${kernel_addr_r}
844 909 EOM
845 910
846 911 # Generate U-Boot image from command file
847 912 chroot_exec mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
848 913 fi
849 914
850 915 # Fetch and build fbturbo Xorg driver
851 916 if [ "$ENABLE_FBTURBO" = true ] ; then
852 917 # Fetch fbturbo driver sources
853 918 git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git
854 919
855 920 # Install Xorg build dependencies
856 921 chroot_exec apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
857 922
858 923 # Build and install fbturbo driver inside chroot
859 924 chroot_exec /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install"
860 925
861 926 # Add fbturbo driver to Xorg configuration
862 927 cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf
863 928 Section "Device"
864 929 Identifier "Allwinner A10/A13 FBDEV"
865 930 Driver "fbturbo"
866 931 Option "fbdev" "/dev/fb0"
867 932 Option "SwapbuffersWait" "true"
868 933 EndSection
869 934 EOM
870 935
871 936 # Remove Xorg build dependencies
872 937 chroot_exec apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
873 938 fi
874 939
875 940 # Remove gcc/c++ build environment from the chroot
876 941 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
877 942 chroot_exec apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
878 943 fi
879 944
880 945 # Clean cached downloads
881 946 chroot_exec apt-get -y clean
882 947 chroot_exec apt-get -y autoclean
883 948 chroot_exec apt-get -y autoremove
884 949
885 950 # Unmount mounted filesystems
886 951 umount -l $R/proc
887 952 umount -l $R/sys
888 953
889 954 # Clean up files
890 955 rm -f $R/etc/apt/sources.list.save
891 956 rm -f $R/etc/resolvconf/resolv.conf.d/original
892 957 rm -rf $R/run
893 958 mkdir -p $R/run
894 959 rm -f $R/etc/*-
895 960 rm -f $R/root/.bash_history
896 961 rm -rf $R/tmp/*
897 962 rm -f $R/var/lib/urandom/random-seed
898 963 [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id
899 964 rm -f $R/etc/machine-id
900 965 rm -fr $R/etc/apt/apt.conf.d/10proxy
901 966
902 967 # Calculate size of the chroot directory
903 968 CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)
904 969
905 970 # Calculate required image size
906 971 IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`
907 972
908 973 # Calculate number of sectors for the partition
909 974 IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`
910 975
911 976 # Prepare date string for image file name
912 977 DATE="$(date +%Y-%m-%d)"
913 978
914 979 # Prepare image file
915 980 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1
916 981 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}
917 982
918 983 # Write partition table
919 984 sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
920 985 unit: sectors
921 986
922 987 1 : start= 2048, size= 131072, Id= c, bootable
923 988 2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83
924 989 3 : start= 0, size= 0, Id= 0
925 990 4 : start= 0, size= 0, Id= 0
926 991 EOM
927 992
928 993 # Set up temporary loop devices and build filesystems
929 994 VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
930 995 EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
931 996 mkfs.vfat "$VFAT_LOOP"
932 997 mkfs.ext4 "$EXT4_LOOP"
933 998
934 999 # Mount the temporary loop devices
935 1000 mkdir -p "$BUILDDIR/mount"
936 1001 mount "$EXT4_LOOP" "$BUILDDIR/mount"
937 1002
938 1003 mkdir -p "$BUILDDIR/mount/boot/firmware"
939 1004 mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"
940 1005
941 1006 # Copy all files from the chroot to the loop device mount point directory
942 1007 rsync -a "$R/" "$BUILDDIR/mount/"
943 1008
944 1009 # Unmount all temporary loop devices and mount points
945 1010 cleanup
946 1011
947 1012 # (optinal) create block map file for "bmaptool"
948 1013 bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
949 1014
950 1015 # Image was successfully created
951 1016 echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"
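Review bot: in the new rc.expandroot block, `rm -f /etc/rc.expandroot` runs unconditionally after the `partprobe && resize2fs /dev/\${ROOT_PART} && logger ... && sed -i '/.*rc.expandroot/d' /etc/rc.local` chain, so if partprobe or resize2fs fails the script file is deleted while its entry stays in /etc/rc.local; on every following boot rc.local (which the block's own comment notes is run with `sh -e`) then aborts on a missing command before anything listed after it. Either move the `rm -f` into the `&&` chain or log the failure and keep the script so the resize can be retried. Related: the script uses `return 0` / `return 1` at top level, but rc.local invokes it as a separate executable (`echo /etc/rc.expandroot >> $R/etc/rc.local`) rather than sourcing it, and `return` outside a function is not portable across /bin/sh implementations; use `exit` instead, and note that the `|| true` comment about `sh -e` applies to rc.local, not to rc.expandroot, which has a plain `#!/bin/sh` shebang. Also, both the rc.firstboot and rc.expandroot blocks now delete the `exit 0` line from rc.local at build time (`sed -i '/exit 0/d'`) and, at first boot, only delete their own entry (`sed -i '/.*rc.firstboot/d'` replaces the earlier substitution to `exit 0`), so once the first-boot scripts have removed themselves rc.local ends with no explicit exit and its status becomes that of the last remaining command; consider re-appending `exit 0` after the self-removal, or at least anchoring the deletion to `^exit 0$` so comment lines containing that text are not removed. Minor: "successfuly" in the logger message.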