Merge pull request #15 from vknecht/locale-fix...
drtyhlpr -
r33:4b9b197735e4 Fusion
@@ -1,101 +1,109
1 # rpi2-gen-image
1 # rpi2-gen-image
2 ## Introduction
2 ## Introduction
3 `rpi2-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for the Raspberry 2 (RPi2) computer. The script at this time only supports the bootstrapping of the current stable Debian 8 "jessie" release.
3 `rpi2-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for the Raspberry 2 (RPi2) computer. The script at this time only supports the bootstrapping of the current stable Debian 8 "jessie" release.
4
4
5 ## Build dependencies
5 ## Build dependencies
6 The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user.
6 The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user.
7
7
8 ```debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core```
8 ```debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core```
9
9
10 ## Command-line parameters
10 ## Command-line parameters
11 The script accepts certain command-line parameters to enable or disable specific OS features, services and configuration settings. These parameters are passed to the `rpi2-gen-image.sh` script via (simple) shell-variables. Unlike environment shell-variables (simple) shell-variables are defined at the beginning of the command-line call of the `rpi2-gen-image.sh` script.
11 The script accepts certain command-line parameters to enable or disable specific OS features, services and configuration settings. These parameters are passed to the `rpi2-gen-image.sh` script via (simple) shell-variables. Unlike environment shell-variables (simple) shell-variables are defined at the beginning of the command-line call of the `rpi2-gen-image.sh` script.
12
12
13 #####Command-line examples:
13 #####Command-line examples:
14 ```shell
14 ```shell
15 ENABLE_UBOOT=true ./rpi2-gen-image.sh
15 ENABLE_UBOOT=true ./rpi2-gen-image.sh
16 ENABLE_CONSOLE=false ENABLE_IPV6=false ./rpi2-gen-image.sh
16 ENABLE_CONSOLE=false ENABLE_IPV6=false ./rpi2-gen-image.sh
17 ENABLE_WM=xfce4 ENABLE_FBTURBO=true ENABLE_MINBASE=true ./rpi2-gen-image.sh
17 ENABLE_WM=xfce4 ENABLE_FBTURBO=true ENABLE_MINBASE=true ./rpi2-gen-image.sh
18 ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi2-gen-image.sh
18 ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi2-gen-image.sh
19 APT_SERVER=ftp.de.debian.org APT_PROXY="http://127.0.0.1:3142/" ./rpi2-gen-image.sh
19 APT_SERVER=ftp.de.debian.org APT_PROXY="http://127.0.0.1:3142/" ./rpi2-gen-image.sh
20 ENABLE_MINBASE=true ./rpi2-gen-image.sh
20 ENABLE_MINBASE=true ./rpi2-gen-image.sh
21 ```
21 ```
22
22
23 #### APT settings:
23 #### APT settings:
24 ##### `APT_SERVER`="ftp.debian.org"
24 ##### `APT_SERVER`="ftp.debian.org"
25 Set Debian packages server address. Choose a server from the list of Debian worldwide [mirror sites](https://www.debian.org/mirror/list). Using a nearby server will probably speed-up all required downloads within the bootstrapping process.
25 Set Debian packages server address. Choose a server from the list of Debian worldwide [mirror sites](https://www.debian.org/mirror/list). Using a nearby server will probably speed-up all required downloads within the bootstrapping process.
26
26
27 ##### `APT_PROXY`=""
27 ##### `APT_PROXY`=""
28 Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once.
28 Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once.
29
29
30 #### General system settings:
30 #### General system settings:
31 ##### `HOSTNAME`="rpi2-jessie"
31 ##### `HOSTNAME`="rpi2-jessie"
32 Set system host name. It's recommended that the host name is unique in the corresponding subnet.
32 Set system host name. It's recommended that the host name is unique in the corresponding subnet.
33
33
34 ##### `PASSWORD`="raspberry"
34 ##### `PASSWORD`="raspberry"
35 Set system `root` password. The same password is used for the created user `pi`. It's **STRONGLY** recommended that you choose a custom password.
35 Set system `root` password. The same password is used for the created user `pi`. It's **STRONGLY** recommended that you choose a custom password.
36
36
37 ##### `DEFLOCAL`="en_US.UTF-8"
37 ##### `DEFLOCAL`="en_US.UTF-8"
38 Set default system locale and keyboard layout. This setting can also be changed inside the running OS using the `dpkg-reconfigure locales` command. The script variant `minbase` (ENABLE_MINBASE=true) doesn't install `locales`.
38 Set default system locale. This setting can also be changed inside the running OS using the `dpkg-reconfigure locales` command. The script variant `minbase` (ENABLE_MINBASE=true) doesn't install `locales`.
39
39
40
40 ##### `TIMEZONE`="Europe/Berlin"
41 ##### `TIMEZONE`="Europe/Berlin"
41 Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command.
42 Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command.
42
43
44 #### Keyboard settings:
45 These options are used to configure keyboard layout in `/etc/default/keyboard` for console and Xorg. These settings can also be changed inside the running OS using the `dpkg-reconfigure keyboard-configuration` command.
46 ##### `XKBMODEL`=""
47 ##### `XKBLAYOUT`=""
48 ##### `XKBVARIANT`=""
49 ##### `XKBOPTIONS`=""
50
43 #### Basic system features:
51 #### Basic system features:
44 ##### `ENABLE_CONSOLE`=true
52 ##### `ENABLE_CONSOLE`=true
45 Enable serial console interface. Recommended if no monitor or keyboard is connected to the RPi2. In case of problems fe. if the network (auto) configuration failed - the serial console can be used to access the system.
53 Enable serial console interface. Recommended if no monitor or keyboard is connected to the RPi2. In case of problems fe. if the network (auto) configuration failed - the serial console can be used to access the system.
46
54
47 ##### `ENABLE_IPV6`=true
55 ##### `ENABLE_IPV6`=true
48 Enable IPv6 support. The network interface configuration is managed via systemd-networkd.
56 Enable IPv6 support. The network interface configuration is managed via systemd-networkd.
49
57
50 ##### `ENABLE_SSHD`=true
58 ##### `ENABLE_SSHD`=true
51 Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root.
59 Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root.
52
60
53 ##### `ENABLE_SOUND`=true
61 ##### `ENABLE_SOUND`=true
54 Enable sound hardware and install Advanced Linux Sound Architecture.
62 Enable sound hardware and install Advanced Linux Sound Architecture.
55
63
56 ##### `ENABLE_HWRANDOM`=true
64 ##### `ENABLE_HWRANDOM`=true
57 Enable Hardware Random Number Generator. Strong random numbers are important for most network based communications that use encryption. It's recommended to be enabled.
65 Enable Hardware Random Number Generator. Strong random numbers are important for most network based communications that use encryption. It's recommended to be enabled.
58
66
59 ##### `ENABLE_MINGPU`=false
67 ##### `ENABLE_MINGPU`=false
60 Minimize the amount of shared memory reserved for the GPU. It doesn't seem to be possible to fully disable the GPU.
68 Minimize the amount of shared memory reserved for the GPU. It doesn't seem to be possible to fully disable the GPU.
61
69
62 ##### `ENABLE_DBUS`=true
70 ##### `ENABLE_DBUS`=true
63 Install and enable D-Bus message bus. Please note that systemd should work without D-bus but it's recommended to be enabled.
71 Install and enable D-Bus message bus. Please note that systemd should work without D-bus but it's recommended to be enabled.
64
72
65 ##### `ENABLE_XORG`=false
73 ##### `ENABLE_XORG`=false
66 Install Xorg open-source X Window System.
74 Install Xorg open-source X Window System.
67
75
68 ##### `ENABLE_WM`=""
76 ##### `ENABLE_WM`=""
69 Install a user defined window manager for the X Window System. To make sure all X related package dependencies are getting installed `ENABLE_XORG` will automatically get enabled if `ENABLE_WM` is used. The `rpi2-gen-image.sh` script has been tested with the following list of window managers: `blackbox`, `openbox`, `fluxbox`, `jwm`, `dwm`, `xfce4`, `awesome`.
77 Install a user defined window manager for the X Window System. To make sure all X related package dependencies are getting installed `ENABLE_XORG` will automatically get enabled if `ENABLE_WM` is used. The `rpi2-gen-image.sh` script has been tested with the following list of window managers: `blackbox`, `openbox`, `fluxbox`, `jwm`, `dwm`, `xfce4`, `awesome`.
70
78
71 #### Advanced sytem features:
79 #### Advanced sytem features:
72 ##### `ENABLE_MINBASE`=false
80 ##### `ENABLE_MINBASE`=false
73 Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB.
81 Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB.
74
82
75 ##### `ENABLE_UBOOT`=false
83 ##### `ENABLE_UBOOT`=false
76 Replace default RPi2 second stage bootloader (bootcode.bin) with U-Boot bootloader. U-Boot can boot images via the network using the BOOTP/TFTP protocol.
84 Replace default RPi2 second stage bootloader (bootcode.bin) with U-Boot bootloader. U-Boot can boot images via the network using the BOOTP/TFTP protocol.
77
85
78 ##### `ENABLE_FBTURBO`=false
86 ##### `ENABLE_FBTURBO`=false
79 Install and enable the hardware accelerated Xorg video driver `fbturbo`. Please note that this driver is currently limited to hardware accelerated window moving and scrolling.
87 Install and enable the hardware accelerated Xorg video driver `fbturbo`. Please note that this driver is currently limited to hardware accelerated window moving and scrolling.
80
88
81 ##### `ENABLE_IPTABLES`=false
89 ##### `ENABLE_IPTABLES`=false
82 Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service.
90 Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service.
83
91
84 ##### `ENABLE_HARDNET`=false
92 ##### `ENABLE_HARDNET`=false
85 Enable IPv4/IPv6 network stack hardening settings.
93 Enable IPv4/IPv6 network stack hardening settings.
86
94
87 ## Logging of the bootstrapping process
95 ## Logging of the bootstrapping process
88 All information related to the bootstrapping process and the commands executed by the `rpi2-gen-image.sh` script can easily be saved into a logfile. The common shell command `script` can be used for this purpose:
96 All information related to the bootstrapping process and the commands executed by the `rpi2-gen-image.sh` script can easily be saved into a logfile. The common shell command `script` can be used for this purpose:
89
97
90 ```shell
98 ```shell
91 script -c 'APT_SERVER=ftp.de.debian.org ./rpi2-gen-image.sh' ./build.log
99 script -c 'APT_SERVER=ftp.de.debian.org ./rpi2-gen-image.sh' ./build.log
92 ```
100 ```
93
101
94 ## Flashing the image file
102 ## Flashing the image file
95 After the image file was successfully created by the `rpi2-gen-image.sh` script it can be copied to the microSD card that will be used by the RPi2 computer. This can be performed by using the tools `bmaptool` or `dd`. Using `bmaptool` will probably speed-up the copy process because `bmaptool` copies more wisely than `dd`.
103 After the image file was successfully created by the `rpi2-gen-image.sh` script it can be copied to the microSD card that will be used by the RPi2 computer. This can be performed by using the tools `bmaptool` or `dd`. Using `bmaptool` will probably speed-up the copy process because `bmaptool` copies more wisely than `dd`.
96
104
97 #####Flashing examples:
105 #####Flashing examples:
98 ```shell
106 ```shell
99 bmaptool copy ./images/jessie/2015-12-13-debian-jessie.img /dev/mmcblk0
107 bmaptool copy ./images/jessie/2015-12-13-debian-jessie.img /dev/mmcblk0
100 dd bs=4M if=./images/jessie/2015-12-13-debian-jessie.img of=/dev/mmcblk0
108 dd bs=4M if=./images/jessie/2015-12-13-debian-jessie.img of=/dev/mmcblk0
101 ```
109 ```
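Review bot: the new "Keyboard settings" section introduces `XKBMODEL`, `XKBLAYOUT`, `XKBVARIANT` and `XKBOPTIONS` without the caveat that the `DEFLOCAL` entry directly above it carries: these settings are only applied when `ENABLE_MINBASE` is false, because the script change adds `keyboard-configuration` and `console-setup` to the includes only in the non-minbase branch and wraps the whole keyboard block in `if [ "$ENABLE_MINBASE" = false ]`. Add a sentence such as "The script variant `minbase` (ENABLE_MINBASE=true) doesn't install `keyboard-configuration`, so these options have no effect there", and give each of the four variables a one-line description of the value it expects (the keys are written verbatim into `/etc/default/keyboard`, so pointing at that file's format is enough). Minor style points in the same hunk: the new file now has two consecutive blank lines before the `TIMEZONE` heading, and the unchanged example `ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi2-gen-image.sh` is missing its leading `./`, which is worth fixing while this section is being touched.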
@@ -1,846 +1,887
1 #!/bin/sh
1 #!/bin/sh
2
2
3 ########################################################################
3 ########################################################################
4 # rpi2-gen-image.sh ver2a 12/2015
4 # rpi2-gen-image.sh ver2a 12/2015
5 #
5 #
6 # Advanced debian "jessie" bootstrap script for RPi2
6 # Advanced debian "jessie" bootstrap script for RPi2
7 #
7 #
8 # This program is free software; you can redistribute it and/or
8 # This program is free software; you can redistribute it and/or
9 # modify it under the terms of the GNU General Public License
9 # modify it under the terms of the GNU General Public License
10 # as published by the Free Software Foundation; either version 2
10 # as published by the Free Software Foundation; either version 2
11 # of the License, or (at your option) any later version.
11 # of the License, or (at your option) any later version.
12 #
12 #
13 # some parts based on rpi2-build-image:
13 # some parts based on rpi2-build-image:
14 # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
14 # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
15 # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
15 # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
16 ########################################################################
16 ########################################################################
17
17
18 # Clean up all temporary mount points
18 # Clean up all temporary mount points
19 cleanup (){
19 cleanup (){
20 set +x
20 set +x
21 set +e
21 set +e
22 echo "removing temporary mount points ..."
22 echo "removing temporary mount points ..."
23 umount -l $R/proc 2> /dev/null
23 umount -l $R/proc 2> /dev/null
24 umount -l $R/sys 2> /dev/null
24 umount -l $R/sys 2> /dev/null
25 umount -l $R/dev/pts 2> /dev/null
25 umount -l $R/dev/pts 2> /dev/null
26 umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
26 umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
27 umount "$BUILDDIR/mount" 2> /dev/null
27 umount "$BUILDDIR/mount" 2> /dev/null
28 losetup -d "$EXT4_LOOP" 2> /dev/null
28 losetup -d "$EXT4_LOOP" 2> /dev/null
29 losetup -d "$VFAT_LOOP" 2> /dev/null
29 losetup -d "$VFAT_LOOP" 2> /dev/null
30 trap - 0 1 2 3 6
30 trap - 0 1 2 3 6
31 }
31 }
32
32
33 set -e
33 set -e
34 set -x
34 set -x
35
35
36 # Debian release
36 # Debian release
37 RELEASE=${RELEASE:=jessie}
37 RELEASE=${RELEASE:=jessie}
38
38
39 # Build settings
39 # Build settings
40 BASEDIR=./images/${RELEASE}
40 BASEDIR=./images/${RELEASE}
41 BUILDDIR=${BASEDIR}/build
41 BUILDDIR=${BASEDIR}/build
42
42
43 # General settings
43 # General settings
44 HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
44 HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
45 PASSWORD=${PASSWORD:=raspberry}
45 PASSWORD=${PASSWORD:=raspberry}
46 DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
46 DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
47 TIMEZONE=${TIMEZONE:="Europe/Berlin"}
47 TIMEZONE=${TIMEZONE:="Europe/Berlin"}
48 XKBMODEL=${XKBMODEL:=""}
49 XKBLAYOUT=${XKBLAYOUT:=""}
50 XKBVARIANT=${XKBVARIANT:=""}
51 XKBOPTIONS=${XKBOPTIONS:=""}
48
52
49 # APT settings
53 # APT settings
50 APT_PROXY=${APT_PROXY:=""}
54 APT_PROXY=${APT_PROXY:=""}
51 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
55 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
52
56
53 # Feature settings
57 # Feature settings
54 ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
58 ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
55 ENABLE_IPV6=${ENABLE_IPV6:=true}
59 ENABLE_IPV6=${ENABLE_IPV6:=true}
56 ENABLE_SSHD=${ENABLE_SSHD:=true}
60 ENABLE_SSHD=${ENABLE_SSHD:=true}
57 ENABLE_SOUND=${ENABLE_SOUND:=true}
61 ENABLE_SOUND=${ENABLE_SOUND:=true}
58 ENABLE_DBUS=${ENABLE_DBUS:=true}
62 ENABLE_DBUS=${ENABLE_DBUS:=true}
59 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
63 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
60 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
64 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
61 ENABLE_XORG=${ENABLE_XORG:=false}
65 ENABLE_XORG=${ENABLE_XORG:=false}
62 ENABLE_WM=${ENABLE_WM:=""}
66 ENABLE_WM=${ENABLE_WM:=""}
63
67
64 # Advanced settings
68 # Advanced settings
65 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
69 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
66 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
70 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
67 ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
71 ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
68 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
72 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
69 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
73 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
70
74
71 # Image chroot path
75 # Image chroot path
72 R=${BUILDDIR}/chroot
76 R=${BUILDDIR}/chroot
73
77
74 # Packages required for bootstrapping
78 # Packages required for bootstrapping
75 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git-core"
79 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git-core"
76
80
77 # Missing packages that need to be installed
81 # Missing packages that need to be installed
78 MISSING_PACKAGES=""
82 MISSING_PACKAGES=""
79
83
80 # Packages required in the chroot build environment
84 # Packages required in the chroot build environment
81 APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo"
85 APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo"
82
86
83 set +x
87 set +x
84
88
85 # Are we running as root?
89 # Are we running as root?
86 if [ "$(id -u)" -ne "0" ] ; then
90 if [ "$(id -u)" -ne "0" ] ; then
87 echo "this script must be executed with root privileges"
91 echo "this script must be executed with root privileges"
88 exit 1
92 exit 1
89 fi
93 fi
90
94
91 # Check if all required packages are installed
95 # Check if all required packages are installed
92 for package in $REQUIRED_PACKAGES ; do
96 for package in $REQUIRED_PACKAGES ; do
93 if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
97 if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
94 MISSING_PACKAGES="$MISSING_PACKAGES $package"
98 MISSING_PACKAGES="$MISSING_PACKAGES $package"
95 fi
99 fi
96 done
100 done
97
101
98 # Ask if missing packages should get installed right now
102 # Ask if missing packages should get installed right now
99 if [ -n "$MISSING_PACKAGES" ] ; then
103 if [ -n "$MISSING_PACKAGES" ] ; then
100 echo "the following packages needed by this script are not installed:"
104 echo "the following packages needed by this script are not installed:"
101 echo "$MISSING_PACKAGES"
105 echo "$MISSING_PACKAGES"
102
106
103 echo -n "\ndo you want to install the missing packages right now? [y/n] "
107 echo -n "\ndo you want to install the missing packages right now? [y/n] "
104 read confirm
108 read confirm
105 if [ "$confirm" != "y" ] ; then
109 if [ "$confirm" != "y" ] ; then
106 exit 1
110 exit 1
107 fi
111 fi
108 fi
112 fi
109
113
110 # Make sure all required packages are installed
114 # Make sure all required packages are installed
111 apt-get -qq -y install ${REQUIRED_PACKAGES}
115 apt-get -qq -y install ${REQUIRED_PACKAGES}
112
116
113 # Don't clobber an old build
117 # Don't clobber an old build
114 if [ -e "$BUILDDIR" ]; then
118 if [ -e "$BUILDDIR" ]; then
115 echo "directory $BUILDDIR already exists, not proceeding"
119 echo "directory $BUILDDIR already exists, not proceeding"
116 exit 1
120 exit 1
117 fi
121 fi
118
122
119 set -x
123 set -x
120
124
121 # Call "cleanup" function on various signals and errors
125 # Call "cleanup" function on various signals and errors
122 trap cleanup 0 1 2 3 6
126 trap cleanup 0 1 2 3 6
123
127
124 # Set up chroot directory
128 # Set up chroot directory
125 mkdir -p $R
129 mkdir -p $R
126
130
127 # Add required packages for the minbase installation
131 # Add required packages for the minbase installation
128 if [ "$ENABLE_MINBASE" = true ] ; then
132 if [ "$ENABLE_MINBASE" = true ] ; then
129 APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools"
133 APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools"
130 else
134 else
131 APT_INCLUDES="${APT_INCLUDES},locales"
135 APT_INCLUDES="${APT_INCLUDES},locales,keyboard-configuration,console-setup"
132 fi
136 fi
133
137
134 # Add dbus package, recommended if using systemd
138 # Add dbus package, recommended if using systemd
135 if [ "$ENABLE_DBUS" = true ] ; then
139 if [ "$ENABLE_DBUS" = true ] ; then
136 APT_INCLUDES="${APT_INCLUDES},dbus"
140 APT_INCLUDES="${APT_INCLUDES},dbus"
137 fi
141 fi
138
142
139 # Add iptables IPv4/IPv6 package
143 # Add iptables IPv4/IPv6 package
140 if [ "$ENABLE_IPTABLES" = true ] ; then
144 if [ "$ENABLE_IPTABLES" = true ] ; then
141 APT_INCLUDES="${APT_INCLUDES},iptables"
145 APT_INCLUDES="${APT_INCLUDES},iptables"
142 fi
146 fi
143
147
144 # Add openssh server package
148 # Add openssh server package
145 if [ "$ENABLE_SSHD" = true ] ; then
149 if [ "$ENABLE_SSHD" = true ] ; then
146 APT_INCLUDES="${APT_INCLUDES},openssh-server"
150 APT_INCLUDES="${APT_INCLUDES},openssh-server"
147 fi
151 fi
148
152
149 # Add alsa-utils package
153 # Add alsa-utils package
150 if [ "$ENABLE_SOUND" = true ] ; then
154 if [ "$ENABLE_SOUND" = true ] ; then
151 APT_INCLUDES="${APT_INCLUDES},alsa-utils"
155 APT_INCLUDES="${APT_INCLUDES},alsa-utils"
152 fi
156 fi
153
157
154 # Add rng-tools package
158 # Add rng-tools package
155 if [ "$ENABLE_HWRANDOM" = true ] ; then
159 if [ "$ENABLE_HWRANDOM" = true ] ; then
156 APT_INCLUDES="${APT_INCLUDES},rng-tools"
160 APT_INCLUDES="${APT_INCLUDES},rng-tools"
157 fi
161 fi
158
162
159 # Add fbturbo video driver
163 # Add fbturbo video driver
160 if [ "$ENABLE_FBTURBO" = true ] ; then
164 if [ "$ENABLE_FBTURBO" = true ] ; then
161 # Enable xorg package dependencies
165 # Enable xorg package dependencies
162 ENABLE_XORG=true
166 ENABLE_XORG=true
163 fi
167 fi
164
168
165 # Add user defined window manager package
169 # Add user defined window manager package
166 if [ -n "$ENABLE_WM" ] ; then
170 if [ -n "$ENABLE_WM" ] ; then
167 APT_INCLUDES="${APT_INCLUDES},${ENABLE_WM}"
171 APT_INCLUDES="${APT_INCLUDES},${ENABLE_WM}"
168
172
169 # Enable xorg package dependencies
173 # Enable xorg package dependencies
170 ENABLE_XORG=true
174 ENABLE_XORG=true
171 fi
175 fi
172
176
173 # Add xorg package
177 # Add xorg package
174 if [ "$ENABLE_XORG" = true ] ; then
178 if [ "$ENABLE_XORG" = true ] ; then
175 APT_INCLUDES="${APT_INCLUDES},xorg"
179 APT_INCLUDES="${APT_INCLUDES},xorg"
176 fi
180 fi
177
181
178 # Set empty proxy string
182 # Set empty proxy string
179 if [ -z "$APT_PROXY" ] ; then
183 if [ -z "$APT_PROXY" ] ; then
180 APT_PROXY="http://"
184 APT_PROXY="http://"
181 fi
185 fi
182
186
183 # Base debootstrap (unpack only)
187 # Base debootstrap (unpack only)
184 if [ "$ENABLE_MINBASE" = true ] ; then
188 if [ "$ENABLE_MINBASE" = true ] ; then
185 http_proxy=${APT_PROXY} debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
189 http_proxy=${APT_PROXY} debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
186 else
190 else
187 http_proxy=${APT_PROXY} debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
191 http_proxy=${APT_PROXY} debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
188 fi
192 fi
189
193
190 # Copy qemu emulator binary to chroot
194 # Copy qemu emulator binary to chroot
191 cp /usr/bin/qemu-arm-static $R/usr/bin
195 cp /usr/bin/qemu-arm-static $R/usr/bin
192
196
193 # Copy debian-archive-keyring.pgp
197 # Copy debian-archive-keyring.pgp
194 chroot $R mkdir -p /usr/share/keyrings
198 chroot $R mkdir -p /usr/share/keyrings
195 cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
199 cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
196
200
197 # Complete the bootstrapping process
201 # Complete the bootstrapping process
198 chroot $R /debootstrap/debootstrap --second-stage
202 chroot $R /debootstrap/debootstrap --second-stage
199
203
200 # Mount required filesystems
204 # Mount required filesystems
201 mount -t proc none $R/proc
205 mount -t proc none $R/proc
202 mount -t sysfs none $R/sys
206 mount -t sysfs none $R/sys
203 mount --bind /dev/pts $R/dev/pts
207 mount --bind /dev/pts $R/dev/pts
204
208
205 # Use proxy inside chroot
209 # Use proxy inside chroot
206 if [ -z "$APT_PROXY" ] ; then
210 if [ -z "$APT_PROXY" ] ; then
207 echo "Acquire::http::Proxy \"$APT_PROXY\"" >> $R/etc/apt/apt.conf.d/10proxy
211 echo "Acquire::http::Proxy \"$APT_PROXY\"" >> $R/etc/apt/apt.conf.d/10proxy
208 fi
212 fi
209
213
210 # Pin package flash-kernel to repositories.collabora.co.uk
214 # Pin package flash-kernel to repositories.collabora.co.uk
211 cat <<EOM >$R/etc/apt/preferences.d/flash-kernel
215 cat <<EOM >$R/etc/apt/preferences.d/flash-kernel
212 Package: flash-kernel
216 Package: flash-kernel
213 Pin: origin repositories.collabora.co.uk
217 Pin: origin repositories.collabora.co.uk
214 Pin-Priority: 1000
218 Pin-Priority: 1000
215 EOM
219 EOM
216
220
217 # Set up timezone
221 # Set up timezone
218 echo ${TIMEZONE} >$R/etc/timezone
222 echo ${TIMEZONE} >$R/etc/timezone
219 LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata
223 LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata
220
224
221 # Set up default locales to "en_US.UTF-8" default
222 if [ "$ENABLE_MINBASE" = false ] ; then
223 LANG=C chroot $R sed -i '/${DEFLOCAL}/s/^#//' /etc/locale.gen
224 LANG=C chroot $R locale-gen ${DEFLOCAL}
225 fi
226
227 # Upgrade collabora package index and install collabora keyring
225 # Upgrade collabora package index and install collabora keyring
228 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
226 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
229 LANG=C chroot $R apt-get -qq -y update
227 LANG=C chroot $R apt-get -qq -y update
230 LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring
228 LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring
231
229
232 # Set up initial sources.list
230 # Set up initial sources.list
233 cat <<EOM >$R/etc/apt/sources.list
231 cat <<EOM >$R/etc/apt/sources.list
234 deb http://${APT_SERVER}/debian ${RELEASE} main contrib
232 deb http://${APT_SERVER}/debian ${RELEASE} main contrib
235 #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib
233 #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib
236
234
237 deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
235 deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
238 #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
236 #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
239
237
240 deb http://security.debian.org/ ${RELEASE}/updates main contrib
238 deb http://security.debian.org/ ${RELEASE}/updates main contrib
241 #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib
239 #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib
242
240
243 deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
241 deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
244 EOM
242 EOM
245
243
246 # Upgrade package index and update all installed packages and changed dependencies
244 # Upgrade package index and update all installed packages and changed dependencies
247 LANG=C chroot $R apt-get -qq -y update
245 LANG=C chroot $R apt-get -qq -y update
248 LANG=C chroot $R apt-get -qq -y -u dist-upgrade
246 LANG=C chroot $R apt-get -qq -y -u dist-upgrade
249
247
248 # Set up default locale and keyboard configuration
249 if [ "$ENABLE_MINBASE" = false ] ; then
250 # Set locale choice in debconf db, even though dpkg-reconfigure ignores and overwrites them due to some bug
251 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684134 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685957
252 # ... so we have to set locales manually
253 if [ "$DEFLOCAL" = "en_US.UTF-8" ] ; then
254 LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections
255 else
256 # en_US.UTF-8 should be available anyway : https://www.debian.org/doc/manuals/debian-reference/ch08.en.html#_the_reconfiguration_of_the_locale
257 LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections
258 LANG=C chroot $R sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen
259 fi
260 LANG=C chroot $R sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen
261 LANG=C chroot $R echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections
262 LANG=C chroot $R locale-gen
263 LANG=C chroot $R update-locale LANG=${DEFLOCAL}
264
265 # Keyboard configuration, if requested
266 if [ "$XKBMODEL" != "" ] ; then
267 LANG=C chroot $R sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKBMODEL}\"/" /etc/default/keyboard
268 fi
269 if [ "$XKBLAYOUT" != "" ] ; then
270 LANG=C chroot $R sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKBLAYOUT}\"/" /etc/default/keyboard
271 fi
272 if [ "$XKBVARIANT" != "" ] ; then
273 LANG=C chroot $R sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKBVARIANT}\"/" /etc/default/keyboard
274 fi
275 if [ "$XKBOPTIONS" != "" ] ; then
276 LANG=C chroot $R sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKBOPTIONS}\"/" /etc/default/keyboard
277 fi
278 LANG=C chroot $R dpkg-reconfigure -f noninteractive keyboard-configuration
279 # Set up font console
280 case "${DEFLOCAL}" in
281 *UTF-8)
282 LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' /etc/default/console-setup
283 ;;
284 *)
285 LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="guess"/' /etc/default/console-setup
286 ;;
287 esac
288 LANG=C chroot $R dpkg-reconfigure -f noninteractive console-setup
289 fi
290
250 # Kernel installation
291 # Kernel installation
251 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
292 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
252 LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2
293 LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2
253 LANG=C chroot $R apt-get -qq -y install flash-kernel
294 LANG=C chroot $R apt-get -qq -y install flash-kernel
254
295
255 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
296 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
256 [ -z "$VMLINUZ" ] && exit 1
297 [ -z "$VMLINUZ" ] && exit 1
257 mkdir -p $R/boot/firmware
298 mkdir -p $R/boot/firmware
258
299
259 # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")
300 # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")
260 wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin
301 wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin
261 wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat
302 wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat
262 wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat
303 wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat
263 wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat
304 wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat
264 wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf
305 wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf
265 wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf
306 wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf
266 wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf
307 wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf
267 cp $VMLINUZ $R/boot/firmware/kernel7.img
308 cp $VMLINUZ $R/boot/firmware/kernel7.img
268
309
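Review bot: the seven `wget -q -O $R/boot/firmware/...` downloads (lines 301 to 307) are the only integrity control on the boot binaries, and `wget -O` leaves an empty or partial file and returns non-zero on failure without stopping the script (there is no `set -e` in this region and, unlike `[ -z "$VMLINUZ" ] && exit 1` for the kernel on line 297, no check after the downloads), so a failed or blocked download yields an image with a zero-byte `bootcode.bin` or `start.elf`. Check each download's exit status (or `[ -s "$file" ]`) and, since the commit is already pinned in the URL, compare the files against recorded SHA-256 sums before they go into the boot partition.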
269 # Set up IPv4 hosts
310 # Set up IPv4 hosts
270 echo ${HOSTNAME} >$R/etc/hostname
311 echo ${HOSTNAME} >$R/etc/hostname
271 cat <<EOM >$R/etc/hosts
312 cat <<EOM >$R/etc/hosts
272 127.0.0.1 localhost
313 127.0.0.1 localhost
273 127.0.1.1 ${HOSTNAME}
314 127.0.1.1 ${HOSTNAME}
274 EOM
315 EOM
275
316
276 # Set up IPv6 hosts
317 # Set up IPv6 hosts
277 if [ "$ENABLE_IPV6" = true ] ; then
318 if [ "$ENABLE_IPV6" = true ] ; then
278 cat <<EOM >>$R/etc/hosts
319 cat <<EOM >>$R/etc/hosts
279
320
280 ::1 localhost ip6-localhost ip6-loopback
321 ::1 localhost ip6-localhost ip6-loopback
281 ff02::1 ip6-allnodes
322 ff02::1 ip6-allnodes
282 ff02::2 ip6-allrouters
323 ff02::2 ip6-allrouters
283 EOM
324 EOM
284 fi
325 fi
285
326
286 # Place hint about network configuration
327 # Place hint about network configuration
287 cat <<EOM >$R/etc/network/interfaces
328 cat <<EOM >$R/etc/network/interfaces
288 # Debian switched to systemd-networkd configuration files.
329 # Debian switched to systemd-networkd configuration files.
289 # please configure your networks in '/etc/systemd/network/'
330 # please configure your networks in '/etc/systemd/network/'
290 EOM
331 EOM
291
332
292 # Enable systemd-networkd DHCP configuration for interface eth0
333 # Enable systemd-networkd DHCP configuration for interface eth0
293 cat <<EOM >$R/etc/systemd/network/eth.network
334 cat <<EOM >$R/etc/systemd/network/eth.network
294 [Match]
335 [Match]
295 Name=eth0
336 Name=eth0
296
337
297 [Network]
338 [Network]
298 DHCP=yes
339 DHCP=yes
299 EOM
340 EOM
300
341
301 # Set DHCP configuration to IPv4 only
342 # Set DHCP configuration to IPv4 only
302 if [ "$ENABLE_IPV6" = false ] ; then
343 if [ "$ENABLE_IPV6" = false ] ; then
303 sed -i "s/=yes/=v4/" $R/etc/systemd/network/eth.network
344 sed -i "s/=yes/=v4/" $R/etc/systemd/network/eth.network
304 fi
345 fi
305
346
306 # Enable systemd-networkd service
347 # Enable systemd-networkd service
307 LANG=C chroot $R systemctl enable systemd-networkd
348 LANG=C chroot $R systemctl enable systemd-networkd
308
349
309 # Generate crypt(3) password string
350 # Generate crypt(3) password string
310 ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
351 ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
311
352
312 # Set up default user
353 # Set up default user
313 LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi
354 LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi
314 LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
355 LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
315
356
316 # Set up root password
357 # Set up root password
317 LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root
358 LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root
318
359
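Review bot: the `mkpasswd -m sha-512 ${PASSWORD}` call on line 351 passes the cleartext password as a command-line argument, so it is visible to every user on the build host through `ps` and `/proc/*/cmdline` while it runs, and the unquoted `${PASSWORD}` breaks on whitespace. Feed it on stdin instead: `printf '%s' "$PASSWORD" | mkpasswd -m sha-512 -s`. The same hash is then assigned to both `pi` (line 355) and `root` (line 358), so the image ships with a root account that can log in directly with the user's password even though `pi` is already in `sudo`; consider a separate `ROOT_PASSWORD` variable, or locking root (`usermod -L root`) when `sudo` is the intended path.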
319 # Set up firmware boot cmdline
360 # Set up firmware boot cmdline
320 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
361 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
321
362
322 # Set up serial console support (if requested)
363 # Set up serial console support (if requested)
323 if [ "$ENABLE_CONSOLE" = true ] ; then
364 if [ "$ENABLE_CONSOLE" = true ] ; then
324 CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
365 CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
325 fi
366 fi
326
367
327 # Set up IPv6 networking support
368 # Set up IPv6 networking support
328 if [ "$ENABLE_IPV6" = false ] ; then
369 if [ "$ENABLE_IPV6" = false ] ; then
329 CMDLINE="${CMDLINE} ipv6.disable=1"
370 CMDLINE="${CMDLINE} ipv6.disable=1"
330 fi
371 fi
331
372
332 echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
373 echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
333
374
334 # Set up firmware config
375 # Set up firmware config
335 cat <<EOM >$R/boot/firmware/config.txt
376 cat <<EOM >$R/boot/firmware/config.txt
336 # For more options and information see
377 # For more options and information see
337 # http://www.raspberrypi.org/documentation/configuration/config-txt.md
378 # http://www.raspberrypi.org/documentation/configuration/config-txt.md
338 # Some settings may impact device functionality. See link above for details
379 # Some settings may impact device functionality. See link above for details
339
380
340 # uncomment if you get no picture on HDMI for a default "safe" mode
381 # uncomment if you get no picture on HDMI for a default "safe" mode
341 #hdmi_safe=1
382 #hdmi_safe=1
342
383
343 # uncomment this if your display has a black border of unused pixels visible
384 # uncomment this if your display has a black border of unused pixels visible
344 # and your display can output without overscan
385 # and your display can output without overscan
345 #disable_overscan=1
386 #disable_overscan=1
346
387
347 # uncomment the following to adjust overscan. Use positive numbers if console
388 # uncomment the following to adjust overscan. Use positive numbers if console
348 # goes off screen, and negative if there is too much border
389 # goes off screen, and negative if there is too much border
349 #overscan_left=16
390 #overscan_left=16
350 #overscan_right=16
391 #overscan_right=16
351 #overscan_top=16
392 #overscan_top=16
352 #overscan_bottom=16
393 #overscan_bottom=16
353
394
354 # uncomment to force a console size. By default it will be display's size minus
395 # uncomment to force a console size. By default it will be display's size minus
355 # overscan.
396 # overscan.
356 #framebuffer_width=1280
397 #framebuffer_width=1280
357 #framebuffer_height=720
398 #framebuffer_height=720
358
399
359 # uncomment if hdmi display is not detected and composite is being output
400 # uncomment if hdmi display is not detected and composite is being output
360 #hdmi_force_hotplug=1
401 #hdmi_force_hotplug=1
361
402
362 # uncomment to force a specific HDMI mode (this will force VGA)
403 # uncomment to force a specific HDMI mode (this will force VGA)
363 #hdmi_group=1
404 #hdmi_group=1
364 #hdmi_mode=1
405 #hdmi_mode=1
365
406
366 # uncomment to force a HDMI mode rather than DVI. This can make audio work in
407 # uncomment to force a HDMI mode rather than DVI. This can make audio work in
367 # DMT (computer monitor) modes
408 # DMT (computer monitor) modes
368 #hdmi_drive=2
409 #hdmi_drive=2
369
410
370 # uncomment to increase signal to HDMI, if you have interference, blanking, or
411 # uncomment to increase signal to HDMI, if you have interference, blanking, or
371 # no display
412 # no display
372 #config_hdmi_boost=4
413 #config_hdmi_boost=4
373
414
374 # uncomment for composite PAL
415 # uncomment for composite PAL
375 #sdtv_mode=2
416 #sdtv_mode=2
376
417
377 # uncomment to overclock the arm. 700 MHz is the default.
418 # uncomment to overclock the arm. 700 MHz is the default.
378 #arm_freq=800
419 #arm_freq=800
379 EOM
420 EOM
380
421
381 # Load snd_bcm2835 kernel module at boot time
422 # Load snd_bcm2835 kernel module at boot time
382 if [ "$ENABLE_SOUND" = true ] ; then
423 if [ "$ENABLE_SOUND" = true ] ; then
383 echo "snd_bcm2835" >>$R/etc/modules
424 echo "snd_bcm2835" >>$R/etc/modules
384 fi
425 fi
385
426
386 # Set smallest possible GPU memory allocation size: 16MB (no X)
427 # Set smallest possible GPU memory allocation size: 16MB (no X)
387 if [ "$ENABLE_MINGPU" = true ] ; then
428 if [ "$ENABLE_MINGPU" = true ] ; then
388 echo "gpu_mem=16" >>$R/boot/firmware/config.txt
429 echo "gpu_mem=16" >>$R/boot/firmware/config.txt
389 fi
430 fi
390
431
391 # Create symlinks
432 # Create symlinks
392 ln -sf firmware/config.txt $R/boot/config.txt
433 ln -sf firmware/config.txt $R/boot/config.txt
393 ln -sf firmware/cmdline.txt $R/boot/cmdline.txt
434 ln -sf firmware/cmdline.txt $R/boot/cmdline.txt
394
435
395 # Prepare modules-load.d directory
436 # Prepare modules-load.d directory
396 mkdir -p $R/lib/modules-load.d/
437 mkdir -p $R/lib/modules-load.d/
397
438
398 # Load random module on boot
439 # Load random module on boot
399 if [ "$ENABLE_HWRANDOM" = true ] ; then
440 if [ "$ENABLE_HWRANDOM" = true ] ; then
400 cat <<EOM >$R/lib/modules-load.d/rpi2.conf
441 cat <<EOM >$R/lib/modules-load.d/rpi2.conf
401 bcm2708_rng
442 bcm2708_rng
402 EOM
443 EOM
403 fi
444 fi
404
445
405 # Prepare modprobe.d directory
446 # Prepare modprobe.d directory
406 mkdir -p $R/etc/modprobe.d/
447 mkdir -p $R/etc/modprobe.d/
407
448
408 # Blacklist sound modules
449 # Blacklist sound modules
409 cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf
450 cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf
410 blacklist snd_soc_core
451 blacklist snd_soc_core
411 blacklist snd_pcm
452 blacklist snd_pcm
412 blacklist snd_pcm_dmaengine
453 blacklist snd_pcm_dmaengine
413 blacklist snd_timer
454 blacklist snd_timer
414 blacklist snd_compress
455 blacklist snd_compress
415 blacklist snd_soc_pcm512x_i2c
456 blacklist snd_soc_pcm512x_i2c
416 blacklist snd_soc_pcm512x
457 blacklist snd_soc_pcm512x
417 blacklist snd_soc_tas5713
458 blacklist snd_soc_tas5713
418 blacklist snd_soc_wm8804
459 blacklist snd_soc_wm8804
419 EOM
460 EOM
420
461
421 # Create default fstab
462 # Create default fstab
422 cat <<EOM >$R/etc/fstab
463 cat <<EOM >$R/etc/fstab
423 /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
464 /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
424 /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
465 /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
425 EOM
466 EOM
426
467
427 # Avoid swapping and increase cache sizes
468 # Avoid swapping and increase cache sizes
428 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
469 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
429
470
430 # Avoid swapping and increase cache sizes
471 # Avoid swapping and increase cache sizes
431 vm.swappiness=1
472 vm.swappiness=1
432 vm.dirty_background_ratio=20
473 vm.dirty_background_ratio=20
433 vm.dirty_ratio=40
474 vm.dirty_ratio=40
434 vm.dirty_writeback_centisecs=500
475 vm.dirty_writeback_centisecs=500
435 vm.dirty_expire_centisecs=6000
476 vm.dirty_expire_centisecs=6000
436 EOM
477 EOM
437
478
438 # Enable network stack hardening
479 # Enable network stack hardening
439 if [ "$ENABLE_HARDNET" = true ] ; then
480 if [ "$ENABLE_HARDNET" = true ] ; then
440 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
481 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
441
482
442 # Enable network stack hardening
483 # Enable network stack hardening
443 net.ipv4.tcp_timestamps=0
484 net.ipv4.tcp_timestamps=0
444 net.ipv4.tcp_syncookies=1
485 net.ipv4.tcp_syncookies=1
445 net.ipv4.conf.all.rp_filter=1
486 net.ipv4.conf.all.rp_filter=1
446 net.ipv4.conf.all.accept_redirects=0
487 net.ipv4.conf.all.accept_redirects=0
447 net.ipv4.conf.all.send_redirects=0
488 net.ipv4.conf.all.send_redirects=0
448 net.ipv4.conf.all.accept_source_route=0
489 net.ipv4.conf.all.accept_source_route=0
449 net.ipv4.conf.default.rp_filter=1
490 net.ipv4.conf.default.rp_filter=1
450 net.ipv4.conf.default.accept_redirects=0
491 net.ipv4.conf.default.accept_redirects=0
451 net.ipv4.conf.default.send_redirects=0
492 net.ipv4.conf.default.send_redirects=0
452 net.ipv4.conf.default.accept_source_route=0
493 net.ipv4.conf.default.accept_source_route=0
453 net.ipv4.conf.lo.accept_redirects=0
494 net.ipv4.conf.lo.accept_redirects=0
454 net.ipv4.conf.lo.send_redirects=0
495 net.ipv4.conf.lo.send_redirects=0
455 net.ipv4.conf.lo.accept_source_route=0
496 net.ipv4.conf.lo.accept_source_route=0
456 net.ipv4.conf.eth0.accept_redirects=0
497 net.ipv4.conf.eth0.accept_redirects=0
457 net.ipv4.conf.eth0.send_redirects=0
498 net.ipv4.conf.eth0.send_redirects=0
458 net.ipv4.conf.eth0.accept_source_route=0
499 net.ipv4.conf.eth0.accept_source_route=0
459 net.ipv4.icmp_echo_ignore_broadcasts=1
500 net.ipv4.icmp_echo_ignore_broadcasts=1
460 net.ipv4.icmp_ignore_bogus_error_responses=1
501 net.ipv4.icmp_ignore_bogus_error_responses=1
461
502
462 net.ipv6.conf.all.accept_redirects=0
503 net.ipv6.conf.all.accept_redirects=0
463 net.ipv6.conf.all.accept_source_route=0
504 net.ipv6.conf.all.accept_source_route=0
464 net.ipv6.conf.all.router_solicitations=0
505 net.ipv6.conf.all.router_solicitations=0
465 net.ipv6.conf.all.accept_ra_rtr_pref=0
506 net.ipv6.conf.all.accept_ra_rtr_pref=0
466 net.ipv6.conf.all.accept_ra_pinfo=0
507 net.ipv6.conf.all.accept_ra_pinfo=0
467 net.ipv6.conf.all.accept_ra_defrtr=0
508 net.ipv6.conf.all.accept_ra_defrtr=0
468 net.ipv6.conf.all.autoconf=0
509 net.ipv6.conf.all.autoconf=0
469 net.ipv6.conf.all.dad_transmits=0
510 net.ipv6.conf.all.dad_transmits=0
470 net.ipv6.conf.all.max_addresses=1
511 net.ipv6.conf.all.max_addresses=1
471
512
472 net.ipv6.conf.default.accept_redirects=0
513 net.ipv6.conf.default.accept_redirects=0
473 net.ipv6.conf.default.accept_source_route=0
514 net.ipv6.conf.default.accept_source_route=0
474 net.ipv6.conf.default.router_solicitations=0
515 net.ipv6.conf.default.router_solicitations=0
475 net.ipv6.conf.default.accept_ra_rtr_pref=0
516 net.ipv6.conf.default.accept_ra_rtr_pref=0
476 net.ipv6.conf.default.accept_ra_pinfo=0
517 net.ipv6.conf.default.accept_ra_pinfo=0
477 net.ipv6.conf.default.accept_ra_defrtr=0
518 net.ipv6.conf.default.accept_ra_defrtr=0
478 net.ipv6.conf.default.autoconf=0
519 net.ipv6.conf.default.autoconf=0
479 net.ipv6.conf.default.dad_transmits=0
520 net.ipv6.conf.default.dad_transmits=0
480 net.ipv6.conf.default.max_addresses=1
521 net.ipv6.conf.default.max_addresses=1
481
522
482 net.ipv6.conf.lo.accept_redirects=0
523 net.ipv6.conf.lo.accept_redirects=0
483 net.ipv6.conf.lo.accept_source_route=0
524 net.ipv6.conf.lo.accept_source_route=0
484 net.ipv6.conf.lo.router_solicitations=0
525 net.ipv6.conf.lo.router_solicitations=0
485 net.ipv6.conf.lo.accept_ra_rtr_pref=0
526 net.ipv6.conf.lo.accept_ra_rtr_pref=0
486 net.ipv6.conf.lo.accept_ra_pinfo=0
527 net.ipv6.conf.lo.accept_ra_pinfo=0
487 net.ipv6.conf.lo.accept_ra_defrtr=0
528 net.ipv6.conf.lo.accept_ra_defrtr=0
488 net.ipv6.conf.lo.autoconf=0
529 net.ipv6.conf.lo.autoconf=0
489 net.ipv6.conf.lo.dad_transmits=0
530 net.ipv6.conf.lo.dad_transmits=0
490 net.ipv6.conf.lo.max_addresses=1
531 net.ipv6.conf.lo.max_addresses=1
491
532
492 net.ipv6.conf.eth0.accept_redirects=0
533 net.ipv6.conf.eth0.accept_redirects=0
493 net.ipv6.conf.eth0.accept_source_route=0
534 net.ipv6.conf.eth0.accept_source_route=0
494 net.ipv6.conf.eth0.router_solicitations=0
535 net.ipv6.conf.eth0.router_solicitations=0
495 net.ipv6.conf.eth0.accept_ra_rtr_pref=0
536 net.ipv6.conf.eth0.accept_ra_rtr_pref=0
496 net.ipv6.conf.eth0.accept_ra_pinfo=0
537 net.ipv6.conf.eth0.accept_ra_pinfo=0
497 net.ipv6.conf.eth0.accept_ra_defrtr=0
538 net.ipv6.conf.eth0.accept_ra_defrtr=0
498 net.ipv6.conf.eth0.autoconf=0
539 net.ipv6.conf.eth0.autoconf=0
499 net.ipv6.conf.eth0.dad_transmits=0
540 net.ipv6.conf.eth0.dad_transmits=0
500 net.ipv6.conf.eth0.max_addresses=1
541 net.ipv6.conf.eth0.max_addresses=1
501 EOM
542 EOM
502
543
503 # Enable resolver warnings about spoofed addresses
544 # Enable resolver warnings about spoofed addresses
504 cat <<EOM >>$R/etc/host.conf
545 cat <<EOM >>$R/etc/host.conf
505 spoof warn
546 spoof warn
506 EOM
547 EOM
507 fi
548 fi
508
549
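Review bot: the per-interface keys `net.ipv4.conf.eth0.*` and `net.ipv6.conf.eth0.*` (lines 497 to 499 and 533 to 541) only take effect if an interface named `eth0` exists when `systemd-sysctl.service` runs early in boot; the RPi2's Ethernet is a USB device that is often probed later, and with `net.ifnames=1` on the kernel command line (line 361) systemd's predictable naming typically renames it (e.g. `enx<mac>`), so these lines error out and the `[Match] Name=eth0` in `eth.network` (line 336) would not match either. The `all.*` and `default.*` keys already cover a late-appearing interface, so either drop the `eth0` entries or verify the real interface name on the target and match it (`Name=e*` in the network unit, or a udev rule pinning the name).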
509 # Regenerate openssh server host keys
550 # Regenerate openssh server host keys
510 if [ "$ENABLE_SSHD" = true ] ; then
551 if [ "$ENABLE_SSHD" = true ] ; then
511 rm -fr $R/etc/ssh/ssh_host_*
552 rm -fr $R/etc/ssh/ssh_host_*
512 LANG=C chroot $R dpkg-reconfigure openssh-server
553 LANG=C chroot $R dpkg-reconfigure openssh-server
513 fi
554 fi
514
555
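Review bot: regenerating the host keys at image-build time (`rm -fr $R/etc/ssh/ssh_host_*` followed by `dpkg-reconfigure openssh-server`, lines 552 and 553) bakes one set of private host keys into the image, so every device flashed from the same image file shares them and a compromise of any one device lets an attacker impersonate the others. Better to remove the keys here and leave generation to first boot, e.g. a oneshot unit with `ConditionPathExists=!/etc/ssh/ssh_host_rsa_key` that runs `ssh-keygen -A` (or `dpkg-reconfigure openssh-server`) and is ordered `Before=ssh.service`.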
515 # Enable serial console systemd style
556 # Enable serial console systemd style
516 if [ "$ENABLE_CONSOLE" = true ] ; then
557 if [ "$ENABLE_CONSOLE" = true ] ; then
517 LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service
558 LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service
518 fi
559 fi
519
560
520 # Enable firewall based on iptables started by systemd service
561 # Enable firewall based on iptables started by systemd service
521 if [ "$ENABLE_IPTABLES" = true ] ; then
562 if [ "$ENABLE_IPTABLES" = true ] ; then
522 # Create iptables configuration directory
563 # Create iptables configuration directory
523 mkdir -p "$R/etc/iptables"
564 mkdir -p "$R/etc/iptables"
524
565
525 # Create iptables systemd service
566 # Create iptables systemd service
526 cat <<EOM >$R/etc/systemd/system/iptables.service
567 cat <<EOM >$R/etc/systemd/system/iptables.service
527 [Unit]
568 [Unit]
528 Description=Packet Filtering Framework
569 Description=Packet Filtering Framework
529 DefaultDependencies=no
570 DefaultDependencies=no
530 After=systemd-sysctl.service
571 After=systemd-sysctl.service
531 Before=sysinit.target
572 Before=sysinit.target
532 [Service]
573 [Service]
533 Type=oneshot
574 Type=oneshot
534 ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
575 ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
535 ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
576 ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
536 ExecStop=/etc/iptables/flush-iptables.sh
577 ExecStop=/etc/iptables/flush-iptables.sh
537 RemainAfterExit=yes
578 RemainAfterExit=yes
538 [Install]
579 [Install]
539 WantedBy=multi-user.target
580 WantedBy=multi-user.target
540 EOM
581 EOM
541
582
542 # Create flush-table script called by iptables service
583 # Create flush-table script called by iptables service
543 cat <<EOM >$R/etc/iptables/flush-iptables.sh
584 cat <<EOM >$R/etc/iptables/flush-iptables.sh
544 #!/bin/sh
585 #!/bin/sh
545 iptables -F
586 iptables -F
546 iptables -X
587 iptables -X
547 iptables -t nat -F
588 iptables -t nat -F
548 iptables -t nat -X
589 iptables -t nat -X
549 iptables -t mangle -F
590 iptables -t mangle -F
550 iptables -t mangle -X
591 iptables -t mangle -X
551 iptables -P INPUT ACCEPT
592 iptables -P INPUT ACCEPT
552 iptables -P FORWARD ACCEPT
593 iptables -P FORWARD ACCEPT
553 iptables -P OUTPUT ACCEPT
594 iptables -P OUTPUT ACCEPT
554 EOM
595 EOM
555
596
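Review bot: `flush-iptables.sh` (lines 584 to 595) is written with `cat` and never marked executable in this region, so `ExecStop=/etc/iptables/flush-iptables.sh` in `iptables.service` (line 577) fails with a permission error on `systemctl stop`; add `chmod 0755 $R/etc/iptables/flush-iptables.sh` after the heredoc or invoke it as `ExecStop=/bin/sh /etc/iptables/flush-iptables.sh`. Note also that the flush script sets all three policies to ACCEPT, so stopping the unit opens the device completely rather than failing closed; if that is intended it deserves a comment in the unit file.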
556 # Create iptables rule file
597 # Create iptables rule file
557 cat <<EOM >$R/etc/iptables/iptables.rules
598 cat <<EOM >$R/etc/iptables/iptables.rules
558 *filter
599 *filter
559 :INPUT DROP [0:0]
600 :INPUT DROP [0:0]
560 :FORWARD DROP [0:0]
601 :FORWARD DROP [0:0]
561 :OUTPUT ACCEPT [0:0]
602 :OUTPUT ACCEPT [0:0]
562 :TCP - [0:0]
603 :TCP - [0:0]
563 :UDP - [0:0]
604 :UDP - [0:0]
564 :SSH - [0:0]
605 :SSH - [0:0]
565
606
566 # Rate limit ping requests
607 # Rate limit ping requests
567 -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
608 -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
568 -A INPUT -p icmp --icmp-type echo-request -j DROP
609 -A INPUT -p icmp --icmp-type echo-request -j DROP
569
610
570 # Accept established connections
611 # Accept established connections
571 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
612 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
572
613
573 # Accept all traffic on loopback interface
614 # Accept all traffic on loopback interface
574 -A INPUT -i lo -j ACCEPT
615 -A INPUT -i lo -j ACCEPT
575
616
576 # Drop packets declared invalid
617 # Drop packets declared invalid
577 -A INPUT -m conntrack --ctstate INVALID -j DROP
618 -A INPUT -m conntrack --ctstate INVALID -j DROP
578
619
579 # SSH rate limiting
620 # SSH rate limiting
580 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
621 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
581 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
622 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
582 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
623 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
583 -A SSH -m recent --name sshbf --set -j ACCEPT
624 -A SSH -m recent --name sshbf --set -j ACCEPT
584
625
585 # Send TCP and UDP connections to their respective rules chain
626 # Send TCP and UDP connections to their respective rules chain
586 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
627 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
587 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
628 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
588
629
589 # Reject dropped packets with a RFC compliant responce
630 # Reject dropped packets with a RFC compliant responce
590 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
631 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
591 -A INPUT -p tcp -j REJECT --reject-with tcp-rst
632 -A INPUT -p tcp -j REJECT --reject-with tcp-rst
592 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
633 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
593
634
594 ## TCP PORT RULES
635 ## TCP PORT RULES
595 # -A TCP -p tcp -j LOG
636 # -A TCP -p tcp -j LOG
596
637
597 ## UDP PORT RULES
638 ## UDP PORT RULES
598 # -A UDP -p udp -j LOG
639 # -A UDP -p udp -j LOG
599
640
600 COMMIT
641 COMMIT
601 EOM
642 EOM
602
643
603 # Reload systemd configuration and enable iptables service
644 # Reload systemd configuration and enable iptables service
604 LANG=C chroot $R systemctl daemon-reload
645 LANG=C chroot $R systemctl daemon-reload
605 LANG=C chroot $R systemctl enable iptables.service
646 LANG=C chroot $R systemctl enable iptables.service
606
647
607 if [ "$ENABLE_IPV6" = true ] ; then
648 if [ "$ENABLE_IPV6" = true ] ; then
608 # Create ip6tables systemd service
649 # Create ip6tables systemd service
609 cat <<EOM >$R/etc/systemd/system/ip6tables.service
650 cat <<EOM >$R/etc/systemd/system/ip6tables.service
610 [Unit]
651 [Unit]
611 Description=Packet Filtering Framework
652 Description=Packet Filtering Framework
612 DefaultDependencies=no
653 DefaultDependencies=no
613 After=systemd-sysctl.service
654 After=systemd-sysctl.service
614 Before=sysinit.target
655 Before=sysinit.target
615 [Service]
656 [Service]
616 Type=oneshot
657 Type=oneshot
617 ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
658 ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
618 ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
659 ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
619 ExecStop=/etc/iptables/flush-ip6tables.sh
660 ExecStop=/etc/iptables/flush-ip6tables.sh
620 RemainAfterExit=yes
661 RemainAfterExit=yes
621 [Install]
662 [Install]
622 WantedBy=multi-user.target
663 WantedBy=multi-user.target
623 EOM
664 EOM
624
665
625 # Create ip6tables file
666 # Create ip6tables file
626 cat <<EOM >$R/etc/iptables/flush-ip6tables.sh
667 cat <<EOM >$R/etc/iptables/flush-ip6tables.sh
627 #!/bin/sh
668 #!/bin/sh
628 ip6tables -F
669 ip6tables -F
629 ip6tables -X
670 ip6tables -X
630 ip6tables -Z
671 ip6tables -Z
631 for table in $(</proc/net/ip6_tables_names)
672 for table in $(</proc/net/ip6_tables_names)
632 do
673 do
633 ip6tables -t \$table -F
674 ip6tables -t \$table -F
634 ip6tables -t \$table -X
675 ip6tables -t \$table -X
635 ip6tables -t \$table -Z
676 ip6tables -t \$table -Z
636 done
677 done
637 ip6tables -P INPUT ACCEPT
678 ip6tables -P INPUT ACCEPT
638 ip6tables -P OUTPUT ACCEPT
679 ip6tables -P OUTPUT ACCEPT
639 ip6tables -P FORWARD ACCEPT
680 ip6tables -P FORWARD ACCEPT
640 EOM
681 EOM
641
682
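Review bot: in `flush-ip6tables.sh` the heredoc delimiter is unquoted, and while `\$table` is escaped (lines 674 to 676), `$(</proc/net/ip6_tables_names)` on line 672 is not, so it is expanded by the build host's bash when the file is written: the generated script contains the host's loaded ip6tables table names as literals (or nothing, if the host has none loaded) instead of reading `/proc/net/ip6_tables_names` on the device at runtime. On top of that `$(<file)` is a bash-ism while the script runs under `#!/bin/sh` (dash on Debian). Quote the delimiter (`cat <<'EOM'`, after which the `\$table` escapes must be dropped) and use `$(cat /proc/net/ip6_tables_names)`, and as with the IPv4 flush script, `chmod 0755` the file so `ExecStop=` on line 660 can execute it.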
642 # Create ip6tables rule file
683 # Create ip6tables rule file
643 cat <<EOM >$R/etc/iptables/ip6tables.rules
684 cat <<EOM >$R/etc/iptables/ip6tables.rules
644 *filter
685 *filter
645 :INPUT DROP [0:0]
686 :INPUT DROP [0:0]
646 :FORWARD DROP [0:0]
687 :FORWARD DROP [0:0]
647 :OUTPUT ACCEPT [0:0]
688 :OUTPUT ACCEPT [0:0]
648 :TCP - [0:0]
689 :TCP - [0:0]
649 :UDP - [0:0]
690 :UDP - [0:0]
650 :SSH - [0:0]
691 :SSH - [0:0]
651
692
652 # Drop packets with RH0 headers
693 # Drop packets with RH0 headers
653 -A INPUT -m rt --rt-type 0 -j DROP
694 -A INPUT -m rt --rt-type 0 -j DROP
654 -A OUTPUT -m rt --rt-type 0 -j DROP
695 -A OUTPUT -m rt --rt-type 0 -j DROP
655 -A FORWARD -m rt --rt-type 0 -j DROP
696 -A FORWARD -m rt --rt-type 0 -j DROP
656
697
657 # Rate limit ping requests
698 # Rate limit ping requests
658 -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
699 -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
659 -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
700 -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
660
701
661 # Accept established connections
702 # Accept established connections
662 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
703 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
663
704
664 # Accept all traffic on loopback interface
705 # Accept all traffic on loopback interface
665 -A INPUT -i lo -j ACCEPT
706 -A INPUT -i lo -j ACCEPT
666
707
667 # Drop packets declared invalid
708 # Drop packets declared invalid
668 -A INPUT -m conntrack --ctstate INVALID -j DROP
709 -A INPUT -m conntrack --ctstate INVALID -j DROP
669
710
670 # SSH rate limiting
711 # SSH rate limiting
671 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
712 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
672 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
713 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
673 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
714 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
674 -A SSH -m recent --name sshbf --set -j ACCEPT
715 -A SSH -m recent --name sshbf --set -j ACCEPT
675
716
676 # Send TCP and UDP connections to their respective rules chain
717 # Send TCP and UDP connections to their respective rules chain
677 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
718 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
678 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
719 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
679
720
680 # Reject dropped packets with a RFC compliant responce
721 # Reject dropped packets with a RFC compliant responce
681 -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
722 -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
682 -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
723 -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
683 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
724 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
684
725
685 ## TCP PORT RULES
726 ## TCP PORT RULES
686 # -A TCP -p tcp -j LOG
727 # -A TCP -p tcp -j LOG
687
728
688 ## UDP PORT RULES
729 ## UDP PORT RULES
689 # -A UDP -p udp -j LOG
730 # -A UDP -p udp -j LOG
690
731
691 COMMIT
732 COMMIT
692 EOM
733 EOM
693
734
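Review bot: `ip6tables.rules` (lines 684 to 733) accepts only echo-request and conntrack `RELATED,ESTABLISHED` traffic before the catch-all `-A INPUT -j REJECT --reject-with icmp6-adm-prohibited`, but Neighbor Discovery (ICMPv6 types 133 to 136) is not connection-tracked, so neighbour solicitations and advertisements from the link are rejected and the device cannot complete address resolution with its router or peers once the ruleset loads. Add explicit accepts for the NDP types with a hop-limit check before the final REJECT, e.g. `-A INPUT -p icmpv6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT` and the same for `neighbour-advertisement` (and `router-advertisement` when the hardnet `accept_ra_*=0` keys are not in effect). The IPv4 ruleset rejects TCP with `tcp-rst` (line 632) while this one uses `icmp6-adm-prohibited` for TCP too (line 723); `--reject-with tcp-reset` is available for ip6tables as well and keeps the behaviour consistent.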
694 # Reload systemd configuration and enable iptables service
735 # Reload systemd configuration and enable iptables service
695 LANG=C chroot $R systemctl daemon-reload
736 LANG=C chroot $R systemctl daemon-reload
696 LANG=C chroot $R systemctl enable ip6tables.service
737 LANG=C chroot $R systemctl enable ip6tables.service
697 fi
738 fi
698 fi
739 fi
699
740
700 # Remove SSHD related iptables rules
741 # Remove SSHD related iptables rules
701 if [ "$ENABLE_SSHD" = false ] ; then
742 if [ "$ENABLE_SSHD" = false ] ; then
702 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/iptables.rules 2> /dev/null
743 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/iptables.rules 2> /dev/null
703 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/ip6tables.rules 2> /dev/null
744 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/ip6tables.rules 2> /dev/null
704 fi
745 fi
705
746
706 # Install gcc/c++ build environment inside the chroot
747 # Install gcc/c++ build environment inside the chroot
707 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
748 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
708 LANG=C chroot $R apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
749 LANG=C chroot $R apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
709 fi
750 fi
710
751
711 # Fetch and build U-Boot bootloader
752 # Fetch and build U-Boot bootloader
712 if [ "$ENABLE_UBOOT" = true ] ; then
753 if [ "$ENABLE_UBOOT" = true ] ; then
713 # Fetch U-Boot bootloader sources
754 # Fetch U-Boot bootloader sources
714 git -C $R/tmp clone git://git.denx.de/u-boot.git
755 git -C $R/tmp clone git://git.denx.de/u-boot.git
715
756
716 # Build and install U-Boot inside chroot
757 # Build and install U-Boot inside chroot
717 LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all
758 LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all
718
759
719 # Copy compiled bootloader binary and set config.txt to load it
760 # Copy compiled bootloader binary and set config.txt to load it
720 cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
761 cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
721 printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
762 printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
722
763
723 # Set U-Boot command file
764 # Set U-Boot command file
724 cat <<EOM >$R/boot/firmware/uboot.mkimage
765 cat <<EOM >$R/boot/firmware/uboot.mkimage
725 # Tell Linux that it is booting on a Raspberry Pi2
766 # Tell Linux that it is booting on a Raspberry Pi2
726 setenv machid 0x00000c42
767 setenv machid 0x00000c42
727
768
728 # Set the kernel boot command line
769 # Set the kernel boot command line
729 setenv bootargs "earlyprintk ${CMDLINE}"
770 setenv bootargs "earlyprintk ${CMDLINE}"
730
771
731 # Save these changes to u-boot's environment
772 # Save these changes to u-boot's environment
732 saveenv
773 saveenv
733
774
734 # Load the existing Linux kernel into RAM
775 # Load the existing Linux kernel into RAM
735 fatload mmc 0:1 \${kernel_addr_r} kernel7.img
776 fatload mmc 0:1 \${kernel_addr_r} kernel7.img
736
777
737 # Boot the kernel we have just loaded
778 # Boot the kernel we have just loaded
738 bootz \${kernel_addr_r}
779 bootz \${kernel_addr_r}
739 EOM
780 EOM
740
781
741 # Generate U-Boot image from command file
782 # Generate U-Boot image from command file
742 LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
783 LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
743 fi
784 fi
744
785
745 # Fetch and build fbturbo Xorg driver
786 # Fetch and build fbturbo Xorg driver
746 if [ "$ENABLE_FBTURBO" = true ] ; then
787 if [ "$ENABLE_FBTURBO" = true ] ; then
747 # Fetch fbturbo driver sources
788 # Fetch fbturbo driver sources
748 git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git
789 git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git
749
790
750 # Install Xorg build dependencies
791 # Install Xorg build dependencies
751 LANG=C chroot $R apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
792 LANG=C chroot $R apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
752
793
753 # Build and install fbturbo driver inside chroot
794 # Build and install fbturbo driver inside chroot
754 LANG=C chroot $R /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install"
795 LANG=C chroot $R /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install"
755
796
756 # Add fbturbo driver to Xorg configuration
797 # Add fbturbo driver to Xorg configuration
757 cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf
798 cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf
758 Section "Device"
799 Section "Device"
759 Identifier "Allwinner A10/A13 FBDEV"
800 Identifier "Allwinner A10/A13 FBDEV"
760 Driver "fbturbo"
801 Driver "fbturbo"
761 Option "fbdev" "/dev/fb0"
802 Option "fbdev" "/dev/fb0"
762 Option "SwapbuffersWait" "true"
803 Option "SwapbuffersWait" "true"
763 EndSection
804 EndSection
764 EOM
805 EOM
765
806
766 # Remove Xorg build dependencies
807 # Remove Xorg build dependencies
767 LANG=C chroot $R apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
808 LANG=C chroot $R apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
768 fi
809 fi
769
810
770 # Remove gcc/c++ build environment from the chroot
811 # Remove gcc/c++ build environment from the chroot
771 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
812 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
772 LANG=C chroot $R apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
813 LANG=C chroot $R apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
773 fi
814 fi
774
815
775 # Clean cached downloads
816 # Clean cached downloads
776 LANG=C chroot $R apt-get -y clean
817 LANG=C chroot $R apt-get -y clean
777 LANG=C chroot $R apt-get -y autoclean
818 LANG=C chroot $R apt-get -y autoclean
778 LANG=C chroot $R apt-get -y autoremove
819 LANG=C chroot $R apt-get -y autoremove
779
820
780 # Unmount mounted filesystems
821 # Unmount mounted filesystems
781 umount -l $R/proc
822 umount -l $R/proc
782 umount -l $R/sys
823 umount -l $R/sys
783
824
784 # Clean up files
825 # Clean up files
785 rm -f $R/etc/apt/sources.list.save
826 rm -f $R/etc/apt/sources.list.save
786 rm -f $R/etc/resolvconf/resolv.conf.d/original
827 rm -f $R/etc/resolvconf/resolv.conf.d/original
787 rm -rf $R/run
828 rm -rf $R/run
788 mkdir -p $R/run
829 mkdir -p $R/run
789 rm -f $R/etc/*-
830 rm -f $R/etc/*-
790 rm -f $R/root/.bash_history
831 rm -f $R/root/.bash_history
791 rm -rf $R/tmp/*
832 rm -rf $R/tmp/*
792 rm -f $R/var/lib/urandom/random-seed
833 rm -f $R/var/lib/urandom/random-seed
793 [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id
834 [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id
794 rm -f $R/etc/machine-id
835 rm -f $R/etc/machine-id
795 rm -fr $R/etc/apt/apt.conf.d/10proxy
836 rm -fr $R/etc/apt/apt.conf.d/10proxy
796
837
797 # Calculate size of the chroot directory
838 # Calculate size of the chroot directory
798 CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)
839 CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)
799
840
800 # Calculate required image size
841 # Calculate required image size
801 IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`
842 IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`
802
843
803 # Calculate number of sectors for the partition
844 # Calculate number of sectors for the partition
804 IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`
845 IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`
805
846
806 # Prepare date string for image file name
847 # Prepare date string for image file name
807 DATE="$(date +%Y-%m-%d)"
848 DATE="$(date +%Y-%m-%d)"
808
849
809 # Prepare image file
850 # Prepare image file
810 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1
851 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1
811 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}
852 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}
812
853
813 # Write partition table
854 # Write partition table
814 sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
855 sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
815 unit: sectors
856 unit: sectors
816
857
817 1 : start= 2048, size= 131072, Id= c, bootable
858 1 : start= 2048, size= 131072, Id= c, bootable
818 2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83
859 2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83
819 3 : start= 0, size= 0, Id= 0
860 3 : start= 0, size= 0, Id= 0
820 4 : start= 0, size= 0, Id= 0
861 4 : start= 0, size= 0, Id= 0
821 EOM
862 EOM
822
863
823 # Set up temporary loop devices and build filesystems
864 # Set up temporary loop devices and build filesystems
824 VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
865 VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
825 EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
866 EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
826 mkfs.vfat "$VFAT_LOOP"
867 mkfs.vfat "$VFAT_LOOP"
827 mkfs.ext4 "$EXT4_LOOP"
868 mkfs.ext4 "$EXT4_LOOP"
828
869
829 # Mount the temporary loop devices
870 # Mount the temporary loop devices
830 mkdir -p "$BUILDDIR/mount"
871 mkdir -p "$BUILDDIR/mount"
831 mount "$EXT4_LOOP" "$BUILDDIR/mount"
872 mount "$EXT4_LOOP" "$BUILDDIR/mount"
832
873
833 mkdir -p "$BUILDDIR/mount/boot/firmware"
874 mkdir -p "$BUILDDIR/mount/boot/firmware"
834 mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"
875 mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"
835
876
836 # Copy all files from the chroot to the loop device mount point directory
877 # Copy all files from the chroot to the loop device mount point directory
837 rsync -a "$R/" "$BUILDDIR/mount/"
878 rsync -a "$R/" "$BUILDDIR/mount/"
838
879
839 # Unmount all temporary loop devices and mount points
880 # Unmount all temporary loop devices and mount points
840 cleanup
881 cleanup
841
882
842 # (optinal) create block map file for "bmaptool"
883 # (optinal) create block map file for "bmaptool"
843 bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
884 bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
844
885
845 # Image was successfully created
886 # Image was successfully created
846 echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"
887 echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"
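Review bot: the two source checkouts in the U-Boot and fbturbo blocks are unpinned, so the bootloader and the Xorg driver compiled into the image are whatever the remote branch tip happens to be at build time, and the U-Boot clone (`git -C $R/tmp clone git://git.denx.de/u-boot.git`) additionally uses the unauthenticated `git://` transport; suggest cloning over https and checking out a fixed tag or commit for both, so a rebuild is reproducible and a changed upstream cannot silently alter the image. In the same hunk, the gcc/make install line passes `--force-yes`, which lets apt proceed even when package signatures cannot be verified; the fbturbo dependency install a few lines later does without it, so dropping it here keeps the two consistent and leaves apt's authentication check in place. Finally, the cleanup steps `rm -rf $R/run` and `rm -rf $R/tmp/*` use `$R` unquoted and unguarded; an empty or whitespace-containing `$R` would make them act on the build host, so quote the variable and bail out early if it is empty, as `[ -n "$R" ] || exit 1` before the cleanup block.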