static ip patch by vknecht
Jan Wagner -
r37:507dc9d2f06c Fusion
@@ -1,109 +1,135
1 # rpi2-gen-image
1 # rpi2-gen-image
2 ## Introduction
2 ## Introduction
3 `rpi2-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for the Raspberry 2 (RPi2) computer. The script at this time only supports the bootstrapping of the current stable Debian 8 "jessie" release.
3 `rpi2-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for the Raspberry 2 (RPi2) computer. The script at this time only supports the bootstrapping of the current stable Debian 8 "jessie" release.
4
4
5 ## Build dependencies
5 ## Build dependencies
6 The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user.
6 The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user.
7
7
8 ```debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core```
8 ```debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core```
9
9
10 ## Command-line parameters
10 ## Command-line parameters
11 The script accepts certain command-line parameters to enable or disable specific OS features, services and configuration settings. These parameters are passed to the `rpi2-gen-image.sh` script via (simple) shell-variables. Unlike environment shell-variables (simple) shell-variables are defined at the beginning of the command-line call of the `rpi2-gen-image.sh` script.
11 The script accepts certain command-line parameters to enable or disable specific OS features, services and configuration settings. These parameters are passed to the `rpi2-gen-image.sh` script via (simple) shell-variables. Unlike environment shell-variables (simple) shell-variables are defined at the beginning of the command-line call of the `rpi2-gen-image.sh` script.
12
12
13 #####Command-line examples:
13 #####Command-line examples:
14 ```shell
14 ```shell
15 ENABLE_UBOOT=true ./rpi2-gen-image.sh
15 ENABLE_UBOOT=true ./rpi2-gen-image.sh
16 ENABLE_CONSOLE=false ENABLE_IPV6=false ./rpi2-gen-image.sh
16 ENABLE_CONSOLE=false ENABLE_IPV6=false ./rpi2-gen-image.sh
17 ENABLE_WM=xfce4 ENABLE_FBTURBO=true ENABLE_MINBASE=true ./rpi2-gen-image.sh
17 ENABLE_WM=xfce4 ENABLE_FBTURBO=true ENABLE_MINBASE=true ./rpi2-gen-image.sh
18 ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi2-gen-image.sh
18 ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi2-gen-image.sh
19 APT_SERVER=ftp.de.debian.org APT_PROXY="http://127.0.0.1:3142/" ./rpi2-gen-image.sh
19 APT_SERVER=ftp.de.debian.org APT_PROXY="http://127.0.0.1:3142/" ./rpi2-gen-image.sh
20 ENABLE_MINBASE=true ./rpi2-gen-image.sh
20 ENABLE_MINBASE=true ./rpi2-gen-image.sh
21 ```
21 ```
22
22
23 #### APT settings:
23 #### APT settings:
24 ##### `APT_SERVER`="ftp.debian.org"
24 ##### `APT_SERVER`="ftp.debian.org"
25 Set Debian packages server address. Choose a server from the list of Debian worldwide [mirror sites](https://www.debian.org/mirror/list). Using a nearby server will probably speed-up all required downloads within the bootstrapping process.
25 Set Debian packages server address. Choose a server from the list of Debian worldwide [mirror sites](https://www.debian.org/mirror/list). Using a nearby server will probably speed-up all required downloads within the bootstrapping process.
26
26
27 ##### `APT_PROXY`=""
27 ##### `APT_PROXY`=""
28 Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once.
28 Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once.
29
29
30 #### General system settings:
30 #### General system settings:
31 ##### `HOSTNAME`="rpi2-jessie"
31 ##### `HOSTNAME`="rpi2-jessie"
32 Set system host name. It's recommended that the host name is unique in the corresponding subnet.
32 Set system host name. It's recommended that the host name is unique in the corresponding subnet.
33
33
34 ##### `PASSWORD`="raspberry"
34 ##### `PASSWORD`="raspberry"
35 Set system `root` password. The same password is used for the created user `pi`. It's **STRONGLY** recommended that you choose a custom password.
35 Set system `root` password. The same password is used for the created user `pi`. It's **STRONGLY** recommended that you choose a custom password.
36
36
37 ##### `DEFLOCAL`="en_US.UTF-8"
37 ##### `DEFLOCAL`="en_US.UTF-8"
38 Set default system locale. This setting can also be changed inside the running OS using the `dpkg-reconfigure locales` command. The script variant `minbase` (ENABLE_MINBASE=true) doesn't install `locales`.
38 Set default system locale. This setting can also be changed inside the running OS using the `dpkg-reconfigure locales` command. The script variant `minbase` (ENABLE_MINBASE=true) doesn't install `locales`.
39
39
40
41 ##### `TIMEZONE`="Europe/Berlin"
40 ##### `TIMEZONE`="Europe/Berlin"
42 Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command.
41 Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command.
43
42
44 #### Keyboard settings:
43 #### Keyboard settings:
45 These options are used to configure keyboard layout in `/etc/default/keyboard` for console and Xorg. These settings can also be changed inside the running OS using the `dpkg-reconfigure keyboard-configuration` command.
44 These options are used to configure keyboard layout in `/etc/default/keyboard` for console and Xorg. These settings can also be changed inside the running OS using the `dpkg-reconfigure keyboard-configuration` command.
46 ##### `XKBMODEL`=""
45 ##### `XKBMODEL`=""
47 ##### `XKBLAYOUT`=""
46 ##### `XKBLAYOUT`=""
48 ##### `XKBVARIANT`=""
47 ##### `XKBVARIANT`=""
49 ##### `XKBOPTIONS`=""
48 ##### `XKBOPTIONS`=""
50
49
50 #### Networking settings
51 These settings are used to set up networking configuration in `/etc/systemd/network/eth.network`.
52
53 #####`ENABLE_DHCP`=true
54 Set the system to use DHCP. When set to "true", the following `NET_*` settings (used for static configuration) are ignored.
55
56 #####`NET_ADDRESS`=""
57 Set a static IPv4 or IPv6 address and its prefix, separated by "/", eg. "192.169.0.3/24".
58
59 #####`NET_GATEWAY`=""
60 Set the IP address for the default gateway.
61
62 #####`NET_DNS_1`=""
63 Set the IP address for the first DNS server.
64
65 #####`NET_DNS_2`=""
66 Set the IP address for the second DNS server.
67
68 #####`NET_DNS_DOMAINS`=""
69 Set the default DNS search domains to use for non fully qualified host names.
70
71 #####`NET_NTP_1`=""
72 Set the IP address for the first NTP server.
73
74 #####`NET_NTP_2`=""
75 Set the IP address for the second NTP server.
76
51 #### Basic system features:
77 #### Basic system features:
52 ##### `ENABLE_CONSOLE`=true
78 ##### `ENABLE_CONSOLE`=true
53 Enable serial console interface. Recommended if no monitor or keyboard is connected to the RPi2. In case of problems fe. if the network (auto) configuration failed - the serial console can be used to access the system.
79 Enable serial console interface. Recommended if no monitor or keyboard is connected to the RPi2. In case of problems fe. if the network (auto) configuration failed - the serial console can be used to access the system.
54
80
55 ##### `ENABLE_IPV6`=true
81 ##### `ENABLE_IPV6`=true
56 Enable IPv6 support. The network interface configuration is managed via systemd-networkd.
82 Enable IPv6 support. The network interface configuration is managed via systemd-networkd.
57
83
58 ##### `ENABLE_SSHD`=true
84 ##### `ENABLE_SSHD`=true
59 Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root.
85 Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root.
60
86
61 ##### `ENABLE_SOUND`=true
87 ##### `ENABLE_SOUND`=true
62 Enable sound hardware and install Advanced Linux Sound Architecture.
88 Enable sound hardware and install Advanced Linux Sound Architecture.
63
89
64 ##### `ENABLE_HWRANDOM`=true
90 ##### `ENABLE_HWRANDOM`=true
65 Enable Hardware Random Number Generator. Strong random numbers are important for most network based communications that use encryption. It's recommended to be enabled.
91 Enable Hardware Random Number Generator. Strong random numbers are important for most network based communications that use encryption. It's recommended to be enabled.
66
92
67 ##### `ENABLE_MINGPU`=false
93 ##### `ENABLE_MINGPU`=false
68 Minimize the amount of shared memory reserved for the GPU. It doesn't seem to be possible to fully disable the GPU.
94 Minimize the amount of shared memory reserved for the GPU. It doesn't seem to be possible to fully disable the GPU.
69
95
70 ##### `ENABLE_DBUS`=true
96 ##### `ENABLE_DBUS`=true
71 Install and enable D-Bus message bus. Please note that systemd should work without D-bus but it's recommended to be enabled.
97 Install and enable D-Bus message bus. Please note that systemd should work without D-bus but it's recommended to be enabled.
72
98
73 ##### `ENABLE_XORG`=false
99 ##### `ENABLE_XORG`=false
74 Install Xorg open-source X Window System.
100 Install Xorg open-source X Window System.
75
101
76 ##### `ENABLE_WM`=""
102 ##### `ENABLE_WM`=""
77 Install a user defined window manager for the X Window System. To make sure all X related package dependencies are getting installed `ENABLE_XORG` will automatically get enabled if `ENABLE_WM` is used. The `rpi2-gen-image.sh` script has been tested with the following list of window managers: `blackbox`, `openbox`, `fluxbox`, `jwm`, `dwm`, `xfce4`, `awesome`.
103 Install a user defined window manager for the X Window System. To make sure all X related package dependencies are getting installed `ENABLE_XORG` will automatically get enabled if `ENABLE_WM` is used. The `rpi2-gen-image.sh` script has been tested with the following list of window managers: `blackbox`, `openbox`, `fluxbox`, `jwm`, `dwm`, `xfce4`, `awesome`.
78
104
79 #### Advanced sytem features:
105 #### Advanced sytem features:
80 ##### `ENABLE_MINBASE`=false
106 ##### `ENABLE_MINBASE`=false
81 Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB.
107 Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB.
82
108
83 ##### `ENABLE_UBOOT`=false
109 ##### `ENABLE_UBOOT`=false
84 Replace default RPi2 second stage bootloader (bootcode.bin) with U-Boot bootloader. U-Boot can boot images via the network using the BOOTP/TFTP protocol.
110 Replace default RPi2 second stage bootloader (bootcode.bin) with U-Boot bootloader. U-Boot can boot images via the network using the BOOTP/TFTP protocol.
85
111
86 ##### `ENABLE_FBTURBO`=false
112 ##### `ENABLE_FBTURBO`=false
87 Install and enable the hardware accelerated Xorg video driver `fbturbo`. Please note that this driver is currently limited to hardware accelerated window moving and scrolling.
113 Install and enable the hardware accelerated Xorg video driver `fbturbo`. Please note that this driver is currently limited to hardware accelerated window moving and scrolling.
88
114
89 ##### `ENABLE_IPTABLES`=false
115 ##### `ENABLE_IPTABLES`=false
90 Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service.
116 Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service.
91
117
92 ##### `ENABLE_HARDNET`=false
118 ##### `ENABLE_HARDNET`=false
93 Enable IPv4/IPv6 network stack hardening settings.
119 Enable IPv4/IPv6 network stack hardening settings.
94
120
95 ## Logging of the bootstrapping process
121 ## Logging of the bootstrapping process
96 All information related to the bootstrapping process and the commands executed by the `rpi2-gen-image.sh` script can easily be saved into a logfile. The common shell command `script` can be used for this purpose:
122 All information related to the bootstrapping process and the commands executed by the `rpi2-gen-image.sh` script can easily be saved into a logfile. The common shell command `script` can be used for this purpose:
97
123
98 ```shell
124 ```shell
99 script -c 'APT_SERVER=ftp.de.debian.org ./rpi2-gen-image.sh' ./build.log
125 script -c 'APT_SERVER=ftp.de.debian.org ./rpi2-gen-image.sh' ./build.log
100 ```
126 ```
101
127
102 ## Flashing the image file
128 ## Flashing the image file
103 After the image file was successfully created by the `rpi2-gen-image.sh` script it can be copied to the microSD card that will be used by the RPi2 computer. This can be performed by using the tools `bmaptool` or `dd`. Using `bmaptool` will probably speed-up the copy process because `bmaptool` copies more wisely than `dd`.
129 After the image file was successfully created by the `rpi2-gen-image.sh` script it can be copied to the microSD card that will be used by the RPi2 computer. This can be performed by using the tools `bmaptool` or `dd`. Using `bmaptool` will probably speed-up the copy process because `bmaptool` copies more wisely than `dd`.
104
130
105 #####Flashing examples:
131 #####Flashing examples:
106 ```shell
132 ```shell
107 bmaptool copy ./images/jessie/2015-12-13-debian-jessie.img /dev/mmcblk0
133 bmaptool copy ./images/jessie/2015-12-13-debian-jessie.img /dev/mmcblk0
108 dd bs=4M if=./images/jessie/2015-12-13-debian-jessie.img of=/dev/mmcblk0
134 dd bs=4M if=./images/jessie/2015-12-13-debian-jessie.img of=/dev/mmcblk0
109 ```
135 ```
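Review bot: the example address under `NET_ADDRESS` (new line 57), "192.169.0.3/24", is almost certainly a typo for "192.168.0.3/24": 192.169.0.0/24 is publicly routable space, not the RFC 1918 range readers will expect, and a copy-pasted example could silently misconfigure a host. The new `#####`ENABLE_DHCP`=true` style headings (new lines 53, 56, 59, 62, 65, 68, 71, 74) also omit the space after `#####` that the surrounding `##### `APT_SERVER`` headings use; CommonMark renderers will not treat them as headings, so they should read `##### `ENABLE_DHCP`=true`. Finally, the text says the `NET_*` settings are ignored when `ENABLE_DHCP` is "true" but does not say what happens when it is "false" and `NET_ADDRESS` is left empty; one sentence stating that a static address is then required would save a failed image.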
@@ -1,882 +1,915
1 #!/bin/sh
1 #!/bin/sh
2
2
3 ########################################################################
3 ########################################################################
4 # rpi2-gen-image.sh ver2a 12/2015
4 # rpi2-gen-image.sh ver2a 12/2015
5 #
5 #
6 # Advanced debian "jessie" bootstrap script for RPi2
6 # Advanced debian "jessie" bootstrap script for RPi2
7 #
7 #
8 # This program is free software; you can redistribute it and/or
8 # This program is free software; you can redistribute it and/or
9 # modify it under the terms of the GNU General Public License
9 # modify it under the terms of the GNU General Public License
10 # as published by the Free Software Foundation; either version 2
10 # as published by the Free Software Foundation; either version 2
11 # of the License, or (at your option) any later version.
11 # of the License, or (at your option) any later version.
12 #
12 #
13 # some parts based on rpi2-build-image:
13 # some parts based on rpi2-build-image:
14 # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
14 # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
15 # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
15 # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
16 ########################################################################
16 ########################################################################
17
17
18 # Clean up all temporary mount points
18 # Clean up all temporary mount points
19 cleanup (){
19 cleanup (){
20 set +x
20 set +x
21 set +e
21 set +e
22 echo "removing temporary mount points ..."
22 echo "removing temporary mount points ..."
23 umount -l $R/proc 2> /dev/null
23 umount -l $R/proc 2> /dev/null
24 umount -l $R/sys 2> /dev/null
24 umount -l $R/sys 2> /dev/null
25 umount -l $R/dev/pts 2> /dev/null
25 umount -l $R/dev/pts 2> /dev/null
26 umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
26 umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
27 umount "$BUILDDIR/mount" 2> /dev/null
27 umount "$BUILDDIR/mount" 2> /dev/null
28 losetup -d "$EXT4_LOOP" 2> /dev/null
28 losetup -d "$EXT4_LOOP" 2> /dev/null
29 losetup -d "$VFAT_LOOP" 2> /dev/null
29 losetup -d "$VFAT_LOOP" 2> /dev/null
30 trap - 0 1 2 3 6
30 trap - 0 1 2 3 6
31 }
31 }
32
32
33 set -e
33 set -e
34 set -x
34 set -x
35
35
36 # Debian release
36 # Debian release
37 RELEASE=${RELEASE:=jessie}
37 RELEASE=${RELEASE:=jessie}
38
38
39 # Build settings
39 # Build settings
40 BASEDIR=./images/${RELEASE}
40 BASEDIR=./images/${RELEASE}
41 BUILDDIR=${BASEDIR}/build
41 BUILDDIR=${BASEDIR}/build
42
42
43 # General settings
43 # General settings
44 HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
44 HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
45 PASSWORD=${PASSWORD:=raspberry}
45 PASSWORD=${PASSWORD:=raspberry}
46 DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
46 DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
47 TIMEZONE=${TIMEZONE:="Europe/Berlin"}
47 TIMEZONE=${TIMEZONE:="Europe/Berlin"}
48 XKBMODEL=${XKBMODEL:=""}
48 XKBMODEL=${XKBMODEL:=""}
49 XKBLAYOUT=${XKBLAYOUT:=""}
49 XKBLAYOUT=${XKBLAYOUT:=""}
50 XKBVARIANT=${XKBVARIANT:=""}
50 XKBVARIANT=${XKBVARIANT:=""}
51 XKBOPTIONS=${XKBOPTIONS:=""}
51 XKBOPTIONS=${XKBOPTIONS:=""}
52
52
53 # Network settings
54 ENABLE_DHCP=${ENABLE_DHCP:=true}
55 # NET_* settings are ignored when ENABLE_DHCP=true
56 # NET_ADDRESS is an IPv4 or IPv6 address and its prefix, separated by "/"
57 NET_ADDRESS=${NET_ADDRESS:=""}
58 NET_GATEWAY=${NET_GATEWAY:=""}
59 NET_DNS_1=${NET_DNS_1:=""}
60 NET_DNS_2=${NET_DNS_2:=""}
61 NET_DNS_DOMAINS=${NET_DNS_DOMAINS:=""}
62 NET_NTP_1=${NET_NTP_1:=""}
63 NET_NTP_2=${NET_NTP_2:=""}
64
53 # APT settings
65 # APT settings
54 APT_PROXY=${APT_PROXY:=""}
66 APT_PROXY=${APT_PROXY:=""}
55 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
67 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
56
68
57 # Feature settings
69 # Feature settings
58 ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
70 ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
59 ENABLE_IPV6=${ENABLE_IPV6:=true}
71 ENABLE_IPV6=${ENABLE_IPV6:=true}
60 ENABLE_SSHD=${ENABLE_SSHD:=true}
72 ENABLE_SSHD=${ENABLE_SSHD:=true}
61 ENABLE_SOUND=${ENABLE_SOUND:=true}
73 ENABLE_SOUND=${ENABLE_SOUND:=true}
62 ENABLE_DBUS=${ENABLE_DBUS:=true}
74 ENABLE_DBUS=${ENABLE_DBUS:=true}
63 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
75 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
64 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
76 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
65 ENABLE_XORG=${ENABLE_XORG:=false}
77 ENABLE_XORG=${ENABLE_XORG:=false}
66 ENABLE_WM=${ENABLE_WM:=""}
78 ENABLE_WM=${ENABLE_WM:=""}
67
79
68 # Advanced settings
80 # Advanced settings
69 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
81 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
70 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
82 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
71 ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
83 ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
72 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
84 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
73 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
85 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
74
86
75 # Image chroot path
87 # Image chroot path
76 R=${BUILDDIR}/chroot
88 R=${BUILDDIR}/chroot
77
89
78 # Packages required for bootstrapping
90 # Packages required for bootstrapping
79 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git-core"
91 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git-core"
80
92
81 # Missing packages that need to be installed
93 # Missing packages that need to be installed
82 MISSING_PACKAGES=""
94 MISSING_PACKAGES=""
83
95
84 # Packages required in the chroot build environment
96 # Packages required in the chroot build environment
85 APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo"
97 APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo"
86
98
87 set +x
99 set +x
88
100
89 # Are we running as root?
101 # Are we running as root?
90 if [ "$(id -u)" -ne "0" ] ; then
102 if [ "$(id -u)" -ne "0" ] ; then
91 echo "this script must be executed with root privileges"
103 echo "this script must be executed with root privileges"
92 exit 1
104 exit 1
93 fi
105 fi
94
106
95 # Check if all required packages are installed
107 # Check if all required packages are installed
96 for package in $REQUIRED_PACKAGES ; do
108 for package in $REQUIRED_PACKAGES ; do
97 if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
109 if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
98 MISSING_PACKAGES="$MISSING_PACKAGES $package"
110 MISSING_PACKAGES="$MISSING_PACKAGES $package"
99 fi
111 fi
100 done
112 done
101
113
102 # Ask if missing packages should get installed right now
114 # Ask if missing packages should get installed right now
103 if [ -n "$MISSING_PACKAGES" ] ; then
115 if [ -n "$MISSING_PACKAGES" ] ; then
104 echo "the following packages needed by this script are not installed:"
116 echo "the following packages needed by this script are not installed:"
105 echo "$MISSING_PACKAGES"
117 echo "$MISSING_PACKAGES"
106
118
107 echo -n "\ndo you want to install the missing packages right now? [y/n] "
119 echo -n "\ndo you want to install the missing packages right now? [y/n] "
108 read confirm
120 read confirm
109 if [ "$confirm" != "y" ] ; then
121 if [ "$confirm" != "y" ] ; then
110 exit 1
122 exit 1
111 fi
123 fi
112 fi
124 fi
113
125
114 # Make sure all required packages are installed
126 # Make sure all required packages are installed
115 apt-get -qq -y install ${REQUIRED_PACKAGES}
127 apt-get -qq -y install ${REQUIRED_PACKAGES}
116
128
117 # Don't clobber an old build
129 # Don't clobber an old build
118 if [ -e "$BUILDDIR" ]; then
130 if [ -e "$BUILDDIR" ]; then
119 echo "directory $BUILDDIR already exists, not proceeding"
131 echo "directory $BUILDDIR already exists, not proceeding"
120 exit 1
132 exit 1
121 fi
133 fi
122
134
123 set -x
135 set -x
124
136
125 # Call "cleanup" function on various signals and errors
137 # Call "cleanup" function on various signals and errors
126 trap cleanup 0 1 2 3 6
138 trap cleanup 0 1 2 3 6
127
139
128 # Set up chroot directory
140 # Set up chroot directory
129 mkdir -p $R
141 mkdir -p $R
130
142
131 # Add required packages for the minbase installation
143 # Add required packages for the minbase installation
132 if [ "$ENABLE_MINBASE" = true ] ; then
144 if [ "$ENABLE_MINBASE" = true ] ; then
133 APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools"
145 APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools"
134 else
146 else
135 APT_INCLUDES="${APT_INCLUDES},locales,keyboard-configuration,console-setup"
147 APT_INCLUDES="${APT_INCLUDES},locales,keyboard-configuration,console-setup"
136 fi
148 fi
137
149
138 # Add dbus package, recommended if using systemd
150 # Add dbus package, recommended if using systemd
139 if [ "$ENABLE_DBUS" = true ] ; then
151 if [ "$ENABLE_DBUS" = true ] ; then
140 APT_INCLUDES="${APT_INCLUDES},dbus"
152 APT_INCLUDES="${APT_INCLUDES},dbus"
141 fi
153 fi
142
154
143 # Add iptables IPv4/IPv6 package
155 # Add iptables IPv4/IPv6 package
144 if [ "$ENABLE_IPTABLES" = true ] ; then
156 if [ "$ENABLE_IPTABLES" = true ] ; then
145 APT_INCLUDES="${APT_INCLUDES},iptables"
157 APT_INCLUDES="${APT_INCLUDES},iptables"
146 fi
158 fi
147
159
148 # Add openssh server package
160 # Add openssh server package
149 if [ "$ENABLE_SSHD" = true ] ; then
161 if [ "$ENABLE_SSHD" = true ] ; then
150 APT_INCLUDES="${APT_INCLUDES},openssh-server"
162 APT_INCLUDES="${APT_INCLUDES},openssh-server"
151 fi
163 fi
152
164
153 # Add alsa-utils package
165 # Add alsa-utils package
154 if [ "$ENABLE_SOUND" = true ] ; then
166 if [ "$ENABLE_SOUND" = true ] ; then
155 APT_INCLUDES="${APT_INCLUDES},alsa-utils"
167 APT_INCLUDES="${APT_INCLUDES},alsa-utils"
156 fi
168 fi
157
169
158 # Add rng-tools package
170 # Add rng-tools package
159 if [ "$ENABLE_HWRANDOM" = true ] ; then
171 if [ "$ENABLE_HWRANDOM" = true ] ; then
160 APT_INCLUDES="${APT_INCLUDES},rng-tools"
172 APT_INCLUDES="${APT_INCLUDES},rng-tools"
161 fi
173 fi
162
174
163 # Add fbturbo video driver
175 # Add fbturbo video driver
164 if [ "$ENABLE_FBTURBO" = true ] ; then
176 if [ "$ENABLE_FBTURBO" = true ] ; then
165 # Enable xorg package dependencies
177 # Enable xorg package dependencies
166 ENABLE_XORG=true
178 ENABLE_XORG=true
167 fi
179 fi
168
180
169 # Add user defined window manager package
181 # Add user defined window manager package
170 if [ -n "$ENABLE_WM" ] ; then
182 if [ -n "$ENABLE_WM" ] ; then
171 APT_INCLUDES="${APT_INCLUDES},${ENABLE_WM}"
183 APT_INCLUDES="${APT_INCLUDES},${ENABLE_WM}"
172
184
173 # Enable xorg package dependencies
185 # Enable xorg package dependencies
174 ENABLE_XORG=true
186 ENABLE_XORG=true
175 fi
187 fi
176
188
177 # Add xorg package
189 # Add xorg package
178 if [ "$ENABLE_XORG" = true ] ; then
190 if [ "$ENABLE_XORG" = true ] ; then
179 APT_INCLUDES="${APT_INCLUDES},xorg"
191 APT_INCLUDES="${APT_INCLUDES},xorg"
180 fi
192 fi
181
193
182 # Base debootstrap (unpack only)
194 # Base debootstrap (unpack only)
183 if [ "$ENABLE_MINBASE" = true ] ; then
195 if [ "$ENABLE_MINBASE" = true ] ; then
184 http_proxy=${APT_PROXY} debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
196 http_proxy=${APT_PROXY} debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
185 else
197 else
186 http_proxy=${APT_PROXY} debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
198 http_proxy=${APT_PROXY} debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
187 fi
199 fi
188
200
189 # Copy qemu emulator binary to chroot
201 # Copy qemu emulator binary to chroot
190 cp /usr/bin/qemu-arm-static $R/usr/bin
202 cp /usr/bin/qemu-arm-static $R/usr/bin
191
203
192 # Copy debian-archive-keyring.pgp
204 # Copy debian-archive-keyring.pgp
193 chroot $R mkdir -p /usr/share/keyrings
205 chroot $R mkdir -p /usr/share/keyrings
194 cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
206 cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
195
207
196 # Complete the bootstrapping process
208 # Complete the bootstrapping process
197 chroot $R /debootstrap/debootstrap --second-stage
209 chroot $R /debootstrap/debootstrap --second-stage
198
210
199 # Mount required filesystems
211 # Mount required filesystems
200 mount -t proc none $R/proc
212 mount -t proc none $R/proc
201 mount -t sysfs none $R/sys
213 mount -t sysfs none $R/sys
202 mount --bind /dev/pts $R/dev/pts
214 mount --bind /dev/pts $R/dev/pts
203
215
204 # Use proxy inside chroot
216 # Use proxy inside chroot
205 if [ -z "$APT_PROXY" ] ; then
217 if [ -z "$APT_PROXY" ] ; then
206 echo "Acquire::http::Proxy \"$APT_PROXY\";" >> $R/etc/apt/apt.conf.d/10proxy
218 echo "Acquire::http::Proxy \"$APT_PROXY\";" >> $R/etc/apt/apt.conf.d/10proxy
207 fi
219 fi
208
220
209 # Pin package flash-kernel to repositories.collabora.co.uk
221 # Pin package flash-kernel to repositories.collabora.co.uk
210 cat <<EOM >$R/etc/apt/preferences.d/flash-kernel
222 cat <<EOM >$R/etc/apt/preferences.d/flash-kernel
211 Package: flash-kernel
223 Package: flash-kernel
212 Pin: origin repositories.collabora.co.uk
224 Pin: origin repositories.collabora.co.uk
213 Pin-Priority: 1000
225 Pin-Priority: 1000
214 EOM
226 EOM
215
227
216 # Set up timezone
228 # Set up timezone
217 echo ${TIMEZONE} >$R/etc/timezone
229 echo ${TIMEZONE} >$R/etc/timezone
218 LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata
230 LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata
219
231
220 # Upgrade collabora package index and install collabora keyring
232 # Upgrade collabora package index and install collabora keyring
221 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
233 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
222 LANG=C chroot $R apt-get -qq -y update
234 LANG=C chroot $R apt-get -qq -y update
223 LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring
235 LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring
224
236
225 # Set up initial sources.list
237 # Set up initial sources.list
226 cat <<EOM >$R/etc/apt/sources.list
238 cat <<EOM >$R/etc/apt/sources.list
227 deb http://${APT_SERVER}/debian ${RELEASE} main contrib
239 deb http://${APT_SERVER}/debian ${RELEASE} main contrib
228 #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib
240 #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib
229
241
230 deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
242 deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
231 #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
243 #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
232
244
233 deb http://security.debian.org/ ${RELEASE}/updates main contrib
245 deb http://security.debian.org/ ${RELEASE}/updates main contrib
234 #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib
246 #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib
235
247
236 deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
248 deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
237 EOM
249 EOM
238
250
239 # Upgrade package index and update all installed packages and changed dependencies
251 # Upgrade package index and update all installed packages and changed dependencies
240 LANG=C chroot $R apt-get -qq -y update
252 LANG=C chroot $R apt-get -qq -y update
241 LANG=C chroot $R apt-get -qq -y -u dist-upgrade
253 LANG=C chroot $R apt-get -qq -y -u dist-upgrade
242
254
243 # Set up default locale and keyboard configuration
255 # Set up default locale and keyboard configuration
244 if [ "$ENABLE_MINBASE" = false ] ; then
256 if [ "$ENABLE_MINBASE" = false ] ; then
245 # Set locale choice in debconf db, even though dpkg-reconfigure ignores and overwrites them due to some bug
257 # Set locale choice in debconf db, even though dpkg-reconfigure ignores and overwrites them due to some bug
246 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684134 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685957
258 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684134 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685957
247 # ... so we have to set locales manually
259 # ... so we have to set locales manually
248 if [ "$DEFLOCAL" = "en_US.UTF-8" ] ; then
260 if [ "$DEFLOCAL" = "en_US.UTF-8" ] ; then
249 LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections
261 LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections
250 else
262 else
251 # en_US.UTF-8 should be available anyway : https://www.debian.org/doc/manuals/debian-reference/ch08.en.html#_the_reconfiguration_of_the_locale
263 # en_US.UTF-8 should be available anyway : https://www.debian.org/doc/manuals/debian-reference/ch08.en.html#_the_reconfiguration_of_the_locale
252 LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections
264 LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections
253 LANG=C chroot $R sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen
265 LANG=C chroot $R sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen
254 fi
266 fi
255 LANG=C chroot $R sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen
267 LANG=C chroot $R sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen
256 LANG=C chroot $R echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections
268 LANG=C chroot $R echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections
257 LANG=C chroot $R locale-gen
269 LANG=C chroot $R locale-gen
258 LANG=C chroot $R update-locale LANG=${DEFLOCAL}
270 LANG=C chroot $R update-locale LANG=${DEFLOCAL}
259
271
260 # Keyboard configuration, if requested
272 # Keyboard configuration, if requested
261 if [ "$XKBMODEL" != "" ] ; then
273 if [ "$XKBMODEL" != "" ] ; then
262 LANG=C chroot $R sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKBMODEL}\"/" /etc/default/keyboard
274 LANG=C chroot $R sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKBMODEL}\"/" /etc/default/keyboard
263 fi
275 fi
264 if [ "$XKBLAYOUT" != "" ] ; then
276 if [ "$XKBLAYOUT" != "" ] ; then
265 LANG=C chroot $R sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKBLAYOUT}\"/" /etc/default/keyboard
277 LANG=C chroot $R sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKBLAYOUT}\"/" /etc/default/keyboard
266 fi
278 fi
267 if [ "$XKBVARIANT" != "" ] ; then
279 if [ "$XKBVARIANT" != "" ] ; then
268 LANG=C chroot $R sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKBVARIANT}\"/" /etc/default/keyboard
280 LANG=C chroot $R sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKBVARIANT}\"/" /etc/default/keyboard
269 fi
281 fi
270 if [ "$XKBOPTIONS" != "" ] ; then
282 if [ "$XKBOPTIONS" != "" ] ; then
271 LANG=C chroot $R sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKBOPTIONS}\"/" /etc/default/keyboard
283 LANG=C chroot $R sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKBOPTIONS}\"/" /etc/default/keyboard
272 fi
284 fi
273 LANG=C chroot $R dpkg-reconfigure -f noninteractive keyboard-configuration
285 LANG=C chroot $R dpkg-reconfigure -f noninteractive keyboard-configuration
274 # Set up font console
286 # Set up font console
275 case "${DEFLOCAL}" in
287 case "${DEFLOCAL}" in
276 *UTF-8)
288 *UTF-8)
277 LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' /etc/default/console-setup
289 LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' /etc/default/console-setup
278 ;;
290 ;;
279 *)
291 *)
280 LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="guess"/' /etc/default/console-setup
292 LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="guess"/' /etc/default/console-setup
281 ;;
293 ;;
282 esac
294 esac
283 LANG=C chroot $R dpkg-reconfigure -f noninteractive console-setup
295 LANG=C chroot $R dpkg-reconfigure -f noninteractive console-setup
284 fi
296 fi
285
297
286 # Kernel installation
298 # Kernel installation
287 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
299 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
288 LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2
300 LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2
289 LANG=C chroot $R apt-get -qq -y install flash-kernel
301 LANG=C chroot $R apt-get -qq -y install flash-kernel
290
302
291 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
303 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
292 [ -z "$VMLINUZ" ] && exit 1
304 [ -z "$VMLINUZ" ] && exit 1
293 mkdir -p $R/boot/firmware
305 mkdir -p $R/boot/firmware
294
306
295 # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")
307 # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")
296 wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin
308 wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin
297 wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat
309 wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat
298 wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat
310 wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat
299 wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat
311 wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat
300 wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf
312 wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf
301 wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf
313 wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf
302 wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf
314 wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf
303 cp $VMLINUZ $R/boot/firmware/kernel7.img
315 cp $VMLINUZ $R/boot/firmware/kernel7.img
304
316
305 # Set up IPv4 hosts
317 # Set up IPv4 hosts
306 echo ${HOSTNAME} >$R/etc/hostname
318 echo ${HOSTNAME} >$R/etc/hostname
307 cat <<EOM >$R/etc/hosts
319 cat <<EOM >$R/etc/hosts
308 127.0.0.1 localhost
320 127.0.0.1 localhost
309 127.0.1.1 ${HOSTNAME}
321 127.0.1.1 ${HOSTNAME}
310 EOM
322 EOM
323 if [ "$NET_ADDRESS" != "" ] ; then
324 NET_IP=$(echo ${NET_ADDRESS} | cut -f 1 -d'/')
325 sed -i "s/^127.0.1.1/${NET_IP}/" $R/etc/hosts
326 fi
311
327
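Review bot: the /etc/hosts rewrite at new lines 323-326 runs whenever NET_ADDRESS is non-empty, independent of ENABLE_DHCP, so an image built with DHCP enabled but NET_ADDRESS set ends up with its hostname mapped to an address the interface never receives; guard this block with the same `ENABLE_DHCP=false` condition the networkd static branch uses. The extraction `NET_IP=$(echo ${NET_ADDRESS} | cut -f 1 -d'/')` also does no validation: a malformed value that yields an empty NET_IP turns the command into `sed -i "s/^127.0.1.1//"`, which strips the address and leaves a bare hostname line in /etc/hosts. Quote the variable (`"$NET_ADDRESS"`, matching the rest of the script) and skip or abort when NET_IP is empty, e.g. `[ -n "$NET_IP" ] || exit 1`.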
312 # Set up IPv6 hosts
328 # Set up IPv6 hosts
313 if [ "$ENABLE_IPV6" = true ] ; then
329 if [ "$ENABLE_IPV6" = true ] ; then
314 cat <<EOM >>$R/etc/hosts
330 cat <<EOM >>$R/etc/hosts
315
331
316 ::1 localhost ip6-localhost ip6-loopback
332 ::1 localhost ip6-localhost ip6-loopback
317 ff02::1 ip6-allnodes
333 ff02::1 ip6-allnodes
318 ff02::2 ip6-allrouters
334 ff02::2 ip6-allrouters
319 EOM
335 EOM
320 fi
336 fi
321
337
322 # Place hint about network configuration
338 # Place hint about network configuration
323 cat <<EOM >$R/etc/network/interfaces
339 cat <<EOM >$R/etc/network/interfaces
324 # Debian switched to systemd-networkd configuration files.
340 # Debian switched to systemd-networkd configuration files.
325 # please configure your networks in '/etc/systemd/network/'
341 # please configure your networks in '/etc/systemd/network/'
326 EOM
342 EOM
327
343
344 if [ "$ENABLE_DHCP" = true ] ; then
328 # Enable systemd-networkd DHCP configuration for interface eth0
345 # Enable systemd-networkd DHCP configuration for interface eth0
329 cat <<EOM >$R/etc/systemd/network/eth.network
346 cat <<EOM >$R/etc/systemd/network/eth.network
330 [Match]
347 [Match]
331 Name=eth0
348 Name=eth0
332
349
333 [Network]
350 [Network]
334 DHCP=yes
351 DHCP=yes
335 EOM
352 EOM
336
353
337 # Set DHCP configuration to IPv4 only
354 # Set DHCP configuration to IPv4 only
338 if [ "$ENABLE_IPV6" = false ] ; then
355 if [ "$ENABLE_IPV6" = false ] ; then
339 sed -i "s/=yes/=v4/" $R/etc/systemd/network/eth.network
356 sed -i "s/^DHCP=yes/DHCP=v4/" $R/etc/systemd/network/eth.network
357 fi
358 else # ENABLE_DHCP=false
359 cat <<EOM >$R/etc/systemd/network/eth.network
360 [Match]
361 Name=eth0
362
363 [Network]
364 DHCP=no
365 Address=${NET_ADDRESS}
366 Gateway=${NET_GATEWAY}
367 DNS=${NET_DNS_1}
368 DNS=${NET_DNS_2}
369 Domains=${NET_DNS_DOMAINS}
370 NTP=${NET_NTP_1}
371 NTP=${NET_NTP_2}
372 EOM
340 fi
373 fi
341
374
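Review bot: the static branch at new lines 359-372 writes `Address=${NET_ADDRESS}`, `Gateway=${NET_GATEWAY}`, `DNS=`, `Domains=` and `NTP=` lines unconditionally, so with ENABLE_DHCP=false and NET_ADDRESS or NET_GATEWAY unset the unit contains `Address=` with no value and eth0 comes up without a usable configuration and without DHCP as a fallback. Fail early when ENABLE_DHCP=false and NET_ADDRESS or NET_GATEWAY is empty, and emit the DNS=/NTP=/Domains= lines only when their variables are set so the unit does not carry empty keys (the second DNS and NTP entries are optional for most deployments). The change from `s/=yes/=v4/` to `s/^DHCP=yes/DHCP=v4/` at new line 356 is correct: the old pattern would have rewritten any `=yes` in the file, not just the DHCP key.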
342 # Enable systemd-networkd service
375 # Enable systemd-networkd service
343 LANG=C chroot $R systemctl enable systemd-networkd
376 LANG=C chroot $R systemctl enable systemd-networkd
344
377
345 # Generate crypt(3) password string
378 # Generate crypt(3) password string
346 ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
379 ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
347
380
348 # Set up default user
381 # Set up default user
349 LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi
382 LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi
350 LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
383 LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
351
384
352 # Set up root password
385 # Set up root password
353 LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root
386 LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root
354
387
355 # Set up firmware boot cmdline
388 # Set up firmware boot cmdline
356 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
389 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
357
390
358 # Set up serial console support (if requested)
391 # Set up serial console support (if requested)
359 if [ "$ENABLE_CONSOLE" = true ] ; then
392 if [ "$ENABLE_CONSOLE" = true ] ; then
360 CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
393 CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
361 fi
394 fi
362
395
363 # Set up IPv6 networking support
396 # Set up IPv6 networking support
364 if [ "$ENABLE_IPV6" = false ] ; then
397 if [ "$ENABLE_IPV6" = false ] ; then
365 CMDLINE="${CMDLINE} ipv6.disable=1"
398 CMDLINE="${CMDLINE} ipv6.disable=1"
366 fi
399 fi
367
400
368 echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
401 echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
369
402
370 # Set up firmware config
403 # Set up firmware config
371 cat <<EOM >$R/boot/firmware/config.txt
404 cat <<EOM >$R/boot/firmware/config.txt
372 # For more options and information see
405 # For more options and information see
373 # http://www.raspberrypi.org/documentation/configuration/config-txt.md
406 # http://www.raspberrypi.org/documentation/configuration/config-txt.md
374 # Some settings may impact device functionality. See link above for details
407 # Some settings may impact device functionality. See link above for details
375
408
376 # uncomment if you get no picture on HDMI for a default "safe" mode
409 # uncomment if you get no picture on HDMI for a default "safe" mode
377 #hdmi_safe=1
410 #hdmi_safe=1
378
411
379 # uncomment this if your display has a black border of unused pixels visible
412 # uncomment this if your display has a black border of unused pixels visible
380 # and your display can output without overscan
413 # and your display can output without overscan
381 #disable_overscan=1
414 #disable_overscan=1
382
415
383 # uncomment the following to adjust overscan. Use positive numbers if console
416 # uncomment the following to adjust overscan. Use positive numbers if console
384 # goes off screen, and negative if there is too much border
417 # goes off screen, and negative if there is too much border
385 #overscan_left=16
418 #overscan_left=16
386 #overscan_right=16
419 #overscan_right=16
387 #overscan_top=16
420 #overscan_top=16
388 #overscan_bottom=16
421 #overscan_bottom=16
389
422
390 # uncomment to force a console size. By default it will be display's size minus
423 # uncomment to force a console size. By default it will be display's size minus
391 # overscan.
424 # overscan.
392 #framebuffer_width=1280
425 #framebuffer_width=1280
393 #framebuffer_height=720
426 #framebuffer_height=720
394
427
395 # uncomment if hdmi display is not detected and composite is being output
428 # uncomment if hdmi display is not detected and composite is being output
396 #hdmi_force_hotplug=1
429 #hdmi_force_hotplug=1
397
430
398 # uncomment to force a specific HDMI mode (this will force VGA)
431 # uncomment to force a specific HDMI mode (this will force VGA)
399 #hdmi_group=1
432 #hdmi_group=1
400 #hdmi_mode=1
433 #hdmi_mode=1
401
434
402 # uncomment to force a HDMI mode rather than DVI. This can make audio work in
435 # uncomment to force a HDMI mode rather than DVI. This can make audio work in
403 # DMT (computer monitor) modes
436 # DMT (computer monitor) modes
404 #hdmi_drive=2
437 #hdmi_drive=2
405
438
406 # uncomment to increase signal to HDMI, if you have interference, blanking, or
439 # uncomment to increase signal to HDMI, if you have interference, blanking, or
407 # no display
440 # no display
408 #config_hdmi_boost=4
441 #config_hdmi_boost=4
409
442
410 # uncomment for composite PAL
443 # uncomment for composite PAL
411 #sdtv_mode=2
444 #sdtv_mode=2
412
445
413 # uncomment to overclock the arm. 700 MHz is the default.
446 # uncomment to overclock the arm. 700 MHz is the default.
414 #arm_freq=800
447 #arm_freq=800
415 EOM
448 EOM
416
449
417 # Load snd_bcm2835 kernel module at boot time
450 # Load snd_bcm2835 kernel module at boot time
418 if [ "$ENABLE_SOUND" = true ] ; then
451 if [ "$ENABLE_SOUND" = true ] ; then
419 echo "snd_bcm2835" >>$R/etc/modules
452 echo "snd_bcm2835" >>$R/etc/modules
420 fi
453 fi
421
454
422 # Set smallest possible GPU memory allocation size: 16MB (no X)
455 # Set smallest possible GPU memory allocation size: 16MB (no X)
423 if [ "$ENABLE_MINGPU" = true ] ; then
456 if [ "$ENABLE_MINGPU" = true ] ; then
424 echo "gpu_mem=16" >>$R/boot/firmware/config.txt
457 echo "gpu_mem=16" >>$R/boot/firmware/config.txt
425 fi
458 fi
426
459
427 # Create symlinks
460 # Create symlinks
428 ln -sf firmware/config.txt $R/boot/config.txt
461 ln -sf firmware/config.txt $R/boot/config.txt
429 ln -sf firmware/cmdline.txt $R/boot/cmdline.txt
462 ln -sf firmware/cmdline.txt $R/boot/cmdline.txt
430
463
431 # Prepare modules-load.d directory
464 # Prepare modules-load.d directory
432 mkdir -p $R/lib/modules-load.d/
465 mkdir -p $R/lib/modules-load.d/
433
466
434 # Load random module on boot
467 # Load random module on boot
435 if [ "$ENABLE_HWRANDOM" = true ] ; then
468 if [ "$ENABLE_HWRANDOM" = true ] ; then
436 cat <<EOM >$R/lib/modules-load.d/rpi2.conf
469 cat <<EOM >$R/lib/modules-load.d/rpi2.conf
437 bcm2708_rng
470 bcm2708_rng
438 EOM
471 EOM
439 fi
472 fi
440
473
441 # Prepare modprobe.d directory
474 # Prepare modprobe.d directory
442 mkdir -p $R/etc/modprobe.d/
475 mkdir -p $R/etc/modprobe.d/
443
476
444 # Blacklist sound modules
477 # Blacklist sound modules
445 cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf
478 cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf
446 blacklist snd_soc_core
479 blacklist snd_soc_core
447 blacklist snd_pcm
480 blacklist snd_pcm
448 blacklist snd_pcm_dmaengine
481 blacklist snd_pcm_dmaengine
449 blacklist snd_timer
482 blacklist snd_timer
450 blacklist snd_compress
483 blacklist snd_compress
451 blacklist snd_soc_pcm512x_i2c
484 blacklist snd_soc_pcm512x_i2c
452 blacklist snd_soc_pcm512x
485 blacklist snd_soc_pcm512x
453 blacklist snd_soc_tas5713
486 blacklist snd_soc_tas5713
454 blacklist snd_soc_wm8804
487 blacklist snd_soc_wm8804
455 EOM
488 EOM
456
489
457 # Create default fstab
490 # Create default fstab
458 cat <<EOM >$R/etc/fstab
491 cat <<EOM >$R/etc/fstab
459 /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
492 /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
460 /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
493 /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
461 EOM
494 EOM
462
495
463 # Avoid swapping and increase cache sizes
496 # Avoid swapping and increase cache sizes
464 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
497 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
465
498
466 # Avoid swapping and increase cache sizes
499 # Avoid swapping and increase cache sizes
467 vm.swappiness=1
500 vm.swappiness=1
468 vm.dirty_background_ratio=20
501 vm.dirty_background_ratio=20
469 vm.dirty_ratio=40
502 vm.dirty_ratio=40
470 vm.dirty_writeback_centisecs=500
503 vm.dirty_writeback_centisecs=500
471 vm.dirty_expire_centisecs=6000
504 vm.dirty_expire_centisecs=6000
472 EOM
505 EOM
473
506
474 # Enable network stack hardening
507 # Enable network stack hardening
475 if [ "$ENABLE_HARDNET" = true ] ; then
508 if [ "$ENABLE_HARDNET" = true ] ; then
476 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
509 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
477
510
478 # Enable network stack hardening
511 # Enable network stack hardening
479 net.ipv4.tcp_timestamps=0
512 net.ipv4.tcp_timestamps=0
480 net.ipv4.tcp_syncookies=1
513 net.ipv4.tcp_syncookies=1
481 net.ipv4.conf.all.rp_filter=1
514 net.ipv4.conf.all.rp_filter=1
482 net.ipv4.conf.all.accept_redirects=0
515 net.ipv4.conf.all.accept_redirects=0
483 net.ipv4.conf.all.send_redirects=0
516 net.ipv4.conf.all.send_redirects=0
484 net.ipv4.conf.all.accept_source_route=0
517 net.ipv4.conf.all.accept_source_route=0
485 net.ipv4.conf.default.rp_filter=1
518 net.ipv4.conf.default.rp_filter=1
486 net.ipv4.conf.default.accept_redirects=0
519 net.ipv4.conf.default.accept_redirects=0
487 net.ipv4.conf.default.send_redirects=0
520 net.ipv4.conf.default.send_redirects=0
488 net.ipv4.conf.default.accept_source_route=0
521 net.ipv4.conf.default.accept_source_route=0
489 net.ipv4.conf.lo.accept_redirects=0
522 net.ipv4.conf.lo.accept_redirects=0
490 net.ipv4.conf.lo.send_redirects=0
523 net.ipv4.conf.lo.send_redirects=0
491 net.ipv4.conf.lo.accept_source_route=0
524 net.ipv4.conf.lo.accept_source_route=0
492 net.ipv4.conf.eth0.accept_redirects=0
525 net.ipv4.conf.eth0.accept_redirects=0
493 net.ipv4.conf.eth0.send_redirects=0
526 net.ipv4.conf.eth0.send_redirects=0
494 net.ipv4.conf.eth0.accept_source_route=0
527 net.ipv4.conf.eth0.accept_source_route=0
495 net.ipv4.icmp_echo_ignore_broadcasts=1
528 net.ipv4.icmp_echo_ignore_broadcasts=1
496 net.ipv4.icmp_ignore_bogus_error_responses=1
529 net.ipv4.icmp_ignore_bogus_error_responses=1
497
530
498 net.ipv6.conf.all.accept_redirects=0
531 net.ipv6.conf.all.accept_redirects=0
499 net.ipv6.conf.all.accept_source_route=0
532 net.ipv6.conf.all.accept_source_route=0
500 net.ipv6.conf.all.router_solicitations=0
533 net.ipv6.conf.all.router_solicitations=0
501 net.ipv6.conf.all.accept_ra_rtr_pref=0
534 net.ipv6.conf.all.accept_ra_rtr_pref=0
502 net.ipv6.conf.all.accept_ra_pinfo=0
535 net.ipv6.conf.all.accept_ra_pinfo=0
503 net.ipv6.conf.all.accept_ra_defrtr=0
536 net.ipv6.conf.all.accept_ra_defrtr=0
504 net.ipv6.conf.all.autoconf=0
537 net.ipv6.conf.all.autoconf=0
505 net.ipv6.conf.all.dad_transmits=0
538 net.ipv6.conf.all.dad_transmits=0
506 net.ipv6.conf.all.max_addresses=1
539 net.ipv6.conf.all.max_addresses=1
507
540
508 net.ipv6.conf.default.accept_redirects=0
541 net.ipv6.conf.default.accept_redirects=0
509 net.ipv6.conf.default.accept_source_route=0
542 net.ipv6.conf.default.accept_source_route=0
510 net.ipv6.conf.default.router_solicitations=0
543 net.ipv6.conf.default.router_solicitations=0
511 net.ipv6.conf.default.accept_ra_rtr_pref=0
544 net.ipv6.conf.default.accept_ra_rtr_pref=0
512 net.ipv6.conf.default.accept_ra_pinfo=0
545 net.ipv6.conf.default.accept_ra_pinfo=0
513 net.ipv6.conf.default.accept_ra_defrtr=0
546 net.ipv6.conf.default.accept_ra_defrtr=0
514 net.ipv6.conf.default.autoconf=0
547 net.ipv6.conf.default.autoconf=0
515 net.ipv6.conf.default.dad_transmits=0
548 net.ipv6.conf.default.dad_transmits=0
516 net.ipv6.conf.default.max_addresses=1
549 net.ipv6.conf.default.max_addresses=1
517
550
518 net.ipv6.conf.lo.accept_redirects=0
551 net.ipv6.conf.lo.accept_redirects=0
519 net.ipv6.conf.lo.accept_source_route=0
552 net.ipv6.conf.lo.accept_source_route=0
520 net.ipv6.conf.lo.router_solicitations=0
553 net.ipv6.conf.lo.router_solicitations=0
521 net.ipv6.conf.lo.accept_ra_rtr_pref=0
554 net.ipv6.conf.lo.accept_ra_rtr_pref=0
522 net.ipv6.conf.lo.accept_ra_pinfo=0
555 net.ipv6.conf.lo.accept_ra_pinfo=0
523 net.ipv6.conf.lo.accept_ra_defrtr=0
556 net.ipv6.conf.lo.accept_ra_defrtr=0
524 net.ipv6.conf.lo.autoconf=0
557 net.ipv6.conf.lo.autoconf=0
525 net.ipv6.conf.lo.dad_transmits=0
558 net.ipv6.conf.lo.dad_transmits=0
526 net.ipv6.conf.lo.max_addresses=1
559 net.ipv6.conf.lo.max_addresses=1
527
560
528 net.ipv6.conf.eth0.accept_redirects=0
561 net.ipv6.conf.eth0.accept_redirects=0
529 net.ipv6.conf.eth0.accept_source_route=0
562 net.ipv6.conf.eth0.accept_source_route=0
530 net.ipv6.conf.eth0.router_solicitations=0
563 net.ipv6.conf.eth0.router_solicitations=0
531 net.ipv6.conf.eth0.accept_ra_rtr_pref=0
564 net.ipv6.conf.eth0.accept_ra_rtr_pref=0
532 net.ipv6.conf.eth0.accept_ra_pinfo=0
565 net.ipv6.conf.eth0.accept_ra_pinfo=0
533 net.ipv6.conf.eth0.accept_ra_defrtr=0
566 net.ipv6.conf.eth0.accept_ra_defrtr=0
534 net.ipv6.conf.eth0.autoconf=0
567 net.ipv6.conf.eth0.autoconf=0
535 net.ipv6.conf.eth0.dad_transmits=0
568 net.ipv6.conf.eth0.dad_transmits=0
536 net.ipv6.conf.eth0.max_addresses=1
569 net.ipv6.conf.eth0.max_addresses=1
537 EOM
570 EOM
538
571
539 # Enable resolver warnings about spoofed addresses
572 # Enable resolver warnings about spoofed addresses
540 cat <<EOM >>$R/etc/host.conf
573 cat <<EOM >>$R/etc/host.conf
541 spoof warn
574 spoof warn
542 EOM
575 EOM
543 fi
576 fi
544
577
545 # Regenerate openssh server host keys
578 # Regenerate openssh server host keys
546 if [ "$ENABLE_SSHD" = true ] ; then
579 if [ "$ENABLE_SSHD" = true ] ; then
547 rm -fr $R/etc/ssh/ssh_host_*
580 rm -fr $R/etc/ssh/ssh_host_*
548 LANG=C chroot $R dpkg-reconfigure openssh-server
581 LANG=C chroot $R dpkg-reconfigure openssh-server
549 fi
582 fi
550
583
551 # Enable serial console systemd style
584 # Enable serial console systemd style
552 if [ "$ENABLE_CONSOLE" = true ] ; then
585 if [ "$ENABLE_CONSOLE" = true ] ; then
553 LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service
586 LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service
554 fi
587 fi
555
588
556 # Enable firewall based on iptables started by systemd service
589 # Enable firewall based on iptables started by systemd service
557 if [ "$ENABLE_IPTABLES" = true ] ; then
590 if [ "$ENABLE_IPTABLES" = true ] ; then
558 # Create iptables configuration directory
591 # Create iptables configuration directory
559 mkdir -p "$R/etc/iptables"
592 mkdir -p "$R/etc/iptables"
560
593
561 # Create iptables systemd service
594 # Create iptables systemd service
562 cat <<EOM >$R/etc/systemd/system/iptables.service
595 cat <<EOM >$R/etc/systemd/system/iptables.service
563 [Unit]
596 [Unit]
564 Description=Packet Filtering Framework
597 Description=Packet Filtering Framework
565 DefaultDependencies=no
598 DefaultDependencies=no
566 After=systemd-sysctl.service
599 After=systemd-sysctl.service
567 Before=sysinit.target
600 Before=sysinit.target
568 [Service]
601 [Service]
569 Type=oneshot
602 Type=oneshot
570 ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
603 ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
571 ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
604 ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
572 ExecStop=/etc/iptables/flush-iptables.sh
605 ExecStop=/etc/iptables/flush-iptables.sh
573 RemainAfterExit=yes
606 RemainAfterExit=yes
574 [Install]
607 [Install]
575 WantedBy=multi-user.target
608 WantedBy=multi-user.target
576 EOM
609 EOM
577
610
578 # Create flush-table script called by iptables service
611 # Create flush-table script called by iptables service
579 cat <<EOM >$R/etc/iptables/flush-iptables.sh
612 cat <<EOM >$R/etc/iptables/flush-iptables.sh
580 #!/bin/sh
613 #!/bin/sh
581 iptables -F
614 iptables -F
582 iptables -X
615 iptables -X
583 iptables -t nat -F
616 iptables -t nat -F
584 iptables -t nat -X
617 iptables -t nat -X
585 iptables -t mangle -F
618 iptables -t mangle -F
586 iptables -t mangle -X
619 iptables -t mangle -X
587 iptables -P INPUT ACCEPT
620 iptables -P INPUT ACCEPT
588 iptables -P FORWARD ACCEPT
621 iptables -P FORWARD ACCEPT
589 iptables -P OUTPUT ACCEPT
622 iptables -P OUTPUT ACCEPT
590 EOM
623 EOM
591
624
592 # Create iptables rule file
625 # Create iptables rule file
593 cat <<EOM >$R/etc/iptables/iptables.rules
626 cat <<EOM >$R/etc/iptables/iptables.rules
594 *filter
627 *filter
595 :INPUT DROP [0:0]
628 :INPUT DROP [0:0]
596 :FORWARD DROP [0:0]
629 :FORWARD DROP [0:0]
597 :OUTPUT ACCEPT [0:0]
630 :OUTPUT ACCEPT [0:0]
598 :TCP - [0:0]
631 :TCP - [0:0]
599 :UDP - [0:0]
632 :UDP - [0:0]
600 :SSH - [0:0]
633 :SSH - [0:0]
601
634
602 # Rate limit ping requests
635 # Rate limit ping requests
603 -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
636 -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
604 -A INPUT -p icmp --icmp-type echo-request -j DROP
637 -A INPUT -p icmp --icmp-type echo-request -j DROP
605
638
606 # Accept established connections
639 # Accept established connections
607 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
640 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
608
641
609 # Accept all traffic on loopback interface
642 # Accept all traffic on loopback interface
610 -A INPUT -i lo -j ACCEPT
643 -A INPUT -i lo -j ACCEPT
611
644
612 # Drop packets declared invalid
645 # Drop packets declared invalid
613 -A INPUT -m conntrack --ctstate INVALID -j DROP
646 -A INPUT -m conntrack --ctstate INVALID -j DROP
614
647
615 # SSH rate limiting
648 # SSH rate limiting
616 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
649 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
617 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
650 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
618 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
651 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
619 -A SSH -m recent --name sshbf --set -j ACCEPT
652 -A SSH -m recent --name sshbf --set -j ACCEPT
620
653
621 # Send TCP and UDP connections to their respective rules chain
654 # Send TCP and UDP connections to their respective rules chain
622 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
655 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
623 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
656 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
624
657
625 # Reject dropped packets with a RFC compliant responce
658 # Reject dropped packets with a RFC compliant responce
626 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
659 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
627 -A INPUT -p tcp -j REJECT --reject-with tcp-rst
660 -A INPUT -p tcp -j REJECT --reject-with tcp-rst
628 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
661 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
629
662
630 ## TCP PORT RULES
663 ## TCP PORT RULES
631 # -A TCP -p tcp -j LOG
664 # -A TCP -p tcp -j LOG
632
665
633 ## UDP PORT RULES
666 ## UDP PORT RULES
634 # -A UDP -p udp -j LOG
667 # -A UDP -p udp -j LOG
635
668
636 COMMIT
669 COMMIT
637 EOM
670 EOM
638
671
639 # Reload systemd configuration and enable iptables service
672 # Reload systemd configuration and enable iptables service
640 LANG=C chroot $R systemctl daemon-reload
673 LANG=C chroot $R systemctl daemon-reload
641 LANG=C chroot $R systemctl enable iptables.service
674 LANG=C chroot $R systemctl enable iptables.service
642
675
643 if [ "$ENABLE_IPV6" = true ] ; then
676 if [ "$ENABLE_IPV6" = true ] ; then
644 # Create ip6tables systemd service
677 # Create ip6tables systemd service
645 cat <<EOM >$R/etc/systemd/system/ip6tables.service
678 cat <<EOM >$R/etc/systemd/system/ip6tables.service
646 [Unit]
679 [Unit]
647 Description=Packet Filtering Framework
680 Description=Packet Filtering Framework
648 DefaultDependencies=no
681 DefaultDependencies=no
649 After=systemd-sysctl.service
682 After=systemd-sysctl.service
650 Before=sysinit.target
683 Before=sysinit.target
651 [Service]
684 [Service]
652 Type=oneshot
685 Type=oneshot
653 ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
686 ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
654 ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
687 ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
655 ExecStop=/etc/iptables/flush-ip6tables.sh
688 ExecStop=/etc/iptables/flush-ip6tables.sh
656 RemainAfterExit=yes
689 RemainAfterExit=yes
657 [Install]
690 [Install]
658 WantedBy=multi-user.target
691 WantedBy=multi-user.target
659 EOM
692 EOM
660
693
661 # Create ip6tables file
694 # Create ip6tables file
662 cat <<EOM >$R/etc/iptables/flush-ip6tables.sh
695 cat <<EOM >$R/etc/iptables/flush-ip6tables.sh
663 #!/bin/sh
696 #!/bin/sh
664 ip6tables -F
697 ip6tables -F
665 ip6tables -X
698 ip6tables -X
666 ip6tables -Z
699 ip6tables -Z
667 for table in $(</proc/net/ip6_tables_names)
700 for table in $(</proc/net/ip6_tables_names)
668 do
701 do
669 ip6tables -t \$table -F
702 ip6tables -t \$table -F
670 ip6tables -t \$table -X
703 ip6tables -t \$table -X
671 ip6tables -t \$table -Z
704 ip6tables -t \$table -Z
672 done
705 done
673 ip6tables -P INPUT ACCEPT
706 ip6tables -P INPUT ACCEPT
674 ip6tables -P OUTPUT ACCEPT
707 ip6tables -P OUTPUT ACCEPT
675 ip6tables -P FORWARD ACCEPT
708 ip6tables -P FORWARD ACCEPT
676 EOM
709 EOM
677
710
678 # Create ip6tables rule file
711 # Create ip6tables rule file
679 cat <<EOM >$R/etc/iptables/ip6tables.rules
712 cat <<EOM >$R/etc/iptables/ip6tables.rules
680 *filter
713 *filter
681 :INPUT DROP [0:0]
714 :INPUT DROP [0:0]
682 :FORWARD DROP [0:0]
715 :FORWARD DROP [0:0]
683 :OUTPUT ACCEPT [0:0]
716 :OUTPUT ACCEPT [0:0]
684 :TCP - [0:0]
717 :TCP - [0:0]
685 :UDP - [0:0]
718 :UDP - [0:0]
686 :SSH - [0:0]
719 :SSH - [0:0]
687
720
688 # Drop packets with RH0 headers
721 # Drop packets with RH0 headers
689 -A INPUT -m rt --rt-type 0 -j DROP
722 -A INPUT -m rt --rt-type 0 -j DROP
690 -A OUTPUT -m rt --rt-type 0 -j DROP
723 -A OUTPUT -m rt --rt-type 0 -j DROP
691 -A FORWARD -m rt --rt-type 0 -j DROP
724 -A FORWARD -m rt --rt-type 0 -j DROP
692
725
693 # Rate limit ping requests
726 # Rate limit ping requests
694 -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
727 -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
695 -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
728 -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
696
729
697 # Accept established connections
730 # Accept established connections
698 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
731 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
699
732
700 # Accept all traffic on loopback interface
733 # Accept all traffic on loopback interface
701 -A INPUT -i lo -j ACCEPT
734 -A INPUT -i lo -j ACCEPT
702
735
703 # Drop packets declared invalid
736 # Drop packets declared invalid
704 -A INPUT -m conntrack --ctstate INVALID -j DROP
737 -A INPUT -m conntrack --ctstate INVALID -j DROP
705
738
706 # SSH rate limiting
739 # SSH rate limiting
707 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
740 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
708 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
741 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
709 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
742 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
710 -A SSH -m recent --name sshbf --set -j ACCEPT
743 -A SSH -m recent --name sshbf --set -j ACCEPT
711
744
712 # Send TCP and UDP connections to their respective rules chain
745 # Send TCP and UDP connections to their respective rules chain
713 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
746 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
714 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
747 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
715
748
716 # Reject dropped packets with a RFC compliant responce
749 # Reject dropped packets with a RFC compliant responce
717 -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
750 -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
718 -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
751 -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
719 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
752 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
720
753
721 ## TCP PORT RULES
754 ## TCP PORT RULES
722 # -A TCP -p tcp -j LOG
755 # -A TCP -p tcp -j LOG
723
756
724 ## UDP PORT RULES
757 ## UDP PORT RULES
725 # -A UDP -p udp -j LOG
758 # -A UDP -p udp -j LOG
726
759
727 COMMIT
760 COMMIT
728 EOM
761 EOM
729
762
730 # Reload systemd configuration and enable iptables service
763 # Reload systemd configuration and enable iptables service
731 LANG=C chroot $R systemctl daemon-reload
764 LANG=C chroot $R systemctl daemon-reload
732 LANG=C chroot $R systemctl enable ip6tables.service
765 LANG=C chroot $R systemctl enable ip6tables.service
733 fi
766 fi
734 fi
767 fi
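Review bot: the ip6tables rule file written at old 679-728 / new 712-761 accepts no ICMPv6 other than rate-limited echo-request, so neighbour solicitation/advertisement and router advertisements (ICMPv6 types 133 to 137) are not matched by any ACCEPT rule; conntrack leaves those messages untracked, so they are not caught by the RELATED,ESTABLISHED rule either and fall through to the closing `-A INPUT -j REJECT --reject-with icmp6-adm-prohibited`. On the IPv6 side this breaks address resolution and SLAAC once the service is enabled at 732/765. Suggest accepting the neighbour-discovery types explicitly before the REJECT rules, for example `-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT`, `-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT` and `-A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT` (with a `-m hl --hl-eq 255` restriction if you want to keep them link-local only).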
735
768
736 # Remove SSHD related iptables rules
769 # Remove SSHD related iptables rules
737 if [ "$ENABLE_SSHD" = false ] ; then
770 if [ "$ENABLE_SSHD" = false ] ; then
738 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/iptables.rules 2> /dev/null
771 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/iptables.rules 2> /dev/null
739 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/ip6tables.rules 2> /dev/null
772 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/ip6tables.rules 2> /dev/null
740 fi
773 fi
741
774
742 # Install gcc/c++ build environment inside the chroot
775 # Install gcc/c++ build environment inside the chroot
743 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
776 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
744 LANG=C chroot $R apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
777 LANG=C chroot $R apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
745 fi
778 fi
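Review bot: `--force-yes` on the `apt-get install` at old 744 / new 777 also suppresses apt's package authentication check, so a package that fails signature verification would be installed into the image without a prompt. The fbturbo dependency install at 787/820 already runs with `-y` alone, so drop `--force-yes` here as well and let the build fail loudly if the archive cannot be authenticated.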
746
779
747 # Fetch and build U-Boot bootloader
780 # Fetch and build U-Boot bootloader
748 if [ "$ENABLE_UBOOT" = true ] ; then
781 if [ "$ENABLE_UBOOT" = true ] ; then
749 # Fetch U-Boot bootloader sources
782 # Fetch U-Boot bootloader sources
750 git -C $R/tmp clone git://git.denx.de/u-boot.git
783 git -C $R/tmp clone git://git.denx.de/u-boot.git
751
784
752 # Build and install U-Boot inside chroot
785 # Build and install U-Boot inside chroot
753 LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all
786 LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all
754
787
755 # Copy compiled bootloader binary and set config.txt to load it
788 # Copy compiled bootloader binary and set config.txt to load it
756 cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
789 cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
757 printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
790 printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
758
791
759 # Set U-Boot command file
792 # Set U-Boot command file
760 cat <<EOM >$R/boot/firmware/uboot.mkimage
793 cat <<EOM >$R/boot/firmware/uboot.mkimage
761 # Tell Linux that it is booting on a Raspberry Pi2
794 # Tell Linux that it is booting on a Raspberry Pi2
762 setenv machid 0x00000c42
795 setenv machid 0x00000c42
763
796
764 # Set the kernel boot command line
797 # Set the kernel boot command line
765 setenv bootargs "earlyprintk ${CMDLINE}"
798 setenv bootargs "earlyprintk ${CMDLINE}"
766
799
767 # Save these changes to u-boot's environment
800 # Save these changes to u-boot's environment
768 saveenv
801 saveenv
769
802
770 # Load the existing Linux kernel into RAM
803 # Load the existing Linux kernel into RAM
771 fatload mmc 0:1 \${kernel_addr_r} kernel7.img
804 fatload mmc 0:1 \${kernel_addr_r} kernel7.img
772
805
773 # Boot the kernel we have just loaded
806 # Boot the kernel we have just loaded
774 bootz \${kernel_addr_r}
807 bootz \${kernel_addr_r}
775 EOM
808 EOM
776
809
777 # Generate U-Boot image from command file
810 # Generate U-Boot image from command file
778 LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
811 LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
779 fi
812 fi
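Review bot: the U-Boot sources at old 750 / new 783 are cloned over the unauthenticated `git://` protocol and no tag or commit is checked out, so the bootloader copied to `/boot/firmware/` at 756/789 is whatever HEAD happens to be at build time, fetched without transport integrity. Suggest cloning over https and pinning a release, e.g. `git -C $R/tmp clone https://git.denx.de/u-boot.git` followed by `git -C $R/tmp/u-boot checkout <pinned-tag>` (placeholder), and logging the resulting commit id alongside the image for reproducibility. Separately, `mkimage` is invoked through `chroot` at 778/811, but nothing in the package install at 744/777 provides it; the `make ... all` at 753/786 builds it only as `/tmp/u-boot/tools/mkimage`, which is not on PATH. Unless `u-boot-tools` is installed elsewhere in the script, either install it here or call `/tmp/u-boot/tools/mkimage` explicitly.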
780
813
781 # Fetch and build fbturbo Xorg driver
814 # Fetch and build fbturbo Xorg driver
782 if [ "$ENABLE_FBTURBO" = true ] ; then
815 if [ "$ENABLE_FBTURBO" = true ] ; then
783 # Fetch fbturbo driver sources
816 # Fetch fbturbo driver sources
784 git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git
817 git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git
785
818
786 # Install Xorg build dependencies
819 # Install Xorg build dependencies
787 LANG=C chroot $R apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
820 LANG=C chroot $R apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
788
821
789 # Build and install fbturbo driver inside chroot
822 # Build and install fbturbo driver inside chroot
790 LANG=C chroot $R /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install"
823 LANG=C chroot $R /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install"
791
824
792 # Add fbturbo driver to Xorg configuration
825 # Add fbturbo driver to Xorg configuration
793 cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf
826 cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf
794 Section "Device"
827 Section "Device"
795 Identifier "Allwinner A10/A13 FBDEV"
828 Identifier "Allwinner A10/A13 FBDEV"
796 Driver "fbturbo"
829 Driver "fbturbo"
797 Option "fbdev" "/dev/fb0"
830 Option "fbdev" "/dev/fb0"
798 Option "SwapbuffersWait" "true"
831 Option "SwapbuffersWait" "true"
799 EndSection
832 EndSection
800 EOM
833 EOM
801
834
802 # Remove Xorg build dependencies
835 # Remove Xorg build dependencies
803 LANG=C chroot $R apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
836 LANG=C chroot $R apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
804 fi
837 fi
805
838
806 # Remove gcc/c++ build environment from the chroot
839 # Remove gcc/c++ build environment from the chroot
807 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
840 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
808 LANG=C chroot $R apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
841 LANG=C chroot $R apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
809 fi
842 fi
810
843
811 # Clean cached downloads
844 # Clean cached downloads
812 LANG=C chroot $R apt-get -y clean
845 LANG=C chroot $R apt-get -y clean
813 LANG=C chroot $R apt-get -y autoclean
846 LANG=C chroot $R apt-get -y autoclean
814 LANG=C chroot $R apt-get -y autoremove
847 LANG=C chroot $R apt-get -y autoremove
815
848
816 # Unmount mounted filesystems
849 # Unmount mounted filesystems
817 umount -l $R/proc
850 umount -l $R/proc
818 umount -l $R/sys
851 umount -l $R/sys
819
852
820 # Clean up files
853 # Clean up files
821 rm -f $R/etc/apt/sources.list.save
854 rm -f $R/etc/apt/sources.list.save
822 rm -f $R/etc/resolvconf/resolv.conf.d/original
855 rm -f $R/etc/resolvconf/resolv.conf.d/original
823 rm -rf $R/run
856 rm -rf $R/run
824 mkdir -p $R/run
857 mkdir -p $R/run
825 rm -f $R/etc/*-
858 rm -f $R/etc/*-
826 rm -f $R/root/.bash_history
859 rm -f $R/root/.bash_history
827 rm -rf $R/tmp/*
860 rm -rf $R/tmp/*
828 rm -f $R/var/lib/urandom/random-seed
861 rm -f $R/var/lib/urandom/random-seed
829 [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id
862 [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id
830 rm -f $R/etc/machine-id
863 rm -f $R/etc/machine-id
831 rm -fr $R/etc/apt/apt.conf.d/10proxy
864 rm -fr $R/etc/apt/apt.conf.d/10proxy
832
865
833 # Calculate size of the chroot directory
866 # Calculate size of the chroot directory
834 CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)
867 CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)
835
868
836 # Calculate required image size
869 # Calculate required image size
837 IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`
870 IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`
838
871
839 # Calculate number of sectors for the partition
872 # Calculate number of sectors for the partition
840 IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`
873 IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`
841
874
842 # Prepare date string for image file name
875 # Prepare date string for image file name
843 DATE="$(date +%Y-%m-%d)"
876 DATE="$(date +%Y-%m-%d)"
844
877
845 # Prepare image file
878 # Prepare image file
846 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1
879 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1
847 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}
880 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}
848
881
849 # Write partition table
882 # Write partition table
850 sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
883 sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
851 unit: sectors
884 unit: sectors
852
885
853 1 : start= 2048, size= 131072, Id= c, bootable
886 1 : start= 2048, size= 131072, Id= c, bootable
854 2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83
887 2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83
855 3 : start= 0, size= 0, Id= 0
888 3 : start= 0, size= 0, Id= 0
856 4 : start= 0, size= 0, Id= 0
889 4 : start= 0, size= 0, Id= 0
857 EOM
890 EOM
858
891
859 # Set up temporary loop devices and build filesystems
892 # Set up temporary loop devices and build filesystems
860 VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
893 VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
861 EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
894 EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
862 mkfs.vfat "$VFAT_LOOP"
895 mkfs.vfat "$VFAT_LOOP"
863 mkfs.ext4 "$EXT4_LOOP"
896 mkfs.ext4 "$EXT4_LOOP"
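Review bot: the ext4 loop device at old 861 / new 894 is set up with `--sizelimit` of `expr ${IMAGE_SIZE} - 64`M, but partition 2 as written by sfdisk at 854/887 starts at 65 MiB (sector 133120) and has `IMAGE_SECTORS` sectors, i.e. IMAGE_SIZE minus 65 MiB; the loop device is therefore declared 1 MiB longer than the partition and only works because the backing file ends there. Use `expr ${IMAGE_SIZE} - 65` so the filesystem size matches the partition table exactly. Minor: the image path inside the two `losetup` command substitutions at 860-861 / 893-894 is unquoted, while the same path is quoted for `dd` and `sfdisk` above; quote it there too so a `BASEDIR` containing spaces does not split the argument.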
864
897
865 # Mount the temporary loop devices
898 # Mount the temporary loop devices
866 mkdir -p "$BUILDDIR/mount"
899 mkdir -p "$BUILDDIR/mount"
867 mount "$EXT4_LOOP" "$BUILDDIR/mount"
900 mount "$EXT4_LOOP" "$BUILDDIR/mount"
868
901
869 mkdir -p "$BUILDDIR/mount/boot/firmware"
902 mkdir -p "$BUILDDIR/mount/boot/firmware"
870 mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"
903 mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"
871
904
872 # Copy all files from the chroot to the loop device mount point directory
905 # Copy all files from the chroot to the loop device mount point directory
873 rsync -a "$R/" "$BUILDDIR/mount/"
906 rsync -a "$R/" "$BUILDDIR/mount/"
874
907
875 # Unmount all temporary loop devices and mount points
908 # Unmount all temporary loop devices and mount points
876 cleanup
909 cleanup
877
910
878 # (optinal) create block map file for "bmaptool"
911 # (optinal) create block map file for "bmaptool"
879 bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
912 bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
880
913
881 # Image was successfully created
914 # Image was successfully created
882 echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"
915 echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"