##// END OF EJS Templates
another proxy fix - now even without proxy, heh
Jan Wagner -
r34:57c039de88cb
parent child
Show More
@@ -1,887 +1,882
1 1 #!/bin/sh
2 2
3 3 ########################################################################
4 4 # rpi2-gen-image.sh ver2a 12/2015
5 5 #
6 6 # Advanced debian "jessie" bootstrap script for RPi2
7 7 #
8 8 # This program is free software; you can redistribute it and/or
9 9 # modify it under the terms of the GNU General Public License
10 10 # as published by the Free Software Foundation; either version 2
11 11 # of the License, or (at your option) any later version.
12 12 #
13 13 # some parts based on rpi2-build-image:
14 14 # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
15 15 # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
16 16 ########################################################################
17 17
18 18 # Clean up all temporary mount points
19 19 cleanup (){
20 20 set +x
21 21 set +e
22 22 echo "removing temporary mount points ..."
23 23 umount -l $R/proc 2> /dev/null
24 24 umount -l $R/sys 2> /dev/null
25 25 umount -l $R/dev/pts 2> /dev/null
26 26 umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
27 27 umount "$BUILDDIR/mount" 2> /dev/null
28 28 losetup -d "$EXT4_LOOP" 2> /dev/null
29 29 losetup -d "$VFAT_LOOP" 2> /dev/null
30 30 trap - 0 1 2 3 6
31 31 }
32 32
33 33 set -e
34 34 set -x
35 35
36 36 # Debian release
37 37 RELEASE=${RELEASE:=jessie}
38 38
39 39 # Build settings
40 40 BASEDIR=./images/${RELEASE}
41 41 BUILDDIR=${BASEDIR}/build
42 42
43 43 # General settings
44 44 HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
45 45 PASSWORD=${PASSWORD:=raspberry}
46 46 DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
47 47 TIMEZONE=${TIMEZONE:="Europe/Berlin"}
48 48 XKBMODEL=${XKBMODEL:=""}
49 49 XKBLAYOUT=${XKBLAYOUT:=""}
50 50 XKBVARIANT=${XKBVARIANT:=""}
51 51 XKBOPTIONS=${XKBOPTIONS:=""}
52 52
53 53 # APT settings
54 54 APT_PROXY=${APT_PROXY:=""}
55 55 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
56 56
57 57 # Feature settings
58 58 ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
59 59 ENABLE_IPV6=${ENABLE_IPV6:=true}
60 60 ENABLE_SSHD=${ENABLE_SSHD:=true}
61 61 ENABLE_SOUND=${ENABLE_SOUND:=true}
62 62 ENABLE_DBUS=${ENABLE_DBUS:=true}
63 63 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
64 64 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
65 65 ENABLE_XORG=${ENABLE_XORG:=false}
66 66 ENABLE_WM=${ENABLE_WM:=""}
67 67
68 68 # Advanced settings
69 69 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
70 70 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
71 71 ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
72 72 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
73 73 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
74 74
75 75 # Image chroot path
76 76 R=${BUILDDIR}/chroot
77 77
78 78 # Packages required for bootstrapping
79 79 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git-core"
80 80
81 81 # Missing packages that need to be installed
82 82 MISSING_PACKAGES=""
83 83
84 84 # Packages required in the chroot build environment
85 85 APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo"
86 86
87 87 set +x
88 88
89 89 # Are we running as root?
90 90 if [ "$(id -u)" -ne "0" ] ; then
91 91 echo "this script must be executed with root privileges"
92 92 exit 1
93 93 fi
94 94
95 95 # Check if all required packages are installed
96 96 for package in $REQUIRED_PACKAGES ; do
97 97 if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
98 98 MISSING_PACKAGES="$MISSING_PACKAGES $package"
99 99 fi
100 100 done
101 101
102 102 # Ask if missing packages should get installed right now
103 103 if [ -n "$MISSING_PACKAGES" ] ; then
104 104 echo "the following packages needed by this script are not installed:"
105 105 echo "$MISSING_PACKAGES"
106 106
107 107 echo -n "\ndo you want to install the missing packages right now? [y/n] "
108 108 read confirm
109 109 if [ "$confirm" != "y" ] ; then
110 110 exit 1
111 111 fi
112 112 fi
113 113
114 114 # Make sure all required packages are installed
115 115 apt-get -qq -y install ${REQUIRED_PACKAGES}
116 116
117 117 # Don't clobber an old build
118 118 if [ -e "$BUILDDIR" ]; then
119 119 echo "directory $BUILDDIR already exists, not proceeding"
120 120 exit 1
121 121 fi
122 122
123 123 set -x
124 124
125 125 # Call "cleanup" function on various signals and errors
126 126 trap cleanup 0 1 2 3 6
127 127
128 128 # Set up chroot directory
129 129 mkdir -p $R
130 130
131 131 # Add required packages for the minbase installation
132 132 if [ "$ENABLE_MINBASE" = true ] ; then
133 133 APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools"
134 134 else
135 135 APT_INCLUDES="${APT_INCLUDES},locales,keyboard-configuration,console-setup"
136 136 fi
137 137
138 138 # Add dbus package, recommended if using systemd
139 139 if [ "$ENABLE_DBUS" = true ] ; then
140 140 APT_INCLUDES="${APT_INCLUDES},dbus"
141 141 fi
142 142
143 143 # Add iptables IPv4/IPv6 package
144 144 if [ "$ENABLE_IPTABLES" = true ] ; then
145 145 APT_INCLUDES="${APT_INCLUDES},iptables"
146 146 fi
147 147
148 148 # Add openssh server package
149 149 if [ "$ENABLE_SSHD" = true ] ; then
150 150 APT_INCLUDES="${APT_INCLUDES},openssh-server"
151 151 fi
152 152
153 153 # Add alsa-utils package
154 154 if [ "$ENABLE_SOUND" = true ] ; then
155 155 APT_INCLUDES="${APT_INCLUDES},alsa-utils"
156 156 fi
157 157
158 158 # Add rng-tools package
159 159 if [ "$ENABLE_HWRANDOM" = true ] ; then
160 160 APT_INCLUDES="${APT_INCLUDES},rng-tools"
161 161 fi
162 162
163 163 # Add fbturbo video driver
164 164 if [ "$ENABLE_FBTURBO" = true ] ; then
165 165 # Enable xorg package dependencies
166 166 ENABLE_XORG=true
167 167 fi
168 168
169 169 # Add user defined window manager package
170 170 if [ -n "$ENABLE_WM" ] ; then
171 171 APT_INCLUDES="${APT_INCLUDES},${ENABLE_WM}"
172 172
173 173 # Enable xorg package dependencies
174 174 ENABLE_XORG=true
175 175 fi
176 176
177 177 # Add xorg package
178 178 if [ "$ENABLE_XORG" = true ] ; then
179 179 APT_INCLUDES="${APT_INCLUDES},xorg"
180 180 fi
181 181
182 # Set empty proxy string
183 if [ -z "$APT_PROXY" ] ; then
184 APT_PROXY="http://"
185 fi
186
187 182 # Base debootstrap (unpack only)
188 183 if [ "$ENABLE_MINBASE" = true ] ; then
189 184 http_proxy=${APT_PROXY} debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
190 185 else
191 186 http_proxy=${APT_PROXY} debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
192 187 fi
193 188
194 189 # Copy qemu emulator binary to chroot
195 190 cp /usr/bin/qemu-arm-static $R/usr/bin
196 191
197 192 # Copy debian-archive-keyring.pgp
198 193 chroot $R mkdir -p /usr/share/keyrings
199 194 cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
200 195
201 196 # Complete the bootstrapping process
202 197 chroot $R /debootstrap/debootstrap --second-stage
203 198
204 199 # Mount required filesystems
205 200 mount -t proc none $R/proc
206 201 mount -t sysfs none $R/sys
207 202 mount --bind /dev/pts $R/dev/pts
208 203
209 204 # Use proxy inside chroot
210 205 if [ -z "$APT_PROXY" ] ; then
211 206 echo "Acquire::http::Proxy \"$APT_PROXY\"" >> $R/etc/apt/apt.conf.d/10proxy
212 207 fi
213 208
214 209 # Pin package flash-kernel to repositories.collabora.co.uk
215 210 cat <<EOM >$R/etc/apt/preferences.d/flash-kernel
216 211 Package: flash-kernel
217 212 Pin: origin repositories.collabora.co.uk
218 213 Pin-Priority: 1000
219 214 EOM
220 215
221 216 # Set up timezone
222 217 echo ${TIMEZONE} >$R/etc/timezone
223 218 LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata
224 219
225 220 # Upgrade collabora package index and install collabora keyring
226 221 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
227 222 LANG=C chroot $R apt-get -qq -y update
228 223 LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring
229 224
230 225 # Set up initial sources.list
231 226 cat <<EOM >$R/etc/apt/sources.list
232 227 deb http://${APT_SERVER}/debian ${RELEASE} main contrib
233 228 #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib
234 229
235 230 deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
236 231 #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
237 232
238 233 deb http://security.debian.org/ ${RELEASE}/updates main contrib
239 234 #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib
240 235
241 236 deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
242 237 EOM
243 238
244 239 # Upgrade package index and update all installed packages and changed dependencies
245 240 LANG=C chroot $R apt-get -qq -y update
246 241 LANG=C chroot $R apt-get -qq -y -u dist-upgrade
247 242
248 243 # Set up default locale and keyboard configuration
249 244 if [ "$ENABLE_MINBASE" = false ] ; then
250 245 # Set locale choice in debconf db, even though dpkg-reconfigure ignores and overwrites them due to some bug
251 246 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684134 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685957
252 247 # ... so we have to set locales manually
253 248 if [ "$DEFLOCAL" = "en_US.UTF-8" ] ; then
254 249 LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections
255 250 else
256 251 # en_US.UTF-8 should be available anyway : https://www.debian.org/doc/manuals/debian-reference/ch08.en.html#_the_reconfiguration_of_the_locale
257 252 LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections
258 253 LANG=C chroot $R sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen
259 254 fi
260 255 LANG=C chroot $R sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen
261 256 LANG=C chroot $R echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections
262 257 LANG=C chroot $R locale-gen
263 258 LANG=C chroot $R update-locale LANG=${DEFLOCAL}
264 259
265 260 # Keyboard configuration, if requested
266 261 if [ "$XKBMODEL" != "" ] ; then
267 262 LANG=C chroot $R sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKBMODEL}\"/" /etc/default/keyboard
268 263 fi
269 264 if [ "$XKBLAYOUT" != "" ] ; then
270 265 LANG=C chroot $R sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKBLAYOUT}\"/" /etc/default/keyboard
271 266 fi
272 267 if [ "$XKBVARIANT" != "" ] ; then
273 268 LANG=C chroot $R sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKBVARIANT}\"/" /etc/default/keyboard
274 269 fi
275 270 if [ "$XKBOPTIONS" != "" ] ; then
276 271 LANG=C chroot $R sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKBOPTIONS}\"/" /etc/default/keyboard
277 272 fi
278 273 LANG=C chroot $R dpkg-reconfigure -f noninteractive keyboard-configuration
279 274 # Set up font console
280 275 case "${DEFLOCAL}" in
281 276 *UTF-8)
282 277 LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' /etc/default/console-setup
283 278 ;;
284 279 *)
285 280 LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="guess"/' /etc/default/console-setup
286 281 ;;
287 282 esac
288 283 LANG=C chroot $R dpkg-reconfigure -f noninteractive console-setup
289 284 fi
290 285
291 286 # Kernel installation
292 287 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
293 288 LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2
294 289 LANG=C chroot $R apt-get -qq -y install flash-kernel
295 290
296 291 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
297 292 [ -z "$VMLINUZ" ] && exit 1
298 293 mkdir -p $R/boot/firmware
299 294
300 295 # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")
301 296 wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin
302 297 wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat
303 298 wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat
304 299 wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat
305 300 wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf
306 301 wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf
307 302 wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf
308 303 cp $VMLINUZ $R/boot/firmware/kernel7.img
309 304
310 305 # Set up IPv4 hosts
311 306 echo ${HOSTNAME} >$R/etc/hostname
312 307 cat <<EOM >$R/etc/hosts
313 308 127.0.0.1 localhost
314 309 127.0.1.1 ${HOSTNAME}
315 310 EOM
316 311
317 312 # Set up IPv6 hosts
318 313 if [ "$ENABLE_IPV6" = true ] ; then
319 314 cat <<EOM >>$R/etc/hosts
320 315
321 316 ::1 localhost ip6-localhost ip6-loopback
322 317 ff02::1 ip6-allnodes
323 318 ff02::2 ip6-allrouters
324 319 EOM
325 320 fi
326 321
327 322 # Place hint about network configuration
328 323 cat <<EOM >$R/etc/network/interfaces
329 324 # Debian switched to systemd-networkd configuration files.
330 325 # please configure your networks in '/etc/systemd/network/'
331 326 EOM
332 327
333 328 # Enable systemd-networkd DHCP configuration for interface eth0
334 329 cat <<EOM >$R/etc/systemd/network/eth.network
335 330 [Match]
336 331 Name=eth0
337 332
338 333 [Network]
339 334 DHCP=yes
340 335 EOM
341 336
342 337 # Set DHCP configuration to IPv4 only
343 338 if [ "$ENABLE_IPV6" = false ] ; then
344 339 sed -i "s/=yes/=v4/" $R/etc/systemd/network/eth.network
345 340 fi
346 341
347 342 # Enable systemd-networkd service
348 343 LANG=C chroot $R systemctl enable systemd-networkd
349 344
350 345 # Generate crypt(3) password string
351 346 ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
352 347
353 348 # Set up default user
354 349 LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi
355 350 LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
356 351
357 352 # Set up root password
358 353 LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root
359 354
360 355 # Set up firmware boot cmdline
361 356 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
362 357
363 358 # Set up serial console support (if requested)
364 359 if [ "$ENABLE_CONSOLE" = true ] ; then
365 360 CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
366 361 fi
367 362
368 363 # Set up IPv6 networking support
369 364 if [ "$ENABLE_IPV6" = false ] ; then
370 365 CMDLINE="${CMDLINE} ipv6.disable=1"
371 366 fi
372 367
373 368 echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
374 369
375 370 # Set up firmware config
376 371 cat <<EOM >$R/boot/firmware/config.txt
377 372 # For more options and information see
378 373 # http://www.raspberrypi.org/documentation/configuration/config-txt.md
379 374 # Some settings may impact device functionality. See link above for details
380 375
381 376 # uncomment if you get no picture on HDMI for a default "safe" mode
382 377 #hdmi_safe=1
383 378
384 379 # uncomment this if your display has a black border of unused pixels visible
385 380 # and your display can output without overscan
386 381 #disable_overscan=1
387 382
388 383 # uncomment the following to adjust overscan. Use positive numbers if console
389 384 # goes off screen, and negative if there is too much border
390 385 #overscan_left=16
391 386 #overscan_right=16
392 387 #overscan_top=16
393 388 #overscan_bottom=16
394 389
395 390 # uncomment to force a console size. By default it will be display's size minus
396 391 # overscan.
397 392 #framebuffer_width=1280
398 393 #framebuffer_height=720
399 394
400 395 # uncomment if hdmi display is not detected and composite is being output
401 396 #hdmi_force_hotplug=1
402 397
403 398 # uncomment to force a specific HDMI mode (this will force VGA)
404 399 #hdmi_group=1
405 400 #hdmi_mode=1
406 401
407 402 # uncomment to force a HDMI mode rather than DVI. This can make audio work in
408 403 # DMT (computer monitor) modes
409 404 #hdmi_drive=2
410 405
411 406 # uncomment to increase signal to HDMI, if you have interference, blanking, or
412 407 # no display
413 408 #config_hdmi_boost=4
414 409
415 410 # uncomment for composite PAL
416 411 #sdtv_mode=2
417 412
418 413 # uncomment to overclock the arm. 700 MHz is the default.
419 414 #arm_freq=800
420 415 EOM
421 416
422 417 # Load snd_bcm2835 kernel module at boot time
423 418 if [ "$ENABLE_SOUND" = true ] ; then
424 419 echo "snd_bcm2835" >>$R/etc/modules
425 420 fi
426 421
427 422 # Set smallest possible GPU memory allocation size: 16MB (no X)
428 423 if [ "$ENABLE_MINGPU" = true ] ; then
429 424 echo "gpu_mem=16" >>$R/boot/firmware/config.txt
430 425 fi
431 426
432 427 # Create symlinks
433 428 ln -sf firmware/config.txt $R/boot/config.txt
434 429 ln -sf firmware/cmdline.txt $R/boot/cmdline.txt
435 430
436 431 # Prepare modules-load.d directory
437 432 mkdir -p $R/lib/modules-load.d/
438 433
439 434 # Load random module on boot
440 435 if [ "$ENABLE_HWRANDOM" = true ] ; then
441 436 cat <<EOM >$R/lib/modules-load.d/rpi2.conf
442 437 bcm2708_rng
443 438 EOM
444 439 fi
445 440
446 441 # Prepare modprobe.d directory
447 442 mkdir -p $R/etc/modprobe.d/
448 443
449 444 # Blacklist sound modules
450 445 cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf
451 446 blacklist snd_soc_core
452 447 blacklist snd_pcm
453 448 blacklist snd_pcm_dmaengine
454 449 blacklist snd_timer
455 450 blacklist snd_compress
456 451 blacklist snd_soc_pcm512x_i2c
457 452 blacklist snd_soc_pcm512x
458 453 blacklist snd_soc_tas5713
459 454 blacklist snd_soc_wm8804
460 455 EOM
461 456
462 457 # Create default fstab
463 458 cat <<EOM >$R/etc/fstab
464 459 /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
465 460 /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
466 461 EOM
467 462
468 463 # Avoid swapping and increase cache sizes
469 464 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
470 465
471 466 # Avoid swapping and increase cache sizes
472 467 vm.swappiness=1
473 468 vm.dirty_background_ratio=20
474 469 vm.dirty_ratio=40
475 470 vm.dirty_writeback_centisecs=500
476 471 vm.dirty_expire_centisecs=6000
477 472 EOM
478 473
479 474 # Enable network stack hardening
480 475 if [ "$ENABLE_HARDNET" = true ] ; then
481 476 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
482 477
483 478 # Enable network stack hardening
484 479 net.ipv4.tcp_timestamps=0
485 480 net.ipv4.tcp_syncookies=1
486 481 net.ipv4.conf.all.rp_filter=1
487 482 net.ipv4.conf.all.accept_redirects=0
488 483 net.ipv4.conf.all.send_redirects=0
489 484 net.ipv4.conf.all.accept_source_route=0
490 485 net.ipv4.conf.default.rp_filter=1
491 486 net.ipv4.conf.default.accept_redirects=0
492 487 net.ipv4.conf.default.send_redirects=0
493 488 net.ipv4.conf.default.accept_source_route=0
494 489 net.ipv4.conf.lo.accept_redirects=0
495 490 net.ipv4.conf.lo.send_redirects=0
496 491 net.ipv4.conf.lo.accept_source_route=0
497 492 net.ipv4.conf.eth0.accept_redirects=0
498 493 net.ipv4.conf.eth0.send_redirects=0
499 494 net.ipv4.conf.eth0.accept_source_route=0
500 495 net.ipv4.icmp_echo_ignore_broadcasts=1
501 496 net.ipv4.icmp_ignore_bogus_error_responses=1
502 497
503 498 net.ipv6.conf.all.accept_redirects=0
504 499 net.ipv6.conf.all.accept_source_route=0
505 500 net.ipv6.conf.all.router_solicitations=0
506 501 net.ipv6.conf.all.accept_ra_rtr_pref=0
507 502 net.ipv6.conf.all.accept_ra_pinfo=0
508 503 net.ipv6.conf.all.accept_ra_defrtr=0
509 504 net.ipv6.conf.all.autoconf=0
510 505 net.ipv6.conf.all.dad_transmits=0
511 506 net.ipv6.conf.all.max_addresses=1
512 507
513 508 net.ipv6.conf.default.accept_redirects=0
514 509 net.ipv6.conf.default.accept_source_route=0
515 510 net.ipv6.conf.default.router_solicitations=0
516 511 net.ipv6.conf.default.accept_ra_rtr_pref=0
517 512 net.ipv6.conf.default.accept_ra_pinfo=0
518 513 net.ipv6.conf.default.accept_ra_defrtr=0
519 514 net.ipv6.conf.default.autoconf=0
520 515 net.ipv6.conf.default.dad_transmits=0
521 516 net.ipv6.conf.default.max_addresses=1
522 517
523 518 net.ipv6.conf.lo.accept_redirects=0
524 519 net.ipv6.conf.lo.accept_source_route=0
525 520 net.ipv6.conf.lo.router_solicitations=0
526 521 net.ipv6.conf.lo.accept_ra_rtr_pref=0
527 522 net.ipv6.conf.lo.accept_ra_pinfo=0
528 523 net.ipv6.conf.lo.accept_ra_defrtr=0
529 524 net.ipv6.conf.lo.autoconf=0
530 525 net.ipv6.conf.lo.dad_transmits=0
531 526 net.ipv6.conf.lo.max_addresses=1
532 527
533 528 net.ipv6.conf.eth0.accept_redirects=0
534 529 net.ipv6.conf.eth0.accept_source_route=0
535 530 net.ipv6.conf.eth0.router_solicitations=0
536 531 net.ipv6.conf.eth0.accept_ra_rtr_pref=0
537 532 net.ipv6.conf.eth0.accept_ra_pinfo=0
538 533 net.ipv6.conf.eth0.accept_ra_defrtr=0
539 534 net.ipv6.conf.eth0.autoconf=0
540 535 net.ipv6.conf.eth0.dad_transmits=0
541 536 net.ipv6.conf.eth0.max_addresses=1
542 537 EOM
543 538
544 539 # Enable resolver warnings about spoofed addresses
545 540 cat <<EOM >>$R/etc/host.conf
546 541 spoof warn
547 542 EOM
548 543 fi
549 544
550 545 # Regenerate openssh server host keys
551 546 if [ "$ENABLE_SSHD" = true ] ; then
552 547 rm -fr $R/etc/ssh/ssh_host_*
553 548 LANG=C chroot $R dpkg-reconfigure openssh-server
554 549 fi
555 550
556 551 # Enable serial console systemd style
557 552 if [ "$ENABLE_CONSOLE" = true ] ; then
558 553 LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service
559 554 fi
560 555
561 556 # Enable firewall based on iptables started by systemd service
562 557 if [ "$ENABLE_IPTABLES" = true ] ; then
563 558 # Create iptables configuration directory
564 559 mkdir -p "$R/etc/iptables"
565 560
566 561 # Create iptables systemd service
567 562 cat <<EOM >$R/etc/systemd/system/iptables.service
568 563 [Unit]
569 564 Description=Packet Filtering Framework
570 565 DefaultDependencies=no
571 566 After=systemd-sysctl.service
572 567 Before=sysinit.target
573 568 [Service]
574 569 Type=oneshot
575 570 ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
576 571 ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
577 572 ExecStop=/etc/iptables/flush-iptables.sh
578 573 RemainAfterExit=yes
579 574 [Install]
580 575 WantedBy=multi-user.target
581 576 EOM
582 577
583 578 # Create flush-table script called by iptables service
584 579 cat <<EOM >$R/etc/iptables/flush-iptables.sh
585 580 #!/bin/sh
586 581 iptables -F
587 582 iptables -X
588 583 iptables -t nat -F
589 584 iptables -t nat -X
590 585 iptables -t mangle -F
591 586 iptables -t mangle -X
592 587 iptables -P INPUT ACCEPT
593 588 iptables -P FORWARD ACCEPT
594 589 iptables -P OUTPUT ACCEPT
595 590 EOM
596 591
597 592 # Create iptables rule file
598 593 cat <<EOM >$R/etc/iptables/iptables.rules
599 594 *filter
600 595 :INPUT DROP [0:0]
601 596 :FORWARD DROP [0:0]
602 597 :OUTPUT ACCEPT [0:0]
603 598 :TCP - [0:0]
604 599 :UDP - [0:0]
605 600 :SSH - [0:0]
606 601
607 602 # Rate limit ping requests
608 603 -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
609 604 -A INPUT -p icmp --icmp-type echo-request -j DROP
610 605
611 606 # Accept established connections
612 607 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
613 608
614 609 # Accept all traffic on loopback interface
615 610 -A INPUT -i lo -j ACCEPT
616 611
617 612 # Drop packets declared invalid
618 613 -A INPUT -m conntrack --ctstate INVALID -j DROP
619 614
620 615 # SSH rate limiting
621 616 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
622 617 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
623 618 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
624 619 -A SSH -m recent --name sshbf --set -j ACCEPT
625 620
626 621 # Send TCP and UDP connections to their respective rules chain
627 622 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
628 623 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
629 624
630 625 # Reject dropped packets with a RFC compliant responce
631 626 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
632 627 -A INPUT -p tcp -j REJECT --reject-with tcp-rst
633 628 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
634 629
635 630 ## TCP PORT RULES
636 631 # -A TCP -p tcp -j LOG
637 632
638 633 ## UDP PORT RULES
639 634 # -A UDP -p udp -j LOG
640 635
641 636 COMMIT
642 637 EOM
643 638
644 639 # Reload systemd configuration and enable iptables service
645 640 LANG=C chroot $R systemctl daemon-reload
646 641 LANG=C chroot $R systemctl enable iptables.service
647 642
648 643 if [ "$ENABLE_IPV6" = true ] ; then
649 644 # Create ip6tables systemd service
650 645 cat <<EOM >$R/etc/systemd/system/ip6tables.service
651 646 [Unit]
652 647 Description=Packet Filtering Framework
653 648 DefaultDependencies=no
654 649 After=systemd-sysctl.service
655 650 Before=sysinit.target
656 651 [Service]
657 652 Type=oneshot
658 653 ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
659 654 ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
660 655 ExecStop=/etc/iptables/flush-ip6tables.sh
661 656 RemainAfterExit=yes
662 657 [Install]
663 658 WantedBy=multi-user.target
664 659 EOM
665 660
666 661 # Create ip6tables file
667 662 cat <<EOM >$R/etc/iptables/flush-ip6tables.sh
668 663 #!/bin/sh
669 664 ip6tables -F
670 665 ip6tables -X
671 666 ip6tables -Z
672 667 for table in $(</proc/net/ip6_tables_names)
673 668 do
674 669 ip6tables -t \$table -F
675 670 ip6tables -t \$table -X
676 671 ip6tables -t \$table -Z
677 672 done
678 673 ip6tables -P INPUT ACCEPT
679 674 ip6tables -P OUTPUT ACCEPT
680 675 ip6tables -P FORWARD ACCEPT
681 676 EOM
682 677
683 678 # Create ip6tables rule file
684 679 cat <<EOM >$R/etc/iptables/ip6tables.rules
685 680 *filter
686 681 :INPUT DROP [0:0]
687 682 :FORWARD DROP [0:0]
688 683 :OUTPUT ACCEPT [0:0]
689 684 :TCP - [0:0]
690 685 :UDP - [0:0]
691 686 :SSH - [0:0]
692 687
693 688 # Drop packets with RH0 headers
694 689 -A INPUT -m rt --rt-type 0 -j DROP
695 690 -A OUTPUT -m rt --rt-type 0 -j DROP
696 691 -A FORWARD -m rt --rt-type 0 -j DROP
697 692
698 693 # Rate limit ping requests
699 694 -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
700 695 -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
701 696
702 697 # Accept established connections
703 698 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
704 699
705 700 # Accept all traffic on loopback interface
706 701 -A INPUT -i lo -j ACCEPT
707 702
708 703 # Drop packets declared invalid
709 704 -A INPUT -m conntrack --ctstate INVALID -j DROP
710 705
711 706 # SSH rate limiting
712 707 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
713 708 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
714 709 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
715 710 -A SSH -m recent --name sshbf --set -j ACCEPT
716 711
717 712 # Send TCP and UDP connections to their respective rules chain
718 713 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
719 714 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
720 715
721 716 # Reject dropped packets with a RFC compliant responce
722 717 -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
723 718 -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
724 719 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
725 720
726 721 ## TCP PORT RULES
727 722 # -A TCP -p tcp -j LOG
728 723
729 724 ## UDP PORT RULES
730 725 # -A UDP -p udp -j LOG
731 726
732 727 COMMIT
733 728 EOM
734 729
735 730 # Reload systemd configuration and enable iptables service
736 731 LANG=C chroot $R systemctl daemon-reload
737 732 LANG=C chroot $R systemctl enable ip6tables.service
738 733 fi
739 734 fi
740 735
741 736 # Remove SSHD related iptables rules
742 737 if [ "$ENABLE_SSHD" = false ] ; then
743 738 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/iptables.rules 2> /dev/null
744 739 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/ip6tables.rules 2> /dev/null
745 740 fi
746 741
747 742 # Install gcc/c++ build environment inside the chroot
748 743 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
749 744 LANG=C chroot $R apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
750 745 fi
751 746
752 747 # Fetch and build U-Boot bootloader
753 748 if [ "$ENABLE_UBOOT" = true ] ; then
754 749 # Fetch U-Boot bootloader sources
755 750 git -C $R/tmp clone git://git.denx.de/u-boot.git
756 751
757 752 # Build and install U-Boot inside chroot
758 753 LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all
759 754
760 755 # Copy compiled bootloader binary and set config.txt to load it
761 756 cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
762 757 printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
763 758
764 759 # Set U-Boot command file
765 760 cat <<EOM >$R/boot/firmware/uboot.mkimage
766 761 # Tell Linux that it is booting on a Raspberry Pi2
767 762 setenv machid 0x00000c42
768 763
769 764 # Set the kernel boot command line
770 765 setenv bootargs "earlyprintk ${CMDLINE}"
771 766
772 767 # Save these changes to u-boot's environment
773 768 saveenv
774 769
775 770 # Load the existing Linux kernel into RAM
776 771 fatload mmc 0:1 \${kernel_addr_r} kernel7.img
777 772
778 773 # Boot the kernel we have just loaded
779 774 bootz \${kernel_addr_r}
780 775 EOM
781 776
782 777 # Generate U-Boot image from command file
783 778 LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
784 779 fi
785 780
786 781 # Fetch and build fbturbo Xorg driver
787 782 if [ "$ENABLE_FBTURBO" = true ] ; then
788 783 # Fetch fbturbo driver sources
789 784 git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git
790 785
791 786 # Install Xorg build dependencies
792 787 LANG=C chroot $R apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
793 788
794 789 # Build and install fbturbo driver inside chroot
795 790 LANG=C chroot $R /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install"
796 791
797 792 # Add fbturbo driver to Xorg configuration
798 793 cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf
799 794 Section "Device"
800 795 Identifier "Allwinner A10/A13 FBDEV"
801 796 Driver "fbturbo"
802 797 Option "fbdev" "/dev/fb0"
803 798 Option "SwapbuffersWait" "true"
804 799 EndSection
805 800 EOM
806 801
807 802 # Remove Xorg build dependencies
808 803 LANG=C chroot $R apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
809 804 fi
810 805
811 806 # Remove gcc/c++ build environment from the chroot
812 807 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
813 808 LANG=C chroot $R apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
814 809 fi
815 810
816 811 # Clean cached downloads
817 812 LANG=C chroot $R apt-get -y clean
818 813 LANG=C chroot $R apt-get -y autoclean
819 814 LANG=C chroot $R apt-get -y autoremove
820 815
821 816 # Unmount mounted filesystems
822 817 umount -l $R/proc
823 818 umount -l $R/sys
824 819
825 820 # Clean up files
826 821 rm -f $R/etc/apt/sources.list.save
827 822 rm -f $R/etc/resolvconf/resolv.conf.d/original
828 823 rm -rf $R/run
829 824 mkdir -p $R/run
830 825 rm -f $R/etc/*-
831 826 rm -f $R/root/.bash_history
832 827 rm -rf $R/tmp/*
833 828 rm -f $R/var/lib/urandom/random-seed
834 829 [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id
835 830 rm -f $R/etc/machine-id
836 831 rm -fr $R/etc/apt/apt.conf.d/10proxy
837 832
838 833 # Calculate size of the chroot directory
839 834 CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)
840 835
841 836 # Calculate required image size
842 837 IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`
843 838
844 839 # Calculate number of sectors for the partition
845 840 IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`
846 841
847 842 # Prepare date string for image file name
848 843 DATE="$(date +%Y-%m-%d)"
849 844
850 845 # Prepare image file
851 846 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1
852 847 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}
853 848
854 849 # Write partition table
855 850 sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
856 851 unit: sectors
857 852
858 853 1 : start= 2048, size= 131072, Id= c, bootable
859 854 2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83
860 855 3 : start= 0, size= 0, Id= 0
861 856 4 : start= 0, size= 0, Id= 0
862 857 EOM
863 858
864 859 # Set up temporary loop devices and build filesystems
865 860 VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
866 861 EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
867 862 mkfs.vfat "$VFAT_LOOP"
868 863 mkfs.ext4 "$EXT4_LOOP"
869 864
870 865 # Mount the temporary loop devices
871 866 mkdir -p "$BUILDDIR/mount"
872 867 mount "$EXT4_LOOP" "$BUILDDIR/mount"
873 868
874 869 mkdir -p "$BUILDDIR/mount/boot/firmware"
875 870 mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"
876 871
877 872 # Copy all files from the chroot to the loop device mount point directory
878 873 rsync -a "$R/" "$BUILDDIR/mount/"
879 874
880 875 # Unmount all temporary loop devices and mount points
881 876 cleanup
882 877
883 878 # (optinal) create block map file for "bmaptool"
884 879 bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
885 880
886 881 # Image was successfully created
887 882 echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"
General Comments 0
Vous devez vous connecter pour laisser un commentaire. Se connecter maintenant