| @@ -1,916 +1,923 | |||||
| 1 | #!/bin/sh |
|
1 | #!/bin/sh | |
| 2 |
|
2 | |||
| 3 | ######################################################################## |
|
3 | ######################################################################## | |
| 4 | # rpi2-gen-image.sh ver2a 12/2015 |
|
4 | # rpi2-gen-image.sh ver2a 12/2015 | |
| 5 | # |
|
5 | # | |
| 6 | # Advanced debian "jessie" bootstrap script for RPi2 |
|
6 | # Advanced debian "jessie" bootstrap script for RPi2 | |
| 7 | # |
|
7 | # | |
| 8 | # This program is free software; you can redistribute it and/or |
|
8 | # This program is free software; you can redistribute it and/or | |
| 9 | # modify it under the terms of the GNU General Public License |
|
9 | # modify it under the terms of the GNU General Public License | |
| 10 | # as published by the Free Software Foundation; either version 2 |
|
10 | # as published by the Free Software Foundation; either version 2 | |
| 11 | # of the License, or (at your option) any later version. |
|
11 | # of the License, or (at your option) any later version. | |
| 12 | # |
|
12 | # | |
| 13 | # some parts based on rpi2-build-image: |
|
13 | # some parts based on rpi2-build-image: | |
| 14 | # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org> |
|
14 | # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org> | |
| 15 | # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org> |
|
15 | # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org> | |
| 16 | ######################################################################## |
|
16 | ######################################################################## | |
| 17 |
|
17 | |||
| 18 | # Clean up all temporary mount points |
|
18 | # Clean up all temporary mount points | |
| 19 | cleanup (){ |
|
19 | cleanup (){ | |
| 20 | set +x |
|
20 | set +x | |
| 21 | set +e |
|
21 | set +e | |
| 22 | echo "removing temporary mount points ..." |
|
22 | echo "removing temporary mount points ..." | |
| 23 | umount -l $R/proc 2> /dev/null |
|
23 | umount -l $R/proc 2> /dev/null | |
| 24 | umount -l $R/sys 2> /dev/null |
|
24 | umount -l $R/sys 2> /dev/null | |
| 25 | umount -l $R/dev/pts 2> /dev/null |
|
25 | umount -l $R/dev/pts 2> /dev/null | |
| 26 | umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null |
|
26 | umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null | |
| 27 | umount "$BUILDDIR/mount" 2> /dev/null |
|
27 | umount "$BUILDDIR/mount" 2> /dev/null | |
| 28 | losetup -d "$EXT4_LOOP" 2> /dev/null |
|
28 | losetup -d "$EXT4_LOOP" 2> /dev/null | |
| 29 | losetup -d "$VFAT_LOOP" 2> /dev/null |
|
29 | losetup -d "$VFAT_LOOP" 2> /dev/null | |
| 30 | trap - 0 1 2 3 6 |
|
30 | trap - 0 1 2 3 6 | |
| 31 | } |
|
31 | } | |
| 32 |
|
32 | |||
| 33 | set -e |
|
33 | set -e | |
| 34 | set -x |
|
34 | set -x | |
| 35 |
|
35 | |||
| 36 | # Debian release |
|
36 | # Debian release | |
| 37 | RELEASE=${RELEASE:=jessie} |
|
37 | RELEASE=${RELEASE:=jessie} | |
| 38 |
|
38 | |||
| 39 | # Build settings |
|
39 | # Build settings | |
| 40 | BASEDIR=./images/${RELEASE} |
|
40 | BASEDIR=./images/${RELEASE} | |
| 41 | BUILDDIR=${BASEDIR}/build |
|
41 | BUILDDIR=${BASEDIR}/build | |
| 42 |
|
42 | |||
| 43 | # General settings |
|
43 | # General settings | |
| 44 | HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}} |
|
44 | HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}} | |
| 45 | PASSWORD=${PASSWORD:=raspberry} |
|
45 | PASSWORD=${PASSWORD:=raspberry} | |
| 46 | DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"} |
|
46 | DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"} | |
| 47 | TIMEZONE=${TIMEZONE:="Europe/Berlin"} |
|
47 | TIMEZONE=${TIMEZONE:="Europe/Berlin"} | |
| 48 | XKBMODEL=${XKBMODEL:=""} |
|
48 | XKBMODEL=${XKBMODEL:=""} | |
| 49 | XKBLAYOUT=${XKBLAYOUT:=""} |
|
49 | XKBLAYOUT=${XKBLAYOUT:=""} | |
| 50 | XKBVARIANT=${XKBVARIANT:=""} |
|
50 | XKBVARIANT=${XKBVARIANT:=""} | |
| 51 | XKBOPTIONS=${XKBOPTIONS:=""} |
|
51 | XKBOPTIONS=${XKBOPTIONS:=""} | |
| 52 |
|
52 | |||
| 53 | # Network settings |
|
53 | # Network settings | |
| 54 | ENABLE_DHCP=${ENABLE_DHCP:=true} |
|
54 | ENABLE_DHCP=${ENABLE_DHCP:=true} | |
| 55 | # NET_* settings are ignored when ENABLE_DHCP=true |
|
55 | # NET_* settings are ignored when ENABLE_DHCP=true | |
| 56 | # NET_ADDRESS is an IPv4 or IPv6 address and its prefix, separated by "/" |
|
56 | # NET_ADDRESS is an IPv4 or IPv6 address and its prefix, separated by "/" | |
| 57 | NET_ADDRESS=${NET_ADDRESS:=""} |
|
57 | NET_ADDRESS=${NET_ADDRESS:=""} | |
| 58 | NET_GATEWAY=${NET_GATEWAY:=""} |
|
58 | NET_GATEWAY=${NET_GATEWAY:=""} | |
| 59 | NET_DNS_1=${NET_DNS_1:=""} |
|
59 | NET_DNS_1=${NET_DNS_1:=""} | |
| 60 | NET_DNS_2=${NET_DNS_2:=""} |
|
60 | NET_DNS_2=${NET_DNS_2:=""} | |
| 61 | NET_DNS_DOMAINS=${NET_DNS_DOMAINS:=""} |
|
61 | NET_DNS_DOMAINS=${NET_DNS_DOMAINS:=""} | |
| 62 | NET_NTP_1=${NET_NTP_1:=""} |
|
62 | NET_NTP_1=${NET_NTP_1:=""} | |
| 63 | NET_NTP_2=${NET_NTP_2:=""} |
|
63 | NET_NTP_2=${NET_NTP_2:=""} | |
| 64 |
|
64 | |||
| 65 | # APT settings |
|
65 | # APT settings | |
| 66 | APT_PROXY=${APT_PROXY:=""} |
|
66 | APT_PROXY=${APT_PROXY:=""} | |
| 67 | APT_SERVER=${APT_SERVER:="ftp.debian.org"} |
|
67 | APT_SERVER=${APT_SERVER:="ftp.debian.org"} | |
| 68 |
|
68 | |||
| 69 | # Feature settings |
|
69 | # Feature settings | |
| 70 | ENABLE_CONSOLE=${ENABLE_CONSOLE:=true} |
|
70 | ENABLE_CONSOLE=${ENABLE_CONSOLE:=true} | |
| 71 | ENABLE_IPV6=${ENABLE_IPV6:=true} |
|
71 | ENABLE_IPV6=${ENABLE_IPV6:=true} | |
| 72 | ENABLE_SSHD=${ENABLE_SSHD:=true} |
|
72 | ENABLE_SSHD=${ENABLE_SSHD:=true} | |
| 73 | ENABLE_SOUND=${ENABLE_SOUND:=true} |
|
73 | ENABLE_SOUND=${ENABLE_SOUND:=true} | |
| 74 | ENABLE_DBUS=${ENABLE_DBUS:=true} |
|
74 | ENABLE_DBUS=${ENABLE_DBUS:=true} | |
| 75 | ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true} |
|
75 | ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true} | |
| 76 | ENABLE_MINGPU=${ENABLE_MINGPU:=false} |
|
76 | ENABLE_MINGPU=${ENABLE_MINGPU:=false} | |
| 77 | ENABLE_XORG=${ENABLE_XORG:=false} |
|
77 | ENABLE_XORG=${ENABLE_XORG:=false} | |
| 78 | ENABLE_WM=${ENABLE_WM:=""} |
|
78 | ENABLE_WM=${ENABLE_WM:=""} | |
| 79 |
|
79 | |||
| 80 | # Advanced settings |
|
80 | # Advanced settings | |
| 81 | ENABLE_MINBASE=${ENABLE_MINBASE:=false} |
|
81 | ENABLE_MINBASE=${ENABLE_MINBASE:=false} | |
| 82 | ENABLE_UBOOT=${ENABLE_UBOOT:=false} |
|
82 | ENABLE_UBOOT=${ENABLE_UBOOT:=false} | |
| 83 | ENABLE_FBTURBO=${ENABLE_FBTURBO:=false} |
|
83 | ENABLE_FBTURBO=${ENABLE_FBTURBO:=false} | |
| 84 | ENABLE_HARDNET=${ENABLE_HARDNET:=false} |
|
84 | ENABLE_HARDNET=${ENABLE_HARDNET:=false} | |
| 85 | ENABLE_IPTABLES=${ENABLE_IPTABLES:=false} |
|
85 | ENABLE_IPTABLES=${ENABLE_IPTABLES:=false} | |
| 86 |
|
86 | |||
| 87 | # Image chroot path |
|
87 | # Image chroot path | |
| 88 | R=${BUILDDIR}/chroot |
|
88 | R=${BUILDDIR}/chroot | |
| 89 |
|
89 | |||
| 90 | # Packages required for bootstrapping |
|
90 | # Packages required for bootstrapping | |
| 91 | REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git-core" |
|
91 | REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git-core" | |
| 92 |
|
92 | |||
| 93 | # Missing packages that need to be installed |
|
93 | # Missing packages that need to be installed | |
| 94 | MISSING_PACKAGES="" |
|
94 | MISSING_PACKAGES="" | |
| 95 |
|
95 | |||
| 96 | # Packages required in the chroot build environment |
|
96 | # Packages required in the chroot build environment | |
| 97 | APT_INCLUDES=${APT_INCLUDES:=""} |
|
97 | APT_INCLUDES=${APT_INCLUDES:=""} | |
| 98 | APT_INCLUDES="${APT_INCLUDES},apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo" |
|
98 | APT_INCLUDES="${APT_INCLUDES},apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo" | |
| 99 |
|
99 | |||
| 100 | set +x |
|
100 | set +x | |
| 101 |
|
101 | |||
| 102 | # Are we running as root? |
|
102 | # Are we running as root? | |
| 103 | if [ "$(id -u)" -ne "0" ] ; then |
|
103 | if [ "$(id -u)" -ne "0" ] ; then | |
| 104 | echo "this script must be executed with root privileges" |
|
104 | echo "this script must be executed with root privileges" | |
| 105 | exit 1 |
|
105 | exit 1 | |
| 106 | fi |
|
106 | fi | |
| 107 |
|
107 | |||
| 108 | # Check if all required packages are installed |
|
108 | # Check if all required packages are installed | |
| 109 | for package in $REQUIRED_PACKAGES ; do |
|
109 | for package in $REQUIRED_PACKAGES ; do | |
| 110 | if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then |
|
110 | if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then | |
| 111 | MISSING_PACKAGES="$MISSING_PACKAGES $package" |
|
111 | MISSING_PACKAGES="$MISSING_PACKAGES $package" | |
| 112 | fi |
|
112 | fi | |
| 113 | done |
|
113 | done | |
| 114 |
|
114 | |||
| 115 | # Ask if missing packages should get installed right now |
|
115 | # Ask if missing packages should get installed right now | |
| 116 | if [ -n "$MISSING_PACKAGES" ] ; then |
|
116 | if [ -n "$MISSING_PACKAGES" ] ; then | |
| 117 | echo "the following packages needed by this script are not installed:" |
|
117 | echo "the following packages needed by this script are not installed:" | |
| 118 | echo "$MISSING_PACKAGES" |
|
118 | echo "$MISSING_PACKAGES" | |
| 119 |
|
119 | |||
| 120 | echo -n "\ndo you want to install the missing packages right now? [y/n] " |
|
120 | echo -n "\ndo you want to install the missing packages right now? [y/n] " | |
| 121 | read confirm |
|
121 | read confirm | |
| 122 | if [ "$confirm" != "y" ] ; then |
|
122 | if [ "$confirm" != "y" ] ; then | |
| 123 | exit 1 |
|
123 | exit 1 | |
| 124 | fi |
|
124 | fi | |
| 125 | fi |
|
125 | fi | |
| 126 |
|
126 | |||
| 127 | # Make sure all required packages are installed |
|
127 | # Make sure all required packages are installed | |
| 128 | apt-get -qq -y install ${REQUIRED_PACKAGES} |
|
128 | apt-get -qq -y install ${REQUIRED_PACKAGES} | |
| 129 |
|
129 | |||
| 130 | # Don't clobber an old build |
|
130 | # Don't clobber an old build | |
| 131 | if [ -e "$BUILDDIR" ]; then |
|
131 | if [ -e "$BUILDDIR" ]; then | |
| 132 | echo "directory $BUILDDIR already exists, not proceeding" |
|
132 | echo "directory $BUILDDIR already exists, not proceeding" | |
| 133 | exit 1 |
|
133 | exit 1 | |
| 134 | fi |
|
134 | fi | |
| 135 |
|
135 | |||
| 136 | set -x |
|
136 | set -x | |
| 137 |
|
137 | |||
| 138 | # Call "cleanup" function on various signals and errors |
|
138 | # Call "cleanup" function on various signals and errors | |
| 139 | trap cleanup 0 1 2 3 6 |
|
139 | trap cleanup 0 1 2 3 6 | |
| 140 |
|
140 | |||
| 141 | # Set up chroot directory |
|
141 | # Set up chroot directory | |
| 142 | mkdir -p $R |
|
142 | mkdir -p $R | |
| 143 |
|
143 | |||
| 144 | # Add required packages for the minbase installation |
|
144 | # Add required packages for the minbase installation | |
| 145 | if [ "$ENABLE_MINBASE" = true ] ; then |
|
145 | if [ "$ENABLE_MINBASE" = true ] ; then | |
| 146 | APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools" |
|
146 | APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools" | |
| 147 | else |
|
147 | else | |
| 148 | APT_INCLUDES="${APT_INCLUDES},locales,keyboard-configuration,console-setup" |
|
148 | APT_INCLUDES="${APT_INCLUDES},locales,keyboard-configuration,console-setup" | |
| 149 | fi |
|
149 | fi | |
| 150 |
|
150 | |||
| 151 | # Add dbus package, recommended if using systemd |
|
151 | # Add dbus package, recommended if using systemd | |
| 152 | if [ "$ENABLE_DBUS" = true ] ; then |
|
152 | if [ "$ENABLE_DBUS" = true ] ; then | |
| 153 | APT_INCLUDES="${APT_INCLUDES},dbus" |
|
153 | APT_INCLUDES="${APT_INCLUDES},dbus" | |
| 154 | fi |
|
154 | fi | |
| 155 |
|
155 | |||
| 156 | # Add iptables IPv4/IPv6 package |
|
156 | # Add iptables IPv4/IPv6 package | |
| 157 | if [ "$ENABLE_IPTABLES" = true ] ; then |
|
157 | if [ "$ENABLE_IPTABLES" = true ] ; then | |
| 158 | APT_INCLUDES="${APT_INCLUDES},iptables" |
|
158 | APT_INCLUDES="${APT_INCLUDES},iptables" | |
| 159 | fi |
|
159 | fi | |
| 160 |
|
160 | |||
| 161 | # Add openssh server package |
|
161 | # Add openssh server package | |
| 162 | if [ "$ENABLE_SSHD" = true ] ; then |
|
162 | if [ "$ENABLE_SSHD" = true ] ; then | |
| 163 | APT_INCLUDES="${APT_INCLUDES},openssh-server" |
|
163 | APT_INCLUDES="${APT_INCLUDES},openssh-server" | |
| 164 | fi |
|
164 | fi | |
| 165 |
|
165 | |||
| 166 | # Add alsa-utils package |
|
166 | # Add alsa-utils package | |
| 167 | if [ "$ENABLE_SOUND" = true ] ; then |
|
167 | if [ "$ENABLE_SOUND" = true ] ; then | |
| 168 | APT_INCLUDES="${APT_INCLUDES},alsa-utils" |
|
168 | APT_INCLUDES="${APT_INCLUDES},alsa-utils" | |
| 169 | fi |
|
169 | fi | |
| 170 |
|
170 | |||
| 171 | # Add rng-tools package |
|
171 | # Add rng-tools package | |
| 172 | if [ "$ENABLE_HWRANDOM" = true ] ; then |
|
172 | if [ "$ENABLE_HWRANDOM" = true ] ; then | |
| 173 | APT_INCLUDES="${APT_INCLUDES},rng-tools" |
|
173 | APT_INCLUDES="${APT_INCLUDES},rng-tools" | |
| 174 | fi |
|
174 | fi | |
| 175 |
|
175 | |||
| 176 | # Add fbturbo video driver |
|
176 | # Add fbturbo video driver | |
| 177 | if [ "$ENABLE_FBTURBO" = true ] ; then |
|
177 | if [ "$ENABLE_FBTURBO" = true ] ; then | |
| 178 | # Enable xorg package dependencies |
|
178 | # Enable xorg package dependencies | |
| 179 | ENABLE_XORG=true |
|
179 | ENABLE_XORG=true | |
| 180 | fi |
|
180 | fi | |
| 181 |
|
181 | |||
| 182 | # Add user defined window manager package |
|
182 | # Add user defined window manager package | |
| 183 | if [ -n "$ENABLE_WM" ] ; then |
|
183 | if [ -n "$ENABLE_WM" ] ; then | |
| 184 | APT_INCLUDES="${APT_INCLUDES},${ENABLE_WM}" |
|
184 | APT_INCLUDES="${APT_INCLUDES},${ENABLE_WM}" | |
| 185 |
|
185 | |||
| 186 | # Enable xorg package dependencies |
|
186 | # Enable xorg package dependencies | |
| 187 | ENABLE_XORG=true |
|
187 | ENABLE_XORG=true | |
| 188 | fi |
|
188 | fi | |
| 189 |
|
189 | |||
| 190 | # Add xorg package |
|
190 | # Add xorg package | |
| 191 | if [ "$ENABLE_XORG" = true ] ; then |
|
191 | if [ "$ENABLE_XORG" = true ] ; then | |
| 192 | APT_INCLUDES="${APT_INCLUDES},xorg" |
|
192 | APT_INCLUDES="${APT_INCLUDES},xorg" | |
| 193 | fi |
|
193 | fi | |
| 194 |
|
194 | |||
| 195 | # Base debootstrap (unpack only) |
|
195 | # Base debootstrap (unpack only) | |
| 196 | if [ "$ENABLE_MINBASE" = true ] ; then |
|
196 | if [ "$ENABLE_MINBASE" = true ] ; then | |
| 197 | http_proxy=${APT_PROXY} debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian |
|
197 | http_proxy=${APT_PROXY} debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian | |
| 198 | else |
|
198 | else | |
| 199 | http_proxy=${APT_PROXY} debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian |
|
199 | http_proxy=${APT_PROXY} debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian | |
| 200 | fi |
|
200 | fi | |
| 201 |
|
201 | |||
| 202 | # Copy qemu emulator binary to chroot |
|
202 | # Copy qemu emulator binary to chroot | |
| 203 | cp /usr/bin/qemu-arm-static $R/usr/bin |
|
203 | cp /usr/bin/qemu-arm-static $R/usr/bin | |
| 204 |
|
204 | |||
| 205 | # Copy debian-archive-keyring.pgp |
|
205 | # Copy debian-archive-keyring.pgp | |
| 206 | chroot $R mkdir -p /usr/share/keyrings |
|
206 | chroot $R mkdir -p /usr/share/keyrings | |
| 207 | cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg |
|
207 | cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg | |
| 208 |
|
208 | |||
| 209 | # Complete the bootstrapping process |
|
209 | # Complete the bootstrapping process | |
| 210 | chroot $R /debootstrap/debootstrap --second-stage |
|
210 | chroot $R /debootstrap/debootstrap --second-stage | |
| 211 |
|
211 | |||
| 212 | # Mount required filesystems |
|
212 | # Mount required filesystems | |
| 213 | mount -t proc none $R/proc |
|
213 | mount -t proc none $R/proc | |
| 214 | mount -t sysfs none $R/sys |
|
214 | mount -t sysfs none $R/sys | |
| 215 | mount --bind /dev/pts $R/dev/pts |
|
215 | mount --bind /dev/pts $R/dev/pts | |
| 216 |
|
216 | |||
| 217 | # Use proxy inside chroot |
|
217 | # Use proxy inside chroot | |
| 218 | if [ -z "$APT_PROXY" ] ; then |
|
218 | if [ -z "$APT_PROXY" ] ; then | |
| 219 | echo "Acquire::http::Proxy \"$APT_PROXY\";" >> $R/etc/apt/apt.conf.d/10proxy |
|
219 | echo "Acquire::http::Proxy \"$APT_PROXY\";" >> $R/etc/apt/apt.conf.d/10proxy | |
| 220 | fi |
|
220 | fi | |
| 221 |
|
221 | |||
| 222 | # Pin package flash-kernel to repositories.collabora.co.uk |
|
222 | # Pin package flash-kernel to repositories.collabora.co.uk | |
| 223 | cat <<EOM >$R/etc/apt/preferences.d/flash-kernel |
|
223 | cat <<EOM >$R/etc/apt/preferences.d/flash-kernel | |
| 224 | Package: flash-kernel |
|
224 | Package: flash-kernel | |
| 225 | Pin: origin repositories.collabora.co.uk |
|
225 | Pin: origin repositories.collabora.co.uk | |
| 226 | Pin-Priority: 1000 |
|
226 | Pin-Priority: 1000 | |
| 227 | EOM |
|
227 | EOM | |
| 228 |
|
228 | |||
| 229 | # Set up timezone |
|
229 | # Set up timezone | |
| 230 | echo ${TIMEZONE} >$R/etc/timezone |
|
230 | echo ${TIMEZONE} >$R/etc/timezone | |
| 231 | LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata |
|
231 | LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata | |
| 232 |
|
232 | |||
| 233 | # Upgrade collabora package index and install collabora keyring |
|
233 | # Upgrade collabora package index and install collabora keyring | |
| 234 | echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list |
|
234 | echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list | |
| 235 | LANG=C chroot $R apt-get -qq -y update |
|
235 | LANG=C chroot $R apt-get -qq -y update | |
| 236 | LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring |
|
236 | LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring | |
| 237 |
|
237 | |||
| 238 | # Set up initial sources.list |
|
238 | # Set up initial sources.list | |
| 239 | cat <<EOM >$R/etc/apt/sources.list |
|
239 | cat <<EOM >$R/etc/apt/sources.list | |
| 240 | deb http://${APT_SERVER}/debian ${RELEASE} main contrib |
|
240 | deb http://${APT_SERVER}/debian ${RELEASE} main contrib | |
| 241 | #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib |
|
241 | #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib | |
| 242 |
|
242 | |||
| 243 | deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib |
|
243 | deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib | |
| 244 | #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib |
|
244 | #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib | |
| 245 |
|
245 | |||
| 246 | deb http://security.debian.org/ ${RELEASE}/updates main contrib |
|
246 | deb http://security.debian.org/ ${RELEASE}/updates main contrib | |
| 247 | #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib |
|
247 | #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib | |
| 248 |
|
248 | |||
| 249 | deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2 |
|
249 | deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2 | |
| 250 | EOM |
|
250 | EOM | |
| 251 |
|
251 | |||
| 252 | # Upgrade package index and update all installed packages and changed dependencies |
|
252 | # Upgrade package index and update all installed packages and changed dependencies | |
| 253 | LANG=C chroot $R apt-get -qq -y update |
|
253 | LANG=C chroot $R apt-get -qq -y update | |
| 254 | LANG=C chroot $R apt-get -qq -y -u dist-upgrade |
|
254 | LANG=C chroot $R apt-get -qq -y -u dist-upgrade | |
| 255 |
|
255 | |||
| 256 | # Set up default locale and keyboard configuration |
|
256 | # Set up default locale and keyboard configuration | |
| 257 | if [ "$ENABLE_MINBASE" = false ] ; then |
|
257 | if [ "$ENABLE_MINBASE" = false ] ; then | |
| 258 | # Set locale choice in debconf db, even though dpkg-reconfigure ignores and overwrites them due to some bug |
|
258 | # Set locale choice in debconf db, even though dpkg-reconfigure ignores and overwrites them due to some bug | |
| 259 | # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684134 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685957 |
|
259 | # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684134 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685957 | |
| 260 | # ... so we have to set locales manually |
|
260 | # ... so we have to set locales manually | |
| 261 | if [ "$DEFLOCAL" = "en_US.UTF-8" ] ; then |
|
261 | if [ "$DEFLOCAL" = "en_US.UTF-8" ] ; then | |
| 262 | LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections |
|
262 | LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections | |
| 263 | else |
|
263 | else | |
| 264 | # en_US.UTF-8 should be available anyway : https://www.debian.org/doc/manuals/debian-reference/ch08.en.html#_the_reconfiguration_of_the_locale |
|
264 | # en_US.UTF-8 should be available anyway : https://www.debian.org/doc/manuals/debian-reference/ch08.en.html#_the_reconfiguration_of_the_locale | |
| 265 | LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections |
|
265 | LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections | |
| 266 | LANG=C chroot $R sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen |
|
266 | LANG=C chroot $R sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen | |
| 267 | fi |
|
267 | fi | |
| 268 | LANG=C chroot $R sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen |
|
268 | LANG=C chroot $R sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen | |
| 269 | LANG=C chroot $R echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections |
|
269 | LANG=C chroot $R echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections | |
| 270 | LANG=C chroot $R locale-gen |
|
270 | LANG=C chroot $R locale-gen | |
| 271 | LANG=C chroot $R update-locale LANG=${DEFLOCAL} |
|
271 | LANG=C chroot $R update-locale LANG=${DEFLOCAL} | |
| 272 |
|
272 | |||
| 273 | # Keyboard configuration, if requested |
|
273 | # Keyboard configuration, if requested | |
| 274 | if [ "$XKBMODEL" != "" ] ; then |
|
274 | if [ "$XKBMODEL" != "" ] ; then | |
| 275 | LANG=C chroot $R sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKBMODEL}\"/" /etc/default/keyboard |
|
275 | LANG=C chroot $R sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKBMODEL}\"/" /etc/default/keyboard | |
| 276 | fi |
|
276 | fi | |
| 277 | if [ "$XKBLAYOUT" != "" ] ; then |
|
277 | if [ "$XKBLAYOUT" != "" ] ; then | |
| 278 | LANG=C chroot $R sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKBLAYOUT}\"/" /etc/default/keyboard |
|
278 | LANG=C chroot $R sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKBLAYOUT}\"/" /etc/default/keyboard | |
| 279 | fi |
|
279 | fi | |
| 280 | if [ "$XKBVARIANT" != "" ] ; then |
|
280 | if [ "$XKBVARIANT" != "" ] ; then | |
| 281 | LANG=C chroot $R sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKBVARIANT}\"/" /etc/default/keyboard |
|
281 | LANG=C chroot $R sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKBVARIANT}\"/" /etc/default/keyboard | |
| 282 | fi |
|
282 | fi | |
| 283 | if [ "$XKBOPTIONS" != "" ] ; then |
|
283 | if [ "$XKBOPTIONS" != "" ] ; then | |
| 284 | LANG=C chroot $R sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKBOPTIONS}\"/" /etc/default/keyboard |
|
284 | LANG=C chroot $R sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKBOPTIONS}\"/" /etc/default/keyboard | |
| 285 | fi |
|
285 | fi | |
| 286 | LANG=C chroot $R dpkg-reconfigure -f noninteractive keyboard-configuration |
|
286 | LANG=C chroot $R dpkg-reconfigure -f noninteractive keyboard-configuration | |
| 287 | # Set up font console |
|
287 | # Set up font console | |
| 288 | case "${DEFLOCAL}" in |
|
288 | case "${DEFLOCAL}" in | |
| 289 | *UTF-8) |
|
289 | *UTF-8) | |
| 290 | LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' /etc/default/console-setup |
|
290 | LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' /etc/default/console-setup | |
| 291 | ;; |
|
291 | ;; | |
| 292 | *) |
|
292 | *) | |
| 293 | LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="guess"/' /etc/default/console-setup |
|
293 | LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="guess"/' /etc/default/console-setup | |
| 294 | ;; |
|
294 | ;; | |
| 295 | esac |
|
295 | esac | |
| 296 | LANG=C chroot $R dpkg-reconfigure -f noninteractive console-setup |
|
296 | LANG=C chroot $R dpkg-reconfigure -f noninteractive console-setup | |
| 297 | fi |
|
297 | fi | |
| 298 |
|
298 | |||
| 299 | # Kernel installation |
|
299 | # Kernel installation | |
| 300 | # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot |
|
300 | # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot | |
| 301 | LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2 |
|
301 | LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2 | |
| 302 | LANG=C chroot $R apt-get -qq -y install flash-kernel |
|
302 | LANG=C chroot $R apt-get -qq -y install flash-kernel | |
| 303 |
|
303 | |||
| 304 | VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)" |
|
304 | VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)" | |
| 305 | [ -z "$VMLINUZ" ] && exit 1 |
|
305 | [ -z "$VMLINUZ" ] && exit 1 | |
| 306 | mkdir -p $R/boot/firmware |
|
306 | mkdir -p $R/boot/firmware | |
| 307 |
|
307 | |||
| 308 | # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10") |
|
308 | # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10") | |
| 309 | wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin |
|
309 | wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin | |
| 310 | wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat |
|
310 | wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat | |
| 311 | wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat |
|
311 | wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat | |
| 312 | wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat |
|
312 | wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat | |
| 313 | wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf |
|
313 | wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf | |
| 314 | wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf |
|
314 | wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf | |
| 315 | wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf |
|
315 | wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf | |
| 316 | cp $VMLINUZ $R/boot/firmware/kernel7.img |
|
316 | cp $VMLINUZ $R/boot/firmware/kernel7.img | |
| 317 |
|
317 | |||
| 318 | # Set up IPv4 hosts |
|
318 | # Set up IPv4 hosts | |
| 319 | echo ${HOSTNAME} >$R/etc/hostname |
|
319 | echo ${HOSTNAME} >$R/etc/hostname | |
| 320 | cat <<EOM >$R/etc/hosts |
|
320 | cat <<EOM >$R/etc/hosts | |
| 321 | 127.0.0.1 localhost |
|
321 | 127.0.0.1 localhost | |
| 322 | 127.0.1.1 ${HOSTNAME} |
|
322 | 127.0.1.1 ${HOSTNAME} | |
| 323 | EOM |
|
323 | EOM | |
| 324 | if [ "$NET_ADDRESS" != "" ] ; then |
|
324 | if [ "$NET_ADDRESS" != "" ] ; then | |
| 325 | NET_IP=$(echo ${NET_ADDRESS} | cut -f 1 -d'/') |
|
325 | NET_IP=$(echo ${NET_ADDRESS} | cut -f 1 -d'/') | |
| 326 | sed -i "s/^127.0.1.1/${NET_IP}/" $R/etc/hosts |
|
326 | sed -i "s/^127.0.1.1/${NET_IP}/" $R/etc/hosts | |
| 327 | fi |
|
327 | fi | |
| 328 |
|
328 | |||
| 329 | # Set up IPv6 hosts |
|
329 | # Set up IPv6 hosts | |
| 330 | if [ "$ENABLE_IPV6" = true ] ; then |
|
330 | if [ "$ENABLE_IPV6" = true ] ; then | |
| 331 | cat <<EOM >>$R/etc/hosts |
|
331 | cat <<EOM >>$R/etc/hosts | |
| 332 |
|
332 | |||
| 333 | ::1 localhost ip6-localhost ip6-loopback |
|
333 | ::1 localhost ip6-localhost ip6-loopback | |
| 334 | ff02::1 ip6-allnodes |
|
334 | ff02::1 ip6-allnodes | |
| 335 | ff02::2 ip6-allrouters |
|
335 | ff02::2 ip6-allrouters | |
| 336 | EOM |
|
336 | EOM | |
| 337 | fi |
|
337 | fi | |
| 338 |
|
338 | |||
| 339 | # Place hint about network configuration |
|
339 | # Place hint about network configuration | |
| 340 | cat <<EOM >$R/etc/network/interfaces |
|
340 | cat <<EOM >$R/etc/network/interfaces | |
| 341 | # Debian switched to systemd-networkd configuration files. |
|
341 | # Debian switched to systemd-networkd configuration files. | |
| 342 | # please configure your networks in '/etc/systemd/network/' |
|
342 | # please configure your networks in '/etc/systemd/network/' | |
| 343 | EOM |
|
343 | EOM | |
| 344 |
|
344 | |||
| 345 | if [ "$ENABLE_DHCP" = true ] ; then |
|
345 | if [ "$ENABLE_DHCP" = true ] ; then | |
| 346 | # Enable systemd-networkd DHCP configuration for interface eth0 |
|
346 | # Enable systemd-networkd DHCP configuration for interface eth0 | |
| 347 | cat <<EOM >$R/etc/systemd/network/eth.network |
|
347 | cat <<EOM >$R/etc/systemd/network/eth.network | |
| 348 | [Match] |
|
348 | [Match] | |
| 349 | Name=eth0 |
|
349 | Name=eth0 | |
| 350 |
|
350 | |||
| 351 | [Network] |
|
351 | [Network] | |
| 352 | DHCP=yes |
|
352 | DHCP=yes | |
| 353 | EOM |
|
353 | EOM | |
| 354 |
|
354 | |||
| 355 | # Set DHCP configuration to IPv4 only |
|
355 | # Set DHCP configuration to IPv4 only | |
| 356 | if [ "$ENABLE_IPV6" = false ] ; then |
|
356 | if [ "$ENABLE_IPV6" = false ] ; then | |
| 357 | sed -i "s/^DHCP=yes/DHCP=v4/" $R/etc/systemd/network/eth.network |
|
357 | sed -i "s/^DHCP=yes/DHCP=v4/" $R/etc/systemd/network/eth.network | |
| 358 | fi |
|
358 | fi | |
| 359 | else # ENABLE_DHCP=false |
|
359 | else # ENABLE_DHCP=false | |
| 360 | cat <<EOM >$R/etc/systemd/network/eth.network |
|
360 | cat <<EOM >$R/etc/systemd/network/eth.network | |
| 361 | [Match] |
|
361 | [Match] | |
| 362 | Name=eth0 |
|
362 | Name=eth0 | |
| 363 |
|
363 | |||
| 364 | [Network] |
|
364 | [Network] | |
| 365 | DHCP=no |
|
365 | DHCP=no | |
| 366 | Address=${NET_ADDRESS} |
|
366 | Address=${NET_ADDRESS} | |
| 367 | Gateway=${NET_GATEWAY} |
|
367 | Gateway=${NET_GATEWAY} | |
| 368 | DNS=${NET_DNS_1} |
|
368 | DNS=${NET_DNS_1} | |
| 369 | DNS=${NET_DNS_2} |
|
369 | DNS=${NET_DNS_2} | |
| 370 | Domains=${NET_DNS_DOMAINS} |
|
370 | Domains=${NET_DNS_DOMAINS} | |
| 371 | NTP=${NET_NTP_1} |
|
371 | NTP=${NET_NTP_1} | |
| 372 | NTP=${NET_NTP_2} |
|
372 | NTP=${NET_NTP_2} | |
| 373 | EOM |
|
373 | EOM | |
| 374 | fi |
|
374 | fi | |
| 375 |
|
375 | |||
| 376 | # Enable systemd-networkd service |
|
376 | # Enable systemd-networkd service | |
| 377 | LANG=C chroot $R systemctl enable systemd-networkd |
|
377 | LANG=C chroot $R systemctl enable systemd-networkd | |
| 378 |
|
378 | |||
| 379 | # Generate crypt(3) password string |
|
379 | # Generate crypt(3) password string | |
| 380 | ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}` |
|
380 | ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}` | |
| 381 |
|
381 | |||
| 382 | # Set up default user |
|
382 | # Set up default user | |
| 383 | LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi |
|
383 | LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi | |
| 384 | LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi |
|
384 | LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi | |
| 385 |
|
385 | |||
| 386 | # Set up root password |
|
386 | # Set up root password | |
| 387 | LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root |
|
387 | LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root | |
| 388 |
|
388 | |||
| 389 | # Set up firmware boot cmdline |
|
389 | # Set up firmware boot cmdline | |
| 390 | CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1" |
|
390 | CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1" | |
| 391 |
|
391 | |||
| 392 | # Set up serial console support (if requested) |
|
392 | # Set up serial console support (if requested) | |
| 393 | if [ "$ENABLE_CONSOLE" = true ] ; then |
|
393 | if [ "$ENABLE_CONSOLE" = true ] ; then | |
| 394 | CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200" |
|
394 | CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200" | |
| 395 | fi |
|
395 | fi | |
| 396 |
|
396 | |||
| 397 | # Set up IPv6 networking support |
|
397 | # Set up IPv6 networking support | |
| 398 | if [ "$ENABLE_IPV6" = false ] ; then |
|
398 | if [ "$ENABLE_IPV6" = false ] ; then | |
| 399 | CMDLINE="${CMDLINE} ipv6.disable=1" |
|
399 | CMDLINE="${CMDLINE} ipv6.disable=1" | |
| 400 | fi |
|
400 | fi | |
| 401 |
|
401 | |||
| 402 | echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt |
|
402 | echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt | |
| 403 |
|
403 | |||
| 404 | # Set up firmware config |
|
404 | # Set up firmware config | |
| 405 | cat <<EOM >$R/boot/firmware/config.txt |
|
405 | cat <<EOM >$R/boot/firmware/config.txt | |
| 406 | # For more options and information see |
|
406 | # For more options and information see | |
| 407 | # http://www.raspberrypi.org/documentation/configuration/config-txt.md |
|
407 | # http://www.raspberrypi.org/documentation/configuration/config-txt.md | |
| 408 | # Some settings may impact device functionality. See link above for details |
|
408 | # Some settings may impact device functionality. See link above for details | |
| 409 |
|
409 | |||
| 410 | # uncomment if you get no picture on HDMI for a default "safe" mode |
|
410 | # uncomment if you get no picture on HDMI for a default "safe" mode | |
| 411 | #hdmi_safe=1 |
|
411 | #hdmi_safe=1 | |
| 412 |
|
412 | |||
| 413 | # uncomment this if your display has a black border of unused pixels visible |
|
413 | # uncomment this if your display has a black border of unused pixels visible | |
| 414 | # and your display can output without overscan |
|
414 | # and your display can output without overscan | |
| 415 | #disable_overscan=1 |
|
415 | #disable_overscan=1 | |
| 416 |
|
416 | |||
| 417 | # uncomment the following to adjust overscan. Use positive numbers if console |
|
417 | # uncomment the following to adjust overscan. Use positive numbers if console | |
| 418 | # goes off screen, and negative if there is too much border |
|
418 | # goes off screen, and negative if there is too much border | |
| 419 | #overscan_left=16 |
|
419 | #overscan_left=16 | |
| 420 | #overscan_right=16 |
|
420 | #overscan_right=16 | |
| 421 | #overscan_top=16 |
|
421 | #overscan_top=16 | |
| 422 | #overscan_bottom=16 |
|
422 | #overscan_bottom=16 | |
| 423 |
|
423 | |||
| 424 | # uncomment to force a console size. By default it will be display's size minus |
|
424 | # uncomment to force a console size. By default it will be display's size minus | |
| 425 | # overscan. |
|
425 | # overscan. | |
| 426 | #framebuffer_width=1280 |
|
426 | #framebuffer_width=1280 | |
| 427 | #framebuffer_height=720 |
|
427 | #framebuffer_height=720 | |
| 428 |
|
428 | |||
| 429 | # uncomment if hdmi display is not detected and composite is being output |
|
429 | # uncomment if hdmi display is not detected and composite is being output | |
| 430 | #hdmi_force_hotplug=1 |
|
430 | #hdmi_force_hotplug=1 | |
| 431 |
|
431 | |||
| 432 | # uncomment to force a specific HDMI mode (this will force VGA) |
|
432 | # uncomment to force a specific HDMI mode (this will force VGA) | |
| 433 | #hdmi_group=1 |
|
433 | #hdmi_group=1 | |
| 434 | #hdmi_mode=1 |
|
434 | #hdmi_mode=1 | |
| 435 |
|
435 | |||
| 436 | # uncomment to force a HDMI mode rather than DVI. This can make audio work in |
|
436 | # uncomment to force a HDMI mode rather than DVI. This can make audio work in | |
| 437 | # DMT (computer monitor) modes |
|
437 | # DMT (computer monitor) modes | |
| 438 | #hdmi_drive=2 |
|
438 | #hdmi_drive=2 | |
| 439 |
|
439 | |||
| 440 | # uncomment to increase signal to HDMI, if you have interference, blanking, or |
|
440 | # uncomment to increase signal to HDMI, if you have interference, blanking, or | |
| 441 | # no display |
|
441 | # no display | |
| 442 | #config_hdmi_boost=4 |
|
442 | #config_hdmi_boost=4 | |
| 443 |
|
443 | |||
| 444 | # uncomment for composite PAL |
|
444 | # uncomment for composite PAL | |
| 445 | #sdtv_mode=2 |
|
445 | #sdtv_mode=2 | |
| 446 |
|
446 | |||
| 447 | # uncomment to overclock the arm. 700 MHz is the default. |
|
447 | # uncomment to overclock the arm. 700 MHz is the default. | |
| 448 | #arm_freq=800 |
|
448 | #arm_freq=800 | |
| 449 | EOM |
|
449 | EOM | |
| 450 |
|
450 | |||
| 451 | # Load snd_bcm2835 kernel module at boot time |
|
451 | # Load snd_bcm2835 kernel module at boot time | |
| 452 | if [ "$ENABLE_SOUND" = true ] ; then |
|
452 | if [ "$ENABLE_SOUND" = true ] ; then | |
| 453 | echo "snd_bcm2835" >>$R/etc/modules |
|
453 | echo "snd_bcm2835" >>$R/etc/modules | |
| 454 | fi |
|
454 | fi | |
| 455 |
|
455 | |||
| 456 | # Set smallest possible GPU memory allocation size: 16MB (no X) |
|
456 | # Set smallest possible GPU memory allocation size: 16MB (no X) | |
| 457 | if [ "$ENABLE_MINGPU" = true ] ; then |
|
457 | if [ "$ENABLE_MINGPU" = true ] ; then | |
| 458 | echo "gpu_mem=16" >>$R/boot/firmware/config.txt |
|
458 | echo "gpu_mem=16" >>$R/boot/firmware/config.txt | |
| 459 | fi |
|
459 | fi | |
| 460 |
|
460 | |||
| 461 | # Create symlinks |
|
461 | # Create symlinks | |
| 462 | ln -sf firmware/config.txt $R/boot/config.txt |
|
462 | ln -sf firmware/config.txt $R/boot/config.txt | |
| 463 | ln -sf firmware/cmdline.txt $R/boot/cmdline.txt |
|
463 | ln -sf firmware/cmdline.txt $R/boot/cmdline.txt | |
| 464 |
|
464 | |||
| 465 | # Prepare modules-load.d directory |
|
465 | # Prepare modules-load.d directory | |
| 466 | mkdir -p $R/lib/modules-load.d/ |
|
466 | mkdir -p $R/lib/modules-load.d/ | |
| 467 |
|
467 | |||
| 468 | # Load random module on boot |
|
468 | # Load random module on boot | |
| 469 | if [ "$ENABLE_HWRANDOM" = true ] ; then |
|
469 | if [ "$ENABLE_HWRANDOM" = true ] ; then | |
| 470 | cat <<EOM >$R/lib/modules-load.d/rpi2.conf |
|
470 | cat <<EOM >$R/lib/modules-load.d/rpi2.conf | |
| 471 | bcm2708_rng |
|
471 | bcm2708_rng | |
| 472 | EOM |
|
472 | EOM | |
| 473 | fi |
|
473 | fi | |
| 474 |
|
474 | |||
| 475 | # Prepare modprobe.d directory |
|
475 | # Prepare modprobe.d directory | |
| 476 | mkdir -p $R/etc/modprobe.d/ |
|
476 | mkdir -p $R/etc/modprobe.d/ | |
| 477 |
|
477 | |||
| 478 | # Blacklist sound modules |
|
478 | # Blacklist sound modules | |
| 479 | cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf |
|
479 | cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf | |
| 480 | blacklist snd_soc_core |
|
480 | blacklist snd_soc_core | |
| 481 | blacklist snd_pcm |
|
481 | blacklist snd_pcm | |
| 482 | blacklist snd_pcm_dmaengine |
|
482 | blacklist snd_pcm_dmaengine | |
| 483 | blacklist snd_timer |
|
483 | blacklist snd_timer | |
| 484 | blacklist snd_compress |
|
484 | blacklist snd_compress | |
| 485 | blacklist snd_soc_pcm512x_i2c |
|
485 | blacklist snd_soc_pcm512x_i2c | |
| 486 | blacklist snd_soc_pcm512x |
|
486 | blacklist snd_soc_pcm512x | |
| 487 | blacklist snd_soc_tas5713 |
|
487 | blacklist snd_soc_tas5713 | |
| 488 | blacklist snd_soc_wm8804 |
|
488 | blacklist snd_soc_wm8804 | |
| 489 | EOM |
|
489 | EOM | |
| 490 |
|
490 | |||
| 491 | # Create default fstab |
|
491 | # Create default fstab | |
| 492 | cat <<EOM >$R/etc/fstab |
|
492 | cat <<EOM >$R/etc/fstab | |
| 493 | /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1 |
|
493 | /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1 | |
| 494 | /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2 |
|
494 | /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2 | |
| 495 | EOM |
|
495 | EOM | |
| 496 |
|
496 | |||
| 497 | # Avoid swapping and increase cache sizes |
|
497 | # Avoid swapping and increase cache sizes | |
| 498 | cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf |
|
498 | cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf | |
| 499 |
|
499 | |||
| 500 | # Avoid swapping and increase cache sizes |
|
500 | # Avoid swapping and increase cache sizes | |
| 501 | vm.swappiness=1 |
|
501 | vm.swappiness=1 | |
| 502 | vm.dirty_background_ratio=20 |
|
502 | vm.dirty_background_ratio=20 | |
| 503 | vm.dirty_ratio=40 |
|
503 | vm.dirty_ratio=40 | |
| 504 | vm.dirty_writeback_centisecs=500 |
|
504 | vm.dirty_writeback_centisecs=500 | |
| 505 | vm.dirty_expire_centisecs=6000 |
|
505 | vm.dirty_expire_centisecs=6000 | |
| 506 | EOM |
|
506 | EOM | |
| 507 |
|
507 | |||
| 508 | # Enable network stack hardening |
|
508 | # Enable network stack hardening | |
| 509 | if [ "$ENABLE_HARDNET" = true ] ; then |
|
509 | if [ "$ENABLE_HARDNET" = true ] ; then | |
| 510 | cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf |
|
510 | cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf | |
| 511 |
|
511 | |||
| 512 | # Enable network stack hardening |
|
512 | # Enable network stack hardening | |
| 513 | net.ipv4.tcp_timestamps=0 |
|
513 | net.ipv4.tcp_timestamps=0 | |
| 514 | net.ipv4.tcp_syncookies=1 |
|
514 | net.ipv4.tcp_syncookies=1 | |
| 515 | net.ipv4.conf.all.rp_filter=1 |
|
515 | net.ipv4.conf.all.rp_filter=1 | |
| 516 | net.ipv4.conf.all.accept_redirects=0 |
|
516 | net.ipv4.conf.all.accept_redirects=0 | |
| 517 | net.ipv4.conf.all.send_redirects=0 |
|
517 | net.ipv4.conf.all.send_redirects=0 | |
| 518 | net.ipv4.conf.all.accept_source_route=0 |
|
518 | net.ipv4.conf.all.accept_source_route=0 | |
| 519 | net.ipv4.conf.default.rp_filter=1 |
|
519 | net.ipv4.conf.default.rp_filter=1 | |
| 520 | net.ipv4.conf.default.accept_redirects=0 |
|
520 | net.ipv4.conf.default.accept_redirects=0 | |
| 521 | net.ipv4.conf.default.send_redirects=0 |
|
521 | net.ipv4.conf.default.send_redirects=0 | |
| 522 | net.ipv4.conf.default.accept_source_route=0 |
|
522 | net.ipv4.conf.default.accept_source_route=0 | |
| 523 | net.ipv4.conf.lo.accept_redirects=0 |
|
523 | net.ipv4.conf.lo.accept_redirects=0 | |
| 524 | net.ipv4.conf.lo.send_redirects=0 |
|
524 | net.ipv4.conf.lo.send_redirects=0 | |
| 525 | net.ipv4.conf.lo.accept_source_route=0 |
|
525 | net.ipv4.conf.lo.accept_source_route=0 | |
| 526 | net.ipv4.conf.eth0.accept_redirects=0 |
|
526 | net.ipv4.conf.eth0.accept_redirects=0 | |
| 527 | net.ipv4.conf.eth0.send_redirects=0 |
|
527 | net.ipv4.conf.eth0.send_redirects=0 | |
| 528 | net.ipv4.conf.eth0.accept_source_route=0 |
|
528 | net.ipv4.conf.eth0.accept_source_route=0 | |
| 529 | net.ipv4.icmp_echo_ignore_broadcasts=1 |
|
529 | net.ipv4.icmp_echo_ignore_broadcasts=1 | |
| 530 | net.ipv4.icmp_ignore_bogus_error_responses=1 |
|
530 | net.ipv4.icmp_ignore_bogus_error_responses=1 | |
| 531 |
|
531 | |||
| 532 | net.ipv6.conf.all.accept_redirects=0 |
|
532 | net.ipv6.conf.all.accept_redirects=0 | |
| 533 | net.ipv6.conf.all.accept_source_route=0 |
|
533 | net.ipv6.conf.all.accept_source_route=0 | |
| 534 | net.ipv6.conf.all.router_solicitations=0 |
|
534 | net.ipv6.conf.all.router_solicitations=0 | |
| 535 | net.ipv6.conf.all.accept_ra_rtr_pref=0 |
|
535 | net.ipv6.conf.all.accept_ra_rtr_pref=0 | |
| 536 | net.ipv6.conf.all.accept_ra_pinfo=0 |
|
536 | net.ipv6.conf.all.accept_ra_pinfo=0 | |
| 537 | net.ipv6.conf.all.accept_ra_defrtr=0 |
|
537 | net.ipv6.conf.all.accept_ra_defrtr=0 | |
| 538 | net.ipv6.conf.all.autoconf=0 |
|
538 | net.ipv6.conf.all.autoconf=0 | |
| 539 | net.ipv6.conf.all.dad_transmits=0 |
|
539 | net.ipv6.conf.all.dad_transmits=0 | |
| 540 | net.ipv6.conf.all.max_addresses=1 |
|
540 | net.ipv6.conf.all.max_addresses=1 | |
| 541 |
|
541 | |||
| 542 | net.ipv6.conf.default.accept_redirects=0 |
|
542 | net.ipv6.conf.default.accept_redirects=0 | |
| 543 | net.ipv6.conf.default.accept_source_route=0 |
|
543 | net.ipv6.conf.default.accept_source_route=0 | |
| 544 | net.ipv6.conf.default.router_solicitations=0 |
|
544 | net.ipv6.conf.default.router_solicitations=0 | |
| 545 | net.ipv6.conf.default.accept_ra_rtr_pref=0 |
|
545 | net.ipv6.conf.default.accept_ra_rtr_pref=0 | |
| 546 | net.ipv6.conf.default.accept_ra_pinfo=0 |
|
546 | net.ipv6.conf.default.accept_ra_pinfo=0 | |
| 547 | net.ipv6.conf.default.accept_ra_defrtr=0 |
|
547 | net.ipv6.conf.default.accept_ra_defrtr=0 | |
| 548 | net.ipv6.conf.default.autoconf=0 |
|
548 | net.ipv6.conf.default.autoconf=0 | |
| 549 | net.ipv6.conf.default.dad_transmits=0 |
|
549 | net.ipv6.conf.default.dad_transmits=0 | |
| 550 | net.ipv6.conf.default.max_addresses=1 |
|
550 | net.ipv6.conf.default.max_addresses=1 | |
| 551 |
|
551 | |||
| 552 | net.ipv6.conf.lo.accept_redirects=0 |
|
552 | net.ipv6.conf.lo.accept_redirects=0 | |
| 553 | net.ipv6.conf.lo.accept_source_route=0 |
|
553 | net.ipv6.conf.lo.accept_source_route=0 | |
| 554 | net.ipv6.conf.lo.router_solicitations=0 |
|
554 | net.ipv6.conf.lo.router_solicitations=0 | |
| 555 | net.ipv6.conf.lo.accept_ra_rtr_pref=0 |
|
555 | net.ipv6.conf.lo.accept_ra_rtr_pref=0 | |
| 556 | net.ipv6.conf.lo.accept_ra_pinfo=0 |
|
556 | net.ipv6.conf.lo.accept_ra_pinfo=0 | |
| 557 | net.ipv6.conf.lo.accept_ra_defrtr=0 |
|
557 | net.ipv6.conf.lo.accept_ra_defrtr=0 | |
| 558 | net.ipv6.conf.lo.autoconf=0 |
|
558 | net.ipv6.conf.lo.autoconf=0 | |
| 559 | net.ipv6.conf.lo.dad_transmits=0 |
|
559 | net.ipv6.conf.lo.dad_transmits=0 | |
| 560 | net.ipv6.conf.lo.max_addresses=1 |
|
560 | net.ipv6.conf.lo.max_addresses=1 | |
| 561 |
|
561 | |||
| 562 | net.ipv6.conf.eth0.accept_redirects=0 |
|
562 | net.ipv6.conf.eth0.accept_redirects=0 | |
| 563 | net.ipv6.conf.eth0.accept_source_route=0 |
|
563 | net.ipv6.conf.eth0.accept_source_route=0 | |
| 564 | net.ipv6.conf.eth0.router_solicitations=0 |
|
564 | net.ipv6.conf.eth0.router_solicitations=0 | |
| 565 | net.ipv6.conf.eth0.accept_ra_rtr_pref=0 |
|
565 | net.ipv6.conf.eth0.accept_ra_rtr_pref=0 | |
| 566 | net.ipv6.conf.eth0.accept_ra_pinfo=0 |
|
566 | net.ipv6.conf.eth0.accept_ra_pinfo=0 | |
| 567 | net.ipv6.conf.eth0.accept_ra_defrtr=0 |
|
567 | net.ipv6.conf.eth0.accept_ra_defrtr=0 | |
| 568 | net.ipv6.conf.eth0.autoconf=0 |
|
568 | net.ipv6.conf.eth0.autoconf=0 | |
| 569 | net.ipv6.conf.eth0.dad_transmits=0 |
|
569 | net.ipv6.conf.eth0.dad_transmits=0 | |
| 570 | net.ipv6.conf.eth0.max_addresses=1 |
|
570 | net.ipv6.conf.eth0.max_addresses=1 | |
| 571 | EOM |
|
571 | EOM | |
| 572 |
|
572 | |||
| 573 | # Enable resolver warnings about spoofed addresses |
|
573 | # Enable resolver warnings about spoofed addresses | |
| 574 | cat <<EOM >>$R/etc/host.conf |
|
574 | cat <<EOM >>$R/etc/host.conf | |
| 575 | spoof warn |
|
575 | spoof warn | |
| 576 | EOM |
|
576 | EOM | |
| 577 | fi |
|
577 | fi | |
| 578 |
|
578 | |||
| 579 | # Regenerate openssh server host keys |
|
579 | # Regenerate openssh server host keys | |
| 580 | if [ "$ENABLE_SSHD" = true ] ; then |
|
580 | if [ "$ENABLE_SSHD" = true ] ; then | |
| 581 | rm -fr $R/etc/ssh/ssh_host_* |
|
581 | rm -fr $R/etc/ssh/ssh_host_* | |
| 582 | LANG=C chroot $R dpkg-reconfigure openssh-server |
|
582 | LANG=C chroot $R dpkg-reconfigure openssh-server | |
| 583 | fi |
|
583 | fi | |
| 584 |
|
584 | |||
| 585 | # Enable serial console systemd style |
|
585 | # Enable serial console systemd style | |
| 586 | if [ "$ENABLE_CONSOLE" = true ] ; then |
|
586 | if [ "$ENABLE_CONSOLE" = true ] ; then | |
| 587 | LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service |
|
587 | LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service | |
| 588 | fi |
|
588 | fi | |
| 589 |
|
589 | |||
| 590 | # Enable firewall based on iptables started by systemd service |
|
590 | # Enable firewall based on iptables started by systemd service | |
| 591 | if [ "$ENABLE_IPTABLES" = true ] ; then |
|
591 | if [ "$ENABLE_IPTABLES" = true ] ; then | |
| 592 | # Create iptables configuration directory |
|
592 | # Create iptables configuration directory | |
| 593 | mkdir -p "$R/etc/iptables" |
|
593 | mkdir -p "$R/etc/iptables" | |
| 594 |
|
594 | |||
| 595 | # Create iptables systemd service |
|
595 | # Create iptables systemd service | |
| 596 | cat <<EOM >$R/etc/systemd/system/iptables.service |
|
596 | cat <<EOM >$R/etc/systemd/system/iptables.service | |
| 597 | [Unit] |
|
597 | [Unit] | |
| 598 | Description=Packet Filtering Framework |
|
598 | Description=Packet Filtering Framework | |
| 599 | DefaultDependencies=no |
|
599 | DefaultDependencies=no | |
| 600 | After=systemd-sysctl.service |
|
600 | After=systemd-sysctl.service | |
| 601 | Before=sysinit.target |
|
601 | Before=sysinit.target | |
| 602 | [Service] |
|
602 | [Service] | |
| 603 | Type=oneshot |
|
603 | Type=oneshot | |
| 604 | ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules |
|
604 | ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules | |
| 605 | ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules |
|
605 | ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules | |
| 606 | ExecStop=/etc/iptables/flush-iptables.sh |
|
606 | ExecStop=/etc/iptables/flush-iptables.sh | |
| 607 | RemainAfterExit=yes |
|
607 | RemainAfterExit=yes | |
| 608 | [Install] |
|
608 | [Install] | |
| 609 | WantedBy=multi-user.target |
|
609 | WantedBy=multi-user.target | |
| 610 | EOM |
|
610 | EOM | |
| 611 |
|
611 | |||
| 612 | # Create flush-table script called by iptables service |
|
612 | # Create flush-table script called by iptables service | |
| 613 | cat <<EOM >$R/etc/iptables/flush-iptables.sh |
|
613 | cat <<EOM >$R/etc/iptables/flush-iptables.sh | |
| 614 | #!/bin/sh |
|
614 | #!/bin/sh | |
| 615 | iptables -F |
|
615 | iptables -F | |
| 616 | iptables -X |
|
616 | iptables -X | |
| 617 | iptables -t nat -F |
|
617 | iptables -t nat -F | |
| 618 | iptables -t nat -X |
|
618 | iptables -t nat -X | |
| 619 | iptables -t mangle -F |
|
619 | iptables -t mangle -F | |
| 620 | iptables -t mangle -X |
|
620 | iptables -t mangle -X | |
| 621 | iptables -P INPUT ACCEPT |
|
621 | iptables -P INPUT ACCEPT | |
| 622 | iptables -P FORWARD ACCEPT |
|
622 | iptables -P FORWARD ACCEPT | |
| 623 | iptables -P OUTPUT ACCEPT |
|
623 | iptables -P OUTPUT ACCEPT | |
| 624 | EOM |
|
624 | EOM | |
| 625 |
|
625 | |||
| 626 | # Create iptables rule file |
|
626 | # Create iptables rule file | |
| 627 | cat <<EOM >$R/etc/iptables/iptables.rules |
|
627 | cat <<EOM >$R/etc/iptables/iptables.rules | |
| 628 | *filter |
|
628 | *filter | |
| 629 | :INPUT DROP [0:0] |
|
629 | :INPUT DROP [0:0] | |
| 630 | :FORWARD DROP [0:0] |
|
630 | :FORWARD DROP [0:0] | |
| 631 | :OUTPUT ACCEPT [0:0] |
|
631 | :OUTPUT ACCEPT [0:0] | |
| 632 | :TCP - [0:0] |
|
632 | :TCP - [0:0] | |
| 633 | :UDP - [0:0] |
|
633 | :UDP - [0:0] | |
| 634 | :SSH - [0:0] |
|
634 | :SSH - [0:0] | |
| 635 |
|
635 | |||
| 636 | # Rate limit ping requests |
|
636 | # Rate limit ping requests | |
| 637 | -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT |
|
637 | -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT | |
| 638 | -A INPUT -p icmp --icmp-type echo-request -j DROP |
|
638 | -A INPUT -p icmp --icmp-type echo-request -j DROP | |
| 639 |
|
639 | |||
| 640 | # Accept established connections |
|
640 | # Accept established connections | |
| 641 | -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT |
|
641 | -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | |
| 642 |
|
642 | |||
| 643 | # Accept all traffic on loopback interface |
|
643 | # Accept all traffic on loopback interface | |
| 644 | -A INPUT -i lo -j ACCEPT |
|
644 | -A INPUT -i lo -j ACCEPT | |
| 645 |
|
645 | |||
| 646 | # Drop packets declared invalid |
|
646 | # Drop packets declared invalid | |
| 647 | -A INPUT -m conntrack --ctstate INVALID -j DROP |
|
647 | -A INPUT -m conntrack --ctstate INVALID -j DROP | |
| 648 |
|
648 | |||
| 649 | # SSH rate limiting |
|
649 | # SSH rate limiting | |
| 650 | -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH |
|
650 | -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH | |
| 651 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP |
|
651 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP | |
| 652 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP |
|
652 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP | |
| 653 | -A SSH -m recent --name sshbf --set -j ACCEPT |
|
653 | -A SSH -m recent --name sshbf --set -j ACCEPT | |
| 654 |
|
654 | |||
| 655 | # Send TCP and UDP connections to their respective rules chain |
|
655 | # Send TCP and UDP connections to their respective rules chain | |
| 656 | -A INPUT -p udp -m conntrack --ctstate NEW -j UDP |
|
656 | -A INPUT -p udp -m conntrack --ctstate NEW -j UDP | |
| 657 | -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP |
|
657 | -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP | |
| 658 |
|
658 | |||
| 659 | # Reject dropped packets with a RFC compliant responce |
|
659 | # Reject dropped packets with a RFC compliant responce | |
| 660 | -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable |
|
660 | -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable | |
| 661 | -A INPUT -p tcp -j REJECT --reject-with tcp-rst |
|
661 | -A INPUT -p tcp -j REJECT --reject-with tcp-rst | |
| 662 | -A INPUT -j REJECT --reject-with icmp-proto-unreachable |
|
662 | -A INPUT -j REJECT --reject-with icmp-proto-unreachable | |
| 663 |
|
663 | |||
| 664 | ## TCP PORT RULES |
|
664 | ## TCP PORT RULES | |
| 665 | # -A TCP -p tcp -j LOG |
|
665 | # -A TCP -p tcp -j LOG | |
| 666 |
|
666 | |||
| 667 | ## UDP PORT RULES |
|
667 | ## UDP PORT RULES | |
| 668 | # -A UDP -p udp -j LOG |
|
668 | # -A UDP -p udp -j LOG | |
| 669 |
|
669 | |||
| 670 | COMMIT |
|
670 | COMMIT | |
| 671 | EOM |
|
671 | EOM | |
| 672 |
|
672 | |||
| 673 | # Reload systemd configuration and enable iptables service |
|
673 | # Reload systemd configuration and enable iptables service | |
| 674 | LANG=C chroot $R systemctl daemon-reload |
|
674 | LANG=C chroot $R systemctl daemon-reload | |
| 675 | LANG=C chroot $R systemctl enable iptables.service |
|
675 | LANG=C chroot $R systemctl enable iptables.service | |
| 676 |
|
676 | |||
| 677 | if [ "$ENABLE_IPV6" = true ] ; then |
|
677 | if [ "$ENABLE_IPV6" = true ] ; then | |
| 678 | # Create ip6tables systemd service |
|
678 | # Create ip6tables systemd service | |
| 679 | cat <<EOM >$R/etc/systemd/system/ip6tables.service |
|
679 | cat <<EOM >$R/etc/systemd/system/ip6tables.service | |
| 680 | [Unit] |
|
680 | [Unit] | |
| 681 | Description=Packet Filtering Framework |
|
681 | Description=Packet Filtering Framework | |
| 682 | DefaultDependencies=no |
|
682 | DefaultDependencies=no | |
| 683 | After=systemd-sysctl.service |
|
683 | After=systemd-sysctl.service | |
| 684 | Before=sysinit.target |
|
684 | Before=sysinit.target | |
| 685 | [Service] |
|
685 | [Service] | |
| 686 | Type=oneshot |
|
686 | Type=oneshot | |
| 687 | ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules |
|
687 | ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules | |
| 688 | ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules |
|
688 | ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules | |
| 689 | ExecStop=/etc/iptables/flush-ip6tables.sh |
|
689 | ExecStop=/etc/iptables/flush-ip6tables.sh | |
| 690 | RemainAfterExit=yes |
|
690 | RemainAfterExit=yes | |
| 691 | [Install] |
|
691 | [Install] | |
| 692 | WantedBy=multi-user.target |
|
692 | WantedBy=multi-user.target | |
| 693 | EOM |
|
693 | EOM | |
| 694 |
|
694 | |||
| 695 | # Create ip6tables file |
|
695 | # Create ip6tables file | |
| 696 | cat <<EOM >$R/etc/iptables/flush-ip6tables.sh |
|
696 | cat <<EOM >$R/etc/iptables/flush-ip6tables.sh | |
| 697 | #!/bin/sh |
|
697 | #!/bin/sh | |
| 698 | ip6tables -F |
|
698 | ip6tables -F | |
| 699 | ip6tables -X |
|
699 | ip6tables -X | |
| 700 | ip6tables -Z |
|
700 | ip6tables -Z | |
| 701 | for table in $(</proc/net/ip6_tables_names) |
|
701 | for table in $(</proc/net/ip6_tables_names) | |
| 702 | do |
|
702 | do | |
| 703 | ip6tables -t \$table -F |
|
703 | ip6tables -t \$table -F | |
| 704 | ip6tables -t \$table -X |
|
704 | ip6tables -t \$table -X | |
| 705 | ip6tables -t \$table -Z |
|
705 | ip6tables -t \$table -Z | |
| 706 | done |
|
706 | done | |
| 707 | ip6tables -P INPUT ACCEPT |
|
707 | ip6tables -P INPUT ACCEPT | |
| 708 | ip6tables -P OUTPUT ACCEPT |
|
708 | ip6tables -P OUTPUT ACCEPT | |
| 709 | ip6tables -P FORWARD ACCEPT |
|
709 | ip6tables -P FORWARD ACCEPT | |
| 710 | EOM |
|
710 | EOM | |
| 711 |
|
711 | |||
| 712 | # Create ip6tables rule file |
|
712 | # Create ip6tables rule file | |
| 713 | cat <<EOM >$R/etc/iptables/ip6tables.rules |
|
713 | cat <<EOM >$R/etc/iptables/ip6tables.rules | |
| 714 | *filter |
|
714 | *filter | |
| 715 | :INPUT DROP [0:0] |
|
715 | :INPUT DROP [0:0] | |
| 716 | :FORWARD DROP [0:0] |
|
716 | :FORWARD DROP [0:0] | |
| 717 | :OUTPUT ACCEPT [0:0] |
|
717 | :OUTPUT ACCEPT [0:0] | |
| 718 | :TCP - [0:0] |
|
718 | :TCP - [0:0] | |
| 719 | :UDP - [0:0] |
|
719 | :UDP - [0:0] | |
| 720 | :SSH - [0:0] |
|
720 | :SSH - [0:0] | |
| 721 |
|
721 | |||
| 722 | # Drop packets with RH0 headers |
|
722 | # Drop packets with RH0 headers | |
| 723 | -A INPUT -m rt --rt-type 0 -j DROP |
|
723 | -A INPUT -m rt --rt-type 0 -j DROP | |
| 724 | -A OUTPUT -m rt --rt-type 0 -j DROP |
|
724 | -A OUTPUT -m rt --rt-type 0 -j DROP | |
| 725 | -A FORWARD -m rt --rt-type 0 -j DROP |
|
725 | -A FORWARD -m rt --rt-type 0 -j DROP | |
| 726 |
|
726 | |||
| 727 | # Rate limit ping requests |
|
727 | # Rate limit ping requests | |
| 728 | -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT |
|
728 | -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT | |
| 729 | -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP |
|
729 | -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP | |
| 730 |
|
730 | |||
| 731 | # Accept established connections |
|
731 | # Accept established connections | |
| 732 | -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT |
|
732 | -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | |
| 733 |
|
733 | |||
| 734 | # Accept all traffic on loopback interface |
|
734 | # Accept all traffic on loopback interface | |
| 735 | -A INPUT -i lo -j ACCEPT |
|
735 | -A INPUT -i lo -j ACCEPT | |
| 736 |
|
736 | |||
| 737 | # Drop packets declared invalid |
|
737 | # Drop packets declared invalid | |
| 738 | -A INPUT -m conntrack --ctstate INVALID -j DROP |
|
738 | -A INPUT -m conntrack --ctstate INVALID -j DROP | |
| 739 |
|
739 | |||
| 740 | # SSH rate limiting |
|
740 | # SSH rate limiting | |
| 741 | -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH |
|
741 | -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH | |
| 742 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP |
|
742 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP | |
| 743 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP |
|
743 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP | |
| 744 | -A SSH -m recent --name sshbf --set -j ACCEPT |
|
744 | -A SSH -m recent --name sshbf --set -j ACCEPT | |
| 745 |
|
745 | |||
| 746 | # Send TCP and UDP connections to their respective rules chain |
|
746 | # Send TCP and UDP connections to their respective rules chain | |
| 747 | -A INPUT -p udp -m conntrack --ctstate NEW -j UDP |
|
747 | -A INPUT -p udp -m conntrack --ctstate NEW -j UDP | |
| 748 | -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP |
|
748 | -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP | |
| 749 |
|
749 | |||
| 750 | # Reject dropped packets with a RFC compliant responce |
|
750 | # Reject dropped packets with a RFC compliant responce | |
| 751 | -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited |
|
751 | -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited | |
| 752 | -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited |
|
752 | -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited | |
| 753 | -A INPUT -j REJECT --reject-with icmp6-adm-prohibited |
|
753 | -A INPUT -j REJECT --reject-with icmp6-adm-prohibited | |
| 754 |
|
754 | |||
| 755 | ## TCP PORT RULES |
|
755 | ## TCP PORT RULES | |
| 756 | # -A TCP -p tcp -j LOG |
|
756 | # -A TCP -p tcp -j LOG | |
| 757 |
|
757 | |||
| 758 | ## UDP PORT RULES |
|
758 | ## UDP PORT RULES | |
| 759 | # -A UDP -p udp -j LOG |
|
759 | # -A UDP -p udp -j LOG | |
| 760 |
|
760 | |||
| 761 | COMMIT |
|
761 | COMMIT | |
| 762 | EOM |
|
762 | EOM | |
| 763 |
|
763 | |||
| 764 | # Reload systemd configuration and enable iptables service |
|
764 | # Reload systemd configuration and enable iptables service | |
| 765 | LANG=C chroot $R systemctl daemon-reload |
|
765 | LANG=C chroot $R systemctl daemon-reload | |
| 766 | LANG=C chroot $R systemctl enable ip6tables.service |
|
766 | LANG=C chroot $R systemctl enable ip6tables.service | |
| 767 | fi |
|
767 | fi | |
| 768 | fi |
|
768 | fi | |
| 769 |
|
769 | |||
| 770 | # Remove SSHD related iptables rules |
|
770 | # Remove SSHD related iptables rules | |
| 771 | if [ "$ENABLE_SSHD" = false ] ; then |
|
771 | if [ "$ENABLE_SSHD" = false ] ; then | |
| 772 | sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/iptables.rules 2> /dev/null |
|
772 | sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/iptables.rules 2> /dev/null | |
| 773 | sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/ip6tables.rules 2> /dev/null |
|
773 | sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/ip6tables.rules 2> /dev/null | |
| 774 | fi |
|
774 | fi | |
| 775 |
|
775 | |||
| 776 | # Install gcc/c++ build environment inside the chroot |
|
776 | # Install gcc/c++ build environment inside the chroot | |
| 777 | if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then |
|
777 | if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then | |
| 778 | LANG=C chroot $R apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc |
|
778 | LANG=C chroot $R apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc | |
| 779 | fi |
|
779 | fi | |
| 780 |
|
780 | |||
| 781 | # Fetch and build U-Boot bootloader |
|
781 | # Fetch and build U-Boot bootloader | |
| 782 | if [ "$ENABLE_UBOOT" = true ] ; then |
|
782 | if [ "$ENABLE_UBOOT" = true ] ; then | |
| 783 | # Fetch U-Boot bootloader sources |
|
783 | # Fetch U-Boot bootloader sources | |
| 784 | git -C $R/tmp clone git://git.denx.de/u-boot.git |
|
784 | git -C $R/tmp clone git://git.denx.de/u-boot.git | |
| 785 |
|
785 | |||
| 786 | # Build and install U-Boot inside chroot |
|
786 | # Build and install U-Boot inside chroot | |
| 787 | LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all |
|
787 | LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all | |
| 788 |
|
788 | |||
| 789 | # Copy compiled bootloader binary and set config.txt to load it |
|
789 | # Copy compiled bootloader binary and set config.txt to load it | |
| 790 | cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/ |
|
790 | cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/ | |
| 791 | printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt |
|
791 | printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt | |
| 792 |
|
792 | |||
| 793 | # Set U-Boot command file |
|
793 | # Set U-Boot command file | |
| 794 | cat <<EOM >$R/boot/firmware/uboot.mkimage |
|
794 | cat <<EOM >$R/boot/firmware/uboot.mkimage | |
| 795 | # Tell Linux that it is booting on a Raspberry Pi2 |
|
795 | # Tell Linux that it is booting on a Raspberry Pi2 | |
| 796 | setenv machid 0x00000c42 |
|
796 | setenv machid 0x00000c42 | |
| 797 |
|
797 | |||
| 798 | # Set the kernel boot command line |
|
798 | # Set the kernel boot command line | |
| 799 | setenv bootargs "earlyprintk ${CMDLINE}" |
|
799 | setenv bootargs "earlyprintk ${CMDLINE}" | |
| 800 |
|
800 | |||
| 801 | # Save these changes to u-boot's environment |
|
801 | # Save these changes to u-boot's environment | |
| 802 | saveenv |
|
802 | saveenv | |
| 803 |
|
803 | |||
| 804 | # Load the existing Linux kernel into RAM |
|
804 | # Load the existing Linux kernel into RAM | |
| 805 | fatload mmc 0:1 \${kernel_addr_r} kernel7.img |
|
805 | fatload mmc 0:1 \${kernel_addr_r} kernel7.img | |
| 806 |
|
806 | |||
| 807 | # Boot the kernel we have just loaded |
|
807 | # Boot the kernel we have just loaded | |
| 808 | bootz \${kernel_addr_r} |
|
808 | bootz \${kernel_addr_r} | |
| 809 | EOM |
|
809 | EOM | |
| 810 |
|
810 | |||
| 811 | # Generate U-Boot image from command file |
|
811 | # Generate U-Boot image from command file | |
| 812 | LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr |
|
812 | LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr | |
| 813 | fi |
|
813 | fi | |
| 814 |
|
814 | |||
| 815 | # Fetch and build fbturbo Xorg driver |
|
815 | # Fetch and build fbturbo Xorg driver | |
| 816 | if [ "$ENABLE_FBTURBO" = true ] ; then |
|
816 | if [ "$ENABLE_FBTURBO" = true ] ; then | |
| 817 | # Fetch fbturbo driver sources |
|
817 | # Fetch fbturbo driver sources | |
| 818 | git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git |
|
818 | git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git | |
| 819 |
|
819 | |||
| 820 | # Install Xorg build dependencies |
|
820 | # Install Xorg build dependencies | |
| 821 | LANG=C chroot $R apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev |
|
821 | LANG=C chroot $R apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev | |
| 822 |
|
822 | |||
| 823 | # Build and install fbturbo driver inside chroot |
|
823 | # Build and install fbturbo driver inside chroot | |
| 824 | LANG=C chroot $R /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install" |
|
824 | LANG=C chroot $R /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install" | |
| 825 |
|
825 | |||
| 826 | # Add fbturbo driver to Xorg configuration |
|
826 | # Add fbturbo driver to Xorg configuration | |
| 827 | cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf |
|
827 | cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf | |
| 828 | Section "Device" |
|
828 | Section "Device" | |
| 829 | Identifier "Allwinner A10/A13 FBDEV" |
|
829 | Identifier "Allwinner A10/A13 FBDEV" | |
| 830 | Driver "fbturbo" |
|
830 | Driver "fbturbo" | |
| 831 | Option "fbdev" "/dev/fb0" |
|
831 | Option "fbdev" "/dev/fb0" | |
| 832 | Option "SwapbuffersWait" "true" |
|
832 | Option "SwapbuffersWait" "true" | |
| 833 | EndSection |
|
833 | EndSection | |
| 834 | EOM |
|
834 | EOM | |
| 835 |
|
835 | |||
| 836 | # Remove Xorg build dependencies |
|
836 | # Remove Xorg build dependencies | |
| 837 | LANG=C chroot $R apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev |
|
837 | LANG=C chroot $R apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev | |
| 838 | fi |
|
838 | fi | |
| 839 |
|
839 | |||
| 840 | # Remove gcc/c++ build environment from the chroot |
|
840 | # Remove gcc/c++ build environment from the chroot | |
| 841 | if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then |
|
841 | if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then | |
| 842 | LANG=C chroot $R apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make |
|
842 | LANG=C chroot $R apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make | |
| 843 | fi |
|
843 | fi | |
| 844 |
|
844 | |||
| 845 | # Clean cached downloads |
|
845 | # Clean cached downloads | |
| 846 | LANG=C chroot $R apt-get -y clean |
|
846 | LANG=C chroot $R apt-get -y clean | |
| 847 | LANG=C chroot $R apt-get -y autoclean |
|
847 | LANG=C chroot $R apt-get -y autoclean | |
| 848 | LANG=C chroot $R apt-get -y autoremove |
|
848 | LANG=C chroot $R apt-get -y autoremove | |
| 849 |
|
849 | |||
| 850 | # Unmount mounted filesystems |
|
850 | # Unmount mounted filesystems | |
| 851 | umount -l $R/proc |
|
851 | umount -l $R/proc | |
| 852 | umount -l $R/sys |
|
852 | umount -l $R/sys | |
| 853 |
|
853 | |||
| 854 | # Clean up files |
|
854 | # Clean up files | |
| 855 | rm -f $R/etc/apt/sources.list.save |
|
855 | rm -f $R/etc/apt/sources.list.save | |
| 856 | rm -f $R/etc/resolvconf/resolv.conf.d/original |
|
856 | rm -f $R/etc/resolvconf/resolv.conf.d/original | |
| 857 | rm -rf $R/run |
|
857 | rm -rf $R/run | |
| 858 | mkdir -p $R/run |
|
858 | mkdir -p $R/run | |
| 859 | rm -f $R/etc/*- |
|
859 | rm -f $R/etc/*- | |
| 860 | rm -f $R/root/.bash_history |
|
860 | rm -f $R/root/.bash_history | |
| 861 | rm -rf $R/tmp/* |
|
861 | rm -rf $R/tmp/* | |
| 862 | rm -f $R/var/lib/urandom/random-seed |
|
862 | rm -f $R/var/lib/urandom/random-seed | |
| 863 | [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id |
|
863 | [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id | |
| 864 | rm -f $R/etc/machine-id |
|
864 | rm -f $R/etc/machine-id | |
| 865 | rm -fr $R/etc/apt/apt.conf.d/10proxy |
|
865 | rm -fr $R/etc/apt/apt.conf.d/10proxy | |
| 866 |
|
866 | |||
| 867 | # Calculate size of the chroot directory |
|
867 | # Calculate size of the chroot directory in KB | |
| 868 |
CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` |
|
868 | CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'`) | |
| 869 |
|
869 | |||
| 870 | # Calculate required image size |
|
870 | # Calculate the amount of needed 512 Byte sectors | |
| 871 | IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024` |
|
871 | TABLE_SECTORS=$(expr 1 \* 1024 \* 1024 \/ 512) | |
|
|
872 | BOOT_SECTORS=$(expr 64 \* 1024 \* 1024 \/ 512) | |||
|
|
873 | ROOT_OFFSET=$(expr ${TABLE_SECTORS} + ${BOOT_SECTORS}) | |||
| 872 |
|
874 | |||
| 873 | # Calculate number of sectors for the partition |
|
875 | # The root partition is EXT4 | |
| 874 | IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120` |
|
876 | # This means more space than the actual used space of the chroot is used. | |
|
|
877 | # As overhead for journaling and reserved blocks 20% are added. | |||
|
|
878 | ROOT_SECTORS=$(expr $(expr ${CHROOT_SIZE} + ${CHROOT_SIZE} \/ 100 \* 20) \* 1024 \/ 512) | |||
|
|
879 | ||||
|
|
880 | # Calculate required image size in 512 Byte sectors | |||
|
|
881 | IMAGE_SECTORS=$(expr ${TABLE_SECTORS} + ${BOOT_SECTORS} + ${ROOT_SECTORS}) | |||
| 875 |
|
882 | |||
| 876 | # Prepare date string for image file name |
|
883 | # Prepare date string for image file name | |
| 877 | DATE="$(date +%Y-%m-%d)" |
|
884 | DATE="$(date +%Y-%m-%d)" | |
| 878 |
|
885 | |||
| 879 | # Prepare image file |
|
886 | # Prepare image file | |
| 880 |
dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs= |
|
887 | dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count=${TABLE_SECTORS} | |
| 881 |
dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs= |
|
888 | dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count=0 seek=${IMAGE_SECTORS} | |
| 882 |
|
889 | |||
| 883 | # Write partition table |
|
890 | # Write partition table | |
| 884 |
sfdisk -q |
|
891 | sfdisk -q -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM | |
| 885 | unit: sectors |
|
892 | unit: sectors | |
| 886 |
|
893 | |||
| 887 |
1 : start= |
|
894 | 1 : start= ${TABLE_SECTORS}, size= ${BOOT_SECTORS}, Id= c, bootable | |
| 888 |
2 : start= |
|
895 | 2 : start= ${ROOT_OFFSET}, size= ${ROOT_SECTORS}, Id=83 | |
| 889 | 3 : start= 0, size= 0, Id= 0 |
|
896 | 3 : start= 0, size= 0, Id= 0 | |
| 890 | 4 : start= 0, size= 0, Id= 0 |
|
897 | 4 : start= 0, size= 0, Id= 0 | |
| 891 | EOM |
|
898 | EOM | |
| 892 |
|
899 | |||
| 893 | # Set up temporary loop devices and build filesystems |
|
900 | # Set up temporary loop devices and build filesystems | |
| 894 | VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)" |
|
901 | VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)" | |
| 895 |
EXT4_LOOP="$(losetup -o 65M |
|
902 | EXT4_LOOP="$(losetup -o 65M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)" | |
| 896 | mkfs.vfat "$VFAT_LOOP" |
|
903 | mkfs.vfat "$VFAT_LOOP" | |
| 897 | mkfs.ext4 "$EXT4_LOOP" |
|
904 | mkfs.ext4 "$EXT4_LOOP" | |
| 898 |
|
905 | |||
| 899 | # Mount the temporary loop devices |
|
906 | # Mount the temporary loop devices | |
| 900 | mkdir -p "$BUILDDIR/mount" |
|
907 | mkdir -p "$BUILDDIR/mount" | |
| 901 | mount "$EXT4_LOOP" "$BUILDDIR/mount" |
|
908 | mount "$EXT4_LOOP" "$BUILDDIR/mount" | |
| 902 |
|
909 | |||
| 903 | mkdir -p "$BUILDDIR/mount/boot/firmware" |
|
910 | mkdir -p "$BUILDDIR/mount/boot/firmware" | |
| 904 | mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware" |
|
911 | mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware" | |
| 905 |
|
912 | |||
| 906 | # Copy all files from the chroot to the loop device mount point directory |
|
913 | # Copy all files from the chroot to the loop device mount point directory | |
| 907 | rsync -a "$R/" "$BUILDDIR/mount/" |
|
914 | rsync -a "$R/" "$BUILDDIR/mount/" | |
| 908 |
|
915 | |||
| 909 | # Unmount all temporary loop devices and mount points |
|
916 | # Unmount all temporary loop devices and mount points | |
| 910 | cleanup |
|
917 | cleanup | |
| 911 |
|
918 | |||
| 912 | # (optinal) create block map file for "bmaptool" |
|
919 | # (optinal) create block map file for "bmaptool" | |
| 913 | bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img" |
|
920 | bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img" | |
| 914 |
|
921 | |||
| 915 | # Image was successfully created |
|
922 | # Image was successfully created | |
| 916 | echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created" |
|
923 | echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created" | |
General Comments 0
Vous devez vous connecter pour laisser un commentaire.
Se connecter maintenant
