##// END OF EJS Templates
Raspi2-3_GenImage
RSS

Cloner depuis https://github.com/drtyhlpr/rpi23-gen-image.git

fix some typos in comments
Felix Gruber -
r5:6f30bb4ae85d
parent child
Show More
Show file before | Show file after | Hide comments
@@ -1,739 +1,739
1 1 #!/bin/sh
2 2
3 3 ########################################################################
4 4 # rpi2-gen-image.sh ver2a 12/2015
5 5 #
6 6 # Advanced debian "jessie" bootstrap script for RPi2
7 7 #
8 8 # This program is free software; you can redistribute it and/or
9 9 # modify it under the terms of the GNU General Public License
10 10 # as published by the Free Software Foundation; either version 2
11 11 # of the License, or (at your option) any later version.
12 12 #
13 13 # some parts based on rpi2-build-image:
14 14 # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
15 15 # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
16 16 ########################################################################
17 17
18 18 cleanup (){
19 19 set +x
20 20 set +e
21 21 echo "removing temporary mount points ..."
22 22 umount -l $R/proc 2> /dev/null
23 23 umount -l $R/sys 2> /dev/null
24 24 umount -l $R/dev/pts 2> /dev/null
25 25 umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
26 26 umount "$BUILDDIR/mount" 2> /dev/null
27 27 losetup -d "$EXT4_LOOP" 2> /dev/null
28 28 losetup -d "$VFAT_LOOP" 2> /dev/null
29 29 trap - 0 1 2 3 6
30 30 }
31 31
32 32 set -e
33 33 set -x
34 34
35 35 RELEASE=${RELEASE:=jessie}
36 36
37 37 # Build settings
38 38 BASEDIR=./images/${RELEASE}
39 39 BUILDDIR=${BASEDIR}/build
40 40
41 41 # General settings
42 42 HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
43 43 PASSWORD=${PASSWORD:=raspberry}
44 44 DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
45 45 TIMEZONE=${TIMEZONE:="Europe/Berlin"}
46 46
47 47 # APT settings
48 48 APT_PROXY=${APT_PROXY:=""}
49 49 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
50 50
51 51 # Feature settings
52 52 ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
53 53 ENABLE_IPV6=${ENABLE_IPV6:=true}
54 54 ENABLE_SSHD=${ENABLE_SSHD:=true}
55 55 ENABLE_SOUND=${ENABLE_SOUND:=true}
56 56 ENABLE_SYSTEMD=${ENABLE_SYSTEMD:=true}
57 57 ENABLE_DBUS=${ENABLE_DBUS:=true}
58 58 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
59 59 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
60 60 ENABLE_XORG=${ENABLE_XORG:=false}
61 61 ENABLE_FLUXBOX=${ENABLE_FLUXBOX:=false}
62 62
63 63 # Advanced settings
64 64 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
65 65 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
66 66 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
67 67
68 68 # Image chroot path
69 69 R=${BUILDDIR}/chroot
70 70
71 71 # Packages required for bootstrapping
72 72 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core"
73 73
74 74 # Packages required in the chroot build enviroment
75 75 APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,locales,apt-utils,vim-tiny"
76 76
77 77 set +x
78 78
79 79 # Are we running as root?
80 80 if [ "$(id -u)" -ne "0" ] ; then
81 81 echo "this script must be executed with root privileges"
82 82 exit 1
83 83 fi
84 84
85 85 # Don't clobber an old build
86 86 if [ -e "$BUILDDIR" ]; then
87 87 echo "directory $BUILDDIR already exists, not proceeding"
88 88 exit 1
89 89 fi
90 90
91 91 set -x
92 92
93 93 # Call "cleanup" function on various signals and errors
94 94 trap cleanup 0 1 2 3 6
95 95
96 96 # Set up chroot directory
97 97 mkdir -p $R
98 98
99 99 # Install dependencies
100 100 apt-get -q -y install ${REQUIRED_PACKAGES}
101 101
102 102 # Use traditional SystemV init instead of systemd services
103 103 if [ "$ENABLE_SYSTEMD" = false ] ; then
104 104 APT_INCLUDES="${APT_INCLUDES},sysvinit-core"
105 105 fi
106 106
107 107 # Add dbus package, recommended if using systemd
108 108 if [ "$ENABLE_DBUS" = true ] ; then
109 109 APT_INCLUDES="${APT_INCLUDES},dbus"
110 110 fi
111 111
112 112 # Add openssh server package
113 113 if [ "$ENABLE_SSHD" = true ] ; then
114 114 APT_INCLUDES="${APT_INCLUDES},openssh-server"
115 115 fi
116 116
117 117 # Add rng-tools package
118 118 if [ "$ENABLE_HWRANDOM" = true ] ; then
119 119 APT_INCLUDES="${APT_INCLUDES},rng-tools"
120 120 fi
121 121
122 122 # Add xorg package
123 123 if [ "$ENABLE_XORG" = true ] ; then
124 124 APT_INCLUDES="${APT_INCLUDES},xorg"
125 125 fi
126 126
127 127 # Add fluxbox package with eterm
128 128 if [ "$ENABLE_FLUXBOX" = true ] ; then
129 129 APT_INCLUDES="${APT_INCLUDES},fluxbox,eterm"
130 130 fi
131 131
132 132 if [ -z "$APT_PROXY" ] ; then
133 133 APT_PROXY="http://"
134 134 fi
135 135
136 136 # Base debootstrap (unpack only)
137 137 debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian
138 138 cp /usr/bin/qemu-arm-static $R/usr/bin
139 139
140 # Remove systemd releated packages from list of packages to be bootsrapped
140 # Remove systemd related packages from list of packages to be bootstrapped
141 141 if [ "$ENABLE_SYSTEMD" = false ] ; then
142 142 chroot $R sed -i -e 's/systemd systemd-sysv //g' /debootstrap/required
143 143 fi
144 144
145 145 # Copy debian-archive-keyring.pgp
146 146 chroot $R mkdir -p /usr/share/keyrings
147 147 cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
148 148
149 149 # Complete the bootstrapping proccess
150 150 chroot $R /debootstrap/debootstrap --second-stage
151 151
152 152 # Mount required filesystems
153 153 mount -t proc none $R/proc
154 154 mount -t sysfs none $R/sys
155 155 mount --bind /dev/pts $R/dev/pts
156 156
157 157 # Set up initial sources.list
158 158 cat <<EOM >$R/etc/apt/sources.list
159 159 deb http://${APT_SERVER}/debian ${RELEASE} main contrib
160 160 #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib
161 161
162 162 deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
163 163 #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
164 164
165 165 deb http://security.debian.org/ ${RELEASE}/updates main contrib
166 166 #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib
167 167
168 168 deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
169 169 EOM
170 170
171 171 # Pin package flash-kernel to repositories.collabora.co.uk
172 172 cat <<EOM >$R/etc/apt/preferences.d/flash-kernel
173 173 Package: flash-kernel
174 174 Pin: origin repositories.collabora.co.uk
175 175 Pin-Priority: 1000
176 176 EOM
177 177
178 178 # Set up timezone
179 179 echo ${TIMEZONE} >$R/etc/timezone
180 180 LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata
181 181
182 182 # Set up default locales to "en_US.UTF-8" default
183 183 LANG=C chroot $R sed -i '/${DEFLOCAL}/s/^#//' /etc/locale.gen
184 184 LANG=C chroot $R locale-gen ${DEFLOCAL}
185 185
186 186 # Fetch APT public key "Collabora Raspbian Archive Signing Key <daniels@collabora.com>"
187 187 LANG=C chroot $R apt-key adv --keyserver hkp://pool.sks-keyservers.net --recv-keys ED4BF9140C50B1C5
188 188
189 189 # Upgrade package index and update all installed packages and changed dependencies
190 190 LANG=C chroot $R apt-get -q -y update
191 191 LANG=C chroot $R apt-get -q -y -u dist-upgrade
192 192
193 193 # Kernel installation
194 194 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
195 195
196 196 LANG=C chroot $R apt-get -q -y --force-yes --no-install-recommends install linux-image-3.18.0-trunk-rpi2
197 197 LANG=C chroot $R apt-get -q -y --force-yes install flash-kernel
198 198
199 199 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
200 200 [ -z "$VMLINUZ" ] && exit 1
201 201 mkdir -p $R/boot/firmware
202 202
203 203 # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")
204 204 wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin
205 205 wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat
206 206 wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat
207 207 wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat
208 208 wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf
209 209 wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf
210 210 wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf
211 211 cp $VMLINUZ $R/boot/firmware/kernel7.img
212 212
213 213 # Set up hosts
214 214 echo ${HOSTNAME} >$R/etc/hostname
215 215 cat <<EOM >$R/etc/hosts
216 216 127.0.0.1 localhost
217 217 127.0.1.1 ${HOSTNAME}
218 218 EOM
219 219
220 220 if [ "$ENABLE_IPV6" = true ] ; then
221 221 cat <<EOM >>$R/etc/hosts
222 222
223 223 ::1 localhost ip6-localhost ip6-loopback
224 224 ff02::1 ip6-allnodes
225 225 ff02::2 ip6-allrouters
226 226 EOM
227 227 fi
228 228
229 229 # Generate crypt(3) password string
230 230 ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
231 231
232 232 # Set up default user
233 233 LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi
234 234 LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
235 235
236 236 # Set up root password
237 237 LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root
238 238
239 239
240 240 # Set up interfaces
241 241 cat <<EOM >$R/etc/network/interfaces
242 242 # interfaces(5) file used by ifup(8) and ifdown(8)
243 243 # Include files from /etc/network/interfaces.d:
244 244 source-directory /etc/network/interfaces.d
245 245
246 246 # The loopback network interface
247 247 auto lo
248 248 iface lo inet loopback
249 249
250 250 # The primary network interface
251 251 allow-hotplug eth0
252 252 iface eth0 inet dhcp
253 253 EOM
254 254
255 255 # Set up firmware boot cmdline
256 256 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
257 257
258 258 # Set up serial console support (if requested)
259 259 if [ "$ENABLE_CONSOLE" = true ] ; then
260 260 CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
261 261 fi
262 262
263 263 # Set up ipv6 support (if requested)
264 264 if [ "$ENABLE_IPV6" = false ] ; then
265 265 CMDLINE="${CMDLINE} ipv6.disable=1"
266 266 fi
267 267
268 268 echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
269 269
270 270 # Set up firmware config
271 271 cat <<EOM >$R/boot/firmware/config.txt
272 272 # For more options and information see
273 273 # http://www.raspberrypi.org/documentation/configuration/config-txt.md
274 274 # Some settings may impact device functionality. See link above for details
275 275
276 276 # uncomment if you get no picture on HDMI for a default "safe" mode
277 277 #hdmi_safe=1
278 278
279 279 # uncomment this if your display has a black border of unused pixels visible
280 280 # and your display can output without overscan
281 281 #disable_overscan=1
282 282
283 283 # uncomment the following to adjust overscan. Use positive numbers if console
284 284 # goes off screen, and negative if there is too much border
285 285 #overscan_left=16
286 286 #overscan_right=16
287 287 #overscan_top=16
288 288 #overscan_bottom=16
289 289
290 290 # uncomment to force a console size. By default it will be display's size minus
291 291 # overscan.
292 292 #framebuffer_width=1280
293 293 #framebuffer_height=720
294 294
295 295 # uncomment if hdmi display is not detected and composite is being output
296 296 #hdmi_force_hotplug=1
297 297
298 298 # uncomment to force a specific HDMI mode (this will force VGA)
299 299 #hdmi_group=1
300 300 #hdmi_mode=1
301 301
302 302 # uncomment to force a HDMI mode rather than DVI. This can make audio work in
303 303 # DMT (computer monitor) modes
304 304 #hdmi_drive=2
305 305
306 306 # uncomment to increase signal to HDMI, if you have interference, blanking, or
307 307 # no display
308 308 #config_hdmi_boost=4
309 309
310 310 # uncomment for composite PAL
311 311 #sdtv_mode=2
312 312
313 #uncomment to overclock the arm. 700 MHz is the default.
313 # uncomment to overclock the arm. 700 MHz is the default.
314 314 #arm_freq=800
315 315 EOM
316 316
317 317 # Set smallest possible GPU memory allocation size: 16MB (no X)
318 318 if [ "$ENABLE_MINGPU" = true ] ; then
319 319 echo "gpu_mem=16" >>$R/boot/firmware/config.txt
320 320 fi
321 321
322 322 # Create symlinks
323 323 ln -sf firmware/config.txt $R/boot/config.txt
324 324 ln -sf firmware/cmdline.txt $R/boot/cmdline.txt
325 325
326 326 # Prepare modules-load.d directory
327 327 mkdir -p $R/lib/modules-load.d/
328 328
329 329 # Load random module on boot
330 330 if [ "$ENABLE_HWRANDOM" = true ] ; then
331 331 cat <<EOM >$R/lib/modules-load.d/rpi2.conf
332 332 bcm2708_rng
333 333 EOM
334 334 fi
335 335
336 336 # Prepare modprobe.d directory
337 337 mkdir -p $R/etc/modprobe.d/
338 338
339 339 # Blacklist sound modules
340 340 cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf
341 341 blacklist snd_soc_core
342 342 blacklist snd_pcm
343 343 blacklist snd_pcm_dmaengine
344 344 blacklist snd_timer
345 345 blacklist snd_compress
346 346 blacklist snd_soc_pcm512x_i2c
347 347 blacklist snd_soc_pcm512x
348 348 blacklist snd_soc_tas5713
349 349 blacklist snd_soc_wm8804
350 350 EOM
351 351
352 352 # Create default fstab
353 353 cat <<EOM >$R/etc/fstab
354 354 /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
355 355 /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
356 356 EOM
357 357
358 358 # Avoid swapping and increase cache sizes
359 359 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
360 360
361 361 # Avoid swapping and increase cache sizes
362 362 vm.swappiness=1
363 363 vm.dirty_background_ratio=20
364 364 vm.dirty_ratio=40
365 365 vm.dirty_writeback_centisecs=500
366 366 vm.dirty_expire_centisecs=6000
367 367 EOM
368 368
369 369 # Enable network stack hardening
370 370 if [ "$ENABLE_HARDNET" = true ] ; then
371 371 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
372 372
373 373 # Enable network stack hardening
374 374 net.ipv4.tcp_timestamps=0
375 375 net.ipv4.tcp_syncookies=1
376 376 net.ipv4.conf.all.rp_filter=1
377 377 net.ipv4.conf.all.accept_redirects=0
378 378 net.ipv4.conf.all.send_redirects=0
379 379 net.ipv4.conf.all.accept_source_route=0
380 380 net.ipv4.conf.default.rp_filter=1
381 381 net.ipv4.conf.default.accept_redirects=0
382 382 net.ipv4.conf.default.send_redirects=0
383 383 net.ipv4.conf.default.accept_source_route=0
384 384 net.ipv4.conf.lo.accept_redirects=0
385 385 net.ipv4.conf.lo.send_redirects=0
386 386 net.ipv4.conf.lo.accept_source_route=0
387 387 net.ipv4.conf.eth0.accept_redirects=0
388 388 net.ipv4.conf.eth0.send_redirects=0
389 389 net.ipv4.conf.eth0.accept_source_route=0
390 390 net.ipv4.icmp_echo_ignore_broadcasts=1
391 391 net.ipv4.icmp_ignore_bogus_error_responses=1
392 392
393 393 net.ipv6.conf.all.accept_redirects=0
394 394 net.ipv6.conf.all.accept_source_route=0
395 395 net.ipv6.conf.all.router_solicitations=0
396 396 net.ipv6.conf.all.accept_ra_rtr_pref=0
397 397 net.ipv6.conf.all.accept_ra_pinfo=0
398 398 net.ipv6.conf.all.accept_ra_defrtr=0
399 399 net.ipv6.conf.all.autoconf=0
400 400 net.ipv6.conf.all.dad_transmits=0
401 401 net.ipv6.conf.all.max_addresses=1
402 402
403 403 net.ipv6.conf.default.accept_redirects=0
404 404 net.ipv6.conf.default.accept_source_route=0
405 405 net.ipv6.conf.default.router_solicitations=0
406 406 net.ipv6.conf.default.accept_ra_rtr_pref=0
407 407 net.ipv6.conf.default.accept_ra_pinfo=0
408 408 net.ipv6.conf.default.accept_ra_defrtr=0
409 409 net.ipv6.conf.default.autoconf=0
410 410 net.ipv6.conf.default.dad_transmits=0
411 411 net.ipv6.conf.default.max_addresses=1
412 412
413 413 net.ipv6.conf.lo.accept_redirects=0
414 414 net.ipv6.conf.lo.accept_source_route=0
415 415 net.ipv6.conf.lo.router_solicitations=0
416 416 net.ipv6.conf.lo.accept_ra_rtr_pref=0
417 417 net.ipv6.conf.lo.accept_ra_pinfo=0
418 418 net.ipv6.conf.lo.accept_ra_defrtr=0
419 419 net.ipv6.conf.lo.autoconf=0
420 420 net.ipv6.conf.lo.dad_transmits=0
421 421 net.ipv6.conf.lo.max_addresses=1
422 422
423 423 net.ipv6.conf.eth0.accept_redirects=0
424 424 net.ipv6.conf.eth0.accept_source_route=0
425 425 net.ipv6.conf.eth0.router_solicitations=0
426 426 net.ipv6.conf.eth0.accept_ra_rtr_pref=0
427 427 net.ipv6.conf.eth0.accept_ra_pinfo=0
428 428 net.ipv6.conf.eth0.accept_ra_defrtr=0
429 429 net.ipv6.conf.eth0.autoconf=0
430 430 net.ipv6.conf.eth0.dad_transmits=0
431 431 net.ipv6.conf.eth0.max_addresses=1
432 432 EOM
433 433
434 434 # Enable resolver warnings about spoofed addresses
435 435 cat <<EOM >>$R/etc/host.conf
436 436 spoof warn
437 437 EOM
438 438 fi
439 439
440 440 # Regenerate openssh server host keys
441 441 if [ "$ENABLE_SSHD" = true ] ; then
442 442 rm -fr $R/etc/ssh/ssh_host_*
443 443 LANG=C chroot $R dpkg-reconfigure openssh-server
444 444 fi
445 445
446 446 # Enable serial console systemd style
447 447 if [ "$ENABLE_CONSOLE" = true ] ; then
448 448 LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service
449 449 fi
450 450
451 451 # Enable firewall based on iptables started by systemd service
452 452 if [ "$ENABLE_IPTABLES" = true ] ; then
453 453 # Create iptables configuration directory
454 454 mkdir -p "$R/etc/iptables"
455 455
456 456 # Create iptables systemd service
457 457 cat <<EOM >$R/etc/systemd/system/iptables.service
458 458 [Unit]
459 459 Description=Packet Filtering Framework
460 460 DefaultDependencies=no
461 461 After=systemd-sysctl.service
462 462 Before=sysinit.target
463 463 [Service]
464 464 Type=oneshot
465 465 ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
466 466 ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
467 467 ExecStop=/etc/iptables/flush-iptables.sh
468 468 RemainAfterExit=yes
469 469 [Install]
470 470 WantedBy=multi-user.target
471 471 EOM
472 472
473 473 # Create flush-table script called by iptables service
474 474 cat <<EOM >$R/etc/iptables/flush-iptables.sh
475 475 #!/bin/sh
476 476 iptables -F
477 477 iptables -X
478 478 iptables -t nat -F
479 479 iptables -t nat -X
480 480 iptables -t mangle -F
481 481 iptables -t mangle -X
482 482 iptables -P INPUT ACCEPT
483 483 iptables -P FORWARD ACCEPT
484 484 iptables -P OUTPUT ACCEPT
485 485 EOM
486 486
487 487 # Create iptables rule file
488 488 cat <<EOM >$R/etc/iptables/iptables.rules
489 489 *filter
490 490 :INPUT DROP [0:0]
491 491 :FORWARD DROP [0:0]
492 492 :OUTPUT ACCEPT [0:0]
493 493 :TCP - [0:0]
494 494 :UDP - [0:0]
495 495 :SSH - [0:0]
496 496
497 497 # Rate limit ping requests
498 498 -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
499 499 -A INPUT -p icmp --icmp-type echo-request -j DROP
500 500
501 501 # Accept established connections
502 502 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
503 503
504 504 # Accept all traffic on loopback interface
505 505 -A INPUT -i lo -j ACCEPT
506 506
507 507 # Drop packets declared invalid
508 508 -A INPUT -m conntrack --ctstate INVALID -j DROP
509 509
510 510 # SSH rate limiting
511 511 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
512 512 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
513 513 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
514 514 -A SSH -m recent --name sshbf --set -j ACCEPT
515 515
516 516 # Send TCP and UDP connections to their respective rules chain
517 517 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
518 518 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
519 519
520 520 # Reject dropped packets with a RFC compliant responce
521 521 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
522 522 -A INPUT -p tcp -j REJECT --reject-with tcp-rst
523 523 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
524 524
525 525 ## TCP PORT RULES
526 526 # -A TCP -p tcp -j LOG
527 527
528 528 ## UDP PORT RULES
529 529 # -A UDP -p udp -j LOG
530 530
531 531 COMMIT
532 532 EOM
533 533
534 534 # Reload systemd configuration and enable iptables service
535 535 LANG=C chroot $R systemctl daemon-reload
536 536 LANG=C chroot $R systemctl enable iptables.service
537 537
538 538 if [ "$ENABLE_IPV6" = true ] ; then
539 539 # Create ip6tables systemd service
540 540 cat <<EOM >$R/etc/systemd/system/ip6tables.service
541 541 [Unit]
542 542 Description=Packet Filtering Framework
543 543 DefaultDependencies=no
544 544 After=systemd-sysctl.service
545 545 Before=sysinit.target
546 546 [Service]
547 547 Type=oneshot
548 548 ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
549 549 ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
550 550 ExecStop=/etc/iptables/flush-ip6tables.sh
551 551 RemainAfterExit=yes
552 552 [Install]
553 553 WantedBy=multi-user.target
554 554 EOM
555 555
556 556 # Create ip6tables file
557 557 cat <<EOM >$R/etc/iptables/flush-ip6tables.sh
558 558 #!/bin/sh
559 559 ip6tables -F
560 560 ip6tables -X
561 561 ip6tables -Z
562 562 for table in $(</proc/net/ip6_tables_names)
563 563 do
564 564 ip6tables -t \$table -F
565 565 ip6tables -t \$table -X
566 566 ip6tables -t \$table -Z
567 567 done
568 568 ip6tables -P INPUT ACCEPT
569 569 ip6tables -P OUTPUT ACCEPT
570 570 ip6tables -P FORWARD ACCEPT
571 571 EOM
572 572
573 573 # Create ip6tables rule file
574 574 cat <<EOM >$R/etc/iptables/ip6tables.rules
575 575 *filter
576 576 :INPUT DROP [0:0]
577 577 :FORWARD DROP [0:0]
578 578 :OUTPUT ACCEPT [0:0]
579 579 :TCP - [0:0]
580 580 :UDP - [0:0]
581 581 :SSH - [0:0]
582 582
583 583 # Drop packets with RH0 headers
584 584 -A INPUT -m rt --rt-type 0 -j DROP
585 585 -A OUTPUT -m rt --rt-type 0 -j DROP
586 586 -A FORWARD -m rt --rt-type 0 -j DROP
587 587
588 588 # Rate limit ping requests
589 589 -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
590 590 -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
591 591
592 592 # Accept established connections
593 593 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
594 594
595 595 # Accept all traffic on loopback interface
596 596 -A INPUT -i lo -j ACCEPT
597 597
598 598 # Drop packets declared invalid
599 599 -A INPUT -m conntrack --ctstate INVALID -j DROP
600 600
601 601 # SSH rate limiting
602 602 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
603 603 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
604 604 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
605 605 -A SSH -m recent --name sshbf --set -j ACCEPT
606 606
607 607 # Send TCP and UDP connections to their respective rules chain
608 608 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
609 609 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
610 610
611 611 # Reject dropped packets with a RFC compliant responce
612 612 -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
613 613 -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
614 614 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
615 615
616 616 ## TCP PORT RULES
617 617 # -A TCP -p tcp -j LOG
618 618
619 619 ## UDP PORT RULES
620 620 # -A UDP -p udp -j LOG
621 621
622 622 COMMIT
623 623 EOM
624 624
625 625 # Reload systemd configuration and enable iptables service
626 626 LANG=C chroot $R systemctl daemon-reload
627 627 LANG=C chroot $R systemctl enable ip6tables.service
628 628
629 629 fi
630 630 fi
631 631
632 632 if [ "$ENABLE_UBOOT" = true ] ; then
633 633 # Fetch u-boot github
634 634 git -C $R/tmp clone git://git.denx.de/u-boot.git
635 635
636 # Install minimal gcc/g++ build enviroment and build u-boot inside chroot
636 # Install minimal gcc/g++ build environment and build u-boot inside chroot
637 637 LANG=C chroot $R apt-get install -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
638 638 LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all
639 639
640 640 # Copy compiled bootloader binary and set config.txt to load it
641 641 cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
642 642 printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
643 643
644 644 # Set u-boot command file
645 645 cat <<EOM >$R/boot/firmware/uboot.mkimage
646 646 # Tell Linux that it is booting on a Raspberry Pi2
647 647 setenv machid 0x00000c42
648 648
649 649 # Set the kernel boot command line
650 650 setenv bootargs "earlyprintk ${CMDLINE}"
651 651
652 652 # Save these changes to u-boot's environment
653 653 saveenv
654 654
655 655 # Load the existing Linux kernel into RAM
656 656 fatload mmc 0:1 \${kernel_addr_r} kernel7.img
657 657
658 658 # Boot the kernel we have just loaded
659 659 bootz \${kernel_addr_r}
660 660 EOM
661 661
662 662 # Generate u-boot image from command file
663 663 LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
664 664
665 665 # Remove gcc/c++ build enviroment
666 666 LANG=C chroot $R apt-get purge -y bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
667 667 fi
668 668
669 669 # Clean cached downloads
670 670 LANG=C chroot $R apt-get -y clean
671 671 LANG=C chroot $R apt-get -y autoclean
672 672 LANG=C chroot $R apt-get -y autoremove
673 673
674 674 # Unmount mounted filesystems
675 675 umount -l $R/proc
676 676 umount -l $R/sys
677 677
678 678 # Clean up files
679 679 rm -f $R/etc/apt/sources.list.save
680 680 rm -f $R/etc/resolvconf/resolv.conf.d/original
681 681 rm -rf $R/run
682 682 mkdir -p $R/run
683 683 rm -f $R/etc/*-
684 684 rm -f $R/root/.bash_history
685 685 rm -rf $R/tmp/*
686 686 rm -f $R/var/lib/urandom/random-seed
687 687 [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id
688 688 rm -f $R/etc/machine-id
689 689
690 690 # Calculate size of the chroot directory
691 691 CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)
692 692
693 693 # Calculate required image size
694 694 IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`
695 695
696 696 # Calculate number of sectors for the partition
697 697 IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`
698 698
699 699 # Prepare date string for image file name
700 700 DATE="$(date +%Y-%m-%d)"
701 701
702 702 # Prepare image file
703 703 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1
704 704 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}
705 705
706 706 # Write partition table
707 707 sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
708 708 unit: sectors
709 709
710 710 1 : start= 2048, size= 131072, Id= c, bootable
711 711 2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83
712 712 3 : start= 0, size= 0, Id= 0
713 713 4 : start= 0, size= 0, Id= 0
714 714 EOM
715 715
716 716 # Set up temporary loop devices and build filesystems
717 717 VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
718 718 EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
719 719 mkfs.vfat "$VFAT_LOOP"
720 720 mkfs.ext4 "$EXT4_LOOP"
721 721
722 722 # Mount the temporary loop devices
723 723 mkdir -p "$BUILDDIR/mount"
724 724 mount "$EXT4_LOOP" "$BUILDDIR/mount"
725 725
726 726 mkdir -p "$BUILDDIR/mount/boot/firmware"
727 727 mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"
728 728
729 729 # Copy all files from the chroot to the loop device mount point directory
730 730 rsync -a "$R/" "$BUILDDIR/mount/"
731 731
732 732 # Unmount all temporary loop devices and mount points
733 733 cleanup
734 734
735 735 # (optinal) create block map file for "bmaptool"
736 736 bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
737 737
738 738 # Image was successfully created
739 739 echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"
General Comments 0
Vous devez vous connecter pour laisser un commentaire. Se connecter maintenant