Merge branch 'stylesuxx-rootfs-size-calculation-improvement'
Jan Wagner -
r49:a03e217233d1 Fusion
@@ -1,916 +1,923
1 1 #!/bin/sh
2 2
3 3 ########################################################################
4 4 # rpi2-gen-image.sh ver2a 12/2015
5 5 #
6 6 # Advanced debian "jessie" bootstrap script for RPi2
7 7 #
8 8 # This program is free software; you can redistribute it and/or
9 9 # modify it under the terms of the GNU General Public License
10 10 # as published by the Free Software Foundation; either version 2
11 11 # of the License, or (at your option) any later version.
12 12 #
13 13 # some parts based on rpi2-build-image:
14 14 # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
15 15 # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
16 16 ########################################################################
17 17
18 18 # Clean up all temporary mount points
19 19 cleanup (){
20 20 set +x
21 21 set +e
22 22 echo "removing temporary mount points ..."
23 23 umount -l $R/proc 2> /dev/null
24 24 umount -l $R/sys 2> /dev/null
25 25 umount -l $R/dev/pts 2> /dev/null
26 26 umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
27 27 umount "$BUILDDIR/mount" 2> /dev/null
28 28 losetup -d "$EXT4_LOOP" 2> /dev/null
29 29 losetup -d "$VFAT_LOOP" 2> /dev/null
30 30 trap - 0 1 2 3 6
31 31 }
32 32
33 33 set -e
34 34 set -x
35 35
36 36 # Debian release
37 37 RELEASE=${RELEASE:=jessie}
38 38
39 39 # Build settings
40 40 BASEDIR=./images/${RELEASE}
41 41 BUILDDIR=${BASEDIR}/build
42 42
43 43 # General settings
44 44 HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
45 45 PASSWORD=${PASSWORD:=raspberry}
46 46 DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
47 47 TIMEZONE=${TIMEZONE:="Europe/Berlin"}
48 48 XKBMODEL=${XKBMODEL:=""}
49 49 XKBLAYOUT=${XKBLAYOUT:=""}
50 50 XKBVARIANT=${XKBVARIANT:=""}
51 51 XKBOPTIONS=${XKBOPTIONS:=""}
52 52
53 53 # Network settings
54 54 ENABLE_DHCP=${ENABLE_DHCP:=true}
55 55 # NET_* settings are ignored when ENABLE_DHCP=true
56 56 # NET_ADDRESS is an IPv4 or IPv6 address and its prefix, separated by "/"
57 57 NET_ADDRESS=${NET_ADDRESS:=""}
58 58 NET_GATEWAY=${NET_GATEWAY:=""}
59 59 NET_DNS_1=${NET_DNS_1:=""}
60 60 NET_DNS_2=${NET_DNS_2:=""}
61 61 NET_DNS_DOMAINS=${NET_DNS_DOMAINS:=""}
62 62 NET_NTP_1=${NET_NTP_1:=""}
63 63 NET_NTP_2=${NET_NTP_2:=""}
64 64
65 65 # APT settings
66 66 APT_PROXY=${APT_PROXY:=""}
67 67 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
68 68
69 69 # Feature settings
70 70 ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
71 71 ENABLE_IPV6=${ENABLE_IPV6:=true}
72 72 ENABLE_SSHD=${ENABLE_SSHD:=true}
73 73 ENABLE_SOUND=${ENABLE_SOUND:=true}
74 74 ENABLE_DBUS=${ENABLE_DBUS:=true}
75 75 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
76 76 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
77 77 ENABLE_XORG=${ENABLE_XORG:=false}
78 78 ENABLE_WM=${ENABLE_WM:=""}
79 79
80 80 # Advanced settings
81 81 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
82 82 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
83 83 ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
84 84 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
85 85 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
86 86
87 87 # Image chroot path
88 88 R=${BUILDDIR}/chroot
89 89
90 90 # Packages required for bootstrapping
91 91 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git-core"
92 92
93 93 # Missing packages that need to be installed
94 94 MISSING_PACKAGES=""
95 95
96 96 # Packages required in the chroot build environment
97 97 APT_INCLUDES=${APT_INCLUDES:=""}
98 98 APT_INCLUDES="${APT_INCLUDES},apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo"
99 99
100 100 set +x
101 101
102 102 # Are we running as root?
103 103 if [ "$(id -u)" -ne "0" ] ; then
104 104 echo "this script must be executed with root privileges"
105 105 exit 1
106 106 fi
107 107
108 108 # Check if all required packages are installed
109 109 for package in $REQUIRED_PACKAGES ; do
110 110 if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
111 111 MISSING_PACKAGES="$MISSING_PACKAGES $package"
112 112 fi
113 113 done
114 114
115 115 # Ask if missing packages should get installed right now
116 116 if [ -n "$MISSING_PACKAGES" ] ; then
117 117 echo "the following packages needed by this script are not installed:"
118 118 echo "$MISSING_PACKAGES"
119 119
120 120 echo -n "\ndo you want to install the missing packages right now? [y/n] "
121 121 read confirm
122 122 if [ "$confirm" != "y" ] ; then
123 123 exit 1
124 124 fi
125 125 fi
126 126
127 127 # Make sure all required packages are installed
128 128 apt-get -qq -y install ${REQUIRED_PACKAGES}
129 129
130 130 # Don't clobber an old build
131 131 if [ -e "$BUILDDIR" ]; then
132 132 echo "directory $BUILDDIR already exists, not proceeding"
133 133 exit 1
134 134 fi
135 135
136 136 set -x
137 137
138 138 # Call "cleanup" function on various signals and errors
139 139 trap cleanup 0 1 2 3 6
140 140
141 141 # Set up chroot directory
142 142 mkdir -p $R
143 143
144 144 # Add required packages for the minbase installation
145 145 if [ "$ENABLE_MINBASE" = true ] ; then
146 146 APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools"
147 147 else
148 148 APT_INCLUDES="${APT_INCLUDES},locales,keyboard-configuration,console-setup"
149 149 fi
150 150
151 151 # Add dbus package, recommended if using systemd
152 152 if [ "$ENABLE_DBUS" = true ] ; then
153 153 APT_INCLUDES="${APT_INCLUDES},dbus"
154 154 fi
155 155
156 156 # Add iptables IPv4/IPv6 package
157 157 if [ "$ENABLE_IPTABLES" = true ] ; then
158 158 APT_INCLUDES="${APT_INCLUDES},iptables"
159 159 fi
160 160
161 161 # Add openssh server package
162 162 if [ "$ENABLE_SSHD" = true ] ; then
163 163 APT_INCLUDES="${APT_INCLUDES},openssh-server"
164 164 fi
165 165
166 166 # Add alsa-utils package
167 167 if [ "$ENABLE_SOUND" = true ] ; then
168 168 APT_INCLUDES="${APT_INCLUDES},alsa-utils"
169 169 fi
170 170
171 171 # Add rng-tools package
172 172 if [ "$ENABLE_HWRANDOM" = true ] ; then
173 173 APT_INCLUDES="${APT_INCLUDES},rng-tools"
174 174 fi
175 175
176 176 # Add fbturbo video driver
177 177 if [ "$ENABLE_FBTURBO" = true ] ; then
178 178 # Enable xorg package dependencies
179 179 ENABLE_XORG=true
180 180 fi
181 181
182 182 # Add user defined window manager package
183 183 if [ -n "$ENABLE_WM" ] ; then
184 184 APT_INCLUDES="${APT_INCLUDES},${ENABLE_WM}"
185 185
186 186 # Enable xorg package dependencies
187 187 ENABLE_XORG=true
188 188 fi
189 189
190 190 # Add xorg package
191 191 if [ "$ENABLE_XORG" = true ] ; then
192 192 APT_INCLUDES="${APT_INCLUDES},xorg"
193 193 fi
194 194
195 195 # Base debootstrap (unpack only)
196 196 if [ "$ENABLE_MINBASE" = true ] ; then
197 197 http_proxy=${APT_PROXY} debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
198 198 else
199 199 http_proxy=${APT_PROXY} debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
200 200 fi
201 201
202 202 # Copy qemu emulator binary to chroot
203 203 cp /usr/bin/qemu-arm-static $R/usr/bin
204 204
205 205 # Copy debian-archive-keyring.pgp
206 206 chroot $R mkdir -p /usr/share/keyrings
207 207 cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
208 208
209 209 # Complete the bootstrapping process
210 210 chroot $R /debootstrap/debootstrap --second-stage
211 211
212 212 # Mount required filesystems
213 213 mount -t proc none $R/proc
214 214 mount -t sysfs none $R/sys
215 215 mount --bind /dev/pts $R/dev/pts
216 216
217 217 # Use proxy inside chroot
218 218 if [ -z "$APT_PROXY" ] ; then
219 219 echo "Acquire::http::Proxy \"$APT_PROXY\";" >> $R/etc/apt/apt.conf.d/10proxy
220 220 fi
221 221
222 222 # Pin package flash-kernel to repositories.collabora.co.uk
223 223 cat <<EOM >$R/etc/apt/preferences.d/flash-kernel
224 224 Package: flash-kernel
225 225 Pin: origin repositories.collabora.co.uk
226 226 Pin-Priority: 1000
227 227 EOM
228 228
229 229 # Set up timezone
230 230 echo ${TIMEZONE} >$R/etc/timezone
231 231 LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata
232 232
233 233 # Upgrade collabora package index and install collabora keyring
234 234 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
235 235 LANG=C chroot $R apt-get -qq -y update
236 236 LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring
237 237
238 238 # Set up initial sources.list
239 239 cat <<EOM >$R/etc/apt/sources.list
240 240 deb http://${APT_SERVER}/debian ${RELEASE} main contrib
241 241 #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib
242 242
243 243 deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
244 244 #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
245 245
246 246 deb http://security.debian.org/ ${RELEASE}/updates main contrib
247 247 #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib
248 248
249 249 deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
250 250 EOM
251 251
252 252 # Upgrade package index and update all installed packages and changed dependencies
253 253 LANG=C chroot $R apt-get -qq -y update
254 254 LANG=C chroot $R apt-get -qq -y -u dist-upgrade
255 255
256 256 # Set up default locale and keyboard configuration
257 257 if [ "$ENABLE_MINBASE" = false ] ; then
258 258 # Set locale choice in debconf db, even though dpkg-reconfigure ignores and overwrites them due to some bug
259 259 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684134 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685957
260 260 # ... so we have to set locales manually
261 261 if [ "$DEFLOCAL" = "en_US.UTF-8" ] ; then
262 262 LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections
263 263 else
264 264 # en_US.UTF-8 should be available anyway : https://www.debian.org/doc/manuals/debian-reference/ch08.en.html#_the_reconfiguration_of_the_locale
265 265 LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections
266 266 LANG=C chroot $R sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen
267 267 fi
268 268 LANG=C chroot $R sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen
269 269 LANG=C chroot $R echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections
270 270 LANG=C chroot $R locale-gen
271 271 LANG=C chroot $R update-locale LANG=${DEFLOCAL}
272 272
273 273 # Keyboard configuration, if requested
274 274 if [ "$XKBMODEL" != "" ] ; then
275 275 LANG=C chroot $R sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKBMODEL}\"/" /etc/default/keyboard
276 276 fi
277 277 if [ "$XKBLAYOUT" != "" ] ; then
278 278 LANG=C chroot $R sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKBLAYOUT}\"/" /etc/default/keyboard
279 279 fi
280 280 if [ "$XKBVARIANT" != "" ] ; then
281 281 LANG=C chroot $R sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKBVARIANT}\"/" /etc/default/keyboard
282 282 fi
283 283 if [ "$XKBOPTIONS" != "" ] ; then
284 284 LANG=C chroot $R sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKBOPTIONS}\"/" /etc/default/keyboard
285 285 fi
286 286 LANG=C chroot $R dpkg-reconfigure -f noninteractive keyboard-configuration
287 287 # Set up font console
288 288 case "${DEFLOCAL}" in
289 289 *UTF-8)
290 290 LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' /etc/default/console-setup
291 291 ;;
292 292 *)
293 293 LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="guess"/' /etc/default/console-setup
294 294 ;;
295 295 esac
296 296 LANG=C chroot $R dpkg-reconfigure -f noninteractive console-setup
297 297 fi
298 298
299 299 # Kernel installation
300 300 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
301 301 LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2
302 302 LANG=C chroot $R apt-get -qq -y install flash-kernel
303 303
304 304 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
305 305 [ -z "$VMLINUZ" ] && exit 1
306 306 mkdir -p $R/boot/firmware
307 307
308 308 # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")
309 309 wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin
310 310 wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat
311 311 wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat
312 312 wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat
313 313 wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf
314 314 wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf
315 315 wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf
316 316 cp $VMLINUZ $R/boot/firmware/kernel7.img
317 317
318 318 # Set up IPv4 hosts
319 319 echo ${HOSTNAME} >$R/etc/hostname
320 320 cat <<EOM >$R/etc/hosts
321 321 127.0.0.1 localhost
322 322 127.0.1.1 ${HOSTNAME}
323 323 EOM
324 324 if [ "$NET_ADDRESS" != "" ] ; then
325 325 NET_IP=$(echo ${NET_ADDRESS} | cut -f 1 -d'/')
326 326 sed -i "s/^127.0.1.1/${NET_IP}/" $R/etc/hosts
327 327 fi
328 328
329 329 # Set up IPv6 hosts
330 330 if [ "$ENABLE_IPV6" = true ] ; then
331 331 cat <<EOM >>$R/etc/hosts
332 332
333 333 ::1 localhost ip6-localhost ip6-loopback
334 334 ff02::1 ip6-allnodes
335 335 ff02::2 ip6-allrouters
336 336 EOM
337 337 fi
338 338
339 339 # Place hint about network configuration
340 340 cat <<EOM >$R/etc/network/interfaces
341 341 # Debian switched to systemd-networkd configuration files.
342 342 # please configure your networks in '/etc/systemd/network/'
343 343 EOM
344 344
345 345 if [ "$ENABLE_DHCP" = true ] ; then
346 346 # Enable systemd-networkd DHCP configuration for interface eth0
347 347 cat <<EOM >$R/etc/systemd/network/eth.network
348 348 [Match]
349 349 Name=eth0
350 350
351 351 [Network]
352 352 DHCP=yes
353 353 EOM
354 354
355 355 # Set DHCP configuration to IPv4 only
356 356 if [ "$ENABLE_IPV6" = false ] ; then
357 357 sed -i "s/^DHCP=yes/DHCP=v4/" $R/etc/systemd/network/eth.network
358 358 fi
359 359 else # ENABLE_DHCP=false
360 360 cat <<EOM >$R/etc/systemd/network/eth.network
361 361 [Match]
362 362 Name=eth0
363 363
364 364 [Network]
365 365 DHCP=no
366 366 Address=${NET_ADDRESS}
367 367 Gateway=${NET_GATEWAY}
368 368 DNS=${NET_DNS_1}
369 369 DNS=${NET_DNS_2}
370 370 Domains=${NET_DNS_DOMAINS}
371 371 NTP=${NET_NTP_1}
372 372 NTP=${NET_NTP_2}
373 373 EOM
374 374 fi
375 375
376 376 # Enable systemd-networkd service
377 377 LANG=C chroot $R systemctl enable systemd-networkd
378 378
379 379 # Generate crypt(3) password string
380 380 ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
381 381
382 382 # Set up default user
383 383 LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi
384 384 LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
385 385
386 386 # Set up root password
387 387 LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root
388 388
389 389 # Set up firmware boot cmdline
390 390 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
391 391
392 392 # Set up serial console support (if requested)
393 393 if [ "$ENABLE_CONSOLE" = true ] ; then
394 394 CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
395 395 fi
396 396
397 397 # Set up IPv6 networking support
398 398 if [ "$ENABLE_IPV6" = false ] ; then
399 399 CMDLINE="${CMDLINE} ipv6.disable=1"
400 400 fi
401 401
402 402 echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
403 403
404 404 # Set up firmware config
405 405 cat <<EOM >$R/boot/firmware/config.txt
406 406 # For more options and information see
407 407 # http://www.raspberrypi.org/documentation/configuration/config-txt.md
408 408 # Some settings may impact device functionality. See link above for details
409 409
410 410 # uncomment if you get no picture on HDMI for a default "safe" mode
411 411 #hdmi_safe=1
412 412
413 413 # uncomment this if your display has a black border of unused pixels visible
414 414 # and your display can output without overscan
415 415 #disable_overscan=1
416 416
417 417 # uncomment the following to adjust overscan. Use positive numbers if console
418 418 # goes off screen, and negative if there is too much border
419 419 #overscan_left=16
420 420 #overscan_right=16
421 421 #overscan_top=16
422 422 #overscan_bottom=16
423 423
424 424 # uncomment to force a console size. By default it will be display's size minus
425 425 # overscan.
426 426 #framebuffer_width=1280
427 427 #framebuffer_height=720
428 428
429 429 # uncomment if hdmi display is not detected and composite is being output
430 430 #hdmi_force_hotplug=1
431 431
432 432 # uncomment to force a specific HDMI mode (this will force VGA)
433 433 #hdmi_group=1
434 434 #hdmi_mode=1
435 435
436 436 # uncomment to force a HDMI mode rather than DVI. This can make audio work in
437 437 # DMT (computer monitor) modes
438 438 #hdmi_drive=2
439 439
440 440 # uncomment to increase signal to HDMI, if you have interference, blanking, or
441 441 # no display
442 442 #config_hdmi_boost=4
443 443
444 444 # uncomment for composite PAL
445 445 #sdtv_mode=2
446 446
447 447 # uncomment to overclock the arm. 700 MHz is the default.
448 448 #arm_freq=800
449 449 EOM
450 450
451 451 # Load snd_bcm2835 kernel module at boot time
452 452 if [ "$ENABLE_SOUND" = true ] ; then
453 453 echo "snd_bcm2835" >>$R/etc/modules
454 454 fi
455 455
456 456 # Set smallest possible GPU memory allocation size: 16MB (no X)
457 457 if [ "$ENABLE_MINGPU" = true ] ; then
458 458 echo "gpu_mem=16" >>$R/boot/firmware/config.txt
459 459 fi
460 460
461 461 # Create symlinks
462 462 ln -sf firmware/config.txt $R/boot/config.txt
463 463 ln -sf firmware/cmdline.txt $R/boot/cmdline.txt
464 464
465 465 # Prepare modules-load.d directory
466 466 mkdir -p $R/lib/modules-load.d/
467 467
468 468 # Load random module on boot
469 469 if [ "$ENABLE_HWRANDOM" = true ] ; then
470 470 cat <<EOM >$R/lib/modules-load.d/rpi2.conf
471 471 bcm2708_rng
472 472 EOM
473 473 fi
474 474
475 475 # Prepare modprobe.d directory
476 476 mkdir -p $R/etc/modprobe.d/
477 477
478 478 # Blacklist sound modules
479 479 cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf
480 480 blacklist snd_soc_core
481 481 blacklist snd_pcm
482 482 blacklist snd_pcm_dmaengine
483 483 blacklist snd_timer
484 484 blacklist snd_compress
485 485 blacklist snd_soc_pcm512x_i2c
486 486 blacklist snd_soc_pcm512x
487 487 blacklist snd_soc_tas5713
488 488 blacklist snd_soc_wm8804
489 489 EOM
490 490
491 491 # Create default fstab
492 492 cat <<EOM >$R/etc/fstab
493 493 /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
494 494 /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
495 495 EOM
496 496
497 497 # Avoid swapping and increase cache sizes
498 498 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
499 499
500 500 # Avoid swapping and increase cache sizes
501 501 vm.swappiness=1
502 502 vm.dirty_background_ratio=20
503 503 vm.dirty_ratio=40
504 504 vm.dirty_writeback_centisecs=500
505 505 vm.dirty_expire_centisecs=6000
506 506 EOM
507 507
508 508 # Enable network stack hardening
509 509 if [ "$ENABLE_HARDNET" = true ] ; then
510 510 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
511 511
512 512 # Enable network stack hardening
513 513 net.ipv4.tcp_timestamps=0
514 514 net.ipv4.tcp_syncookies=1
515 515 net.ipv4.conf.all.rp_filter=1
516 516 net.ipv4.conf.all.accept_redirects=0
517 517 net.ipv4.conf.all.send_redirects=0
518 518 net.ipv4.conf.all.accept_source_route=0
519 519 net.ipv4.conf.default.rp_filter=1
520 520 net.ipv4.conf.default.accept_redirects=0
521 521 net.ipv4.conf.default.send_redirects=0
522 522 net.ipv4.conf.default.accept_source_route=0
523 523 net.ipv4.conf.lo.accept_redirects=0
524 524 net.ipv4.conf.lo.send_redirects=0
525 525 net.ipv4.conf.lo.accept_source_route=0
526 526 net.ipv4.conf.eth0.accept_redirects=0
527 527 net.ipv4.conf.eth0.send_redirects=0
528 528 net.ipv4.conf.eth0.accept_source_route=0
529 529 net.ipv4.icmp_echo_ignore_broadcasts=1
530 530 net.ipv4.icmp_ignore_bogus_error_responses=1
531 531
532 532 net.ipv6.conf.all.accept_redirects=0
533 533 net.ipv6.conf.all.accept_source_route=0
534 534 net.ipv6.conf.all.router_solicitations=0
535 535 net.ipv6.conf.all.accept_ra_rtr_pref=0
536 536 net.ipv6.conf.all.accept_ra_pinfo=0
537 537 net.ipv6.conf.all.accept_ra_defrtr=0
538 538 net.ipv6.conf.all.autoconf=0
539 539 net.ipv6.conf.all.dad_transmits=0
540 540 net.ipv6.conf.all.max_addresses=1
541 541
542 542 net.ipv6.conf.default.accept_redirects=0
543 543 net.ipv6.conf.default.accept_source_route=0
544 544 net.ipv6.conf.default.router_solicitations=0
545 545 net.ipv6.conf.default.accept_ra_rtr_pref=0
546 546 net.ipv6.conf.default.accept_ra_pinfo=0
547 547 net.ipv6.conf.default.accept_ra_defrtr=0
548 548 net.ipv6.conf.default.autoconf=0
549 549 net.ipv6.conf.default.dad_transmits=0
550 550 net.ipv6.conf.default.max_addresses=1
551 551
552 552 net.ipv6.conf.lo.accept_redirects=0
553 553 net.ipv6.conf.lo.accept_source_route=0
554 554 net.ipv6.conf.lo.router_solicitations=0
555 555 net.ipv6.conf.lo.accept_ra_rtr_pref=0
556 556 net.ipv6.conf.lo.accept_ra_pinfo=0
557 557 net.ipv6.conf.lo.accept_ra_defrtr=0
558 558 net.ipv6.conf.lo.autoconf=0
559 559 net.ipv6.conf.lo.dad_transmits=0
560 560 net.ipv6.conf.lo.max_addresses=1
561 561
562 562 net.ipv6.conf.eth0.accept_redirects=0
563 563 net.ipv6.conf.eth0.accept_source_route=0
564 564 net.ipv6.conf.eth0.router_solicitations=0
565 565 net.ipv6.conf.eth0.accept_ra_rtr_pref=0
566 566 net.ipv6.conf.eth0.accept_ra_pinfo=0
567 567 net.ipv6.conf.eth0.accept_ra_defrtr=0
568 568 net.ipv6.conf.eth0.autoconf=0
569 569 net.ipv6.conf.eth0.dad_transmits=0
570 570 net.ipv6.conf.eth0.max_addresses=1
571 571 EOM
572 572
573 573 # Enable resolver warnings about spoofed addresses
574 574 cat <<EOM >>$R/etc/host.conf
575 575 spoof warn
576 576 EOM
577 577 fi
578 578
579 579 # Regenerate openssh server host keys
580 580 if [ "$ENABLE_SSHD" = true ] ; then
581 581 rm -fr $R/etc/ssh/ssh_host_*
582 582 LANG=C chroot $R dpkg-reconfigure openssh-server
583 583 fi
584 584
585 585 # Enable serial console systemd style
586 586 if [ "$ENABLE_CONSOLE" = true ] ; then
587 587 LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service
588 588 fi
589 589
590 590 # Enable firewall based on iptables started by systemd service
591 591 if [ "$ENABLE_IPTABLES" = true ] ; then
592 592 # Create iptables configuration directory
593 593 mkdir -p "$R/etc/iptables"
594 594
595 595 # Create iptables systemd service
596 596 cat <<EOM >$R/etc/systemd/system/iptables.service
597 597 [Unit]
598 598 Description=Packet Filtering Framework
599 599 DefaultDependencies=no
600 600 After=systemd-sysctl.service
601 601 Before=sysinit.target
602 602 [Service]
603 603 Type=oneshot
604 604 ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
605 605 ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
606 606 ExecStop=/etc/iptables/flush-iptables.sh
607 607 RemainAfterExit=yes
608 608 [Install]
609 609 WantedBy=multi-user.target
610 610 EOM
611 611
612 612 # Create flush-table script called by iptables service
613 613 cat <<EOM >$R/etc/iptables/flush-iptables.sh
614 614 #!/bin/sh
615 615 iptables -F
616 616 iptables -X
617 617 iptables -t nat -F
618 618 iptables -t nat -X
619 619 iptables -t mangle -F
620 620 iptables -t mangle -X
621 621 iptables -P INPUT ACCEPT
622 622 iptables -P FORWARD ACCEPT
623 623 iptables -P OUTPUT ACCEPT
624 624 EOM
625 625
626 626 # Create iptables rule file
627 627 cat <<EOM >$R/etc/iptables/iptables.rules
628 628 *filter
629 629 :INPUT DROP [0:0]
630 630 :FORWARD DROP [0:0]
631 631 :OUTPUT ACCEPT [0:0]
632 632 :TCP - [0:0]
633 633 :UDP - [0:0]
634 634 :SSH - [0:0]
635 635
636 636 # Rate limit ping requests
637 637 -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
638 638 -A INPUT -p icmp --icmp-type echo-request -j DROP
639 639
640 640 # Accept established connections
641 641 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
642 642
643 643 # Accept all traffic on loopback interface
644 644 -A INPUT -i lo -j ACCEPT
645 645
646 646 # Drop packets declared invalid
647 647 -A INPUT -m conntrack --ctstate INVALID -j DROP
648 648
649 649 # SSH rate limiting
650 650 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
651 651 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
652 652 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
653 653 -A SSH -m recent --name sshbf --set -j ACCEPT
654 654
655 655 # Send TCP and UDP connections to their respective rules chain
656 656 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
657 657 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
658 658
659 659 # Reject dropped packets with a RFC compliant responce
660 660 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
661 661 -A INPUT -p tcp -j REJECT --reject-with tcp-rst
662 662 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
663 663
664 664 ## TCP PORT RULES
665 665 # -A TCP -p tcp -j LOG
666 666
667 667 ## UDP PORT RULES
668 668 # -A UDP -p udp -j LOG
669 669
670 670 COMMIT
671 671 EOM
672 672
673 673 # Reload systemd configuration and enable iptables service
674 674 LANG=C chroot $R systemctl daemon-reload
675 675 LANG=C chroot $R systemctl enable iptables.service
676 676
677 677 if [ "$ENABLE_IPV6" = true ] ; then
678 678 # Create ip6tables systemd service
679 679 cat <<EOM >$R/etc/systemd/system/ip6tables.service
680 680 [Unit]
681 681 Description=Packet Filtering Framework
682 682 DefaultDependencies=no
683 683 After=systemd-sysctl.service
684 684 Before=sysinit.target
685 685 [Service]
686 686 Type=oneshot
687 687 ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
688 688 ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
689 689 ExecStop=/etc/iptables/flush-ip6tables.sh
690 690 RemainAfterExit=yes
691 691 [Install]
692 692 WantedBy=multi-user.target
693 693 EOM
694 694
695 695 # Create ip6tables file
696 696 cat <<EOM >$R/etc/iptables/flush-ip6tables.sh
697 697 #!/bin/sh
698 698 ip6tables -F
699 699 ip6tables -X
700 700 ip6tables -Z
701 701 for table in $(</proc/net/ip6_tables_names)
702 702 do
703 703 ip6tables -t \$table -F
704 704 ip6tables -t \$table -X
705 705 ip6tables -t \$table -Z
706 706 done
707 707 ip6tables -P INPUT ACCEPT
708 708 ip6tables -P OUTPUT ACCEPT
709 709 ip6tables -P FORWARD ACCEPT
710 710 EOM
711 711
712 712 # Create ip6tables rule file
713 713 cat <<EOM >$R/etc/iptables/ip6tables.rules
714 714 *filter
715 715 :INPUT DROP [0:0]
716 716 :FORWARD DROP [0:0]
717 717 :OUTPUT ACCEPT [0:0]
718 718 :TCP - [0:0]
719 719 :UDP - [0:0]
720 720 :SSH - [0:0]
721 721
722 722 # Drop packets with RH0 headers
723 723 -A INPUT -m rt --rt-type 0 -j DROP
724 724 -A OUTPUT -m rt --rt-type 0 -j DROP
725 725 -A FORWARD -m rt --rt-type 0 -j DROP
726 726
727 727 # Rate limit ping requests
728 728 -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
729 729 -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
730 730
731 731 # Accept established connections
732 732 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
733 733
734 734 # Accept all traffic on loopback interface
735 735 -A INPUT -i lo -j ACCEPT
736 736
737 737 # Drop packets declared invalid
738 738 -A INPUT -m conntrack --ctstate INVALID -j DROP
739 739
740 740 # SSH rate limiting
741 741 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
742 742 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
743 743 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
744 744 -A SSH -m recent --name sshbf --set -j ACCEPT
745 745
746 746 # Send TCP and UDP connections to their respective rules chain
747 747 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
748 748 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
749 749
750 750 # Reject dropped packets with a RFC compliant responce
751 751 -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
752 752 -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
753 753 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
754 754
755 755 ## TCP PORT RULES
756 756 # -A TCP -p tcp -j LOG
757 757
758 758 ## UDP PORT RULES
759 759 # -A UDP -p udp -j LOG
760 760
761 761 COMMIT
762 762 EOM
763 763
764 764 # Reload systemd configuration and enable iptables service
765 765 LANG=C chroot $R systemctl daemon-reload
766 766 LANG=C chroot $R systemctl enable ip6tables.service
767 767 fi
768 768 fi
769 769
770 770 # Remove SSHD related iptables rules
771 771 if [ "$ENABLE_SSHD" = false ] ; then
772 772 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/iptables.rules 2> /dev/null
773 773 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/ip6tables.rules 2> /dev/null
774 774 fi
775 775
776 776 # Install gcc/c++ build environment inside the chroot
777 777 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
778 778 LANG=C chroot $R apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
779 779 fi
780 780
781 781 # Fetch and build U-Boot bootloader
782 782 if [ "$ENABLE_UBOOT" = true ] ; then
783 783 # Fetch U-Boot bootloader sources
784 784 git -C $R/tmp clone git://git.denx.de/u-boot.git
785 785
786 786 # Build and install U-Boot inside chroot
787 787 LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all
788 788
789 789 # Copy compiled bootloader binary and set config.txt to load it
790 790 cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
791 791 printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
792 792
793 793 # Set U-Boot command file
794 794 cat <<EOM >$R/boot/firmware/uboot.mkimage
795 795 # Tell Linux that it is booting on a Raspberry Pi2
796 796 setenv machid 0x00000c42
797 797
798 798 # Set the kernel boot command line
799 799 setenv bootargs "earlyprintk ${CMDLINE}"
800 800
801 801 # Save these changes to u-boot's environment
802 802 saveenv
803 803
804 804 # Load the existing Linux kernel into RAM
805 805 fatload mmc 0:1 \${kernel_addr_r} kernel7.img
806 806
807 807 # Boot the kernel we have just loaded
808 808 bootz \${kernel_addr_r}
809 809 EOM
810 810
811 811 # Generate U-Boot image from command file
812 812 LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
813 813 fi
814 814
815 815 # Fetch and build fbturbo Xorg driver
816 816 if [ "$ENABLE_FBTURBO" = true ] ; then
817 817 # Fetch fbturbo driver sources
818 818 git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git
819 819
820 820 # Install Xorg build dependencies
821 821 LANG=C chroot $R apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
822 822
823 823 # Build and install fbturbo driver inside chroot
824 824 LANG=C chroot $R /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install"
825 825
826 826 # Add fbturbo driver to Xorg configuration
827 827 cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf
828 828 Section "Device"
829 829 Identifier "Allwinner A10/A13 FBDEV"
830 830 Driver "fbturbo"
831 831 Option "fbdev" "/dev/fb0"
832 832 Option "SwapbuffersWait" "true"
833 833 EndSection
834 834 EOM
835 835
836 836 # Remove Xorg build dependencies
837 837 LANG=C chroot $R apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
838 838 fi
839 839
840 840 # Remove gcc/c++ build environment from the chroot
841 841 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
842 842 LANG=C chroot $R apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
843 843 fi
844 844
845 845 # Clean cached downloads
846 846 LANG=C chroot $R apt-get -y clean
847 847 LANG=C chroot $R apt-get -y autoclean
848 848 LANG=C chroot $R apt-get -y autoremove
849 849
850 850 # Unmount mounted filesystems
851 851 umount -l $R/proc
852 852 umount -l $R/sys
853 853
854 854 # Clean up files
855 855 rm -f $R/etc/apt/sources.list.save
856 856 rm -f $R/etc/resolvconf/resolv.conf.d/original
857 857 rm -rf $R/run
858 858 mkdir -p $R/run
859 859 rm -f $R/etc/*-
860 860 rm -f $R/root/.bash_history
861 861 rm -rf $R/tmp/*
862 862 rm -f $R/var/lib/urandom/random-seed
863 863 [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id
864 864 rm -f $R/etc/machine-id
865 865 rm -fr $R/etc/apt/apt.conf.d/10proxy
866 866
867 # Calculate size of the chroot directory
868 CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)
867 # Calculate size of the chroot directory in KB
868 CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'`)
869 869
870 # Calculate required image size
871 IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`
870 # Calculate the amount of needed 512 Byte sectors
871 TABLE_SECTORS=$(expr 1 \* 1024 \* 1024 \/ 512)
872 BOOT_SECTORS=$(expr 64 \* 1024 \* 1024 \/ 512)
873 ROOT_OFFSET=$(expr ${TABLE_SECTORS} + ${BOOT_SECTORS})
872 874
873 # Calculate number of sectors for the partition
874 IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`
875 # The root partition is EXT4
876 # This means more space than the actual used space of the chroot is used.
877 # As overhead for journaling and reserved blocks 20% are added.
878 ROOT_SECTORS=$(expr $(expr ${CHROOT_SIZE} + ${CHROOT_SIZE} \/ 100 \* 20) \* 1024 \/ 512)
879
880 # Calculate required image size in 512 Byte sectors
881 IMAGE_SECTORS=$(expr ${TABLE_SECTORS} + ${BOOT_SECTORS} + ${ROOT_SECTORS})
875 882
876 883 # Prepare date string for image file name
877 884 DATE="$(date +%Y-%m-%d)"
878 885
879 886 # Prepare image file
880 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1
881 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}
887 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count=${TABLE_SECTORS}
888 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count=0 seek=${IMAGE_SECTORS}
882 889
883 890 # Write partition table
884 sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
891 sfdisk -q -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
885 892 unit: sectors
886 893
887 1 : start= 2048, size= 131072, Id= c, bootable
888 2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83
889 3 : start= 0, size= 0, Id= 0
890 4 : start= 0, size= 0, Id= 0
894 1 : start= ${TABLE_SECTORS}, size= ${BOOT_SECTORS}, Id= c, bootable
895 2 : start= ${ROOT_OFFSET}, size= ${ROOT_SECTORS}, Id=83
896 3 : start= 0, size= 0, Id= 0
897 4 : start= 0, size= 0, Id= 0
891 898 EOM
892 899
893 900 # Set up temporary loop devices and build filesystems
894 901 VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
895 EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
902 EXT4_LOOP="$(losetup -o 65M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
896 903 mkfs.vfat "$VFAT_LOOP"
897 904 mkfs.ext4 "$EXT4_LOOP"
898 905
899 906 # Mount the temporary loop devices
900 907 mkdir -p "$BUILDDIR/mount"
901 908 mount "$EXT4_LOOP" "$BUILDDIR/mount"
902 909
903 910 mkdir -p "$BUILDDIR/mount/boot/firmware"
904 911 mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"
905 912
906 913 # Copy all files from the chroot to the loop device mount point directory
907 914 rsync -a "$R/" "$BUILDDIR/mount/"
908 915
909 916 # Unmount all temporary loop devices and mount points
910 917 cleanup
911 918
912 919 # (optinal) create block map file for "bmaptool"
913 920 bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
914 921
915 922 # Image was successfully created
916 923 echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"