##// END OF EJS Templates
Cleanup code by spliting files
Filip Pytloun -
r47:a2923b42dbd0
parent child
Show More
@@ -0,0 +1,43
1 # For more options and information see
2 # http://www.raspberrypi.org/documentation/configuration/config-txt.md
3 # Some settings may impact device functionality. See link above for details
4
5 # uncomment if you get no picture on HDMI for a default "safe" mode
6 #hdmi_safe=1
7
8 # uncomment this if your display has a black border of unused pixels visible
9 # and your display can output without overscan
10 #disable_overscan=1
11
12 # uncomment the following to adjust overscan. Use positive numbers if console
13 # goes off screen, and negative if there is too much border
14 #overscan_left=16
15 #overscan_right=16
16 #overscan_top=16
17 #overscan_bottom=16
18
19 # uncomment to force a console size. By default it will be display's size minus
20 # overscan.
21 #framebuffer_width=1280
22 #framebuffer_height=720
23
24 # uncomment if hdmi display is not detected and composite is being output
25 #hdmi_force_hotplug=1
26
27 # uncomment to force a specific HDMI mode (this will force VGA)
28 #hdmi_group=1
29 #hdmi_mode=1
30
31 # uncomment to force a HDMI mode rather than DVI. This can make audio work in
32 # DMT (computer monitor) modes
33 #hdmi_drive=2
34
35 # uncomment to increase signal to HDMI, if you have interference, blanking, or
36 # no display
37 #config_hdmi_boost=4
38
39 # uncomment for composite PAL
40 #sdtv_mode=2
41
42 # uncomment to overclock the arm. 700 MHz is the default.
43 #arm_freq=800
@@ -0,0 +1,2
1 #!/bin/sh -e
2 logger -t "rc.firstboot" "Starting first boot actions"
@@ -0,0 +1,8
1 logger -t "rc.firstboot" "Generating SSH host keys"
2 rm -f /etc/ssh/ssh_host_*
3 ssh-keygen -q -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key
4 ssh-keygen -q -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key
5 ssh-keygen -q -t ecdsa -N "" -f /etc/ssh/ssh_host_ecdsa_key
6 ssh-keygen -q -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key
7
8 systemctl restart sshd
@@ -0,0 +1,52
1 logger -t "rc.firstboot" "Expanding root"
2 ROOT_PART=$(mount | sed -n 's|^/dev/\(.*\) on / .*|\1|p')
3 PART_NUM=$(echo ${ROOT_PART} | grep -o '[1-9][0-9]*$')
4 case "${ROOT_PART}" in
5 mmcblk0*) ROOT_DEV=mmcblk0 ;;
6 sda*) ROOT_DEV=sda ;;
7 esac
8 if [ "$PART_NUM" = "$ROOT_PART" ]; then
9 logger -t "rc.firstboot" "$ROOT_PART is not an SD card. Don't know how to expand"
10 return 0
11 fi
12
13 # NOTE: the NOOBS partition layout confuses parted. For now, let's only
14 # agree to work with a sufficiently simple partition layout
15 if [ "$PART_NUM" -gt 2 ]; then
16 logger -t "rc.firstboot" "Your partition layout is not currently supported by this tool."
17 return 0
18 fi
19 LAST_PART_NUM=$(parted /dev/${ROOT_DEV} -ms unit s p | tail -n 1 | cut -f 1 -d:)
20 if [ $LAST_PART_NUM -ne $PART_NUM ]; then
21 logger -t "rc.firstboot" "$ROOT_PART is not the last partition. Don't know how to expand"
22 return 0
23 fi
24
25 # Get the starting offset of the root partition
26 PART_START=$(parted /dev/${ROOT_DEV} -ms unit s p | grep "^${PART_NUM}" | cut -f 2 -d: | sed 's/[^0-9]//g')
27 [ "$PART_START" ] || return 1
28
29 # Get the possible last sector for the root partition
30 PART_LAST=$(fdisk -l /dev/${ROOT_DEV} | grep '^Disk.*sectors' | awk '{ print $7 - 1 }')
31 [ "$PART_LAST" ] || return 1
32
33 # Return value will likely be error for fdisk as it fails to reload the
34 # partition table because the root fs is mounted
35 ### Since rc.local is run with "sh -e", let's add "|| true" to prevent premature exit
36 fdisk /dev/${ROOT_DEV} <<EOF2 || true
37 p
38 d
39 $PART_NUM
40 n
41 p
42 $PART_NUM
43 $PART_START
44 $PART_LAST
45 p
46 w
47 EOF2
48
49 # Reload the partition table, resize root filesystem then remove resizing code from this file
50 partprobe &&
51 resize2fs /dev/${ROOT_PART} &&
52 logger -t "rc.firstboot" "Root partition successfuly resized."
@@ -0,0 +1,3
1 logger -t "rc.firstboot" "First boot actions finished"
2 rm -f /etc/rc.firstboot
3 sed -i '/.*rc.firstboot/d' /etc/rc.local
@@ -0,0 +1,2
1 /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
2 /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
@@ -0,0 +1,15
1 #!/bin/sh
2 ip6tables -F
3 ip6tables -X
4 ip6tables -Z
5
6 for table in $(</proc/net/ip6_tables_names)
7 do
8 ip6tables -t \$table -F
9 ip6tables -t \$table -X
10 ip6tables -t \$table -Z
11 done
12
13 ip6tables -P INPUT ACCEPT
14 ip6tables -P OUTPUT ACCEPT
15 ip6tables -P FORWARD ACCEPT
@@ -0,0 +1,10
1 #!/bin/sh
2 iptables -F
3 iptables -X
4 iptables -t nat -F
5 iptables -t nat -X
6 iptables -t mangle -F
7 iptables -t mangle -X
8 iptables -P INPUT ACCEPT
9 iptables -P FORWARD ACCEPT
10 iptables -P OUTPUT ACCEPT
@@ -0,0 +1,48
1 *filter
2 :INPUT DROP [0:0]
3 :FORWARD DROP [0:0]
4 :OUTPUT ACCEPT [0:0]
5 :TCP - [0:0]
6 :UDP - [0:0]
7 :SSH - [0:0]
8
9 # Drop packets with RH0 headers
10 -A INPUT -m rt --rt-type 0 -j DROP
11 -A OUTPUT -m rt --rt-type 0 -j DROP
12 -A FORWARD -m rt --rt-type 0 -j DROP
13
14 # Rate limit ping requests
15 -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
16 -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
17
18 # Accept established connections
19 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
20
21 # Accept all traffic on loopback interface
22 -A INPUT -i lo -j ACCEPT
23
24 # Drop packets declared invalid
25 -A INPUT -m conntrack --ctstate INVALID -j DROP
26
27 # SSH rate limiting
28 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
29 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
30 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
31 -A SSH -m recent --name sshbf --set -j ACCEPT
32
33 # Send TCP and UDP connections to their respective rules chain
34 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
35 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
36
37 # Reject dropped packets with a RFC compliant responce
38 -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
39 -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
40 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
41
42 ## TCP PORT RULES
43 # -A TCP -p tcp -j LOG
44
45 ## UDP PORT RULES
46 # -A UDP -p udp -j LOG
47
48 COMMIT
@@ -0,0 +1,15
1 [Unit]
2 Description=Packet Filtering Framework
3 DefaultDependencies=no
4 After=systemd-sysctl.service
5 Before=sysinit.target
6
7 [Service]
8 Type=oneshot
9 ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
10 ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
11 ExecStop=/etc/iptables/flush-ip6tables.sh
12 RemainAfterExit=yes
13
14 [Install]
15 WantedBy=multi-user.target
@@ -0,0 +1,43
1 *filter
2 :INPUT DROP [0:0]
3 :FORWARD DROP [0:0]
4 :OUTPUT ACCEPT [0:0]
5 :TCP - [0:0]
6 :UDP - [0:0]
7 :SSH - [0:0]
8
9 # Rate limit ping requests
10 -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
11 -A INPUT -p icmp --icmp-type echo-request -j DROP
12
13 # Accept established connections
14 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
15
16 # Accept all traffic on loopback interface
17 -A INPUT -i lo -j ACCEPT
18
19 # Drop packets declared invalid
20 -A INPUT -m conntrack --ctstate INVALID -j DROP
21
22 # SSH rate limiting
23 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
24 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
25 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
26 -A SSH -m recent --name sshbf --set -j ACCEPT
27
28 # Send TCP and UDP connections to their respective rules chain
29 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
30 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
31
32 # Reject dropped packets with a RFC compliant responce
33 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
34 -A INPUT -p tcp -j REJECT --reject-with tcp-rst
35 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
36
37 ## TCP PORT RULES
38 # -A TCP -p tcp -j LOG
39
40 ## UDP PORT RULES
41 # -A UDP -p udp -j LOG
42
43 COMMIT
@@ -0,0 +1,15
1 [Unit]
2 Description=Packet Filtering Framework
3 DefaultDependencies=no
4 After=systemd-sysctl.service
5 Before=sysinit.target
6
7 [Service]
8 Type=oneshot
9 ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
10 ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
11 ExecStop=/etc/iptables/flush-iptables.sh
12 RemainAfterExit=yes
13
14 [Install]
15 WantedBy=multi-user.target
@@ -0,0 +1,9
1 blacklist snd_soc_core
2 blacklist snd_pcm
3 blacklist snd_pcm_dmaengine
4 blacklist snd_timer
5 blacklist snd_compress
6 blacklist snd_soc_pcm512x_i2c
7 blacklist snd_soc_pcm512x
8 blacklist snd_soc_tas5713
9 blacklist snd_soc_wm8804
@@ -0,0 +1,6
1 # Avoid swapping and increase cache sizes
2 vm.swappiness=1
3 vm.dirty_background_ratio=20
4 vm.dirty_ratio=40
5 vm.dirty_writeback_centisecs=500
6 vm.dirty_expire_centisecs=6000
@@ -0,0 +1,59
1 # Enable network stack hardening
2 net.ipv4.tcp_timestamps=0
3 net.ipv4.tcp_syncookies=1
4 net.ipv4.conf.all.rp_filter=1
5 net.ipv4.conf.all.accept_redirects=0
6 net.ipv4.conf.all.send_redirects=0
7 net.ipv4.conf.all.accept_source_route=0
8 net.ipv4.conf.default.rp_filter=1
9 net.ipv4.conf.default.accept_redirects=0
10 net.ipv4.conf.default.send_redirects=0
11 net.ipv4.conf.default.accept_source_route=0
12 net.ipv4.conf.lo.accept_redirects=0
13 net.ipv4.conf.lo.send_redirects=0
14 net.ipv4.conf.lo.accept_source_route=0
15 net.ipv4.conf.eth0.accept_redirects=0
16 net.ipv4.conf.eth0.send_redirects=0
17 net.ipv4.conf.eth0.accept_source_route=0
18 net.ipv4.icmp_echo_ignore_broadcasts=1
19 net.ipv4.icmp_ignore_bogus_error_responses=1
20
21 net.ipv6.conf.all.accept_redirects=0
22 net.ipv6.conf.all.accept_source_route=0
23 net.ipv6.conf.all.router_solicitations=0
24 net.ipv6.conf.all.accept_ra_rtr_pref=0
25 net.ipv6.conf.all.accept_ra_pinfo=0
26 net.ipv6.conf.all.accept_ra_defrtr=0
27 net.ipv6.conf.all.autoconf=0
28 net.ipv6.conf.all.dad_transmits=0
29 net.ipv6.conf.all.max_addresses=1
30
31 net.ipv6.conf.default.accept_redirects=0
32 net.ipv6.conf.default.accept_source_route=0
33 net.ipv6.conf.default.router_solicitations=0
34 net.ipv6.conf.default.accept_ra_rtr_pref=0
35 net.ipv6.conf.default.accept_ra_pinfo=0
36 net.ipv6.conf.default.accept_ra_defrtr=0
37 net.ipv6.conf.default.autoconf=0
38 net.ipv6.conf.default.dad_transmits=0
39 net.ipv6.conf.default.max_addresses=1
40
41 net.ipv6.conf.lo.accept_redirects=0
42 net.ipv6.conf.lo.accept_source_route=0
43 net.ipv6.conf.lo.router_solicitations=0
44 net.ipv6.conf.lo.accept_ra_rtr_pref=0
45 net.ipv6.conf.lo.accept_ra_pinfo=0
46 net.ipv6.conf.lo.accept_ra_defrtr=0
47 net.ipv6.conf.lo.autoconf=0
48 net.ipv6.conf.lo.dad_transmits=0
49 net.ipv6.conf.lo.max_addresses=1
50
51 net.ipv6.conf.eth0.accept_redirects=0
52 net.ipv6.conf.eth0.accept_source_route=0
53 net.ipv6.conf.eth0.router_solicitations=0
54 net.ipv6.conf.eth0.accept_ra_rtr_pref=0
55 net.ipv6.conf.eth0.accept_ra_pinfo=0
56 net.ipv6.conf.eth0.accept_ra_defrtr=0
57 net.ipv6.conf.eth0.autoconf=0
58 net.ipv6.conf.eth0.dad_transmits=0
59 net.ipv6.conf.eth0.max_addresses=1
@@ -1,1016 +1,684
1 #!/bin/sh
1 #!/bin/sh
2
2
3 ########################################################################
3 ########################################################################
4 # rpi2-gen-image.sh ver2a 12/2015
4 # rpi2-gen-image.sh ver2a 12/2015
5 #
5 #
6 # Advanced debian "jessie" bootstrap script for RPi2
6 # Advanced debian "jessie" bootstrap script for RPi2
7 #
7 #
8 # This program is free software; you can redistribute it and/or
8 # This program is free software; you can redistribute it and/or
9 # modify it under the terms of the GNU General Public License
9 # modify it under the terms of the GNU General Public License
10 # as published by the Free Software Foundation; either version 2
10 # as published by the Free Software Foundation; either version 2
11 # of the License, or (at your option) any later version.
11 # of the License, or (at your option) any later version.
12 #
12 #
13 # some parts based on rpi2-build-image:
13 # some parts based on rpi2-build-image:
14 # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
14 # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
15 # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
15 # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
16 ########################################################################
16 ########################################################################
17
17
18 # Clean up all temporary mount points
18 # Clean up all temporary mount points
19 cleanup (){
19 cleanup (){
20 set +x
20 set +x
21 set +e
21 set +e
22 echo "removing temporary mount points ..."
22 echo "removing temporary mount points ..."
23 umount -l $R/proc 2> /dev/null
23 umount -l $R/proc 2> /dev/null
24 umount -l $R/sys 2> /dev/null
24 umount -l $R/sys 2> /dev/null
25 umount -l $R/dev/pts 2> /dev/null
25 umount -l $R/dev/pts 2> /dev/null
26 umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
26 umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
27 umount "$BUILDDIR/mount" 2> /dev/null
27 umount "$BUILDDIR/mount" 2> /dev/null
28 losetup -d "$EXT4_LOOP" 2> /dev/null
28 losetup -d "$EXT4_LOOP" 2> /dev/null
29 losetup -d "$VFAT_LOOP" 2> /dev/null
29 losetup -d "$VFAT_LOOP" 2> /dev/null
30 trap - 0 1 2 3 6
30 trap - 0 1 2 3 6
31 }
31 }
32
32
33 # Exec command in chroot
33 # Exec command in chroot
34 chroot_exec() {
34 chroot_exec() {
35 LANG=C LC_ALL=C chroot $R $*
35 LANG=C LC_ALL=C chroot $R $*
36 }
36 }
37
37
38 set -e
38 set -e
39 set -x
39 set -x
40
40
41 # Debian release
41 # Debian release
42 RELEASE=${RELEASE:=jessie}
42 RELEASE=${RELEASE:=jessie}
43 KERNEL=${KERNEL:=3.18.0-trunk-rpi2}
43 KERNEL=${KERNEL:=3.18.0-trunk-rpi2}
44
44
45 # Build settings
45 # Build settings
46 BASEDIR=./images/${RELEASE}
46 BASEDIR=./images/${RELEASE}
47 BUILDDIR=${BASEDIR}/build
47 BUILDDIR=${BASEDIR}/build
48
48
49 # General settings
49 # General settings
50 HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
50 HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
51 PASSWORD=${PASSWORD:=raspberry}
51 PASSWORD=${PASSWORD:=raspberry}
52 DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
52 DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
53 TIMEZONE=${TIMEZONE:="Europe/Berlin"}
53 TIMEZONE=${TIMEZONE:="Europe/Berlin"}
54 XKBMODEL=${XKBMODEL:=""}
54 XKBMODEL=${XKBMODEL:=""}
55 XKBLAYOUT=${XKBLAYOUT:=""}
55 XKBLAYOUT=${XKBLAYOUT:=""}
56 XKBVARIANT=${XKBVARIANT:=""}
56 XKBVARIANT=${XKBVARIANT:=""}
57 XKBOPTIONS=${XKBOPTIONS:=""}
57 XKBOPTIONS=${XKBOPTIONS:=""}
58 EXPANDROOT=${EXPANDROOT:=true}
58 EXPANDROOT=${EXPANDROOT:=true}
59
59
60 # Network settings
60 # Network settings
61 ENABLE_DHCP=${ENABLE_DHCP:=true}
61 ENABLE_DHCP=${ENABLE_DHCP:=true}
62 # NET_* settings are ignored when ENABLE_DHCP=true
62 # NET_* settings are ignored when ENABLE_DHCP=true
63 # NET_ADDRESS is an IPv4 or IPv6 address and its prefix, separated by "/"
63 # NET_ADDRESS is an IPv4 or IPv6 address and its prefix, separated by "/"
64 NET_ADDRESS=${NET_ADDRESS:=""}
64 NET_ADDRESS=${NET_ADDRESS:=""}
65 NET_GATEWAY=${NET_GATEWAY:=""}
65 NET_GATEWAY=${NET_GATEWAY:=""}
66 NET_DNS_1=${NET_DNS_1:=""}
66 NET_DNS_1=${NET_DNS_1:=""}
67 NET_DNS_2=${NET_DNS_2:=""}
67 NET_DNS_2=${NET_DNS_2:=""}
68 NET_DNS_DOMAINS=${NET_DNS_DOMAINS:=""}
68 NET_DNS_DOMAINS=${NET_DNS_DOMAINS:=""}
69 NET_NTP_1=${NET_NTP_1:=""}
69 NET_NTP_1=${NET_NTP_1:=""}
70 NET_NTP_2=${NET_NTP_2:=""}
70 NET_NTP_2=${NET_NTP_2:=""}
71
71
72 # APT settings
72 # APT settings
73 APT_PROXY=${APT_PROXY:=""}
73 APT_PROXY=${APT_PROXY:=""}
74 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
74 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
75
75
76 # Feature settings
76 # Feature settings
77 ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
77 ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
78 ENABLE_IPV6=${ENABLE_IPV6:=true}
78 ENABLE_IPV6=${ENABLE_IPV6:=true}
79 ENABLE_SSHD=${ENABLE_SSHD:=true}
79 ENABLE_SSHD=${ENABLE_SSHD:=true}
80 ENABLE_SOUND=${ENABLE_SOUND:=true}
80 ENABLE_SOUND=${ENABLE_SOUND:=true}
81 ENABLE_DBUS=${ENABLE_DBUS:=true}
81 ENABLE_DBUS=${ENABLE_DBUS:=true}
82 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
82 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
83 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
83 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
84 ENABLE_XORG=${ENABLE_XORG:=false}
84 ENABLE_XORG=${ENABLE_XORG:=false}
85 ENABLE_WM=${ENABLE_WM:=""}
85 ENABLE_WM=${ENABLE_WM:=""}
86 ENABLE_RSYSLOG=${ENABLE_RSYSLOG:=true}
86 ENABLE_RSYSLOG=${ENABLE_RSYSLOG:=true}
87 ENABLE_USER=${ENABLE_USER:=true}
87 ENABLE_USER=${ENABLE_USER:=true}
88 ENABLE_ROOT=${ENABLE_ROOT:=false}
88 ENABLE_ROOT=${ENABLE_ROOT:=false}
89 ENABLE_ROOT_SSH=${ENABLE_ROOT_SSH:=false}
89 ENABLE_ROOT_SSH=${ENABLE_ROOT_SSH:=false}
90
90
91 # Advanced settings
91 # Advanced settings
92 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
92 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
93 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
93 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
94 ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
94 ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
95 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
95 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
96 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
96 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
97
97
98 # Image chroot path
98 # Image chroot path
99 R=${BUILDDIR}/chroot
99 R=${BUILDDIR}/chroot
100
100
101 # Packages required for bootstrapping
101 # Packages required for bootstrapping
102 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git-core"
102 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git-core"
103
103
104 # Missing packages that need to be installed
104 # Missing packages that need to be installed
105 MISSING_PACKAGES=""
105 MISSING_PACKAGES=""
106
106
107 # Packages required in the chroot build environment
107 # Packages required in the chroot build environment
108 APT_INCLUDES=${APT_INCLUDES:=""}
108 APT_INCLUDES=${APT_INCLUDES:=""}
109 APT_INCLUDES="${APT_INCLUDES},apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo"
109 APT_INCLUDES="${APT_INCLUDES},apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo"
110
110
111 set +x
111 set +x
112
112
113 # Are we running as root?
113 # Are we running as root?
114 if [ "$(id -u)" -ne "0" ] ; then
114 if [ "$(id -u)" -ne "0" ] ; then
115 echo "this script must be executed with root privileges"
115 echo "this script must be executed with root privileges"
116 exit 1
116 exit 1
117 fi
117 fi
118
118
119 # Check if all required packages are installed
119 # Check if all required packages are installed
120 for package in $REQUIRED_PACKAGES ; do
120 for package in $REQUIRED_PACKAGES ; do
121 if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
121 if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
122 MISSING_PACKAGES="$MISSING_PACKAGES $package"
122 MISSING_PACKAGES="$MISSING_PACKAGES $package"
123 fi
123 fi
124 done
124 done
125
125
126 # Ask if missing packages should get installed right now
126 # Ask if missing packages should get installed right now
127 if [ -n "$MISSING_PACKAGES" ] ; then
127 if [ -n "$MISSING_PACKAGES" ] ; then
128 echo "the following packages needed by this script are not installed:"
128 echo "the following packages needed by this script are not installed:"
129 echo "$MISSING_PACKAGES"
129 echo "$MISSING_PACKAGES"
130
130
131 echo -n "\ndo you want to install the missing packages right now? [y/n] "
131 echo -n "\ndo you want to install the missing packages right now? [y/n] "
132 read confirm
132 read confirm
133 if [ "$confirm" != "y" ] ; then
133 if [ "$confirm" != "y" ] ; then
134 exit 1
134 exit 1
135 fi
135 fi
136 fi
136 fi
137
137
138 # Make sure all required packages are installed
138 # Make sure all required packages are installed
139 apt-get -qq -y install ${REQUIRED_PACKAGES}
139 apt-get -qq -y install ${REQUIRED_PACKAGES}
140
140
141 # Don't clobber an old build
141 # Don't clobber an old build
142 if [ -e "$BUILDDIR" ]; then
142 if [ -e "$BUILDDIR" ]; then
143 echo "directory $BUILDDIR already exists, not proceeding"
143 echo "directory $BUILDDIR already exists, not proceeding"
144 exit 1
144 exit 1
145 fi
145 fi
146
146
147 set -x
147 set -x
148
148
149 # Call "cleanup" function on various signals and errors
149 # Call "cleanup" function on various signals and errors
150 trap cleanup 0 1 2 3 6
150 trap cleanup 0 1 2 3 6
151
151
152 # Set up chroot directory
152 # Set up chroot directory
153 mkdir -p $R
153 mkdir -p $R
154
154
155 # Add required packages for the minbase installation
155 # Add required packages for the minbase installation
156 if [ "$ENABLE_MINBASE" = true ] ; then
156 if [ "$ENABLE_MINBASE" = true ] ; then
157 APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools"
157 APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools"
158 else
158 else
159 APT_INCLUDES="${APT_INCLUDES},locales,keyboard-configuration,console-setup"
159 APT_INCLUDES="${APT_INCLUDES},locales,keyboard-configuration,console-setup"
160 fi
160 fi
161
161
162 # Add parted package, required to get partprobe utility
162 # Add parted package, required to get partprobe utility
163 if [ "$EXPANDROOT" = true ] ; then
163 if [ "$EXPANDROOT" = true ] ; then
164 APT_INCLUDES="${APT_INCLUDES},parted"
164 APT_INCLUDES="${APT_INCLUDES},parted"
165 fi
165 fi
166
166
167 # Add dbus package, recommended if using systemd
167 # Add dbus package, recommended if using systemd
168 if [ "$ENABLE_DBUS" = true ] ; then
168 if [ "$ENABLE_DBUS" = true ] ; then
169 APT_INCLUDES="${APT_INCLUDES},dbus"
169 APT_INCLUDES="${APT_INCLUDES},dbus"
170 fi
170 fi
171
171
172 # Add iptables IPv4/IPv6 package
172 # Add iptables IPv4/IPv6 package
173 if [ "$ENABLE_IPTABLES" = true ] ; then
173 if [ "$ENABLE_IPTABLES" = true ] ; then
174 APT_INCLUDES="${APT_INCLUDES},iptables"
174 APT_INCLUDES="${APT_INCLUDES},iptables"
175 fi
175 fi
176
176
177 # Add openssh server package
177 # Add openssh server package
178 if [ "$ENABLE_SSHD" = true ] ; then
178 if [ "$ENABLE_SSHD" = true ] ; then
179 APT_INCLUDES="${APT_INCLUDES},openssh-server"
179 APT_INCLUDES="${APT_INCLUDES},openssh-server"
180 fi
180 fi
181
181
182 # Add alsa-utils package
182 # Add alsa-utils package
183 if [ "$ENABLE_SOUND" = true ] ; then
183 if [ "$ENABLE_SOUND" = true ] ; then
184 APT_INCLUDES="${APT_INCLUDES},alsa-utils"
184 APT_INCLUDES="${APT_INCLUDES},alsa-utils"
185 fi
185 fi
186
186
187 # Add rng-tools package
187 # Add rng-tools package
188 if [ "$ENABLE_HWRANDOM" = true ] ; then
188 if [ "$ENABLE_HWRANDOM" = true ] ; then
189 APT_INCLUDES="${APT_INCLUDES},rng-tools"
189 APT_INCLUDES="${APT_INCLUDES},rng-tools"
190 fi
190 fi
191
191
192 if [ "$ENABLE_USER" = true ]; then
192 if [ "$ENABLE_USER" = true ]; then
193 APT_INCLUDES="${APT_INCLUDES},sudo"
193 APT_INCLUDES="${APT_INCLUDES},sudo"
194 fi
194 fi
195
195
196 # Add fbturbo video driver
196 # Add fbturbo video driver
197 if [ "$ENABLE_FBTURBO" = true ] ; then
197 if [ "$ENABLE_FBTURBO" = true ] ; then
198 # Enable xorg package dependencies
198 # Enable xorg package dependencies
199 ENABLE_XORG=true
199 ENABLE_XORG=true
200 fi
200 fi
201
201
202 # Add user defined window manager package
202 # Add user defined window manager package
203 if [ -n "$ENABLE_WM" ] ; then
203 if [ -n "$ENABLE_WM" ] ; then
204 APT_INCLUDES="${APT_INCLUDES},${ENABLE_WM}"
204 APT_INCLUDES="${APT_INCLUDES},${ENABLE_WM}"
205
205
206 # Enable xorg package dependencies
206 # Enable xorg package dependencies
207 ENABLE_XORG=true
207 ENABLE_XORG=true
208 fi
208 fi
209
209
210 # Add xorg package
210 # Add xorg package
211 if [ "$ENABLE_XORG" = true ] ; then
211 if [ "$ENABLE_XORG" = true ] ; then
212 APT_INCLUDES="${APT_INCLUDES},xorg"
212 APT_INCLUDES="${APT_INCLUDES},xorg"
213 fi
213 fi
214
214
215 # Base debootstrap (unpack only)
215 # Base debootstrap (unpack only)
216 if [ "$ENABLE_MINBASE" = true ] ; then
216 if [ "$ENABLE_MINBASE" = true ] ; then
217 http_proxy=${APT_PROXY} debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
217 http_proxy=${APT_PROXY} debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
218 else
218 else
219 http_proxy=${APT_PROXY} debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
219 http_proxy=${APT_PROXY} debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
220 fi
220 fi
221
221
222 # Copy qemu emulator binary to chroot
222 # Copy qemu emulator binary to chroot
223 cp /usr/bin/qemu-arm-static $R/usr/bin
223 cp /usr/bin/qemu-arm-static $R/usr/bin
224
224
225 # Copy debian-archive-keyring.pgp
225 # Copy debian-archive-keyring.pgp
226 chroot $R mkdir -p /usr/share/keyrings
226 chroot $R mkdir -p /usr/share/keyrings
227 cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
227 cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
228
228
229 # Complete the bootstrapping process
229 # Complete the bootstrapping process
230 chroot $R /debootstrap/debootstrap --second-stage
230 chroot $R /debootstrap/debootstrap --second-stage
231
231
232 # Mount required filesystems
232 # Mount required filesystems
233 mount -t proc none $R/proc
233 mount -t proc none $R/proc
234 mount -t sysfs none $R/sys
234 mount -t sysfs none $R/sys
235 mount --bind /dev/pts $R/dev/pts
235 mount --bind /dev/pts $R/dev/pts
236
236
237 # Use proxy inside chroot
237 # Use proxy inside chroot
238 if [ -z "$APT_PROXY" ] ; then
238 if [ -z "$APT_PROXY" ] ; then
239 echo "Acquire::http::Proxy \"$APT_PROXY\";" >> $R/etc/apt/apt.conf.d/10proxy
239 echo "Acquire::http::Proxy \"$APT_PROXY\";" >> $R/etc/apt/apt.conf.d/10proxy
240 fi
240 fi
241
241
242 # Pin package flash-kernel to repositories.collabora.co.uk
242 # Pin package flash-kernel to repositories.collabora.co.uk
243 cat <<EOM >$R/etc/apt/preferences.d/flash-kernel
243 cat <<EOM >$R/etc/apt/preferences.d/flash-kernel
244 Package: flash-kernel
244 Package: flash-kernel
245 Pin: origin repositories.collabora.co.uk
245 Pin: origin repositories.collabora.co.uk
246 Pin-Priority: 1000
246 Pin-Priority: 1000
247 EOM
247 EOM
248
248
249 # Set up timezone
249 # Set up timezone
250 echo ${TIMEZONE} >$R/etc/timezone
250 echo ${TIMEZONE} >$R/etc/timezone
251 chroot_exec dpkg-reconfigure -f noninteractive tzdata
251 chroot_exec dpkg-reconfigure -f noninteractive tzdata
252
252
253 # Upgrade collabora package index and install collabora keyring
253 # Upgrade collabora package index and install collabora keyring
254 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
254 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
255 chroot_exec apt-get -qq -y update
255 chroot_exec apt-get -qq -y update
256 chroot_exec apt-get -qq -y --force-yes install collabora-obs-archive-keyring
256 chroot_exec apt-get -qq -y --force-yes install collabora-obs-archive-keyring
257
257
258 # Set up initial sources.list
258 # Set up initial sources.list
259 cat <<EOM >$R/etc/apt/sources.list
259 cat <<EOM >$R/etc/apt/sources.list
260 deb http://${APT_SERVER}/debian ${RELEASE} main contrib
260 deb http://${APT_SERVER}/debian ${RELEASE} main contrib
261 #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib
261 #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib
262
262
263 deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
263 deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
264 #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
264 #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
265
265
266 deb http://security.debian.org/ ${RELEASE}/updates main contrib
266 deb http://security.debian.org/ ${RELEASE}/updates main contrib
267 #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib
267 #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib
268
268
269 deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
269 deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
270 EOM
270 EOM
271
271
272 # Upgrade package index and update all installed packages and changed dependencies
272 # Upgrade package index and update all installed packages and changed dependencies
273 chroot_exec apt-get -qq -y update
273 chroot_exec apt-get -qq -y update
274 chroot_exec apt-get -qq -y -u dist-upgrade
274 chroot_exec apt-get -qq -y -u dist-upgrade
275
275
276 # Set up default locale and keyboard configuration
276 # Set up default locale and keyboard configuration
277 if [ "$ENABLE_MINBASE" = false ] ; then
277 if [ "$ENABLE_MINBASE" = false ] ; then
278 # Set locale choice in debconf db, even though dpkg-reconfigure ignores and overwrites them due to some bug
278 # Set locale choice in debconf db, even though dpkg-reconfigure ignores and overwrites them due to some bug
279 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684134 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685957
279 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684134 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685957
280 # ... so we have to set locales manually
280 # ... so we have to set locales manually
281 if [ "$DEFLOCAL" = "en_US.UTF-8" ] ; then
281 if [ "$DEFLOCAL" = "en_US.UTF-8" ] ; then
282 chroot_exec echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections
282 chroot_exec echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections
283 else
283 else
284 # en_US.UTF-8 should be available anyway : https://www.debian.org/doc/manuals/debian-reference/ch08.en.html#_the_reconfiguration_of_the_locale
284 # en_US.UTF-8 should be available anyway : https://www.debian.org/doc/manuals/debian-reference/ch08.en.html#_the_reconfiguration_of_the_locale
285 chroot_exec echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections
285 chroot_exec echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections
286 chroot_exec sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen
286 chroot_exec sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen
287 fi
287 fi
288 chroot_exec sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen
288 chroot_exec sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen
289 chroot_exec echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections
289 chroot_exec echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections
290 chroot_exec locale-gen
290 chroot_exec locale-gen
291 chroot_exec update-locale LANG=${DEFLOCAL}
291 chroot_exec update-locale LANG=${DEFLOCAL}
292
292
293 # Keyboard configuration, if requested
293 # Keyboard configuration, if requested
294 if [ "$XKBMODEL" != "" ] ; then
294 if [ "$XKBMODEL" != "" ] ; then
295 chroot_exec sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKBMODEL}\"/" /etc/default/keyboard
295 chroot_exec sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKBMODEL}\"/" /etc/default/keyboard
296 fi
296 fi
297 if [ "$XKBLAYOUT" != "" ] ; then
297 if [ "$XKBLAYOUT" != "" ] ; then
298 chroot_exec sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKBLAYOUT}\"/" /etc/default/keyboard
298 chroot_exec sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKBLAYOUT}\"/" /etc/default/keyboard
299 fi
299 fi
300 if [ "$XKBVARIANT" != "" ] ; then
300 if [ "$XKBVARIANT" != "" ] ; then
301 chroot_exec sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKBVARIANT}\"/" /etc/default/keyboard
301 chroot_exec sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKBVARIANT}\"/" /etc/default/keyboard
302 fi
302 fi
303 if [ "$XKBOPTIONS" != "" ] ; then
303 if [ "$XKBOPTIONS" != "" ] ; then
304 chroot_exec sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKBOPTIONS}\"/" /etc/default/keyboard
304 chroot_exec sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKBOPTIONS}\"/" /etc/default/keyboard
305 fi
305 fi
306 chroot_exec dpkg-reconfigure -f noninteractive keyboard-configuration
306 chroot_exec dpkg-reconfigure -f noninteractive keyboard-configuration
307 # Set up font console
307 # Set up font console
308 case "${DEFLOCAL}" in
308 case "${DEFLOCAL}" in
309 *UTF-8)
309 *UTF-8)
310 chroot_exec sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' /etc/default/console-setup
310 chroot_exec sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' /etc/default/console-setup
311 ;;
311 ;;
312 *)
312 *)
313 chroot_exec sed -i 's/^CHARMAP.*/CHARMAP="guess"/' /etc/default/console-setup
313 chroot_exec sed -i 's/^CHARMAP.*/CHARMAP="guess"/' /etc/default/console-setup
314 ;;
314 ;;
315 esac
315 esac
316 chroot_exec dpkg-reconfigure -f noninteractive console-setup
316 chroot_exec dpkg-reconfigure -f noninteractive console-setup
317 fi
317 fi
318
318
319 # Kernel installation
319 # Kernel installation
320 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
320 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
321 chroot_exec apt-get -qq -y --no-install-recommends install linux-image-${KERNEL} raspberrypi-bootloader-nokernel
321 chroot_exec apt-get -qq -y --no-install-recommends install linux-image-${KERNEL} raspberrypi-bootloader-nokernel
322 chroot_exec apt-get -qq -y install flash-kernel
322 chroot_exec apt-get -qq -y install flash-kernel
323
323
324 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
324 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
325 [ -z "$VMLINUZ" ] && exit 1
325 [ -z "$VMLINUZ" ] && exit 1
326 cp $VMLINUZ $R/boot/firmware/kernel7.img
326 cp $VMLINUZ $R/boot/firmware/kernel7.img
327
327
328 # Set up IPv4 hosts
328 # Set up IPv4 hosts
329 echo ${HOSTNAME} >$R/etc/hostname
329 echo ${HOSTNAME} >$R/etc/hostname
330 cat <<EOM >$R/etc/hosts
330 cat <<EOM >$R/etc/hosts
331 127.0.0.1 localhost
331 127.0.0.1 localhost
332 127.0.1.1 ${HOSTNAME}
332 127.0.1.1 ${HOSTNAME}
333 EOM
333 EOM
334 if [ "$NET_ADDRESS" != "" ] ; then
334 if [ "$NET_ADDRESS" != "" ] ; then
335 NET_IP=$(echo ${NET_ADDRESS} | cut -f 1 -d'/')
335 NET_IP=$(echo ${NET_ADDRESS} | cut -f 1 -d'/')
336 sed -i "s/^127.0.1.1/${NET_IP}/" $R/etc/hosts
336 sed -i "s/^127.0.1.1/${NET_IP}/" $R/etc/hosts
337 fi
337 fi
338
338
339 # Set up IPv6 hosts
339 # Set up IPv6 hosts
340 if [ "$ENABLE_IPV6" = true ] ; then
340 if [ "$ENABLE_IPV6" = true ] ; then
341 cat <<EOM >>$R/etc/hosts
341 cat <<EOM >>$R/etc/hosts
342
342
343 ::1 localhost ip6-localhost ip6-loopback
343 ::1 localhost ip6-localhost ip6-loopback
344 ff02::1 ip6-allnodes
344 ff02::1 ip6-allnodes
345 ff02::2 ip6-allrouters
345 ff02::2 ip6-allrouters
346 EOM
346 EOM
347 fi
347 fi
348
348
349 # Place hint about network configuration
349 # Place hint about network configuration
350 cat <<EOM >$R/etc/network/interfaces
350 cat <<EOM >$R/etc/network/interfaces
351 # Debian switched to systemd-networkd configuration files.
351 # Debian switched to systemd-networkd configuration files.
352 # please configure your networks in '/etc/systemd/network/'
352 # please configure your networks in '/etc/systemd/network/'
353 EOM
353 EOM
354
354
355 if [ "$ENABLE_DHCP" = true ] ; then
355 if [ "$ENABLE_DHCP" = true ] ; then
356 # Enable systemd-networkd DHCP configuration for interface eth0
356 # Enable systemd-networkd DHCP configuration for interface eth0
357 cat <<EOM >$R/etc/systemd/network/eth.network
357 cat <<EOM >$R/etc/systemd/network/eth.network
358 [Match]
358 [Match]
359 Name=eth0
359 Name=eth0
360
360
361 [Network]
361 [Network]
362 DHCP=yes
362 DHCP=yes
363 EOM
363 EOM
364
364
365 # Set DHCP configuration to IPv4 only
365 # Set DHCP configuration to IPv4 only
366 if [ "$ENABLE_IPV6" = false ] ; then
366 if [ "$ENABLE_IPV6" = false ] ; then
367 sed -i "s/^DHCP=yes/DHCP=v4/" $R/etc/systemd/network/eth.network
367 sed -i "s/^DHCP=yes/DHCP=v4/" $R/etc/systemd/network/eth.network
368 fi
368 fi
369 else # ENABLE_DHCP=false
369 else # ENABLE_DHCP=false
370 cat <<EOM >$R/etc/systemd/network/eth.network
370 cat <<EOM >$R/etc/systemd/network/eth.network
371 [Match]
371 [Match]
372 Name=eth0
372 Name=eth0
373
373
374 [Network]
374 [Network]
375 DHCP=no
375 DHCP=no
376 Address=${NET_ADDRESS}
376 Address=${NET_ADDRESS}
377 Gateway=${NET_GATEWAY}
377 Gateway=${NET_GATEWAY}
378 DNS=${NET_DNS_1}
378 DNS=${NET_DNS_1}
379 DNS=${NET_DNS_2}
379 DNS=${NET_DNS_2}
380 Domains=${NET_DNS_DOMAINS}
380 Domains=${NET_DNS_DOMAINS}
381 NTP=${NET_NTP_1}
381 NTP=${NET_NTP_1}
382 NTP=${NET_NTP_2}
382 NTP=${NET_NTP_2}
383 EOM
383 EOM
384 fi
384 fi
385
385
386 # Enable systemd-networkd service
386 # Enable systemd-networkd service
387 chroot_exec systemctl enable systemd-networkd
387 chroot_exec systemctl enable systemd-networkd
388
388
389 # Generate crypt(3) password string
389 # Generate crypt(3) password string
390 ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
390 ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
391
391
392 # Set up default user
392 # Set up default user
393 if [ "$ENABLE_USER" = true ] ; then
393 if [ "$ENABLE_USER" = true ] ; then
394 chroot_exec adduser --gecos \"Raspberry PI user\" --add_extra_groups --disabled-password pi
394 chroot_exec adduser --gecos \"Raspberry PI user\" --add_extra_groups --disabled-password pi
395 chroot_exec usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
395 chroot_exec usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
396 fi
396 fi
397
397
398 # Set up root password or not
398 # Set up root password or not
399 if [ "$ENABLE_ROOT" = true ]; then
399 if [ "$ENABLE_ROOT" = true ]; then
400 chroot_exec usermod -p "${ENCRYPTED_PASSWORD}" root
400 chroot_exec usermod -p "${ENCRYPTED_PASSWORD}" root
401
401
402 if [ "$ENABLE_ROOT_SSH" = true ]; then
402 if [ "$ENABLE_ROOT_SSH" = true ]; then
403 sed -i 's|[#]*PermitRootLogin.*|PermitRootLogin yes|g' $R/etc/ssh/sshd_config
403 sed -i 's|[#]*PermitRootLogin.*|PermitRootLogin yes|g' $R/etc/ssh/sshd_config
404 fi
404 fi
405 else
405 else
406 chroot_exec usermod -p \'!\' root
406 chroot_exec usermod -p \'!\' root
407 fi
407 fi
408
408
409 # Set up firmware boot cmdline
409 # Set up firmware boot cmdline
410 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
410 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
411
411
412 # Set up serial console support (if requested)
412 # Set up serial console support (if requested)
413 if [ "$ENABLE_CONSOLE" = true ] ; then
413 if [ "$ENABLE_CONSOLE" = true ] ; then
414 CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
414 CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
415 fi
415 fi
416
416
417 # Set up IPv6 networking support
417 # Set up IPv6 networking support
418 if [ "$ENABLE_IPV6" = false ] ; then
418 if [ "$ENABLE_IPV6" = false ] ; then
419 CMDLINE="${CMDLINE} ipv6.disable=1"
419 CMDLINE="${CMDLINE} ipv6.disable=1"
420 fi
420 fi
421
421
422 echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
422 echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
423
423
424 # Set up firmware config
424 # Set up firmware config
425 cat <<EOM >$R/boot/firmware/config.txt
425 install -o root -g root -m 644 files/config.txt $R/boot/firmware/config.txt
426 # For more options and information see
427 # http://www.raspberrypi.org/documentation/configuration/config-txt.md
428 # Some settings may impact device functionality. See link above for details
429
430 # uncomment if you get no picture on HDMI for a default "safe" mode
431 #hdmi_safe=1
432
433 # uncomment this if your display has a black border of unused pixels visible
434 # and your display can output without overscan
435 #disable_overscan=1
436
437 # uncomment the following to adjust overscan. Use positive numbers if console
438 # goes off screen, and negative if there is too much border
439 #overscan_left=16
440 #overscan_right=16
441 #overscan_top=16
442 #overscan_bottom=16
443
444 # uncomment to force a console size. By default it will be display's size minus
445 # overscan.
446 #framebuffer_width=1280
447 #framebuffer_height=720
448
449 # uncomment if hdmi display is not detected and composite is being output
450 #hdmi_force_hotplug=1
451
452 # uncomment to force a specific HDMI mode (this will force VGA)
453 #hdmi_group=1
454 #hdmi_mode=1
455
456 # uncomment to force a HDMI mode rather than DVI. This can make audio work in
457 # DMT (computer monitor) modes
458 #hdmi_drive=2
459
460 # uncomment to increase signal to HDMI, if you have interference, blanking, or
461 # no display
462 #config_hdmi_boost=4
463
464 # uncomment for composite PAL
465 #sdtv_mode=2
466
467 # uncomment to overclock the arm. 700 MHz is the default.
468 #arm_freq=800
469 EOM
470
426
471 # Load snd_bcm2835 kernel module at boot time
427 # Load snd_bcm2835 kernel module at boot time
472 if [ "$ENABLE_SOUND" = true ] ; then
428 if [ "$ENABLE_SOUND" = true ] ; then
473 echo "snd_bcm2835" >>$R/etc/modules
429 echo "snd_bcm2835" >>$R/etc/modules
474 fi
430 fi
475
431
476 # Set smallest possible GPU memory allocation size: 16MB (no X)
432 # Set smallest possible GPU memory allocation size: 16MB (no X)
477 if [ "$ENABLE_MINGPU" = true ] ; then
433 if [ "$ENABLE_MINGPU" = true ] ; then
478 echo "gpu_mem=16" >>$R/boot/firmware/config.txt
434 echo "gpu_mem=16" >>$R/boot/firmware/config.txt
479 fi
435 fi
480
436
481 # Create symlinks
437 # Create symlinks
482 ln -sf firmware/config.txt $R/boot/config.txt
438 ln -sf firmware/config.txt $R/boot/config.txt
483 ln -sf firmware/cmdline.txt $R/boot/cmdline.txt
439 ln -sf firmware/cmdline.txt $R/boot/cmdline.txt
484
440
485 # Prepare modules-load.d directory
441 # Prepare modules-load.d directory
486 mkdir -p $R/lib/modules-load.d/
442 mkdir -p $R/lib/modules-load.d/
487
443
488 # Load random module on boot
444 # Load random module on boot
489 if [ "$ENABLE_HWRANDOM" = true ] ; then
445 if [ "$ENABLE_HWRANDOM" = true ] ; then
490 cat <<EOM >$R/lib/modules-load.d/rpi2.conf
446 cat <<EOM >$R/lib/modules-load.d/rpi2.conf
491 bcm2708_rng
447 bcm2708_rng
492 EOM
448 EOM
493 fi
449 fi
494
450
495 # Prepare modprobe.d directory
451 # Prepare modprobe.d directory
496 mkdir -p $R/etc/modprobe.d/
452 mkdir -p $R/etc/modprobe.d/
497
453
498 # Blacklist sound modules
454 # Blacklist sound modules
499 cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf
455 install -o root -g root -m 644 files/modprobe.d/raspi-blacklist.conf $R/etc/modprobe.d/raspi-blacklist.conf
500 blacklist snd_soc_core
501 blacklist snd_pcm
502 blacklist snd_pcm_dmaengine
503 blacklist snd_timer
504 blacklist snd_compress
505 blacklist snd_soc_pcm512x_i2c
506 blacklist snd_soc_pcm512x
507 blacklist snd_soc_tas5713
508 blacklist snd_soc_wm8804
509 EOM
510
456
511 # Create default fstab
457 # Create default fstab
512 cat <<EOM >$R/etc/fstab
458 install -o root -g root -m 644 files/fstab $R/etc/fstab
513 /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
514 /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
515 EOM
516
517 # Avoid swapping and increase cache sizes
518 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
519
459
520 # Avoid swapping and increase cache sizes
460 # Avoid swapping and increase cache sizes
521 vm.swappiness=1
461 install -o root -g root -m 644 files/sysctl.d/81-rpi-vm.conf $R/etc/sysctl.d/81-rpi-vm.conf
522 vm.dirty_background_ratio=20
523 vm.dirty_ratio=40
524 vm.dirty_writeback_centisecs=500
525 vm.dirty_expire_centisecs=6000
526 EOM
527
462
528 # Enable network stack hardening
463 # Enable network stack hardening
529 if [ "$ENABLE_HARDNET" = true ] ; then
464 if [ "$ENABLE_HARDNET" = true ] ; then
530 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
465 install -o root -g root -m 644 files/sysctl.d/81-rpi-net-hardening.conf $R/etc/sysctl.d/81-rpi-net-hardening.conf
531
532 # Enable network stack hardening
533 net.ipv4.tcp_timestamps=0
534 net.ipv4.tcp_syncookies=1
535 net.ipv4.conf.all.rp_filter=1
536 net.ipv4.conf.all.accept_redirects=0
537 net.ipv4.conf.all.send_redirects=0
538 net.ipv4.conf.all.accept_source_route=0
539 net.ipv4.conf.default.rp_filter=1
540 net.ipv4.conf.default.accept_redirects=0
541 net.ipv4.conf.default.send_redirects=0
542 net.ipv4.conf.default.accept_source_route=0
543 net.ipv4.conf.lo.accept_redirects=0
544 net.ipv4.conf.lo.send_redirects=0
545 net.ipv4.conf.lo.accept_source_route=0
546 net.ipv4.conf.eth0.accept_redirects=0
547 net.ipv4.conf.eth0.send_redirects=0
548 net.ipv4.conf.eth0.accept_source_route=0
549 net.ipv4.icmp_echo_ignore_broadcasts=1
550 net.ipv4.icmp_ignore_bogus_error_responses=1
551
552 net.ipv6.conf.all.accept_redirects=0
553 net.ipv6.conf.all.accept_source_route=0
554 net.ipv6.conf.all.router_solicitations=0
555 net.ipv6.conf.all.accept_ra_rtr_pref=0
556 net.ipv6.conf.all.accept_ra_pinfo=0
557 net.ipv6.conf.all.accept_ra_defrtr=0
558 net.ipv6.conf.all.autoconf=0
559 net.ipv6.conf.all.dad_transmits=0
560 net.ipv6.conf.all.max_addresses=1
561
562 net.ipv6.conf.default.accept_redirects=0
563 net.ipv6.conf.default.accept_source_route=0
564 net.ipv6.conf.default.router_solicitations=0
565 net.ipv6.conf.default.accept_ra_rtr_pref=0
566 net.ipv6.conf.default.accept_ra_pinfo=0
567 net.ipv6.conf.default.accept_ra_defrtr=0
568 net.ipv6.conf.default.autoconf=0
569 net.ipv6.conf.default.dad_transmits=0
570 net.ipv6.conf.default.max_addresses=1
571
572 net.ipv6.conf.lo.accept_redirects=0
573 net.ipv6.conf.lo.accept_source_route=0
574 net.ipv6.conf.lo.router_solicitations=0
575 net.ipv6.conf.lo.accept_ra_rtr_pref=0
576 net.ipv6.conf.lo.accept_ra_pinfo=0
577 net.ipv6.conf.lo.accept_ra_defrtr=0
578 net.ipv6.conf.lo.autoconf=0
579 net.ipv6.conf.lo.dad_transmits=0
580 net.ipv6.conf.lo.max_addresses=1
581
582 net.ipv6.conf.eth0.accept_redirects=0
583 net.ipv6.conf.eth0.accept_source_route=0
584 net.ipv6.conf.eth0.router_solicitations=0
585 net.ipv6.conf.eth0.accept_ra_rtr_pref=0
586 net.ipv6.conf.eth0.accept_ra_pinfo=0
587 net.ipv6.conf.eth0.accept_ra_defrtr=0
588 net.ipv6.conf.eth0.autoconf=0
589 net.ipv6.conf.eth0.dad_transmits=0
590 net.ipv6.conf.eth0.max_addresses=1
591 EOM
592
466
593 # Enable resolver warnings about spoofed addresses
467 # Enable resolver warnings about spoofed addresses
594 cat <<EOM >>$R/etc/host.conf
468 cat <<EOM >>$R/etc/host.conf
595 spoof warn
469 spoof warn
596 EOM
470 EOM
597 fi
471 fi
598
472
473 # First boot actions
474 cat files/firstboot/10-begin.sh > $R/etc/rc.firstboot
475
599 # Ensure openssh server host keys are regenerated on first boot
476 # Ensure openssh server host keys are regenerated on first boot
600 if [ "$ENABLE_SSHD" = true ] ; then
477 if [ "$ENABLE_SSHD" = true ] ; then
601 cat <<EOM >>$R/etc/rc.firstboot
478 cat files/firstboot/21-generate-ssh-keys.sh >> $R/etc/rc.firstboot
602 #!/bin/sh
603 rm -f /etc/ssh/ssh_host_*
604 ssh-keygen -q -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key
605 ssh-keygen -q -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key
606 ssh-keygen -q -t ecdsa -N "" -f /etc/ssh/ssh_host_ecdsa_key
607 ssh-keygen -q -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key
608 sync
609
610 systemctl restart sshd
611 sed -i '/.*rc.firstboot/d' /etc/rc.local
612 rm -f /etc/rc.firstboot
613 EOM
614 chmod +x $R/etc/rc.firstboot
615 sed -i '/exit 0/d' $R/etc/rc.local
616 echo /etc/rc.firstboot >> $R/etc/rc.local
617 rm -f $R/etc/ssh/ssh_host_*
479 rm -f $R/etc/ssh/ssh_host_*
618 fi
480 fi
619
481
620 if [ "$EXPANDROOT" = true ] ; then
482 if [ "$EXPANDROOT" = true ] ; then
621 cat <<EOF > $R/etc/rc.expandroot
483 cat files/firstboot/22-expandroot.sh >> $R/etc/rc.firstboot
622 #!/bin/sh
623
624 ROOT_PART=\$(mount | sed -n 's|^/dev/\(.*\) on / .*|\1|p')
625 PART_NUM=\$(echo \${ROOT_PART} | grep -o '[1-9][0-9]*$')
626 case "\${ROOT_PART}" in
627 mmcblk0*) ROOT_DEV=mmcblk0 ;;
628 sda*) ROOT_DEV=sda ;;
629 esac
630 if [ "\$PART_NUM" = "\$ROOT_PART" ]; then
631 logger -t "rc.expandroot" "\$ROOT_PART is not an SD card. Don't know how to expand"
632 return 0
633 fi
634 # NOTE: the NOOBS partition layout confuses parted. For now, let's only
635 # agree to work with a sufficiently simple partition layout
636 if [ "\$PART_NUM" -gt 2 ]; then
637 logger -t "rc.expandroot" "Your partition layout is not currently supported by this tool."
638 return 0
639 fi
640 LAST_PART_NUM=\$(parted /dev/\${ROOT_DEV} -ms unit s p | tail -n 1 | cut -f 1 -d:)
641 if [ \$LAST_PART_NUM -ne \$PART_NUM ]; then
642 logger -t "rc.expandroot" "\$ROOT_PART is not the last partition. Don't know how to expand"
643 return 0
644 fi
645 # Get the starting offset of the root partition
646 PART_START=\$(parted /dev/\${ROOT_DEV} -ms unit s p | grep "^\${PART_NUM}" | cut -f 2 -d: | sed 's/[^0-9]//g')
647 [ "\$PART_START" ] || return 1
648 # Get the possible last sector for the root partition
649 PART_LAST=\$(fdisk -l /dev/\${ROOT_DEV} | grep '^Disk.*sectors' | awk '{ print \$7 - 1 }')
650 [ "\$PART_LAST" ] || return 1
651 # Return value will likely be error for fdisk as it fails to reload the
652 # partition table because the root fs is mounted
653 ### Since rc.local is run with "sh -e", let's add "|| true" to prevent premature exit
654 fdisk /dev/\${ROOT_DEV} <<EOF2 || true
655 p
656 d
657 \$PART_NUM
658 n
659 p
660 \$PART_NUM
661 \$PART_START
662 \$PART_LAST
663 p
664 w
665 EOF2
666 # Reload the partition table, resize root filesystem then remove resizing code from this file
667 partprobe &&
668 resize2fs /dev/\${ROOT_PART} &&
669 logger -t "rc.expandroot" "Root partition successfuly resized." &&
670 sed -i '/.*rc.expandroot/d' /etc/rc.local
671 rm -f /etc/rc.expandroot
672 EOF
673 chmod +x $R/etc/rc.expandroot
674 sed -i '/exit 0/d' $R/etc/rc.local
675 echo /etc/rc.expandroot >> $R/etc/rc.local
676 fi
484 fi
677
485
486 cat files/firstboot/99-finish.sh >> $R/etc/rc.firstboot
487 chmod +x $R/etc/rc.firstboot
488
489 sed -i '/exit 0/d' $R/etc/rc.local
490 echo /etc/rc.firstboot >> $R/etc/rc.local
491 echo exit 0 >> $R/etc/rc.local
492
678 # Disable rsyslog
493 # Disable rsyslog
679 if [ "$ENABLE_RSYSLOG" = false ]; then
494 if [ "$ENABLE_RSYSLOG" = false ]; then
680 sed -i 's|[#]*ForwardToSyslog=yes|ForwardToSyslog=no|g' $R/etc/systemd/journald.conf
495 sed -i 's|[#]*ForwardToSyslog=yes|ForwardToSyslog=no|g' $R/etc/systemd/journald.conf
681 chroot_exec systemctl disable rsyslog
496 chroot_exec systemctl disable rsyslog
682 chroot_exec apt-get purge -q -y --force-yes rsyslog
497 chroot_exec apt-get purge -q -y --force-yes rsyslog
683 fi
498 fi
684
499
685 # Enable serial console systemd style
500 # Enable serial console systemd style
686 if [ "$ENABLE_CONSOLE" = true ] ; then
501 if [ "$ENABLE_CONSOLE" = true ] ; then
687 chroot_exec systemctl enable serial-getty\@ttyAMA0.service
502 chroot_exec systemctl enable serial-getty\@ttyAMA0.service
688 fi
503 fi
689
504
690 # Enable firewall based on iptables started by systemd service
505 # Enable firewall based on iptables started by systemd service
691 if [ "$ENABLE_IPTABLES" = true ] ; then
506 if [ "$ENABLE_IPTABLES" = true ] ; then
692 # Create iptables configuration directory
507 # Create iptables configuration directory
693 mkdir -p "$R/etc/iptables"
508 mkdir -p "$R/etc/iptables"
694
509
695 # Create iptables systemd service
510 # Create iptables systemd service
696 cat <<EOM >$R/etc/systemd/system/iptables.service
511 install -o root -g root -m 644 files/iptables/iptables.service $R/etc/systemd/system/iptables.service
697 [Unit]
698 Description=Packet Filtering Framework
699 DefaultDependencies=no
700 After=systemd-sysctl.service
701 Before=sysinit.target
702 [Service]
703 Type=oneshot
704 ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
705 ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
706 ExecStop=/etc/iptables/flush-iptables.sh
707 RemainAfterExit=yes
708 [Install]
709 WantedBy=multi-user.target
710 EOM
711
512
712 # Create flush-table script called by iptables service
513 # Create flush-table script called by iptables service
713 cat <<EOM >$R/etc/iptables/flush-iptables.sh
514 install -o root -g root -m 755 files/iptables/flush-iptables.sh $R/etc/iptables/flush-iptables.sh
714 #!/bin/sh
715 iptables -F
716 iptables -X
717 iptables -t nat -F
718 iptables -t nat -X
719 iptables -t mangle -F
720 iptables -t mangle -X
721 iptables -P INPUT ACCEPT
722 iptables -P FORWARD ACCEPT
723 iptables -P OUTPUT ACCEPT
724 EOM
725
515
726 # Create iptables rule file
516 # Create iptables rule file
727 cat <<EOM >$R/etc/iptables/iptables.rules
517 install -o root -g root -m 644 files/iptables/iptables.rules $R/etc/iptables/iptables.rules
728 *filter
729 :INPUT DROP [0:0]
730 :FORWARD DROP [0:0]
731 :OUTPUT ACCEPT [0:0]
732 :TCP - [0:0]
733 :UDP - [0:0]
734 :SSH - [0:0]
735
736 # Rate limit ping requests
737 -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
738 -A INPUT -p icmp --icmp-type echo-request -j DROP
739
740 # Accept established connections
741 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
742
743 # Accept all traffic on loopback interface
744 -A INPUT -i lo -j ACCEPT
745
746 # Drop packets declared invalid
747 -A INPUT -m conntrack --ctstate INVALID -j DROP
748
749 # SSH rate limiting
750 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
751 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
752 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
753 -A SSH -m recent --name sshbf --set -j ACCEPT
754
755 # Send TCP and UDP connections to their respective rules chain
756 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
757 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
758
759 # Reject dropped packets with a RFC compliant responce
760 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
761 -A INPUT -p tcp -j REJECT --reject-with tcp-rst
762 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
763
764 ## TCP PORT RULES
765 # -A TCP -p tcp -j LOG
766
767 ## UDP PORT RULES
768 # -A UDP -p udp -j LOG
769
770 COMMIT
771 EOM
772
518
773 # Reload systemd configuration and enable iptables service
519 # Reload systemd configuration and enable iptables service
774 chroot_exec systemctl daemon-reload
520 chroot_exec systemctl daemon-reload
775 chroot_exec systemctl enable iptables.service
521 chroot_exec systemctl enable iptables.service
776
522
777 if [ "$ENABLE_IPV6" = true ] ; then
523 if [ "$ENABLE_IPV6" = true ] ; then
778 # Create ip6tables systemd service
524 # Create ip6tables systemd service
779 cat <<EOM >$R/etc/systemd/system/ip6tables.service
525 install -o root -g root -m 644 files/iptables/ip6tables.service $R/etc/systemd/system/ip6tables.service
780 [Unit]
781 Description=Packet Filtering Framework
782 DefaultDependencies=no
783 After=systemd-sysctl.service
784 Before=sysinit.target
785 [Service]
786 Type=oneshot
787 ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
788 ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
789 ExecStop=/etc/iptables/flush-ip6tables.sh
790 RemainAfterExit=yes
791 [Install]
792 WantedBy=multi-user.target
793 EOM
794
526
795 # Create ip6tables file
527 # Create ip6tables file
796 cat <<EOM >$R/etc/iptables/flush-ip6tables.sh
528 install -o root -g root -m 755 files/iptables/flush-ip6tables.sh $R/etc/iptables/flush-ip6tables.sh
797 #!/bin/sh
798 ip6tables -F
799 ip6tables -X
800 ip6tables -Z
801 for table in $(</proc/net/ip6_tables_names)
802 do
803 ip6tables -t \$table -F
804 ip6tables -t \$table -X
805 ip6tables -t \$table -Z
806 done
807 ip6tables -P INPUT ACCEPT
808 ip6tables -P OUTPUT ACCEPT
809 ip6tables -P FORWARD ACCEPT
810 EOM
811
812 # Create ip6tables rule file
813 cat <<EOM >$R/etc/iptables/ip6tables.rules
814 *filter
815 :INPUT DROP [0:0]
816 :FORWARD DROP [0:0]
817 :OUTPUT ACCEPT [0:0]
818 :TCP - [0:0]
819 :UDP - [0:0]
820 :SSH - [0:0]
821
822 # Drop packets with RH0 headers
823 -A INPUT -m rt --rt-type 0 -j DROP
824 -A OUTPUT -m rt --rt-type 0 -j DROP
825 -A FORWARD -m rt --rt-type 0 -j DROP
826
827 # Rate limit ping requests
828 -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
829 -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
830
831 # Accept established connections
832 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
833
834 # Accept all traffic on loopback interface
835 -A INPUT -i lo -j ACCEPT
836
529
837 # Drop packets declared invalid
530 install -o root -g root -m 644 files/iptables/ip6tables.rules $R/etc/iptables/ip6tables.rules
838 -A INPUT -m conntrack --ctstate INVALID -j DROP
839
531
840 # SSH rate limiting
532 # Reload systemd configuration and enable iptables service
841 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
533 chroot_exec systemctl daemon-reload
842 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
534 chroot_exec systemctl enable ip6tables.service
843 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
844 -A SSH -m recent --name sshbf --set -j ACCEPT
845
846 # Send TCP and UDP connections to their respective rules chain
847 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
848 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
849
850 # Reject dropped packets with a RFC compliant responce
851 -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
852 -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
853 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
854
855 ## TCP PORT RULES
856 # -A TCP -p tcp -j LOG
857
858 ## UDP PORT RULES
859 # -A UDP -p udp -j LOG
860
861 COMMIT
862 EOM
863
864 # Reload systemd configuration and enable iptables service
865 chroot_exec systemctl daemon-reload
866 chroot_exec systemctl enable ip6tables.service
867 fi
535 fi
868 fi
536 fi
869
537
870 # Remove SSHD related iptables rules
538 # Remove SSHD related iptables rules
871 if [ "$ENABLE_SSHD" = false ] ; then
539 if [ "$ENABLE_SSHD" = false ] ; then
872 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/iptables.rules 2> /dev/null
540 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/iptables.rules 2> /dev/null
873 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/ip6tables.rules 2> /dev/null
541 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/ip6tables.rules 2> /dev/null
874 fi
542 fi
875
543
876 # Install gcc/c++ build environment inside the chroot
544 # Install gcc/c++ build environment inside the chroot
877 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
545 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
878 chroot_exec apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
546 chroot_exec apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
879 fi
547 fi
880
548
881 # Fetch and build U-Boot bootloader
549 # Fetch and build U-Boot bootloader
882 if [ "$ENABLE_UBOOT" = true ] ; then
550 if [ "$ENABLE_UBOOT" = true ] ; then
883 # Fetch U-Boot bootloader sources
551 # Fetch U-Boot bootloader sources
884 git -C $R/tmp clone git://git.denx.de/u-boot.git
552 git -C $R/tmp clone git://git.denx.de/u-boot.git
885
553
886 # Build and install U-Boot inside chroot
554 # Build and install U-Boot inside chroot
887 chroot_exec make -C /tmp/u-boot/ rpi_2_defconfig all
555 chroot_exec make -C /tmp/u-boot/ rpi_2_defconfig all
888
556
889 # Copy compiled bootloader binary and set config.txt to load it
557 # Copy compiled bootloader binary and set config.txt to load it
890 cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
558 cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
891 printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
559 printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
892
560
893 # Set U-Boot command file
561 # Set U-Boot command file
894 cat <<EOM >$R/boot/firmware/uboot.mkimage
562 cat <<EOM >$R/boot/firmware/uboot.mkimage
895 # Tell Linux that it is booting on a Raspberry Pi2
563 # Tell Linux that it is booting on a Raspberry Pi2
896 setenv machid 0x00000c42
564 setenv machid 0x00000c42
897
565
898 # Set the kernel boot command line
566 # Set the kernel boot command line
899 setenv bootargs "earlyprintk ${CMDLINE}"
567 setenv bootargs "earlyprintk ${CMDLINE}"
900
568
901 # Save these changes to u-boot's environment
569 # Save these changes to u-boot's environment
902 saveenv
570 saveenv
903
571
904 # Load the existing Linux kernel into RAM
572 # Load the existing Linux kernel into RAM
905 fatload mmc 0:1 \${kernel_addr_r} kernel7.img
573 fatload mmc 0:1 \${kernel_addr_r} kernel7.img
906
574
907 # Boot the kernel we have just loaded
575 # Boot the kernel we have just loaded
908 bootz \${kernel_addr_r}
576 bootz \${kernel_addr_r}
909 EOM
577 EOM
910
578
911 # Generate U-Boot image from command file
579 # Generate U-Boot image from command file
912 chroot_exec mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
580 chroot_exec mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
913 fi
581 fi
914
582
915 # Fetch and build fbturbo Xorg driver
583 # Fetch and build fbturbo Xorg driver
916 if [ "$ENABLE_FBTURBO" = true ] ; then
584 if [ "$ENABLE_FBTURBO" = true ] ; then
917 # Fetch fbturbo driver sources
585 # Fetch fbturbo driver sources
918 git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git
586 git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git
919
587
920 # Install Xorg build dependencies
588 # Install Xorg build dependencies
921 chroot_exec apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
589 chroot_exec apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
922
590
923 # Build and install fbturbo driver inside chroot
591 # Build and install fbturbo driver inside chroot
924 chroot_exec /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install"
592 chroot_exec /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install"
925
593
926 # Add fbturbo driver to Xorg configuration
594 # Add fbturbo driver to Xorg configuration
927 cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf
595 cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf
928 Section "Device"
596 Section "Device"
929 Identifier "Allwinner A10/A13 FBDEV"
597 Identifier "Allwinner A10/A13 FBDEV"
930 Driver "fbturbo"
598 Driver "fbturbo"
931 Option "fbdev" "/dev/fb0"
599 Option "fbdev" "/dev/fb0"
932 Option "SwapbuffersWait" "true"
600 Option "SwapbuffersWait" "true"
933 EndSection
601 EndSection
934 EOM
602 EOM
935
603
936 # Remove Xorg build dependencies
604 # Remove Xorg build dependencies
937 chroot_exec apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
605 chroot_exec apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
938 fi
606 fi
939
607
940 # Remove gcc/c++ build environment from the chroot
608 # Remove gcc/c++ build environment from the chroot
941 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
609 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
942 chroot_exec apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
610 chroot_exec apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
943 fi
611 fi
944
612
945 # Clean cached downloads
613 # Clean cached downloads
946 chroot_exec apt-get -y clean
614 chroot_exec apt-get -y clean
947 chroot_exec apt-get -y autoclean
615 chroot_exec apt-get -y autoclean
948 chroot_exec apt-get -y autoremove
616 chroot_exec apt-get -y autoremove
949
617
950 # Unmount mounted filesystems
618 # Unmount mounted filesystems
951 umount -l $R/proc
619 umount -l $R/proc
952 umount -l $R/sys
620 umount -l $R/sys
953
621
954 # Clean up files
622 # Clean up files
955 rm -f $R/etc/apt/sources.list.save
623 rm -f $R/etc/apt/sources.list.save
956 rm -f $R/etc/resolvconf/resolv.conf.d/original
624 rm -f $R/etc/resolvconf/resolv.conf.d/original
957 rm -rf $R/run
625 rm -rf $R/run
958 mkdir -p $R/run
626 mkdir -p $R/run
959 rm -f $R/etc/*-
627 rm -f $R/etc/*-
960 rm -f $R/root/.bash_history
628 rm -f $R/root/.bash_history
961 rm -rf $R/tmp/*
629 rm -rf $R/tmp/*
962 rm -f $R/var/lib/urandom/random-seed
630 rm -f $R/var/lib/urandom/random-seed
963 [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id
631 [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id
964 rm -f $R/etc/machine-id
632 rm -f $R/etc/machine-id
965 rm -fr $R/etc/apt/apt.conf.d/10proxy
633 rm -fr $R/etc/apt/apt.conf.d/10proxy
966
634
967 # Calculate size of the chroot directory
635 # Calculate size of the chroot directory
968 CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)
636 CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)
969
637
970 # Calculate required image size
638 # Calculate required image size
971 IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`
639 IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`
972
640
973 # Calculate number of sectors for the partition
641 # Calculate number of sectors for the partition
974 IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`
642 IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`
975
643
976 # Prepare date string for image file name
644 # Prepare date string for image file name
977 DATE="$(date +%Y-%m-%d)"
645 DATE="$(date +%Y-%m-%d)"
978
646
979 # Prepare image file
647 # Prepare image file
980 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1
648 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1
981 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}
649 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}
982
650
983 # Write partition table
651 # Write partition table
984 sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
652 sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
985 unit: sectors
653 unit: sectors
986
654
987 1 : start= 2048, size= 131072, Id= c, bootable
655 1 : start= 2048, size= 131072, Id= c, bootable
988 2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83
656 2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83
989 3 : start= 0, size= 0, Id= 0
657 3 : start= 0, size= 0, Id= 0
990 4 : start= 0, size= 0, Id= 0
658 4 : start= 0, size= 0, Id= 0
991 EOM
659 EOM
992
660
993 # Set up temporary loop devices and build filesystems
661 # Set up temporary loop devices and build filesystems
994 VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
662 VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
995 EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
663 EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
996 mkfs.vfat "$VFAT_LOOP"
664 mkfs.vfat "$VFAT_LOOP"
997 mkfs.ext4 "$EXT4_LOOP"
665 mkfs.ext4 "$EXT4_LOOP"
998
666
999 # Mount the temporary loop devices
667 # Mount the temporary loop devices
1000 mkdir -p "$BUILDDIR/mount"
668 mkdir -p "$BUILDDIR/mount"
1001 mount "$EXT4_LOOP" "$BUILDDIR/mount"
669 mount "$EXT4_LOOP" "$BUILDDIR/mount"
1002
670
1003 mkdir -p "$BUILDDIR/mount/boot/firmware"
671 mkdir -p "$BUILDDIR/mount/boot/firmware"
1004 mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"
672 mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"
1005
673
1006 # Copy all files from the chroot to the loop device mount point directory
674 # Copy all files from the chroot to the loop device mount point directory
1007 rsync -a "$R/" "$BUILDDIR/mount/"
675 rsync -a "$R/" "$BUILDDIR/mount/"
1008
676
1009 # Unmount all temporary loop devices and mount points
677 # Unmount all temporary loop devices and mount points
1010 cleanup
678 cleanup
1011
679
1012 # (optinal) create block map file for "bmaptool"
680 # (optinal) create block map file for "bmaptool"
1013 bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
681 bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
1014
682
1015 # Image was successfully created
683 # Image was successfully created
1016 echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"
684 echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"
General Comments 0
Vous devez vous connecter pour laisser un commentaire. Se connecter maintenant