|
@@
-1,1016
+1,684
|
|
1
|
#!/bin/sh
|
|
1
|
#!/bin/sh
|
|
2
|
|
|
2
|
|
|
3
|
########################################################################
|
|
3
|
########################################################################
|
|
4
|
# rpi2-gen-image.sh ver2a 12/2015
|
|
4
|
# rpi2-gen-image.sh ver2a 12/2015
|
|
5
|
#
|
|
5
|
#
|
|
6
|
# Advanced debian "jessie" bootstrap script for RPi2
|
|
6
|
# Advanced debian "jessie" bootstrap script for RPi2
|
|
7
|
#
|
|
7
|
#
|
|
8
|
# This program is free software; you can redistribute it and/or
|
|
8
|
# This program is free software; you can redistribute it and/or
|
|
9
|
# modify it under the terms of the GNU General Public License
|
|
9
|
# modify it under the terms of the GNU General Public License
|
|
10
|
# as published by the Free Software Foundation; either version 2
|
|
10
|
# as published by the Free Software Foundation; either version 2
|
|
11
|
# of the License, or (at your option) any later version.
|
|
11
|
# of the License, or (at your option) any later version.
|
|
12
|
#
|
|
12
|
#
|
|
13
|
# some parts based on rpi2-build-image:
|
|
13
|
# some parts based on rpi2-build-image:
|
|
14
|
# Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
|
|
14
|
# Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
|
|
15
|
# Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
|
|
15
|
# Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
|
|
16
|
########################################################################
|
|
16
|
########################################################################
|
|
17
|
|
|
17
|
|
|
18
|
# Clean up all temporary mount points
|
|
18
|
# Clean up all temporary mount points
|
|
19
|
cleanup (){
|
|
19
|
cleanup (){
|
|
20
|
set +x
|
|
20
|
set +x
|
|
21
|
set +e
|
|
21
|
set +e
|
|
22
|
echo "removing temporary mount points ..."
|
|
22
|
echo "removing temporary mount points ..."
|
|
23
|
umount -l $R/proc 2> /dev/null
|
|
23
|
umount -l $R/proc 2> /dev/null
|
|
24
|
umount -l $R/sys 2> /dev/null
|
|
24
|
umount -l $R/sys 2> /dev/null
|
|
25
|
umount -l $R/dev/pts 2> /dev/null
|
|
25
|
umount -l $R/dev/pts 2> /dev/null
|
|
26
|
umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
|
|
26
|
umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
|
|
27
|
umount "$BUILDDIR/mount" 2> /dev/null
|
|
27
|
umount "$BUILDDIR/mount" 2> /dev/null
|
|
28
|
losetup -d "$EXT4_LOOP" 2> /dev/null
|
|
28
|
losetup -d "$EXT4_LOOP" 2> /dev/null
|
|
29
|
losetup -d "$VFAT_LOOP" 2> /dev/null
|
|
29
|
losetup -d "$VFAT_LOOP" 2> /dev/null
|
|
30
|
trap - 0 1 2 3 6
|
|
30
|
trap - 0 1 2 3 6
|
|
31
|
}
|
|
31
|
}
|
|
32
|
|
|
32
|
|
|
33
|
# Exec command in chroot
|
|
33
|
# Exec command in chroot
|
|
34
|
chroot_exec() {
|
|
34
|
chroot_exec() {
|
|
35
|
LANG=C LC_ALL=C chroot $R $*
|
|
35
|
LANG=C LC_ALL=C chroot $R $*
|
|
36
|
}
|
|
36
|
}
|
|
37
|
|
|
37
|
|
|
38
|
set -e
|
|
38
|
set -e
|
|
39
|
set -x
|
|
39
|
set -x
|
|
40
|
|
|
40
|
|
|
41
|
# Debian release
|
|
41
|
# Debian release
|
|
42
|
RELEASE=${RELEASE:=jessie}
|
|
42
|
RELEASE=${RELEASE:=jessie}
|
|
43
|
KERNEL=${KERNEL:=3.18.0-trunk-rpi2}
|
|
43
|
KERNEL=${KERNEL:=3.18.0-trunk-rpi2}
|
|
44
|
|
|
44
|
|
|
45
|
# Build settings
|
|
45
|
# Build settings
|
|
46
|
BASEDIR=./images/${RELEASE}
|
|
46
|
BASEDIR=./images/${RELEASE}
|
|
47
|
BUILDDIR=${BASEDIR}/build
|
|
47
|
BUILDDIR=${BASEDIR}/build
|
|
48
|
|
|
48
|
|
|
49
|
# General settings
|
|
49
|
# General settings
|
|
50
|
HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
|
|
50
|
HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
|
|
51
|
PASSWORD=${PASSWORD:=raspberry}
|
|
51
|
PASSWORD=${PASSWORD:=raspberry}
|
|
52
|
DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
|
|
52
|
DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
|
|
53
|
TIMEZONE=${TIMEZONE:="Europe/Berlin"}
|
|
53
|
TIMEZONE=${TIMEZONE:="Europe/Berlin"}
|
|
54
|
XKBMODEL=${XKBMODEL:=""}
|
|
54
|
XKBMODEL=${XKBMODEL:=""}
|
|
55
|
XKBLAYOUT=${XKBLAYOUT:=""}
|
|
55
|
XKBLAYOUT=${XKBLAYOUT:=""}
|
|
56
|
XKBVARIANT=${XKBVARIANT:=""}
|
|
56
|
XKBVARIANT=${XKBVARIANT:=""}
|
|
57
|
XKBOPTIONS=${XKBOPTIONS:=""}
|
|
57
|
XKBOPTIONS=${XKBOPTIONS:=""}
|
|
58
|
EXPANDROOT=${EXPANDROOT:=true}
|
|
58
|
EXPANDROOT=${EXPANDROOT:=true}
|
|
59
|
|
|
59
|
|
|
60
|
# Network settings
|
|
60
|
# Network settings
|
|
61
|
ENABLE_DHCP=${ENABLE_DHCP:=true}
|
|
61
|
ENABLE_DHCP=${ENABLE_DHCP:=true}
|
|
62
|
# NET_* settings are ignored when ENABLE_DHCP=true
|
|
62
|
# NET_* settings are ignored when ENABLE_DHCP=true
|
|
63
|
# NET_ADDRESS is an IPv4 or IPv6 address and its prefix, separated by "/"
|
|
63
|
# NET_ADDRESS is an IPv4 or IPv6 address and its prefix, separated by "/"
|
|
64
|
NET_ADDRESS=${NET_ADDRESS:=""}
|
|
64
|
NET_ADDRESS=${NET_ADDRESS:=""}
|
|
65
|
NET_GATEWAY=${NET_GATEWAY:=""}
|
|
65
|
NET_GATEWAY=${NET_GATEWAY:=""}
|
|
66
|
NET_DNS_1=${NET_DNS_1:=""}
|
|
66
|
NET_DNS_1=${NET_DNS_1:=""}
|
|
67
|
NET_DNS_2=${NET_DNS_2:=""}
|
|
67
|
NET_DNS_2=${NET_DNS_2:=""}
|
|
68
|
NET_DNS_DOMAINS=${NET_DNS_DOMAINS:=""}
|
|
68
|
NET_DNS_DOMAINS=${NET_DNS_DOMAINS:=""}
|
|
69
|
NET_NTP_1=${NET_NTP_1:=""}
|
|
69
|
NET_NTP_1=${NET_NTP_1:=""}
|
|
70
|
NET_NTP_2=${NET_NTP_2:=""}
|
|
70
|
NET_NTP_2=${NET_NTP_2:=""}
|
|
71
|
|
|
71
|
|
|
72
|
# APT settings
|
|
72
|
# APT settings
|
|
73
|
APT_PROXY=${APT_PROXY:=""}
|
|
73
|
APT_PROXY=${APT_PROXY:=""}
|
|
74
|
APT_SERVER=${APT_SERVER:="ftp.debian.org"}
|
|
74
|
APT_SERVER=${APT_SERVER:="ftp.debian.org"}
|
|
75
|
|
|
75
|
|
|
76
|
# Feature settings
|
|
76
|
# Feature settings
|
|
77
|
ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
|
|
77
|
ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
|
|
78
|
ENABLE_IPV6=${ENABLE_IPV6:=true}
|
|
78
|
ENABLE_IPV6=${ENABLE_IPV6:=true}
|
|
79
|
ENABLE_SSHD=${ENABLE_SSHD:=true}
|
|
79
|
ENABLE_SSHD=${ENABLE_SSHD:=true}
|
|
80
|
ENABLE_SOUND=${ENABLE_SOUND:=true}
|
|
80
|
ENABLE_SOUND=${ENABLE_SOUND:=true}
|
|
81
|
ENABLE_DBUS=${ENABLE_DBUS:=true}
|
|
81
|
ENABLE_DBUS=${ENABLE_DBUS:=true}
|
|
82
|
ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
|
|
82
|
ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
|
|
83
|
ENABLE_MINGPU=${ENABLE_MINGPU:=false}
|
|
83
|
ENABLE_MINGPU=${ENABLE_MINGPU:=false}
|
|
84
|
ENABLE_XORG=${ENABLE_XORG:=false}
|
|
84
|
ENABLE_XORG=${ENABLE_XORG:=false}
|
|
85
|
ENABLE_WM=${ENABLE_WM:=""}
|
|
85
|
ENABLE_WM=${ENABLE_WM:=""}
|
|
86
|
ENABLE_RSYSLOG=${ENABLE_RSYSLOG:=true}
|
|
86
|
ENABLE_RSYSLOG=${ENABLE_RSYSLOG:=true}
|
|
87
|
ENABLE_USER=${ENABLE_USER:=true}
|
|
87
|
ENABLE_USER=${ENABLE_USER:=true}
|
|
88
|
ENABLE_ROOT=${ENABLE_ROOT:=false}
|
|
88
|
ENABLE_ROOT=${ENABLE_ROOT:=false}
|
|
89
|
ENABLE_ROOT_SSH=${ENABLE_ROOT_SSH:=false}
|
|
89
|
ENABLE_ROOT_SSH=${ENABLE_ROOT_SSH:=false}
|
|
90
|
|
|
90
|
|
|
91
|
# Advanced settings
|
|
91
|
# Advanced settings
|
|
92
|
ENABLE_MINBASE=${ENABLE_MINBASE:=false}
|
|
92
|
ENABLE_MINBASE=${ENABLE_MINBASE:=false}
|
|
93
|
ENABLE_UBOOT=${ENABLE_UBOOT:=false}
|
|
93
|
ENABLE_UBOOT=${ENABLE_UBOOT:=false}
|
|
94
|
ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
|
|
94
|
ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
|
|
95
|
ENABLE_HARDNET=${ENABLE_HARDNET:=false}
|
|
95
|
ENABLE_HARDNET=${ENABLE_HARDNET:=false}
|
|
96
|
ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
|
|
96
|
ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
|
|
97
|
|
|
97
|
|
|
98
|
# Image chroot path
|
|
98
|
# Image chroot path
|
|
99
|
R=${BUILDDIR}/chroot
|
|
99
|
R=${BUILDDIR}/chroot
|
|
100
|
|
|
100
|
|
|
101
|
# Packages required for bootstrapping
|
|
101
|
# Packages required for bootstrapping
|
|
102
|
REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git-core"
|
|
102
|
REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git-core"
|
|
103
|
|
|
103
|
|
|
104
|
# Missing packages that need to be installed
|
|
104
|
# Missing packages that need to be installed
|
|
105
|
MISSING_PACKAGES=""
|
|
105
|
MISSING_PACKAGES=""
|
|
106
|
|
|
106
|
|
|
107
|
# Packages required in the chroot build environment
|
|
107
|
# Packages required in the chroot build environment
|
|
108
|
APT_INCLUDES=${APT_INCLUDES:=""}
|
|
108
|
APT_INCLUDES=${APT_INCLUDES:=""}
|
|
109
|
APT_INCLUDES="${APT_INCLUDES},apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo"
|
|
109
|
APT_INCLUDES="${APT_INCLUDES},apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo"
|
|
110
|
|
|
110
|
|
|
111
|
set +x
|
|
111
|
set +x
|
|
112
|
|
|
112
|
|
|
113
|
# Are we running as root?
|
|
113
|
# Are we running as root?
|
|
114
|
if [ "$(id -u)" -ne "0" ] ; then
|
|
114
|
if [ "$(id -u)" -ne "0" ] ; then
|
|
115
|
echo "this script must be executed with root privileges"
|
|
115
|
echo "this script must be executed with root privileges"
|
|
116
|
exit 1
|
|
116
|
exit 1
|
|
117
|
fi
|
|
117
|
fi
|
|
118
|
|
|
118
|
|
|
119
|
# Check if all required packages are installed
|
|
119
|
# Check if all required packages are installed
|
|
120
|
for package in $REQUIRED_PACKAGES ; do
|
|
120
|
for package in $REQUIRED_PACKAGES ; do
|
|
121
|
if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
|
|
121
|
if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
|
|
122
|
MISSING_PACKAGES="$MISSING_PACKAGES $package"
|
|
122
|
MISSING_PACKAGES="$MISSING_PACKAGES $package"
|
|
123
|
fi
|
|
123
|
fi
|
|
124
|
done
|
|
124
|
done
|
|
125
|
|
|
125
|
|
|
126
|
# Ask if missing packages should get installed right now
|
|
126
|
# Ask if missing packages should get installed right now
|
|
127
|
if [ -n "$MISSING_PACKAGES" ] ; then
|
|
127
|
if [ -n "$MISSING_PACKAGES" ] ; then
|
|
128
|
echo "the following packages needed by this script are not installed:"
|
|
128
|
echo "the following packages needed by this script are not installed:"
|
|
129
|
echo "$MISSING_PACKAGES"
|
|
129
|
echo "$MISSING_PACKAGES"
|
|
130
|
|
|
130
|
|
|
131
|
echo -n "\ndo you want to install the missing packages right now? [y/n] "
|
|
131
|
echo -n "\ndo you want to install the missing packages right now? [y/n] "
|
|
132
|
read confirm
|
|
132
|
read confirm
|
|
133
|
if [ "$confirm" != "y" ] ; then
|
|
133
|
if [ "$confirm" != "y" ] ; then
|
|
134
|
exit 1
|
|
134
|
exit 1
|
|
135
|
fi
|
|
135
|
fi
|
|
136
|
fi
|
|
136
|
fi
|
|
137
|
|
|
137
|
|
|
138
|
# Make sure all required packages are installed
|
|
138
|
# Make sure all required packages are installed
|
|
139
|
apt-get -qq -y install ${REQUIRED_PACKAGES}
|
|
139
|
apt-get -qq -y install ${REQUIRED_PACKAGES}
|
|
140
|
|
|
140
|
|
|
141
|
# Don't clobber an old build
|
|
141
|
# Don't clobber an old build
|
|
142
|
if [ -e "$BUILDDIR" ]; then
|
|
142
|
if [ -e "$BUILDDIR" ]; then
|
|
143
|
echo "directory $BUILDDIR already exists, not proceeding"
|
|
143
|
echo "directory $BUILDDIR already exists, not proceeding"
|
|
144
|
exit 1
|
|
144
|
exit 1
|
|
145
|
fi
|
|
145
|
fi
|
|
146
|
|
|
146
|
|
|
147
|
set -x
|
|
147
|
set -x
|
|
148
|
|
|
148
|
|
|
149
|
# Call "cleanup" function on various signals and errors
|
|
149
|
# Call "cleanup" function on various signals and errors
|
|
150
|
trap cleanup 0 1 2 3 6
|
|
150
|
trap cleanup 0 1 2 3 6
|
|
151
|
|
|
151
|
|
|
152
|
# Set up chroot directory
|
|
152
|
# Set up chroot directory
|
|
153
|
mkdir -p $R
|
|
153
|
mkdir -p $R
|
|
154
|
|
|
154
|
|
|
155
|
# Add required packages for the minbase installation
|
|
155
|
# Add required packages for the minbase installation
|
|
156
|
if [ "$ENABLE_MINBASE" = true ] ; then
|
|
156
|
if [ "$ENABLE_MINBASE" = true ] ; then
|
|
157
|
APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools"
|
|
157
|
APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools"
|
|
158
|
else
|
|
158
|
else
|
|
159
|
APT_INCLUDES="${APT_INCLUDES},locales,keyboard-configuration,console-setup"
|
|
159
|
APT_INCLUDES="${APT_INCLUDES},locales,keyboard-configuration,console-setup"
|
|
160
|
fi
|
|
160
|
fi
|
|
161
|
|
|
161
|
|
|
162
|
# Add parted package, required to get partprobe utility
|
|
162
|
# Add parted package, required to get partprobe utility
|
|
163
|
if [ "$EXPANDROOT" = true ] ; then
|
|
163
|
if [ "$EXPANDROOT" = true ] ; then
|
|
164
|
APT_INCLUDES="${APT_INCLUDES},parted"
|
|
164
|
APT_INCLUDES="${APT_INCLUDES},parted"
|
|
165
|
fi
|
|
165
|
fi
|
|
166
|
|
|
166
|
|
|
167
|
# Add dbus package, recommended if using systemd
|
|
167
|
# Add dbus package, recommended if using systemd
|
|
168
|
if [ "$ENABLE_DBUS" = true ] ; then
|
|
168
|
if [ "$ENABLE_DBUS" = true ] ; then
|
|
169
|
APT_INCLUDES="${APT_INCLUDES},dbus"
|
|
169
|
APT_INCLUDES="${APT_INCLUDES},dbus"
|
|
170
|
fi
|
|
170
|
fi
|
|
171
|
|
|
171
|
|
|
172
|
# Add iptables IPv4/IPv6 package
|
|
172
|
# Add iptables IPv4/IPv6 package
|
|
173
|
if [ "$ENABLE_IPTABLES" = true ] ; then
|
|
173
|
if [ "$ENABLE_IPTABLES" = true ] ; then
|
|
174
|
APT_INCLUDES="${APT_INCLUDES},iptables"
|
|
174
|
APT_INCLUDES="${APT_INCLUDES},iptables"
|
|
175
|
fi
|
|
175
|
fi
|
|
176
|
|
|
176
|
|
|
177
|
# Add openssh server package
|
|
177
|
# Add openssh server package
|
|
178
|
if [ "$ENABLE_SSHD" = true ] ; then
|
|
178
|
if [ "$ENABLE_SSHD" = true ] ; then
|
|
179
|
APT_INCLUDES="${APT_INCLUDES},openssh-server"
|
|
179
|
APT_INCLUDES="${APT_INCLUDES},openssh-server"
|
|
180
|
fi
|
|
180
|
fi
|
|
181
|
|
|
181
|
|
|
182
|
# Add alsa-utils package
|
|
182
|
# Add alsa-utils package
|
|
183
|
if [ "$ENABLE_SOUND" = true ] ; then
|
|
183
|
if [ "$ENABLE_SOUND" = true ] ; then
|
|
184
|
APT_INCLUDES="${APT_INCLUDES},alsa-utils"
|
|
184
|
APT_INCLUDES="${APT_INCLUDES},alsa-utils"
|
|
185
|
fi
|
|
185
|
fi
|
|
186
|
|
|
186
|
|
|
187
|
# Add rng-tools package
|
|
187
|
# Add rng-tools package
|
|
188
|
if [ "$ENABLE_HWRANDOM" = true ] ; then
|
|
188
|
if [ "$ENABLE_HWRANDOM" = true ] ; then
|
|
189
|
APT_INCLUDES="${APT_INCLUDES},rng-tools"
|
|
189
|
APT_INCLUDES="${APT_INCLUDES},rng-tools"
|
|
190
|
fi
|
|
190
|
fi
|
|
191
|
|
|
191
|
|
|
192
|
if [ "$ENABLE_USER" = true ]; then
|
|
192
|
if [ "$ENABLE_USER" = true ]; then
|
|
193
|
APT_INCLUDES="${APT_INCLUDES},sudo"
|
|
193
|
APT_INCLUDES="${APT_INCLUDES},sudo"
|
|
194
|
fi
|
|
194
|
fi
|
|
195
|
|
|
195
|
|
|
196
|
# Add fbturbo video driver
|
|
196
|
# Add fbturbo video driver
|
|
197
|
if [ "$ENABLE_FBTURBO" = true ] ; then
|
|
197
|
if [ "$ENABLE_FBTURBO" = true ] ; then
|
|
198
|
# Enable xorg package dependencies
|
|
198
|
# Enable xorg package dependencies
|
|
199
|
ENABLE_XORG=true
|
|
199
|
ENABLE_XORG=true
|
|
200
|
fi
|
|
200
|
fi
|
|
201
|
|
|
201
|
|
|
202
|
# Add user defined window manager package
|
|
202
|
# Add user defined window manager package
|
|
203
|
if [ -n "$ENABLE_WM" ] ; then
|
|
203
|
if [ -n "$ENABLE_WM" ] ; then
|
|
204
|
APT_INCLUDES="${APT_INCLUDES},${ENABLE_WM}"
|
|
204
|
APT_INCLUDES="${APT_INCLUDES},${ENABLE_WM}"
|
|
205
|
|
|
205
|
|
|
206
|
# Enable xorg package dependencies
|
|
206
|
# Enable xorg package dependencies
|
|
207
|
ENABLE_XORG=true
|
|
207
|
ENABLE_XORG=true
|
|
208
|
fi
|
|
208
|
fi
|
|
209
|
|
|
209
|
|
|
210
|
# Add xorg package
|
|
210
|
# Add xorg package
|
|
211
|
if [ "$ENABLE_XORG" = true ] ; then
|
|
211
|
if [ "$ENABLE_XORG" = true ] ; then
|
|
212
|
APT_INCLUDES="${APT_INCLUDES},xorg"
|
|
212
|
APT_INCLUDES="${APT_INCLUDES},xorg"
|
|
213
|
fi
|
|
213
|
fi
|
|
214
|
|
|
214
|
|
|
215
|
# Base debootstrap (unpack only)
|
|
215
|
# Base debootstrap (unpack only)
|
|
216
|
if [ "$ENABLE_MINBASE" = true ] ; then
|
|
216
|
if [ "$ENABLE_MINBASE" = true ] ; then
|
|
217
|
http_proxy=${APT_PROXY} debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
|
|
217
|
http_proxy=${APT_PROXY} debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
|
|
218
|
else
|
|
218
|
else
|
|
219
|
http_proxy=${APT_PROXY} debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
|
|
219
|
http_proxy=${APT_PROXY} debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
|
|
220
|
fi
|
|
220
|
fi
|
|
221
|
|
|
221
|
|
|
222
|
# Copy qemu emulator binary to chroot
|
|
222
|
# Copy qemu emulator binary to chroot
|
|
223
|
cp /usr/bin/qemu-arm-static $R/usr/bin
|
|
223
|
cp /usr/bin/qemu-arm-static $R/usr/bin
|
|
224
|
|
|
224
|
|
|
225
|
# Copy debian-archive-keyring.pgp
|
|
225
|
# Copy debian-archive-keyring.pgp
|
|
226
|
chroot $R mkdir -p /usr/share/keyrings
|
|
226
|
chroot $R mkdir -p /usr/share/keyrings
|
|
227
|
cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
|
|
227
|
cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
|
|
228
|
|
|
228
|
|
|
229
|
# Complete the bootstrapping process
|
|
229
|
# Complete the bootstrapping process
|
|
230
|
chroot $R /debootstrap/debootstrap --second-stage
|
|
230
|
chroot $R /debootstrap/debootstrap --second-stage
|
|
231
|
|
|
231
|
|
|
232
|
# Mount required filesystems
|
|
232
|
# Mount required filesystems
|
|
233
|
mount -t proc none $R/proc
|
|
233
|
mount -t proc none $R/proc
|
|
234
|
mount -t sysfs none $R/sys
|
|
234
|
mount -t sysfs none $R/sys
|
|
235
|
mount --bind /dev/pts $R/dev/pts
|
|
235
|
mount --bind /dev/pts $R/dev/pts
|
|
236
|
|
|
236
|
|
|
237
|
# Use proxy inside chroot
|
|
237
|
# Use proxy inside chroot
|
|
238
|
if [ -z "$APT_PROXY" ] ; then
|
|
238
|
if [ -z "$APT_PROXY" ] ; then
|
|
239
|
echo "Acquire::http::Proxy \"$APT_PROXY\";" >> $R/etc/apt/apt.conf.d/10proxy
|
|
239
|
echo "Acquire::http::Proxy \"$APT_PROXY\";" >> $R/etc/apt/apt.conf.d/10proxy
|
|
240
|
fi
|
|
240
|
fi
|
|
241
|
|
|
241
|
|
|
242
|
# Pin package flash-kernel to repositories.collabora.co.uk
|
|
242
|
# Pin package flash-kernel to repositories.collabora.co.uk
|
|
243
|
cat <<EOM >$R/etc/apt/preferences.d/flash-kernel
|
|
243
|
cat <<EOM >$R/etc/apt/preferences.d/flash-kernel
|
|
244
|
Package: flash-kernel
|
|
244
|
Package: flash-kernel
|
|
245
|
Pin: origin repositories.collabora.co.uk
|
|
245
|
Pin: origin repositories.collabora.co.uk
|
|
246
|
Pin-Priority: 1000
|
|
246
|
Pin-Priority: 1000
|
|
247
|
EOM
|
|
247
|
EOM
|
|
248
|
|
|
248
|
|
|
249
|
# Set up timezone
|
|
249
|
# Set up timezone
|
|
250
|
echo ${TIMEZONE} >$R/etc/timezone
|
|
250
|
echo ${TIMEZONE} >$R/etc/timezone
|
|
251
|
chroot_exec dpkg-reconfigure -f noninteractive tzdata
|
|
251
|
chroot_exec dpkg-reconfigure -f noninteractive tzdata
|
|
252
|
|
|
252
|
|
|
253
|
# Upgrade collabora package index and install collabora keyring
|
|
253
|
# Upgrade collabora package index and install collabora keyring
|
|
254
|
echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
|
|
254
|
echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
|
|
255
|
chroot_exec apt-get -qq -y update
|
|
255
|
chroot_exec apt-get -qq -y update
|
|
256
|
chroot_exec apt-get -qq -y --force-yes install collabora-obs-archive-keyring
|
|
256
|
chroot_exec apt-get -qq -y --force-yes install collabora-obs-archive-keyring
|
|
257
|
|
|
257
|
|
|
258
|
# Set up initial sources.list
|
|
258
|
# Set up initial sources.list
|
|
259
|
cat <<EOM >$R/etc/apt/sources.list
|
|
259
|
cat <<EOM >$R/etc/apt/sources.list
|
|
260
|
deb http://${APT_SERVER}/debian ${RELEASE} main contrib
|
|
260
|
deb http://${APT_SERVER}/debian ${RELEASE} main contrib
|
|
261
|
#deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib
|
|
261
|
#deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib
|
|
262
|
|
|
262
|
|
|
263
|
deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
|
|
263
|
deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
|
|
264
|
#deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
|
|
264
|
#deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
|
|
265
|
|
|
265
|
|
|
266
|
deb http://security.debian.org/ ${RELEASE}/updates main contrib
|
|
266
|
deb http://security.debian.org/ ${RELEASE}/updates main contrib
|
|
267
|
#deb-src http://security.debian.org/ ${RELEASE}/updates main contrib
|
|
267
|
#deb-src http://security.debian.org/ ${RELEASE}/updates main contrib
|
|
268
|
|
|
268
|
|
|
269
|
deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
|
|
269
|
deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
|
|
270
|
EOM
|
|
270
|
EOM
|
|
271
|
|
|
271
|
|
|
272
|
# Upgrade package index and update all installed packages and changed dependencies
|
|
272
|
# Upgrade package index and update all installed packages and changed dependencies
|
|
273
|
chroot_exec apt-get -qq -y update
|
|
273
|
chroot_exec apt-get -qq -y update
|
|
274
|
chroot_exec apt-get -qq -y -u dist-upgrade
|
|
274
|
chroot_exec apt-get -qq -y -u dist-upgrade
|
|
275
|
|
|
275
|
|
|
276
|
# Set up default locale and keyboard configuration
|
|
276
|
# Set up default locale and keyboard configuration
|
|
277
|
if [ "$ENABLE_MINBASE" = false ] ; then
|
|
277
|
if [ "$ENABLE_MINBASE" = false ] ; then
|
|
278
|
# Set locale choice in debconf db, even though dpkg-reconfigure ignores and overwrites them due to some bug
|
|
278
|
# Set locale choice in debconf db, even though dpkg-reconfigure ignores and overwrites them due to some bug
|
|
279
|
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684134 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685957
|
|
279
|
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684134 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685957
|
|
280
|
# ... so we have to set locales manually
|
|
280
|
# ... so we have to set locales manually
|
|
281
|
if [ "$DEFLOCAL" = "en_US.UTF-8" ] ; then
|
|
281
|
if [ "$DEFLOCAL" = "en_US.UTF-8" ] ; then
|
|
282
|
chroot_exec echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections
|
|
282
|
chroot_exec echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections
|
|
283
|
else
|
|
283
|
else
|
|
284
|
# en_US.UTF-8 should be available anyway : https://www.debian.org/doc/manuals/debian-reference/ch08.en.html#_the_reconfiguration_of_the_locale
|
|
284
|
# en_US.UTF-8 should be available anyway : https://www.debian.org/doc/manuals/debian-reference/ch08.en.html#_the_reconfiguration_of_the_locale
|
|
285
|
chroot_exec echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections
|
|
285
|
chroot_exec echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections
|
|
286
|
chroot_exec sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen
|
|
286
|
chroot_exec sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen
|
|
287
|
fi
|
|
287
|
fi
|
|
288
|
chroot_exec sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen
|
|
288
|
chroot_exec sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen
|
|
289
|
chroot_exec echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections
|
|
289
|
chroot_exec echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections
|
|
290
|
chroot_exec locale-gen
|
|
290
|
chroot_exec locale-gen
|
|
291
|
chroot_exec update-locale LANG=${DEFLOCAL}
|
|
291
|
chroot_exec update-locale LANG=${DEFLOCAL}
|
|
292
|
|
|
292
|
|
|
293
|
# Keyboard configuration, if requested
|
|
293
|
# Keyboard configuration, if requested
|
|
294
|
if [ "$XKBMODEL" != "" ] ; then
|
|
294
|
if [ "$XKBMODEL" != "" ] ; then
|
|
295
|
chroot_exec sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKBMODEL}\"/" /etc/default/keyboard
|
|
295
|
chroot_exec sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKBMODEL}\"/" /etc/default/keyboard
|
|
296
|
fi
|
|
296
|
fi
|
|
297
|
if [ "$XKBLAYOUT" != "" ] ; then
|
|
297
|
if [ "$XKBLAYOUT" != "" ] ; then
|
|
298
|
chroot_exec sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKBLAYOUT}\"/" /etc/default/keyboard
|
|
298
|
chroot_exec sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKBLAYOUT}\"/" /etc/default/keyboard
|
|
299
|
fi
|
|
299
|
fi
|
|
300
|
if [ "$XKBVARIANT" != "" ] ; then
|
|
300
|
if [ "$XKBVARIANT" != "" ] ; then
|
|
301
|
chroot_exec sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKBVARIANT}\"/" /etc/default/keyboard
|
|
301
|
chroot_exec sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKBVARIANT}\"/" /etc/default/keyboard
|
|
302
|
fi
|
|
302
|
fi
|
|
303
|
if [ "$XKBOPTIONS" != "" ] ; then
|
|
303
|
if [ "$XKBOPTIONS" != "" ] ; then
|
|
304
|
chroot_exec sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKBOPTIONS}\"/" /etc/default/keyboard
|
|
304
|
chroot_exec sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKBOPTIONS}\"/" /etc/default/keyboard
|
|
305
|
fi
|
|
305
|
fi
|
|
306
|
chroot_exec dpkg-reconfigure -f noninteractive keyboard-configuration
|
|
306
|
chroot_exec dpkg-reconfigure -f noninteractive keyboard-configuration
|
|
307
|
# Set up font console
|
|
307
|
# Set up font console
|
|
308
|
case "${DEFLOCAL}" in
|
|
308
|
case "${DEFLOCAL}" in
|
|
309
|
*UTF-8)
|
|
309
|
*UTF-8)
|
|
310
|
chroot_exec sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' /etc/default/console-setup
|
|
310
|
chroot_exec sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' /etc/default/console-setup
|
|
311
|
;;
|
|
311
|
;;
|
|
312
|
*)
|
|
312
|
*)
|
|
313
|
chroot_exec sed -i 's/^CHARMAP.*/CHARMAP="guess"/' /etc/default/console-setup
|
|
313
|
chroot_exec sed -i 's/^CHARMAP.*/CHARMAP="guess"/' /etc/default/console-setup
|
|
314
|
;;
|
|
314
|
;;
|
|
315
|
esac
|
|
315
|
esac
|
|
316
|
chroot_exec dpkg-reconfigure -f noninteractive console-setup
|
|
316
|
chroot_exec dpkg-reconfigure -f noninteractive console-setup
|
|
317
|
fi
|
|
317
|
fi
|
|
318
|
|
|
318
|
|
|
319
|
# Kernel installation
|
|
319
|
# Kernel installation
|
|
320
|
# Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
|
|
320
|
# Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
|
|
321
|
chroot_exec apt-get -qq -y --no-install-recommends install linux-image-${KERNEL} raspberrypi-bootloader-nokernel
|
|
321
|
chroot_exec apt-get -qq -y --no-install-recommends install linux-image-${KERNEL} raspberrypi-bootloader-nokernel
|
|
322
|
chroot_exec apt-get -qq -y install flash-kernel
|
|
322
|
chroot_exec apt-get -qq -y install flash-kernel
|
|
323
|
|
|
323
|
|
|
324
|
VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
|
|
324
|
VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
|
|
325
|
[ -z "$VMLINUZ" ] && exit 1
|
|
325
|
[ -z "$VMLINUZ" ] && exit 1
|
|
326
|
cp $VMLINUZ $R/boot/firmware/kernel7.img
|
|
326
|
cp $VMLINUZ $R/boot/firmware/kernel7.img
|
|
327
|
|
|
327
|
|
|
328
|
# Set up IPv4 hosts
|
|
328
|
# Set up IPv4 hosts
|
|
329
|
echo ${HOSTNAME} >$R/etc/hostname
|
|
329
|
echo ${HOSTNAME} >$R/etc/hostname
|
|
330
|
cat <<EOM >$R/etc/hosts
|
|
330
|
cat <<EOM >$R/etc/hosts
|
|
331
|
127.0.0.1 localhost
|
|
331
|
127.0.0.1 localhost
|
|
332
|
127.0.1.1 ${HOSTNAME}
|
|
332
|
127.0.1.1 ${HOSTNAME}
|
|
333
|
EOM
|
|
333
|
EOM
|
|
334
|
if [ "$NET_ADDRESS" != "" ] ; then
|
|
334
|
if [ "$NET_ADDRESS" != "" ] ; then
|
|
335
|
NET_IP=$(echo ${NET_ADDRESS} | cut -f 1 -d'/')
|
|
335
|
NET_IP=$(echo ${NET_ADDRESS} | cut -f 1 -d'/')
|
|
336
|
sed -i "s/^127.0.1.1/${NET_IP}/" $R/etc/hosts
|
|
336
|
sed -i "s/^127.0.1.1/${NET_IP}/" $R/etc/hosts
|
|
337
|
fi
|
|
337
|
fi
|
|
338
|
|
|
338
|
|
|
339
|
# Set up IPv6 hosts
|
|
339
|
# Set up IPv6 hosts
|
|
340
|
if [ "$ENABLE_IPV6" = true ] ; then
|
|
340
|
if [ "$ENABLE_IPV6" = true ] ; then
|
|
341
|
cat <<EOM >>$R/etc/hosts
|
|
341
|
cat <<EOM >>$R/etc/hosts
|
|
342
|
|
|
342
|
|
|
343
|
::1 localhost ip6-localhost ip6-loopback
|
|
343
|
::1 localhost ip6-localhost ip6-loopback
|
|
344
|
ff02::1 ip6-allnodes
|
|
344
|
ff02::1 ip6-allnodes
|
|
345
|
ff02::2 ip6-allrouters
|
|
345
|
ff02::2 ip6-allrouters
|
|
346
|
EOM
|
|
346
|
EOM
|
|
347
|
fi
|
|
347
|
fi
|
|
348
|
|
|
348
|
|
|
349
|
# Place hint about network configuration
|
|
349
|
# Place hint about network configuration
|
|
350
|
cat <<EOM >$R/etc/network/interfaces
|
|
350
|
cat <<EOM >$R/etc/network/interfaces
|
|
351
|
# Debian switched to systemd-networkd configuration files.
|
|
351
|
# Debian switched to systemd-networkd configuration files.
|
|
352
|
# please configure your networks in '/etc/systemd/network/'
|
|
352
|
# please configure your networks in '/etc/systemd/network/'
|
|
353
|
EOM
|
|
353
|
EOM
|
|
354
|
|
|
354
|
|
|
355
|
if [ "$ENABLE_DHCP" = true ] ; then
|
|
355
|
if [ "$ENABLE_DHCP" = true ] ; then
|
|
356
|
# Enable systemd-networkd DHCP configuration for interface eth0
|
|
356
|
# Enable systemd-networkd DHCP configuration for interface eth0
|
|
357
|
cat <<EOM >$R/etc/systemd/network/eth.network
|
|
357
|
cat <<EOM >$R/etc/systemd/network/eth.network
|
|
358
|
[Match]
|
|
358
|
[Match]
|
|
359
|
Name=eth0
|
|
359
|
Name=eth0
|
|
360
|
|
|
360
|
|
|
361
|
[Network]
|
|
361
|
[Network]
|
|
362
|
DHCP=yes
|
|
362
|
DHCP=yes
|
|
363
|
EOM
|
|
363
|
EOM
|
|
364
|
|
|
364
|
|
|
365
|
# Set DHCP configuration to IPv4 only
|
|
365
|
# Set DHCP configuration to IPv4 only
|
|
366
|
if [ "$ENABLE_IPV6" = false ] ; then
|
|
366
|
if [ "$ENABLE_IPV6" = false ] ; then
|
|
367
|
sed -i "s/^DHCP=yes/DHCP=v4/" $R/etc/systemd/network/eth.network
|
|
367
|
sed -i "s/^DHCP=yes/DHCP=v4/" $R/etc/systemd/network/eth.network
|
|
368
|
fi
|
|
368
|
fi
|
|
369
|
else # ENABLE_DHCP=false
|
|
369
|
else # ENABLE_DHCP=false
|
|
370
|
cat <<EOM >$R/etc/systemd/network/eth.network
|
|
370
|
cat <<EOM >$R/etc/systemd/network/eth.network
|
|
371
|
[Match]
|
|
371
|
[Match]
|
|
372
|
Name=eth0
|
|
372
|
Name=eth0
|
|
373
|
|
|
373
|
|
|
374
|
[Network]
|
|
374
|
[Network]
|
|
375
|
DHCP=no
|
|
375
|
DHCP=no
|
|
376
|
Address=${NET_ADDRESS}
|
|
376
|
Address=${NET_ADDRESS}
|
|
377
|
Gateway=${NET_GATEWAY}
|
|
377
|
Gateway=${NET_GATEWAY}
|
|
378
|
DNS=${NET_DNS_1}
|
|
378
|
DNS=${NET_DNS_1}
|
|
379
|
DNS=${NET_DNS_2}
|
|
379
|
DNS=${NET_DNS_2}
|
|
380
|
Domains=${NET_DNS_DOMAINS}
|
|
380
|
Domains=${NET_DNS_DOMAINS}
|
|
381
|
NTP=${NET_NTP_1}
|
|
381
|
NTP=${NET_NTP_1}
|
|
382
|
NTP=${NET_NTP_2}
|
|
382
|
NTP=${NET_NTP_2}
|
|
383
|
EOM
|
|
383
|
EOM
|
|
384
|
fi
|
|
384
|
fi
|
|
385
|
|
|
385
|
|
|
386
|
# Enable systemd-networkd service
|
|
386
|
# Enable systemd-networkd service
|
|
387
|
chroot_exec systemctl enable systemd-networkd
|
|
387
|
chroot_exec systemctl enable systemd-networkd
|
|
388
|
|
|
388
|
|
|
389
|
# Generate crypt(3) password string
|
|
389
|
# Generate crypt(3) password string
|
|
390
|
ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
|
|
390
|
ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
|
|
391
|
|
|
391
|
|
|
392
|
# Set up default user
|
|
392
|
# Set up default user
|
|
393
|
if [ "$ENABLE_USER" = true ] ; then
|
|
393
|
if [ "$ENABLE_USER" = true ] ; then
|
|
394
|
chroot_exec adduser --gecos \"Raspberry PI user\" --add_extra_groups --disabled-password pi
|
|
394
|
chroot_exec adduser --gecos \"Raspberry PI user\" --add_extra_groups --disabled-password pi
|
|
395
|
chroot_exec usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
|
|
395
|
chroot_exec usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
|
|
396
|
fi
|
|
396
|
fi
|
|
397
|
|
|
397
|
|
|
398
|
# Set up root password or not
|
|
398
|
# Set up root password or not
|
|
399
|
if [ "$ENABLE_ROOT" = true ]; then
|
|
399
|
if [ "$ENABLE_ROOT" = true ]; then
|
|
400
|
chroot_exec usermod -p "${ENCRYPTED_PASSWORD}" root
|
|
400
|
chroot_exec usermod -p "${ENCRYPTED_PASSWORD}" root
|
|
401
|
|
|
401
|
|
|
402
|
if [ "$ENABLE_ROOT_SSH" = true ]; then
|
|
402
|
if [ "$ENABLE_ROOT_SSH" = true ]; then
|
|
403
|
sed -i 's|[#]*PermitRootLogin.*|PermitRootLogin yes|g' $R/etc/ssh/sshd_config
|
|
403
|
sed -i 's|[#]*PermitRootLogin.*|PermitRootLogin yes|g' $R/etc/ssh/sshd_config
|
|
404
|
fi
|
|
404
|
fi
|
|
405
|
else
|
|
405
|
else
|
|
406
|
chroot_exec usermod -p \'!\' root
|
|
406
|
chroot_exec usermod -p \'!\' root
|
|
407
|
fi
|
|
407
|
fi
|
|
408
|
|
|
408
|
|
|
409
|
# Set up firmware boot cmdline
|
|
409
|
# Set up firmware boot cmdline
|
|
410
|
CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
|
|
410
|
CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
|
|
411
|
|
|
411
|
|
|
412
|
# Set up serial console support (if requested)
|
|
412
|
# Set up serial console support (if requested)
|
|
413
|
if [ "$ENABLE_CONSOLE" = true ] ; then
|
|
413
|
if [ "$ENABLE_CONSOLE" = true ] ; then
|
|
414
|
CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
|
|
414
|
CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
|
|
415
|
fi
|
|
415
|
fi
|
|
416
|
|
|
416
|
|
|
417
|
# Set up IPv6 networking support
|
|
417
|
# Set up IPv6 networking support
|
|
418
|
if [ "$ENABLE_IPV6" = false ] ; then
|
|
418
|
if [ "$ENABLE_IPV6" = false ] ; then
|
|
419
|
CMDLINE="${CMDLINE} ipv6.disable=1"
|
|
419
|
CMDLINE="${CMDLINE} ipv6.disable=1"
|
|
420
|
fi
|
|
420
|
fi
|
|
421
|
|
|
421
|
|
|
422
|
echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
|
|
422
|
echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
|
|
423
|
|
|
423
|
|
|
424
|
# Set up firmware config
|
|
424
|
# Set up firmware config
|
|
425
|
cat <<EOM >$R/boot/firmware/config.txt
|
|
425
|
install -o root -g root -m 644 files/config.txt $R/boot/firmware/config.txt
|
|
426
|
# For more options and information see
|
|
|
|
|
427
|
# http://www.raspberrypi.org/documentation/configuration/config-txt.md
|
|
|
|
|
428
|
# Some settings may impact device functionality. See link above for details
|
|
|
|
|
429
|
|
|
|
|
|
430
|
# uncomment if you get no picture on HDMI for a default "safe" mode
|
|
|
|
|
431
|
#hdmi_safe=1
|
|
|
|
|
432
|
|
|
|
|
|
433
|
# uncomment this if your display has a black border of unused pixels visible
|
|
|
|
|
434
|
# and your display can output without overscan
|
|
|
|
|
435
|
#disable_overscan=1
|
|
|
|
|
436
|
|
|
|
|
|
437
|
# uncomment the following to adjust overscan. Use positive numbers if console
|
|
|
|
|
438
|
# goes off screen, and negative if there is too much border
|
|
|
|
|
439
|
#overscan_left=16
|
|
|
|
|
440
|
#overscan_right=16
|
|
|
|
|
441
|
#overscan_top=16
|
|
|
|
|
442
|
#overscan_bottom=16
|
|
|
|
|
443
|
|
|
|
|
|
444
|
# uncomment to force a console size. By default it will be display's size minus
|
|
|
|
|
445
|
# overscan.
|
|
|
|
|
446
|
#framebuffer_width=1280
|
|
|
|
|
447
|
#framebuffer_height=720
|
|
|
|
|
448
|
|
|
|
|
|
449
|
# uncomment if hdmi display is not detected and composite is being output
|
|
|
|
|
450
|
#hdmi_force_hotplug=1
|
|
|
|
|
451
|
|
|
|
|
|
452
|
# uncomment to force a specific HDMI mode (this will force VGA)
|
|
|
|
|
453
|
#hdmi_group=1
|
|
|
|
|
454
|
#hdmi_mode=1
|
|
|
|
|
455
|
|
|
|
|
|
456
|
# uncomment to force a HDMI mode rather than DVI. This can make audio work in
|
|
|
|
|
457
|
# DMT (computer monitor) modes
|
|
|
|
|
458
|
#hdmi_drive=2
|
|
|
|
|
459
|
|
|
|
|
|
460
|
# uncomment to increase signal to HDMI, if you have interference, blanking, or
|
|
|
|
|
461
|
# no display
|
|
|
|
|
462
|
#config_hdmi_boost=4
|
|
|
|
|
463
|
|
|
|
|
|
464
|
# uncomment for composite PAL
|
|
|
|
|
465
|
#sdtv_mode=2
|
|
|
|
|
466
|
|
|
|
|
|
467
|
# uncomment to overclock the arm. 700 MHz is the default.
|
|
|
|
|
468
|
#arm_freq=800
|
|
|
|
|
469
|
EOM
|
|
|
|
|
470
|
|
|
426
|
|
|
471
|
# Load snd_bcm2835 kernel module at boot time
|
|
427
|
# Load snd_bcm2835 kernel module at boot time
|
|
472
|
if [ "$ENABLE_SOUND" = true ] ; then
|
|
428
|
if [ "$ENABLE_SOUND" = true ] ; then
|
|
473
|
echo "snd_bcm2835" >>$R/etc/modules
|
|
429
|
echo "snd_bcm2835" >>$R/etc/modules
|
|
474
|
fi
|
|
430
|
fi
|
|
475
|
|
|
431
|
|
|
476
|
# Set smallest possible GPU memory allocation size: 16MB (no X)
|
|
432
|
# Set smallest possible GPU memory allocation size: 16MB (no X)
|
|
477
|
if [ "$ENABLE_MINGPU" = true ] ; then
|
|
433
|
if [ "$ENABLE_MINGPU" = true ] ; then
|
|
478
|
echo "gpu_mem=16" >>$R/boot/firmware/config.txt
|
|
434
|
echo "gpu_mem=16" >>$R/boot/firmware/config.txt
|
|
479
|
fi
|
|
435
|
fi
|
|
480
|
|
|
436
|
|
|
481
|
# Create symlinks
|
|
437
|
# Create symlinks
|
|
482
|
ln -sf firmware/config.txt $R/boot/config.txt
|
|
438
|
ln -sf firmware/config.txt $R/boot/config.txt
|
|
483
|
ln -sf firmware/cmdline.txt $R/boot/cmdline.txt
|
|
439
|
ln -sf firmware/cmdline.txt $R/boot/cmdline.txt
|
|
484
|
|
|
440
|
|
|
485
|
# Prepare modules-load.d directory
|
|
441
|
# Prepare modules-load.d directory
|
|
486
|
mkdir -p $R/lib/modules-load.d/
|
|
442
|
mkdir -p $R/lib/modules-load.d/
|
|
487
|
|
|
443
|
|
|
488
|
# Load random module on boot
|
|
444
|
# Load random module on boot
|
|
489
|
if [ "$ENABLE_HWRANDOM" = true ] ; then
|
|
445
|
if [ "$ENABLE_HWRANDOM" = true ] ; then
|
|
490
|
cat <<EOM >$R/lib/modules-load.d/rpi2.conf
|
|
446
|
cat <<EOM >$R/lib/modules-load.d/rpi2.conf
|
|
491
|
bcm2708_rng
|
|
447
|
bcm2708_rng
|
|
492
|
EOM
|
|
448
|
EOM
|
|
493
|
fi
|
|
449
|
fi
|
|
494
|
|
|
450
|
|
|
495
|
# Prepare modprobe.d directory
|
|
451
|
# Prepare modprobe.d directory
|
|
496
|
mkdir -p $R/etc/modprobe.d/
|
|
452
|
mkdir -p $R/etc/modprobe.d/
|
|
497
|
|
|
453
|
|
|
498
|
# Blacklist sound modules
|
|
454
|
# Blacklist sound modules
|
|
499
|
cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf
|
|
455
|
install -o root -g root -m 644 files/modprobe.d/raspi-blacklist.conf $R/etc/modprobe.d/raspi-blacklist.conf
|
|
500
|
blacklist snd_soc_core
|
|
|
|
|
501
|
blacklist snd_pcm
|
|
|
|
|
502
|
blacklist snd_pcm_dmaengine
|
|
|
|
|
503
|
blacklist snd_timer
|
|
|
|
|
504
|
blacklist snd_compress
|
|
|
|
|
505
|
blacklist snd_soc_pcm512x_i2c
|
|
|
|
|
506
|
blacklist snd_soc_pcm512x
|
|
|
|
|
507
|
blacklist snd_soc_tas5713
|
|
|
|
|
508
|
blacklist snd_soc_wm8804
|
|
|
|
|
509
|
EOM
|
|
|
|
|
510
|
|
|
456
|
|
|
511
|
# Create default fstab
|
|
457
|
# Create default fstab
|
|
512
|
cat <<EOM >$R/etc/fstab
|
|
458
|
install -o root -g root -m 644 files/fstab $R/etc/fstab
|
|
513
|
/dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
|
|
|
|
|
514
|
/dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
|
|
|
|
|
515
|
EOM
|
|
|
|
|
516
|
|
|
459
|
|
|
517
|
# Avoid swapping and increase cache sizes
|
|
460
|
# Avoid swapping and increase cache sizes
|
|
518
|
cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
|
|
461
|
install -o root -g root -m 644 files/sysctl.d/81-rpi-vm.conf $R/etc/sysctl.d/81-rpi-vm.conf
|
|
519
|
|
|
|
|
|
520
|
# Avoid swapping and increase cache sizes
|
|
|
|
|
521
|
vm.swappiness=1
|
|
|
|
|
522
|
vm.dirty_background_ratio=20
|
|
|
|
|
523
|
vm.dirty_ratio=40
|
|
|
|
|
524
|
vm.dirty_writeback_centisecs=500
|
|
|
|
|
525
|
vm.dirty_expire_centisecs=6000
|
|
|
|
|
526
|
EOM
|
|
|
|
|
527
|
|
|
462
|
|
|
528
|
# Enable network stack hardening
|
|
463
|
# Enable network stack hardening
|
|
529
|
if [ "$ENABLE_HARDNET" = true ] ; then
|
|
464
|
if [ "$ENABLE_HARDNET" = true ] ; then
|
|
530
|
cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
|
|
465
|
install -o root -g root -m 644 files/sysctl.d/81-rpi-net-hardening.conf $R/etc/sysctl.d/81-rpi-net-hardening.conf
|
|
531
|
|
|
|
|
|
532
|
# Enable network stack hardening
|
|
|
|
|
533
|
net.ipv4.tcp_timestamps=0
|
|
|
|
|
534
|
net.ipv4.tcp_syncookies=1
|
|
|
|
|
535
|
net.ipv4.conf.all.rp_filter=1
|
|
|
|
|
536
|
net.ipv4.conf.all.accept_redirects=0
|
|
|
|
|
537
|
net.ipv4.conf.all.send_redirects=0
|
|
|
|
|
538
|
net.ipv4.conf.all.accept_source_route=0
|
|
|
|
|
539
|
net.ipv4.conf.default.rp_filter=1
|
|
|
|
|
540
|
net.ipv4.conf.default.accept_redirects=0
|
|
|
|
|
541
|
net.ipv4.conf.default.send_redirects=0
|
|
|
|
|
542
|
net.ipv4.conf.default.accept_source_route=0
|
|
|
|
|
543
|
net.ipv4.conf.lo.accept_redirects=0
|
|
|
|
|
544
|
net.ipv4.conf.lo.send_redirects=0
|
|
|
|
|
545
|
net.ipv4.conf.lo.accept_source_route=0
|
|
|
|
|
546
|
net.ipv4.conf.eth0.accept_redirects=0
|
|
|
|
|
547
|
net.ipv4.conf.eth0.send_redirects=0
|
|
|
|
|
548
|
net.ipv4.conf.eth0.accept_source_route=0
|
|
|
|
|
549
|
net.ipv4.icmp_echo_ignore_broadcasts=1
|
|
|
|
|
550
|
net.ipv4.icmp_ignore_bogus_error_responses=1
|
|
|
|
|
551
|
|
|
|
|
|
552
|
net.ipv6.conf.all.accept_redirects=0
|
|
|
|
|
553
|
net.ipv6.conf.all.accept_source_route=0
|
|
|
|
|
554
|
net.ipv6.conf.all.router_solicitations=0
|
|
|
|
|
555
|
net.ipv6.conf.all.accept_ra_rtr_pref=0
|
|
|
|
|
556
|
net.ipv6.conf.all.accept_ra_pinfo=0
|
|
|
|
|
557
|
net.ipv6.conf.all.accept_ra_defrtr=0
|
|
|
|
|
558
|
net.ipv6.conf.all.autoconf=0
|
|
|
|
|
559
|
net.ipv6.conf.all.dad_transmits=0
|
|
|
|
|
560
|
net.ipv6.conf.all.max_addresses=1
|
|
|
|
|
561
|
|
|
|
|
|
562
|
net.ipv6.conf.default.accept_redirects=0
|
|
|
|
|
563
|
net.ipv6.conf.default.accept_source_route=0
|
|
|
|
|
564
|
net.ipv6.conf.default.router_solicitations=0
|
|
|
|
|
565
|
net.ipv6.conf.default.accept_ra_rtr_pref=0
|
|
|
|
|
566
|
net.ipv6.conf.default.accept_ra_pinfo=0
|
|
|
|
|
567
|
net.ipv6.conf.default.accept_ra_defrtr=0
|
|
|
|
|
568
|
net.ipv6.conf.default.autoconf=0
|
|
|
|
|
569
|
net.ipv6.conf.default.dad_transmits=0
|
|
|
|
|
570
|
net.ipv6.conf.default.max_addresses=1
|
|
|
|
|
571
|
|
|
|
|
|
572
|
net.ipv6.conf.lo.accept_redirects=0
|
|
|
|
|
573
|
net.ipv6.conf.lo.accept_source_route=0
|
|
|
|
|
574
|
net.ipv6.conf.lo.router_solicitations=0
|
|
|
|
|
575
|
net.ipv6.conf.lo.accept_ra_rtr_pref=0
|
|
|
|
|
576
|
net.ipv6.conf.lo.accept_ra_pinfo=0
|
|
|
|
|
577
|
net.ipv6.conf.lo.accept_ra_defrtr=0
|
|
|
|
|
578
|
net.ipv6.conf.lo.autoconf=0
|
|
|
|
|
579
|
net.ipv6.conf.lo.dad_transmits=0
|
|
|
|
|
580
|
net.ipv6.conf.lo.max_addresses=1
|
|
|
|
|
581
|
|
|
|
|
|
582
|
net.ipv6.conf.eth0.accept_redirects=0
|
|
|
|
|
583
|
net.ipv6.conf.eth0.accept_source_route=0
|
|
|
|
|
584
|
net.ipv6.conf.eth0.router_solicitations=0
|
|
|
|
|
585
|
net.ipv6.conf.eth0.accept_ra_rtr_pref=0
|
|
|
|
|
586
|
net.ipv6.conf.eth0.accept_ra_pinfo=0
|
|
|
|
|
587
|
net.ipv6.conf.eth0.accept_ra_defrtr=0
|
|
|
|
|
588
|
net.ipv6.conf.eth0.autoconf=0
|
|
|
|
|
589
|
net.ipv6.conf.eth0.dad_transmits=0
|
|
|
|
|
590
|
net.ipv6.conf.eth0.max_addresses=1
|
|
|
|
|
591
|
EOM
|
|
|
|
|
592
|
|
|
466
|
|
|
593
|
# Enable resolver warnings about spoofed addresses
|
|
467
|
# Enable resolver warnings about spoofed addresses
|
|
594
|
cat <<EOM >>$R/etc/host.conf
|
|
468
|
cat <<EOM >>$R/etc/host.conf
|
|
595
|
spoof warn
|
|
469
|
spoof warn
|
|
596
|
EOM
|
|
470
|
EOM
|
|
597
|
fi
|
|
471
|
fi
|
|
598
|
|
|
472
|
|
|
|
|
|
473
|
# First boot actions
|
|
|
|
|
474
|
cat files/firstboot/10-begin.sh > $R/etc/rc.firstboot
|
|
|
|
|
475
|
|
|
599
|
# Ensure openssh server host keys are regenerated on first boot
|
|
476
|
# Ensure openssh server host keys are regenerated on first boot
|
|
600
|
if [ "$ENABLE_SSHD" = true ] ; then
|
|
477
|
if [ "$ENABLE_SSHD" = true ] ; then
|
|
601
|
cat <<EOM >>$R/etc/rc.firstboot
|
|
478
|
cat files/firstboot/21-generate-ssh-keys.sh >> $R/etc/rc.firstboot
|
|
602
|
#!/bin/sh
|
|
|
|
|
603
|
rm -f /etc/ssh/ssh_host_*
|
|
|
|
|
604
|
ssh-keygen -q -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key
|
|
|
|
|
605
|
ssh-keygen -q -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key
|
|
|
|
|
606
|
ssh-keygen -q -t ecdsa -N "" -f /etc/ssh/ssh_host_ecdsa_key
|
|
|
|
|
607
|
ssh-keygen -q -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key
|
|
|
|
|
608
|
sync
|
|
|
|
|
609
|
|
|
|
|
|
610
|
systemctl restart sshd
|
|
|
|
|
611
|
sed -i '/.*rc.firstboot/d' /etc/rc.local
|
|
|
|
|
612
|
rm -f /etc/rc.firstboot
|
|
|
|
|
613
|
EOM
|
|
|
|
|
614
|
chmod +x $R/etc/rc.firstboot
|
|
|
|
|
615
|
sed -i '/exit 0/d' $R/etc/rc.local
|
|
|
|
|
616
|
echo /etc/rc.firstboot >> $R/etc/rc.local
|
|
|
|
|
617
|
rm -f $R/etc/ssh/ssh_host_*
|
|
479
|
rm -f $R/etc/ssh/ssh_host_*
|
|
618
|
fi
|
|
480
|
fi
|
|
619
|
|
|
481
|
|
|
620
|
if [ "$EXPANDROOT" = true ] ; then
|
|
482
|
if [ "$EXPANDROOT" = true ] ; then
|
|
621
|
cat <<EOF > $R/etc/rc.expandroot
|
|
483
|
cat files/firstboot/22-expandroot.sh >> $R/etc/rc.firstboot
|
|
622
|
#!/bin/sh
|
|
484
|
fi
|
|
|
|
|
485
|
|
|
|
|
|
486
|
cat files/firstboot/99-finish.sh >> $R/etc/rc.firstboot
|
|
|
|
|
487
|
chmod +x $R/etc/rc.firstboot
|
|
623
|
|
|
488
|
|
|
624
|
ROOT_PART=\$(mount | sed -n 's|^/dev/\(.*\) on / .*|\1|p')
|
|
|
|
|
625
|
PART_NUM=\$(echo \${ROOT_PART} | grep -o '[1-9][0-9]*$')
|
|
|
|
|
626
|
case "\${ROOT_PART}" in
|
|
|
|
|
627
|
mmcblk0*) ROOT_DEV=mmcblk0 ;;
|
|
|
|
|
628
|
sda*) ROOT_DEV=sda ;;
|
|
|
|
|
629
|
esac
|
|
|
|
|
630
|
if [ "\$PART_NUM" = "\$ROOT_PART" ]; then
|
|
|
|
|
631
|
logger -t "rc.expandroot" "\$ROOT_PART is not an SD card. Don't know how to expand"
|
|
|
|
|
632
|
return 0
|
|
|
|
|
633
|
fi
|
|
|
|
|
634
|
# NOTE: the NOOBS partition layout confuses parted. For now, let's only
|
|
|
|
|
635
|
# agree to work with a sufficiently simple partition layout
|
|
|
|
|
636
|
if [ "\$PART_NUM" -gt 2 ]; then
|
|
|
|
|
637
|
logger -t "rc.expandroot" "Your partition layout is not currently supported by this tool."
|
|
|
|
|
638
|
return 0
|
|
|
|
|
639
|
fi
|
|
|
|
|
640
|
LAST_PART_NUM=\$(parted /dev/\${ROOT_DEV} -ms unit s p | tail -n 1 | cut -f 1 -d:)
|
|
|
|
|
641
|
if [ \$LAST_PART_NUM -ne \$PART_NUM ]; then
|
|
|
|
|
642
|
logger -t "rc.expandroot" "\$ROOT_PART is not the last partition. Don't know how to expand"
|
|
|
|
|
643
|
return 0
|
|
|
|
|
644
|
fi
|
|
|
|
|
645
|
# Get the starting offset of the root partition
|
|
|
|
|
646
|
PART_START=\$(parted /dev/\${ROOT_DEV} -ms unit s p | grep "^\${PART_NUM}" | cut -f 2 -d: | sed 's/[^0-9]//g')
|
|
|
|
|
647
|
[ "\$PART_START" ] || return 1
|
|
|
|
|
648
|
# Get the possible last sector for the root partition
|
|
|
|
|
649
|
PART_LAST=\$(fdisk -l /dev/\${ROOT_DEV} | grep '^Disk.*sectors' | awk '{ print \$7 - 1 }')
|
|
|
|
|
650
|
[ "\$PART_LAST" ] || return 1
|
|
|
|
|
651
|
# Return value will likely be error for fdisk as it fails to reload the
|
|
|
|
|
652
|
# partition table because the root fs is mounted
|
|
|
|
|
653
|
### Since rc.local is run with "sh -e", let's add "|| true" to prevent premature exit
|
|
|
|
|
654
|
fdisk /dev/\${ROOT_DEV} <<EOF2 || true
|
|
|
|
|
655
|
p
|
|
|
|
|
656
|
d
|
|
|
|
|
657
|
\$PART_NUM
|
|
|
|
|
658
|
n
|
|
|
|
|
659
|
p
|
|
|
|
|
660
|
\$PART_NUM
|
|
|
|
|
661
|
\$PART_START
|
|
|
|
|
662
|
\$PART_LAST
|
|
|
|
|
663
|
p
|
|
|
|
|
664
|
w
|
|
|
|
|
665
|
EOF2
|
|
|
|
|
666
|
# Reload the partition table, resize root filesystem then remove resizing code from this file
|
|
|
|
|
667
|
partprobe &&
|
|
|
|
|
668
|
resize2fs /dev/\${ROOT_PART} &&
|
|
|
|
|
669
|
logger -t "rc.expandroot" "Root partition successfuly resized." &&
|
|
|
|
|
670
|
sed -i '/.*rc.expandroot/d' /etc/rc.local
|
|
|
|
|
671
|
rm -f /etc/rc.expandroot
|
|
|
|
|
672
|
EOF
|
|
|
|
|
673
|
chmod +x $R/etc/rc.expandroot
|
|
|
|
|
674
|
sed -i '/exit 0/d' $R/etc/rc.local
|
|
489
|
sed -i '/exit 0/d' $R/etc/rc.local
|
|
675
|
echo /etc/rc.expandroot >> $R/etc/rc.local
|
|
490
|
echo /etc/rc.firstboot >> $R/etc/rc.local
|
|
676
|
fi
|
|
491
|
echo exit 0 >> $R/etc/rc.local
|
|
677
|
|
|
492
|
|
|
678
|
# Disable rsyslog
|
|
493
|
# Disable rsyslog
|
|
679
|
if [ "$ENABLE_RSYSLOG" = false ]; then
|
|
494
|
if [ "$ENABLE_RSYSLOG" = false ]; then
|
|
680
|
sed -i 's|[#]*ForwardToSyslog=yes|ForwardToSyslog=no|g' $R/etc/systemd/journald.conf
|
|
495
|
sed -i 's|[#]*ForwardToSyslog=yes|ForwardToSyslog=no|g' $R/etc/systemd/journald.conf
|
|
681
|
chroot_exec systemctl disable rsyslog
|
|
496
|
chroot_exec systemctl disable rsyslog
|
|
682
|
chroot_exec apt-get purge -q -y --force-yes rsyslog
|
|
497
|
chroot_exec apt-get purge -q -y --force-yes rsyslog
|
|
683
|
fi
|
|
498
|
fi
|
|
684
|
|
|
499
|
|
|
685
|
# Enable serial console systemd style
|
|
500
|
# Enable serial console systemd style
|
|
686
|
if [ "$ENABLE_CONSOLE" = true ] ; then
|
|
501
|
if [ "$ENABLE_CONSOLE" = true ] ; then
|
|
687
|
chroot_exec systemctl enable serial-getty\@ttyAMA0.service
|
|
502
|
chroot_exec systemctl enable serial-getty\@ttyAMA0.service
|
|
688
|
fi
|
|
503
|
fi
|
|
689
|
|
|
504
|
|
|
690
|
# Enable firewall based on iptables started by systemd service
|
|
505
|
# Enable firewall based on iptables started by systemd service
|
|
691
|
if [ "$ENABLE_IPTABLES" = true ] ; then
|
|
506
|
if [ "$ENABLE_IPTABLES" = true ] ; then
|
|
692
|
# Create iptables configuration directory
|
|
507
|
# Create iptables configuration directory
|
|
693
|
mkdir -p "$R/etc/iptables"
|
|
508
|
mkdir -p "$R/etc/iptables"
|
|
694
|
|
|
509
|
|
|
695
|
# Create iptables systemd service
|
|
510
|
# Create iptables systemd service
|
|
696
|
cat <<EOM >$R/etc/systemd/system/iptables.service
|
|
511
|
install -o root -g root -m 644 files/iptables/iptables.service $R/etc/systemd/system/iptables.service
|
|
697
|
[Unit]
|
|
|
|
|
698
|
Description=Packet Filtering Framework
|
|
|
|
|
699
|
DefaultDependencies=no
|
|
|
|
|
700
|
After=systemd-sysctl.service
|
|
|
|
|
701
|
Before=sysinit.target
|
|
|
|
|
702
|
[Service]
|
|
|
|
|
703
|
Type=oneshot
|
|
|
|
|
704
|
ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
|
|
|
|
|
705
|
ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
|
|
|
|
|
706
|
ExecStop=/etc/iptables/flush-iptables.sh
|
|
|
|
|
707
|
RemainAfterExit=yes
|
|
|
|
|
708
|
[Install]
|
|
|
|
|
709
|
WantedBy=multi-user.target
|
|
|
|
|
710
|
EOM
|
|
|
|
|
711
|
|
|
512
|
|
|
712
|
# Create flush-table script called by iptables service
|
|
513
|
# Create flush-table script called by iptables service
|
|
713
|
cat <<EOM >$R/etc/iptables/flush-iptables.sh
|
|
514
|
install -o root -g root -m 755 files/iptables/flush-iptables.sh $R/etc/iptables/flush-iptables.sh
|
|
714
|
#!/bin/sh
|
|
|
|
|
715
|
iptables -F
|
|
|
|
|
716
|
iptables -X
|
|
|
|
|
717
|
iptables -t nat -F
|
|
|
|
|
718
|
iptables -t nat -X
|
|
|
|
|
719
|
iptables -t mangle -F
|
|
|
|
|
720
|
iptables -t mangle -X
|
|
|
|
|
721
|
iptables -P INPUT ACCEPT
|
|
|
|
|
722
|
iptables -P FORWARD ACCEPT
|
|
|
|
|
723
|
iptables -P OUTPUT ACCEPT
|
|
|
|
|
724
|
EOM
|
|
|
|
|
725
|
|
|
515
|
|
|
726
|
# Create iptables rule file
|
|
516
|
# Create iptables rule file
|
|
727
|
cat <<EOM >$R/etc/iptables/iptables.rules
|
|
517
|
install -o root -g root -m 644 files/iptables/iptables.rules $R/etc/iptables/iptables.rules
|
|
728
|
*filter
|
|
|
|
|
729
|
:INPUT DROP [0:0]
|
|
|
|
|
730
|
:FORWARD DROP [0:0]
|
|
|
|
|
731
|
:OUTPUT ACCEPT [0:0]
|
|
|
|
|
732
|
:TCP - [0:0]
|
|
|
|
|
733
|
:UDP - [0:0]
|
|
|
|
|
734
|
:SSH - [0:0]
|
|
|
|
|
735
|
|
|
|
|
|
736
|
# Rate limit ping requests
|
|
|
|
|
737
|
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
|
|
|
|
|
738
|
-A INPUT -p icmp --icmp-type echo-request -j DROP
|
|
|
|
|
739
|
|
|
|
|
|
740
|
# Accept established connections
|
|
|
|
|
741
|
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
|
|
|
742
|
|
|
|
|
|
743
|
# Accept all traffic on loopback interface
|
|
|
|
|
744
|
-A INPUT -i lo -j ACCEPT
|
|
|
|
|
745
|
|
|
|
|
|
746
|
# Drop packets declared invalid
|
|
|
|
|
747
|
-A INPUT -m conntrack --ctstate INVALID -j DROP
|
|
|
|
|
748
|
|
|
|
|
|
749
|
# SSH rate limiting
|
|
|
|
|
750
|
-A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
|
|
|
|
|
751
|
-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
|
|
|
|
|
752
|
-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
|
|
|
|
|
753
|
-A SSH -m recent --name sshbf --set -j ACCEPT
|
|
|
|
|
754
|
|
|
|
|
|
755
|
# Send TCP and UDP connections to their respective rules chain
|
|
|
|
|
756
|
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
|
|
|
|
|
757
|
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
|
|
|
|
|
758
|
|
|
|
|
|
759
|
# Reject dropped packets with a RFC compliant responce
|
|
|
|
|
760
|
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
|
|
|
|
|
761
|
-A INPUT -p tcp -j REJECT --reject-with tcp-rst
|
|
|
|
|
762
|
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
|
|
|
|
|
763
|
|
|
|
|
|
764
|
## TCP PORT RULES
|
|
|
|
|
765
|
# -A TCP -p tcp -j LOG
|
|
|
|
|
766
|
|
|
|
|
|
767
|
## UDP PORT RULES
|
|
|
|
|
768
|
# -A UDP -p udp -j LOG
|
|
|
|
|
769
|
|
|
|
|
|
770
|
COMMIT
|
|
|
|
|
771
|
EOM
|
|
|
|
|
772
|
|
|
518
|
|
|
773
|
# Reload systemd configuration and enable iptables service
|
|
519
|
# Reload systemd configuration and enable iptables service
|
|
774
|
chroot_exec systemctl daemon-reload
|
|
520
|
chroot_exec systemctl daemon-reload
|
|
775
|
chroot_exec systemctl enable iptables.service
|
|
521
|
chroot_exec systemctl enable iptables.service
|
|
776
|
|
|
522
|
|
|
777
|
if [ "$ENABLE_IPV6" = true ] ; then
|
|
523
|
if [ "$ENABLE_IPV6" = true ] ; then
|
|
778
|
# Create ip6tables systemd service
|
|
524
|
# Create ip6tables systemd service
|
|
779
|
cat <<EOM >$R/etc/systemd/system/ip6tables.service
|
|
525
|
install -o root -g root -m 644 files/iptables/ip6tables.service $R/etc/systemd/system/ip6tables.service
|
|
780
|
[Unit]
|
|
|
|
|
781
|
Description=Packet Filtering Framework
|
|
|
|
|
782
|
DefaultDependencies=no
|
|
|
|
|
783
|
After=systemd-sysctl.service
|
|
|
|
|
784
|
Before=sysinit.target
|
|
|
|
|
785
|
[Service]
|
|
|
|
|
786
|
Type=oneshot
|
|
|
|
|
787
|
ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
|
|
|
|
|
788
|
ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
|
|
|
|
|
789
|
ExecStop=/etc/iptables/flush-ip6tables.sh
|
|
|
|
|
790
|
RemainAfterExit=yes
|
|
|
|
|
791
|
[Install]
|
|
|
|
|
792
|
WantedBy=multi-user.target
|
|
|
|
|
793
|
EOM
|
|
|
|
|
794
|
|
|
526
|
|
|
795
|
# Create ip6tables file
|
|
527
|
# Create ip6tables file
|
|
796
|
cat <<EOM >$R/etc/iptables/flush-ip6tables.sh
|
|
528
|
install -o root -g root -m 755 files/iptables/flush-ip6tables.sh $R/etc/iptables/flush-ip6tables.sh
|
|
797
|
#!/bin/sh
|
|
|
|
|
798
|
ip6tables -F
|
|
|
|
|
799
|
ip6tables -X
|
|
|
|
|
800
|
ip6tables -Z
|
|
|
|
|
801
|
for table in $(</proc/net/ip6_tables_names)
|
|
|
|
|
802
|
do
|
|
|
|
|
803
|
ip6tables -t \$table -F
|
|
|
|
|
804
|
ip6tables -t \$table -X
|
|
|
|
|
805
|
ip6tables -t \$table -Z
|
|
|
|
|
806
|
done
|
|
|
|
|
807
|
ip6tables -P INPUT ACCEPT
|
|
|
|
|
808
|
ip6tables -P OUTPUT ACCEPT
|
|
|
|
|
809
|
ip6tables -P FORWARD ACCEPT
|
|
|
|
|
810
|
EOM
|
|
|
|
|
811
|
|
|
|
|
|
812
|
# Create ip6tables rule file
|
|
|
|
|
813
|
cat <<EOM >$R/etc/iptables/ip6tables.rules
|
|
|
|
|
814
|
*filter
|
|
|
|
|
815
|
:INPUT DROP [0:0]
|
|
|
|
|
816
|
:FORWARD DROP [0:0]
|
|
|
|
|
817
|
:OUTPUT ACCEPT [0:0]
|
|
|
|
|
818
|
:TCP - [0:0]
|
|
|
|
|
819
|
:UDP - [0:0]
|
|
|
|
|
820
|
:SSH - [0:0]
|
|
|
|
|
821
|
|
|
|
|
|
822
|
# Drop packets with RH0 headers
|
|
|
|
|
823
|
-A INPUT -m rt --rt-type 0 -j DROP
|
|
|
|
|
824
|
-A OUTPUT -m rt --rt-type 0 -j DROP
|
|
|
|
|
825
|
-A FORWARD -m rt --rt-type 0 -j DROP
|
|
|
|
|
826
|
|
|
529
|
|
|
827
|
# Rate limit ping requests
|
|
530
|
install -o root -g root -m 644 files/iptables/ip6tables.rules $R/etc/iptables/ip6tables.rules
|
|
828
|
-A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
|
|
|
|
|
829
|
-A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
|
|
|
|
|
830
|
|
|
|
|
|
831
|
# Accept established connections
|
|
|
|
|
832
|
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
|
|
|
833
|
|
|
|
|
|
834
|
# Accept all traffic on loopback interface
|
|
|
|
|
835
|
-A INPUT -i lo -j ACCEPT
|
|
|
|
|
836
|
|
|
|
|
|
837
|
# Drop packets declared invalid
|
|
|
|
|
838
|
-A INPUT -m conntrack --ctstate INVALID -j DROP
|
|
|
|
|
839
|
|
|
|
|
|
840
|
# SSH rate limiting
|
|
|
|
|
841
|
-A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
|
|
|
|
|
842
|
-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
|
|
|
|
|
843
|
-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
|
|
|
|
|
844
|
-A SSH -m recent --name sshbf --set -j ACCEPT
|
|
|
|
|
845
|
|
|
|
|
|
846
|
# Send TCP and UDP connections to their respective rules chain
|
|
|
|
|
847
|
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
|
|
|
|
|
848
|
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
|
|
|
|
|
849
|
|
|
|
|
|
850
|
# Reject dropped packets with a RFC compliant responce
|
|
|
|
|
851
|
-A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
|
|
|
|
|
852
|
-A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
|
|
|
|
|
853
|
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
|
|
|
|
|
854
|
|
|
|
|
|
855
|
## TCP PORT RULES
|
|
|
|
|
856
|
# -A TCP -p tcp -j LOG
|
|
|
|
|
857
|
|
|
|
|
|
858
|
## UDP PORT RULES
|
|
|
|
|
859
|
# -A UDP -p udp -j LOG
|
|
|
|
|
860
|
|
|
|
|
|
861
|
COMMIT
|
|
|
|
|
862
|
EOM
|
|
|
|
|
863
|
|
|
531
|
|
|
864
|
# Reload systemd configuration and enable iptables service
|
|
532
|
# Reload systemd configuration and enable iptables service
|
|
865
|
chroot_exec systemctl daemon-reload
|
|
533
|
chroot_exec systemctl daemon-reload
|
|
866
|
chroot_exec systemctl enable ip6tables.service
|
|
534
|
chroot_exec systemctl enable ip6tables.service
|
|
867
|
fi
|
|
535
|
fi
|
|
868
|
fi
|
|
536
|
fi
|
|
869
|
|
|
537
|
|
|
870
|
# Remove SSHD related iptables rules
|
|
538
|
# Remove SSHD related iptables rules
|
|
871
|
if [ "$ENABLE_SSHD" = false ] ; then
|
|
539
|
if [ "$ENABLE_SSHD" = false ] ; then
|
|
872
|
sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/iptables.rules 2> /dev/null
|
|
540
|
sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/iptables.rules 2> /dev/null
|
|
873
|
sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/ip6tables.rules 2> /dev/null
|
|
541
|
sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/ip6tables.rules 2> /dev/null
|
|
874
|
fi
|
|
542
|
fi
|
|
875
|
|
|
543
|
|
|
876
|
# Install gcc/c++ build environment inside the chroot
|
|
544
|
# Install gcc/c++ build environment inside the chroot
|
|
877
|
if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
|
|
545
|
if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
|
|
878
|
chroot_exec apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
|
|
546
|
chroot_exec apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
|
|
879
|
fi
|
|
547
|
fi
|
|
880
|
|
|
548
|
|
|
881
|
# Fetch and build U-Boot bootloader
|
|
549
|
# Fetch and build U-Boot bootloader
|
|
882
|
if [ "$ENABLE_UBOOT" = true ] ; then
|
|
550
|
if [ "$ENABLE_UBOOT" = true ] ; then
|
|
883
|
# Fetch U-Boot bootloader sources
|
|
551
|
# Fetch U-Boot bootloader sources
|
|
884
|
git -C $R/tmp clone git://git.denx.de/u-boot.git
|
|
552
|
git -C $R/tmp clone git://git.denx.de/u-boot.git
|
|
885
|
|
|
553
|
|
|
886
|
# Build and install U-Boot inside chroot
|
|
554
|
# Build and install U-Boot inside chroot
|
|
887
|
chroot_exec make -C /tmp/u-boot/ rpi_2_defconfig all
|
|
555
|
chroot_exec make -C /tmp/u-boot/ rpi_2_defconfig all
|
|
888
|
|
|
556
|
|
|
889
|
# Copy compiled bootloader binary and set config.txt to load it
|
|
557
|
# Copy compiled bootloader binary and set config.txt to load it
|
|
890
|
cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
|
|
558
|
cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
|
|
891
|
printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
|
|
559
|
printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
|
|
892
|
|
|
560
|
|
|
893
|
# Set U-Boot command file
|
|
561
|
# Set U-Boot command file
|
|
894
|
cat <<EOM >$R/boot/firmware/uboot.mkimage
|
|
562
|
cat <<EOM >$R/boot/firmware/uboot.mkimage
|
|
895
|
# Tell Linux that it is booting on a Raspberry Pi2
|
|
563
|
# Tell Linux that it is booting on a Raspberry Pi2
|
|
896
|
setenv machid 0x00000c42
|
|
564
|
setenv machid 0x00000c42
|
|
897
|
|
|
565
|
|
|
898
|
# Set the kernel boot command line
|
|
566
|
# Set the kernel boot command line
|
|
899
|
setenv bootargs "earlyprintk ${CMDLINE}"
|
|
567
|
setenv bootargs "earlyprintk ${CMDLINE}"
|
|
900
|
|
|
568
|
|
|
901
|
# Save these changes to u-boot's environment
|
|
569
|
# Save these changes to u-boot's environment
|
|
902
|
saveenv
|
|
570
|
saveenv
|
|
903
|
|
|
571
|
|
|
904
|
# Load the existing Linux kernel into RAM
|
|
572
|
# Load the existing Linux kernel into RAM
|
|
905
|
fatload mmc 0:1 \${kernel_addr_r} kernel7.img
|
|
573
|
fatload mmc 0:1 \${kernel_addr_r} kernel7.img
|
|
906
|
|
|
574
|
|
|
907
|
# Boot the kernel we have just loaded
|
|
575
|
# Boot the kernel we have just loaded
|
|
908
|
bootz \${kernel_addr_r}
|
|
576
|
bootz \${kernel_addr_r}
|
|
909
|
EOM
|
|
577
|
EOM
|
|
910
|
|
|
578
|
|
|
911
|
# Generate U-Boot image from command file
|
|
579
|
# Generate U-Boot image from command file
|
|
912
|
chroot_exec mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
|
|
580
|
chroot_exec mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
|
|
913
|
fi
|
|
581
|
fi
|
|
914
|
|
|
582
|
|
|
915
|
# Fetch and build fbturbo Xorg driver
|
|
583
|
# Fetch and build fbturbo Xorg driver
|
|
916
|
if [ "$ENABLE_FBTURBO" = true ] ; then
|
|
584
|
if [ "$ENABLE_FBTURBO" = true ] ; then
|
|
917
|
# Fetch fbturbo driver sources
|
|
585
|
# Fetch fbturbo driver sources
|
|
918
|
git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git
|
|
586
|
git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git
|
|
919
|
|
|
587
|
|
|
920
|
# Install Xorg build dependencies
|
|
588
|
# Install Xorg build dependencies
|
|
921
|
chroot_exec apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
|
|
589
|
chroot_exec apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
|
|
922
|
|
|
590
|
|
|
923
|
# Build and install fbturbo driver inside chroot
|
|
591
|
# Build and install fbturbo driver inside chroot
|
|
924
|
chroot_exec /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install"
|
|
592
|
chroot_exec /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install"
|
|
925
|
|
|
593
|
|
|
926
|
# Add fbturbo driver to Xorg configuration
|
|
594
|
# Add fbturbo driver to Xorg configuration
|
|
927
|
cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf
|
|
595
|
cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf
|
|
928
|
Section "Device"
|
|
596
|
Section "Device"
|
|
929
|
Identifier "Allwinner A10/A13 FBDEV"
|
|
597
|
Identifier "Allwinner A10/A13 FBDEV"
|
|
930
|
Driver "fbturbo"
|
|
598
|
Driver "fbturbo"
|
|
931
|
Option "fbdev" "/dev/fb0"
|
|
599
|
Option "fbdev" "/dev/fb0"
|
|
932
|
Option "SwapbuffersWait" "true"
|
|
600
|
Option "SwapbuffersWait" "true"
|
|
933
|
EndSection
|
|
601
|
EndSection
|
|
934
|
EOM
|
|
602
|
EOM
|
|
935
|
|
|
603
|
|
|
936
|
# Remove Xorg build dependencies
|
|
604
|
# Remove Xorg build dependencies
|
|
937
|
chroot_exec apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
|
|
605
|
chroot_exec apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
|
|
938
|
fi
|
|
606
|
fi
|
|
939
|
|
|
607
|
|
|
940
|
# Remove gcc/c++ build environment from the chroot
|
|
608
|
# Remove gcc/c++ build environment from the chroot
|
|
941
|
if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
|
|
609
|
if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
|
|
942
|
chroot_exec apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
|
|
610
|
chroot_exec apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
|
|
943
|
fi
|
|
611
|
fi
|
|
944
|
|
|
612
|
|
|
945
|
# Clean cached downloads
|
|
613
|
# Clean cached downloads
|
|
946
|
chroot_exec apt-get -y clean
|
|
614
|
chroot_exec apt-get -y clean
|
|
947
|
chroot_exec apt-get -y autoclean
|
|
615
|
chroot_exec apt-get -y autoclean
|
|
948
|
chroot_exec apt-get -y autoremove
|
|
616
|
chroot_exec apt-get -y autoremove
|
|
949
|
|
|
617
|
|
|
950
|
# Unmount mounted filesystems
|
|
618
|
# Unmount mounted filesystems
|
|
951
|
umount -l $R/proc
|
|
619
|
umount -l $R/proc
|
|
952
|
umount -l $R/sys
|
|
620
|
umount -l $R/sys
|
|
953
|
|
|
621
|
|
|
954
|
# Clean up files
|
|
622
|
# Clean up files
|
|
955
|
rm -f $R/etc/apt/sources.list.save
|
|
623
|
rm -f $R/etc/apt/sources.list.save
|
|
956
|
rm -f $R/etc/resolvconf/resolv.conf.d/original
|
|
624
|
rm -f $R/etc/resolvconf/resolv.conf.d/original
|
|
957
|
rm -rf $R/run
|
|
625
|
rm -rf $R/run
|
|
958
|
mkdir -p $R/run
|
|
626
|
mkdir -p $R/run
|
|
959
|
rm -f $R/etc/*-
|
|
627
|
rm -f $R/etc/*-
|
|
960
|
rm -f $R/root/.bash_history
|
|
628
|
rm -f $R/root/.bash_history
|
|
961
|
rm -rf $R/tmp/*
|
|
629
|
rm -rf $R/tmp/*
|
|
962
|
rm -f $R/var/lib/urandom/random-seed
|
|
630
|
rm -f $R/var/lib/urandom/random-seed
|
|
963
|
[ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id
|
|
631
|
[ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id
|
|
964
|
rm -f $R/etc/machine-id
|
|
632
|
rm -f $R/etc/machine-id
|
|
965
|
rm -fr $R/etc/apt/apt.conf.d/10proxy
|
|
633
|
rm -fr $R/etc/apt/apt.conf.d/10proxy
|
|
966
|
|
|
634
|
|
|
967
|
# Calculate size of the chroot directory
|
|
635
|
# Calculate size of the chroot directory
|
|
968
|
CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)
|
|
636
|
CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)
|
|
969
|
|
|
637
|
|
|
970
|
# Calculate required image size
|
|
638
|
# Calculate required image size
|
|
971
|
IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`
|
|
639
|
IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`
|
|
972
|
|
|
640
|
|
|
973
|
# Calculate number of sectors for the partition
|
|
641
|
# Calculate number of sectors for the partition
|
|
974
|
IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`
|
|
642
|
IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`
|
|
975
|
|
|
643
|
|
|
976
|
# Prepare date string for image file name
|
|
644
|
# Prepare date string for image file name
|
|
977
|
DATE="$(date +%Y-%m-%d)"
|
|
645
|
DATE="$(date +%Y-%m-%d)"
|
|
978
|
|
|
646
|
|
|
979
|
# Prepare image file
|
|
647
|
# Prepare image file
|
|
980
|
dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1
|
|
648
|
dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1
|
|
981
|
dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}
|
|
649
|
dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}
|
|
982
|
|
|
650
|
|
|
983
|
# Write partition table
|
|
651
|
# Write partition table
|
|
984
|
sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
|
|
652
|
sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
|
|
985
|
unit: sectors
|
|
653
|
unit: sectors
|
|
986
|
|
|
654
|
|
|
987
|
1 : start= 2048, size= 131072, Id= c, bootable
|
|
655
|
1 : start= 2048, size= 131072, Id= c, bootable
|
|
988
|
2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83
|
|
656
|
2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83
|
|
989
|
3 : start= 0, size= 0, Id= 0
|
|
657
|
3 : start= 0, size= 0, Id= 0
|
|
990
|
4 : start= 0, size= 0, Id= 0
|
|
658
|
4 : start= 0, size= 0, Id= 0
|
|
991
|
EOM
|
|
659
|
EOM
|
|
992
|
|
|
660
|
|
|
993
|
# Set up temporary loop devices and build filesystems
|
|
661
|
# Set up temporary loop devices and build filesystems
|
|
994
|
VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
|
|
662
|
VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
|
|
995
|
EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
|
|
663
|
EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
|
|
996
|
mkfs.vfat "$VFAT_LOOP"
|
|
664
|
mkfs.vfat "$VFAT_LOOP"
|
|
997
|
mkfs.ext4 "$EXT4_LOOP"
|
|
665
|
mkfs.ext4 "$EXT4_LOOP"
|
|
998
|
|
|
666
|
|
|
999
|
# Mount the temporary loop devices
|
|
667
|
# Mount the temporary loop devices
|
|
1000
|
mkdir -p "$BUILDDIR/mount"
|
|
668
|
mkdir -p "$BUILDDIR/mount"
|
|
1001
|
mount "$EXT4_LOOP" "$BUILDDIR/mount"
|
|
669
|
mount "$EXT4_LOOP" "$BUILDDIR/mount"
|
|
1002
|
|
|
670
|
|
|
1003
|
mkdir -p "$BUILDDIR/mount/boot/firmware"
|
|
671
|
mkdir -p "$BUILDDIR/mount/boot/firmware"
|
|
1004
|
mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"
|
|
672
|
mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"
|
|
1005
|
|
|
673
|
|
|
1006
|
# Copy all files from the chroot to the loop device mount point directory
|
|
674
|
# Copy all files from the chroot to the loop device mount point directory
|
|
1007
|
rsync -a "$R/" "$BUILDDIR/mount/"
|
|
675
|
rsync -a "$R/" "$BUILDDIR/mount/"
|
|
1008
|
|
|
676
|
|
|
1009
|
# Unmount all temporary loop devices and mount points
|
|
677
|
# Unmount all temporary loop devices and mount points
|
|
1010
|
cleanup
|
|
678
|
cleanup
|
|
1011
|
|
|
679
|
|
|
1012
|
# (optinal) create block map file for "bmaptool"
|
|
680
|
# (optinal) create block map file for "bmaptool"
|
|
1013
|
bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
|
|
681
|
bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
|
|
1014
|
|
|
682
|
|
|
1015
|
# Image was successfully created
|
|
683
|
# Image was successfully created
|
|
1016
|
echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"
|
|
684
|
echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"
|