Added: ENABLE_MINBASE, Fix: Use systemd-networkd
Jan Wagner
r16:b5764ed82a73
@@ -1,93 +1,97
1 # rpi2-gen-image
1 # rpi2-gen-image
2 ## Introduction
2 ## Introduction
3 `rpi2-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for the Raspberry 2 (RPi2) computer. The script at this time only supports the bootstrapping of the current stable Debian 8 "jessie" release.
3 `rpi2-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for the Raspberry 2 (RPi2) computer. The script at this time only supports the bootstrapping of the current stable Debian 8 "jessie" release.
4
4
5 ## Build dependencies
5 ## Build dependencies
6 The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user.
6 The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user.
7
7
8 ```debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core```
8 ```debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core```
9
9
10 ## Command-line parameters
10 ## Command-line parameters
11 The script accepts certain command-line parameters to enable or disable specific OS features, services and configuration settings. These parameters are passed to the `rpi2-gen-image.sh` script via (simple) shell-variables. Unlike enviroment shell-variables (simple) shell-variables are defined at the beginning of the command-line call of the `rpi2-gen-image.sh` script.
11 The script accepts certain command-line parameters to enable or disable specific OS features, services and configuration settings. These parameters are passed to the `rpi2-gen-image.sh` script via (simple) shell-variables. Unlike enviroment shell-variables (simple) shell-variables are defined at the beginning of the command-line call of the `rpi2-gen-image.sh` script.
12
12
13 #####Command-line examples:
13 #####Command-line examples:
14 ```shell
14 ```shell
15 ENABLE_UBOOT=true ./rpi2-gen-image.sh
15 ENABLE_UBOOT=true ./rpi2-gen-image.sh
16 ENABLE_CONSOLE=false ENABLE_IPV6=false ./rpi2-gen-image.sh
16 ENABLE_CONSOLE=false ENABLE_IPV6=false ./rpi2-gen-image.sh
17 ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi2-gen-image.sh
17 ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi2-gen-image.sh
18 APT_SERVER=ftp.de.debian.org APT_PROXY="http://127.0.0.1:3142/" ./rpi2-gen-image.sh
18 APT_SERVER=ftp.de.debian.org APT_PROXY="http://127.0.0.1:3142/" ./rpi2-gen-image.sh
19 ENABLE_MINBASE=true ./rpi2-gen-image.sh
19 ```
20 ```
20
21
21 #### APT settings:
22 #### APT settings:
22 ##### `APT_SERVER`="ftp.debian.org"
23 ##### `APT_SERVER`="ftp.debian.org"
23 Set Debian packages server address. Choose a server from the list of Debian wordwide [mirror sites](https://www.debian.org/mirror/list). Using a nearby server will probably speed-up all required downloads within the bootstrapping process.
24 Set Debian packages server address. Choose a server from the list of Debian wordwide [mirror sites](https://www.debian.org/mirror/list). Using a nearby server will probably speed-up all required downloads within the bootstrapping process.
24
25
25 ##### `APT_PROXY`=""
26 ##### `APT_PROXY`=""
26 Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once.
27 Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once.
27
28
28 #### General system settings:
29 #### General system settings:
29 ##### `HOSTNAME`="rpi2-jessie"
30 ##### `HOSTNAME`="rpi2-jessie"
30 Set system host name. It is recommended that the host name is unique in the corresponding subnet.
31 Set system host name. It's recommended that the host name is unique in the corresponding subnet.
31
32
32 ##### `PASSWORD`="raspberry"
33 ##### `PASSWORD`="raspberry"
33 Set system root password. It is **STRONGLY** recommended that you choose a custom password.
34 Set system `root` password. The same password is used for the created user `pi`. It's **STRONGLY** recommended that you choose a custom password.
34
35
35 ##### `DEFLOCAL`="en_US.UTF-8"
36 ##### `DEFLOCAL`="en_US.UTF-8"
36 Set default system locale and keyboard layout. This setting can also be changed inside the running OS using the `dpkg-reconfigure locales` command.
37 Set default system locale and keyboard layout. This setting can also be changed inside the running OS using the `dpkg-reconfigure locales` command. The script variant `minbase` (ENABLE_MINBASE=true) doesn't install `locales`.
37
38
38 ##### `TIMEZONE`="Europe/Berlin"
39 ##### `TIMEZONE`="Europe/Berlin"
39 Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command.
40 Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command.
40
41
41 #### Basic system features:
42 #### Basic system features:
42 ##### `ENABLE_CONSOLE`=true
43 ##### `ENABLE_CONSOLE`=true
43 Enable console output
44 Enable serial console interface. Recommended if no monitor or keyboard is connected to the RPi2. In case of problems fe. if the network (auto) configuration failed - the serial console can be used to access the system.
44
45
45 ##### `ENABLE_IPV6`=true
46 ##### `ENABLE_IPV6`=true
46 Enable IPv6 support
47 Enable IPv6 support. The network interface configuration is managed via systemd-networkd.
47
48
48 ##### `ENABLE_SSHD`=true
49 ##### `ENABLE_SSHD`=true
49 Install and enable OpenSSH service
50 Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root.
50
51
51 ##### `ENABLE_SOUND`=true
52 ##### `ENABLE_SOUND`=true
52 Enable sound hardware and install Advanced Linux Sound Architecture
53 Enable sound hardware and install Advanced Linux Sound Architecture.
53
54
54 ##### `ENABLE_HWRANDOM`=true
55 ##### `ENABLE_HWRANDOM`=true
55 Enable Hardware Random Number Generator
56 Enable Hardware Random Number Generator. Strong random numbers are important for most network based communications that use encryption. It's recommended to be enabled.
56
57
57 ##### `ENABLE_MINGPU`=false
58 ##### `ENABLE_MINGPU`=false
58 Minimize the amount of shared memory reserverd for the GPU
59 Minimize the amount of shared memory reserverd for the GPU. It doesn't seem to be possible to fully disable the GPU.
59
60
60 ##### `ENABLE_DBUS`=true
61 ##### `ENABLE_DBUS`=true
61 Install and enable D-Bus message bus
62 Install and enable D-Bus message bus. Please note that systemd should work without D-bus but it's recommended to be enabled.
62
63
63 ##### `ENABLE_XORG`=false
64 ##### `ENABLE_XORG`=false
64 Install Xorg open-source X Window System
65 Install Xorg open-source X Window System.
65
66
66 ##### `ENABLE_FLUXBOX`=false
67 ##### `ENABLE_FLUXBOX`=false
67 Install Fluxbox window manager for the X Window System
68 Install Fluxbox window manager for the X Window System.
68
69
69 #### Advanced sytem features:
70 #### Advanced sytem features:
71 ##### `ENABLE_MINBASE`=false
72 Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB.
73
70 ##### `ENABLE_UBOOT`=false
74 ##### `ENABLE_UBOOT`=false
71 Replace default RPi bootloader with U-Boot bootloader
75 Replace default RPi bootloader with U-Boot bootloader. U-Boot can boot images via the network using the BOOTP/TFTP protocol.
72
76
73 ##### `ENABLE_IPTABLES`=false
77 ##### `ENABLE_IPTABLES`=false
74 Enable iptables IPv4/IPv6 firewall
78 Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service.
75
79
76 ##### `ENABLE_HARDNET`=false
80 ##### `ENABLE_HARDNET`=false
77 Enable IPv4/IPv6 network stack hardening settings
81 Enable IPv4/IPv6 network stack hardening settings.
78
82
79 ## Logging of the bootstrapping process
83 ## Logging of the bootstrapping process
80 All information related to the bootstrapping process and the commands executed by the `rpi2-gen-image.sh` script can easily be saved into a logfile. The common shell command `script` can be used for this purpose:
84 All information related to the bootstrapping process and the commands executed by the `rpi2-gen-image.sh` script can easily be saved into a logfile. The common shell command `script` can be used for this purpose:
81
85
82 ```shell
86 ```shell
83 script -c 'APT_SERVER=ftp.de.debian.org ./rpi2-gen-image.sh' ./build.log
87 script -c 'APT_SERVER=ftp.de.debian.org ./rpi2-gen-image.sh' ./build.log
84 ```
88 ```
85
89
86 ## Flashing the image file
90 ## Flashing the image file
87 After the image file was succesfully created by the `rpi2-gen-image.sh` script it can be copied to the microSD card that will be used by the RPi2 computer. This can be performed by using the tools `bmaptool` or `dd`. Using `bmaptool` will probably speed-up the copy process because `bmaptool` copies more wisely than `dd`.
91 After the image file was succesfully created by the `rpi2-gen-image.sh` script it can be copied to the microSD card that will be used by the RPi2 computer. This can be performed by using the tools `bmaptool` or `dd`. Using `bmaptool` will probably speed-up the copy process because `bmaptool` copies more wisely than `dd`.
88
92
89 #####Flashing examples:
93 #####Flashing examples:
90 ```shell
94 ```shell
91 bmaptool copy ./images/jessie/2015-12-13-debian-jessie.img /dev/mmcblk0
95 bmaptool copy ./images/jessie/2015-12-13-debian-jessie.img /dev/mmcblk0
92 dd bs=4M if=./images/jessie/2015-12-13-debian-jessie.img of=/dev/mmcblk0
96 dd bs=4M if=./images/jessie/2015-12-13-debian-jessie.img of=/dev/mmcblk0
93 ```
97 ```
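Review bot: the third command-line example, `ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi2-gen-image.sh`, is missing the leading `./` that the other examples use, so it fails with "no such file" when copied as-is. Spelling in lines this hunk keeps or adds: "enviroment" (Command-line parameters), "wordwide" (APT_SERVER), "reserverd" (ENABLE_MINGPU), "Advanced sytem features", "succesfully" (Flashing the image file), and "fe." in the new ENABLE_CONSOLE text should be "e.g.". The flashing examples write straight to `/dev/mmcblk0`; a sentence asking the reader to confirm the card's device name (for example with `lsblk`) before running `dd` or `bmaptool copy` would prevent overwriting the wrong disk, since both commands are run as root and do not ask.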
@@ -1,756 +1,790
1 #!/bin/sh
1 #!/bin/sh
2
2
3 ########################################################################
3 ########################################################################
4 # rpi2-gen-image.sh ver2a 12/2015
4 # rpi2-gen-image.sh ver2a 12/2015
5 #
5 #
6 # Advanced debian "jessie" bootstrap script for RPi2
6 # Advanced debian "jessie" bootstrap script for RPi2
7 #
7 #
8 # This program is free software; you can redistribute it and/or
8 # This program is free software; you can redistribute it and/or
9 # modify it under the terms of the GNU General Public License
9 # modify it under the terms of the GNU General Public License
10 # as published by the Free Software Foundation; either version 2
10 # as published by the Free Software Foundation; either version 2
11 # of the License, or (at your option) any later version.
11 # of the License, or (at your option) any later version.
12 #
12 #
13 # some parts based on rpi2-build-image:
13 # some parts based on rpi2-build-image:
14 # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
14 # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
15 # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
15 # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
16 ########################################################################
16 ########################################################################
17
17
18 cleanup (){
18 cleanup (){
19 set +x
19 set +x
20 set +e
20 set +e
21 echo "removing temporary mount points ..."
21 echo "removing temporary mount points ..."
22 umount -l $R/proc 2> /dev/null
22 umount -l $R/proc 2> /dev/null
23 umount -l $R/sys 2> /dev/null
23 umount -l $R/sys 2> /dev/null
24 umount -l $R/dev/pts 2> /dev/null
24 umount -l $R/dev/pts 2> /dev/null
25 umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
25 umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
26 umount "$BUILDDIR/mount" 2> /dev/null
26 umount "$BUILDDIR/mount" 2> /dev/null
27 losetup -d "$EXT4_LOOP" 2> /dev/null
27 losetup -d "$EXT4_LOOP" 2> /dev/null
28 losetup -d "$VFAT_LOOP" 2> /dev/null
28 losetup -d "$VFAT_LOOP" 2> /dev/null
29 trap - 0 1 2 3 6
29 trap - 0 1 2 3 6
30 }
30 }
31
31
32 set -e
32 set -e
33 set -x
33 set -x
34
34
35 RELEASE=${RELEASE:=jessie}
35 RELEASE=${RELEASE:=jessie}
36
36
37 # Build settings
37 # Build settings
38 BASEDIR=./images/${RELEASE}
38 BASEDIR=./images/${RELEASE}
39 BUILDDIR=${BASEDIR}/build
39 BUILDDIR=${BASEDIR}/build
40
40
41 # General settings
41 # General settings
42 HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
42 HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
43 PASSWORD=${PASSWORD:=raspberry}
43 PASSWORD=${PASSWORD:=raspberry}
44 DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
44 DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
45 TIMEZONE=${TIMEZONE:="Europe/Berlin"}
45 TIMEZONE=${TIMEZONE:="Europe/Berlin"}
46
46
47 # APT settings
47 # APT settings
48 APT_PROXY=${APT_PROXY:=""}
48 APT_PROXY=${APT_PROXY:=""}
49 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
49 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
50
50
51 # Feature settings
51 # Feature settings
52 ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
52 ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
53 ENABLE_IPV6=${ENABLE_IPV6:=true}
53 ENABLE_IPV6=${ENABLE_IPV6:=true}
54 ENABLE_SSHD=${ENABLE_SSHD:=true}
54 ENABLE_SSHD=${ENABLE_SSHD:=true}
55 ENABLE_SOUND=${ENABLE_SOUND:=true}
55 ENABLE_SOUND=${ENABLE_SOUND:=true}
56 ENABLE_DBUS=${ENABLE_DBUS:=true}
56 ENABLE_DBUS=${ENABLE_DBUS:=true}
57 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
57 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
58 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
58 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
59 ENABLE_XORG=${ENABLE_XORG:=false}
59 ENABLE_XORG=${ENABLE_XORG:=false}
60 ENABLE_FLUXBOX=${ENABLE_FLUXBOX:=false}
60 ENABLE_FLUXBOX=${ENABLE_FLUXBOX:=false}
61
61
62 # Advanced settings
62 # Advanced settings
63 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
63 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
64 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
64 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
65 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
65 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
66 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
66
67
67 # Image chroot path
68 # Image chroot path
68 R=${BUILDDIR}/chroot
69 R=${BUILDDIR}/chroot
69
70
70 # Packages required for bootstrapping
71 # Packages required for bootstrapping
71 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core"
72 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core"
72
73
73 # Missing packages that need to be installed
74 # Missing packages that need to be installed
74 MISSING_PACKAGES=""
75 MISSING_PACKAGES=""
75
76
76 # Packages required in the chroot build enviroment
77 # Packages required in the chroot build enviroment
77 APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,locales"
78 APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo"
78
79
79 set +x
80 set +x
80
81
81 # Are we running as root?
82 # Are we running as root?
82 if [ "$(id -u)" -ne "0" ] ; then
83 if [ "$(id -u)" -ne "0" ] ; then
83 echo "this script must be executed with root privileges"
84 echo "this script must be executed with root privileges"
84 exit 1
85 exit 1
85 fi
86 fi
86
87
87 # Check if all required packages are installed
88 # Check if all required packages are installed
88 for package in $REQUIRED_PACKAGES ; do
89 for package in $REQUIRED_PACKAGES ; do
89 if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
90 if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
90 MISSING_PACKAGES="$MISSING_PACKAGES $package"
91 MISSING_PACKAGES="$MISSING_PACKAGES $package"
91 fi
92 fi
92 done
93 done
93
94
94 # Ask if missing packages should get installed right now
95 # Ask if missing packages should get installed right now
95 if [ -n "$MISSING_PACKAGES" ] ; then
96 if [ -n "$MISSING_PACKAGES" ] ; then
96 echo "the following packages needed by this script are not installed:"
97 echo "the following packages needed by this script are not installed:"
97 echo "$MISSING_PACKAGES"
98 echo "$MISSING_PACKAGES"
98
99
99 echo -n "\ndo you want to install the missing packages right now? [y/n] "
100 echo -n "\ndo you want to install the missing packages right now? [y/n] "
100 read confirm
101 read confirm
101 if [ "$confirm" != "y" ] ; then
102 if [ "$confirm" != "y" ] ; then
102 exit 1
103 exit 1
103 fi
104 fi
104 fi
105 fi
105
106
106 # Make sure all required packages are installed
107 # Make sure all required packages are installed
107 apt-get -qq -y install ${REQUIRED_PACKAGES}
108 apt-get -qq -y install ${REQUIRED_PACKAGES}
108
109
109 # Don't clobber an old build
110 # Don't clobber an old build
110 if [ -e "$BUILDDIR" ]; then
111 if [ -e "$BUILDDIR" ]; then
111 echo "directory $BUILDDIR already exists, not proceeding"
112 echo "directory $BUILDDIR already exists, not proceeding"
112 exit 1
113 exit 1
113 fi
114 fi
114
115
115 set -x
116 set -x
116
117
117 # Call "cleanup" function on various signals and errors
118 # Call "cleanup" function on various signals and errors
118 trap cleanup 0 1 2 3 6
119 trap cleanup 0 1 2 3 6
119
120
120 # Set up chroot directory
121 # Set up chroot directory
121 mkdir -p $R
122 mkdir -p $R
122
123
124 # Add required packages for the minbase installation
125 if [ "$ENABLE_MINBASE" = true ] ; then
126 APT_INCLUDES="${APT_INCLUDES},vim-tiny,net-tools"
127 else
128 APT_INCLUDES="${APT_INCLUDES},locales"
129 fi
130
123 # Add dbus package, recommended if using systemd
131 # Add dbus package, recommended if using systemd
124 if [ "$ENABLE_DBUS" = true ] ; then
132 if [ "$ENABLE_DBUS" = true ] ; then
125 APT_INCLUDES="${APT_INCLUDES},dbus"
133 APT_INCLUDES="${APT_INCLUDES},dbus"
126 fi
134 fi
127
135
128 # Add openssh server package
136 # Add openssh server package
129 if [ "$ENABLE_SSHD" = true ] ; then
137 if [ "$ENABLE_SSHD" = true ] ; then
130 APT_INCLUDES="${APT_INCLUDES},openssh-server"
138 APT_INCLUDES="${APT_INCLUDES},openssh-server"
131 fi
139 fi
132
140
133 # Add rng-tools package
141 # Add rng-tools package
134 if [ "$ENABLE_HWRANDOM" = true ] ; then
142 if [ "$ENABLE_HWRANDOM" = true ] ; then
135 APT_INCLUDES="${APT_INCLUDES},rng-tools"
143 APT_INCLUDES="${APT_INCLUDES},rng-tools"
136 fi
144 fi
137
145
138 # Add xorg package
146 # Add xorg package
139 if [ "$ENABLE_XORG" = true ] ; then
147 if [ "$ENABLE_XORG" = true ] ; then
140 APT_INCLUDES="${APT_INCLUDES},xorg"
148 APT_INCLUDES="${APT_INCLUDES},xorg"
141 fi
149 fi
142
150
143 # Add fluxbox package with eterm
151 # Add fluxbox package with eterm
144 if [ "$ENABLE_FLUXBOX" = true ] ; then
152 if [ "$ENABLE_FLUXBOX" = true ] ; then
145 APT_INCLUDES="${APT_INCLUDES},fluxbox,eterm"
153 APT_INCLUDES="${APT_INCLUDES},fluxbox,eterm"
146 fi
154 fi
147
155
156 # Set empty proxy string
148 if [ -z "$APT_PROXY" ] ; then
157 if [ -z "$APT_PROXY" ] ; then
149 APT_PROXY="http://"
158 APT_PROXY="http://"
150 fi
159 fi
151
160
152 # Base debootstrap (unpack only)
161 # Base debootstrap (unpack only)
162 if [ "$ENABLE_MINBASE" = true ] ; then
163 debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian
164 else
153 debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian
165 debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian
166 fi
167
168 # Copy qemu emulator binary to chroot
154 cp /usr/bin/qemu-arm-static $R/usr/bin
169 cp /usr/bin/qemu-arm-static $R/usr/bin
155
170
156 # Copy debian-archive-keyring.pgp
171 # Copy debian-archive-keyring.pgp
157 chroot $R mkdir -p /usr/share/keyrings
172 chroot $R mkdir -p /usr/share/keyrings
158 cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
173 cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
159
174
160 # Complete the bootstrapping proccess
175 # Complete the bootstrapping proccess
161 chroot $R /debootstrap/debootstrap --second-stage
176 chroot $R /debootstrap/debootstrap --second-stage
162
177
163 # Mount required filesystems
178 # Mount required filesystems
164 mount -t proc none $R/proc
179 mount -t proc none $R/proc
165 mount -t sysfs none $R/sys
180 mount -t sysfs none $R/sys
166 mount --bind /dev/pts $R/dev/pts
181 mount --bind /dev/pts $R/dev/pts
167
182
168 # Use proxy inside chroot
183 # Use proxy inside chroot
169 if [ -z "$APT_PROXY" ] ; then
184 if [ -z "$APT_PROXY" ] ; then
170 echo "Acquire::http::Proxy \"$APT_PROXY\"" >> $R/etc/apt/apt.conf.d/10proxy
185 echo "Acquire::http::Proxy \"$APT_PROXY\"" >> $R/etc/apt/apt.conf.d/10proxy
171 fi
186 fi
172
187
173 # Pin package flash-kernel to repositories.collabora.co.uk
188 # Pin package flash-kernel to repositories.collabora.co.uk
174 cat <<EOM >$R/etc/apt/preferences.d/flash-kernel
189 cat <<EOM >$R/etc/apt/preferences.d/flash-kernel
175 Package: flash-kernel
190 Package: flash-kernel
176 Pin: origin repositories.collabora.co.uk
191 Pin: origin repositories.collabora.co.uk
177 Pin-Priority: 1000
192 Pin-Priority: 1000
178 EOM
193 EOM
179
194
180 # Set up timezone
195 # Set up timezone
181 echo ${TIMEZONE} >$R/etc/timezone
196 echo ${TIMEZONE} >$R/etc/timezone
182 LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata
197 LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata
183
198
184 # Set up default locales to "en_US.UTF-8" default
199 # Set up default locales to "en_US.UTF-8" default
200 if [ "$ENABLE_MINBASE" = false ] ; then
185 LANG=C chroot $R sed -i '/${DEFLOCAL}/s/^#//' /etc/locale.gen
201 LANG=C chroot $R sed -i '/${DEFLOCAL}/s/^#//' /etc/locale.gen
186 LANG=C chroot $R locale-gen ${DEFLOCAL}
202 LANG=C chroot $R locale-gen ${DEFLOCAL}
203 fi
187
204
188 # Upgrade collabora package index and install collabora keyring
205 # Upgrade collabora package index and install collabora keyring
189 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
206 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
190 LANG=C chroot $R apt-get -qq -y update
207 LANG=C chroot $R apt-get -qq -y update
191 LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring
208 LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring
192
209
193 # Set up initial sources.list
210 # Set up initial sources.list
194 cat <<EOM >$R/etc/apt/sources.list
211 cat <<EOM >$R/etc/apt/sources.list
195 deb http://${APT_SERVER}/debian ${RELEASE} main contrib
212 deb http://${APT_SERVER}/debian ${RELEASE} main contrib
196 #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib
213 #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib
197
214
198 deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
215 deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
199 #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
216 #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
200
217
201 deb http://security.debian.org/ ${RELEASE}/updates main contrib
218 deb http://security.debian.org/ ${RELEASE}/updates main contrib
202 #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib
219 #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib
203
220
204 deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
221 deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
205 EOM
222 EOM
206
223
207 # Upgrade package index and update all installed packages and changed dependencies
224 # Upgrade package index and update all installed packages and changed dependencies
208 LANG=C chroot $R apt-get -qq -y update
225 LANG=C chroot $R apt-get -qq -y update
209 LANG=C chroot $R apt-get -qq -y -u dist-upgrade
226 LANG=C chroot $R apt-get -qq -y -u dist-upgrade
210
227
211 # Kernel installation
228 # Kernel installation
212 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
229 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
213 LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2
230 LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2
214 LANG=C chroot $R apt-get -qq -y install flash-kernel
231 LANG=C chroot $R apt-get -qq -y install flash-kernel
215
232
216 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
233 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
217 [ -z "$VMLINUZ" ] && exit 1
234 [ -z "$VMLINUZ" ] && exit 1
218 mkdir -p $R/boot/firmware
235 mkdir -p $R/boot/firmware
219
236
220 # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")
237 # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")
221 wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin
238 wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin
222 wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat
239 wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat
223 wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat
240 wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat
224 wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat
241 wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat
225 wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf
242 wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf
226 wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf
243 wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf
227 wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf
244 wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf
228 cp $VMLINUZ $R/boot/firmware/kernel7.img
245 cp $VMLINUZ $R/boot/firmware/kernel7.img
229
246
230 # Set up hosts
247 # Set up hosts
231 echo ${HOSTNAME} >$R/etc/hostname
248 echo ${HOSTNAME} >$R/etc/hostname
232 cat <<EOM >$R/etc/hosts
249 cat <<EOM >$R/etc/hosts
233 127.0.0.1 localhost
250 127.0.0.1 localhost
234 127.0.1.1 ${HOSTNAME}
251 127.0.1.1 ${HOSTNAME}
235 EOM
252 EOM
236
253
237 if [ "$ENABLE_IPV6" = true ] ; then
254 if [ "$ENABLE_IPV6" = true ] ; then
238 cat <<EOM >>$R/etc/hosts
255 cat <<EOM >>$R/etc/hosts
239
256
240 ::1 localhost ip6-localhost ip6-loopback
257 ::1 localhost ip6-localhost ip6-loopback
241 ff02::1 ip6-allnodes
258 ff02::1 ip6-allnodes
242 ff02::2 ip6-allrouters
259 ff02::2 ip6-allrouters
243 EOM
260 EOM
244 fi
261 fi
245
262
246 # Generate crypt(3) password string
263 # Generate crypt(3) password string
247 ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
264 ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
248
265
249 # Set up default user
266 # Set up default user
250 LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi
267 LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi
251 LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
268 LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
252
269
253 # Set up root password
270 # Set up root password
254 LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root
271 LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root
255
272
256 # Set up interfaces
273 # Set up interfaces
257 cat <<EOM >$R/etc/network/interfaces
274 cat <<EOM >$R/etc/network/interfaces
258 # interfaces(5) file used by ifup(8) and ifdown(8)
275 # interfaces(5) file used by ifup(8) and ifdown(8)
259 # Include files from /etc/network/interfaces.d:
276 # Include files from /etc/network/interfaces.d:
260 source-directory /etc/network/interfaces.d
277 source-directory /etc/network/interfaces.d
261
278
262 # The loopback network interface
279 # The loopback network interface
263 auto lo
280 auto lo
264 iface lo inet loopback
281 iface lo inet loopback
265
282
266 # The primary network interface
283 # The primary network interface
267 allow-hotplug eth0
284 allow-hotplug eth0
268 iface eth0 inet dhcp
285 iface eth0 inet dhcp
269 EOM
286 EOM
270
287
271 # Set up firmware boot cmdline
288 # Set up firmware boot cmdline
272 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
289 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
273
290
274 # Set up serial console support (if requested)
291 # Set up serial console support (if requested)
275 if [ "$ENABLE_CONSOLE" = true ] ; then
292 if [ "$ENABLE_CONSOLE" = true ] ; then
276 CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
293 CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
277 fi
294 fi
278
295
279 # Set up ipv6 support (if requested)
296 # Set up ipv6 support (if requested)
280 if [ "$ENABLE_IPV6" = false ] ; then
297 if [ "$ENABLE_IPV6" = false ] ; then
281 CMDLINE="${CMDLINE} ipv6.disable=1"
298 CMDLINE="${CMDLINE} ipv6.disable=1"
282 fi
299 fi
283
300
284 echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
301 echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
285
302
286 # Set up firmware config
303 # Set up firmware config
287 cat <<EOM >$R/boot/firmware/config.txt
304 cat <<EOM >$R/boot/firmware/config.txt
288 # For more options and information see
305 # For more options and information see
289 # http://www.raspberrypi.org/documentation/configuration/config-txt.md
306 # http://www.raspberrypi.org/documentation/configuration/config-txt.md
290 # Some settings may impact device functionality. See link above for details
307 # Some settings may impact device functionality. See link above for details
291
308
292 # uncomment if you get no picture on HDMI for a default "safe" mode
309 # uncomment if you get no picture on HDMI for a default "safe" mode
293 #hdmi_safe=1
310 #hdmi_safe=1
294
311
295 # uncomment this if your display has a black border of unused pixels visible
312 # uncomment this if your display has a black border of unused pixels visible
296 # and your display can output without overscan
313 # and your display can output without overscan
297 #disable_overscan=1
314 #disable_overscan=1
298
315
299 # uncomment the following to adjust overscan. Use positive numbers if console
316 # uncomment the following to adjust overscan. Use positive numbers if console
300 # goes off screen, and negative if there is too much border
317 # goes off screen, and negative if there is too much border
301 #overscan_left=16
318 #overscan_left=16
302 #overscan_right=16
319 #overscan_right=16
303 #overscan_top=16
320 #overscan_top=16
304 #overscan_bottom=16
321 #overscan_bottom=16
305
322
306 # uncomment to force a console size. By default it will be display's size minus
323 # uncomment to force a console size. By default it will be display's size minus
307 # overscan.
324 # overscan.
308 #framebuffer_width=1280
325 #framebuffer_width=1280
309 #framebuffer_height=720
326 #framebuffer_height=720
310
327
311 # uncomment if hdmi display is not detected and composite is being output
328 # uncomment if hdmi display is not detected and composite is being output
312 #hdmi_force_hotplug=1
329 #hdmi_force_hotplug=1
313
330
314 # uncomment to force a specific HDMI mode (this will force VGA)
331 # uncomment to force a specific HDMI mode (this will force VGA)
315 #hdmi_group=1
332 #hdmi_group=1
316 #hdmi_mode=1
333 #hdmi_mode=1
317
334
318 # uncomment to force a HDMI mode rather than DVI. This can make audio work in
335 # uncomment to force a HDMI mode rather than DVI. This can make audio work in
319 # DMT (computer monitor) modes
336 # DMT (computer monitor) modes
320 #hdmi_drive=2
337 #hdmi_drive=2
321
338
322 # uncomment to increase signal to HDMI, if you have interference, blanking, or
339 # uncomment to increase signal to HDMI, if you have interference, blanking, or
323 # no display
340 # no display
324 #config_hdmi_boost=4
341 #config_hdmi_boost=4
325
342
326 # uncomment for composite PAL
343 # uncomment for composite PAL
327 #sdtv_mode=2
344 #sdtv_mode=2
328
345
329 # uncomment to overclock the arm. 700 MHz is the default.
346 # uncomment to overclock the arm. 700 MHz is the default.
330 #arm_freq=800
347 #arm_freq=800
331 EOM
348 EOM
332
349
333 # Set smallest possible GPU memory allocation size: 16MB (no X)
350 # Set smallest possible GPU memory allocation size: 16MB (no X)
334 if [ "$ENABLE_MINGPU" = true ] ; then
351 if [ "$ENABLE_MINGPU" = true ] ; then
335 echo "gpu_mem=16" >>$R/boot/firmware/config.txt
352 echo "gpu_mem=16" >>$R/boot/firmware/config.txt
336 fi
353 fi
337
354
338 # Create symlinks
355 # Create symlinks
339 ln -sf firmware/config.txt $R/boot/config.txt
356 ln -sf firmware/config.txt $R/boot/config.txt
340 ln -sf firmware/cmdline.txt $R/boot/cmdline.txt
357 ln -sf firmware/cmdline.txt $R/boot/cmdline.txt
341
358
342 # Prepare modules-load.d directory
359 # Prepare modules-load.d directory
343 mkdir -p $R/lib/modules-load.d/
360 mkdir -p $R/lib/modules-load.d/
344
361
345 # Load random module on boot
362 # Load random module on boot
346 if [ "$ENABLE_HWRANDOM" = true ] ; then
363 if [ "$ENABLE_HWRANDOM" = true ] ; then
347 cat <<EOM >$R/lib/modules-load.d/rpi2.conf
364 cat <<EOM >$R/lib/modules-load.d/rpi2.conf
348 bcm2708_rng
365 bcm2708_rng
349 EOM
366 EOM
350 fi
367 fi
351
368
352 # Prepare modprobe.d directory
369 # Prepare modprobe.d directory
353 mkdir -p $R/etc/modprobe.d/
370 mkdir -p $R/etc/modprobe.d/
354
371
355 # Blacklist sound modules
372 # Blacklist sound modules
356 cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf
373 cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf
357 blacklist snd_soc_core
374 blacklist snd_soc_core
358 blacklist snd_pcm
375 blacklist snd_pcm
359 blacklist snd_pcm_dmaengine
376 blacklist snd_pcm_dmaengine
360 blacklist snd_timer
377 blacklist snd_timer
361 blacklist snd_compress
378 blacklist snd_compress
362 blacklist snd_soc_pcm512x_i2c
379 blacklist snd_soc_pcm512x_i2c
363 blacklist snd_soc_pcm512x
380 blacklist snd_soc_pcm512x
364 blacklist snd_soc_tas5713
381 blacklist snd_soc_tas5713
365 blacklist snd_soc_wm8804
382 blacklist snd_soc_wm8804
366 EOM
383 EOM
367
384
368 # Create default fstab
385 # Create default fstab
369 cat <<EOM >$R/etc/fstab
386 cat <<EOM >$R/etc/fstab
370 /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
387 /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
371 /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
388 /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
372 EOM
389 EOM
373
390
374 # Avoid swapping and increase cache sizes
391 # Avoid swapping and increase cache sizes
375 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
392 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
376
393
377 # Avoid swapping and increase cache sizes
394 # Avoid swapping and increase cache sizes
378 vm.swappiness=1
395 vm.swappiness=1
379 vm.dirty_background_ratio=20
396 vm.dirty_background_ratio=20
380 vm.dirty_ratio=40
397 vm.dirty_ratio=40
381 vm.dirty_writeback_centisecs=500
398 vm.dirty_writeback_centisecs=500
382 vm.dirty_expire_centisecs=6000
399 vm.dirty_expire_centisecs=6000
383 EOM
400 EOM
384
401
385 # Enable network stack hardening
402 # Enable network stack hardening
386 if [ "$ENABLE_HARDNET" = true ] ; then
403 if [ "$ENABLE_HARDNET" = true ] ; then
387 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
404 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
388
405
389 # Enable network stack hardening
406 # Enable network stack hardening
390 net.ipv4.tcp_timestamps=0
407 net.ipv4.tcp_timestamps=0
391 net.ipv4.tcp_syncookies=1
408 net.ipv4.tcp_syncookies=1
392 net.ipv4.conf.all.rp_filter=1
409 net.ipv4.conf.all.rp_filter=1
393 net.ipv4.conf.all.accept_redirects=0
410 net.ipv4.conf.all.accept_redirects=0
394 net.ipv4.conf.all.send_redirects=0
411 net.ipv4.conf.all.send_redirects=0
395 net.ipv4.conf.all.accept_source_route=0
412 net.ipv4.conf.all.accept_source_route=0
396 net.ipv4.conf.default.rp_filter=1
413 net.ipv4.conf.default.rp_filter=1
397 net.ipv4.conf.default.accept_redirects=0
414 net.ipv4.conf.default.accept_redirects=0
398 net.ipv4.conf.default.send_redirects=0
415 net.ipv4.conf.default.send_redirects=0
399 net.ipv4.conf.default.accept_source_route=0
416 net.ipv4.conf.default.accept_source_route=0
400 net.ipv4.conf.lo.accept_redirects=0
417 net.ipv4.conf.lo.accept_redirects=0
401 net.ipv4.conf.lo.send_redirects=0
418 net.ipv4.conf.lo.send_redirects=0
402 net.ipv4.conf.lo.accept_source_route=0
419 net.ipv4.conf.lo.accept_source_route=0
403 net.ipv4.conf.eth0.accept_redirects=0
420 net.ipv4.conf.eth0.accept_redirects=0
404 net.ipv4.conf.eth0.send_redirects=0
421 net.ipv4.conf.eth0.send_redirects=0
405 net.ipv4.conf.eth0.accept_source_route=0
422 net.ipv4.conf.eth0.accept_source_route=0
406 net.ipv4.icmp_echo_ignore_broadcasts=1
423 net.ipv4.icmp_echo_ignore_broadcasts=1
407 net.ipv4.icmp_ignore_bogus_error_responses=1
424 net.ipv4.icmp_ignore_bogus_error_responses=1
408
425
409 net.ipv6.conf.all.accept_redirects=0
426 net.ipv6.conf.all.accept_redirects=0
410 net.ipv6.conf.all.accept_source_route=0
427 net.ipv6.conf.all.accept_source_route=0
411 net.ipv6.conf.all.router_solicitations=0
428 net.ipv6.conf.all.router_solicitations=0
412 net.ipv6.conf.all.accept_ra_rtr_pref=0
429 net.ipv6.conf.all.accept_ra_rtr_pref=0
413 net.ipv6.conf.all.accept_ra_pinfo=0
430 net.ipv6.conf.all.accept_ra_pinfo=0
414 net.ipv6.conf.all.accept_ra_defrtr=0
431 net.ipv6.conf.all.accept_ra_defrtr=0
415 net.ipv6.conf.all.autoconf=0
432 net.ipv6.conf.all.autoconf=0
416 net.ipv6.conf.all.dad_transmits=0
433 net.ipv6.conf.all.dad_transmits=0
417 net.ipv6.conf.all.max_addresses=1
434 net.ipv6.conf.all.max_addresses=1
418
435
419 net.ipv6.conf.default.accept_redirects=0
436 net.ipv6.conf.default.accept_redirects=0
420 net.ipv6.conf.default.accept_source_route=0
437 net.ipv6.conf.default.accept_source_route=0
421 net.ipv6.conf.default.router_solicitations=0
438 net.ipv6.conf.default.router_solicitations=0
422 net.ipv6.conf.default.accept_ra_rtr_pref=0
439 net.ipv6.conf.default.accept_ra_rtr_pref=0
423 net.ipv6.conf.default.accept_ra_pinfo=0
440 net.ipv6.conf.default.accept_ra_pinfo=0
424 net.ipv6.conf.default.accept_ra_defrtr=0
441 net.ipv6.conf.default.accept_ra_defrtr=0
425 net.ipv6.conf.default.autoconf=0
442 net.ipv6.conf.default.autoconf=0
426 net.ipv6.conf.default.dad_transmits=0
443 net.ipv6.conf.default.dad_transmits=0
427 net.ipv6.conf.default.max_addresses=1
444 net.ipv6.conf.default.max_addresses=1
428
445
429 net.ipv6.conf.lo.accept_redirects=0
446 net.ipv6.conf.lo.accept_redirects=0
430 net.ipv6.conf.lo.accept_source_route=0
447 net.ipv6.conf.lo.accept_source_route=0
431 net.ipv6.conf.lo.router_solicitations=0
448 net.ipv6.conf.lo.router_solicitations=0
432 net.ipv6.conf.lo.accept_ra_rtr_pref=0
449 net.ipv6.conf.lo.accept_ra_rtr_pref=0
433 net.ipv6.conf.lo.accept_ra_pinfo=0
450 net.ipv6.conf.lo.accept_ra_pinfo=0
434 net.ipv6.conf.lo.accept_ra_defrtr=0
451 net.ipv6.conf.lo.accept_ra_defrtr=0
435 net.ipv6.conf.lo.autoconf=0
452 net.ipv6.conf.lo.autoconf=0
436 net.ipv6.conf.lo.dad_transmits=0
453 net.ipv6.conf.lo.dad_transmits=0
437 net.ipv6.conf.lo.max_addresses=1
454 net.ipv6.conf.lo.max_addresses=1
438
455
439 net.ipv6.conf.eth0.accept_redirects=0
456 net.ipv6.conf.eth0.accept_redirects=0
440 net.ipv6.conf.eth0.accept_source_route=0
457 net.ipv6.conf.eth0.accept_source_route=0
441 net.ipv6.conf.eth0.router_solicitations=0
458 net.ipv6.conf.eth0.router_solicitations=0
442 net.ipv6.conf.eth0.accept_ra_rtr_pref=0
459 net.ipv6.conf.eth0.accept_ra_rtr_pref=0
443 net.ipv6.conf.eth0.accept_ra_pinfo=0
460 net.ipv6.conf.eth0.accept_ra_pinfo=0
444 net.ipv6.conf.eth0.accept_ra_defrtr=0
461 net.ipv6.conf.eth0.accept_ra_defrtr=0
445 net.ipv6.conf.eth0.autoconf=0
462 net.ipv6.conf.eth0.autoconf=0
446 net.ipv6.conf.eth0.dad_transmits=0
463 net.ipv6.conf.eth0.dad_transmits=0
447 net.ipv6.conf.eth0.max_addresses=1
464 net.ipv6.conf.eth0.max_addresses=1
448 EOM
465 EOM
449
466
450 # Enable resolver warnings about spoofed addresses
467 # Enable resolver warnings about spoofed addresses
451 cat <<EOM >>$R/etc/host.conf
468 cat <<EOM >>$R/etc/host.conf
452 spoof warn
469 spoof warn
453 EOM
470 EOM
454 fi
471 fi
455
472
456 # Regenerate openssh server host keys
473 # Regenerate openssh server host keys
457 if [ "$ENABLE_SSHD" = true ] ; then
474 if [ "$ENABLE_SSHD" = true ] ; then
458 rm -fr $R/etc/ssh/ssh_host_*
475 rm -fr $R/etc/ssh/ssh_host_*
459 LANG=C chroot $R dpkg-reconfigure openssh-server
476 LANG=C chroot $R dpkg-reconfigure openssh-server
460 fi
477 fi
461
478
462 # Enable serial console systemd style
479 # Enable serial console systemd style
463 if [ "$ENABLE_CONSOLE" = true ] ; then
480 if [ "$ENABLE_CONSOLE" = true ] ; then
464 LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service
481 LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service
465 fi
482 fi
466
483
467 # Enable firewall based on iptables started by systemd service
484 # Enable firewall based on iptables started by systemd service
468 if [ "$ENABLE_IPTABLES" = true ] ; then
485 if [ "$ENABLE_IPTABLES" = true ] ; then
469 # Create iptables configuration directory
486 # Create iptables configuration directory
470 mkdir -p "$R/etc/iptables"
487 mkdir -p "$R/etc/iptables"
471
488
472 # Create iptables systemd service
489 # Create iptables systemd service
473 cat <<EOM >$R/etc/systemd/system/iptables.service
490 cat <<EOM >$R/etc/systemd/system/iptables.service
474 [Unit]
491 [Unit]
475 Description=Packet Filtering Framework
492 Description=Packet Filtering Framework
476 DefaultDependencies=no
493 DefaultDependencies=no
477 After=systemd-sysctl.service
494 After=systemd-sysctl.service
478 Before=sysinit.target
495 Before=sysinit.target
479 [Service]
496 [Service]
480 Type=oneshot
497 Type=oneshot
481 ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
498 ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
482 ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
499 ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
483 ExecStop=/etc/iptables/flush-iptables.sh
500 ExecStop=/etc/iptables/flush-iptables.sh
484 RemainAfterExit=yes
501 RemainAfterExit=yes
485 [Install]
502 [Install]
486 WantedBy=multi-user.target
503 WantedBy=multi-user.target
487 EOM
504 EOM
488
505
489 # Create flush-table script called by iptables service
506 # Create flush-table script called by iptables service
490 cat <<EOM >$R/etc/iptables/flush-iptables.sh
507 cat <<EOM >$R/etc/iptables/flush-iptables.sh
491 #!/bin/sh
508 #!/bin/sh
492 iptables -F
509 iptables -F
493 iptables -X
510 iptables -X
494 iptables -t nat -F
511 iptables -t nat -F
495 iptables -t nat -X
512 iptables -t nat -X
496 iptables -t mangle -F
513 iptables -t mangle -F
497 iptables -t mangle -X
514 iptables -t mangle -X
498 iptables -P INPUT ACCEPT
515 iptables -P INPUT ACCEPT
499 iptables -P FORWARD ACCEPT
516 iptables -P FORWARD ACCEPT
500 iptables -P OUTPUT ACCEPT
517 iptables -P OUTPUT ACCEPT
501 EOM
518 EOM
502
519
503 # Create iptables rule file
520 # Create iptables rule file
504 cat <<EOM >$R/etc/iptables/iptables.rules
521 cat <<EOM >$R/etc/iptables/iptables.rules
505 *filter
522 *filter
506 :INPUT DROP [0:0]
523 :INPUT DROP [0:0]
507 :FORWARD DROP [0:0]
524 :FORWARD DROP [0:0]
508 :OUTPUT ACCEPT [0:0]
525 :OUTPUT ACCEPT [0:0]
509 :TCP - [0:0]
526 :TCP - [0:0]
510 :UDP - [0:0]
527 :UDP - [0:0]
511 :SSH - [0:0]
528 :SSH - [0:0]
512
529
513 # Rate limit ping requests
530 # Rate limit ping requests
514 -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
531 -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
515 -A INPUT -p icmp --icmp-type echo-request -j DROP
532 -A INPUT -p icmp --icmp-type echo-request -j DROP
516
533
517 # Accept established connections
534 # Accept established connections
518 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
535 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
519
536
520 # Accept all traffic on loopback interface
537 # Accept all traffic on loopback interface
521 -A INPUT -i lo -j ACCEPT
538 -A INPUT -i lo -j ACCEPT
522
539
523 # Drop packets declared invalid
540 # Drop packets declared invalid
524 -A INPUT -m conntrack --ctstate INVALID -j DROP
541 -A INPUT -m conntrack --ctstate INVALID -j DROP
525
542
526 # SSH rate limiting
543 # SSH rate limiting
527 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
544 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
528 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
545 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
529 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
546 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
530 -A SSH -m recent --name sshbf --set -j ACCEPT
547 -A SSH -m recent --name sshbf --set -j ACCEPT
531
548
532 # Send TCP and UDP connections to their respective rules chain
549 # Send TCP and UDP connections to their respective rules chain
533 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
550 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
534 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
551 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
535
552
536 # Reject dropped packets with a RFC compliant responce
553 # Reject dropped packets with a RFC compliant responce
537 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
554 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
538 -A INPUT -p tcp -j REJECT --reject-with tcp-rst
555 -A INPUT -p tcp -j REJECT --reject-with tcp-rst
539 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
556 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
540
557
541 ## TCP PORT RULES
558 ## TCP PORT RULES
542 # -A TCP -p tcp -j LOG
559 # -A TCP -p tcp -j LOG
543
560
544 ## UDP PORT RULES
561 ## UDP PORT RULES
545 # -A UDP -p udp -j LOG
562 # -A UDP -p udp -j LOG
546
563
547 COMMIT
564 COMMIT
548 EOM
565 EOM
549
566
550 # Reload systemd configuration and enable iptables service
567 # Reload systemd configuration and enable iptables service
551 LANG=C chroot $R systemctl daemon-reload
568 LANG=C chroot $R systemctl daemon-reload
552 LANG=C chroot $R systemctl enable iptables.service
569 LANG=C chroot $R systemctl enable iptables.service
553
570
554 if [ "$ENABLE_IPV6" = true ] ; then
571 if [ "$ENABLE_IPV6" = true ] ; then
555 # Create ip6tables systemd service
572 # Create ip6tables systemd service
556 cat <<EOM >$R/etc/systemd/system/ip6tables.service
573 cat <<EOM >$R/etc/systemd/system/ip6tables.service
557 [Unit]
574 [Unit]
558 Description=Packet Filtering Framework
575 Description=Packet Filtering Framework
559 DefaultDependencies=no
576 DefaultDependencies=no
560 After=systemd-sysctl.service
577 After=systemd-sysctl.service
561 Before=sysinit.target
578 Before=sysinit.target
562 [Service]
579 [Service]
563 Type=oneshot
580 Type=oneshot
564 ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
581 ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
565 ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
582 ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
566 ExecStop=/etc/iptables/flush-ip6tables.sh
583 ExecStop=/etc/iptables/flush-ip6tables.sh
567 RemainAfterExit=yes
584 RemainAfterExit=yes
568 [Install]
585 [Install]
569 WantedBy=multi-user.target
586 WantedBy=multi-user.target
570 EOM
587 EOM
571
588
572 # Create ip6tables file
589 # Create ip6tables file
573 cat <<EOM >$R/etc/iptables/flush-ip6tables.sh
590 cat <<EOM >$R/etc/iptables/flush-ip6tables.sh
574 #!/bin/sh
591 #!/bin/sh
575 ip6tables -F
592 ip6tables -F
576 ip6tables -X
593 ip6tables -X
577 ip6tables -Z
594 ip6tables -Z
578 for table in $(</proc/net/ip6_tables_names)
595 for table in $(</proc/net/ip6_tables_names)
579 do
596 do
580 ip6tables -t \$table -F
597 ip6tables -t \$table -F
581 ip6tables -t \$table -X
598 ip6tables -t \$table -X
582 ip6tables -t \$table -Z
599 ip6tables -t \$table -Z
583 done
600 done
584 ip6tables -P INPUT ACCEPT
601 ip6tables -P INPUT ACCEPT
585 ip6tables -P OUTPUT ACCEPT
602 ip6tables -P OUTPUT ACCEPT
586 ip6tables -P FORWARD ACCEPT
603 ip6tables -P FORWARD ACCEPT
587 EOM
604 EOM
588
605
589 # Create ip6tables rule file
606 # Create ip6tables rule file
590 cat <<EOM >$R/etc/iptables/ip6tables.rules
607 cat <<EOM >$R/etc/iptables/ip6tables.rules
591 *filter
608 *filter
592 :INPUT DROP [0:0]
609 :INPUT DROP [0:0]
593 :FORWARD DROP [0:0]
610 :FORWARD DROP [0:0]
594 :OUTPUT ACCEPT [0:0]
611 :OUTPUT ACCEPT [0:0]
595 :TCP - [0:0]
612 :TCP - [0:0]
596 :UDP - [0:0]
613 :UDP - [0:0]
597 :SSH - [0:0]
614 :SSH - [0:0]
598
615
599 # Drop packets with RH0 headers
616 # Drop packets with RH0 headers
600 -A INPUT -m rt --rt-type 0 -j DROP
617 -A INPUT -m rt --rt-type 0 -j DROP
601 -A OUTPUT -m rt --rt-type 0 -j DROP
618 -A OUTPUT -m rt --rt-type 0 -j DROP
602 -A FORWARD -m rt --rt-type 0 -j DROP
619 -A FORWARD -m rt --rt-type 0 -j DROP
603
620
604 # Rate limit ping requests
621 # Rate limit ping requests
605 -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
622 -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
606 -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
623 -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
607
624
608 # Accept established connections
625 # Accept established connections
609 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
626 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
610
627
611 # Accept all traffic on loopback interface
628 # Accept all traffic on loopback interface
612 -A INPUT -i lo -j ACCEPT
629 -A INPUT -i lo -j ACCEPT
613
630
614 # Drop packets declared invalid
631 # Drop packets declared invalid
615 -A INPUT -m conntrack --ctstate INVALID -j DROP
632 -A INPUT -m conntrack --ctstate INVALID -j DROP
616
633
617 # SSH rate limiting
634 # SSH rate limiting
618 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
635 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
619 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
636 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
620 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
637 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
621 -A SSH -m recent --name sshbf --set -j ACCEPT
638 -A SSH -m recent --name sshbf --set -j ACCEPT
622
639
623 # Send TCP and UDP connections to their respective rules chain
640 # Send TCP and UDP connections to their respective rules chain
624 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
641 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
625 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
642 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
626
643
627 # Reject dropped packets with a RFC compliant responce
644 # Reject dropped packets with a RFC compliant responce
628 -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
645 -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
629 -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
646 -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
630 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
647 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
631
648
632 ## TCP PORT RULES
649 ## TCP PORT RULES
633 # -A TCP -p tcp -j LOG
650 # -A TCP -p tcp -j LOG
634
651
635 ## UDP PORT RULES
652 ## UDP PORT RULES
636 # -A UDP -p udp -j LOG
653 # -A UDP -p udp -j LOG
637
654
638 COMMIT
655 COMMIT
639 EOM
656 EOM
640
657
641 # Reload systemd configuration and enable iptables service
658 # Reload systemd configuration and enable iptables service
642 LANG=C chroot $R systemctl daemon-reload
659 LANG=C chroot $R systemctl daemon-reload
643 LANG=C chroot $R systemctl enable ip6tables.service
660 LANG=C chroot $R systemctl enable ip6tables.service
644
661
645 fi
662 fi
646 fi
663 fi
647
664
648 if [ "$ENABLE_UBOOT" = true ] ; then
665 if [ "$ENABLE_UBOOT" = true ] ; then
649 # Fetch u-boot github
666 # Fetch u-boot github
650 git -C $R/tmp clone git://git.denx.de/u-boot.git
667 git -C $R/tmp clone git://git.denx.de/u-boot.git
651
668
652 # Install minimal gcc/g++ build environment and build u-boot inside chroot
669 # Install minimal gcc/g++ build environment and build u-boot inside chroot
653 LANG=C chroot $R apt-get install -qq -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
670 LANG=C chroot $R apt-get install -qq -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
654 LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all
671 LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all
655
672
656 # Copy compiled bootloader binary and set config.txt to load it
673 # Copy compiled bootloader binary and set config.txt to load it
657 cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
674 cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
658 printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
675 printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
659
676
660 # Set u-boot command file
677 # Set u-boot command file
661 cat <<EOM >$R/boot/firmware/uboot.mkimage
678 cat <<EOM >$R/boot/firmware/uboot.mkimage
662 # Tell Linux that it is booting on a Raspberry Pi2
679 # Tell Linux that it is booting on a Raspberry Pi2
663 setenv machid 0x00000c42
680 setenv machid 0x00000c42
664
681
665 # Set the kernel boot command line
682 # Set the kernel boot command line
666 setenv bootargs "earlyprintk ${CMDLINE}"
683 setenv bootargs "earlyprintk ${CMDLINE}"
667
684
668 # Save these changes to u-boot's environment
685 # Save these changes to u-boot's environment
669 saveenv
686 saveenv
670
687
671 # Load the existing Linux kernel into RAM
688 # Load the existing Linux kernel into RAM
672 fatload mmc 0:1 \${kernel_addr_r} kernel7.img
689 fatload mmc 0:1 \${kernel_addr_r} kernel7.img
673
690
674 # Boot the kernel we have just loaded
691 # Boot the kernel we have just loaded
675 bootz \${kernel_addr_r}
692 bootz \${kernel_addr_r}
676 EOM
693 EOM
677
694
678 # Generate u-boot image from command file
695 # Generate u-boot image from command file
679 LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
696 LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
680
697
681 # Remove gcc/c++ build enviroment
698 # Remove gcc/c++ build enviroment
682 LANG=C chroot $R apt-get purge -y bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
699 LANG=C chroot $R apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
683 fi
700 fi
684
701
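Review bot: the rewritten purge on new line 699 still lists the toolchain's dependency closure by name (cpp-4.9, gcc-4.9, libcloog-isl4, libisl10, libmpfr4, libubsan0, ...); apt aborts the whole command if one of those names cannot be located, which would leave a working compiler in the shipped image. Now that the command passes `--auto-remove`, it is enough to purge what line 670 installed explicitly (`linux-compiler-gcc-4.9-arm g++ make bc`) and let apt drop the auto-installed dependencies itself, and a check such as `[ ! -x $R/usr/bin/gcc ]` after the purge would make the "build environment removed" assumption explicit rather than relying on the list staying in sync with jessie's package names. Unrelated to this change but in the same region: the `git://` clone on line 667 and `--force-yes` on line 670 mean the bootloader source and the toolchain packages are fetched without any integrity or signature verification, which is worth a follow-up for an image that is meant to be reproducible.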
702 # Enable systemd-networkd DHCP configuration for the eth0 interface
703 printf "[Match]\nName=eth0\n\n[Network]\nDHCP=yes\n" > $R/etc/systemd/network/eth.network
704
705 # Set DHCP configuration to IPv4 only
706 if [ "$ENABLE_IPV6" = false ] ; then
707 sed -i "s/=yes/=v4/" $R/etc/systemd/network/eth.network
708 fi
709
710 # Enable systemd-networkd service
711 LANG=C chroot $R systemctl enable systemd-networkd
712
713 # Place hint about netowrk configuration
714 cat <<EOM >$R/etc/network/interfaces
715 # Debian switched to systemd-networkd configuration files.
716 # please configure your networks in '/etc/systemd/network/'
717 EOM
718
685 # Clean cached downloads
719 # Clean cached downloads
686 LANG=C chroot $R apt-get -y clean
720 LANG=C chroot $R apt-get -y clean
687 LANG=C chroot $R apt-get -y autoclean
721 LANG=C chroot $R apt-get -y autoclean
688 LANG=C chroot $R apt-get -y autoremove
722 LANG=C chroot $R apt-get -y autoremove
689
723
690 # Unmount mounted filesystems
724 # Unmount mounted filesystems
691 umount -l $R/proc
725 umount -l $R/proc
692 umount -l $R/sys
726 umount -l $R/sys
693
727
694 # Clean up files
728 # Clean up files
695 rm -f $R/etc/apt/sources.list.save
729 rm -f $R/etc/apt/sources.list.save
696 rm -f $R/etc/resolvconf/resolv.conf.d/original
730 rm -f $R/etc/resolvconf/resolv.conf.d/original
697 rm -rf $R/run
731 rm -rf $R/run
698 mkdir -p $R/run
732 mkdir -p $R/run
699 rm -f $R/etc/*-
733 rm -f $R/etc/*-
700 rm -f $R/root/.bash_history
734 rm -f $R/root/.bash_history
701 rm -rf $R/tmp/*
735 rm -rf $R/tmp/*
702 rm -f $R/var/lib/urandom/random-seed
736 rm -f $R/var/lib/urandom/random-seed
703 [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id
737 [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id
704 rm -f $R/etc/machine-id
738 rm -f $R/etc/machine-id
705 rm -fr $R/etc/apt/apt.conf.d/10proxy
739 rm -fr $R/etc/apt/apt.conf.d/10proxy
706
740
707 # Calculate size of the chroot directory
741 # Calculate size of the chroot directory
708 CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)
742 CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)
709
743
710 # Calculate required image size
744 # Calculate required image size
711 IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`
745 IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`
712
746
713 # Calculate number of sectors for the partition
747 # Calculate number of sectors for the partition
714 IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`
748 IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`
715
749
716 # Prepare date string for image file name
750 # Prepare date string for image file name
717 DATE="$(date +%Y-%m-%d)"
751 DATE="$(date +%Y-%m-%d)"
718
752
719 # Prepare image file
753 # Prepare image file
720 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1
754 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1
721 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}
755 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}
722
756
723 # Write partition table
757 # Write partition table
724 sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
758 sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
725 unit: sectors
759 unit: sectors
726
760
727 1 : start= 2048, size= 131072, Id= c, bootable
761 1 : start= 2048, size= 131072, Id= c, bootable
728 2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83
762 2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83
729 3 : start= 0, size= 0, Id= 0
763 3 : start= 0, size= 0, Id= 0
730 4 : start= 0, size= 0, Id= 0
764 4 : start= 0, size= 0, Id= 0
731 EOM
765 EOM
732
766
733 # Set up temporary loop devices and build filesystems
767 # Set up temporary loop devices and build filesystems
734 VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
768 VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
735 EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
769 EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
736 mkfs.vfat "$VFAT_LOOP"
770 mkfs.vfat "$VFAT_LOOP"
737 mkfs.ext4 "$EXT4_LOOP"
771 mkfs.ext4 "$EXT4_LOOP"
738
772
739 # Mount the temporary loop devices
773 # Mount the temporary loop devices
740 mkdir -p "$BUILDDIR/mount"
774 mkdir -p "$BUILDDIR/mount"
741 mount "$EXT4_LOOP" "$BUILDDIR/mount"
775 mount "$EXT4_LOOP" "$BUILDDIR/mount"
742
776
743 mkdir -p "$BUILDDIR/mount/boot/firmware"
777 mkdir -p "$BUILDDIR/mount/boot/firmware"
744 mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"
778 mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"
745
779
746 # Copy all files from the chroot to the loop device mount point directory
780 # Copy all files from the chroot to the loop device mount point directory
747 rsync -a "$R/" "$BUILDDIR/mount/"
781 rsync -a "$R/" "$BUILDDIR/mount/"
748
782
749 # Unmount all temporary loop devices and mount points
783 # Unmount all temporary loop devices and mount points
750 cleanup
784 cleanup
751
785
752 # (optinal) create block map file for "bmaptool"
786 # (optinal) create block map file for "bmaptool"
753 bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
787 bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
754
788
755 # Image was successfully created
789 # Image was successfully created
756 echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"
790 echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"
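Review bot: new line 703 writes the networkd unit with a hard-coded `DHCP=yes` and line 707 then patches it with `sed -i "s/=yes/=v4/"`; that substitution is unanchored and rewrites every `=yes` in the file, which happens to be safe for the two-option unit today but breaks silently as soon as another `yes` option is added. Decide the value first (`DHCP=yes` or `DHCP=v4` chosen in the shell from `$ENABLE_IPV6`) and write it once in the `printf`, so the file never holds a state that has to be corrected afterwards. Two more things to check in this region: the unit matches on `Name=eth0` while the cmdline on line 289 still sets `net.ifnames=1`, so confirm the RPi2 ethernet interface really comes up as eth0, because the sysctl hardening entries on lines 420-422 and 456-464 key on the same name and cannot be applied if it does not; and the heredoc ending on line 286 still emits `iface eth0 inet dhcp`, which the hint written on lines 714-717 now overwrites, so that earlier block is dead and should be dropped to keep a single source of network configuration. Finally, `/etc/systemd/network/` is written to on line 703 without the `mkdir -p` the script uses for `modules-load.d` and `modprobe.d` on lines 360 and 370; adding one keeps the step independent of what the systemd package happens to create in the chroot.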