@@ -1,93 +1,97 | |||||
1 | # rpi2-gen-image |
|
1 | # rpi2-gen-image | |
2 | ## Introduction |
|
2 | ## Introduction | |
3 | `rpi2-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for the Raspberry 2 (RPi2) computer. The script at this time only supports the bootstrapping of the current stable Debian 8 "jessie" release. |
|
3 | `rpi2-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for the Raspberry 2 (RPi2) computer. The script at this time only supports the bootstrapping of the current stable Debian 8 "jessie" release. | |
4 |
|
4 | |||
5 | ## Build dependencies |
|
5 | ## Build dependencies | |
6 | The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user. |
|
6 | The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user. | |
7 |
|
7 | |||
8 | ```debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core``` |
|
8 | ```debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core``` | |
9 |
|
9 | |||
10 | ## Command-line parameters |
|
10 | ## Command-line parameters | |
11 | The script accepts certain command-line parameters to enable or disable specific OS features, services and configuration settings. These parameters are passed to the `rpi2-gen-image.sh` script via (simple) shell-variables. Unlike enviroment shell-variables (simple) shell-variables are defined at the beginning of the command-line call of the `rpi2-gen-image.sh` script. |
|
11 | The script accepts certain command-line parameters to enable or disable specific OS features, services and configuration settings. These parameters are passed to the `rpi2-gen-image.sh` script via (simple) shell-variables. Unlike enviroment shell-variables (simple) shell-variables are defined at the beginning of the command-line call of the `rpi2-gen-image.sh` script. | |
12 |
|
12 | |||
13 | #####Command-line examples: |
|
13 | #####Command-line examples: | |
14 | ```shell |
|
14 | ```shell | |
15 | ENABLE_UBOOT=true ./rpi2-gen-image.sh |
|
15 | ENABLE_UBOOT=true ./rpi2-gen-image.sh | |
16 | ENABLE_CONSOLE=false ENABLE_IPV6=false ./rpi2-gen-image.sh |
|
16 | ENABLE_CONSOLE=false ENABLE_IPV6=false ./rpi2-gen-image.sh | |
17 | ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi2-gen-image.sh |
|
17 | ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi2-gen-image.sh | |
18 | APT_SERVER=ftp.de.debian.org APT_PROXY="http://127.0.0.1:3142/" ./rpi2-gen-image.sh |
|
18 | APT_SERVER=ftp.de.debian.org APT_PROXY="http://127.0.0.1:3142/" ./rpi2-gen-image.sh | |
|
19 | ENABLE_MINBASE=true ./rpi2-gen-image.sh | |||
19 | ``` |
|
20 | ``` | |
20 |
|
21 | |||
21 | #### APT settings: |
|
22 | #### APT settings: | |
22 | ##### `APT_SERVER`="ftp.debian.org" |
|
23 | ##### `APT_SERVER`="ftp.debian.org" | |
23 | Set Debian packages server address. Choose a server from the list of Debian wordwide [mirror sites](https://www.debian.org/mirror/list). Using a nearby server will probably speed-up all required downloads within the bootstrapping process. |
|
24 | Set Debian packages server address. Choose a server from the list of Debian wordwide [mirror sites](https://www.debian.org/mirror/list). Using a nearby server will probably speed-up all required downloads within the bootstrapping process. | |
24 |
|
25 | |||
25 | ##### `APT_PROXY`="" |
|
26 | ##### `APT_PROXY`="" | |
26 | Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once. |
|
27 | Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once. | |
27 |
|
28 | |||
28 | #### General system settings: |
|
29 | #### General system settings: | |
29 | ##### `HOSTNAME`="rpi2-jessie" |
|
30 | ##### `HOSTNAME`="rpi2-jessie" | |
30 |
Set system host name. It |
|
31 | Set system host name. It's recommended that the host name is unique in the corresponding subnet. | |
31 |
|
32 | |||
32 |
|
|
33 | ##### `PASSWORD`="raspberry" | |
33 |
Set system root password. |
|
34 | Set system `root` password. The same password is used for the created user `pi`. It's **STRONGLY** recommended that you choose a custom password. | |
34 |
|
35 | |||
35 | ##### `DEFLOCAL`="en_US.UTF-8" |
|
36 | ##### `DEFLOCAL`="en_US.UTF-8" | |
36 | Set default system locale and keyboard layout. This setting can also be changed inside the running OS using the `dpkg-reconfigure locales` command. |
|
37 | Set default system locale and keyboard layout. This setting can also be changed inside the running OS using the `dpkg-reconfigure locales` command. The script variant `minbase` (ENABLE_MINBASE=true) doesn't install `locales`. | |
37 |
|
38 | |||
38 |
|
|
39 | ##### `TIMEZONE`="Europe/Berlin" | |
39 | Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command. |
|
40 | Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command. | |
40 |
|
41 | |||
41 |
|
|
42 | #### Basic system features: | |
42 |
|
|
43 | ##### `ENABLE_CONSOLE`=true | |
43 | Enable console output |
|
44 | Enable serial console interface. Recommended if no monitor or keyboard is connected to the RPi2. In case of problems fe. if the network (auto) configuration failed - the serial console can be used to access the system. | |
44 |
|
45 | |||
45 |
|
|
46 | ##### `ENABLE_IPV6`=true | |
46 | Enable IPv6 support |
|
47 | Enable IPv6 support. The network interface configuration is managed via systemd-networkd. | |
47 |
|
48 | |||
48 |
|
|
49 | ##### `ENABLE_SSHD`=true | |
49 | Install and enable OpenSSH service |
|
50 | Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root. | |
50 |
|
51 | |||
51 | ##### `ENABLE_SOUND`=true |
|
52 | ##### `ENABLE_SOUND`=true | |
52 | Enable sound hardware and install Advanced Linux Sound Architecture |
|
53 | Enable sound hardware and install Advanced Linux Sound Architecture. | |
53 |
|
54 | |||
54 | ##### `ENABLE_HWRANDOM`=true |
|
55 | ##### `ENABLE_HWRANDOM`=true | |
55 | Enable Hardware Random Number Generator |
|
56 | Enable Hardware Random Number Generator. Strong random numbers are important for most network based communications that use encryption. It's recommended to be enabled. | |
56 |
|
57 | |||
57 |
|
|
58 | ##### `ENABLE_MINGPU`=false | |
58 |
Minimize the |
|
59 | Minimize the amount of shared memory reserverd for the GPU. It doesn't seem to be possible to fully disable the GPU. | |
59 |
|
60 | |||
60 | ##### `ENABLE_DBUS`=true |
|
61 | ##### `ENABLE_DBUS`=true | |
61 | Install and enable D-Bus message bus |
|
62 | Install and enable D-Bus message bus. Please note that systemd should work without D-bus but it's recommended to be enabled. | |
62 |
|
63 | |||
63 |
|
|
64 | ##### `ENABLE_XORG`=false | |
64 | Install Xorg open-source X Window System |
|
65 | Install Xorg open-source X Window System. | |
65 |
|
66 | |||
66 |
|
|
67 | ##### `ENABLE_FLUXBOX`=false | |
67 | Install Fluxbox window manager for the X Window System |
|
68 | Install Fluxbox window manager for the X Window System. | |
68 |
|
69 | |||
69 |
|
|
70 | #### Advanced sytem features: | |
|
71 | ##### `ENABLE_MINBASE`=false | |||
|
72 | Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB. | |||
|
73 | ||||
70 |
|
|
74 | ##### `ENABLE_UBOOT`=false | |
71 | Replace default RPi bootloader with U-Boot bootloader |
|
75 | Replace default RPi bootloader with U-Boot bootloader. U-Boot can boot images via the network using the BOOTP/TFTP protocol. | |
72 |
|
76 | |||
73 |
|
|
77 | ##### `ENABLE_IPTABLES`=false | |
74 | Enable iptables IPv4/IPv6 firewall |
|
78 | Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service. | |
75 |
|
79 | |||
76 |
|
|
80 | ##### `ENABLE_HARDNET`=false | |
77 | Enable IPv4/IPv6 network stack hardening settings |
|
81 | Enable IPv4/IPv6 network stack hardening settings. | |
78 |
|
82 | |||
79 |
|
|
83 | ## Logging of the bootstrapping process | |
80 | All information related to the bootstrapping process and the commands executed by the `rpi2-gen-image.sh` script can easily be saved into a logfile. The common shell command `script` can be used for this purpose: |
|
84 | All information related to the bootstrapping process and the commands executed by the `rpi2-gen-image.sh` script can easily be saved into a logfile. The common shell command `script` can be used for this purpose: | |
81 |
|
85 | |||
82 | ```shell |
|
86 | ```shell | |
83 |
script |
|
87 | script -c 'APT_SERVER=ftp.de.debian.org ./rpi2-gen-image.sh' ./build.log | |
84 | ``` |
|
88 | ``` | |
85 |
|
89 | |||
86 | ## Flashing the image file |
|
90 | ## Flashing the image file | |
87 | After the image file was succesfully created by the `rpi2-gen-image.sh` script it can be copied to the microSD card that will be used by the RPi2 computer. This can be performed by using the tools `bmaptool` or `dd`. Using `bmaptool` will probably speed-up the copy process because `bmaptool` copies more wisely than `dd`. |
|
91 | After the image file was succesfully created by the `rpi2-gen-image.sh` script it can be copied to the microSD card that will be used by the RPi2 computer. This can be performed by using the tools `bmaptool` or `dd`. Using `bmaptool` will probably speed-up the copy process because `bmaptool` copies more wisely than `dd`. | |
88 |
|
92 | |||
89 | #####Flashing examples: |
|
93 | #####Flashing examples: | |
90 | ```shell |
|
94 | ```shell | |
91 | bmaptool copy ./images/jessie/2015-12-13-debian-jessie.img /dev/mmcblk0 |
|
95 | bmaptool copy ./images/jessie/2015-12-13-debian-jessie.img /dev/mmcblk0 | |
92 | dd bs=4M if=./images/jessie/2015-12-13-debian-jessie.img of=/dev/mmcblk0 |
|
96 | dd bs=4M if=./images/jessie/2015-12-13-debian-jessie.img of=/dev/mmcblk0 | |
93 | ``` |
|
97 | ``` |
@@ -1,756 +1,790 | |||||
1 | #!/bin/sh |
|
1 | #!/bin/sh | |
2 |
|
2 | |||
3 | ######################################################################## |
|
3 | ######################################################################## | |
4 | # rpi2-gen-image.sh ver2a 12/2015 |
|
4 | # rpi2-gen-image.sh ver2a 12/2015 | |
5 | # |
|
5 | # | |
6 | # Advanced debian "jessie" bootstrap script for RPi2 |
|
6 | # Advanced debian "jessie" bootstrap script for RPi2 | |
7 | # |
|
7 | # | |
8 | # This program is free software; you can redistribute it and/or |
|
8 | # This program is free software; you can redistribute it and/or | |
9 | # modify it under the terms of the GNU General Public License |
|
9 | # modify it under the terms of the GNU General Public License | |
10 | # as published by the Free Software Foundation; either version 2 |
|
10 | # as published by the Free Software Foundation; either version 2 | |
11 | # of the License, or (at your option) any later version. |
|
11 | # of the License, or (at your option) any later version. | |
12 | # |
|
12 | # | |
13 | # some parts based on rpi2-build-image: |
|
13 | # some parts based on rpi2-build-image: | |
14 | # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org> |
|
14 | # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org> | |
15 | # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org> |
|
15 | # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org> | |
16 | ######################################################################## |
|
16 | ######################################################################## | |
17 |
|
17 | |||
18 | cleanup (){ |
|
18 | cleanup (){ | |
19 | set +x |
|
19 | set +x | |
20 | set +e |
|
20 | set +e | |
21 | echo "removing temporary mount points ..." |
|
21 | echo "removing temporary mount points ..." | |
22 | umount -l $R/proc 2> /dev/null |
|
22 | umount -l $R/proc 2> /dev/null | |
23 | umount -l $R/sys 2> /dev/null |
|
23 | umount -l $R/sys 2> /dev/null | |
24 | umount -l $R/dev/pts 2> /dev/null |
|
24 | umount -l $R/dev/pts 2> /dev/null | |
25 | umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null |
|
25 | umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null | |
26 | umount "$BUILDDIR/mount" 2> /dev/null |
|
26 | umount "$BUILDDIR/mount" 2> /dev/null | |
27 | losetup -d "$EXT4_LOOP" 2> /dev/null |
|
27 | losetup -d "$EXT4_LOOP" 2> /dev/null | |
28 | losetup -d "$VFAT_LOOP" 2> /dev/null |
|
28 | losetup -d "$VFAT_LOOP" 2> /dev/null | |
29 | trap - 0 1 2 3 6 |
|
29 | trap - 0 1 2 3 6 | |
30 | } |
|
30 | } | |
31 |
|
31 | |||
32 | set -e |
|
32 | set -e | |
33 | set -x |
|
33 | set -x | |
34 |
|
34 | |||
35 | RELEASE=${RELEASE:=jessie} |
|
35 | RELEASE=${RELEASE:=jessie} | |
36 |
|
36 | |||
37 | # Build settings |
|
37 | # Build settings | |
38 | BASEDIR=./images/${RELEASE} |
|
38 | BASEDIR=./images/${RELEASE} | |
39 | BUILDDIR=${BASEDIR}/build |
|
39 | BUILDDIR=${BASEDIR}/build | |
40 |
|
40 | |||
41 | # General settings |
|
41 | # General settings | |
42 | HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}} |
|
42 | HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}} | |
43 | PASSWORD=${PASSWORD:=raspberry} |
|
43 | PASSWORD=${PASSWORD:=raspberry} | |
44 | DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"} |
|
44 | DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"} | |
45 | TIMEZONE=${TIMEZONE:="Europe/Berlin"} |
|
45 | TIMEZONE=${TIMEZONE:="Europe/Berlin"} | |
46 |
|
46 | |||
47 | # APT settings |
|
47 | # APT settings | |
48 | APT_PROXY=${APT_PROXY:=""} |
|
48 | APT_PROXY=${APT_PROXY:=""} | |
49 | APT_SERVER=${APT_SERVER:="ftp.debian.org"} |
|
49 | APT_SERVER=${APT_SERVER:="ftp.debian.org"} | |
50 |
|
50 | |||
51 | # Feature settings |
|
51 | # Feature settings | |
52 | ENABLE_CONSOLE=${ENABLE_CONSOLE:=true} |
|
52 | ENABLE_CONSOLE=${ENABLE_CONSOLE:=true} | |
53 | ENABLE_IPV6=${ENABLE_IPV6:=true} |
|
53 | ENABLE_IPV6=${ENABLE_IPV6:=true} | |
54 | ENABLE_SSHD=${ENABLE_SSHD:=true} |
|
54 | ENABLE_SSHD=${ENABLE_SSHD:=true} | |
55 | ENABLE_SOUND=${ENABLE_SOUND:=true} |
|
55 | ENABLE_SOUND=${ENABLE_SOUND:=true} | |
56 | ENABLE_DBUS=${ENABLE_DBUS:=true} |
|
56 | ENABLE_DBUS=${ENABLE_DBUS:=true} | |
57 | ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true} |
|
57 | ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true} | |
58 | ENABLE_MINGPU=${ENABLE_MINGPU:=false} |
|
58 | ENABLE_MINGPU=${ENABLE_MINGPU:=false} | |
59 | ENABLE_XORG=${ENABLE_XORG:=false} |
|
59 | ENABLE_XORG=${ENABLE_XORG:=false} | |
60 | ENABLE_FLUXBOX=${ENABLE_FLUXBOX:=false} |
|
60 | ENABLE_FLUXBOX=${ENABLE_FLUXBOX:=false} | |
61 |
|
61 | |||
62 | # Advanced settings |
|
62 | # Advanced settings | |
|
63 | ENABLE_MINBASE=${ENABLE_MINBASE:=false} | |||
63 | ENABLE_UBOOT=${ENABLE_UBOOT:=false} |
|
64 | ENABLE_UBOOT=${ENABLE_UBOOT:=false} | |
64 | ENABLE_HARDNET=${ENABLE_HARDNET:=false} |
|
65 | ENABLE_HARDNET=${ENABLE_HARDNET:=false} | |
65 | ENABLE_IPTABLES=${ENABLE_IPTABLES:=false} |
|
66 | ENABLE_IPTABLES=${ENABLE_IPTABLES:=false} | |
66 |
|
67 | |||
67 | # Image chroot path |
|
68 | # Image chroot path | |
68 | R=${BUILDDIR}/chroot |
|
69 | R=${BUILDDIR}/chroot | |
69 |
|
70 | |||
70 | # Packages required for bootstrapping |
|
71 | # Packages required for bootstrapping | |
71 | REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core" |
|
72 | REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core" | |
72 |
|
73 | |||
73 | # Missing packages that need to be installed |
|
74 | # Missing packages that need to be installed | |
74 | MISSING_PACKAGES="" |
|
75 | MISSING_PACKAGES="" | |
75 |
|
76 | |||
76 | # Packages required in the chroot build enviroment |
|
77 | # Packages required in the chroot build enviroment | |
77 |
APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog, |
|
78 | APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo" | |
78 |
|
79 | |||
79 | set +x |
|
80 | set +x | |
80 |
|
81 | |||
81 | # Are we running as root? |
|
82 | # Are we running as root? | |
82 | if [ "$(id -u)" -ne "0" ] ; then |
|
83 | if [ "$(id -u)" -ne "0" ] ; then | |
83 | echo "this script must be executed with root privileges" |
|
84 | echo "this script must be executed with root privileges" | |
84 | exit 1 |
|
85 | exit 1 | |
85 | fi |
|
86 | fi | |
86 |
|
87 | |||
87 | # Check if all required packages are installed |
|
88 | # Check if all required packages are installed | |
88 | for package in $REQUIRED_PACKAGES ; do |
|
89 | for package in $REQUIRED_PACKAGES ; do | |
89 | if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then |
|
90 | if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then | |
90 | MISSING_PACKAGES="$MISSING_PACKAGES $package" |
|
91 | MISSING_PACKAGES="$MISSING_PACKAGES $package" | |
91 | fi |
|
92 | fi | |
92 | done |
|
93 | done | |
93 |
|
94 | |||
94 | # Ask if missing packages should get installed right now |
|
95 | # Ask if missing packages should get installed right now | |
95 | if [ -n "$MISSING_PACKAGES" ] ; then |
|
96 | if [ -n "$MISSING_PACKAGES" ] ; then | |
96 | echo "the following packages needed by this script are not installed:" |
|
97 | echo "the following packages needed by this script are not installed:" | |
97 | echo "$MISSING_PACKAGES" |
|
98 | echo "$MISSING_PACKAGES" | |
98 |
|
99 | |||
99 | echo -n "\ndo you want to install the missing packages right now? [y/n] " |
|
100 | echo -n "\ndo you want to install the missing packages right now? [y/n] " | |
100 | read confirm |
|
101 | read confirm | |
101 | if [ "$confirm" != "y" ] ; then |
|
102 | if [ "$confirm" != "y" ] ; then | |
102 | exit 1 |
|
103 | exit 1 | |
103 | fi |
|
104 | fi | |
104 | fi |
|
105 | fi | |
105 |
|
106 | |||
106 | # Make sure all required packages are installed |
|
107 | # Make sure all required packages are installed | |
107 | apt-get -qq -y install ${REQUIRED_PACKAGES} |
|
108 | apt-get -qq -y install ${REQUIRED_PACKAGES} | |
108 |
|
109 | |||
109 | # Don't clobber an old build |
|
110 | # Don't clobber an old build | |
110 | if [ -e "$BUILDDIR" ]; then |
|
111 | if [ -e "$BUILDDIR" ]; then | |
111 | echo "directory $BUILDDIR already exists, not proceeding" |
|
112 | echo "directory $BUILDDIR already exists, not proceeding" | |
112 | exit 1 |
|
113 | exit 1 | |
113 | fi |
|
114 | fi | |
114 |
|
115 | |||
115 | set -x |
|
116 | set -x | |
116 |
|
117 | |||
117 | # Call "cleanup" function on various signals and errors |
|
118 | # Call "cleanup" function on various signals and errors | |
118 | trap cleanup 0 1 2 3 6 |
|
119 | trap cleanup 0 1 2 3 6 | |
119 |
|
120 | |||
120 | # Set up chroot directory |
|
121 | # Set up chroot directory | |
121 | mkdir -p $R |
|
122 | mkdir -p $R | |
122 |
|
123 | |||
|
124 | # Add required packages for the minbase installation | |||
|
125 | if [ "$ENABLE_MINBASE" = true ] ; then | |||
|
126 | APT_INCLUDES="${APT_INCLUDES},vim-tiny,net-tools" | |||
|
127 | else | |||
|
128 | APT_INCLUDES="${APT_INCLUDES},locales" | |||
|
129 | fi | |||
|
130 | ||||
123 | # Add dbus package, recommended if using systemd |
|
131 | # Add dbus package, recommended if using systemd | |
124 | if [ "$ENABLE_DBUS" = true ] ; then |
|
132 | if [ "$ENABLE_DBUS" = true ] ; then | |
125 | APT_INCLUDES="${APT_INCLUDES},dbus" |
|
133 | APT_INCLUDES="${APT_INCLUDES},dbus" | |
126 | fi |
|
134 | fi | |
127 |
|
135 | |||
128 | # Add openssh server package |
|
136 | # Add openssh server package | |
129 | if [ "$ENABLE_SSHD" = true ] ; then |
|
137 | if [ "$ENABLE_SSHD" = true ] ; then | |
130 | APT_INCLUDES="${APT_INCLUDES},openssh-server" |
|
138 | APT_INCLUDES="${APT_INCLUDES},openssh-server" | |
131 | fi |
|
139 | fi | |
132 |
|
140 | |||
133 | # Add rng-tools package |
|
141 | # Add rng-tools package | |
134 | if [ "$ENABLE_HWRANDOM" = true ] ; then |
|
142 | if [ "$ENABLE_HWRANDOM" = true ] ; then | |
135 | APT_INCLUDES="${APT_INCLUDES},rng-tools" |
|
143 | APT_INCLUDES="${APT_INCLUDES},rng-tools" | |
136 | fi |
|
144 | fi | |
137 |
|
145 | |||
138 | # Add xorg package |
|
146 | # Add xorg package | |
139 | if [ "$ENABLE_XORG" = true ] ; then |
|
147 | if [ "$ENABLE_XORG" = true ] ; then | |
140 | APT_INCLUDES="${APT_INCLUDES},xorg" |
|
148 | APT_INCLUDES="${APT_INCLUDES},xorg" | |
141 | fi |
|
149 | fi | |
142 |
|
150 | |||
143 | # Add fluxbox package with eterm |
|
151 | # Add fluxbox package with eterm | |
144 | if [ "$ENABLE_FLUXBOX" = true ] ; then |
|
152 | if [ "$ENABLE_FLUXBOX" = true ] ; then | |
145 | APT_INCLUDES="${APT_INCLUDES},fluxbox,eterm" |
|
153 | APT_INCLUDES="${APT_INCLUDES},fluxbox,eterm" | |
146 | fi |
|
154 | fi | |
147 |
|
155 | |||
|
156 | # Set empty proxy string | |||
148 | if [ -z "$APT_PROXY" ] ; then |
|
157 | if [ -z "$APT_PROXY" ] ; then | |
149 | APT_PROXY="http://" |
|
158 | APT_PROXY="http://" | |
150 | fi |
|
159 | fi | |
151 |
|
160 | |||
152 | # Base debootstrap (unpack only) |
|
161 | # Base debootstrap (unpack only) | |
|
162 | if [ "$ENABLE_MINBASE" = true ] ; then | |||
|
163 | debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian | |||
|
164 | else | |||
153 | debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian |
|
165 | debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian | |
|
166 | fi | |||
|
167 | ||||
|
168 | # Copy qemu emulator binary to chroot | |||
154 | cp /usr/bin/qemu-arm-static $R/usr/bin |
|
169 | cp /usr/bin/qemu-arm-static $R/usr/bin | |
155 |
|
170 | |||
156 | # Copy debian-archive-keyring.pgp |
|
171 | # Copy debian-archive-keyring.pgp | |
157 | chroot $R mkdir -p /usr/share/keyrings |
|
172 | chroot $R mkdir -p /usr/share/keyrings | |
158 | cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg |
|
173 | cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg | |
159 |
|
174 | |||
160 | # Complete the bootstrapping proccess |
|
175 | # Complete the bootstrapping proccess | |
161 | chroot $R /debootstrap/debootstrap --second-stage |
|
176 | chroot $R /debootstrap/debootstrap --second-stage | |
162 |
|
177 | |||
163 | # Mount required filesystems |
|
178 | # Mount required filesystems | |
164 | mount -t proc none $R/proc |
|
179 | mount -t proc none $R/proc | |
165 | mount -t sysfs none $R/sys |
|
180 | mount -t sysfs none $R/sys | |
166 | mount --bind /dev/pts $R/dev/pts |
|
181 | mount --bind /dev/pts $R/dev/pts | |
167 |
|
182 | |||
168 | # Use proxy inside chroot |
|
183 | # Use proxy inside chroot | |
169 | if [ -z "$APT_PROXY" ] ; then |
|
184 | if [ -z "$APT_PROXY" ] ; then | |
170 | echo "Acquire::http::Proxy \"$APT_PROXY\"" >> $R/etc/apt/apt.conf.d/10proxy |
|
185 | echo "Acquire::http::Proxy \"$APT_PROXY\"" >> $R/etc/apt/apt.conf.d/10proxy | |
171 | fi |
|
186 | fi | |
172 |
|
187 | |||
173 | # Pin package flash-kernel to repositories.collabora.co.uk |
|
188 | # Pin package flash-kernel to repositories.collabora.co.uk | |
174 | cat <<EOM >$R/etc/apt/preferences.d/flash-kernel |
|
189 | cat <<EOM >$R/etc/apt/preferences.d/flash-kernel | |
175 | Package: flash-kernel |
|
190 | Package: flash-kernel | |
176 | Pin: origin repositories.collabora.co.uk |
|
191 | Pin: origin repositories.collabora.co.uk | |
177 | Pin-Priority: 1000 |
|
192 | Pin-Priority: 1000 | |
178 | EOM |
|
193 | EOM | |
179 |
|
194 | |||
180 | # Set up timezone |
|
195 | # Set up timezone | |
181 | echo ${TIMEZONE} >$R/etc/timezone |
|
196 | echo ${TIMEZONE} >$R/etc/timezone | |
182 | LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata |
|
197 | LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata | |
183 |
|
198 | |||
184 | # Set up default locales to "en_US.UTF-8" default |
|
199 | # Set up default locales to "en_US.UTF-8" default | |
|
200 | if [ "$ENABLE_MINBASE" = false ] ; then | |||
185 | LANG=C chroot $R sed -i '/${DEFLOCAL}/s/^#//' /etc/locale.gen |
|
201 | LANG=C chroot $R sed -i '/${DEFLOCAL}/s/^#//' /etc/locale.gen | |
186 | LANG=C chroot $R locale-gen ${DEFLOCAL} |
|
202 | LANG=C chroot $R locale-gen ${DEFLOCAL} | |
|
203 | fi | |||
187 |
|
204 | |||
188 | # Upgrade collabora package index and install collabora keyring |
|
205 | # Upgrade collabora package index and install collabora keyring | |
189 | echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list |
|
206 | echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list | |
190 | LANG=C chroot $R apt-get -qq -y update |
|
207 | LANG=C chroot $R apt-get -qq -y update | |
191 | LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring |
|
208 | LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring | |
192 |
|
209 | |||
193 | # Set up initial sources.list |
|
210 | # Set up initial sources.list | |
194 | cat <<EOM >$R/etc/apt/sources.list |
|
211 | cat <<EOM >$R/etc/apt/sources.list | |
195 | deb http://${APT_SERVER}/debian ${RELEASE} main contrib |
|
212 | deb http://${APT_SERVER}/debian ${RELEASE} main contrib | |
196 | #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib |
|
213 | #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib | |
197 |
|
214 | |||
198 | deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib |
|
215 | deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib | |
199 | #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib |
|
216 | #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib | |
200 |
|
217 | |||
201 | deb http://security.debian.org/ ${RELEASE}/updates main contrib |
|
218 | deb http://security.debian.org/ ${RELEASE}/updates main contrib | |
202 | #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib |
|
219 | #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib | |
203 |
|
220 | |||
204 | deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2 |
|
221 | deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2 | |
205 | EOM |
|
222 | EOM | |
206 |
|
223 | |||
207 | # Upgrade package index and update all installed packages and changed dependencies |
|
224 | # Upgrade package index and update all installed packages and changed dependencies | |
208 | LANG=C chroot $R apt-get -qq -y update |
|
225 | LANG=C chroot $R apt-get -qq -y update | |
209 | LANG=C chroot $R apt-get -qq -y -u dist-upgrade |
|
226 | LANG=C chroot $R apt-get -qq -y -u dist-upgrade | |
210 |
|
227 | |||
211 | # Kernel installation |
|
228 | # Kernel installation | |
212 | # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot |
|
229 | # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot | |
213 | LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2 |
|
230 | LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2 | |
214 | LANG=C chroot $R apt-get -qq -y install flash-kernel |
|
231 | LANG=C chroot $R apt-get -qq -y install flash-kernel | |
215 |
|
232 | |||
216 | VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)" |
|
233 | VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)" | |
217 | [ -z "$VMLINUZ" ] && exit 1 |
|
234 | [ -z "$VMLINUZ" ] && exit 1 | |
218 | mkdir -p $R/boot/firmware |
|
235 | mkdir -p $R/boot/firmware | |
219 |
|
236 | |||
220 | # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10") |
|
237 | # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10") | |
221 | wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin |
|
238 | wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin | |
222 | wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat |
|
239 | wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat | |
223 | wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat |
|
240 | wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat | |
224 | wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat |
|
241 | wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat | |
225 | wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf |
|
242 | wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf | |
226 | wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf |
|
243 | wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf | |
227 | wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf |
|
244 | wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf | |
228 | cp $VMLINUZ $R/boot/firmware/kernel7.img |
|
245 | cp $VMLINUZ $R/boot/firmware/kernel7.img | |
229 |
|
246 | |||
230 | # Set up hosts |
|
247 | # Set up hosts | |
231 | echo ${HOSTNAME} >$R/etc/hostname |
|
248 | echo ${HOSTNAME} >$R/etc/hostname | |
232 | cat <<EOM >$R/etc/hosts |
|
249 | cat <<EOM >$R/etc/hosts | |
233 | 127.0.0.1 localhost |
|
250 | 127.0.0.1 localhost | |
234 | 127.0.1.1 ${HOSTNAME} |
|
251 | 127.0.1.1 ${HOSTNAME} | |
235 | EOM |
|
252 | EOM | |
236 |
|
253 | |||
237 | if [ "$ENABLE_IPV6" = true ] ; then |
|
254 | if [ "$ENABLE_IPV6" = true ] ; then | |
238 | cat <<EOM >>$R/etc/hosts |
|
255 | cat <<EOM >>$R/etc/hosts | |
239 |
|
256 | |||
240 | ::1 localhost ip6-localhost ip6-loopback |
|
257 | ::1 localhost ip6-localhost ip6-loopback | |
241 | ff02::1 ip6-allnodes |
|
258 | ff02::1 ip6-allnodes | |
242 | ff02::2 ip6-allrouters |
|
259 | ff02::2 ip6-allrouters | |
243 | EOM |
|
260 | EOM | |
244 | fi |
|
261 | fi | |
245 |
|
262 | |||
246 | # Generate crypt(3) password string |
|
263 | # Generate crypt(3) password string | |
247 | ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}` |
|
264 | ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}` | |
248 |
|
265 | |||
249 | # Set up default user |
|
266 | # Set up default user | |
250 | LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi |
|
267 | LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi | |
251 | LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi |
|
268 | LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi | |
252 |
|
269 | |||
253 | # Set up root password |
|
270 | # Set up root password | |
254 | LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root |
|
271 | LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root | |
255 |
|
272 | |||
256 | # Set up interfaces |
|
273 | # Set up interfaces | |
257 | cat <<EOM >$R/etc/network/interfaces |
|
274 | cat <<EOM >$R/etc/network/interfaces | |
258 | # interfaces(5) file used by ifup(8) and ifdown(8) |
|
275 | # interfaces(5) file used by ifup(8) and ifdown(8) | |
259 | # Include files from /etc/network/interfaces.d: |
|
276 | # Include files from /etc/network/interfaces.d: | |
260 | source-directory /etc/network/interfaces.d |
|
277 | source-directory /etc/network/interfaces.d | |
261 |
|
278 | |||
262 | # The loopback network interface |
|
279 | # The loopback network interface | |
263 | auto lo |
|
280 | auto lo | |
264 | iface lo inet loopback |
|
281 | iface lo inet loopback | |
265 |
|
282 | |||
266 | # The primary network interface |
|
283 | # The primary network interface | |
267 | allow-hotplug eth0 |
|
284 | allow-hotplug eth0 | |
268 | iface eth0 inet dhcp |
|
285 | iface eth0 inet dhcp | |
269 | EOM |
|
286 | EOM | |
270 |
|
287 | |||
271 | # Set up firmware boot cmdline |
|
288 | # Set up firmware boot cmdline | |
272 | CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1" |
|
289 | CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1" | |
273 |
|
290 | |||
274 | # Set up serial console support (if requested) |
|
291 | # Set up serial console support (if requested) | |
275 | if [ "$ENABLE_CONSOLE" = true ] ; then |
|
292 | if [ "$ENABLE_CONSOLE" = true ] ; then | |
276 | CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200" |
|
293 | CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200" | |
277 | fi |
|
294 | fi | |
278 |
|
295 | |||
279 | # Set up ipv6 support (if requested) |
|
296 | # Set up ipv6 support (if requested) | |
280 | if [ "$ENABLE_IPV6" = false ] ; then |
|
297 | if [ "$ENABLE_IPV6" = false ] ; then | |
281 | CMDLINE="${CMDLINE} ipv6.disable=1" |
|
298 | CMDLINE="${CMDLINE} ipv6.disable=1" | |
282 | fi |
|
299 | fi | |
283 |
|
300 | |||
284 | echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt |
|
301 | echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt | |
285 |
|
302 | |||
286 | # Set up firmware config |
|
303 | # Set up firmware config | |
287 | cat <<EOM >$R/boot/firmware/config.txt |
|
304 | cat <<EOM >$R/boot/firmware/config.txt | |
288 | # For more options and information see |
|
305 | # For more options and information see | |
289 | # http://www.raspberrypi.org/documentation/configuration/config-txt.md |
|
306 | # http://www.raspberrypi.org/documentation/configuration/config-txt.md | |
290 | # Some settings may impact device functionality. See link above for details |
|
307 | # Some settings may impact device functionality. See link above for details | |
291 |
|
308 | |||
292 | # uncomment if you get no picture on HDMI for a default "safe" mode |
|
309 | # uncomment if you get no picture on HDMI for a default "safe" mode | |
293 | #hdmi_safe=1 |
|
310 | #hdmi_safe=1 | |
294 |
|
311 | |||
295 | # uncomment this if your display has a black border of unused pixels visible |
|
312 | # uncomment this if your display has a black border of unused pixels visible | |
296 | # and your display can output without overscan |
|
313 | # and your display can output without overscan | |
297 | #disable_overscan=1 |
|
314 | #disable_overscan=1 | |
298 |
|
315 | |||
299 | # uncomment the following to adjust overscan. Use positive numbers if console |
|
316 | # uncomment the following to adjust overscan. Use positive numbers if console | |
300 | # goes off screen, and negative if there is too much border |
|
317 | # goes off screen, and negative if there is too much border | |
301 | #overscan_left=16 |
|
318 | #overscan_left=16 | |
302 | #overscan_right=16 |
|
319 | #overscan_right=16 | |
303 | #overscan_top=16 |
|
320 | #overscan_top=16 | |
304 | #overscan_bottom=16 |
|
321 | #overscan_bottom=16 | |
305 |
|
322 | |||
306 | # uncomment to force a console size. By default it will be display's size minus |
|
323 | # uncomment to force a console size. By default it will be display's size minus | |
307 | # overscan. |
|
324 | # overscan. | |
308 | #framebuffer_width=1280 |
|
325 | #framebuffer_width=1280 | |
309 | #framebuffer_height=720 |
|
326 | #framebuffer_height=720 | |
310 |
|
327 | |||
311 | # uncomment if hdmi display is not detected and composite is being output |
|
328 | # uncomment if hdmi display is not detected and composite is being output | |
312 | #hdmi_force_hotplug=1 |
|
329 | #hdmi_force_hotplug=1 | |
313 |
|
330 | |||
314 | # uncomment to force a specific HDMI mode (this will force VGA) |
|
331 | # uncomment to force a specific HDMI mode (this will force VGA) | |
315 | #hdmi_group=1 |
|
332 | #hdmi_group=1 | |
316 | #hdmi_mode=1 |
|
333 | #hdmi_mode=1 | |
317 |
|
334 | |||
318 | # uncomment to force a HDMI mode rather than DVI. This can make audio work in |
|
335 | # uncomment to force a HDMI mode rather than DVI. This can make audio work in | |
319 | # DMT (computer monitor) modes |
|
336 | # DMT (computer monitor) modes | |
320 | #hdmi_drive=2 |
|
337 | #hdmi_drive=2 | |
321 |
|
338 | |||
322 | # uncomment to increase signal to HDMI, if you have interference, blanking, or |
|
339 | # uncomment to increase signal to HDMI, if you have interference, blanking, or | |
323 | # no display |
|
340 | # no display | |
324 | #config_hdmi_boost=4 |
|
341 | #config_hdmi_boost=4 | |
325 |
|
342 | |||
326 | # uncomment for composite PAL |
|
343 | # uncomment for composite PAL | |
327 | #sdtv_mode=2 |
|
344 | #sdtv_mode=2 | |
328 |
|
345 | |||
329 | # uncomment to overclock the arm. 700 MHz is the default. |
|
346 | # uncomment to overclock the arm. 700 MHz is the default. | |
330 | #arm_freq=800 |
|
347 | #arm_freq=800 | |
331 | EOM |
|
348 | EOM | |
332 |
|
349 | |||
333 | # Set smallest possible GPU memory allocation size: 16MB (no X) |
|
350 | # Set smallest possible GPU memory allocation size: 16MB (no X) | |
334 | if [ "$ENABLE_MINGPU" = true ] ; then |
|
351 | if [ "$ENABLE_MINGPU" = true ] ; then | |
335 | echo "gpu_mem=16" >>$R/boot/firmware/config.txt |
|
352 | echo "gpu_mem=16" >>$R/boot/firmware/config.txt | |
336 | fi |
|
353 | fi | |
337 |
|
354 | |||
338 | # Create symlinks |
|
355 | # Create symlinks | |
339 | ln -sf firmware/config.txt $R/boot/config.txt |
|
356 | ln -sf firmware/config.txt $R/boot/config.txt | |
340 | ln -sf firmware/cmdline.txt $R/boot/cmdline.txt |
|
357 | ln -sf firmware/cmdline.txt $R/boot/cmdline.txt | |
341 |
|
358 | |||
342 | # Prepare modules-load.d directory |
|
359 | # Prepare modules-load.d directory | |
343 | mkdir -p $R/lib/modules-load.d/ |
|
360 | mkdir -p $R/lib/modules-load.d/ | |
344 |
|
361 | |||
345 | # Load random module on boot |
|
362 | # Load random module on boot | |
346 | if [ "$ENABLE_HWRANDOM" = true ] ; then |
|
363 | if [ "$ENABLE_HWRANDOM" = true ] ; then | |
347 | cat <<EOM >$R/lib/modules-load.d/rpi2.conf |
|
364 | cat <<EOM >$R/lib/modules-load.d/rpi2.conf | |
348 | bcm2708_rng |
|
365 | bcm2708_rng | |
349 | EOM |
|
366 | EOM | |
350 | fi |
|
367 | fi | |
351 |
|
368 | |||
352 | # Prepare modprobe.d directory |
|
369 | # Prepare modprobe.d directory | |
353 | mkdir -p $R/etc/modprobe.d/ |
|
370 | mkdir -p $R/etc/modprobe.d/ | |
354 |
|
371 | |||
355 | # Blacklist sound modules |
|
372 | # Blacklist sound modules | |
356 | cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf |
|
373 | cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf | |
357 | blacklist snd_soc_core |
|
374 | blacklist snd_soc_core | |
358 | blacklist snd_pcm |
|
375 | blacklist snd_pcm | |
359 | blacklist snd_pcm_dmaengine |
|
376 | blacklist snd_pcm_dmaengine | |
360 | blacklist snd_timer |
|
377 | blacklist snd_timer | |
361 | blacklist snd_compress |
|
378 | blacklist snd_compress | |
362 | blacklist snd_soc_pcm512x_i2c |
|
379 | blacklist snd_soc_pcm512x_i2c | |
363 | blacklist snd_soc_pcm512x |
|
380 | blacklist snd_soc_pcm512x | |
364 | blacklist snd_soc_tas5713 |
|
381 | blacklist snd_soc_tas5713 | |
365 | blacklist snd_soc_wm8804 |
|
382 | blacklist snd_soc_wm8804 | |
366 | EOM |
|
383 | EOM | |
367 |
|
384 | |||
368 | # Create default fstab |
|
385 | # Create default fstab | |
369 | cat <<EOM >$R/etc/fstab |
|
386 | cat <<EOM >$R/etc/fstab | |
370 | /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1 |
|
387 | /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1 | |
371 | /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2 |
|
388 | /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2 | |
372 | EOM |
|
389 | EOM | |
373 |
|
390 | |||
374 | # Avoid swapping and increase cache sizes |
|
391 | # Avoid swapping and increase cache sizes | |
375 | cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf |
|
392 | cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf | |
376 |
|
393 | |||
377 | # Avoid swapping and increase cache sizes |
|
394 | # Avoid swapping and increase cache sizes | |
378 | vm.swappiness=1 |
|
395 | vm.swappiness=1 | |
379 | vm.dirty_background_ratio=20 |
|
396 | vm.dirty_background_ratio=20 | |
380 | vm.dirty_ratio=40 |
|
397 | vm.dirty_ratio=40 | |
381 | vm.dirty_writeback_centisecs=500 |
|
398 | vm.dirty_writeback_centisecs=500 | |
382 | vm.dirty_expire_centisecs=6000 |
|
399 | vm.dirty_expire_centisecs=6000 | |
383 | EOM |
|
400 | EOM | |
384 |
|
401 | |||
385 | # Enable network stack hardening |
|
402 | # Enable network stack hardening | |
386 | if [ "$ENABLE_HARDNET" = true ] ; then |
|
403 | if [ "$ENABLE_HARDNET" = true ] ; then | |
387 | cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf |
|
404 | cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf | |
388 |
|
405 | |||
389 | # Enable network stack hardening |
|
406 | # Enable network stack hardening | |
390 | net.ipv4.tcp_timestamps=0 |
|
407 | net.ipv4.tcp_timestamps=0 | |
391 | net.ipv4.tcp_syncookies=1 |
|
408 | net.ipv4.tcp_syncookies=1 | |
392 | net.ipv4.conf.all.rp_filter=1 |
|
409 | net.ipv4.conf.all.rp_filter=1 | |
393 | net.ipv4.conf.all.accept_redirects=0 |
|
410 | net.ipv4.conf.all.accept_redirects=0 | |
394 | net.ipv4.conf.all.send_redirects=0 |
|
411 | net.ipv4.conf.all.send_redirects=0 | |
395 | net.ipv4.conf.all.accept_source_route=0 |
|
412 | net.ipv4.conf.all.accept_source_route=0 | |
396 | net.ipv4.conf.default.rp_filter=1 |
|
413 | net.ipv4.conf.default.rp_filter=1 | |
397 | net.ipv4.conf.default.accept_redirects=0 |
|
414 | net.ipv4.conf.default.accept_redirects=0 | |
398 | net.ipv4.conf.default.send_redirects=0 |
|
415 | net.ipv4.conf.default.send_redirects=0 | |
399 | net.ipv4.conf.default.accept_source_route=0 |
|
416 | net.ipv4.conf.default.accept_source_route=0 | |
400 | net.ipv4.conf.lo.accept_redirects=0 |
|
417 | net.ipv4.conf.lo.accept_redirects=0 | |
401 | net.ipv4.conf.lo.send_redirects=0 |
|
418 | net.ipv4.conf.lo.send_redirects=0 | |
402 | net.ipv4.conf.lo.accept_source_route=0 |
|
419 | net.ipv4.conf.lo.accept_source_route=0 | |
403 | net.ipv4.conf.eth0.accept_redirects=0 |
|
420 | net.ipv4.conf.eth0.accept_redirects=0 | |
404 | net.ipv4.conf.eth0.send_redirects=0 |
|
421 | net.ipv4.conf.eth0.send_redirects=0 | |
405 | net.ipv4.conf.eth0.accept_source_route=0 |
|
422 | net.ipv4.conf.eth0.accept_source_route=0 | |
406 | net.ipv4.icmp_echo_ignore_broadcasts=1 |
|
423 | net.ipv4.icmp_echo_ignore_broadcasts=1 | |
407 | net.ipv4.icmp_ignore_bogus_error_responses=1 |
|
424 | net.ipv4.icmp_ignore_bogus_error_responses=1 | |
408 |
|
425 | |||
409 | net.ipv6.conf.all.accept_redirects=0 |
|
426 | net.ipv6.conf.all.accept_redirects=0 | |
410 | net.ipv6.conf.all.accept_source_route=0 |
|
427 | net.ipv6.conf.all.accept_source_route=0 | |
411 | net.ipv6.conf.all.router_solicitations=0 |
|
428 | net.ipv6.conf.all.router_solicitations=0 | |
412 | net.ipv6.conf.all.accept_ra_rtr_pref=0 |
|
429 | net.ipv6.conf.all.accept_ra_rtr_pref=0 | |
413 | net.ipv6.conf.all.accept_ra_pinfo=0 |
|
430 | net.ipv6.conf.all.accept_ra_pinfo=0 | |
414 | net.ipv6.conf.all.accept_ra_defrtr=0 |
|
431 | net.ipv6.conf.all.accept_ra_defrtr=0 | |
415 | net.ipv6.conf.all.autoconf=0 |
|
432 | net.ipv6.conf.all.autoconf=0 | |
416 | net.ipv6.conf.all.dad_transmits=0 |
|
433 | net.ipv6.conf.all.dad_transmits=0 | |
417 | net.ipv6.conf.all.max_addresses=1 |
|
434 | net.ipv6.conf.all.max_addresses=1 | |
418 |
|
435 | |||
419 | net.ipv6.conf.default.accept_redirects=0 |
|
436 | net.ipv6.conf.default.accept_redirects=0 | |
420 | net.ipv6.conf.default.accept_source_route=0 |
|
437 | net.ipv6.conf.default.accept_source_route=0 | |
421 | net.ipv6.conf.default.router_solicitations=0 |
|
438 | net.ipv6.conf.default.router_solicitations=0 | |
422 | net.ipv6.conf.default.accept_ra_rtr_pref=0 |
|
439 | net.ipv6.conf.default.accept_ra_rtr_pref=0 | |
423 | net.ipv6.conf.default.accept_ra_pinfo=0 |
|
440 | net.ipv6.conf.default.accept_ra_pinfo=0 | |
424 | net.ipv6.conf.default.accept_ra_defrtr=0 |
|
441 | net.ipv6.conf.default.accept_ra_defrtr=0 | |
425 | net.ipv6.conf.default.autoconf=0 |
|
442 | net.ipv6.conf.default.autoconf=0 | |
426 | net.ipv6.conf.default.dad_transmits=0 |
|
443 | net.ipv6.conf.default.dad_transmits=0 | |
427 | net.ipv6.conf.default.max_addresses=1 |
|
444 | net.ipv6.conf.default.max_addresses=1 | |
428 |
|
445 | |||
429 | net.ipv6.conf.lo.accept_redirects=0 |
|
446 | net.ipv6.conf.lo.accept_redirects=0 | |
430 | net.ipv6.conf.lo.accept_source_route=0 |
|
447 | net.ipv6.conf.lo.accept_source_route=0 | |
431 | net.ipv6.conf.lo.router_solicitations=0 |
|
448 | net.ipv6.conf.lo.router_solicitations=0 | |
432 | net.ipv6.conf.lo.accept_ra_rtr_pref=0 |
|
449 | net.ipv6.conf.lo.accept_ra_rtr_pref=0 | |
433 | net.ipv6.conf.lo.accept_ra_pinfo=0 |
|
450 | net.ipv6.conf.lo.accept_ra_pinfo=0 | |
434 | net.ipv6.conf.lo.accept_ra_defrtr=0 |
|
451 | net.ipv6.conf.lo.accept_ra_defrtr=0 | |
435 | net.ipv6.conf.lo.autoconf=0 |
|
452 | net.ipv6.conf.lo.autoconf=0 | |
436 | net.ipv6.conf.lo.dad_transmits=0 |
|
453 | net.ipv6.conf.lo.dad_transmits=0 | |
437 | net.ipv6.conf.lo.max_addresses=1 |
|
454 | net.ipv6.conf.lo.max_addresses=1 | |
438 |
|
455 | |||
439 | net.ipv6.conf.eth0.accept_redirects=0 |
|
456 | net.ipv6.conf.eth0.accept_redirects=0 | |
440 | net.ipv6.conf.eth0.accept_source_route=0 |
|
457 | net.ipv6.conf.eth0.accept_source_route=0 | |
441 | net.ipv6.conf.eth0.router_solicitations=0 |
|
458 | net.ipv6.conf.eth0.router_solicitations=0 | |
442 | net.ipv6.conf.eth0.accept_ra_rtr_pref=0 |
|
459 | net.ipv6.conf.eth0.accept_ra_rtr_pref=0 | |
443 | net.ipv6.conf.eth0.accept_ra_pinfo=0 |
|
460 | net.ipv6.conf.eth0.accept_ra_pinfo=0 | |
444 | net.ipv6.conf.eth0.accept_ra_defrtr=0 |
|
461 | net.ipv6.conf.eth0.accept_ra_defrtr=0 | |
445 | net.ipv6.conf.eth0.autoconf=0 |
|
462 | net.ipv6.conf.eth0.autoconf=0 | |
446 | net.ipv6.conf.eth0.dad_transmits=0 |
|
463 | net.ipv6.conf.eth0.dad_transmits=0 | |
447 | net.ipv6.conf.eth0.max_addresses=1 |
|
464 | net.ipv6.conf.eth0.max_addresses=1 | |
448 | EOM |
|
465 | EOM | |
449 |
|
466 | |||
450 | # Enable resolver warnings about spoofed addresses |
|
467 | # Enable resolver warnings about spoofed addresses | |
451 | cat <<EOM >>$R/etc/host.conf |
|
468 | cat <<EOM >>$R/etc/host.conf | |
452 | spoof warn |
|
469 | spoof warn | |
453 | EOM |
|
470 | EOM | |
454 | fi |
|
471 | fi | |
455 |
|
472 | |||
456 | # Regenerate openssh server host keys |
|
473 | # Regenerate openssh server host keys | |
457 | if [ "$ENABLE_SSHD" = true ] ; then |
|
474 | if [ "$ENABLE_SSHD" = true ] ; then | |
458 | rm -fr $R/etc/ssh/ssh_host_* |
|
475 | rm -fr $R/etc/ssh/ssh_host_* | |
459 | LANG=C chroot $R dpkg-reconfigure openssh-server |
|
476 | LANG=C chroot $R dpkg-reconfigure openssh-server | |
460 | fi |
|
477 | fi | |
461 |
|
478 | |||
462 | # Enable serial console systemd style |
|
479 | # Enable serial console systemd style | |
463 | if [ "$ENABLE_CONSOLE" = true ] ; then |
|
480 | if [ "$ENABLE_CONSOLE" = true ] ; then | |
464 | LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service |
|
481 | LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service | |
465 | fi |
|
482 | fi | |
466 |
|
483 | |||
467 | # Enable firewall based on iptables started by systemd service |
|
484 | # Enable firewall based on iptables started by systemd service | |
468 | if [ "$ENABLE_IPTABLES" = true ] ; then |
|
485 | if [ "$ENABLE_IPTABLES" = true ] ; then | |
469 | # Create iptables configuration directory |
|
486 | # Create iptables configuration directory | |
470 | mkdir -p "$R/etc/iptables" |
|
487 | mkdir -p "$R/etc/iptables" | |
471 |
|
488 | |||
472 | # Create iptables systemd service |
|
489 | # Create iptables systemd service | |
473 | cat <<EOM >$R/etc/systemd/system/iptables.service |
|
490 | cat <<EOM >$R/etc/systemd/system/iptables.service | |
474 | [Unit] |
|
491 | [Unit] | |
475 | Description=Packet Filtering Framework |
|
492 | Description=Packet Filtering Framework | |
476 | DefaultDependencies=no |
|
493 | DefaultDependencies=no | |
477 | After=systemd-sysctl.service |
|
494 | After=systemd-sysctl.service | |
478 | Before=sysinit.target |
|
495 | Before=sysinit.target | |
479 | [Service] |
|
496 | [Service] | |
480 | Type=oneshot |
|
497 | Type=oneshot | |
481 | ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules |
|
498 | ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules | |
482 | ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules |
|
499 | ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules | |
483 | ExecStop=/etc/iptables/flush-iptables.sh |
|
500 | ExecStop=/etc/iptables/flush-iptables.sh | |
484 | RemainAfterExit=yes |
|
501 | RemainAfterExit=yes | |
485 | [Install] |
|
502 | [Install] | |
486 | WantedBy=multi-user.target |
|
503 | WantedBy=multi-user.target | |
487 | EOM |
|
504 | EOM | |
488 |
|
505 | |||
489 | # Create flush-table script called by iptables service |
|
506 | # Create flush-table script called by iptables service | |
490 | cat <<EOM >$R/etc/iptables/flush-iptables.sh |
|
507 | cat <<EOM >$R/etc/iptables/flush-iptables.sh | |
491 | #!/bin/sh |
|
508 | #!/bin/sh | |
492 | iptables -F |
|
509 | iptables -F | |
493 | iptables -X |
|
510 | iptables -X | |
494 | iptables -t nat -F |
|
511 | iptables -t nat -F | |
495 | iptables -t nat -X |
|
512 | iptables -t nat -X | |
496 | iptables -t mangle -F |
|
513 | iptables -t mangle -F | |
497 | iptables -t mangle -X |
|
514 | iptables -t mangle -X | |
498 | iptables -P INPUT ACCEPT |
|
515 | iptables -P INPUT ACCEPT | |
499 | iptables -P FORWARD ACCEPT |
|
516 | iptables -P FORWARD ACCEPT | |
500 | iptables -P OUTPUT ACCEPT |
|
517 | iptables -P OUTPUT ACCEPT | |
501 | EOM |
|
518 | EOM | |
502 |
|
519 | |||
503 | # Create iptables rule file |
|
520 | # Create iptables rule file | |
504 | cat <<EOM >$R/etc/iptables/iptables.rules |
|
521 | cat <<EOM >$R/etc/iptables/iptables.rules | |
505 | *filter |
|
522 | *filter | |
506 | :INPUT DROP [0:0] |
|
523 | :INPUT DROP [0:0] | |
507 | :FORWARD DROP [0:0] |
|
524 | :FORWARD DROP [0:0] | |
508 | :OUTPUT ACCEPT [0:0] |
|
525 | :OUTPUT ACCEPT [0:0] | |
509 | :TCP - [0:0] |
|
526 | :TCP - [0:0] | |
510 | :UDP - [0:0] |
|
527 | :UDP - [0:0] | |
511 | :SSH - [0:0] |
|
528 | :SSH - [0:0] | |
512 |
|
529 | |||
513 | # Rate limit ping requests |
|
530 | # Rate limit ping requests | |
514 | -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT |
|
531 | -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT | |
515 | -A INPUT -p icmp --icmp-type echo-request -j DROP |
|
532 | -A INPUT -p icmp --icmp-type echo-request -j DROP | |
516 |
|
533 | |||
517 | # Accept established connections |
|
534 | # Accept established connections | |
518 | -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT |
|
535 | -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | |
519 |
|
536 | |||
520 | # Accept all traffic on loopback interface |
|
537 | # Accept all traffic on loopback interface | |
521 | -A INPUT -i lo -j ACCEPT |
|
538 | -A INPUT -i lo -j ACCEPT | |
522 |
|
539 | |||
523 | # Drop packets declared invalid |
|
540 | # Drop packets declared invalid | |
524 | -A INPUT -m conntrack --ctstate INVALID -j DROP |
|
541 | -A INPUT -m conntrack --ctstate INVALID -j DROP | |
525 |
|
542 | |||
526 | # SSH rate limiting |
|
543 | # SSH rate limiting | |
527 | -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH |
|
544 | -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH | |
528 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP |
|
545 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP | |
529 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP |
|
546 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP | |
530 | -A SSH -m recent --name sshbf --set -j ACCEPT |
|
547 | -A SSH -m recent --name sshbf --set -j ACCEPT | |
531 |
|
548 | |||
532 | # Send TCP and UDP connections to their respective rules chain |
|
549 | # Send TCP and UDP connections to their respective rules chain | |
533 | -A INPUT -p udp -m conntrack --ctstate NEW -j UDP |
|
550 | -A INPUT -p udp -m conntrack --ctstate NEW -j UDP | |
534 | -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP |
|
551 | -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP | |
535 |
|
552 | |||
536 | # Reject dropped packets with a RFC compliant responce |
|
553 | # Reject dropped packets with a RFC compliant responce | |
537 | -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable |
|
554 | -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable | |
538 | -A INPUT -p tcp -j REJECT --reject-with tcp-rst |
|
555 | -A INPUT -p tcp -j REJECT --reject-with tcp-rst | |
539 | -A INPUT -j REJECT --reject-with icmp-proto-unreachable |
|
556 | -A INPUT -j REJECT --reject-with icmp-proto-unreachable | |
540 |
|
557 | |||
541 | ## TCP PORT RULES |
|
558 | ## TCP PORT RULES | |
542 | # -A TCP -p tcp -j LOG |
|
559 | # -A TCP -p tcp -j LOG | |
543 |
|
560 | |||
544 | ## UDP PORT RULES |
|
561 | ## UDP PORT RULES | |
545 | # -A UDP -p udp -j LOG |
|
562 | # -A UDP -p udp -j LOG | |
546 |
|
563 | |||
547 | COMMIT |
|
564 | COMMIT | |
548 | EOM |
|
565 | EOM | |
549 |
|
566 | |||
550 | # Reload systemd configuration and enable iptables service |
|
567 | # Reload systemd configuration and enable iptables service | |
551 | LANG=C chroot $R systemctl daemon-reload |
|
568 | LANG=C chroot $R systemctl daemon-reload | |
552 | LANG=C chroot $R systemctl enable iptables.service |
|
569 | LANG=C chroot $R systemctl enable iptables.service | |
553 |
|
570 | |||
554 | if [ "$ENABLE_IPV6" = true ] ; then |
|
571 | if [ "$ENABLE_IPV6" = true ] ; then | |
555 | # Create ip6tables systemd service |
|
572 | # Create ip6tables systemd service | |
556 | cat <<EOM >$R/etc/systemd/system/ip6tables.service |
|
573 | cat <<EOM >$R/etc/systemd/system/ip6tables.service | |
557 | [Unit] |
|
574 | [Unit] | |
558 | Description=Packet Filtering Framework |
|
575 | Description=Packet Filtering Framework | |
559 | DefaultDependencies=no |
|
576 | DefaultDependencies=no | |
560 | After=systemd-sysctl.service |
|
577 | After=systemd-sysctl.service | |
561 | Before=sysinit.target |
|
578 | Before=sysinit.target | |
562 | [Service] |
|
579 | [Service] | |
563 | Type=oneshot |
|
580 | Type=oneshot | |
564 | ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules |
|
581 | ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules | |
565 | ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules |
|
582 | ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules | |
566 | ExecStop=/etc/iptables/flush-ip6tables.sh |
|
583 | ExecStop=/etc/iptables/flush-ip6tables.sh | |
567 | RemainAfterExit=yes |
|
584 | RemainAfterExit=yes | |
568 | [Install] |
|
585 | [Install] | |
569 | WantedBy=multi-user.target |
|
586 | WantedBy=multi-user.target | |
570 | EOM |
|
587 | EOM | |
571 |
|
588 | |||
572 | # Create ip6tables file |
|
589 | # Create ip6tables file | |
573 | cat <<EOM >$R/etc/iptables/flush-ip6tables.sh |
|
590 | cat <<EOM >$R/etc/iptables/flush-ip6tables.sh | |
574 | #!/bin/sh |
|
591 | #!/bin/sh | |
575 | ip6tables -F |
|
592 | ip6tables -F | |
576 | ip6tables -X |
|
593 | ip6tables -X | |
577 | ip6tables -Z |
|
594 | ip6tables -Z | |
578 | for table in $(</proc/net/ip6_tables_names) |
|
595 | for table in $(</proc/net/ip6_tables_names) | |
579 | do |
|
596 | do | |
580 | ip6tables -t \$table -F |
|
597 | ip6tables -t \$table -F | |
581 | ip6tables -t \$table -X |
|
598 | ip6tables -t \$table -X | |
582 | ip6tables -t \$table -Z |
|
599 | ip6tables -t \$table -Z | |
583 | done |
|
600 | done | |
584 | ip6tables -P INPUT ACCEPT |
|
601 | ip6tables -P INPUT ACCEPT | |
585 | ip6tables -P OUTPUT ACCEPT |
|
602 | ip6tables -P OUTPUT ACCEPT | |
586 | ip6tables -P FORWARD ACCEPT |
|
603 | ip6tables -P FORWARD ACCEPT | |
587 | EOM |
|
604 | EOM | |
588 |
|
605 | |||
589 | # Create ip6tables rule file |
|
606 | # Create ip6tables rule file | |
590 | cat <<EOM >$R/etc/iptables/ip6tables.rules |
|
607 | cat <<EOM >$R/etc/iptables/ip6tables.rules | |
591 | *filter |
|
608 | *filter | |
592 | :INPUT DROP [0:0] |
|
609 | :INPUT DROP [0:0] | |
593 | :FORWARD DROP [0:0] |
|
610 | :FORWARD DROP [0:0] | |
594 | :OUTPUT ACCEPT [0:0] |
|
611 | :OUTPUT ACCEPT [0:0] | |
595 | :TCP - [0:0] |
|
612 | :TCP - [0:0] | |
596 | :UDP - [0:0] |
|
613 | :UDP - [0:0] | |
597 | :SSH - [0:0] |
|
614 | :SSH - [0:0] | |
598 |
|
615 | |||
599 | # Drop packets with RH0 headers |
|
616 | # Drop packets with RH0 headers | |
600 | -A INPUT -m rt --rt-type 0 -j DROP |
|
617 | -A INPUT -m rt --rt-type 0 -j DROP | |
601 | -A OUTPUT -m rt --rt-type 0 -j DROP |
|
618 | -A OUTPUT -m rt --rt-type 0 -j DROP | |
602 | -A FORWARD -m rt --rt-type 0 -j DROP |
|
619 | -A FORWARD -m rt --rt-type 0 -j DROP | |
603 |
|
620 | |||
604 | # Rate limit ping requests |
|
621 | # Rate limit ping requests | |
605 | -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT |
|
622 | -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT | |
606 | -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP |
|
623 | -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP | |
607 |
|
624 | |||
608 | # Accept established connections |
|
625 | # Accept established connections | |
609 | -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT |
|
626 | -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | |
610 |
|
627 | |||
611 | # Accept all traffic on loopback interface |
|
628 | # Accept all traffic on loopback interface | |
612 | -A INPUT -i lo -j ACCEPT |
|
629 | -A INPUT -i lo -j ACCEPT | |
613 |
|
630 | |||
614 | # Drop packets declared invalid |
|
631 | # Drop packets declared invalid | |
615 | -A INPUT -m conntrack --ctstate INVALID -j DROP |
|
632 | -A INPUT -m conntrack --ctstate INVALID -j DROP | |
616 |
|
633 | |||
617 | # SSH rate limiting |
|
634 | # SSH rate limiting | |
618 | -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH |
|
635 | -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH | |
619 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP |
|
636 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP | |
620 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP |
|
637 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP | |
621 | -A SSH -m recent --name sshbf --set -j ACCEPT |
|
638 | -A SSH -m recent --name sshbf --set -j ACCEPT | |
622 |
|
639 | |||
623 | # Send TCP and UDP connections to their respective rules chain |
|
640 | # Send TCP and UDP connections to their respective rules chain | |
624 | -A INPUT -p udp -m conntrack --ctstate NEW -j UDP |
|
641 | -A INPUT -p udp -m conntrack --ctstate NEW -j UDP | |
625 | -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP |
|
642 | -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP | |
626 |
|
643 | |||
627 | # Reject dropped packets with a RFC compliant responce |
|
644 | # Reject dropped packets with a RFC compliant responce | |
628 | -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited |
|
645 | -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited | |
629 | -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited |
|
646 | -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited | |
630 | -A INPUT -j REJECT --reject-with icmp6-adm-prohibited |
|
647 | -A INPUT -j REJECT --reject-with icmp6-adm-prohibited | |
631 |
|
648 | |||
632 | ## TCP PORT RULES |
|
649 | ## TCP PORT RULES | |
633 | # -A TCP -p tcp -j LOG |
|
650 | # -A TCP -p tcp -j LOG | |
634 |
|
651 | |||
635 | ## UDP PORT RULES |
|
652 | ## UDP PORT RULES | |
636 | # -A UDP -p udp -j LOG |
|
653 | # -A UDP -p udp -j LOG | |
637 |
|
654 | |||
638 | COMMIT |
|
655 | COMMIT | |
639 | EOM |
|
656 | EOM | |
640 |
|
657 | |||
641 | # Reload systemd configuration and enable iptables service |
|
658 | # Reload systemd configuration and enable iptables service | |
642 | LANG=C chroot $R systemctl daemon-reload |
|
659 | LANG=C chroot $R systemctl daemon-reload | |
643 | LANG=C chroot $R systemctl enable ip6tables.service |
|
660 | LANG=C chroot $R systemctl enable ip6tables.service | |
644 |
|
661 | |||
645 | fi |
|
662 | fi | |
646 | fi |
|
663 | fi | |
647 |
|
664 | |||
648 | if [ "$ENABLE_UBOOT" = true ] ; then |
|
665 | if [ "$ENABLE_UBOOT" = true ] ; then | |
649 | # Fetch u-boot github |
|
666 | # Fetch u-boot github | |
650 | git -C $R/tmp clone git://git.denx.de/u-boot.git |
|
667 | git -C $R/tmp clone git://git.denx.de/u-boot.git | |
651 |
|
668 | |||
652 | # Install minimal gcc/g++ build environment and build u-boot inside chroot |
|
669 | # Install minimal gcc/g++ build environment and build u-boot inside chroot | |
653 | LANG=C chroot $R apt-get install -qq -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc |
|
670 | LANG=C chroot $R apt-get install -qq -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc | |
654 | LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all |
|
671 | LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all | |
655 |
|
672 | |||
656 | # Copy compiled bootloader binary and set config.txt to load it |
|
673 | # Copy compiled bootloader binary and set config.txt to load it | |
657 | cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/ |
|
674 | cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/ | |
658 | printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt |
|
675 | printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt | |
659 |
|
676 | |||
660 | # Set u-boot command file |
|
677 | # Set u-boot command file | |
661 | cat <<EOM >$R/boot/firmware/uboot.mkimage |
|
678 | cat <<EOM >$R/boot/firmware/uboot.mkimage | |
662 | # Tell Linux that it is booting on a Raspberry Pi2 |
|
679 | # Tell Linux that it is booting on a Raspberry Pi2 | |
663 | setenv machid 0x00000c42 |
|
680 | setenv machid 0x00000c42 | |
664 |
|
681 | |||
665 | # Set the kernel boot command line |
|
682 | # Set the kernel boot command line | |
666 | setenv bootargs "earlyprintk ${CMDLINE}" |
|
683 | setenv bootargs "earlyprintk ${CMDLINE}" | |
667 |
|
684 | |||
668 | # Save these changes to u-boot's environment |
|
685 | # Save these changes to u-boot's environment | |
669 | saveenv |
|
686 | saveenv | |
670 |
|
687 | |||
671 | # Load the existing Linux kernel into RAM |
|
688 | # Load the existing Linux kernel into RAM | |
672 | fatload mmc 0:1 \${kernel_addr_r} kernel7.img |
|
689 | fatload mmc 0:1 \${kernel_addr_r} kernel7.img | |
673 |
|
690 | |||
674 | # Boot the kernel we have just loaded |
|
691 | # Boot the kernel we have just loaded | |
675 | bootz \${kernel_addr_r} |
|
692 | bootz \${kernel_addr_r} | |
676 | EOM |
|
693 | EOM | |
677 |
|
694 | |||
678 | # Generate u-boot image from command file |
|
695 | # Generate u-boot image from command file | |
679 | LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr |
|
696 | LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr | |
680 |
|
697 | |||
681 | # Remove gcc/c++ build enviroment |
|
698 | # Remove gcc/c++ build enviroment | |
682 |
LANG=C chroot $R apt-get purge - |
|
699 | LANG=C chroot $R apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make | |
683 | fi |
|
700 | fi | |
684 |
|
701 | |||
|
702 | # Enable systemd-networkd DHCP configuration for the eth0 interface | |||
|
703 | printf "[Match]\nName=eth0\n\n[Network]\nDHCP=yes\n" > $R/etc/systemd/network/eth.network | |||
|
704 | ||||
|
705 | # Set DHCP configuration to IPv4 only | |||
|
706 | if [ "$ENABLE_IPV6" = false ] ; then | |||
|
707 | sed -i "s/=yes/=v4/" $R/etc/systemd/network/eth.network | |||
|
708 | fi | |||
|
709 | ||||
|
710 | # Enable systemd-networkd service | |||
|
711 | LANG=C chroot $R systemctl enable systemd-networkd | |||
|
712 | ||||
|
713 | # Place hint about netowrk configuration | |||
|
714 | cat <<EOM >$R/etc/network/interfaces | |||
|
715 | # Debian switched to systemd-networkd configuration files. | |||
|
716 | # please configure your networks in '/etc/systemd/network/' | |||
|
717 | EOM | |||
|
718 | ||||
685 | # Clean cached downloads |
|
719 | # Clean cached downloads | |
686 | LANG=C chroot $R apt-get -y clean |
|
720 | LANG=C chroot $R apt-get -y clean | |
687 | LANG=C chroot $R apt-get -y autoclean |
|
721 | LANG=C chroot $R apt-get -y autoclean | |
688 | LANG=C chroot $R apt-get -y autoremove |
|
722 | LANG=C chroot $R apt-get -y autoremove | |
689 |
|
723 | |||
690 | # Unmount mounted filesystems |
|
724 | # Unmount mounted filesystems | |
691 | umount -l $R/proc |
|
725 | umount -l $R/proc | |
692 | umount -l $R/sys |
|
726 | umount -l $R/sys | |
693 |
|
727 | |||
694 | # Clean up files |
|
728 | # Clean up files | |
695 | rm -f $R/etc/apt/sources.list.save |
|
729 | rm -f $R/etc/apt/sources.list.save | |
696 | rm -f $R/etc/resolvconf/resolv.conf.d/original |
|
730 | rm -f $R/etc/resolvconf/resolv.conf.d/original | |
697 | rm -rf $R/run |
|
731 | rm -rf $R/run | |
698 | mkdir -p $R/run |
|
732 | mkdir -p $R/run | |
699 | rm -f $R/etc/*- |
|
733 | rm -f $R/etc/*- | |
700 | rm -f $R/root/.bash_history |
|
734 | rm -f $R/root/.bash_history | |
701 | rm -rf $R/tmp/* |
|
735 | rm -rf $R/tmp/* | |
702 | rm -f $R/var/lib/urandom/random-seed |
|
736 | rm -f $R/var/lib/urandom/random-seed | |
703 | [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id |
|
737 | [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id | |
704 | rm -f $R/etc/machine-id |
|
738 | rm -f $R/etc/machine-id | |
705 | rm -fr $R/etc/apt/apt.conf.d/10proxy |
|
739 | rm -fr $R/etc/apt/apt.conf.d/10proxy | |
706 |
|
740 | |||
707 | # Calculate size of the chroot directory |
|
741 | # Calculate size of the chroot directory | |
708 | CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024) |
|
742 | CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024) | |
709 |
|
743 | |||
710 | # Calculate required image size |
|
744 | # Calculate required image size | |
711 | IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024` |
|
745 | IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024` | |
712 |
|
746 | |||
713 | # Calculate number of sectors for the partition |
|
747 | # Calculate number of sectors for the partition | |
714 | IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120` |
|
748 | IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120` | |
715 |
|
749 | |||
716 | # Prepare date string for image file name |
|
750 | # Prepare date string for image file name | |
717 | DATE="$(date +%Y-%m-%d)" |
|
751 | DATE="$(date +%Y-%m-%d)" | |
718 |
|
752 | |||
719 | # Prepare image file |
|
753 | # Prepare image file | |
720 | dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1 |
|
754 | dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1 | |
721 | dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE} |
|
755 | dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE} | |
722 |
|
756 | |||
723 | # Write partition table |
|
757 | # Write partition table | |
724 | sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM |
|
758 | sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM | |
725 | unit: sectors |
|
759 | unit: sectors | |
726 |
|
760 | |||
727 | 1 : start= 2048, size= 131072, Id= c, bootable |
|
761 | 1 : start= 2048, size= 131072, Id= c, bootable | |
728 | 2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83 |
|
762 | 2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83 | |
729 | 3 : start= 0, size= 0, Id= 0 |
|
763 | 3 : start= 0, size= 0, Id= 0 | |
730 | 4 : start= 0, size= 0, Id= 0 |
|
764 | 4 : start= 0, size= 0, Id= 0 | |
731 | EOM |
|
765 | EOM | |
732 |
|
766 | |||
733 | # Set up temporary loop devices and build filesystems |
|
767 | # Set up temporary loop devices and build filesystems | |
734 | VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)" |
|
768 | VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)" | |
735 | EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)" |
|
769 | EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)" | |
736 | mkfs.vfat "$VFAT_LOOP" |
|
770 | mkfs.vfat "$VFAT_LOOP" | |
737 | mkfs.ext4 "$EXT4_LOOP" |
|
771 | mkfs.ext4 "$EXT4_LOOP" | |
738 |
|
772 | |||
739 | # Mount the temporary loop devices |
|
773 | # Mount the temporary loop devices | |
740 | mkdir -p "$BUILDDIR/mount" |
|
774 | mkdir -p "$BUILDDIR/mount" | |
741 | mount "$EXT4_LOOP" "$BUILDDIR/mount" |
|
775 | mount "$EXT4_LOOP" "$BUILDDIR/mount" | |
742 |
|
776 | |||
743 | mkdir -p "$BUILDDIR/mount/boot/firmware" |
|
777 | mkdir -p "$BUILDDIR/mount/boot/firmware" | |
744 | mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware" |
|
778 | mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware" | |
745 |
|
779 | |||
746 | # Copy all files from the chroot to the loop device mount point directory |
|
780 | # Copy all files from the chroot to the loop device mount point directory | |
747 | rsync -a "$R/" "$BUILDDIR/mount/" |
|
781 | rsync -a "$R/" "$BUILDDIR/mount/" | |
748 |
|
782 | |||
749 | # Unmount all temporary loop devices and mount points |
|
783 | # Unmount all temporary loop devices and mount points | |
750 | cleanup |
|
784 | cleanup | |
751 |
|
785 | |||
752 | # (optinal) create block map file for "bmaptool" |
|
786 | # (optinal) create block map file for "bmaptool" | |
753 | bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img" |
|
787 | bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img" | |
754 |
|
788 | |||
755 | # Image was successfully created |
|
789 | # Image was successfully created | |
756 | echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created" |
|
790 | echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created" |
General Comments 0
Vous devez vous connecter pour laisser un commentaire.
Se connecter maintenant