Added: ENABLE_MINBASE, Fix: Use systemd-networkd
Jan Wagner -
r16:b5764ed82a73
@@ -1,93 +1,97
1 1 # rpi2-gen-image
2 2 ## Introduction
3 3 `rpi2-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for the Raspberry 2 (RPi2) computer. The script at this time only supports the bootstrapping of the current stable Debian 8 "jessie" release.
4 4
5 5 ## Build dependencies
6 6 The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user.
7 7
8 8 ```debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core```
9 9
10 10 ## Command-line parameters
11 11 The script accepts certain command-line parameters to enable or disable specific OS features, services and configuration settings. These parameters are passed to the `rpi2-gen-image.sh` script via (simple) shell-variables. Unlike enviroment shell-variables (simple) shell-variables are defined at the beginning of the command-line call of the `rpi2-gen-image.sh` script.
12 12
13 13 #####Command-line examples:
14 14 ```shell
15 15 ENABLE_UBOOT=true ./rpi2-gen-image.sh
16 16 ENABLE_CONSOLE=false ENABLE_IPV6=false ./rpi2-gen-image.sh
17 17 ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi2-gen-image.sh
18 18 APT_SERVER=ftp.de.debian.org APT_PROXY="http://127.0.0.1:3142/" ./rpi2-gen-image.sh
19 ENABLE_MINBASE=true ./rpi2-gen-image.sh
19 20 ```
20 21
21 22 #### APT settings:
22 23 ##### `APT_SERVER`="ftp.debian.org"
23 24 Set Debian packages server address. Choose a server from the list of Debian wordwide [mirror sites](https://www.debian.org/mirror/list). Using a nearby server will probably speed-up all required downloads within the bootstrapping process.
24 25
25 26 ##### `APT_PROXY`=""
26 27 Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once.
27 28
28 29 #### General system settings:
29 30 ##### `HOSTNAME`="rpi2-jessie"
30 Set system host name. It is recommended that the host name is unique in the corresponding subnet.
31 Set system host name. It's recommended that the host name is unique in the corresponding subnet.
31 32
32 33 ##### `PASSWORD`="raspberry"
33 Set system root password. It is **STRONGLY** recommended that you choose a custom password.
34 Set system `root` password. The same password is used for the created user `pi`. It's **STRONGLY** recommended that you choose a custom password.
34 35
35 36 ##### `DEFLOCAL`="en_US.UTF-8"
36 Set default system locale and keyboard layout. This setting can also be changed inside the running OS using the `dpkg-reconfigure locales` command.
37 Set default system locale and keyboard layout. This setting can also be changed inside the running OS using the `dpkg-reconfigure locales` command. The script variant `minbase` (ENABLE_MINBASE=true) doesn't install `locales`.
37 38
38 39 ##### `TIMEZONE`="Europe/Berlin"
39 40 Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command.
40 41
41 42 #### Basic system features:
42 43 ##### `ENABLE_CONSOLE`=true
43 Enable console output
44 Enable serial console interface. Recommended if no monitor or keyboard is connected to the RPi2. In case of problems fe. if the network (auto) configuration failed - the serial console can be used to access the system.
44 45
45 46 ##### `ENABLE_IPV6`=true
46 Enable IPv6 support
47 Enable IPv6 support. The network interface configuration is managed via systemd-networkd.
47 48
48 49 ##### `ENABLE_SSHD`=true
49 Install and enable OpenSSH service
50 Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root.
50 51
51 52 ##### `ENABLE_SOUND`=true
52 Enable sound hardware and install Advanced Linux Sound Architecture
53 Enable sound hardware and install Advanced Linux Sound Architecture.
53 54
54 55 ##### `ENABLE_HWRANDOM`=true
55 Enable Hardware Random Number Generator
56 Enable Hardware Random Number Generator. Strong random numbers are important for most network based communications that use encryption. It's recommended to be enabled.
56 57
57 58 ##### `ENABLE_MINGPU`=false
58 Minimize the amount of shared memory reserverd for the GPU
59 Minimize the amount of shared memory reserverd for the GPU. It doesn't seem to be possible to fully disable the GPU.
59 60
60 61 ##### `ENABLE_DBUS`=true
61 Install and enable D-Bus message bus
62 Install and enable D-Bus message bus. Please note that systemd should work without D-bus but it's recommended to be enabled.
62 63
63 64 ##### `ENABLE_XORG`=false
64 Install Xorg open-source X Window System
65 Install Xorg open-source X Window System.
65 66
66 67 ##### `ENABLE_FLUXBOX`=false
67 Install Fluxbox window manager for the X Window System
68 Install Fluxbox window manager for the X Window System.
68 69
69 70 #### Advanced sytem features:
71 ##### `ENABLE_MINBASE`=false
72 Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB.
73
70 74 ##### `ENABLE_UBOOT`=false
71 Replace default RPi bootloader with U-Boot bootloader
75 Replace default RPi bootloader with U-Boot bootloader. U-Boot can boot images via the network using the BOOTP/TFTP protocol.
72 76
73 77 ##### `ENABLE_IPTABLES`=false
74 Enable iptables IPv4/IPv6 firewall
78 Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service.
75 79
76 80 ##### `ENABLE_HARDNET`=false
77 Enable IPv4/IPv6 network stack hardening settings
81 Enable IPv4/IPv6 network stack hardening settings.
78 82
79 83 ## Logging of the bootstrapping process
80 84 All information related to the bootstrapping process and the commands executed by the `rpi2-gen-image.sh` script can easily be saved into a logfile. The common shell command `script` can be used for this purpose:
81 85
82 86 ```shell
83 87 script -c 'APT_SERVER=ftp.de.debian.org ./rpi2-gen-image.sh' ./build.log
84 88 ```
85 89
86 90 ## Flashing the image file
87 91 After the image file was succesfully created by the `rpi2-gen-image.sh` script it can be copied to the microSD card that will be used by the RPi2 computer. This can be performed by using the tools `bmaptool` or `dd`. Using `bmaptool` will probably speed-up the copy process because `bmaptool` copies more wisely than `dd`.
88 92
89 93 #####Flashing examples:
90 94 ```shell
91 95 bmaptool copy ./images/jessie/2015-12-13-debian-jessie.img /dev/mmcblk0
92 96 dd bs=4M if=./images/jessie/2015-12-13-debian-jessie.img of=/dev/mmcblk0
93 97 ```
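Review bot: the new `ENABLE_SSHD` text states that the default service configuration doesn't allow `root` to log in, but nothing in the accompanying script change writes an `sshd_config` setting, so the README is documenting a package default rather than something the image enforces; either add an explicit `PermitRootLogin no` in the script or word the sentence so readers know the guarantee comes from the Debian package default and not from this tool. The new `ENABLE_MINBASE` paragraph says the variant "only includes essential packages and apt", while the script change also pulls in `vim-tiny,net-tools` and drops `locales` for that variant; listing those here would save a user a surprise, and the `DEFLOCAL` note about `minbase` should say the locale is simply not set rather than leave the reader guessing what happens. Two unchanged lines are worth fixing while you are in this file: the example `ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi2-gen-image.sh` is missing the `./`, and `#####Command-line examples:` and `#####Flashing examples:` need a space after the hashes to render as headings.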
@@ -1,756 +1,790
1 1 #!/bin/sh
2 2
3 3 ########################################################################
4 4 # rpi2-gen-image.sh ver2a 12/2015
5 5 #
6 6 # Advanced debian "jessie" bootstrap script for RPi2
7 7 #
8 8 # This program is free software; you can redistribute it and/or
9 9 # modify it under the terms of the GNU General Public License
10 10 # as published by the Free Software Foundation; either version 2
11 11 # of the License, or (at your option) any later version.
12 12 #
13 13 # some parts based on rpi2-build-image:
14 14 # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
15 15 # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
16 16 ########################################################################
17 17
18 18 cleanup (){
19 19 set +x
20 20 set +e
21 21 echo "removing temporary mount points ..."
22 22 umount -l $R/proc 2> /dev/null
23 23 umount -l $R/sys 2> /dev/null
24 24 umount -l $R/dev/pts 2> /dev/null
25 25 umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
26 26 umount "$BUILDDIR/mount" 2> /dev/null
27 27 losetup -d "$EXT4_LOOP" 2> /dev/null
28 28 losetup -d "$VFAT_LOOP" 2> /dev/null
29 29 trap - 0 1 2 3 6
30 30 }
31 31
32 32 set -e
33 33 set -x
34 34
35 35 RELEASE=${RELEASE:=jessie}
36 36
37 37 # Build settings
38 38 BASEDIR=./images/${RELEASE}
39 39 BUILDDIR=${BASEDIR}/build
40 40
41 41 # General settings
42 42 HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
43 43 PASSWORD=${PASSWORD:=raspberry}
44 44 DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
45 45 TIMEZONE=${TIMEZONE:="Europe/Berlin"}
46 46
47 47 # APT settings
48 48 APT_PROXY=${APT_PROXY:=""}
49 49 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
50 50
51 51 # Feature settings
52 52 ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
53 53 ENABLE_IPV6=${ENABLE_IPV6:=true}
54 54 ENABLE_SSHD=${ENABLE_SSHD:=true}
55 55 ENABLE_SOUND=${ENABLE_SOUND:=true}
56 56 ENABLE_DBUS=${ENABLE_DBUS:=true}
57 57 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
58 58 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
59 59 ENABLE_XORG=${ENABLE_XORG:=false}
60 60 ENABLE_FLUXBOX=${ENABLE_FLUXBOX:=false}
61 61
62 62 # Advanced settings
63 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
63 64 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
64 65 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
65 66 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
66 67
67 68 # Image chroot path
68 69 R=${BUILDDIR}/chroot
69 70
70 71 # Packages required for bootstrapping
71 72 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core"
72 73
73 74 # Missing packages that need to be installed
74 75 MISSING_PACKAGES=""
75 76
76 77 # Packages required in the chroot build enviroment
77 APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,locales"
78 APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo"
78 79
79 80 set +x
80 81
81 82 # Are we running as root?
82 83 if [ "$(id -u)" -ne "0" ] ; then
83 84 echo "this script must be executed with root privileges"
84 85 exit 1
85 86 fi
86 87
87 88 # Check if all required packages are installed
88 89 for package in $REQUIRED_PACKAGES ; do
89 90 if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
90 91 MISSING_PACKAGES="$MISSING_PACKAGES $package"
91 92 fi
92 93 done
93 94
94 95 # Ask if missing packages should get installed right now
95 96 if [ -n "$MISSING_PACKAGES" ] ; then
96 97 echo "the following packages needed by this script are not installed:"
97 98 echo "$MISSING_PACKAGES"
98 99
99 100 echo -n "\ndo you want to install the missing packages right now? [y/n] "
100 101 read confirm
101 102 if [ "$confirm" != "y" ] ; then
102 103 exit 1
103 104 fi
104 105 fi
105 106
106 107 # Make sure all required packages are installed
107 108 apt-get -qq -y install ${REQUIRED_PACKAGES}
108 109
109 110 # Don't clobber an old build
110 111 if [ -e "$BUILDDIR" ]; then
111 112 echo "directory $BUILDDIR already exists, not proceeding"
112 113 exit 1
113 114 fi
114 115
115 116 set -x
116 117
117 118 # Call "cleanup" function on various signals and errors
118 119 trap cleanup 0 1 2 3 6
119 120
120 121 # Set up chroot directory
121 122 mkdir -p $R
122 123
124 # Add required packages for the minbase installation
125 if [ "$ENABLE_MINBASE" = true ] ; then
126 APT_INCLUDES="${APT_INCLUDES},vim-tiny,net-tools"
127 else
128 APT_INCLUDES="${APT_INCLUDES},locales"
129 fi
130
123 131 # Add dbus package, recommended if using systemd
124 132 if [ "$ENABLE_DBUS" = true ] ; then
125 133 APT_INCLUDES="${APT_INCLUDES},dbus"
126 134 fi
127 135
128 136 # Add openssh server package
129 137 if [ "$ENABLE_SSHD" = true ] ; then
130 138 APT_INCLUDES="${APT_INCLUDES},openssh-server"
131 139 fi
132 140
133 141 # Add rng-tools package
134 142 if [ "$ENABLE_HWRANDOM" = true ] ; then
135 143 APT_INCLUDES="${APT_INCLUDES},rng-tools"
136 144 fi
137 145
138 146 # Add xorg package
139 147 if [ "$ENABLE_XORG" = true ] ; then
140 148 APT_INCLUDES="${APT_INCLUDES},xorg"
141 149 fi
142 150
143 151 # Add fluxbox package with eterm
144 152 if [ "$ENABLE_FLUXBOX" = true ] ; then
145 153 APT_INCLUDES="${APT_INCLUDES},fluxbox,eterm"
146 154 fi
147 155
156 # Set empty proxy string
148 157 if [ -z "$APT_PROXY" ] ; then
149 158 APT_PROXY="http://"
150 159 fi
151 160
152 161 # Base debootstrap (unpack only)
162 if [ "$ENABLE_MINBASE" = true ] ; then
163 debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian
164 else
153 165 debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian
166 fi
167
168 # Copy qemu emulator binary to chroot
154 169 cp /usr/bin/qemu-arm-static $R/usr/bin
155 170
156 171 # Copy debian-archive-keyring.pgp
157 172 chroot $R mkdir -p /usr/share/keyrings
158 173 cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
159 174
160 175 # Complete the bootstrapping proccess
161 176 chroot $R /debootstrap/debootstrap --second-stage
162 177
163 178 # Mount required filesystems
164 179 mount -t proc none $R/proc
165 180 mount -t sysfs none $R/sys
166 181 mount --bind /dev/pts $R/dev/pts
167 182
168 183 # Use proxy inside chroot
169 184 if [ -z "$APT_PROXY" ] ; then
170 185 echo "Acquire::http::Proxy \"$APT_PROXY\"" >> $R/etc/apt/apt.conf.d/10proxy
171 186 fi
172 187
173 188 # Pin package flash-kernel to repositories.collabora.co.uk
174 189 cat <<EOM >$R/etc/apt/preferences.d/flash-kernel
175 190 Package: flash-kernel
176 191 Pin: origin repositories.collabora.co.uk
177 192 Pin-Priority: 1000
178 193 EOM
179 194
180 195 # Set up timezone
181 196 echo ${TIMEZONE} >$R/etc/timezone
182 197 LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata
183 198
184 199 # Set up default locales to "en_US.UTF-8" default
200 if [ "$ENABLE_MINBASE" = false ] ; then
185 201 LANG=C chroot $R sed -i '/${DEFLOCAL}/s/^#//' /etc/locale.gen
186 202 LANG=C chroot $R locale-gen ${DEFLOCAL}
203 fi
187 204
188 205 # Upgrade collabora package index and install collabora keyring
189 206 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
190 207 LANG=C chroot $R apt-get -qq -y update
191 208 LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring
192 209
193 210 # Set up initial sources.list
194 211 cat <<EOM >$R/etc/apt/sources.list
195 212 deb http://${APT_SERVER}/debian ${RELEASE} main contrib
196 213 #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib
197 214
198 215 deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
199 216 #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
200 217
201 218 deb http://security.debian.org/ ${RELEASE}/updates main contrib
202 219 #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib
203 220
204 221 deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
205 222 EOM
206 223
207 224 # Upgrade package index and update all installed packages and changed dependencies
208 225 LANG=C chroot $R apt-get -qq -y update
209 226 LANG=C chroot $R apt-get -qq -y -u dist-upgrade
210 227
211 228 # Kernel installation
212 229 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
213 230 LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2
214 231 LANG=C chroot $R apt-get -qq -y install flash-kernel
215 232
216 233 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
217 234 [ -z "$VMLINUZ" ] && exit 1
218 235 mkdir -p $R/boot/firmware
219 236
220 237 # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")
221 238 wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin
222 239 wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat
223 240 wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat
224 241 wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat
225 242 wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf
226 243 wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf
227 244 wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf
228 245 cp $VMLINUZ $R/boot/firmware/kernel7.img
229 246
230 247 # Set up hosts
231 248 echo ${HOSTNAME} >$R/etc/hostname
232 249 cat <<EOM >$R/etc/hosts
233 250 127.0.0.1 localhost
234 251 127.0.1.1 ${HOSTNAME}
235 252 EOM
236 253
237 254 if [ "$ENABLE_IPV6" = true ] ; then
238 255 cat <<EOM >>$R/etc/hosts
239 256
240 257 ::1 localhost ip6-localhost ip6-loopback
241 258 ff02::1 ip6-allnodes
242 259 ff02::2 ip6-allrouters
243 260 EOM
244 261 fi
245 262
246 263 # Generate crypt(3) password string
247 264 ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
248 265
249 266 # Set up default user
250 267 LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi
251 268 LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
252 269
253 270 # Set up root password
254 271 LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root
255 272
256 273 # Set up interfaces
257 274 cat <<EOM >$R/etc/network/interfaces
258 275 # interfaces(5) file used by ifup(8) and ifdown(8)
259 276 # Include files from /etc/network/interfaces.d:
260 277 source-directory /etc/network/interfaces.d
261 278
262 279 # The loopback network interface
263 280 auto lo
264 281 iface lo inet loopback
265 282
266 283 # The primary network interface
267 284 allow-hotplug eth0
268 285 iface eth0 inet dhcp
269 286 EOM
270 287
271 288 # Set up firmware boot cmdline
272 289 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
273 290
274 291 # Set up serial console support (if requested)
275 292 if [ "$ENABLE_CONSOLE" = true ] ; then
276 293 CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
277 294 fi
278 295
279 296 # Set up ipv6 support (if requested)
280 297 if [ "$ENABLE_IPV6" = false ] ; then
281 298 CMDLINE="${CMDLINE} ipv6.disable=1"
282 299 fi
283 300
284 301 echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
285 302
286 303 # Set up firmware config
287 304 cat <<EOM >$R/boot/firmware/config.txt
288 305 # For more options and information see
289 306 # http://www.raspberrypi.org/documentation/configuration/config-txt.md
290 307 # Some settings may impact device functionality. See link above for details
291 308
292 309 # uncomment if you get no picture on HDMI for a default "safe" mode
293 310 #hdmi_safe=1
294 311
295 312 # uncomment this if your display has a black border of unused pixels visible
296 313 # and your display can output without overscan
297 314 #disable_overscan=1
298 315
299 316 # uncomment the following to adjust overscan. Use positive numbers if console
300 317 # goes off screen, and negative if there is too much border
301 318 #overscan_left=16
302 319 #overscan_right=16
303 320 #overscan_top=16
304 321 #overscan_bottom=16
305 322
306 323 # uncomment to force a console size. By default it will be display's size minus
307 324 # overscan.
308 325 #framebuffer_width=1280
309 326 #framebuffer_height=720
310 327
311 328 # uncomment if hdmi display is not detected and composite is being output
312 329 #hdmi_force_hotplug=1
313 330
314 331 # uncomment to force a specific HDMI mode (this will force VGA)
315 332 #hdmi_group=1
316 333 #hdmi_mode=1
317 334
318 335 # uncomment to force a HDMI mode rather than DVI. This can make audio work in
319 336 # DMT (computer monitor) modes
320 337 #hdmi_drive=2
321 338
322 339 # uncomment to increase signal to HDMI, if you have interference, blanking, or
323 340 # no display
324 341 #config_hdmi_boost=4
325 342
326 343 # uncomment for composite PAL
327 344 #sdtv_mode=2
328 345
329 346 # uncomment to overclock the arm. 700 MHz is the default.
330 347 #arm_freq=800
331 348 EOM
332 349
333 350 # Set smallest possible GPU memory allocation size: 16MB (no X)
334 351 if [ "$ENABLE_MINGPU" = true ] ; then
335 352 echo "gpu_mem=16" >>$R/boot/firmware/config.txt
336 353 fi
337 354
338 355 # Create symlinks
339 356 ln -sf firmware/config.txt $R/boot/config.txt
340 357 ln -sf firmware/cmdline.txt $R/boot/cmdline.txt
341 358
342 359 # Prepare modules-load.d directory
343 360 mkdir -p $R/lib/modules-load.d/
344 361
345 362 # Load random module on boot
346 363 if [ "$ENABLE_HWRANDOM" = true ] ; then
347 364 cat <<EOM >$R/lib/modules-load.d/rpi2.conf
348 365 bcm2708_rng
349 366 EOM
350 367 fi
351 368
352 369 # Prepare modprobe.d directory
353 370 mkdir -p $R/etc/modprobe.d/
354 371
355 372 # Blacklist sound modules
356 373 cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf
357 374 blacklist snd_soc_core
358 375 blacklist snd_pcm
359 376 blacklist snd_pcm_dmaengine
360 377 blacklist snd_timer
361 378 blacklist snd_compress
362 379 blacklist snd_soc_pcm512x_i2c
363 380 blacklist snd_soc_pcm512x
364 381 blacklist snd_soc_tas5713
365 382 blacklist snd_soc_wm8804
366 383 EOM
367 384
368 385 # Create default fstab
369 386 cat <<EOM >$R/etc/fstab
370 387 /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
371 388 /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
372 389 EOM
373 390
374 391 # Avoid swapping and increase cache sizes
375 392 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
376 393
377 394 # Avoid swapping and increase cache sizes
378 395 vm.swappiness=1
379 396 vm.dirty_background_ratio=20
380 397 vm.dirty_ratio=40
381 398 vm.dirty_writeback_centisecs=500
382 399 vm.dirty_expire_centisecs=6000
383 400 EOM
384 401
385 402 # Enable network stack hardening
386 403 if [ "$ENABLE_HARDNET" = true ] ; then
387 404 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
388 405
389 406 # Enable network stack hardening
390 407 net.ipv4.tcp_timestamps=0
391 408 net.ipv4.tcp_syncookies=1
392 409 net.ipv4.conf.all.rp_filter=1
393 410 net.ipv4.conf.all.accept_redirects=0
394 411 net.ipv4.conf.all.send_redirects=0
395 412 net.ipv4.conf.all.accept_source_route=0
396 413 net.ipv4.conf.default.rp_filter=1
397 414 net.ipv4.conf.default.accept_redirects=0
398 415 net.ipv4.conf.default.send_redirects=0
399 416 net.ipv4.conf.default.accept_source_route=0
400 417 net.ipv4.conf.lo.accept_redirects=0
401 418 net.ipv4.conf.lo.send_redirects=0
402 419 net.ipv4.conf.lo.accept_source_route=0
403 420 net.ipv4.conf.eth0.accept_redirects=0
404 421 net.ipv4.conf.eth0.send_redirects=0
405 422 net.ipv4.conf.eth0.accept_source_route=0
406 423 net.ipv4.icmp_echo_ignore_broadcasts=1
407 424 net.ipv4.icmp_ignore_bogus_error_responses=1
408 425
409 426 net.ipv6.conf.all.accept_redirects=0
410 427 net.ipv6.conf.all.accept_source_route=0
411 428 net.ipv6.conf.all.router_solicitations=0
412 429 net.ipv6.conf.all.accept_ra_rtr_pref=0
413 430 net.ipv6.conf.all.accept_ra_pinfo=0
414 431 net.ipv6.conf.all.accept_ra_defrtr=0
415 432 net.ipv6.conf.all.autoconf=0
416 433 net.ipv6.conf.all.dad_transmits=0
417 434 net.ipv6.conf.all.max_addresses=1
418 435
419 436 net.ipv6.conf.default.accept_redirects=0
420 437 net.ipv6.conf.default.accept_source_route=0
421 438 net.ipv6.conf.default.router_solicitations=0
422 439 net.ipv6.conf.default.accept_ra_rtr_pref=0
423 440 net.ipv6.conf.default.accept_ra_pinfo=0
424 441 net.ipv6.conf.default.accept_ra_defrtr=0
425 442 net.ipv6.conf.default.autoconf=0
426 443 net.ipv6.conf.default.dad_transmits=0
427 444 net.ipv6.conf.default.max_addresses=1
428 445
429 446 net.ipv6.conf.lo.accept_redirects=0
430 447 net.ipv6.conf.lo.accept_source_route=0
431 448 net.ipv6.conf.lo.router_solicitations=0
432 449 net.ipv6.conf.lo.accept_ra_rtr_pref=0
433 450 net.ipv6.conf.lo.accept_ra_pinfo=0
434 451 net.ipv6.conf.lo.accept_ra_defrtr=0
435 452 net.ipv6.conf.lo.autoconf=0
436 453 net.ipv6.conf.lo.dad_transmits=0
437 454 net.ipv6.conf.lo.max_addresses=1
438 455
439 456 net.ipv6.conf.eth0.accept_redirects=0
440 457 net.ipv6.conf.eth0.accept_source_route=0
441 458 net.ipv6.conf.eth0.router_solicitations=0
442 459 net.ipv6.conf.eth0.accept_ra_rtr_pref=0
443 460 net.ipv6.conf.eth0.accept_ra_pinfo=0
444 461 net.ipv6.conf.eth0.accept_ra_defrtr=0
445 462 net.ipv6.conf.eth0.autoconf=0
446 463 net.ipv6.conf.eth0.dad_transmits=0
447 464 net.ipv6.conf.eth0.max_addresses=1
448 465 EOM
449 466
450 467 # Enable resolver warnings about spoofed addresses
451 468 cat <<EOM >>$R/etc/host.conf
452 469 spoof warn
453 470 EOM
454 471 fi
455 472
456 473 # Regenerate openssh server host keys
457 474 if [ "$ENABLE_SSHD" = true ] ; then
458 475 rm -fr $R/etc/ssh/ssh_host_*
459 476 LANG=C chroot $R dpkg-reconfigure openssh-server
460 477 fi
461 478
462 479 # Enable serial console systemd style
463 480 if [ "$ENABLE_CONSOLE" = true ] ; then
464 481 LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service
465 482 fi
466 483
467 484 # Enable firewall based on iptables started by systemd service
468 485 if [ "$ENABLE_IPTABLES" = true ] ; then
469 486 # Create iptables configuration directory
470 487 mkdir -p "$R/etc/iptables"
471 488
472 489 # Create iptables systemd service
473 490 cat <<EOM >$R/etc/systemd/system/iptables.service
474 491 [Unit]
475 492 Description=Packet Filtering Framework
476 493 DefaultDependencies=no
477 494 After=systemd-sysctl.service
478 495 Before=sysinit.target
479 496 [Service]
480 497 Type=oneshot
481 498 ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
482 499 ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
483 500 ExecStop=/etc/iptables/flush-iptables.sh
484 501 RemainAfterExit=yes
485 502 [Install]
486 503 WantedBy=multi-user.target
487 504 EOM
488 505
489 506 # Create flush-table script called by iptables service
490 507 cat <<EOM >$R/etc/iptables/flush-iptables.sh
491 508 #!/bin/sh
492 509 iptables -F
493 510 iptables -X
494 511 iptables -t nat -F
495 512 iptables -t nat -X
496 513 iptables -t mangle -F
497 514 iptables -t mangle -X
498 515 iptables -P INPUT ACCEPT
499 516 iptables -P FORWARD ACCEPT
500 517 iptables -P OUTPUT ACCEPT
501 518 EOM
502 519
503 520 # Create iptables rule file
504 521 cat <<EOM >$R/etc/iptables/iptables.rules
505 522 *filter
506 523 :INPUT DROP [0:0]
507 524 :FORWARD DROP [0:0]
508 525 :OUTPUT ACCEPT [0:0]
509 526 :TCP - [0:0]
510 527 :UDP - [0:0]
511 528 :SSH - [0:0]
512 529
513 530 # Rate limit ping requests
514 531 -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
515 532 -A INPUT -p icmp --icmp-type echo-request -j DROP
516 533
517 534 # Accept established connections
518 535 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
519 536
520 537 # Accept all traffic on loopback interface
521 538 -A INPUT -i lo -j ACCEPT
522 539
523 540 # Drop packets declared invalid
524 541 -A INPUT -m conntrack --ctstate INVALID -j DROP
525 542
526 543 # SSH rate limiting
527 544 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
528 545 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
529 546 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
530 547 -A SSH -m recent --name sshbf --set -j ACCEPT
531 548
532 549 # Send TCP and UDP connections to their respective rules chain
533 550 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
534 551 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
535 552
536 553 # Reject dropped packets with a RFC compliant responce
537 554 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
538 555 -A INPUT -p tcp -j REJECT --reject-with tcp-rst
539 556 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
540 557
541 558 ## TCP PORT RULES
542 559 # -A TCP -p tcp -j LOG
543 560
544 561 ## UDP PORT RULES
545 562 # -A UDP -p udp -j LOG
546 563
547 564 COMMIT
548 565 EOM
549 566
550 567 # Reload systemd configuration and enable iptables service
551 568 LANG=C chroot $R systemctl daemon-reload
552 569 LANG=C chroot $R systemctl enable iptables.service
553 570
554 571 if [ "$ENABLE_IPV6" = true ] ; then
555 572 # Create ip6tables systemd service
556 573 cat <<EOM >$R/etc/systemd/system/ip6tables.service
557 574 [Unit]
558 575 Description=Packet Filtering Framework
559 576 DefaultDependencies=no
560 577 After=systemd-sysctl.service
561 578 Before=sysinit.target
562 579 [Service]
563 580 Type=oneshot
564 581 ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
565 582 ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
566 583 ExecStop=/etc/iptables/flush-ip6tables.sh
567 584 RemainAfterExit=yes
568 585 [Install]
569 586 WantedBy=multi-user.target
570 587 EOM
571 588
572 589 # Create ip6tables file
573 590 cat <<EOM >$R/etc/iptables/flush-ip6tables.sh
574 591 #!/bin/sh
575 592 ip6tables -F
576 593 ip6tables -X
577 594 ip6tables -Z
578 595 for table in $(</proc/net/ip6_tables_names)
579 596 do
580 597 ip6tables -t \$table -F
581 598 ip6tables -t \$table -X
582 599 ip6tables -t \$table -Z
583 600 done
584 601 ip6tables -P INPUT ACCEPT
585 602 ip6tables -P OUTPUT ACCEPT
586 603 ip6tables -P FORWARD ACCEPT
587 604 EOM
588 605
589 606 # Create ip6tables rule file
590 607 cat <<EOM >$R/etc/iptables/ip6tables.rules
591 608 *filter
592 609 :INPUT DROP [0:0]
593 610 :FORWARD DROP [0:0]
594 611 :OUTPUT ACCEPT [0:0]
595 612 :TCP - [0:0]
596 613 :UDP - [0:0]
597 614 :SSH - [0:0]
598 615
599 616 # Drop packets with RH0 headers
600 617 -A INPUT -m rt --rt-type 0 -j DROP
601 618 -A OUTPUT -m rt --rt-type 0 -j DROP
602 619 -A FORWARD -m rt --rt-type 0 -j DROP
603 620
604 621 # Rate limit ping requests
605 622 -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
606 623 -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
607 624
608 625 # Accept established connections
609 626 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
610 627
611 628 # Accept all traffic on loopback interface
612 629 -A INPUT -i lo -j ACCEPT
613 630
614 631 # Drop packets declared invalid
615 632 -A INPUT -m conntrack --ctstate INVALID -j DROP
616 633
617 634 # SSH rate limiting
618 635 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
619 636 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
620 637 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
621 638 -A SSH -m recent --name sshbf --set -j ACCEPT
622 639
623 640 # Send TCP and UDP connections to their respective rules chain
624 641 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
625 642 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
626 643
627 644 # Reject dropped packets with a RFC compliant responce
628 645 -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
629 646 -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
630 647 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
631 648
632 649 ## TCP PORT RULES
633 650 # -A TCP -p tcp -j LOG
634 651
635 652 ## UDP PORT RULES
636 653 # -A UDP -p udp -j LOG
637 654
638 655 COMMIT
639 656 EOM
640 657
641 658 # Reload systemd configuration and enable iptables service
642 659 LANG=C chroot $R systemctl daemon-reload
643 660 LANG=C chroot $R systemctl enable ip6tables.service
644 661
645 662 fi
646 663 fi
647 664
648 665 if [ "$ENABLE_UBOOT" = true ] ; then
649 666 # Fetch u-boot github
650 667 git -C $R/tmp clone git://git.denx.de/u-boot.git
651 668
652 669 # Install minimal gcc/g++ build environment and build u-boot inside chroot
653 670 LANG=C chroot $R apt-get install -qq -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
654 671 LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all
655 672
656 673 # Copy compiled bootloader binary and set config.txt to load it
657 674 cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
658 675 printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
659 676
660 677 # Set u-boot command file
661 678 cat <<EOM >$R/boot/firmware/uboot.mkimage
662 679 # Tell Linux that it is booting on a Raspberry Pi2
663 680 setenv machid 0x00000c42
664 681
665 682 # Set the kernel boot command line
666 683 setenv bootargs "earlyprintk ${CMDLINE}"
667 684
668 685 # Save these changes to u-boot's environment
669 686 saveenv
670 687
671 688 # Load the existing Linux kernel into RAM
672 689 fatload mmc 0:1 \${kernel_addr_r} kernel7.img
673 690
674 691 # Boot the kernel we have just loaded
675 692 bootz \${kernel_addr_r}
676 693 EOM
677 694
678 695 # Generate u-boot image from command file
679 696 LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
680 697
681 698 # Remove gcc/c++ build enviroment
682 LANG=C chroot $R apt-get purge -y bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
699 LANG=C chroot $R apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
683 700 fi
684 701
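Review bot: the rewritten `apt-get purge` line still spells out the whole transitive dependency set (binutils, cpp-4.9, libc6-dev, libisl10, libmpfr4, ...) even though `--auto-remove` is now passed; with `--auto-remove` it is enough, and safer, to purge only what the `apt-get install` line at the top of the ENABLE_UBOOT block installed explicitly (`linux-compiler-gcc-4.9-arm g++ make bc`) and let apt remove whatever is then orphaned. Naming libraries and `-dev` packages individually has two costs: `apt-get -y purge` also removes any other package that depends on them, and `-y` answers yes for the user, so something unrelated that happens to pull in `binutils` or `libc6-dev` disappears without a trace in the log; and the hard-coded `-4.9` package names make the line fail with "Unable to locate package" as soon as the jessie toolchain version moves. Suggest `LANG=C chroot $R apt-get -y -q purge --auto-remove linux-compiler-gcc-4.9-arm g++ make bc`.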
702 # Enable systemd-networkd DHCP configuration for the eth0 interface
703 printf "[Match]\nName=eth0\n\n[Network]\nDHCP=yes\n" > $R/etc/systemd/network/eth.network
704
705 # Set DHCP configuration to IPv4 only
706 if [ "$ENABLE_IPV6" = false ] ; then
707 sed -i "s/=yes/=v4/" $R/etc/systemd/network/eth.network
708 fi
709
710 # Enable systemd-networkd service
711 LANG=C chroot $R systemctl enable systemd-networkd
712
713 # Place hint about netowrk configuration
714 cat <<EOM >$R/etc/network/interfaces
715 # Debian switched to systemd-networkd configuration files.
716 # please configure your networks in '/etc/systemd/network/'
717 EOM
718
685 719 # Clean cached downloads
686 720 LANG=C chroot $R apt-get -y clean
687 721 LANG=C chroot $R apt-get -y autoclean
688 722 LANG=C chroot $R apt-get -y autoremove
689 723
690 724 # Unmount mounted filesystems
691 725 umount -l $R/proc
692 726 umount -l $R/sys
693 727
694 728 # Clean up files
695 729 rm -f $R/etc/apt/sources.list.save
696 730 rm -f $R/etc/resolvconf/resolv.conf.d/original
697 731 rm -rf $R/run
698 732 mkdir -p $R/run
699 733 rm -f $R/etc/*-
700 734 rm -f $R/root/.bash_history
701 735 rm -rf $R/tmp/*
702 736 rm -f $R/var/lib/urandom/random-seed
703 737 [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id
704 738 rm -f $R/etc/machine-id
705 739 rm -fr $R/etc/apt/apt.conf.d/10proxy
706 740
707 741 # Calculate size of the chroot directory
708 742 CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)
709 743
710 744 # Calculate required image size
711 745 IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`
712 746
713 747 # Calculate number of sectors for the partition
714 748 IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`
715 749
716 750 # Prepare date string for image file name
717 751 DATE="$(date +%Y-%m-%d)"
718 752
719 753 # Prepare image file
720 754 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1
721 755 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}
722 756
723 757 # Write partition table
724 758 sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
725 759 unit: sectors
726 760
727 761 1 : start= 2048, size= 131072, Id= c, bootable
728 762 2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83
729 763 3 : start= 0, size= 0, Id= 0
730 764 4 : start= 0, size= 0, Id= 0
731 765 EOM
732 766
733 767 # Set up temporary loop devices and build filesystems
734 768 VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
735 769 EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
736 770 mkfs.vfat "$VFAT_LOOP"
737 771 mkfs.ext4 "$EXT4_LOOP"
738 772
739 773 # Mount the temporary loop devices
740 774 mkdir -p "$BUILDDIR/mount"
741 775 mount "$EXT4_LOOP" "$BUILDDIR/mount"
742 776
743 777 mkdir -p "$BUILDDIR/mount/boot/firmware"
744 778 mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"
745 779
746 780 # Copy all files from the chroot to the loop device mount point directory
747 781 rsync -a "$R/" "$BUILDDIR/mount/"
748 782
749 783 # Unmount all temporary loop devices and mount points
750 784 cleanup
751 785
752 786 # (optinal) create block map file for "bmaptool"
753 787 bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
754 788
755 789 # Image was successfully created
756 790 echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"
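Review bot: the new systemd-networkd block enables `systemd-networkd` but does nothing about DNS: the nameservers networkd learns via `DHCP=yes` are only published through `systemd-resolved`, which is not enabled anywhere in this change, and the resolvconf leftovers the cleanup section still deals with (`rm -f $R/etc/resolvconf/resolv.conf.d/original`) do not integrate with networkd, so a booted image gets an address but no working name resolution unless something else writes `/etc/resolv.conf`. Either enable `systemd-resolved` in the same block and link `/etc/resolv.conf` to its output, or state in the comment that the image expects the user to provide a resolver. Two smaller points in the same block: `sed -i "s/=yes/=v4/"` rewrites every `=yes` in the file rather than the `DHCP=` key, so it is cleaner to write `DHCP=v4` or `DHCP=yes` directly from the `ENABLE_IPV6` conditional; and the hint written into `/etc/network/interfaces` ("Debian switched to systemd-networkd configuration files") is misleading, since it is this image, not Debian, that replaces the ifupdown configuration, and the comment above it misspells "network".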