##// END OF EJS Templates
fix: confirm y/n installation of required packages
Jan Wagner -
r8:ba0ef8aae187
parent child
Show More
@@ -1,739 +1,762
1 #!/bin/sh
1 #!/bin/sh
2
2
3 ########################################################################
3 ########################################################################
4 # rpi2-gen-image.sh ver2a 12/2015
4 # rpi2-gen-image.sh ver2a 12/2015
5 #
5 #
6 # Advanced debian "jessie" bootstrap script for RPi2
6 # Advanced debian "jessie" bootstrap script for RPi2
7 #
7 #
8 # This program is free software; you can redistribute it and/or
8 # This program is free software; you can redistribute it and/or
9 # modify it under the terms of the GNU General Public License
9 # modify it under the terms of the GNU General Public License
10 # as published by the Free Software Foundation; either version 2
10 # as published by the Free Software Foundation; either version 2
11 # of the License, or (at your option) any later version.
11 # of the License, or (at your option) any later version.
12 #
12 #
13 # some parts based on rpi2-build-image:
13 # some parts based on rpi2-build-image:
14 # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
14 # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
15 # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
15 # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
16 ########################################################################
16 ########################################################################
17
17
18 cleanup (){
18 cleanup (){
19 set +x
19 set +x
20 set +e
20 set +e
21 echo "removing temporary mount points ..."
21 echo "removing temporary mount points ..."
22 umount -l $R/proc 2> /dev/null
22 umount -l $R/proc 2> /dev/null
23 umount -l $R/sys 2> /dev/null
23 umount -l $R/sys 2> /dev/null
24 umount -l $R/dev/pts 2> /dev/null
24 umount -l $R/dev/pts 2> /dev/null
25 umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
25 umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
26 umount "$BUILDDIR/mount" 2> /dev/null
26 umount "$BUILDDIR/mount" 2> /dev/null
27 losetup -d "$EXT4_LOOP" 2> /dev/null
27 losetup -d "$EXT4_LOOP" 2> /dev/null
28 losetup -d "$VFAT_LOOP" 2> /dev/null
28 losetup -d "$VFAT_LOOP" 2> /dev/null
29 trap - 0 1 2 3 6
29 trap - 0 1 2 3 6
30 }
30 }
31
31
32 set -e
32 set -e
33 set -x
33 set -x
34
34
35 RELEASE=${RELEASE:=jessie}
35 RELEASE=${RELEASE:=jessie}
36
36
37 # Build settings
37 # Build settings
38 BASEDIR=./images/${RELEASE}
38 BASEDIR=./images/${RELEASE}
39 BUILDDIR=${BASEDIR}/build
39 BUILDDIR=${BASEDIR}/build
40
40
41 # General settings
41 # General settings
42 HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
42 HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
43 PASSWORD=${PASSWORD:=raspberry}
43 PASSWORD=${PASSWORD:=raspberry}
44 DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
44 DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
45 TIMEZONE=${TIMEZONE:="Europe/Berlin"}
45 TIMEZONE=${TIMEZONE:="Europe/Berlin"}
46
46
47 # APT settings
47 # APT settings
48 APT_PROXY=${APT_PROXY:=""}
48 APT_PROXY=${APT_PROXY:=""}
49 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
49 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
50
50
51 # Feature settings
51 # Feature settings
52 ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
52 ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
53 ENABLE_IPV6=${ENABLE_IPV6:=true}
53 ENABLE_IPV6=${ENABLE_IPV6:=true}
54 ENABLE_SSHD=${ENABLE_SSHD:=true}
54 ENABLE_SSHD=${ENABLE_SSHD:=true}
55 ENABLE_SOUND=${ENABLE_SOUND:=true}
55 ENABLE_SOUND=${ENABLE_SOUND:=true}
56 ENABLE_SYSTEMD=${ENABLE_SYSTEMD:=true}
56 ENABLE_SYSTEMD=${ENABLE_SYSTEMD:=true}
57 ENABLE_DBUS=${ENABLE_DBUS:=true}
57 ENABLE_DBUS=${ENABLE_DBUS:=true}
58 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
58 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
59 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
59 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
60 ENABLE_XORG=${ENABLE_XORG:=false}
60 ENABLE_XORG=${ENABLE_XORG:=false}
61 ENABLE_FLUXBOX=${ENABLE_FLUXBOX:=false}
61 ENABLE_FLUXBOX=${ENABLE_FLUXBOX:=false}
62
62
63 # Advanced settings
63 # Advanced settings
64 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
64 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
65 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
65 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
66 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
66 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
67
67
68 # Image chroot path
68 # Image chroot path
69 R=${BUILDDIR}/chroot
69 R=${BUILDDIR}/chroot
70
70
71 # Packages required for bootstrapping
71 # Packages required for bootstrapping
72 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core"
72 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core"
73
73
74 # Missing packages that need to be installed
75 MISSING_PACKAGES=""
76
74 # Packages required in the chroot build enviroment
77 # Packages required in the chroot build enviroment
75 APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,locales,apt-utils,vim-tiny"
78 APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,locales,apt-utils,vim-tiny"
76
79
77 set +x
80 set +x
78
81
79 # Are we running as root?
82 # Are we running as root?
80 if [ "$(id -u)" -ne "0" ] ; then
83 if [ "$(id -u)" -ne "0" ] ; then
81 echo "this script must be executed with root privileges"
84 echo "this script must be executed with root privileges"
82 exit 1
85 exit 1
83 fi
86 fi
84
87
88 # Check if all required packages are installed
89 for package in $REQUIRED_PACKAGES ; do
90 if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
91 MISSING_PACKAGES="$MISSING_PACKAGES $package"
92 fi
93 done
94
95 # Ask if missing packages should get installed right now
96 if [ -n "$MISSING_PACKAGES" ] ; then
97 echo "the following packages needed by this script are not installed:"
98 echo "$MISSING_PACKAGES"
99
100 echo -n "\ndo you want to install the missing packages right now? [y/n] "
101 read confirm
102 if [ "$confirm" != "y" ] ; then
103 exit 1
104 fi
105 fi
106
107 # Make sure all required packages are installed
108 apt-get -qq -y install ${REQUIRED_PACKAGES}
109 exit
110
85 # Don't clobber an old build
111 # Don't clobber an old build
86 if [ -e "$BUILDDIR" ]; then
112 if [ -e "$BUILDDIR" ]; then
87 echo "directory $BUILDDIR already exists, not proceeding"
113 echo "directory $BUILDDIR already exists, not proceeding"
88 exit 1
114 exit 1
89 fi
115 fi
90
116
91 set -x
117 set -x
92
118
93 # Call "cleanup" function on various signals and errors
119 # Call "cleanup" function on various signals and errors
94 trap cleanup 0 1 2 3 6
120 trap cleanup 0 1 2 3 6
95
121
96 # Set up chroot directory
122 # Set up chroot directory
97 mkdir -p $R
123 mkdir -p $R
98
124
99 # Install dependencies
100 apt-get -q -y install ${REQUIRED_PACKAGES}
101
102 # Use traditional SystemV init instead of systemd services
125 # Use traditional SystemV init instead of systemd services
103 if [ "$ENABLE_SYSTEMD" = false ] ; then
126 if [ "$ENABLE_SYSTEMD" = false ] ; then
104 APT_INCLUDES="${APT_INCLUDES},sysvinit-core"
127 APT_INCLUDES="${APT_INCLUDES},sysvinit-core"
105 fi
128 fi
106
129
107 # Add dbus package, recommended if using systemd
130 # Add dbus package, recommended if using systemd
108 if [ "$ENABLE_DBUS" = true ] ; then
131 if [ "$ENABLE_DBUS" = true ] ; then
109 APT_INCLUDES="${APT_INCLUDES},dbus"
132 APT_INCLUDES="${APT_INCLUDES},dbus"
110 fi
133 fi
111
134
112 # Add openssh server package
135 # Add openssh server package
113 if [ "$ENABLE_SSHD" = true ] ; then
136 if [ "$ENABLE_SSHD" = true ] ; then
114 APT_INCLUDES="${APT_INCLUDES},openssh-server"
137 APT_INCLUDES="${APT_INCLUDES},openssh-server"
115 fi
138 fi
116
139
117 # Add rng-tools package
140 # Add rng-tools package
118 if [ "$ENABLE_HWRANDOM" = true ] ; then
141 if [ "$ENABLE_HWRANDOM" = true ] ; then
119 APT_INCLUDES="${APT_INCLUDES},rng-tools"
142 APT_INCLUDES="${APT_INCLUDES},rng-tools"
120 fi
143 fi
121
144
122 # Add xorg package
145 # Add xorg package
123 if [ "$ENABLE_XORG" = true ] ; then
146 if [ "$ENABLE_XORG" = true ] ; then
124 APT_INCLUDES="${APT_INCLUDES},xorg"
147 APT_INCLUDES="${APT_INCLUDES},xorg"
125 fi
148 fi
126
149
127 # Add fluxbox package with eterm
150 # Add fluxbox package with eterm
128 if [ "$ENABLE_FLUXBOX" = true ] ; then
151 if [ "$ENABLE_FLUXBOX" = true ] ; then
129 APT_INCLUDES="${APT_INCLUDES},fluxbox,eterm"
152 APT_INCLUDES="${APT_INCLUDES},fluxbox,eterm"
130 fi
153 fi
131
154
132 if [ -z "$APT_PROXY" ] ; then
155 if [ -z "$APT_PROXY" ] ; then
133 APT_PROXY="http://"
156 APT_PROXY="http://"
134 fi
157 fi
135
158
136 # Base debootstrap (unpack only)
159 # Base debootstrap (unpack only)
137 debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian
160 debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian
138 cp /usr/bin/qemu-arm-static $R/usr/bin
161 cp /usr/bin/qemu-arm-static $R/usr/bin
139
162
140 # Remove systemd related packages from list of packages to be bootstrapped
163 # Remove systemd related packages from list of packages to be bootstrapped
141 if [ "$ENABLE_SYSTEMD" = false ] ; then
164 if [ "$ENABLE_SYSTEMD" = false ] ; then
142 chroot $R sed -i -e 's/systemd systemd-sysv //g' /debootstrap/required
165 chroot $R sed -i -e 's/systemd systemd-sysv //g' /debootstrap/required
143 fi
166 fi
144
167
145 # Copy debian-archive-keyring.pgp
168 # Copy debian-archive-keyring.pgp
146 chroot $R mkdir -p /usr/share/keyrings
169 chroot $R mkdir -p /usr/share/keyrings
147 cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
170 cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
148
171
149 # Complete the bootstrapping proccess
172 # Complete the bootstrapping proccess
150 chroot $R /debootstrap/debootstrap --second-stage
173 chroot $R /debootstrap/debootstrap --second-stage
151
174
152 # Mount required filesystems
175 # Mount required filesystems
153 mount -t proc none $R/proc
176 mount -t proc none $R/proc
154 mount -t sysfs none $R/sys
177 mount -t sysfs none $R/sys
155 mount --bind /dev/pts $R/dev/pts
178 mount --bind /dev/pts $R/dev/pts
156
179
157 # Set up initial sources.list
180 # Set up initial sources.list
158 cat <<EOM >$R/etc/apt/sources.list
181 cat <<EOM >$R/etc/apt/sources.list
159 deb http://${APT_SERVER}/debian ${RELEASE} main contrib
182 deb http://${APT_SERVER}/debian ${RELEASE} main contrib
160 #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib
183 #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib
161
184
162 deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
185 deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
163 #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
186 #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
164
187
165 deb http://security.debian.org/ ${RELEASE}/updates main contrib
188 deb http://security.debian.org/ ${RELEASE}/updates main contrib
166 #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib
189 #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib
167
190
168 deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
191 deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
169 EOM
192 EOM
170
193
171 # Pin package flash-kernel to repositories.collabora.co.uk
194 # Pin package flash-kernel to repositories.collabora.co.uk
172 cat <<EOM >$R/etc/apt/preferences.d/flash-kernel
195 cat <<EOM >$R/etc/apt/preferences.d/flash-kernel
173 Package: flash-kernel
196 Package: flash-kernel
174 Pin: origin repositories.collabora.co.uk
197 Pin: origin repositories.collabora.co.uk
175 Pin-Priority: 1000
198 Pin-Priority: 1000
176 EOM
199 EOM
177
200
178 # Set up timezone
201 # Set up timezone
179 echo ${TIMEZONE} >$R/etc/timezone
202 echo ${TIMEZONE} >$R/etc/timezone
180 LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata
203 LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata
181
204
182 # Set up default locales to "en_US.UTF-8" default
205 # Set up default locales to "en_US.UTF-8" default
183 LANG=C chroot $R sed -i '/${DEFLOCAL}/s/^#//' /etc/locale.gen
206 LANG=C chroot $R sed -i '/${DEFLOCAL}/s/^#//' /etc/locale.gen
184 LANG=C chroot $R locale-gen ${DEFLOCAL}
207 LANG=C chroot $R locale-gen ${DEFLOCAL}
185
208
186 # Fetch APT public key "Collabora Raspbian Archive Signing Key <daniels@collabora.com>"
209 # Fetch APT public key "Collabora Raspbian Archive Signing Key <daniels@collabora.com>"
187 LANG=C chroot $R apt-key adv --keyserver hkp://pool.sks-keyservers.net --recv-keys ED4BF9140C50B1C5
210 LANG=C chroot $R apt-key adv --keyserver hkp://pool.sks-keyservers.net --recv-keys ED4BF9140C50B1C5
188
211
189 # Upgrade package index and update all installed packages and changed dependencies
212 # Upgrade package index and update all installed packages and changed dependencies
190 LANG=C chroot $R apt-get -q -y update
213 LANG=C chroot $R apt-get -q -y update
191 LANG=C chroot $R apt-get -q -y -u dist-upgrade
214 LANG=C chroot $R apt-get -q -y -u dist-upgrade
192
215
193 # Kernel installation
216 # Kernel installation
194 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
217 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
195
218
196 LANG=C chroot $R apt-get -q -y --force-yes --no-install-recommends install linux-image-3.18.0-trunk-rpi2
219 LANG=C chroot $R apt-get -q -y --force-yes --no-install-recommends install linux-image-3.18.0-trunk-rpi2
197 LANG=C chroot $R apt-get -q -y --force-yes install flash-kernel
220 LANG=C chroot $R apt-get -q -y --force-yes install flash-kernel
198
221
199 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
222 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
200 [ -z "$VMLINUZ" ] && exit 1
223 [ -z "$VMLINUZ" ] && exit 1
201 mkdir -p $R/boot/firmware
224 mkdir -p $R/boot/firmware
202
225
203 # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")
226 # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")
204 wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin
227 wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin
205 wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat
228 wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat
206 wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat
229 wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat
207 wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat
230 wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat
208 wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf
231 wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf
209 wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf
232 wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf
210 wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf
233 wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf
211 cp $VMLINUZ $R/boot/firmware/kernel7.img
234 cp $VMLINUZ $R/boot/firmware/kernel7.img
212
235
213 # Set up hosts
236 # Set up hosts
214 echo ${HOSTNAME} >$R/etc/hostname
237 echo ${HOSTNAME} >$R/etc/hostname
215 cat <<EOM >$R/etc/hosts
238 cat <<EOM >$R/etc/hosts
216 127.0.0.1 localhost
239 127.0.0.1 localhost
217 127.0.1.1 ${HOSTNAME}
240 127.0.1.1 ${HOSTNAME}
218 EOM
241 EOM
219
242
220 if [ "$ENABLE_IPV6" = true ] ; then
243 if [ "$ENABLE_IPV6" = true ] ; then
221 cat <<EOM >>$R/etc/hosts
244 cat <<EOM >>$R/etc/hosts
222
245
223 ::1 localhost ip6-localhost ip6-loopback
246 ::1 localhost ip6-localhost ip6-loopback
224 ff02::1 ip6-allnodes
247 ff02::1 ip6-allnodes
225 ff02::2 ip6-allrouters
248 ff02::2 ip6-allrouters
226 EOM
249 EOM
227 fi
250 fi
228
251
229 # Generate crypt(3) password string
252 # Generate crypt(3) password string
230 ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
253 ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
231
254
232 # Set up default user
255 # Set up default user
233 LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi
256 LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi
234 LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
257 LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
235
258
236 # Set up root password
259 # Set up root password
237 LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root
260 LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root
238
261
239
262
240 # Set up interfaces
263 # Set up interfaces
241 cat <<EOM >$R/etc/network/interfaces
264 cat <<EOM >$R/etc/network/interfaces
242 # interfaces(5) file used by ifup(8) and ifdown(8)
265 # interfaces(5) file used by ifup(8) and ifdown(8)
243 # Include files from /etc/network/interfaces.d:
266 # Include files from /etc/network/interfaces.d:
244 source-directory /etc/network/interfaces.d
267 source-directory /etc/network/interfaces.d
245
268
246 # The loopback network interface
269 # The loopback network interface
247 auto lo
270 auto lo
248 iface lo inet loopback
271 iface lo inet loopback
249
272
250 # The primary network interface
273 # The primary network interface
251 allow-hotplug eth0
274 allow-hotplug eth0
252 iface eth0 inet dhcp
275 iface eth0 inet dhcp
253 EOM
276 EOM
254
277
255 # Set up firmware boot cmdline
278 # Set up firmware boot cmdline
256 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
279 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
257
280
258 # Set up serial console support (if requested)
281 # Set up serial console support (if requested)
259 if [ "$ENABLE_CONSOLE" = true ] ; then
282 if [ "$ENABLE_CONSOLE" = true ] ; then
260 CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
283 CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
261 fi
284 fi
262
285
263 # Set up ipv6 support (if requested)
286 # Set up ipv6 support (if requested)
264 if [ "$ENABLE_IPV6" = false ] ; then
287 if [ "$ENABLE_IPV6" = false ] ; then
265 CMDLINE="${CMDLINE} ipv6.disable=1"
288 CMDLINE="${CMDLINE} ipv6.disable=1"
266 fi
289 fi
267
290
268 echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
291 echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
269
292
270 # Set up firmware config
293 # Set up firmware config
271 cat <<EOM >$R/boot/firmware/config.txt
294 cat <<EOM >$R/boot/firmware/config.txt
272 # For more options and information see
295 # For more options and information see
273 # http://www.raspberrypi.org/documentation/configuration/config-txt.md
296 # http://www.raspberrypi.org/documentation/configuration/config-txt.md
274 # Some settings may impact device functionality. See link above for details
297 # Some settings may impact device functionality. See link above for details
275
298
276 # uncomment if you get no picture on HDMI for a default "safe" mode
299 # uncomment if you get no picture on HDMI for a default "safe" mode
277 #hdmi_safe=1
300 #hdmi_safe=1
278
301
279 # uncomment this if your display has a black border of unused pixels visible
302 # uncomment this if your display has a black border of unused pixels visible
280 # and your display can output without overscan
303 # and your display can output without overscan
281 #disable_overscan=1
304 #disable_overscan=1
282
305
283 # uncomment the following to adjust overscan. Use positive numbers if console
306 # uncomment the following to adjust overscan. Use positive numbers if console
284 # goes off screen, and negative if there is too much border
307 # goes off screen, and negative if there is too much border
285 #overscan_left=16
308 #overscan_left=16
286 #overscan_right=16
309 #overscan_right=16
287 #overscan_top=16
310 #overscan_top=16
288 #overscan_bottom=16
311 #overscan_bottom=16
289
312
290 # uncomment to force a console size. By default it will be display's size minus
313 # uncomment to force a console size. By default it will be display's size minus
291 # overscan.
314 # overscan.
292 #framebuffer_width=1280
315 #framebuffer_width=1280
293 #framebuffer_height=720
316 #framebuffer_height=720
294
317
295 # uncomment if hdmi display is not detected and composite is being output
318 # uncomment if hdmi display is not detected and composite is being output
296 #hdmi_force_hotplug=1
319 #hdmi_force_hotplug=1
297
320
298 # uncomment to force a specific HDMI mode (this will force VGA)
321 # uncomment to force a specific HDMI mode (this will force VGA)
299 #hdmi_group=1
322 #hdmi_group=1
300 #hdmi_mode=1
323 #hdmi_mode=1
301
324
302 # uncomment to force a HDMI mode rather than DVI. This can make audio work in
325 # uncomment to force a HDMI mode rather than DVI. This can make audio work in
303 # DMT (computer monitor) modes
326 # DMT (computer monitor) modes
304 #hdmi_drive=2
327 #hdmi_drive=2
305
328
306 # uncomment to increase signal to HDMI, if you have interference, blanking, or
329 # uncomment to increase signal to HDMI, if you have interference, blanking, or
307 # no display
330 # no display
308 #config_hdmi_boost=4
331 #config_hdmi_boost=4
309
332
310 # uncomment for composite PAL
333 # uncomment for composite PAL
311 #sdtv_mode=2
334 #sdtv_mode=2
312
335
313 # uncomment to overclock the arm. 700 MHz is the default.
336 # uncomment to overclock the arm. 700 MHz is the default.
314 #arm_freq=800
337 #arm_freq=800
315 EOM
338 EOM
316
339
317 # Set smallest possible GPU memory allocation size: 16MB (no X)
340 # Set smallest possible GPU memory allocation size: 16MB (no X)
318 if [ "$ENABLE_MINGPU" = true ] ; then
341 if [ "$ENABLE_MINGPU" = true ] ; then
319 echo "gpu_mem=16" >>$R/boot/firmware/config.txt
342 echo "gpu_mem=16" >>$R/boot/firmware/config.txt
320 fi
343 fi
321
344
322 # Create symlinks
345 # Create symlinks
323 ln -sf firmware/config.txt $R/boot/config.txt
346 ln -sf firmware/config.txt $R/boot/config.txt
324 ln -sf firmware/cmdline.txt $R/boot/cmdline.txt
347 ln -sf firmware/cmdline.txt $R/boot/cmdline.txt
325
348
326 # Prepare modules-load.d directory
349 # Prepare modules-load.d directory
327 mkdir -p $R/lib/modules-load.d/
350 mkdir -p $R/lib/modules-load.d/
328
351
329 # Load random module on boot
352 # Load random module on boot
330 if [ "$ENABLE_HWRANDOM" = true ] ; then
353 if [ "$ENABLE_HWRANDOM" = true ] ; then
331 cat <<EOM >$R/lib/modules-load.d/rpi2.conf
354 cat <<EOM >$R/lib/modules-load.d/rpi2.conf
332 bcm2708_rng
355 bcm2708_rng
333 EOM
356 EOM
334 fi
357 fi
335
358
336 # Prepare modprobe.d directory
359 # Prepare modprobe.d directory
337 mkdir -p $R/etc/modprobe.d/
360 mkdir -p $R/etc/modprobe.d/
338
361
339 # Blacklist sound modules
362 # Blacklist sound modules
340 cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf
363 cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf
341 blacklist snd_soc_core
364 blacklist snd_soc_core
342 blacklist snd_pcm
365 blacklist snd_pcm
343 blacklist snd_pcm_dmaengine
366 blacklist snd_pcm_dmaengine
344 blacklist snd_timer
367 blacklist snd_timer
345 blacklist snd_compress
368 blacklist snd_compress
346 blacklist snd_soc_pcm512x_i2c
369 blacklist snd_soc_pcm512x_i2c
347 blacklist snd_soc_pcm512x
370 blacklist snd_soc_pcm512x
348 blacklist snd_soc_tas5713
371 blacklist snd_soc_tas5713
349 blacklist snd_soc_wm8804
372 blacklist snd_soc_wm8804
350 EOM
373 EOM
351
374
352 # Create default fstab
375 # Create default fstab
353 cat <<EOM >$R/etc/fstab
376 cat <<EOM >$R/etc/fstab
354 /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
377 /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
355 /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
378 /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
356 EOM
379 EOM
357
380
358 # Avoid swapping and increase cache sizes
381 # Avoid swapping and increase cache sizes
359 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
382 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
360
383
361 # Avoid swapping and increase cache sizes
384 # Avoid swapping and increase cache sizes
362 vm.swappiness=1
385 vm.swappiness=1
363 vm.dirty_background_ratio=20
386 vm.dirty_background_ratio=20
364 vm.dirty_ratio=40
387 vm.dirty_ratio=40
365 vm.dirty_writeback_centisecs=500
388 vm.dirty_writeback_centisecs=500
366 vm.dirty_expire_centisecs=6000
389 vm.dirty_expire_centisecs=6000
367 EOM
390 EOM
368
391
369 # Enable network stack hardening
392 # Enable network stack hardening
370 if [ "$ENABLE_HARDNET" = true ] ; then
393 if [ "$ENABLE_HARDNET" = true ] ; then
371 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
394 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
372
395
373 # Enable network stack hardening
396 # Enable network stack hardening
374 net.ipv4.tcp_timestamps=0
397 net.ipv4.tcp_timestamps=0
375 net.ipv4.tcp_syncookies=1
398 net.ipv4.tcp_syncookies=1
376 net.ipv4.conf.all.rp_filter=1
399 net.ipv4.conf.all.rp_filter=1
377 net.ipv4.conf.all.accept_redirects=0
400 net.ipv4.conf.all.accept_redirects=0
378 net.ipv4.conf.all.send_redirects=0
401 net.ipv4.conf.all.send_redirects=0
379 net.ipv4.conf.all.accept_source_route=0
402 net.ipv4.conf.all.accept_source_route=0
380 net.ipv4.conf.default.rp_filter=1
403 net.ipv4.conf.default.rp_filter=1
381 net.ipv4.conf.default.accept_redirects=0
404 net.ipv4.conf.default.accept_redirects=0
382 net.ipv4.conf.default.send_redirects=0
405 net.ipv4.conf.default.send_redirects=0
383 net.ipv4.conf.default.accept_source_route=0
406 net.ipv4.conf.default.accept_source_route=0
384 net.ipv4.conf.lo.accept_redirects=0
407 net.ipv4.conf.lo.accept_redirects=0
385 net.ipv4.conf.lo.send_redirects=0
408 net.ipv4.conf.lo.send_redirects=0
386 net.ipv4.conf.lo.accept_source_route=0
409 net.ipv4.conf.lo.accept_source_route=0
387 net.ipv4.conf.eth0.accept_redirects=0
410 net.ipv4.conf.eth0.accept_redirects=0
388 net.ipv4.conf.eth0.send_redirects=0
411 net.ipv4.conf.eth0.send_redirects=0
389 net.ipv4.conf.eth0.accept_source_route=0
412 net.ipv4.conf.eth0.accept_source_route=0
390 net.ipv4.icmp_echo_ignore_broadcasts=1
413 net.ipv4.icmp_echo_ignore_broadcasts=1
391 net.ipv4.icmp_ignore_bogus_error_responses=1
414 net.ipv4.icmp_ignore_bogus_error_responses=1
392
415
393 net.ipv6.conf.all.accept_redirects=0
416 net.ipv6.conf.all.accept_redirects=0
394 net.ipv6.conf.all.accept_source_route=0
417 net.ipv6.conf.all.accept_source_route=0
395 net.ipv6.conf.all.router_solicitations=0
418 net.ipv6.conf.all.router_solicitations=0
396 net.ipv6.conf.all.accept_ra_rtr_pref=0
419 net.ipv6.conf.all.accept_ra_rtr_pref=0
397 net.ipv6.conf.all.accept_ra_pinfo=0
420 net.ipv6.conf.all.accept_ra_pinfo=0
398 net.ipv6.conf.all.accept_ra_defrtr=0
421 net.ipv6.conf.all.accept_ra_defrtr=0
399 net.ipv6.conf.all.autoconf=0
422 net.ipv6.conf.all.autoconf=0
400 net.ipv6.conf.all.dad_transmits=0
423 net.ipv6.conf.all.dad_transmits=0
401 net.ipv6.conf.all.max_addresses=1
424 net.ipv6.conf.all.max_addresses=1
402
425
403 net.ipv6.conf.default.accept_redirects=0
426 net.ipv6.conf.default.accept_redirects=0
404 net.ipv6.conf.default.accept_source_route=0
427 net.ipv6.conf.default.accept_source_route=0
405 net.ipv6.conf.default.router_solicitations=0
428 net.ipv6.conf.default.router_solicitations=0
406 net.ipv6.conf.default.accept_ra_rtr_pref=0
429 net.ipv6.conf.default.accept_ra_rtr_pref=0
407 net.ipv6.conf.default.accept_ra_pinfo=0
430 net.ipv6.conf.default.accept_ra_pinfo=0
408 net.ipv6.conf.default.accept_ra_defrtr=0
431 net.ipv6.conf.default.accept_ra_defrtr=0
409 net.ipv6.conf.default.autoconf=0
432 net.ipv6.conf.default.autoconf=0
410 net.ipv6.conf.default.dad_transmits=0
433 net.ipv6.conf.default.dad_transmits=0
411 net.ipv6.conf.default.max_addresses=1
434 net.ipv6.conf.default.max_addresses=1
412
435
413 net.ipv6.conf.lo.accept_redirects=0
436 net.ipv6.conf.lo.accept_redirects=0
414 net.ipv6.conf.lo.accept_source_route=0
437 net.ipv6.conf.lo.accept_source_route=0
415 net.ipv6.conf.lo.router_solicitations=0
438 net.ipv6.conf.lo.router_solicitations=0
416 net.ipv6.conf.lo.accept_ra_rtr_pref=0
439 net.ipv6.conf.lo.accept_ra_rtr_pref=0
417 net.ipv6.conf.lo.accept_ra_pinfo=0
440 net.ipv6.conf.lo.accept_ra_pinfo=0
418 net.ipv6.conf.lo.accept_ra_defrtr=0
441 net.ipv6.conf.lo.accept_ra_defrtr=0
419 net.ipv6.conf.lo.autoconf=0
442 net.ipv6.conf.lo.autoconf=0
420 net.ipv6.conf.lo.dad_transmits=0
443 net.ipv6.conf.lo.dad_transmits=0
421 net.ipv6.conf.lo.max_addresses=1
444 net.ipv6.conf.lo.max_addresses=1
422
445
423 net.ipv6.conf.eth0.accept_redirects=0
446 net.ipv6.conf.eth0.accept_redirects=0
424 net.ipv6.conf.eth0.accept_source_route=0
447 net.ipv6.conf.eth0.accept_source_route=0
425 net.ipv6.conf.eth0.router_solicitations=0
448 net.ipv6.conf.eth0.router_solicitations=0
426 net.ipv6.conf.eth0.accept_ra_rtr_pref=0
449 net.ipv6.conf.eth0.accept_ra_rtr_pref=0
427 net.ipv6.conf.eth0.accept_ra_pinfo=0
450 net.ipv6.conf.eth0.accept_ra_pinfo=0
428 net.ipv6.conf.eth0.accept_ra_defrtr=0
451 net.ipv6.conf.eth0.accept_ra_defrtr=0
429 net.ipv6.conf.eth0.autoconf=0
452 net.ipv6.conf.eth0.autoconf=0
430 net.ipv6.conf.eth0.dad_transmits=0
453 net.ipv6.conf.eth0.dad_transmits=0
431 net.ipv6.conf.eth0.max_addresses=1
454 net.ipv6.conf.eth0.max_addresses=1
432 EOM
455 EOM
433
456
434 # Enable resolver warnings about spoofed addresses
457 # Enable resolver warnings about spoofed addresses
435 cat <<EOM >>$R/etc/host.conf
458 cat <<EOM >>$R/etc/host.conf
436 spoof warn
459 spoof warn
437 EOM
460 EOM
438 fi
461 fi
439
462
440 # Regenerate openssh server host keys
463 # Regenerate openssh server host keys
441 if [ "$ENABLE_SSHD" = true ] ; then
464 if [ "$ENABLE_SSHD" = true ] ; then
442 rm -fr $R/etc/ssh/ssh_host_*
465 rm -fr $R/etc/ssh/ssh_host_*
443 LANG=C chroot $R dpkg-reconfigure openssh-server
466 LANG=C chroot $R dpkg-reconfigure openssh-server
444 fi
467 fi
445
468
446 # Enable serial console systemd style
469 # Enable serial console systemd style
447 if [ "$ENABLE_CONSOLE" = true ] ; then
470 if [ "$ENABLE_CONSOLE" = true ] ; then
448 LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service
471 LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service
449 fi
472 fi
450
473
451 # Enable firewall based on iptables started by systemd service
474 # Enable firewall based on iptables started by systemd service
452 if [ "$ENABLE_IPTABLES" = true ] ; then
475 if [ "$ENABLE_IPTABLES" = true ] ; then
453 # Create iptables configuration directory
476 # Create iptables configuration directory
454 mkdir -p "$R/etc/iptables"
477 mkdir -p "$R/etc/iptables"
455
478
456 # Create iptables systemd service
479 # Create iptables systemd service
457 cat <<EOM >$R/etc/systemd/system/iptables.service
480 cat <<EOM >$R/etc/systemd/system/iptables.service
458 [Unit]
481 [Unit]
459 Description=Packet Filtering Framework
482 Description=Packet Filtering Framework
460 DefaultDependencies=no
483 DefaultDependencies=no
461 After=systemd-sysctl.service
484 After=systemd-sysctl.service
462 Before=sysinit.target
485 Before=sysinit.target
463 [Service]
486 [Service]
464 Type=oneshot
487 Type=oneshot
465 ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
488 ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
466 ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
489 ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
467 ExecStop=/etc/iptables/flush-iptables.sh
490 ExecStop=/etc/iptables/flush-iptables.sh
468 RemainAfterExit=yes
491 RemainAfterExit=yes
469 [Install]
492 [Install]
470 WantedBy=multi-user.target
493 WantedBy=multi-user.target
471 EOM
494 EOM
472
495
473 # Create flush-table script called by iptables service
496 # Create flush-table script called by iptables service
474 cat <<EOM >$R/etc/iptables/flush-iptables.sh
497 cat <<EOM >$R/etc/iptables/flush-iptables.sh
475 #!/bin/sh
498 #!/bin/sh
476 iptables -F
499 iptables -F
477 iptables -X
500 iptables -X
478 iptables -t nat -F
501 iptables -t nat -F
479 iptables -t nat -X
502 iptables -t nat -X
480 iptables -t mangle -F
503 iptables -t mangle -F
481 iptables -t mangle -X
504 iptables -t mangle -X
482 iptables -P INPUT ACCEPT
505 iptables -P INPUT ACCEPT
483 iptables -P FORWARD ACCEPT
506 iptables -P FORWARD ACCEPT
484 iptables -P OUTPUT ACCEPT
507 iptables -P OUTPUT ACCEPT
485 EOM
508 EOM
486
509
487 # Create iptables rule file
510 # Create iptables rule file
488 cat <<EOM >$R/etc/iptables/iptables.rules
511 cat <<EOM >$R/etc/iptables/iptables.rules
489 *filter
512 *filter
490 :INPUT DROP [0:0]
513 :INPUT DROP [0:0]
491 :FORWARD DROP [0:0]
514 :FORWARD DROP [0:0]
492 :OUTPUT ACCEPT [0:0]
515 :OUTPUT ACCEPT [0:0]
493 :TCP - [0:0]
516 :TCP - [0:0]
494 :UDP - [0:0]
517 :UDP - [0:0]
495 :SSH - [0:0]
518 :SSH - [0:0]
496
519
497 # Rate limit ping requests
520 # Rate limit ping requests
498 -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
521 -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
499 -A INPUT -p icmp --icmp-type echo-request -j DROP
522 -A INPUT -p icmp --icmp-type echo-request -j DROP
500
523
501 # Accept established connections
524 # Accept established connections
502 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
525 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
503
526
504 # Accept all traffic on loopback interface
527 # Accept all traffic on loopback interface
505 -A INPUT -i lo -j ACCEPT
528 -A INPUT -i lo -j ACCEPT
506
529
507 # Drop packets declared invalid
530 # Drop packets declared invalid
508 -A INPUT -m conntrack --ctstate INVALID -j DROP
531 -A INPUT -m conntrack --ctstate INVALID -j DROP
509
532
510 # SSH rate limiting
533 # SSH rate limiting
511 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
534 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
512 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
535 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
513 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
536 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
514 -A SSH -m recent --name sshbf --set -j ACCEPT
537 -A SSH -m recent --name sshbf --set -j ACCEPT
515
538
516 # Send TCP and UDP connections to their respective rules chain
539 # Send TCP and UDP connections to their respective rules chain
517 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
540 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
518 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
541 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
519
542
520 # Reject dropped packets with a RFC compliant responce
543 # Reject dropped packets with a RFC compliant responce
521 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
544 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
522 -A INPUT -p tcp -j REJECT --reject-with tcp-rst
545 -A INPUT -p tcp -j REJECT --reject-with tcp-rst
523 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
546 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
524
547
525 ## TCP PORT RULES
548 ## TCP PORT RULES
526 # -A TCP -p tcp -j LOG
549 # -A TCP -p tcp -j LOG
527
550
528 ## UDP PORT RULES
551 ## UDP PORT RULES
529 # -A UDP -p udp -j LOG
552 # -A UDP -p udp -j LOG
530
553
531 COMMIT
554 COMMIT
532 EOM
555 EOM
533
556
534 # Reload systemd configuration and enable iptables service
557 # Reload systemd configuration and enable iptables service
535 LANG=C chroot $R systemctl daemon-reload
558 LANG=C chroot $R systemctl daemon-reload
536 LANG=C chroot $R systemctl enable iptables.service
559 LANG=C chroot $R systemctl enable iptables.service
537
560
538 if [ "$ENABLE_IPV6" = true ] ; then
561 if [ "$ENABLE_IPV6" = true ] ; then
539 # Create ip6tables systemd service
562 # Create ip6tables systemd service
540 cat <<EOM >$R/etc/systemd/system/ip6tables.service
563 cat <<EOM >$R/etc/systemd/system/ip6tables.service
541 [Unit]
564 [Unit]
542 Description=Packet Filtering Framework
565 Description=Packet Filtering Framework
543 DefaultDependencies=no
566 DefaultDependencies=no
544 After=systemd-sysctl.service
567 After=systemd-sysctl.service
545 Before=sysinit.target
568 Before=sysinit.target
546 [Service]
569 [Service]
547 Type=oneshot
570 Type=oneshot
548 ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
571 ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
549 ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
572 ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
550 ExecStop=/etc/iptables/flush-ip6tables.sh
573 ExecStop=/etc/iptables/flush-ip6tables.sh
551 RemainAfterExit=yes
574 RemainAfterExit=yes
552 [Install]
575 [Install]
553 WantedBy=multi-user.target
576 WantedBy=multi-user.target
554 EOM
577 EOM
555
578
556 # Create ip6tables file
579 # Create ip6tables file
557 cat <<EOM >$R/etc/iptables/flush-ip6tables.sh
580 cat <<EOM >$R/etc/iptables/flush-ip6tables.sh
558 #!/bin/sh
581 #!/bin/sh
559 ip6tables -F
582 ip6tables -F
560 ip6tables -X
583 ip6tables -X
561 ip6tables -Z
584 ip6tables -Z
562 for table in $(</proc/net/ip6_tables_names)
585 for table in $(</proc/net/ip6_tables_names)
563 do
586 do
564 ip6tables -t \$table -F
587 ip6tables -t \$table -F
565 ip6tables -t \$table -X
588 ip6tables -t \$table -X
566 ip6tables -t \$table -Z
589 ip6tables -t \$table -Z
567 done
590 done
568 ip6tables -P INPUT ACCEPT
591 ip6tables -P INPUT ACCEPT
569 ip6tables -P OUTPUT ACCEPT
592 ip6tables -P OUTPUT ACCEPT
570 ip6tables -P FORWARD ACCEPT
593 ip6tables -P FORWARD ACCEPT
571 EOM
594 EOM
572
595
573 # Create ip6tables rule file
596 # Create ip6tables rule file
574 cat <<EOM >$R/etc/iptables/ip6tables.rules
597 cat <<EOM >$R/etc/iptables/ip6tables.rules
575 *filter
598 *filter
576 :INPUT DROP [0:0]
599 :INPUT DROP [0:0]
577 :FORWARD DROP [0:0]
600 :FORWARD DROP [0:0]
578 :OUTPUT ACCEPT [0:0]
601 :OUTPUT ACCEPT [0:0]
579 :TCP - [0:0]
602 :TCP - [0:0]
580 :UDP - [0:0]
603 :UDP - [0:0]
581 :SSH - [0:0]
604 :SSH - [0:0]
582
605
583 # Drop packets with RH0 headers
606 # Drop packets with RH0 headers
584 -A INPUT -m rt --rt-type 0 -j DROP
607 -A INPUT -m rt --rt-type 0 -j DROP
585 -A OUTPUT -m rt --rt-type 0 -j DROP
608 -A OUTPUT -m rt --rt-type 0 -j DROP
586 -A FORWARD -m rt --rt-type 0 -j DROP
609 -A FORWARD -m rt --rt-type 0 -j DROP
587
610
588 # Rate limit ping requests
611 # Rate limit ping requests
589 -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
612 -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
590 -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
613 -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
591
614
592 # Accept established connections
615 # Accept established connections
593 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
616 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
594
617
595 # Accept all traffic on loopback interface
618 # Accept all traffic on loopback interface
596 -A INPUT -i lo -j ACCEPT
619 -A INPUT -i lo -j ACCEPT
597
620
598 # Drop packets declared invalid
621 # Drop packets declared invalid
599 -A INPUT -m conntrack --ctstate INVALID -j DROP
622 -A INPUT -m conntrack --ctstate INVALID -j DROP
600
623
601 # SSH rate limiting
624 # SSH rate limiting
602 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
625 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
603 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
626 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
604 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
627 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
605 -A SSH -m recent --name sshbf --set -j ACCEPT
628 -A SSH -m recent --name sshbf --set -j ACCEPT
606
629
607 # Send TCP and UDP connections to their respective rules chain
630 # Send TCP and UDP connections to their respective rules chain
608 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
631 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
609 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
632 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
610
633
611 # Reject dropped packets with a RFC compliant responce
634 # Reject dropped packets with a RFC compliant responce
612 -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
635 -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
613 -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
636 -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
614 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
637 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
615
638
616 ## TCP PORT RULES
639 ## TCP PORT RULES
617 # -A TCP -p tcp -j LOG
640 # -A TCP -p tcp -j LOG
618
641
619 ## UDP PORT RULES
642 ## UDP PORT RULES
620 # -A UDP -p udp -j LOG
643 # -A UDP -p udp -j LOG
621
644
622 COMMIT
645 COMMIT
623 EOM
646 EOM
624
647
625 # Reload systemd configuration and enable iptables service
648 # Reload systemd configuration and enable iptables service
626 LANG=C chroot $R systemctl daemon-reload
649 LANG=C chroot $R systemctl daemon-reload
627 LANG=C chroot $R systemctl enable ip6tables.service
650 LANG=C chroot $R systemctl enable ip6tables.service
628
651
629 fi
652 fi
630 fi
653 fi
631
654
632 if [ "$ENABLE_UBOOT" = true ] ; then
655 if [ "$ENABLE_UBOOT" = true ] ; then
633 # Fetch u-boot github
656 # Fetch u-boot github
634 git -C $R/tmp clone git://git.denx.de/u-boot.git
657 git -C $R/tmp clone git://git.denx.de/u-boot.git
635
658
636 # Install minimal gcc/g++ build environment and build u-boot inside chroot
659 # Install minimal gcc/g++ build environment and build u-boot inside chroot
637 LANG=C chroot $R apt-get install -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
660 LANG=C chroot $R apt-get install -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
638 LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all
661 LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all
639
662
640 # Copy compiled bootloader binary and set config.txt to load it
663 # Copy compiled bootloader binary and set config.txt to load it
641 cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
664 cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
642 printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
665 printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
643
666
644 # Set u-boot command file
667 # Set u-boot command file
645 cat <<EOM >$R/boot/firmware/uboot.mkimage
668 cat <<EOM >$R/boot/firmware/uboot.mkimage
646 # Tell Linux that it is booting on a Raspberry Pi2
669 # Tell Linux that it is booting on a Raspberry Pi2
647 setenv machid 0x00000c42
670 setenv machid 0x00000c42
648
671
649 # Set the kernel boot command line
672 # Set the kernel boot command line
650 setenv bootargs "earlyprintk ${CMDLINE}"
673 setenv bootargs "earlyprintk ${CMDLINE}"
651
674
652 # Save these changes to u-boot's environment
675 # Save these changes to u-boot's environment
653 saveenv
676 saveenv
654
677
655 # Load the existing Linux kernel into RAM
678 # Load the existing Linux kernel into RAM
656 fatload mmc 0:1 \${kernel_addr_r} kernel7.img
679 fatload mmc 0:1 \${kernel_addr_r} kernel7.img
657
680
658 # Boot the kernel we have just loaded
681 # Boot the kernel we have just loaded
659 bootz \${kernel_addr_r}
682 bootz \${kernel_addr_r}
660 EOM
683 EOM
661
684
662 # Generate u-boot image from command file
685 # Generate u-boot image from command file
663 LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
686 LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
664
687
665 # Remove gcc/c++ build enviroment
688 # Remove gcc/c++ build enviroment
666 LANG=C chroot $R apt-get purge -y bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
689 LANG=C chroot $R apt-get purge -y bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
667 fi
690 fi
668
691
669 # Clean cached downloads
692 # Clean cached downloads
670 LANG=C chroot $R apt-get -y clean
693 LANG=C chroot $R apt-get -y clean
671 LANG=C chroot $R apt-get -y autoclean
694 LANG=C chroot $R apt-get -y autoclean
672 LANG=C chroot $R apt-get -y autoremove
695 LANG=C chroot $R apt-get -y autoremove
673
696
674 # Unmount mounted filesystems
697 # Unmount mounted filesystems
675 umount -l $R/proc
698 umount -l $R/proc
676 umount -l $R/sys
699 umount -l $R/sys
677
700
678 # Clean up files
701 # Clean up files
679 rm -f $R/etc/apt/sources.list.save
702 rm -f $R/etc/apt/sources.list.save
680 rm -f $R/etc/resolvconf/resolv.conf.d/original
703 rm -f $R/etc/resolvconf/resolv.conf.d/original
681 rm -rf $R/run
704 rm -rf $R/run
682 mkdir -p $R/run
705 mkdir -p $R/run
683 rm -f $R/etc/*-
706 rm -f $R/etc/*-
684 rm -f $R/root/.bash_history
707 rm -f $R/root/.bash_history
685 rm -rf $R/tmp/*
708 rm -rf $R/tmp/*
686 rm -f $R/var/lib/urandom/random-seed
709 rm -f $R/var/lib/urandom/random-seed
687 [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id
710 [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id
688 rm -f $R/etc/machine-id
711 rm -f $R/etc/machine-id
689
712
690 # Calculate size of the chroot directory
713 # Calculate size of the chroot directory
691 CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)
714 CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)
692
715
693 # Calculate required image size
716 # Calculate required image size
694 IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`
717 IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`
695
718
696 # Calculate number of sectors for the partition
719 # Calculate number of sectors for the partition
697 IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`
720 IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`
698
721
699 # Prepare date string for image file name
722 # Prepare date string for image file name
700 DATE="$(date +%Y-%m-%d)"
723 DATE="$(date +%Y-%m-%d)"
701
724
702 # Prepare image file
725 # Prepare image file
703 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1
726 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1
704 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}
727 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}
705
728
706 # Write partition table
729 # Write partition table
707 sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
730 sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
708 unit: sectors
731 unit: sectors
709
732
710 1 : start= 2048, size= 131072, Id= c, bootable
733 1 : start= 2048, size= 131072, Id= c, bootable
711 2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83
734 2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83
712 3 : start= 0, size= 0, Id= 0
735 3 : start= 0, size= 0, Id= 0
713 4 : start= 0, size= 0, Id= 0
736 4 : start= 0, size= 0, Id= 0
714 EOM
737 EOM
715
738
716 # Set up temporary loop devices and build filesystems
739 # Set up temporary loop devices and build filesystems
717 VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
740 VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
718 EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
741 EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
719 mkfs.vfat "$VFAT_LOOP"
742 mkfs.vfat "$VFAT_LOOP"
720 mkfs.ext4 "$EXT4_LOOP"
743 mkfs.ext4 "$EXT4_LOOP"
721
744
722 # Mount the temporary loop devices
745 # Mount the temporary loop devices
723 mkdir -p "$BUILDDIR/mount"
746 mkdir -p "$BUILDDIR/mount"
724 mount "$EXT4_LOOP" "$BUILDDIR/mount"
747 mount "$EXT4_LOOP" "$BUILDDIR/mount"
725
748
726 mkdir -p "$BUILDDIR/mount/boot/firmware"
749 mkdir -p "$BUILDDIR/mount/boot/firmware"
727 mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"
750 mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"
728
751
729 # Copy all files from the chroot to the loop device mount point directory
752 # Copy all files from the chroot to the loop device mount point directory
730 rsync -a "$R/" "$BUILDDIR/mount/"
753 rsync -a "$R/" "$BUILDDIR/mount/"
731
754
732 # Unmount all temporary loop devices and mount points
755 # Unmount all temporary loop devices and mount points
733 cleanup
756 cleanup
734
757
735 # (optinal) create block map file for "bmaptool"
758 # (optinal) create block map file for "bmaptool"
736 bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
759 bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
737
760
738 # Image was successfully created
761 # Image was successfully created
739 echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"
762 echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"
General Comments 0
Vous devez vous connecter pour laisser un commentaire. Se connecter maintenant