@@ -1,739 +1,762 | |||||
1 | #!/bin/sh |
|
1 | #!/bin/sh | |
2 |
|
2 | |||
3 | ######################################################################## |
|
3 | ######################################################################## | |
4 | # rpi2-gen-image.sh ver2a 12/2015 |
|
4 | # rpi2-gen-image.sh ver2a 12/2015 | |
5 | # |
|
5 | # | |
6 | # Advanced debian "jessie" bootstrap script for RPi2 |
|
6 | # Advanced debian "jessie" bootstrap script for RPi2 | |
7 | # |
|
7 | # | |
8 | # This program is free software; you can redistribute it and/or |
|
8 | # This program is free software; you can redistribute it and/or | |
9 | # modify it under the terms of the GNU General Public License |
|
9 | # modify it under the terms of the GNU General Public License | |
10 | # as published by the Free Software Foundation; either version 2 |
|
10 | # as published by the Free Software Foundation; either version 2 | |
11 | # of the License, or (at your option) any later version. |
|
11 | # of the License, or (at your option) any later version. | |
12 | # |
|
12 | # | |
13 | # some parts based on rpi2-build-image: |
|
13 | # some parts based on rpi2-build-image: | |
14 | # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org> |
|
14 | # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org> | |
15 | # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org> |
|
15 | # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org> | |
16 | ######################################################################## |
|
16 | ######################################################################## | |
17 |
|
17 | |||
18 | cleanup (){ |
|
18 | cleanup (){ | |
19 | set +x |
|
19 | set +x | |
20 | set +e |
|
20 | set +e | |
21 | echo "removing temporary mount points ..." |
|
21 | echo "removing temporary mount points ..." | |
22 | umount -l $R/proc 2> /dev/null |
|
22 | umount -l $R/proc 2> /dev/null | |
23 | umount -l $R/sys 2> /dev/null |
|
23 | umount -l $R/sys 2> /dev/null | |
24 | umount -l $R/dev/pts 2> /dev/null |
|
24 | umount -l $R/dev/pts 2> /dev/null | |
25 | umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null |
|
25 | umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null | |
26 | umount "$BUILDDIR/mount" 2> /dev/null |
|
26 | umount "$BUILDDIR/mount" 2> /dev/null | |
27 | losetup -d "$EXT4_LOOP" 2> /dev/null |
|
27 | losetup -d "$EXT4_LOOP" 2> /dev/null | |
28 | losetup -d "$VFAT_LOOP" 2> /dev/null |
|
28 | losetup -d "$VFAT_LOOP" 2> /dev/null | |
29 | trap - 0 1 2 3 6 |
|
29 | trap - 0 1 2 3 6 | |
30 | } |
|
30 | } | |
31 |
|
31 | |||
32 | set -e |
|
32 | set -e | |
33 | set -x |
|
33 | set -x | |
34 |
|
34 | |||
35 | RELEASE=${RELEASE:=jessie} |
|
35 | RELEASE=${RELEASE:=jessie} | |
36 |
|
36 | |||
37 | # Build settings |
|
37 | # Build settings | |
38 | BASEDIR=./images/${RELEASE} |
|
38 | BASEDIR=./images/${RELEASE} | |
39 | BUILDDIR=${BASEDIR}/build |
|
39 | BUILDDIR=${BASEDIR}/build | |
40 |
|
40 | |||
41 | # General settings |
|
41 | # General settings | |
42 | HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}} |
|
42 | HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}} | |
43 | PASSWORD=${PASSWORD:=raspberry} |
|
43 | PASSWORD=${PASSWORD:=raspberry} | |
44 | DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"} |
|
44 | DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"} | |
45 | TIMEZONE=${TIMEZONE:="Europe/Berlin"} |
|
45 | TIMEZONE=${TIMEZONE:="Europe/Berlin"} | |
46 |
|
46 | |||
47 | # APT settings |
|
47 | # APT settings | |
48 | APT_PROXY=${APT_PROXY:=""} |
|
48 | APT_PROXY=${APT_PROXY:=""} | |
49 | APT_SERVER=${APT_SERVER:="ftp.debian.org"} |
|
49 | APT_SERVER=${APT_SERVER:="ftp.debian.org"} | |
50 |
|
50 | |||
51 | # Feature settings |
|
51 | # Feature settings | |
52 | ENABLE_CONSOLE=${ENABLE_CONSOLE:=true} |
|
52 | ENABLE_CONSOLE=${ENABLE_CONSOLE:=true} | |
53 | ENABLE_IPV6=${ENABLE_IPV6:=true} |
|
53 | ENABLE_IPV6=${ENABLE_IPV6:=true} | |
54 | ENABLE_SSHD=${ENABLE_SSHD:=true} |
|
54 | ENABLE_SSHD=${ENABLE_SSHD:=true} | |
55 | ENABLE_SOUND=${ENABLE_SOUND:=true} |
|
55 | ENABLE_SOUND=${ENABLE_SOUND:=true} | |
56 | ENABLE_SYSTEMD=${ENABLE_SYSTEMD:=true} |
|
56 | ENABLE_SYSTEMD=${ENABLE_SYSTEMD:=true} | |
57 | ENABLE_DBUS=${ENABLE_DBUS:=true} |
|
57 | ENABLE_DBUS=${ENABLE_DBUS:=true} | |
58 | ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true} |
|
58 | ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true} | |
59 | ENABLE_MINGPU=${ENABLE_MINGPU:=false} |
|
59 | ENABLE_MINGPU=${ENABLE_MINGPU:=false} | |
60 | ENABLE_XORG=${ENABLE_XORG:=false} |
|
60 | ENABLE_XORG=${ENABLE_XORG:=false} | |
61 | ENABLE_FLUXBOX=${ENABLE_FLUXBOX:=false} |
|
61 | ENABLE_FLUXBOX=${ENABLE_FLUXBOX:=false} | |
62 |
|
62 | |||
63 | # Advanced settings |
|
63 | # Advanced settings | |
64 | ENABLE_UBOOT=${ENABLE_UBOOT:=false} |
|
64 | ENABLE_UBOOT=${ENABLE_UBOOT:=false} | |
65 | ENABLE_HARDNET=${ENABLE_HARDNET:=false} |
|
65 | ENABLE_HARDNET=${ENABLE_HARDNET:=false} | |
66 | ENABLE_IPTABLES=${ENABLE_IPTABLES:=false} |
|
66 | ENABLE_IPTABLES=${ENABLE_IPTABLES:=false} | |
67 |
|
67 | |||
68 | # Image chroot path |
|
68 | # Image chroot path | |
69 | R=${BUILDDIR}/chroot |
|
69 | R=${BUILDDIR}/chroot | |
70 |
|
70 | |||
71 | # Packages required for bootstrapping |
|
71 | # Packages required for bootstrapping | |
72 | REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core" |
|
72 | REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core" | |
73 |
|
73 | |||
|
74 | # Missing packages that need to be installed | |||
|
75 | MISSING_PACKAGES="" | |||
|
76 | ||||
74 | # Packages required in the chroot build enviroment |
|
77 | # Packages required in the chroot build enviroment | |
75 | APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,locales,apt-utils,vim-tiny" |
|
78 | APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,locales,apt-utils,vim-tiny" | |
76 |
|
79 | |||
77 | set +x |
|
80 | set +x | |
78 |
|
81 | |||
79 | # Are we running as root? |
|
82 | # Are we running as root? | |
80 | if [ "$(id -u)" -ne "0" ] ; then |
|
83 | if [ "$(id -u)" -ne "0" ] ; then | |
81 | echo "this script must be executed with root privileges" |
|
84 | echo "this script must be executed with root privileges" | |
82 | exit 1 |
|
85 | exit 1 | |
83 | fi |
|
86 | fi | |
84 |
|
87 | |||
|
88 | # Check if all required packages are installed | |||
|
89 | for package in $REQUIRED_PACKAGES ; do | |||
|
90 | if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then | |||
|
91 | MISSING_PACKAGES="$MISSING_PACKAGES $package" | |||
|
92 | fi | |||
|
93 | done | |||
|
94 | ||||
|
95 | # Ask if missing packages should get installed right now | |||
|
96 | if [ -n "$MISSING_PACKAGES" ] ; then | |||
|
97 | echo "the following packages needed by this script are not installed:" | |||
|
98 | echo "$MISSING_PACKAGES" | |||
|
99 | ||||
|
100 | echo -n "\ndo you want to install the missing packages right now? [y/n] " | |||
|
101 | read confirm | |||
|
102 | if [ "$confirm" != "y" ] ; then | |||
|
103 | exit 1 | |||
|
104 | fi | |||
|
105 | fi | |||
|
106 | ||||
|
107 | # Make sure all required packages are installed | |||
|
108 | apt-get -qq -y install ${REQUIRED_PACKAGES} | |||
|
109 | exit | |||
|
110 | ||||
85 | # Don't clobber an old build |
|
111 | # Don't clobber an old build | |
86 | if [ -e "$BUILDDIR" ]; then |
|
112 | if [ -e "$BUILDDIR" ]; then | |
87 | echo "directory $BUILDDIR already exists, not proceeding" |
|
113 | echo "directory $BUILDDIR already exists, not proceeding" | |
88 | exit 1 |
|
114 | exit 1 | |
89 | fi |
|
115 | fi | |
90 |
|
116 | |||
91 | set -x |
|
117 | set -x | |
92 |
|
118 | |||
93 | # Call "cleanup" function on various signals and errors |
|
119 | # Call "cleanup" function on various signals and errors | |
94 | trap cleanup 0 1 2 3 6 |
|
120 | trap cleanup 0 1 2 3 6 | |
95 |
|
121 | |||
96 | # Set up chroot directory |
|
122 | # Set up chroot directory | |
97 | mkdir -p $R |
|
123 | mkdir -p $R | |
98 |
|
124 | |||
99 | # Install dependencies |
|
|||
100 | apt-get -q -y install ${REQUIRED_PACKAGES} |
|
|||
101 |
|
||||
102 | # Use traditional SystemV init instead of systemd services |
|
125 | # Use traditional SystemV init instead of systemd services | |
103 | if [ "$ENABLE_SYSTEMD" = false ] ; then |
|
126 | if [ "$ENABLE_SYSTEMD" = false ] ; then | |
104 | APT_INCLUDES="${APT_INCLUDES},sysvinit-core" |
|
127 | APT_INCLUDES="${APT_INCLUDES},sysvinit-core" | |
105 | fi |
|
128 | fi | |
106 |
|
129 | |||
107 | # Add dbus package, recommended if using systemd |
|
130 | # Add dbus package, recommended if using systemd | |
108 | if [ "$ENABLE_DBUS" = true ] ; then |
|
131 | if [ "$ENABLE_DBUS" = true ] ; then | |
109 | APT_INCLUDES="${APT_INCLUDES},dbus" |
|
132 | APT_INCLUDES="${APT_INCLUDES},dbus" | |
110 | fi |
|
133 | fi | |
111 |
|
134 | |||
112 | # Add openssh server package |
|
135 | # Add openssh server package | |
113 | if [ "$ENABLE_SSHD" = true ] ; then |
|
136 | if [ "$ENABLE_SSHD" = true ] ; then | |
114 | APT_INCLUDES="${APT_INCLUDES},openssh-server" |
|
137 | APT_INCLUDES="${APT_INCLUDES},openssh-server" | |
115 | fi |
|
138 | fi | |
116 |
|
139 | |||
117 | # Add rng-tools package |
|
140 | # Add rng-tools package | |
118 | if [ "$ENABLE_HWRANDOM" = true ] ; then |
|
141 | if [ "$ENABLE_HWRANDOM" = true ] ; then | |
119 | APT_INCLUDES="${APT_INCLUDES},rng-tools" |
|
142 | APT_INCLUDES="${APT_INCLUDES},rng-tools" | |
120 | fi |
|
143 | fi | |
121 |
|
144 | |||
122 | # Add xorg package |
|
145 | # Add xorg package | |
123 | if [ "$ENABLE_XORG" = true ] ; then |
|
146 | if [ "$ENABLE_XORG" = true ] ; then | |
124 | APT_INCLUDES="${APT_INCLUDES},xorg" |
|
147 | APT_INCLUDES="${APT_INCLUDES},xorg" | |
125 | fi |
|
148 | fi | |
126 |
|
149 | |||
127 | # Add fluxbox package with eterm |
|
150 | # Add fluxbox package with eterm | |
128 | if [ "$ENABLE_FLUXBOX" = true ] ; then |
|
151 | if [ "$ENABLE_FLUXBOX" = true ] ; then | |
129 | APT_INCLUDES="${APT_INCLUDES},fluxbox,eterm" |
|
152 | APT_INCLUDES="${APT_INCLUDES},fluxbox,eterm" | |
130 | fi |
|
153 | fi | |
131 |
|
154 | |||
132 | if [ -z "$APT_PROXY" ] ; then |
|
155 | if [ -z "$APT_PROXY" ] ; then | |
133 | APT_PROXY="http://" |
|
156 | APT_PROXY="http://" | |
134 | fi |
|
157 | fi | |
135 |
|
158 | |||
136 | # Base debootstrap (unpack only) |
|
159 | # Base debootstrap (unpack only) | |
137 | debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian |
|
160 | debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian | |
138 | cp /usr/bin/qemu-arm-static $R/usr/bin |
|
161 | cp /usr/bin/qemu-arm-static $R/usr/bin | |
139 |
|
162 | |||
140 | # Remove systemd related packages from list of packages to be bootstrapped |
|
163 | # Remove systemd related packages from list of packages to be bootstrapped | |
141 | if [ "$ENABLE_SYSTEMD" = false ] ; then |
|
164 | if [ "$ENABLE_SYSTEMD" = false ] ; then | |
142 | chroot $R sed -i -e 's/systemd systemd-sysv //g' /debootstrap/required |
|
165 | chroot $R sed -i -e 's/systemd systemd-sysv //g' /debootstrap/required | |
143 | fi |
|
166 | fi | |
144 |
|
167 | |||
145 | # Copy debian-archive-keyring.pgp |
|
168 | # Copy debian-archive-keyring.pgp | |
146 | chroot $R mkdir -p /usr/share/keyrings |
|
169 | chroot $R mkdir -p /usr/share/keyrings | |
147 | cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg |
|
170 | cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg | |
148 |
|
171 | |||
149 | # Complete the bootstrapping proccess |
|
172 | # Complete the bootstrapping proccess | |
150 | chroot $R /debootstrap/debootstrap --second-stage |
|
173 | chroot $R /debootstrap/debootstrap --second-stage | |
151 |
|
174 | |||
152 | # Mount required filesystems |
|
175 | # Mount required filesystems | |
153 | mount -t proc none $R/proc |
|
176 | mount -t proc none $R/proc | |
154 | mount -t sysfs none $R/sys |
|
177 | mount -t sysfs none $R/sys | |
155 | mount --bind /dev/pts $R/dev/pts |
|
178 | mount --bind /dev/pts $R/dev/pts | |
156 |
|
179 | |||
157 | # Set up initial sources.list |
|
180 | # Set up initial sources.list | |
158 | cat <<EOM >$R/etc/apt/sources.list |
|
181 | cat <<EOM >$R/etc/apt/sources.list | |
159 | deb http://${APT_SERVER}/debian ${RELEASE} main contrib |
|
182 | deb http://${APT_SERVER}/debian ${RELEASE} main contrib | |
160 | #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib |
|
183 | #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib | |
161 |
|
184 | |||
162 | deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib |
|
185 | deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib | |
163 | #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib |
|
186 | #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib | |
164 |
|
187 | |||
165 | deb http://security.debian.org/ ${RELEASE}/updates main contrib |
|
188 | deb http://security.debian.org/ ${RELEASE}/updates main contrib | |
166 | #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib |
|
189 | #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib | |
167 |
|
190 | |||
168 | deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2 |
|
191 | deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2 | |
169 | EOM |
|
192 | EOM | |
170 |
|
193 | |||
171 | # Pin package flash-kernel to repositories.collabora.co.uk |
|
194 | # Pin package flash-kernel to repositories.collabora.co.uk | |
172 | cat <<EOM >$R/etc/apt/preferences.d/flash-kernel |
|
195 | cat <<EOM >$R/etc/apt/preferences.d/flash-kernel | |
173 | Package: flash-kernel |
|
196 | Package: flash-kernel | |
174 | Pin: origin repositories.collabora.co.uk |
|
197 | Pin: origin repositories.collabora.co.uk | |
175 | Pin-Priority: 1000 |
|
198 | Pin-Priority: 1000 | |
176 | EOM |
|
199 | EOM | |
177 |
|
200 | |||
178 | # Set up timezone |
|
201 | # Set up timezone | |
179 | echo ${TIMEZONE} >$R/etc/timezone |
|
202 | echo ${TIMEZONE} >$R/etc/timezone | |
180 | LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata |
|
203 | LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata | |
181 |
|
204 | |||
182 | # Set up default locales to "en_US.UTF-8" default |
|
205 | # Set up default locales to "en_US.UTF-8" default | |
183 | LANG=C chroot $R sed -i '/${DEFLOCAL}/s/^#//' /etc/locale.gen |
|
206 | LANG=C chroot $R sed -i '/${DEFLOCAL}/s/^#//' /etc/locale.gen | |
184 | LANG=C chroot $R locale-gen ${DEFLOCAL} |
|
207 | LANG=C chroot $R locale-gen ${DEFLOCAL} | |
185 |
|
208 | |||
186 | # Fetch APT public key "Collabora Raspbian Archive Signing Key <daniels@collabora.com>" |
|
209 | # Fetch APT public key "Collabora Raspbian Archive Signing Key <daniels@collabora.com>" | |
187 | LANG=C chroot $R apt-key adv --keyserver hkp://pool.sks-keyservers.net --recv-keys ED4BF9140C50B1C5 |
|
210 | LANG=C chroot $R apt-key adv --keyserver hkp://pool.sks-keyservers.net --recv-keys ED4BF9140C50B1C5 | |
188 |
|
211 | |||
189 | # Upgrade package index and update all installed packages and changed dependencies |
|
212 | # Upgrade package index and update all installed packages and changed dependencies | |
190 | LANG=C chroot $R apt-get -q -y update |
|
213 | LANG=C chroot $R apt-get -q -y update | |
191 | LANG=C chroot $R apt-get -q -y -u dist-upgrade |
|
214 | LANG=C chroot $R apt-get -q -y -u dist-upgrade | |
192 |
|
215 | |||
193 | # Kernel installation |
|
216 | # Kernel installation | |
194 | # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot |
|
217 | # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot | |
195 |
|
218 | |||
196 | LANG=C chroot $R apt-get -q -y --force-yes --no-install-recommends install linux-image-3.18.0-trunk-rpi2 |
|
219 | LANG=C chroot $R apt-get -q -y --force-yes --no-install-recommends install linux-image-3.18.0-trunk-rpi2 | |
197 | LANG=C chroot $R apt-get -q -y --force-yes install flash-kernel |
|
220 | LANG=C chroot $R apt-get -q -y --force-yes install flash-kernel | |
198 |
|
221 | |||
199 | VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)" |
|
222 | VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)" | |
200 | [ -z "$VMLINUZ" ] && exit 1 |
|
223 | [ -z "$VMLINUZ" ] && exit 1 | |
201 | mkdir -p $R/boot/firmware |
|
224 | mkdir -p $R/boot/firmware | |
202 |
|
225 | |||
203 | # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10") |
|
226 | # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10") | |
204 | wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin |
|
227 | wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin | |
205 | wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat |
|
228 | wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat | |
206 | wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat |
|
229 | wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat | |
207 | wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat |
|
230 | wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat | |
208 | wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf |
|
231 | wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf | |
209 | wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf |
|
232 | wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf | |
210 | wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf |
|
233 | wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf | |
211 | cp $VMLINUZ $R/boot/firmware/kernel7.img |
|
234 | cp $VMLINUZ $R/boot/firmware/kernel7.img | |
212 |
|
235 | |||
213 | # Set up hosts |
|
236 | # Set up hosts | |
214 | echo ${HOSTNAME} >$R/etc/hostname |
|
237 | echo ${HOSTNAME} >$R/etc/hostname | |
215 | cat <<EOM >$R/etc/hosts |
|
238 | cat <<EOM >$R/etc/hosts | |
216 | 127.0.0.1 localhost |
|
239 | 127.0.0.1 localhost | |
217 | 127.0.1.1 ${HOSTNAME} |
|
240 | 127.0.1.1 ${HOSTNAME} | |
218 | EOM |
|
241 | EOM | |
219 |
|
242 | |||
220 | if [ "$ENABLE_IPV6" = true ] ; then |
|
243 | if [ "$ENABLE_IPV6" = true ] ; then | |
221 | cat <<EOM >>$R/etc/hosts |
|
244 | cat <<EOM >>$R/etc/hosts | |
222 |
|
245 | |||
223 | ::1 localhost ip6-localhost ip6-loopback |
|
246 | ::1 localhost ip6-localhost ip6-loopback | |
224 | ff02::1 ip6-allnodes |
|
247 | ff02::1 ip6-allnodes | |
225 | ff02::2 ip6-allrouters |
|
248 | ff02::2 ip6-allrouters | |
226 | EOM |
|
249 | EOM | |
227 | fi |
|
250 | fi | |
228 |
|
251 | |||
229 | # Generate crypt(3) password string |
|
252 | # Generate crypt(3) password string | |
230 | ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}` |
|
253 | ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}` | |
231 |
|
254 | |||
232 | # Set up default user |
|
255 | # Set up default user | |
233 | LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi |
|
256 | LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi | |
234 | LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi |
|
257 | LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi | |
235 |
|
258 | |||
236 | # Set up root password |
|
259 | # Set up root password | |
237 | LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root |
|
260 | LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root | |
238 |
|
261 | |||
239 |
|
262 | |||
240 | # Set up interfaces |
|
263 | # Set up interfaces | |
241 | cat <<EOM >$R/etc/network/interfaces |
|
264 | cat <<EOM >$R/etc/network/interfaces | |
242 | # interfaces(5) file used by ifup(8) and ifdown(8) |
|
265 | # interfaces(5) file used by ifup(8) and ifdown(8) | |
243 | # Include files from /etc/network/interfaces.d: |
|
266 | # Include files from /etc/network/interfaces.d: | |
244 | source-directory /etc/network/interfaces.d |
|
267 | source-directory /etc/network/interfaces.d | |
245 |
|
268 | |||
246 | # The loopback network interface |
|
269 | # The loopback network interface | |
247 | auto lo |
|
270 | auto lo | |
248 | iface lo inet loopback |
|
271 | iface lo inet loopback | |
249 |
|
272 | |||
250 | # The primary network interface |
|
273 | # The primary network interface | |
251 | allow-hotplug eth0 |
|
274 | allow-hotplug eth0 | |
252 | iface eth0 inet dhcp |
|
275 | iface eth0 inet dhcp | |
253 | EOM |
|
276 | EOM | |
254 |
|
277 | |||
255 | # Set up firmware boot cmdline |
|
278 | # Set up firmware boot cmdline | |
256 | CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1" |
|
279 | CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1" | |
257 |
|
280 | |||
258 | # Set up serial console support (if requested) |
|
281 | # Set up serial console support (if requested) | |
259 | if [ "$ENABLE_CONSOLE" = true ] ; then |
|
282 | if [ "$ENABLE_CONSOLE" = true ] ; then | |
260 | CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200" |
|
283 | CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200" | |
261 | fi |
|
284 | fi | |
262 |
|
285 | |||
263 | # Set up ipv6 support (if requested) |
|
286 | # Set up ipv6 support (if requested) | |
264 | if [ "$ENABLE_IPV6" = false ] ; then |
|
287 | if [ "$ENABLE_IPV6" = false ] ; then | |
265 | CMDLINE="${CMDLINE} ipv6.disable=1" |
|
288 | CMDLINE="${CMDLINE} ipv6.disable=1" | |
266 | fi |
|
289 | fi | |
267 |
|
290 | |||
268 | echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt |
|
291 | echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt | |
269 |
|
292 | |||
270 | # Set up firmware config |
|
293 | # Set up firmware config | |
271 | cat <<EOM >$R/boot/firmware/config.txt |
|
294 | cat <<EOM >$R/boot/firmware/config.txt | |
272 | # For more options and information see |
|
295 | # For more options and information see | |
273 | # http://www.raspberrypi.org/documentation/configuration/config-txt.md |
|
296 | # http://www.raspberrypi.org/documentation/configuration/config-txt.md | |
274 | # Some settings may impact device functionality. See link above for details |
|
297 | # Some settings may impact device functionality. See link above for details | |
275 |
|
298 | |||
276 | # uncomment if you get no picture on HDMI for a default "safe" mode |
|
299 | # uncomment if you get no picture on HDMI for a default "safe" mode | |
277 | #hdmi_safe=1 |
|
300 | #hdmi_safe=1 | |
278 |
|
301 | |||
279 | # uncomment this if your display has a black border of unused pixels visible |
|
302 | # uncomment this if your display has a black border of unused pixels visible | |
280 | # and your display can output without overscan |
|
303 | # and your display can output without overscan | |
281 | #disable_overscan=1 |
|
304 | #disable_overscan=1 | |
282 |
|
305 | |||
283 | # uncomment the following to adjust overscan. Use positive numbers if console |
|
306 | # uncomment the following to adjust overscan. Use positive numbers if console | |
284 | # goes off screen, and negative if there is too much border |
|
307 | # goes off screen, and negative if there is too much border | |
285 | #overscan_left=16 |
|
308 | #overscan_left=16 | |
286 | #overscan_right=16 |
|
309 | #overscan_right=16 | |
287 | #overscan_top=16 |
|
310 | #overscan_top=16 | |
288 | #overscan_bottom=16 |
|
311 | #overscan_bottom=16 | |
289 |
|
312 | |||
290 | # uncomment to force a console size. By default it will be display's size minus |
|
313 | # uncomment to force a console size. By default it will be display's size minus | |
291 | # overscan. |
|
314 | # overscan. | |
292 | #framebuffer_width=1280 |
|
315 | #framebuffer_width=1280 | |
293 | #framebuffer_height=720 |
|
316 | #framebuffer_height=720 | |
294 |
|
317 | |||
295 | # uncomment if hdmi display is not detected and composite is being output |
|
318 | # uncomment if hdmi display is not detected and composite is being output | |
296 | #hdmi_force_hotplug=1 |
|
319 | #hdmi_force_hotplug=1 | |
297 |
|
320 | |||
298 | # uncomment to force a specific HDMI mode (this will force VGA) |
|
321 | # uncomment to force a specific HDMI mode (this will force VGA) | |
299 | #hdmi_group=1 |
|
322 | #hdmi_group=1 | |
300 | #hdmi_mode=1 |
|
323 | #hdmi_mode=1 | |
301 |
|
324 | |||
302 | # uncomment to force a HDMI mode rather than DVI. This can make audio work in |
|
325 | # uncomment to force a HDMI mode rather than DVI. This can make audio work in | |
303 | # DMT (computer monitor) modes |
|
326 | # DMT (computer monitor) modes | |
304 | #hdmi_drive=2 |
|
327 | #hdmi_drive=2 | |
305 |
|
328 | |||
306 | # uncomment to increase signal to HDMI, if you have interference, blanking, or |
|
329 | # uncomment to increase signal to HDMI, if you have interference, blanking, or | |
307 | # no display |
|
330 | # no display | |
308 | #config_hdmi_boost=4 |
|
331 | #config_hdmi_boost=4 | |
309 |
|
332 | |||
310 | # uncomment for composite PAL |
|
333 | # uncomment for composite PAL | |
311 | #sdtv_mode=2 |
|
334 | #sdtv_mode=2 | |
312 |
|
335 | |||
313 | # uncomment to overclock the arm. 700 MHz is the default. |
|
336 | # uncomment to overclock the arm. 700 MHz is the default. | |
314 | #arm_freq=800 |
|
337 | #arm_freq=800 | |
315 | EOM |
|
338 | EOM | |
316 |
|
339 | |||
317 | # Set smallest possible GPU memory allocation size: 16MB (no X) |
|
340 | # Set smallest possible GPU memory allocation size: 16MB (no X) | |
318 | if [ "$ENABLE_MINGPU" = true ] ; then |
|
341 | if [ "$ENABLE_MINGPU" = true ] ; then | |
319 | echo "gpu_mem=16" >>$R/boot/firmware/config.txt |
|
342 | echo "gpu_mem=16" >>$R/boot/firmware/config.txt | |
320 | fi |
|
343 | fi | |
321 |
|
344 | |||
322 | # Create symlinks |
|
345 | # Create symlinks | |
323 | ln -sf firmware/config.txt $R/boot/config.txt |
|
346 | ln -sf firmware/config.txt $R/boot/config.txt | |
324 | ln -sf firmware/cmdline.txt $R/boot/cmdline.txt |
|
347 | ln -sf firmware/cmdline.txt $R/boot/cmdline.txt | |
325 |
|
348 | |||
326 | # Prepare modules-load.d directory |
|
349 | # Prepare modules-load.d directory | |
327 | mkdir -p $R/lib/modules-load.d/ |
|
350 | mkdir -p $R/lib/modules-load.d/ | |
328 |
|
351 | |||
329 | # Load random module on boot |
|
352 | # Load random module on boot | |
330 | if [ "$ENABLE_HWRANDOM" = true ] ; then |
|
353 | if [ "$ENABLE_HWRANDOM" = true ] ; then | |
331 | cat <<EOM >$R/lib/modules-load.d/rpi2.conf |
|
354 | cat <<EOM >$R/lib/modules-load.d/rpi2.conf | |
332 | bcm2708_rng |
|
355 | bcm2708_rng | |
333 | EOM |
|
356 | EOM | |
334 | fi |
|
357 | fi | |
335 |
|
358 | |||
336 | # Prepare modprobe.d directory |
|
359 | # Prepare modprobe.d directory | |
337 | mkdir -p $R/etc/modprobe.d/ |
|
360 | mkdir -p $R/etc/modprobe.d/ | |
338 |
|
361 | |||
339 | # Blacklist sound modules |
|
362 | # Blacklist sound modules | |
340 | cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf |
|
363 | cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf | |
341 | blacklist snd_soc_core |
|
364 | blacklist snd_soc_core | |
342 | blacklist snd_pcm |
|
365 | blacklist snd_pcm | |
343 | blacklist snd_pcm_dmaengine |
|
366 | blacklist snd_pcm_dmaengine | |
344 | blacklist snd_timer |
|
367 | blacklist snd_timer | |
345 | blacklist snd_compress |
|
368 | blacklist snd_compress | |
346 | blacklist snd_soc_pcm512x_i2c |
|
369 | blacklist snd_soc_pcm512x_i2c | |
347 | blacklist snd_soc_pcm512x |
|
370 | blacklist snd_soc_pcm512x | |
348 | blacklist snd_soc_tas5713 |
|
371 | blacklist snd_soc_tas5713 | |
349 | blacklist snd_soc_wm8804 |
|
372 | blacklist snd_soc_wm8804 | |
350 | EOM |
|
373 | EOM | |
351 |
|
374 | |||
352 | # Create default fstab |
|
375 | # Create default fstab | |
353 | cat <<EOM >$R/etc/fstab |
|
376 | cat <<EOM >$R/etc/fstab | |
354 | /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1 |
|
377 | /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1 | |
355 | /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2 |
|
378 | /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2 | |
356 | EOM |
|
379 | EOM | |
357 |
|
380 | |||
358 | # Avoid swapping and increase cache sizes |
|
381 | # Avoid swapping and increase cache sizes | |
359 | cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf |
|
382 | cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf | |
360 |
|
383 | |||
361 | # Avoid swapping and increase cache sizes |
|
384 | # Avoid swapping and increase cache sizes | |
362 | vm.swappiness=1 |
|
385 | vm.swappiness=1 | |
363 | vm.dirty_background_ratio=20 |
|
386 | vm.dirty_background_ratio=20 | |
364 | vm.dirty_ratio=40 |
|
387 | vm.dirty_ratio=40 | |
365 | vm.dirty_writeback_centisecs=500 |
|
388 | vm.dirty_writeback_centisecs=500 | |
366 | vm.dirty_expire_centisecs=6000 |
|
389 | vm.dirty_expire_centisecs=6000 | |
367 | EOM |
|
390 | EOM | |
368 |
|
391 | |||
369 | # Enable network stack hardening |
|
392 | # Enable network stack hardening | |
370 | if [ "$ENABLE_HARDNET" = true ] ; then |
|
393 | if [ "$ENABLE_HARDNET" = true ] ; then | |
371 | cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf |
|
394 | cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf | |
372 |
|
395 | |||
373 | # Enable network stack hardening |
|
396 | # Enable network stack hardening | |
374 | net.ipv4.tcp_timestamps=0 |
|
397 | net.ipv4.tcp_timestamps=0 | |
375 | net.ipv4.tcp_syncookies=1 |
|
398 | net.ipv4.tcp_syncookies=1 | |
376 | net.ipv4.conf.all.rp_filter=1 |
|
399 | net.ipv4.conf.all.rp_filter=1 | |
377 | net.ipv4.conf.all.accept_redirects=0 |
|
400 | net.ipv4.conf.all.accept_redirects=0 | |
378 | net.ipv4.conf.all.send_redirects=0 |
|
401 | net.ipv4.conf.all.send_redirects=0 | |
379 | net.ipv4.conf.all.accept_source_route=0 |
|
402 | net.ipv4.conf.all.accept_source_route=0 | |
380 | net.ipv4.conf.default.rp_filter=1 |
|
403 | net.ipv4.conf.default.rp_filter=1 | |
381 | net.ipv4.conf.default.accept_redirects=0 |
|
404 | net.ipv4.conf.default.accept_redirects=0 | |
382 | net.ipv4.conf.default.send_redirects=0 |
|
405 | net.ipv4.conf.default.send_redirects=0 | |
383 | net.ipv4.conf.default.accept_source_route=0 |
|
406 | net.ipv4.conf.default.accept_source_route=0 | |
384 | net.ipv4.conf.lo.accept_redirects=0 |
|
407 | net.ipv4.conf.lo.accept_redirects=0 | |
385 | net.ipv4.conf.lo.send_redirects=0 |
|
408 | net.ipv4.conf.lo.send_redirects=0 | |
386 | net.ipv4.conf.lo.accept_source_route=0 |
|
409 | net.ipv4.conf.lo.accept_source_route=0 | |
387 | net.ipv4.conf.eth0.accept_redirects=0 |
|
410 | net.ipv4.conf.eth0.accept_redirects=0 | |
388 | net.ipv4.conf.eth0.send_redirects=0 |
|
411 | net.ipv4.conf.eth0.send_redirects=0 | |
389 | net.ipv4.conf.eth0.accept_source_route=0 |
|
412 | net.ipv4.conf.eth0.accept_source_route=0 | |
390 | net.ipv4.icmp_echo_ignore_broadcasts=1 |
|
413 | net.ipv4.icmp_echo_ignore_broadcasts=1 | |
391 | net.ipv4.icmp_ignore_bogus_error_responses=1 |
|
414 | net.ipv4.icmp_ignore_bogus_error_responses=1 | |
392 |
|
415 | |||
393 | net.ipv6.conf.all.accept_redirects=0 |
|
416 | net.ipv6.conf.all.accept_redirects=0 | |
394 | net.ipv6.conf.all.accept_source_route=0 |
|
417 | net.ipv6.conf.all.accept_source_route=0 | |
395 | net.ipv6.conf.all.router_solicitations=0 |
|
418 | net.ipv6.conf.all.router_solicitations=0 | |
396 | net.ipv6.conf.all.accept_ra_rtr_pref=0 |
|
419 | net.ipv6.conf.all.accept_ra_rtr_pref=0 | |
397 | net.ipv6.conf.all.accept_ra_pinfo=0 |
|
420 | net.ipv6.conf.all.accept_ra_pinfo=0 | |
398 | net.ipv6.conf.all.accept_ra_defrtr=0 |
|
421 | net.ipv6.conf.all.accept_ra_defrtr=0 | |
399 | net.ipv6.conf.all.autoconf=0 |
|
422 | net.ipv6.conf.all.autoconf=0 | |
400 | net.ipv6.conf.all.dad_transmits=0 |
|
423 | net.ipv6.conf.all.dad_transmits=0 | |
401 | net.ipv6.conf.all.max_addresses=1 |
|
424 | net.ipv6.conf.all.max_addresses=1 | |
402 |
|
425 | |||
403 | net.ipv6.conf.default.accept_redirects=0 |
|
426 | net.ipv6.conf.default.accept_redirects=0 | |
404 | net.ipv6.conf.default.accept_source_route=0 |
|
427 | net.ipv6.conf.default.accept_source_route=0 | |
405 | net.ipv6.conf.default.router_solicitations=0 |
|
428 | net.ipv6.conf.default.router_solicitations=0 | |
406 | net.ipv6.conf.default.accept_ra_rtr_pref=0 |
|
429 | net.ipv6.conf.default.accept_ra_rtr_pref=0 | |
407 | net.ipv6.conf.default.accept_ra_pinfo=0 |
|
430 | net.ipv6.conf.default.accept_ra_pinfo=0 | |
408 | net.ipv6.conf.default.accept_ra_defrtr=0 |
|
431 | net.ipv6.conf.default.accept_ra_defrtr=0 | |
409 | net.ipv6.conf.default.autoconf=0 |
|
432 | net.ipv6.conf.default.autoconf=0 | |
410 | net.ipv6.conf.default.dad_transmits=0 |
|
433 | net.ipv6.conf.default.dad_transmits=0 | |
411 | net.ipv6.conf.default.max_addresses=1 |
|
434 | net.ipv6.conf.default.max_addresses=1 | |
412 |
|
435 | |||
413 | net.ipv6.conf.lo.accept_redirects=0 |
|
436 | net.ipv6.conf.lo.accept_redirects=0 | |
414 | net.ipv6.conf.lo.accept_source_route=0 |
|
437 | net.ipv6.conf.lo.accept_source_route=0 | |
415 | net.ipv6.conf.lo.router_solicitations=0 |
|
438 | net.ipv6.conf.lo.router_solicitations=0 | |
416 | net.ipv6.conf.lo.accept_ra_rtr_pref=0 |
|
439 | net.ipv6.conf.lo.accept_ra_rtr_pref=0 | |
417 | net.ipv6.conf.lo.accept_ra_pinfo=0 |
|
440 | net.ipv6.conf.lo.accept_ra_pinfo=0 | |
418 | net.ipv6.conf.lo.accept_ra_defrtr=0 |
|
441 | net.ipv6.conf.lo.accept_ra_defrtr=0 | |
419 | net.ipv6.conf.lo.autoconf=0 |
|
442 | net.ipv6.conf.lo.autoconf=0 | |
420 | net.ipv6.conf.lo.dad_transmits=0 |
|
443 | net.ipv6.conf.lo.dad_transmits=0 | |
421 | net.ipv6.conf.lo.max_addresses=1 |
|
444 | net.ipv6.conf.lo.max_addresses=1 | |
422 |
|
445 | |||
423 | net.ipv6.conf.eth0.accept_redirects=0 |
|
446 | net.ipv6.conf.eth0.accept_redirects=0 | |
424 | net.ipv6.conf.eth0.accept_source_route=0 |
|
447 | net.ipv6.conf.eth0.accept_source_route=0 | |
425 | net.ipv6.conf.eth0.router_solicitations=0 |
|
448 | net.ipv6.conf.eth0.router_solicitations=0 | |
426 | net.ipv6.conf.eth0.accept_ra_rtr_pref=0 |
|
449 | net.ipv6.conf.eth0.accept_ra_rtr_pref=0 | |
427 | net.ipv6.conf.eth0.accept_ra_pinfo=0 |
|
450 | net.ipv6.conf.eth0.accept_ra_pinfo=0 | |
428 | net.ipv6.conf.eth0.accept_ra_defrtr=0 |
|
451 | net.ipv6.conf.eth0.accept_ra_defrtr=0 | |
429 | net.ipv6.conf.eth0.autoconf=0 |
|
452 | net.ipv6.conf.eth0.autoconf=0 | |
430 | net.ipv6.conf.eth0.dad_transmits=0 |
|
453 | net.ipv6.conf.eth0.dad_transmits=0 | |
431 | net.ipv6.conf.eth0.max_addresses=1 |
|
454 | net.ipv6.conf.eth0.max_addresses=1 | |
432 | EOM |
|
455 | EOM | |
433 |
|
456 | |||
434 | # Enable resolver warnings about spoofed addresses |
|
457 | # Enable resolver warnings about spoofed addresses | |
435 | cat <<EOM >>$R/etc/host.conf |
|
458 | cat <<EOM >>$R/etc/host.conf | |
436 | spoof warn |
|
459 | spoof warn | |
437 | EOM |
|
460 | EOM | |
438 | fi |
|
461 | fi | |
439 |
|
462 | |||
440 | # Regenerate openssh server host keys |
|
463 | # Regenerate openssh server host keys | |
441 | if [ "$ENABLE_SSHD" = true ] ; then |
|
464 | if [ "$ENABLE_SSHD" = true ] ; then | |
442 | rm -fr $R/etc/ssh/ssh_host_* |
|
465 | rm -fr $R/etc/ssh/ssh_host_* | |
443 | LANG=C chroot $R dpkg-reconfigure openssh-server |
|
466 | LANG=C chroot $R dpkg-reconfigure openssh-server | |
444 | fi |
|
467 | fi | |
445 |
|
468 | |||
446 | # Enable serial console systemd style |
|
469 | # Enable serial console systemd style | |
447 | if [ "$ENABLE_CONSOLE" = true ] ; then |
|
470 | if [ "$ENABLE_CONSOLE" = true ] ; then | |
448 | LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service |
|
471 | LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service | |
449 | fi |
|
472 | fi | |
450 |
|
473 | |||
451 | # Enable firewall based on iptables started by systemd service |
|
474 | # Enable firewall based on iptables started by systemd service | |
452 | if [ "$ENABLE_IPTABLES" = true ] ; then |
|
475 | if [ "$ENABLE_IPTABLES" = true ] ; then | |
453 | # Create iptables configuration directory |
|
476 | # Create iptables configuration directory | |
454 | mkdir -p "$R/etc/iptables" |
|
477 | mkdir -p "$R/etc/iptables" | |
455 |
|
478 | |||
456 | # Create iptables systemd service |
|
479 | # Create iptables systemd service | |
457 | cat <<EOM >$R/etc/systemd/system/iptables.service |
|
480 | cat <<EOM >$R/etc/systemd/system/iptables.service | |
458 | [Unit] |
|
481 | [Unit] | |
459 | Description=Packet Filtering Framework |
|
482 | Description=Packet Filtering Framework | |
460 | DefaultDependencies=no |
|
483 | DefaultDependencies=no | |
461 | After=systemd-sysctl.service |
|
484 | After=systemd-sysctl.service | |
462 | Before=sysinit.target |
|
485 | Before=sysinit.target | |
463 | [Service] |
|
486 | [Service] | |
464 | Type=oneshot |
|
487 | Type=oneshot | |
465 | ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules |
|
488 | ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules | |
466 | ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules |
|
489 | ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules | |
467 | ExecStop=/etc/iptables/flush-iptables.sh |
|
490 | ExecStop=/etc/iptables/flush-iptables.sh | |
468 | RemainAfterExit=yes |
|
491 | RemainAfterExit=yes | |
469 | [Install] |
|
492 | [Install] | |
470 | WantedBy=multi-user.target |
|
493 | WantedBy=multi-user.target | |
471 | EOM |
|
494 | EOM | |
472 |
|
495 | |||
473 | # Create flush-table script called by iptables service |
|
496 | # Create flush-table script called by iptables service | |
474 | cat <<EOM >$R/etc/iptables/flush-iptables.sh |
|
497 | cat <<EOM >$R/etc/iptables/flush-iptables.sh | |
475 | #!/bin/sh |
|
498 | #!/bin/sh | |
476 | iptables -F |
|
499 | iptables -F | |
477 | iptables -X |
|
500 | iptables -X | |
478 | iptables -t nat -F |
|
501 | iptables -t nat -F | |
479 | iptables -t nat -X |
|
502 | iptables -t nat -X | |
480 | iptables -t mangle -F |
|
503 | iptables -t mangle -F | |
481 | iptables -t mangle -X |
|
504 | iptables -t mangle -X | |
482 | iptables -P INPUT ACCEPT |
|
505 | iptables -P INPUT ACCEPT | |
483 | iptables -P FORWARD ACCEPT |
|
506 | iptables -P FORWARD ACCEPT | |
484 | iptables -P OUTPUT ACCEPT |
|
507 | iptables -P OUTPUT ACCEPT | |
485 | EOM |
|
508 | EOM | |
486 |
|
509 | |||
487 | # Create iptables rule file |
|
510 | # Create iptables rule file | |
488 | cat <<EOM >$R/etc/iptables/iptables.rules |
|
511 | cat <<EOM >$R/etc/iptables/iptables.rules | |
489 | *filter |
|
512 | *filter | |
490 | :INPUT DROP [0:0] |
|
513 | :INPUT DROP [0:0] | |
491 | :FORWARD DROP [0:0] |
|
514 | :FORWARD DROP [0:0] | |
492 | :OUTPUT ACCEPT [0:0] |
|
515 | :OUTPUT ACCEPT [0:0] | |
493 | :TCP - [0:0] |
|
516 | :TCP - [0:0] | |
494 | :UDP - [0:0] |
|
517 | :UDP - [0:0] | |
495 | :SSH - [0:0] |
|
518 | :SSH - [0:0] | |
496 |
|
519 | |||
497 | # Rate limit ping requests |
|
520 | # Rate limit ping requests | |
498 | -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT |
|
521 | -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT | |
499 | -A INPUT -p icmp --icmp-type echo-request -j DROP |
|
522 | -A INPUT -p icmp --icmp-type echo-request -j DROP | |
500 |
|
523 | |||
501 | # Accept established connections |
|
524 | # Accept established connections | |
502 | -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT |
|
525 | -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | |
503 |
|
526 | |||
504 | # Accept all traffic on loopback interface |
|
527 | # Accept all traffic on loopback interface | |
505 | -A INPUT -i lo -j ACCEPT |
|
528 | -A INPUT -i lo -j ACCEPT | |
506 |
|
529 | |||
507 | # Drop packets declared invalid |
|
530 | # Drop packets declared invalid | |
508 | -A INPUT -m conntrack --ctstate INVALID -j DROP |
|
531 | -A INPUT -m conntrack --ctstate INVALID -j DROP | |
509 |
|
532 | |||
510 | # SSH rate limiting |
|
533 | # SSH rate limiting | |
511 | -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH |
|
534 | -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH | |
512 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP |
|
535 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP | |
513 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP |
|
536 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP | |
514 | -A SSH -m recent --name sshbf --set -j ACCEPT |
|
537 | -A SSH -m recent --name sshbf --set -j ACCEPT | |
515 |
|
538 | |||
516 | # Send TCP and UDP connections to their respective rules chain |
|
539 | # Send TCP and UDP connections to their respective rules chain | |
517 | -A INPUT -p udp -m conntrack --ctstate NEW -j UDP |
|
540 | -A INPUT -p udp -m conntrack --ctstate NEW -j UDP | |
518 | -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP |
|
541 | -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP | |
519 |
|
542 | |||
520 | # Reject dropped packets with a RFC compliant responce |
|
543 | # Reject dropped packets with a RFC compliant responce | |
521 | -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable |
|
544 | -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable | |
522 | -A INPUT -p tcp -j REJECT --reject-with tcp-rst |
|
545 | -A INPUT -p tcp -j REJECT --reject-with tcp-rst | |
523 | -A INPUT -j REJECT --reject-with icmp-proto-unreachable |
|
546 | -A INPUT -j REJECT --reject-with icmp-proto-unreachable | |
524 |
|
547 | |||
525 | ## TCP PORT RULES |
|
548 | ## TCP PORT RULES | |
526 | # -A TCP -p tcp -j LOG |
|
549 | # -A TCP -p tcp -j LOG | |
527 |
|
550 | |||
528 | ## UDP PORT RULES |
|
551 | ## UDP PORT RULES | |
529 | # -A UDP -p udp -j LOG |
|
552 | # -A UDP -p udp -j LOG | |
530 |
|
553 | |||
531 | COMMIT |
|
554 | COMMIT | |
532 | EOM |
|
555 | EOM | |
533 |
|
556 | |||
534 | # Reload systemd configuration and enable iptables service |
|
557 | # Reload systemd configuration and enable iptables service | |
535 | LANG=C chroot $R systemctl daemon-reload |
|
558 | LANG=C chroot $R systemctl daemon-reload | |
536 | LANG=C chroot $R systemctl enable iptables.service |
|
559 | LANG=C chroot $R systemctl enable iptables.service | |
537 |
|
560 | |||
538 | if [ "$ENABLE_IPV6" = true ] ; then |
|
561 | if [ "$ENABLE_IPV6" = true ] ; then | |
539 | # Create ip6tables systemd service |
|
562 | # Create ip6tables systemd service | |
540 | cat <<EOM >$R/etc/systemd/system/ip6tables.service |
|
563 | cat <<EOM >$R/etc/systemd/system/ip6tables.service | |
541 | [Unit] |
|
564 | [Unit] | |
542 | Description=Packet Filtering Framework |
|
565 | Description=Packet Filtering Framework | |
543 | DefaultDependencies=no |
|
566 | DefaultDependencies=no | |
544 | After=systemd-sysctl.service |
|
567 | After=systemd-sysctl.service | |
545 | Before=sysinit.target |
|
568 | Before=sysinit.target | |
546 | [Service] |
|
569 | [Service] | |
547 | Type=oneshot |
|
570 | Type=oneshot | |
548 | ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules |
|
571 | ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules | |
549 | ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules |
|
572 | ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules | |
550 | ExecStop=/etc/iptables/flush-ip6tables.sh |
|
573 | ExecStop=/etc/iptables/flush-ip6tables.sh | |
551 | RemainAfterExit=yes |
|
574 | RemainAfterExit=yes | |
552 | [Install] |
|
575 | [Install] | |
553 | WantedBy=multi-user.target |
|
576 | WantedBy=multi-user.target | |
554 | EOM |
|
577 | EOM | |
555 |
|
578 | |||
556 | # Create ip6tables file |
|
579 | # Create ip6tables file | |
557 | cat <<EOM >$R/etc/iptables/flush-ip6tables.sh |
|
580 | cat <<EOM >$R/etc/iptables/flush-ip6tables.sh | |
558 | #!/bin/sh |
|
581 | #!/bin/sh | |
559 | ip6tables -F |
|
582 | ip6tables -F | |
560 | ip6tables -X |
|
583 | ip6tables -X | |
561 | ip6tables -Z |
|
584 | ip6tables -Z | |
562 | for table in $(</proc/net/ip6_tables_names) |
|
585 | for table in $(</proc/net/ip6_tables_names) | |
563 | do |
|
586 | do | |
564 | ip6tables -t \$table -F |
|
587 | ip6tables -t \$table -F | |
565 | ip6tables -t \$table -X |
|
588 | ip6tables -t \$table -X | |
566 | ip6tables -t \$table -Z |
|
589 | ip6tables -t \$table -Z | |
567 | done |
|
590 | done | |
568 | ip6tables -P INPUT ACCEPT |
|
591 | ip6tables -P INPUT ACCEPT | |
569 | ip6tables -P OUTPUT ACCEPT |
|
592 | ip6tables -P OUTPUT ACCEPT | |
570 | ip6tables -P FORWARD ACCEPT |
|
593 | ip6tables -P FORWARD ACCEPT | |
571 | EOM |
|
594 | EOM | |
572 |
|
595 | |||
573 | # Create ip6tables rule file |
|
596 | # Create ip6tables rule file | |
574 | cat <<EOM >$R/etc/iptables/ip6tables.rules |
|
597 | cat <<EOM >$R/etc/iptables/ip6tables.rules | |
575 | *filter |
|
598 | *filter | |
576 | :INPUT DROP [0:0] |
|
599 | :INPUT DROP [0:0] | |
577 | :FORWARD DROP [0:0] |
|
600 | :FORWARD DROP [0:0] | |
578 | :OUTPUT ACCEPT [0:0] |
|
601 | :OUTPUT ACCEPT [0:0] | |
579 | :TCP - [0:0] |
|
602 | :TCP - [0:0] | |
580 | :UDP - [0:0] |
|
603 | :UDP - [0:0] | |
581 | :SSH - [0:0] |
|
604 | :SSH - [0:0] | |
582 |
|
605 | |||
583 | # Drop packets with RH0 headers |
|
606 | # Drop packets with RH0 headers | |
584 | -A INPUT -m rt --rt-type 0 -j DROP |
|
607 | -A INPUT -m rt --rt-type 0 -j DROP | |
585 | -A OUTPUT -m rt --rt-type 0 -j DROP |
|
608 | -A OUTPUT -m rt --rt-type 0 -j DROP | |
586 | -A FORWARD -m rt --rt-type 0 -j DROP |
|
609 | -A FORWARD -m rt --rt-type 0 -j DROP | |
587 |
|
610 | |||
588 | # Rate limit ping requests |
|
611 | # Rate limit ping requests | |
589 | -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT |
|
612 | -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT | |
590 | -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP |
|
613 | -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP | |
591 |
|
614 | |||
592 | # Accept established connections |
|
615 | # Accept established connections | |
593 | -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT |
|
616 | -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | |
594 |
|
617 | |||
595 | # Accept all traffic on loopback interface |
|
618 | # Accept all traffic on loopback interface | |
596 | -A INPUT -i lo -j ACCEPT |
|
619 | -A INPUT -i lo -j ACCEPT | |
597 |
|
620 | |||
598 | # Drop packets declared invalid |
|
621 | # Drop packets declared invalid | |
599 | -A INPUT -m conntrack --ctstate INVALID -j DROP |
|
622 | -A INPUT -m conntrack --ctstate INVALID -j DROP | |
600 |
|
623 | |||
601 | # SSH rate limiting |
|
624 | # SSH rate limiting | |
602 | -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH |
|
625 | -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH | |
603 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP |
|
626 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP | |
604 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP |
|
627 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP | |
605 | -A SSH -m recent --name sshbf --set -j ACCEPT |
|
628 | -A SSH -m recent --name sshbf --set -j ACCEPT | |
606 |
|
629 | |||
607 | # Send TCP and UDP connections to their respective rules chain |
|
630 | # Send TCP and UDP connections to their respective rules chain | |
608 | -A INPUT -p udp -m conntrack --ctstate NEW -j UDP |
|
631 | -A INPUT -p udp -m conntrack --ctstate NEW -j UDP | |
609 | -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP |
|
632 | -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP | |
610 |
|
633 | |||
611 | # Reject dropped packets with a RFC compliant responce |
|
634 | # Reject dropped packets with a RFC compliant responce | |
612 | -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited |
|
635 | -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited | |
613 | -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited |
|
636 | -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited | |
614 | -A INPUT -j REJECT --reject-with icmp6-adm-prohibited |
|
637 | -A INPUT -j REJECT --reject-with icmp6-adm-prohibited | |
615 |
|
638 | |||
616 | ## TCP PORT RULES |
|
639 | ## TCP PORT RULES | |
617 | # -A TCP -p tcp -j LOG |
|
640 | # -A TCP -p tcp -j LOG | |
618 |
|
641 | |||
619 | ## UDP PORT RULES |
|
642 | ## UDP PORT RULES | |
620 | # -A UDP -p udp -j LOG |
|
643 | # -A UDP -p udp -j LOG | |
621 |
|
644 | |||
622 | COMMIT |
|
645 | COMMIT | |
623 | EOM |
|
646 | EOM | |
624 |
|
647 | |||
625 | # Reload systemd configuration and enable iptables service |
|
648 | # Reload systemd configuration and enable iptables service | |
626 | LANG=C chroot $R systemctl daemon-reload |
|
649 | LANG=C chroot $R systemctl daemon-reload | |
627 | LANG=C chroot $R systemctl enable ip6tables.service |
|
650 | LANG=C chroot $R systemctl enable ip6tables.service | |
628 |
|
651 | |||
629 | fi |
|
652 | fi | |
630 | fi |
|
653 | fi | |
631 |
|
654 | |||
632 | if [ "$ENABLE_UBOOT" = true ] ; then |
|
655 | if [ "$ENABLE_UBOOT" = true ] ; then | |
633 | # Fetch u-boot github |
|
656 | # Fetch u-boot github | |
634 | git -C $R/tmp clone git://git.denx.de/u-boot.git |
|
657 | git -C $R/tmp clone git://git.denx.de/u-boot.git | |
635 |
|
658 | |||
636 | # Install minimal gcc/g++ build environment and build u-boot inside chroot |
|
659 | # Install minimal gcc/g++ build environment and build u-boot inside chroot | |
637 | LANG=C chroot $R apt-get install -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc |
|
660 | LANG=C chroot $R apt-get install -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc | |
638 | LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all |
|
661 | LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all | |
639 |
|
662 | |||
640 | # Copy compiled bootloader binary and set config.txt to load it |
|
663 | # Copy compiled bootloader binary and set config.txt to load it | |
641 | cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/ |
|
664 | cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/ | |
642 | printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt |
|
665 | printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt | |
643 |
|
666 | |||
644 | # Set u-boot command file |
|
667 | # Set u-boot command file | |
645 | cat <<EOM >$R/boot/firmware/uboot.mkimage |
|
668 | cat <<EOM >$R/boot/firmware/uboot.mkimage | |
646 | # Tell Linux that it is booting on a Raspberry Pi2 |
|
669 | # Tell Linux that it is booting on a Raspberry Pi2 | |
647 | setenv machid 0x00000c42 |
|
670 | setenv machid 0x00000c42 | |
648 |
|
671 | |||
649 | # Set the kernel boot command line |
|
672 | # Set the kernel boot command line | |
650 | setenv bootargs "earlyprintk ${CMDLINE}" |
|
673 | setenv bootargs "earlyprintk ${CMDLINE}" | |
651 |
|
674 | |||
652 | # Save these changes to u-boot's environment |
|
675 | # Save these changes to u-boot's environment | |
653 | saveenv |
|
676 | saveenv | |
654 |
|
677 | |||
655 | # Load the existing Linux kernel into RAM |
|
678 | # Load the existing Linux kernel into RAM | |
656 | fatload mmc 0:1 \${kernel_addr_r} kernel7.img |
|
679 | fatload mmc 0:1 \${kernel_addr_r} kernel7.img | |
657 |
|
680 | |||
658 | # Boot the kernel we have just loaded |
|
681 | # Boot the kernel we have just loaded | |
659 | bootz \${kernel_addr_r} |
|
682 | bootz \${kernel_addr_r} | |
660 | EOM |
|
683 | EOM | |
661 |
|
684 | |||
662 | # Generate u-boot image from command file |
|
685 | # Generate u-boot image from command file | |
663 | LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr |
|
686 | LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr | |
664 |
|
687 | |||
665 | # Remove gcc/c++ build enviroment |
|
688 | # Remove gcc/c++ build enviroment | |
666 | LANG=C chroot $R apt-get purge -y bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make |
|
689 | LANG=C chroot $R apt-get purge -y bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make | |
667 | fi |
|
690 | fi | |
668 |
|
691 | |||
669 | # Clean cached downloads |
|
692 | # Clean cached downloads | |
670 | LANG=C chroot $R apt-get -y clean |
|
693 | LANG=C chroot $R apt-get -y clean | |
671 | LANG=C chroot $R apt-get -y autoclean |
|
694 | LANG=C chroot $R apt-get -y autoclean | |
672 | LANG=C chroot $R apt-get -y autoremove |
|
695 | LANG=C chroot $R apt-get -y autoremove | |
673 |
|
696 | |||
674 | # Unmount mounted filesystems |
|
697 | # Unmount mounted filesystems | |
675 | umount -l $R/proc |
|
698 | umount -l $R/proc | |
676 | umount -l $R/sys |
|
699 | umount -l $R/sys | |
677 |
|
700 | |||
678 | # Clean up files |
|
701 | # Clean up files | |
679 | rm -f $R/etc/apt/sources.list.save |
|
702 | rm -f $R/etc/apt/sources.list.save | |
680 | rm -f $R/etc/resolvconf/resolv.conf.d/original |
|
703 | rm -f $R/etc/resolvconf/resolv.conf.d/original | |
681 | rm -rf $R/run |
|
704 | rm -rf $R/run | |
682 | mkdir -p $R/run |
|
705 | mkdir -p $R/run | |
683 | rm -f $R/etc/*- |
|
706 | rm -f $R/etc/*- | |
684 | rm -f $R/root/.bash_history |
|
707 | rm -f $R/root/.bash_history | |
685 | rm -rf $R/tmp/* |
|
708 | rm -rf $R/tmp/* | |
686 | rm -f $R/var/lib/urandom/random-seed |
|
709 | rm -f $R/var/lib/urandom/random-seed | |
687 | [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id |
|
710 | [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id | |
688 | rm -f $R/etc/machine-id |
|
711 | rm -f $R/etc/machine-id | |
689 |
|
712 | |||
690 | # Calculate size of the chroot directory |
|
713 | # Calculate size of the chroot directory | |
691 | CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024) |
|
714 | CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024) | |
692 |
|
715 | |||
693 | # Calculate required image size |
|
716 | # Calculate required image size | |
694 | IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024` |
|
717 | IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024` | |
695 |
|
718 | |||
696 | # Calculate number of sectors for the partition |
|
719 | # Calculate number of sectors for the partition | |
697 | IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120` |
|
720 | IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120` | |
698 |
|
721 | |||
699 | # Prepare date string for image file name |
|
722 | # Prepare date string for image file name | |
700 | DATE="$(date +%Y-%m-%d)" |
|
723 | DATE="$(date +%Y-%m-%d)" | |
701 |
|
724 | |||
702 | # Prepare image file |
|
725 | # Prepare image file | |
703 | dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1 |
|
726 | dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1 | |
704 | dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE} |
|
727 | dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE} | |
705 |
|
728 | |||
706 | # Write partition table |
|
729 | # Write partition table | |
707 | sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM |
|
730 | sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM | |
708 | unit: sectors |
|
731 | unit: sectors | |
709 |
|
732 | |||
710 | 1 : start= 2048, size= 131072, Id= c, bootable |
|
733 | 1 : start= 2048, size= 131072, Id= c, bootable | |
711 | 2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83 |
|
734 | 2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83 | |
712 | 3 : start= 0, size= 0, Id= 0 |
|
735 | 3 : start= 0, size= 0, Id= 0 | |
713 | 4 : start= 0, size= 0, Id= 0 |
|
736 | 4 : start= 0, size= 0, Id= 0 | |
714 | EOM |
|
737 | EOM | |
715 |
|
738 | |||
716 | # Set up temporary loop devices and build filesystems |
|
739 | # Set up temporary loop devices and build filesystems | |
717 | VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)" |
|
740 | VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)" | |
718 | EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)" |
|
741 | EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)" | |
719 | mkfs.vfat "$VFAT_LOOP" |
|
742 | mkfs.vfat "$VFAT_LOOP" | |
720 | mkfs.ext4 "$EXT4_LOOP" |
|
743 | mkfs.ext4 "$EXT4_LOOP" | |
721 |
|
744 | |||
722 | # Mount the temporary loop devices |
|
745 | # Mount the temporary loop devices | |
723 | mkdir -p "$BUILDDIR/mount" |
|
746 | mkdir -p "$BUILDDIR/mount" | |
724 | mount "$EXT4_LOOP" "$BUILDDIR/mount" |
|
747 | mount "$EXT4_LOOP" "$BUILDDIR/mount" | |
725 |
|
748 | |||
726 | mkdir -p "$BUILDDIR/mount/boot/firmware" |
|
749 | mkdir -p "$BUILDDIR/mount/boot/firmware" | |
727 | mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware" |
|
750 | mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware" | |
728 |
|
751 | |||
729 | # Copy all files from the chroot to the loop device mount point directory |
|
752 | # Copy all files from the chroot to the loop device mount point directory | |
730 | rsync -a "$R/" "$BUILDDIR/mount/" |
|
753 | rsync -a "$R/" "$BUILDDIR/mount/" | |
731 |
|
754 | |||
732 | # Unmount all temporary loop devices and mount points |
|
755 | # Unmount all temporary loop devices and mount points | |
733 | cleanup |
|
756 | cleanup | |
734 |
|
757 | |||
735 | # (optinal) create block map file for "bmaptool" |
|
758 | # (optinal) create block map file for "bmaptool" | |
736 | bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img" |
|
759 | bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img" | |
737 |
|
760 | |||
738 | # Image was successfully created |
|
761 | # Image was successfully created | |
739 | echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created" |
|
762 | echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created" |
General Comments 0
Vous devez vous connecter pour laisser un commentaire.
Se connecter maintenant