##// END OF EJS Templates
Raspi2-3_GenImage
RSS

Cloner depuis https://github.com/drtyhlpr/rpi23-gen-image.git

fix: APT_PROXY enabled inside chroot
Jan Wagner -
r11:be69a54e1e9d
parent child
Show More
Show file before | Show file after | Hide comments
@@ -1,761 +1,767
1 1 #!/bin/sh
2 2
3 3 ########################################################################
4 4 # rpi2-gen-image.sh ver2a 12/2015
5 5 #
6 6 # Advanced debian "jessie" bootstrap script for RPi2
7 7 #
8 8 # This program is free software; you can redistribute it and/or
9 9 # modify it under the terms of the GNU General Public License
10 10 # as published by the Free Software Foundation; either version 2
11 11 # of the License, or (at your option) any later version.
12 12 #
13 13 # some parts based on rpi2-build-image:
14 14 # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
15 15 # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
16 16 ########################################################################
17 17
18 18 cleanup (){
19 19 set +x
20 20 set +e
21 21 echo "removing temporary mount points ..."
22 22 umount -l $R/proc 2> /dev/null
23 23 umount -l $R/sys 2> /dev/null
24 24 umount -l $R/dev/pts 2> /dev/null
25 25 umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
26 26 umount "$BUILDDIR/mount" 2> /dev/null
27 27 losetup -d "$EXT4_LOOP" 2> /dev/null
28 28 losetup -d "$VFAT_LOOP" 2> /dev/null
29 29 trap - 0 1 2 3 6
30 30 }
31 31
32 32 set -e
33 33 set -x
34 34
35 35 RELEASE=${RELEASE:=jessie}
36 36
37 37 # Build settings
38 38 BASEDIR=./images/${RELEASE}
39 39 BUILDDIR=${BASEDIR}/build
40 40
41 41 # General settings
42 42 HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
43 43 PASSWORD=${PASSWORD:=raspberry}
44 44 DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
45 45 TIMEZONE=${TIMEZONE:="Europe/Berlin"}
46 46
47 47 # APT settings
48 48 APT_PROXY=${APT_PROXY:=""}
49 49 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
50 50
51 51 # Feature settings
52 52 ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
53 53 ENABLE_IPV6=${ENABLE_IPV6:=true}
54 54 ENABLE_SSHD=${ENABLE_SSHD:=true}
55 55 ENABLE_SOUND=${ENABLE_SOUND:=true}
56 56 ENABLE_SYSTEMD=${ENABLE_SYSTEMD:=true}
57 57 ENABLE_DBUS=${ENABLE_DBUS:=true}
58 58 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
59 59 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
60 60 ENABLE_XORG=${ENABLE_XORG:=false}
61 61 ENABLE_FLUXBOX=${ENABLE_FLUXBOX:=false}
62 62
63 63 # Advanced settings
64 64 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
65 65 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
66 66 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
67 67
68 68 # Image chroot path
69 69 R=${BUILDDIR}/chroot
70 70
71 71 # Packages required for bootstrapping
72 72 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core"
73 73
74 74 # Missing packages that need to be installed
75 75 MISSING_PACKAGES=""
76 76
77 77 # Packages required in the chroot build enviroment
78 78 APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,locales,apt-utils,vim-tiny"
79 79
80 80 set +x
81 81
82 82 # Are we running as root?
83 83 if [ "$(id -u)" -ne "0" ] ; then
84 84 echo "this script must be executed with root privileges"
85 85 exit 1
86 86 fi
87 87
88 88 # Check if all required packages are installed
89 89 for package in $REQUIRED_PACKAGES ; do
90 90 if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
91 91 MISSING_PACKAGES="$MISSING_PACKAGES $package"
92 92 fi
93 93 done
94 94
95 95 # Ask if missing packages should get installed right now
96 96 if [ -n "$MISSING_PACKAGES" ] ; then
97 97 echo "the following packages needed by this script are not installed:"
98 98 echo "$MISSING_PACKAGES"
99 99
100 100 echo -n "\ndo you want to install the missing packages right now? [y/n] "
101 101 read confirm
102 102 if [ "$confirm" != "y" ] ; then
103 103 exit 1
104 104 fi
105 105 fi
106 106
107 107 # Make sure all required packages are installed
108 108 apt-get -qq -y install ${REQUIRED_PACKAGES}
109 109
110 110 # Don't clobber an old build
111 111 if [ -e "$BUILDDIR" ]; then
112 112 echo "directory $BUILDDIR already exists, not proceeding"
113 113 exit 1
114 114 fi
115 115
116 116 set -x
117 117
118 118 # Call "cleanup" function on various signals and errors
119 119 trap cleanup 0 1 2 3 6
120 120
121 121 # Set up chroot directory
122 122 mkdir -p $R
123 123
124 124 # Use traditional SystemV init instead of systemd services
125 125 if [ "$ENABLE_SYSTEMD" = false ] ; then
126 126 APT_INCLUDES="${APT_INCLUDES},sysvinit-core"
127 127 fi
128 128
129 129 # Add dbus package, recommended if using systemd
130 130 if [ "$ENABLE_DBUS" = true ] ; then
131 131 APT_INCLUDES="${APT_INCLUDES},dbus"
132 132 fi
133 133
134 134 # Add openssh server package
135 135 if [ "$ENABLE_SSHD" = true ] ; then
136 136 APT_INCLUDES="${APT_INCLUDES},openssh-server"
137 137 fi
138 138
139 139 # Add rng-tools package
140 140 if [ "$ENABLE_HWRANDOM" = true ] ; then
141 141 APT_INCLUDES="${APT_INCLUDES},rng-tools"
142 142 fi
143 143
144 144 # Add xorg package
145 145 if [ "$ENABLE_XORG" = true ] ; then
146 146 APT_INCLUDES="${APT_INCLUDES},xorg"
147 147 fi
148 148
149 149 # Add fluxbox package with eterm
150 150 if [ "$ENABLE_FLUXBOX" = true ] ; then
151 151 APT_INCLUDES="${APT_INCLUDES},fluxbox,eterm"
152 152 fi
153 153
154 154 if [ -z "$APT_PROXY" ] ; then
155 155 APT_PROXY="http://"
156 156 fi
157 157
158 158 # Base debootstrap (unpack only)
159 159 debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian
160 160 cp /usr/bin/qemu-arm-static $R/usr/bin
161 161
162 162 # Remove systemd related packages from list of packages to be bootstrapped
163 163 if [ "$ENABLE_SYSTEMD" = false ] ; then
164 164 chroot $R sed -i -e 's/systemd systemd-sysv //g' /debootstrap/required
165 165 fi
166 166
167 167 # Copy debian-archive-keyring.pgp
168 168 chroot $R mkdir -p /usr/share/keyrings
169 169 cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
170 170
171 171 # Complete the bootstrapping proccess
172 172 chroot $R /debootstrap/debootstrap --second-stage
173 173
174 174 # Mount required filesystems
175 175 mount -t proc none $R/proc
176 176 mount -t sysfs none $R/sys
177 177 mount --bind /dev/pts $R/dev/pts
178 178
179 # Use proxy inside chroot
180 if [ -z "$APT_PROXY" ] ; then
181 echo "Acquire::http::Proxy \"$APT_PROXY\"" >> $R/etc/apt/apt.conf.d/10proxy
182 fi
183
179 184 # Pin package flash-kernel to repositories.collabora.co.uk
180 185 cat <<EOM >$R/etc/apt/preferences.d/flash-kernel
181 186 Package: flash-kernel
182 187 Pin: origin repositories.collabora.co.uk
183 188 Pin-Priority: 1000
184 189 EOM
185 190
186 191 # Set up timezone
187 192 echo ${TIMEZONE} >$R/etc/timezone
188 193 LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata
189 194
190 195 # Set up default locales to "en_US.UTF-8" default
191 196 LANG=C chroot $R sed -i '/${DEFLOCAL}/s/^#//' /etc/locale.gen
192 197 LANG=C chroot $R locale-gen ${DEFLOCAL}
193 198
194 199 # Upgrade collabora package index and install collabora keyring
195 200 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
196 201 LANG=C chroot $R apt-get -qq -y update
197 202 LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring
198 203
199 204 # Set up initial sources.list
200 205 cat <<EOM >$R/etc/apt/sources.list
201 206 deb http://${APT_SERVER}/debian ${RELEASE} main contrib
202 207 #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib
203 208
204 209 deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
205 210 #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
206 211
207 212 deb http://security.debian.org/ ${RELEASE}/updates main contrib
208 213 #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib
209 214
210 215 deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
211 216 EOM
212 217
213 218 # Upgrade package index and update all installed packages and changed dependencies
214 219 LANG=C chroot $R apt-get -qq -y update
215 220 LANG=C chroot $R apt-get -qq -y -u dist-upgrade
216 221
217 222 # Kernel installation
218 223 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
219 224 LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2
220 225 LANG=C chroot $R apt-get -qq -y install flash-kernel
221 226
222 227 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
223 228 [ -z "$VMLINUZ" ] && exit 1
224 229 mkdir -p $R/boot/firmware
225 230
226 231 # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")
227 232 wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin
228 233 wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat
229 234 wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat
230 235 wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat
231 236 wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf
232 237 wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf
233 238 wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf
234 239 cp $VMLINUZ $R/boot/firmware/kernel7.img
235 240
236 241 # Set up hosts
237 242 echo ${HOSTNAME} >$R/etc/hostname
238 243 cat <<EOM >$R/etc/hosts
239 244 127.0.0.1 localhost
240 245 127.0.1.1 ${HOSTNAME}
241 246 EOM
242 247
243 248 if [ "$ENABLE_IPV6" = true ] ; then
244 249 cat <<EOM >>$R/etc/hosts
245 250
246 251 ::1 localhost ip6-localhost ip6-loopback
247 252 ff02::1 ip6-allnodes
248 253 ff02::2 ip6-allrouters
249 254 EOM
250 255 fi
251 256
252 257 # Generate crypt(3) password string
253 258 ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
254 259
255 260 # Set up default user
256 261 LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi
257 262 LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
258 263
259 264 # Set up root password
260 265 LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root
261 266
262 267 # Set up interfaces
263 268 cat <<EOM >$R/etc/network/interfaces
264 269 # interfaces(5) file used by ifup(8) and ifdown(8)
265 270 # Include files from /etc/network/interfaces.d:
266 271 source-directory /etc/network/interfaces.d
267 272
268 273 # The loopback network interface
269 274 auto lo
270 275 iface lo inet loopback
271 276
272 277 # The primary network interface
273 278 allow-hotplug eth0
274 279 iface eth0 inet dhcp
275 280 EOM
276 281
277 282 # Set up firmware boot cmdline
278 283 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
279 284
280 285 # Set up serial console support (if requested)
281 286 if [ "$ENABLE_CONSOLE" = true ] ; then
282 287 CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
283 288 fi
284 289
285 290 # Set up ipv6 support (if requested)
286 291 if [ "$ENABLE_IPV6" = false ] ; then
287 292 CMDLINE="${CMDLINE} ipv6.disable=1"
288 293 fi
289 294
290 295 echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
291 296
292 297 # Set up firmware config
293 298 cat <<EOM >$R/boot/firmware/config.txt
294 299 # For more options and information see
295 300 # http://www.raspberrypi.org/documentation/configuration/config-txt.md
296 301 # Some settings may impact device functionality. See link above for details
297 302
298 303 # uncomment if you get no picture on HDMI for a default "safe" mode
299 304 #hdmi_safe=1
300 305
301 306 # uncomment this if your display has a black border of unused pixels visible
302 307 # and your display can output without overscan
303 308 #disable_overscan=1
304 309
305 310 # uncomment the following to adjust overscan. Use positive numbers if console
306 311 # goes off screen, and negative if there is too much border
307 312 #overscan_left=16
308 313 #overscan_right=16
309 314 #overscan_top=16
310 315 #overscan_bottom=16
311 316
312 317 # uncomment to force a console size. By default it will be display's size minus
313 318 # overscan.
314 319 #framebuffer_width=1280
315 320 #framebuffer_height=720
316 321
317 322 # uncomment if hdmi display is not detected and composite is being output
318 323 #hdmi_force_hotplug=1
319 324
320 325 # uncomment to force a specific HDMI mode (this will force VGA)
321 326 #hdmi_group=1
322 327 #hdmi_mode=1
323 328
324 329 # uncomment to force a HDMI mode rather than DVI. This can make audio work in
325 330 # DMT (computer monitor) modes
326 331 #hdmi_drive=2
327 332
328 333 # uncomment to increase signal to HDMI, if you have interference, blanking, or
329 334 # no display
330 335 #config_hdmi_boost=4
331 336
332 337 # uncomment for composite PAL
333 338 #sdtv_mode=2
334 339
335 340 # uncomment to overclock the arm. 700 MHz is the default.
336 341 #arm_freq=800
337 342 EOM
338 343
339 344 # Set smallest possible GPU memory allocation size: 16MB (no X)
340 345 if [ "$ENABLE_MINGPU" = true ] ; then
341 346 echo "gpu_mem=16" >>$R/boot/firmware/config.txt
342 347 fi
343 348
344 349 # Create symlinks
345 350 ln -sf firmware/config.txt $R/boot/config.txt
346 351 ln -sf firmware/cmdline.txt $R/boot/cmdline.txt
347 352
348 353 # Prepare modules-load.d directory
349 354 mkdir -p $R/lib/modules-load.d/
350 355
351 356 # Load random module on boot
352 357 if [ "$ENABLE_HWRANDOM" = true ] ; then
353 358 cat <<EOM >$R/lib/modules-load.d/rpi2.conf
354 359 bcm2708_rng
355 360 EOM
356 361 fi
357 362
358 363 # Prepare modprobe.d directory
359 364 mkdir -p $R/etc/modprobe.d/
360 365
361 366 # Blacklist sound modules
362 367 cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf
363 368 blacklist snd_soc_core
364 369 blacklist snd_pcm
365 370 blacklist snd_pcm_dmaengine
366 371 blacklist snd_timer
367 372 blacklist snd_compress
368 373 blacklist snd_soc_pcm512x_i2c
369 374 blacklist snd_soc_pcm512x
370 375 blacklist snd_soc_tas5713
371 376 blacklist snd_soc_wm8804
372 377 EOM
373 378
374 379 # Create default fstab
375 380 cat <<EOM >$R/etc/fstab
376 381 /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
377 382 /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
378 383 EOM
379 384
380 385 # Avoid swapping and increase cache sizes
381 386 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
382 387
383 388 # Avoid swapping and increase cache sizes
384 389 vm.swappiness=1
385 390 vm.dirty_background_ratio=20
386 391 vm.dirty_ratio=40
387 392 vm.dirty_writeback_centisecs=500
388 393 vm.dirty_expire_centisecs=6000
389 394 EOM
390 395
391 396 # Enable network stack hardening
392 397 if [ "$ENABLE_HARDNET" = true ] ; then
393 398 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
394 399
395 400 # Enable network stack hardening
396 401 net.ipv4.tcp_timestamps=0
397 402 net.ipv4.tcp_syncookies=1
398 403 net.ipv4.conf.all.rp_filter=1
399 404 net.ipv4.conf.all.accept_redirects=0
400 405 net.ipv4.conf.all.send_redirects=0
401 406 net.ipv4.conf.all.accept_source_route=0
402 407 net.ipv4.conf.default.rp_filter=1
403 408 net.ipv4.conf.default.accept_redirects=0
404 409 net.ipv4.conf.default.send_redirects=0
405 410 net.ipv4.conf.default.accept_source_route=0
406 411 net.ipv4.conf.lo.accept_redirects=0
407 412 net.ipv4.conf.lo.send_redirects=0
408 413 net.ipv4.conf.lo.accept_source_route=0
409 414 net.ipv4.conf.eth0.accept_redirects=0
410 415 net.ipv4.conf.eth0.send_redirects=0
411 416 net.ipv4.conf.eth0.accept_source_route=0
412 417 net.ipv4.icmp_echo_ignore_broadcasts=1
413 418 net.ipv4.icmp_ignore_bogus_error_responses=1
414 419
415 420 net.ipv6.conf.all.accept_redirects=0
416 421 net.ipv6.conf.all.accept_source_route=0
417 422 net.ipv6.conf.all.router_solicitations=0
418 423 net.ipv6.conf.all.accept_ra_rtr_pref=0
419 424 net.ipv6.conf.all.accept_ra_pinfo=0
420 425 net.ipv6.conf.all.accept_ra_defrtr=0
421 426 net.ipv6.conf.all.autoconf=0
422 427 net.ipv6.conf.all.dad_transmits=0
423 428 net.ipv6.conf.all.max_addresses=1
424 429
425 430 net.ipv6.conf.default.accept_redirects=0
426 431 net.ipv6.conf.default.accept_source_route=0
427 432 net.ipv6.conf.default.router_solicitations=0
428 433 net.ipv6.conf.default.accept_ra_rtr_pref=0
429 434 net.ipv6.conf.default.accept_ra_pinfo=0
430 435 net.ipv6.conf.default.accept_ra_defrtr=0
431 436 net.ipv6.conf.default.autoconf=0
432 437 net.ipv6.conf.default.dad_transmits=0
433 438 net.ipv6.conf.default.max_addresses=1
434 439
435 440 net.ipv6.conf.lo.accept_redirects=0
436 441 net.ipv6.conf.lo.accept_source_route=0
437 442 net.ipv6.conf.lo.router_solicitations=0
438 443 net.ipv6.conf.lo.accept_ra_rtr_pref=0
439 444 net.ipv6.conf.lo.accept_ra_pinfo=0
440 445 net.ipv6.conf.lo.accept_ra_defrtr=0
441 446 net.ipv6.conf.lo.autoconf=0
442 447 net.ipv6.conf.lo.dad_transmits=0
443 448 net.ipv6.conf.lo.max_addresses=1
444 449
445 450 net.ipv6.conf.eth0.accept_redirects=0
446 451 net.ipv6.conf.eth0.accept_source_route=0
447 452 net.ipv6.conf.eth0.router_solicitations=0
448 453 net.ipv6.conf.eth0.accept_ra_rtr_pref=0
449 454 net.ipv6.conf.eth0.accept_ra_pinfo=0
450 455 net.ipv6.conf.eth0.accept_ra_defrtr=0
451 456 net.ipv6.conf.eth0.autoconf=0
452 457 net.ipv6.conf.eth0.dad_transmits=0
453 458 net.ipv6.conf.eth0.max_addresses=1
454 459 EOM
455 460
456 461 # Enable resolver warnings about spoofed addresses
457 462 cat <<EOM >>$R/etc/host.conf
458 463 spoof warn
459 464 EOM
460 465 fi
461 466
462 467 # Regenerate openssh server host keys
463 468 if [ "$ENABLE_SSHD" = true ] ; then
464 469 rm -fr $R/etc/ssh/ssh_host_*
465 470 LANG=C chroot $R dpkg-reconfigure openssh-server
466 471 fi
467 472
468 473 # Enable serial console systemd style
469 474 if [ "$ENABLE_CONSOLE" = true ] ; then
470 475 LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service
471 476 fi
472 477
473 478 # Enable firewall based on iptables started by systemd service
474 479 if [ "$ENABLE_IPTABLES" = true ] ; then
475 480 # Create iptables configuration directory
476 481 mkdir -p "$R/etc/iptables"
477 482
478 483 # Create iptables systemd service
479 484 cat <<EOM >$R/etc/systemd/system/iptables.service
480 485 [Unit]
481 486 Description=Packet Filtering Framework
482 487 DefaultDependencies=no
483 488 After=systemd-sysctl.service
484 489 Before=sysinit.target
485 490 [Service]
486 491 Type=oneshot
487 492 ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
488 493 ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
489 494 ExecStop=/etc/iptables/flush-iptables.sh
490 495 RemainAfterExit=yes
491 496 [Install]
492 497 WantedBy=multi-user.target
493 498 EOM
494 499
495 500 # Create flush-table script called by iptables service
496 501 cat <<EOM >$R/etc/iptables/flush-iptables.sh
497 502 #!/bin/sh
498 503 iptables -F
499 504 iptables -X
500 505 iptables -t nat -F
501 506 iptables -t nat -X
502 507 iptables -t mangle -F
503 508 iptables -t mangle -X
504 509 iptables -P INPUT ACCEPT
505 510 iptables -P FORWARD ACCEPT
506 511 iptables -P OUTPUT ACCEPT
507 512 EOM
508 513
509 514 # Create iptables rule file
510 515 cat <<EOM >$R/etc/iptables/iptables.rules
511 516 *filter
512 517 :INPUT DROP [0:0]
513 518 :FORWARD DROP [0:0]
514 519 :OUTPUT ACCEPT [0:0]
515 520 :TCP - [0:0]
516 521 :UDP - [0:0]
517 522 :SSH - [0:0]
518 523
519 524 # Rate limit ping requests
520 525 -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
521 526 -A INPUT -p icmp --icmp-type echo-request -j DROP
522 527
523 528 # Accept established connections
524 529 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
525 530
526 531 # Accept all traffic on loopback interface
527 532 -A INPUT -i lo -j ACCEPT
528 533
529 534 # Drop packets declared invalid
530 535 -A INPUT -m conntrack --ctstate INVALID -j DROP
531 536
532 537 # SSH rate limiting
533 538 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
534 539 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
535 540 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
536 541 -A SSH -m recent --name sshbf --set -j ACCEPT
537 542
538 543 # Send TCP and UDP connections to their respective rules chain
539 544 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
540 545 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
541 546
542 547 # Reject dropped packets with a RFC compliant responce
543 548 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
544 549 -A INPUT -p tcp -j REJECT --reject-with tcp-rst
545 550 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
546 551
547 552 ## TCP PORT RULES
548 553 # -A TCP -p tcp -j LOG
549 554
550 555 ## UDP PORT RULES
551 556 # -A UDP -p udp -j LOG
552 557
553 558 COMMIT
554 559 EOM
555 560
556 561 # Reload systemd configuration and enable iptables service
557 562 LANG=C chroot $R systemctl daemon-reload
558 563 LANG=C chroot $R systemctl enable iptables.service
559 564
560 565 if [ "$ENABLE_IPV6" = true ] ; then
561 566 # Create ip6tables systemd service
562 567 cat <<EOM >$R/etc/systemd/system/ip6tables.service
563 568 [Unit]
564 569 Description=Packet Filtering Framework
565 570 DefaultDependencies=no
566 571 After=systemd-sysctl.service
567 572 Before=sysinit.target
568 573 [Service]
569 574 Type=oneshot
570 575 ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
571 576 ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
572 577 ExecStop=/etc/iptables/flush-ip6tables.sh
573 578 RemainAfterExit=yes
574 579 [Install]
575 580 WantedBy=multi-user.target
576 581 EOM
577 582
578 583 # Create ip6tables file
579 584 cat <<EOM >$R/etc/iptables/flush-ip6tables.sh
580 585 #!/bin/sh
581 586 ip6tables -F
582 587 ip6tables -X
583 588 ip6tables -Z
584 589 for table in $(</proc/net/ip6_tables_names)
585 590 do
586 591 ip6tables -t \$table -F
587 592 ip6tables -t \$table -X
588 593 ip6tables -t \$table -Z
589 594 done
590 595 ip6tables -P INPUT ACCEPT
591 596 ip6tables -P OUTPUT ACCEPT
592 597 ip6tables -P FORWARD ACCEPT
593 598 EOM
594 599
595 600 # Create ip6tables rule file
596 601 cat <<EOM >$R/etc/iptables/ip6tables.rules
597 602 *filter
598 603 :INPUT DROP [0:0]
599 604 :FORWARD DROP [0:0]
600 605 :OUTPUT ACCEPT [0:0]
601 606 :TCP - [0:0]
602 607 :UDP - [0:0]
603 608 :SSH - [0:0]
604 609
605 610 # Drop packets with RH0 headers
606 611 -A INPUT -m rt --rt-type 0 -j DROP
607 612 -A OUTPUT -m rt --rt-type 0 -j DROP
608 613 -A FORWARD -m rt --rt-type 0 -j DROP
609 614
610 615 # Rate limit ping requests
611 616 -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
612 617 -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
613 618
614 619 # Accept established connections
615 620 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
616 621
617 622 # Accept all traffic on loopback interface
618 623 -A INPUT -i lo -j ACCEPT
619 624
620 625 # Drop packets declared invalid
621 626 -A INPUT -m conntrack --ctstate INVALID -j DROP
622 627
623 628 # SSH rate limiting
624 629 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
625 630 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
626 631 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
627 632 -A SSH -m recent --name sshbf --set -j ACCEPT
628 633
629 634 # Send TCP and UDP connections to their respective rules chain
630 635 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
631 636 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
632 637
633 638 # Reject dropped packets with a RFC compliant responce
634 639 -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
635 640 -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
636 641 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
637 642
638 643 ## TCP PORT RULES
639 644 # -A TCP -p tcp -j LOG
640 645
641 646 ## UDP PORT RULES
642 647 # -A UDP -p udp -j LOG
643 648
644 649 COMMIT
645 650 EOM
646 651
647 652 # Reload systemd configuration and enable iptables service
648 653 LANG=C chroot $R systemctl daemon-reload
649 654 LANG=C chroot $R systemctl enable ip6tables.service
650 655
651 656 fi
652 657 fi
653 658
654 659 if [ "$ENABLE_UBOOT" = true ] ; then
655 660 # Fetch u-boot github
656 661 git -C $R/tmp clone git://git.denx.de/u-boot.git
657 662
658 663 # Install minimal gcc/g++ build environment and build u-boot inside chroot
659 664 LANG=C chroot $R apt-get install -qq -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
660 665 LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all
661 666
662 667 # Copy compiled bootloader binary and set config.txt to load it
663 668 cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
664 669 printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
665 670
666 671 # Set u-boot command file
667 672 cat <<EOM >$R/boot/firmware/uboot.mkimage
668 673 # Tell Linux that it is booting on a Raspberry Pi2
669 674 setenv machid 0x00000c42
670 675
671 676 # Set the kernel boot command line
672 677 setenv bootargs "earlyprintk ${CMDLINE}"
673 678
674 679 # Save these changes to u-boot's environment
675 680 saveenv
676 681
677 682 # Load the existing Linux kernel into RAM
678 683 fatload mmc 0:1 \${kernel_addr_r} kernel7.img
679 684
680 685 # Boot the kernel we have just loaded
681 686 bootz \${kernel_addr_r}
682 687 EOM
683 688
684 689 # Generate u-boot image from command file
685 690 LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
686 691
687 692 # Remove gcc/c++ build enviroment
688 693 LANG=C chroot $R apt-get purge -y bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
689 694 fi
690 695
691 696 # Clean cached downloads
692 697 LANG=C chroot $R apt-get -y clean
693 698 LANG=C chroot $R apt-get -y autoclean
694 699 LANG=C chroot $R apt-get -y autoremove
695 700
696 701 # Unmount mounted filesystems
697 702 umount -l $R/proc
698 703 umount -l $R/sys
699 704
700 705 # Clean up files
701 706 rm -f $R/etc/apt/sources.list.save
702 707 rm -f $R/etc/resolvconf/resolv.conf.d/original
703 708 rm -rf $R/run
704 709 mkdir -p $R/run
705 710 rm -f $R/etc/*-
706 711 rm -f $R/root/.bash_history
707 712 rm -rf $R/tmp/*
708 713 rm -f $R/var/lib/urandom/random-seed
709 714 [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id
710 715 rm -f $R/etc/machine-id
716 rm -fr $R/etc/apt/apt.conf.d/10proxy
711 717
712 718 # Calculate size of the chroot directory
713 719 CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)
714 720
715 721 # Calculate required image size
716 722 IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`
717 723
718 724 # Calculate number of sectors for the partition
719 725 IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`
720 726
721 727 # Prepare date string for image file name
722 728 DATE="$(date +%Y-%m-%d)"
723 729
724 730 # Prepare image file
725 731 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1
726 732 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}
727 733
728 734 # Write partition table
729 735 sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
730 736 unit: sectors
731 737
732 738 1 : start= 2048, size= 131072, Id= c, bootable
733 739 2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83
734 740 3 : start= 0, size= 0, Id= 0
735 741 4 : start= 0, size= 0, Id= 0
736 742 EOM
737 743
738 744 # Set up temporary loop devices and build filesystems
739 745 VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
740 746 EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
741 747 mkfs.vfat "$VFAT_LOOP"
742 748 mkfs.ext4 "$EXT4_LOOP"
743 749
744 750 # Mount the temporary loop devices
745 751 mkdir -p "$BUILDDIR/mount"
746 752 mount "$EXT4_LOOP" "$BUILDDIR/mount"
747 753
748 754 mkdir -p "$BUILDDIR/mount/boot/firmware"
749 755 mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"
750 756
751 757 # Copy all files from the chroot to the loop device mount point directory
752 758 rsync -a "$R/" "$BUILDDIR/mount/"
753 759
754 760 # Unmount all temporary loop devices and mount points
755 761 cleanup
756 762
757 763 # (optinal) create block map file for "bmaptool"
758 764 bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
759 765
760 766 # Image was successfully created
761 767 echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"
General Comments 0
Vous devez vous connecter pour laisser un commentaire. Se connecter maintenant