Add support for static network configuration.
Vincent Knecht -
r25:cb91ab1abbae
@@ -1,101 +1,128
1 # rpi2-gen-image
1 # rpi2-gen-image
2 ## Introduction
2 ## Introduction
3 `rpi2-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for the Raspberry 2 (RPi2) computer. The script at this time only supports the bootstrapping of the current stable Debian 8 "jessie" release.
3 `rpi2-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for the Raspberry 2 (RPi2) computer. The script at this time only supports the bootstrapping of the current stable Debian 8 "jessie" release.
4
4
5 ## Build dependencies
5 ## Build dependencies
6 The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user.
6 The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user.
7
7
8 ```debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core```
8 ```debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core```
9
9
10 ## Command-line parameters
10 ## Command-line parameters
11 The script accepts certain command-line parameters to enable or disable specific OS features, services and configuration settings. These parameters are passed to the `rpi2-gen-image.sh` script via (simple) shell-variables. Unlike environment shell-variables (simple) shell-variables are defined at the beginning of the command-line call of the `rpi2-gen-image.sh` script.
11 The script accepts certain command-line parameters to enable or disable specific OS features, services and configuration settings. These parameters are passed to the `rpi2-gen-image.sh` script via (simple) shell-variables. Unlike environment shell-variables (simple) shell-variables are defined at the beginning of the command-line call of the `rpi2-gen-image.sh` script.
12
12
13 #####Command-line examples:
13 #####Command-line examples:
14 ```shell
14 ```shell
15 ENABLE_UBOOT=true ./rpi2-gen-image.sh
15 ENABLE_UBOOT=true ./rpi2-gen-image.sh
16 ENABLE_CONSOLE=false ENABLE_IPV6=false ./rpi2-gen-image.sh
16 ENABLE_CONSOLE=false ENABLE_IPV6=false ./rpi2-gen-image.sh
17 ENABLE_WM=xfce4 ENABLE_FBTURBO=true ENABLE_MINBASE=true ./rpi2-gen-image.sh
17 ENABLE_WM=xfce4 ENABLE_FBTURBO=true ENABLE_MINBASE=true ./rpi2-gen-image.sh
18 ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi2-gen-image.sh
18 ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi2-gen-image.sh
19 APT_SERVER=ftp.de.debian.org APT_PROXY="http://127.0.0.1:3142/" ./rpi2-gen-image.sh
19 APT_SERVER=ftp.de.debian.org APT_PROXY="http://127.0.0.1:3142/" ./rpi2-gen-image.sh
20 ENABLE_MINBASE=true ./rpi2-gen-image.sh
20 ENABLE_MINBASE=true ./rpi2-gen-image.sh
21 ```
21 ```
22
22
23 #### APT settings:
23 #### APT settings:
24 ##### `APT_SERVER`="ftp.debian.org"
24 ##### `APT_SERVER`="ftp.debian.org"
25 Set Debian packages server address. Choose a server from the list of Debian worldwide [mirror sites](https://www.debian.org/mirror/list). Using a nearby server will probably speed-up all required downloads within the bootstrapping process.
25 Set Debian packages server address. Choose a server from the list of Debian worldwide [mirror sites](https://www.debian.org/mirror/list). Using a nearby server will probably speed-up all required downloads within the bootstrapping process.
26
26
27 ##### `APT_PROXY`=""
27 ##### `APT_PROXY`=""
28 Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once.
28 Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once.
29
29
30 #### General system settings:
30 #### General system settings:
31 ##### `HOSTNAME`="rpi2-jessie"
31 ##### `HOSTNAME`="rpi2-jessie"
32 Set system host name. It's recommended that the host name is unique in the corresponding subnet.
32 Set system host name. It's recommended that the host name is unique in the corresponding subnet.
33
33
34 ##### `PASSWORD`="raspberry"
34 ##### `PASSWORD`="raspberry"
35 Set system `root` password. The same password is used for the created user `pi`. It's **STRONGLY** recommended that you choose a custom password.
35 Set system `root` password. The same password is used for the created user `pi`. It's **STRONGLY** recommended that you choose a custom password.
36
36
37 ##### `DEFLOCAL`="en_US.UTF-8"
37 ##### `DEFLOCAL`="en_US.UTF-8"
38 Set default system locale and keyboard layout. This setting can also be changed inside the running OS using the `dpkg-reconfigure locales` command. The script variant `minbase` (ENABLE_MINBASE=true) doesn't install `locales`.
38 Set default system locale and keyboard layout. This setting can also be changed inside the running OS using the `dpkg-reconfigure locales` command. The script variant `minbase` (ENABLE_MINBASE=true) doesn't install `locales`.
39
39
40 ##### `TIMEZONE`="Europe/Berlin"
40 ##### `TIMEZONE`="Europe/Berlin"
41 Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command.
41 Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command.
42
42
43 #### Networking settings
44 These settings are used to set up networking configuration in `/etc/systemd/network/eth.network`.
45
46 #####`ENABLE_DHCP`=true
47 Set the system to use DHCP. When set to "true", the following `NET_*` settings (used for static configuration) are ignored.
48
49 #####`NET_ADDRESS`=""
50 Set a static IPv4 or IPv6 address and its prefix, separated by "/", eg. "192.169.0.3/24".
51
52 #####`NET_GATEWAY`=""
53 Set the IP address for the default gateway.
54
55 #####`NET_DNS_1`=""
56 Set the IP address for the first DNS server.
57
58 #####`NET_DNS_2`=""
59 Set the IP address for the second DNS server.
60
61 #####`NET_DNS_DOMAINS`=""
62 Set the default DNS search domains to use for non fully qualified host names.
63
64 #####`NET_NTP_1`=""
65 Set the IP address for the first NTP server.
66
67 #####`NET_NTP_2`=""
68 Set the IP address for the second NTP server.
69
43 #### Basic system features:
70 #### Basic system features:
44 ##### `ENABLE_CONSOLE`=true
71 ##### `ENABLE_CONSOLE`=true
45 Enable serial console interface. Recommended if no monitor or keyboard is connected to the RPi2. In case of problems fe. if the network (auto) configuration failed - the serial console can be used to access the system.
72 Enable serial console interface. Recommended if no monitor or keyboard is connected to the RPi2. In case of problems fe. if the network (auto) configuration failed - the serial console can be used to access the system.
46
73
47 ##### `ENABLE_IPV6`=true
74 ##### `ENABLE_IPV6`=true
48 Enable IPv6 support. The network interface configuration is managed via systemd-networkd.
75 Enable IPv6 support. The network interface configuration is managed via systemd-networkd.
49
76
50 ##### `ENABLE_SSHD`=true
77 ##### `ENABLE_SSHD`=true
51 Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root.
78 Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root.
52
79
53 ##### `ENABLE_SOUND`=true
80 ##### `ENABLE_SOUND`=true
54 Enable sound hardware and install Advanced Linux Sound Architecture.
81 Enable sound hardware and install Advanced Linux Sound Architecture.
55
82
56 ##### `ENABLE_HWRANDOM`=true
83 ##### `ENABLE_HWRANDOM`=true
57 Enable Hardware Random Number Generator. Strong random numbers are important for most network based communications that use encryption. It's recommended to be enabled.
84 Enable Hardware Random Number Generator. Strong random numbers are important for most network based communications that use encryption. It's recommended to be enabled.
58
85
59 ##### `ENABLE_MINGPU`=false
86 ##### `ENABLE_MINGPU`=false
60 Minimize the amount of shared memory reserved for the GPU. It doesn't seem to be possible to fully disable the GPU.
87 Minimize the amount of shared memory reserved for the GPU. It doesn't seem to be possible to fully disable the GPU.
61
88
62 ##### `ENABLE_DBUS`=true
89 ##### `ENABLE_DBUS`=true
63 Install and enable D-Bus message bus. Please note that systemd should work without D-bus but it's recommended to be enabled.
90 Install and enable D-Bus message bus. Please note that systemd should work without D-bus but it's recommended to be enabled.
64
91
65 ##### `ENABLE_XORG`=false
92 ##### `ENABLE_XORG`=false
66 Install Xorg open-source X Window System.
93 Install Xorg open-source X Window System.
67
94
68 ##### `ENABLE_WM`=""
95 ##### `ENABLE_WM`=""
69 Install a user defined window manager for the X Window System. To make sure all X related package dependencies are getting installed `ENABLE_XORG` will automatically get enabled if `ENABLE_WM` is used. The `rpi2-gen-image.sh` script has been tested with the following list of window managers: `blackbox`, `openbox`, `fluxbox`, `jwm`, `dwm`, `xfce4`, `awesome`.
96 Install a user defined window manager for the X Window System. To make sure all X related package dependencies are getting installed `ENABLE_XORG` will automatically get enabled if `ENABLE_WM` is used. The `rpi2-gen-image.sh` script has been tested with the following list of window managers: `blackbox`, `openbox`, `fluxbox`, `jwm`, `dwm`, `xfce4`, `awesome`.
70
97
71 #### Advanced sytem features:
98 #### Advanced sytem features:
72 ##### `ENABLE_MINBASE`=false
99 ##### `ENABLE_MINBASE`=false
73 Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB.
100 Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB.
74
101
75 ##### `ENABLE_UBOOT`=false
102 ##### `ENABLE_UBOOT`=false
76 Replace default RPi2 second stage bootloader (bootcode.bin) with U-Boot bootloader. U-Boot can boot images via the network using the BOOTP/TFTP protocol.
103 Replace default RPi2 second stage bootloader (bootcode.bin) with U-Boot bootloader. U-Boot can boot images via the network using the BOOTP/TFTP protocol.
77
104
78 ##### `ENABLE_FBTURBO`=false
105 ##### `ENABLE_FBTURBO`=false
79 Install and enable the hardware accelerated Xorg video driver `fbturbo`. Please note that this driver is currently limited to hardware accelerated window moving and scrolling.
106 Install and enable the hardware accelerated Xorg video driver `fbturbo`. Please note that this driver is currently limited to hardware accelerated window moving and scrolling.
80
107
81 ##### `ENABLE_IPTABLES`=false
108 ##### `ENABLE_IPTABLES`=false
82 Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service.
109 Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service.
83
110
84 ##### `ENABLE_HARDNET`=false
111 ##### `ENABLE_HARDNET`=false
85 Enable IPv4/IPv6 network stack hardening settings.
112 Enable IPv4/IPv6 network stack hardening settings.
86
113
87 ## Logging of the bootstrapping process
114 ## Logging of the bootstrapping process
88 All information related to the bootstrapping process and the commands executed by the `rpi2-gen-image.sh` script can easily be saved into a logfile. The common shell command `script` can be used for this purpose:
115 All information related to the bootstrapping process and the commands executed by the `rpi2-gen-image.sh` script can easily be saved into a logfile. The common shell command `script` can be used for this purpose:
89
116
90 ```shell
117 ```shell
91 script -c 'APT_SERVER=ftp.de.debian.org ./rpi2-gen-image.sh' ./build.log
118 script -c 'APT_SERVER=ftp.de.debian.org ./rpi2-gen-image.sh' ./build.log
92 ```
119 ```
93
120
94 ## Flashing the image file
121 ## Flashing the image file
95 After the image file was successfully created by the `rpi2-gen-image.sh` script it can be copied to the microSD card that will be used by the RPi2 computer. This can be performed by using the tools `bmaptool` or `dd`. Using `bmaptool` will probably speed-up the copy process because `bmaptool` copies more wisely than `dd`.
122 After the image file was successfully created by the `rpi2-gen-image.sh` script it can be copied to the microSD card that will be used by the RPi2 computer. This can be performed by using the tools `bmaptool` or `dd`. Using `bmaptool` will probably speed-up the copy process because `bmaptool` copies more wisely than `dd`.
96
123
97 #####Flashing examples:
124 #####Flashing examples:
98 ```shell
125 ```shell
99 bmaptool copy ./images/jessie/2015-12-13-debian-jessie.img /dev/mmcblk0
126 bmaptool copy ./images/jessie/2015-12-13-debian-jessie.img /dev/mmcblk0
100 dd bs=4M if=./images/jessie/2015-12-13-debian-jessie.img of=/dev/mmcblk0
127 dd bs=4M if=./images/jessie/2015-12-13-debian-jessie.img of=/dev/mmcblk0
101 ```
128 ```
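Review bot: the example address in the new `NET_ADDRESS` entry, `192.169.0.3/24`, is publicly routed space rather than the RFC 1918 range; `192.168.0.3/24` is almost certainly what was intended, and a README example is exactly what gets copied into real static configs, so it is worth fixing before merge. Two smaller points in the same block: the new `#####`ENABLE_DHCP`` style headings omit the space after the hashes that the existing ``##### `APT_SERVER` `` entries use, which some Markdown renderers need to recognise a heading, and `eg.` should read `e.g.`. The `ENABLE_DHCP` text also says the `NET_*` settings are ignored when it is true; see the note on the script hunk for where the code does not yet honour that.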
@@ -1,846 +1,879
1 #!/bin/sh
1 #!/bin/sh
2
2
3 ########################################################################
3 ########################################################################
4 # rpi2-gen-image.sh ver2a 12/2015
4 # rpi2-gen-image.sh ver2a 12/2015
5 #
5 #
6 # Advanced debian "jessie" bootstrap script for RPi2
6 # Advanced debian "jessie" bootstrap script for RPi2
7 #
7 #
8 # This program is free software; you can redistribute it and/or
8 # This program is free software; you can redistribute it and/or
9 # modify it under the terms of the GNU General Public License
9 # modify it under the terms of the GNU General Public License
10 # as published by the Free Software Foundation; either version 2
10 # as published by the Free Software Foundation; either version 2
11 # of the License, or (at your option) any later version.
11 # of the License, or (at your option) any later version.
12 #
12 #
13 # some parts based on rpi2-build-image:
13 # some parts based on rpi2-build-image:
14 # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
14 # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
15 # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
15 # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
16 ########################################################################
16 ########################################################################
17
17
18 # Clean up all temporary mount points
18 # Clean up all temporary mount points
19 cleanup (){
19 cleanup (){
20 set +x
20 set +x
21 set +e
21 set +e
22 echo "removing temporary mount points ..."
22 echo "removing temporary mount points ..."
23 umount -l $R/proc 2> /dev/null
23 umount -l $R/proc 2> /dev/null
24 umount -l $R/sys 2> /dev/null
24 umount -l $R/sys 2> /dev/null
25 umount -l $R/dev/pts 2> /dev/null
25 umount -l $R/dev/pts 2> /dev/null
26 umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
26 umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
27 umount "$BUILDDIR/mount" 2> /dev/null
27 umount "$BUILDDIR/mount" 2> /dev/null
28 losetup -d "$EXT4_LOOP" 2> /dev/null
28 losetup -d "$EXT4_LOOP" 2> /dev/null
29 losetup -d "$VFAT_LOOP" 2> /dev/null
29 losetup -d "$VFAT_LOOP" 2> /dev/null
30 trap - 0 1 2 3 6
30 trap - 0 1 2 3 6
31 }
31 }
32
32
33 set -e
33 set -e
34 set -x
34 set -x
35
35
36 # Debian release
36 # Debian release
37 RELEASE=${RELEASE:=jessie}
37 RELEASE=${RELEASE:=jessie}
38
38
39 # Build settings
39 # Build settings
40 BASEDIR=./images/${RELEASE}
40 BASEDIR=./images/${RELEASE}
41 BUILDDIR=${BASEDIR}/build
41 BUILDDIR=${BASEDIR}/build
42
42
43 # General settings
43 # General settings
44 HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
44 HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
45 PASSWORD=${PASSWORD:=raspberry}
45 PASSWORD=${PASSWORD:=raspberry}
46 DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
46 DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
47 TIMEZONE=${TIMEZONE:="Europe/Berlin"}
47 TIMEZONE=${TIMEZONE:="Europe/Berlin"}
48
48
49 # Network settings
50 ENABLE_DHCP=${ENABLE_DHCP:=true}
51 # NET_* settings are ignored when ENABLE_DHCP=true
52 # NET_ADDRESS is an IPv4 or IPv6 address and its prefix, separated by "/"
53 NET_ADDRESS=${NET_ADDRESS:=""}
54 NET_GATEWAY=${NET_GATEWAY:=""}
55 NET_DNS_1=${NET_DNS_1:=""}
56 NET_DNS_2=${NET_DNS_2:=""}
57 NET_DNS_DOMAINS=${NET_DNS_DOMAINS:=""}
58 NET_NTP_1=${NET_NTP_1:=""}
59 NET_NTP_2=${NET_NTP_2:=""}
60
49 # APT settings
61 # APT settings
50 APT_PROXY=${APT_PROXY:=""}
62 APT_PROXY=${APT_PROXY:=""}
51 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
63 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
52
64
53 # Feature settings
65 # Feature settings
54 ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
66 ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
55 ENABLE_IPV6=${ENABLE_IPV6:=true}
67 ENABLE_IPV6=${ENABLE_IPV6:=true}
56 ENABLE_SSHD=${ENABLE_SSHD:=true}
68 ENABLE_SSHD=${ENABLE_SSHD:=true}
57 ENABLE_SOUND=${ENABLE_SOUND:=true}
69 ENABLE_SOUND=${ENABLE_SOUND:=true}
58 ENABLE_DBUS=${ENABLE_DBUS:=true}
70 ENABLE_DBUS=${ENABLE_DBUS:=true}
59 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
71 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
60 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
72 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
61 ENABLE_XORG=${ENABLE_XORG:=false}
73 ENABLE_XORG=${ENABLE_XORG:=false}
62 ENABLE_WM=${ENABLE_WM:=""}
74 ENABLE_WM=${ENABLE_WM:=""}
63
75
64 # Advanced settings
76 # Advanced settings
65 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
77 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
66 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
78 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
67 ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
79 ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
68 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
80 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
69 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
81 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
70
82
71 # Image chroot path
83 # Image chroot path
72 R=${BUILDDIR}/chroot
84 R=${BUILDDIR}/chroot
73
85
74 # Packages required for bootstrapping
86 # Packages required for bootstrapping
75 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core"
87 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core"
76
88
77 # Missing packages that need to be installed
89 # Missing packages that need to be installed
78 MISSING_PACKAGES=""
90 MISSING_PACKAGES=""
79
91
80 # Packages required in the chroot build environment
92 # Packages required in the chroot build environment
81 APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo"
93 APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo"
82
94
83 set +x
95 set +x
84
96
85 # Are we running as root?
97 # Are we running as root?
86 if [ "$(id -u)" -ne "0" ] ; then
98 if [ "$(id -u)" -ne "0" ] ; then
87 echo "this script must be executed with root privileges"
99 echo "this script must be executed with root privileges"
88 exit 1
100 exit 1
89 fi
101 fi
90
102
91 # Check if all required packages are installed
103 # Check if all required packages are installed
92 for package in $REQUIRED_PACKAGES ; do
104 for package in $REQUIRED_PACKAGES ; do
93 if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
105 if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
94 MISSING_PACKAGES="$MISSING_PACKAGES $package"
106 MISSING_PACKAGES="$MISSING_PACKAGES $package"
95 fi
107 fi
96 done
108 done
97
109
98 # Ask if missing packages should get installed right now
110 # Ask if missing packages should get installed right now
99 if [ -n "$MISSING_PACKAGES" ] ; then
111 if [ -n "$MISSING_PACKAGES" ] ; then
100 echo "the following packages needed by this script are not installed:"
112 echo "the following packages needed by this script are not installed:"
101 echo "$MISSING_PACKAGES"
113 echo "$MISSING_PACKAGES"
102
114
103 echo -n "\ndo you want to install the missing packages right now? [y/n] "
115 echo -n "\ndo you want to install the missing packages right now? [y/n] "
104 read confirm
116 read confirm
105 if [ "$confirm" != "y" ] ; then
117 if [ "$confirm" != "y" ] ; then
106 exit 1
118 exit 1
107 fi
119 fi
108 fi
120 fi
109
121
110 # Make sure all required packages are installed
122 # Make sure all required packages are installed
111 apt-get -qq -y install ${REQUIRED_PACKAGES}
123 apt-get -qq -y install ${REQUIRED_PACKAGES}
112
124
113 # Don't clobber an old build
125 # Don't clobber an old build
114 if [ -e "$BUILDDIR" ]; then
126 if [ -e "$BUILDDIR" ]; then
115 echo "directory $BUILDDIR already exists, not proceeding"
127 echo "directory $BUILDDIR already exists, not proceeding"
116 exit 1
128 exit 1
117 fi
129 fi
118
130
119 set -x
131 set -x
120
132
121 # Call "cleanup" function on various signals and errors
133 # Call "cleanup" function on various signals and errors
122 trap cleanup 0 1 2 3 6
134 trap cleanup 0 1 2 3 6
123
135
124 # Set up chroot directory
136 # Set up chroot directory
125 mkdir -p $R
137 mkdir -p $R
126
138
127 # Add required packages for the minbase installation
139 # Add required packages for the minbase installation
128 if [ "$ENABLE_MINBASE" = true ] ; then
140 if [ "$ENABLE_MINBASE" = true ] ; then
129 APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools"
141 APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools"
130 else
142 else
131 APT_INCLUDES="${APT_INCLUDES},locales"
143 APT_INCLUDES="${APT_INCLUDES},locales"
132 fi
144 fi
133
145
134 # Add dbus package, recommended if using systemd
146 # Add dbus package, recommended if using systemd
135 if [ "$ENABLE_DBUS" = true ] ; then
147 if [ "$ENABLE_DBUS" = true ] ; then
136 APT_INCLUDES="${APT_INCLUDES},dbus"
148 APT_INCLUDES="${APT_INCLUDES},dbus"
137 fi
149 fi
138
150
139 # Add iptables IPv4/IPv6 package
151 # Add iptables IPv4/IPv6 package
140 if [ "$ENABLE_IPTABLES" = true ] ; then
152 if [ "$ENABLE_IPTABLES" = true ] ; then
141 APT_INCLUDES="${APT_INCLUDES},iptables"
153 APT_INCLUDES="${APT_INCLUDES},iptables"
142 fi
154 fi
143
155
144 # Add openssh server package
156 # Add openssh server package
145 if [ "$ENABLE_SSHD" = true ] ; then
157 if [ "$ENABLE_SSHD" = true ] ; then
146 APT_INCLUDES="${APT_INCLUDES},openssh-server"
158 APT_INCLUDES="${APT_INCLUDES},openssh-server"
147 fi
159 fi
148
160
149 # Add alsa-utils package
161 # Add alsa-utils package
150 if [ "$ENABLE_SOUND" = true ] ; then
162 if [ "$ENABLE_SOUND" = true ] ; then
151 APT_INCLUDES="${APT_INCLUDES},alsa-utils"
163 APT_INCLUDES="${APT_INCLUDES},alsa-utils"
152 fi
164 fi
153
165
154 # Add rng-tools package
166 # Add rng-tools package
155 if [ "$ENABLE_HWRANDOM" = true ] ; then
167 if [ "$ENABLE_HWRANDOM" = true ] ; then
156 APT_INCLUDES="${APT_INCLUDES},rng-tools"
168 APT_INCLUDES="${APT_INCLUDES},rng-tools"
157 fi
169 fi
158
170
159 # Add fbturbo video driver
171 # Add fbturbo video driver
160 if [ "$ENABLE_FBTURBO" = true ] ; then
172 if [ "$ENABLE_FBTURBO" = true ] ; then
161 # Enable xorg package dependencies
173 # Enable xorg package dependencies
162 ENABLE_XORG=true
174 ENABLE_XORG=true
163 fi
175 fi
164
176
165 # Add user defined window manager package
177 # Add user defined window manager package
166 if [ -n "$ENABLE_WM" ] ; then
178 if [ -n "$ENABLE_WM" ] ; then
167 APT_INCLUDES="${APT_INCLUDES},${ENABLE_WM}"
179 APT_INCLUDES="${APT_INCLUDES},${ENABLE_WM}"
168
180
169 # Enable xorg package dependencies
181 # Enable xorg package dependencies
170 ENABLE_XORG=true
182 ENABLE_XORG=true
171 fi
183 fi
172
184
173 # Add xorg package
185 # Add xorg package
174 if [ "$ENABLE_XORG" = true ] ; then
186 if [ "$ENABLE_XORG" = true ] ; then
175 APT_INCLUDES="${APT_INCLUDES},xorg"
187 APT_INCLUDES="${APT_INCLUDES},xorg"
176 fi
188 fi
177
189
178 # Set empty proxy string
190 # Set empty proxy string
179 if [ -z "$APT_PROXY" ] ; then
191 if [ -z "$APT_PROXY" ] ; then
180 APT_PROXY="http://"
192 APT_PROXY="http://"
181 fi
193 fi
182
194
183 # Base debootstrap (unpack only)
195 # Base debootstrap (unpack only)
184 if [ "$ENABLE_MINBASE" = true ] ; then
196 if [ "$ENABLE_MINBASE" = true ] ; then
185 debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian
197 debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian
186 else
198 else
187 debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian
199 debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian
188 fi
200 fi
189
201
190 # Copy qemu emulator binary to chroot
202 # Copy qemu emulator binary to chroot
191 cp /usr/bin/qemu-arm-static $R/usr/bin
203 cp /usr/bin/qemu-arm-static $R/usr/bin
192
204
193 # Copy debian-archive-keyring.pgp
205 # Copy debian-archive-keyring.pgp
194 chroot $R mkdir -p /usr/share/keyrings
206 chroot $R mkdir -p /usr/share/keyrings
195 cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
207 cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
196
208
197 # Complete the bootstrapping process
209 # Complete the bootstrapping process
198 chroot $R /debootstrap/debootstrap --second-stage
210 chroot $R /debootstrap/debootstrap --second-stage
199
211
200 # Mount required filesystems
212 # Mount required filesystems
201 mount -t proc none $R/proc
213 mount -t proc none $R/proc
202 mount -t sysfs none $R/sys
214 mount -t sysfs none $R/sys
203 mount --bind /dev/pts $R/dev/pts
215 mount --bind /dev/pts $R/dev/pts
204
216
205 # Use proxy inside chroot
217 # Use proxy inside chroot
206 if [ -z "$APT_PROXY" ] ; then
218 if [ -z "$APT_PROXY" ] ; then
207 echo "Acquire::http::Proxy \"$APT_PROXY\"" >> $R/etc/apt/apt.conf.d/10proxy
219 echo "Acquire::http::Proxy \"$APT_PROXY\"" >> $R/etc/apt/apt.conf.d/10proxy
208 fi
220 fi
209
221
210 # Pin package flash-kernel to repositories.collabora.co.uk
222 # Pin package flash-kernel to repositories.collabora.co.uk
211 cat <<EOM >$R/etc/apt/preferences.d/flash-kernel
223 cat <<EOM >$R/etc/apt/preferences.d/flash-kernel
212 Package: flash-kernel
224 Package: flash-kernel
213 Pin: origin repositories.collabora.co.uk
225 Pin: origin repositories.collabora.co.uk
214 Pin-Priority: 1000
226 Pin-Priority: 1000
215 EOM
227 EOM
216
228
217 # Set up timezone
229 # Set up timezone
218 echo ${TIMEZONE} >$R/etc/timezone
230 echo ${TIMEZONE} >$R/etc/timezone
219 LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata
231 LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata
220
232
221 # Set up default locales to "en_US.UTF-8" default
233 # Set up default locales to "en_US.UTF-8" default
222 if [ "$ENABLE_MINBASE" = false ] ; then
234 if [ "$ENABLE_MINBASE" = false ] ; then
223 LANG=C chroot $R sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen
235 LANG=C chroot $R sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen
224 LANG=C chroot $R locale-gen ${DEFLOCAL}
236 LANG=C chroot $R locale-gen ${DEFLOCAL}
225 fi
237 fi
226
238
227 # Upgrade collabora package index and install collabora keyring
239 # Upgrade collabora package index and install collabora keyring
228 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
240 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
229 LANG=C chroot $R apt-get -qq -y update
241 LANG=C chroot $R apt-get -qq -y update
230 LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring
242 LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring
231
243
232 # Set up initial sources.list
244 # Set up initial sources.list
233 cat <<EOM >$R/etc/apt/sources.list
245 cat <<EOM >$R/etc/apt/sources.list
234 deb http://${APT_SERVER}/debian ${RELEASE} main contrib
246 deb http://${APT_SERVER}/debian ${RELEASE} main contrib
235 #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib
247 #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib
236
248
237 deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
249 deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
238 #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
250 #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
239
251
240 deb http://security.debian.org/ ${RELEASE}/updates main contrib
252 deb http://security.debian.org/ ${RELEASE}/updates main contrib
241 #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib
253 #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib
242
254
243 deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
255 deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
244 EOM
256 EOM
245
257
246 # Upgrade package index and update all installed packages and changed dependencies
258 # Upgrade package index and update all installed packages and changed dependencies
247 LANG=C chroot $R apt-get -qq -y update
259 LANG=C chroot $R apt-get -qq -y update
248 LANG=C chroot $R apt-get -qq -y -u dist-upgrade
260 LANG=C chroot $R apt-get -qq -y -u dist-upgrade
249
261
250 # Kernel installation
262 # Kernel installation
251 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
263 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
252 LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2
264 LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2
253 LANG=C chroot $R apt-get -qq -y install flash-kernel
265 LANG=C chroot $R apt-get -qq -y install flash-kernel
254
266
255 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
267 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
256 [ -z "$VMLINUZ" ] && exit 1
268 [ -z "$VMLINUZ" ] && exit 1
257 mkdir -p $R/boot/firmware
269 mkdir -p $R/boot/firmware
258
270
259 # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")
271 # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")
260 wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin
272 wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin
261 wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat
273 wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat
262 wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat
274 wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat
263 wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat
275 wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat
264 wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf
276 wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf
265 wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf
277 wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf
266 wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf
278 wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf
267 cp $VMLINUZ $R/boot/firmware/kernel7.img
279 cp $VMLINUZ $R/boot/firmware/kernel7.img
268
280
269 # Set up IPv4 hosts
281 # Set up IPv4 hosts
270 echo ${HOSTNAME} >$R/etc/hostname
282 echo ${HOSTNAME} >$R/etc/hostname
271 cat <<EOM >$R/etc/hosts
283 cat <<EOM >$R/etc/hosts
272 127.0.0.1 localhost
284 127.0.0.1 localhost
273 127.0.1.1 ${HOSTNAME}
285 127.0.1.1 ${HOSTNAME}
274 EOM
286 EOM
287 if [ "$NET_ADDRESS" != "" ] ; then
288 NET_IP=$(echo ${NET_ADDRESS} | cut -f 1 -d'/')
289 sed -i "s/^127.0.1.1/${NET_IP}/" $R/etc/hosts
290 fi
275
291
276 # Set up IPv6 hosts
292 # Set up IPv6 hosts
277 if [ "$ENABLE_IPV6" = true ] ; then
293 if [ "$ENABLE_IPV6" = true ] ; then
278 cat <<EOM >>$R/etc/hosts
294 cat <<EOM >>$R/etc/hosts
279
295
280 ::1 localhost ip6-localhost ip6-loopback
296 ::1 localhost ip6-localhost ip6-loopback
281 ff02::1 ip6-allnodes
297 ff02::1 ip6-allnodes
282 ff02::2 ip6-allrouters
298 ff02::2 ip6-allrouters
283 EOM
299 EOM
284 fi
300 fi
285
301
286 # Place hint about network configuration
302 # Place hint about network configuration
287 cat <<EOM >$R/etc/network/interfaces
303 cat <<EOM >$R/etc/network/interfaces
288 # Debian switched to systemd-networkd configuration files.
304 # Debian switched to systemd-networkd configuration files.
289 # please configure your networks in '/etc/systemd/network/'
305 # please configure your networks in '/etc/systemd/network/'
290 EOM
306 EOM
291
307
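Review bot: the new /etc/hosts rewrite (`NET_IP=$(echo ${NET_ADDRESS} | cut -f 1 -d'/')` followed by `sed -i "s/^127.0.1.1/${NET_IP}/" $R/etc/hosts`) substitutes an unvalidated user value into the hosts file and runs whenever NET_ADDRESS is non-empty, even when ENABLE_DHCP is still true, so the hostname can be pinned to a static address the interface never receives. Gate it on the same condition as the static branch (`[ "$ENABLE_DHCP" = false ]`), quote the expansion (`"${NET_ADDRESS}"`, or drop the pipeline for `NET_IP="${NET_ADDRESS%%/*}"`), and check the result looks like an IPv4 address before it reaches sed; the pattern should also escape its dots (`s/^127\.0\.1\.1 /${NET_IP} /`) so it matches only the loopback entry written just above.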
308 if [ "$ENABLE_DHCP" = true ] ; then
292 # Enable systemd-networkd DHCP configuration for interface eth0
309 # Enable systemd-networkd DHCP configuration for interface eth0
293 cat <<EOM >$R/etc/systemd/network/eth.network
310 cat <<EOM >$R/etc/systemd/network/eth.network
294 [Match]
311 [Match]
295 Name=eth0
312 Name=eth0
296
313
297 [Network]
314 [Network]
298 DHCP=yes
315 DHCP=yes
299 EOM
316 EOM
300
317
301 # Set DHCP configuration to IPv4 only
318 # Set DHCP configuration to IPv4 only
302 if [ "$ENABLE_IPV6" = false ] ; then
319 if [ "$ENABLE_IPV6" = false ] ; then
303 sed -i "s/=yes/=v4/" $R/etc/systemd/network/eth.network
320 sed -i "s/^DHCP=yes/DHCP=v4/" $R/etc/systemd/network/eth.network
321 fi
322 else # ENABLE_DHCP=false
323 cat <<EOM >$R/etc/systemd/network/eth.network
324 [Match]
325 Name=eth0
326
327 [Network]
328 DHCP=no
329 Address=${NET_ADDRESS}
330 Gateway=${NET_GATEWAY}
331 DNS=${NET_DNS_1}
332 DNS=${NET_DNS_2}
333 Domains=${NET_DNS_DOMAINS}
334 NTP=${NET_NTP_1}
335 NTP=${NET_NTP_2}
336 EOM
304 fi
337 fi
305
338
306 # Enable systemd-networkd service
339 # Enable systemd-networkd service
307 LANG=C chroot $R systemctl enable systemd-networkd
340 LANG=C chroot $R systemctl enable systemd-networkd
308
341
309 # Generate crypt(3) password string
342 # Generate crypt(3) password string
310 ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
343 ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
311
344
312 # Set up default user
345 # Set up default user
313 LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi
346 LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi
314 LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
347 LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
315
348
316 # Set up root password
349 # Set up root password
317 LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root
350 LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root
318
351
319 # Set up firmware boot cmdline
352 # Set up firmware boot cmdline
320 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
353 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
321
354
322 # Set up serial console support (if requested)
355 # Set up serial console support (if requested)
323 if [ "$ENABLE_CONSOLE" = true ] ; then
356 if [ "$ENABLE_CONSOLE" = true ] ; then
324 CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
357 CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
325 fi
358 fi
326
359
327 # Set up IPv6 networking support
360 # Set up IPv6 networking support
328 if [ "$ENABLE_IPV6" = false ] ; then
361 if [ "$ENABLE_IPV6" = false ] ; then
329 CMDLINE="${CMDLINE} ipv6.disable=1"
362 CMDLINE="${CMDLINE} ipv6.disable=1"
330 fi
363 fi
331
364
332 echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
365 echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
333
366
334 # Set up firmware config
367 # Set up firmware config
335 cat <<EOM >$R/boot/firmware/config.txt
368 cat <<EOM >$R/boot/firmware/config.txt
336 # For more options and information see
369 # For more options and information see
337 # http://www.raspberrypi.org/documentation/configuration/config-txt.md
370 # http://www.raspberrypi.org/documentation/configuration/config-txt.md
338 # Some settings may impact device functionality. See link above for details
371 # Some settings may impact device functionality. See link above for details
339
372
340 # uncomment if you get no picture on HDMI for a default "safe" mode
373 # uncomment if you get no picture on HDMI for a default "safe" mode
341 #hdmi_safe=1
374 #hdmi_safe=1
342
375
343 # uncomment this if your display has a black border of unused pixels visible
376 # uncomment this if your display has a black border of unused pixels visible
344 # and your display can output without overscan
377 # and your display can output without overscan
345 #disable_overscan=1
378 #disable_overscan=1
346
379
347 # uncomment the following to adjust overscan. Use positive numbers if console
380 # uncomment the following to adjust overscan. Use positive numbers if console
348 # goes off screen, and negative if there is too much border
381 # goes off screen, and negative if there is too much border
349 #overscan_left=16
382 #overscan_left=16
350 #overscan_right=16
383 #overscan_right=16
351 #overscan_top=16
384 #overscan_top=16
352 #overscan_bottom=16
385 #overscan_bottom=16
353
386
354 # uncomment to force a console size. By default it will be display's size minus
387 # uncomment to force a console size. By default it will be display's size minus
355 # overscan.
388 # overscan.
356 #framebuffer_width=1280
389 #framebuffer_width=1280
357 #framebuffer_height=720
390 #framebuffer_height=720
358
391
359 # uncomment if hdmi display is not detected and composite is being output
392 # uncomment if hdmi display is not detected and composite is being output
360 #hdmi_force_hotplug=1
393 #hdmi_force_hotplug=1
361
394
362 # uncomment to force a specific HDMI mode (this will force VGA)
395 # uncomment to force a specific HDMI mode (this will force VGA)
363 #hdmi_group=1
396 #hdmi_group=1
364 #hdmi_mode=1
397 #hdmi_mode=1
365
398
366 # uncomment to force a HDMI mode rather than DVI. This can make audio work in
399 # uncomment to force a HDMI mode rather than DVI. This can make audio work in
367 # DMT (computer monitor) modes
400 # DMT (computer monitor) modes
368 #hdmi_drive=2
401 #hdmi_drive=2
369
402
370 # uncomment to increase signal to HDMI, if you have interference, blanking, or
403 # uncomment to increase signal to HDMI, if you have interference, blanking, or
371 # no display
404 # no display
372 #config_hdmi_boost=4
405 #config_hdmi_boost=4
373
406
374 # uncomment for composite PAL
407 # uncomment for composite PAL
375 #sdtv_mode=2
408 #sdtv_mode=2
376
409
377 # uncomment to overclock the arm. 700 MHz is the default.
410 # uncomment to overclock the arm. 700 MHz is the default.
378 #arm_freq=800
411 #arm_freq=800
379 EOM
412 EOM
380
413
381 # Load snd_bcm2835 kernel module at boot time
414 # Load snd_bcm2835 kernel module at boot time
382 if [ "$ENABLE_SOUND" = true ] ; then
415 if [ "$ENABLE_SOUND" = true ] ; then
383 echo "snd_bcm2835" >>$R/etc/modules
416 echo "snd_bcm2835" >>$R/etc/modules
384 fi
417 fi
385
418
386 # Set smallest possible GPU memory allocation size: 16MB (no X)
419 # Set smallest possible GPU memory allocation size: 16MB (no X)
387 if [ "$ENABLE_MINGPU" = true ] ; then
420 if [ "$ENABLE_MINGPU" = true ] ; then
388 echo "gpu_mem=16" >>$R/boot/firmware/config.txt
421 echo "gpu_mem=16" >>$R/boot/firmware/config.txt
389 fi
422 fi
390
423
391 # Create symlinks
424 # Create symlinks
392 ln -sf firmware/config.txt $R/boot/config.txt
425 ln -sf firmware/config.txt $R/boot/config.txt
393 ln -sf firmware/cmdline.txt $R/boot/cmdline.txt
426 ln -sf firmware/cmdline.txt $R/boot/cmdline.txt
394
427
395 # Prepare modules-load.d directory
428 # Prepare modules-load.d directory
396 mkdir -p $R/lib/modules-load.d/
429 mkdir -p $R/lib/modules-load.d/
397
430
398 # Load random module on boot
431 # Load random module on boot
399 if [ "$ENABLE_HWRANDOM" = true ] ; then
432 if [ "$ENABLE_HWRANDOM" = true ] ; then
400 cat <<EOM >$R/lib/modules-load.d/rpi2.conf
433 cat <<EOM >$R/lib/modules-load.d/rpi2.conf
401 bcm2708_rng
434 bcm2708_rng
402 EOM
435 EOM
403 fi
436 fi
404
437
405 # Prepare modprobe.d directory
438 # Prepare modprobe.d directory
406 mkdir -p $R/etc/modprobe.d/
439 mkdir -p $R/etc/modprobe.d/
407
440
408 # Blacklist sound modules
441 # Blacklist sound modules
409 cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf
442 cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf
410 blacklist snd_soc_core
443 blacklist snd_soc_core
411 blacklist snd_pcm
444 blacklist snd_pcm
412 blacklist snd_pcm_dmaengine
445 blacklist snd_pcm_dmaengine
413 blacklist snd_timer
446 blacklist snd_timer
414 blacklist snd_compress
447 blacklist snd_compress
415 blacklist snd_soc_pcm512x_i2c
448 blacklist snd_soc_pcm512x_i2c
416 blacklist snd_soc_pcm512x
449 blacklist snd_soc_pcm512x
417 blacklist snd_soc_tas5713
450 blacklist snd_soc_tas5713
418 blacklist snd_soc_wm8804
451 blacklist snd_soc_wm8804
419 EOM
452 EOM
420
453
421 # Create default fstab
454 # Create default fstab
422 cat <<EOM >$R/etc/fstab
455 cat <<EOM >$R/etc/fstab
423 /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
456 /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
424 /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
457 /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
425 EOM
458 EOM
426
459
427 # Avoid swapping and increase cache sizes
460 # Avoid swapping and increase cache sizes
428 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
461 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
429
462
430 # Avoid swapping and increase cache sizes
463 # Avoid swapping and increase cache sizes
431 vm.swappiness=1
464 vm.swappiness=1
432 vm.dirty_background_ratio=20
465 vm.dirty_background_ratio=20
433 vm.dirty_ratio=40
466 vm.dirty_ratio=40
434 vm.dirty_writeback_centisecs=500
467 vm.dirty_writeback_centisecs=500
435 vm.dirty_expire_centisecs=6000
468 vm.dirty_expire_centisecs=6000
436 EOM
469 EOM
437
470
438 # Enable network stack hardening
471 # Enable network stack hardening
439 if [ "$ENABLE_HARDNET" = true ] ; then
472 if [ "$ENABLE_HARDNET" = true ] ; then
440 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
473 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
441
474
442 # Enable network stack hardening
475 # Enable network stack hardening
443 net.ipv4.tcp_timestamps=0
476 net.ipv4.tcp_timestamps=0
444 net.ipv4.tcp_syncookies=1
477 net.ipv4.tcp_syncookies=1
445 net.ipv4.conf.all.rp_filter=1
478 net.ipv4.conf.all.rp_filter=1
446 net.ipv4.conf.all.accept_redirects=0
479 net.ipv4.conf.all.accept_redirects=0
447 net.ipv4.conf.all.send_redirects=0
480 net.ipv4.conf.all.send_redirects=0
448 net.ipv4.conf.all.accept_source_route=0
481 net.ipv4.conf.all.accept_source_route=0
449 net.ipv4.conf.default.rp_filter=1
482 net.ipv4.conf.default.rp_filter=1
450 net.ipv4.conf.default.accept_redirects=0
483 net.ipv4.conf.default.accept_redirects=0
451 net.ipv4.conf.default.send_redirects=0
484 net.ipv4.conf.default.send_redirects=0
452 net.ipv4.conf.default.accept_source_route=0
485 net.ipv4.conf.default.accept_source_route=0
453 net.ipv4.conf.lo.accept_redirects=0
486 net.ipv4.conf.lo.accept_redirects=0
454 net.ipv4.conf.lo.send_redirects=0
487 net.ipv4.conf.lo.send_redirects=0
455 net.ipv4.conf.lo.accept_source_route=0
488 net.ipv4.conf.lo.accept_source_route=0
456 net.ipv4.conf.eth0.accept_redirects=0
489 net.ipv4.conf.eth0.accept_redirects=0
457 net.ipv4.conf.eth0.send_redirects=0
490 net.ipv4.conf.eth0.send_redirects=0
458 net.ipv4.conf.eth0.accept_source_route=0
491 net.ipv4.conf.eth0.accept_source_route=0
459 net.ipv4.icmp_echo_ignore_broadcasts=1
492 net.ipv4.icmp_echo_ignore_broadcasts=1
460 net.ipv4.icmp_ignore_bogus_error_responses=1
493 net.ipv4.icmp_ignore_bogus_error_responses=1
461
494
462 net.ipv6.conf.all.accept_redirects=0
495 net.ipv6.conf.all.accept_redirects=0
463 net.ipv6.conf.all.accept_source_route=0
496 net.ipv6.conf.all.accept_source_route=0
464 net.ipv6.conf.all.router_solicitations=0
497 net.ipv6.conf.all.router_solicitations=0
465 net.ipv6.conf.all.accept_ra_rtr_pref=0
498 net.ipv6.conf.all.accept_ra_rtr_pref=0
466 net.ipv6.conf.all.accept_ra_pinfo=0
499 net.ipv6.conf.all.accept_ra_pinfo=0
467 net.ipv6.conf.all.accept_ra_defrtr=0
500 net.ipv6.conf.all.accept_ra_defrtr=0
468 net.ipv6.conf.all.autoconf=0
501 net.ipv6.conf.all.autoconf=0
469 net.ipv6.conf.all.dad_transmits=0
502 net.ipv6.conf.all.dad_transmits=0
470 net.ipv6.conf.all.max_addresses=1
503 net.ipv6.conf.all.max_addresses=1
471
504
472 net.ipv6.conf.default.accept_redirects=0
505 net.ipv6.conf.default.accept_redirects=0
473 net.ipv6.conf.default.accept_source_route=0
506 net.ipv6.conf.default.accept_source_route=0
474 net.ipv6.conf.default.router_solicitations=0
507 net.ipv6.conf.default.router_solicitations=0
475 net.ipv6.conf.default.accept_ra_rtr_pref=0
508 net.ipv6.conf.default.accept_ra_rtr_pref=0
476 net.ipv6.conf.default.accept_ra_pinfo=0
509 net.ipv6.conf.default.accept_ra_pinfo=0
477 net.ipv6.conf.default.accept_ra_defrtr=0
510 net.ipv6.conf.default.accept_ra_defrtr=0
478 net.ipv6.conf.default.autoconf=0
511 net.ipv6.conf.default.autoconf=0
479 net.ipv6.conf.default.dad_transmits=0
512 net.ipv6.conf.default.dad_transmits=0
480 net.ipv6.conf.default.max_addresses=1
513 net.ipv6.conf.default.max_addresses=1
481
514
482 net.ipv6.conf.lo.accept_redirects=0
515 net.ipv6.conf.lo.accept_redirects=0
483 net.ipv6.conf.lo.accept_source_route=0
516 net.ipv6.conf.lo.accept_source_route=0
484 net.ipv6.conf.lo.router_solicitations=0
517 net.ipv6.conf.lo.router_solicitations=0
485 net.ipv6.conf.lo.accept_ra_rtr_pref=0
518 net.ipv6.conf.lo.accept_ra_rtr_pref=0
486 net.ipv6.conf.lo.accept_ra_pinfo=0
519 net.ipv6.conf.lo.accept_ra_pinfo=0
487 net.ipv6.conf.lo.accept_ra_defrtr=0
520 net.ipv6.conf.lo.accept_ra_defrtr=0
488 net.ipv6.conf.lo.autoconf=0
521 net.ipv6.conf.lo.autoconf=0
489 net.ipv6.conf.lo.dad_transmits=0
522 net.ipv6.conf.lo.dad_transmits=0
490 net.ipv6.conf.lo.max_addresses=1
523 net.ipv6.conf.lo.max_addresses=1
491
524
492 net.ipv6.conf.eth0.accept_redirects=0
525 net.ipv6.conf.eth0.accept_redirects=0
493 net.ipv6.conf.eth0.accept_source_route=0
526 net.ipv6.conf.eth0.accept_source_route=0
494 net.ipv6.conf.eth0.router_solicitations=0
527 net.ipv6.conf.eth0.router_solicitations=0
495 net.ipv6.conf.eth0.accept_ra_rtr_pref=0
528 net.ipv6.conf.eth0.accept_ra_rtr_pref=0
496 net.ipv6.conf.eth0.accept_ra_pinfo=0
529 net.ipv6.conf.eth0.accept_ra_pinfo=0
497 net.ipv6.conf.eth0.accept_ra_defrtr=0
530 net.ipv6.conf.eth0.accept_ra_defrtr=0
498 net.ipv6.conf.eth0.autoconf=0
531 net.ipv6.conf.eth0.autoconf=0
499 net.ipv6.conf.eth0.dad_transmits=0
532 net.ipv6.conf.eth0.dad_transmits=0
500 net.ipv6.conf.eth0.max_addresses=1
533 net.ipv6.conf.eth0.max_addresses=1
501 EOM
534 EOM
502
535
503 # Enable resolver warnings about spoofed addresses
536 # Enable resolver warnings about spoofed addresses
504 cat <<EOM >>$R/etc/host.conf
537 cat <<EOM >>$R/etc/host.conf
505 spoof warn
538 spoof warn
506 EOM
539 EOM
507 fi
540 fi
508
541
509 # Regenerate openssh server host keys
542 # Regenerate openssh server host keys
510 if [ "$ENABLE_SSHD" = true ] ; then
543 if [ "$ENABLE_SSHD" = true ] ; then
511 rm -fr $R/etc/ssh/ssh_host_*
544 rm -fr $R/etc/ssh/ssh_host_*
512 LANG=C chroot $R dpkg-reconfigure openssh-server
545 LANG=C chroot $R dpkg-reconfigure openssh-server
513 fi
546 fi
514
547
515 # Enable serial console systemd style
548 # Enable serial console systemd style
516 if [ "$ENABLE_CONSOLE" = true ] ; then
549 if [ "$ENABLE_CONSOLE" = true ] ; then
517 LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service
550 LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service
518 fi
551 fi
519
552
520 # Enable firewall based on iptables started by systemd service
553 # Enable firewall based on iptables started by systemd service
521 if [ "$ENABLE_IPTABLES" = true ] ; then
554 if [ "$ENABLE_IPTABLES" = true ] ; then
522 # Create iptables configuration directory
555 # Create iptables configuration directory
523 mkdir -p "$R/etc/iptables"
556 mkdir -p "$R/etc/iptables"
524
557
525 # Create iptables systemd service
558 # Create iptables systemd service
526 cat <<EOM >$R/etc/systemd/system/iptables.service
559 cat <<EOM >$R/etc/systemd/system/iptables.service
527 [Unit]
560 [Unit]
528 Description=Packet Filtering Framework
561 Description=Packet Filtering Framework
529 DefaultDependencies=no
562 DefaultDependencies=no
530 After=systemd-sysctl.service
563 After=systemd-sysctl.service
531 Before=sysinit.target
564 Before=sysinit.target
532 [Service]
565 [Service]
533 Type=oneshot
566 Type=oneshot
534 ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
567 ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
535 ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
568 ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
536 ExecStop=/etc/iptables/flush-iptables.sh
569 ExecStop=/etc/iptables/flush-iptables.sh
537 RemainAfterExit=yes
570 RemainAfterExit=yes
538 [Install]
571 [Install]
539 WantedBy=multi-user.target
572 WantedBy=multi-user.target
540 EOM
573 EOM
541
574
542 # Create flush-table script called by iptables service
575 # Create flush-table script called by iptables service
543 cat <<EOM >$R/etc/iptables/flush-iptables.sh
576 cat <<EOM >$R/etc/iptables/flush-iptables.sh
544 #!/bin/sh
577 #!/bin/sh
545 iptables -F
578 iptables -F
546 iptables -X
579 iptables -X
547 iptables -t nat -F
580 iptables -t nat -F
548 iptables -t nat -X
581 iptables -t nat -X
549 iptables -t mangle -F
582 iptables -t mangle -F
550 iptables -t mangle -X
583 iptables -t mangle -X
551 iptables -P INPUT ACCEPT
584 iptables -P INPUT ACCEPT
552 iptables -P FORWARD ACCEPT
585 iptables -P FORWARD ACCEPT
553 iptables -P OUTPUT ACCEPT
586 iptables -P OUTPUT ACCEPT
554 EOM
587 EOM
555
588
556 # Create iptables rule file
589 # Create iptables rule file
557 cat <<EOM >$R/etc/iptables/iptables.rules
590 cat <<EOM >$R/etc/iptables/iptables.rules
558 *filter
591 *filter
559 :INPUT DROP [0:0]
592 :INPUT DROP [0:0]
560 :FORWARD DROP [0:0]
593 :FORWARD DROP [0:0]
561 :OUTPUT ACCEPT [0:0]
594 :OUTPUT ACCEPT [0:0]
562 :TCP - [0:0]
595 :TCP - [0:0]
563 :UDP - [0:0]
596 :UDP - [0:0]
564 :SSH - [0:0]
597 :SSH - [0:0]
565
598
566 # Rate limit ping requests
599 # Rate limit ping requests
567 -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
600 -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
568 -A INPUT -p icmp --icmp-type echo-request -j DROP
601 -A INPUT -p icmp --icmp-type echo-request -j DROP
569
602
570 # Accept established connections
603 # Accept established connections
571 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
604 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
572
605
573 # Accept all traffic on loopback interface
606 # Accept all traffic on loopback interface
574 -A INPUT -i lo -j ACCEPT
607 -A INPUT -i lo -j ACCEPT
575
608
576 # Drop packets declared invalid
609 # Drop packets declared invalid
577 -A INPUT -m conntrack --ctstate INVALID -j DROP
610 -A INPUT -m conntrack --ctstate INVALID -j DROP
578
611
579 # SSH rate limiting
612 # SSH rate limiting
580 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
613 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
581 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
614 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
582 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
615 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
583 -A SSH -m recent --name sshbf --set -j ACCEPT
616 -A SSH -m recent --name sshbf --set -j ACCEPT
584
617
585 # Send TCP and UDP connections to their respective rules chain
618 # Send TCP and UDP connections to their respective rules chain
586 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
619 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
587 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
620 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
588
621
589 # Reject dropped packets with a RFC compliant responce
622 # Reject dropped packets with a RFC compliant responce
590 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
623 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
591 -A INPUT -p tcp -j REJECT --reject-with tcp-rst
624 -A INPUT -p tcp -j REJECT --reject-with tcp-rst
592 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
625 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
593
626
594 ## TCP PORT RULES
627 ## TCP PORT RULES
595 # -A TCP -p tcp -j LOG
628 # -A TCP -p tcp -j LOG
596
629
597 ## UDP PORT RULES
630 ## UDP PORT RULES
598 # -A UDP -p udp -j LOG
631 # -A UDP -p udp -j LOG
599
632
600 COMMIT
633 COMMIT
601 EOM
634 EOM
602
635
603 # Reload systemd configuration and enable iptables service
636 # Reload systemd configuration and enable iptables service
604 LANG=C chroot $R systemctl daemon-reload
637 LANG=C chroot $R systemctl daemon-reload
605 LANG=C chroot $R systemctl enable iptables.service
638 LANG=C chroot $R systemctl enable iptables.service
606
639
607 if [ "$ENABLE_IPV6" = true ] ; then
640 if [ "$ENABLE_IPV6" = true ] ; then
608 # Create ip6tables systemd service
641 # Create ip6tables systemd service
609 cat <<EOM >$R/etc/systemd/system/ip6tables.service
642 cat <<EOM >$R/etc/systemd/system/ip6tables.service
610 [Unit]
643 [Unit]
611 Description=Packet Filtering Framework
644 Description=Packet Filtering Framework
612 DefaultDependencies=no
645 DefaultDependencies=no
613 After=systemd-sysctl.service
646 After=systemd-sysctl.service
614 Before=sysinit.target
647 Before=sysinit.target
615 [Service]
648 [Service]
616 Type=oneshot
649 Type=oneshot
617 ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
650 ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
618 ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
651 ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
619 ExecStop=/etc/iptables/flush-ip6tables.sh
652 ExecStop=/etc/iptables/flush-ip6tables.sh
620 RemainAfterExit=yes
653 RemainAfterExit=yes
621 [Install]
654 [Install]
622 WantedBy=multi-user.target
655 WantedBy=multi-user.target
623 EOM
656 EOM
624
657
625 # Create ip6tables file
658 # Create ip6tables file
626 cat <<EOM >$R/etc/iptables/flush-ip6tables.sh
659 cat <<EOM >$R/etc/iptables/flush-ip6tables.sh
627 #!/bin/sh
660 #!/bin/sh
628 ip6tables -F
661 ip6tables -F
629 ip6tables -X
662 ip6tables -X
630 ip6tables -Z
663 ip6tables -Z
631 for table in $(</proc/net/ip6_tables_names)
664 for table in $(</proc/net/ip6_tables_names)
632 do
665 do
633 ip6tables -t \$table -F
666 ip6tables -t \$table -F
634 ip6tables -t \$table -X
667 ip6tables -t \$table -X
635 ip6tables -t \$table -Z
668 ip6tables -t \$table -Z
636 done
669 done
637 ip6tables -P INPUT ACCEPT
670 ip6tables -P INPUT ACCEPT
638 ip6tables -P OUTPUT ACCEPT
671 ip6tables -P OUTPUT ACCEPT
639 ip6tables -P FORWARD ACCEPT
672 ip6tables -P FORWARD ACCEPT
640 EOM
673 EOM
641
674
642 # Create ip6tables rule file
675 # Create ip6tables rule file
643 cat <<EOM >$R/etc/iptables/ip6tables.rules
676 cat <<EOM >$R/etc/iptables/ip6tables.rules
644 *filter
677 *filter
645 :INPUT DROP [0:0]
678 :INPUT DROP [0:0]
646 :FORWARD DROP [0:0]
679 :FORWARD DROP [0:0]
647 :OUTPUT ACCEPT [0:0]
680 :OUTPUT ACCEPT [0:0]
648 :TCP - [0:0]
681 :TCP - [0:0]
649 :UDP - [0:0]
682 :UDP - [0:0]
650 :SSH - [0:0]
683 :SSH - [0:0]
651
684
652 # Drop packets with RH0 headers
685 # Drop packets with RH0 headers
653 -A INPUT -m rt --rt-type 0 -j DROP
686 -A INPUT -m rt --rt-type 0 -j DROP
654 -A OUTPUT -m rt --rt-type 0 -j DROP
687 -A OUTPUT -m rt --rt-type 0 -j DROP
655 -A FORWARD -m rt --rt-type 0 -j DROP
688 -A FORWARD -m rt --rt-type 0 -j DROP
656
689
657 # Rate limit ping requests
690 # Rate limit ping requests
658 -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
691 -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
659 -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
692 -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
660
693
661 # Accept established connections
694 # Accept established connections
662 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
695 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
663
696
664 # Accept all traffic on loopback interface
697 # Accept all traffic on loopback interface
665 -A INPUT -i lo -j ACCEPT
698 -A INPUT -i lo -j ACCEPT
666
699
667 # Drop packets declared invalid
700 # Drop packets declared invalid
668 -A INPUT -m conntrack --ctstate INVALID -j DROP
701 -A INPUT -m conntrack --ctstate INVALID -j DROP
669
702
670 # SSH rate limiting
703 # SSH rate limiting
671 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
704 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
672 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
705 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
673 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
706 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
674 -A SSH -m recent --name sshbf --set -j ACCEPT
707 -A SSH -m recent --name sshbf --set -j ACCEPT
675
708
676 # Send TCP and UDP connections to their respective rules chain
709 # Send TCP and UDP connections to their respective rules chain
677 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
710 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
678 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
711 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
679
712
680 # Reject dropped packets with a RFC compliant responce
713 # Reject dropped packets with a RFC compliant responce
681 -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
714 -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
682 -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
715 -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
683 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
716 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
684
717
685 ## TCP PORT RULES
718 ## TCP PORT RULES
686 # -A TCP -p tcp -j LOG
719 # -A TCP -p tcp -j LOG
687
720
688 ## UDP PORT RULES
721 ## UDP PORT RULES
689 # -A UDP -p udp -j LOG
722 # -A UDP -p udp -j LOG
690
723
691 COMMIT
724 COMMIT
692 EOM
725 EOM
693
726
694 # Reload systemd configuration and enable iptables service
727 # Reload systemd configuration and enable iptables service
695 LANG=C chroot $R systemctl daemon-reload
728 LANG=C chroot $R systemctl daemon-reload
696 LANG=C chroot $R systemctl enable ip6tables.service
729 LANG=C chroot $R systemctl enable ip6tables.service
697 fi
730 fi
698 fi
731 fi
699
732
700 # Remove SSHD related iptables rules
733 # Remove SSHD related iptables rules
701 if [ "$ENABLE_SSHD" = false ] ; then
734 if [ "$ENABLE_SSHD" = false ] ; then
702 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/iptables.rules 2> /dev/null
735 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/iptables.rules 2> /dev/null
703 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/ip6tables.rules 2> /dev/null
736 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/ip6tables.rules 2> /dev/null
704 fi
737 fi
705
738
706 # Install gcc/c++ build environment inside the chroot
739 # Install gcc/c++ build environment inside the chroot
707 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
740 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
708 LANG=C chroot $R apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
741 LANG=C chroot $R apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
709 fi
742 fi
710
743
711 # Fetch and build U-Boot bootloader
744 # Fetch and build U-Boot bootloader
712 if [ "$ENABLE_UBOOT" = true ] ; then
745 if [ "$ENABLE_UBOOT" = true ] ; then
713 # Fetch U-Boot bootloader sources
746 # Fetch U-Boot bootloader sources
714 git -C $R/tmp clone git://git.denx.de/u-boot.git
747 git -C $R/tmp clone git://git.denx.de/u-boot.git
715
748
716 # Build and install U-Boot inside chroot
749 # Build and install U-Boot inside chroot
717 LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all
750 LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all
718
751
719 # Copy compiled bootloader binary and set config.txt to load it
752 # Copy compiled bootloader binary and set config.txt to load it
720 cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
753 cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
721 printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
754 printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
722
755
723 # Set U-Boot command file
756 # Set U-Boot command file
724 cat <<EOM >$R/boot/firmware/uboot.mkimage
757 cat <<EOM >$R/boot/firmware/uboot.mkimage
725 # Tell Linux that it is booting on a Raspberry Pi2
758 # Tell Linux that it is booting on a Raspberry Pi2
726 setenv machid 0x00000c42
759 setenv machid 0x00000c42
727
760
728 # Set the kernel boot command line
761 # Set the kernel boot command line
729 setenv bootargs "earlyprintk ${CMDLINE}"
762 setenv bootargs "earlyprintk ${CMDLINE}"
730
763
731 # Save these changes to u-boot's environment
764 # Save these changes to u-boot's environment
732 saveenv
765 saveenv
733
766
734 # Load the existing Linux kernel into RAM
767 # Load the existing Linux kernel into RAM
735 fatload mmc 0:1 \${kernel_addr_r} kernel7.img
768 fatload mmc 0:1 \${kernel_addr_r} kernel7.img
736
769
737 # Boot the kernel we have just loaded
770 # Boot the kernel we have just loaded
738 bootz \${kernel_addr_r}
771 bootz \${kernel_addr_r}
739 EOM
772 EOM
740
773
741 # Generate U-Boot image from command file
774 # Generate U-Boot image from command file
742 LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
775 LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
743 fi
776 fi
744
777
745 # Fetch and build fbturbo Xorg driver
778 # Fetch and build fbturbo Xorg driver
746 if [ "$ENABLE_FBTURBO" = true ] ; then
779 if [ "$ENABLE_FBTURBO" = true ] ; then
747 # Fetch fbturbo driver sources
780 # Fetch fbturbo driver sources
748 git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git
781 git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git
749
782
750 # Install Xorg build dependencies
783 # Install Xorg build dependencies
751 LANG=C chroot $R apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
784 LANG=C chroot $R apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
752
785
753 # Build and install fbturbo driver inside chroot
786 # Build and install fbturbo driver inside chroot
754 LANG=C chroot $R /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install"
787 LANG=C chroot $R /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install"
755
788
756 # Add fbturbo driver to Xorg configuration
789 # Add fbturbo driver to Xorg configuration
757 cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf
790 cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf
758 Section "Device"
791 Section "Device"
759 Identifier "Allwinner A10/A13 FBDEV"
792 Identifier "Allwinner A10/A13 FBDEV"
760 Driver "fbturbo"
793 Driver "fbturbo"
761 Option "fbdev" "/dev/fb0"
794 Option "fbdev" "/dev/fb0"
762 Option "SwapbuffersWait" "true"
795 Option "SwapbuffersWait" "true"
763 EndSection
796 EndSection
764 EOM
797 EOM
765
798
766 # Remove Xorg build dependencies
799 # Remove Xorg build dependencies
767 LANG=C chroot $R apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
800 LANG=C chroot $R apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
768 fi
801 fi
769
802
770 # Remove gcc/c++ build environment from the chroot
803 # Remove gcc/c++ build environment from the chroot
771 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
804 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
772 LANG=C chroot $R apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
805 LANG=C chroot $R apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
773 fi
806 fi
774
807
775 # Clean cached downloads
808 # Clean cached downloads
776 LANG=C chroot $R apt-get -y clean
809 LANG=C chroot $R apt-get -y clean
777 LANG=C chroot $R apt-get -y autoclean
810 LANG=C chroot $R apt-get -y autoclean
778 LANG=C chroot $R apt-get -y autoremove
811 LANG=C chroot $R apt-get -y autoremove
779
812
780 # Unmount mounted filesystems
813 # Unmount mounted filesystems
781 umount -l $R/proc
814 umount -l $R/proc
782 umount -l $R/sys
815 umount -l $R/sys
783
816
784 # Clean up files
817 # Clean up files
785 rm -f $R/etc/apt/sources.list.save
818 rm -f $R/etc/apt/sources.list.save
786 rm -f $R/etc/resolvconf/resolv.conf.d/original
819 rm -f $R/etc/resolvconf/resolv.conf.d/original
787 rm -rf $R/run
820 rm -rf $R/run
788 mkdir -p $R/run
821 mkdir -p $R/run
789 rm -f $R/etc/*-
822 rm -f $R/etc/*-
790 rm -f $R/root/.bash_history
823 rm -f $R/root/.bash_history
791 rm -rf $R/tmp/*
824 rm -rf $R/tmp/*
792 rm -f $R/var/lib/urandom/random-seed
825 rm -f $R/var/lib/urandom/random-seed
793 [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id
826 [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id
794 rm -f $R/etc/machine-id
827 rm -f $R/etc/machine-id
795 rm -fr $R/etc/apt/apt.conf.d/10proxy
828 rm -fr $R/etc/apt/apt.conf.d/10proxy
796
829
797 # Calculate size of the chroot directory
830 # Calculate size of the chroot directory
798 CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)
831 CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)
799
832
800 # Calculate required image size
833 # Calculate required image size
801 IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`
834 IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`
802
835
803 # Calculate number of sectors for the partition
836 # Calculate number of sectors for the partition
804 IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`
837 IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`
805
838
806 # Prepare date string for image file name
839 # Prepare date string for image file name
807 DATE="$(date +%Y-%m-%d)"
840 DATE="$(date +%Y-%m-%d)"
808
841
809 # Prepare image file
842 # Prepare image file
810 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1
843 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1
811 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}
844 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}
812
845
813 # Write partition table
846 # Write partition table
814 sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
847 sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
815 unit: sectors
848 unit: sectors
816
849
817 1 : start= 2048, size= 131072, Id= c, bootable
850 1 : start= 2048, size= 131072, Id= c, bootable
818 2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83
851 2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83
819 3 : start= 0, size= 0, Id= 0
852 3 : start= 0, size= 0, Id= 0
820 4 : start= 0, size= 0, Id= 0
853 4 : start= 0, size= 0, Id= 0
821 EOM
854 EOM
822
855
823 # Set up temporary loop devices and build filesystems
856 # Set up temporary loop devices and build filesystems
824 VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
857 VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
825 EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
858 EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
826 mkfs.vfat "$VFAT_LOOP"
859 mkfs.vfat "$VFAT_LOOP"
827 mkfs.ext4 "$EXT4_LOOP"
860 mkfs.ext4 "$EXT4_LOOP"
828
861
829 # Mount the temporary loop devices
862 # Mount the temporary loop devices
830 mkdir -p "$BUILDDIR/mount"
863 mkdir -p "$BUILDDIR/mount"
831 mount "$EXT4_LOOP" "$BUILDDIR/mount"
864 mount "$EXT4_LOOP" "$BUILDDIR/mount"
832
865
833 mkdir -p "$BUILDDIR/mount/boot/firmware"
866 mkdir -p "$BUILDDIR/mount/boot/firmware"
834 mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"
867 mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"
835
868
836 # Copy all files from the chroot to the loop device mount point directory
869 # Copy all files from the chroot to the loop device mount point directory
837 rsync -a "$R/" "$BUILDDIR/mount/"
870 rsync -a "$R/" "$BUILDDIR/mount/"
838
871
839 # Unmount all temporary loop devices and mount points
872 # Unmount all temporary loop devices and mount points
840 cleanup
873 cleanup
841
874
842 # (optinal) create block map file for "bmaptool"
875 # (optinal) create block map file for "bmaptool"
843 bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
876 bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
844
877
845 # Image was successfully created
878 # Image was successfully created
846 echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"
879 echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"
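Review bot: the U-Boot clone `git -C $R/tmp clone git://git.denx.de/u-boot.git` fetches the bootloader sources over the unauthenticated `git://` transport and builds whatever comes back straight into `u-boot.bin` on the boot partition, with no tag or commit pinned; prefer the `https://` URL and a fixed ref, for example `git -C $R/tmp clone --branch <tag> https://git.denx.de/u-boot.git` (tag to be chosen by the maintainer), and the fbturbo clone a few lines below deserves the same pinning even though it already uses HTTPS. The toolchain install `LANG=C chroot $R apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc` also passes `--force-yes`, which makes apt continue without prompting where it would otherwise stop, including on packages it cannot authenticate; `-y` alone is sufficient for a non-interactive install, as the later `apt-get -y -q purge --auto-remove ...` call already shows. Two smaller points: `rsync -a "$R/" "$BUILDDIR/mount/"` does not copy extended attributes or ACLs, so file capabilities set with setcap inside the chroot are silently dropped from the image (`-aAX` preserves them); and the ext4 loop device is set up with `--sizelimit \`expr ${IMAGE_SIZE} - 64\`M` while partition 2 in the sfdisk table is `${IMAGE_SECTORS}` sectors, i.e. the image size minus 65 MiB, so the filesystem only ends up the right size because the kernel clamps the loop device to the end of the file; deriving both from the same arithmetic would make the intent explicit. Finally, "optinal" in the bmaptool comment should read "optional".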