@@ -150,6 +150,9 password, use only in trusted environments. | |||||
150 | ##### `ENABLE_HARDNET`=false |
|
150 | ##### `ENABLE_HARDNET`=false | |
151 | Enable IPv4/IPv6 network stack hardening settings. |
|
151 | Enable IPv4/IPv6 network stack hardening settings. | |
152 |
|
152 | |||
|
153 | ##### `ENABLE_SPLITFS`=false | |||
|
154 | Enable having root partition on an USB drive by creating two image files: one for the `/boot/firmware` mount point, and another for `/`. | |||
|
155 | ||||
153 | ##### `CHROOT_SCRIPTS`="" |
|
156 | ##### `CHROOT_SCRIPTS`="" | |
154 | Path to a directory with scripts that should be run in the chroot before the image is finally built. Every executable file in this direcory is run in lexicographical order. |
|
157 | Path to a directory with scripts that should be run in the chroot before the image is finally built. Every executable file in this direcory is run in lexicographical order. | |
155 |
|
158 | |||
@@ -212,3 +215,8 After the image file was successfully created by the `rpi2-gen-image.sh` script | |||||
212 | bmaptool copy ./images/jessie/2015-12-13-debian-jessie.img /dev/mmcblk0 |
|
215 | bmaptool copy ./images/jessie/2015-12-13-debian-jessie.img /dev/mmcblk0 | |
213 | dd bs=4M if=./images/jessie/2015-12-13-debian-jessie.img of=/dev/mmcblk0 |
|
216 | dd bs=4M if=./images/jessie/2015-12-13-debian-jessie.img of=/dev/mmcblk0 | |
214 | ``` |
|
217 | ``` | |
|
218 | If you have set `ENABLE_SPLITFS`, copy the `-frmw` image on the microSD card, then the `-root` one on the USB drive: | |||
|
219 | ```shell | |||
|
220 | bmaptool copy ./images/jessie/2015-12-13-debian-jessie-frmw.img /dev/mmcblk0 | |||
|
221 | bmaptool copy ./images/jessie/2015-12-13-debian-jessie-root.img /dev/sdc | |||
|
222 | ``` |
@@ -61,7 +61,11 else | |||||
61 | fi |
|
61 | fi | |
62 |
|
62 | |||
63 | # Set up firmware boot cmdline |
|
63 | # Set up firmware boot cmdline | |
64 | CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1 ${CMDLINE}" |
|
64 | if [ "$ENABLE_SPLITFS" = true ] ; then | |
|
65 | CMDLINE="dwc_otg.lpm_enable=0 root=/dev/sda1 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1 ${CMDLINE}" | |||
|
66 | else | |||
|
67 | CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1 ${CMDLINE}" | |||
|
68 | fi | |||
65 |
|
69 | |||
66 | # Set up serial console support (if requested) |
|
70 | # Set up serial console support (if requested) | |
67 | if [ "$ENABLE_CONSOLE" = true ] ; then |
|
71 | if [ "$ENABLE_CONSOLE" = true ] ; then | |
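Review bot: The split-filesystem branch hard-codes `root=/dev/sda1` into the kernel command line (new line 65), but `sdX` names are handed out in enumeration order, so any other USB mass-storage device present at boot — including one an attacker attaches — can become `sda` and be mounted as the root filesystem instead of the intended drive. A stable identifier such as `root=PARTUUID=…` or `root=LABEL=…`, fixed when the partition table is written, would remove that dependency; if the device name has to stay, the README entry for `ENABLE_SPLITFS` should at least say that the USB drive must be the only one attached. The two `CMDLINE=` assignments also differ only in the `root=` value, so the branch could be reduced to `ROOT_DEV=/dev/mmcblk0p2`, `if [ "$ENABLE_SPLITFS" = true ] ; then ROOT_DEV=/dev/sda1 ; fi` and a single `CMDLINE="dwc_otg.lpm_enable=0 root=${ROOT_DEV} …"` line, which keeps the remaining flags from drifting apart between the two cases.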
@@ -110,6 +114,9 install_readonly files/modprobe.d/raspi-blacklist.conf $R/etc/modprobe.d/raspi-b | |||||
110 |
|
114 | |||
111 | # Create default fstab |
|
115 | # Create default fstab | |
112 | install_readonly files/mount/fstab $R/etc/fstab |
|
116 | install_readonly files/mount/fstab $R/etc/fstab | |
|
117 | if [ "$ENABLE_SPLITFS" = true ] ; then | |||
|
118 | sed -i 's/mmcblk0p2/sda1/' $R/etc/fstab | |||
|
119 | fi | |||
113 |
|
120 | |||
114 | # Avoid swapping and increase cache sizes |
|
121 | # Avoid swapping and increase cache sizes | |
115 | install_readonly files/sysctl.d/81-rpi-vm.conf $R/etc/sysctl.d/81-rpi-vm.conf |
|
122 | install_readonly files/sysctl.d/81-rpi-vm.conf $R/etc/sysctl.d/81-rpi-vm.conf |
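Review bot: `sed -i 's/mmcblk0p2/sda1/' $R/etc/fstab` (new line 118) silently does nothing if `files/mount/fstab` ever stops containing the literal `mmcblk0p2`, in which case the image would still try to mount the microSD partition as root while the kernel was told `root=/dev/sda1`; `$R` is also unquoted, unlike the `install_readonly` line just above. Prefer `sed -i 's|/dev/mmcblk0p2|/dev/sda1|' "$R/etc/fstab"` followed by `grep -q '/dev/sda1' "$R/etc/fstab" || { echo "fstab: root entry not rewritten" >&2 ; exit 1 ; }` so a stale template fails the build rather than producing an unbootable image. As with the command line, `/dev/sda1` depends on USB enumeration order; a `PARTUUID=` or `LABEL=` entry would be more robust here too.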
@@ -60,7 +60,7 chroot_exec systemctl enable systemd-networkd | |||||
60 |
|
60 | |||
61 | # Enable network stack hardening |
|
61 | # Enable network stack hardening | |
62 | if [ "$ENABLE_HARDNET" = true ] ; then |
|
62 | if [ "$ENABLE_HARDNET" = true ] ; then | |
63 |
install_readonly files/sysctl.d/8 |
|
63 | install_readonly files/sysctl.d/82-rpi-net-hardening.conf $R/etc/sysctl.d/82-rpi-net-hardening.conf | |
64 |
|
64 | |||
65 | # Enable resolver warnings about spoofed addresses |
|
65 | # Enable resolver warnings about spoofed addresses | |
66 | cat <<EOM >>$R/etc/host.conf |
|
66 | cat <<EOM >>$R/etc/host.conf |
@@ -17,8 +17,8 cleanup (){ | |||||
17 | umount -l $R/dev/pts 2> /dev/null |
|
17 | umount -l $R/dev/pts 2> /dev/null | |
18 | umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null |
|
18 | umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null | |
19 | umount "$BUILDDIR/mount" 2> /dev/null |
|
19 | umount "$BUILDDIR/mount" 2> /dev/null | |
20 |
losetup -d "$ |
|
20 | losetup -d "$ROOT_LOOP" 2> /dev/null | |
21 |
losetup -d "$ |
|
21 | losetup -d "$FRMW_LOOP" 2> /dev/null | |
22 | trap - 0 1 2 3 6 |
|
22 | trap - 0 1 2 3 6 | |
23 | } |
|
23 | } | |
24 |
|
24 |
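Review bot: The new `losetup -d` calls (new lines 20–21) discard every failure, including the case where the non-lazy `umount "$BUILDDIR/mount"` above them failed because the mount point was still busy; the loop device then stays attached to the image file while, as far as the later hunks of this script show, `bmaptool create` is run on that same file and success is reported. Because the two variables are only assigned once the images exist, guard and report instead of silencing: `[ -z "$ROOT_LOOP" ] || losetup -d "$ROOT_LOOP" || echo "warning: $ROOT_LOOP still attached" >&2`, and the same line for `FRMW_LOOP`. The opening line of `cleanup` lies outside the hunk.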
@@ -81,6 +81,7 ENABLE_UBOOT=${ENABLE_UBOOT:=false} | |||||
81 | ENABLE_FBTURBO=${ENABLE_FBTURBO:=false} |
|
81 | ENABLE_FBTURBO=${ENABLE_FBTURBO:=false} | |
82 | ENABLE_HARDNET=${ENABLE_HARDNET:=false} |
|
82 | ENABLE_HARDNET=${ENABLE_HARDNET:=false} | |
83 | ENABLE_IPTABLES=${ENABLE_IPTABLES:=false} |
|
83 | ENABLE_IPTABLES=${ENABLE_IPTABLES:=false} | |
|
84 | ENABLE_SPLITFS=${ENABLE_SPLITFS:=false} | |||
84 |
|
85 | |||
85 | # Kernel compilation settings |
|
86 | # Kernel compilation settings | |
86 | BUILD_KERNEL=${BUILD_KERNEL:=false} |
|
87 | BUILD_KERNEL=${BUILD_KERNEL:=false} | |
@@ -259,8 +260,8 CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'`) | |||||
259 |
|
260 | |||
260 | # Calculate the amount of needed 512 Byte sectors |
|
261 | # Calculate the amount of needed 512 Byte sectors | |
261 | TABLE_SECTORS=$(expr 1 \* 1024 \* 1024 \/ 512) |
|
262 | TABLE_SECTORS=$(expr 1 \* 1024 \* 1024 \/ 512) | |
262 |
|
|
263 | FRMW_SECTORS=$(expr 64 \* 1024 \* 1024 \/ 512) | |
263 |
ROOT_OFFSET=$(expr ${TABLE_SECTORS} + ${ |
|
264 | ROOT_OFFSET=$(expr ${TABLE_SECTORS} + ${FRMW_SECTORS}) | |
264 |
|
265 | |||
265 | # The root partition is EXT4 |
|
266 | # The root partition is EXT4 | |
266 | # This means more space than the actual used space of the chroot is used. |
|
267 | # This means more space than the actual used space of the chroot is used. | |
@@ -268,37 +269,64 ROOT_OFFSET=$(expr ${TABLE_SECTORS} + ${BOOT_SECTORS}) | |||||
268 | ROOT_SECTORS=$(expr $(expr ${CHROOT_SIZE} + ${CHROOT_SIZE} \/ 100 \* 20) \* 1024 \/ 512) |
|
269 | ROOT_SECTORS=$(expr $(expr ${CHROOT_SIZE} + ${CHROOT_SIZE} \/ 100 \* 20) \* 1024 \/ 512) | |
269 |
|
270 | |||
270 | # Calculate required image size in 512 Byte sectors |
|
271 | # Calculate required image size in 512 Byte sectors | |
271 |
IMAGE_SECTORS=$(expr ${TABLE_SECTORS} + ${ |
|
272 | IMAGE_SECTORS=$(expr ${TABLE_SECTORS} + ${FRMW_SECTORS} + ${ROOT_SECTORS}) | |
272 |
|
273 | |||
273 | # Prepare date string for image file name |
|
274 | # Prepare date string for image file name | |
274 | DATE="$(date +%Y-%m-%d)" |
|
275 | DATE="$(date +%Y-%m-%d)" | |
275 |
|
276 | |||
276 | # Prepare image file |
|
277 | # Prepare image file | |
277 | dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count=${TABLE_SECTORS} |
|
278 | if [ "$ENABLE_SPLITFS" = true ] ; then | |
278 |
dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count= |
|
279 | dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img" bs=512 count=${TABLE_SECTORS} | |
|
280 | dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img" bs=512 count=0 seek=${FRMW_SECTORS} | |||
|
281 | dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-root.img" bs=512 count=${TABLE_SECTORS} | |||
|
282 | dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-root.img" bs=512 count=0 seek=${ROOT_SECTORS} | |||
|
283 | # Write partition tables | |||
|
284 | sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img" <<EOM | |||
|
285 | unit: sectors | |||
279 |
|
286 | |||
280 | # Write partition table |
|
287 | 1 : start= ${TABLE_SECTORS}, size= ${FRMW_SECTORS}, Id= c, bootable | |
281 | sfdisk -q -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM |
|
288 | 2 : start= 0, size= 0, Id= 0 | |
|
289 | 3 : start= 0, size= 0, Id= 0 | |||
|
290 | 4 : start= 0, size= 0, Id= 0 | |||
|
291 | EOM | |||
|
292 | sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}-root.img" <<EOM | |||
|
293 | unit: sectors | |||
|
294 | ||||
|
295 | 1 : start= ${TABLE_SECTORS}, size= ${ROOT_SECTORS}, Id=83 | |||
|
296 | 2 : start= 0, size= 0, Id= 0 | |||
|
297 | 3 : start= 0, size= 0, Id= 0 | |||
|
298 | 4 : start= 0, size= 0, Id= 0 | |||
|
299 | EOM | |||
|
300 | # Set up temporary loop devices | |||
|
301 | FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}-frmw.img)" | |||
|
302 | ROOT_LOOP="$(losetup -o 1M -f --show $BASEDIR/${DATE}-debian-${RELEASE}-root.img)" | |||
|
303 | else | |||
|
304 | dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count=${TABLE_SECTORS} | |||
|
305 | dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count=0 seek=${IMAGE_SECTORS} | |||
|
306 | # Write partition table | |||
|
307 | sfdisk -q -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM | |||
282 | unit: sectors |
|
308 | unit: sectors | |
283 |
|
309 | |||
284 |
1 : start= ${TABLE_SECTORS}, size= ${ |
|
310 | 1 : start= ${TABLE_SECTORS}, size= ${FRMW_SECTORS}, Id= c, bootable | |
285 | 2 : start= ${ROOT_OFFSET}, size= ${ROOT_SECTORS}, Id=83 |
|
311 | 2 : start= ${ROOT_OFFSET}, size= ${ROOT_SECTORS}, Id=83 | |
286 | 3 : start= 0, size= 0, Id= 0 |
|
312 | 3 : start= 0, size= 0, Id= 0 | |
287 | 4 : start= 0, size= 0, Id= 0 |
|
313 | 4 : start= 0, size= 0, Id= 0 | |
288 | EOM |
|
314 | EOM | |
|
315 | # Set up temporary loop devices | |||
|
316 | FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)" | |||
|
317 | ROOT_LOOP="$(losetup -o 65M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)" | |||
|
318 | fi | |||
289 |
|
319 | |||
290 | # Set up temporary loop devices and build filesystems |
|
320 | # Build filesystems | |
291 | VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)" |
|
321 | mkfs.vfat "$FRMW_LOOP" | |
292 | EXT4_LOOP="$(losetup -o 65M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)" |
|
322 | mkfs.ext4 "$ROOT_LOOP" | |
293 | mkfs.vfat "$VFAT_LOOP" |
|
|||
294 | mkfs.ext4 "$EXT4_LOOP" |
|
|||
295 |
|
323 | |||
296 | # Mount the temporary loop devices |
|
324 | # Mount the temporary loop devices | |
297 | mkdir -p "$BUILDDIR/mount" |
|
325 | mkdir -p "$BUILDDIR/mount" | |
298 |
mount "$ |
|
326 | mount "$ROOT_LOOP" "$BUILDDIR/mount" | |
299 |
|
327 | |||
300 | mkdir -p "$BUILDDIR/mount/boot/firmware" |
|
328 | mkdir -p "$BUILDDIR/mount/boot/firmware" | |
301 |
mount "$ |
|
329 | mount "$FRMW_LOOP" "$BUILDDIR/mount/boot/firmware" | |
302 |
|
330 | |||
303 | # Copy all files from the chroot to the loop device mount point directory |
|
331 | # Copy all files from the chroot to the loop device mount point directory | |
304 | rsync -a "$R/" "$BUILDDIR/mount/" |
|
332 | rsync -a "$R/" "$BUILDDIR/mount/" | |
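Review bot: In the `ENABLE_SPLITFS` branch both image files are one partition-table's worth too small: `-frmw.img` is extended only to `seek=${FRMW_SECTORS}` (new line 280) and `-root.img` only to `seek=${ROOT_SECTORS}` (line 282), yet the partition tables written immediately afterwards place each single partition at `start= ${TABLE_SECTORS}` with that same `size=`, so every partition ends `TABLE_SECTORS` (1 MiB) beyond the end of its file, whereas the non-split branch seeks to `IMAGE_SECTORS`, which includes `TABLE_SECTORS`. The loop devices and `mkfs` consequently see a device smaller than the partition table claims, and once the image is written to media the filesystem and the partition disagree on size. Use `seek=$(expr ${TABLE_SECTORS} + ${FRMW_SECTORS})` on line 280 and `seek=$(expr ${TABLE_SECTORS} + ${ROOT_SECTORS})` on line 282. Separately, the four new `losetup … --show $BASEDIR/…` lines leave `$BASEDIR` unquoted while every neighbouring `dd` and `sfdisk` line quotes the same path; quote it for consistency.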
@@ -306,8 +334,19 rsync -a "$R/" "$BUILDDIR/mount/" | |||||
306 | # Unmount all temporary loop devices and mount points |
|
334 | # Unmount all temporary loop devices and mount points | |
307 | cleanup |
|
335 | cleanup | |
308 |
|
336 | |||
309 |
# Create block map file |
|
337 | # Create block map file(s) of image(s) | |
310 | bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img" |
|
338 | if [ "$ENABLE_SPLITFS" = true ] ; then | |
|
339 | # Create block map files for "bmaptool" | |||
|
340 | bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}-frmw.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img" | |||
|
341 | bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}-root.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}-root.img" | |||
311 |
|
342 | |||
312 | # Image was successfully created |
|
343 | # Image was successfully created | |
313 |
echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${ |
|
344 | echo "$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img ($(expr ${TABLE_SECTORS} + ${FRMW_SECTORS} \* 512 \/ 1024 \/ 1024)M)" ": successfully created" | |
|
345 | echo "$BASEDIR/${DATE}-debian-${RELEASE}-root.img ($(expr ${TABLE_SECTORS} + ${ROOT_SECTORS} \* 512 \/ 1024 \/ 1024)M)" ": successfully created" | |||
|
346 | else | |||
|
347 | # Create block map file for "bmaptool" | |||
|
348 | bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img" | |||
|
349 | ||||
|
350 | # Image was successfully created | |||
|
351 | echo "$BASEDIR/${DATE}-debian-${RELEASE}.img ($(expr ${TABLE_SECTORS} + ${FRMW_SECTORS} + ${ROOT_SECTORS} \* 512 \/ 1024 \/ 1024)M)" ": successfully created" | |||
|
352 | fi |
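Review bot: The image sizes printed on new lines 344, 345 and 351 are computed with the wrong precedence: in `expr ${TABLE_SECTORS} + ${FRMW_SECTORS} \* 512 \/ 1024 \/ 1024` only the last term is scaled to MiB, so the output is the raw sector count of the first term(s) plus the megabytes of the last — for the 64 MiB firmware image that is 2048 + 64, printed as `2112M` instead of `65M`. Parenthesise the sum, e.g. `$(expr \( ${TABLE_SECTORS} + ${FRMW_SECTORS} \) \* 512 \/ 1024 \/ 1024)`, and do the same for the `-root` line and the single-image line, which adds three terms before the multiplication.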