Merge branch 'stylesuxx-add-custom-packages'
Jan Wagner -
r43:e92606bf4198 Fusion
@@ -1,135 +1,138
1 # rpi2-gen-image
1 # rpi2-gen-image
2 ## Introduction
2 ## Introduction
3 `rpi2-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for the Raspberry 2 (RPi2) computer. The script at this time only supports the bootstrapping of the current stable Debian 8 "jessie" release.
3 `rpi2-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for the Raspberry 2 (RPi2) computer. The script at this time only supports the bootstrapping of the current stable Debian 8 "jessie" release.
4
4
5 ## Build dependencies
5 ## Build dependencies
6 The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user.
6 The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user.
7
7
8 ```debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core```
8 ```debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core```
9
9
10 ## Command-line parameters
10 ## Command-line parameters
11 The script accepts certain command-line parameters to enable or disable specific OS features, services and configuration settings. These parameters are passed to the `rpi2-gen-image.sh` script via (simple) shell-variables. Unlike environment shell-variables (simple) shell-variables are defined at the beginning of the command-line call of the `rpi2-gen-image.sh` script.
11 The script accepts certain command-line parameters to enable or disable specific OS features, services and configuration settings. These parameters are passed to the `rpi2-gen-image.sh` script via (simple) shell-variables. Unlike environment shell-variables (simple) shell-variables are defined at the beginning of the command-line call of the `rpi2-gen-image.sh` script.
12
12
13 #####Command-line examples:
13 #####Command-line examples:
14 ```shell
14 ```shell
15 ENABLE_UBOOT=true ./rpi2-gen-image.sh
15 ENABLE_UBOOT=true ./rpi2-gen-image.sh
16 ENABLE_CONSOLE=false ENABLE_IPV6=false ./rpi2-gen-image.sh
16 ENABLE_CONSOLE=false ENABLE_IPV6=false ./rpi2-gen-image.sh
17 ENABLE_WM=xfce4 ENABLE_FBTURBO=true ENABLE_MINBASE=true ./rpi2-gen-image.sh
17 ENABLE_WM=xfce4 ENABLE_FBTURBO=true ENABLE_MINBASE=true ./rpi2-gen-image.sh
18 ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi2-gen-image.sh
18 ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi2-gen-image.sh
19 APT_SERVER=ftp.de.debian.org APT_PROXY="http://127.0.0.1:3142/" ./rpi2-gen-image.sh
19 APT_SERVER=ftp.de.debian.org APT_PROXY="http://127.0.0.1:3142/" ./rpi2-gen-image.sh
20 ENABLE_MINBASE=true ./rpi2-gen-image.sh
20 ENABLE_MINBASE=true ./rpi2-gen-image.sh
21 ```
21 ```
22
22
23 #### APT settings:
23 #### APT settings:
24 ##### `APT_SERVER`="ftp.debian.org"
24 ##### `APT_SERVER`="ftp.debian.org"
25 Set Debian packages server address. Choose a server from the list of Debian worldwide [mirror sites](https://www.debian.org/mirror/list). Using a nearby server will probably speed-up all required downloads within the bootstrapping process.
25 Set Debian packages server address. Choose a server from the list of Debian worldwide [mirror sites](https://www.debian.org/mirror/list). Using a nearby server will probably speed-up all required downloads within the bootstrapping process.
26
26
27 ##### `APT_PROXY`=""
27 ##### `APT_PROXY`=""
28 Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once.
28 Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once.
29
29
30 ##### `APT_INCLUDES`=""
31 A comma seperated list of additional packages to be installed during bootstrapping.
32
30 #### General system settings:
33 #### General system settings:
31 ##### `HOSTNAME`="rpi2-jessie"
34 ##### `HOSTNAME`="rpi2-jessie"
32 Set system host name. It's recommended that the host name is unique in the corresponding subnet.
35 Set system host name. It's recommended that the host name is unique in the corresponding subnet.
33
36
34 ##### `PASSWORD`="raspberry"
37 ##### `PASSWORD`="raspberry"
35 Set system `root` password. The same password is used for the created user `pi`. It's **STRONGLY** recommended that you choose a custom password.
38 Set system `root` password. The same password is used for the created user `pi`. It's **STRONGLY** recommended that you choose a custom password.
36
39
37 ##### `DEFLOCAL`="en_US.UTF-8"
40 ##### `DEFLOCAL`="en_US.UTF-8"
38 Set default system locale. This setting can also be changed inside the running OS using the `dpkg-reconfigure locales` command. The script variant `minbase` (ENABLE_MINBASE=true) doesn't install `locales`.
41 Set default system locale. This setting can also be changed inside the running OS using the `dpkg-reconfigure locales` command. The script variant `minbase` (ENABLE_MINBASE=true) doesn't install `locales`.
39
42
40 ##### `TIMEZONE`="Europe/Berlin"
43 ##### `TIMEZONE`="Europe/Berlin"
41 Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command.
44 Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command.
42
45
43 #### Keyboard settings:
46 #### Keyboard settings:
44 These options are used to configure keyboard layout in `/etc/default/keyboard` for console and Xorg. These settings can also be changed inside the running OS using the `dpkg-reconfigure keyboard-configuration` command.
47 These options are used to configure keyboard layout in `/etc/default/keyboard` for console and Xorg. These settings can also be changed inside the running OS using the `dpkg-reconfigure keyboard-configuration` command.
45 ##### `XKBMODEL`=""
48 ##### `XKBMODEL`=""
46 ##### `XKBLAYOUT`=""
49 ##### `XKBLAYOUT`=""
47 ##### `XKBVARIANT`=""
50 ##### `XKBVARIANT`=""
48 ##### `XKBOPTIONS`=""
51 ##### `XKBOPTIONS`=""
49
52
50 #### Networking settings
53 #### Networking settings
51 These settings are used to set up networking configuration in `/etc/systemd/network/eth.network`.
54 These settings are used to set up networking configuration in `/etc/systemd/network/eth.network`.
52
55
53 #####`ENABLE_DHCP`=true
56 #####`ENABLE_DHCP`=true
54 Set the system to use DHCP. When set to "true", the following `NET_*` settings (used for static configuration) are ignored.
57 Set the system to use DHCP. When set to "true", the following `NET_*` settings (used for static configuration) are ignored.
55
58
56 #####`NET_ADDRESS`=""
59 #####`NET_ADDRESS`=""
57 Set a static IPv4 or IPv6 address and its prefix, separated by "/", eg. "192.169.0.3/24".
60 Set a static IPv4 or IPv6 address and its prefix, separated by "/", eg. "192.169.0.3/24".
58
61
59 #####`NET_GATEWAY`=""
62 #####`NET_GATEWAY`=""
60 Set the IP address for the default gateway.
63 Set the IP address for the default gateway.
61
64
62 #####`NET_DNS_1`=""
65 #####`NET_DNS_1`=""
63 Set the IP address for the first DNS server.
66 Set the IP address for the first DNS server.
64
67
65 #####`NET_DNS_2`=""
68 #####`NET_DNS_2`=""
66 Set the IP address for the second DNS server.
69 Set the IP address for the second DNS server.
67
70
68 #####`NET_DNS_DOMAINS`=""
71 #####`NET_DNS_DOMAINS`=""
69 Set the default DNS search domains to use for non fully qualified host names.
72 Set the default DNS search domains to use for non fully qualified host names.
70
73
71 #####`NET_NTP_1`=""
74 #####`NET_NTP_1`=""
72 Set the IP address for the first NTP server.
75 Set the IP address for the first NTP server.
73
76
74 #####`NET_NTP_2`=""
77 #####`NET_NTP_2`=""
75 Set the IP address for the second NTP server.
78 Set the IP address for the second NTP server.
76
79
77 #### Basic system features:
80 #### Basic system features:
78 ##### `ENABLE_CONSOLE`=true
81 ##### `ENABLE_CONSOLE`=true
79 Enable serial console interface. Recommended if no monitor or keyboard is connected to the RPi2. In case of problems fe. if the network (auto) configuration failed - the serial console can be used to access the system.
82 Enable serial console interface. Recommended if no monitor or keyboard is connected to the RPi2. In case of problems fe. if the network (auto) configuration failed - the serial console can be used to access the system.
80
83
81 ##### `ENABLE_IPV6`=true
84 ##### `ENABLE_IPV6`=true
82 Enable IPv6 support. The network interface configuration is managed via systemd-networkd.
85 Enable IPv6 support. The network interface configuration is managed via systemd-networkd.
83
86
84 ##### `ENABLE_SSHD`=true
87 ##### `ENABLE_SSHD`=true
85 Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root.
88 Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root.
86
89
87 ##### `ENABLE_SOUND`=true
90 ##### `ENABLE_SOUND`=true
88 Enable sound hardware and install Advanced Linux Sound Architecture.
91 Enable sound hardware and install Advanced Linux Sound Architecture.
89
92
90 ##### `ENABLE_HWRANDOM`=true
93 ##### `ENABLE_HWRANDOM`=true
91 Enable Hardware Random Number Generator. Strong random numbers are important for most network based communications that use encryption. It's recommended to be enabled.
94 Enable Hardware Random Number Generator. Strong random numbers are important for most network based communications that use encryption. It's recommended to be enabled.
92
95
93 ##### `ENABLE_MINGPU`=false
96 ##### `ENABLE_MINGPU`=false
94 Minimize the amount of shared memory reserved for the GPU. It doesn't seem to be possible to fully disable the GPU.
97 Minimize the amount of shared memory reserved for the GPU. It doesn't seem to be possible to fully disable the GPU.
95
98
96 ##### `ENABLE_DBUS`=true
99 ##### `ENABLE_DBUS`=true
97 Install and enable D-Bus message bus. Please note that systemd should work without D-bus but it's recommended to be enabled.
100 Install and enable D-Bus message bus. Please note that systemd should work without D-bus but it's recommended to be enabled.
98
101
99 ##### `ENABLE_XORG`=false
102 ##### `ENABLE_XORG`=false
100 Install Xorg open-source X Window System.
103 Install Xorg open-source X Window System.
101
104
102 ##### `ENABLE_WM`=""
105 ##### `ENABLE_WM`=""
103 Install a user defined window manager for the X Window System. To make sure all X related package dependencies are getting installed `ENABLE_XORG` will automatically get enabled if `ENABLE_WM` is used. The `rpi2-gen-image.sh` script has been tested with the following list of window managers: `blackbox`, `openbox`, `fluxbox`, `jwm`, `dwm`, `xfce4`, `awesome`.
106 Install a user defined window manager for the X Window System. To make sure all X related package dependencies are getting installed `ENABLE_XORG` will automatically get enabled if `ENABLE_WM` is used. The `rpi2-gen-image.sh` script has been tested with the following list of window managers: `blackbox`, `openbox`, `fluxbox`, `jwm`, `dwm`, `xfce4`, `awesome`.
104
107
105 #### Advanced sytem features:
108 #### Advanced sytem features:
106 ##### `ENABLE_MINBASE`=false
109 ##### `ENABLE_MINBASE`=false
107 Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB.
110 Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB.
108
111
109 ##### `ENABLE_UBOOT`=false
112 ##### `ENABLE_UBOOT`=false
110 Replace default RPi2 second stage bootloader (bootcode.bin) with U-Boot bootloader. U-Boot can boot images via the network using the BOOTP/TFTP protocol.
113 Replace default RPi2 second stage bootloader (bootcode.bin) with U-Boot bootloader. U-Boot can boot images via the network using the BOOTP/TFTP protocol.
111
114
112 ##### `ENABLE_FBTURBO`=false
115 ##### `ENABLE_FBTURBO`=false
113 Install and enable the hardware accelerated Xorg video driver `fbturbo`. Please note that this driver is currently limited to hardware accelerated window moving and scrolling.
116 Install and enable the hardware accelerated Xorg video driver `fbturbo`. Please note that this driver is currently limited to hardware accelerated window moving and scrolling.
114
117
115 ##### `ENABLE_IPTABLES`=false
118 ##### `ENABLE_IPTABLES`=false
116 Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service.
119 Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service.
117
120
118 ##### `ENABLE_HARDNET`=false
121 ##### `ENABLE_HARDNET`=false
119 Enable IPv4/IPv6 network stack hardening settings.
122 Enable IPv4/IPv6 network stack hardening settings.
120
123
121 ## Logging of the bootstrapping process
124 ## Logging of the bootstrapping process
122 All information related to the bootstrapping process and the commands executed by the `rpi2-gen-image.sh` script can easily be saved into a logfile. The common shell command `script` can be used for this purpose:
125 All information related to the bootstrapping process and the commands executed by the `rpi2-gen-image.sh` script can easily be saved into a logfile. The common shell command `script` can be used for this purpose:
123
126
124 ```shell
127 ```shell
125 script -c 'APT_SERVER=ftp.de.debian.org ./rpi2-gen-image.sh' ./build.log
128 script -c 'APT_SERVER=ftp.de.debian.org ./rpi2-gen-image.sh' ./build.log
126 ```
129 ```
127
130
128 ## Flashing the image file
131 ## Flashing the image file
129 After the image file was successfully created by the `rpi2-gen-image.sh` script it can be copied to the microSD card that will be used by the RPi2 computer. This can be performed by using the tools `bmaptool` or `dd`. Using `bmaptool` will probably speed-up the copy process because `bmaptool` copies more wisely than `dd`.
132 After the image file was successfully created by the `rpi2-gen-image.sh` script it can be copied to the microSD card that will be used by the RPi2 computer. This can be performed by using the tools `bmaptool` or `dd`. Using `bmaptool` will probably speed-up the copy process because `bmaptool` copies more wisely than `dd`.
130
133
131 #####Flashing examples:
134 #####Flashing examples:
132 ```shell
135 ```shell
133 bmaptool copy ./images/jessie/2015-12-13-debian-jessie.img /dev/mmcblk0
136 bmaptool copy ./images/jessie/2015-12-13-debian-jessie.img /dev/mmcblk0
134 dd bs=4M if=./images/jessie/2015-12-13-debian-jessie.img of=/dev/mmcblk0
137 dd bs=4M if=./images/jessie/2015-12-13-debian-jessie.img of=/dev/mmcblk0
135 ```
138 ```
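Review bot: The new `APT_INCLUDES` entry at README line 31 has a typo ("seperated" should be "separated"), and it would help to say that these packages are appended to the script's own built-in include list rather than replacing it, since the script side shows `APT_INCLUDES="${APT_INCLUDES},apt-transport-https,..."`. Two pre-existing inconsistencies in the same hunk are worth fixing while here: the "Build dependencies" list omits `binfmt-support`, which the script's `REQUIRED_PACKAGES` does require (and which is what makes `chroot` into an armhf tree work at all), and the example `ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi2-gen-image.sh` is missing the leading `./`. Minor markdown: `#####Command-line examples:`, `#####Flashing examples:` and the `#####`NET_*`` headings lack the space after the hashes that the other headings use, so some renderers will not treat them as headings.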
@@ -1,915 +1,916
1 #!/bin/sh
1 #!/bin/sh
2
2
3 ########################################################################
3 ########################################################################
4 # rpi2-gen-image.sh ver2a 12/2015
4 # rpi2-gen-image.sh ver2a 12/2015
5 #
5 #
6 # Advanced debian "jessie" bootstrap script for RPi2
6 # Advanced debian "jessie" bootstrap script for RPi2
7 #
7 #
8 # This program is free software; you can redistribute it and/or
8 # This program is free software; you can redistribute it and/or
9 # modify it under the terms of the GNU General Public License
9 # modify it under the terms of the GNU General Public License
10 # as published by the Free Software Foundation; either version 2
10 # as published by the Free Software Foundation; either version 2
11 # of the License, or (at your option) any later version.
11 # of the License, or (at your option) any later version.
12 #
12 #
13 # some parts based on rpi2-build-image:
13 # some parts based on rpi2-build-image:
14 # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
14 # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
15 # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
15 # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
16 ########################################################################
16 ########################################################################
17
17
18 # Clean up all temporary mount points
18 # Clean up all temporary mount points
19 cleanup (){
19 cleanup (){
20 set +x
20 set +x
21 set +e
21 set +e
22 echo "removing temporary mount points ..."
22 echo "removing temporary mount points ..."
23 umount -l $R/proc 2> /dev/null
23 umount -l $R/proc 2> /dev/null
24 umount -l $R/sys 2> /dev/null
24 umount -l $R/sys 2> /dev/null
25 umount -l $R/dev/pts 2> /dev/null
25 umount -l $R/dev/pts 2> /dev/null
26 umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
26 umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
27 umount "$BUILDDIR/mount" 2> /dev/null
27 umount "$BUILDDIR/mount" 2> /dev/null
28 losetup -d "$EXT4_LOOP" 2> /dev/null
28 losetup -d "$EXT4_LOOP" 2> /dev/null
29 losetup -d "$VFAT_LOOP" 2> /dev/null
29 losetup -d "$VFAT_LOOP" 2> /dev/null
30 trap - 0 1 2 3 6
30 trap - 0 1 2 3 6
31 }
31 }
32
32
33 set -e
33 set -e
34 set -x
34 set -x
35
35
36 # Debian release
36 # Debian release
37 RELEASE=${RELEASE:=jessie}
37 RELEASE=${RELEASE:=jessie}
38
38
39 # Build settings
39 # Build settings
40 BASEDIR=./images/${RELEASE}
40 BASEDIR=./images/${RELEASE}
41 BUILDDIR=${BASEDIR}/build
41 BUILDDIR=${BASEDIR}/build
42
42
43 # General settings
43 # General settings
44 HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
44 HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
45 PASSWORD=${PASSWORD:=raspberry}
45 PASSWORD=${PASSWORD:=raspberry}
46 DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
46 DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
47 TIMEZONE=${TIMEZONE:="Europe/Berlin"}
47 TIMEZONE=${TIMEZONE:="Europe/Berlin"}
48 XKBMODEL=${XKBMODEL:=""}
48 XKBMODEL=${XKBMODEL:=""}
49 XKBLAYOUT=${XKBLAYOUT:=""}
49 XKBLAYOUT=${XKBLAYOUT:=""}
50 XKBVARIANT=${XKBVARIANT:=""}
50 XKBVARIANT=${XKBVARIANT:=""}
51 XKBOPTIONS=${XKBOPTIONS:=""}
51 XKBOPTIONS=${XKBOPTIONS:=""}
52
52
53 # Network settings
53 # Network settings
54 ENABLE_DHCP=${ENABLE_DHCP:=true}
54 ENABLE_DHCP=${ENABLE_DHCP:=true}
55 # NET_* settings are ignored when ENABLE_DHCP=true
55 # NET_* settings are ignored when ENABLE_DHCP=true
56 # NET_ADDRESS is an IPv4 or IPv6 address and its prefix, separated by "/"
56 # NET_ADDRESS is an IPv4 or IPv6 address and its prefix, separated by "/"
57 NET_ADDRESS=${NET_ADDRESS:=""}
57 NET_ADDRESS=${NET_ADDRESS:=""}
58 NET_GATEWAY=${NET_GATEWAY:=""}
58 NET_GATEWAY=${NET_GATEWAY:=""}
59 NET_DNS_1=${NET_DNS_1:=""}
59 NET_DNS_1=${NET_DNS_1:=""}
60 NET_DNS_2=${NET_DNS_2:=""}
60 NET_DNS_2=${NET_DNS_2:=""}
61 NET_DNS_DOMAINS=${NET_DNS_DOMAINS:=""}
61 NET_DNS_DOMAINS=${NET_DNS_DOMAINS:=""}
62 NET_NTP_1=${NET_NTP_1:=""}
62 NET_NTP_1=${NET_NTP_1:=""}
63 NET_NTP_2=${NET_NTP_2:=""}
63 NET_NTP_2=${NET_NTP_2:=""}
64
64
65 # APT settings
65 # APT settings
66 APT_PROXY=${APT_PROXY:=""}
66 APT_PROXY=${APT_PROXY:=""}
67 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
67 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
68
68
69 # Feature settings
69 # Feature settings
70 ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
70 ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
71 ENABLE_IPV6=${ENABLE_IPV6:=true}
71 ENABLE_IPV6=${ENABLE_IPV6:=true}
72 ENABLE_SSHD=${ENABLE_SSHD:=true}
72 ENABLE_SSHD=${ENABLE_SSHD:=true}
73 ENABLE_SOUND=${ENABLE_SOUND:=true}
73 ENABLE_SOUND=${ENABLE_SOUND:=true}
74 ENABLE_DBUS=${ENABLE_DBUS:=true}
74 ENABLE_DBUS=${ENABLE_DBUS:=true}
75 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
75 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
76 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
76 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
77 ENABLE_XORG=${ENABLE_XORG:=false}
77 ENABLE_XORG=${ENABLE_XORG:=false}
78 ENABLE_WM=${ENABLE_WM:=""}
78 ENABLE_WM=${ENABLE_WM:=""}
79
79
80 # Advanced settings
80 # Advanced settings
81 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
81 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
82 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
82 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
83 ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
83 ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
84 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
84 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
85 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
85 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
86
86
87 # Image chroot path
87 # Image chroot path
88 R=${BUILDDIR}/chroot
88 R=${BUILDDIR}/chroot
89
89
90 # Packages required for bootstrapping
90 # Packages required for bootstrapping
91 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git-core"
91 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git-core"
92
92
93 # Missing packages that need to be installed
93 # Missing packages that need to be installed
94 MISSING_PACKAGES=""
94 MISSING_PACKAGES=""
95
95
96 # Packages required in the chroot build environment
96 # Packages required in the chroot build environment
97 APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo"
97 APT_INCLUDES=${APT_INCLUDES:=""}
98 APT_INCLUDES="${APT_INCLUDES},apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo"
98
99
99 set +x
100 set +x
100
101
101 # Are we running as root?
102 # Are we running as root?
102 if [ "$(id -u)" -ne "0" ] ; then
103 if [ "$(id -u)" -ne "0" ] ; then
103 echo "this script must be executed with root privileges"
104 echo "this script must be executed with root privileges"
104 exit 1
105 exit 1
105 fi
106 fi
106
107
107 # Check if all required packages are installed
108 # Check if all required packages are installed
108 for package in $REQUIRED_PACKAGES ; do
109 for package in $REQUIRED_PACKAGES ; do
109 if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
110 if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
110 MISSING_PACKAGES="$MISSING_PACKAGES $package"
111 MISSING_PACKAGES="$MISSING_PACKAGES $package"
111 fi
112 fi
112 done
113 done
113
114
114 # Ask if missing packages should get installed right now
115 # Ask if missing packages should get installed right now
115 if [ -n "$MISSING_PACKAGES" ] ; then
116 if [ -n "$MISSING_PACKAGES" ] ; then
116 echo "the following packages needed by this script are not installed:"
117 echo "the following packages needed by this script are not installed:"
117 echo "$MISSING_PACKAGES"
118 echo "$MISSING_PACKAGES"
118
119
119 echo -n "\ndo you want to install the missing packages right now? [y/n] "
120 echo -n "\ndo you want to install the missing packages right now? [y/n] "
120 read confirm
121 read confirm
121 if [ "$confirm" != "y" ] ; then
122 if [ "$confirm" != "y" ] ; then
122 exit 1
123 exit 1
123 fi
124 fi
124 fi
125 fi
125
126
126 # Make sure all required packages are installed
127 # Make sure all required packages are installed
127 apt-get -qq -y install ${REQUIRED_PACKAGES}
128 apt-get -qq -y install ${REQUIRED_PACKAGES}
128
129
129 # Don't clobber an old build
130 # Don't clobber an old build
130 if [ -e "$BUILDDIR" ]; then
131 if [ -e "$BUILDDIR" ]; then
131 echo "directory $BUILDDIR already exists, not proceeding"
132 echo "directory $BUILDDIR already exists, not proceeding"
132 exit 1
133 exit 1
133 fi
134 fi
134
135
135 set -x
136 set -x
136
137
137 # Call "cleanup" function on various signals and errors
138 # Call "cleanup" function on various signals and errors
138 trap cleanup 0 1 2 3 6
139 trap cleanup 0 1 2 3 6
139
140
140 # Set up chroot directory
141 # Set up chroot directory
141 mkdir -p $R
142 mkdir -p $R
142
143
143 # Add required packages for the minbase installation
144 # Add required packages for the minbase installation
144 if [ "$ENABLE_MINBASE" = true ] ; then
145 if [ "$ENABLE_MINBASE" = true ] ; then
145 APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools"
146 APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools"
146 else
147 else
147 APT_INCLUDES="${APT_INCLUDES},locales,keyboard-configuration,console-setup"
148 APT_INCLUDES="${APT_INCLUDES},locales,keyboard-configuration,console-setup"
148 fi
149 fi
149
150
150 # Add dbus package, recommended if using systemd
151 # Add dbus package, recommended if using systemd
151 if [ "$ENABLE_DBUS" = true ] ; then
152 if [ "$ENABLE_DBUS" = true ] ; then
152 APT_INCLUDES="${APT_INCLUDES},dbus"
153 APT_INCLUDES="${APT_INCLUDES},dbus"
153 fi
154 fi
154
155
155 # Add iptables IPv4/IPv6 package
156 # Add iptables IPv4/IPv6 package
156 if [ "$ENABLE_IPTABLES" = true ] ; then
157 if [ "$ENABLE_IPTABLES" = true ] ; then
157 APT_INCLUDES="${APT_INCLUDES},iptables"
158 APT_INCLUDES="${APT_INCLUDES},iptables"
158 fi
159 fi
159
160
160 # Add openssh server package
161 # Add openssh server package
161 if [ "$ENABLE_SSHD" = true ] ; then
162 if [ "$ENABLE_SSHD" = true ] ; then
162 APT_INCLUDES="${APT_INCLUDES},openssh-server"
163 APT_INCLUDES="${APT_INCLUDES},openssh-server"
163 fi
164 fi
164
165
165 # Add alsa-utils package
166 # Add alsa-utils package
166 if [ "$ENABLE_SOUND" = true ] ; then
167 if [ "$ENABLE_SOUND" = true ] ; then
167 APT_INCLUDES="${APT_INCLUDES},alsa-utils"
168 APT_INCLUDES="${APT_INCLUDES},alsa-utils"
168 fi
169 fi
169
170
170 # Add rng-tools package
171 # Add rng-tools package
171 if [ "$ENABLE_HWRANDOM" = true ] ; then
172 if [ "$ENABLE_HWRANDOM" = true ] ; then
172 APT_INCLUDES="${APT_INCLUDES},rng-tools"
173 APT_INCLUDES="${APT_INCLUDES},rng-tools"
173 fi
174 fi
174
175
175 # Add fbturbo video driver
176 # Add fbturbo video driver
176 if [ "$ENABLE_FBTURBO" = true ] ; then
177 if [ "$ENABLE_FBTURBO" = true ] ; then
177 # Enable xorg package dependencies
178 # Enable xorg package dependencies
178 ENABLE_XORG=true
179 ENABLE_XORG=true
179 fi
180 fi
180
181
181 # Add user defined window manager package
182 # Add user defined window manager package
182 if [ -n "$ENABLE_WM" ] ; then
183 if [ -n "$ENABLE_WM" ] ; then
183 APT_INCLUDES="${APT_INCLUDES},${ENABLE_WM}"
184 APT_INCLUDES="${APT_INCLUDES},${ENABLE_WM}"
184
185
185 # Enable xorg package dependencies
186 # Enable xorg package dependencies
186 ENABLE_XORG=true
187 ENABLE_XORG=true
187 fi
188 fi
188
189
189 # Add xorg package
190 # Add xorg package
190 if [ "$ENABLE_XORG" = true ] ; then
191 if [ "$ENABLE_XORG" = true ] ; then
191 APT_INCLUDES="${APT_INCLUDES},xorg"
192 APT_INCLUDES="${APT_INCLUDES},xorg"
192 fi
193 fi
193
194
194 # Base debootstrap (unpack only)
195 # Base debootstrap (unpack only)
195 if [ "$ENABLE_MINBASE" = true ] ; then
196 if [ "$ENABLE_MINBASE" = true ] ; then
196 http_proxy=${APT_PROXY} debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
197 http_proxy=${APT_PROXY} debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
197 else
198 else
198 http_proxy=${APT_PROXY} debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
199 http_proxy=${APT_PROXY} debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
199 fi
200 fi
200
201
201 # Copy qemu emulator binary to chroot
202 # Copy qemu emulator binary to chroot
202 cp /usr/bin/qemu-arm-static $R/usr/bin
203 cp /usr/bin/qemu-arm-static $R/usr/bin
203
204
204 # Copy debian-archive-keyring.pgp
205 # Copy debian-archive-keyring.pgp
205 chroot $R mkdir -p /usr/share/keyrings
206 chroot $R mkdir -p /usr/share/keyrings
206 cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
207 cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
207
208
208 # Complete the bootstrapping process
209 # Complete the bootstrapping process
209 chroot $R /debootstrap/debootstrap --second-stage
210 chroot $R /debootstrap/debootstrap --second-stage
210
211
211 # Mount required filesystems
212 # Mount required filesystems
212 mount -t proc none $R/proc
213 mount -t proc none $R/proc
213 mount -t sysfs none $R/sys
214 mount -t sysfs none $R/sys
214 mount --bind /dev/pts $R/dev/pts
215 mount --bind /dev/pts $R/dev/pts
215
216
216 # Use proxy inside chroot
217 # Use proxy inside chroot
217 if [ -z "$APT_PROXY" ] ; then
218 if [ -z "$APT_PROXY" ] ; then
218 echo "Acquire::http::Proxy \"$APT_PROXY\";" >> $R/etc/apt/apt.conf.d/10proxy
219 echo "Acquire::http::Proxy \"$APT_PROXY\";" >> $R/etc/apt/apt.conf.d/10proxy
219 fi
220 fi
220
221
221 # Pin package flash-kernel to repositories.collabora.co.uk
222 # Pin package flash-kernel to repositories.collabora.co.uk
222 cat <<EOM >$R/etc/apt/preferences.d/flash-kernel
223 cat <<EOM >$R/etc/apt/preferences.d/flash-kernel
223 Package: flash-kernel
224 Package: flash-kernel
224 Pin: origin repositories.collabora.co.uk
225 Pin: origin repositories.collabora.co.uk
225 Pin-Priority: 1000
226 Pin-Priority: 1000
226 EOM
227 EOM
227
228
228 # Set up timezone
229 # Set up timezone
229 echo ${TIMEZONE} >$R/etc/timezone
230 echo ${TIMEZONE} >$R/etc/timezone
230 LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata
231 LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata
231
232
232 # Upgrade collabora package index and install collabora keyring
233 # Upgrade collabora package index and install collabora keyring
233 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
234 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
234 LANG=C chroot $R apt-get -qq -y update
235 LANG=C chroot $R apt-get -qq -y update
235 LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring
236 LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring
236
237
237 # Set up initial sources.list
238 # Set up initial sources.list
238 cat <<EOM >$R/etc/apt/sources.list
239 cat <<EOM >$R/etc/apt/sources.list
239 deb http://${APT_SERVER}/debian ${RELEASE} main contrib
240 deb http://${APT_SERVER}/debian ${RELEASE} main contrib
240 #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib
241 #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib
241
242
242 deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
243 deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
243 #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
244 #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
244
245
245 deb http://security.debian.org/ ${RELEASE}/updates main contrib
246 deb http://security.debian.org/ ${RELEASE}/updates main contrib
246 #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib
247 #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib
247
248
248 deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
249 deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
249 EOM
250 EOM
250
251
251 # Upgrade package index and update all installed packages and changed dependencies
252 # Upgrade package index and update all installed packages and changed dependencies
252 LANG=C chroot $R apt-get -qq -y update
253 LANG=C chroot $R apt-get -qq -y update
253 LANG=C chroot $R apt-get -qq -y -u dist-upgrade
254 LANG=C chroot $R apt-get -qq -y -u dist-upgrade
254
255
255 # Set up default locale and keyboard configuration
256 # Set up default locale and keyboard configuration
256 if [ "$ENABLE_MINBASE" = false ] ; then
257 if [ "$ENABLE_MINBASE" = false ] ; then
257 # Set locale choice in debconf db, even though dpkg-reconfigure ignores and overwrites them due to some bug
258 # Set locale choice in debconf db, even though dpkg-reconfigure ignores and overwrites them due to some bug
258 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684134 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685957
259 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684134 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685957
259 # ... so we have to set locales manually
260 # ... so we have to set locales manually
260 if [ "$DEFLOCAL" = "en_US.UTF-8" ] ; then
261 if [ "$DEFLOCAL" = "en_US.UTF-8" ] ; then
261 LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections
262 LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections
262 else
263 else
263 # en_US.UTF-8 should be available anyway : https://www.debian.org/doc/manuals/debian-reference/ch08.en.html#_the_reconfiguration_of_the_locale
264 # en_US.UTF-8 should be available anyway : https://www.debian.org/doc/manuals/debian-reference/ch08.en.html#_the_reconfiguration_of_the_locale
264 LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections
265 LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections
265 LANG=C chroot $R sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen
266 LANG=C chroot $R sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen
266 fi
267 fi
267 LANG=C chroot $R sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen
268 LANG=C chroot $R sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen
268 LANG=C chroot $R echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections
269 LANG=C chroot $R echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections
269 LANG=C chroot $R locale-gen
270 LANG=C chroot $R locale-gen
270 LANG=C chroot $R update-locale LANG=${DEFLOCAL}
271 LANG=C chroot $R update-locale LANG=${DEFLOCAL}
271
272
272 # Keyboard configuration, if requested
273 # Keyboard configuration, if requested
273 if [ "$XKBMODEL" != "" ] ; then
274 if [ "$XKBMODEL" != "" ] ; then
274 LANG=C chroot $R sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKBMODEL}\"/" /etc/default/keyboard
275 LANG=C chroot $R sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKBMODEL}\"/" /etc/default/keyboard
275 fi
276 fi
276 if [ "$XKBLAYOUT" != "" ] ; then
277 if [ "$XKBLAYOUT" != "" ] ; then
277 LANG=C chroot $R sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKBLAYOUT}\"/" /etc/default/keyboard
278 LANG=C chroot $R sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKBLAYOUT}\"/" /etc/default/keyboard
278 fi
279 fi
279 if [ "$XKBVARIANT" != "" ] ; then
280 if [ "$XKBVARIANT" != "" ] ; then
280 LANG=C chroot $R sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKBVARIANT}\"/" /etc/default/keyboard
281 LANG=C chroot $R sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKBVARIANT}\"/" /etc/default/keyboard
281 fi
282 fi
282 if [ "$XKBOPTIONS" != "" ] ; then
283 if [ "$XKBOPTIONS" != "" ] ; then
283 LANG=C chroot $R sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKBOPTIONS}\"/" /etc/default/keyboard
284 LANG=C chroot $R sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKBOPTIONS}\"/" /etc/default/keyboard
284 fi
285 fi
285 LANG=C chroot $R dpkg-reconfigure -f noninteractive keyboard-configuration
286 LANG=C chroot $R dpkg-reconfigure -f noninteractive keyboard-configuration
286 # Set up font console
287 # Set up font console
287 case "${DEFLOCAL}" in
288 case "${DEFLOCAL}" in
288 *UTF-8)
289 *UTF-8)
289 LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' /etc/default/console-setup
290 LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' /etc/default/console-setup
290 ;;
291 ;;
291 *)
292 *)
292 LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="guess"/' /etc/default/console-setup
293 LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="guess"/' /etc/default/console-setup
293 ;;
294 ;;
294 esac
295 esac
295 LANG=C chroot $R dpkg-reconfigure -f noninteractive console-setup
296 LANG=C chroot $R dpkg-reconfigure -f noninteractive console-setup
296 fi
297 fi
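Review bot: the three `LANG=C chroot $R echo "locales ..." | debconf-set-selections` pipelines in the locale block run `debconf-set-selections` on the build host, not in the image: the pipe binds only `chroot $R echo` on its left side, so the selections are written into the host's debconf database (polluting it) and the chroot's database never sees them. Put the chroot on the right-hand side for all three, e.g. `echo "locales locales/default_environment_locale select ${DEFLOCAL}" | LANG=C chroot $R debconf-set-selections`. The manual edits to /etc/locale.gen plus `locale-gen` and `update-locale` are what actually make the locale work today, which is why the bug has gone unnoticed.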
297
298
298 # Kernel installation
299 # Kernel installation
299 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
300 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
300 LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2
301 LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2
301 LANG=C chroot $R apt-get -qq -y install flash-kernel
302 LANG=C chroot $R apt-get -qq -y install flash-kernel
302
303
303 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
304 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
304 [ -z "$VMLINUZ" ] && exit 1
305 [ -z "$VMLINUZ" ] && exit 1
305 mkdir -p $R/boot/firmware
306 mkdir -p $R/boot/firmware
306
307
307 # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")
308 # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")
308 wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin
309 wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin
309 wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat
310 wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat
310 wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat
311 wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat
311 wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat
312 wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat
312 wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf
313 wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf
313 wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf
314 wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf
314 wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf
315 wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf
315 cp $VMLINUZ $R/boot/firmware/kernel7.img
316 cp $VMLINUZ $R/boot/firmware/kernel7.img
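Review bot: the eight `wget -q -O $R/boot/firmware/...` downloads of the boot blobs check neither the exit status nor the content, while the kernel two lines earlier is checked with `[ -z "$VMLINUZ" ] && exit 1`; with `-O`, a failed fetch leaves a zero-length bootcode.bin or start.elf behind and the build continues to an image that will not boot, and nothing would notice a modified blob. Pinning the GitHub commit is the right idea, but add `|| exit 1` to each fetch (or confirm `set -e` is active at the top of the script) and verify the files against a sha256sums list committed next to the script: these blobs are the first code the SoC runs after its boot ROM, before the kernel.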
316
317
317 # Set up IPv4 hosts
318 # Set up IPv4 hosts
318 echo ${HOSTNAME} >$R/etc/hostname
319 echo ${HOSTNAME} >$R/etc/hostname
319 cat <<EOM >$R/etc/hosts
320 cat <<EOM >$R/etc/hosts
320 127.0.0.1 localhost
321 127.0.0.1 localhost
321 127.0.1.1 ${HOSTNAME}
322 127.0.1.1 ${HOSTNAME}
322 EOM
323 EOM
323 if [ "$NET_ADDRESS" != "" ] ; then
324 if [ "$NET_ADDRESS" != "" ] ; then
324 NET_IP=$(echo ${NET_ADDRESS} | cut -f 1 -d'/')
325 NET_IP=$(echo ${NET_ADDRESS} | cut -f 1 -d'/')
325 sed -i "s/^127.0.1.1/${NET_IP}/" $R/etc/hosts
326 sed -i "s/^127.0.1.1/${NET_IP}/" $R/etc/hosts
326 fi
327 fi
327
328
328 # Set up IPv6 hosts
329 # Set up IPv6 hosts
329 if [ "$ENABLE_IPV6" = true ] ; then
330 if [ "$ENABLE_IPV6" = true ] ; then
330 cat <<EOM >>$R/etc/hosts
331 cat <<EOM >>$R/etc/hosts
331
332
332 ::1 localhost ip6-localhost ip6-loopback
333 ::1 localhost ip6-localhost ip6-loopback
333 ff02::1 ip6-allnodes
334 ff02::1 ip6-allnodes
334 ff02::2 ip6-allrouters
335 ff02::2 ip6-allrouters
335 EOM
336 EOM
336 fi
337 fi
337
338
338 # Place hint about network configuration
339 # Place hint about network configuration
339 cat <<EOM >$R/etc/network/interfaces
340 cat <<EOM >$R/etc/network/interfaces
340 # Debian switched to systemd-networkd configuration files.
341 # Debian switched to systemd-networkd configuration files.
341 # please configure your networks in '/etc/systemd/network/'
342 # please configure your networks in '/etc/systemd/network/'
342 EOM
343 EOM
343
344
344 if [ "$ENABLE_DHCP" = true ] ; then
345 if [ "$ENABLE_DHCP" = true ] ; then
345 # Enable systemd-networkd DHCP configuration for interface eth0
346 # Enable systemd-networkd DHCP configuration for interface eth0
346 cat <<EOM >$R/etc/systemd/network/eth.network
347 cat <<EOM >$R/etc/systemd/network/eth.network
347 [Match]
348 [Match]
348 Name=eth0
349 Name=eth0
349
350
350 [Network]
351 [Network]
351 DHCP=yes
352 DHCP=yes
352 EOM
353 EOM
353
354
354 # Set DHCP configuration to IPv4 only
355 # Set DHCP configuration to IPv4 only
355 if [ "$ENABLE_IPV6" = false ] ; then
356 if [ "$ENABLE_IPV6" = false ] ; then
356 sed -i "s/^DHCP=yes/DHCP=v4/" $R/etc/systemd/network/eth.network
357 sed -i "s/^DHCP=yes/DHCP=v4/" $R/etc/systemd/network/eth.network
357 fi
358 fi
358 else # ENABLE_DHCP=false
359 else # ENABLE_DHCP=false
359 cat <<EOM >$R/etc/systemd/network/eth.network
360 cat <<EOM >$R/etc/systemd/network/eth.network
360 [Match]
361 [Match]
361 Name=eth0
362 Name=eth0
362
363
363 [Network]
364 [Network]
364 DHCP=no
365 DHCP=no
365 Address=${NET_ADDRESS}
366 Address=${NET_ADDRESS}
366 Gateway=${NET_GATEWAY}
367 Gateway=${NET_GATEWAY}
367 DNS=${NET_DNS_1}
368 DNS=${NET_DNS_1}
368 DNS=${NET_DNS_2}
369 DNS=${NET_DNS_2}
369 Domains=${NET_DNS_DOMAINS}
370 Domains=${NET_DNS_DOMAINS}
370 NTP=${NET_NTP_1}
371 NTP=${NET_NTP_1}
371 NTP=${NET_NTP_2}
372 NTP=${NET_NTP_2}
372 EOM
373 EOM
373 fi
374 fi
374
375
375 # Enable systemd-networkd service
376 # Enable systemd-networkd service
376 LANG=C chroot $R systemctl enable systemd-networkd
377 LANG=C chroot $R systemctl enable systemd-networkd
377
378
378 # Generate crypt(3) password string
379 # Generate crypt(3) password string
379 ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
380 ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
380
381
381 # Set up default user
382 # Set up default user
382 LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi
383 LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi
383 LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
384 LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
384
385
385 # Set up root password
386 # Set up root password
386 LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root
387 LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root
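Review bot: `ENCRYPTED_PASSWORD=\`mkpasswd -m sha-512 ${PASSWORD}\`` passes the cleartext password as a command-line argument, so it is visible in `ps` and /proc to every user on the build host while mkpasswd runs, and the unquoted `${PASSWORD}` breaks on any value containing whitespace; use `printf '%s' "${PASSWORD}" | mkpasswd -m sha-512 -s` (mkpasswd's `--stdin`). The same hash is then set on both `pi`, which is also added to `sudo`, and `root`, so one credential opens root two ways; either lock root (`usermod -L root`) since pi can sudo, or accept a separate ROOT_PASSWORD variable so the two accounts can differ.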
387
388
388 # Set up firmware boot cmdline
389 # Set up firmware boot cmdline
389 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
390 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
390
391
391 # Set up serial console support (if requested)
392 # Set up serial console support (if requested)
392 if [ "$ENABLE_CONSOLE" = true ] ; then
393 if [ "$ENABLE_CONSOLE" = true ] ; then
393 CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
394 CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
394 fi
395 fi
395
396
396 # Set up IPv6 networking support
397 # Set up IPv6 networking support
397 if [ "$ENABLE_IPV6" = false ] ; then
398 if [ "$ENABLE_IPV6" = false ] ; then
398 CMDLINE="${CMDLINE} ipv6.disable=1"
399 CMDLINE="${CMDLINE} ipv6.disable=1"
399 fi
400 fi
400
401
401 echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
402 echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
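Review bot: `kgdboc=ttyAMA0,115200` in the ENABLE_CONSOLE branch of CMDLINE arms the kernel debugger on the UART of every image built with a serial console; if the Collabora kernel has kgdb enabled (which the parameter presumes), anyone with access to the three GPIO pins can drop the kernel into kgdb with the serial break/SysRq-g sequence and read or write kernel memory, bypassing every login and firewall rule configured below. Keep `console=ttyAMA0,115200` for the getty and only add `kgdboc=` behind a separate debug option.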
402
403
403 # Set up firmware config
404 # Set up firmware config
404 cat <<EOM >$R/boot/firmware/config.txt
405 cat <<EOM >$R/boot/firmware/config.txt
405 # For more options and information see
406 # For more options and information see
406 # http://www.raspberrypi.org/documentation/configuration/config-txt.md
407 # http://www.raspberrypi.org/documentation/configuration/config-txt.md
407 # Some settings may impact device functionality. See link above for details
408 # Some settings may impact device functionality. See link above for details
408
409
409 # uncomment if you get no picture on HDMI for a default "safe" mode
410 # uncomment if you get no picture on HDMI for a default "safe" mode
410 #hdmi_safe=1
411 #hdmi_safe=1
411
412
412 # uncomment this if your display has a black border of unused pixels visible
413 # uncomment this if your display has a black border of unused pixels visible
413 # and your display can output without overscan
414 # and your display can output without overscan
414 #disable_overscan=1
415 #disable_overscan=1
415
416
416 # uncomment the following to adjust overscan. Use positive numbers if console
417 # uncomment the following to adjust overscan. Use positive numbers if console
417 # goes off screen, and negative if there is too much border
418 # goes off screen, and negative if there is too much border
418 #overscan_left=16
419 #overscan_left=16
419 #overscan_right=16
420 #overscan_right=16
420 #overscan_top=16
421 #overscan_top=16
421 #overscan_bottom=16
422 #overscan_bottom=16
422
423
423 # uncomment to force a console size. By default it will be display's size minus
424 # uncomment to force a console size. By default it will be display's size minus
424 # overscan.
425 # overscan.
425 #framebuffer_width=1280
426 #framebuffer_width=1280
426 #framebuffer_height=720
427 #framebuffer_height=720
427
428
428 # uncomment if hdmi display is not detected and composite is being output
429 # uncomment if hdmi display is not detected and composite is being output
429 #hdmi_force_hotplug=1
430 #hdmi_force_hotplug=1
430
431
431 # uncomment to force a specific HDMI mode (this will force VGA)
432 # uncomment to force a specific HDMI mode (this will force VGA)
432 #hdmi_group=1
433 #hdmi_group=1
433 #hdmi_mode=1
434 #hdmi_mode=1
434
435
435 # uncomment to force a HDMI mode rather than DVI. This can make audio work in
436 # uncomment to force a HDMI mode rather than DVI. This can make audio work in
436 # DMT (computer monitor) modes
437 # DMT (computer monitor) modes
437 #hdmi_drive=2
438 #hdmi_drive=2
438
439
439 # uncomment to increase signal to HDMI, if you have interference, blanking, or
440 # uncomment to increase signal to HDMI, if you have interference, blanking, or
440 # no display
441 # no display
441 #config_hdmi_boost=4
442 #config_hdmi_boost=4
442
443
443 # uncomment for composite PAL
444 # uncomment for composite PAL
444 #sdtv_mode=2
445 #sdtv_mode=2
445
446
446 # uncomment to overclock the arm. 700 MHz is the default.
447 # uncomment to overclock the arm. 700 MHz is the default.
447 #arm_freq=800
448 #arm_freq=800
448 EOM
449 EOM
449
450
450 # Load snd_bcm2835 kernel module at boot time
451 # Load snd_bcm2835 kernel module at boot time
451 if [ "$ENABLE_SOUND" = true ] ; then
452 if [ "$ENABLE_SOUND" = true ] ; then
452 echo "snd_bcm2835" >>$R/etc/modules
453 echo "snd_bcm2835" >>$R/etc/modules
453 fi
454 fi
454
455
455 # Set smallest possible GPU memory allocation size: 16MB (no X)
456 # Set smallest possible GPU memory allocation size: 16MB (no X)
456 if [ "$ENABLE_MINGPU" = true ] ; then
457 if [ "$ENABLE_MINGPU" = true ] ; then
457 echo "gpu_mem=16" >>$R/boot/firmware/config.txt
458 echo "gpu_mem=16" >>$R/boot/firmware/config.txt
458 fi
459 fi
459
460
460 # Create symlinks
461 # Create symlinks
461 ln -sf firmware/config.txt $R/boot/config.txt
462 ln -sf firmware/config.txt $R/boot/config.txt
462 ln -sf firmware/cmdline.txt $R/boot/cmdline.txt
463 ln -sf firmware/cmdline.txt $R/boot/cmdline.txt
463
464
464 # Prepare modules-load.d directory
465 # Prepare modules-load.d directory
465 mkdir -p $R/lib/modules-load.d/
466 mkdir -p $R/lib/modules-load.d/
466
467
467 # Load random module on boot
468 # Load random module on boot
468 if [ "$ENABLE_HWRANDOM" = true ] ; then
469 if [ "$ENABLE_HWRANDOM" = true ] ; then
469 cat <<EOM >$R/lib/modules-load.d/rpi2.conf
470 cat <<EOM >$R/lib/modules-load.d/rpi2.conf
470 bcm2708_rng
471 bcm2708_rng
471 EOM
472 EOM
472 fi
473 fi
473
474
474 # Prepare modprobe.d directory
475 # Prepare modprobe.d directory
475 mkdir -p $R/etc/modprobe.d/
476 mkdir -p $R/etc/modprobe.d/
476
477
477 # Blacklist sound modules
478 # Blacklist sound modules
478 cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf
479 cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf
479 blacklist snd_soc_core
480 blacklist snd_soc_core
480 blacklist snd_pcm
481 blacklist snd_pcm
481 blacklist snd_pcm_dmaengine
482 blacklist snd_pcm_dmaengine
482 blacklist snd_timer
483 blacklist snd_timer
483 blacklist snd_compress
484 blacklist snd_compress
484 blacklist snd_soc_pcm512x_i2c
485 blacklist snd_soc_pcm512x_i2c
485 blacklist snd_soc_pcm512x
486 blacklist snd_soc_pcm512x
486 blacklist snd_soc_tas5713
487 blacklist snd_soc_tas5713
487 blacklist snd_soc_wm8804
488 blacklist snd_soc_wm8804
488 EOM
489 EOM
489
490
490 # Create default fstab
491 # Create default fstab
491 cat <<EOM >$R/etc/fstab
492 cat <<EOM >$R/etc/fstab
492 /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
493 /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
493 /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
494 /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
494 EOM
495 EOM
495
496
496 # Avoid swapping and increase cache sizes
497 # Avoid swapping and increase cache sizes
497 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
498 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
498
499
499 # Avoid swapping and increase cache sizes
500 # Avoid swapping and increase cache sizes
500 vm.swappiness=1
501 vm.swappiness=1
501 vm.dirty_background_ratio=20
502 vm.dirty_background_ratio=20
502 vm.dirty_ratio=40
503 vm.dirty_ratio=40
503 vm.dirty_writeback_centisecs=500
504 vm.dirty_writeback_centisecs=500
504 vm.dirty_expire_centisecs=6000
505 vm.dirty_expire_centisecs=6000
505 EOM
506 EOM
506
507
507 # Enable network stack hardening
508 # Enable network stack hardening
508 if [ "$ENABLE_HARDNET" = true ] ; then
509 if [ "$ENABLE_HARDNET" = true ] ; then
509 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
510 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
510
511
511 # Enable network stack hardening
512 # Enable network stack hardening
512 net.ipv4.tcp_timestamps=0
513 net.ipv4.tcp_timestamps=0
513 net.ipv4.tcp_syncookies=1
514 net.ipv4.tcp_syncookies=1
514 net.ipv4.conf.all.rp_filter=1
515 net.ipv4.conf.all.rp_filter=1
515 net.ipv4.conf.all.accept_redirects=0
516 net.ipv4.conf.all.accept_redirects=0
516 net.ipv4.conf.all.send_redirects=0
517 net.ipv4.conf.all.send_redirects=0
517 net.ipv4.conf.all.accept_source_route=0
518 net.ipv4.conf.all.accept_source_route=0
518 net.ipv4.conf.default.rp_filter=1
519 net.ipv4.conf.default.rp_filter=1
519 net.ipv4.conf.default.accept_redirects=0
520 net.ipv4.conf.default.accept_redirects=0
520 net.ipv4.conf.default.send_redirects=0
521 net.ipv4.conf.default.send_redirects=0
521 net.ipv4.conf.default.accept_source_route=0
522 net.ipv4.conf.default.accept_source_route=0
522 net.ipv4.conf.lo.accept_redirects=0
523 net.ipv4.conf.lo.accept_redirects=0
523 net.ipv4.conf.lo.send_redirects=0
524 net.ipv4.conf.lo.send_redirects=0
524 net.ipv4.conf.lo.accept_source_route=0
525 net.ipv4.conf.lo.accept_source_route=0
525 net.ipv4.conf.eth0.accept_redirects=0
526 net.ipv4.conf.eth0.accept_redirects=0
526 net.ipv4.conf.eth0.send_redirects=0
527 net.ipv4.conf.eth0.send_redirects=0
527 net.ipv4.conf.eth0.accept_source_route=0
528 net.ipv4.conf.eth0.accept_source_route=0
528 net.ipv4.icmp_echo_ignore_broadcasts=1
529 net.ipv4.icmp_echo_ignore_broadcasts=1
529 net.ipv4.icmp_ignore_bogus_error_responses=1
530 net.ipv4.icmp_ignore_bogus_error_responses=1
530
531
531 net.ipv6.conf.all.accept_redirects=0
532 net.ipv6.conf.all.accept_redirects=0
532 net.ipv6.conf.all.accept_source_route=0
533 net.ipv6.conf.all.accept_source_route=0
533 net.ipv6.conf.all.router_solicitations=0
534 net.ipv6.conf.all.router_solicitations=0
534 net.ipv6.conf.all.accept_ra_rtr_pref=0
535 net.ipv6.conf.all.accept_ra_rtr_pref=0
535 net.ipv6.conf.all.accept_ra_pinfo=0
536 net.ipv6.conf.all.accept_ra_pinfo=0
536 net.ipv6.conf.all.accept_ra_defrtr=0
537 net.ipv6.conf.all.accept_ra_defrtr=0
537 net.ipv6.conf.all.autoconf=0
538 net.ipv6.conf.all.autoconf=0
538 net.ipv6.conf.all.dad_transmits=0
539 net.ipv6.conf.all.dad_transmits=0
539 net.ipv6.conf.all.max_addresses=1
540 net.ipv6.conf.all.max_addresses=1
540
541
541 net.ipv6.conf.default.accept_redirects=0
542 net.ipv6.conf.default.accept_redirects=0
542 net.ipv6.conf.default.accept_source_route=0
543 net.ipv6.conf.default.accept_source_route=0
543 net.ipv6.conf.default.router_solicitations=0
544 net.ipv6.conf.default.router_solicitations=0
544 net.ipv6.conf.default.accept_ra_rtr_pref=0
545 net.ipv6.conf.default.accept_ra_rtr_pref=0
545 net.ipv6.conf.default.accept_ra_pinfo=0
546 net.ipv6.conf.default.accept_ra_pinfo=0
546 net.ipv6.conf.default.accept_ra_defrtr=0
547 net.ipv6.conf.default.accept_ra_defrtr=0
547 net.ipv6.conf.default.autoconf=0
548 net.ipv6.conf.default.autoconf=0
548 net.ipv6.conf.default.dad_transmits=0
549 net.ipv6.conf.default.dad_transmits=0
549 net.ipv6.conf.default.max_addresses=1
550 net.ipv6.conf.default.max_addresses=1
550
551
551 net.ipv6.conf.lo.accept_redirects=0
552 net.ipv6.conf.lo.accept_redirects=0
552 net.ipv6.conf.lo.accept_source_route=0
553 net.ipv6.conf.lo.accept_source_route=0
553 net.ipv6.conf.lo.router_solicitations=0
554 net.ipv6.conf.lo.router_solicitations=0
554 net.ipv6.conf.lo.accept_ra_rtr_pref=0
555 net.ipv6.conf.lo.accept_ra_rtr_pref=0
555 net.ipv6.conf.lo.accept_ra_pinfo=0
556 net.ipv6.conf.lo.accept_ra_pinfo=0
556 net.ipv6.conf.lo.accept_ra_defrtr=0
557 net.ipv6.conf.lo.accept_ra_defrtr=0
557 net.ipv6.conf.lo.autoconf=0
558 net.ipv6.conf.lo.autoconf=0
558 net.ipv6.conf.lo.dad_transmits=0
559 net.ipv6.conf.lo.dad_transmits=0
559 net.ipv6.conf.lo.max_addresses=1
560 net.ipv6.conf.lo.max_addresses=1
560
561
561 net.ipv6.conf.eth0.accept_redirects=0
562 net.ipv6.conf.eth0.accept_redirects=0
562 net.ipv6.conf.eth0.accept_source_route=0
563 net.ipv6.conf.eth0.accept_source_route=0
563 net.ipv6.conf.eth0.router_solicitations=0
564 net.ipv6.conf.eth0.router_solicitations=0
564 net.ipv6.conf.eth0.accept_ra_rtr_pref=0
565 net.ipv6.conf.eth0.accept_ra_rtr_pref=0
565 net.ipv6.conf.eth0.accept_ra_pinfo=0
566 net.ipv6.conf.eth0.accept_ra_pinfo=0
566 net.ipv6.conf.eth0.accept_ra_defrtr=0
567 net.ipv6.conf.eth0.accept_ra_defrtr=0
567 net.ipv6.conf.eth0.autoconf=0
568 net.ipv6.conf.eth0.autoconf=0
568 net.ipv6.conf.eth0.dad_transmits=0
569 net.ipv6.conf.eth0.dad_transmits=0
569 net.ipv6.conf.eth0.max_addresses=1
570 net.ipv6.conf.eth0.max_addresses=1
570 EOM
571 EOM
571
572
572 # Enable resolver warnings about spoofed addresses
573 # Enable resolver warnings about spoofed addresses
573 cat <<EOM >>$R/etc/host.conf
574 cat <<EOM >>$R/etc/host.conf
574 spoof warn
575 spoof warn
575 EOM
576 EOM
576 fi
577 fi
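Review bot: `net.ipv4.tcp_timestamps=0` in the ENABLE_HARDNET block trades real protection for a weak one: timestamps are what PAWS uses to reject wrapped sequence numbers on fast links and what RTT measurement depends on, while the uptime leak they are usually disabled for is minor; I would drop that line and keep the rest. Two smaller points: the `net.ipv6.*` keys are appended even when ENABLE_IPV6=false, in which case `ipv6.disable=1` on the command line removes the whole net.ipv6 sysctl tree and systemd-sysctl logs a failure for each of them at boot; and the `net.ipv4.conf.eth0.*` / `net.ipv6.conf.eth0.*` keys only apply if eth0 already exists when systemd-sysctl runs, which the `all` and `default` entries above already cover, so the per-interface lines can go.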
577
578
578 # Regenerate openssh server host keys
579 # Regenerate openssh server host keys
579 if [ "$ENABLE_SSHD" = true ] ; then
580 if [ "$ENABLE_SSHD" = true ] ; then
580 rm -fr $R/etc/ssh/ssh_host_*
581 rm -fr $R/etc/ssh/ssh_host_*
581 LANG=C chroot $R dpkg-reconfigure openssh-server
582 LANG=C chroot $R dpkg-reconfigure openssh-server
582 fi
583 fi
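Review bot: the ENABLE_SSHD block regenerates the OpenSSH host keys inside the chroot at image build time, so every board flashed from one image ships identical host keys and fingerprints, and any one of those boards can impersonate the others to an administrator who has already accepted the fingerprint. Remove the keys here and generate them on the board instead, for example a oneshot unit ordered `Before=ssh.service` that runs `dpkg-reconfigure openssh-server` (or `ssh-keygen -A`) when /etc/ssh/ssh_host_* is absent; that also generates them from the board's own entropy, which is what loading bcm2708_rng above is for. Unlike the other dpkg-reconfigure calls in the script this one also lacks `-f noninteractive`.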
583
584
584 # Enable serial console systemd style
585 # Enable serial console systemd style
585 if [ "$ENABLE_CONSOLE" = true ] ; then
586 if [ "$ENABLE_CONSOLE" = true ] ; then
586 LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service
587 LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service
587 fi
588 fi
588
589
589 # Enable firewall based on iptables started by systemd service
590 # Enable firewall based on iptables started by systemd service
590 if [ "$ENABLE_IPTABLES" = true ] ; then
591 if [ "$ENABLE_IPTABLES" = true ] ; then
591 # Create iptables configuration directory
592 # Create iptables configuration directory
592 mkdir -p "$R/etc/iptables"
593 mkdir -p "$R/etc/iptables"
593
594
594 # Create iptables systemd service
595 # Create iptables systemd service
595 cat <<EOM >$R/etc/systemd/system/iptables.service
596 cat <<EOM >$R/etc/systemd/system/iptables.service
596 [Unit]
597 [Unit]
597 Description=Packet Filtering Framework
598 Description=Packet Filtering Framework
598 DefaultDependencies=no
599 DefaultDependencies=no
599 After=systemd-sysctl.service
600 After=systemd-sysctl.service
600 Before=sysinit.target
601 Before=sysinit.target
601 [Service]
602 [Service]
602 Type=oneshot
603 Type=oneshot
603 ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
604 ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
604 ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
605 ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
605 ExecStop=/etc/iptables/flush-iptables.sh
606 ExecStop=/etc/iptables/flush-iptables.sh
606 RemainAfterExit=yes
607 RemainAfterExit=yes
607 [Install]
608 [Install]
608 WantedBy=multi-user.target
609 WantedBy=multi-user.target
609 EOM
610 EOM
610
611
611 # Create flush-table script called by iptables service
612 # Create flush-table script called by iptables service
612 cat <<EOM >$R/etc/iptables/flush-iptables.sh
613 cat <<EOM >$R/etc/iptables/flush-iptables.sh
613 #!/bin/sh
614 #!/bin/sh
614 iptables -F
615 iptables -F
615 iptables -X
616 iptables -X
616 iptables -t nat -F
617 iptables -t nat -F
617 iptables -t nat -X
618 iptables -t nat -X
618 iptables -t mangle -F
619 iptables -t mangle -F
619 iptables -t mangle -X
620 iptables -t mangle -X
620 iptables -P INPUT ACCEPT
621 iptables -P INPUT ACCEPT
621 iptables -P FORWARD ACCEPT
622 iptables -P FORWARD ACCEPT
622 iptables -P OUTPUT ACCEPT
623 iptables -P OUTPUT ACCEPT
623 EOM
624 EOM
624
625
625 # Create iptables rule file
626 # Create iptables rule file
626 cat <<EOM >$R/etc/iptables/iptables.rules
627 cat <<EOM >$R/etc/iptables/iptables.rules
627 *filter
628 *filter
628 :INPUT DROP [0:0]
629 :INPUT DROP [0:0]
629 :FORWARD DROP [0:0]
630 :FORWARD DROP [0:0]
630 :OUTPUT ACCEPT [0:0]
631 :OUTPUT ACCEPT [0:0]
631 :TCP - [0:0]
632 :TCP - [0:0]
632 :UDP - [0:0]
633 :UDP - [0:0]
633 :SSH - [0:0]
634 :SSH - [0:0]
634
635
635 # Rate limit ping requests
636 # Rate limit ping requests
636 -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
637 -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
637 -A INPUT -p icmp --icmp-type echo-request -j DROP
638 -A INPUT -p icmp --icmp-type echo-request -j DROP
638
639
639 # Accept established connections
640 # Accept established connections
640 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
641 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
641
642
642 # Accept all traffic on loopback interface
643 # Accept all traffic on loopback interface
643 -A INPUT -i lo -j ACCEPT
644 -A INPUT -i lo -j ACCEPT
644
645
645 # Drop packets declared invalid
646 # Drop packets declared invalid
646 -A INPUT -m conntrack --ctstate INVALID -j DROP
647 -A INPUT -m conntrack --ctstate INVALID -j DROP
647
648
648 # SSH rate limiting
649 # SSH rate limiting
649 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
650 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
650 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
651 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
651 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
652 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
652 -A SSH -m recent --name sshbf --set -j ACCEPT
653 -A SSH -m recent --name sshbf --set -j ACCEPT
653
654
654 # Send TCP and UDP connections to their respective rules chain
655 # Send TCP and UDP connections to their respective rules chain
655 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
656 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
656 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
657 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
657
658
658 # Reject dropped packets with a RFC compliant responce
659 # Reject dropped packets with a RFC compliant responce
659 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
660 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
660 -A INPUT -p tcp -j REJECT --reject-with tcp-rst
661 -A INPUT -p tcp -j REJECT --reject-with tcp-rst
661 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
662 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
662
663
663 ## TCP PORT RULES
664 ## TCP PORT RULES
664 # -A TCP -p tcp -j LOG
665 # -A TCP -p tcp -j LOG
665
666
666 ## UDP PORT RULES
667 ## UDP PORT RULES
667 # -A UDP -p udp -j LOG
668 # -A UDP -p udp -j LOG
668
669
669 COMMIT
670 COMMIT
670 EOM
671 EOM
671
672
672 # Reload systemd configuration and enable iptables service
673 # Reload systemd configuration and enable iptables service
673 LANG=C chroot $R systemctl daemon-reload
674 LANG=C chroot $R systemctl daemon-reload
674 LANG=C chroot $R systemctl enable iptables.service
675 LANG=C chroot $R systemctl enable iptables.service
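Review bot: the iptables unit's `ExecStop=/etc/iptables/flush-iptables.sh` points at a script that the heredoc above writes but nothing in this region marks executable; unless a `chmod +x` follows later, `systemctl stop iptables` fails with a permission error. Once it does run, note what it does: every policy is reset to ACCEPT, so stopping the unit (or a failed restart) fails open; a stop script that leaves INPUT and FORWARD at DROP, or at least a Description that says the unit fails open, would make that explicit. In iptables.rules the `--dport ssh ... -j SSH` rule admits new connections to port 22 even when ENABLE_SSHD=false; harmless while nothing listens, but gating it on the same variable keeps the policy minimal.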
675
676
676 if [ "$ENABLE_IPV6" = true ] ; then
677 if [ "$ENABLE_IPV6" = true ] ; then
677 # Create ip6tables systemd service
678 # Create ip6tables systemd service
678 cat <<EOM >$R/etc/systemd/system/ip6tables.service
679 cat <<EOM >$R/etc/systemd/system/ip6tables.service
679 [Unit]
680 [Unit]
680 Description=Packet Filtering Framework
681 Description=Packet Filtering Framework
681 DefaultDependencies=no
682 DefaultDependencies=no
682 After=systemd-sysctl.service
683 After=systemd-sysctl.service
683 Before=sysinit.target
684 Before=sysinit.target
684 [Service]
685 [Service]
685 Type=oneshot
686 Type=oneshot
686 ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
687 ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
687 ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
688 ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
688 ExecStop=/etc/iptables/flush-ip6tables.sh
689 ExecStop=/etc/iptables/flush-ip6tables.sh
689 RemainAfterExit=yes
690 RemainAfterExit=yes
690 [Install]
691 [Install]
691 WantedBy=multi-user.target
692 WantedBy=multi-user.target
692 EOM
693 EOM
693
694
694 # Create ip6tables file
695 # Create ip6tables file
695 cat <<EOM >$R/etc/iptables/flush-ip6tables.sh
696 cat <<EOM >$R/etc/iptables/flush-ip6tables.sh
696 #!/bin/sh
697 #!/bin/sh
697 ip6tables -F
698 ip6tables -F
698 ip6tables -X
699 ip6tables -X
699 ip6tables -Z
700 ip6tables -Z
700 for table in $(</proc/net/ip6_tables_names)
701 for table in $(</proc/net/ip6_tables_names)
701 do
702 do
702 ip6tables -t \$table -F
703 ip6tables -t \$table -F
703 ip6tables -t \$table -X
704 ip6tables -t \$table -X
704 ip6tables -t \$table -Z
705 ip6tables -t \$table -Z
705 done
706 done
706 ip6tables -P INPUT ACCEPT
707 ip6tables -P INPUT ACCEPT
707 ip6tables -P OUTPUT ACCEPT
708 ip6tables -P OUTPUT ACCEPT
708 ip6tables -P FORWARD ACCEPT
709 ip6tables -P FORWARD ACCEPT
709 EOM
710 EOM
710
711
711 # Create ip6tables rule file
712 # Create ip6tables rule file
712 cat <<EOM >$R/etc/iptables/ip6tables.rules
713 cat <<EOM >$R/etc/iptables/ip6tables.rules
713 *filter
714 *filter
714 :INPUT DROP [0:0]
715 :INPUT DROP [0:0]
715 :FORWARD DROP [0:0]
716 :FORWARD DROP [0:0]
716 :OUTPUT ACCEPT [0:0]
717 :OUTPUT ACCEPT [0:0]
717 :TCP - [0:0]
718 :TCP - [0:0]
718 :UDP - [0:0]
719 :UDP - [0:0]
719 :SSH - [0:0]
720 :SSH - [0:0]
720
721
721 # Drop packets with RH0 headers
722 # Drop packets with RH0 headers
722 -A INPUT -m rt --rt-type 0 -j DROP
723 -A INPUT -m rt --rt-type 0 -j DROP
723 -A OUTPUT -m rt --rt-type 0 -j DROP
724 -A OUTPUT -m rt --rt-type 0 -j DROP
724 -A FORWARD -m rt --rt-type 0 -j DROP
725 -A FORWARD -m rt --rt-type 0 -j DROP
725
726
726 # Rate limit ping requests
727 # Rate limit ping requests
727 -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
728 -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
728 -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
729 -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
729
730
730 # Accept established connections
731 # Accept established connections
731 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
732 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
732
733
733 # Accept all traffic on loopback interface
734 # Accept all traffic on loopback interface
734 -A INPUT -i lo -j ACCEPT
735 -A INPUT -i lo -j ACCEPT
735
736
736 # Drop packets declared invalid
737 # Drop packets declared invalid
737 -A INPUT -m conntrack --ctstate INVALID -j DROP
738 -A INPUT -m conntrack --ctstate INVALID -j DROP
738
739
739 # SSH rate limiting
740 # SSH rate limiting
740 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
741 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
741 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
742 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
742 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
743 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
743 -A SSH -m recent --name sshbf --set -j ACCEPT
744 -A SSH -m recent --name sshbf --set -j ACCEPT
744
745
745 # Send TCP and UDP connections to their respective rules chain
746 # Send TCP and UDP connections to their respective rules chain
746 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
747 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
747 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
748 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
748
749
749 # Reject dropped packets with a RFC compliant responce
750 # Reject dropped packets with a RFC compliant responce
750 -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
751 -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
751 -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
752 -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
752 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
753 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
753
754
754 ## TCP PORT RULES
755 ## TCP PORT RULES
755 # -A TCP -p tcp -j LOG
756 # -A TCP -p tcp -j LOG
756
757
757 ## UDP PORT RULES
758 ## UDP PORT RULES
758 # -A UDP -p udp -j LOG
759 # -A UDP -p udp -j LOG
759
760
760 COMMIT
761 COMMIT
761 EOM
762 EOM
762
763
763 # Reload systemd configuration and enable iptables service
764 # Reload systemd configuration and enable iptables service
764 LANG=C chroot $R systemctl daemon-reload
765 LANG=C chroot $R systemctl daemon-reload
765 LANG=C chroot $R systemctl enable ip6tables.service
766 LANG=C chroot $R systemctl enable ip6tables.service
766 fi
767 fi
767 fi
768 fi
768
769
769 # Remove SSHD related iptables rules
770 # Remove SSHD related iptables rules
770 if [ "$ENABLE_SSHD" = false ] ; then
771 if [ "$ENABLE_SSHD" = false ] ; then
771 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/iptables.rules 2> /dev/null
772 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/iptables.rules 2> /dev/null
772 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/ip6tables.rules 2> /dev/null
773 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/ip6tables.rules 2> /dev/null
773 fi
774 fi
774
775
775 # Install gcc/c++ build environment inside the chroot
776 # Install gcc/c++ build environment inside the chroot
776 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
777 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
777 LANG=C chroot $R apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
778 LANG=C chroot $R apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
778 fi
779 fi
779
780
780 # Fetch and build U-Boot bootloader
781 # Fetch and build U-Boot bootloader
781 if [ "$ENABLE_UBOOT" = true ] ; then
782 if [ "$ENABLE_UBOOT" = true ] ; then
782 # Fetch U-Boot bootloader sources
783 # Fetch U-Boot bootloader sources
783 git -C $R/tmp clone git://git.denx.de/u-boot.git
784 git -C $R/tmp clone git://git.denx.de/u-boot.git
784
785
785 # Build and install U-Boot inside chroot
786 # Build and install U-Boot inside chroot
786 LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all
787 LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all
787
788
788 # Copy compiled bootloader binary and set config.txt to load it
789 # Copy compiled bootloader binary and set config.txt to load it
789 cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
790 cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
790 printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
791 printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
791
792
792 # Set U-Boot command file
793 # Set U-Boot command file
793 cat <<EOM >$R/boot/firmware/uboot.mkimage
794 cat <<EOM >$R/boot/firmware/uboot.mkimage
794 # Tell Linux that it is booting on a Raspberry Pi2
795 # Tell Linux that it is booting on a Raspberry Pi2
795 setenv machid 0x00000c42
796 setenv machid 0x00000c42
796
797
797 # Set the kernel boot command line
798 # Set the kernel boot command line
798 setenv bootargs "earlyprintk ${CMDLINE}"
799 setenv bootargs "earlyprintk ${CMDLINE}"
799
800
800 # Save these changes to u-boot's environment
801 # Save these changes to u-boot's environment
801 saveenv
802 saveenv
802
803
803 # Load the existing Linux kernel into RAM
804 # Load the existing Linux kernel into RAM
804 fatload mmc 0:1 \${kernel_addr_r} kernel7.img
805 fatload mmc 0:1 \${kernel_addr_r} kernel7.img
805
806
806 # Boot the kernel we have just loaded
807 # Boot the kernel we have just loaded
807 bootz \${kernel_addr_r}
808 bootz \${kernel_addr_r}
808 EOM
809 EOM
809
810
810 # Generate U-Boot image from command file
811 # Generate U-Boot image from command file
811 LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
812 LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
812 fi
813 fi
813
814
814 # Fetch and build fbturbo Xorg driver
815 # Fetch and build fbturbo Xorg driver
815 if [ "$ENABLE_FBTURBO" = true ] ; then
816 if [ "$ENABLE_FBTURBO" = true ] ; then
816 # Fetch fbturbo driver sources
817 # Fetch fbturbo driver sources
817 git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git
818 git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git
818
819
819 # Install Xorg build dependencies
820 # Install Xorg build dependencies
820 LANG=C chroot $R apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
821 LANG=C chroot $R apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
821
822
822 # Build and install fbturbo driver inside chroot
823 # Build and install fbturbo driver inside chroot
823 LANG=C chroot $R /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install"
824 LANG=C chroot $R /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install"
824
825
825 # Add fbturbo driver to Xorg configuration
826 # Add fbturbo driver to Xorg configuration
826 cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf
827 cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf
827 Section "Device"
828 Section "Device"
828 Identifier "Allwinner A10/A13 FBDEV"
829 Identifier "Allwinner A10/A13 FBDEV"
829 Driver "fbturbo"
830 Driver "fbturbo"
830 Option "fbdev" "/dev/fb0"
831 Option "fbdev" "/dev/fb0"
831 Option "SwapbuffersWait" "true"
832 Option "SwapbuffersWait" "true"
832 EndSection
833 EndSection
833 EOM
834 EOM
834
835
835 # Remove Xorg build dependencies
836 # Remove Xorg build dependencies
836 LANG=C chroot $R apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
837 LANG=C chroot $R apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
837 fi
838 fi
838
839
839 # Remove gcc/c++ build environment from the chroot
840 # Remove gcc/c++ build environment from the chroot
840 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
841 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
841 LANG=C chroot $R apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
842 LANG=C chroot $R apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
842 fi
843 fi
843
844
844 # Clean cached downloads
845 # Clean cached downloads
845 LANG=C chroot $R apt-get -y clean
846 LANG=C chroot $R apt-get -y clean
846 LANG=C chroot $R apt-get -y autoclean
847 LANG=C chroot $R apt-get -y autoclean
847 LANG=C chroot $R apt-get -y autoremove
848 LANG=C chroot $R apt-get -y autoremove
848
849
849 # Unmount mounted filesystems
850 # Unmount mounted filesystems
850 umount -l $R/proc
851 umount -l $R/proc
851 umount -l $R/sys
852 umount -l $R/sys
852
853
853 # Clean up files
854 # Clean up files
854 rm -f $R/etc/apt/sources.list.save
855 rm -f $R/etc/apt/sources.list.save
855 rm -f $R/etc/resolvconf/resolv.conf.d/original
856 rm -f $R/etc/resolvconf/resolv.conf.d/original
856 rm -rf $R/run
857 rm -rf $R/run
857 mkdir -p $R/run
858 mkdir -p $R/run
858 rm -f $R/etc/*-
859 rm -f $R/etc/*-
859 rm -f $R/root/.bash_history
860 rm -f $R/root/.bash_history
860 rm -rf $R/tmp/*
861 rm -rf $R/tmp/*
861 rm -f $R/var/lib/urandom/random-seed
862 rm -f $R/var/lib/urandom/random-seed
862 [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id
863 [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id
863 rm -f $R/etc/machine-id
864 rm -f $R/etc/machine-id
864 rm -fr $R/etc/apt/apt.conf.d/10proxy
865 rm -fr $R/etc/apt/apt.conf.d/10proxy
865
866
866 # Calculate size of the chroot directory
867 # Calculate size of the chroot directory
867 CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)
868 CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)
868
869
869 # Calculate required image size
870 # Calculate required image size
870 IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`
871 IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`
871
872
872 # Calculate number of sectors for the partition
873 # Calculate number of sectors for the partition
873 IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`
874 IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`
874
875
875 # Prepare date string for image file name
876 # Prepare date string for image file name
876 DATE="$(date +%Y-%m-%d)"
877 DATE="$(date +%Y-%m-%d)"
877
878
878 # Prepare image file
879 # Prepare image file
879 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1
880 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1
880 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}
881 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}
881
882
882 # Write partition table
883 # Write partition table
883 sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
884 sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
884 unit: sectors
885 unit: sectors
885
886
886 1 : start= 2048, size= 131072, Id= c, bootable
887 1 : start= 2048, size= 131072, Id= c, bootable
887 2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83
888 2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83
888 3 : start= 0, size= 0, Id= 0
889 3 : start= 0, size= 0, Id= 0
889 4 : start= 0, size= 0, Id= 0
890 4 : start= 0, size= 0, Id= 0
890 EOM
891 EOM
891
892
892 # Set up temporary loop devices and build filesystems
893 # Set up temporary loop devices and build filesystems
893 VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
894 VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
894 EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
895 EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
895 mkfs.vfat "$VFAT_LOOP"
896 mkfs.vfat "$VFAT_LOOP"
896 mkfs.ext4 "$EXT4_LOOP"
897 mkfs.ext4 "$EXT4_LOOP"
897
898
898 # Mount the temporary loop devices
899 # Mount the temporary loop devices
899 mkdir -p "$BUILDDIR/mount"
900 mkdir -p "$BUILDDIR/mount"
900 mount "$EXT4_LOOP" "$BUILDDIR/mount"
901 mount "$EXT4_LOOP" "$BUILDDIR/mount"
901
902
902 mkdir -p "$BUILDDIR/mount/boot/firmware"
903 mkdir -p "$BUILDDIR/mount/boot/firmware"
903 mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"
904 mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"
904
905
905 # Copy all files from the chroot to the loop device mount point directory
906 # Copy all files from the chroot to the loop device mount point directory
906 rsync -a "$R/" "$BUILDDIR/mount/"
907 rsync -a "$R/" "$BUILDDIR/mount/"
907
908
908 # Unmount all temporary loop devices and mount points
909 # Unmount all temporary loop devices and mount points
909 cleanup
910 cleanup
910
911
911 # (optinal) create block map file for "bmaptool"
912 # (optinal) create block map file for "bmaptool"
912 bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
913 bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
913
914
914 # Image was successfully created
915 # Image was successfully created
915 echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"
916 echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"
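Review bot: in the flush-ip6tables.sh heredoc (unquoted `EOM`), `for table in $(</proc/net/ip6_tables_names)` is expanded on the build host while the image is generated, not on the Pi when the service stops, so the loop only ever iterates over whatever tables the build machine happened to have loaded (often none), even though `\$table` on the following lines is correctly escaped; write it as `\$(</proc/net/ip6_tables_names)`, and since the generated script begins with `#!/bin/sh`, prefer `\$(cat /proc/net/ip6_tables_names)` because `$(<file)` is a bash-only construct. Separately, the U-Boot sources are cloned over unauthenticated `git://git.denx.de/u-boot.git` without pinning a tag or commit, and the result is installed as the first-stage loader via `kernel=u-boot.bin`; an `https://` URL with a pinned revision (likewise for `xf86-video-fbturbo`) would make the build reproducible and verifiable. The `--force-yes` on the `linux-compiler-gcc-4.9-arm` install line also suppresses apt's package authentication failures and should be dropped, since `-y` already answers the ordinary prompts.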