Raspi2-3_GenImage Commit - r26:efb801e4d116 · Collaboration Tremplin des Sciences

1

#!/bin/sh

1

#!/bin/sh

2

3

########################################################################

3

########################################################################

4

# rpi2-gen-image.sh ver2a 12/2015

4

# rpi2-gen-image.sh ver2a 12/2015

5

#

5

#

6

# Advanced debian "jessie" bootstrap script for RPi2

6

# Advanced debian "jessie" bootstrap script for RPi2

7

#

7

#

8

# This program is free software; you can redistribute it and/or

8

# This program is free software; you can redistribute it and/or

9

# modify it under the terms of the GNU General Public License

9

# modify it under the terms of the GNU General Public License

10

# as published by the Free Software Foundation; either version 2

10

# as published by the Free Software Foundation; either version 2

11

# of the License, or (at your option) any later version.

11

# of the License, or (at your option) any later version.

12

#

12

#

13

# some parts based on rpi2-build-image:

13

# some parts based on rpi2-build-image:

14

15

16

########################################################################

16

########################################################################

17

18

# Clean up all temporary mount points

18

# Clean up all temporary mount points

19

cleanup (){

19

cleanup (){

20

set +x

20

set +x

21

set +e

21

set +e

22

echo "removing temporary mount points ..."

22

echo "removing temporary mount points ..."

23

umount -l $R/proc 2> /dev/null

23

umount -l $R/proc 2> /dev/null

24

umount -l $R/sys 2> /dev/null

24

umount -l $R/sys 2> /dev/null

25

umount -l $R/dev/pts 2> /dev/null

25

umount -l $R/dev/pts 2> /dev/null

26

umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null

26

umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null

27

umount "$BUILDDIR/mount" 2> /dev/null

27

umount "$BUILDDIR/mount" 2> /dev/null

28

losetup -d "$EXT4_LOOP" 2> /dev/null

28

losetup -d "$EXT4_LOOP" 2> /dev/null

29

losetup -d "$VFAT_LOOP" 2> /dev/null

29

losetup -d "$VFAT_LOOP" 2> /dev/null

30

trap - 0 1 2 3 6

30

trap - 0 1 2 3 6

31

}

31

}

32

33

set -e

33

set -e

34

set -x

34

set -x

35

36

# Debian release

36

# Debian release

37

RELEASE=${RELEASE:=jessie}

37

RELEASE=${RELEASE:=jessie}

38

39

# Build settings

39

# Build settings

40

BASEDIR=./images/${RELEASE}

40

BASEDIR=./images/${RELEASE}

41

BUILDDIR=${BASEDIR}/build

41

BUILDDIR=${BASEDIR}/build

42

43

# General settings

43

# General settings

44

HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}

44

HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}

45

PASSWORD=${PASSWORD:=raspberry}

45

PASSWORD=${PASSWORD:=raspberry}

46

DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}

46

DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}

47

TIMEZONE=${TIMEZONE:="Europe/Berlin"}

47

TIMEZONE=${TIMEZONE:="Europe/Berlin"}

48

49

# APT settings

49

# APT settings

50

APT_PROXY=${APT_PROXY:=""}

50

APT_PROXY=${APT_PROXY:=""}

51

APT_SERVER=${APT_SERVER:="ftp.debian.org"}

51

APT_SERVER=${APT_SERVER:="ftp.debian.org"}

52

53

# Feature settings

53

# Feature settings

54

ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}

54

ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}

55

ENABLE_IPV6=${ENABLE_IPV6:=true}

55

ENABLE_IPV6=${ENABLE_IPV6:=true}

56

ENABLE_SSHD=${ENABLE_SSHD:=true}

56

ENABLE_SSHD=${ENABLE_SSHD:=true}

57

ENABLE_SOUND=${ENABLE_SOUND:=true}

57

ENABLE_SOUND=${ENABLE_SOUND:=true}

58

ENABLE_DBUS=${ENABLE_DBUS:=true}

58

ENABLE_DBUS=${ENABLE_DBUS:=true}

59

ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}

59

ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}

60

ENABLE_MINGPU=${ENABLE_MINGPU:=false}

60

ENABLE_MINGPU=${ENABLE_MINGPU:=false}

61

ENABLE_XORG=${ENABLE_XORG:=false}

61

ENABLE_XORG=${ENABLE_XORG:=false}

62

ENABLE_WM=${ENABLE_WM:=""}

62

ENABLE_WM=${ENABLE_WM:=""}

63

64

# Advanced settings

64

# Advanced settings

65

ENABLE_MINBASE=${ENABLE_MINBASE:=false}

65

ENABLE_MINBASE=${ENABLE_MINBASE:=false}

66

ENABLE_UBOOT=${ENABLE_UBOOT:=false}

66

ENABLE_UBOOT=${ENABLE_UBOOT:=false}

67

ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}

67

ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}

68

ENABLE_HARDNET=${ENABLE_HARDNET:=false}

68

ENABLE_HARDNET=${ENABLE_HARDNET:=false}

69

ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}

69

ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}

70

71

# Image chroot path

71

# Image chroot path

72

R=${BUILDDIR}/chroot

72

R=${BUILDDIR}/chroot

73

74

# Packages required for bootstrapping

74

# Packages required for bootstrapping

75

REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core"

75

REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core"

76

77

# Missing packages that need to be installed

77

# Missing packages that need to be installed

78

MISSING_PACKAGES=""

78

MISSING_PACKAGES=""

79

80

# Packages required in the chroot build environment

80

# Packages required in the chroot build environment

81

APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo"

81

APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo"

82

83

set +x

83

set +x

84

85

# Are we running as root?

85

# Are we running as root?

86

if [ "$(id -u)" -ne "0" ] ; then

86

if [ "$(id -u)" -ne "0" ] ; then

87

echo "this script must be executed with root privileges"

87

echo "this script must be executed with root privileges"

88

exit 1

88

exit 1

89

fi

89

fi

90

91

# Check if all required packages are installed

91

# Check if all required packages are installed

92

for package in $REQUIRED_PACKAGES ; do

92

for package in $REQUIRED_PACKAGES ; do

93

if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then

93

if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then

94

MISSING_PACKAGES="$MISSING_PACKAGES $package"

94

MISSING_PACKAGES="$MISSING_PACKAGES $package"

95

fi

95

fi

96

done

96

done

97

98

# Ask if missing packages should get installed right now

98

# Ask if missing packages should get installed right now

99

if [ -n "$MISSING_PACKAGES" ] ; then

99

if [ -n "$MISSING_PACKAGES" ] ; then

100

echo "the following packages needed by this script are not installed:"

100

echo "the following packages needed by this script are not installed:"

101

echo "$MISSING_PACKAGES"

101

echo "$MISSING_PACKAGES"

102

103

echo -n "\ndo you want to install the missing packages right now? [y/n] "

103

echo -n "\ndo you want to install the missing packages right now? [y/n] "

104

read confirm

104

read confirm

105

if [ "$confirm" != "y" ] ; then

105

if [ "$confirm" != "y" ] ; then

106

exit 1

106

exit 1

107

fi

107

fi

108

fi

108

fi

109

110

# Make sure all required packages are installed

110

# Make sure all required packages are installed

111

apt-get -qq -y install ${REQUIRED_PACKAGES}

111

apt-get -qq -y install ${REQUIRED_PACKAGES}

112

113

# Don't clobber an old build

113

# Don't clobber an old build

114

if [ -e "$BUILDDIR" ]; then

114

if [ -e "$BUILDDIR" ]; then

115

echo "directory $BUILDDIR already exists, not proceeding"

115

echo "directory $BUILDDIR already exists, not proceeding"

116

exit 1

116

exit 1

117

fi

117

fi

118

119

set -x

119

set -x

120

121

# Call "cleanup" function on various signals and errors

121

# Call "cleanup" function on various signals and errors

122

trap cleanup 0 1 2 3 6

122

trap cleanup 0 1 2 3 6

123

124

# Set up chroot directory

124

# Set up chroot directory

125

mkdir -p $R

125

mkdir -p $R

126

127

# Add required packages for the minbase installation

127

# Add required packages for the minbase installation

128

if [ "$ENABLE_MINBASE" = true ] ; then

128

if [ "$ENABLE_MINBASE" = true ] ; then

129

APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools"

129

APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools"

130

else

130

else

131

APT_INCLUDES="${APT_INCLUDES},locales"

131

APT_INCLUDES="${APT_INCLUDES},locales"

132

fi

132

fi

133

134

# Add dbus package, recommended if using systemd

134

# Add dbus package, recommended if using systemd

135

if [ "$ENABLE_DBUS" = true ] ; then

135

if [ "$ENABLE_DBUS" = true ] ; then

136

APT_INCLUDES="${APT_INCLUDES},dbus"

136

APT_INCLUDES="${APT_INCLUDES},dbus"

137

fi

137

fi

138

139

# Add iptables IPv4/IPv6 package

139

# Add iptables IPv4/IPv6 package

140

if [ "$ENABLE_IPTABLES" = true ] ; then

140

if [ "$ENABLE_IPTABLES" = true ] ; then

141

APT_INCLUDES="${APT_INCLUDES},iptables"

141

APT_INCLUDES="${APT_INCLUDES},iptables"

142

fi

142

fi

143

144

# Add openssh server package

144

# Add openssh server package

145

if [ "$ENABLE_SSHD" = true ] ; then

145

if [ "$ENABLE_SSHD" = true ] ; then

146

APT_INCLUDES="${APT_INCLUDES},openssh-server"

146

APT_INCLUDES="${APT_INCLUDES},openssh-server"

147

fi

147

fi

148

149

# Add alsa-utils package

149

# Add alsa-utils package

150

if [ "$ENABLE_SOUND" = true ] ; then

150

if [ "$ENABLE_SOUND" = true ] ; then

151

APT_INCLUDES="${APT_INCLUDES},alsa-utils"

151

APT_INCLUDES="${APT_INCLUDES},alsa-utils"

152

fi

152

fi

153

154

# Add rng-tools package

154

# Add rng-tools package

155

if [ "$ENABLE_HWRANDOM" = true ] ; then

155

if [ "$ENABLE_HWRANDOM" = true ] ; then

156

APT_INCLUDES="${APT_INCLUDES},rng-tools"

156

APT_INCLUDES="${APT_INCLUDES},rng-tools"

157

fi

157

fi

158

159

# Add fbturbo video driver

159

# Add fbturbo video driver

160

if [ "$ENABLE_FBTURBO" = true ] ; then

160

if [ "$ENABLE_FBTURBO" = true ] ; then

161

# Enable xorg package dependencies

161

# Enable xorg package dependencies

162

ENABLE_XORG=true

162

ENABLE_XORG=true

163

fi

163

fi

164

165

# Add user defined window manager package

165

# Add user defined window manager package

166

if [ -n "$ENABLE_WM" ] ; then

166

if [ -n "$ENABLE_WM" ] ; then

167

APT_INCLUDES="${APT_INCLUDES},${ENABLE_WM}"

167

APT_INCLUDES="${APT_INCLUDES},${ENABLE_WM}"

168

169

# Enable xorg package dependencies

169

# Enable xorg package dependencies

170

ENABLE_XORG=true

170

ENABLE_XORG=true

171

fi

171

fi

172

173

# Add xorg package

173

# Add xorg package

174

if [ "$ENABLE_XORG" = true ] ; then

174

if [ "$ENABLE_XORG" = true ] ; then

175

APT_INCLUDES="${APT_INCLUDES},xorg"

175

APT_INCLUDES="${APT_INCLUDES},xorg"

176

fi

176

fi

177

178

# Set empty proxy string

178

# Set empty proxy string

179

if [ -z "$APT_PROXY" ] ; then

179

if [ -z "$APT_PROXY" ] ; then

180

APT_PROXY="http://"

180

APT_PROXY="http://"

181

fi

181

fi

182

183

# Base debootstrap (unpack only)

183

# Base debootstrap (unpack only)

184

if [ "$ENABLE_MINBASE" = true ] ; then

184

if [ "$ENABLE_MINBASE" = true ] ; then

185

debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian

185

debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian

186

else

186

else

187

debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian

187

debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian

188

fi

188

fi

189

190

# Copy qemu emulator binary to chroot

190

# Copy qemu emulator binary to chroot

191

cp /usr/bin/qemu-arm-static $R/usr/bin

191

cp /usr/bin/qemu-arm-static $R/usr/bin

192

193

# Copy debian-archive-keyring.pgp

193

# Copy debian-archive-keyring.pgp

194

chroot $R mkdir -p /usr/share/keyrings

194

chroot $R mkdir -p /usr/share/keyrings

195

cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg

195

cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg

196

197

# Complete the bootstrapping process

197

# Complete the bootstrapping process

198

chroot $R /debootstrap/debootstrap --second-stage

198

chroot $R /debootstrap/debootstrap --second-stage

199

200

# Mount required filesystems

200

# Mount required filesystems

201

mount -t proc none $R/proc

201

mount -t proc none $R/proc

202

mount -t sysfs none $R/sys

202

mount -t sysfs none $R/sys

203

mount --bind /dev/pts $R/dev/pts

203

mount --bind /dev/pts $R/dev/pts

204

205

# Use proxy inside chroot

205

# Use proxy inside chroot

206

if [ -z "$APT_PROXY" ] ; then

206

if [ -z "$APT_PROXY" ] ; then

207

echo "Acquire::http::Proxy \"$APT_PROXY\"" >> $R/etc/apt/apt.conf.d/10proxy

207

echo "Acquire::http::Proxy \"$APT_PROXY\"" >> $R/etc/apt/apt.conf.d/10proxy

208

fi

208

fi

209

210

# Pin package flash-kernel to repositories.collabora.co.uk

210

# Pin package flash-kernel to repositories.collabora.co.uk

211

cat <<EOM >$R/etc/apt/preferences.d/flash-kernel

211

cat <<EOM >$R/etc/apt/preferences.d/flash-kernel

212

Package: flash-kernel

212

Package: flash-kernel

213

Pin: origin repositories.collabora.co.uk

213

Pin: origin repositories.collabora.co.uk

214

Pin-Priority: 1000

214

Pin-Priority: 1000

215

EOM

215

EOM

216

217

# Set up timezone

217

# Set up timezone

218

echo ${TIMEZONE} >$R/etc/timezone

218

echo ${TIMEZONE} >$R/etc/timezone

219

LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata

219

LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata

220

221

# Set up default locales to "en_US.UTF-8" default

222

if [ "$ENABLE_MINBASE" = false ] ; then

223

LANG=C chroot $R sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen

224

LANG=C chroot $R locale-gen ${DEFLOCAL}

225

fi

226

227

# Upgrade collabora package index and install collabora keyring

221

# Upgrade collabora package index and install collabora keyring

228

echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list

222

echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list

229

LANG=C chroot $R apt-get -qq -y update

223

LANG=C chroot $R apt-get -qq -y update

230

LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring

224

LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring

231

225

232

# Set up initial sources.list

226

# Set up initial sources.list

233

cat <<EOM >$R/etc/apt/sources.list

227

cat <<EOM >$R/etc/apt/sources.list

234

deb http://${APT_SERVER}/debian ${RELEASE} main contrib

228

deb http://${APT_SERVER}/debian ${RELEASE} main contrib

235

#deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib

229

#deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib

236

230

237

deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib

231

deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib

238

#deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib

232

#deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib

239

233

240

deb http://security.debian.org/ ${RELEASE}/updates main contrib

234

deb http://security.debian.org/ ${RELEASE}/updates main contrib

241

#deb-src http://security.debian.org/ ${RELEASE}/updates main contrib

235

#deb-src http://security.debian.org/ ${RELEASE}/updates main contrib

242

236

243

deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2

237

deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2

244

EOM

238

EOM

245

239

246

# Upgrade package index and update all installed packages and changed dependencies

240

# Upgrade package index and update all installed packages and changed dependencies

247

LANG=C chroot $R apt-get -qq -y update

241

LANG=C chroot $R apt-get -qq -y update

248

LANG=C chroot $R apt-get -qq -y -u dist-upgrade

242

LANG=C chroot $R apt-get -qq -y -u dist-upgrade

249

243

244

# Set up default locales to "en_US.UTF-8" default

245

if [ "$ENABLE_MINBASE" = false ] ; then

246

# Set locale choice in debconf db, even though dpkg-reconfigure ignores and overwrites them due to some bug

247

# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684134 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685957

248

# ... so we have to set locales manually

249

if [ "$DEFLOCAL" = "en_US.UTF-8" ] ; then

250

LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections

251

else

252

# en_US.UTF-8 should be available anyway : https://www.debian.org/doc/manuals/debian-reference/ch08.en.html#_the_reconfiguration_of_the_locale

253

LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections

254

LANG=C chroot $R sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen

255

fi

256

LANG=C chroot $R sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen

257

LANG=C chroot $R echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections

258

LANG=C chroot $R locale-gen

259

LANG=C chroot $R update-locale LANG=${DEFLOCAL}

260

fi

261

250

# Kernel installation

262

# Kernel installation

251

# Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot

263

# Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot

252

LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2

264

LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2

253

LANG=C chroot $R apt-get -qq -y install flash-kernel

265

LANG=C chroot $R apt-get -qq -y install flash-kernel

254

266

255

VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"

267

VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"

256

[ -z "$VMLINUZ" ] && exit 1

268

[ -z "$VMLINUZ" ] && exit 1

257

mkdir -p $R/boot/firmware

269

mkdir -p $R/boot/firmware

258

270

259

# required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")

271

# required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")

260

wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin

272

wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin

261

wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat

273

wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat

262

wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat

274

wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat

263

wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat

275

wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat

264

wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf

276

wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf

265

wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf

277

wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf

266

wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf

278

wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf

267

cp $VMLINUZ $R/boot/firmware/kernel7.img

279

cp $VMLINUZ $R/boot/firmware/kernel7.img

268

280

269

# Set up IPv4 hosts

281

# Set up IPv4 hosts

270

echo ${HOSTNAME} >$R/etc/hostname

282

echo ${HOSTNAME} >$R/etc/hostname

271

cat <<EOM >$R/etc/hosts

283

cat <<EOM >$R/etc/hosts

272

127.0.0.1 localhost

284

127.0.0.1 localhost

273

127.0.1.1 ${HOSTNAME}

285

127.0.1.1 ${HOSTNAME}

274

EOM

286

EOM

275

287

276

# Set up IPv6 hosts

288

# Set up IPv6 hosts

277

if [ "$ENABLE_IPV6" = true ] ; then

289

if [ "$ENABLE_IPV6" = true ] ; then

278

cat <<EOM >>$R/etc/hosts

290

cat <<EOM >>$R/etc/hosts

279

291

280

::1 localhost ip6-localhost ip6-loopback

292

::1 localhost ip6-localhost ip6-loopback

281

ff02::1 ip6-allnodes

293

ff02::1 ip6-allnodes

282

ff02::2 ip6-allrouters

294

ff02::2 ip6-allrouters

283

EOM

295

EOM

284

fi

296

fi

285

297

286

# Place hint about network configuration

298

# Place hint about network configuration

287

cat <<EOM >$R/etc/network/interfaces

299

cat <<EOM >$R/etc/network/interfaces

288

# Debian switched to systemd-networkd configuration files.

300

# Debian switched to systemd-networkd configuration files.

289

# please configure your networks in '/etc/systemd/network/'

301

# please configure your networks in '/etc/systemd/network/'

290

EOM

302

EOM

291

303

292

# Enable systemd-networkd DHCP configuration for interface eth0

304

# Enable systemd-networkd DHCP configuration for interface eth0

293

cat <<EOM >$R/etc/systemd/network/eth.network

305

cat <<EOM >$R/etc/systemd/network/eth.network

294

[Match]

306

[Match]

295

Name=eth0

307

Name=eth0

296

308

297

[Network]

309

[Network]

298

DHCP=yes

310

DHCP=yes

299

EOM

311

EOM

300

312

301

# Set DHCP configuration to IPv4 only

313

# Set DHCP configuration to IPv4 only

302

if [ "$ENABLE_IPV6" = false ] ; then

314

if [ "$ENABLE_IPV6" = false ] ; then

303

sed -i "s/=yes/=v4/" $R/etc/systemd/network/eth.network

315

sed -i "s/=yes/=v4/" $R/etc/systemd/network/eth.network

304

fi

316

fi

305

317

306

# Enable systemd-networkd service

318

# Enable systemd-networkd service

307

LANG=C chroot $R systemctl enable systemd-networkd

319

LANG=C chroot $R systemctl enable systemd-networkd

308

320

309

# Generate crypt(3) password string

321

# Generate crypt(3) password string

310

ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`

322

ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`

311

323

312

# Set up default user

324

# Set up default user

313

LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi

325

LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi

314

LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi

326

LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi

315

327

316

# Set up root password

328

# Set up root password

317

LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root

329

LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root

318

330

319

# Set up firmware boot cmdline

331

# Set up firmware boot cmdline

320

CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"

332

CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"

321

333

322

# Set up serial console support (if requested)

334

# Set up serial console support (if requested)

323

if [ "$ENABLE_CONSOLE" = true ] ; then

335

if [ "$ENABLE_CONSOLE" = true ] ; then

324

CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"

336

CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"

325

fi

337

fi

326

338

327

# Set up IPv6 networking support

339

# Set up IPv6 networking support

328

if [ "$ENABLE_IPV6" = false ] ; then

340

if [ "$ENABLE_IPV6" = false ] ; then

329

CMDLINE="${CMDLINE} ipv6.disable=1"

341

CMDLINE="${CMDLINE} ipv6.disable=1"

330

fi

342

fi

331

343

332

echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt

344

echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt

333

345

334

# Set up firmware config

346

# Set up firmware config

335

cat <<EOM >$R/boot/firmware/config.txt

347

cat <<EOM >$R/boot/firmware/config.txt

336

# For more options and information see

348

# For more options and information see

337

# http://www.raspberrypi.org/documentation/configuration/config-txt.md

349

# http://www.raspberrypi.org/documentation/configuration/config-txt.md

338

# Some settings may impact device functionality. See link above for details

350

# Some settings may impact device functionality. See link above for details

339

351

340

# uncomment if you get no picture on HDMI for a default "safe" mode

352

# uncomment if you get no picture on HDMI for a default "safe" mode

341

#hdmi_safe=1

353

#hdmi_safe=1

342

354

343

# uncomment this if your display has a black border of unused pixels visible

355

# uncomment this if your display has a black border of unused pixels visible

344

# and your display can output without overscan

356

# and your display can output without overscan

345

#disable_overscan=1

357

#disable_overscan=1

346

358

347

# uncomment the following to adjust overscan. Use positive numbers if console

359

# uncomment the following to adjust overscan. Use positive numbers if console

348

# goes off screen, and negative if there is too much border

360

# goes off screen, and negative if there is too much border

349

#overscan_left=16

361

#overscan_left=16

350

#overscan_right=16

362

#overscan_right=16

351

#overscan_top=16

363

#overscan_top=16

352

#overscan_bottom=16

364

#overscan_bottom=16

353

365

354

# uncomment to force a console size. By default it will be display's size minus

366

# uncomment to force a console size. By default it will be display's size minus

355

# overscan.

367

# overscan.

356

#framebuffer_width=1280

368

#framebuffer_width=1280

357

#framebuffer_height=720

369

#framebuffer_height=720

358

370

359

# uncomment if hdmi display is not detected and composite is being output

371

# uncomment if hdmi display is not detected and composite is being output

360

#hdmi_force_hotplug=1

372

#hdmi_force_hotplug=1

361

373

362

# uncomment to force a specific HDMI mode (this will force VGA)

374

# uncomment to force a specific HDMI mode (this will force VGA)

363

#hdmi_group=1

375

#hdmi_group=1

364

#hdmi_mode=1

376

#hdmi_mode=1

365

377

366

# uncomment to force a HDMI mode rather than DVI. This can make audio work in

378

# uncomment to force a HDMI mode rather than DVI. This can make audio work in

367

# DMT (computer monitor) modes

379

# DMT (computer monitor) modes

368

#hdmi_drive=2

380

#hdmi_drive=2

369

381

370

# uncomment to increase signal to HDMI, if you have interference, blanking, or

382

# uncomment to increase signal to HDMI, if you have interference, blanking, or

371

# no display

383

# no display

372

#config_hdmi_boost=4

384

#config_hdmi_boost=4

373

385

374

# uncomment for composite PAL

386

# uncomment for composite PAL

375

#sdtv_mode=2

387

#sdtv_mode=2

376

388

377

# uncomment to overclock the arm. 700 MHz is the default.

389

# uncomment to overclock the arm. 700 MHz is the default.

378

#arm_freq=800

390

#arm_freq=800

379

EOM

391

EOM

380

392

381

# Load snd_bcm2835 kernel module at boot time

393

# Load snd_bcm2835 kernel module at boot time

382

if [ "$ENABLE_SOUND" = true ] ; then

394

if [ "$ENABLE_SOUND" = true ] ; then

383

echo "snd_bcm2835" >>$R/etc/modules

395

echo "snd_bcm2835" >>$R/etc/modules

384

fi

396

fi

385

397

386

# Set smallest possible GPU memory allocation size: 16MB (no X)

398

# Set smallest possible GPU memory allocation size: 16MB (no X)

387

if [ "$ENABLE_MINGPU" = true ] ; then

399

if [ "$ENABLE_MINGPU" = true ] ; then

388

echo "gpu_mem=16" >>$R/boot/firmware/config.txt

400

echo "gpu_mem=16" >>$R/boot/firmware/config.txt

389

fi

401

fi

390

402

391

# Create symlinks

403

# Create symlinks

392

ln -sf firmware/config.txt $R/boot/config.txt

404

ln -sf firmware/config.txt $R/boot/config.txt

393

ln -sf firmware/cmdline.txt $R/boot/cmdline.txt

405

ln -sf firmware/cmdline.txt $R/boot/cmdline.txt

394

406

395

# Prepare modules-load.d directory

407

# Prepare modules-load.d directory

396

mkdir -p $R/lib/modules-load.d/

408

mkdir -p $R/lib/modules-load.d/

397

409

398

# Load random module on boot

410

# Load random module on boot

399

if [ "$ENABLE_HWRANDOM" = true ] ; then

411

if [ "$ENABLE_HWRANDOM" = true ] ; then

400

cat <<EOM >$R/lib/modules-load.d/rpi2.conf

412

cat <<EOM >$R/lib/modules-load.d/rpi2.conf

401

bcm2708_rng

413

bcm2708_rng

402

EOM

414

EOM

403

fi

415

fi

404

416

405

# Prepare modprobe.d directory

417

# Prepare modprobe.d directory

406

mkdir -p $R/etc/modprobe.d/

418

mkdir -p $R/etc/modprobe.d/

407

419

408

# Blacklist sound modules

420

# Blacklist sound modules

409

cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf

421

cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf

410

blacklist snd_soc_core

422

blacklist snd_soc_core

411

blacklist snd_pcm

423

blacklist snd_pcm

412

blacklist snd_pcm_dmaengine

424

blacklist snd_pcm_dmaengine

413

blacklist snd_timer

425

blacklist snd_timer

414

blacklist snd_compress

426

blacklist snd_compress

415

blacklist snd_soc_pcm512x_i2c

427

blacklist snd_soc_pcm512x_i2c

416

blacklist snd_soc_pcm512x

428

blacklist snd_soc_pcm512x

417

blacklist snd_soc_tas5713

429

blacklist snd_soc_tas5713

418

blacklist snd_soc_wm8804

430

blacklist snd_soc_wm8804

419

EOM

431

EOM

420

432

421

# Create default fstab

433

# Create default fstab

422

cat <<EOM >$R/etc/fstab

434

cat <<EOM >$R/etc/fstab

423

/dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1

435

/dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1

424

/dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2

436

/dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2

425

EOM

437

EOM

426

438

427

# Avoid swapping and increase cache sizes

439

# Avoid swapping and increase cache sizes

428

cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf

440

cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf

429

441

430

# Avoid swapping and increase cache sizes

442

# Avoid swapping and increase cache sizes

431

vm.swappiness=1

443

vm.swappiness=1

432

vm.dirty_background_ratio=20

444

vm.dirty_background_ratio=20

433

vm.dirty_ratio=40

445

vm.dirty_ratio=40

434

vm.dirty_writeback_centisecs=500

446

vm.dirty_writeback_centisecs=500

435

vm.dirty_expire_centisecs=6000

447

vm.dirty_expire_centisecs=6000

436

EOM

448

EOM

437

449

438

# Enable network stack hardening

450

# Enable network stack hardening

439

if [ "$ENABLE_HARDNET" = true ] ; then

451

if [ "$ENABLE_HARDNET" = true ] ; then

440

cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf

452

cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf

441

453

442

# Enable network stack hardening

454

# Enable network stack hardening

443

net.ipv4.tcp_timestamps=0

455

net.ipv4.tcp_timestamps=0

444

net.ipv4.tcp_syncookies=1

456

net.ipv4.tcp_syncookies=1

445

net.ipv4.conf.all.rp_filter=1

457

net.ipv4.conf.all.rp_filter=1

446

net.ipv4.conf.all.accept_redirects=0

458

net.ipv4.conf.all.accept_redirects=0

447

net.ipv4.conf.all.send_redirects=0

459

net.ipv4.conf.all.send_redirects=0

448

net.ipv4.conf.all.accept_source_route=0

460

net.ipv4.conf.all.accept_source_route=0

449

net.ipv4.conf.default.rp_filter=1

461

net.ipv4.conf.default.rp_filter=1

450

net.ipv4.conf.default.accept_redirects=0

462

net.ipv4.conf.default.accept_redirects=0

451

net.ipv4.conf.default.send_redirects=0

463

net.ipv4.conf.default.send_redirects=0

452

net.ipv4.conf.default.accept_source_route=0

464

net.ipv4.conf.default.accept_source_route=0

453

net.ipv4.conf.lo.accept_redirects=0

465

net.ipv4.conf.lo.accept_redirects=0

454

net.ipv4.conf.lo.send_redirects=0

466

net.ipv4.conf.lo.send_redirects=0

455

net.ipv4.conf.lo.accept_source_route=0

467

net.ipv4.conf.lo.accept_source_route=0

456

net.ipv4.conf.eth0.accept_redirects=0

468

net.ipv4.conf.eth0.accept_redirects=0

457

net.ipv4.conf.eth0.send_redirects=0

469

net.ipv4.conf.eth0.send_redirects=0

458

net.ipv4.conf.eth0.accept_source_route=0

470

net.ipv4.conf.eth0.accept_source_route=0

459

net.ipv4.icmp_echo_ignore_broadcasts=1

471

net.ipv4.icmp_echo_ignore_broadcasts=1

460

net.ipv4.icmp_ignore_bogus_error_responses=1

472

net.ipv4.icmp_ignore_bogus_error_responses=1

461

473

462

net.ipv6.conf.all.accept_redirects=0

474

net.ipv6.conf.all.accept_redirects=0

463

net.ipv6.conf.all.accept_source_route=0

475

net.ipv6.conf.all.accept_source_route=0

464

net.ipv6.conf.all.router_solicitations=0

476

net.ipv6.conf.all.router_solicitations=0

465

net.ipv6.conf.all.accept_ra_rtr_pref=0

477

net.ipv6.conf.all.accept_ra_rtr_pref=0

466

net.ipv6.conf.all.accept_ra_pinfo=0

478

net.ipv6.conf.all.accept_ra_pinfo=0

467

net.ipv6.conf.all.accept_ra_defrtr=0

479

net.ipv6.conf.all.accept_ra_defrtr=0

468

net.ipv6.conf.all.autoconf=0

480

net.ipv6.conf.all.autoconf=0

469

net.ipv6.conf.all.dad_transmits=0

481

net.ipv6.conf.all.dad_transmits=0

470

net.ipv6.conf.all.max_addresses=1

482

net.ipv6.conf.all.max_addresses=1

471

483

472

net.ipv6.conf.default.accept_redirects=0

484

net.ipv6.conf.default.accept_redirects=0

473

net.ipv6.conf.default.accept_source_route=0

485

net.ipv6.conf.default.accept_source_route=0

474

net.ipv6.conf.default.router_solicitations=0

486

net.ipv6.conf.default.router_solicitations=0

475

net.ipv6.conf.default.accept_ra_rtr_pref=0

487

net.ipv6.conf.default.accept_ra_rtr_pref=0

476

net.ipv6.conf.default.accept_ra_pinfo=0

488

net.ipv6.conf.default.accept_ra_pinfo=0

477

net.ipv6.conf.default.accept_ra_defrtr=0

489

net.ipv6.conf.default.accept_ra_defrtr=0

478

net.ipv6.conf.default.autoconf=0

490

net.ipv6.conf.default.autoconf=0

479

net.ipv6.conf.default.dad_transmits=0

491

net.ipv6.conf.default.dad_transmits=0

480

net.ipv6.conf.default.max_addresses=1

492

net.ipv6.conf.default.max_addresses=1

481

493

482

net.ipv6.conf.lo.accept_redirects=0

494

net.ipv6.conf.lo.accept_redirects=0

483

net.ipv6.conf.lo.accept_source_route=0

495

net.ipv6.conf.lo.accept_source_route=0

484

net.ipv6.conf.lo.router_solicitations=0

496

net.ipv6.conf.lo.router_solicitations=0

485

net.ipv6.conf.lo.accept_ra_rtr_pref=0

497

net.ipv6.conf.lo.accept_ra_rtr_pref=0

486

net.ipv6.conf.lo.accept_ra_pinfo=0

498

net.ipv6.conf.lo.accept_ra_pinfo=0

487

net.ipv6.conf.lo.accept_ra_defrtr=0

499

net.ipv6.conf.lo.accept_ra_defrtr=0

488

net.ipv6.conf.lo.autoconf=0

500

net.ipv6.conf.lo.autoconf=0

489

net.ipv6.conf.lo.dad_transmits=0

501

net.ipv6.conf.lo.dad_transmits=0

490

net.ipv6.conf.lo.max_addresses=1

502

net.ipv6.conf.lo.max_addresses=1

491

503

492

net.ipv6.conf.eth0.accept_redirects=0

504

net.ipv6.conf.eth0.accept_redirects=0

493

net.ipv6.conf.eth0.accept_source_route=0

505

net.ipv6.conf.eth0.accept_source_route=0

494

net.ipv6.conf.eth0.router_solicitations=0

506

net.ipv6.conf.eth0.router_solicitations=0

495

net.ipv6.conf.eth0.accept_ra_rtr_pref=0

507

net.ipv6.conf.eth0.accept_ra_rtr_pref=0

496

net.ipv6.conf.eth0.accept_ra_pinfo=0

508

net.ipv6.conf.eth0.accept_ra_pinfo=0

497

net.ipv6.conf.eth0.accept_ra_defrtr=0

509

net.ipv6.conf.eth0.accept_ra_defrtr=0

498

net.ipv6.conf.eth0.autoconf=0

510

net.ipv6.conf.eth0.autoconf=0

499

net.ipv6.conf.eth0.dad_transmits=0

511

net.ipv6.conf.eth0.dad_transmits=0

500

net.ipv6.conf.eth0.max_addresses=1

512

net.ipv6.conf.eth0.max_addresses=1

501

EOM

513

EOM

502

514

503

# Enable resolver warnings about spoofed addresses

515

# Enable resolver warnings about spoofed addresses

504

cat <<EOM >>$R/etc/host.conf

516

cat <<EOM >>$R/etc/host.conf

505

spoof warn

517

spoof warn

506

EOM

518

EOM

507

fi

519

fi

508

520

509

# Regenerate openssh server host keys

521

# Regenerate openssh server host keys

510

if [ "$ENABLE_SSHD" = true ] ; then

522

if [ "$ENABLE_SSHD" = true ] ; then

511

rm -fr $R/etc/ssh/ssh_host_*

523

rm -fr $R/etc/ssh/ssh_host_*

512

LANG=C chroot $R dpkg-reconfigure openssh-server

524

LANG=C chroot $R dpkg-reconfigure openssh-server

513

fi

525

fi

514

526

515

# Enable serial console systemd style

527

# Enable serial console systemd style

516

if [ "$ENABLE_CONSOLE" = true ] ; then

528

if [ "$ENABLE_CONSOLE" = true ] ; then

517

LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service

529

LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service

518

fi

530

fi

519

531

520

# Enable firewall based on iptables started by systemd service

532

# Enable firewall based on iptables started by systemd service

521

if [ "$ENABLE_IPTABLES" = true ] ; then

533

if [ "$ENABLE_IPTABLES" = true ] ; then

522

# Create iptables configuration directory

534

# Create iptables configuration directory

523

mkdir -p "$R/etc/iptables"

535

mkdir -p "$R/etc/iptables"

524

536

525

# Create iptables systemd service

537

# Create iptables systemd service

526

cat <<EOM >$R/etc/systemd/system/iptables.service

538

cat <<EOM >$R/etc/systemd/system/iptables.service

527

[Unit]

539

[Unit]

528

Description=Packet Filtering Framework

540

Description=Packet Filtering Framework

529

DefaultDependencies=no

541

DefaultDependencies=no

530

After=systemd-sysctl.service

542

After=systemd-sysctl.service

531

Before=sysinit.target

543

Before=sysinit.target

532

[Service]

544

[Service]

533

Type=oneshot

545

Type=oneshot

534

ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules

546

ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules

535

ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules

547

ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules

536

ExecStop=/etc/iptables/flush-iptables.sh

548

ExecStop=/etc/iptables/flush-iptables.sh

537

RemainAfterExit=yes

549

RemainAfterExit=yes

538

[Install]

550

[Install]

539

WantedBy=multi-user.target

551

WantedBy=multi-user.target

540

EOM

552

EOM

541

553

542

# Create flush-table script called by iptables service

554

# Create flush-table script called by iptables service

543

cat <<EOM >$R/etc/iptables/flush-iptables.sh

555

cat <<EOM >$R/etc/iptables/flush-iptables.sh

544

#!/bin/sh

556

#!/bin/sh

545

iptables -F

557

iptables -F

546

iptables -X

558

iptables -X

547

iptables -t nat -F

559

iptables -t nat -F

548

iptables -t nat -X

560

iptables -t nat -X

549

iptables -t mangle -F

561

iptables -t mangle -F

550

iptables -t mangle -X

562

iptables -t mangle -X

551

iptables -P INPUT ACCEPT

563

iptables -P INPUT ACCEPT

552

iptables -P FORWARD ACCEPT

564

iptables -P FORWARD ACCEPT

553

iptables -P OUTPUT ACCEPT

565

iptables -P OUTPUT ACCEPT

554

EOM

566

EOM

555

567

556

# Create iptables rule file

568

# Create iptables rule file

557

cat <<EOM >$R/etc/iptables/iptables.rules

569

cat <<EOM >$R/etc/iptables/iptables.rules

558

*filter

570

*filter

559

:INPUT DROP [0:0]

571

:INPUT DROP [0:0]

560

:FORWARD DROP [0:0]

572

:FORWARD DROP [0:0]

561

:OUTPUT ACCEPT [0:0]

573

:OUTPUT ACCEPT [0:0]

562

:TCP - [0:0]

574

:TCP - [0:0]

563

:UDP - [0:0]

575

:UDP - [0:0]

564

:SSH - [0:0]

576

:SSH - [0:0]

565

577

566

# Rate limit ping requests

578

# Rate limit ping requests

567

-A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT

579

-A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT

568

-A INPUT -p icmp --icmp-type echo-request -j DROP

580

-A INPUT -p icmp --icmp-type echo-request -j DROP

569

581

570

# Accept established connections

582

# Accept established connections

571

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

583

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

572

584

573

# Accept all traffic on loopback interface

585

# Accept all traffic on loopback interface

574

-A INPUT -i lo -j ACCEPT

586

-A INPUT -i lo -j ACCEPT

575

587

576

# Drop packets declared invalid

588

# Drop packets declared invalid

577

-A INPUT -m conntrack --ctstate INVALID -j DROP

589

-A INPUT -m conntrack --ctstate INVALID -j DROP

578

590

579

# SSH rate limiting

591

# SSH rate limiting

580

-A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH

592

-A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH

581

-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP

593

-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP

582

-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP

594

-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP

583

-A SSH -m recent --name sshbf --set -j ACCEPT

595

-A SSH -m recent --name sshbf --set -j ACCEPT

584

596

585

# Send TCP and UDP connections to their respective rules chain

597

# Send TCP and UDP connections to their respective rules chain

586

-A INPUT -p udp -m conntrack --ctstate NEW -j UDP

598

-A INPUT -p udp -m conntrack --ctstate NEW -j UDP

587

-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP

599

-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP

588

600

589

# Reject dropped packets with a RFC compliant responce

601

# Reject dropped packets with a RFC compliant responce

590

-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable

602

-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable

591

-A INPUT -p tcp -j REJECT --reject-with tcp-rst

603

-A INPUT -p tcp -j REJECT --reject-with tcp-rst

592

-A INPUT -j REJECT --reject-with icmp-proto-unreachable

604

-A INPUT -j REJECT --reject-with icmp-proto-unreachable

593

605

594

## TCP PORT RULES

606

## TCP PORT RULES

595

# -A TCP -p tcp -j LOG

607

# -A TCP -p tcp -j LOG

596

608

597

## UDP PORT RULES

609

## UDP PORT RULES

598

# -A UDP -p udp -j LOG

610

# -A UDP -p udp -j LOG

599

611

600

COMMIT

612

COMMIT

601

EOM

613

EOM

602

614

603

# Reload systemd configuration and enable iptables service

615

# Reload systemd configuration and enable iptables service

604

LANG=C chroot $R systemctl daemon-reload

616

LANG=C chroot $R systemctl daemon-reload

605

LANG=C chroot $R systemctl enable iptables.service

617

LANG=C chroot $R systemctl enable iptables.service

606

618

607

if [ "$ENABLE_IPV6" = true ] ; then

619

if [ "$ENABLE_IPV6" = true ] ; then

608

# Create ip6tables systemd service

620

# Create ip6tables systemd service

609

cat <<EOM >$R/etc/systemd/system/ip6tables.service

621

cat <<EOM >$R/etc/systemd/system/ip6tables.service

610

[Unit]

622

[Unit]

611

Description=Packet Filtering Framework

623

Description=Packet Filtering Framework

612

DefaultDependencies=no

624

DefaultDependencies=no

613

After=systemd-sysctl.service

625

After=systemd-sysctl.service

614

Before=sysinit.target

626

Before=sysinit.target

615

[Service]

627

[Service]

616

Type=oneshot

628

Type=oneshot

617

ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules

629

ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules

618

ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules

630

ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules

619

ExecStop=/etc/iptables/flush-ip6tables.sh

631

ExecStop=/etc/iptables/flush-ip6tables.sh

620

RemainAfterExit=yes

632

RemainAfterExit=yes

621

[Install]

633

[Install]

622

WantedBy=multi-user.target

634

WantedBy=multi-user.target

623

EOM

635

EOM

624

636

625

# Create ip6tables file

637

# Create ip6tables file

626

cat <<EOM >$R/etc/iptables/flush-ip6tables.sh

638

cat <<EOM >$R/etc/iptables/flush-ip6tables.sh

627

#!/bin/sh

639

#!/bin/sh

628

ip6tables -F

640

ip6tables -F

629

ip6tables -X

641

ip6tables -X

630

ip6tables -Z

642

ip6tables -Z

631

for table in $(</proc/net/ip6_tables_names)

643

for table in $(</proc/net/ip6_tables_names)

632

do

644

do

633

ip6tables -t \$table -F

645

ip6tables -t \$table -F

634

ip6tables -t \$table -X

646

ip6tables -t \$table -X

635

ip6tables -t \$table -Z

647

ip6tables -t \$table -Z

636

done

648

done

637

ip6tables -P INPUT ACCEPT

649

ip6tables -P INPUT ACCEPT

638

ip6tables -P OUTPUT ACCEPT

650

ip6tables -P OUTPUT ACCEPT

639

ip6tables -P FORWARD ACCEPT

651

ip6tables -P FORWARD ACCEPT

640

EOM

652

EOM

641

653

642

# Create ip6tables rule file

654

# Create ip6tables rule file

643

cat <<EOM >$R/etc/iptables/ip6tables.rules

655

cat <<EOM >$R/etc/iptables/ip6tables.rules

644

*filter

656

*filter

645

:INPUT DROP [0:0]

657

:INPUT DROP [0:0]

646

:FORWARD DROP [0:0]

658

:FORWARD DROP [0:0]

647

:OUTPUT ACCEPT [0:0]

659

:OUTPUT ACCEPT [0:0]

648

:TCP - [0:0]

660

:TCP - [0:0]

649

:UDP - [0:0]

661

:UDP - [0:0]

650

:SSH - [0:0]

662

:SSH - [0:0]

651

663

652

# Drop packets with RH0 headers

664

# Drop packets with RH0 headers

653

-A INPUT -m rt --rt-type 0 -j DROP

665

-A INPUT -m rt --rt-type 0 -j DROP

654

-A OUTPUT -m rt --rt-type 0 -j DROP

666

-A OUTPUT -m rt --rt-type 0 -j DROP

655

-A FORWARD -m rt --rt-type 0 -j DROP

667

-A FORWARD -m rt --rt-type 0 -j DROP

656

668

657

# Rate limit ping requests

669

# Rate limit ping requests

658

-A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT

670

-A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT

659

-A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP

671

-A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP

660

672

661

# Accept established connections

673

# Accept established connections

662

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

674

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

663

675

664

# Accept all traffic on loopback interface

676

# Accept all traffic on loopback interface

665

-A INPUT -i lo -j ACCEPT

677

-A INPUT -i lo -j ACCEPT

666

678

667

# Drop packets declared invalid

679

# Drop packets declared invalid

668

-A INPUT -m conntrack --ctstate INVALID -j DROP

680

-A INPUT -m conntrack --ctstate INVALID -j DROP

669

681

670

# SSH rate limiting

682

# SSH rate limiting

671

-A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH

683

-A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH

672

-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP

684

-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP

673

-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP

685

-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP

674

-A SSH -m recent --name sshbf --set -j ACCEPT

686

-A SSH -m recent --name sshbf --set -j ACCEPT

675

687

676

# Send TCP and UDP connections to their respective rules chain

688

# Send TCP and UDP connections to their respective rules chain

677

-A INPUT -p udp -m conntrack --ctstate NEW -j UDP

689

-A INPUT -p udp -m conntrack --ctstate NEW -j UDP

678

-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP

690

-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP

679

691

680

# Reject dropped packets with a RFC compliant responce

692

# Reject dropped packets with a RFC compliant responce

681

-A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited

693

-A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited

682

-A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited

694

-A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited

683

-A INPUT -j REJECT --reject-with icmp6-adm-prohibited

695

-A INPUT -j REJECT --reject-with icmp6-adm-prohibited

684

696

685

## TCP PORT RULES

697

## TCP PORT RULES

686

# -A TCP -p tcp -j LOG

698

# -A TCP -p tcp -j LOG

687

699

688

## UDP PORT RULES

700

## UDP PORT RULES

689

# -A UDP -p udp -j LOG

701

# -A UDP -p udp -j LOG

690

702

691

COMMIT

703

COMMIT

692

EOM

704

EOM

693

705

694

# Reload systemd configuration and enable iptables service

706

# Reload systemd configuration and enable iptables service

695

LANG=C chroot $R systemctl daemon-reload

707

LANG=C chroot $R systemctl daemon-reload

696

LANG=C chroot $R systemctl enable ip6tables.service

708

LANG=C chroot $R systemctl enable ip6tables.service

697

fi

709

fi

698

fi

710

fi

699

711

700

# Remove SSHD related iptables rules

712

# Remove SSHD related iptables rules

701

if [ "$ENABLE_SSHD" = false ] ; then

713

if [ "$ENABLE_SSHD" = false ] ; then

702

sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/iptables.rules 2> /dev/null

714

sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/iptables.rules 2> /dev/null

703

sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/ip6tables.rules 2> /dev/null

715

sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/ip6tables.rules 2> /dev/null

704

fi

716

fi

705

717

706

# Install gcc/c++ build environment inside the chroot

718

# Install gcc/c++ build environment inside the chroot

707

if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then

719

if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then

708

LANG=C chroot $R apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc

720

LANG=C chroot $R apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc

709

fi

721

fi

710

722

711

# Fetch and build U-Boot bootloader

723

# Fetch and build U-Boot bootloader

712

if [ "$ENABLE_UBOOT" = true ] ; then

724

if [ "$ENABLE_UBOOT" = true ] ; then

713

# Fetch U-Boot bootloader sources

725

# Fetch U-Boot bootloader sources

714

git -C $R/tmp clone git://git.denx.de/u-boot.git

726

git -C $R/tmp clone git://git.denx.de/u-boot.git

715

727

716

# Build and install U-Boot inside chroot

728

# Build and install U-Boot inside chroot

717

LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all

729

LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all

718

730

719

# Copy compiled bootloader binary and set config.txt to load it

731

# Copy compiled bootloader binary and set config.txt to load it

720

cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/

732

cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/

721

printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt

733

printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt

722

734

723

# Set U-Boot command file

735

# Set U-Boot command file

724

cat <<EOM >$R/boot/firmware/uboot.mkimage

736

cat <<EOM >$R/boot/firmware/uboot.mkimage

725

# Tell Linux that it is booting on a Raspberry Pi2

737

# Tell Linux that it is booting on a Raspberry Pi2

726

setenv machid 0x00000c42

738

setenv machid 0x00000c42

727

739

728

# Set the kernel boot command line

740

# Set the kernel boot command line

729

setenv bootargs "earlyprintk ${CMDLINE}"

741

setenv bootargs "earlyprintk ${CMDLINE}"

730

742

731

# Save these changes to u-boot's environment

743

# Save these changes to u-boot's environment

732

saveenv

744

saveenv

733

745

734

# Load the existing Linux kernel into RAM

746

# Load the existing Linux kernel into RAM

735

fatload mmc 0:1 \${kernel_addr_r} kernel7.img

747

fatload mmc 0:1 \${kernel_addr_r} kernel7.img

736

748

737

# Boot the kernel we have just loaded

749

# Boot the kernel we have just loaded

738

bootz \${kernel_addr_r}

750

bootz \${kernel_addr_r}

739

EOM

751

EOM

740

752

741

# Generate U-Boot image from command file

753

# Generate U-Boot image from command file

742

LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr

754

LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr

743

fi

755

fi

744

756

745

# Fetch and build fbturbo Xorg driver

757

# Fetch and build fbturbo Xorg driver

746

if [ "$ENABLE_FBTURBO" = true ] ; then

758

if [ "$ENABLE_FBTURBO" = true ] ; then

747

# Fetch fbturbo driver sources

759

# Fetch fbturbo driver sources

748

git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git

760

git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git

749

761

750

# Install Xorg build dependencies

762

# Install Xorg build dependencies

751

LANG=C chroot $R apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev

763

LANG=C chroot $R apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev

752

764

753

# Build and install fbturbo driver inside chroot

765

# Build and install fbturbo driver inside chroot

754

LANG=C chroot $R /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install"

766

LANG=C chroot $R /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install"

755

767

756

# Add fbturbo driver to Xorg configuration

768

# Add fbturbo driver to Xorg configuration

757

cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf

769

cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf

758

Section "Device"

770

Section "Device"

759

Identifier "Allwinner A10/A13 FBDEV"

771

Identifier "Allwinner A10/A13 FBDEV"

760

Driver "fbturbo"

772

Driver "fbturbo"

761

Option "fbdev" "/dev/fb0"

773

Option "fbdev" "/dev/fb0"

762

Option "SwapbuffersWait" "true"

774

Option "SwapbuffersWait" "true"

763

EndSection

775

EndSection

764

EOM

776

EOM

765

777

766

# Remove Xorg build dependencies

778

# Remove Xorg build dependencies

767

LANG=C chroot $R apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev

779

LANG=C chroot $R apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev

768

fi

780

fi

769

781

770

# Remove gcc/c++ build environment from the chroot

782

# Remove gcc/c++ build environment from the chroot

771

if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then

783

if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then

772

LANG=C chroot $R apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make

784

LANG=C chroot $R apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make

773

fi

785

fi

774

786

775

# Clean cached downloads

787

# Clean cached downloads

776

LANG=C chroot $R apt-get -y clean

788

LANG=C chroot $R apt-get -y clean

777

LANG=C chroot $R apt-get -y autoclean

789

LANG=C chroot $R apt-get -y autoclean

778

LANG=C chroot $R apt-get -y autoremove

790

LANG=C chroot $R apt-get -y autoremove

779

791

780

# Unmount mounted filesystems

792

# Unmount mounted filesystems

781

umount -l $R/proc

793

umount -l $R/proc

782

umount -l $R/sys

794

umount -l $R/sys

783

795

784

# Clean up files

796

# Clean up files

785

rm -f $R/etc/apt/sources.list.save

797

rm -f $R/etc/apt/sources.list.save

786

rm -f $R/etc/resolvconf/resolv.conf.d/original

798

rm -f $R/etc/resolvconf/resolv.conf.d/original

787

rm -rf $R/run

799

rm -rf $R/run

788

mkdir -p $R/run

800

mkdir -p $R/run

789

rm -f $R/etc/*-

801

rm -f $R/etc/*-

790

rm -f $R/root/.bash_history

802

rm -f $R/root/.bash_history

791

rm -rf $R/tmp/*

803

rm -rf $R/tmp/*

792

rm -f $R/var/lib/urandom/random-seed

804

rm -f $R/var/lib/urandom/random-seed

793

[ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id

805

[ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id

794

rm -f $R/etc/machine-id

806

rm -f $R/etc/machine-id

795

rm -fr $R/etc/apt/apt.conf.d/10proxy

807

rm -fr $R/etc/apt/apt.conf.d/10proxy

796

808

797

# Calculate size of the chroot directory

809

# Calculate size of the chroot directory

798

CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)

810

CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)

799

811

800

# Calculate required image size

812

# Calculate required image size

801

IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`

813

IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`

802

814

803

# Calculate number of sectors for the partition

815

# Calculate number of sectors for the partition

804

IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`

816

IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`

805

817

806

# Prepare date string for image file name

818

# Prepare date string for image file name

807

DATE="$(date +%Y-%m-%d)"

819

DATE="$(date +%Y-%m-%d)"

808

820

809

# Prepare image file

821

# Prepare image file

810

dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1

822

dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1

811

dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}

823

dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}

812

824

813

# Write partition table

825

# Write partition table

814

sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM

826

sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM

815

unit: sectors

827

unit: sectors

816

828

817

1 : start= 2048, size= 131072, Id= c, bootable

829

1 : start= 2048, size= 131072, Id= c, bootable

818

2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83

830

2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83

819

3 : start= 0, size= 0, Id= 0

831

3 : start= 0, size= 0, Id= 0

820

4 : start= 0, size= 0, Id= 0

832

4 : start= 0, size= 0, Id= 0

821

EOM

833

EOM

822

834

823

# Set up temporary loop devices and build filesystems

835

# Set up temporary loop devices and build filesystems

824

VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"

836

VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"

825

EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"

837

EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"

826

mkfs.vfat "$VFAT_LOOP"

838

mkfs.vfat "$VFAT_LOOP"

827

mkfs.ext4 "$EXT4_LOOP"

839

mkfs.ext4 "$EXT4_LOOP"

828

840

829

# Mount the temporary loop devices

841

# Mount the temporary loop devices

830

mkdir -p "$BUILDDIR/mount"

842

mkdir -p "$BUILDDIR/mount"

831

mount "$EXT4_LOOP" "$BUILDDIR/mount"

843

mount "$EXT4_LOOP" "$BUILDDIR/mount"

832

844

833

mkdir -p "$BUILDDIR/mount/boot/firmware"

845

mkdir -p "$BUILDDIR/mount/boot/firmware"

834

mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"

846

mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"

835

847

836

# Copy all files from the chroot to the loop device mount point directory

848

# Copy all files from the chroot to the loop device mount point directory

837

rsync -a "$R/" "$BUILDDIR/mount/"

849

rsync -a "$R/" "$BUILDDIR/mount/"

838

850

839

# Unmount all temporary loop devices and mount points

851

# Unmount all temporary loop devices and mount points

840

cleanup

852

cleanup

841

853

842

# (optinal) create block map file for "bmaptool"

854

# (optinal) create block map file for "bmaptool"

843

bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"

855

bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"

844

856

845

# Image was successfully created

857

# Image was successfully created

846

echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"

858

echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Dépôts
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

             #!/bin/sh
             ########################################################################
             # rpi2-gen-image.sh					   ver2a 12/2015
             #
             # Advanced debian "jessie" bootstrap script for RPi2
             #
             # This program is free software; you can redistribute it and/or
             # modify it under the terms of the GNU General Public License
             # as published by the Free Software Foundation; either version 2
             # of the License, or (at your option) any later version.
             #
             # some parts based on rpi2-build-image:
             # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
             # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
             ########################################################################
             # Clean up all temporary mount points
             cleanup (){
               set +x
               set +e
               echo "removing temporary mount points ..."
               umount -l $R/proc 2> /dev/null
               umount -l $R/sys 2> /dev/null
               umount -l $R/dev/pts 2> /dev/null
               umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
               umount "$BUILDDIR/mount" 2> /dev/null
               losetup -d "$EXT4_LOOP" 2> /dev/null
               losetup -d "$VFAT_LOOP" 2> /dev/null
               trap - 0 1 2 3 6
             }
             set -e
             set -x
             # Debian release
             RELEASE=${RELEASE:=jessie}
             # Build settings
             BASEDIR=./images/${RELEASE}
             BUILDDIR=${BASEDIR}/build
             # General settings
             HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
             PASSWORD=${PASSWORD:=raspberry}
             DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
             TIMEZONE=${TIMEZONE:="Europe/Berlin"}
             # APT settings
             APT_PROXY=${APT_PROXY:=""}
             APT_SERVER=${APT_SERVER:="ftp.debian.org"}
             # Feature settings
             ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
             ENABLE_IPV6=${ENABLE_IPV6:=true}
             ENABLE_SSHD=${ENABLE_SSHD:=true}
             ENABLE_SOUND=${ENABLE_SOUND:=true}
             ENABLE_DBUS=${ENABLE_DBUS:=true}
             ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
             ENABLE_MINGPU=${ENABLE_MINGPU:=false}
             ENABLE_XORG=${ENABLE_XORG:=false}
             ENABLE_WM=${ENABLE_WM:=""}
             # Advanced settings
             ENABLE_MINBASE=${ENABLE_MINBASE:=false}
             ENABLE_UBOOT=${ENABLE_UBOOT:=false}
             ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
             ENABLE_HARDNET=${ENABLE_HARDNET:=false}
             ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
             # Image chroot path
             R=${BUILDDIR}/chroot
             # Packages required for bootstrapping
             REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core"
             # Missing packages that need to be installed
             MISSING_PACKAGES=""
             # Packages required in the chroot build environment
             APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo"
             set +x
             # Are we running as root?
             if [ "$(id -u)" -ne "0" ] ; then
               echo "this script must be executed with root privileges"
               exit 1
             fi
             # Check if all required packages are installed
             for package in $REQUIRED_PACKAGES ; do
               if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
                 MISSING_PACKAGES="$MISSING_PACKAGES $package"
               fi
             done
             # Ask if missing packages should get installed right now
             if [ -n "$MISSING_PACKAGES" ] ; then
               echo "the following packages needed by this script are not installed:"
               echo "$MISSING_PACKAGES"
               echo -n "\ndo you want to install the missing packages right now? [y/n] "
               read confirm
               if [ "$confirm" != "y" ] ; then
                 exit 1
               fi
             fi
             # Make sure all required packages are installed
             apt-get -qq -y install ${REQUIRED_PACKAGES}
             # Don't clobber an old build
             if [ -e "$BUILDDIR" ]; then
               echo "directory $BUILDDIR already exists, not proceeding"
               exit 1
             fi
             set -x
             # Call "cleanup" function on various signals and errors
             trap cleanup 0 1 2 3 6
             # Set up chroot directory
             mkdir -p $R
             # Add required packages for the minbase installation
             if [ "$ENABLE_MINBASE" = true ] ; then
               APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools"
             else
               APT_INCLUDES="${APT_INCLUDES},locales"
             fi
             # Add dbus package, recommended if using systemd
             if [ "$ENABLE_DBUS" = true ] ; then
               APT_INCLUDES="${APT_INCLUDES},dbus"
             fi
             # Add iptables IPv4/IPv6 package
             if [ "$ENABLE_IPTABLES" = true ] ; then
               APT_INCLUDES="${APT_INCLUDES},iptables"
             fi
             # Add openssh server package
             if [ "$ENABLE_SSHD" = true ] ; then
               APT_INCLUDES="${APT_INCLUDES},openssh-server"
             fi
             # Add alsa-utils package
             if [ "$ENABLE_SOUND" = true ] ; then
               APT_INCLUDES="${APT_INCLUDES},alsa-utils"
             fi
             # Add rng-tools package
             if [ "$ENABLE_HWRANDOM" = true ] ; then
               APT_INCLUDES="${APT_INCLUDES},rng-tools"
             fi
             # Add fbturbo video driver
             if [ "$ENABLE_FBTURBO" = true ] ; then
               # Enable xorg package dependencies
               ENABLE_XORG=true
             fi
             # Add user defined window manager package
             if [ -n "$ENABLE_WM" ] ; then
               APT_INCLUDES="${APT_INCLUDES},${ENABLE_WM}"
               # Enable xorg package dependencies
               ENABLE_XORG=true
             fi
             # Add xorg package
             if [ "$ENABLE_XORG" = true ] ; then
               APT_INCLUDES="${APT_INCLUDES},xorg"
             fi
             # Set empty proxy string
             if [ -z "$APT_PROXY" ] ; then
               APT_PROXY="http://"
             fi
             # Base debootstrap (unpack only)
             if [ "$ENABLE_MINBASE" = true ] ; then
               debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian
             else
               debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian
             fi
             # Copy qemu emulator binary to chroot
             cp /usr/bin/qemu-arm-static $R/usr/bin
             # Copy debian-archive-keyring.pgp
             chroot $R mkdir -p /usr/share/keyrings
             cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
             # Complete the bootstrapping process
             chroot $R /debootstrap/debootstrap --second-stage
             # Mount required filesystems
             mount -t proc none $R/proc
             mount -t sysfs none $R/sys
             mount --bind /dev/pts $R/dev/pts
             # Use proxy inside chroot
             if [ -z "$APT_PROXY" ] ; then
               echo "Acquire::http::Proxy \"$APT_PROXY\"" >> $R/etc/apt/apt.conf.d/10proxy
             fi
             # Pin package flash-kernel to repositories.collabora.co.uk
             cat <<EOM >$R/etc/apt/preferences.d/flash-kernel
             Package: flash-kernel
             Pin: origin repositories.collabora.co.uk
             Pin-Priority: 1000
             EOM
             # Set up timezone
             echo ${TIMEZONE} >$R/etc/timezone
             LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata
-            # Set up default locales to "en_US.UTF-8" default
-            if [ "$ENABLE_MINBASE" = false ] ; then
-              LANG=C chroot $R sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen
-              LANG=C chroot $R locale-gen ${DEFLOCAL}
-            fi
             # Upgrade collabora package index and install collabora keyring
             echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
             LANG=C chroot $R apt-get -qq -y update
             LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring
             # Set up initial sources.list
             cat <<EOM >$R/etc/apt/sources.list
             deb http://${APT_SERVER}/debian ${RELEASE} main contrib
             #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib
             deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
             #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
             deb http://security.debian.org/ ${RELEASE}/updates main contrib
             #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib
             deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
             EOM
             # Upgrade package index and update all installed packages and changed dependencies
             LANG=C chroot $R apt-get -qq -y update
             LANG=C chroot $R apt-get -qq -y -u dist-upgrade
+            # Set up default locales to "en_US.UTF-8" default
+            if [ "$ENABLE_MINBASE" = false ] ; then
+              # Set locale choice in debconf db, even though dpkg-reconfigure ignores and overwrites them due to some bug
+              # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684134 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685957
+              # ... so we have to set locales manually
+              if [ "$DEFLOCAL" = "en_US.UTF-8" ] ; then
+                LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections
+              else
+                # en_US.UTF-8 should be available anyway : https://www.debian.org/doc/manuals/debian-reference/ch08.en.html#_the_reconfiguration_of_the_locale
+                LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections
+                LANG=C chroot $R sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen
+              fi
+              LANG=C chroot $R sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen
+              LANG=C chroot $R echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections
+              LANG=C chroot $R locale-gen
+              LANG=C chroot $R update-locale LANG=${DEFLOCAL}
+            fi
             # Kernel installation
             # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
             LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2
             LANG=C chroot $R apt-get -qq -y install flash-kernel
             VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
             [ -z "$VMLINUZ" ] && exit 1
             mkdir -p $R/boot/firmware
             # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")
             wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin
             wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat
             wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat
             wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat
             wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf
             wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf
             wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf
             cp $VMLINUZ $R/boot/firmware/kernel7.img
             # Set up IPv4 hosts
             echo ${HOSTNAME} >$R/etc/hostname
             cat <<EOM >$R/etc/hosts
 .0.0.1       localhost
 .0.1.1       ${HOSTNAME}
             EOM
             # Set up IPv6 hosts
             if [ "$ENABLE_IPV6" = true ] ; then
             cat <<EOM >>$R/etc/hosts
             ::1             localhost ip6-localhost ip6-loopback
             ff02::1         ip6-allnodes
             ff02::2         ip6-allrouters
             EOM
             fi
             # Place hint about network configuration
             cat <<EOM >$R/etc/network/interfaces
             # Debian switched to systemd-networkd configuration files.
             # please configure your networks in '/etc/systemd/network/'
             EOM
             # Enable systemd-networkd DHCP configuration for interface eth0
             cat <<EOM >$R/etc/systemd/network/eth.network
             [Match]
             Name=eth0
             [Network]
             DHCP=yes
             EOM
             # Set DHCP configuration to IPv4 only
             if [ "$ENABLE_IPV6" = false ] ; then
               sed -i "s/=yes/=v4/" $R/etc/systemd/network/eth.network
             fi
             # Enable systemd-networkd service
             LANG=C chroot $R systemctl enable systemd-networkd
             # Generate crypt(3) password string
             ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
             # Set up default user
             LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi
             LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
             # Set up root password
             LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root
             # Set up firmware boot cmdline
             CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
             # Set up serial console support (if requested)
             if [ "$ENABLE_CONSOLE" = true ] ; then
               CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
             fi
             # Set up IPv6 networking support
             if [ "$ENABLE_IPV6" = false ] ; then
               CMDLINE="${CMDLINE} ipv6.disable=1"
             fi
             echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
             # Set up firmware config
             cat <<EOM >$R/boot/firmware/config.txt
             # For more options and information see
             # http://www.raspberrypi.org/documentation/configuration/config-txt.md
             # Some settings may impact device functionality. See link above for details
             # uncomment if you get no picture on HDMI for a default "safe" mode
             #hdmi_safe=1
             # uncomment this if your display has a black border of unused pixels visible
             # and your display can output without overscan
             #disable_overscan=1
             # uncomment the following to adjust overscan. Use positive numbers if console
             # goes off screen, and negative if there is too much border
             #overscan_left=16
             #overscan_right=16
             #overscan_top=16
             #overscan_bottom=16
             # uncomment to force a console size. By default it will be display's size minus
             # overscan.
             #framebuffer_width=1280
             #framebuffer_height=720
             # uncomment if hdmi display is not detected and composite is being output
             #hdmi_force_hotplug=1
             # uncomment to force a specific HDMI mode (this will force VGA)
             #hdmi_group=1
             #hdmi_mode=1
             # uncomment to force a HDMI mode rather than DVI. This can make audio work in
             # DMT (computer monitor) modes
             #hdmi_drive=2
             # uncomment to increase signal to HDMI, if you have interference, blanking, or
             # no display
             #config_hdmi_boost=4
             # uncomment for composite PAL
             #sdtv_mode=2
             # uncomment to overclock the arm. 700 MHz is the default.
             #arm_freq=800
             EOM
             # Load snd_bcm2835 kernel module at boot time
             if [ "$ENABLE_SOUND" = true ] ; then
               echo "snd_bcm2835" >>$R/etc/modules
             fi
             # Set smallest possible GPU memory allocation size: 16MB (no X)
             if [ "$ENABLE_MINGPU" = true ] ; then
               echo "gpu_mem=16" >>$R/boot/firmware/config.txt
             fi
             # Create symlinks
             ln -sf firmware/config.txt $R/boot/config.txt
             ln -sf firmware/cmdline.txt $R/boot/cmdline.txt
             # Prepare modules-load.d directory
             mkdir -p $R/lib/modules-load.d/
             # Load random module on boot
             if [ "$ENABLE_HWRANDOM" = true ] ; then
               cat <<EOM >$R/lib/modules-load.d/rpi2.conf
             bcm2708_rng
             EOM
             fi
             # Prepare modprobe.d directory
             mkdir -p $R/etc/modprobe.d/
             # Blacklist sound modules
             cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf
             blacklist snd_soc_core
             blacklist snd_pcm
             blacklist snd_pcm_dmaengine
             blacklist snd_timer
             blacklist snd_compress
             blacklist snd_soc_pcm512x_i2c
             blacklist snd_soc_pcm512x
             blacklist snd_soc_tas5713
             blacklist snd_soc_wm8804
             EOM
             # Create default fstab
             cat <<EOM >$R/etc/fstab
             /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
             /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
             EOM
             # Avoid swapping and increase cache sizes
             cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
             # Avoid swapping and increase cache sizes
             vm.swappiness=1
             vm.dirty_background_ratio=20
             vm.dirty_ratio=40
             vm.dirty_writeback_centisecs=500
             vm.dirty_expire_centisecs=6000
             EOM
             # Enable network stack hardening
             if [ "$ENABLE_HARDNET" = true ] ; then
               cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
             # Enable network stack hardening
             net.ipv4.tcp_timestamps=0
             net.ipv4.tcp_syncookies=1
             net.ipv4.conf.all.rp_filter=1
             net.ipv4.conf.all.accept_redirects=0
             net.ipv4.conf.all.send_redirects=0
             net.ipv4.conf.all.accept_source_route=0
             net.ipv4.conf.default.rp_filter=1
             net.ipv4.conf.default.accept_redirects=0
             net.ipv4.conf.default.send_redirects=0
             net.ipv4.conf.default.accept_source_route=0
             net.ipv4.conf.lo.accept_redirects=0
             net.ipv4.conf.lo.send_redirects=0
             net.ipv4.conf.lo.accept_source_route=0
             net.ipv4.conf.eth0.accept_redirects=0
             net.ipv4.conf.eth0.send_redirects=0
             net.ipv4.conf.eth0.accept_source_route=0
             net.ipv4.icmp_echo_ignore_broadcasts=1
             net.ipv4.icmp_ignore_bogus_error_responses=1
             net.ipv6.conf.all.accept_redirects=0
             net.ipv6.conf.all.accept_source_route=0
             net.ipv6.conf.all.router_solicitations=0
             net.ipv6.conf.all.accept_ra_rtr_pref=0
             net.ipv6.conf.all.accept_ra_pinfo=0
             net.ipv6.conf.all.accept_ra_defrtr=0
             net.ipv6.conf.all.autoconf=0
             net.ipv6.conf.all.dad_transmits=0
             net.ipv6.conf.all.max_addresses=1
             net.ipv6.conf.default.accept_redirects=0
             net.ipv6.conf.default.accept_source_route=0
             net.ipv6.conf.default.router_solicitations=0
             net.ipv6.conf.default.accept_ra_rtr_pref=0
             net.ipv6.conf.default.accept_ra_pinfo=0
             net.ipv6.conf.default.accept_ra_defrtr=0
             net.ipv6.conf.default.autoconf=0
             net.ipv6.conf.default.dad_transmits=0
             net.ipv6.conf.default.max_addresses=1
             net.ipv6.conf.lo.accept_redirects=0
             net.ipv6.conf.lo.accept_source_route=0
             net.ipv6.conf.lo.router_solicitations=0
             net.ipv6.conf.lo.accept_ra_rtr_pref=0
             net.ipv6.conf.lo.accept_ra_pinfo=0
             net.ipv6.conf.lo.accept_ra_defrtr=0
             net.ipv6.conf.lo.autoconf=0
             net.ipv6.conf.lo.dad_transmits=0
             net.ipv6.conf.lo.max_addresses=1
             net.ipv6.conf.eth0.accept_redirects=0
             net.ipv6.conf.eth0.accept_source_route=0
             net.ipv6.conf.eth0.router_solicitations=0
             net.ipv6.conf.eth0.accept_ra_rtr_pref=0
             net.ipv6.conf.eth0.accept_ra_pinfo=0
             net.ipv6.conf.eth0.accept_ra_defrtr=0
             net.ipv6.conf.eth0.autoconf=0
             net.ipv6.conf.eth0.dad_transmits=0
             net.ipv6.conf.eth0.max_addresses=1
             EOM
             # Enable resolver warnings about spoofed addresses
               cat <<EOM >>$R/etc/host.conf
             spoof warn
             EOM
             fi
             # Regenerate openssh server host keys
             if [ "$ENABLE_SSHD" = true ] ; then
               rm -fr $R/etc/ssh/ssh_host_*
               LANG=C chroot $R dpkg-reconfigure openssh-server
             fi
             # Enable serial console systemd style
             if [ "$ENABLE_CONSOLE" = true ] ; then
               LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service
             fi
             # Enable firewall based on iptables started by systemd service
             if [ "$ENABLE_IPTABLES" = true ] ; then
               # Create iptables configuration directory
               mkdir -p "$R/etc/iptables"
               # Create iptables systemd service
               cat <<EOM >$R/etc/systemd/system/iptables.service
             [Unit]
             Description=Packet Filtering Framework
             DefaultDependencies=no
             After=systemd-sysctl.service
             Before=sysinit.target
             [Service]
             Type=oneshot
             ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
             ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
             ExecStop=/etc/iptables/flush-iptables.sh
             RemainAfterExit=yes
             [Install]
             WantedBy=multi-user.target
             EOM
               # Create flush-table script called by iptables service
               cat <<EOM >$R/etc/iptables/flush-iptables.sh
             #!/bin/sh
             iptables -F
             iptables -X
             iptables -t nat -F
             iptables -t nat -X
             iptables -t mangle -F
             iptables -t mangle -X
             iptables -P INPUT ACCEPT
             iptables -P FORWARD ACCEPT
             iptables -P OUTPUT ACCEPT
             EOM
               # Create iptables rule file
               cat <<EOM >$R/etc/iptables/iptables.rules
             *filter
             :INPUT DROP [0:0]
             :FORWARD DROP [0:0]
             :OUTPUT ACCEPT [0:0]
             :TCP - [0:0]
             :UDP - [0:0]
             :SSH - [0:0]
             # Rate limit ping requests
             -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
             -A INPUT -p icmp --icmp-type echo-request -j DROP
             # Accept established connections
             -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
             # Accept all traffic on loopback interface
             -A INPUT -i lo -j ACCEPT
             # Drop packets declared invalid
             -A INPUT -m conntrack --ctstate INVALID -j DROP
             # SSH rate limiting
             -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
             -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
             -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
             -A SSH -m recent --name sshbf --set -j ACCEPT
             # Send TCP and UDP connections to their respective rules chain
             -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
             -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
             # Reject dropped packets with a RFC compliant responce
             -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
             -A INPUT -p tcp -j REJECT --reject-with tcp-rst
             -A INPUT -j REJECT --reject-with icmp-proto-unreachable
             ## TCP PORT RULES
             # -A TCP -p tcp -j LOG
             ## UDP PORT RULES
             # -A UDP -p udp -j LOG
             COMMIT
             EOM
               # Reload systemd configuration and enable iptables service
               LANG=C chroot $R systemctl daemon-reload
               LANG=C chroot $R systemctl enable iptables.service
               if [ "$ENABLE_IPV6" = true ] ; then
                 # Create ip6tables systemd service
                 cat <<EOM >$R/etc/systemd/system/ip6tables.service
             [Unit]
             Description=Packet Filtering Framework
             DefaultDependencies=no
             After=systemd-sysctl.service
             Before=sysinit.target
             [Service]
             Type=oneshot
             ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
             ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
             ExecStop=/etc/iptables/flush-ip6tables.sh
             RemainAfterExit=yes
             [Install]
             WantedBy=multi-user.target
             EOM
                 # Create ip6tables file
                 cat <<EOM >$R/etc/iptables/flush-ip6tables.sh
             #!/bin/sh
             ip6tables -F
             ip6tables -X
             ip6tables -Z
             for table in $(</proc/net/ip6_tables_names)
             do
                     ip6tables -t \$table -F
                     ip6tables -t \$table -X
                     ip6tables -t \$table -Z
             done
             ip6tables -P INPUT ACCEPT
             ip6tables -P OUTPUT ACCEPT
             ip6tables -P FORWARD ACCEPT
             EOM
                 # Create ip6tables rule file
                 cat <<EOM >$R/etc/iptables/ip6tables.rules
             *filter
             :INPUT DROP [0:0]
             :FORWARD DROP [0:0]
             :OUTPUT ACCEPT [0:0]
             :TCP - [0:0]
             :UDP - [0:0]
             :SSH - [0:0]
             # Drop packets with RH0 headers
             -A INPUT -m rt --rt-type 0 -j DROP
             -A OUTPUT -m rt --rt-type 0 -j DROP
             -A FORWARD -m rt --rt-type 0 -j DROP
             # Rate limit ping requests
             -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
             -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
             # Accept established connections
             -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
             # Accept all traffic on loopback interface
             -A INPUT -i lo -j ACCEPT
             # Drop packets declared invalid
             -A INPUT -m conntrack --ctstate INVALID -j DROP
             # SSH rate limiting
             -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
             -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
             -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
             -A SSH -m recent --name sshbf --set -j ACCEPT
             # Send TCP and UDP connections to their respective rules chain
             -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
             -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
             # Reject dropped packets with a RFC compliant responce
             -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
             -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
             -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
             ## TCP PORT RULES
             # -A TCP -p tcp -j LOG
             ## UDP PORT RULES
             # -A UDP -p udp -j LOG
             COMMIT
             EOM
               # Reload systemd configuration and enable iptables service
               LANG=C chroot $R systemctl daemon-reload
               LANG=C chroot $R systemctl enable ip6tables.service
               fi
             fi
             # Remove SSHD related iptables rules
             if [ "$ENABLE_SSHD" = false ] ; then
              sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/iptables.rules 2> /dev/null
              sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/ip6tables.rules 2> /dev/null
             fi
             # Install gcc/c++ build environment inside the chroot
             if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
               LANG=C chroot $R apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
             fi
             # Fetch and build U-Boot bootloader
             if [ "$ENABLE_UBOOT" = true ] ; then
               # Fetch U-Boot bootloader sources
               git -C $R/tmp clone git://git.denx.de/u-boot.git
               # Build and install U-Boot inside chroot
               LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all
               # Copy compiled bootloader binary and set config.txt to load it
               cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
               printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
               # Set U-Boot command file
               cat <<EOM >$R/boot/firmware/uboot.mkimage
             # Tell Linux that it is booting on a Raspberry Pi2
             setenv machid 0x00000c42
             # Set the kernel boot command line
             setenv bootargs "earlyprintk ${CMDLINE}"
             # Save these changes to u-boot's environment
             saveenv
             # Load the existing Linux kernel into RAM
             fatload mmc 0:1 \${kernel_addr_r} kernel7.img
             # Boot the kernel we have just loaded
             bootz \${kernel_addr_r}
             EOM
               # Generate U-Boot image from command file
               LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
             fi
             # Fetch and build fbturbo Xorg driver
             if [ "$ENABLE_FBTURBO" = true ] ; then
               # Fetch fbturbo driver sources
               git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git
               # Install Xorg build dependencies
               LANG=C chroot $R apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
               # Build and install fbturbo driver inside chroot
               LANG=C chroot $R /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install"
               # Add fbturbo driver to Xorg configuration
               cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf
             Section "Device"
                     Identifier "Allwinner A10/A13 FBDEV"
                     Driver "fbturbo"
                     Option "fbdev" "/dev/fb0"
                     Option "SwapbuffersWait" "true"
             EndSection
             EOM
               # Remove Xorg build dependencies
               LANG=C chroot $R apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
             fi
             # Remove gcc/c++ build environment from the chroot
             if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
               LANG=C chroot $R apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
             fi
             # Clean cached downloads
             LANG=C chroot $R apt-get -y clean
             LANG=C chroot $R apt-get -y autoclean
             LANG=C chroot $R apt-get -y autoremove
             # Unmount mounted filesystems
             umount -l $R/proc
             umount -l $R/sys
             # Clean up files
             rm -f $R/etc/apt/sources.list.save
             rm -f $R/etc/resolvconf/resolv.conf.d/original
             rm -rf $R/run
             mkdir -p $R/run
             rm -f $R/etc/*-
             rm -f $R/root/.bash_history
             rm -rf $R/tmp/*
             rm -f $R/var/lib/urandom/random-seed
             [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id
             rm -f $R/etc/machine-id
             rm -fr $R/etc/apt/apt.conf.d/10proxy
             # Calculate size of the chroot directory
             CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)
             # Calculate required image size
             IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`
             # Calculate number of sectors for the partition
             IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`
             # Prepare date string for image file name
             DATE="$(date +%Y-%m-%d)"
             # Prepare image file
             dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1
             dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}
             # Write partition table
             sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
             unit: sectors
 : start=     2048, size=   131072, Id= c, bootable
 : start=   133120, size=  ${IMAGE_SECTORS}, Id=83
 : start=        0, size=        0, Id= 0
 : start=        0, size=        0, Id= 0
             EOM
             # Set up temporary loop devices and build filesystems
             VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
             EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
             mkfs.vfat "$VFAT_LOOP"
             mkfs.ext4 "$EXT4_LOOP"
             # Mount the temporary loop devices
             mkdir -p "$BUILDDIR/mount"
             mount "$EXT4_LOOP" "$BUILDDIR/mount"
             mkdir -p "$BUILDDIR/mount/boot/firmware"
             mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"
             # Copy all files from the chroot to the loop device mount point directory
             rsync -a "$R/" "$BUILDDIR/mount/"
             # Unmount all temporary loop devices and mount points
             cleanup
             # (optinal) create block map file for "bmaptool"
             bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
             # Image was successfully created
             echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"