Added functionality to run custom scripts after base bootstrap
Chris Landa
r40:f13fca1705c4
@@ -1,109 +1,112
1 1 # rpi2-gen-image
2 2 ## Introduction
3 3 `rpi2-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for the Raspberry 2 (RPi2) computer. The script at this time only supports the bootstrapping of the current stable Debian 8 "jessie" release.
4 4
5 5 ## Build dependencies
6 6 The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user.
7 7
8 8 ```debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core```
9 9
10 10 ## Command-line parameters
11 11 The script accepts certain command-line parameters to enable or disable specific OS features, services and configuration settings. These parameters are passed to the `rpi2-gen-image.sh` script via (simple) shell-variables. Unlike environment shell-variables (simple) shell-variables are defined at the beginning of the command-line call of the `rpi2-gen-image.sh` script.
12 12
13 13 #####Command-line examples:
14 14 ```shell
15 15 ENABLE_UBOOT=true ./rpi2-gen-image.sh
16 16 ENABLE_CONSOLE=false ENABLE_IPV6=false ./rpi2-gen-image.sh
17 17 ENABLE_WM=xfce4 ENABLE_FBTURBO=true ENABLE_MINBASE=true ./rpi2-gen-image.sh
18 18 ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi2-gen-image.sh
19 19 APT_SERVER=ftp.de.debian.org APT_PROXY="http://127.0.0.1:3142/" ./rpi2-gen-image.sh
20 20 ENABLE_MINBASE=true ./rpi2-gen-image.sh
21 21 ```
22 22
23 23 #### APT settings:
24 24 ##### `APT_SERVER`="ftp.debian.org"
25 25 Set Debian packages server address. Choose a server from the list of Debian worldwide [mirror sites](https://www.debian.org/mirror/list). Using a nearby server will probably speed-up all required downloads within the bootstrapping process.
26 26
27 27 ##### `APT_PROXY`=""
28 28 Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once.
29 29
30 30 #### General system settings:
31 31 ##### `HOSTNAME`="rpi2-jessie"
32 32 Set system host name. It's recommended that the host name is unique in the corresponding subnet.
33 33
34 34 ##### `PASSWORD`="raspberry"
35 35 Set system `root` password. The same password is used for the created user `pi`. It's **STRONGLY** recommended that you choose a custom password.
36 36
37 37 ##### `DEFLOCAL`="en_US.UTF-8"
38 38 Set default system locale. This setting can also be changed inside the running OS using the `dpkg-reconfigure locales` command. The script variant `minbase` (ENABLE_MINBASE=true) doesn't install `locales`.
39 39
40 40
41 41 ##### `TIMEZONE`="Europe/Berlin"
42 42 Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command.
43 43
44 44 #### Keyboard settings:
45 45 These options are used to configure keyboard layout in `/etc/default/keyboard` for console and Xorg. These settings can also be changed inside the running OS using the `dpkg-reconfigure keyboard-configuration` command.
46 46 ##### `XKBMODEL`=""
47 47 ##### `XKBLAYOUT`=""
48 48 ##### `XKBVARIANT`=""
49 49 ##### `XKBOPTIONS`=""
50 50
51 51 #### Basic system features:
52 52 ##### `ENABLE_CONSOLE`=true
53 53 Enable serial console interface. Recommended if no monitor or keyboard is connected to the RPi2. In case of problems fe. if the network (auto) configuration failed - the serial console can be used to access the system.
54 54
55 55 ##### `ENABLE_IPV6`=true
56 56 Enable IPv6 support. The network interface configuration is managed via systemd-networkd.
57 57
58 58 ##### `ENABLE_SSHD`=true
59 59 Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root.
60 60
61 61 ##### `ENABLE_SOUND`=true
62 62 Enable sound hardware and install Advanced Linux Sound Architecture.
63 63
64 64 ##### `ENABLE_HWRANDOM`=true
65 65 Enable Hardware Random Number Generator. Strong random numbers are important for most network based communications that use encryption. It's recommended to be enabled.
66 66
67 67 ##### `ENABLE_MINGPU`=false
68 68 Minimize the amount of shared memory reserved for the GPU. It doesn't seem to be possible to fully disable the GPU.
69 69
70 70 ##### `ENABLE_DBUS`=true
71 71 Install and enable D-Bus message bus. Please note that systemd should work without D-bus but it's recommended to be enabled.
72 72
73 73 ##### `ENABLE_XORG`=false
74 74 Install Xorg open-source X Window System.
75 75
76 76 ##### `ENABLE_WM`=""
77 77 Install a user defined window manager for the X Window System. To make sure all X related package dependencies are getting installed `ENABLE_XORG` will automatically get enabled if `ENABLE_WM` is used. The `rpi2-gen-image.sh` script has been tested with the following list of window managers: `blackbox`, `openbox`, `fluxbox`, `jwm`, `dwm`, `xfce4`, `awesome`.
78 78
79 79 #### Advanced sytem features:
80 80 ##### `ENABLE_MINBASE`=false
81 81 Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB.
82 82
83 83 ##### `ENABLE_UBOOT`=false
84 84 Replace default RPi2 second stage bootloader (bootcode.bin) with U-Boot bootloader. U-Boot can boot images via the network using the BOOTP/TFTP protocol.
85 85
86 86 ##### `ENABLE_FBTURBO`=false
87 87 Install and enable the hardware accelerated Xorg video driver `fbturbo`. Please note that this driver is currently limited to hardware accelerated window moving and scrolling.
88 88
89 89 ##### `ENABLE_IPTABLES`=false
90 90 Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service.
91 91
92 92 ##### `ENABLE_HARDNET`=false
93 93 Enable IPv4/IPv6 network stack hardening settings.
94 94
95 ##### `CHROOT_SCRIPTS`=""
96 Path to a directory with scripts that should be run in the chroot before the image is finally built. Every executable file in this direcory is run in lexicographical order.
97
95 98 ## Logging of the bootstrapping process
96 99 All information related to the bootstrapping process and the commands executed by the `rpi2-gen-image.sh` script can easily be saved into a logfile. The common shell command `script` can be used for this purpose:
97 100
98 101 ```shell
99 102 script -c 'APT_SERVER=ftp.de.debian.org ./rpi2-gen-image.sh' ./build.log
100 103 ```
101 104
102 105 ## Flashing the image file
103 106 After the image file was successfully created by the `rpi2-gen-image.sh` script it can be copied to the microSD card that will be used by the RPi2 computer. This can be performed by using the tools `bmaptool` or `dd`. Using `bmaptool` will probably speed-up the copy process because `bmaptool` copies more wisely than `dd`.
104 107
105 108 #####Flashing examples:
106 109 ```shell
107 110 bmaptool copy ./images/jessie/2015-12-13-debian-jessie.img /dev/mmcblk0
108 111 dd bs=4M if=./images/jessie/2015-12-13-debian-jessie.img of=/dev/mmcblk0
109 112 ```
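Review bot: the new `CHROOT_SCRIPTS` paragraph has a typo ("direcory" should be "directory"), and it should also say how the path is resolved (absolute, or relative to the directory `rpi2-gen-image.sh` is started from) and that the scripts execute as root inside the chroot, since the script refuses to run without root privileges; adding a line such as `CHROOT_SCRIPTS=./custom.d ./rpi2-gen-image.sh` to the command-line examples block would make the option discoverable. While in this hunk, the example `ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi2-gen-image.sh` is missing the leading `./`.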
@@ -1,882 +1,890
1 1 #!/bin/sh
2 2
3 3 ########################################################################
4 4 # rpi2-gen-image.sh ver2a 12/2015
5 5 #
6 6 # Advanced debian "jessie" bootstrap script for RPi2
7 7 #
8 8 # This program is free software; you can redistribute it and/or
9 9 # modify it under the terms of the GNU General Public License
10 10 # as published by the Free Software Foundation; either version 2
11 11 # of the License, or (at your option) any later version.
12 12 #
13 13 # some parts based on rpi2-build-image:
14 14 # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
15 15 # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
16 16 ########################################################################
17 17
18 18 # Clean up all temporary mount points
19 19 cleanup (){
20 20 set +x
21 21 set +e
22 22 echo "removing temporary mount points ..."
23 23 umount -l $R/proc 2> /dev/null
24 24 umount -l $R/sys 2> /dev/null
25 25 umount -l $R/dev/pts 2> /dev/null
26 26 umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
27 27 umount "$BUILDDIR/mount" 2> /dev/null
28 28 losetup -d "$EXT4_LOOP" 2> /dev/null
29 29 losetup -d "$VFAT_LOOP" 2> /dev/null
30 30 trap - 0 1 2 3 6
31 31 }
32 32
33 33 set -e
34 34 set -x
35 35
36 36 # Debian release
37 37 RELEASE=${RELEASE:=jessie}
38 38
39 39 # Build settings
40 40 BASEDIR=./images/${RELEASE}
41 41 BUILDDIR=${BASEDIR}/build
42 42
43 43 # General settings
44 44 HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
45 45 PASSWORD=${PASSWORD:=raspberry}
46 46 DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
47 47 TIMEZONE=${TIMEZONE:="Europe/Berlin"}
48 48 XKBMODEL=${XKBMODEL:=""}
49 49 XKBLAYOUT=${XKBLAYOUT:=""}
50 50 XKBVARIANT=${XKBVARIANT:=""}
51 51 XKBOPTIONS=${XKBOPTIONS:=""}
52 52
53 53 # APT settings
54 54 APT_PROXY=${APT_PROXY:=""}
55 55 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
56 56
57 57 # Feature settings
58 58 ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
59 59 ENABLE_IPV6=${ENABLE_IPV6:=true}
60 60 ENABLE_SSHD=${ENABLE_SSHD:=true}
61 61 ENABLE_SOUND=${ENABLE_SOUND:=true}
62 62 ENABLE_DBUS=${ENABLE_DBUS:=true}
63 63 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
64 64 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
65 65 ENABLE_XORG=${ENABLE_XORG:=false}
66 66 ENABLE_WM=${ENABLE_WM:=""}
67 67
68 68 # Advanced settings
69 69 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
70 70 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
71 71 ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
72 72 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
73 73 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
74 74
75 75 # Image chroot path
76 76 R=${BUILDDIR}/chroot
77 CHROOT_SCRIPTS=${CHROOT_SCRIPTS:=""}
77 78
78 79 # Packages required for bootstrapping
79 80 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git-core"
80 81
81 82 # Missing packages that need to be installed
82 83 MISSING_PACKAGES=""
83 84
84 85 # Packages required in the chroot build environment
85 86 APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo"
86 87
87 88 set +x
88 89
89 90 # Are we running as root?
90 91 if [ "$(id -u)" -ne "0" ] ; then
91 92 echo "this script must be executed with root privileges"
92 93 exit 1
93 94 fi
94 95
95 96 # Check if all required packages are installed
96 97 for package in $REQUIRED_PACKAGES ; do
97 98 if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
98 99 MISSING_PACKAGES="$MISSING_PACKAGES $package"
99 100 fi
100 101 done
101 102
102 103 # Ask if missing packages should get installed right now
103 104 if [ -n "$MISSING_PACKAGES" ] ; then
104 105 echo "the following packages needed by this script are not installed:"
105 106 echo "$MISSING_PACKAGES"
106 107
107 108 echo -n "\ndo you want to install the missing packages right now? [y/n] "
108 109 read confirm
109 110 if [ "$confirm" != "y" ] ; then
110 111 exit 1
111 112 fi
112 113 fi
113 114
114 115 # Make sure all required packages are installed
115 116 apt-get -qq -y install ${REQUIRED_PACKAGES}
116 117
117 118 # Don't clobber an old build
118 119 if [ -e "$BUILDDIR" ]; then
119 120 echo "directory $BUILDDIR already exists, not proceeding"
120 121 exit 1
121 122 fi
122 123
123 124 set -x
124 125
125 126 # Call "cleanup" function on various signals and errors
126 127 trap cleanup 0 1 2 3 6
127 128
128 129 # Set up chroot directory
129 130 mkdir -p $R
130 131
131 132 # Add required packages for the minbase installation
132 133 if [ "$ENABLE_MINBASE" = true ] ; then
133 134 APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools"
134 135 else
135 136 APT_INCLUDES="${APT_INCLUDES},locales,keyboard-configuration,console-setup"
136 137 fi
137 138
138 139 # Add dbus package, recommended if using systemd
139 140 if [ "$ENABLE_DBUS" = true ] ; then
140 141 APT_INCLUDES="${APT_INCLUDES},dbus"
141 142 fi
142 143
143 144 # Add iptables IPv4/IPv6 package
144 145 if [ "$ENABLE_IPTABLES" = true ] ; then
145 146 APT_INCLUDES="${APT_INCLUDES},iptables"
146 147 fi
147 148
148 149 # Add openssh server package
149 150 if [ "$ENABLE_SSHD" = true ] ; then
150 151 APT_INCLUDES="${APT_INCLUDES},openssh-server"
151 152 fi
152 153
153 154 # Add alsa-utils package
154 155 if [ "$ENABLE_SOUND" = true ] ; then
155 156 APT_INCLUDES="${APT_INCLUDES},alsa-utils"
156 157 fi
157 158
158 159 # Add rng-tools package
159 160 if [ "$ENABLE_HWRANDOM" = true ] ; then
160 161 APT_INCLUDES="${APT_INCLUDES},rng-tools"
161 162 fi
162 163
163 164 # Add fbturbo video driver
164 165 if [ "$ENABLE_FBTURBO" = true ] ; then
165 166 # Enable xorg package dependencies
166 167 ENABLE_XORG=true
167 168 fi
168 169
169 170 # Add user defined window manager package
170 171 if [ -n "$ENABLE_WM" ] ; then
171 172 APT_INCLUDES="${APT_INCLUDES},${ENABLE_WM}"
172 173
173 174 # Enable xorg package dependencies
174 175 ENABLE_XORG=true
175 176 fi
176 177
177 178 # Add xorg package
178 179 if [ "$ENABLE_XORG" = true ] ; then
179 180 APT_INCLUDES="${APT_INCLUDES},xorg"
180 181 fi
181 182
182 183 # Base debootstrap (unpack only)
183 184 if [ "$ENABLE_MINBASE" = true ] ; then
184 185 http_proxy=${APT_PROXY} debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
185 186 else
186 187 http_proxy=${APT_PROXY} debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
187 188 fi
188 189
189 190 # Copy qemu emulator binary to chroot
190 191 cp /usr/bin/qemu-arm-static $R/usr/bin
191 192
192 193 # Copy debian-archive-keyring.pgp
193 194 chroot $R mkdir -p /usr/share/keyrings
194 195 cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
195 196
196 197 # Complete the bootstrapping process
197 198 chroot $R /debootstrap/debootstrap --second-stage
198 199
199 200 # Mount required filesystems
200 201 mount -t proc none $R/proc
201 202 mount -t sysfs none $R/sys
202 203 mount --bind /dev/pts $R/dev/pts
203 204
204 205 # Use proxy inside chroot
205 206 if [ -z "$APT_PROXY" ] ; then
206 207 echo "Acquire::http::Proxy \"$APT_PROXY\"" >> $R/etc/apt/apt.conf.d/10proxy
207 208 fi
208 209
209 210 # Pin package flash-kernel to repositories.collabora.co.uk
210 211 cat <<EOM >$R/etc/apt/preferences.d/flash-kernel
211 212 Package: flash-kernel
212 213 Pin: origin repositories.collabora.co.uk
213 214 Pin-Priority: 1000
214 215 EOM
215 216
216 217 # Set up timezone
217 218 echo ${TIMEZONE} >$R/etc/timezone
218 219 LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata
219 220
220 221 # Upgrade collabora package index and install collabora keyring
221 222 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
222 223 LANG=C chroot $R apt-get -qq -y update
223 224 LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring
224 225
225 226 # Set up initial sources.list
226 227 cat <<EOM >$R/etc/apt/sources.list
227 228 deb http://${APT_SERVER}/debian ${RELEASE} main contrib
228 229 #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib
229 230
230 231 deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
231 232 #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
232 233
233 234 deb http://security.debian.org/ ${RELEASE}/updates main contrib
234 235 #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib
235 236
236 237 deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
237 238 EOM
238 239
239 240 # Upgrade package index and update all installed packages and changed dependencies
240 241 LANG=C chroot $R apt-get -qq -y update
241 242 LANG=C chroot $R apt-get -qq -y -u dist-upgrade
242 243
243 244 # Set up default locale and keyboard configuration
244 245 if [ "$ENABLE_MINBASE" = false ] ; then
245 246 # Set locale choice in debconf db, even though dpkg-reconfigure ignores and overwrites them due to some bug
246 247 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684134 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685957
247 248 # ... so we have to set locales manually
248 249 if [ "$DEFLOCAL" = "en_US.UTF-8" ] ; then
249 250 LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections
250 251 else
251 252 # en_US.UTF-8 should be available anyway : https://www.debian.org/doc/manuals/debian-reference/ch08.en.html#_the_reconfiguration_of_the_locale
252 253 LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections
253 254 LANG=C chroot $R sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen
254 255 fi
255 256 LANG=C chroot $R sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen
256 257 LANG=C chroot $R echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections
257 258 LANG=C chroot $R locale-gen
258 259 LANG=C chroot $R update-locale LANG=${DEFLOCAL}
259 260
260 261 # Keyboard configuration, if requested
261 262 if [ "$XKBMODEL" != "" ] ; then
262 263 LANG=C chroot $R sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKBMODEL}\"/" /etc/default/keyboard
263 264 fi
264 265 if [ "$XKBLAYOUT" != "" ] ; then
265 266 LANG=C chroot $R sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKBLAYOUT}\"/" /etc/default/keyboard
266 267 fi
267 268 if [ "$XKBVARIANT" != "" ] ; then
268 269 LANG=C chroot $R sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKBVARIANT}\"/" /etc/default/keyboard
269 270 fi
270 271 if [ "$XKBOPTIONS" != "" ] ; then
271 272 LANG=C chroot $R sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKBOPTIONS}\"/" /etc/default/keyboard
272 273 fi
273 274 LANG=C chroot $R dpkg-reconfigure -f noninteractive keyboard-configuration
274 275 # Set up font console
275 276 case "${DEFLOCAL}" in
276 277 *UTF-8)
277 278 LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' /etc/default/console-setup
278 279 ;;
279 280 *)
280 281 LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="guess"/' /etc/default/console-setup
281 282 ;;
282 283 esac
283 284 LANG=C chroot $R dpkg-reconfigure -f noninteractive console-setup
284 285 fi
285 286
286 287 # Kernel installation
287 288 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
288 289 LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2
289 290 LANG=C chroot $R apt-get -qq -y install flash-kernel
290 291
291 292 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
292 293 [ -z "$VMLINUZ" ] && exit 1
293 294 mkdir -p $R/boot/firmware
294 295
295 296 # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")
296 297 wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin
297 298 wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat
298 299 wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat
299 300 wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat
300 301 wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf
301 302 wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf
302 303 wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf
303 304 cp $VMLINUZ $R/boot/firmware/kernel7.img
304 305
305 306 # Set up IPv4 hosts
306 307 echo ${HOSTNAME} >$R/etc/hostname
307 308 cat <<EOM >$R/etc/hosts
308 309 127.0.0.1 localhost
309 310 127.0.1.1 ${HOSTNAME}
310 311 EOM
311 312
312 313 # Set up IPv6 hosts
313 314 if [ "$ENABLE_IPV6" = true ] ; then
314 315 cat <<EOM >>$R/etc/hosts
315 316
316 317 ::1 localhost ip6-localhost ip6-loopback
317 318 ff02::1 ip6-allnodes
318 319 ff02::2 ip6-allrouters
319 320 EOM
320 321 fi
321 322
322 323 # Place hint about network configuration
323 324 cat <<EOM >$R/etc/network/interfaces
324 325 # Debian switched to systemd-networkd configuration files.
325 326 # please configure your networks in '/etc/systemd/network/'
326 327 EOM
327 328
328 329 # Enable systemd-networkd DHCP configuration for interface eth0
329 330 cat <<EOM >$R/etc/systemd/network/eth.network
330 331 [Match]
331 332 Name=eth0
332 333
333 334 [Network]
334 335 DHCP=yes
335 336 EOM
336 337
337 338 # Set DHCP configuration to IPv4 only
338 339 if [ "$ENABLE_IPV6" = false ] ; then
339 340 sed -i "s/=yes/=v4/" $R/etc/systemd/network/eth.network
340 341 fi
341 342
342 343 # Enable systemd-networkd service
343 344 LANG=C chroot $R systemctl enable systemd-networkd
344 345
345 346 # Generate crypt(3) password string
346 347 ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
347 348
348 349 # Set up default user
349 350 LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi
350 351 LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
351 352
352 353 # Set up root password
353 354 LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root
354 355
355 356 # Set up firmware boot cmdline
356 357 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
357 358
358 359 # Set up serial console support (if requested)
359 360 if [ "$ENABLE_CONSOLE" = true ] ; then
360 361 CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
361 362 fi
362 363
363 364 # Set up IPv6 networking support
364 365 if [ "$ENABLE_IPV6" = false ] ; then
365 366 CMDLINE="${CMDLINE} ipv6.disable=1"
366 367 fi
367 368
368 369 echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
369 370
370 371 # Set up firmware config
371 372 cat <<EOM >$R/boot/firmware/config.txt
372 373 # For more options and information see
373 374 # http://www.raspberrypi.org/documentation/configuration/config-txt.md
374 375 # Some settings may impact device functionality. See link above for details
375 376
376 377 # uncomment if you get no picture on HDMI for a default "safe" mode
377 378 #hdmi_safe=1
378 379
379 380 # uncomment this if your display has a black border of unused pixels visible
380 381 # and your display can output without overscan
381 382 #disable_overscan=1
382 383
383 384 # uncomment the following to adjust overscan. Use positive numbers if console
384 385 # goes off screen, and negative if there is too much border
385 386 #overscan_left=16
386 387 #overscan_right=16
387 388 #overscan_top=16
388 389 #overscan_bottom=16
389 390
390 391 # uncomment to force a console size. By default it will be display's size minus
391 392 # overscan.
392 393 #framebuffer_width=1280
393 394 #framebuffer_height=720
394 395
395 396 # uncomment if hdmi display is not detected and composite is being output
396 397 #hdmi_force_hotplug=1
397 398
398 399 # uncomment to force a specific HDMI mode (this will force VGA)
399 400 #hdmi_group=1
400 401 #hdmi_mode=1
401 402
402 403 # uncomment to force a HDMI mode rather than DVI. This can make audio work in
403 404 # DMT (computer monitor) modes
404 405 #hdmi_drive=2
405 406
406 407 # uncomment to increase signal to HDMI, if you have interference, blanking, or
407 408 # no display
408 409 #config_hdmi_boost=4
409 410
410 411 # uncomment for composite PAL
411 412 #sdtv_mode=2
412 413
413 414 # uncomment to overclock the arm. 700 MHz is the default.
414 415 #arm_freq=800
415 416 EOM
416 417
417 418 # Load snd_bcm2835 kernel module at boot time
418 419 if [ "$ENABLE_SOUND" = true ] ; then
419 420 echo "snd_bcm2835" >>$R/etc/modules
420 421 fi
421 422
422 423 # Set smallest possible GPU memory allocation size: 16MB (no X)
423 424 if [ "$ENABLE_MINGPU" = true ] ; then
424 425 echo "gpu_mem=16" >>$R/boot/firmware/config.txt
425 426 fi
426 427
427 428 # Create symlinks
428 429 ln -sf firmware/config.txt $R/boot/config.txt
429 430 ln -sf firmware/cmdline.txt $R/boot/cmdline.txt
430 431
431 432 # Prepare modules-load.d directory
432 433 mkdir -p $R/lib/modules-load.d/
433 434
434 435 # Load random module on boot
435 436 if [ "$ENABLE_HWRANDOM" = true ] ; then
436 437 cat <<EOM >$R/lib/modules-load.d/rpi2.conf
437 438 bcm2708_rng
438 439 EOM
439 440 fi
440 441
441 442 # Prepare modprobe.d directory
442 443 mkdir -p $R/etc/modprobe.d/
443 444
444 445 # Blacklist sound modules
445 446 cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf
446 447 blacklist snd_soc_core
447 448 blacklist snd_pcm
448 449 blacklist snd_pcm_dmaengine
449 450 blacklist snd_timer
450 451 blacklist snd_compress
451 452 blacklist snd_soc_pcm512x_i2c
452 453 blacklist snd_soc_pcm512x
453 454 blacklist snd_soc_tas5713
454 455 blacklist snd_soc_wm8804
455 456 EOM
456 457
457 458 # Create default fstab
458 459 cat <<EOM >$R/etc/fstab
459 460 /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
460 461 /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
461 462 EOM
462 463
463 464 # Avoid swapping and increase cache sizes
464 465 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
465 466
466 467 # Avoid swapping and increase cache sizes
467 468 vm.swappiness=1
468 469 vm.dirty_background_ratio=20
469 470 vm.dirty_ratio=40
470 471 vm.dirty_writeback_centisecs=500
471 472 vm.dirty_expire_centisecs=6000
472 473 EOM
473 474
474 475 # Enable network stack hardening
475 476 if [ "$ENABLE_HARDNET" = true ] ; then
476 477 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
477 478
478 479 # Enable network stack hardening
479 480 net.ipv4.tcp_timestamps=0
480 481 net.ipv4.tcp_syncookies=1
481 482 net.ipv4.conf.all.rp_filter=1
482 483 net.ipv4.conf.all.accept_redirects=0
483 484 net.ipv4.conf.all.send_redirects=0
484 485 net.ipv4.conf.all.accept_source_route=0
485 486 net.ipv4.conf.default.rp_filter=1
486 487 net.ipv4.conf.default.accept_redirects=0
487 488 net.ipv4.conf.default.send_redirects=0
488 489 net.ipv4.conf.default.accept_source_route=0
489 490 net.ipv4.conf.lo.accept_redirects=0
490 491 net.ipv4.conf.lo.send_redirects=0
491 492 net.ipv4.conf.lo.accept_source_route=0
492 493 net.ipv4.conf.eth0.accept_redirects=0
493 494 net.ipv4.conf.eth0.send_redirects=0
494 495 net.ipv4.conf.eth0.accept_source_route=0
495 496 net.ipv4.icmp_echo_ignore_broadcasts=1
496 497 net.ipv4.icmp_ignore_bogus_error_responses=1
497 498
498 499 net.ipv6.conf.all.accept_redirects=0
499 500 net.ipv6.conf.all.accept_source_route=0
500 501 net.ipv6.conf.all.router_solicitations=0
501 502 net.ipv6.conf.all.accept_ra_rtr_pref=0
502 503 net.ipv6.conf.all.accept_ra_pinfo=0
503 504 net.ipv6.conf.all.accept_ra_defrtr=0
504 505 net.ipv6.conf.all.autoconf=0
505 506 net.ipv6.conf.all.dad_transmits=0
506 507 net.ipv6.conf.all.max_addresses=1
507 508
508 509 net.ipv6.conf.default.accept_redirects=0
509 510 net.ipv6.conf.default.accept_source_route=0
510 511 net.ipv6.conf.default.router_solicitations=0
511 512 net.ipv6.conf.default.accept_ra_rtr_pref=0
512 513 net.ipv6.conf.default.accept_ra_pinfo=0
513 514 net.ipv6.conf.default.accept_ra_defrtr=0
514 515 net.ipv6.conf.default.autoconf=0
515 516 net.ipv6.conf.default.dad_transmits=0
516 517 net.ipv6.conf.default.max_addresses=1
517 518
518 519 net.ipv6.conf.lo.accept_redirects=0
519 520 net.ipv6.conf.lo.accept_source_route=0
520 521 net.ipv6.conf.lo.router_solicitations=0
521 522 net.ipv6.conf.lo.accept_ra_rtr_pref=0
522 523 net.ipv6.conf.lo.accept_ra_pinfo=0
523 524 net.ipv6.conf.lo.accept_ra_defrtr=0
524 525 net.ipv6.conf.lo.autoconf=0
525 526 net.ipv6.conf.lo.dad_transmits=0
526 527 net.ipv6.conf.lo.max_addresses=1
527 528
528 529 net.ipv6.conf.eth0.accept_redirects=0
529 530 net.ipv6.conf.eth0.accept_source_route=0
530 531 net.ipv6.conf.eth0.router_solicitations=0
531 532 net.ipv6.conf.eth0.accept_ra_rtr_pref=0
532 533 net.ipv6.conf.eth0.accept_ra_pinfo=0
533 534 net.ipv6.conf.eth0.accept_ra_defrtr=0
534 535 net.ipv6.conf.eth0.autoconf=0
535 536 net.ipv6.conf.eth0.dad_transmits=0
536 537 net.ipv6.conf.eth0.max_addresses=1
537 538 EOM
538 539
539 540 # Enable resolver warnings about spoofed addresses
540 541 cat <<EOM >>$R/etc/host.conf
541 542 spoof warn
542 543 EOM
543 544 fi
544 545
545 546 # Regenerate openssh server host keys
546 547 if [ "$ENABLE_SSHD" = true ] ; then
547 548 rm -fr $R/etc/ssh/ssh_host_*
548 549 LANG=C chroot $R dpkg-reconfigure openssh-server
549 550 fi
550 551
551 552 # Enable serial console systemd style
552 553 if [ "$ENABLE_CONSOLE" = true ] ; then
553 554 LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service
554 555 fi
555 556
556 557 # Enable firewall based on iptables started by systemd service
557 558 if [ "$ENABLE_IPTABLES" = true ] ; then
558 559 # Create iptables configuration directory
559 560 mkdir -p "$R/etc/iptables"
560 561
561 562 # Create iptables systemd service
562 563 cat <<EOM >$R/etc/systemd/system/iptables.service
563 564 [Unit]
564 565 Description=Packet Filtering Framework
565 566 DefaultDependencies=no
566 567 After=systemd-sysctl.service
567 568 Before=sysinit.target
568 569 [Service]
569 570 Type=oneshot
570 571 ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
571 572 ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
572 573 ExecStop=/etc/iptables/flush-iptables.sh
573 574 RemainAfterExit=yes
574 575 [Install]
575 576 WantedBy=multi-user.target
576 577 EOM
577 578
578 579 # Create flush-table script called by iptables service
579 580 cat <<EOM >$R/etc/iptables/flush-iptables.sh
580 581 #!/bin/sh
581 582 iptables -F
582 583 iptables -X
583 584 iptables -t nat -F
584 585 iptables -t nat -X
585 586 iptables -t mangle -F
586 587 iptables -t mangle -X
587 588 iptables -P INPUT ACCEPT
588 589 iptables -P FORWARD ACCEPT
589 590 iptables -P OUTPUT ACCEPT
590 591 EOM
591 592
592 593 # Create iptables rule file
593 594 cat <<EOM >$R/etc/iptables/iptables.rules
594 595 *filter
595 596 :INPUT DROP [0:0]
596 597 :FORWARD DROP [0:0]
597 598 :OUTPUT ACCEPT [0:0]
598 599 :TCP - [0:0]
599 600 :UDP - [0:0]
600 601 :SSH - [0:0]
601 602
602 603 # Rate limit ping requests
603 604 -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
604 605 -A INPUT -p icmp --icmp-type echo-request -j DROP
605 606
606 607 # Accept established connections
607 608 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
608 609
609 610 # Accept all traffic on loopback interface
610 611 -A INPUT -i lo -j ACCEPT
611 612
612 613 # Drop packets declared invalid
613 614 -A INPUT -m conntrack --ctstate INVALID -j DROP
614 615
615 616 # SSH rate limiting
616 617 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
617 618 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
618 619 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
619 620 -A SSH -m recent --name sshbf --set -j ACCEPT
620 621
621 622 # Send TCP and UDP connections to their respective rules chain
622 623 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
623 624 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
624 625
625 626 # Reject dropped packets with a RFC compliant responce
626 627 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
627 628 -A INPUT -p tcp -j REJECT --reject-with tcp-rst
628 629 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
629 630
630 631 ## TCP PORT RULES
631 632 # -A TCP -p tcp -j LOG
632 633
633 634 ## UDP PORT RULES
634 635 # -A UDP -p udp -j LOG
635 636
636 637 COMMIT
637 638 EOM
638 639
639 640 # Reload systemd configuration and enable iptables service
640 641 LANG=C chroot $R systemctl daemon-reload
641 642 LANG=C chroot $R systemctl enable iptables.service
642 643
643 644 if [ "$ENABLE_IPV6" = true ] ; then
644 645 # Create ip6tables systemd service
645 646 cat <<EOM >$R/etc/systemd/system/ip6tables.service
646 647 [Unit]
647 648 Description=Packet Filtering Framework
648 649 DefaultDependencies=no
649 650 After=systemd-sysctl.service
650 651 Before=sysinit.target
651 652 [Service]
652 653 Type=oneshot
653 654 ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
654 655 ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
655 656 ExecStop=/etc/iptables/flush-ip6tables.sh
656 657 RemainAfterExit=yes
657 658 [Install]
658 659 WantedBy=multi-user.target
659 660 EOM
660 661
661 662 # Create ip6tables file
662 663 cat <<EOM >$R/etc/iptables/flush-ip6tables.sh
663 664 #!/bin/sh
664 665 ip6tables -F
665 666 ip6tables -X
666 667 ip6tables -Z
667 668 for table in $(</proc/net/ip6_tables_names)
668 669 do
669 670 ip6tables -t \$table -F
670 671 ip6tables -t \$table -X
671 672 ip6tables -t \$table -Z
672 673 done
673 674 ip6tables -P INPUT ACCEPT
674 675 ip6tables -P OUTPUT ACCEPT
675 676 ip6tables -P FORWARD ACCEPT
676 677 EOM
677 678
678 679 # Create ip6tables rule file
679 680 cat <<EOM >$R/etc/iptables/ip6tables.rules
680 681 *filter
681 682 :INPUT DROP [0:0]
682 683 :FORWARD DROP [0:0]
683 684 :OUTPUT ACCEPT [0:0]
684 685 :TCP - [0:0]
685 686 :UDP - [0:0]
686 687 :SSH - [0:0]
687 688
688 689 # Drop packets with RH0 headers
689 690 -A INPUT -m rt --rt-type 0 -j DROP
690 691 -A OUTPUT -m rt --rt-type 0 -j DROP
691 692 -A FORWARD -m rt --rt-type 0 -j DROP
692 693
693 694 # Rate limit ping requests
694 695 -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
695 696 -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
696 697
697 698 # Accept established connections
698 699 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
699 700
700 701 # Accept all traffic on loopback interface
701 702 -A INPUT -i lo -j ACCEPT
702 703
703 704 # Drop packets declared invalid
704 705 -A INPUT -m conntrack --ctstate INVALID -j DROP
705 706
706 707 # SSH rate limiting
707 708 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
708 709 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
709 710 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
710 711 -A SSH -m recent --name sshbf --set -j ACCEPT
711 712
712 713 # Send TCP and UDP connections to their respective rules chain
713 714 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
714 715 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
715 716
716 717 # Reject dropped packets with a RFC compliant responce
717 718 -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
718 719 -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
719 720 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
720 721
721 722 ## TCP PORT RULES
722 723 # -A TCP -p tcp -j LOG
723 724
724 725 ## UDP PORT RULES
725 726 # -A UDP -p udp -j LOG
726 727
727 728 COMMIT
728 729 EOM
729 730
730 731 # Reload systemd configuration and enable iptables service
731 732 LANG=C chroot $R systemctl daemon-reload
732 733 LANG=C chroot $R systemctl enable ip6tables.service
733 734 fi
734 735 fi
735 736
736 737 # Remove SSHD related iptables rules
737 738 if [ "$ENABLE_SSHD" = false ] ; then
738 739 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/iptables.rules 2> /dev/null
739 740 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/ip6tables.rules 2> /dev/null
740 741 fi
741 742
742 743 # Install gcc/c++ build environment inside the chroot
743 744 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
744 745 LANG=C chroot $R apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
745 746 fi
746 747
747 748 # Fetch and build U-Boot bootloader
748 749 if [ "$ENABLE_UBOOT" = true ] ; then
749 750 # Fetch U-Boot bootloader sources
750 751 git -C $R/tmp clone git://git.denx.de/u-boot.git
751 752
752 753 # Build and install U-Boot inside chroot
753 754 LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all
754 755
755 756 # Copy compiled bootloader binary and set config.txt to load it
756 757 cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
757 758 printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
758 759
759 760 # Set U-Boot command file
760 761 cat <<EOM >$R/boot/firmware/uboot.mkimage
761 762 # Tell Linux that it is booting on a Raspberry Pi2
762 763 setenv machid 0x00000c42
763 764
764 765 # Set the kernel boot command line
765 766 setenv bootargs "earlyprintk ${CMDLINE}"
766 767
767 768 # Save these changes to u-boot's environment
768 769 saveenv
769 770
770 771 # Load the existing Linux kernel into RAM
771 772 fatload mmc 0:1 \${kernel_addr_r} kernel7.img
772 773
773 774 # Boot the kernel we have just loaded
774 775 bootz \${kernel_addr_r}
775 776 EOM
776 777
777 778 # Generate U-Boot image from command file
778 779 LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
779 780 fi
780 781
781 782 # Fetch and build fbturbo Xorg driver
782 783 if [ "$ENABLE_FBTURBO" = true ] ; then
783 784 # Fetch fbturbo driver sources
784 785 git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git
785 786
786 787 # Install Xorg build dependencies
787 788 LANG=C chroot $R apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
788 789
789 790 # Build and install fbturbo driver inside chroot
790 791 LANG=C chroot $R /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install"
791 792
792 793 # Add fbturbo driver to Xorg configuration
793 794 cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf
794 795 Section "Device"
795 796 Identifier "Allwinner A10/A13 FBDEV"
796 797 Driver "fbturbo"
797 798 Option "fbdev" "/dev/fb0"
798 799 Option "SwapbuffersWait" "true"
799 800 EndSection
800 801 EOM
801 802
802 803 # Remove Xorg build dependencies
803 804 LANG=C chroot $R apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
804 805 fi
805 806
806 807 # Remove gcc/c++ build environment from the chroot
807 808 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
808 809 LANG=C chroot $R apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
809 810 fi
810 811
811 812 # Clean cached downloads
812 813 LANG=C chroot $R apt-get -y clean
813 814 LANG=C chroot $R apt-get -y autoclean
814 815 LANG=C chroot $R apt-get -y autoremove
815 816
817 # Invoke custom scripts
818 if [ -n "${CHROOT_SCRIPTS}" ]; then
819 cp -r "${CHROOT_SCRIPTS}" "${R}/chroot_scripts"
820 LANG=C chroot $R bash -c 'for SCRIPT in /chroot_scripts/*; do if [ -f $SCRIPT -a -x $SCRIPT ]; then $SCRIPT; fi done;'
821 rm -rf "${R}/chroot_scripts"
822 fi
823
816 824 # Unmount mounted filesystems
817 825 umount -l $R/proc
818 826 umount -l $R/sys
819 827
820 828 # Clean up files
821 829 rm -f $R/etc/apt/sources.list.save
822 830 rm -f $R/etc/resolvconf/resolv.conf.d/original
823 831 rm -rf $R/run
824 832 mkdir -p $R/run
825 833 rm -f $R/etc/*-
826 834 rm -f $R/root/.bash_history
827 835 rm -rf $R/tmp/*
828 836 rm -f $R/var/lib/urandom/random-seed
829 837 [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id
830 838 rm -f $R/etc/machine-id
831 839 rm -fr $R/etc/apt/apt.conf.d/10proxy
832 840
833 841 # Calculate size of the chroot directory
834 842 CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)
835 843
836 844 # Calculate required image size
837 845 IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`
838 846
839 847 # Calculate number of sectors for the partition
840 848 IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`
841 849
842 850 # Prepare date string for image file name
843 851 DATE="$(date +%Y-%m-%d)"
844 852
845 853 # Prepare image file
846 854 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1
847 855 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}
848 856
849 857 # Write partition table
850 858 sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
851 859 unit: sectors
852 860
853 861 1 : start= 2048, size= 131072, Id= c, bootable
854 862 2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83
855 863 3 : start= 0, size= 0, Id= 0
856 864 4 : start= 0, size= 0, Id= 0
857 865 EOM
858 866
859 867 # Set up temporary loop devices and build filesystems
860 868 VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
861 869 EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
862 870 mkfs.vfat "$VFAT_LOOP"
863 871 mkfs.ext4 "$EXT4_LOOP"
864 872
865 873 # Mount the temporary loop devices
866 874 mkdir -p "$BUILDDIR/mount"
867 875 mount "$EXT4_LOOP" "$BUILDDIR/mount"
868 876
869 877 mkdir -p "$BUILDDIR/mount/boot/firmware"
870 878 mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"
871 879
872 880 # Copy all files from the chroot to the loop device mount point directory
873 881 rsync -a "$R/" "$BUILDDIR/mount/"
874 882
875 883 # Unmount all temporary loop devices and mount points
876 884 cleanup
877 885
878 886 # (optinal) create block map file for "bmaptool"
879 887 bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
880 888
881 889 # Image was successfully created
882 890 echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"
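Review bot: the new `# Invoke custom scripts` block (new lines 817-822) never checks the exit status of the hooks it runs: the `for SCRIPT in /chroot_scripts/*` loop simply moves on after a failing script, and only the status of the last iteration is visible to the caller, so a broken custom script still ends with "successfully created". Consider aborting the loop on the first failure, e.g. `$SCRIPT || exit 1` inside the `bash -c` body, so a bad hook fails the build instead of silently producing an image with a half-applied customisation. Two smaller points in the same block: `$SCRIPT` is unquoted both in the test and in the invocation, and `-a` inside `[ ]` is obsolescent, so `if [ -f "$SCRIPT" ] && [ -x "$SCRIPT" ]; then "$SCRIPT"; fi` is the safer form; and since everything copied from `CHROOT_SCRIPTS` is executed as root inside the chroot, a guard such as `[ -d "${CHROOT_SCRIPTS}" ]` before the `cp -r` would make a mistyped path fail loudly rather than copying a single file to `${R}/chroot_scripts` and having the glob match nothing.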