@@ -1,109 +1,112 | |||
|
1 | 1 | # rpi2-gen-image |
|
2 | 2 | ## Introduction |
|
3 | 3 | `rpi2-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for the Raspberry 2 (RPi2) computer. The script at this time only supports the bootstrapping of the current stable Debian 8 "jessie" release. |
|
4 | 4 | |
|
5 | 5 | ## Build dependencies |
|
6 | 6 | The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user. |
|
7 | 7 | |
|
8 | 8 | ```debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core``` |
|
9 | 9 | |
|
10 | 10 | ## Command-line parameters |
|
11 | 11 | The script accepts certain command-line parameters to enable or disable specific OS features, services and configuration settings. These parameters are passed to the `rpi2-gen-image.sh` script via (simple) shell-variables. Unlike environment shell-variables (simple) shell-variables are defined at the beginning of the command-line call of the `rpi2-gen-image.sh` script. |
|
12 | 12 | |
|
13 | 13 | #####Command-line examples: |
|
14 | 14 | ```shell |
|
15 | 15 | ENABLE_UBOOT=true ./rpi2-gen-image.sh |
|
16 | 16 | ENABLE_CONSOLE=false ENABLE_IPV6=false ./rpi2-gen-image.sh |
|
17 | 17 | ENABLE_WM=xfce4 ENABLE_FBTURBO=true ENABLE_MINBASE=true ./rpi2-gen-image.sh |
|
18 | 18 | ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi2-gen-image.sh |
|
19 | 19 | APT_SERVER=ftp.de.debian.org APT_PROXY="http://127.0.0.1:3142/" ./rpi2-gen-image.sh |
|
20 | 20 | ENABLE_MINBASE=true ./rpi2-gen-image.sh |
|
21 | 21 | ``` |
|
22 | 22 | |
|
23 | 23 | #### APT settings: |
|
24 | 24 | ##### `APT_SERVER`="ftp.debian.org" |
|
25 | 25 | Set Debian packages server address. Choose a server from the list of Debian worldwide [mirror sites](https://www.debian.org/mirror/list). Using a nearby server will probably speed-up all required downloads within the bootstrapping process. |
|
26 | 26 | |
|
27 | 27 | ##### `APT_PROXY`="" |
|
28 | 28 | Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once. |
|
29 | 29 | |
|
30 | 30 | #### General system settings: |
|
31 | 31 | ##### `HOSTNAME`="rpi2-jessie" |
|
32 | 32 | Set system host name. It's recommended that the host name is unique in the corresponding subnet. |
|
33 | 33 | |
|
34 | 34 | ##### `PASSWORD`="raspberry" |
|
35 | 35 | Set system `root` password. The same password is used for the created user `pi`. It's **STRONGLY** recommended that you choose a custom password. |
|
36 | 36 | |
|
37 | 37 | ##### `DEFLOCAL`="en_US.UTF-8" |
|
38 | 38 | Set default system locale. This setting can also be changed inside the running OS using the `dpkg-reconfigure locales` command. The script variant `minbase` (ENABLE_MINBASE=true) doesn't install `locales`. |
|
39 | 39 | |
|
40 | 40 | |
|
41 | 41 | ##### `TIMEZONE`="Europe/Berlin" |
|
42 | 42 | Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command. |
|
43 | 43 | |
|
44 | 44 | #### Keyboard settings: |
|
45 | 45 | These options are used to configure keyboard layout in `/etc/default/keyboard` for console and Xorg. These settings can also be changed inside the running OS using the `dpkg-reconfigure keyboard-configuration` command. |
|
46 | 46 | ##### `XKBMODEL`="" |
|
47 | 47 | ##### `XKBLAYOUT`="" |
|
48 | 48 | ##### `XKBVARIANT`="" |
|
49 | 49 | ##### `XKBOPTIONS`="" |
|
50 | 50 | |
|
51 | 51 | #### Basic system features: |
|
52 | 52 | ##### `ENABLE_CONSOLE`=true |
|
53 | 53 | Enable serial console interface. Recommended if no monitor or keyboard is connected to the RPi2. In case of problems fe. if the network (auto) configuration failed - the serial console can be used to access the system. |
|
54 | 54 | |
|
55 | 55 | ##### `ENABLE_IPV6`=true |
|
56 | 56 | Enable IPv6 support. The network interface configuration is managed via systemd-networkd. |
|
57 | 57 | |
|
58 | 58 | ##### `ENABLE_SSHD`=true |
|
59 | 59 | Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root. |
|
60 | 60 | |
|
61 | 61 | ##### `ENABLE_SOUND`=true |
|
62 | 62 | Enable sound hardware and install Advanced Linux Sound Architecture. |
|
63 | 63 | |
|
64 | 64 | ##### `ENABLE_HWRANDOM`=true |
|
65 | 65 | Enable Hardware Random Number Generator. Strong random numbers are important for most network based communications that use encryption. It's recommended to be enabled. |
|
66 | 66 | |
|
67 | 67 | ##### `ENABLE_MINGPU`=false |
|
68 | 68 | Minimize the amount of shared memory reserved for the GPU. It doesn't seem to be possible to fully disable the GPU. |
|
69 | 69 | |
|
70 | 70 | ##### `ENABLE_DBUS`=true |
|
71 | 71 | Install and enable D-Bus message bus. Please note that systemd should work without D-bus but it's recommended to be enabled. |
|
72 | 72 | |
|
73 | 73 | ##### `ENABLE_XORG`=false |
|
74 | 74 | Install Xorg open-source X Window System. |
|
75 | 75 | |
|
76 | 76 | ##### `ENABLE_WM`="" |
|
77 | 77 | Install a user defined window manager for the X Window System. To make sure all X related package dependencies are getting installed `ENABLE_XORG` will automatically get enabled if `ENABLE_WM` is used. The `rpi2-gen-image.sh` script has been tested with the following list of window managers: `blackbox`, `openbox`, `fluxbox`, `jwm`, `dwm`, `xfce4`, `awesome`. |
|
78 | 78 | |
|
79 | 79 | #### Advanced sytem features: |
|
80 | 80 | ##### `ENABLE_MINBASE`=false |
|
81 | 81 | Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB. |
|
82 | 82 | |
|
83 | 83 | ##### `ENABLE_UBOOT`=false |
|
84 | 84 | Replace default RPi2 second stage bootloader (bootcode.bin) with U-Boot bootloader. U-Boot can boot images via the network using the BOOTP/TFTP protocol. |
|
85 | 85 | |
|
86 | 86 | ##### `ENABLE_FBTURBO`=false |
|
87 | 87 | Install and enable the hardware accelerated Xorg video driver `fbturbo`. Please note that this driver is currently limited to hardware accelerated window moving and scrolling. |
|
88 | 88 | |
|
89 | 89 | ##### `ENABLE_IPTABLES`=false |
|
90 | 90 | Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service. |
|
91 | 91 | |
|
92 | 92 | ##### `ENABLE_HARDNET`=false |
|
93 | 93 | Enable IPv4/IPv6 network stack hardening settings. |
|
94 | 94 | |
|
95 | ##### `CHROOT_SCRIPTS`="" | |
|
96 | Path to a directory with scripts that should be run in the chroot before the image is finally built. Every executable file in this direcory is run in lexicographical order. | |
|
97 | ||
|
95 | 98 | ## Logging of the bootstrapping process |
|
96 | 99 | All information related to the bootstrapping process and the commands executed by the `rpi2-gen-image.sh` script can easily be saved into a logfile. The common shell command `script` can be used for this purpose: |
|
97 | 100 | |
|
98 | 101 | ```shell |
|
99 | 102 | script -c 'APT_SERVER=ftp.de.debian.org ./rpi2-gen-image.sh' ./build.log |
|
100 | 103 | ``` |
|
101 | 104 | |
|
102 | 105 | ## Flashing the image file |
|
103 | 106 | After the image file was successfully created by the `rpi2-gen-image.sh` script it can be copied to the microSD card that will be used by the RPi2 computer. This can be performed by using the tools `bmaptool` or `dd`. Using `bmaptool` will probably speed-up the copy process because `bmaptool` copies more wisely than `dd`. |
|
104 | 107 | |
|
105 | 108 | #####Flashing examples: |
|
106 | 109 | ```shell |
|
107 | 110 | bmaptool copy ./images/jessie/2015-12-13-debian-jessie.img /dev/mmcblk0 |
|
108 | 111 | dd bs=4M if=./images/jessie/2015-12-13-debian-jessie.img of=/dev/mmcblk0 |
|
109 | 112 | ``` |
@@ -1,882 +1,890 | |||
|
1 | 1 | #!/bin/sh |
|
2 | 2 | |
|
3 | 3 | ######################################################################## |
|
4 | 4 | # rpi2-gen-image.sh ver2a 12/2015 |
|
5 | 5 | # |
|
6 | 6 | # Advanced debian "jessie" bootstrap script for RPi2 |
|
7 | 7 | # |
|
8 | 8 | # This program is free software; you can redistribute it and/or |
|
9 | 9 | # modify it under the terms of the GNU General Public License |
|
10 | 10 | # as published by the Free Software Foundation; either version 2 |
|
11 | 11 | # of the License, or (at your option) any later version. |
|
12 | 12 | # |
|
13 | 13 | # some parts based on rpi2-build-image: |
|
14 | 14 | # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org> |
|
15 | 15 | # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org> |
|
16 | 16 | ######################################################################## |
|
17 | 17 | |
|
18 | 18 | # Clean up all temporary mount points |
|
19 | 19 | cleanup (){ |
|
20 | 20 | set +x |
|
21 | 21 | set +e |
|
22 | 22 | echo "removing temporary mount points ..." |
|
23 | 23 | umount -l $R/proc 2> /dev/null |
|
24 | 24 | umount -l $R/sys 2> /dev/null |
|
25 | 25 | umount -l $R/dev/pts 2> /dev/null |
|
26 | 26 | umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null |
|
27 | 27 | umount "$BUILDDIR/mount" 2> /dev/null |
|
28 | 28 | losetup -d "$EXT4_LOOP" 2> /dev/null |
|
29 | 29 | losetup -d "$VFAT_LOOP" 2> /dev/null |
|
30 | 30 | trap - 0 1 2 3 6 |
|
31 | 31 | } |
|
32 | 32 | |
|
33 | 33 | set -e |
|
34 | 34 | set -x |
|
35 | 35 | |
|
36 | 36 | # Debian release |
|
37 | 37 | RELEASE=${RELEASE:=jessie} |
|
38 | 38 | |
|
39 | 39 | # Build settings |
|
40 | 40 | BASEDIR=./images/${RELEASE} |
|
41 | 41 | BUILDDIR=${BASEDIR}/build |
|
42 | 42 | |
|
43 | 43 | # General settings |
|
44 | 44 | HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}} |
|
45 | 45 | PASSWORD=${PASSWORD:=raspberry} |
|
46 | 46 | DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"} |
|
47 | 47 | TIMEZONE=${TIMEZONE:="Europe/Berlin"} |
|
48 | 48 | XKBMODEL=${XKBMODEL:=""} |
|
49 | 49 | XKBLAYOUT=${XKBLAYOUT:=""} |
|
50 | 50 | XKBVARIANT=${XKBVARIANT:=""} |
|
51 | 51 | XKBOPTIONS=${XKBOPTIONS:=""} |
|
52 | 52 | |
|
53 | 53 | # APT settings |
|
54 | 54 | APT_PROXY=${APT_PROXY:=""} |
|
55 | 55 | APT_SERVER=${APT_SERVER:="ftp.debian.org"} |
|
56 | 56 | |
|
57 | 57 | # Feature settings |
|
58 | 58 | ENABLE_CONSOLE=${ENABLE_CONSOLE:=true} |
|
59 | 59 | ENABLE_IPV6=${ENABLE_IPV6:=true} |
|
60 | 60 | ENABLE_SSHD=${ENABLE_SSHD:=true} |
|
61 | 61 | ENABLE_SOUND=${ENABLE_SOUND:=true} |
|
62 | 62 | ENABLE_DBUS=${ENABLE_DBUS:=true} |
|
63 | 63 | ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true} |
|
64 | 64 | ENABLE_MINGPU=${ENABLE_MINGPU:=false} |
|
65 | 65 | ENABLE_XORG=${ENABLE_XORG:=false} |
|
66 | 66 | ENABLE_WM=${ENABLE_WM:=""} |
|
67 | 67 | |
|
68 | 68 | # Advanced settings |
|
69 | 69 | ENABLE_MINBASE=${ENABLE_MINBASE:=false} |
|
70 | 70 | ENABLE_UBOOT=${ENABLE_UBOOT:=false} |
|
71 | 71 | ENABLE_FBTURBO=${ENABLE_FBTURBO:=false} |
|
72 | 72 | ENABLE_HARDNET=${ENABLE_HARDNET:=false} |
|
73 | 73 | ENABLE_IPTABLES=${ENABLE_IPTABLES:=false} |
|
74 | 74 | |
|
75 | 75 | # Image chroot path |
|
76 | 76 | R=${BUILDDIR}/chroot |
|
77 | CHROOT_SCRIPTS=${CHROOT_SCRIPTS:=""} | |
|
77 | 78 | |
|
78 | 79 | # Packages required for bootstrapping |
|
79 | 80 | REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git-core" |
|
80 | 81 | |
|
81 | 82 | # Missing packages that need to be installed |
|
82 | 83 | MISSING_PACKAGES="" |
|
83 | 84 | |
|
84 | 85 | # Packages required in the chroot build environment |
|
85 | 86 | APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo" |
|
86 | 87 | |
|
87 | 88 | set +x |
|
88 | 89 | |
|
89 | 90 | # Are we running as root? |
|
90 | 91 | if [ "$(id -u)" -ne "0" ] ; then |
|
91 | 92 | echo "this script must be executed with root privileges" |
|
92 | 93 | exit 1 |
|
93 | 94 | fi |
|
94 | 95 | |
|
95 | 96 | # Check if all required packages are installed |
|
96 | 97 | for package in $REQUIRED_PACKAGES ; do |
|
97 | 98 | if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then |
|
98 | 99 | MISSING_PACKAGES="$MISSING_PACKAGES $package" |
|
99 | 100 | fi |
|
100 | 101 | done |
|
101 | 102 | |
|
102 | 103 | # Ask if missing packages should get installed right now |
|
103 | 104 | if [ -n "$MISSING_PACKAGES" ] ; then |
|
104 | 105 | echo "the following packages needed by this script are not installed:" |
|
105 | 106 | echo "$MISSING_PACKAGES" |
|
106 | 107 | |
|
107 | 108 | echo -n "\ndo you want to install the missing packages right now? [y/n] " |
|
108 | 109 | read confirm |
|
109 | 110 | if [ "$confirm" != "y" ] ; then |
|
110 | 111 | exit 1 |
|
111 | 112 | fi |
|
112 | 113 | fi |
|
113 | 114 | |
|
114 | 115 | # Make sure all required packages are installed |
|
115 | 116 | apt-get -qq -y install ${REQUIRED_PACKAGES} |
|
116 | 117 | |
|
117 | 118 | # Don't clobber an old build |
|
118 | 119 | if [ -e "$BUILDDIR" ]; then |
|
119 | 120 | echo "directory $BUILDDIR already exists, not proceeding" |
|
120 | 121 | exit 1 |
|
121 | 122 | fi |
|
122 | 123 | |
|
123 | 124 | set -x |
|
124 | 125 | |
|
125 | 126 | # Call "cleanup" function on various signals and errors |
|
126 | 127 | trap cleanup 0 1 2 3 6 |
|
127 | 128 | |
|
128 | 129 | # Set up chroot directory |
|
129 | 130 | mkdir -p $R |
|
130 | 131 | |
|
131 | 132 | # Add required packages for the minbase installation |
|
132 | 133 | if [ "$ENABLE_MINBASE" = true ] ; then |
|
133 | 134 | APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools" |
|
134 | 135 | else |
|
135 | 136 | APT_INCLUDES="${APT_INCLUDES},locales,keyboard-configuration,console-setup" |
|
136 | 137 | fi |
|
137 | 138 | |
|
138 | 139 | # Add dbus package, recommended if using systemd |
|
139 | 140 | if [ "$ENABLE_DBUS" = true ] ; then |
|
140 | 141 | APT_INCLUDES="${APT_INCLUDES},dbus" |
|
141 | 142 | fi |
|
142 | 143 | |
|
143 | 144 | # Add iptables IPv4/IPv6 package |
|
144 | 145 | if [ "$ENABLE_IPTABLES" = true ] ; then |
|
145 | 146 | APT_INCLUDES="${APT_INCLUDES},iptables" |
|
146 | 147 | fi |
|
147 | 148 | |
|
148 | 149 | # Add openssh server package |
|
149 | 150 | if [ "$ENABLE_SSHD" = true ] ; then |
|
150 | 151 | APT_INCLUDES="${APT_INCLUDES},openssh-server" |
|
151 | 152 | fi |
|
152 | 153 | |
|
153 | 154 | # Add alsa-utils package |
|
154 | 155 | if [ "$ENABLE_SOUND" = true ] ; then |
|
155 | 156 | APT_INCLUDES="${APT_INCLUDES},alsa-utils" |
|
156 | 157 | fi |
|
157 | 158 | |
|
158 | 159 | # Add rng-tools package |
|
159 | 160 | if [ "$ENABLE_HWRANDOM" = true ] ; then |
|
160 | 161 | APT_INCLUDES="${APT_INCLUDES},rng-tools" |
|
161 | 162 | fi |
|
162 | 163 | |
|
163 | 164 | # Add fbturbo video driver |
|
164 | 165 | if [ "$ENABLE_FBTURBO" = true ] ; then |
|
165 | 166 | # Enable xorg package dependencies |
|
166 | 167 | ENABLE_XORG=true |
|
167 | 168 | fi |
|
168 | 169 | |
|
169 | 170 | # Add user defined window manager package |
|
170 | 171 | if [ -n "$ENABLE_WM" ] ; then |
|
171 | 172 | APT_INCLUDES="${APT_INCLUDES},${ENABLE_WM}" |
|
172 | 173 | |
|
173 | 174 | # Enable xorg package dependencies |
|
174 | 175 | ENABLE_XORG=true |
|
175 | 176 | fi |
|
176 | 177 | |
|
177 | 178 | # Add xorg package |
|
178 | 179 | if [ "$ENABLE_XORG" = true ] ; then |
|
179 | 180 | APT_INCLUDES="${APT_INCLUDES},xorg" |
|
180 | 181 | fi |
|
181 | 182 | |
|
182 | 183 | # Base debootstrap (unpack only) |
|
183 | 184 | if [ "$ENABLE_MINBASE" = true ] ; then |
|
184 | 185 | http_proxy=${APT_PROXY} debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian |
|
185 | 186 | else |
|
186 | 187 | http_proxy=${APT_PROXY} debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian |
|
187 | 188 | fi |
|
188 | 189 | |
|
189 | 190 | # Copy qemu emulator binary to chroot |
|
190 | 191 | cp /usr/bin/qemu-arm-static $R/usr/bin |
|
191 | 192 | |
|
192 | 193 | # Copy debian-archive-keyring.pgp |
|
193 | 194 | chroot $R mkdir -p /usr/share/keyrings |
|
194 | 195 | cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg |
|
195 | 196 | |
|
196 | 197 | # Complete the bootstrapping process |
|
197 | 198 | chroot $R /debootstrap/debootstrap --second-stage |
|
198 | 199 | |
|
199 | 200 | # Mount required filesystems |
|
200 | 201 | mount -t proc none $R/proc |
|
201 | 202 | mount -t sysfs none $R/sys |
|
202 | 203 | mount --bind /dev/pts $R/dev/pts |
|
203 | 204 | |
|
204 | 205 | # Use proxy inside chroot |
|
205 | 206 | if [ -z "$APT_PROXY" ] ; then |
|
206 | 207 | echo "Acquire::http::Proxy \"$APT_PROXY\"" >> $R/etc/apt/apt.conf.d/10proxy |
|
207 | 208 | fi |
|
208 | 209 | |
|
209 | 210 | # Pin package flash-kernel to repositories.collabora.co.uk |
|
210 | 211 | cat <<EOM >$R/etc/apt/preferences.d/flash-kernel |
|
211 | 212 | Package: flash-kernel |
|
212 | 213 | Pin: origin repositories.collabora.co.uk |
|
213 | 214 | Pin-Priority: 1000 |
|
214 | 215 | EOM |
|
215 | 216 | |
|
216 | 217 | # Set up timezone |
|
217 | 218 | echo ${TIMEZONE} >$R/etc/timezone |
|
218 | 219 | LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata |
|
219 | 220 | |
|
220 | 221 | # Upgrade collabora package index and install collabora keyring |
|
221 | 222 | echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list |
|
222 | 223 | LANG=C chroot $R apt-get -qq -y update |
|
223 | 224 | LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring |
|
224 | 225 | |
|
225 | 226 | # Set up initial sources.list |
|
226 | 227 | cat <<EOM >$R/etc/apt/sources.list |
|
227 | 228 | deb http://${APT_SERVER}/debian ${RELEASE} main contrib |
|
228 | 229 | #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib |
|
229 | 230 | |
|
230 | 231 | deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib |
|
231 | 232 | #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib |
|
232 | 233 | |
|
233 | 234 | deb http://security.debian.org/ ${RELEASE}/updates main contrib |
|
234 | 235 | #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib |
|
235 | 236 | |
|
236 | 237 | deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2 |
|
237 | 238 | EOM |
|
238 | 239 | |
|
239 | 240 | # Upgrade package index and update all installed packages and changed dependencies |
|
240 | 241 | LANG=C chroot $R apt-get -qq -y update |
|
241 | 242 | LANG=C chroot $R apt-get -qq -y -u dist-upgrade |
|
242 | 243 | |
|
243 | 244 | # Set up default locale and keyboard configuration |
|
244 | 245 | if [ "$ENABLE_MINBASE" = false ] ; then |
|
245 | 246 | # Set locale choice in debconf db, even though dpkg-reconfigure ignores and overwrites them due to some bug |
|
246 | 247 | # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684134 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685957 |
|
247 | 248 | # ... so we have to set locales manually |
|
248 | 249 | if [ "$DEFLOCAL" = "en_US.UTF-8" ] ; then |
|
249 | 250 | LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections |
|
250 | 251 | else |
|
251 | 252 | # en_US.UTF-8 should be available anyway : https://www.debian.org/doc/manuals/debian-reference/ch08.en.html#_the_reconfiguration_of_the_locale |
|
252 | 253 | LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections |
|
253 | 254 | LANG=C chroot $R sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen |
|
254 | 255 | fi |
|
255 | 256 | LANG=C chroot $R sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen |
|
256 | 257 | LANG=C chroot $R echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections |
|
257 | 258 | LANG=C chroot $R locale-gen |
|
258 | 259 | LANG=C chroot $R update-locale LANG=${DEFLOCAL} |
|
259 | 260 | |
|
260 | 261 | # Keyboard configuration, if requested |
|
261 | 262 | if [ "$XKBMODEL" != "" ] ; then |
|
262 | 263 | LANG=C chroot $R sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKBMODEL}\"/" /etc/default/keyboard |
|
263 | 264 | fi |
|
264 | 265 | if [ "$XKBLAYOUT" != "" ] ; then |
|
265 | 266 | LANG=C chroot $R sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKBLAYOUT}\"/" /etc/default/keyboard |
|
266 | 267 | fi |
|
267 | 268 | if [ "$XKBVARIANT" != "" ] ; then |
|
268 | 269 | LANG=C chroot $R sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKBVARIANT}\"/" /etc/default/keyboard |
|
269 | 270 | fi |
|
270 | 271 | if [ "$XKBOPTIONS" != "" ] ; then |
|
271 | 272 | LANG=C chroot $R sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKBOPTIONS}\"/" /etc/default/keyboard |
|
272 | 273 | fi |
|
273 | 274 | LANG=C chroot $R dpkg-reconfigure -f noninteractive keyboard-configuration |
|
274 | 275 | # Set up font console |
|
275 | 276 | case "${DEFLOCAL}" in |
|
276 | 277 | *UTF-8) |
|
277 | 278 | LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' /etc/default/console-setup |
|
278 | 279 | ;; |
|
279 | 280 | *) |
|
280 | 281 | LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="guess"/' /etc/default/console-setup |
|
281 | 282 | ;; |
|
282 | 283 | esac |
|
283 | 284 | LANG=C chroot $R dpkg-reconfigure -f noninteractive console-setup |
|
284 | 285 | fi |
|
285 | 286 | |
|
286 | 287 | # Kernel installation |
|
287 | 288 | # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot |
|
288 | 289 | LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2 |
|
289 | 290 | LANG=C chroot $R apt-get -qq -y install flash-kernel |
|
290 | 291 | |
|
291 | 292 | VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)" |
|
292 | 293 | [ -z "$VMLINUZ" ] && exit 1 |
|
293 | 294 | mkdir -p $R/boot/firmware |
|
294 | 295 | |
|
295 | 296 | # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10") |
|
296 | 297 | wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin |
|
297 | 298 | wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat |
|
298 | 299 | wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat |
|
299 | 300 | wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat |
|
300 | 301 | wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf |
|
301 | 302 | wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf |
|
302 | 303 | wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf |
|
303 | 304 | cp $VMLINUZ $R/boot/firmware/kernel7.img |
|
304 | 305 | |
|
305 | 306 | # Set up IPv4 hosts |
|
306 | 307 | echo ${HOSTNAME} >$R/etc/hostname |
|
307 | 308 | cat <<EOM >$R/etc/hosts |
|
308 | 309 | 127.0.0.1 localhost |
|
309 | 310 | 127.0.1.1 ${HOSTNAME} |
|
310 | 311 | EOM |
|
311 | 312 | |
|
312 | 313 | # Set up IPv6 hosts |
|
313 | 314 | if [ "$ENABLE_IPV6" = true ] ; then |
|
314 | 315 | cat <<EOM >>$R/etc/hosts |
|
315 | 316 | |
|
316 | 317 | ::1 localhost ip6-localhost ip6-loopback |
|
317 | 318 | ff02::1 ip6-allnodes |
|
318 | 319 | ff02::2 ip6-allrouters |
|
319 | 320 | EOM |
|
320 | 321 | fi |
|
321 | 322 | |
|
322 | 323 | # Place hint about network configuration |
|
323 | 324 | cat <<EOM >$R/etc/network/interfaces |
|
324 | 325 | # Debian switched to systemd-networkd configuration files. |
|
325 | 326 | # please configure your networks in '/etc/systemd/network/' |
|
326 | 327 | EOM |
|
327 | 328 | |
|
328 | 329 | # Enable systemd-networkd DHCP configuration for interface eth0 |
|
329 | 330 | cat <<EOM >$R/etc/systemd/network/eth.network |
|
330 | 331 | [Match] |
|
331 | 332 | Name=eth0 |
|
332 | 333 | |
|
333 | 334 | [Network] |
|
334 | 335 | DHCP=yes |
|
335 | 336 | EOM |
|
336 | 337 | |
|
337 | 338 | # Set DHCP configuration to IPv4 only |
|
338 | 339 | if [ "$ENABLE_IPV6" = false ] ; then |
|
339 | 340 | sed -i "s/=yes/=v4/" $R/etc/systemd/network/eth.network |
|
340 | 341 | fi |
|
341 | 342 | |
|
342 | 343 | # Enable systemd-networkd service |
|
343 | 344 | LANG=C chroot $R systemctl enable systemd-networkd |
|
344 | 345 | |
|
345 | 346 | # Generate crypt(3) password string |
|
346 | 347 | ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}` |
|
347 | 348 | |
|
348 | 349 | # Set up default user |
|
349 | 350 | LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi |
|
350 | 351 | LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi |
|
351 | 352 | |
|
352 | 353 | # Set up root password |
|
353 | 354 | LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root |
|
354 | 355 | |
|
355 | 356 | # Set up firmware boot cmdline |
|
356 | 357 | CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1" |
|
357 | 358 | |
|
358 | 359 | # Set up serial console support (if requested) |
|
359 | 360 | if [ "$ENABLE_CONSOLE" = true ] ; then |
|
360 | 361 | CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200" |
|
361 | 362 | fi |
|
362 | 363 | |
|
363 | 364 | # Set up IPv6 networking support |
|
364 | 365 | if [ "$ENABLE_IPV6" = false ] ; then |
|
365 | 366 | CMDLINE="${CMDLINE} ipv6.disable=1" |
|
366 | 367 | fi |
|
367 | 368 | |
|
368 | 369 | echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt |
|
369 | 370 | |
|
370 | 371 | # Set up firmware config |
|
371 | 372 | cat <<EOM >$R/boot/firmware/config.txt |
|
372 | 373 | # For more options and information see |
|
373 | 374 | # http://www.raspberrypi.org/documentation/configuration/config-txt.md |
|
374 | 375 | # Some settings may impact device functionality. See link above for details |
|
375 | 376 | |
|
376 | 377 | # uncomment if you get no picture on HDMI for a default "safe" mode |
|
377 | 378 | #hdmi_safe=1 |
|
378 | 379 | |
|
379 | 380 | # uncomment this if your display has a black border of unused pixels visible |
|
380 | 381 | # and your display can output without overscan |
|
381 | 382 | #disable_overscan=1 |
|
382 | 383 | |
|
383 | 384 | # uncomment the following to adjust overscan. Use positive numbers if console |
|
384 | 385 | # goes off screen, and negative if there is too much border |
|
385 | 386 | #overscan_left=16 |
|
386 | 387 | #overscan_right=16 |
|
387 | 388 | #overscan_top=16 |
|
388 | 389 | #overscan_bottom=16 |
|
389 | 390 | |
|
390 | 391 | # uncomment to force a console size. By default it will be display's size minus |
|
391 | 392 | # overscan. |
|
392 | 393 | #framebuffer_width=1280 |
|
393 | 394 | #framebuffer_height=720 |
|
394 | 395 | |
|
395 | 396 | # uncomment if hdmi display is not detected and composite is being output |
|
396 | 397 | #hdmi_force_hotplug=1 |
|
397 | 398 | |
|
398 | 399 | # uncomment to force a specific HDMI mode (this will force VGA) |
|
399 | 400 | #hdmi_group=1 |
|
400 | 401 | #hdmi_mode=1 |
|
401 | 402 | |
|
402 | 403 | # uncomment to force a HDMI mode rather than DVI. This can make audio work in |
|
403 | 404 | # DMT (computer monitor) modes |
|
404 | 405 | #hdmi_drive=2 |
|
405 | 406 | |
|
406 | 407 | # uncomment to increase signal to HDMI, if you have interference, blanking, or |
|
407 | 408 | # no display |
|
408 | 409 | #config_hdmi_boost=4 |
|
409 | 410 | |
|
410 | 411 | # uncomment for composite PAL |
|
411 | 412 | #sdtv_mode=2 |
|
412 | 413 | |
|
413 | 414 | # uncomment to overclock the arm. 700 MHz is the default. |
|
414 | 415 | #arm_freq=800 |
|
415 | 416 | EOM |
|
416 | 417 | |
|
417 | 418 | # Load snd_bcm2835 kernel module at boot time |
|
418 | 419 | if [ "$ENABLE_SOUND" = true ] ; then |
|
419 | 420 | echo "snd_bcm2835" >>$R/etc/modules |
|
420 | 421 | fi |
|
421 | 422 | |
|
422 | 423 | # Set smallest possible GPU memory allocation size: 16MB (no X) |
|
423 | 424 | if [ "$ENABLE_MINGPU" = true ] ; then |
|
424 | 425 | echo "gpu_mem=16" >>$R/boot/firmware/config.txt |
|
425 | 426 | fi |
|
426 | 427 | |
|
427 | 428 | # Create symlinks |
|
428 | 429 | ln -sf firmware/config.txt $R/boot/config.txt |
|
429 | 430 | ln -sf firmware/cmdline.txt $R/boot/cmdline.txt |
|
430 | 431 | |
|
431 | 432 | # Prepare modules-load.d directory |
|
432 | 433 | mkdir -p $R/lib/modules-load.d/ |
|
433 | 434 | |
|
434 | 435 | # Load random module on boot |
|
435 | 436 | if [ "$ENABLE_HWRANDOM" = true ] ; then |
|
436 | 437 | cat <<EOM >$R/lib/modules-load.d/rpi2.conf |
|
437 | 438 | bcm2708_rng |
|
438 | 439 | EOM |
|
439 | 440 | fi |
|
440 | 441 | |
|
441 | 442 | # Prepare modprobe.d directory |
|
442 | 443 | mkdir -p $R/etc/modprobe.d/ |
|
443 | 444 | |
|
444 | 445 | # Blacklist sound modules |
|
445 | 446 | cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf |
|
446 | 447 | blacklist snd_soc_core |
|
447 | 448 | blacklist snd_pcm |
|
448 | 449 | blacklist snd_pcm_dmaengine |
|
449 | 450 | blacklist snd_timer |
|
450 | 451 | blacklist snd_compress |
|
451 | 452 | blacklist snd_soc_pcm512x_i2c |
|
452 | 453 | blacklist snd_soc_pcm512x |
|
453 | 454 | blacklist snd_soc_tas5713 |
|
454 | 455 | blacklist snd_soc_wm8804 |
|
455 | 456 | EOM |
|
456 | 457 | |
|
457 | 458 | # Create default fstab |
|
458 | 459 | cat <<EOM >$R/etc/fstab |
|
459 | 460 | /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1 |
|
460 | 461 | /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2 |
|
461 | 462 | EOM |
|
462 | 463 | |
|
463 | 464 | # Avoid swapping and increase cache sizes |
|
464 | 465 | cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf |
|
465 | 466 | |
|
466 | 467 | # Avoid swapping and increase cache sizes |
|
467 | 468 | vm.swappiness=1 |
|
468 | 469 | vm.dirty_background_ratio=20 |
|
469 | 470 | vm.dirty_ratio=40 |
|
470 | 471 | vm.dirty_writeback_centisecs=500 |
|
471 | 472 | vm.dirty_expire_centisecs=6000 |
|
472 | 473 | EOM |
|
473 | 474 | |
|
474 | 475 | # Enable network stack hardening |
|
475 | 476 | if [ "$ENABLE_HARDNET" = true ] ; then |
|
476 | 477 | cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf |
|
477 | 478 | |
|
478 | 479 | # Enable network stack hardening |
|
479 | 480 | net.ipv4.tcp_timestamps=0 |
|
480 | 481 | net.ipv4.tcp_syncookies=1 |
|
481 | 482 | net.ipv4.conf.all.rp_filter=1 |
|
482 | 483 | net.ipv4.conf.all.accept_redirects=0 |
|
483 | 484 | net.ipv4.conf.all.send_redirects=0 |
|
484 | 485 | net.ipv4.conf.all.accept_source_route=0 |
|
485 | 486 | net.ipv4.conf.default.rp_filter=1 |
|
486 | 487 | net.ipv4.conf.default.accept_redirects=0 |
|
487 | 488 | net.ipv4.conf.default.send_redirects=0 |
|
488 | 489 | net.ipv4.conf.default.accept_source_route=0 |
|
489 | 490 | net.ipv4.conf.lo.accept_redirects=0 |
|
490 | 491 | net.ipv4.conf.lo.send_redirects=0 |
|
491 | 492 | net.ipv4.conf.lo.accept_source_route=0 |
|
492 | 493 | net.ipv4.conf.eth0.accept_redirects=0 |
|
493 | 494 | net.ipv4.conf.eth0.send_redirects=0 |
|
494 | 495 | net.ipv4.conf.eth0.accept_source_route=0 |
|
495 | 496 | net.ipv4.icmp_echo_ignore_broadcasts=1 |
|
496 | 497 | net.ipv4.icmp_ignore_bogus_error_responses=1 |
|
497 | 498 | |
|
498 | 499 | net.ipv6.conf.all.accept_redirects=0 |
|
499 | 500 | net.ipv6.conf.all.accept_source_route=0 |
|
500 | 501 | net.ipv6.conf.all.router_solicitations=0 |
|
501 | 502 | net.ipv6.conf.all.accept_ra_rtr_pref=0 |
|
502 | 503 | net.ipv6.conf.all.accept_ra_pinfo=0 |
|
503 | 504 | net.ipv6.conf.all.accept_ra_defrtr=0 |
|
504 | 505 | net.ipv6.conf.all.autoconf=0 |
|
505 | 506 | net.ipv6.conf.all.dad_transmits=0 |
|
506 | 507 | net.ipv6.conf.all.max_addresses=1 |
|
507 | 508 | |
|
508 | 509 | net.ipv6.conf.default.accept_redirects=0 |
|
509 | 510 | net.ipv6.conf.default.accept_source_route=0 |
|
510 | 511 | net.ipv6.conf.default.router_solicitations=0 |
|
511 | 512 | net.ipv6.conf.default.accept_ra_rtr_pref=0 |
|
512 | 513 | net.ipv6.conf.default.accept_ra_pinfo=0 |
|
513 | 514 | net.ipv6.conf.default.accept_ra_defrtr=0 |
|
514 | 515 | net.ipv6.conf.default.autoconf=0 |
|
515 | 516 | net.ipv6.conf.default.dad_transmits=0 |
|
516 | 517 | net.ipv6.conf.default.max_addresses=1 |
|
517 | 518 | |
|
518 | 519 | net.ipv6.conf.lo.accept_redirects=0 |
|
519 | 520 | net.ipv6.conf.lo.accept_source_route=0 |
|
520 | 521 | net.ipv6.conf.lo.router_solicitations=0 |
|
521 | 522 | net.ipv6.conf.lo.accept_ra_rtr_pref=0 |
|
522 | 523 | net.ipv6.conf.lo.accept_ra_pinfo=0 |
|
523 | 524 | net.ipv6.conf.lo.accept_ra_defrtr=0 |
|
524 | 525 | net.ipv6.conf.lo.autoconf=0 |
|
525 | 526 | net.ipv6.conf.lo.dad_transmits=0 |
|
526 | 527 | net.ipv6.conf.lo.max_addresses=1 |
|
527 | 528 | |
|
528 | 529 | net.ipv6.conf.eth0.accept_redirects=0 |
|
529 | 530 | net.ipv6.conf.eth0.accept_source_route=0 |
|
530 | 531 | net.ipv6.conf.eth0.router_solicitations=0 |
|
531 | 532 | net.ipv6.conf.eth0.accept_ra_rtr_pref=0 |
|
532 | 533 | net.ipv6.conf.eth0.accept_ra_pinfo=0 |
|
533 | 534 | net.ipv6.conf.eth0.accept_ra_defrtr=0 |
|
534 | 535 | net.ipv6.conf.eth0.autoconf=0 |
|
535 | 536 | net.ipv6.conf.eth0.dad_transmits=0 |
|
536 | 537 | net.ipv6.conf.eth0.max_addresses=1 |
|
537 | 538 | EOM |
|
538 | 539 | |
|
539 | 540 | # Enable resolver warnings about spoofed addresses |
|
540 | 541 | cat <<EOM >>$R/etc/host.conf |
|
541 | 542 | spoof warn |
|
542 | 543 | EOM |
|
543 | 544 | fi |
|
544 | 545 | |
|
545 | 546 | # Regenerate openssh server host keys |
|
546 | 547 | if [ "$ENABLE_SSHD" = true ] ; then |
|
547 | 548 | rm -fr $R/etc/ssh/ssh_host_* |
|
548 | 549 | LANG=C chroot $R dpkg-reconfigure openssh-server |
|
549 | 550 | fi |
|
550 | 551 | |
|
551 | 552 | # Enable serial console systemd style |
|
552 | 553 | if [ "$ENABLE_CONSOLE" = true ] ; then |
|
553 | 554 | LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service |
|
554 | 555 | fi |
|
555 | 556 | |
|
556 | 557 | # Enable firewall based on iptables started by systemd service |
|
557 | 558 | if [ "$ENABLE_IPTABLES" = true ] ; then |
|
558 | 559 | # Create iptables configuration directory |
|
559 | 560 | mkdir -p "$R/etc/iptables" |
|
560 | 561 | |
|
561 | 562 | # Create iptables systemd service |
|
562 | 563 | cat <<EOM >$R/etc/systemd/system/iptables.service |
|
563 | 564 | [Unit] |
|
564 | 565 | Description=Packet Filtering Framework |
|
565 | 566 | DefaultDependencies=no |
|
566 | 567 | After=systemd-sysctl.service |
|
567 | 568 | Before=sysinit.target |
|
568 | 569 | [Service] |
|
569 | 570 | Type=oneshot |
|
570 | 571 | ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules |
|
571 | 572 | ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules |
|
572 | 573 | ExecStop=/etc/iptables/flush-iptables.sh |
|
573 | 574 | RemainAfterExit=yes |
|
574 | 575 | [Install] |
|
575 | 576 | WantedBy=multi-user.target |
|
576 | 577 | EOM |
|
577 | 578 | |
|
578 | 579 | # Create flush-table script called by iptables service |
|
579 | 580 | cat <<EOM >$R/etc/iptables/flush-iptables.sh |
|
580 | 581 | #!/bin/sh |
|
581 | 582 | iptables -F |
|
582 | 583 | iptables -X |
|
583 | 584 | iptables -t nat -F |
|
584 | 585 | iptables -t nat -X |
|
585 | 586 | iptables -t mangle -F |
|
586 | 587 | iptables -t mangle -X |
|
587 | 588 | iptables -P INPUT ACCEPT |
|
588 | 589 | iptables -P FORWARD ACCEPT |
|
589 | 590 | iptables -P OUTPUT ACCEPT |
|
590 | 591 | EOM |
|
591 | 592 | |
|
592 | 593 | # Create iptables rule file |
|
593 | 594 | cat <<EOM >$R/etc/iptables/iptables.rules |
|
594 | 595 | *filter |
|
595 | 596 | :INPUT DROP [0:0] |
|
596 | 597 | :FORWARD DROP [0:0] |
|
597 | 598 | :OUTPUT ACCEPT [0:0] |
|
598 | 599 | :TCP - [0:0] |
|
599 | 600 | :UDP - [0:0] |
|
600 | 601 | :SSH - [0:0] |
|
601 | 602 | |
|
602 | 603 | # Rate limit ping requests |
|
603 | 604 | -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT |
|
604 | 605 | -A INPUT -p icmp --icmp-type echo-request -j DROP |
|
605 | 606 | |
|
606 | 607 | # Accept established connections |
|
607 | 608 | -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT |
|
608 | 609 | |
|
609 | 610 | # Accept all traffic on loopback interface |
|
610 | 611 | -A INPUT -i lo -j ACCEPT |
|
611 | 612 | |
|
612 | 613 | # Drop packets declared invalid |
|
613 | 614 | -A INPUT -m conntrack --ctstate INVALID -j DROP |
|
614 | 615 | |
|
615 | 616 | # SSH rate limiting |
|
616 | 617 | -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH |
|
617 | 618 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP |
|
618 | 619 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP |
|
619 | 620 | -A SSH -m recent --name sshbf --set -j ACCEPT |
|
620 | 621 | |
|
621 | 622 | # Send TCP and UDP connections to their respective rules chain |
|
622 | 623 | -A INPUT -p udp -m conntrack --ctstate NEW -j UDP |
|
623 | 624 | -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP |
|
624 | 625 | |
|
625 | 626 | # Reject dropped packets with a RFC compliant responce |
|
626 | 627 | -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable |
|
627 | 628 | -A INPUT -p tcp -j REJECT --reject-with tcp-rst |
|
628 | 629 | -A INPUT -j REJECT --reject-with icmp-proto-unreachable |
|
629 | 630 | |
|
630 | 631 | ## TCP PORT RULES |
|
631 | 632 | # -A TCP -p tcp -j LOG |
|
632 | 633 | |
|
633 | 634 | ## UDP PORT RULES |
|
634 | 635 | # -A UDP -p udp -j LOG |
|
635 | 636 | |
|
636 | 637 | COMMIT |
|
637 | 638 | EOM |
|
638 | 639 | |
|
639 | 640 | # Reload systemd configuration and enable iptables service |
|
640 | 641 | LANG=C chroot $R systemctl daemon-reload |
|
641 | 642 | LANG=C chroot $R systemctl enable iptables.service |
|
642 | 643 | |
|
643 | 644 | if [ "$ENABLE_IPV6" = true ] ; then |
|
644 | 645 | # Create ip6tables systemd service |
|
645 | 646 | cat <<EOM >$R/etc/systemd/system/ip6tables.service |
|
646 | 647 | [Unit] |
|
647 | 648 | Description=Packet Filtering Framework |
|
648 | 649 | DefaultDependencies=no |
|
649 | 650 | After=systemd-sysctl.service |
|
650 | 651 | Before=sysinit.target |
|
651 | 652 | [Service] |
|
652 | 653 | Type=oneshot |
|
653 | 654 | ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules |
|
654 | 655 | ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules |
|
655 | 656 | ExecStop=/etc/iptables/flush-ip6tables.sh |
|
656 | 657 | RemainAfterExit=yes |
|
657 | 658 | [Install] |
|
658 | 659 | WantedBy=multi-user.target |
|
659 | 660 | EOM |
|
660 | 661 | |
|
661 | 662 | # Create ip6tables file |
|
662 | 663 | cat <<EOM >$R/etc/iptables/flush-ip6tables.sh |
|
663 | 664 | #!/bin/sh |
|
664 | 665 | ip6tables -F |
|
665 | 666 | ip6tables -X |
|
666 | 667 | ip6tables -Z |
|
667 | 668 | for table in $(</proc/net/ip6_tables_names) |
|
668 | 669 | do |
|
669 | 670 | ip6tables -t \$table -F |
|
670 | 671 | ip6tables -t \$table -X |
|
671 | 672 | ip6tables -t \$table -Z |
|
672 | 673 | done |
|
673 | 674 | ip6tables -P INPUT ACCEPT |
|
674 | 675 | ip6tables -P OUTPUT ACCEPT |
|
675 | 676 | ip6tables -P FORWARD ACCEPT |
|
676 | 677 | EOM |
|
677 | 678 | |
|
678 | 679 | # Create ip6tables rule file |
|
679 | 680 | cat <<EOM >$R/etc/iptables/ip6tables.rules |
|
680 | 681 | *filter |
|
681 | 682 | :INPUT DROP [0:0] |
|
682 | 683 | :FORWARD DROP [0:0] |
|
683 | 684 | :OUTPUT ACCEPT [0:0] |
|
684 | 685 | :TCP - [0:0] |
|
685 | 686 | :UDP - [0:0] |
|
686 | 687 | :SSH - [0:0] |
|
687 | 688 | |
|
688 | 689 | # Drop packets with RH0 headers |
|
689 | 690 | -A INPUT -m rt --rt-type 0 -j DROP |
|
690 | 691 | -A OUTPUT -m rt --rt-type 0 -j DROP |
|
691 | 692 | -A FORWARD -m rt --rt-type 0 -j DROP |
|
692 | 693 | |
|
693 | 694 | # Rate limit ping requests |
|
694 | 695 | -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT |
|
695 | 696 | -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP |
|
696 | 697 | |
|
697 | 698 | # Accept established connections |
|
698 | 699 | -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT |
|
699 | 700 | |
|
700 | 701 | # Accept all traffic on loopback interface |
|
701 | 702 | -A INPUT -i lo -j ACCEPT |
|
702 | 703 | |
|
703 | 704 | # Drop packets declared invalid |
|
704 | 705 | -A INPUT -m conntrack --ctstate INVALID -j DROP |
|
705 | 706 | |
|
706 | 707 | # SSH rate limiting |
|
707 | 708 | -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH |
|
708 | 709 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP |
|
709 | 710 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP |
|
710 | 711 | -A SSH -m recent --name sshbf --set -j ACCEPT |
|
711 | 712 | |
|
712 | 713 | # Send TCP and UDP connections to their respective rules chain |
|
713 | 714 | -A INPUT -p udp -m conntrack --ctstate NEW -j UDP |
|
714 | 715 | -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP |
|
715 | 716 | |
|
716 | 717 | # Reject dropped packets with a RFC compliant responce |
|
717 | 718 | -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited |
|
718 | 719 | -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited |
|
719 | 720 | -A INPUT -j REJECT --reject-with icmp6-adm-prohibited |
|
720 | 721 | |
|
721 | 722 | ## TCP PORT RULES |
|
722 | 723 | # -A TCP -p tcp -j LOG |
|
723 | 724 | |
|
724 | 725 | ## UDP PORT RULES |
|
725 | 726 | # -A UDP -p udp -j LOG |
|
726 | 727 | |
|
727 | 728 | COMMIT |
|
728 | 729 | EOM |
|
729 | 730 | |
|
730 | 731 | # Reload systemd configuration and enable iptables service |
|
731 | 732 | LANG=C chroot $R systemctl daemon-reload |
|
732 | 733 | LANG=C chroot $R systemctl enable ip6tables.service |
|
733 | 734 | fi |
|
734 | 735 | fi |
|
735 | 736 | |
|
736 | 737 | # Remove SSHD related iptables rules |
|
737 | 738 | if [ "$ENABLE_SSHD" = false ] ; then |
|
738 | 739 | sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/iptables.rules 2> /dev/null |
|
739 | 740 | sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/ip6tables.rules 2> /dev/null |
|
740 | 741 | fi |
|
741 | 742 | |
|
742 | 743 | # Install gcc/c++ build environment inside the chroot |
|
743 | 744 | if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then |
|
744 | 745 | LANG=C chroot $R apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc |
|
745 | 746 | fi |
|
746 | 747 | |
|
747 | 748 | # Fetch and build U-Boot bootloader |
|
748 | 749 | if [ "$ENABLE_UBOOT" = true ] ; then |
|
749 | 750 | # Fetch U-Boot bootloader sources |
|
750 | 751 | git -C $R/tmp clone git://git.denx.de/u-boot.git |
|
751 | 752 | |
|
752 | 753 | # Build and install U-Boot inside chroot |
|
753 | 754 | LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all |
|
754 | 755 | |
|
755 | 756 | # Copy compiled bootloader binary and set config.txt to load it |
|
756 | 757 | cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/ |
|
757 | 758 | printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt |
|
758 | 759 | |
|
759 | 760 | # Set U-Boot command file |
|
760 | 761 | cat <<EOM >$R/boot/firmware/uboot.mkimage |
|
761 | 762 | # Tell Linux that it is booting on a Raspberry Pi2 |
|
762 | 763 | setenv machid 0x00000c42 |
|
763 | 764 | |
|
764 | 765 | # Set the kernel boot command line |
|
765 | 766 | setenv bootargs "earlyprintk ${CMDLINE}" |
|
766 | 767 | |
|
767 | 768 | # Save these changes to u-boot's environment |
|
768 | 769 | saveenv |
|
769 | 770 | |
|
770 | 771 | # Load the existing Linux kernel into RAM |
|
771 | 772 | fatload mmc 0:1 \${kernel_addr_r} kernel7.img |
|
772 | 773 | |
|
773 | 774 | # Boot the kernel we have just loaded |
|
774 | 775 | bootz \${kernel_addr_r} |
|
775 | 776 | EOM |
|
776 | 777 | |
|
777 | 778 | # Generate U-Boot image from command file |
|
778 | 779 | LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr |
|
779 | 780 | fi |
|
780 | 781 | |
|
781 | 782 | # Fetch and build fbturbo Xorg driver |
|
782 | 783 | if [ "$ENABLE_FBTURBO" = true ] ; then |
|
783 | 784 | # Fetch fbturbo driver sources |
|
784 | 785 | git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git |
|
785 | 786 | |
|
786 | 787 | # Install Xorg build dependencies |
|
787 | 788 | LANG=C chroot $R apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev |
|
788 | 789 | |
|
789 | 790 | # Build and install fbturbo driver inside chroot |
|
790 | 791 | LANG=C chroot $R /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install" |
|
791 | 792 | |
|
792 | 793 | # Add fbturbo driver to Xorg configuration |
|
793 | 794 | cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf |
|
794 | 795 | Section "Device" |
|
795 | 796 | Identifier "Allwinner A10/A13 FBDEV" |
|
796 | 797 | Driver "fbturbo" |
|
797 | 798 | Option "fbdev" "/dev/fb0" |
|
798 | 799 | Option "SwapbuffersWait" "true" |
|
799 | 800 | EndSection |
|
800 | 801 | EOM |
|
801 | 802 | |
|
802 | 803 | # Remove Xorg build dependencies |
|
803 | 804 | LANG=C chroot $R apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev |
|
804 | 805 | fi |
|
805 | 806 | |
|
806 | 807 | # Remove gcc/c++ build environment from the chroot |
|
807 | 808 | if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then |
|
808 | 809 | LANG=C chroot $R apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make |
|
809 | 810 | fi |
|
810 | 811 | |
|
811 | 812 | # Clean cached downloads |
|
812 | 813 | LANG=C chroot $R apt-get -y clean |
|
813 | 814 | LANG=C chroot $R apt-get -y autoclean |
|
814 | 815 | LANG=C chroot $R apt-get -y autoremove |
|
815 | 816 | |
|
817 | # Invoke custom scripts | |
|
818 | if [ -n "${CHROOT_SCRIPTS}" ]; then | |
|
819 | cp -r "${CHROOT_SCRIPTS}" "${R}/chroot_scripts" | |
|
820 | LANG=C chroot $R bash -c 'for SCRIPT in /chroot_scripts/*; do if [ -f $SCRIPT -a -x $SCRIPT ]; then $SCRIPT; fi done;' | |
|
821 | rm -rf "${R}/chroot_scripts" | |
|
822 | fi | |
|
823 | ||
|
816 | 824 | # Unmount mounted filesystems |
|
817 | 825 | umount -l $R/proc |
|
818 | 826 | umount -l $R/sys |
|
819 | 827 | |
|
820 | 828 | # Clean up files |
|
821 | 829 | rm -f $R/etc/apt/sources.list.save |
|
822 | 830 | rm -f $R/etc/resolvconf/resolv.conf.d/original |
|
823 | 831 | rm -rf $R/run |
|
824 | 832 | mkdir -p $R/run |
|
825 | 833 | rm -f $R/etc/*- |
|
826 | 834 | rm -f $R/root/.bash_history |
|
827 | 835 | rm -rf $R/tmp/* |
|
828 | 836 | rm -f $R/var/lib/urandom/random-seed |
|
829 | 837 | [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id |
|
830 | 838 | rm -f $R/etc/machine-id |
|
831 | 839 | rm -fr $R/etc/apt/apt.conf.d/10proxy |
|
832 | 840 | |
|
833 | 841 | # Calculate size of the chroot directory |
|
834 | 842 | CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024) |
|
835 | 843 | |
|
836 | 844 | # Calculate required image size |
|
837 | 845 | IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024` |
|
838 | 846 | |
|
839 | 847 | # Calculate number of sectors for the partition |
|
840 | 848 | IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120` |
|
841 | 849 | |
|
842 | 850 | # Prepare date string for image file name |
|
843 | 851 | DATE="$(date +%Y-%m-%d)" |
|
844 | 852 | |
|
845 | 853 | # Prepare image file |
|
846 | 854 | dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1 |
|
847 | 855 | dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE} |
|
848 | 856 | |
|
849 | 857 | # Write partition table |
|
850 | 858 | sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM |
|
851 | 859 | unit: sectors |
|
852 | 860 | |
|
853 | 861 | 1 : start= 2048, size= 131072, Id= c, bootable |
|
854 | 862 | 2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83 |
|
855 | 863 | 3 : start= 0, size= 0, Id= 0 |
|
856 | 864 | 4 : start= 0, size= 0, Id= 0 |
|
857 | 865 | EOM |
|
858 | 866 | |
|
859 | 867 | # Set up temporary loop devices and build filesystems |
|
860 | 868 | VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)" |
|
861 | 869 | EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)" |
|
862 | 870 | mkfs.vfat "$VFAT_LOOP" |
|
863 | 871 | mkfs.ext4 "$EXT4_LOOP" |
|
864 | 872 | |
|
865 | 873 | # Mount the temporary loop devices |
|
866 | 874 | mkdir -p "$BUILDDIR/mount" |
|
867 | 875 | mount "$EXT4_LOOP" "$BUILDDIR/mount" |
|
868 | 876 | |
|
869 | 877 | mkdir -p "$BUILDDIR/mount/boot/firmware" |
|
870 | 878 | mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware" |
|
871 | 879 | |
|
872 | 880 | # Copy all files from the chroot to the loop device mount point directory |
|
873 | 881 | rsync -a "$R/" "$BUILDDIR/mount/" |
|
874 | 882 | |
|
875 | 883 | # Unmount all temporary loop devices and mount points |
|
876 | 884 | cleanup |
|
877 | 885 | |
|
878 | 886 | # (optinal) create block map file for "bmaptool" |
|
879 | 887 | bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img" |
|
880 | 888 | |
|
881 | 889 | # Image was successfully created |
|
882 | 890 | echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created" |
General Comments 0
Vous devez vous connecter pour laisser un commentaire.
Se connecter maintenant