Added functionality to add custom packages to APT_INCLUDES
Chris Landa
r39:f1f69f479670
@@ -1,109 +1,112
1 # rpi2-gen-image
1 # rpi2-gen-image
2 ## Introduction
2 ## Introduction
3 `rpi2-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for the Raspberry 2 (RPi2) computer. The script at this time only supports the bootstrapping of the current stable Debian 8 "jessie" release.
3 `rpi2-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for the Raspberry 2 (RPi2) computer. The script at this time only supports the bootstrapping of the current stable Debian 8 "jessie" release.
4
4
5 ## Build dependencies
5 ## Build dependencies
6 The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user.
6 The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user.
7
7
8 ```debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core```
8 ```debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core```
9
9
10 ## Command-line parameters
10 ## Command-line parameters
11 The script accepts certain command-line parameters to enable or disable specific OS features, services and configuration settings. These parameters are passed to the `rpi2-gen-image.sh` script via (simple) shell-variables. Unlike environment shell-variables (simple) shell-variables are defined at the beginning of the command-line call of the `rpi2-gen-image.sh` script.
11 The script accepts certain command-line parameters to enable or disable specific OS features, services and configuration settings. These parameters are passed to the `rpi2-gen-image.sh` script via (simple) shell-variables. Unlike environment shell-variables (simple) shell-variables are defined at the beginning of the command-line call of the `rpi2-gen-image.sh` script.
12
12
13 #####Command-line examples:
13 #####Command-line examples:
14 ```shell
14 ```shell
15 ENABLE_UBOOT=true ./rpi2-gen-image.sh
15 ENABLE_UBOOT=true ./rpi2-gen-image.sh
16 ENABLE_CONSOLE=false ENABLE_IPV6=false ./rpi2-gen-image.sh
16 ENABLE_CONSOLE=false ENABLE_IPV6=false ./rpi2-gen-image.sh
17 ENABLE_WM=xfce4 ENABLE_FBTURBO=true ENABLE_MINBASE=true ./rpi2-gen-image.sh
17 ENABLE_WM=xfce4 ENABLE_FBTURBO=true ENABLE_MINBASE=true ./rpi2-gen-image.sh
18 ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi2-gen-image.sh
18 ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi2-gen-image.sh
19 APT_SERVER=ftp.de.debian.org APT_PROXY="http://127.0.0.1:3142/" ./rpi2-gen-image.sh
19 APT_SERVER=ftp.de.debian.org APT_PROXY="http://127.0.0.1:3142/" ./rpi2-gen-image.sh
20 ENABLE_MINBASE=true ./rpi2-gen-image.sh
20 ENABLE_MINBASE=true ./rpi2-gen-image.sh
21 ```
21 ```
22
22
23 #### APT settings:
23 #### APT settings:
24 ##### `APT_SERVER`="ftp.debian.org"
24 ##### `APT_SERVER`="ftp.debian.org"
25 Set Debian packages server address. Choose a server from the list of Debian worldwide [mirror sites](https://www.debian.org/mirror/list). Using a nearby server will probably speed-up all required downloads within the bootstrapping process.
25 Set Debian packages server address. Choose a server from the list of Debian worldwide [mirror sites](https://www.debian.org/mirror/list). Using a nearby server will probably speed-up all required downloads within the bootstrapping process.
26
26
27 ##### `APT_PROXY`=""
27 ##### `APT_PROXY`=""
28 Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once.
28 Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once.
29
29
30 ##### `APT_INCLUDES`=""
31 A comma seperated list of additional packages to be installed during bootstrapping.
32
30 #### General system settings:
33 #### General system settings:
31 ##### `HOSTNAME`="rpi2-jessie"
34 ##### `HOSTNAME`="rpi2-jessie"
32 Set system host name. It's recommended that the host name is unique in the corresponding subnet.
35 Set system host name. It's recommended that the host name is unique in the corresponding subnet.
33
36
34 ##### `PASSWORD`="raspberry"
37 ##### `PASSWORD`="raspberry"
35 Set system `root` password. The same password is used for the created user `pi`. It's **STRONGLY** recommended that you choose a custom password.
38 Set system `root` password. The same password is used for the created user `pi`. It's **STRONGLY** recommended that you choose a custom password.
36
39
37 ##### `DEFLOCAL`="en_US.UTF-8"
40 ##### `DEFLOCAL`="en_US.UTF-8"
38 Set default system locale. This setting can also be changed inside the running OS using the `dpkg-reconfigure locales` command. The script variant `minbase` (ENABLE_MINBASE=true) doesn't install `locales`.
41 Set default system locale. This setting can also be changed inside the running OS using the `dpkg-reconfigure locales` command. The script variant `minbase` (ENABLE_MINBASE=true) doesn't install `locales`.
39
42
40
43
41 ##### `TIMEZONE`="Europe/Berlin"
44 ##### `TIMEZONE`="Europe/Berlin"
42 Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command.
45 Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command.
43
46
44 #### Keyboard settings:
47 #### Keyboard settings:
45 These options are used to configure keyboard layout in `/etc/default/keyboard` for console and Xorg. These settings can also be changed inside the running OS using the `dpkg-reconfigure keyboard-configuration` command.
48 These options are used to configure keyboard layout in `/etc/default/keyboard` for console and Xorg. These settings can also be changed inside the running OS using the `dpkg-reconfigure keyboard-configuration` command.
46 ##### `XKBMODEL`=""
49 ##### `XKBMODEL`=""
47 ##### `XKBLAYOUT`=""
50 ##### `XKBLAYOUT`=""
48 ##### `XKBVARIANT`=""
51 ##### `XKBVARIANT`=""
49 ##### `XKBOPTIONS`=""
52 ##### `XKBOPTIONS`=""
50
53
51 #### Basic system features:
54 #### Basic system features:
52 ##### `ENABLE_CONSOLE`=true
55 ##### `ENABLE_CONSOLE`=true
53 Enable serial console interface. Recommended if no monitor or keyboard is connected to the RPi2. In case of problems fe. if the network (auto) configuration failed - the serial console can be used to access the system.
56 Enable serial console interface. Recommended if no monitor or keyboard is connected to the RPi2. In case of problems fe. if the network (auto) configuration failed - the serial console can be used to access the system.
54
57
55 ##### `ENABLE_IPV6`=true
58 ##### `ENABLE_IPV6`=true
56 Enable IPv6 support. The network interface configuration is managed via systemd-networkd.
59 Enable IPv6 support. The network interface configuration is managed via systemd-networkd.
57
60
58 ##### `ENABLE_SSHD`=true
61 ##### `ENABLE_SSHD`=true
59 Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root.
62 Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root.
60
63
61 ##### `ENABLE_SOUND`=true
64 ##### `ENABLE_SOUND`=true
62 Enable sound hardware and install Advanced Linux Sound Architecture.
65 Enable sound hardware and install Advanced Linux Sound Architecture.
63
66
64 ##### `ENABLE_HWRANDOM`=true
67 ##### `ENABLE_HWRANDOM`=true
65 Enable Hardware Random Number Generator. Strong random numbers are important for most network based communications that use encryption. It's recommended to be enabled.
68 Enable Hardware Random Number Generator. Strong random numbers are important for most network based communications that use encryption. It's recommended to be enabled.
66
69
67 ##### `ENABLE_MINGPU`=false
70 ##### `ENABLE_MINGPU`=false
68 Minimize the amount of shared memory reserved for the GPU. It doesn't seem to be possible to fully disable the GPU.
71 Minimize the amount of shared memory reserved for the GPU. It doesn't seem to be possible to fully disable the GPU.
69
72
70 ##### `ENABLE_DBUS`=true
73 ##### `ENABLE_DBUS`=true
71 Install and enable D-Bus message bus. Please note that systemd should work without D-bus but it's recommended to be enabled.
74 Install and enable D-Bus message bus. Please note that systemd should work without D-bus but it's recommended to be enabled.
72
75
73 ##### `ENABLE_XORG`=false
76 ##### `ENABLE_XORG`=false
74 Install Xorg open-source X Window System.
77 Install Xorg open-source X Window System.
75
78
76 ##### `ENABLE_WM`=""
79 ##### `ENABLE_WM`=""
77 Install a user defined window manager for the X Window System. To make sure all X related package dependencies are getting installed `ENABLE_XORG` will automatically get enabled if `ENABLE_WM` is used. The `rpi2-gen-image.sh` script has been tested with the following list of window managers: `blackbox`, `openbox`, `fluxbox`, `jwm`, `dwm`, `xfce4`, `awesome`.
80 Install a user defined window manager for the X Window System. To make sure all X related package dependencies are getting installed `ENABLE_XORG` will automatically get enabled if `ENABLE_WM` is used. The `rpi2-gen-image.sh` script has been tested with the following list of window managers: `blackbox`, `openbox`, `fluxbox`, `jwm`, `dwm`, `xfce4`, `awesome`.
78
81
79 #### Advanced sytem features:
82 #### Advanced sytem features:
80 ##### `ENABLE_MINBASE`=false
83 ##### `ENABLE_MINBASE`=false
81 Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB.
84 Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB.
82
85
83 ##### `ENABLE_UBOOT`=false
86 ##### `ENABLE_UBOOT`=false
84 Replace default RPi2 second stage bootloader (bootcode.bin) with U-Boot bootloader. U-Boot can boot images via the network using the BOOTP/TFTP protocol.
87 Replace default RPi2 second stage bootloader (bootcode.bin) with U-Boot bootloader. U-Boot can boot images via the network using the BOOTP/TFTP protocol.
85
88
86 ##### `ENABLE_FBTURBO`=false
89 ##### `ENABLE_FBTURBO`=false
87 Install and enable the hardware accelerated Xorg video driver `fbturbo`. Please note that this driver is currently limited to hardware accelerated window moving and scrolling.
90 Install and enable the hardware accelerated Xorg video driver `fbturbo`. Please note that this driver is currently limited to hardware accelerated window moving and scrolling.
88
91
89 ##### `ENABLE_IPTABLES`=false
92 ##### `ENABLE_IPTABLES`=false
90 Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service.
93 Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service.
91
94
92 ##### `ENABLE_HARDNET`=false
95 ##### `ENABLE_HARDNET`=false
93 Enable IPv4/IPv6 network stack hardening settings.
96 Enable IPv4/IPv6 network stack hardening settings.
94
97
95 ## Logging of the bootstrapping process
98 ## Logging of the bootstrapping process
96 All information related to the bootstrapping process and the commands executed by the `rpi2-gen-image.sh` script can easily be saved into a logfile. The common shell command `script` can be used for this purpose:
99 All information related to the bootstrapping process and the commands executed by the `rpi2-gen-image.sh` script can easily be saved into a logfile. The common shell command `script` can be used for this purpose:
97
100
98 ```shell
101 ```shell
99 script -c 'APT_SERVER=ftp.de.debian.org ./rpi2-gen-image.sh' ./build.log
102 script -c 'APT_SERVER=ftp.de.debian.org ./rpi2-gen-image.sh' ./build.log
100 ```
103 ```
101
104
102 ## Flashing the image file
105 ## Flashing the image file
103 After the image file was successfully created by the `rpi2-gen-image.sh` script it can be copied to the microSD card that will be used by the RPi2 computer. This can be performed by using the tools `bmaptool` or `dd`. Using `bmaptool` will probably speed-up the copy process because `bmaptool` copies more wisely than `dd`.
106 After the image file was successfully created by the `rpi2-gen-image.sh` script it can be copied to the microSD card that will be used by the RPi2 computer. This can be performed by using the tools `bmaptool` or `dd`. Using `bmaptool` will probably speed-up the copy process because `bmaptool` copies more wisely than `dd`.
104
107
105 #####Flashing examples:
108 #####Flashing examples:
106 ```shell
109 ```shell
107 bmaptool copy ./images/jessie/2015-12-13-debian-jessie.img /dev/mmcblk0
110 bmaptool copy ./images/jessie/2015-12-13-debian-jessie.img /dev/mmcblk0
108 dd bs=4M if=./images/jessie/2015-12-13-debian-jessie.img of=/dev/mmcblk0
111 dd bs=4M if=./images/jessie/2015-12-13-debian-jessie.img of=/dev/mmcblk0
109 ```
112 ```
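Review bot: the new README entry for `APT_INCLUDES` has a typo, `A comma seperated list` should read `A comma separated list`. It would also help users to state that the value is handed straight to `debootstrap --include`, so each entry must be a bare package name with no spaces, and that the script's own required packages (`apt-transport-https`, `ca-certificates`, `debian-archive-keyring`, `dialog`, `sudo`) are still appended whatever the user supplies.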
@@ -1,882 +1,883
1 #!/bin/sh
1 #!/bin/sh
2
2
3 ########################################################################
3 ########################################################################
4 # rpi2-gen-image.sh ver2a 12/2015
4 # rpi2-gen-image.sh ver2a 12/2015
5 #
5 #
6 # Advanced debian "jessie" bootstrap script for RPi2
6 # Advanced debian "jessie" bootstrap script for RPi2
7 #
7 #
8 # This program is free software; you can redistribute it and/or
8 # This program is free software; you can redistribute it and/or
9 # modify it under the terms of the GNU General Public License
9 # modify it under the terms of the GNU General Public License
10 # as published by the Free Software Foundation; either version 2
10 # as published by the Free Software Foundation; either version 2
11 # of the License, or (at your option) any later version.
11 # of the License, or (at your option) any later version.
12 #
12 #
13 # some parts based on rpi2-build-image:
13 # some parts based on rpi2-build-image:
14 # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
14 # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
15 # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
15 # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
16 ########################################################################
16 ########################################################################
17
17
18 # Clean up all temporary mount points
18 # Clean up all temporary mount points
19 cleanup (){
19 cleanup (){
20 set +x
20 set +x
21 set +e
21 set +e
22 echo "removing temporary mount points ..."
22 echo "removing temporary mount points ..."
23 umount -l $R/proc 2> /dev/null
23 umount -l $R/proc 2> /dev/null
24 umount -l $R/sys 2> /dev/null
24 umount -l $R/sys 2> /dev/null
25 umount -l $R/dev/pts 2> /dev/null
25 umount -l $R/dev/pts 2> /dev/null
26 umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
26 umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
27 umount "$BUILDDIR/mount" 2> /dev/null
27 umount "$BUILDDIR/mount" 2> /dev/null
28 losetup -d "$EXT4_LOOP" 2> /dev/null
28 losetup -d "$EXT4_LOOP" 2> /dev/null
29 losetup -d "$VFAT_LOOP" 2> /dev/null
29 losetup -d "$VFAT_LOOP" 2> /dev/null
30 trap - 0 1 2 3 6
30 trap - 0 1 2 3 6
31 }
31 }
32
32
33 set -e
33 set -e
34 set -x
34 set -x
35
35
36 # Debian release
36 # Debian release
37 RELEASE=${RELEASE:=jessie}
37 RELEASE=${RELEASE:=jessie}
38
38
39 # Build settings
39 # Build settings
40 BASEDIR=./images/${RELEASE}
40 BASEDIR=./images/${RELEASE}
41 BUILDDIR=${BASEDIR}/build
41 BUILDDIR=${BASEDIR}/build
42
42
43 # General settings
43 # General settings
44 HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
44 HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
45 PASSWORD=${PASSWORD:=raspberry}
45 PASSWORD=${PASSWORD:=raspberry}
46 DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
46 DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
47 TIMEZONE=${TIMEZONE:="Europe/Berlin"}
47 TIMEZONE=${TIMEZONE:="Europe/Berlin"}
48 XKBMODEL=${XKBMODEL:=""}
48 XKBMODEL=${XKBMODEL:=""}
49 XKBLAYOUT=${XKBLAYOUT:=""}
49 XKBLAYOUT=${XKBLAYOUT:=""}
50 XKBVARIANT=${XKBVARIANT:=""}
50 XKBVARIANT=${XKBVARIANT:=""}
51 XKBOPTIONS=${XKBOPTIONS:=""}
51 XKBOPTIONS=${XKBOPTIONS:=""}
52
52
53 # APT settings
53 # APT settings
54 APT_PROXY=${APT_PROXY:=""}
54 APT_PROXY=${APT_PROXY:=""}
55 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
55 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
56
56
57 # Feature settings
57 # Feature settings
58 ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
58 ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
59 ENABLE_IPV6=${ENABLE_IPV6:=true}
59 ENABLE_IPV6=${ENABLE_IPV6:=true}
60 ENABLE_SSHD=${ENABLE_SSHD:=true}
60 ENABLE_SSHD=${ENABLE_SSHD:=true}
61 ENABLE_SOUND=${ENABLE_SOUND:=true}
61 ENABLE_SOUND=${ENABLE_SOUND:=true}
62 ENABLE_DBUS=${ENABLE_DBUS:=true}
62 ENABLE_DBUS=${ENABLE_DBUS:=true}
63 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
63 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
64 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
64 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
65 ENABLE_XORG=${ENABLE_XORG:=false}
65 ENABLE_XORG=${ENABLE_XORG:=false}
66 ENABLE_WM=${ENABLE_WM:=""}
66 ENABLE_WM=${ENABLE_WM:=""}
67
67
68 # Advanced settings
68 # Advanced settings
69 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
69 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
70 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
70 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
71 ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
71 ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
72 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
72 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
73 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
73 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
74
74
75 # Image chroot path
75 # Image chroot path
76 R=${BUILDDIR}/chroot
76 R=${BUILDDIR}/chroot
77
77
78 # Packages required for bootstrapping
78 # Packages required for bootstrapping
79 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git-core"
79 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git-core"
80
80
81 # Missing packages that need to be installed
81 # Missing packages that need to be installed
82 MISSING_PACKAGES=""
82 MISSING_PACKAGES=""
83
83
84 # Packages required in the chroot build environment
84 # Packages required in the chroot build environment
85 APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo"
85 APT_INCLUDES=${APT_INCLUDES:=""}
86 APT_INCLUDES="${APT_INCLUDES},apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo"
86
87
87 set +x
88 set +x
88
89
89 # Are we running as root?
90 # Are we running as root?
90 if [ "$(id -u)" -ne "0" ] ; then
91 if [ "$(id -u)" -ne "0" ] ; then
91 echo "this script must be executed with root privileges"
92 echo "this script must be executed with root privileges"
92 exit 1
93 exit 1
93 fi
94 fi
94
95
95 # Check if all required packages are installed
96 # Check if all required packages are installed
96 for package in $REQUIRED_PACKAGES ; do
97 for package in $REQUIRED_PACKAGES ; do
97 if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
98 if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
98 MISSING_PACKAGES="$MISSING_PACKAGES $package"
99 MISSING_PACKAGES="$MISSING_PACKAGES $package"
99 fi
100 fi
100 done
101 done
101
102
102 # Ask if missing packages should get installed right now
103 # Ask if missing packages should get installed right now
103 if [ -n "$MISSING_PACKAGES" ] ; then
104 if [ -n "$MISSING_PACKAGES" ] ; then
104 echo "the following packages needed by this script are not installed:"
105 echo "the following packages needed by this script are not installed:"
105 echo "$MISSING_PACKAGES"
106 echo "$MISSING_PACKAGES"
106
107
107 echo -n "\ndo you want to install the missing packages right now? [y/n] "
108 echo -n "\ndo you want to install the missing packages right now? [y/n] "
108 read confirm
109 read confirm
109 if [ "$confirm" != "y" ] ; then
110 if [ "$confirm" != "y" ] ; then
110 exit 1
111 exit 1
111 fi
112 fi
112 fi
113 fi
113
114
114 # Make sure all required packages are installed
115 # Make sure all required packages are installed
115 apt-get -qq -y install ${REQUIRED_PACKAGES}
116 apt-get -qq -y install ${REQUIRED_PACKAGES}
116
117
117 # Don't clobber an old build
118 # Don't clobber an old build
118 if [ -e "$BUILDDIR" ]; then
119 if [ -e "$BUILDDIR" ]; then
119 echo "directory $BUILDDIR already exists, not proceeding"
120 echo "directory $BUILDDIR already exists, not proceeding"
120 exit 1
121 exit 1
121 fi
122 fi
122
123
123 set -x
124 set -x
124
125
125 # Call "cleanup" function on various signals and errors
126 # Call "cleanup" function on various signals and errors
126 trap cleanup 0 1 2 3 6
127 trap cleanup 0 1 2 3 6
127
128
128 # Set up chroot directory
129 # Set up chroot directory
129 mkdir -p $R
130 mkdir -p $R
130
131
131 # Add required packages for the minbase installation
132 # Add required packages for the minbase installation
132 if [ "$ENABLE_MINBASE" = true ] ; then
133 if [ "$ENABLE_MINBASE" = true ] ; then
133 APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools"
134 APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools"
134 else
135 else
135 APT_INCLUDES="${APT_INCLUDES},locales,keyboard-configuration,console-setup"
136 APT_INCLUDES="${APT_INCLUDES},locales,keyboard-configuration,console-setup"
136 fi
137 fi
137
138
138 # Add dbus package, recommended if using systemd
139 # Add dbus package, recommended if using systemd
139 if [ "$ENABLE_DBUS" = true ] ; then
140 if [ "$ENABLE_DBUS" = true ] ; then
140 APT_INCLUDES="${APT_INCLUDES},dbus"
141 APT_INCLUDES="${APT_INCLUDES},dbus"
141 fi
142 fi
142
143
143 # Add iptables IPv4/IPv6 package
144 # Add iptables IPv4/IPv6 package
144 if [ "$ENABLE_IPTABLES" = true ] ; then
145 if [ "$ENABLE_IPTABLES" = true ] ; then
145 APT_INCLUDES="${APT_INCLUDES},iptables"
146 APT_INCLUDES="${APT_INCLUDES},iptables"
146 fi
147 fi
147
148
148 # Add openssh server package
149 # Add openssh server package
149 if [ "$ENABLE_SSHD" = true ] ; then
150 if [ "$ENABLE_SSHD" = true ] ; then
150 APT_INCLUDES="${APT_INCLUDES},openssh-server"
151 APT_INCLUDES="${APT_INCLUDES},openssh-server"
151 fi
152 fi
152
153
153 # Add alsa-utils package
154 # Add alsa-utils package
154 if [ "$ENABLE_SOUND" = true ] ; then
155 if [ "$ENABLE_SOUND" = true ] ; then
155 APT_INCLUDES="${APT_INCLUDES},alsa-utils"
156 APT_INCLUDES="${APT_INCLUDES},alsa-utils"
156 fi
157 fi
157
158
158 # Add rng-tools package
159 # Add rng-tools package
159 if [ "$ENABLE_HWRANDOM" = true ] ; then
160 if [ "$ENABLE_HWRANDOM" = true ] ; then
160 APT_INCLUDES="${APT_INCLUDES},rng-tools"
161 APT_INCLUDES="${APT_INCLUDES},rng-tools"
161 fi
162 fi
162
163
163 # Add fbturbo video driver
164 # Add fbturbo video driver
164 if [ "$ENABLE_FBTURBO" = true ] ; then
165 if [ "$ENABLE_FBTURBO" = true ] ; then
165 # Enable xorg package dependencies
166 # Enable xorg package dependencies
166 ENABLE_XORG=true
167 ENABLE_XORG=true
167 fi
168 fi
168
169
169 # Add user defined window manager package
170 # Add user defined window manager package
170 if [ -n "$ENABLE_WM" ] ; then
171 if [ -n "$ENABLE_WM" ] ; then
171 APT_INCLUDES="${APT_INCLUDES},${ENABLE_WM}"
172 APT_INCLUDES="${APT_INCLUDES},${ENABLE_WM}"
172
173
173 # Enable xorg package dependencies
174 # Enable xorg package dependencies
174 ENABLE_XORG=true
175 ENABLE_XORG=true
175 fi
176 fi
176
177
177 # Add xorg package
178 # Add xorg package
178 if [ "$ENABLE_XORG" = true ] ; then
179 if [ "$ENABLE_XORG" = true ] ; then
179 APT_INCLUDES="${APT_INCLUDES},xorg"
180 APT_INCLUDES="${APT_INCLUDES},xorg"
180 fi
181 fi
181
182
182 # Base debootstrap (unpack only)
183 # Base debootstrap (unpack only)
183 if [ "$ENABLE_MINBASE" = true ] ; then
184 if [ "$ENABLE_MINBASE" = true ] ; then
184 http_proxy=${APT_PROXY} debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
185 http_proxy=${APT_PROXY} debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
185 else
186 else
186 http_proxy=${APT_PROXY} debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
187 http_proxy=${APT_PROXY} debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
187 fi
188 fi
188
189
189 # Copy qemu emulator binary to chroot
190 # Copy qemu emulator binary to chroot
190 cp /usr/bin/qemu-arm-static $R/usr/bin
191 cp /usr/bin/qemu-arm-static $R/usr/bin
191
192
192 # Copy debian-archive-keyring.pgp
193 # Copy debian-archive-keyring.pgp
193 chroot $R mkdir -p /usr/share/keyrings
194 chroot $R mkdir -p /usr/share/keyrings
194 cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
195 cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
195
196
196 # Complete the bootstrapping process
197 # Complete the bootstrapping process
197 chroot $R /debootstrap/debootstrap --second-stage
198 chroot $R /debootstrap/debootstrap --second-stage
198
199
199 # Mount required filesystems
200 # Mount required filesystems
200 mount -t proc none $R/proc
201 mount -t proc none $R/proc
201 mount -t sysfs none $R/sys
202 mount -t sysfs none $R/sys
202 mount --bind /dev/pts $R/dev/pts
203 mount --bind /dev/pts $R/dev/pts
203
204
204 # Use proxy inside chroot
205 # Use proxy inside chroot
205 if [ -z "$APT_PROXY" ] ; then
206 if [ -z "$APT_PROXY" ] ; then
206 echo "Acquire::http::Proxy \"$APT_PROXY\"" >> $R/etc/apt/apt.conf.d/10proxy
207 echo "Acquire::http::Proxy \"$APT_PROXY\"" >> $R/etc/apt/apt.conf.d/10proxy
207 fi
208 fi
208
209
209 # Pin package flash-kernel to repositories.collabora.co.uk
210 # Pin package flash-kernel to repositories.collabora.co.uk
210 cat <<EOM >$R/etc/apt/preferences.d/flash-kernel
211 cat <<EOM >$R/etc/apt/preferences.d/flash-kernel
211 Package: flash-kernel
212 Package: flash-kernel
212 Pin: origin repositories.collabora.co.uk
213 Pin: origin repositories.collabora.co.uk
213 Pin-Priority: 1000
214 Pin-Priority: 1000
214 EOM
215 EOM
215
216
216 # Set up timezone
217 # Set up timezone
217 echo ${TIMEZONE} >$R/etc/timezone
218 echo ${TIMEZONE} >$R/etc/timezone
218 LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata
219 LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata
219
220
220 # Upgrade collabora package index and install collabora keyring
221 # Upgrade collabora package index and install collabora keyring
221 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
222 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
222 LANG=C chroot $R apt-get -qq -y update
223 LANG=C chroot $R apt-get -qq -y update
223 LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring
224 LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring
224
225
225 # Set up initial sources.list
226 # Set up initial sources.list
226 cat <<EOM >$R/etc/apt/sources.list
227 cat <<EOM >$R/etc/apt/sources.list
227 deb http://${APT_SERVER}/debian ${RELEASE} main contrib
228 deb http://${APT_SERVER}/debian ${RELEASE} main contrib
228 #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib
229 #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib
229
230
230 deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
231 deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
231 #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
232 #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
232
233
233 deb http://security.debian.org/ ${RELEASE}/updates main contrib
234 deb http://security.debian.org/ ${RELEASE}/updates main contrib
234 #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib
235 #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib
235
236
236 deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
237 deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
237 EOM
238 EOM
238
239
239 # Upgrade package index and update all installed packages and changed dependencies
240 # Upgrade package index and update all installed packages and changed dependencies
240 LANG=C chroot $R apt-get -qq -y update
241 LANG=C chroot $R apt-get -qq -y update
241 LANG=C chroot $R apt-get -qq -y -u dist-upgrade
242 LANG=C chroot $R apt-get -qq -y -u dist-upgrade
242
243
243 # Set up default locale and keyboard configuration
244 # Set up default locale and keyboard configuration
244 if [ "$ENABLE_MINBASE" = false ] ; then
245 if [ "$ENABLE_MINBASE" = false ] ; then
245 # Set locale choice in debconf db, even though dpkg-reconfigure ignores and overwrites them due to some bug
246 # Set locale choice in debconf db, even though dpkg-reconfigure ignores and overwrites them due to some bug
246 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684134 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685957
247 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684134 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685957
247 # ... so we have to set locales manually
248 # ... so we have to set locales manually
248 if [ "$DEFLOCAL" = "en_US.UTF-8" ] ; then
249 if [ "$DEFLOCAL" = "en_US.UTF-8" ] ; then
249 LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections
250 LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections
250 else
251 else
251 # en_US.UTF-8 should be available anyway : https://www.debian.org/doc/manuals/debian-reference/ch08.en.html#_the_reconfiguration_of_the_locale
252 # en_US.UTF-8 should be available anyway : https://www.debian.org/doc/manuals/debian-reference/ch08.en.html#_the_reconfiguration_of_the_locale
252 LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections
253 LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections
253 LANG=C chroot $R sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen
254 LANG=C chroot $R sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen
254 fi
255 fi
255 LANG=C chroot $R sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen
256 LANG=C chroot $R sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen
256 LANG=C chroot $R echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections
257 LANG=C chroot $R echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections
257 LANG=C chroot $R locale-gen
258 LANG=C chroot $R locale-gen
258 LANG=C chroot $R update-locale LANG=${DEFLOCAL}
259 LANG=C chroot $R update-locale LANG=${DEFLOCAL}
259
260
260 # Keyboard configuration, if requested
261 # Keyboard configuration, if requested
261 if [ "$XKBMODEL" != "" ] ; then
262 if [ "$XKBMODEL" != "" ] ; then
262 LANG=C chroot $R sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKBMODEL}\"/" /etc/default/keyboard
263 LANG=C chroot $R sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKBMODEL}\"/" /etc/default/keyboard
263 fi
264 fi
264 if [ "$XKBLAYOUT" != "" ] ; then
265 if [ "$XKBLAYOUT" != "" ] ; then
265 LANG=C chroot $R sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKBLAYOUT}\"/" /etc/default/keyboard
266 LANG=C chroot $R sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKBLAYOUT}\"/" /etc/default/keyboard
266 fi
267 fi
267 if [ "$XKBVARIANT" != "" ] ; then
268 if [ "$XKBVARIANT" != "" ] ; then
268 LANG=C chroot $R sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKBVARIANT}\"/" /etc/default/keyboard
269 LANG=C chroot $R sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKBVARIANT}\"/" /etc/default/keyboard
269 fi
270 fi
270 if [ "$XKBOPTIONS" != "" ] ; then
271 if [ "$XKBOPTIONS" != "" ] ; then
271 LANG=C chroot $R sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKBOPTIONS}\"/" /etc/default/keyboard
272 LANG=C chroot $R sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKBOPTIONS}\"/" /etc/default/keyboard
272 fi
273 fi
273 LANG=C chroot $R dpkg-reconfigure -f noninteractive keyboard-configuration
274 LANG=C chroot $R dpkg-reconfigure -f noninteractive keyboard-configuration
274 # Set up font console
275 # Set up font console
275 case "${DEFLOCAL}" in
276 case "${DEFLOCAL}" in
276 *UTF-8)
277 *UTF-8)
277 LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' /etc/default/console-setup
278 LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' /etc/default/console-setup
278 ;;
279 ;;
279 *)
280 *)
280 LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="guess"/' /etc/default/console-setup
281 LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="guess"/' /etc/default/console-setup
281 ;;
282 ;;
282 esac
283 esac
283 LANG=C chroot $R dpkg-reconfigure -f noninteractive console-setup
284 LANG=C chroot $R dpkg-reconfigure -f noninteractive console-setup
284 fi
285 fi
285
286
286 # Kernel installation
287 # Kernel installation
287 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
288 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
288 LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2
289 LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2
289 LANG=C chroot $R apt-get -qq -y install flash-kernel
290 LANG=C chroot $R apt-get -qq -y install flash-kernel
290
291
291 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
292 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
292 [ -z "$VMLINUZ" ] && exit 1
293 [ -z "$VMLINUZ" ] && exit 1
293 mkdir -p $R/boot/firmware
294 mkdir -p $R/boot/firmware
294
295
295 # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")
296 # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")
296 wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin
297 wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin
297 wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat
298 wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat
298 wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat
299 wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat
299 wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat
300 wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat
300 wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf
301 wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf
301 wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf
302 wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf
302 wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf
303 wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf
303 cp $VMLINUZ $R/boot/firmware/kernel7.img
304 cp $VMLINUZ $R/boot/firmware/kernel7.img
304
305
305 # Set up IPv4 hosts
306 # Set up IPv4 hosts
306 echo ${HOSTNAME} >$R/etc/hostname
307 echo ${HOSTNAME} >$R/etc/hostname
307 cat <<EOM >$R/etc/hosts
308 cat <<EOM >$R/etc/hosts
308 127.0.0.1 localhost
309 127.0.0.1 localhost
309 127.0.1.1 ${HOSTNAME}
310 127.0.1.1 ${HOSTNAME}
310 EOM
311 EOM
311
312
312 # Set up IPv6 hosts
313 # Set up IPv6 hosts
313 if [ "$ENABLE_IPV6" = true ] ; then
314 if [ "$ENABLE_IPV6" = true ] ; then
314 cat <<EOM >>$R/etc/hosts
315 cat <<EOM >>$R/etc/hosts
315
316
316 ::1 localhost ip6-localhost ip6-loopback
317 ::1 localhost ip6-localhost ip6-loopback
317 ff02::1 ip6-allnodes
318 ff02::1 ip6-allnodes
318 ff02::2 ip6-allrouters
319 ff02::2 ip6-allrouters
319 EOM
320 EOM
320 fi
321 fi
321
322
322 # Place hint about network configuration
323 # Place hint about network configuration
323 cat <<EOM >$R/etc/network/interfaces
324 cat <<EOM >$R/etc/network/interfaces
324 # Debian switched to systemd-networkd configuration files.
325 # Debian switched to systemd-networkd configuration files.
325 # please configure your networks in '/etc/systemd/network/'
326 # please configure your networks in '/etc/systemd/network/'
326 EOM
327 EOM
327
328
328 # Enable systemd-networkd DHCP configuration for interface eth0
329 # Enable systemd-networkd DHCP configuration for interface eth0
329 cat <<EOM >$R/etc/systemd/network/eth.network
330 cat <<EOM >$R/etc/systemd/network/eth.network
330 [Match]
331 [Match]
331 Name=eth0
332 Name=eth0
332
333
333 [Network]
334 [Network]
334 DHCP=yes
335 DHCP=yes
335 EOM
336 EOM
336
337
337 # Set DHCP configuration to IPv4 only
338 # Set DHCP configuration to IPv4 only
338 if [ "$ENABLE_IPV6" = false ] ; then
339 if [ "$ENABLE_IPV6" = false ] ; then
339 sed -i "s/=yes/=v4/" $R/etc/systemd/network/eth.network
340 sed -i "s/=yes/=v4/" $R/etc/systemd/network/eth.network
340 fi
341 fi
341
342
342 # Enable systemd-networkd service
343 # Enable systemd-networkd service
343 LANG=C chroot $R systemctl enable systemd-networkd
344 LANG=C chroot $R systemctl enable systemd-networkd
344
345
345 # Generate crypt(3) password string
346 # Generate crypt(3) password string
346 ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
347 ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
347
348
348 # Set up default user
349 # Set up default user
349 LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi
350 LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi
350 LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
351 LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
351
352
352 # Set up root password
353 # Set up root password
353 LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root
354 LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root
354
355
355 # Set up firmware boot cmdline
356 # Set up firmware boot cmdline
356 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
357 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
357
358
358 # Set up serial console support (if requested)
359 # Set up serial console support (if requested)
359 if [ "$ENABLE_CONSOLE" = true ] ; then
360 if [ "$ENABLE_CONSOLE" = true ] ; then
360 CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
361 CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
361 fi
362 fi
362
363
363 # Set up IPv6 networking support
364 # Set up IPv6 networking support
364 if [ "$ENABLE_IPV6" = false ] ; then
365 if [ "$ENABLE_IPV6" = false ] ; then
365 CMDLINE="${CMDLINE} ipv6.disable=1"
366 CMDLINE="${CMDLINE} ipv6.disable=1"
366 fi
367 fi
367
368
368 echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
369 echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
369
370
370 # Set up firmware config
371 # Set up firmware config
371 cat <<EOM >$R/boot/firmware/config.txt
372 cat <<EOM >$R/boot/firmware/config.txt
372 # For more options and information see
373 # For more options and information see
373 # http://www.raspberrypi.org/documentation/configuration/config-txt.md
374 # http://www.raspberrypi.org/documentation/configuration/config-txt.md
374 # Some settings may impact device functionality. See link above for details
375 # Some settings may impact device functionality. See link above for details
375
376
376 # uncomment if you get no picture on HDMI for a default "safe" mode
377 # uncomment if you get no picture on HDMI for a default "safe" mode
377 #hdmi_safe=1
378 #hdmi_safe=1
378
379
379 # uncomment this if your display has a black border of unused pixels visible
380 # uncomment this if your display has a black border of unused pixels visible
380 # and your display can output without overscan
381 # and your display can output without overscan
381 #disable_overscan=1
382 #disable_overscan=1
382
383
383 # uncomment the following to adjust overscan. Use positive numbers if console
384 # uncomment the following to adjust overscan. Use positive numbers if console
384 # goes off screen, and negative if there is too much border
385 # goes off screen, and negative if there is too much border
385 #overscan_left=16
386 #overscan_left=16
386 #overscan_right=16
387 #overscan_right=16
387 #overscan_top=16
388 #overscan_top=16
388 #overscan_bottom=16
389 #overscan_bottom=16
389
390
390 # uncomment to force a console size. By default it will be display's size minus
391 # uncomment to force a console size. By default it will be display's size minus
391 # overscan.
392 # overscan.
392 #framebuffer_width=1280
393 #framebuffer_width=1280
393 #framebuffer_height=720
394 #framebuffer_height=720
394
395
395 # uncomment if hdmi display is not detected and composite is being output
396 # uncomment if hdmi display is not detected and composite is being output
396 #hdmi_force_hotplug=1
397 #hdmi_force_hotplug=1
397
398
398 # uncomment to force a specific HDMI mode (this will force VGA)
399 # uncomment to force a specific HDMI mode (this will force VGA)
399 #hdmi_group=1
400 #hdmi_group=1
400 #hdmi_mode=1
401 #hdmi_mode=1
401
402
402 # uncomment to force a HDMI mode rather than DVI. This can make audio work in
403 # uncomment to force a HDMI mode rather than DVI. This can make audio work in
403 # DMT (computer monitor) modes
404 # DMT (computer monitor) modes
404 #hdmi_drive=2
405 #hdmi_drive=2
405
406
406 # uncomment to increase signal to HDMI, if you have interference, blanking, or
407 # uncomment to increase signal to HDMI, if you have interference, blanking, or
407 # no display
408 # no display
408 #config_hdmi_boost=4
409 #config_hdmi_boost=4
409
410
410 # uncomment for composite PAL
411 # uncomment for composite PAL
411 #sdtv_mode=2
412 #sdtv_mode=2
412
413
413 # uncomment to overclock the arm. 700 MHz is the default.
414 # uncomment to overclock the arm. 700 MHz is the default.
414 #arm_freq=800
415 #arm_freq=800
415 EOM
416 EOM
416
417
417 # Load snd_bcm2835 kernel module at boot time
418 # Load snd_bcm2835 kernel module at boot time
418 if [ "$ENABLE_SOUND" = true ] ; then
419 if [ "$ENABLE_SOUND" = true ] ; then
419 echo "snd_bcm2835" >>$R/etc/modules
420 echo "snd_bcm2835" >>$R/etc/modules
420 fi
421 fi
421
422
422 # Set smallest possible GPU memory allocation size: 16MB (no X)
423 # Set smallest possible GPU memory allocation size: 16MB (no X)
423 if [ "$ENABLE_MINGPU" = true ] ; then
424 if [ "$ENABLE_MINGPU" = true ] ; then
424 echo "gpu_mem=16" >>$R/boot/firmware/config.txt
425 echo "gpu_mem=16" >>$R/boot/firmware/config.txt
425 fi
426 fi
426
427
427 # Create symlinks
428 # Create symlinks
428 ln -sf firmware/config.txt $R/boot/config.txt
429 ln -sf firmware/config.txt $R/boot/config.txt
429 ln -sf firmware/cmdline.txt $R/boot/cmdline.txt
430 ln -sf firmware/cmdline.txt $R/boot/cmdline.txt
430
431
431 # Prepare modules-load.d directory
432 # Prepare modules-load.d directory
432 mkdir -p $R/lib/modules-load.d/
433 mkdir -p $R/lib/modules-load.d/
433
434
434 # Load random module on boot
435 # Load random module on boot
435 if [ "$ENABLE_HWRANDOM" = true ] ; then
436 if [ "$ENABLE_HWRANDOM" = true ] ; then
436 cat <<EOM >$R/lib/modules-load.d/rpi2.conf
437 cat <<EOM >$R/lib/modules-load.d/rpi2.conf
437 bcm2708_rng
438 bcm2708_rng
438 EOM
439 EOM
439 fi
440 fi
440
441
441 # Prepare modprobe.d directory
442 # Prepare modprobe.d directory
442 mkdir -p $R/etc/modprobe.d/
443 mkdir -p $R/etc/modprobe.d/
443
444
444 # Blacklist sound modules
445 # Blacklist sound modules
445 cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf
446 cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf
446 blacklist snd_soc_core
447 blacklist snd_soc_core
447 blacklist snd_pcm
448 blacklist snd_pcm
448 blacklist snd_pcm_dmaengine
449 blacklist snd_pcm_dmaengine
449 blacklist snd_timer
450 blacklist snd_timer
450 blacklist snd_compress
451 blacklist snd_compress
451 blacklist snd_soc_pcm512x_i2c
452 blacklist snd_soc_pcm512x_i2c
452 blacklist snd_soc_pcm512x
453 blacklist snd_soc_pcm512x
453 blacklist snd_soc_tas5713
454 blacklist snd_soc_tas5713
454 blacklist snd_soc_wm8804
455 blacklist snd_soc_wm8804
455 EOM
456 EOM
456
457
457 # Create default fstab
458 # Create default fstab
458 cat <<EOM >$R/etc/fstab
459 cat <<EOM >$R/etc/fstab
459 /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
460 /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
460 /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
461 /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
461 EOM
462 EOM
462
463
463 # Avoid swapping and increase cache sizes
464 # Avoid swapping and increase cache sizes
464 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
465 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
465
466
466 # Avoid swapping and increase cache sizes
467 # Avoid swapping and increase cache sizes
467 vm.swappiness=1
468 vm.swappiness=1
468 vm.dirty_background_ratio=20
469 vm.dirty_background_ratio=20
469 vm.dirty_ratio=40
470 vm.dirty_ratio=40
470 vm.dirty_writeback_centisecs=500
471 vm.dirty_writeback_centisecs=500
471 vm.dirty_expire_centisecs=6000
472 vm.dirty_expire_centisecs=6000
472 EOM
473 EOM
473
474
474 # Enable network stack hardening
475 # Enable network stack hardening
475 if [ "$ENABLE_HARDNET" = true ] ; then
476 if [ "$ENABLE_HARDNET" = true ] ; then
476 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
477 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
477
478
478 # Enable network stack hardening
479 # Enable network stack hardening
479 net.ipv4.tcp_timestamps=0
480 net.ipv4.tcp_timestamps=0
480 net.ipv4.tcp_syncookies=1
481 net.ipv4.tcp_syncookies=1
481 net.ipv4.conf.all.rp_filter=1
482 net.ipv4.conf.all.rp_filter=1
482 net.ipv4.conf.all.accept_redirects=0
483 net.ipv4.conf.all.accept_redirects=0
483 net.ipv4.conf.all.send_redirects=0
484 net.ipv4.conf.all.send_redirects=0
484 net.ipv4.conf.all.accept_source_route=0
485 net.ipv4.conf.all.accept_source_route=0
485 net.ipv4.conf.default.rp_filter=1
486 net.ipv4.conf.default.rp_filter=1
486 net.ipv4.conf.default.accept_redirects=0
487 net.ipv4.conf.default.accept_redirects=0
487 net.ipv4.conf.default.send_redirects=0
488 net.ipv4.conf.default.send_redirects=0
488 net.ipv4.conf.default.accept_source_route=0
489 net.ipv4.conf.default.accept_source_route=0
489 net.ipv4.conf.lo.accept_redirects=0
490 net.ipv4.conf.lo.accept_redirects=0
490 net.ipv4.conf.lo.send_redirects=0
491 net.ipv4.conf.lo.send_redirects=0
491 net.ipv4.conf.lo.accept_source_route=0
492 net.ipv4.conf.lo.accept_source_route=0
492 net.ipv4.conf.eth0.accept_redirects=0
493 net.ipv4.conf.eth0.accept_redirects=0
493 net.ipv4.conf.eth0.send_redirects=0
494 net.ipv4.conf.eth0.send_redirects=0
494 net.ipv4.conf.eth0.accept_source_route=0
495 net.ipv4.conf.eth0.accept_source_route=0
495 net.ipv4.icmp_echo_ignore_broadcasts=1
496 net.ipv4.icmp_echo_ignore_broadcasts=1
496 net.ipv4.icmp_ignore_bogus_error_responses=1
497 net.ipv4.icmp_ignore_bogus_error_responses=1
497
498
498 net.ipv6.conf.all.accept_redirects=0
499 net.ipv6.conf.all.accept_redirects=0
499 net.ipv6.conf.all.accept_source_route=0
500 net.ipv6.conf.all.accept_source_route=0
500 net.ipv6.conf.all.router_solicitations=0
501 net.ipv6.conf.all.router_solicitations=0
501 net.ipv6.conf.all.accept_ra_rtr_pref=0
502 net.ipv6.conf.all.accept_ra_rtr_pref=0
502 net.ipv6.conf.all.accept_ra_pinfo=0
503 net.ipv6.conf.all.accept_ra_pinfo=0
503 net.ipv6.conf.all.accept_ra_defrtr=0
504 net.ipv6.conf.all.accept_ra_defrtr=0
504 net.ipv6.conf.all.autoconf=0
505 net.ipv6.conf.all.autoconf=0
505 net.ipv6.conf.all.dad_transmits=0
506 net.ipv6.conf.all.dad_transmits=0
506 net.ipv6.conf.all.max_addresses=1
507 net.ipv6.conf.all.max_addresses=1
507
508
508 net.ipv6.conf.default.accept_redirects=0
509 net.ipv6.conf.default.accept_redirects=0
509 net.ipv6.conf.default.accept_source_route=0
510 net.ipv6.conf.default.accept_source_route=0
510 net.ipv6.conf.default.router_solicitations=0
511 net.ipv6.conf.default.router_solicitations=0
511 net.ipv6.conf.default.accept_ra_rtr_pref=0
512 net.ipv6.conf.default.accept_ra_rtr_pref=0
512 net.ipv6.conf.default.accept_ra_pinfo=0
513 net.ipv6.conf.default.accept_ra_pinfo=0
513 net.ipv6.conf.default.accept_ra_defrtr=0
514 net.ipv6.conf.default.accept_ra_defrtr=0
514 net.ipv6.conf.default.autoconf=0
515 net.ipv6.conf.default.autoconf=0
515 net.ipv6.conf.default.dad_transmits=0
516 net.ipv6.conf.default.dad_transmits=0
516 net.ipv6.conf.default.max_addresses=1
517 net.ipv6.conf.default.max_addresses=1
517
518
518 net.ipv6.conf.lo.accept_redirects=0
519 net.ipv6.conf.lo.accept_redirects=0
519 net.ipv6.conf.lo.accept_source_route=0
520 net.ipv6.conf.lo.accept_source_route=0
520 net.ipv6.conf.lo.router_solicitations=0
521 net.ipv6.conf.lo.router_solicitations=0
521 net.ipv6.conf.lo.accept_ra_rtr_pref=0
522 net.ipv6.conf.lo.accept_ra_rtr_pref=0
522 net.ipv6.conf.lo.accept_ra_pinfo=0
523 net.ipv6.conf.lo.accept_ra_pinfo=0
523 net.ipv6.conf.lo.accept_ra_defrtr=0
524 net.ipv6.conf.lo.accept_ra_defrtr=0
524 net.ipv6.conf.lo.autoconf=0
525 net.ipv6.conf.lo.autoconf=0
525 net.ipv6.conf.lo.dad_transmits=0
526 net.ipv6.conf.lo.dad_transmits=0
526 net.ipv6.conf.lo.max_addresses=1
527 net.ipv6.conf.lo.max_addresses=1
527
528
528 net.ipv6.conf.eth0.accept_redirects=0
529 net.ipv6.conf.eth0.accept_redirects=0
529 net.ipv6.conf.eth0.accept_source_route=0
530 net.ipv6.conf.eth0.accept_source_route=0
530 net.ipv6.conf.eth0.router_solicitations=0
531 net.ipv6.conf.eth0.router_solicitations=0
531 net.ipv6.conf.eth0.accept_ra_rtr_pref=0
532 net.ipv6.conf.eth0.accept_ra_rtr_pref=0
532 net.ipv6.conf.eth0.accept_ra_pinfo=0
533 net.ipv6.conf.eth0.accept_ra_pinfo=0
533 net.ipv6.conf.eth0.accept_ra_defrtr=0
534 net.ipv6.conf.eth0.accept_ra_defrtr=0
534 net.ipv6.conf.eth0.autoconf=0
535 net.ipv6.conf.eth0.autoconf=0
535 net.ipv6.conf.eth0.dad_transmits=0
536 net.ipv6.conf.eth0.dad_transmits=0
536 net.ipv6.conf.eth0.max_addresses=1
537 net.ipv6.conf.eth0.max_addresses=1
537 EOM
538 EOM
538
539
539 # Enable resolver warnings about spoofed addresses
540 # Enable resolver warnings about spoofed addresses
540 cat <<EOM >>$R/etc/host.conf
541 cat <<EOM >>$R/etc/host.conf
541 spoof warn
542 spoof warn
542 EOM
543 EOM
543 fi
544 fi
544
545
545 # Regenerate openssh server host keys
546 # Regenerate openssh server host keys
546 if [ "$ENABLE_SSHD" = true ] ; then
547 if [ "$ENABLE_SSHD" = true ] ; then
547 rm -fr $R/etc/ssh/ssh_host_*
548 rm -fr $R/etc/ssh/ssh_host_*
548 LANG=C chroot $R dpkg-reconfigure openssh-server
549 LANG=C chroot $R dpkg-reconfigure openssh-server
549 fi
550 fi
550
551
551 # Enable serial console systemd style
552 # Enable serial console systemd style
552 if [ "$ENABLE_CONSOLE" = true ] ; then
553 if [ "$ENABLE_CONSOLE" = true ] ; then
553 LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service
554 LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service
554 fi
555 fi
555
556
556 # Enable firewall based on iptables started by systemd service
557 # Enable firewall based on iptables started by systemd service
557 if [ "$ENABLE_IPTABLES" = true ] ; then
558 if [ "$ENABLE_IPTABLES" = true ] ; then
558 # Create iptables configuration directory
559 # Create iptables configuration directory
559 mkdir -p "$R/etc/iptables"
560 mkdir -p "$R/etc/iptables"
560
561
561 # Create iptables systemd service
562 # Create iptables systemd service
562 cat <<EOM >$R/etc/systemd/system/iptables.service
563 cat <<EOM >$R/etc/systemd/system/iptables.service
563 [Unit]
564 [Unit]
564 Description=Packet Filtering Framework
565 Description=Packet Filtering Framework
565 DefaultDependencies=no
566 DefaultDependencies=no
566 After=systemd-sysctl.service
567 After=systemd-sysctl.service
567 Before=sysinit.target
568 Before=sysinit.target
568 [Service]
569 [Service]
569 Type=oneshot
570 Type=oneshot
570 ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
571 ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
571 ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
572 ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
572 ExecStop=/etc/iptables/flush-iptables.sh
573 ExecStop=/etc/iptables/flush-iptables.sh
573 RemainAfterExit=yes
574 RemainAfterExit=yes
574 [Install]
575 [Install]
575 WantedBy=multi-user.target
576 WantedBy=multi-user.target
576 EOM
577 EOM
577
578
578 # Create flush-table script called by iptables service
579 # Create flush-table script called by iptables service
579 cat <<EOM >$R/etc/iptables/flush-iptables.sh
580 cat <<EOM >$R/etc/iptables/flush-iptables.sh
580 #!/bin/sh
581 #!/bin/sh
581 iptables -F
582 iptables -F
582 iptables -X
583 iptables -X
583 iptables -t nat -F
584 iptables -t nat -F
584 iptables -t nat -X
585 iptables -t nat -X
585 iptables -t mangle -F
586 iptables -t mangle -F
586 iptables -t mangle -X
587 iptables -t mangle -X
587 iptables -P INPUT ACCEPT
588 iptables -P INPUT ACCEPT
588 iptables -P FORWARD ACCEPT
589 iptables -P FORWARD ACCEPT
589 iptables -P OUTPUT ACCEPT
590 iptables -P OUTPUT ACCEPT
590 EOM
591 EOM
591
592
592 # Create iptables rule file
593 # Create iptables rule file
593 cat <<EOM >$R/etc/iptables/iptables.rules
594 cat <<EOM >$R/etc/iptables/iptables.rules
594 *filter
595 *filter
595 :INPUT DROP [0:0]
596 :INPUT DROP [0:0]
596 :FORWARD DROP [0:0]
597 :FORWARD DROP [0:0]
597 :OUTPUT ACCEPT [0:0]
598 :OUTPUT ACCEPT [0:0]
598 :TCP - [0:0]
599 :TCP - [0:0]
599 :UDP - [0:0]
600 :UDP - [0:0]
600 :SSH - [0:0]
601 :SSH - [0:0]
601
602
602 # Rate limit ping requests
603 # Rate limit ping requests
603 -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
604 -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
604 -A INPUT -p icmp --icmp-type echo-request -j DROP
605 -A INPUT -p icmp --icmp-type echo-request -j DROP
605
606
606 # Accept established connections
607 # Accept established connections
607 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
608 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
608
609
609 # Accept all traffic on loopback interface
610 # Accept all traffic on loopback interface
610 -A INPUT -i lo -j ACCEPT
611 -A INPUT -i lo -j ACCEPT
611
612
612 # Drop packets declared invalid
613 # Drop packets declared invalid
613 -A INPUT -m conntrack --ctstate INVALID -j DROP
614 -A INPUT -m conntrack --ctstate INVALID -j DROP
614
615
615 # SSH rate limiting
616 # SSH rate limiting
616 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
617 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
617 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
618 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
618 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
619 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
619 -A SSH -m recent --name sshbf --set -j ACCEPT
620 -A SSH -m recent --name sshbf --set -j ACCEPT
620
621
621 # Send TCP and UDP connections to their respective rules chain
622 # Send TCP and UDP connections to their respective rules chain
622 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
623 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
623 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
624 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
624
625
625 # Reject dropped packets with a RFC compliant responce
626 # Reject dropped packets with a RFC compliant responce
626 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
627 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
627 -A INPUT -p tcp -j REJECT --reject-with tcp-rst
628 -A INPUT -p tcp -j REJECT --reject-with tcp-rst
628 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
629 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
629
630
630 ## TCP PORT RULES
631 ## TCP PORT RULES
631 # -A TCP -p tcp -j LOG
632 # -A TCP -p tcp -j LOG
632
633
633 ## UDP PORT RULES
634 ## UDP PORT RULES
634 # -A UDP -p udp -j LOG
635 # -A UDP -p udp -j LOG
635
636
636 COMMIT
637 COMMIT
637 EOM
638 EOM
638
639
639 # Reload systemd configuration and enable iptables service
640 # Reload systemd configuration and enable iptables service
640 LANG=C chroot $R systemctl daemon-reload
641 LANG=C chroot $R systemctl daemon-reload
641 LANG=C chroot $R systemctl enable iptables.service
642 LANG=C chroot $R systemctl enable iptables.service
642
643
643 if [ "$ENABLE_IPV6" = true ] ; then
644 if [ "$ENABLE_IPV6" = true ] ; then
644 # Create ip6tables systemd service
645 # Create ip6tables systemd service
645 cat <<EOM >$R/etc/systemd/system/ip6tables.service
646 cat <<EOM >$R/etc/systemd/system/ip6tables.service
646 [Unit]
647 [Unit]
647 Description=Packet Filtering Framework
648 Description=Packet Filtering Framework
648 DefaultDependencies=no
649 DefaultDependencies=no
649 After=systemd-sysctl.service
650 After=systemd-sysctl.service
650 Before=sysinit.target
651 Before=sysinit.target
651 [Service]
652 [Service]
652 Type=oneshot
653 Type=oneshot
653 ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
654 ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
654 ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
655 ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
655 ExecStop=/etc/iptables/flush-ip6tables.sh
656 ExecStop=/etc/iptables/flush-ip6tables.sh
656 RemainAfterExit=yes
657 RemainAfterExit=yes
657 [Install]
658 [Install]
658 WantedBy=multi-user.target
659 WantedBy=multi-user.target
659 EOM
660 EOM
660
661
661 # Create ip6tables file
662 # Create ip6tables file
662 cat <<EOM >$R/etc/iptables/flush-ip6tables.sh
663 cat <<EOM >$R/etc/iptables/flush-ip6tables.sh
663 #!/bin/sh
664 #!/bin/sh
664 ip6tables -F
665 ip6tables -F
665 ip6tables -X
666 ip6tables -X
666 ip6tables -Z
667 ip6tables -Z
667 for table in $(</proc/net/ip6_tables_names)
668 for table in $(</proc/net/ip6_tables_names)
668 do
669 do
669 ip6tables -t \$table -F
670 ip6tables -t \$table -F
670 ip6tables -t \$table -X
671 ip6tables -t \$table -X
671 ip6tables -t \$table -Z
672 ip6tables -t \$table -Z
672 done
673 done
673 ip6tables -P INPUT ACCEPT
674 ip6tables -P INPUT ACCEPT
674 ip6tables -P OUTPUT ACCEPT
675 ip6tables -P OUTPUT ACCEPT
675 ip6tables -P FORWARD ACCEPT
676 ip6tables -P FORWARD ACCEPT
676 EOM
677 EOM
677
678
678 # Create ip6tables rule file
679 # Create ip6tables rule file
679 cat <<EOM >$R/etc/iptables/ip6tables.rules
680 cat <<EOM >$R/etc/iptables/ip6tables.rules
680 *filter
681 *filter
681 :INPUT DROP [0:0]
682 :INPUT DROP [0:0]
682 :FORWARD DROP [0:0]
683 :FORWARD DROP [0:0]
683 :OUTPUT ACCEPT [0:0]
684 :OUTPUT ACCEPT [0:0]
684 :TCP - [0:0]
685 :TCP - [0:0]
685 :UDP - [0:0]
686 :UDP - [0:0]
686 :SSH - [0:0]
687 :SSH - [0:0]
687
688
688 # Drop packets with RH0 headers
689 # Drop packets with RH0 headers
689 -A INPUT -m rt --rt-type 0 -j DROP
690 -A INPUT -m rt --rt-type 0 -j DROP
690 -A OUTPUT -m rt --rt-type 0 -j DROP
691 -A OUTPUT -m rt --rt-type 0 -j DROP
691 -A FORWARD -m rt --rt-type 0 -j DROP
692 -A FORWARD -m rt --rt-type 0 -j DROP
692
693
693 # Rate limit ping requests
694 # Rate limit ping requests
694 -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
695 -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
695 -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
696 -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
696
697
697 # Accept established connections
698 # Accept established connections
698 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
699 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
699
700
700 # Accept all traffic on loopback interface
701 # Accept all traffic on loopback interface
701 -A INPUT -i lo -j ACCEPT
702 -A INPUT -i lo -j ACCEPT
702
703
703 # Drop packets declared invalid
704 # Drop packets declared invalid
704 -A INPUT -m conntrack --ctstate INVALID -j DROP
705 -A INPUT -m conntrack --ctstate INVALID -j DROP
705
706
706 # SSH rate limiting
707 # SSH rate limiting
707 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
708 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
708 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
709 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
709 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
710 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
710 -A SSH -m recent --name sshbf --set -j ACCEPT
711 -A SSH -m recent --name sshbf --set -j ACCEPT
711
712
712 # Send TCP and UDP connections to their respective rules chain
713 # Send TCP and UDP connections to their respective rules chain
713 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
714 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
714 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
715 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
715
716
716 # Reject dropped packets with a RFC compliant responce
717 # Reject dropped packets with a RFC compliant responce
717 -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
718 -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
718 -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
719 -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
719 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
720 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
720
721
721 ## TCP PORT RULES
722 ## TCP PORT RULES
722 # -A TCP -p tcp -j LOG
723 # -A TCP -p tcp -j LOG
723
724
724 ## UDP PORT RULES
725 ## UDP PORT RULES
725 # -A UDP -p udp -j LOG
726 # -A UDP -p udp -j LOG
726
727
727 COMMIT
728 COMMIT
728 EOM
729 EOM
729
730
730 # Reload systemd configuration and enable iptables service
731 # Reload systemd configuration and enable iptables service
731 LANG=C chroot $R systemctl daemon-reload
732 LANG=C chroot $R systemctl daemon-reload
732 LANG=C chroot $R systemctl enable ip6tables.service
733 LANG=C chroot $R systemctl enable ip6tables.service
733 fi
734 fi
734 fi
735 fi
735
736
736 # Remove SSHD related iptables rules
737 # Remove SSHD related iptables rules
737 if [ "$ENABLE_SSHD" = false ] ; then
738 if [ "$ENABLE_SSHD" = false ] ; then
738 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/iptables.rules 2> /dev/null
739 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/iptables.rules 2> /dev/null
739 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/ip6tables.rules 2> /dev/null
740 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/ip6tables.rules 2> /dev/null
740 fi
741 fi
741
742
742 # Install gcc/c++ build environment inside the chroot
743 # Install gcc/c++ build environment inside the chroot
743 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
744 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
744 LANG=C chroot $R apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
745 LANG=C chroot $R apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
745 fi
746 fi
746
747
747 # Fetch and build U-Boot bootloader
748 # Fetch and build U-Boot bootloader
748 if [ "$ENABLE_UBOOT" = true ] ; then
749 if [ "$ENABLE_UBOOT" = true ] ; then
749 # Fetch U-Boot bootloader sources
750 # Fetch U-Boot bootloader sources
750 git -C $R/tmp clone git://git.denx.de/u-boot.git
751 git -C $R/tmp clone git://git.denx.de/u-boot.git
751
752
752 # Build and install U-Boot inside chroot
753 # Build and install U-Boot inside chroot
753 LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all
754 LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all
754
755
755 # Copy compiled bootloader binary and set config.txt to load it
756 # Copy compiled bootloader binary and set config.txt to load it
756 cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
757 cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
757 printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
758 printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
758
759
759 # Set U-Boot command file
760 # Set U-Boot command file
760 cat <<EOM >$R/boot/firmware/uboot.mkimage
761 cat <<EOM >$R/boot/firmware/uboot.mkimage
761 # Tell Linux that it is booting on a Raspberry Pi2
762 # Tell Linux that it is booting on a Raspberry Pi2
762 setenv machid 0x00000c42
763 setenv machid 0x00000c42
763
764
764 # Set the kernel boot command line
765 # Set the kernel boot command line
765 setenv bootargs "earlyprintk ${CMDLINE}"
766 setenv bootargs "earlyprintk ${CMDLINE}"
766
767
767 # Save these changes to u-boot's environment
768 # Save these changes to u-boot's environment
768 saveenv
769 saveenv
769
770
770 # Load the existing Linux kernel into RAM
771 # Load the existing Linux kernel into RAM
771 fatload mmc 0:1 \${kernel_addr_r} kernel7.img
772 fatload mmc 0:1 \${kernel_addr_r} kernel7.img
772
773
773 # Boot the kernel we have just loaded
774 # Boot the kernel we have just loaded
774 bootz \${kernel_addr_r}
775 bootz \${kernel_addr_r}
775 EOM
776 EOM
776
777
777 # Generate U-Boot image from command file
778 # Generate U-Boot image from command file
778 LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
779 LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
779 fi
780 fi
780
781
781 # Fetch and build fbturbo Xorg driver
782 # Fetch and build fbturbo Xorg driver
782 if [ "$ENABLE_FBTURBO" = true ] ; then
783 if [ "$ENABLE_FBTURBO" = true ] ; then
783 # Fetch fbturbo driver sources
784 # Fetch fbturbo driver sources
784 git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git
785 git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git
785
786
786 # Install Xorg build dependencies
787 # Install Xorg build dependencies
787 LANG=C chroot $R apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
788 LANG=C chroot $R apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
788
789
789 # Build and install fbturbo driver inside chroot
790 # Build and install fbturbo driver inside chroot
790 LANG=C chroot $R /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install"
791 LANG=C chroot $R /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install"
791
792
792 # Add fbturbo driver to Xorg configuration
793 # Add fbturbo driver to Xorg configuration
793 cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf
794 cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf
794 Section "Device"
795 Section "Device"
795 Identifier "Allwinner A10/A13 FBDEV"
796 Identifier "Allwinner A10/A13 FBDEV"
796 Driver "fbturbo"
797 Driver "fbturbo"
797 Option "fbdev" "/dev/fb0"
798 Option "fbdev" "/dev/fb0"
798 Option "SwapbuffersWait" "true"
799 Option "SwapbuffersWait" "true"
799 EndSection
800 EndSection
800 EOM
801 EOM
801
802
802 # Remove Xorg build dependencies
803 # Remove Xorg build dependencies
803 LANG=C chroot $R apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
804 LANG=C chroot $R apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
804 fi
805 fi
805
806
806 # Remove gcc/c++ build environment from the chroot
807 # Remove gcc/c++ build environment from the chroot
807 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
808 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
808 LANG=C chroot $R apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
809 LANG=C chroot $R apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
809 fi
810 fi
810
811
811 # Clean cached downloads
812 # Clean cached downloads
812 LANG=C chroot $R apt-get -y clean
813 LANG=C chroot $R apt-get -y clean
813 LANG=C chroot $R apt-get -y autoclean
814 LANG=C chroot $R apt-get -y autoclean
814 LANG=C chroot $R apt-get -y autoremove
815 LANG=C chroot $R apt-get -y autoremove
815
816
816 # Unmount mounted filesystems
817 # Unmount mounted filesystems
817 umount -l $R/proc
818 umount -l $R/proc
818 umount -l $R/sys
819 umount -l $R/sys
819
820
820 # Clean up files
821 # Clean up files
821 rm -f $R/etc/apt/sources.list.save
822 rm -f $R/etc/apt/sources.list.save
822 rm -f $R/etc/resolvconf/resolv.conf.d/original
823 rm -f $R/etc/resolvconf/resolv.conf.d/original
823 rm -rf $R/run
824 rm -rf $R/run
824 mkdir -p $R/run
825 mkdir -p $R/run
825 rm -f $R/etc/*-
826 rm -f $R/etc/*-
826 rm -f $R/root/.bash_history
827 rm -f $R/root/.bash_history
827 rm -rf $R/tmp/*
828 rm -rf $R/tmp/*
828 rm -f $R/var/lib/urandom/random-seed
829 rm -f $R/var/lib/urandom/random-seed
829 [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id
830 [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id
830 rm -f $R/etc/machine-id
831 rm -f $R/etc/machine-id
831 rm -fr $R/etc/apt/apt.conf.d/10proxy
832 rm -fr $R/etc/apt/apt.conf.d/10proxy
832
833
833 # Calculate size of the chroot directory
834 # Calculate size of the chroot directory
834 CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)
835 CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)
835
836
836 # Calculate required image size
837 # Calculate required image size
837 IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`
838 IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`
838
839
839 # Calculate number of sectors for the partition
840 # Calculate number of sectors for the partition
840 IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`
841 IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`
841
842
842 # Prepare date string for image file name
843 # Prepare date string for image file name
843 DATE="$(date +%Y-%m-%d)"
844 DATE="$(date +%Y-%m-%d)"
844
845
845 # Prepare image file
846 # Prepare image file
846 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1
847 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1
847 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}
848 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}
848
849
849 # Write partition table
850 # Write partition table
850 sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
851 sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
851 unit: sectors
852 unit: sectors
852
853
853 1 : start= 2048, size= 131072, Id= c, bootable
854 1 : start= 2048, size= 131072, Id= c, bootable
854 2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83
855 2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83
855 3 : start= 0, size= 0, Id= 0
856 3 : start= 0, size= 0, Id= 0
856 4 : start= 0, size= 0, Id= 0
857 4 : start= 0, size= 0, Id= 0
857 EOM
858 EOM
858
859
859 # Set up temporary loop devices and build filesystems
860 # Set up temporary loop devices and build filesystems
860 VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
861 VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
861 EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
862 EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
862 mkfs.vfat "$VFAT_LOOP"
863 mkfs.vfat "$VFAT_LOOP"
863 mkfs.ext4 "$EXT4_LOOP"
864 mkfs.ext4 "$EXT4_LOOP"
864
865
865 # Mount the temporary loop devices
866 # Mount the temporary loop devices
866 mkdir -p "$BUILDDIR/mount"
867 mkdir -p "$BUILDDIR/mount"
867 mount "$EXT4_LOOP" "$BUILDDIR/mount"
868 mount "$EXT4_LOOP" "$BUILDDIR/mount"
868
869
869 mkdir -p "$BUILDDIR/mount/boot/firmware"
870 mkdir -p "$BUILDDIR/mount/boot/firmware"
870 mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"
871 mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"
871
872
872 # Copy all files from the chroot to the loop device mount point directory
873 # Copy all files from the chroot to the loop device mount point directory
873 rsync -a "$R/" "$BUILDDIR/mount/"
874 rsync -a "$R/" "$BUILDDIR/mount/"
874
875
875 # Unmount all temporary loop devices and mount points
876 # Unmount all temporary loop devices and mount points
876 cleanup
877 cleanup
877
878
878 # (optinal) create block map file for "bmaptool"
879 # (optinal) create block map file for "bmaptool"
879 bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
880 bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
880
881
881 # Image was successfully created
882 # Image was successfully created
882 echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"
883 echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"
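Review bot: the bootloader and driver sources compiled into the image are neither pinned nor authenticated, so the resulting image depends on whatever the network serves at build time; this applies to `git -C $R/tmp clone git://git.denx.de/u-boot.git` (cleartext git:// transport, no tag or commit checked out before `make ... rpi_2_defconfig all`) and to `git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git` (repository HEAD, no pinned revision), and the compiler install line `apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc` uses `--force-yes`, which also lets apt proceed with packages that fail signature verification. Suggest cloning U-Boot over https, checking out a fixed release tag or commit hash in both repositories before building, and dropping `--force-yes` so that a failed package authentication aborts the build rather than silently producing an image containing unverified code. Minor: the comments "Reject dropped packets with a RFC compliant responce" and "(optinal) create block map file" should read "response" and "optional".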