Raspi2-3_GenImage Commit - r14:f33a610b0e30 · Collaboration Tremplin des Sciences

1

#!/bin/sh

1

#!/bin/sh

2

3

########################################################################

3

########################################################################

4

# rpi2-gen-image.sh ver2a 12/2015

4

# rpi2-gen-image.sh ver2a 12/2015

5

#

5

#

6

# Advanced debian "jessie" bootstrap script for RPi2

6

# Advanced debian "jessie" bootstrap script for RPi2

7

#

7

#

8

# This program is free software; you can redistribute it and/or

8

# This program is free software; you can redistribute it and/or

9

# modify it under the terms of the GNU General Public License

9

# modify it under the terms of the GNU General Public License

10

# as published by the Free Software Foundation; either version 2

10

# as published by the Free Software Foundation; either version 2

11

# of the License, or (at your option) any later version.

11

# of the License, or (at your option) any later version.

12

#

12

#

13

# some parts based on rpi2-build-image:

13

# some parts based on rpi2-build-image:

14

15

16

########################################################################

16

########################################################################

17

18

cleanup (){

18

cleanup (){

19

set +x

19

set +x

20

set +e

20

set +e

21

echo "removing temporary mount points ..."

21

echo "removing temporary mount points ..."

22

umount -l $R/proc 2> /dev/null

22

umount -l $R/proc 2> /dev/null

23

umount -l $R/sys 2> /dev/null

23

umount -l $R/sys 2> /dev/null

24

umount -l $R/dev/pts 2> /dev/null

24

umount -l $R/dev/pts 2> /dev/null

25

umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null

25

umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null

26

umount "$BUILDDIR/mount" 2> /dev/null

26

umount "$BUILDDIR/mount" 2> /dev/null

27

losetup -d "$EXT4_LOOP" 2> /dev/null

27

losetup -d "$EXT4_LOOP" 2> /dev/null

28

losetup -d "$VFAT_LOOP" 2> /dev/null

28

losetup -d "$VFAT_LOOP" 2> /dev/null

29

trap - 0 1 2 3 6

29

trap - 0 1 2 3 6

30

}

30

}

31

32

set -e

32

set -e

33

set -x

33

set -x

34

35

RELEASE=${RELEASE:=jessie}

35

RELEASE=${RELEASE:=jessie}

36

37

# Build settings

37

# Build settings

38

BASEDIR=./images/${RELEASE}

38

BASEDIR=./images/${RELEASE}

39

BUILDDIR=${BASEDIR}/build

39

BUILDDIR=${BASEDIR}/build

40

41

# General settings

41

# General settings

42

HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}

42

HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}

43

PASSWORD=${PASSWORD:=raspberry}

43

PASSWORD=${PASSWORD:=raspberry}

44

DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}

44

DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}

45

TIMEZONE=${TIMEZONE:="Europe/Berlin"}

45

TIMEZONE=${TIMEZONE:="Europe/Berlin"}

46

47

# APT settings

47

# APT settings

48

APT_PROXY=${APT_PROXY:=""}

48

APT_PROXY=${APT_PROXY:=""}

49

APT_SERVER=${APT_SERVER:="ftp.debian.org"}

49

APT_SERVER=${APT_SERVER:="ftp.debian.org"}

50

51

# Feature settings

51

# Feature settings

52

ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}

52

ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}

53

ENABLE_IPV6=${ENABLE_IPV6:=true}

53

ENABLE_IPV6=${ENABLE_IPV6:=true}

54

ENABLE_SSHD=${ENABLE_SSHD:=true}

54

ENABLE_SSHD=${ENABLE_SSHD:=true}

55

ENABLE_SOUND=${ENABLE_SOUND:=true}

55

ENABLE_SOUND=${ENABLE_SOUND:=true}

56

ENABLE_SYSTEMD=${ENABLE_SYSTEMD:=true}

57

ENABLE_DBUS=${ENABLE_DBUS:=true}

56

ENABLE_DBUS=${ENABLE_DBUS:=true}

58

ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}

57

ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}

59

ENABLE_MINGPU=${ENABLE_MINGPU:=false}

58

ENABLE_MINGPU=${ENABLE_MINGPU:=false}

60

ENABLE_XORG=${ENABLE_XORG:=false}

59

ENABLE_XORG=${ENABLE_XORG:=false}

61

ENABLE_FLUXBOX=${ENABLE_FLUXBOX:=false}

60

ENABLE_FLUXBOX=${ENABLE_FLUXBOX:=false}

62

61

63

# Advanced settings

62

# Advanced settings

64

ENABLE_UBOOT=${ENABLE_UBOOT:=false}

63

ENABLE_UBOOT=${ENABLE_UBOOT:=false}

65

ENABLE_HARDNET=${ENABLE_HARDNET:=false}

64

ENABLE_HARDNET=${ENABLE_HARDNET:=false}

66

ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}

65

ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}

67

66

68

# Image chroot path

67

# Image chroot path

69

R=${BUILDDIR}/chroot

68

R=${BUILDDIR}/chroot

70

69

71

# Packages required for bootstrapping

70

# Packages required for bootstrapping

72

REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core"

71

REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core"

73

72

74

# Missing packages that need to be installed

73

# Missing packages that need to be installed

75

MISSING_PACKAGES=""

74

MISSING_PACKAGES=""

76

75

77

# Packages required in the chroot build enviroment

76

# Packages required in the chroot build enviroment

78

APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,locales~~,apt-utils,vim-tiny~~"

77

APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,locales"

79

78

80

set +x

79

set +x

81

80

82

# Are we running as root?

81

# Are we running as root?

83

if [ "$(id -u)" -ne "0" ] ; then

82

if [ "$(id -u)" -ne "0" ] ; then

84

echo "this script must be executed with root privileges"

83

echo "this script must be executed with root privileges"

85

exit 1

84

exit 1

86

fi

85

fi

87

86

88

# Check if all required packages are installed

87

# Check if all required packages are installed

89

for package in $REQUIRED_PACKAGES ; do

88

for package in $REQUIRED_PACKAGES ; do

90

if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then

89

if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then

91

MISSING_PACKAGES="$MISSING_PACKAGES $package"

90

MISSING_PACKAGES="$MISSING_PACKAGES $package"

92

fi

91

fi

93

done

92

done

94

93

95

# Ask if missing packages should get installed right now

94

# Ask if missing packages should get installed right now

96

if [ -n "$MISSING_PACKAGES" ] ; then

95

if [ -n "$MISSING_PACKAGES" ] ; then

97

echo "the following packages needed by this script are not installed:"

96

echo "the following packages needed by this script are not installed:"

98

echo "$MISSING_PACKAGES"

97

echo "$MISSING_PACKAGES"

99

98

100

echo -n "\ndo you want to install the missing packages right now? [y/n] "

99

echo -n "\ndo you want to install the missing packages right now? [y/n] "

101

read confirm

100

read confirm

102

if [ "$confirm" != "y" ] ; then

101

if [ "$confirm" != "y" ] ; then

103

exit 1

102

exit 1

104

fi

103

fi

105

fi

104

fi

106

105

107

# Make sure all required packages are installed

106

# Make sure all required packages are installed

108

apt-get -qq -y install ${REQUIRED_PACKAGES}

107

apt-get -qq -y install ${REQUIRED_PACKAGES}

109

108

110

# Don't clobber an old build

109

# Don't clobber an old build

111

if [ -e "$BUILDDIR" ]; then

110

if [ -e "$BUILDDIR" ]; then

112

echo "directory $BUILDDIR already exists, not proceeding"

111

echo "directory $BUILDDIR already exists, not proceeding"

113

exit 1

112

exit 1

114

fi

113

fi

115

114

116

set -x

115

set -x

117

116

118

# Call "cleanup" function on various signals and errors

117

# Call "cleanup" function on various signals and errors

119

trap cleanup 0 1 2 3 6

118

trap cleanup 0 1 2 3 6

120

119

121

# Set up chroot directory

120

# Set up chroot directory

122

mkdir -p $R

121

mkdir -p $R

123

122

124

# Use traditional SystemV init instead of systemd services

125

if [ "$ENABLE_SYSTEMD" = false ] ; then

126

APT_INCLUDES="${APT_INCLUDES},sysvinit-core"

127

fi

128

129

# Add dbus package, recommended if using systemd

123

# Add dbus package, recommended if using systemd

130

if [ "$ENABLE_DBUS" = true ] ; then

124

if [ "$ENABLE_DBUS" = true ] ; then

131

APT_INCLUDES="${APT_INCLUDES},dbus"

125

APT_INCLUDES="${APT_INCLUDES},dbus"

132

fi

126

fi

133

127

134

# Add openssh server package

128

# Add openssh server package

135

if [ "$ENABLE_SSHD" = true ] ; then

129

if [ "$ENABLE_SSHD" = true ] ; then

136

APT_INCLUDES="${APT_INCLUDES},openssh-server"

130

APT_INCLUDES="${APT_INCLUDES},openssh-server"

137

fi

131

fi

138

132

139

# Add rng-tools package

133

# Add rng-tools package

140

if [ "$ENABLE_HWRANDOM" = true ] ; then

134

if [ "$ENABLE_HWRANDOM" = true ] ; then

141

APT_INCLUDES="${APT_INCLUDES},rng-tools"

135

APT_INCLUDES="${APT_INCLUDES},rng-tools"

142

fi

136

fi

143

137

144

# Add xorg package

138

# Add xorg package

145

if [ "$ENABLE_XORG" = true ] ; then

139

if [ "$ENABLE_XORG" = true ] ; then

146

APT_INCLUDES="${APT_INCLUDES},xorg"

140

APT_INCLUDES="${APT_INCLUDES},xorg"

147

fi

141

fi

148

142

149

# Add fluxbox package with eterm

143

# Add fluxbox package with eterm

150

if [ "$ENABLE_FLUXBOX" = true ] ; then

144

if [ "$ENABLE_FLUXBOX" = true ] ; then

151

APT_INCLUDES="${APT_INCLUDES},fluxbox,eterm"

145

APT_INCLUDES="${APT_INCLUDES},fluxbox,eterm"

152

fi

146

fi

153

147

154

if [ -z "$APT_PROXY" ] ; then

148

if [ -z "$APT_PROXY" ] ; then

155

APT_PROXY="http://"

149

APT_PROXY="http://"

156

fi

150

fi

157

151

158

# Base debootstrap (unpack only)

152

# Base debootstrap (unpack only)

159

debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian

153

debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian

160

cp /usr/bin/qemu-arm-static $R/usr/bin

154

cp /usr/bin/qemu-arm-static $R/usr/bin

161

155

162

# Remove systemd related packages from list of packages to be bootstrapped

163

if [ "$ENABLE_SYSTEMD" = false ] ; then

164

chroot $R sed -i -e 's/systemd systemd-sysv //g' /debootstrap/required

165

fi

166

167

# Copy debian-archive-keyring.pgp

156

# Copy debian-archive-keyring.pgp

168

chroot $R mkdir -p /usr/share/keyrings

157

chroot $R mkdir -p /usr/share/keyrings

169

cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg

158

cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg

170

159

171

# Complete the bootstrapping proccess

160

# Complete the bootstrapping proccess

172

chroot $R /debootstrap/debootstrap --second-stage

161

chroot $R /debootstrap/debootstrap --second-stage

173

162

174

# Mount required filesystems

163

# Mount required filesystems

175

mount -t proc none $R/proc

164

mount -t proc none $R/proc

176

mount -t sysfs none $R/sys

165

mount -t sysfs none $R/sys

177

mount --bind /dev/pts $R/dev/pts

166

mount --bind /dev/pts $R/dev/pts

178

167

179

# Use proxy inside chroot

168

# Use proxy inside chroot

180

if [ -z "$APT_PROXY" ] ; then

169

if [ -z "$APT_PROXY" ] ; then

181

echo "Acquire::http::Proxy \"$APT_PROXY\"" >> $R/etc/apt/apt.conf.d/10proxy

170

echo "Acquire::http::Proxy \"$APT_PROXY\"" >> $R/etc/apt/apt.conf.d/10proxy

182

fi

171

fi

183

172

184

# Pin package flash-kernel to repositories.collabora.co.uk

173

# Pin package flash-kernel to repositories.collabora.co.uk

185

cat <<EOM >$R/etc/apt/preferences.d/flash-kernel

174

cat <<EOM >$R/etc/apt/preferences.d/flash-kernel

186

Package: flash-kernel

175

Package: flash-kernel

187

Pin: origin repositories.collabora.co.uk

176

Pin: origin repositories.collabora.co.uk

188

Pin-Priority: 1000

177

Pin-Priority: 1000

189

EOM

178

EOM

190

179

191

# Set up timezone

180

# Set up timezone

192

echo ${TIMEZONE} >$R/etc/timezone

181

echo ${TIMEZONE} >$R/etc/timezone

193

LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata

182

LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata

194

183

195

# Set up default locales to "en_US.UTF-8" default

184

# Set up default locales to "en_US.UTF-8" default

196

LANG=C chroot $R sed -i '/${DEFLOCAL}/s/^#//' /etc/locale.gen

185

LANG=C chroot $R sed -i '/${DEFLOCAL}/s/^#//' /etc/locale.gen

197

LANG=C chroot $R locale-gen ${DEFLOCAL}

186

LANG=C chroot $R locale-gen ${DEFLOCAL}

198

187

199

# Upgrade collabora package index and install collabora keyring

188

# Upgrade collabora package index and install collabora keyring

200

echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list

189

echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list

201

LANG=C chroot $R apt-get -qq -y update

190

LANG=C chroot $R apt-get -qq -y update

202

LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring

191

LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring

203

192

204

# Set up initial sources.list

193

# Set up initial sources.list

205

cat <<EOM >$R/etc/apt/sources.list

194

cat <<EOM >$R/etc/apt/sources.list

206

deb http://${APT_SERVER}/debian ${RELEASE} main contrib

195

deb http://${APT_SERVER}/debian ${RELEASE} main contrib

207

#deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib

196

#deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib

208

197

209

deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib

198

deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib

210

#deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib

199

#deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib

211

200

212

deb http://security.debian.org/ ${RELEASE}/updates main contrib

201

deb http://security.debian.org/ ${RELEASE}/updates main contrib

213

#deb-src http://security.debian.org/ ${RELEASE}/updates main contrib

202

#deb-src http://security.debian.org/ ${RELEASE}/updates main contrib

214

203

215

deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2

204

deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2

216

EOM

205

EOM

217

206

218

# Upgrade package index and update all installed packages and changed dependencies

207

# Upgrade package index and update all installed packages and changed dependencies

219

LANG=C chroot $R apt-get -qq -y update

208

LANG=C chroot $R apt-get -qq -y update

220

LANG=C chroot $R apt-get -qq -y -u dist-upgrade

209

LANG=C chroot $R apt-get -qq -y -u dist-upgrade

221

210

222

# Kernel installation

211

# Kernel installation

223

# Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot

212

# Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot

224

LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2

213

LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2

225

LANG=C chroot $R apt-get -qq -y install flash-kernel

214

LANG=C chroot $R apt-get -qq -y install flash-kernel

226

215

227

VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"

216

VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"

228

[ -z "$VMLINUZ" ] && exit 1

217

[ -z "$VMLINUZ" ] && exit 1

229

mkdir -p $R/boot/firmware

218

mkdir -p $R/boot/firmware

230

219

231

# required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")

220

# required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")

232

wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin

221

wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin

233

wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat

222

wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat

234

wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat

223

wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat

235

wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat

224

wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat

236

wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf

225

wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf

237

wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf

226

wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf

238

wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf

227

wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf

239

cp $VMLINUZ $R/boot/firmware/kernel7.img

228

cp $VMLINUZ $R/boot/firmware/kernel7.img

240

229

241

# Set up hosts

230

# Set up hosts

242

echo ${HOSTNAME} >$R/etc/hostname

231

echo ${HOSTNAME} >$R/etc/hostname

243

cat <<EOM >$R/etc/hosts

232

cat <<EOM >$R/etc/hosts

244

127.0.0.1 localhost

233

127.0.0.1 localhost

245

127.0.1.1 ${HOSTNAME}

234

127.0.1.1 ${HOSTNAME}

246

EOM

235

EOM

247

236

248

if [ "$ENABLE_IPV6" = true ] ; then

237

if [ "$ENABLE_IPV6" = true ] ; then

249

cat <<EOM >>$R/etc/hosts

238

cat <<EOM >>$R/etc/hosts

250

239

251

::1 localhost ip6-localhost ip6-loopback

240

::1 localhost ip6-localhost ip6-loopback

252

ff02::1 ip6-allnodes

241

ff02::1 ip6-allnodes

253

ff02::2 ip6-allrouters

242

ff02::2 ip6-allrouters

254

EOM

243

EOM

255

fi

244

fi

256

245

257

# Generate crypt(3) password string

246

# Generate crypt(3) password string

258

ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`

247

ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`

259

248

260

# Set up default user

249

# Set up default user

261

LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi

250

LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi

262

LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi

251

LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi

263

252

264

# Set up root password

253

# Set up root password

265

LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root

254

LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root

266

255

267

# Set up interfaces

256

# Set up interfaces

268

cat <<EOM >$R/etc/network/interfaces

257

cat <<EOM >$R/etc/network/interfaces

269

# interfaces(5) file used by ifup(8) and ifdown(8)

258

# interfaces(5) file used by ifup(8) and ifdown(8)

270

# Include files from /etc/network/interfaces.d:

259

# Include files from /etc/network/interfaces.d:

271

source-directory /etc/network/interfaces.d

260

source-directory /etc/network/interfaces.d

272

261

273

# The loopback network interface

262

# The loopback network interface

274

auto lo

263

auto lo

275

iface lo inet loopback

264

iface lo inet loopback

276

265

277

# The primary network interface

266

# The primary network interface

278

allow-hotplug eth0

267

allow-hotplug eth0

279

iface eth0 inet dhcp

268

iface eth0 inet dhcp

280

EOM

269

EOM

281

270

282

# Set up firmware boot cmdline

271

# Set up firmware boot cmdline

283

CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"

272

CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"

284

273

285

# Set up serial console support (if requested)

274

# Set up serial console support (if requested)

286

if [ "$ENABLE_CONSOLE" = true ] ; then

275

if [ "$ENABLE_CONSOLE" = true ] ; then

287

CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"

276

CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"

288

fi

277

fi

289

278

290

# Set up ipv6 support (if requested)

279

# Set up ipv6 support (if requested)

291

if [ "$ENABLE_IPV6" = false ] ; then

280

if [ "$ENABLE_IPV6" = false ] ; then

292

CMDLINE="${CMDLINE} ipv6.disable=1"

281

CMDLINE="${CMDLINE} ipv6.disable=1"

293

fi

282

fi

294

283

295

echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt

284

echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt

296

285

297

# Set up firmware config

286

# Set up firmware config

298

cat <<EOM >$R/boot/firmware/config.txt

287

cat <<EOM >$R/boot/firmware/config.txt

299

# For more options and information see

288

# For more options and information see

300

# http://www.raspberrypi.org/documentation/configuration/config-txt.md

289

# http://www.raspberrypi.org/documentation/configuration/config-txt.md

301

# Some settings may impact device functionality. See link above for details

290

# Some settings may impact device functionality. See link above for details

302

291

303

# uncomment if you get no picture on HDMI for a default "safe" mode

292

# uncomment if you get no picture on HDMI for a default "safe" mode

304

#hdmi_safe=1

293

#hdmi_safe=1

305

294

306

# uncomment this if your display has a black border of unused pixels visible

295

# uncomment this if your display has a black border of unused pixels visible

307

# and your display can output without overscan

296

# and your display can output without overscan

308

#disable_overscan=1

297

#disable_overscan=1

309

298

310

# uncomment the following to adjust overscan. Use positive numbers if console

299

# uncomment the following to adjust overscan. Use positive numbers if console

311

# goes off screen, and negative if there is too much border

300

# goes off screen, and negative if there is too much border

312

#overscan_left=16

301

#overscan_left=16

313

#overscan_right=16

302

#overscan_right=16

314

#overscan_top=16

303

#overscan_top=16

315

#overscan_bottom=16

304

#overscan_bottom=16

316

305

317

# uncomment to force a console size. By default it will be display's size minus

306

# uncomment to force a console size. By default it will be display's size minus

318

# overscan.

307

# overscan.

319

#framebuffer_width=1280

308

#framebuffer_width=1280

320

#framebuffer_height=720

309

#framebuffer_height=720

321

310

322

# uncomment if hdmi display is not detected and composite is being output

311

# uncomment if hdmi display is not detected and composite is being output

323

#hdmi_force_hotplug=1

312

#hdmi_force_hotplug=1

324

313

325

# uncomment to force a specific HDMI mode (this will force VGA)

314

# uncomment to force a specific HDMI mode (this will force VGA)

326

#hdmi_group=1

315

#hdmi_group=1

327

#hdmi_mode=1

316

#hdmi_mode=1

328

317

329

# uncomment to force a HDMI mode rather than DVI. This can make audio work in

318

# uncomment to force a HDMI mode rather than DVI. This can make audio work in

330

# DMT (computer monitor) modes

319

# DMT (computer monitor) modes

331

#hdmi_drive=2

320

#hdmi_drive=2

332

321

333

# uncomment to increase signal to HDMI, if you have interference, blanking, or

322

# uncomment to increase signal to HDMI, if you have interference, blanking, or

334

# no display

323

# no display

335

#config_hdmi_boost=4

324

#config_hdmi_boost=4

336

325

337

# uncomment for composite PAL

326

# uncomment for composite PAL

338

#sdtv_mode=2

327

#sdtv_mode=2

339

328

340

# uncomment to overclock the arm. 700 MHz is the default.

329

# uncomment to overclock the arm. 700 MHz is the default.

341

#arm_freq=800

330

#arm_freq=800

342

EOM

331

EOM

343

332

344

# Set smallest possible GPU memory allocation size: 16MB (no X)

333

# Set smallest possible GPU memory allocation size: 16MB (no X)

345

if [ "$ENABLE_MINGPU" = true ] ; then

334

if [ "$ENABLE_MINGPU" = true ] ; then

346

echo "gpu_mem=16" >>$R/boot/firmware/config.txt

335

echo "gpu_mem=16" >>$R/boot/firmware/config.txt

347

fi

336

fi

348

337

349

# Create symlinks

338

# Create symlinks

350

ln -sf firmware/config.txt $R/boot/config.txt

339

ln -sf firmware/config.txt $R/boot/config.txt

351

ln -sf firmware/cmdline.txt $R/boot/cmdline.txt

340

ln -sf firmware/cmdline.txt $R/boot/cmdline.txt

352

341

353

# Prepare modules-load.d directory

342

# Prepare modules-load.d directory

354

mkdir -p $R/lib/modules-load.d/

343

mkdir -p $R/lib/modules-load.d/

355

344

356

# Load random module on boot

345

# Load random module on boot

357

if [ "$ENABLE_HWRANDOM" = true ] ; then

346

if [ "$ENABLE_HWRANDOM" = true ] ; then

358

cat <<EOM >$R/lib/modules-load.d/rpi2.conf

347

cat <<EOM >$R/lib/modules-load.d/rpi2.conf

359

bcm2708_rng

348

bcm2708_rng

360

EOM

349

EOM

361

fi

350

fi

362

351

363

# Prepare modprobe.d directory

352

# Prepare modprobe.d directory

364

mkdir -p $R/etc/modprobe.d/

353

mkdir -p $R/etc/modprobe.d/

365

354

366

# Blacklist sound modules

355

# Blacklist sound modules

367

cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf

356

cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf

368

blacklist snd_soc_core

357

blacklist snd_soc_core

369

blacklist snd_pcm

358

blacklist snd_pcm

370

blacklist snd_pcm_dmaengine

359

blacklist snd_pcm_dmaengine

371

blacklist snd_timer

360

blacklist snd_timer

372

blacklist snd_compress

361

blacklist snd_compress

373

blacklist snd_soc_pcm512x_i2c

362

blacklist snd_soc_pcm512x_i2c

374

blacklist snd_soc_pcm512x

363

blacklist snd_soc_pcm512x

375

blacklist snd_soc_tas5713

364

blacklist snd_soc_tas5713

376

blacklist snd_soc_wm8804

365

blacklist snd_soc_wm8804

377

EOM

366

EOM

378

367

379

# Create default fstab

368

# Create default fstab

380

cat <<EOM >$R/etc/fstab

369

cat <<EOM >$R/etc/fstab

381

/dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1

370

/dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1

382

/dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2

371

/dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2

383

EOM

372

EOM

384

373

385

# Avoid swapping and increase cache sizes

374

# Avoid swapping and increase cache sizes

386

cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf

375

cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf

387

376

388

# Avoid swapping and increase cache sizes

377

# Avoid swapping and increase cache sizes

389

vm.swappiness=1

378

vm.swappiness=1

390

vm.dirty_background_ratio=20

379

vm.dirty_background_ratio=20

391

vm.dirty_ratio=40

380

vm.dirty_ratio=40

392

vm.dirty_writeback_centisecs=500

381

vm.dirty_writeback_centisecs=500

393

vm.dirty_expire_centisecs=6000

382

vm.dirty_expire_centisecs=6000

394

EOM

383

EOM

395

384

396

# Enable network stack hardening

385

# Enable network stack hardening

397

if [ "$ENABLE_HARDNET" = true ] ; then

386

if [ "$ENABLE_HARDNET" = true ] ; then

398

cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf

387

cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf

399

388

400

# Enable network stack hardening

389

# Enable network stack hardening

401

net.ipv4.tcp_timestamps=0

390

net.ipv4.tcp_timestamps=0

402

net.ipv4.tcp_syncookies=1

391

net.ipv4.tcp_syncookies=1

403

net.ipv4.conf.all.rp_filter=1

392

net.ipv4.conf.all.rp_filter=1

404

net.ipv4.conf.all.accept_redirects=0

393

net.ipv4.conf.all.accept_redirects=0

405

net.ipv4.conf.all.send_redirects=0

394

net.ipv4.conf.all.send_redirects=0

406

net.ipv4.conf.all.accept_source_route=0

395

net.ipv4.conf.all.accept_source_route=0

407

net.ipv4.conf.default.rp_filter=1

396

net.ipv4.conf.default.rp_filter=1

408

net.ipv4.conf.default.accept_redirects=0

397

net.ipv4.conf.default.accept_redirects=0

409

net.ipv4.conf.default.send_redirects=0

398

net.ipv4.conf.default.send_redirects=0

410

net.ipv4.conf.default.accept_source_route=0

399

net.ipv4.conf.default.accept_source_route=0

411

net.ipv4.conf.lo.accept_redirects=0

400

net.ipv4.conf.lo.accept_redirects=0

412

net.ipv4.conf.lo.send_redirects=0

401

net.ipv4.conf.lo.send_redirects=0

413

net.ipv4.conf.lo.accept_source_route=0

402

net.ipv4.conf.lo.accept_source_route=0

414

net.ipv4.conf.eth0.accept_redirects=0

403

net.ipv4.conf.eth0.accept_redirects=0

415

net.ipv4.conf.eth0.send_redirects=0

404

net.ipv4.conf.eth0.send_redirects=0

416

net.ipv4.conf.eth0.accept_source_route=0

405

net.ipv4.conf.eth0.accept_source_route=0

417

net.ipv4.icmp_echo_ignore_broadcasts=1

406

net.ipv4.icmp_echo_ignore_broadcasts=1

418

net.ipv4.icmp_ignore_bogus_error_responses=1

407

net.ipv4.icmp_ignore_bogus_error_responses=1

419

408

420

net.ipv6.conf.all.accept_redirects=0

409

net.ipv6.conf.all.accept_redirects=0

421

net.ipv6.conf.all.accept_source_route=0

410

net.ipv6.conf.all.accept_source_route=0

422

net.ipv6.conf.all.router_solicitations=0

411

net.ipv6.conf.all.router_solicitations=0

423

net.ipv6.conf.all.accept_ra_rtr_pref=0

412

net.ipv6.conf.all.accept_ra_rtr_pref=0

424

net.ipv6.conf.all.accept_ra_pinfo=0

413

net.ipv6.conf.all.accept_ra_pinfo=0

425

net.ipv6.conf.all.accept_ra_defrtr=0

414

net.ipv6.conf.all.accept_ra_defrtr=0

426

net.ipv6.conf.all.autoconf=0

415

net.ipv6.conf.all.autoconf=0

427

net.ipv6.conf.all.dad_transmits=0

416

net.ipv6.conf.all.dad_transmits=0

428

net.ipv6.conf.all.max_addresses=1

417

net.ipv6.conf.all.max_addresses=1

429

418

430

net.ipv6.conf.default.accept_redirects=0

419

net.ipv6.conf.default.accept_redirects=0

431

net.ipv6.conf.default.accept_source_route=0

420

net.ipv6.conf.default.accept_source_route=0

432

net.ipv6.conf.default.router_solicitations=0

421

net.ipv6.conf.default.router_solicitations=0

433

net.ipv6.conf.default.accept_ra_rtr_pref=0

422

net.ipv6.conf.default.accept_ra_rtr_pref=0

434

net.ipv6.conf.default.accept_ra_pinfo=0

423

net.ipv6.conf.default.accept_ra_pinfo=0

435

net.ipv6.conf.default.accept_ra_defrtr=0

424

net.ipv6.conf.default.accept_ra_defrtr=0

436

net.ipv6.conf.default.autoconf=0

425

net.ipv6.conf.default.autoconf=0

437

net.ipv6.conf.default.dad_transmits=0

426

net.ipv6.conf.default.dad_transmits=0

438

net.ipv6.conf.default.max_addresses=1

427

net.ipv6.conf.default.max_addresses=1

439

428

440

net.ipv6.conf.lo.accept_redirects=0

429

net.ipv6.conf.lo.accept_redirects=0

441

net.ipv6.conf.lo.accept_source_route=0

430

net.ipv6.conf.lo.accept_source_route=0

442

net.ipv6.conf.lo.router_solicitations=0

431

net.ipv6.conf.lo.router_solicitations=0

443

net.ipv6.conf.lo.accept_ra_rtr_pref=0

432

net.ipv6.conf.lo.accept_ra_rtr_pref=0

444

net.ipv6.conf.lo.accept_ra_pinfo=0

433

net.ipv6.conf.lo.accept_ra_pinfo=0

445

net.ipv6.conf.lo.accept_ra_defrtr=0

434

net.ipv6.conf.lo.accept_ra_defrtr=0

446

net.ipv6.conf.lo.autoconf=0

435

net.ipv6.conf.lo.autoconf=0

447

net.ipv6.conf.lo.dad_transmits=0

436

net.ipv6.conf.lo.dad_transmits=0

448

net.ipv6.conf.lo.max_addresses=1

437

net.ipv6.conf.lo.max_addresses=1

449

438

450

net.ipv6.conf.eth0.accept_redirects=0

439

net.ipv6.conf.eth0.accept_redirects=0

451

net.ipv6.conf.eth0.accept_source_route=0

440

net.ipv6.conf.eth0.accept_source_route=0

452

net.ipv6.conf.eth0.router_solicitations=0

441

net.ipv6.conf.eth0.router_solicitations=0

453

net.ipv6.conf.eth0.accept_ra_rtr_pref=0

442

net.ipv6.conf.eth0.accept_ra_rtr_pref=0

454

net.ipv6.conf.eth0.accept_ra_pinfo=0

443

net.ipv6.conf.eth0.accept_ra_pinfo=0

455

net.ipv6.conf.eth0.accept_ra_defrtr=0

444

net.ipv6.conf.eth0.accept_ra_defrtr=0

456

net.ipv6.conf.eth0.autoconf=0

445

net.ipv6.conf.eth0.autoconf=0

457

net.ipv6.conf.eth0.dad_transmits=0

446

net.ipv6.conf.eth0.dad_transmits=0

458

net.ipv6.conf.eth0.max_addresses=1

447

net.ipv6.conf.eth0.max_addresses=1

459

EOM

448

EOM

460

449

461

# Enable resolver warnings about spoofed addresses

450

# Enable resolver warnings about spoofed addresses

462

cat <<EOM >>$R/etc/host.conf

451

cat <<EOM >>$R/etc/host.conf

463

spoof warn

452

spoof warn

464

EOM

453

EOM

465

fi

454

fi

466

455

467

# Regenerate openssh server host keys

456

# Regenerate openssh server host keys

468

if [ "$ENABLE_SSHD" = true ] ; then

457

if [ "$ENABLE_SSHD" = true ] ; then

469

rm -fr $R/etc/ssh/ssh_host_*

458

rm -fr $R/etc/ssh/ssh_host_*

470

LANG=C chroot $R dpkg-reconfigure openssh-server

459

LANG=C chroot $R dpkg-reconfigure openssh-server

471

fi

460

fi

472

461

473

# Enable serial console systemd style

462

# Enable serial console systemd style

474

if [ "$ENABLE_CONSOLE" = true ] ; then

463

if [ "$ENABLE_CONSOLE" = true ] ; then

475

LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service

464

LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service

476

fi

465

fi

477

466

478

# Enable firewall based on iptables started by systemd service

467

# Enable firewall based on iptables started by systemd service

479

if [ "$ENABLE_IPTABLES" = true ] ; then

468

if [ "$ENABLE_IPTABLES" = true ] ; then

480

# Create iptables configuration directory

469

# Create iptables configuration directory

481

mkdir -p "$R/etc/iptables"

470

mkdir -p "$R/etc/iptables"

482

471

483

# Create iptables systemd service

472

# Create iptables systemd service

484

cat <<EOM >$R/etc/systemd/system/iptables.service

473

cat <<EOM >$R/etc/systemd/system/iptables.service

485

[Unit]

474

[Unit]

486

Description=Packet Filtering Framework

475

Description=Packet Filtering Framework

487

DefaultDependencies=no

476

DefaultDependencies=no

488

After=systemd-sysctl.service

477

After=systemd-sysctl.service

489

Before=sysinit.target

478

Before=sysinit.target

490

[Service]

479

[Service]

491

Type=oneshot

480

Type=oneshot

492

ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules

481

ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules

493

ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules

482

ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules

494

ExecStop=/etc/iptables/flush-iptables.sh

483

ExecStop=/etc/iptables/flush-iptables.sh

495

RemainAfterExit=yes

484

RemainAfterExit=yes

496

[Install]

485

[Install]

497

WantedBy=multi-user.target

486

WantedBy=multi-user.target

498

EOM

487

EOM

499

488

500

# Create flush-table script called by iptables service

489

# Create flush-table script called by iptables service

501

cat <<EOM >$R/etc/iptables/flush-iptables.sh

490

cat <<EOM >$R/etc/iptables/flush-iptables.sh

502

#!/bin/sh

491

#!/bin/sh

503

iptables -F

492

iptables -F

504

iptables -X

493

iptables -X

505

iptables -t nat -F

494

iptables -t nat -F

506

iptables -t nat -X

495

iptables -t nat -X

507

iptables -t mangle -F

496

iptables -t mangle -F

508

iptables -t mangle -X

497

iptables -t mangle -X

509

iptables -P INPUT ACCEPT

498

iptables -P INPUT ACCEPT

510

iptables -P FORWARD ACCEPT

499

iptables -P FORWARD ACCEPT

511

iptables -P OUTPUT ACCEPT

500

iptables -P OUTPUT ACCEPT

512

EOM

501

EOM

513

502

514

# Create iptables rule file

503

# Create iptables rule file

515

cat <<EOM >$R/etc/iptables/iptables.rules

504

cat <<EOM >$R/etc/iptables/iptables.rules

516

*filter

505

*filter

517

:INPUT DROP [0:0]

506

:INPUT DROP [0:0]

518

:FORWARD DROP [0:0]

507

:FORWARD DROP [0:0]

519

:OUTPUT ACCEPT [0:0]

508

:OUTPUT ACCEPT [0:0]

520

:TCP - [0:0]

509

:TCP - [0:0]

521

:UDP - [0:0]

510

:UDP - [0:0]

522

:SSH - [0:0]

511

:SSH - [0:0]

523

512

524

# Rate limit ping requests

513

# Rate limit ping requests

525

-A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT

514

-A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT

526

-A INPUT -p icmp --icmp-type echo-request -j DROP

515

-A INPUT -p icmp --icmp-type echo-request -j DROP

527

516

528

# Accept established connections

517

# Accept established connections

529

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

518

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

530

519

531

# Accept all traffic on loopback interface

520

# Accept all traffic on loopback interface

532

-A INPUT -i lo -j ACCEPT

521

-A INPUT -i lo -j ACCEPT

533

522

534

# Drop packets declared invalid

523

# Drop packets declared invalid

535

-A INPUT -m conntrack --ctstate INVALID -j DROP

524

-A INPUT -m conntrack --ctstate INVALID -j DROP

536

525

537

# SSH rate limiting

526

# SSH rate limiting

538

-A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH

527

-A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH

539

-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP

528

-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP

540

-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP

529

-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP

541

-A SSH -m recent --name sshbf --set -j ACCEPT

530

-A SSH -m recent --name sshbf --set -j ACCEPT

542

531

543

# Send TCP and UDP connections to their respective rules chain

532

# Send TCP and UDP connections to their respective rules chain

544

-A INPUT -p udp -m conntrack --ctstate NEW -j UDP

533

-A INPUT -p udp -m conntrack --ctstate NEW -j UDP

545

-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP

534

-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP

546

535

547

# Reject dropped packets with a RFC compliant responce

536

# Reject dropped packets with a RFC compliant responce

548

-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable

537

-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable

549

-A INPUT -p tcp -j REJECT --reject-with tcp-rst

538

-A INPUT -p tcp -j REJECT --reject-with tcp-rst

550

-A INPUT -j REJECT --reject-with icmp-proto-unreachable

539

-A INPUT -j REJECT --reject-with icmp-proto-unreachable

551

540

552

## TCP PORT RULES

541

## TCP PORT RULES

553

# -A TCP -p tcp -j LOG

542

# -A TCP -p tcp -j LOG

554

543

555

## UDP PORT RULES

544

## UDP PORT RULES

556

# -A UDP -p udp -j LOG

545

# -A UDP -p udp -j LOG

557

546

558

COMMIT

547

COMMIT

559

EOM

548

EOM

560

549

561

# Reload systemd configuration and enable iptables service

550

# Reload systemd configuration and enable iptables service

562

LANG=C chroot $R systemctl daemon-reload

551

LANG=C chroot $R systemctl daemon-reload

563

LANG=C chroot $R systemctl enable iptables.service

552

LANG=C chroot $R systemctl enable iptables.service

564

553

565

if [ "$ENABLE_IPV6" = true ] ; then

554

if [ "$ENABLE_IPV6" = true ] ; then

566

# Create ip6tables systemd service

555

# Create ip6tables systemd service

567

cat <<EOM >$R/etc/systemd/system/ip6tables.service

556

cat <<EOM >$R/etc/systemd/system/ip6tables.service

568

[Unit]

557

[Unit]

569

Description=Packet Filtering Framework

558

Description=Packet Filtering Framework

570

DefaultDependencies=no

559

DefaultDependencies=no

571

After=systemd-sysctl.service

560

After=systemd-sysctl.service

572

Before=sysinit.target

561

Before=sysinit.target

573

[Service]

562

[Service]

574

Type=oneshot

563

Type=oneshot

575

ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules

564

ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules

576

ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules

565

ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules

577

ExecStop=/etc/iptables/flush-ip6tables.sh

566

ExecStop=/etc/iptables/flush-ip6tables.sh

578

RemainAfterExit=yes

567

RemainAfterExit=yes

579

[Install]

568

[Install]

580

WantedBy=multi-user.target

569

WantedBy=multi-user.target

581

EOM

570

EOM

582

571

583

# Create ip6tables file

572

# Create ip6tables file

584

cat <<EOM >$R/etc/iptables/flush-ip6tables.sh

573

cat <<EOM >$R/etc/iptables/flush-ip6tables.sh

585

#!/bin/sh

574

#!/bin/sh

586

ip6tables -F

575

ip6tables -F

587

ip6tables -X

576

ip6tables -X

588

ip6tables -Z

577

ip6tables -Z

589

for table in $(</proc/net/ip6_tables_names)

578

for table in $(</proc/net/ip6_tables_names)

590

do

579

do

591

ip6tables -t \$table -F

580

ip6tables -t \$table -F

592

ip6tables -t \$table -X

581

ip6tables -t \$table -X

593

ip6tables -t \$table -Z

582

ip6tables -t \$table -Z

594

done

583

done

595

ip6tables -P INPUT ACCEPT

584

ip6tables -P INPUT ACCEPT

596

ip6tables -P OUTPUT ACCEPT

585

ip6tables -P OUTPUT ACCEPT

597

ip6tables -P FORWARD ACCEPT

586

ip6tables -P FORWARD ACCEPT

598

EOM

587

EOM

599

588

600

# Create ip6tables rule file

589

# Create ip6tables rule file

601

cat <<EOM >$R/etc/iptables/ip6tables.rules

590

cat <<EOM >$R/etc/iptables/ip6tables.rules

602

*filter

591

*filter

603

:INPUT DROP [0:0]

592

:INPUT DROP [0:0]

604

:FORWARD DROP [0:0]

593

:FORWARD DROP [0:0]

605

:OUTPUT ACCEPT [0:0]

594

:OUTPUT ACCEPT [0:0]

606

:TCP - [0:0]

595

:TCP - [0:0]

607

:UDP - [0:0]

596

:UDP - [0:0]

608

:SSH - [0:0]

597

:SSH - [0:0]

609

598

610

# Drop packets with RH0 headers

599

# Drop packets with RH0 headers

611

-A INPUT -m rt --rt-type 0 -j DROP

600

-A INPUT -m rt --rt-type 0 -j DROP

612

-A OUTPUT -m rt --rt-type 0 -j DROP

601

-A OUTPUT -m rt --rt-type 0 -j DROP

613

-A FORWARD -m rt --rt-type 0 -j DROP

602

-A FORWARD -m rt --rt-type 0 -j DROP

614

603

615

# Rate limit ping requests

604

# Rate limit ping requests

616

-A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT

605

-A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT

617

-A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP

606

-A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP

618

607

619

# Accept established connections

608

# Accept established connections

620

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

609

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

621

610

622

# Accept all traffic on loopback interface

611

# Accept all traffic on loopback interface

623

-A INPUT -i lo -j ACCEPT

612

-A INPUT -i lo -j ACCEPT

624

613

625

# Drop packets declared invalid

614

# Drop packets declared invalid

626

-A INPUT -m conntrack --ctstate INVALID -j DROP

615

-A INPUT -m conntrack --ctstate INVALID -j DROP

627

616

628

# SSH rate limiting

617

# SSH rate limiting

629

-A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH

618

-A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH

630

-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP

619

-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP

631

-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP

620

-A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP

632

-A SSH -m recent --name sshbf --set -j ACCEPT

621

-A SSH -m recent --name sshbf --set -j ACCEPT

633

622

634

# Send TCP and UDP connections to their respective rules chain

623

# Send TCP and UDP connections to their respective rules chain

635

-A INPUT -p udp -m conntrack --ctstate NEW -j UDP

624

-A INPUT -p udp -m conntrack --ctstate NEW -j UDP

636

-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP

625

-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP

637

626

638

# Reject dropped packets with a RFC compliant responce

627

# Reject dropped packets with a RFC compliant responce

639

-A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited

628

-A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited

640

-A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited

629

-A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited

641

-A INPUT -j REJECT --reject-with icmp6-adm-prohibited

630

-A INPUT -j REJECT --reject-with icmp6-adm-prohibited

642

631

643

## TCP PORT RULES

632

## TCP PORT RULES

644

# -A TCP -p tcp -j LOG

633

# -A TCP -p tcp -j LOG

645

634

646

## UDP PORT RULES

635

## UDP PORT RULES

647

# -A UDP -p udp -j LOG

636

# -A UDP -p udp -j LOG

648

637

649

COMMIT

638

COMMIT

650

EOM

639

EOM

651

640

652

# Reload systemd configuration and enable iptables service

641

# Reload systemd configuration and enable iptables service

653

LANG=C chroot $R systemctl daemon-reload

642

LANG=C chroot $R systemctl daemon-reload

654

LANG=C chroot $R systemctl enable ip6tables.service

643

LANG=C chroot $R systemctl enable ip6tables.service

655

644

656

fi

645

fi

657

fi

646

fi

658

647

659

if [ "$ENABLE_UBOOT" = true ] ; then

648

if [ "$ENABLE_UBOOT" = true ] ; then

660

# Fetch u-boot github

649

# Fetch u-boot github

661

git -C $R/tmp clone git://git.denx.de/u-boot.git

650

git -C $R/tmp clone git://git.denx.de/u-boot.git

662

651

663

# Install minimal gcc/g++ build environment and build u-boot inside chroot

652

# Install minimal gcc/g++ build environment and build u-boot inside chroot

664

LANG=C chroot $R apt-get install -qq -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc

653

LANG=C chroot $R apt-get install -qq -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc

665

LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all

654

LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all

666

655

667

# Copy compiled bootloader binary and set config.txt to load it

656

# Copy compiled bootloader binary and set config.txt to load it

668

cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/

657

cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/

669

printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt

658

printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt

670

659

671

# Set u-boot command file

660

# Set u-boot command file

672

cat <<EOM >$R/boot/firmware/uboot.mkimage

661

cat <<EOM >$R/boot/firmware/uboot.mkimage

673

# Tell Linux that it is booting on a Raspberry Pi2

662

# Tell Linux that it is booting on a Raspberry Pi2

674

setenv machid 0x00000c42

663

setenv machid 0x00000c42

675

664

676

# Set the kernel boot command line

665

# Set the kernel boot command line

677

setenv bootargs "earlyprintk ${CMDLINE}"

666

setenv bootargs "earlyprintk ${CMDLINE}"

678

667

679

# Save these changes to u-boot's environment

668

# Save these changes to u-boot's environment

680

saveenv

669

saveenv

681

670

682

# Load the existing Linux kernel into RAM

671

# Load the existing Linux kernel into RAM

683

fatload mmc 0:1 \${kernel_addr_r} kernel7.img

672

fatload mmc 0:1 \${kernel_addr_r} kernel7.img

684

673

685

# Boot the kernel we have just loaded

674

# Boot the kernel we have just loaded

686

bootz \${kernel_addr_r}

675

bootz \${kernel_addr_r}

687

EOM

676

EOM

688

677

689

# Generate u-boot image from command file

678

# Generate u-boot image from command file

690

LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr

679

LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr

691

680

692

# Remove gcc/c++ build enviroment

681

# Remove gcc/c++ build enviroment

693

LANG=C chroot $R apt-get purge -y bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make

682

LANG=C chroot $R apt-get purge -y bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make

694

fi

683

fi

695

684

696

# Clean cached downloads

685

# Clean cached downloads

697

LANG=C chroot $R apt-get -y clean

686

LANG=C chroot $R apt-get -y clean

698

LANG=C chroot $R apt-get -y autoclean

687

LANG=C chroot $R apt-get -y autoclean

699

LANG=C chroot $R apt-get -y autoremove

688

LANG=C chroot $R apt-get -y autoremove

700

689

701

# Unmount mounted filesystems

690

# Unmount mounted filesystems

702

umount -l $R/proc

691

umount -l $R/proc

703

umount -l $R/sys

692

umount -l $R/sys

704

693

705

# Clean up files

694

# Clean up files

706

rm -f $R/etc/apt/sources.list.save

695

rm -f $R/etc/apt/sources.list.save

707

rm -f $R/etc/resolvconf/resolv.conf.d/original

696

rm -f $R/etc/resolvconf/resolv.conf.d/original

708

rm -rf $R/run

697

rm -rf $R/run

709

mkdir -p $R/run

698

mkdir -p $R/run

710

rm -f $R/etc/*-

699

rm -f $R/etc/*-

711

rm -f $R/root/.bash_history

700

rm -f $R/root/.bash_history

712

rm -rf $R/tmp/*

701

rm -rf $R/tmp/*

713

rm -f $R/var/lib/urandom/random-seed

702

rm -f $R/var/lib/urandom/random-seed

714

[ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id

703

[ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id

715

rm -f $R/etc/machine-id

704

rm -f $R/etc/machine-id

716

rm -fr $R/etc/apt/apt.conf.d/10proxy

705

rm -fr $R/etc/apt/apt.conf.d/10proxy

717

706

718

# Calculate size of the chroot directory

707

# Calculate size of the chroot directory

719

CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)

708

CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)

720

709

721

# Calculate required image size

710

# Calculate required image size

722

IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`

711

IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`

723

712

724

# Calculate number of sectors for the partition

713

# Calculate number of sectors for the partition

725

IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`

714

IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`

726

715

727

# Prepare date string for image file name

716

# Prepare date string for image file name

728

DATE="$(date +%Y-%m-%d)"

717

DATE="$(date +%Y-%m-%d)"

729

718

730

# Prepare image file

719

# Prepare image file

731

dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1

720

dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1

732

dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}

721

dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}

733

722

734

# Write partition table

723

# Write partition table

735

sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM

724

sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM

736

unit: sectors

725

unit: sectors

737

726

738

1 : start= 2048, size= 131072, Id= c, bootable

727

1 : start= 2048, size= 131072, Id= c, bootable

739

2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83

728

2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83

740

3 : start= 0, size= 0, Id= 0

729

3 : start= 0, size= 0, Id= 0

741

4 : start= 0, size= 0, Id= 0

730

4 : start= 0, size= 0, Id= 0

742

EOM

731

EOM

743

732

744

# Set up temporary loop devices and build filesystems

733

# Set up temporary loop devices and build filesystems

745

VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"

734

VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"

746

EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"

735

EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"

747

mkfs.vfat "$VFAT_LOOP"

736

mkfs.vfat "$VFAT_LOOP"

748

mkfs.ext4 "$EXT4_LOOP"

737

mkfs.ext4 "$EXT4_LOOP"

749

738

750

# Mount the temporary loop devices

739

# Mount the temporary loop devices

751

mkdir -p "$BUILDDIR/mount"

740

mkdir -p "$BUILDDIR/mount"

752

mount "$EXT4_LOOP" "$BUILDDIR/mount"

741

mount "$EXT4_LOOP" "$BUILDDIR/mount"

753

742

754

mkdir -p "$BUILDDIR/mount/boot/firmware"

743

mkdir -p "$BUILDDIR/mount/boot/firmware"

755

mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"

744

mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"

756

745

757

# Copy all files from the chroot to the loop device mount point directory

746

# Copy all files from the chroot to the loop device mount point directory

758

rsync -a "$R/" "$BUILDDIR/mount/"

747

rsync -a "$R/" "$BUILDDIR/mount/"

759

748

760

# Unmount all temporary loop devices and mount points

749

# Unmount all temporary loop devices and mount points

761

cleanup

750

cleanup

762

751

763

# (optinal) create block map file for "bmaptool"

752

# (optinal) create block map file for "bmaptool"

764

bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"

753

bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"

765

754

766

# Image was successfully created

755

# Image was successfully created

767

echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"

756

echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Dépôts
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

             #!/bin/sh
             ########################################################################
             # rpi2-gen-image.sh					   ver2a 12/2015
             #
             # Advanced debian "jessie" bootstrap script for RPi2
             #
             # This program is free software; you can redistribute it and/or
             # modify it under the terms of the GNU General Public License
             # as published by the Free Software Foundation; either version 2
             # of the License, or (at your option) any later version.
             #
             # some parts based on rpi2-build-image:
             # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
             # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
             ########################################################################
             cleanup (){
               set +x
               set +e
               echo "removing temporary mount points ..."
               umount -l $R/proc 2> /dev/null
               umount -l $R/sys 2> /dev/null
               umount -l $R/dev/pts 2> /dev/null
               umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
               umount "$BUILDDIR/mount" 2> /dev/null
               losetup -d "$EXT4_LOOP" 2> /dev/null
               losetup -d "$VFAT_LOOP" 2> /dev/null
               trap - 0 1 2 3 6
             }
             set -e
             set -x
             RELEASE=${RELEASE:=jessie}
             # Build settings
             BASEDIR=./images/${RELEASE}
             BUILDDIR=${BASEDIR}/build
             # General settings
             HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
             PASSWORD=${PASSWORD:=raspberry}
             DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
             TIMEZONE=${TIMEZONE:="Europe/Berlin"}
             # APT settings
             APT_PROXY=${APT_PROXY:=""}
             APT_SERVER=${APT_SERVER:="ftp.debian.org"}
             # Feature settings
             ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
             ENABLE_IPV6=${ENABLE_IPV6:=true}
             ENABLE_SSHD=${ENABLE_SSHD:=true}
             ENABLE_SOUND=${ENABLE_SOUND:=true}
-            ENABLE_SYSTEMD=${ENABLE_SYSTEMD:=true}
             ENABLE_DBUS=${ENABLE_DBUS:=true}
             ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
             ENABLE_MINGPU=${ENABLE_MINGPU:=false}
             ENABLE_XORG=${ENABLE_XORG:=false}
             ENABLE_FLUXBOX=${ENABLE_FLUXBOX:=false}
             # Advanced settings
             ENABLE_UBOOT=${ENABLE_UBOOT:=false}
             ENABLE_HARDNET=${ENABLE_HARDNET:=false}
             ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
             # Image chroot path
             R=${BUILDDIR}/chroot
             # Packages required for bootstrapping
             REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core"
             # Missing packages that need to be installed
             MISSING_PACKAGES=""
             # Packages required in the chroot build enviroment
-            APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,locales,apt-utils,vim-tiny"
+            APT_INCLUDES="apt-transport-https,ca-certificates,debian-archive-keyring,dialog,locales"
             set +x
             # Are we running as root?
             if [ "$(id -u)" -ne "0" ] ; then
               echo "this script must be executed with root privileges"
               exit 1
             fi
             # Check if all required packages are installed
             for package in $REQUIRED_PACKAGES ; do
               if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
                 MISSING_PACKAGES="$MISSING_PACKAGES $package"
               fi
             done
             # Ask if missing packages should get installed right now
             if [ -n "$MISSING_PACKAGES" ] ; then
               echo "the following packages needed by this script are not installed:"
               echo "$MISSING_PACKAGES"
               echo -n "\ndo you want to install the missing packages right now? [y/n] "
               read confirm
               if [ "$confirm" != "y" ] ; then
                 exit 1
               fi
             fi
             # Make sure all required packages are installed
             apt-get -qq -y install ${REQUIRED_PACKAGES}
             # Don't clobber an old build
             if [ -e "$BUILDDIR" ]; then
               echo "directory $BUILDDIR already exists, not proceeding"
               exit 1
             fi
             set -x
             # Call "cleanup" function on various signals and errors
             trap cleanup 0 1 2 3 6
             # Set up chroot directory
             mkdir -p $R
-            # Use traditional SystemV init instead of systemd services
-            if [ "$ENABLE_SYSTEMD" = false ] ; then
-              APT_INCLUDES="${APT_INCLUDES},sysvinit-core"
-            fi
             # Add dbus package, recommended if using systemd
             if [ "$ENABLE_DBUS" = true ] ; then
               APT_INCLUDES="${APT_INCLUDES},dbus"
             fi
             # Add openssh server package
             if [ "$ENABLE_SSHD" = true ] ; then
               APT_INCLUDES="${APT_INCLUDES},openssh-server"
             fi
             # Add rng-tools package
             if [ "$ENABLE_HWRANDOM" = true ] ; then
               APT_INCLUDES="${APT_INCLUDES},rng-tools"
             fi
             # Add xorg package
             if [ "$ENABLE_XORG" = true ] ; then
               APT_INCLUDES="${APT_INCLUDES},xorg"
             fi
             # Add fluxbox package with eterm
             if [ "$ENABLE_FLUXBOX" = true ] ; then
               APT_INCLUDES="${APT_INCLUDES},fluxbox,eterm"
             fi
             if [ -z "$APT_PROXY" ] ; then
               APT_PROXY="http://"
             fi
             # Base debootstrap (unpack only)
             debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R ${APT_PROXY}${APT_SERVER}/debian
             cp /usr/bin/qemu-arm-static $R/usr/bin
-            # Remove systemd related packages from list of packages to be bootstrapped
-            if [ "$ENABLE_SYSTEMD" = false ] ; then
-              chroot $R sed -i -e 's/systemd systemd-sysv //g' /debootstrap/required
-            fi
             # Copy debian-archive-keyring.pgp
             chroot $R mkdir -p /usr/share/keyrings
             cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
             # Complete the bootstrapping proccess
             chroot $R /debootstrap/debootstrap --second-stage
             # Mount required filesystems
             mount -t proc none $R/proc
             mount -t sysfs none $R/sys
             mount --bind /dev/pts $R/dev/pts
             # Use proxy inside chroot
             if [ -z "$APT_PROXY" ] ; then
               echo "Acquire::http::Proxy \"$APT_PROXY\"" >> $R/etc/apt/apt.conf.d/10proxy
             fi
             # Pin package flash-kernel to repositories.collabora.co.uk
             cat <<EOM >$R/etc/apt/preferences.d/flash-kernel
             Package: flash-kernel
             Pin: origin repositories.collabora.co.uk
             Pin-Priority: 1000
             EOM
             # Set up timezone
             echo ${TIMEZONE} >$R/etc/timezone
             LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata
             # Set up default locales to "en_US.UTF-8" default
             LANG=C chroot $R sed -i '/${DEFLOCAL}/s/^#//' /etc/locale.gen
             LANG=C chroot $R locale-gen ${DEFLOCAL}
             # Upgrade collabora package index and install collabora keyring
             echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
             LANG=C chroot $R apt-get -qq -y update
             LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring
             # Set up initial sources.list
             cat <<EOM >$R/etc/apt/sources.list
             deb http://${APT_SERVER}/debian ${RELEASE} main contrib
             #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib
             deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
             #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
             deb http://security.debian.org/ ${RELEASE}/updates main contrib
             #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib
             deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
             EOM
             # Upgrade package index and update all installed packages and changed dependencies
             LANG=C chroot $R apt-get -qq -y update
             LANG=C chroot $R apt-get -qq -y -u dist-upgrade
             # Kernel installation
             # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
             LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2
             LANG=C chroot $R apt-get -qq -y install flash-kernel
             VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
             [ -z "$VMLINUZ" ] && exit 1
             mkdir -p $R/boot/firmware
             # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")
             wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin
             wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat
             wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat
             wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat
             wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf
             wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf
             wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf
             cp $VMLINUZ $R/boot/firmware/kernel7.img
             # Set up hosts
             echo ${HOSTNAME} >$R/etc/hostname
             cat <<EOM >$R/etc/hosts
 .0.0.1       localhost
 .0.1.1       ${HOSTNAME}
             EOM
             if [ "$ENABLE_IPV6" = true ] ; then
             cat <<EOM >>$R/etc/hosts
             ::1             localhost ip6-localhost ip6-loopback
             ff02::1         ip6-allnodes
             ff02::2         ip6-allrouters
             EOM
             fi
             # Generate crypt(3) password string
             ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
             # Set up default user
             LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi
             LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
             # Set up root password
             LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root
             # Set up interfaces
             cat <<EOM >$R/etc/network/interfaces
             # interfaces(5) file used by ifup(8) and ifdown(8)
             # Include files from /etc/network/interfaces.d:
             source-directory /etc/network/interfaces.d
             # The loopback network interface
             auto lo
             iface lo inet loopback
             # The primary network interface
             allow-hotplug eth0
             iface eth0 inet dhcp
             EOM
             # Set up firmware boot cmdline
             CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
             # Set up serial console support (if requested)
             if [ "$ENABLE_CONSOLE" = true ] ; then
               CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
             fi
             # Set up ipv6 support (if requested)
             if [ "$ENABLE_IPV6" = false ] ; then
               CMDLINE="${CMDLINE} ipv6.disable=1"
             fi
             echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
             # Set up firmware config
             cat <<EOM >$R/boot/firmware/config.txt
             # For more options and information see
             # http://www.raspberrypi.org/documentation/configuration/config-txt.md
             # Some settings may impact device functionality. See link above for details
             # uncomment if you get no picture on HDMI for a default "safe" mode
             #hdmi_safe=1
             # uncomment this if your display has a black border of unused pixels visible
             # and your display can output without overscan
             #disable_overscan=1
             # uncomment the following to adjust overscan. Use positive numbers if console
             # goes off screen, and negative if there is too much border
             #overscan_left=16
             #overscan_right=16
             #overscan_top=16
             #overscan_bottom=16
             # uncomment to force a console size. By default it will be display's size minus
             # overscan.
             #framebuffer_width=1280
             #framebuffer_height=720
             # uncomment if hdmi display is not detected and composite is being output
             #hdmi_force_hotplug=1
             # uncomment to force a specific HDMI mode (this will force VGA)
             #hdmi_group=1
             #hdmi_mode=1
             # uncomment to force a HDMI mode rather than DVI. This can make audio work in
             # DMT (computer monitor) modes
             #hdmi_drive=2
             # uncomment to increase signal to HDMI, if you have interference, blanking, or
             # no display
             #config_hdmi_boost=4
             # uncomment for composite PAL
             #sdtv_mode=2
             # uncomment to overclock the arm. 700 MHz is the default.
             #arm_freq=800
             EOM
             # Set smallest possible GPU memory allocation size: 16MB (no X)
             if [ "$ENABLE_MINGPU" = true ] ; then
               echo "gpu_mem=16" >>$R/boot/firmware/config.txt
             fi
             # Create symlinks
             ln -sf firmware/config.txt $R/boot/config.txt
             ln -sf firmware/cmdline.txt $R/boot/cmdline.txt
             # Prepare modules-load.d directory
             mkdir -p $R/lib/modules-load.d/
             # Load random module on boot
             if [ "$ENABLE_HWRANDOM" = true ] ; then
               cat <<EOM >$R/lib/modules-load.d/rpi2.conf
             bcm2708_rng
             EOM
             fi
             # Prepare modprobe.d directory
             mkdir -p $R/etc/modprobe.d/
             # Blacklist sound modules
             cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf
             blacklist snd_soc_core
             blacklist snd_pcm
             blacklist snd_pcm_dmaengine
             blacklist snd_timer
             blacklist snd_compress
             blacklist snd_soc_pcm512x_i2c
             blacklist snd_soc_pcm512x
             blacklist snd_soc_tas5713
             blacklist snd_soc_wm8804
             EOM
             # Create default fstab
             cat <<EOM >$R/etc/fstab
             /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
             /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
             EOM
             # Avoid swapping and increase cache sizes
             cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
             # Avoid swapping and increase cache sizes
             vm.swappiness=1
             vm.dirty_background_ratio=20
             vm.dirty_ratio=40
             vm.dirty_writeback_centisecs=500
             vm.dirty_expire_centisecs=6000
             EOM
             # Enable network stack hardening
             if [ "$ENABLE_HARDNET" = true ] ; then
               cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
             # Enable network stack hardening
             net.ipv4.tcp_timestamps=0
             net.ipv4.tcp_syncookies=1
             net.ipv4.conf.all.rp_filter=1
             net.ipv4.conf.all.accept_redirects=0
             net.ipv4.conf.all.send_redirects=0
             net.ipv4.conf.all.accept_source_route=0
             net.ipv4.conf.default.rp_filter=1
             net.ipv4.conf.default.accept_redirects=0
             net.ipv4.conf.default.send_redirects=0
             net.ipv4.conf.default.accept_source_route=0
             net.ipv4.conf.lo.accept_redirects=0
             net.ipv4.conf.lo.send_redirects=0
             net.ipv4.conf.lo.accept_source_route=0
             net.ipv4.conf.eth0.accept_redirects=0
             net.ipv4.conf.eth0.send_redirects=0
             net.ipv4.conf.eth0.accept_source_route=0
             net.ipv4.icmp_echo_ignore_broadcasts=1
             net.ipv4.icmp_ignore_bogus_error_responses=1
             net.ipv6.conf.all.accept_redirects=0
             net.ipv6.conf.all.accept_source_route=0
             net.ipv6.conf.all.router_solicitations=0
             net.ipv6.conf.all.accept_ra_rtr_pref=0
             net.ipv6.conf.all.accept_ra_pinfo=0
             net.ipv6.conf.all.accept_ra_defrtr=0
             net.ipv6.conf.all.autoconf=0
             net.ipv6.conf.all.dad_transmits=0
             net.ipv6.conf.all.max_addresses=1
             net.ipv6.conf.default.accept_redirects=0
             net.ipv6.conf.default.accept_source_route=0
             net.ipv6.conf.default.router_solicitations=0
             net.ipv6.conf.default.accept_ra_rtr_pref=0
             net.ipv6.conf.default.accept_ra_pinfo=0
             net.ipv6.conf.default.accept_ra_defrtr=0
             net.ipv6.conf.default.autoconf=0
             net.ipv6.conf.default.dad_transmits=0
             net.ipv6.conf.default.max_addresses=1
             net.ipv6.conf.lo.accept_redirects=0
             net.ipv6.conf.lo.accept_source_route=0
             net.ipv6.conf.lo.router_solicitations=0
             net.ipv6.conf.lo.accept_ra_rtr_pref=0
             net.ipv6.conf.lo.accept_ra_pinfo=0
             net.ipv6.conf.lo.accept_ra_defrtr=0
             net.ipv6.conf.lo.autoconf=0
             net.ipv6.conf.lo.dad_transmits=0
             net.ipv6.conf.lo.max_addresses=1
             net.ipv6.conf.eth0.accept_redirects=0
             net.ipv6.conf.eth0.accept_source_route=0
             net.ipv6.conf.eth0.router_solicitations=0
             net.ipv6.conf.eth0.accept_ra_rtr_pref=0
             net.ipv6.conf.eth0.accept_ra_pinfo=0
             net.ipv6.conf.eth0.accept_ra_defrtr=0
             net.ipv6.conf.eth0.autoconf=0
             net.ipv6.conf.eth0.dad_transmits=0
             net.ipv6.conf.eth0.max_addresses=1
             EOM
             # Enable resolver warnings about spoofed addresses
               cat <<EOM >>$R/etc/host.conf
             spoof warn
             EOM
             fi
             # Regenerate openssh server host keys
             if [ "$ENABLE_SSHD" = true ] ; then
               rm -fr $R/etc/ssh/ssh_host_*
               LANG=C chroot $R dpkg-reconfigure openssh-server
             fi
             # Enable serial console systemd style
             if [ "$ENABLE_CONSOLE" = true ] ; then
               LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service
             fi
             # Enable firewall based on iptables started by systemd service
             if [ "$ENABLE_IPTABLES" = true ] ; then
               # Create iptables configuration directory
               mkdir -p "$R/etc/iptables"
               # Create iptables systemd service
               cat <<EOM >$R/etc/systemd/system/iptables.service
             [Unit]
             Description=Packet Filtering Framework
             DefaultDependencies=no
             After=systemd-sysctl.service
             Before=sysinit.target
             [Service]
             Type=oneshot
             ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
             ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
             ExecStop=/etc/iptables/flush-iptables.sh
             RemainAfterExit=yes
             [Install]
             WantedBy=multi-user.target
             EOM
               # Create flush-table script called by iptables service
               cat <<EOM >$R/etc/iptables/flush-iptables.sh
             #!/bin/sh
             iptables -F
             iptables -X
             iptables -t nat -F
             iptables -t nat -X
             iptables -t mangle -F
             iptables -t mangle -X
             iptables -P INPUT ACCEPT
             iptables -P FORWARD ACCEPT
             iptables -P OUTPUT ACCEPT
             EOM
               # Create iptables rule file
               cat <<EOM >$R/etc/iptables/iptables.rules
             *filter
             :INPUT DROP [0:0]
             :FORWARD DROP [0:0]
             :OUTPUT ACCEPT [0:0]
             :TCP - [0:0]
             :UDP - [0:0]
             :SSH - [0:0]
             # Rate limit ping requests
             -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
             -A INPUT -p icmp --icmp-type echo-request -j DROP
             # Accept established connections
             -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
             # Accept all traffic on loopback interface
             -A INPUT -i lo -j ACCEPT
             # Drop packets declared invalid
             -A INPUT -m conntrack --ctstate INVALID -j DROP
             # SSH rate limiting
             -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
             -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
             -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
             -A SSH -m recent --name sshbf --set -j ACCEPT
             # Send TCP and UDP connections to their respective rules chain
             -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
             -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
             # Reject dropped packets with a RFC compliant responce
             -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
             -A INPUT -p tcp -j REJECT --reject-with tcp-rst
             -A INPUT -j REJECT --reject-with icmp-proto-unreachable
             ## TCP PORT RULES
             # -A TCP -p tcp -j LOG
             ## UDP PORT RULES
             # -A UDP -p udp -j LOG
             COMMIT
             EOM
               # Reload systemd configuration and enable iptables service
               LANG=C chroot $R systemctl daemon-reload
               LANG=C chroot $R systemctl enable iptables.service
               if [ "$ENABLE_IPV6" = true ] ; then
                 # Create ip6tables systemd service
                 cat <<EOM >$R/etc/systemd/system/ip6tables.service
             [Unit]
             Description=Packet Filtering Framework
             DefaultDependencies=no
             After=systemd-sysctl.service
             Before=sysinit.target
             [Service]
             Type=oneshot
             ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
             ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
             ExecStop=/etc/iptables/flush-ip6tables.sh
             RemainAfterExit=yes
             [Install]
             WantedBy=multi-user.target
             EOM
                 # Create ip6tables file
                 cat <<EOM >$R/etc/iptables/flush-ip6tables.sh
             #!/bin/sh
             ip6tables -F
             ip6tables -X
             ip6tables -Z
             for table in $(</proc/net/ip6_tables_names)
             do
                     ip6tables -t \$table -F
                     ip6tables -t \$table -X
                     ip6tables -t \$table -Z
             done
             ip6tables -P INPUT ACCEPT
             ip6tables -P OUTPUT ACCEPT
             ip6tables -P FORWARD ACCEPT
             EOM
                 # Create ip6tables rule file
                 cat <<EOM >$R/etc/iptables/ip6tables.rules
             *filter
             :INPUT DROP [0:0]
             :FORWARD DROP [0:0]
             :OUTPUT ACCEPT [0:0]
             :TCP - [0:0]
             :UDP - [0:0]
             :SSH - [0:0]
             # Drop packets with RH0 headers
             -A INPUT -m rt --rt-type 0 -j DROP
             -A OUTPUT -m rt --rt-type 0 -j DROP
             -A FORWARD -m rt --rt-type 0 -j DROP
             # Rate limit ping requests
             -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
             -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
             # Accept established connections
             -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
             # Accept all traffic on loopback interface
             -A INPUT -i lo -j ACCEPT
             # Drop packets declared invalid
             -A INPUT -m conntrack --ctstate INVALID -j DROP
             # SSH rate limiting
             -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
             -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
             -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
             -A SSH -m recent --name sshbf --set -j ACCEPT
             # Send TCP and UDP connections to their respective rules chain
             -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
             -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
             # Reject dropped packets with a RFC compliant responce
             -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
             -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
             -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
             ## TCP PORT RULES
             # -A TCP -p tcp -j LOG
             ## UDP PORT RULES
             # -A UDP -p udp -j LOG
             COMMIT
             EOM
               # Reload systemd configuration and enable iptables service
               LANG=C chroot $R systemctl daemon-reload
               LANG=C chroot $R systemctl enable ip6tables.service
               fi
             fi
             if [ "$ENABLE_UBOOT" = true ] ; then
               # Fetch u-boot github
               git -C $R/tmp clone git://git.denx.de/u-boot.git
               # Install minimal gcc/g++ build environment and build u-boot inside chroot
               LANG=C chroot $R apt-get install -qq -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
               LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all
               # Copy compiled bootloader binary and set config.txt to load it
               cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
               printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
               # Set u-boot command file
               cat <<EOM >$R/boot/firmware/uboot.mkimage
             # Tell Linux that it is booting on a Raspberry Pi2
             setenv machid 0x00000c42
             # Set the kernel boot command line
             setenv bootargs "earlyprintk ${CMDLINE}"
             # Save these changes to u-boot's environment
             saveenv
             # Load the existing Linux kernel into RAM
             fatload mmc 0:1 \${kernel_addr_r} kernel7.img
             # Boot the kernel we have just loaded
             bootz \${kernel_addr_r}
             EOM
               # Generate u-boot image from command file
               LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
               # Remove gcc/c++ build enviroment
               LANG=C chroot $R apt-get purge -y bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
             fi
             # Clean cached downloads
             LANG=C chroot $R apt-get -y clean
             LANG=C chroot $R apt-get -y autoclean
             LANG=C chroot $R apt-get -y autoremove
             # Unmount mounted filesystems
             umount -l $R/proc
             umount -l $R/sys
             # Clean up files
             rm -f $R/etc/apt/sources.list.save
             rm -f $R/etc/resolvconf/resolv.conf.d/original
             rm -rf $R/run
             mkdir -p $R/run
             rm -f $R/etc/*-
             rm -f $R/root/.bash_history
             rm -rf $R/tmp/*
             rm -f $R/var/lib/urandom/random-seed
             [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id
             rm -f $R/etc/machine-id
             rm -fr $R/etc/apt/apt.conf.d/10proxy
             # Calculate size of the chroot directory
             CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)
             # Calculate required image size
             IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`
             # Calculate number of sectors for the partition
             IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`
             # Prepare date string for image file name
             DATE="$(date +%Y-%m-%d)"
             # Prepare image file
             dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1
             dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}
             # Write partition table
             sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
             unit: sectors
 : start=     2048, size=   131072, Id= c, bootable
 : start=   133120, size=  ${IMAGE_SECTORS}, Id=83
 : start=        0, size=        0, Id= 0
 : start=        0, size=        0, Id= 0
             EOM
             # Set up temporary loop devices and build filesystems
             VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
             EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
             mkfs.vfat "$VFAT_LOOP"
             mkfs.ext4 "$EXT4_LOOP"
             # Mount the temporary loop devices
             mkdir -p "$BUILDDIR/mount"
             mount "$EXT4_LOOP" "$BUILDDIR/mount"
             mkdir -p "$BUILDDIR/mount/boot/firmware"
             mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"
             # Copy all files from the chroot to the loop device mount point directory
             rsync -a "$R/" "$BUILDDIR/mount/"
             # Unmount all temporary loop devices and mount points
             cleanup
             # (optinal) create block map file for "bmaptool"
             bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
             # Image was successfully created
             echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"