Fixed: Use authorized_keys file instead of authorized_keys2
drtyhlpr -
r123:f35e7443794e
@@ -1,386 +1,386
1 1 # rpi23-gen-image
2 2 ## Introduction
3 3 `rpi23-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for Raspberry Pi 2 (RPi2) and Raspberry Pi 3 (RPi3) computers. The script at this time supports the bootstrapping of the Debian (armhf) releases `jessie` and `stretch`. Raspberry Pi 3 images are currently generated for 32-bit mode only.
4 4
5 5 ## Build dependencies
6 6 The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user.
7 7
8 8 ```debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git bc psmisc```
9 9
10 10 It is recommended to configure the `rpi23-gen-image.sh` script to build and install the latest Raspberry Pi Linux kernel. For the RPi3 this is mandetory. Kernel compilation and linking will be performed on the build system using an ARM (armhf) cross-compiler toolchain.
11 11
12 12 The script has been tested using the default `crossbuild-essential-armhf` toolchain meta package on Debian Linux `jessie` and `stretch` build systems. Please check the [Debian CrossToolchains Wiki](https://wiki.debian.org/CrossToolchains) for further information.
13 13
14 14 If a Debian Linux `jessie` build system is used it will be required to add the [Debian Cross-toolchains repository](http://emdebian.org/tools/debian/) first:
15 15
16 16 ```
17 17 echo "deb http://emdebian.org/tools/debian/ jessie main" > /etc/apt/sources.list.d/crosstools.list
18 18 sudo -u nobody wget -O - http://emdebian.org/tools/debian/emdebian-toolchain-archive.key | apt-key add -
19 19 dpkg --add-architecture armhf
20 20 apt-get update
21 21 ```
22 22
23 23 ## Command-line parameters
24 24 The script accepts certain command-line parameters to enable or disable specific OS features, services and configuration settings. These parameters are passed to the `rpi23-gen-image.sh` script via (simple) shell-variables. Unlike environment shell-variables (simple) shell-variables are defined at the beginning of the command-line call of the `rpi23-gen-image.sh` script.
25 25
26 26 #####Command-line examples:
27 27 ```shell
28 28 ENABLE_UBOOT=true ./rpi23-gen-image.sh
29 29 ENABLE_CONSOLE=false ENABLE_IPV6=false ./rpi23-gen-image.sh
30 30 ENABLE_WM=xfce4 ENABLE_FBTURBO=true ENABLE_MINBASE=true ./rpi23-gen-image.sh
31 31 ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi23-gen-image.sh
32 32 APT_SERVER=ftp.de.debian.org APT_PROXY="http://127.0.0.1:3142/" ./rpi23-gen-image.sh
33 33 ENABLE_MINBASE=true ./rpi23-gen-image.sh
34 34 BUILD_KERNEL=true ENABLE_MINBASE=true ENABLE_IPV6=false ./rpi23-gen-image.sh
35 35 BUILD_KERNEL=true KERNELSRC_DIR=/tmp/linux ./rpi23-gen-image.sh
36 36 ENABLE_MINBASE=true ENABLE_REDUCE=true ENABLE_MINGPU=true BUILD_KERNEL=true ./rpi23-gen-image.sh
37 37 ENABLE_CRYPTFS=true CRYPTFS_PASSWORD=changeme EXPANDROOT=false ENABLE_MINBASE=true ENABLE_REDUCE=true ENABLE_MINGPU=true BUILD_KERNEL=true ./rpi23-gen-image.sh
38 38 RELEASE=stretch BUILD_KERNEL=true ./rpi23-gen-image.sh
39 39 RPI_MODEL=3 ENABLE_WIRELESS=true ENABLE_MINBASE=true BUILD_KERNEL=true ./rpi23-gen-image.sh
40 40 RELEASE=stretch RPI_MODEL=3 ENABLE_WIRELESS=true ENABLE_MINBASE=true BUILD_KERNEL=true ./rpi23-gen-image.sh
41 41 ```
42 42
43 43 ## Configuration template files
44 44 To avoid long lists of command-line parameters and to help to store the favourite parameter configurations the `rpi23-gen-image.sh` script supports so called configuration template files (`CONFIG_TEMPLATE`=template). These are simple text files located in the `./templates` directory that contain the list of configuration parameters that will be used. New configuration template files can be added to the `./templates` directory.
45 45
46 46 #####Command-line examples:
47 47 ```shell
48 48 CONFIG_TEMPLATE=rpi3stretch ./rpi23-gen-image.sh
49 49 CONFIG_TEMPLATE=rpi2stretch ./rpi23-gen-image.sh
50 50 ```
51 51
52 52 ## Supported parameters and settings
53 53 #### APT settings:
54 54 ##### `APT_SERVER`="ftp.debian.org"
55 55 Set Debian packages server address. Choose a server from the list of Debian worldwide [mirror sites](https://www.debian.org/mirror/list). Using a nearby server will probably speed-up all required downloads within the bootstrapping process.
56 56
57 57 ##### `APT_PROXY`=""
58 58 Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once.
59 59
60 60 ##### `APT_INCLUDES`=""
61 61 A comma separated list of additional packages to be installed during bootstrapping.
62 62
63 63 #### General system settings:
64 64 ##### `RPI_MODEL`=2
65 65 Specifiy the target Raspberry Pi hardware model. The script at this time supports the Raspberry Pi models `2` and `3`. `BUILD_KERNEL`=true will automatically be set if the Raspberry Pi model `3` is used.
66 66
67 67 ##### `RELEASE`="jessie"
68 68 Set the desired Debian release name. The script at this time supports the bootstrapping of the Debian releases "jessie" and "stretch". `BUILD_KERNEL`=true will automatically be set if the Debian release `stretch` is used.
69 69
70 70 ##### `HOSTNAME`="rpi$RPI_MODEL-$RELEASE"
71 71 Set system host name. It's recommended that the host name is unique in the corresponding subnet.
72 72
73 73 ##### `PASSWORD`="raspberry"
74 74 Set system `root` password. It's **STRONGLY** recommended that you choose a custom password.
75 75
76 76 ##### `USER_PASSWORD`="raspberry"
77 77 Set password for the created non-root user `USER_NAME`=pi. Ignored if `ENABLE_USER`=false. It's **STRONGLY** recommended that you choose a custom password.
78 78
79 79 ##### `DEFLOCAL`="en_US.UTF-8"
80 80 Set default system locale. This setting can also be changed inside the running OS using the `dpkg-reconfigure locales` command. Please note that on using this parameter the script will automatically install the required packages `locales`, `keyboard-configuration` and `console-setup`.
81 81
82 82 ##### `TIMEZONE`="Europe/Berlin"
83 83 Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command.
84 84
85 85 ##### `EXPANDROOT`=true
86 86 Expand the root partition and filesystem automatically on first boot.
87 87
88 88 #### Keyboard settings:
89 89 These options are used to configure keyboard layout in `/etc/default/keyboard` for console and Xorg. These settings can also be changed inside the running OS using the `dpkg-reconfigure keyboard-configuration` command.
90 90
91 91 ##### `XKB_MODEL`=""
92 92 Set the name of the model of your keyboard type.
93 93
94 94 ##### `XKB_LAYOUT`=""
95 95 Set the supported keyboard layout(s).
96 96
97 97 ##### `XKB_VARIANT`=""
98 98 Set the supported variant(s) of the keyboard layout(s).
99 99
100 100 ##### `XKB_OPTIONS`=""
101 101 Set extra xkb configuration options.
102 102
103 103 #### Networking settings (DHCP):
104 104 This parameter is used to set up networking auto configuration in `/etc/systemd/network/eth.network`. The default location of network configuration files in the Debian `stretch` release was changed to `/lib/systemd/network`.`
105 105
106 106 #####`ENABLE_DHCP`=true
107 107 Set the system to use DHCP. This requires an DHCP server.
108 108
109 109 #### Networking settings (static):
110 110 These parameters are used to set up a static networking configuration in `/etc/systemd/network/eth.network`. The following static networking parameters are only supported if `ENABLE_DHCP` was set to `false`. The default location of network configuration files in the Debian `stretch` release was changed to `/lib/systemd/network`.
111 111
112 112 #####`NET_ADDRESS`=""
113 113 Set a static IPv4 or IPv6 address and its prefix, separated by "/", eg. "192.169.0.3/24".
114 114
115 115 #####`NET_GATEWAY`=""
116 116 Set the IP address for the default gateway.
117 117
118 118 #####`NET_DNS_1`=""
119 119 Set the IP address for the first DNS server.
120 120
121 121 #####`NET_DNS_2`=""
122 122 Set the IP address for the second DNS server.
123 123
124 124 #####`NET_DNS_DOMAINS`=""
125 125 Set the default DNS search domains to use for non fully qualified host names.
126 126
127 127 #####`NET_NTP_1`=""
128 128 Set the IP address for the first NTP server.
129 129
130 130 #####`NET_NTP_2`=""
131 131 Set the IP address for the second NTP server.
132 132
133 133 #### Basic system features:
134 134 ##### `ENABLE_CONSOLE`=true
135 135 Enable serial console interface. Recommended if no monitor or keyboard is connected to the RPi2/3. In case of problems fe. if the network (auto) configuration failed - the serial console can be used to access the system.
136 136
137 137 ##### `ENABLE_IPV6`=true
138 138 Enable IPv6 support. The network interface configuration is managed via systemd-networkd.
139 139
140 140 ##### `ENABLE_SSHD`=true
141 141 Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root.
142 142
143 143 ##### `ENABLE_NONFREE`=false
144 144 Allow the installation of non-free Debian packages that do not comply with the DFSG. This is required to install closed-source firmware binary blobs.
145 145
146 146 ##### `ENABLE_WIRELESS`=false
147 147 Download and install the [closed-source firmware binary blob](https://github.com/RPi-Distro/firmware-nonfree/tree/master/brcm80211/brcm) that is required to run the internal wireless interface of the Raspberry Pi model `3`. This parameter is ignored if the specified `RPI_MODEL` is not `3`.
148 148
149 149 ##### `ENABLE_RSYSLOG`=true
150 150 If set to false, disable and uninstall rsyslog (so logs will be available only
151 151 in journal files)
152 152
153 153 ##### `ENABLE_SOUND`=true
154 154 Enable sound hardware and install Advanced Linux Sound Architecture.
155 155
156 156 ##### `ENABLE_HWRANDOM`=true
157 157 Enable Hardware Random Number Generator. Strong random numbers are important for most network based communications that use encryption. It's recommended to be enabled.
158 158
159 159 ##### `ENABLE_MINGPU`=false
160 160 Minimize the amount of shared memory reserved for the GPU. It doesn't seem to be possible to fully disable the GPU.
161 161
162 162 ##### `ENABLE_DBUS`=true
163 163 Install and enable D-Bus message bus. Please note that systemd should work without D-bus but it's recommended to be enabled.
164 164
165 165 ##### `ENABLE_XORG`=false
166 166 Install Xorg open-source X Window System.
167 167
168 168 ##### `ENABLE_WM`=""
169 169 Install a user defined window manager for the X Window System. To make sure all X related package dependencies are getting installed `ENABLE_XORG` will automatically get enabled if `ENABLE_WM` is used. The `rpi23-gen-image.sh` script has been tested with the following list of window managers: `blackbox`, `openbox`, `fluxbox`, `jwm`, `dwm`, `xfce4`, `awesome`.
170 170
171 171 #### Advanced system features:
172 172 ##### `ENABLE_MINBASE`=false
173 173 Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB.
174 174
175 175 ##### `ENABLE_REDUCE`=false
176 176 Reduce the disk space usage by deleting packages and files. See `REDUCE_*` parameters for detailed information.
177 177
178 178 ##### `ENABLE_UBOOT`=false
179 179 Replace the default RPi2/3 second stage bootloader (bootcode.bin) with [U-Boot bootloader](http://git.denx.de/?p=u-boot.git;a=summary). U-Boot can boot images via the network using the BOOTP/TFTP protocol.
180 180
181 181 ##### `ENABLE_FBTURBO`=false
182 182 Install and enable the [hardware accelerated Xorg video driver](https://github.com/ssvb/xf86-video-fbturbo) `fbturbo`. Please note that this driver is currently limited to hardware accelerated window moving and scrolling.
183 183
184 184 ##### `ENABLE_IPTABLES`=false
185 185 Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service.
186 186
187 187 ##### `ENABLE_USER`=true
188 188 Create non-root user with password `USER_PASSWORD`=raspberry. Unless overridden with `USER_NAME`=user, username will be `pi`.
189 189
190 190 ##### `USER_NAME`=pi
191 191 Non-root user to create. Ignored if `ENABLE_USER`=false
192 192
193 193 ##### `ENABLE_ROOT`=false
194 194 Set root user password so root login will be enabled
195 195
196 196 ##### `ENABLE_HARDNET`=false
197 197 Enable IPv4/IPv6 network stack hardening settings.
198 198
199 199 ##### `ENABLE_SPLITFS`=false
200 200 Enable having root partition on an USB drive by creating two image files: one for the `/boot/firmware` mount point, and another for `/`.
201 201
202 202 ##### `CHROOT_SCRIPTS`=""
203 203 Path to a directory with scripts that should be run in the chroot before the image is finally built. Every executable file in this directory is run in lexicographical order.
204 204
205 205 ##### `ENABLE_INITRAMFS`=false
206 206 Create an initramfs that that will be loaded during the Linux startup process. `ENABLE_INITRAMFS` will automatically get enabled if `ENABLE_CRYPTFS`=true. This parameter will be ignored if `BUILD_KERNEL`=false.
207 207
208 208 ##### `ENABLE_IFNAMES`=true
209 209 Enable automatic assignment of predictable, stable network interface names for all local Ethernet, WLAN interfaces. This might create complex and long interface names. This parameter is only supported if the Debian release `stretch` is used.
210 210
211 211 #### SSH settings:
212 212 ##### `SSH_ENABLE_ROOT`=false
213 213 Enable password root login via SSH. This may be a security risk with default password, use only in trusted environments. `ENABLE_ROOT` must be set to `true`.
214 214
215 215 ##### `SSH_DISABLE_PASSWORD_AUTH`=false
216 216 Disable password based SSH authentication. Only public key based SSH (v2) authentication will be supported.
217 217
218 218 ##### `SSH_LIMIT_USERS`=false
219 219 Limit the users that are allowed to login via SSH. Only allow user `USER_NAME`=pi and root if `SSH_ENABLE_ROOT`=true to login.
220 220
221 221 ##### `SSH_ROOT_AUTHORIZED_KEYS`=""
222 Add specified SSH `authorized_keys2` file that contains keys for public key based SSH (v2) authentication of user `root`. SSH protocol version 1 is not supported. `ENABLE_ROOT` **and** `SSH_ENABLE_ROOT` must be set to `true`.
222 Add specified SSH `authorized_keys` file that contains keys for public key based SSH (v2) authentication of user `root`. SSH protocol version 1 is not supported. `ENABLE_ROOT` **and** `SSH_ENABLE_ROOT` must be set to `true`.
223 223
224 224 ##### `SSH_ROOT_PUB_KEY`=""
225 Add specified SSH (v2) public key file to `authorized_keys2` file to enable public key based SSH (v2) authentication of user `root`. SSH protocol version 1 is not supported. `ENABLE_ROOT` **and** `SSH_ENABLE_ROOT` must be set to `true`.
225 Add specified SSH (v2) public key file to `authorized_keys` file to enable public key based SSH (v2) authentication of user `root`. SSH protocol version 1 is not supported. `ENABLE_ROOT` **and** `SSH_ENABLE_ROOT` must be set to `true`.
226 226
227 227 ##### `SSH_USER_AUTHORIZED_KEYS`=""
228 Add specified SSH `authorized_keys2` file that contains keys for public key based SSH (v2) authentication of user `USER_NAME`=pi. SSH protocol version 1 is not supported.
228 Add specified SSH `authorized_keys` file that contains keys for public key based SSH (v2) authentication of user `USER_NAME`=pi. SSH protocol version 1 is not supported.
229 229
230 230 ##### `SSH_USER_PUB_KEY`=""
231 Add specified SSH (v2) public key file to `authorized_keys2` file to enable public key based SSH (v2) authentication of user `USER_NAME`=pi. SSH protocol version 1 is not supported.
231 Add specified SSH (v2) public key file to `authorized_keys` file to enable public key based SSH (v2) authentication of user `USER_NAME`=pi. SSH protocol version 1 is not supported.
232 232
233 233 #### Kernel compilation:
234 234 ##### `BUILD_KERNEL`=false
235 235 Build and install the latest RPi2/3 Linux kernel. Currently only the default RPi2/3 kernel configuration is used. `BUILD_KERNEL`=true will automatically be set if the Raspberry Pi model `3` is used.
236 236
237 237 ##### `KERNEL_REDUCE`=false
238 238 Reduce the size of the generated kernel by removing unwanted device, network and filesystem drivers (experimental).
239 239
240 240 ##### `KERNEL_THREADS`=1
241 241 Number of parallel kernel building threads. If the parameter is left untouched the script will automatically determine the number of CPU cores to set the number of parallel threads to speed the kernel compilation.
242 242
243 243 ##### `KERNEL_HEADERS`=true
244 244 Install kernel headers with built kernel.
245 245
246 246 ##### `KERNEL_MENUCONFIG`=false
247 247 Start `make menuconfig` interactive menu-driven kernel configuration. The script will continue after `make menuconfig` was terminated.
248 248
249 249 ##### `KERNEL_REMOVESRC`=true
250 250 Remove all kernel sources from the generated OS image after it was built and installed.
251 251
252 252 ##### `KERNELSRC_DIR`=""
253 253 Path to a directory of [RaspberryPi Linux kernel sources](https://github.com/raspberrypi/linux) that will be copied, configured, build and installed inside the chroot.
254 254
255 255 ##### `KERNELSRC_CLEAN`=false
256 256 Clean the existing kernel sources directory `KERNELSRC_DIR` (using `make mrproper`) after it was copied to the chroot and before the compilation of the kernel has started. This parameter will be ignored if no `KERNELSRC_DIR` was specified or if `KERNELSRC_PREBUILT`=true.
257 257
258 258 ##### `KERNELSRC_CONFIG`=true
259 259 Run `make bcm2709_defconfig` (and optional `make menuconfig`) to configure the kernel sources before building. This parameter is automatically set to `true` if no existing kernel sources directory was specified using `KERNELSRC_DIR`. This parameter is ignored if `KERNELSRC_PREBUILT`=true.
260 260
261 261 ##### `KERNELSRC_USRCONFIG`=""
262 262 Copy own config file to kernel `.config`. If `KERNEL_MENUCONFIG`=true then running after copy.
263 263
264 264 ##### `KERNELSRC_PREBUILT`=false
265 265 With this parameter set to true the script expects the existing kernel sources directory to be already successfully cross-compiled. The parameters `KERNELSRC_CLEAN`, `KERNELSRC_CONFIG`, `KERNELSRC_USRCONFIG` and `KERNEL_MENUCONFIG` are ignored and no kernel compilation tasks are performed.
266 266
267 267 ##### `RPI_FIRMWARE_DIR`=""
268 268 The directory containing a local copy of the firmware from the [RaspberryPi firmware project](https://github.com/raspberrypi/firmware). Default is to download the latest firmware directly from the project.
269 269
270 270 #### Reduce disk usage:
271 271 The following list of parameters is ignored if `ENABLE_REDUCE`=false.
272 272
273 273 ##### `REDUCE_APT`=true
274 274 Configure APT to use compressed package repository lists and no package caching files.
275 275
276 276 ##### `REDUCE_DOC`=true
277 277 Remove all doc files (harsh). Configure APT to not include doc files on future `apt-get` package installations.
278 278
279 279 ##### `REDUCE_MAN`=true
280 280 Remove all man pages and info files (harsh). Configure APT to not include man pages on future `apt-get` package installations.
281 281
282 282 ##### `REDUCE_VIM`=false
283 283 Replace `vim-tiny` package by `levee` a tiny vim clone.
284 284
285 285 ##### `REDUCE_BASH`=false
286 286 Remove `bash` package and switch to `dash` shell (experimental).
287 287
288 288 ##### `REDUCE_HWDB`=true
289 289 Remove PCI related hwdb files (experimental).
290 290
291 291 ##### `REDUCE_SSHD`=true
292 292 Replace `openssh-server` with `dropbear`.
293 293
294 294 ##### `REDUCE_LOCALE`=true
295 295 Remove all `locale` translation files.
296 296
297 297 #### Encrypted root partition:
298 298
299 299 ##### `ENABLE_CRYPTFS`=false
300 300 Enable full system encryption with dm-crypt. Setup a fully LUKS encrypted root partition (aes-xts-plain64:sha512) and generate required initramfs. The /boot directory will not be encrypted. This parameter will be ignored if `BUILD_KERNEL`=false. `ENABLE_CRYPTFS` is experimental. SSH-to-initramfs is currently not supported but will be soon - feel free to help.
301 301
302 302 ##### `CRYPTFS_PASSWORD`=""
303 303 Set password of the encrypted root partition. This parameter is mandatory if `ENABLE_CRYPTFS`=true.
304 304
305 305 ##### `CRYPTFS_MAPPING`="secure"
306 306 Set name of dm-crypt managed device-mapper mapping.
307 307
308 308 ##### `CRYPTFS_CIPHER`="aes-xts-plain64:sha512"
309 309 Set cipher specification string. `aes-xts*` ciphers are strongly recommended.
310 310
311 311 ##### `CRYPTFS_XTSKEYSIZE`=512
312 312 Sets key size in bits. The argument has to be a multiple of 8.
313 313
314 314 ## Understanding the script
315 315 The functions of this script that are required for the different stages of the bootstrapping are split up into single files located inside the `bootstrap.d` directory. During the bootstrapping every script in this directory gets executed in lexicographical order:
316 316
317 317 | Script | Description |
318 318 | --- | --- |
319 319 | `10-bootstrap.sh` | Debootstrap basic system |
320 320 | `11-apt.sh` | Setup APT repositories |
321 321 | `12-locale.sh` | Setup Locales and keyboard settings |
322 322 | `13-kernel.sh` | Build and install RPi2/3 Kernel |
323 323 | `20-networking.sh` | Setup Networking |
324 324 | `21-firewall.sh` | Setup Firewall |
325 325 | `30-security.sh` | Setup Users and Security settings |
326 326 | `31-logging.sh` | Setup Logging |
327 327 | `32-sshd.sh` | Setup SSH and public keys |
328 328 | `41-uboot.sh` | Build and Setup U-Boot |
329 329 | `42-fbturbo.sh` | Build and Setup fbturbo Xorg driver |
330 330 | `50-firstboot.sh` | First boot actions |
331 331 | `99-reduce.sh` | Reduce the disk space usage |
332 332
333 333 All the required configuration files that will be copied to the generated OS image are located inside the `files` directory. It is not recommended to modify these configuration files manually.
334 334
335 335 | Directory | Description |
336 336 | --- | --- |
337 337 | `apt` | APT management configuration files |
338 338 | `boot` | Boot and RPi2/3 configuration files |
339 339 | `dpkg` | Package Manager configuration |
340 340 | `etc` | Configuration files and rc scripts |
341 341 | `firstboot` | Scripts that get executed on first boot |
342 342 | `initramfs` | Initramfs scripts |
343 343 | `iptables` | Firewall configuration files |
344 344 | `locales` | Locales configuration |
345 345 | `modules` | Kernel Modules configuration |
346 346 | `mount` | Fstab configuration |
347 347 | `network` | Networking configuration files |
348 348 | `sysctl.d` | Swapping and Network Hardening configuration |
349 349 | `xorg` | fbturbo Xorg driver configuration |
350 350
351 351 ## Custom packages and scripts
352 352 Debian custom packages, i.e. those not in the debian repositories, can be installed by placing them in the `packages` directory. They are installed immediately after packages from the repositories are installed. Any dependencies listed in the custom packages will be downloaded automatically from the repositories. Do not list these custom packages in `APT_INCLUDES`.
353 353
354 354 Scripts in the custom.d directory will be executed after all other installation is complete but before the image is created.
355 355
356 356 ## Logging of the bootstrapping process
357 357 All information related to the bootstrapping process and the commands executed by the `rpi23-gen-image.sh` script can easily be saved into a logfile. The common shell command `script` can be used for this purpose:
358 358
359 359 ```shell
360 360 script -c 'APT_SERVER=ftp.de.debian.org ./rpi23-gen-image.sh' ./build.log
361 361 ```
362 362
363 363 ## Flashing the image file
364 364 After the image file was successfully created by the `rpi23-gen-image.sh` script it can be copied to the microSD card that will be used by the RPi2/3 computer. This can be performed by using the tools `bmaptool` or `dd`. Using `bmaptool` will probably speed-up the copy process because `bmaptool` copies more wisely than `dd`.
365 365
366 366 #####Flashing examples:
367 367 ```shell
368 368 bmaptool copy ./images/jessie/2017-01-23-rpi3-jessie.img /dev/mmcblk0
369 369 dd bs=4M if=./images/jessie/2017-01-23-rpi3-jessie.img of=/dev/mmcblk0
370 370 ```
371 371 If you have set `ENABLE_SPLITFS`, copy the `-frmw` image on the microSD card, then the `-root` one on the USB drive:
372 372 ```shell
373 373 bmaptool copy ./images/jessie/2017-01-23-rpi3-jessie-frmw.img /dev/mmcblk0
374 374 bmaptool copy ./images/jessie/2017-01-23-rpi3-jessie-root.img /dev/sdc
375 375 ```
376 376
377 377 ## External links and references
378 378 * [Debian worldwide mirror sites](https://www.debian.org/mirror/list)
379 379 * [Debian Raspberry Pi 2 Wiki](https://wiki.debian.org/RaspberryPi2)
380 380 * [Debian CrossToolchains Wiki](https://wiki.debian.org/CrossToolchains)
381 381 * [Official Raspberry Pi Firmware on github](https://github.com/raspberrypi/firmware)
382 382 * [Official Raspberry Pi Kernel on github](https://github.com/raspberrypi/linux)
383 383 * [U-BOOT git repository](http://git.denx.de/?p=u-boot.git;a=summary)
384 384 * [Xorg DDX driver fbturbo](https://github.com/ssvb/xf86-video-fbturbo)
385 385 * [RPi3 Wireless interface firmware](https://github.com/RPi-Distro/firmware-nonfree/tree/master/brcm80211/brcm)
386 386 * [Collabora RPi2 Kernel precompiled](https://repositories.collabora.co.uk/debian/)
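Review bot: the four README entries for `SSH_ROOT_AUTHORIZED_KEYS`, `SSH_ROOT_PUB_KEY`, `SSH_USER_AUTHORIZED_KEYS` and `SSH_USER_PUB_KEY` now name the same file that `32-sshd.sh` writes, so the documentation and the script agree again. One wording point: the `*_AUTHORIZED_KEYS` and `*_PUB_KEY` descriptions read as if the two parameters were alternatives, but the script installs the first file and then appends the second key to it; a sentence such as "If both parameters are given, the public key is appended to the installed `authorized_keys` file" would make clear that the options combine rather than conflict.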
@@ -1,99 +1,99
1 1 #
2 2 # Setup SSH settings and public keys
3 3 #
4 4
5 5 # Load utility functions
6 6 . ./functions.sh
7 7
8 8 if [ "$ENABLE_SSHD" = true ] ; then
9 9 if [ "$SSH_ENABLE_ROOT" = false ] ; then
10 10 # User root is not allowed to log in
11 11 sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin no|g" "${ETC_DIR}/ssh/sshd_config"
12 12 fi
13 13
14 14 if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then
15 15 # Permit SSH root login
16 16 sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin yes|g" "${ETC_DIR}/ssh/sshd_config"
17 17
18 18 # Create root SSH config directory
19 19 mkdir -p "${R}/root/.ssh"
20 20
21 21 # Set permissions of root SSH config directory
22 22 chroot_exec chmod 700 "/root/.ssh"
23 23 chroot_exec chown root:root "/root/.ssh"
24 24
25 25 # Install SSH (v2) authorized keys file for user root
26 26 if [ ! -z "$SSH_ROOT_AUTHORIZED_KEYS" ] ; then
27 install_readonly "$SSH_ROOT_AUTHORIZED_KEYS" "${R}/root/.ssh/authorized_keys2"
27 install_readonly "$SSH_ROOT_AUTHORIZED_KEYS" "${R}/root/.ssh/authorized_keys"
28 28 fi
29 29
30 30 # Add SSH (v2) public key for user root
31 31 if [ ! -z "$SSH_ROOT_PUB_KEY" ] ; then
32 cat "$SSH_ROOT_PUB_KEY" >> "${R}/root/.ssh/authorized_keys2"
32 cat "$SSH_ROOT_PUB_KEY" >> "${R}/root/.ssh/authorized_keys"
33 33 fi
34 34
35 35 # Set permissions of root SSH authorized keys file
36 if [ -f "${R}/root/.ssh/authorized_keys2" ] ; then
37 chroot_exec chmod 600 "/root/.ssh/authorized_keys2"
38 chroot_exec chown root:root "/root/.ssh/authorized_keys2"
36 if [ -f "${R}/root/.ssh/authorized_keys" ] ; then
37 chroot_exec chmod 600 "/root/.ssh/authorized_keys"
38 chroot_exec chown root:root "/root/.ssh/authorized_keys"
39 39
40 40 # Allow SSH public key authentication
41 41 sed -i "s|[#]*PubkeyAuthentication.*|PubkeyAuthentication yes|g" "${ETC_DIR}/ssh/sshd_config"
42 42 fi
43 43 fi
44 44
45 45 if [ "$ENABLE_USER" = true ] ; then
46 46 # Create $USER_NAME SSH config directory
47 47 mkdir -p "${R}/home/${USER_NAME}/.ssh"
48 48
49 49 # Set permissions of $USER_NAME SSH config directory
50 50 chroot_exec chmod 700 "/home/${USER_NAME}/.ssh"
51 51 chroot_exec chown ${USER_NAME}:${USER_NAME} "/home/${USER_NAME}/.ssh"
52 52
53 53 # Install SSH (v2) authorized keys file for user $USER_NAME
54 54 if [ ! -z "$SSH_USER_AUTHORIZED_KEYS" ] ; then
55 install_readonly "$SSH_USER_AUTHORIZED_KEYS" "${R}/home/${USER_NAME}/.ssh/authorized_keys2"
55 install_readonly "$SSH_USER_AUTHORIZED_KEYS" "${R}/home/${USER_NAME}/.ssh/authorized_keys"
56 56 fi
57 57
58 58 # Add SSH (v2) public key for user $USER_NAME
59 59 if [ ! -z "$SSH_USER_PUB_KEY" ] ; then
60 cat "$SSH_USER_PUB_KEY" >> "${R}/home/${USER_NAME}/.ssh/authorized_keys2"
60 cat "$SSH_USER_PUB_KEY" >> "${R}/home/${USER_NAME}/.ssh/authorized_keys"
61 61 fi
62 62
63 63 # Set permissions of $USER_NAME SSH authorized keys file
64 if [ -f "${R}/home/${USER_NAME}/.ssh/authorized_keys2" ] ; then
65 chroot_exec chmod 600 "/home/${USER_NAME}/.ssh/authorized_keys2"
66 chroot_exec chown ${USER_NAME}:${USER_NAME} "/home/${USER_NAME}/.ssh/authorized_keys2"
64 if [ -f "${R}/home/${USER_NAME}/.ssh/authorized_keys" ] ; then
65 chroot_exec chmod 600 "/home/${USER_NAME}/.ssh/authorized_keys"
66 chroot_exec chown ${USER_NAME}:${USER_NAME} "/home/${USER_NAME}/.ssh/authorized_keys"
67 67
68 68 # Allow SSH public key authentication
69 69 sed -i "s|[#]*PubkeyAuthentication.*|PubkeyAuthentication yes|g" "${ETC_DIR}/ssh/sshd_config"
70 70 fi
71 71 fi
72 72
73 73 # Limit the users that are allowed to login via SSH
74 74 if [ "$SSH_LIMIT_USERS" = true ] ; then
75 75 allowed_users=""
76 76 if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then
77 77 allowed_users="root"
78 78 fi
79 79
80 80 if [ "$ENABLE_USER" = true ] ; then
81 81 allowed_users="${allowed_users} ${USER_NAME}"
82 82 fi
83 83
84 84 if [ ! -z "$allowed_users" ] ; then
85 85 echo "AllowUsers ${allowed_users}" >> "${ETC_DIR}/ssh/sshd_config"
86 86 fi
87 87 fi
88 88
89 89 # Disable password-based authentication
90 90 if [ "$SSH_DISABLE_PASSWORD_AUTH" = true ] ; then
91 91 if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then
92 92 sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin without-password|g" "${ETC_DIR}/ssh/sshd_config"
93 93 fi
94 94
95 95 sed -i "s|[#]*PasswordAuthentication.*|PasswordAuthentication no|g" "${ETC_DIR}/ssh/sshd_config"
96 96 sed -i "s|[#]*ChallengeResponseAuthentication no.*|ChallengeResponseAuthentication no|g" "${ETC_DIR}/ssh/sshd_config"
97 97 sed -i "s|[#]*UsePAM.*|UsePAM no|g" "${ETC_DIR}/ssh/sshd_config"
98 98 fi
99 99 fi
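Review bot: in both the root and the `$USER_NAME` blocks the file installed with `install_readonly "$SSH_*_AUTHORIZED_KEYS" ".../authorized_keys"` is immediately appended to with `cat "$SSH_*_PUB_KEY" >> ".../authorized_keys"`; if the user-supplied file does not end with a newline, the appended public key is glued onto its last line and sshd will reject both entries. Adding a newline guard before the `cat`, for example `f="${R}/root/.ssh/authorized_keys"; [ -f "$f" ] && [ -n "$(tail -c1 "$f")" ] && echo >> "$f"`, avoids that. Not part of this change but in the same file: the pattern `s|[#]*ChallengeResponseAuthentication no.*|ChallengeResponseAuthentication no|g` only matches a line that already says `no`, so an existing `ChallengeResponseAuthentication yes` is left untouched; `[#]*ChallengeResponseAuthentication.*` would match both, in line with the `PasswordAuthentication` and `UsePAM` substitutions next to it.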
@@ -1,621 +1,621
1 1 #!/bin/sh
2 2
3 3 ########################################################################
4 4 # rpi23-gen-image.sh 2015-2017
5 5 #
6 6 # Advanced Debian "jessie" and "stretch" bootstrap script for RPi2/3
7 7 #
8 8 # This program is free software; you can redistribute it and/or
9 9 # modify it under the terms of the GNU General Public License
10 10 # as published by the Free Software Foundation; either version 2
11 11 # of the License, or (at your option) any later version.
12 12 #
13 13 # Copyright (C) 2015 Jan Wagner <mail@jwagner.eu>
14 14 #
15 15 # Big thanks for patches and enhancements by 10+ github contributors!
16 16 ########################################################################
17 17
18 18 # Are we running as root?
19 19 if [ "$(id -u)" -ne "0" ] ; then
20 20 echo "error: this script must be executed with root privileges!"
21 21 exit 1
22 22 fi
23 23
24 24 # Check if ./functions.sh script exists
25 25 if [ ! -r "./functions.sh" ] ; then
26 26 echo "error: './functions.sh' required script not found!"
27 27 exit 1
28 28 fi
29 29
30 30 # Load utility functions
31 31 . ./functions.sh
32 32
33 33 # Load parameters from configuration template file
34 34 if [ ! -z "$CONFIG_TEMPLATE" ] ; then
35 35 use_template
36 36 fi
37 37
38 38 # Introduce settings
39 39 set -e
40 40 echo -n -e "\n#\n# RPi2/3 Bootstrap Settings\n#\n"
41 41 set -x
42 42
43 43 # Raspberry Pi model configuration
44 44 RPI_MODEL=${RPI_MODEL:=2}
45 45 RPI2_DTB_FILE=${RPI2_DTB_FILE:=bcm2709-rpi-2-b.dtb}
46 46 RPI2_UBOOT_CONFIG=${RPI2_UBOOT_CONFIG:=rpi_2_defconfig}
47 47 RPI3_DTB_FILE=${RPI3_DTB_FILE:=bcm2710-rpi-3-b.dtb}
48 48 RPI3_UBOOT_CONFIG=${RPI3_UBOOT_CONFIG:=rpi_3_32b_defconfig}
49 49
50 50 # Debian release
51 51 RELEASE=${RELEASE:=jessie}
52 52 KERNEL_ARCH=${KERNEL_ARCH:=arm}
53 53 RELEASE_ARCH=${RELEASE_ARCH:=armhf}
54 54 CROSS_COMPILE=${CROSS_COMPILE:=arm-linux-gnueabihf-}
55 55 COLLABORA_KERNEL=${COLLABORA_KERNEL:=3.18.0-trunk-rpi2}
56 56 KERNEL_DEFCONFIG=${KERNEL_DEFCONFIG:=bcm2709_defconfig}
57 57 KERNEL_IMAGE=${KERNEL_IMAGE:=kernel7.img}
58 58 QEMU_BINARY=${QEMU_BINARY:=/usr/bin/qemu-arm-static}
59 59
60 60 # URLs
61 61 KERNEL_URL=${KERNEL_URL:=https://github.com/raspberrypi/linux}
62 62 FIRMWARE_URL=${FIRMWARE_URL:=https://github.com/raspberrypi/firmware/raw/master/boot}
63 63 WLAN_FIRMWARE_URL=${WLAN_FIRMWARE_URL:=https://github.com/RPi-Distro/firmware-nonfree/raw/master/brcm80211/brcm}
64 64 COLLABORA_URL=${COLLABORA_URL:=https://repositories.collabora.co.uk/debian}
65 65 FBTURBO_URL=${FBTURBO_URL:=https://github.com/ssvb/xf86-video-fbturbo.git}
66 66 UBOOT_URL=${UBOOT_URL:=git://git.denx.de/u-boot.git}
67 67
68 68 # Build directories
69 69 BASEDIR="$(pwd)/images/${RELEASE}"
70 70 BUILDDIR="${BASEDIR}/build"
71 71
72 72 # Chroot directories
73 73 R="${BUILDDIR}/chroot"
74 74 ETC_DIR="${R}/etc"
75 75 LIB_DIR="${R}/lib"
76 76 BOOT_DIR="${R}/boot/firmware"
77 77 KERNEL_DIR="${R}/usr/src/linux"
78 78 WLAN_FIRMWARE_DIR="${R}/lib/firmware/brcm"
79 79
80 80 # Firmware directory: Blank if download from github
81 81 RPI_FIRMWARE_DIR=${RPI_FIRMWARE_DIR:=""}
82 82
83 83 # General settings
84 84 HOSTNAME=${HOSTNAME:=rpi${RPI_MODEL}-${RELEASE}}
85 85 PASSWORD=${PASSWORD:=raspberry}
86 86 USER_PASSWORD=${USER_PASSWORD:=raspberry}
87 87 DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
88 88 TIMEZONE=${TIMEZONE:="Europe/Berlin"}
89 89 EXPANDROOT=${EXPANDROOT:=true}
90 90
91 91 # Keyboard settings
92 92 XKB_MODEL=${XKB_MODEL:=""}
93 93 XKB_LAYOUT=${XKB_LAYOUT:=""}
94 94 XKB_VARIANT=${XKB_VARIANT:=""}
95 95 XKB_OPTIONS=${XKB_OPTIONS:=""}
96 96
97 97 # Network settings (DHCP)
98 98 ENABLE_DHCP=${ENABLE_DHCP:=true}
99 99
100 100 # Network settings (static)
101 101 NET_ADDRESS=${NET_ADDRESS:=""}
102 102 NET_GATEWAY=${NET_GATEWAY:=""}
103 103 NET_DNS_1=${NET_DNS_1:=""}
104 104 NET_DNS_2=${NET_DNS_2:=""}
105 105 NET_DNS_DOMAINS=${NET_DNS_DOMAINS:=""}
106 106 NET_NTP_1=${NET_NTP_1:=""}
107 107 NET_NTP_2=${NET_NTP_2:=""}
108 108
109 109 # APT settings
110 110 APT_PROXY=${APT_PROXY:=""}
111 111 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
112 112
113 113 # Feature settings
114 114 ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
115 115 ENABLE_IPV6=${ENABLE_IPV6:=true}
116 116 ENABLE_SSHD=${ENABLE_SSHD:=true}
117 117 ENABLE_NONFREE=${ENABLE_NONFREE:=false}
118 118 ENABLE_WIRELESS=${ENABLE_WIRELESS:=false}
119 119 ENABLE_SOUND=${ENABLE_SOUND:=true}
120 120 ENABLE_DBUS=${ENABLE_DBUS:=true}
121 121 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
122 122 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
123 123 ENABLE_XORG=${ENABLE_XORG:=false}
124 124 ENABLE_WM=${ENABLE_WM:=""}
125 125 ENABLE_RSYSLOG=${ENABLE_RSYSLOG:=true}
126 126 ENABLE_USER=${ENABLE_USER:=true}
127 127 USER_NAME=${USER_NAME:="pi"}
128 128 ENABLE_ROOT=${ENABLE_ROOT:=false}
129 129
130 130 # SSH settings
131 131 SSH_ENABLE_ROOT=${SSH_ENABLE_ROOT:=false}
132 132 SSH_DISABLE_PASSWORD_AUTH=${SSH_DISABLE_PASSWORD_AUTH:=false}
133 133 SSH_LIMIT_USERS=${SSH_LIMIT_USERS:=false}
134 134 SSH_ROOT_AUTHORIZED_KEYS=${SSH_ROOT_AUTHORIZED_KEYS:=""}
135 135 SSH_USER_AUTHORIZED_KEYS=${SSH_USER_AUTHORIZED_KEYS:=""}
136 136 SSH_ROOT_PUB_KEY=${SSH_ROOT_PUB_KEY:=""}
137 137 SSH_USER_PUB_KEY=${SSH_USER_PUB_KEY:=""}
138 138
139 139 # Advanced settings
140 140 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
141 141 ENABLE_REDUCE=${ENABLE_REDUCE:=false}
142 142 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
143 143 ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
144 144 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
145 145 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
146 146 ENABLE_SPLITFS=${ENABLE_SPLITFS:=false}
147 147 ENABLE_INITRAMFS=${ENABLE_INITRAMFS:=false}
148 148 ENABLE_IFNAMES=${ENABLE_IFNAMES:=true}
149 149
150 150 # Kernel compilation settings
151 151 BUILD_KERNEL=${BUILD_KERNEL:=false}
152 152 KERNEL_REDUCE=${KERNEL_REDUCE:=false}
153 153 KERNEL_THREADS=${KERNEL_THREADS:=1}
154 154 KERNEL_HEADERS=${KERNEL_HEADERS:=true}
155 155 KERNEL_MENUCONFIG=${KERNEL_MENUCONFIG:=false}
156 156 KERNEL_REMOVESRC=${KERNEL_REMOVESRC:=true}
157 157
158 158 # Kernel compilation from source directory settings
159 159 KERNELSRC_DIR=${KERNELSRC_DIR:=""}
160 160 KERNELSRC_CLEAN=${KERNELSRC_CLEAN:=false}
161 161 KERNELSRC_CONFIG=${KERNELSRC_CONFIG:=true}
162 162 KERNELSRC_PREBUILT=${KERNELSRC_PREBUILT:=false}
163 163
164 164 # Reduce disk usage settings
165 165 REDUCE_APT=${REDUCE_APT:=true}
166 166 REDUCE_DOC=${REDUCE_DOC:=true}
167 167 REDUCE_MAN=${REDUCE_MAN:=true}
168 168 REDUCE_VIM=${REDUCE_VIM:=false}
169 169 REDUCE_BASH=${REDUCE_BASH:=false}
170 170 REDUCE_HWDB=${REDUCE_HWDB:=true}
171 171 REDUCE_SSHD=${REDUCE_SSHD:=true}
172 172 REDUCE_LOCALE=${REDUCE_LOCALE:=true}
173 173
174 174 # Encrypted filesystem settings
175 175 ENABLE_CRYPTFS=${ENABLE_CRYPTFS:=false}
176 176 CRYPTFS_PASSWORD=${CRYPTFS_PASSWORD:=""}
177 177 CRYPTFS_MAPPING=${CRYPTFS_MAPPING:="secure"}
178 178 CRYPTFS_CIPHER=${CRYPTFS_CIPHER:="aes-xts-plain64:sha512"}
179 179 CRYPTFS_XTSKEYSIZE=${CRYPTFS_XTSKEYSIZE:=512}
180 180
181 181 # Stop the Crypto Wars
182 182 DISABLE_FBI=${DISABLE_FBI:=false}
183 183
184 184 # Chroot scripts directory
185 185 CHROOT_SCRIPTS=${CHROOT_SCRIPTS:=""}
186 186
187 187 # Packages required in the chroot build environment
188 188 APT_INCLUDES=${APT_INCLUDES:=""}
189 189 APT_INCLUDES="${APT_INCLUDES},apt-transport-https,apt-utils,ca-certificates,debian-archive-keyring,dialog,sudo,systemd,sysvinit-utils"
190 190
191 191 # Packages required for bootstrapping
192 192 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git bc psmisc"
193 193 MISSING_PACKAGES=""
194 194
195 195 set +x
196 196
197 197 # Set Raspberry Pi model specific configuration
198 198 if [ "$RPI_MODEL" = 2 ] ; then
199 199 DTB_FILE=${RPI2_DTB_FILE}
200 200 UBOOT_CONFIG=${RPI2_UBOOT_CONFIG}
201 201 elif [ "$RPI_MODEL" = 3 ] ; then
202 202 DTB_FILE=${RPI3_DTB_FILE}
203 203 UBOOT_CONFIG=${RPI3_UBOOT_CONFIG}
204 204 BUILD_KERNEL=true
205 205 else
206 206 echo "error: Raspberry Pi model ${RPI_MODEL} is not supported!"
207 207 exit 1
208 208 fi
209 209
210 210 # Check if the internal wireless interface is supported by the RPi model
211 211 if [ "$ENABLE_WIRELESS" = true ] && [ "$RPI_MODEL" != 3 ] ; then
212 212 echo "error: The selected Raspberry Pi model has no internal wireless interface"
213 213 exit 1
214 214 fi
215 215
216 216 # Set compiler packages and build RPi2/3 Linux kernel if required by Debian release
217 217 if [ "$RELEASE" = "jessie" ] ; then
218 218 COMPILER_PACKAGES="linux-compiler-gcc-4.8-arm g++ make bc"
219 219 elif [ "$RELEASE" = "stretch" ] ; then
220 220 COMPILER_PACKAGES="linux-compiler-gcc-5-arm g++ make bc"
221 221 BUILD_KERNEL=true
222 222 else
223 223 echo "error: Debian release ${RELEASE} is not supported!"
224 224 exit 1
225 225 fi
226 226
227 227 # Add packages required for kernel cross compilation
228 228 if [ "$BUILD_KERNEL" = true ] ; then
229 229 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} crossbuild-essential-armhf"
230 230 fi
231 231
232 232 # Add libncurses5 to enable kernel menuconfig
233 233 if [ "$KERNEL_MENUCONFIG" = true ] ; then
234 234 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} libncurses5-dev"
235 235 fi
236 236
237 237 # Stop the Crypto Wars
238 238 if [ "$DISABLE_FBI" = true ] ; then
239 239 ENABLE_CRYPTFS=true
240 240 fi
241 241
242 242 # Add cryptsetup package to enable filesystem encryption
243 243 if [ "$ENABLE_CRYPTFS" = true ] && [ "$BUILD_KERNEL" = true ] ; then
244 244 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} cryptsetup"
245 245 APT_INCLUDES="${APT_INCLUDES},cryptsetup"
246 246
247 247 if [ -z "$CRYPTFS_PASSWORD" ] ; then
248 248 echo "error: no password defined (CRYPTFS_PASSWORD)!"
249 249 exit 1
250 250 fi
251 251 ENABLE_INITRAMFS=true
252 252 fi
253 253
254 254 # Add initramfs generation tools
255 255 if [ "$ENABLE_INITRAMFS" = true ] && [ "$BUILD_KERNEL" = true ] ; then
256 256 APT_INCLUDES="${APT_INCLUDES},initramfs-tools"
257 257 fi
258 258
259 259 # Add device-tree-compiler required for building the U-Boot bootloader
260 260 if [ "$ENABLE_UBOOT" = true ] ; then
261 261 APT_INCLUDES="${APT_INCLUDES},device-tree-compiler"
262 262 fi
263 263
264 # Check if root SSH (v2) authorized keys file exists
264 # Check if root SSH authorized keys file exists
265 265 if [ ! -z "$SSH_ROOT_AUTHORIZED_KEYS" ] ; then
266 266 if [ ! -f "$SSH_ROOT_AUTHORIZED_KEYS" ] ; then
267 267 echo "error: '$SSH_ROOT_AUTHORIZED_KEYS' specified SSH authorized keys file not found (SSH_ROOT_AUTHORIZED_KEYS)!"
268 268 exit 1
269 269 fi
270 270 fi
271 271
272 # Check if $USER_NAME SSH (v2) authorized keys file exists
272 # Check if $USER_NAME SSH authorized keys file exists
273 273 if [ ! -z "$SSH_USER_AUTHORIZED_KEYS" ] ; then
274 274 if [ ! -f "$SSH_USER_AUTHORIZED_KEYS" ] ; then
275 275 echo "error: '$SSH_USER_AUTHORIZED_KEYS' specified SSH authorized keys file not found (SSH_USER_AUTHORIZED_KEYS)!"
276 276 exit 1
277 277 fi
278 278 fi
279 279
280 280 # Check if root SSH (v2) public key file exists
281 281 if [ ! -z "$SSH_ROOT_PUB_KEY" ] ; then
282 282 if [ ! -f "$SSH_ROOT_PUB_KEY" ] ; then
283 283 echo "error: '$SSH_ROOT_PUB_KEY' specified SSH public key file not found (SSH_ROOT_PUB_KEY)!"
284 284 exit 1
285 285 fi
286 286 fi
287 287
288 288 # Check if $USER_NAME SSH (v2) public key file exists
289 289 if [ ! -z "$SSH_USER_PUB_KEY" ] ; then
290 290 if [ ! -f "$SSH_USER_PUB_KEY" ] ; then
291 291 echo "error: '$SSH_USER_PUB_KEY' specified SSH public key file not found (SSH_USER_PUB_KEY)!"
292 292 exit 1
293 293 fi
294 294 fi
295 295
296 296 # Check if all required packages are installed on the build system
297 297 for package in $REQUIRED_PACKAGES ; do
298 298 if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
299 299 MISSING_PACKAGES="${MISSING_PACKAGES} $package"
300 300 fi
301 301 done
302 302
303 303 # If there are missing packages ask confirmation for install, or exit
304 304 if [ -n "$MISSING_PACKAGES" ] ; then
305 305 echo "the following packages needed by this script are not installed:"
306 306 echo "$MISSING_PACKAGES"
307 307
308 308 echo -n "\ndo you want to install the missing packages right now? [y/n] "
309 309 read confirm
310 310 [ "$confirm" != "y" ] && exit 1
311 311
312 312 # Make sure all missing required packages are installed
313 313 apt-get -qq -y install ${MISSING_PACKAGES}
314 314 fi
315 315
316 316 # Check if ./bootstrap.d directory exists
317 317 if [ ! -d "./bootstrap.d/" ] ; then
318 318 echo "error: './bootstrap.d' required directory not found!"
319 319 exit 1
320 320 fi
321 321
322 322 # Check if ./files directory exists
323 323 if [ ! -d "./files/" ] ; then
324 324 echo "error: './files' required directory not found!"
325 325 exit 1
326 326 fi
327 327
328 328 # Check if specified KERNELSRC_DIR directory exists
329 329 if [ -n "$KERNELSRC_DIR" ] && [ ! -d "$KERNELSRC_DIR" ] ; then
330 330 echo "error: '${KERNELSRC_DIR}' specified directory not found (KERNELSRC_DIR)!"
331 331 exit 1
332 332 fi
333 333
334 334 # Check if specified CHROOT_SCRIPTS directory exists
335 335 if [ -n "$CHROOT_SCRIPTS" ] && [ ! -d "$CHROOT_SCRIPTS" ] ; then
336 336 echo "error: ${CHROOT_SCRIPTS} specified directory not found (CHROOT_SCRIPTS)!"
337 337 exit 1
338 338 fi
339 339
340 340 # Check if specified device mapping already exists (will be used by cryptsetup)
341 341 if [ -r "/dev/mapping/${CRYPTFS_MAPPING}" ] ; then
342 342 echo "error: mapping /dev/mapping/${CRYPTFS_MAPPING} already exists, not proceeding"
343 343 exit 1
344 344 fi
345 345
346 346 # Don't clobber an old build
347 347 if [ -e "$BUILDDIR" ] ; then
348 348 echo "error: directory ${BUILDDIR} already exists, not proceeding"
349 349 exit 1
350 350 fi
351 351
352 352 # Setup chroot directory
353 353 mkdir -p "${R}"
354 354
355 355 # Check if build directory has enough of free disk space >512MB
356 356 if [ "$(df --output=avail ${BUILDDIR} | sed "1d")" -le "524288" ] ; then
357 357 echo "error: ${BUILDDIR} not enough space left to generate the output image!"
358 358 exit 1
359 359 fi
360 360
361 361 set -x
362 362
363 363 # Call "cleanup" function on various signals and errors
364 364 trap cleanup 0 1 2 3 6
365 365
366 366 # Add required packages for the minbase installation
367 367 if [ "$ENABLE_MINBASE" = true ] ; then
368 368 APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools,ifupdown"
369 369 fi
370 370
371 371 # Add required locales packages
372 372 if [ "$DEFLOCAL" != "en_US.UTF-8" ] ; then
373 373 APT_INCLUDES="${APT_INCLUDES},locales,keyboard-configuration,console-setup"
374 374 fi
375 375
376 376 # Add parted package, required to get partprobe utility
377 377 if [ "$EXPANDROOT" = true ] ; then
378 378 APT_INCLUDES="${APT_INCLUDES},parted"
379 379 fi
380 380
381 381 # Add dbus package, recommended if using systemd
382 382 if [ "$ENABLE_DBUS" = true ] ; then
383 383 APT_INCLUDES="${APT_INCLUDES},dbus"
384 384 fi
385 385
386 386 # Add iptables IPv4/IPv6 package
387 387 if [ "$ENABLE_IPTABLES" = true ] ; then
388 388 APT_INCLUDES="${APT_INCLUDES},iptables"
389 389 fi
390 390
391 391 # Add openssh server package
392 392 if [ "$ENABLE_SSHD" = true ] ; then
393 393 APT_INCLUDES="${APT_INCLUDES},openssh-server"
394 394 fi
395 395
396 396 # Add alsa-utils package
397 397 if [ "$ENABLE_SOUND" = true ] ; then
398 398 APT_INCLUDES="${APT_INCLUDES},alsa-utils"
399 399 fi
400 400
401 401 # Add rng-tools package
402 402 if [ "$ENABLE_HWRANDOM" = true ] ; then
403 403 APT_INCLUDES="${APT_INCLUDES},rng-tools"
404 404 fi
405 405
406 406 # Add fbturbo video driver
407 407 if [ "$ENABLE_FBTURBO" = true ] ; then
408 408 # Enable xorg package dependencies
409 409 ENABLE_XORG=true
410 410 fi
411 411
412 412 # Add user defined window manager package
413 413 if [ -n "$ENABLE_WM" ] ; then
414 414 APT_INCLUDES="${APT_INCLUDES},${ENABLE_WM}"
415 415
416 416 # Enable xorg package dependencies
417 417 ENABLE_XORG=true
418 418 fi
419 419
420 420 # Add xorg package
421 421 if [ "$ENABLE_XORG" = true ] ; then
422 422 APT_INCLUDES="${APT_INCLUDES},xorg"
423 423 fi
424 424
425 425 # Replace selected packages with smaller clones
426 426 if [ "$ENABLE_REDUCE" = true ] ; then
427 427 # Add levee package instead of vim-tiny
428 428 if [ "$REDUCE_VIM" = true ] ; then
429 429 APT_INCLUDES="$(echo ${APT_INCLUDES} | sed "s/vim-tiny/levee/")"
430 430 fi
431 431
432 432 # Add dropbear package instead of openssh-server
433 433 if [ "$REDUCE_SSHD" = true ] ; then
434 434 APT_INCLUDES="$(echo ${APT_INCLUDES} | sed "s/openssh-server/dropbear/")"
435 435 fi
436 436 fi
437 437
438 438 # Configure kernel sources if no KERNELSRC_DIR
439 439 if [ "$BUILD_KERNEL" = true ] && [ -z "$KERNELSRC_DIR" ] ; then
440 440 KERNELSRC_CONFIG=true
441 441 fi
442 442
443 443 # Configure reduced kernel
444 444 if [ "$KERNEL_REDUCE" = true ] ; then
445 445 KERNELSRC_CONFIG=false
446 446 fi
447 447
448 448 # Execute bootstrap scripts
449 449 for SCRIPT in bootstrap.d/*.sh; do
450 450 head -n 3 "$SCRIPT"
451 451 . "$SCRIPT"
452 452 done
453 453
454 454 ## Execute custom bootstrap scripts
455 455 if [ -d "custom.d" ] ; then
456 456 for SCRIPT in custom.d/*.sh; do
457 457 . "$SCRIPT"
458 458 done
459 459 fi
460 460
461 461 # Execute custom scripts inside the chroot
462 462 if [ -n "$CHROOT_SCRIPTS" ] && [ -d "$CHROOT_SCRIPTS" ] ; then
463 463 cp -r "${CHROOT_SCRIPTS}" "${R}/chroot_scripts"
464 464 chroot_exec /bin/bash -x <<'EOF'
465 465 for SCRIPT in /chroot_scripts/* ; do
466 466 if [ -f $SCRIPT -a -x $SCRIPT ] ; then
467 467 $SCRIPT
468 468 fi
469 469 done
470 470 EOF
471 471 rm -rf "${R}/chroot_scripts"
472 472 fi
473 473
474 474 # Remove apt-utils
475 475 if [ "$RELEASE" = "jessie" ] ; then
476 476 chroot_exec apt-get purge -qq -y --force-yes apt-utils
477 477 fi
478 478
479 479 # Generate required machine-id
480 480 MACHINE_ID=$(dbus-uuidgen)
481 481 echo -n "${MACHINE_ID}" > "${R}/var/lib/dbus/machine-id"
482 482 echo -n "${MACHINE_ID}" > "${ETC_DIR}/machine-id"
483 483
484 484 # APT Cleanup
485 485 chroot_exec apt-get -y clean
486 486 chroot_exec apt-get -y autoclean
487 487 chroot_exec apt-get -y autoremove
488 488
489 489 # Unmount mounted filesystems
490 490 umount -l "${R}/proc"
491 491 umount -l "${R}/sys"
492 492
493 493 # Clean up directories
494 494 rm -rf "${R}/run/*"
495 495 rm -rf "${R}/tmp/*"
496 496
497 497 # Clean up files
498 498 rm -f "${ETC_DIR}/ssh/ssh_host_*"
499 499 rm -f "${ETC_DIR}/dropbear/dropbear_*"
500 500 rm -f "${ETC_DIR}/apt/sources.list.save"
501 501 rm -f "${ETC_DIR}/resolvconf/resolv.conf.d/original"
502 502 rm -f "${ETC_DIR}/*-"
503 503 rm -f "${ETC_DIR}/apt/apt.conf.d/10proxy"
504 504 rm -f "${ETC_DIR}/resolv.conf"
505 505 rm -f "${R}/root/.bash_history"
506 506 rm -f "${R}/var/lib/urandom/random-seed"
507 507 rm -f "${R}/initrd.img"
508 508 rm -f "${R}/vmlinuz"
509 509 rm -f "${R}${QEMU_BINARY}"
510 510
511 511 # Calculate size of the chroot directory in KB
512 512 CHROOT_SIZE=$(expr `du -s "${R}" | awk '{ print $1 }'`)
513 513
514 514 # Calculate the amount of needed 512 Byte sectors
515 515 TABLE_SECTORS=$(expr 1 \* 1024 \* 1024 \/ 512)
516 516 FRMW_SECTORS=$(expr 64 \* 1024 \* 1024 \/ 512)
517 517 ROOT_OFFSET=$(expr ${TABLE_SECTORS} + ${FRMW_SECTORS})
518 518
519 519 # The root partition is EXT4
520 520 # This means more space than the actual used space of the chroot is used.
521 521 # As overhead for journaling and reserved blocks 25% are added.
522 522 ROOT_SECTORS=$(expr $(expr ${CHROOT_SIZE} + ${CHROOT_SIZE} \/ 100 \* 25) \* 1024 \/ 512)
523 523
524 524 # Calculate required image size in 512 Byte sectors
525 525 IMAGE_SECTORS=$(expr ${TABLE_SECTORS} + ${FRMW_SECTORS} + ${ROOT_SECTORS})
526 526
527 527 # Prepare date string for image file name
528 528 DATE="$(date +%Y-%m-%d)"
529 529
530 530 # Prepare image file
531 531 if [ "$ENABLE_SPLITFS" = true ] ; then
532 532 dd if=/dev/zero of="$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-frmw.img" bs=512 count=${TABLE_SECTORS}
533 533 dd if=/dev/zero of="$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-frmw.img" bs=512 count=0 seek=${FRMW_SECTORS}
534 534 dd if=/dev/zero of="$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-root.img" bs=512 count=${TABLE_SECTORS}
535 535 dd if=/dev/zero of="$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-root.img" bs=512 count=0 seek=${ROOT_SECTORS}
536 536
537 537 # Write firmware/boot partition tables
538 538 sfdisk -q -L -uS -f "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-frmw.img" 2> /dev/null <<EOM
539 539 ${TABLE_SECTORS},${FRMW_SECTORS},c,*
540 540 EOM
541 541
542 542 # Write root partition table
543 543 sfdisk -q -L -uS -f "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-root.img" 2> /dev/null <<EOM
544 544 ${TABLE_SECTORS},${ROOT_SECTORS},83
545 545 EOM
546 546
547 547 # Setup temporary loop devices
548 548 FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-frmw.img)"
549 549 ROOT_LOOP="$(losetup -o 1M -f --show $BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-root.img)"
550 550 else # ENABLE_SPLITFS=false
551 551 dd if=/dev/zero of="$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}.img" bs=512 count=${TABLE_SECTORS}
552 552 dd if=/dev/zero of="$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}.img" bs=512 count=0 seek=${IMAGE_SECTORS}
553 553
554 554 # Write partition table
555 555 sfdisk -q -L -uS -f "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}.img" 2> /dev/null <<EOM
556 556 ${TABLE_SECTORS},${FRMW_SECTORS},c,*
557 557 ${ROOT_OFFSET},${ROOT_SECTORS},83
558 558 EOM
559 559
560 560 # Setup temporary loop devices
561 561 FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}.img)"
562 562 ROOT_LOOP="$(losetup -o 65M -f --show $BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}.img)"
563 563 fi
564 564
565 565 if [ "$ENABLE_CRYPTFS" = true ] ; then
566 566 # Create dummy ext4 fs
567 567 mkfs.ext4 "$ROOT_LOOP"
568 568
569 569 # Setup password keyfile
570 570 echo -n ${CRYPTFS_PASSWORD} > .password
571 571 chmod 600 .password
572 572
573 573 # Initialize encrypted partition
574 574 echo "YES" | cryptsetup luksFormat "${ROOT_LOOP}" -c "${CRYPTFS_CIPHER}" -s "${CRYPTFS_XTSKEYSIZE}" .password
575 575
576 576 # Open encrypted partition and setup mapping
577 577 cryptsetup luksOpen "${ROOT_LOOP}" -d .password "${CRYPTFS_MAPPING}"
578 578
579 579 # Secure delete password keyfile
580 580 shred -zu .password
581 581
582 582 # Update temporary loop device
583 583 ROOT_LOOP="/dev/mapper/${CRYPTFS_MAPPING}"
584 584
585 585 # Wipe encrypted partition (encryption cipher is used for randomness)
586 586 dd if=/dev/zero of="${ROOT_LOOP}" bs=512 count=$(blockdev --getsz "${ROOT_LOOP}")
587 587 fi
588 588
589 589 # Build filesystems
590 590 mkfs.vfat "$FRMW_LOOP"
591 591 mkfs.ext4 "$ROOT_LOOP"
592 592
593 593 # Mount the temporary loop devices
594 594 mkdir -p "$BUILDDIR/mount"
595 595 mount "$ROOT_LOOP" "$BUILDDIR/mount"
596 596
597 597 mkdir -p "$BUILDDIR/mount/boot/firmware"
598 598 mount "$FRMW_LOOP" "$BUILDDIR/mount/boot/firmware"
599 599
600 600 # Copy all files from the chroot to the loop device mount point directory
601 601 rsync -a "${R}/" "$BUILDDIR/mount/"
602 602
603 603 # Unmount all temporary loop devices and mount points
604 604 cleanup
605 605
606 606 # Create block map file(s) of image(s)
607 607 if [ "$ENABLE_SPLITFS" = true ] ; then
608 608 # Create block map files for "bmaptool"
609 609 bmaptool create -o "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-frmw.bmap" "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-frmw.img"
610 610 bmaptool create -o "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-root.bmap" "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-root.img"
611 611
612 612 # Image was successfully created
613 613 echo "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-frmw.img ($(expr \( ${TABLE_SECTORS} + ${FRMW_SECTORS} \) \* 512 \/ 1024 \/ 1024)M)" ": successfully created"
614 614 echo "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-root.img ($(expr \( ${TABLE_SECTORS} + ${ROOT_SECTORS} \) \* 512 \/ 1024 \/ 1024)M)" ": successfully created"
615 615 else
616 616 # Create block map file for "bmaptool"
617 617 bmaptool create -o "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}.bmap" "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}.img"
618 618
619 619 # Image was successfully created
620 620 echo "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}.img ($(expr \( ${TABLE_SECTORS} + ${FRMW_SECTORS} + ${ROOT_SECTORS} \) \* 512 \/ 1024 \/ 1024)M)" ": successfully created"
621 621 fi
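Review bot: the "(v2)" wording this commit drops from the two authorized-keys comments is still present in the two "Check if ... SSH (v2) public key file exists" comments that directly follow them; drop it there as well so the four key-file checks read consistently. Two further points visible in this hunk: the cryptsetup guard tests `[ -r "/dev/mapping/${CRYPTFS_MAPPING}" ]` while the mapping is later opened at `/dev/mapper/${CRYPTFS_MAPPING}`, so the "mapping already exists" check can never fire and should use `/dev/mapper/`; and the settings block runs under `set -x`, which echoes `PASSWORD`, `USER_PASSWORD` and `CRYPTFS_PASSWORD` into the terminal and any captured build log, so consider moving those assignments outside the traced region or masking them.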