Option to disable rsyslog and improvements (also security)...
Filip Pytloun
r45:fc8abfcaa9c7
@@ -1,138 +1,152
1 1 # rpi2-gen-image
2 2 ## Introduction
3 3 `rpi2-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for the Raspberry 2 (RPi2) computer. The script at this time only supports the bootstrapping of the current stable Debian 8 "jessie" release.
4 4
5 5 ## Build dependencies
6 6 The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user.
7 7
8 8 ```debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core```
9 9
10 10 ## Command-line parameters
11 11 The script accepts certain command-line parameters to enable or disable specific OS features, services and configuration settings. These parameters are passed to the `rpi2-gen-image.sh` script via (simple) shell-variables. Unlike environment shell-variables (simple) shell-variables are defined at the beginning of the command-line call of the `rpi2-gen-image.sh` script.
12 12
13 13 #####Command-line examples:
14 14 ```shell
15 15 ENABLE_UBOOT=true ./rpi2-gen-image.sh
16 16 ENABLE_CONSOLE=false ENABLE_IPV6=false ./rpi2-gen-image.sh
17 17 ENABLE_WM=xfce4 ENABLE_FBTURBO=true ENABLE_MINBASE=true ./rpi2-gen-image.sh
18 18 ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi2-gen-image.sh
19 19 APT_SERVER=ftp.de.debian.org APT_PROXY="http://127.0.0.1:3142/" ./rpi2-gen-image.sh
20 20 ENABLE_MINBASE=true ./rpi2-gen-image.sh
21 21 ```
22 22
23 23 #### APT settings:
24 24 ##### `APT_SERVER`="ftp.debian.org"
25 25 Set Debian packages server address. Choose a server from the list of Debian worldwide [mirror sites](https://www.debian.org/mirror/list). Using a nearby server will probably speed-up all required downloads within the bootstrapping process.
26 26
27 27 ##### `APT_PROXY`=""
28 28 Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once.
29 29
30 30 ##### `APT_INCLUDES`=""
31 31 A comma seperated list of additional packages to be installed during bootstrapping.
32 32
33 33 #### General system settings:
34 34 ##### `HOSTNAME`="rpi2-jessie"
35 35 Set system host name. It's recommended that the host name is unique in the corresponding subnet.
36 36
37 37 ##### `PASSWORD`="raspberry"
38 38 Set system `root` password. The same password is used for the created user `pi`. It's **STRONGLY** recommended that you choose a custom password.
39 39
40 40 ##### `DEFLOCAL`="en_US.UTF-8"
41 41 Set default system locale. This setting can also be changed inside the running OS using the `dpkg-reconfigure locales` command. The script variant `minbase` (ENABLE_MINBASE=true) doesn't install `locales`.
42 42
43 43 ##### `TIMEZONE`="Europe/Berlin"
44 44 Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command.
45 45
46 46 #### Keyboard settings:
47 47 These options are used to configure keyboard layout in `/etc/default/keyboard` for console and Xorg. These settings can also be changed inside the running OS using the `dpkg-reconfigure keyboard-configuration` command.
48 48 ##### `XKBMODEL`=""
49 49 ##### `XKBLAYOUT`=""
50 50 ##### `XKBVARIANT`=""
51 51 ##### `XKBOPTIONS`=""
52 52
53 53 #### Networking settings
54 54 These settings are used to set up networking configuration in `/etc/systemd/network/eth.network`.
55 55
56 56 #####`ENABLE_DHCP`=true
57 57 Set the system to use DHCP. When set to "true", the following `NET_*` settings (used for static configuration) are ignored.
58 58
59 59 #####`NET_ADDRESS`=""
60 60 Set a static IPv4 or IPv6 address and its prefix, separated by "/", eg. "192.169.0.3/24".
61 61
62 62 #####`NET_GATEWAY`=""
63 63 Set the IP address for the default gateway.
64 64
65 65 #####`NET_DNS_1`=""
66 66 Set the IP address for the first DNS server.
67 67
68 68 #####`NET_DNS_2`=""
69 69 Set the IP address for the second DNS server.
70 70
71 71 #####`NET_DNS_DOMAINS`=""
72 72 Set the default DNS search domains to use for non fully qualified host names.
73 73
74 74 #####`NET_NTP_1`=""
75 75 Set the IP address for the first NTP server.
76 76
77 77 #####`NET_NTP_2`=""
78 78 Set the IP address for the second NTP server.
79 79
80 80 #### Basic system features:
81 81 ##### `ENABLE_CONSOLE`=true
82 82 Enable serial console interface. Recommended if no monitor or keyboard is connected to the RPi2. In case of problems fe. if the network (auto) configuration failed - the serial console can be used to access the system.
83 83
84 84 ##### `ENABLE_IPV6`=true
85 85 Enable IPv6 support. The network interface configuration is managed via systemd-networkd.
86 86
87 87 ##### `ENABLE_SSHD`=true
88 88 Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root.
89 89
90 ##### `ENABLE_RSYSLOG`=true
91 If set to false, disable and uninstall rsyslog (so logs will be available only
92 in journal files)
93
90 94 ##### `ENABLE_SOUND`=true
91 95 Enable sound hardware and install Advanced Linux Sound Architecture.
92 96
93 97 ##### `ENABLE_HWRANDOM`=true
94 98 Enable Hardware Random Number Generator. Strong random numbers are important for most network based communications that use encryption. It's recommended to be enabled.
95 99
96 100 ##### `ENABLE_MINGPU`=false
97 101 Minimize the amount of shared memory reserved for the GPU. It doesn't seem to be possible to fully disable the GPU.
98 102
99 103 ##### `ENABLE_DBUS`=true
100 104 Install and enable D-Bus message bus. Please note that systemd should work without D-bus but it's recommended to be enabled.
101 105
102 106 ##### `ENABLE_XORG`=false
103 107 Install Xorg open-source X Window System.
104 108
105 109 ##### `ENABLE_WM`=""
106 110 Install a user defined window manager for the X Window System. To make sure all X related package dependencies are getting installed `ENABLE_XORG` will automatically get enabled if `ENABLE_WM` is used. The `rpi2-gen-image.sh` script has been tested with the following list of window managers: `blackbox`, `openbox`, `fluxbox`, `jwm`, `dwm`, `xfce4`, `awesome`.
107 111
108 112 #### Advanced sytem features:
109 113 ##### `ENABLE_MINBASE`=false
110 114 Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB.
111 115
112 116 ##### `ENABLE_UBOOT`=false
113 117 Replace default RPi2 second stage bootloader (bootcode.bin) with U-Boot bootloader. U-Boot can boot images via the network using the BOOTP/TFTP protocol.
114 118
115 119 ##### `ENABLE_FBTURBO`=false
116 120 Install and enable the hardware accelerated Xorg video driver `fbturbo`. Please note that this driver is currently limited to hardware accelerated window moving and scrolling.
117 121
118 122 ##### `ENABLE_IPTABLES`=false
119 123 Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service.
120 124
125 ##### `ENABLE_USER`=true
126 Create pi user with password raspberry
127
128 ##### `ENABLE_ROOT`=true
129 Set root user password so root login will be enabled
130
131 ##### `ENABLE_ROOT_SSH`=true
132 Enable password root login via SSH. May be a security risk with default
133 password, use only in trusted environments.
134
121 135 ##### `ENABLE_HARDNET`=false
122 136 Enable IPv4/IPv6 network stack hardening settings.
123 137
124 138 ## Logging of the bootstrapping process
125 139 All information related to the bootstrapping process and the commands executed by the `rpi2-gen-image.sh` script can easily be saved into a logfile. The common shell command `script` can be used for this purpose:
126 140
127 141 ```shell
128 142 script -c 'APT_SERVER=ftp.de.debian.org ./rpi2-gen-image.sh' ./build.log
129 143 ```
130 144
131 145 ## Flashing the image file
132 146 After the image file was successfully created by the `rpi2-gen-image.sh` script it can be copied to the microSD card that will be used by the RPi2 computer. This can be performed by using the tools `bmaptool` or `dd`. Using `bmaptool` will probably speed-up the copy process because `bmaptool` copies more wisely than `dd`.
133 147
134 148 #####Flashing examples:
135 149 ```shell
136 150 bmaptool copy ./images/jessie/2015-12-13-debian-jessie.img /dev/mmcblk0
137 151 dd bs=4M if=./images/jessie/2015-12-13-debian-jessie.img of=/dev/mmcblk0
138 152 ```
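Review bot: the README defaults shown for the new `ENABLE_ROOT` and `ENABLE_ROOT_SSH` entries are `=true`, but the script defaults both to `false` (`ENABLE_ROOT=${ENABLE_ROOT:=false}`, `ENABLE_ROOT_SSH=${ENABLE_ROOT_SSH:=false}`); since the commit message calls this a security improvement, the README should say `false`, otherwise a reader concludes that root password login over SSH is on out of the box. Related points in the same hunk: the `ENABLE_USER` line says "Create pi user with password raspberry", but the user gets whatever `PASSWORD` holds (the `PASSWORD` entry already documents that it is shared between `root` and `pi`), so refer to the variable rather than its default; the `ENABLE_ROOT` line should also state what `false` does (root's password is left unusable, so root is reachable only via `sudo` from `pi`, which means the `su -` suggestion under `ENABLE_SSHD` no longer applies in that configuration); and the new `KERNEL` variable (`KERNEL=${KERNEL:=3.18.0-trunk-rpi2}`) has no README entry although every other tunable is documented. Minor: the two `ENABLE_RSYSLOG` description lines are wrapped mid-sentence and read better as a single line like the other entries.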
@@ -1,916 +1,951
1 1 #!/bin/sh
2 2
3 3 ########################################################################
4 4 # rpi2-gen-image.sh ver2a 12/2015
5 5 #
6 6 # Advanced debian "jessie" bootstrap script for RPi2
7 7 #
8 8 # This program is free software; you can redistribute it and/or
9 9 # modify it under the terms of the GNU General Public License
10 10 # as published by the Free Software Foundation; either version 2
11 11 # of the License, or (at your option) any later version.
12 12 #
13 13 # some parts based on rpi2-build-image:
14 14 # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
15 15 # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
16 16 ########################################################################
17 17
18 18 # Clean up all temporary mount points
19 19 cleanup (){
20 20 set +x
21 21 set +e
22 22 echo "removing temporary mount points ..."
23 23 umount -l $R/proc 2> /dev/null
24 24 umount -l $R/sys 2> /dev/null
25 25 umount -l $R/dev/pts 2> /dev/null
26 26 umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
27 27 umount "$BUILDDIR/mount" 2> /dev/null
28 28 losetup -d "$EXT4_LOOP" 2> /dev/null
29 29 losetup -d "$VFAT_LOOP" 2> /dev/null
30 30 trap - 0 1 2 3 6
31 31 }
32 32
33 # Exec command in chroot
34 chroot_exec() {
35 LANG=C LC_ALL=C chroot $R $*
36 }
37
33 38 set -e
34 39 set -x
35 40
36 41 # Debian release
37 42 RELEASE=${RELEASE:=jessie}
43 KERNEL=${KERNEL:=3.18.0-trunk-rpi2}
38 44
39 45 # Build settings
40 46 BASEDIR=./images/${RELEASE}
41 47 BUILDDIR=${BASEDIR}/build
42 48
43 49 # General settings
44 50 HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
45 51 PASSWORD=${PASSWORD:=raspberry}
46 52 DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
47 53 TIMEZONE=${TIMEZONE:="Europe/Berlin"}
48 54 XKBMODEL=${XKBMODEL:=""}
49 55 XKBLAYOUT=${XKBLAYOUT:=""}
50 56 XKBVARIANT=${XKBVARIANT:=""}
51 57 XKBOPTIONS=${XKBOPTIONS:=""}
52 58
53 59 # Network settings
54 60 ENABLE_DHCP=${ENABLE_DHCP:=true}
55 61 # NET_* settings are ignored when ENABLE_DHCP=true
56 62 # NET_ADDRESS is an IPv4 or IPv6 address and its prefix, separated by "/"
57 63 NET_ADDRESS=${NET_ADDRESS:=""}
58 64 NET_GATEWAY=${NET_GATEWAY:=""}
59 65 NET_DNS_1=${NET_DNS_1:=""}
60 66 NET_DNS_2=${NET_DNS_2:=""}
61 67 NET_DNS_DOMAINS=${NET_DNS_DOMAINS:=""}
62 68 NET_NTP_1=${NET_NTP_1:=""}
63 69 NET_NTP_2=${NET_NTP_2:=""}
64 70
65 71 # APT settings
66 72 APT_PROXY=${APT_PROXY:=""}
67 73 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
68 74
69 75 # Feature settings
70 76 ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
71 77 ENABLE_IPV6=${ENABLE_IPV6:=true}
72 78 ENABLE_SSHD=${ENABLE_SSHD:=true}
73 79 ENABLE_SOUND=${ENABLE_SOUND:=true}
74 80 ENABLE_DBUS=${ENABLE_DBUS:=true}
75 81 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
76 82 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
77 83 ENABLE_XORG=${ENABLE_XORG:=false}
78 84 ENABLE_WM=${ENABLE_WM:=""}
85 ENABLE_RSYSLOG=${ENABLE_RSYSLOG:=true}
86 ENABLE_USER=${ENABLE_USER:=true}
87 ENABLE_ROOT=${ENABLE_ROOT:=false}
88 ENABLE_ROOT_SSH=${ENABLE_ROOT_SSH:=false}
79 89
80 90 # Advanced settings
81 91 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
82 92 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
83 93 ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
84 94 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
85 95 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
86 96
87 97 # Image chroot path
88 98 R=${BUILDDIR}/chroot
89 99
90 100 # Packages required for bootstrapping
91 101 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git-core"
92 102
93 103 # Missing packages that need to be installed
94 104 MISSING_PACKAGES=""
95 105
96 106 # Packages required in the chroot build environment
97 107 APT_INCLUDES=${APT_INCLUDES:=""}
98 108 APT_INCLUDES="${APT_INCLUDES},apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo"
99 109
100 110 set +x
101 111
102 112 # Are we running as root?
103 113 if [ "$(id -u)" -ne "0" ] ; then
104 114 echo "this script must be executed with root privileges"
105 115 exit 1
106 116 fi
107 117
108 118 # Check if all required packages are installed
109 119 for package in $REQUIRED_PACKAGES ; do
110 120 if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
111 121 MISSING_PACKAGES="$MISSING_PACKAGES $package"
112 122 fi
113 123 done
114 124
115 125 # Ask if missing packages should get installed right now
116 126 if [ -n "$MISSING_PACKAGES" ] ; then
117 127 echo "the following packages needed by this script are not installed:"
118 128 echo "$MISSING_PACKAGES"
119 129
120 130 echo -n "\ndo you want to install the missing packages right now? [y/n] "
121 131 read confirm
122 132 if [ "$confirm" != "y" ] ; then
123 133 exit 1
124 134 fi
125 135 fi
126 136
127 137 # Make sure all required packages are installed
128 138 apt-get -qq -y install ${REQUIRED_PACKAGES}
129 139
130 140 # Don't clobber an old build
131 141 if [ -e "$BUILDDIR" ]; then
132 142 echo "directory $BUILDDIR already exists, not proceeding"
133 143 exit 1
134 144 fi
135 145
136 146 set -x
137 147
138 148 # Call "cleanup" function on various signals and errors
139 149 trap cleanup 0 1 2 3 6
140 150
141 151 # Set up chroot directory
142 152 mkdir -p $R
143 153
144 154 # Add required packages for the minbase installation
145 155 if [ "$ENABLE_MINBASE" = true ] ; then
146 156 APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools"
147 157 else
148 158 APT_INCLUDES="${APT_INCLUDES},locales,keyboard-configuration,console-setup"
149 159 fi
150 160
151 161 # Add dbus package, recommended if using systemd
152 162 if [ "$ENABLE_DBUS" = true ] ; then
153 163 APT_INCLUDES="${APT_INCLUDES},dbus"
154 164 fi
155 165
156 166 # Add iptables IPv4/IPv6 package
157 167 if [ "$ENABLE_IPTABLES" = true ] ; then
158 168 APT_INCLUDES="${APT_INCLUDES},iptables"
159 169 fi
160 170
161 171 # Add openssh server package
162 172 if [ "$ENABLE_SSHD" = true ] ; then
163 173 APT_INCLUDES="${APT_INCLUDES},openssh-server"
164 174 fi
165 175
166 176 # Add alsa-utils package
167 177 if [ "$ENABLE_SOUND" = true ] ; then
168 178 APT_INCLUDES="${APT_INCLUDES},alsa-utils"
169 179 fi
170 180
171 181 # Add rng-tools package
172 182 if [ "$ENABLE_HWRANDOM" = true ] ; then
173 183 APT_INCLUDES="${APT_INCLUDES},rng-tools"
174 184 fi
175 185
186 if [ "$ENABLE_USER" = true ]; then
187 APT_INCLUDES="${APT_INCLUDES},sudo"
188 fi
189
176 190 # Add fbturbo video driver
177 191 if [ "$ENABLE_FBTURBO" = true ] ; then
178 192 # Enable xorg package dependencies
179 193 ENABLE_XORG=true
180 194 fi
181 195
182 196 # Add user defined window manager package
183 197 if [ -n "$ENABLE_WM" ] ; then
184 198 APT_INCLUDES="${APT_INCLUDES},${ENABLE_WM}"
185 199
186 200 # Enable xorg package dependencies
187 201 ENABLE_XORG=true
188 202 fi
189 203
190 204 # Add xorg package
191 205 if [ "$ENABLE_XORG" = true ] ; then
192 206 APT_INCLUDES="${APT_INCLUDES},xorg"
193 207 fi
194 208
195 209 # Base debootstrap (unpack only)
196 210 if [ "$ENABLE_MINBASE" = true ] ; then
197 211 http_proxy=${APT_PROXY} debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
198 212 else
199 213 http_proxy=${APT_PROXY} debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
200 214 fi
201 215
202 216 # Copy qemu emulator binary to chroot
203 217 cp /usr/bin/qemu-arm-static $R/usr/bin
204 218
205 219 # Copy debian-archive-keyring.pgp
206 220 chroot $R mkdir -p /usr/share/keyrings
207 221 cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
208 222
209 223 # Complete the bootstrapping process
210 224 chroot $R /debootstrap/debootstrap --second-stage
211 225
212 226 # Mount required filesystems
213 227 mount -t proc none $R/proc
214 228 mount -t sysfs none $R/sys
215 229 mount --bind /dev/pts $R/dev/pts
216 230
217 231 # Use proxy inside chroot
218 232 if [ -z "$APT_PROXY" ] ; then
219 233 echo "Acquire::http::Proxy \"$APT_PROXY\";" >> $R/etc/apt/apt.conf.d/10proxy
220 234 fi
221 235
222 236 # Pin package flash-kernel to repositories.collabora.co.uk
223 237 cat <<EOM >$R/etc/apt/preferences.d/flash-kernel
224 238 Package: flash-kernel
225 239 Pin: origin repositories.collabora.co.uk
226 240 Pin-Priority: 1000
227 241 EOM
228 242
229 243 # Set up timezone
230 244 echo ${TIMEZONE} >$R/etc/timezone
231 LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata
245 chroot_exec dpkg-reconfigure -f noninteractive tzdata
232 246
233 247 # Upgrade collabora package index and install collabora keyring
234 248 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
235 LANG=C chroot $R apt-get -qq -y update
236 LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring
249 chroot_exec apt-get -qq -y update
250 chroot_exec apt-get -qq -y --force-yes install collabora-obs-archive-keyring
237 251
238 252 # Set up initial sources.list
239 253 cat <<EOM >$R/etc/apt/sources.list
240 254 deb http://${APT_SERVER}/debian ${RELEASE} main contrib
241 255 #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib
242 256
243 257 deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
244 258 #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
245 259
246 260 deb http://security.debian.org/ ${RELEASE}/updates main contrib
247 261 #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib
248 262
249 263 deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
250 264 EOM
251 265
252 266 # Upgrade package index and update all installed packages and changed dependencies
253 LANG=C chroot $R apt-get -qq -y update
254 LANG=C chroot $R apt-get -qq -y -u dist-upgrade
267 chroot_exec apt-get -qq -y update
268 chroot_exec apt-get -qq -y -u dist-upgrade
255 269
256 270 # Set up default locale and keyboard configuration
257 271 if [ "$ENABLE_MINBASE" = false ] ; then
258 272 # Set locale choice in debconf db, even though dpkg-reconfigure ignores and overwrites them due to some bug
259 273 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684134 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685957
260 274 # ... so we have to set locales manually
261 275 if [ "$DEFLOCAL" = "en_US.UTF-8" ] ; then
262 LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections
276 chroot_exec echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections
263 277 else
264 278 # en_US.UTF-8 should be available anyway : https://www.debian.org/doc/manuals/debian-reference/ch08.en.html#_the_reconfiguration_of_the_locale
265 LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections
266 LANG=C chroot $R sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen
279 chroot_exec echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections
280 chroot_exec sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen
267 281 fi
268 LANG=C chroot $R sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen
269 LANG=C chroot $R echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections
270 LANG=C chroot $R locale-gen
271 LANG=C chroot $R update-locale LANG=${DEFLOCAL}
282 chroot_exec sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen
283 chroot_exec echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections
284 chroot_exec locale-gen
285 chroot_exec update-locale LANG=${DEFLOCAL}
272 286
273 287 # Keyboard configuration, if requested
274 288 if [ "$XKBMODEL" != "" ] ; then
275 LANG=C chroot $R sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKBMODEL}\"/" /etc/default/keyboard
289 chroot_exec sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKBMODEL}\"/" /etc/default/keyboard
276 290 fi
277 291 if [ "$XKBLAYOUT" != "" ] ; then
278 LANG=C chroot $R sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKBLAYOUT}\"/" /etc/default/keyboard
292 chroot_exec sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKBLAYOUT}\"/" /etc/default/keyboard
279 293 fi
280 294 if [ "$XKBVARIANT" != "" ] ; then
281 LANG=C chroot $R sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKBVARIANT}\"/" /etc/default/keyboard
295 chroot_exec sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKBVARIANT}\"/" /etc/default/keyboard
282 296 fi
283 297 if [ "$XKBOPTIONS" != "" ] ; then
284 LANG=C chroot $R sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKBOPTIONS}\"/" /etc/default/keyboard
298 chroot_exec sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKBOPTIONS}\"/" /etc/default/keyboard
285 299 fi
286 LANG=C chroot $R dpkg-reconfigure -f noninteractive keyboard-configuration
300 chroot_exec dpkg-reconfigure -f noninteractive keyboard-configuration
287 301 # Set up font console
288 302 case "${DEFLOCAL}" in
289 303 *UTF-8)
290 LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' /etc/default/console-setup
304 chroot_exec sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' /etc/default/console-setup
291 305 ;;
292 306 *)
293 LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="guess"/' /etc/default/console-setup
307 chroot_exec sed -i 's/^CHARMAP.*/CHARMAP="guess"/' /etc/default/console-setup
294 308 ;;
295 309 esac
296 LANG=C chroot $R dpkg-reconfigure -f noninteractive console-setup
310 chroot_exec dpkg-reconfigure -f noninteractive console-setup
297 311 fi
298 312
299 313 # Kernel installation
300 314 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
301 LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2
302 LANG=C chroot $R apt-get -qq -y install flash-kernel
315 chroot_exec apt-get -qq -y --no-install-recommends install linux-image-${KERNEL} raspberrypi-bootloader-nokernel
316 chroot_exec apt-get -qq -y install flash-kernel
303 317
304 318 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
305 319 [ -z "$VMLINUZ" ] && exit 1
306 mkdir -p $R/boot/firmware
307
308 # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")
309 wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin
310 wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat
311 wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat
312 wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat
313 wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf
314 wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf
315 wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf
316 320 cp $VMLINUZ $R/boot/firmware/kernel7.img
317 321
318 322 # Set up IPv4 hosts
319 323 echo ${HOSTNAME} >$R/etc/hostname
320 324 cat <<EOM >$R/etc/hosts
321 325 127.0.0.1 localhost
322 326 127.0.1.1 ${HOSTNAME}
323 327 EOM
324 328 if [ "$NET_ADDRESS" != "" ] ; then
325 329 NET_IP=$(echo ${NET_ADDRESS} | cut -f 1 -d'/')
326 330 sed -i "s/^127.0.1.1/${NET_IP}/" $R/etc/hosts
327 331 fi
328 332
329 333 # Set up IPv6 hosts
330 334 if [ "$ENABLE_IPV6" = true ] ; then
331 335 cat <<EOM >>$R/etc/hosts
332 336
333 337 ::1 localhost ip6-localhost ip6-loopback
334 338 ff02::1 ip6-allnodes
335 339 ff02::2 ip6-allrouters
336 340 EOM
337 341 fi
338 342
339 343 # Place hint about network configuration
340 344 cat <<EOM >$R/etc/network/interfaces
341 345 # Debian switched to systemd-networkd configuration files.
342 346 # please configure your networks in '/etc/systemd/network/'
343 347 EOM
344 348
345 349 if [ "$ENABLE_DHCP" = true ] ; then
346 350 # Enable systemd-networkd DHCP configuration for interface eth0
347 351 cat <<EOM >$R/etc/systemd/network/eth.network
348 352 [Match]
349 353 Name=eth0
350 354
351 355 [Network]
352 356 DHCP=yes
353 357 EOM
354 358
355 359 # Set DHCP configuration to IPv4 only
356 360 if [ "$ENABLE_IPV6" = false ] ; then
357 361 sed -i "s/^DHCP=yes/DHCP=v4/" $R/etc/systemd/network/eth.network
358 362 fi
359 363 else # ENABLE_DHCP=false
360 364 cat <<EOM >$R/etc/systemd/network/eth.network
361 365 [Match]
362 366 Name=eth0
363 367
364 368 [Network]
365 369 DHCP=no
366 370 Address=${NET_ADDRESS}
367 371 Gateway=${NET_GATEWAY}
368 372 DNS=${NET_DNS_1}
369 373 DNS=${NET_DNS_2}
370 374 Domains=${NET_DNS_DOMAINS}
371 375 NTP=${NET_NTP_1}
372 376 NTP=${NET_NTP_2}
373 377 EOM
374 378 fi
375 379
376 380 # Enable systemd-networkd service
377 LANG=C chroot $R systemctl enable systemd-networkd
381 chroot_exec systemctl enable systemd-networkd
378 382
379 383 # Generate crypt(3) password string
380 384 ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
381 385
382 386 # Set up default user
383 LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi
384 LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
387 if [ "$ENABLE_USER" = true ] ; then
388 chroot_exec adduser --gecos \"Raspberry PI user\" --add_extra_groups --disabled-password pi
389 chroot_exec usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
390 fi
385 391
386 # Set up root password
387 LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root
392 # Set up root password or not
393 if [ "$ENABLE_ROOT" = true ]; then
394 chroot_exec usermod -p "${ENCRYPTED_PASSWORD}" root
395
396 if [ "$ENABLE_ROOT_SSH" = true ]; then
397 sed -i 's|[#]*PermitRootLogin.*|PermitRootLogin yes|g' $R/etc/ssh/sshd_config
398 fi
399 else
400 chroot_exec usermod -p \'!\' root
401 fi
388 402
389 403 # Set up firmware boot cmdline
390 404 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
391 405
392 406 # Set up serial console support (if requested)
393 407 if [ "$ENABLE_CONSOLE" = true ] ; then
394 408 CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
395 409 fi
396 410
397 411 # Set up IPv6 networking support
398 412 if [ "$ENABLE_IPV6" = false ] ; then
399 413 CMDLINE="${CMDLINE} ipv6.disable=1"
400 414 fi
401 415
402 416 echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
403 417
404 418 # Set up firmware config
405 419 cat <<EOM >$R/boot/firmware/config.txt
406 420 # For more options and information see
407 421 # http://www.raspberrypi.org/documentation/configuration/config-txt.md
408 422 # Some settings may impact device functionality. See link above for details
409 423
410 424 # uncomment if you get no picture on HDMI for a default "safe" mode
411 425 #hdmi_safe=1
412 426
413 427 # uncomment this if your display has a black border of unused pixels visible
414 428 # and your display can output without overscan
415 429 #disable_overscan=1
416 430
417 431 # uncomment the following to adjust overscan. Use positive numbers if console
418 432 # goes off screen, and negative if there is too much border
419 433 #overscan_left=16
420 434 #overscan_right=16
421 435 #overscan_top=16
422 436 #overscan_bottom=16
423 437
424 438 # uncomment to force a console size. By default it will be display's size minus
425 439 # overscan.
426 440 #framebuffer_width=1280
427 441 #framebuffer_height=720
428 442
429 443 # uncomment if hdmi display is not detected and composite is being output
430 444 #hdmi_force_hotplug=1
431 445
432 446 # uncomment to force a specific HDMI mode (this will force VGA)
433 447 #hdmi_group=1
434 448 #hdmi_mode=1
435 449
436 450 # uncomment to force a HDMI mode rather than DVI. This can make audio work in
437 451 # DMT (computer monitor) modes
438 452 #hdmi_drive=2
439 453
440 454 # uncomment to increase signal to HDMI, if you have interference, blanking, or
441 455 # no display
442 456 #config_hdmi_boost=4
443 457
444 458 # uncomment for composite PAL
445 459 #sdtv_mode=2
446 460
447 461 # uncomment to overclock the arm. 700 MHz is the default.
448 462 #arm_freq=800
449 463 EOM
450 464
451 465 # Load snd_bcm2835 kernel module at boot time
452 466 if [ "$ENABLE_SOUND" = true ] ; then
453 467 echo "snd_bcm2835" >>$R/etc/modules
454 468 fi
455 469
456 470 # Set smallest possible GPU memory allocation size: 16MB (no X)
457 471 if [ "$ENABLE_MINGPU" = true ] ; then
458 472 echo "gpu_mem=16" >>$R/boot/firmware/config.txt
459 473 fi
460 474
461 475 # Create symlinks
462 476 ln -sf firmware/config.txt $R/boot/config.txt
463 477 ln -sf firmware/cmdline.txt $R/boot/cmdline.txt
464 478
465 479 # Prepare modules-load.d directory
466 480 mkdir -p $R/lib/modules-load.d/
467 481
468 482 # Load random module on boot
469 483 if [ "$ENABLE_HWRANDOM" = true ] ; then
470 484 cat <<EOM >$R/lib/modules-load.d/rpi2.conf
471 485 bcm2708_rng
472 486 EOM
473 487 fi
474 488
475 489 # Prepare modprobe.d directory
476 490 mkdir -p $R/etc/modprobe.d/
477 491
478 492 # Blacklist sound modules
479 493 cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf
480 494 blacklist snd_soc_core
481 495 blacklist snd_pcm
482 496 blacklist snd_pcm_dmaengine
483 497 blacklist snd_timer
484 498 blacklist snd_compress
485 499 blacklist snd_soc_pcm512x_i2c
486 500 blacklist snd_soc_pcm512x
487 501 blacklist snd_soc_tas5713
488 502 blacklist snd_soc_wm8804
489 503 EOM
490 504
491 505 # Create default fstab
492 506 cat <<EOM >$R/etc/fstab
493 507 /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
494 508 /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
495 509 EOM
496 510
497 511 # Avoid swapping and increase cache sizes
498 512 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
499 513
500 514 # Avoid swapping and increase cache sizes
501 515 vm.swappiness=1
502 516 vm.dirty_background_ratio=20
503 517 vm.dirty_ratio=40
504 518 vm.dirty_writeback_centisecs=500
505 519 vm.dirty_expire_centisecs=6000
506 520 EOM
507 521
508 522 # Enable network stack hardening
509 523 if [ "$ENABLE_HARDNET" = true ] ; then
510 524 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
511 525
512 526 # Enable network stack hardening
513 527 net.ipv4.tcp_timestamps=0
514 528 net.ipv4.tcp_syncookies=1
515 529 net.ipv4.conf.all.rp_filter=1
516 530 net.ipv4.conf.all.accept_redirects=0
517 531 net.ipv4.conf.all.send_redirects=0
518 532 net.ipv4.conf.all.accept_source_route=0
519 533 net.ipv4.conf.default.rp_filter=1
520 534 net.ipv4.conf.default.accept_redirects=0
521 535 net.ipv4.conf.default.send_redirects=0
522 536 net.ipv4.conf.default.accept_source_route=0
523 537 net.ipv4.conf.lo.accept_redirects=0
524 538 net.ipv4.conf.lo.send_redirects=0
525 539 net.ipv4.conf.lo.accept_source_route=0
526 540 net.ipv4.conf.eth0.accept_redirects=0
527 541 net.ipv4.conf.eth0.send_redirects=0
528 542 net.ipv4.conf.eth0.accept_source_route=0
529 543 net.ipv4.icmp_echo_ignore_broadcasts=1
530 544 net.ipv4.icmp_ignore_bogus_error_responses=1
531 545
532 546 net.ipv6.conf.all.accept_redirects=0
533 547 net.ipv6.conf.all.accept_source_route=0
534 548 net.ipv6.conf.all.router_solicitations=0
535 549 net.ipv6.conf.all.accept_ra_rtr_pref=0
536 550 net.ipv6.conf.all.accept_ra_pinfo=0
537 551 net.ipv6.conf.all.accept_ra_defrtr=0
538 552 net.ipv6.conf.all.autoconf=0
539 553 net.ipv6.conf.all.dad_transmits=0
540 554 net.ipv6.conf.all.max_addresses=1
541 555
542 556 net.ipv6.conf.default.accept_redirects=0
543 557 net.ipv6.conf.default.accept_source_route=0
544 558 net.ipv6.conf.default.router_solicitations=0
545 559 net.ipv6.conf.default.accept_ra_rtr_pref=0
546 560 net.ipv6.conf.default.accept_ra_pinfo=0
547 561 net.ipv6.conf.default.accept_ra_defrtr=0
548 562 net.ipv6.conf.default.autoconf=0
549 563 net.ipv6.conf.default.dad_transmits=0
550 564 net.ipv6.conf.default.max_addresses=1
551 565
552 566 net.ipv6.conf.lo.accept_redirects=0
553 567 net.ipv6.conf.lo.accept_source_route=0
554 568 net.ipv6.conf.lo.router_solicitations=0
555 569 net.ipv6.conf.lo.accept_ra_rtr_pref=0
556 570 net.ipv6.conf.lo.accept_ra_pinfo=0
557 571 net.ipv6.conf.lo.accept_ra_defrtr=0
558 572 net.ipv6.conf.lo.autoconf=0
559 573 net.ipv6.conf.lo.dad_transmits=0
560 574 net.ipv6.conf.lo.max_addresses=1
561 575
562 576 net.ipv6.conf.eth0.accept_redirects=0
563 577 net.ipv6.conf.eth0.accept_source_route=0
564 578 net.ipv6.conf.eth0.router_solicitations=0
565 579 net.ipv6.conf.eth0.accept_ra_rtr_pref=0
566 580 net.ipv6.conf.eth0.accept_ra_pinfo=0
567 581 net.ipv6.conf.eth0.accept_ra_defrtr=0
568 582 net.ipv6.conf.eth0.autoconf=0
569 583 net.ipv6.conf.eth0.dad_transmits=0
570 584 net.ipv6.conf.eth0.max_addresses=1
571 585 EOM
572 586
573 587 # Enable resolver warnings about spoofed addresses
574 588 cat <<EOM >>$R/etc/host.conf
575 589 spoof warn
576 590 EOM
577 591 fi
578 592
579 # Regenerate openssh server host keys
593 # Ensure openssh server host keys are regenerated on first boot
580 594 if [ "$ENABLE_SSHD" = true ] ; then
581 rm -fr $R/etc/ssh/ssh_host_*
582 LANG=C chroot $R dpkg-reconfigure openssh-server
595 cat <<EOM >>$R/etc/rc.firstboot
596 #!/bin/sh
597 rm -f /etc/ssh/ssh_host_*
598 ssh-keygen -q -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key
599 ssh-keygen -q -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key
600 ssh-keygen -q -t ecdsa -N "" -f /etc/ssh/ssh_host_ecdsa_key
601 ssh-keygen -q -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key
602 sync
603
604 systemctl restart sshd
605 sed -i 's/.*rc.firstboot.*/exit 0/g' /etc/rc.local
606 rm -f /etc/rc.firstboot
607 EOM
608 chmod +x $R/etc/rc.firstboot
609 sed -i 's,exit 0,/etc/rc.firstboot,g' $R/etc/rc.local
610 rm -f $R/etc/ssh/ssh_host_*
611 fi
612
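Review bot: the first-boot script written into /etc/rc.firstboot still generates a DSA host key (`ssh-keygen -q -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key`); DSA host keys are fixed at 1024 bits and OpenSSH has refused them by default since 7.0, so that line should go and only rsa, ecdsa and ed25519 be kept. Two smaller points on the same block: the heredoc is appended with `>>` while it writes a `#!/bin/sh` shebang, so if anything else ever appends to /etc/rc.firstboot before this block the shebang no longer sits on line one (use `>` here, or create the file with the shebang once and append the commands), and since the cleanup further down removes /var/lib/urandom/random-seed, the keys are produced on a freshly booted board with a barely seeded pool; a comment pointing out that a hardware RNG feed (rng-tools) should be running before rc.local reaches this script would help whoever maintains it. The move itself is a clear improvement over the old build-time `dpkg-reconfigure openssh-server`, which left every device flashed from the same image sharing one set of host keys.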
613 # Disable rsyslog
614 if [ "$ENABLE_RSYSLOG" = false ]; then
615 sed -i 's|[#]*ForwardToSyslog=yes|ForwardToSyslog=no|g' $R/etc/systemd/journald.conf
616 chroot_exec systemctl disable rsyslog
617 chroot_exec apt-get purge -q -y --force-yes rsyslog
583 618 fi
584 619
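Review bot: purging rsyslog leaves the image without persistent logs, because this block only flips `ForwardToSyslog=no` and journald's default `Storage=auto` keeps the journal across reboots only when /var/log/journal already exists. Add `mkdir -p $R/var/log/journal` (or set `Storage=persistent` in journald.conf alongside the ForwardToSyslog change) so boot and auth messages survive a reboot and are still there when an incident needs to be reviewed. Minor: `chroot_exec systemctl disable rsyslog` immediately before `apt-get purge ... rsyslog` is redundant, the purge removes the unit and its enablement links, so it can be dropped or kept as belt-and-braces, but the comment should say which.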
585 620 # Enable serial console systemd style
586 621 if [ "$ENABLE_CONSOLE" = true ] ; then
587 LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service
622 chroot_exec systemctl enable serial-getty\@ttyAMA0.service
588 623 fi
589 624
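Review bot: every `LANG=C chroot $R ...` call is replaced by `chroot_exec ...` (here for `systemctl enable serial-getty\@ttyAMA0.service`, and in all the later hunks for apt-get, make, mkimage and the iptables/ip6tables `systemctl daemon-reload` and `enable`), but the definition of `chroot_exec` is not part of this section of the diff; please confirm it still exports `LANG=C` (ideally `LC_ALL=C` too) into the chroot, otherwise the perl/dpkg locale warnings the explicit `LANG=C` was suppressing come back, and that it returns the wrapped command's exit status unchanged so a failed `apt-get install` or `make` does not go unnoticed by the rest of the build.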
590 625 # Enable firewall based on iptables started by systemd service
591 626 if [ "$ENABLE_IPTABLES" = true ] ; then
592 627 # Create iptables configuration directory
593 628 mkdir -p "$R/etc/iptables"
594 629
595 630 # Create iptables systemd service
596 631 cat <<EOM >$R/etc/systemd/system/iptables.service
597 632 [Unit]
598 633 Description=Packet Filtering Framework
599 634 DefaultDependencies=no
600 635 After=systemd-sysctl.service
601 636 Before=sysinit.target
602 637 [Service]
603 638 Type=oneshot
604 639 ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
605 640 ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
606 641 ExecStop=/etc/iptables/flush-iptables.sh
607 642 RemainAfterExit=yes
608 643 [Install]
609 644 WantedBy=multi-user.target
610 645 EOM
611 646
612 647 # Create flush-table script called by iptables service
613 648 cat <<EOM >$R/etc/iptables/flush-iptables.sh
614 649 #!/bin/sh
615 650 iptables -F
616 651 iptables -X
617 652 iptables -t nat -F
618 653 iptables -t nat -X
619 654 iptables -t mangle -F
620 655 iptables -t mangle -X
621 656 iptables -P INPUT ACCEPT
622 657 iptables -P FORWARD ACCEPT
623 658 iptables -P OUTPUT ACCEPT
624 659 EOM
625 660
626 661 # Create iptables rule file
627 662 cat <<EOM >$R/etc/iptables/iptables.rules
628 663 *filter
629 664 :INPUT DROP [0:0]
630 665 :FORWARD DROP [0:0]
631 666 :OUTPUT ACCEPT [0:0]
632 667 :TCP - [0:0]
633 668 :UDP - [0:0]
634 669 :SSH - [0:0]
635 670
636 671 # Rate limit ping requests
637 672 -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
638 673 -A INPUT -p icmp --icmp-type echo-request -j DROP
639 674
640 675 # Accept established connections
641 676 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
642 677
643 678 # Accept all traffic on loopback interface
644 679 -A INPUT -i lo -j ACCEPT
645 680
646 681 # Drop packets declared invalid
647 682 -A INPUT -m conntrack --ctstate INVALID -j DROP
648 683
649 684 # SSH rate limiting
650 685 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
651 686 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
652 687 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
653 688 -A SSH -m recent --name sshbf --set -j ACCEPT
654 689
655 690 # Send TCP and UDP connections to their respective rules chain
656 691 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
657 692 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
658 693
659 694 # Reject dropped packets with a RFC compliant responce
660 695 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
661 696 -A INPUT -p tcp -j REJECT --reject-with tcp-rst
662 697 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
663 698
664 699 ## TCP PORT RULES
665 700 # -A TCP -p tcp -j LOG
666 701
667 702 ## UDP PORT RULES
668 703 # -A UDP -p udp -j LOG
669 704
670 705 COMMIT
671 706 EOM
672 707
673 708 # Reload systemd configuration and enable iptables service
674 LANG=C chroot $R systemctl daemon-reload
675 LANG=C chroot $R systemctl enable iptables.service
709 chroot_exec systemctl daemon-reload
710 chroot_exec systemctl enable iptables.service
676 711
677 712 if [ "$ENABLE_IPV6" = true ] ; then
678 713 # Create ip6tables systemd service
679 714 cat <<EOM >$R/etc/systemd/system/ip6tables.service
680 715 [Unit]
681 716 Description=Packet Filtering Framework
682 717 DefaultDependencies=no
683 718 After=systemd-sysctl.service
684 719 Before=sysinit.target
685 720 [Service]
686 721 Type=oneshot
687 722 ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
688 723 ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
689 724 ExecStop=/etc/iptables/flush-ip6tables.sh
690 725 RemainAfterExit=yes
691 726 [Install]
692 727 WantedBy=multi-user.target
693 728 EOM
694 729
695 730 # Create ip6tables file
696 731 cat <<EOM >$R/etc/iptables/flush-ip6tables.sh
697 732 #!/bin/sh
698 733 ip6tables -F
699 734 ip6tables -X
700 735 ip6tables -Z
701 736 for table in $(</proc/net/ip6_tables_names)
702 737 do
703 738 ip6tables -t \$table -F
704 739 ip6tables -t \$table -X
705 740 ip6tables -t \$table -Z
706 741 done
707 742 ip6tables -P INPUT ACCEPT
708 743 ip6tables -P OUTPUT ACCEPT
709 744 ip6tables -P FORWARD ACCEPT
710 745 EOM
711 746
712 747 # Create ip6tables rule file
713 748 cat <<EOM >$R/etc/iptables/ip6tables.rules
714 749 *filter
715 750 :INPUT DROP [0:0]
716 751 :FORWARD DROP [0:0]
717 752 :OUTPUT ACCEPT [0:0]
718 753 :TCP - [0:0]
719 754 :UDP - [0:0]
720 755 :SSH - [0:0]
721 756
722 757 # Drop packets with RH0 headers
723 758 -A INPUT -m rt --rt-type 0 -j DROP
724 759 -A OUTPUT -m rt --rt-type 0 -j DROP
725 760 -A FORWARD -m rt --rt-type 0 -j DROP
726 761
727 762 # Rate limit ping requests
728 763 -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
729 764 -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
730 765
731 766 # Accept established connections
732 767 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
733 768
734 769 # Accept all traffic on loopback interface
735 770 -A INPUT -i lo -j ACCEPT
736 771
737 772 # Drop packets declared invalid
738 773 -A INPUT -m conntrack --ctstate INVALID -j DROP
739 774
740 775 # SSH rate limiting
741 776 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
742 777 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
743 778 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
744 779 -A SSH -m recent --name sshbf --set -j ACCEPT
745 780
746 781 # Send TCP and UDP connections to their respective rules chain
747 782 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
748 783 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
749 784
750 785 # Reject dropped packets with a RFC compliant responce
751 786 -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
752 787 -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
753 788 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
754 789
755 790 ## TCP PORT RULES
756 791 # -A TCP -p tcp -j LOG
757 792
758 793 ## UDP PORT RULES
759 794 # -A UDP -p udp -j LOG
760 795
761 796 COMMIT
762 797 EOM
763 798
764 799 # Reload systemd configuration and enable iptables service
765 LANG=C chroot $R systemctl daemon-reload
766 LANG=C chroot $R systemctl enable ip6tables.service
800 chroot_exec systemctl daemon-reload
801 chroot_exec systemctl enable ip6tables.service
767 802 fi
768 803 fi
769 804
770 805 # Remove SSHD related iptables rules
771 806 if [ "$ENABLE_SSHD" = false ] ; then
772 807 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/iptables.rules 2> /dev/null
773 808 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/ip6tables.rules 2> /dev/null
774 809 fi
775 810
776 811 # Install gcc/c++ build environment inside the chroot
777 812 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
778 LANG=C chroot $R apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
813 chroot_exec apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
779 814 fi
780 815
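Review bot: the rewritten line `chroot_exec apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc` keeps `--force-yes`, which with apt-get also overrides the authentication check for packages whose signatures cannot be verified (the option was later split into `--allow-unauthenticated` and friends for exactly this reason), undermining the debian-archive-keyring verification the bootstrap depends on. `-y` is sufficient for a non-interactive install; the same `--force-yes` on the rsyslog purge above can go as well.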
781 816 # Fetch and build U-Boot bootloader
782 817 if [ "$ENABLE_UBOOT" = true ] ; then
783 818 # Fetch U-Boot bootloader sources
784 819 git -C $R/tmp clone git://git.denx.de/u-boot.git
785 820
786 821 # Build and install U-Boot inside chroot
787 LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all
822 chroot_exec make -C /tmp/u-boot/ rpi_2_defconfig all
788 823
789 824 # Copy compiled bootloader binary and set config.txt to load it
790 825 cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
791 826 printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
792 827
793 828 # Set U-Boot command file
794 829 cat <<EOM >$R/boot/firmware/uboot.mkimage
795 830 # Tell Linux that it is booting on a Raspberry Pi2
796 831 setenv machid 0x00000c42
797 832
798 833 # Set the kernel boot command line
799 834 setenv bootargs "earlyprintk ${CMDLINE}"
800 835
801 836 # Save these changes to u-boot's environment
802 837 saveenv
803 838
804 839 # Load the existing Linux kernel into RAM
805 840 fatload mmc 0:1 \${kernel_addr_r} kernel7.img
806 841
807 842 # Boot the kernel we have just loaded
808 843 bootz \${kernel_addr_r}
809 844 EOM
810 845
811 846 # Generate U-Boot image from command file
812 LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
847 chroot_exec mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
813 848 fi
814 849
815 850 # Fetch and build fbturbo Xorg driver
816 851 if [ "$ENABLE_FBTURBO" = true ] ; then
817 852 # Fetch fbturbo driver sources
818 853 git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git
819 854
820 855 # Install Xorg build dependencies
821 LANG=C chroot $R apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
856 chroot_exec apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
822 857
823 858 # Build and install fbturbo driver inside chroot
824 LANG=C chroot $R /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install"
859 chroot_exec /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install"
825 860
826 861 # Add fbturbo driver to Xorg configuration
827 862 cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf
828 863 Section "Device"
829 864 Identifier "Allwinner A10/A13 FBDEV"
830 865 Driver "fbturbo"
831 866 Option "fbdev" "/dev/fb0"
832 867 Option "SwapbuffersWait" "true"
833 868 EndSection
834 869 EOM
835 870
836 871 # Remove Xorg build dependencies
837 LANG=C chroot $R apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
872 chroot_exec apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
838 873 fi
839 874
840 875 # Remove gcc/c++ build environment from the chroot
841 876 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
842 LANG=C chroot $R apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
877 chroot_exec apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
843 878 fi
844 879
845 880 # Clean cached downloads
846 LANG=C chroot $R apt-get -y clean
847 LANG=C chroot $R apt-get -y autoclean
848 LANG=C chroot $R apt-get -y autoremove
881 chroot_exec apt-get -y clean
882 chroot_exec apt-get -y autoclean
883 chroot_exec apt-get -y autoremove
849 884
850 885 # Unmount mounted filesystems
851 886 umount -l $R/proc
852 887 umount -l $R/sys
853 888
854 889 # Clean up files
855 890 rm -f $R/etc/apt/sources.list.save
856 891 rm -f $R/etc/resolvconf/resolv.conf.d/original
857 892 rm -rf $R/run
858 893 mkdir -p $R/run
859 894 rm -f $R/etc/*-
860 895 rm -f $R/root/.bash_history
861 896 rm -rf $R/tmp/*
862 897 rm -f $R/var/lib/urandom/random-seed
863 898 [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id
864 899 rm -f $R/etc/machine-id
865 900 rm -fr $R/etc/apt/apt.conf.d/10proxy
866 901
867 902 # Calculate size of the chroot directory
868 903 CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)
869 904
870 905 # Calculate required image size
871 906 IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`
872 907
873 908 # Calculate number of sectors for the partition
874 909 IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`
875 910
876 911 # Prepare date string for image file name
877 912 DATE="$(date +%Y-%m-%d)"
878 913
879 914 # Prepare image file
880 915 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1
881 916 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}
882 917
883 918 # Write partition table
884 919 sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
885 920 unit: sectors
886 921
887 922 1 : start= 2048, size= 131072, Id= c, bootable
888 923 2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83
889 924 3 : start= 0, size= 0, Id= 0
890 925 4 : start= 0, size= 0, Id= 0
891 926 EOM
892 927
893 928 # Set up temporary loop devices and build filesystems
894 929 VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
895 930 EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
896 931 mkfs.vfat "$VFAT_LOOP"
897 932 mkfs.ext4 "$EXT4_LOOP"
898 933
899 934 # Mount the temporary loop devices
900 935 mkdir -p "$BUILDDIR/mount"
901 936 mount "$EXT4_LOOP" "$BUILDDIR/mount"
902 937
903 938 mkdir -p "$BUILDDIR/mount/boot/firmware"
904 939 mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"
905 940
906 941 # Copy all files from the chroot to the loop device mount point directory
907 942 rsync -a "$R/" "$BUILDDIR/mount/"
908 943
909 944 # Unmount all temporary loop devices and mount points
910 945 cleanup
911 946
912 947 # (optinal) create block map file for "bmaptool"
913 948 bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
914 949
915 950 # Image was successfully created
916 951 echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"