@@ -87,6 +87,10 Enable IPv6 support. The network interface configuration is managed via systemd- | |||
|
87 | 87 | ##### `ENABLE_SSHD`=true |
|
88 | 88 | Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root. |
|
89 | 89 | |
|
90 | ##### `ENABLE_RSYSLOG`=true | |
|
91 | If set to false, disable and uninstall rsyslog (so logs will be available only | |
|
92 | in journal files) | |
|
93 | ||
|
90 | 94 | ##### `ENABLE_SOUND`=true |
|
91 | 95 | Enable sound hardware and install Advanced Linux Sound Architecture. |
|
92 | 96 | |
@@ -118,6 +122,16 Install and enable the hardware accelerated Xorg video driver `fbturbo`. Please | |||
|
118 | 122 | ##### `ENABLE_IPTABLES`=false |
|
119 | 123 | Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service. |
|
120 | 124 | |
|
125 | ##### `ENABLE_USER`=true | |
|
126 | Create pi user with password raspberry | |
|
127 | ||
|
128 | ##### `ENABLE_ROOT`=true | |
|
129 | Set root user password so root login will be enabled | |
|
130 | ||
|
131 | ##### `ENABLE_ROOT_SSH`=true | |
|
132 | Enable password root login via SSH. May be a security risk with default | |
|
133 | password, use only in trusted environments. | |
|
134 | ||
|
121 | 135 | ##### `ENABLE_HARDNET`=false |
|
122 | 136 | Enable IPv4/IPv6 network stack hardening settings. |
|
123 | 137 |
@@ -30,11 +30,17 cleanup (){ | |||
|
30 | 30 | trap - 0 1 2 3 6 |
|
31 | 31 | } |
|
32 | 32 | |
|
33 | # Exec command in chroot | |
|
34 | chroot_exec() { | |
|
35 | LANG=C LC_ALL=C chroot $R $* | |
|
36 | } | |
|
37 | ||
|
33 | 38 | set -e |
|
34 | 39 | set -x |
|
35 | 40 | |
|
36 | 41 | # Debian release |
|
37 | 42 | RELEASE=${RELEASE:=jessie} |
|
43 | KERNEL=${KERNEL:=3.18.0-trunk-rpi2} | |
|
38 | 44 | |
|
39 | 45 | # Build settings |
|
40 | 46 | BASEDIR=./images/${RELEASE} |
@@ -76,6 +82,10 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true} | |||
|
76 | 82 | ENABLE_MINGPU=${ENABLE_MINGPU:=false} |
|
77 | 83 | ENABLE_XORG=${ENABLE_XORG:=false} |
|
78 | 84 | ENABLE_WM=${ENABLE_WM:=""} |
|
85 | ENABLE_RSYSLOG=${ENABLE_RSYSLOG:=true} | |
|
86 | ENABLE_USER=${ENABLE_USER:=true} | |
|
87 | ENABLE_ROOT=${ENABLE_ROOT:=false} | |
|
88 | ENABLE_ROOT_SSH=${ENABLE_ROOT_SSH:=false} | |
|
79 | 89 | |
|
80 | 90 | # Advanced settings |
|
81 | 91 | ENABLE_MINBASE=${ENABLE_MINBASE:=false} |
@@ -173,6 +183,10 if [ "$ENABLE_HWRANDOM" = true ] ; then | |||
|
173 | 183 | APT_INCLUDES="${APT_INCLUDES},rng-tools" |
|
174 | 184 | fi |
|
175 | 185 | |
|
186 | if [ "$ENABLE_USER" = true ]; then | |
|
187 | APT_INCLUDES="${APT_INCLUDES},sudo" | |
|
188 | fi | |
|
189 | ||
|
176 | 190 | # Add fbturbo video driver |
|
177 | 191 | if [ "$ENABLE_FBTURBO" = true ] ; then |
|
178 | 192 | # Enable xorg package dependencies |
@@ -228,12 +242,12 EOM | |||
|
228 | 242 | |
|
229 | 243 | # Set up timezone |
|
230 | 244 | echo ${TIMEZONE} >$R/etc/timezone |
|
231 |
|
|
|
245 | chroot_exec dpkg-reconfigure -f noninteractive tzdata | |
|
232 | 246 | |
|
233 | 247 | # Upgrade collabora package index and install collabora keyring |
|
234 | 248 | echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list |
|
235 |
|
|
|
236 |
|
|
|
249 | chroot_exec apt-get -qq -y update | |
|
250 | chroot_exec apt-get -qq -y --force-yes install collabora-obs-archive-keyring | |
|
237 | 251 | |
|
238 | 252 | # Set up initial sources.list |
|
239 | 253 | cat <<EOM >$R/etc/apt/sources.list |
@@ -250,8 +264,8 deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2 | |||
|
250 | 264 | EOM |
|
251 | 265 | |
|
252 | 266 | # Upgrade package index and update all installed packages and changed dependencies |
|
253 |
|
|
|
254 |
|
|
|
267 | chroot_exec apt-get -qq -y update | |
|
268 | chroot_exec apt-get -qq -y -u dist-upgrade | |
|
255 | 269 | |
|
256 | 270 | # Set up default locale and keyboard configuration |
|
257 | 271 | if [ "$ENABLE_MINBASE" = false ] ; then |
@@ -259,60 +273,50 if [ "$ENABLE_MINBASE" = false ] ; then | |||
|
259 | 273 | # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684134 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685957 |
|
260 | 274 | # ... so we have to set locales manually |
|
261 | 275 | if [ "$DEFLOCAL" = "en_US.UTF-8" ] ; then |
|
262 |
|
|
|
276 | chroot_exec echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections | |
|
263 | 277 | else |
|
264 | 278 | # en_US.UTF-8 should be available anyway : https://www.debian.org/doc/manuals/debian-reference/ch08.en.html#_the_reconfiguration_of_the_locale |
|
265 |
|
|
|
266 |
|
|
|
279 | chroot_exec echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections | |
|
280 | chroot_exec sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen | |
|
267 | 281 | fi |
|
268 |
|
|
|
269 |
|
|
|
270 |
|
|
|
271 |
|
|
|
282 | chroot_exec sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen | |
|
283 | chroot_exec echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections | |
|
284 | chroot_exec locale-gen | |
|
285 | chroot_exec update-locale LANG=${DEFLOCAL} | |
|
272 | 286 | |
|
273 | 287 | # Keyboard configuration, if requested |
|
274 | 288 | if [ "$XKBMODEL" != "" ] ; then |
|
275 |
|
|
|
289 | chroot_exec sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKBMODEL}\"/" /etc/default/keyboard | |
|
276 | 290 | fi |
|
277 | 291 | if [ "$XKBLAYOUT" != "" ] ; then |
|
278 |
|
|
|
292 | chroot_exec sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKBLAYOUT}\"/" /etc/default/keyboard | |
|
279 | 293 | fi |
|
280 | 294 | if [ "$XKBVARIANT" != "" ] ; then |
|
281 |
|
|
|
295 | chroot_exec sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKBVARIANT}\"/" /etc/default/keyboard | |
|
282 | 296 | fi |
|
283 | 297 | if [ "$XKBOPTIONS" != "" ] ; then |
|
284 |
|
|
|
298 | chroot_exec sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKBOPTIONS}\"/" /etc/default/keyboard | |
|
285 | 299 | fi |
|
286 |
|
|
|
300 | chroot_exec dpkg-reconfigure -f noninteractive keyboard-configuration | |
|
287 | 301 | # Set up font console |
|
288 | 302 | case "${DEFLOCAL}" in |
|
289 | 303 | *UTF-8) |
|
290 |
|
|
|
304 | chroot_exec sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' /etc/default/console-setup | |
|
291 | 305 | ;; |
|
292 | 306 | *) |
|
293 |
|
|
|
307 | chroot_exec sed -i 's/^CHARMAP.*/CHARMAP="guess"/' /etc/default/console-setup | |
|
294 | 308 | ;; |
|
295 | 309 | esac |
|
296 |
|
|
|
310 | chroot_exec dpkg-reconfigure -f noninteractive console-setup | |
|
297 | 311 | fi |
|
298 | 312 | |
|
299 | 313 | # Kernel installation |
|
300 | 314 | # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot |
|
301 |
|
|
|
302 |
|
|
|
315 | chroot_exec apt-get -qq -y --no-install-recommends install linux-image-${KERNEL} raspberrypi-bootloader-nokernel | |
|
316 | chroot_exec apt-get -qq -y install flash-kernel | |
|
303 | 317 | |
|
304 | 318 | VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)" |
|
305 | 319 | [ -z "$VMLINUZ" ] && exit 1 |
|
306 | mkdir -p $R/boot/firmware | |
|
307 | ||
|
308 | # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10") | |
|
309 | wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin | |
|
310 | wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat | |
|
311 | wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat | |
|
312 | wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat | |
|
313 | wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf | |
|
314 | wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf | |
|
315 | wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf | |
|
316 | 320 | cp $VMLINUZ $R/boot/firmware/kernel7.img |
|
317 | 321 | |
|
318 | 322 | # Set up IPv4 hosts |
@@ -374,17 +378,27 EOM | |||
|
374 | 378 | fi |
|
375 | 379 | |
|
376 | 380 | # Enable systemd-networkd service |
|
377 |
|
|
|
381 | chroot_exec systemctl enable systemd-networkd | |
|
378 | 382 | |
|
379 | 383 | # Generate crypt(3) password string |
|
380 | 384 | ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}` |
|
381 | 385 | |
|
382 | 386 | # Set up default user |
|
383 | LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi | |
|
384 | LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi | |
|
387 | if [ "$ENABLE_USER" = true ] ; then | |
|
388 | chroot_exec adduser --gecos \"Raspberry PI user\" --add_extra_groups --disabled-password pi | |
|
389 | chroot_exec usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi | |
|
390 | fi | |
|
385 | 391 | |
|
386 | # Set up root password | |
|
387 | LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root | |
|
392 | # Set up root password or not | |
|
393 | if [ "$ENABLE_ROOT" = true ]; then | |
|
394 | chroot_exec usermod -p "${ENCRYPTED_PASSWORD}" root | |
|
395 | ||
|
396 | if [ "$ENABLE_ROOT_SSH" = true ]; then | |
|
397 | sed -i 's|[#]*PermitRootLogin.*|PermitRootLogin yes|g' $R/etc/ssh/sshd_config | |
|
398 | fi | |
|
399 | else | |
|
400 | chroot_exec usermod -p \'!\' root | |
|
401 | fi | |
|
388 | 402 | |
|
389 | 403 | # Set up firmware boot cmdline |
|
390 | 404 | CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1" |
@@ -576,15 +590,36 spoof warn | |||
|
576 | 590 | EOM |
|
577 | 591 | fi |
|
578 | 592 | |
|
579 |
# |
|
|
593 | # Ensure openssh server host keys are regenerated on first boot | |
|
580 | 594 | if [ "$ENABLE_SSHD" = true ] ; then |
|
581 | rm -fr $R/etc/ssh/ssh_host_* | |
|
582 | LANG=C chroot $R dpkg-reconfigure openssh-server | |
|
595 | cat <<EOM >>$R/etc/rc.firstboot | |
|
596 | #!/bin/sh | |
|
597 | rm -f /etc/ssh/ssh_host_* | |
|
598 | ssh-keygen -q -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key | |
|
599 | ssh-keygen -q -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key | |
|
600 | ssh-keygen -q -t ecdsa -N "" -f /etc/ssh/ssh_host_ecdsa_key | |
|
601 | ssh-keygen -q -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key | |
|
602 | sync | |
|
603 | ||
|
604 | systemctl restart sshd | |
|
605 | sed -i 's/.*rc.firstboot.*/exit 0/g' /etc/rc.local | |
|
606 | rm -f /etc/rc.firstboot | |
|
607 | EOM | |
|
608 | chmod +x $R/etc/rc.firstboot | |
|
609 | sed -i 's,exit 0,/etc/rc.firstboot,g' $R/etc/rc.local | |
|
610 | rm -f $R/etc/ssh/ssh_host_* | |
|
611 | fi | |
|
612 | ||
|
613 | # Disable rsyslog | |
|
614 | if [ "$ENABLE_RSYSLOG" = false ]; then | |
|
615 | sed -i 's|[#]*ForwardToSyslog=yes|ForwardToSyslog=no|g' $R/etc/systemd/journald.conf | |
|
616 | chroot_exec systemctl disable rsyslog | |
|
617 | chroot_exec apt-get purge -q -y --force-yes rsyslog | |
|
583 | 618 | fi |
|
584 | 619 | |
|
585 | 620 | # Enable serial console systemd style |
|
586 | 621 | if [ "$ENABLE_CONSOLE" = true ] ; then |
|
587 |
|
|
|
622 | chroot_exec systemctl enable serial-getty\@ttyAMA0.service | |
|
588 | 623 | fi |
|
589 | 624 | |
|
590 | 625 | # Enable firewall based on iptables started by systemd service |
@@ -671,8 +706,8 COMMIT | |||
|
671 | 706 | EOM |
|
672 | 707 | |
|
673 | 708 | # Reload systemd configuration and enable iptables service |
|
674 |
|
|
|
675 |
|
|
|
709 | chroot_exec systemctl daemon-reload | |
|
710 | chroot_exec systemctl enable iptables.service | |
|
676 | 711 | |
|
677 | 712 | if [ "$ENABLE_IPV6" = true ] ; then |
|
678 | 713 | # Create ip6tables systemd service |
@@ -762,8 +797,8 COMMIT | |||
|
762 | 797 | EOM |
|
763 | 798 | |
|
764 | 799 | # Reload systemd configuration and enable iptables service |
|
765 |
|
|
|
766 |
|
|
|
800 | chroot_exec systemctl daemon-reload | |
|
801 | chroot_exec systemctl enable ip6tables.service | |
|
767 | 802 | fi |
|
768 | 803 | fi |
|
769 | 804 | |
@@ -775,7 +810,7 fi | |||
|
775 | 810 | |
|
776 | 811 | # Install gcc/c++ build environment inside the chroot |
|
777 | 812 | if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then |
|
778 |
|
|
|
813 | chroot_exec apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc | |
|
779 | 814 | fi |
|
780 | 815 | |
|
781 | 816 | # Fetch and build U-Boot bootloader |
@@ -784,7 +819,7 if [ "$ENABLE_UBOOT" = true ] ; then | |||
|
784 | 819 | git -C $R/tmp clone git://git.denx.de/u-boot.git |
|
785 | 820 | |
|
786 | 821 | # Build and install U-Boot inside chroot |
|
787 |
|
|
|
822 | chroot_exec make -C /tmp/u-boot/ rpi_2_defconfig all | |
|
788 | 823 | |
|
789 | 824 | # Copy compiled bootloader binary and set config.txt to load it |
|
790 | 825 | cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/ |
@@ -809,7 +844,7 bootz \${kernel_addr_r} | |||
|
809 | 844 | EOM |
|
810 | 845 | |
|
811 | 846 | # Generate U-Boot image from command file |
|
812 |
|
|
|
847 | chroot_exec mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr | |
|
813 | 848 | fi |
|
814 | 849 | |
|
815 | 850 | # Fetch and build fbturbo Xorg driver |
@@ -818,10 +853,10 if [ "$ENABLE_FBTURBO" = true ] ; then | |||
|
818 | 853 | git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git |
|
819 | 854 | |
|
820 | 855 | # Install Xorg build dependencies |
|
821 |
|
|
|
856 | chroot_exec apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev | |
|
822 | 857 | |
|
823 | 858 | # Build and install fbturbo driver inside chroot |
|
824 |
|
|
|
859 | chroot_exec /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install" | |
|
825 | 860 | |
|
826 | 861 | # Add fbturbo driver to Xorg configuration |
|
827 | 862 | cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf |
@@ -834,18 +869,18 EndSection | |||
|
834 | 869 | EOM |
|
835 | 870 | |
|
836 | 871 | # Remove Xorg build dependencies |
|
837 |
|
|
|
872 | chroot_exec apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev | |
|
838 | 873 | fi |
|
839 | 874 | |
|
840 | 875 | # Remove gcc/c++ build environment from the chroot |
|
841 | 876 | if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then |
|
842 |
|
|
|
877 | chroot_exec apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make | |
|
843 | 878 | fi |
|
844 | 879 | |
|
845 | 880 | # Clean cached downloads |
|
846 |
|
|
|
847 |
|
|
|
848 |
|
|
|
881 | chroot_exec apt-get -y clean | |
|
882 | chroot_exec apt-get -y autoclean | |
|
883 | chroot_exec apt-get -y autoremove | |
|
849 | 884 | |
|
850 | 885 | # Unmount mounted filesystems |
|
851 | 886 | umount -l $R/proc |
General Comments 0
Vous devez vous connecter pour laisser un commentaire.
Se connecter maintenant