##// END OF EJS Templates
Option to disable rsyslog and improvements (also security)...
Filip Pytloun -
r45:fc8abfcaa9c7
parent child
Show More
@@ -87,6 +87,10 Enable IPv6 support. The network interface configuration is managed via systemd-
87 87 ##### `ENABLE_SSHD`=true
88 88 Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root.
89 89
90 ##### `ENABLE_RSYSLOG`=true
91 If set to false, disable and uninstall rsyslog (so logs will be available only
92 in journal files)
93
90 94 ##### `ENABLE_SOUND`=true
91 95 Enable sound hardware and install Advanced Linux Sound Architecture.
92 96
@@ -118,6 +122,16 Install and enable the hardware accelerated Xorg video driver `fbturbo`. Please
118 122 ##### `ENABLE_IPTABLES`=false
119 123 Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service.
120 124
125 ##### `ENABLE_USER`=true
126 Create pi user with password raspberry
127
128 ##### `ENABLE_ROOT`=true
129 Set root user password so root login will be enabled
130
131 ##### `ENABLE_ROOT_SSH`=true
132 Enable password root login via SSH. May be a security risk with default
133 password, use only in trusted environments.
134
121 135 ##### `ENABLE_HARDNET`=false
122 136 Enable IPv4/IPv6 network stack hardening settings.
123 137
@@ -30,11 +30,17 cleanup (){
30 30 trap - 0 1 2 3 6
31 31 }
32 32
33 # Exec command in chroot
34 chroot_exec() {
35 LANG=C LC_ALL=C chroot $R $*
36 }
37
33 38 set -e
34 39 set -x
35 40
36 41 # Debian release
37 42 RELEASE=${RELEASE:=jessie}
43 KERNEL=${KERNEL:=3.18.0-trunk-rpi2}
38 44
39 45 # Build settings
40 46 BASEDIR=./images/${RELEASE}
@@ -76,6 +82,10 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
76 82 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
77 83 ENABLE_XORG=${ENABLE_XORG:=false}
78 84 ENABLE_WM=${ENABLE_WM:=""}
85 ENABLE_RSYSLOG=${ENABLE_RSYSLOG:=true}
86 ENABLE_USER=${ENABLE_USER:=true}
87 ENABLE_ROOT=${ENABLE_ROOT:=false}
88 ENABLE_ROOT_SSH=${ENABLE_ROOT_SSH:=false}
79 89
80 90 # Advanced settings
81 91 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
@@ -173,6 +183,10 if [ "$ENABLE_HWRANDOM" = true ] ; then
173 183 APT_INCLUDES="${APT_INCLUDES},rng-tools"
174 184 fi
175 185
186 if [ "$ENABLE_USER" = true ]; then
187 APT_INCLUDES="${APT_INCLUDES},sudo"
188 fi
189
176 190 # Add fbturbo video driver
177 191 if [ "$ENABLE_FBTURBO" = true ] ; then
178 192 # Enable xorg package dependencies
@@ -228,12 +242,12 EOM
228 242
229 243 # Set up timezone
230 244 echo ${TIMEZONE} >$R/etc/timezone
231 LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata
245 chroot_exec dpkg-reconfigure -f noninteractive tzdata
232 246
233 247 # Upgrade collabora package index and install collabora keyring
234 248 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
235 LANG=C chroot $R apt-get -qq -y update
236 LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring
249 chroot_exec apt-get -qq -y update
250 chroot_exec apt-get -qq -y --force-yes install collabora-obs-archive-keyring
237 251
238 252 # Set up initial sources.list
239 253 cat <<EOM >$R/etc/apt/sources.list
@@ -250,8 +264,8 deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
250 264 EOM
251 265
252 266 # Upgrade package index and update all installed packages and changed dependencies
253 LANG=C chroot $R apt-get -qq -y update
254 LANG=C chroot $R apt-get -qq -y -u dist-upgrade
267 chroot_exec apt-get -qq -y update
268 chroot_exec apt-get -qq -y -u dist-upgrade
255 269
256 270 # Set up default locale and keyboard configuration
257 271 if [ "$ENABLE_MINBASE" = false ] ; then
@@ -259,60 +273,50 if [ "$ENABLE_MINBASE" = false ] ; then
259 273 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684134 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685957
260 274 # ... so we have to set locales manually
261 275 if [ "$DEFLOCAL" = "en_US.UTF-8" ] ; then
262 LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections
276 chroot_exec echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections
263 277 else
264 278 # en_US.UTF-8 should be available anyway : https://www.debian.org/doc/manuals/debian-reference/ch08.en.html#_the_reconfiguration_of_the_locale
265 LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections
266 LANG=C chroot $R sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen
279 chroot_exec echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections
280 chroot_exec sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen
267 281 fi
268 LANG=C chroot $R sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen
269 LANG=C chroot $R echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections
270 LANG=C chroot $R locale-gen
271 LANG=C chroot $R update-locale LANG=${DEFLOCAL}
282 chroot_exec sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen
283 chroot_exec echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections
284 chroot_exec locale-gen
285 chroot_exec update-locale LANG=${DEFLOCAL}
272 286
273 287 # Keyboard configuration, if requested
274 288 if [ "$XKBMODEL" != "" ] ; then
275 LANG=C chroot $R sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKBMODEL}\"/" /etc/default/keyboard
289 chroot_exec sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKBMODEL}\"/" /etc/default/keyboard
276 290 fi
277 291 if [ "$XKBLAYOUT" != "" ] ; then
278 LANG=C chroot $R sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKBLAYOUT}\"/" /etc/default/keyboard
292 chroot_exec sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKBLAYOUT}\"/" /etc/default/keyboard
279 293 fi
280 294 if [ "$XKBVARIANT" != "" ] ; then
281 LANG=C chroot $R sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKBVARIANT}\"/" /etc/default/keyboard
295 chroot_exec sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKBVARIANT}\"/" /etc/default/keyboard
282 296 fi
283 297 if [ "$XKBOPTIONS" != "" ] ; then
284 LANG=C chroot $R sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKBOPTIONS}\"/" /etc/default/keyboard
298 chroot_exec sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKBOPTIONS}\"/" /etc/default/keyboard
285 299 fi
286 LANG=C chroot $R dpkg-reconfigure -f noninteractive keyboard-configuration
300 chroot_exec dpkg-reconfigure -f noninteractive keyboard-configuration
287 301 # Set up font console
288 302 case "${DEFLOCAL}" in
289 303 *UTF-8)
290 LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' /etc/default/console-setup
304 chroot_exec sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' /etc/default/console-setup
291 305 ;;
292 306 *)
293 LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="guess"/' /etc/default/console-setup
307 chroot_exec sed -i 's/^CHARMAP.*/CHARMAP="guess"/' /etc/default/console-setup
294 308 ;;
295 309 esac
296 LANG=C chroot $R dpkg-reconfigure -f noninteractive console-setup
310 chroot_exec dpkg-reconfigure -f noninteractive console-setup
297 311 fi
298 312
299 313 # Kernel installation
300 314 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
301 LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2
302 LANG=C chroot $R apt-get -qq -y install flash-kernel
315 chroot_exec apt-get -qq -y --no-install-recommends install linux-image-${KERNEL} raspberrypi-bootloader-nokernel
316 chroot_exec apt-get -qq -y install flash-kernel
303 317
304 318 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
305 319 [ -z "$VMLINUZ" ] && exit 1
306 mkdir -p $R/boot/firmware
307
308 # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")
309 wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin
310 wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat
311 wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat
312 wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat
313 wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf
314 wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf
315 wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf
316 320 cp $VMLINUZ $R/boot/firmware/kernel7.img
317 321
318 322 # Set up IPv4 hosts
@@ -374,17 +378,27 EOM
374 378 fi
375 379
376 380 # Enable systemd-networkd service
377 LANG=C chroot $R systemctl enable systemd-networkd
381 chroot_exec systemctl enable systemd-networkd
378 382
379 383 # Generate crypt(3) password string
380 384 ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
381 385
382 386 # Set up default user
383 LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi
384 LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
387 if [ "$ENABLE_USER" = true ] ; then
388 chroot_exec adduser --gecos \"Raspberry PI user\" --add_extra_groups --disabled-password pi
389 chroot_exec usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
390 fi
385 391
386 # Set up root password
387 LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root
392 # Set up root password or not
393 if [ "$ENABLE_ROOT" = true ]; then
394 chroot_exec usermod -p "${ENCRYPTED_PASSWORD}" root
395
396 if [ "$ENABLE_ROOT_SSH" = true ]; then
397 sed -i 's|[#]*PermitRootLogin.*|PermitRootLogin yes|g' $R/etc/ssh/sshd_config
398 fi
399 else
400 chroot_exec usermod -p \'!\' root
401 fi
388 402
389 403 # Set up firmware boot cmdline
390 404 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
@@ -576,15 +590,36 spoof warn
576 590 EOM
577 591 fi
578 592
579 # Regenerate openssh server host keys
593 # Ensure openssh server host keys are regenerated on first boot
580 594 if [ "$ENABLE_SSHD" = true ] ; then
581 rm -fr $R/etc/ssh/ssh_host_*
582 LANG=C chroot $R dpkg-reconfigure openssh-server
595 cat <<EOM >>$R/etc/rc.firstboot
596 #!/bin/sh
597 rm -f /etc/ssh/ssh_host_*
598 ssh-keygen -q -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key
599 ssh-keygen -q -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key
600 ssh-keygen -q -t ecdsa -N "" -f /etc/ssh/ssh_host_ecdsa_key
601 ssh-keygen -q -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key
602 sync
603
604 systemctl restart sshd
605 sed -i 's/.*rc.firstboot.*/exit 0/g' /etc/rc.local
606 rm -f /etc/rc.firstboot
607 EOM
608 chmod +x $R/etc/rc.firstboot
609 sed -i 's,exit 0,/etc/rc.firstboot,g' $R/etc/rc.local
610 rm -f $R/etc/ssh/ssh_host_*
611 fi
612
613 # Disable rsyslog
614 if [ "$ENABLE_RSYSLOG" = false ]; then
615 sed -i 's|[#]*ForwardToSyslog=yes|ForwardToSyslog=no|g' $R/etc/systemd/journald.conf
616 chroot_exec systemctl disable rsyslog
617 chroot_exec apt-get purge -q -y --force-yes rsyslog
583 618 fi
584 619
585 620 # Enable serial console systemd style
586 621 if [ "$ENABLE_CONSOLE" = true ] ; then
587 LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service
622 chroot_exec systemctl enable serial-getty\@ttyAMA0.service
588 623 fi
589 624
590 625 # Enable firewall based on iptables started by systemd service
@@ -671,8 +706,8 COMMIT
671 706 EOM
672 707
673 708 # Reload systemd configuration and enable iptables service
674 LANG=C chroot $R systemctl daemon-reload
675 LANG=C chroot $R systemctl enable iptables.service
709 chroot_exec systemctl daemon-reload
710 chroot_exec systemctl enable iptables.service
676 711
677 712 if [ "$ENABLE_IPV6" = true ] ; then
678 713 # Create ip6tables systemd service
@@ -762,8 +797,8 COMMIT
762 797 EOM
763 798
764 799 # Reload systemd configuration and enable iptables service
765 LANG=C chroot $R systemctl daemon-reload
766 LANG=C chroot $R systemctl enable ip6tables.service
800 chroot_exec systemctl daemon-reload
801 chroot_exec systemctl enable ip6tables.service
767 802 fi
768 803 fi
769 804
@@ -775,7 +810,7 fi
775 810
776 811 # Install gcc/c++ build environment inside the chroot
777 812 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
778 LANG=C chroot $R apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
813 chroot_exec apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
779 814 fi
780 815
781 816 # Fetch and build U-Boot bootloader
@@ -784,7 +819,7 if [ "$ENABLE_UBOOT" = true ] ; then
784 819 git -C $R/tmp clone git://git.denx.de/u-boot.git
785 820
786 821 # Build and install U-Boot inside chroot
787 LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all
822 chroot_exec make -C /tmp/u-boot/ rpi_2_defconfig all
788 823
789 824 # Copy compiled bootloader binary and set config.txt to load it
790 825 cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
@@ -809,7 +844,7 bootz \${kernel_addr_r}
809 844 EOM
810 845
811 846 # Generate U-Boot image from command file
812 LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
847 chroot_exec mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
813 848 fi
814 849
815 850 # Fetch and build fbturbo Xorg driver
@@ -818,10 +853,10 if [ "$ENABLE_FBTURBO" = true ] ; then
818 853 git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git
819 854
820 855 # Install Xorg build dependencies
821 LANG=C chroot $R apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
856 chroot_exec apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
822 857
823 858 # Build and install fbturbo driver inside chroot
824 LANG=C chroot $R /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install"
859 chroot_exec /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install"
825 860
826 861 # Add fbturbo driver to Xorg configuration
827 862 cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf
@@ -834,18 +869,18 EndSection
834 869 EOM
835 870
836 871 # Remove Xorg build dependencies
837 LANG=C chroot $R apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
872 chroot_exec apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
838 873 fi
839 874
840 875 # Remove gcc/c++ build environment from the chroot
841 876 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
842 LANG=C chroot $R apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
877 chroot_exec apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
843 878 fi
844 879
845 880 # Clean cached downloads
846 LANG=C chroot $R apt-get -y clean
847 LANG=C chroot $R apt-get -y autoclean
848 LANG=C chroot $R apt-get -y autoremove
881 chroot_exec apt-get -y clean
882 chroot_exec apt-get -y autoclean
883 chroot_exec apt-get -y autoremove
849 884
850 885 # Unmount mounted filesystems
851 886 umount -l $R/proc
General Comments 0
Vous devez vous connecter pour laisser un commentaire. Se connecter maintenant