Option to disable rsyslog and improvements (also security)...
Filip Pytloun -
r45:fc8abfcaa9c7
@@ -1,138 +1,152
1 # rpi2-gen-image
1 # rpi2-gen-image
2 ## Introduction
2 ## Introduction
3 `rpi2-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for the Raspberry 2 (RPi2) computer. The script at this time only supports the bootstrapping of the current stable Debian 8 "jessie" release.
3 `rpi2-gen-image.sh` is an advanced Debian Linux bootstrapping shell script for generating Debian OS images for the Raspberry 2 (RPi2) computer. The script at this time only supports the bootstrapping of the current stable Debian 8 "jessie" release.
4
4
5 ## Build dependencies
5 ## Build dependencies
6 The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user.
6 The following list of Debian packages must be installed on the build system because they are essentially required for the bootstrapping process. The script will check if all required packages are installed and missing packages will be installed automatically if confirmed by the user.
7
7
8 ```debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core```
8 ```debootstrap debian-archive-keyring qemu-user-static dosfstools rsync bmap-tools whois git-core```
9
9
10 ## Command-line parameters
10 ## Command-line parameters
11 The script accepts certain command-line parameters to enable or disable specific OS features, services and configuration settings. These parameters are passed to the `rpi2-gen-image.sh` script via (simple) shell-variables. Unlike environment shell-variables (simple) shell-variables are defined at the beginning of the command-line call of the `rpi2-gen-image.sh` script.
11 The script accepts certain command-line parameters to enable or disable specific OS features, services and configuration settings. These parameters are passed to the `rpi2-gen-image.sh` script via (simple) shell-variables. Unlike environment shell-variables (simple) shell-variables are defined at the beginning of the command-line call of the `rpi2-gen-image.sh` script.
12
12
13 #####Command-line examples:
13 #####Command-line examples:
14 ```shell
14 ```shell
15 ENABLE_UBOOT=true ./rpi2-gen-image.sh
15 ENABLE_UBOOT=true ./rpi2-gen-image.sh
16 ENABLE_CONSOLE=false ENABLE_IPV6=false ./rpi2-gen-image.sh
16 ENABLE_CONSOLE=false ENABLE_IPV6=false ./rpi2-gen-image.sh
17 ENABLE_WM=xfce4 ENABLE_FBTURBO=true ENABLE_MINBASE=true ./rpi2-gen-image.sh
17 ENABLE_WM=xfce4 ENABLE_FBTURBO=true ENABLE_MINBASE=true ./rpi2-gen-image.sh
18 ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi2-gen-image.sh
18 ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi2-gen-image.sh
19 APT_SERVER=ftp.de.debian.org APT_PROXY="http://127.0.0.1:3142/" ./rpi2-gen-image.sh
19 APT_SERVER=ftp.de.debian.org APT_PROXY="http://127.0.0.1:3142/" ./rpi2-gen-image.sh
20 ENABLE_MINBASE=true ./rpi2-gen-image.sh
20 ENABLE_MINBASE=true ./rpi2-gen-image.sh
21 ```
21 ```
22
22
23 #### APT settings:
23 #### APT settings:
24 ##### `APT_SERVER`="ftp.debian.org"
24 ##### `APT_SERVER`="ftp.debian.org"
25 Set Debian packages server address. Choose a server from the list of Debian worldwide [mirror sites](https://www.debian.org/mirror/list). Using a nearby server will probably speed-up all required downloads within the bootstrapping process.
25 Set Debian packages server address. Choose a server from the list of Debian worldwide [mirror sites](https://www.debian.org/mirror/list). Using a nearby server will probably speed-up all required downloads within the bootstrapping process.
26
26
27 ##### `APT_PROXY`=""
27 ##### `APT_PROXY`=""
28 Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once.
28 Set Proxy server address. Using a local Proxy-Cache like `apt-cacher-ng` will speed-up the bootstrapping process because all required Debian packages will only be downloaded from the Debian mirror site once.
29
29
30 ##### `APT_INCLUDES`=""
30 ##### `APT_INCLUDES`=""
31 A comma seperated list of additional packages to be installed during bootstrapping.
31 A comma seperated list of additional packages to be installed during bootstrapping.
32
32
33 #### General system settings:
33 #### General system settings:
34 ##### `HOSTNAME`="rpi2-jessie"
34 ##### `HOSTNAME`="rpi2-jessie"
35 Set system host name. It's recommended that the host name is unique in the corresponding subnet.
35 Set system host name. It's recommended that the host name is unique in the corresponding subnet.
36
36
37 ##### `PASSWORD`="raspberry"
37 ##### `PASSWORD`="raspberry"
38 Set system `root` password. The same password is used for the created user `pi`. It's **STRONGLY** recommended that you choose a custom password.
38 Set system `root` password. The same password is used for the created user `pi`. It's **STRONGLY** recommended that you choose a custom password.
39
39
40 ##### `DEFLOCAL`="en_US.UTF-8"
40 ##### `DEFLOCAL`="en_US.UTF-8"
41 Set default system locale. This setting can also be changed inside the running OS using the `dpkg-reconfigure locales` command. The script variant `minbase` (ENABLE_MINBASE=true) doesn't install `locales`.
41 Set default system locale. This setting can also be changed inside the running OS using the `dpkg-reconfigure locales` command. The script variant `minbase` (ENABLE_MINBASE=true) doesn't install `locales`.
42
42
43 ##### `TIMEZONE`="Europe/Berlin"
43 ##### `TIMEZONE`="Europe/Berlin"
44 Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command.
44 Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command.
45
45
46 #### Keyboard settings:
46 #### Keyboard settings:
47 These options are used to configure keyboard layout in `/etc/default/keyboard` for console and Xorg. These settings can also be changed inside the running OS using the `dpkg-reconfigure keyboard-configuration` command.
47 These options are used to configure keyboard layout in `/etc/default/keyboard` for console and Xorg. These settings can also be changed inside the running OS using the `dpkg-reconfigure keyboard-configuration` command.
48 ##### `XKBMODEL`=""
48 ##### `XKBMODEL`=""
49 ##### `XKBLAYOUT`=""
49 ##### `XKBLAYOUT`=""
50 ##### `XKBVARIANT`=""
50 ##### `XKBVARIANT`=""
51 ##### `XKBOPTIONS`=""
51 ##### `XKBOPTIONS`=""
52
52
53 #### Networking settings
53 #### Networking settings
54 These settings are used to set up networking configuration in `/etc/systemd/network/eth.network`.
54 These settings are used to set up networking configuration in `/etc/systemd/network/eth.network`.
55
55
56 #####`ENABLE_DHCP`=true
56 #####`ENABLE_DHCP`=true
57 Set the system to use DHCP. When set to "true", the following `NET_*` settings (used for static configuration) are ignored.
57 Set the system to use DHCP. When set to "true", the following `NET_*` settings (used for static configuration) are ignored.
58
58
59 #####`NET_ADDRESS`=""
59 #####`NET_ADDRESS`=""
60 Set a static IPv4 or IPv6 address and its prefix, separated by "/", eg. "192.169.0.3/24".
60 Set a static IPv4 or IPv6 address and its prefix, separated by "/", eg. "192.169.0.3/24".
61
61
62 #####`NET_GATEWAY`=""
62 #####`NET_GATEWAY`=""
63 Set the IP address for the default gateway.
63 Set the IP address for the default gateway.
64
64
65 #####`NET_DNS_1`=""
65 #####`NET_DNS_1`=""
66 Set the IP address for the first DNS server.
66 Set the IP address for the first DNS server.
67
67
68 #####`NET_DNS_2`=""
68 #####`NET_DNS_2`=""
69 Set the IP address for the second DNS server.
69 Set the IP address for the second DNS server.
70
70
71 #####`NET_DNS_DOMAINS`=""
71 #####`NET_DNS_DOMAINS`=""
72 Set the default DNS search domains to use for non fully qualified host names.
72 Set the default DNS search domains to use for non fully qualified host names.
73
73
74 #####`NET_NTP_1`=""
74 #####`NET_NTP_1`=""
75 Set the IP address for the first NTP server.
75 Set the IP address for the first NTP server.
76
76
77 #####`NET_NTP_2`=""
77 #####`NET_NTP_2`=""
78 Set the IP address for the second NTP server.
78 Set the IP address for the second NTP server.
79
79
80 #### Basic system features:
80 #### Basic system features:
81 ##### `ENABLE_CONSOLE`=true
81 ##### `ENABLE_CONSOLE`=true
82 Enable serial console interface. Recommended if no monitor or keyboard is connected to the RPi2. In case of problems fe. if the network (auto) configuration failed - the serial console can be used to access the system.
82 Enable serial console interface. Recommended if no monitor or keyboard is connected to the RPi2. In case of problems fe. if the network (auto) configuration failed - the serial console can be used to access the system.
83
83
84 ##### `ENABLE_IPV6`=true
84 ##### `ENABLE_IPV6`=true
85 Enable IPv6 support. The network interface configuration is managed via systemd-networkd.
85 Enable IPv6 support. The network interface configuration is managed via systemd-networkd.
86
86
87 ##### `ENABLE_SSHD`=true
87 ##### `ENABLE_SSHD`=true
88 Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root.
88 Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root.
89
89
90 ##### `ENABLE_RSYSLOG`=true
91 If set to false, disable and uninstall rsyslog (so logs will be available only
92 in journal files)
93
90 ##### `ENABLE_SOUND`=true
94 ##### `ENABLE_SOUND`=true
91 Enable sound hardware and install Advanced Linux Sound Architecture.
95 Enable sound hardware and install Advanced Linux Sound Architecture.
92
96
93 ##### `ENABLE_HWRANDOM`=true
97 ##### `ENABLE_HWRANDOM`=true
94 Enable Hardware Random Number Generator. Strong random numbers are important for most network based communications that use encryption. It's recommended to be enabled.
98 Enable Hardware Random Number Generator. Strong random numbers are important for most network based communications that use encryption. It's recommended to be enabled.
95
99
96 ##### `ENABLE_MINGPU`=false
100 ##### `ENABLE_MINGPU`=false
97 Minimize the amount of shared memory reserved for the GPU. It doesn't seem to be possible to fully disable the GPU.
101 Minimize the amount of shared memory reserved for the GPU. It doesn't seem to be possible to fully disable the GPU.
98
102
99 ##### `ENABLE_DBUS`=true
103 ##### `ENABLE_DBUS`=true
100 Install and enable D-Bus message bus. Please note that systemd should work without D-bus but it's recommended to be enabled.
104 Install and enable D-Bus message bus. Please note that systemd should work without D-bus but it's recommended to be enabled.
101
105
102 ##### `ENABLE_XORG`=false
106 ##### `ENABLE_XORG`=false
103 Install Xorg open-source X Window System.
107 Install Xorg open-source X Window System.
104
108
105 ##### `ENABLE_WM`=""
109 ##### `ENABLE_WM`=""
106 Install a user defined window manager for the X Window System. To make sure all X related package dependencies are getting installed `ENABLE_XORG` will automatically get enabled if `ENABLE_WM` is used. The `rpi2-gen-image.sh` script has been tested with the following list of window managers: `blackbox`, `openbox`, `fluxbox`, `jwm`, `dwm`, `xfce4`, `awesome`.
110 Install a user defined window manager for the X Window System. To make sure all X related package dependencies are getting installed `ENABLE_XORG` will automatically get enabled if `ENABLE_WM` is used. The `rpi2-gen-image.sh` script has been tested with the following list of window managers: `blackbox`, `openbox`, `fluxbox`, `jwm`, `dwm`, `xfce4`, `awesome`.
107
111
108 #### Advanced sytem features:
112 #### Advanced sytem features:
109 ##### `ENABLE_MINBASE`=false
113 ##### `ENABLE_MINBASE`=false
110 Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB.
114 Use debootstrap script variant `minbase` which only includes essential packages and apt. This will reduce the disk usage by about 65 MB.
111
115
112 ##### `ENABLE_UBOOT`=false
116 ##### `ENABLE_UBOOT`=false
113 Replace default RPi2 second stage bootloader (bootcode.bin) with U-Boot bootloader. U-Boot can boot images via the network using the BOOTP/TFTP protocol.
117 Replace default RPi2 second stage bootloader (bootcode.bin) with U-Boot bootloader. U-Boot can boot images via the network using the BOOTP/TFTP protocol.
114
118
115 ##### `ENABLE_FBTURBO`=false
119 ##### `ENABLE_FBTURBO`=false
116 Install and enable the hardware accelerated Xorg video driver `fbturbo`. Please note that this driver is currently limited to hardware accelerated window moving and scrolling.
120 Install and enable the hardware accelerated Xorg video driver `fbturbo`. Please note that this driver is currently limited to hardware accelerated window moving and scrolling.
117
121
118 ##### `ENABLE_IPTABLES`=false
122 ##### `ENABLE_IPTABLES`=false
119 Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service.
123 Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service.
120
124
125 ##### `ENABLE_USER`=true
126 Create pi user with password raspberry
127
128 ##### `ENABLE_ROOT`=true
129 Set root user password so root login will be enabled
130
131 ##### `ENABLE_ROOT_SSH`=true
132 Enable password root login via SSH. May be a security risk with default
133 password, use only in trusted environments.
134
121 ##### `ENABLE_HARDNET`=false
135 ##### `ENABLE_HARDNET`=false
122 Enable IPv4/IPv6 network stack hardening settings.
136 Enable IPv4/IPv6 network stack hardening settings.
123
137
124 ## Logging of the bootstrapping process
138 ## Logging of the bootstrapping process
125 All information related to the bootstrapping process and the commands executed by the `rpi2-gen-image.sh` script can easily be saved into a logfile. The common shell command `script` can be used for this purpose:
139 All information related to the bootstrapping process and the commands executed by the `rpi2-gen-image.sh` script can easily be saved into a logfile. The common shell command `script` can be used for this purpose:
126
140
127 ```shell
141 ```shell
128 script -c 'APT_SERVER=ftp.de.debian.org ./rpi2-gen-image.sh' ./build.log
142 script -c 'APT_SERVER=ftp.de.debian.org ./rpi2-gen-image.sh' ./build.log
129 ```
143 ```
130
144
131 ## Flashing the image file
145 ## Flashing the image file
132 After the image file was successfully created by the `rpi2-gen-image.sh` script it can be copied to the microSD card that will be used by the RPi2 computer. This can be performed by using the tools `bmaptool` or `dd`. Using `bmaptool` will probably speed-up the copy process because `bmaptool` copies more wisely than `dd`.
146 After the image file was successfully created by the `rpi2-gen-image.sh` script it can be copied to the microSD card that will be used by the RPi2 computer. This can be performed by using the tools `bmaptool` or `dd`. Using `bmaptool` will probably speed-up the copy process because `bmaptool` copies more wisely than `dd`.
133
147
134 #####Flashing examples:
148 #####Flashing examples:
135 ```shell
149 ```shell
136 bmaptool copy ./images/jessie/2015-12-13-debian-jessie.img /dev/mmcblk0
150 bmaptool copy ./images/jessie/2015-12-13-debian-jessie.img /dev/mmcblk0
137 dd bs=4M if=./images/jessie/2015-12-13-debian-jessie.img of=/dev/mmcblk0
151 dd bs=4M if=./images/jessie/2015-12-13-debian-jessie.img of=/dev/mmcblk0
138 ```
152 ```
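Review bot: the documented defaults for the two new root-related options (`##### ENABLE_ROOT=true` and `##### ENABLE_ROOT_SSH=true`) contradict the defaults this same commit sets in the script (`ENABLE_ROOT=${ENABLE_ROOT:=false}` and `ENABLE_ROOT_SSH=${ENABLE_ROOT_SSH:=false}`); change both headings to `=false` so the README matches the code, otherwise a reader would assume password root login over SSH is on by default. Two smaller follow-ups in the same hunk: the `ENABLE_SSHD` paragraph still states unconditionally that "The default configuration of the service doesn't allow `root` to login", which stops being true once `ENABLE_ROOT_SSH=true` is set, so point it at `ENABLE_ROOT_SSH`; and `ENABLE_USER` says "Create pi user with password raspberry", whereas the password actually comes from `PASSWORD` (default `raspberry`), so word it as "Create user `pi` with the password given by `PASSWORD`". Unrelated but adjacent: the example line `ENABLE_HARDNET=true ENABLE_IPTABLES=true /rpi2-gen-image.sh` is missing the `./` prefix.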
@@ -1,916 +1,951
1 #!/bin/sh
1 #!/bin/sh
2
2
3 ########################################################################
3 ########################################################################
4 # rpi2-gen-image.sh ver2a 12/2015
4 # rpi2-gen-image.sh ver2a 12/2015
5 #
5 #
6 # Advanced debian "jessie" bootstrap script for RPi2
6 # Advanced debian "jessie" bootstrap script for RPi2
7 #
7 #
8 # This program is free software; you can redistribute it and/or
8 # This program is free software; you can redistribute it and/or
9 # modify it under the terms of the GNU General Public License
9 # modify it under the terms of the GNU General Public License
10 # as published by the Free Software Foundation; either version 2
10 # as published by the Free Software Foundation; either version 2
11 # of the License, or (at your option) any later version.
11 # of the License, or (at your option) any later version.
12 #
12 #
13 # some parts based on rpi2-build-image:
13 # some parts based on rpi2-build-image:
14 # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
14 # Copyright (C) 2015 Ryan Finnie <ryan@finnie.org>
15 # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
15 # Copyright (C) 2015 Luca Falavigna <dktrkranz@debian.org>
16 ########################################################################
16 ########################################################################
17
17
18 # Clean up all temporary mount points
18 # Clean up all temporary mount points
19 cleanup (){
19 cleanup (){
20 set +x
20 set +x
21 set +e
21 set +e
22 echo "removing temporary mount points ..."
22 echo "removing temporary mount points ..."
23 umount -l $R/proc 2> /dev/null
23 umount -l $R/proc 2> /dev/null
24 umount -l $R/sys 2> /dev/null
24 umount -l $R/sys 2> /dev/null
25 umount -l $R/dev/pts 2> /dev/null
25 umount -l $R/dev/pts 2> /dev/null
26 umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
26 umount "$BUILDDIR/mount/boot/firmware" 2> /dev/null
27 umount "$BUILDDIR/mount" 2> /dev/null
27 umount "$BUILDDIR/mount" 2> /dev/null
28 losetup -d "$EXT4_LOOP" 2> /dev/null
28 losetup -d "$EXT4_LOOP" 2> /dev/null
29 losetup -d "$VFAT_LOOP" 2> /dev/null
29 losetup -d "$VFAT_LOOP" 2> /dev/null
30 trap - 0 1 2 3 6
30 trap - 0 1 2 3 6
31 }
31 }
32
32
33 # Exec command in chroot
34 chroot_exec() {
35 LANG=C LC_ALL=C chroot $R $*
36 }
37
33 set -e
38 set -e
34 set -x
39 set -x
35
40
36 # Debian release
41 # Debian release
37 RELEASE=${RELEASE:=jessie}
42 RELEASE=${RELEASE:=jessie}
43 KERNEL=${KERNEL:=3.18.0-trunk-rpi2}
38
44
39 # Build settings
45 # Build settings
40 BASEDIR=./images/${RELEASE}
46 BASEDIR=./images/${RELEASE}
41 BUILDDIR=${BASEDIR}/build
47 BUILDDIR=${BASEDIR}/build
42
48
43 # General settings
49 # General settings
44 HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
50 HOSTNAME=${HOSTNAME:=rpi2-${RELEASE}}
45 PASSWORD=${PASSWORD:=raspberry}
51 PASSWORD=${PASSWORD:=raspberry}
46 DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
52 DEFLOCAL=${DEFLOCAL:="en_US.UTF-8"}
47 TIMEZONE=${TIMEZONE:="Europe/Berlin"}
53 TIMEZONE=${TIMEZONE:="Europe/Berlin"}
48 XKBMODEL=${XKBMODEL:=""}
54 XKBMODEL=${XKBMODEL:=""}
49 XKBLAYOUT=${XKBLAYOUT:=""}
55 XKBLAYOUT=${XKBLAYOUT:=""}
50 XKBVARIANT=${XKBVARIANT:=""}
56 XKBVARIANT=${XKBVARIANT:=""}
51 XKBOPTIONS=${XKBOPTIONS:=""}
57 XKBOPTIONS=${XKBOPTIONS:=""}
52
58
53 # Network settings
59 # Network settings
54 ENABLE_DHCP=${ENABLE_DHCP:=true}
60 ENABLE_DHCP=${ENABLE_DHCP:=true}
55 # NET_* settings are ignored when ENABLE_DHCP=true
61 # NET_* settings are ignored when ENABLE_DHCP=true
56 # NET_ADDRESS is an IPv4 or IPv6 address and its prefix, separated by "/"
62 # NET_ADDRESS is an IPv4 or IPv6 address and its prefix, separated by "/"
57 NET_ADDRESS=${NET_ADDRESS:=""}
63 NET_ADDRESS=${NET_ADDRESS:=""}
58 NET_GATEWAY=${NET_GATEWAY:=""}
64 NET_GATEWAY=${NET_GATEWAY:=""}
59 NET_DNS_1=${NET_DNS_1:=""}
65 NET_DNS_1=${NET_DNS_1:=""}
60 NET_DNS_2=${NET_DNS_2:=""}
66 NET_DNS_2=${NET_DNS_2:=""}
61 NET_DNS_DOMAINS=${NET_DNS_DOMAINS:=""}
67 NET_DNS_DOMAINS=${NET_DNS_DOMAINS:=""}
62 NET_NTP_1=${NET_NTP_1:=""}
68 NET_NTP_1=${NET_NTP_1:=""}
63 NET_NTP_2=${NET_NTP_2:=""}
69 NET_NTP_2=${NET_NTP_2:=""}
64
70
65 # APT settings
71 # APT settings
66 APT_PROXY=${APT_PROXY:=""}
72 APT_PROXY=${APT_PROXY:=""}
67 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
73 APT_SERVER=${APT_SERVER:="ftp.debian.org"}
68
74
69 # Feature settings
75 # Feature settings
70 ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
76 ENABLE_CONSOLE=${ENABLE_CONSOLE:=true}
71 ENABLE_IPV6=${ENABLE_IPV6:=true}
77 ENABLE_IPV6=${ENABLE_IPV6:=true}
72 ENABLE_SSHD=${ENABLE_SSHD:=true}
78 ENABLE_SSHD=${ENABLE_SSHD:=true}
73 ENABLE_SOUND=${ENABLE_SOUND:=true}
79 ENABLE_SOUND=${ENABLE_SOUND:=true}
74 ENABLE_DBUS=${ENABLE_DBUS:=true}
80 ENABLE_DBUS=${ENABLE_DBUS:=true}
75 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
81 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true}
76 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
82 ENABLE_MINGPU=${ENABLE_MINGPU:=false}
77 ENABLE_XORG=${ENABLE_XORG:=false}
83 ENABLE_XORG=${ENABLE_XORG:=false}
78 ENABLE_WM=${ENABLE_WM:=""}
84 ENABLE_WM=${ENABLE_WM:=""}
85 ENABLE_RSYSLOG=${ENABLE_RSYSLOG:=true}
86 ENABLE_USER=${ENABLE_USER:=true}
87 ENABLE_ROOT=${ENABLE_ROOT:=false}
88 ENABLE_ROOT_SSH=${ENABLE_ROOT_SSH:=false}
79
89
80 # Advanced settings
90 # Advanced settings
81 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
91 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
82 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
92 ENABLE_UBOOT=${ENABLE_UBOOT:=false}
83 ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
93 ENABLE_FBTURBO=${ENABLE_FBTURBO:=false}
84 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
94 ENABLE_HARDNET=${ENABLE_HARDNET:=false}
85 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
95 ENABLE_IPTABLES=${ENABLE_IPTABLES:=false}
86
96
87 # Image chroot path
97 # Image chroot path
88 R=${BUILDDIR}/chroot
98 R=${BUILDDIR}/chroot
89
99
90 # Packages required for bootstrapping
100 # Packages required for bootstrapping
91 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git-core"
101 REQUIRED_PACKAGES="debootstrap debian-archive-keyring qemu-user-static binfmt-support dosfstools rsync bmap-tools whois git-core"
92
102
93 # Missing packages that need to be installed
103 # Missing packages that need to be installed
94 MISSING_PACKAGES=""
104 MISSING_PACKAGES=""
95
105
96 # Packages required in the chroot build environment
106 # Packages required in the chroot build environment
97 APT_INCLUDES=${APT_INCLUDES:=""}
107 APT_INCLUDES=${APT_INCLUDES:=""}
98 APT_INCLUDES="${APT_INCLUDES},apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo"
108 APT_INCLUDES="${APT_INCLUDES},apt-transport-https,ca-certificates,debian-archive-keyring,dialog,sudo"
99
109
100 set +x
110 set +x
101
111
102 # Are we running as root?
112 # Are we running as root?
103 if [ "$(id -u)" -ne "0" ] ; then
113 if [ "$(id -u)" -ne "0" ] ; then
104 echo "this script must be executed with root privileges"
114 echo "this script must be executed with root privileges"
105 exit 1
115 exit 1
106 fi
116 fi
107
117
108 # Check if all required packages are installed
118 # Check if all required packages are installed
109 for package in $REQUIRED_PACKAGES ; do
119 for package in $REQUIRED_PACKAGES ; do
110 if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
120 if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
111 MISSING_PACKAGES="$MISSING_PACKAGES $package"
121 MISSING_PACKAGES="$MISSING_PACKAGES $package"
112 fi
122 fi
113 done
123 done
114
124
115 # Ask if missing packages should get installed right now
125 # Ask if missing packages should get installed right now
116 if [ -n "$MISSING_PACKAGES" ] ; then
126 if [ -n "$MISSING_PACKAGES" ] ; then
117 echo "the following packages needed by this script are not installed:"
127 echo "the following packages needed by this script are not installed:"
118 echo "$MISSING_PACKAGES"
128 echo "$MISSING_PACKAGES"
119
129
120 echo -n "\ndo you want to install the missing packages right now? [y/n] "
130 echo -n "\ndo you want to install the missing packages right now? [y/n] "
121 read confirm
131 read confirm
122 if [ "$confirm" != "y" ] ; then
132 if [ "$confirm" != "y" ] ; then
123 exit 1
133 exit 1
124 fi
134 fi
125 fi
135 fi
126
136
127 # Make sure all required packages are installed
137 # Make sure all required packages are installed
128 apt-get -qq -y install ${REQUIRED_PACKAGES}
138 apt-get -qq -y install ${REQUIRED_PACKAGES}
129
139
130 # Don't clobber an old build
140 # Don't clobber an old build
131 if [ -e "$BUILDDIR" ]; then
141 if [ -e "$BUILDDIR" ]; then
132 echo "directory $BUILDDIR already exists, not proceeding"
142 echo "directory $BUILDDIR already exists, not proceeding"
133 exit 1
143 exit 1
134 fi
144 fi
135
145
136 set -x
146 set -x
137
147
138 # Call "cleanup" function on various signals and errors
148 # Call "cleanup" function on various signals and errors
139 trap cleanup 0 1 2 3 6
149 trap cleanup 0 1 2 3 6
140
150
141 # Set up chroot directory
151 # Set up chroot directory
142 mkdir -p $R
152 mkdir -p $R
143
153
144 # Add required packages for the minbase installation
154 # Add required packages for the minbase installation
145 if [ "$ENABLE_MINBASE" = true ] ; then
155 if [ "$ENABLE_MINBASE" = true ] ; then
146 APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools"
156 APT_INCLUDES="${APT_INCLUDES},vim-tiny,netbase,net-tools"
147 else
157 else
148 APT_INCLUDES="${APT_INCLUDES},locales,keyboard-configuration,console-setup"
158 APT_INCLUDES="${APT_INCLUDES},locales,keyboard-configuration,console-setup"
149 fi
159 fi
150
160
151 # Add dbus package, recommended if using systemd
161 # Add dbus package, recommended if using systemd
152 if [ "$ENABLE_DBUS" = true ] ; then
162 if [ "$ENABLE_DBUS" = true ] ; then
153 APT_INCLUDES="${APT_INCLUDES},dbus"
163 APT_INCLUDES="${APT_INCLUDES},dbus"
154 fi
164 fi
155
165
156 # Add iptables IPv4/IPv6 package
166 # Add iptables IPv4/IPv6 package
157 if [ "$ENABLE_IPTABLES" = true ] ; then
167 if [ "$ENABLE_IPTABLES" = true ] ; then
158 APT_INCLUDES="${APT_INCLUDES},iptables"
168 APT_INCLUDES="${APT_INCLUDES},iptables"
159 fi
169 fi
160
170
161 # Add openssh server package
171 # Add openssh server package
162 if [ "$ENABLE_SSHD" = true ] ; then
172 if [ "$ENABLE_SSHD" = true ] ; then
163 APT_INCLUDES="${APT_INCLUDES},openssh-server"
173 APT_INCLUDES="${APT_INCLUDES},openssh-server"
164 fi
174 fi
165
175
166 # Add alsa-utils package
176 # Add alsa-utils package
167 if [ "$ENABLE_SOUND" = true ] ; then
177 if [ "$ENABLE_SOUND" = true ] ; then
168 APT_INCLUDES="${APT_INCLUDES},alsa-utils"
178 APT_INCLUDES="${APT_INCLUDES},alsa-utils"
169 fi
179 fi
170
180
171 # Add rng-tools package
181 # Add rng-tools package
172 if [ "$ENABLE_HWRANDOM" = true ] ; then
182 if [ "$ENABLE_HWRANDOM" = true ] ; then
173 APT_INCLUDES="${APT_INCLUDES},rng-tools"
183 APT_INCLUDES="${APT_INCLUDES},rng-tools"
174 fi
184 fi
175
185
186 if [ "$ENABLE_USER" = true ]; then
187 APT_INCLUDES="${APT_INCLUDES},sudo"
188 fi
189
176 # Add fbturbo video driver
190 # Add fbturbo video driver
177 if [ "$ENABLE_FBTURBO" = true ] ; then
191 if [ "$ENABLE_FBTURBO" = true ] ; then
178 # Enable xorg package dependencies
192 # Enable xorg package dependencies
179 ENABLE_XORG=true
193 ENABLE_XORG=true
180 fi
194 fi
181
195
182 # Add user defined window manager package
196 # Add user defined window manager package
183 if [ -n "$ENABLE_WM" ] ; then
197 if [ -n "$ENABLE_WM" ] ; then
184 APT_INCLUDES="${APT_INCLUDES},${ENABLE_WM}"
198 APT_INCLUDES="${APT_INCLUDES},${ENABLE_WM}"
185
199
186 # Enable xorg package dependencies
200 # Enable xorg package dependencies
187 ENABLE_XORG=true
201 ENABLE_XORG=true
188 fi
202 fi
189
203
190 # Add xorg package
204 # Add xorg package
191 if [ "$ENABLE_XORG" = true ] ; then
205 if [ "$ENABLE_XORG" = true ] ; then
192 APT_INCLUDES="${APT_INCLUDES},xorg"
206 APT_INCLUDES="${APT_INCLUDES},xorg"
193 fi
207 fi
194
208
195 # Base debootstrap (unpack only)
209 # Base debootstrap (unpack only)
196 if [ "$ENABLE_MINBASE" = true ] ; then
210 if [ "$ENABLE_MINBASE" = true ] ; then
197 http_proxy=${APT_PROXY} debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
211 http_proxy=${APT_PROXY} debootstrap --arch=armhf --variant=minbase --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
198 else
212 else
199 http_proxy=${APT_PROXY} debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
213 http_proxy=${APT_PROXY} debootstrap --arch=armhf --foreign --include=${APT_INCLUDES} $RELEASE $R http://${APT_SERVER}/debian
200 fi
214 fi
201
215
202 # Copy qemu emulator binary to chroot
216 # Copy qemu emulator binary to chroot
203 cp /usr/bin/qemu-arm-static $R/usr/bin
217 cp /usr/bin/qemu-arm-static $R/usr/bin
204
218
205 # Copy debian-archive-keyring.pgp
219 # Copy debian-archive-keyring.pgp
206 chroot $R mkdir -p /usr/share/keyrings
220 chroot $R mkdir -p /usr/share/keyrings
207 cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
221 cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
208
222
209 # Complete the bootstrapping process
223 # Complete the bootstrapping process
210 chroot $R /debootstrap/debootstrap --second-stage
224 chroot $R /debootstrap/debootstrap --second-stage
211
225
212 # Mount required filesystems
226 # Mount required filesystems
213 mount -t proc none $R/proc
227 mount -t proc none $R/proc
214 mount -t sysfs none $R/sys
228 mount -t sysfs none $R/sys
215 mount --bind /dev/pts $R/dev/pts
229 mount --bind /dev/pts $R/dev/pts
216
230
217 # Use proxy inside chroot
231 # Use proxy inside chroot
218 if [ -z "$APT_PROXY" ] ; then
232 if [ -z "$APT_PROXY" ] ; then
219 echo "Acquire::http::Proxy \"$APT_PROXY\";" >> $R/etc/apt/apt.conf.d/10proxy
233 echo "Acquire::http::Proxy \"$APT_PROXY\";" >> $R/etc/apt/apt.conf.d/10proxy
220 fi
234 fi
221
235
222 # Pin package flash-kernel to repositories.collabora.co.uk
236 # Pin package flash-kernel to repositories.collabora.co.uk
223 cat <<EOM >$R/etc/apt/preferences.d/flash-kernel
237 cat <<EOM >$R/etc/apt/preferences.d/flash-kernel
224 Package: flash-kernel
238 Package: flash-kernel
225 Pin: origin repositories.collabora.co.uk
239 Pin: origin repositories.collabora.co.uk
226 Pin-Priority: 1000
240 Pin-Priority: 1000
227 EOM
241 EOM
228
242
229 # Set up timezone
243 # Set up timezone
230 echo ${TIMEZONE} >$R/etc/timezone
244 echo ${TIMEZONE} >$R/etc/timezone
231 LANG=C chroot $R dpkg-reconfigure -f noninteractive tzdata
245 chroot_exec dpkg-reconfigure -f noninteractive tzdata
232
246
233 # Upgrade collabora package index and install collabora keyring
247 # Upgrade collabora package index and install collabora keyring
234 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
248 echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
235 LANG=C chroot $R apt-get -qq -y update
249 chroot_exec apt-get -qq -y update
236 LANG=C chroot $R apt-get -qq -y --force-yes install collabora-obs-archive-keyring
250 chroot_exec apt-get -qq -y --force-yes install collabora-obs-archive-keyring
237
251
238 # Set up initial sources.list
252 # Set up initial sources.list
239 cat <<EOM >$R/etc/apt/sources.list
253 cat <<EOM >$R/etc/apt/sources.list
240 deb http://${APT_SERVER}/debian ${RELEASE} main contrib
254 deb http://${APT_SERVER}/debian ${RELEASE} main contrib
241 #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib
255 #deb-src http://${APT_SERVER}/debian ${RELEASE} main contrib
242
256
243 deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
257 deb http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
244 #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
258 #deb-src http://${APT_SERVER}/debian/ ${RELEASE}-updates main contrib
245
259
246 deb http://security.debian.org/ ${RELEASE}/updates main contrib
260 deb http://security.debian.org/ ${RELEASE}/updates main contrib
247 #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib
261 #deb-src http://security.debian.org/ ${RELEASE}/updates main contrib
248
262
249 deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
263 deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2
250 EOM
264 EOM
251
265
252 # Upgrade package index and update all installed packages and changed dependencies
266 # Upgrade package index and update all installed packages and changed dependencies
253 LANG=C chroot $R apt-get -qq -y update
267 chroot_exec apt-get -qq -y update
254 LANG=C chroot $R apt-get -qq -y -u dist-upgrade
268 chroot_exec apt-get -qq -y -u dist-upgrade
255
269
256 # Set up default locale and keyboard configuration
270 # Set up default locale and keyboard configuration
257 if [ "$ENABLE_MINBASE" = false ] ; then
271 if [ "$ENABLE_MINBASE" = false ] ; then
258 # Set locale choice in debconf db, even though dpkg-reconfigure ignores and overwrites them due to some bug
272 # Set locale choice in debconf db, even though dpkg-reconfigure ignores and overwrites them due to some bug
259 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684134 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685957
273 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684134 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685957
260 # ... so we have to set locales manually
274 # ... so we have to set locales manually
261 if [ "$DEFLOCAL" = "en_US.UTF-8" ] ; then
275 if [ "$DEFLOCAL" = "en_US.UTF-8" ] ; then
262 LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections
276 chroot_exec echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections
263 else
277 else
264 # en_US.UTF-8 should be available anyway : https://www.debian.org/doc/manuals/debian-reference/ch08.en.html#_the_reconfiguration_of_the_locale
278 # en_US.UTF-8 should be available anyway : https://www.debian.org/doc/manuals/debian-reference/ch08.en.html#_the_reconfiguration_of_the_locale
265 LANG=C chroot $R echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections
279 chroot_exec echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections
266 LANG=C chroot $R sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen
280 chroot_exec sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen
267 fi
281 fi
268 LANG=C chroot $R sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen
282 chroot_exec sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen
269 LANG=C chroot $R echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections
283 chroot_exec echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections
270 LANG=C chroot $R locale-gen
284 chroot_exec locale-gen
271 LANG=C chroot $R update-locale LANG=${DEFLOCAL}
285 chroot_exec update-locale LANG=${DEFLOCAL}
272
286
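Review bot: the debconf selections at new lines 276, 279 and 283 never reach the target image: in `chroot_exec echo "locales ..." | debconf-set-selections` only the echo runs inside the chroot, while the right-hand side of the pipe is `debconf-set-selections` on the build host, so the host's debconf database is modified instead of the image's. The pre-change `LANG=C chroot $R echo ... | debconf-set-selections` had the same shape, but since these lines are being rewritten anyway, turn the pipe around: `echo "locales locales/default_environment_locale select ${DEFLOCAL}" | chroot_exec debconf-set-selections` (and likewise for the two `locales_to_be_generated` lines). The comment at 272 to 274 notes that dpkg-reconfigure overwrites these values anyway, which is why the bug has been masked by the manual `/etc/locale.gen` edits and `locale-gen` call that follow.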
273 # Keyboard configuration, if requested
287 # Keyboard configuration, if requested
274 if [ "$XKBMODEL" != "" ] ; then
288 if [ "$XKBMODEL" != "" ] ; then
275 LANG=C chroot $R sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKBMODEL}\"/" /etc/default/keyboard
289 chroot_exec sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKBMODEL}\"/" /etc/default/keyboard
276 fi
290 fi
277 if [ "$XKBLAYOUT" != "" ] ; then
291 if [ "$XKBLAYOUT" != "" ] ; then
278 LANG=C chroot $R sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKBLAYOUT}\"/" /etc/default/keyboard
292 chroot_exec sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKBLAYOUT}\"/" /etc/default/keyboard
279 fi
293 fi
280 if [ "$XKBVARIANT" != "" ] ; then
294 if [ "$XKBVARIANT" != "" ] ; then
281 LANG=C chroot $R sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKBVARIANT}\"/" /etc/default/keyboard
295 chroot_exec sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKBVARIANT}\"/" /etc/default/keyboard
282 fi
296 fi
283 if [ "$XKBOPTIONS" != "" ] ; then
297 if [ "$XKBOPTIONS" != "" ] ; then
284 LANG=C chroot $R sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKBOPTIONS}\"/" /etc/default/keyboard
298 chroot_exec sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKBOPTIONS}\"/" /etc/default/keyboard
285 fi
299 fi
286 LANG=C chroot $R dpkg-reconfigure -f noninteractive keyboard-configuration
300 chroot_exec dpkg-reconfigure -f noninteractive keyboard-configuration
287 # Set up font console
301 # Set up font console
288 case "${DEFLOCAL}" in
302 case "${DEFLOCAL}" in
289 *UTF-8)
303 *UTF-8)
290 LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' /etc/default/console-setup
304 chroot_exec sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' /etc/default/console-setup
291 ;;
305 ;;
292 *)
306 *)
293 LANG=C chroot $R sed -i 's/^CHARMAP.*/CHARMAP="guess"/' /etc/default/console-setup
307 chroot_exec sed -i 's/^CHARMAP.*/CHARMAP="guess"/' /etc/default/console-setup
294 ;;
308 ;;
295 esac
309 esac
296 LANG=C chroot $R dpkg-reconfigure -f noninteractive console-setup
310 chroot_exec dpkg-reconfigure -f noninteractive console-setup
297 fi
311 fi
298
312
299 # Kernel installation
313 # Kernel installation
300 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
314 # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot
301 LANG=C chroot $R apt-get -qq -y --no-install-recommends install linux-image-3.18.0-trunk-rpi2
315 chroot_exec apt-get -qq -y --no-install-recommends install linux-image-${KERNEL} raspberrypi-bootloader-nokernel
302 LANG=C chroot $R apt-get -qq -y install flash-kernel
316 chroot_exec apt-get -qq -y install flash-kernel
303
317
304 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
318 VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)"
305 [ -z "$VMLINUZ" ] && exit 1
319 [ -z "$VMLINUZ" ] && exit 1
306 mkdir -p $R/boot/firmware
307
308 # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10")
309 wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin
310 wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat
311 wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat
312 wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat
313 wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf
314 wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf
315 wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf
316 cp $VMLINUZ $R/boot/firmware/kernel7.img
320 cp $VMLINUZ $R/boot/firmware/kernel7.img
317
321
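Review bot: `mkdir -p $R/boot/firmware` (old line 306) is dropped together with the wget lines, but new line 320 still copies the kernel to `$R/boot/firmware/kernel7.img`, and the cmdline.txt and config.txt writes later in the script use the same directory, so the build now depends on `raspberrypi-bootloader-nokernel` creating /boot/firmware in its postinst; keep the `mkdir -p` as a cheap guard, or at least fail loudly if the directory is missing before the cp. Replacing the boot blobs fetched with plain wget from a pinned GitHub commit with the apt package is otherwise a good change: the firmware is now covered by the archive signature checked by apt instead of being pulled unverified over HTTPS.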
318 # Set up IPv4 hosts
322 # Set up IPv4 hosts
319 echo ${HOSTNAME} >$R/etc/hostname
323 echo ${HOSTNAME} >$R/etc/hostname
320 cat <<EOM >$R/etc/hosts
324 cat <<EOM >$R/etc/hosts
321 127.0.0.1 localhost
325 127.0.0.1 localhost
322 127.0.1.1 ${HOSTNAME}
326 127.0.1.1 ${HOSTNAME}
323 EOM
327 EOM
324 if [ "$NET_ADDRESS" != "" ] ; then
328 if [ "$NET_ADDRESS" != "" ] ; then
325 NET_IP=$(echo ${NET_ADDRESS} | cut -f 1 -d'/')
329 NET_IP=$(echo ${NET_ADDRESS} | cut -f 1 -d'/')
326 sed -i "s/^127.0.1.1/${NET_IP}/" $R/etc/hosts
330 sed -i "s/^127.0.1.1/${NET_IP}/" $R/etc/hosts
327 fi
331 fi
328
332
329 # Set up IPv6 hosts
333 # Set up IPv6 hosts
330 if [ "$ENABLE_IPV6" = true ] ; then
334 if [ "$ENABLE_IPV6" = true ] ; then
331 cat <<EOM >>$R/etc/hosts
335 cat <<EOM >>$R/etc/hosts
332
336
333 ::1 localhost ip6-localhost ip6-loopback
337 ::1 localhost ip6-localhost ip6-loopback
334 ff02::1 ip6-allnodes
338 ff02::1 ip6-allnodes
335 ff02::2 ip6-allrouters
339 ff02::2 ip6-allrouters
336 EOM
340 EOM
337 fi
341 fi
338
342
339 # Place hint about network configuration
343 # Place hint about network configuration
340 cat <<EOM >$R/etc/network/interfaces
344 cat <<EOM >$R/etc/network/interfaces
341 # Debian switched to systemd-networkd configuration files.
345 # Debian switched to systemd-networkd configuration files.
342 # please configure your networks in '/etc/systemd/network/'
346 # please configure your networks in '/etc/systemd/network/'
343 EOM
347 EOM
344
348
345 if [ "$ENABLE_DHCP" = true ] ; then
349 if [ "$ENABLE_DHCP" = true ] ; then
346 # Enable systemd-networkd DHCP configuration for interface eth0
350 # Enable systemd-networkd DHCP configuration for interface eth0
347 cat <<EOM >$R/etc/systemd/network/eth.network
351 cat <<EOM >$R/etc/systemd/network/eth.network
348 [Match]
352 [Match]
349 Name=eth0
353 Name=eth0
350
354
351 [Network]
355 [Network]
352 DHCP=yes
356 DHCP=yes
353 EOM
357 EOM
354
358
355 # Set DHCP configuration to IPv4 only
359 # Set DHCP configuration to IPv4 only
356 if [ "$ENABLE_IPV6" = false ] ; then
360 if [ "$ENABLE_IPV6" = false ] ; then
357 sed -i "s/^DHCP=yes/DHCP=v4/" $R/etc/systemd/network/eth.network
361 sed -i "s/^DHCP=yes/DHCP=v4/" $R/etc/systemd/network/eth.network
358 fi
362 fi
359 else # ENABLE_DHCP=false
363 else # ENABLE_DHCP=false
360 cat <<EOM >$R/etc/systemd/network/eth.network
364 cat <<EOM >$R/etc/systemd/network/eth.network
361 [Match]
365 [Match]
362 Name=eth0
366 Name=eth0
363
367
364 [Network]
368 [Network]
365 DHCP=no
369 DHCP=no
366 Address=${NET_ADDRESS}
370 Address=${NET_ADDRESS}
367 Gateway=${NET_GATEWAY}
371 Gateway=${NET_GATEWAY}
368 DNS=${NET_DNS_1}
372 DNS=${NET_DNS_1}
369 DNS=${NET_DNS_2}
373 DNS=${NET_DNS_2}
370 Domains=${NET_DNS_DOMAINS}
374 Domains=${NET_DNS_DOMAINS}
371 NTP=${NET_NTP_1}
375 NTP=${NET_NTP_1}
372 NTP=${NET_NTP_2}
376 NTP=${NET_NTP_2}
373 EOM
377 EOM
374 fi
378 fi
375
379
376 # Enable systemd-networkd service
380 # Enable systemd-networkd service
377 LANG=C chroot $R systemctl enable systemd-networkd
381 chroot_exec systemctl enable systemd-networkd
378
382
379 # Generate crypt(3) password string
383 # Generate crypt(3) password string
380 ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
384 ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
381
385
382 # Set up default user
386 # Set up default user
383 LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi
387 if [ "$ENABLE_USER" = true ] ; then
384 LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
388 chroot_exec adduser --gecos \"Raspberry PI user\" --add_extra_groups --disabled-password pi
389 chroot_exec usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi
390 fi
385
391
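Review bot: the backslash-escaped quotes in `chroot_exec adduser --gecos \"Raspberry PI user\" --add_extra_groups --disabled-password pi` (new line 388) only make sense if chroot_exec evals its arguments as a single string; if it forwards them with `"$@"` (the natural replacement for the old `LANG=C chroot $R` prefix) word splitting happens before the quotes are seen, so adduser receives `"Raspberry`, `PI` and `user"` as three separate arguments and the `pi` user is not created at all. Line 389 passes `"${ENCRYPTED_PASSWORD}"` with ordinary double quotes, so the two lines cannot both be right; please make them consistent with what chroot_exec actually does (plain double quotes if it uses `"$@"`).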
386 # Set up root password
392 # Set up root password or not
387 LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root
393 if [ "$ENABLE_ROOT" = true ]; then
394 chroot_exec usermod -p "${ENCRYPTED_PASSWORD}" root
395
396 if [ "$ENABLE_ROOT_SSH" = true ]; then
397 sed -i 's|[#]*PermitRootLogin.*|PermitRootLogin yes|g' $R/etc/ssh/sshd_config
398 fi
399 else
400 chroot_exec usermod -p \'!\' root
401 fi
388
402
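Review bot: `chroot_exec usermod -p \'!\' root` (new line 400) has the same quoting problem as the adduser line: with `"$@"` forwarding the two literal single quotes end up in the /etc/shadow password field as `'!'`. The account is still unusable, since that is not a valid crypt(3) hash, but the intent is clearer and independent of the helper's quoting if it is written as `chroot_exec usermod -p '!' root` or simply `chroot_exec passwd -l root`. Two smaller points on the same block: the PermitRootLogin sed at line 397 edits `$R/etc/ssh/sshd_config` regardless of ENABLE_SSHD, so it should be nested under the ENABLE_SSHD check or test that the file exists first; and with ENABLE_USER=false and ENABLE_ROOT=false the image ends up with no account that can log in at all, which deserves a guard or at least a warning in the README.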
389 # Set up firmware boot cmdline
403 # Set up firmware boot cmdline
390 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
404 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1"
391
405
392 # Set up serial console support (if requested)
406 # Set up serial console support (if requested)
393 if [ "$ENABLE_CONSOLE" = true ] ; then
407 if [ "$ENABLE_CONSOLE" = true ] ; then
394 CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
408 CMDLINE="${CMDLINE} console=ttyAMA0,115200 kgdboc=ttyAMA0,115200"
395 fi
409 fi
396
410
397 # Set up IPv6 networking support
411 # Set up IPv6 networking support
398 if [ "$ENABLE_IPV6" = false ] ; then
412 if [ "$ENABLE_IPV6" = false ] ; then
399 CMDLINE="${CMDLINE} ipv6.disable=1"
413 CMDLINE="${CMDLINE} ipv6.disable=1"
400 fi
414 fi
401
415
402 echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
416 echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt
403
417
404 # Set up firmware config
418 # Set up firmware config
405 cat <<EOM >$R/boot/firmware/config.txt
419 cat <<EOM >$R/boot/firmware/config.txt
406 # For more options and information see
420 # For more options and information see
407 # http://www.raspberrypi.org/documentation/configuration/config-txt.md
421 # http://www.raspberrypi.org/documentation/configuration/config-txt.md
408 # Some settings may impact device functionality. See link above for details
422 # Some settings may impact device functionality. See link above for details
409
423
410 # uncomment if you get no picture on HDMI for a default "safe" mode
424 # uncomment if you get no picture on HDMI for a default "safe" mode
411 #hdmi_safe=1
425 #hdmi_safe=1
412
426
413 # uncomment this if your display has a black border of unused pixels visible
427 # uncomment this if your display has a black border of unused pixels visible
414 # and your display can output without overscan
428 # and your display can output without overscan
415 #disable_overscan=1
429 #disable_overscan=1
416
430
417 # uncomment the following to adjust overscan. Use positive numbers if console
431 # uncomment the following to adjust overscan. Use positive numbers if console
418 # goes off screen, and negative if there is too much border
432 # goes off screen, and negative if there is too much border
419 #overscan_left=16
433 #overscan_left=16
420 #overscan_right=16
434 #overscan_right=16
421 #overscan_top=16
435 #overscan_top=16
422 #overscan_bottom=16
436 #overscan_bottom=16
423
437
424 # uncomment to force a console size. By default it will be display's size minus
438 # uncomment to force a console size. By default it will be display's size minus
425 # overscan.
439 # overscan.
426 #framebuffer_width=1280
440 #framebuffer_width=1280
427 #framebuffer_height=720
441 #framebuffer_height=720
428
442
429 # uncomment if hdmi display is not detected and composite is being output
443 # uncomment if hdmi display is not detected and composite is being output
430 #hdmi_force_hotplug=1
444 #hdmi_force_hotplug=1
431
445
432 # uncomment to force a specific HDMI mode (this will force VGA)
446 # uncomment to force a specific HDMI mode (this will force VGA)
433 #hdmi_group=1
447 #hdmi_group=1
434 #hdmi_mode=1
448 #hdmi_mode=1
435
449
436 # uncomment to force a HDMI mode rather than DVI. This can make audio work in
450 # uncomment to force a HDMI mode rather than DVI. This can make audio work in
437 # DMT (computer monitor) modes
451 # DMT (computer monitor) modes
438 #hdmi_drive=2
452 #hdmi_drive=2
439
453
440 # uncomment to increase signal to HDMI, if you have interference, blanking, or
454 # uncomment to increase signal to HDMI, if you have interference, blanking, or
441 # no display
455 # no display
442 #config_hdmi_boost=4
456 #config_hdmi_boost=4
443
457
444 # uncomment for composite PAL
458 # uncomment for composite PAL
445 #sdtv_mode=2
459 #sdtv_mode=2
446
460
447 # uncomment to overclock the arm. 700 MHz is the default.
461 # uncomment to overclock the arm. 700 MHz is the default.
448 #arm_freq=800
462 #arm_freq=800
449 EOM
463 EOM
450
464
451 # Load snd_bcm2835 kernel module at boot time
465 # Load snd_bcm2835 kernel module at boot time
452 if [ "$ENABLE_SOUND" = true ] ; then
466 if [ "$ENABLE_SOUND" = true ] ; then
453 echo "snd_bcm2835" >>$R/etc/modules
467 echo "snd_bcm2835" >>$R/etc/modules
454 fi
468 fi
455
469
456 # Set smallest possible GPU memory allocation size: 16MB (no X)
470 # Set smallest possible GPU memory allocation size: 16MB (no X)
457 if [ "$ENABLE_MINGPU" = true ] ; then
471 if [ "$ENABLE_MINGPU" = true ] ; then
458 echo "gpu_mem=16" >>$R/boot/firmware/config.txt
472 echo "gpu_mem=16" >>$R/boot/firmware/config.txt
459 fi
473 fi
460
474
461 # Create symlinks
475 # Create symlinks
462 ln -sf firmware/config.txt $R/boot/config.txt
476 ln -sf firmware/config.txt $R/boot/config.txt
463 ln -sf firmware/cmdline.txt $R/boot/cmdline.txt
477 ln -sf firmware/cmdline.txt $R/boot/cmdline.txt
464
478
465 # Prepare modules-load.d directory
479 # Prepare modules-load.d directory
466 mkdir -p $R/lib/modules-load.d/
480 mkdir -p $R/lib/modules-load.d/
467
481
468 # Load random module on boot
482 # Load random module on boot
469 if [ "$ENABLE_HWRANDOM" = true ] ; then
483 if [ "$ENABLE_HWRANDOM" = true ] ; then
470 cat <<EOM >$R/lib/modules-load.d/rpi2.conf
484 cat <<EOM >$R/lib/modules-load.d/rpi2.conf
471 bcm2708_rng
485 bcm2708_rng
472 EOM
486 EOM
473 fi
487 fi
474
488
475 # Prepare modprobe.d directory
489 # Prepare modprobe.d directory
476 mkdir -p $R/etc/modprobe.d/
490 mkdir -p $R/etc/modprobe.d/
477
491
478 # Blacklist sound modules
492 # Blacklist sound modules
479 cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf
493 cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf
480 blacklist snd_soc_core
494 blacklist snd_soc_core
481 blacklist snd_pcm
495 blacklist snd_pcm
482 blacklist snd_pcm_dmaengine
496 blacklist snd_pcm_dmaengine
483 blacklist snd_timer
497 blacklist snd_timer
484 blacklist snd_compress
498 blacklist snd_compress
485 blacklist snd_soc_pcm512x_i2c
499 blacklist snd_soc_pcm512x_i2c
486 blacklist snd_soc_pcm512x
500 blacklist snd_soc_pcm512x
487 blacklist snd_soc_tas5713
501 blacklist snd_soc_tas5713
488 blacklist snd_soc_wm8804
502 blacklist snd_soc_wm8804
489 EOM
503 EOM
490
504
491 # Create default fstab
505 # Create default fstab
492 cat <<EOM >$R/etc/fstab
506 cat <<EOM >$R/etc/fstab
493 /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
507 /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1
494 /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
508 /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2
495 EOM
509 EOM
496
510
497 # Avoid swapping and increase cache sizes
511 # Avoid swapping and increase cache sizes
498 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
512 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
499
513
500 # Avoid swapping and increase cache sizes
514 # Avoid swapping and increase cache sizes
501 vm.swappiness=1
515 vm.swappiness=1
502 vm.dirty_background_ratio=20
516 vm.dirty_background_ratio=20
503 vm.dirty_ratio=40
517 vm.dirty_ratio=40
504 vm.dirty_writeback_centisecs=500
518 vm.dirty_writeback_centisecs=500
505 vm.dirty_expire_centisecs=6000
519 vm.dirty_expire_centisecs=6000
506 EOM
520 EOM
507
521
508 # Enable network stack hardening
522 # Enable network stack hardening
509 if [ "$ENABLE_HARDNET" = true ] ; then
523 if [ "$ENABLE_HARDNET" = true ] ; then
510 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
524 cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf
511
525
512 # Enable network stack hardening
526 # Enable network stack hardening
513 net.ipv4.tcp_timestamps=0
527 net.ipv4.tcp_timestamps=0
514 net.ipv4.tcp_syncookies=1
528 net.ipv4.tcp_syncookies=1
515 net.ipv4.conf.all.rp_filter=1
529 net.ipv4.conf.all.rp_filter=1
516 net.ipv4.conf.all.accept_redirects=0
530 net.ipv4.conf.all.accept_redirects=0
517 net.ipv4.conf.all.send_redirects=0
531 net.ipv4.conf.all.send_redirects=0
518 net.ipv4.conf.all.accept_source_route=0
532 net.ipv4.conf.all.accept_source_route=0
519 net.ipv4.conf.default.rp_filter=1
533 net.ipv4.conf.default.rp_filter=1
520 net.ipv4.conf.default.accept_redirects=0
534 net.ipv4.conf.default.accept_redirects=0
521 net.ipv4.conf.default.send_redirects=0
535 net.ipv4.conf.default.send_redirects=0
522 net.ipv4.conf.default.accept_source_route=0
536 net.ipv4.conf.default.accept_source_route=0
523 net.ipv4.conf.lo.accept_redirects=0
537 net.ipv4.conf.lo.accept_redirects=0
524 net.ipv4.conf.lo.send_redirects=0
538 net.ipv4.conf.lo.send_redirects=0
525 net.ipv4.conf.lo.accept_source_route=0
539 net.ipv4.conf.lo.accept_source_route=0
526 net.ipv4.conf.eth0.accept_redirects=0
540 net.ipv4.conf.eth0.accept_redirects=0
527 net.ipv4.conf.eth0.send_redirects=0
541 net.ipv4.conf.eth0.send_redirects=0
528 net.ipv4.conf.eth0.accept_source_route=0
542 net.ipv4.conf.eth0.accept_source_route=0
529 net.ipv4.icmp_echo_ignore_broadcasts=1
543 net.ipv4.icmp_echo_ignore_broadcasts=1
530 net.ipv4.icmp_ignore_bogus_error_responses=1
544 net.ipv4.icmp_ignore_bogus_error_responses=1
531
545
532 net.ipv6.conf.all.accept_redirects=0
546 net.ipv6.conf.all.accept_redirects=0
533 net.ipv6.conf.all.accept_source_route=0
547 net.ipv6.conf.all.accept_source_route=0
534 net.ipv6.conf.all.router_solicitations=0
548 net.ipv6.conf.all.router_solicitations=0
535 net.ipv6.conf.all.accept_ra_rtr_pref=0
549 net.ipv6.conf.all.accept_ra_rtr_pref=0
536 net.ipv6.conf.all.accept_ra_pinfo=0
550 net.ipv6.conf.all.accept_ra_pinfo=0
537 net.ipv6.conf.all.accept_ra_defrtr=0
551 net.ipv6.conf.all.accept_ra_defrtr=0
538 net.ipv6.conf.all.autoconf=0
552 net.ipv6.conf.all.autoconf=0
539 net.ipv6.conf.all.dad_transmits=0
553 net.ipv6.conf.all.dad_transmits=0
540 net.ipv6.conf.all.max_addresses=1
554 net.ipv6.conf.all.max_addresses=1
541
555
542 net.ipv6.conf.default.accept_redirects=0
556 net.ipv6.conf.default.accept_redirects=0
543 net.ipv6.conf.default.accept_source_route=0
557 net.ipv6.conf.default.accept_source_route=0
544 net.ipv6.conf.default.router_solicitations=0
558 net.ipv6.conf.default.router_solicitations=0
545 net.ipv6.conf.default.accept_ra_rtr_pref=0
559 net.ipv6.conf.default.accept_ra_rtr_pref=0
546 net.ipv6.conf.default.accept_ra_pinfo=0
560 net.ipv6.conf.default.accept_ra_pinfo=0
547 net.ipv6.conf.default.accept_ra_defrtr=0
561 net.ipv6.conf.default.accept_ra_defrtr=0
548 net.ipv6.conf.default.autoconf=0
562 net.ipv6.conf.default.autoconf=0
549 net.ipv6.conf.default.dad_transmits=0
563 net.ipv6.conf.default.dad_transmits=0
550 net.ipv6.conf.default.max_addresses=1
564 net.ipv6.conf.default.max_addresses=1
551
565
552 net.ipv6.conf.lo.accept_redirects=0
566 net.ipv6.conf.lo.accept_redirects=0
553 net.ipv6.conf.lo.accept_source_route=0
567 net.ipv6.conf.lo.accept_source_route=0
554 net.ipv6.conf.lo.router_solicitations=0
568 net.ipv6.conf.lo.router_solicitations=0
555 net.ipv6.conf.lo.accept_ra_rtr_pref=0
569 net.ipv6.conf.lo.accept_ra_rtr_pref=0
556 net.ipv6.conf.lo.accept_ra_pinfo=0
570 net.ipv6.conf.lo.accept_ra_pinfo=0
557 net.ipv6.conf.lo.accept_ra_defrtr=0
571 net.ipv6.conf.lo.accept_ra_defrtr=0
558 net.ipv6.conf.lo.autoconf=0
572 net.ipv6.conf.lo.autoconf=0
559 net.ipv6.conf.lo.dad_transmits=0
573 net.ipv6.conf.lo.dad_transmits=0
560 net.ipv6.conf.lo.max_addresses=1
574 net.ipv6.conf.lo.max_addresses=1
561
575
562 net.ipv6.conf.eth0.accept_redirects=0
576 net.ipv6.conf.eth0.accept_redirects=0
563 net.ipv6.conf.eth0.accept_source_route=0
577 net.ipv6.conf.eth0.accept_source_route=0
564 net.ipv6.conf.eth0.router_solicitations=0
578 net.ipv6.conf.eth0.router_solicitations=0
565 net.ipv6.conf.eth0.accept_ra_rtr_pref=0
579 net.ipv6.conf.eth0.accept_ra_rtr_pref=0
566 net.ipv6.conf.eth0.accept_ra_pinfo=0
580 net.ipv6.conf.eth0.accept_ra_pinfo=0
567 net.ipv6.conf.eth0.accept_ra_defrtr=0
581 net.ipv6.conf.eth0.accept_ra_defrtr=0
568 net.ipv6.conf.eth0.autoconf=0
582 net.ipv6.conf.eth0.autoconf=0
569 net.ipv6.conf.eth0.dad_transmits=0
583 net.ipv6.conf.eth0.dad_transmits=0
570 net.ipv6.conf.eth0.max_addresses=1
584 net.ipv6.conf.eth0.max_addresses=1
571 EOM
585 EOM
572
586
573 # Enable resolver warnings about spoofed addresses
587 # Enable resolver warnings about spoofed addresses
574 cat <<EOM >>$R/etc/host.conf
588 cat <<EOM >>$R/etc/host.conf
575 spoof warn
589 spoof warn
576 EOM
590 EOM
577 fi
591 fi
578
592
579 # Regenerate openssh server host keys
593 # Ensure openssh server host keys are regenerated on first boot
580 if [ "$ENABLE_SSHD" = true ] ; then
594 if [ "$ENABLE_SSHD" = true ] ; then
581 rm -fr $R/etc/ssh/ssh_host_*
595 cat <<EOM >>$R/etc/rc.firstboot
582 LANG=C chroot $R dpkg-reconfigure openssh-server
596 #!/bin/sh
597 rm -f /etc/ssh/ssh_host_*
598 ssh-keygen -q -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key
599 ssh-keygen -q -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key
600 ssh-keygen -q -t ecdsa -N "" -f /etc/ssh/ssh_host_ecdsa_key
601 ssh-keygen -q -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key
602 sync
603
604 systemctl restart sshd
605 sed -i 's/.*rc.firstboot.*/exit 0/g' /etc/rc.local
606 rm -f /etc/rc.firstboot
607 EOM
608 chmod +x $R/etc/rc.firstboot
609 sed -i 's,exit 0,/etc/rc.firstboot,g' $R/etc/rc.local
610 rm -f $R/etc/ssh/ssh_host_*
611 fi
612
613 # Disable rsyslog
614 if [ "$ENABLE_RSYSLOG" = false ]; then
615 sed -i 's|[#]*ForwardToSyslog=yes|ForwardToSyslog=no|g' $R/etc/systemd/journald.conf
616 chroot_exec systemctl disable rsyslog
617 chroot_exec apt-get purge -q -y --force-yes rsyslog
583 fi
618 fi
584
619
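Review bot: after `apt-get purge -q -y --force-yes rsyslog` (new line 617) nothing persists the logs: journald on jessie defaults to `Storage=auto`, which keeps the journal under /run/log/journal and discards it on reboot unless /var/log/journal exists, so an image built with ENABLE_RSYSLOG=false loses every log line at each power cycle. Either `mkdir -p $R/var/log/journal` or set `Storage=persistent` in journald.conf next to the ForwardToSyslog edit at line 615. `--force-yes` is also unnecessary here (`-y` is enough for a removal), and in general it lets apt proceed with unauthenticated packages, so it is better not to spread it further through the script. On the rc.firstboot block (596 to 606): generating the host keys on first boot is the right fix, since every board flashed from one image previously shared the keys that `dpkg-reconfigure openssh-server` produced at build time; consider dropping the `ssh_host_dsa_key` line, as newer OpenSSH releases disable DSA host keys by default and the rsa/ecdsa/ed25519 set is sufficient, and note that the hook at line 609 relies on /etc/rc.local ending with the literal `exit 0`, so a later edit to rc.local silently disables the regeneration.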
585 # Enable serial console systemd style
620 # Enable serial console systemd style
586 if [ "$ENABLE_CONSOLE" = true ] ; then
621 if [ "$ENABLE_CONSOLE" = true ] ; then
587 LANG=C chroot $R systemctl enable serial-getty\@ttyAMA0.service
622 chroot_exec systemctl enable serial-getty\@ttyAMA0.service
588 fi
623 fi
589
624
590 # Enable firewall based on iptables started by systemd service
625 # Enable firewall based on iptables started by systemd service
591 if [ "$ENABLE_IPTABLES" = true ] ; then
626 if [ "$ENABLE_IPTABLES" = true ] ; then
592 # Create iptables configuration directory
627 # Create iptables configuration directory
593 mkdir -p "$R/etc/iptables"
628 mkdir -p "$R/etc/iptables"
594
629
595 # Create iptables systemd service
630 # Create iptables systemd service
596 cat <<EOM >$R/etc/systemd/system/iptables.service
631 cat <<EOM >$R/etc/systemd/system/iptables.service
597 [Unit]
632 [Unit]
598 Description=Packet Filtering Framework
633 Description=Packet Filtering Framework
599 DefaultDependencies=no
634 DefaultDependencies=no
600 After=systemd-sysctl.service
635 After=systemd-sysctl.service
601 Before=sysinit.target
636 Before=sysinit.target
602 [Service]
637 [Service]
603 Type=oneshot
638 Type=oneshot
604 ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
639 ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
605 ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
640 ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
606 ExecStop=/etc/iptables/flush-iptables.sh
641 ExecStop=/etc/iptables/flush-iptables.sh
607 RemainAfterExit=yes
642 RemainAfterExit=yes
608 [Install]
643 [Install]
609 WantedBy=multi-user.target
644 WantedBy=multi-user.target
610 EOM
645 EOM
611
646
612 # Create flush-table script called by iptables service
647 # Create flush-table script called by iptables service
613 cat <<EOM >$R/etc/iptables/flush-iptables.sh
648 cat <<EOM >$R/etc/iptables/flush-iptables.sh
614 #!/bin/sh
649 #!/bin/sh
615 iptables -F
650 iptables -F
616 iptables -X
651 iptables -X
617 iptables -t nat -F
652 iptables -t nat -F
618 iptables -t nat -X
653 iptables -t nat -X
619 iptables -t mangle -F
654 iptables -t mangle -F
620 iptables -t mangle -X
655 iptables -t mangle -X
621 iptables -P INPUT ACCEPT
656 iptables -P INPUT ACCEPT
622 iptables -P FORWARD ACCEPT
657 iptables -P FORWARD ACCEPT
623 iptables -P OUTPUT ACCEPT
658 iptables -P OUTPUT ACCEPT
624 EOM
659 EOM
625
660
626 # Create iptables rule file
661 # Create iptables rule file
627 cat <<EOM >$R/etc/iptables/iptables.rules
662 cat <<EOM >$R/etc/iptables/iptables.rules
628 *filter
663 *filter
629 :INPUT DROP [0:0]
664 :INPUT DROP [0:0]
630 :FORWARD DROP [0:0]
665 :FORWARD DROP [0:0]
631 :OUTPUT ACCEPT [0:0]
666 :OUTPUT ACCEPT [0:0]
632 :TCP - [0:0]
667 :TCP - [0:0]
633 :UDP - [0:0]
668 :UDP - [0:0]
634 :SSH - [0:0]
669 :SSH - [0:0]
635
670
636 # Rate limit ping requests
671 # Rate limit ping requests
637 -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
672 -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
638 -A INPUT -p icmp --icmp-type echo-request -j DROP
673 -A INPUT -p icmp --icmp-type echo-request -j DROP
639
674
640 # Accept established connections
675 # Accept established connections
641 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
676 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
642
677
643 # Accept all traffic on loopback interface
678 # Accept all traffic on loopback interface
644 -A INPUT -i lo -j ACCEPT
679 -A INPUT -i lo -j ACCEPT
645
680
646 # Drop packets declared invalid
681 # Drop packets declared invalid
647 -A INPUT -m conntrack --ctstate INVALID -j DROP
682 -A INPUT -m conntrack --ctstate INVALID -j DROP
648
683
649 # SSH rate limiting
684 # SSH rate limiting
650 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
685 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
651 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
686 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
652 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
687 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
653 -A SSH -m recent --name sshbf --set -j ACCEPT
688 -A SSH -m recent --name sshbf --set -j ACCEPT
654
689
655 # Send TCP and UDP connections to their respective rules chain
690 # Send TCP and UDP connections to their respective rules chain
656 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
691 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
657 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
692 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
658
693
659 # Reject dropped packets with a RFC compliant responce
694 # Reject dropped packets with a RFC compliant responce
660 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
695 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
661 -A INPUT -p tcp -j REJECT --reject-with tcp-rst
696 -A INPUT -p tcp -j REJECT --reject-with tcp-rst
662 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
697 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
663
698
664 ## TCP PORT RULES
699 ## TCP PORT RULES
665 # -A TCP -p tcp -j LOG
700 # -A TCP -p tcp -j LOG
666
701
667 ## UDP PORT RULES
702 ## UDP PORT RULES
668 # -A UDP -p udp -j LOG
703 # -A UDP -p udp -j LOG
669
704
670 COMMIT
705 COMMIT
671 EOM
706 EOM
672
707
673 # Reload systemd configuration and enable iptables service
708 # Reload systemd configuration and enable iptables service
674 LANG=C chroot $R systemctl daemon-reload
709 chroot_exec systemctl daemon-reload
675 LANG=C chroot $R systemctl enable iptables.service
710 chroot_exec systemctl enable iptables.service
676
711
677 if [ "$ENABLE_IPV6" = true ] ; then
712 if [ "$ENABLE_IPV6" = true ] ; then
678 # Create ip6tables systemd service
713 # Create ip6tables systemd service
679 cat <<EOM >$R/etc/systemd/system/ip6tables.service
714 cat <<EOM >$R/etc/systemd/system/ip6tables.service
680 [Unit]
715 [Unit]
681 Description=Packet Filtering Framework
716 Description=Packet Filtering Framework
682 DefaultDependencies=no
717 DefaultDependencies=no
683 After=systemd-sysctl.service
718 After=systemd-sysctl.service
684 Before=sysinit.target
719 Before=sysinit.target
685 [Service]
720 [Service]
686 Type=oneshot
721 Type=oneshot
687 ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
722 ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
688 ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
723 ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
689 ExecStop=/etc/iptables/flush-ip6tables.sh
724 ExecStop=/etc/iptables/flush-ip6tables.sh
690 RemainAfterExit=yes
725 RemainAfterExit=yes
691 [Install]
726 [Install]
692 WantedBy=multi-user.target
727 WantedBy=multi-user.target
693 EOM
728 EOM
694
729
695 # Create ip6tables file
730 # Create ip6tables file
696 cat <<EOM >$R/etc/iptables/flush-ip6tables.sh
731 cat <<EOM >$R/etc/iptables/flush-ip6tables.sh
697 #!/bin/sh
732 #!/bin/sh
698 ip6tables -F
733 ip6tables -F
699 ip6tables -X
734 ip6tables -X
700 ip6tables -Z
735 ip6tables -Z
701 for table in $(</proc/net/ip6_tables_names)
736 for table in $(</proc/net/ip6_tables_names)
702 do
737 do
703 ip6tables -t \$table -F
738 ip6tables -t \$table -F
704 ip6tables -t \$table -X
739 ip6tables -t \$table -X
705 ip6tables -t \$table -Z
740 ip6tables -t \$table -Z
706 done
741 done
707 ip6tables -P INPUT ACCEPT
742 ip6tables -P INPUT ACCEPT
708 ip6tables -P OUTPUT ACCEPT
743 ip6tables -P OUTPUT ACCEPT
709 ip6tables -P FORWARD ACCEPT
744 ip6tables -P FORWARD ACCEPT
710 EOM
745 EOM
711
746
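Review bot: the flush-ip6tables.sh heredoc is unquoted, so `$(</proc/net/ip6_tables_names)` in the for loop is expanded by the build host's shell at the moment the file is written, not on the Pi when the unit runs ExecStop; only `\$table` is escaped. The generated script therefore carries whatever table list the build machine happened to have (usually nothing), and `$(<file)` is a bash-only form while the script declares `#!/bin/sh`. Either escape the substitution as `\$(cat /proc/net/ip6_tables_names)`, or quote the delimiter (`<<'EOM'`) and write `$table` unescaped, and make sure the file is made executable, since the unit invokes it directly via `ExecStop=/etc/iptables/flush-ip6tables.sh`.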
712 # Create ip6tables rule file
747 # Create ip6tables rule file
713 cat <<EOM >$R/etc/iptables/ip6tables.rules
748 cat <<EOM >$R/etc/iptables/ip6tables.rules
714 *filter
749 *filter
715 :INPUT DROP [0:0]
750 :INPUT DROP [0:0]
716 :FORWARD DROP [0:0]
751 :FORWARD DROP [0:0]
717 :OUTPUT ACCEPT [0:0]
752 :OUTPUT ACCEPT [0:0]
718 :TCP - [0:0]
753 :TCP - [0:0]
719 :UDP - [0:0]
754 :UDP - [0:0]
720 :SSH - [0:0]
755 :SSH - [0:0]
721
756
722 # Drop packets with RH0 headers
757 # Drop packets with RH0 headers
723 -A INPUT -m rt --rt-type 0 -j DROP
758 -A INPUT -m rt --rt-type 0 -j DROP
724 -A OUTPUT -m rt --rt-type 0 -j DROP
759 -A OUTPUT -m rt --rt-type 0 -j DROP
725 -A FORWARD -m rt --rt-type 0 -j DROP
760 -A FORWARD -m rt --rt-type 0 -j DROP
726
761
727 # Rate limit ping requests
762 # Rate limit ping requests
728 -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
763 -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
729 -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
764 -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
730
765
731 # Accept established connections
766 # Accept established connections
732 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
767 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
733
768
734 # Accept all traffic on loopback interface
769 # Accept all traffic on loopback interface
735 -A INPUT -i lo -j ACCEPT
770 -A INPUT -i lo -j ACCEPT
736
771
737 # Drop packets declared invalid
772 # Drop packets declared invalid
738 -A INPUT -m conntrack --ctstate INVALID -j DROP
773 -A INPUT -m conntrack --ctstate INVALID -j DROP
739
774
740 # SSH rate limiting
775 # SSH rate limiting
741 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
776 -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH
742 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
777 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
743 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
778 -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
744 -A SSH -m recent --name sshbf --set -j ACCEPT
779 -A SSH -m recent --name sshbf --set -j ACCEPT
745
780
746 # Send TCP and UDP connections to their respective rules chain
781 # Send TCP and UDP connections to their respective rules chain
747 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
782 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
748 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
783 -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
749
784
750 # Reject dropped packets with a RFC compliant responce
785 # Reject dropped packets with a RFC compliant responce
751 -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
786 -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
752 -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
787 -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
753 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
788 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
754
789
755 ## TCP PORT RULES
790 ## TCP PORT RULES
756 # -A TCP -p tcp -j LOG
791 # -A TCP -p tcp -j LOG
757
792
758 ## UDP PORT RULES
793 ## UDP PORT RULES
759 # -A UDP -p udp -j LOG
794 # -A UDP -p udp -j LOG
760
795
761 COMMIT
796 COMMIT
762 EOM
797 EOM
763
798
764 # Reload systemd configuration and enable iptables service
799 # Reload systemd configuration and enable iptables service
765 LANG=C chroot $R systemctl daemon-reload
800 chroot_exec systemctl daemon-reload
766 LANG=C chroot $R systemctl enable ip6tables.service
801 chroot_exec systemctl enable ip6tables.service
767 fi
802 fi
768 fi
803 fi
769
804
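Review bot: the ip6tables ruleset never accepts ICMPv6 neighbour or router discovery, so with `:INPUT DROP` an IPv6-enabled image cannot answer neighbour solicitations or pick up router advertisements. The only ICMPv6 rules are the rate-limited echo-request ACCEPT and its DROP; neighbour discovery messages are not tracked by conntrack, so the RELATED,ESTABLISHED rule does not cover them, and they fall through to the final `-A INPUT -j REJECT --reject-with icmp6-adm-prohibited`. Add explicit accepts ahead of the reject rules, for example `-A INPUT -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT`, `-A INPUT -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT` and `-A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT`, ideally restricted with `-m hl --hl-eq 255` since link-local ND is always sent with hop limit 255.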
770 # Remove SSHD related iptables rules
805 # Remove SSHD related iptables rules
771 if [ "$ENABLE_SSHD" = false ] ; then
806 if [ "$ENABLE_SSHD" = false ] ; then
772 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/iptables.rules 2> /dev/null
807 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/iptables.rules 2> /dev/null
773 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/ip6tables.rules 2> /dev/null
808 sed -e '/^#/! {/SSH/ s/^/# /}' -i $R/etc/iptables/ip6tables.rules 2> /dev/null
774 fi
809 fi
775
810
776 # Install gcc/c++ build environment inside the chroot
811 # Install gcc/c++ build environment inside the chroot
777 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
812 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
778 LANG=C chroot $R apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
813 chroot_exec apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc
779 fi
814 fi
780
815
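Review bot: the toolchain install keeps `--force-yes` (`apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc`), which makes apt continue where it would otherwise stop, including installing packages whose repository signature cannot be verified; with `-y` alone apt aborts on unauthenticated packages. The fbturbo dependency install further down gets by without it. Because this is the compiler that produces the bootloader written into the image, drop `--force-yes` so an unsigned or tampered mirror fails the build instead of being compiled in silently.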
781 # Fetch and build U-Boot bootloader
816 # Fetch and build U-Boot bootloader
782 if [ "$ENABLE_UBOOT" = true ] ; then
817 if [ "$ENABLE_UBOOT" = true ] ; then
783 # Fetch U-Boot bootloader sources
818 # Fetch U-Boot bootloader sources
784 git -C $R/tmp clone git://git.denx.de/u-boot.git
819 git -C $R/tmp clone git://git.denx.de/u-boot.git
785
820
786 # Build and install U-Boot inside chroot
821 # Build and install U-Boot inside chroot
787 LANG=C chroot $R make -C /tmp/u-boot/ rpi_2_defconfig all
822 chroot_exec make -C /tmp/u-boot/ rpi_2_defconfig all
788
823
789 # Copy compiled bootloader binary and set config.txt to load it
824 # Copy compiled bootloader binary and set config.txt to load it
790 cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
825 cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
791 printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
826 printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
792
827
793 # Set U-Boot command file
828 # Set U-Boot command file
794 cat <<EOM >$R/boot/firmware/uboot.mkimage
829 cat <<EOM >$R/boot/firmware/uboot.mkimage
795 # Tell Linux that it is booting on a Raspberry Pi2
830 # Tell Linux that it is booting on a Raspberry Pi2
796 setenv machid 0x00000c42
831 setenv machid 0x00000c42
797
832
798 # Set the kernel boot command line
833 # Set the kernel boot command line
799 setenv bootargs "earlyprintk ${CMDLINE}"
834 setenv bootargs "earlyprintk ${CMDLINE}"
800
835
801 # Save these changes to u-boot's environment
836 # Save these changes to u-boot's environment
802 saveenv
837 saveenv
803
838
804 # Load the existing Linux kernel into RAM
839 # Load the existing Linux kernel into RAM
805 fatload mmc 0:1 \${kernel_addr_r} kernel7.img
840 fatload mmc 0:1 \${kernel_addr_r} kernel7.img
806
841
807 # Boot the kernel we have just loaded
842 # Boot the kernel we have just loaded
808 bootz \${kernel_addr_r}
843 bootz \${kernel_addr_r}
809 EOM
844 EOM
810
845
811 # Generate U-Boot image from command file
846 # Generate U-Boot image from command file
812 LANG=C chroot $R mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
847 chroot_exec mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
813 fi
848 fi
814
849
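Review bot: the bootloader is fetched with `git -C $R/tmp clone git://git.denx.de/u-boot.git`, that is over the unauthenticated git:// transport with no tag or commit pinned, and the resulting `u-boot.bin` becomes the `kernel=` entry in config.txt, so whoever can interfere with that connection chooses the first code every built image executes. Clone over an authenticated transport, pin a release (`git clone --branch <tag> --depth 1 ...`) and compare the checked-out commit (`git -C $R/tmp/u-boot rev-parse HEAD`) with a hash recorded in the script before running make. Also worth a comment in the uboot.mkimage heredoc: `${CMDLINE}` is intentionally expanded at build time while `\${kernel_addr_r}` is escaped for U-Boot, which reads like a mistake until one notices the difference.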
815 # Fetch and build fbturbo Xorg driver
850 # Fetch and build fbturbo Xorg driver
816 if [ "$ENABLE_FBTURBO" = true ] ; then
851 if [ "$ENABLE_FBTURBO" = true ] ; then
817 # Fetch fbturbo driver sources
852 # Fetch fbturbo driver sources
818 git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git
853 git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git
819
854
820 # Install Xorg build dependencies
855 # Install Xorg build dependencies
821 LANG=C chroot $R apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
856 chroot_exec apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
822
857
823 # Build and install fbturbo driver inside chroot
858 # Build and install fbturbo driver inside chroot
824 LANG=C chroot $R /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install"
859 chroot_exec /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install"
825
860
826 # Add fbturbo driver to Xorg configuration
861 # Add fbturbo driver to Xorg configuration
827 cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf
862 cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf
828 Section "Device"
863 Section "Device"
829 Identifier "Allwinner A10/A13 FBDEV"
864 Identifier "Allwinner A10/A13 FBDEV"
830 Driver "fbturbo"
865 Driver "fbturbo"
831 Option "fbdev" "/dev/fb0"
866 Option "fbdev" "/dev/fb0"
832 Option "SwapbuffersWait" "true"
867 Option "SwapbuffersWait" "true"
833 EndSection
868 EndSection
834 EOM
869 EOM
835
870
836 # Remove Xorg build dependencies
871 # Remove Xorg build dependencies
837 LANG=C chroot $R apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
872 chroot_exec apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
838 fi
873 fi
839
874
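Review bot: the fbturbo build is chained with `;` (`cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install`), so if the cd, autoreconf or configure step fails, `make install` still runs in whatever directory the shell is left in and the script carries on to write 99-fbturbo.conf for a driver that was never built. Join the steps with `&&` (or put `set -e` at the start of the `bash -c` string) so a failed build aborts image creation. The clone here has the same unpinned-checkout issue as the U-Boot fetch: record the expected commit and verify it after cloning.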
840 # Remove gcc/c++ build environment from the chroot
875 # Remove gcc/c++ build environment from the chroot
841 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
876 if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then
842 LANG=C chroot $R apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
877 chroot_exec apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make
843 fi
878 fi
844
879
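Review bot: the toolchain purge spells out the whole dependency closure by name (`cpp-4.9`, `libcloog-isl4`, `libisl10`, `libmpfr4`, ...), so on any release where one of those package names no longer exists apt-get aborts with "Unable to locate package" and nothing of the build environment is removed from the image. Since the packages were installed with `--no-install-recommends` and are purged with `--auto-remove`, purging only what was explicitly requested (`linux-compiler-gcc-4.9-arm g++ make bc`) lets apt drop the automatically installed libraries itself, and the `apt-get -y autoremove` in the clean-up block below catches anything left.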
845 # Clean cached downloads
880 # Clean cached downloads
846 LANG=C chroot $R apt-get -y clean
881 chroot_exec apt-get -y clean
847 LANG=C chroot $R apt-get -y autoclean
882 chroot_exec apt-get -y autoclean
848 LANG=C chroot $R apt-get -y autoremove
883 chroot_exec apt-get -y autoremove
849
884
850 # Unmount mounted filesystems
885 # Unmount mounted filesystems
851 umount -l $R/proc
886 umount -l $R/proc
852 umount -l $R/sys
887 umount -l $R/sys
853
888
854 # Clean up files
889 # Clean up files
855 rm -f $R/etc/apt/sources.list.save
890 rm -f $R/etc/apt/sources.list.save
856 rm -f $R/etc/resolvconf/resolv.conf.d/original
891 rm -f $R/etc/resolvconf/resolv.conf.d/original
857 rm -rf $R/run
892 rm -rf $R/run
858 mkdir -p $R/run
893 mkdir -p $R/run
859 rm -f $R/etc/*-
894 rm -f $R/etc/*-
860 rm -f $R/root/.bash_history
895 rm -f $R/root/.bash_history
861 rm -rf $R/tmp/*
896 rm -rf $R/tmp/*
862 rm -f $R/var/lib/urandom/random-seed
897 rm -f $R/var/lib/urandom/random-seed
863 [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id
898 [ -L $R/var/lib/dbus/machine-id ] || rm -f $R/var/lib/dbus/machine-id
864 rm -f $R/etc/machine-id
899 rm -f $R/etc/machine-id
865 rm -fr $R/etc/apt/apt.conf.d/10proxy
900 rm -fr $R/etc/apt/apt.conf.d/10proxy
866
901
867 # Calculate size of the chroot directory
902 # Calculate size of the chroot directory
868 CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)
903 CHROOT_SIZE=$(expr `du -s $R | awk '{ print $1 }'` / 1024)
869
904
870 # Calculate required image size
905 # Calculate required image size
871 IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`
906 IMAGE_SIZE=`expr $(expr ${CHROOT_SIZE} / 1024 + 1) \* 1024`
872
907
873 # Calculate number of sectors for the partition
908 # Calculate number of sectors for the partition
874 IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`
909 IMAGE_SECTORS=`expr $(expr ${IMAGE_SIZE} \* 1048576) / 512 - 133120`
875
910
876 # Prepare date string for image file name
911 # Prepare date string for image file name
877 DATE="$(date +%Y-%m-%d)"
912 DATE="$(date +%Y-%m-%d)"
878
913
879 # Prepare image file
914 # Prepare image file
880 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1
915 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=1
881 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}
916 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=1M count=0 seek=${IMAGE_SIZE}
882
917
883 # Write partition table
918 # Write partition table
884 sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
919 sfdisk -q -L -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" <<EOM
885 unit: sectors
920 unit: sectors
886
921
887 1 : start= 2048, size= 131072, Id= c, bootable
922 1 : start= 2048, size= 131072, Id= c, bootable
888 2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83
923 2 : start= 133120, size= ${IMAGE_SECTORS}, Id=83
889 3 : start= 0, size= 0, Id= 0
924 3 : start= 0, size= 0, Id= 0
890 4 : start= 0, size= 0, Id= 0
925 4 : start= 0, size= 0, Id= 0
891 EOM
926 EOM
892
927
893 # Set up temporary loop devices and build filesystems
928 # Set up temporary loop devices and build filesystems
894 VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
929 VFAT_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
895 EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
930 EXT4_LOOP="$(losetup -o 65M --sizelimit `expr ${IMAGE_SIZE} - 64`M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
896 mkfs.vfat "$VFAT_LOOP"
931 mkfs.vfat "$VFAT_LOOP"
897 mkfs.ext4 "$EXT4_LOOP"
932 mkfs.ext4 "$EXT4_LOOP"
898
933
899 # Mount the temporary loop devices
934 # Mount the temporary loop devices
900 mkdir -p "$BUILDDIR/mount"
935 mkdir -p "$BUILDDIR/mount"
901 mount "$EXT4_LOOP" "$BUILDDIR/mount"
936 mount "$EXT4_LOOP" "$BUILDDIR/mount"
902
937
903 mkdir -p "$BUILDDIR/mount/boot/firmware"
938 mkdir -p "$BUILDDIR/mount/boot/firmware"
904 mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"
939 mount "$VFAT_LOOP" "$BUILDDIR/mount/boot/firmware"
905
940
906 # Copy all files from the chroot to the loop device mount point directory
941 # Copy all files from the chroot to the loop device mount point directory
907 rsync -a "$R/" "$BUILDDIR/mount/"
942 rsync -a "$R/" "$BUILDDIR/mount/"
908
943
909 # Unmount all temporary loop devices and mount points
944 # Unmount all temporary loop devices and mount points
910 cleanup
945 cleanup
911
946
912 # (optinal) create block map file for "bmaptool"
947 # (optinal) create block map file for "bmaptool"
913 bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
948 bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
914
949
915 # Image was successfully created
950 # Image was successfully created
916 echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"
951 echo "$BASEDIR/${DATE}-debian-${RELEASE}.img (${IMAGE_SIZE})" ": successfully created"
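Review bot: `rsync -a "$R/" "$BUILDDIR/mount/"` copies the chroot into the image without `-A`, `-X` or `-H`, so POSIX ACLs, extended attributes and hard links are dropped; in particular any file capabilities a package set with setcap live in the `security.capability` xattr and are silently lost, leaving such binaries non-functional for unprivileged users. Use `rsync -aHAX`, which ext4 on the target supports. A smaller point in the same block: the ext4 loop device is created with `--sizelimit \`expr ${IMAGE_SIZE} - 64\`M` although partition 2 starts at 65 MiB (sector 133120), so the limit overshoots the file by 1 MiB; the kernel clamps the loop device to the file size, so it is harmless today, but it should read `- 65` to match the partition table.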