DPI908 -- Release 0.2
The release 0.2 aim to create a ARM image file that is built by a bash shell script. The script is provided from Seneca CDOT office staff Agreene, and the original script aims for configuring the Raspberry Pi. I modify the bash script to fulfill my project need. The script supposes to build the arm architecture system in armv5tel kernel for the Guruplug server, and then I can use dd command to transfer the image to the micro SD card.
Below is the script content:
#!/bin/bash
set -x
exec 2>&1 # Unify output
IMGSIZE=4096 # Image size in MB
echo "##### $(date) - Starting"
echo "##### $(date) - Creating SD card image"
# Image filename
image=/compose/gurunplug-$$.img
# Create image file, partition it
sudo dd if=/dev/zero of=${image} bs=1M count=${IMGSIZE}
echo -e "n\np\n1\n\n+501M\nn\np\n2\n\n\nt\n1\nc\na\n1\np\nw\n" | fdisk ${image}
#fdisk ${image}
# Mount the main image via loopback
sudo kpartx -av ${image}
# Get partitions and make them accessible via loopback+dm
sudo losetup -a
loopback=$( losetup -f | grep "$image" | cut -d":" -f1 | xargs -I {} basename {} )
# Create filesystems
mkfs -t vfat -n boot /dev/mapper/${loopback}p1
mkfs -t ext4 -L rootfs /dev/mapper/${loopback}p2
# Mount filesystems
fsdir=${image}p2
sudo mkdir -p ${fsdir}
sudo mount -o rw /dev/mapper/${loopback}p2 ${fsdir}
sudo mkdir -p ${fsdir}/boot
sudo mount -o rw /dev/mapper/${loopback}p1 ${fsdir}/boot
# Bind-mount system/kernel filesystems
sudo mkdir -p ${fsdir}/{proc,dev,sys}
sudo mount -o bind /proc ${fsdir}/proc/
sudo mount -o bind /dev ${fsdir}/dev/
sudo mount -o bind /sys ${fsdir}/sys
# Create basic device nodes and directories
sudo mknod ${fsdir}/dev/console c 5 1
sudo mknod ${fsdir}/dev/null c 1 3
sudo mknod ${fsdir}/dev/zero c 1 5
sudo mkdir -p ${fsdir}/var/lib/yum
sudo mkdir -p ${fsdir}/var/log
sudo mkdir -p ${fsdir}/etc
sudo touch ${fsdir}/etc/fstab
echo "##### $(date) - Installing packages"
# Install packages into image
sudo yum clean all
sudo yum \
install -y \
--disablerepo=\* \
--enablerepo=fedora \
--enablerepo=rpfr \
--enablerepo=updates \
--installroot="$fsdir" \
-x fedora-release \
-x fedora-release-notes \
-x fedora-logos \
-x generic-release \
-x system-config-date \
-x kernel \
-x firstboot \
-x smolt \
-x smolt-firstboot \
-x kernel-kirkwood \
-x ConsoleKit \
-x kernel-imx \
-x plymouth \
-x abrt* \
-x nfs-utils \
-x talk \
-x yp-tools \
-x ypbind \
-x coolkey \
@core \
@base \
@hardware-support \
mesa-dri-drivers \
dejavu-sans-fonts \
dejavu-serif-fonts \
dejavu-sans-mono-fonts \
dejavu-fonts-common \
liberation-sans-fonts \
liberation-serif-fonts \
liberation-mono-fonts \
liberation-narrow-fonts \
liberation-fonts-common \
setup \
yum \
rpm \
bash \
chrony \
strace \
shadow-utils \
mlocate \
ntpdate \
less \
sl \
units \
fpaste \
wget \
curl \
systemd \
systemd-units \
ruby \
midori \
libbcm2835 \
perl-Device-BCM2835 \
pi3d \
nortc \
wiringpi \
iptables \
openssh-server \
pulseaudio \
espeak
echo "##### $(date) - Post-installation file configuration"
# Re-install to fixup users
cp /etc/resolv.conf ${fsdir}/etc/resolv.conf
cat << EOF >${fsdir}/tmp/reinstall
#!/bin/bash
echo "Reinstalling within chroot."
yum reinstall -y \$(rpm -qa --qf "%{name}\n"|egrep -v "^setup$")
yum clean all
find / -name '*.rpmsave' -o -name '*.rpmnew' -delete
echo "Finished reinstalling within chroot. Exit status: $?"
EOF
chmod 0755 ${fsdir}/tmp/reinstall
chroot ${fsdir} /tmp/reinstall
rm ${fsdir}/tmp/reinstall ${fsdir}/etc/resolv.conf
# Post-installation
# /etc/fstab
cat << EOF >> $fsdir/etc/fstab
LABEL="rootfs" / ext4 defaults,noatime 1 1
LABEL="boot" /boot vfat noauto,comment=systemd.automount 1 2
EOF
# /etc/hosts
cat << EOF > $fsdir/etc/hosts
127.0.0.1 localhost localhost.localdomain firewall.local
EOF
# root password
sed -i 's|^root:.*|root:x:0:0:root:/root:/bin/bash|' ${fsdir}/etc/passwd
sed -i 's|^SELINUX=enforcing|SELINUX=permissive|' ${fsdir}/etc/selinux/config
# hostname
cat << EOF > ${fsdir}/etc/sysconfig/network
NETWORKING=yes
HOSTNAME=firewall.local
NETWORKWAIT=1
EOF
# Agreene's suggestions for optimization on Boot
cat << EOF > ${fsdir}/tmp/optimize-systemd
#!/bin/bash
echo "Optimizing systemd within chroot."
for i in fedora-storage-init-late.service fedora-storage-init.service plymouth-halt.service plymouth-kexec.service plymouth-poweroff.service plymouth-quit.service plymouth-quit-wait.service plymouth-read-write.service plymouth-reboot.service plymouth-start.service mdmonitor.service mdmonitor-takeover.service auditd.service avahi-daemon.service avahi-daemon.socket bluetooth.target dev-hugepages.mount dev-mqueue.mount fedora-configure.service fedora-loadmodules.service fedora-readonly.service ip6tables.service sys-kernel-config.mount sys-kernel-debug.mount systemd-readahead-collect.service systemd-readahead-done.service systemd-readahead-done.timer systemd-readahead-replay.service
do
systemctl mask \$i
done
# Missing symlink for sendmail.pid
ln -s /var/run /run
# start sm-client
systemctl enable sm-client.service
echo "Finished optimizing within chroot. Exit status: \$?"
EOF
chmod 0755 ${fsdir}/tmp/optimize-systemd
chroot ${fsdir} /tmp/optimize-systemd
cp -fv ${fsdir}/boot/arm192_start.elf ${fsdir}/boot/start.elf
# selinux disabled (memory requirements)
sed -i "s|SELINUX=.*|SELINUX=disabled|" ${fsdir}/etc/selinux/config
# shadow file
#echo "############### INVOKING BASH SHELL FOR DEBUG OF USER ACCOUNTS"
#cd ${fsdir}/etc
#export PS1="debug> "
#bash
for X in passwd shadow group gshadow
do
echo "==================================== $X"
ls -l ${fsdir}/etc/$X
echo "------------------------------------"
cat ${fsdir}/etc/$X
done
echo "===================================="
chroot ${fsdir} pwconv
chroot ${fsdir} grpconv
chroot ${fsdir} systemctl enable nortc.service
# password for root (password=raspberrypi, overwritten by firstboot)
sed -i 's|root:.*:|root:$6$KW0GGbE5$zlEB9.PbHVh8kmXj1WMFGLJGwwthhU4oXn2oNxHZllbUSzTsVhTZ9jts8RC7uicuUCWyrsZ1e2yEj4ErDLOHQ/:15525:0:99999:7:::|' $fsdir/etc/shadow
# default network configuration (dhcp)
cat << EOF > $fsdir/etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes
NM_CONTROLLED=yes
EOF
# default firewall setting
sudo /sbin/iptables -A INPUT -m state --state INVALID -j LOG --log-prefix "Access Invalid"
sudo /sbin/iptables -A INPUT -m state --state INVALID -j DROP
sudo /sbin/iptables -t filter -P INPUT DROP
sudo /sbin/iptables -t filter -P OUTPUT ACCEPT
sudo /sbin/iptables -t filter -P FORWARD DROP
sudo /sbin/iptables -t filter -A INPUT -p icmp --icmp-type echo-request -j LOG --log-prefix "icmp-request"
sudo /sbin/iptables -t filter -A INPUT -p icmp --icmp-type echo-request -j DROP
sudo /sbin/iptables -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo /sbin/iptables -t filter -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
sudo /sbin/iptables -t filter -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
sudo /sbin/iptables -t filter -A INPUT -i lo -j ACCEP
# i18n settings
cat <<EOF > ${fsdir}/etc/sysconfig/i18n
LANG="en_US.UTF-8"
SYSFONT="latarcyrheb-sun16"
EOF
echo "##### $(date) - Unmount filesystems"
echo
echo "---- size info ---"
df -h
echo "------------------"
echo
# Unmount filesystems
sudo umount ${fsdir}/proc/
sudo umount ${fsdir}/dev/
sudo umount ${fsdir}/sys/
sudo umount ${image}p2/boot
sudo umount ${image}p2
sudo rmdir ${image}p2
#resize2fs -m /dev/mapper/${loopback}p2
kpartx -dv $image
echo "##### $(date) - Finished"
Explanation about the script:
The script must be run in arm OS. This script is to create the arm image file about 4096M big, and partition it for two partitions; one is the boot partition, which uses vFat 32 format, and the second is ext4 partition. Then, the partitions that need to be mount into an available the local loopback device. After creating the the necessary device nodes and directories, then starts to install the rpm packages into the image.
After finishing the the package installation, the script will pre-setup the system configuration file into the image, such as, /etc/fstab, /etc/hosts, network interface, root password. and the /etc/sysconfig/network. Next, the optimization section is the script section to optimize the booting process. The firewall setting section is the pre-config iptables for protecting the system, and the protection includes dropping INVALID package, defending outbound icmp ping attack, and executing default drop policy. The last part is to unmount the devices that already attach to the image.
# This is my first execution output from the script:
http://dl.dropbox.com/u/55298330/Seventh%20Semeter/DPI908A/release0-2.txt
# This is the script for downloading:
http://dl.dropbox.com/u/55298330/Seventh%20Semeter/DPI908A/guruplug-script2
# This is the script for downloading:
http://dl.dropbox.com/u/55298330/Seventh%20Semeter/DPI908A/guruplug-script2
This is the problem below that I can’t fix temporally. Since this script could run in one server platform, but may not run in others. I could run this script in 13-1 trimslice server, but not the 6-4 server. I am still testing on another arm OS to see any chances to fix the problem, which likes happen in server 6-4.
fdisk: unable to write /compose/gurunplug-1305.img: Bad file descriptor
The problem has been fixed. I ran the script in another machine, and it worked.
# This is the ARMv5tel image file, which could be downloaded.
http://dl.dropbox.com/u/55298330/guruplug-armv5tel.img
In the release 0.3, I will try to convert this image file to the Micro SD card, which is a bootable Fedora remix ARM-OS for the Guruplug-server with the firewall functionality.
