Diffstat (limited to 'bootstrap.d')
-rw-r--r-- | bootstrap.d/10-bootstrap.sh | 16 | ||||
-rw-r--r-- | bootstrap.d/11-apt.sh | 14 | ||||
-rw-r--r-- | bootstrap.d/12-locale.sh | 22 | ||||
-rw-r--r-- | bootstrap.d/13-kernel.sh | 113 | ||||
-rw-r--r-- | bootstrap.d/20-networking.sh | 32 | ||||
-rw-r--r-- | bootstrap.d/21-firewall.sh | 16 | ||||
-rw-r--r-- | bootstrap.d/30-security.sh | 4 | ||||
-rw-r--r-- | bootstrap.d/31-logging.sh | 2 | ||||
-rw-r--r-- | bootstrap.d/41-uboot.sh | 12 | ||||
-rw-r--r-- | bootstrap.d/42-fbturbo.sh | 4 | ||||
-rw-r--r-- | bootstrap.d/50-firstboot.sh | 22 |
11 files changed, 134 insertions, 123 deletions
diff --git a/bootstrap.d/10-bootstrap.sh b/bootstrap.d/10-bootstrap.sh
index 8a142eb..f4a57cc 100644
--- a/bootstrap.d/10-bootstrap.sh
+++ b/bootstrap.d/10-bootstrap.sh
@@ -7,22 +7,22 @@
 # Base debootstrap (unpack only)
 if [ "$ENABLE_MINBASE" = true ] ; then
- http_proxy=${APT_PROXY} debootstrap --arch=${RELEASE_ARCH} --variant=minbase --foreign --include=${APT_INCLUDES} ${RELEASE} $R http://${APT_SERVER}/debian
+ http_proxy=${APT_PROXY} debootstrap --arch="${RELEASE_ARCH}" --variant=minbase --foreign --include="${APT_INCLUDES}" "${RELEASE}" "$R" "http://${APT_SERVER}/debian"
 else
- http_proxy=${APT_PROXY} debootstrap --arch=${RELEASE_ARCH} --foreign --include=${APT_INCLUDES} ${RELEASE} $R http://${APT_SERVER}/debian
+ http_proxy=${APT_PROXY} debootstrap --arch="${RELEASE_ARCH}" --foreign --include="${APT_INCLUDES}" "${RELEASE}" "$R" "http://${APT_SERVER}/debian"
 fi
 # Copy qemu emulator binary to chroot
-cp ${QEMU_BINARY} $R/usr/bin
+cp "${QEMU_BINARY}" "$R/usr/bin"
 # Copy debian-archive-keyring.pgp
-mkdir -p $R/usr/share/keyrings
-cp /usr/share/keyrings/debian-archive-keyring.gpg $R/usr/share/keyrings/debian-archive-keyring.gpg
+mkdir -p "$R/usr/share/keyrings"
+cp /usr/share/keyrings/debian-archive-keyring.gpg "$R/usr/share/keyrings/debian-archive-keyring.gpg"
 # Complete the bootstrapping process
 chroot_exec /debootstrap/debootstrap --second-stage
 # Mount required filesystems
-mount -t proc none $R/proc
-mount -t sysfs none $R/sys
-mount --bind /dev/pts $R/dev/pts
+mount -t proc none "$R/proc"
+mount -t sysfs none "$R/sys"
+mount --bind /dev/pts "$R/dev/pts"
diff --git a/bootstrap.d/11-apt.sh b/bootstrap.d/11-apt.sh
index f3a642e..9610832 100644
--- a/bootstrap.d/11-apt.sh
+++ b/bootstrap.d/11-apt.sh
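Review bot: debootstrap is invoked without an explicit `--keyring`, so Release-file signature verification depends on the host's default keyring and, as far as I know, is only warned about and skipped when that file is missing; since the script already depends on `/usr/share/keyrings/debian-archive-keyring.gpg` (it copies it into the chroot a few lines below), passing `--keyring=/usr/share/keyrings/debian-archive-keyring.gpg` on both debootstrap lines makes verification mandatory and fails loudly if the keyring is absent. `http_proxy=${APT_PROXY}` is the one expansion in the hunk left unquoted; it is harmless in a prefix assignment but worth a comment so nobody "fixes" it inconsistently. Nothing in this hunk unmounts `$R/proc`, `$R/sys` and `$R/dev/pts`; presumably `cleanup` from functions.sh (not visible here) does, and a comment pointing there would help.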
@@ -7,22 +7,22 @@
 # Install and setup APT proxy configuration
 if [ -z "$APT_PROXY" ] ; then
- install_readonly files/apt/10proxy $R/etc/apt/apt.conf.d/10proxy
- sed -i "s/\"\"/\"${APT_PROXY}\"/" $R/etc/apt/apt.conf.d/10proxy
+ install_readonly files/apt/10proxy "$R/etc/apt/apt.conf.d/10proxy"
+ sed -i "s/\"\"/\"${APT_PROXY}\"/" "$R/etc/apt/apt.conf.d/10proxy"
 fi
 # Install APT pinning configuration for flash-kernel package
-install_readonly files/apt/flash-kernel $R/etc/apt/preferences.d/flash-kernel
+install_readonly files/apt/flash-kernel "$R/etc/apt/preferences.d/flash-kernel"
 # Upgrade collabora package index and install collabora keyring
-echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list
+echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" > "$R/etc/apt/sources.list"
 chroot_exec apt-get -qq -y update
 chroot_exec apt-get -qq -y --force-yes install collabora-obs-archive-keyring
 # Install APT sources.list
-install_readonly files/apt/sources.list $R/etc/apt/sources.list
-sed -i "s/\/ftp.debian.org\//\/${APT_SERVER}\//" $R/etc/apt/sources.list
-sed -i "s/ jessie/ ${RELEASE}/" $R/etc/apt/sources.list
+install_readonly files/apt/sources.list "$R/etc/apt/sources.list"
+sed -i "s/\/ftp.debian.org\//\/${APT_SERVER}\//" "$R/etc/apt/sources.list"
+sed -i "s/ jessie/ ${RELEASE}/" "$R/etc/apt/sources.list"
 # Upgrade package index and update all installed packages and changed dependencies
 chroot_exec apt-get -qq -y update
diff --git a/bootstrap.d/12-locale.sh b/bootstrap.d/12-locale.sh
index 06ad5a5..d82f212 100644
--- a/bootstrap.d/12-locale.sh
+++ b/bootstrap.d/12-locale.sh
@@ -6,7 +6,7 @@ . ./functions.sh
 # Install and setup timezone
-echo ${TIMEZONE} >$R/etc/timezone
+echo ${TIMEZONE} > "$R/etc/timezone"
 chroot_exec dpkg-reconfigure -f noninteractive tzdata
 # Install and setup default locale and keyboard configuration
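Review bot: `chroot_exec apt-get -qq -y --force-yes install collabora-obs-archive-keyring` installs the Collabora signing key from a repository whose key is not yet trusted, so apt's authentication warning is overridden by `--force-yes` and the trust root for everything later pulled from that repository is established by trust-on-first-use over TLS; shipping the keyring file under `files/apt/` and installing it with `install_readonly` into `/etc/apt/trusted.gpg.d/` before the `apt-get update`, then dropping `--force-yes` (deprecated since apt 1.1, it also waives downgrade checks), gives a verifiable chain. `if [ -z "$APT_PROXY" ]` looks inverted: it installs the proxy configuration only when `APT_PROXY` is empty, and the following sed then substitutes an empty string; `-n` appears to be the intent. `sed -i "s/\/ftp.debian.org\//\/${APT_SERVER}\//"` also breaks if `APT_SERVER` contains a `/` or `&`; `s|/ftp.debian.org/|/${APT_SERVER}/|` removes the escaping and a shape check on `APT_SERVER` before the sed removes the injection.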
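Review bot: `echo ${TIMEZONE} > "$R/etc/timezone"` is the only expansion in this hunk still unquoted, so a `TIMEZONE` containing whitespace or glob characters is word-split and expanded before it is written, and a value starting with `-` is taken as an echo option; `printf '%s\n' "${TIMEZONE}" > "$R/etc/timezone"` writes it verbatim and matches the quoting the rest of the commit applies.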
@@ -19,40 +19,40 @@ if [ "$ENABLE_MINBASE" = false ] ; then else # en_US.UTF-8 should be available anyway : https://www.debian.org/doc/manuals/debian-reference/ch08.en.html#_the_reconfiguration_of_the_locale chroot_exec echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections - sed -i "/en_US.UTF-8/s/^#//" $R/etc/locale.gen + sed -i "/en_US.UTF-8/s/^#//" "$R/etc/locale.gen" fi - sed -i "/${DEFLOCAL}/s/^#//" $R/etc/locale.gen + sed -i "/${DEFLOCAL}/s/^#//" "$R/etc/locale.gen" chroot_exec echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections chroot_exec locale-gen - chroot_exec update-locale LANG=${DEFLOCAL} + chroot_exec update-locale LANG="${DEFLOCAL}" # Install and setup default keyboard configuration if [ "$XKB_MODEL" != "" ] ; then - sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKB_MODEL}\"/" $R/etc/default/keyboard + sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKB_MODEL}\"/" "$R/etc/default/keyboard" fi if [ "$XKB_LAYOUT" != "" ] ; then - sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKB_LAYOUT}\"/" $R/etc/default/keyboard + sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKB_LAYOUT}\"/" "$R/etc/default/keyboard" fi if [ "$XKB_VARIANT" != "" ] ; then - sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKB_VARIANT}\"/" $R/etc/default/keyboard + sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKB_VARIANT}\"/" "$R/etc/default/keyboard" fi if [ "$XKB_OPTIONS" != "" ] ; then - sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKB_OPTIONS}\"/" $R/etc/default/keyboard + sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKB_OPTIONS}\"/" "$R/etc/default/keyboard" fi chroot_exec dpkg-reconfigure -f noninteractive keyboard-configuration # Install and setup font console case "${DEFLOCAL}" in *UTF-8) - sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' $R/etc/default/console-setup + sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' "$R/etc/default/console-setup" ;; *) - sed -i 's/^CHARMAP.*/CHARMAP="guess"/' $R/etc/default/console-setup + sed -i 
's/^CHARMAP.*/CHARMAP="guess"/' "$R/etc/default/console-setup" ;; esac chroot_exec dpkg-reconfigure -f noninteractive console-setup else # ENABLE_MINBASE=true # Install POSIX default locale - install_readonly files/locales/locale $R/etc/default/locale + install_readonly files/locales/locale "$R/etc/default/locale" fi diff --git a/bootstrap.d/13-kernel.sh b/bootstrap.d/13-kernel.sh index 798a5ce..a8e4f4a 100644 --- a/bootstrap.d/13-kernel.sh +++ b/bootstrap.d/13-kernel.sh 
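Review bot: `chroot_exec echo "locales ..." | debconf-set-selections` runs `debconf-set-selections` on the build host, not inside the chroot, because the pipeline is parsed by the outer shell and only the `echo` is wrapped; the selections never reach the target's debconf database and the host's is modified instead. Assuming `chroot_exec` (functions.sh, not shown) wraps `chroot "$R" "$@"` and passes stdin through, `printf '%s\n' "locales locales/default_environment_locale select ${DEFLOCAL}" | chroot_exec debconf-set-selections` fixes it, and the same applies to the `locales_to_be_generated` line. `sed -i "/${DEFLOCAL}/s/^#//"` uses the locale name as a regex address, where `.` matches any character; harmless for real locale names but worth a comment. The enclosing `if [ "$ENABLE_MINBASE" = false ]` opens before this hunk.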
@@ -8,88 +8,99 @@ # Fetch and build latest raspberry kernel if [ "$BUILD_KERNEL" = true ] ; then # Setup source directory - mkdir -p $R/usr/src + mkdir -p "$R/usr/src" # Copy existing kernel sources into chroot directory - if [ -n "$KERNEL_SRCDIR" ] && [ -d "$KERNEL_SRCDIR" ] ; then + if [ -n "$KERNELSRC_DIR" ] && [ -d "$KERNELSRC_DIR" ] ; then # Copy kernel sources - cp -r "${KERNEL_SRCDIR}" "${R}/usr/src" + cp -r "${KERNELSRC_DIR}" "${R}/usr/src" # Clean the kernel sources - if [ "$KERNEL_CLEANSRC" = true ] ; then - make -C $R/usr/src/linux ARCH=${KERNEL_ARCH} CROSS_COMPILE=${CROSS_COMPILE} mrproper + if [ "$KERNELSRC_CLEAN" = true ] && [ "$KERNELSRC_PREBUILT" = false ] ; then + make -C "$R/usr/src/linux" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" mrproper fi - else # KERNEL_SRCDIR="" + else # KERNELSRC_DIR="" # Fetch current raspberrypi kernel sources - git -C $R/usr/src clone --depth=1 https://github.com/raspberrypi/linux + git -C "$R/usr/src" clone --depth=1 https://github.com/raspberrypi/linux fi # Calculate optimal number of kernel building threads - if [ "$KERNEL_THREADS" = "1" ] ; then - if [ -r /proc/cpuinfo ] ; then - KERNEL_THREADS=$(grep -c processor /proc/cpuinfo) - fi + if [ "$KERNEL_THREADS" = "1" ] && [ -r /proc/cpuinfo ] ; then + KERNEL_THREADS=$(grep -c processor /proc/cpuinfo) fi - if [ "$KERNEL_CONFIGSRC" = true ] ; then - # Load default raspberry kernel configuration - make -C $R/usr/src/linux ARCH=${KERNEL_ARCH} CROSS_COMPILE=${CROSS_COMPILE} ${KERNEL_DEFCONFIG} + if [ "$KERNELSRC_PREBUILT" = false ] ; then + if [ "$KERNELSRC_CONFIG" = true ] ; then + # Load default raspberry kernel configuration + make -C "$R/usr/src/linux" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" "${KERNEL_DEFCONFIG}" - # Start menu-driven kernel configuration (interactive) - if [ "$KERNEL_MENUCONFIG" = true ] ; then - make -C $R/usr/src/linux ARCH=${KERNEL_ARCH} CROSS_COMPILE=${CROSS_COMPILE} menuconfig + # Start menu-driven kernel configuration 
(interactive) + if [ "$KERNEL_MENUCONFIG" = true ] ; then + make -C "$R/usr/src/linux" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" menuconfig + fi fi - fi - # Cross compile kernel and modules - make -C $R/usr/src/linux -j${KERNEL_THREADS} ARCH=${KERNEL_ARCH} CROSS_COMPILE=${CROSS_COMPILE} zImage modules dtbs + # Cross compile kernel and modules + make -C "$R/usr/src/linux" -j${KERNEL_THREADS} ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" zImage modules dtbs + fi # Check if kernel compilation was successful - if [ ! -r $R/usr/src/linux/arch/${KERNEL_ARCH}/boot/zImage ] ; then - echo "error: kernel compilation failed!" + if [ ! -r "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/zImage" ] ; then + echo "error: kernel compilation failed! (zImage not found)" cleanup exit 1 fi # Install kernel modules if [ "$ENABLE_REDUCE" = true ] ; then - make -C $R/usr/src/linux ARCH=${KERNEL_ARCH} CROSS_COMPILE=${CROSS_COMPILE} INSTALL_MOD_STRIP=1 INSTALL_MOD_PATH=../../.. modules_install + make -C "$R/usr/src/linux" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" INSTALL_MOD_STRIP=1 INSTALL_MOD_PATH=../../.. modules_install else - make -C $R/usr/src/linux ARCH=${KERNEL_ARCH} CROSS_COMPILE=${CROSS_COMPILE} INSTALL_MOD_PATH=../../.. modules_install + make -C "$R/usr/src/linux" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" INSTALL_MOD_PATH=../../.. modules_install + + # Install kernel firmware + make -C "$R/usr/src/linux" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" INSTALL_FW_PATH=../../../lib firmware_install fi # Install kernel headers if [ "$KERNEL_HEADERS" = true ] ; then - make -C $R/usr/src/linux ARCH=${KERNEL_ARCH} CROSS_COMPILE=${CROSS_COMPILE} INSTALL_HDR_PATH=../.. headers_install + make -C "$R/usr/src/linux" ARCH="${KERNEL_ARCH}" CROSS_COMPILE="${CROSS_COMPILE}" INSTALL_HDR_PATH=../.. 
headers_install fi - # Copy and rename compiled kernel to boot directory - mkdir $R/boot/firmware/ - $R/usr/src/linux/scripts/mkknlimg $R/usr/src/linux/arch/${KERNEL_ARCH}/boot/zImage $R/boot/firmware/kernel7.img + # Prepare boot (firmware) directory + mkdir "$R/boot/firmware/" + + # Get kernel release version + KERNEL_VERSION=`cat "$R/usr/src/linux/include/config/kernel.release"` + + # Copy kernel configuration file to the boot directory + cp "$R/usr/src/linux/.config" "$R/boot/config-${KERNEL_VERSION}" + + # Copy dts and dtb device tree sources and binaries + mkdir "$R/boot/firmware/overlays/" + cp "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/dts/"*.dtb "$R/boot/firmware/" + cp "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/dts/overlays/"*.dtb* "$R/boot/firmware/overlays/" + cp "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/dts/overlays/README" "$R/boot/firmware/overlays/" - # Copy dts and dtb device definitions - mkdir $R/boot/firmware/overlays/ - cp $R/usr/src/linux/arch/${KERNEL_ARCH}/boot/dts/*.dtb $R/boot/firmware/ - cp $R/usr/src/linux/arch/${KERNEL_ARCH}/boot/dts/overlays/*.dtb* $R/boot/firmware/overlays/ - cp $R/usr/src/linux/arch/${KERNEL_ARCH}/boot/dts/overlays/README $R/boot/firmware/overlays/ + # Convert kernel zImage and copy it to the boot directory + "$R/usr/src/linux/scripts/mkknlimg" "$R/usr/src/linux/arch/${KERNEL_ARCH}/boot/zImage" "$R/boot/firmware/kernel7.img" # Remove kernel sources - if [ "$KERNEL_RMSRC" = true ] ; then - rm -fr $R/usr/src/linux + if [ "$KERNEL_REMOVESRC" = true ] ; then + rm -fr "$R/usr/src/linux" fi # Install raspberry bootloader and flash-kernel packages chroot_exec apt-get -qq -y --no-install-recommends install raspberrypi-bootloader-nokernel else # BUILD_KERNEL=false # Kernel installation - chroot_exec apt-get -qq -y --no-install-recommends install linux-image-${COLLABORA_KERNEL} raspberrypi-bootloader-nokernel + chroot_exec apt-get -qq -y --no-install-recommends install linux-image-"${COLLABORA_KERNEL}" 
raspberrypi-bootloader-nokernel # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot chroot_exec apt-get -qq -y install flash-kernel VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)" [ -z "$VMLINUZ" ] && exit 1 - cp $VMLINUZ $R/boot/firmware/kernel7.img + cp "$VMLINUZ" "$R/boot/firmware/kernel7.img" fi # Setup firmware boot cmdline 
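Review bot: `git -C "$R/usr/src" clone --depth=1 https://github.com/raspberrypi/linux` builds whatever the upstream default branch points at when the build happens to run, with no tag or commit pinned and nothing recorded, so the kernel in the image is neither reproducible nor auditable afterwards; cloning a release tag with `--branch` and writing `git -C "$R/usr/src/linux" rev-parse HEAD` into the image next to `config-${KERNEL_VERSION}` would fix that. In the `BUILD_KERNEL=false` branch, `[ -z "$VMLINUZ" ] && exit 1` leaves `/proc`, `/sys` and `/dev/pts` mounted under `$R`, whereas the zImage check above calls `cleanup` first, and `ls -1 $R/boot/vmlinuz-*` is still unquoted with a lexical `sort` rather than `sort -V`. `KERNEL_VERSION=\`cat ...\`` is the one backtick substitution left in the file; `$(cat ...)` matches the rest. The `firmware_install` target added after `modules_install` no longer exists in newer kernels (removed around 4.14, as far as I recall), so this line will start failing once the unpinned clone moves past that.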
@@ -110,43 +121,43 @@ if [ "$ENABLE_IPV6" = false ] ; then fi # Install firmware boot cmdline -echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt +echo "${CMDLINE}" > "$R/boot/firmware/cmdline.txt" # Install firmware config -install_readonly files/boot/config.txt $R/boot/firmware/config.txt +install_readonly files/boot/config.txt "$R/boot/firmware/config.txt" # Setup minimal GPU memory allocation size: 16MB (no X) if [ "$ENABLE_MINGPU" = true ] ; then - echo "gpu_mem=16" >>$R/boot/firmware/config.txt + echo "gpu_mem=16" >> "$R/boot/firmware/config.txt" fi # Create firmware configuration and cmdline symlinks -ln -sf firmware/config.txt $R/boot/config.txt -ln -sf firmware/cmdline.txt $R/boot/cmdline.txt +ln -sf firmware/config.txt "$R/boot/config.txt" +ln -sf firmware/cmdline.txt "$R/boot/cmdline.txt" # Install and setup kernel modules to load at boot -mkdir -p $R/lib/modules-load.d/ -install_readonly files/modules/rpi2.conf $R/lib/modules-load.d/rpi2.conf +mkdir -p "$R/lib/modules-load.d/" +install_readonly files/modules/rpi2.conf "$R/lib/modules-load.d/rpi2.conf" # Load hardware random module at boot if [ "$ENABLE_HWRANDOM" = true ] ; then - sed -i "s/^# bcm2708_rng/bcm2708_rng/" $R/lib/modules-load.d/rpi2.conf + sed -i "s/^# bcm2708_rng/bcm2708_rng/" "$R/lib/modules-load.d/rpi2.conf" fi # Load sound module at boot if [ "$ENABLE_SOUND" = true ] ; then - sed -i "s/^# snd_bcm2835/snd_bcm2835/" $R/lib/modules-load.d/rpi2.conf + sed -i "s/^# snd_bcm2835/snd_bcm2835/" "$R/lib/modules-load.d/rpi2.conf" fi # Install kernel modules blacklist -mkdir -p $R/etc/modprobe.d/ -install_readonly files/modules/raspi-blacklist.conf $R/etc/modprobe.d/raspi-blacklist.conf +mkdir -p "$R/etc/modprobe.d/" +install_readonly files/modules/raspi-blacklist.conf "$R/etc/modprobe.d/raspi-blacklist.conf" # Install and setup fstab -install_readonly files/mount/fstab $R/etc/fstab +install_readonly files/mount/fstab "$R/etc/fstab" if [ "$ENABLE_SPLITFS" = true ] ; then - sed -i 's/mmcblk0p2/sda1/' 
$R/etc/fstab + sed -i 's/mmcblk0p2/sda1/' "$R/etc/fstab" fi # Install sysctl.d configuration files -install_readonly files/sysctl.d/81-rpi-vm.conf $R/etc/sysctl.d/81-rpi-vm.conf +install_readonly files/sysctl.d/81-rpi-vm.conf "$R/etc/sysctl.d/81-rpi-vm.conf" diff --git a/bootstrap.d/20-networking.sh b/bootstrap.d/20-networking.sh index 3216f4e..bd6e8db 100644 --- a/bootstrap.d/20-networking.sh +++ b/bootstrap.d/20-networking.sh 
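Review bot: `echo "${CMDLINE}" > "$R/boot/firmware/cmdline.txt"` is the one place in this hunk where a user-controlled value is written, and `echo` treats a leading `-n`/`-e` as options and, under dash, interprets backslash escapes; `printf '%s\n' "${CMDLINE}" > "$R/boot/firmware/cmdline.txt"` writes it verbatim. The `CMDLINE` assembly, including the `ENABLE_IPV6` branch the hunk header shows, sits above this hunk.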
@@ -6,37 +6,37 @@ . ./functions.sh
 # Install and setup hostname
-install_readonly files/network/hostname $R/etc/hostname
-sed -i "s/^rpi2-jessie/${HOSTNAME}/" $R/etc/hostname
+install_readonly files/network/hostname "$R/etc/hostname"
+sed -i "s/^rpi2-jessie/${HOSTNAME}/" "$R/etc/hostname"
 # Install and setup hosts
-install_readonly files/network/hosts $R/etc/hosts
-sed -i "s/rpi2-jessie/${HOSTNAME}/" $R/etc/hosts
+install_readonly files/network/hosts "$R/etc/hosts"
+sed -i "s/rpi2-jessie/${HOSTNAME}/" "$R/etc/hosts"
 # Setup hostname entry with static IP
 if [ "$NET_ADDRESS" != "" ] ; then
- NET_IP=$(echo ${NET_ADDRESS} | cut -f 1 -d'/')
- sed -i "s/^127.0.1.1/${NET_IP}/" $R/etc/hosts
+ NET_IP=$(echo "${NET_ADDRESS}" | cut -f 1 -d'/')
+ sed -i "s/^127.0.1.1/${NET_IP}/" "$R/etc/hosts"
 fi
 # Remove IPv6 hosts
 if [ "$ENABLE_IPV6" = false ] ; then
- sed -i -e "/::[1-9]/d" -e "/^$/d" $R/etc/hosts
+ sed -i -e "/::[1-9]/d" -e "/^$/d" "$R/etc/hosts"
 fi
 # Install hint about network configuration
-install_readonly files/network/interfaces $R/etc/network/interfaces
+install_readonly files/network/interfaces "$R/etc/network/interfaces"
 # Install configuration for interface eth0
-install_readonly files/network/eth.network $R/etc/systemd/network/eth.network
+install_readonly files/network/eth.network "$R/etc/systemd/network/eth.network"
 if [ "$ENABLE_DHCP" = true ] ; then
 # Enable DHCP configuration for interface eth0
- sed -i -e "s/DHCP=.*/DHCP=yes/" -e "/DHCP/q" $R/etc/systemd/network/eth.network
+ sed -i -e "s/DHCP=.*/DHCP=yes/" -e "/DHCP/q" "$R/etc/systemd/network/eth.network"
 # Set DHCP configuration to IPv4 only
 if [ "$ENABLE_IPV6" = false ] ; then
- sed -i "s/DHCP=.*/DHCP=v4/" $R/etc/systemd/network/eth.network
+ sed -i "s/DHCP=.*/DHCP=v4/" "$R/etc/systemd/network/eth.network"
 fi
 else # ENABLE_DHCP=false
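Review bot: `${HOSTNAME}` and `${NET_IP}` are spliced into sed replacement strings unescaped, so a value containing `/`, `&` or `\` corrupts `/etc/hostname` and `/etc/hosts` or aborts sed; validating the hostname against `^[A-Za-z0-9-]+$` before use, or writing the file directly with `printf '%s\n' "${HOSTNAME}" > "$R/etc/hostname"`, avoids it. Note also that bash sets `HOSTNAME` automatically to the build machine's name, so if the configuration does not define it (not visible here) the image silently inherits the build host's hostname; a `: "${HOSTNAME:?}"`-style check against the config would catch that. `NET_IP=$(echo "${NET_ADDRESS}" | cut -f 1 -d'/')` can be the parameter expansion `NET_IP=${NET_ADDRESS%%/*}`.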
@@ -50,23 +50,23 @@ else # ENABLE_DHCP=false
 -e "s|Domains=\$|Domains=${NET_DNS_DOMAINS}|"\
 -e "0,/NTP=\$/ s|NTP=\$|NTP=${NET_NTP_1}|"\
 -e "0,/NTP=\$/ s|NTP=\$|NTP=${NET_NTP_2}|"\
- $R/etc/systemd/network/eth.network
+ "$R/etc/systemd/network/eth.network"
 fi
 # Remove empty settings from network configuration
-sed -i "/.*=\$/d" $R/etc/systemd/network/eth.network
+sed -i "/.*=\$/d" "$R/etc/systemd/network/eth.network"
 # Enable systemd-networkd service
 chroot_exec systemctl enable systemd-networkd
 # Install host.conf resolver configuration
-install_readonly files/network/host.conf $R/etc/host.conf
+install_readonly files/network/host.conf "$R/etc/host.conf"
 # Enable network stack hardening
 if [ "$ENABLE_HARDNET" = true ] ; then
 # Install sysctl.d configuration files
- install_readonly files/sysctl.d/82-rpi-net-hardening.conf $R/etc/sysctl.d/82-rpi-net-hardening.conf
+ install_readonly files/sysctl.d/82-rpi-net-hardening.conf "$R/etc/sysctl.d/82-rpi-net-hardening.conf"
 # Setup resolver warnings about spoofed addresses
- sed -i "s/^# spoof warn/spoof warn/" $R/etc/host.conf
+ sed -i "s/^# spoof warn/spoof warn/" "$R/etc/host.conf"
 fi
diff --git a/bootstrap.d/21-firewall.sh b/bootstrap.d/21-firewall.sh
index d2316e5..247325e 100644
--- a/bootstrap.d/21-firewall.sh
+++ b/bootstrap.d/21-firewall.sh
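Review bot: The `-e` expressions at the top of this hunk use `|` as the sed delimiter while interpolating `NET_DNS_DOMAINS`, `NET_NTP_1` and `NET_NTP_2` unescaped, so a `|`, `&` or `\` in any of them breaks the expression or injects into eth.network; checking the values look like hostnames or addresses before the sed call is the cheap fix. The `else # ENABLE_DHCP=false` branch these lines belong to begins outside the hunk. `sed -i "/.*=\$/d"` then deletes every `Key=` line with an empty value, which is the intended cleanup but deserves a comment, since it would also drop a deliberately empty setting such as `DNS=`.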
@@ -10,13 +10,13 @@ if [ "$ENABLE_IPTABLES" = true ] ; then
 mkdir -p "$R/etc/iptables"
 # Install iptables systemd service
- install_readonly files/iptables/iptables.service $R/etc/systemd/system/iptables.service
+ install_readonly files/iptables/iptables.service "$R/etc/systemd/system/iptables.service"
 # Install flush-table script called by iptables service
- install_exec files/iptables/flush-iptables.sh $R/etc/iptables/flush-iptables.sh
+ install_exec files/iptables/flush-iptables.sh "$R/etc/iptables/flush-iptables.sh"
 # Install iptables rule file
- install_readonly files/iptables/iptables.rules $R/etc/iptables/iptables.rules
+ install_readonly files/iptables/iptables.rules "$R/etc/iptables/iptables.rules"
 # Reload systemd configuration and enable iptables service
 chroot_exec systemctl daemon-reload
@@ -24,12 +24,12 @@ if [ "$ENABLE_IPTABLES" = true ] ; then
 if [ "$ENABLE_IPV6" = true ] ; then
 # Install ip6tables systemd service
- install_readonly files/iptables/ip6tables.service $R/etc/systemd/system/ip6tables.service
+ install_readonly files/iptables/ip6tables.service "$R/etc/systemd/system/ip6tables.service"
 # Install ip6tables file
- install_exec files/iptables/flush-ip6tables.sh $R/etc/iptables/flush-ip6tables.sh
+ install_exec files/iptables/flush-ip6tables.sh "$R/etc/iptables/flush-ip6tables.sh"
- install_readonly files/iptables/ip6tables.rules $R/etc/iptables/ip6tables.rules
+ install_readonly files/iptables/ip6tables.rules "$R/etc/iptables/ip6tables.rules"
 # Reload systemd configuration and enable iptables service
 chroot_exec systemctl daemon-reload
@@ -39,6 +39,6 @@ fi
 if [ "$ENABLE_SSHD" = false ] ; then
 # Remove SSHD related iptables rules
- sed -i "/^#/! {/SSH/ s/^/# /}" $R/etc/iptables/iptables.rules 2> /dev/null
- sed -i "/^#/! {/SSH/ s/^/# /}" $R/etc/iptables/ip6tables.rules 2> /dev/null
+ sed -i "/^#/! {/SSH/ s/^/# /}" "$R/etc/iptables/iptables.rules" 2> /dev/null
+ sed -i "/^#/! {/SSH/ s/^/# /}" "$R/etc/iptables/ip6tables.rules" 2> /dev/null
 fi
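Review bot: Both `sed -i` calls in the `ENABLE_SSHD=false` hunk discard stderr, presumably to cover the case where `ENABLE_IPTABLES=false` and the rule files were never installed, but that also hides real failures such as a bad expression or an unwritable file; testing for the file is clearer: `[ -f "$R/etc/iptables/iptables.rules" ] && sed -i "/^#/! {/SSH/ s/^/# /}" "$R/etc/iptables/iptables.rules"`. The pattern comments out every non-comment line containing `SSH`, which presumes `files/iptables/iptables.rules` tags its SSH rules that way; a comment stating that contract would protect it from an innocent edit of the rules file.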
diff --git a/bootstrap.d/30-security.sh b/bootstrap.d/30-security.sh
index 2bdacd9..a07719d 100644
--- a/bootstrap.d/30-security.sh
+++ b/bootstrap.d/30-security.sh
@@ -6,7 +6,7 @@ . ./functions.sh
 # Generate crypt(3) password string
-ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}`
+ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 "${PASSWORD}"`
 # Setup default user
 if [ "$ENABLE_USER" = true ] ; then
@@ -19,7 +19,7 @@ if [ "$ENABLE_ROOT" = true ] ; then
 chroot_exec usermod -p "${ENCRYPTED_PASSWORD}" root
 if [ "$ENABLE_ROOT_SSH" = true ] ; then
- sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin yes|g" $R/etc/ssh/sshd_config
+ sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin yes|g" "$R/etc/ssh/sshd_config"
 fi
 else
 # Set no root password to disable root login
diff --git a/bootstrap.d/31-logging.sh b/bootstrap.d/31-logging.sh
index 740161b..00a9f86 100644
--- a/bootstrap.d/31-logging.sh
+++ b/bootstrap.d/31-logging.sh
@@ -7,7 +7,7 @@
 # Disable rsyslog
 if [ "$ENABLE_RSYSLOG" = false ] ; then
- sed -i "s|[#]*ForwardToSyslog=yes|ForwardToSyslog=no|g" $R/etc/systemd/journald.conf
+ sed -i "s|[#]*ForwardToSyslog=yes|ForwardToSyslog=no|g" "$R/etc/systemd/journald.conf"
 chroot_exec systemctl disable rsyslog
 chroot_exec apt-get -qq -y --force-yes purge rsyslog
 fi
diff --git a/bootstrap.d/41-uboot.sh b/bootstrap.d/41-uboot.sh
index 4968bdd..d3f13b9 100644
--- a/bootstrap.d/41-uboot.sh
+++ b/bootstrap.d/41-uboot.sh
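Review bot: `mkpasswd -m sha-512 "${PASSWORD}"` still passes the cleartext password as a command-line argument, so it is visible to every user on the build host via `ps` or `/proc/*/cmdline` for the duration of the call and ends up in any `set -x` trace; feed it on stdin instead: `ENCRYPTED_PASSWORD=$(printf '%s\n' "${PASSWORD}" | mkpasswd -m sha-512 -s)`. That also replaces the backticks with `$( )`, in line with the rest of the commit. The user and root setup that consume the hash continue below this hunk.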
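Review bot: `PermitRootLogin yes` enables password-based root login over SSH, and the hash set on root two lines earlier is the shared `ENCRYPTED_PASSWORD`, so the same credential appears to guard both root and the default user (the user branch is outside this hunk). If `ENABLE_ROOT_SSH` is meant to allow remote root at all, `PermitRootLogin prohibit-password` (key-only) is the safer value, and a comment above the sed stating that `yes` also permits password logins would help whoever flips the option. The `[#]*PermitRootLogin.*` pattern with `g` rewrites every matching line, commented or not, which is the intent for the stock sshd_config but worth saying.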
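Review bot: `chroot_exec apt-get -qq -y --force-yes purge rsyslog` keeps `--force-yes`, which is not needed to purge an installed package and, on apt 1.1 and later, is deprecated in favour of the narrower `--allow-*` options because it also waives authentication and downgrade checks; `chroot_exec apt-get -qq -y purge rsyslog` is enough. The sed only rewrites a line that literally reads `ForwardToSyslog=yes` (optionally commented); if the shipped journald.conf carries a different default nothing changes, so a drop-in under `/etc/systemd/journald.conf.d/` would be more robust than editing the stock file.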
@@ -13,19 +13,19 @@ fi
 # Fetch and build U-Boot bootloader
 if [ "$ENABLE_UBOOT" = true ] ; then
 # Fetch U-Boot bootloader sources
- git -C $R/tmp clone git://git.denx.de/u-boot.git
+ git -C "$R/tmp" clone git://git.denx.de/u-boot.git
 # Build and install U-Boot inside chroot
 chroot_exec make -C /tmp/u-boot/ rpi_2_defconfig all
 # Copy compiled bootloader binary and set config.txt to load it
- cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/
- printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> $R/boot/firmware/config.txt
+ cp "$R/tmp/u-boot/u-boot.bin" "$R/boot/firmware/"
+ printf "\n# boot u-boot kernel\nkernel=u-boot.bin\n" >> "$R/boot/firmware/config.txt"
 # Install and setup U-Boot command file
- install_readonly files/boot/uboot.mkimage $R/boot/firmware/uboot.mkimage
- printf "# Set the kernel boot command line\nsetenv bootargs \"earlyprintk ${CMDLINE}\"\n\n$(cat $R/boot/firmware/uboot.mkimage)" > $R/boot/firmware/uboot.mkimage
+ install_readonly files/boot/uboot.mkimage "$R/boot/firmware/uboot.mkimage"
+ printf "# Set the kernel boot command line\nsetenv bootargs \"earlyprintk ${CMDLINE}\"\n\n$(cat $R/boot/firmware/uboot.mkimage)" > "$R/boot/firmware/uboot.mkimage"
 # Generate U-Boot bootloader image
- chroot_exec /tmp/u-boot/tools/mkimage -A ${KERNEL_ARCH} -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n RPi2 -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
+ chroot_exec /tmp/u-boot/tools/mkimage -A "${KERNEL_ARCH}" -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n RPi2 -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr
 fi
diff --git a/bootstrap.d/42-fbturbo.sh b/bootstrap.d/42-fbturbo.sh
index c02b38f..ca6b2fb 100644
--- a/bootstrap.d/42-fbturbo.sh
+++ b/bootstrap.d/42-fbturbo.sh
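Review bot: The U-Boot sources are still fetched over the unauthenticated `git://` protocol with no tag or commit pinned, so the bootloader compiled into the image is whatever an on-path party or the upstream tip happens to serve at build time; the same repository should be cloned over https, pinned to a release tag with `--branch`, and the checked-out commit recorded. Separately, the `printf "... ${CMDLINE} ... $(cat $R/boot/firmware/uboot.mkimage)"` line uses interpolated data as the printf format string, so any `%` in `CMDLINE` or in uboot.mkimage is interpreted as a conversion, and `$R` inside the command substitution is still unquoted; pass the data as arguments instead: `printf '# Set the kernel boot command line\nsetenv bootargs "earlyprintk %s"\n\n%s' "${CMDLINE}" "$(cat "$R/boot/firmware/uboot.mkimage")" > "$R/boot/firmware/uboot.mkimage"`.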
@@ -7,7 +7,7 @@
 if [ "$ENABLE_FBTURBO" = true ] ; then
 # Fetch fbturbo driver sources
- git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git
+ git -C "$R/tmp" clone https://github.com/ssvb/xf86-video-fbturbo.git
 # Install Xorg build dependencies
 chroot_exec apt-get -q -y --no-install-recommends install xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
@@ -22,7 +22,7 @@ make install
 EOF
 # Install fbturbo driver Xorg configuration
- install_readonly files/xorg/99-fbturbo.conf $R/usr/share/X11/xorg.conf.d/99-fbturbo.conf
+ install_readonly files/xorg/99-fbturbo.conf "$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf"
 # Remove Xorg build dependencies
 chroot_exec apt-get -qq -y --auto-remove purge xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev
diff --git a/bootstrap.d/50-firstboot.sh b/bootstrap.d/50-firstboot.sh
index f3deb18..4892c4b 100644
--- a/bootstrap.d/50-firstboot.sh
+++ b/bootstrap.d/50-firstboot.sh
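Review bot: `git -C "$R/tmp" clone https://github.com/ssvb/xf86-video-fbturbo.git` pulls the default branch at build time with no tag or commit pinned, and the driver is then built and installed into the image as root (the `make install` the second hunk's header shows), so what lands in the image cannot be reviewed after the fact; pin a tag with `--branch` (or `git checkout <commit>` after the clone) and record the commit. The build dependencies are purged afterwards with `--auto-remove`, but this hunk does not show whether the clone under `$R/tmp` is removed too; if it is not, it ships in the image.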
@@ -6,30 +6,30 @@ . ./functions.sh # Prepare rc.firstboot script -cat files/firstboot/10-begin.sh > $R/etc/rc.firstboot +cat files/firstboot/10-begin.sh > "$R/etc/rc.firstboot" # Ensure openssh server host keys are regenerated on first boot if [ "$ENABLE_SSHD" = true ] ; then - cat files/firstboot/21-generate-ssh-keys.sh >> $R/etc/rc.firstboot - rm -f $R/etc/ssh/ssh_host_* + cat files/firstboot/21-generate-ssh-keys.sh >> "$R/etc/rc.firstboot" + rm -f "$R/etc/ssh/ssh_host_*" fi # Prepare filesystem auto expand if [ "$EXPANDROOT" = true ] ; then - cat files/firstboot/22-expandroot.sh >> $R/etc/rc.firstboot + cat files/firstboot/22-expandroot.sh >> "$R/etc/rc.firstboot" fi # Ensure that dbus machine-id exists -cat files/firstboot/23-generate-machineid.sh >> $R/etc/rc.firstboot +cat files/firstboot/23-generate-machineid.sh >> "$R/etc/rc.firstboot" # Create /etc/resolv.conf symlink -cat files/firstboot/24-create-resolv-symlink.sh >> $R/etc/rc.firstboot +cat files/firstboot/24-create-resolv-symlink.sh >> "$R/etc/rc.firstboot" # Finalize rc.firstboot script -cat files/firstboot/99-finish.sh >> $R/etc/rc.firstboot -chmod +x $R/etc/rc.firstboot +cat files/firstboot/99-finish.sh >> "$R/etc/rc.firstboot" +chmod +x "$R/etc/rc.firstboot" # Add rc.firstboot script to rc.local -sed -i '/exit 0/d' $R/etc/rc.local -echo /etc/rc.firstboot >> $R/etc/rc.local -echo exit 0 >> $R/etc/rc.local +sed -i '/exit 0/d' "$R/etc/rc.local" +echo /etc/rc.firstboot >> "$R/etc/rc.local" +echo exit 0 >> "$R/etc/rc.local" |
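Review bot: `rm -f "$R/etc/ssh/ssh_host_*"` quotes the glob, so it no longer expands and the build-time SSH host keys are left in the image; every image built from this script then ships identical host keys unless `files/firstboot/21-generate-ssh-keys.sh` (not visible here) unconditionally regenerates them on first boot. The quoting has to stop before the wildcard: `rm -f "$R"/etc/ssh/ssh_host_*`. Separately, `sed -i '/exit 0/d'` deletes every line of rc.local containing `exit 0`, including a commented one; anchoring it as `sed -i '/^exit 0$/d'` is safer.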