author | Sven Gothel <[email protected]> | 2021-07-04 02:11:58 +0200 |
---|---|---|
committer | Sven Gothel <[email protected]> | 2021-07-04 02:11:58 +0200 |
commit | 0ea47789ea7e119df958a8a7d248e5e1db79bc31 (patch) | |
tree | ebea071ecbdfd1355302a6f2ad29d90381452b77 | |
parent | a1b92c358f57038ea3f13950e3afdfbae5b408e9 (diff) |
ROOTFS_RO: Have stage2 consider read-only or mutable rootfs (see README.md)
Additionally, we have CUSTOM_IOT as well, which might be a little dirty ..
-rw-r--r-- | README.md | 20 | ||||
-rwxr-xr-x | stage2/01-sys-tweaks/01-run.sh | 124 | ||||
-rwxr-xr-x | stage2/01-sys-tweaks/files/boot/config-rootfs_ro.txt (renamed from stage2/01-sys-tweaks/files/boot/config.txt) | 0 | ||||
-rwxr-xr-x | stage2/01-sys-tweaks/files/boot/config-rootfs_rw.txt | 124 | ||||
-rwxr-xr-x | stage2/01-sys-tweaks/files/boot/sys_arm64_000/cmdline-rootfs_ro.txt (renamed from stage2/01-sys-tweaks/files/boot/sys_arm64_000/cmdline.txt) | 0 | ||||
-rwxr-xr-x | stage2/01-sys-tweaks/files/boot/sys_arm64_000/cmdline-rootfs_rw.txt | 1 | ||||
-rw-r--r-- | stage2/01-sys-tweaks/files/fstab-rootfs_ro | 3 |
7 files changed, 215 insertions, 57 deletions
@@ -55,15 +55,29 @@ The following environment variables are supported: * `ROOTFS_RO` (Default: unset) - If set to one, i.e. `ROOTFS_RO=1`, the root filesystem will be set read-only - and a `tmpfs` creating containing the `overlayfs` mutable storage for + If set to one, i.e. `ROOTFS_RO=1`, the root filesystem will be set read-only, + an `initramfs` is used to load it via `loopfs` + and a `tmpfs` created at boot containing the `overlayfs` mutable storage for ``` /etc /home /var + /srv ``` - Note that the `/srv` mapping has been excluded here! + + Further all `apt-daily` systemd tasks are disabled, + the ssh host keys are retained while `regenerate_ssh_host_keys` is disabled + and the final `/boot/config.txt` has `splash` disabled (no rainbow). +* `CUSTOM_IOT` (Default: unset) + + If set to one, i.e. `CUSTOM_IOT=1`, certain embedded low footprint settings + will be applied, e.g.: + ``` + - systemctl disable bluetooth + - systemctl mask bluetooth + - loading module i2c-bcm2708 + ``` * `BASE_QCOW2_SIZE` (Default: 15200M)
diff --git a/stage2/01-sys-tweaks/01-run.sh b/stage2/01-sys-tweaks/01-run.sh
index c4c31f2..77d768d 100755
--- a/stage2/01-sys-tweaks/01-run.sh
+++ b/stage2/01-sys-tweaks/01-run.sh
@@ -1,5 +1,8 @@
 #!/bin/bash -e
+if [ "${ROOTFS_RO}" = "1" ] ; then
+ install -v -m 644 files/fstab-rootfs_ro "${ROOTFS_DIR}/etc/fstab"
+fi
 install -m 644 files/overlay_mount.service "${ROOTFS_DIR}/lib/systemd/system/"
 install -m 755 files/overlay_mount "${ROOTFS_DIR}/etc/init.d/"
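Review bot: The new guard `[ "${ROOTFS_RO}" = "1" ]` is the first of six copies of the same test in this file and none of them validates the value, so `ROOTFS_RO=true` or `ROOTFS_RO=yes` silently produces the read-write image — the less hardened variant — instead of failing the build. I'd normalise the switch once at the top of the script, e.g. `case "${ROOTFS_RO:-0}" in 0|1) ;; *) echo "ROOTFS_RO must be 0 or 1" >&2; exit 1 ;; esac`, and do the same for `CUSTOM_IOT`. The `install -v` here is also the only verbose `install` in the file; drop the `-v` for consistency with the two lines below it. `files/fstab-rootfs_ro` still carries `BOOTDEV`/`ROOTDEV` placeholders, so this only works if a later stage substitutes them as it presumably does for `cmdline.txt`; a one-line comment at the install saying so would save the next reader the search.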
@@ -39,27 +42,22 @@ on_chroot << EOF
 else
 systemctl disable ssh
 fi
- systemctl enable regenerate_ssh_host_keys
-
- #mkdir -p /data/overlay_a
- #cd /data/overlay_a
- #mkdir -p etc/upper etc/work home/upper home/work srv/upper srv/work tmp/upper tmp/work var/upper var/work
- #
- #mkdir -p /data/overlay_b
- #cd /data/overlay_b
- #mkdir -p etc/upper etc/work home/upper home/work srv/upper srv/work tmp/upper tmp/work var/upper var/work
- #
- #cd /data
- #ln -s overlay_a overlay
- #
-
- sed -i -e 's/^D \/tmp/#D \/tmp/g' /usr/lib/tmpfiles.d/tmp.conf
+ if [ "${ROOTFS_RO}" = "1" ] ; then
+ systemctl disable regenerate_ssh_host_keys
+ systemctl mask regenerate_ssh_host_keys
+ else
+ systemctl enable regenerate_ssh_host_keys
+ fi
- systemctl unmask overlay_mount
- systemctl enable overlay_mount
+ if [ "${ROOTFS_RO}" = "1" ] ; then
+ sed -i -e 's/^D \/tmp/#D \/tmp/g' /usr/lib/tmpfiles.d/tmp.conf
- #systemctl disable overlay_mount
- #systemctl mask overlay_mount
+ systemctl unmask overlay_mount
+ systemctl enable overlay_mount
+ else
+ systemctl disable overlay_mount
+ systemctl mask overlay_mount
+ fi
 # Setup unique system folder /boot/sys_arm64_000
 mkdir -p /boot/sys_arm64_000
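Review bot: The two back-to-back `if [ "${ROOTFS_RO}" = "1" ]` blocks added here (the `regenerate_ssh_host_keys` one and the `tmp.conf`/`overlay_mount` one) test the same condition and would read better as a single if/else, which also puts the whole read-only-vs-mutable behaviour of this section in one place. Because this is inside the `on_chroot << EOF` heredoc that opens above the hunk, `${ROOTFS_RO}` is expanded by the build host before the text reaches the chroot (the escaped `\$(...)` later in the file shows the contrast); that is correct but non-obvious, so a comment like `# ROOTFS_RO is expanded on the build host, not inside the chroot` would help. The `else` branch runs `systemctl enable regenerate_ssh_host_keys` without an `unmask`, which fails if the stage is re-run on a rootfs that was previously built with `ROOTFS_RO=1` — whether such re-runs happen depends on the pi-gen work-dir handling, which I cannot see here.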
@@ -85,46 +83,60 @@ on_chroot << EOF
 fi
 done
- systemctl disable resize2fs_once
- systemctl mask resize2fs_once
+ if [ "${ROOTFS_RO}" = "1" ] ; then
+ systemctl disable resize2fs_once
+ systemctl mask resize2fs_once
- systemctl disable apt-daily
- systemctl mask apt-daily
- systemctl disable apt-daily.timer
- systemctl mask apt-daily.timer
- systemctl disable apt-daily-upgrade.timer
- systemctl mask apt-daily-upgrade.timer
+ systemctl disable apt-daily
+ systemctl mask apt-daily
+ systemctl disable apt-daily.timer
+ systemctl mask apt-daily.timer
+ systemctl disable apt-daily-upgrade.timer
+ systemctl mask apt-daily-upgrade.timer
- systemctl disable logrotate.timer
- systemctl mask logrotate.time
- systemctl disable man-db.timer
- systemctl mask man-db.timer
+ systemctl disable logrotate.timer
+ systemctl mask logrotate.time
+ systemctl disable man-db.timer
+ systemctl mask man-db.timer
- systemctl disable bluetooth
- systemctl mask bluetooth
+ sed -i -e 's/#Storage=auto/Storage=volatile/g;s/#Compress=yes/Compress=yes/g;s/#RuntimeMaxUse=/RuntimeMaxUse=1M/g;s/#ForwardToSyslog=yes/ForwardToSyslog=no/g;s/#ForwardToWall=yes/ForwardToWall=no/g' /etc/systemd/journald.conf
- sed -i -e 's/#Storage=auto/Storage=volatile/g;s/#Compress=yes/Compress=yes/g;s/#RuntimeMaxUse=/RuntimeMaxUse=1M/g;s/#ForwardToSyslog=yes/ForwardToSyslog=no/g;s/#ForwardToWall=yes/ForwardToWall=no/g' /etc/systemd/journald.conf
+ sed -i -e 's/MODULES=most/MODULES=dep/g;s/BUSYBOX=auto/BUSYBOX=y/g' /etc/initramfs-tools/initramfs.conf
- sed -i -e 's/MODULES=most/MODULES=dep/g;s/BUSYBOX=auto/BUSYBOX=y/g' /etc/initramfs-tools/initramfs.conf
-
- echo "squashfs" >> /etc/modules
- echo "i2c-bcm2708" >> /etc/modules
- # echo "i2c-dev" >> /etc/modules
- # echo "rtc-ds1307" >> /etc/modules
+ echo "squashfs" >> /etc/modules
+ echo "squashfs" >> /etc/initramfs-tools/modules
+ else
+ systemctl enable resize2fs_once
+ fi
- echo "squashfs" >> /etc/initramfs-tools/modules
- echo "i2c-bcm2708" >> 
/etc/initramfs-tools/modules
- # echo "i2c-dev" >> /etc/initramfs-tools/modules
- # echo "rtc-ds1307" >> /etc/initramfs-tools/modules
-EOF
+ if [ "${CUSTOM_IOT}" = "1" ] ; then
+ systemctl disable bluetooth
+ systemctl mask bluetooth
-install -m 644 files/boot/sys_arm64_000/cmdline.txt "${ROOTFS_DIR}/boot/sys_arm64_000/"
+ echo "i2c-bcm2708" >> /etc/modules
+ # echo "i2c-dev" >> /etc/modules
+ # echo "rtc-ds1307" >> /etc/modules
-install -m 644 files/boot/config.txt "${ROOTFS_DIR}/boot/"
-install -m 644 files/boot/config.txt "${ROOTFS_DIR}/boot/sys_arm64_000/"
+ if [ "${ROOTFS_RO}" = "1" ] ; then
+ echo "i2c-bcm2708" >> /etc/initramfs-tools/modules
+ # echo "i2c-dev" >> /etc/initramfs-tools/modules
+ # echo "rtc-ds1307" >> /etc/initramfs-tools/modules
+ fi
+ fi
+EOF
-install -m 755 files/initramfs/loop_rootfs "${ROOTFS_DIR}/etc/initramfs-tools/scripts/init-premount/"
-install -m 755 files/initramfs/fsck_custom "${ROOTFS_DIR}/etc/initramfs-tools/hooks/"
+if [ "${ROOTFS_RO}" = "1" ] ; then
+ install -m 644 files/boot/config-rootfs_ro.txt "${ROOTFS_DIR}/boot/"
+ install -m 644 files/boot/config-rootfs_ro.txt "${ROOTFS_DIR}/boot/sys_arm64_000/"
+ install -m 644 files/boot/sys_arm64_000/cmdline-rootfs_ro.txt "${ROOTFS_DIR}/boot/sys_arm64_000/cmdline.txt"
+
+ install -m 755 files/initramfs/loop_rootfs "${ROOTFS_DIR}/etc/initramfs-tools/scripts/init-premount/"
+ install -m 755 files/initramfs/fsck_custom "${ROOTFS_DIR}/etc/initramfs-tools/hooks/"
+else
+ install -m 644 files/boot/config-rootfs_rw.txt "${ROOTFS_DIR}/boot/"
+ install -m 644 files/boot/config-rootfs_rw.txt "${ROOTFS_DIR}/boot/sys_arm64_000/"
+ install -m 644 files/boot/sys_arm64_000/cmdline-rootfs_rw.txt "${ROOTFS_DIR}/boot/sys_arm64_000/cmdline.txt"
+fi
 if [ "${USE_QEMU}" = "1" ]; then
 echo "enter QEMU mode"
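Review bot: `systemctl mask logrotate.time` in the new read-only branch masks a unit name that does not exist — the line above it disables `logrotate.timer` — so it only drops a stray `/etc/systemd/system/logrotate.time` symlink and `logrotate.timer` stays merely disabled, not masked; the typo predates this commit but the hunk re-indents the line onto the new side, so fix it here to `systemctl mask logrotate.timer`. The `echo "squashfs" >> /etc/modules`, `>> /etc/initramfs-tools/modules` and the `i2c-bcm2708` appends are unconditional, so a stage re-run on an existing rootfs duplicates the entries; `grep -qx squashfs /etc/modules || echo squashfs >> /etc/modules` keeps them idempotent. This is all inside the `on_chroot << EOF` heredoc that opens before the hunk; the heredoc is closed by the `+EOF` added in this hunk, after which the `install` lines run on the build host.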
@@ -143,10 +155,14 @@ on_chroot <<EOF
 setupcon --force --save-only -v
 usermod --pass='*' root
- KVERSION=\$(ls /lib/modules/ | tail -n 1)
- echo "mkinitramfs for kernel version: \${KVERSION}"
- /usr/sbin/mkinitramfs -o /boot/sys_arm64_000/initrd.img \${KVERSION}
+ if [ "${ROOTFS_RO}" = "1" ] ; then
+ KVERSION=\$(ls /lib/modules/ | tail -n 1)
+ echo "mkinitramfs for kernel version: \${KVERSION}"
+ /usr/sbin/mkinitramfs -o /boot/sys_arm64_000/initrd.img \${KVERSION}
+ fi
 EOF
-rm -f "${ROOTFS_DIR}/etc/ssh/"ssh_host_*_key*
+if [ "${ROOTFS_RO}" != "1" ] ; then
+ rm -f "${ROOTFS_DIR}/etc/ssh/"ssh_host_*_key*
+fi
diff --git a/stage2/01-sys-tweaks/files/boot/config.txt b/stage2/01-sys-tweaks/files/boot/config-rootfs_ro.txt
index 98caa17..98caa17 100755
--- a/stage2/01-sys-tweaks/files/boot/config.txt
+++ b/stage2/01-sys-tweaks/files/boot/config-rootfs_ro.txt
diff --git a/stage2/01-sys-tweaks/files/boot/config-rootfs_rw.txt b/stage2/01-sys-tweaks/files/boot/config-rootfs_rw.txt
new file mode 100755
index 0000000..f4fec02
--- /dev/null
+++ b/stage2/01-sys-tweaks/files/boot/config-rootfs_rw.txt
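Review bot: With `ROOTFS_RO=1` the `rm -f "${ROOTFS_DIR}/etc/ssh/"ssh_host_*_key*` is now skipped, so the host keys generated during the build ship inside the image; combined with `regenerate_ssh_host_keys` being masked earlier in this file, every device flashed from the image shares one SSH host identity, and anyone who obtains the image file holds those private keys and can impersonate or MITM all of them. I'd keep deleting the keys at build time and have first boot generate per-device keys into persistent storage — the README maps `/etc` to the tmpfs overlay, so a writable `HostKey` path outside it (a data partition, presumably, TODO confirm) would be needed — or at minimum add a comment here, e.g. `# ROOTFS_RO: host keys are baked into the image and shared by every device built from it`, and say the same next to the README sentence that calls the keys "retained". Separately, `KVERSION=\$(ls /lib/modules/ | tail -n 1)` picks the lexicographically last directory, which with more than one installed kernel is not necessarily the version the firmware boots; `ls -v` (version sort) is the minimal fix. The `on_chroot <<EOF` heredoc containing the mkinitramfs lines opens before the hunk.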
@@ -0,0 +1,124 @@
+# For more options and information see
+# http://rpf.io/configtxt
+# Some settings may impact device functionality. See link above for details
+
+[all]
+disable_splash=0
+
+# Prepended to the name of any operating system files loaded by the firmware:
+# kernels, initramfs, cmdline.txt, .dtb files and the overlays folder with .dtbo files.
+os_prefix=sys_arm64_000/
+
+# initramfs initrd.img followkernel
+
+#[pi3]
+#start_file=system_rpi_arm64_a/start_x.elf
+#fixup_file=system_rpi_arm64_a/fixup_x.dat
+#
+#[pi4]
+#start_file=system_rpi_arm64_a/start4x.elf
+#fixup_file=system_rpi_arm64_a/fixup4x.dat
+
+[all]
+# uncomment if you get no picture on HDMI for a default "safe" mode
+#hdmi_safe=1
+
+# uncomment this if your display has a black border of unused pixels visible
+# and your display can output without overscan
+disable_overscan=1
+
+# uncomment the following to adjust overscan. Use positive numbers if console
+# goes off screen, and negative if there is too much border
+#overscan_left=16
+#overscan_right=16
+#overscan_top=16
+#overscan_bottom=16
+
+# uncomment to force a console size. By default it will be display's size minus
+# overscan.
+#framebuffer_width=1280
+#framebuffer_height=720
+
+# uncomment if hdmi display is not detected and composite is being output
+#hdmi_force_hotplug=1
+
+# uncomment to force a specific HDMI mode (this will force VGA)
+#hdmi_group=1
+#hdmi_mode=1
+
+# uncomment to force a HDMI mode rather than DVI. This can make audio work in
+# DMT (computer monitor) modes
+#hdmi_drive=2
+
+# uncomment to increase signal to HDMI, if you have interference, blanking, or
+# no display
+#config_hdmi_boost=4
+
+# uncomment for composite PAL
+#sdtv_mode=2
+
+#uncomment to overclock the arm. 700 MHz is the default.
+#arm_freq=800
+
+# Uncomment some or all of these to enable the optional hardware interfaces
+#dtparam=i2c_arm=on
+#dtparam=i2c_arm=off,i2s=on,spi=on
+#dtparam=i2s=on
+#dtparam=spi=on
+
+# Uncomment this to enable infrared communication.
+#dtoverlay=gpio-ir,gpio_pin=17
+#dtoverlay=gpio-ir-tx,gpio_pin=18
+
+# Uncomment this to enable the lirc-rpi module
+#dtoverlay=lirc-rpi
+
+# Additional overlays and parameters are documented /boot/overlays/README
+
+# Enable audio (loads snd_bcm2835)
+#dtparam=audio=on
+
+# Merged Zafena settings (old pi-gen, newer zaf502 machine and my current raspi3/4 machines)
+
+# Tunes the bcm2835-sdhost SD/MMC DMA driver
+# Also available kernel cmdline:
+# 'bcm2835_mmc.mmc_debug=0x1000' -> Forcing PIO mode
+# 'bcm2835_mmc.mmc_debug=0x2000' -> DMA channels allocated
+# See https://github.com/raspberrypi/firmware/issues/397#issuecomment-94574578
+
+# Turns off the bcm2835-sdhost SD/MMC DMA mode, enforces PIO mode
+dtoverlay=sdtweak,force_pio=1
+#dtparam=sd_force_pio=on
+
+#dtparam=i2s=on
+#dtparam=spi=on
+#dtoverlay=zafena-rpi
+#dtoverlay=rpi-dac
+
+## Zafena config 2
+#enable_uart=1
+#core_freq=250
+#dtoverlay=miniuart-bt,krnbt=on
+
+## Zafena config 0 (hciattach on)
+#enable_uart=1
+#dtoverlay=pi3-miniuart-bt
+#core_freq=250
+
+# Zafena config 3 (hciattach on)
+enable_uart=1
+core_freq=250
+
+arm_64bit=1
+
+#gpu_mem=128
+gpu_mem=64
+
+[all]
+# Enable DRM VC4 V3D driver on top of the dispmanx display stack
+dtoverlay=vc4-fkms-v3d
+
+[pi4]
+# Also have two framebuffer
+max_framebuffers=2
+
diff --git a/stage2/01-sys-tweaks/files/boot/sys_arm64_000/cmdline.txt b/stage2/01-sys-tweaks/files/boot/sys_arm64_000/cmdline-rootfs_ro.txt
index c98203a..c98203a 100755
--- a/stage2/01-sys-tweaks/files/boot/sys_arm64_000/cmdline.txt
+++ b/stage2/01-sys-tweaks/files/boot/sys_arm64_000/cmdline-rootfs_ro.txt
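Review bot: The new `config-rootfs_rw.txt` ends inside the `[pi4]` filter (`[pi4]` / `max_framebuffers=2`), and config.txt filters stay in force until the next one, so anything a user or a later build step appends to this file silently applies to Pi 4 only; closing the file with a final `[all]` line avoids that trap. `enable_uart=1` under "Zafena config 3 (hciattach on)" turns the header UART on; the companion `cmdline-rootfs_rw.txt` only sets `console=tty3`, so no kernel console lands on it, but a comment such as `# UART is for hciattach/Bluetooth, not a serial console — keep console= off serial0 and no serial getty` would make that intent explicit for whoever next touches either file. The commit message names `splash` as the rw/ro difference; the ro file is a pure rename here so I cannot compare contents, but if the two files otherwise match, patching `disable_splash` in `01-run.sh` would avoid maintaining two 124-line copies.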
diff --git a/stage2/01-sys-tweaks/files/boot/sys_arm64_000/cmdline-rootfs_rw.txt b/stage2/01-sys-tweaks/files/boot/sys_arm64_000/cmdline-rootfs_rw.txt
new file mode 100755
index 0000000..79ccf3b
--- /dev/null
+++ b/stage2/01-sys-tweaks/files/boot/sys_arm64_000/cmdline-rootfs_rw.txt
@@ -0,0 +1 @@
+dwc_otg.lpm_enable=0 console=tty3 root=ROOTDEV rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait
diff --git a/stage2/01-sys-tweaks/files/fstab-rootfs_ro b/stage2/01-sys-tweaks/files/fstab-rootfs_ro
new file mode 100644
index 0000000..9ea3a56
--- /dev/null
+++ b/stage2/01-sys-tweaks/files/fstab-rootfs_ro
@@ -0,0 +1,3 @@
+proc /proc proc defaults 0 0
+BOOTDEV /boot vfat defaults 0 2
+ROOTDEV / ext4 defaults,noatime,ro,errors=remount-ro 0 0 |
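Review bot: `elevator=deadline` in the new `cmdline-rootfs_rw.txt` is a legacy block-layer parameter that multi-queue kernels (5.x, which current Raspberry Pi OS ships) ignore with a boot-time warning, so the line can drop it or the scheduler can be set with a udev rule selecting `mq-deadline`. `ROOTDEV` is left as a placeholder, presumably substituted by the export stage as in upstream pi-gen; since cmdline.txt cannot carry a comment, the README is the place to list the placeholders this file and `fstab-rootfs_ro` rely on.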
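Review bot: `BOOTDEV /boot vfat defaults 0 2` mounts the boot partition read-write even though this fstab exists to make the system read-only, and `/boot` is exactly where the kernel, `initrd.img`, `config.txt` and `cmdline.txt` that define the read-only setup live — so a root-level compromise, or simply a stray write, can still persist across reboots by editing those files. I'd mount it `BOOTDEV /boot vfat defaults,ro 0 2` and remount rw only for a deliberate update, with a comment in the file such as `# /boot is ro on purpose; 'mount -o remount,rw /boot' before updating kernel/initrd/config` so the decision stays visible. `errors=remount-ro` on a root that is already `ro` is harmless but redundant and can go.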