authorSven Gothel <[email protected]>2021-07-04 02:11:58 +0200
committerSven Gothel <[email protected]>2021-07-04 02:11:58 +0200
commit0ea47789ea7e119df958a8a7d248e5e1db79bc31 (patch)
treeebea071ecbdfd1355302a6f2ad29d90381452b77
parenta1b92c358f57038ea3f13950e3afdfbae5b408e9 (diff)
ROOTFS_RO: Have stage2 consider read-only or mutable rootfs (see README.md)
Additionally, we have CUSTOM_IOT as well, which might be a little dirty ..
-rw-r--r--README.md20
-rwxr-xr-xstage2/01-sys-tweaks/01-run.sh124
-rwxr-xr-xstage2/01-sys-tweaks/files/boot/config-rootfs_ro.txt (renamed from stage2/01-sys-tweaks/files/boot/config.txt)0
-rwxr-xr-xstage2/01-sys-tweaks/files/boot/config-rootfs_rw.txt124
-rwxr-xr-xstage2/01-sys-tweaks/files/boot/sys_arm64_000/cmdline-rootfs_ro.txt (renamed from stage2/01-sys-tweaks/files/boot/sys_arm64_000/cmdline.txt)0
-rwxr-xr-xstage2/01-sys-tweaks/files/boot/sys_arm64_000/cmdline-rootfs_rw.txt1
-rw-r--r--stage2/01-sys-tweaks/files/fstab-rootfs_ro3
7 files changed, 215 insertions, 57 deletions
diff --git a/README.md b/README.md
index cd7e383..f1b6a23 100644
--- a/README.md
+++ b/README.md
@@ -55,15 +55,29 @@ The following environment variables are supported:
* `ROOTFS_RO` (Default: unset)
- If set to one, i.e. `ROOTFS_RO=1`, the root filesystem will be set read-only
- and a `tmpfs` creating containing the `overlayfs` mutable storage for
+ If set to one, i.e. `ROOTFS_RO=1`, the root filesystem will be set read-only,
+ an `initramfs` is used to load it via `loopfs`
+ and a `tmpfs` created at boot containing the `overlayfs` mutable storage for
```
/etc
/home
/var
+ /srv
```
- Note that the `/srv` mapping has been excluded here!
+
+ Further all `apt-daily` systemd tasks are disabled,
+ the ssh host keys are retained while `regenerate_ssh_host_keys` is disabled
+ and the final `/boot/config.txt` has `splash` disabled (no rainbow).
+* `CUSTOM_IOT` (Default: unset)
+
+ If set to one, i.e. `CUSTOM_IOT=1`, certain embedded low footprint settings
+ will be applied, e.g.:
+ ```
+ - systemctl disable bluetooth
+ - systemctl mask bluetooth
+ - loading module i2c-bcm2708
+ ```
* `BASE_QCOW2_SIZE` (Default: 15200M)
diff --git a/stage2/01-sys-tweaks/01-run.sh b/stage2/01-sys-tweaks/01-run.sh
index c4c31f2..77d768d 100755
--- a/stage2/01-sys-tweaks/01-run.sh
+++ b/stage2/01-sys-tweaks/01-run.sh
@@ -1,5 +1,8 @@
#!/bin/bash -e
+if [ "${ROOTFS_RO}" = "1" ] ; then
+ install -v -m 644 files/fstab-rootfs_ro "${ROOTFS_DIR}/etc/fstab"
+fi
install -m 644 files/overlay_mount.service "${ROOTFS_DIR}/lib/systemd/system/"
install -m 755 files/overlay_mount "${ROOTFS_DIR}/etc/init.d/"
@@ -39,27 +42,22 @@ on_chroot << EOF
else
systemctl disable ssh
fi
- systemctl enable regenerate_ssh_host_keys
-
- #mkdir -p /data/overlay_a
- #cd /data/overlay_a
- #mkdir -p etc/upper etc/work home/upper home/work srv/upper srv/work tmp/upper tmp/work var/upper var/work
- #
- #mkdir -p /data/overlay_b
- #cd /data/overlay_b
- #mkdir -p etc/upper etc/work home/upper home/work srv/upper srv/work tmp/upper tmp/work var/upper var/work
- #
- #cd /data
- #ln -s overlay_a overlay
- #
-
- sed -i -e 's/^D \/tmp/#D \/tmp/g' /usr/lib/tmpfiles.d/tmp.conf
+ if [ "${ROOTFS_RO}" = "1" ] ; then
+ systemctl disable regenerate_ssh_host_keys
+ systemctl mask regenerate_ssh_host_keys
+ else
+ systemctl enable regenerate_ssh_host_keys
+ fi
- systemctl unmask overlay_mount
- systemctl enable overlay_mount
+ if [ "${ROOTFS_RO}" = "1" ] ; then
+ sed -i -e 's/^D \/tmp/#D \/tmp/g' /usr/lib/tmpfiles.d/tmp.conf
- #systemctl disable overlay_mount
- #systemctl mask overlay_mount
+ systemctl unmask overlay_mount
+ systemctl enable overlay_mount
+ else
+ systemctl disable overlay_mount
+ systemctl mask overlay_mount
+ fi
# Setup unique system folder /boot/sys_arm64_000
mkdir -p /boot/sys_arm64_000
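Review bot: Masking `regenerate_ssh_host_keys` here (together with the guarded `rm -f "${ROOTFS_DIR}/etc/ssh/"ssh_host_*_key*` in the last hunk of this file) keeps the host keys generated during the image build inside the image, so every device flashed from the same `ROOTFS_RO=1` build presents the same SSH host identity and clients cannot tell one device from another. Because `/etc` sits on the tmpfs-backed overlay described in README.md, regenerating at boot would not persist either, so the fix needs a persistent writable location for per-device keys (generated on first boot and referenced via `HostKey` in `sshd_config`), or at least a README note that such an image must not be cloned across devices. A smaller point in the same hunk: `sed -i` on `/usr/lib/tmpfiles.d/tmp.conf` edits a package-owned file; the supported override is an identically named file in `/etc/tmpfiles.d/`, which takes precedence and survives a package upgrade. The `on_chroot` here-document this code runs in starts before the hunk.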
@@ -85,46 +83,60 @@ on_chroot << EOF
fi
done
- systemctl disable resize2fs_once
- systemctl mask resize2fs_once
+ if [ "${ROOTFS_RO}" = "1" ] ; then
+ systemctl disable resize2fs_once
+ systemctl mask resize2fs_once
- systemctl disable apt-daily
- systemctl mask apt-daily
- systemctl disable apt-daily.timer
- systemctl mask apt-daily.timer
- systemctl disable apt-daily-upgrade.timer
- systemctl mask apt-daily-upgrade.timer
+ systemctl disable apt-daily
+ systemctl mask apt-daily
+ systemctl disable apt-daily.timer
+ systemctl mask apt-daily.timer
+ systemctl disable apt-daily-upgrade.timer
+ systemctl mask apt-daily-upgrade.timer
- systemctl disable logrotate.timer
- systemctl mask logrotate.time
- systemctl disable man-db.timer
- systemctl mask man-db.timer
+ systemctl disable logrotate.timer
+ systemctl mask logrotate.time
+ systemctl disable man-db.timer
+ systemctl mask man-db.timer
- systemctl disable bluetooth
- systemctl mask bluetooth
+ sed -i -e 's/#Storage=auto/Storage=volatile/g;s/#Compress=yes/Compress=yes/g;s/#RuntimeMaxUse=/RuntimeMaxUse=1M/g;s/#ForwardToSyslog=yes/ForwardToSyslog=no/g;s/#ForwardToWall=yes/ForwardToWall=no/g' /etc/systemd/journald.conf
- sed -i -e 's/#Storage=auto/Storage=volatile/g;s/#Compress=yes/Compress=yes/g;s/#RuntimeMaxUse=/RuntimeMaxUse=1M/g;s/#ForwardToSyslog=yes/ForwardToSyslog=no/g;s/#ForwardToWall=yes/ForwardToWall=no/g' /etc/systemd/journald.conf
+ sed -i -e 's/MODULES=most/MODULES=dep/g;s/BUSYBOX=auto/BUSYBOX=y/g' /etc/initramfs-tools/initramfs.conf
- sed -i -e 's/MODULES=most/MODULES=dep/g;s/BUSYBOX=auto/BUSYBOX=y/g' /etc/initramfs-tools/initramfs.conf
-
- echo "squashfs" >> /etc/modules
- echo "i2c-bcm2708" >> /etc/modules
- # echo "i2c-dev" >> /etc/modules
- # echo "rtc-ds1307" >> /etc/modules
+ echo "squashfs" >> /etc/modules
+ echo "squashfs" >> /etc/initramfs-tools/modules
+ else
+ systemctl enable resize2fs_once
+ fi
- echo "squashfs" >> /etc/initramfs-tools/modules
- echo "i2c-bcm2708" >> /etc/initramfs-tools/modules
- # echo "i2c-dev" >> /etc/initramfs-tools/modules
- # echo "rtc-ds1307" >> /etc/initramfs-tools/modules
-EOF
+ if [ "${CUSTOM_IOT}" = "1" ] ; then
+ systemctl disable bluetooth
+ systemctl mask bluetooth
-install -m 644 files/boot/sys_arm64_000/cmdline.txt "${ROOTFS_DIR}/boot/sys_arm64_000/"
+ echo "i2c-bcm2708" >> /etc/modules
+ # echo "i2c-dev" >> /etc/modules
+ # echo "rtc-ds1307" >> /etc/modules
-install -m 644 files/boot/config.txt "${ROOTFS_DIR}/boot/"
-install -m 644 files/boot/config.txt "${ROOTFS_DIR}/boot/sys_arm64_000/"
+ if [ "${ROOTFS_RO}" = "1" ] ; then
+ echo "i2c-bcm2708" >> /etc/initramfs-tools/modules
+ # echo "i2c-dev" >> /etc/initramfs-tools/modules
+ # echo "rtc-ds1307" >> /etc/initramfs-tools/modules
+ fi
+ fi
+EOF
-install -m 755 files/initramfs/loop_rootfs "${ROOTFS_DIR}/etc/initramfs-tools/scripts/init-premount/"
-install -m 755 files/initramfs/fsck_custom "${ROOTFS_DIR}/etc/initramfs-tools/hooks/"
+if [ "${ROOTFS_RO}" = "1" ] ; then
+ install -m 644 files/boot/config-rootfs_ro.txt "${ROOTFS_DIR}/boot/"
+ install -m 644 files/boot/config-rootfs_ro.txt "${ROOTFS_DIR}/boot/sys_arm64_000/"
+ install -m 644 files/boot/sys_arm64_000/cmdline-rootfs_ro.txt "${ROOTFS_DIR}/boot/sys_arm64_000/cmdline.txt"
+
+ install -m 755 files/initramfs/loop_rootfs "${ROOTFS_DIR}/etc/initramfs-tools/scripts/init-premount/"
+ install -m 755 files/initramfs/fsck_custom "${ROOTFS_DIR}/etc/initramfs-tools/hooks/"
+else
+ install -m 644 files/boot/config-rootfs_rw.txt "${ROOTFS_DIR}/boot/"
+ install -m 644 files/boot/config-rootfs_rw.txt "${ROOTFS_DIR}/boot/sys_arm64_000/"
+ install -m 644 files/boot/sys_arm64_000/cmdline-rootfs_rw.txt "${ROOTFS_DIR}/boot/sys_arm64_000/cmdline.txt"
+fi
if [ "${USE_QEMU}" = "1" ]; then
echo "enter QEMU mode"
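Review bot: `systemctl mask logrotate.time` on the new side is a typo for `logrotate.timer`; the masked name matches no unit, so `logrotate.timer` ends up only disabled rather than masked like the other timers in this block — change it to `systemctl mask logrotate.timer`. The `journald.conf` edit also deserves a comment: `Storage=volatile` plus `ForwardToSyslog=no` means no log survives a reboot on a `ROOTFS_RO=1` image, which matters when a device has to be examined after an incident; if that is the intent, a line such as `# RO image: journal is RAM-only and lost on reboot` makes it explicit, otherwise persistent logging would need a writable `/var/log` outside the tmpfs-backed overlay. The `on_chroot` here-document that these lines belong to starts before the hunk.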
@@ -143,10 +155,14 @@ on_chroot <<EOF
setupcon --force --save-only -v
usermod --pass='*' root
- KVERSION=\$(ls /lib/modules/ | tail -n 1)
- echo "mkinitramfs for kernel version: \${KVERSION}"
- /usr/sbin/mkinitramfs -o /boot/sys_arm64_000/initrd.img \${KVERSION}
+ if [ "${ROOTFS_RO}" = "1" ] ; then
+ KVERSION=\$(ls /lib/modules/ | tail -n 1)
+ echo "mkinitramfs for kernel version: \${KVERSION}"
+ /usr/sbin/mkinitramfs -o /boot/sys_arm64_000/initrd.img \${KVERSION}
+ fi
EOF
-rm -f "${ROOTFS_DIR}/etc/ssh/"ssh_host_*_key*
+if [ "${ROOTFS_RO}" != "1" ] ; then
+ rm -f "${ROOTFS_DIR}/etc/ssh/"ssh_host_*_key*
+fi
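Review bot: `KVERSION=\$(ls /lib/modules/ | tail -n 1)`, now inside the `ROOTFS_RO` branch but otherwise unchanged, takes the lexically last directory name, which is not necessarily the newest kernel once more than one version is installed (`5.10.9` sorts after `5.10.17`); `KVERSION=\$(ls -v /lib/modules/ | tail -n 1)` sorts by version number instead. Since `mkinitramfs` is only run for that one version, picking the wrong one presumably leaves the loop-mounted rootfs unbootable, so the choice is worth a comment either way. The `on_chroot` here-document this code runs in starts before the hunk.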
diff --git a/stage2/01-sys-tweaks/files/boot/config.txt b/stage2/01-sys-tweaks/files/boot/config-rootfs_ro.txt
index 98caa17..98caa17 100755
--- a/stage2/01-sys-tweaks/files/boot/config.txt
+++ b/stage2/01-sys-tweaks/files/boot/config-rootfs_ro.txt
diff --git a/stage2/01-sys-tweaks/files/boot/config-rootfs_rw.txt b/stage2/01-sys-tweaks/files/boot/config-rootfs_rw.txt
new file mode 100755
index 0000000..f4fec02
--- /dev/null
+++ b/stage2/01-sys-tweaks/files/boot/config-rootfs_rw.txt
@@ -0,0 +1,124 @@
+# For more options and information see
+# http://rpf.io/configtxt
+# Some settings may impact device functionality. See link above for details
+
+[all]
+disable_splash=0
+
+# Prepended to the name of any operating system files loaded by the firmware:
+# kernels, initramfs, cmdline.txt, .dtb files and the overlays folder with .dtbo files.
+os_prefix=sys_arm64_000/
+
+# initramfs initrd.img followkernel
+
+#[pi3]
+#start_file=system_rpi_arm64_a/start_x.elf
+#fixup_file=system_rpi_arm64_a/fixup_x.dat
+#
+#[pi4]
+#start_file=system_rpi_arm64_a/start4x.elf
+#fixup_file=system_rpi_arm64_a/fixup4x.dat
+
+[all]
+# uncomment if you get no picture on HDMI for a default "safe" mode
+#hdmi_safe=1
+
+# uncomment this if your display has a black border of unused pixels visible
+# and your display can output without overscan
+disable_overscan=1
+
+# uncomment the following to adjust overscan. Use positive numbers if console
+# goes off screen, and negative if there is too much border
+#overscan_left=16
+#overscan_right=16
+#overscan_top=16
+#overscan_bottom=16
+
+# uncomment to force a console size. By default it will be display's size minus
+# overscan.
+#framebuffer_width=1280
+#framebuffer_height=720
+
+# uncomment if hdmi display is not detected and composite is being output
+#hdmi_force_hotplug=1
+
+# uncomment to force a specific HDMI mode (this will force VGA)
+#hdmi_group=1
+#hdmi_mode=1
+
+# uncomment to force a HDMI mode rather than DVI. This can make audio work in
+# DMT (computer monitor) modes
+#hdmi_drive=2
+
+# uncomment to increase signal to HDMI, if you have interference, blanking, or
+# no display
+#config_hdmi_boost=4
+
+# uncomment for composite PAL
+#sdtv_mode=2
+
+#uncomment to overclock the arm. 700 MHz is the default.
+#arm_freq=800
+
+# Uncomment some or all of these to enable the optional hardware interfaces
+#dtparam=i2c_arm=on
+#dtparam=i2c_arm=off,i2s=on,spi=on
+#dtparam=i2s=on
+#dtparam=spi=on
+
+# Uncomment this to enable infrared communication.
+#dtoverlay=gpio-ir,gpio_pin=17
+#dtoverlay=gpio-ir-tx,gpio_pin=18
+
+# Uncomment this to enable the lirc-rpi module
+#dtoverlay=lirc-rpi
+
+# Additional overlays and parameters are documented /boot/overlays/README
+
+# Enable audio (loads snd_bcm2835)
+#dtparam=audio=on
+
+# Merged Zafena settings (old pi-gen, newer zaf502 machine and my current raspi3/4 machines)
+
+# Tunes the bcm2835-sdhost SD/MMC DMA driver
+# Also available kernel cmdline:
+# 'bcm2835_mmc.mmc_debug=0x1000' -> Forcing PIO mode
+# 'bcm2835_mmc.mmc_debug=0x2000' -> DMA channels allocated
+# See https://github.com/raspberrypi/firmware/issues/397#issuecomment-94574578
+
+# Turns off the bcm2835-sdhost SD/MMC DMA mode, enforces PIO mode
+dtoverlay=sdtweak,force_pio=1
+#dtparam=sd_force_pio=on
+
+#dtparam=i2s=on
+#dtparam=spi=on
+#dtoverlay=zafena-rpi
+#dtoverlay=rpi-dac
+
+## Zafena config 2
+#enable_uart=1
+#core_freq=250
+#dtoverlay=miniuart-bt,krnbt=on
+
+## Zafena config 0 (hciattach on)
+#enable_uart=1
+#dtoverlay=pi3-miniuart-bt
+#core_freq=250
+
+# Zafena config 3 (hciattach on)
+enable_uart=1
+core_freq=250
+
+arm_64bit=1
+
+#gpu_mem=128
+gpu_mem=64
+
+[all]
+# Enable DRM VC4 V3D driver on top of the dispmanx display stack
+dtoverlay=vc4-fkms-v3d
+
+[pi4]
+# Also have two framebuffer
+max_framebuffers=2
+
diff --git a/stage2/01-sys-tweaks/files/boot/sys_arm64_000/cmdline.txt b/stage2/01-sys-tweaks/files/boot/sys_arm64_000/cmdline-rootfs_ro.txt
index c98203a..c98203a 100755
--- a/stage2/01-sys-tweaks/files/boot/sys_arm64_000/cmdline.txt
+++ b/stage2/01-sys-tweaks/files/boot/sys_arm64_000/cmdline-rootfs_ro.txt
diff --git a/stage2/01-sys-tweaks/files/boot/sys_arm64_000/cmdline-rootfs_rw.txt b/stage2/01-sys-tweaks/files/boot/sys_arm64_000/cmdline-rootfs_rw.txt
new file mode 100755
index 0000000..79ccf3b
--- /dev/null
+++ b/stage2/01-sys-tweaks/files/boot/sys_arm64_000/cmdline-rootfs_rw.txt
@@ -0,0 +1 @@
+dwc_otg.lpm_enable=0 console=tty3 root=ROOTDEV rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait
diff --git a/stage2/01-sys-tweaks/files/fstab-rootfs_ro b/stage2/01-sys-tweaks/files/fstab-rootfs_ro
new file mode 100644
index 0000000..9ea3a56
--- /dev/null
+++ b/stage2/01-sys-tweaks/files/fstab-rootfs_ro
@@ -0,0 +1,3 @@
+proc /proc proc defaults 0 0
+BOOTDEV /boot vfat defaults 0 2
+ROOTDEV / ext4 defaults,noatime,ro,errors=remount-ro 0 0
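Review bot: The `/boot` line mounts the vfat partition with plain `defaults` (read-write, no `nosuid`/`nodev`), which on a `ROOTFS_RO=1` image makes it the only persistently writable filesystem; `defaults,nosuid,nodev` (and `noexec` if nothing is executed from `/boot` after the kernel is up) limits what that writable partition can be used for without affecting the firmware, which reads it before Linux starts. The trailing `0 0` on the root line disables the boot-time fsck for `/` — presumably intended because `files/initramfs/fsck_custom` is installed for the RO case in `01-run.sh`, but a comment line in this file (`# / is checked by the initramfs fsck_custom hook`) would make that dependency visible.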