Differences

This shows you the differences between two versions of the page.

docs:guide-user:additional-software:imagebuilder [2021/09/02 19:56] – [Creating a restricted user] vgaeteradocs:guide-user:additional-software:imagebuilder [2024/04/01 16:18] – [Arch / Manjaro / EndeavourOS] sixx
Line 3: Line 3:
 [[docs:guide-developer:imagebuilder_frontends|Image Builder frontends]], [[docs:guide-developer:imagebuilder_frontends|Image Builder frontends]],
 [[docs:guide-developer:start#using_the_toolchain|Using the toolchain]], [[docs:guide-developer:start#using_the_toolchain|Using the toolchain]],
-[[docs:guide-user:additional-software:beginners-build-guide|Quick image building guide]]+[[docs:guide-developer:toolchain:beginners-build-guide|Quick image building guide]]
  
 The Image Builder (previously called the Image Generator) is a pre-compiled environment suitable for creating custom images without the need for compiling them from source. The Image Builder (previously called the Image Generator) is a pre-compiled environment suitable for creating custom images without the need for compiling them from source.
Line 22: Line 22:
 <WRAP important> <WRAP important>
   * The Image Builder runs only in 64-bit Linux. You can however run a 64-bit Linux in PC or VM, e.g. VirtualBox, even from 32-bit Windows.   * The Image Builder runs only in 64-bit Linux. You can however run a 64-bit Linux in PC or VM, e.g. VirtualBox, even from 32-bit Windows.
-  * The Image Builder has similar prerequisites as the [[docs:guide-developer:build-system:install-buildsystem|Build system]].+  * The Image Builder has similar prerequisites as the [[docs:guide-developer:toolchain:install-buildsystem|Build system]].
 </WRAP> </WRAP>
  
 Example dependencies in the most common distros: Example dependencies in the most common distros:
  
-==== Arch / Manjaro ====+==== Arch ====
 <code bash> <code bash>
 sudo pacman -S --needed base-devel ncurses zlib gawk git gettext \ sudo pacman -S --needed base-devel ncurses zlib gawk git gettext \
Line 33: Line 33:
 </code> </code>
  
-==== CentOS / Fedora ====+==== Fedora ====
 <code bash> <code bash>
 sudo dnf install git gawk gettext ncurses-devel zlib-devel \ sudo dnf install git gawk gettext ncurses-devel zlib-devel \
 openssl-devel libxslt wget which @c-development @development-tools \ openssl-devel libxslt wget which @c-development @development-tools \
-@development-libs zlib-static which python3+@development-libs zlib-static which python3 perl
 </code> </code>
  
-==== Debian / Ubuntu ====+==== Debian 12+ / Ubuntu / Mint ====
 <code bash> <code bash>
-sudo apt install build-essential libncurses5-dev libncursesw5-dev \ +sudo apt install build-essential libncurses-dev zlib1g-dev gawk git 
-zlib1g-dev gawk git gettext libssl-dev xsltproc rsync wget unzip python+gettext libssl-dev xsltproc rsync wget unzip python3 python3-distutils
 </code> </code>
  
 +==== WSL ====
 +This method is NOT OFFICIALLY supported.
 +But it works.
 +
 +[[docs:guide-developer:toolchain:wsl|Build system setup WSL]]
 ===== Obtaining the Image Builder ===== ===== Obtaining the Image Builder =====
 You can download an archive that contains the **Image Builder**, it is usually located in the same download page where you find the firmware image for your device. You can download an archive that contains the **Image Builder**, it is usually located in the same download page where you find the firmware image for your device.
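Review bot: in the Fedora block, `which` is already listed on the unchanged line (`wget which @c-development`) and appears again on the changed line (`zlib-static which python3 perl`); since that line is being touched to add `perl`, drop the duplicate. The new heading `Debian 12+ / Ubuntu / Mint` is open-ended while the command now names `libncurses-dev` and `python3-distutils` specifically, so it would help to state which Ubuntu and Mint releases the list was checked on. The added WSL section also runs straight into the `===== Obtaining the Image Builder =====` heading without a blank line.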
Line 75: Line 80:
 | ''BIN_DIR'' | Alternative output directory for the images | | ''BIN_DIR'' | Alternative output directory for the images |
 | ''EXTRA_IMAGE_NAME'' | Add this to the output image filename (sanitized) | | ''EXTRA_IMAGE_NAME'' | Add this to the output image filename (sanitized) |
-| ''DISABLED_SERVICES''The names of services from ''/etc/init.d'' to disable, e.g. ''dhcp'' for dnsmasq |+| ''DISABLED_SERVICES''A list of services to disable |
  
 Run ''make help'' to get [[docs:guide-user:additional-software:imagebuilder#detailed_help|detailed help]]. Run ''make help'' to get [[docs:guide-user:additional-software:imagebuilder#detailed_help|detailed help]].
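Review bot: the new `DISABLED_SERVICES` description, "A list of services to disable", drops what the old text said about where the names come from (`/etc/init.d`) and does not say how the list is delimited. Suggest wording such as "Space-separated names of `/etc/init.d` scripts to disable", which matches the `DISABLED_SERVICES="svc1 svc2 svc3"` usage added further down, so a reader who relies on a service being off in the image knows exactly which name to pass.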
Line 83: Line 88:
  
 <code bash> <code bash>
-PROFILE=profile-name+PROFILE="profile-name"
 </code> </code>
  
Line 126: Line 131:
  
 <code bash> <code bash>
-FILES=files+FILES="files"
 </code> </code>
  
-The ''files'' directory is best in the imagebuilder root folder (where you issue the make commandotherwise it is best to use an absolute (fullpath.+The ''files'' directory should be placed in the Image Builder root directory where you issue the make commandotherwise specify an absolute/full path.
  
 It is strongly recommended to use [[docs:guide-developer:uci-defaults|uci-defaults]] to incrementally integrate only the required customization. It is strongly recommended to use [[docs:guide-developer:uci-defaults|uci-defaults]] to incrementally integrate only the required customization.
 This helps minimize conflicts with auto-generated settings which can change between versions. This helps minimize conflicts with auto-generated settings which can change between versions.
 +
 +see: [[:docs:guide-user:additional-software:imagebuilder#restricting_root_access|uci-default_example]]
  
 ==== Building image ==== ==== Building image ====
Line 138: Line 145:
  
 <code bash> <code bash>
-make image PROFILE=profile-name PACKAGES="pkg1 pkg2 pkg3 -pkg4 -pkg5 -pkg6" FILES=files+make image 
 +PROFILE="profile-name" \ 
 +PACKAGES="pkg1 pkg2 pkg3 -pkg4 -pkg5 -pkg6" 
 +FILES="files" \ 
 +DISABLED_SERVICES="svc1 svc2 svc3"
 </code> </code>
  
Line 159: Line 170:
 scp root@192.168.1.1:/etc/config/wireless files/etc/config/ scp root@192.168.1.1:/etc/config/wireless files/etc/config/
 scp root@192.168.1.1:/etc/config/firewall files/etc/config/ scp root@192.168.1.1:/etc/config/firewall files/etc/config/
-make image PROFILE=wl500gp PACKAGES="nano openvpn -ppp -ppp-mod-pppoe" FILES=files+make image 
 +PROFILE="wl500gp" \ 
 +PACKAGES="nano openvpn -ppp -ppp-mod-pppoe" 
 +FILES="files" \ 
 +DISABLED_SERVICES="dnsmasq firewall odhcpd"
 </code> </code>
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
   - Did you run everything as a non-root user?   - Did you run everything as a non-root user?
-  - Check the log output are there package issues (conflicts, improper names) +  - Check the logged outputare there package issues (conflicts, improper names)
-  - Wait a few hours/day upstream packages may be in an inconsistent state+  - Check the logged output, did you exceed maximum space? 
 +  - Check the logged output, are there other obvious errors? 
 +  - Wait a few hours/day(s) upstream packages may be in an inconsistent state especially on master/snapshot
   - Verify you have a supported OS, prerequisites, file system and path naming   - Verify you have a supported OS, prerequisites, file system and path naming
  
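Review bot: the added `DISABLED_SERVICES="dnsmasq firewall odhcpd"` in the `wl500gp` example turns off the firewall service in an image whose `files/` tree was populated with `/etc/config/firewall` two lines above, so the copied firewall configuration would not be loaded at boot and anyone pasting the example builds a router image with its firewall disabled. Either pick services that are harmless to disable for the example, or add a sentence saying what kind of device this example is meant for. In the troubleshooting list, "Wait a few hours/day(s)" would read better as a full sentence.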
Line 240: Line 257:
  
 In the graphical configuration, select "**Build the OpenWrt Image Builder**" to build the image builder, then  select **Global Build Settings -> Select all packages by default**, save and exit. In the graphical configuration, select "**Build the OpenWrt Image Builder**" to build the image builder, then  select **Global Build Settings -> Select all packages by default**, save and exit.
-Then build the image, including ''IGNORE_ERRORS=1'' as there might be unmaintained packages that fail to compile+You can [[docs:guide-developer:toolchain:use-buildsystem#ignore_build_errors|ignore build errors]] if you encounter unmaintained packages that fail to compile, assuming this doesn't affect kernel and core dependencies.
- +
-Enabling ''IGNORE_ERRORS=1'' should only be done **once the kernel and required packages are known to compile successfully**. +
- +
-<code bash> +
-make IGNORE_ERRORS=1 +
-</code>+
  
 Don't call ''make defconfig'' or leave an old ''.config'' file in the path as ''Select all packages by default'' will only set the package selection to ''[m]'' for packages that are not already configured otherwise! ''make defconfig'' will set most packages to ''[n]'', i.e. //do not build//. Don't call ''make defconfig'' or leave an old ''.config'' file in the path as ''Select all packages by default'' will only set the package selection to ''[m]'' for packages that are not already configured otherwise! ''make defconfig'' will set most packages to ''[n]'', i.e. //do not build//.
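Review bot: the replacement sentence weakens the warning it removes. The old text said `IGNORE_ERRORS=1` should be used only "once the kernel and required packages are known to compile successfully"; the new "assuming this doesn't affect kernel and core dependencies" leaves the reader to guess, and with errors ignored a failed package is simply absent from the resulting Image Builder. Suggest keeping the explicit ordering (first confirm the kernel and required packages build, then ignore errors) next to the new link.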
Line 277: Line 288:
 The ''repositories.conf'' in an imagebuilder you compile from source will lack the "Remote package repositories" links. The ''repositories.conf'' in an imagebuilder you compile from source will lack the "Remote package repositories" links.
  
-If you want to add a custom local repository, copy the ''%%src custom file:///usr/src/openwrt/bin/ramips/packages%%'' line and modify it to point to the local folder you have your packages and package lists in.+If you want to add a custom local repository, copy the ''%%src custom file:///usr/src/openwrt/bin/ramips/packages%%'' line and modify it to point to the local folder where you have your packages and package lists ([[https://downloads.openwrt.org/releases/21.02.3/targets/ramips/mt7621/packages/Packages|example package list]]).
 If you have problems with using you local repository because the "Signature check failed" then remove the line ''option check_signature'' from ''repositories.conf'' If you have problems with using you local repository because the "Signature check failed" then remove the line ''option check_signature'' from ''repositories.conf''
  
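Review bot: the paragraph being edited still ends with the advice to remove `option check_signature` from `repositories.conf` when "Signature check failed" appears, and that line applies to the whole file rather than only the custom feed, so any remote feeds listed there would stop being verified as well. Since this hunk already rewrites the local-repository sentence, suggest recommending that the local package list be signed and its key made available to the Image Builder, keeping removal of the check as a last resort. The example link is pinned to release `21.02.3` and will age, and the same context line has the typo "you local repository".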
Line 283: Line 294:
  
 NOTE: if you want to override packages coming from an existing feed, you must write your custom feed ABOVE the line of the package feed containing the packages you want to override, as shown in the examples above. NOTE: if you want to override packages coming from an existing feed, you must write your custom feed ABOVE the line of the package feed containing the packages you want to override, as shown in the examples above.
 +
 +==== Restricting root access ====
 +Create a non-privileged admin user and lock root password.
 +Configure privilege elevation with sudo.
 +Set up key-based authentication and disable password authentication for Dropbear.
 +
 +<code bash>
 +mkdir -p files/etc/uci-defaults
 +cat << "EOF" > files/etc/uci-defaults/99-custom
 +USER_NAME="admin"
 +USER_SSHPUB="SSH_PUBLIC_KEY"
 +USER_SHELL="/bin/ash"
 +SUDO_USER="root"
 +SUDO_GROUP="sudo"
 +groupadd -r "${SUDO_GROUP}"
 +useradd -m -G "${SUDO_GROUP}" -s "${USER_SHELL}" "${USER_NAME}"
 +passwd -l "${SUDO_USER}"
 +cat << EOI > /etc/sudoers.d/00-custom
 +%${SUDO_GROUP} ALL=(ALL) ALL
 +EOI
 +USER_HOME="$(eval echo ~"${USER_NAME}")"
 +mkdir -p "${USER_HOME}"/.ssh
 +cat << EOI > "${USER_HOME}"/.ssh/authorized_keys
 +${USER_SSHPUB}
 +EOI
 +uci set dropbear.@dropbear[0].PasswordAuth="0"
 +uci set dropbear.@dropbear[0].RootPasswordAuth="0"
 +uci commit dropbear
 +/etc/init.d/dropbear restart
 +EOF
 +make image \
 +FILES="files" \
 +PACKAGES="nano shadow sudo"
 +</code>
  
 ==== Adding/modifying profiles ==== ==== Adding/modifying profiles ====
 +
 +<WRAP important>
 +Examples below may contain version dependent / legacy information and are for informational purposes. They are very low level so expect to have a good level of skill and familiarity with the ImageBuilder / OpenWrt in general. 
 +</WRAP>
 +
 The image building is tied to the profile names. The image building is tied to the profile names.
 If you add a new profile without also adding an appropriate macro to the image-generation Makefile, no suitable firmware file will get generated when using the custom profile. If you add a new profile without also adding an appropriate macro to the image-generation Makefile, no suitable firmware file will get generated when using the custom profile.
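Review bot: in `99-custom`, the sudoers rule `%${SUDO_GROUP} ALL=(ALL) ALL` asks for the caller's password, but nothing in the script gives `admin` one: `useradd` is called without a password, Dropbear password login is switched off, and root is locked with `passwd -l`. State how `admin` is meant to authenticate to sudo (for example by setting a password hash in the script), otherwise the image may come up with no working path to root. The rewrite also drops the `chown -R "${USER_NAME}:${USER_GROUP}" "${USER_HOME}"` and `chmod -R go= "${USER_HOME}"` lines that the old "Creating a restricted user" script had, so `.ssh/authorized_keys`, which this script creates itself, keeps whatever ownership and mode it was created with instead of belonging to `admin`; suggest restoring both. A comment saying that `SSH_PUBLIC_KEY` is a placeholder to replace would also help.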
Line 318: Line 368:
  
 Note that it requires patching of the ''Makefile'' Note that it requires patching of the ''Makefile''
 +
 +It is based on older Chaos Calmer era code... and not applicable to modern ImageBuilders but useful as a reference...
 </WRAP> </WRAP>
  
Line 353: Line 405:
 <code bash> <code bash>
 make image \ make image \
-    PROFILE=tlwr841 \ +PROFILE="tlwr841
-    PACKAGES="igmpproxy ip iptraf kmod-ipt-nathelper-extra openvpn-polarssl tcpdump-mini -firewall -ip6tables -kmod-ip6tables -kmod-ipv6 -odhcp6c -ppp -ppp-mod-pppoe"+PACKAGES="igmpproxy ip iptraf kmod-ipt-nathelper-extra openvpn-polarssl tcpdump-mini -firewall -ip6tables -kmod-ip6tables -kmod-ipv6 -odhcp6c -ppp -ppp-mod-pppoe"
-    FILES_REMOVE="files_remove+FILES_REMOVE="files_remove"
-</code> +
- +
-==== Creating a restricted user ==== +
-Create a restricted user and lock root password. +
-Configure privilege elevation with sudo. +
-Set up key-based authentication and disable password authentication for Dropbear. +
- +
-<code bash> +
-mkdir -p files/etc/uci-defaults +
-cat << "EOF" > files/etc/uci-defaults/xx_custom +
-USER_NAME="test_user" +
-USER_GROUP="test_group" +
-USER_SSHPUB="test_key" +
-USER_SHELL="/bin/ash" +
-SUDO_USER="root" +
-SUDO_GROUP="wheel" +
-SUDO_GID="10" +
-uci set dropbear.@dropbear[0].PasswordAuth="0" +
-uci set dropbear.@dropbear[0].RootPasswordAuth="0" +
-uci commit dropbear +
-/etc/init.d/dropbear restart +
-passwd -l "${SUDO_USER}" +
-groupadd -r -g "${SUDO_GID}" "${SUDO_GROUP}" +
-touch /etc/environment +
-cat << EOI > /etc/sudoers.d/00-custom +
-%${SUDO_GROUP} ALL=(ALL) ALL +
-EOI +
-groupadd "${USER_GROUP}" +
-useradd -m -g "${USER_GROUP}" -G "${SUDO_GROUP}"+
--s "${USER_SHELL}" "${USER_NAME}" +
-busybox passwd -d "${USER_NAME}" +
-USER_HOME="$(eval echo ~"${USER_NAME}")" +
-mkdir -p "${USER_HOME}"/.ssh +
-cat << EOI > "${USER_HOME}"/.ssh/authorized_keys +
-${USER_SSHPUB} +
-EOI +
-chown -R "${USER_NAME}:${USER_GROUP}" "${USER_HOME}" +
-chmod -R go= "${USER_HOME}" +
-EOF +
-make image FILES="files" PACKAGES="nano shadow sudo"+
 </code> </code>
  • Last modified: 2024/09/20 19:32
  • by lessload