Howto create a minimal Debian Jessie bootable SD card for the Olimex A20-OLinuXIno-LIME2 board

Update 27.3.2015: In the meantime the Debian installer allegedly supports this device, see here:
https://wiki.debian.org/InstallingDebianOn/Allwinner
Also this guy has a bunch of scripts automating the build process:
http://www.igorpecovnik.com/2014/11/18/olimex-lime-debian-sd-image/

I recently purchased one of these small ARM boards. Here are the instructions for building your own bootable SD card with Debian Jessie.
I was using Ubuntu 14.10 utopic.

References:
http://linux-sunxi.org/Olimex_A20-OLinuXino-Lime2
http://linux-sunxi.org/Manual_build_howto
http://linux-sunxi.org/Linux_Kernel
http://linux-sunxi.org/U-Boot
http://linux-sunxi.org/Ethernet
http://linux-sunxi.org/Bootable_SD_card
http://linux-sunxi.org/Toolchain
http://olimex.wordpress.com/2014/07/21/how-to-create-bare-minimum-debian-wheezy-rootfs-from-scratch/
https://www.olimex.com/forum/index.php?topic=2665.0
http://jamesbond3142.no-ip.org/wiki/wiki.cgi/FatdogArm/FirstBoot

Install needed packages:
sudo apt-get install gcc-arm-linux-gnueabihf git libncurses5-dev qemu-user-static debootstrap binfmt-support u-boot-tools sunxi-tools

BUILD UBOOT
mkdir ~/sunxi && cd ~/sunxi
git clone https://github.com/linux-sunxi/u-boot-sunxi.git
cd ~/sunxi/u-boot-sunxi
make CROSS_COMPILE=arm-linux-gnueabihf- A20-OLinuXino_Lime2_config
make -j4 CROSS_COMPILE=arm-linux-gnueabihf-

#get Board definitions
cd ~/sunxi
git clone git://github.com/linux-sunxi/sunxi-boards.git

#I always had a load above 1; the solution is here: http://linux-sunxi.org/Frequently_asked_questions#In_uptime.2C_load_is_always_above_1
Also I needed to increase the voltage a little, otherwise the board freezes from time to time. I am using these values in the fex file and the board appears to be stable for now:
[dvfs_table]
max_freq = 1008000000
min_freq = 720000000
normal_freq = 720000000
LV_count = 7
LV1_freq = 1008000000
LV1_volt = 1500
LV2_freq = 912000000
LV2_volt = 1450
LV3_freq = 864000000
LV3_volt = 1400
LV4_freq = 720000000
LV4_volt = 1300
LV5_freq = 528000000
LV5_volt = 1200
LV6_freq = 312000000
LV6_volt = 1155
LV7_freq = 144000000
LV7_volt = 1150

fex2bin ~/sunxi/sunxi-boards/sys_config/a20/a20-olinuxino_lime2.fex ~/sunxi/script.bin

COMPILE KERNEL
cd ~/sunxi
git clone -b sunxi-3.4 https://github.com/linux-sunxi/linux-sunxi.git
cd ~/sunxi/linux-sunxi
make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- sun7i_defconfig
make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- menuconfig
make -j4 ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- uImage modules
make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- INSTALL_MOD_PATH=output modules_install

SET UP ROOTFS
mkdir ~/sunxi/jessie_rootfs
sudo debootstrap --arch=armhf --foreign jessie ~/sunxi/jessie_rootfs
sudo cp /usr/bin/qemu-arm-static ~/sunxi/jessie_rootfs/usr/bin
sudo cp /etc/resolv.conf ~/sunxi/jessie_rootfs/etc
sudo chroot ~/sunxi/jessie_rootfs

####inside chroot#############
export LANG=C
/debootstrap/debootstrap --second-stage

cat <<EOT > /etc/apt/sources.list
deb http://mirror.netcologne.de/debian/ jessie main contrib non-free
deb http://mirror.netcologne.de/debian-security jessie/updates main contrib non-free
deb http://mirror.netcologne.de/debian/ jessie-updates main contrib non-free
EOT

#I want the system as tiny as possible, so I don’t install recommended/suggested packages. Officially this is not recommended.
cat <<EOT > /etc/apt/apt.conf.d/99no_recommends_suggests
APT::Install-Recommends "false";
APT::Install-Suggests "false";
EOT

cat <<EOT > /etc/network/interfaces
source-directory /etc/network/interfaces.d
auto lo
iface lo inet loopback
allow-hotplug eth0
iface eth0 inet static
address 192.168.0.5
netmask 255.255.255.0
gateway 192.168.0.1
EOT

echo sunxi-gmac >> /etc/modules
echo "options sunxi-gmac mac_str=0a:91:a3:69:b5:b1" > /etc/modprobe.d/sunxi-gmac.conf
apt-get update
apt-get install locales dialog
dpkg-reconfigure locales
apt-get install aptitude

#systemd created problems so I am using sysvinit for now
aptitude -y install sysv-rc sysvinit sysvinit-core
aptitude purge systemd

#These are the basic tools I need – add here whatever you want
aptitude install openssh-server apt-file aptitude bootlogd bzip2 dnsutils dosfstools haveged hdparm localepurge lsof screen smartmontools usbutils vim ntp file fake-hwclock htop
#This enables you to change the uboot/kernel configuration directly within the running arm system
aptitude install sunxi-tools u-boot-tools
#Allow SSH root login
sed -i 's/^PermitRootLogin.*/PermitRootLogin yes/g' /etc/ssh/sshd_config
#Set a Hostname
echo a20-test > /etc/hostname
#If you want serial console access
echo T0:2345:respawn:/sbin/getty -L ttyS0 115200 vt100 >> /etc/inittab
#Set a password
passwd
#Set timezone
dpkg-reconfigure tzdata
#If you want to set the keyboard-layout
aptitude install console-data --with-recommends
dpkg-reconfigure console-data

#Leave chroot
exit
####/inside chroot end#############
#Clean up
sudo rm ~/sunxi/jessie_rootfs/etc/resolv.conf
sudo rm ~/sunxi/jessie_rootfs/usr/bin/qemu-arm-static

PREPARE SDCARD
sudo fdisk -u /dev/sdx
o
n
p
1
2048
34815
t
c
n
p
2
34816
3862527
w

sudo mkfs.vfat /dev/sdx1
sudo mkfs.ext4 /dev/sdx2
sudo tune2fs -m0 /dev/sdx2

#Mount both sdcard partitions
sudo mkdir /mnt/dest
sudo mount /dev/sdx2 /mnt/dest
sudo mkdir /mnt/dest/boot
sudo mount /dev/sdx1 /mnt/dest/boot

PUT UBOOT ON SDCARD
cd ~/sunxi/u-boot-sunxi
sudo dd if=spl/sunxi-spl.bin of=/dev/sdx bs=1024 seek=8
sudo dd if=u-boot.img of=/dev/sdx bs=1024 seek=40
sudo cp ~/sunxi/sunxi-boards/sys_config/a20/a20-olinuxino_lime2.fex ~/sunxi/script.bin /mnt/dest/boot/
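
An added example, not part of the original post: a check that the SPL and u-boot.img fit into the gaps implied by the offsets used here (8 KiB, 40 KiB, first partition at sector 2048), plus a read-back comparison after the dd writes. The function names are hypothetical; TARGET may be the card device or an image file.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Offsets are the ones used above: SPL at 8 KiB and u-boot.img at 40 KiB
# (dd bs=1024 seek=8 / seek=40), first partition at sector 2048 (fdisk).
SPL_KIB=8
UBOOT_KIB=40
PART1_SECTOR=2048

size_of() { wc -c < "$1" | tr -d ' '; }

# Return 0 when the SPL ends before u-boot.img starts and u-boot.img ends
# before the first partition starts. Arguments: SPL file, u-boot.img file.
bootloader_fits() {
    spl_max=$(( (UBOOT_KIB - SPL_KIB) * 1024 ))
    uboot_max=$(( PART1_SECTOR * 512 - UBOOT_KIB * 1024 ))
    [ "$(size_of "$1")" -le "$spl_max" ] ||
        { echo "SPL larger than $spl_max bytes" >&2; return 1; }
    [ "$(size_of "$2")" -le "$uboot_max" ] ||
        { echo "u-boot.img larger than $uboot_max bytes" >&2; return 1; }
}

# Read back what dd wrote and compare it byte for byte with the source file.
# Arguments: TARGET, FILE, offset in KiB.
written_ok() {
    n=$(size_of "$2")
    dd if="$1" bs=1024 skip="$3" 2>/dev/null | head -c "$n" | cmp -s - "$2"
}

# Usage: sh check_bootloader.sh TARGET SPL UBOOT
if [ "$#" -eq 3 ]; then
    bootloader_fits "$2" "$3" || exit 1
    if written_ok "$1" "$2" "$SPL_KIB" && written_ok "$1" "$3" "$UBOOT_KIB"; then
        echo "bootloader verified"
    else
        echo "read-back mismatch" >&2
        exit 1
    fi
fi
```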

PUT KERNEL ON SDCARD
sudo cp ~/sunxi/linux-sunxi/arch/arm/boot/uImage /mnt/dest/boot
sudo mkdir -p /mnt/dest/lib/modules
sudo cp -rv ~/sunxi/linux-sunxi/output/lib /mnt/dest

CONFIGURE U-BOOT (boot.cmd / boot.scr)
cd ~/sunxi/

cat <<EOT > boot.cmd
fatload mmc 0 0x43000000 script.bin || ext2load mmc 0 0x43000000 boot/script.bin
fatload mmc 0 0x48000000 uImage || ext2load mmc 0 0x48000000 boot/uImage
bootm 0x48000000
EOT

mkimage -C none -A arm -T script -d boot.cmd boot.scr
sudo cp boot.cmd boot.scr /mnt/dest/boot

CONFIGURE KERNEL (uEnv.txt)
echo "bootargs=console=ttyS0,115200 console=tty0 root=/dev/mmcblk0p2 rootwait loglevel=8 panic=10" > ~/sunxi/uEnv.txt
sudo cp uEnv.txt /mnt/dest/boot

COPY ROOTFS
cd ~/sunxi/jessie_rootfs/
sudo tar cpf - * | ( cd /mnt/dest && sudo tar xvpf - )
sudo umount /mnt/dest/boot/ /mnt/dest/

That’s it.
Place the newly created SD card into the board and boot it up. If all went well you should be able to reach it via ssh.

Apache 2.4 with suexec+mod_fcgid on Debian Jessie

#Dependencies
su -c 'apt-get install autoconf autotools-dev build-essential comerr-dev debhelper dpkg-dev g++ gettext html2text intltool-debian krb5-multidev libapr1-dev libaprutil1-dev libcap-dev libdpkg-perl libexpat1-dev libgettextpo0 libgssrpc4 libkadm5clnt-mit9 libkadm5srv-mit9 libkdb5-7 libkrb5-dev libldap2-dev libmysqlclient-dev libmysqlclient18 libpcre3-dev libpcrecpp0 libpq-dev libpq5 libsqlite3-dev libssl-dev libstdc++-4.9-dev mysql-common po-debconf sharutils uuid-dev zlib1g-dev libxml2-dev'

#Build directory
cd ~
mkdir apache_build && cd apache_build

#sources
wget http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.2.2.tar.gz
wget http://www.eu.apache.org/dist/httpd/httpd-2.4.16.tar.bz2
wget http://www.eu.apache.org/dist/httpd/httpd-2.4.16-deps.tar.bz2
wget http://mirror.dkd.de/apache/httpd/mod_fcgid/mod_fcgid-2.3.9.tar.bz2

#unpack
tar xzpf libressl-2.2.2.tar.gz
tar xjpf httpd-2.4.16.tar.bz2
tar xjpf httpd-2.4.16-deps.tar.bz2
tar xjpf mod_fcgid-2.3.9.tar.bz2

#export some variables
export CFLAGS="-fPIC -fomit-frame-pointer -pipe -O2 -mtune=k8"
export CXXFLAGS="$CFLAGS"

#libressl
cd ~/apache_build/libressl-2.2.2
./configure --prefix=/opt/apache2 && make -j3 && make check
su -c 'make install'

#apache
cd ~/apache_build/httpd-2.4.16
./configure --prefix=/opt/apache2 --with-ssl=/opt/apache2 --enable-mpms-shared=all --enable-mods-shared="all ssl cache proxy proxy_html xml2enc authn_alias file_cache charset_lite dav_lock cache_disk cgi" --enable-ssl --with-included-apr --enable-suexec --with-suexec-caller=www-data --with-suexec-docroot=/var/www --with-suexec-logfile=/var/log/apache2/suexec_log
make -j3
su -c 'make install'

#mod_fcgid
cd ~/apache_build/mod_fcgid-2.3.9
APXS=/opt/apache2/bin/apxs ./configure.apxs
make
su -c 'make install'

su -c 'chown -R root:root /opt/apache2'
su -c 'chmod +s /opt/apache2/bin/suexec'

After that, an Apache 2.4 that runs on Debian should be located in /opt/apache2.

Copying files with rsync

The advantage over scp is that the transfer can simply be interrupted and resumed:
rsync -P -e ssh user@host:remote_file local_file

The --bwlimit parameter additionally keeps the transfer from using all the bandwidth, which is useful e.g. when uploading over DSL with limited upload capacity:
rsync --bwlimit=100 -P -e ssh user@host:remote_file local_file

openssl spreadsheet

Display:

Show the certificates a server delivers in response to a request:
openssl s_client -showcerts -connect wordpress.stephan-jansen.eu:443

Display a certificate as text:
openssl x509 -in Zertifikat.pem -noout -text

Display a certificate request (CSR = Certificate Signing Request):
openssl req -in Request.csr -noout -text

Shows which CAs a client certificate may be signed by in order to be accepted by the server:
openssl s_client -connect www.example.com:443 -prexit

Show the expiry date:
echo "" | openssl s_client -connect wordpress.stephan-jansen.eu:443 | openssl x509 -noout -enddate

Create:

Create a 2048-bit RSA key:
openssl genrsa -out wordpress.stephan-jansen.eu.key 2048

Create a certificate request (new key):
openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout wordpress.stephan-jansen.eu.key -out wordpress.stephan-jansen.eu.csr

Create a certificate request (existing key):
openssl req -new -sha256 -key wordpress.stephan-jansen.eu.key -out wordpress.stephan-jansen.eu.csr

Create a certificate request with SAN (Subject Alternative Name):
cat > openssl_SAN.cnf << EOF
[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = server1.yourdomain.tld
DNS.2 = mail.yourdomain.tld
DNS.3 = www.yourdomain.tld
DNS.4 = www.sub.yourdomain.tld
DNS.5 = mx.yourdomain.tld
DNS.6 = support.yourdomain.tld
EOF

openssl req -new -sha256 -key wordpress.stephan-jansen.eu.key -out wordpress.stephan-jansen.eu.csr -config openssl_SAN.cnf
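
To confirm that the SAN entries actually ended up in the request, the following added example (not part of the original post) lists the DNS names in a CSR and reports expected names that are missing. The function names are hypothetical, and the demo uses a throwaway key and a cut-down version of the config above.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# List the DNS names in a CSR's subjectAltName extension, one per line.
csr_dns_sans() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        awk '/X509v3 Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Print each expected name that is absent from the CSR; return 1 if any is.
csr_missing_sans() {
    csr=$1; shift
    have=$(csr_dns_sans "$csr")
    missing=0
    for name in "$@"; do
        printf '%s\n' "$have" | grep -qxF -- "$name" || { echo "$name"; missing=1; }
    done
    return "$missing"
}

# Constructed demo: throwaway key and a cut-down version of the SAN config.
demo_san_csr() {
    dir=$(mktemp -d) || return 2
    cat > "$dir/san.cnf" << EOF
[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
commonName = Common Name (e.g. server FQDN or YOUR name)
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = server1.yourdomain.tld
DNS.2 = mail.yourdomain.tld
EOF
    openssl genrsa -out "$dir/demo.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/demo.key" -out "$dir/demo.csr" \
        -config "$dir/san.cnf" -subj "/CN=server1.yourdomain.tld"
    # www.yourdomain.tld is deliberately not in the config above.
    csr_missing_sans "$dir/demo.csr" server1.yourdomain.tld mail.yourdomain.tld www.yourdomain.tld
    rc=$?
    rm -rf "$dir"
    return "$rc"
}
```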

Create a self-signed certificate:
openssl req -new -days 365 -x509 -out server_self.crt -key server.key

Remove the password protection from a key:
openssl rsa -in server.key.pem -out server_nopw.key

Add password protection to a key:
openssl rsa -in server.key -out server.key_enc.pem -aes256

Manually creating "hash links" in the file system (the same thing the c_rehash tool does):
ln -s CA.pem $(openssl x509 -noout -hash -in CA.pem).0

Create a (self-signed) certification authority:

http://www.flatmtn.com/article/setting-openssl-create-certificates

Verify:

Check whether the certificate "cert.pem" can be verified against the CAs in the CAPath directory:
openssl verify -verbose -CApath CAPath/ cert.pem
Note: The CAs must be "hashed" (c_rehash).

Check whether a server caches the SSL session:
openssl s_client -connect wordpress.stephan-jansen.eu:443 -sess_out ./sess.out
openssl s_client -connect wordpress.stephan-jansen.eu:443 -sess_in ./sess.out

-> Then compare the session IDs

Alternative:
openssl s_client -connect wordpress.stephan-jansen.eu:443 -state -reconnect 2>&1 | grep "Session-ID:"

Test whether certificate and key belong together:
$ openssl x509 -noout -modulus -in server.crt | openssl md5
$ openssl rsa -noout -modulus -in server.key | openssl md5
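
The modulus comparison above only works for RSA keys. As an added example (not part of the original post), the following shell functions compare the public key itself, which also covers EC keys and CSRs. The function names are hypothetical and the key file is assumed to be unencrypted.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# SHA-256 over the PEM public key read from stdin. Fails on empty input so
# that two unreadable files can never be reported as a match.
pubkey_digest() {
    pem=$(cat)
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Public-key digest of a certificate, a private key and a CSR.
cert_pubkey_digest() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null | pubkey_digest; }
key_pubkey_digest()  { openssl pkey -in "$1" -pubout 2>/dev/null | pubkey_digest; }
csr_pubkey_digest()  { openssl req -in "$1" -noout -pubkey 2>/dev/null | pubkey_digest; }

# Return 0 only when the certificate carries the public half of the key,
# 1 on mismatch, 2 when either file cannot be parsed.
cert_matches_key() {
    c=$(cert_pubkey_digest "$1") || return 2
    k=$(key_pubkey_digest "$2") || return 2
    [ "$c" = "$k" ]
}

# Usage: sh cert_key_match.sh server.crt server.key
if [ "$#" -eq 2 ]; then
    if cert_matches_key "$1" "$2"; then
        echo "match"
    else
        echo "MISMATCH or unreadable input" >&2
        exit 1
    fi
fi
```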

Convert:

Convert a PKCS12 certificate to PEM (base64)
1. Export key:
openssl pkcs12 -in cert_5070.pfx -nocerts -out cert_5070_key.pem
2. Export the certificate:
openssl pkcs12 -in cert_5070.pfx -clcerts -nokeys -out cert_5070_cert.pem
3. Remove the key's password:
openssl rsa -in cert_5070_key.pem -out cert_5070_key_nopw.pem

Convert a PEM certificate to PKCS12:
openssl pkcs12 -inkey bob_key.pem -in bob_cert.cert -export -out bob_pfx.pfx

Convert a PEM certificate to DER:
openssl x509 -in input.crt -inform PEM -out output.crt -outform DER
openssl rsa -in input.key -inform PEM -out output.key -outform DER

Convert a DER certificate to PEM:
openssl x509 -in input.crt -inform DER -out output.crt -outform PEM
openssl rsa -in input.key -inform DER -out output.key -outform PEM

See also:
http://www-user.tu-chemnitz.de/~hot/SSL/