From b248eb4ea1cd5f5c649ec275e7e02d182fdde16c Mon Sep 17 00:00:00 2001
From: hilschernetpi
Date: Sun, 15 Sep 2019 17:41:14 +0200
Subject: [PATCH] Changed to Debian 10 Buster
---
 Dockerfile | 91 +++++++++++++++++++++++++++---------------------------
 README.md | 41 ++++++++++++++----------
 2 files changed, 71 insertions(+), 61 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 556a990..12bbfaa 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,41 +1,41 @@
 #STEP 1 of multistage build ---Compile Bluetooth stack-----
 #use armv7hf compatible base image
-FROM balenalib/armv7hf-debian:stretch as builder
+FROM balenalib/armv7hf-debian:buster as builder
-#enable building ARM container on x86 machinery on the web (comment out next line if built on Raspberry)
+#enable cross compiling (comment out next line if built on Raspberry Pi)
 RUN [ "cross-build-start" ]
 #environment variables
 ENV BLUEZ_VERSION 5.50
-RUN apt-get update \
- && apt-get install -y build-essential wget \
- libical-dev libdbus-1-dev libglib2.0-dev libreadline-dev libudev-dev systemd
+RUN apt-get update && apt-get install -y \
+ build-essential wget \
+ libical-dev libdbus-1-dev libglib2.0-dev libreadline-dev libudev-dev systemd
 RUN wget -P /tmp/ https://www.kernel.org/pub/linux/bluetooth/bluez-${BLUEZ_VERSION}.tar.gz \
- && tar xf /tmp/bluez-${BLUEZ_VERSION}.tar.gz -C /tmp \
+ && tar xf /tmp/bluez-${BLUEZ_VERSION}.tar.gz -C /tmp \
 #compile bluez
- && cd /tmp/bluez-${BLUEZ_VERSION} \
- && ./configure --prefix=/usr \
- --mandir=/usr/share/man \
- --sysconfdir=/etc \
- --localstatedir=/var \
- --enable-library \
- --enable-experimental \
- --enable-maintainer-mode \
- --enable-deprecated \
- && make \
+ && cd /tmp/bluez-${BLUEZ_VERSION} \
+ && ./configure --prefix=/usr \
+ --mandir=/usr/share/man \
+ --sysconfdir=/etc \
+ --localstatedir=/var \
+ --enable-library \
+ --enable-experimental \
+ --enable-maintainer-mode \
+ --enable-deprecated \
+ && make \
 #install bluez tools
- && make install
-#stop processing ARM emulation (comment out next line if built on Raspberry)
+ && make install
+#disable cross compiling (comment out next line if built on Raspberry Pi)
 RUN [ "cross-build-end" ]
 #STEP 2 of multistage build ----Create the final image-----
 #use armv7hf compatible base image
-FROM balenalib/armv7hf-debian:stretch
+FROM balenalib/armv7hf-debian:buster
 #dynamic build arguments coming from the /hooks/build file
 ARG BUILD_DATE
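Review bot: The bluez tarball fetched by `wget` in the builder stage is extracted and installed with no integrity check, and the new side keeps that path unchanged (`+ && tar xf /tmp/bluez-${BLUEZ_VERSION}.tar.gz -C /tmp \`), so whatever the download returns is what later gets copied into the final image as the Bluetooth stack. Because BLUEZ_VERSION is pinned to 5.50 the expected digest is fixed too, so one line between the download and the extraction is enough: `&& echo "<SHA256_OF_BLUEZ_TARBALL>  /tmp/bluez-${BLUEZ_VERSION}.tar.gz" | sha256sum -c - \`, with the placeholder replaced by the digest recorded for that release (if a detached signature from kernel.org is used instead, the builder needs `gpg --verify` plus the maintainer key). Two smaller points on the same hunk: the reworked `apt-get install -y \` line could take `--no-install-recommends` to keep the builder lean, and `ENV BLUEZ_VERSION 5.50` is the legacy space-separated form; `ENV BLUEZ_VERSION=5.50` is the equivalent that current build checks accept without warning.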
@@ -46,11 +46,11 @@ LABEL org.label-schema.build-date=$BUILD_DATE \
 org.label-schema.vcs-url="https://github.com/HilscherAutomation/netPI-bluetooth" \
 org.label-schema.vcs-ref=$VCS_REF
-#enable building ARM container on x86 machinery on the web (comment out next line if built on Raspberry)
+#enable cross compiling (comment out next line if built on Raspberry Pi)
 RUN [ "cross-build-start" ]
 #version
-ENV HILSCHERNETPI_BLUEZ_VERSION 1.2.1
+ENV HILSCHERNETPI_BLUEZ_VERSION 1.3.0
 #labeling
 LABEL maintainer="netpi@hilscher.com" \
@@ -58,32 +58,33 @@ LABEL maintainer="netpi@hilscher.com" \
 description="Bluetooth"
 #install prerequisites
-RUN apt-get update \
- && apt-get install -y openssh-server dbus git curl libglib2.0-dev \
- && echo 'root:root' | chpasswd \
- && sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config \
- && sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd \
- && mkdir /var/run/sshd \
+RUN apt-get update && apt-get install -y \
+ openssh-server dbus git curl libglib2.0-dev \
+#create user
+ && echo 'root:root' | chpasswd \
+ && sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config \
+ && sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd \
+ && mkdir /var/run/sshd \
 #get BCM chip firmware
- && mkdir /etc/firmware \
- && curl -o /etc/firmware/BCM43430A1.hcd -L https://github.com/OpenELEC/misc-firmware/raw/master/firmware/brcm/BCM43430A1.hcd \
+ && mkdir /etc/firmware \
+ && curl -o /etc/firmware/BCM43430A1.hcd -L https://github.com/OpenELEC/misc-firmware/raw/master/firmware/brcm/BCM43430A1.hcd \
 #create folders for bluetooth tools
- && mkdir -p '/usr/bin' '/usr/libexec/bluetooth' '/usr/lib/cups/backend' '/etc/dbus-1/system.d' \
- '/usr/share/dbus-1/services' '/usr/share/dbus-1/system-services' '/usr/include/bluetooth' \
- '/usr/share/man/man1' '/usr/share/man/man8' '/usr/lib/pkgconfig' '/usr/lib/bluetooth/plugins' \
- '/lib/udev/rules.d' '/lib/systemd/system' '/usr/lib/systemd/user' '/lib/udev' \
-#install userland raspberry tools
- && git clone --depth 1 https://github.com/raspberrypi/firmware /tmp/firmware \
- && mv /tmp/firmware/hardfp/opt/vc /opt \
- && echo "/opt/vc/lib" >/etc/ld.so.conf.d/00-vmcs.conf \
- && /sbin/ldconfig \
+ && mkdir -p '/usr/bin' '/usr/libexec/bluetooth' '/usr/lib/cups/backend' '/etc/dbus-1/system.d' \
+ '/usr/share/dbus-1/services' '/usr/share/dbus-1/system-services' 
'/usr/include/bluetooth' \
+ '/usr/share/man/man1' '/usr/share/man/man8' '/usr/lib/pkgconfig' '/usr/lib/bluetooth/plugins' \
+ '/lib/udev/rules.d' '/lib/systemd/system' '/usr/lib/systemd/user' '/lib/udev' \
+#install userland raspberry pi tools
+ && git clone --depth 1 https://github.com/raspberrypi/firmware /tmp/firmware \
+ && mv /tmp/firmware/hardfp/opt/vc /opt \
+ && echo "/opt/vc/lib" >/etc/ld.so.conf.d/00-vmcs.conf \
+ && /sbin/ldconfig \
 #clean up
- && rm -rf /tmp/* \
- && rm -rf /opt/vc/src \
- && apt-get remove git curl \
- && apt-get -yqq autoremove \
- && apt-get -y clean \
- && rm -rf /var/lib/apt/lists/*
+ && rm -rf /tmp/* \
+ && rm -rf /opt/vc/src \
+ && apt-get remove git curl \
+ && apt-get -yqq autoremove \
+ && apt-get -y clean \
+ && rm -rf /var/lib/apt/lists/*
 #copy files
 COPY "./init.d/*" /etc/init.d/
 #copy bluez tools from builder container
@@ -117,5 +118,5 @@ ENTRYPOINT ["/etc/init.d/entrypoint.sh"]
 #set STOPSGINAL
 STOPSIGNAL SIGTERM
-#stop processing ARM emulation (comment out next line if built on Raspberry)
+#disable cross compiling (comment out next line if built on Raspberry Pi)
 RUN [ "cross-build-end" ]
diff --git a/README.md b/README.md
index 0dd33e2..2537e49 100644
--- a/README.md
+++ b/README.md
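Review bot: The new side still bakes a fixed, well-known root credential into the image (`+ && echo 'root:root' | chpasswd \`) and then enables `PermitRootLogin yes` for the sshd it installs, so every container built from this Dockerfile accepts root logins over SSH with the same password; the README changed in this same commit says the container runs in host network mode with port 22 exposed on the host and in privileged mode, so that login is reachable from the host's network rather than from an isolated container network. The `#create user` comment added above those lines is also inaccurate — no user is created, the root password is set. The safer shape is to drop the `chpasswd` line and the `PermitRootLogin` sed (Debian's default `prohibit-password` then stays in effect) and let the entrypoint install a key supplied at run time into `/root/.ssh/authorized_keys`; if a password must be kept, it should come from a runtime environment variable handled by the entrypoint rather than from a build step, and be documented as a value the operator must change. Separately, `/etc/firmware/BCM43430A1.hcd` is fetched from the `master` branch of a GitHub repository and the Raspberry Pi userland is cloned without a pinned commit, so neither `/etc/firmware` nor `/opt/vc` is reproducible or verified; pinning a commit hash and checking the `.hcd` digest with `sha256sum -c` would fix that. Lastly, `apt-get remove git curl` lacks the `-y` its neighbours `autoremove` and `clean` carry; it presumably succeeds today because nothing beyond the named packages is affected, but `apt-get -y remove git curl` is the robust form.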
@@ -7,33 +7,39 @@ Made for [netPI](https://www.netiot.com/netpi/), the Raspberry Pi 3B Architecture based industrial suited Open Edge Connectivity Ecosystem -### Debian with SSH, dbus and latest bluez bluetooth stack +### Secured netPI Docker + +netPI features a restricted Docker protecting the system software's integrity by maximum. The restrictions are + +* privileged mode is not automatically adding all host devices `/dev/` to a container +* volume bind mounts to rootfs is not supported +* the devices `/dev`,`/dev/mem`,`/dev/sd*`,`/dev/dm*`,`/dev/mapper`,`/dev/mmcblk*` cannot be added to a container + +### Container features The image provided hereunder deploys a container with latest bluetooth protocol stack to enable netPI bluetooth communications in a container. Base of this image builds [debian](https://www.balena.io/docs/reference/base-images/base-images/) with enabled [SSH](https://en.wikipedia.org/wiki/Secure_Shell), a source code compiled bluez stack [bluez](http://www.bluez.org/) and [firmware](https://github.com/OpenELEC/misc-firmware/tree/master/firmware/brcm) for the onboard BCM bluetooth chip BCM43438. -#### Container prerequisites +### Container setup -##### Host network +#### Host network -The container needs the Docker "Host" network stack to be shared with the container. +The container needs to run in `host` network mode. -Hint: Using this mode makes port mapping unnecessary since all the container's used ports are exposed to the host. This is why the container's used SSH server port `22` is getting available on the host without a discrete port mapping. +Using this mode makes port mapping unnecessary since all the used container ports (like 22) are exposed to the host automatically. -##### Privileged mode +#### Privileged mode The privileged mode option needs to be activated to lift the standard Docker enforced container limitations. 
With this setting the container and the applications inside are the getting (almost) all capabilities as if running on the Host directly. -netPI's secure reference software architecture prohibits root access to the Host system always. Even if priviledged mode is activated the intrinsic security of the Host Linux Kernel can not be compromised. - -##### Host device +#### Host device -To grant access to the BCM chip the `/dev/ttyAMA0` host device needs to be exposed to the container. +To grant access to the BCM chip the `/dev/ttyAMA0` host device needs to be added to the container. To prevent the container from failing to load the BCM chip with firmware(when restarted), the BCM chip is physically reset by the container each time it is started. To grant access to the reset logic the `/dev/vcio` host device needs to be exposed to the container. -#### Getting started +### Container deployment STEP 1. Open netPI's website in your browser (https). @@ -50,12 +56,11 @@ Parameter | Value | Remark *Runtime > Devices > +add device* | *Host path* **/dev/vcio** -> *Container path* **/dev/vcio** | *Runtime > Privileged mode* | **On** | - STEP 4. Press the button *Actions > Start/Deploy container* Pulling the image may take a while (5-10mins). Sometimes it may take too long and a time out is indicated. In this case repeat STEP 4. -#### Accessing +### Container access The container starts the SSH server and the bluetooth device hci0 automatically. 
@@ -63,13 +68,17 @@ Login to it with an SSH client such as [putty](http://www.putty.org/) using netP Use bluez tools such as bluetoothctl, hciconfig, hcitool as usual. For a simple test call [bluetoothctl](https://wiki.archlinux.org/index.php/bluetooth) to start the bluetooth interactive command utility. Input `scan on` to discover nearby bluetooth devices. -#### Automated build +### Container tips & tricks + +For additional help or information visit the Hilscher Forum at https://forum.hilscher.com/ + +### Container Automated build The project complies with the scripting based [Dockerfile](https://docs.docker.com/engine/reference/builder/) method to build the image output file. Using this method is a precondition for an [automated](https://docs.docker.com/docker-hub/builds/) web based build process on DockerHub platform. -DockerHub web platform is x86 CPU based, but an ARM CPU coded output file is needed for Raspberry systems. This is why the Dockerfile includes the [balena](https://balena.io/blog/building-arm-containers-on-any-x86-machine-even-dockerhub/) steps. +DockerHub web platform is x86 CPU based, but an ARM CPU coded output file is needed for Raspberry Pi systems. This is why the Dockerfile includes the [balena](https://balena.io/blog/building-arm-containers-on-any-x86-machine-even-dockerhub/) steps. -#### License +### License View the license information for the software in the project. As with all Docker images, these likely also contain other software which may be under other licenses (such as Bash, etc from the base distribution, along with any direct or indirect dependencies of the primary software being contained). As for any pre-built image usage, it is the image user's responsibility to ensure that any use of this image complies with any relevant licenses for all software contained within.ex.php/bluetooth) to start the bluetooth interactive command utility. Input `scan on` to discover nearby bluetooth devices.