Difference between revisions of "Bering-uClibc 7.x - User Guide - Advanced Topics - Setting Up a Raspberry PI"

From bering-uClibc
  
 
<s>The '''PI zero W''' is an interesting one, as it can be accessed thru WIFI... There is an example of its use [[Bering-uClibc_7.x_-_User_Guide_-_Advanced_Topics_-_Raspberry_PI_Zero_W_direct_WIFI_logon|here]] which does not use the serial console.</s>
 
 
 
===Goal===
 
 
 
This setup shows how to use the LEAF tarball distribution for the Raspberry PI to access the serial communication port of a distant PC Engines APU2C2 using a simple SSH session. To access the serial port, we will first SSH to the Raspberry PI and then run a communication program like minicom or picocom. A USB to RS-232C cable connects the Raspberry PI to the serial port of the device.
 
 
This setup can be generalized to make any "device serial communication port" accessible through an SSH network session. Knowing that RS-232C communication distances are short, why not use a wired network instead, which can reach a lot farther?
 
 
All of this was initially done using the standard Raspberry PI Raspbian OS distribution, but using the LEAF distribution instead really transforms the somewhat flaky PI into a very stable and dependable production platform, since everything then runs in RAM and no writes to the SD card ever occur once in operation... It is a well-known fact that it is only a matter of time before the Raspberry PI corrupts its SD card, making it fail to boot or run. This is mainly caused by random power failures occurring while the PI is writing to the SD card (further reading: https://hackaday.com/2016/08/03/single-board-revolution-preventing-flash-memory-corruption/).
 
 
==You will need==
 
 
 
#- one raspberry pi 1 and power supply, (or PI2 or PI3 but it will be overkill...)
 
#- rs232c to USB cable
 
#- one db9 female to female null modem
 
#- LEAF tarball distribution for PI1, at https://sourceforge.net/projects/leaf/files/Bering-uClibc/6.1.4/Bering-uClibc_6.1.4_raspberry-rpi.tar.gz/download
 
#- One SD card, 4 gig. is plenty
 
#- a pc running a modern Linux distribution GUI...
 
#- an SD card programmer
 
 
==Setting up the SD==
 
 
#- Download the tarball and unpack it in a suitably named directory
 
#- Put the SD card in the programmer, then make a single FAT32 partition, and format it as FAT32
 
#- Copy all the files from the unpacked tarball to the SD
 
 
#- Looking at the SD content:
 
 
WARNING---WARNING---WARNING
 
The procedure below will not work as written, because of the new signed lrp packages. Please consult  https://bering-uclibc.zetam.org/wiki/Bering-uClibc_6.x_-_User_Guide_-_Advanced_Topics_-_Unpacking_a_gpg_signed_lrp_package for a workaround to achieve the same result. Another "cleaner" way of doing this will be available with the upcoming LEAF distributions, where you can log in directly to LEAF using a browser; have a look at: https://bering-uclibc.zetam.org/wiki/Bering-uClibc_7.x_-_User_Guide_-_Basic_Configuration_-_Booting_for_the_First_Time#Successful_Boot_using_the_web_Browser_connection.
 
 
- find the package dropbear.lrp
 
- rename it to dropbear.tgz
 
- doubleclick it
 
- add DB_OPTIONS=" -B " at the end of /etc/default/dropbear
 
    this will allow a first root login with no password
 
- save file and update archive dropbear.tgz
 
- rename dropbear.tgz back to dropbear.lrp
 
- again, in the archive, find the file LEAF.CFG, and in "LRP=" list remove "shorewall" and "dnsmasq",
 
  and add "local" and "picocom" or "minicom",
 
    you should now have:
 
    LRP="license root nano local dhcpcd keyboard dropbear lighttpd webconf picocom patch"...
 
    It is important to remove "shorewall" here, its job is to block everything, and "dnsmasq" is not needed!
 
- unmount the SD card...
 
 
==Starting the Raspberry PI==
 
 
#- Put the SD card in the Raspberry PI, and power it up
 
#- After ~ 30 seconds, find out the PI's IP address, and ssh into it: ssh root@raspberry_pi_IP_address. On Android, the "fing" app does marvels ...
 
#- Set the new passwords for the OS and webconf, as you will be asked.
 
#- Open webconf from a browser http://raspberry_pi_IP_address to try it out
 
#- While you're there, it would be a good idea to comment-out eth1 in /etc/network/interfaces, look in Networking...
 
#- A good time also to do your "ssh-copy-id" to write ssh keys in /root/.ssh/authorized_keys (see https://bering-uclibc.zetam.org/wiki/Bering-uClibc_6.x_-_User_Guide_-_Advanced_Topics_-_Setting_Up_SSH_password-less_login_and_Port_Knocking )
 
 
==Correcting some bugs...==
 
 
from your already opened ssh session:
 
*- fix xterm: go to /etc/terminfo/x and "cp xterm xterm-256color" ... # the "lrcfg" menu needs xterm-256color so we make one up in B&W !
 
 
*- fix reboot: The busybox reboot command does not work, here is a hardware alternative done by connecting GPIO4 to the PI reset pin on P6 pin 1 (the square one). Solder a 2 pin header on P6 (https://i.imgur.com/jR8hmwG.jpg?1) and place a jumper wire between P6 pin 1 and GPIO4 on P1 pin 7 (https://i.imgur.com/R9dx5TH.jpg?1).
 
 
[[Image:JR8hmwG1.jpg|left|frame|alt=reset jumper|reset jumper]]
 
[[Image:P6_to_gpio4.jpg|center|frame|alt=reset jumper|reset jumper]]
 
 
 
*- create a new "reboot" command: first, make the script /root/GPIO4reboot.sh and second, change the old reboot command in /sbin...
 
 
the script /root/GPIO4reboot.sh will set gpio4 to low (0) which will reset the PI, a hard reboot !
 
 
cd /root
 
nano GPIO4reboot.sh
 
 
fill with this content:
 
 
#!/bin/sh
 
#
 
# reset using gpio4 connected to the PI reset, P6 pin 1 (square).
 
#
 
echo "4" > /sys/class/gpio/export            # we will talk to gpio4
 
echo "out" > /sys/class/gpio/gpio4/direction  # gpio4 on boot is a high-Z input, but defaults to low (0) as an output
 
 
don't forget to make the script executable with:
 
chmod 0755 GPIO4reboot.sh
 
 
Let's replace the non-working "reboot" command with our own hardware reboot command ...
 
 
cd /sbin
 
 
mv reboot old_reboot              # keep old command in case someone repairs/fixes busybox...
 
ln -s /root/GPIO4reboot.sh reboot  # the "reboot" command link now points to /root/GPIO4reboot.sh
 
 
 
 
*- set the local.local: everything we just did which is not part of the LEAF distribution has to be saved in /var/lib/lrpkg/local.local ...
 
 
lrcfg > 3) Packages configuration > 3) local > 1) list of files that should be saved >
 
 
fill with this content:
 
 
var/lib/lrpkg/local.local
 
etc/terminfo/x/xterm-256color
 
root/.ssh/authorized_keys
 
root/GPIO4reboot.sh
 
sbin/reboot
 
sbin/old_reboot
 
 
'''***and a very important final save:'''
 
 
lrcfg > s) save configuration
 
 
==Using the gateway==
 
 
#- now connect the RS-232C to USB cable with the null modem between your PI and your device serial port
 
#- open an ssh session to the PI
 
#- start picocom: picocom -b115200 /dev/ttyUSB0
 
#- hit return:... you should have the prompt to login in your router or whatever !
 
#- exit picocom with Ctrl-a Ctrl-x, help is Ctrl-a Ctrl-h
 
 
==Final thoughts==
 
 
 
*It would be a good idea to configure eth0 with a static IP address in /etc/network/interfaces. This would allow network communication between your workstation and the PI serial gateway even if your firewall and consequently DHCP server are down.
 
 
*You can also remove or comment out DB_OPTIONS=" -B " in /etc/default/dropbear to bring the security level back: dropbear will then no longer accept a login with no password.
 
 
*"picocom.lrp" is not part of the tarball yet, use "minicom.lrp" instead... or ask Kapeka !
 
 
*It's always nice to have a console if you "ever" :-) have to debug the PI, you will need a 3.3v ttl to usb adapter connected on Ground, GPIO14 (TX) and GPIO15 (RX) respectively pins 6, 8 and 10 on the header.
 
 
To enable  the console add to /etc/inittab:
 
ttyAMA0::respawn:/sbin/getty -L ttyAMA0 115200 vt100
 
and in /etc/securetty add:
 
ttyAMA0
 
and as usual: lrcfg >>> save !
 
 
*Using the PI as a full blown firewall has not been tested here, the feeling is that it would be too slow... volunteers are welcome ...
 
 
==Have fun==
 
by: jrb with kapeka's idea to use leaf !
 
 
 
 
[[Category:Bering-uClibc 6.x]]
 
[[Category:User Guide]]
 

Revision as of 21:07, 24 May 2021

Raspberry PIs installation of tarballs images

We will use:

Partition and format your SD card

We assume the PI will use an SD card for LEAF. As we said before, the PI becomes very reliable when running LEAF, so there is no appreciable gain in using a so-called "more reliable" USB key.

On an external PC running Linux, insert your SD card, and run:

dmesg 
or
sudo fdisk -l

to see which device your SD card is assigned to (let's assume we get /dev/sdb)...

Start the fdisk utility to partition your SD card.

sudo fdisk /dev/sdb

The safest approach is to delete any existing partition. To delete a partition type "d", to create a new partition type "n", choose "p" for a new primary partition, "1" for the partition number, accept the default values for First and Last Sector. To change the partition system id to W95 FAT32, choose "t" and "b".

You may have a look before writing the changes to your SD with the command "p". It should show something like this:

Device      Boot      Start         End           Blocks      Id         System
/dev/sdb1             2048        524287         261120        b         W95 FAT32

Save your changes with the command "w".

Format the SD card:

sudo mkfs.vfat -r 1024 /dev/sdb1

Mount the SD card:

sudo mount /dev/sdb1 /mnt
cd /mnt

Extract your tarball: extract the contents of your PI(n) downloaded file with a command like the following

sudo tar -xvzf ~/Download/Bering-uClibc/7.0.1/Bering-uClibc_7.0.1_raspberry-rpi3.tar.gz

Note that this assumes the downloaded file is located under your $HOME/Download directory.

cd
sudo umount /mnt

Insert the SD card in your PI.

Prepare your Raspberry PI

Connect your PI to your HDMI monitor and USB keyboard, and power it up ...

You will get a display on your HDMI screen just like on a VGA display and the keyboard will act like the Linux tty1 standard input device.

From here on you can configure everything on the PI. Let's look at some interesting and desirable setups...

Enabling the PI Linux serial console

As usual, there is a small catch-22 waiting for us... just have a look at the Raspberry Pi documentation on the UARTs here and you will find out that not all PIs are born equal... The important thing is that for LEAF the PI's /dev/ttyAMA0 should be the first PL011 (UART0).

... extracted from the PI's documentation:

By default, only UART0 is enabled. The following table summarises the assignment of the first two UARTs:

Model                  first PL011 (UART0)     mini UART
Raspberry Pi Zero      primary                 secondary
Raspberry Pi Zero W    secondary (Bluetooth)   primary
Raspberry Pi 1         primary                 secondary
Raspberry Pi 2         primary                 secondary
Raspberry Pi 3         secondary (Bluetooth)   primary
Raspberry Pi 4         secondary (Bluetooth)   primary

This means that for the PIs Zero W, 3 and 4, you will have to add dtoverlay=disable-bt at the end of the file config.txt to reassign UART0 as the primary UART .

mount /dev/mmcblk0p1 /mnt
cd /mnt
edit config.txt
... and add at the end dtoverlay=disable-bt

Doing so ensures that the serial interface conveniently becomes /dev/ttyAMA0 for all PIs in LEAF.

Now for the Linux console

The Linux console is simply enabled by touching 2 files:

/etc/inittab
add: 
...
# Example how to put a getty on a serial line (for a terminal)
#
ttyAMA0::respawn:/sbin/getty -L ttyAMA0 115200 vt100
... 

and

/etc/securetty
... add at the end of the file:
ttyAMA0
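
The three edits above (config.txt, /etc/inittab and /etc/securetty) collected into one helper that can be run repeatedly without duplicating lines. This is an added example, not part of the original page or of LEAF; the function names and the yes/no argument are hypothetical, and the file paths are passed in so it can be tried on copies first.

```sh
#!/bin/sh
# Added example: apply the serial console edits from this page idempotently.

# append_once FILE LINE: add LINE to FILE unless an identical line is already there.
append_once() {
    file=$1; line=$2
    [ -f "$file" ] || : > "$file"
    grep -qxF -- "$line" "$file" && return 0
    # If the file does not end with a newline, add one so LINE starts a new line.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        echo >> "$file"
    fi
    printf '%s\n' "$line" >> "$file"
}

# enable_serial_console CONFIG_TXT INITTAB SECURETTY NEEDS_BT_OFF
#   CONFIG_TXT    config.txt on the SD card FAT partition
#   NEEDS_BT_OFF  "yes" for the PI Zero W, 3 and 4, where Bluetooth holds UART0
enable_serial_console() {
    config_txt=$1; inittab=$2; securetty=$3; needs_bt_off=$4
    if [ "$needs_bt_off" = yes ]; then
        append_once "$config_txt" 'dtoverlay=disable-bt'
    fi
    # getty on the first PL011, as given on this page
    append_once "$inittab" 'ttyAMA0::respawn:/sbin/getty -L ttyAMA0 115200 vt100'
    # /etc/securetty lists the terminals on which root may log in
    append_once "$securetty" 'ttyAMA0'
}
```

On LEAF the changes under /etc only survive a reboot after the lrcfg save described on this page.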

The serial interface is available on the PI's GPIO pins 14(TX) and 15(RX). You can use any suitable converter to connect to it as long as it uses 3.3 volts DC.

Here are examples of a USB to TTL 3.3 volts converter: pins 14, 15 and ground...do not connect +3.3V.

[Image: PI2 ttl USB.jpg] [Image: 20210413 165052.png]


and an RS232C to TTL 3.3 volts converter: pins 14,15, +3.3V and ground

[Image: Rs232 ttl rpi2 APU2C2.jpg]


If you are using a USB converter, before rebooting your PI, run on your external PC:

picocom -b115200 /dev/ttyUSB0

After rebooting your PI, if you have both HDMI and serial displays still enabled, you should now see the console boot messages and login prompt on both.

You might be wondering what the push-button and the blue led are doing on the PI2 header ... they are leftovers for other OSs that are not as safe as LEAF regarding the SD card corruption on power failure, have a look here ...

Web browser method

You could have a look here at how LEAF now allows a secure web browser access on eth1 on platforms that have more than one NIC. The PIs (1, 2, 3 and 4), on the other hand, all have a single NIC, which will default to eth0 on LEAF. To ease and force a similar kind of access for your PI when connected to your local network, you should first temporarily remove the shorewall entry from the LRP=" list " in the leaf.cfg file:

On your external PC, with the SD card in the /mnt directory, edit the leaf.cfg file with

sudo nano leaf.cfg

find the line

LRP="license root nano dhcpcd keyboard shorewall dnsmasq dropbear lighttpd webconf patch"

and remove the shorewall entry ... save and exit nano, run sync and un-mount the SD card.

accessing your PI

Now insert the SD card in your PI, connect it to your local network, and power it up. Count to 100 :-)..., your local network DHCP server should assign an IP address to your PI. You can then access the PI from a web browser running on your external PC at http://dhcp.assigned.addr with admin:admin. To find out the IP address, use fing on Android or look in /var/lib/misc/dnsmasq.leases if you're already running a LEAF firewall local net.

You can always add other NICs to your PI with a suitable HAT add-on or a dongle and use it more like the intended LEAF box router, but remember to restore the shorewall entry. The PIs might not be the best router firewalls, but in these cases and for other networking purposes they become a very robust platform once loaded with LEAF, since the code is then executed in RAM only and no potentially destructive writes to the SD card ever happen while running.
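
A check for the two temporary relaxations this page makes, the dropbear `-B` option and the removal of shorewall from the LRP list, written as an added example rather than LEAF's own tooling. The function names are hypothetical, both file paths are arguments, and the shorewall finding only matters on a PI that is meant to run the firewall again.

```sh
#!/bin/sh
# Added example (not part of LEAF): report whether the two temporary
# relaxations described on this page are still in place.
#   $1 = dropbear defaults file (/etc/default/dropbear on the PI)
#   $2 = leaf.cfg on the SD card
# Prints one line per finding and returns the number of findings.
# Assumes options are written as separate words, as in DB_OPTIONS=" -B ".

# last_value FILE NAME: value of the last uncommented NAME= line,
# with quotes removed and whitespace collapsed to single spaces.
last_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        tr -d "\"'" | tr -s '[:space:]' ' '
}

audit_leaf_hardening() {
    findings=0
    opts=$(last_value "$1" DB_OPTIONS)
    lrp=$(last_value "$2" LRP)

    case " $opts " in
        *" -B "*)
            echo "dropbear: -B is set, a login with no password is accepted"
            findings=$((findings + 1)) ;;
    esac

    case " $lrp " in
        *" shorewall "*) ;;
        *)
            echo "leaf.cfg: shorewall is not in the LRP list"
            findings=$((findings + 1)) ;;
    esac

    return "$findings"
}
```

Call it as `audit_leaf_hardening /etc/default/dropbear /mnt/leaf.cfg` with the SD card mounted on /mnt; an exit status of 0 means neither relaxation was found.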

As of this writing, a naked PI Zero can only be accessed with the serial console, using GPIO 14 and 15 and a ttl-usb converter, since there is no NIC... The console has to be enabled by adding the file configdb.lrp to the media files.

The PI zero W is an interesting one, as it can be accessed thru WIFI... There is an example of its use here which does not use the serial console.