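#!/bin/sh
#
# Builds a stripped-down Debian root filesystem: installs the few runtime
# packages the image needs, opens root up for console use, then removes
# everything that is not required at run time (including apt and dpkg).

# -e: stop at the first failing command; -x: trace every command to the log.
set -ex

# Exported before the first apt-get call so that no maintainer script can
# stall an unattended build on a debconf prompt.
export DEBIAN_FRONTEND=noninteractive

apt-get -y install --no-install-recommends \
	initramfs-tools libpng16-16 weston strace libsensors5

# SECURITY: the next three commands leave root without any authentication.
#   - passwd -d gives root an empty password.
#   - chsh without a login name changes the shell of the user running the
#     script (root during the image build).
#   - /init -> /bin/sh; presumably so that a kernel booting this tree as an
#     initramfs starts a shell as PID 1 (confirm against the boot setup).
# That is only appropriate for a lab or CI image reached over an isolated
# console. For anything reachable by other users or over a network, lock the
# account or set a password instead.
passwd -d root
chsh -s /bin/sh
ln -s /bin/sh /init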
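#######################################################################
# Strip the image to a small minimal system without removing the debian
# toolchain.

# Replace /etc/localtime with a plain copy of the UTC zone file so that the
# tzdata package can be purged below.
rm -rf /etc/localtime
cp /usr/share/zoneinfo/Etc/UTC /etc/localtime

# Space-separated list; the loop below relies on word splitting, which is
# why the expansion in the "for" line is intentionally left unquoted.
UNNEEDED_PACKAGES="libfdisk1 tzdata"

export DEBIAN_FRONTEND=noninteractive

# Removing unused packages
for PACKAGE in ${UNNEEDED_PACKAGES}
do
	echo "${PACKAGE}"
	# Any apt-get failure ends up in this branch, not only "package absent";
	# the build carries on either way, so check the log if a package survives.
	if ! apt-get remove --purge --yes "${PACKAGE}"
	then
		echo "WARNING: ${PACKAGE} isn't installed"
	fi
done

apt-get autoremove --yes || true

# Dropping logs
rm -rf /var/log/*

# Dropping documentation, localization, i18n files, etc
rm -rf /usr/share/doc/*
rm -rf /usr/share/locale/*
rm -rf /usr/share/man
rm -rf /usr/share/i18n/*
rm -rf /usr/share/info/*
rm -rf /usr/share/lintian/*
rm -rf /usr/share/common-licenses/*
rm -rf /usr/share/mime/*

# Dropping reportbug scripts
rm -rf /usr/share/bug

# Drop udev hwdb not required on a stripped system
rm -rf /lib/udev/hwdb.bin /lib/udev/hwdb.d/*

# Everything from here on uses paths relative to the image root. Pin the
# working directory so that a caller started elsewhere cannot make these
# recursive deletions hit an unrelated directory tree.
cd /

# Drop all gconv conversions && binaries
rm -rf usr/bin/iconv
rm -rf usr/sbin/iconvconfig
rm -rf usr/lib/*/gconv/

# Remove libusb database
rm -rf usr/sbin/update-usbids
rm -rf var/lib/usbutils/usb.ids
rm -rf usr/share/misc/usb.ids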
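#######################################################################
# Crush into a minimal production image to be deployed via some type of image
# updating system.
# IMPORTANT: The Debian system is no longer functional at this point,
# for example, apt and dpkg will stop working
#
# The list below also removes gnupg, gpgv and debian-archive-keyring, so the
# resulting image has no package manager and no archive signature
# verification left. Nothing can be installed or patched in place afterwards;
# fixes have to arrive as a rebuilt image. The passwd package goes as well,
# which leaves no passwd tool in the image to change the account settings
# made earlier in this script.

# One space-separated string; the backslash-newlines sit inside the quotes,
# so the value ends at the closing quote and does not depend on a blank line
# following the assignment.
UNNEEDED_PACKAGES="apt libapt-pkg5.0 \
ncurses-bin ncurses-base libncursesw5 libncurses5 \
perl-base \
debconf libdebconfclient0 \
e2fsprogs e2fslibs libfdisk1 \
insserv \
udev \
init-system-helpers \
bash \
cpio \
passwd \
libsemanage1 libsemanage-common \
libsepol1 \
gzip \
gnupg \
gpgv \
hostname \
adduser \
debian-archive-keyring \
libgl1 libgl1-mesa-dri libglapi-mesa libglvnd0 libglx-mesa0 libegl-mesa0 libgles2 \
libllvm7 \
libx11-data libthai-data \
systemd dbus"

# Removing unneeded packages
# --force-remove-essential and --force-depends switch off dpkg's own safety
# checks: essential packages are removed and dependencies are left broken on
# purpose. The expansion is unquoted so that the list is word-split.
for PACKAGE in ${UNNEEDED_PACKAGES}
do
	echo "Forcing removal of ${PACKAGE}"
	# A failed purge is only reported; the loop continues with the next package.
	if ! dpkg --purge --force-remove-essential --force-depends "${PACKAGE}"
	then
		echo "WARNING: ${PACKAGE} isn't installed"
	fi
done

# Show what's left package-wise before dropping dpkg itself
# (sorted by installed size; this is the last package inventory the build
# can produce, so it is worth keeping with the build log)
COLUMNS=300 dpkg-query -W --showformat='${Installed-Size;10}\t${Package}\n' | sort -k1,1n

# Drop dpkg
dpkg --purge --force-remove-essential --force-depends dpkg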
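# All paths below are relative to the image root. Pin the working directory
# so that a caller started elsewhere cannot make these deletions (several of
# them recursive) hit an unrelated directory tree.
cd /

# Note: the plain "rm" and "rmdir" calls below (no -f) fail when their target
# is missing, which stops the build under "set -e" and so makes an unexpected
# image layout visible.

# No apt or dpkg, no need for its configuration archives
rm -rf etc/apt
rm -rf etc/dpkg

# Drop directories not part of ostree
# Note that /var needs to exist as ostree bind mounts the deployment /var over
# it
rm -rf var/* opt srv share

# ca-certificates are in /etc, drop the source
# NOTE(review): on a stock Debian layout the per-certificate entries under
# /etc/ssl/certs are symlinks into usr/share/ca-certificates and would be left
# dangling here; confirm that TLS clients in the image read the bundle file.
rm -rf usr/share/ca-certificates

# No bash, no need for completions
rm -rf usr/share/bash-completion

# No zsh, no need for completions
rm -rf usr/share/zsh/vendor-completions

# drop gcc-6 python helpers
rm -rf usr/share/gcc-6

# Drop sysvinit leftovers
rm -rf etc/init.d
rm -rf etc/rc[0-6S].d

# Drop upstart helpers
rm -rf etc/init

# Various xtables helpers
rm -rf usr/lib/xtables

# Drop all locales
# TODO: only remaining locale is actually "C". Should we really remove it?
rm -rf usr/lib/locale/*

# partition helpers
rm usr/sbin/*fdisk

# locale compiler
rm usr/bin/localedef

# For the find calls below, -prune stops find from descending into a match
# that "rm -r" is about to delete.

# Systemd dns resolver
find usr etc -name '*systemd-resolve*' -prune -exec rm -r {} \;

# Systemd network configuration
find usr etc -name '*networkd*' -prune -exec rm -r {} \;

# systemd ntp client
find usr etc -name '*timesyncd*' -prune -exec rm -r {} \;

# systemd hw database manager
find usr etc -name '*systemd-hwdb*' -prune -exec rm -r {} \;

# No need for fuse
find usr etc -name '*fuse*' -prune -exec rm -r {} \;

# lsb init function leftovers
rm -rf usr/lib/lsb

# Only needed when adding libraries
rm usr/sbin/ldconfig*

# Games, unused
rmdir usr/games

# Remove pam module to authenticate against a DB
# plus libdb-5.3.so that is only used by this pam module
rm usr/lib/*/security/pam_userdb.so
rm usr/lib/*/libdb-5.3.so

# remove NSS support for nis, nisplus and hesiod
rm usr/lib/*/libnss_hesiod*
rm usr/lib/*/libnss_nis*

# Drop tar as well
rm usr/bin/tar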