
Access System OpenWRT Tree

As of January 2016, we have moved to an OpenWRT based system, replacing the previous, carefully-engineered Gentoo system.

Why OpenWRT?

Why are we running a router distribution on a Raspberry Pi, I hear you ask?

  • OpenWRT provides a framework for building an entire embedded system – right up to the SD card images you can flash.
  • OpenWRT eases the pain of developing for embedded targets, especially with a cross compiler that just works.
  • OpenWRT has a very small footprint – the system image for the access system client is 10MB (this is the kernel and root filesystem, compressed)
  • I (Matt) happen to have quite a bit of experience building OpenWRT systems for actual products :)

Other distributions we could use include Buildroot (which OpenWRT was based on), or Yocto.

Access System Profiles

The OpenWRT base allows us to use the same tree for different use cases, and at some point in the future, different hardware platforms.

The three profiles available for the access system are:

  • Self Hosting – includes both the backend server and frontend (not implemented yet)
  • Client – Frontend only, accesses a server over the network. This is mainly intended for development purposes.
  • Thin Client – Runs entirely in RAM from the kernel boot onwards. Configuration is copied from the SD card on each boot.

The Thin Client profile is what is in production at CCHS.

Getting the source code

The source code is available from https://gitlab.com/mcbridematt-nfc-stuff/openwrt-raspi-cchs

Before configuring, a couple of external packages need to be imported from the OpenWRT package feeds.

Run:

./scripts/feeds update
./scripts/feeds install libnfc libfreefare libfreetype

Configuration and Build

NOTE: Currently, the tree has only been tested on the BCM2708 Raspberry Pi models, i.e. the original Model B. Support for other targets (Raspberry Pi 2, BeagleBone, others) is planned.

The first step is to configure a profile

  1. From the terminal, run “make menuconfig”
  2. Select the desired hardware platform (BCM2835) and profile (see above)
  3. Save and exit the configuration system
  4. Build the system. The first time you do this, OpenWRT will build the cross-compiler, which might take a while.
  5. Run: make -j3

Build outputs:

In bin/brcm2708/ there will be the following files:

  • openwrt-brcm2708-bcm2708-AccessPiThinClient-ext4-sdcard.img{.gz} – this is a full SD card image, ready to run
  • openwrt-brcm2708-bcm2708-AccessPiThinClient-initramfs-kernel.bin - This is the kernel/initramfs image only, for the “Thin Client” profile. To upgrade thin clients – just copy this file over the existing kernel.img

Client Configuration

You will need to:

  • Log into your Pi over SSH, username “root”. (This assumes you are using DHCP; if you are not, you will need to generate a network configuration file for OpenWRT.)

Until a root password is set, root logins are permitted without a password!!

Thin Client configuration

All configuration files are kept under the “cchs/” directory in the boot partition; these are copied to the relevant places in the ramdisk filesystem on boot. Under cchs, the following files are copied:

  • authorized_keys (SSH keys)
  • dropbear_rsa_host_key (SSH host key)
  • shadow (root and other passwords)
  • config (UCI configuration files → /etc/config)
  • copy_to_tmp – this folder is copied to /tmp/ as is

The process of copying the files is performed by /etc/init.d/mount-ro on boot:

Configure the access system
  • Set the CA and bundle path (if you are using SSL)
    • access.@access[0].cacertpath='/tmp/copy_to_tmp/ca.crt'
    • access.@access[0].clientbundlepath='/tmp/copy_to_tmp/client-certs.bundle'
  • Commit the UCI config and copy the config file to the SD card
    • uci commit access
  • Generate a root password, set it with passwd
  • Add your own SSH keys to /etc/dropbear/authorized_keys
  • Turn off password access to SSH, by editing /etc/config/dropbear:
      config dropbear
              option Port '22'
              option PasswordAuth 'off'
              option RootPasswordAuth 'off'

For a thin client, you will need to mount /boot and copy the files over:

mount /dev/mmcblk0p1 /boot
cp /etc/dropbear/authorized_keys /boot/cchs/
cp /etc/shadow /boot/cchs/
mkdir -p /boot/cchs/config/
# BusyBox ash has no brace expansion, so each file is named explicitly
cp /etc/config/access /etc/config/dropbear /etc/config/network /boot/cchs/config/

Then reboot – the client should be configured.
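Because the thin client rebuilds its credentials from cchs/ on every boot, it is worth checking the staged files before rebooting. The script below is an added example, not part of the CCHS tree: check_cchs and make_sample are hypothetical helper names, and the sample hash and key are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit a staged cchs/ directory (e.g. /boot/cchs) before reboot.
# check_cchs and make_sample are hypothetical helpers, not part of the CCHS tree.

# Prints one line per finding; the return status is the number of problems.
check_cchs() {
    dir=$1
    problems=0

    # Field 2 of root's shadow entry is the password hash; empty means
    # root can log in without a password.
    root_hash=$(awk -F: '$1 == "root" { print $2 }' "$dir/shadow" 2>/dev/null)
    if [ -z "$root_hash" ]; then
        echo "FAIL: no root password hash in $dir/shadow"
        problems=$((problems + 1))
    fi

    # With password logins off, at least one non-comment key line must exist.
    if ! grep -Evq '^[[:space:]]*(#|$)' "$dir/authorized_keys" 2>/dev/null; then
        echo "FAIL: no public key in $dir/authorized_keys"
        problems=$((problems + 1))
    fi

    # Both dropbear options must be explicitly disabled; a missing option
    # is reported too, since it is not an explicit 'off'.
    for opt in PasswordAuth RootPasswordAuth; do
        val=$(awk -v o="$opt" '$1 == "option" && $2 == o { print $3 }' \
            "$dir/config/dropbear" 2>/dev/null | tr -d "'\"" | tail -n 1)
        case $val in
            off|0|no|false|disabled) ;;
            *)  echo "FAIL: dropbear $opt is '${val:-unset}', expected 'off'"
                problems=$((problems + 1)) ;;
        esac
    done
    return "$problems"
}

# Constructed sample staging directory (hash and key are placeholders).
make_sample() {
    d=$(mktemp -d) && mkdir -p "$d/config"
    echo 'root:$1$CONSTRUCTED$placeholderhash:16800:0:99999:7:::' > "$d/shadow"
    echo 'ssh-rsa AAAAplaceholder user@example' > "$d/authorized_keys"
    printf "config dropbear\n\toption PasswordAuth 'off'\n\toption RootPasswordAuth 'off'\n" \
        > "$d/config/dropbear"
    echo "$d"
}

# Usage on the device, after mounting /boot: check_cchs /boot/cchs
```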

project/cchs/access_system/openwrt_tree.txt · Last modified: 2016/02/11 13:25 by mcbridematt