Archive Index (1999-2012) | 2013-current at | About  

Article: Embedding Debian GNU/Linux in a 32MB CompactFlash

Dec 26, 2002 — by LinuxDevices Staff — from the LinuxDevices Archive — 9 views

I started Hacom in November of 2002 to distribute the OpenBrick hardware platforms in the US. OpenBrick is a new kind of low-cost fan-less small computer targeting the Open Source / Free Software community, mainly Linux, FreeBSD, and OpenBSD. It is popular in Europe and attracted a large following of engineers, hackers, students, researchers, small Open Source companies, and ISPs to implement appliance-like applications in areas such as WiFi, broadband networks, communications, multimedia, and IP telephony.

The “OpenBrick-E” is an “enterprise” version of the OpenBrick, with three built-in RJ-45 LAN connectors. It is very small (8.6 x 6.5 x 1.6 in.) and light weight (less than 3 lbs). It has a fan-less 533 MHz x86-compatible VIA C3 processor. The default configuration includes 256MB of SDRAM and 32MB CompactFlash (CF) for persistent storage.

The guts of the OpenBrick-E

There are many software configurations that can be loaded into the OpenBrick-E, including: LEAF (Linux Emebbed Appliance Firewall), FreeBSD, and the Debian Linux and Mandrake Linux distributions. Unfortunately, only LEAF will fit into the 32MB CF, since the others require at least 64MB CF (FreeBSD), 128MB CF (Debian and Mandrake), or even a hard disk.

Although LEAF, especially the Bering and the WISP releases, makes the OpenBrick-E into a great Internet appliance, it is not easy to configure and requires specific technical knowledge of how LEAF works internally. Besides, LEAF fits very nicely in 4MB or less, and that leaves more than 28MB of CF unused in the default OpenBrick-E configuration. Being a Debian developer, I am also more comfortable working with the familiar Debian GNU/Linux desktop environment. I therefore decided to investigate how much of a command-line Debian desktop system I could be pack into the 32MB CF of the OpenBrick-E

Debian GNU/Linux

Debian is a full-featured Linux distribution that supports more than 11 architectures, including x86, m68k, Sparc, PowerPC, ARM/XScale, MIPS/mipsel, and SuperH. It has a reputation for reliability and security, plus a very powerful package manager. It would thus serve as a good base to create an embeddable Linux distribution that scales well from very large systems (100MB) down to very small systems (1MB), i.e. from the desktop down to the set-top.

Debootstrap is a utility in Debian's boot-floppy which is used to create a base system from scratch, without requiring the availability of other utilities from Debian package maintenance system. It does this by downloading Debian package files from a mirror site, and unpacking them into a designated directory which is then chrooted into later. Additional packages were added to the build script to allow debootstrap to build more than just a base Debian system. One of the advantages of using debootstrap is that it also takes care of the dependencies between different packages.

Since the OpenBrick-E has three built-in RJ-45 LAN connectors, it is ideal for use as a VPN/firewall/router system. The three network interfaces could easily be partitioned into Internet, DMZ, and local LAN.

Rear-panel I/O of the OpenBrick-E

The following packages were added to debootstrap's script to support these functionalities:

  • VPN (Virtual Private Network)
    • pptp-linux — Point-to-Point Tunneling Protocol (PPTP) Client. Client for the proprietary Microsoft Point-to-Point Tunneling Protocol, PPTP. Allows connection to a PPTP based VPN as used by employers and some cable and ADSL service providers.
    • pptpd — PoPToP Point to Point Tunneling Server. This implements a Virtual Private Networking Server (VPN) that is compatible with Microsoft VPN clients. It allows windows users to connect to an internal firewalled network using their dialup.

  • freeswan — IPSEC utilities for FreeSWan. IPSEC is Internet Protocol SECurity. It uses strong cryptography to provide both authentication and encryption services. Authentication ensures that packets are from the right sender and have not been altered in transit. Encryption prevents unauthorised reading of packet contents. These services allow you to build secure tunnels through untrusted networks. Everything passing through the untrusted net is encrypted by the IPSEC gateway machine and decrypted by the gateway at the other end. The result is Virtual Private Network or VPN. This is a network which is effectively private even though it includes machines at several different sites connected by the insecure Internet.
  • Shoreline Firewall (Shorewall) — the Shoreline Firewall (Shorewall) is an iptables based firewall that can be used on a dedicated firewall system, a multi-function masquerade gateway/server or on a standalone Linux system. Shorewall supports these features:
    • Customizable using configuration files.
    • Supports status monitoring with an audible alarm when an “interesting” packet is detected.
    • Include a fallback script that backs out the installation of the most recent version of Shoreline Firewall and an uninstall script for completely uninstalling the firewall.
    • Static NAT is supported.
    • Proxy ARP is supported.
    • Provides DMZ functionality.
    • Support for IPSEC, GRE and IPIP Tunnels.
    • Support for Traffic Control/Shaping.

  • Zebra — a GPL'd, BGP/OSPF/RIP capable routing daemon — GNU Zebra is free software (distributed under the GNU Generic Public License) which manages TCP/IP based routing protocols. It supports BGP 4, BGP4+, OSPFv2, OSPFv3, RIPv1, RIPv2, and RIPng as well as the IPv6 versions of these. Zebra uses threading if the kernel supports it, but can also run on kernels that do not support threading. Zebra is more than a router replacement, it can be used as a Route Server and a Route Reflector. Zebra is unique in design in that it has a process for each protocol.

Debootstrap created a 121MB bootable Debian filesystem with the VPN/firewall/router functionality. It is of similar size as the minimal Debian system created by the installer available on the OpenBrick portal.

Size Reductions

Since the default CF of the OpenBrick-E is only 32MB in size, the Debian filesystem would require a CF of at least 128MB to be usable. Several techniques were then applied to reduce the size so it can be fit into a 32MB CF.

The first reduction technique is to remove the documentation from the root filesystem. They include the Perl .pod files and everything under the following directories:


Two others that should either be trimmed or eliminated are . . .


/usr/share/locale provides locale information, so that users can see the system in their own languages, currency formats, etc. /usr/share/zoneinfo provides timezone definitions, so that users can see local time and perform timezone conversions. Both of these could certainly be trimmed down — a server which is going to be administered by a single person does not need locale information for languages that person does not speak; and a server which will be used in one place, and does not do complex time-related applications (e.g. calendaring) will never use more than one timezone definitions.

However, removing all of the documentation, the locale, and timezone information only reduces the size of the Debian root filesystem to 88MB, which is still much too large to fit into a 32MB CF.

The next step is to compress the root filesystem. There are three approaches to compress a filesystem: cloop, cramfs, and JFFS2. Cloop is a kernel module written by Paul Russel to add support for filesystem-independent transparently decompressed, read-only block devices. Cramfs is compressed read-only ROM filesystem. JFFS2 is the journaling flash file system version 2, which also includes compression. Following are the size results of using the three compressed file systems.

    Cloop — 27.6MB
    Cramfs — 34.1MB
    JFFS2 — 31.3MB

Using the cloop utilities, the root filesystem is compressed down to less than 28MB to fit into a 32MB CF. It is then later mounted as a read-only filesystem through the cloop kernel module. JFFS2 would have been a better choice even with slightly less compression ratio than cloop. However, JFFS2 takes a very long time, several minutes, during boot up, which becomes unacceptable.

Mount in bind mode

Using cloop, the root filesystem is mounted as read-only. To allow changes in the configurations, the bind mode feature of mount is used. Following is the fstab file used in the 32MB CF filesystem

tmpfs / tmpfs defaults 0 0
/dev/hdc1 /initrd/mnt/flash ext2 defaults 0 0
/initrd/mnt/flash/etc /etc ext2 rw,bind 0 0
/initrd/mnt/flash/home /home ext2 rw,bind 0 0
/initrd/mnt/flash/root /root ext2 rw,bind 0 0
/dev/cloop /initrd/mnt/cloop ext2 ro,noauto 0 0
/initrd/mnt/cloop/bin /bin ext2 ro,bind 0 0
/initrd/mnt/cloop/lib /lib ext2 ro,bind 0 0
/initrd/mnt/cloop/sbin /sbin ext2 ro,bind 0 0
/initrd/mnt/cloop/usr /usr ext2 ro,bind 0 0
/initrd/mnt/cloop/var /var ext2 ro,bind 0 0
proc /proc proc defaults 0 0
tmpfs /tmp tmpfs defaults,noatime 0 0
tmpfs /var/run tmpfs defaults,noatime 0 0
tmpfs /var/log tmpfs defaults,noatime 0 0
tmpfs /var/lock tmpfs defaults,noatime 0 0
tmpfs /var/tmp tmpfs defaults,noatime 0 0

As indicated in the fstab file, the root filesystem is actually the ram disk, mounted as tmpfs by the initrd. The ext2 filesystem on the 32 MB CF contains the cloop compressed filesystem and also several other directories that should be mounted as writable, like /etc, /home, and /root. It is mounted at the /initrd/mnt/flash. The writable directories are then mounted individually using the bind option. The cloop compressed filesystem is also mounted as /initrd/mnt/cloop. Its read-only directories are then inidividually mounted again using the bind option as /bin, /lib, /sbin, /usr, and /var.

Configuration and setup of the 32MB CF system require a good system administration knowledge of the Debian GNU/Linux distribution. All of the configuration files are available to be setup at the command line level. The 32MB CF Debian-based system does need a more polished graphical user interface (GUI) to become a functional VPN appliances to general end-users.


A 32MB CompactFlash image can be downloaded here. There is also a brief installation guide there.

[Thanks go to John Stracke, for his comments regarding /usr/share/locale and /usr/share/zoneinfo.]

About the author: Bao C. Ha has been working in systems architecture, project management, design, development, and implementation ranging from embedded network appliances to enterprise N-tier e-commerce website server farms. He also teaches a section of the Analog Electronics Laboratory course at the UCLA Electrical Engineering department, and holds a PhD in Chemical Engineering from the University of Michigan.

This article was originally published on and has been donated to the open source community by QuinStreet Inc. Please visit for up-to-date news and articles about Linux and open source.

Comments are closed.