As per latest comments from Prakash incorporating debian/preinst changes here

justsanjeev · justsanjeev · commit 271dde189da7 · 2026-05-06T17:59:20.000+05:30
diff --git a/upgrade/upgrade-scripts/common.sh b/upgrade/upgrade-scripts/common.sh
@@ -530,32 +530,3 @@ function fix_and_migrate_services() {
 		telegraf.service
 	EOF
 }
-
-
-function update_fstab_for_upgrade() {
-  # shellcheck disable=SC2155
-  fstab_backup="/etc/fstab.bak.$(date +%s)"
-
-  # Backup current fstab
-  cp /etc/fstab "$fstab_backup" || die "failed to backup /etc/fstab to $fstab_backup"
-
-  # Update legacy /export/home paths to /home
-  sed -i 's|/export/home|/home|g' /etc/fstab /etc/passwd || warn "failed to update legacy /export/home paths"
-
-  # Ensure /home directory exists
-  mkdir -p /home || die "failed to create /home directory"
-
-  # Attempt to mount /home with new flags
-  if ! mount /home 2>/dev/null; then
-    warn "failed to mount /home with new fstab configuration"
-  fi
-
-  # Validate the entire fstab by attempting to mount all entries
-  if ! mount -a 2>/dev/null; then
-    warn "fstab validation failed, restoring backup"
-    cp "$fstab_backup" /etc/fstab || die "failed to restore fstab backup from $fstab_backup"
-    die "fstab modification failed validation; backup restored"
-  fi
-
-  echo "Successfully updated /etc/fstab with security compliance flags (nodev,nosuid)"
-}
diff --git a/upgrade/upgrade-scripts/execute b/upgrade/upgrade-scripts/execute
@@ -183,13 +183,6 @@ if [[ -n "$CURRENT_VERSION" ]]; then
 	[[ -n "$ROOTFS_CONTAINER" ]] ||
 		die "unable to determine currently mounted rootfs container"
 
-  #
-  # Update fstab for security compliance before performing any upgrade
-  # operations. This ensures the system is properly configured before
-  # package installation and snapshot creation.
-  #
-  update_fstab_for_upgrade
-
 	#
 	# It's possible for this script to be run multiple times,
 	# and each time this script is run, we want to keep a
@@ -228,6 +221,32 @@ if [[ -n "$CURRENT_VERSION" ]]; then
 		"$ROOTFS_CONTAINER" "$ROOTFS_CONTAINER@execute-upgrade.$UNIQUE"
 fi
 
+#
+# Home directories were previously mounted under /export/home, and this was
+# changed to /home. This upgrade logic updates the /etc/fstab and /etc/passwd
+# files to reflect that change.
+#
+# Home directories will be mounted in both /export/home and /home until the
+# system is rebooted to ensure that running processes referencing the old
+# /export/home paths continue to function while also enabling new logins
+# under /home to work.
+#
+# This check only runs outside a container and during upgrades, consistent
+# with the pattern used for the GRUB and nodev/nosuid updates.
+#
+if [[ -n "$CURRENT_VERSION" ]] && ! systemd-detect-virt -qc; then
+	if grep -q "/export/home" /etc/fstab; then
+		sed -i 's|/export/home|/home|g' /etc/fstab ||
+			die "failed to update /export/home to /home in /etc/fstab"
+		mount /home || die "failed to mount /home"
+	fi
+
+	if grep -q "/export/home" /etc/passwd; then
+		sed -i 's|/export/home|/home|g' /etc/passwd ||
+			die "failed to update /export/home to /home in /etc/passwd"
+	fi
+fi
+
 #
 # Delete the central /etc/apt/sources.list and also all files in
 # /etc/apt/sources.list.d/ because only the Delphix repository
@@ -761,6 +780,25 @@ if ! systemd-detect-virt -qc; then
 		die "failed to set-bootfs '$ROOTFS_CONTAINER'"
 fi
 
+#
+# Ensure nodev and nosuid mount options are present for the /home entry
+# in /etc/fstab on the running host system. This is required for CIS
+# compliance on systems being upgraded that predate this hardening.
+# New upgrade containers already have these options set by upgrade-container.
+# This check is idempotent and only runs outside a container, consistent
+# with the pattern used for the GRUB update above.
+#
+if ! systemd-detect-virt -qc; then
+	if grep -qE '^[^#].*[[:space:]]/home[[:space:]]' /etc/fstab; then
+		if ! grep -qE '^[^#].*[[:space:]]/home[[:space:]].*nodev' /etc/fstab ||
+			! grep -qE '^[^#].*[[:space:]]/home[[:space:]].*nosuid' /etc/fstab; then
+			sed -i '/^[^#].*[[:space:]]\/home[[:space:]]/ s/defaults/defaults,nodev,nosuid/' \
+				/etc/fstab ||
+				die "failed to add nodev,nosuid to /home entry in /etc/fstab"
+		fi
+	fi
+fi
+
 systemctl reload delphix-platform.service ||
 	die "failed to reload delphix-platform.service"
 
diff --git a/upgrade/upgrade-scripts/upgrade-container b/upgrade/upgrade-scripts/upgrade-container
@@ -212,19 +212,19 @@ function create_upgrade_container() {
 	# associated with that rootfs dataset. The mounts need to happen
 	# before the zfs-import service is run.
 	#
-    cat <<-EOF >"$DIRECTORY/etc/fstab"
-      rpool/ROOT/$CONTAINER/home /home zfs defaults,nodev,nosuid,x-systemd.before=zfs-import-cache.service 0 0
-      rpool/ROOT/$CONTAINER/data /var/delphix zfs defaults,x-systemd.before=zfs-import-cache.service 0 0
-      rpool/ROOT/$CONTAINER/log  /var/log     zfs defaults,x-systemd.before=zfs-import-cache.service 0 0
-      rpool/crashdump            /var/crash   zfs defaults,x-systemd.before=zfs-import-cache.service,x-systemd.before=kdump-tools.service 0 0
-    EOF
-
-    if $TMP_DATASETS_EXIST; then
-      cat <<-EOF >>"$DIRECTORY/etc/fstab"
-                 rpool/ROOT/$CONTAINER/tmp  /tmp         zfs defaults,nosuid,nodev,exec,x-systemd.before=zfs-import-cache.service 0 0
-                 rpool/ROOT/$CONTAINER/vartmp  /var/tmp  zfs defaults,nosuid,nodev,exec,x-systemd.before=zfs-import-cache.service 0 0
-      EOF
-    fi
+	cat <<-EOF >"$DIRECTORY/etc/fstab"
+		rpool/ROOT/$CONTAINER/home /home zfs defaults,nodev,nosuid,x-systemd.before=zfs-import-cache.service 0 0
+		rpool/ROOT/$CONTAINER/data /var/delphix zfs defaults,x-systemd.before=zfs-import-cache.service 0 0
+		rpool/ROOT/$CONTAINER/log  /var/log     zfs defaults,x-systemd.before=zfs-import-cache.service 0 0
+		rpool/crashdump            /var/crash   zfs defaults,x-systemd.before=zfs-import-cache.service,x-systemd.before=kdump-tools.service 0 0
+	EOF
+
+	if $TMP_DATASETS_EXIST; then
+		cat <<-EOF >>"$DIRECTORY/etc/fstab"
+			         rpool/ROOT/$CONTAINER/tmp  /tmp         zfs defaults,nosuid,nodev,exec,x-systemd.before=zfs-import-cache.service 0 0
+			         rpool/ROOT/$CONTAINER/vartmp  /var/tmp  zfs defaults,nosuid,nodev,exec,x-systemd.before=zfs-import-cache.service 0 0
+		EOF
+	fi
 
 	#
 	# DLPX-75089 - Since older versions of Delphix did not properly
