DLPX-86523 CIS: /home filesystem and mount options

Squash of #756: mount the home ZFS dataset at
/home instead of /export/home for CIS compliance, with nodev,nosuid on
the /home fstab entry. Includes the build-side fstab (90-raw-disk-image),
upgrade-container template, ansible role path updates, and the upgrade
execute changes as authored in #756.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Author: 2 people

live-build/config/hooks/vm-artifacts/90-raw-disk-image.binary

@@ -1,6 +1,6 @@
 #!/bin/bash -ex
 #
-# Copyright 2018 Delphix
+# Copyright 2018, 2026 Delphix
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -274,8 +274,8 @@ zfs create \
 # contents. During normal boot up, we'll rely on "/etc/fstab" to handle
 # these mounts.
 #
-mkdir -p "$DIRECTORY/export/home"
-mount -t zfs "$FSNAME/ROOT/$FSNAME/home" "$DIRECTORY/export/home"
+mkdir -p "$DIRECTORY/home"
+mount -t zfs "$FSNAME/ROOT/$FSNAME/home" "$DIRECTORY/home"
 
 mkdir -p "$DIRECTORY/var/delphix"
 mount -t zfs "$FSNAME/ROOT/$FSNAME/data" "$DIRECTORY/var/delphix"
@@ -314,7 +314,7 @@ rsync --info=stats3 -WaAX binary/* "$DIRECTORY/"
 # automatically whenever we boot into the crash kernel.
 #
 cat <<-EOF >"$DIRECTORY/etc/fstab"
-	rpool/ROOT/$FSNAME/home /export/home zfs defaults,x-systemd.before=zfs-import-cache.service 0 0
+	rpool/ROOT/$FSNAME/home /home zfs defaults,nodev,nosuid,x-systemd.before=zfs-import-cache.service 0 0
 	rpool/ROOT/$FSNAME/data /var/delphix zfs defaults,x-systemd.before=zfs-import-cache.service 0 0
 	rpool/ROOT/$FSNAME/log  /var/log     zfs defaults,x-systemd.before=zfs-import-cache.service 0 0
 	rpool/ROOT/$FSNAME/tmp  /tmp     zfs defaults,nosuid,nodev,exec,x-systemd.before=zfs-import-cache.service 0 0
@@ -440,7 +440,7 @@ done
 
 umount "$DIRECTORY/var/log"
 umount "$DIRECTORY/var/delphix"
-umount "$DIRECTORY/export/home"
+umount "$DIRECTORY/home"
 umount "$DIRECTORY/tmp"
 umount "$DIRECTORY/var/tmp"
 umount "/var/crash"

live-build/misc/ansible-roles/appliance-build.masking-development/tasks/main.yml

@@ -1,5 +1,5 @@
 #
-# Copyright 2018 Delphix
+# Copyright 2018, 2026 Delphix
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -26,14 +26,14 @@
 - git:
     repo: "https://{{ lookup('env', 'GITHUB_TOKEN') }}@github.com/delphix/dms-core-gate.git"
     dest:
-      "/export/home/delphix/dms-core-gate"
+      "/home/delphix/dms-core-gate"
     version: "develop"
     accept_hostkey: yes
     update: no
   when: lookup('env', 'GITHUB_TOKEN') != ''
 
 - file:
-    path: "/export/home/delphix/{{ item }}"
+    path: "/home/delphix/{{ item }}"
     owner: delphix
     group: staff
     mode: "g+w"

live-build/misc/ansible-roles/appliance-build.minimal-common/tasks/main.yml

@@ -1,5 +1,5 @@
 #
-# Copyright 2018 Delphix
+# Copyright 2018, 2026 Delphix
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -26,7 +26,7 @@
   no_log: true
 
 - file:
-    path: /export/home
+    path: /home
     state: directory
     mode: 0755
 
@@ -39,7 +39,7 @@
     shell: /bin/bash
     create_home: yes
     comment: Delphix User
-    home: /export/home/delphix
+    home: /home/delphix
     password:
       "{{ lookup('env', 'APPLIANCE_PASSWORD') | password_hash('sha512') }}"
 

live-build/misc/ansible-roles/appliance-build.minimal-internal/tasks/main.yml

@@ -34,6 +34,7 @@
   ansible.builtin.pip:
     name: awscli
     break_system_packages: true
+    extra_args: --no-cache-dir
   become: true
 
 # Add /usr/local/bin to the PATH (awscli needs it)

live-build/misc/ansible-roles/appliance-build.unittest-internal/tasks/main.yml

@@ -94,7 +94,7 @@
 - user:
     name: testrunner
     comment: "Delphix"
-    home: /export/home/testrunner
+    home: /home/testrunner
     groups: docker
     password:
       "$6$pWQE0MPZWgue7fNC$8RvR0u04Mt67792b.x4ao0G2Z/H/hrYPWezOqCkz59MIA\

live-build/misc/ansible-roles/appliance-build.virtualization-development/tasks/main.yml

@@ -1,5 +1,5 @@
 #
-# Copyright 2018 Delphix
+# Copyright 2018, 2026 Delphix
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -73,14 +73,14 @@
 
 - git:
     repo: "https://{{ lookup('env', 'GITHUB_TOKEN') }}@github.com/delphix/dlpx-app-gate.git"
-    dest: "/export/home/delphix/dlpx-app-gate"
+    dest: "/home/delphix/dlpx-app-gate"
     version: "develop"
     accept_hostkey: yes
     update: no
   when: lookup('env', 'GITHUB_TOKEN') != ''
 
 - file:
-    path: "/export/home/delphix/{{ item }}"
+    path: "/home/delphix/{{ item }}"
     owner: delphix
     group: staff
     mode: "g+w"

live-build/misc/ansible-roles/appliance-build.zfsonlinux-development/tasks/main.yml

@@ -1,5 +1,5 @@
 #
-# Copyright 2018 Delphix
+# Copyright 2018, 2026 Delphix
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -67,26 +67,26 @@
 - git:
     repo: "https://{{ lookup('env', 'GITHUB_TOKEN') }}@github.com/delphix/zfs.git"
     dest:
-      "/export/home/delphix/zfs"
+      "/home/delphix/zfs"
     version: develop
     accept_hostkey: yes
     update: no
   when: lookup('env', 'GITHUB_TOKEN') != ''
 
 - file:
-    path: "/export/home/delphix/zfs"
+    path: "/home/delphix/zfs"
     owner: delphix
     group: staff
     state: directory
     recurse: yes
 
 - file:
-    path: "/export/home/delphix/.cargo/"
+    path: "/home/delphix/.cargo/"
     state: directory
     owner: delphix
     group: staff
 - copy:
-    dest: "/export/home/delphix/.cargo/config.toml"
+    dest: "/home/delphix/.cargo/config.toml"
     content: |
         [target.x86_64-unknown-linux-gnu]
         rustflags = ["-C", "link-arg=-B/usr/libexec/mold"]

upgrade/FAQ.md

@@ -89,7 +89,7 @@ resemble the following:
 
 A "rootfs container" is a collection of ZFS datasets that can be used as
 the "root filesytsem" of the appliance. This includes a dataset for "/"
-of the appliance, but also seperate datasets for "/export/home" and
+of the appliance, but also seperate datasets for "/home" and
 "/var/delphix".
 
 Here's an example of the datasets for a rootfs container:

upgrade/upgrade-scripts/execute

@@ -221,6 +221,32 @@ if [[ -n "$CURRENT_VERSION" ]]; then
 		"$ROOTFS_CONTAINER" "$ROOTFS_CONTAINER@execute-upgrade.$UNIQUE"
 fi
 
+#
+# Home directories were previously mounted under /export/home, and this was
+# changed to /home. This upgrade logic updates the /etc/fstab and /etc/passwd
+# files to reflect that change.
+#
+# Home directories will be mounted in both /export/home and /home until the
+# system is rebooted to ensure that running processes referencing the old
+# /export/home paths continue to function while also enabling new logins
+# under /home to work.
+#
+# This check only runs outside a container and during upgrades, consistent
+# with the pattern used for the GRUB and nodev/nosuid updates.
+#
+if [[ -n "$CURRENT_VERSION" ]] && ! systemd-detect-virt -qc; then
+	if grep -q "/export/home" /etc/fstab; then
+		sed -i 's|/export/home|/home|g' /etc/fstab ||
+			die "failed to update /export/home to /home in /etc/fstab"
+		mount /home || die "failed to mount /home"
+	fi
+
+	if grep -q "/export/home" /etc/passwd; then
+		sed -i 's|/export/home|/home|g' /etc/passwd ||
+			die "failed to update /export/home to /home in /etc/passwd"
+	fi
+fi
+
 #
 # Delete the central /etc/apt/sources.list and also all files in
 # /etc/apt/sources.list.d/ because only the Delphix repository
@@ -752,6 +778,25 @@ if ! systemd-detect-virt -qc; then
 		die "failed to set-bootfs '$ROOTFS_CONTAINER'"
 fi
 
+#
+# Ensure nodev and nosuid mount options are present for the /home entry
+# in /etc/fstab on the running host system. This is required for CIS
+# compliance on systems being upgraded that predate this hardening.
+# New upgrade containers already have these options set by upgrade-container.
+# This check is idempotent and only runs outside a container, consistent
+# with the pattern used for the GRUB update above.
+#
+if ! systemd-detect-virt -qc; then
+	if grep -qE '^[^#].*[[:space:]]/home[[:space:]]' /etc/fstab; then
+		if ! grep -qE '^[^#].*[[:space:]]/home[[:space:]].*nodev' /etc/fstab ||
+			! grep -qE '^[^#].*[[:space:]]/home[[:space:]].*nosuid' /etc/fstab; then
+			sed -i '/^[^#].*[[:space:]]\/home[[:space:]]/ s/defaults/defaults,nodev,nosuid/' \
+				/etc/fstab ||
+				die "failed to add nodev,nosuid to /home entry in /etc/fstab"
+		fi
+	fi
+fi
+
 systemctl reload delphix-platform.service ||
 	die "failed to reload delphix-platform.service"
 

upgrade/upgrade-scripts/upgrade-container

@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright 2018, 2025 Delphix
+# Copyright 2018, 2026 Delphix
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -177,7 +177,7 @@ function create_upgrade_container() {
 		-o mountpoint=legacy \
 		"$ROOTFS_DATASET/home@$SNAPSHOT_NAME" \
 		"rpool/ROOT/$CONTAINER/home" ||
-		die "failed to create upgrade /export/home clone"
+		die "failed to create upgrade /home clone"
 
 	zfs clone \
 		-o mountpoint=legacy \
@@ -213,7 +213,7 @@ function create_upgrade_container() {
 	# before the zfs-import service is run.
 	#
 	cat <<-EOF >"$DIRECTORY/etc/fstab"
-		rpool/ROOT/$CONTAINER/home /export/home zfs defaults,x-systemd.before=zfs-import-cache.service 0 0
+		rpool/ROOT/$CONTAINER/home /home zfs defaults,nodev,nosuid,x-systemd.before=zfs-import-cache.service 0 0
 		rpool/ROOT/$CONTAINER/data /var/delphix zfs defaults,x-systemd.before=zfs-import-cache.service 0 0
 		rpool/ROOT/$CONTAINER/log  /var/log     zfs defaults,x-systemd.before=zfs-import-cache.service 0 0
 		rpool/crashdump            /var/crash   zfs defaults,x-systemd.before=zfs-import-cache.service,x-systemd.before=kdump-tools.service 0 0