Skip to content

DLPX-86523 CIS: /home filesystem and mount options#756

Open
justsanjeev wants to merge 18 commits into
developfrom
dlpx/pr/justsanjeev/d7de7bc9-e96b-43ee-b26a-76a6325f7d86
Open

DLPX-86523 CIS: /home filesystem and mount options#756
justsanjeev wants to merge 18 commits into
developfrom
dlpx/pr/justsanjeev/d7de7bc9-e96b-43ee-b26a-76a6325f7d86

Conversation

@justsanjeev

@justsanjeev justsanjeev commented Apr 18, 2024
edited
Loading

Copy link
Copy Markdown

Problem

CIS is looking or a single home directory filesystem mounted at the /home location, currently we have the home dataset is mounted on /export/home

Due to that we see the below issues in the CIS Report

  • (1.45) 7402 Status of the '/home' partition in the '/etc/fstab' file
  • (1.46) 13248 Status of Mount Partition '/home' using mount command
  • (1.47) 7403 Status of the 'nodev' mount option setting for the '/home partition' defined in the '/etc/ fstab' file
  • (1.48) 14601 Status of the 'nodev' option for '/home' partition using 'mount' command

Solution

Mounting the home dataset to `/home`.
  • Upgrade scripts are modified to mount the data set to a new mount path.
  • Ansible scripts modified for new home mount path.

Testing Done

I have worked on suggestions on PR(s) and posted new changes -

The major changes are

Build: https://selfservice-jenkins.eng-tools-prd.aws.delphixcloud.com/job/appliance-build-orchestrator-pre-push/14047/console 🟢

  • Manual Upgrade with a unstructured source mounted and a vdb created. Upgrades are tested from 2026.3.0.0 to develop[s3://dev-de-images/builds/jenkins-selfservice/appliance-build/develop/pre-push/6578/upgrade-artifacts/internal-qa.upgrade.tar]

  • fstab for upgraded engines, has nosuid and nodev

delphix@ip-10-110-197-250:~$ cat /etc/fstab
rpool/ROOT/delphix.qCL48gW/home /home zfs defaults,nodev,nosuid,x-systemd.before=zfs-import-cache.service 0 0
rpool/ROOT/delphix.qCL48gW/data /var/delphix zfs defaults,x-systemd.before=zfs-import-cache.service 0 0
rpool/ROOT/delphix.qCL48gW/log  /var/log     zfs defaults,x-systemd.before=zfs-import-cache.service 0 0
rpool/ROOT/delphix.qCL48gW/tmp  /tmp     zfs defaults,nosuid,nodev,exec,x-systemd.before=zfs-import-cache.service 0 0
rpool/ROOT/delphix.qCL48gW/vartmp  /var/tmp     zfs defaults,nosuid,nodev,exec,x-systemd.before=zfs-import-cache.service 0 0
rpool/crashdump  /var/crash     zfs defaults,x-systemd.before=zfs-import-cache.service,x-systemd.before=kdump-tools.service 0 0
tmpfs /dev/shm tmpfs defaults,noexec,nosuid,nodev 0 0
delphix@ip-10-110-197-250:~$
  • Symlink Check
delphix@ip-10-110-197-250:~$ ls -ltr /export/
total 1
lrwxrwxrwx 1 root root 5 May 27 17:41 home -> /home
delphix@ip-10-110-197-250:~$

New Engine: sr-dev01.dlpxdc.co

  • fstab for new engine, has nosuid and nodev
delphix@ip-10-110-223-101:~$ cat /etc/fstab
rpool/ROOT/delphix.pYi7i0b/home /home zfs defaults,nodev,nosuid,x-systemd.before=zfs-import-cache.service 0 0
rpool/ROOT/delphix.pYi7i0b/data /var/delphix zfs defaults,x-systemd.before=zfs-import-cache.service 0 0
rpool/ROOT/delphix.pYi7i0b/log  /var/log     zfs defaults,x-systemd.before=zfs-import-cache.service 0 0
rpool/ROOT/delphix.pYi7i0b/tmp  /tmp     zfs defaults,nosuid,nodev,exec,x-systemd.before=zfs-import-cache.service 0 0
rpool/ROOT/delphix.pYi7i0b/vartmp  /var/tmp     zfs defaults,nosuid,nodev,exec,x-systemd.before=zfs-import-cache.service 0 0
rpool/crashdump  /var/crash     zfs defaults,x-systemd.before=zfs-import-cache.service,x-systemd.before=kdump-tools.service 0 0
tmpfs /dev/shm tmpfs defaults,noexec,nosuid,nodev 0 0
delphix@ip-10-110-223-101:~$
  • Symlink Check
delphix@ip-10-110-223-101:~$ ls -ltr /export/
total 1
lrwxrwxrwx 1 root root 5 May 27 15:42 home -> /home
delphix@ip-10-110-223-101:~$

✳️ ✳️ ✳️ ✳️ ✳️ New SCA scan updates [Please note that with Ubuntu 24.04 , there are changes in the CIS test, we have Ran the CIS Scans now with a new policy. The controls 7402 , 7403, 14601 and 13248 are not present in the new policy instead we have 3 new controls.]

  • 29044 - 🟢
  • 29045 - 🟢
  • 29046 - 🟢

Compliance_Report_cisScanReport01_perfr3sr2_20260116.pdf

Build: git ab-pre-push : appliance-build-orchestrator-pre-push/12953/ - ✅

New Engine

  • dlpxdevsr001.dlpxdc.co - 🟢

Here, In a new engine we have successfully overcome the issue of backup dir creation problem observed with the last build.

 % ssh delphix@dlpxdevsr001.dlpxdc.co
Warning: Permanently added 'dlpxdevsr001.dlpxdc.co' (ED25519) to the list of known hosts.
(delphix@dlpxdevsr001.dlpxdc.co) Password: 
delphix@ip-10-110-227-161:~$ 
delphix@ip-10-110-227-161:~$ ls -ltr /export/
total 1
lrwxrwxrwx 1 root root 5 Jan 13 06:00 home -> /home
delphix@ip-10-110-227-161:~$

Manual Upgrades

sudo lsof +f -- /export/home results below shows that all active file handles are actually pointing to: /home/delphix. This means:

  • The Delphix services are not using /export/home directly
  • They are operating on /home/delphix
delphix@ip-10-110-239-15:~$  sudo lsof +f -- /export/home
COMMAND      PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
delphix-s   2133    root  cwd    DIR   0,40        8    3 /home/delphix
delphix-s   2138    root  cwd    DIR   0,40        8    3 /home/delphix
delphix-s   2139    root  cwd    DIR   0,40        8    3 /home/delphix
delphix-s   2141    root  cwd    DIR   0,40        8    3 /home/delphix
delphix-s   2150    root  cwd    DIR   0,40        8    3 /home/delphix
delphix-s   2157    root  cwd    DIR   0,40        8    3 /home/delphix
delphix-s   2164    root  cwd    DIR   0,40        8    3 /home/delphix
delphix-s   2207    root  cwd    DIR   0,40        8    3 /home/delphix
delphix-s   2208    root  cwd    DIR   0,40        8    3 /home/delphix
delphix-s   2209    root  cwd    DIR   0,40        8    3 /home/delphix
delphix-s   2244    root  cwd    DIR   0,40        8    3 /home/delphix
delphix-s   2250    root  cwd    DIR   0,40        8    3 /home/delphix
delphix-s   2253    root  cwd    DIR   0,40        8    3 /home/delphix
delphix-s   2257    root  cwd    DIR   0,40        8    3 /home/delphix
delphix-s   2258    root  cwd    DIR   0,40        8    3 /home/delphix
delphix-s   2260    root  cwd    DIR   0,40        8    3 /home/delphix
delphix-s   2263    root  cwd    DIR   0,40        8    3 /home/delphix
delphix-s   2270    root  cwd    DIR   0,40        8    3 /home/delphix
delphix-s   2292    root  cwd    DIR   0,40        8    3 /home/delphix
delphix-s   2307    root  cwd    DIR   0,40        8    3 /home/delphix
delphix-s   2309    root  cwd    DIR   0,40        8    3 /home/delphix
delphix-s   2318    root  cwd    DIR   0,40        8    3 /home/delphix
delphix-s   2335    root  cwd    DIR   0,40        8    3 /home/delphix
nfs_delet   2337    root  cwd    DIR   0,40        8    3 /home/delphix
bpftrace    2602    root  cwd    DIR   0,40        8    3 /home/delphix
nfs_delet   2603    root  cwd    DIR   0,40        8    3 /home/delphix
java        4364    root  cwd    DIR   0,40        8    3 /home/delphix
python3     5191    root  cwd    DIR   0,40        8    3 /home/delphix
python3     5195    root  cwd    DIR   0,40        8    3 /home/delphix
python3     5199    root  cwd    DIR   0,40        8    3 /home/delphix
python3     5203    root  cwd    DIR   0,40        8    3 /home/delphix
timeout   112744    root  cwd    DIR   0,40        8    3 /home/delphix
iostat    112745    root  cwd    DIR   0,40        8    3 /home/delphix
timeout   112747    root  cwd    DIR   0,40        8    3 /home/delphix
vmstat    112748    root  cwd    DIR   0,40        8    3 /home/delphix
timeout   112750    root  cwd    DIR   0,40        8    3 /home/delphix
zpool     112751    root  cwd    DIR   0,40        8    3 /home/delphix
timeout   112757    root  cwd    DIR   0,40        8    3 /home/delphix
zpool     112758    root  cwd    DIR   0,40        8    3 /home/delphix
sleep     113720    root  cwd    DIR   0,40        8    3 /home/delphix
sleep     114212    root  cwd    DIR   0,40        8    3 /home/delphix
sleep     114216    root  cwd    DIR   0,40        8    3 /home/delphix
sleep     114222    root  cwd    DIR   0,40        8    3 /home/delphix
sleep     114335    root  cwd    DIR   0,40        8    3 /home/delphix
timeout   114525    root  cwd    DIR   0,40        8    3 /home/delphix
mpstat    114526    root  cwd    DIR   0,40        8    3 /home/delphix
sleep     114689    root  cwd    DIR   0,40        8    3 /home/delphix
sleep     114690    root  cwd    DIR   0,40        8    3 /home/delphix
timeout   114874    root  cwd    DIR   0,40        8    3 /home/delphix
profile-b 114875    root  cwd    DIR   0,40        8    3 /home/delphix
sleep     114952    root  cwd    DIR   0,40        8    3 /home/delphix
sleep     114960    root  cwd    DIR   0,40        8    3 /home/delphix
sleep     114964    root  cwd    DIR   0,40        8    3 /home/delphix
sleep     114968    root  cwd    DIR   0,40        8    3 /home/delphix
sleep     114972    root  cwd    DIR   0,40        8    3 /home/delphix
sleep     114976    root  cwd    DIR   0,40        8    3 /home/delphix
sleep     114992    root  cwd    DIR   0,40        8    3 /home/delphix
supportlo 115096 delphix  cwd    DIR   0,40        8    3 /home/delphix
supportlo 115109 delphix  cwd    DIR   0,40        8    3 /home/delphix
script    115110 delphix  cwd    DIR   0,40        8    3 /home/delphix
bash      115111 delphix  cwd    DIR   0,40        8    3 /home/delphix
sleep     115123    root  cwd    DIR   0,40        8    3 /home/delphix
sleep     115129    root  cwd    DIR   0,40        8    3 /home/delphix
sleep     115134    root  cwd    DIR   0,40        8    3 /home/delphix
sudo      115144    root  cwd    DIR   0,40        8    3 /home/delphix
sudo      115145    root  cwd    DIR   0,40        8    3 /home/delphix
lsof      115146    root  cwd    DIR   0,40        8    3 /home/delphix
lsof      115147    root  cwd    DIR   0,40        8    3 /home/delphix
delphix@ip-10-110-239-15:~$

The /export/home -> /home is a symbolic link pointing from /export/home to /home. This means:

  • Any access to /export/home is transparently redirected to /home
  • /export/home/delphix is actually /home/delphix
  • There is no separate filesystem or directory tree under /export/home
delphix@ip-10-110-239-15:~$ ls -ltr /export/
total 1
lrwxrwxrwx 1 root root 5 Jan 13 05:25 home -> /home
delphix@ip-10-110-239-15:~$

@justsanjeev justsanjeev force-pushed the dlpx/pr/justsanjeev/d7de7bc9-e96b-43ee-b26a-76a6325f7d86 branch from 60315a7 to 2547134 Compare April 18, 2024 14:35
@justsanjeev justsanjeev force-pushed the dlpx/pr/justsanjeev/d7de7bc9-e96b-43ee-b26a-76a6325f7d86 branch 3 times, most recently from 4447b5d to 70aaee3 Compare May 1, 2024 13:04
@justsanjeev justsanjeev mentioned this pull request May 6, 2024
Open
@justsanjeev justsanjeev force-pushed the dlpx/pr/justsanjeev/d7de7bc9-e96b-43ee-b26a-76a6325f7d86 branch 5 times, most recently from 5a45f37 to 28406a7 Compare May 10, 2024 16:28
@justsanjeev justsanjeev force-pushed the dlpx/pr/justsanjeev/d7de7bc9-e96b-43ee-b26a-76a6325f7d86 branch from 28406a7 to abd7103 Compare July 2, 2024 10:56
@justsanjeev justsanjeev force-pushed the dlpx/pr/justsanjeev/d7de7bc9-e96b-43ee-b26a-76a6325f7d86 branch from abd7103 to b8d8ec5 Compare July 11, 2024 10:06
@justsanjeev justsanjeev mentioned this pull request Jul 16, 2024
Closed
@justsanjeev justsanjeev force-pushed the dlpx/pr/justsanjeev/d7de7bc9-e96b-43ee-b26a-76a6325f7d86 branch from b8d8ec5 to 6497d9d Compare July 16, 2024 07:26
@justsanjeev justsanjeev force-pushed the dlpx/pr/justsanjeev/d7de7bc9-e96b-43ee-b26a-76a6325f7d86 branch from 6497d9d to bacfefb Compare August 30, 2024 09:02
@justsanjeev justsanjeev force-pushed the dlpx/pr/justsanjeev/d7de7bc9-e96b-43ee-b26a-76a6325f7d86 branch 2 times, most recently from 58d854c to fe722dd Compare September 24, 2024 08:53
@justsanjeev justsanjeev force-pushed the dlpx/pr/justsanjeev/d7de7bc9-e96b-43ee-b26a-76a6325f7d86 branch from fe722dd to 52199cc Compare October 1, 2024 06:57
@justsanjeev justsanjeev self-assigned this Oct 1, 2024
@justsanjeev justsanjeev force-pushed the dlpx/pr/justsanjeev/d7de7bc9-e96b-43ee-b26a-76a6325f7d86 branch from 52199cc to c752b4f Compare October 8, 2024 17:47
@justsanjeev justsanjeev force-pushed the dlpx/pr/justsanjeev/d7de7bc9-e96b-43ee-b26a-76a6325f7d86 branch from c752b4f to 4c2f334 Compare October 22, 2024 12:28
@justsanjeev justsanjeev force-pushed the dlpx/pr/justsanjeev/d7de7bc9-e96b-43ee-b26a-76a6325f7d86 branch from 4c2f334 to 823162d Compare November 4, 2024 07:52
@justsanjeev justsanjeev marked this pull request as ready for review November 19, 2024 10:22
@justsanjeev justsanjeev force-pushed the dlpx/pr/justsanjeev/d7de7bc9-e96b-43ee-b26a-76a6325f7d86 branch 2 times, most recently from 554ea59 to b81c2e4 Compare January 16, 2025 06:30
@justsanjeev justsanjeev force-pushed the dlpx/pr/justsanjeev/d7de7bc9-e96b-43ee-b26a-76a6325f7d86 branch from b81c2e4 to 7c5bcea Compare February 14, 2025 10:07
sebroy
sebroy requested changes Mar 26, 2025
View reviewed changes
Comment thread live-build/config/hooks/vm-artifacts/90-raw-disk-image.binary Outdated
Comment thread scripts/common.sh Outdated
@justsanjeev justsanjeev force-pushed the dlpx/pr/justsanjeev/d7de7bc9-e96b-43ee-b26a-76a6325f7d86 branch from 7c5bcea to 5ce66b3 Compare April 9, 2025 15:45
sebroy
sebroy requested changes May 13, 2025
View reviewed changes
Comment thread live-build/config/hooks/vm-artifacts/90-raw-disk-image.binary Outdated
Comment thread live-build/config/hooks/vm-artifacts/90-raw-disk-image.binary Outdated
@justsanjeev justsanjeev force-pushed the dlpx/pr/justsanjeev/d7de7bc9-e96b-43ee-b26a-76a6325f7d86 branch from b061620 to 7cc9bcf Compare May 19, 2025 16:26
@justsanjeev justsanjeev force-pushed the dlpx/pr/justsanjeev/d7de7bc9-e96b-43ee-b26a-76a6325f7d86 branch from 2309e84 to 332ae64 Compare April 17, 2026 08:16
@justsanjeev
DLPX-86523 CIS: /home filesystem and mount options
21f2b93 
Fixing the headers in the changed files.
Incoprorating new comments from Seb
Resolving comments from Seb on redundant nodev

PR URL: https://www.github.com/delphix/appliance-build/pull/756
@justsanjeev
Incorporating nosuid changes
7dfda9c
@justsanjeev
This code was creating cache inside /export/home/delphx/.cache/pip/ht…
a9d36e4 
…tp-v2, disabling cache is the cleaner approach here
@justsanjeev
This code was creating cache inside /export/home/delphx/.cache/pip/ht…
9e44b86 
…tp-v2, disabling cache is the cleaner approach here- Change #2
@justsanjeev
This code was creating cache inside /export/home/delphx/.cache/pip/ht…
f95b9de 
…tp-v2, disabling cache is the cleaner approach here- Change #3
@justsanjeev
Removing,'Clean up pip cache directory', since the 'Install awscli py…
a05dea3 
…thon package' woked in the removal of chache directorywith additional changes made.
@justsanjeev
Removing the change for deleting cache related to awscli instllation …
ce0f9bd 
…by pip.
@justsanjeev
adding the no-cache for pip installation
4972dca
@justsanjeev
Removing pip caching considering the latest changes done in delphix-p…
5ac2f40 
…latform for non empty /export/home
@justsanjeev
Removing pip caching considering the latest changes done in delphix-p…
1de8236 
…latform for non empty /export/home
@justsanjeev
removing pip caching from bootstrap/roles/appliance-build.bootstrap/t…
1a45afb 
…asks/main.yml as well
@justsanjeev
Updating copyright header
518c21e
@justsanjeev
Adding the no cache dir logic back so that the new engine doesn't hav…
fd5e561 
…e the /export/home back due to buildserver
@justsanjeev
fixing verification in container
964e052
@justsanjeev
removing cache removal logic because it blocking the verification.
81ea2d4
@justsanjeev
Removing the fstab updation logic from delphix-platform
c666bc4
@justsanjeev
Removing the nosuid and nodev implementation from upgrade scripts as …
8cbe3e3 
…per Prakash-s suggestion
@justsanjeev justsanjeev force-pushed the dlpx/pr/justsanjeev/d7de7bc9-e96b-43ee-b26a-76a6325f7d86 branch from 332ae64 to ed1b547 Compare May 6, 2026 12:00
@justsanjeev justsanjeev force-pushed the dlpx/pr/justsanjeev/d7de7bc9-e96b-43ee-b26a-76a6325f7d86 branch from ed1b547 to 271dde1 Compare May 6, 2026 12:31
justsanjeev
justsanjeev commented May 7, 2026
View reviewed changes
Comment thread qa_infra_logs/qa_infra_debug.log

@justsanjeev justsanjeev May 7, 2026
edited
Loading

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note: An unrelated log/debug file was accidentally included in one of the earlier development commits. It is not part of the final intended change and will be cleaned up during the final squash/rebase before merge. Kindly ignore it during review.

prakashsurya
prakashsurya reviewed Jun 1, 2026
View reviewed changes
Comment thread upgrade/upgrade-scripts/execute
if grep -qE '^[^#].*[[:space:]]/home[[:space:]]' /etc/fstab; then
if ! grep -qE '^[^#].*[[:space:]]/home[[:space:]].*nodev' /etc/fstab ||
! grep -qE '^[^#].*[[:space:]]/home[[:space:]].*nosuid' /etc/fstab; then
sed -i '/^[^#].*[[:space:]]\/home[[:space:]]/ s/defaults/defaults,nodev,nosuid/' \

@prakashsurya prakashsurya Jun 1, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why do we do this here, and in the delphix-platform ansible logic via delphix/delphix-platform#477 ?

do we need to do the same configuration in 2 places?

@prakashsurya prakashsurya mentioned this pull request Jun 1, 2026
Closed
prakashsurya pushed a commit that referenced this pull request Jun 1, 2026
@justsanjeev @claude @prakashsurya
DLPX-86523 CIS: /home filesystem and mount options
f692156 
Squash of #756: mount the home ZFS dataset at
/home instead of /export/home for CIS compliance, with nodev,nosuid on
the /home fstab entry. Includes the build-side fstab (90-raw-disk-image),
upgrade-container template, ansible role path updates, and the upgrade
execute changes as authored in #756.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
prakashsurya added a commit that referenced this pull request Jun 1, 2026
@prakashsurya @claude
DLPX-86523 Re-implement /home upgrade migration; drop dev-only autofs…
21e4266 
… /home

Re-implements the upgrade-path migration from #756:

- common.sh: add an idempotent migrate_export_home_to_home() that
  repoints the home dataset's /etc/fstab entry and affected /etc/passwd
  home directories from /export/home to /home and mounts /home, leaving
  the old /export/home mount live until reboot. Self-guards on the fstab
  entry, so it is a no-op once migrated or inside an already-/home
  upgrade container.
- execute: replace #756's inline whole-file sed (which ran early) with a
  single guarded call to the function, placed late -- after the package
  phase and set-bootfs, before the nodev/nosuid block that hardens the
  /home entry it creates.
- delphix-ldap: stop adding the '/home auto_home -nobrowse' autofs map.
  This dev-only role's automount reasserts /home on its timeout cycle,
  shadowing the home dataset and breaking home-dir access and SSH login.
  Customer variants never applied it, so no upgrade migration handling
  is needed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
prakashsurya added a commit that referenced this pull request Jun 1, 2026
@prakashsurya @claude
DLPX-86523 Re-implement /home upgrade migration; drop dev-only autofs…
68d3ad4 
… /home

Re-implements the upgrade-path migration from #756:

- common.sh: add an idempotent migrate_export_home_to_home() that
  repoints the home dataset's /etc/fstab entry and affected /etc/passwd
  home directories from /export/home to /home and mounts /home, leaving
  the old /export/home mount live until reboot. Self-guards on the fstab
  entry, so it is a no-op once migrated or inside an already-/home
  upgrade container.
- execute: replace #756's inline whole-file sed (which ran early) with a
  single guarded call to the function, placed late -- after the package
  phase and set-bootfs, before the nodev/nosuid block that hardens the
  /home entry it creates.
- execute: drop the '! systemd-detect-virt -qc' guard around the
  nodev/nosuid fstab hardening. Unlike set-bootfs (which rewrites the
  host boot pointer and must stay host-only), this is a plain fstab edit
  whose inner grep checks already make it idempotent and a no-op where
  the options are present; running it regardless is safe and consistent
  with the unguarded migration call.
- delphix-ldap: stop adding the '/home auto_home -nobrowse' autofs map.
  This dev-only role's automount reasserts /home on its timeout cycle,
  shadowing the home dataset and breaking home-dir access and SSH login.
  Customer variants never applied it, so no upgrade migration handling
  is needed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
prakashsurya added a commit that referenced this pull request Jun 1, 2026
@prakashsurya @claude
DLPX-86523 Re-implement /home upgrade migration; drop dev-only autofs…
e80d363 
… /home

Re-implements the upgrade-path migration from #756:

- common.sh: add an idempotent migrate_export_home_to_home() that
  repoints the home dataset's /etc/fstab entry and affected /etc/passwd
  home directories from /export/home to /home and mounts /home, leaving
  the old /export/home mount live until reboot. Self-guards on the fstab
  entry, so it is a no-op once migrated or inside an already-/home
  upgrade container.
- execute: replace #756's inline whole-file sed (which ran early) with a
  single unconditional call to the function, placed late -- after the
  package phase and set-bootfs, before the nodev/nosuid block that
  hardens the /home entry it creates. No CURRENT_VERSION guard is needed:
  /etc/fstab maps the home dataset to /export/home only on an in-place
  upgrade of a pre-change engine, so the function's own fstab guard fully
  covers every other context (fresh installs and upgrade containers use
  the /home template).
- execute: drop the '! systemd-detect-virt -qc' guard around the
  nodev/nosuid fstab hardening. Unlike set-bootfs (which rewrites the
  host boot pointer and must stay host-only), this is a plain fstab edit
  whose inner grep checks already make it idempotent and a no-op where
  the options are present; running it regardless is safe and consistent
  with the unguarded migration call.
- delphix-ldap: stop adding the '/home auto_home -nobrowse' autofs map.
  This dev-only role's automount reasserts /home on its timeout cycle,
  shadowing the home dataset and breaking home-dir access and SSH login.
  Customer variants never applied it, so no upgrade migration handling
  is needed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
prakashsurya added a commit that referenced this pull request Jun 1, 2026
@prakashsurya @claude
DLPX-86523 Re-implement /home upgrade migration; drop dev-only autofs…
b7cade3 
… /home

Re-implements the upgrade-path migration from #756:

- common.sh: add an idempotent migrate_export_home_to_home() that
  repoints the home dataset's /etc/fstab entry and affected /etc/passwd
  home directories from /export/home to /home and mounts /home, leaving
  the old /export/home mount live until reboot. Self-guards on the fstab
  entry, so it is a no-op once migrated or inside an already-/home
  upgrade container.
- common.sh: add harden_home_mount_options(), which ensures the /home
  fstab entry carries nodev,nosuid for CIS compliance. Idempotent and a
  no-op where the options are already present.
- execute: replace #756's inline whole-file sed (which ran early) with a
  single unconditional call to migrate_export_home_to_home(), placed late
  -- after the package phase and set-bootfs, before the hardening call.
  No CURRENT_VERSION guard is needed: /etc/fstab maps the home dataset to
  /export/home only on an in-place upgrade of a pre-change engine, so the
  function's own fstab guard covers every other context.
- execute: replace #756's inline nodev/nosuid block with a call to
  harden_home_mount_options(). Drop the '! systemd-detect-virt -qc' guard
  it had: unlike set-bootfs (which rewrites the host boot pointer and must
  stay host-only), this is a plain fstab edit whose checks already make it
  idempotent and a no-op where the options are present, so running it
  regardless is safe and consistent with the migration call.
- delphix-ldap: stop adding the '/home auto_home -nobrowse' autofs map.
  This dev-only role's automount reasserts /home on its timeout cycle,
  shadowing the home dataset and breaking home-dir access and SSH login.
  Customer variants never applied it, so no upgrade migration handling
  is needed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@justsanjeev justsanjeev mentioned this pull request Jun 11, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@prakashsurya prakashsurya prakashsurya left review comments

@sebroy sebroy sebroy approved these changes

@VenkatanadhanG VenkatanadhanG VenkatanadhanG approved these changes

Assignees

@justsanjeev justsanjeev

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@justsanjeev @prakashsurya @sebroy @VenkatanadhanG