DLPX-86523 CIS: /home filesystem and mount options #869

Open: prakashsurya wants to merge 1 commit into develop from projects/cis-home-mount

prakashsurya commented Jun 1, 2026

Problem

The appliance's home ZFS dataset is mounted at /export/home, without the nodev or
nosuid mount options. CIS requires a dedicated /home filesystem carrying those
options, so the current layout fails the relevant controls for the /home partition
and its mount options.

Solution

The solution taken in this PR is to mount the home dataset at /home, with
nodev,nosuid, on both fresh installs and in-place upgrades.

Fresh installs / build:

  • Create and mount the home dataset at /home (raw-disk-image hook and
    upgrade-container template), with nodev,nosuid on the /home fstab entry.
  • Update ansible roles and the FAQ for the new path, and set the delphix user's home
    to /home/delphix.

In-place upgrades (upgrade/upgrade-scripts):

  • migrate_export_home_to_home() (common.sh) repoints the home dataset's
    /etc/fstab entry, and any affected /etc/passwd home directories, from
    /export/home to /home, then mounts /home. The pre-existing /export/home
    mount is left live until the next reboot, so running processes that hold it open are
    not disrupted and a busy unmount cannot fail the upgrade. The function self-guards on
    the fstab entry, so it is a no-op once migrated, and on systems that already use
    /home.
  • harden_home_mount_options() (common.sh) ensures the /home fstab entry carries
    nodev,nosuid. It is idempotent.
  • execute calls both functions before the package phase, so package maintainer
    scripts (e.g. the delphix-platform postinst) operate on the home dataset already
    mounted at /home, rather than on a /home directory on the root filesystem that
    the dataset mount would later shadow. The migration runs before the hardening, which
    depends on the /home entry the migration creates. Neither call is host-only. The
    functions self-guard and no-op inside upgrade containers.

Dev images:

  • The delphix-ldap role (internal-dev / internal-dcenter only) no longer adds the
    /home auto_home -nobrowse autofs map. With the home dataset at /home, that
    automount reasserts /home on its timeout, shadowing the dataset and breaking
    home-directory access and SSH login. Customer variants never applied it.

Companion change

This must land together with two companion PRs that move the remaining /export/home
references to /home:

  • delphix-platform#565 (DLPX-86523 CIS: mount appliance user home at /home) moves the delphix user's home directory (and
    .bashrc) from /export/home/delphix to /home/delphix in the delphix-platform
    package. Without it, the internal-dev image build fails sourcing
    /export/home/delphix/.bashrc.
  • delphix/dlpx-app-gate#4346 repoints the remaining runtime/build /export/home
    references to /home, most notably the cli user's home (/home/cli) and the
    sshd_config AuthorizedKeysFile path in appliance/packaging/postinst.

Because that postinst now operates in terms of /home, the home-dataset migration
runs before the package phase (see Solution above), so the dataset is mounted at
/home by the time those maintainer scripts run.

Testing Done

Static: shellcheck (-e SC1090 -e SC1091 -e SC2329), shfmt, and bash -n
clean on common.sh and execute. The sed transforms were verified against
representative fstab and passwd samples, including boundary cases such as
/export/home2/..., which must not be rewritten.

On-engine (dcoa dlpx-develop, 2026.4.0.0, with the autofs /home map removed
to mirror the fixed config):

  • Migration function in isolation: /etc/fstab and /etc/passwd repointed to /home,
    dataset mounted at both /home and /export/home.
  • In-place upgrade (upgrade -v deferred, exit 0) followed by reboot: fstab to
    /home, passwd to /home/delphix, dual-mount pre-reboot, a single /home zfs mount
    after reboot, home-directory contents intact, SSH login works.
  • Idempotency: re-running the migration is a no-op (/etc/fstab and /etc/passwd
    byte-identical).
  • The /home autofs conflict surfaced here, and was fixed (the delphix-ldap change);
    /home is stable across reboot once the map is removed.

Full build and end-to-end upgrade: git ab-pre-push with this branch plus both
companion PRs (delphix-platform#565 and dlpx-app-gate#4346, via --extra-repo), and
upgrade testing from 2026.3.0.0:

🤖 Generated with Claude Code

Mount the home ZFS dataset at /home (with the nodev and nosuid options)
instead of /export/home, to satisfy the CIS requirement for a dedicated,
hardened /home filesystem.

Build / new installs:
- Create and mount the home dataset at /home in the raw-disk-image hook
  and the upgrade-container template, with nodev,nosuid on the /home
  fstab entry. Update ansible roles and the FAQ for the new path.

In-place upgrades (upgrade-scripts):
- common.sh: migrate_export_home_to_home() repoints the home dataset's
  /etc/fstab entry and any affected /etc/passwd home directories from
  /export/home to /home, then mounts /home -- leaving the existing
  /export/home mount live until the next reboot so processes holding it
  open are not disrupted and a busy unmount cannot fail the upgrade. It
  self-guards on the fstab entry, so it is a no-op once migrated and on
  fresh installs / upgrade containers that already use /home.
- common.sh: harden_home_mount_options() ensures the /home fstab entry
  carries nodev,nosuid. Idempotent (a no-op once the options are set).
- execute: call both functions before the package phase, so package
  maintainer scripts (e.g. the delphix-platform postinst) operate on the
  home dataset already mounted at /home, rather than on a /home directory
  on the root filesystem that the dataset mount would later shadow. The
  migration runs before the hardening, which depends on the /home entry
  the migration creates. Neither call is host-only; the functions
  self-guard and no-op in containers.

Dev images:
- delphix-ldap (internal-dev / internal-dcenter only): stop adding the
  '/home auto_home -nobrowse' autofs map. With the home dataset at /home,
  that automount reasserts /home on its timeout, shadowing the dataset
  and breaking home-directory access and SSH login. Customer variants
  never applied it, so no upgrade-time handling is required.

Co-Authored-By: Sanjeev Rohila <sanjeev.rohila@delphix.com>
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
prakashsurya force-pushed the projects/cis-home-mount branch from 96a294e to b975685 on June 2, 2026 00:10
prakashsurya requested a review from justsanjeev on June 2, 2026 00:18
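
Added example (not part of this PR or of common.sh): a field-aware version of the fstab and passwd rewrites described under "Testing Done", covering the /export/home2 boundary case and the idempotent nodev,nosuid hardening. It uses awk rather than the PR's sed transforms; the function names, dataset names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed.

# Repoint fstab mount points (field 2) from /export/home to /home. Only an
# exact match or a path below /export/home/ changes, so /export/home2 stays.
# Rewritten lines come out single-space separated; others pass through as-is.
repoint_fstab() {
    awk 'NF == 0 || $1 ~ /^#/ { print; next }
         $2 == "/export/home" || index($2, "/export/home/") == 1 {
             $2 = "/home" substr($2, length("/export/home") + 1) }
         { print }'
}

# Same boundary rule for the home directory (field 6) in passwd.
repoint_passwd() {
    awk -F: -v OFS=: '
         $6 == "/export/home" || index($6, "/export/home/") == 1 {
             $6 = "/home" substr($6, length("/export/home") + 1) }
         { print }'
}

# Append nodev/nosuid to the /home entry's options (field 4) only if missing,
# so a second run leaves the file unchanged.
harden_home_opts() {
    awk 'NF == 0 || $1 ~ /^#/ { print; next }
         NF >= 4 && $2 == "/home" {
             have = "," $4 ","; add = ""
             if (index(have, ",nodev,") == 0)  add = add ",nodev"
             if (index(have, ",nosuid,") == 0) add = add ",nosuid"
             if (add != "") $4 = $4 add }
         { print }'
}

sample_fstab() {   # constructed sample, not the appliance's real fstab
    cat <<'EOF'
# <device>  <mount point>  <type>  <options>  <dump> <pass>
pool/root   /              zfs     defaults   0 0
pool/home   /export/home   zfs     defaults   0 0
pool/other  /export/home2  zfs     defaults   0 0
EOF
}

sample_passwd() {  # constructed sample
    cat <<'EOF'
delphix:x:1000:1000::/export/home/delphix:/bin/bash
other:x:1001:1001::/export/home2/other:/bin/sh
EOF
}

sample_fstab | repoint_fstab | harden_home_opts
sample_passwd | repoint_passwd
```

Matching on whole fields rather than on substrings is what keeps /export/home2 untouched, and piping the output back through both functions should reproduce it byte for byte.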