DLPX-89763-3Apr copy

Author: justsanjeev

files/common/lib/systemd/system/delphix-platform.service

@@ -1,5 +1,5 @@
 #
-# Copyright 2019 Delphix
+# Copyright 2019, 2026 Delphix
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -24,6 +24,7 @@ Before=rsync.service docker.service
 Type=oneshot
 ExecStart=/var/lib/delphix-platform/ansible/apply
 ExecStart=/var/lib/delphix-platform/dynamic-debug
+ExecStart=/var/lib/delphix-platform/export-home
 RemainAfterExit=yes
 
 #

files/common/var/lib/delphix-platform/ansible/10-delphix-platform/roles/delphix-platform/tasks/main.yml

@@ -1,5 +1,5 @@
 #
-# Copyright 2018, 2023 Delphix
+# Copyright 2018, 2026 Delphix
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -22,7 +22,7 @@
 # it below; otherwise that task will fail.
 #
 - file:
-    path: /export/home
+    path: /home
     state: directory
     mode: 0755
 
@@ -35,7 +35,7 @@
     shell: /bin/bash
     create_home: yes
     comment: Delphix User
-    home: /export/home/delphix
+    home: /home/delphix
 
 #
 # In order for this locale to be used (e.g. by virtualization) we need
@@ -104,7 +104,7 @@
 # found in this directory, but also used by upgrade-scripts stored in
 # the appliace-build repository (which generates the upgrade image).
 # Thus, we need to be careful if/when changing this, as we'll need to
-# coordinate the change with the appliance-build upgrade-scripts.
+# coordinate the change with the appliance-build upgrade-scripts.aws
 #
 - file:
     path: /var/dlpx-update
@@ -637,7 +637,7 @@
 
 - name: Source bash completion
   blockinfile:
-    dest: "/export/home/delphix/.bashrc"
+    dest: "/home/delphix/.bashrc"
     block: |
       . /etc/bash_completion.d/systemctl
       . /etc/bash_completion.d/zfs
@@ -654,6 +654,27 @@
       # Set default umask value.
       umask 027
 
+#
+# Add nodev,nosuid to the /home fstab entry for security hardening (CIS).
+# New VMs have this handled during fresh provisioning; this covers upgrades
+# where the entry may lack these options.
+#
+- name: Check if /home fstab entry needs nodev,nosuid
+  shell: |
+    grep -qE '^[^#].*\s/home\s' /etc/fstab && \
+    (! grep -qE '^[^#].*\s/home\s.*nodev' /etc/fstab || \
+     ! grep -qE '^[^#].*\s/home\s.*nosuid' /etc/fstab)
+  register: home_fstab_needs_update
+  failed_when: false
+  changed_when: false
+
+- name: Add nodev,nosuid to /home fstab entry
+  replace:
+    path: /etc/fstab
+    regexp: '(^[^#].*\s/home\s.*)defaults'
+    replace: '\1defaults,nodev,nosuid'
+  when: home_fstab_needs_update.rc == 0
+
 - name: Mount /dev/shm with noexec,nosuid,nodev
   ansible.posix.mount:
     path: /dev/shm

files/common/var/lib/delphix-platform/export-home

@@ -0,0 +1,69 @@
+#!/bin/bash
+#
+# Copyright (c) 2026 by Delphix. All rights reserved.
+#
+
+#
+# This script ensures that the /export/home is a symlink
+# to /home.
+#
+
+# If /export/home is already a symlink to /home, do nothing
+if [ -L /export/home ]; then
+	echo '/export/home is already exists. Nothing to do.'
+	exit 0
+fi
+
+# if /export/home and /home both are mounted - Dont do anything
+# Since during the next boot /export/home will not be mounted
+# Since /export/home is there all tests will be passes
+if mountpoint -q /export/home; then
+	echo '/export/home is still mounted. Check if /home is also mounted'
+	if mountpoint -q /home; then
+		echo '/home is also mounted. Since during the next boot /export/home will not be mounted, exiting safely.'
+		exit 0
+	else
+		echo '/home is not mounted. Aborting!!'
+		exit 1
+	fi
+fi
+
+# /export/home is not mounted, check if /home is mounted
+if mountpoint -q /home; then
+	echo "/home is mounted. Proceeding with /export/home cleanup."
+	# If /export/home exists
+	if [ -d /export/home ]; then
+		echo "/export/home exists. Attempting to remove it..."
+		rmdir /export/home 2>/dev/null
+		if [ $? -eq 0 ]; then
+			echo "/export/home directory removed successfully."
+		else
+			# If rmdir fails, it means /export/home is not empty
+			# Move contents to a backup location for a seamless user experience.
+			echo "/export/home is not empty. Moving contents to /export/home.backup before cleanup..."
+			backup_dir="/export/home.backup.$(date +%Y%m%d_%H%M%S)"
+			mv /export/home "$backup_dir"
+			if [ $? -ne 0 ]; then
+				echo "Failed to move /export/home contents to backup. Manual intervention required."
+				exit 1
+			fi
+			echo "Contents of /export/home moved successfully to: $backup_dir"
+		fi
+	fi
+else
+	echo "/home is not mounted. Aborting to avoid risk of data loss."
+	exit 1
+fi
+
+# Ensure /export exists
+mkdir -p /export
+
+# Create symlink
+echo "Creating symlink: /export/home -> /home"
+ln -s /home /export/home
+if [ $? -eq 0 ]; then
+	echo "Symlink created successfully."
+else
+	echo "Failed to create symlink. Please check permissions and try again."
+	exit 1
+fi