diff --git a/files/common/lib/systemd/system/delphix-platform.service b/files/common/lib/systemd/system/delphix-platform.service index 89a809d67..b5fe500af 100644 --- a/files/common/lib/systemd/system/delphix-platform.service +++ b/files/common/lib/systemd/system/delphix-platform.service @@ -1,5 +1,5 @@ # -# Copyright 2019 Delphix +# Copyright 2019, 2026 Delphix # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -24,6 +24,7 @@ Before=rsync.service docker.service Type=oneshot ExecStart=/var/lib/delphix-platform/ansible/apply ExecStart=/var/lib/delphix-platform/dynamic-debug +ExecStart=/var/lib/delphix-platform/export-home RemainAfterExit=yes # diff --git a/files/common/var/lib/delphix-platform/ansible/10-delphix-platform/roles/delphix-platform/tasks/main.yml b/files/common/var/lib/delphix-platform/ansible/10-delphix-platform/roles/delphix-platform/tasks/main.yml index 47a75d187..7c52c3506 100644 --- a/files/common/var/lib/delphix-platform/ansible/10-delphix-platform/roles/delphix-platform/tasks/main.yml +++ b/files/common/var/lib/delphix-platform/ansible/10-delphix-platform/roles/delphix-platform/tasks/main.yml @@ -1,5 +1,5 @@ # -# Copyright 2018, 2023 Delphix +# Copyright 2018, 2026 Delphix # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,7 +22,7 @@ # it below; otherwise that task will fail. # - file: - path: /export/home + path: /home state: directory mode: 0755 @@ -35,7 +35,7 @@ shell: /bin/bash create_home: yes comment: Delphix User - home: /export/home/delphix + home: /home/delphix # # In order for this locale to be used (e.g. by virtualization) we need @@ -104,7 +104,7 @@ # found in this directory, but also used by upgrade-scripts stored in # the appliace-build repository (which generates the upgrade image). # Thus, we need to be careful if/when changing this, as we'll need to -# coordinate the change with the appliance-build upgrade-scripts. +# coordinate the change with the appliance-build upgrade-scripts.aws # - file: path: /var/dlpx-update @@ -637,7 +637,7 @@ - name: Source bash completion blockinfile: - dest: "/export/home/delphix/.bashrc" + dest: "/home/delphix/.bashrc" block: | . /etc/bash_completion.d/systemctl . /etc/bash_completion.d/zfs @@ -654,6 +654,27 @@ # Set default umask value. umask 027 +# +# Add nodev,nosuid to the /home fstab entry for security hardening (CIS). +# New VMs have this handled during fresh provisioning; this covers upgrades +# where the entry may lack these options. +# +- name: Check if /home fstab entry needs nodev,nosuid + shell: | + grep -qE '^[^#].*\s/home\s' /etc/fstab && \ + (! grep -qE '^[^#].*\s/home\s.*nodev' /etc/fstab || \ + ! grep -qE '^[^#].*\s/home\s.*nosuid' /etc/fstab) + register: home_fstab_needs_update + failed_when: false + changed_when: false + +- name: Add nodev,nosuid to /home fstab entry + replace: + path: /etc/fstab + regexp: '(^[^#].*\s/home\s.*)defaults' + replace: '\1defaults,nodev,nosuid' + when: home_fstab_needs_update.rc == 0 + - name: Mount /dev/shm with noexec,nosuid,nodev ansible.posix.mount: path: /dev/shm diff --git a/files/common/var/lib/delphix-platform/export-home b/files/common/var/lib/delphix-platform/export-home new file mode 100755 index 000000000..87c05bfea --- /dev/null +++ b/files/common/var/lib/delphix-platform/export-home @@ -0,0 +1,68 @@ +#!/bin/bash +# +# Copyright (c) 2026 by Delphix. All rights reserved. +# + +# +# This script ensures that the /export/home is a symlink +# to /home. +# + +# If /export/home is already a symlink to /home, do nothing +if [ -L /export/home ]; then + echo '/export/home is already exists. Nothing to do.' + exit 0 +fi + +# if /export/home and /home both are mounted - Dont do anything +# Since during the next boot /export/home will not be mounted +# Since /export/home is there all tests will be passes +if mountpoint -q /export/home; then + echo '/export/home is still mounted. Check if /home is also mounted' + if mountpoint -q /home; then + echo '/home is also mounted. Since during the next boot /export/home will not be mounted, exiting safely.' + exit 0 + else + echo '/home is not mounted. Aborting!!' + exit 1 + fi +fi + +# /export/home is not mounted, check if /home is mounted +if mountpoint -q /home; then + echo "/home is mounted. Proceeding with /export/home cleanup." + # If /export/home exists + if [ -d /export/home ]; then + echo "/export/home exists. Attempting to remove it..." + rmdir /export/home 2>/dev/null + if [ $? -eq 0 ]; then + echo "/export/home directory removed successfully." + else + # If rmdir fails, it means /export/home is not empty + # Move contents to a backup location for a seamless user experience. + echo "/export/home is not empty. Moving contents to /export/home.backup before cleanup..." + backup_dir="/export/home.backup.$(date +%Y%m%d_%H%M%S)" + mv /export/home "$backup_dir" + if [ $? -ne 0 ]; then + echo "Failed to move /export/home contents to backup. Manual intervention required." + exit 1 + fi + echo "Contents of /export/home moved successfully to: $backup_dir" + fi + fi +else + echo "/home is not mounted. Aborting to avoid risk of data loss." + exit 1 +fi + +# Ensure /export exists +mkdir -p /export + +# Create symlink +echo "Creating symlink: /export/home -> /home" +if ln -s /home /export/home; then + echo "Symlink created successfully." +else + echo "Failed to create symlink /export/home -> /home. Check that /export exists, is writable, and no stale /export/home entry remains. Re-run this script after resolving." + exit 1 +fi