From d9eb0d2cd3615ce14f33c29cb2406be5d69a0aee Mon Sep 17 00:00:00 2001 From: Sanjeev Rohila Date: Mon, 1 Sep 2025 11:47:06 +0530 Subject: [PATCH 1/8] Adding logic to take case the /export/home mount before delting /export/home Adding the mount point logic back to delphix-platform.sh script Changing as per Seb-s comment to alter the softlink logic. Changing the code to previous version to validate the comments. Changing the delphix-legacy-link.service to perform the same steps next reboot like deferred upgrade. Creating a different service for taking care of soft /export/home -> /home DLPX-89763 DLPX-86523 delphix-platform changes Moved the code to create symlink to different script Removing the autofs handling as per the concerns raised by Seb and our validation Removing the softlink loginc from main.yml Since /export/home has empty delphix directory, taking care Taking care the comments from Seb on 16 July 2025. handling /export/home and /home both mounted, validated in mount | grep home check PR URL: https://www.github.com/delphix/delphix-platform/pull/477 --- debian/preinst | 42 +++++++++++++++ .../systemd/system/delphix-platform.service | 1 + .../roles/delphix-platform/tasks/main.yml | 8 +-- .../var/lib/delphix-platform/export-home | 51 +++++++++++++++++++ 4 files changed, 98 insertions(+), 4 deletions(-) create mode 100644 debian/preinst create mode 100755 files/common/var/lib/delphix-platform/export-home diff --git a/debian/preinst b/debian/preinst new file mode 100644 index 000000000..a22ccb233 --- /dev/null +++ b/debian/preinst @@ -0,0 +1,42 @@ +#!/bin/bash -eux +# +# Copyright 2025 Delphix +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +case $1 in +upgrade) + # Home directories were previously mounted under /export/home, + # and this was changed to /home. This is the upgrade logic that + # updates the /etc/fstab file to reflect that change. + # Home directories will be mounted in both /export/home and /home + # until the system is rebooted to ensure that running processes + # referencing the old /export/home paths continue to function + # while also enabling new logins under /home to work. + fs_tab=/etc/fstab + + if grep -q "\/export\/home" "$fs_tab"; then + sed -i 's|/export/home|/home|g' "$fs_tab" + mount /home + fi + + passwd_file=/etc/passwd + if grep -q "\/export\/home" "$passwd_file"; then + sed -i 's/\/export\/home/\/home/g' /etc/passwd + fi + + ;; +esac + +exit 0 diff --git a/files/common/lib/systemd/system/delphix-platform.service b/files/common/lib/systemd/system/delphix-platform.service index 89a809d67..70514fdbe 100644 --- a/files/common/lib/systemd/system/delphix-platform.service +++ b/files/common/lib/systemd/system/delphix-platform.service @@ -24,6 +24,7 @@ Before=rsync.service docker.service Type=oneshot ExecStart=/var/lib/delphix-platform/ansible/apply ExecStart=/var/lib/delphix-platform/dynamic-debug +ExecStart=/var/lib/delphix-platform/export-home RemainAfterExit=yes # diff --git a/files/common/var/lib/delphix-platform/ansible/10-delphix-platform/roles/delphix-platform/tasks/main.yml b/files/common/var/lib/delphix-platform/ansible/10-delphix-platform/roles/delphix-platform/tasks/main.yml index 47a75d187..1a9a401be 100644 --- a/files/common/var/lib/delphix-platform/ansible/10-delphix-platform/roles/delphix-platform/tasks/main.yml +++ b/files/common/var/lib/delphix-platform/ansible/10-delphix-platform/roles/delphix-platform/tasks/main.yml @@ -1,5 +1,5 @@ # -# Copyright 2018, 2023 Delphix +# Copyright 2018, 2025 Delphix # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,7 +22,7 @@ # it below; otherwise that task will fail. # - file: - path: /export/home + path: /home state: directory mode: 0755 @@ -35,7 +35,7 @@ shell: /bin/bash create_home: yes comment: Delphix User - home: /export/home/delphix + home: /home/delphix # # In order for this locale to be used (e.g. by virtualization) we need @@ -637,7 +637,7 @@ - name: Source bash completion blockinfile: - dest: "/export/home/delphix/.bashrc" + dest: "/home/delphix/.bashrc" block: | . /etc/bash_completion.d/systemctl . /etc/bash_completion.d/zfs diff --git a/files/common/var/lib/delphix-platform/export-home b/files/common/var/lib/delphix-platform/export-home new file mode 100755 index 000000000..423065aae --- /dev/null +++ b/files/common/var/lib/delphix-platform/export-home @@ -0,0 +1,51 @@ +#!/bin/bash +# +# Copyright (c) 2025 by Delphix. All rights reserved. +# + +# +# This script ensures that the /export/home is a symlink +# to /home. +# + + +# If /export/home is already a symlink to /home, do nothing +if [ -L /export/home ]; then + echo '/export/home is already exists. Nothing to do.' + exit 0 +fi + +# if /export/home and /home both are mounted - Dont do anything +# Since during the next boot /export/home will not be mounted +# Since /export/home is there all tests will be passes +if mountpoint -q /export/home; then + echo '/export/home is still mounted. Check if /home is also mounted' + if mountpoint -q /home; then + echo '/home is also mounted. Since during the next boot /export/home will not be mounted, exiting safely.' + exit 0 + else + echo '/home is not mounted. Aborting!!' + exit 1 + fi +fi + +# /export/home is not mounted, check if /home is mounted +if mountpoint -q /home; then + echo '/home is mounted. Proceeding with the unmount check for /export/home.' +else + echo '/home is not mounted. Aborting to avoid risk of data loss.' + exit 1 +fi + +# Ensure /export directory exists +mkdir -p /export + +# Create symlink +echo 'Creating symlink: /export/home -> /home' +ln -s /home /export/home +if [ $? -eq 0 ]; then + echo 'Symlink created successfully.' +else + echo 'Failed to create symlink. Please check permissions and try again.' + exit 1 +fi From 968ecba2a25fe1fc78de46953818535016b94637 Mon Sep 17 00:00:00 2001 From: Sanjeev Rohila Date: Thu, 11 Sep 2025 13:09:28 +0530 Subject: [PATCH 2/8] removing /export/home since it was empty, found in manual check --- .../var/lib/delphix-platform/export-home | 24 ++++++++++++++----- 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/files/common/var/lib/delphix-platform/export-home b/files/common/var/lib/delphix-platform/export-home index 423065aae..30a6bc585 100755 --- a/files/common/var/lib/delphix-platform/export-home +++ b/files/common/var/lib/delphix-platform/export-home @@ -30,22 +30,34 @@ if mountpoint -q /export/home; then fi # /export/home is not mounted, check if /home is mounted +# Check if /home is mounted if mountpoint -q /home; then - echo '/home is mounted. Proceeding with the unmount check for /export/home.' + echo "/home is mounted. Proceeding with /export/home cleanup." + # If /export/home exists + if [ -d /export/home ]; then + echo "/export/home exists. Attempting to remove it..." + rmdir /export/home 2>/dev/null + if [ $? -eq 0 ]; then + echo "/export/home directory removed successfully." + else + echo "/export/home is not empty. Please clean it manually before running this script." + exit 1 + fi + fi else - echo '/home is not mounted. Aborting to avoid risk of data loss.' + echo "/home is not mounted. Aborting to avoid risk of data loss." exit 1 fi -# Ensure /export directory exists +# Ensure /export exists mkdir -p /export # Create symlink -echo 'Creating symlink: /export/home -> /home' +echo "Creating symlink: /export/home -> /home" ln -s /home /export/home if [ $? -eq 0 ]; then - echo 'Symlink created successfully.' + echo "Symlink created successfully." else - echo 'Failed to create symlink. Please check permissions and try again.' + echo "Failed to create symlink. Please check permissions and try again." exit 1 fi From 0a51c72af3817460c1fafe8fcfc9d26b38d37e93 Mon Sep 17 00:00:00 2001 From: Sanjeev Rohila Date: Tue, 16 Dec 2025 15:33:50 +0530 Subject: [PATCH 3/8] Adding the logic to move the contents of /export/home if its not empty, for a better user experience. --- .../var/lib/delphix-platform/export-home | 64 ++++++++++--------- 1 file changed, 35 insertions(+), 29 deletions(-) diff --git a/files/common/var/lib/delphix-platform/export-home b/files/common/var/lib/delphix-platform/export-home index 30a6bc585..ab16cc00b 100755 --- a/files/common/var/lib/delphix-platform/export-home +++ b/files/common/var/lib/delphix-platform/export-home @@ -8,45 +8,51 @@ # to /home. # - # If /export/home is already a symlink to /home, do nothing if [ -L /export/home ]; then - echo '/export/home is already exists. Nothing to do.' - exit 0 + echo '/export/home is already exists. Nothing to do.' + exit 0 fi # if /export/home and /home both are mounted - Dont do anything # Since during the next boot /export/home will not be mounted # Since /export/home is there all tests will be passes if mountpoint -q /export/home; then - echo '/export/home is still mounted. Check if /home is also mounted' - if mountpoint -q /home; then - echo '/home is also mounted. Since during the next boot /export/home will not be mounted, exiting safely.' - exit 0 - else - echo '/home is not mounted. Aborting!!' - exit 1 - fi + echo '/export/home is still mounted. Check if /home is also mounted' + if mountpoint -q /home; then + echo '/home is also mounted. Since during the next boot /export/home will not be mounted, exiting safely.' + exit 0 + else + echo '/home is not mounted. Aborting!!' + exit 1 + fi fi # /export/home is not mounted, check if /home is mounted -# Check if /home is mounted if mountpoint -q /home; then - echo "/home is mounted. Proceeding with /export/home cleanup." - # If /export/home exists - if [ -d /export/home ]; then - echo "/export/home exists. Attempting to remove it..." - rmdir /export/home 2>/dev/null - if [ $? -eq 0 ]; then - echo "/export/home directory removed successfully." - else - echo "/export/home is not empty. Please clean it manually before running this script." - exit 1 - fi - fi + echo "/home is mounted. Proceeding with /export/home cleanup." + # If /export/home exists + if [ -d /export/home ]; then + echo "/export/home exists. Attempting to remove it..." + rmdir /export/home 2>/dev/null + if [ $? -eq 0 ]; then + echo "/export/home directory removed successfully." + else + # If rmdir fails, it means /export/home is not empty + # Move contents to a backup location for a seamless user experience. + echo "/export/home is not empty. Moving contents to /export/home.backup before cleanup..." + backup_dir="/export/home.backup.$(date +%Y%m%d_%H%M%S)" + mv /export/home "$backup_dir" + if [ $? -ne 0 ]; then + echo "Failed to move /export/home contents to backup. Manual intervention required." + exit 1 + fi + echo "Contents of /export/home moved successfully to: $backup_dir" + fi + fi else - echo "/home is not mounted. Aborting to avoid risk of data loss." - exit 1 + echo "/home is not mounted. Aborting to avoid risk of data loss." + exit 1 fi # Ensure /export exists @@ -56,8 +62,8 @@ mkdir -p /export echo "Creating symlink: /export/home -> /home" ln -s /home /export/home if [ $? -eq 0 ]; then - echo "Symlink created successfully." + echo "Symlink created successfully." else - echo "Failed to create symlink. Please check permissions and try again." - exit 1 + echo "Failed to create symlink. Please check permissions and try again." + exit 1 fi From 74a097e31e2b3f080b0e1b5270136974e7a80ed0 Mon Sep 17 00:00:00 2001 From: Sanjeev Rohila Date: Mon, 5 Jan 2026 16:01:52 +0530 Subject: [PATCH 4/8] Updating copyright header --- debian/preinst | 2 +- files/common/lib/systemd/system/delphix-platform.service | 2 +- .../10-delphix-platform/roles/delphix-platform/tasks/main.yml | 2 +- files/common/var/lib/delphix-platform/export-home | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/debian/preinst b/debian/preinst index a22ccb233..177e0ef57 100644 --- a/debian/preinst +++ b/debian/preinst @@ -1,6 +1,6 @@ #!/bin/bash -eux # -# Copyright 2025 Delphix +# Copyright 2026 Delphix # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/files/common/lib/systemd/system/delphix-platform.service b/files/common/lib/systemd/system/delphix-platform.service index 70514fdbe..b5fe500af 100644 --- a/files/common/lib/systemd/system/delphix-platform.service +++ b/files/common/lib/systemd/system/delphix-platform.service @@ -1,5 +1,5 @@ # -# Copyright 2019 Delphix +# Copyright 2019, 2026 Delphix # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/files/common/var/lib/delphix-platform/ansible/10-delphix-platform/roles/delphix-platform/tasks/main.yml b/files/common/var/lib/delphix-platform/ansible/10-delphix-platform/roles/delphix-platform/tasks/main.yml index 1a9a401be..2ec399d74 100644 --- a/files/common/var/lib/delphix-platform/ansible/10-delphix-platform/roles/delphix-platform/tasks/main.yml +++ b/files/common/var/lib/delphix-platform/ansible/10-delphix-platform/roles/delphix-platform/tasks/main.yml @@ -1,5 +1,5 @@ # -# Copyright 2018, 2025 Delphix +# Copyright 2018, 2026 Delphix # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/files/common/var/lib/delphix-platform/export-home b/files/common/var/lib/delphix-platform/export-home index ab16cc00b..e9f990cb5 100755 --- a/files/common/var/lib/delphix-platform/export-home +++ b/files/common/var/lib/delphix-platform/export-home @@ -1,6 +1,6 @@ #!/bin/bash # -# Copyright (c) 2025 by Delphix. All rights reserved. +# Copyright (c) 2026 by Delphix. All rights reserved. # # From 298ee158a658fff874dfa43e0f4c6bb23266771b Mon Sep 17 00:00:00 2001 From: Sanjeev Rohila Date: Thu, 29 Jan 2026 19:27:14 +0530 Subject: [PATCH 5/8] Moving this logic to appliance-build, for testing purpose keeping file contents commented. --- debian/preinst | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/debian/preinst b/debian/preinst index 177e0ef57..f1e4d74d5 100644 --- a/debian/preinst +++ b/debian/preinst @@ -24,17 +24,17 @@ upgrade) # until the system is rebooted to ensure that running processes # referencing the old /export/home paths continue to function # while also enabling new logins under /home to work. - fs_tab=/etc/fstab - - if grep -q "\/export\/home" "$fs_tab"; then - sed -i 's|/export/home|/home|g' "$fs_tab" - mount /home - fi - - passwd_file=/etc/passwd - if grep -q "\/export\/home" "$passwd_file"; then - sed -i 's/\/export\/home/\/home/g' /etc/passwd - fi + fs_tab=/etc/fstab + # + # if grep -q "\/export\/home" "$fs_tab"; then + # sed -i 's|/export/home|/home|g' "$fs_tab" + # mount /home + # fi + # + # passwd_file=/etc/passwd + # if grep -q "\/export\/home" "$passwd_file"; then + # sed -i 's/\/export\/home/\/home/g' /etc/passwd + # fi ;; esac From f0a04c96acc9b808820d3f9c2d1c13f1c10c4a09 Mon Sep 17 00:00:00 2001 From: Sanjeev Rohila Date: Wed, 25 Mar 2026 14:10:26 +0530 Subject: [PATCH 6/8] Fixing the etc/fstab mount option during upgrade here. --- .../roles/delphix-platform/tasks/main.yml | 23 ++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/files/common/var/lib/delphix-platform/ansible/10-delphix-platform/roles/delphix-platform/tasks/main.yml b/files/common/var/lib/delphix-platform/ansible/10-delphix-platform/roles/delphix-platform/tasks/main.yml index 2ec399d74..7c52c3506 100644 --- a/files/common/var/lib/delphix-platform/ansible/10-delphix-platform/roles/delphix-platform/tasks/main.yml +++ b/files/common/var/lib/delphix-platform/ansible/10-delphix-platform/roles/delphix-platform/tasks/main.yml @@ -104,7 +104,7 @@ # found in this directory, but also used by upgrade-scripts stored in # the appliace-build repository (which generates the upgrade image). # Thus, we need to be careful if/when changing this, as we'll need to -# coordinate the change with the appliance-build upgrade-scripts. +# coordinate the change with the appliance-build upgrade-scripts.aws # - file: path: /var/dlpx-update @@ -654,6 +654,27 @@ # Set default umask value. umask 027 +# +# Add nodev,nosuid to the /home fstab entry for security hardening (CIS). +# New VMs have this handled during fresh provisioning; this covers upgrades +# where the entry may lack these options. +# +- name: Check if /home fstab entry needs nodev,nosuid + shell: | + grep -qE '^[^#].*\s/home\s' /etc/fstab && \ + (! grep -qE '^[^#].*\s/home\s.*nodev' /etc/fstab || \ + ! grep -qE '^[^#].*\s/home\s.*nosuid' /etc/fstab) + register: home_fstab_needs_update + failed_when: false + changed_when: false + +- name: Add nodev,nosuid to /home fstab entry + replace: + path: /etc/fstab + regexp: '(^[^#].*\s/home\s.*)defaults' + replace: '\1defaults,nodev,nosuid' + when: home_fstab_needs_update.rc == 0 + - name: Mount /dev/shm with noexec,nosuid,nodev ansible.posix.mount: path: /dev/shm From 64fe7114a35070fcd54b0bfc48f7569a37c6e348 Mon Sep 17 00:00:00 2001 From: Sanjeev Rohila Date: Fri, 17 Apr 2026 13:35:55 +0530 Subject: [PATCH 7/8] Removing preinst script, the logic moved to appliance-build --- debian/preinst | 42 ------------------------------------------ 1 file changed, 42 deletions(-) delete mode 100644 debian/preinst diff --git a/debian/preinst b/debian/preinst deleted file mode 100644 index f1e4d74d5..000000000 --- a/debian/preinst +++ /dev/null @@ -1,42 +0,0 @@ -#!/bin/bash -eux -# -# Copyright 2026 Delphix -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -case $1 in -upgrade) - # Home directories were previously mounted under /export/home, - # and this was changed to /home. This is the upgrade logic that - # updates the /etc/fstab file to reflect that change. - # Home directories will be mounted in both /export/home and /home - # until the system is rebooted to ensure that running processes - # referencing the old /export/home paths continue to function - # while also enabling new logins under /home to work. - fs_tab=/etc/fstab - # - # if grep -q "\/export\/home" "$fs_tab"; then - # sed -i 's|/export/home|/home|g' "$fs_tab" - # mount /home - # fi - # - # passwd_file=/etc/passwd - # if grep -q "\/export\/home" "$passwd_file"; then - # sed -i 's/\/export\/home/\/home/g' /etc/passwd - # fi - - ;; -esac - -exit 0 From 4e091fb64368ccd84cd16e179887dfb4ccf2cb11 Mon Sep 17 00:00:00 2001 From: Sanjeev Rohila Date: Wed, 6 May 2026 16:49:59 +0530 Subject: [PATCH 8/8] Fixing the message with proper handling suggestion in case of symlink creation failure. --- files/common/var/lib/delphix-platform/export-home | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/files/common/var/lib/delphix-platform/export-home b/files/common/var/lib/delphix-platform/export-home index e9f990cb5..87c05bfea 100755 --- a/files/common/var/lib/delphix-platform/export-home +++ b/files/common/var/lib/delphix-platform/export-home @@ -60,10 +60,9 @@ mkdir -p /export # Create symlink echo "Creating symlink: /export/home -> /home" -ln -s /home /export/home -if [ $? -eq 0 ]; then +if ln -s /home /export/home; then echo "Symlink created successfully." else - echo "Failed to create symlink. Please check permissions and try again." + echo "Failed to create symlink /export/home -> /home. Check that /export exists, is writable, and no stale /export/home entry remains. Re-run this script after resolving." exit 1 fi