Skip to content

DLPX-86523 CIS: mount appliance user home at /home#565

Open
prakashsurya wants to merge 1 commit into
developfrom
projects/cis-home-mount
Open

DLPX-86523 CIS: mount appliance user home at /home#565
prakashsurya wants to merge 1 commit into
developfrom
projects/cis-home-mount

Conversation

@prakashsurya
Copy link
Copy Markdown
Contributor

@prakashsurya prakashsurya commented Jun 1, 2026

Problem

CIS hardening requires the home filesystem to be mounted at the standard
/home location. Today the home dataset is mounted at /export/home,
which causes the following CIS report failures:

  • (1.45) 7402 Status of the /home partition in /etc/fstab
  • (1.46) 13248 Status of mount partition /home using the mount command
  • (1.47) 7403 Status of the nodev mount option for /home in /etc/fstab
  • (1.48) 14601 Status of the nodev option for /home using mount

Solution

Move the appliance delphix user's home directory from /export/home/delphix
to /home/delphix by updating the Ansible tasks to reference /home.

This is the delphix-platform half of a flag-day change. The dataset mount,
the /export/home -> /home backward-compat symlink, and the /home fstab
nodev,nosuid hardening are all handled on the appliance-build side:

Because appliance-build now owns the /home mount, the previous explicit
base-directory creation task (and its now-stale comment about a "non-standard"
home location) is dropped — /home is a standard mountpoint that already
exists when these tasks run, so create_home: yes populates /home/delphix
on its own.

Flag day: this PR and appliance-build #869 must land together, since
this change assumes /home is mounted at apply time.

Testing Done

Refer to the testing section in the appliance-build counterpart:
delphix/appliance-build#869

@justsanjeev @prakashsurya @claude
DLPX-86523 CIS: mount appliance user home at /home
bb80e7e 
Point the delphix user's home directory at /home/delphix instead of
/export/home/delphix so the home dataset can be mounted at /home,
satisfying the CIS checks for the /home partition.

The dataset mount and the upgrade-time migration (the /export/home
symlink and /home fstab hardening) are handled entirely in
appliance-build, so on this side we only update the ansible tasks to
reference /home. The explicit base-directory creation is also dropped,
since /home is a standard mountpoint that already exists by the time
these tasks run.

Co-Authored-By: Prakash Surya <prakash.surya@perforce.com>
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@prakashsurya prakashsurya requested a review from justsanjeev June 1, 2026 23:36
@prakashsurya prakashsurya mentioned this pull request Jun 1, 2026
Open
dbjwhs-perforce
dbjwhs-perforce approved these changes Jun 2, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@dbjwhs-perforce dbjwhs-perforce left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dbjwhs-perforce dbjwhs-perforce dbjwhs-perforce approved these changes

@justsanjeev justsanjeev Awaiting requested review from justsanjeev

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@prakashsurya @dbjwhs-perforce @justsanjeev