DLPX-86523 CIS: /home filesystem and mount options

Fixing the headers in the changed files.
Incoprorating new comments from Seb
Resolving comments from Seb on redundant nodev

PR URL: https://www.github.com/delphix/appliance-build/pull/756

Author: justsanjeev

live-build/config/hooks/vm-artifacts/90-raw-disk-image.binary

@@ -1,6 +1,6 @@
 #!/bin/bash -ex
 #
-# Copyright 2018 Delphix
+# Copyright 2018, 2025 Delphix
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -275,8 +275,8 @@ zfs create \
 # contents. During normal boot up, we'll rely on "/etc/fstab" to handle
 # these mounts.
 #
-mkdir -p "$DIRECTORY/export/home"
-mount -t zfs "$FSNAME/ROOT/$FSNAME/home" "$DIRECTORY/export/home"
+mkdir -p "$DIRECTORY/home"
+mount -t zfs "$FSNAME/ROOT/$FSNAME/home" "$DIRECTORY/home"
 
 mkdir -p "$DIRECTORY/var/delphix"
 mount -t zfs "$FSNAME/ROOT/$FSNAME/data" "$DIRECTORY/var/delphix"
@@ -312,7 +312,7 @@ rsync --info=stats3 -WaAX binary/* "$DIRECTORY/"
 # automatically whenever we boot into the crash kernel.
 #
 cat <<-EOF >"$DIRECTORY/etc/fstab"
-	rpool/ROOT/$FSNAME/home /export/home zfs defaults,x-systemd.before=zfs-import-cache.service 0 0
+	rpool/ROOT/$FSNAME/home /home zfs defaults,nodev,x-systemd.before=zfs-import-cache.service 0 0
 	rpool/ROOT/$FSNAME/data /var/delphix zfs defaults,x-systemd.before=zfs-import-cache.service 0 0
 	rpool/ROOT/$FSNAME/log  /var/log     zfs defaults,x-systemd.before=zfs-import-cache.service 0 0
 	rpool/ROOT/$FSNAME/tmp  /tmp     zfs defaults,nosuid,nodev,exec,x-systemd.before=zfs-import-cache.service 0 0
@@ -357,7 +357,7 @@ done
 
 umount "$DIRECTORY/var/log"
 umount "$DIRECTORY/var/delphix"
-umount "$DIRECTORY/export/home"
+umount "$DIRECTORY/home"
 umount "$DIRECTORY/tmp"
 umount "$DIRECTORY/var/tmp"
 umount "/var/crash"

live-build/misc/ansible-roles/appliance-build.masking-development/tasks/main.yml

@@ -1,5 +1,5 @@
 #
-# Copyright 2018 Delphix
+# Copyright 2018, 2025 Delphix
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -26,14 +26,14 @@
 - git:
     repo: "https://{{ lookup('env', 'GITHUB_TOKEN') }}@github.com/delphix/dms-core-gate.git"
     dest:
-      "/export/home/delphix/dms-core-gate"
+      "/home/delphix/dms-core-gate"
     version: "develop"
     accept_hostkey: yes
     update: no
   when: lookup('env', 'GITHUB_TOKEN') != ''
 
 - file:
-    path: "/export/home/delphix/{{ item }}"
+    path: "/home/delphix/{{ item }}"
     owner: delphix
     group: staff
     mode: "g+w"

live-build/misc/ansible-roles/appliance-build.minimal-common/tasks/main.yml

@@ -1,5 +1,5 @@
 #
-# Copyright 2018 Delphix
+# Copyright 2018, 2025 Delphix
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -26,7 +26,7 @@
   no_log: true
 
 - file:
-    path: /export/home
+    path: /home
     state: directory
     mode: 0755
 
@@ -39,7 +39,7 @@
     shell: /bin/bash
     create_home: yes
     comment: Delphix User
-    home: /export/home/delphix
+    home: /home/delphix
     password:
       "{{ lookup('env', 'APPLIANCE_PASSWORD') | password_hash('sha512') }}"
 

live-build/misc/ansible-roles/appliance-build.unittest-internal/tasks/main.yml

@@ -1,5 +1,5 @@
 #
-# Copyright 2019 Delphix
+# Copyright 2019, 2025 Delphix
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -88,7 +88,7 @@
 - user:
     name: testrunner
     comment: "Delphix"
-    home: /export/home/testrunner
+    home: /home/testrunner
     groups: docker
     password:
       "$6$pWQE0MPZWgue7fNC$8RvR0u04Mt67792b.x4ao0G2Z/H/hrYPWezOqCkz59MIA\

live-build/misc/ansible-roles/appliance-build.virtualization-development/tasks/main.yml

@@ -1,5 +1,5 @@
 #
-# Copyright 2018 Delphix
+# Copyright 2018, 2025 Delphix
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -73,14 +73,14 @@
 
 - git:
     repo: "https://{{ lookup('env', 'GITHUB_TOKEN') }}@github.com/delphix/dlpx-app-gate.git"
-    dest: "/export/home/delphix/dlpx-app-gate"
+    dest: "/home/delphix/dlpx-app-gate"
     version: "develop"
     accept_hostkey: yes
     update: no
   when: lookup('env', 'GITHUB_TOKEN') != ''
 
 - file:
-    path: "/export/home/delphix/{{ item }}"
+    path: "/home/delphix/{{ item }}"
     owner: delphix
     group: staff
     mode: "g+w"

live-build/misc/ansible-roles/appliance-build.zfsonlinux-development/tasks/main.yml

@@ -1,5 +1,5 @@
 #
-# Copyright 2018 Delphix
+# Copyright 2018, 2025 Delphix
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -67,26 +67,26 @@
 - git:
     repo: "https://{{ lookup('env', 'GITHUB_TOKEN') }}@github.com/delphix/zfs.git"
     dest:
-      "/export/home/delphix/zfs"
+      "/home/delphix/zfs"
     version: develop
     accept_hostkey: yes
     update: no
   when: lookup('env', 'GITHUB_TOKEN') != ''
 
 - file:
-    path: "/export/home/delphix/zfs"
+    path: "/home/delphix/zfs"
     owner: delphix
     group: staff
     state: directory
     recurse: yes
 
 - file:
-    path: "/export/home/delphix/.cargo/"
+    path: "/home/delphix/.cargo/"
     state: directory
     owner: delphix
     group: staff
 - copy:
-    dest: "/export/home/delphix/.cargo/config.toml"
+    dest: "/home/delphix/.cargo/config.toml"
     content: |
         [target.x86_64-unknown-linux-gnu]
         rustflags = ["-C", "link-arg=-B/usr/libexec/mold"]

upgrade/FAQ.md

@@ -89,7 +89,7 @@ resemble the following:
 
 A "rootfs container" is a collection of ZFS datasets that can be used as
 the "root filesytsem" of the appliance. This includes a dataset for "/"
-of the appliance, but also seperate datasets for "/export/home" and
+of the appliance, but also seperate datasets for "/home" and
 "/var/delphix".
 
 Here's an example of the datasets for a rootfs container:

upgrade/upgrade-scripts/upgrade-container

@@ -177,7 +177,7 @@ function create_upgrade_container() {
 		-o mountpoint=legacy \
 		"$ROOTFS_DATASET/home@$SNAPSHOT_NAME" \
 		"rpool/ROOT/$CONTAINER/home" ||
-		die "failed to create upgrade /export/home clone"
+		die "failed to create upgrade /home clone"
 
 	zfs clone \
 		-o mountpoint=legacy \
@@ -205,6 +205,90 @@ function create_upgrade_container() {
 			die "failed to create upgrade /var/tmp clone"
 	fi
 
+	case "$type" in
+	not-in-place)
+		#
+		# We need to ensure all of the upgrade container's datasets
+		# are mounted before running "debootstrap". This way, if any
+		# packages installed by "debootstrap" happen to deliver
+		# files to any of these directories, they'll be propertly
+		# delivered to the correct dataset, rather than the root
+		# dataset.
+		#
+		mount_upgrade_container_dataset \
+			"rpool/ROOT/$CONTAINER/home" "$DIRECTORY/home"
+		mount_upgrade_container_dataset \
+			"rpool/ROOT/$CONTAINER/data" "$DIRECTORY/var/delphix"
+		mount_upgrade_container_dataset \
+			"rpool/ROOT/$CONTAINER/log" "$DIRECTORY/var/log"
+
+		if $TMP_DATASETS_EXIST; then
+			mount_upgrade_container_dataset \
+				"rpool/ROOT/$CONTAINER/tmp" "$DIRECTORY/tmp"
+			mount_upgrade_container_dataset \
+				"rpool/ROOT/$CONTAINER/vartmp" "$DIRECTORY/var/tmp"
+		fi
+
+		#
+		# This function needs to return the container's name to
+		# stdout, so that consumers of this function/script can
+		# consume that name and then later start/stop/destroy the
+		# container. Thus, we have to redirect the output from
+		# debootstrap away from stdout.
+		#
+		# Also, we need to include the "systemd-container" package
+		# when installing the base systemd with debootstrap so that
+		# starting the container will work properly. Otherwise,
+		# after starting the container, we won't be able to
+		# communicate and later run commands in the container with
+		# "systemd-run".
+		#
+		# On Ubuntu 20.04, in-order to satisfy some package
+		# dependencies, we must set the variant to "minbase" and list
+		# "ntp" in the include list before "systemd-container".
+		# Setting the variant to minbase removes systemd from the
+		# packages being installed by default. Systemd will still
+		# be installed, but in a later pass, as a dependency of
+		# systemd-container. The reason we need to go through those
+		# hoops is the following:
+		#  - systemd has a package dependency on a "time-daemon"
+		#    virtual package, which is provided by either "ntp" or
+		#    "systemd-timesyncd".
+		#  - If a time-deamon is not already installed when
+		#    installing systemd, then systemd will try to
+		#    install systemd-timesyncd.
+		#  - systemd-timesyncd is not available in our upgrade
+		#    images because we install ntp and ntp conflicts with
+		#    systemd-timesyncd.
+		#  - Setting variant as minbase and list ntp before
+		#    systemd-container in the include list allows debootstrap
+		#    to install ntp before systemd, thus satisfying the
+		#    package dependencies.
+		# Note that we do not run into those problems during live-build
+		# because debootstrap is already run with variant=minbase and
+		# systemd is not installed by debootstrap, but rather by
+		# delphix-platform which pulls both ntp and systemd.
+		#
+		debootstrap --no-check-gpg --variant=minbase \
+			--components=delphix --include=ntp,systemd-container \
+			focal "$DIRECTORY" "file://$IMAGE_PATH" 1>&2 ||
+			die "failed to debootstrap upgrade filesystem"
+
+		#
+		# Now that we've successfully run "deboostrap", we can
+		# unmount these datasets that were mounted above.
+		#
+		unmount_upgrade_container_dataset "rpool/ROOT/$CONTAINER/log"
+		unmount_upgrade_container_dataset "rpool/ROOT/$CONTAINER/data"
+		unmount_upgrade_container_dataset "rpool/ROOT/$CONTAINER/home"
+
+		if $TMP_DATASETS_EXIST; then
+			unmount_upgrade_container_dataset "rpool/ROOT/$CONTAINER/tmp"
+			unmount_upgrade_container_dataset "rpool/ROOT/$CONTAINER/vartmp"
+		fi
+		;;
+	esac
+
 	#
 	# We rely on the "/etc/fstab" file to mount the non-root ZFS
 	# filesystems, so that when a specific rootfs dataset is booted,
@@ -213,7 +297,7 @@ function create_upgrade_container() {
 	# before the zfs-import service is run.
 	#
 	cat <<-EOF >"$DIRECTORY/etc/fstab"
-		rpool/ROOT/$CONTAINER/home /export/home zfs defaults,x-systemd.before=zfs-import-cache.service 0 0
+		rpool/ROOT/$CONTAINER/home /home zfs defaults,nodev,x-systemd.before=zfs-import-cache.service 0 0
 		rpool/ROOT/$CONTAINER/data /var/delphix zfs defaults,x-systemd.before=zfs-import-cache.service 0 0
 		rpool/ROOT/$CONTAINER/log  /var/log     zfs defaults,x-systemd.before=zfs-import-cache.service 0 0
 		rpool/crashdump            /var/crash   zfs defaults,x-systemd.before=zfs-import-cache.service,x-systemd.before=kdump-tools.service 0 0