From 4728fce9630da877b6649f42b1817d2928286a54 Mon Sep 17 00:00:00 2001
From: Sanjeev Rohila
Date: Tue, 20 May 2025 13:43:40 +0530
Subject: [PATCH 1/8] DLPX-86523 CIS: /home filesystem and mount options
Fixing the headers in the changed files. Incoprorating new comments from Seb Resolving comments from Seb on redundant nodev
PR URL: https://www.github.com/delphix/appliance-build/pull/756
---
 .../config/hooks/vm-artifacts/90-raw-disk-image.binary | 10 +++++-----
 .../appliance-build.masking-development/tasks/main.yml | 6 +++---
 .../appliance-build.minimal-common/tasks/main.yml | 6 +++---
 .../appliance-build.unittest-internal/tasks/main.yml | 4 ++--
 .../tasks/main.yml | 6 +++---
 .../tasks/main.yml | 10 +++++-----
 upgrade/FAQ.md | 2 +-
 upgrade/upgrade-scripts/upgrade-container | 4 ++--
 8 files changed, 24 insertions(+), 24 deletions(-)
diff --git a/live-build/config/hooks/vm-artifacts/90-raw-disk-image.binary b/live-build/config/hooks/vm-artifacts/90-raw-disk-image.binary
index 34c2df9d..568b26c0 100755
--- a/live-build/config/hooks/vm-artifacts/90-raw-disk-image.binary
+++ b/live-build/config/hooks/vm-artifacts/90-raw-disk-image.binary
@@ -1,6 +1,6 @@
 #!/bin/bash -ex
 #
-# Copyright 2018 Delphix
+# Copyright 2018, 2025 Delphix
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -274,8 +274,8 @@ zfs create \
 # contents. During normal boot up, we'll rely on "/etc/fstab" to handle
 # these mounts.
 #
-mkdir -p "$DIRECTORY/export/home"
-mount -t zfs "$FSNAME/ROOT/$FSNAME/home" "$DIRECTORY/export/home"
+mkdir -p "$DIRECTORY/home"
+mount -t zfs "$FSNAME/ROOT/$FSNAME/home" "$DIRECTORY/home"
 mkdir -p "$DIRECTORY/var/delphix"
 mount -t zfs "$FSNAME/ROOT/$FSNAME/data" "$DIRECTORY/var/delphix"
@@ -314,7 +314,7 @@ rsync --info=stats3 -WaAX binary/* "$DIRECTORY/"
 # automatically whenever we boot into the crash kernel.
 #
 cat <<-EOF >"$DIRECTORY/etc/fstab"
- rpool/ROOT/$FSNAME/home /export/home zfs defaults,x-systemd.before=zfs-import-cache.service 0 0
+ rpool/ROOT/$FSNAME/home /home zfs defaults,nodev,x-systemd.before=zfs-import-cache.service 0 0
 rpool/ROOT/$FSNAME/data /var/delphix zfs defaults,x-systemd.before=zfs-import-cache.service 0 0
 rpool/ROOT/$FSNAME/log /var/log zfs defaults,x-systemd.before=zfs-import-cache.service 0 0
 rpool/ROOT/$FSNAME/tmp /tmp zfs defaults,nosuid,nodev,exec,x-systemd.before=zfs-import-cache.service 0 0
@@ -420,7 +420,7 @@ done
 umount "$DIRECTORY/var/log"
 umount "$DIRECTORY/var/delphix"
-umount "$DIRECTORY/export/home"
+umount "$DIRECTORY/home"
 umount "$DIRECTORY/tmp"
 umount "$DIRECTORY/var/tmp"
 umount "/var/crash"
diff --git a/live-build/misc/ansible-roles/appliance-build.masking-development/tasks/main.yml b/live-build/misc/ansible-roles/appliance-build.masking-development/tasks/main.yml
index 9fde6f6d..b3a9e4bd 100644
--- a/live-build/misc/ansible-roles/appliance-build.masking-development/tasks/main.yml
+++ b/live-build/misc/ansible-roles/appliance-build.masking-development/tasks/main.yml
@@ -1,5 +1,5 @@
 #
-# Copyright 2018 Delphix
+# Copyright 2018, 2025 Delphix
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -26,14 +26,14 @@
 - git:
 repo: "https://{{ lookup('env', 'GITHUB_TOKEN') }}@github.com/delphix/dms-core-gate.git"
 dest:
- "/export/home/delphix/dms-core-gate"
+ "/home/delphix/dms-core-gate"
 version: "develop"
 accept_hostkey: yes
 update: no
 when: lookup('env', 'GITHUB_TOKEN') != ''
 - file:
- path: "/export/home/delphix/{{ item }}"
+ path: "/home/delphix/{{ item }}"
 owner: delphix
 group: staff
 mode: "g+w"
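Review bot: The `git` task whose `dest` moves to `/home/delphix/dms-core-gate` (masking-development, second hunk) clones from a URL with `GITHUB_TOKEN` embedded, so git records the token in the checkout's `.git/config` and it stays on the built image unless a step outside this hunk removes it. The same pattern is in the virtualization-development (`dlpx-app-gate`) and zfsonlinux-development (`zfs`) hunks of this patch. After the clone, reset the remote to the token-free form, e.g. a follow-up task running `git remote set-url origin https://github.com/delphix/dms-core-gate.git` with `chdir` on the checkout, and put `no_log: true` on the `git` task so the rendered URL stays out of build logs.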
diff --git a/live-build/misc/ansible-roles/appliance-build.minimal-common/tasks/main.yml b/live-build/misc/ansible-roles/appliance-build.minimal-common/tasks/main.yml
index d95545e6..3f99b3b9 100644
--- a/live-build/misc/ansible-roles/appliance-build.minimal-common/tasks/main.yml
+++ b/live-build/misc/ansible-roles/appliance-build.minimal-common/tasks/main.yml
@@ -1,5 +1,5 @@
 #
-# Copyright 2018 Delphix
+# Copyright 2018, 2025 Delphix
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -26,7 +26,7 @@
 no_log: true
 - file:
- path: /export/home
+ path: /home
 state: directory
 mode: 0755
@@ -39,7 +39,7 @@
 shell: /bin/bash
 create_home: yes
 comment: Delphix User
- home: /export/home/delphix
+ home: /home/delphix
 password: "{{ lookup('env', 'APPLIANCE_PASSWORD') | password_hash('sha512') }}"
diff --git a/live-build/misc/ansible-roles/appliance-build.unittest-internal/tasks/main.yml b/live-build/misc/ansible-roles/appliance-build.unittest-internal/tasks/main.yml
index acae0b29..b022d915 100644
--- a/live-build/misc/ansible-roles/appliance-build.unittest-internal/tasks/main.yml
+++ b/live-build/misc/ansible-roles/appliance-build.unittest-internal/tasks/main.yml
@@ -1,5 +1,5 @@
 #
-# Copyright 2019 Delphix
+# Copyright 2019, 2025 Delphix
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -95,7 +95,7 @@
 - user:
 name: testrunner
 comment: "Delphix"
- home: /export/home/testrunner
+ home: /home/testrunner
 groups: docker
 password: "$6$pWQE0MPZWgue7fNC$8RvR0u04Mt67792b.x4ao0G2Z/H/hrYPWezOqCkz59MIA\
diff --git a/live-build/misc/ansible-roles/appliance-build.virtualization-development/tasks/main.yml b/live-build/misc/ansible-roles/appliance-build.virtualization-development/tasks/main.yml
index 862376f6..4f5b7a4e 100644
--- a/live-build/misc/ansible-roles/appliance-build.virtualization-development/tasks/main.yml
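Review bot: In the `user` task of appliance-build.minimal-common (hunk at line 39), `lookup('env', 'APPLIANCE_PASSWORD') | password_hash('sha512')` has no visible guard for an unset variable; the env lookup then yields an empty string and the account whose home is now `/home/delphix` would receive the hash of an empty password. The task starts above the hunk, so a check may already exist there. If it does not, add a preceding `assert` with `that: lookup('env', 'APPLIANCE_PASSWORD') | length > 0` so the build fails instead of producing such an image.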
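Review bot: The `testrunner` account relocated by the unittest-internal hunk (line 95) carries a fixed crypt hash committed to the repository and is a member of `docker`, a group that is effectively root on the host. Every image built from this role shares that credential, and anyone who can read the repository can attack the hash offline. If the role is only ever applied to internal unit-test variants, a comment on the task saying so would help; otherwise lock the password with `password: "!"` and use key-based access or a build-time secret. The task extends past the end of the hunk.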
+++ b/live-build/misc/ansible-roles/appliance-build.virtualization-development/tasks/main.yml
@@ -1,5 +1,5 @@
 #
-# Copyright 2018 Delphix
+# Copyright 2018, 2025 Delphix
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -73,14 +73,14 @@
 - git:
 repo: "https://{{ lookup('env', 'GITHUB_TOKEN') }}@github.com/delphix/dlpx-app-gate.git"
- dest: "/export/home/delphix/dlpx-app-gate"
+ dest: "/home/delphix/dlpx-app-gate"
 version: "develop"
 accept_hostkey: yes
 update: no
 when: lookup('env', 'GITHUB_TOKEN') != ''
 - file:
- path: "/export/home/delphix/{{ item }}"
+ path: "/home/delphix/{{ item }}"
 owner: delphix
 group: staff
 mode: "g+w"
diff --git a/live-build/misc/ansible-roles/appliance-build.zfsonlinux-development/tasks/main.yml b/live-build/misc/ansible-roles/appliance-build.zfsonlinux-development/tasks/main.yml
index 7df32cf3..063c2eb2 100644
--- a/live-build/misc/ansible-roles/appliance-build.zfsonlinux-development/tasks/main.yml
+++ b/live-build/misc/ansible-roles/appliance-build.zfsonlinux-development/tasks/main.yml
@@ -1,5 +1,5 @@
 #
-# Copyright 2018 Delphix
+# Copyright 2018, 2025 Delphix
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -67,26 +67,26 @@
 - git:
 repo: "https://{{ lookup('env', 'GITHUB_TOKEN') }}@github.com/delphix/zfs.git"
 dest:
- "/export/home/delphix/zfs"
+ "/home/delphix/zfs"
 version: develop
 accept_hostkey: yes
 update: no
 when: lookup('env', 'GITHUB_TOKEN') != ''
 - file:
- path: "/export/home/delphix/zfs"
+ path: "/home/delphix/zfs"
 owner: delphix
 group: staff
 state: directory
 recurse: yes
 - file:
- path: "/export/home/delphix/.cargo/"
+ path: "/home/delphix/.cargo/"
 state: directory
 owner: delphix
 group: staff
 - copy:
- dest: "/export/home/delphix/.cargo/config.toml"
+ dest: "/home/delphix/.cargo/config.toml"
 content: |
 [target.x86_64-unknown-linux-gnu]
 rustflags = ["-C", "link-arg=-B/usr/libexec/mold"]
diff --git a/upgrade/FAQ.md b/upgrade/FAQ.md
index 4b4ff44e..08f7e442 100644
--- a/upgrade/FAQ.md
+++ b/upgrade/FAQ.md
@@ -89,7 +89,7 @@ resemble the following:
 A "rootfs container" is a collection of ZFS datasets that can be used as the "root filesytsem" of the appliance. This includes a dataset for "/"
-of the appliance, but also seperate datasets for "/export/home" and
+of the appliance, but also seperate datasets for "/home" and
 "/var/delphix". Here's an example of the datasets for a rootfs container:
diff --git a/upgrade/upgrade-scripts/upgrade-container b/upgrade/upgrade-scripts/upgrade-container
index 4bc6baa2..b1b06084 100755
--- a/upgrade/upgrade-scripts/upgrade-container
+++ b/upgrade/upgrade-scripts/upgrade-container
@@ -177,7 +177,7 @@ function create_upgrade_container() {
 -o mountpoint=legacy \
 "$ROOTFS_DATASET/home@$SNAPSHOT_NAME" \
 "rpool/ROOT/$CONTAINER/home" ||
- die "failed to create upgrade /export/home clone"
+ die "failed to create upgrade /home clone"
 zfs clone \
 -o mountpoint=legacy \
@@ -213,7 +213,7 @@ function create_upgrade_container() {
 # before the zfs-import service is run.
 #
 cat <<-EOF >"$DIRECTORY/etc/fstab"
- rpool/ROOT/$CONTAINER/home /export/home zfs defaults,x-systemd.before=zfs-import-cache.service 0 0
+ rpool/ROOT/$CONTAINER/home /home zfs defaults,nodev,x-systemd.before=zfs-import-cache.service 0 0
 rpool/ROOT/$CONTAINER/data /var/delphix zfs defaults,x-systemd.before=zfs-import-cache.service 0 0
 rpool/ROOT/$CONTAINER/log /var/log zfs defaults,x-systemd.before=zfs-import-cache.service 0 0
 rpool/crashdump /var/crash zfs defaults,x-systemd.before=zfs-import-cache.service,x-systemd.before=kdump-tools.service 0 0
From 8be6a49f7f3c4ceffc97b32ab2bd8f99e318d4dc Mon Sep 17 00:00:00 2001
From: Sanjeev Rohila
Date: Sun, 13 Jul 2025 12:44:50 +0530
Subject: [PATCH 2/8] Incorporating nosuid changes
---
 live-build/config/hooks/vm-artifacts/90-raw-disk-image.binary | 2 +-
 upgrade/upgrade-scripts/upgrade-container | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/live-build/config/hooks/vm-artifacts/90-raw-disk-image.binary b/live-build/config/hooks/vm-artifacts/90-raw-disk-image.binary
index 568b26c0..e2529c91 100755
--- a/live-build/config/hooks/vm-artifacts/90-raw-disk-image.binary
+++ b/live-build/config/hooks/vm-artifacts/90-raw-disk-image.binary
@@ -314,7 +314,7 @@ rsync --info=stats3 -WaAX binary/* "$DIRECTORY/"
 # automatically whenever we boot into the crash kernel.
 #
 cat <<-EOF >"$DIRECTORY/etc/fstab"
- rpool/ROOT/$FSNAME/home /home zfs defaults,nodev,x-systemd.before=zfs-import-cache.service 0 0
+ rpool/ROOT/$FSNAME/home /home zfs defaults,nodev,nosuid,x-systemd.before=zfs-import-cache.service 0 0
 rpool/ROOT/$FSNAME/data /var/delphix zfs defaults,x-systemd.before=zfs-import-cache.service 0 0
 rpool/ROOT/$FSNAME/log /var/log zfs defaults,x-systemd.before=zfs-import-cache.service 0 0
 rpool/ROOT/$FSNAME/tmp /tmp zfs defaults,nosuid,nodev,exec,x-systemd.before=zfs-import-cache.service 0 0
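Review bot: The fstab written by `create_upgrade_container` in 1/8 now mounts the cloned home dataset at `/home`, but nothing visible in the hunk deals with references to the old location on an appliance that is being upgraded. Account records, sudoers entries or scripts that still name `/export/home/<user>` would stop resolving; patch 4/8 of this series still hard-codes `/export/home/delphix/.cache`, which suggests such references exist. Consider leaving a compatibility link in the new root, e.g. `ln -s /home "$DIRECTORY/export/home"`, or rewriting the home fields during upgrade, and add an upgrade test that logs in as a pre-existing user. The function begins above the hunk, so this may already be covered there.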
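Review bot: In 2/8 the `nodev,nosuid` restriction on `/home` exists only in the generated fstab line, so it applies only when the dataset is mounted through fstab; a direct `mount -t zfs` of the legacy dataset, as this script itself does earlier for the build, gets neither flag. Setting the dataset properties as well, `-o devices=off -o setuid=off` on the `zfs create` here and the `zfs clone` in upgrade-container, should make the restriction follow the dataset into clones; the mount helper normally derives defaults from these properties, which is worth confirming on the shipped OpenZFS version. The same applies to the upgrade-container hunk of this patch. An image test that checks `findmnt -no OPTIONS /home` after boot would confirm both flags are active.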
diff --git a/upgrade/upgrade-scripts/upgrade-container b/upgrade/upgrade-scripts/upgrade-container
index b1b06084..427f8f41 100755
--- a/upgrade/upgrade-scripts/upgrade-container
+++ b/upgrade/upgrade-scripts/upgrade-container
@@ -213,7 +213,7 @@ function create_upgrade_container() {
 # before the zfs-import service is run.
 #
 cat <<-EOF >"$DIRECTORY/etc/fstab"
- rpool/ROOT/$CONTAINER/home /home zfs defaults,nodev,x-systemd.before=zfs-import-cache.service 0 0
+ rpool/ROOT/$CONTAINER/home /home zfs defaults,nodev,nosuid,x-systemd.before=zfs-import-cache.service 0 0
 rpool/ROOT/$CONTAINER/data /var/delphix zfs defaults,x-systemd.before=zfs-import-cache.service 0 0
 rpool/ROOT/$CONTAINER/log /var/log zfs defaults,x-systemd.before=zfs-import-cache.service 0 0
 rpool/crashdump /var/crash zfs defaults,x-systemd.before=zfs-import-cache.service,x-systemd.before=kdump-tools.service 0 0
From e972b9ee9c65f534d8a4ba569e5d1533fc89425b Mon Sep 17 00:00:00 2001
From: Sanjeev Rohila
Date: Wed, 23 Jul 2025 15:15:01 +0530
Subject: [PATCH 3/8] This code was creating cache inside /export/home/delphx/.cache/pip/http-v2, disabling cache is the cleaner approach here
---
 bootstrap/roles/appliance-build.bootstrap/tasks/main.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/bootstrap/roles/appliance-build.bootstrap/tasks/main.yml b/bootstrap/roles/appliance-build.bootstrap/tasks/main.yml
index 579a8399..3b516d1e 100644
--- a/bootstrap/roles/appliance-build.bootstrap/tasks/main.yml
+++ b/bootstrap/roles/appliance-build.bootstrap/tasks/main.yml
@@ -87,6 +87,7 @@
 ansible.builtin.pip:
 name: awscli
 break_system_packages: true
+ extra_args: "--no-cache-dir"
 become: true
 - name: Load ZFS kernel module.
From 6a8248120001c10cf0985cb79f1270ef79e29c3e Mon Sep 17 00:00:00 2001
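Review bot: The `ansible.builtin.pip` task touched in 3/8 installs `awscli` as root with `break_system_packages: true` and no version constraint, so each build pulls whatever PyPI serves at that moment into the system Python. With the cache disabled there is no local copy either, which makes every build depend on a fresh download. Pin the release, e.g. `name: awscli==<pinned-version>`, or install from a requirements file with `--require-hashes`, so the image contents are reproducible and an unexpected upload is not picked up silently. The same task is changed in the minimal-internal hunks of 5/8 and 8/8; it begins above the hunk.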
From: Sanjeev Rohila
Date: Wed, 23 Jul 2025 21:40:24 +0530
Subject: [PATCH 4/8] This code was creating cache inside /export/home/delphx/.cache/pip/http-v2, disabling cache is the cleaner approach here- Change #2
---
 bootstrap/roles/appliance-build.bootstrap/tasks/main.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/bootstrap/roles/appliance-build.bootstrap/tasks/main.yml b/bootstrap/roles/appliance-build.bootstrap/tasks/main.yml
index 3b516d1e..08a810cd 100644
--- a/bootstrap/roles/appliance-build.bootstrap/tasks/main.yml
+++ b/bootstrap/roles/appliance-build.bootstrap/tasks/main.yml
@@ -88,6 +88,14 @@
 name: awscli
 break_system_packages: true
 extra_args: "--no-cache-dir"
+ environment:
+ PIP_NO_CACHE_DIR: "yes"
+ become: true
+
+- name: Remove pip cache directory
+ ansible.builtin.file:
+ path: "/export/home/delphix/.cache"
+ state: absent
 become: true
 - name: Load ZFS kernel module.
From 27d264e7b516bd84d2f2b52a1fd58276eeafde48 Mon Sep 17 00:00:00 2001
From: Sanjeev Rohila
Date: Thu, 24 Jul 2025 13:20:12 +0530
Subject: [PATCH 5/8] This code was creating cache inside /export/home/delphx/.cache/pip/http-v2, disabling cache is the cleaner approach here- Change #3
---
 bootstrap/roles/appliance-build.bootstrap/tasks/main.yml | 2 +-
 .../appliance-build.minimal-internal/tasks/main.yml | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/bootstrap/roles/appliance-build.bootstrap/tasks/main.yml b/bootstrap/roles/appliance-build.bootstrap/tasks/main.yml
index 08a810cd..e091f4c8 100644
--- a/bootstrap/roles/appliance-build.bootstrap/tasks/main.yml
+++ b/bootstrap/roles/appliance-build.bootstrap/tasks/main.yml
@@ -92,7 +92,7 @@
 PIP_NO_CACHE_DIR: "yes"
 become: true
-- name: Remove pip cache directory
+- name: Clean up pip cache directory
 ansible.builtin.file:
 path: "/export/home/delphix/.cache"
 state: absent
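Review bot: `extra_args: "--no-cache-dir"` and `PIP_NO_CACHE_DIR: "yes"` in the `environment` block added by 4/8 ask pip for the same thing, so one of them can go; the flag alone is enough, and the pair recurs in 5/8 and 8/8. The commit message says the cache appeared under the delphix home even though the task runs with `become: true`, which suggests HOME is carried across privilege escalation; if so, other root-run tools will also leave root-owned files in that user-writable directory, and setting HOME for the escalated task would address the cause rather than this one symptom. The added cleanup task hard-codes `/export/home/delphix/.cache` while 1/8 moves the image's home to `/home/delphix`, and it removes the whole `.cache` directory rather than `.cache/pip` (the task is dropped again in 6/8).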
diff --git a/live-build/misc/ansible-roles/appliance-build.minimal-internal/tasks/main.yml b/live-build/misc/ansible-roles/appliance-build.minimal-internal/tasks/main.yml
index 7025c0eb..ca9a5da1 100644
--- a/live-build/misc/ansible-roles/appliance-build.minimal-internal/tasks/main.yml
+++ b/live-build/misc/ansible-roles/appliance-build.minimal-internal/tasks/main.yml
@@ -34,6 +34,15 @@
 ansible.builtin.pip:
 name: awscli
 break_system_packages: true
+ extra_args: "--no-cache-dir"
+ environment:
+ PIP_NO_CACHE_DIR: "yes"
+ become: true
+
+- name: Clean up pip cache directory
+ ansible.builtin.file:
+ path: "/export/home/delphix/.cache"
+ state: absent
 become: true
 # Add /usr/local/bin to the PATH (awscli needs it)
From 5840934958896452ff212b999493bcfac8227ad0 Mon Sep 17 00:00:00 2001
From: Sanjeev Rohila
Date: Thu, 24 Jul 2025 18:34:33 +0530
Subject: [PATCH 6/8] Removing,'Clean up pip cache directory', since the 'Install awscli python package' woked in the removal of chache directorywith additional changes made.
---
 bootstrap/roles/appliance-build.bootstrap/tasks/main.yml | 6 ------
 .../appliance-build.minimal-internal/tasks/main.yml | 6 ------
 2 files changed, 12 deletions(-)
diff --git a/bootstrap/roles/appliance-build.bootstrap/tasks/main.yml b/bootstrap/roles/appliance-build.bootstrap/tasks/main.yml
index e091f4c8..60bc01f7 100644
--- a/bootstrap/roles/appliance-build.bootstrap/tasks/main.yml
+++ b/bootstrap/roles/appliance-build.bootstrap/tasks/main.yml
@@ -92,12 +92,6 @@
 PIP_NO_CACHE_DIR: "yes"
 become: true
-- name: Clean up pip cache directory
- ansible.builtin.file:
- path: "/export/home/delphix/.cache"
- state: absent
- become: true
-
 - name: Load ZFS kernel module.
 community.general.modprobe:
 name: zfs
diff --git a/live-build/misc/ansible-roles/appliance-build.minimal-internal/tasks/main.yml b/live-build/misc/ansible-roles/appliance-build.minimal-internal/tasks/main.yml
index ca9a5da1..ae9635e2 100644
--- a/live-build/misc/ansible-roles/appliance-build.minimal-internal/tasks/main.yml
+++ b/live-build/misc/ansible-roles/appliance-build.minimal-internal/tasks/main.yml
@@ -39,12 +39,6 @@
 PIP_NO_CACHE_DIR: "yes"
 become: true
-- name: Clean up pip cache directory
- ansible.builtin.file:
- path: "/export/home/delphix/.cache"
- state: absent
- become: true
-
 # Add /usr/local/bin to the PATH (awscli needs it)
 - name: Create s3-bin-path.sh under profile.d
 ansible.builtin.copy:
From 3a48d5da0052010900dea622ef20faf743c3a414 Mon Sep 17 00:00:00 2001
From: Sanjeev Rohila
Date: Mon, 1 Sep 2025 12:01:41 +0530
Subject: [PATCH 7/8] Removing the change for deleting cache related to awscli instllation by pip.
---
 bootstrap/roles/appliance-build.bootstrap/tasks/main.yml | 3 ---
 .../appliance-build.minimal-internal/tasks/main.yml | 3 ---
 2 files changed, 6 deletions(-)
diff --git a/bootstrap/roles/appliance-build.bootstrap/tasks/main.yml b/bootstrap/roles/appliance-build.bootstrap/tasks/main.yml
index 60bc01f7..579a8399 100644
--- a/bootstrap/roles/appliance-build.bootstrap/tasks/main.yml
+++ b/bootstrap/roles/appliance-build.bootstrap/tasks/main.yml
@@ -87,9 +87,6 @@
 ansible.builtin.pip:
 name: awscli
 break_system_packages: true
- extra_args: "--no-cache-dir"
- environment:
- PIP_NO_CACHE_DIR: "yes"
 become: true
 - name: Load ZFS kernel module.
diff --git a/live-build/misc/ansible-roles/appliance-build.minimal-internal/tasks/main.yml b/live-build/misc/ansible-roles/appliance-build.minimal-internal/tasks/main.yml
index ae9635e2..7025c0eb 100644
--- a/live-build/misc/ansible-roles/appliance-build.minimal-internal/tasks/main.yml
+++ b/live-build/misc/ansible-roles/appliance-build.minimal-internal/tasks/main.yml
@@ -34,9 +34,6 @@
 ansible.builtin.pip:
 name: awscli
 break_system_packages: true
- extra_args: "--no-cache-dir"
- environment:
- PIP_NO_CACHE_DIR: "yes"
 become: true
 # Add /usr/local/bin to the PATH (awscli needs it)
From 5d365f539edfdf6e33e607da78b2e36bbbb3aaa7 Mon Sep 17 00:00:00 2001
From: Sanjeev Rohila
Date: Tue, 7 Oct 2025 00:42:09 +0530
Subject: [PATCH 8/8] adding the no-cache for pip installation
---
 bootstrap/roles/appliance-build.bootstrap/tasks/main.yml | 3 +++
 .../appliance-build.minimal-internal/tasks/main.yml | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/bootstrap/roles/appliance-build.bootstrap/tasks/main.yml b/bootstrap/roles/appliance-build.bootstrap/tasks/main.yml
index 579a8399..60bc01f7 100644
--- a/bootstrap/roles/appliance-build.bootstrap/tasks/main.yml
+++ b/bootstrap/roles/appliance-build.bootstrap/tasks/main.yml
@@ -87,6 +87,9 @@
 ansible.builtin.pip:
 name: awscli
 break_system_packages: true
+ extra_args: "--no-cache-dir"
+ environment:
+ PIP_NO_CACHE_DIR: "yes"
 become: true
 - name: Load ZFS kernel module.
diff --git a/live-build/misc/ansible-roles/appliance-build.minimal-internal/tasks/main.yml b/live-build/misc/ansible-roles/appliance-build.minimal-internal/tasks/main.yml
index 7025c0eb..ae9635e2 100644
--- a/live-build/misc/ansible-roles/appliance-build.minimal-internal/tasks/main.yml
+++ b/live-build/misc/ansible-roles/appliance-build.minimal-internal/tasks/main.yml
@@ -34,6 +34,9 @@
 ansible.builtin.pip:
 name: awscli
 break_system_packages: true
+ extra_args: "--no-cache-dir"
+ environment:
+ PIP_NO_CACHE_DIR: "yes"
 become: true
 # Add /usr/local/bin to the PATH (awscli needs it)