DLPX-86523 CIS: /home filesystem and mount options

[justsanjeev]

Problem

CIS is looking or a single home directory filesystem mounted at the /home location, currently we have the home dataset is mounted on /export/home

Due to that we see the below issues in the CIS Report

• (1.45) 7402 Status of the '/home' partition in the '/etc/fstab' file
• (1.46) 13248 Status of Mount Partition '/home' using mount command
• (1.47) 7403 Status of the 'nodev' mount option setting for the '/home partition' defined in the '/etc/ fstab' file
• (1.48) 14601 Status of the 'nodev' option for '/home' partition using 'mount' command

Solution

Mounting the home dataset to `/home`.

• Upgrade scripts are modified to mount the data set to a new mount path.
• Ansible scripts modified for new home mount path.

Testing Done

Build: git ab-pre-push : appliance-build-orchestrator-pre-push/12448/ - ✅

With current Build's AMI [ami-04ca90fb823528076], A fresh engine is created successfully, https://cis-dev.dlpxdc.co/ - 🟢

Scan Results:

• (1.45) 7402 Status of the '/home' partition in the '/etc/fstab' file - ✅ - Page 33 in attached report

• (1.46) 13248 Status of Mount Partition '/home' using mount command - ✅ - Page 33 in attached report

• (1.47) 7403 Status of the 'nodev' mount option setting for the '/home partition' defined in the '/etc/ fstab' file - ✅ Page 34 in attached report

• (1.48) 14601 Status of the 'nodev' option for '/home' partition using 'mount' command - ✅ - Page 34 in attached report

Additionally we had to make changes to below repos to support this change

• delphix-platform -> delphix-platform
• dlpx-app-gate -> dlpx-app-gate

Scan Reports before & after Change

• Scan Report After Change

• The report before this change (The initial report (before our change) is also present in : https://perforce.atlassian.net/browse/CP-9773)

Clarification

• The dx-integration-test failed , since the pre_chckin was failed, the pre-checkin requires a minor fin in qa-infra
• After above said fix , the pre-checkin : pre-checkin - 🟢
• Additional Upgrade : We a rebuild to validate upgrade and the upgrade was successful in the re verification as well. blackbox-chained/8284/ - 🟢

Additional Details:

Earlier review session I was suggested to remove lines

• https://github.com/delphix/appliance-build/pull/756/files#diff-19dc47250a3e0892ef8e82e6a276b6c88a62b1dade2ee06e8f257109e72fe3d7R90-R92
• https://github.com/delphix/appliance-build/pull/756/files#diff-203852fe3ced2c760ad56ce84f1c641d4c7883ee4525ccf406798f32605d505cR37-R39 .

After removing these lines, we began seeing failures during first boot on a fresh engine: split-precommit-dxostest-sr001.dlpxdc.co ( Engine from previous build)

2025-10-09T14:50:50.506928+00:00 ip-10-110-207-64 export-home[6830]: /home is mounted. Proceeding with /export/home cleanup.
2025-10-09T14:50:50.507320+00:00 ip-10-110-207-64 export-home[6830]: /export/home exists. Attempting to remove it...
2025-10-09T14:50:50.511575+00:00 ip-10-110-207-64 export-home[6830]: /export/home is not empty. Please clean it manually before running this script.
2025-10-09T14:50:50.518441+00:00 ip-10-110-207-64 systemd[1]: delphix-platform.service: Main process exited, code=exited, status=1/FAILURE

Although /export/home is not mounted, the directory exists because of how the Linux build server is configured — its default home directory is /export/home. During the build process(appliance-build), AWS CLI creates cache files under /export/home/delphix/.cache, making the directory non-empty. This causes the cleanup logic to fail.

Example from the engine:

delphix@ip-10-110-228-175:/var/log$ mount | grep home
rpool/ROOT/delphix.2swC2jH/home on /home type zfs (rw,nosuid,nodev,relatime,xattr,noacl,casesensitive,x-systemd.before=zfs-import-cache.service)
delphix@ip-10-110-228-175:/var/log$ 

delphix@ip-10-110-228-175:/var/log$ ls -ltr /export/
total 2
drwxr-xr-x 3 root root 3 Oct  6 08:26 home
delphix@ip-10-110-228-175:/var/log$ 

delphix@ip-10-110-228-175:/var/log$ ls -la /export/home/delphix/
total 5
drwxr-xr-x 3 root root 3 Oct  6 08:26 .
drwxr-xr-x 3 root root 3 Oct  6 08:26 ..
drwxr-xr-x 3 root root 3 Oct  6 08:26 .cache
delphix@ip-10-110-228-175:/var/log$ 

Because /export/home is not empty, the script exits with failure and causes the delphix-platform.service to stop.

[sebroy]

I think this one is unnecessary, as the bootstrap ansible role doesn't run in the chroot. It's only run on the build server before the build starts.

[sebroy]

Let's add a comment here explaining why pip caching is bad at this stage of the build (because whatever files pip caches will end up in our production images, and we don't want that).