From a0175f68c065a1b272b97dcac3f469cfdefb7b98 Mon Sep 17 00:00:00 2001
From: Prakash Surya
Date: Fri, 16 May 2025 12:26:29 -0700
Subject: [PATCH 1/2] nosuid change in appliance-build

PR URL: https://www.github.com/delphix/appliance-build/pull/820
---
 .../config/hooks/vm-artifacts/90-raw-disk-image.binary | 10 +++++-----
 .../appliance-build.masking-development/tasks/main.yml | 6 +++---
 .../appliance-build.minimal-common/tasks/main.yml | 6 +++---
 .../appliance-build.unittest-internal/tasks/main.yml | 4 ++--
 .../tasks/main.yml | 6 +++---
 .../tasks/main.yml | 10 +++++-----
 upgrade/FAQ.md | 2 +-
 upgrade/upgrade-scripts/upgrade-container | 4 ++--
 8 files changed, 24 insertions(+), 24 deletions(-)

diff --git a/live-build/config/hooks/vm-artifacts/90-raw-disk-image.binary b/live-build/config/hooks/vm-artifacts/90-raw-disk-image.binary
index 6cc96f6f..159235ff 100755
--- a/live-build/config/hooks/vm-artifacts/90-raw-disk-image.binary
+++ b/live-build/config/hooks/vm-artifacts/90-raw-disk-image.binary
@@ -1,6 +1,6 @@
 #!/bin/bash -ex
 #
-# Copyright 2018 Delphix
+# Copyright 2018, 2025 Delphix
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -274,8 +274,8 @@ zfs create \
 # contents. During normal boot up, we'll rely on "/etc/fstab" to handle
 # these mounts.
 #
-mkdir -p "$DIRECTORY/export/home"
-mount -t zfs "$FSNAME/ROOT/$FSNAME/home" "$DIRECTORY/export/home"
+mkdir -p "$DIRECTORY/home"
+mount -t zfs "$FSNAME/ROOT/$FSNAME/home" "$DIRECTORY/home"
 mkdir -p "$DIRECTORY/var/delphix"
 mount -t zfs "$FSNAME/ROOT/$FSNAME/data" "$DIRECTORY/var/delphix"
@@ -314,7 +314,7 @@ rsync --info=stats3 -WaAX binary/* "$DIRECTORY/"
 # automatically whenever we boot into the crash kernel.
 #
 cat <<-EOF >"$DIRECTORY/etc/fstab"
-	rpool/ROOT/$FSNAME/home /export/home zfs defaults,x-systemd.before=zfs-import-cache.service 0 0
+	rpool/ROOT/$FSNAME/home /home zfs defaults,nodev,nosuid,x-systemd.before=zfs-import-cache.service 0 0
 	rpool/ROOT/$FSNAME/data /var/delphix zfs defaults,x-systemd.before=zfs-import-cache.service 0 0
 	rpool/ROOT/$FSNAME/log /var/log zfs defaults,x-systemd.before=zfs-import-cache.service 0 0
 	rpool/ROOT/$FSNAME/tmp /tmp zfs defaults,nosuid,nodev,exec,x-systemd.before=zfs-import-cache.service 0 0
@@ -392,7 +392,7 @@ done
 umount "$DIRECTORY/var/log"
 umount "$DIRECTORY/var/delphix"
-umount "$DIRECTORY/export/home"
+umount "$DIRECTORY/home"
 umount "$DIRECTORY/tmp"
 umount "$DIRECTORY/var/tmp"
 umount "/var/crash"
diff --git a/live-build/misc/ansible-roles/appliance-build.masking-development/tasks/main.yml b/live-build/misc/ansible-roles/appliance-build.masking-development/tasks/main.yml
index 9fde6f6d..b3a9e4bd 100644
--- a/live-build/misc/ansible-roles/appliance-build.masking-development/tasks/main.yml
+++ b/live-build/misc/ansible-roles/appliance-build.masking-development/tasks/main.yml
@@ -1,5 +1,5 @@
 #
-# Copyright 2018 Delphix
+# Copyright 2018, 2025 Delphix
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -26,14 +26,14 @@
 - git:
     repo: "https://{{ lookup('env', 'GITHUB_TOKEN') }}@github.com/delphix/dms-core-gate.git"
     dest:
-      "/export/home/delphix/dms-core-gate"
+      "/home/delphix/dms-core-gate"
     version: "develop"
     accept_hostkey: yes
     update: no
   when: lookup('env', 'GITHUB_TOKEN') != ''

 - file:
-    path: "/export/home/delphix/{{ item }}"
+    path: "/home/delphix/{{ item }}"
     owner: delphix
     group: staff
     mode: "g+w"
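Review bot: The checkout that now lands in `/home/delphix/dms-core-gate` is cloned from a `repo:` URL that embeds `GITHUB_TOKEN`, so the token presumably ends up as the origin URL in that checkout's `.git/config` inside the built image unless a later step rewrites the remote, which this hunk does not do; the same pattern is in the dlpx-app-gate hunk of appliance-build.virtualization-development and the zfs hunk of appliance-build.zfsonlinux-development. The task also carries no `no_log: true`, unlike the password task visible in appliance-build.minimal-common, so a failed clone can print the token into the build log. A minimal fix is to add `no_log: true` next to `when:` on each of these git tasks and follow each with a task that strips the credential, e.g. `command: git -C /home/delphix/dms-core-gate remote set-url origin https://github.com/delphix/dms-core-gate.git`.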
diff --git a/live-build/misc/ansible-roles/appliance-build.minimal-common/tasks/main.yml b/live-build/misc/ansible-roles/appliance-build.minimal-common/tasks/main.yml
index d95545e6..3f99b3b9 100644
--- a/live-build/misc/ansible-roles/appliance-build.minimal-common/tasks/main.yml
+++ b/live-build/misc/ansible-roles/appliance-build.minimal-common/tasks/main.yml
@@ -1,5 +1,5 @@
 #
-# Copyright 2018 Delphix
+# Copyright 2018, 2025 Delphix
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -26,7 +26,7 @@
     no_log: true

 - file:
-    path: /export/home
+    path: /home
     state: directory
     mode: 0755

@@ -39,7 +39,7 @@
     shell: /bin/bash
     create_home: yes
     comment: Delphix User
-    home: /export/home/delphix
+    home: /home/delphix
     password: "{{ lookup('env', 'APPLIANCE_PASSWORD') | password_hash('sha512') }}"
diff --git a/live-build/misc/ansible-roles/appliance-build.unittest-internal/tasks/main.yml b/live-build/misc/ansible-roles/appliance-build.unittest-internal/tasks/main.yml
index 83357b66..9cb31132 100644
--- a/live-build/misc/ansible-roles/appliance-build.unittest-internal/tasks/main.yml
+++ b/live-build/misc/ansible-roles/appliance-build.unittest-internal/tasks/main.yml
@@ -1,5 +1,5 @@
 #
-# Copyright 2019 Delphix
+# Copyright 2019, 2025 Delphix
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -88,7 +88,7 @@
 - user:
     name: testrunner
     comment: "Delphix"
-    home: /export/home/testrunner
+    home: /home/testrunner
     groups: docker
     password: "$6$pWQE0MPZWgue7fNC$8RvR0u04Mt67792b.x4ao0G2Z/H/hrYPWezOqCkz59MIA\
diff --git a/live-build/misc/ansible-roles/appliance-build.virtualization-development/tasks/main.yml b/live-build/misc/ansible-roles/appliance-build.virtualization-development/tasks/main.yml
index 862376f6..4f5b7a4e 100644
--- a/live-build/misc/ansible-roles/appliance-build.virtualization-development/tasks/main.yml
+++ b/live-build/misc/ansible-roles/appliance-build.virtualization-development/tasks/main.yml
@@ -1,5 +1,5 @@
 #
-# Copyright 2018 Delphix
+# Copyright 2018, 2025 Delphix
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -73,14 +73,14 @@
 - git:
     repo: "https://{{ lookup('env', 'GITHUB_TOKEN') }}@github.com/delphix/dlpx-app-gate.git"
-    dest: "/export/home/delphix/dlpx-app-gate"
+    dest: "/home/delphix/dlpx-app-gate"
     version: "develop"
     accept_hostkey: yes
     update: no
   when: lookup('env', 'GITHUB_TOKEN') != ''

 - file:
-    path: "/export/home/delphix/{{ item }}"
+    path: "/home/delphix/{{ item }}"
     owner: delphix
     group: staff
     mode: "g+w"
diff --git a/live-build/misc/ansible-roles/appliance-build.zfsonlinux-development/tasks/main.yml b/live-build/misc/ansible-roles/appliance-build.zfsonlinux-development/tasks/main.yml
index 7df32cf3..063c2eb2 100644
--- a/live-build/misc/ansible-roles/appliance-build.zfsonlinux-development/tasks/main.yml
+++ b/live-build/misc/ansible-roles/appliance-build.zfsonlinux-development/tasks/main.yml
@@ -1,5 +1,5 @@
 #
-# Copyright 2018 Delphix
+# Copyright 2018, 2025 Delphix
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -67,26 +67,26 @@
 - git:
     repo: "https://{{ lookup('env', 'GITHUB_TOKEN') }}@github.com/delphix/zfs.git"
     dest:
-      "/export/home/delphix/zfs"
+      "/home/delphix/zfs"
     version: develop
     accept_hostkey: yes
     update: no
   when: lookup('env', 'GITHUB_TOKEN') != ''

 - file:
-    path: "/export/home/delphix/zfs"
+    path: "/home/delphix/zfs"
     owner: delphix
     group: staff
     state: directory
     recurse: yes

 - file:
-    path: "/export/home/delphix/.cargo/"
+    path: "/home/delphix/.cargo/"
     state: directory
     owner: delphix
     group: staff

 - copy:
-    dest: "/export/home/delphix/.cargo/config.toml"
+    dest: "/home/delphix/.cargo/config.toml"
     content: |
       [target.x86_64-unknown-linux-gnu]
       rustflags = ["-C", "link-arg=-B/usr/libexec/mold"]
diff --git a/upgrade/FAQ.md b/upgrade/FAQ.md
index 4b4ff44e..08f7e442 100644
--- a/upgrade/FAQ.md
+++ b/upgrade/FAQ.md
@@ -89,7 +89,7 @@ resemble the following:
 A "rootfs container" is a collection of ZFS datasets that can be used as
 the "root filesytsem" of the appliance. This includes a dataset for "/"
-of the appliance, but also seperate datasets for "/export/home" and
+of the appliance, but also seperate datasets for "/home" and
 "/var/delphix". Here's an example of the datasets for a rootfs container:
diff --git a/upgrade/upgrade-scripts/upgrade-container b/upgrade/upgrade-scripts/upgrade-container
index 4bc6baa2..427f8f41 100755
--- a/upgrade/upgrade-scripts/upgrade-container
+++ b/upgrade/upgrade-scripts/upgrade-container
@@ -177,7 +177,7 @@ function create_upgrade_container() {
 		-o mountpoint=legacy \
 		"$ROOTFS_DATASET/home@$SNAPSHOT_NAME" \
 		"rpool/ROOT/$CONTAINER/home" ||
-		die "failed to create upgrade /export/home clone"
+		die "failed to create upgrade /home clone"

 	zfs clone \
 		-o mountpoint=legacy \
@@ -213,7 +213,7 @@ function create_upgrade_container() {
 	# before the zfs-import service is run.
 	#
 	cat <<-EOF >"$DIRECTORY/etc/fstab"
-	rpool/ROOT/$CONTAINER/home /export/home zfs defaults,x-systemd.before=zfs-import-cache.service 0 0
+	rpool/ROOT/$CONTAINER/home /home zfs defaults,nodev,nosuid,x-systemd.before=zfs-import-cache.service 0 0
 	rpool/ROOT/$CONTAINER/data /var/delphix zfs defaults,x-systemd.before=zfs-import-cache.service 0 0
 	rpool/ROOT/$CONTAINER/log /var/log zfs defaults,x-systemd.before=zfs-import-cache.service 0 0
 	rpool/crashdump /var/crash zfs defaults,x-systemd.before=zfs-import-cache.service,x-systemd.before=kdump-tools.service 0 0

From 234b374ae80f4a9a28945170d6a0008432c631e2 Mon Sep 17 00:00:00 2001
From: Sanjeev Rohila
Date: Wed, 20 Aug 2025 22:59:07 +0530
Subject: [PATCH 2/2] security Issues fix

---
 .../hooks/vm-artifacts/90-raw-disk-image.binary | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/live-build/config/hooks/vm-artifacts/90-raw-disk-image.binary b/live-build/config/hooks/vm-artifacts/90-raw-disk-image.binary
index 159235ff..4db857c2 100755
--- a/live-build/config/hooks/vm-artifacts/90-raw-disk-image.binary
+++ b/live-build/config/hooks/vm-artifacts/90-raw-disk-image.binary
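Review bot: The fstab written into the cloned root here now mounts the home dataset at `/home`, but that root is cloned from an appliance whose accounts were created against `/export/home` (the old path this series renames everywhere), and nothing in this hunk rewrites those `/etc/passwd` home directories or leaves a `/export/home -> /home` symlink, so accounts from the old layout may resolve to a path that no longer has the dataset behind it after the upgrade — worth confirming that another upgrade step handles this. The `nodev,nosuid` options match the build-time fstab in 90-raw-disk-image.binary, and since the two heredocs must stay identical a pointer above this one would help, e.g. `# Keep the mount options in sync with live-build/config/hooks/vm-artifacts/90-raw-disk-image.binary`. create_upgrade_container() starts before this hunk.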
@@ -354,7 +354,16 @@ chroot "$DIRECTORY" mount /dev/mapper/${LOOPNAME}p2 $EFI_DIR
 # Copy the latest kernel into EFI boot directory
 chroot "$DIRECTORY" cp /boot/initrd.img $EFI_DIR
 chroot "$DIRECTORY" cp /boot/vmlinuz $EFI_DIR
-chroot "$DIRECTORY" bootctl --esp-path=$EFI_DIR install --no-variables
+
+# Actual
+# chroot "$DIRECTORY" bootctl --esp-path=$EFI_DIR install --no-variables
+
+# Alternative 1
+#chroot "$DIRECTORY" bootctl --esp-path=$EFI_DIR --no-variables --graceful install 2>/dev/null || true
+
+# Alternative - Going with this.
+chroot "$DIRECTORY" mkdir -p $EFI_DIR/EFI/BOOT $EFI_DIR/loader/entries
+chroot "$DIRECTORY" cp /usr/lib/systemd/boot/efi/systemd-bootx64.efi $EFI_DIR/EFI/BOOT/BOOTX64.EFI

 # Use GRUB_CMDLINE_LINUX_DEFAULT boot options
 source $DIRECTORY/etc/default/grub.d/override.cfg
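Review bot: The two commented-out `bootctl` invocations under `# Actual` and `# Alternative 1` are dead code, and neither the surviving comments nor the subject line `security Issues fix` say why `bootctl install` was dropped; replace the three comment blocks with a single comment stating the reason, e.g. `# Install systemd-boot as the removable-media fallback loader (EFI/BOOT/BOOTX64.EFI) by copying the binary directly rather than running bootctl install, because <REASON: fill in>`. Copying the binary is not a full equivalent of `bootctl install` — as far as I recall that command also places a copy under `EFI/systemd/`, writes a default `loader/loader.conf`, and verifies that the target is a real ESP before touching it — so if any later step relies on those artifacts the manual copy needs to produce them; the hunk creates `loader/entries` but populates nothing there, presumably done further down. Because the script runs with `-e` (see `#!/bin/bash -ex` in the first patch), a missing `/usr/lib/systemd/boot/efi/systemd-bootx64.efi` aborts the build, which is the right outcome, whereas the discarded `2>/dev/null || true` variant would have silently produced an unbootable image — a one-line comment saying so would stop it being resurrected.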