Merge branch 'develop' into dlpx/pr/dbshah12/acdec8ee-f597-451f-bf30-f6ad642718ee

dbshah12 · web-flow · commit 39cd94780569 · 2024-01-29T15:43:58.000+05:30
diff --git a/files/common/lib/systemd/system/zfs-import-cache.service.d/override.conf b/files/common/lib/systemd/system/zfs-import-cache.service.d/override.conf
@@ -0,0 +1,11 @@
+#
+# During upgrade verification, the root filesystem will be booted as a
+# container using systemd-nspawn. We don't "sandbox" the container, so
+# when zfs-import-cache.service runs, it could potentially try to import
+# a pool, which is not desired.
+#
+# To prevent this behavior, we explicitly disable this service from
+# running when inside of the container.
+#
+[Unit]
+ConditionVirtualization=!container
diff --git a/files/common/lib/systemd/system/zfs-import-scan.service.d/override.conf b/files/common/lib/systemd/system/zfs-import-scan.service.d/override.conf
@@ -0,0 +1,11 @@
+#
+# During upgrade verification, the root filesystem will be booted as a
+# container using systemd-nspawn. We don't "sandbox" the container, so
+# when zfs-import-scan.service runs, it could potentially try to import
+# a pool, which is not desired.
+#
+# To prevent this behavior, we explicitly disable this service from
+# running when inside of the container.
+#
+[Unit]
+ConditionVirtualization=!container
diff --git a/files/common/lib/systemd/system/zfs-mount.service.d/override.conf b/files/common/lib/systemd/system/zfs-mount.service.d/override.conf
@@ -0,0 +1,13 @@
+#
+# During upgrade verification, the root filesystem will be booted as a
+# container using systemd-nspawn. We don't "sandbox" the container, so
+# when zfs-mount.service runs, it'll automatically mount all "domain0"
+# mountpoints (or "dcenter" mountpoints for our DCenter systems). These
+# mounts in the container can then impact software running outside of
+# the container; e.g. "zfs destroy" can fail with EBUSY.
+#
+# Thus, to workaround this problem, we explicitly disable this service
+# from running when inside of the container.
+#
+[Unit]
+ConditionVirtualization=!container
diff --git a/files/common/lib/systemd/system/zfs-share.service.d/override.conf b/files/common/lib/systemd/system/zfs-share.service.d/override.conf
@@ -0,0 +1,13 @@
+#
+# During upgrade verification, the root filesystem will be booted as a
+# container using systemd-nspawn. We don't "sandbox" the container, so
+# when zfs-share.service runs, it'll automatically mount all "domain0"
+# mountpoints (or "dcenter" mountpoints for our DCenter systems). These
+# mounts in the container can then impact software running outside of
+# the container; e.g. "zfs destroy" can fail with EBUSY.
+#
+# Thus, to workaround this problem, we explicitly disable this service
+# from running when inside of the container.
+#
+[Unit]
+ConditionVirtualization=!container
diff --git a/files/common/var/lib/delphix-platform/ansible/10-delphix-platform/roles/delphix-platform/tasks/main.yml b/files/common/var/lib/delphix-platform/ansible/10-delphix-platform/roles/delphix-platform/tasks/main.yml
@@ -246,6 +246,8 @@
     - { key: "AllowStreamLocalForwarding", value: "no" }
     - { key: "AllowTcpForwarding", value: "no" }
     - { key: "X11Forwarding", value: "no" }
+    - { key: "HostKeyAlgorithms", value: "-ssh-rsa*" }
+  notify: "sshd config changed"
 
 #
 # The CRA project mandated a 30 minute timeout for any idle connections.
@@ -300,12 +302,18 @@
     #
     - variant is regex("external-.*")
 #
-# Harden the appliance by disabling SFTP.
+# Harden the appliance by disabling SFTP on external variants.
 #
 - replace:
     path: /etc/ssh/sshd_config
     regexp: '^(Subsystem.*sftp.*)'
     replace: '#\1'
+  when:
+    #
+    # Disable sftp on external variants and leave it enabled on internal
+    # variants for developer convenience and to facilitate test automation.
+    #
+    - variant is regex("external-.*")
 
 #
 # Ssh leads to the CLI, not bash, so let's remove all the linuxy shell goodies,
@@ -321,6 +329,15 @@
     regexp: '^(session[\s]+optional[\s]+pam_motd\.so.*)$'
     replace: '#\1'
 
+#
+# Restrict su access to users that are part of the root group (gid 0).
+# On a Delphix engine, this is restricted to the delphix user.
+#
+- replace:
+    dest: /etc/pam.d/su
+    regexp: '^#?[\s]*(auth[\s]+required[\s]+pam_wheel\.so.*)$'
+    replace: '\1'
+
 #
 # Prevent sshd from offering weak message authentication codes to clients.
 #
@@ -681,3 +698,19 @@
   when:
     - variant == "internal-buildserver"
     - not ansible_is_chroot
+
+- name: Add systemctl bash completion
+  copy:
+    dest: "/etc/bash_completion.d/systemctl"
+    content: |
+      if [[ -r /usr/share/bash-completion/completions/systemctl ]]; then
+        . /usr/share/bash-completion/completions/systemctl && complete -F _systemctl systemctl
+      fi
+
+- name: Source bash completion
+  blockinfile:
+    dest: "/export/home/delphix/.bashrc"
+    block: |
+      . /etc/bash_completion.d/systemctl
+      . /etc/bash_completion.d/zfs
+      PATH=$PATH:/opt/delphix/server/bin
