DLPX-94085 LTS 24.04: update delphix-platform for Ubuntu 24.04 appliance

PR URL: https://www.github.com/delphix/delphix-platform/pull/527

Author: palash-gandhi

.github/workflows/main.yml

@@ -7,6 +7,7 @@ jobs:
       - uses: actions/checkout@v2
       - run: docker build -t delphix-platform:latest docker
       - run: ./scripts/docker-run.sh make packages
+
   check-shellcheck:
     runs-on: ubuntu-latest
     steps:
@@ -17,31 +18,26 @@ jobs:
     steps:
       - uses: actions/checkout@v2
       - uses: delphix/actions/shfmt@master
+
   check-pylint:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
-      - uses: actions/setup-python@v1
-        with:
-          python-version: '3.8'
+      - uses: actions/setup-python@v5
       - run: python3 -m pip install pylint
       - run: python3 -m pip install netifaces
       - run: pylint -d invalid-name,E0611 files/common/usr/bin/delphix-startup-screen
   check-yapf:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
-      - uses: actions/setup-python@v1
-        with:
-          python-version: '3.8'
+      - uses: actions/setup-python@v5
       - run: python3 -m pip install yapf
       - run: yapf --diff --style google files/common/usr/bin/delphix-startup-screen
   check-mypy:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
-      - uses: actions/setup-python@v1
-        with:
-          python-version: '3.8'
+      - uses: actions/setup-python@v5
       - run: python3 -m pip install mypy
       - run: mypy --ignore-missing-imports files/common/usr/bin/delphix-startup-screen

debian/postinst

@@ -52,13 +52,23 @@ configure)
 	#
 	systemctl disable nullmailer.service
 
+	systemctl unmask auditd.service
 	systemctl enable auditd.service
-	systemctl enable delphix.target
-	systemctl enable delphix-platform.service
-	systemctl enable delphix-rpool-upgrade.service
+
+	systemctl unmask systemd-networkd.service
 	systemctl enable systemd-networkd.service
+
+	systemctl unmask iscsi-name-init.service
 	systemctl enable iscsi-name-init.service
 
+	systemctl unmask delphix-platform.service
+	systemctl unmask delphix-rpool-upgrade.service
+	systemctl unmask delphix.target
+
+	systemctl enable delphix-platform.service
+	systemctl enable delphix-rpool-upgrade.service
+	systemctl enable delphix.target
+
 	if ! id -u postgres >/dev/null; then
 		# When installing postgres, a postgres user is created unless it
 		# already exists. To have a consistent UID accross installations
@@ -70,6 +80,8 @@ configure)
 		# postgres UID. Note that we put this code here instead of the
 		# delphix-platform service as we need it to be executed before
 		# the postgres package gets installed.
+		sed -i 's/^UID_MAX.*/UID_MAX 65437/g' /etc/login.defs
+		sed -i 's/^GID_MAX.*/GID_MAX 65437/g' /etc/login.defs
 		addgroup postgres --gid 65437
 		adduser --home /var/lib/postgresql --no-create-home \
 			--shell /bin/bash --ingroup postgres \

debian/rules

@@ -1,6 +1,6 @@
 #!/usr/bin/make -f
 #
-# Copyright 2018, 2024 Delphix
+# Copyright 2018, 2025 Delphix
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -41,6 +41,7 @@ DEPENDS = delphix-kernel-$(KERNEL_TYPE.$(TARGET_PLATFORM)),
 # that are leveraging ZFS as their root filesystem.
 #
 DEPENDS += grub-pc, \
+	   grub-efi-amd64-bin, \
 	   delphix-zfs,
 
 #
@@ -59,6 +60,9 @@ DEPENDS += ansible, \
 	   debootstrap, \
 	   debsums, \
 	   dmidecode, \
+	   dosfstools, \
+	   efibootmgr, \
+	   efitools, \
 	   init, \
 	   iproute2, \
 	   iputils-ping, \
@@ -72,19 +76,22 @@ DEPENDS += ansible, \
 	   net-tools, \
 	   netbase, \
 	   netplan.io, \
-	   ntp, \
-		 nullmailer, \
+	   ntpsec, \
+	   nullmailer, \
 	   open-iscsi, \
 	   openssh-server, \
 	   openssl, \
 	   passwd, \
 	   policykit-1, \
 	   procps, \
 	   python3, \
+	   python3-netifaces, \
 	   rng-tools, \
 	   rsyslog, \
 	   sudo, \
+	   systemd-boot, \
 	   systemd-container, \
+	   systemd-resolved, \
 	   tzdata, \
 	   udev,
 
@@ -110,47 +117,27 @@ DEPENDS += $(DEPENDS.$(TARGET_PLATFORM))
 #
 DEPENDS += delphix-build-info,
 
-#
-# The usrmerge package modifies the layout of directories under root (/) upon
-# installation, to ensure that a Delphix Engine upgraded to Ubuntu 20.04 has
-# the same directory layout as a Delphix Engine that initially came on
-# Ubuntu 20.04 (or later).
-#
-DEPENDS += usrmerge,
-
-#
-# These packages help strengthen the security of the appliance by identifying
-# and preventing undesired behaviors.
-#
-DEPENDS += aide, \
-	   aide-common,
-
 #
 # These packages are tools that are intended for human convenience. The
 # product should not rely on them programmatically. They may be updated
 # or replaced without regard for backward compatibility.
 #
 DEPENDS += aptitude, \
-	   awscli, \
-	   bcc-tools, \
+	   bcc, \
 	   bpftrace, \
 	   crash-python, \
 	   delphix-rust, \
 	   dnsutils, \
 	   drgn, \
-	   dstat, \
-	   emacs-nox, \
 	   ethtool, \
 	   gdb, \
-	   gdb-python, \
 	   htop, \
 	   iftop, \
 	   inotify-tools, \
 	   iotop, \
 	   jq, \
 	   kdump-tools, \
 	   ldap-utils, \
-	   libkdumpfile, \
 	   linux-tools-common, \
 	   lsof, \
 	   man-db, \
@@ -229,4 +216,3 @@ override_dh_auto_test:
 	# testing via another mechanism, so running it during package
 	# builds is unnecessary.
 	#
-

files/azure/etc/ssh/sshd_config.d/0-delphix-azure.conf

@@ -0,0 +1,10 @@
+#
+# The 'ClientAliveInterval' setting determines the amount of time (in seconds)
+# the sshd server will wait to receive data from the client before sending a
+# request for response.
+#
+# The Azure marketplace does not allow a value greater than 3 minutes. So, when
+# running on Azure, we use 3 minutes.
+#
+ClientAliveCountMax 0
+ClientAliveInterval 180

files/common/etc/ssh/sshd_config.d/9-delphix.conf

@@ -0,0 +1,35 @@
+#
+# Configure SSH to allow PAM "conversations" (interactions with the user).
+#
+ChallengeResponseAuthentication yes
+KbdInteractiveAuthentication yes
+UsePam yes
+
+#
+# Harden the appliance by disabling ssh-agent(1), tcp, UNIX domain, and X11
+# forwarding. Note that this doesn't improve security unless users are also
+# denied shell access.
+#
+AllowAgentForwarding no
+AllowStreamLocalForwarding no
+AllowTcpForwarding no
+X11Forwarding no
+
+Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
+MACs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512
+HostKeyAlgorithms -ssh-rsa*
+
+#
+# The 'ClientAliveInterval' setting determines the amount of time (in seconds)
+# the sshd server will wait to receive data from the client before sending a
+# request for response.
+#
+ClientAliveCountMax 3
+ClientAliveInterval 300
+
+LoginGraceTime 60
+MaxAuthTries 4
+MaxStartups 10:30:60
+PermitRootLogin no
+PrintLastLog no

files/common/lib/modprobe.d/10-lockd.conf

@@ -27,7 +27,7 @@
   when: ansible_virtualization_type != "systemd-nspawn" and not ansible_is_chroot
 
 - systemd:
-    name: sshd
+    name: ssh
     state: reloaded
   listen: "sshd config changed"
   when: ansible_virtualization_type != "systemd-nspawn" and not ansible_is_chroot

files/common/var/lib/delphix-platform/ansible/10-delphix-platform/roles/delphix-platform/handlers/main.yaml

@@ -232,56 +232,6 @@
     - 'delphix'
     - 'root'
 
-#
-# The 'ClientAliveInterval' setting determines the amount of time
-# (in seconds) the sshd server will wait to receive data from the
-# client before sending a request for response.
-#
-- set_fact:
-    ssh_client_alive_interval: "300"
-    ssh_client_alive_count_max: "3"
-
-#
-# With that said (see comment above), the Azure marketplace does not
-# allow a value greater than 3 minutes. So, when running on Azure, we
-# use 3 minutes.
-#
-- set_fact:
-    ssh_client_alive_interval: "180"
-    ssh_client_alive_count_max: "0"
-  when:
-    - platform == "azure"
-
-- lineinfile:
-    path: /etc/ssh/sshd_config
-    regexp: "^#?{{ item.key }} "
-    line: "{{ item.key }} {{ item.value }}"
-  with_items:
-    #
-    # Configure SSH to allow PAM "conversations" (interactions with the user).
-    #
-    - { key: "ChallengeResponseAuthentication", value: "yes" }
-    #
-    # Harden the appliance by disabling ssh-agent(1), tcp, UNIX domain, and
-    # X11 forwarding. Note that this doesn't improve security unless users are
-    # also denied shell access.
-    #
-    - { key: "AllowAgentForwarding", value: "no" }
-    - { key: "AllowStreamLocalForwarding", value: "no" }
-    - { key: "AllowTcpForwarding", value: "no" }
-    - { key: "Ciphers", value: "chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com" }
-    - { key: "ClientAliveCountMax", value: "{{ ssh_client_alive_count_max }}" }
-    - { key: "ClientAliveInterval", value: "{{ ssh_client_alive_interval }}" }
-    - { key: "HostKeyAlgorithms", value: "-ssh-rsa*" }
-    - { key: "KexAlgorithms", value: "curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256"}
-    - { key: "LoginGraceTime", value: "60"}
-    - { key: "MACs", value: "umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512"}
-    - { key: "MaxAuthTries", value: "4" }
-    - { key: "MaxStartups", value: "10:30:60"}
-    - { key: "PermitRootLogin", value: "no" }
-    - { key: "X11Forwarding", value: "no" }
-  notify: "sshd config changed"
-
 - blockinfile:
     path: /etc/profile
     insertafter: EOF
@@ -318,10 +268,6 @@
 # like last-login, "welcome to ubuntu", and help messages. This makes linux and
 # illumos look the same, too.
 #
-- replace:
-    dest: /etc/ssh/sshd_config
-    regexp: '^#?[\s]*PrintLastLog.*$'
-    replace: 'PrintLastLog no'
 - replace:
     dest: /etc/pam.d/sshd
     regexp: '^(session[\s]+optional[\s]+pam_motd\.so.*)$'
@@ -349,7 +295,7 @@
     regexp: '^{{ item.key }}='
     line: '{{ item.key }}="{{ item.value }}"'
   with_items:
-    - { key: 'JAVA_HOME', value: '/usr/lib/jvm/adoptopenjdk-java8-jdk-amd64' }
+    - { key: 'JAVA_HOME', value: '/usr/lib/jvm/java-8-openjdk-amd64' }
 
 #
 # Configure the Azure agent. Only run this on Azure, since that is the