Registering a process as a machine means a caller can get machined
to send sigterm to it, and more. If an unpriv user is registering,
ensure the registered process is actually owned by the user.
Follow-up for adaff8eb35
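The ownership check described in the message above, as an added example that is not systemd's own code: the hypothetical helper `process_owned_by()` reads the `Uid:` line of `/proc/<pid>/status` and accepts the process only if its real, effective, saved and filesystem UIDs all match the caller. It assumes a Linux `/proc` is mounted.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not from systemd): returns 1 if the real, effective,
 * saved and filesystem UIDs of `pid` all equal `uid`, 0 if any of them
 * differs, and a negative errno value on failure. */
int process_owned_by(pid_t pid, uid_t uid) {
    char path[32], line[256];
    int result = -ENODATA;

    if (pid <= 0)
        return -EINVAL;
    snprintf(path, sizeof path, "/proc/%ld", (long) pid);

    /* Open the per-process directory first and resolve "status" relative
     * to it, so the file we read belongs to the process instance we opened
     * rather than to a later process that reused the same PID. */
    int dfd = open(path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dfd < 0)
        return -errno;
    int sfd = openat(dfd, "status", O_RDONLY | O_CLOEXEC);
    int saved = errno;
    close(dfd);
    if (sfd < 0)
        return -saved;

    FILE *f = fdopen(sfd, "r");
    if (!f) {
        saved = errno;
        close(sfd);
        return -saved;
    }
    while (fgets(line, sizeof line, f)) {
        unsigned long r, e, s, fs;
        /* The line looks like "Uid:\t1000\t1000\t1000\t1000". */
        if (sscanf(line, "Uid: %lu %lu %lu %lu", &r, &e, &s, &fs) == 4) {
            /* A setuid helper started by the user has mixed UIDs: reject. */
            result = (r == uid && e == uid && s == uid && fs == uid);
            break;
        }
    }
    fclose(f);
    return result;
}
```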
If the test VM reboots and the test re-runs, creating the images
fails as they already exist:
```
[ 218.227766] TEST-50-DISSECT.sh[889]: + mksquashfs testkit/ testkit.raw
[ 218.238754] TEST-50-DISSECT.sh[2964]: FATAL ERROR: Could not read $HOME, use -recovery-path or -no-recovery options
[ 218.239284] TEST-50-DISSECT.sh[2964]: Found a valid exportable SQUASHFS superblock on testkit.raw.
[ 218.239554] TEST-50-DISSECT.sh[2964]: Compression used gzip
[ 218.240176] TEST-50-DISSECT.sh[2964]: Inodes are compressed
[ 218.240459] TEST-50-DISSECT.sh[2964]: Data is compressed
[ 218.241072] TEST-50-DISSECT.sh[2964]: Fragments are compressed
[ 218.241526] TEST-50-DISSECT.sh[2964]: Xattrs are compressed
[ 218.241953] TEST-50-DISSECT.sh[2964]: Fragments are present in the filesystem
[ 218.242411] TEST-50-DISSECT.sh[2964]: Always-use-fragments option is not specified
[ 218.242843] TEST-50-DISSECT.sh[2964]: Duplicates are removed
[ 218.243560] TEST-50-DISSECT.sh[2964]: Xattrs are stored
[ 218.243889] TEST-50-DISSECT.sh[2964]: Filesystem size 0.38 Kbytes (0.00 Mbytes)
[ 218.244563] TEST-50-DISSECT.sh[2964]: Block size 131072
[ 218.245051] TEST-50-DISSECT.sh[2964]: Number of fragments 1
[ 218.245512] TEST-50-DISSECT.sh[2964]: Number of inodes 6
[ 218.245851] TEST-50-DISSECT.sh[2964]: Number of ids 1
[ 218.246393] TEST-50-DISSECT.sh[2964]: Parallel mksquashfs: Using 2 processors
[ 218.246820] TEST-50-DISSECT.sh[2964]: Scanning existing filesystem...
[ 218.247286] TEST-50-DISSECT.sh[2964]: Read existing filesystem, 5 inodes scanned
[ 218.252974] TEST-50-DISSECT.sh[2964]: Appending to existing 4.0 filesystem on testkit.raw, block size 131072
[ 218.253593] TEST-50-DISSECT.sh[2964]: All -b, -noI, -noD, -noF, -noX, -noId, -no-duplicates, -no-fragments,
[ 218.253848] TEST-50-DISSECT.sh[2964]: -always-use-fragments, -exportable and -comp options ignored
[ 218.257196] TEST-50-DISSECT.sh[2964]: If appending is not wanted, please re-run with -noappend specified!
```
https://github.com/systemd/systemd/actions/runs/17674609143/job/50233691148?pr=38867
The default is already to propagate the env vars, so this
was unnecessary and actually creates a problem as it removes
custom PATHs.
This reverts commit 994af53395.
When the test VM is accidentally rebooted, there exists the previously
created volume, and the command fails with the following:
```
TEST-64-UDEV-STORAGE.sh[282]: + lvm pvcreate -y /dev/md/mdlvm
TEST-64-UDEV-STORAGE.sh[442]: Can't initialize physical volume "/dev/md127" of volume group "mdlvm_vg" without -ff
TEST-64-UDEV-STORAGE.sh[442]: /dev/md127: physical volume not initialized.
[FAILED] Failed to start TEST-64-UDEV-STORAGE-mdadm_lvm.service.
```
Let's ignore the existence of the previous volume and forcibly create a new one.
Workaround for issue #38240.
Otherwise it remains there, and another test case accidentally
uses it on refresh, which then makes another later test fail,
as the hierarchy is already merged:
```
[ 203.969708] TEST-50-DISSECT.sh[890]: + systemd-sysext status
[ 203.981831] TEST-50-DISSECT.sh[2795]: HIERARCHY EXTENSIONS SINCE
[ 203.982196] TEST-50-DISSECT.sh[2795]: /opt app0 Mon 2025-09-08 11:49:11 UTC
[ 203.982551] TEST-50-DISSECT.sh[2795]: /usr app0 Mon 2025-09-08 11:49:11 UTC
[ 204.119772] TEST-50-DISSECT.sh[2799]: Hierarchy '/usr' is already merged.
```
Fixes https://github.com/systemd/systemd/issues/38282
The test occasionally fails with:
```
TEST-50-DISSECT.sh[3852]: Hierarchy '/usr' is already merged.
```
I can't really tell what is already merged as all previous ops
look as if they are undone from the logs, so add status/list commands
just before the failing operation to hopefully give more info.
For https://github.com/systemd/systemd/issues/38282
Previously, we checked the journal after TEST-XX-YYYYY.sh, but it was
forgotten when we switched to mkosi.
This re-enables the check but through ExecStartPost=, and drops unnecessary
workarounds for end.service. Then, this drops unnecessary end.service
and testsuite.target.
Otherwise, the following debugging log will be saved and the checker for
the varlink-idl log triggers failure:
```
systemd-userwork: processing[3110]: varlink-6-6: Parameters for method
io.systemd.UserDatabase.GetUserRecord() didn't pass validation on field 'service': No anode
```
Follow-ups for ab56a96194.
Fixes the following failure:
```
TEST-87-AUX-UTILS-VM.sh[1196]: + systemd-run --user --wait --pipe -M testuser@.host -- coredumpctl
TEST-87-AUX-UTILS-VM.sh[1840]: Running as unit: run-p1840-i1841.service; invocation ID: 325a026377aa4cffb046c5a63a8906ab
TEST-87-AUX-UTILS-VM.sh[1853]: Hint: You are currently not seeing messages from other users and the system.
TEST-87-AUX-UTILS-VM.sh[1853]: Users in groups 'adm', 'systemd-journal', 'wheel' can see all messages.
TEST-87-AUX-UTILS-VM.sh[1853]: Pass -q to turn off this notice.
TEST-87-AUX-UTILS-VM.sh[1853]: Journal file /var/log/journal/6835d335b6684b6197bf071ad66f2678/user-4711.journal is truncated, ignoring file.
TEST-87-AUX-UTILS-VM.sh[1853]: No coredumps found.
TEST-87-AUX-UTILS-VM.sh[1840]: Finished with result: exit-code
TEST-87-AUX-UTILS-VM.sh[1840]: Main processes terminated with: code=exited, status=1/FAILURE
TEST-87-AUX-UTILS-VM.sh[1840]: Service runtime: 154ms
TEST-87-AUX-UTILS-VM.sh[1840]: CPU time consumed: 78ms
TEST-87-AUX-UTILS-VM.sh[1840]: Memory peak: 21.9M (swap: 0B)
```
There are a lot of resolved.conf.d drop-ins used in these tests. Use
proper numeric prefixes, especially to avoid confusion with sorting
relative to test.conf.
Make the test base config 10-test.conf, and use 90-*.conf elsewhere.
Hence, we need to wait for the previous operation to finish.
Fixes the following failure:
```
TEST-46-HOMED.sh[107]: + homectl unregister signtest
TEST-46-HOMED.sh[1449]: Failed to unregister home: Home signtest is currently being used, or an operation on home signtest is currently being executed.
```
Fixes #38643
Since c5de7b14ae
file searching implies a new mount api syscall by default,
to trigger automounts.
This is problematic in NSS plugins, as they are dlopen'ed inside
processes by glibc, for two reasons.
First of all, potentially searching on a networked filesystem
automount could lead to nasty surprises, such as the process
responsible for setting up the network filesystem trying to
search on that same filesystem.
More importantly, the new mount api syscall was never part of
the filesystem seccomp filter that we provide by default, and
given mounting/remounting/bind mounting is one of the possible
ways to bypass sandboxing it is very likely not allowed when
custom filters are used in sandboxed processes, if they don't
need to do these operations otherwise.
The filesystem seccomp mask we provide has been updated, however
this only takes effect on the next restart of a service. When
systemd is upgraded via a package upgrade, the new nss plugin is
installed and will be immediately dlopen'ed by glibc when needed,
without waiting for the process to restart, which means the existing
seccomp filter applies, causing the filter to trigger.
Given it's not really possible for any arbitrary program to
predict which NSS modules glibc will load, given programs do not
configure that and instead nsswitch is set up by the sysadmin,
it's impossible to handle at each process level. It's also not
possible to know when it will be triggered, given the plugin
is not linked in each binary; tools like need-restart cannot
even pre-emptively restart services that may be affected.
This means in practice, upgrading from systemd << v258 to >= v258
requires a reboot to avoid either subtle or catastrophic system
failures.
By not triggering automounts in nss-systemd we can avoid
both issues.
userdb drop-ins are searched for in:
/etc/userdb/
/run/userdb/
/run/host/userdb/
/usr/local/lib/userdb/
/usr/lib/userdb/
none of which are supported as automounts anyway.
Note that this happens only when the userdbd service is not running,
as otherwise nss-systemd will go through the varlink IPC, rather than
doing the searches in-process.
So invert CHASE_NO_AUTOFS to CHASE_AUTOFS and set it in the places where
we do want to trigger automounts, like looking for the ESP.
Follow-up for c5de7b14ae
Fixes https://github.com/systemd/systemd/issues/38565
mkosi patches up /etc/os-release to add local IDs and fix up certain
issues, so when tests patch /usr/lib/ on the fly, copy to the version in
/etc/ too to avoid test failures when querying
```
6370s 10/98 systemd:integration-tests / TEST-07-PID1 FAIL 31.03s exit status 1
6370s 25/98 systemd:integration-tests / TEST-29-PORTABLE FAIL 12.76s exit status 1
6370s 33/98 systemd:integration-tests / TEST-43-PRIVATEUSER-UNPRIV FAIL 6.57s exit status 1
6370s 37/98 systemd:integration-tests / TEST-50-DISSECT FAIL 16.97s exit status 1
```
This is particularly an issue when running these tests on Debian unstable,
where mkosi has to fix up os-release to make it valid and avoid further
breakages:
https://github.com/systemd/mkosi/blob/main/mkosi/distributions/debian.py#L234