test: call mksquashfs with -noappend to be safe on reruns

If the test VM reboots and the test re-runs, creating the images
fails as they already exist:

[  218.227766] TEST-50-DISSECT.sh[889]: + mksquashfs testkit/ testkit.raw
[  218.238754] TEST-50-DISSECT.sh[2964]: FATAL ERROR: Could not read $HOME, use -recovery-path or -no-recovery options
[  218.239284] TEST-50-DISSECT.sh[2964]: Found a valid exportable SQUASHFS superblock on testkit.raw.
[  218.239554] TEST-50-DISSECT.sh[2964]: 	Compression used gzip
[  218.240176] TEST-50-DISSECT.sh[2964]: 	Inodes are compressed
[  218.240459] TEST-50-DISSECT.sh[2964]: 	Data is compressed
[  218.241072] TEST-50-DISSECT.sh[2964]: 	Fragments are compressed
[  218.241526] TEST-50-DISSECT.sh[2964]: 	Xattrs are compressed
[  218.241953] TEST-50-DISSECT.sh[2964]: 	Fragments are present in the filesystem
[  218.242411] TEST-50-DISSECT.sh[2964]: 	Always-use-fragments option is not specified
[  218.242843] TEST-50-DISSECT.sh[2964]: 	Duplicates are removed
[  218.243560] TEST-50-DISSECT.sh[2964]: 	Xattrs are stored
[  218.243889] TEST-50-DISSECT.sh[2964]: 	Filesystem size 0.38 Kbytes (0.00 Mbytes)
[  218.244563] TEST-50-DISSECT.sh[2964]: 	Block size 131072
[  218.245051] TEST-50-DISSECT.sh[2964]: 	Number of fragments 1
[  218.245512] TEST-50-DISSECT.sh[2964]: 	Number of inodes 6
[  218.245851] TEST-50-DISSECT.sh[2964]: 	Number of ids 1
[  218.246393] TEST-50-DISSECT.sh[2964]: Parallel mksquashfs: Using 2 processors
[  218.246820] TEST-50-DISSECT.sh[2964]: Scanning existing filesystem...
[  218.247286] TEST-50-DISSECT.sh[2964]: Read existing filesystem, 5 inodes scanned
[  218.252974] TEST-50-DISSECT.sh[2964]: Appending to existing 4.0 filesystem on testkit.raw, block size 131072
[  218.253593] TEST-50-DISSECT.sh[2964]: All -b, -noI, -noD, -noF, -noX, -noId, -no-duplicates, -no-fragments,
[  218.253848] TEST-50-DISSECT.sh[2964]: -always-use-fragments, -exportable and -comp options ignored
[  218.257196] TEST-50-DISSECT.sh[2964]: If appending is not wanted, please re-run with -noappend specified!

https://github.com/systemd/systemd/actions/runs/17674609143/job/50233691148?pr=38867

meson.build

@@ -485,6 +485,7 @@ possible_link_flags = [
         '-Wl,--fatal-warnings',
         '-Wl,-z,now',
         '-Wl,-z,relro',
+        '-Wl,-z,gcs-report-dynamic=none',
         '-Wl,--gc-sections',
 ]
 

src/shared/generator.c

@@ -26,6 +26,14 @@
 #include "tmpfile-util.h"
 #include "unit-name.h"
 
+static int symlink_unless_exists(const char *to, const char *from) {
+        (void) mkdir_parents(from, 0755);
+
+        if (symlink(to, from) < 0 && errno != EEXIST)
+                return log_error_errno(errno, "Failed to create symlink %s: %m", from);
+        return 0;
+}
+
 int generator_open_unit_file_full(
                 const char *dir,
                 const char *source,
@@ -134,12 +142,7 @@ int generator_add_symlink_full(
         if (!to)
                 return log_oom();
 
-        (void) mkdir_parents_label(to, 0755);
+        return symlink_unless_exists(from, to);
-
-        if (symlink(from, to) < 0 && errno != EEXIST)
-                return log_error_errno(errno, "Failed to create symlink \"%s\": %m", to);
-
-        return 0;
 }
 
 static int generator_add_ordering(
@@ -331,19 +334,16 @@ int generator_write_fsck_deps(
         }
 
         if (path_equal(where, "/")) {
-                const char *lnk;
-
                 /* We support running the fsck instance for the root fs while it is already mounted, for
                  * compatibility with non-initrd boots. It's ugly, but it is how it is. Since – unlike for
                  * regular file systems – this means the ordering is reversed (i.e. mount *before* fsck) we
                  * have a separate fsck unit for this, independent of systemd-fsck@.service. */
 
-                lnk = strjoina(dir, "/" SPECIAL_LOCAL_FS_TARGET ".wants/" SPECIAL_FSCK_ROOT_SERVICE);
+                const char *lnk = strjoina(dir, "/" SPECIAL_LOCAL_FS_TARGET ".wants/" SPECIAL_FSCK_ROOT_SERVICE);
-
-                (void) mkdir_parents(lnk, 0755);
-                if (symlink(SYSTEM_DATA_UNIT_DIR "/" SPECIAL_FSCK_ROOT_SERVICE, lnk) < 0)
-                        return log_error_errno(errno, "Failed to create symlink %s: %m", lnk);
 
+                r = symlink_unless_exists(SYSTEM_DATA_UNIT_DIR "/" SPECIAL_FSCK_ROOT_SERVICE, lnk);
+                if (r < 0)
+                        return r;
         } else {
                 _cleanup_free_ char *_fsck = NULL;
                 const char *fsck, *dep;

test/run-unit-tests.py

@@ -35,12 +35,6 @@ def argument_parser():
 
 opts = argument_parser().parse_args()
 
-env = {}
-if 'SYSTEMD_LOG_LEVEL' in os.environ:
-    env['SYSTEMD_LOG_LEVEL'] = os.environ['SYSTEMD_LOG_LEVEL']
-if 'SYSTEMD_LOG_TARGET' in os.environ:
-    env['SYSTEMD_LOG_TARGET'] = os.environ['SYSTEMD_LOG_TARGET']
-
 unittestdir = pathlib.Path(__file__).parent.absolute() / 'unit-tests'
 
 tests = list(unittestdir.glob('test-*'))
@@ -59,7 +53,7 @@ for test in sorted(tests):
         total.skip += 1
         continue
 
-    ex = subprocess.run(test, stdin=subprocess.DEVNULL, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, env=env)
+    ex = subprocess.run(test, stdin=subprocess.DEVNULL, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
     if ex.returncode == 0:
         print(f'{GREEN}PASS: {name}{RESET_ALL}')
         total.good += 1

test/units/TEST-13-NSPAWN.nspawn.sh

@@ -1208,28 +1208,6 @@ EOF
     rm -fr "$root"
 }
 
-can_do_rootless_nspawn() {
-    # Our create_dummy_ddi() uses squashfs and openssl.
-    command -v mksquashfs &&
-    command -v openssl &&
-
-    # mountfsd must be enabled...
-    [[ -S /run/systemd/io.systemd.MountFileSystem ]] &&
-    # ...and have pidfd support for unprivileged operation.
-    systemd-analyze compare-versions "$(uname -r)" ge 6.5 &&
-    systemd-analyze compare-versions "$(pkcheck --version | awk '{print $3}')" ge 124 &&
-
-    # nsresourced must be enabled...
-    [[ -S /run/systemd/userdb/io.systemd.NamespaceResource ]] &&
-    # ...and must support the UserNamespaceInterface.
-    ! (SYSTEMD_LOG_TARGET=console varlinkctl call \
-           /run/systemd/userdb/io.systemd.NamespaceResource \
-           io.systemd.NamespaceResource.AllocateUserRange \
-           '{"name":"test-supported","size":65536,"userNamespaceFileDescriptor":0}' \
-           2>&1 || true) |
-        grep -q "io.systemd.NamespaceResource.UserNamespaceInterfaceNotSupported"
-}
-
 create_dummy_ddi() {
     local outdir="${1:?}"
     local container_name="${2:?}"

test/units/TEST-13-NSPAWN.unpriv.sh

@@ -7,12 +7,7 @@ set -o pipefail
 # shellcheck source=test/units/util.sh
 . "$(dirname "$0")"/util.sh
 
-if [[ ! -f /usr/lib/systemd/system/systemd-mountfsd.socket ]] ||
+if ! can_do_rootless_nspawn; then
-   [[ ! -f /usr/lib/systemd/system/systemd-nsresourced.socket ]] ||
-   ! grep -q bpf /sys/kernel/security/lsm ||
-   ! find /usr/lib* -name libbpf.so.1 2>/dev/null | grep . ||
-   systemd-analyze compare-versions "$(uname -r)" lt 6.5 ||
-   systemd-analyze compare-versions "$(pkcheck --version | awk '{print $3}')" lt 124; then
     echo "Skipping unpriv nspawn test"
     exit 0
 fi
@@ -25,8 +20,6 @@ at_exit() {
 
 trap at_exit EXIT
 
-systemctl start systemd-mountfsd.socket systemd-nsresourced.socket
-
 run0 -u testuser mkdir -p .local/state/machines
 
 create_dummy_container /home/testuser/.local/state/machines/zurps

test/units/TEST-50-DISSECT.dissect.sh

@@ -371,7 +371,7 @@ systemctl start testservice-50d.service
 
 # Mount twice to exercise mount-beneath (on kernel 6.5+, on older kernels it will just overmount)
 mkdir -p /tmp/wrong/foo
-mksquashfs /tmp/wrong/foo /tmp/wrong.raw
+mksquashfs /tmp/wrong/foo /tmp/wrong.raw -noappend
 systemctl mount-image --mkdir testservice-50d.service /tmp/wrong.raw /tmp/img
 test "$(systemctl show -P SubState testservice-50d.service)" = "running"
 systemctl mount-image --mkdir testservice-50d.service "$MINIMAL_IMAGE.raw" /tmp/img root:nosuid
@@ -638,14 +638,14 @@ ExecStart=bash -x -c ' \\
     while true; do sleep 1; done; \\
 '
 EOF
-mksquashfs "$VDIR/${VBASE}_1" "$VDIR2/${VBASE}_1.raw"
+mksquashfs "$VDIR/${VBASE}_1" "$VDIR2/${VBASE}_1.raw" -noappend
 systemctl start testservice-50h.service
 systemctl is-active testservice-50h.service
 # First reload should pick up the v1 marker
 systemctl reload testservice-50h.service
 grep -q -F "${VBASE}_1.marker" /tmp/markers/50h
 # Second reload should pick up the v2 marker
-mksquashfs "$VDIR/${VBASE}_2" "$VDIR2/${VBASE}_2.raw"
+mksquashfs "$VDIR/${VBASE}_2" "$VDIR2/${VBASE}_2.raw" -noappend
 systemctl reload testservice-50h.service
 grep -q -F "${VBASE}_2.marker" /tmp/markers/50h
 # Test that removing all the extensions don't cause any issues
@@ -750,11 +750,11 @@ if [ "$verity_sig_supported" -eq 1 ]; then
     veritysetup status "$(cat "$MINIMAL_IMAGE.roothash")-verity" | grep -q "verified (with signature)"
 fi
 # First reload should pick up the v1 marker
-mksquashfs "$VDIR/${VBASE}_1" "$VDIR2/${VBASE}_1.raw"
+mksquashfs "$VDIR/${VBASE}_1" "$VDIR2/${VBASE}_1.raw" -noappend
 systemctl reload testservice-50k.service
 grep -q -F "${VBASE}_1.marker" /tmp/markers/50k
 # Second reload should pick up the v2 marker
-mksquashfs "$VDIR/${VBASE}_2" "$VDIR2/${VBASE}_2.raw"
+mksquashfs "$VDIR/${VBASE}_2" "$VDIR2/${VBASE}_2.raw" -noappend
 systemctl reload testservice-50k.service
 grep -q -F "${VBASE}_2.marker" /tmp/markers/50k
 # Test that removing all the extensions don't cause any issues
@@ -917,7 +917,7 @@ mkdir -p /run/extensions/ testkit/usr/lib/extension-release.d/
 echo "ID=_any" >testkit/usr/lib/extension-release.d/extension-release.testkit
 echo "ARCHITECTURE=_any" >>testkit/usr/lib/extension-release.d/extension-release.testkit
 echo "MARKER_SYSEXT_123" >testkit/usr/lib/testfile
-mksquashfs testkit/ testkit.raw
+mksquashfs testkit/ testkit.raw -noappend
 cp testkit.raw /run/extensions/
 unsquashfs -l /run/extensions/testkit.raw
 systemd-dissect --no-pager /run/extensions/testkit.raw | grep -q '✓ sysext for portable service'
@@ -933,7 +933,7 @@ mkdir -p /run/confexts/ testjob/etc/extension-release.d/
 echo "ID=_any" >testjob/etc/extension-release.d/extension-release.testjob
 echo "ARCHITECTURE=_any" >>testjob/etc/extension-release.d/extension-release.testjob
 echo "MARKER_CONFEXT_123" >testjob/etc/testfile
-mksquashfs testjob/ testjob.raw
+mksquashfs testjob/ testjob.raw -noappend
 cp testjob.raw /run/confexts/
 unsquashfs -l /run/confexts/testjob.raw
 systemd-dissect --no-pager /run/confexts/testjob.raw | grep -q '✓ confext for system'

test/units/util.sh

@@ -186,6 +186,36 @@ create_dummy_container() {
     coverage_create_nspawn_dropin "$root"
 }
 
+can_do_rootless_nspawn() {
+    # Our create_dummy_ddi() uses squashfs and openssl.
+    command -v mksquashfs &&
+    command -v openssl &&
+
+    # Need to have bpf-lsm
+    grep -q bpf /sys/kernel/security/lsm &&
+    # ...and libbpf installed
+    find /usr/lib* -name "libbpf.so.*" 2>/dev/null | grep -q . &&
+
+    # Ensure mountfsd/nsresourced are listening
+    systemctl start systemd-mountfsd.socket systemd-nsresourced.socket &&
+
+    # mountfsd must be enabled...
+    [[ -S /run/systemd/io.systemd.MountFileSystem ]] &&
+    # ...and have pidfd support for unprivileged operation.
+    systemd-analyze compare-versions "$(uname -r)" ge 6.5 &&
+    systemd-analyze compare-versions "$(pkcheck --version | awk '{print $3}')" ge 124 &&
+
+    # nsresourced must be enabled...
+    [[ -S /run/systemd/userdb/io.systemd.NamespaceResource ]] &&
+    # ...and must support the UserNamespaceInterface.
+    ! (SYSTEMD_LOG_TARGET=console varlinkctl call \
+           /run/systemd/userdb/io.systemd.NamespaceResource \
+           io.systemd.NamespaceResource.AllocateUserRange \
+           '{"name":"test-supported","size":65536,"userNamespaceFileDescriptor":0}' \
+           2>&1 || true) |
+        grep -q "io.systemd.NamespaceResource.UserNamespaceInterfaceNotSupported"
+}
+
 # Bump the reboot counter and call systemctl with the given arguments
 systemctl_final() {
     local counter