Merge pull request #20884 from mrc0mmand/to-shellcheck-or-not-to-shellcheck

tree-wide: the last batch of shellcheck shenanigans

.github/workflows/build_test.sh

@@ -75,7 +75,7 @@ if [[ "$COMPILER" == clang ]]; then
     # Following snippet was borrowed from https://apt.llvm.org/llvm.sh
     wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add -
     add-apt-repository -y "deb http://apt.llvm.org/$RELEASE/   llvm-toolchain-$RELEASE-$COMPILER_VERSION  main"
-    PACKAGES+=(clang-$COMPILER_VERSION lldb-$COMPILER_VERSION lld-$COMPILER_VERSION clangd-$COMPILER_VERSION)
+    PACKAGES+=("clang-$COMPILER_VERSION" "lldb-$COMPILER_VERSION" "lld-$COMPILER_VERSION" "clangd-$COMPILER_VERSION")
 elif [[ "$COMPILER" == gcc ]]; then
     CC="gcc-$COMPILER_VERSION"
     CXX="g++-$COMPILER_VERSION"
@@ -83,7 +83,7 @@ elif [[ "$COMPILER" == gcc ]]; then
     # Latest gcc stack deb packages provided by
     # https://launchpad.net/~ubuntu-toolchain-r/+archive/ubuntu/test
     add-apt-repository -y ppa:ubuntu-toolchain-r/test
-    PACKAGES+=(gcc-$COMPILER_VERSION)
+    PACKAGES+=("gcc-$COMPILER_VERSION")
 else
     fatal "Unknown compiler: $COMPILER"
 fi
@@ -108,6 +108,7 @@ for args in "${ARGS[@]}"; do
     SECONDS=0
 
     info "Checking build with $args"
+    # shellcheck disable=SC2086
     if ! AR="$AR" CC="$CC" CXX="$CXX" CFLAGS="-Werror" CXXFLAGS="-Werror" meson -Dtests=unsafe -Dslow-tests=true -Dfuzz-tests=true --werror $args build; then
         fatal "meson failed with $args"
     fi

.github/workflows/linter.yml

@@ -0,0 +1,38 @@
+---
+# https://github.com/marketplace/actions/super-linter
+
+name: Lint Code Base
+
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  build:
+    name: Lint Code Base
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Repo checkout
+        uses: actions/checkout@v2
+        with:
+          # We need a full repo clone
+          fetch-depth: 0
+
+      - name: Lint Code Base
+        uses: github/super-linter@v3
+        env:
+          DEFAULT_BRANCH: main
+          # Excludes:
+          #   - man/.* - all snippets in man pages (false positives due to
+          #              missing shebangs)
+          #   - kernel-install/.* - false-positives for dropins (and I'm afraid
+          #                         to touch kernel-install)
+          #   - .*\.(in|SKELETON) - all template/skeleton files
+          #   - tools/coverity\.sh - external file (with some modifications)
+          FILTER_REGEX_EXCLUDE: .*/(man/.*|src/kernel-install/.*|.*\.(in|SKELETON)|tools/coverity\.sh)$
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          MULTI_STATUS: true
+          VALIDATE_ALL_CODEBASE: false
+          VALIDATE_BASH: true

.github/workflows/unit_tests.sh

@@ -1,5 +1,6 @@
 #!/bin/bash
 
+# shellcheck disable=SC2206
 PHASES=(${@:-SETUP RUN RUN_ASAN_UBSAN CLEANUP})
 RELEASE="$(lsb_release -cs)"
 ADDITIONAL_DEPS=(

.semaphore/semaphore-runner.sh

@@ -1,17 +1,19 @@
 #!/bin/bash
 
 set -eux
+set -o pipefail
 
 # default to Debian testing
-DISTRO=${DISTRO:-debian}
+DISTRO="${DISTRO:-debian}"
-RELEASE=${RELEASE:-bullseye}
+RELEASE="${RELEASE:-bullseye}"
-BRANCH=${BRANCH:-upstream-ci}
+BRANCH="${BRANCH:-upstream-ci}"
-ARCH=${ARCH:-amd64}
+ARCH="${ARCH:-amd64}"
-CONTAINER=${RELEASE}-${ARCH}
+CONTAINER="${RELEASE}-${ARCH}"
-CACHE_DIR=${SEMAPHORE_CACHE_DIR:=/tmp}
+CACHE_DIR="${SEMAPHORE_CACHE_DIR:-/tmp}"
 AUTOPKGTEST_DIR="${CACHE_DIR}/autopkgtest"
 # semaphore cannot expose these, but useful for interactive/local runs
 ARTIFACTS_DIR=/tmp/artifacts
+# shellcheck disable=SC2206
 PHASES=(${@:-SETUP RUN})
 UBUNTU_RELEASE="$(lsb_release -cs)"
 
@@ -20,18 +22,18 @@ create_container() {
     # GPG key from keyserver", so retry a few times with different keyservers.
     for keyserver in "" "keys.gnupg.net" "keys.openpgp.org" "keyserver.ubuntu.com"; do
         for retry in {1..5}; do
-            sudo lxc-create -n $CONTAINER -t download -- -d $DISTRO -r $RELEASE -a $ARCH ${keyserver:+--keyserver "$keyserver"} && break 2
+            sudo lxc-create -n "$CONTAINER" -t download -- -d "$DISTRO" -r "$RELEASE" -a "$ARCH" ${keyserver:+--keyserver "$keyserver"} && break 2
             sleep $((retry*retry))
         done
     done
 
     # unconfine the container, otherwise some tests fail
-    echo 'lxc.apparmor.profile = unconfined' | sudo tee -a /var/lib/lxc/$CONTAINER/config
+    echo 'lxc.apparmor.profile = unconfined' | sudo tee -a "/var/lib/lxc/$CONTAINER/config"
 
-    sudo lxc-start -n $CONTAINER
+    sudo lxc-start -n "$CONTAINER"
 
     # enable source repositories so that apt-get build-dep works
-    sudo lxc-attach -n $CONTAINER -- sh -ex <<EOF
+    sudo lxc-attach -n "$CONTAINER" -- sh -ex <<EOF
 sed 's/^deb/deb-src/' /etc/apt/sources.list >> /etc/apt/sources.list.d/sources.list
 # wait until online
 while [ -z "\$(ip route list 0/0)" ]; do sleep 1; done
@@ -44,11 +46,11 @@ apt-get purge --auto-remove -y unattended-upgrades
 systemctl unmask systemd-networkd
 systemctl enable systemd-networkd
 EOF
-    sudo lxc-stop -n $CONTAINER
+    sudo lxc-stop -n "$CONTAINER"
 }
 
 for phase in "${PHASES[@]}"; do
-    case $phase in
+    case "$phase" in
         SETUP)
             # remove semaphore repos, some of them don't work and cause error messages
             sudo rm -f /etc/apt/sources.list.d/*
@@ -59,17 +61,17 @@ for phase in "${PHASES[@]}"; do
             sudo apt-get install -y -t "$UBUNTU_RELEASE-backports" lxc
             sudo apt-get install -y python3-debian git dpkg-dev fakeroot python3-jinja2
 
-            [ -d $AUTOPKGTEST_DIR ] || git clone --quiet --depth=1 https://salsa.debian.org/ci-team/autopkgtest.git "$AUTOPKGTEST_DIR"
+            [ -d "$AUTOPKGTEST_DIR" ] || git clone --quiet --depth=1 https://salsa.debian.org/ci-team/autopkgtest.git "$AUTOPKGTEST_DIR"
 
             create_container
         ;;
         RUN)
             # add current debian/ packaging
-            git fetch --depth=1 https://salsa.debian.org/systemd-team/systemd.git $BRANCH
+            git fetch --depth=1 https://salsa.debian.org/systemd-team/systemd.git "$BRANCH"
             git checkout FETCH_HEAD debian
 
             # craft changelog
-            UPSTREAM_VER=$(git describe | sed 's/^v//;s/-/./g')
+            UPSTREAM_VER="$(git describe | sed 's/^v//;s/-/./g')"
             cat << EOF > debian/changelog.new
 systemd (${UPSTREAM_VER}.0) UNRELEASED; urgency=low
 
@@ -91,15 +93,15 @@ EOF
             echo '1.0' > debian/source/format
 
             # build source package
-            dpkg-buildpackage -S -I -I$(basename "$CACHE_DIR") -d -us -uc -nc
+            dpkg-buildpackage -S -I -I"$(basename "$CACHE_DIR")" -d -us -uc -nc
 
             # now build the package and run the tests
             rm -rf "$ARTIFACTS_DIR"
             # autopkgtest exits with 2 for "some tests skipped", accept that
-            $AUTOPKGTEST_DIR/runner/autopkgtest --env DEB_BUILD_OPTIONS=noudeb \
+            "$AUTOPKGTEST_DIR/runner/autopkgtest" --env DEB_BUILD_OPTIONS=noudeb \
                                                   --env TEST_UPSTREAM=1 ../systemd_*.dsc \
                                                   -o "$ARTIFACTS_DIR" \
-                                                -- lxc -s $CONTAINER \
+                                                  -- lxc -s "$CONTAINER" \
                 || [ $? -eq 2 ]
         ;;
         *)

coccinelle/run-coccinelle.sh

@@ -10,19 +10,20 @@ EXCLUDED_PATHS=(
     "src/libsystemd/sd-journal/lookup3.c"
 )
 
-top="$(git rev-parse --show-toplevel)"
+TOP_DIR="$(git rev-parse --show-toplevel)"
-args=
+ARGS=()
 
 # Create an array from files tracked by git...
-mapfile -t files < <(git ls-files ':/*.[ch]')
+mapfile -t FILES < <(git ls-files ':/*.[ch]')
 # ...and filter everything that matches patterns from EXCLUDED_PATHS
 for excl in "${EXCLUDED_PATHS[@]}"; do
-    files=(${files[@]//$excl})
+    # shellcheck disable=SC2206
+    FILES=(${FILES[@]//$excl})
 done
 
 case "$1" in
     -i)
-        args="$args --in-place"
+        ARGS+=(--in-place)
         shift
         ;;
 esac
@@ -32,12 +33,14 @@ if ! parallel -h >/dev/null; then
     exit 1
 fi
 
-for SCRIPT in ${@-$top/coccinelle/*.cocci}; do
+[[ ${#@} -ne 0 ]] && SCRIPTS=("$@") || SCRIPTS=("$TOP_DIR"/coccinelle/*.cocci)
-    echo "--x-- Processing $SCRIPT --x--"
+
-    TMPFILE=`mktemp`
+for script in "${SCRIPTS[@]}"; do
-    echo "+ spatch --sp-file $SCRIPT $args ..."
+    echo "--x-- Processing $script --x--"
+    TMPFILE="$(mktemp)"
+    echo "+ spatch --sp-file $script ${ARGS[*]} ..."
     parallel --halt now,fail=1 --keep-order --noswap --max-args=20 \
-             spatch --macro-file="$top/coccinelle/macros.h" --sp-file $SCRIPT $args ::: "${files[@]}" \
+             spatch --macro-file="$TOP_DIR/coccinelle/macros.h" --sp-file "$script" "${ARGS[@]}" ::: "${FILES[@]}" \
              2>"$TMPFILE" || cat "$TMPFILE"
-    echo -e "--x-- Processed $SCRIPT --x--\n"
+    echo -e "--x-- Processed $script --x--\n"
 done

configure

@@ -2,22 +2,23 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 set -e
 
-cflags=CFLAGS="$CFLAGS"
+cflags="CFLAGS=${CFLAGS-}"
-cxxflags=CXXFLAGS="$CXXFLAGS"
+cxxflags="CXXFLAGS=${CXXFLAGS-}"
-declare -a args
+args=()
-j=0
+
-for i in "$@"; do
+for arg in "$@"; do
-    case "$i" in
+    case "$arg" in
         CFLAGS=*)
-            cflags="$i";;
+            cflags="$arg"
+            ;;
         CXXFLAGS=*)
-            cxxflags="$i";;
+            cxxflags="$arg"
+            ;;
         *)
-	    args[$j]="$i"
+            args+=("$arg")
-	    j=$((j+1))
     esac
 done
 
-export "$cflags" "$cxxflags"
+export "${cflags?}" "${cxxflags?}"
 set -x
 exec meson build "${args[@]}"

test/TEST-13-NSPAWN-SMOKE/test.sh

@@ -14,7 +14,7 @@ test_append_files() {
 
         # On openSUSE the static linked version of busybox is named "busybox-static".
         busybox="$(type -P busybox-static || type -P busybox)"
-        inst_simple "$busybox" "$(dirname $busybox)/busybox"
+        inst_simple "$busybox" "$(dirname "$busybox")/busybox"
 
         if selinuxenabled >/dev/null; then
             image_install selinuxenabled

test/TEST-57-ONSUCCESS-UPHOLD/test.sh

@@ -2,6 +2,7 @@
 set -e
 
 TEST_DESCRIPTION="test OnSuccess= + Uphold= + PropagatesStopTo= + BindsTo="
-. $TEST_BASE_DIR/test-functions
+# shellcheck source=test/test-functions
+. "$TEST_BASE_DIR/test-functions"
 
 do_test "$@" 57

test/TEST-58-REPART/test.sh

@@ -1,7 +1,10 @@
 #!/usr/bin/env bash
 set -e
+
 TEST_DESCRIPTION="test systemd-repart"
 TEST_NO_NSPAWN=1
-. $TEST_BASE_DIR/test-functions
+
+# shellcheck source=test/test-functions
+. "$TEST_BASE_DIR/test-functions"
 
 do_test "$@"

test/TEST-59-RELOADING-RESTART/test.sh

@@ -1,9 +1,10 @@
 #!/usr/bin/env bash
 set -e
-TEST_DESCRIPTION="Test auto restart of exited services which are stuck in reloading state"
 
+TEST_DESCRIPTION="Test auto restart of exited services which are stuck in reloading state"
 TEST_NO_QEMU=1
 
-. $TEST_BASE_DIR/test-functions
+# shellcheck source=test/test-functions
+. "$TEST_BASE_DIR/test-functions"
 
 do_test "$@"

test/TEST-60-MOUNT-RATELIMIT/test.sh

@@ -1,7 +1,9 @@
 #!/usr/bin/env bash
 set -e
+
 TEST_DESCRIPTION="Test that mount/unmount storms can enter/exit rate limit state and will not leak units"
 
-. $TEST_BASE_DIR/test-functions
+# shellcheck source=test/test-functions
+. "$TEST_BASE_DIR/test-functions"
 
 do_test "$@"

test/TEST-62-RESTRICT-IFACES/test.sh

@@ -1,9 +1,10 @@
 #!/usr/bin/env bash
+set -e
 
+TEST_DESCRIPTION="test RestrictNetworkInterfaces="
 TEST_NO_NSPAWN=1
 
-set -e
+# shellcheck source=test/test-functions
-TEST_DESCRIPTION="test RestrictNetworkInterfaces="
+. "$TEST_BASE_DIR/test-functions"
-. $TEST_BASE_DIR/test-functions
 
-do_test "$@" 62
+do_test "$@"

test/hwdb-test.sh

@@ -10,7 +10,7 @@
 set -e
 
 export SYSTEMD_LOG_LEVEL=info
-ROOTDIR=$(dirname $(dirname $(readlink -f $0)))
+ROOTDIR="$(dirname "$(dirname "$(readlink -f "$0")")")"
 SYSTEMD_HWDB="${1:?missing argument}"
 
 if [ ! -x "$SYSTEMD_HWDB" ]; then
@@ -18,7 +18,8 @@ if [ ! -x "$SYSTEMD_HWDB" ]; then
     exit 1
 fi
 
-D=$(mktemp --tmpdir --directory "hwdb-test.XXXXXXXXXX")
+D="$(mktemp --tmpdir --directory "hwdb-test.XXXXXXXXXX")"
+# shellcheck disable=SC2064
 trap "rm -rf '$D'" EXIT INT QUIT PIPE
 mkdir -p "$D/etc/udev"
 ln -s "$ROOTDIR/hwdb.d" "$D/etc/udev/hwdb.d"

test/mocks/fsck

@@ -1,27 +0,0 @@
-#!/usr/bin/env bash
-fd=0
-
-OPTIND=1
-while getopts "C:aTlM" opt; do
-    case "$opt" in
-        C)
-            fd=$OPTARG
-            ;;
-        \?);;
-    esac
-done
-
-shift "$((OPTIND-1))"
-device=$1
-
-echo "Running fake fsck on $device"
-
-declare -a maxpass=(30 5 2 30 60)
-
-for pass in {1..5}; do
-    maxprogress=${maxpass[$((pass-1))]}
-    for (( current=0; current<=${maxprogress}; current++)); do
-        echo "$pass $current $maxprogress $device">&$fd
-        sleep 0.1
-    done
-done

test/run-integration-tests.sh

@@ -3,7 +3,7 @@ set -e
 
 if [ "$NO_BUILD" ]; then
     BUILD_DIR=""
-elif BUILD_DIR="$($(dirname "$0")/../tools/find-build-dir.sh)"; then
+elif BUILD_DIR="$("$(dirname "$0")/../tools/find-build-dir.sh")"; then
     ninja -C "$BUILD_DIR"
 else
     echo "No build found, please set BUILD_DIR or NO_BUILD" >&2
@@ -73,35 +73,36 @@ fi
 # Run actual tests (if requested)
 if [[ $args =~ [a-z] ]]; then
     for TEST in $SELECTED_TESTS; do
-        COUNT=$(($COUNT+1))
+        COUNT=$((COUNT+1))
 
-        pass_deny_list $TEST || continue
+        pass_deny_list "$TEST" || continue
         start=$(date +%s)
 
         echo -e "\n--x-- Running $TEST --x--"
         set +e
+        # shellcheck disable=SC2086
         ( set -x ; make -C "$TEST" $args )
         RESULT=$?
         set -e
         echo "--x-- Result of $TEST: $RESULT --x--"
 
         results["$TEST"]="$RESULT"
-        times["$TEST"]=$(( $(date +%s) - $start ))
+        times["$TEST"]=$(( $(date +%s) - start ))
 
-        [ "$RESULT" -ne "0" ] && FAILURES=$(($FAILURES+1))
+        [ "$RESULT" -ne "0" ] && FAILURES=$((FAILURES+1))
     done
 fi
 
 # Run clean-again, if requested, and if no tests failed
-if [ $FAILURES -eq 0 -a $CLEANAGAIN = 1 ]; then
+if [[ $FAILURES -eq 0 && $CLEANAGAIN -eq 1 ]]; then
-    for TEST in ${!results[@]}; do
+    for TEST in "${!results[@]}"; do
         ( set -x ; make -C "$TEST" clean-again )
     done
 fi
 
 echo ""
 
-for TEST in ${!results[@]}; do
+for TEST in "${!results[@]}"; do
     RESULT="${results[$TEST]}"
     time="${times[$TEST]}"
     string=$([ "$RESULT" = "0" ] && echo "SUCCESS" || echo "FAIL")

test/test-functions

@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-# shellcheck disable=SC2031
+# shellcheck disable=SC2030,SC2031
 # -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
 # ex: ts=8 sw=4 sts=4 et filetype=sh tw=180
 # Note: the shellcheck line above disables warning for variables which were
@@ -992,9 +992,11 @@ install_iscsi() {
         # dumps a list of files (perl modules) required by `tgt-admin` at
         # the runtime plus any DSOs loaded via DynaLoader. This list is then
         # passed to `inst_simple` which installs the necessary files into the image
+        #
+        # shellcheck disable=SC2016
         while read -r file; do
             inst_simple "$file"
-        done < <(perl -- <(cat $(command -v tgt-admin) <(echo -e 'use DynaLoader; print map { "$_\n" } values %INC; print join("\n", @DynaLoader::dl_shared_objects)')) -p | awk '/^\// { print $1 }')
+        done < <(perl -- <(cat "$(command -v tgt-admin)" <(echo -e 'use DynaLoader; print map { "$_\n" } values %INC; print join("\n", @DynaLoader::dl_shared_objects)')) -p | awk '/^\// { print $1 }')
     fi
 }
 
@@ -1529,7 +1531,7 @@ install_haveged() {
         dinfo "Install haveged files"
         inst /usr/sbin/haveged
         for u in /usr/lib/systemd/system/haveged*; do
-            inst $u
+            inst "$u"
         done
     fi
 }
@@ -1718,6 +1720,7 @@ install_pam() {
     done
 }
 
+# shellcheck disable=SC2120
 install_keymaps() {
     dinfo "Install keymaps"
     # The first three paths may be deprecated.

test/test-network-generator-conversion.sh

@@ -18,11 +18,13 @@ for f in "$src"/test-*.input; do
 
     (
         out=$(mktemp --tmpdir --directory "test-network-generator-conversion.XXXXXXXXXX")
+        # shellcheck disable=SC2064
         trap "rm -rf '$out'" EXIT INT QUIT PIPE
 
-        $generator --root "$out" -- $(cat $f)
+        # shellcheck disable=SC2046
+        $generator --root "$out" -- $(cat "$f")
 
-        if ! diff -u "$out"/run/systemd/network ${f%.input}.expected; then
+        if ! diff -u "$out/run/systemd/network" "${f%.input}.expected"; then
             echo "**** Unexpected output for $f"
             exit 1
         fi

test/test-path-util/script.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 
-echo "$0 $@"
+echo "$0 $*"
-test "$(basename $0)" = "script.sh" || exit 1
+test "$(basename "$0")" = "script.sh" || exit 1
 test "$1" = "--version" || exit 2
 echo "Life is good"

test/testsuite-16.units/extend-timeout.sh

@@ -1,62 +1,62 @@
 #!/usr/bin/env bash
-set -x
+set -eux
-set -e
 set -o pipefail
 
 # sleep interval (seconds)
-: ${sleep_interval:=1}
+sleep_interval="${sleep_interval:-1}"
 # extend_timeout_interval second(s)
-: ${extend_timeout_interval:=1}
+extend_timeout_interval="${extend_timeout_interval:-1}"
 # number of sleep_intervals before READY=1
-: ${start_intervals:=10}
+start_intervals="${start_intervals:-10}"
 # number of sleep_intervals before exiting
-: ${stop_intervals:=10}
+stop_intervals="${stop_intervals:-10}"
 # run intervals, number of sleep_intervals to run
-: ${run_intervals:=7}
+run_intervals="${run_intervals:-7}"
 
 # We convert to usec
-extend_timeout_interval=$(( $extend_timeout_interval * 1000000 ))
+extend_timeout_interval=$((extend_timeout_interval * 1000000))
 
+# shellcheck disable=SC2064
 trap "{ touch /${SERVICE}.terminated; exit 1; }" SIGTERM SIGABRT
 
-rm -f /${SERVICE}.*
+rm -f "/${SERVICE}".*
-touch /${SERVICE}.startfail
+touch "/${SERVICE}.startfail"
 
-systemd-notify EXTEND_TIMEOUT_USEC=$extend_timeout_interval
+systemd-notify EXTEND_TIMEOUT_USEC="$extend_timeout_interval"
-while [ $start_intervals -gt 0 ]
+while [[ $start_intervals -gt 0 ]]
 do
-    sleep $sleep_interval
+    sleep "$sleep_interval"
-    start_intervals=$(( $start_intervals - 1 ))
+    start_intervals=$((start_intervals - 1))
-    systemd-notify EXTEND_TIMEOUT_USEC=$extend_timeout_interval
+    systemd-notify EXTEND_TIMEOUT_USEC="$extend_timeout_interval"
 done
 
 systemd-notify --ready --status="Waiting for your request"
 
-touch /${SERVICE}.runtimefail
+touch "/${SERVICE}.runtimefail"
-rm /${SERVICE}.startfail
+rm "/${SERVICE}.startfail"
 
-systemd-notify EXTEND_TIMEOUT_USEC=$extend_timeout_interval
+systemd-notify EXTEND_TIMEOUT_USEC="$extend_timeout_interval"
-while [ $run_intervals -gt 0 ]
+while [[ $run_intervals -gt 0 ]]
 do
-    sleep $sleep_interval
+    sleep "$sleep_interval"
-    run_intervals=$(( $run_intervals - 1 ))
+    run_intervals=$((run_intervals - 1))
-    systemd-notify EXTEND_TIMEOUT_USEC=$extend_timeout_interval
+    systemd-notify EXTEND_TIMEOUT_USEC="$extend_timeout_interval"
 done
 
 systemd-notify STOPPING=1
 
-touch /${SERVICE}.stopfail
+touch "/${SERVICE}.stopfail"
-rm /${SERVICE}.runtimefail
+rm "/${SERVICE}.runtimefail"
 
-systemd-notify EXTEND_TIMEOUT_USEC=$extend_timeout_interval
+systemd-notify EXTEND_TIMEOUT_USEC="$extend_timeout_interval"
-while [ $stop_intervals -gt 0 ]
+while [[ $stop_intervals -gt 0 ]]
 do
-    sleep $sleep_interval
+    sleep "$sleep_interval"
-    stop_intervals=$(( $stop_intervals - 1 ))
+    stop_intervals=$((stop_intervals - 1))
-    systemd-notify EXTEND_TIMEOUT_USEC=$extend_timeout_interval
+    systemd-notify EXTEND_TIMEOUT_USEC="$extend_timeout_interval"
 done
 
-touch /${SERVICE}.success
+touch "/${SERVICE}.success"
-rm /${SERVICE}.stopfail
+rm "/${SERVICE}.stopfail"
 
 exit 0

test/udev-dmi-memory-id-test.sh

@@ -8,10 +8,11 @@ input="$2"
 expected="$3"
 
 output=$(mktemp --tmpdir "test-udev-dmi-memory-id.XXXXXXXXXX")
+# shellcheck disable=SC2064
 trap "rm '$output'" EXIT INT QUIT PIPE
 
 (
     set -x
-    "$dmi_memory_id" -F "$input" >$output
+    "$dmi_memory_id" -F "$input" >"$output"
     diff -u "$output" "$expected"
 )

test/units/testsuite-04.sh

@@ -7,7 +7,7 @@ trap "journalctl --rotate --vacuum-size=16M" EXIT
 
 # Rotation/flush test, see https://github.com/systemd/systemd/issues/19895
 journalctl --relinquish-var
-for i in {0..50}; do
+for _ in {0..50}; do
     dd if=/dev/urandom bs=1M count=1 | base64 | systemd-cat
 done
 journalctl --rotate
@@ -116,7 +116,7 @@ cmp /expected /output
 # test that LogLevelMax can also suppress logging about services, not only by services
 systemctl start silent-success
 journalctl --sync
-[[ -z `journalctl -b -q -u silent-success.service` ]]
+[[ -z "$(journalctl -b -q -u silent-success.service)" ]]
 
 # Add new tests before here, the journald restarts below
 # may make tests flappy.

test/units/testsuite-17.06.sh

@@ -8,9 +8,9 @@ function check_validity() {
     local f ID_OR_HANDLE
 
     for f in /run/udev/watch/*; do
-        ID_OR_HANDLE=$(readlink $f)
+        ID_OR_HANDLE="$(readlink "$f")"
-        test -L /run/udev/watch/${ID_OR_HANDLE}
+        test -L "/run/udev/watch/${ID_OR_HANDLE}"
-        test $(readlink /run/udev/watch/${ID_OR_HANDLE}) = $(basename $f)
+        test "$(readlink "/run/udev/watch/${ID_OR_HANDLE}")" = "$(basename "$f")"
     done
 }
 
@@ -49,7 +49,7 @@ check
 
 MAJOR=$(udevadm info /dev/sda | grep -e '^E: MAJOR=' | sed -e 's/^E: MAJOR=//')
 MINOR=$(udevadm info /dev/sda | grep -e '^E: MINOR=' | sed -e 's/^E: MINOR=//')
-test -L /run/udev/watch/b${MAJOR}:${MINOR}
+test -L "/run/udev/watch/b${MAJOR}:${MINOR}"
 
 cat >/run/udev/rules.d/50-testsuite.rules <<EOF
 ACTION=="change", SUBSYSTEM=="block", KERNEL=="sda", OPTIONS:="nowatch"
@@ -59,7 +59,7 @@ check
 
 MAJOR=$(udevadm info /dev/sda | grep -e '^E: MAJOR=' | sed -e 's/^E: MAJOR=//')
 MINOR=$(udevadm info /dev/sda | grep -e '^E: MINOR=' | sed -e 's/^E: MINOR=//')
-test ! -e /run/udev/watch/b${MAJOR}:${MINOR}
+test ! -e "/run/udev/watch/b${MAJOR}:${MINOR}"
 
 rm /run/udev/rules.d/00-debug.rules
 rm /run/udev/rules.d/50-testsuite.rules

test/units/testsuite-54.sh

@@ -43,7 +43,7 @@ if systemctl --version | grep -q -- +OPENSSL ; then
     systemd-creds encrypt --name=test-54 /tmp/test-54-plaintext /tmp/test-54-ciphertext
     systemd-creds decrypt --name=test-54 /tmp/test-54-ciphertext | cmp /tmp/test-54-plaintext
 
-    systemd-run -p SetCredentialEncrypted=test-54:"`cat /tmp/test-54-ciphertext`" \
+    systemd-run -p SetCredentialEncrypted=test-54:"$(cat /tmp/test-54-ciphertext)" \
                 --wait \
                 --pipe \
                 cat '${CREDENTIALS_DIRECTORY}/test-54' | cmp /tmp/test-54-plaintext

test/units/testsuite-61.sh

@@ -3,6 +3,7 @@ set -eux
 set -o pipefail
 
 TESTS_GLOB="test-loop-block"
-. $(dirname $0)/testsuite-02.sh
+# shellcheck source=test/units/testsuite-02.sh
+. "$(dirname "$0")/testsuite-02.sh"
 
 exit 0

test/units/testsuite-62.sh

@@ -6,28 +6,28 @@ setup() {
     systemd-analyze log-level debug
     systemd-analyze log-target console
 
-    for i in `seq 0 3`;
+    for i in {0..3};
     do
-        ip netns del ns${i} || true
+        ip netns del "ns${i}" || true
-        ip link del veth${i} || true
+        ip link del "veth${i}" || true
-        ip netns add ns${i}
+        ip netns add "ns${i}"
-        ip link add veth${i} type veth peer name veth${i}_
+        ip link add "veth${i}" type veth peer name "veth${i}_"
-        ip link set veth${i}_ netns ns${i}
+        ip link set "veth${i}_" netns "ns${i}"
-        ip -n ns${i} link set dev veth${i}_ up
+        ip -n "ns${i}" link set dev "veth${i}_" up
-        ip -n ns${i} link set dev lo up
+        ip -n "ns${i}" link set dev lo up
-        ip -n ns${i} addr add "192.168.113."$((4*i+1))/30 dev veth${i}_
+        ip -n "ns${i}" addr add "192.168.113."$((4*i+1))/30 dev "veth${i}_"
-        ip link set dev veth${i} up
+        ip link set dev "veth${i}" up
-        ip addr add "192.168.113."$((4*i+2))/30 dev veth${i}
+        ip addr add "192.168.113."$((4*i+2))/30 dev "veth${i}"
     done
 }
 
 teardown() {
     set +e
 
-    for i in `seq 0 3`;
+    for i in {0..3};
     do
-        ip netns del ns${i}
+        ip netns del "ns${i}"
-        ip link del veth${i}
+        ip link del "veth${i}"
     done
 
     systemd-analyze log-level info

test/units/testsuite-64.sh

@@ -76,6 +76,8 @@ helper_wait_for_pvscan() {
     # Get major and minor numbers from the udev database
     # (udevadm returns MAJOR= and MINOR= expressions, so let's pull them into
     # the current environment via `source` for easier parsing)
+    #
+    # shellcheck source=/dev/null
     source <(udevadm info -q property "$real_dev" | grep -E "(MAJOR|MINOR)=")
     # Sanity check if we got correct major and minor numbers
     test -e "/sys/dev/block/$MAJOR:$MINOR/"

tools/get-coverity.sh

@@ -3,33 +3,37 @@
 
 # Download and extract coverity tool
 
+set -e
+set -o pipefail
+
 # Environment check
-[ -z "$COVERITY_SCAN_TOKEN" ] && echo 'ERROR: COVERITY_SCAN_TOKEN must be set' && exit 1
+if [ -z "$COVERITY_SCAN_TOKEN" ]; then
+    echo >&2 'ERROR: COVERITY_SCAN_TOKEN must be set'
+    exit 1
+fi
 
 # Use default values if not set
-PLATFORM=$(uname)
+PLATFORM="$(uname)"
-
+TOOL_BASE="${TOOL_BASE:-/tmp/coverity-scan-analysis}"
-TOOL_BASE=${TOOL_BASE:="/tmp/coverity-scan-analysis"}
+TOOL_ARCHIVE="${TOOL_ARCHIVE:-/tmp/cov-analysis-${PLATFORM}.tgz}"
-TOOL_ARCHIVE=${TOOL_ARCHIVE:="/tmp/cov-analysis-${PLATFORM}.tgz"}
-
 TOOL_URL="https://scan.coverity.com/download/${PLATFORM}"
 
 # Make sure wget is installed
 sudo apt-get update && sudo apt-get -y install wget
 
 # Get coverity tool
-if [ ! -d $TOOL_BASE ]; then
+if [ ! -d "$TOOL_BASE" ]; then
     # Download Coverity Scan Analysis Tool
-    if [ ! -e $TOOL_ARCHIVE ]; then
+    if [ ! -e "$TOOL_ARCHIVE" ]; then
         echo -e "\033[33;1mDownloading Coverity Scan Analysis Tool...\033[0m"
-	wget -nv -O $TOOL_ARCHIVE $TOOL_URL --post-data "project=$COVERITY_SCAN_PROJECT_NAME&token=$COVERITY_SCAN_TOKEN"
+        wget -nv -O "$TOOL_ARCHIVE" "$TOOL_URL" --post-data "project=$COVERITY_SCAN_PROJECT_NAME&token=$COVERITY_SCAN_TOKEN"
     fi
 
     # Extract Coverity Scan Analysis Tool
     echo -e "\033[33;1mExtracting Coverity Scan Analysis Tool...\033[0m"
-    mkdir -p $TOOL_BASE
+    mkdir -p "$TOOL_BASE"
-    pushd $TOOL_BASE
+    pushd "$TOOL_BASE"
-    tar xzf $TOOL_ARCHIVE
+    tar xzf "$TOOL_ARCHIVE"
     popd
 fi
 

tools/meson-build.sh

@@ -9,13 +9,14 @@ options="$4"
 CC="$5"
 CXX="$6"
 
+# shellcheck disable=SC2086
 [ -f "$dst/ninja.build" ] || CC="$CC" CXX="$CXX" meson "$src" "$dst" $options
 
 # Locate ninja binary, on CentOS 7 it is called ninja-build, so
 # use that name if available.
-ninja=ninja
+ninja="ninja"
 if which ninja-build >/dev/null 2>&1 ; then
-    ninja=ninja-build
+    ninja="ninja-build"
 fi
 
 "$ninja" -C "$dst" "$target"

tools/oss-fuzz.sh

@@ -21,11 +21,11 @@ export LDFLAGS=${LDFLAGS:--L${clang_lib}}
 
 export WORK=${WORK:-$(pwd)}
 export OUT=${OUT:-$(pwd)/out}
-mkdir -p $OUT
+mkdir -p "$OUT"
 
-build=$WORK/build
+build="$WORK/build"
-rm -rf $build
+rm -rf "$build"
-mkdir -p $build
+mkdir -p "$build"
 
 if [ -z "$FUZZING_ENGINE" ]; then
     fuzzflag="llvm-fuzz=true"
@@ -38,28 +38,28 @@ else
     fi
 fi
 
-if ! meson $build -D$fuzzflag -Db_lundef=false; then
+if ! meson "$build" "-D$fuzzflag" -Db_lundef=false; then
-    cat $build/meson-logs/meson-log.txt
+    cat "$build/meson-logs/meson-log.txt"
     exit 1
 fi
 
-ninja -v -C $build fuzzers
+ninja -v -C "$build" fuzzers
 
 # The seed corpus is a separate flat archive for each fuzzer,
 # with a fixed name ${fuzzer}_seed_corpus.zip.
 for d in "$(dirname "$0")/../test/fuzz/fuzz-"*; do
-    zip -jqr $OUT/$(basename "$d")_seed_corpus.zip "$d"
+    zip -jqr "$OUT/$(basename "$d")_seed_corpus.zip" "$d"
 done
 
 # get fuzz-dns-packet corpus
-df=$build/dns-fuzzing
+df="$build/dns-fuzzing"
-git clone --depth 1 https://github.com/CZ-NIC/dns-fuzzing $df
+git clone --depth 1 https://github.com/CZ-NIC/dns-fuzzing "$df"
-zip -jqr $OUT/fuzz-dns-packet_seed_corpus.zip $df/packet
+zip -jqr "$OUT/fuzz-dns-packet_seed_corpus.zip" "$df/packet"
 
-install -Dt $OUT/src/shared/ $build/src/shared/libsystemd-shared-*.so
+install -Dt "$OUT/src/shared/" "$build"/src/shared/libsystemd-shared-*.so
 
-wget -O $OUT/fuzz-json.dict https://raw.githubusercontent.com/rc0r/afl-fuzz/master/dictionaries/json.dict
+wget -O "$OUT/fuzz-json.dict" https://raw.githubusercontent.com/rc0r/afl-fuzz/master/dictionaries/json.dict
 
-find $build -maxdepth 1 -type f -executable -name "fuzz-*" -exec mv {} $OUT \;
+find "$build" -maxdepth 1 -type f -executable -name "fuzz-*" -exec mv {} "$OUT" \;
-find src -type f -name "fuzz-*.dict" -exec cp {} $OUT \;
+find src -type f -name "fuzz-*.dict" -exec cp {} "$OUT" \;
-cp src/fuzz/*.options $OUT
+cp src/fuzz/*.options "$OUT"

units/meson-add-wants.sh

@@ -1,5 +1,6 @@
 #!/bin/sh
 # SPDX-License-Identifier: LGPL-2.1-or-later
+# shellcheck disable=SC2154,SC2174
 set -eu
 
 i=1