test: Rename testsuite-XX units to match test name

[thirdparty/systemd.git] / test / test-functions

#!/usr/bin/env bash
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# SPDX-License-Identifier: LGPL-2.1-or-later
#
# shellcheck disable=SC2030,SC2031
# ex: ts=8 sw=4 sts=4 et filetype=sh tw=180
# Note: the shellcheck line above disables warning for variables which were
#       modified in a subshell. In our case this behavior is expected, but
#       `shellcheck` can't distinguish this because of poor variable tracking,
#       which results in warning for every instance of such variable used
#       throughout this file.
#       See:
#           * comment in function install_verity_minimal()
#           * koalaman/shellcheck#280
set -o pipefail

# Simple wrapper to unify boolean checks.
# Note: this function needs to stay near the top of the file, so we can use it
#       in code in the outermost scope.
get_bool() {
    # Make the value lowercase to make the regex matching simpler
    local _bool="${1,,}"

    # Consider empty value as "false"
    if [[ -z "$_bool" || "$_bool" =~ ^(0|no|false)$ ]]; then
        return 1
    elif [[ "$_bool" =~ ^(1|yes|true)$ ]]; then
        return 0
    else
        echo >&2 "Value '$_bool' is not a valid boolean value"
        exit 1
    fi
}

PATH=/sbin:/bin:/usr/sbin:/usr/bin
export PATH

os_release=$(test -e /etc/os-release && echo /etc/os-release || echo /usr/lib/os-release)
# shellcheck source=/dev/null
source "$os_release"
[[ "$ID" == "debian" || " $ID_LIKE " == *" debian "* ]] && LOOKS_LIKE_DEBIAN=yes || LOOKS_LIKE_DEBIAN=no
# shellcheck disable=SC2034
[[ "$ID" == "ubuntu" ]] && LOOKS_LIKE_UBUNTU=yes || LOOKS_LIKE_UBUNTU=no
[[ "$ID" == "arch" || " $ID_LIKE " == *" arch "* ]] && LOOKS_LIKE_ARCH=yes || LOOKS_LIKE_ARCH=no
[[ "$ID" == "fedora" ]] && LOOKS_LIKE_FEDORA=yes || LOOKS_LIKE_FEDORA=no
[[ " $ID_LIKE " == *" suse "* ]] && LOOKS_LIKE_SUSE=yes || LOOKS_LIKE_SUSE=no

KERNEL_VER="${KERNEL_VER-$(uname -r)}"
QEMU_TIMEOUT="${QEMU_TIMEOUT:-1800}"
NSPAWN_TIMEOUT="${NSPAWN_TIMEOUT:-1800}"
TIMED_OUT=  # will be 1 after run_* if *_TIMEOUT is set and test timed out
get_bool "$LOOKS_LIKE_SUSE" && FSTYPE="${FSTYPE:-btrfs}" || FSTYPE="${FSTYPE:-ext4}"
UNIFIED_CGROUP_HIERARCHY="${UNIFIED_CGROUP_HIERARCHY:-default}"
EFI_MOUNT="${EFI_MOUNT:-$(bootctl -x 2>/dev/null || echo /boot)}"
# Note that defining a different IMAGE_NAME in a test setup script will only result
# in default.img being copied and renamed. It can then be extended by defining
# a test_append_files() function. The $1 parameter will be the root directory.
# To force creating a new image from scratch (eg: to encrypt it), also define
# TEST_FORCE_NEWIMAGE=1 in the test setup script.
IMAGE_NAME=${IMAGE_NAME:-default}
TEST_REQUIRE_INSTALL_TESTS="${TEST_REQUIRE_INSTALL_TESTS:-1}"
TEST_PARALLELIZE="${TEST_PARALLELIZE:-0}"
TEST_SUPPORTING_SERVICES_SHOULD_BE_MASKED="${TEST_SUPPORTING_SERVICES_SHOULD_BE_MASKED:-1}"
LOOPDEV=

# Since in Bash we can have only one handler per signal, let's overcome this
# limitation by having one global handler for the EXIT signal which executes
# all registered handlers
_AT_EXIT_HANDLERS=()
_at_exit() {
    set +e

    # Run the EXIT handlers in reverse order
    for ((i = ${#_AT_EXIT_HANDLERS[@]} - 1; i >= 0; i--)); do
        ddebug "Running EXIT handler '${_AT_EXIT_HANDLERS[$i]}'"
        eval "${_AT_EXIT_HANDLERS[$i]}"
    done
}

trap _at_exit EXIT

add_at_exit_handler() {
    _AT_EXIT_HANDLERS+=("${1:?}")
}

# Decide if we can (and want to) run qemu with KVM acceleration.
# Check if nested KVM is explicitly enabled (TEST_NESTED_KVM). If not,
# check if it's not explicitly disabled (TEST_NO_KVM) and we're not already
# running under KVM. If these conditions are met, enable KVM (and possibly
# nested KVM), otherwise disable it.
if get_bool "${TEST_NESTED_KVM:=}" || (! get_bool "${TEST_NO_KVM:=}" && ! systemd-detect-virt -qv); then
    QEMU_KVM=yes
else
    QEMU_KVM=no
fi

if ! ROOTLIBDIR=$(pkg-config --variable=systemdutildir systemd); then
    echo "WARNING! Cannot determine libdir from pkg-config, assuming /usr/lib/systemd" >&2
    ROOTLIBDIR=/usr/lib/systemd
fi

# The calling test.sh scripts have TEST_BASE_DIR set via their Makefile, but we don't need them to provide it
TEST_BASE_DIR=${TEST_BASE_DIR:-$(realpath "$(dirname "${BASH_SOURCE[0]}")")}
TEST_UNITS_DIR="$(realpath "$TEST_BASE_DIR/units")"
SOURCE_DIR=$(realpath "$TEST_BASE_DIR/..")
# These variables are used by test scripts
export TEST_BASE_DIR TEST_UNITS_DIR SOURCE_DIR

TOOLS_DIR="$SOURCE_DIR/tools"
# note that find-build-dir.sh will return $BUILD_DIR if provided, else it will try to find it
if get_bool "${NO_BUILD:=}"; then
    BUILD_DIR="$SOURCE_DIR"
elif ! BUILD_DIR="$("$TOOLS_DIR"/find-build-dir.sh)"; then
    echo "ERROR: no build found, please set BUILD_DIR or use NO_BUILD" >&2
    exit 1
fi

PATH_TO_INIT="$ROOTLIBDIR/systemd"
SYSTEMD_JOURNALD="${SYSTEMD_JOURNALD:-$(command -v "$BUILD_DIR/systemd-journald" || command -v "$ROOTLIBDIR/systemd-journald")}"
SYSTEMD_JOURNAL_REMOTE="${SYSTEMD_JOURNAL_REMOTE:-$(command -v "$BUILD_DIR/systemd-journal-remote" || command -v "$ROOTLIBDIR/systemd-journal-remote" || echo "")}"
SYSTEMD="${SYSTEMD:-$(command -v "$BUILD_DIR/systemd" || command -v "$ROOTLIBDIR/systemd")}"
SYSTEMD_NSPAWN="${SYSTEMD_NSPAWN:-$(command -v "$BUILD_DIR/systemd-nspawn" || command -v systemd-nspawn)}"
JOURNALCTL="${JOURNALCTL:-$(command -v "$BUILD_DIR/journalctl" || command -v journalctl)}"
SYSTEMCTL="${SYSTEMCTL:-$(command -v "$BUILD_DIR/systemctl" || command -v systemctl)}"
SYSTEMD_ID128="${SYSTEMD_ID128:-$(command -v "$BUILD_DIR/systemd-id128" || command -v systemd-id128)}"

TESTFILE="${BASH_SOURCE[1]}"
if [ -z "$TESTFILE" ]; then
    echo "ERROR: test-functions must be sourced from one of the TEST-*/test.sh scripts" >&2
    exit 1
fi
TESTNAME="$(basename "$(dirname "$(realpath "$TESTFILE")")")"

WORKDIR="/var/tmp/systemd-tests"
if get_bool "${NO_BUILD:=}"; then
    STATEDIR="$WORKDIR/$TESTNAME"
else
    STATEDIR="$BUILD_DIR/test/$TESTNAME"
fi

STATEFILE="$STATEDIR/.testdir"
IMAGESTATEDIR="$STATEDIR/.."
TESTLOG="$STATEDIR/test.log"

if ! [[ "$TESTNAME" =~ ^TEST\-([0-9]+)\-.+$ ]]; then
    echo "ERROR: Test name '$TESTNAME' is not in the expected format: TEST-[0-9]+-*" >&2
    exit 1
fi

if [[ ! -f "$TEST_UNITS_DIR/$TESTNAME.service" ]]; then
    echo "ERROR: Test '$TESTNAME' is missing its service file '$TEST_UNITS_DIR/$TESTNAME.service" >&2
    exit 1
fi

BASICTOOLS=(
    awk
    base64
    basename
    bash
    capsh
    cat
    chgrp
    chmod
    chown
    chroot
    cmp
    cp
    cryptsetup
    cut
    date
    dd
    dhclient
    diff
    dirname
    dmsetup
    echo
    env
    false
    find
    findmnt
    flock
    getconf
    getent
    getfacl
    getfattr
    grep
    grep
    gunzip
    gzip
    head
    hostname
    id
    ionice
    ip
    jq
    killall
    ldd
    ln
    ln
    loadkeys
    login
    losetup
    ls
    lsattr
    lsblk
    lz4cat
    mkdir
    mkfifo
    mknod
    mktemp
    modprobe
    mount
    mountpoint
    mv
    nc
    nproc
    ping
    pkill
    ps
    readlink
    realpath
    rev
    rm
    rmdir
    rmmod
    script
    sed
    seq
    setfacl
    setfattr
    setfont
    setpriv
    setsid
    sfdisk
    sh
    sleep
    sort
    stat
    stty
    su
    sulogin
    sysctl
    tail
    tar
    tee
    test
    timeout
    touch
    tr
    true
    truncate
    tty
    umount
    uname
    unshare
    useradd
    userdel
    wc
    whoami
    xargs
    xzcat
)

DEBUGTOOLS=(
    df
    dmesg
    du
    free
    less
    strace
    vi
    /usr/libexec/vi
)

is_built_with_asan() {
    local _bin="${1:?}"

    if ! type -P objdump >/dev/null; then
        echo "Failed to find objdump, assuming systemd hasn't been built with ASAN."
        return 1
    fi

    # Borrowed from https://github.com/google/oss-fuzz/blob/cd9acd02f9d3f6e80011cc1e9549be526ce5f270/infra/base-images/base-runner/bad_build_check#L182
    local _asan_calls
    _asan_calls="$(objdump -dC "$_bin" | grep -E "(callq?|brasl?|bl)\s.+__asan" -c)"
    if ((_asan_calls < 1000)); then
        return 1
    else
        return 0
    fi
}

is_built_with_coverage() {
    if get_bool "${NO_BUILD:=}" || ! command -v meson >/dev/null; then
        return 1
    fi

    meson configure "${BUILD_DIR:?}" | grep 'b_coverage' | awk '{ print $2 }' | grep -q 'true'
}

IS_BUILT_WITH_ASAN=$(is_built_with_asan "$SYSTEMD_JOURNALD" && echo yes || echo no)
IS_BUILT_WITH_COVERAGE=$(is_built_with_coverage && echo yes || echo no)

if get_bool "$IS_BUILT_WITH_ASAN"; then
    PATH_TO_INIT="$ROOTLIBDIR/systemd-under-asan"
    QEMU_MEM="${QEMU_MEM:-2G}"
    QEMU_SMP="${QEMU_SMP:-4}"

    # We need to correctly distinguish between gcc's and clang's ASan DSOs.
    if ASAN_RT_NAME="$(awk '/libasan.so/ {x=$1; exit} END {print x; exit x==""}' < <(ldd "$SYSTEMD"))"; then
        ASAN_COMPILER=gcc
        ASAN_RT_PATH="$(readlink -f "$(${CC:-gcc} --print-file-name "$ASAN_RT_NAME")")"
    elif ASAN_RT_NAME="$(awk '/libclang_rt.asan/ {x=$1; exit} END {print x; exit x==""}' < <(ldd "$SYSTEMD"))"; then
        ASAN_COMPILER=clang
        ASAN_RT_PATH="$(readlink -f "$(${CC:-clang} --print-file-name "$ASAN_RT_NAME")")"

        # As clang's ASan DSO is usually in a non-standard path, let's check if
        # the environment is set accordingly. If not, warn the user and exit.
        # We're not setting the LD_LIBRARY_PATH automagically here, because
        # user should encounter (and fix) the same issue when running the unit
        # tests (meson test)
        if ldd "$SYSTEMD" | grep -q "libclang_rt.asan.*not found"; then
            echo >&2 "clang's ASan DSO ($ASAN_RT_NAME) is not present in the runtime library path"
            echo >&2 "Consider setting LD_LIBRARY_PATH=${ASAN_RT_PATH%/*}"
            exit 1
        fi
    else
        echo >&2 "systemd is not linked against the ASan DSO"
        echo >&2 "gcc does this by default, for clang compile with -shared-libasan"
        exit 1
    fi

    echo "Detected ASan RT '$ASAN_RT_NAME' located at '$ASAN_RT_PATH'"
fi

test_require_bin() {
    local bin

    for bin in "$@"; do
        if ! command -v "$bin" >/dev/null; then
            echo "Required binary $bin not available, skipping the test"
            exit 0
        fi
    done
}

find_qemu_bin() {
    QEMU_BIN="${QEMU_BIN:-""}"
    # SUSE and Red Hat call the binary qemu-kvm. Debian and Gentoo call it kvm.
    if get_bool "$QEMU_KVM"; then
        [[ -n "$QEMU_BIN" ]] || QEMU_BIN="$(command -v kvm qemu-kvm 2>/dev/null | grep '^/' -m1)"
    fi

    [[ -n "$ARCH" ]] || ARCH="$(uname -m)"
    case $ARCH in
    x86_64)
        # QEMU's own build system calls it qemu-system-x86_64
        [[ -n "$QEMU_BIN" ]] || QEMU_BIN="$(command -v qemu-system-x86_64 2>/dev/null | grep '^/' -m1)"
        ;;
    i*86)
        # new i386 version of QEMU
        [[ -n "$QEMU_BIN" ]] || QEMU_BIN="$(command -v qemu-system-i386 2>/dev/null | grep '^/' -m1)"

        # i386 version of QEMU
        [[ -n "$QEMU_BIN" ]] || QEMU_BIN="$(command -v qemu 2>/dev/null | grep '^/' -m1)"
        ;;
    ppc64*)
        [[ -n "$QEMU_BIN" ]] || QEMU_BIN="$(command -v qemu-system-ppc64 2>/dev/null | grep '^/' -m1)"
        ;;
    esac

    if [[ ! -e "$QEMU_BIN" ]]; then
        echo "Could not find a suitable qemu binary" >&2
        return 1
    fi
}

qemu_setup_swtpm_socket() {
    local pid state_dir tpm_device

    if ! tpm_device="$(qemu_get_tpm_device)"; then
        dinfo "Found QEMU version is too old for TPM2 on ppc64le"
        exit 0
    fi

    state_dir="$(mktemp -d)"
    swtpm socket --tpm2 --tpmstate dir="$state_dir" --ctrl type=unixio,path="$state_dir/sock" &
    pid=$!
    if ! kill -0 "$pid"; then
        derror "Failed to start swtpm"
        return 1
    fi

    if ! timeout 5 bash -c "until [[ -S $state_dir/sock ]]; do sleep .5; done"; then
        derror "Failed to setup swtpm socket"
        return 1
    fi

    dinfo "Started swtpm as PID $pid with state dir $state_dir"

    add_at_exit_handler "kill -TERM $pid 2>/dev/null; rm -rf '$state_dir'"

    QEMU_OPTIONS+=" -chardev socket,id=chrtpm,path=$state_dir/sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device $tpm_device,tpmdev=tpm0"
    dinfo "Configured emulated TPM2 device $tpm_device"

    return 0
}

qemu_get_tpm_device() {
    local tpm_device="tpm-tis"

    if [[ "$(uname -m)" == "ppc64le" ]]; then
        # tpm-spapr support was introduced in qemu 5.0.0
        if ! qemu_min_version "5.0.0"; then
            return 1
        fi

        tpm_device="tpm-spapr"
    fi

    echo "$tpm_device"
    return 0
}

# Compares argument #1=X.Y.Z (X&Y&Z = numeric) to the version of the installed qemu
# returns 0 if newer or equal
# returns 1 if older
# returns 2 if failing
qemu_min_version() {
    find_qemu_bin || return 2

    # get version from binary
    local qemu_ver
    qemu_ver="$("$QEMU_BIN" --version | awk '/^QEMU emulator version ([0-9]*\.[0-9]*\.[0-9]*)/ {print $4}')"

    # Check version string format
    echo "$qemu_ver" | grep -q '^[0-9]*\.[0-9]*\.[0-9]*$' || return 2
    echo "$1" | grep -q '^[0-9]*\.[0-9]*\.[0-9]*$' || return 2

    # compare as last command to return that value
    printf "%s\n%s\n" "$1" "$qemu_ver" | sort -V -C
}

# Pads a file to multiple of 4 bytes
pad4_file() {
    local size
    size=$(stat -c "%s" "$1")
    local padded
    padded=$((((size + 3) / 4) * 4))
    truncate -s "$padded" "$1"
}

# Return 0 if qemu did run (then you must check the result state/logs for actual
# success), or 1 if qemu is not available.
run_qemu() {
    if declare -F run_qemu_hook >/dev/null; then
        if ! run_qemu_hook "${workspace}"; then
            derror "check_qemu_hook() returned with EC > 0"
            ret=4
        fi
    fi

    # If the test provided its own initrd, use it (e.g. TEST-24)
    if [[ -z "$INITRD" && -f "${TESTDIR:?}/initrd.img" ]]; then
        INITRD="$TESTDIR/initrd.img"
    fi

    if [ -f /etc/machine-id ]; then
        read -r MACHINE_ID </etc/machine-id
        [ -z "$INITRD" ] && [ -e "$EFI_MOUNT/$MACHINE_ID/$KERNEL_VER/initrd" ] \
            && INITRD="$EFI_MOUNT/$MACHINE_ID/$KERNEL_VER/initrd"
        [ -z "$KERNEL_BIN" ] && [ -e "$EFI_MOUNT/$MACHINE_ID/$KERNEL_VER/linux" ] \
            && KERNEL_BIN="$EFI_MOUNT/$MACHINE_ID/$KERNEL_VER/linux"
    fi

    local CONSOLE=ttyS0

    find "${initdir:?}/var/tmp" -mindepth 1 -delete
    rm -f "$initdir"/{testok,failed,skipped}
    # make sure the initdir is not mounted to avoid concurrent access
    cleanup_initdir
    umount_loopback

    if [[ ! "$KERNEL_BIN" ]]; then
        if get_bool "$LOOKS_LIKE_ARCH"; then
            KERNEL_BIN=/boot/vmlinuz-linux
        else
            [ "$ARCH" ] || ARCH=$(uname -m)
            case $ARCH in
                ppc64*)
                    # Ubuntu ppc64* calls the kernel binary as vmlinux-*, RHEL/CentOS
                    # uses the "standard" vmlinuz- prefix
                    [[ -e "/boot/vmlinux-$KERNEL_VER" ]] && KERNEL_BIN="/boot/vmlinux-$KERNEL_VER" || KERNEL_BIN="/boot/vmlinuz-$KERNEL_VER"
                    CONSOLE=hvc0
                    ;;
                *)
                    KERNEL_BIN="/boot/vmlinuz-$KERNEL_VER"
                    ;;
            esac
        fi
    fi

    local default_fedora_initrd="/boot/initramfs-${KERNEL_VER}.img"
    local default_debian_initrd="/boot/initrd.img-${KERNEL_VER}"
    local default_arch_initrd="/boot/initramfs-linux-fallback.img"
    local default_suse_initrd="/boot/initrd-${KERNEL_VER}"
    if [[ ! "$INITRD" ]]; then
        if [[ -e "$default_fedora_initrd" ]]; then
            INITRD="$default_fedora_initrd"
        elif get_bool "$LOOKS_LIKE_DEBIAN" && [[ -e "$default_debian_initrd" ]]; then
            INITRD="$default_debian_initrd"
        elif get_bool "$LOOKS_LIKE_ARCH" && [[ -e "$default_arch_initrd" ]]; then
            INITRD="$default_arch_initrd"
        elif get_bool "$LOOKS_LIKE_SUSE" && [[ -e "$default_suse_initrd" ]]; then
            INITRD="$default_suse_initrd"
        fi
    fi

    # If QEMU_SMP was not explicitly set, try to determine the value 'dynamically'
    # i.e. use the number of online CPUs on the host machine. If the nproc utility
    # is not installed or there's some other error when calling it, fall back
    # to the original value (QEMU_SMP=1).
    if [[ -z "${QEMU_SMP:=}" ]]; then
        if ! QEMU_SMP=$(nproc); then
            dwarn "nproc utility is not installed, falling back to QEMU_SMP=1"
            QEMU_SMP=1
        fi
    fi

    find_qemu_bin || return 1

    if get_bool "${TEST_SETUP_SWTPM:-}"; then
        qemu_setup_swtpm_socket || return 1
    fi

    # Umount initdir to avoid concurrent access to the filesystem
    _umount_dir "$initdir"

    local kernel_params=()
    local qemu_options=()
    local qemu_cmd=("$QEMU_BIN")

    if [[ "$UNIFIED_CGROUP_HIERARCHY" = "yes" ]]; then
        kernel_params+=("systemd.unified_cgroup_hierarchy=yes")
    elif [[ "$UNIFIED_CGROUP_HIERARCHY" = "no" ]]; then
        kernel_params+=("systemd.unified_cgroup_hierarchy=no" "systemd.legacy_systemd_cgroup_controller=yes")
    elif [[ "$UNIFIED_CGROUP_HIERARCHY" = "hybrid" ]]; then
        kernel_params+=("systemd.unified_cgroup_hierarchy=no" "systemd.legacy_systemd_cgroup_controller=no")
    elif [[ "$UNIFIED_CGROUP_HIERARCHY" != "default" ]]; then
        dfatal "Unknown UNIFIED_CGROUP_HIERARCHY. Got $UNIFIED_CGROUP_HIERARCHY, expected [yes|no|hybrid|default]"
        exit 1
    fi

    if get_bool "$LOOKS_LIKE_SUSE"; then
        kernel_params+=("rd.hostonly=0")
    fi

    # Debian/Ubuntu's initramfs tries to check if it can resume from hibernation
    # and wastes a minute or so probing disks, skip that as it's not useful here
    kernel_params+=(
        "root=LABEL=systemd_boot"
        "rw"
        "raid=noautodetect"
        "rd.luks=0"
        "loglevel=2"
        "init=$PATH_TO_INIT"
        "console=$CONSOLE"
        "SYSTEMD_UNIT_PATH=/usr/lib/systemd/tests/testdata/$1.units:/usr/lib/systemd/tests/testdata/units:"
        "systemd.unit=testsuite.target"
        "systemd.wants=$1.service"
        "noresume"
        "oops=panic"
        ${TEST_MATCH_SUBTEST:+"systemd.setenv=TEST_MATCH_SUBTEST=$TEST_MATCH_SUBTEST"}
        ${TEST_MATCH_TESTCASE:+"systemd.setenv=TEST_MATCH_TESTCASE=$TEST_MATCH_TESTCASE"}
    )

    if ! get_bool "$INTERACTIVE_DEBUG" && ! get_bool "$TEST_SKIP_SHUTDOWN"; then
        kernel_params+=(
            "panic=1"
            "softlockup_panic=1"
            "systemd.wants=end.service"
        )
    fi

    [ -e "$IMAGE_PRIVATE" ] && image="$IMAGE_PRIVATE" || image="$IMAGE_PUBLIC"
    qemu_options+=(
        -smp "$QEMU_SMP"
        -net none
        -m "${QEMU_MEM:-768M}"
        -nographic
        -kernel "$KERNEL_BIN"
        -drive "format=raw,cache=unsafe,file=$image"
        -device "virtio-rng-pci,max-bytes=1024,period=1000"
    )

    if [[ -n "${QEMU_OPTIONS:=}" ]]; then
        local user_qemu_options
        read -ra user_qemu_options <<< "$QEMU_OPTIONS"
        qemu_options+=("${user_qemu_options[@]}")
    fi
    qemu_options+=(${QEMU_OPTIONS_ARRAY:+"${QEMU_OPTIONS_ARRAY[@]}"})

    if [[ -n "$INITRD" ]]; then
        if [[ -n "$INITRD_EXTRA" ]]; then
            # An addition initrd has been specified, let's combine it with the main one.
            local t="$WORKDIR"/initrd.combined."$RANDOM"

            # First, show contents of additional initrd
            echo "Additional initrd contents:"
            cpio -tv < "$INITRD_EXTRA"

            # Copy the main initrd
            zstd -d -c -f "$INITRD" > "$t"
            add_at_exit_handler "rm $t"
            # Kernel requires this to be padded to multiple of 4 bytes with zeroes
            pad4_file "$t"

            # Copy the additional initrd
            cat "$INITRD_EXTRA" >> "$t"
            pad4_file "$t"

            qemu_options+=(-initrd "$t")
        else
            qemu_options+=(-initrd "$INITRD")
        fi
    fi

    # Let's use KVM if possible
    if [[ -c /dev/kvm ]] && get_bool $QEMU_KVM; then
        qemu_options+=(-machine "accel=kvm" -enable-kvm -cpu host)
    fi

    if [[ "$QEMU_TIMEOUT" != "infinity" ]]; then
        qemu_cmd=(timeout --foreground "$QEMU_TIMEOUT" "$QEMU_BIN")
    fi

    (set -x; "${qemu_cmd[@]}" "${qemu_options[@]}" -append "${kernel_params[*]} ${KERNEL_APPEND:-}" |& tee "${TESTDIR:?}/console.log")
    rc=$?
    if [ "$rc" -eq 124 ] && [ "$QEMU_TIMEOUT" != "infinity" ]; then
        derror "Test timed out after ${QEMU_TIMEOUT}s"
        TIMED_OUT=1
    else
        [ "$rc" != 0 ] && derror "qemu failed with exit code $rc"
    fi
    return 0
}

# Return 0 if nspawn did run (then you must check the result state/logs for actual
# success), or 1 if nspawn is not available.
run_nspawn() {
    [[ -d /run/systemd/system ]] || return 1
    find "${initdir:?}/var/tmp" -mindepth 1 -delete
    rm -f "${initdir:?}"/{testok,failed,skipped}

    local nspawn_cmd=()
    local nspawn_options=(
        "--register=no"
        "--kill-signal=SIGKILL"
        "--directory=${1:?}"
        "--setenv=SYSTEMD_UNIT_PATH=/usr/lib/systemd/tests/testdata/$2.units:/usr/lib/systemd/tests/testdata/units:"
        "--machine=$2"
    )
    local kernel_params=(
        "$PATH_TO_INIT"
        "systemd.unit=testsuite.target"
        "systemd.wants=$2.service"
        ${TEST_MATCH_SUBTEST:+"systemd.setenv=TEST_MATCH_SUBTEST=$TEST_MATCH_SUBTEST"}
        ${TEST_MATCH_TESTCASE:+"systemd.setenv=TEST_MATCH_TESTCASE=$TEST_MATCH_TESTCASE"}
    )

    if get_bool "$INTERACTIVE_DEBUG"; then
        nspawn_options+=("--console=interactive")
    elif ! get_bool "$TEST_SKIP_SHUTDOWN"; then
        kernel_params+=("systemd.wants=end.service")
    fi

    if [[ -n "${NSPAWN_ARGUMENTS:=}" ]]; then
        local user_nspawn_arguments
        read -ra user_nspawn_arguments <<< "$NSPAWN_ARGUMENTS"
        nspawn_options+=("${user_nspawn_arguments[@]}")
    fi

    if [[ "$UNIFIED_CGROUP_HIERARCHY" = "hybrid" ]]; then
        dwarn "nspawn doesn't support SYSTEMD_NSPAWN_UNIFIED_HIERARCHY=hybrid, skipping"
        exit
    elif [[ "$UNIFIED_CGROUP_HIERARCHY" = "yes" || "$UNIFIED_CGROUP_HIERARCHY" = "no" ]]; then
        nspawn_cmd+=(env "SYSTEMD_NSPAWN_UNIFIED_HIERARCHY=$UNIFIED_CGROUP_HIERARCHY")
    elif [[ "$UNIFIED_CGROUP_HIERARCHY" = "default" ]]; then
        nspawn_cmd+=(env "--unset=UNIFIED_CGROUP_HIERARCHY" "--unset=SYSTEMD_NSPAWN_UNIFIED_HIERARCHY")
    else
        dfatal "Unknown UNIFIED_CGROUP_HIERARCHY. Got $UNIFIED_CGROUP_HIERARCHY, expected [yes|no|hybrid|default]"
        exit 1
    fi

    if [[ "$NSPAWN_TIMEOUT" != "infinity" ]]; then
        nspawn_cmd+=(timeout --foreground "$NSPAWN_TIMEOUT" "$SYSTEMD_NSPAWN")
    else
        nspawn_cmd+=("$SYSTEMD_NSPAWN")
    fi

    # Word splitting here is intentional
    # shellcheck disable=SC2086
    (set -x; "${nspawn_cmd[@]}" "${nspawn_options[@]}" "${kernel_params[@]}" ${KERNEL_APPEND:-} |& tee "${TESTDIR:?}/console.log")
    rc=$?
    if [ "$rc" -eq 124 ] && [ "$NSPAWN_TIMEOUT" != "infinity" ]; then
        derror "Test timed out after ${NSPAWN_TIMEOUT}s"
        TIMED_OUT=1
    else
        [ "$rc" != 0 ] && derror "nspawn failed with exit code $rc"
    fi
    return 0
}

# Build two very minimal root images, with two units, one is the same and one is different across them
install_verity_minimal() {
    dinfo "Set up a set of minimal images for verity verification"
    if [ -e "$initdir/usr/share/minimal.raw" ]; then
        return
    fi
    if ! command -v mksquashfs >/dev/null 2>&1; then
        dfatal "mksquashfs not found"
        exit 1
    fi
    if ! command -v veritysetup >/dev/null 2>&1; then
        dfatal "veritysetup not found"
        exit 1
    fi
    # Local modifications of some global variables is intentional in this
    # subshell (SC2030)
    # shellcheck disable=SC2030
    (
        BASICTOOLS=(
            bash
            cat
            echo
            grep
            mount
            sleep
            touch
        )
        oldinitdir="$initdir"
        rm -rfv "$TESTDIR/minimal"
        export initdir="$TESTDIR/minimal"
        # app0 will use TemporaryFileSystem=/var/lib, app1 will need the mount point in the base image
        mkdir -p "$initdir/usr/lib/systemd/system" "$initdir/usr/lib/extension-release.d" "$initdir/etc" "$initdir/var/tmp" "$initdir/opt" "$initdir/var/lib/app1"
        setup_basic_dirs
        install_basic_tools
        install_ld_so_conf
        # Shellcheck treats [[ -v VAR ]] as an assignment to avoid a different
        # issue, thus falsely triggering SC2030 in this case
        # See: koalaman/shellcheck#1409
        if [[ -v ASAN_RT_PATH ]]; then
            # If we're compiled with ASan, install the ASan RT (and its dependencies)
            # into the verity images to get rid of the annoying errors about
            # missing $LD_PRELOAD libraries.
            inst_libs "$ASAN_RT_PATH"
            inst_library "$ASAN_RT_PATH"
        fi
        cp "$os_release" "$initdir/usr/lib/os-release"
        ln -s ../usr/lib/os-release "$initdir/etc/os-release"
        touch "$initdir/etc/machine-id" "$initdir/etc/resolv.conf"
        touch "$initdir/opt/some_file"
        echo MARKER=1 >>"$initdir/usr/lib/os-release"
        echo "PORTABLE_PREFIXES=app0 minimal minimal-app0" >>"$initdir/usr/lib/os-release"
        cat >"$initdir/usr/lib/systemd/system/minimal-app0.service" <<EOF
[Service]
ExecStartPre=cat /usr/lib/os-release
ExecStart=sleep 120
EOF
        cp "$initdir/usr/lib/systemd/system/minimal-app0.service" "$initdir/usr/lib/systemd/system/minimal-app0-foo.service"

        mksquashfs "$initdir" "$oldinitdir/usr/share/minimal_0.raw" -noappend
        veritysetup format "$oldinitdir/usr/share/minimal_0.raw" "$oldinitdir/usr/share/minimal_0.verity" | \
            grep '^Root hash:' | cut -f2 | tr -d '\n' >"$oldinitdir/usr/share/minimal_0.roothash"

        sed -i "s/MARKER=1/MARKER=2/g" "$initdir/usr/lib/os-release"
        rm "$initdir/usr/lib/systemd/system/minimal-app0-foo.service"
        cp "$initdir/usr/lib/systemd/system/minimal-app0.service" "$initdir/usr/lib/systemd/system/minimal-app0-bar.service"

        mksquashfs "$initdir" "$oldinitdir/usr/share/minimal_1.raw" -noappend
        veritysetup format "$oldinitdir/usr/share/minimal_1.raw" "$oldinitdir/usr/share/minimal_1.verity" | \
            grep '^Root hash:' | cut -f2 | tr -d '\n' >"$oldinitdir/usr/share/minimal_1.roothash"
    )
}

setup_basic_environment() {
    # create the basic filesystem layout
    setup_basic_dirs

    install_systemd
    install_missing_libraries
    install_config_files
    install_zoneinfo
    create_rc_local
    install_basic_tools
    install_libnss
    install_pam
    install_dbus
    install_fonts
    install_locales
    install_keymaps
    install_x11_keymaps
    install_terminfo
    install_execs
    install_fs_tools
    install_modules
    install_plymouth
    install_haveged
    install_debug_tools
    install_ld_so_conf
    install_testuser
    has_user_dbus_socket && install_user_dbus
    setup_selinux
    install_depmod_files
    generate_module_dependencies
    if get_bool "$IS_BUILT_WITH_ASAN"; then
        create_asan_wrapper
    fi
    if get_bool "$TEST_INSTALL_VERITY_MINIMAL"; then
        install_verity_minimal
    fi
}

setup_selinux() {
    dinfo "Setup SELinux"
    # don't forget KERNEL_APPEND='... selinux=1 ...'
    if ! get_bool "$SETUP_SELINUX"; then
        dinfo "SETUP_SELINUX != yes, skipping SELinux configuration"
        return 0
    fi

    for dir in /etc/selinux /usr/share/selinux; do
        rm -rf "${initdir:?}/$dir"
        if ! cp -ar "$dir" "$initdir/$dir"; then
            dfatal "Failed to copy $dir"
            exit 1
        fi
    done

    # We use a custom autorelabel service instead of the SELinux provided set
    # of units & a generator, since the generator overrides the default target
    # to the SELinux one when it detects /.autorelabel. However, we use
    # systemd.unit= on the kernel command cmdline which always takes precedence,
    # rendering all SELinux efforts useless. Also, pulling in selinux-autorelabel.service
    # explicitly doesn't work either, as it doesn't check for the presence of /.autorelabel
    # and does the relabeling unconditionally which always ends with a reboot, so
    # we end up in a reboot loop (and it also spews quite a lot of errors as it
    # wants /etc/fstab and dracut-initramfs-restore).
    touch "$initdir/.autorelabel"
    mkdir -p "$initdir/usr/lib/systemd/tests/testdata/units/basic.target.wants"
    ln -sf ../autorelabel.service "$initdir/usr/lib/systemd/tests/testdata/units/basic.target.wants/"

    # Tools requires by fixfiles
    image_install awk bash cat chcon expr egrep find grep head secon setfiles rm sort uname uniq
    image_install fixfiles getenforce load_policy selinuxenabled sestatus
}

install_valgrind() {
    if ! type -p valgrind; then
        dfatal "Failed to install valgrind"
        exit 1
    fi

    local valgrind_bins valgrind_libs valgrind_supp

    readarray -t valgrind_bins < <(strace -e execve valgrind /bin/true 2>&1 >/dev/null |
                                       sed -r -n 's/execve\("([^"]*)".*/\1/p')
    image_install "${valgrind_bins[@]}"

    readarray -t valgrind_libs < <(LD_DEBUG=files valgrind /bin/true 2>&1 >/dev/null |
                                       sed -r -n 's|.*calling init: (/.*vgpreload_.*)|\1|p')
    image_install "${valgrind_libs[@]}"

    readarray -t valgrind_supp < <(strace -e open valgrind /bin/true 2>&1 >/dev/null |
                                       sed -r -n 's,open\("([^"]*(/debug[^"]*|\.supp))".*= [0-9].*,\1,p')
    image_install "${valgrind_supp[@]}"
}

create_valgrind_wrapper() {
    local valgrind_wrapper="$initdir/$ROOTLIBDIR/systemd-under-valgrind"
    ddebug "Create $valgrind_wrapper"
    cat >"$valgrind_wrapper" <<EOF
#!/usr/bin/env bash

mount -t proc proc /proc
exec valgrind --leak-check=full --track-fds=yes --log-file=/valgrind.out $ROOTLIBDIR/systemd "\$@"
EOF
    chmod 0755 "$valgrind_wrapper"
}

create_asan_wrapper() {
    local asan_wrapper default_asan_options default_ubsan_options default_environment manager_environment

    [[ -z "$ASAN_RT_PATH" ]] && dfatal "ASAN_RT_PATH is empty, but it shouldn't be"

    default_asan_options="${ASAN_OPTIONS:-strict_string_checks=1:detect_stack_use_after_return=1:check_initialization_order=1:strict_init_order=1:disable_coredump=0:use_madv_dontdump=1}"
    default_ubsan_options="${UBSAN_OPTIONS:-print_stacktrace=1:print_summary=1:halt_on_error=1}"

    if [[ "$ASAN_COMPILER" == "clang" ]]; then
        # clang: install llvm-symbolizer to generate useful reports
        # See: https://clang.llvm.org/docs/AddressSanitizer.html#symbolizing-the-reports
        image_install "llvm-symbolizer"

        # Let's add the ASan DSO's path to the dynamic linker's cache. This is pretty
        # unnecessary for gcc & libasan, however, for clang this is crucial, as its
        # runtime ASan DSO is in a non-standard (library) path.
        mkdir -p "${initdir:?}/etc/ld.so.conf.d/"
        echo "${ASAN_RT_PATH%/*}" >"${initdir:?}/etc/ld.so.conf.d/asan-path-override.conf"
        ldconfig -r "$initdir"
    fi

    # Create a simple environment file which can be included by systemd services
    # that need it (i.e. services that utilize DynamicUser=true and bash, etc.)
    cat >"${initdir:?}/usr/lib/systemd/systemd-asan-env" <<EOF
LD_PRELOAD=$ASAN_RT_PATH
ASAN_OPTIONS=$default_asan_options
LSAN_OPTIONS=detect_leaks=0
UBSAN_OPTIONS=$default_ubsan_options
EOF

    default_environment=(
        "ASAN_OPTIONS='$default_asan_options'"
        "UBSAN_OPTIONS='$default_ubsan_options'"
        "ASAN_RT_PATH='$ASAN_RT_PATH'"
    )
    manager_environment=(
        "ASAN_OPTIONS='$default_asan_options:log_path=/systemd-pid1.asan.log:log_to_syslog=1'"
        "UBSAN_OPTIONS='$default_ubsan_options:log_path=/systemd-pid1.ubsan.log:log_to_syslog=1'"
        "ASAN_RT_PATH='$ASAN_RT_PATH'"
    )

    mkdir -p "${initdir:?}/etc/systemd/system.conf.d/"
    cat >"${initdir:?}/etc/systemd/system.conf.d/asan.conf" <<EOF
[Manager]
DefaultEnvironment=${default_environment[*]}
ManagerEnvironment=${manager_environment[*]}
DefaultTimeoutStartSec=180s
EOF

    # ASAN and syscall filters aren't compatible with each other.
    find "${initdir:?}" -name '*.service' -type f -print0 | xargs -0 sed -i 's/^\(MemoryDeny\|SystemCall\)/#\1/'

    mkdir -p "${initdir:?}/etc/systemd/system/systemd-journald.service.d/"
    cat >"${initdir:?}/etc/systemd/system/systemd-journald.service.d/asan-env.conf" <<EOF
[Service]
# The redirection of ASAN reports to a file prevents them from ending up in /dev/null.
# But, apparently, sometimes it doesn't work: https://github.com/google/sanitizers/issues/886.
Environment=ASAN_OPTIONS=$default_asan_options:log_path=/systemd-journald.asan.log UBSAN_OPTIONS=$default_ubsan_options:log_path=/systemd-journald.ubsan.log

# Sometimes UBSan sends its reports to stderr regardless of what is specified in log_path
# Let's try to catch them by redirecting stderr (and stdout just in case) to a file
# See https://github.com/systemd/systemd/pull/12524#issuecomment-491108821
StandardOutput=file:/systemd-journald.out
EOF

    # 90s isn't enough for some services to finish when literally everything is run
    # under ASan+UBSan in containers, which, in turn, are run in VMs.
    # Let's limit which environments such services should be executed in.
    mkdir -p "${initdir:?}/etc/systemd/system/systemd-hwdb-update.service.d/"
    cat >"${initdir:?}/etc/systemd/system/systemd-hwdb-update.service.d/asan.conf" <<EOF
[Unit]
ConditionVirtualization=container

[Service]
TimeoutSec=240s
EOF

    # Let's override another hard-coded timeout that kicks in too early
    mkdir -p "${initdir:?}/etc/systemd/system/systemd-journal-flush.service.d/"
    cat >"${initdir:?}/etc/systemd/system/systemd-journal-flush.service.d/asan.conf" <<EOF
[Service]
TimeoutSec=180s
EOF

    asan_wrapper="${initdir:?}/${PATH_TO_INIT:?}"
    # Sanity check to make sure we don't overwrite something we shouldn't.
    [[ "$asan_wrapper" =~ systemd-under-asan$ ]]

    cat >"$asan_wrapper" <<EOF
#!/usr/bin/env bash
set -eux

export PATH="/sbin:/bin:/usr/sbin:/usr/bin"
export ${manager_environment[@]}
[[ -n "\$ASAN_OPTIONS" && -n "\$UBSAN_OPTIONS" ]]

exec "$ROOTLIBDIR/systemd" "\$@"
EOF
    chmod 0755 "$asan_wrapper"
}

create_strace_wrapper() {
    local strace_wrapper="$initdir/$ROOTLIBDIR/systemd-under-strace"
    ddebug "Create $strace_wrapper"
    cat >"$strace_wrapper" <<EOF
#!/usr/bin/env bash

exec strace -f -D -o /strace.out "$ROOTLIBDIR/systemd" "\$@"
EOF
    chmod 0755 "$strace_wrapper"
}

install_fs_tools() {
    dinfo "Install fsck"
    image_install /sbin/fsck*
    image_install -o /bin/fsck*

    # fskc.reiserfs calls reiserfsck. so, install it
    image_install -o reiserfsck

    # we use mkfs in system-repart tests
    image_install /sbin/mkfs.ext4
    image_install /sbin/mkfs.vfat

    # we use mkswap in udev-storage tests
    image_install /sbin/mkswap
}

install_modules() {
    dinfo "Install modules"

    instmods bridge dummy ext4 ipvlan macvlan vfat veth
    instmods loop =block
    instmods nls_ascii =nls
    instmods overlay =overlayfs
    instmods scsi_debug

    if get_bool "$LOOKS_LIKE_SUSE"; then
        instmods af_packet
    fi
}

install_dmevent() {
    instmods dm_crypt =crypto
    inst_binary dmeventd
    image_install "${ROOTLIBDIR:?}"/system/dm-event.{service,socket}
    if get_bool "$LOOKS_LIKE_DEBIAN"; then
        # dmsetup installs 55-dm and 60-persistent-storage-dm on Debian/Ubuntu
        # and since buster/bionic 95-dm-notify.rules
        # see https://gitlab.com/debian-lvm/lvm2/blob/master/debian/patches/udev.patch
        inst_rules 55-dm.rules 60-persistent-storage-dm.rules 95-dm-notify.rules
    else
        inst_rules 10-dm.rules 13-dm-disk.rules 95-dm-notify.rules
    fi
    if get_bool "$LOOKS_LIKE_SUSE"; then
        inst_rules 60-persistent-storage.rules 61-persistent-storage-compat.rules 99-systemd.rules
    fi
}

install_multipath() {
    instmods "=md" multipath
    image_install kpartx /lib/udev/kpartx_id lsmod mpathpersist multipath multipathd partx
    image_install "${ROOTLIBDIR:?}"/system/multipathd.{service,socket}
    if get_bool "$LOOKS_LIKE_DEBIAN"; then
        # Note: try both 60-kpartx.rules (as seen on Debian Sid with 0.9.4-7) and 95-kpartx.rules (as seen on
        # Ubuntu Jammy with 0.8.8-1ubuntu1.22.04.4)
        inst_rules 56-dm-parts.rules 56-dm-mpath.rules 60-kpartx.rules 60-multipath.rules 68-del-part-nodes.rules 95-kpartx.rules
    else
        inst_rules 11-dm-mpath.rules 11-dm-parts.rules 62-multipath.rules 66-kpartx.rules 68-del-part-nodes.rules
    fi
    mkdir -p "${initdir:?}/etc/multipath"

    local file
    while read -r file; do
        # Install libraries required by the given library
        inst_libs "$file"
        # Install the library itself and create necessary symlinks
        inst_library "$file"
    done < <(find /lib*/multipath -type f)
}

install_lvm() {
    local lvm_rules rule_prefix

    image_install lvm
    image_install "${ROOTLIBDIR:?}"/system/lvm2-lvmpolld.{service,socket}
    image_install "${ROOTLIBDIR:?}"/system/{blk-availability,lvm2-monitor}.service
    image_install -o "/lib/tmpfiles.d/lvm2.conf"

    if get_bool "$LOOKS_LIKE_DEBIAN"; then
        lvm_rules="56-lvm.rules"
        rule_prefix=""
    else
        lvm_rules="11-dm-lvm.rules"
        rule_prefix="dm-"
    fi

    # Support the new udev autoactivation introduced in lvm 2.03.14
    # https://sourceware.org/git/?p=lvm2.git;a=commit;h=67722b312390cdab29c076c912e14bd739c5c0f6
    # Static autoactivation (via lvm2-activation-generator) was dropped
    # in lvm 2.03.15
    # https://sourceware.org/git/?p=lvm2.git;a=commit;h=ee8fb0310c53ed003a43b324c99cdfd891dd1a7c
    if [[ -f "/lib/udev/rules.d/69-${rule_prefix}lvm.rules" ]]; then
        inst_rules "$lvm_rules" "69-${rule_prefix}lvm.rules"
    else
        image_install "${ROOTLIBDIR:?}"/system-generators/lvm2-activation-generator
        image_install "${ROOTLIBDIR:?}"/system/lvm2-pvscan@.service
        inst_rules "$lvm_rules" "69-${rule_prefix}lvm-metad.rules"
    fi

    mkdir -p "${initdir:?}/etc/lvm"
}

host_has_btrfs() (
    set -e
    modprobe -nv btrfs && command -v mkfs.btrfs && command -v btrfs || return $?
)

install_btrfs() {
    instmods btrfs
    # Not all utilities provided by btrfs-progs are listed here; extend the list
    # if necessary
    image_install btrfs btrfstune mkfs.btrfs
    inst_rules 64-btrfs-dm.rules
}

install_iscsi() {
    # Install both client and server side stuff by default
    local inst="${1:-}"
    local file

    # Install client-side stuff ("initiator" in iSCSI jargon) - Open-iSCSI in this case
    # (open-iscsi on Debian, iscsi-initiator-utils on Fedora, etc.)
    if [[ -z "$inst" || "$inst" =~ (client|initiator) ]]; then
        image_install iscsi-iname iscsiadm iscsid iscsistart
        image_install -o "${ROOTLIBDIR:?}"/system/iscsi-{init,onboot,shutdown}.service
        image_install "${ROOTLIBDIR:?}"/system/iscsid.{service,socket}
        image_install "${ROOTLIBDIR:?}"/system/iscsi.service
        mkdir -p "${initdir:?}"/var/lib/iscsi/{ifaces,isns,nodes,send_targets,slp,static}
        mkdir -p "${initdir:?}/etc/iscsi"
        echo "iscsid.startup = /bin/systemctl start iscsid.socket" >"${initdir:?}/etc/iscsi/iscsid.conf"
        # Since open-iscsi 2.1.2 [0] the initiator name should be generated via
        # a one-time service instead of distro package's post-install scripts.
        # However, some distros still use this approach even after this patch,
        # so prefer the already existing initiatorname.iscsi file if it exists.
        #
        # [0] https://github.com/open-iscsi/open-iscsi/commit/f37d5b653f9f251845db3f29b1a3dcb90ec89731
        if [[ ! -e /etc/iscsi/initiatorname.iscsi ]]; then
            image_install "${ROOTLIBDIR:?}"/system/iscsi-init.service
            if get_bool "$IS_BUILT_WITH_ASAN"; then
                # The iscsi-init.service calls `sh` which might, in certain circumstances,
                # pull in instrumented systemd NSS modules causing `sh` to fail. Let's mitigate
                # this by pulling in an env file crafted by `create_asan_wrapper()` that
                # (among others) pre-loads ASan's DSO.
                mkdir -p "${initdir:?}/etc/systemd/system/iscsi-init.service.d/"
                printf "[Service]\nEnvironmentFile=/usr/lib/systemd/systemd-asan-env" >"${initdir:?}/etc/systemd/system/iscsi-init.service.d/asan-env.conf"
            fi
        else
            inst_simple "/etc/iscsi/initiatorname.iscsi"
        fi
    fi

    # Install server-side stuff ("target" in iSCSI jargon) - TGT in this case
    # (tgt on Debian, scsi-target-utils on Fedora, etc.)
    if [[ -z "$inst" || "$inst" =~ (server|target) ]]; then
        image_install tgt-admin tgt-setup-lun tgtadm tgtd tgtimg
        image_install -o /etc/sysconfig/tgtd
        image_install "${ROOTLIBDIR:?}"/system/tgtd.service
        mkdir -p "${initdir:?}/etc/tgt"
        touch "${initdir:?}"/etc/tgt/{tgtd,targets}.conf
        # Install perl modules required by tgt-admin
        #
        # Forgive me father for I have sinned. The monstrosity below appends
        # a perl snippet to the `tgt-admin` perl script on the fly, which
        # dumps a list of files (perl modules) required by `tgt-admin` at
        # the runtime plus any DSOs loaded via DynaLoader. This list is then
        # passed to `inst_simple` which installs the necessary files into the image
        #
        # shellcheck disable=SC2016
        while read -r file; do
            inst_simple "$file"
        done < <(perl -- <(cat "$(command -v tgt-admin)" <(echo -e 'use DynaLoader; print map { "$_\n" } values %INC; print join("\n", @DynaLoader::dl_shared_objects)')) -p | awk '/^\// { print $1 }')
    fi
}

host_has_mdadm() (
    set -e
    command -v mdadm || return $?
)

install_mdadm() {
    local unit
    local mdadm_units=(
        system/mdadm-grow-continue@.service
        system/mdadm-last-resort@.service
        system/mdadm-last-resort@.timer
        system/mdmon@.service
        system/mdmonitor-oneshot.service
        system/mdmonitor-oneshot.timer
        system/mdmonitor.service
        system-shutdown/mdadm.shutdown
    )

    instmods "=md"
    image_install mdadm mdmon
    inst_rules 01-md-raid-creating.rules 63-md-raid-arrays.rules 64-md-raid-assembly.rules 69-md-clustered-confirm-device.rules
    # Fedora/CentOS/RHEL ships this rule file
    [[ -f /lib/udev/rules.d/65-md-incremental.rules ]] && inst_rules 65-md-incremental.rules

    for unit in "${mdadm_units[@]}"; do
        image_install "${ROOTLIBDIR:?}/$unit"
    done

    # Disable the mdmonitor service, since it fails if there's no valid email address
    # configured in /etc/mdadm.conf, which just unnecessarily pollutes the logs
    "${SYSTEMCTL:?}" mask --root "${initdir:?}" mdmonitor.service || :
}

install_compiled_systemd() {
    dinfo "Install compiled systemd"

    local ninja_bin
    ninja_bin="$(type -P ninja || type -P ninja-build)"
    if [[ -z "$ninja_bin" ]]; then
        dfatal "ninja was not found"
        exit 1
    fi
    (set -x; DESTDIR="$initdir" "$ninja_bin" -C "$BUILD_DIR" install)

    # If we are doing coverage runs, copy over the binary notes files, as lcov expects to
    # find them in the same directory as the runtime data counts
    if get_bool "$IS_BUILT_WITH_COVERAGE"; then
        mkdir -p "${initdir}/${BUILD_DIR:?}/"
        rsync -am --include='*/' --include='*.gcno' --exclude='*' "${BUILD_DIR:?}/" "${initdir}/${BUILD_DIR:?}/"
        # Set effective & default ACLs for the build dir so unprivileged
        # processes can write gcda files with coverage stats
        setfacl -R -m 'd:o:rwX' -m 'o:rwX' "${initdir}/${BUILD_DIR:?}/"
    fi
}

install_package_file() {
    local file="${1:?}"

    # Skip missing files (like /etc/machine-info)
    [[ ! -e "$file" ]] && return 0
    # Skip python unit tests, since the image_install machinery will try to pull
    # in the whole python stack in a very questionable state, making the tests fail.
    # And given we're trying to transition to mkosi-based images anyway I'm not even
    # going to bother
    [[ "$file" =~ /tests/unit-tests/.*.py$ ]] && return 0
    # If the current file is a directory, create it with the original
    # mode; if it's a symlink to a directory, copy it as-is
    if [[ -d "$file" ]]; then
        inst_dir "$file"
    else
        inst "$file"
    fi
}

install_debian_systemd() {
    dinfo "Install debian systemd"

    local deb file

    while read -r deb; do
        ddebug "Install debian files from package $deb"
        while read -r file; do
            install_package_file "$file"
        done < <(dpkg-query -L "$deb" 2>/dev/null)
    done < <(grep -E '^Package:' "${SOURCE_DIR}/debian/control" | cut -d ':' -f 2)
}

install_rpm() {
    local rpm="${1:?}"
    local file

    if ! rpm -q "$rpm" >/dev/null; then
        derror "RPM $rpm is not installed"
        return 1
    fi

    dinfo "Installing contents of RPM $rpm"
    while read -r file; do
        install_package_file "$file"
    done < <(rpm -ql "$rpm")
}

install_suse_systemd() {
    local pkgs

    dinfo "Install basic filesystem structure"
    install_rpm filesystem

    dinfo "Install SUSE systemd"

    pkgs=(
        systemd
        systemd-boot
        systemd-container
        systemd-coredump
        systemd-experimental
        systemd-homed
        systemd-journal-remote
        # Since commit fb6f25d7b979134a, systemd-resolved, which is shipped by
        # systemd-network sub-package on openSUSE, has its own testsuite.
        systemd-network
        systemd-portable
        udev
    )

    for p in "${pkgs[@]}"; do
        rpm -q "$p" &>/dev/null || continue

        install_rpm "$p"
    done

    dinfo "Install the data needed by the tests at runtime"
    inst_recursive "${SOURCE_DIR}/testdata"
    inst_recursive "${SOURCE_DIR}/unit-tests/manual"

    # On openSUSE, this directory is not created at package install, at least
    # for now.
    mkdir -p "$initdir/var/log/journal/remote"
}

install_fedora_systemd() {
    local required_packages=(
        systemd
        systemd-container
        systemd-libs
        systemd-pam
        systemd-tests
        systemd-udev
    )
    local optional_packages=(
        systemd-boot-unsigned
        systemd-bootchart
        systemd-journal-remote
        systemd-networkd
        systemd-oomd-defaults
        systemd-resolved
    )
    local package

    for package in "${required_packages[@]}"; do
        install_rpm "$package"
    done

    for package in "${optional_packages[@]}"; do
        rpm -q "$package" >/dev/null || continue
        install_rpm "$package"
    done
}

install_distro_systemd() {
    dinfo "Install distro systemd"

    if get_bool "$LOOKS_LIKE_DEBIAN"; then
        install_debian_systemd
    elif get_bool "$LOOKS_LIKE_SUSE"; then
        install_suse_systemd
    elif get_bool "$LOOKS_LIKE_FEDORA"; then
        install_fedora_systemd
    else
        dfatal "NO_BUILD not supported for this distro"
        exit 1
    fi
}

install_systemd() {
    dinfo "Install systemd"
    if get_bool "$NO_BUILD"; then
        install_distro_systemd
    else
        install_compiled_systemd
    fi

    # Remove unneeded documentation
    rm -fr "${initdir:?}"/usr/share/{man,doc}

    # Enable debug logging in PID1
    mkdir -p "$initdir/etc/systemd/system.conf.d/"
    echo -ne "[Manager]\nLogLevel=debug\n" >"$initdir/etc/systemd/system.conf.d/10-log-level.conf"
    if [[ -n "$TEST_SYSTEMD_LOG_LEVEL" ]]; then
        echo DefaultEnvironment=SYSTEMD_LOG_LEVEL="$TEST_SYSTEMD_LOG_LEVEL" >>"$initdir/etc/systemd/system.conf.d/99-log-level.conf"
    fi
    # Enable debug logging for user instances as well
    mkdir -p "$initdir/etc/systemd/user.conf.d/"
    echo -ne "[Manager]\nLogLevel=debug\n" >"$initdir/etc/systemd/user.conf.d/10-log-level.conf"
    # Store coredumps in journal
    mkdir -p "$initdir/etc/systemd/coredump.conf.d/"
    echo -ne "[Coredump]\nStorage=journal\n" >"$initdir/etc/systemd/coredump.conf.d/10-storage-journal.conf"
    # Propagate SYSTEMD_UNIT_PATH to user systemd managers
    mkdir -p "$initdir/etc/systemd/system/user@.service.d/"
    echo -ne "[Service]\nPassEnvironment=SYSTEMD_UNIT_PATH\n" >"$initdir/etc/systemd/system/user@.service.d/99-SYSTEMD_UNIT_PATH.conf"

    # When built with gcov, disable ProtectSystem= and ProtectHome= in the test
    # images, since it prevents gcov to write the coverage reports (*.gcda
    # files)
    if get_bool "$IS_BUILT_WITH_COVERAGE"; then
        mkdir -p "$initdir/etc/systemd/system/service.d/"
        echo -ne "[Service]\nProtectSystem=no\nProtectHome=no\n" >"$initdir/etc/systemd/system/service.d/99-gcov-override.conf"
        # Similarly, set ReadWritePaths= to the $BUILD_DIR in the test image to make the coverage work with
        # units using DynamicUser=yes. Do this only for services with test- prefix and a couple of
        # known-to-use DynamicUser=yes services, as setting this system-wide has many undesirable
        # side-effects, as it creates its own namespace.
        for service in capsule@ test- systemd-journal-{gatewayd,upload}; do
            mkdir -p "$initdir/etc/systemd/system/$service.service.d/"
            echo -ne "[Service]\nReadWritePaths=${BUILD_DIR:?}\n" >"$initdir/etc/systemd/system/$service.service.d/99-gcov-rwpaths-override.conf"
        done
        # Ditto, but for the user daemon
        mkdir -p "$initdir/etc/systemd/user/test-.service.d/"
        echo -ne "[Service]\nReadWritePaths=${BUILD_DIR:?}\n" >"$initdir/etc/systemd/user/test-.service.d/99-gcov-rwpaths-override.conf"
        # Bind the $BUILD_DIR into nspawn containers that are executed using
        # machinectl. Unfortunately, the .nspawn files don't support drop-ins
        # so we have to inject the bind mount directly into
        # the systemd-nspawn@.service unit.
        cp "$initdir/usr/lib/systemd/system/systemd-nspawn@.service" "$initdir/etc/systemd/system/systemd-nspawn@.service"
        sed -ri "s/^ExecStart=.+$/& --bind=${BUILD_DIR//\//\\\/}/" "$initdir/etc/systemd/system/systemd-nspawn@.service"
        # Pass the $BUILD_DIR as $COVERAGE_BUILD_DIR env variable to the system
        # manager, similarly to what we do with $ASAN_RT_PATH during sanitized
        # builds
        mkdir -p "$initdir/etc/systemd/system.conf.d/"
        echo -ne "[Manager]\nDefaultEnvironment=COVERAGE_BUILD_DIR=$BUILD_DIR\n" >"$initdir/etc/systemd/system.conf.d/99-COVERAGE_BUILD_DIR.conf"
    fi

    # If we're built with -Dportabled=false, tests with systemd-analyze
    # --profile will fail. Since we need just the profile (text) files, let's
    # copy them into the image if they don't exist there.
    local portable_dir="${initdir:?}${ROOTLIBDIR:?}/portable"
    if [[ ! -d "$portable_dir/profile/strict" ]]; then
        dinfo "Couldn't find portable profiles in the test image"
        dinfo "Copying them directly from the source tree"
        mkdir -p "$portable_dir"
        cp -frv "${SOURCE_DIR:?}/src/portable/profile" "$portable_dir"
    fi
}

get_ldpath() {
    local rpath
    rpath="$(objdump -p "${1:?}" 2>/dev/null | awk "/R(UN)?PATH/ { print \"$initdir\" \$2 }" | paste -sd :)"

    if [ -z "$rpath" ] ; then
        echo "$BUILD_DIR"
    else
        echo "$rpath"
    fi
}

install_missing_libraries() {
    dinfo "Install missing libraries"
    # install possible missing libraries
    for i in "${initdir:?}"{,/usr}/{sbin,bin}/* "$initdir"{,/usr}/lib/systemd/{,tests/unit-tests/{,manual/,unsafe/}}*; do
        LD_LIBRARY_PATH="${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$(get_ldpath "$i")" inst_libs "$i"
    done

    # Install libgcc_s.so if available, since it's dlopen()ed by libpthread
    # and might cause unexpected failures during pthread_exit()/pthread_cancel()
    # if not present
    # See: https://github.com/systemd/systemd/pull/23858
    while read -r libgcc_s; do
        [[ -e "$libgcc_s" ]] && inst_library "$libgcc_s"
    done < <(ldconfig -p | awk '/\/libgcc_s.so.1$/ { print $4 }')

    local lib path
    # A number of dependencies is now optional via dlopen, so the install
    # script will not pick them up, since it looks at linkage.
    for lib in libcryptsetup libidn libidn2 pwquality libqrencode tss2-esys tss2-rc tss2-mu tss2-tcti-device libfido2 libbpf libelf libdw xkbcommon p11-kit-1 libarchive libgcrypt libkmod; do
        ddebug "Searching for $lib via pkg-config"
        if pkg-config --exists "$lib"; then
                path="$(pkg-config --variable=libdir "$lib")"
                if [ -z "${path}" ]; then
                    ddebug "$lib.pc does not contain a libdir variable, skipping"
                    continue
                fi

                if ! [[ ${lib} =~ ^lib ]]; then
                        lib="lib${lib}"
                fi
                # p11-kit-1's .so doesn't have the API level in the name
                if [[ ${lib} =~ p11-kit-1$ ]]; then
                        lib="libp11-kit"
                fi
                # Some pkg-config files are broken and give out the wrong paths
                # (eg: libcryptsetup), so just ignore them
                inst_libs "${path}/${lib}.so" || true
                inst_library "${path}/${lib}.so" || true

                if [[ "$lib" == "libxkbcommon" ]]; then
                    install_x11_keymaps full
                fi
        else
            ddebug "$lib.pc not found, skipping"
            continue
        fi
    done

    # Install extra openssl 3 stuff
    path="$(pkg-config --variable=libdir libcrypto)"
    inst_simple "${path}/ossl-modules/legacy.so" || true
    inst_simple "${path}/ossl-modules/fips.so" || true
    inst_simple "${path}/engines-3/afalg.so" || true
    inst_simple "${path}/engines-3/capi.so" || true
    inst_simple "${path}/engines-3/loader_attic.so" || true
    inst_simple "${path}/engines-3/padlock.so" || true

    # Binaries from mtools depend on the gconv modules to translate between codepages. Because there's no
    # pkg-config file for these, we copy every gconv/ directory we can find in /usr/lib and /usr/lib64.
    # shellcheck disable=SC2046
    inst_recursive $(find /usr/lib* -name gconv 2>/dev/null)
}

cleanup_loopdev() {
    if [ -n "${LOOPDEV:=}" ]; then
        ddebug "losetup -d $LOOPDEV"
        losetup -d "${LOOPDEV}"
        unset LOOPDEV
    fi
}

add_at_exit_handler cleanup_loopdev

create_empty_image() {
    if [[ -z "${IMAGE_NAME:=}" ]]; then
        echo "create_empty_image: \$IMAGE_NAME not set"
        exit 1
    fi

    # Partition sizes are in MiBs
    local root_size=768
    local data_size=100
    local esp_size=128
    local boot_size=128
    local total=
    if ! get_bool "$NO_BUILD"; then
        if meson configure "${BUILD_DIR:?}" | grep 'static-lib\|standalone-binaries' | awk '{ print $2 }' | grep -q 'true'; then
            root_size=$((root_size + 200))
        fi
        if meson configure "${BUILD_DIR:?}" | grep 'link-.*-shared' | awk '{ print $2 }' | grep -q 'false'; then
            root_size=$((root_size + 200))
        fi
        if get_bool "$IS_BUILT_WITH_COVERAGE"; then
            root_size=$((root_size + 250))
        fi
        if get_bool "$IS_BUILT_WITH_ASAN"; then
            root_size=$((root_size * 2))
        fi
    fi

    if [[ "${IMAGE_ADDITIONAL_ROOT_SIZE:-0}" -gt 0 ]]; then
        root_size=$((root_size + IMAGE_ADDITIONAL_ROOT_SIZE))
    fi
    if [[ "${IMAGE_ADDITIONAL_DATA_SIZE:-0}" -gt 0 ]]; then
        data_size=$((data_size + IMAGE_ADDITIONAL_DATA_SIZE))
    fi

    total=$((root_size + data_size + esp_size + boot_size))

    echo "Setting up ${IMAGE_PUBLIC:?} (${total} MB)"
    rm -f "${IMAGE_PRIVATE:?}" "$IMAGE_PUBLIC"

    # Create the blank file to use as a root filesystem
    truncate -s "${total}M" "$IMAGE_PUBLIC"

    LOOPDEV="$(losetup --show -P -f "$IMAGE_PUBLIC")"
    [[ -b "$LOOPDEV" ]] || return 1
    # Create two partitions - a root one and a data one (utilized by some tests)
    sfdisk "$LOOPDEV" <<EOF
label: gpt
type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B name=esp  size=${esp_size}M
type=$("${SYSTEMD_ID128:?}" show root -Pu) name=root size=${root_size}M bootable
type=BC13C2FF-59E6-4262-A352-B275FD6F7172 name=boot size=${boot_size}M
type=0FC63DAF-8483-4772-8E79-3D69D8477DE4 name=data
EOF

    udevadm settle

    if ! mkfs -t vfat "${LOOPDEV}p1"; then
        dfatal "Failed to mkfs -t vfat ${LOOPDEV}p1"
        exit 1
    fi

    local label=(-L systemd_boot)
    # mkfs.reiserfs doesn't know -L. so, use --label instead
    [[ "$FSTYPE" == "reiserfs" ]] && label=(--label systemd_boot)
    if ! mkfs -t "${FSTYPE}" "${label[@]}" "${LOOPDEV}p2" -q; then
        dfatal "Failed to mkfs -t ${FSTYPE} ${label[*]} ${LOOPDEV}p2 -q"
        exit 1
    fi

    local label=(-L xbootldr)
    [[ "$FSTYPE" == "reiserfs" ]] && label=(--label xbootldr)
    if ! mkfs -t "${FSTYPE}" "${label[@]}" "${LOOPDEV}p3" -q; then
        dfatal "Failed to mkfs -t ${FSTYPE} ${label[*]} ${LOOPDEV}p3 -q"
        exit 1
    fi
}

mount_initdir() {
    if [ -z "${LOOPDEV:=}" ]; then
        [ -e "${IMAGE_PRIVATE:?}" ] && image="$IMAGE_PRIVATE" || image="${IMAGE_PUBLIC:?}"
        LOOPDEV="$(losetup --show -P -f "$image")"
        [ -b "$LOOPDEV" ] || return 1

        udevadm settle
    fi

    if ! mountpoint -q "${initdir:?}"; then
        mkdir -p "$initdir"
        mount "${LOOPDEV}p2" "$initdir"
        TEST_SETUP_CLEANUP_ROOTDIR=1
    fi
}

cleanup_initdir() {
    # only umount if create_empty_image_rootdir() was called to mount it
    if get_bool "$TEST_SETUP_CLEANUP_ROOTDIR"; then
        _umount_dir "${initdir:?}"
    fi
}

umount_loopback() {
    # unmount the loopback device from all places. Otherwise we risk file
    # system corruption.
    for device in $(losetup -l | awk '$6=="'"${IMAGE_PUBLIC:?}"'" {print $1}'); do
        ddebug "Unmounting all uses of $device"
        mount | awk '/^'"${device}"'p/{print $1}' | xargs --no-run-if-empty umount -v
    done
}

create_empty_image_rootdir() {
    create_empty_image
    mount_initdir
}

check_asan_reports() {
    local ret=0
    local root="${1:?}"
    local log report

    if get_bool "$IS_BUILT_WITH_ASAN"; then
        ls -l "$root"
        if [[ -e "$root/systemd.asan.log.1" ]]; then
            cat "$root/systemd.asan.log.1"
            ret=$((ret+1))
        fi

        for log in pid1 journald; do
            report="$(find "$root" -name "systemd-$log.*san.log*" -exec cat {} \;)"
            if [[ -n "$report" ]]; then
                printf "%s\n" "$report"
                # shellcheck disable=SC2015
                [[ "$log" == journald ]] && cat "$root/systemd-journald.out" || :
                ret=$((ret+1))
            fi
        done

        # May 08 13:23:31 H testleak[2907148]: SUMMARY: AddressSanitizer: 4 byte(s) leaked in 1 allocation(s).
        pids="$(
            "$JOURNALCTL" -D "$root/var/log/journal" --grep 'SUMMARY: .*Sanitizer:' |
                   grep -v -E 'dbus-daemon|dbus-broker-launch' |
                   sed -r -n 's/.* .+\[([0-9]+)\]: SUMMARY:.*/\1/p'
        )"

        if [[ -n "$pids" ]]; then
            ret=$((ret+1))
            for pid in $pids; do
                "$JOURNALCTL" -D "$root/var/log/journal" _PID="$pid" --no-pager
            done
        fi
    fi

    return $ret
}

check_coverage_reports() {
    local root="${1:?}"

    if get_bool "$NO_BUILD"; then
        return 0
    fi
    if ! get_bool "$IS_BUILT_WITH_COVERAGE"; then
        return 0
    fi

    if [ -n "${ARTIFACT_DIRECTORY}" ]; then
        dest="${ARTIFACT_DIRECTORY}/${testname:?}.coverage-info"
    else
        dest="${TESTDIR:?}/coverage-info"
    fi

    if [[ ! -e "${TESTDIR:?}/coverage-base" ]]; then
        # This shouldn't happen, as the report is generated during the setup
        # phase (test_setup()).
        derror "Missing base coverage report"
        return 1
    fi

    # Create a coverage report that will later be uploaded. Remove info about system
    # libraries/headers and generated files, as we don't really care about them.
    lcov --directory "${root}/${BUILD_DIR:?}" --capture --exclude "*.gperf" --output-file "${dest}.new"
    if [[ -f "$dest" ]]; then
        # If the destination report file already exists, don't overwrite it, but
        # merge it with the already present one - this usually happens when
        # running both "parts" of a test in one run (the qemu and the nspawn part).
        lcov --add-tracefile "${dest}" --add-tracefile "${dest}.new" -o "${dest}"
    else
        # If there's no prior coverage report, merge the new one with the base
        # report we did during the setup phase (see test_setup()).
        lcov --add-tracefile "${TESTDIR:?}/coverage-base" --add-tracefile "${dest}.new" -o "${dest}"
    fi
    lcov --remove "$dest" -o "$dest" '/usr/include/*' '/usr/lib/*' "${BUILD_DIR:?}/*"
    rm -f "${dest}.new"

    # If the test logs contain lines like:
    #
    # ...systemd-resolved[735885]: profiling:/systemd-meson-build/src/shared/libsystemd-shared-250.a.p/base-filesystem.c.gcda:Cannot open
    #
    # it means we're possibly missing some coverage since gcov can't write the stats,
    # usually due to the sandbox being too restrictive (e.g. ProtectSystem=yes,
    # ProtectHome=yes) or the $BUILD_DIR being inaccessible to non-root users - see
    # `setfacl` stuff in install_compiled_systemd().
    #
    # Also, a note: some tests, like TEST-46, overmount /home with tmpfs, which
    # means if your build dir is under /home/your-user (which is usually the
    # case) you might get bogus errors and missing coverage.
    if ! get_bool "${IGNORE_MISSING_COVERAGE:=}" && \
       "${JOURNALCTL:?}" -q --no-pager -D "${root:?}/var/log/journal" --grep "profiling:.+?gcda:[Cc]annot open"; then
        derror "Detected possibly missing coverage, check the journal"
        return 1
    fi

    return 0
}

save_journal() {
    local source_dir="${1:?}"
    local state="${2:?}"
    # Default to always saving journal
    local save="yes"
    local dest_dir dest_name dest

    if [[ "${TEST_SAVE_JOURNAL:-}" == "no" ]]; then
        save="no"
    elif [[ "${TEST_SAVE_JOURNAL:-}" == "fail" && "$state" -eq 0 ]]; then
        save="no"
    fi

    if [[ -n "${ARTIFACT_DIRECTORY:-}" ]]; then
        dest_dir="$ARTIFACT_DIRECTORY"
        dest_name="${testname:?}.journal"
    else
        dest_dir="${TESTDIR:?}"
        dest_name="system.journal"
    fi

    # Show messages from the TEST-XX-XXX.service or messages with priority "warning" and higher
    echo " --- $source_dir ---"
    "$JOURNALCTL" --all --no-pager --no-hostname -o short-monotonic -D "$source_dir" \
        _SYSTEMD_UNIT="${TESTNAME:?}.service" + SYSLOG_IDENTIFIER="$TESTNAME.sh" + \
        PRIORITY=4 + PRIORITY=3 + PRIORITY=2 + PRIORITY=1 + PRIORITY=0

    if get_bool "$save"; then
        # If we don't have systemd-journal-remote copy all journals from /var/log/journal/
        # to $dest_dir/journals/ as is, otherwise merge all journals into a single .journal
        # file
        if [[ -z "${SYSTEMD_JOURNAL_REMOTE:-}" ]]; then
            dest="$dest_dir/journals"
            mkdir -p "$dest"
            cp -a "$source_dir/*" "$dest/"
        else
            dest="$dest_dir/$dest_name"
            "$SYSTEMD_JOURNAL_REMOTE" -o "$dest" --getter="$JOURNALCTL -o export -D $source_dir"
        fi

        if [[ -n "${SUDO_USER:-}" ]]; then
            setfacl -R -m "user:$SUDO_USER:r-X" "$dest"
        fi

        # we want to print this sometime later, so save this in a variable
        JOURNAL_LIST="$(ls -lR "$dest")"
    fi

    rm -rf "${source_dir:?}"/*
}

check_result_common() {
    local workspace="${1:?}"
    local ret

    if [ -s "$workspace/failed" ]; then
        # Non-empty …/failed has highest priority
        cp -a "$workspace/failed" "${TESTDIR:?}/"
        if [ -n "${SUDO_USER}" ]; then
            setfacl -m "user:${SUDO_USER:?}:r-X" "${TESTDIR:?}/"failed
        fi
        ret=1
    elif get_bool "$TIMED_OUT"; then
        echo "(timeout)" >"${TESTDIR:?}/failed"
        ret=2
    elif [ -e "$workspace/testok" ]; then
        # …/testok always counts (but with lower priority than …/failed)
        ret=0
    elif [ -e "$workspace/skipped" ]; then
        # …/skipped always counts (a message is expected)
        echo "${TESTNAME:?} was skipped:"
        cat "$workspace/skipped"
        ret=0
    else
        echo "(failed; see logs)" >"${TESTDIR:?}/failed"
        ret=3
    fi

    check_asan_reports "$workspace" || ret=4

    check_coverage_reports "$workspace" || ret=5

    save_journal "$workspace/var/log/journal" $ret

    if [ -d "${ARTIFACT_DIRECTORY}" ] && [ -f "$workspace/strace.out" ]; then
        cp "$workspace/strace.out" "${ARTIFACT_DIRECTORY}/"
    fi

    if [ ${ret:?} != 0 ] && [ -f "$TESTDIR/failed" ]; then
        echo -n "${TESTNAME:?}: "
        cat "$TESTDIR/failed"
    fi
    echo "${JOURNAL_LIST:-"No journals were saved"}"

    return ${ret:?}
}

check_result_nspawn() {
    local workspace="${1:?}"
    local ret=0

    # Run a test-specific checks if defined by check_result_nspawn_hook()
    if declare -F check_result_nspawn_hook >/dev/null; then
        if ! check_result_nspawn_hook "${workspace}"; then
            derror "check_result_nspawn_hook() returned with EC > 0"
            ret=4
        fi
    fi

    check_result_common "${workspace}" || ret=$?

    _umount_dir "${initdir:?}"

    return $ret
}

# can be overridden in specific test
check_result_qemu() {
    local ret=0
    mount_initdir

    # Run a test-specific checks if defined by check_result_qemu_hook()
    if declare -F check_result_qemu_hook >/dev/null; then
        if ! check_result_qemu_hook "${initdir:?}"; then
            derror "check_result_qemu_hook() returned with EC > 0"
            ret=4
        fi
    fi

    check_result_common "${initdir:?}" || ret=$?

    _umount_dir "${initdir:?}"

    return $ret
}

check_result_nspawn_unittests() {
    local workspace="${1:?}"
    local ret=1

    [[ -e "$workspace/testok" ]] && ret=0

    if [[ -s "$workspace/failed" ]]; then
        ret=$((ret + 1))
        echo "=== Failed test log ==="
        cat "$workspace/failed"
    else
        if [[ -s "$workspace/skipped" ]]; then
            echo "=== Skipped test log =="
            cat "$workspace/skipped"
            # We might have only skipped tests - that should not fail the job
            ret=0
        fi
        if [[ -s "$workspace/testok" ]]; then
            echo "=== Passed tests ==="
            cat "$workspace/testok"
        fi
    fi

    get_bool "${TIMED_OUT:=}" && ret=1
    check_coverage_reports "$workspace" || ret=5

    save_journal "$workspace/var/log/journal" $ret
    echo "${JOURNAL_LIST:-"No journals were saved"}"

    _umount_dir "${initdir:?}"

    return $ret
}

check_result_qemu_unittests() {
    local ret=1

    mount_initdir
    [[ -e "${initdir:?}/testok" ]] && ret=0

    if [[ -s "$initdir/failed" ]]; then
        ret=$((ret + 1))
        echo "=== Failed test log ==="
        cat "$initdir/failed"
    else
        if [[ -s "$initdir/skipped" ]]; then
            echo "=== Skipped test log =="
            cat "$initdir/skipped"
            # We might have only skipped tests - that should not fail the job
            ret=0
        fi
        if [[ -s "$initdir/testok" ]]; then
            echo "=== Passed tests ==="
            cat "$initdir/testok"
        fi
    fi

    get_bool "${TIMED_OUT:=}" && ret=1
    check_coverage_reports "$initdir" || ret=5

    save_journal "$initdir/var/log/journal" $ret
    echo "${JOURNAL_LIST:-"No journals were saved"}"

    _umount_dir "$initdir"

    return $ret
}

create_rc_local() {
    dinfo "Create rc.local"
    mkdir -p "${initdir:?}/etc/rc.d"
    cat >"$initdir/etc/rc.d/rc.local" <<EOF
#!/usr/bin/env bash
exit 0
EOF
    chmod 0755 "$initdir/etc/rc.d/rc.local"
}

install_execs() {
    ddebug "Install executables from the service files"

    local pkg_config_path="${BUILD_DIR:?}/src/core/"
    local systemunitdir userunitdir exe
    systemunitdir="$(PKG_CONFIG_PATH="$pkg_config_path" pkg-config --variable=systemdsystemunitdir systemd)"
    userunitdir="$(PKG_CONFIG_PATH="$pkg_config_path" pkg-config --variable=systemduserunitdir systemd)"
    while read -r exe; do
        # some {rc,halt}.local scripts and programs are okay to not exist, the rest should
        # also, plymouth is pulled in by rescue.service, but even there the exit code
        # is ignored; as it's not present on some distros, don't fail if it doesn't exist
        dinfo "Attempting to install $exe (based on unit file reference)"
        inst "$exe" || [ "${exe%.local}" != "$exe" ] || [ "${exe%systemd-update-done}" != "$exe" ] || [ "${exe##*/}" == "plymouth" ]
    done < <(sed -r -n 's|^Exec[a-zA-Z]*=[@+!-]*([^ ]+).*|\1|gp' "${initdir:?}"/{"$systemunitdir","$userunitdir"}/*.service | sort -u)
}

generate_module_dependencies() {
    dinfo "Generate modules dependencies"
    if [[ -d "${initdir:?}/lib/modules/${KERNEL_VER:?}" ]] && \
        ! depmod -a -b "$initdir" "$KERNEL_VER"; then
            dfatal "\"depmod -a $KERNEL_VER\" failed."
            exit 1
    fi
}

install_depmod_files() {
    dinfo "Install depmod files"
    inst "/lib/modules/${KERNEL_VER:?}/modules.order"
    inst "/lib/modules/$KERNEL_VER/modules.builtin"
}

install_plymouth() {
    dinfo "Install plymouth"
    # install plymouth, if found... else remove plymouth service files
    # if [ -x /usr/libexec/plymouth/plymouth-populate-initrd ]; then
    #     PLYMOUTH_POPULATE_SOURCE_FUNCTIONS="$TEST_BASE_DIR/test-functions" \
    #         /usr/libexec/plymouth/plymouth-populate-initrd -t $initdir
    #         image_install plymouth plymouthd
    # else
        rm -f "${initdir:?}"/{usr/lib,lib,etc}/systemd/system/plymouth* "$initdir"/{usr/lib,lib,etc}/systemd/system/*/plymouth*
    # fi
}

install_haveged() {
    # If haveged is installed, it's probably included in initrd and needs to be
    # installed in the image too.
    if [ -x /usr/sbin/haveged ]; then
        dinfo "Install haveged files"
        inst /usr/sbin/haveged
        for u in /usr/lib/systemd/system/haveged*; do
            inst "$u"
        done
    fi
}

install_ld_so_conf() {
    dinfo "Install /etc/ld.so.conf*"
    cp -a /etc/ld.so.conf* "${initdir:?}/etc"
    ldconfig -r "$initdir"
}

install_testuser() {
    dinfo "Set up a test user"
    # create unprivileged user for user manager tests
    mkdir -p "${initdir:?}/etc/sysusers.d"
    cat >"$initdir/etc/sysusers.d/testuser.conf" <<EOF
u testuser    4711     "Test User" /home/testuser /bin/bash
EOF

    mkdir -p "$initdir/home/testuser"
    chmod 0700 "$initdir/home/testuser"
    chown 4711:4711 "$initdir/home/testuser"
}

install_config_files() {
    dinfo "Install config files"
    inst /etc/sysconfig/init || :
    inst /etc/passwd
    inst /etc/shadow
    inst_any /etc/login.defs /usr/etc/login.defs
    inst /etc/group
    inst /etc/shells
    inst_any /etc/nsswitch.conf /usr/etc/nsswitch.conf
    inst /etc/pam.conf || :
    inst_any /etc/os-release /usr/lib/os-release
    inst /etc/localtime
    # we want an empty environment
    : >"${initdir:?}/etc/environment"
    : >"$initdir/etc/machine-id"
    : >"$initdir/etc/resolv.conf"

    # set the hostname
    echo 'H' >"$initdir/etc/hostname"

    # let's set up just one image with the traditional verbose output
    if [ "${IMAGE_NAME:?}" != "basic" ]; then
        mkdir -p "$initdir/etc/systemd/system.conf.d"
        echo -e '[Manager]\nStatusUnitFormat=name' >"$initdir/etc/systemd/system.conf.d/status.conf"
    fi
}

install_basic_tools() {
    dinfo "Install basic tools"
    image_install "${BASICTOOLS[@]}"
    image_install -o sushell
    # in Debian ldconfig is just a shell script wrapper around ldconfig.real
    image_install -o ldconfig.real
}

install_debug_tools() {
    dinfo "Install debug tools"
    image_install -o "${DEBUGTOOLS[@]}"

    if get_bool "$INTERACTIVE_DEBUG"; then
        # Set default TERM from vt220 to linux, so at least basic key shortcuts work
        local getty_override="${initdir:?}/etc/systemd/system/serial-getty@.service.d"
        mkdir -p "$getty_override"
        echo -e "[Service]\nEnvironment=TERM=linux" >"$getty_override/default-TERM.conf"
        echo 'export TERM=linux' >>"$initdir/etc/profile"

        if command -v resize >/dev/null; then
            image_install resize
            echo "resize" >>"$initdir/etc/profile"
        fi

        # Sometimes we might end up with plymouthd still running (especially
        # with the initrd -> asan_wrapper -> systemd transition), which will eat
        # our inputs and make debugging via tty impossible. Let's fix this by
        # killing plymouthd explicitly for the interactive sessions.
        # Note: we can't use pkill/pidof/etc. here due to a bug in libasan, see:
        #   - https://github.com/llvm/llvm-project/issues/49223
        #   - https://bugzilla.redhat.com/show_bug.cgi?id=2098125
        local plymouth_unit="${initdir:?}/etc/systemd/system/kill-plymouth.service"
        cat >"$plymouth_unit" <<EOF
[Unit]
After=multi-user.target

[Service]
ExecStart=sh -c 'killall --verbose plymouthd || :'

[Install]
WantedBy=multi-user.target
EOF
        "${SYSTEMCTL:?}" enable --root "${initdir:?}" kill-plymouth.service
    fi
}

install_libnss() {
    dinfo "Install libnss"
    # install libnss_files for login
    local NSS_LIBS
    mapfile -t NSS_LIBS < <(LD_DEBUG=files getent passwd 2>&1 >/dev/null | sed -n '/calling init: .*libnss_/ {s!^.* /!/!; p}')
    if [[ ${#NSS_LIBS[@]} -gt 0 ]]; then
        image_install "${NSS_LIBS[@]}"
    fi
}

install_dbus() {
    dinfo "Install dbus"
    inst "${ROOTLIBDIR:?}/system/dbus.socket"

    # Newer Fedora versions use dbus-broker by default. Let's install it if it's available.
    if [ -f "$ROOTLIBDIR/system/dbus-broker.service" ]; then
        inst "$ROOTLIBDIR/system/dbus-broker.service"
        inst /usr/bin/dbus-broker
        inst /usr/bin/dbus-broker-launch
        image_install -o {/etc,/usr/lib}/systemd/system/dbus.service
    elif [ -f "$ROOTLIBDIR/system/dbus-daemon.service" ]; then
        # Fedora rawhide replaced dbus.service with dbus-daemon.service
        inst "$ROOTLIBDIR/system/dbus-daemon.service"
        # Alias symlink
        image_install -o {/etc,/usr/lib}/systemd/system/dbus.service
    else
        inst "$ROOTLIBDIR/system/dbus.service"
    fi

    while read -r file; do
        inst "$file"
    done < <(find /etc/dbus-1 /usr/share/dbus-1 -xtype f 2>/dev/null)

    # setup policy for Type=dbus test
    mkdir -p "${initdir:?}/etc/dbus-1/system.d"
    cat >"$initdir/etc/dbus-1/system.d/systemd.test.ExecStopPost.conf" <<EOF
<?xml version="1.0"?>
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
        "https://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
    <policy user="root">
        <allow own="systemd.test.ExecStopPost"/>
    </policy>
</busconfig>
EOF

    # If we run without KVM, bump the service start timeout
    if ! get_bool "$QEMU_KVM"; then
        cat >"$initdir/etc/dbus-1/system.d/service.timeout.conf" <<EOF
<?xml version="1.0"?>
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
        "https://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
    <limit name="service_start_timeout">120000</limit>
</busconfig>
EOF
        # Bump the client-side timeout in sd-bus as well
        mkdir -p "$initdir/etc/systemd/system.conf.d"
        echo -e '[Manager]\nDefaultEnvironment=SYSTEMD_BUS_TIMEOUT=120' >"$initdir/etc/systemd/system.conf.d/bus-timeout.conf"
    fi
}

install_user_dbus() {
    dinfo "Install user dbus"
    local userunitdir
    if ! userunitdir="$(pkg-config --variable=systemduserunitdir systemd)"; then
        dwarn "WARNING! Cannot determine userunitdir from pkg-config, assuming /usr/lib/systemd/user"
        userunitdir=/usr/lib/systemd/user
    fi

    inst "$userunitdir/dbus.socket"
    inst_symlink "$userunitdir/sockets.target.wants/dbus.socket" || inst_symlink /etc/systemd/user/sockets.target.wants/dbus.socket

    # Append the After= dependency on dbus in case it isn't already set up
    mkdir -p "${initdir:?}/etc/systemd/system/user@.service.d/"
    cat >"$initdir/etc/systemd/system/user@.service.d/dbus.conf" <<EOF
[Unit]
After=dbus.service
EOF

    # Newer Fedora versions use dbus-broker by default. Let's install it if it's available.
    if [ -f "$userunitdir/dbus-broker.service" ]; then
        inst "$userunitdir/dbus-broker.service"
        image_install -o {/etc,/usr/lib}/systemd/user/dbus.service
    elif [ -f "${ROOTLIBDIR:?}/system/dbus-daemon.service" ]; then
        # Fedora rawhide replaced dbus.service with dbus-daemon.service
        inst "$userunitdir/dbus-daemon.service"
        # Alias symlink
        image_install -o {/etc,/usr/lib}/systemd/user/dbus.service
    else
        inst "$userunitdir/dbus.service"
    fi
}

install_pam() {
    dinfo "Install PAM"
    local paths=()

    if get_bool "$LOOKS_LIKE_DEBIAN" && type -p dpkg-architecture &>/dev/null; then
        paths+=("/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)/security")
    else
        paths+=(/lib*/security)
    fi

    for d in /etc/pam.d /{usr/,}etc/security /usr/{etc,lib}/pam.d; do
        [ -d "$d" ] && paths+=("$d")
    done

    while read -r file; do
        inst "$file"
    done < <(find "${paths[@]}" -xtype f)

    # pam_unix depends on unix_chkpwd.
    # see http://www.linux-pam.org/Linux-PAM-html/sag-pam_unix.html
    image_install -o unix_chkpwd

    # set empty root password for easy debugging
    sed -i 's/^root:x:/root::/' "${initdir:?}/etc/passwd"

    # And make sure pam_unix will accept it by making sure that
    # the PAM module has the nullok option.
    for d in /etc/pam.d /usr/{etc,lib}/pam.d; do
        [ -d "$initdir/$d" ] || continue
        sed -i '/^auth.*pam_unix.so/s/$/ nullok/' "$initdir/$d"/*
    done
}

install_locales() {
    # install only C.UTF-8 and English locales
    dinfo "Install locales"

    if command -v meson >/dev/null \
            && (meson configure "${BUILD_DIR:?}" | grep 'localegen-path */') \
            || get_bool "$LOOKS_LIKE_DEBIAN"; then
        # locale-gen support
        image_install -o locale-gen localedef
        inst /etc/locale.gen || :
        inst /usr/share/i18n/SUPPORTED || :
        inst_recursive /usr/share/i18n/charmaps
        inst_recursive /usr/share/i18n/locales
        inst_recursive /usr/share/locale/en*
        inst_recursive /usr/share/locale/de*
        image_install /usr/share/locale/locale.alias
        # locale-gen might either generate each locale separately or merge them
        # into a single archive
        if ! (inst_recursive /usr/lib/locale/C.*8 /usr/lib/locale/en_*8 ||
              image_install /usr/lib/locale/locale-archive); then
            dfatal "Failed to install required locales"
            exit 1
        fi
    else
        inst_recursive /usr/lib/locale/C.*8 /usr/lib/locale/en_*8
    fi
}

# shellcheck disable=SC2120
install_keymaps() {
    local i p
    local -a prefix=(
        "/usr/lib"
        "/usr/share"
    )

    dinfo "Install console keymaps"

    if (( $# == 0 )); then
        for p in "${prefix[@]}"; do
            # The first three paths may be deprecated.
            # It seems now the last three paths are used by many distributions.
            for i in \
                "$p"/kbd/keymaps/include/* \
                "$p"/kbd/keymaps/i386/include/* \
                "$p"/kbd/keymaps/i386/qwerty/us.* \
                "$p"/kbd/keymaps/legacy/include/* \
                "$p"/kbd/keymaps/legacy/i386/qwerty/us.* \
                "$p"/kbd/keymaps/xkb/us*; do
                    [[ -f "$i" ]] || continue
                    inst "$i"
            done
        done
    else
        # When it takes any argument, then install more keymaps.
        for p in "${prefix[@]}"; do
            for i in \
                "$p"/kbd/keymaps/include/* \
                "$p"/kbd/keymaps/i386/*/* \
                "$p"/kbd/keymaps/legacy/i386/*/* \
                "$p"/kbd/keymaps/xkb/*; do
                    [[ -f "$i" ]] || continue
                    inst "$i"
            done
        done
    fi
}

install_x11_keymaps() {
    dinfo "Install x11 keymaps"

    if (( $# == 0 )); then
        # Install only keymap list.
        inst /usr/share/X11/xkb/rules/base.lst
    else
        # When it takes any argument, then install all keymaps.
        inst_recursive /usr/share/X11/xkb
    fi
}

install_zoneinfo() {
    dinfo "Install time zones"
    inst_any /usr/share/zoneinfo/Asia/Seoul
    inst_any /usr/share/zoneinfo/Asia/Vladivostok
    inst_any /usr/share/zoneinfo/Australia/Sydney
    inst_any /usr/share/zoneinfo/Europe/Berlin
    inst_any /usr/share/zoneinfo/Europe/Dublin
    inst_any /usr/share/zoneinfo/Europe/Kyiv
    inst_any /usr/share/zoneinfo/Pacific/Auckland
    inst_any /usr/share/zoneinfo/Pacific/Honolulu
    inst_any /usr/share/zoneinfo/CET
    inst_any /usr/share/zoneinfo/EET
    inst_any /usr/share/zoneinfo/UTC
}

install_fonts() {
    dinfo "Install system fonts"
    for i in \
        /usr/{lib,share}/kbd/consolefonts/eurlatgr* \
        /usr/{lib,share}/kbd/consolefonts/latarcyrheb-sun16*; do
            [[ -f "$i" ]] || continue
            inst "$i"
    done
}

install_terminfo() {
    dinfo "Install terminfo files"
    local terminfodir
    for terminfodir in /lib/terminfo /etc/terminfo /usr/share/terminfo; do
        [ -f "${terminfodir}/l/linux" ] && break
    done
    image_install -o "${terminfodir}/l/linux"
}

has_user_dbus_socket() {
    if [ -f /usr/lib/systemd/user/dbus.socket ] || [ -f /etc/systemd/user/dbus.socket ]; then
        return 0
    else
        echo "Per-user instances are not supported. Skipping..."
        return 1
    fi
}

setup_nspawn_root_hook() { :;}

setup_nspawn_root() {
    if [ -z "${initdir}" ]; then
        dfatal "\$initdir not defined"
        exit 1
    fi

    rm -rf "${TESTDIR:?}/unprivileged-nspawn-root"

    if get_bool "$RUN_IN_UNPRIVILEGED_CONTAINER"; then
        ddebug "cp -ar $initdir $TESTDIR/unprivileged-nspawn-root"
        cp -ar "$initdir" "$TESTDIR/unprivileged-nspawn-root"
    fi

    setup_nspawn_root_hook
}

setup_basic_dirs() {
    mkdir -p "${initdir:?}/run"
    mkdir -p "$initdir/etc/systemd/system"
    mkdir -p "$initdir/var/log/journal"


    for d in usr/bin usr/sbin bin etc lib "${libdir:?}" sbin tmp usr var var/log var/tmp dev proc sys sysroot root run run/lock run/initramfs; do
        if [ -L "/$d" ]; then
            inst_symlink "/$d"
        else
            inst_dir "/$d"
        fi
    done

    ln -sfn /run "$initdir/var/run"
    ln -sfn /run/lock "$initdir/var/lock"
}

mask_supporting_services() {
    # mask some services that we do not want to run in these tests
    ln -fsv /dev/null "${initdir:?}/etc/systemd/system/systemd-hwdb-update.service"
    ln -fsv /dev/null "$initdir/etc/systemd/system/systemd-journal-catalog-update.service"
    ln -fsv /dev/null "$initdir/etc/systemd/system/systemd-networkd.service"
    ln -fsv /dev/null "$initdir/etc/systemd/system/systemd-networkd.socket"
    ln -fsv /dev/null "$initdir/etc/systemd/system/systemd-resolved.service"
}

inst_libs() {
    local bin="${1:?}"
    local so_regex='([^ ]*/lib[^/]*/[^ ]*\.so[^ ]*)'
    local file line

    while read -r line; do
        [[ "$line" = 'not a dynamic executable' ]] && break
        # Ignore errors about our own stuff missing. This is most likely caused
        # by ldd attempting to use the unprefixed RPATH.
        [[ "$line" =~ (libsystemd|libudev).*\ not\ found ]] && continue

        if [[ "$line" =~ not\ found ]]; then
            dfatal "Missing a shared library required by $bin."
            dfatal "Run \"ldd $bin\" to find out what it is."
            dfatal "$line"
            dfatal "Cannot create a test image."
            exit 1
        fi

        if [[ "$line" =~ $so_regex ]]; then
            file="${BASH_REMATCH[1]}"
            [[ -e "${initdir:?}/$file" ]] && continue
            inst_library "$file"
        fi
    done < <(LC_ALL=C ldd "$bin" 2>/dev/null)
}

import_testdir() {
    # make sure we don't get a stale LOOPDEV value from old times
    local _LOOPDEV="${LOOPDEV:=}"
    # We don't want shellcheck to follow & check the $STATEFILE
    # shellcheck source=/dev/null
    [[ -e "$STATEFILE" ]] && . "$STATEFILE"
    LOOPDEV="$_LOOPDEV"
    if [[ ! -d "$TESTDIR" ]]; then
        if [[ -z "$TESTDIR" ]]; then
            TESTDIR="$(mktemp --tmpdir=$WORKDIR -d -t systemd-test.XXXXXX)"
        else
            mkdir -p "$TESTDIR"
        fi

        cat >"$STATEFILE" <<EOF
TESTDIR="$TESTDIR"
EOF
        export TESTDIR
    fi

    IMAGE_PRIVATE="${TESTDIR}/${IMAGE_NAME:?}.img"
    IMAGE_PUBLIC="${IMAGESTATEDIR:?}/${IMAGE_NAME}.img"
}

import_initdir() {
    initdir="${TESTDIR:?}/root"
    mkdir -p "$initdir"
    export initdir
}

get_cgroup_hierarchy() {
    case "$(stat -c '%T' -f /sys/fs/cgroup)" in
        cgroup2fs)
            echo "unified"
            ;;
        tmpfs)
            if [[ -d /sys/fs/cgroup/unified && "$(stat -c '%T' -f /sys/fs/cgroup/unified)" == cgroup2fs ]]; then
                echo "hybrid"
            else
                echo "legacy"
            fi
            ;;
        *)
            dfatal "Failed to determine host's cgroup hierarchy"
            exit 1
    esac
}

## @brief Converts numeric logging level to the first letter of level name.
#
# @param lvl Numeric logging level in range from 1 to 6.
# @retval 1 if @a lvl is out of range.
# @retval 0 if @a lvl is correct.
# @result Echoes first letter of level name.
_lvl2char() {
    case "$1" in
        1) echo F;;
        2) echo E;;
        3) echo W;;
        4) echo I;;
        5) echo D;;
        6) echo T;;
        *) return 1;;
    esac
}

## @brief Internal helper function for _do_dlog()
#
# @param lvl Numeric logging level.
# @param msg Message.
# @retval 0 It's always returned, even if logging failed.
#
# @note This function is not supposed to be called manually. Please use
# dtrace(), ddebug(), or others instead which wrap this one.
#
# This function calls _do_dlog() either with parameter msg, or if
# none is given, it will read standard input and will use every line as
# a message.
#
# This enables:
# dwarn "This is a warning"
# echo "This is a warning" | dwarn
LOG_LEVEL="${LOG_LEVEL:-4}"

dlog() {
    local lvl lvlc

    [ -z "$LOG_LEVEL" ] && return 0
    lvl="${1:?}"; shift
    [ "$lvl" -le "$LOG_LEVEL" ] || return 0
    lvlc="$(_lvl2char "$lvl")" || return 0

    if [ $# -ge 1 ]; then
        echo "$lvlc: $*"
    else
        while read -r line; do
            echo "$lvlc: " "$line"
        done
    fi
}

## @brief Logs message at TRACE level (6)
#
# @param msg Message.
# @retval 0 It's always returned, even if logging failed.
dtrace() {
    set +x
    dlog 6 "$@"
    if get_bool "${debug:=}"; then
        set -x
    fi
}

## @brief Logs message at DEBUG level (5)
#
# @param msg Message.
# @retval 0 It's always returned, even if logging failed.
ddebug() {
    dlog 5 "$@"
}

## @brief Logs message at INFO level (4)
#
# @param msg Message.
# @retval 0 It's always returned, even if logging failed.
dinfo() {
    set +x
    dlog 4 "$@"
    if get_bool "${debug:=}"; then
        set -x
    fi
}

## @brief Logs message at WARN level (3)
#
# @param msg Message.
# @retval 0 It's always returned, even if logging failed.
dwarn() {
    set +x
    dlog 3 "$@"
    if get_bool "${debug:=}"; then
        set -x
    fi
}

## @brief Logs message at ERROR level (2)
#
# @param msg Message.
# @retval 0 It's always returned, even if logging failed.
derror() {
    dlog 2 "$@"
}

## @brief Logs message at FATAL level (1)
#
# @param msg Message.
# @retval 0 It's always returned, even if logging failed.
dfatal() {
    set +x
    dlog 1 "$@"
    if get_bool "${debug:=}"; then
        set -x
    fi
}


# Generic substring function.  If $2 is in $1, return 0.
strstr() { [ "${1#*"$2"*}" != "$1" ]; }

# normalize_path <path>
# Prints the normalized path, where it removes any duplicated
# and trailing slashes.
# Example:
# $ normalize_path ///test/test//
# /test/test
normalize_path() {
    shopt -q -s extglob
    set -- "${1//+(\/)//}"
    shopt -q -u extglob
    echo "${1%/}"
}

# convert_abs_rel <from> <to>
# Prints the relative path, when creating a symlink to <to> from <from>.
# Example:
# $ convert_abs_rel /usr/bin/test /bin/test-2
# ../../bin/test-2
# $ ln -s $(convert_abs_rel /usr/bin/test /bin/test-2) /usr/bin/test
convert_abs_rel() {
    local __current __absolute __abssize __cursize __newpath
    local -i __i __level

    set -- "$(normalize_path "${1:?}")" "$(normalize_path "${2:?}")"

    # corner case #1 - self looping link
    [[ "$1" == "$2" ]] && { echo "${1##*/}"; return; }

    # corner case #2 - own dir link
    [[ "${1%/*}" == "$2" ]] && { echo "."; return; }

    IFS="/" read -ra __current <<< "$1"
    IFS="/" read -ra __absolute <<< "$2"

    __abssize=${#__absolute[@]}
    __cursize=${#__current[@]}

    while [[ "${__absolute[__level]}" == "${__current[__level]}" ]]; do
        (( __level++ ))
        if (( __level > __abssize || __level > __cursize ))
        then
            break
        fi
    done

    for ((__i = __level; __i < __cursize-1; __i++)); do
        if ((__i > __level))
        then
            __newpath=$__newpath"/"
        fi
        __newpath=$__newpath".."
    done

    for ((__i = __level; __i < __abssize; __i++)); do
        if [[ -n $__newpath ]]
        then
            __newpath=$__newpath"/"
        fi
        __newpath=$__newpath${__absolute[__i]}
    done

    echo "$__newpath"
}


# Install a directory, keeping symlinks as on the original system.
# Example: if /lib points to /lib64 on the host, "inst_dir /lib/file"
# will create ${initdir}/lib64, ${initdir}/lib64/file,
# and a symlink ${initdir}/lib -> lib64.
inst_dir() {
    local dir="${1:?}"
    local part="${dir%/*}"
    local file

    [[ -e "${initdir:?}/${dir}" ]] && return 0  # already there

    while [[ "$part" != "${part%/*}" ]] && ! [[ -e "${initdir}/${part}" ]]; do
        dir="$part $dir"
        part="${part%/*}"
    done

    # iterate over parent directories
    for file in $dir; do
        [[ -e "${initdir}/$file" ]] && continue
        if [[ -L $file ]]; then
            inst_symlink "$file"
        else
            # create directory
            mkdir -m 0755 "${initdir}/$file" || return 1
            [[ -e "$file" ]] && chmod --reference="$file" "${initdir}/$file"
            chmod u+w "${initdir}/$file"
        fi
    done
}

# $1 = file to copy to ramdisk
# $2 (optional) Name for the file on the ramdisk
# Location of the image dir is assumed to be $initdir
# We never overwrite the target if it exists.
inst_simple() {
    [[ -f "${1:?}" ]] || return 1
    strstr "$1" "/" || return 1

    local src="$1"
    local target="${2:-$1}"
    if ! [[ -d ${initdir:?}/$target ]]; then
        [[ -e ${initdir}/$target ]] && return 0
        [[ -L ${initdir}/$target ]] && return 0
        [[ -d "${initdir}/${target%/*}" ]] || inst_dir "${target%/*}"
    fi
    # install checksum files also
    if [[ -e "${src%/*}/.${src##*/}.hmac" ]]; then
        inst "${src%/*}/.${src##*/}.hmac" "${target%/*}/.${target##*/}.hmac"
    fi
    ddebug "Installing $src"
    cp --sparse=always --force --dereference --preserve=all "$src" "${initdir}/$target"
}

# find symlinks linked to given library file
# $1 = library file
# Function searches for symlinks by stripping version numbers appended to
# library filename, checks if it points to the same target and finally
# prints the list of symlinks to stdout.
#
# Example:
# rev_lib_symlinks libfoo.so.8.1
# output: libfoo.so.8 libfoo.so
# (Only if libfoo.so.8 and libfoo.so exists on host system.)
rev_lib_symlinks() {
    local fn="${1:?}"
    local links=""
    local orig
    orig="$(readlink -f "$1")"

    [[ "${fn}" =~ .*\.so\..* ]] || return 1

    until [[ "${fn##*.}" == so ]]; do
        fn="${fn%.*}"
        [[ -L "${fn}" && "$(readlink -f "${fn}")" == "${orig}" ]] && links+=" ${fn}"
    done

    echo "${links}"
}

# Same as above, but specialized to handle dynamic libraries.
# It handles making symlinks according to how the original library
# is referenced.
inst_library() {
    local src="${1:?}"
    local dest="${2:-$1}"
    local reallib symlink

    strstr "$1" "/" || return 1
    [[ -e ${initdir:?}/$dest ]] && return 0
    if [[ -L $src ]]; then
        # install checksum files also
        if [[ -e "${src%/*}/.${src##*/}.hmac" ]]; then
            inst "${src%/*}/.${src##*/}.hmac" "${dest%/*}/.${dest##*/}.hmac"
        fi
        reallib="$(readlink -f "$src")"
        inst_simple "$reallib" "$reallib"
        inst_dir "${dest%/*}"
        [[ -d "${dest%/*}" ]] && dest="$(readlink -f "${dest%/*}")/${dest##*/}"
        ddebug "Creating symlink $reallib -> $dest"
        ln -sfn -- "$(convert_abs_rel "${dest}" "${reallib}")" "${initdir}/${dest}"
    else
        inst_simple "$src" "$dest"
    fi

    # Create additional symlinks.  See rev_symlinks description.
    for symlink in $(rev_lib_symlinks "$src") ${reallib:+$(rev_lib_symlinks "$reallib")}; do
        if [[ ! -e "$initdir/$symlink" ]]; then
            ddebug "Creating extra symlink: $symlink"
            inst_symlink "$symlink"
        fi
    done
}

# find a binary.  If we were not passed the full path directly,
# search in the usual places to find the binary.
find_binary() {
    local bin="${1:?}"
    if [[ -z ${bin##/*} ]]; then
        if [[ -x "$bin" ]] || { strstr "$bin" ".so" && ldd "$bin" &>/dev/null; }; then
            echo "$bin"
            return 0
        fi
    fi

    type -P "$bin"
}

# Same as above, but specialized to install binary executables.
# Install binary executable, and all shared library dependencies, if any.
inst_binary() {
    local bin="${1:?}"
    local path target

    # In certain cases we might attempt to install a binary which is already
    # present in the test image, yet it's missing from the host system.
    # In such cases, let's check if the binary indeed exists in the image
    # before doing any other checks. If it does, immediately return with
    # success.
    if [[ $# -eq 1 ]]; then
        for path in "" bin sbin usr/bin usr/sbin; do
            [[ -e "${initdir:?}${path:+/$path}/${bin}" ]] && return 0
        done
    fi

    bin="$(find_binary "$bin")" || return 1
    target="${2:-$bin}"
    [[ -e "${initdir:?}/$target" ]] && return 0
    [[ -L "$bin" ]] && inst_symlink "$bin" "$target" && return 0

    local file line
    local so_regex='([^ ]*/lib[^/]*/[^ ]*\.so[^ ]*)'
    # DSOs provided by systemd
    local systemd_so_regex='/(libudev|libsystemd.*|.+[\-_]systemd([\-_].+)?|libnss_(mymachines|myhostname|resolve)).so'
    local wrap_binary=0
    local enable_lsan=0
    # I love bash!
    while read -r line; do
        [[ "$line" = 'not a dynamic executable' ]] && break

        # Ignore errors about our own stuff missing. This is most likely caused
        # by ldd attempting to use the unprefixed RPATH.
        [[ "$line" =~ libsystemd.*\ not\ found ]] && continue

        # We're built with ASan and the target binary loads one of the systemd's
        # DSOs, so we need to tweak the environment before executing the binary
        if get_bool "$IS_BUILT_WITH_ASAN" && [[ "$line" =~ $systemd_so_regex ]]; then
            wrap_binary=1
        fi

        if [[ "$line" =~ $so_regex ]]; then
            file="${BASH_REMATCH[1]}"
            [[ -e "${initdir}/$file" ]] && continue
            inst_library "$file"
            continue
        fi

        if [[ "$line" =~ not\ found ]]; then
            dfatal "Missing a shared library required by $bin."
            dfatal "Run \"ldd $bin\" to find out what it is."
            dfatal "$line"
            dfatal "Cannot create a test image."
            exit 1
        fi
    done < <(LC_ALL=C ldd "$bin" 2>/dev/null)

    # Same as above, but we need to wrap certain libraries unconditionally
    #
    # chgrp, chown, getent, login, setfacl, su, useradd, userdel
    #    - dlopen() (not only) systemd's PAM modules
    # ls, mkfs.*, mksquashfs, mkswap, setpriv, stat
    #   - pull in nss_systemd with certain options (like ls -l) when
    #     nsswitch.conf uses [SUCCESS=merge] (like on Arch Linux)
    # delv, dig - pull in nss_resolve if `resolve` is in nsswitch.conf
    # tar - called by machinectl in TEST-25
    bin_rx='/(agetty|chgrp|chown|curl|delv|dig|getfacl|getent|id|login|ls|mkfs\.[a-z0-9]+|mksquashfs|mkswap|setfacl|setpriv|stat|su|tar|useradd|userdel)$'
    if get_bool "$IS_BUILT_WITH_ASAN" && [[ "$bin" =~ $bin_rx ]]; then
        wrap_binary=1
        # Ugh, so we want to disable LSan in most cases for the wrapped binaries, since
        # we don't care about memory leaks in such binaries. However, in certain cases
        # the external binary is the only interface for the systemd code, like for
        # the systemd NSS modules, where we want to detect memory leaks. So let's
        # do another check to decide if we want to enable LSan for given binary.
        if [[ "$bin" =~ /getent$ ]]; then
            enable_lsan=1
        fi
    fi

    # If the target binary is built with ASan support, we don't need to wrap
    # it, as it should handle everything by itself
    if get_bool "$wrap_binary" && ! is_built_with_asan "$bin"; then
        dinfo "Creating ASan-compatible wrapper for binary '$target'"
        # Install the target binary with a ".orig" suffix
        inst_simple "$bin" "${target}.orig"
        # Create a simple shell wrapper in place of the target binary, which
        # sets necessary ASan-related env variables and then exec()s the
        # suffixed target binary
        cat >"$initdir/$target" <<EOF
#!/bin/bash
# Preload the ASan runtime DSO, otherwise ASAn will complain
export LD_PRELOAD="$ASAN_RT_PATH"
# Disable LSan to speed things up, since we don't care about leak reports
# from 'external' binaries
export ASAN_OPTIONS=detect_leaks=$enable_lsan
# Set argv[0] to the original binary name without the ".orig" suffix
exec -a "\$0" -- "${target}.orig" "\$@"
EOF
        chmod +x "$initdir/$target"
    else
        inst_simple "$bin" "$target"
    fi
}

# same as above, except for shell scripts.
# If your shell script does not start with shebang, it is not a shell script.
inst_script() {
    local bin line shebang_regex
    bin="$(find_binary "${1:?}")" || return 1
    shift

    read -r -n 80 line <"$bin"
    # If debug is set, clean unprintable chars to prevent messing up the term
    get_bool "${debug:=}" && line="$(echo -n "$line" | tr -c -d '[:print:][:space:]')"
    shebang_regex='(#! *)(/[^ ]+).*'
    [[ "$line" =~ $shebang_regex ]] || return 1
    inst "${BASH_REMATCH[2]}" && inst_simple "$bin" "$@"
}

# same as above, but specialized for symlinks
inst_symlink() {
    local src="${1:?}"
    local target="${2:-$src}"
    local realsrc

    strstr "$src" "/" || return 1
    [[ -L "$src" ]] || return 1
    [[ -L "${initdir:?}/$target" ]] && return 0
    realsrc="$(readlink -f "$src")"
    if ! [[ -e "$initdir/$realsrc" ]]; then
        if [[ -d "$realsrc" ]]; then
            inst_dir "$realsrc"
        else
            inst "$realsrc"
        fi
    fi
    [[ ! -e "$initdir/${target%/*}" ]] && inst_dir "${target%/*}"
    [[ -d "${target%/*}" ]] && target="$(readlink -f "${target%/*}")/${target##*/}"
    ln -sfn -- "$(convert_abs_rel "${target}" "${realsrc}")" "$initdir/$target"
}

# attempt to install any programs specified in a udev rule
inst_rule_programs() {
    local rule="${1:?}"
    local prog bin

    sed -rn 's/^.*?PROGRAM==?"([^ "]+).*$/\1/p' "$rule" | while read -r prog; do
        if [ -x "/lib/udev/$prog" ]; then
            bin="/lib/udev/$prog"
        else
            if ! bin="$(find_binary "$prog")"; then
                dinfo "Skipping program $prog used in udev rule $(basename "$rule") as it cannot be found"
                continue
            fi
        fi

        #dinfo "Installing $_bin due to it's use in the udev rule $(basename $1)"
        image_install "$bin"
    done
}

# udev rules always get installed in the same place, so
# create a function to install them to make life simpler.
inst_rules() {
    local target=/etc/udev/rules.d
    local found rule

    inst_dir "/lib/udev/rules.d"
    inst_dir "$target"
    for rule in "$@"; do
        if [ "${rule#/}" = "$rule" ]; then
            for r in /lib/udev/rules.d /etc/udev/rules.d; do
                if [[ -f "$r/$rule" ]]; then
                    found="$r/$rule"
                    inst_simple "$found"
                    inst_rule_programs "$found"
                fi
            done
        fi
        for r in '' ./; do
            if [[ -f "${r}${rule}" ]]; then
                found="${r}${rule}"
                inst_simple "$found" "$target/${found##*/}"
                inst_rule_programs "$found"
            fi
        done
        [[ $found ]] || dinfo "Skipping udev rule: $rule"
        found=
    done
}

# general purpose installation function
# Same args as above.
inst() {
    case $# in
        1) ;;
        2)
            [[ ! "$initdir" && -d "$2" ]] && export initdir="$2"
            [[ "$initdir" = "$2" ]] && set "$1"
            ;;
        3)
            [[ -z "$initdir" ]] && export initdir="$2"
            set "$1" "$3"
            ;;
        *)
            dfatal "inst only takes 1 or 2 or 3 arguments"
            exit 1
            ;;
    esac

    local fun
    for fun in inst_symlink inst_script inst_binary inst_simple; do
        "$fun" "$@" && return 0
    done

    dwarn "Failed to install '$1'"
    return 1
}

# install any of listed files
#
# If first argument is '-d' and second some destination path, first accessible
# source is installed into this path, otherwise it will installed in the same
# path as source.  If none of listed files was installed, function return 1.
# On first successful installation it returns with 0 status.
#
# Example:
#
# inst_any -d /bin/foo /bin/bar /bin/baz
#
# Lets assume that /bin/baz exists, so it will be installed as /bin/foo in
# initrd.
inst_any() {
    local dest file

    [[ "${1:?}" = '-d' ]] && dest="${2:?}" && shift 2

    for file in "$@"; do
        if [[ -e "$file" ]]; then
            [[ -n "$dest" ]] && inst "$file" "$dest" && return 0
            inst "$file" && return 0
        fi
    done

    return 1
}

inst_recursive() {
    local p item

    for p in "$@"; do
        # Make sure the source exists, as the process substitution below
        # suppresses errors
        stat "$p" >/dev/null || return 1

        while read -r item; do
            if [[ -d "$item" ]]; then
                inst_dir "$item"
            elif [[ -f "$item" ]]; then
                inst_simple "$item"
            fi
        done < <(find "$p" 2>/dev/null)
    done
}

# image_install [-o ] <file> [<file> ... ]
# Install <file> to the test image
# -o optionally install the <file> and don't fail, if it is not there
image_install() {
    local optional=no
    local prog="${1:?}"

    if [[ "$prog" = '-o' ]]; then
        optional=yes
        shift
    fi

    for prog in "$@"; do
        if ! inst "$prog" ; then
            if get_bool "$optional"; then
                dinfo "Skipping program $prog as it cannot be found and is" \
                    "flagged to be optional"
            else
                dfatal "Failed to install $prog"
                exit 1
            fi
        fi
    done
}

# Install a single kernel module along with any firmware it may require.
# $1 = full path to kernel module to install
install_kmod_with_fw() {
    local module="${1:?}"
    # no need to go further if the module is already installed
    [[ -e "${initdir:?}/lib/modules/${KERNEL_VER:?}/${module##*"/lib/modules/$KERNEL_VER/"}" ]] && return 0
    [[ -e "$initdir/.kernelmodseen/${module##*/}" ]] && return 0

    [ -d "$initdir/.kernelmodseen" ] && : >"$initdir/.kernelmodseen/${module##*/}"

    inst_simple "$module" "/lib/modules/$KERNEL_VER/${module##*"/lib/modules/$KERNEL_VER/"}" || return $?

    local modname="${module##*/}"
    local fwdir found fw
    modname="${modname%.ko*}"

    while read -r fw; do
        found=
        for fwdir in /lib/firmware/updates /lib/firmware; do
            if [[ -d "$fwdir" && -f "$fwdir/$fw" ]]; then
                inst_simple "$fwdir/$fw" "/lib/firmware/$fw"
                found=yes
            fi
        done
        if ! get_bool "$found"; then
            if ! grep -qe "\<${modname//-/_}\>" /proc/modules; then
                dinfo "Possible missing firmware \"${fw}\" for kernel module" \
                    "\"${modname}.ko\""
            else
                dwarn "Possible missing firmware \"${fw}\" for kernel module" \
                    "\"${modname}.ko\""
            fi
        fi
    done < <(modinfo -k "$KERNEL_VER" -F firmware "$module" 2>/dev/null)
    return 0
}

# Do something with all the dependencies of a kernel module.
# Note that kernel modules depend on themselves using the technique we use
# $1 = function to call for each dependency we find
#      It will be passed the full path to the found kernel module
# $2 = module to get dependencies for
# rest of args = arguments to modprobe
for_each_kmod_dep() {
    local func="${1:?}"
    local kmod="${2:?}"
    local found=0
    local cmd modpath
    shift 2

    while read -r cmd modpath _; do
        [[ "$cmd" = insmod ]] || continue
        "$func" "$modpath" || return $?
        found=1
    done < <(modprobe "$@" --ignore-install --show-depends "$kmod")

    ! get_bool "$found" && return 1
    return 0
}

# instmods [-c] <kernel module> [<kernel module> ... ]
# instmods [-c] <kernel subsystem>
# install kernel modules along with all their dependencies.
# <kernel subsystem> can be e.g. "=block" or "=drivers/usb/storage"
# FIXME(?): dracutdevs/dracut@f4e38c0da8d6bf3764c1ad753d9d52aef63050e5
instmods() {
    local check=no
    if [[ $# -ge 0 && "$1" = '-c' ]]; then
        check=yes
        shift
    fi

    inst1mod() {
        local mod="${1:?}"
        local ret=0
        local mod_dir="/lib/modules/${KERNEL_VER:?}/"

        case "$mod" in
            =*)
                if [ -f "${mod_dir}/modules.${mod#=}" ]; then
                    (
                        [[ "$mpargs" ]] && echo "$mpargs"
                        cat "${mod_dir}/modules.${mod#=}"
                    ) | instmods
                else
                    (
                        [[ "$mpargs" ]] && echo "$mpargs"
                        find "$mod_dir" -path "*/${mod#=}/*" -name "*.ko*" -type f -printf '%f\n'
                    ) | instmods
                fi
                ;;
            --*)
                mpargs+=" $mod"
                ;;
            i2o_scsi)
                # Do not load this diagnostic-only module
                return
                ;;
            *)
                mod=${mod##*/}
                # if we are already installed, skip this module and go on
                # to the next one.
                [[ -f "${initdir:?}/.kernelmodseen/${mod%.ko}.ko" ]] && return

                # We use '-d' option in modprobe only if modules prefix path
                # differs from default '/'.  This allows us to use Dracut with
                # old version of modprobe which doesn't have '-d' option.
                local mod_dirname=${mod_dir%%/lib/modules/*}
                [[ -n ${mod_dirname} ]] && mod_dirname="-d ${mod_dirname}/"

                # ok, load the module, all its dependencies, and any firmware
                # it may require
                for_each_kmod_dep install_kmod_with_fw "$mod" \
                    --set-version "$KERNEL_VER" \
                    ${mod_dirname:+"$mod_dirname"} \
                    ${mpargs:+"$mpargs"}
                ((ret+=$?))
                ;;
        esac
        return "$ret"
    }

    local mod mpargs

    if [[ $# -eq 0 ]]; then  # filenames from stdin
        while read -r mod; do
            if ! inst1mod "${mod%.ko*}" && [ "$check" = "yes" ]; then
                dfatal "Failed to install $mod"
                return 1
            fi
        done
    fi

    for mod in "$@"; do # filenames as arguments
        if ! inst1mod "${mod%.ko*}" && [ "$check" = "yes" ]; then
            dfatal "Failed to install $mod"
            return 1
        fi
    done

    return 0
}

_umount_dir() {
    local mountpoint="${1:?}"
    if mountpoint -q "$mountpoint"; then
        ddebug "umount $mountpoint"
        umount "$mountpoint"
    fi
}

# can be overridden in specific test
test_setup_cleanup() {
    cleanup_initdir
}

_test_cleanup() {
    # (post-test) cleanup should always ignore failure and cleanup as much as possible
    (
        set +e
        [[ -n "$initdir" ]] && _umount_dir "$initdir"
        [[ -n "$IMAGE_PUBLIC" ]] && rm -vf "$IMAGE_PUBLIC"
        # If multiple setups/cleans are ran in parallel, this can cause a race
        if [[ -n "$IMAGESTATEDIR" && $TEST_PARALLELIZE -ne 1 ]]; then
            rm -vf "${IMAGESTATEDIR}/default.img"
        fi
        [[ -n "$TESTDIR" ]] && rm -vfr "$TESTDIR"
        [[ -n "$STATEFILE" ]] && rm -vf "$STATEFILE"
    ) || :
}

# can be overridden in specific test
test_cleanup() {
    _test_cleanup
}

test_cleanup_again() {
    [ -n "$TESTDIR" ] || return
    rm -rf "$TESTDIR/unprivileged-nspawn-root"
    [[ -n "$initdir" ]] && _umount_dir "$initdir"
    # Test specific images are not reused, so delete them or we run out of disk space
    if [[ -n "$IMAGE_PUBLIC" ]] && [ "$(basename "$IMAGE_PUBLIC")" != "default.img" ]; then
        rm -vf "$IMAGE_PUBLIC"
    fi
    if [[ -n "$IMAGE_PRIVATE" ]] && [ "$(basename "$IMAGE_PRIVATE")" != "default.img" ]; then
        rm -vf "$IMAGE_PRIVATE"
    fi
}

test_create_image() {
    create_empty_image_rootdir

    # Create what will eventually be our root filesystem onto an overlay
    (
        LOG_LEVEL=5
        setup_basic_environment
    )
}

test_setup() {
    if ! get_bool "$NO_BUILD" && \
         get_bool "${TEST_REQUIRE_INSTALL_TESTS:?}" && \
         command -v meson >/dev/null && \
         [[ "$(meson configure "${BUILD_DIR:?}" | grep install-tests | awk '{ print $2 }')" != "true" ]]; then
        dfatal "$BUILD_DIR needs to be built with -Dinstall-tests=true"
        exit 1
    fi

    if [ -e "${IMAGE_PRIVATE:?}" ]; then
        echo "Reusing existing image $IMAGE_PRIVATE → $(realpath "$IMAGE_PRIVATE")"
        mount_initdir
    else
        if [ ! -e "${IMAGE_PUBLIC:?}" ]; then
            # default.img is the base that every test uses and optionally appends to
            if [ ! -e "${IMAGESTATEDIR:?}/default.img" ] || [ -n "${TEST_FORCE_NEWIMAGE:=}" ]; then
                # Create the backing public image, but then completely unmount
                # it and drop the loopback device responsible for it, since we're
                # going to symlink/copy the image and mount it again from
                # elsewhere.
                local image_old="${IMAGE_PUBLIC}"
                if [ -z "${TEST_FORCE_NEWIMAGE}" ]; then
                    IMAGE_PUBLIC="${IMAGESTATEDIR}/default.img"
                fi
                test_create_image
                test_setup_cleanup
                umount_loopback
                cleanup_loopdev
                IMAGE_PUBLIC="${image_old}"
            fi
            if [ "${IMAGE_NAME:?}" != "default" ] && ! get_bool "${TEST_FORCE_NEWIMAGE}"; then
                cp -v "$(realpath "${IMAGESTATEDIR}/default.img")" "$IMAGE_PUBLIC"
            fi
        fi

        local hook_defined
        declare -f -F test_append_files >/dev/null && hook_defined=yes || hook_defined=no

        echo "Reusing existing cached image $IMAGE_PUBLIC → $(realpath "$IMAGE_PUBLIC")"
        if get_bool "$TEST_PARALLELIZE" || get_bool "$hook_defined"; then
            cp -v -- "$(realpath "$IMAGE_PUBLIC")" "$IMAGE_PRIVATE"
        else
            ln -sv -- "$(realpath "$IMAGE_PUBLIC")" "$IMAGE_PRIVATE"
        fi

        mount_initdir

        if get_bool "${TEST_SUPPORTING_SERVICES_SHOULD_BE_MASKED}"; then
            dinfo "Masking supporting services"
            mask_supporting_services
        fi

        if get_bool "$IS_BUILT_WITH_COVERAGE"; then
            # Do an initial coverage capture, to make sure the final report includes
            # files that the tests didn't touch at all
            lcov --initial --capture --directory "${initdir}/${BUILD_DIR:?}" --exclude "*.gperf" --output-file "${TESTDIR:?}/coverage-base"
        fi

        if get_bool "$hook_defined"; then
            test_append_files "${initdir:?}"
        fi
    fi

    setup_nspawn_root
}

test_run() {
    local test_name="${1:?}"
    mount_initdir

    if ! get_bool "${TEST_NO_QEMU:=}"; then
        if run_qemu "$test_name"; then
            check_result_qemu || { echo "qemu test failed"; return 1; }
        else
            dwarn "can't run qemu, skipping"
        fi
    fi
    if ! get_bool "${TEST_NO_NSPAWN:=}"; then
        mount_initdir
        if run_nspawn "${initdir:?}" "$test_name"; then
            check_result_nspawn "$initdir" || { echo "nspawn-root test failed"; return 1; }
        else
            dwarn "can't run systemd-nspawn, skipping"
        fi

        if get_bool "${RUN_IN_UNPRIVILEGED_CONTAINER:=}"; then
            dir="$TESTDIR/unprivileged-nspawn-root"
            if NSPAWN_ARGUMENTS="-U --private-network ${NSPAWN_ARGUMENTS:-}" run_nspawn "$dir" "$test_name"; then
                check_result_nspawn "$dir" || { echo "unprivileged-nspawn-root test failed"; return 1; }
            else
                dwarn "can't run systemd-nspawn, skipping"
            fi
        fi
    fi
    return 0
}

do_test() {
    if [[ $UID != "0" ]]; then
        echo "TEST: $TEST_DESCRIPTION [SKIPPED]: not root" >&2
        exit 0
    fi

    if get_bool "${TEST_NO_QEMU:=}" && get_bool "${TEST_NO_NSPAWN:=}"; then
        echo "TEST: $TEST_DESCRIPTION [SKIPPED]: both qemu and nspawn disabled" >&2
        exit 0
    fi

    if get_bool "${TEST_QEMU_ONLY:=}" && ! get_bool "$TEST_NO_NSPAWN"; then
        echo "TEST: $TEST_DESCRIPTION [SKIPPED]: qemu-only tests requested" >&2
        exit 0
    fi

    if get_bool "${TEST_PREFER_NSPAWN:=}" && ! get_bool "$TEST_NO_NSPAWN"; then
        TEST_NO_QEMU=1
    fi

    # Detect lib paths
    [[ "$libdir" ]] || for libdir in /lib64 /lib; do
        [[ -d $libdir ]] && libdirs+=" $libdir" && break
    done

    [[ "$usrlibdir" ]] || for usrlibdir in /usr/lib64 /usr/lib; do
        [[ -d $usrlibdir ]] && libdirs+=" $usrlibdir" && break
    done

    mkdir -p "$WORKDIR"
    mkdir -p "$STATEDIR"

    import_testdir
    import_initdir

    if [ -n "${SUDO_USER}" ]; then
        ddebug "Making ${TESTDIR:?} readable for ${SUDO_USER} (acquired from sudo)"
        setfacl -m "user:${SUDO_USER:?}:r-X" "${TESTDIR:?}"
    fi

    testname="$(basename "$PWD")"

    while (($# > 0)); do
        case $1 in
            --run)
                echo "${testname} RUN: $TEST_DESCRIPTION"
                test_run "$TESTNAME"
                ret=$?
                if [ $ret -eq 0 ]; then
                    echo "${testname} RUN: $TEST_DESCRIPTION [OK]"
                else
                    echo "${testname} RUN: $TEST_DESCRIPTION [FAILED]"
                fi
                exit $ret
                ;;
            --setup)
                echo "${testname} SETUP: $TEST_DESCRIPTION"
                test_setup
                test_setup_cleanup
                ;;
            --clean)
                echo "${testname} CLEANUP: $TEST_DESCRIPTION"
                test_cleanup
                ;;
            --clean-again)
                echo "${testname} CLEANUP AGAIN: $TEST_DESCRIPTION"
                test_cleanup_again
                ;;
            --all)
                ret=0
                echo -n "${testname}: $TEST_DESCRIPTION "
                # Do not use a subshell, otherwise cleanup variables (LOOPDEV) will be lost
                # and loop devices will leak
                test_setup </dev/null >"$TESTLOG" 2>&1 || ret=$?
                if [ $ret -eq 0 ]; then
                    test_setup_cleanup </dev/null >>"$TESTLOG" 2>&1 || ret=$?
                fi
                if [ $ret -eq 0 ]; then
                    test_run "$TESTNAME" </dev/null >>"$TESTLOG" 2>&1 || ret=$?
                fi
                test_cleanup
                if [ $ret -eq 0 ]; then
                    # $TESTLOG is in $STATEDIR, so clean it up only on success
                    [[ -n "$STATEDIR" ]] && rm -vfr "$STATEDIR"
                    echo "[OK]"
                else
                    echo "[FAILED]"
                    echo "see $TESTLOG"
                fi
                exit $ret
                ;;
            *)
                break
                ;;
        esac
        shift
    done
}