From 43588dd63d6dc35b7eb2099da24d3cb47a033ac1 Mon Sep 17 00:00:00 2001
From: Yu Watanabe
Date: Tue, 25 Nov 2025 00:48:16 +0900
Subject: [PATCH] TEST-75-RESOLVED: move test cases for NFTSet= to TEST-07-PID1
The test cases are not related to systemd-resolved. While moving the test cases, now userdbctl is used for obtaining UID/GID for the dynamic user, as musl does not support nss module, hence getent does not provide information about the dynamic user.
---
 test/units/TEST-07-PID1.nft.sh | 71 ++++++++++++++++++++++++++++++++++
 test/units/TEST-75-RESOLVED.sh | 58 +--------------------------
 2 files changed, 72 insertions(+), 57 deletions(-)
 create mode 100755 test/units/TEST-07-PID1.nft.sh
diff --git a/test/units/TEST-07-PID1.nft.sh b/test/units/TEST-07-PID1.nft.sh
new file mode 100755
index 00000000000..dbfefc281f9
--- /dev/null
+++ b/test/units/TEST-07-PID1.nft.sh
@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -eux
+set -o pipefail
+
+if ! command -v nft >/dev/null; then
+ echo "nftables is not installed. Skipped NFTSet= tests."
+ exit 0
+fi
+
+RUN_OUT="$(mktemp)"
+
+run() {
+ "$@" |& tee "$RUN_OUT"
+}
+
+nft add table inet sd_test
+nft add set inet sd_test c '{ type cgroupsv2; }'
+nft add set inet sd_test u '{ typeof meta skuid; }'
+nft add set inet sd_test g '{ typeof meta skgid; }'
+
+# service
+systemd-run --unit test-nft.service --service-type=exec -p DynamicUser=yes \
+ -p 'NFTSet=cgroup:inet:sd_test:c user:inet:sd_test:u group:inet:sd_test:g' sleep 10000
+run nft list set inet sd_test c
+grep -qF "test-nft.service" "$RUN_OUT"
+uid=$(userdbctl user --json=short test-nft | jq .uid)
+run nft list set inet sd_test u
+grep -qF "$uid" "$RUN_OUT"
+gid=$(userdbctl user --json=short test-nft | jq .gid)
+run nft list set inet sd_test g
+grep -qF "$gid" "$RUN_OUT"
+systemctl stop test-nft.service
+
+# scope
+run systemd-run --scope -u test-nft.scope -p 'NFTSet=cgroup:inet:sd_test:c' nft list set inet sd_test c
+grep -qF "test-nft.scope" "$RUN_OUT"
+
+mkdir -p /run/systemd/system
+# socket
+{
+ echo "[Socket]"
+ echo "ListenStream=12345"
+ echo "BindToDevice=lo"
+ echo "NFTSet=cgroup:inet:sd_test:c"
+} >/run/systemd/system/test-nft.socket
+{
+ echo "[Service]"
+ echo "ExecStart=sleep 10000"
+} >/run/systemd/system/test-nft.service
+systemctl daemon-reload
+systemctl start test-nft.socket
+systemctl status test-nft.socket
+run nft list set inet sd_test c
+grep -qF "test-nft.socket" "$RUN_OUT"
+systemctl stop test-nft.socket
+rm -f /run/systemd/system/test-nft.{socket,service}
+
+# slice
+mkdir /run/systemd/system/system.slice.d
+{
+ echo "[Slice]"
+ echo "NFTSet=cgroup:inet:sd_test:c"
+} >/run/systemd/system/system.slice.d/00-test-nft.conf
+systemctl daemon-reload
+run nft list set inet sd_test c
+grep -qF "system.slice" "$RUN_OUT"
+rm -rf /run/systemd/system/system.slice.d
+
+nft flush ruleset
+exit 0
diff --git a/test/units/TEST-75-RESOLVED.sh b/test/units/TEST-75-RESOLVED.sh
index a9504f5d1cf..35ca98d07f0 100755
--- a/test/units/TEST-75-RESOLVED.sh
+++ b/test/units/TEST-75-RESOLVED.sh
@@ -951,7 +951,7 @@ testcase_10_resolvectl_json() {
 # Test serve stale feature and NFTSet= if nftables is installed
 testcase_11_nft() {
 if ! command -v nft >/dev/null; then
- echo "nftables is not installed. Skipped serve stale feature and NFTSet= tests."
+ echo "nftables is not installed. Skipped serve stale feature tests."
 return 0
 fi
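Review bot: The new TEST-07-PID1.nft.sh has no failure-path cleanup: every check is a bare `grep -qF … "$RUN_OUT"` under `set -e`, so the first mismatch exits with the DynamicUser `sleep 10000` service (or test-nft.socket still listening on port 12345 on lo) running, the generated unit files and the system.slice.d drop-in left under /run/systemd/system, the `sd_test` table still in the ruleset and the mktemp file never removed — all of which then leak into whatever TEST-07-PID1 subtest runs next in the same VM, whereas the old copy at least lived inside a testcase function of one script. An EXIT trap that stops the units, removes the generated files, flushes the table and deletes `$RUN_OUT` makes the cleanup independent of which assertion fails; the trailing `nft flush ruleset` then only remains as the success-path step. Separately, `grep -qF "$uid" "$RUN_OUT"` and `grep -qF "$gid" "$RUN_OUT"` are substring matches on the set listing, so a shorter id is also satisfied by any longer element that happens to contain it; `grep -qwF` pins the whole token and keeps the check meaningful even if the set ever holds more than one element.
```shell
RUN_OUT="$(mktemp)"

cleanup() {
    set +e
    systemctl stop test-nft.service test-nft.socket
    rm -f /run/systemd/system/test-nft.{socket,service}
    rm -rf /run/systemd/system/system.slice.d
    systemctl daemon-reload
    nft flush ruleset
    rm -f "$RUN_OUT"
}
trap cleanup EXIT

# … unchanged: run(), nft table/set setup, service, scope, socket and slice cases …
```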
@@ -1013,62 +1013,6 @@ testcase_11_nft() { grep -qE "NXDOMAIN" "$RUN_OUT" nft flush ruleset - - ### NFTSet= test - nft add table inet sd_test - nft add set inet sd_test c '{ type cgroupsv2; }' - nft add set inet sd_test u '{ typeof meta skuid; }' - nft add set inet sd_test g '{ typeof meta skgid; }' - - # service - systemd-run --unit test-nft.service --service-type=exec -p DynamicUser=yes \ - -p 'NFTSet=cgroup:inet:sd_test:c user:inet:sd_test:u group:inet:sd_test:g' sleep 10000 - run nft list set inet sd_test c - grep -qF "test-nft.service" "$RUN_OUT" - uid=$(getent passwd test-nft | cut -d':' -f3) - run nft list set inet sd_test u - grep -qF "$uid" "$RUN_OUT" - gid=$(getent passwd test-nft | cut -d':' -f4) - run nft list set inet sd_test g - grep -qF "$gid" "$RUN_OUT" - systemctl stop test-nft.service - - # scope - run systemd-run --scope -u test-nft.scope -p 'NFTSet=cgroup:inet:sd_test:c' nft list set inet sd_test c - grep -qF "test-nft.scope" "$RUN_OUT" - - mkdir -p /run/systemd/system - # socket - { - echo "[Socket]" - echo "ListenStream=12345" - echo "BindToDevice=lo" - echo "NFTSet=cgroup:inet:sd_test:c" - } >/run/systemd/system/test-nft.socket - { - echo "[Service]" - echo "ExecStart=sleep 10000" - } >/run/systemd/system/test-nft.service - systemctl daemon-reload - systemctl start test-nft.socket - systemctl status test-nft.socket - run nft list set inet sd_test c - grep -qF "test-nft.socket" "$RUN_OUT" - systemctl stop test-nft.socket - rm -f /run/systemd/system/test-nft.{socket,service} - - # slice - mkdir /run/systemd/system/system.slice.d - { - echo "[Slice]" - echo "NFTSet=cgroup:inet:sd_test:c" - } >/run/systemd/system/system.slice.d/00-test-nft.conf - systemctl daemon-reload - run nft list set inet sd_test c - grep -qF "system.slice" "$RUN_OUT" - rm -rf /run/systemd/system/system.slice.d - - nft flush ruleset } # Test resolvectl show-server-state -- 2.47.3