diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml
index a394e121cf7..d68d26fa554 100644
--- a/.github/workflows/mkosi.yml
+++ b/.github/workflows/mkosi.yml
@@ -59,40 +59,47 @@ jobs:
 sanitizers: ""
 llvm: 0
 cflags: "-O2 -D_FORTIFY_SOURCE=3"
+ relabel: no
 - distro: debian
 release: testing
 sanitizers: ""
 llvm: 0
 cflags: "-Og"
+ relabel: no
 - distro: ubuntu
 release: noble
 sanitizers: ""
 llvm: 0
 cflags: "-Og"
+ relabel: no
 - distro: fedora
 release: "40"
 sanitizers: ""
 llvm: 0
 cflags: "-Og"
+ relabel: yes
 - distro: fedora
 release: rawhide
 sanitizers: address,undefined
 llvm: 1
 cflags: "-Og"
+ relabel: yes
 - distro: opensuse
 release: tumbleweed
 sanitizers: ""
 llvm: 0
 cflags: "-Og"
+ relabel: no
 - distro: centos
 release: "9"
 sanitizers: ""
 llvm: 0
 cflags: "-Og"
+ relabel: yes
 steps:
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
- - uses: systemd/mkosi@6b66aa9096948e0bc38154333687584e0351f450
+ - uses: systemd/mkosi@4681dd733a925cd048d0301af26221bce0c95eed
 # Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space
 # immediately, we remove the files in the background. However, we first move them to a different location
@@ -140,6 +147,9 @@ jobs:
 SANITIZERS=${{ matrix.sanitizers }}
 MESON_OPTIONS=--werror
 LLVM=${{ matrix.llvm }}
+ SYSEXT=1
+
+ SELinuxRelabel=${{ matrix.relabel }}
 [Host]
 QemuMem=4G
@@ -187,7 +197,7 @@ jobs:
 -Dvmspawn=enabled
 - name: Build image
- run: meson compile -C build mkosi
+ run: sudo meson compile -C build mkosi
 - name: Run integration tests
 run: sudo --preserve-env meson test -C build --no-rebuild --suite integration-tests --print-errorlogs --no-stdsplit --num-processes "$(($(nproc) - 1))"
diff --git a/docs/HACKING.md b/docs/HACKING.md
index 5b1e3553277..a656f2ddb0e 100644
--- a/docs/HACKING.md
+++ b/docs/HACKING.md
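Review bot: The new `relabel:` matrix values are bare YAML `yes`/`no` in the first hunk, and the second hunk interpolates them verbatim into the generated mkosi config as `SELinuxRelabel=${{ matrix.relabel }}`; whether the workflow parser hands the expression the literal `no` or a normalized boolean depends on the parser's scalar handling, so the line written into the config can differ even though mkosi accepts both spellings. Quoting them, `relabel: "yes"` / `relabel: "no"`, makes the emitted setting deterministic and matches how `release: "40"` and `release: "9"` are already written in the same matrix. Both the matrix and the config heredoc extend beyond the hunks shown here.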
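Review bot: `sudo meson compile -C build mkosi` in the third hunk now runs the whole image build, including the per-distribution `mkosi.build.chroot` scripts and the package builds they drive, as root, while the `meson setup` invocation that the `-Dvmspawn=enabled` context line belongs to still runs as the unprivileged runner user; whatever root leaves under `build/` is then root-owned, which the following `sudo --preserve-env meson test` step tolerates but any later unprivileged step touching `build/` would not. The build step also drops the environment (`sudo` without `--preserve-env`) while the test step keeps it, and nothing records why root is needed. A short comment above the step, `# Runs as root: SELinux relabeling (SELinuxRelabel=) and the sysext build need it`, would capture that, with the relabel reason being my inference from the `relabel` matrix added above rather than something the hunk states.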
@@ -58,15 +58,15 @@ RuntimeBuildSources=yes After enabling this setting, the source and build directories will be mounted to `/work/src` and `/work/build` respectively when booting the image as a container or virtual machine. To build the latest changes and re-install after booting the
-image, run `mkosi -t none` in another terminal on the host and run one of the
-following commands in the container or virtual machine depending on the
-distribution:
+image, run one of the following commands in another terminal on your host (
+choose the right one depending on the distribution of the container or virtual
+machine):
 ```sh
-dnf upgrade --disablerepo="*" /work/build/*.rpm # CentOS/Fedora
-apt install --reinstall /work/build/*.deb # Debian/Ubuntu
-pacman -U /work/build/*.pkg.tar # Arch Linux
-zypper install --allow-unsigned-rpm /work/build/*.rpm # OpenSUSE
+mkosi -t none && mkosi ssh dnf upgrade --disablerepo="*" "/work/build/*.rpm" # CentOS/Fedora
+mkosi -t none && mkosi ssh apt install --reinstall "/work/build/*.deb" # Debian/Ubuntu
+mkosi -t none && mkosi ssh pacman -U "/work/build/*.pkg.tar" # Arch Linux
+mkosi -t none && mkosi ssh zypper install --allow-unsigned-rpm "/work/build/*.rpm" # OpenSUSE
 ```
 and optionally restart the daemon(s) you're working on using
diff --git a/mkosi.clean b/mkosi.clean
index 64810b79571..bcd1ae42c89 100755
--- a/mkosi.clean
+++ b/mkosi.clean
@@ -2,4 +2,4 @@ set -e
 set -o nounset
-rm -f "$OUTPUTDIR"/*.{rpm,deb,pkg.tar}
+rm -f "$OUTPUTDIR"/*.{rpm,deb,pkg.tar} "$OUTPUTDIR"/systemd.raw
diff --git a/mkosi.conf b/mkosi.conf
index c90f5bfc774..b47b30c98b9 100644
--- a/mkosi.conf
+++ b/mkosi.conf
@@ -11,7 +11,6 @@ BuildDirectory=build/mkosi.builddir
 CacheDirectory=build/mkosi.cache
 [Content]
-SELinuxRelabel=no
 BuildSourcesEphemeral=yes
 Autologin=yes
@@ -24,6 +23,10 @@ ExtraTrees=
 Environment=
 SYSTEMD_REPART_OVERRIDE_FSTYPE_ROOT=%F
+# Disable relabeling by default as it only matters for TEST-06-SELINUX, takes a non-trivial amount of time
+# and results in lots of errors when building images as a regular user.
+SELinuxRelabel=no
+
 # Adding more kernel command line arguments is likely to hit the kernel command line limit (512 bytes) in
 # various scenarios. Consider adding support for a credential instead if possible and using that.
 KernelCommandLine=systemd.crash_shell
@@ -83,6 +86,7 @@ Packages=
 dnsmasq
 dosfstools
 e2fsprogs
+ erofs-utils
 findutils
 gdb
 grep
diff --git a/mkosi.conf.d/10-arch/mkosi.build.chroot b/mkosi.conf.d/10-arch/mkosi.build.chroot
index 2c99a67a252..268bdc2ee74 100755
--- a/mkosi.conf.d/10-arch/mkosi.build.chroot
+++ b/mkosi.conf.d/10-arch/mkosi.build.chroot
@@ -33,7 +33,7 @@ if ((LLVM)) && [[ -n "$SANITIZERS" ]]; then
 fi
 MKOSI_MESON_OPTIONS="-D mode=developer -D b_sanitize=${SANITIZERS:-none}"
-if ((WIPE)); then
+if ((WIPE)) && [[ -d "$BUILDDIR/meson-private" ]]; then
 MKOSI_MESON_OPTIONS="$MKOSI_MESON_OPTIONS --wipe"
 fi
diff --git a/mkosi.conf.d/10-arch/mkosi.conf b/mkosi.conf.d/10-arch/mkosi.conf
index 96ae8c88b1c..d9f75c65d33 100644
--- a/mkosi.conf.d/10-arch/mkosi.conf
+++ b/mkosi.conf.d/10-arch/mkosi.conf
@@ -37,8 +37,8 @@ Packages=
 linux
 man-db
 multipath-tools
+ nmap
 open-iscsi
- openbsd-netcat
 openssh
 openssl
 pacman
@@ -54,7 +54,7 @@ Packages=
 shadow
 softhsm
 squashfs-tools
- stress
+ stress-ng
 tgt
 tpm2-tools
 tpm2-tss
diff --git a/mkosi.conf.d/10-centos-fedora/mkosi.build.chroot b/mkosi.conf.d/10-centos-fedora/mkosi.build.chroot
index 21f106292bb..dcb90c31ccd 100755
--- a/mkosi.conf.d/10-centos-fedora/mkosi.build.chroot
+++ b/mkosi.conf.d/10-centos-fedora/mkosi.build.chroot
@@ -2,6 +2,8 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 set -e
+. mkosi.functions
+
 if ((NO_BUILD)); then
 exit 0
 fi
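Review bot: `. mkosi.functions` in the last hunk names the file without a slash, so bash searches `$PATH` for a file of that name first and only falls back to the working directory if none is found; a same-named file anywhere on PATH inside the build environment would be sourced in place of the repository's copy, and if the script's working directory is not the source tree the `.` fails under `set -e` with an unhelpful message. `. ./mkosi.functions` (or an absolute path under the directory mkosi exposes the sources at) pins the lookup to the checkout. The identical line is added to `mkosi.conf.d/10-opensuse/mkosi.build.chroot` later in this diff and should change the same way.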
@@ -62,7 +64,7 @@ if ((LLVM)) && [[ -n "$SANITIZERS" ]]; then
 fi
 MKOSI_MESON_OPTIONS="-D mode=developer -D b_sanitize=${SANITIZERS:-none}"
-if ((WIPE)); then
+if ((WIPE)) && [[ -d "$BUILDDIR/meson-private" ]]; then
 MKOSI_MESON_OPTIONS="$MKOSI_MESON_OPTIONS --wipe"
 fi
@@ -120,3 +122,5 @@ CXX_LD="$( ((LLVM)) && echo lld)" \
 cp "$OUTPUTDIR"/*.rpm "$PACKAGEDIR"
 cp "$OUTPUTDIR"/*.rpm "$BUILDDIR"
+
+make_sysext_unsigned /var/tmp/BUILD/*/BUILDROOT
diff --git a/mkosi.conf.d/10-centos-fedora/mkosi.conf b/mkosi.conf.d/10-centos-fedora/mkosi.conf
index f200409d6f1..4c6109a5445 100644
--- a/mkosi.conf.d/10-centos-fedora/mkosi.conf
+++ b/mkosi.conf.d/10-centos-fedora/mkosi.conf
@@ -45,7 +45,7 @@ Packages=
 libcap-ng-utils
 libubsan
 man-db
- netcat
+ nmap-ncat
 openssh-clients
 openssh-server
 pam
@@ -62,7 +62,7 @@ Packages=
 sbsigntools
 softhsm
 squashfs-tools
- stress
+ stress-ng
 tpm2-tools
 util-linux
 veritysetup
diff --git a/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf b/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf
index 9fe5509695f..0a388f3c081 100644
--- a/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf
+++ b/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf
@@ -1,20 +1,13 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
+# libselinux does not work in the slightest with /usr-only images so don't install the packages if we're
+# building a /usr-only image.
+
 [Match]
 Profile=!particle
 [Content]
-# libselinux does not work in the slightest with /usr-only images so don't install the packages if we're
-# building a /usr-only image.
 Packages=
 selinux-policy
 selinux-policy-targeted
 setools-console
-
-# We relabel on first boot instead of at build time because it is only possible to label without root
-# if the labels exist in the host system, and we want to be able to cross-build to other distributions.
-SELinuxRelabel=no
-
-InitrdPackages=
- selinux-policy
- selinux-policy-targeted
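Review bot: `make_sysext_unsigned /var/tmp/BUILD/*/BUILDROOT` in the second hunk hands an unquoted glob to a function whose surviving body on this page only ever reads `"$1"`; with the default glob behaviour a pattern that matches nothing is passed through literally and the later writes under `"$1"/usr/lib/extension-release.d/` fail on a non-existent tree, while more than one match (a stale BUILDROOT from an earlier build, say) silently drops every match but the first and can build the extension from the wrong tree. Making the single-match assumption explicit at the call site, `buildroots=(/var/tmp/BUILD/*/BUILDROOT)`, `[[ ${#buildroots[@]} -eq 1 && -d "${buildroots[0]}" ]] || { echo "expected exactly one BUILDROOT" >&2; exit 1; }`, `make_sysext_unsigned "${buildroots[0]}"`, turns both cases into a clear failure. The same call is added to `mkosi.conf.d/10-opensuse/mkosi.build.chroot` later in this diff.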
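Review bot: The last hunk deletes the only comment that explained why relabeling was deferred, and with it the `InitrdPackages=` block, so the initrd built from this profile no longer carries the SELinux policy packages and nothing in this file says where the relabel decision now lives (the top-level `mkosi.conf` sets `SELinuxRelabel=no` and the CI matrix overrides it per job). A one-line pointer in place of the removed block, `# SELinuxRelabel= is controlled by the top-level mkosi.conf and the CI matrix; the initrd intentionally no longer ships the policy.`, keeps the next reader from re-adding either setting here. Whether dropping the policy from the initrd changes when the policy is loaded at boot is not something this hunk shows and is worth confirming against TEST-06-SELINUX.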
diff --git a/mkosi.conf.d/10-debian-ubuntu/mkosi.build.chroot b/mkosi.conf.d/10-debian-ubuntu/mkosi.build.chroot
index f1eed039246..1a03dcd9564 100755
--- a/mkosi.conf.d/10-debian-ubuntu/mkosi.build.chroot
+++ b/mkosi.conf.d/10-debian-ubuntu/mkosi.build.chroot
@@ -56,7 +56,7 @@ if ((LLVM)) && [[ -n "$SANITIZERS" ]]; then
 fi
 MKOSI_MESON_OPTIONS="-D mode=developer -D b_sanitize=${SANITIZERS:-none}"
-if ((WIPE)); then
+if ((WIPE)) && [[ -d "$BUILDDIR/meson-private" ]]; then
 MKOSI_MESON_OPTIONS="$MKOSI_MESON_OPTIONS --wipe"
 fi
diff --git a/mkosi.conf.d/10-debian-ubuntu/mkosi.conf b/mkosi.conf.d/10-debian-ubuntu/mkosi.conf
index 1620b037625..33e5cfe8ee9 100644
--- a/mkosi.conf.d/10-debian-ubuntu/mkosi.conf
+++ b/mkosi.conf.d/10-debian-ubuntu/mkosi.conf
@@ -65,7 +65,7 @@ Packages=
 locales
 man-db
 multipath-tools
- netcat-openbsd
+ ncat
 open-iscsi
 openssh-client
 openssh-server
@@ -78,7 +78,7 @@ Packages=
 quota
 softhsm2
 squashfs-tools
- stress
+ stress-ng
 tgt
 tpm2-tools
 tzdata
diff --git a/mkosi.conf.d/10-opensuse/mkosi.build.chroot b/mkosi.conf.d/10-opensuse/mkosi.build.chroot
index 67481d0b10c..0c598eae563 100755
--- a/mkosi.conf.d/10-opensuse/mkosi.build.chroot
+++ b/mkosi.conf.d/10-opensuse/mkosi.build.chroot
@@ -2,6 +2,8 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 set -e
+. mkosi.functions
+
 if ((NO_BUILD)); then
 exit 0
 fi
@@ -63,7 +65,7 @@ if [[ -z "${MKOSI_LDFLAGS// }" ]]; then
 fi
 MKOSI_MESON_OPTIONS="-D mode=developer -D b_sanitize=${SANITIZERS:-none}"
-if ((WIPE)); then
+if ((WIPE)) && [[ -d "$BUILDDIR/meson-private" ]]; then
 MKOSI_MESON_OPTIONS="$MKOSI_MESON_OPTIONS --wipe"
 fi
@@ -139,3 +141,5 @@ fi
 cp "$OUTPUTDIR"/*.rpm "$PACKAGEDIR"
 cp "$OUTPUTDIR"/*.rpm "$BUILDDIR"
+
+make_sysext_unsigned /var/tmp/BUILD/*/BUILDROOT
diff --git a/mkosi.conf.d/10-opensuse/mkosi.conf b/mkosi.conf.d/10-opensuse/mkosi.conf
index c5a014f70bf..06edcbae413 100644
--- a/mkosi.conf.d/10-opensuse/mkosi.conf
+++ b/mkosi.conf.d/10-opensuse/mkosi.conf
@@ -8,13 +8,14 @@ InitrdInclude=initrd/
 [Distribution]
 Release=tumbleweed
+Repositories=non-oss
 PackageManagerTrees=macros.db_backend:/etc/rpm/macros.db_backend
 [Content]
 Environment=
- GIT_URL=https://src.opensuse.org/rpm/systemd
- GIT_BRANCH=devel
- GIT_COMMIT=23bfa9d83b6e24a5395a704b816a351f3dc5b5316e580cacedd1b5d9e068c117
+ GIT_URL=https://code.opensuse.org/package/systemd
+ GIT_BRANCH=master
+ GIT_COMMIT=6812406e52a474568744c267e7bade1496bb26a5
 VolatilePackages=
 systemd
@@ -60,6 +61,7 @@ Packages=
 libkmod2
 libubsan1
 multipath-tools
+ ncat
 open-iscsi
 openssh-clients
 openssh-server
@@ -79,6 +81,7 @@ Packages=
 shadow
 softhsm
 squashfs
+ stress-ng
 tgt
 timezone
 tpm2.0-tools
diff --git a/mkosi.extra/.autorelabel b/mkosi.extra/.autorelabel
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset b/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset
index c3640585e5c..5a15e6bcbbf 100644
--- a/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset
+++ b/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset
@@ -32,10 +32,10 @@ disable auditd.service
 # systemd-timesyncd is not enabled by default in the default systemd preset so enable it here instead.
 enable systemd-timesyncd.service
-# Skipped if selinux is not enabled, required for TEST-06-SELINUX.
-enable autorelabel.service
-
 # Enabled by default on OpenSUSE and not conditioned out in containers, so let's disable these here instead.
 disable iscsi.service
 disable iscsid.socket
 disable iscsiuio.socket
+
+# mkosi relabels the image itself so no need to do it on boot.
+disable selinux-autorelabel-mark.service
diff --git a/mkosi.functions b/mkosi.functions
new file mode 100644
index 00000000000..c19c1aa6435
--- /dev/null
+++ b/mkosi.functions
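Review bot: `Repositories=non-oss` in the first hunk enables the whole non-OSS repository for the image without saying which package needs it, so it cannot be retired once that need goes away and it widens the set of packages and repository metadata the build trusts. A comment naming the reason, `# non-oss is required for <package>` with the actual package filled in, is enough; neither `ncat` nor `stress-ng`, the packages the other two hunks of this file add, obviously lives there, so the reason may be outside this diff. The pinned `GIT_COMMIT=` on the new URL is the right shape for a reproducible source fetch and is worth keeping as a commit id rather than the `master` branch name alone.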
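Review bot: The comment `# mkosi relabels the image itself so no need to do it on boot.` in the preset hunk only holds when the image is built with `SELinuxRelabel=yes`; the top-level `mkosi.conf` in this diff defaults it to `no` and only the fedora/centos CI jobs turn it on, so a default local build is neither relabeled at build time nor, with `selinux-autorelabel-mark.service` disabled and `mkosi.extra/.autorelabel` deleted, on first boot. If that is the intended trade-off, the comment should say so: `# Relabeling, when wanted, happens at build time via SELinuxRelabel= (off by default in mkosi.conf, enabled for the SELinux CI jobs); never relabel on boot.`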
@@ -0,0 +1,49 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+make_sysext_unsigned() {
+ if ! ((SYSEXT)); then
+ return
+ fi
+
+ mkdir -p /usr/lib/systemd/repart/definitions/sysext-unsigned.repart.d
+ cat >/usr/lib/systemd/repart/definitions/sysext-unsigned.repart.d/10-root.conf <"$1"/usr/lib/extension-release.d/extension-release.systemd <>"$1"/usr/lib/extension-release.d/extension-release.systemd <>"$1"/usr/lib/extension-release.d/extension-release.systemd <>/skipped - exit 77 -fi - systemd-analyze log-level debug # Ensure that the init.scope.d drop-in is applied on boot
diff --git a/tools/update-distro-hash.py b/tools/update-distro-hash.py
index 16ed2e707a2..fd23078aecb 100755
--- a/tools/update-distro-hash.py
+++ b/tools/update-distro-hash.py
@@ -69,7 +69,7 @@ def update_distro(args, distro: str):
 print(f"+ {shlex.join(cmd)}")
 changes = subprocess.check_output(cmd, text=True).strip()
- conf_dir = Path('mkosi.images/system/mkosi.conf.d')
+ conf_dir = Path('mkosi.conf.d')
 files = conf_dir.glob('*/*.conf')
 for file in files:
 s = file.read_text()
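Review bot: `conf_dir = Path('mkosi.conf.d')` in the last hunk is relative to the process working directory, and `Path.glob` on a directory that does not exist yields nothing, so running the tool from anywhere but the repository root now silently updates no files while still having run the `cmd` whose output is captured just above. A guard right after the assignment, `if not conf_dir.is_dir(): raise SystemExit(f"{conf_dir} not found; run from the repository root")`, turns that into an immediate, explained failure. `update_distro` continues beyond the hunk, so the loop over `files` is only partly visible here.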