nix-community / impermanence

Modules to help you handle persistent state on systems with ephemeral root storage [maintainer=@talyz]
MIT License

Issues with systemd's DynamicUser and StateDirectory options #93

Open winterqt opened 2 years ago

winterqt commented 2 years ago

When using systemd's DynamicUser and StateDirectory options together, and trying to persist /var/lib/<service name>, the service fails to start because systemd expects the directory not to exist in order to set up the directory. This is obviously incompatible with how we bind mount the directory, but a simple solution for this issue doesn't come to mind. This may be unfixable, but I figured I'd open an issue in case anyone has any ideas.

linyinfeng commented 2 years ago

According to systemd.exec(5):

If DynamicUser= is used, the logic for CacheDirectory=, LogsDirectory= and StateDirectory= is slightly altered: the directories are created below /var/cache/private, /var/log/private and /var/lib/private, respectively, which are host directories made inaccessible to unprivileged users, which ensures that access to these directories cannot be gained through dynamic user ID recycling. Symbolic links are created to hide this difference in behaviour. Both from perspective of the host and from inside the unit, the relevant directories hence always appear directly below /var/cache, /var/log and /var/lib.

So you might want to persist /var/lib/private/<state directory name>.

jackwilsdon commented 5 months ago

Can confirm persisting /var/lib/private/<state directory name> works, thanks @linyinfeng!
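A minimal NixOS configuration that puts the thread's fix together, added here as an illustration rather than code from the issue or from the impermanence project; the service name `example-svc`, the persistent mount point `/persist` and the placeholder ExecStart are assumptions.

```nix
{ pkgs, ... }:
{
  # A service that combines DynamicUser with StateDirectory (name assumed).
  systemd.services.example-svc = {
    description = "Example service running as a dynamic user";
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      DynamicUser = true;
      # With DynamicUser, systemd creates /var/lib/private/example-svc and
      # places a symlink at /var/lib/example-svc pointing to it.
      StateDirectory = "example-svc";
      # Placeholder command; inside the unit the symlinked path works as usual.
      ExecStart = "${pkgs.coreutils}/bin/touch /var/lib/example-svc/started";
    };
  };

  # impermanence: persist the real directory under /var/lib/private.
  # Persisting /var/lib/example-svc instead would leave a bind mount where
  # systemd expects to create its symlink, and the unit would fail to start.
  environment.persistence."/persist" = {
    directories = [
      "/var/lib/private/example-svc"
    ];
  };
}
```

After a reboot, confirm that `/var/lib/private` is still root-owned and not world-accessible (for example `stat -c '%a %U' /var/lib/private`), since that restriction is what keeps recycled dynamic UIDs away from the persisted state.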