2025-09-30 –, Main
The storage directory settings in systemd help define where services store their data. Two important features have been implemented for these directories. The first one is id-mapped mounts, which is a filesystem feature that allows a mount namespace to show a different UID than what is stored on a file. Storage directories now support id-mapping, so that the files within the mount namespace of a service defined with DynamicUser=yes are owned by its unprivileged UID/GID. The second feature is storage quota support. Storage limits can now be defined in terms of percentages or absolute values to enforce quotas on the consumption of State, Cache, and Logs directories. These features enhance the security and resource management of systemd services.
With id-mapping, UIDs and GIDs will be mapped from “nobody” on the host namespace to the unprivileged UIDs/GIDs in the service’s namespace when DynamicUser= is set. This is a security enhancement since files on the host namespace don’t necessarily have to be created world-writable anymore. Moreover, access to files will not be lost on unit restart, as systemd uses ephemeral UIDs.
With quota enforcement, unique project IDs are added per storage directory type and per service, so that different limits can be enforced for different types of storage directories, e.g. a service can have one limit for State directories and a different one for Logs directories.
I am a Software Engineer with 5 years of experience working with Linux systems for Microsoft Azure Boost. I have had contributions to the Yocto project, gRPC, and systemd, adding features for buildhistory, socket activation, DHCP, and quota support. I graduated from Case Western Reserve University and am currently pursuing a Masters degree in Systems by the Georgia Institute of Technology, USA. Based in Seattle, WA.