<html>
    <head>
      <base href="https://bugs.freedesktop.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Instance variable %i not available for (Inaccessible|Read(Only|Write)Directories)"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=89875">89875</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Instance variable %i not available for (Inaccessible|Read(Only|Write)Directories)
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>systemd
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>enhancement
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>general
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>systemd-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>berni@birkenwald.de
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>systemd-bugs@lists.freedesktop.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>We're trying to run multiple DHCP processes on one system. They have
their data in a instance-specific configuration directory and we'd like
to limit (r/w for now) filesystem access to that directory for security
reasons.

==> dhcpd@.service <==
[Unit]
Description=DHCP Instance %i
After=syslog.target
After=network.target

[Service]
ExecStart=/usr/sbin/dhcpd -cf /var/lib/dhcp/%i/etc/dhcpd.conf -lf
/var/lib/dhcp/%i/db/dhcpd.leases -pf /var/lib/dhcp/%i/dhcpd.pid -f
Type=simple
Restart=on-failure
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_BIND_SERVICE
NoNewPrivileges=true
ReadOnlyDirectories=/
ReadWriteDirectories=/var/lib/dhcp/%i

This does not work

Apr 02 11:02:38 dns-w-neu systemd[1]: Started DHCP Instance b1peer2.
Apr 02 11:02:38 dns-w-neu systemd[1]: Starting DHCP Instance b1peer2...
Apr 02 11:02:38 dns-w-neu systemd[7760]: Failed at step NAMESPACE
spawning /usr/sbin/dhcpd: No such file or directory
Apr 02 11:02:38 dns-w-neu systemd[1]: <a href="mailto:dhcpd@b1peer2.service">dhcpd@b1peer2.service</a>: main
process exited, code=exited, status=226/NAMESPACE
Apr 02 11:02:38 dns-w-neu systemd[1]: Unit <a href="mailto:dhcpd@b1peer2.service">dhcpd@b1peer2.service</a> entered
failed state.
Apr 02 11:02:38 dns-w-neu systemd[1]: <a href="mailto:dhcpd@b1peer2.service">dhcpd@b1peer2.service</a> failed.
Apr 02 11:02:38 dns-w-neu systemd[1]: <a href="mailto:dhcpd@b1peer2.service">dhcpd@b1peer2.service</a> holdoff time
over, scheduling restart.

The directory exists

root@dns-w-neu:/var/lib/dhcp# ls -lad b1peer2
drwxr-xr-x 4 root root 4096 Apr  1 16:40 b1peer2

it works fine with either

ReadWriteDirectories=/var/lib/dhcp

and 

ReadWriteDirectories=/var/lib/dhcp/b1peer2

(which obviously won't work with other instances, but that's not  the
point here).

So it seems that %i is not evaluated in ReadWriteDirectories (at least).</pre>
        </div>
      </p>
      <hr>
      <span>You are receiving this mail because:</span>
      
      <ul>
          <li>You are the QA Contact for the bug.</li>
          <li>You are the assignee for the bug.</li>
      </ul>
    </body>
</html>