Paths in ReadOnlyDirectories= and InaccessibleDirectories= may be prefixed with "-", in which case they will be ignored when they do not exist. Note that using this setting will disconnect propagation of mounts from the service to the host (propagation in the opposite direction continues to work). This means that this setting may not be used for services which shall be able to install mount points in the main mount namespace.
The minus (-) means that if the folder at /path/to/folder does not exist when the service is run, then the service will be run as if that line ReadWriteDirectories=-/path/to/folder did not exist, so the service would not get read and write access to that folder (because the folder doesn't exist!). But the service will still be run. If you did not specify the minus sign, the service would fail entirely if the folder did not exist.
The difference is merely that one silently ignores any potential problems (useful if the service can cope without that directory), whereas the other fails if the directory doesn't exist (useful for instances where, for example, the service's job is to read files from one directory and move them to the read-write directory).
Note that interestingly, the man page @pavlos_kairis linked to implies that the minus sign can only be used in ReadOnlyDirectories= and InaccessibleDirectories= lines -- there is no explicit mention of ReadWriteDirectories= lines.
The prebuilt systemd program name.service which I have installed comes with the following setting.
ProtectSystem=full
ReadOnlyDirectories=/ (root) read-only
ReadWriteDirectories=-/proc
ReadWriteDirectories=-/var/lib/program name
ReadWriteDirectories=-/var/log/program name
ReadWriteDirectories=-/run
I wonder about this scenario here because program name can write log files to "/var/log/program name" although at "ReadWriteDirectories=-/var/log/program name" the -minus flag is set.
Do you mean that you wondered about that scenario? If not, and you really mean what you said in the present tense, then clearly I haven't explained the minus flag well enough.
I'm wondering about that: my program name can write log files when the -minus flag is at 'ReadWriteDirectories=-/var/log/program name'.
It does not exist, you say:
gordon:
The minus (-) means that if the folder at /path/to/folder does not exist when the service is run, then the service will be run as if that line ReadWriteDirectories=-/path/to/folder did not exist
I'm sorry, but past this point it's too difficult for me to understand what you're trying to say. I therefore shall not reply to this topic anymore -- but if someone else wants to pick this up, then go right on ahead.
@gordon,
it has settled; I understood it because of systemd's "ReadWriteDirectories=-".
Tried a little bit with the setting/config.
If my "program name.service" is running with this config @ "program name.service":
ProtectSystem=full
ReadOnlyDirectories=/ (root) read-only
ReadWriteDirectories=-/proc
ReadWriteDirectories=-/var/lib/program name
ReadWriteDirectories=-/var/log/program name
ReadWriteDirectories=-/run
All directories on ROOT / are in 'read-only' mode then.
Excluded 'read-only' directories are set with the "-/path/to/folder", for example:
ReadWriteDirectories=-/proc
ReadWriteDirectories=-/var/lib/program name
ReadWriteDirectories=-/var/log/program name
ReadWriteDirectories=-/run
These directories have 'read & write access' on my config.
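As an added example (not code from this thread), a small POSIX shell checker that reads a unit file and reports, for each ReadWriteDirectories=/ReadOnlyDirectories=/InaccessibleDirectories= entry (and the newer *Paths= spellings), whether systemd would apply it, silently skip it because of the "-" prefix, or refuse to start the service, which is exactly the distinction explained by gordon above and the reason the log directory in the final config stays writable: a "-" entry whose directory exists is applied like any other. The unit file and the scratch directory tree it inspects are constructed placeholders (myprog), not a real service.

```shell
#!/bin/sh
# Added example, not code from the thread: classify the directory directives
# of a systemd unit file the way systemd treats them at service start.
#   applied -> path exists, the read-only / read-write rule takes effect
#   ignored -> "-" prefix and path missing: the line behaves as if absent
#   FATAL   -> no prefix and path missing: the service fails to start
# Covers the old *Directories= spelling and the newer *Paths= spelling.
check_unit_paths() {
    unit="$1"
    grep -E '^(ReadWrite|ReadOnly|Inaccessible)(Directories|Paths)=' "$unit" |
    while IFS='=' read -r key value; do
        # systemd splits the value on whitespace, so handle each entry.
        for entry in $value; do
            case "$entry" in
                -*) optional=yes; path="${entry#-}" ;;
                *)  optional=no;  path="$entry" ;;
            esac
            if [ -e "$path" ]; then
                echo "$key $path applied"
            elif [ "$optional" = yes ]; then
                echo "$key $path ignored"
            else
                echo "$key $path FATAL"
            fi
        done
    done
}

# Constructed demo: a scratch tree standing in for the real filesystem and a
# unit modelled on the thread's config (all paths are hypothetical placeholders).
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/var/log/myprog"   # exists, so it is writable despite "-"
    cat > "$root/myprog.service" <<EOF
[Service]
ProtectSystem=full
ReadOnlyDirectories=$root
ReadWriteDirectories=-$root/var/log/myprog
ReadWriteDirectories=-$root/var/lib/myprog
ReadWriteDirectories=$root/run/myprog
EOF
    check_unit_paths "$root/myprog.service"
    rm -rf "$root"
}

demo
```

Run it against a real unit with `check_unit_paths /etc/systemd/system/<name>.service` to see which "-" entries are currently being skipped on the host.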