If I understand correctly, the container script produced by "guix system container" will allocate the same uid and gid for a service on each execution, but only if the corresponding entry in the service list has the same absolute position as it did before. I.e., if the services are reordered or if there are additions and removals, it's unlikely that the id allocations will be the same.

As long as a container's filesystems don't outlive the container itself, this works fine. But when host filesystems are bind-mounted inside the container with the --share or --expose options, it's important that each incarnation of a service uses the same uid and gid, because the bind mounts might be used to hold persistent state for those services.

At first, I thought that I could just define static uids and gids for these system accounts by adding corresponding user-account and user-group entries. But this doesn't work: rather than changing how the system accounts are defined for these services, it results in /etc files with duplicate entries. (See https://issues.guix.gnu.org/45570 for details.)
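As an added illustration (not code from Guix or from the poster), the following Python models the positional id allocation described above and adds two checks a practitioner can run against the /etc/passwd files of two container generations: one for accounts whose uid drifted between incarnations (the situation that breaks ownership of state on a --share or --expose mount) and one for duplicate entries. The allocator is a simplified stand-in with an assumed starting id, and the passwd snapshots are constructed sample data.

```python
"""Positional id allocation model plus drift/duplicate checks for /etc/passwd.

Assumptions (not from Guix): unpinned system accounts get ids handed out in
service-list order, counting down from SYSTEM_ID_START.  Snapshots are constructed.
"""
from typing import Dict, List, Tuple

SYSTEM_ID_START = 999  # assumption: first id given to an unpinned system account


def allocate_ids(services: List[str], start: int = SYSTEM_ID_START) -> Dict[str, int]:
    """Stand-in allocator: the n-th unpinned account gets start - n, so any
    insertion, removal or reordering shifts the ids of everything after it."""
    return {name: start - i for i, name in enumerate(services)}


def parse_passwd(text: str) -> Dict[str, int]:
    """Map account name -> uid from passwd(5) contents (seven colon-separated fields).
    A name that appears twice keeps its last uid; use duplicate_names to detect that."""
    ids: Dict[str, int] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        ids[fields[0]] = int(fields[2])
    return ids


def id_drift(old: Dict[str, int], new: Dict[str, int]) -> Dict[str, Tuple[int, int]]:
    """Accounts in both snapshots whose uid changed: name -> (old uid, new uid).
    Any state on a shared mount owned by the old uid is now owned by the wrong account."""
    return {n: (old[n], new[n]) for n in old if n in new and old[n] != new[n]}


def duplicate_names(text: str) -> List[str]:
    """Account names listed more than once (the symptom of adding a second
    user-account for a name a service already defines)."""
    names = [l.split(":")[0] for l in text.splitlines() if l and not l.startswith("#")]
    return sorted({n for n in names if names.count(n) > 1})


# Constructed snapshots: a service was inserted before "postgres" in the second one.
OLD_PASSWD = """root:x:0:0:root:/root:/bin/sh
nginx:x:999:999:nginx server user:/var/empty:/sbin/nologin
postgres:x:998:998:PostgreSQL server user:/var/empty:/sbin/nologin
"""
NEW_PASSWD = """root:x:0:0:root:/root:/bin/sh
nginx:x:999:999:nginx server user:/var/empty:/sbin/nologin
redis:x:998:998:Redis server user:/var/empty:/sbin/nologin
postgres:x:997:997:PostgreSQL server user:/var/empty:/sbin/nologin
"""
```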