I noticed that `virtualisation.oci-containers` uses a `type=simple` systemd service while `podman generate systemd` uses a `type=forking` one. Intuitively I like the `run --rm` approach, but I tried to figure out why the podman folks seem to think `type=forking` and `run -d` are better.
Someone seems to answer this here: stdout missing when running podman from systemd · Issue #4720 · containers/podman · GitHub

> Our containers are not direct children of Podman. During container startup, we launch an instance of Conmon (an extremely lightweight monitor process) which double-forks to daemonize and then launches the container as its own child. As a result of this, once the container is running, you can hit `podman run` with SIGKILL, and it will go away - but the container will still be running fine, in the background. Systemd doesn’t know that, and also can’t see it with cgroups (the container makes its own cgroups), so it interpreted the `podman run` process dying as the container dying, when it was still running - the states of Podman and systemd desynced, and nothing worked properly afterwards without manual intervention. The use of a pidfile might be able to resolve this, but I’m not sure it will - we’ve never tested it that way.
This comment is from Dec 2019 so I am not sure if this is still the case.

Just to be clear: so far I haven’t had any problems with the current implementation, I am just interested whether this was considered when implementing `virtualisation.oci-containers`.
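To make the two unit shapes being compared concrete, here are the two service definitions side by side, written as an added example for this thread; they are not taken from the NixOS module or from `podman generate systemd` output. The container name `example-ctr`, the image, and the `/usr/bin/podman` path are placeholders, and the two units are meant to live in two separate `.service` files. The difference that matters for the desync described in the quoted comment is which process systemd treats as the unit's main PID: the `podman run` client (a) or conmon, via the pidfile (b).

```ini
# Added example, not from the original post or from the NixOS/podman projects.
# Two alternative unit files for the same container; pick one, do not
# install both. Container name, image and podman path are placeholders.

# ---- file 1: example-simple.service (the oci-containers shape) ----
# systemd supervises the `podman run` client process. conmon double-forks
# out from under it, so if this process dies the container keeps running
# and the unit's state no longer matches the container's state.
[Unit]
Description=example container (Type=simple, podman run --rm)
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
# Clear any leftover container with the same name before starting.
ExecStartPre=-/usr/bin/podman rm -f example-ctr
# Foreground run; the container is removed when it exits.
ExecStart=/usr/bin/podman run --rm --name example-ctr docker.io/library/nginx:alpine
ExecStop=/usr/bin/podman stop -t 10 example-ctr
Restart=always

[Install]
WantedBy=multi-user.target

# ---- file 2: example-forking.service (the generate-systemd shape) ----
# podman detaches (-d) and writes conmon's PID to a pidfile; systemd
# reads that file, so the unit's main PID is conmon, not the short-lived
# podman client, and the container outliving `podman run` is expected.
[Unit]
Description=example container (Type=forking, podman run -d)
After=network-online.target
Wants=network-online.target

[Service]
Type=forking
# %t expands to the runtime directory (/run for system units).
PIDFile=%t/example-ctr.pid
ExecStartPre=-/usr/bin/podman rm -f example-ctr
ExecStart=/usr/bin/podman run -d --name example-ctr --conmon-pidfile %t/example-ctr.pid docker.io/library/nginx:alpine
ExecStop=/usr/bin/podman stop -t 10 example-ctr
Restart=on-failure

[Install]
WantedBy=multi-user.target
```

A quick way to see which process each unit is tracking is `systemctl status <unit>` (the "Main PID" line) next to `podman inspect --format '{{.State.ConmonPid}}' example-ctr`: under file 2 the two numbers match, under file 1 the main PID is the `podman run` client and conmon is not in the unit's cgroup view in the way the quoted comment describes.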