[Podman] Why does conmon land in a different cgroup when using systemd and podman?

Given an alpine:3.10.1 image ``` podman pull alpine:3.10.1 ``` And a unit file foo.service ``` [Service] ExecStart=/usr/bin/podman run --name %N --rm --tty alpine:3.10.1 sleep 99999 ExecStop=/usr/bin/podman stop %N ``` And starting `foo.service` with `systemctl` ``` # systemctl daemon-reload # systemctl start foo.service ``` I don't see my `sleep` process in `foo.service` status: ``` # systemctl status foo.service | head ● foo.service Loaded: loaded (/etc/systemd/system/foo.service; static; vendor preset: enabled) Active: active (running) since Sat 2019-08-10 19:58:05 UTC; 40s ago Main PID: 15524 (podman) Tasks: 9 Memory: 7.3M CPU: 79ms CGroup: /system.slice/foo.service └─15524 /usr/bin/podman run --name foo --rm --tty alpine:3.10.1 sleep 99999 ``` I see `conmon` land in a different cgroup, visible with the `systemd-cgls` command: ``` # systemd-cgls Control group /: -.slice ├─init.scope │ └─1 /sbin/init ├─machine.slice │ ├─libpod-conmon-c598f5a0c84881c69dcd69c5af981dd5071385138e45ce0c3b94dcc5308953a │ │ └─15648 /usr/bin/conmon -s -c c598f5a0c84881c69dcd69c5af981dd5071385138e45ce0 │ └─libpod-c598f5a0c84881c69dcd69c5af981dd5071385138e45ce0c3b94dcc5308953a5.scope │ └─15662 sleep 99999 ├─system.slice │ ├─mdadm.service │ │ └─880 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --s │ ├─foo.service │ │ └─15524 /usr/bin/podman run --name foo --rm --tty alpine:3.10.1 sleep 99999 ``` From listening to youtube presentations about podman I thought podman using a traditional fork exec model would imply all my processes would show up in the same `systemctl status` and be in the same control group controlled by systemd. Looking at the output of `ps` also shows that the `sleep` process is the parent of the `conmon` process and not the `podman` process: ``` # ps -Heo pid,ppid,comm,cgroup 15524 1 podman 11:memory:/system.slice/foo.service,8:pids:/system.sl 15648 1 conmon 11:memory:/machine.slice/libpod-conmon-c598f5a0c84881 15662 15648 sleep 11:memory:/machine.slice/libpod-c598f5a0c84881c69dcd6 ``` Instead it looks like `conmon` in a `scope` unit named: ``` libpod-conmon-c598f5a0c84881c69dcd69c5af981dd5071385138e45ce0c3b94dcc5308953a5.scope ``` Why doesn't `conmon` and `sleep` land in the same `foo.service` systemd unit?