Thanks, I didn't really want to disable the cgroups, but I checked the options again and an option is actually `--cgroupns=host`. This way systemd is able to kill the podman process when the main process of the unit is being killed. Given that podman had no chance to react, the state of the container is wrong after that: `podman ps` shows the container as running, and an error is logged when stopping the container. So it's an option, but I think it's cleaner to let my unit be restarted on-failure and then clean up the state.

On 6/7/21 8:24 PM, Matt Heon wrote:
You could use `--cgroups=disabled` when starting Podman, which will keep it in the same cgroup as the systemd unit and allow systemd to kill the container process as well. This does require the use of the `crun` OCI runtime (the default everywhere that's not RHEL and CentOS) and disables some Podman features, though (most notably resource limits, but a few more as well).

Thanks,
Matt Heon

On Mon, Jun 7, 2021 at 11:57 AM Hendrik Haddorp <hendrik.haddorp@gmx.net> wrote:
I actually tested about the same. My outer process is running as a systemd service and then starts a podman container as part of its work. This also does not make sure that the container gets killed when the service gets killed. Systemd kills all processes that are part of the service (using KillMode=mixed), but it is not able to kill all podman processes. I assume it is due to them not being in the same cgroup. I can only somewhat resolve it by having systemd restart my service on failure, and then I can clean up any still-running container.
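The "restart on failure, then clean up" approach that the thread settles on, written out as a systemd unit. This is an added illustration, not a unit posted by anyone in the thread or shipped by Podman. It assumes a hypothetical outer program `/usr/local/bin/outer-process` that starts its container with a fixed name (`podman run --name worker ...`), so that the cleanup steps can find it by name; the unit and container names are placeholders.

```ini
# /etc/systemd/system/outer.service (illustrative example, not from the thread)
[Unit]
Description=Outer process that launches a Podman container

[Service]
Type=simple
# Hypothetical outer program; it is assumed to run "podman run --name worker ..."
ExecStart=/usr/local/bin/outer-process

# Before (re)starting, remove a container left over from a previous run that
# systemd killed without giving podman a chance to react. The leading "-" makes
# a failure of this command non-fatal; --ignore suppresses the error when no
# such container exists, so a clean first start is not reported as a failure.
ExecStartPre=-/usr/bin/podman rm -f --ignore worker

# Runs after the main process exits, whether it stopped cleanly, crashed, or
# was killed, so stale container state is cleaned up on every stop as well.
ExecStopPost=-/usr/bin/podman rm -f --ignore worker

# SIGTERM goes only to the main process; any remaining processes in the unit's
# cgroup get SIGKILL. Podman processes outside that cgroup are not reached,
# which is why the cleanup steps above are needed.
KillMode=mixed
Restart=on-failure
RestartSec=5s

[Install]
WantedBy=multi-user.target
```

`podman rm -f` removes a running container and, for one whose monitor process has already been killed, reconciles the stored state rather than leaving `podman ps` reporting it as running. Whether the unit runs as root or as a user service determines which Podman storage the cleanup commands act on, so keep the unit and the outer process under the same account.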