minimum container setup to run with systemd

[flixman]

I am running a rootless container based on quay.io/podman/stable, to build and run containers (podman-in-podman). As per another discussion on this project, I have learned that the healthchecks make use of systemd service. Right now I am starting my outer container with the following flags:

--device /dev/fuse --device /dev/net/tun --security-opt=unmask=/proc/sys

The problem is: when I set up health checks, podman makes use of systemd timers... and systemd does not work with this flags. I have read I can use --privileged, but then I understand I would be lowering the protections provided by podman and the processes in the container would behave as running by the user on the bare metal. Is this a good idea? Is there any way to run systemd without taking down those protection layers?

Would work, maybe, to extend the image from quay.io/podman/stable with the layers stated on the ubi9-init? Then, that image would be able to run internally systemd, right?

[flixman]

@rhatdan excuse me for mentioning you here. I have come across this discussion, in which you are a participant... maybe you can give me a hand? I am looking around for clean ways of doing this, but I do not see any.