diff --git a/contrib/scripts/nm-in-container.d/data-_nm-in-container-setup.sh b/contrib/scripts/nm-in-container.d/data-_nm-in-container-setup.sh
new file mode 100755
index 0000000000..7f7d253304
--- /dev/null
+++ b/contrib/scripts/nm-in-container.d/data-_nm-in-container-setup.sh
@@ -0,0 +1,13 @@
+#!/bin/bash -e
+
+if [ ! -d /tmp/sys2 ]; then
+ # `ip -netns t exec ...` will try to mount sysfs. But kernel rejects that in
+ # the container, unless a writable sysfs is already mounted. Due to --priviledged,
+ # we have /sys mounted rw, however, ip will first unmount /sys before trying to
+ # remount it. We thus need it mounted as rw one additional time.
+ #
+ # Let's do this setup step once, and never clean it up.
+ # https://github.com/containers/podman/issues/11887#issuecomment-938706628
+ mkdir /tmp/sys2
+ mount -t sysfs --make-private /tmp/sys2
+fi
diff --git a/contrib/scripts/nm-in-container.d/data-etc-rc.local b/contrib/scripts/nm-in-container.d/data-etc-rc.local
new file mode 100755
index 0000000000..3677a8c334
--- /dev/null
+++ b/contrib/scripts/nm-in-container.d/data-etc-rc.local
@@ -0,0 +1,3 @@
+#!/bin/bash -e
+
+/usr/bin/_nm-in-container-setup.sh
diff --git a/contrib/scripts/nm-in-container.d/data-nm-env-prepare.sh b/contrib/scripts/nm-in-container.d/data-nm-env-prepare.sh
index d82637efb0..aa8262e98d 100755
--- a/contrib/scripts/nm-in-container.d/data-nm-env-prepare.sh
+++ b/contrib/scripts/nm-in-container.d/data-nm-env-prepare.sh
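Review bot: In data-_nm-in-container-setup.sh the guard `[ ! -d /tmp/sys2 ]` tests for the directory rather than for the mount, so if `mkdir` succeeds and `mount` fails (the script runs with `-e`), or presumably if the directory outlives the mount across a container restart, every later run skips the mount and `ip netns exec` fails again. Checking the mount itself is more robust: `mkdir -p /tmp/sys2` followed by `mountpoint -q /tmp/sys2 || mount -t sysfs --make-private /tmp/sys2`. Since this leaves a second read-write sysfs under world-writable /tmp for the life of the container, the comment could also state that the script is meant only for the privileged, throwaway test container.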
@@ -116,27 +116,8 @@ do_redo() { do_setup "$@" } -do_one_time_setup() { - if [ ! -d /tmp/sys2 ]; then - # `ip -netns t exec ...` will try to mount sysfs. But kernel rejects that in - # the container, unless a writable sysfs is already mounted. Due to --priviledged, - # we have /sys mounted rw, however, ip will first unmount /sys before trying to - # remount it. We thus need it mounted as rw one additional time. - # - # Let's do this setup step once, and never clean it up. - # https://github.com/containers/podman/issues/11887#issuecomment-938706628 - mkdir /tmp/sys2 - mount -t sysfs --make-private /tmp/sys2 - fi -} - ############################################################################### -# We do this one-time-setup always when the script runs, and never clean it -# up. -do_one_time_setup - - IDX=1 NAME_PREFIX=net PEER_PREFIX= diff --git a/contrib/scripts/nm-in-container.sh b/contrib/scripts/nm-in-container.sh index 68c2a6d3d1..2c58d9e4fa 100755 --- a/contrib/scripts/nm-in-container.sh +++ b/contrib/scripts/nm-in-container.sh @@ -255,6 +255,9 @@ match-device=interface-name:net*,interface-name:eth* managed=1 EOF + cat < /etc/NetworkManager/conf.d/95-user.conf +COPY data-95-user.conf /etc/NetworkManager/conf.d/95-user.conf COPY data-bash_history /root/.bash_history COPY data-gdbinit /root/.gdbinit COPY data-gdb_history /root/.gdb_history COPY data-behaverc /root/.behaverc +RUN systemctl enable NetworkManager + # Generate a stable machine id. RUN echo "10001000100010001000100010001000" > /etc/machine-id @@ -445,7 +450,7 @@ do_build() { CONTAINERFILE="$BASEDIR/containerfile" create_dockerfile "$CONTAINERFILE" "$BASE_IMAGE" - podman build --tag "$CONTAINER_NAME_REPOSITORY:$CONTAINER_NAME_TAG" -f "$CONTAINERFILE" + podman build --squash-all --tag "$CONTAINER_NAME_REPOSITORY:$CONTAINER_NAME_TAG" -f "$CONTAINERFILE" } do_run() {
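Review bot: The `--squash-all` added to the `podman build` call in do_build carries no comment explaining why it is needed, and it does more than shrink the image: it flattens the layers inherited from the base image as well, so layer sharing with the base image is lost and the resulting image no longer exposes the base layers separately for inspection. A one-line comment above the call would help, for example `# --squash-all: flatten to a single layer; <reason>` (the reason is not stated on the page). If only the layers created by this containerfile need merging, `--squash` leaves the base image layers intact. do_build's body starts outside the hunk.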