diff --git a/docker/services/neutron-dhcp.yaml b/docker/services/neutron-dhcp.yaml
index d24350c2d7..5911384f88 100644
--- a/docker/services/neutron-dhcp.yaml
+++ b/docker/services/neutron-dhcp.yaml
@@ -23,6 +23,20 @@ parameters:
     description: Generate a wrapper script so neutron launches haproxy in a separate container.
     type: boolean
     default: true
+  Debug:
+    type: boolean
+    default: false
+    description: Set to True to enable debugging on all services.
+  NeutronWrapperDebug:
+    type: boolean
+    default: false
+    description: Controls debugging for the wrapper scripts.
+  ContainerCli:
+    type: string
+    default: 'docker'
+    description: CLI tool used to manage containers.
+    constraints:
+      - allowed_values: ['docker', 'podman']
   NeutronDhcpAgentLoggingSource:
     type: json
     default:
@@ -68,6 +82,8 @@ conditions:
   internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
   dnsmasq_wrapper_enabled: {equals: [{get_param: NeutronEnableDnsmasqDockerWrapper}, true]}
   haproxy_wrapper_enabled: {equals: [{get_param: NeutronEnableHaproxyDockerWrapper}, true]}
+  docker_enabled: {equals: [{get_param: ContainerCli}, 'docker']}
+  service_debug_unset: {equals : [{get_param: NeutronWrapperDebug}, false]}
 
 resources:
 
@@ -108,6 +124,12 @@ outputs:
             tripleo::profile::base::neutron::dhcp_agent_wrappers::enable_haproxy_wrapper: {get_param: NeutronEnableHaproxyDockerWrapper}
             tripleo::profile::base::neutron::dhcp_agent_wrappers::haproxy_process_wrapper: '/var/lib/neutron/dhcp_haproxy_wrapper'
             tripleo::profile::base::neutron::dhcp_agent_wrappers::haproxy_image: {get_param: DockerNeutronDHCPImage}
+            tripleo::profile::base::neutron::dhcp_agent_wrappers::debug:
+              if:
+                - service_debug_unset
+                - {get_param: Debug }
+                - {get_param: NeutronWrapperDebug}
+            tripleo::profile::base::neutron::container_cli: {get_param: ContainerCli}
       service_config_settings:
         map_merge:
           - get_attr: [NeutronBase, role_data, service_config_settings]
@@ -203,7 +225,11 @@ outputs:
                   - /run/openvswitch:/run/openvswitch
                   - /var/lib/neutron:/var/lib/neutron
                   - /run/netns:/run/netns:shared
-                  - /var/lib/openstack:/var/lib/openstack
+                -
+                  if:
+                    - docker_enabled
+                    - - /var/lib/openstack:/var/lib/openstack
+                    - null
                 -
                   if:
                     - dnsmasq_wrapper_enabled
diff --git a/docker/services/neutron-l3.yaml b/docker/services/neutron-l3.yaml
index bb5eb80653..34d3363a24 100644
--- a/docker/services/neutron-l3.yaml
+++ b/docker/services/neutron-l3.yaml
@@ -40,6 +40,20 @@ parameters:
                  once the fix to radvd is generally available across target distributions.
     type: boolean
     default: false
+  Debug:
+    type: boolean
+    default: false
+    description: Set to True to enable debugging on all services.
+  NeutronWrapperDebug:
+    type: boolean
+    default: false
+    description: Controls debugging for the wrapper scripts.
+  ContainerCli:
+    type: string
+    default: 'docker'
+    description: CLI tool used to manage containers.
+    constraints:
+      - allowed_values: ['docker', 'podman']
   ServiceData:
     default: {}
     description: Dictionary packing service data
@@ -72,6 +86,8 @@ conditions:
   haproxy_wrapper_enabled: {equals: [{get_param: NeutronEnableHaproxyDockerWrapper}, true]}
   dibbler_wrapper_enabled: {equals: [{get_param: NeutronEnableDibblerDockerWrapper}, true]}
   radvd_wrapper_enabled: {equals: [{get_param: NeutronEnableRadvdDockerWrapper}, true]}
+  docker_enabled: {equals: [{get_param: ContainerCli}, 'docker']}
+  service_debug_unset: {equals : [{get_param: NeutronWrapperDebug}, false]}
 
 resources:
 
@@ -116,6 +132,12 @@ outputs:
             tripleo::profile::base::neutron::l3_agent_wrappers::enable_radvd_wrapper: {get_param: NeutronEnableRadvdDockerWrapper}
             tripleo::profile::base::neutron::l3_agent_wrappers::radvd_process_wrapper: '/var/lib/neutron/radvd_wrapper'
             tripleo::profile::base::neutron::l3_agent_wrappers::radvd_image: {get_param: DockerNeutronL3AgentImage}
+            tripleo::profile::base::neutron::l3_agent_wrappers::debug:
+              if:
+                - service_debug_unset
+                - {get_param: Debug }
+                - {get_param: NeutronWrapperDebug}
+            tripleo::profile::base::neutron::container_cli: {get_param: ContainerCli}
 
       service_config_settings:
         map_merge:
@@ -202,7 +224,11 @@ outputs:
                   - /run/openvswitch:/run/openvswitch
                   - /var/lib/neutron:/var/lib/neutron
                   - /run/netns:/run/netns:shared
-                  - /var/lib/openstack:/var/lib/openstack
+                -
+                  if:
+                    - docker_enabled
+                    - - /var/lib/openstack:/var/lib/openstack
+                    - null
                 -
                   if:
                     - keepalived_wrapper_enabled
diff --git a/docker/services/ovn-metadata.yaml b/docker/services/ovn-metadata.yaml
index 9bf2ab7a61..f9ef2654ed 100644
--- a/docker/services/ovn-metadata.yaml
+++ b/docker/services/ovn-metadata.yaml
@@ -19,6 +19,20 @@ parameters:
     description: Generate a wrapper script so that haproxy is launched in a separate container.
     type: boolean
     default: true
+  Debug:
+    type: boolean
+    default: false
+    description: Set to True to enable debugging on all services.
+  OVNWrapperDebug:
+    type: boolean
+    default: false
+    description: Controls debugging for the wrapper scripts.
+  ContainerCli:
+    type: string
+    default: 'docker'
+    description: CLI tool used to manage containers.
+    constraints:
+      - allowed_values: ['docker', 'podman']
   ServiceData:
     default: {}
     description: Dictionary packing service data
@@ -47,7 +61,9 @@ parameters:
     type: json
 
 conditions:
-    haproxy_wrapper_enabled: {equals: [{get_param: OVNEnableHaproxyDockerWrapper}, true]}
+  haproxy_wrapper_enabled: {equals: [{get_param: OVNEnableHaproxyDockerWrapper}, true]}
+  docker_enabled: {equals: [{get_param: ContainerCli}, 'docker']}
+  service_debug_unset: {equals : [{get_param: OVNWrapperDebug}, false]}
 
 resources:
 
@@ -81,6 +97,12 @@ outputs:
           - tripleo::profile::base::neutron::ovn_metadata_agent_wrappers::enable_haproxy_wrapper: {get_param: OVNEnableHaproxyDockerWrapper}
             tripleo::profile::base::neutron::ovn_metadata_agent_wrappers::haproxy_process_wrapper: '/var/lib/neutron/ovn_metadata_haproxy_wrapper'
             tripleo::profile::base::neutron::ovn_metadata_agent_wrappers::haproxy_image: {get_param: DockerOvnMetadataImage}
+            tripleo::profile::base::neutron::ovn_metadata_agent_wrappers::debug:
+              if:
+                - service_debug_unset
+                - {get_param: Debug }
+                - {get_param: OVNWrapperDebug}
+            tripleo::profile::base::neutron::container_cli: {get_param: ContainerCli}
       puppet_config:
         puppet_tags: neutron_config,ovn_metadata_agent_config
         config_volume: neutron
@@ -171,7 +193,11 @@ outputs:
                   - /run/openvswitch:/run/openvswitch
                   - /var/lib/neutron:/var/lib/neutron
                   - /run/netns:/run/netns:shared
-                  - /var/lib/openstack:/var/lib/openstack
+                -
+                  if:
+                    - docker_enabled
+                    - - /var/lib/openstack:/var/lib/openstack
+                    - null
                 -
                   if:
                     - haproxy_wrapper_enabled
diff --git a/puppet/services/docker.yaml b/puppet/services/docker.yaml
index 92d08024e0..b6d29698dd 100644
--- a/puppet/services/docker.yaml
+++ b/puppet/services/docker.yaml
@@ -68,6 +68,15 @@ parameters:
     default: ''
     description: User added to the docker group in order to use container commands.
     type: string
+parameter_groups:
+- label: deprecated
+  description: |
+   The following parameters are deprecated and will be removed. They should not
+   be relied on for new deployments. If you have concerns regarding deprecated
+   parameters, please contact the TripleO development team on IRC or the
+   OpenStack mailing list.
+  parameters:
+  - DockerAdditionalSockets
 
 conditions:
   insecure_registry_is_empty: {equals : [{get_param: DockerInsecureRegistryAddress}, []]}
diff --git a/releasenotes/notes/wrapper-containers-debug-844c13348c83de93.yaml b/releasenotes/notes/wrapper-containers-debug-844c13348c83de93.yaml
new file mode 100644
index 0000000000..fbb540701c
--- /dev/null
+++ b/releasenotes/notes/wrapper-containers-debug-844c13348c83de93.yaml
@@ -0,0 +1,16 @@
+---
+features:
+  - |
+    ``ContainerCli`` allows 'docker' (deprecated) and 'podman' for Neutron
+    L3/DHCP and OVN metadata rootwrap containers managed by agents.
+    Parameters ``OVNWrapperDebug`` and  ``NeutronWrapperDebug`` (Defaults to
+    `False`) allow to log debug messages for the wrapper scripts managing
+    rootwrap containers. It is also controled by the global ``Debug`` setting.
+fixes:
+  - |
+    Neutron/OVN rootwrap containers are managed by agents and will no longer
+    be deleted, when the parent container restarts.
+deprecations:
+  - |
+    Parameter ``DockerAdditionalSockets`` is deprecated. No sockets are
+    expected to bind mount for podman. So it only works for the docker runtime.