diff --git a/packages/os/bootstrap-containers-tmpfiles.conf b/packages/os/bootstrap-containers-tmpfiles.conf
index 7a7aa9b3a82..00c3c035e20 100644
--- a/packages/os/bootstrap-containers-tmpfiles.conf
+++ b/packages/os/bootstrap-containers-tmpfiles.conf
@@ -1,3 +1,4 @@
 d /etc/bootstrap-containers 0750 root root -
+d /run/bootstrap-containers 0755 root root -
 d /local/bootstrap-containers 0700 root root -
 T /local/bootstrap-containers - - - - security.selinux=system_u:object_r:secret_t:s0
diff --git a/packages/os/bootstrap-containers@.service b/packages/os/bootstrap-containers@.service
index 72dbd64d742..7e35eaf01dd 100644
--- a/packages/os/bootstrap-containers@.service
+++ b/packages/os/bootstrap-containers@.service
@@ -7,10 +7,16 @@ Wants=host-containers.service
 # started by systemd
 RefuseManualStart=true
 RefuseManualStop=true
+# If a sentinel file exists for this bootstrap container, it means we should skip
+# since we've run this bootstrap container already.
+ConditionPathExists=!/run/bootstrap-containers/%i.ran
 [Service]
 Type=oneshot
 EnvironmentFile=/etc/bootstrap-containers/%i.env
+# Create a sentinel file to mark that we've run
+ExecStart=/usr/bin/touch /run/bootstrap-containers/%i.ran
+# Run the bootstrap container
 ExecStart=/usr/bin/host-ctr run \
 --container-id='%i' \
 --source='${CTR_SOURCE}' \
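Review bot: The new `/run/bootstrap-containers` entry is created 0755 while the sibling `/etc/bootstrap-containers` directory on the line above is 0750, and nothing in this change needs the sentinel directory to be world-readable; since the `%i.ran` files it holds are what the unit's `ConditionPathExists` uses to decide whether a bootstrap container runs again, I would tighten it to `d /run/bootstrap-containers 0750 root root -` for consistency, or add a comment stating why other users need to list it. Root ownership already prevents unprivileged users from planting a sentinel, so the exposure is limited to revealing which bootstrap containers have run this boot. Unlike the `/local/bootstrap-containers` entry, no `security.selinux` label is set here, so the directory presumably takes the default label for `/run`; worth confirming the policy allows the service's `touch` to create files there, since a denial would silently leave the sentinel unset and the container re-running on every start.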