@tjdett
Created July 6, 2016 04:30
Using docker://fedora/systemd-systemd with rkt to run systemd in an app container
{
"acVersion": "0.8.4",
"acKind": "PodManifest",
"apps": [
{
"name": "systemd",
"image": {
"id": "sha512-1a77404ea8db0b2577ca969cbc26bd57ee227a8b2e52b483e2581d11ccb64f22"
},
"app": {
"exec": [ "/bin/bash", "-c", "umount /sys/fs && mount --bind /data/cgroup /sys/fs/cgroup && exec unshare --pid --fork --mount-proc /sbin/init" ],
"environment": [ { "name": "container", "value": "rkt" } ],
"user": "0",
"group": "0",
"mountPoints": [
{
"name": "host-cgroup",
"path": "/data/cgroup",
"readOnly": true
}
],
"isolators": [
{
"name": "os/linux/capabilities-retain-set",
"value": {
"set": [
"CAP_MKNOD",
"CAP_CHOWN",
"CAP_LINUX_IMMUTABLE",
"CAP_SYS_MODULE",
"CAP_SYS_PTRACE",
"CAP_SYS_CHROOT",
"CAP_SYS_BOOT",
"CAP_SYS_TIME",
"CAP_AUDIT_WRITE",
"CAP_NET_BROADCAST",
"CAP_NET_RAW",
"CAP_IPC_LOCK",
"CAP_SYS_RAWIO",
"CAP_FSETID",
"CAP_WAKE_ALARM",
"CAP_MAC_OVERRIDE",
"CAP_BLOCK_SUSPEND",
"CAP_AUDIT_READ",
"CAP_DAC_READ_SEARCH",
"CAP_SETUID",
"CAP_SYS_TTY_CONFIG",
"CAP_AUDIT_CONTROL",
"CAP_DAC_OVERRIDE",
"CAP_NET_ADMIN",
"CAP_IPC_OWNER",
"CAP_SYS_RESOURCE",
"CAP_LEASE",
"CAP_SETFCAP",
"CAP_MAC_ADMIN",
"CAP_KILL",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_NICE",
"CAP_FOWNER",
"CAP_SETGID",
"CAP_SYS_PACCT",
"CAP_SYS_ADMIN",
"CAP_SYSLOG"
]
}
}
]
}
}
],
"volumes": [
{
"name": "host-cgroup",
"kind": "host",
"source": "/sys/fs/cgroup",
"readOnly": true
},
{
"name": "volume-sys-fs-cgroup",
"kind": "host",
"source": "/sys/fs/cgroup",
"readOnly": true
}
]
}