Instead of keeping all the old mounts in the container namespace and
just using subtree as root we pivot_root so that the actual root in
the namespace is the root we want, and then we unmount the previous
mounts.
This has multiple advantages:
* The namespace mount tree is smaller (in the kernel)
* If you break out of the chroot you could previously access the host
filesystem. Now the host filesystem is fully invisible to the namespace.
* We get rid of all unrelated mounts from the parent namespace, which means
we don't hog these. This is important if we later switch to MS_PRIVATE instead
of MS_SLAVE as otherwise these mounts would be impossible to unmount from the
parent namespace.
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
Upstream-commit: 5b5c884cc8266d0c2a56da0bc2df14cc9d5d85e8
Component: engine
a4a84bcafe