-CMD="unshare -fp --mount-proc -i -u ip netns exec $NAME chroot $LIVE /bin/sh"
-echo "$CMD"
-
-config RAM_SIZE 50M
-
-cat <<EOF | $CMD
-set -x
-mount -t proc proc /proc
-mount -t devpts devpts /dev/pts
-mount -t sysfs sysfs /sys
-if [ "$RAM_SIZE" != "none" ] && ! grep -q '/run tmpfs' /proc/mounts ; then
- mount -t tmpfs -osize=$RAM_SIZE,mode=755 tmpfs /run
-fi
-for srv in $START ; do service \$srv start ; done
-dummy_service() {
- [ \$# -gt 3 ] && return 0
- echo "Starting dummy service" >&2
- set +x
- [ -p /run/dummy_service ] || mkfifo /run/dummy_service
- ( printf dummy_service > /proc/self/comm ; read X < /run/dummy_service ) &
- set -x
-}
-dummy_service /proc/*/comm
-exec /.reaper $NAME
-EOF
-echo "EXITED $CMD"
+# This process has an unshared mount namespace, so we unmount almost
+# everything before chroot. Exceptions are: $LIVE and anything mounted
+# below that, "/run/netns/$NAME" and its parent paths (incidentally
+# including "/" as well) and "/proc".
+sort -rk2,2 < /proc/mounts | while read D P A2 ; do
+ beginswith "$P" "$LIVE" && continue
+ beginswith "$P" "$(realpath $LIVE)" && continue
+ beginswith "/run/netns/$NAME" "$P" && continue
+ [ "$P" = /proc ] && continue
+ umount "$P"
+done
+
+echo "Starting $NAME"
+env CONFIG="$CONFIG" $INIT | \
+ unshare -fp --mount-proc -i -u \
+ ip netns exec $NAME chroot $LIVE /bin/sh
+echo "Exited $NAME"