pivot_root can't be called if / is on a ramfs. Currently chroot is
called before pivot_root. In this case the standard well-known
'chroot escape' technique allows to escape a container.

I think the best way to handle this situation is to make following actions:
* clean all mounts, which should not be visible in CT
* move CT's rootfs into /
* make chroot into /

I don't have a host, where / is on a ramfs, so I can't test this patch.
Signed-off-by: Andrey Vagin <avagin@openvz.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>