Here are two issues:
1. All mounts in a new user namespace are locked, so
we need to create a new root mount. We need to bind-mount root to
itself.
2. /proc and /sys must be mounted before umounting /proc and /sys
which were inhereted. It's a security policy.

"""
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Sun Mar 24 14:28:27 2013 -0700

    userns: Restrict when proc and sysfs can be mounted

    Only allow unprivileged mounts of proc and sysfs if they are already
    mounted when the user namespace is created.
"""
Signed-off-by: Andrey Vagin <avagin@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>