diff --git a/lib/src/cli.rs b/lib/src/cli.rs
index 0ce2660d..aad8bce6 100644
--- a/lib/src/cli.rs
+++ b/lib/src/cli.rs
@@ -25,6 +25,7 @@ use serde::{Deserialize, Serialize};
 
 use crate::deploy::RequiredHostSpec;
 use crate::lints;
+use crate::mount::open_tree;
 use crate::progress_jsonl::{ProgressWriter, RawProgressFd};
 use crate::spec::Host;
 use crate::spec::ImageReference;
@@ -991,7 +992,9 @@ impl Opt {
 
 /// Internal (non-generic/monomorphized) primary CLI entrypoint
 async fn run_from_opt(opt: Opt) -> Result<()> {
-    let root = &Dir::open_ambient_dir("/", cap_std::ambient_authority())?;
+    // We want to open *only* the root filesystem of the container image
+    // ie: without /sys, /proc, /etc/resolve.conf bind mounts, etc.
+    let root: Dir = open_tree("/".into(), false)?.into();
     match opt {
         Opt::Upgrade(opts) => upgrade(opts).await,
         Opt::Switch(opts) => switch(opts).await,
@@ -1006,7 +1009,7 @@ async fn run_from_opt(opt: Opt) -> Result<()> {
                     );
                 }
 
-                lints::lint(root)?;
+                lints::lint(&root)?;
                 Ok(())
             }
         },
@@ -1071,7 +1074,7 @@ async fn run_from_opt(opt: Opt) -> Result<()> {
                 late_dir: _,
             } => {
                 let unit_dir = &Dir::open_ambient_dir(normal_dir, cap_std::ambient_authority())?;
-                crate::generator::generator(root, unit_dir)
+                crate::generator::generator(&root, unit_dir)
             }
             InternalsOpts::OstreeExt { args } => {
                 ostree_ext::cli::run_from_iter(["ostree-ext".into()].into_iter().chain(args)).await