diff --git a/tools/catalyst-auto b/tools/catalyst-auto
index cf5a7c65..c06a42bf 100755
--- a/tools/catalyst-auto
+++ b/tools/catalyst-auto
@@ -2,21 +2,6 @@
 # Copyright 1999-2014 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 
-# First let's get our own namespaces to avoid leaking crap.
-if [[ -z ${UNSHARE} ]] ; then
- if type -P unshare >&/dev/null ; then
- uargs=()
- # Probe the namespaces as some can be disabled (or we are not root).
- unshare -m -- true >&/dev/null && uargs+=( -m )
- unshare -u -- true >&/dev/null && uargs+=( -u )
- unshare -i -- true >&/dev/null && uargs+=( -i )
- unshare -p -- true >&/dev/null && uargs+=( -p -f --mount-proc )
- # Re-exec ourselves in the new namespace.
- UNSHARE=true exec unshare "${uargs[@]}" -- "$0" "$@"
- fi
-fi
-unset UNSHARE
-
 CATALYST_CONFIG=/etc/catalyst/catalyst.conf
 
 # Probe the default source dir from this script name.
@@ -179,6 +164,26 @@ parse_args() {
 done
 }
 
+# Let's get our own namespaces/etc... to avoid leaking crap.
+containerize() {
+ # If we've already relaunched, nothing to do.
+ if [[ ${UNSHARE} == "true" ]] ; then
+ return
+ fi
+
+ # Most systems have unshare available, but just in case.
+ if type -P unshare >&/dev/null ; then
+ local uargs=()
+ # Probe the namespaces as some can be disabled (or we are not root).
+ unshare -m -- true >&/dev/null && uargs+=( -m )
+ unshare -u -- true >&/dev/null && uargs+=( -u )
+ unshare -i -- true >&/dev/null && uargs+=( -i )
+ unshare -p -- true >&/dev/null && uargs+=( -p -f --mount-proc )
+ # Re-exec ourselves in the new namespace.
+ UNSHARE=true exec unshare "${uargs[@]}" -- "$0" "$@"
+ fi
+}
+
 run_catalyst_commands() {
 doneconfig=0
 for config_file in "${config_files[@]}"; do
@@ -388,6 +393,9 @@ main() {
 # Parse user arguments before we try doing container logic.
 parse_args "$@"
 
+ # Try to isolate ourselves from the rest of the system.
+ containerize "$@"
+
 (
 if [[ -n ${lock_file} ]]; then
 if ! flock -n 9; then
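Review bot: The relaunch guard in `containerize` returns when `UNSHARE` is `true` but never clears it, whereas the removed top-level block ended with `unset UNSHARE`. The marker therefore stays exported to everything the relaunched script spawns, and a caller that already has `UNSHARE=true` in its environment skips isolation with no message; adding `unset UNSHARE` before the `return` restores the old behaviour. The fallback is also silent: if `unshare` is missing the function simply returns, and if every probe fails it re-execs with an empty `uargs`, so a build can run unisolated with nothing in the log. An `else` branch such as `echo "catalyst-auto: unshare not found, running without namespace isolation" >&2` would make that visible. The last probe tests `unshare -p` alone while the exec adds `-f --mount-proc`, so probing that exact flag set would be safer on hosts where those options are unavailable.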
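Review bot: The comment above `containerize "$@"` does not tell the reader that this call normally does not return in the first process: when `unshare` is found it re-execs `"$0" "$@"`, so `parse_args` and anything later placed above this line runs a second time in the relaunched copy. I would extend the comment, for example `# NB: containerize re-execs this script under unshare, so everything above this call runs twice.` Whether `parse_args` has side effects that matter on a second pass is not visible in this hunk and is worth a quick check. `main` starts and continues outside the hunk.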