B: mount gdn-init after other default mounts

I still don't 100% understand what went wrong in #6578, but some
weirdness with /run being a symlink to /tmp/ldconfig in the rootfs of
some base image (progrium/busybox) resulted in /tmp/gdn-init not being
present on the container, if we mounted /tmp/gdn-init before mounting
/run (mounting it after fixed the issue).

although we got rid of the /run mount, so that particular issue doesn't
matter, I worry that similar issues with symlinks may happen - so, let's
just mount it last and hope for the best

Signed-off-by: Aidan Oldershaw <aoldershaw@pivotal.io>

worker/runtime/spec/mounts.go

@@ -52,17 +52,14 @@ var (
 )
 
 func ContainerMounts(privileged bool, initBinPath string) []specs.Mount {
-	mounts := append(
-		[]specs.Mount{
-			{
-				Source:      initBinPath,
-				Destination: "/tmp/gdn-init",
-				Type:        "bind",
-				Options:     []string{"bind"},
-			},
-		},
-		DefaultContainerMounts...,
-	)
+	mounts := make([]specs.Mount, 0, len(DefaultContainerMounts)+1)
+	mounts = append(mounts, DefaultContainerMounts...)
+	mounts = append(mounts, specs.Mount{
+		Source:      initBinPath,
+		Destination: "/tmp/gdn-init",
+		Type:        "bind",
+		Options:     []string{"bind"},
+	})
 	// Following the current behaviour for privileged containers in Docker
 	if privileged {
 		for i, ociMount := range mounts {

worker/runtime/spec/spec_test.go

@@ -362,6 +362,9 @@ func (s *SpecSuite) TestContainerSpec() {
 				s.Equal([]string{"/tmp/gdn-init"}, oci.Process.Args)
 				s.Equal(oci.Mounts, spec.ContainerMounts(false, spec.DefaultInitBinPath))
 
+				s.Equal("/tmp/gdn-init", oci.Mounts[len(oci.Mounts)-1].Destination,
+					"gdn-init mount should be mounted after all the other default mounts")
+
 				s.Equal(minimalContainerSpec.Handle, oci.Hostname)
 				s.Equal(spec.AnyContainerDevices, oci.Linux.Resources.Devices)
 			},