This issue is due to the Lacework agent accessing the mounted paths whilst scanning them as part of its File Integrity Monitoring ("FIM") capability. While the paths are still in use, containerd is unable to unmount them. As per this containerd Github issue:

https://github.com/containerd/containerd/issues/5538

this problem can be triggered by any process that keeps the paths mounted for any amount of time; however it is noted that security scanning software is the most common use case. 

Also as per the Github issue, the resolution is to configure the relevant software to ignore/bypass the temp mount paths. As the paths are mounted as part of containerd's internal operations and are transient copies of paths that are persistently mounted elsewhere on the host, we are safe to exclude these temporary duplicates from the FIM scanning activity.

The specific action required in the case of the Lacework agent is to add the path(s) to the agent's "fileignore" FIM configuration property.

An example of adding such a path to an existing fileignore config might look like this:

Before:

"fim": {

    "fileignore": "/etc/mtab,/etc/mnttab,/etc/hosts.deny,/etc/mail/statistics"

}

After:

"fim": {

    "fileignore": "/etc/mtab,/etc/mnttab,/etc/hosts.deny,/etc/mail/statistics,/var/lib/containerd/tmpmounts/containerd-mount*"

}