If able to start containers, just leave the isolation:
docker run -it \
--privileged \
--pid=host \
alpine \
nsenter -t 1 -m -u -n -i sh
nsenter
Work with namespaces (nsenter)
Uses process tree of host (--pid=host)
Get namespace from PID 1 (-t 1)
Enter namespaces required for shell (-m -u -n -i)
–
Alternative container runtimes (instead of runc)
Isolates containers in a lightweight VM
Also supports firecracker
Application kernel written in Go
Implements Linux system calls
–
For example sockguard
No privileged containers
No host bind mounts
No host network
/sockguard \
-upstream-socket /var/run/docker-raw.sock \
-filename /var/run/docker.sock