Super-privileged container

This concept was introduced in one of the Project Atomic blogs by Red Hat. It lets a special, privileged container act as an agent that controls the underlying host. If we ship only the application code, we risk turning the container into a black box. Packaging an agent as a Docker container with the right access brings many benefits to the host. We can bind in devices via -v /dev:/dev, which helps mount devices inside the container without needing super-privileged access.

The nsenter trick allows you to run commands in another namespace; that is, if Docker has its own private mount namespace, then with nsenter and the right mode we can reach out to the host and mount things in its namespace. ...
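The following is an added example, not code from the book or from Project Atomic: a Python audit that reads docker inspect JSON and reports which containers carry the host-access settings described above (privileged mode, shared host namespaces, a /dev bind mount). The sample data, the SENSITIVE_SOURCES policy list and the function names are constructed for illustration.

```python
import json

# Constructed `docker inspect` output, trimmed to the fields checked below.
SAMPLE_INSPECT = json.loads("""[
 {"Name": "/host-agent", "HostConfig": {"Privileged": true, "PidMode": "host",
   "NetworkMode": "host", "IpcMode": "host", "CapAdd": null,
   "Binds": ["/dev:/dev", "/:/host", "/run:/run"]}},
 {"Name": "/dev-tool", "HostConfig": {"Privileged": false, "PidMode": "",
   "NetworkMode": "bridge", "IpcMode": "private", "CapAdd": ["SYS_ADMIN"],
   "Binds": ["/dev:/dev:ro"]}},
 {"Name": "/web", "HostConfig": {"Privileged": false, "PidMode": "",
   "NetworkMode": "bridge", "IpcMode": "private", "CapAdd": null,
   "Binds": ["/srv/www:/usr/share/nginx/html:ro"]}}
]""")

# Assumed policy: host paths whose bind mount exposes host state to the container.
SENSITIVE_SOURCES = {"/", "/dev", "/run", "/proc", "/sys", "/var/run/docker.sock"}
NAMESPACE_FIELDS = (("PidMode", "pid"), ("NetworkMode", "net"), ("IpcMode", "ipc"))


def host_access_findings(container):
    """Return the settings that let this container reach into the host."""
    hc = container.get("HostConfig", {})
    findings = ["privileged"] if hc.get("Privileged") else []
    # With the host PID namespace shared, tools such as nsenter can target host processes.
    findings += [f"host-{label}-ns" for field, label in NAMESPACE_FIELDS
                 if hc.get(field) == "host"]
    for cap in hc.get("CapAdd") or []:
        if cap.upper().replace("CAP_", "", 1) in {"SYS_ADMIN", "ALL"}:
            findings.append(f"cap:{cap}")
    for bind in hc.get("Binds") or []:
        # Bind format is src:dst[:mode]; normalise a trailing slash on the source.
        source = bind.split(":")[0].rstrip("/") or "/"
        if source in SENSITIVE_SOURCES:
            findings.append(f"bind:{source}")
    return findings


def audit(containers):
    """Map container name -> findings, omitting containers with none."""
    report = {c["Name"].lstrip("/"): host_access_findings(c) for c in containers}
    return {name: found for name, found in report.items() if found}


if __name__ == "__main__":
    for name, found in audit(SAMPLE_INSPECT).items():
        print(f"{name}: {', '.join(found)}")
```

On a live host the same functions can be fed the parsed output of docker inspect for the running containers in place of the constructed sample.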
