(Sorry if this is a duplicate; but I remember that I had a very extensive conversation with @creack a while ago about this topic, and I thought that we had written our conclusions to a GitHub issue; but I cannot find said issue; so it looks like we hadn't, after all.)

Some people need to customize /etc/hosts, /etc/resolv.conf, or even /.dockerinit.
(See for instance #1951 and #2068, as well as this message on docker-user).
#1959 provides a naive implementation, making the bind-mounted files read-write. It works, but changes are lost since those files are regenerated.

The idea discussed with @creack was the following (as far as I can remember):

• instead of using a AUFS-specific mechanism to inject those files (top-level ro layer) and then a bind-mount on top of that, just inject the files before starting the container, unless those files are present (and non-empty) in the image: in that case, use whatever is in the image;
• when executing a docker commit or docker diff, check if the files have been changed (i.e. if they are different from what they were when the container was started), and include them only if they were changed (which means that dynamically generated files won't be included if they haven't been changed).

Those files are already listed in graph.go:203, and this comment in image.go:407 might indicate that the device mapper branch already implements part of what's needed.

The main outstanding issue is to decide whether to require a special flag to commit those special files, to avoid unwanted modifications (e.g. "Something changed the hostname or DNS configuration in my container, and all images derived from that container are broken!").

Requiring a special flag for docker commit makes sense (-f, like force?); however, for docker build, it's a bit more complex. Maybe the Dockerfile could include a special directive saying explicitly "this Dockerfile generates an image with a modified resolv.conf", e.g. CUSTOM /etc/resolv.conf /etc/hosts.

/cc @creack @metalivedev @shykes for feedback.