What is the meaning of mounting /dev/sda1 to /etc/hosts in Docker container

Question

I run a simple docker container with sudo docker run -it ubuntu:latest /bin/bash

When I examine mounted file system, with: df -h, one

Filesystem      Size  Used Avail Use% Mounted on
overlay          63G  4.3G   56G   8% /
tmpfs            64M     0   64M   0% /dev
tmpfs          1000M     0 1000M   0% /sys/fs/cgroup
/dev/sda1        63G  4.3G   56G   8% /etc/hosts
....

I fail to understand the last line, i.e. /dev/sda1 -> /etc/hosts, when I run df -h on the host machine, I get the mount /dev/sda1 -> /.

So /dev/sda1 is actually my hard drive, why is it mounted to /etc/hosts on the container, and how come /etc/hosts on the container is a file with correct content.

Any explanation of what is going on here? how does this work?

Answer 1

You have two questions in your post, let me cover them sequentially.

1) Why /etc/{hosts,hostname,resolv.conf} files are mounted from outside?

I see at least one reason for this.

Imagine what would happen if the container engine would simply write these files to the container's filesystem and the user would decide to mount /etc as a volume (which is perfectly legal and pretty useful - mounting /etc would allow the user to provide the container with multiple config files in one -v argument for docker run):

• first, the volume is mounted to container's /etc directory;
• then its content is changed by the container engine (a write to specific files in /etc).

After launching this container, the user tries to launch one more with the same /etc volume (again, this is perfectly legal and useful - e.g. the user scales up some service and shares config files in /etc among instances), and... The second container overwrites hostname, hosts and resolv.conf files on the volume, affecting the first container.

Now consider what happens when bind-mounting is used instead of direct writes:

• the volume is mounted to container's /etc directory;
• the container engine bind-mounts /etc/{hosts,hostname,resolv.conf} from somewhere on the host to the container's filesystem;
• bind-mounts hide the original versions (if any) of these files on the volume, hence the guarantee that the files on the volume will not be modified during the container setup and will not be propagated to other containers.

2) Why I see /dev/sda1 as the source of these mounts?

Check findmnt(8) instead of df(1):

$ docker run -it ubuntu
root@5a8ab4d6e716:/# findmnt
TARGET                           SOURCE
...
|-/etc/resolv.conf               /dev/sda1[/var/lib/docker/containers/5a8ab4d6e71691f279cbbcf5a295b5fa90fd138f10418c996ad7ea4440452816/resolv.conf]
|-/etc/hostname                  /dev/sda1[/var/lib/docker/containers/5a8ab4d6e71691f279cbbcf5a295b5fa90fd138f10418c996ad7ea4440452816/hostname]
`-/etc/hosts                     /dev/sda1[/var/lib/docker/containers/5a8ab4d6e71691f279cbbcf5a295b5fa90fd138f10418c996ad7ea4440452816/hosts]

Actually, each line of output here shows three fields (mount target /etc/hosts, mount source /dev/sda1 and FS root /var/lib/<...>/hosts), and the third one is not shown by df(1).

According to man procfs paragraph about /proc/PID/mountinfo file (which is the source of information about mounts for utilities):

(4)  root: the pathname of the directory in the filesystem which forms the root of this mount.
(5)  mount point: the pathname of the mount point relative to the process's root directory.
...
(10) mount source: filesystem-specific information or "none".

For most mounts, FS root is / (because you mount whole filesystem), so you don't loose too much information when you look at the df(1) output. However, this is not the case for bind-mounts of specific files.