What is the difference between CMD and ENTRYPOINT in a Dockerfile

Question

In Dockerfiles there are two commands that look similar to me  CMD and ENTRYPOINT  But I guess that there is a  subtle   difference between them - otherwise it would not make any sense to have two commands for the very same thing   The documentation states for CMD     The main purpose of a CMD is to provide defaults for an executing container    and for ENTRYPOINT      An ENTRYPOINT helps you to configure a container that you can run as an executable    So  what s the difference between those two commands

User · Answer

According to docker docs   Both CMD and ENTRYPOINT instructions define what command gets executed when running a container  There are few rules that describe their co-operation   Dockerfile should specify at least one of CMD or ENTRYPOINT commands  ENTRYPOINT should be defined when using the container as an executable  CMD should be used as a way of defining default arguments for an ENTRYPOINT command or for executing an ad-hoc command in a container  CMD will be overridden when running the container with alternative arguments    The tables below shows what command is executed for different ENTRYPOINT   CMD combinations  -- No ENTRYPOINT  ----------------------------------------------------------     No CMD                        error  not allowed               ---------------------------- -----------------------------      CMD   quot exec cmd quot    quot p1 cmd quot      exec cmd p1 cmd                  ---------------------------- -----------------------------      CMD   quot p1 cmd quot    quot p2 cmd quot        p1 cmd p2 cmd                    ---------------------------- -----------------------------      CMD exec cmd p1 cmd            bin sh -c exec cmd p1 cmd      ----------------------------------------------------------   -- ENTRYPOINT exec entry p1 entry  ---------------------------------------------------------------     No CMD                         bin sh -c exec entry p1 entry        ---------------------------- ----------------------------------      CMD   quot exec cmd quot    quot p1 cmd quot       bin sh -c exec entry p1 entry        ---------------------------- ----------------------------------      CMD   quot p1 cmd quot    quot p2 cmd quot         bin sh -c exec entry p1 entry        ---------------------------- ----------------------------------      CMD exec cmd p1 cmd            bin sh -c exec entry p1 entry       ---------------------------------------------------------------   -- ENTRYPOINT   quot exec entry quot    quot p1 entry quot    ------------------------------------------------------------------------------     No CMD                        exec entry p1 entry                                  ---------------------------- -------------------------------------------------      CMD   quot exec cmd quot    quot p1 cmd quot      exec entry p1 entry exec cmd p1 cmd                  ---------------------------- -------------------------------------------------      CMD   quot p1 cmd quot    quot p2 cmd quot        exec entry p1 entry p1 cmd p2 cmd                    ---------------------------- -------------------------------------------------      CMD exec cmd p1 cmd           exec entry p1 entry  bin sh -c exec cmd p1 cmd      ------------------------------------------------------------------------------

User · Answer

I run across this and at the beginning I found it really confusing to be honest and I think this confusion comes from using the word  quot CMD quot  because in fact what goes there acts as argument  So after digging a little bit I understood how it works  Basically  ENTRYPOINT -- gt  what you specify here would be the command to be executed when you container starts  If you omit this definition docker will use  bin sh -c bash to run your container  CMD -- gt  these are the arguments appended to the ENTRYPOINT unless the user specifies some custom argument  i e  docker run ubuntu  lt custom cmd gt  in this case instead of appending what s specified on the image in the CMD section  docker will  run ENTRYPOINT  lt custom cmd gt   In case ENTRYPOINT has not been specified  what goes here will be passed to  bin sh -c acting in fact as the command to be executed when starting the container  As everything it s better to explain what s going on by examples  So let s say I create a simple docker image by using the following specification Dockerfile  From ubuntu ENTRYPOINT   quot sleep quot    Then I build it by running the following  docker build   -t testimg  This will create a container that everytime you run it sleeps  So If I run it as following  docker run testimg  I ll get the following  sleep  missing operand Try  sleep --help  for more information   This happens because the entry point is the  quot sleep quot  command which needs an argument  So to fix this I ll just provide the amount to sleep  docker run testimg 5  This will run correctly and as consequence the container will run  sleeps 5 seconds and exits  As we can see in this example docker just appended what goes after the image name to the entry point binary docker run testimg  lt my cmd gt   What happens if we want to pass a default value  default argument  to the entry point  in this case we just need to specify it in the CMD section  for example  From ubuntu ENTRYPOINT   quot sleep quot   CMD   quot 10 quot    In this case if the user doesn t pass any argument the container will use the default value  10  and pass it to entry point sleep  Now let s use just CMD and omit ENTRYPOINT definition  FROM ubuntu CMD   quot sleep quot    quot 5 quot    If we rebuild and run this image it will basically sleeps for 5 seconds  So in summary  you can use ENTRYPOINT in order to make your container acts as an executable  You can use CMD to provide default arguments to your entry point or to run a custom command when starting your container that can be overridden from outside by user

User · Answer

CMD command mentioned inside Dockerfile file can be overridden via docker run command while ENTRYPOINT can not be

User · Answer

The accepted answer is fabulous in explaining the history  I find this table explain it very well from official doc on  how CMD and ENTRYPOINT interact

User · Answer

Most people explain it perfectly here  so I won t repeat all the answers  But to get a good feeling I would suggest testing it yourself by looking at the processes in the container   Create a tiny Dockerfile of the form   FROM ubuntu latest CMD  bin bash   Build it  run it in with docker run -it theimage and run ps -eo ppid pid args in the container  Compare this output to the output you receive from ps when using    docker run -it theimage bash Rebuilding the image but with ENTRYPOINT  bin bash and running it in both ways Using CMD    bin bash         This way you will easily see the differences between all possible methods for yourself

User · Answer

Difference between CMD and ENTRYPOINT by intuition    ENTRYPOINT  command to run when container starts  CMD  command to run when container starts or arguments to ENTRYPOINT if specified    Yes  it s mixing up   You can override any of them when running docker run   Difference between CMD and ENTRYPOINT by example   docker run -it --rm yourcontainer  bin bash             lt --  bin bash overrides CMD                                                         lt --  bin bash does not override ENTRYPOINT docker run -it --rm --entrypoint ls yourcontainer       lt -- overrides ENTRYPOINT with ls docker run -it --rm --entrypoint ls yourcontainer  -la   lt -- overrides ENTRYPOINT with ls and overrides CMD with -la   More on difference between CMD and ENTRYPOINT   Argument to docker run such as  bin bash overrides any CMD command we wrote in Dockerfile   ENTRYPOINT cannot be overriden at run time with normal commands such as docker run  args    The args at the end of docker run  args  are provided as arguments to ENTRYPOINT   In this way we can create a container which is like a normal binary such as ls   So CMD can act as default parameters to ENTRYPOINT and then we can override the CMD args from  args    ENTRYPOINT can be overriden with --entrypoint

User · Answer

In a nutshell    CMD sets default command and or parameters  which can be overwritten from command line when docker container runs  ENTRYPOINT command and parameters will not be overwritten from command line  Instead  all command line arguments will be added after ENTRYPOINT parameters    If you need more details or would like to see difference on example  there is a blog post that comprehensively compare CMD and ENTRYPOINT with lots of examples - http   goinbigdata com docker-run-vs-cmd-vs-entrypoint

User · Answer

A Dockerfile should specify at least one CMD or ENTRYPOINT instruction       Only the last CMD and ENTRYPOINT in a Dockerfile will be used       ENTRYPOINT should be defined when using the container as an executable       You should use the CMD instruction as a way of defining default arguments for the command defined as ENTRYPOINT or for executing an ad-hoc command in a container       CMD will be overridden when running the container with alternative arguments       ENTRYPOINT sets the concrete default application that is used every time a container is created using the image       If you couple ENTRYPOINT with CMD  you can remove an executable from CMD and just leave its arguments which will be passed to ENTRYPOINT       The best use for ENTRYPOINT is to set the image s main command  allowing that image to be run as though it was that command  and then use CMD as the default flags

User · Answer

The official documentation of Dockerfile best practices does a great job explaining the differences  Dockerfile best practices  CMD   The CMD instruction should be used to run the software contained by your image  along with any arguments  CMD should almost always be used in the form of CMD   executable    param1    param2       Thus  if the image is for a service  such as Apache and Rails  you would run something like CMD   apache2   -DFOREGROUND    Indeed  this form of the instruction is recommended for any service-based image   ENTRYPOINT   The best use for ENTRYPOINT is to set the image   s main command  allowing that image to be run as though it was that command  and then use CMD as the default flags

User · Answer

Comments on EntryPoint function in code     ENTRYPOINT  usr sbin nginx     Set the entrypoint  which defaults to sh -c  to  usr sbin nginx     Will accept the CMD as the arguments to  usr sbin nginx   Another reference from documents  You can use the exec form of ENTRYPOINT to set fairly stable default commands and arguments and then use CMD to set additional defaults that are more likely to be changed   Example  FROM ubuntu 14 04 3 ENTRYPOINT   quot  bin ping quot   CMD   quot localhost quot    quot -c quot    quot 2 quot    Build   sudo docker build -t ent cmd   CMD arguments are easy to override   NO argument  sudo docker -it ent cmd                    ping localhost  argument     sudo docker run -it ent cmd google com     ping google com    To override EntryPoint argument  you need to supply entrypoint sudo docker run -it --entrypoint  quot  bin bash quot  ent cmdd  p s  In presence of EntryPoint  CMD will hold arguments to fed to EntryPoint  In absense of EntryPoint  CMD will be the command which will be run

User · Answer

I have read all answers and I want to summarize for better understanding at first glance like following    Firstly  the whole command that gets executed in the container includes two parts   the command and  the arguments      ENTRYPOINT defines the executable invoked when the container is   started  for command      CMD specifies the arguments that get passed to the ENTRYPOINT  for arguments     In the Kubernetes In Action book points an important note about it   chapter 7      Although you can use the CMD instruction to specify the command you   want to execute when the image is run  the correct way is to do it   through the ENTRYPOINT instruction and to only specify the CMD if you   want to define the default arguments    You can also read this article for great explanation in a simple way

User · Answer

I ll add my answer as an example1 that might help you better understand the difference  Let s suppose we want to create an image that will always run a sleep command when it starts  We ll create our own image and specify a new command  FROM ubuntu CMD sleep 10  Building the image  docker build -t custom sleep   docker run custom sleep   sleeps for 10 seconds and exits  What if we want to change the number of seconds  We would have to change the Dockerfile since the value is hardcoded there  or override the command by providing a different one  docker run custom sleep sleep 20  While this works  it s not a good solution  as we have a redundant  quot sleep quot  command  Why redundant  Because the container s only purpose is to sleep  so having to specify the sleep command explicitly is a bit awkward  Now let s try using the ENTRYPOINT instruction  FROM ubuntu ENTRYPOINT sleep  This instruction specifies the program that will be run when the container starts  Now we can run  docker run custom sleep 20  What about a default value  Well  you guessed it right  FROM ubuntu ENTRYPOINT   quot sleep quot   CMD   quot 10 quot    The ENTRYPOINT is the program that will be run  and the value passed to the container will be appended to it  The ENTRYPOINT can be overridden by specifying an --entrypoint flag  followed by the new entry point you want to use  Not mine  I once watched a tutorial that provided this example

User · Answer

The ENTRYPOINT specifies a command that will always be executed when the container starts   The CMD specifies arguments that will be fed to the ENTRYPOINT   If you want to make an image dedicated to a specific command you will use ENTRYPOINT    path dedicated command    Otherwise  if you want to make an image for general purpose  you can leave ENTRYPOINT unspecified and use CMD    path dedicated command   as you will be able to override the setting by supplying arguments to docker run   For example  if your Dockerfile is   FROM debian wheezy ENTRYPOINT    bin ping   CMD   localhost     Running the image without any argument will ping the localhost     docker run -it test PING localhost  127 0 0 1   48 data bytes 56 bytes from 127 0 0 1  icmp seq 0 ttl 64 time 0 096 ms 56 bytes from 127 0 0 1  icmp seq 1 ttl 64 time 0 088 ms 56 bytes from 127 0 0 1  icmp seq 2 ttl 64 time 0 088 ms  C--- localhost ping statistics --- 3 packets transmitted  3 packets received  0  packet loss round-trip min avg max stddev   0 088 0 091 0 096 0 000 ms   Now  running the image with an argument will ping the argument     docker run -it test google com PING google com  173 194 45 70   48 data bytes 56 bytes from 173 194 45 70  icmp seq 0 ttl 55 time 32 583 ms 56 bytes from 173 194 45 70  icmp seq 2 ttl 55 time 30 327 ms 56 bytes from 173 194 45 70  icmp seq 4 ttl 55 time 46 379 ms  C--- google com ping statistics --- 5 packets transmitted  3 packets received  40  packet loss round-trip min avg max stddev   30 327 36 430 46 379 7 095 ms   For comparison  if your Dockerfile is   FROM debian wheezy CMD    bin ping    localhost     Running the image without any argument will ping the localhost     docker run -it test PING localhost  127 0 0 1   48 data bytes 56 bytes from 127 0 0 1  icmp seq 0 ttl 64 time 0 076 ms 56 bytes from 127 0 0 1  icmp seq 1 ttl 64 time 0 087 ms 56 bytes from 127 0 0 1  icmp seq 2 ttl 64 time 0 090 ms  C--- localhost ping statistics --- 3 packets transmitted  3 packets received  0  packet loss round-trip min avg max stddev   0 076 0 084 0 090 0 000 ms   But running the image with an argument will run the argument   docker run -it test bash root e8bb7249b843      See this article from Brian DeHamer for even more details  https   www ctl io developers blog post dockerfile-entrypoint-vs-cmd

User · Answer

Docker has a default entrypoint which is  bin sh -c but does not have a default command   When you run docker like this  docker run -i -t ubuntu bash the entrypoint is the default  bin sh -c  the image is ubuntu and the command is bash     The command is run via the entrypoint  i e   the actual thing that gets executed is  bin sh -c bash  This allowed Docker to implement RUN quickly by relying on the shell s parser   Later on  people asked to be able to customize this  so ENTRYPOINT and --entrypoint were introduced   Everything after ubuntu in the example above is the command and is passed to the entrypoint  When using the CMD instruction  it is exactly as if you were doing docker run -i -t ubuntu  lt cmd gt    lt cmd gt  will be the parameter of the entrypoint   You will also get the same result if you instead type this command docker run -i -t ubuntu  You will still start a bash shell in the container because of the ubuntu Dockerfile specified a default CMD  CMD   bash    As everything is passed to the entrypoint  you can have a very nice behavior from your images   Jiri example is good  it shows how to use an image as a  binary   When using    bin cat   as entrypoint and then doing docker run img  etc passwd  you get it   etc passwd is the command and is passed to the entrypoint so the end result execution is simply  bin cat  etc passwd   Another example would be to have any cli as entrypoint  For instance  if you have a redis image  instead of running docker run redisimg redis -H something -u toto get key  you can simply have ENTRYPOINT   redis    -H    something    -u    toto   and then run like this for the same result  docker run redisimg get key

User · Answer

There are some good answers for it  I want to explain it through demo per Doc  CMD  defines default commands and or parameters for a container  CMD is an instruction that is best to use if you need a default command which users can easily override  If a Dockerfile has multiple CMDs  it only applies the instructions from the last one  ENTRYPOINT  is preferred when you want to define a container with a specific executable   You cannot  override an ENTRYPOINT  when starting a container unless you add the  --entrypoint  flag   CMD  Docker file   FROM centos 8 1 1911    CMD   quot echo quot    quot Hello Docker quot    Run result   sudo docker run  lt image-id gt  Hello Docker   sudo docker run  lt image-id gt  hostname     hostname is exec to override CMD 244be5006f32   ENTRYPOINT  Docker file   FROM centos 8 1 1911    ENTRYPOINT   quot echo quot    quot Hello Docker quot    Run result   sudo docker run  lt image-id gt  Hello Docker   sudo docker run  lt image-id gt  hostname     hostname as parameter to exec Hello Docker hostname   There are many situations in which combining CMD and ENTRYPOINT would be the best solution for your Docker container  In such cases   the  executable is defined with ENTRYPOINT  while  CMD specifies the default parameter   Docker file   FROM centos 8 1 1911    ENTRYPOINT   quot echo quot    quot Hello quot     CMD   quot Docker quot    Run result   sudo docker run  lt image-id gt  Hello Docker   sudo docker run  lt image-id gt  Ben Hello Ben

User · Answer

CMD    CMD   executable   param1   param2      executable   param1   param2   is the first process  CMD command param1 param2   bin sh -c CMD command param1 param2 is the first process  CMD command param1 param2 is forked from the first process  CMD   param1   param2    This form is used to provide default arguments for ENTRYPOINT    ENTRYPOINT  The following list does not consider the case where CMD and ENTRYPOINT are used together     ENTRYPOINT   executable    param1    param2      executable    param1    param2   is the first process  ENTRYPOINT command param1 param2   bin sh -c command param1 param2 is the first process  command param1 param2 is forked from the first process    As creack said  CMD was developed first  Then ENTRYPOINT was developed for more customization  Since they are not designed together  there are some functionality overlaps between CMD and ENTRYPOINT  which often confuse people

User · Answer

Yes  that is a good question  I don t understand it fully yet  but   I understand that ENTRYPOINT is the binary that is being executed  You can overide entrypoint by --entrypoint      docker run -t -i --entrypoint   bin bash  ubuntu   CMD is the default argument to container  Without entrypoint  default argument is command that is executed  With entrypoint  cmd is passed to entrypoint as argument  You can emulate a command with entrypoint     no entrypoint docker run ubuntu  bin cat  etc passwd    with entry point  emulating cat command docker run --entrypoint   bin cat  ubuntu  etc passwd   So  main advantage is that with entrypoint you can pass arguments  cmd  to your container  To accomplish this  you need to use both     Dockerfile FROM ubuntu ENTRYPOINT    bin cat     and  docker build -t cat     then you can use   docker run cat  etc passwd                                                CMD                                 image  tag - using the default ENTRYPOINT

[docker] What is the difference between CMD and ENTRYPOINT in a Dockerfile?

Examples related to docker