Docker CMD vs ENTRYPOINT: What’s The Difference & How To

In a cloud-native configuration, Docker containers are essential elements that ensure an application runs effectively in different computing environments. These containers are designed to carry specific tasks and processes in an application workflow and are compatible with Docker images.

Images, on the other hand, are executed by executing Docker instructions through a Dockerfile. There are three types of statements (commands) that are used to compile and run Dockerfiles:

  • RUN. It is mainly used to create images and install applications and packages. Creates a new layer on top of an existing image by confirming the results.
  • CMD — Sets default parameters that can be overridden from the Docker command line interface (CLI) when a container is running.
  • ENTRY POINT. Default parameters that cannot be overridden when Docker containers are run with CLI parameters.

Any Docker image must have an ENTRYPOINT or CMD declaration for a container to start. Although the ENTRYPOINT and CMD statements may seem similar at first glance, there are fundamental differences in the way they create container images.

(This is part of our Docker Guide. Use the menu on the right to navigate.)

Shell form

vs executable form

First we need to understand how a Docker daemon processes instructions once passed


All types of Docker statements (commands) can be specified in shell or exec forms. Let’s create a sample Dockerfile to understand these two commands.

(Explore more Docker commands.)

Shell command

form As the

name suggests, a form of shell statement starts processes that run inside the shell. To execute this, invoke /bin/sh -c <command>. Typically, each execution through a shell command requires environment variables to go through validation before returning the results.

Shell command syntax is specified in the format:<instruction> <command> Examples of shell form commands include:

RUN yum -y update RUN yum -y install httpd COPY ./index.html/var/www/index.html CMD echo “Hello World”

A Dockerfile named Darwin that uses the shell command will have the following specifications:

Name ENV Darwin ENTRYPOINT /bin/echo “Welcome, $name”

(The command specifications used above are for reference. You can include any other shell commands based on your own requirements.)

According to the above specification, the output of the docker run -it Darwin command will be:

Welcome, Darwin

This command form invokes the shell to go through validation before returning the results, which often leads to performance bottlenecks. As a result, shell forms are generally not a preferred method unless there are specific command/environment validation requirements.

Executable command form Unlike the shell command type, a statement written in executable

form directly executes the executable binaries, bypassing shell validation and processing.

Executable command syntax is specified in the format

: <statement> [“executable”, “parameter

1″, “parameter 2”, …]

Some examples of executable commands are:

RUN [“yum”, “-y”, “update”] CMD [“yum”, “-y” “install” “httpd”] COPY [“./index.html/var/www/index.html”]

To build a Dockerfile called

Darwin in executive form: Name ENV Darwin ENTRYPOINT [“/bin/echo”, “Welcome, $name”]

Because this prevents shell processing, the output of the docker run -it Darwin command will be returned as: Welcome, $name

This is because the environment variable is not overridden in the Dockerfile. To run bash in exec form, specify

/bin/bash as executable, that is: name ENV Darwin ENTRYPOINT [“/bin/bash”, “-c” “echo Welcome, $name”]

This requests shell processing, so the output of the Dockerfile will be: Welcome, Darwin

Commands in a containerized configuration are essential instructions that are passed to the operating environment for a desired output. It is of utmost importance to use the correct command form to pass instructions in order to


  • Return the desired result
  • Make sure you don’t push the environment into unnecessary processing, impacting operational efficiency

CMD vs ENTRYPOINT: Fundamental Differences


Instructions and ENTRYPOINT have fundamental differences in how they work, making each suitable for different applications, environments, and scenarios.

Both specify programs that run when the container starts running, but:

  • CMD commands are ignored by Daemon when there are parameters set within the docker run command
  • .

  • ENTRYPOINT statements are not ignored, but appended as command-line parameters by treating them as command arguments.

Next, let’s take a closer look. We’ll use both command forms to go through the different stages of running a Docker container.


CMD Docker CMD commands are

passed through a Dockerfile consisting of:

  • Instructions for creating a Docker
  • image

  • Default binaries for running a container on top

of the image With a CMD instruction type, a

default command/program is executed even if no command is specified in the CLI.

Ideally, there should be a single CMD command within a Dockerfile.

  • For cases where there are multiple CMD commands in a Dockerfile, all but the last one are ignored for one execution.

An essential feature of a CMD command is its ability to be overridden. This allows users to execute commands through the CLI to override CMD statements within a Dockerfile.

A Docker CMD statement

can be written in Shell and

Exec forms as: Exec form: CMD [“executable”, “parameter1”, “parameter2

  • “] Shell form: CMD1
  • command parameter parameter2

Stage 1. Creating

a Dockerfile

When creating a Dockerfile, the CMD statement specifies the default program that will run once the container is executed. A quick point to note: CMD commands will only be used when command-line arguments are missing.

We will see a Dockerfile called Darwin with CMD

instructions and analyze its behavior

: The

Dockerfile specifications for

Darwin are: FROM centos:7 RUN apt-get update RUN apt-get -y install python COPY ./opt/source code CMD [“echo”, “Hello, Darwin”]

The CMD statement in the file above echoes the Hello, Darwin message when the container starts without a CLI argument


Stage 2. Creating an image

Docker images are created from Dockerfiles using the command:

$docker build -t Darwin.

The above command does two things:

  • It tells the Docker daemon to create an image
  • Set the tag name to Darwin located inside the current Stage 3 directory

. Running

a Docker container To run a Docker container, use the docker run command: $ docker run Darwin

Because this excludes a command-line argument, the container executes the default CMD statement and displays Hello, Darwin as output.

If we add an argument with the run command, it overrides the default statement, that is:


docker run Hostname


Darwin As a default CMD command is overridden, the above command will execute the container and display the hostname, thus ignoring the echo instruction in the Dockerfile with the following output:


which is

the hostname of the Darwin container


When to use


The best way to use a CMD statement is to specify the default programs to run when users do not enter arguments on the command line


This statement ensures that the container is in a running state by starting an application as soon as the container image runs. When you do this, the CMD argument loads the base image as soon as the container starts.

In addition, in

specific use cases, a docker run command can be executed through a CLI to override the instructions specified in the Dockerfile




In Dockerfiles, an ENTRYPOINT statement is used to set executables that will always run when the container starts. Unlike CMD commands, ENTRYPOINT commands cannot be ignored or overridden, even when the container is executed with command-line arguments set.

A Docker ENTRYPOINT statement

can be written in shell and exec forms

: Executive form: ENTRYPOINT [“executable”, “parameter1”, “parameter2

  • “] Shell form: ENTRYPOINT1 command parameter parameter2

Step 1. Creating

a Dockerfile ENTRYPOINT statements are

used to create Dockerfiles that are intended to execute specific commands

. Here are reference Dockerfile specifications

with an Entrypoint command

: FROM centos:7 RUN apt-get update RUN apt-get -y install python COPY ./opt/source code ENTRYPOINT [“echo”, “Hello, Darwin”]

The Dockerfile above uses an ENTRYPOINT statement that echoes Hello, Darwin when the container is running


Stage 2. Creating

an image

The next step is to create a Docker image. Use the command:

$ docker build -t Darwin.

When you create this image, the daemon looks for the ENTRYPOINT statement and specifies it as a default program to run with or without a command-line entry.

Stage 3. Running

a Docker

container When you run a Docker container using the Darwin image without command-line arguments, the default ENTRYPOINT statements are executed

, echoing Hello, Darwin. In case

additional command-line arguments are entered through the CLI, the ENTRYPOINT is not ignored. Instead, the command-line parameters are appended as arguments

to the ENTRYPOINT command, that is: $docker run Darwin hostname will execute the ENTRYPOINT, echoing Hello, Darwin,

and then displaying the hostname to return the following output: Hello, Darwin


When to use


ENTRYPOINT instructions are suitable for both single-purpose and multimode images where there is a need for a specific command to always be executed when the container is started.

One of its popular use cases is the creation of wrapper-image containers that encapsulate legacy programs for containerization, which leverages an ENTRYPOINT statement to ensure that the program always runs.


Instructions Together

While there are fundamental differences in their operations, CMD and ENTRYPOINT statements are not mutually exclusive. Several scenarios may require the use of their combined instructions in a Dockerfile.

A very popular use case for combining them is to automate container startup tasks. In such a case, the ENTRYPOINT statement can be used to define the executable while using CMD to define parameters.

Let’s walk through this with the Darwin Dockerfile with its specifications like:

FROM centos:7 RUN apt-get update RUN apt-get -y install python COPY ./opt/source code ENTRYPOINT [“echo”, “Hello”]CMD [“Darwin”]

The image is then constructed with the command:

$ docker build -t darwin .

If we run the container without CLI parameters, it will echo the message Hello, Darwin.

Appending the command with a parameter, such as User Name, will override the CMD statement and execute only the ENTRYPOINT statement using the CLI parameters as arguments. For example

, the command: $ docker run Darwin

will User_JDArwin return the output: Hello


This is because ENTRYPOINT statements cannot be ignored, whereas with CMD, command-line arguments override the statement

. Using ENTRYPOINT or CMD Both



CMD are essential for creating and running Dockerfiles, it simply depends on your use case. As a rule of thumb:

  • opt for ENTRYPOINT statements when creating a Docker executable image using commands that must always be executed
  • .

  • CMD statements are best for an additional set of arguments that act as default statements until there is explicit use of the command line when running a Docker container.

A container image requires different elements, including runtime statements, system tools, and libraries to run an application. To get the best out of a Docker configuration, it is highly recommended that administrators understand various functions, structures, and applications from these instructions, as they are critical functions that help create images and run containers efficiently.

Related reading

  • BMC
  • DevOps Blog Docker Security:

  • 14 Best Practices for Securing
  • Docker Containers

  • Kubernetes vs
  • Docker: A Quick Comparison How

  • to run MongoDB as a Docker container How
  • containers fit into a DevOps delivery pipeline
  • The current state of containers: a summary of the report

Contact US