✦ For everyone, free.

Practical knowledge for real and everyday life

Home

4.2.7.5 ENTRYPOINT CMD Pairing

A focused guide to ENTRYPOINT CMD Pairing, connecting core concepts with practical Docker and container operations.

ENTRYPOINT-CMD pairing, considered from ENTRYPOINT's perspective, is the design decision to keep the actual executed program fixed and non-negotiable, while delegating everything that legitimately varies between invocations to CMD's overridable default arguments.

ENTRYPOINT Defines Identity, CMD Defines Configuration

In this pairing, ENTRYPOINT answers "what is this container," while CMD answers "how should it behave by default this time" — a separation of concerns that keeps the image's fundamental purpose stable while still allowing flexible, situational configuration.

ENTRYPOINT ["myapp"]
CMD ["serve", "--port", "8080"]

No matter what arguments are supplied at run time, this image always runs myapp; only the specific arguments passed to it can vary.

Why This Separation Is Deliberate

If both identity and configuration were combined into a freely overridable CMD alone, a caller could accidentally (or maliciously) replace the entire program a container runs, which is a meaningfully larger surface for misuse than simply varying that program's arguments.

docker run myimage some-completely-unrelated-program

With ENTRYPOINT fixed, this kind of full replacement is not possible without explicitly using the --entrypoint override flag, adding a deliberate extra step before such a substitution could happen.

Designing the Split Deliberately

Deciding what belongs in ENTRYPOINT versus CMD is itself a design decision: anything that should never change belongs in ENTRYPOINT, while anything that represents a reasonable default, subject to legitimate variation, belongs in CMD.

ENTRYPOINT ["python", "manage.py"]
CMD ["runserver", "0.0.0.0:8000"]

Here, "run this Django management command" is fixed, while which specific subcommand and arguments to run is left flexible.

Why This Pairing Matters From ENTRYPOINT's Side

Thinking of ENTRYPOINT as defining an image's non-negotiable identity, with CMD providing everything that can reasonably vary around it, produces images with both a clear, stable purpose and practical flexibility — a balance that is harder to achieve using either instruction alone.

Related content