Docker Image Default Parameters

This post is a follow-up to <<Docker Run Reference>>.

When building an image from a Dockerfile, or by committing a running container, we can set startup parameters for the new image.

Four of the Dockerfile commands cannot be overridden at runtime: FROM, MAINTAINER, RUN, and ADD. Everything else has a corresponding override in the docker run command.

CMD

The CMD can be the default startup command for a container or the arguments for the ENTRYPOINT.

docker run [OPTIONS] IMAGE[:TAG|@DIGEST] [COMMAND] [ARG...]

If the image has an ENTRYPOINT specified, then the CMD or COMMAND is appended as arguments to the ENTRYPOINT (see next section).

For example, override the CMD in busybox with /bin/sh -c ls -ltr:

docker run -it busybox /bin/sh -c ls -ltr

You can use inspect to check the default CMD of an image; for busybox it shows [sh]:

# There is also a "ContainerConfig" section, but it is not related to CMD.
docker inspect -f "{{.Config.Cmd}}" busybox

If you override it with /bin/sh -c ls -ltr as in the example above and then list the containers, the COMMAND column shows /bin/sh -c ls -ltr, which makes the override easy to verify:

# --no-trunc: do not truncate the output
docker ps -a --no-trunc

ENTRYPOINT

The ENTRYPOINT is the default start point of the running container.

# Overwrite the default entrypoint set by the image
--entrypoint="":

The ENTRYPOINT of an image is similar to a COMMAND because it specifies what executable to run when the container starts, but it is (purposely) more difficult to override. The ENTRYPOINT gives a container its default nature or behavior, so that when you set an ENTRYPOINT you can run the container as if it was that binary, complete with default options, and you can pass in more options via the COMMAND.

Check the default entrypoint of an image with:

docker inspect -f "{{.Config.Entrypoint}}" <image or container>

To override the entrypoint with /bin/sh and pass the parameters tail -f /dev/null to it:

docker run -d \
--entrypoint=/bin/sh \
<image>:<tag> \
-c "tail -f /dev/null"

NOTE: --entrypoint clears out any default command (CMD) set in the image.
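
The CMD and ENTRYPOINT rules above, written out as an added example that is not code from the original post or from Docker. It works out which argv the container's first process receives for a given docker run invocation and which image defaults were discarded, which matters when the image's ENTRYPOINT is a wrapper you rely on. The sample image config and the drop-privs wrapper are constructed for illustration.

```python
# Constructed sample image config (as .Config.Entrypoint / .Config.Cmd would show it).
# "/usr/local/bin/drop-privs" is a hypothetical wrapper, not a real tool.
SAMPLE_ENTRYPOINT = ["/usr/local/bin/drop-privs", "--"]
SAMPLE_CMD = ["server", "--port", "8080"]


def effective_argv(image_entrypoint, image_cmd, run_entrypoint=None, run_command=None):
    """Return the argv of the container's first process.

    run_entrypoint: value of --entrypoint (None means the flag was not given).
    run_command:    the [COMMAND] [ARG...] words after IMAGE, as a list.
    """
    entrypoint = list(image_entrypoint or [])
    cmd = list(image_cmd or [])
    if run_entrypoint is not None:
        # --entrypoint replaces the image ENTRYPOINT (an empty string resets it)
        # and clears the image CMD.
        entrypoint = [run_entrypoint] if run_entrypoint else []
        cmd = []
    if run_command:
        # COMMAND given on the command line replaces the image CMD.
        cmd = list(run_command)
    argv = entrypoint + cmd
    if not argv:
        raise ValueError("nothing left to run")
    return argv


def discarded_defaults(image_entrypoint, image_cmd, run_entrypoint=None, run_command=None):
    """Name the image defaults that this docker run invocation throws away."""
    lost = []
    if run_entrypoint is not None and image_entrypoint:
        lost.append("ENTRYPOINT")
    if (run_entrypoint is not None or run_command) and image_cmd:
        lost.append("CMD")
    return lost


if __name__ == "__main__":
    # busybox from the post: no ENTRYPOINT, CMD is [sh]
    print(effective_argv(None, ["sh"], run_command=["/bin/sh", "-c", "ls", "-ltr"]))
    print(effective_argv(SAMPLE_ENTRYPOINT, SAMPLE_CMD, run_entrypoint="/bin/sh",
                         run_command=["-c", "tail -f /dev/null"]))
    print(discarded_defaults(SAMPLE_ENTRYPOINT, SAMPLE_CMD, run_entrypoint="/bin/sh"))
```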

EXPOSE

EXPOSE declares the ports that accept incoming traffic once they are published.

--expose=[]: Expose a port or a range of ports inside the container.
             These are additional to those exposed by the `EXPOSE` instruction
-P         : Publish all exposed ports to the host interfaces
-p=[]      : Publish a container's port or a range of ports to the host
               format: ip:hostPort:containerPort | ip::containerPort | hostPort:containerPort | containerPort
               Both hostPort and containerPort can be specified as a
               range of ports. When specifying ranges for both, the
               number of container ports in the range must match the
               number of host ports in the range, for example:
                   -p 1234-1236:1234-1236/tcp

               When specifying a range for hostPort only, the
               containerPort must not be a range. In this case the
               container port is published somewhere within the
               specified hostPort range. (e.g., `-p 1234-1236:1234/tcp`)

               (use 'docker port' to see the actual mapping)

--link=""  : Add link to another container (<name or id>:alias or <name or id>)

With the exception of the EXPOSE directive, an image developer hasn’t got much control over networking. The EXPOSE instruction defines the initial incoming ports (listens on specific network ports) that provide services. These ports are available to processes inside the container. An operator can use the --expose option to add to the exposed ports.

NOTE: EXPOSE alone does not allow communication between the container and the host, or with containers on a different network. To allow this you need to publish the ports.

NOTE: use -P or -p rather than --net=host for incoming traffic.

To expose a container’s internal port, use the -P or -p flag. The exposed port is accessible by any client that can access the host.
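
A parser for the -p format listed above, as an added example that is not code from the original post or from Docker. It applies the range rules from the help text and reports which publish specs leave the host address empty; that such specs bind on all host interfaces is Docker's default behaviour, stated here as background rather than taken from the post. Assumptions: IPv4 addresses only, and the sample specs are constructed.

```python
def port_range(text):
    """Turn "80" or "1234-1236" into a range of port numbers."""
    lo, _, hi = text.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 < lo <= hi <= 65535:
        raise ValueError(f"bad port range: {text!r}")
    return range(lo, hi + 1)


def parse_publish(spec):
    """Parse ip:hostPort:containerPort | ip::containerPort |
    hostPort:containerPort | containerPort, with an optional /proto suffix."""
    body, _, proto = spec.partition("/")
    fields = body.split(":")          # IPv4 only: an assumption of this example
    if len(fields) > 3:
        raise ValueError(f"too many fields: {spec!r}")
    ip, host, cont = [""] * (3 - len(fields)) + fields
    container_ports = port_range(cont)
    host_ports = port_range(host) if host else None   # None: Docker picks the port
    if host_ports is not None and len(container_ports) > 1 \
            and len(host_ports) != len(container_ports):
        # Ranges on both sides must be the same size.
        raise ValueError(f"range sizes differ: {spec!r}")
    return {"ip": ip, "host_ports": host_ports,
            "container_ports": container_ports, "proto": proto or "tcp"}


def exposure(spec):
    """Classify who can reach the published port, based on the host address."""
    ip = parse_publish(spec)["ip"]
    if ip in ("", "0.0.0.0"):
        return "all-interfaces"       # any client that can reach the host
    if ip.startswith("127."):
        return "loopback-only"
    return "single-address"


def needs_review(specs):
    """Return the specs that publish on every host interface."""
    return [s for s in specs if exposure(s) == "all-interfaces"]


# Constructed sample: -p values collected from a run script.
SAMPLE_SPECS = ["127.0.0.1:5432:5432", "8080:80", "1234-1236:1234/tcp", "10.0.0.5::9000"]

if __name__ == "__main__":
    for spec in SAMPLE_SPECS:
        print(f"{spec:24} {exposure(spec)}")
```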

NOTE: in K8s, pods in the same namespace can communicate with each other without additional configuration; extra configuration is needed only if you want to access the pods from outside the cluster.

USER

-u="", --user="": Sets the username or UID used and optionally the groupname or
                  GID for the specified command.

The following examples are all valid:
--user=[ user | user:group | uid | uid:gid | user:gid | uid:group ]

root (id = 0) is the default user in a container. The developer can create additional users.

ENV

Docker automatically sets some environment variables when creating a Linux container.

The following environment variables are set for Linux containers:

  • HOME: Set based on the value of USER
  • HOSTNAME: The hostname associated with the container
  • PATH: Includes popular directories, for example: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
  • TERM: xterm if the container is allocated a pseudo-TTY

Additionally, the operator can set any environment variable in the container by using one or more -e flags. If the operator names an environment variable without specifying a value, then the current value of the named variable is populated into the container’s environment.

VOLUME

-v, --volume=[host-src:]container-dest[:<options>]: Bind mount a volume.
The comma-delimited `options` are [rw|ro], [z|Z],
[[r]shared|[r]slave|[r]private], and [nocopy].
The 'host-src' is an absolute path or a name value.

If neither 'rw' or 'ro' is specified then the volume is mounted in
read-write mode.

The `nocopy` mode is used to disable automatically copying the requested volume
path in the container to the volume storage location.
For named volumes, `copy` is the default mode. Copy modes are not supported
for bind-mounted volumes.

--volumes-from="": Mount all volumes from the given container(s)

The volumes commands are complex enough to have their own documentation.

The container-dest must always be an absolute path such as /src/docs. The host-src can either be an absolute path or a name value. If you supply an absolute path for the host-src, Docker bind-mounts to the path you specify. If you supply a name, Docker creates a named volume by that name.

For example, you can specify either /foo or foo for a host-src value. If you supply the /foo value, Docker creates a bind mount. If you supply the foo specification, Docker creates a named volume.
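
The host-src rules above as an added example, not code from the original post or from Docker: it splits a -v value into its fields, decides between bind mount and named volume, applies the read-write default, and lists host paths that end up writable from inside the container. The term "anonymous volume" for a spec without host-src is standard Docker terminology rather than wording from the post, and the sample specs are constructed.

```python
def parse_volume(spec):
    """Parse [host-src:]container-dest[:<options>] from a -v / --volume value."""
    fields = spec.split(":")
    if len(fields) > 3:
        raise ValueError(f"too many fields: {spec!r}")
    if len(fields) == 1:
        src, dest, opts = None, fields[0], ""
    else:
        src, dest = fields[0], fields[1]
        opts = fields[2] if len(fields) == 3 else ""
    if src == "":
        raise ValueError(f"empty host-src: {spec!r}")
    if not dest.startswith("/"):
        # container-dest must always be an absolute path such as /src/docs
        raise ValueError(f"container-dest is not absolute: {spec!r}")
    options = [o for o in opts.split(",") if o]
    if src is None:
        kind = "anonymous volume"     # no host-src given
    elif src.startswith("/"):
        kind = "bind mount"           # absolute host path
    else:
        kind = "named volume"         # a name value
    # Neither 'rw' nor 'ro' given means read-write.
    mode = "ro" if "ro" in options else "rw"
    return {"kind": kind, "source": src, "dest": dest, "mode": mode, "options": options}


def writable_host_paths(specs):
    """Host paths that the container can modify through a bind mount."""
    parsed = [parse_volume(s) for s in specs]
    return [v["source"] for v in parsed if v["kind"] == "bind mount" and v["mode"] == "rw"]


# Constructed sample: -v values collected from a run script.
SAMPLE_VOLUMES = ["/foo:/src/docs", "foo:/src/docs", "/etc/app:/config:ro,z", "/cache"]

if __name__ == "__main__":
    for spec in SAMPLE_VOLUMES:
        v = parse_volume(spec)
        print(f"{spec:24} {v['kind']:17} {v['mode']}")
    print("writable host paths:", writable_host_paths(SAMPLE_VOLUMES))
```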

Other Resources

  • Docker run reference
  • Dockerfile reference
  • Expose vs publish: Docker port commands explained simply
