JSONArgsRecommended
Output
JSON arguments recommended for ENTRYPOINT/CMD to prevent unintended behavior related to OS signals
Description
ENTRYPOINT
and CMD
instructions both support two different syntaxes for
arguments:
- Shell form:
CMD my-cmd start
- Exec form:
CMD ["my-cmd", "start"]
When you use shell form, the executable runs as a child process to a shell,
which doesn't pass signals. This means that the program running in the
container can't detect OS signals like SIGTERM
and SIGKILL
and respond to
them correctly.
Examples
❌ Bad: the ENTRYPOINT
command doesn't receive OS signals.
FROM alpine
ENTRYPOINT my-program start
# entrypoint becomes: /bin/sh -c my-program start
To make sure the executable can receive OS signals, use the exec form for CMD
and ENTRYPOINT
, which lets you run the executable as the main process (PID 1
) in the container, avoiding a shell parent process.
✅ Good: the ENTRYPOINT
receives OS signals.
FROM alpine
ENTRYPOINT ["my-program", "start"]
# entrypoint becomes: my-program start
Note that running programs as PID 1 means the program now has the special responsibilities and behaviors associated with PID 1 in Linux, such as reaping child processes.
Alternatively, if you want to ignore this lint rule because you do want your
executable to be invoked via a shell, you can use the
SHELL
Dockerfile
instruction to explicitly specify a shell to use.
✅ Good: shell is explicitly defined.
FROM alpine
RUN apk add bash
SHELL ["/bin/bash", "-c"]
ENTRYPOINT echo "hello world"