Understanding Docker Run

The docker run command is one of the first things new users learn — but it hides a lot of detail. In this note we’ll explain docker run syntax, how image tags really work, and the difference between CMD and ENTRYPOINT in Dockerfiles.

This note is part of the broader Docker Demystified series, where we break down the Docker CLI and common pitfalls.

Docker Run Command Syntax

As shown in docker run --help:

docker run --help
# Usage:  docker run [OPTIONS] IMAGE [COMMAND] [ARG...]

The structure is:

• docker: CLI executable
• run: Subcommand
• [OPTIONS]: Options for run
• IMAGE: The image to use for the container
• [COMMAND]: The command to run inside the container
• [ARG...]: Arguments passed to that command

Examples:

docker run --rm node node -p "2+2"
# Prints “4”

docker run --rm python python -c "print(2+2)"
# Prints “4”

Here, the first node or python is the IMAGE. The second is the [COMMAND].

Docker Image Tags Explained

What happens if you omit [COMMAND]?

docker run --rm node -p "2+2"
# Prints “4”

docker run --rm python -c "print(2+2)"
# Error: no such file or directory

Adding :latest makes it clearer:

docker run --rm node:latest -p "2+2"
docker run --rm python:latest -c "print(2+2)"

Docker defaults to :latest, but that tag can move under your feet. To avoid breakage, pin image versions:

docker run --rm node:24.8.0 node -p "2+2"   # exact version
docker run --rm node:24.8 node -p "2+2"     # major+minor
docker run --rm node:24 node -p "2+2"       # major
docker run --rm node:24-alpine node -p "2+2" # variant

The Node.js team ships multiple variants (Debian Bookworm by default, Alpine, Slim, Bullseye, etc.).

Docker CMD vs ENTRYPOINT

Why does Node work without explicitly calling node, while Python doesn’t? It comes down to Dockerfile defaults.

• Node defines an ENTRYPOINT script that assumes node.
• Python doesn’t — so leaving off python fails.

Inspect Node’s entrypoint:

docker run --rm node cat /usr/local/bin/docker-entrypoint.sh

See it in the image history:

docker history node

CMD vs ENTRYPOINT summary:

• CMD → sets a default command, overridden by [COMMAND].
• ENTRYPOINT → defines a fixed script/binary; [COMMAND] [ARGS...] are passed to it.

Overriding CMD

docker run --rm -it node:24 sh
docker run --rm node:24 ls -l /etc

Overriding ENTRYPOINT

docker run --rm --entrypoint "" node:24 node -p "2+2"
docker run --rm --entrypoint ls node:24 -l /etc

If ENTRYPOINT is set, Docker runs it first and passes [COMMAND] [ARGS...]. If absent, Docker just runs [COMMAND].

Key Terms

IMAGE
The container base to run. Defaults to :latest if no tag is specified.

CMD
Default command in an image. Overridden by [COMMAND].

ENTRYPOINT
Fixed command or script the image always runs. [COMMAND] [ARGS...] get passed to it.

Tag
A label for an image version (e.g. :24.8.0, :alpine). Without a tag, Docker uses :latest.

Related Notes

• Dockerfile CMD vs ENTRYPOINT Explained
• Why You Should Pin Docker Image Tags
• Docker Compose vs Docker Run