JSONArgsRecommended: only warn if CMD/ENTRYPOINT has more than 1 arg #5423

Open
alxndrsn opened this issue Oct 13, 2024 · 6 comments

@alxndrsn

Is this warning helpful when CMD/ENTRYPOINT only have a single argument?

$ (tmp=$(mktemp); echo "FROM alpine" >$tmp; echo "ENTRYPOINT /bin/bash" >>"$tmp"; echo "CMD yes" >>"$tmp"; docker build -f "$tmp" --check .)
[+] Building 1.4s (3/3) FINISHED                                                                                                   docker:default
 => [internal] load build definition from tmp.g2as9NYgR0                                                                                     0.2s
 => => transferring dockerfile: 82B                                                                                                          0.0s
 => [internal] load metadata for docker.io/library/alpine:latest                                                                             0.9s
 => [internal] load .dockerignore                                                                                                            0.1s
 => => transferring context: 67B                                                                                                             0.0s
Check complete, 2 warnings have been found!

WARNING: JSONArgsRecommended - https://docs.docker.com/go/dockerfile/rule/json-args-recommended/
JSON arguments recommended for ENTRYPOINT to prevent unintended behavior related to OS signals
tmp.g2as9NYgR0:2
--------------------
   1 |     FROM alpine
   2 | >>> ENTRYPOINT /bin/bash
   3 |     CMD yes
   4 |     
--------------------

WARNING: JSONArgsRecommended - https://docs.docker.com/go/dockerfile/rule/json-args-recommended/
JSON arguments recommended for CMD to prevent unintended behavior related to OS signals
tmp.g2as9NYgR0:3
--------------------
   1 |     FROM alpine
   2 |     ENTRYPOINT /bin/bash
   3 | >>> CMD yes
   4 |     
--------------------
@tonistiigi
Member

Yes, if you don't use the JSON syntax then the CMD/ENTRYPOINT is expanded to sh -c cmd. This happens even if you have one arg.

@thaJeztah Should we consider changing the behavior when there is no custom shell? Or at least if the single arg is an absolute path? Has this ever been considered before?

@alxndrsn
Author

> Yes, if you don't use the JSON syntax then the CMD/ENTRYPOINT is expanded to sh -c cmd. This happens even if you have one arg.

Ah, thank you! I hadn't appreciated the significance of this.

@thaJeztah
Member

> Yes, if you don't use the JSON syntax then the CMD/ENTRYPOINT is expanded to sh -c cmd. This happens even if you have one arg.

Yes; was about to comment this; in the example case, the container will have /bin/sh -c '/bin/bash' as command (that's what the warning is about)

@thaJeztah
Member

Oh, there's an entrypoint as well. So even worse I think;

echo -e "FROM alpine\nENTRYPOINT /bin/bash\nCMD yes\n" | docker build -t foo -

docker image inspect foo | jq -c .[].Config.Entrypoint
["/bin/sh","-c","/bin/bash"]

docker image inspect foo | jq -c .[].Config.Cmd
["/bin/sh","-c","yes"]

LOL, not even sure what that actually runs; if both CMD and ENTRYPOINT are there, doesn't it take CMD as args for ENTRYPOINT? Would that run something like;

["/bin/sh","-c","yes", "/bin/sh","-c","/bin/bash"]

@thaJeztah
Member

> Should we consider changing the behavior when there is no custom shell? Or at least if the single arg is an absolute path? Has this ever been considered before?

@tonistiigi not sure if it was ever discussed before. Would there be cases where this would be problematic? I agree from a usability perspective perhaps (but "absolute path" may be the tricky one in a cross-platform world).

Guess that also implies the same for CMD (if both CMD and ENTRYPOINT are set)?

@tonistiigi
Member

tonistiigi commented Oct 14, 2024

https://docs.docker.com/reference/dockerfile/#understand-how-cmd-and-entrypoint-interact

Maybe it is not a good idea to have more exceptions to this.
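
The expansion discussed in this thread, modeled as an added example (not BuildKit's code and not part of the original issue). It assumes the Linux default shell `/bin/sh -c`, no SHELL instruction, and nothing inherited from the base image; `parse_args`, `image_config` and `container_argv` are hypothetical names.

```python
import json

DEFAULT_SHELL = ["/bin/sh", "-c"]  # assumption: Linux default, no SHELL instruction


def parse_args(rest):
    """Return (argv, is_shell_form) for the text after CMD/ENTRYPOINT."""
    try:
        value = json.loads(rest)
        if isinstance(value, list) and all(isinstance(a, str) for a in value):
            return value, False          # exec (JSON) form: stored verbatim
    except json.JSONDecodeError:
        pass
    # Shell form: the whole line becomes ONE command string for sh -c,
    # even when it is a single word such as /bin/bash.
    return DEFAULT_SHELL + [rest], True


def image_config(dockerfile):
    """Model Config.Entrypoint / Config.Cmd and list the shell-form lines."""
    config = {"Entrypoint": [], "Cmd": []}
    warnings = []
    for lineno, line in enumerate(dockerfile.splitlines(), 1):
        keyword, _, rest = line.strip().partition(" ")
        key = {"ENTRYPOINT": "Entrypoint", "CMD": "Cmd"}.get(keyword.upper())
        if key is None:
            continue                     # FROM and everything else is ignored here
        config[key], shell_form = parse_args(rest.strip())
        if shell_form:
            warnings.append((lineno, keyword.upper()))
    return config, warnings


def container_argv(config):
    """The container process is Entrypoint followed by Cmd."""
    return config["Entrypoint"] + config["Cmd"]


# Constructed inputs: the Dockerfile from the issue, and the same file in JSON form.
SHELL_FORM = "FROM alpine\nENTRYPOINT /bin/bash\nCMD yes\n"
EXEC_FORM = 'FROM alpine\nENTRYPOINT ["/bin/bash"]\nCMD ["yes"]\n'

if __name__ == "__main__":
    for name, text in (("shell form", SHELL_FORM), ("exec form", EXEC_FORM)):
        config, warnings = image_config(text)
        print(name, container_argv(config), warnings)
```

For the shell-form file the argv starts with `/bin/sh -c /bin/bash`, so `sh` receives only `/bin/bash` as its command string and the trailing CMD words become its positional parameters (`$0`, `$1`, ...) rather than arguments to bash. In JSON form the argv is simply `/bin/bash yes` with no shell wrapper.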
