The big problem is that docker/container image creation is now buried deep inside an app's build system. This means that your build system is now a critical part of your infrastructure.

Isn't that the case with any continuous deployment pipeline?

Best to use the CD system to do the deploy, and avoid "hold my beer, I've got to emergency deploy this via SSH" which is high risk for minimal gain.

No I don't mean pushing patches to your App, I mean critical system libraries.

Because they are baked into the container, to do critical patches you need to rebake the image.

The Docker bit will be mostly painless, unless you've don't something stupid, however the bits around the app can and will changes.

The amount of times I've tried to use a build job from 3-6months ago and it fails horrifically is far too often.

author here.

I'm assuming you have your organization's docker files in soure control and Jenkins, MAYBE you are buildling on top of the Ubuntu base image. So it shouldn't be buried - you should be able to update in source control and rebuild.

(Also, this post is mostly applicable to AMIs).

And 100% absolutely, your build system SHOULD be a critical part of your infrastructure. Not mission critical in that it being down is a problem, but it's how you role out changes.

This also allows you to continuously test the software going into builds, have dependencies, and all of those things.

This is "continuous integration + continuous deployment", but it doesn't have to be continuous. But continuous is a (cough) continuum and there are steps down that road that yield benefits without going all the way.

What do I gain compared to creating a puppet deployment setup, and set my machines from there?

I see no benefit from Docker (but that's why I don't know it well). Any code that does not come directly from the source control is risky, and docker incentives the worst possible building workflow, that is the developer builds everything on his machine, and pass the binaries along for deployment. That's as bad as developing on production.

Well your build system should all be in version control, so that a red herring.

The issue with a developer building something and then throwing it over the wall to ops is one possible workflow, but I think it's a stretch to say that's what Docker "encourages". It only encourages that if you have inexperienced people doing your build system. Docker actually dovetails nicely with DevOps movement to break down those kind of throw-it-over-the-wall silos, and if you have someone experienced and skilled in charge of your build, this poor workflow won't happen.

So what do you gain? Well, you gain lightning fast, reproducible server deployments. You gain production / dev parity. You gain the ability to develop multi-node distributed systems locally without crippling performance overhead. Obviously this all comes at a significant complexity which may exceed your gains (hence why I say the jury is still out), but the problems it solves are very real, and not acequately addressed by pure configuration or VM technology.

> lightning fast

Depending on your bandwidth to the registry (and its availability).

> reproducible

As long as the tag wasn't overwritten by someone.

> production / dev parity

Which has been enabled for years via Vagrant, and by plain virtual machines even before that.

> develop multi-node distributed systems locally

Which won't match production, unless you put in a lot of networking effort in both regions: a set of linked docker containers will behave very differently than a set of docker containers on potentially separate hosts.

I'm not a cheerleader, you don't need to cherry-pick words to off-handedly dismiss. If you don't see the potential advantages that Docker brings to the table in terms of parity, immutability and performance, then you are being intellectually dishonest and there's no point having a discussion.