I can't quite decide if this title is ironic or not. I've been trying really hard not to be a build system guy, and I think I'm succeeding, mostly, but sometimes these things come back around. I may still be smarting from people proposing "just use docker" to solve any number of mostly unrelated problems.

The thing is that docker does help solve many build problems: before docker, you either had to write code that supported any possible execution environment, or carefully control the environments your code ran in. That was a lot of work, and generally really annoying. Because docker provides a (potentially) really stable execution environment, it can make a lot of sense to do your building inside of a docker container, in the same way that folks often do builds in chroot environments (or at least used to). Really, containers are kind of super-chroots, and it's a great thing to be able to give your development team a common starting point for development work. This is cool.

It's also the case that Docker makes a lot of sense as a de facto standard distribution or deployment format, and in this way it's kind of a really fat binary. Maybe it's too big, maybe it's the wrong tool, maybe it's not perfect, but a lot of applications will end up running in containers anyway, and treating the docker container as your executable format lets you avoid issues that only appear in one (set of) environments.

At the same time, I think it's important to keep these use cases separate: try to avoid using the same container for deployment that you use for development, or even for builds. This is good because "running the [deployment] container" shouldn't build software; it also limits the size of your production containers and keeps them from unintentionally picking up dependencies. This is, of course, less clear-cut in runtimes that don't have a strong "compiled artifacts" story, but it's still possible.
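To make this concrete, here's a minimal multi-stage Dockerfile sketch of the "build in one container, deploy in another" idea. I'm assuming a Go service purely for illustration; the ./cmd/server path, image tags, and binary name are placeholders, not anything prescribed:

```dockerfile
# Build stage: full toolchain, never ships to production.
FROM golang:1.22 AS builder
WORKDIR /src
COPY . .
# Static binary (no cgo) so the runtime image needs no libc.
# The ./cmd/server path is a hypothetical project layout.
RUN CGO_ENABLED=0 go build -o /server ./cmd/server

# Runtime stage: just the compiled artifact, no compiler, no sources.
FROM gcr.io/distroless/static-debian12
COPY --from=builder /server /server
ENTRYPOINT ["/server"]
```

Only the final stage ends up in the image you deploy, so the production container stays small and can't quietly accumulate build-time dependencies.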

There are some notes/caveats:

  • Dockerfiles are actually kind of build systems, and under the hood they just snapshot the filesystem diff after each step. So they work best if you treat them like build systems: make the steps discrete and small, keep the stable, deterministic things early in the build, and push the more ephemeral steps later to prevent unnecessary rebuilding (there's a concrete sketch of this ordering after the list).
  • "Build in one container and deploy in another," requires moving artifacts between containers, or being able to run docker-in-docker, which are both possible but may be less obvious than some other workflows.
  • Docker's "build system qualities," can improve the noop and rebuild-performance of some operations (e.g. the amount of time to rebuild things if you've just built or only made small changes.) which can be a good measure of the friction that developers experience, because of the way that docker can share/cache between builds. This is often at the expense of making artifacts huge and at greatly expanding the amount of time that the operations can take. This might be a reasonable tradeoff to make, but it's still a tradeoff.