However, some aspects of Docker leave me with concerns that it may not be the tool for me. I tried installing the official node image and it downloaded hundreds of megabytes of other images (probably over a GB). Not that much of a problem on my VPS but absolutely unusable anywhere else in my corner of the world.
Looks like I'll have to create my own images and use my own private local registry to make use of Docker outside of my VPS.
It would be pretty straightforward to adapt those Dockerfiles to create an image which includes only the dependencies for building node. It would end up looking a lot like 'node:slim' (288MB).
Ideally, Docker will eventually have the functionality to more easily strip out transient requirements like build dependencies from the final images.
I can't say I've used many of the community images. We generally just use the base OS images and install packages as needed. The Dockerfile makes it pretty easy to do.
Quick question though: is the only reason for using Docker containers with LaTeX file compilation for providing isolation between documents? Isn't there a performance hit versus running file compilation directly on worker machines, perhaps with some sort of folder-based isolation (workers will only compile files in folders that the user has permissions to)?
Isolation is definitely one of the main benefits for us. Compared to e.g. a chroot, Docker also lets us disable networking and restrict memory etc. for the process in the container. It's another important layer of security.
Another benefit is that the Dockerfile also makes it a lot easier to manage installation of all the LaTeX packages, fonts and various scientific software that we have installed.
The overheads seem to be very low --- less than 100ms extra startup and tear down time, and no significant difference in runtime speed.
Just curious, how do you handle input and output? Do you prepare a volume with the input and then grab output from there as well, or does the program inside the container fetch input from somewhere first, run exec latex and then upload the output elsewhere?
I'd be interested in hearing more about the decision-making since Docker doesn't claim to provide protection from untrusted users.
I think you're better off installing the required version with Ruby Install rather than adding the complexity of a version manager.
 - https://github.com/postmodern/ruby-install#readme
edit: I see: cleaver
You can see how it's set up in the GitHub repo for the slides: https://github.com/jdleesmiller/ds-docker-demo