Major database upgrades happen less than once a year. Minor database upgrades don’t take very long and you can rebuild the data container, destroy and start the web container in a very few minutes. It seems that some people would rather have a pretty message saying that the site is down rather than reducing down time, so a second container is the way to do it.
Actually, maybe the easiest solution would be to just have a second nginx container with a “back soon” message that you ran by hand while doing an upgrade, like
./launcher stop app
docker run nginx --name back-soon # and some more stuff to see that a page was served
./launcher bootstrap app
./launcher destroy app
docker stop back-soon
./launcher start app
But then you have to get a cert and keep the cert updated for the back-soon container, which is complicated.
EDIT: Here is the canonical topic for this discussion Add an offline page to display when Discourse is rebuilding or starting up - #83 by amotl