Repository layout:

```
├── Dockerfile
└── README.md
```

/Dockerfile:

```dockerfile
FROM alpine:3.6

RUN apk update && apk add python2 py-pip

RUN pip install mdv

COPY README.md README.md

CMD ["mdv","README.md"]
```

/README.md:

------------------------------------------------------
# THE ENTERPRISE IT CHECKLIST FOR DOCKER OPERATIONS

Version: 17.06

Source: https://github.com/nicolaka/checklist

`docker run -t nicolaka/checklist:17.06`

------------------------------------------------------

## ☑ Infrastructure

* Cluster sizing and zoning
* Supported and compatible versions (OS, Docker Engine, UCP, DTR)
* Adequate resources (manager vs. worker nodes)
  * Manager: 16G mem, 4 vCPU, 1+ Gbps, 32+ GB disk
  * Worker (minimum): 4G mem, 2 vCPU, 100+ Mbps, 8 GB disk
* Resources
  * [Compatibility Matrix](https://success.docker.com/Policies/Compatibility_Matrix)
  * [System Requirements](https://success.docker.com/article/Docker_Reference_Architecture-_Docker_EE_Best_Practices_and_Design_Considerations_17_03#astandarddeploymentarchitecture)

## ☑ Orchestration Management

* Redundant/highly available UCP managers
  * Deployed in odd numbers (3, 5, 7) to maintain quorum
  * Distributed across data centers or availability zones (1-1-1, 2-2-1, etc.)
* Fine-tuned orchestration settings
* Upstream TCP load balancing
* No application workloads on managers
* Automated join and leave process
* Labeled resources (networks, volumes, containers, services, secrets, nodes)
* Resources
  * [Docker EE Reference Architecture](https://success.docker.com/article/Docker_Reference_Architecture-_Docker_EE_Best_Practices_and_Design_Considerations_17_03#astandarddeploymentarchitecture)
  * [UCP Architecture](https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/)
  * [Limiting Application Deployment to Workers](https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/restrict-services-to-worker-nodes/)
  * [Resource Labeling](https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/add-labels-to-cluster-nodes/)

## ☑ Image Distribution

* Redundant (3, 5, 7) DTR replicas
* Replicated and secured image backend storage (NFS, S3, Azure Storage, etc.)
* Garbage collection enabled
* Security scanning enabled
* Resources
  * [Docker EE Reference Architecture](https://success.docker.com/article/Docker_Reference_Architecture-_Docker_EE_Best_Practices_and_Design_Considerations_17_03#astandarddeploymentarchitecture)
  * [DTR High Availability](https://docs.docker.com/datacenter/dtr/2.3/guides/admin/configure/set-up-high-availability/)
  * [Security Scanning](https://docs.docker.com/datacenter/dtr/2.3/guides/admin/configure/set-up-vulnerability-scans/)
  * [Garbage Collection](https://docs.docker.com/datacenter/dtr/2.3/guides/admin/configure/garbage-collection/)

## ☑ Security

* Utilize the Docker EE RBAC model (subjects, grants, roles, collections, resources)
* AD/LDAP groups mapped to teams and organizations
* Docker Content Trust signing and enforcement
* Regular runs of Docker Bench for Security
* Restricted direct access (SSH/RDP) to nodes
* Utilize the built-in Secrets functionality (encrypted, access-controlled)
* Rotate orchestration join keys
* Use the built-in or your own CA for intra-cluster mTLS (node identity, management traffic)
* Valid SSL/TLS certificates for UCP and DTR
* Resources
  * [Security Reference Architecture](https://success.docker.com/article/Docker_Reference_Architecture-_Securing_Docker_EE_and_Security_Best_Practices)
  * [Docker Bench for Security](https://github.com/docker/docker-bench-security)
  * [Docker EE RBAC Example Use Case](https://success.docker.com/article/RBAC_Example-Overview)
  * [Docker Secrets](https://docs.docker.com/engine/swarm/secrets/)
  * [Introduction to User Namespaces in Docker Engine](https://success.docker.com/article/Introduction_to_User_Namespaces_in_Docker_Engine)

## ☑ Network

* Pick the right networking driver for your application
* Select the proper publishing mode (ingress vs. host mode)
* Pick a suitable load-balancing mode (client-side = dnsrr, server-side = vip)
* Network latency < 100 ms between nodes
* Segment applications at L3 with overlays (1 app, 1 overlay network)
* Utilize the built-in encrypted overlay feature (app <--> app traffic encrypted)
* Pick the application subnet size carefully
* Designate non-overlapping subnets to be used by Docker for overlay networks
* Resources
  * [Networking Reference Architecture](https://success.docker.com/article/Docker_Reference_Architecture-_Designing_Scalable,_Portable_Docker_Container_Networks)
  * [Service Discovery and Load Balancing Reference Architecture](https://success.docker.com/article/Docker_Reference_Architecture-_Universal_Control_Plane_2.0_Service_Discovery_and_Load_Balancing)

## ☑ Storage

* Production-ready, configured engine storage backend
* Replicated and secure DTR storage backend
* Certified and tested application data storage plugin for replicating application data
* Resources
  * [Configure Devicemapper for Production](https://docs.docker.com/engine/userguide/storagedriver/device-mapper-driver/)
  * [DTR Storage Backend](https://docs.docker.com/datacenter/dtr/2.3/guides/admin/configure/external-storage/)

## ☑ Logging and Monitoring

* External, centralized logging for engine and application container logs
* Local logging for active troubleshooting
* Host-level and container-level resource monitoring
* DTR image backend storage monitoring
* Docker engine storage monitoring
* Use the built-in application health-checking functionality
* Resources
  * [Logging Reference Architecture](https://success.docker.com/article/Docker_Reference_Architecture-_Docker_Logging_Design_and_Best_Practices)

## ☑ Integration

* UCP and DTR are well integrated (SSO, DCT, etc.)
* CI/CD tooling (Jenkins, Bamboo, CircleCI, etc.)
* Development tooling (dev machines, IDEs)
* Configuration automation tools (Puppet, Chef, Ansible, Salt)
* Resource provisioning systems (Terraform, etc.)
* Change management systems
* Internal/external DNS or other service discovery and registration systems
* Load balancing for both the management plane and each of the applications (L4/L7)
* Incident/ticketing management systems (ServiceNow, etc.)

## ☑ Disaster Recovery

* Regular (recommended: weekly) backups (UCP, DTR, and Swarm)
* Well-tested, automated, and documented
  * platform restoration
  * upgrade + downgrade
  * application recovery procedure
* Resources
  * [Entire Docker EE Upgrade Procedure](https://success.docker.com/article/Upgrade_an_entire_cluster_with_CentOS,_Docker_Engine,_UCP,_and_DTR)
  * [DTR Backup and Recovery](https://docs.docker.com/datacenter/dtr/2.3/guides/admin/backups-and-disaster-recovery/)
  * [UCP Backup and Recovery](https://docs.docker.com/datacenter/ucp/2.2/guides/admin/backups-and-disaster-recovery/)
  * [Swarm Backup and Recovery](https://docs.docker.com/engine/swarm/admin_guide/#recover-from-disaster)

## ☑ Testing

* Multi-platform image pull and push to DTR
* Confirm users have the right set of access to their respective resources
* Confirm application resource limitation works as expected
* End-to-end stack deployment from CLI and UI
* Updating applications with new configuration, images, and networks using rolling upgrades
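The Network section asks for carefully sized, non-overlapping overlay subnets (one overlay per application). The following added example, which is not part of the checklist repository, checks a constructed subnet plan offline: it flags overlaps between application overlays and against ranges Docker must not collide with, and it estimates whether a subnet holds every task plus one VIP per service. The plan, the corporate range and the one-extra-task-per-service update headroom are assumptions; the ingress default and the three addresses Docker's IPAM keeps for itself (network, broadcast, gateway) are Docker behaviour.

```python
import ipaddress
from itertools import combinations

# Constructed sample plan (not from the checklist repo): one overlay per
# application, as the Network section recommends, plus ranges Docker must not
# collide with. RESERVED entries are only checked against the overlays.
RESERVED = {
    "ingress": "10.255.0.0/16",   # Docker's default ingress overlay subnet
    "corp-lan": "10.20.0.0/16",   # assumed on-prem address space of the hosts
}
OVERLAYS = {
    "app-frontend": "10.255.3.0/24",    # collides with the ingress network
    "app-payments": "172.20.0.0/24",
    "app-reports": "172.20.0.128/25",   # carved out of app-payments by mistake
    "app-batch": "172.21.0.0/26",
}


def find_overlaps(overlays, reserved):
    """Return (a, b) name pairs whose subnets overlap: overlay vs. overlay
    first, then overlay vs. reserved range. An empty list means the plan is
    clean. strict=True rejects a CIDR whose host bits are set."""
    nets = {n: ipaddress.ip_network(c, strict=True)
            for n, c in {**reserved, **overlays}.items()}
    bad = [(a, b) for a, b in combinations(sorted(overlays), 2)
           if nets[a].overlaps(nets[b])]
    for o in sorted(overlays):
        bad.extend((o, r) for r in sorted(reserved) if nets[o].overlaps(nets[r]))
    return bad


def task_capacity(cidr):
    """Addresses an overlay can hand out to tasks and VIPs. Docker's IPAM
    reserves the network address, the broadcast address and the gateway."""
    return ipaddress.ip_network(cidr).num_addresses - 3


def fits(cidr, services, replicas_per_service, update_headroom=1):
    """Does the subnet hold every task plus one VIP per service? A rolling
    update that starts the new task before stopping the old one briefly
    needs extra addresses; update_headroom (assumed: one per service) covers it."""
    need = services * (1 + replicas_per_service + update_headroom)
    return need <= task_capacity(cidr)


if __name__ == "__main__":
    for a, b in find_overlaps(OVERLAYS, RESERVED):
        print(f"overlap: {a} ({OVERLAYS[a]}) and {b}")
    print("app-batch /26 holds 5 services x 10 replicas:",
          fits("172.21.0.0/26", services=5, replicas_per_service=10))
```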