Docker pre-production checklist

Topic: Containers core

Summary

Use this checklist before running containers in production: image source and scan, non-root and read-only, resource limits, secrets handling, logging, and health checks. Ensures containers are built and run in a production-ready way.

Intent: Checklist

Quick answer

  • Image: from a trusted registry; tagged with a specific version (not only latest); scanned for critical/high vulnerabilities. Base image pinned (e.g. alpine:3.18 not alpine:latest).
  • Runtime: run as non-root; read-only root filesystem where possible; capabilities dropped; memory and CPU limits set. Secrets from env or a secret store, not baked into the image or committed in a compose file in the repo.
  • Ops: logging to stdout/stderr or centralized; health check defined; restart policy set (e.g. unless-stopped). Network: only required ports published; containers on the same user-defined network for internal communication.

Prerequisites

Steps

  1. Image and scan

    Confirm image source and tag; run vulnerability scan; fix or accept risk for known issues. Pin base image and key dependencies.

  2. Security and limits

    Non-root user; read-only root filesystem; capabilities dropped; memory and CPU limits. No secrets in the image or in the repo.

  3. Logging and health

    App logs to stdout or to a known path; log driver configured if needed. HEALTHCHECK in Dockerfile or compose; restart policy set.

  4. Network and dependencies

    Only required ports published; internal traffic on a user-defined network. depends_on or startup order documented; backup and restore for volumes if stateful.
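A small audit script for the image-level items of steps 1 and 2 (pinned base image, non-root USER, HEALTHCHECK, no secrets in ENV), added here as an example and not part of the original checklist; the two Dockerfiles are constructed samples and the regex of secret-looking names is an assumption, not a complete list:

```python
"""Audit a Dockerfile against the image-level items of the checklist."""
import re

# Constructed sample: fails pinning, runs as root, bakes in a secret, no HEALTHCHECK.
WEAK_DOCKERFILE = """\
FROM alpine:latest
ENV DB_PASSWORD=hunter2
RUN apk add --no-cache python3
COPY app /app
CMD ["python3", "/app/main.py"]
"""

# Constructed sample: the same image brought in line with the checklist.
HARDENED_DOCKERFILE = """\
FROM alpine:3.18
RUN apk add --no-cache python3 && adduser -D -u 10001 app
COPY app /app
USER app
HEALTHCHECK --interval=30s --timeout=3s CMD wget -qO- http://127.0.0.1:8080/health || exit 1
CMD ["python3", "/app/main.py"]
"""

# Assumed list of variable names that usually carry secrets (extend for your stack).
SECRET_KEY = re.compile(r"(PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.IGNORECASE)

def audit_dockerfile(text):
    """Return a list of checklist findings; an empty list means every item passes."""
    findings, user, has_healthcheck = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        instr = instr.upper()
        if instr == "FROM":
            image = args.split()[0]            # drop any "AS stage" suffix
            # pinned means a digest, or a tag that is not 'latest' (tag lives in the last path segment)
            if "@sha256:" not in image:
                tag = image.rsplit(":", 1)[1] if ":" in image.rsplit("/", 1)[-1] else None
                if tag is None or tag == "latest":
                    findings.append(f"base image not pinned: {image}")
        elif instr == "USER":
            user = args.split(":")[0]          # "user:group" -> user
        elif instr == "HEALTHCHECK" and args.strip().upper() != "NONE":
            has_healthcheck = True
        elif instr == "ENV" and SECRET_KEY.search(args):
            findings.append(f"possible secret baked into image: ENV {args.split('=')[0].split()[0]}")
    if user is None or user in ("root", "0"):
        findings.append("container runs as root (no non-root USER)")
    if not has_healthcheck:
        findings.append("no HEALTHCHECK defined")
    return findings
```

Runtime items such as read-only root filesystem, dropped capabilities and memory/CPU limits live in the run command or compose file, not the Dockerfile, so they are outside what this script checks.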

Summary

Checklist for image, security, limits, secrets, logging, health, and network before production. Use this so containerized workloads are production-ready.

Prerequisites

Steps

Step 1: Image and scan

Verify image source, tag, and scan results; pin base and dependencies.

Step 2: Security and limits

Confirm non-root user, read-only root filesystem, dropped capabilities, and resource limits; no secrets in the image.

Step 3: Logging and health

Ensure logging and health check; set restart policy.

Step 4: Network and dependencies

Publish only required ports; document dependencies and volume backup.

Verification

  • All items checked; containers are ready for production use.

Troubleshooting

  • Scan failures: update the base image and dependencies, or document the accepted risk.
  • App needs root: prefer fixing the app; if not possible, document it and minimize other exposure.

Next steps

Continue to