This guide provides a checklist to help you get up and running with, and comfortable using, Portainer Business Edition (BE). We highly recommend our Academy course, Best Practice Install Guide, when setting up your production environment. For a quicker start, check out our documentation.
Checklist
- Prepare the environment where the Portainer server will be deployed
  This can be a dedicated VM running Linux and Docker (or k3s/microk8s), or it can be a dedicated management cluster (Swarm or Kubernetes).
  - Check – Does this node have off-node persistent storage, for example a block storage device or an NFS mount? If not, provision this first.
  - Check – If this is a cluster, is the storage available across all nodes? If not, provision this first.
  - Check – If this is a Swarm cluster, is the overlay network functional? To test it, create a global service deploying an nginx container on each node, console into each and try to curl the nginx port on the other nodes. If this fails, check the firewall ports and that VXLAN traffic is allowed between the nodes.
  - Check – Ensure you have root access to the Docker host and/or the cluster-admin role against Kubernetes. If not, obtain the correct permissions.
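The overlay check described above, written out as an added example script (it is not from the Portainer docs or the Portainer project). Instead of consoling into every node, it deploys a global nginx service, reads each task's overlay IP from the manager, then runs a second global "prober" service whose task on every node fetches nginx from every node and logs OK or FAIL per target; `docker service logs` then shows which node-to-node paths are broken. The network and service names are arbitrary assumptions; run it on a manager node as `sh overlay-check.sh run`.

```shell
#!/bin/sh
# Added example (not Portainer's code): exercise the swarm overlay network
# before adding the cluster to Portainer. Names below are arbitrary.
set -eu

NET="${NET:-overlay-check}"
NGINX_SVC="${NGINX_SVC:-overlay-check-nginx}"
PROBE_SVC="${PROBE_SVC:-overlay-check-probe}"

# Pure helper: every ordered (src, dst) pair of IPs with src != dst,
# i.e. the probes a full-mesh test has to perform.
pairwise() {
  for src in $1; do
    for dst in $1; do
      if [ "$src" != "$dst" ]; then printf '%s %s\n' "$src" "$dst"; fi
    done
  done
}

# Pure helper: summarise the prober's `docker service logs` output.
# Prints "<ok-count> <fail-count>" and returns non-zero if any probe failed.
summarise_probe_log() {
  ok=$(printf '%s\n' "$1" | grep -c ' OK [0-9]' || true)
  fail=$(printf '%s\n' "$1" | grep -c ' FAIL [0-9]' || true)
  printf '%s %s\n' "$ok" "$fail"
  [ "$fail" -eq 0 ]
}

overlay_check() {
  docker network create --driver overlay "$NET" >/dev/null
  # One nginx task per node; without --detach the CLI waits for convergence.
  docker service create --quiet --name "$NGINX_SVC" --mode global \
    --network "$NET" nginx:alpine >/dev/null

  # Overlay IPs of the running nginx tasks, read from the manager.
  ips=$(docker service ps -q --filter desired-state=running "$NGINX_SVC" \
    | xargs -n1 docker inspect \
        --format '{{range .NetworksAttachments}}{{index .Addresses 0}}{{end}}' \
    | cut -d/ -f1 | tr '\n' ' ')
  [ -n "$ips" ] || { echo "no running nginx tasks found" >&2; return 1; }
  echo "nginx tasks on the overlay: $ips"

  # One prober task per node; each fetches nginx from every node (its own
  # included, which doubles as a sanity check) and logs OK/FAIL per target.
  docker service create --detach --quiet --name "$PROBE_SVC" --mode global \
    --network "$NET" --restart-condition none -e "TARGETS=$ips" \
    busybox:stable sh -c 'for t in $TARGETS; do
      if wget -qO- -T 3 "http://$t/" >/dev/null 2>&1; then echo "OK $t"; else echo "FAIL $t"; fi
    done' >/dev/null
  sleep 15

  log=$(docker service logs "$PROBE_SVC" 2>&1)
  echo "$log"
  docker service rm "$PROBE_SVC" "$NGINX_SVC" >/dev/null
  docker network rm "$NET" >/dev/null

  # A FAIL line means VXLAN (UDP 4789) or the gossip ports (TCP/UDP 7946)
  # are blocked between the node in the log prefix and the target IP.
  summarise_probe_log "$log"
}

# Only touch the swarm when explicitly asked, e.g.: sh overlay-check.sh run
if [ "${1:-}" = "run" ]; then overlay_check; fi
```

Each log line is prefixed by `docker service logs` with the task and node name, so a `FAIL` line tells you the source node (prefix) and the destination (target IP) of the broken path, which is usually enough to find the firewall rule that drops VXLAN between those two hosts.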
- Deploy Portainer using the instructions that match your environment
- On first login, change the admin user to something non-standard
  For example, <companyname>_admin or <Portainer_admin>. Set a complex password for this user (you shouldn’t be logging in as the admin user anyway, so set a complex password and save it in a password safe). For more information, read “How to correctly secure Portainer when presented on the Internet”.
- Add your Portainer license
  This allows you to continue with the Portainer Business deployment (or click on Get a license to get one).
- Add environments: Docker, Swarm, Kubernetes, ACI
  Take a note of all the environments you want to add. Click on Environments, add the environment, then add each of your remote environments. Add tags (descriptive labels) as appropriate.
  - Check – If you are using the Docker daemon over TCP, make sure you have the TLS certs.
  - Check – If you are using Docker Swarm, make sure you have tested the overlay network (see the overlay network check under “Prepare the environment”).
  - Check – If you are using Kubernetes, decide whether NodePort or LoadBalancer is best.
  - Check – If you are deploying Edge Agents, ensure port 8000 is open on your Portainer instance and that your URL is https://.
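Added example (not from Portainer) covering the Docker-over-TCP and Edge Agent checks above as shell pre-flight checks. `docker_tls_args` assembles the client-certificate flags from a directory holding ca.pem, cert.pem and key.pem (the file names Docker's own TLS documentation uses; assumed here), `check_docker_tcp` confirms the endpoint accepts those certs and refuses a plain, unauthenticated connection, `require_https` rejects a Portainer URL that is not https://, and `check_edge_port` confirms TCP 8000 is reachable. Host names are placeholders.

```shell
#!/bin/sh
# Added example (not Portainer's code): pre-flight checks before adding
# environments. Hosts and paths are placeholders; replace with your own.
set -eu

# Build the TLS flags for a Docker TCP endpoint from a directory containing
# ca.pem, cert.pem and key.pem. Fails if any of the three is missing.
docker_tls_args() {
  dir="$1"
  for f in ca.pem cert.pem key.pem; do
    if [ ! -s "$dir/$f" ]; then echo "missing $dir/$f" >&2; return 1; fi
  done
  printf '%s' "--tlsverify --tlscacert=$dir/ca.pem --tlscert=$dir/cert.pem --tlskey=$dir/key.pem"
}

# The endpoint must (a) answer when presented with the client certs and
# (b) refuse a plain connection. (b) is what keeps anyone who can reach
# port 2376 from driving the daemon (and so root on the host).
check_docker_tcp() {
  host="$1"; certdir="$2"
  args=$(docker_tls_args "$certdir") || return 1
  # shellcheck disable=SC2086  (word-splitting of the flags is intended)
  docker $args -H "tcp://$host:2376" version >/dev/null \
    || { echo "TLS-authenticated connection to $host:2376 failed" >&2; return 1; }
  if docker -H "tcp://$host:2376" version >/dev/null 2>&1; then
    echo "$host:2376 accepted a connection WITHOUT client certs; fix the daemon TLS settings" >&2
    return 1
  fi
  echo "$host:2376 OK: certs accepted, plain connection refused"
}

# The Portainer URL handed to Edge Agents must be https://.
require_https() {
  case "$1" in
    https://*) return 0 ;;
    *) echo "Portainer URL must start with https:// (got $1)" >&2; return 1 ;;
  esac
}

# Edge Agents connect back to Portainer on TCP 8000.
check_edge_port() {
  host="$1"
  if nc -z -w 3 "$host" 8000; then
    echo "$host:8000 reachable"
  else
    echo "$host:8000 unreachable; open it on the firewall in front of Portainer" >&2
    return 1
  fi
}

# Example run with placeholder hosts: sh env-checks.sh run
if [ "${1:-}" = "run" ]; then
  require_https "https://portainer.example.internal"
  check_edge_port "portainer.example.internal"
  check_docker_tcp "docker-01.example.internal" "$HOME/.docker/docker-01"
fi
```

Run `check_edge_port` from a network where an Edge Agent will actually live, not from the Portainer host itself, since the point is to prove the path through the firewall.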
- Configure Portainer to use trusted SSL certs
  Click on Settings and scroll down to SSL Certificate. Upload your REAL SSL certs, then click on Save. Reconnect to Portainer using the FQDN specified in your SSL cert. Once you have confirmed that this works, go back to Settings and toggle Force HTTPS only on. Make sure that your HTTPS configuration is working correctly before enabling this option or you may be locked out of your Portainer installation.
  - Check – If you have intermediate certs in your chain, you may need to merge the root and intermediate certs.
  Helpful resource: What’s my chain cert?
  Docs reference: Settings #ssl-cert
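Added example (not from Portainer or the linked resource): a script that assembles the certificate bundle in the order browsers expect (server cert first, then each intermediate, from the one that signed the server cert upward), verifies the chain locally with openssl against the root you trust before you upload it, and, after the upload, shows what Portainer actually serves on its HTTPS port so you can confirm the chain before toggling Force HTTPS only. File names and the host are placeholders; 9443 is Portainer's default HTTPS port, adjust it if you published a different one.

```shell
#!/bin/sh
# Added example (not Portainer's code): build and check the certificate
# bundle to upload under Settings > SSL Certificate. Paths are placeholders.
set -eu

# Count PEM certificate blocks in a file (pure helper, used by the checks).
pem_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Write $1 as: server (leaf) cert, then each intermediate in order from the
# one that signed the leaf up to the one signed by the root. The root itself
# is not needed in the bundle because clients already trust it.
# Usage: build_chain out.pem leaf.pem intermediate.pem [intermediate2.pem ...]
build_chain() {
  if [ $# -lt 2 ]; then
    echo "usage: build_chain out.pem leaf.pem intermediate.pem [...]" >&2; return 1
  fi
  out="$1"; shift
  expected=0
  : > "$out"
  for f in "$@"; do
    n=$(pem_count "$f")
    if [ "$n" -ne 1 ]; then
      echo "$f must hold exactly one certificate, found $n" >&2; return 1
    fi
    cat "$f" >> "$out"
    # Keep a newline between blocks even if a file lacks a trailing one;
    # two blocks run together are a classic cause of "chain not found".
    if [ -n "$(tail -c1 "$f")" ]; then echo >> "$out"; fi
    expected=$((expected + 1))
  done
  [ "$(pem_count "$out")" -eq "$expected" ]
}

# Verify the bundle chains up to the root you trust. openssl verify checks
# the first cert in the target file (the leaf) and takes the intermediates
# from the file given as -untrusted; here that is the bundle itself.
verify_chain() {
  bundle="$1"; root="$2"
  openssl verify -CAfile "$root" -untrusted "$bundle" "$bundle"
}

# After uploading: what does Portainer actually serve? Each "s:"/"i:" pair
# is one cert in the served chain; the first must be your leaf and the
# verify return code must be 0 before you turn on "Force HTTPS only".
show_served_chain() {
  host="$1"; port="${2:-9443}"
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null \
    | grep -E '^ *[0-9]+ s:|^ *i:|Verify return code'
}

# Example run with placeholder files: sh chain-check.sh run
if [ "${1:-}" = "run" ]; then
  build_chain portainer-bundle.pem server.pem intermediate.pem
  verify_chain portainer-bundle.pem root.pem
  show_served_chain portainer.example.internal 9443
fi
```

A "Verify return code: 21 (unable to verify the first certificate)" or "20 (unable to get local issuer certificate)" from `show_served_chain` means the intermediate is missing from what Portainer serves, which is exactly the situation the check above is warning about; the browser on your workstation may still show a padlock because it caches intermediates, so trust the openssl output rather than the padlock.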
- Configure Portainer backups
  Click on Settings, scroll down to Backup Portainer, and configure scheduled backups of Portainer to S3.
  - Check – You will need an AWS S3 bucket for this.
  Docs reference: Settings #Backup Portainer
- Create a team structure
  To prepare to connect external user directories, you should first create a team structure.
  - Go to Users > Teams. Create teams that best suit your operational model (these will later be mapped to groups in your directory service).
  YouTube reference: Portainer Teams & OAuth group memberships synchronization
  Docs reference: https://docs.portainer.io/admin/users/teams
- Prepare for external authentication
  Now that you have teams configured, it’s time to connect Portainer to your internal user directory. Go to Settings > Authentication, and configure your auth provider.
  - Check – Enable SSO (and hide the authentication prompt) if you want users to be logged in automatically.
  - Check – Enable automatic user provisioning if you want users to be auto-created in Portainer on successful login.
  - Check – Enable automatic team membership if you want users to be added to teams automatically based on their corresponding group memberships (make sure to set the team-to-group mappings).
  Docs reference: https://docs.portainer.io/admin/settings/authentication
- Set up registries
  Go to Settings > Registries, and add your registries. Note that you can add multiple registries of the same type.
  - Check – If you are using an insecure registry, make sure you update the daemon.json configuration on each Docker host, else pulls will fail.
  Docs reference: https://docs.portainer.io/admin/registries/add
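Added example (not Portainer's): a script for the daemon.json change above. It declares a registry under `insecure-registries` on a Docker host, refuses to clobber an existing daemon.json (the error message shows the jq merge to use instead), restarts the daemon, and reads the setting back through `docker info` so you know the pull will not fail for that reason. The registry address is a placeholder. Give the exact host:port and nothing broader: `insecure-registries` switches off TLS verification and allows plain HTTP for that entry, so it should stay as narrow as possible and be treated as a stopgap until the registry has a certificate the hosts trust.

```shell
#!/bin/sh
# Added example (not Portainer's code): allow an insecure registry on a
# Docker host. The registry address is a placeholder; run on every host that pulls.
set -eu

# Write a minimal daemon.json declaring $2 as an insecure registry.
# Refuses to overwrite an existing file: merging (by hand or with jq) is
# safer than silently losing settings such as log drivers or data-root.
write_insecure_registry_config() {
  file="$1"; registry="$2"
  case "$registry" in
    http://*|https://*)
      echo "give host:port only, without a scheme: $registry" >&2; return 1 ;;
  esac
  if [ -e "$file" ]; then
    echo "$file exists; merge instead, e.g.:" >&2
    echo "  jq '.[\"insecure-registries\"] += [\"$registry\"]' $file > $file.new && mv $file.new $file" >&2
    return 1
  fi
  printf '{\n  "insecure-registries": ["%s"]\n}\n' "$registry" > "$file"
}

# Check that the running daemon now treats $1 as insecure. docker info's
# RegistryConfig.IndexConfigs lists each configured registry with a Secure
# flag; a host:port entry from insecure-registries appears there as Secure:false.
registry_is_insecure() {
  docker info --format '{{json .RegistryConfig.IndexConfigs}}' \
    | grep -q "\"$1\":{[^}]*\"Secure\":false"
}

# Example run with a placeholder registry: sh insecure-registry.sh run
if [ "${1:-}" = "run" ]; then
  REG="registry.example.internal:5000"
  write_insecure_registry_config /etc/docker/daemon.json "$REG"
  systemctl restart docker
  if registry_is_insecure "$REG"; then
    echo "$REG is now allowed as an insecure registry on this host"
  else
    echo "setting did not apply; check 'journalctl -u docker' for a daemon.json parse error" >&2
    exit 1
  fi
fi
```

Restarting the daemon stops running containers unless live-restore is enabled, so schedule this per host, and remember that Portainer itself only records the registry credentials: the trust decision lives in each host's daemon.json, which is why a pull can succeed on one node and fail on the next.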
- Manage access for each environment
  Click on Manage Access, and then grant the appropriate teams access with the appropriate role.
  Docs reference: https://docs.portainer.io/admin/environments/access
- Set base security and config options per environment
  - Click on each Docker environment, one at a time. Click on cluster or host, click on Settings, and configure base security policies.
    Docs reference: Docker standalone, Docker Swarm
  - Click on each Kubernetes environment, one at a time. Click on cluster, click on Settings, then configure base cluster capabilities.
    Docs reference: Kubernetes