Portainer News and Blog

12 Step Guide to Get Portainer Running in a Production Environment

Written by Neil Cresswell, CEO | May 4, 2022

This guide provides a checklist to help you get up and running with Portainer Business Edition (BE) and comfortable using it. We highly recommend our Academy course, Best Practice Install Guide, when setting up your production environment. For a quicker start, check out our documentation.

Checklist

  1. Prepare the environment where Portainer server will be deployed
    This can be a dedicated VM running Linux and Docker (or k3s/microk8s), or it can be a dedicated management cluster (swarm or Kubernetes). 
    1. Check – Does this node have off-node persistent storage? For example, a block storage device or NFS mount. If not, provision this first.
    2. Check – If this is a cluster, is the storage available across all nodes? If not, provision this first.
    3. Check – If this is a swarm cluster, is the overlay network functional? To verify, create a global service that deploys an nginx container on each node, console into each container and try to curl the nginx port on the other nodes. If this fails, check the firewall ports and confirm that VXLAN traffic is permitted between the nodes.
    4. Check - Ensure you have root access to the Docker host and/or cluster-admin role against Kubernetes. If not, get the correct permissions.

  2. Deploy Portainer using the instructions that match your environment

  3. On first login, change the admin user to something non-standard
    For example, <companyname>_admin, or <Portainer_admin>. Set a complex password for this user and save it in a password safe; you shouldn’t be logging in as the admin user day to day anyway. For more information, read “How to correctly secure Portainer when presented on the Internet”.

  4. Add your Portainer license
    This allows you to continue with the Portainer Business deployment (or click on Get a license to obtain one).

  5. Add environments: Docker, Swarm, Kubernetes, ACI
    Take note of all the environments you want to add. Click on Environments, then add each of your remote environments. Add tags (descriptive labels) as appropriate.
    1. Check - If you are using Docker daemon over TCP, make sure you have the TLS certs.
    2. Check – If you are using Docker Swarm, make sure you have tested the overlay network (see 1c).
    3. Check – If you are using Kubernetes, validate if NodePort or LoadBalancer is best.
    4. Check – If you are deploying Edge Agents, ensure port 8000 is open on your Portainer instance and that your URL is https://.

  6. Configure Portainer to use trusted SSL certs
    Click on Settings and scroll down to SSL Certificate. Upload your real SSL certs, then click on Save. Reconnect to Portainer using the FQDN specified in your SSL cert. Once you have confirmed that this works, go back to Settings and toggle Force HTTPS only on. Make sure that your HTTPS configuration is working correctly before enabling this option or you may be locked out of your Portainer installation.
    1. Check – If you have intermediate certs in your chain, you may need to merge root and intermediate certs.
      Helpful resource: What’s my chain cert?
      Docs reference: Settings #ssl-cert
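
As an added example (not code from the Portainer post), this script assembles the merged chain file that the SSL Certificate upload expects, leaf first followed by the intermediates, and verifies it against the trusted root with the openssl CLI before you turn on Force HTTPS only. The hostname portainer.example.com and the demo root/intermediate/leaf certificates it generates are constructed stand-ins for the files your real CA issues.

```shell
# Added example, not from the Portainer blog. Needs the openssl CLI;
# portainer.example.com and all file names are assumptions.

# verify_chain FULLCHAIN.pem ROOT.pem FQDN -> returns 0 when the chain is complete,
# in the right order and issued for FQDN, 1 otherwise. Call it inside if/|| so an
# expected failure does not abort a script that runs under set -e.
verify_chain() {
    chain="$1"; root="$2"; fqdn="$3"; d=$(mktemp -d)
    # First certificate in the file = leaf; any that follow = untrusted intermediates
    awk -v leaf="$d/leaf.pem" -v rest="$d/rest.pem" \
        '/-----BEGIN CERTIFICATE-----/{n++} n==1{print > leaf} n>1{print > rest}' "$chain"
    if [ -s "$d/rest.pem" ]; then
        openssl verify -CAfile "$root" -untrusted "$d/rest.pem" -verify_hostname "$fqdn" "$d/leaf.pem"
    else
        openssl verify -CAfile "$root" -verify_hostname "$fqdn" "$d/leaf.pem"
    fi
    rc=$?; rm -rf "$d"; return $rc
}

# make_demo_chain DIR: constructed root -> intermediate -> leaf hierarchy for
# portainer.example.com, standing in for the files your real CA hands you.
make_demo_chain() {
    d="$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
    printf 'subjectAltName=DNS:portainer.example.com\n' > "$d/leaf.ext"
    for name in root int leaf; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-$name" \
            -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 1 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
    # The file to upload: leaf followed by the intermediate (the root is not needed)
    cat "$d/leaf.pem" "$d/int.pem" > "$d/fullchain.pem"
}

DEMO=$(mktemp -d)
make_demo_chain "$DEMO"
if verify_chain "$DEMO/fullchain.pem" "$DEMO/root.pem" portainer.example.com; then
    echo "fullchain.pem verifies: upload it together with leaf.key"
fi
if ! verify_chain "$DEMO/leaf.pem" "$DEMO/root.pem" portainer.example.com; then
    echo "leaf.pem alone fails: the intermediate is missing, merge before uploading"
fi
```

Because the check also matches the hostname, a bundle with the intermediate pasted above the leaf fails too, which is the ordering mistake that otherwise only shows up as a browser warning after Force HTTPS only is enabled.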
  7. Configure Portainer backups
    Click on Settings, scroll down to Backup Portainer, and configure scheduled backups of Portainer to S3.
    1. Check – You will need an AWS S3 bucket for this.
      Docs reference: Settings #Backup Portainer

  8. Create a Team structure
    To prepare to connect external user directories, you should first create a team structure.
    1. Go to Users > Teams. Create teams that best suit your operational model (these will later be mapped to groups in your directory service).
      YouTube reference: Portainer Teams & OAuth group memberships synchronization
      Docs reference: https://docs.portainer.io/admin/users/teams

  9. Prepare for external authentication
    Now that you have teams configured, it's time to connect Portainer to your internal user directory. Go to Settings > Authentication, and configure your auth provider.
    1. Check – Enable SSO (and hide the authentication prompt) if you want users to be logged in automatically.
    2. Check – Enable auto user provisioning if you want users to be auto-created in Portainer on successful login.
    3. Check – Enable auto team membership if you want users added to teams automatically based on their corresponding group memberships (make sure to set the team-to-group mappings).
      Docs reference: https://docs.portainer.io/admin/settings/authentication

  10. Set up registries
    Go to Settings > Registries, and add your registries. Note that you can add multiple registries of the same type.
    1. Check – If you are using an insecure registry, make sure you update the daemon.json configuration on each Docker host, otherwise pulls will fail.
      Docs reference: https://docs.portainer.io/admin/registries/add

  11. Manage Access for each environment
    Click on Manage Access, and then grant the appropriate teams access with the appropriate role.
    Docs reference: https://docs.portainer.io/admin/environments/access

  12. Set base security and config options per environment
    1. Click on each Docker environment, one at a time. Click on cluster or host, click on Settings, and configure the base security policies.
      Docs reference:
      Docker standalone
      Docker Swarm
    2. Click on each Kubernetes environment, one at a time. Click on cluster, click on Settings, then configure base cluster capabilities.
      Docs reference: Kubernetes

    Now you are ready to start creating apps! 😀