The Go-Live Checklist

Before Any Container Faces Users

Everything in this track compresses into one reviewable list:

ItemModule that taught it
Pinned image tag (version/SHA, never latest)Images & Registries
.dockerignore in place; no secrets in layersWriting Dockerfiles
Multi-stage build; minimal baseWriting Dockerfiles
Runs as non-root (USER), cap-drop ALL, read-only rootfs where possibleSecurity
--memory, --cpus, --pids-limit setDebugging / Observability
Restart policy unless-stopped (or orchestrator-managed)Containers Day-to-Day
HEALTHCHECK probing a real dependency-aware endpointObservability
Log rotation (max-size/max-file) or shipping configuredObservability
State on named volumes; volumes in the backup planVolumes & Persistent Data
User-defined networks; ports bound to 127.0.0.1 unless truly publicNetworking
Secrets file-mounted or vault-fetched - never env/bakedSecurity
Image scanned in CI; version labels stampedDocker in CI/CD
Tip: Turn this into a PR template or a CI policy gate. Checklists beat memory at 2 AM, and they turn "tribal knowledge" into something a new hire enforces on day one.
Scenario: Re-read the checklist and notice: nearly every line exists because of an incident you've now debugged in the labs - the OOM kill, the 40GB log file, the wiped volume, the leaked .env, the privileged payments container. Production readiness is just incident memory, written down.