This tutorial shows you how to manually deploy a secure multi-node CockroachDB cluster on multiple machines, using HAProxy load balancers to distribute client traffic.
If you are only testing CockroachDB, or you are not concerned with protecting network communication with TLS encryption, you can use an insecure cluster instead. Select Insecure above for instructions.
Requirements
- You must have CockroachDB installed locally. This is necessary for generating and managing your deployment's certificates.
- You must have SSH access to each machine. This is necessary for distributing binaries and certificates.
- Your network configuration must allow TCP communication on the following ports:
  - 26257 (tcp:26257) for inter-node communication (i.e., working as a cluster) and for clients to connect to HAProxy
  - 8080 (tcp:8080) to expose your Admin UI
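If your machines also run a host-level firewall, you'll need to open these ports there as well. For example, a minimal sketch using ufw (assuming Ubuntu with ufw installed; cloud firewalls and other tools have their own equivalents):
$ sudo ufw allow 26257/tcp
$ sudo ufw allow 8080/tcp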
Recommendations
For guidance on cluster topology, clock synchronization, and file descriptor limits, see Recommended Production Settings.
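For example, two quick spot checks you can run on each machine (a sketch; ulimit -n reports the current shell's open-file limit, and ntpq -p assumes ntpd is your time-sync daemon):
# Check the current open-file (file descriptor) limit:
$ ulimit -n

# Check clock synchronization status (assuming ntpd):
$ ntpq -p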
Step 1. Generate certificates
Locally, you'll need to create the following certificates and keys:
- A certificate authority (CA) key pair (ca.crt and ca.key).
- A node key pair for each node, issued to its IP addresses and any common names the machine uses, as well as to the IP addresses and common names for machines running HAProxy.
- A client key pair for the root user.
Install CockroachDB on your local machine, if you haven't already.
Create two directories:
$ mkdir certs
$ mkdir my-safe-directory
- certs: You'll generate your CA certificate and all node and client certificates and keys in this directory and then upload some of the files to your nodes.
- my-safe-directory: You'll generate your CA key in this directory and then reference the key when generating node and client certificates. After that, you'll keep the key safe and secret; you will not upload it to your nodes.
Create the CA certificate and key:
$ cockroach cert create-ca \
--certs-dir=certs \
--ca-key=my-safe-directory/ca.key
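To help keep the CA key safe, one option is to tighten permissions on the directory and key (a sketch for Unix hosts; adapt to your own security practices):
$ chmod 700 my-safe-directory
$ chmod 600 my-safe-directory/ca.key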
Create the certificate and key for the first node, issued to all common names you might use to refer to the node as well as to the HAProxy instances:
$ cockroach cert create-node \
<node1 internal IP address> \
<node1 external IP address> \
<node1 hostname> \
<other common names for node1> \
localhost \
127.0.0.1 \
<haproxy internal IP addresses> \
<haproxy external IP addresses> \
<haproxy hostnames> \
<other common names for haproxy instances> \
--certs-dir=certs \
--ca-key=my-safe-directory/ca.key
Upload certificates to the first node:
# Create the certs directory:
$ ssh <username>@<node1 address> "mkdir certs"
# Upload the CA certificate and node certificate and key:
$ scp certs/ca.crt \
certs/node.crt \
certs/node.key \
<username>@<node1 address>:~/certs
Delete the local copy of the node certificate and key:
$ rm certs/node.crt certs/node.key
Note: This is necessary because the certificates and keys for additional nodes will also be named node.crt and node.key. As an alternative to deleting these files, you can run the next cockroach cert create-node commands with the --overwrite flag, as shown in the sketch below.
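For example, a sketch of re-running the command with --overwrite instead of deleting the local files first (the addresses and hostnames are elided here; the full argument list for the second node appears in the next step):
$ cockroach cert create-node \
<node2 addresses and hostnames> \
--certs-dir=certs \
--ca-key=my-safe-directory/ca.key \
--overwrite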
Create the certificate and key for the second node, issued to all common names you might use to refer to the node as well as to the HAProxy instances:
$ cockroach cert create-node \
<node2 internal IP address> \
<node2 external IP address> \
<node2 hostname> \
<other common names for node2> \
localhost \
127.0.0.1 \
<haproxy internal IP addresses> \
<haproxy external IP addresses> \
<haproxy hostnames> \
<other common names for haproxy instances> \
--certs-dir=certs \
--ca-key=my-safe-directory/ca.key
Upload certificates to the second node:
# Create the certs directory:
$ ssh <username>@<node2 address> "mkdir certs"
# Upload the CA certificate and node certificate and key:
$ scp certs/ca.crt \
certs/node.crt \
certs/node.key \
<username>@<node2 address>:~/certs
For each additional node, repeat the previous three steps: delete the local copies of node.crt and node.key (or use --overwrite), create the node's certificate and key, and upload the files to the node.
Create a client certificate and key for the root user:
$ cockroach cert create-client \
root \
--certs-dir=certs \
--ca-key=my-safe-directory/ca.key
Tip: In later steps, you'll use the root user's certificate to run cockroach client commands from your local machine. If you might also want to run cockroach client commands directly on a node (e.g., for local debugging), you'll need to copy the root user's certificate and key to that node as well.
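For example, a minimal sketch of copying the root user's client certificate and key to the first node (cockroach cert create-client root writes these files as client.root.crt and client.root.key in the certs directory):
$ scp certs/client.root.crt \
certs/client.root.key \
<username>@<node1 address>:~/certs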
Step 2. Start the first node
SSH to your first machine.
Install CockroachDB from our latest binary:
# Get the latest CockroachDB tarball:
$ curl -O https://binaries.cockroachdb.com/cockroach-v1.0.7.linux-amd64.tgz
# Extract the binary:
$ tar -xzf cockroach-v1.0.7.linux-amd64.tgz \
--strip=1 cockroach-v1.0.7.linux-amd64/cockroach

# Move the binary:
$ sudo mv cockroach /usr/local/bin/
Start a new CockroachDB cluster with a single node:
$ cockroach start --background \
--certs-dir=certs \
--host=<node1 address>
This command specifies the location of certificates and the address at which other nodes can reach it. Otherwise, it uses all available defaults. For example, the node stores data in the cockroach-data directory, binds internal and client communication to port 26257, and binds Admin UI HTTP requests to port 8080. To set these options manually, see Start a Node.
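As a sketch of what setting some of those options explicitly might look like (the store path below is a placeholder; --store, --port, and --http-port are the flags involved):
$ cockroach start --background \
--certs-dir=certs \
--host=<node1 address> \
--store=path=<storage directory> \
--port=26257 \
--http-port=8080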
Step 3. Add nodes to the cluster
At this point, your cluster is live and operational but contains only a single node. Next, scale your cluster by starting and joining additional nodes.
SSH to another machine.
Install CockroachDB from our latest binary:
# Get the latest CockroachDB tarball:
$ curl -O https://binaries.cockroachdb.com/cockroach-v1.0.7.linux-amd64.tgz
# Extract the binary:
$ tar -xzf cockroach-v1.0.7.linux-amd64.tgz \
--strip=1 cockroach-v1.0.7.linux-amd64/cockroach

# Move the binary:
$ sudo mv cockroach /usr/local/bin/
Start a new node that joins the cluster using the first node's address:
$ cockroach start --background \
--certs-dir=certs \
--host=<node address> \
--join=<node1 address>:26257
The only difference when adding a node is that you connect it to the cluster with the --join flag, which takes the address and port of the first node. Otherwise, it's fine to accept all defaults; since each node is on a unique machine, using identical ports will not cause conflicts.
Repeat these steps for each node you want to add.
Step 4. Test your cluster
CockroachDB replicates and distributes data for you behind the scenes and uses a gossip protocol to enable each node to locate data across the cluster.
To test this, use the built-in SQL client locally as follows:
On your local machine, launch the built-in SQL client with the --host flag set to the address of node 1 and security flags pointing to the CA cert and the client cert and key:
$ cockroach sql \
--certs-dir=certs \
--host=<node1 address>
Create a securenodetest database:
> CREATE DATABASE securenodetest;
Use CTRL-D, CTRL-C, or \q to exit the SQL shell.
Launch the built-in SQL client with the --host flag set to the address of node 2 and security flags pointing to the CA cert and the client cert and key:
$ cockroach sql \
--certs-dir=certs \
--host=<node2 address>
View the cluster's databases, which will include securenodetest:
> SHOW DATABASES;
+--------------------+
|      Database      |
+--------------------+
| crdb_internal      |
| information_schema |
| securenodetest     |
| pg_catalog         |
| system             |
+--------------------+
(5 rows)
Use CTRL-D, CTRL-C, or \q to exit the SQL shell.
Step 5. Set up HAProxy load balancers
Each CockroachDB node is an equally suitable SQL gateway to your cluster, but to ensure client performance and reliability, it's important to use load balancing:
- Performance: Load balancers spread client traffic across nodes. This prevents any one node from being overwhelmed by requests and improves overall cluster performance (queries per second).
- Reliability: Load balancers decouple client health from the health of a single CockroachDB node. In cases where a node fails, the load balancer redirects client traffic to available nodes.
Tip: With a single load balancer, client connections are resilient to node failure, but the load balancer itself is a point of failure. It's therefore best to make load balancing resilient as well by using multiple load balancing instances, with a mechanism like floating IPs or DNS to select load balancers for clients.
HAProxy is one of the most popular open-source TCP load balancers, and CockroachDB includes a built-in command for generating a configuration file that is preset to work with your running cluster, so we feature that tool here.
On your local machine, run the cockroach gen haproxy command with the --host flag set to the address of any node and security flags pointing to the CA cert and the client cert and key:
$ cockroach gen haproxy \
--certs-dir=certs \
--host=<address of any node> \
--port=26257
By default, the generated configuration file is called haproxy.cfg and looks as follows, with the server addresses pre-populated correctly:
global
  maxconn 4096

defaults
    mode                tcp
    timeout connect     10s
    timeout client      1m
    timeout server      1m

listen psql
    bind :26257
    mode tcp
    balance roundrobin
    server cockroach1 <node1 address>:26257
    server cockroach2 <node2 address>:26257
    server cockroach3 <node3 address>:26257
The file is preset with the minimal configurations needed to work with your running cluster:
- timeout connect, timeout client, timeout server: Timeout values that should be suitable for most deployments.
- bind: The port that HAProxy listens on. This is the port clients will connect to and thus needs to be allowed by your network configuration. This tutorial assumes HAProxy is running on a separate machine from CockroachDB nodes. If you run HAProxy on the same machine as a node (not recommended), you'll need to change this port, as 26257 is also used for inter-node communication.
- balance: The balancing algorithm. This is set to roundrobin to ensure that connections get rotated amongst nodes (connection 1 on node 1, connection 2 on node 2, etc.). Check the HAProxy Configuration Manual for details about this and other balancing algorithms.
- server: For each node in the cluster, this field specifies the interface that the node listens on, i.e., the address passed in the --host flag on node startup.
Note: For full details on these and other configuration settings, see the HAProxy Configuration Manual.
Upload the haproxy.cfg file to the machine where you want to run HAProxy:
$ scp haproxy.cfg <username>@<haproxy address>:~/
SSH to the machine where you want to run HAProxy.
Install HAProxy:
$ sudo apt-get install haproxy
Start HAProxy, with the -f flag pointing to the haproxy.cfg file:
$ haproxy -f haproxy.cfg
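If you want to verify the configuration before (re)starting HAProxy, the -c flag checks the file for syntax errors without starting the proxy:
$ haproxy -f haproxy.cfg -c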
Repeat these steps for each additional instance of HAProxy you want to run.
Step 6. Test load balancing
Now that HAProxy is running, it can serve as the client gateway to the cluster. Instead of connecting directly to a CockroachDB node, clients can connect to an HAProxy server, which then redirects the connection to a CockroachDB node.
To test this, use the built-in SQL client locally as follows:
On your local machine, launch the built-in SQL client with the --host flag set to the address of any HAProxy server and security flags pointing to the CA cert and the client cert and key:
$ cockroach sql \
--certs-dir=certs \
--host=<haproxy address>
View the cluster's databases:
> SHOW DATABASES;
+--------------------+
|      Database      |
+--------------------+
| crdb_internal      |
| information_schema |
| securenodetest     |
| pg_catalog         |
| system             |
+--------------------+
(5 rows)
As you can see, HAProxy redirected the query to one of the CockroachDB nodes.
Check which node you were redirected to:
> SELECT node_id FROM crdb_internal.node_build_info LIMIT 1;
+---------+
| node_id |
+---------+
|       3 |
+---------+
(1 row)
Use CTRL-D, CTRL-C, or \q to exit the SQL shell.
Step 7. Configure replication
In CockroachDB, you use replication zones to control the number and location of replicas for specific sets of data. Initially, there is a single, default replication zone for the entire cluster. You can adjust this default zone as well as add zones for individual databases and tables as needed.
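As a sketch of inspecting the current settings from your local machine (assuming the cockroach zone commands available in this release; point --host at any node or an HAProxy instance):
# List existing replication zones:
$ cockroach zone ls \
--certs-dir=certs \
--host=<node1 address>

# View the default zone's configuration:
$ cockroach zone get .default \
--certs-dir=certs \
--host=<node1 address>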
For more information, see Configure Replication Zones.
Step 8. Use the cluster
Now that your deployment is working, you can:
- Implement your data model.
- Create users and grant them privileges.
- Connect your application. Be sure to connect your application to the HAProxy server, not to a CockroachDB node; see the example connection URL below.
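For example, a PostgreSQL-style connection URL pointed at HAProxy might look like the following (a sketch; the database name and certificate paths come from this tutorial, and the exact SSL parameter names vary by driver):
postgresql://root@<haproxy address>:26257/securenodetest?sslmode=verify-full&sslrootcert=certs/ca.crt&sslcert=certs/client.root.crt&sslkey=certs/client.root.key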
Step 9. Monitor the cluster
View your cluster's Admin UI by going to https://<any node's address>:8080.
On this page, verify that the cluster is running as expected:
Click View nodes list on the right to ensure that all of your nodes successfully joined the cluster.
Also check the Replicas column. If you have nodes with 0 replicas, it's possible you didn't properly set the --host flag. This prevents the node from receiving replicas and working as part of the cluster.
Click the Databases tab on the left to verify that securenodetest is listed.
See Also
- Cloud Deployment
- Orchestration
- Monitoring
- Start a Local Cluster
- Run CockroachDB in a VirtualBox VM (community-supported)