This page shows you how to manually deploy an insecure multi-node CockroachDB cluster on Google Cloud Platform's Compute Engine (GCE), using Google's TCP Proxy Load Balancing service to distribute client traffic.
Requirements
You must have SSH access to each machine. This is necessary for distributing and starting CockroachDB binaries.
Your network configuration must allow TCP communication on the following ports:
26257
for intra-cluster and client-cluster communication8080
to expose your Admin UI
Recommendations
If you plan to use CockroachDB in production, carefully review the Production Checklist.
Consider using a secure cluster instead. Using an insecure cluster comes with risks:
- Your cluster is open to any client that can access any node's IP addresses.
- Any user, even
root
, can log in without providing a password. - Any user, connecting as
root
, can read or write any data in your cluster. - There is no network encryption or authentication, and thus no confidentiality.
Decide how you want to access your Admin UI:
Access Level Description Partially open Set a firewall rule to allow only specific IP addresses to communicate on port 8080
.Completely open Set a firewall rule to allow all IP addresses to communicate on port 8080
.Completely closed Set a firewall rule to disallow all communication on port 8080
. In this case, a machine with SSH access to a node could use an SSH tunnel to access the Admin UI.
Step 1. Configure your network
CockroachDB requires TCP communication on two ports:
- 26257 (
tcp:26257
) for inter-node communication (i.e., working as a cluster) - 8080 (
tcp:8080
) for exposing your Admin UI
Inter-node communication works by default using your GCE instances' internal IP addresses, which allow communication with other instances on CockroachDB's default port 26257
. However, to expose your admin UI and allow traffic from the TCP proxy load balancer and health checker to your instances, you need to create firewall rules for your project.
Creating Firewall Rules
When creating firewall rules, we recommend using Google Cloud Platform's tag feature, which lets you specify that you want to apply the rule only to instance that include the same tag.
Admin UI
Field | Recommended Value |
---|---|
Name | cockroachadmin |
Source filter | IP ranges |
Source IP ranges | Your local network's IP ranges |
Allowed protocols... | tcp:8080 |
Target tags | cockroachdb |
Application Data
Applications will not connect directly to your CockroachDB nodes. Instead, they'll connect to GCE's TCP Proxy Load Balancing service, which automatically routes traffic to the instances that are closest to the user. Because this service is implemented at the edge of the Google Cloud, you'll need to create a firewall rule to allow traffic from the load balancer and health checker to your instances. This is covered in Step 4.
Step 2. Create instances
Create an instance for each node you plan to have in your cluster.
Run at least 3 nodes to ensure survivability.
Use
n1-standard
orn1-highcpu
predefined VMs, or custom VMs, with Local SSDs or SSD persistent disks. For example, Cockroach Labs has used custom VMs (8 vCPUs and 16 GiB of RAM per VM) for internal testing.Do not use
f1
org1
shared-core machines, which limit the load on a single core.If you used a tag for your firewall rules, when you create the instance, select Management, disk, networking, SSH keys. Then on the Networking tab, in the Network tags field, enter cockroachdb.
For more details, see Hardware Recommendations and Cluster Topology.
Step 3. Synchronize clocks
CockroachDB requires moderate levels of clock synchronization to preserve data consistency. For this reason, when a node detects that its clock is out of sync with at least half of the other nodes in the cluster by 80% of the maximum offset allowed (500ms by default), it spontaneously shuts down. This avoids the risk of consistency anomalies, but it's best to prevent clocks from drifting too far in the first place by running clock synchronization software on each node.
Compute Engine instances are preconfigured to use NTP, which should keep offsets in the single-digit milliseconds. However, Google can’t predict how external NTP services, such as pool.ntp.org
, will handle the leap second. Therefore, you should:
- Configure each GCE instances to use Google's internal NTP service.
- If you plan to run a hybrid cluster across GCE and other cloud providers or environments, configure the non-GCE machines to use Google's external NTP service.
Step 4. Set up TCP Proxy Load Balancing
Each CockroachDB node is an equally suitable SQL gateway to your cluster, but to ensure client performance and reliability, it's important to use load balancing:
Performance: Load balancers spread client traffic across nodes. This prevents any one node from being overwhelmed by requests and improves overall cluster performance (queries per second).
Reliability: Load balancers decouple client health from the health of a single CockroachDB node. In cases where a node fails, the load balancer redirects client traffic to available nodes.
GCE offers fully-managed TCP Proxy Load Balancing. This service lets you use a single IP address for all users around the world, automatically routing traffic to the instances that are closest to the user.
To use GCE's TCP Proxy Load Balancing service:
- For each zone in which you're running an instance, create a distinct instance group.
- To ensure that the load balancer knows where to direct traffic, specify a port name mapping, with
tcp26257
as the Port name and26257
as the Port number.
- To ensure that the load balancer knows where to direct traffic, specify a port name mapping, with
- Add the relevant instances to each instance group.
- Configure Proxy Load Balancing.
- During backend configuration, create a health check, setting the Protocol to
HTTP
, the Port to8080
, and the Request path to/health
. If you want to maintain long-lived SQL connections that may be idle for more than tens of seconds, increase the backend timeout setting accordingly. - During frontend configuration, reserve a static IP address and choose a port. Note this address/port combination, as you'll use it for all of you client connections.
- During backend configuration, create a health check, setting the Protocol to
- Create a firewall rule to allow traffic from the load balancer and health checker to your instances. This is necessary because TCP Proxy Load Balancing is implemented at the edge of the Google Cloud.
- Be sure to set Source IP ranges to
130.211.0.0/22
and35.191.0.0/16
and set Target tags tocockroachdb
(not to the value specified in the linked instructions).
- Be sure to set Source IP ranges to
Step 5. Start nodes
You can start the nodes manually or automate the process using systemd.
For each initial node of your cluster, complete the following steps:
SSH to the machine where you want the node to run.
Download the CockroachDB archive for Linux, and extract the binary:
$ curl https://binaries.cockroachdb.com/cockroach-v1.1.9.linux-amd64.tgz \ | tar -xz
Copy the binary into the
PATH
:$ cp -i cockroach-v1.1.9.linux-amd64/cockroach /usr/local/bin/
If you get a permissions error, prefix the command with
sudo
.Run the
cockroach start
command:$ cockroach start --insecure \ --host=<node1 address> \ --locality=<key-value pairs> \ --cache=.25 \ --max-sql-memory=.25 \ --join=<node1 address>:26257,<node2 address>:26257,<node3 address>:26257 \ --background
This command primes the node to start, using the following flags:
Flag Description --insecure
Indicates that the cluster is insecure, with no network encryption or authentication. --host
Specifies the hostname or IP address to listen on for intra-cluster and client communication, as well as to identify the node in the Admin UI. If it is a hostname, it must be resolvable from all nodes, and if it is an IP address, it must be routable from all nodes.
If you want the node to listen on multiple interfaces, leave--host
out.
If you want the node to communicate with other nodes on an internal address (e.g., within a private network) while listening on all interfaces, leave--host
out and set the--advertise-host
flag to the internal address.--locality
Key-value pairs that describe the location of the node, e.g., country, region, datacenter, rack, etc. It is recommended to set --locality
when deploying across multiple datacenters or when there is otherwise high latency between nodes. It is also required to use certain enterprise features. For more details, see Locality.--cache
--max-sql-memory
Increases the node's cache and temporary SQL memory size to 25% of available system memory to improve read performance and increase capacity for in-memory SQL processing (see Recommended Production Settings for more details). --join
Identifies the address and port of 3-5 of the initial nodes of the cluster. --background
Starts the node in the background so you gain control of the terminal to issue more commands. For other flags not explicitly set, the command uses default values. For example, the node stores data in
--store=cockroach-data
, binds internal and client communication to--port=26257
, and binds Admin UI HTTP requests to--http-port=8080
. To set these options manually, see Start a Node.Repeat these steps for each additional node that you want in your cluster.
For each initial node of your cluster, complete the following steps:
SSH to the machine where you want the node to run. Ensure you are logged in as the
root
user.Download the CockroachDB archive for Linux, and extract the binary:
$ curl https://binaries.cockroachdb.com/cockroach-v1.1.9.linux-amd64.tgz \ | tar -xz
Copy the binary into the
PATH
:$ cp -i cockroach-v1.1.9.linux-amd64/cockroach /usr/local/bin/
If you get a permissions error, prefix the command with
sudo
.Create the Cockroach directory:
$ mkdir /var/lib/cockroach
Create a Unix user named
cockroach
:$ useradd cockroach
Change the ownership of
Cockroach
directory to the usercockroach
:$ chown cockroach /var/lib/cockroach
Download the sample configuration template:
$ wget -qO- https://raw.githubusercontent.com/cockroachdb/docs/master/_includes/v1.1/prod-deployment/insecurecockroachdb.service
Alternatively, you can create the file yourself and copy the script into it:
[Unit] Description=Cockroach Database cluster node Requires=network.target [Service] Type=notify WorkingDirectory=/var/lib/cockroach ExecStart=/usr/local/bin/cockroach start --insecure --join=<node1 address>:26257,<node2 address>:26257,<node3 address>:26257 --cache=.25 --max-sql-memory=.25 TimeoutStopSec=60 Restart=always RestartSec=10 StandardOutput=syslog StandardError=syslog SyslogIdentifier=cockroach User=cockroach [Install] WantedBy=default.target
Save the file in the
/etc/systemd/system/
directoryCustomize the sample configuration template for your deployment:
Specify values for the following flags in the sample configuration template:
Flag Description --join
Identifies the address and port of 3-5 of the initial nodes of the cluster. --host
Specifies the hostname or IP address to listen on for intra-cluster and client communication, as well as to identify the node in the Admin UI. If it is a hostname, it must be resolvable from all nodes, and if it is an IP address, it must be routable from all nodes.
If you want the node to listen on multiple interfaces, leave--host
empty.
If you want the node to communicate with other nodes on an internal address (e.g., within a private network) while listening on all interfaces, leave--host
empty and set the--advertise-host
flag to the internal address.Start the CockroachDB cluster:
$ systemctl start insecurecockroachdb
Repeat these steps for each additional node that you want in your cluster.
systemd
handles node restarts in case of node failure. To stop a node without systemd
restarting it, run systemctl stop insecurecockroachdb
Step 6. Initialize the cluster
On your local machine, complete the node startup process and have them join together as a cluster:
Install CockroachDB on your local machine, if you haven't already.
Run the
cockroach init
command, with the--host
flag set to the address of any node:$ cockroach init --insecure --host=<address of any node>
Each node then prints helpful details to the standard output, such as the CockroachDB version, the URL for the admin UI, and the SQL URL for clients.
Step 7. Test the cluster
CockroachDB replicates and distributes data for you behind-the-scenes and uses a Gossip protocol to enable each node to locate data across the cluster.
To test this, use the built-in SQL client locally as follows:
On your local machine, launch the built-in SQL client, with the
--host
flag set to the address of any node:$ cockroach sql --insecure --host=<address of any node>
Create an
insecurenodetest
database:> CREATE DATABASE insecurenodetest;
Use
\q
orctrl-d
to exit the SQL shell.Launch the built-in SQL client, with the
--host
flag set to the address of a different node:$ cockroach sql --insecure --host=<address of different node>
View the cluster's databases, which will include
insecurenodetest
:> SHOW DATABASES;
+--------------------+ | Database | +--------------------+ | crdb_internal | | information_schema | | insecurenodetest | | pg_catalog | | system | +--------------------+ (5 rows)
Use
\q
orctrl-d
to exit the SQL shell.
Step 8. Set up monitoring and alerting
Despite CockroachDB's various built-in safeguards against failure, it is critical to actively monitor the overall health and performance of a cluster running in production and to create alerting rules that promptly send notifications when there are events that require investigation or intervention.
For details about available monitoring options and the most important events and metrics to alert on, see Monitoring and Alerting.
Step 9. Scale the cluster
You can start the nodes manually or automate the process using systemd.
For each additional node you want to add to the cluster, complete the following steps:
SSH to the machine where you want the node to run.
Download the CockroachDB archive for Linux, and extract the binary:
$ curl https://binaries.cockroachdb.com/cockroach-v1.1.9.linux-amd64.tgz \ | tar -xz
Copy the binary into the
PATH
:$ cp -i cockroach-v1.1.9.linux-amd64/cockroach /usr/local/bin/
If you get a permissions error, prefix the command with
sudo
.Run the
cockroach start
command just like you did for the initial nodes:$ cockroach start --insecure \ --host=<node4 address> \ --locality=<key-value pairs> \ --cache=.25 \ --max-sql-memory=.25 \ --join=<node1 address>:26257,<node2 address>:26257,<node3 address>:26257 \ --background
Update your load balancer to recognize the new node.
For each additional node you want to add to the cluster, complete the following steps:
SSH to the machine where you want the node to run. Ensure you are logged in as the
root
user.Download the CockroachDB archive for Linux, and extract the binary:
$ curl https://binaries.cockroachdb.com/cockroach-v1.1.9.linux-amd64.tgz \ | tar -xz
Copy the binary into the
PATH
:$ cp -i cockroach-v1.1.9.linux-amd64/cockroach /usr/local/bin/
If you get a permissions error, prefix the command with
sudo
.Create the Cockroach directory:
$ mkdir /var/lib/cockroach
Create a Unix user named
cockroach
:$ useradd cockroach
Change the ownership of
Cockroach
directory to the usercockroach
:$ chown cockroach /var/lib/cockroach
Download the sample configuration template:
$ wget -qO- https://raw.githubusercontent.com/cockroachdb/docs/master/_includes/v1.1/prod-deployment/insecurecockroachdb.service
Alternatively, you can create the file yourself and copy the script into it:
[Unit] Description=Cockroach Database cluster node Requires=network.target [Service] Type=notify WorkingDirectory=/var/lib/cockroach ExecStart=/usr/local/bin/cockroach start --insecure --join=<node1 address>:26257,<node2 address>:26257,<node3 address>:26257 --cache=.25 --max-sql-memory=.25 TimeoutStopSec=60 Restart=always RestartSec=10 StandardOutput=syslog StandardError=syslog SyslogIdentifier=cockroach User=cockroach [Install] WantedBy=default.target
Save the file in the
/etc/systemd/system/
directoryCustomize the sample configuration template for your deployment:
Specify values for the following flags in the sample configuration template:
Flag Description --host
Specifies the hostname or IP address to listen on for intra-cluster and client communication, as well as to identify the node in the Admin UI. If it is a hostname, it must be resolvable from all nodes, and if it is an IP address, it must be routable from all nodes.
If you want the node to listen on multiple interfaces, leave--host
empty.
If you want the node to communicate with other nodes on an internal address (e.g., within a private network) while listening on all interfaces, leave--host
empty and set the--advertise-host
flag to the internal address.--join
Identifies the address and port of 3-5 of the initial nodes of the cluster. Repeat these steps for each additional node that you want in your cluster.
Step 10. Use the cluster
Now that your deployment is working, you can:
- Implement your data model.
- Create users and grant them privileges.
- Connect your application. Be sure to connect your application to the GCE load balancer, not to a CockroachDB node.