Deploy CockroachDB On-Premises (Insecure)

On this page Carat arrow pointing down
Warning:
As of April 12, 2019, CockroachDB v1.1 is no longer supported. For more details, refer to the Release Support Policy.

This tutorial shows you how to manually deploy an insecure multi-node CockroachDB cluster on multiple machines, using HAProxy load balancers to distribute client traffic.

Warning:
If you plan to use CockroachDB in production, we strongly recommend using a secure cluster instead. Select Secure above for instructions.

Requirements

  • You must have SSH access to each machine. This is necessary for distributing and starting CockroachDB binaries.

  • Your network configuration must allow TCP communication on the following ports:

    • 26257 for intra-cluster and client-cluster communication
    • 8080 to expose your Admin UI

Recommendations

  • If you plan to use CockroachDB in production, carefully review the Production Checklist.

  • Consider using a secure cluster instead. Using an insecure cluster comes with risks:

    • Your cluster is open to any client that can access any node's IP addresses.
    • Any user, even root, can log in without providing a password.
    • Any user, connecting as root, can read or write any data in your cluster.
    • There is no network encryption or authentication, and thus no confidentiality.
  • Decide how you want to access your Admin UI:

    Access Level Description
    Partially open Set a firewall rule to allow only specific IP addresses to communicate on port 8080.
    Completely open Set a firewall rule to allow all IP addresses to communicate on port 8080.
    Completely closed Set a firewall rule to disallow all communication on port 8080. In this case, a machine with SSH access to a node could use an SSH tunnel to access the Admin UI.

Step 1. Synchronize clocks

CockroachDB requires moderate levels of clock synchronization to preserve data consistency. For this reason, when a node detects that its clock is out of sync with at least half of the other nodes in the cluster by 80% of the maximum offset allowed (500ms by default), it spontaneously shuts down. This avoids the risk of consistency anomalies, but it's best to prevent clocks from drifting too far in the first place by running clock synchronization software on each node.

ntpd should keep offsets in the single-digit milliseconds, so that software is featured here, but other methods of clock synchronization are suitable as well.

  1. SSH to the first machine.

  2. Disable timesyncd, which tends to be active by default on some Linux distributions:

    icon/buttons/copy
    $ sudo timedatectl set-ntp no
    

    Verify that timesyncd is off:

    icon/buttons/copy
    $ timedatectl
    

    Look for Network time on: no or NTP enabled: no in the output.

  3. Install the ntp package:

    icon/buttons/copy
    $ sudo apt-get install ntp
    
  4. Stop the NTP daemon:

    icon/buttons/copy
    $ sudo service ntp stop
    
  5. Sync the machine's clock with Google's NTP service:

    icon/buttons/copy
    $ sudo ntpd -b time.google.com
    

    To make this change permanent, in the /etc/ntp.conf file, remove or comment out any lines starting with server or pool and add the following lines:

    icon/buttons/copy
    server time1.google.com iburst
    server time2.google.com iburst
    server time3.google.com iburst
    server time4.google.com iburst
    

    Restart the NTP daemon:

    icon/buttons/copy
    $ sudo service ntp start
    
    Note:
    We recommend Google's external NTP service because they handle "smearing" the leap second. If you use a different NTP service that doesn't smear the leap second, you must configure client-side smearing manually and do so in the same way on each machine.
  6. Verify that the machine is using a Google NTP server:

    icon/buttons/copy
    $ sudo ntpq -p
    

    The active NTP server will be marked with an asterisk.

  7. Repeat these steps for each machine where a CockroachDB node will run.

Step 2. Start nodes

You can start the nodes manually or automate the process using systemd.

For each initial node of your cluster, complete the following steps:

Note:
After completing these steps, nodes will not yet be live. They will complete the startup process and join together to form a cluster as soon as the cluster is initialized in the next step.
  1. SSH to the machine where you want the node to run.

  2. Download the CockroachDB archive for Linux, and extract the binary:

    icon/buttons/copy
    $ curl https://binaries.cockroachdb.com/cockroach-v1.1.9.linux-amd64.tgz \
    | tar -xz
    
  3. Copy the binary into the PATH:

    icon/buttons/copy
    $ cp -i cockroach-v1.1.9.linux-amd64/cockroach /usr/local/bin/
    

    If you get a permissions error, prefix the command with sudo.

  4. Run the cockroach start command:

    icon/buttons/copy
    $ cockroach start --insecure \
    --host=<node1 address> \
    --locality=<key-value pairs> \
    --cache=.25 \
    --max-sql-memory=.25 \
    --join=<node1 address>:26257,<node2 address>:26257,<node3 address>:26257 \
    --background
    

    This command primes the node to start, using the following flags:

    Flag Description
    --insecure Indicates that the cluster is insecure, with no network encryption or authentication.
    --host Specifies the hostname or IP address to listen on for intra-cluster and client communication, as well as to identify the node in the Admin UI. If it is a hostname, it must be resolvable from all nodes, and if it is an IP address, it must be routable from all nodes.

    If you want the node to listen on multiple interfaces, leave --host out.

    If you want the node to communicate with other nodes on an internal address (e.g., within a private network) while listening on all interfaces, leave --host out and set the --advertise-host flag to the internal address.
    --locality Key-value pairs that describe the location of the node, e.g., country, region, datacenter, rack, etc. It is recommended to set --locality when deploying across multiple datacenters or when there is otherwise high latency between nodes. It is also required to use certain enterprise features. For more details, see Locality.
    --cache
    --max-sql-memory
    Increases the node's cache and temporary SQL memory size to 25% of available system memory to improve read performance and increase capacity for in-memory SQL processing (see Recommended Production Settings for more details).
    --join Identifies the address and port of 3-5 of the initial nodes of the cluster.
    --background Starts the node in the background so you gain control of the terminal to issue more commands.

    For other flags not explicitly set, the command uses default values. For example, the node stores data in --store=cockroach-data, binds internal and client communication to --port=26257, and binds Admin UI HTTP requests to --http-port=8080. To set these options manually, see Start a Node.

  5. Repeat these steps for each additional node that you want in your cluster.

For each initial node of your cluster, complete the following steps:

Note:
After completing these steps, nodes will not yet be live. They will complete the startup process and join together to form a cluster as soon as the cluster is initialized in the next step.
  1. SSH to the machine where you want the node to run. Ensure you are logged in as the root user.

  2. Download the CockroachDB archive for Linux, and extract the binary:

    icon/buttons/copy
    $ curl https://binaries.cockroachdb.com/cockroach-v1.1.9.linux-amd64.tgz \
    | tar -xz
    
  3. Copy the binary into the PATH:

    icon/buttons/copy
    $ cp -i cockroach-v1.1.9.linux-amd64/cockroach /usr/local/bin/
    

    If you get a permissions error, prefix the command with sudo.

  4. Create the Cockroach directory:

    icon/buttons/copy
    $ mkdir /var/lib/cockroach
    
  5. Create a Unix user named cockroach:

    icon/buttons/copy
    $ useradd cockroach
    
  6. Change the ownership of Cockroach directory to the user cockroach:

    icon/buttons/copy
    $ chown cockroach /var/lib/cockroach
    
  7. Download the sample configuration template:

    icon/buttons/copy
    $ wget -qO- https://raw.githubusercontent.com/cockroachdb/docs/master/_includes/v1.1/prod-deployment/insecurecockroachdb.service
    

    Alternatively, you can create the file yourself and copy the script into it:

    icon/buttons/copy
    [Unit]
    Description=Cockroach Database cluster node
    Requires=network.target
    [Service]
    Type=notify
    WorkingDirectory=/var/lib/cockroach
    ExecStart=/usr/local/bin/cockroach start --insecure --join=<node1 address>:26257,<node2 address>:26257,<node3 address>:26257 --cache=.25 --max-sql-memory=.25
    TimeoutStopSec=60
    Restart=always
    RestartSec=10
    StandardOutput=syslog
    StandardError=syslog
    SyslogIdentifier=cockroach
    User=cockroach
    [Install]
    WantedBy=default.target
    
    

    Save the file in the /etc/systemd/system/ directory

  8. Customize the sample configuration template for your deployment:

    Specify values for the following flags in the sample configuration template:

    Flag Description
    --join Identifies the address and port of 3-5 of the initial nodes of the cluster.
    --host Specifies the hostname or IP address to listen on for intra-cluster and client communication, as well as to identify the node in the Admin UI. If it is a hostname, it must be resolvable from all nodes, and if it is an IP address, it must be routable from all nodes.

    If you want the node to listen on multiple interfaces, leave --host empty.

    If you want the node to communicate with other nodes on an internal address (e.g., within a private network) while listening on all interfaces, leave --host empty and set the --advertise-host flag to the internal address.
  9. Start the CockroachDB cluster:

    icon/buttons/copy
    $ systemctl start insecurecockroachdb
    
  10. Repeat these steps for each additional node that you want in your cluster.

Note:

systemd handles node restarts in case of node failure. To stop a node without systemd restarting it, run systemctl stop insecurecockroachdb

Step 3. Initialize the cluster

On your local machine, complete the node startup process and have them join together as a cluster:

  1. Install CockroachDB on your local machine, if you haven't already.

  2. Run the cockroach init command, with the --host flag set to the address of any node:

    icon/buttons/copy
    $ cockroach init --insecure --host=<address of any node>
    

    Each node then prints helpful details to the standard output, such as the CockroachDB version, the URL for the admin UI, and the SQL URL for clients.

Step 4. Test the cluster

CockroachDB replicates and distributes data for you behind-the-scenes and uses a Gossip protocol to enable each node to locate data across the cluster.

To test this, use the built-in SQL client locally as follows:

  1. On your local machine, launch the built-in SQL client, with the --host flag set to the address of any node:

    icon/buttons/copy
    $ cockroach sql --insecure --host=<address of any node>
    
  2. Create an insecurenodetest database:

    icon/buttons/copy
    > CREATE DATABASE insecurenodetest;
    
  3. Use \q or ctrl-d to exit the SQL shell.

  4. Launch the built-in SQL client, with the --host flag set to the address of a different node:

    icon/buttons/copy
    $ cockroach sql --insecure --host=<address of different node>
    
  5. View the cluster's databases, which will include insecurenodetest:

    icon/buttons/copy
    > SHOW DATABASES;
    
    +--------------------+
    |      Database      |
    +--------------------+
    | crdb_internal      |
    | information_schema |
    | insecurenodetest   |
    | pg_catalog         |
    | system             |
    +--------------------+
    (5 rows)
    
  6. Use \q or ctrl-d to exit the SQL shell.

Step 5. Set up HAProxy load balancers

Each CockroachDB node is an equally suitable SQL gateway to your cluster, but to ensure client performance and reliability, it's important to use load balancing:

  • Performance: Load balancers spread client traffic across nodes. This prevents any one node from being overwhelmed by requests and improves overall cluster performance (queries per second).

  • Reliability: Load balancers decouple client health from the health of a single CockroachDB node. In cases where a node fails, the load balancer redirects client traffic to available nodes.

    Tip:
    With a single load balancer, client connections are resilient to node failure, but the load balancer itself is a point of failure. It's therefore best to make load balancing resilient as well by using multiple load balancing instances, with a mechanism like floating IPs or DNS to select load balancers for clients.

HAProxy is one of the most popular open-source TCP load balancers, and CockroachDB includes a built-in command for generating a configuration file that is preset to work with your running cluster, so we feature that tool here.

  1. SSH to the machine where you want to run HAProxy.

  2. Install HAProxy:

    icon/buttons/copy
    $ apt-get install haproxy
    
  3. Download the CockroachDB archive for Linux, and extract the binary:

    icon/buttons/copy
    $ curl https://binaries.cockroachdb.com/cockroach-v1.1.9.linux-amd64.tgz \
    | tar -xz
    
  4. Copy the binary into the PATH:

    icon/buttons/copy
    $ cp -i cockroach-v1.1.9.linux-amd64/cockroach /usr/local/bin/
    

    If you get a permissions error, prefix the command with sudo.

  5. Run the cockroach gen haproxy command, specifying the address of any CockroachDB node:

    icon/buttons/copy
      $ cockroach gen haproxy --insecure \
      --host=<address of any node> \
      --port=26257 \
    

    By default, the generated configuration file is called haproxy.cfg and looks as follows, with the server addresses pre-populated correctly:

    global
      maxconn 4096
    
    defaults
        mode                tcp
        # Timeout values should be configured for your specific use.
        # See: https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-timeout%20connect
        timeout connect     10s
        timeout client      1m
        timeout server      1m
        # TCP keep-alive on client side. Server already enables them.
        option              clitcpka
    
    listen psql
        bind :26257
        mode tcp
        balance roundrobin
        server cockroach1 <node1 address>:26257 check
        server cockroach2 <node2 address>:26258 check
        server cockroach3 <node3 address>:26259 check
    

    The file is preset with the minimal configurations needed to work with your running cluster:

    Field Description
    timout connect
    timeout client
    timeout server
    Timeout values that should be suitable for most deployments.
    bind The port that HAProxy listens on. This is the port clients will connect to and thus needs to be allowed by your network configuration.

    This tutorial assumes HAProxy is running on a separate machine from CockroachDB nodes. If you run HAProxy on the same machine as a node (not recommended), you'll need to change this port, as 26257 is also used for inter-node communication.
    balance The balancing algorithm. This is set to roundrobin to ensure that connections get rotated amongst nodes (connection 1 on node 1, connection 2 on node 2, etc.). Check the HAProxy Configuration Manual for details about this and other balancing algorithms.
    server For each node in the cluster, this field specifies the interface that the node listens on, i.e., the address passed in the --host flag on node startup. check specifies that HAProxy will confirm that a connection can be established before sending data to a node.
    Note:
    For full details on these and other configuration settings, see the HAProxy Configuration Manual.
  6. Start HAProxy, with the -f flag pointing to the haproxy.cfg file:

    icon/buttons/copy
    $ haproxy -f haproxy.cfg
    
  7. Repeat these steps for each additional instance of HAProxy you want to run.

Step 6. Set up monitoring and alerting

Despite CockroachDB's various built-in safeguards against failure, it is critical to actively monitor the overall health and performance of a cluster running in production and to create alerting rules that promptly send notifications when there are events that require investigation or intervention.

For details about available monitoring options and the most important events and metrics to alert on, see Monitoring and Alerting.

Step 7. Scale the cluster

You can start the nodes manually or automate the process using systemd.

For each additional node you want to add to the cluster, complete the following steps:

  1. SSH to the machine where you want the node to run.

  2. Download the CockroachDB archive for Linux, and extract the binary:

    icon/buttons/copy
    $ curl https://binaries.cockroachdb.com/cockroach-v1.1.9.linux-amd64.tgz \
    | tar -xz
    
  3. Copy the binary into the PATH:

    icon/buttons/copy
    $ cp -i cockroach-v1.1.9.linux-amd64/cockroach /usr/local/bin/
    

    If you get a permissions error, prefix the command with sudo.

  4. Run the cockroach start command just like you did for the initial nodes:

    icon/buttons/copy
    $ cockroach start --insecure \
    --host=<node4 address> \
    --locality=<key-value pairs> \
    --cache=.25 \
    --max-sql-memory=.25 \
    --join=<node1 address>:26257,<node2 address>:26257,<node3 address>:26257 \
    --background
    
  5. Update your load balancer to recognize the new node.

For each additional node you want to add to the cluster, complete the following steps:

  1. SSH to the machine where you want the node to run. Ensure you are logged in as the root user.

  2. Download the CockroachDB archive for Linux, and extract the binary:

    icon/buttons/copy
    $ curl https://binaries.cockroachdb.com/cockroach-v1.1.9.linux-amd64.tgz \
    | tar -xz
    
  3. Copy the binary into the PATH:

    icon/buttons/copy
    $ cp -i cockroach-v1.1.9.linux-amd64/cockroach /usr/local/bin/
    

    If you get a permissions error, prefix the command with sudo.

  4. Create the Cockroach directory:

    icon/buttons/copy
    $ mkdir /var/lib/cockroach
    
  5. Create a Unix user named cockroach:

    icon/buttons/copy
    $ useradd cockroach
    
  6. Change the ownership of Cockroach directory to the user cockroach:

    icon/buttons/copy
    $ chown cockroach /var/lib/cockroach
    
  7. Download the sample configuration template:

    icon/buttons/copy
    $ wget -qO- https://raw.githubusercontent.com/cockroachdb/docs/master/_includes/v1.1/prod-deployment/insecurecockroachdb.service
    

    Alternatively, you can create the file yourself and copy the script into it:

    icon/buttons/copy
    [Unit]
    Description=Cockroach Database cluster node
    Requires=network.target
    [Service]
    Type=notify
    WorkingDirectory=/var/lib/cockroach
    ExecStart=/usr/local/bin/cockroach start --insecure --join=<node1 address>:26257,<node2 address>:26257,<node3 address>:26257 --cache=.25 --max-sql-memory=.25
    TimeoutStopSec=60
    Restart=always
    RestartSec=10
    StandardOutput=syslog
    StandardError=syslog
    SyslogIdentifier=cockroach
    User=cockroach
    [Install]
    WantedBy=default.target
    
    

    Save the file in the /etc/systemd/system/ directory

  8. Customize the sample configuration template for your deployment:

    Specify values for the following flags in the sample configuration template:

    Flag Description
    --host Specifies the hostname or IP address to listen on for intra-cluster and client communication, as well as to identify the node in the Admin UI. If it is a hostname, it must be resolvable from all nodes, and if it is an IP address, it must be routable from all nodes.

    If you want the node to listen on multiple interfaces, leave --host empty.

    If you want the node to communicate with other nodes on an internal address (e.g., within a private network) while listening on all interfaces, leave --host empty and set the --advertise-host flag to the internal address.
    --join Identifies the address and port of 3-5 of the initial nodes of the cluster.
  9. Repeat these steps for each additional node that you want in your cluster.

Step 8. Use the cluster

Now that your deployment is working, you can:

  1. Implement your data model.
  2. Create users and grant them privileges.
  3. Connect your application. Be sure to connect your application to the load balancer, not to a CockroachDB node.

You may also want to adjust the way the cluster replicates data. For example, by default, a multi-node cluster replicates all data 3 times; you can change this replication factor or create additional rules for replicating individual databases and tables differently. For more information, see Configure Replication Zones.

See Also


Yes No
On this page

Yes No