This tutorial shows you how to manually deploy a secure multi-node CockroachDB cluster on multiple machines, using HAProxy load balancers to distribute client traffic.

If you are only testing CockroachDB, or you are not concerned with protecting network communication with TLS encryption, you can use an insecure cluster instead. Select Insecure above for instructions.

Requirements

  • You must have CockroachDB installed locally. This is necessary for generating and managing your deployment’s certificates.
  • You must have SSH access to each machine. This is necessary for distributing binaries and certificates.
  • Your network configuration must allow TCP communication on the following ports:
    • 26257 (tcp:26257) for inter-node communication (i.e., working as a cluster) and for clients to connect to HAProxy
    • 8080 (tcp:8080) to expose your Admin UI

Recommendations

For guidance on cluster topology, clock synchronization, and file descriptor limits, see Recommended Production Settings.

Step 1. Generate certificates

Locally, you’ll need to create the following certificates and keys:

  • A certificate authority (CA) key pair (ca.crt and ca.key)
  • A client key pair for the root user
  • A node key pair for each node, issued to its IP addresses and any common names the machine uses, as well as to the IP addresses and common names for machines running HAProxy.
Before beginning, it's useful to collect each of your machine's internal and external IP addresses, as well as any server names you want to issue certificates for.
  1. Create a certs directory and a safe directory to keep your CA key:

    $ mkdir certs
    $ mkdir my-safe-directory
    
  2. Create the CA key pair:

    $ cockroach cert create-ca \
    --certs-dir=certs \
    --ca-key=my-safe-directory/ca.key
    
  3. Create a client key pair for the root user:

    $ cockroach cert create-client \
    root \
    --certs-dir=certs \
    --ca-key=my-safe-directory/ca.key
    
  4. Create the certificate and key for the first node, issued to all common names you might use to refer to the node as well as to the HAProxy instances:

    $ cockroach cert create-node \
    <node1 internal IP address> \
    <node1 external IP address> \
    <node1 hostname>  \
    <other common names for node1> \
    localhost \
    127.0.0.1 \
    <haproxy internal IP addresses> \
    <haproxy external IP addresses> \
    <haproxy hostnames>  \
    <other common names for haproxy instances> \
    --certs-dir=certs \
    --ca-key=my-safe-directory/ca.key
    
  5. Upload the certificates to first node:

    # Create the certs directory:
    $ ssh <username>@<node1 address> "mkdir certs"
    
    # Upload the CA certificate, client (root) certificate and key, and node certificate and key:
    $ scp certs/ca.crt \
    certs/client.root.crt \
    certs/client.root.key \
    certs/node.crt \
    certs/node.key \
    <username>@<node1 address>:~/certs
    
  6. Create the certificate and key for the second node, using the --overwrite flag to replace the files created for the first node:

    $ cockroach cert create-node --overwrite\
    <node2 internal IP address> \
    <node2 external IP address> \
    <node2 hostname>  \
    <other common names for node1> \
    localhost \
    127.0.0.1 \
    <haproxy internal IP addresses> \
    <haproxy external IP addresses> \
    <haproxy hostnames>  \
    <other common names for haproxy instances> \
    --certs-dir=certs \
    --ca-key=my-safe-directory/ca.key
    
  7. Upload the certificates to the second node:

    # Create the certs directory:
    $ ssh <username>@<node2 address> "mkdir certs"
    
    # Upload the CA certificate, client (root) certificate and key, and node certificate and key:
    $ scp certs/ca.crt \
    certs/client.root.crt \
    certs/client.root.key \
    certs/node.crt \
    certs/node.key \
    <username>@<node2 address>:~/certs
    
  8. Repeat steps 6 and 7 for each additional node.

Step 2. Start the first node

  1. SSH to your first machine.

  2. Install CockroachDB from our latest binary:

    # Get the latest CockroachDB tarball:
    $ wget https://binaries.cockroachdb.com/cockroach-latest.linux-amd64.tgz
    
    # Extract the binary:
    $ tar -xf cockroach-latest.linux-amd64.tgz  \
    --strip=1 cockroach-latest.linux-amd64/cockroach
    
    # Move the binary:
    $ sudo mv cockroach /usr/local/bin
    
  3. Start a new CockroachDB cluster with a single node:

    $ cockroach start --background \
    --certs-dir=certs \
    --host=<node1 address>
    

    This command specifies the location of certificates and the address at which other nodes can reach it. Otherwise, it uses all available defaults. For example, the node stores data in the cockroach-data directory, binds internal and client communication to port 26257, and binds Admin UI HTTP requests to port 8080. To set these options manually, see Start a Node.

Step 3. Add nodes to the cluster

At this point, your cluster is live and operational but contains only a single node. Next, scale your cluster by starting and joining additional nodes.

  1. SSH to another machine.

  2. Install CockroachDB from our latest binary:

    # Get the latest CockroachDB tarball:
    $ wget https://binaries.cockroachdb.com/cockroach-latest.linux-amd64.tgz
    
    # Extract the binary:
    $ tar -xf cockroach-latest.linux-amd64.tgz  \
    --strip=1 cockroach-latest.linux-amd64/cockroach
    
    # Move the binary:
    $ sudo mv cockroach /usr/local/bin
    
  3. Start a new node that joins the cluster using the first node’s address:

    $ cockroach start --background  \
    --certs-dir=certs \
    --host=<node address> \
    --join=<node1 address>:26257
    

    The only difference when adding a node is that you connect it to the cluster with the --join flag, which takes the address and port of the first node. Otherwise, it’s fine to accept all defaults; since each node is on a unique machine, using identical ports won’t cause conflicts.

  4. Repeat these steps for each node you want to add.

Step 4. Test your cluster

CockroachDB replicates and distributes data for you behind-the-scenes and uses a Gossip protocol to enable each node to locate data across the cluster. To test this, use the built-in SQL client as follows:

  1. SSH to your first node.

  2. Launch the built-in SQL client and create a database:

    $ cockroach sql \
    --certs-dir=certs
    
    > CREATE DATABASE securenodetest;
    
  3. In other terminal window, SSH to another node.

  4. Launch the built-in SQL client:

    $ cockroach sql \
    --certs-dir=certs
    
  5. View the cluster’s databases, which will include securenodetest:

    > SHOW DATABASES;
    
    +--------------------+
    |      Database      |
    +--------------------+
    | crdb_internal      |
    | information_schema |
    | securenodetest     |
    | pg_catalog         |
    | system             |
    +--------------------+
    (5 rows)
    
  6. Use CTRL + D, CTRL + C, or \q to exit the SQL shell.

Step 5. Set up HAProxy load balancers

Each CockroachDB node is an equally suitable SQL gateway to your cluster, but to ensure client performance and reliability, it’s important to use TCP load balancing:

  • Performance: Load balancers spread client traffic across nodes. This prevents any one node from being overwhelmed by requests and improves overall cluster performance (queries per second).

  • Reliability: Load balancers decouple client health from the health of a single CockroachDB node. In cases where a node fails, the load balancer redirects client traffic to available nodes.

    With a single load balancer, client connections are resilient to node failure, but the load balancer itself is a point of failure. It's therefore best to make load balancing resilient as well by using multiple load balancing instances, with a mechanism like floating IPs or DNS to select load balancers for clients.

HAProxy is one of the most popular open-source TCP load balancers, and CockroachDB includes a built-in command for generating a configuration file that is preset to work with your running cluster, so we feature that tool here.

  1. SSH to the machine where you want to run HAProxy.

  2. Install HAProxy:

    $ apt-get install haproxy
    
  3. Install CockroachDB from our latest binary:

    # Get the latest CockroachDB tarball.
    $ wget https://binaries.cockroachdb.com/cockroach-latest.linux-amd64.tgz
    
    # Extract the binary.
    $ tar -xf cockroach-latest.linux-amd64.tgz  \
    --strip=1 cockroach-latest.linux-amd64/cockroach
    
    # Move the binary.
    $ sudo mv cockroach /usr/local/bin
    
  4. Run the cockroach gen haproxy command, specifying the address of any instance running a CockroachDB node and security flags pointing to the CA cert and the client cert and key:

    $ cockroach gen haproxy \
    --certs-dir=certs \
    --host=<address of any node> \
    --port=26257
    

    By default, the generated configuration file is called haproxy.cfg and looks as follows, with the server addresses pre-populated correctly:

    global
      maxconn 4096
    
    defaults
        mode                tcp
        timeout connect     10s
        timeout client      1m
        timeout server      1m
    
    listen psql
        bind :26257
        mode tcp
        balance roundrobin
        server cockroach1 <node1 address>:26257
        server cockroach2 <node2 address>:26257
        server cockroach3 <node3 address>:26257
    

    The file is preset with the minimal configurations needed to work with your running cluster:

    Field Description
    timout connect
    timeout client
    timeout server
    Timeout values that should be suitable for most deployments.
    bind The port that HAProxy listens on. This is the port clients will connect to and thus needs to be allowed by your network configuration.

    This tutorial assumes HAProxy is running on a separate machine from CockroachDB nodes. If you run HAProxy on the same machine as a node (not recommended), you’ll need to change this port, as 26257 is also used for inter-node communication.
    balance The balancing algorithm. This is set to roundrobin to ensure that connections get rotated amongst nodes (connection 1 on node 1, connection 2 on node 2, etc.). Check the HAProxy Configuration Manual for details about this and other balancing algorithms.
    server For each node in the cluster, this field specifies the interface that the node listens on, i.e., the address passed in the --host flag on node startup.
    For full details on these and other configuration settings, see the HAProxy Configuration Manual.
  5. Start HAProxy, with the -f flag pointing to the haproxy.cfg file:

    $ haproxy -f haproxy.cfg
    
  6. Repeat these steps for each additional instance of HAProxy you want to run.

Step 6. Test load balancing

Now that HAProxy is running, it can serve as the client gateway to the cluster. Instead of connecting directly to a CockroachDB node, clients can connect to a HAProxy server, which will then redirect the connection to a CockroachDB node.

To test this, use the built-in SQL client locally as follows:

  1. On your local machine, launch the built-in SQL client, with the --host flag set to the address of any HAProxy server and security flags pointing to the CA cert and the client cert and key:

    $ cockroach sql \
    --certs-dir=certs \
    --host=<haproxy address>
    
  2. View the cluster’s databases:

    > SHOW DATABASES;
    
    +--------------------+
    |      Database      |
    +--------------------+
    | crdb_internal      |
    | information_schema |
    | securenodetest     |
    | pg_catalog         |
    | system             |
    +--------------------+
    (5 rows)
    

    As you can see, HAProxy redirected the query to one of the CockroachDB nodes.

  3. Check which node you were redirected to:

    > SELECT node_id FROM crdb_internal.node_build_info LIMIT 1;
    
    +---------+
    | node_id |
    +---------+
    |       3 |
    +---------+
    (1 row)
    
  4. Use CTRL + D, CTRL + C, or \q to exit the SQL shell.

Step 7. Configure replication

In CockroachDB, you use replication zones to control the number and location of replicas for specific sets of data. Initially, there is a single, default replication zone for the entire cluster. You can adjust this default zone as well as add zones for individual databases and tables as needed.

For more information, see Configure Replication Zones.

Step 8. Use the cluster

Now that your deployment is working, you can:

  1. Implement your data model.
  2. Create users and grant them privileges.
  3. Connect your application. Be sure to connect your application to the HAProxy server, not to a CockroachDB node.

Step 9. Monitor the cluster

View your cluster’s Admin UI by going to https://<any node's address>:8080.

On this page, verify that the cluster is running as expected:

  1. Click View nodes list on the right to ensure that all of your nodes successfully joined the cluster.

    Also check the Replicas column. If you have nodes with 0 replicas, it’s possible you didn’t properly set the --host flag. This prevents the node from receiving replicas and working as part of the cluster.

  2. Click the Databases tab on the left to verify that insecurenodetest is listed.

You can also use Prometheus and other third-party, open source tools to monitor and visualize cluster metrics and send notifications based on specified rules. For more details, see Monitor CockroachDB with Prometheus.

See Also



Yes No