Deploy CockroachDB on AWS EC2 (Insecure)

On this page Carat arrow pointing down

This page shows you how to manually deploy an insecure multi-node CockroachDB cluster on Amazon's AWS EC2 platform, using AWS's managed load balancing service to distribute client traffic.

Warning:
If you plan to use CockroachDB in production, we strongly recommend using a secure cluster instead. Select Secure above for instructions.

Before you begin

Requirements

  • You must have SSH access to each machine. This is necessary for distributing and starting CockroachDB binaries.

  • Your network configuration must allow TCP communication on the following ports:

    • 26257 for intra-cluster and client-cluster communication
    • 8080 to expose your Admin UI
  • Carefully review the Production Checklist and recommended Topology Patterns.

  • Run each node on a separate machine. Since CockroachDB replicates across nodes, running more than one node per machine increases the risk of data loss if a machine fails. Likewise, if a machine has multiple disks or SSDs, run one node with multiple --store flags and not one node per disk. For more details about stores, see Start a Node.

  • When starting each node, use the --locality flag to describe the node's location, for example, --locality=region=west,zone=us-west-1. The key-value pairs should be ordered from most to least inclusive, and the keys and order of key-value pairs must be the same on all nodes.

  • When deploying in a single availability zone:

    • To be able to tolerate the failure of any 1 node, use at least 3 nodes with the default 3-way replication factor. In this case, if 1 node fails, each range retains 2 of its 3 replicas, a majority.
    • To be able to tolerate 2 simultaneous node failures, use at least 5 nodes and increase the default replication factor for user data to 5. The replication factor for important internal data is 5 by default, so no adjustments are needed for internal data. In this case, if 2 nodes fail at the same time, each range retains 3 of its 5 replicas, a majority.
  • When deploying across multiple availability zones:

    • To be able to tolerate the failure of 1 entire AZ in a region, use at least 3 AZs per region and set --locality on each node to spread data evenly across regions and AZs. In this case, if 1 AZ goes offline, the 2 remaining AZs retain a majority of replicas.
    • To be able to tolerate the failure of 1 entire region, use at least 3 regions.

Recommendations

  • Consider using a secure cluster instead. Using an insecure cluster comes with risks:

    • Your cluster is open to any client that can access any node's IP addresses.
    • Any user, even root, can log in without providing a password.
    • Any user, connecting as root, can read or write any data in your cluster.
    • There is no network encryption or authentication, and thus no confidentiality.
  • Decide how you want to access your Admin UI:

    Access Level Description
    Partially open Set a firewall rule to allow only specific IP addresses to communicate on port 8080.
    Completely open Set a firewall rule to allow all IP addresses to communicate on port 8080.
    Completely closed Set a firewall rule to disallow all communication on port 8080. In this case, a machine with SSH access to a node could use an SSH tunnel to access the Admin UI.
  • All Amazon EC2 instances running CockroachDB should be members of the same security group.

Step 1. Create instances

Open the Amazon EC2 console and launch an instance for each node you plan to have in your cluster. If you plan to run our sample workload against the cluster, create a separate instance for that workload.

  • Run at least 3 nodes to ensure survivability.

  • Your instances will rely on Amazon Time Sync Service for clock synchronization. When choosing an AMI, note that some machines are preconfigured to use Amazon Time Sync Service (e.g., Amazon Linux AMIs) and others are not.

  • Use m (general purpose), c (compute-optimized), or i (storage-optimized) instance types, with SSD-backed EBS volumes or Instance Store volumes. For example, Cockroach Labs has used c5d.4xlarge (16 vCPUs and 32 GiB of RAM per instance, EBS) for internal testing.

  • Note the ID of the VPC you select. You will need to look up its IP range when setting inbound rules for your security group.

  • Make sure all your instances are in the same security group.

    • If you are creating a new security group, add the inbound rules from the next step. Otherwise note the ID of the security group.

For more details, see Hardware Recommendations and Cluster Topology.

Step 2. Configure your network

CockroachDB requires TCP communication on two ports:

  • 26257 for inter-node communication (i.e., working as a cluster), for applications to connect to the load balancer, and for routing from the load balancer to nodes
  • 8080 for exposing your Admin UI, and for routing from the load balancer to the health check

If you haven't already done so, create inbound rules for your security group.

Inter-node and load balancer-node communication

Field Recommended Value
Type Custom TCP Rule
Protocol TCP
Port Range 26257
Source The ID of your security group (e.g., sg-07ab277a)

Application data

Field Recommended Value
Type Custom TCP Rules
Protocol TCP
Port Range 26257
Source Your application's IP ranges

If you plan to run our sample workload on an instance, the traffic source is the internal (private) IP address of that instance. To find this, open the Instances section of the Amazon EC2 console and click on the instance.

Admin UI

Field Recommended Value
Type Custom TCP Rule
Protocol TCP
Port Range 8080
Source Your network's IP ranges

You can set your network IP by selecting "My IP" in the Source field.

Load balancer-health check communication

Field Recommended Value
Type Custom TCP Rule
Protocol TCP
Port Range 8080
Source The IP range of your VPC in CIDR notation (e.g., 10.12.0.0/16)

To get the IP range of a VPC, open the Amazon VPC console and find the VPC listed in the section called Your VPCs. You can also click on the VPC where it is listed in the EC2 console.

Step 3. Synchronize clocks

CockroachDB requires moderate levels of clock synchronization to preserve data consistency. For this reason, when a node detects that its clock is out of sync with at least half of the other nodes in the cluster by 80% of the maximum offset allowed (500ms by default), it spontaneously shuts down. This avoids the risk of consistency anomalies, but it's best to prevent clocks from drifting too far in the first place by running clock synchronization software on each node.

Amazon provides the Amazon Time Sync Service, which uses a fleet of satellite-connected and atomic reference clocks in each AWS Region to deliver accurate current time readings. The service also smears the leap second.

  • Configure each AWS instance to use the internal Amazon Time Sync Service.
    • Per the above instructions, ensure that etc/chrony.conf on the instance contains the line server 169.254.169.123 prefer iburst minpoll 4 maxpoll 4 and that other server or pool lines are commented out.
    • To verify that Amazon Time Sync Service is being used, run chronyc sources -v and check for a line containing * 169.254.169.123. The * denotes the preferred time server.
  • If you plan to run a hybrid cluster across GCE and other cloud providers or environments, note that all of the nodes must be synced to the same time source, or to different sources that implement leap second smearing in the same way. See the Production Checklist for details.

Step 4. Set up load balancing

Each CockroachDB node is an equally suitable SQL gateway to your cluster, but to ensure client performance and reliability, it's important to use load balancing:

  • Performance: Load balancers spread client traffic across nodes. This prevents any one node from being overwhelmed by requests and improves overall cluster performance (queries per second).

  • Reliability: Load balancers decouple client health from the health of a single CockroachDB node. In cases where a node fails, the load balancer redirects client traffic to available nodes.

AWS offers fully-managed load balancing to distribute traffic between instances.

  1. Add AWS load balancing. Be sure to:
    • Select a Network Load Balancer and use the ports we specify below.
    • Select the VPC and all availability zones of your instances. This is important, as you cannot change the availability zones once the load balancer is created. The availability zone of an instance is determined by its subnet, found by inspecting the instance in the Amazon EC2 Console.
    • Set the load balancer port to 26257.
    • Create a new target group that uses TCP port 26257. Traffic from your load balancer is routed to this target group, which contains your instances.
    • Configure health checks to use HTTP port 8080 and path /health?ready=1. This health endpoint ensures that load balancers do not direct traffic to nodes that are live but not ready to receive requests.
    • Register your instances with the target group you created, specifying port 26257. You can add and remove instances later.
  2. To test load balancing and connect your application to the cluster, you will need the provisioned internal (private) IP address for the load balancer. To find this, open the Network Interfaces section of the Amazon EC2 console and look up the load balancer by its name.
Note:
If you would prefer to use HAProxy instead of AWS's managed load balancing, see the On-Premises tutorial for guidance.

Step 5. Start nodes

You can start the nodes manually or automate the process using systemd.

For each initial node of your cluster, complete the following steps:

Note:

After completing these steps, nodes will not yet be live. They will complete the startup process and join together to form a cluster as soon as the cluster is initialized in the next step.

  1. SSH to the machine where you want the node to run.

  2. Download the CockroachDB archive for Linux, and extract the binary:

    icon/buttons/copy
    $ curl https://binaries.cockroachdb.com/cockroach-v19.2.12.linux-amd64.tgz \
    | tar -xz
    
  3. Copy the binary into the PATH:

    icon/buttons/copy
    $ cp -i cockroach-v19.2.12.linux-amd64/cockroach /usr/local/bin/
    

    If you get a permissions error, prefix the command with sudo.

  4. Run the cockroach start command:

    icon/buttons/copy
    $ cockroach start \
    --insecure \
    --advertise-addr=<node1 address> \
    --join=<node1 address>,<node2 address>,<node3 address> \
    --cache=.25 \
    --max-sql-memory=.25 \
    --background
    

    This command primes the node to start, using the following flags:

    Flag Description
    --insecure Indicates that the cluster is insecure, with no network encryption or authentication.
    --advertise-addr Specifies the IP address/hostname and port to tell other nodes to use. The port number can be omitted, in which case it defaults to 26257.

    This value must route to an IP address the node is listening on (with --listen-addr unspecified, the node listens on all IP addresses).

    In some networking scenarios, you may need to use --advertise-addr and/or --listen-addr differently. For more details, see Networking.
    --join Identifies the address of 3-5 of the initial nodes of the cluster. These addresses should match the addresses that the target nodes are advertising.
    --cache
    --max-sql-memory
    Increases the node's cache and temporary SQL memory size to 25% of available system memory to improve read performance and increase capacity for in-memory SQL processing. For more details, see Cache and SQL Memory Size.
    --background Starts the node in the background so you gain control of the terminal to issue more commands.

    When deploying across multiple datacenters, or when there is otherwise high latency between nodes, it is recommended to set --locality as well. It is also required to use certain enterprise features. For more details, see Locality.

    For other flags not explicitly set, the command uses default values. For example, the node stores data in --store=cockroach-data and binds Admin UI HTTP requests to --http-addr=localhost:8080. To set these options manually, see Start a Node.

  5. Repeat these steps for each additional node that you want in your cluster.

For each initial node of your cluster, complete the following steps:

Note:
After completing these steps, nodes will not yet be live. They will complete the startup process and join together to form a cluster as soon as the cluster is initialized in the next step.
  1. SSH to the machine where you want the node to run. Ensure you are logged in as the root user.

  2. Download the CockroachDB archive for Linux, and extract the binary:

    icon/buttons/copy
    $ curl https://binaries.cockroachdb.com/cockroach-v19.2.12.linux-amd64.tgz \
    | tar -xz
    
  3. Copy the binary into the PATH:

    icon/buttons/copy
    $ cp -i cockroach-v19.2.12.linux-amd64/cockroach /usr/local/bin/
    

    If you get a permissions error, prefix the command with sudo.

  4. Create the Cockroach directory:

    icon/buttons/copy
    $ mkdir /var/lib/cockroach
    
  5. Create a Unix user named cockroach:

    icon/buttons/copy
    $ useradd cockroach
    
  6. Change the ownership of Cockroach directory to the user cockroach:

    icon/buttons/copy
    $ chown cockroach /var/lib/cockroach
    
  7. Download the sample configuration template and save the file in the /etc/systemd/system/ directory:

    icon/buttons/copy
    $ wget -qO- https://raw.githubusercontent.com/cockroachdb/docs/master/_includes/v19.2/prod-deployment/insecurecockroachdb.service
    

    Alternatively, you can create the file yourself and copy the script into it:

    icon/buttons/copy
    [Unit]
    Description=Cockroach Database cluster node
    Requires=network.target
    [Service]
    Type=notify
    WorkingDirectory=/var/lib/cockroach
    ExecStart=/usr/local/bin/cockroach start --insecure --advertise-addr=<node1 address> --join=<node1 address>,<node2 address>,<node3 address> --cache=.25 --max-sql-memory=.25
    TimeoutStopSec=60
    Restart=always
    RestartSec=10
    StandardOutput=syslog
    StandardError=syslog
    SyslogIdentifier=cockroach
    User=cockroach
    [Install]
    WantedBy=default.target
    
    
  8. In the sample configuration template, specify values for the following flags:

    Flag Description
    --advertise-addr Specifies the IP address/hostname and port to tell other nodes to use. The port number can be omitted, in which case it defaults to 26257.

    This value must route to an IP address the node is listening on (with --listen-addr unspecified, the node listens on all IP addresses).

    In some networking scenarios, you may need to use --advertise-addr and/or --listen-addr differently. For more details, see Networking.
    --join Identifies the address of 3-5 of the initial nodes of the cluster. These addresses should match the addresses that the target nodes are advertising.

    When deploying across multiple datacenters, or when there is otherwise high latency between nodes, it is recommended to set --locality as well. It is also required to use certain enterprise features. For more details, see Locality.

    For other flags not explicitly set, the command uses default values. For example, the node stores data in --store=cockroach-data and binds Admin UI HTTP requests to --http-port=8080. To set these options manually, see Start a Node.

  9. Start the CockroachDB cluster:

    icon/buttons/copy
    $ systemctl start insecurecockroachdb
    
  10. Repeat these steps for each additional node that you want in your cluster.

Note:

systemd handles node restarts in case of node failure. To stop a node without systemd restarting it, run systemctl stop insecurecockroachdb

Step 6. Initialize the cluster

On your local machine, complete the node startup process and have them join together as a cluster:

  1. Install CockroachDB on your local machine, if you haven't already.

  2. Run the cockroach init command, with the --host flag set to the address of any node:

    icon/buttons/copy
    $ cockroach init --insecure --host=<address of any node>
    

    Each node then prints helpful details to the standard output, such as the CockroachDB version, the URL for the admin UI, and the SQL URL for clients.

Step 7. Test the cluster

CockroachDB replicates and distributes data behind-the-scenes and uses a Gossip protocol to enable each node to locate data across the cluster. Once a cluster is live, any node can be used as a SQL gateway.

When using a load balancer, you should issue commands directly to the load balancer, which then routes traffic to the nodes.

Use the built-in SQL client locally as follows:

  1. On your local machine, launch the built-in SQL client, with the --host flag set to the address of the load balancer:

    icon/buttons/copy
    $ cockroach sql --insecure --host=<address of load balancer>
    
  2. Create an insecurenodetest database:

    icon/buttons/copy
    > CREATE DATABASE insecurenodetest;
    
  3. View the cluster's databases, which will include insecurenodetest:

    icon/buttons/copy
    > SHOW DATABASES;
    
    +--------------------+
    |      Database      |
    +--------------------+
    | crdb_internal      |
    | information_schema |
    | insecurenodetest   |
    | pg_catalog         |
    | system             |
    +--------------------+
    (5 rows)
    
  4. Use \q to exit the SQL shell.

Step 8. Run a sample workload

CockroachDB offers a pre-built workload binary for Linux that includes several load generators for simulating client traffic against your cluster. This step features CockroachDB's version of the TPC-C workload.

Tip:
For comprehensive guidance on benchmarking CockroachDB with TPC-C, see our Performance Benchmarking white paper.
  1. SSH to the machine where you want the run the sample TPC-C workload.

    This should be a machine that is not running a CockroachDB node.

  2. Download workload and make it executable:

    icon/buttons/copy
    $ wget https://edge-binaries.cockroachdb.com/cockroach/workload.LATEST ; chmod 755 workload.LATEST
    
  3. Rename and copy workload into the PATH:

    icon/buttons/copy
    $ cp -i workload.LATEST /usr/local/bin/workload
    
  4. Start the TPC-C workload, pointing it at the IP address of the load balancer:

    icon/buttons/copy
    $ workload run tpcc \
    --drop \
    --init \
    --duration=20m \
    --tolerate-errors \
    "postgresql://root@<IP ADDRESS OF LOAD BALANCER>:26257/tpcc?sslmode=disable"
    

    This command runs the TPC-C workload against the cluster for 20 minutes, loading 1 "warehouse" of data initially and then issuing about 12 queries per minute via 10 "worker" threads. These workers share SQL connections since individual workers are idle for long periods of time between queries.

    Tip:
    For more tpcc options, use workload run tpcc --help. For details about other load generators included in workload, use workload run --help.

  5. To monitor the load generator's progress, open the Admin UI by pointing a browser to the address in the admin field in the standard output of any node on startup.

    Since the load generator is pointed at the load balancer, the connections will be evenly distributed across nodes. To verify this, click Metrics on the left, select the SQL dashboard, and then check the SQL Connections graph. You can use the Graph menu to filter the graph for specific nodes.

Step 9. Monitor the cluster

In the Target Groups section of the Amazon EC2 console, check the health of your instances by inspecting your target group and opening the Targets tab.

Despite CockroachDB's various built-in safeguards against failure, it is critical to actively monitor the overall health and performance of a cluster running in production and to create alerting rules that promptly send notifications when there are events that require investigation or intervention.

For details about available monitoring options and the most important events and metrics to alert on, see Monitoring and Alerting.

Step 10. Scale the cluster

Before adding a new node, create a new instance as you did earlier.

You can start the nodes manually or automate the process using systemd.

For each additional node you want to add to the cluster, complete the following steps:

  1. SSH to the machine where you want the node to run.

  2. Download the CockroachDB archive for Linux, and extract the binary:

    icon/buttons/copy
    $ curl https://binaries.cockroachdb.com/cockroach-v19.2.12.linux-amd64.tgz \
    | tar -xz
    
  3. Copy the binary into the PATH:

    icon/buttons/copy
    $ cp -i cockroach-v19.2.12.linux-amd64/cockroach /usr/local/bin/
    

    If you get a permissions error, prefix the command with sudo.

  4. Run the cockroach start command, passing the new node's address as the --advertise-addr flag and pointing --join to the three existing nodes (also include --locality if you set it earlier).

    icon/buttons/copy
    $ cockroach start \
    --insecure \
    --advertise-addr=<node4 address> \
    --join=<node1 address>,<node2 address>,<node3 address> \
    --cache=.25 \
    --max-sql-memory=.25 \
    --background
    
  5. Update your load balancer to recognize the new node.

For each additional node you want to add to the cluster, complete the following steps:

  1. SSH to the machine where you want the node to run. Ensure you are logged in as the root user.

  2. Download the CockroachDB archive for Linux, and extract the binary:

    icon/buttons/copy
    $ curl https://binaries.cockroachdb.com/cockroach-v19.2.12.linux-amd64.tgz \
    | tar -xz
    
  3. Copy the binary into the PATH:

    icon/buttons/copy
    $ cp -i cockroach-v19.2.12.linux-amd64/cockroach /usr/local/bin/
    

    If you get a permissions error, prefix the command with sudo.

  4. Create the Cockroach directory:

    icon/buttons/copy
    $ mkdir /var/lib/cockroach
    
  5. Create a Unix user named cockroach:

    icon/buttons/copy
    $ useradd cockroach
    
  6. Change the ownership of Cockroach directory to the user cockroach:

    icon/buttons/copy
    $ chown cockroach /var/lib/cockroach
    
  7. Download the sample configuration template:

    icon/buttons/copy
    $ wget -qO- https://raw.githubusercontent.com/cockroachdb/docs/master/_includes/v19.2/prod-deployment/insecurecockroachdb.service
    

    Alternatively, you can create the file yourself and copy the script into it:

    icon/buttons/copy
    [Unit]
    Description=Cockroach Database cluster node
    Requires=network.target
    [Service]
    Type=notify
    WorkingDirectory=/var/lib/cockroach
    ExecStart=/usr/local/bin/cockroach start --insecure --advertise-addr=<node1 address> --join=<node1 address>,<node2 address>,<node3 address> --cache=.25 --max-sql-memory=.25
    TimeoutStopSec=60
    Restart=always
    RestartSec=10
    StandardOutput=syslog
    StandardError=syslog
    SyslogIdentifier=cockroach
    User=cockroach
    [Install]
    WantedBy=default.target
    
    

    Save the file in the /etc/systemd/system/ directory

  8. Customize the sample configuration template for your deployment:

    Specify values for the following flags in the sample configuration template:

    Flag Description
    --advertise-addr Specifies the IP address/hostname and port to tell other nodes to use. The port number can be omitted, in which case it defaults to 26257.

    This value must route to an IP address the node is listening on (with --listen-addr unspecified, the node listens on all IP addresses).

    In some networking scenarios, you may need to use --advertise-addr and/or --listen-addr differently. For more details, see Networking.
    --join Identifies the address of 3-5 of the initial nodes of the cluster. These addresses should match the addresses that the target nodes are advertising.
  9. Repeat these steps for each additional node that you want in your cluster.

Step 11. Use the cluster

Now that your deployment is working, you can:

  1. Implement your data model.
  2. Create users and grant them privileges.
  3. Connect your application. Be sure to connect your application to the AWS load balancer, not to a CockroachDB node.

See also


Yes No
On this page

Yes No