This page shows you how to manually deploy a secure multi-node CockroachDB cluster on Digital Ocean, using Digital Ocean's managed load balancing service to distribute client traffic.
If you are only testing CockroachDB, or you are not concerned with protecting network communication with TLS encryption, you can use an insecure cluster instead. Select Insecure above for instructions.
Requirements
- You must have CockroachDB installed locally. This is necessary for generating and managing your deployment's certificates. 
- You must have SSH access to each machine. This is necessary for distributing and starting CockroachDB binaries. 
- Your network configuration must allow TCP communication on the following ports: - 26257for intra-cluster and client-cluster communication
- 8080to expose your Admin UI
 
Recommendations
- If you plan to use CockroachDB in production, carefully review the Production Checklist. 
- Decide how you want to access your Admin UI: - Access Level - Description - Partially open - Set a firewall rule to allow only specific IP addresses to communicate on port - 8080.- Completely open - Set a firewall rule to allow all IP addresses to communicate on port - 8080.- Completely closed - Set a firewall rule to disallow all communication on port - 8080. In this case, a machine with SSH access to a node could use an SSH tunnel to access the Admin UI.
- If all of your CockroachDB nodes and clients will run on Droplets in a single region, consider using private networking. 
Step 1. Create Droplets
Create Droplets for each node you plan to have in your cluster.
- Run at least 3 nodes to ensure survivability. 
- Use any droplets except standard droplets with only 1 GB of RAM, which is below our minimum requirement. All Digital Ocean droplets use SSD storage. 
For more details, see Hardware Recommendations and Cluster Topology.
Step 2. Synchronize clocks
CockroachDB requires moderate levels of clock synchronization to preserve data consistency. For this reason, when a node detects that its clock is out of sync with at least half of the other nodes in the cluster by 80% of the maximum offset allowed (500ms by default), it spontaneously shuts down. This avoids the risk of consistency anomalies, but it's best to prevent clocks from drifting too far in the first place by running clock synchronization software on each node.
ntpd should keep offsets in the single-digit milliseconds, so that software is featured here, but other methods of clock synchronization are suitable as well.
- SSH to the first machine. 
- Disable - timesyncd, which tends to be active by default on some Linux distributions:- $ sudo timedatectl set-ntp no- Verify that - timesyncdis off:- $ timedatectl- Look for - Network time on: noor- NTP enabled: noin the output.
- Install the - ntppackage:- $ sudo apt-get install ntp
- Stop the NTP daemon: - $ sudo service ntp stop
- Sync the machine's clock with Google's NTP service: - $ sudo ntpd -b time.google.com- To make this change permanent, in the - /etc/ntp.conffile, remove or comment out any lines starting with- serveror- pooland add the following lines:- server time1.google.com iburst server time2.google.com iburst server time3.google.com iburst server time4.google.com iburst- Restart the NTP daemon: - $ sudo service ntp startNote:We recommend Google's external NTP service because they handle "smearing" the leap second. If you use a different NTP service that doesn't smear the leap second, you must configure client-side smearing manually and do so in the same way on each machine.
- Verify that the machine is using a Google NTP server: - $ sudo ntpq -p- The active NTP server will be marked with an asterisk. 
- Repeat these steps for each machine where a CockroachDB node will run. 
Step 3. Set up load balancing
Each CockroachDB node is an equally suitable SQL gateway to your cluster, but to ensure client performance and reliability, it's important to use load balancing:
- Performance: Load balancers spread client traffic across nodes. This prevents any one node from being overwhelmed by requests and improves overall cluster performance (queries per second). 
- Reliability: Load balancers decouple client health from the health of a single CockroachDB node. In cases where a node fails, the load balancer redirects client traffic to available nodes. 
Digital Ocean offers fully-managed load balancers to distribute traffic between Droplets.
- Create a Digital Ocean Load Balancer. Be sure to:
- Set forwarding rules to route TCP traffic from the load balancer's port 26257 to port 26257 on the node Droplets.
- Configure health checks to use HTTP port 8080 and path /health.
 
- Note the provisioned IP Address for the load balancer. You'll use this later to test load balancing and to connect your application to the cluster.
Step 4. Configure your network
Set up a firewall for each of your Droplets, allowing TCP communication on the following two ports:
- 26257 (tcp:26257) for inter-node communication (i.e., working as a cluster), for applications to connect to the load balancer, and for routing from the load balancer to nodes
- 8080 (tcp:8080) for exposing your Admin UI
For guidance, you can use Digital Ocean's guide to configuring firewalls based on the Droplet's OS:
- Ubuntu and Debian can use ufw.
- FreeBSD can use ipfw.
- Fedora can use iptables.
- CoreOS can use iptables.
- CentOS can use firewalld.
Step 5. Generate certificates
You can use either cockroach cert commands or openssl commands to generate security certificates. This section features the cockroach cert commands.
Locally, you'll need to create the following certificates and keys:
- A certificate authority (CA) key pair (ca.crtandca.key).
- A node key pair for each node, issued to its IP addresses and any common names the machine uses, as well as to the IP addresses and common names for machines running load balancers.
- A client key pair for the rootuser. You'll use this to run a sample workload against the cluster as well as somecockroachclient commands from your local machine.
- Install CockroachDB on your local machine, if you haven't already. 
- Create two directories: - $ mkdir certs- $ mkdir my-safe-directory- certs: You'll generate your CA certificate and all node and client certificates and keys in this directory and then upload some of the files to your nodes.
- my-safe-directory: You'll generate your CA key in this directory and then reference the key when generating node and client certificates. After that, you'll keep the key safe and secret; you will not upload it to your nodes.
 
- Create the CA certificate and key: - $ cockroach cert create-ca \ --certs-dir=certs \ --ca-key=my-safe-directory/ca.key
- Create the certificate and key for the first node, issued to all common names you might use to refer to the node as well as to the load balancer instances: - $ cockroach cert create-node \ <node1 internal IP address> \ <node1 external IP address> \ <node1 hostname> \ <other common names for node1> \ localhost \ 127.0.0.1 \ <load balancer IP address> \ <load balancer hostname> \ <other common names for load balancer instances> \ --certs-dir=certs \ --ca-key=my-safe-directory/ca.key
- Upload certificates to the first node: - # Create the certs directory: $ ssh <username>@<node1 address> "mkdir certs"- # Upload the CA certificate and node certificate and key: $ scp certs/ca.crt \ certs/node.crt \ certs/node.key \ <username>@<node1 address>:~/certs
- Delete the local copy of the node certificate and key: - $ rm certs/node.crt certs/node.keyNote:This is necessary because the certificates and keys for additional nodes will also be named- node.crtand- node.keyAs an alternative to deleting these files, you can run the next- cockroach cert create-nodecommands with the- --overwriteflag.
- Create the certificate and key for the second node, issued to all common names you might use to refer to the node as well as to the load balancer instances: - $ cockroach cert create-node \ <node2 internal IP address> \ <node2 external IP address> \ <node2 hostname> \ <other common names for node2> \ localhost \ 127.0.0.1 \ <load balancer IP address> \ <load balancer hostname> \ <other common names for load balancer instances> \ --certs-dir=certs \ --ca-key=my-safe-directory/ca.key
- Upload certificates to the second node: - # Create the certs directory: $ ssh <username>@<node2 address> "mkdir certs"- # Upload the CA certificate and node certificate and key: $ scp certs/ca.crt \ certs/node.crt \ certs/node.key \ <username>@<node2 address>:~/certs
- Repeat steps 6 - 8 for each additional node. 
- Create a client certificate and key for the - rootuser:- $ cockroach cert create-client \ root \ --certs-dir=certs \ --ca-key=my-safe-directory/ca.key
- Upload certificates to the machine where you will run a sample workload: - # Create the certs directory: $ ssh <username>@<workload address> "mkdir certs"- # Upload the CA certificate and client certificate and key: $ scp certs/ca.crt \ certs/client.root.crt \ certs/client.root.key \ <username>@<workload address>:~/certs- In later steps, you'll also use the - rootuser's certificate to run- cockroachclient commands from your local machine. If you might also want to run- cockroachclient commands directly on a node (e.g., for local debugging), you'll need to copy the- rootuser's certificate and key to that node as well.
Step 6. Start nodes
You can start the nodes manually or automate the process using systemd.
For each initial node of your cluster, complete the following steps:
- SSH to the machine where you want the node to run. 
- Download the CockroachDB archive for Linux, and extract the binary: - $ curl https://binaries.cockroachdb.com/cockroach-v1.1.9.linux-amd64.tgz \ | tar -xz
- Copy the binary into the - PATH:- $ cp -i cockroach-v1.1.9.linux-amd64/cockroach /usr/local/bin/- If you get a permissions error, prefix the command with - sudo.
- Run the - cockroach startcommand:- $ cockroach start \ --certs-dir=certs \ --host=<node1 address> \ --locality=<key-value pairs> \ --cache=.25 \ --max-sql-memory=.25 \ --join=<node1 address>:26257,<node2 address>:26257,<node3 address>:26257 \ --background- This command primes the node to start, using the following flags: - Flag - Description - --certs-dir- Specifies the directory where you placed the - ca.crtfile and the- node.crtand- node.keyfiles for the node.- --host- Specifies the hostname or IP address to listen on for intra-cluster and client communication, as well as to identify the node in the Admin UI. If it is a hostname, it must be resolvable from all nodes, and if it is an IP address, it must be routable from all nodes. 
 If you want the node to listen on multiple interfaces, leave- --hostout.
 If you want the node to communicate with other nodes on an internal address (e.g., within a private network) while listening on all interfaces, leave- --hostout and set the- --advertise-hostflag to the internal address.- --locality- Key-value pairs that describe the location of the node, e.g., country, region, datacenter, rack, etc. It is recommended to set - --localitywhen deploying across multiple datacenters or when there is otherwise high latency between nodes. It is also required to use certain enterprise features. For more details, see Locality.- --cache- --max-sql-memory- Increases the node's cache and temporary SQL memory size to 25% of available system memory to improve read performance and increase capacity for in-memory SQL processing (see Recommended Production Settings for more details). - --join- Identifies the address and port of 3-5 of the initial nodes of the cluster. - --background- Starts the node in the background so you gain control of the terminal to issue more commands. - For other flags not explicitly set, the command uses default values. For example, the node stores data in - --store=cockroach-data, binds internal and client communication to- --port=26257, and binds Admin UI HTTP requests to- --http-port=8080. To set these options manually, see Start a Node.
- Repeat these steps for each additional node that you want in your cluster. 
For each initial node of your cluster, complete the following steps:
- SSH to the machine where you want the node to run. Ensure you are logged in as the - rootuser.
- Download the CockroachDB archive for Linux, and extract the binary: - $ curl https://binaries.cockroachdb.com/cockroach-v1.1.9.linux-amd64.tgz \ | tar -xz
- Copy the binary into the - PATH:- $ cp -i cockroach-v1.1.9.linux-amd64/cockroach /usr/local/bin/- If you get a permissions error, prefix the command with - sudo.
- Create the Cockroach directory: - $ mkdir /var/lib/cockroach
- Create a Unix user named - cockroach:- $ useradd cockroach
- Move the - certsdirectory to the- cockroachdirectory.- $ mv certs /var/lib/cockroach/
- Change the ownership of - Cockroachdirectory to the user- cockroach:- $ chown -R cockroach.cockroach /var/lib/cockroach
- Download the sample configuration template: - $ wget -qO- https://raw.githubusercontent.com/cockroachdb/docs/master/_includes/v1.1/prod-deployment/securecockroachdb.service- Alternatively, you can create the file yourself and copy the script into it: - [Unit] Description=Cockroach Database cluster node Requires=network.target [Service] Type=notify WorkingDirectory=/var/lib/cockroach ExecStart=/usr/local/bin/cockroach start --certs-dir=certs --join=<node1 address>:26257,<node2 address>:26257,<node3 address>:26257 --cache=.25 --max-sql-memory=.25 TimeoutStopSec=60 Restart=always RestartSec=10 StandardOutput=syslog StandardError=syslog SyslogIdentifier=cockroach User=cockroach [Install] WantedBy=default.target- Save the file in the - /etc/systemd/system/directory.
- Customize the sample configuration template for your deployment: - Specify values for the following flags in the sample configuration template: - Flag - Description - --join- Identifies the address and port of 3-5 of the initial nodes of the cluster. - --host- Specifies the hostname or IP address to listen on for intra-cluster and client communication, as well as to identify the node in the Admin UI. If it is a hostname, it must be resolvable from all nodes, and if it is an IP address, it must be routable from all nodes. 
 If you want the node to listen on multiple interfaces, leave- --hostempty.
 If you want the node to communicate with other nodes on an internal address (e.g., within a private network) while listening on all interfaces, leave- --hostempty and set the- --advertise-hostflag to the internal address.
- Start the CockroachDB cluster: - $ systemctl start securecockroachdb
- Repeat these steps for each additional node that you want in your cluster. 
systemd handles node restarts in case of node failure. To stop a node without systemd restarting it, run systemctl stop securecockroachdb
Step 7. Initialize the cluster
On your local machine, run the cockroach init command to complete the node startup process and have them join together as a cluster:
$ cockroach init --certs-dir=certs --host=<address of any node>
This command requires the following flags:
| Flag | Description | 
|---|---|
| --certs-dir | Specifies the directory where you placed the ca.crtfile and theclient.root.crtandclient.root.keyfiles for therootuser. | 
| --host | Specifies the address of any node in the cluster. | 
After running this command, each node prints helpful details to the standard output, such as the CockroachDB version, the URL for the admin UI, and the SQL URL for clients.
Step 8. Test the cluster
CockroachDB replicates and distributes data for you behind-the-scenes and uses a Gossip protocol to enable each node to locate data across the cluster.
To test this, use the built-in SQL client locally as follows:
- On your local machine, launch the built-in SQL client: - $ cockroach sql --certs-dir=certs --host=<address of any node>- This command requires the following flags: - Flag - Description - --certs-dir- Specifies the directory where you placed the - ca.crtfile and the- client.root.crtand- client.root.keyfiles for the- rootuser.- --host- Specifies the address of any node in the cluster. 
- Create a - securenodetestdatabase:- > CREATE DATABASE securenodetest;
- Use - \qor CTRL-C to exit the SQL shell.
- Launch the built-in SQL client against a different node: - $ cockroach sql --certs-dir=certs --host=<address of different node>
- View the cluster's databases, which will include - securenodetest:- > SHOW DATABASES;- +--------------------+ | Database | +--------------------+ | crdb_internal | | information_schema | | securenodetest | | pg_catalog | | system | +--------------------+ (5 rows)
- Use - \qor CTRL-C to exit the SQL shell.
Step 9. Set up monitoring and alerting
Despite CockroachDB's various built-in safeguards against failure, it is critical to actively monitor the overall health and performance of a cluster running in production and to create alerting rules that promptly send notifications when there are events that require investigation or intervention.
For details about available monitoring options and the most important events and metrics to alert on, see Monitoring and Alerting.
Step 10. Scale the cluster
You can start the nodes manually or automate the process using systemd.
For each additional node you want to add to the cluster, complete the following steps:
- SSH to the machine where you want the node to run. 
- Download the CockroachDB archive for Linux, and extract the binary: - $ curl https://binaries.cockroachdb.com/cockroach-v1.1.9.linux-amd64.tgz \ | tar -xz
- Copy the binary into the - PATH:- $ cp -i cockroach-v1.1.9.linux-amd64/cockroach /usr/local/bin/- If you get a permissions error, prefix the command with - sudo.
- Run the - cockroach startcommand just like you did for the initial nodes:- $ cockroach start \ --certs-dir=certs \ --host=<node4 address> \ --locality=<key-value pairs> \ --cache=.25 \ --max-sql-memory=.25 \ --join=<node1 address>:26257,<node2 address>:26257,<node3 address>:26257 \ --background
- Update your load balancer to recognize the new node. 
For each additional node you want to add to the cluster, complete the following steps:
- SSH to the machine where you want the node to run. Ensure you are logged in as the - rootuser.
- Download the CockroachDB archive for Linux, and extract the binary: - $ curl https://binaries.cockroachdb.com/cockroach-v1.1.9.linux-amd64.tgz \ | tar -xz
- Copy the binary into the - PATH:- $ cp -i cockroach-v1.1.9.linux-amd64/cockroach /usr/local/bin/- If you get a permissions error, prefix the command with - sudo.
- Create the Cockroach directory: - $ mkdir /var/lib/cockroach
- Create a Unix user named - cockroach:- $ useradd cockroach
- Move the - certsdirectory to the- cockroachdirectory.- $ mv certs /var/lib/cockroach/
- Change the ownership of - Cockroachdirectory to the user- cockroach:- $ chown -R cockroach.cockroach /var/lib/cockroach
- Download the sample configuration template: - $ wget -qO- https://raw.githubusercontent.com/cockroachdb/docs/master/_includes/v1.1/prod-deployment/securecockroachdb.service- Alternatively, you can create the file yourself and copy the script into it: - [Unit] Description=Cockroach Database cluster node Requires=network.target [Service] Type=notify WorkingDirectory=/var/lib/cockroach ExecStart=/usr/local/bin/cockroach start --certs-dir=certs --join=<node1 address>:26257,<node2 address>:26257,<node3 address>:26257 --cache=.25 --max-sql-memory=.25 TimeoutStopSec=60 Restart=always RestartSec=10 StandardOutput=syslog StandardError=syslog SyslogIdentifier=cockroach User=cockroach [Install] WantedBy=default.target- Save the file in the - /etc/systemd/system/directory.
- Customize the sample configuration template for your deployment: - Specify values for the following flags in the sample configuration template: - Flag - Description - --host- Specifies the hostname or IP address to listen on for intra-cluster and client communication, as well as to identify the node in the Admin UI. If it is a hostname, it must be resolvable from all nodes, and if it is an IP address, it must be routable from all nodes. 
 If you want the node to listen on multiple interfaces, leave- --hostempty.
 If you want the node to communicate with other nodes on an internal address (e.g., within a private network) while listening on all interfaces, leave- --hostempty and set the- --advertise-hostflag to the internal address.- --join- Identifies the address and port of 3-5 of the initial nodes of the cluster. 
- Repeat these steps for each additional node that you want in your cluster. 
Step 11. Use the database
Now that your deployment is working, you can:
- Implement your data model.
- Create users and grant them privileges.
- Connect your application. Be sure to connect your application to the load balancer, not to a CockroachDB node.
You may also want to adjust the way the cluster replicates data. For example, by default, a multi-node cluster replicates all data 3 times; you can change this replication factor or create additional rules for replicating individual databases and tables differently. For more information, see Configure Replication Zones.