Orchestrate CockroachDB with Docker Swarm

This page shows you how to orchestrate the deployment and management of a secure three-node CockroachDB cluster as a swarm of Docker Engines.

If you are only testing CockroachDB, or you are not concerned with protecting network communication with TLS encryption, you can use an insecure cluster instead. Select Insecure above for instructions.

Before you begin

Before you begin, it's helpful to review some terminology:

FeatureDescription
instanceA physical or virtual machine. In this tutorial, you'll use three, one per CockroachDB node.
Docker EngineThis is the core Docker application that creates and runs containers. In this tutorial, you'll install and start Docker Engine on each of your three instances.
swarmA swarm is a group of Docker Engines joined into a single, virtual host.
swarm nodeEach member of a swarm is considered a node. In this tutorial, each instance will be a swarm node, one as the master node and the two others as worker nodes. You'll submit service definitions to the master node, which will dispatch work to the worker nodes.
serviceA service is the definition of the tasks to execute on swarm nodes. In this tutorial, you'll define three services, each starting a CockrochDB node inside a container and joining it into a single cluster. Each service also ensures a stable network identity on restart via a resolvable DNS name.
secretA secret is Docker's mechanism for managing sensitive data that a container needs at runtime. Since CockroachDB uses TLS certificates to authenticate and encrypt inter-node and client/node communication, you'll create a secret per certificate and use the secrets in your services.
overlay networkAn overlay network enables communication between the nodes of a swarm. In this tutorial, you'll create an overlay network and use it in each of your services.

Step 1. Create instances

Create three instances, one for each node of your cluster.

  • For GCE-specific instructions, read through step 2 of Deploy CockroachDB on GCE.
  • For AWS-specific instructions, read through step 2 of Deploy CockroachDB on AWS.
    Be sure to configure your network to allow TCP communication on these ports:

  • 26257 for inter-node communication (i.e., working as a cluster) and connecting with applications

  • 8080 for exposing your Admin UI

Step 2. Install Docker Engine

On each instance:

  1. $ sudo docker version

Step 3. Start the swarm

Take note of the output for docker swarm init as it includes the command you'll use in the next step. It should look like this:

  1. $ sudo docker swarm init --advertise-addr 10.142.0.2
  1. Swarm initialized: current node (414z67gr5cgfalm4uriu4qdtm) is now a manager
  2. To add a worker to this swarm, run the following command
  3. $ docker swarm join \
  4. --toke SWMTKN-1-5vwxyi6zl3cc62lqlhi1jrweyspi8wblh2i3qa7kv277fgy74n-e5eg5c7ioxypjxlt3rpqorh15 \
  5. 10.142.0.2:237
  6. To add a manager to this swarm, run 'docker swarm join-token manager' and follow th instructions.
  1. $ sudo docker swarm join \
  2. --to SWMTKN-1-5vwxyi6zl3cc62lqlhi1jrweyspi8wblh2i3qa7kv277fgy74n-e5eg5c7ioxypjxlt3rpqorh15 \
  3. 10.142.0.2:2377
  1. This node joined a swarm as a worker.
  • On the instance running your manager node, verify that your swarm is running:
  1. $ sudo docker node ls
  1. ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS
  2. 414z67gr5cgfalm4uriu4qdtm * instance-1 Ready Active Leader
  3. ae144s35dx1p1lcegh6bblyed instance-2 Ready Active
  4. aivjg2joxyvzvbksjsix27khy instance-3 Ready Active

Step 4. Create an overlay network

On the instance running your manager node, create an overlay network so that the containers in your swarm can talk to each other:

  1. $ sudo docker network create --driver overlay --attachable cockroachdb

+The —attachable option enables non-swarm containers running on Docker to access services on the network, which makes the service easier to use interactively.

Step 5. Create security resources

A secure CockroachDB cluster uses TLS certificates for encrypted inter-node and client/node authentication and communication. In this step, you'll install CockroachDB on the instance running your manager node, use the cockroach cert command to generate certificate authority (CA), node, and client certificate and key pairs, and use the docker secret create command to assign these files to Docker secrets for use by your Docker services.

  • On the instance running your manager node, install CockroachDB from our latest binary:
  1. # Get the latest CockroachDB tarball:
  2. $ wget https://binaries.cockroachdb.com/cockroach-v19.1.0.linux-amd64.tgz
  1. # Extract the binary:
  2. $ tar -xf cockroach-v19.1.0.linux-amd64.tgz \
  3. --strip=1 cockroach-v19.1.0.linux-amd64/cockroach
  1. # Move the binary:
  2. $ sudo mv cockroach /usr/local/bin
  • Create a certs directory and a safe directory to keep your CA key:
  1. $ mkdir certs
  1. $ mkdir my-safe-directory
  • Create the CA certificate and key:
  1. $ cockroach cert create-ca \
  2. --certs-dir=certs \
  3. --ca-key=my-safe-directory/ca.key
  1. $ ls certs
  1. ca.crt

Warning:
Store the ca.key file somewhere safe and keep a backup; if you lose it, you will not be able to add new nodes or clients to your cluster.

  1. $ sudo docker secret create ca-crt certs/ca.crt

This command assigns a name to the secret (ca-crt) and identifies the location of the cockroach-generated CA certificate file. You can use a different secret name, if you like, but be sure to reference the correct name when starting the CockroachDB nodes in the next step.

  • Create the certificate and key for the first node:
  1. $ cockroach cert create-node \
  2. cockroachdb-1 \
  3. localhost \
  4. 127.0.0.1 \
  5. --certs-dir=certs \
  6. --ca-key=my-safe-directory/ca.key
  1. $ ls certs
  1. ca.crt
  2. node.crt
  3. node.key

This command issues the certificate/key pair to the service name you will use for the node later (cockroachdb-1) as well as to local addresses that will make it easier to run the built-in SQL shell and other CockroachDB client commands in the same container as the node.

  • Create Docker secrets for the first node's certificate and key:
  1. $ sudo docker secret create cockroachdb-1-crt certs/node.crt
  1. $ sudo docker secret create cockroachdb-1-key certs/node.key

Again, these commands assign names to the secrets (cockroachdb-1-crt and cockroachdb-1-key) and identify the location of the cockroach-generated certificate and key files.

  • Create the certificate and key for the second node, using the —overwrite flag to replace the files created for the first node:
  1. $ cockroach cert create-node --overwrite \
  2. cockroachdb-2 \
  3. localhost \
  4. 127.0.0.1 \
  5. --certs-dir=certs \
  6. --ca-key=my-safe-directory/ca.key
  1. $ ls certs
  1. ca.crt
  2. node.crt
  3. node.key
  • Create Docker secrets for the second node's certificate and key:
  1. $ sudo docker secret create cockroachdb-2-crt certs/node.crt
  1. $ sudo docker secret create cockroachdb-2-key certs/node.key
  • Create the certificate and key for the third node, again using the —overwrite flag to replace the files created for the second node:
  1. $ cockroach cert create-node --overwrite \
  2. cockroachdb-3 \
  3. localhost \
  4. 127.0.0.1 \
  5. --certs-dir=certs \
  6. --ca-key=my-safe-directory/ca.key
  1. $ ls certs
  1. ca.crt
  2. node.crt
  3. node.key
  • Create Docker secrets for the third node's certificate and key:
  1. $ sudo docker secret create cockroachdb-3-crt certs/node.crt
  1. $ sudo docker secret create cockroachdb-3-key certs/node.key
  • Create a client certificate and key for the root user:
  1. $ cockroach cert create-client \
  2. root \
  3. --certs-dir=certs \
  4. --ca-key=my-safe-directory/ca.key
  • Create Docker secrets for the root user's certificate and key:
  1. $ sudo docker secret create cockroachdb-root-crt certs/client.root.crt
  1. $ sudo docker secret create cockroachdb-root-key certs/client.root.key

Step 6. Start the CockroachDB cluster

  • On the instance running your manager node, create one swarm service for each CockroachDB node:
  1. # Create the first service:
  2. $ sudo docker service create \
  3. --replicas 1 \
  4. --name cockroachdb-1 \
  5. --hostname cockroachdb-1 \
  6. --network cockroachdb \
  7. --mount type=volume,source=cockroachdb-1,target=/cockroach/cockroach-data,volume-driver=local \
  8. --stop-grace-period 60s \
  9. --publish 8080:8080 \
  10. --secret source=ca-crt,target=ca.crt \
  11. --secret source=cockroachdb-1-crt,target=node.crt \
  12. --secret source=cockroachdb-1-key,target=node.key,mode=0600 \
  13. --secret source=cockroachdb-root-crt,target=client.root.crt \
  14. --secret source=cockroachdb-root-key,target=client.root.key,mode=0600 \
  15. cockroachdb/cockroach:v19.1.0 start \
  16. --join=cockroachdb-1:26257,cockroachdb-2:26257,cockroachdb-3:26257 \
  17. --cache=.25 \
  18. --max-sql-memory=.25 \
  19. --logtostderr \
  20. --certs-dir=/run/secrets
  1. # Create the second service:
  2. $ sudo docker service create \
  3. --replicas 1 \
  4. --name cockroachdb-2 \
  5. --hostname cockroachdb-2 \
  6. --network cockroachdb \
  7. --stop-grace-period 60s \
  8. --mount type=volume,source=cockroachdb-2,target=/cockroach/cockroach-data,volume-driver=local \
  9. --secret source=ca-crt,target=ca.crt \
  10. --secret source=cockroachdb-2-crt,target=node.crt \
  11. --secret source=cockroachdb-2-key,target=node.key,mode=0600 \
  12. --secret source=cockroachdb-root-crt,target=client.root.crt \
  13. --secret source=cockroachdb-root-key,target=client.root.key,mode=0600 \
  14. cockroachdb/cockroach:v19.1.0 start \
  15. --join=cockroachdb-1:26257,cockroachdb-2:26257,cockroachdb-3:26257 \
  16. --cache=.25 \
  17. --max-sql-memory=.25 \
  18. --logtostderr \
  19. --certs-dir=/run/secrets
  1. # Create the third service:
  2. $ sudo docker service create \
  3. --replicas 1 \
  4. --name cockroachdb-3 \
  5. --hostname cockroachdb-3 \
  6. --network cockroachdb \
  7. --mount type=volume,source=cockroachdb-3,target=/cockroach/cockroach-data,volume-driver=local \
  8. --stop-grace-period 60s \
  9. --secret source=ca-crt,target=ca.crt \
  10. --secret source=cockroachdb-3-crt,target=node.crt \
  11. --secret source=cockroachdb-3-key,target=node.key,mode=0600 \
  12. --secret source=cockroachdb-root-crt,target=client.root.crt \
  13. --secret source=cockroachdb-root-key,target=client.root.key,mode=0600 \
  14. cockroachdb/cockroach:v19.1.0 start \
  15. --join=cockroachdb-1:26257,cockroachdb-2:26257,cockroachdb-3:26257 \
  16. --cache=.25 \
  17. --max-sql-memory=.25 \
  18. --logtostderr \
  19. --certs-dir=/run/secrets

These commands each create a service that starts a container securely, joins it to the overlay network, and starts a CockroachDB node inside the container mounted to a local volume for persistent storage. Let's look at each part:

  • sudo docker service create: The Docker command to create a new service.
  • —replicas: The number of containers controlled by the service. Since each service will control one container running one CockroachDB node, this will always be 1.
  • —name: The name for the service.
  • —hostname: The hostname of the container. It will listen for connections on this address.
  • —network: The overlay network for the container to join. See Step 4. Create an overlay network for more details.
  • —mount: This flag mounts a local volume with the same name as the service. This means that data and logs for the node running in this container will be stored in /cockroach/cockroach-data on the instance and will be reused on restart as long as restart happens on the same instance, which is not guaranteed.

Note:
If you plan on replacing or adding instances, it's recommended to use remote storage instead of local disk. To do so, create a remote volume for each CockroachDB instance using the volume driver of your choice, and then specify that volume driver instead of the volume-driver=local part of the command above, e.g., volume-driver=gce if using the GCE volume driver.

  • —stop-grace-period: This flag sets a grace period to give CockroachDB enough time to shut down gracefully, when possible.
  • —publish: This flag makes the Admin UI accessible at the IP of any instance running a swarm node on port 8080. Note that, even though this flag is defined only in the first node's service, the swarm exposes this port on every swarm node using a routing mesh. See Publishing ports for more details.
  • —secret: These flags identify the secrets to use in securing the node. They must reference the secret names defined in step 5. For the node and client certificate and key secrets, the source field identifies the relevant secret, and the target field defines the name to be used in cockroach start and cockroach sql flags. For the node and client key secrets, the mode field also sets the file permissions to 0600; if this isn't set, Docker will assign a default file permission of 0444, which will not work with CockroachDB's built-in SQL client.
  • cockroachdb/cockroach:v19.1.0 start …: The CockroachDB command to start a node in the container in insecure mode and instruct other cluster members to talk to each other using their persistent network addresses, which match the services' names.
    • Verify that all three services were created successfully:
  1. $ sudo docker service ls
  1. ID NAME MODE REPLICAS IMAGE
  2. a6g0ur6857j6 cockroachdb-1 replicated 1/1 cockroachdb/cockroach:v19.1.0
  3. dr81a756gaa6 cockroachdb-2 replicated 1/1 cockroachdb/cockroach:v19.1.0
  4. il4m7op1afg9 cockroachdb-3 replicated 1/1 cockroachdb/cockroach:v19.1.0

Tip:
The service definitions tell the CockroachDB nodes to log to stderr, so if you ever need access to a node's logs for troubleshooting, use sudo docker logs <container id> from the instance on which the container is running.

  • Now all the CockroachDB nodes are running, but we still have to explicitly tell them to initialize a new cluster together. To do so, use the sudo docker run command to run the cockroach init command against one of the nodes. The cockroach init command will initialize the cluster, bringing it into a usable state.
  1. $ sudo docker run -it --rm --network cockroachdb --mount type=bind,source="$(pwd)/certs",target=/cockroach/certs,readonly cockroachdb/cockroach:v19.1.0 init --host=cockroachdb-1 --certs-dir=certs

We mount the certs directory as a volume inside the container because it contains the root user's client certificate and key, which we need to talk to the cluster.

Step 7. Use the built-in SQL client

  • Use the sudo docker run command to start a new container attached to the CockroachDB network, run the built-in SQL shell, and connect it to the cluster:
  1. $ sudo docker run -it --rm --network cockroachdb --mount type=bind,source="$(pwd)/certs",target=/cockroach/certs,readonly cockroachdb/cockroach:v19.1.0 sql --host=cockroachdb-1 --certs-dir=certs
  • Create a securenodetest database:
  1. > CREATE DATABASE securenodetest;
  1. > CREATE USER roach WITH PASSWORD 'Q7gc8rEdS';

You will need this username and password to access the Admin UI in Step 8.

  • Use CTRL-D, CTRL-C, or \q to exit the SQL shell.

Step 8. Monitor the cluster

To access your cluster's Admin UI:

  • Open a browser and go to https://<any node's external IP address>:8080.

Note:
It's possible to access the Admin UI from outside of the swarm because you published port 8080 externally in the first node's service definition. However, your browser will consider the CockroachDB-created certificate invalid, so you’ll need to click through a warning message to get to the UI.

  • On accessing the Admin UI, you will see a Login screen, where you will need to enter your username and password created in Step 7.

  • On the Admin UI, verify that the cluster is running as expected:

    • View Node List to ensure that all of your nodes successfully joined the cluster.
    • Click the Databases tab on the left to verify that securenodetest is listed.

Step 9. Simulate node failure

Since we have three service definitions, one for each node, Docker Swarm will ensure that there are three nodes running at all times. If a node fails, Docker Swarm will automatically create another node with the same network identity and storage.

To see this in action:

  • On any instance, use the sudo docker ps command to get the ID of the container running the CockroachDB node:
  1. $ sudo docker ps | grep cockroachdb
  1. 32769a6dd664 cockroachdb/cockroach:v19.1.0 "/cockroach/cockroach" 10 minutes ago Up 10 minutes 8080/tcp, 26257/tcp cockroachdb-2.1.0wigdh8lx0ylhuzm4on9bbldq
  • Use sudo docker kill to remove the container, which implicitly stops the node:
  1. $ sudo docker kill <container ID>
  • Verify that the node was restarted in a new container:
  1. $ sudo docker ps | grep cockroachdb
  1. 4a58f86e3ced cockroachdb/cockroach:v19.1.0 "/cockroach/cockroach" 7 seconds ago Up 1 seconds 8080/tcp, 26257/tcp cockroachdb-2.1.cph86kmhhcp8xzq6a1nxtk9ng
  • Back in the Admin UI, view Node List and verify that all 3 nodes are live.

Step 10. Scale the cluster

To increase the number of nodes in your CockroachDB cluster:

  • Create an additional instance (see Step 1).
  • Install Docker Engine on the instance (see Step 2).
  • Join the instance to the swarm as a worker node (see Step 3.2).
  • Create security resources for the node (see Step 5.7 and 5.8).
  • Create a new service to start another node and join it to the CockroachDB cluster (see Step 6.1).

Step 11. Stop the cluster

To stop the CockroachDB cluster, on the instance running your manager node, remove the services:

  1. $ sudo docker service rm cockroachdb-1 cockroachdb-2 cockroachdb-3
  1. cockroachdb-1
  2. cockroachdb-2
  3. cockroachdb-3

You may want to remove the persistent volumes and secrets used by the services as well. To do this, on each instance:

  1. # Identify the name of the local volume:
  2. $ sudo docker volume ls
  1. cockroachdb-1
  1. # Remove the local volume:
  2. $ sudo docker volume rm cockroachdb-1
  1. # Identify the name of secrets:
  2. $ sudo docker secrets ls
  1. ca-crt
  2. cockroachdb-1-crt
  3. cockroachdb-1-key
  1. # Remove the secrets:
  2. $ sudo docker secret rm ca-crt cockroachdb-1-crt cockroachdb-1-key

See also

Was this page helpful?
YesNo