For testing environments where TLS encryption is not required, you can deploy an insecure cluster. However, secure clusters are strongly recommended for production.
Before you begin
Requirements
- Multiple machines with sufficient resources:
  - Minimum 4 vCPUs per node (8+ recommended for production)
  - Minimum 4 GiB RAM per vCPU
  - SSD storage with at least 500 IOPS per vCPU
  - Network connectivity between all nodes
- Operating system:
  - Linux distribution with glibc (Ubuntu, RHEL, CentOS)
  - Linux kernel from the last 5 years
  - Transparent Huge Pages (THP) set to madvise
- Software:
  - CockroachDB binary installed on each node
  - HAProxy for load balancing
  - NTP or other clock synchronization service
Recommendations
- Deploy at least 3 nodes for fault tolerance
- Use nodes with identical hardware specifications
- Configure at least 3 nodes per region for multi-region deployments
- Increase replication factor to 5 for local disk storage
- Provision 10-15% extra capacity for growth and maintenance
Deployment steps
Synchronize clocks
Ensure all nodes have synchronized clocks. CockroachDB requires clock synchronization to maintain data consistency.
Install and configure NTP:
Verify synchronization:
Generate certificates
Create a certificate authority (CA) and generate certificates for nodes and clients.
Create directories for certificates:
Generate CA certificate:
Create node certificate (repeat for each node):
Create client certificate for root user:
Store the CA key (ca.key) in a secure location. You’ll need it to generate additional certificates.
Start nodes
Start CockroachDB on each node:
Replace:
- <node-address> - This node’s IP address or hostname
- <nodeX-address> - Addresses of all nodes in the cluster
Initialize the cluster
From any node, initialize the cluster:
This performs a one-time initialization that enables the nodes to start accepting client connections.
Set up load balancing
Configure HAProxy to distribute client connections across nodes.
Generate HAProxy configuration:
This creates an haproxy.cfg file. Copy it to your HAProxy server:
Install and start HAProxy:
For high availability, deploy multiple HAProxy instances with floating IPs or DNS-based load balancing.
Load balancing configuration
Each CockroachDB node is an equally suitable SQL gateway. Load balancing provides:
- Performance - Distributes client traffic to prevent node overload
- Reliability - Routes traffic away from failed nodes
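As an added example (not code from this page and not the output of the CockroachDB project's own `cockroach gen haproxy` command), the following POSIX sh function builds an HAProxy configuration of the shape described here, fronting the SQL port of every node and using the readiness health check covered in the next section. The node addresses are constructed placeholders, and the 26257/8080 ports are assumed to be the defaults listed on this page.

```shell
#!/bin/sh
# Added example (not the output of `cockroach gen haproxy`): build an HAProxy
# config that fronts the SQL port of every node and health-checks each node
# via the readiness endpoint on its HTTP port. Node addresses passed in are
# constructed placeholders; adjust the ports if you changed --listen-addr
# or --http-addr when starting the nodes.

SQL_PORT=26257   # CockroachDB SQL/RPC listen port
HTTP_PORT=8080   # CockroachDB HTTP port serving /health

gen_haproxy_cfg() {
    # $@ = node addresses (IP or hostname), one backend line per node
    cat <<EOF
global
    maxconn 4096

defaults
    mode tcp
    timeout connect 10s
    timeout client 10m
    timeout server 10m
    option clitcpka

listen psql
    bind :${SQL_PORT}
    mode tcp
    balance roundrobin
    # A node that is draining, decommissioned or not yet initialized does not
    # answer /health?ready=1 with success, so HAProxy stops routing to it.
    option httpchk GET /health?ready=1
EOF
    i=1
    for node in "$@"; do
        printf '    server cockroach%d %s:%d check port %d\n' \
            "$i" "$node" "$SQL_PORT" "$HTTP_PORT"
        i=$((i + 1))
    done
}

# Number of backend servers in a generated config: verify that every node
# made it into the file before copying it to the HAProxy host.
backend_count() {
    gen_haproxy_cfg "$@" | grep -c '^    server cockroach'
}

# Usage: gen_haproxy_cfg node1.internal node2.internal node3.internal > haproxy.cfg
```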
HAProxy health checks
HAProxy should use CockroachDB’s readiness endpoint:
Production recommendations
Hardware specifications
CPU
- Minimum: 4 vCPUs per node
- Recommended: 8-16 vCPUs
- Avoid burstable instances
Memory
- Minimum: 4 GiB per vCPU
- Recommended: 4 GiB per vCPU
- Disable swap
Storage
- SSD with 500 IOPS per vCPU
- 30 MB/s per vCPU throughput
- ext4 or XFS filesystem
Network
- Low latency between nodes
- Private network preferred
- Open ports: 26257, 8080
Cluster topology
- Single-region: At least 3 nodes in different availability zones
- Multi-region: At least 3 nodes per region
- Node distribution: Spread nodes across failure domains
Security
Use TLS certificates
Always use TLS certificates for production deployments. Never run insecure clusters in production.
Protect the CA key
Store the CA key in a secure location. It’s needed to generate additional certificates but should not be on cluster nodes.
Monitoring and maintenance
- Set up the DB Console on port 8080
- Configure Prometheus metrics collection
- Monitor disk usage, IOPS, and CPU
- Set up automated backups to cloud storage
- Configure alerting for node failures and resource exhaustion
Scaling the cluster
Add nodes to increase capacity:
Next steps
- Configure backup and restore strategies
- Set up monitoring and alerting
- Review the production checklist
- Learn about connection pooling