This feature is in preview. This feature is subject to change. To share feedback and/or issues, contact Support.
New in v23.2: In this tutorial, you will set up physical cluster replication between a primary cluster and standby cluster. The primary cluster is active, serving application traffic. The standby cluster is passive, accepting updates from the primary cluster. The replication stream will send changes from the primary to the standby.
The unit of replication is a virtual cluster, which is part of the underlying infrastructure in the primary and standby clusters.
In this tutorial, you will connect to:
- The system interface for administration tasks in both clusters, and starting the replication stream from the standby cluster.
- The application virtual cluster on the primary cluster to work with databases, tables, workloads, and so on.
Overview
The high-level steps in this tutorial are:
- Create and start the primary cluster.
- Configure and create a user on the primary cluster.
- Create and start the standby cluster.
- Configure and create a user on the standby cluster.
- Securely copy certificates.
- Start the replication stream from the standby cluster.
Before you begin
This is an enterprise-only feature. Request a 30-day trial license to try it out.
- Two separate CockroachDB clusters (primary and standby) with a minimum of three nodes each, and each using the same CockroachDB v23.2 version.
- To set up each cluster, you can follow Deploy CockroachDB on Premises. When you start each node in your cluster with the
cockroach start
command, you must pass the--config-profile
flag with areplication
value. Refer to cluster creation steps for the primary cluster and for the standby cluster for details. - The Deploy CockroachDB on Premises tutorial creates a self-signed certificate for each Self-Hosted cluster. To create certificates signed by an external certificate authority, refer to Create Security Certificates using OpenSSL.
- To set up each cluster, you can follow Deploy CockroachDB on Premises. When you start each node in your cluster with the
- All nodes in each cluster will need access to the Certificate Authority for the other cluster. Refer to Copy certificates.
- An Enterprise license on the primary and standby clusters. You must use the system interface on the primary and standby clusters to enable your Enterprise license.
- The primary and standby clusters must have the same region topology. For example, replicating a multi-region primary cluster to a single-region standby cluster is not supported. Mismatching regions between a multi-region primary and standby cluster is also not supported.
Step 1. Create the primary cluster
Start the primary cluster
To enable physical cluster replication, it is necessary to start each node with the appropriate configuration profile set with the --config-profile
flag. A configuration profile applies a custom configuration to the server at initialization time. When using physical cluster replication, the replication-source
and replication-target
configuration profiles are used to create a virtualized cluster with a system interface and an application virtual cluster.
The primary cluster requires the following value:
--config-profile replication-source
For example, a cockroach start
command according to the prerequisite deployment guide:
cockroach start \
--certs-dir=certs \
--advertise-addr=<node1 address> \
--join=<node1 address>,<node2 address>,<node3 address> \
--cache=.25 \
--max-sql-memory=.25 \
--background \
--config-profile replication-source
Ensure that you follow the prerequisite deployment guide to initialize your cluster before continuing to set up physical cluster replication.
Connect to the primary cluster system interface
Connect to your primary cluster's system interface using cockroach sql
.
To connect to the system interface, pass the
options=-ccluster=system
parameter in the URL:cockroach sql --url \ "postgresql://root@{node IP or hostname}:26257/?options=-ccluster=system&sslmode=verify-full" \ --certs-dir "certs"
The prompt will include
system
when you are connected to the system interface.Note:You should only connect to the system interface for cluster administration. To work with databases, tables, or workloads, connect to the application virtual cluster.
Add your cluster organization and Enterprise license to the cluster:
SET CLUSTER SETTING cluster.organization = 'your organization';
SET CLUSTER SETTING enterprise.license = 'your enterprise license';
Confirm the status of your virtual cluster:
SHOW VIRTUAL CLUSTERS;
The output will include the
system
interface and theapplication
virtual cluster:id | name | data_state | service_mode ---+-------------+------------+--------------- 1 | system | ready | shared 2 | template | ready | none 3 | application | ready | shared (3 rows)
Because this is the primary cluster rather than the standby cluster,
data_state
of all rows isready
, rather thanreplicating
or another status.
Create a replication user and password
The standby cluster connects to the primary cluster's system interface using an identity with the REPLICATION
privilege. Connect to the primary cluster's system interface and create a user with a password:
From the primary's system interface SQL shell, create a user and password:
CREATE USER {your username} WITH PASSWORD '{your password}';
Grant the
REPLICATION
system privilege to your user:GRANT SYSTEM REPLICATION TO {your username};
If you need to change the password later, refer to
ALTER USER
.
Connect to the primary virtual cluster (optional)
If you would like to run a sample workload on the primary's application virtual cluster, open a new terminal window and use
cockroach workload
to run the workload.For example, to initiate the
movr
workload:cockroach workload init movr "postgresql://root@{node_advertise_address}:{node_advertise_port}/?options=-ccluster=application&sslmode=verify-full&sslrootcert=certs/ca.crt&sslcert=certs/client.root.crt&sslkey=certs/client.root.key"
Replace
{node_advertise_address}
and{node_advertise_port}
with a node's--advertise-address
IP address or hostname and port.The
cockroach workload
command does not support connection or security flags like othercockroach
commands. Instead, you must use a connection string at the end of the command. As a result, for the example in this tutorial, you will need:options=-ccluster=application
sslmode=verify-full
sslrootcert={path}/certs/ca.crt
: the path to the CA certifcate.sslcert={path}/certs/client.root.crt
: the path to the client certificate.sslkey={path}/certs/client.root.key
: the path to the client private key.
For additional detail on the standard CockroachDB connection parameters, refer to Client Connection Parameters.
Run the
movr
workload for a set duration using the same connection string:cockroach workload run movr --duration=5m "postgresql://root@{node_advertise_address}:{node_advertise_port}/?options=-ccluster=application&sslmode=verify-full&sslrootcert=certs/ca.crt&sslcert=certs/client.root.crt&sslkey=certs/client.root.key"
To connect to the primary cluster's application virtual cluster, use the
ccluster=application
parameter:cockroach sql --url \ "postgresql://root@{node IP or hostname}:26257/?options=-ccluster=application&sslmode=verify-full" \ --certs-dir "certs"
The prompt will include
application
when you are connected to the application virtual cluster.Create a user for your primary cluster's application virtual cluster:
CREATE USER {your username} WITH PASSWORD '{your password}';
You can connect to the DB Console with this user to observe activity on the primary cluster. Open a web browser at
https://{node IP or hostname}:8080/
and enter your credentials.
Step 2. Create the standby cluster
Start the standby cluster
Similarly to the primary cluster, each node on the standby cluster must be started with the --config-profile
flag set to replication-target
. This creates a virtualized cluster with a system interface and an application virtual cluster, and sets up all the required configuration for starting a replication stream.
For example, a cockroach start
command according to the prerequisite deployment guide:
cockroach start \
--certs-dir=certs \
--advertise-addr=<node1 address> \
--join=<node1 address>,<node2 address>,<node3 address> \
--cache=.25 \
--max-sql-memory=.25 \
--background \
--config-profile replication-target
Ensure that you follow the prerequisite deployment guide to initialize your cluster before continuing to set up physical cluster replication.
Connect to the standby cluster system interface
Connect to your standby cluster's system interface using cockroach sql
.
To connect to the system interface, pass the
options=-ccluster=system
parameter in the URL:cockroach sql --url \ "postgresql://root@{node IP or hostname}:26257/?options=-ccluster=system&sslmode=verify-full" \ --certs-dir "certs"
The prompt will include
system
when you are connected to the system interface.Add your cluster organization and Enterprise license to the cluster:
SET CLUSTER SETTING cluster.organization = 'your organization';
SET CLUSTER SETTING enterprise.license = 'your enterprise license';
Confirm the status of your virtual cluster:
SHOW VIRTUAL CLUSTERS;
The output will show the
system
interface, but noapplication
virtual cluster:id | name | data_state | service_mode ---+----------+------------+--------------- 1 | system | ready | shared 2 | template | ready | none (2 rows)
The configuration profile included at startup creates the
template
virtual cluster with the same set of capabilities per CockroachDB version. When you start a replication stream, you can specify thetemplate
VC withLIKE
to ensure other virtual clusters on the standby cluster will work in the same way. Refer to Step 4: Start replication for syntax details.
Create a user for the standby cluster
If you would like to access the DB Console to observe your replication, you will need to create a user:
Create a user:
CREATE USER {your username} WITH LOGIN PASSWORD {'your password'};
To observe the replication activity, your user will need
admin
privileges:GRANT admin TO {your username};
Open the DB Console in your web browser:
https://{node IP or hostname}:8080/
, where you will be prompted for these credentials. Refer to Physical Cluster Replication Monitoring for more detail on tracking relevant metrics for your replication stream.
Step 3. Copy certificates
At this point, the primary and standby clusters are both running. The next step allows the standby cluster to connect to the primary cluster and begin ingesting its data. Depending on how you manage certificates, you must ensure that all nodes on the primary and the standby cluster have access to the certificate of the other cluster.
It is important to carefully manage the exchange of CA certificates between clusters if you have generated self-signed certificates with cockroach cert
as part of the prerequisite deployment tutorial.
To create certificates signed by an external certificate authority, refer to Create Security Certificates using OpenSSL.
For example, if you followed the Deploy CockroachDB prerequisite, you need to add the ca.crt
from the primary cluster to the certs
directory on all the nodes in the standby cluster.
- Name the
ca.crt
from the primary cluster to a new name on the standby cluster. For example,ca_primary.crt
. - Securely copy
ca_primary.crt
to thecerts
directory of the standby cluster nodes.
You need to add the ca.crt
from the standby cluster to the certs
directory on all the nodes in the primary cluster.
- Name the
ca.crt
from the standby cluster to a new name on the primary cluster. For example,ca_standby.crt
. - Securely copy
ca_standby.crt
to thecerts
directory of the primary cluster nodes.
Step 4. Start replication
The system interface in the standby cluster initiates and controls the replication stream by pulling from the primary cluster. In this section, you will connect to the primary from the standby to initiate the replication stream.
From the standby cluster, use your connection string to the primary.
The connection string contains:
- The replication user and password that you created for the primary cluster.
- The node IP address or hostname of one node from the primary cluster.
- The path to the primary node's certificate on the standby cluster.
CREATE VIRTUAL CLUSTER application LIKE template FROM REPLICATION OF application ON 'postgresql://{replication user}:{password}@{node IP or hostname}:26257/?options=-ccluster=system&sslmode=verify-full&sslrootcert=certs/{primary cert}.crt';
Including the
LIKE template
parameter ensures that the virtual cluster on the standby is created with the correct capabilities, which manage what the virtual cluster can do.LIKE
will refer to a virtual cluster on the CockroachDB cluster you're running the statement from.Once the standby cluster has made a connection to the primary cluster, the standby will pull the topology of the primary cluster and will distribute the replication work across all nodes in the primary and standby.
To view the virtual clusters on the standby, run:
SHOW VIRTUAL CLUSTERS;
The standby cluster will show the
application
virtual cluster is in areplicating
state.id | name | data_state | service_mode ---+--------------------+--------------------+--------------- 1 | system | ready | shared 2 | template | ready | none 3 | application | replicating | none (3 rows)
The standby cluster's virtual cluster is offline while the replication stream is running. The virtual cluster will be online once you explicitly start its service after cutover.
To manage the replication stream, you can pause and resume the replication stream as well as show the current details for the job:
ALTER VIRTUAL CLUSTER application PAUSE REPLICATION;
ALTER VIRTUAL CLUSTER application RESUME REPLICATION;
SHOW VIRTUAL CLUSTER application WITH REPLICATION STATUS;
id | name | data_state | service_mode | source_tenant_name | source_cluster_uri | replication_job_id | replicated_time | retained_time | cutover_time ---+--------------------+--------------------+--------------+--------------------+----------------------------------------------------------------------------------------------------------------------+--------------------+-------------------------------+-------------------------------+--------------- 3 | application | replicating | none | application | postgresql://{user}:{password}@{hostname}:26257/?options=-ccluster%3Dsystem&sslmode=verify-full&sslrootcert=redacted | 899090689449132033 | 2023-09-11 22:29:35.085548+00 | 2023-09-11 16:51:43.612846+00 | NULL (1 row)s
With the replication stream running, you can monitor the job via the DB Console, SQL shell, or Prometheus. You can also verify data is correct on the standby cluster at a specific point in time. For more detail, refer to Physical Cluster Replication Monitoring.
Connection reference
This table outlines the connection strings you will need for this setup tutorial.
For additional detail on the standard CockroachDB connection parameters, refer to Client Connection Parameters.
Cluster | Interface | Usage | URL and Parameters |
---|---|---|---|
Primary | System | Set up a replication user and view running virtual clusters. Connect with cockroach sql . |
"postgresql://root@{node IP or hostname}:26257/?options=-ccluster=system&sslmode=verify-full"
--certs-dir flag to specify the path to your certificate. |
Primary | Application | Add and run a workload with cockroach workload . |
"postgresql://root@{node IP or hostname}:{26257}/?options=-ccluster=application&sslmode=verify-full&sslrootcert=certs/ca.crt&sslcert=certs/client.root.crt&sslkey=certs/client.root.key" The cockroach workload command does not support connection or security flags like other cockroach commands. Instead, you must use a connection string at the end of the command. As a result, for the example in this tutorial, you will need:
|
Standby | System | Manage the replication stream. Connect with cockroach sql . |
"postgresql://root@{node IP or hostname}:26257/?options=-ccluster=system&sslmode=verify-full"
--certs-dir flag to specify the path to your certificate. |