Managing Connections using the Ruby SDK with Couchbase Server
This section describes how to connect the Ruby SDK to a Couchbase cluster. It contains best practices as well as information on TLS/SSL and other advanced connection options.
Connecting to a Cluster
A connection to a Couchbase Server cluster is represented by a Cluster
object.
A Cluster
provides access to Buckets, Scopes, and Collections, as well as various Couchbase services and management interfaces.
The simplest way to create a Cluster
object is to call Cluster.connect()
with a connection string, username, and password:
require "couchbase"
include Couchbase # to avoid repeating module name
options = Cluster::ClusterOptions.new
options.authenticate("Administrator", "password")
cluster = Cluster.connect("couchbase://localhost", options)
If you are connecting to a version of Couchbase Server older than 6.5, it will be more efficient if the addresses are those of data (KV) nodes.
You will in any case, with 6.0 and earlier, need to open a Bucket instance before connecting to any other HTTP services (such as Query or Search).
|
In a production environment, your connection string should include the addresses of multiple server nodes in case some are currently unavailable. Multiple addresses may be specified in a connection string by delimiting them with commas:
options = Couchbase::ClusterOptions.new
options.authenticator = Couchbase::PasswordAuthenticator.new("Administrator", "password")
cluster = Cluster.connect("couchbase://192.168.56.101,192.168.56.102", options)
You don’t need to include the address of every node in the cluster. The client fetches the full address list from the first node it is able to contact. |
Connection Strings
A Couchbase connection string is a comma-delimited list of IP addresses and/or hostnames, optionally followed by a list of parameters.
The parameter list is just like the query component of a URI; name-value pairs have an equals sign (=
) separating the name and value, with an ampersand (&
) between each pair.
Just as in a URI, the first parameter is prefixed by a question mark (?
).
couchbase://127.0.0.1
couchbase://nodeA.example.com,nodeB.example.com
couchbases://127.0.0.1?enable_dns_srv=false&query_timeout=10000
The full list of recognized parameters is in the table below.
A connection string must be prefixed by either couchbase://
or couchbases://
.
Connection Lifecycle
Most of the high-level classes in the Ruby SDK are designed to be safe for concurrent use by multiple threads.
We recommend creating a single Cluster
instance when your application starts up, and sharing this instance throughout your application.
If you know at startup time which buckets, scopes, and collections your application will use, we recommend obtaining them from the Cluster
at startup time and sharing those instances throughout your application as well.
Alternate Addresses and Custom Ports
If your Couchbase Server cluster is running in a containerized, port mapped, or otherwise NATed environment like Docker or Kubernetes, a client running outside that environment may need additional information in order to connect the cluster. Both the client and server require special configuration in this case.
On the server side, each server node must be configured to advertise its external address as well as any custom port mapping.
This is done with the setting-alternate-address
CLI command introduced in Couchbase Server 6.5.
A node configured in this way will advertise two addresses: one for connecting from the same network, and another for connecting from an external network.
This can also be set and retrieved through the REST API.
On the client side, the externally visible ports must be used when connecting. If the external ports are not the default, you can specify custom ports explicitly in the connection string.
options = Couchbase::ClusterOptions.new
options.authenticator = Couchbase::PasswordAuthenticator.new("Administrator", "password")
cluster = Cluster.connect("couchbase://192.168.42.101:12000,192.168.42.102:12002", options)
In a deployment that uses multi-dimensional scaling, a custom KV port is only applicable for nodes running the KV service. A custom manager port may be specified regardless of which services are running on the node. |
In many cases the client is able to automatically select the correct set of addresses to use when connecting to a cluster that advertises multiple addresses.
If the detection heuristic fails in your environment, you can override it by setting the network
client setting to default
if the client and server are on the same network, or`external` if they’re on different networks.
Any TLS certificates must be set up at the point where the connections are being made. |
Secure Connections
Couchbase Server Enterprise Edition supports full encryption of client-side traffic using Transport Layer Security (TLS). That includes key-value type operations, queries, and configuration communication. Make sure you have the Enterprise Edition of Couchbase Server before proceeding with configuring encryption on the client side.
To configure encryption for the Ruby SDK:
-
Get the CA certificate from the cluster and save it in a text file.
-
Enable encryption on the client side and point it to the file containing the certificate.
It is important to make sure you are transferring the certificate in an encrypted manner from the server to the client side, so either copy it through SSH or through a similar secure mechanism.
If you are running on localhost
and just want to enable TLS for a development machine, just copying and pasting it suffices — so long as you use 127.0.0.1
rather than localhost
in the connection string.
This is because the certificate will not match the name localhost.
Setting TLSSkipVerify
is a workaround if you need to use ` couchbases://localhost`.
Navigate in the admin UI to cluster.crt
).
It looks similar to this:
-----BEGIN CERTIFICATE----- MIICmDCCAYKgAwIBAgIIE4FSjsc3nyIwCwYJKoZIhvcNAQEFMAwxCjAIBgNVBAMT ASowHhcNMTMwMTAxMDAwMDAwWhcNNDkxMjMxMjM1OTU5WjAMMQowCAYDVQQDEwEq MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzz2I3Gi1XcOCNRVYwY5R ................................................................ mgDnQI8nw2arBRoseLpF6WNw22CawxHVOlMceQaGOW9gqKNBN948EvJJ55Dhl7qG BQp8sR0J6BsSc86jItQtK9eQWRg62+/XsgVCmDjrB5owHPz+vZPYhsMWixVhLjPJ mkzeUUj/kschgQ0BWT+N+pyKAFFafjwFYtD0e5NwFUUBfsOyQtYV9xu3fw+T2N8S itfGtmmlEfaplVGzGPaG0Eyr53g5g2BgQbi5l5Tt2awqhd22WOVbCalABd9t2IoI F4+FjEqAEIr1mQepDaNM0gEfVcgd2SzGhC3yhYFBAH//8W4DUot5ciEhoBs= -----END CERTIFICATE-----
The next step is to enable encryption by connecting to a cluster with the 'couchbases://' protocol in the connection string and pass it the path to the certificate file via '?trust_certificate=…' in the connection string itself.
options = Couchbase::ClusterOptions.new
options.authenticator = Couchbase::PasswordAuthenticator.new("Administrator", "password")
cluster = Cluster("couchbases://127.0.0.1?trust_certificate=/path/to/certificate.pem", options)
Then use this custom Cluster
when opening the connection to the cluster.
If you want to verify it’s actually working, you can use a tool like tcpdump
.
For example, an unencrypted upsert request looks like this (using sudo tcpdump -i lo0 -A -s 0 port 11210
):
E..e..@.@.............+......q{...#..Y..... .E...Ey........9........................id{"key":"value"}
After enabling encryption, you cannot inspect the traffic in cleartext (same upsert request, but watched on port 11207 which is the default encrypted port):
E.....@.@.............+....Z.'yZ..#........ ..... ...xuG.O=.#.........?.Q)8..D...S.W.4.-#....@7...^.Gk.4.t..C+......6..)}......N..m..o.3...d.,. ...W.....U.. .%v.....4....m*...A.2I.1.&.*,6+..#..#.5
Using DNS SRV records
As an alternative to specifying multiple hosts in your program, you can get the actual bootstrap node list from a DNS SRV record. The following steps are necessary to make it work:
-
Set up your DNS server to respond properly from a DNS SRV request.
-
Enable it on the SDK and point it towards the DNS SRV entry.
Your DNS server should be set up like this (one row for each bootstrap node):
_couchbase._tcp.example.com. 3600 IN SRV 0 0 11210 node1.example.com. _couchbase._tcp.example.com. 3600 IN SRV 0 0 11210 node2.example.com. _couchbase._tcp.example.com. 3600 IN SRV 0 0 11210 node3.example.com.
The ordering, priorities, and weighting are completely ignored and should not be set on the records to avoid ambiguities. |
If you plan to use secure connections, you use _couchbases
instead:
_couchbases._tcp.example.com. 3600 IN SRV 0 0 11207 node1.example.com. _couchbases._tcp.example.com. 3600 IN SRV 0 0 11207 node2.example.com. _couchbases._tcp.example.com. 3600 IN SRV 0 0 11207 node3.example.com.
DNS SRV bootstrapping is available in the Ruby SDK from version 3.0.
In order to make the SDK actually use the SRV records, you need to enable DNS SRV on the environment and pass in the host name from your records (here example.com
):
options = Couchbase::ClusterOptions.new
options.authenticator = Couchbase::PasswordAuthenticator.new("Administrator", "password")
cluster = Cluster.connect("couchbases://couchbase.example.org?enable_dns_srv=true", options)
If the DNS SRV records could not be loaded properly you’ll get the message logged and the given host name will be used as an A record lookup.
[2020-09-07 14:30:26.358] [186383,186390] [warning] 47ms, DNS SRV query returned 0 records for "localhost", assuming that cluster is listening this address
Also, if you pass in more than one node, DNS SRV bootstrap will not be initiated:
Working in the Cloud
For most use cases, connecting client software using a Couchbase SDK to the new Couchbase Capella service is similar to connecting to an on-premises Couchbase Cluster. The use of DNS-SRV. Alternate Address, and TLS is covered above.
We strongly recommend that the client and server are in the same LAN-like environment (e.g. AWS Availability Zone). As this may not always be possible during development, read the guidance on working with constrained network environments. More details on connecting your client code to Couchbase Capella can be found in the Cloud docs.
Troubleshooting Connections to Cloud
Some DNS caching providers (notably, home routers) can’t handle an SRV record that’s large — if you have DNS-SRV issues with such a set-up, reduce your DNS-SRV to only include three records. [For development only, not production.]. Our Troubleshooting Cloud Connections page will help you to diagnose this and other problems — as well as introducing the SDK doctor tool.
Further Reading
For more on RBAC, refer to the Server docs.