Private Clusters and Securing Your Bacalhau Environment
We introduced Private Clusters in Bacalhau 1.0 to enhance the security and privacy of your Bacalhau environment. With this, you can run Bacalhau in a completely isolated and disconnected network, providing a secure environment for processing private workloads and protecting sensitive data within your organization. You can read more about why we need it here.
How do we use Private Clusters on Bacalhau?
Setting up Private Clusters is very simple with Bacalhau! Let's consider a practical example involving the processing of sensitive financial data.
Setting Up a Private Cluster:
Start by setting up the initial requester node. This node acts as the entry point for the Private Cluster. Use the following command to start the requester node:
bacalhau serve --node-type requester --private-internal-ipfs --peer none
Make a note of the output details, including the host ID, listening addresses, and p2p addresses. These details will be necessary for connecting additional nodes to the Private Cluster.
This command will output the following instructions:
To connect another node to this private one, run the following command in your shell:
bacalhau serve --private-internal-ipfs --peer <requester-node-connection-details> --ipfs-swarm-addr <requester-node-ipfs-swarm-address>
<requester-node-connection-details> and <requester-node-ipfs-swarm-address> will contain the actual connection details obtained from the output of the requester node command.
To use this requester node from the client, run the following commands in your shell:
export BACALHAU_IPFS_SWARM_ADDRESSES=<requester-node-ipfs-swarm-address>
export BACALHAU_API_HOST=0.0.0.0
export BACALHAU_API_PORT=1234
<requester-node-ipfs-swarm-address> will contain the actual IPFS swarm address of the requester node.
Public IPFS Network Integration:
If you need to connect your Private Cluster to the public IPFS network, follow these additional steps:
Start IPFS on all nodes using the command:
ipfs init
Set the IPFS_CONNECT environment variable by running the following command:
export IPFS_CONNECT=$(ipfs id | grep tcp | grep 127.0.0.1 | sed s/4001/5001/ | sed s/,//g | sed 's/"//g')
On the first node, start the Bacalhau server with the following command:
export LOG_LEVEL=debug
bacalhau serve --peer none --ipfs-connect $IPFS_CONNECT --node-type requester,compute
Monitor the output log for the message indicating that the ComputeHandler has started on the host.
On each of the other nodes, execute the following command:
export PEER_ADDR=/ip4/<public-ip>/tcp/1235/p2p/<above>
Replace <public-ip> and <above> with the appropriate values for your setup.
Start the Bacalhau server on each node using the command:
bacalhau serve --peer $PEER_ADDR --ipfs-connect $IPFS_CONNECT --node-type compute
Ensure that the values for <public-ip> and <above> match the ones stated above.
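A pre-flight check for the two multiaddrs used in the steps above, as an added example that is not part of the Bacalhau documentation or tooling. It derives IPFS_CONNECT from `ipfs id` output with the same 4001-to-5001 rewrite as the pipeline above but fails unless exactly one loopback TCP address is found, and it refuses to build PEER_ADDR from unreplaced placeholders or malformed values. The function names, the sample `ipfs id` output and the peer ID are constructed; the `/p2p/<id>` address suffix and the 40-character base58 minimum for the host ID are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks for IPFS_CONNECT and PEER_ADDR (hypothetical helper names).
# Constructed peer ID, for illustration only.
SAMPLE_ID=12D3KooWExamp1eExamp1eExamp1eExamp1eExamp1eExamp1eEx

# Constructed stand-in for `ipfs id` output so the example runs offline.
sample_ipfs_id() {
  cat <<EOF
{
  "ID": "$SAMPLE_ID",
  "Addresses": [
    "/ip4/10.0.0.5/tcp/4001/p2p/$SAMPLE_ID",
    "/ip4/127.0.0.1/tcp/4001/p2p/$SAMPLE_ID",
    "/ip4/127.0.0.1/udp/4001/quic/p2p/$SAMPLE_ID",
    "/ip6/::1/tcp/4001/p2p/$SAMPLE_ID"
  ]
}
EOF
}

# Read `ipfs id` output on stdin and print the value for IPFS_CONNECT:
# the loopback TCP swarm address with port 4001 rewritten to 5001.
# Assumes addresses end in /p2p/<id>; fails unless exactly one distinct match exists.
ipfs_connect_from_id() (
  matches=$(grep -oE '/ip4/127\.0\.0\.1/tcp/4001/p2p/[A-Za-z0-9]+' | sort -u)
  count=$(printf '%s\n' "$matches" | grep -c . || true)
  if [ "$count" -ne 1 ]; then
    echo "expected one loopback TCP swarm address, found $count" >&2
    exit 1
  fi
  printf '%s\n' "$matches" | sed 's#/tcp/4001/#/tcp/5001/#'
)

# Build PEER_ADDR from the requester's IP and host ID, rejecting placeholders
# and malformed values. Assumption: host IDs are base58 strings of 40+ characters.
peer_addr() (
  ip=$1 host_id=$2
  printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ||
    { echo "not an IPv4 address: $ip" >&2; exit 1; }
  for octet in $(printf '%s' "$ip" | tr '.' ' '); do
    [ "$octet" -le 255 ] || { echo "octet out of range: $octet" >&2; exit 1; }
  done
  printf '%s\n' "$host_id" | grep -Eq '^[1-9A-HJ-NP-Za-km-z]{40,}$' ||
    { echo "not a valid host ID: $host_id" >&2; exit 1; }
  printf '/ip4/%s/tcp/1235/p2p/%s\n' "$ip" "$host_id"
)

# Demo on the constructed input.
sample_ipfs_id | ipfs_connect_from_id
peer_addr '<public-ip>' '<above>' 2>/dev/null || echo "rejected unreplaced placeholders"
```

On a real node, pipe `ipfs id` into `ipfs_connect_from_id` and export the result only if the function succeeds.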
By following the steps outlined above, you can deploy a Private Cluster and ensure the security of your workloads and data.