Product

We are thrilled to announce that CockroachDB Dedicated, the fully managed service of CockroachDB, is now PCI-DSS certified by a Qualified Security Assessor (QSA) as a PCI Level 1 Service Provider. The PCI-DSS was created by the PCI Security Standards Council - an organization formed in 2006 by the major credit card associations (Visa, American Express, MasterCard and JCB). The mission of this council is to establish a “minimum security standard” to protect customers’ payment information. Any business that handles credit card and payment data is required to conform to that minimum standard referred to as the Payment Card Industry (PCI) Data Security Standard (DSS).

If you’re working with CockroachDB, chances are that you care about transactional consistency. CockroachDB offers ACID transactional guarantees, including serializable isolation to ensure that no matter the volume of transactions or how many transactions are being processed in parallel, each transaction is committed to the database sequentially. These guarantees ensure that your database maintains ironclad consistency immediately, which is important for many transactional applications. (Every application has a range of business use cases that determine how consistent its database needs to be. For transactional workloads, an eventually consistent database is often not the right persistence tool). However, CockroachDB’s strong ACID guarantees do mean that occasionally transactions will fail and will need to be retried. Let’s take a closer look at why that happens, and how retries can be accomplished.

Charlie Custer

January 30, 2023

This is part 1 of a 3-part blog series about how we’ve improved the way CockroachDB stores and modifies data in bulk. We went way down into the deepest layers of our storage system, then up to our SQL schema changes and their transaction timestamps - all without anybody noticing (or at least we hope!)

When working with an OLTP database, customers’ data protection concerns manifest in different ways. Whether it is about the ability to encrypt data with one’s own keys, redacting cluster logs, field-level data masking or something else, we have partnered closely with our customers in providing more than what they were looking for. So, when we heard feedback that customers needed a way to obfuscate cloud resource credentials when running backup-restore or changefeed SQL commands, we decided to outdo that requirement. Backup-Restore and real-time changefeeds are two of the most critical capabilities in an OLTP database. The former applies to disaster recovery whereas the latter allows integration with analytics platforms or is sometimes used for replication.

Moving and processing data between systems is a common pain point. Users need up-to-date data across systems for use in business analytics, for event-driven architectures, for creating audit trails, or for archiving data. One way to do that is to set up an external service that regularly polls the database for changes.

For multi-tenant mixed-workload systems like CockroachDB, performance predictability and isolation are critical. Most forms of shared infrastructure approximate these properties, be it through physical isolation within data centers, virtualized resource limits, drastic over-provisioning, and more. For CockroachDB it’s not just about protecting latencies across workload/tenant boundaries, it’s also about isolation from the system’s internal/elastic work like LSM compactions, MVCC garbage collection, and backups, and also from user-initiated bulk work like changefeed backfills. For ill-considered reasons this is something they let me work on. Here we’ll describe generally applicable techniques we applied under the umbrella of admission control, how we arrived at them, and why they were effective. We’ll use control theory, study CPU scheduler latencies, build forms of cooperative scheduling, and patch the Go runtime. We hope for it to be relevant to most systems builders (and aspiring ones!), even if the problems motivating the work were found in this oddly-named database.

Secure authentication is a fundamental requirement when evaluating a database product. Architecture and Security teams prefer capabilities which could somehow be managed centrally, ideally using existing security tools in the enterprise tech stack. Over decades of advancements in the OLTP database ecosystem, we’ve seen a number of solutions emerge for secure authentication. Whether it be PKI/certificates, LDAP integration with enterprise identity directory, GSSAPI/Kerberos, SCRAM and so on, those mechanisms have enabled organizations to adopt a variety of new databases over time. We also support most of those capabilities in CockroachDB that are utilized by the majority of our security-conscious customers.

Efficiency matters. When you’re working with large amounts of data, it matters a lot. Every trip between your application and the database incurs real costs, both in terms of time and money. So how can you minimize those trips?

Charlie Custer

December 5, 2022

In case you hadn’t already heard, Heroku is shutting down its free plans. The change has left many developers scrambling to replace what Heroku offered with other free services. And while CockroachDB doesn’t replace everything Heroku’s free tier offered, developers looking to replace the free cloud Postgres database that Heroku offered can already access an excellent replacement in CockroachDB serverless, a forever-free cloud database that actually offers some major advantages over Heroku Postgres.

Charlie Custer

November 17, 2022