ArangoSync Master

The ArangoSync Master is responsible for managing all synchronization, creating tasks and assigning those to the ArangoSync Workers.

At least 2 instances must be deployed in each datacenter. One instance will be the "leader", the other will be an inactive slave. When the leader is gone for a short while, one of the other instances will take over.

With clusters of a significant size, the sync master will require a significant set of resources. Therefore it is recommended to deploy the sync masters on their own servers, equipped with sufficient CPU power and memory capacity.

To start an ArangoSync Master using a systemd service, use a unit like this:

[Unit]
Description=Run ArangoSync in master mode
After=network.target

[Service]
Restart=on-failure
EnvironmentFile=/etc/arangodb.env
EnvironmentFile=/etc/arangodb.env.local
LimitNOFILE=8192
ExecStart=/usr/sbin/arangosync run master \
    --log.level=debug \
    --cluster.endpoint=${CLUSTERENDPOINTS} \
    --cluster.jwtSecret=${CLUSTERSECRET} \
    --server.keyfile=${CERTIFICATEDIR}/tls.keyfile \
    --server.client-cafile=${CERTIFICATEDIR}/client-auth-ca.crt \
    --server.endpoint=https://${PRIVATEIP}:${MASTERPORT} \
    --server.port=${MASTERPORT} \
    --master.endpoint=${PUBLICMASTERENDPOINTS} \
    --master.jwtSecret=${MASTERSECRET} \
    --mq.type=direct
TimeoutStopSec=60

[Install]
WantedBy=multi-user.target

When using the kafka type message queue, replace --mq.type=direct with --mq.type=kafka and add the following arguments.

    --mq.kafka-addr=${KAFKAENDPOINTS} \
    --mq.kafka-client-keyfile=${CERTIFICATEDIR}/kafka-client.key \
    --mq.kafka-cacert=${CERTIFICATEDIR}/tls-ca.crt

The sync master needs a TLS server certificate and a client authentication certificate, for authenticating with ArangoSync Masters in another datacenter. If you want the service to create a TLS certificate and a client authentication certificate on every start, add this to the Service section.

ExecStartPre=/usr/bin/sh -c "mkdir -p ${CERTIFICATEDIR}"
ExecStartPre=/usr/sbin/arangosync create tls keyfile \
    --cacert=${CERTIFICATEDIR}/tls-ca.crt \
    --cakey=${CERTIFICATEDIR}/tls-ca.key \
    --keyfile=${CERTIFICATEDIR}/tls.keyfile \
    --host=${PUBLICIP} \
    --host=${PRIVATEIP} \
    --host=${HOST} \
    --host=${CLUSTERDNSNAME}
ExecStartPre=/usr/sbin/arangosync create client-auth keyfile \
    --cacert=${CERTIFICATEDIR}/tls-ca.crt \
    --cakey=${CERTIFICATEDIR}/tls-ca.key \
    --keyfile=${CERTIFICATEDIR}/kafka-client.key \
    --host=${PUBLICIP} \
    --host=${PRIVATEIP} \
    --host=${HOST}
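
A preflight check for the unit and certificate steps above, as an added example that is not part of the ArangoSync documentation. It assumes the two environment files named in the unit hold the JWT secrets and that the key files in ${CERTIFICATEDIR} should be accessible to their owner only; the function names and finding labels are hypothetical.

```sh
#!/bin/sh
# Added example, not part of the ArangoSync documentation. Preflight for the
# unit above: the env files hold CLUSTERSECRET and MASTERSECRET, and
# CERTIFICATEDIR holds private keys. Names and labels here are hypothetical.

# Variables expanded by the unit's ExecStart line.
REQUIRED_VARS="CLUSTERENDPOINTS CLUSTERSECRET CERTIFICATEDIR PRIVATEIP MASTERPORT PUBLICMASTERENDPOINTS MASTERSECRET"
# Private-key files named in the unit and its ExecStartPre commands.
KEY_FILES="tls.keyfile tls-ca.key kafka-client.key"

# True when the file grants no permission bits to group or other.
owner_only() {
    case "$(ls -ld -- "$1" 2>/dev/null)" in
        ????------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the last value assigned to NAME ($1) across the env files that follow.
# systemd reads EnvironmentFile= entries in order, and later settings win.
env_value() {
    _name=$1; shift
    cat -- "$@" 2>/dev/null | sed -n "s/^[[:space:]]*${_name}=//p" |
        tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Print one finding per line; return 1 if anything was found.
preflight() {
    _rc=0
    for _f in "$@"; do
        if [ ! -f "$_f" ]; then echo "MISSING $_f"; _rc=1
        elif ! owner_only "$_f"; then echo "PERMS $_f"; _rc=1; fi
    done
    for _v in $REQUIRED_VARS; do
        [ -n "$(env_value "$_v" "$@")" ] || { echo "UNSET $_v"; _rc=1; }
    done
    _dir=$(env_value CERTIFICATEDIR "$@")
    for _k in $KEY_FILES; do
        [ -f "$_dir/$_k" ] || continue   # may not exist before the first start
        owner_only "$_dir/$_k" || { echo "PERMS $_dir/$_k"; _rc=1; }
    done
    return $_rc
}

# Usage: sh preflight.sh /etc/arangodb.env /etc/arangodb.env.local
if [ "$#" -gt 0 ]; then
    preflight "$@"
fi
```

A PERMS finding means the file grants some access to group or other; an UNSET finding means the unit would expand that variable to an empty string.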

The ArangoSync Master must be reachable on a TCP port ${MASTERPORT} (used with --server.port option). This port must be reachable from inside the datacenter (by sync workers and operations) and from inside of the other datacenter (by sync masters in the other datacenter).

Note that other sync masters in the same datacenter will contact this sync master through the endpoint specified in --server.endpoint. Sync masters (and sync workers) from the other datacenter will contact this sync master through the endpoint specified in --master.endpoint.

Since the sync masters can be CPU intensive when running lots of databases & collections, it is recommended to run them on dedicated machines with a lot of CPU power.

Consider these machines "pets".