Comment on page
Single VM deployment
Deploy CARTO Self-hosted using a Virtual Machine and Docker Compose
To deploy CARTO Self-Hosted based on a Single VM deployment, you need:
- A CARTO Self-Hosted installation package containing your environment configuration and a license key. The package has two files:
customer.env
andkey.json
. If you don't have it yet, you can ask for it at [email protected]. - A domain you own, to which you can add a DNS record.
CARTO Self-Hosted can be deployed in any Virtual Machine that meets the minimum requirements specified at Single VM deployments (docker-compose).
Google Cloud GCP Instance
AWS EC2 Instance
Azure VM
Create a new Linux VM in the Google Cloud console that meets the minimum requirements specified at Single VM deployments (docker-compose).
- Specify SSD persistent with a size that meets or exceeds the minimum requirements.
Create a new Linux EC2 instance in the Amazon EC2 console using the Ubuntu Server 22.04 LTS (x86) Amazon Machine Image (AMI).
- Specify SSD persistent with a size that meets or exceeds the minimum requirements.
- When creating the VM, use SSH public key authentication and provide a username. Generate a new key-pair and specify a name. Azure generates and stores the key in the Azure KeyVault to download later.
- Specify SSD persistent with a size that meets or exceeds the minimum requirements.
- Once the VM is initialized, download the private key when prompted. Update the permissions of the key-pair to ensure it has the required permissions for your SSH client.
chmod 400 <path_to_pem_file>
ssh -i <path_to_pem_file> <username>@<public_ip>
Ensure Delete public IP and NIC when VM is deleted is enabled.
Once, your VM is ready, you should log in via SSH and install the latest version of Docker Engine and Docker Compose.
Clone this repository:
git clone https://github.com/CartoDB/carto-selfhosted.git
cd carto-selfhosted
git checkout tags/2023.10.25
Copy into
carto-selfhosted
folder the two files of the installation packagecustomer.env
key.json
Configure your CARTO Self-hosted domain by updating the env var
SELFHOSTED_DOMAIN
to my.domain.com. A full domain is required. You cannot install CARTO in a domain path like https://my.domain.com/carto
Create a DNS record that points my.domain.com to the External IP of your VM. For debugging purposes, you might want to modify your /etc/hosts:
echo "34.172.214.74 my.domain.com" >> /etc/hosts
Add to customer.env the configuration of the external database. At this point, you need to provide a PostgreSQL admin user (typically
postgres
) with permission to create users and databases.- POSTGRES_ADMIN_USER: Your PostgreSQL admin user.
- POSTGRES_ADMIN_PASSWORD: The password of your admin user.
- WORKSPACE_POSTGRES_USER: The admin user to be created. It will be created with the previous admin user.
- WORKSPACE_POSTGRES_PASSWORD: The new password to be created.
- WORKSPACE_POSTGRES_DB: The database to be created.
For Azure Postgres instances you'll need a couple of extra env vars
- WORKSPACE_POSTGRES_INTERNAL_USER: Same value as
WORKSPACE_POSTGRES_USER
but without the@db-name
prefix. - POSTGRES_LOGIN_USER: Same value as
POSTGRES_ADMIN_USER
but without the@db-name
prefix.
# Set to 0 to not create the PostgreSQL container locally
LOCAL_POSTGRES_SCALE=0
WORKSPACE_POSTGRES_HOST=<YourServerIP>
WORKSPACE_POSTGRES_PORT=5432
WORKSPACE_POSTGRES_USER=carto_worskpace_admin
WORKSPACE_POSTGRES_PASSWORD=carto_worskpace_admin
WORKSPACE_POSTGRES_DB=carto_worskpace
# SSL will be enabled later.
WORKSPACE_POSTGRES_SSL_ENABLED=false
WORKSPACE_POSTGRES_SSL_MODE=disable
POSTGRES_ADMIN_USER=postgres
POSTGRES_ADMIN_PASSWORD=postgres
In some scenarios, it's required an SSL connection between the external database and the APIs. In that case, you should provide the SSL certificate and add to customer.env the SSL configuration of your server.
WORKSPACE_POSTGRES_SSL_ENABLED=true
WORKSPACE_POSTGRES_SSL_MODE=require
# Only applies if Postgres SSL certificate is self-signed
WORKSPACE_POSTGRES_SSL_CA=/usr/src/certs/<CERTIFICATE_NAME>.pem
Mutual TLS connections between the external database and the APIs are not supported, so client certificates can't be configured on your external database
You should copy your certificate in
.pem
format into the certs
folder located inside your installation route. We'll automatically mount the whole certs
folder inside the required containers so that they can use the SSL certificate.Run the
install.sh
script to generate the .env
file out of the customer.env
file:bash install.sh
Bring up the environment:
docker-compose up -d
Check all the containers are up and running:
docker-compose ps
All containers should be in the state
Up
, except for workspace-migrations
which state should be Exit 0
, meaning the database migrations finished correctly.A non-production-ready deployment of CARTO should be available at
https://my.domain.com.
CARTO Self-hosted platform needs access to some storage buckets to save some resources needed by the platform. These buckets are in charge of storing assets such as imported datasets, map snapshots and custom markers.
You can create and use your own storage buckets in any of the following supported storage providers:
And in order to configure them, there is a detailed guide available that you should follow to complete the Self-Hosted configuration process.
By default, CARTO Self-hosted will generate and use a self-signed certificate. In production environments, you need to provide your own SSL certificate.
If you don't have yet a valid certificate for the domain of your Self-hosted, you might be interested in using https://letsencrypt.org/ to get a valid one.
A valid certificate contains:
- A
.crt
file with your custom domain x509 certificate. - A
.key
file with your custom domain private key.
If your TLS certificate key is protected with a passphrase the CARTO Self-hosted installation won't be able to work as expected. You can easily generate a new key file without passphrase protection using the following command:
openssl rsa -in keyfile_with_passphrase.key -out new_keyfile.key
- 1.Create a
certs
folder in the current directory (carto-selfhosted
) - 2.Copy your
<cert>.crt
and<cert>.key
files in thecerts
folders - 3.Modify the following vars in the
customer.env
file:ROUTER_SSL_AUTOGENERATE=0ROUTER_SSL_CERTIFICATE_PATH=/etc/nginx/ssl/my.domain.com.crtROUTER_SSL_CERTIFICATE_KEY_PATH=/etc/nginx/ssl/my.domain.com.key
Refresh:
bash install.sh
docker-compose up -d
In order to verify CARTO Self Hosted was correctly installed, and it's functional, we recommend performing the following checks:
- 1.Sign in to your Self Hosted, create a user and a new organization.
- 2.Go to the
Connections
page, in the left-hand menu, create a new connection to one of the available providers. - 3.Go to the
Data Explorer
page, click on theUpload
button right next to theConnections
panel. Import a dataset from a local file. - 4.Go back to the
Maps
page, and create a new map. - 5.In this new map, add a new layer from a table using the connection created in step 3.
- 6.Create a new layer from a SQL Query to the same table. You can use a simple query like:
SELECT * FROM <dataset_name.table_name> LIMIT 100;
- 7.Create a new layer from the dataset imported in step 4.
- 8.Make the map public, copy the sharing URL, and open it in a new incognito window.
- 9.Go back to the
Maps
page, and verify your map appears there, and the map thumbnail represents the latest changes you made to the map.
Congrats! Once you've configured your custom buckets, you should have a production-ready deployment of CARTO Self-Hosted at
https://my.domain.com
The installation of CARTO Self-Hosted doesn't require root privileges. It can be performed using a regular system user with permission to execute the
docker
and docker-compose
binaries. This means that once the dependencies and prerequisites are satisfied, the operator that runs the installation only requires permission to run the docker and docker-compose binaries.
This is usually achieved by adding the system user to the docker group, but there is more detailed information here.
The following standard commands of docker-compose could be used to debug possible issues that might arise:
docker-compose logs
and docker-compose ps
The container workspace-migrations will be responsible for creating a new user carto_worskpace_admin and a database carto_workspace.
To debug possible errors with the connection of the external database, you might need to check the logs of this container:
docker-compose logs workspace-migrations
Last modified 22d ago