How to Deploy a Cluster Without Using SSH

Note:
This topic has been translated from a Chinese forum by GPT and might contain errors.

Original topic: 集群部署如何不使用ssh

| username: TiDBer_eyHUd5pk

[TiDB Usage Environment] Production Environment
[TiDB Version] 6.0.0
[Encountered Problem: Problem Phenomenon and Impact]
Can the TiDB cluster deployment be done without using SSH? The SSH in the target environment is controlled, and servers cannot directly connect to each other using SSH. Does TiDB have other deployment methods?

| username: Jellybean

Generally speaking, machines within a cluster need to have mutual SSH access, and your control machine also needs SSH access to all cluster machines for tasks such as scaling and daily management.

I’m not sure about the specific scenario where you are restricted, but even under control, you should still be able to limit it to a local area network. Machines within the local area network can then have SSH access enabled.

| username: TiDBer_eyHUd5pk

In this scenario, all machines use a unified system for SSH connections, and only one machine can create SSH connections to other machines. Other machines cannot establish SSH connections between each other. Essentially, to establish an SSH connection, it must go through that specific software, and machines cannot establish their own internal connections.

| username: CuteRay

Yes, you just need to ensure that your control node, which is the node where tiup is installed, can SSH into the other machines. It is not necessary for all machines to be able to SSH into each other.

| username: TiDBer_eyHUd5pk

That’s right, the node that can access other machines via SSH is not the control machine. The control machine is a managed machine, and the top-level machine that can SSH into all other machines is not under our control.

| username: tidb菜鸟一只

Theoretically, it is possible to deploy each node without using tiup, but it should be very cumbersome. Currently, this content is no longer available on the official website, and using tiup is recommended.

| username: 啦啦啦啦啦

Although it is theoretically possible to deploy without SSH access to the central control machine, it will be very painful from deployment to later maintenance. It is best to apply for a separate whitelist.

| username: 裤衩儿飞上天

At times like this, you need to be assertive and tell them that the node must be activated, otherwise it won’t work. You can give an example: if they insist on installing Oracle RAC but the network is not connected, then it simply can’t be used. :smiling_imp:

| username: liuis

Not allowing machine intercommunication, what’s the point of installing it~

| username: 孤君888

You can install tiup on your unified SSH management machine.

| username: TiDBer_pkQ5q1l0

The security team hopes you use a single machine if possible, and split the password into three parts. :grinning: :grinning:

| username: TiDBer_eyHUd5pk

This machine is not ours; we cannot install it on it.

| username: liuis

No permissions, no installation :see_no_evil:

| username: 孤君888

Your requirement is unreasonable, unless you manually install each binary package one by one.