MemCachier Launches on Manifold

We’ve recently launched MemCachier on Manifold! A new company that aims to bring the developer app-store to everyone, rather than have it tied to a single specific PaaS player.

We are really excited by this partnership with Manifold and the mission they are on. Please check them out and give MemCachier a spin through them.

AWS Infrastructure Migration

The AWS infrastructure that MemCachier uses for direct sign-up and Heroku customers evolves over time. Amazon releases new EC2 instance types and new network infrastructure features on a regular basis. In order to exploit these new features, MemCachier occasionally needs to migrate caches to new infrastructure. We are planning to migrate all of our clusters to new AWS infrastructure over the course of the next few weeks, starting with development caches and production caches in less-used AWS regions next week. There is likely to be some limited impact on cache performance during the migration process, particularly as we retire existing EC2 instances in favor of new ones.

This migration should generally improve performance of our cache backends by switching to a newer generation of EC2 instance types, and it will also allow us to lock down security within our infrastrucutre in a more fine-grained way by switching all of our clusters over to using AWS VPC networking.

Please direct any questions about the migration process to support@memcachier.com. We will be reaching out to customers with larger caches and more exacting utilization patterns individually in the next few days.

Revamped Status Page

We are happy to announce some wide-ranging improvements to our status page. While it looks the same on the surface, it has been rewritten from scratch and is now much more tightly integrated with our monitoring infrastructure. For our customers, this has three main consequences.

Fully automated status updates

Status changes are now fully automated. Over the last few months we have carefully tuned the sensitivity of the status page to the point where we are now happy with its accuracy and responsiveness. While we continue to improve the algorithms that monitor our infrastructure, the status page reflects the health of our infrastructure better than ever.

Better differentiated status

We now differentiate between increased latency and reachability for the status of the proxies in our clusters. For convenience we use a simple traffic light approach: green means all proxies in a cluster are up and running and responding quickly enough, yellow means one or more proxies in a cluster are responding more slowly than usual, and red means that our monitoring infrastructure is unable to reach the proxy at all.

“Recently Resolved”

Previous support incidents have revealed that customers often visit our status page after an incident has already been resolved.  They are then puzzled because all our clusters show green statuses when they have clearly just had trouble connecting to our servers. To avoid this confusion, we now flag such clusters as “Recently Resolved” and highlight them with the color blue.

All these changes are also reflected in the status RSS feed. Please let us know if you think these changes are useful or what other features you would like to see next. We have an ongoing program of improvements in system monitoring and fault diagnosis, but we’re always very happy to hear ideas from customers that would make their experience using MemCachier better!

New Security Features

We have recently added some additional features to MemCachier. In brief, you can now have multiple sets of credentials for a cache, can rotate credentials, and can restrict some capabilities on a per-credential basis. These features are all controlled from the Credentials panel of the MemCachier dashboard for your cache:

credentials-panel

The features described in this article are also explained in the MemCachier documentation.

Credentials

Caches may now have multiple sets of username/password credentials. The credentials for a cache are listed in the table in the Credentials panel on your cache’s analytics dashboard. New credentials for a cache are created using the Add new credentials button, and credentials may be deleted using the X button next to the credentials row.

One set of credentials is distinguished as primary, while the rest are secondary credentials. For caches provided through our add-on with a third-party provider (e.g., Heroku or AppHarbor), the primary credentials are linked to the configuration variables stored with the provider. That is, these are the credentials you see when you look at your application’s environment.  Secondary credentials can be promoted to primary using the up-arrow button next to the credentials row. When secondary credentials are promoted to primary, the username and password for the credentials being promoted are pushed to the provider’s configuration variables.

In practice, this means that you can rotate the credentials for a MemCachier cache associated with a Heroku app by creating a new set of credentials and promoting them to primary. This will push the new username and password to the MEMCACHIER_USERNAME and MEMCACHIER_PASSWORD configuration variables in your Heroku app, and trigger a restart so your application will pick up the new MemCachier credentials.

This ability to have both a primary and many secondary credentials lets you to rotate your credentials with zero downtime!

Capabilities

We’ve further enhanced multiple credentials by adding a security extension to our memcache implementation: capabilities! These control the operations available to a client once they authenticate with the chosen credentials.

Each set of credentials for a cache has associated write and flush capabilities. By default, new credentials have both capabilities, meaning that the credentials can be used to update cache entries and flush the cache via the memcached API.

You can restrict a client to read-only access by switching off the write capability for its credentials, and prevent a client from using the memcached API to flush your cache by switching off the flush capability.

Per-credential capabilities are managed using the checkboxes on each credential row in the Credentials panel: if the checkbox is checked, the credential has the capability; if not, the capability is disabled for that credential.

Dashboard SSO rotation

The MemCachier dashboard for your cache is accessed via a persistent unique URL containing a cache-specific single-sign-on hash. For security, you may wish to rotate this cache-specific hash to generate a new unique URL for the cache dashboard. The Rotate SSO secret button in the Credentials panel of the dashboard does this hash rotation. Pressing this button generates a new hash and redirects the dashboard to the resulting new unique URL.

Security @ MemCachier

We value security and hope that you find these new features valuable to improve your own practices. As always, for a guide to MemCachier’s own internal security practices, see our documentation.

Flush Command Logging for Heroku

We are happy to announce a new feature for our Heroku customers. In the past we have had several requests from customer who wanted to know why their caches had been flushed. To help our clients find out how a flush command came about we now push a log message to the Heroku log whenever a cache is flushed.

The log message contains the hostname of the proxy the flush command was executed on as well as its origin. The origin can be one of the following:

  • memcache client: The flush command originates from a normal memcached client.
  • web interface: This happens when a client clicks “Flush Cache” on the analytics dashboard.
  • admin operation: MemCachier flushed the cache on your behalf. This can occur when you do perform operations like switching from one cluster to another.

We hope you find it useful! We’ll be looking to add more information to the Heroku log in the future and would love suggestions and feedback on this.