Skip to main content
Version: Develop

Using a9s KeyValue

This topic describes how to use a9s KeyValue.

Use a9s KeyValue with an Application

To use a9s KeyValue with an application, create a service instance and bind the service instance to your app. For more information about managing service instances, see Managing Service Instances with the cf CLI.

View the a9s KeyValue Service

After the tile is installed, you can see a9s-keyvalue and its service plans appear in your CF marketplace. Run cf marketplace to see the service listing:

$ cf marketplace
Getting services from marketplace in org test / space test as admin...
OK
service plans description
a9s-keyvalue keyvalue8-single-ssl, keyvalue8-replica-ssl, keyvalue8-single-no-logging-ssl This is the a9s KeyValue service.

Create a Service Instance

To provision a Valkey database, run cf create-service. For example.

cf create-service a9s-keyvalue keyvalue8-single-ssl my-keyvalue-service

Depending on your infrastructure and service broker utilization, it might take several minutes to create the a9s service instance.

Run the cf services command to view the creation status. This command displays a list of all your service instances. To view the status of a specific service instance, run cf service NAME-OF-YOUR-SERVICE.

Bind an Application to a Service Instance

After your database is created, run cf bind-service to bind the service to your application:

cf bind-service a9s-keyvalue-app my-keyvalue-service

Restage or Restart Your Application

To enable your application to access the service instance, run cf restage or cf restart to restage or restart your application.

Obtain Service Instance Access Credentials

After a service instance is bound to an application, the credentials of your Valkey database are stored in the environment variables of the application. Run cf env APP-NAME to display the environment variables.

You can find the credentials in the VCAP_SERVICES key.

cf env a9s-keyvalue-app
Getting env variables for app a9s-keyvalue-app in org test / space test as admin...

System-Provided:
{
"VCAP_SERVICES": {
"a9s-keyvalue": [
{
(...)
"credentials": {
"host": "EXAMPLE-master.service.dc1.a9ssvc",
"hosts": [
"EXAMPLE-valkey-0.node.dc1.a9ssvc",
"EXAMPLE-valkey-1.node.dc1.a9ssvc",
"EXAMPLE-valkey-2.node.dc1.a9ssvc"
],
"load_balanced_host": "EXAMPLE.service.dc1.a9ssvc",
"valkey": {
"password": "EXAMPLE-VALKEY-PASSWORD",
"port": 6379,
"username": "EXAMPLE-VALKEY-USERNAME"
},
"sentinel": {
"master_name": "EXAMPLE-master",
"password": "EXAMPLE-SENTINEL-PASSWORD",
"port": 26379,
"username": "EXAMPLE-SENTINEL-PASSWORD"
}
}
(...)
}
]
}
}

...
Check credentials for a9s KeyValue 8
$ cf env a9s-keyvalue-app
Getting env variables for app a9s-keyvalue-app in org test / space test as admin...

System-Provided:
{
"VCAP_SERVICES": {
"a9s-keyvalue": [
{
(...)
"credentials": {
"host": "EXAMPLE-master.service.dc1.consul",
"hosts": [
"EXAMPLE-valkey-0.node.dc1.consul",
"EXAMPLE-valkey-1.node.dc1.consul",
"EXAMPLE-valkey-2.node.dc1.consul"
],
"load_balanced_host": "EXAMPLE.service.dc1.consul",
"password": "EXAMPLE-PWD",
"port": 6379,
"sentinel_master_name": "EXAMPLE-master",
"sentinel_port": 26379
}
(...)
}
]
}
}
...

You can use the host and password values to connect to your database with a Valkey client, by using only the host variable, your application does not need to know anything about Valkey Sentinel. However if you use the hosts variable or the load_balanced_host, your application needs to know about Valkey Sentinel and being able to work with Valkey Sentinel. This means, by using the host variable, the failover is handled by the logic within our service and if you use one of the other variables, the failover needs to be handled by your application.

note

The sentinel information and its subfields are only present for service instances with cluster plans.

Access Credentials

The user access control is based on Valkey Access Control List (ACL). Each credential has some pre-configured permissions and does not have admin privileges.

Best Practices

There are some best practices for using service binding information in apps in a separate document.

Delete an a9s KeyValue Service Instance

caution

Before deleting a service instance, you must backup data stored in your database. This operation cannot be undone and all the data is lost when the service is deleted.

Before you can delete a service instance, you must unbind it from all apps.

List Available Services

Run cf services to list available services.

$ cf services

Getting services in org test / space test as admin...
OK

name service plan bound apps last operation
my-keyvalue-service a9s-keyvalue8 keyvalue8-single-ssl a9s-keyvalue-app create succeeded

This example shows that my-keyvalue-service is bound to the a9s-keyvalue-app application.

Unbind a Service Instance

Run cf unbind-service to unbind the service from your app:

cf unbind-service a9s-keyvalue-app my-keyvalue-service

Delete a Service Instance

After unbinding the service, it is no longer bound to an app. Run cf delete-service to delete the service:

cf delete-service my-keyvalue-service

It may take several minutes to delete the service. Deleting a service deprovisions the corresponding infrastructure resources. Run the cf services command to view the deletion status.

Upgrade the Service Instance to another Service Plan

Once created, you can upgrade your service instance to another, larger service plan. A larger service plan provides more CPU, RAM and storage. For more information, see the Update a Service Instance of the Managing Service Instances with the cf CLI topic.

cf update-service my-keyvalue-service -p a-bigger-plan

Change RDB Persistence Settings

a9s KeyValue supports RDB persistence with point in time snapshots. This setting can be changed by the user.

Default Behavior

By default, the persistency is disabled for a9s KeyValue service instances.

Note

When persistency is disabled, the a9s KeyValue ensures state consistency, which means no RDB (Redis Database) should exist. Therefore, manually creating an RDB via the API must be avoided, as it could lead to inconsistent behavior, such as recovering undesired data in some cases.

Please note that in a non-persistent scenario, if the Service Instance is a single plan and the Valkey process is restarted, data will be cleaned up. However, if the Service Instance is a replica plan, the replica will recover the data even if one of the nodes of the Service Instance has restarted the Valkey process.

Configuring RDB

You can configure RDB according to the needs of your apps by providing custom parameters as settings. This setting must follow the original Valkey configuration for RDB -c "{\"snapshot\": \"['save 900 1','save 300 10']\"}.

cf update-service my-keyvalue-service -c "{\"snapshot\": \"['save 900 1','save 300 10']\"}"

In this example, it configures to snapshot the Valkey database according to the following rules:

SettingEffect
save 900 1Create a snapshot after 900 seconds if 1 write operations occurred.
save 300 10Create a snapshot after 300 seconds if 10 write operations occurred.

Cache Only

You can disable snapshots and use Valkey as cache only by creating the service with the following custom parameter: -c "{\"snapshot\": \"[]\"}".

The command is:

cf update-service my-keyvalue-service -c "{\"snapshot\": \"[]\"}"

For more information, see the snapshot settings in the documentation of Valkey Persistence.

Change Maxmemory Policy

With the maxmemory_policy, you can configure a9s KeyValue which key to remove when maxmemory is reached. There are several configurable behaviors.

SettingEffect
volatile-lruRemove the key with an expire set using an LRU algorithm
This is the default value.
allkeys-lruRemove any key according to the LRU algorithm
volatile-randomRemove a random key with an expire set
allkeys-randomRemove a random key
volatile-ttlRemove the key with the nearest expire time (minor TTL)
noevictionDon't expire at all, just return an error on write operations

You can use -c {"maxmemory-policy": "volatile-ttl"} to update the maxmemory-policy.

cf update-service my-keyvalue-service -c {"maxmemory-policy": "volatile-ttl"}

For more information, see the maxmemory_policy settings in the self documented valkey.conf.

HA Cluster with Valkey Sentinel

a9s KeyValue uses Valkey Sentinel to provide a high available replication set. Valkey Sentinel is monitoring several nodes, takes care of the automatic failover and is able to send notifications when something in the cluster is changing.

a9s KeyValue provides some settings to adjust the cluster behavior. min-slaves-max-lag, down-after-milliseconds, and failover-timeout.

SettingEffect
min_replicas_max_lagTime in seconds how long the master waits before he stops accepting write operations, when replicas are no more reachable. Default is 10 seconds. min-replicas-to-write can not be changed, it is fixed set to 1.
See valkey.conf
down-after-millisecondsNumber of milliseconds the master is unreachable in order to mark it a S_DOWN state. Default is 10000 ms.
See sentinel.conf
failover-timeoutThe failover timeout value in milliseconds. Default is 30000 ms.
See sentinel.conf
cf update-service my-keyvalue-service -c {"min_replicas_max_lag": "10"}
cf update-service my-keyvalue-service -c '{"down-after-milliseconds": "10000"}'
cf update-service my-keyvalue-service -c '{"failover-timeout": "30000"}'

Add a Graphite Endpoint

caution

Streaming of logs and metrics might not be available for your plan! If unsure, please check your plan description.

If you want to monitor your service with Graphite, you can set the custom parameter graphite. It expects the host and port where the Graphite metrics should be sent to.

For example, in order to send Graphite metrics to an endpoint yourspace.your-graphite-endpoint.com:12345, you can use the following command:

cf update-service my-instance -c '{ "graphite": "yourspace.your-graphite-endpoint.com:12345" }'

The endpoint would then receive metrics in the format:

<service_guid>.<service_type>.<host>.<metric> <metric value> <metric timestamp>

Metrics Frequency

By default, metrics will be emitted every 10 seconds. You can change the interval via the custom parameter metrics_frequency.

For example, in order to send Graphite metrics to an endpoint every minute, you would set the custom parameter metrics_frequency to 60 using the following command:

cf update-service my-instance -c '{  "metrics_frequency": 60 }'

Metrics Prefix

Depending on your graphite provider, you might need to prefix the metrics with a certain value, like an API key for example. In this case you can leverage the custom parameter metrics_prefix.

cf update-service my-instance -c '{  "metrics_prefix": "my-api-key-for-a-certain-provider" }'

The resulting metric path would have the format:

<metrics_prefix>.<service_guid>.<service_type>.<host>.<metric>

Metrics

These are all metrics provided by a9s KeyValue.

Metric IdTypeDescription
blocked_clientsIntegerNumber of clients pending on a blocking call (BLPOP, BRPOP, BRPOPLPUSH, BLMOVE, BZPOPMIN, BZPOPMAX). documentation
connected_clientsIntegerNumber of client connections (excluding connections from replicas). documentation
connected_slavesIntegerNumber of connected replicas. documentation
evicted_keysIntegerNumber of evicted keys due to maxmemory limit. documentation
expired_keysIntegerTotal number of key expiration events. documentation
instantaneous_ops_per_secIntegerNumber of commands processed per second. documentation
keyspace_hitsIntegerNumber of successful lookup of keys in the main dictionary. documentation
keyspace_missesIntegerNumber of failed lookup of keys in the main dictionary. documentation
master_last_io_seconds_agoIntegerNumber of seconds since the last interaction with master. documentation
master_link_down_since_secondsIntegerNumber of seconds since the link is down. documentation
master_link_statusTextStatus of the link (up/down). documentation
master_sync_last_io_seconds_agoIntegerNumber of seconds since last transfer I/O during a SYNC operation. documentation
mem_fragmentation_ratioFloatRatio between used_memory_rss and used_memory. Note that this doesn't only includes fragmentation, but also other process overheads (see the allocator_* metrics), and also overheads like code, shared libraries, stack, etc. documentation
min_slaves_good_slavesIntegerNumber of replicas currently considered good. documentation
rejected_connectionsIntegerNumber of connections rejected because of maxclients limit. documentation
roleTextValue is "master" if the instance is replica of no one, or "slave" if the instance is a replica of some master instance. documentation
slaveXX.lagIntegerThe read replication lag of the replica instance. documentation
slaveXX.offsetIntegerThe read replication offset of the replica instance. documentation
total_commands_processedIntegerTotal number of commands processed by the server. documentation
total_connections_receivedIntegerTotal number of connections accepted by the server. documentation
used_memoryIntegerTotal number of bytes allocated by Valkey using its allocator (either standard libc, jemalloc, or an alternative allocator such as tcmalloc) documentation
used_memory_luaIntegerNumber of bytes used by the Lua engine. documentation
used_memory_peakIntegerPeak memory consumed by Valkey (in bytes). documentation
used_memory_rssIntegerNumber of bytes that Valkey allocated as seen by the operating system (a.k.a resident set size). documentation
*.valkey.*.*.*.blocked_clients
*.valkey.*.*.*.connected_clients
*.valkey.*.*.*.connected_slaves
*.valkey.*.*.*.evicted_keys
*.valkey.*.*.*.expired_keys
*.valkey.*.*.*.instantaneous_ops_per_sec
*.valkey.*.*.*.keyspace_hits
*.valkey.*.*.*.keyspace_misses
*.valkey.*.*.*.master_last_io_seconds_ago
*.valkey.*.*.*.master_link_down_since_seconds
*.valkey.*.*.*.master_link_status
*.valkey.*.*.*.master_sync_last_io_seconds_ago
*.valkey.*.*.*.mem_fragmentation_ratio 4
*.valkey.*.*.*.min_slaves_good_slaves
*.valkey.*.*.*.rejected_connections
*.valkey.*.*.*.role
*.valkey.*.*.*.slaveXX.lag
*.valkey.*.*.*.slaveXX.offset
*.valkey.*.*.*.total_commands_processed
*.valkey.*.*.*.total_connections_received
*.valkey.*.*.*.used_memory
*.valkey.*.*.*.used_memory_lua
*.valkey.*.*.*.used_memory_peak
*.valkey.*.*.*.used_memory_rss

System Metrics

Aside from the metrics shown above, this Data Service also provides system metrics, common to all a9s Data Services. They can be seen in the Graphite metrics documentation.

Cloud Foundry Org and Space Guid

The platform operators can enable support on a global level to prefix the Graphite metrics with the CloudFoundry organization and space. This means that all metrics of all service instances (not only yours!) contain that information.

In this case the Graphite metric paths have the following format:

<organization_guid>.<space_guid>.<service_guid>.<service_type>.<host>.<metric>

When you enable in addition the metrics_prefix for your instance, you will end up with the metric path format:

<metrics_prefix>.<organization_guid>.<space_guid>.<service_guid>.<service_type>.<host>.<metric>

Add a Syslog Endpoint

The cf update-service command used with the -c flag can let you stream your syslog to a third-party service. In this case, the command expects a JSON string containing the syslog key. A single endpoint item for syslog can be provided, as well as an array of endpoints. host and port are mandatory parameters.

The protocol parameter is optional. The accepted values are:

  • udp sets rfc by default to rfc3164.
  • tcp sets rfc by default to rfc3164.
  • ssl-tcp sets rfc by default to rfc6587.
    • For ssl-tcp; ssl_cert and ssl_key are required parameters.
    • If ssl_verify is set to true, then ssl_cacert must also be provided.

To remove all endpoints, simply set syslog to [].

rfc values

Optionally, the rfc parameter can be explicitly overwritten. Valid values: rfc3164, rfc5424 and rfc6587.

cf update-service my-service \
-c '{
"syslog": [
{
"host": "logs4.your-syslog-endpoint.com",
"port": "6514",
"protocol": "ssl-tcp",
"rfc": "rfc6587",
"ssl_cert": "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----",
"ssl_key": "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----",
"ssl_cacert": "-----BEGIN PRIVATE KEY----- ... -----END PRIVATE KEY-----",
"ssl_verify": "false"
}
]
}'
Syslog Endpoints' Legacy Format

The legacy format to specify syslog endpoints (["hostname1:port1", "hostname2:port2"]) is still supported.

Cloud Foundry Application Security Groups

This topic describes how to check whether a security group was created.

Each a9s Data Service will automatically create and update Cloud Foundry security groups in order to protected service instances to be accessed by applications not running in the same Cloud Foundry applications space. To get a better understanding about Security Groups you can have a look on the Understanding Application Security Groups topic.

Get Service Instance GUID

Run cf service INSTANCE_NAME --guid to get the guid of the service instance.

$ cf service my-keyvalue-service --guid
ca16f111-5073-40b7-973a-156c75dd3028

Check available Security Groups

To see all available security groups use cf security-groups.

$ cf security-groups
Getting security groups as demo@anynines.com
OK

Name Organization Space
#0 public_networks
#1 dns
#2 tcp_open
#3 guard_432fb752-876d-443b-a311-a075f4df2237 demonstrations demo
#4 guard_ca16f111-5073-40b7-973a-156c75dd3028 demonstrations demo

There we can see a security group with the named guard_ca16f111-5073-40b7-973a-156c75dd3028 was successfully created.

note

In some circumstances the connection between the application and the service instance is not possible, in this case check if a security group was created.

a9s KeyValue Custom Parameters

As an end user you have the opportunity to customize your service instance by using custom parameters. Custom parameters are passed on to a service instance by using the -c switch of the cf CLI commands cf create-service and cf update-service. For example

cf update-service mykeyvalue -c '{"maxclients": 1000}'

would set the maxclients limit to the value 1000 for the service instance mykeyvalue.

You don't have to utilize those settings. There are sane defaults in place that fit your service plan well.

Every parameter corresponds to a property in the configuration file for the respective Valkey version.

lazyfree-lazy-eviction

The default value is no. The allowed values are yes and no.

lazyfree-lazy-expire

The default value is no. The allowed values are yes and no.

lua-time-limit

The default value is 5000. The value must be an integer.

maxclients

The default value is 10000. The value must be an integer > 0.

maxmemory-policy

The default value is volatile-lru The allowed string values are:

  • volatile-lru
  • volatile-lfu
  • volatile-random
  • volatile-ttl
  • allkeys-lru
  • allkeys-lfu
  • allkeys-random
  • noeviction

For an explanation, see here.

maxmemory-samples

The default value is 5. The value must be an integer >= 0.

notify-keyspace-events

This parameter allows to configure the Valkey Keyspace Notifications.

The default value is '' which means by default keyspace events are disabled.

failover-timeout

It is a Valkey sentinel property that specifies the failover timeout in milliseconds. The default is 30 seconds.

The default value is 30000. The value must be an integer >= 0.

down-after-milliseconds

It is a Valkey sentinel property that specifies the milliseconds a node is unreacheable in order to consider it subjectively down. The default is 10 seconds.

The default value is 10000. The value must be an integer >= 0.

tls-protocols

You can explicitly specify TLS versions to support. Allowed values are "TLSv1.2" and "TLSv1.3" or any combination.

caution
  • Improper changes to this value can easily break existing instances.
  • When using TLSv1.3 only, Valkey specific metrics will not be provided.

The default value is null. In this case Valkey uses TLSv1.2 and TLSv1.3.

tls-ciphers

Configure allowed ciphers. See the ciphers(1ssl) manpage for more information about the syntax of this string.

caution

There is no validation enabled for the user provided values and therefore existing instances can break when applying this parameter.

The default value is null which comments out the Valkey config tls-ciphers in the Valkey and Sentinel configuration files.

tls-ciphersuites

Configure allowed ciphersuites. See the ciphers(1ssl) manpage for more information about the syntax of this string, and specifically for TLSv1.3 ciphersuites.

caution

There is no validation enabled for the user provided values and therefore existing instances can break when applying this parameter.

The default value is null which comments out the Valkey config tls-ciphersuites in the Valkey and Sentinel configuration files.

hostname-resolution

note
  • This feature specifically applies to a9s KeyValue Cluster instances.
caution
  • When enabling or disabling the feature in an existing a9s Service Instance, there might be an increased downtime during the first cluster update due to a temporary divergence in Sentinel's settings when switching between IP address and hostname.
  • When enabled, unexpected delays in address resolution may have a negative impact on Sentinel. For more information, refer to the Valkey documentation.

The feature provides the option to enable and disable DNS/hostname support in Valkey and Sentinel. When enabled, it will utilize the hostname for internal cluster communication and announce Valkey and Sentinel node information using the hostname instead of the typical IP address.

Using this feature is useful when Valkey clients use TLS to connect to service instances and require a hostname rather than an IP address in order to perform certificate ASN matching.

Using it

To enable or disable hostname-resolution, it is important to follow a series of steps to ensure safety and prevent significant downtime or data loss. Depending on its current state, the process may require adjusting a custom parameter in two steps. See the cases below:

  • To enable it in an existing Service Instance, follow these steps: disabled → resolve-only → enabled.
  • To disable it in an existing Service Instance, follow these steps: enabled → resolve-only → disabled.
  • When you create a new Service Instance, you can set any value directly. We suggest using either enabled or disabled.
note

Please note that transitioning directly from disabled to enabled, and vice versa, is not possible in an existing Service Instance.

States/ValuesDescription
disabledHostname resolution and announcement are fully disabled.
resolve-onlyHostname resolution is enabled but announcement is disabled.
enabledHostname resolution and announcement are fully enabled.

The default value is disabled.

Backup and Restore Service Instances

a9s KeyValue provides an easy way to create backups and restore if needed. For a more detailed description, please see the a9s Service Dashboard documentation.

Make a Service Instance Locally Available

It is possible to access any of the a9s Data Services locally. That means you can connect with a local client to the service for any purpose such as debugging. CF provides a smart way to create SSH forward tunnels via a pushed application. For more information about this feature see the Accessing Apps with SSH section of the CF documentation.

First of all you must have an application bound to the service. How to do this see Bind an Application to a Service Instance.

note

cf ssh support must be enabled in the platform. Ask your administrator if you are not sure.

Get The Service URL and Credentials

When you follow this instructions Obtain Service Instance Access Credentials you will get the hostname of the service and the user credentials.

$ cf env a9s-keyvalue-app
Getting env variables for app a9s-keyvalue-app in org test / space test as admin...
OK

System-Provided:
{
"VCAP_SERVICES": {
"a9s-keyvalue8": [
{
(...)
"credentials": {
"cacrt": "-----BEGIN CERTIFICATE-----\nMIIDGzCCAgOgAwIBAgIUJaCrwZnds7aY8+Jr+mvE....CMYZPYrlJ7jsTRt4NMrIp+jr+8tUd8J\n9eb7012/YK0d025ik2Qt\n-----END CERTIFICATE-----\n",
"host": "EXAMPLE-master.service.dc1.a9ssvc",
"valkey": {
"password": "EXAMPLE-VALKEY-PASSWORD",
"port": 6379,
"username": "EXAMPLE-VALKEY-USERNAME"
},
"sentinel": {
"master_name": "EXAMPLE-master",
"password": "EXAMPLE-SENTINEL-PASSWORD",
"port": 26379,
"username": "EXAMPLE-SENTINEL-PASSWORD"
}
}
(...)
}
]
}
}
...

Notice the host EXAMPLE.service.dc1.a9svs, the username EXAMPLE-VALKEY-USERNAME and the password EXAMPLE-VALKEY-PASSWORD. You will need this in the next step.

Create a Tunnel to The Service

With the cf ssh as mentioned before you can create a ssh forward tunnel to the management dashboard. Use port 6379 to connect to the a9s KeyValue Instance.

$ cf ssh a9s-keyvalue-app -L 6379:EXAMPLE.service.dc1.a9svs:6379
vcap@956aaf4e-6da9-4f69-4b1d-8e631a403312:~$

When the ssh tunnel is open you can access the instance over the address localhost:6379.

If the instance you have created is based on an SSL-plan, then you would need to provide a CA certificate when connecting to it using the tunnel approach. To do so you can rely on the certificate shown when executing cf env, as shown above.

You should save the certificate from the credentials.cacrt value of the VCAP_SERVICES object into some local file.

Then, while the tunnel is open you can use the redis-cli to interact with your KeyValue instance from your local machine:

valkey-cli -h 127.0.0.1 -p 6379 --user <user> --pass <password> --tls --cacert "$LOCAL_CA_CERT_FILE"
note

Don't forget to close the session with exit.

Setup Disk Usage Alerts

Each service comes with the a9s Parachute. This component monitors ephemeral and persistent disk usage. See the a9s Parachute documentation how to configure the component.