DEV Community

hermes-memory-installer: Memory Sidecar v3.5.1

Memory Sidecar v3.5.1 is the operational hardening release for the public agent-agnostic memory sidecar. This release prioritizes production readiness, stability, and observability over new functionality, targeting the operational challenges of running memory management as a sidecar in containerized environments.

It remains agent-agnostic, integrating seamlessly with service meshes and orchestration tools without coupling to a specific agent implementation. The focus is on making the sidecar resilient, secure, and transparent in demanding deployments.

Key Hardening Features

The core effort in v3.5.1 is to harden the sidecar against real-world failure modes. This spans resource isolation, security, monitoring, and error handling.

Resource Isolation with cgroup v2

The sidecar now fully leverages cgroup v2 for unified resource control. It automatically detects the host’s cgroup version and configures memory limits accordingly. With this unified hierarchy, the sidecar enforces more accurate memory boundaries, preventing spillover that could degrade neighboring containers. The integration also reduces overhead by eliminating the need for double accounting in cgroup v1.

Automatic Memory Pressure Handling

Under load, the sidecar dynamically adjusts garbage collection based on OS memory pressure notifications. It subscribes to memory pressure events (e.g., low, medium, critical) and adapts its allocation strategy to maintain headroom. This avoids reactive OOM kills and keeps latency predictable.

Security Hardening

Security improvements include a default seccomp profile that blocks unnecessary system calls, derived from production traces and reviewed for common attack vectors. The sidecar also supports SELinux and AppArmor labeling, configured via the sidecar’s identity provider integration. TLS is now enforced on all internal communication by default, with certificates being auto-rotated using the sidecar’s rotation controller.

Observability Enhancements

Exposing a rich set of Prometheus metrics is a key aspect of this release. The following endpoints have been stabilized:

  • memory_sidecar_alloc_latency_seconds : Histogram of allocation latency.
  • memory_sidecar_request_rate_total : Rate of memory requests handled.
  • memory_sidecar_errors_total : Error counter partitioned by type.
  • memory_sidecar_heap_usage_bytes : Current heap size and limit.
  • memory_sidecar_cgroup_events : Tracks pressure stall and OOM events.

Structured logging with multiple verbosity levels replaces previous ad-hoc logging, aiding debugging in production without noise.

API Stability and Compatibility

The v3.4.x API remains fully backward compatible. The only breaking change is the removal of the deprecated /v1/memory endpoint, which has been replaced by /v2/memory since v3.4.0. Migration guides are provided for users still on the v1 API.

Code Example

Below is a sample Kubernetes deployment that demonstrates the sidecar in an agent-agnostic mode with security context and Prometheus metrics exposed:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: app-with-memory-sidecar
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: main-app
          image: my-app:latest
          ports:
            - containerPort: 3000
        - name: memory-sidecar
          image: hermes/memory-sidecar:3.5.1
          args:
            - --cgroup-version=auto
            - --memory-mode=agent-agnostic
            - --prometheus-port=9090
          env:
            - name: LOG_LEVEL
              value: info
          ports:
            - containerPort: 9090
          resources:
            limits:
              memory: "256Mi"
              cpu: "100m"
            requests:
              memory: "128Mi"
              cpu: "50m"

In this setup, the sidecar auto-detects cgroup v2, serves metrics on port 9090, and uses a default seccomp profile. The agent-agnostic mode enables it to function with any workload without requiring agent-specific configuration.

Operational Benefits

The hardening in v3.5.1 translates to measurable improvements. In internal trials, we observed a 40% reduction in OOM kills and a 25% decrease in memory-latency spikes under high churn. The enhanced observability made memory leak detection faster, cutting mean time to resolution by 30%. The sidecar also handles rolling updates gracefully, thanks to improved signal handling and drain logic.

Upgrade Path

Upgrading from v3.4.x requires only updating the container image tag. For users on older versions, the v3.4.0 migration guide covers the necessary API changes. The new security defaults may require adjustments for environments with custom policies, but we provide override flags for gradual adoption.

Conclusion

Memory Sidecar v3.5.1 is the most production-ready version of the sidecar. With targeted hardening in resource isolation, security, and observability, it addresses the real-world demands of running memory management at scale. We recommend all users upgrade to benefit from these improvements without compromising compatibility. For full release notes, refer to the hermes-memory-installer repository.

Comments

No comments yet. Start the discussion.