Red Hat supports a major version of Cryostat for a minimum of 6 months. Red Hat bases this figure on the time that the product gets released on the Red Hat Customer Portal.

You can install and deploy Cryostat on Red Hat OpenShift Container Platform 4.10 or a later version that runs on an x86_64 architecture.

Cryostat 2.3 introduces new features that enhance your use of the Cryostat product.

Connection to GraalVM Native Images

From Cryostat 2.3.1 onward, Cryostat can connect to GraalVM Native Images over Java Management Extensions (JMX). This feature requires that the target applications are built with GraalVM or Mandrel 23.0 or later. You must also ensure that the target applications are correctly configured to support connections to Cryostat over JMX.

Cross-namespace target application discovery

In Cryostat 2.3, you can deploy a Cryostat instance that services multiple Red Hat OpenShift namespaces. The Red Hat build of Cryostat Operator introduces the Cluster Cryostat API, which you can use to create Cryostat instances that work across multiple namespaces.

Users who can access the multi-namespace Cryostat instance have access to all target applications in any namespace that is visible to that Cryostat instance. Therefore, when you deploy a multi-namespace Cryostat instance, you must consider which namespaces to select for monitoring, which namespace to install Cryostat into, and the users to which you want to grant access.

Topology view

In Cryostat 2.3, a new view is introduced to help you view and perform actions on your target Java Virtual Machines (JVM)s. The Topology view provides a visual representation of the target JVMs and all the resources that are associated with those JVMs. You can view your deployment scenarios on Cryostat and verify that your deployments are as you expect.

You can customize the Topology view according to your requirements. For example, you can switch from a graph display to a list display and use filters to specify the information that you want to show.

You can also use the Topology view to perform actions on one or more target applications at the same time. You can select a pod or a deployment and, by clicking the Actions menu, you can run various actions, for example, starting or stopping recordings, on all target applications in the selection.

QuickStart guides and guided tour

In Cryostat 2.3, Quick Start guides and an interactive guided tour are delivered to help you get started with Cryostat and learn more about its features and capabilities.

The Quick Start guides provide step-by-step instructions on how to perform tasks, such as starting a recording, using the Cryostat dashboard, or getting started with automated rules.

Cryostat 2.3 also delivers an interactive guided tour to help you navigate the Cryostat user interface (UI) and learn how to perform specific tasks. The tour guides you through the Cryostat UI, the navigation menus and the available functions. The tour opens automatically the first time you start Cryostat 2.3, however, you can skip or restart the tour at any time.

You access the Quick Start guides and the guided tour from the upper right corner of the Cryostat UI by clicking the "?" icon.

Cryostat agent

Cryostat 2.3 introduces a new Java instrumentation agent to help you detect and monitor your target JVM applications. The Cryostat agent is an HTTP API that acts as a plug-in for applications that run on the JVM and retrieves a wide range of information from the applications for analysis by Cryostat.

Previously, Cryostat required target applications to expose a Java Management Extensions (JMX) port. Cryostat then communicated with the application JVMs over this JMX port to start and stop Java Flight Recorder (JFR) recordings and to pull JFR data over the network.

The new Cryostat agent retrieves JFR data from the JVM and sends it back to Cryostat over HTTP. The agent exposes only a small, read-only HTTP API, making it easier to audit and secure than a JMX port.

Customizable features on the Cryostat dashboard

Cryostat 2.3 introduces several new features to enhance the Cryostat dashboard to help users view important information about their target JVMs. The following new features are delivered:

With these new features, you can better customize the dashboard to suit your requirements and have more flexibility in monitoring and analyzing your Java applications.

Label to denote beta features

In Cryostat 2.3, a new label is available to highlight beta features. You can use this label if you want to be aware of and preview any beta features. A beta feature might not yet be functionally complete and ready to use in production.

To be able to preview beta features, you can set this flag from the Settings view. On the Settings view, click Advanced and, from the Feature level menu, select Beta.

Cryostat 2.3 includes feature enhancements that build upon the Cryostat 2.2 offerings.

User actions on node groups disabled when performing back-end checks

From Cryostat 2.3.1 onward, the Topology view of the Cryostat web console automatically disables user actions on groups of target JVMs while back-end checks are in progress. This ensures that users cannot perform actions in the Cryostat web console when, for example, network latency might delay the completion of a back-end check.

Settings view

In Cryostat 2.3, the Settings view is updated with various enhancements to the visual display of the view and to provide additional settings that you can configure. The updates include the following enhancements:

Automated analysis reports

In Cryostat 2.3, the Automated analysis reports are enhanced. Enhancements include the following updates:

Ability to bookmark URL links

With Cryostat 2.3, you can create bookmarks on your browser to the direct URLs of different sections and views of your Cryostat instance.

Multiple file upload

With Cryostat 2.3, you can upload multiple files simultaneously by using the File upload action on the Cryostat user interface. To upload the selected files, click Upload. When the upload is complete, click Submit.

More informative target application connection URL

In Cryostat 2.3, the format of the Connection URL of your target application is enhanced to provide more detail about the application that your Cryostat instance is connected to.

Previously, if you were running Cryostat on Red Hat OpenShift, this connection URL showed only the IP address information and port number. With this update, the URL format shows the IP address, the namespace in which the application was located, and the port number.

Cryostat 2.3 removes some features because of their high maintenance costs, low community interest, and better alternative solutions.

Removed static Kubernetes environment variable-based target discovery

In Cryostat 2.3, the io.cryostat.platform.internal.KubeEnvPlatformStrategy value is removed as an option for the CRYOSTAT_PLATFORM environment variable.

The Cryostat release might include fixes for issues that were identified in earlier releases of Cryostat. Review each fixed issue note for a description of the issue and the subsequent fix.

Issues fixed in Cryostat 2.3.1

The following issues have been fixed in the Cryostat 2.3.1 release:

Stored credentials incorrectly match against target applications that require JMX authentication and integrate the Cryostat Agent

Typically, the Cryostat Agent is configured to expose a readonly HTTP API that Cryostat interacts with. The Cryostat Agent provides this HTTP API URL to Cryostat as a discovery plug-in implementation. If a target application has an embedded Cryostat Agent and Cryostat attempts to connect to the target over Java Management Extensions (JMX) rather than HTTP, a conflict might arise. In this situation, the stored credentials of the Agent might overlap and conflict with any stored credentials that are necessary for JMX authentication of the target application.

Before Cryostat 2.3.1, this conflict resulted in the wrong credentials being presented for JMX authentication, and Cryostat operations such as listing recordings or activating Automated Rules might fail. This issue could occur when the integrated Agent was configured with the property cryostat.agent.registration.prefer-jmx and the target application had JMX enabled. This issue could also occur when the integrated Agent was configured to register itself with an HTTP URL for discovery, which is the default behavior, but the target application instance was also discoverable by some other mechanism such as Kubernetes API discovery.

From Cryostat 2.3.1 onward, the Cryostat Agent uses a more specific and unique selector for identifying its credentials. This fix enables Cryostat to distinguish between the Agent’s credentials and any credentials necessary for JMX authentication.

CRYOSTAT_DISABLE_BUILTIN_DISCOVERY environment variable disables Custom Targets

Before Cryostat 2.3.1, when you set the CRYOSTAT_DISABLE_BUILTIN_DISCOVERY environment variable to True, this action also disabled Custom Targets functionality in addition to other built-in discovery mechanisms. The expected behavior is that the CRYOSTAT_DISABLE_BUILTIN_DISCOVERY environment variable disables all built-in discovery mechanisms except Custom Targets.

This issue is resolved in the Cryostat 2.3.1 release, which ensures that the Custom Targets functionality is always available, even if you set CRYOSTAT_DISABLE_BUILTIN_DISCOVERY environment variable to True.

Unable to log out of the Cryostat web application on OpenShift Container Platform 4.12 and later

Before Cryostat 2.3.1, when you clicked Logout to log out of the Cryostat web application, the logout operation failed for Cryostat instances that were deployed on OpenShift Container Platform 4.12 and later. The expected behavior is that the logout operation redirects you to the cluster OAuth login. Instead, the logout attempt failed and the following error message appeared:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://oauth-openshift.apps-crc.testing/logout. (Reason: CORS header 'Access-Control-Allow-Origin' missing). Status code: 200.

Creating automated rules through HTTP API fails for multipart/form-data submissions

Before Cryostat 2.3.1, when you attempted to create automated rules by using data submitted as a multipart/form-data media type through an HTTP API, an "HTTP 415" error occurred. This error occurred because Cryostat did not support the multipart/form-data media type.

From Cryostat 2.3.1 onward, Cryostat can create automated rules for data submitted through any of the following media types:

Deleting a namespace containing a Cryostat installation might freeze

Before Cryostat 2.3.1, when you attempted to delete a namespace on which a Cryostat instance was still installed, the deletion operation might freeze. This could occur if the Lock ConfigMap object was deleted before final cleanup actions were completed for the Cryostat or Cluster Cryostat custom resource (CR). The expected behavior is that the deletion operation succeeds and cleanup actions on any resources that were created for the Cryostat installation are complete.

This issue is resolved in the Cryostat 2.3.1 release in all cases except when the Cryostat Operator is part of the deleted namespace. In this situation, consider reinstalling the Cryostat Operator by using the default installation mode All namespaces on the cluster (default). The reinstalled Operator can then clean up any leftover state and allow your namespace to be deleted.

JMC probe template validation error

Before Cryostat 2.3.1, when you attempted to upload a probe template through the Events view in the Cryostat web console, the upload could fail with a validation error. This validation error resulted from issues when parsing method parameter content types that you can define in the probe template.

Unable to upload JMC probe templates after a failure

Before Cryostat 2.3.1, if a failure occurred when uploading a probe template, any further attempts to upload this template also failed with an HTTP 500 error. This issue occurred if you uploaded an invalid template that failed validation checks and you subsequently attempted to upload a valid version of the same template. In this situation, Cryostat did not alert you that a template with the same name already existed.

From Cryostat 2.3.1 onward, Cryostat displays an error message if you attempt to upload probe templates with duplicate file names.

Wrong port number in Agent configuration when publishing a JMX URL

Before Cryostat 2.3.1, if you configured the Cryostat Agent to register itself as reachable through JMX rather than HTTP, the publication URL in the Agent configuration did not contain the correct JMX port number.

Wrong text in warning modal for disabling a rule

Before Cryostat 2.3.1, when you disabled an automated rule in the Cryostat web console, the warning modal displayed the following incorrect text:

If you click Delete, the rule will be disabled.

From Cryostat 2.3.1 onward, the warning modal displays the following text:

If you click Disable, the rule will be disabled.

Topology view shows toggle icons in the wrong order

Before Cryostat 2.3.1, the Topology view of the Cryostat web console did not show toggle icons in the correct order when you toggled between graph mode and list mode.

From Cryostat 2.3.1 onward, the graph mode correctly shows the list mode icon, and the list mode correctly shows the graph mode icon.

Sometimes a Cryostat release might contain an issue or issues that Red Hat acknowledges and might fix at a later stage during the product’s development. Review each known issue for its description and its resolution.

Cryostat agent reports a “Boot class path mechanism is unsupported” warning message

The following advisory has been issued to document bug fixes and CVE fixes included in the Cryostat 2.3 release:

Revised on 2023-08-29 14:37:02 UTC