Chapter 4. Feature enhancements
Cryostat 2.0 includes feature enhancements that build upon the Cryostat 1 offerings.
Cryostat web console GUI
You can access the Cryostat information page through the Help icon in the upper-right corner of the Cryostat web console. On this page, you can view your version of Cryostat.
Additionally, an archived record’s generated name now includes a target alias. The target alias improves record retrieval by linking an alias to the record’s generated name.
Cryostat Operator topology view
The Cryostat Operator now applies the correct app.openshift.io/connects-to annotation to a Cryostat deployment. This configuration links the Cryostat deployment with the Cryostat Operator deployment in the topology view on the OpenShift Container Platform web console.
Cryostat Operator controller manager
If the Cryostat Operator failed to deploy Cryostat because you did not install cert-manager, the Cryostat Operator no longer hangs when it deletes Cryostat custom resources.
Cryostat cluster ConsoleLink namespace
In Cryostat 2.0, a Cryostat Operator cluster might create a duplicate ConsoleLink namespace for a Cryostat cluster. To avoid this issue, the Cryostat Operator now replaces the GenerateName object with a SHA-256 hash value defined in the Name object of the ConsoleLink resource definition.
Custom event templates
You can configure any Cryostat JFR recordings by using custom event templates. You can use custom event templates in the following ways:
- Instruct the Cryostat Operator to pre-configure Cryostat custom event templates by providing them with template files from stored ConfigMap objects.
- Upload custom event templates by using the Cryostat web application.
Encode SSL/TLS certificates with supported formats
You can add an SSL/TLS certificate on the Cryostat web console for your target JVM application.
Valid SSL/TLS certificates are in DER-encoded base-64 or binary formats. Either format supports the following extensions:
- .der
- .cer
- .pem
You can now specify a generated certificate at runtime, so that your target JVM application can use SSL/TLS for JMX connections. Cryostat attempts to open a JMX connection to a target JVM that uses an SSL/TLS certificate. For a successful JMX connection, Cryostat must pass all its authentication checks on the target JVM certificate that you provided at runtime.
You can use the POST handler to accept, validate, and write the certificate.
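The accept-and-validate step described above, as an added Python sketch that is not Cryostat's own handler code: it takes an upload in either supported form (PEM, i.e. base64 DER between certificate markers, or raw binary DER), normalizes it to DER bytes, and rejects anything that is not exactly one well-framed DER SEQUENCE (truncated files, trailing bytes, non-minimal length encodings). The PEM marker regex, the function names, and the SAMPLE_DER stand-in are constructed for this example and not taken from the page.

```python
import base64
import re

# Constructed minimal DER SEQUENCE used as a stand-in for a certificate body; not a real X.509 certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
# PEM form: the same DER bytes, base64-encoded between these markers (assumed marker text for this example).
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def _der_framing(data: bytes):
    """Return (header_len, body_len) of the outer DER SEQUENCE, or None if the framing is malformed."""
    if len(data) < 2 or data[0] != 0x30:            # 0x30 = SEQUENCE, the outermost element of a certificate
        return None
    first = data[1]
    if first < 0x80:                                # short form: one length byte
        return 2, first
    n = first & 0x7F                                # long form: n following length bytes
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    body_len = int.from_bytes(data[2:2 + n], "big")
    if body_len < 0x80 or data[2] == 0:             # DER requires the shortest possible length encoding
        return None
    return 2 + n, body_len

def normalize_certificate(upload: bytes) -> bytes:
    """Accept a .der/.cer/.pem upload in PEM (base64 DER) or binary DER form and return the raw DER bytes.
    Raises ValueError unless the upload is exactly one well-framed DER SEQUENCE."""
    m = PEM_RE.search(upload)
    der = base64.b64decode(m.group(1)) if m else upload   # b64decode skips the line wraps inside a PEM body
    framing = _der_framing(der)
    if framing is None:
        raise ValueError("not a DER SEQUENCE")
    header_len, body_len = framing
    if header_len + body_len != len(der):            # truncated or trailing bytes: reject rather than trim
        raise ValueError("DER length does not match upload size")
    return der

def is_valid_certificate_upload(upload: bytes) -> bool:
    try:
        normalize_certificate(upload)
        return True
    except ValueError:
        return False

def to_pem(der: bytes) -> bytes:
    """Wrap DER bytes as a PEM certificate block with 64-column base64 lines."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines) + b"\n-----END CERTIFICATE-----\n"
```

Only the outer framing is checked here; a real handler would hand the DER bytes to the platform's X.509 parser before writing them to the trust store.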
Fabric8 Kubernetes and OpenShift clients
Cryostat 2.0 supports version 4.12.0 of Fabric8 Kubernetes and of OpenShift clients. This version enhances application compatibility with Cryostat and reduces downstream build errors.
Grafana container version
Cryostat 2.0 replaces version 6.4.4 of the Grafana container with version 7.3.6.
Grafana error messages
The 502 error message now relates to a failed JMX connection, while the 512 error message relates to invalid responses sent to the JFR container.
Health check resource definition
The Cryostat Operator replaces the api/v1/clienturl resource definition with the health resource definition. The Cryostat Operator now uses the health endpoint when performing containerized JVM health checks.
initialization-resource annotation
The Cryostat Operator now includes an initialization-resource annotation in its CSV file's configuration. This annotation enhances the Cryostat Operator instance running on the OpenShift Container Platform web console by providing you with graphical hints to create a Cryostat custom resource for your Cryostat cluster.
OLM bundle descriptors
For Cryostat 2.0, an OLM bundle no longer requires setting an integer value in its eventOptions descriptor for checking a JFR recording's duration. Instead, the OLM bundle now requires duration-formatted values that are defined in its EventOptions string.
Supported duration units include s, m, and h. For example, 2h15m denotes a JFR recording length of 2 hours and 15 minutes.
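The duration notation above, worked through as an added Python example (not Cryostat's or the OLM bundle's own code): parse_duration converts a value such as 2h15m into seconds and rejects the pre-2.0 bare-integer form, unknown units, stray characters and repeated units, and format_duration renders seconds back into the same s/m/h notation. The rule that a unit may appear only once is an assumption made for this example, not something the page states.

```python
import re

# A duration is one or more "<integer><unit>" tokens run together, e.g. 2h15m; units are s, m and h.
_TOKEN = re.compile(r"(\d+)([smh])")
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600}

def parse_duration(value: str) -> int:
    """Convert a duration string such as '2h15m' into a number of seconds.
    A bare integer (the pre-2.0 descriptor form), an unknown unit, stray characters
    or a repeated unit (assumed rule) all raise ValueError instead of being reinterpreted."""
    tokens = _TOKEN.findall(value)
    # Every character must belong to a token; otherwise "2h15" or "15" would silently pass.
    if not tokens or "".join(amount + unit for amount, unit in tokens) != value:
        raise ValueError(f"invalid duration: {value!r}")
    seen = set()
    total = 0
    for amount, unit in tokens:
        if unit in seen:
            raise ValueError(f"unit {unit!r} given twice in {value!r}")
        seen.add(unit)
        total += int(amount) * _UNIT_SECONDS[unit]
    return total

def format_duration(seconds: int) -> str:
    """Render seconds in the same notation, largest unit first with zero parts omitted (8100 -> '2h15m')."""
    if seconds < 0:
        raise ValueError("duration cannot be negative")
    parts = []
    for unit, size in (("h", 3600), ("m", 60), ("s", 1)):
        amount, seconds = divmod(seconds, size)
        if amount:
            parts.append(f"{amount}{unit}")
    return "".join(parts) or "0s"

def is_valid_duration(value: str) -> bool:
    try:
        parse_duration(value)
        return True
    except ValueError:
        return False
```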
Security context constraint (SCC)
The Cryostat Operator now defaults to using the restricted SCC setting. A pod contained in a Cryostat cluster can now use any permitted fsGroup value listed under the restricted SCC setting. This means that Cryostat pods mounted to persistent storage (PV) can now have read/write access to their directories.
A pod's read/write access level depends on the pod's fsGroup GID value, which the Cryostat Operator configures to adhere to the built-in restricted SecurityContextConstraint. A SecurityContext element contains pod-level security attributes.
Before Cryostat 2.0, the Cryostat Operator was set to the default setting, which caused fsGroup access issues for a pod running in a Cryostat cluster.
For more information about the permitted range of fsGroup values for your Cryostat cluster, see About pre-allocated security context constraints values in the OpenShift documentation website.
ServiceRef definition
A ServiceRef definition includes the following new properties, which Cryostat includes in all ServiceRef objects returned from GET communications with HTTP API handlers:
- Annotations, such as the Java application name, labels, or port number.
- User-specific ServiceRef values, such as an alias or connectURL.
You can use the following two handlers to create or delete a ServiceRef definition:
- POST, which creates a new ServiceRef if no existing targets with an identical service URL exist.
- DELETE, which removes any ServiceRef definitions from the CustomTargetPlatformClient if it matches the value specified in the targetID path parameter.
Subprocess management
Before Cryostat generates an automated analysis report, Cryostat creates a child subprocess. A child subprocess protects the parent process by accumulating any large memory loads consumed by the report generation.
For example, on a Linux operating system the out-of-memory (OOM) Killer detects a process that tries to request additional memory that is not available from the system and stops the process. If a child subprocess exists, the OOM Killer stops this subprocess but does not interfere with the running parent process.
You can set a minimum or maximum JVM heap size for a child subprocess by using the Cryostat environment variable CRYOSTAT_REPORT_GENERATION_MAX_HEAP. Be aware that a low minimum value might stop a child subprocess before it generates a report, while a high maximum value might cause additional memory constraints on the parent process.
Subprocess report generation
Cryostat 2.0 provides an enhancement to using either ActiveRecordingReportCache or ArchivedRecordingReportCache to generate a subprocessed report for your Java application. These classes are simplified as follows:
- ActiveRecordingReportCache now automatically includes the path to disk recordings.
- ArchivedRecordingReportCache calls a utility method that uses the connection manager of a parent process to copy a record to a local disk file. The class passes the local path location to the subprocess.
A subprocess no longer needs to complete the following tasks:
- Establish a JMX connection.
- Handle an SSL/TLS certificate.
- Handle JMX authorization credentials.
The removal of these tasks improves a subprocess’s workload in the following ways:
- Quicker end-to-end report generation.
- Reduction in code complexity so that the codebase is easier to maintain.
- Proper and secure handling of SSL/TLS authentication and JMX authentication mechanisms.
truststore environment variable
Cryostat 2.0 replaces the TRUSTSTORE environment variable name with SSL_TRUSTSTORE_DIR.
TargetConnectionManager handler
The TargetConnectionManager now supports concurrent connections by using a JMX connection timed cache value for any connections between a targeted request and Cryostat. By default, the timed cache is 90 seconds.
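The timed-cache behaviour described above, as an added Python example that is not Cryostat's TargetConnectionManager code: concurrent callers asking for the same target share one open connection until it reaches the 90-second default, after which the stale connection is closed and a fresh one is opened. Measuring the age from when the connection was opened (rather than from its last use), the injectable clock, and the FakeConnection stand-in are assumptions made for this example.

```python
import threading
import time

DEFAULT_TTL_SECONDS = 90.0   # the page's stated default for the JMX connection timed cache

class TimedConnectionCache:
    """Holds one open connection per target and hands it back to concurrent callers
    while it is younger than ttl. An expired entry is closed and replaced on the next
    request, so no caller receives a connection older than the cache timeout."""

    def __init__(self, open_connection, ttl=DEFAULT_TTL_SECONDS, clock=time.monotonic):
        self._open = open_connection      # callable(target) -> connection object with close()
        self._ttl = ttl
        self._clock = clock               # injectable so the timeout can be tested without sleeping
        self._lock = threading.Lock()     # serializes lookups so two threads never open duplicates
        self._entries = {}                # target -> (connection, opened_at); age is assumed from open time

    def get(self, target):
        """Return a cached connection for target, reopening it if the cached one has expired."""
        with self._lock:
            now = self._clock()
            entry = self._entries.get(target)
            if entry is not None:
                conn, opened_at = entry
                if now - opened_at < self._ttl:
                    return conn
                conn.close()              # expired: release it before opening a fresh one
            conn = self._open(target)
            self._entries[target] = (conn, now)
            return conn

    def evict_expired(self):
        """Close and drop every entry at or past ttl; returns how many were closed."""
        with self._lock:
            now = self._clock()
            stale = [t for t, (_, at) in self._entries.items() if now - at >= self._ttl]
            for t in stale:
                self._entries.pop(t)[0].close()
            return len(stale)

class FakeConnection:
    """Constructed stand-in for a JMX connection; records whether it was closed."""
    def __init__(self, target):
        self.target = target
        self.closed = False

    def close(self):
        self.closed = True
```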
Vertx server response management
The Vertx server can now use a TimeoutHandler implementation to automatically end a delayed response message sent by a Cryostat request handler. This prevents a client from having to wait indefinitely for a response from a Cryostat request handler.
The TimeoutHandler implementation throws a 500 error message when it detects a delayed response from a Cryostat request handler.
WebSockets
The WebSocket includes the following updates:
- WebSocket connection upgraded from a two-way interactive channel to a one-way push Notification Channel (NC).
- WebSocket Notification Channel changed from api/v1/command to api/v1/notifications, because the WebSocket now uses this channel for one-way push notifications.
- WebSocket can send events on the Notification Channel when you use recordings and event templates for analyzing your JFR data.
When your WebSocket client connects to a one-way push NC, the client automatically receives information about actions performed by other connected clients on the same channel.