Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Installing Cryostat

Red Hat build of Cryostat 3

Red Hat Customer Content Services

Abstract

Red Hat build of Cryostat is a Red Hat offering on OpenShift Container Platform. The Installing Cryostat guide provides an overview of this product and explains how to install the software and start using it.

Preface
Copy link

The Red Hat build of Cryostat is a container-native implementation of JDK Flight Recorder (JFR) that you can use to securely monitor the Java Virtual Machine (JVM) performance in workloads that run on an OpenShift Container Platform cluster. You can use Cryostat 3.0 to start, stop, retrieve, archive, import, and export JFR data for JVMs inside your containerized applications by using a web console or an HTTP API.

Depending on your use case, you can store and analyze your recordings directly on your Red Hat OpenShift cluster by using the built-in tools that Cryostat provides or you can export recordings to an external monitoring application to perform a more in-depth analysis of your recorded data.

Important

Red Hat build of Cryostat is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

Making open source more inclusive
Copy link

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. We are beginning with these four terms: master, slave, blacklist, and whitelist. Because of the enormity of this endeavor, these changes will be implemented gradually over several upcoming releases. For more details, see our CTO Chris Wright’s message.

Chapter 1. Overview of Cryostat
Copy link

Cryostat is a container-native Java application based on JDK Flight Recorder (JFR) that you can use to monitor Java Virtual Machine (JVM) performance for containerized workloads that run on a Red Hat OpenShift cluster.

You can deploy Cryostat in a container in a Red Hat OpenShift project that hosts your containerized Java applications. You can create JVM targets that correspond to the JVM instances that you use to run your containerized workload. You can connect Cryostat to the JVM targets to record and analyze data about heap and non-heap memory usage, thread count, garbage collection, and other performance metrics for each JVM target.

You can use the tools that are included with Cryostat to monitor the performance of your JVMs in real time, capture JDK Flight Recorder (JFR) recordings and snapshots, generate Automated Analysis reports, and visualize your recorded performance data by using a Grafana dashboard.

The Cryostat web console and HTTP API provides a way to analyze your JVM performance data inside the container without having to rely on an external monitoring application. However, you can also export your recordings from Cryostat into an external instance of JDK Mission Control (JMC) when you need to perform a deeper analysis of your data outside of a cluster environment.

Cryostat supports role-based access control (RBAC) as a standard feature of OpenShift Container Platform.

You can install Cryostat inside a Red Hat OpenShift project by using Operator Lifecycle Manager (OLM).

You can also download the latest Cryostat component images from the Red Hat Ecosystem Catalog. The following container images exist for Cryostat 3.0 on the Red Hat Ecosystem Catalog:

  • Cryostat
  • Red Hat build of Cryostat Operator
  • Red Hat build of Cryostat Operator bundle
  • Cryostat reports
  • Cryostat Grafana dashboard
  • Cryostat DB
  • Cryostat storage
  • JFR data source

Chapter 2. Installing Cryostat
Copy link

You can install the Red Hat build of Cryostat Operator in a project on Red Hat OpenShift by using Operator Lifecycle Manager (OLM).

With the Red Hat build of Cryostat Operator installed, you can create instances of Cryostat that you can access by using a web console from the Red Hat OpenShift web console.

You can also download the latest Cryostat component images from the Red Hat Ecosystem Catalog.

You can use the Operator Lifecycle Manager (OLM) to install the Red Hat build of Cryostat Operator in a project on your Red Hat OpenShift cluster. You can use the Red Hat build of Cryostat Operator to create single namespace or multi-namespace Cryostat instances. You can control these instances by using a GUI that is accessible from the Red Hat OpenShift web console.

Important

If you need to upgrade your Red Hat build of Cryostat Operator subscription from Cryostat 2.0 to Cryostat 3.0, you must change the update channel from stable-2.0 to stable.

Prerequisites

  • Created an OpenShift Container Platform 4.12 or later cluster.
  • Created a Red Hat OpenShift user account with permissions to install Red Hat build of Cryostat Operator in a project.
  • Installed Operator Lifecycle Manager (OLM) on your cluster.

  • Installed cert-manager with the cert-manager Operator for Red Hat OpenShift.

  • Logged in to Red Hat OpenShift by using the Red Hat OpenShift web console.

Procedure

  1. In your browser, navigate to Home > Projects by using the web console.
  2. Select the name of the project in which you want to install the Red Hat build of Cryostat Operator.

  3. Install the Red Hat build of Cryostat Operator:

    1. In the navigation menu of your web console, navigate to Operators > OperatorHub.
    2. Select the Red Hat build of Cryostat Operator from the list. You can use the search box in the upper part of the screen to find the Red Hat build of Cryostat Operator.

    3. To install the Red Hat build of Cryostat Operator in your project, click Install.

      The Red Hat OpenShift web console prompts you to create a Cryostat custom resource (CR).

      Note

      From Cryostat 3.0 onward, in the Installation mode area, the All namespaces on the cluster (default) radio button is the only available option.

      You can create the CR either manually or automatically. If you want to create the CR manually, see step 4. If you want to create the CR automatically, see step 5.

  4. If you want to create the CR manually, complete the following steps:

    1. Navigate to Operators > Installed Operators by using the web console and select Red Hat build of Cryostat Operator from the list of installed operators:

      Figure 2.1. Viewing the Red Hat build of Cryostat operator in the list of installed operators

      Viewing the Red Hat build of Cryostat Operator in the list of installed operators
      View larger image
      Viewing the Red Hat build of Cryostat Operator in the list of installed operators
    2. Click the Details tab.

    3. To create a Cryostat instance, go to the Provided APIs section. Then, under Cryostat, click Create instance.

      Note

      From Cryostat 3.0 onward, the Cryostat API enables you to create both single-namespace and multi-namespace Cryostat instances.

      Figure 2.2. Selecting the Cryostat API that is provided by the Red Hat build of Cryostat Operator

      Selecting the Cryostat API that is provided by the Red Hat build of Cryostat Operator
      View larger image
      Selecting the Cryostat API that is provided by the Red Hat build of Cryostat Operator
    4. Click either the Form view radio button or the YAML view radio button. If you want to enter your information in the YAML configuration file, click YAML view .
    5. Specify a unique name for the instance of Cryostat that you want to create.
    6. Optional: In the Labels field, specify a label or annotation for the Operand workload you want to deploy.

    7. In the Target Namespaces field, select namespaces whose workloads you want to permit this instance of Cryostat to access and work with. Optionally, you can select the same namespace where you installed Cryostat or you can choose a different namespace. To add additional namespaces, click +Add Target Namespace.

      Important

      Users who can access the Cryostat instance have access to all target applications in any namespace that is visible to that Cryostat instance. Therefore, when you deploy a multi-namespace Cryostat instance, you must consider which namespaces to select for monitoring, which namespace to install Cryostat into, and which users you want to grant access to.

      You can also specify additional configuration options for your deployment:

      Figure 2.3. Creating an instance of Cryostat by using a form in the web console

      Creating an instance of Cryostat by using a form in the web console
      View larger image
      Creating an instance of Cryostat by using a form in the web console

      Alternatively, you can use a YAML template to create your instance and specify additional configuration options instead of using the form:

      Figure 2.4. Creating an instance of Cryostat by using a YAML template in the web console

      Creating an instance of Cryostat by using a YAML template in the web console
      View larger image
      Creating an instance of Cryostat by using a YAML template in the web console

  5. If you want to create the CR by using the automatic prompt option, follow the prompt’s instructions and then complete the following steps:

    1. Click either the Form view radio button or the YAML view radio button. If you want to enter your information in the YAML configuration file, click YAML view.
    2. Specify a unique name for the instance of Cryostat that you want to create.
    3. Optional: In the Labels field, specify a label or annotation for the Operand workload you want to deploy.

    4. In the Target Namespaces field, select namespaces whose workloads you want to permit this instance of Cryostat to access and work with. Optionally, you can select the same namespace where you installed Cryostat or you can choose a different namespace. To add additional namespaces, click +Add Target Namespace.

      Important

      Users who can access the Cryostat instance have access to all target applications in any namespace that is visible to that Cryostat instance. Therefore, when you deploy a multi-namespace Cryostat instance, you must consider which namespaces to select for monitoring, which namespace to install Cryostat into, and which users you want to grant access to.

      You can also specify additional configuration options for your deployment:

      Figure 2.5. Creating an instance of Cryostat by using a form in the web console

      Creating an instance of Cryostat by using a form in the web console
      View larger image
      Creating an instance of Cryostat by using a form in the web console

      Alternatively, you can use a YAML template to create your instance and specify additional configuration options instead of using the form:

      Figure 2.6. Creating an instance of Cryostat by using a YAML template in the web console

      Creating an instance of Cryostat by using a YAML template in the web console
      View larger image
      Creating an instance of Cryostat by using a YAML template in the web console

  6. To start the creation process for your Cryostat instance, click Create.

    You must wait for all resources of your Cryostat instance to be ready before you can access it.

Verification

  1. In the navigation menu of the web console, click Operators, then click Installed Operators.
  2. From the table of installed operators, select Red Hat build of Cryostat Operator.

  3. Select the Cryostat tab.

    Your Cryostat instance opens in the table of instances and lists the following conditions:

    • TLSSetupComplete is set to true.
    • MainDeploymentAvailable is set to true.

    • Optional: If you enabled the reports generator service then ReportsDeploymentAvailable is shown and set to true.

      Figure 2.7. Example of conditions set to True under the Status column for a Cryostat instance on OpenShift

      Example of conditions set to `True` under the `Status` column for a Cryostat instance on Red Hat OpenShift
      View larger image
      Example of conditions set to `True` under the `Status` column for a Cryostat instance on Red Hat OpenShift

  4. Optional: Select your Cryostat instance from the Cryostat table. Go to the Cryostat Conditions table, where you can see more information for each condition.

    Figure 2.8. Example of a Cryostat Conditions table that lists each condition and its criteria

    Example of a *Cryostat Conditions* table that lists each condition and its criteria
    View larger image
    Example of a *Cryostat Conditions* table that lists each condition and its criteria

Additional resources

2.1.1. Accessing Cryostat by using the web console
Copy link

You can access and control Cryostat by using a web console that is accessible from the Red Hat OpenShift web console.

Cryostat integrates with the OAuth server that is built into Red Hat OpenShift. When you attempt to access Cryostat on Red Hat OpenShift, the OAuth server directs you to the Red Hat OpenShift login page, where you can enter your Red Hat OpenShift credentials. After you enter your credentials, the OAuth server directs you to the Cryostat web console.

Note

If you want to access all of Cryostat’s features on the OpenShift Container Platform, you must request Cryostat-specific Role-Based Access Controls (RBAC) permissions for your Red Hat OpenShift user account.

See RBAC permissions.

Prerequisites

  • Created a Cryostat instance in your project.
  • Logged in using the Red Hat OpenShift web console.

Procedure

  1. On the Red Hat OpenShift web console, navigate to Installed Operators and select Red Hat build of Cryostat Operator from the list.

  2. To select the Cryostat instance that you want to access, click the Cryostat tab and select this Cryostat instance from the table.

    Figure 2.9. Example of selecting a Cryostat instance under the Cryostat tab

    Selecting a single-namespace Cryostat instance under the Cryostat tab
    View larger image
    Selecting a single-namespace Cryostat instance under the Cryostat tab

  3. To access the Cryostat login screen, click the link in the Application URL section. The OAuth server redirects you to an OpenShift Container Platform login page, so that you can obtain OAuth access tokens for authenticating to the Cryostat API.

    Figure 2.10. Example of selecting a link under the Application URL section

    Example of selecting a link under the *Application URL* section
    View larger image
    Example of selecting a link under the *Application URL* section

  4. Enter your credential details and then click Login. When you log in through the OAuth server for the first time, an Authorize Access page opens on your web browser.

    Figure 2.11. Example of an Authorize Access page that opens in a web browser

    Example of an *Authorize Access* page that displays in a web browser
    View larger image
    Example of an *Authorize Access* page that displays in a web browser
  5. Review the Requested permissions options and then select the required checkboxes. For optimal Cryostat performance, select both checkboxes.

  6. Choose one of the following options:

    • If you want to accept the requested permissions that you selected, click the Allow selected permissions button.

    • If you want to reject all requested permission options, click the Deny button.

      Your web browser redirects you to the Cryostat web console, where you can monitor Java applications that are running in a Java Virtual Machine (JVM).

2.1.2. RBAC permissions
Copy link

From Cryostat 3.0 onward, when installing a Cryostat instance, you can use the .spec.authorizationOptions.openShiftSSO.accessReview field in the Cryostat CRD to specify the required role-based access control (RBAC) permissions for accessing Cryostat. The default role in the Cryostat application’s installation namespace is create pods/exec.

Any Red Hat OpenShift user accounts that are assigned the specified RBAC role have full access to the Cryostat console and all Cryostat features. If a Red Hat OpenShift account does not have the required RBAC permissions, this user is blocked from accessing Cryostat.

Figure 2.12. Specifying OpenShift SSO Access Review authorization options

Specifying OpenShift SSO Access Review authorization options
View larger image
Specifying OpenShift SSO Access Review authorization options

You can use the following fields to specify any customized RBAC settings that are required for accessing Cryostat:

Expand
FieldDetails

group

API group of the resource

Specifying a * value means all groups.

name

Name of the resource being requested for a get command or deleted for a delete command

Specifying an empty value means all names.

namespace

Namespace of the action being requested

Currently, there is no distinction between no namespace and all namespaces. Consider the following guidelines:

  • An empty value is defaulted for LocalSubjectAccessReviews.
  • An empty value means no cluster-scoped resources.
  • An empty value means all namespace-scoped resources from a SubjectAccessReview or SelfSubjectAccessReview.

resource

An existing resource type

Specifying a * value means all resource types.

subresource

An existing resource type

Specifying an empty value means no resource types.

verb

A kubernetes resource API verb (for example, get, list, watch, create, update, delete, proxy)

Specifying a * value means all verbs.

version

API version of the resource

Specifying a * value means all versions.

2.2. Helm charts
Copy link

Instead of using the Red Hat build of Cryostat Operator on Red Hat OpenShift to install Cryostat, you can use a Helm chart. The Red Hat build of Cryostat Operator is the preferred way to install Cryostat, but if you require a flexible installation method that requires fewer cluster permissions, you can install Cryostat with a Helm chart.

Helm is a package manager on Red Hat OpenShift that provides the following benefits:

  • Applies regular application updates by using custom hooks.
  • Manages the installation of complex applications.
  • Provides charts that you can host on public or private servers. If sharing charts on a public server, ensure you’re aware of the security risks.
  • Supports rolling back to previous application versions.

By default, Red Hat OpenShift 4.12 includes the Helm chart package manager.

Before you install Cryostat with a Cryostat Helm chart, consider the following supported functions for the Cryostat Helm chart and the Red Hat build of Cryostat Operator:

Expand
Function ↓Cryostat Helm chartRed Hat build of Cryostat Operator

Access Cryostat by using Services

Access Cryostat by using Routes

Basic authentication

 

OpenShift OAuth authentication

 

End-to-end encryption

 

Grafana integration

Persistent storage

Sidecar report generator

 

The previous table shows that the Cryostat Helm chart does not support the same level of functionality as the Red Hat build of Cryostat Operator.

2.2.1. Installing Cryostat by using a Helm chart
Copy link

By default, Red Hat OpenShift 4.12 includes the Helm chart package manager. You can use this package manager to install a Cryostat Helm chart on Red Hat OpenShift. In turn, you can use this Helm chart to install a Cryostat instance on Red Hat OpenShift.

After you install the Cryostat Helm chart, the Helm chart creates the following objects:

  • Deployment, which contains Cryostat, Grafana, and a data source for Grafana.
  • Routes that exposes the Cryostat and Grafana services outside a Red Hat OpenShift cluster. This object is enabled by default on Red Hat OpenShift.
  • Services for Cryostat and Grafana.
  • Service Account, Role, and Role Binding for Cryostat, so that Cryostat Helm chart can use these objects to discover your applications.

Prerequisites

  • Logged in to the OpenShift Container Platform by using the Red Hat OpenShift web console.
  • Configured appropriate roles and permissions in a project to create applications and other workloads in OpenShift Container Platform.

Procedure

  1. Switch to Developer mode on your Red Hat OpenShift web console.
  2. Click the +Add menu.
  3. From the Developer Catalog panel, click Helm Chart.

  4. Click the Cryostat tile. A window displays on your Red Hat OpenShift web console.

    Tip

    To quickly find the Cryostat tile, enter Cryostat in the search field.

  5. Click Create.

  6. From the Create Helm Release window, complete the following actions:

    1. In the Release name field, enter a name for your Cryostat Helm chart.
    2. From the Chart version drop-down list, ensure a version of Cryostat is selected.
    3. Optional: From Form view, click Chart Values, and then configure options for your Cryostat Helm chart.

    4. Optional: To access more configuration options, switch to the YAML View and then edit the parameters to meet your needs.

      Figure 2.13. OpenShift Create Helm Release window

      Red Hat OpenShift Install Helm Chart window
      View larger image
      Red Hat OpenShift Install Helm Chart window

  7. Click Create.

    A window with tabs might open in your web console where you can view information for the Cryostat Helm chart. From the Release notes tab, you can view post-installation steps that you must perform. To perform these steps, you must use the oc CLI for your Red Hat OpenShift cluster. By default, Cryostat Helm chart uses Routes for networking. If you have disabled Routes, the instructions might differ depending on the kind of networking that you selected.

    Important

    If you set core.route.enabled or grafana.route.enabled to false for your Cryostat Helm chart, which disables the Routes resource, port-forwarding oc instructions display in the web console.

  8. Optional: From the topology window, click a pod icon and then go to either the Details tab or the Resources tab to view more information about the pod.

    Tip

    If you need to quickly find a pod, consider using the filter toolbar, where you can display options, filter by resource, or enter a name of a pod.

    When you completed the post-installation steps that are outlined on the Release notes tab, you can use Cryostat with your applications.

    Figure 2.14. OpenShift pod topology window

    Red Hat OpenShift pod topology window
    View larger image
    Red Hat OpenShift pod topology window

Verification

  1. In the same terminal where you completed the post-installation steps, go to the "Visit the Cryostat application at …​" step to view the URL with which you can access the Cryostat application.
Note

The URL to access the Cryostat application URL varies depending on the configuration parameters that you chose.

Revised on 2024-07-02 13:35:21 UTC

Legal Notice
Copy link

Copyright © 2024 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat