Release notes for the Red Hat build of Cryostat 4.1


Red Hat build of Cryostat 4

Red Hat Customer Content Services

Abstract

The Release notes for the Red Hat build of Cryostat 4.1 document provides an overview of new features in Cryostat 4.1 and a list of potential known issues and possible workarounds.

Preface

The Red Hat build of Cryostat is a container-native implementation of JDK Flight Recorder (JFR) that you can use to securely monitor the Java Virtual Machine (JVM) performance in workloads that run on an OpenShift Container Platform cluster. You can use Cryostat to start, stop, retrieve, archive, import, and export JFR data for JVMs inside your containerized applications by using a web console or an HTTP API.

Depending on your use case, you can store and analyze your recordings directly on your Red Hat OpenShift cluster by using the built-in tools that Cryostat provides or you can export recordings to an external monitoring application to perform a more in-depth analysis of your recorded data.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. We are beginning with these four terms: master, slave, blacklist, and whitelist. Because of the enormity of this endeavor, these changes will be implemented gradually over several upcoming releases. For more details, see our CTO Chris Wright’s message.

Chapter 1. Support policy for Cryostat

Red Hat supports a major version of Cryostat for a minimum of 6 months. Red Hat bases this figure on the time that the product gets released on the Red Hat Customer Portal.

You can install and deploy Cryostat on Red Hat OpenShift Container Platform 4.12 or a later version that runs on an x86_64 or ARM64 architecture.

Chapter 2. New features

This section describes new features that the Cryostat 4.1 release provides.

Support for deploying Red Hat build of Cryostat in FIPS-enabled environments

From Cryostat 4.1 onward, the Red Hat build of Cryostat is designed for FIPS usage. When deployed by using the Cryostat Operator, the Red Hat build of Cryostat is now able to run on FIPS-enabled nodes in your Red Hat OpenShift cluster. In this situation, the Operator also ensures that any automatically configured Cryostat agents use TLSv1.3 for successful communication between the agent and Cryostat server.

Note

FIPS support for Red Hat build of Cryostat is available on Red Hat OpenShift Container Platform 4.14 or later using the latest cert-manager Operator for Red Hat OpenShift. FIPS support is not available for Red Hat build of Cryostat when deployed on earlier Red Hat OpenShift versions or when deployed by using a Helm chart.

Batch processing of archived recordings for automated analysis

From Cryostat 4.1 onward, Cryostat listens for the creation of archived recordings that have the autoanalyze=true label. When this type of archived recording is created, Cryostat submits this recording for automated analysis immediately. Cryostat uses a new AnalysisReportAggregator process, which listens for notifications about newly created analysis reports and stores the final report in its cache. The AnalysisReportAggregator collects one report "document" per target JVM and exposes the aggregated reports as Prometheus-style metrics, which you can view in the new Automated Reports view of the Cryostat web console.

Automatic archival of external recordings for newly discovered targets

As part of automated analysis improvements, when Cryostat 4.1 detects a new target JVM that has external fixed-duration recordings already running which Cryostat did not know about, Cryostat can automatically archive these recordings after they stop. In this situation, an external recording is one that is started by using the -XX:StartFlightRecording=duration=Xs JVM flag, for example, rather than a recording that is started by Cryostat itself.

This feature is enabled by default.

Label autoanalyze=true also applied to external recordings

As part of automated analysis improvements, Cryostat 4.1 also applies the autoanalyze=true label to external recordings that were not started by Cryostat itself. If an external fixed-duration recording is automatically stopped or the user manually archives a copy of the recording, Cryostat now performs an automatic analysis of the recording data.

This enhancement means that Cryostat can now perform automatic analysis of external recordings similar to the way Cryostat already performs automatic analysis of recordings that were created in the Cryostat web console or through automated rules.

This feature is enabled by default.

Automatic archival of active recordings that are manually stopped

As part of automated analysis improvements, Cryostat 4.1 can automatically archive any active recording after it is stopped. This enhancement means that the automatic archival feature is no longer restricted to fixed-duration recordings that are automatically stopped after the elapsed duration. Cryostat now also automatically archives continuous recordings when they are manually stopped.

Recordings panel supports selection of archiveOnStop label for continuous recordings

As part of automated analysis improvements, when creating a custom recording in the Recordings panel of the Cryostat web console, you can now select the Archive on Stop option even if the recording is continuous. In this situation, the archiveOnStop label instructs Cryostat to automatically archive the recording after it is stopped. The Archive on Stop option is selected by default.

This enhancement supersedes the behavior in earlier releases where automatic archival of recordings was restricted to fixed-duration recordings after their specified duration elapsed.

Automated Reports view in Cryostat web console

As part of automated analysis improvements, the Cryostat web console adds a new Automated Reports view under the Flight Recorder > Analyze navigation menu. The Automated Reports view provides an overview of the cached automated analysis reports that are available across all target JVMs. This view displays report results in read-only mode. You cannot use the Automated Reports view to generate new automated analysis reports in bulk.

As in earlier releases, you can use the Recordings view to perform automated analysis on a per-target basis or you can use the Topology view to check node health and status when reports are present. However, these mechanisms do not provide any insight into the actual report data unless you drill down to the Recordings view and analysis panel for each individual target. The new Automated Reports view provides a centralized way to view these types of report details, especially warning or critical-level results, without requiring users to drill down through each individual target that might present such results.

Support for setting up JMX client keystore and certificate import

From Cryostat 4.1 onward, Cryostat can also present a client certificate for its JMX client to target applications that might require client authentication for setting up a Mutual TLS (mTLS) connection. In earlier releases from Cryostat 3.0 onward, Cryostat could only specify or generate self-signed certificates in the truststore for its JMX server. This earlier behavior meant that Cryostat could trust JMX server certificates presented by target applications, but it could not present a JMX client certificate to these applications if they required client authentication.

This enhancement means that Cryostat now supports the ability to set up mTLS two-way authentication with target applications when using a JMX connection. This enhancement also restores the behavior that was available in older Cryostat 2.x releases where Cryostat similarly supported mTLS two-way authentication for JMX connections.

Support for external S3 object storage providers

From Cryostat 4.1 onward, when installing Cryostat by using the Cryostat Operator or a Helm chart, you can configure your Cryostat instance to use an external S3 object storage provider rather than the SeaWeedFS-based cryostat-storage container. This enhancement facilitates users who might have technical or regulatory requirements for using and hosting their own external S3 storage solution instead of relying on the cryostat-storage container.

Cryostat 4.1 provides the following series of configuration properties that you can use to set up your own customized object storage solution:

Each entry below lists the Cryostat Operator CR property, the Helm chart property, and the details. A dash (-) marks a column that is empty for that entry.

Cryostat Operator CR property: objectStorageOptions.provider.disablePresignedDownloads

Helm chart property: -

Details: Indicates whether your browser can download archived files by directly communicating with the object storage service.

If you set this to true and the object storage URLs are accessible from your network location, Cryostat issues a presigned URL to your browser and has no further involvement in the download operation.

If you set this to false, Cryostat acts like a “network pipe” by opening an HTTP connection to object storage and piping the response stream into the response that it sends back to your browser. This is useful if your machine is not on the same network as object storage, but it increases input/output overheads and could affect download performance.

By default, this uses the same value that is set for disablePresignedFileTransfers.

Cryostat Operator CR property: objectStorageOptions.provider.disablePresignedFileTransfers

Helm chart property: -

Details: Determines how archived files move between Cryostat components (for example, when Cryostat is configured with sidecar containers and an automated analysis report generation request is sent).

If you set this to true, Cryostat issues a presigned URL for the recording and sends a request to the cryostat-reports Service, instructing a sidecar to download and process the indicated file and send back a response.

If you set this to false, Cryostat acts like a "network pipe" and streams the file from storage into cryostat-reports.

This is set to false by default.

Cryostat Operator CR property: objectStorageOptions.provider.metadataMode

Helm chart property: storage.provider.metadata.storageMode

Details: The strategy Cryostat will use for storing files' metadata.

Available options are:

  • tagging: Stores all metadata as object Tags
  • metadata: Stores metadata as object Metadata, which is immutable but allows for more entries than Tags
  • bucket: Stores metadata as separate files (for example, JSON object maps) in a dedicated bucket, with prefixes to differentiate the kind of object the metadata belongs to

The default option is tagging.

Cryostat Operator CR property: objectStorageOptions.provider.region

Helm chart property: storage.provider.region

Details: The object storage provider region.

This may be used by the storage provider to geolocate the physical storage in a particular region for regulatory, performance, or cost reasons.

Cryostat Operator CR property: objectStorageOptions.provider.tlsTrustAll

Helm chart property: storage.provider.tls.trustAll

Details: Indicates whether Cryostat should trust all TLS certificates presented by the external object storage provider.

This is set to false by default. If you want to disable TLS certificate verification on the S3 client, set this to true.

Cryostat Operator CR property: objectStorageOptions.provider.url

Helm chart property: storage.provider.url

Details: The URL for the S3 object storage provider.

Cryostat Operator CR property: objectStorageOptions.provider.useVirtualHostAccess

Helm chart property: -

Details: Indicates whether virtual host subdomain access should be used as opposed to path-style access.

The default option is false for compatibility.

Note: If your storage provider supports virtual host access, consider enabling this option for performance reasons.

Cryostat Operator CR property: -

Helm chart property: storage.provider.usePathStyleAccess

Details: Indicates whether path-style access is used.

If path style access is not used, DNS subdomain resolution is used.

The default option is true for compatibility.

Cryostat Operator CR property: objectStorageOptions.secretName

Helm chart property: -

Details: Name of the secret containing the object storage secret access key.

Cryostat Operator CR property: objectStorageOptions.storageBucketNameOptions

Helm chart property: -

Details: A series of configuration properties for object storage buckets.

These properties are only relevant when external storage is configured through spec.objectStorageOptions.provider.

Note: S3 storage providers typically require the use of bucket names that are globally unique across user accounts within the same S3 provider’s service. If you do not configure bucket names, the Operator attempts to use some default bucket names, which can result in unexpected failures at runtime if the bucket name is not globally unique. If you want to use a commercial S3 provider, consider generating and configuring randomized bucket names to ensure successful operation.

Cryostat Operator CR property: objectStorageOptions.storageBucketNameOptions.archivedRecordings

Helm chart property: storage.buckets.names.archivedRecordings

Details: The name of the bucket used to store archived JFR files.

Cryostat Operator CR property: objectStorageOptions.storageBucketNameOptions.archivedReports

Helm chart property: storage.buckets.names.archivedReports

Details: The name of the bucket used to store a cache of Automated Analysis reports attached to archived JFR files.

Cryostat Operator CR property: objectStorageOptions.storageBucketNameOptions.eventTemplates

Helm chart property: storage.buckets.names.eventTemplates

Details: The name of the bucket used to store custom event templates.

Cryostat Operator CR property: objectStorageOptions.storageBucketNameOptions.jmcAgentProbeTemplates

Helm chart property: storage.buckets.names.jmcAgentProbeTemplates

Details: The name of the bucket used to store JMC Agent Probe templates.

Cryostat Operator CR property: objectStorageOptions.storageBucketNameOptions.metadata

Helm chart property: storage.buckets.names.metadata

Details: The name of the bucket used to store metadata for other objects such as archived recordings.

This is only relevant if the spec.objectStorageOptions.provider.metadataMode or storage.provider.metadata.storageMode property is set to bucket.

Cryostat Operator CR property: objectStorageOptions.storageBucketNameOptions.heapDumps

Helm chart property: -

Details: The name of the bucket used to store JVM heap dumps.

Cryostat Operator CR property: objectStorageOptions.storageBucketNameOptions.threadDumps

Helm chart property: -

Details: The name of the bucket used to store JVM thread dumps.

Cryostat Operator CR property: -

Helm chart property: storage.provider.authentication.credentialsType

Details: Configuration for how the S3 client will locate credentials for the S3 service.
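
The following Python audit is an added example, not part of the Red Hat release notes or the Cryostat project's code. It checks a Cryostat CR that has been exported as JSON and loaded as a dict against the object storage properties listed above (url, tlsTrustAll, metadataMode, secretName, and the bucket name options), and it generates randomized bucket names. The severity labels, the https expectation, the bucket-name pattern, the sample CR, and the acme prefix are assumptions made for this example.

```python
import re
import secrets
from urllib.parse import urlparse

# Keys the release notes list under objectStorageOptions.storageBucketNameOptions.
BUCKET_KEYS = ("archivedRecordings", "archivedReports", "eventTemplates",
               "jmcAgentProbeTemplates", "metadata", "heapDumps", "threadDumps")
METADATA_MODES = ("tagging", "metadata", "bucket")  # documented default: tagging
# General S3 bucket name shape: 3-63 chars, lowercase letters, digits, dots, hyphens.
BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def audit_object_storage(cr):
    """Return sorted (severity, field, message) findings for one Cryostat CR dict."""
    findings = []
    opts = (cr.get("spec") or {}).get("objectStorageOptions") or {}
    provider = opts.get("provider")
    if not provider:
        # Without a provider block, the bucket name options are not relevant.
        return findings

    def add(severity, field, message):
        findings.append((severity, "spec.objectStorageOptions." + field, message))

    url = urlparse(provider.get("url") or "")
    if not url.hostname:
        add("high", "provider.url", "missing or has no host")
    elif url.scheme != "https":
        # Assumption of this example: external storage should be reached over TLS.
        add("medium", "provider.url", "scheme is not https")

    if provider.get("tlsTrustAll", False) is True:
        add("high", "provider.tlsTrustAll",
            "TLS certificate verification is disabled on the S3 client")

    mode = provider.get("metadataMode", "tagging")
    if mode not in METADATA_MODES:
        add("high", "provider.metadataMode", f"unknown mode {mode!r}")

    if not opts.get("secretName"):
        add("medium", "secretName", "no secret named for the storage access key")

    names = opts.get("storageBucketNameOptions") or {}
    for key in BUCKET_KEYS:
        if key == "metadata" and mode != "bucket":
            continue  # the metadata bucket only matters when metadataMode is bucket
        name = names.get(key)
        field = "storageBucketNameOptions." + key
        if not name:
            add("medium", field,
                "unset; the Operator default name may not be globally unique")
        elif not BUCKET_NAME_RE.match(name):
            add("high", field, f"{name!r} is not a valid S3 bucket name")
    return sorted(findings)


def suggest_bucket_names(prefix, mode="tagging"):
    """Build randomized, valid bucket names for every key the audit expects."""
    out = {}
    for key in BUCKET_KEYS:
        if key == "metadata" and mode != "bucket":
            continue
        out[key] = f"{prefix}-{key.lower()}-{secrets.token_hex(4)}"
    return out


# Constructed sample CR (not taken from a real cluster).
SAMPLE_CR = {
    "kind": "Cryostat",
    "metadata": {"name": "cryostat-sample"},
    "spec": {"objectStorageOptions": {
        "secretName": "s3-credentials",
        "provider": {
            "url": "https://s3.example.test",
            "region": "us-east-1",
            "tlsTrustAll": True,        # weak: disables certificate verification
            "metadataMode": "bucket",   # requires a metadata bucket name
        },
        "storageBucketNameOptions": {
            "archivedRecordings": "Cryostat_Recordings",   # invalid characters
            "archivedReports": "acme-cryostat-reports-5f2c91aa",
        },
    }},
}

if __name__ == "__main__":
    for severity, field, message in audit_object_storage(SAMPLE_CR):
        print(f"{severity:6} {field}: {message}")
    print(suggest_bucket_names("acme", mode="bucket"))
```
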

CR properties for configuring custom automated rules from a ConfigMap

From Cryostat 4.1 onward, you can use the Cryostat Operator to configure your Cryostat instance with custom automated rules that you have created in JSON files and stored in ConfigMaps. Cryostat 4.1 adds the automatedRules CR property, which you can use to specify any ConfigMaps and associated automated rule .json files that you want the Operator to preload in your Cryostat instance.

This feature provides an alternative way to add custom automated rules in your Cryostat instance without needing to upload them directly in the Cryostat web console.

CR properties for configuring probe templates from a ConfigMap

From Cryostat 4.1 onward, you can use the Cryostat Operator to configure your Cryostat instance with JDK Mission Control (JMC) agent probe templates that you have created in XML files and stored in ConfigMaps. Cryostat 4.1 adds the probeTemplates CR property, which you can use to specify any ConfigMaps and associated probe template .xml files that you want the Operator to preload in your Cryostat instance.

This feature provides an alternative way to add probe templates in your Cryostat instance without needing to upload them directly in the Cryostat web console.

CR properties for configuring stored credentials from a secret

From Cryostat 4.1 onward, you can use the Cryostat Operator to configure your Cryostat instance with stored credentials that you have created in a JSON file and stored in a secret. Cryostat 4.1 adds the storedCredentials CR property, which you can use to specify any secrets and associated credentials .json files that you want the Operator to preload in your Cryostat instance.

This feature provides an alternative way to add stored credentials in your Cryostat instance without needing to upload them directly in the Cryostat web console.

Default limits and increased request sizes for container resources

The Cryostat Operator now deploys Cryostat with preconfigured limits for each type of container resource that the Operator can manage. In addition, this release increases the preconfigured request sizes for certain types of container resources. If you do not specify custom request sizes, the preconfigured request sizes are applied by default. Similarly, if you do not specify custom request sizes and limits, the preconfigured limits are applied by default. These preconfigured values help to prevent Cryostat from consuming excess resources and negatively affecting other workloads.

The following table outlines the preconfigured request sizes and limits for different types of container resources in Cryostat 4.1:

| Resource | Requests | Limits |
| --- | --- | --- |
| Agent Proxy container CPU | 50m | 500m |
| Agent Proxy container Memory | 64Mi | 200Mi |
| Auth Proxy container CPU | 50m | 500m |
| Auth Proxy container Memory | 64Mi | 128Mi |
| Cryostat container CPU | 500m | 2000m |
| Cryostat container Memory | 348Mi | 1Gi |
| JFR Data Source container CPU | 200m | 500m |
| JFR Data Source container Memory | 200Mi | 500Mi |
| Grafana container CPU | 50m | 500m |
| Grafana container Memory | 128Mi | 256Mi |
| Database container CPU | 50m | 500m |
| Database container Memory | 64Mi | 200Mi |
| Storage container CPU | 50m | 500m |
| Storage container Memory | 256Mi | 512Mi |

File-based custom triggers for dynamic JFR recordings

From Cryostat 4.1 onward, as an alternative to configuring custom triggers for dynamic JFR recordings explicitly, you can define custom triggers in one or more text files and specify the file path as a configuration value instead. If you specify a file path, the Cryostat agent checks this location for any files that contain custom trigger definitions.

You can specify the file path for file-based custom triggers in either of the following ways:

  • By using the -Dcryostat.agent.smart-trigger.config.path JVM system property flag
  • By using the CRYOSTAT_AGENT_SMART_TRIGGER_CONFIG_PATH environment variable

The default value for these properties is an empty string.

Diagnostics dashboard card support for invoking heap dumps

From Cryostat 4.1 onward, the Diagnostics card in the Dashboard view of the Cryostat web console contains an Invoke Heap Dump button that you can use to invoke a heap dump for a selected target JVM. When you click this button, a Heap Dump Succeeded confirmation dialog is displayed in the upper-right corner of the panel, the heap dump is archived, and the View collected Heap Dumps icon is enabled. You can subsequently click the View collected Heap Dumps icon to open the Diagnostics > Analyze > Heap Dumps panel where the heap dump appears as a table entry.

Note

The Invoke Heap Dump button is only enabled for target JVMs that are configured to use the Cryostat agent. This button is disabled for target JVMs that are using a JMX connection.

Diagnostics dashboard card support for invoking thread dumps

From Cryostat 4.1 onward, the Diagnostics card in the Dashboard view of the Cryostat web console contains an Invoke Thread Dump button that you can use to invoke a thread dump for a selected target JVM. When you click this button, a Thread Dump Succeeded confirmation dialog is displayed in the upper-right corner of the panel, the thread dump is archived, and the View captured Thread Dumps icon is enabled. You can subsequently click the View captured Thread Dumps icon to open the Diagnostics > Analyze > Thread Dumps panel where the thread dump appears as a table entry.

Diagnostics > Capture view in Cryostat web console

In Cryostat 4.1, the Cryostat web console adds a new Capture view under the Diagnostics navigation menu. Similar to the Diagnostics card in the Dashboard view, you can use the Capture view to perform the following diagnostic operations:

  • Click the Invoke Garbage Collection button to instruct Cryostat to perform manual garbage collection for the selected target JVM. When you click this button, you can refresh the Heap Memory Usage chart to view the result of this operation.
  • Click the Invoke Thread Dump button to invoke a thread dump for the selected target JVM. When you click this button, a Thread Dump Succeeded confirmation dialog is displayed in the upper-right corner of the panel, the thread dump is archived, and the View captured Thread Dumps icon is enabled. You can subsequently click the View captured Thread Dumps icon to open the Diagnostics > Analyze > Thread Dumps panel where the thread dump appears as a table entry.
  • Click the Invoke Heap Dump button to invoke a heap dump for the selected target JVM. When you click this button, a Heap Dump Succeeded confirmation dialog is displayed in the upper-right corner of the panel, the heap dump is archived, and the View collected Heap Dumps icon is enabled. You can subsequently click the View collected Heap Dumps icon to open the Diagnostics > Analyze > Heap Dumps panel where the heap dump appears as a table entry.
  • The Capture view also includes a Heap Memory Usage chart showing details for the last 300 seconds (five minutes) at 10-second intervals. When you click the Invoke Garbage Collection button, you can refresh this chart to view the result of the garbage collection operation.

Diagnostics > Analyze > Heap Dumps view in Cryostat web console

In Cryostat 4.1, the Cryostat web console adds a new Heap Dumps view under the Diagnostics > Analyze navigation menu. The Heap Dumps view displays a list of collected heap dumps for a selected target JVM.

You can use the Heap Dumps view to perform the following types of actions:

  • View the list of heap dumps for a selected target or all targets.
  • View information about a selected target by clicking the information icon next to the Target drop-down list.
  • Filter the list of heap dumps by name or by label.
  • Add, edit, or delete key-value pair labels for heap dump metadata.
  • Download a heap dump.
  • Delete heap dumps.

Diagnostics > Analyze > Thread Dumps view in Cryostat web console

In Cryostat 4.1, the Cryostat web console adds a new Thread Dumps view under the Diagnostics > Analyze navigation menu. The Thread Dumps view displays a list of captured thread dumps for a selected target JVM.

You can use the Thread Dumps view to perform the following types of actions:

  • View the list of thread dumps for a selected target or all targets.
  • View information about a selected target by clicking the information icon next to the Target drop-down list.
  • Filter the list of thread dumps by name or by label.
  • Add, edit, or delete key-value pair labels for thread dump metadata.
  • Download a thread dump.
  • Delete thread dumps.

Settings view supports palette color selection and icon size controls

In the Settings view of the Cryostat web console, the General panel now includes an Accessibility area that you can use to configure the following look-and-feel settings:

  • The color palette drop-down list provides a list of color palette options that alter the actual display colors that are rendered for views such as the Automated Analysis Report, where color coding is used to indicate score severities. These different palettes allow users to adapt the rendered colors in the web console to suit different types of color blindness, if necessary. The list of available palettes includes Default, High Contrast, Monochrome (blues), and Monochrome (oranges).
  • The Use larger UI elements switch determines whether certain UI components, such as labels and icons, should be rendered in a larger size to suit visually impaired users. This switch is set to Off by default.

Topology tab in the Settings view

In Cryostat 4.1, the Settings view of the Cryostat web console includes a new Topology tab that opens a “Topology view configuration” panel. You can use this new panel to select which automated analysis report rule IDs should be analyzed or ignored by the Topology view. Your selections control how the Topology view determines the health status score of a target node and the number of rules to be evaluated when determining that score.

You can use this feature to omit any unwanted or extraneous information from the Topology view. For example, some automated analysis rules provide information about dynamic performance issues such as heap allocation and CPU usage whereas other rules provide information about potential JVM configuration issues. Because the Topology view is primarily intended to give a performance-oriented overview of the entire deployment, it is typically more useful for the health status score of target nodes to account for dynamic performance rules while ignoring configuration rules.

Cryostat Helm chart parameter for configuring custom event templates from a ConfigMap

When installing Cryostat by using a Helm chart, you can now configure Cryostat to use custom JFR event templates that you have created in XML-based .jfc files and stored in ConfigMaps. From Cryostat 4.1 onward, you can use the core.config.eventTemplates.configMapNames parameter to specify a list of ConfigMaps that each contain one or more event template .jfc files that are to be mounted to the Cryostat container.

Cryostat Helm chart parameter for configuring custom automated rules from a ConfigMap

When installing Cryostat by using a Helm chart, you can now configure Cryostat to use custom automated rules that you have created in JSON files and stored in ConfigMaps. From Cryostat 4.1 onward, you can use the core.config.rules.configMapNames parameter to specify a list of ConfigMaps that each contain one or more automated rule .json files that are to be mounted to the Cryostat container.

Cryostat Helm chart parameter for configuring probe templates from a ConfigMap

When installing Cryostat by using a Helm chart, you can now configure Cryostat to use JDK Mission Control (JMC) agent probe templates that you have created in XML files and stored in ConfigMaps. From Cryostat 4.1 onward, you can use the core.config.probeTemplates.configMapNames parameter to specify a list of ConfigMaps that each contain one or more probe template .xml files that are to be mounted to the Cryostat container.

Cryostat Helm chart parameter for configuring stored credentials from a secret

When installing Cryostat by using a Helm chart, you can now configure Cryostat to use stored credentials that you have created in JSON files and stored in secrets. From Cryostat 4.1 onward, you can use the core.config.credentials.secretNames parameter to specify a list of secrets that each contain one or more credentials .json files that are to be mounted to the Cryostat container.

Cryostat Helm chart parameters for configuring user-supplied annotations

When installing Cryostat by using a Helm chart, you can now configure annotations on the Services that the Helm chart generates. From Cryostat 4.1 onward, you can use a series of parameters to configure annotations for the core, reports, db, and storage service.

Cryostat Helm chart parameters for configuring additional environment variables for containers

When installing Cryostat by using a Helm chart, you can now configure extra configurations, extra environment variables, and Sources for extra variables for each type of container. From Cryostat 4.1 onward, you can use a series of parameters to configure these values for the Cryostat, reports generator, database, object storage, Grafana, JFR data source, OAuth2 proxy, and OpenShift OAuth proxy containers.

For more information about configuring extra environment variables, see the Kubernetes documentation on defining environment variables for a container. For more information about configuring Sources for extra variables, see the Kubernetes documentation on configuring all key-value pairs in a ConfigMap as container environment variables.

Cryostat Helm chart support for external database provider

When installing Cryostat by using a Helm chart, you can now configure the URL of the database instance. From Cryostat 4.1 onward, you can use the db.provider.url parameter to specify this URL. The specified database can be an in-cluster self-hosted instance with a host name such as db.myapp.local or it can be an external commercial database service. Ensure that the specified URL is a complete JDBC URL string including a scheme, host, and port. Also ensure that you provide user authentication information by using the core.databaseSecretName parameter to specify the name of the secret containing database keys. If you specify the URL for an unmanaged database instance, other database configuration settings such as pod annotations and service configurations are not relevant.

If you specify the URL for an external database provider, ensure that this database is a Postgres instance with the pgcrypto extension enabled. If you do not specify a value for the db.provider.url parameter, the Cryostat Helm chart automatically deploys a managed cryostat-db container instance.

Reports option in the Cryostat web console plug-in navigation menu

From Cryostat 4.1 onward, the navigation menu for the Cryostat web console plug-in also includes a Reports option. This option opens the Automated Reports panel, which provides a centralized way to view automated analysis report results across all targets. For more information about this panel, see Automated Reports view in Cryostat web console.

Support for registering application deployments with Cryostat from the OpenShift web console

From Cryostat 4.1 onward, once you have installed one or more Cryostat instances, you can register applications with a Cryostat instance directly from the OpenShift console. You can use this feature from the Workloads > Deployments page or the Topology page in the Developer perspective of the OpenShift console. Alternatively, you can use this feature from the Workloads > Topology page in the Administrator perspective.

When you click the overflow menu icon for a deployed application, you can select a Register with Cryostat option that opens a dialog where you can then select a Cryostat instance and click Submit. In the graphical Topology page, a Cryostat icon appears on the top-left of the registered node. By clicking this icon on the top-left of the node, you can open the Topology view of the Cryostat web console for the appropriate Cryostat instance.

Chapter 3. Feature enhancements

Cryostat 4.1 includes feature enhancements that build upon the Cryostat 3.0 offerings.

Configuration enhancements for IPv4 and IPv6 address handling

Cryostat 4.1 includes the following configuration enhancements for IPv4 and IPv6 address handling:

  • A new cryostat.discovery.kubernetes.ipv4.dns-transform.enabled configuration property is used to indicate whether Cryostat should transform IPv4 endpoint slice addresses to a Domain Name System (DNS) name. For example, this would transform an IPv4 address such as 1.2.3.4 to a host name such as 1-2-3-4.$namespace.pod. This property is set to true by default.
  • A new cryostat.discovery.ipv6-enabled configuration property is used to enable or disable IPv6 address handling. This property is useful for dual-stack clusters where individual pods might have IPv4 addresses, IPv6 addresses, or both. If you set this property to false, IPv6 address handling is disabled. This property is set to true by default.

Web console enhancement for viewing target JVM details within the current view

In the Cryostat web console, an information icon is now displayed next to the Target drop-down list in each panel where you can select a target JVM. By clicking the information icon, you can open a pop-up window that displays information about the selected target. This information is already accessible in other ways through, for example, the Topology view’s sidebar, the Target JVM Details dashboard card, or the left-hand series of cards in the Automated Reports view. However, this enhancement provides a convenient way to access information about the currently selected target without needing to navigate away from the current view.

Security view enhancement for list of imported SSL/TLS certificates

The Security view of the Cryostat web console includes the following enhancements:

  • The Imported SSL/TLS Certificates pane now displays the list of additional imported certificates in a more concise manner as a group of labels rather than a plain list.
  • The Stored Credentials table now includes a Topology icon in each table row that you can use to open the Match Expression visualizer for the selected credentials. This supersedes the behavior in earlier releases where each table row included an expandable (>) icon for viewing.

Consolidated Targets tab in Archives panel

In Cryostat 4.1, the Targets tab in the Flight Recorder > Analyze > Archives view now consolidates the old All Targets tab and target-specific lists of archives into a single tab. In this situation, when no target is selected, the panel displays a table of all available targets along with an expandable subtable for each target. If you select a target JVM, the panel then displays the list of archived recordings for the selected target. This enhancement provides a convenient way to view either all targets or the archived recordings for a specific target within the same view.

Automated Rules table enhancements

In Cryostat 4.1, the Flight Recorder > Capture > Automated Rules view includes the following enhancements to the Automated Rules table:

  • The information in the old “Maximum data age”, “Maximum data size”, “Archival period”, “Initial delay”, and “Preserved archived copies” columns is now consolidated into a series of key-value pair labels under a single Options column. This helps to streamline the information in the Automated Rules table for easier viewing.
  • The Match Expression column now includes a Topology icon in each table row that you can use to open the Match Expression visualizer for the selected rule directly from the table.
  • The overflow icon (⋮) next to each automated rule now includes an Edit option that you can use to edit an automated rule directly from the table. This option opens the Automated Rules > Create panel where you can update the selected rule.
  • The overflow icon (⋮) next to each automated rule now includes a Copy option that you can use to copy an automated rule directly from the table. This option opens the Automated Rules > Create panel where you can create a copy of the selected rule.

Cryostat web console navigation menu enhancements for JFR data

The Cryostat web console includes the following navigation menu enhancements for Java Flight Recorder (JFR) data:

  • The Flight Recorder > Capture > Recordings view now replaces the Active Recordings tab that was in the top-level Recordings view in earlier releases.
  • The Flight Recorder > Capture > Events view now replaces the top-level Events view that was in earlier releases.
  • The Flight Recorder > Capture > Automated Rules view now replaces the top-level Automated Rules view that was in earlier releases.
  • The Flight Recorder > Capture > Instrumentation view now replaces the Probe Templates tab that was in the top-level Events view in earlier releases.
  • The Flight Recorder > Analyze > Archives view now replaces both the top-level Archives view and the Archived Recordings tab that was in the top-level Recordings view in earlier releases.
  • The Flight Recorder > Analyze > Automated Reports view is new in this release and provides a centralized way to view automated analysis report results across all targets. For more information, see Automated Reports view in Cryostat web console.

Reorganized navigation menu options for the Cryostat web console plug-in

From Cryostat 4.1 onward, the options in the navigation menu for the Cryostat web console plug-in are presented in the following order:

  • Dashboard
  • Topology
  • Recordings
  • Archives
  • Events
  • Automated Rules
  • Reports
  • Instrumentation
  • Diagnostics
  • Analyze Thread Dumps
  • Analyze Heap Dumps
  • Security
  • About

Cryostat Grafana dashboard enhancements

In Cryostat 4.1, the Grafana dashboard includes the following enhancements:

  • A new expandable Recording Information row contains the Recording Duration and Recording Start Time panels.
  • A new expandable Frameworks row contains the Hibernate ORM, Quarkus REST Timeseries, and Quarkus REST Endpoint Statistics panels.
  • In the expandable Threads row, the Thread Context Switch Rate panel now uses hertz rather than rothz as a unit of measurement.

Chapter 4. Fixed issues

Cryostat releases can include fixes for issues identified in earlier versions. The following notes provide details about each issue and its resolution.

The following issues have been resolved in the Cryostat 4.1 release.

Cryostat is not updating the state of recordings started with the -XX:StartFlightRecording=duration=X JVM flag

Before Cryostat 4.1, if you started a fixed-duration recording by using the -XX:StartFlightRecording=duration=Xs flag, Cryostat did not automatically update the state of this recording after the specified duration had elapsed. This meant that the Active Recordings list in the Cryostat web console incorrectly showed a RUNNING state rather than a STOPPED state for these types of recordings.

Cryostat 4.1 resolves this issue by correctly updating the state of any stopped recordings.

Cryostat requires object storage to use the PUT object tagging API call

Before Cryostat 4.1, when archiving an active recording, Cryostat used the PUT object tagging S3 API call to attach metadata to the archived recording file. This metadata includes items such as the labels that were present on the active recording and tags that identify the source target’s connectUrl and jvmId. However, some S3-like storage providers do not support the PUT object tagging API call. For example, Backblaze B2 responds with error codes and other providers such as Wasabi and DigitalOcean Spaces ignore the request entirely. In addition, object tagging usually entails a maximum size for keys and values, and a maximum count of tags that can be applied to objects. Object metadata similarly entails a maximum size for keys and values, and a maximum payload size that can only be set when the data object is created. Consequently, these restrictions could have caused other potential problems with some S3 providers.

Cryostat 4.1 resolves this issue by introducing support for alternative methods of storing archived recording file metadata that do not rely on PUT object tagging API requests.

Cryostat fails to connect to JVM targets over IPv6

Before Cryostat 4.1, when running Cryostat and a sample application in an IPv6-enabled cluster, Cryostat was unable to connect to the target JVM. In this situation, Cryostat returned a connection attempt failed error.

Cryostat 4.1 resolves this issue by introducing improvements for handling IPv6 addresses.

Alias for target JVM includes encoded characters

Before Cryostat 4.1, in the Cryostat web console, the alias for the selected target JVM incorrectly included encoded characters. For example, a value such as /deployments/quarkus-run.jar was displayed as %2Fdeployments%2Fquarkus-run.jar.

Cryostat 4.1 resolves this issue by ensuring that target aliases are stored and displayed without URL encoding.

Match Expression Visualizer is not listing targets correctly in list view mode

Before Cryostat 4.1, in the Automated Rules view or the Security view of the Cryostat web console, when you opened the Match Expression visualizer in list mode, the displayed list of targets was incorrect.

Cryostat 4.1 resolves this issue by ensuring that the Match Expression visualizer displays the correct list of targets in list mode.

Chapter 5. Known issues

Sometimes a Cryostat release might contain an issue or issues that Red Hat acknowledges and might fix at a later stage during the product’s development. Review each known issue for its description and its possible workaround.

Periodic archiving for automated rules might not always cap the number of preserved copies

Description
When you create an automated rule that is set to periodically archive recordings and place an upper limit on the number of preserved archives, the number of archived copies for a target might continue to grow unbounded beyond the allowed upper limit. This issue typically appears only when the JVM target alias or the JFR recording name contains unexpected characters such as a colon (:) character.
Workaround
In JVM target aliases and JFR recording names, use only alphanumeric characters, hyphens (-), and periods (.). Avoid the use of other characters.
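
The workaround above can be checked before rules are created. The following is an added example, not code from Cryostat or Red Hat: it audits a list of target aliases and recording names against the allowed character set (ASCII alphanumerics, hyphens, periods), decoding URL-encoded values first. The sample names and the replacement policy in `audit_name` are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Anything outside the workaround's character set: alphanumerics, hyphens, periods.
UNSAFE_CHAR = re.compile(r"[^A-Za-z0-9.-]")


def audit_name(raw):
    """Return (decoded, offending_chars, suggestion) for one alias or recording name."""
    # Aliases may be held in URL-encoded form (see the fixed issue on encoded aliases),
    # so judge the decoded value rather than the stored string.
    decoded = unquote(raw)
    offending = sorted(set(UNSAFE_CHAR.findall(decoded)))
    # Hypothetical renaming policy: collapse each run of unsafe characters into one
    # hyphen, then trim leading and trailing separators.
    suggestion = re.sub(r"[^A-Za-z0-9.-]+", "-", decoded).strip("-.")
    return decoded, offending, suggestion


def audit(names):
    """Map every name that violates the workaround to its details."""
    findings = {}
    for raw in names:
        decoded, offending, suggestion = audit_name(raw)
        if offending or not decoded:
            findings[raw] = {
                "decoded": decoded,
                "offending": offending,
                "suggestion": suggestion,
            }
    return findings


# Constructed sample input (not taken from a real cluster).
SAMPLE_NAMES = [
    "quarkus-run.jar",
    "%2Fdeployments%2Fquarkus-run.jar",
    "service:9091",
    "my_recording",
    "vertx-fib-demo-1.0",
]

if __name__ == "__main__":
    for raw, f in audit(SAMPLE_NAMES).items():
        print(f"{raw!r}: unsafe {f['offending']} -> suggest {f['suggestion']!r}")
```
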

Instrumentation view is not updated when probes are inserted

Description
In the Flight Recorder > Capture > Instrumentation view of the Cryostat web console, when you upload a probe template and insert the probe for the correct target, a notification is displayed confirming that the probe was inserted. However, in this situation, the view is not updated and the Live Configuration tab does not automatically reflect the changes.
Workaround
Refresh your browser or navigate away from and then back to the Instrumentation view.

Instrumentation view incorrectly refers to target as undefined when displaying notification about a removed probe

Description
In the Flight Recorder > Capture > Instrumentation view of the Cryostat web console, when you remove a probe from a selected target, the view is updated and a notification is displayed confirming that the probe was removed. However, in this situation, the text of the notification incorrectly refers to an undefined target rather than the actual target.
Workaround
There is no workaround for this issue.

Instrumentation view cannot upload, display, or delete probe templates when no target is selected

Description
The Flight Recorder > Capture > Instrumentation view incorrectly requires that you select a target JVM first before you can upload, display, or delete probe templates.
Workaround
There is no workaround for this issue.

CR property description for objectStorageOptions.SecretName is incorrectly rendered in the Form view

Description
In the Form view of the Create Cryostat panel, when you expand Object Storage Options, the link text in the description of the Secret Name property is incorrectly rendered on screen.
Workaround
Click https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable to access the link.

Chapter 6. Advisories related to this release

The following advisories have been issued to document bug fixes and CVE fixes included in the Cryostat 4.1 release:

Revised on 2025-11-25 16:38:11 UTC

Legal Notice

Copyright © 2025 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.