PMM-14876 - 3.8.0-Staging-RN

sources/metadata/pmm-server/3.8.0.yaml

@@ -0,0 +1,6 @@
+version: 3.8.0
+imageInfo:
+  image_path: "perconalab/pmm-server:3.8.0-rc"
+  image_hash: "sha256:bb7121dcb01c612a92b50c69d4da5da79faa6b1315742851b95bf5ebba4604dc"
+  image_release_timestamp: "2026-05-21T22:36:02.343594Z"
+  status: "available"

sources/metadata/pmm-server/3.7.2.yaml → sources/metadata/pmm-server/3.8.1.yaml

@@ -1,6 +1,6 @@
-version: 3.7.2
+version: 3.8.1
 imageInfo:
   image_path: "perconalab/pmm-server:3-dev-latest"
   image_hash: "sha256:eb2f1aa9c44a76347f2bf011e21a1264e9ab8a76d8d625b7e6995a62e0e169fa"
-  image_release_timestamp: "2026-04-27T9:01:02.343594Z"
+  image_release_timestamp: "2026-05-22T9:01:02.343594Z"
   status: "available"

sources/release-notes/pmm/3.7.1.md

@@ -1,3 +1,143 @@
 ## Release summary
 
-Here goes 3.7.1 release summary and release notes...
+PMM 3.7.1 is primarily a security release. It fixes several CVEs in third-party dependencies, upgrades key components including Grafana, Nomad, and VictoriaMetrics, and masks database credentials in logs to make log sharing safer.
+
+It also adds a MongoDB storage fragmentation view, makes PMM Client setup more flexible for containerized environments, and fixes issues in Real-Time Analytics (RTA), dashboards, and exporters.
+
+## Release highlights
+
+### Spot MongoDB storage fragmentation at a glance
+
+The [MongoDB Cluster Summary](https://docs.percona.com/percona-monitoring-and-management/3/reference/dashboards/dashboard-mongodb-cluster-summary.html) and [MongoDB ReplSet Summary](https://docs.percona.com/percona-monitoring-and-management/3/reference/dashboards/dashboard-mongodb-replset-summary.html) dashboards now include a **Fragmentation Analysis** panel showing the ratio of free to allocated storage per collection. Use it to quickly identify collections wasting disk space due to frequent deletes or document moves, and decide where running `compact` will have the most impact.
+
+![Fragmentation Analysis panel](https://docs.percona.com/percona-monitoring-and-management/3/images/Fragmentation.jpg)
+
+### Safer log sharing with automatic credential masking
+
+PMM now masks database passwords and connection-string credentials in logs. This helps you share logs for troubleshooting without exposing sensitive values.
+
+## Security updates
+
+PMM 3.7.1 upgrades key components and addresses several security vulnerabilities in third-party dependencies:
+
+### Bypass gRPC authorization checks ([CVE-2026-33186](https://nvd.nist.gov/vuln/detail/CVE-2026-33186))
+
+Fixed by upgrading gRPC dependencies to ≥1.79.3 across all PMM components. This vulnerability was not exploitable in PMM's architecture, but the fix removes it entirely.
+
+### Grafana SQL expressions remote code execution ([CVE-2026-27876](https://nvd.nist.gov/vuln/detail/CVE-2026-27876))
+
+Fixed by upgrading Grafana to 11.6.14. PMM doesn't enable the `sqlExpressions` feature toggle, so this wasn't exploitable in practice, but we applied the fix anyway.
+
+### Go standard library vulnerabilities
+
+We've upgraded the Go toolchain to 1.25.8+ across all PMM binaries to fix the following:
+
+- TLS sessions could resume unexpectedly ([CVE-2025-68121](https://nvd.nist.gov/vuln/detail/CVE-2025-68121))
+- Crafted query parameters could exhaust memory resources ([CVE-2025-61726](https://nvd.nist.gov/vuln/detail/CVE-2025-61726))
+- Crafted zip archives could exhaust CPU resources ([CVE-2025-61728](https://nvd.nist.gov/vuln/detail/CVE-2025-61728))
+- IPv6 host literals could be parsed incorrectly in PMM Server and Client binaries ([CVE-2026-25679](https://nvd.nist.gov/vuln/detail/CVE-2026-25679))
+
+### Remaining third-party security risks
+
+Some vulnerabilities in third-party dependencies could not be fixed in this release because upstream fixes were not yet available. Percona assessed each one and considers the risk low for typical PMM deployments. Affected dependencies will be updated as fixes become available.
+
+#### Hijack PATH in OpenTelemetry SDK ([CVE-2026-24051](https://nvd.nist.gov/vuln/detail/CVE-2026-24051), [CVE-2026-39883](https://nvd.nist.gov/vuln/detail/CVE-2026-39883))
+
+##### Affected component
+
+Grafana (third-party dependency, otel/sdk v1.39.0).
+
+##### Why this is hard to exploit in PMM
+
+To exploit this, an attacker would need local filesystem access to the PMM Server container and control over the PATH environment variable. PMM Server runs in a locked-down container with no shell access, so if someone has that level of access, the container is already compromised.
+
+##### Mitigating factors
+
+- PMM Server is meant to run on trusted infrastructure with restricted access.
+- The container doesn't give unprivileged users shell access.
+- Remote exploitation is not possible.
+
+##### Risk decision
+
+We're accepting this risk for PMM 3.7.1 and will fix it in a future dependency update.
+
+#### Bypass Docker AuthZ plugin checks ([CVE-2026-34040](https://nvd.nist.gov/vuln/detail/CVE-2026-34040))
+
+##### Affected component
+
+HashiCorp Nomad (third-party dependency, docker/moby v28.5.2).
+
+##### Why this is hard to exploit in PMM
+
+This affects Docker daemon AuthZ plugins when handling oversized request bodies. Nomad in PMM doesn't run as a Docker daemon and doesn't use Docker AuthZ plugins. Nomad is also off by default.
+
+##### Mitigating factors
+
+- Nomad is disabled by default and needs to be explicitly enabled.
+- The vulnerable Docker daemon code path is not used by Nomad in PMM.
+- Nomad doesn't expose Docker daemon interfaces.
+
+##### Risk decision
+
+We're accepting this risk for PMM 3.7.1 and will fix it in a future dependency update.
+
+#### Go standard library vulnerabilities in Grafana ClickHouse Datasource plugin
+
+The following CVEs remain present in this third-party plugin build: [CVE-2026-25679](https://nvd.nist.gov/vuln/detail/CVE-2026-25679), [CVE-2026-27137](https://nvd.nist.gov/vuln/detail/CVE-2026-27137), [CVE-2026-32280](https://nvd.nist.gov/vuln/detail/CVE-2026-32280), [CVE-2026-32281](https://nvd.nist.gov/vuln/detail/CVE-2026-32281), [CVE-2026-32283](https://nvd.nist.gov/vuln/detail/CVE-2026-32283), [CVE-2026-33810](https://nvd.nist.gov/vuln/detail/CVE-2026-33810).
+
+##### Affected component
+
+Grafana ClickHouse Datasource plugin (third-party dependency, built with Go 1.26.0).
+
+##### Why this is hard to exploit in PMM
+
+These are Go standard library issues in the ClickHouse Datasource plugin. The plugin only connects to the local ClickHouse instance over localhost, so no external or user-controlled URLs, certificates, or TLS connections go through this code.
+
+##### Mitigating factors
+
+- The plugin only connects to ClickHouse within the PMM Server container.
+- PMM doesn't expose the plugin's URL parsing or certificate validation to untrusted input.
+- These are denial-of-service vulnerabilities — they don't allow code execution, privilege escalation, or unauthorized data access.
+
+##### Risk decision
+
+We're accepting this risk for PMM 3.7.1. The fix requires an upstream rebuild of the plugin with Go ≥1.26.2, which isn't available yet. We'll address it once it is.
+
+#### How to reduce risk
+
+To lower your exposure in the meantime:
+
+- restrict network access to PMM Server to trusted networks and users.
+- keep the number of PMM admins small and enforce strong authentication.
+- apply resource limits to PMM Server containers where possible.
+- keep Nomad disabled unless you specifically need it.
+
+## Components upgrade
+
+- **VictoriaMetrics**: Upgraded from v1.138.0 to v1.140.0.
+- **Nomad**: Upgraded from v1.11.3 to v2.0.0.
+- **Grafana ClickHouse Datasource**: Upgraded to v4.15.0.
+
+## Improvements
+
+- [PMM-14875](https://perconadev.atlassian.net/browse/PMM-14875): Added a **Fragmentation Analysis** panel to the MongoDB Cluster Summary and MongoDB ReplSet Summary dashboards.
+
+- [PMM-14832](https://perconadev.atlassian.net/browse/PMM-14832): You can now use the `--proc-mounts-path` flag with `pmm-agent setup` or set `PMM_AGENT_SETUP_PROC_MOUNTS_PATH` as an environment variable to tell PMM Client where to find `/proc/mounts`. Use this if you are running PMM Client in a container or non-standard environment where the file is not at its default location and disk metrics show up as missing or incorrect.
+
+- [PMM-14399](https://perconadev.atlassian.net/browse/PMM-14399): Improved docs for Docker deployments. The [Docker Easy-install guide](https://docs.percona.com/percona-monitoring-and-management/3/install-pmm/install-pmm-server/deployment-options/docker/easy-install.html) now includes a troubleshooting section for the `FATAL: /srv is not writable for pmm user` error, with steps to resolve Docker volume ownership issues.
+
+## Fixed issues
+
+- [PMM-14983](https://perconadev.atlassian.net/browse/PMM-14983): Users with Viewer and Editor roles would see 401 Unauthorized errors on the Real-Time Analytics (RTA) page and could not load the list of available services. This issue is now fixed.
+
+- [PMM-14984](https://perconadev.atlassian.net/browse/PMM-14984): Fixed an upgrade issue where PMM could fail with a "failed to migrate database" error in some environments.
+
+- [PMM-14852](https://perconadev.atlassian.net/browse/PMM-14852): Fixed data display issues in the Transactions, Cache Capacity, Sessions, and Pages panels of the [MongoDB InMemory Details](https://docs.percona.com/percona-monitoring-and-management/3/reference/dashboards/dashboard-mongodb-inmemory-details.html) dashboard. These panels now use InMemory metrics instead of WiredTiger metrics. In addition, duplicate or irrelevant template variables were removed.
+
+- [PMM-14981](https://perconadev.atlassian.net/browse/PMM-14981): Fixed a documentation issue in the [Kubernetes deployment topic](https://docs.percona.com/percona-monitoring-and-management/3/install-pmm/install-pmm-client/kubernetes.html) where incomplete configuration could cause `permission denied` errors when running PMM Client as a non-root user. The example now includes an init container that sets the required directory permissions before PMM Client starts.
+
+- [PMM-14958](https://perconadev.atlassian.net/browse/PMM-14958): Fixed remaining duplicate metric errors in `mysqld_exporter` logs when monitoring MySQL instances with GTID and parallel replication enabled. Following the partial fix in PMM 3.6.0, errors for `mysql_perf_schema_replication_group_worker_transport_time_seconds` and `mysql_perf_schema_file_instances_total` are now also fixed.
+
+- [PMM-14957](https://perconadev.atlassian.net/browse/PMM-14957), [PMM-14951](https://perconadev.atlassian.net/browse/PMM-14951): Fixed an issue where navigating between dashboards could corrupt query parameters, causing dashboards to show no data or use an incorrect time zone.
+
+- [PMM-14940](https://perconadev.atlassian.net/browse/PMM-14940): Fixed external links on Grafana plugin pages (such as **AlertManager** and **Bar chart**) that previously showed a blank page or opened inside PMM instead of in a new tab.

sources/release-notes/pmm/3.8.0.md

@@ -0,0 +1,54 @@
+## Release summary
+
+- TODO
+
+## Release highlights
+
+### Grafana 12.4 upgrade
+
+PMM 3.8.0 ships with [Grafana 12.4](https://grafana.com/docs/grafana/latest/whatsnew/whats-new-in-v12-0/), so you will notice several day-to-day monitoring improvements right away:
+
+**Faster monitoring dashboards**: Tables in PMM dashboards load, sort, and filter significantly faster. This affects dashboards across PMM including **Nodes Overview**, **MySQL User Details**, **PostgreSQL Instances Overview**, MongoDB, and HA/PXC **Cluster Summary**.
+
+**Less alert noise**: Alert rules now support a [**Recovering** state](https://grafana.com/docs/grafana/latest/whatsnew/whats-new-in-v12-0/#recovering-state-for-alert-rules). This helps avoid repeated fire/resolved notifications when a metric keeps moving above and below an alert threshold, so you get fewer noisy alerts for spiky metrics like replication lag, query response time, and connection counts.
+
+**Custom dashboard compatibility**: All PMM-provided dashboards are unaffected by Grafana 12's Angular removal. If you have custom dashboards using legacy **Graph (old)** or **Table (old)** panels, Grafana will auto-migrate them on first load.
+
+**Recording rules**: Alert rules now support [**recording rules**](https://grafana.com/docs/grafana/latest/alerting/alerting-rules/create-recording-rules/), which pre-calculate frequently used or expensive queries and store the results as new metrics. This can simplify complex alert conditions and improve query performance at scale.
+
+## Components upgrade
+
+- **Grafana**: Upgraded to 12.4.
+
+## Security updates
+
+- [PMM-15005](https://perconadev.atlassian.net/browse/PMM-15005): Removed a self-signed TLS certificate that was previously included in the PMM Server image to suppress ClickHouse startup log noise. Because the same certificate was shared across all PMM Server installations, CVE scanners flagged it as a security risk. Since ClickHouse in PMM doesn't use TLS, the startup log noise is now suppressed without needing a certificate at all.
+
+## Deprecations
+
+- [PMM-14968](https://perconadev.atlassian.net/browse/PMM-14968): UI-based upgrades are now officially deprecated and will be removed in PMM 3.9.0 (July 2026). PMM now shows a warning on all pages where UI-based upgrades were available. Switch to [Docker](https://docs.percona.com/percona-monitoring-and-management/3/pmm-upgrade/upgrade_docker.html), [Podman](https://docs.percona.com/percona-monitoring-and-management/3/pmm-upgrade/upgrade_podman.html), or [Helm](https://docs.percona.com/percona-monitoring-and-management/3/pmm-upgrade/upgrade_helm.html) before then. If you use Watchtower, remove it before switching to avoid conflicts.
+
+## Improvements
+
+- [PMM-12392](https://perconadev.atlassian.net/browse/PMM-12392): Improved how PMM collects processlist data on MySQL 5.7.39+ and 8.0.22+ by switching from Information Schema to Performance Schema. On busy MySQL instances, this reduces the chance of query blocking and deadlocks, lowering the overall monitoring impact on your MySQL server workload.
+
+- [PMM-14937](https://perconadev.atlassian.net/browse/PMM-14937): When adding a MySQL, PostgreSQL, MongoDB, ProxySQL, Valkey, Amazon RDS, or Azure service, you can now set a **Connection timeout** to control how long PMM waits before giving up on a connection attempt. This is useful when monitoring remote or high-latency databases where the default timeout is too short.
+
+- [PMM-14068](https://perconadev.atlassian.net/browse/PMM-14068): The [PostgreSQL Instance Summary](https://docs.percona.com/percona-monitoring-and-management/3/reference/dashboards/dashboard-postgresql-instance-summary.html) dashboard is now easier to read: summary panels use a consistent color scheme to help you spot issues faster, the layout fits laptop screens without cutting off panels, and tables no longer require horizontal scrolling to see all data.
+
+- [PMM-14930](https://perconadev.atlassian.net/browse/PMM-14930): Building on the [native PMM navigation introduced in 3.6.0](https://docs.percona.com/percona-monitoring-and-management/3/3.6.0.html), the **Settings** page now also runs in native PMM UI. You get the same settings with **Metrics resolution**, **Advanced settings**, and **SSH key** tabs in a page that loads faster and looks consistent with the rest of the new interface. Access it at **Configuration > Settings** in the left sidebar.
+
+  ![PMM Settings in native UI](https://docs.percona.com/percona-monitoring-and-management/3/images/PMM_Settings_native_ui.png)
+
+- [PMM-14995](https://perconadev.atlassian.net/browse/PMM-14995): PMM has been updated with Percona's refreshed brand. You'll notice the updated logo across the sidebar, login screen, and help center, along with new technology icons for MySQL, PostgreSQL, MongoDB, and Valkey, and a refreshed color palette throughout the interface.
+
+## Fixed issues
+
+- [PMM-14748](https://perconadev.atlassian.net/browse/PMM-14748): Fixed dashboards resetting the time zone to the browser default when navigating between pages. All dashboards now respect the time zone set in your profile preferences. See [Set time zone](https://docs.percona.com/percona-monitoring-and-management/3/reference/ui/timezone.html).
+
+- [PMM-14791](https://perconadev.atlassian.net/browse/PMM-14791): Resolved an issue in the **Disk Space** graphs on the **Disk Details** dashboard where values were hard to read, legend labels were missing, and charts were displayed incorrectly.
+
+- [PMM-14512](https://perconadev.atlassian.net/browse/PMM-14512): Fixed the **BP Data Dirty** panel on the **MySQL InnoDB Details** dashboard showing no data after upgrading from PMM 2. The panel now correctly displays the ratio of dirty to data pages in the InnoDB buffer pool.
+
+- [PMM-14851](https://perconadev.atlassian.net/browse/PMM-14851): Fixed a bug in the PMM Helm chart that could cause `ClusterRole` to fail when deploying PMM on Kubernetes. The chart now deploys without RBAC errors.
+- [PMM-14934](https://perconadev.atlassian.net/browse/PMM-14934): Fixed an issue where the `GF_SECURITY_ADMIN_USER` and `GF_SECURITY_ADMIN_PASSWORD` environment variables were ignored when starting PMM Server with a named Docker volume (`-v pmm-data:/srv`). You can now use these variables to set the admin username and password at first start, regardless of how the data volume is mounted. As part of this fix, **the first start after upgrading takes about 20–30 seconds longer** than usual while PMM initializes. Subsequent starts are unaffected. PMM HA deployments are unimpacted.

sources/release-notes/pmm/3.8.1.md

@@ -0,0 +1,3 @@
+## Release summary
+
+Here goes 3.8.1 release summary and release notes...