Use jq to get partial models for sanity check for online update forbidden...

jshum2479 · rjeberhard · commit aa036f9209af · 2024-07-11T22:21:38.000Z
diff --git a/operator/src/main/resources/scripts/introspectDomain.sh b/operator/src/main/resources/scripts/introspectDomain.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# Copyright (c) 2018, 2023, Oracle and/or its affiliates.
+# Copyright (c) 2018, 2024, Oracle and/or its affiliates.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 #
@@ -185,6 +185,10 @@ doIntrospect() {
     if [ $? -ne 0 ] ; then
       trace SEVERE "DomainSourceType is 'FromModel', 'unzip' is missing in the image. Please use an image with 'unzip' installed" && exit 1
     fi
+    command -v jq
+    if [ $? -ne 0 ] ; then
+      trace SEVERE "DomainSourceType is 'FromModel' and 'onlineUpdate' is enabled, 'jq' is missing in the image. Please use an image with 'jq' installed" && exit 1
+    fi
     createFolder "${DOMAIN_HOME}" "DomainSourceType is 'FromModel' and this is the DOMAIN_HOME directory specified by 'domain.spec.domainHome'." || exit 1
     createWLDomain || exit 1
     created_domain=$DOMAIN_CREATED
diff --git a/operator/src/main/resources/scripts/model-diff.py b/operator/src/main/resources/scripts/model-diff.py
@@ -1,4 +1,4 @@
-# Copyright (c) 2019, 2022, Oracle and/or its affiliates.
+# Copyright (c) 2019, 2024, Oracle and/or its affiliates.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 #
 # ------------
@@ -46,8 +46,9 @@ def is_not_safe_for_online_update(self, model, original_model):
 
     def is_safe_diff(self, model, original_model):
         """
-        Is it a safe difference for update.
+        Is the difference safe for update.
         :param model: diffed model
+        :param original_model: original model (partial only contain server and template names)
         return 0 - always return 0 for V1
         """
 
@@ -103,48 +104,43 @@ def in_forbidden_list(self, model, original_model):
             for key in [ 'Server', 'ServerTemplate']:
                 # topology.Server|ServerTemplate
                 if model[_TOPOLOGY].has_key(key):
-                    temp = model[_TOPOLOGY][key]
-                    for server in temp:
+                    # topology.Server or topology.ServerTemplate
+                    svr_list = model[_TOPOLOGY][key]
+                    for server in svr_list:
+                        # topology.Server.item or topology.ServerTemplate.item
                         # cannot delete server or template
                         if server.startswith('!'):
                             return 1
                         # ok to add
                         if server not in original_model['topology'][key]:
                             continue
                         for not_this in forbidden_network_attributes:
-                            if temp[server].has_key(not_this):
+                            if svr_list[server].has_key(not_this):
                                 return 1
-                        if temp[server].has_key(_NAP):
-                            nap = temp[server][_NAP]
-                            for n in nap:
+                        if svr_list[server].has_key(_NAP):
+                            naps = svr_list[server][_NAP]
+                            for nap in naps:
                                 for not_this in forbidden_network_attributes:
-                                    if temp[server].has_key(not_this):
+                                    if svr_list[server][_NAP][nap].has_key(not_this):
                                         return 1
                         # Do not allow any SSL changes
-                        if temp[server].has_key(_SSL):
+                        if svr_list[server].has_key(_SSL):
                             return 1
 
         return 0
 
 
 class ModelFileDiffer:
 
-    def eval_file(self, file):
-        true = True
-        false = False
-        fh = open(file, 'r')
-        content = fh.read()
-        return eval(content)
+    def eval_string(self, string):
+        return eval(string)
 
     def compare(self):
-        original_model = self.eval_file(sys.argv[1])
-        # past_dict = self.eval_file(sys.argv[2])
+        original_topology = self.eval_string(sys.argv[1])
+        net_diff = self.eval_string(sys.argv[2])
         obj = ModelDiffer()
-        if os.path.exists('/tmp/diffed_model.json'):
-            net_diff = self.eval_file('/tmp/diffed_model.json')
-        else:
-            net_diff = {}
-        return obj.is_safe_diff(net_diff, original_model)
+        return obj.is_safe_diff(net_diff, original_topology)
+
 
 def debug(format_string, *arguments):
     if os.environ.has_key('DEBUG_INTROSPECT_JOB'):
diff --git a/operator/src/main/resources/scripts/modelInImage.sh b/operator/src/main/resources/scripts/modelInImage.sh
@@ -587,8 +587,8 @@ diff_model() {
   trace "Entering diff_model"
   # wdt shell script or logFileRotate may return non-zero code if trap is on, then it will go to trap instead
   # temporarily disable it
-  stop_trap
 
+  stop_trap
   export __WLSDEPLOY_STORE_MODEL__=1
   # $1 - new model, $2 original model
 
@@ -620,17 +620,36 @@ diff_model() {
     fi
   fi
 
+  #  Checking whether domain, rcu credentials have been changed - needed for offline
+  #  and also incompatible changes for online update.
+
   if [ "${MERGED_MODEL_ENVVARS_SAME}" == "false" ] ; then
-    # Generate diffed model update compatibility result
+    # Generate diffed model update compatibility result, use partial model to avoid loading large model
     local ORACLE_SERVER_DIR=${ORACLE_HOME}/wlserver
     local JAVA_PROPS="-Dpython.cachedir.skip=true ${JAVA_PROPS}"
     local JAVA_PROPS="-Dpython.path=${ORACLE_SERVER_DIR}/common/wlst/modules/jython-modules.jar/Lib ${JAVA_PROPS}"
     local JAVA_PROPS="-Dpython.console= ${JAVA_PROPS} -Djava.security.egd=file:/dev/./urandom"
     local CP=${ORACLE_SERVER_DIR}/server/lib/weblogic.jar
+    # Get partial models for sanity check for forbidden attribute change
+    local SERVER_OR_SERVERTEMPLATES_NAMES=$(jq '{ topology: { Server: (.topology.Server | with_entries(.value = {})),
+     ServerTemplate: (if .topology.ServerTemplate then (.topology.ServerTemplate | with_entries(.value = {})) else empty end)
+       }} | if .topology.ServerTemplate == {} then del(.topology.ServerTemplate) else . end' $2)
+    rc=$?
+    if [ $rc -ne 0 ] ; then
+      trace SEVERE "Failed to extract server names from original model using jq "$rc
+      exitOrLoop
+    fi
+    local PARTIAL_DIFFED_MODEL=$(jq '{domainInfo: .domainInfo, topology: .topology} | with_entries(select(.value != null))' /tmp/diffed_model.json)
+    rc=$?
+    if [ $rc -ne 0 ] ; then
+      trace SEVERE "Failed to extract domainInfo and topology from delta model using jq "$rc
+      exitOrLoop
+    fi
+
     ${JAVA_HOME}/bin/java -cp ${CP} \
       ${JAVA_PROPS} \
       org.python.util.jython \
-      ${SCRIPTPATH}/model-diff.py $2 > ${WDT_OUTPUT} 2>&1
+      ${SCRIPTPATH}/model-diff.py "$SERVER_OR_SERVERTEMPLATES_NAMES" "$PARTIAL_DIFFED_MODEL" > ${WDT_OUTPUT} 2>&1
     if [ $? -ne 0 ] ; then
       trace SEVERE "Failed to compare models. Error output:"
       cat ${WDT_OUTPUT}
@@ -640,7 +659,6 @@ diff_model() {
 
   wdtRotateAndCopyLogFile "${WDT_COMPARE_MODEL_LOG}"
 
-  # restore trap
   start_trap
 
   trace "Exiting diff_model"
