1. Patching with OPatch
  2. Obtaining, Creating, and Updating Oracle Fusion Middleware Images with Patches

2 Obtaining, Creating, and Updating Oracle Fusion Middleware Images with Patches

Use Oracle recommended procedures to obtain, create, and update WebLogic Server and Oracle Fusion Middleware (FMW) images with patches, and to update existing containers running in production.

Oracle WebLogic Server and other FMW products can run in containers such as Docker or CRI-O, and in Kubernetes. For the list of products that support running in containers and Kubernetes, see the supported configuration information at https://www.oracle.com/middleware/technologies/ias/oracleas-supported-virtualization.html.

To run WebLogic Server and FMW products in containers and Kubernetes, you must create container images that, not only include these products, but can also be used to start the containers in which these products run. Oracle strongly recommends running FMW products with the latest security fixes applied, by using the patches released through the Oracle Critical Patch Update (CPU) Program. In addition, you may require one-off or interim patches to resolve specific issues. Therefore, you should periodically update WebLogic Server and FMW images to include the required patches and use the patched images to update the existing containers running in production.

FMW images typically include:
  • An operating system
  • A Java Developer Kit (JDK)
  • The applicable FMW product or products
  • Patches, if available
  • Your WebLogic domains and applications, if available

You can use these images in the containers that run the FMW products and applications.

To create and update these images, one option is to use Dockerfiles. FMW products may provide Dockerfile examples for your reference. See also, WebLogic Server Dockerfile examples.

However, best practices in image creation, helps you limit the size of images and update them efficiently. Using past experience in creating and updating FMW images, Oracle has developed the open source, WebLogic Image Tool (WIT). See WebLogic Image Tool.

Introduction to the Open Source WebLogic Image Tool

The WebLogic Image Tool uses best practices to create smaller FMW images which are optimized for starting and running containers in production. Use the following WIT commands to create and update images:

Create Image

Use the create command to:
  • Create new images for these Supported Fusion Middleware Products.
  • Create new FMW images that include FMW patches applied by OPatch, so that the images contain the required patches.
  • Create new FMW images that, not only include the required patches, but also contain files and settings, such as domain configurations, properties, scripts, libraries, and applications.

For more information, see the Create Image WIT documentation.

Update Image

Use the update command to update existing images that were created using WIT, to not only include the patches applied by Opatch, but also include files and settings, such as domain configurations, properties, scripts, libraries, and applications. For more information, see the Update Image WIT documentation.

Rebase Image

Use the rebase command to create a new container image that reuses an existing WebLogic domain from an existing image. For more information, see the Rebase Image WIT documentation.

In all use cases, Oracle recommends using WIT to create and update FMW images. Although you can use Dockerfiles and customized scripts, using WIT optimizes the image size and improves the supportability of the images that you create and update.

Parent topic: Obtaining, Creating, and Updating Oracle Fusion Middleware Images with Patches

Using the Oracle Container Registry

If you prefer to use or start with the images created by Oracle, you may use the pre-built FMW images available in the Oracle Container Registry (OCR). OCR provides FMW images that contain no patches (GA images) and images that include the latest CPU updates. For example, the WebLogic Server and FMW Infrastructure images contain the WebLogic Server and FMW Infrastructure binaries with Patch Set Updates (PSUs), Critical Patch Updates (CPUs), and Security Patch Updates (SPUs). See the middleware/weblogic_cpu or middleware/fmw-infrastructure_cpu repositories for listings of these images. For more information, see Oracle Container Registry.

All of the WebLogic Server based FMW product images, hosted on OCR, are created using WIT. As such, you also can use WIT to update these images.

For example, you can download a WebLogic Server 12.2.1.4 image:
  • With the latest WebLogic Server PSU and use this image in production environments.
  • With the latest WebLogic Server PSU and use this image with updates, such as domain configurations, properties, scripts, libraries, and applications in production environments.
  • With the latest WebLogic Server PSU and update this image with domain configurations, properties, scripts, libraries, and applications, and with specific one-off patches, as required by your applications or environment.
  • With no patches and update this image with domain configurations, properties, scripts, libraries, and applications, and with specific WebLogic Server PSU and one-off patches, as required by your applications or environment.

Note:

When you update existing FMW images using WIT, the process extends the image (the base image) and creates new layers resulting in a bloated final image that is larger than the original image, as well as larger than a new image if you were to create or recreate it using WIT. For small updates, such as a one-off patch, the increase in image size may be negligible. However, for larger updates, the increase in size will be significant, therefore, you should instead, recreate the image with the applicable patches or artifacts.

When applying bundle patches or interim patches to WebLogic Server or FMW images, consider the following recommendations:
  • Use the WIT update command to patch WebLogic Server or FMW upper stack product images with a single interim patch. These patches are typically small and do not significantly increase the final image size.
  • Use the WIT create command to create new WebLogic Server or FMW upper stack product images with a bundle patch and multiple interim patches. These patches can be large and may significantly increase the final image size. The create command helps you optimize the image size.
  • Use the WIT rebase command to patch WebLogic Server or FMW Infrastructure images, which contain WebLogic binaries, while reusing the existing WebLogic domain from the existing image (Domain in Image domain home source type). For more details, see Domain in Image.

Parent topic: Obtaining, Creating, and Updating Oracle Fusion Middleware Images with Patches

Identifying the Images Created Using the WebLogic Image Tool

Some Oracle products that are layered on top of WebLogic Server (for example, some of the Global Business Unit products) do not use WIT to create their images. These products may use their own Dockerfiles and scripts to build product images that extend the WebLogic Server image.

To identify whether the WebLogic Server or FMW image was created using WIT, run the following command:
$ docker inspect -f '{{index .Config.Labels}}’ image-name:1
Images created using WIT will include the following label:
com.oracle.weblogic.imagetool.buildid:[hash]
Additionally, with WIT created images, the WIT inspect command will provide information, such as:
  • Version of WebLogic Server
  • Version of JDK
  • Version of the operating system
  • Name of the user who owns the image
  • Patches applied to the WebLogic Server installation

For more information, see Inspect Image.

If the image was not created using WIT, you can create your own Dockerfile and scripts to update the image or request support from the product team that created the image.

Parent topic: Obtaining, Creating, and Updating Oracle Fusion Middleware Images with Patches

Applying Patches to WebLogic Domains Running in Kubernetes

Oracle recommends using the WebLogic Kubernetes Operator (the Operator) when running WebLogic Server containers in Kubernetes. By using the Operator, you can update WebLogic Server containers running in clusters and domains in a sequential or rolling fashion, so that the applications running in these domains and clusters remain available to external clients. For more information, see Apply patched images to a running domain in the WebLogic Kubernetes Operator documentation.

The Operator supports the following WebLogic domain home source types:
  • Model in Image: The primary image contains the JDK and the WebLogic binaries. A separate, auxiliary image contains WebLogic Deployment Tool (WDT) model files, WDT variable files, and application archive file. For more information, see Auxiliary images in the WebLogic Kubernetes Operator documentation.
  • Domain in Persistent Volume (PV): The primary image contains the JDK and WebLogic binaries. The domain home and application binaries are in a shared PV.

One difference between these domain home source types is how you use them to create and update WebLogic images so that the Operator can apply the update in a rolling fashion to ensure application availability. See Choose a domain home source type in the WebLogic Kubernetes Operator documentation.

Parent topic: Obtaining, Creating, and Updating Oracle Fusion Middleware Images with Patches

Using the Domain Custom Resource

In Kubernetes, the Domain Custom Resource contains the image name that the Operator uses to start the containers and pods where WebLogic Server instances will be running. For all three domain home source types, you edit the Domain Custom Resource to supply the name of the new, patched image so that the Operator can manage the WebLogic domain update. See Domain resource in the Operator documentation.

For each domain home source type, Oracle recommends the following patch update approaches:

Model in Image

  • To apply patches to a WebLogic primary image, use a patched image from OCR, or the create or update WIT command (according to the previously stated recommendations in "Using the Oracle Container Registry").
  • Edit the Domain Custom Resource with the name of the patched primary image, then the Operator will initiate a rolling restart of the WebLogic domain to update the Oracle Home of the running servers.

Note:

Model in Image domains can use auxiliary images to isolate WebLogic updates from application updates. This isolation simplifies the update process when applying patches. When many domains running in Kubernetes, run the same WebLogic Server version, you can update a single primary image to patch all the domains, and the Operator will apply the update in a rolling fashion. You need not make any changes to the auxiliary image. For more information, see Auxiliary images in the WebLogic Kubernetes Operator documentation.

Domain in PV

  • To apply patches a WebLogic primary image, use a patched image from OCR, or the create or update WIT command (according to the previously stated recommendations in "Using the Oracle Container Registry").
  • Edit the Domain Custom Resource with the name of the patched WebLogic Server image, then the Operator will initiate a rolling restart of the WebLogic domain to update the Oracle Home of the running servers.

Parent topic: Obtaining, Creating, and Updating Oracle Fusion Middleware Images with Patches