Unable to update the security groups of a VM

[eduardovra]

problem

I'm using the newly released feature that allows enabling security groups support in advanced zones, and I'm unable to change the security groups assigned to VMs in my shared network.

This is the error returned:

(dev) 🐱 > update virtualmachine id=450bbfd5-55a7-44d3-966b-99772d50a405 securitygroupnames=default
🙈 Error: (HTTP 530, error code 9999) Cannot invoke "com.cloud.network.Network.getTrafficType()" because "network" is null

The problem seems to be related to a permissions check, it's possible to go around that error by manually inserting a record into the network_permissions table.

(dev) 🐱 > create networkpermissions accountids=7ad6fcd9-bb8b-48e0-83eb-01263c2907c6 networkid=aa67cbd3-4aae-4b7c-87cb-51b1f0605d8e
🙈 Error: (HTTP 431, error code 4350) network is already shared in domain

MariaDB [cloud]> insert into network_permissions (network_id, account_id) values (228,2319);
Query OK, 1 row affected (0.003 sec)

After this, the update virtualmachine call works and the SG is updated normally.

Code reference: https://github.com/apache/cloudstack/blob/main/server/src/main/java/com/cloud/network/NetworkModelImpl.java#L1727

versions

Cloudstack 4.20.

The steps to reproduce the bug

1. Enable security groups support in an advanced zone
2. Create a shared network that is accessible to all accounts (selected scope is ALL), the network offering selected enables SGs.
3. Stop a VM and try to change the security groups either using the UI or API, both won't work

What to do about it?

No response

[boring-cyborg]

Thanks for opening your first issue here! Be sure to follow the issue template!

[eduardovra]

Reference #9415