Security Group Rules fails to apply on IPv6 only shared network #12697

@rajujith

problem

In a shared network with IPv6 only, i.e. the offering has only Security Group as a service, the rules fail to apply on the KVM host:

2026-02-24 09:50:14,298 DEBUG [cloud.agent.Agent] (AgentRequest-Handler-1:[]) (logid:58a52ca1) Request:Seq 2-7693555538432382383:  { Cmd , MgmtId: 32988855272485, via: 2, Ver: v1, Flags: 100111, [{"com.cloud.agent.api.SecurityGroupRulesCmd":{"guestIp6":"fd6f:ed8b:1fb6:dcb8:1:ff:fee2:2","vmName":"i-2-66-VM","guestMac":"02:01:00:e2:00:02","signature":"3f503368f6f02b0dd4fd636f3fb9cddd","seqNum":"12","vmId":"66","msId":"32988855272485","ingressRuleSet":[{"proto":"all","startPort":"0","endPort":"0"},{"proto":"icmp","startPort":"-1","endPort":"-1"}],"egressRuleSet":[],"vmTO":{"id":"66","name":"i-2-66-VM","state":"Running","type":"User","cpus":"1","minSpeed":"500","maxSpeed":"500","minRam":"(512.00 MB) 536870912","maxRam":"(512.00 MB) 536870912","arch":"x86_64","os":"Rocky Linux 8","platformEmulator":"Rocky Linux 8","bootArgs":"","enableHA":"false","limitCpuUse":"false","enableDynamicallyScaleVm":"false","details":{"cpuOvercommitRatio":"2.0","Message.ReservedCapacityFreed.Flag":"false","rootDiskController":"osdefault"},"uuid":"76ea93e1-00ac-4d1a-93e7-76f5a8341fed","enterHardwareSetup":"false","disks":[],"nics":[{"deviceId":"0","defaultNic":"true","pxeDisable":"false","nicUuid":"3afd5d0c-01ba-4ea6-81b6-6bac4768c5c2","details":{"PromiscuousMode":"false","ForgedTransmits":"true","MacAddressChanges":"true","MacLearning":"false"},"dpdkEnabled":"false","networkId":"226","networkSegmentName":"D1-A1-Z1-S226","uuid":"2ef0d164-5a22-410d-be12-d1256621141d","mac":"02:01:00:e2:00:02","broadcastType":"Vlan","type":"Guest","broadcastUri":"vlan://4001","securityGroupEnabled":"true","name":"cloudbr1","ip6address":"fd6f:ed8b:1fb6:dcb8:1:ff:fee2:2","ip6gateway":"fd6f:ed8b:1fb6:dcb8::1","ip6cidr":"fd6f:ed8b:1fb6:dcb8::/64"}],"vcpuMaxLimit":"1","configDriveLocation":"SECONDARY","guestOsDetails":{},"extraConfig":{},"networkIdToNetworkNameMap":{}},"wait":"0","bypassHostMaintenance":"false"}}] }
2026-02-24 09:50:14,298 DEBUG [cloud.agent.Agent] (AgentRequest-Handler-1:[]) (logid:58a52ca1) Processing command: com.cloud.agent.api.SecurityGroupRulesCmd
2026-02-24 09:50:14,298 DEBUG [agent.properties.AgentPropertiesFileHandler] (AgentRequest-Handler-1:[]) (logid:58a52ca1) Property [hypervisor.uri] has empty or null value. Using default value [null].
2026-02-24 09:50:14,298 DEBUG [kvm.resource.LibvirtConnection] (AgentRequest-Handler-1:[]) (logid:58a52ca1) Looking for libvirtd connection at: qemu:///system
2026-02-24 09:50:14,301 DEBUG [kvm.resource.LibvirtVMDef] (AgentRequest-Handler-1:[]) (logid:58a52ca1) Using informed label [hdc] for volume [null].
2026-02-24 09:50:14,301 DEBUG [kvm.resource.LibvirtComputingResource] (AgentRequest-Handler-1:[]) (logid:58a52ca1) Checking default network rules for vm i-2-66-VM
2026-02-24 09:50:14,303 DEBUG [kvm.resource.LibvirtVMDef] (AgentRequest-Handler-1:[]) (logid:58a52ca1) Using informed label [hdc] for volume [null].
2026-02-24 09:50:14,303 DEBUG [kvm.resource.LibvirtComputingResource] (AgentRequest-Handler-1:[]) (logid:58a52ca1) Executing command [/usr/share/cloudstack-common/scripts/vm/network/security_group.py default_network_rules --vmname i-2-66-VM --vmid 66 --vmip6 fd6f:ed8b:1fb6:dcb8:1:ff:fee2:2 --vmmac 02:01:00:e2:00:02 --vif vnet53 --brname breth1-4001 --nicsecips 0; --isFirstNic --check ].
2026-02-24 09:50:14,438 DEBUG [kvm.resource.LibvirtComputingResource] (AgentRequest-Handler-1:[]) (logid:58a52ca1) Successfully executed process [1034954] for command [/usr/share/cloudstack-common/scripts/vm/network/security_group.py default_network_rules --vmname i-2-66-VM --vmid 66 --vmip6 fd6f:ed8b:1fb6:dcb8:1:ff:fee2:2 --vmmac 02:01:00:e2:00:02 --vif vnet53 --brname breth1-4001 --nicsecips 0; --isFirstNic --check ].
2026-02-24 09:50:14,438 DEBUG [kvm.resource.LibvirtComputingResource] (AgentRequest-Handler-1:[]) (logid:58a52ca1) Executing command [/usr/share/cloudstack-common/scripts/vm/network/security_group.py add_network_rules --vmname i-2-66-VM --vmid 66 --vmip null --vmip6 fd6f:ed8b:1fb6:dcb8:1:ff:fee2:2 --sig 3f503368f6f02b0dd4fd636f3fb9cddd --seq 12 --vmmac 02:01:00:e2:00:02 --vif vnet53 --brname breth1-4001 --nicsecips 0; --rules I:all;0;0;fd6f:ed8b:1fb6:dcb8::/64,NEXT;I:icmp;-1;-1;fd6f:ed8b:1fb6:dcb8::/64,NEXT; ].
2026-02-24 09:50:14,438 WARN  [kvm.resource.LibvirtComputingResource] (AgentRequest-Handler-1:[]) (logid:58a52ca1) Exception [null] occurred when attempting to run command [/usr/share/cloudstack-common/scripts/vm/network/security_group.py add_network_rules --vmname i-2-66-VM --vmid 66 --vmip null --vmip6 fd6f:ed8b:1fb6:dcb8:1:ff:fee2:2 --sig 3f503368f6f02b0dd4fd636f3fb9cddd --seq 12 --vmmac 02:01:00:e2:00:02 --vif vnet53 --brname breth1-4001 --nicsecips 0; --rules I:all;0;0;fd6f:ed8b:1fb6:dcb8::/64,NEXT;I:icmp;-1;-1;fd6f:ed8b:1fb6:dcb8::/64,NEXT; ]. java.lang.NullPointerException
        at java.base/java.lang.ProcessBuilder.start(ProcessBuilder.java:1092)
        at java.base/java.lang.ProcessBuilder.start(ProcessBuilder.java:1073)
        at com.cloud.utils.script.Script.execute(Script.java:254)
        at com.cloud.utils.script.Script.execute(Script.java:219)
        at com.cloud.hypervisor.kvm.resource.LibvirtComputingResource.addNetworkRules(LibvirtComputingResource.java:5545)
        at com.cloud.hypervisor.kvm.resource.wrapper.LibvirtSecurityGroupRulesCommandWrapper.execute(LibvirtSecurityGroupRulesCommandWrapper.java:62)
        at com.cloud.hypervisor.kvm.resource.wrapper.LibvirtSecurityGroupRulesCommandWrapper.execute(LibvirtSecurityGroupRulesCommandWrapper.java:36)
        at com.cloud.hypervisor.kvm.resource.wrapper.LibvirtRequestWrapper.execute(LibvirtRequestWrapper.java:78)
        at com.cloud.hypervisor.kvm.resource.LibvirtComputingResource.executeRequest(LibvirtComputingResource.java:2280)
        at com.cloud.agent.Agent.processRequest(Agent.java:813)
        at com.cloud.agent.Agent$AgentRequestHandler.doTask(Agent.java:1295)
        at com.cloud.utils.nio.Task.call(Task.java:83)
        at com.cloud.utils.nio.Task.call(Task.java:29)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        at java.base/java.lang.Thread.run(Thread.java:840)

2026-02-24 09:50:14,438 WARN  [resource.wrapper.LibvirtSecurityGroupRulesCommandWrapper] (AgentRequest-Handler-1:[]) (logid:58a52ca1) Failed to program network rules for vm i-2-66-VM

versions

4.22.0.0

The steps to reproduce the bug

  1. Create a shared guest network offering only with Security Group
  2. Create a guest network with the offering
  3. Deploy VM and configure the Security Group rules. No error is thrown but the rules won't work.
    ...

What to do about it?

SG rules should be applied.
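
Because the failure is only visible as a WARN line in the KVM agent log, an operator can scan that log for VMs whose security group rules were never programmed. The following is an added example, not part of the original report or of CloudStack's code: it pairs each `add_network_rules` command with a later "Failed to program network rules" line and reports any argument logged as the literal `null`, as `--vmip` is in the log quoted above. It assumes that lines of one request share a `logid`, as they do in that log; the sample lines and the function names are constructed for illustration.

```python
import re

# Constructed sample: shortened agent log lines in the same shape as those quoted in the issue.
SAMPLE_LOG = """\
2026-02-24 09:50:14,438 DEBUG [kvm.resource.LibvirtComputingResource] (AgentRequest-Handler-1:[]) (logid:58a52ca1) Executing command [/usr/share/cloudstack-common/scripts/vm/network/security_group.py add_network_rules --vmname i-2-66-VM --vmid 66 --vmip null --vmip6 fd6f:ed8b:1fb6:dcb8:1:ff:fee2:2 --seq 12 ].
2026-02-24 09:50:14,438 WARN  [kvm.resource.LibvirtComputingResource] (AgentRequest-Handler-1:[]) (logid:58a52ca1) Exception [null] occurred when attempting to run command [/usr/share/cloudstack-common/scripts/vm/network/security_group.py add_network_rules --vmname i-2-66-VM --vmip null ]. java.lang.NullPointerException
        at java.base/java.lang.ProcessBuilder.start(ProcessBuilder.java:1092)
2026-02-24 09:50:14,438 WARN  [resource.wrapper.LibvirtSecurityGroupRulesCommandWrapper] (AgentRequest-Handler-1:[]) (logid:58a52ca1) Failed to program network rules for vm i-2-66-VM
2026-02-24 09:51:02,101 DEBUG [kvm.resource.LibvirtComputingResource] (AgentRequest-Handler-2:[]) (logid:aa11bb22) Executing command [/usr/share/cloudstack-common/scripts/vm/network/security_group.py add_network_rules --vmname i-2-70-VM --vmid 70 --vmip 10.1.1.5 --seq 3 ].
"""

LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+) +(?P<level>\w+) +\[[^\]]+\] .*?\(logid:(?P<logid>\w+)\) (?P<msg>.*)$")
ADD_RULES = re.compile(r"Executing command \[\S*security_group\.py add_network_rules (?P<args>.*?)\]")
FAILED = re.compile(r"Failed to program network rules for vm (?P<vm>\S+)")

def parse_args(arg_string):
    """Turn '--flag value --switch' into {'--flag': 'value', '--switch': True}."""
    tokens, out = arg_string.split(), {}
    for i, tok in enumerate(tokens):
        if tok.startswith("--"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            out[tok] = nxt if nxt and not nxt.startswith("--") else True
    return out

def unprogrammed_vms(log_text):
    """Return {vm_name: details} for VMs whose add_network_rules run ended in failure."""
    pending = {}   # logid -> arguments of the last add_network_rules command seen
    findings = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # stack-trace frames and blank lines carry no logid
        logid, msg = m["logid"], m["msg"]
        cmd = ADD_RULES.search(msg)
        if cmd:
            pending[logid] = parse_args(cmd["args"])
            continue
        fail = FAILED.search(msg)
        if fail:
            args = pending.pop(logid, {})
            findings[fail["vm"]] = {
                "ts": m["ts"], "logid": logid, "seq": args.get("--seq"),
                # arguments the agent logged as the literal string "null"
                "null_args": sorted(k for k, v in args.items() if v == "null"),
            }
    return findings

if __name__ == "__main__":
    for vm, info in unprogrammed_vms(SAMPLE_LOG).items():
        print(vm, info)
```
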
