rajujith opened a new issue, #12697:
URL: https://github.com/apache/cloudstack/issues/12697
### problem
In a shared network with IPv6 only, i.e. the offering has only Security Group
as a service, the rules fail to apply on the KVM host:
```
2026-02-24 09:50:14,298 DEBUG [cloud.agent.Agent]
(AgentRequest-Handler-1:[]) (logid:58a52ca1) Request:Seq 2-7693555538432382383:
{ Cmd , MgmtId: 32988855272485, via: 2, Ver: v1, Flags: 100111,
[{"com.cloud.agent.api.SecurityGroupRulesCmd":{"guestIp6":"fd6f:ed8b:1fb6:dcb8:1:ff:fee2:2","vmName":"i-2-66-VM","guestMac":"02:01:00:e2:00:02","signature":"3f503368f6f02b0dd4fd636f3fb9cddd","seqNum":"12","vmId":"66","msId":"32988855272485","ingressRuleSet":[{"proto":"all","startPort":"0","endPort":"0"},{"proto":"icmp","startPort":"-1","endPort":"-1"}],"egressRuleSet":[],"vmTO":{"id":"66","name":"i-2-66-VM","state":"Running","type":"User","cpus":"1","minSpeed":"500","maxSpeed":"500","minRam":"(512.00
MB) 536870912","maxRam":"(512.00 MB) 536870912","arch":"x86_64","os":"Rocky
Linux 8","platformEmulator":"Rocky Linux
8","bootArgs":"","enableHA":"false","limitCpuUse":"false","enableDynamicallyScaleVm":"false","details":{"cpuOvercommitRatio":"2.0","Message.ReservedCapacityFreed.Flag":"false","
rootDiskController":"osdefault"},"uuid":"76ea93e1-00ac-4d1a-93e7-76f5a8341fed","enterHardwareSetup":"false","disks":[],"nics":[{"deviceId":"0","defaultNic":"true","pxeDisable":"false","nicUuid":"3afd5d0c-01ba-4ea6-81b6-6bac4768c5c2","details":{"PromiscuousMode":"false","ForgedTransmits":"true","MacAddressChanges":"true","MacLearning":"false"},"dpdkEnabled":"false","networkId":"226","networkSegmentName":"D1-A1-Z1-S226","uuid":"2ef0d164-5a22-410d-be12-d1256621141d","mac":"02:01:00:e2:00:02","broadcastType":"Vlan","type":"Guest","broadcastUri":"vlan://4001","securityGroupEnabled":"true","name":"cloudbr1","ip6address":"fd6f:ed8b:1fb6:dcb8:1:ff:fee2:2","ip6gateway":"fd6f:ed8b:1fb6:dcb8::1","ip6cidr":"fd6f:ed8b:1fb6:dcb8::/64"}],"vcpuMaxLimit":"1","configDriveLocation":"SECONDARY","guestOsDetails":{},"extraConfig":{},"networkIdToNetworkNameMap":{}},"wait":"0","bypassHostMaintenance":"false"}}]
}
2026-02-24 09:50:14,298 DEBUG [cloud.agent.Agent]
(AgentRequest-Handler-1:[]) (logid:58a52ca1) Processing command:
com.cloud.agent.api.SecurityGroupRulesCmd
2026-02-24 09:50:14,298 DEBUG [agent.properties.AgentPropertiesFileHandler]
(AgentRequest-Handler-1:[]) (logid:58a52ca1) Property [hypervisor.uri] has
empty or null value. Using default value [null].
2026-02-24 09:50:14,298 DEBUG [kvm.resource.LibvirtConnection]
(AgentRequest-Handler-1:[]) (logid:58a52ca1) Looking for libvirtd connection
at: qemu:///system
2026-02-24 09:50:14,301 DEBUG [kvm.resource.LibvirtVMDef]
(AgentRequest-Handler-1:[]) (logid:58a52ca1) Using informed label [hdc] for
volume [null].
2026-02-24 09:50:14,301 DEBUG [kvm.resource.LibvirtComputingResource]
(AgentRequest-Handler-1:[]) (logid:58a52ca1) Checking default network rules for
vm i-2-66-VM
2026-02-24 09:50:14,303 DEBUG [kvm.resource.LibvirtVMDef]
(AgentRequest-Handler-1:[]) (logid:58a52ca1) Using informed label [hdc] for
volume [null].
2026-02-24 09:50:14,303 DEBUG [kvm.resource.LibvirtComputingResource]
(AgentRequest-Handler-1:[]) (logid:58a52ca1) Executing command
[/usr/share/cloudstack-common/scripts/vm/network/security_group.py
default_network_rules --vmname i-2-66-VM --vmid 66 --vmip6
fd6f:ed8b:1fb6:dcb8:1:ff:fee2:2 --vmmac 02:01:00:e2:00:02 --vif vnet53 --brname
breth1-4001 --nicsecips 0; --isFirstNic --check ].
2026-02-24 09:50:14,438 DEBUG [kvm.resource.LibvirtComputingResource]
(AgentRequest-Handler-1:[]) (logid:58a52ca1) Successfully executed process
[1034954] for command
[/usr/share/cloudstack-common/scripts/vm/network/security_group.py
default_network_rules --vmname i-2-66-VM --vmid 66 --vmip6
fd6f:ed8b:1fb6:dcb8:1:ff:fee2:2 --vmmac 02:01:00:e2:00:02 --vif vnet53 --brname
breth1-4001 --nicsecips 0; --isFirstNic --check ].
2026-02-24 09:50:14,438 DEBUG [kvm.resource.LibvirtComputingResource]
(AgentRequest-Handler-1:[]) (logid:58a52ca1) Executing command
[/usr/share/cloudstack-common/scripts/vm/network/security_group.py
add_network_rules --vmname i-2-66-VM --vmid 66 --vmip null --vmip6
fd6f:ed8b:1fb6:dcb8:1:ff:fee2:2 --sig 3f503368f6f02b0dd4fd636f3fb9cddd --seq 12
--vmmac 02:01:00:e2:00:02 --vif vnet53 --brname breth1-4001 --nicsecips 0;
--rules
I:all;0;0;fd6f:ed8b:1fb6:dcb8::/64,NEXT;I:icmp;-1;-1;fd6f:ed8b:1fb6:dcb8::/64,NEXT;
].
2026-02-24 09:50:14,438 WARN [kvm.resource.LibvirtComputingResource]
(AgentRequest-Handler-1:[]) (logid:58a52ca1) Exception [null] occurred when
attempting to run command
[/usr/share/cloudstack-common/scripts/vm/network/security_group.py
add_network_rules --vmname i-2-66-VM --vmid 66 --vmip null --vmip6
fd6f:ed8b:1fb6:dcb8:1:ff:fee2:2 --sig 3f503368f6f02b0dd4fd636f3fb9cddd --seq 12
--vmmac 02:01:00:e2:00:02 --vif vnet53 --brname breth1-4001 --nicsecips 0;
--rules
I:all;0;0;fd6f:ed8b:1fb6:dcb8::/64,NEXT;I:icmp;-1;-1;fd6f:ed8b:1fb6:dcb8::/64,NEXT;
]. java.lang.NullPointerException
at java.base/java.lang.ProcessBuilder.start(ProcessBuilder.java:1092)
at java.base/java.lang.ProcessBuilder.start(ProcessBuilder.java:1073)
at com.cloud.utils.script.Script.execute(Script.java:254)
at com.cloud.utils.script.Script.execute(Script.java:219)
at
com.cloud.hypervisor.kvm.resource.LibvirtComputingResource.addNetworkRules(LibvirtComputingResource.java:5545)
at
com.cloud.hypervisor.kvm.resource.wrapper.LibvirtSecurityGroupRulesCommandWrapper.execute(LibvirtSecurityGroupRulesCommandWrapper.java:62)
at
com.cloud.hypervisor.kvm.resource.wrapper.LibvirtSecurityGroupRulesCommandWrapper.execute(LibvirtSecurityGroupRulesCommandWrapper.java:36)
at
com.cloud.hypervisor.kvm.resource.wrapper.LibvirtRequestWrapper.execute(LibvirtRequestWrapper.java:78)
at
com.cloud.hypervisor.kvm.resource.LibvirtComputingResource.executeRequest(LibvirtComputingResource.java:2280)
at com.cloud.agent.Agent.processRequest(Agent.java:813)
at com.cloud.agent.Agent$AgentRequestHandler.doTask(Agent.java:1295)
at com.cloud.utils.nio.Task.call(Task.java:83)
at com.cloud.utils.nio.Task.call(Task.java:29)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.base/java.lang.Thread.run(Thread.java:840)
2026-02-24 09:50:14,438 WARN
[resource.wrapper.LibvirtSecurityGroupRulesCommandWrapper]
(AgentRequest-Handler-1:[]) (logid:58a52ca1) Failed to program network rules
for vm i-2-66-VM
```
### versions
4.22.0.0
### The steps to reproduce the bug
1. Create a shared guest network offering only with Security Group
2. Create a guest network with the offering
3. Deploy VM and configure the Security Group rules. No error is thrown but
the rules won't work.
...
### What to do about it?
SG rules should be applied.
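A log check for the silent failure reported above, added here as an example (it is not CloudStack code and not part of the original issue): it rejoins wrapped agent log records and lists VMs whose `add_network_rules` call was given `--vmip null`, raised an exception at launch, or ended in "Failed to program network rules". The sample log is abridged from the issue's log plus one constructed healthy record; the timestamp-based record splitting and the reason labels are assumptions.

```python
import re

# Abridged from the agent log in the issue; the i-2-67-VM record is constructed.
SAMPLE_LOG = """\
2026-02-24 09:50:14,438 DEBUG [kvm.resource.LibvirtComputingResource]
(AgentRequest-Handler-1:[]) (logid:58a52ca1) Executing command
[security_group.py add_network_rules --vmname i-2-66-VM --vmid 66 --vmip null
--vmip6 fd6f:ed8b:1fb6:dcb8:1:ff:fee2:2 --seq 12 --vif vnet53 ].
2026-02-24 09:50:14,438 WARN [kvm.resource.LibvirtComputingResource]
(AgentRequest-Handler-1:[]) (logid:58a52ca1) Exception [null] occurred when
attempting to run command [security_group.py add_network_rules --vmname
i-2-66-VM --vmid 66 ]. java.lang.NullPointerException
2026-02-24 09:50:14,438 WARN
[resource.wrapper.LibvirtSecurityGroupRulesCommandWrapper]
(AgentRequest-Handler-1:[]) (logid:58a52ca1) Failed to program network rules
for vm i-2-66-VM
2026-02-24 09:51:02,120 DEBUG [kvm.resource.LibvirtComputingResource] Executing
command [security_group.py add_network_rules --vmname i-2-67-VM --vmip 10.1.1.5 ].
"""

# Assumption: every agent log record starts with "YYYY-MM-DD HH:MM:SS,mmm ".
RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
CHECKS = [  # (reason label, pattern applied to one rejoined record)
    ("program-failed", r"Failed to program network rules for vm \S+"),
    ("null-vmip", r"add_network_rules .*--vmip null(\s|$)"),
    ("launch-exception", r"Exception \[.*?\] occurred .*add_network_rules"),
]
VM_NAME = re.compile(r"(?:for vm|--vmname) (\S+)")

def records(text):
    """Rejoin wrapped lines into one string per log record."""
    current = []
    for line in text.splitlines():
        if RECORD_START.match(line) and current:
            yield " ".join(current)
            current = []
        current.append(line.strip())
    if current:
        yield " ".join(current)

def find_unenforced(text):
    """Return {vm_name: sorted reasons} for VMs whose SG rules did not apply."""
    findings = {}
    for rec in records(text):
        vm = VM_NAME.search(rec)
        for reason, pattern in CHECKS:
            if vm and re.search(pattern, rec):
                findings.setdefault(vm.group(1), set()).add(reason)
    return {vm: sorted(reasons) for vm, reasons in findings.items()}
```

Because the issue notes that no error is surfaced to the user, a check like this over the KVM agent log is one way to find instances that are running without their Security Group rules.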