
[4.22] Prevent Load Balancer rule creation when adding a VM from a different network#12785

Open
nvazquez wants to merge 1 commit into apache:4.22 from shapeblue:422-lb-rules-fix-networks

Conversation

@nvazquez
Contributor

Description

This PR backports an issue fixed by PR #12487 for VPCs not using conserve mode. Since VPC Conserve mode is added on 4.23, only the logic that applies to this issue has been backported from the commit: b6fbdc3

To reproduce the issue:

  • Create a VPC
  • Create two VPC tiers: Tier 1 and Tier 2.
  • Deploy one VM in each tier.
  • Acquire a public IP for the VPC.
  • Create a Port Forwarding rule on Tier 1, which associates the IP with Tier 1.
  • Attempt to create a Load Balancer rule using the same IP but specifying networkid=<tier2_id>.

The issue has been detected using cmk (UI does not allow adding a VM to a LB from a different network).

Before the fix: CloudStack allows the addition of VMs from different networks to the load balancer

After the fix:

(localcloud) 🐱 > create loadbalancerrule privateport=8080 publicport=8080 name=LB algorithm=roundrobin publicipid=dd5d9043-86b4-44d3-80fd-f4523b9f69cd networkid=a97dce8b-6cd7-4bc0-807a-24dc515b5f34
🙈 Error: (HTTP 431, error code 9999) Cannot create Load Balancer rule LB as the IP address 10.0.60.206 is not associated with the network VPC-Default-T2 (ID=a97dce8b-6cd7-4bc0-807a-24dc515b5f34)

Types of changes

  • Breaking change (fix or feature that would cause existing functionality to change)
  • New feature (non-breaking change which adds functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • Enhancement (improves an existing feature and functionality)
  • Cleanup (Code refactoring and cleanup, that may add test cases)
  • Build/CI
  • Test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

  • Major
  • Minor

Bug Severity

  • BLOCKER
  • Critical
  • Major
  • Minor
  • Trivial

Screenshots (if appropriate):

How Has This Been Tested?

How did you try to break this feature and the system with this change?
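As an added illustration of the check this PR backports (example code written for this page, not CloudStack's own code and not the diff under review): a self-contained Java model of the network-consistency rule. Only the method name verifyLoadBalancerRuleNetwork and the error text come from the page; the classes Network, IpAddress and NetworkMismatchException, and the createRule helper, are assumed stand-ins for CloudStack's Network, IPAddressVO, its exception type and the rule-creation path. The driver walks the reproduction scenario from the description: a PF rule binds the IP to tier1, a same-tier LB rule is accepted, a cross-tier LB rule is rejected, and an LB rule on a never-associated IP is accepted.

```java
import java.util.Objects;

// Added example, not CloudStack code. Models the check behind this PR:
// an LB rule whose networkid disagrees with the network the public IP is
// already associated with must be rejected rather than silently re-targeted.
public class LoadBalancerNetworkCheck {

    /** Assumed stand-in for a VPC tier (CloudStack's Network). */
    static final class Network {
        final String id;
        final String name;
        Network(String id, String name) { this.id = id; this.name = name; }
    }

    /** Assumed stand-in for a public IP (CloudStack's IPAddressVO).
     *  associatedNetworkId stays null until a PF/LB rule binds the IP to a tier. */
    static final class IpAddress {
        final String address;
        String associatedNetworkId;
        IpAddress(String address) { this.address = address; }
    }

    /** Assumed stand-in for the exception CloudStack raises (HTTP 431 in cmk). */
    static final class NetworkMismatchException extends RuntimeException {
        NetworkMismatchException(String msg) { super(msg); }
    }

    /**
     * Reject the rule when the caller's networkid differs from the network the
     * IP is already associated with. Before the fix the mismatched networkid was
     * replaced by the IP's network, so the rule landed on the wrong tier with no error.
     */
    static void verifyLoadBalancerRuleNetwork(String lbName, Network network, IpAddress ip) {
        if (ip.associatedNetworkId == null) {
            return; // unassociated IP: creating the rule will associate it
        }
        if (!Objects.equals(ip.associatedNetworkId, network.id)) {
            throw new NetworkMismatchException(String.format(
                "Cannot create Load Balancer rule %s as the IP address %s is not associated with the network %s (ID=%s)",
                lbName, ip.address, network.name, network.id));
        }
    }

    /** Simplified rule creation: run the check, then bind the IP to the tier. */
    static void createRule(String ruleName, Network network, IpAddress ip) {
        verifyLoadBalancerRuleNetwork(ruleName, network, ip);
        ip.associatedNetworkId = network.id;
    }

    public static void main(String[] args) {
        // Constructed sample data mirroring the reproduction steps above.
        Network tier1 = new Network("tier1-id", "tier1");
        Network tier2 = new Network("tier2-id", "tier2");
        IpAddress ip = new IpAddress("10.0.58.224");

        createRule("pf-tier1", tier1, ip);          // PF rule associates the IP with tier1
        createRule("lb-same-tier", tier1, ip);      // same tier: accepted

        try {
            createRule("lb-cross-test", tier2, ip); // mismatched networkid: rejected
            System.out.println("UNEXPECTED: cross-tier rule was created");
        } catch (NetworkMismatchException e) {
            System.out.println("Rejected as expected: " + e.getMessage());
        }

        IpAddress freshIp = new IpAddress("10.0.58.225");
        createRule("lb-fresh-ip", tier2, freshIp);  // never-associated IP: accepted
        System.out.println("lb-fresh-ip bound to " + freshIp.associatedNetworkId);
    }
}
```

The model deliberately keeps the null-association branch: the regression case in the review below (LB on a fresh IP) depends on an unassociated IP still being accepted, and a check that compared ids unconditionally would break it.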

@nvazquez
Contributor Author

@blueorangutan package

@blueorangutan

@nvazquez a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@blueorangutan

Packaging result [SF]: ✖️ el8 ✖️ el9 ✔️ debian ✖️ suse15. SL-JID 17082

@nvazquez
Contributor Author

@blueorangutan package

@blueorangutan

@nvazquez a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@blueorangutan

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 17083

@nvazquez
Contributor Author

@blueorangutan test

@blueorangutan

@nvazquez a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

@codecov

codecov bot commented Mar 10, 2026

Codecov Report

❌ Patch coverage is 0% with 8 lines in your changes missing coverage. Please review.
✅ Project coverage is 17.61%. Comparing base (7aa0558) to head (7911153).
⚠️ Report is 6 commits behind head on 4.22.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| ...loud/network/lb/LoadBalancingRulesManagerImpl.java | 0.00% | 8 Missing ⚠️ |
Additional details and impacted files
@@             Coverage Diff              @@
##               4.22   #12785      +/-   ##
============================================
- Coverage     17.61%   17.61%   -0.01%     
- Complexity    15664    15665       +1     
============================================
  Files          5917     5917              
  Lines        531402   531410       +8     
  Branches      64971    64971              
============================================
  Hits          93596    93596              
- Misses       427252   427260       +8     
  Partials      10554    10554              
| Flag | Coverage Δ |
|---|---|
| uitests | 3.70% <ø> (ø) |
| unittests | 18.68% <0.00%> (-0.01%) ⬇️ |


Inline review comment by a Contributor on LoadBalancingRulesManagerImpl.java, at this diff context:

    }
    /**

    protected void verifyLoadBalancerRuleNetwork(String lbName, Network network, IPAddressVO ipVO) {

why protected? private seems appropriate.

@blueorangutan

[SF] Trillian test result (tid-15602)
Environment: kvm-ol8 (x2), zone: Advanced Networking with Mgmt server ol8
Total time taken: 47306 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr12785-t15602-kvm-ol8.zip
Smoke tests completed. 146 look OK, 3 have errors, 0 did not run
Only failed and skipped tests results shown below:

| Test | Result | Time (s) | Test File |
|---|---|---|---|
| ContextSuite context=TestListIdsParams>:teardown | Error | 1.11 | test_list_ids_parameter.py |
| test_01_snapshot_root_disk | Error | 4.82 | test_snapshots.py |
| test_02_list_snapshots_with_removed_data_store | Error | 45.54 | test_snapshots.py |
| test_02_list_snapshots_with_removed_data_store | Error | 45.55 | test_snapshots.py |
| ContextSuite context=TestSnapshotStandaloneBackup>:teardown | Error | 26.22 | test_snapshots.py |
| test_01_snapshot_usage | Error | 25.62 | test_usage.py |
| test_01_vpn_usage | Error | 1.08 | test_usage.py |

@weizhouapache (Member) left a comment

code lgtm

@sureshanaparti (Contributor) left a comment

clgtm

@RosiKyu (Collaborator) left a comment

Backport Verification - Silent networkId Override Fix on 4.22

LGTM

  • Silent networkId override: Fixed on 4.22 backport. LB rule creation with a mismatched networkid now returns a proper error instead of silently creating the rule on the IP's associated network.
  • Regressions: None found. Existing 4.22 VPC operations are unaffected by the backported fix - same-tier LB creation, LB on unassociated IPs, multiple LB rules on the same tier, and PF with mismatched networkid rejection all work as expected.

Fix Verification

Setup:

  • VPC with Default VPC offering
  • Two tiers: tier1 (4ef87ed3), tier2 (9686d3ec)
  • VMs: vm1 on tier1, vm2 on tier2
  • Public IP 10.0.58.224 acquired, PF rule created on tier1 (IP associated with tier1)

Test: Create LB rule specifying networkid=tier2 on IP already associated with tier1

(localcloud) 🐱 > create portforwardingrule ipaddressid=0b015042-204c-4779-a2a5-f8be3b9b8d56 networkid=4ef87ed3-d26b-441b-9690-a97480c9193f virtualmachineid=6295caa3-c373-4e5b-9d00-e10de1c5f3e6 publicport=22 privateport=22 protocol=TCP openfirewall=false
  "state": "Active",
  "networkid": "4ef87ed3-d26b-441b-9690-a97480c9193f"

(localcloud) 🐱 > create loadbalancerrule publicipid=0b015042-204c-4779-a2a5-f8be3b9b8d56 networkid=9686d3ec-c3bd-4592-8086-d1fab1aaa4cf name=lb-cross-test algorithm=roundrobin publicport=80 privateport=80
Error (HTTP 431, error code 9999): Cannot create Load Balancer rule lb-cross-test as the IP address 10.0.58.224 is not associated with the network tier2 (ID=9686d3ec-c3bd-4592-8086-d1fab1aaa4cf)

Result: FIXED. API correctly rejects LB rule creation when the specified networkid does not match the IP's associated network. Previously the networkid was silently overridden and the rule was created on the wrong tier without any error. Same fix as verified on 4.23.

Regression Testing - No Regressions Found

| # | Test | Expected | Result |
|---|---|---|---|
| 1 | LB on same tier (same IP, port 80) | Rule created on tier1 | PASSED |
| 2 | LB on same tier, different port (same IP, port 8080) | Rule created on tier1 | PASSED |
| 3 | LB on fresh IP with no prior association (new IP, tier2, port 8080) | Rule created on tier2 | PASSED |
| 4 | PF with mismatched networkid (same IP, tier2 VM) | Error - VM not on associated network | PASSED |

# Regression 1: LB on same tier (should succeed)
(localcloud) 🐱 > create loadbalancerrule publicipid=0b015042-204c-4779-a2a5-f8be3b9b8d56 networkid=4ef87ed3-d26b-441b-9690-a97480c9193f name=lb-same-tier algorithm=roundrobin publicport=80 privateport=80
  "state": "Add",
  "networkid": "4ef87ed3-d26b-441b-9690-a97480c9193f"

# Regression 2: LB on same tier, different port (should succeed)
(localcloud) 🐱 > create loadbalancerrule publicipid=0b015042-204c-4779-a2a5-f8be3b9b8d56 networkid=4ef87ed3-d26b-441b-9690-a97480c9193f name=lb-same-tier-2 algorithm=roundrobin publicport=8080 privateport=8080
  "state": "Add",
  "networkid": "4ef87ed3-d26b-441b-9690-a97480c9193f"

# Regression 3: LB on fresh IP, no prior network association (should succeed)
(localcloud) 🐱 > associate ipaddress vpcid=13a939f4-49e4-4842-ae71-9c2e11402404 zoneid=e4fc5e7e-6a75-4f18-b914-274429fa9db9
  "id": "cb0bf99e-c9ea-4ef0-b08f-2543c3b4bc15",
  "ipaddress": "10.0.58.225"

(localcloud) 🐱 > create loadbalancerrule publicipid=cb0bf99e-c9ea-4ef0-b08f-2543c3b4bc15 networkid=9686d3ec-c3bd-4592-8086-d1fab1aaa4cf name=lb-fresh-ip algorithm=roundrobin publicport=8080 privateport=8080
  "state": "Add",
  "networkid": "9686d3ec-c3bd-4592-8086-d1fab1aaa4cf"

# Regression 4: PF with mismatched networkid (should fail - existing 4.22 behavior)
(localcloud) 🐱 > create portforwardingrule ipaddressid=0b015042-204c-4779-a2a5-f8be3b9b8d56 networkid=9686d3ec-c3bd-4592-8086-d1fab1aaa4cf virtualmachineid=6ea616d3-9421-462e-82cc-31babfc92227 publicport=80 privateport=80 protocol=TCP openfirewall=false
Error (HTTP 431, error code 4350): Vm doesn't belong to network associated with ipAddress
