CLOUDSTACK-6240 Fixed updating advanced SG rules for vm nic secondary ip

api/src/org/apache/cloudstack/api/command/user/vm/AddIpToVmNicCmd.java

@@ -92,6 +92,12 @@ public class AddIpToVmNicCmd extends BaseAsyncCmd {
         return dc.getNetworkType();
     }
 
+    private boolean isZoneSGEnabled() {
+        Network ntwk = _entityMgr.findById(Network.class, getNetworkId());
+        DataCenter dc = _entityMgr.findById(DataCenter.class, ntwk.getDataCenterId());
+        return dc.isSecurityGroupEnabled();
+    }
+
     @Override
     public String getEventType() {
         return EventTypes.EVENT_NET_IP_ASSIGN;
@@ -136,7 +142,7 @@ public class AddIpToVmNicCmd extends BaseAsyncCmd {
 
         if (result != null) {
             secondaryIp = result.getIp4Address();
-            if (getNetworkType() == NetworkType.Basic) {
+            if (isZoneSGEnabled()) {
                 // add security group rules for the secondary ip addresses
                 boolean success = false;
                 success = _securityGroupService.securityGroupRulesForVmSecIp(getNicId(), secondaryIp, true);

api/src/org/apache/cloudstack/api/command/user/vm/RemoveIpFromVmNicCmd.java

@@ -131,6 +131,13 @@ public class RemoveIpFromVmNicCmd extends BaseAsyncCmd {
         return null;
     }
 
+
+    private boolean isZoneSGEnabled() {
+        Network ntwk = _entityMgr.findById(Network.class, getNetworkId());
+        DataCenter dc = _entityMgr.findById(DataCenter.class, ntwk.getDataCenterId());
+        return dc.isSecurityGroupEnabled();
+    }
+
     @Override
     public void execute() throws InvalidParameterValueException {
         CallContext.current().setEventDetails("Ip Id: " + id);
@@ -140,7 +147,7 @@ public class RemoveIpFromVmNicCmd extends BaseAsyncCmd {
             throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Invalid IP id is passed");
         }
 
-        if (getNetworkType() == NetworkType.Basic) {
+        if (isZoneSGEnabled()) {
             //remove the security group rules for this secondary ip
             boolean success = false;
             success = _securityGroupService.securityGroupRulesForVmSecIp(nicSecIp.getNicId(), nicSecIp.getIp4Address(), false);

server/src/com/cloud/network/security/SecurityGroupManagerImpl.java

@@ -1350,16 +1350,17 @@ public class SecurityGroupManagerImpl extends ManagerBase implements SecurityGro
 
         // Validate parameters
         List<SecurityGroupVO> vmSgGrps = getSecurityGroupsForVm(vmId);
-        if (vmSgGrps == null) {
+        if (vmSgGrps.isEmpty()) {
             s_logger.debug("Vm is not in any Security group ");
             return true;
         }
 
-        for (SecurityGroupVO securityGroup : vmSgGrps) {
-            Account owner = _accountMgr.getAccount(securityGroup.getAccountId());
-            if (owner == null) {
-                throw new InvalidParameterValueException("Unable to find security group owner by id=" + securityGroup.getAccountId());
-            }
+        //If network does not support SG service, no need add SG rules for secondary ip
+        Network network = _networkModel.getNetwork(nic.getNetworkId());
+        if (!_networkModel.isSecurityGroupSupportedInNetwork(network)) {
+            s_logger.debug("Network " + network + " is not enabled with security group service, "+
+                    "so not applying SG rules for secondary ip");
+            return true;
         }
 
         String vmMac = vm.getPrivateMacAddress();