server: Fix NPE when on findHostsForMigration when no suitable hosts are found (#13138)

* Host HA code improvements

* Fix to not cancel VM HA items when Host HA is enabled & inspection in progress, and some code improvements

- When Host HA inspection in progress, the investigor returns the Host Status as Up which cancels the VM HA items
- Don't cancel the VM HA items, instead reschedule them to try again later

* Changes to consider Recovered/Available Host HA state along with the agent connection status to determine the Host HA inspection in progress or not, and some code improvements

.asf.yaml

@@ -50,16 +50,11 @@ github:
     rebase: false
 
   collaborators:
-    - acs-robot
+    - ingox
     - gpordeus
-    - hsato03
-    - FelipeM525
-    - lucas-a-martins
-    - nicoschmdt
-    - abh1sar
-    - rosi-shapeblue
-    - sudo87
     - erikbocks
+    - Imvedansh
+    - Damans227
 
   protected_branches: ~
 

.codespellrc

@@ -0,0 +1,20 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+[codespell]
+ignore-words = .github/linters/codespell.txt
+skip = systemvm/agent/noVNC/*,ui/package.json,ui/package-lock.json,ui/public/js/less.min.js,ui/public/locales/*.json,server/src/test/java/org/apache/cloudstack/network/ssl/CertServiceTest.java,test/integration/smoke/test_ssl_offloading.py

.gitattributes

@@ -0,0 +1 @@
+.github/workflows/*.lock.yml linguist-generated=true merge=ours

.github/CODEOWNERS

@@ -0,0 +1,25 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+/plugins/storage/volume/linstor @rp-
+/plugins/storage/volume/storpool @slavkap
+/plugins/storage/volume/ontap @rajiv1 @sandeeplocharla @piyush5 @suryag
+
+.pre-commit-config.yaml @jbampton
+/.github/linters/ @jbampton
+
+/plugins/network-elements/nsx/ @Pearl1594 @nvazquez

.github/aw/imports/.gitattributes

@@ -0,0 +1,5 @@
+# Mark all cached import files as generated
+* linguist-generated=true
+
+# Use 'ours' merge strategy to keep local cached versions
+* merge=ours

.github/aw/imports/github/gh-aw/94662b1dee8ce96c876ba9f33b3ab8be32de82a4/.github_workflows_shared_reporting.md

@@ -0,0 +1,73 @@
+---
+# Report formatting guidelines
+---
+
+## Report Structure Guidelines
+
+### 1. Header Levels
+**Use h3 (###) or lower for all headers in your issue report to maintain proper document hierarchy.**
+
+When creating GitHub issues or discussions:
+- Use `###` (h3) for main sections (e.g., "### Test Summary")
+- Use `####` (h4) for subsections (e.g., "#### Device-Specific Results")
+- Never use `##` (h2) or `#` (h1) in reports - these are reserved for titles
+
+### 2. Progressive Disclosure
+**Wrap detailed test results in `<details><summary><b>Section Name</b></summary>` tags to improve readability and reduce scrolling.**
+
+Use collapsible sections for:
+- Verbose details (full test logs, raw data)
+- Secondary information (minor warnings, extra context)
+- Per-item breakdowns when there are many items
+
+Always keep critical information visible (summary, critical issues, key metrics).
+
+### 3. Report Structure Pattern
+
+1. **Overview**: 1-2 paragraphs summarizing key findings
+2. **Critical Information**: Show immediately (summary stats, critical issues)
+3. **Details**: Use `<details><summary><b>Section Name</b></summary>` for expanded content
+4. **Context**: Add helpful metadata (workflow run, date, trigger)
+
+### Design Principles (Airbnb-Inspired)
+
+Reports should:
+- **Build trust through clarity**: Most important info immediately visible
+- **Exceed expectations**: Add helpful context like trends, comparisons
+- **Create delight**: Use progressive disclosure to reduce overwhelm
+- **Maintain consistency**: Follow patterns across all reports
+
+### Example Report Structure
+
+```markdown
+### Summary
+- Key metric 1: value
+- Key metric 2: value
+- Status: ✅/⚠️/❌
+
+### Critical Issues
+[Always visible - these are important]
+
+<details>
+<summary><b>View Detailed Results</b></summary>
+
+[Comprehensive details, logs, traces]
+
+</details>
+
+<details>
+<summary><b>View All Warnings</b></summary>
+
+[Minor issues and potential problems]
+
+</details>
+
+### Recommendations
+[Actionable next steps - keep visible]
+```
+
+## Workflow Run References
+
+- Format run IDs as links: `[§12345](https://github.com/owner/repo/actions/runs/12345)`
+- Include up to 3 most relevant run URLs at end under `**References:**`
+- Do NOT add footer attribution (system adds automatically)

.github/dependabot.yml

@@ -0,0 +1,41 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    open-pull-requests-limit: 2
+    schedule:
+      interval: "weekly"
+    groups:
+      github-actions-dependencies:
+        patterns:
+          - "*"
+    cooldown:
+      default-days: 7
+  - package-ecosystem: "maven"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    cooldown:
+      default-days: 7

.github/linters/.yamllint.yml

@@ -15,13 +15,14 @@
 # specific language governing permissions and limitations
 # under the License.
 ---
-extends: relaxed
+extends: default
 
 rules:
   line-length:
     max: 400  # Very forgiving for GitHub Actions and infrastructure files
   indentation: disable  # Disable indentation checking for existing files
   comments: disable  # Disable comment formatting checks
+  braces: disable
   brackets: disable  # Disable bracket spacing checks
   colons:
     max-spaces-after: -1  # Allow any number of spaces after colon

.github/linters/codespell.txt

@@ -4,6 +4,7 @@ acount
 actuall
 acuiring
 acumulate
+addin
 addreess
 addtion
 adminstrator
@@ -12,10 +13,8 @@ afrer
 afterall
 againt
 ags
-aktive
 algoritm
 allo
-alloacate
 allocted
 alocation
 alogrithm
@@ -65,6 +64,7 @@ bject
 boardcast
 bootstraper
 bu
+callin
 cant
 capabilites
 capablity
@@ -73,6 +73,7 @@ carrefully
 cavaet
 chaing
 checkd
+checkin
 childs
 choosen
 chould
@@ -93,7 +94,6 @@ confg
 configruation
 configuable
 conneciton
-connexion
 constrait
 constraits
 containg
@@ -101,9 +101,7 @@ contex
 continuesly
 contro
 controler
-controles
 controll
-convienient
 convinience
 coputer
 correcponding
@@ -158,13 +156,13 @@ differnet
 differnt
 direcotry
 directroy
-disale
 disbale
 discrepency
 disover
 dissapper
 dissassociated
 divice
+dockin
 doesn'
 doesnot
 doesnt
@@ -175,7 +173,6 @@ eanbled
 earch
 ect
 elemnt
-eles
 elments
 emmited
 enble
@@ -187,22 +184,19 @@ environmnet
 equivalant
 erro
 erronous
-everthing
 everytime
 excute
 execept
 execption
+exects
 execut
 executeable
 exeeded
 exisitng
 exisits
-existin
 existsing
-exitting
 expcted
 expection
-explaination
 explicitely
 faield
 faild
@@ -215,7 +209,6 @@ fillled
 findout
 fisrt
 fo
-folowing
 fowarding
 frist
 fro
@@ -234,6 +227,7 @@ hanling
 happend
 hasing
 hasnt
+havin
 hda
 hostanme
 hould
@@ -253,20 +247,14 @@ implmeneted
 implmentation
 incase
 includeing
-incosistency
 indecates
-indien
 infor
 informations
 informaton
-infrastrcuture
 ingore
-inital
 initalize
 initator
-initilization
 inspite
-instace
 instal
 instnace
 intefaces
@@ -284,12 +272,8 @@ ist
 klunky
 lable
 leve
-lief
 limite
-linke
 listner
-lokal
-lokales
 maintainence
 maintenace
 maintenence
@@ -298,7 +282,6 @@ mambers
 manaully
 manuel
 maxium
-mehtod
 mergable
 mesage
 messge
@@ -308,7 +291,6 @@ minumum
 mis
 modifers
 mor
-mot
 mulitply
 multipl
 multple
@@ -322,7 +304,7 @@ nin
 nodel
 nome
 noone
-nowe
+notin
 numbe
 numer
 occured
@@ -390,12 +372,9 @@ remaning
 remore
 remvoing
 renabling
-repeatly
 reponse
 reqest
 reqiured
-requieres
-requried
 reserv
 reserverd
 reseted
@@ -414,14 +393,13 @@ retuned
 returing
 rever
 rocessor
+roperty
 runing
 runnign
 sate
 scalled
-scipt
 scirpt
 scrip
-seconadry
 seconday
 seesion
 sepcified
@@ -434,12 +412,10 @@ settig
 sevices
 shoul
 shoule
-sie
 signle
 simplier
 singature
 skiping
-snaphsot
 snpashot
 specied
 specifed
@@ -450,7 +426,6 @@ standy
 statics
 stickyness
 stil
-stip
 storeage
 strat
 streched
@@ -459,7 +434,6 @@ succesfull
 successfull
 suceessful
 suces
-sucessfully
 suiteable
 suppots
 suppport
@@ -492,7 +466,6 @@ uncompressible
 uneccessarily
 unexepected
 unexpect
-unknow
 unkonw
 unkown
 unneccessary
@@ -500,14 +473,12 @@ unparseable
 unrecoginized
 unsupport
 unxpected
-updat
 uptodate
 usera
 usign
 usin
 utlization
 vaidate
-valiate
 valule
 valus
 varibles
@@ -516,8 +487,6 @@ verfying
 verifing
 virutal
 visable
-wakup
 wil
 wit
-wll
 wth

.github/workflows/build.yml

@@ -30,7 +30,7 @@ jobs:
   build:
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - name: Set up JDK 17
         uses: actions/setup-java@v5

.github/workflows/ci.yml

@@ -146,6 +146,7 @@ jobs:
                   smoke/test_vm_snapshot_kvm
                   smoke/test_vm_snapshots
                   smoke/test_volumes
+                  smoke/test_vpc_conserve_mode
                   smoke/test_vpc_ipv6
                   smoke/test_vpc_redundant
                   smoke/test_vpc_router_nics
@@ -216,7 +217,7 @@ jobs:
                   smoke/test_list_volumes"]
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
@@ -340,7 +341,7 @@ jobs:
           echo -e "Simulator CI Test Results: (only failures listed)\n"
           python3 ./tools/marvin/xunit-reader.py integration-test-results/
 
-      - uses: codecov/codecov-action@v4
+      - uses: codecov/codecov-action@v6
         with:
           files: jacoco-coverage.xml
           fail_ci_if_error: true

.github/workflows/codecov.yml

@@ -32,7 +32,7 @@ jobs:
     name: codecov
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
@@ -49,7 +49,7 @@ jobs:
           cd nonoss && bash -x install-non-oss.sh && cd ..
           mvn -P quality -Dsimulator -Dnoredist clean install -T$(nproc)
 
-      - uses: codecov/codecov-action@v4
+      - uses: codecov/codecov-action@v6
         with:
           files: ./client/target/site/jacoco-aggregate/jacoco.xml
           fail_ci_if_error: true

.github/workflows/codeql-analysis.yml

@@ -35,14 +35,14 @@ jobs:
         language: ["actions"]
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@v4
         with:
           languages: ${{ matrix.language }}
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v3
+        uses: github/codeql-action/autobuild@v4
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@v4
         with:
           category: "Security"

.github/workflows/daily-repo-status.md

@@ -0,0 +1,54 @@
+---
+description: |
+  This workflow creates daily repo status reports. It gathers recent repository
+  activity (issues, PRs, discussions, releases, code changes) and generates
+  engaging GitHub issues with productivity insights, community highlights,
+  and project recommendations.
+
+on:
+  schedule: daily
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  issues: read
+  pull-requests: read
+
+network: defaults
+
+tools:
+  github:
+    # If in a public repo, setting `lockdown: false` allows
+    # reading issues, pull requests and comments from 3rd-parties
+    # If in a private repo this has no particular effect.
+    lockdown: false
+
+safe-outputs:
+  create-issue:
+    title-prefix: "[repo-status] "
+    labels: [report, daily-status]
+source: githubnext/agentics/workflows/daily-repo-status.md@d19056381ba48cb1f7c78510c23069701fa7ae87
+---
+
+# Daily Repo Status
+
+Create an upbeat daily status report for the repo as a GitHub issue.
+
+## What to include
+
+- Recent repository activity (issues, PRs, discussions, releases, code changes)
+- Progress tracking, goal reminders and highlights
+- Project status and recommendations
+- Actionable next steps for maintainers
+
+## Style
+
+- Be positive, encouraging, and helpful 🌟
+- Use emojis moderately for engagement
+- Keep it concise - adjust length based on actual activity
+
+## Process
+
+1. Gather recent activity from the repository
+2. Study the repository, its issues and its pull requests
+3. Create a new GitHub issue with your findings and insights

.github/workflows/docker-cloudstack-simulator.yml

@@ -38,7 +38,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Login to Docker Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v4
         with:
           registry: ${{ secrets.DOCKER_REGISTRY }}
           username: ${{ secrets.DOCKERHUB_USER }}
@@ -47,7 +47,7 @@ jobs:
       - name: Set Docker repository name
         run: echo "DOCKER_REPOSITORY=apache" >> $GITHUB_ENV
 
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - name: Set ACS version
         run: echo "ACS_VERSION=$(grep '<version>' pom.xml | head -2 | tail -1 | cut -d'>' -f2 |cut -d'<' -f1)" >> $GITHUB_ENV

.github/workflows/issue-triage-agent.md

@@ -0,0 +1,78 @@
+---
+on:
+  schedule: 0 14 * * 1-5
+  workflow_dispatch: null
+permissions:
+  issues: read
+imports:
+- github/gh-aw/.github/workflows/shared/reporting.md@94662b1dee8ce96c876ba9f33b3ab8be32de82a4
+safe-outputs:
+  add-comment: {}
+  add-labels:
+    allowed:
+    - bug
+    - feature
+    - enhancement
+    - documentation
+    - question
+    - help-wanted
+    - good-first-issue
+source: github/gh-aw/.github/workflows/issue-triage-agent.md@94662b1dee8ce96c876ba9f33b3ab8be32de82a4
+strict: true
+timeout-minutes: 5
+tools:
+  github:
+    toolsets:
+    - issues
+    - labels
+---
+# Issue Triage Agent
+
+List open issues in ${{ github.repository }} that have no labels. For each unlabeled issue, analyze the title and body, then add one of the allowed labels: `bug`, `feature`, `enhancement`, `documentation`, `question`, `help-wanted`, or `good-first-issue`.
+
+Skip issues that:
+- Already have any of these labels
+- Have been assigned to any user (especially non-bot users)
+
+After adding the label to an issue, mention the issue author in a comment using this format (follow shared/reporting.md guidelines):
+
+**Comment Template**:
+```markdown
+### 🏷️ Issue Triaged
+
+Hi @{author}! I've categorized this issue as **{label_name}** based on the following analysis:
+
+**Reasoning**: {brief_explanation_of_why_this_label}
+
+<details>
+<summary><b>View Triage Details</b></summary>
+
+#### Analysis
+- **Keywords detected**: {list_of_keywords_that_matched}
+- **Issue type indicators**: {what_made_this_fit_the_category}
+- **Confidence**: {High/Medium/Low}
+
+#### Recommended Next Steps
+- {context_specific_suggestion_1}
+- {context_specific_suggestion_2}
+
+</details>
+
+**References**: [Triage run §{run_id}](https://github.com/github/gh-aw/actions/runs/{run_id})
+```
+
+**Key formatting requirements**:
+- Use h3 (###) for the main heading
+- Keep reasoning visible for quick understanding
+- Wrap detailed analysis in `<details>` tags
+- Include workflow run reference
+- Keep total comment concise (collapsed details prevent noise)
+
+## Batch Comment Optimization
+
+For efficiency, if multiple issues are triaged in a single run:
+1. Add individual labels to each issue
+2. Add a brief comment to each issue (using the template above)
+3. Optionally: Create a discussion summarizing all triage actions for that run
+
+This provides both per-issue context and batch visibility.

.github/workflows/main-sonar-check.yml

@@ -32,7 +32,7 @@ jobs:
     name: Main Sonar JaCoCo Build
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
@@ -44,14 +44,14 @@ jobs:
           cache: 'maven'
 
       - name: Cache SonarCloud packages
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: ~/.sonar/cache
           key: ${{ runner.os }}-sonar
           restore-keys: ${{ runner.os }}-sonar
 
       - name: Cache local Maven repository
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: ~/.m2/repository
           key: ${{ runner.os }}-m2-${{ hashFiles('pom.xml', '*/pom.xml', '*/*/pom.xml', '*/*/*/pom.xml') }}

.github/workflows/merge-conflict-checker.yml

@@ -18,8 +18,8 @@
 name: "PR Merge Conflict Check"
 on:
   push:
-  pull_request_target:
-    types: [synchronize]
+  pull_request:
+    types: [opened, synchronize, reopened]
 
 permissions:  # added using https://github.com/step-security/secure-workflows
   contents: read
@@ -35,7 +35,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: Conflict Check
-      uses: eps1lon/actions-label-merge-conflict@v2.0.0
+      uses: eps1lon/actions-label-merge-conflict@v3.0.3
       with:
         repoToken: "${{ secrets.GITHUB_TOKEN }}"
         dirtyLabel: "status:has-conflicts"

.github/workflows/pre-commit.yml

@@ -32,18 +32,18 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Check Out
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Install
         run: |
           python -m pip install --upgrade pip
           pip install pre-commit
       - name: Set PY
         run: echo "PY=$(python -VV | sha256sum | cut -d' ' -f1)" >> $GITHUB_ENV
-      - uses: actions/cache@v4
+      - uses: actions/cache@v5
         with:
           path: ~/.cache/pre-commit
           key: pre-commit|${{ env.PY }}|${{ hashFiles('.pre-commit-config.yaml') }}
       - name: Run pre-commit
-        run: pre-commit run --all-files
+        run: pre-commit run --color=always --all-files
       - name: Run manual pre-commit hooks
-        run: pre-commit run --all-files --hook-stage manual
+        run: pre-commit run --color=always --all-files --hook-stage manual

.github/workflows/rat.yml

@@ -30,7 +30,7 @@ jobs:
   build:
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - name: Set up JDK 17
         uses: actions/setup-java@v5
         with:

.github/workflows/sonar-check.yml

@@ -33,7 +33,7 @@ jobs:
     name: Sonar JaCoCo Coverage
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           ref: "refs/pull/${{ github.event.number }}/merge"
           fetch-depth: 0
@@ -46,14 +46,14 @@ jobs:
           cache: 'maven'
 
       - name: Cache SonarCloud packages
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: ~/.sonar/cache
           key: ${{ runner.os }}-sonar
           restore-keys: ${{ runner.os }}-sonar
 
       - name: Cache local Maven repository
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: ~/.m2/repository
           key: ${{ runner.os }}-m2-${{ hashFiles('pom.xml', '*/pom.xml', '*/*/pom.xml', '*/*/*/pom.xml') }}

.github/workflows/stale.yml

@@ -0,0 +1,49 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+name: 'Close stale issues and PRs'
+on:
+  schedule:
+    - cron: '30 1 * * *'
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    permissions:
+      actions: write
+      issues: write
+      pull-requests: write
+    steps:
+      - uses: actions/stale@v10
+        with:
+          stale-issue-message: 'This issue is stale because it has been open for 120 days with no activity. It may be removed by administrators of this project at any time. Remove the stale label or comment to request for removal of it to prevent this.'
+          stale-pr-message: 'This PR is stale because it has been open for 120 days with no activity. It may be removed by administrators of this project at any time. Remove the stale label or comment to request for removal of it to prevent this.'
+          close-issue-message: 'This issue was closed because it has been stale for 120 days with no activity.'
+          close-pr-message: 'This PR was closed because it has been stale for 240 days with no activity.'
+          stale-issue-label: 'no-issue-activity'
+          stale-pr-label: 'no-pr-activity'
+          days-before-stale: 120
+          days-before-close: -1
+          days-before-pr-close: 240
+          exempt-issue-labels: 'gsoc,good-first-issue,long-term-plan'
+          exempt-pr-labels: 'status:ready-for-merge,status:needs-testing,status:on-hold'
+      - uses: actions/stale@v10
+        with:
+          stale-issue-label: 'archive'
+          days-before-stale: 240
+          exempt-issue-labels: 'gsoc,good-first-issue,long-term-plan'
+          days-before-close: -1

.github/workflows/ui.yml

@@ -31,10 +31,10 @@ jobs:
     runs-on: ubuntu-22.04
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - name: Set up Node
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
         with:
           node-version: 16
 
@@ -55,7 +55,7 @@ jobs:
           npm run lint
           npm run test:unit
 
-      - uses: codecov/codecov-action@v4
+      - uses: codecov/codecov-action@v6
         if: github.repository == 'apache/cloudstack'
         with:
           working-directory: ui

.pre-commit-config.yaml

@@ -25,6 +25,12 @@ repos:
     hooks:
       - id: identity
       - id: check-hooks-apply
+  - repo: https://github.com/thlorenz/doctoc.git
+    rev: v2.2.0
+    hooks:
+      - id: doctoc
+        name: Add TOC for Markdown files
+        files: ^CONTRIBUTING\.md$|^INSTALL\.md$|^README\.md$
   - repo: https://github.com/oxipng/oxipng
     rev: v9.1.5
     hooks:
@@ -41,6 +47,21 @@ repos:
   - repo: https://github.com/Lucas-C/pre-commit-hooks
     rev: v1.5.5
     hooks:
+      - id: chmod
+        name: set file permissions
+        args: ['644']
+        files: \.md$
+        stages: [manual]
+      - id: insert-license
+        name: add license for all cfg files
+        description: automatically adds a licence header to all cfg files that don't have a license header
+        files: \.cfg$
+        args:
+          - --comment-style
+          - '|#|'
+          - --license-filepath
+          - .github/workflows/license-templates/LICENSE.txt
+          - --fuzzy-match-generates-todo
       - id: insert-license
         name: add license for all Markdown files
         files: \.md$
@@ -50,7 +71,56 @@ repos:
           - --license-filepath
           - .github/workflows/license-templates/LICENSE.txt
           - --fuzzy-match-generates-todo
-        exclude: ^(CHANGES|ISSUE_TEMPLATE|PULL_REQUEST_TEMPLATE)\.md$|^ui/docs/(full|smoke)-test-plan\.template\.md$
+        exclude: ^(CHANGES|ISSUE_TEMPLATE|PULL_REQUEST_TEMPLATE)\.md$|^ui/docs/(full|smoke)-test-plan\.template\.md$|^\.github/workflows/.*\.md$|^\.github/aw/.*\.md$
+      - id: insert-license
+        name: add license for all properties files
+        description: automatically adds a licence header to all properties files that don't have a license header
+        files: \.properties$
+        args:
+          - --comment-style
+          - '|#|'
+          - --license-filepath
+          - .github/workflows/license-templates/LICENSE.txt
+          - --fuzzy-match-generates-todo
+      - id: insert-license
+        name: add license for all Shell files
+        description: automatically adds a licence header to all Shell files that don't have a license header
+        files: \.sh$
+        args:
+          - --comment-style
+          - '|#|'
+          - --license-filepath
+          - .github/workflows/license-templates/LICENSE.txt
+          - --fuzzy-match-generates-todo
+      - id: insert-license
+        name: add license for all SQL files
+        files: \.sql$
+        args:
+          - --comment-style
+          - '|--|'
+          - --license-filepath
+          - .github/workflows/license-templates/LICENSE.txt
+          - --fuzzy-match-generates-todo
+      - id: insert-license
+        name: add license for all Vue files
+        files: \.vue$
+        args:
+          - --comment-style
+          - '|//|'
+          - --license-filepath
+          - .github/workflows/license-templates/LICENSE.txt
+          - --fuzzy-match-generates-todo
+      - id: insert-license
+        name: add license for all YAML files
+        description: automatically adds a licence header to all YAML files that don't have a license header
+        files: \.ya?ml$
+        args:
+          - --comment-style
+          - '|#|'
+          - --license-filepath
+          - .github/workflows/license-templates/LICENSE.txt
+          - --fuzzy-match-generates-todo
+        exclude: ^\.github/workflows/.*\.lock\.yml$
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v6.0.0
     hooks:
@@ -84,7 +154,7 @@ repos:
           ^systemvm/agent/certs/realhostip\.key$|
           ^test/integration/smoke/test_ssl_offloading\.py$
       - id: end-of-file-fixer
-        exclude: \.vhd$
+        exclude: \.vhd$|\.svg$
       - id: file-contents-sorter
         args: [--unique]
         files: ^\.github/linters/codespell\.txt$
@@ -92,17 +162,15 @@ repos:
       - id: forbid-submodules
       - id: mixed-line-ending
       - id: trailing-whitespace
-        files: \.(bat|cfg|cs|css|gitignore|header|in|install|java|md|properties|py|rb|rc|sh|sql|te|template|txt|ucls|vue|xml|xsl|yaml|yml)$|^cloud-cli/bindir/cloud-tool$|^debian/changelog$
+        files: ^(LICENSE|NOTICE)$|README$|\.(bat|cfg|config|cs|css|erb|gitignore|header|in|install|java|md|properties|py|rb|rc|sh|sql|svg|te|template|txt|ucls|vue|xml|xsl|yaml|yml)$|^cloud-cli/bindir/cloud-tool$|^debian/changelog$
         args: [--markdown-linebreak-ext=md]
         exclude: ^services/console-proxy/rdpconsole/src/test/doc/freerdp-debug-log\.txt$
   - repo: https://github.com/codespell-project/codespell
-    rev: v2.2.6
+    rev: v2.4.2
     hooks:
       - id: codespell
         name: run codespell
         description: Check spelling with codespell
-        args: [--ignore-words=.github/linters/codespell.txt]
-        exclude: ^systemvm/agent/noVNC/|^ui/package\.json$|^ui/package-lock\.json$|^ui/public/js/less\.min\.js$|^ui/public/locales/.*[^n].*\.json$|^server/src/test/java/org/apache/cloudstack/network/ssl/CertServiceTest.java$|^test/integration/smoke/test_ssl_offloading.py$
   - repo: https://github.com/pycqa/flake8
     rev: 7.0.0
     hooks:
@@ -116,15 +184,7 @@ repos:
         description: check Markdown files with markdownlint
         args: [--config=.github/linters/.markdown-lint.yml]
         types: [markdown]
-        files: \.(md|mdown|markdown)$
-  - repo: https://github.com/Lucas-C/pre-commit-hooks
-    rev: v1.5.5
-    hooks:
-      - id: chmod
-        name: set file permissions
-        args: ['644']
         files: \.md$
-        stages: [manual]
   - repo: https://github.com/adrienverge/yamllint
     rev: v1.37.1
     hooks:
@@ -134,4 +194,4 @@ repos:
         args: [--config-file=.github/linters/.yamllint.yml]
         types: [yaml]
         files: \.ya?ml$
-        exclude: ^.*k8s-.*\.ya?ml$
+        exclude: ^.*k8s-.*\.ya?ml$|^.github/workflows/.*\.lock\.ya?ml$

CONTRIBUTING.md

@@ -21,6 +21,24 @@
 
 ## Summary
 
+<!-- START doctoc generated TOC please keep comment here to allow auto update -->
+<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
+
+- [Summary](#summary)
+- [Bug fixes](#bug-fixes)
+- [Developing new features](#developing-new-features)
+- [PendingReleaseNotes file](#pendingreleasenotes-file)
+- [Fork the code](#fork-the-code)
+- [Making changes](#making-changes)
+- [Rebase `feature_x` to include updates from `upstream/main`](#rebase-feature_x-to-include-updates-from-upstreammain)
+- [Make a GitHub Pull Request to contribute your changes](#make-a-github-pull-request-to-contribute-your-changes)
+- [Cleaning up after a successful pull request](#cleaning-up-after-a-successful-pull-request)
+- [Release Principles](#release-principles)
+
+<!-- END doctoc generated TOC please keep comment here to allow auto update -->
+
+## Summary
+
 This document covers how to contribute to the ACS project. ACS uses GitHub PRs to manage code contributions.
 These instructions assume you have a GitHub.com account, so if you don't have one you will have to create one. Your proposed code changes will be published to your own fork of the ACS project, and you will submit a Pull Request for your changes to be added.
 

INSTALL.md

@@ -26,9 +26,21 @@ or the developer [wiki](https://cwiki.apache.org/confluence/display/CLOUDSTACK/H
 Apache CloudStack developers use various platforms for development, this guide
 was tested against a CentOS 7 x86_64 setup.
 
-* [Setting up development environment](https://cwiki.apache.org/confluence/display/CLOUDSTACK/Setting+up+CloudStack+Development+Environment) for Apache CloudStack.
-* [Building](https://cwiki.apache.org/confluence/display/CLOUDSTACK/How+to+build+CloudStack) Apache CloudStack.
-* [Appliance based development](https://github.com/rhtyd/monkeybox)
+<!-- START doctoc generated TOC please keep comment here to allow auto update -->
+<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
+
+- [Setting up Development Environment](#setting-up-development-environment)
+  - [Using jenv and/or pyenv for Version Management](#using-jenv-andor-pyenv-for-version-management)
+- [Getting the Source Code](#getting-the-source-code)
+- [Building](#building)
+- [To bring up CloudStack UI](#to-bring-up-cloudstack-ui)
+- [Building with non-redistributable plugins](#building-with-non-redistributable-plugins)
+- [Packaging and Installation](#packaging-and-installation)
+  - [Debian/Ubuntu](#debianubuntu)
+  - [RHEL/CentOS](#rhelcentos)
+- [Notes](#notes)
+
+<!-- END doctoc generated TOC please keep comment here to allow auto update -->
 
 ## Setting up Development Environment
 

LICENSE

@@ -177,14 +177,14 @@ Copyright (c) 2014 The Apache Software Foundation
       of your accepting any such warranty or additional liability.
 
    END OF TERMS AND CONDITIONS
-            
+
 
 This distribution contains third party resources.
 Within the console-proxy/js directory
     licensed under the MIT License http://www.opensource.org/licenses/mit-license.php  (as follows)
 
-            Copyright (c) 2009, John Resig 
-            
+            Copyright (c) 2009, John Resig
+
             Permission is hereby granted, free  of charge, to any person obtaining
             a  copy  of this  software  and  associated  documentation files  (the
             "Software"), to  deal in  the Software without  restriction, including
@@ -192,10 +192,10 @@ Within the console-proxy/js directory
             distribute,  sublicense, and/or sell  copies of  the Software,  and to
             permit persons to whom the Software  is furnished to do so, subject to
             the following conditions:
-            
+
             The  above  copyright  notice  and  this permission  notice  shall  be
             included in all copies or substantial portions of the Software.
-            
+
             THE  SOFTWARE IS  PROVIDED  "AS  IS", WITHOUT  WARRANTY  OF ANY  KIND,
             EXPRESS OR  IMPLIED, INCLUDING  BUT NOT LIMITED  TO THE  WARRANTIES OF
             MERCHANTABILITY,    FITNESS    FOR    A   PARTICULAR    PURPOSE    AND
@@ -203,43 +203,43 @@ Within the console-proxy/js directory
             LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
             OF CONTRACT, TORT OR OTHERWISE,  ARISING FROM, OUT OF OR IN CONNECTION
             WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-                        
-        from John Resig   
-            jquery.js 
+
+        from John Resig
+            jquery.js
 
 
 Within the systemvm/debian/etc directory
     placed in the public domain
-        by Adiscon GmbH  http://www.adiscon.com/ 
-            rsyslog.conf 
-        by Simon Kelley   
-            dnsmasq.conf 
-            vpcdnsmasq.conf 
+        by Adiscon GmbH  http://www.adiscon.com/
+            rsyslog.conf
+        by Simon Kelley
+            dnsmasq.conf
+            vpcdnsmasq.conf
 
 Within the systemvm/debian/etc/apache2 directory
     licensed under the Apache License, Version 2 http://www.apache.org/licenses/LICENSE-2.0.txt  (as above)
     Copyright (c) 2012 The Apache Software Foundation
-        from The Apache Software Foundation  http://www.apache.org/ 
-            httpd.conf 
+        from The Apache Software Foundation  http://www.apache.org/
+            httpd.conf
             vhost.template
 
 Within the systemvm/debian/etc/ssh/ directory
     licensed under the BSD (2-clause) http://www.opensource.org/licenses/BSD-2-Clause  (as follows)
- 
-            
+
+
             Redistribution and use in source and binary forms, with or without modification,
             are permitted provided that the following conditions are met:
-            
+
             Redistributions of source code must retain the above copyright notice, this list
             of  conditions and the following disclaimer. Redistributions in binary form must
             reproduce the above copyright notice, this list  of conditions and the following
             disclaimer in the documentation and/or other materials  provided with the
             distribution.
-            
+
             Neither the name of the author nor the names of contributors may be used to
             endorse  or promote products derived from this software without specific prior
             written permission.
-            
+
             THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
             ANY  EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
             WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -250,55 +250,55 @@ Within the systemvm/debian/etc/ssh/ directory
             ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
             (INCLUDING  NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
             SOFTWARE, EVEN IF ADVISED  OF THE POSSIBILITY OF SUCH DAMAGE.
-                        
-        from OpenSSH Project  http://www.openssh.org/ 
-            sshd_config 
+
+        from OpenSSH Project  http://www.openssh.org/
+            sshd_config
 
 Within the systemvm/debian/root/redundant_router directory
     placed in the public domain
-        by The netfilter.org project  http://www.netfilter.org/ 
-            conntrackd.conf.templ 
+        by The netfilter.org project  http://www.netfilter.org/
+            conntrackd.conf.templ
 
 Within the scripts/storage/secondary directory
     licensed under the Apache License, Version 2 http://www.apache.org/licenses/LICENSE-2.0.txt  (as above)
     Copyright (c) 2010-2011 OpenStack, LLC.
-        from OpenStack, LLC  http://www.openstack.org 
-            swift 
+        from OpenStack, LLC  http://www.openstack.org
+            swift
 
 Within the scripts/vm/hypervisor/xenserver directory
     licensed under the Apache License, Version 2 http://www.apache.org/licenses/LICENSE-2.0.txt  (as above)
     Copyright (c) 2010-2011 OpenStack, LLC.
-        from OpenStack, LLC  http://www.openstack.org 
-            swift 
+        from OpenStack, LLC  http://www.openstack.org
+            swift
 
 Within the ui/lib directory
     placed in the public domain
-        by Eric Meyer  http://meyerweb.com/eric/ 
+        by Eric Meyer  http://meyerweb.com/eric/
             reset.css  from http://meyerweb.com/eric/tools/css/reset/
 
     licensed under the Apache License, Version 2 http://www.apache.org/licenses/LICENSE-2.0.txt  (as above)
     Copyright (c) 2006 Google Inc.
-        from Google Inc.  http://google.com 
+        from Google Inc.  http://google.com
             excanvas.js  from http://code.google.com/p/explorercanvas/
 
     licensed under the BSD (2-clause) http://www.opensource.org/licenses/BSD-2-Clause  (as follows)
 
             Copyright (c) 2008 George McGinley Smith
-            All rights reserved. 
-            
+            All rights reserved.
+
             Redistribution and use in source and binary forms, with or without modification,
             are permitted provided that the following conditions are met:
-            
+
             Redistributions of source code must retain the above copyright notice, this list
             of  conditions and the following disclaimer. Redistributions in binary form must
             reproduce the above copyright notice, this list  of conditions and the following
             disclaimer in the documentation and/or other materials  provided with the
             distribution.
-            
+
             Neither the name of the author nor the names of contributors may be used to
             endorse  or promote products derived from this software without specific prior
             written permission.
-            
+
             THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
             ANY  EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
             WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -309,13 +309,13 @@ Within the ui/lib directory
             ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
             (INCLUDING  NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
             SOFTWARE, EVEN IF ADVISED  OF THE POSSIBILITY OF SUCH DAMAGE.
-                        
-        from George McGinley Smith   
-            jquery.easing.js 
+
+        from George McGinley Smith
+            jquery.easing.js
 
     licensed under the MIT License http://www.opensource.org/licenses/mit-license.php  (as follows)
- 
-            
+
+
             Permission is hereby granted, free  of charge, to any person obtaining
             a  copy  of this  software  and  associated  documentation files  (the
             "Software"), to  deal in  the Software without  restriction, including
@@ -323,10 +323,10 @@ Within the ui/lib directory
             distribute,  sublicense, and/or sell  copies of  the Software,  and to
             permit persons to whom the Software  is furnished to do so, subject to
             the following conditions:
-            
+
             The  above  copyright  notice  and  this permission  notice  shall  be
             included in all copies or substantial portions of the Software.
-            
+
             THE  SOFTWARE IS  PROVIDED  "AS  IS", WITHOUT  WARRANTY  OF ANY  KIND,
             EXPRESS OR  IMPLIED, INCLUDING  BUT NOT LIMITED  TO THE  WARRANTIES OF
             MERCHANTABILITY,    FITNESS    FOR    A   PARTICULAR    PURPOSE    AND
@@ -334,14 +334,14 @@ Within the ui/lib directory
             LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
             OF CONTRACT, TORT OR OTHERWISE,  ARISING FROM, OUT OF OR IN CONNECTION
             WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-                        
-        from The Dojo Foundation  http://dojofoundation.org/ 
+
+        from The Dojo Foundation  http://dojofoundation.org/
             require.js  from http://github.com/jrburke/requirejs
 
     licensed under the MIT License http://www.opensource.org/licenses/mit-license.php  (as follows)
 
-            Copyright (c) 2011, John Resig 
-            
+            Copyright (c) 2011, John Resig
+
             Permission is hereby granted, free  of charge, to any person obtaining
             a  copy  of this  software  and  associated  documentation files  (the
             "Software"), to  deal in  the Software without  restriction, including
@@ -349,10 +349,10 @@ Within the ui/lib directory
             distribute,  sublicense, and/or sell  copies of  the Software,  and to
             permit persons to whom the Software  is furnished to do so, subject to
             the following conditions:
-            
+
             The  above  copyright  notice  and  this permission  notice  shall  be
             included in all copies or substantial portions of the Software.
-            
+
             THE  SOFTWARE IS  PROVIDED  "AS  IS", WITHOUT  WARRANTY  OF ANY  KIND,
             EXPRESS OR  IMPLIED, INCLUDING  BUT NOT LIMITED  TO THE  WARRANTIES OF
             MERCHANTABILITY,    FITNESS    FOR    A   PARTICULAR    PURPOSE    AND
@@ -360,14 +360,14 @@ Within the ui/lib directory
             LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
             OF CONTRACT, TORT OR OTHERWISE,  ARISING FROM, OUT OF OR IN CONNECTION
             WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-                        
-        from John Resig   
-            jquery.js 
+
+        from John Resig
+            jquery.js
 
     licensed under the MIT License http://www.opensource.org/licenses/mit-license.php  (as follows)
 
             Copyright (c) 2014 Jörn Zaefferer
-            
+
             Permission is hereby granted, free  of charge, to any person obtaining
             a  copy  of this  software  and  associated  documentation files  (the
             "Software"), to  deal in  the Software without  restriction, including
@@ -375,10 +375,10 @@ Within the ui/lib directory
             distribute,  sublicense, and/or sell  copies of  the Software,  and to
             permit persons to whom the Software  is furnished to do so, subject to
             the following conditions:
-            
+
             The  above  copyright  notice  and  this permission  notice  shall  be
             included in all copies or substantial portions of the Software.
-            
+
             THE  SOFTWARE IS  PROVIDED  "AS  IS", WITHOUT  WARRANTY  OF ANY  KIND,
             EXPRESS OR  IMPLIED, INCLUDING  BUT NOT LIMITED  TO THE  WARRANTIES OF
             MERCHANTABILITY,    FITNESS    FOR    A   PARTICULAR    PURPOSE    AND
@@ -386,9 +386,9 @@ Within the ui/lib directory
             LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
             OF CONTRACT, TORT OR OTHERWISE,  ARISING FROM, OUT OF OR IN CONNECTION
             WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-                        
-        from Jorn Zaefferer   
-            jquery.validate.js 
+
+        from Jorn Zaefferer
+            jquery.validate.js
 
     licensed under the MIT License http://www.opensource.org/licenses/mit-license.php  (as follows)
 
@@ -418,8 +418,8 @@ Within the ui/lib directory
 
     licensed under the MIT License http://www.opensource.org/licenses/mit-license.php  (as follows)
 
-            Copyright (c) 2010, Sebastian Tschan 
-            
+            Copyright (c) 2010, Sebastian Tschan
+
             Permission is hereby granted, free  of charge, to any person obtaining
             a  copy  of this  software  and  associated  documentation files  (the
             "Software"), to  deal in  the Software without  restriction, including
@@ -427,10 +427,10 @@ Within the ui/lib directory
             distribute,  sublicense, and/or sell  copies of  the Software,  and to
             permit persons to whom the Software  is furnished to do so, subject to
             the following conditions:
-            
+
             The  above  copyright  notice  and  this permission  notice  shall  be
             included in all copies or substantial portions of the Software.
-            
+
             THE  SOFTWARE IS  PROVIDED  "AS  IS", WITHOUT  WARRANTY  OF ANY  KIND,
             EXPRESS OR  IMPLIED, INCLUDING  BUT NOT LIMITED  TO THE  WARRANTIES OF
             MERCHANTABILITY,    FITNESS    FOR    A   PARTICULAR    PURPOSE    AND
@@ -438,14 +438,14 @@ Within the ui/lib directory
             LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
             OF CONTRACT, TORT OR OTHERWISE,  ARISING FROM, OUT OF OR IN CONNECTION
             WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-                        
-        from Sebastian Tschan  https://blueimp.net 
-            jquery.md5.js 
+
+        from Sebastian Tschan  https://blueimp.net
+            jquery.md5.js
 
     licensed under the MIT License http://www.opensource.org/licenses/mit-license.php  (as follows)
 
-            Copyright (c) 2006 Klaus Hartl (stilbuero.de) 
-            
+            Copyright (c) 2006 Klaus Hartl (stilbuero.de)
+
             Permission is hereby granted, free  of charge, to any person obtaining
             a  copy  of this  software  and  associated  documentation files  (the
             "Software"), to  deal in  the Software without  restriction, including
@@ -453,10 +453,10 @@ Within the ui/lib directory
             distribute,  sublicense, and/or sell  copies of  the Software,  and to
             permit persons to whom the Software  is furnished to do so, subject to
             the following conditions:
-            
+
             The  above  copyright  notice  and  this permission  notice  shall  be
             included in all copies or substantial portions of the Software.
-            
+
             THE  SOFTWARE IS  PROVIDED  "AS  IS", WITHOUT  WARRANTY  OF ANY  KIND,
             EXPRESS OR  IMPLIED, INCLUDING  BUT NOT LIMITED  TO THE  WARRANTIES OF
             MERCHANTABILITY,    FITNESS    FOR    A   PARTICULAR    PURPOSE    AND
@@ -464,15 +464,15 @@ Within the ui/lib directory
             LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
             OF CONTRACT, TORT OR OTHERWISE,  ARISING FROM, OUT OF OR IN CONNECTION
             WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-                        
-        from Klaus Hartl  http://stilbuero.de 
-            jquery.cookies.js 
+
+        from Klaus Hartl  http://stilbuero.de
+            jquery.cookies.js
 
 Within the ui/lib/flot directory
     licensed under the MIT License http://www.opensource.org/licenses/mit-license.php  (as follows)
 
-            Released under the MIT license by IOLA, December 2007. 
-            
+            Released under the MIT license by IOLA, December 2007.
+
             Permission is hereby granted, free  of charge, to any person obtaining
             a  copy  of this  software  and  associated  documentation files  (the
             "Software"), to  deal in  the Software without  restriction, including
@@ -480,10 +480,10 @@ Within the ui/lib/flot directory
             distribute,  sublicense, and/or sell  copies of  the Software,  and to
             permit persons to whom the Software  is furnished to do so, subject to
             the following conditions:
-            
+
             The  above  copyright  notice  and  this permission  notice  shall  be
             included in all copies or substantial portions of the Software.
-            
+
             THE  SOFTWARE IS  PROVIDED  "AS  IS", WITHOUT  WARRANTY  OF ANY  KIND,
             EXPRESS OR  IMPLIED, INCLUDING  BUT NOT LIMITED  TO THE  WARRANTIES OF
             MERCHANTABILITY,    FITNESS    FOR    A   PARTICULAR    PURPOSE    AND
@@ -491,24 +491,24 @@ Within the ui/lib/flot directory
             LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
             OF CONTRACT, TORT OR OTHERWISE,  ARISING FROM, OUT OF OR IN CONNECTION
             WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-                        
-        from IOLA  http://www.iola.dk/ 
-            jquery.flot.crosshair.js 
-            jquery.flot.fillbetween.js 
-            jquery.flot.image.js 
-            jquery.flot.js 
-            jquery.flot.navigate.js 
-            jquery.flot.resize.js 
-            jquery.flot.selection.js 
-            jquery.flot.stack.js 
-            jquery.flot.symbol.js 
-            jquery.flot.threshold.js 
+
+        from IOLA  http://www.iola.dk/
+            jquery.flot.crosshair.js
+            jquery.flot.fillbetween.js
+            jquery.flot.image.js
+            jquery.flot.js
+            jquery.flot.navigate.js
+            jquery.flot.resize.js
+            jquery.flot.selection.js
+            jquery.flot.stack.js
+            jquery.flot.symbol.js
+            jquery.flot.threshold.js
 
     licensed under the MIT License http://www.opensource.org/licenses/mit-license.php  (as follows)
 
             Created by Brian Medendorp, June 2009
-            Updated November 2009 with contributions from: btburnett3, Anthony Aragues and Xavi Ivars 
-            
+            Updated November 2009 with contributions from: btburnett3, Anthony Aragues and Xavi Ivars
+
             Permission is hereby granted, free  of charge, to any person obtaining
             a  copy  of this  software  and  associated  documentation files  (the
             "Software"), to  deal in  the Software without  restriction, including
@@ -516,10 +516,10 @@ Within the ui/lib/flot directory
             distribute,  sublicense, and/or sell  copies of  the Software,  and to
             permit persons to whom the Software  is furnished to do so, subject to
             the following conditions:
-            
+
             The  above  copyright  notice  and  this permission  notice  shall  be
             included in all copies or substantial portions of the Software.
-            
+
             THE  SOFTWARE IS  PROVIDED  "AS  IS", WITHOUT  WARRANTY  OF ANY  KIND,
             EXPRESS OR  IMPLIED, INCLUDING  BUT NOT LIMITED  TO THE  WARRANTIES OF
             MERCHANTABILITY,    FITNESS    FOR    A   PARTICULAR    PURPOSE    AND
@@ -527,13 +527,13 @@ Within the ui/lib/flot directory
             LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
             OF CONTRACT, TORT OR OTHERWISE,  ARISING FROM, OUT OF OR IN CONNECTION
             WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-                        
-        from Brian Medendorp   
-            jquery.pie.js 
+
+        from Brian Medendorp
+            jquery.pie.js
 
     licensed under the MIT License http://www.opensource.org/licenses/mit-license.php  (as follows)
- 
-            
+
+
             Permission is hereby granted, free  of charge, to any person obtaining
             a  copy  of this  software  and  associated  documentation files  (the
             "Software"), to  deal in  the Software without  restriction, including
@@ -541,10 +541,10 @@ Within the ui/lib/flot directory
             distribute,  sublicense, and/or sell  copies of  the Software,  and to
             permit persons to whom the Software  is furnished to do so, subject to
             the following conditions:
-            
+
             The  above  copyright  notice  and  this permission  notice  shall  be
             included in all copies or substantial portions of the Software.
-            
+
             THE  SOFTWARE IS  PROVIDED  "AS  IS", WITHOUT  WARRANTY  OF ANY  KIND,
             EXPRESS OR  IMPLIED, INCLUDING  BUT NOT LIMITED  TO THE  WARRANTIES OF
             MERCHANTABILITY,    FITNESS    FOR    A   PARTICULAR    PURPOSE    AND
@@ -552,14 +552,14 @@ Within the ui/lib/flot directory
             LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
             OF CONTRACT, TORT OR OTHERWISE,  ARISING FROM, OUT OF OR IN CONNECTION
             WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-                        
-        from Ole Laursen   
-            jquery.colorhelpers.js 
+
+        from Ole Laursen
+            jquery.colorhelpers.js
 
 Within the ui/lib/jquery-ui directory
     licensed under the MIT License http://www.opensource.org/licenses/mit-license.php  (as follows)
- 
-            
+
+
             Permission is hereby granted, free  of charge, to any person obtaining
             a  copy  of this  software  and  associated  documentation files  (the
             "Software"), to  deal in  the Software without  restriction, including
@@ -567,10 +567,10 @@ Within the ui/lib/jquery-ui directory
             distribute,  sublicense, and/or sell  copies of  the Software,  and to
             permit persons to whom the Software  is furnished to do so, subject to
             the following conditions:
-            
+
             The  above  copyright  notice  and  this permission  notice  shall  be
             included in all copies or substantial portions of the Software.
-            
+
             THE  SOFTWARE IS  PROVIDED  "AS  IS", WITHOUT  WARRANTY  OF ANY  KIND,
             EXPRESS OR  IMPLIED, INCLUDING  BUT NOT LIMITED  TO THE  WARRANTIES OF
             MERCHANTABILITY,    FITNESS    FOR    A   PARTICULAR    PURPOSE    AND
@@ -578,17 +578,17 @@ Within the ui/lib/jquery-ui directory
             LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
             OF CONTRACT, TORT OR OTHERWISE,  ARISING FROM, OUT OF OR IN CONNECTION
             WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-                        
-        from jQuery UI Developers  http://jqueryui.com/about 
-            css/jquery-ui.css 
-            index.html 
-            js/jquery-ui.js 
+
+        from jQuery UI Developers  http://jqueryui.com/about
+            css/jquery-ui.css
+            index.html
+            js/jquery-ui.js
 
 Within the ui/lib/qunit directory
     licensed under the MIT License http://www.opensource.org/licenses/mit-license.php  (as follows)
 
-            Copyright (c) 2012 John Resig, Jörn Zaefferer 
-            
+            Copyright (c) 2012 John Resig, Jörn Zaefferer
+
             Permission is hereby granted, free  of charge, to any person obtaining
             a  copy  of this  software  and  associated  documentation files  (the
             "Software"), to  deal in  the Software without  restriction, including
@@ -596,10 +596,10 @@ Within the ui/lib/qunit directory
             distribute,  sublicense, and/or sell  copies of  the Software,  and to
             permit persons to whom the Software  is furnished to do so, subject to
             the following conditions:
-            
+
             The  above  copyright  notice  and  this permission  notice  shall  be
             included in all copies or substantial portions of the Software.
-            
+
             THE  SOFTWARE IS  PROVIDED  "AS  IS", WITHOUT  WARRANTY  OF ANY  KIND,
             EXPRESS OR  IMPLIED, INCLUDING  BUT NOT LIMITED  TO THE  WARRANTIES OF
             MERCHANTABILITY,    FITNESS    FOR    A   PARTICULAR    PURPOSE    AND
@@ -607,20 +607,20 @@ Within the ui/lib/qunit directory
             LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
             OF CONTRACT, TORT OR OTHERWISE,  ARISING FROM, OUT OF OR IN CONNECTION
             WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-                        
-        from Jorn Zaefferer   
+
+        from Jorn Zaefferer
             qunit.css  from http://docs.jquery.com/QUnit
             qunit.js  from http://docs.jquery.com/QUnit
 
 Within the utils/src/main/java/com/cloud/utils/db directory
     licensed under the Apache License, Version 2 http://www.apache.org/licenses/LICENSE-2.0.txt  (as above)
     Copyright (c) 2004 Clinton Begin
-        from Clinton Begin  http://code.google.com/p/mybatis/ 
+        from Clinton Begin  http://code.google.com/p/mybatis/
             ScriptRunner.java  from http://code.google.com/p/mybatis/
 
 Within the utils/src/main/java/org/apache/commons/httpclient/contrib/ssl directory
     licensed under the Apache License, Version 2 http://www.apache.org/licenses/LICENSE-2.0.txt  (as above)
     Copyright (c) 2007 The Apache Software Foundation
-        from The Apache Software Foundation  http://www.apache.org/ 
-            EasySSLProtocolSocketFactory.java 
-            EasyX509TrustManager.java 
+        from The Apache Software Foundation  http://www.apache.org/
+            EasySSLProtocolSocketFactory.java
+            EasyX509TrustManager.java

NOTICE

@@ -1,62 +1,62 @@
 Apache CloudStack
 Copyright 2014 The Apache Software Foundation
-  
+
   This product includes software developed at
   The Apache Software Foundation (http://www.apache.org/).
-      
 
 
-  
+
+
   This distribution contains third party resources requiring the following notices:
 
-    
-  For 
+
+  For
     jquery.js
-  
+
 
         jQuery JavaScript Library v1.3.2
         http://jquery.com/
-        
+
         Copyright (c) 2009 John Resig
         Dual licensed under the MIT and GPL licenses.
         http://docs.jquery.com/License
-        
+
         Date: 2009-02-19 17:34:21 -0500 (Thu, 19 Feb 2009)
         Revision: 6246
 
-    
-  For 
+
+  For
     jquery.js
-  
+
 
         jQuery JavaScript Library v1.6.4
         http://jquery.com/
-        
+
         Copyright 2011, John Resig
         Dual licensed under the MIT or GPL Version 2 licenses.
         http://jquery.org/license
-        
+
         Includes Sizzle.js
         http://sizzlejs.com/
         Copyright 2011, The Dojo Foundation
         Released under the MIT, BSD, and GPL Licenses.
-        
+
         Date: Mon Sep 12 18:54:48 2011 -0400
 
-    
-  For 
+
+  For
     jquery.md5.js
-  
+
 
         jQuery MD5 Plugin 1.2.1
         https://github.com/blueimp/jQuery-MD5
-        
+
         Copyright 2010, Sebastian Tschan
         https://blueimp.net
-        
+
         Licensed under the MIT license:
         http://creativecommons.org/licenses/MIT/
-        
+
         Based on
         A JavaScript implementation of the RSA Data Security, Inc. MD5 Message
         Digest Algorithm, as defined in RFC 1321.
@@ -65,15 +65,15 @@ Copyright 2014 The Apache Software Foundation
         Distributed under the BSD License
         See http://pajhome.org.uk/crypt/md5 for more info.
 
-    
-  For 
+
+  For
     jquery.colorhelpers.js
-  
+
 
         Plugin for jQuery for working with colors.
-        
+
         Version 1.1.
-        
+
         Inspiration from jQuery color animation plugin by John Resig.
-        
+
         Released under the MIT license by Ole Laursen, October 2009.

PRE_COMMIT.md

@@ -20,7 +20,7 @@
 # pre-commit
 
 We run [pre-commit](https://pre-commit.com/) with
-[GitHub Actions](https://github.com/apache/cloudstack/blob/main/.github/workflows/linter.yml) so installation on your
+[GitHub Actions](https://github.com/apache/cloudstack/blob/main/.github/workflows/pre-commit.yml) so installation on your
 local machine is currently optional.
 
 The `pre-commit` [configuration file](https://github.com/apache/cloudstack/blob/main/.pre-commit-config.yaml)

README.md

@@ -31,6 +31,24 @@
 
 [![Apache CloudStack](tools/logo/apache_cloudstack.png)](https://cloudstack.apache.org/)
 
+<!-- START doctoc generated TOC please keep comment here to allow auto update -->
+<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
+
+- [Who Uses CloudStack?](#who-uses-cloudstack)
+- [Demo](#demo)
+- [Getting Started](#getting-started)
+- [Getting Source Repository](#getting-source-repository)
+- [Documentation](#documentation)
+- [News and Events](#news-and-events)
+- [Getting Involved and Contributing](#getting-involved-and-contributing)
+- [Reporting Security Vulnerabilities](#reporting-security-vulnerabilities)
+- [License](#license)
+- [Notice of Cryptographic Software](#notice-of-cryptographic-software)
+- [Star History](#star-history)
+- [Contributors](#contributors)
+
+<!-- END doctoc generated TOC please keep comment here to allow auto update -->
+
 Apache CloudStack is open source software designed to deploy and manage large
 networks of virtual machines, as a highly available, highly scalable
 Infrastructure as a Service (IaaS) cloud computing platform. CloudStack is used

agent/conf/agent.properties

@@ -457,3 +457,18 @@ iscsi.session.cleanup.enabled=false
 
 # Instance conversion VIRT_V2V_TMPDIR env var
 #convert.instance.env.virtv2v.tmpdir=
+
+# Time, in seconds, to wait before retrying to rebase during the incremental snapshot process.
+# incremental.snapshot.retry.rebase.wait=60
+
+# Path to the VDDK library directory for VMware to KVM conversion via VDDK,
+# passed to virt-v2v as -io vddk-libdir=<path>
+#vddk.lib.dir=
+
+# Ordered VDDK transport preference for VMware to KVM conversion via VDDK, passed as
+# -io vddk-transports=<value> to virt-v2v. Example: nbd:nbdssl
+#vddk.transports=
+
+# Optional vCenter SHA1 thumbprint for VMware to KVM conversion via VDDK, passed as
+# -io vddk-thumbprint=<value>. If unset, CloudStack computes it on the KVM host via openssl.
+#vddk.thumbprint=

agent/conf/uefi.properties.in

@@ -0,0 +1,24 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# Configuration file for UEFI
+
+guest.nvram.template.legacy=@GUESTNVRAMTEMPLATELEGACY@
+guest.loader.legacy=@GUESTLOADERLEGACY@
+guest.nvram.template.secure=@GUESTNVRAMTEMPLATESECURE@
+guest.loader.secure=@GUESTLOADERSECURE@
+guest.nvram.path=@GUESTNVRAMPATH@

agent/pom.xml

@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.apache.cloudstack</groupId>
         <artifactId>cloudstack</artifactId>
-        <version>4.22.0.1</version>
+        <version>4.23.0.0-SNAPSHOT</version>
     </parent>
     <dependencies>
         <dependency>

agent/src/main/java/com/cloud/agent/Agent.java

@@ -1322,7 +1322,6 @@ public class Agent implements HandlerFactory, IAgentControl, AgentStatusUpdater
                         processResponse((Response)request, task.getLink());
                     } else {
                         //put the requests from mgt server into another thread pool, as the request may take a longer time to finish. Don't block the NIO main thread pool
-                        //processRequest(request, task.getLink());
                         requestHandler.submit(new AgentRequestHandler(getType(), getLink(), request));
                     }
                 } catch (final ClassNotFoundException e) {
@@ -1332,13 +1331,14 @@ public class Agent implements HandlerFactory, IAgentControl, AgentStatusUpdater
                 }
             } else if (task.getType() == Task.Type.DISCONNECT) {
                 try {
-                    // an issue has been found if reconnect immediately after disconnecting. please refer to https://github.com/apache/cloudstack/issues/8517
+                    // an issue has been found if reconnect immediately after disconnecting.
                     // wait 5 seconds before reconnecting
+                    logger.debug("Wait for 5 secs before reconnecting, disconnect task - {}", () -> getLinkLog(task.getLink()));
                     Thread.sleep(5000);
                 } catch (InterruptedException e) {
                 }
                 shell.setConnectionTransfer(false);
-                logger.debug("Executing disconnect task - {}", () -> getLinkLog(task.getLink()));
+                logger.debug("Executing disconnect task - {} and reconnecting", () -> getLinkLog(task.getLink()));
                 reconnect(task.getLink());
             } else if (task.getType() == Task.Type.OTHER) {
                 processOtherTask(task);

agent/src/main/java/com/cloud/agent/properties/AgentProperties.java

@@ -117,7 +117,7 @@ public class AgentProperties{
 
     /**
      * Local storage path.<br>
-     * This property allows multiple values to be entered in a single String. The differente values must be separated by commas.<br>
+     * This property allows multiple values to be entered in a single String. The different values must be separated by commas.<br>
      * Data type: String.<br>
      * Default value: <code>/var/lib/libvirt/images/</code>
      */
@@ -134,7 +134,7 @@ public class AgentProperties{
 
     /**
      * MANDATORY: The UUID for the local storage pool.<br>
-     * This property allows multiple values to be entered in a single String. The differente values must be separated by commas.<br>
+     * This property allows multiple values to be entered in a single String. The different values must be separated by commas.<br>
      * Data type: String.<br>
      * Default value: <code>null</code>
      */
@@ -808,6 +808,30 @@ public class AgentProperties{
      */
     public static final Property<String> CONVERT_ENV_VIRTV2V_TMPDIR = new Property<>("convert.instance.env.virtv2v.tmpdir", null, String.class);
 
+    /**
+     * Path to the VDDK library directory on the KVM conversion host, used when converting VMs from VMware to KVM via VDDK.
+     * This directory is passed to virt-v2v as <code>-io vddk-libdir=&lt;path&gt;</code>.
+     * Data type: String.<br>
+     * Default value: <code>null</code>
+     */
+    public static final Property<String> VDDK_LIB_DIR = new Property<>("vddk.lib.dir", null, String.class);
+
+    /**
+     * Ordered list of VDDK transports for virt-v2v, passed as <code>-io vddk-transports=&lt;value&gt;</code>.
+     * Example: <code>nbd:nbdssl</code>.
+     * Data type: String.<br>
+     * Default value: <code>null</code>
+     */
+    public static final Property<String> VDDK_TRANSPORTS = new Property<>("vddk.transports", null, String.class);
+
+    /**
+     * vCenter TLS certificate thumbprint used by virt-v2v VDDK mode, passed as <code>-io vddk-thumbprint=&lt;value&gt;</code>.
+     * If unset, the KVM host computes it at runtime from the vCenter endpoint.
+     * Data type: String.<br>
+     * Default value: <code>null</code>
+     */
+    public static final Property<String> VDDK_THUMBPRINT = new Property<>("vddk.thumbprint", null, String.class);
+
     /**
      * BGP controll CIDR
      * Data type: String.<br>
@@ -885,6 +909,11 @@ public class AgentProperties{
      */
     public static final Property<Boolean> CREATE_FULL_CLONE = new Property<>("create.full.clone", false);
 
+    /**
+     * Time, in seconds, to wait before retrying to rebase during the incremental snapshot process.
+     * */
+    public static final Property<Integer> INCREMENTAL_SNAPSHOT_RETRY_REBASE_WAIT = new Property<>("incremental.snapshot.retry.rebase.wait", 60);
+
 
     public static class Property <T>{
         private String name;

agent/src/main/java/com/cloud/agent/resource/consoleproxy/ConsoleProxyResource.java

@@ -175,12 +175,12 @@ public class ConsoleProxyResource extends ServerResourceBase implements ServerRe
                 try {
                     is.close();
                 } catch (final IOException e) {
-                    logger.warn("Exception when closing , console proxy address : {}", proxyManagementIp);
+                    logger.warn("Exception when closing , console proxy address: {}", proxyManagementIp);
                     success = false;
                 }
             }
         } catch (final IOException e) {
-            logger.warn("Unable to open console proxy command port url, console proxy address : {}", proxyManagementIp);
+            logger.warn("Unable to open console proxy command port url, console proxy address: {}", proxyManagementIp);
             success = false;
         }
 
@@ -331,7 +331,7 @@ public class ConsoleProxyResource extends ServerResourceBase implements ServerRe
         final Object resource = this;
         logger.info("Building class loader for com.cloud.consoleproxy.ConsoleProxy");
         if (consoleProxyMain == null) {
-            logger.info("Running com.cloud.consoleproxy.ConsoleProxy with encryptor password={}", encryptorPassword);
+            logger.info("Running com.cloud.consoleproxy.ConsoleProxy");
             consoleProxyMain = new Thread(new ManagedContextRunnable() {
                 @Override
                 protected void runInContext() {

api/pom.xml

@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.apache.cloudstack</groupId>
         <artifactId>cloudstack</artifactId>
-        <version>4.22.0.1</version>
+        <version>4.23.0.0-SNAPSHOT</version>
     </parent>
     <dependencies>
         <dependency>

api/src/main/java/com/cloud/agent/api/storage/OVFHelper.java

@@ -119,8 +119,7 @@ public class OVFHelper {
         boolean password = StringUtils.isNotBlank(passStr) && passStr.equalsIgnoreCase("true");
         String label = ovfParser.getChildNodeValue(node, "Label");
         String description = ovfParser.getChildNodeValue(node, "Description");
-        logger.debug("Creating OVF property index " + index + (category == null ? "" : " for category " + category)
-                + " with key = " + key);
+        logger.debug("Creating OVF property index {} {} with key = {}", index, (category == null ? "" : " for category " + category), key);
         return new OVFPropertyTO(key, type, value, qualifiers, userConfigurable,
                 label, description, password, index, category);
     }
@@ -152,7 +151,7 @@ public class OVFHelper {
                     if (child.getNodeName().equalsIgnoreCase("Category") ||
                             child.getNodeName().endsWith(":Category")) {
                         lastCategoryFound = child.getTextContent();
-                        logger.info("Category found " + lastCategoryFound);
+                        logger.info("Category found {}", lastCategoryFound);
                     } else if (child.getNodeName().equalsIgnoreCase("Property") ||
                             child.getNodeName().endsWith(":Property")) {
                         OVFPropertyTO prop = createOVFPropertyFromNode(child, propertyIndex, lastCategoryFound);
@@ -250,13 +249,13 @@ public class OVFHelper {
         int diskNumber = 0;
         for (OVFVirtualHardwareItemTO diskItem : diskHardwareItems) {
             if (StringUtils.isBlank(diskItem.getHostResource())) {
-                logger.error("Missing disk information for hardware item " + diskItem.getElementName() + " " + diskItem.getInstanceId());
+                logger.error("Missing disk information for hardware item {} {}", diskItem.getElementName(), diskItem.getInstanceId());
                 continue;
             }
             String diskId = extractDiskIdFromDiskHostResource(diskItem.getHostResource());
             OVFDisk diskDefinition = getDiskDefinitionFromDiskId(diskId, disks);
             if (diskDefinition == null) {
-                logger.error("Missing disk definition for disk ID " + diskId);
+                logger.error("Missing disk definition for disk ID {}", diskId);
             }
             OVFFile fileDefinition = getFileDefinitionFromDiskDefinition(diskDefinition._fileRef, files);
             DatadiskTO datadiskTO = generateDiskTO(fileDefinition, diskDefinition, ovfParentPath, diskNumber, diskItem);
@@ -278,8 +277,8 @@ public class OVFHelper {
         if (StringUtils.isNotBlank(path)) {
             File f = new File(path);
             if (!f.exists() || f.isDirectory()) {
-                logger.error("One of the attached disk or iso does not exists " + path);
-                throw new InternalErrorException("One of the attached disk or iso as stated on OVF does not exists " + path);
+                logger.error("One of the attached disk or ISOs does not exists {}", path);
+                throw new InternalErrorException("One of the attached disk or ISOs as stated on OVF does not exists " + path);
             }
         }
         Long capacity = disk != null ? disk._capacity : file._size;
@@ -334,9 +333,7 @@ public class OVFHelper {
             od._controller = getControllerType(items, od._diskId);
             vd.add(od);
         }
-        if (logger.isTraceEnabled()) {
-            logger.trace(String.format("found %d disk definitions",vd.size()));
-        }
+        logger.trace("Found {} disk definitions", vd.size());
         return vd;
     }
 
@@ -366,9 +363,7 @@ public class OVFHelper {
                 vf.add(of);
             }
         }
-        if (logger.isTraceEnabled()) {
-            logger.trace(String.format("found %d file definitions in %s",vf.size(), ovfFile.getPath()));
-        }
+        logger.trace("Found {} file definitions in {}", vf.size(), ovfFile.getPath());
         return vf;
     }
 
@@ -506,7 +501,7 @@ public class OVFHelper {
             outfile.write(writer.toString());
             outfile.close();
         } catch (IOException | TransformerException e) {
-            logger.info("Unexpected exception caught while rewriting OVF:" + e.getMessage(), e);
+            logger.info("Unexpected exception caught while rewriting OVF: {}", e.getMessage(), e);
             throw new CloudRuntimeException(e);
         }
     }
@@ -522,9 +517,7 @@ public class OVFHelper {
 
     public List<OVFNetworkTO> getNetPrerequisitesFromDocument(Document doc) throws InternalErrorException {
         if (doc == null) {
-            if (logger.isTraceEnabled()) {
-                logger.trace("no document to parse; returning no prerequisite networks");
-            }
+            logger.trace("No document to parse; returning no prerequisite networks");
             return Collections.emptyList();
         }
 
@@ -540,9 +533,7 @@ public class OVFHelper {
     private void matchNicsToNets(Map<String, OVFNetworkTO> nets, Node systemElement) {
         final DocumentTraversal traversal = (DocumentTraversal) systemElement;
         final NodeIterator iterator = traversal.createNodeIterator(systemElement, NodeFilter.SHOW_ELEMENT, null, true);
-        if (logger.isTraceEnabled()) {
-            logger.trace(String.format("starting out with %d network-prerequisites, parsing hardware",nets.size()));
-        }
+        logger.trace("Starting out with {} network-prerequisites, parsing hardware", nets.size());
         int nicCount = 0;
         for (Node n = iterator.nextNode(); n != null; n = iterator.nextNode()) {
             final Element e = (Element) n;
@@ -550,9 +541,7 @@ public class OVFHelper {
                 nicCount++;
                 String name = e.getTextContent(); // should be in our nets
                 if(nets.get(name) == null) {
-                    if(logger.isInfoEnabled()) {
-                        logger.info(String.format("found a nic definition without a network definition byname %s, adding it to the list.", name));
-                    }
+                    logger.info("Found a NIC definition without a Network definition by name {}, adding it to the list.", name);
                     nets.put(name, new OVFNetworkTO());
                 }
                 OVFNetworkTO thisNet = nets.get(name);
@@ -561,9 +550,7 @@ public class OVFHelper {
                 }
             }
         }
-        if (logger.isTraceEnabled()) {
-            logger.trace(String.format("ending up with %d network-prerequisites, parsed %d nics", nets.size(), nicCount));
-        }
+        logger.trace("Ending up with {} network-prerequisites, parsed {} nics", nets.size(), nicCount);
     }
 
     /**
@@ -585,7 +572,7 @@ public class OVFHelper {
             int addressOnParent = Integer.parseInt(addressOnParentStr);
             nic.setAddressOnParent(addressOnParent);
         } catch (NumberFormatException e) {
-            logger.warn("Encountered element of type \"AddressOnParent\", that could not be parse to an integer number: " + addressOnParentStr);
+            logger.warn("Encountered element of type \"AddressOnParent\", that could not be parse to an integer number: {}", addressOnParentStr);
         }
 
         boolean automaticAllocation = StringUtils.isNotBlank(automaticAllocationStr) && Boolean.parseBoolean(automaticAllocationStr);
@@ -597,7 +584,7 @@ public class OVFHelper {
             int instanceId = Integer.parseInt(instanceIdStr);
             nic.setInstanceID(instanceId);
         } catch (NumberFormatException e) {
-            logger.warn("Encountered element of type \"InstanceID\", that could not be parse to an integer number: " + instanceIdStr);
+            logger.warn("Encountered element of type \"InstanceID\", that could not be parse to an integer number: {}", instanceIdStr);
         }
 
         nic.setResourceSubType(resourceSubType);
@@ -630,9 +617,7 @@ public class OVFHelper {
 
             nets.put(networkName,network);
         }
-        if (logger.isTraceEnabled()) {
-            logger.trace(String.format("found %d networks in template", nets.size()));
-        }
+        logger.trace("Found {} Networks in Template", nets.size());
         return nets;
     }
 
@@ -771,7 +756,7 @@ public class OVFHelper {
             try {
                 return Long.parseLong(value);
             } catch (NumberFormatException e) {
-                logger.debug("Could not parse the value: " + value + ", ignoring it");
+                logger.debug("Could not parse the value: {}, ignoring it", value);
             }
         }
         return null;
@@ -782,7 +767,7 @@ public class OVFHelper {
             try {
                 return Integer.parseInt(value);
             } catch (NumberFormatException e) {
-                logger.debug("Could not parse the value: " + value + ", ignoring it");
+                logger.debug("Could not parse the value: {}, ignoring it", value);
             }
         }
         return null;
@@ -820,7 +805,7 @@ public class OVFHelper {
                 try {
                     compressedLicense = compressOVFEula(eulaLicense);
                 } catch (IOException e) {
-                    logger.error("Could not compress the license for info " + eulaInfo);
+                    logger.error("Could not compress the license for info {}", eulaInfo);
                     continue;
                 }
                 OVFEulaSectionTO eula = new OVFEulaSectionTO(eulaInfo, compressedLicense, eulaIndex);

api/src/main/java/com/cloud/agent/api/storage/OVFParser.java

@@ -54,7 +54,7 @@ public class OVFParser {
             documentBuilderFactory.setNamespaceAware(true);
             documentBuilder = documentBuilderFactory.newDocumentBuilder();
         } catch (ParserConfigurationException e) {
-            logger.error("Cannot start the OVF parser: " + e.getMessage(), e);
+            logger.error("Cannot start the OVF parser: {}", e.getMessage(), e);
         }
     }
 
@@ -70,7 +70,7 @@ public class OVFParser {
         try {
             return documentBuilder.parse(new File(ovfFilePath));
         } catch (SAXException | IOException e) {
-            logger.error("Error parsing " + ovfFilePath + " " + e.getMessage(), e);
+            logger.error("Error parsing {} {}", ovfFilePath, e.getMessage(), e);
             return null;
         }
     }

api/src/main/java/com/cloud/agent/api/to/NicTO.java

@@ -33,6 +33,7 @@ public class NicTO extends NetworkTO {
     boolean dpdkEnabled;
     Integer mtu;
     Long networkId;
+    boolean enabled;
 
     String networkSegmentName;
 
@@ -154,4 +155,12 @@ public class NicTO extends NetworkTO {
     public void setNetworkSegmentName(String networkSegmentName) {
         this.networkSegmentName = networkSegmentName;
     }
+
+    public boolean isEnabled() {
+        return enabled;
+    }
+
+    public void setEnabled(boolean enabled) {
+        this.enabled = enabled;
+    }
 }

api/src/main/java/com/cloud/agent/api/to/RemoteInstanceTO.java

@@ -36,13 +36,17 @@ public class RemoteInstanceTO implements Serializable {
     private String vcenterPassword;
     private String vcenterHost;
     private String datacenterName;
+    private String clusterName;
+    private String hostName;
 
     public RemoteInstanceTO() {
     }
 
-    public RemoteInstanceTO(String instanceName) {
+    public RemoteInstanceTO(String instanceName, String clusterName, String hostName) {
         this.hypervisorType = Hypervisor.HypervisorType.VMware;
         this.instanceName = instanceName;
+        this.clusterName = clusterName;
+        this.hostName = hostName;
     }
 
     public RemoteInstanceTO(String instanceName, String instancePath, String vcenterHost, String vcenterUsername, String vcenterPassword, String datacenterName) {
@@ -55,6 +59,12 @@ public class RemoteInstanceTO implements Serializable {
         this.datacenterName = datacenterName;
     }
 
+    public RemoteInstanceTO(String instanceName, String instancePath, String vcenterHost, String vcenterUsername, String vcenterPassword, String datacenterName, String clusterName, String hostName) {
+        this(instanceName, instancePath, vcenterHost, vcenterUsername, vcenterPassword, datacenterName);
+        this.clusterName = clusterName;
+        this.hostName = hostName;
+    }
+
     public Hypervisor.HypervisorType getHypervisorType() {
         return this.hypervisorType;
     }
@@ -82,4 +92,12 @@ public class RemoteInstanceTO implements Serializable {
     public String getDatacenterName() {
         return datacenterName;
     }
+
+    public String getClusterName() {
+        return clusterName;
+    }
+
+    public String getHostName() {
+        return hostName;
+    }
 }

api/src/main/java/com/cloud/agent/api/to/VirtualMachineMetadataTO.java

@@ -0,0 +1,182 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.agent.api.to;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+public class VirtualMachineMetadataTO {
+    // VM details
+    private final String name;
+    private final String internalName;
+    private final String displayName;
+    private final String instanceUuid;
+    private final Integer cpuCores;
+    private final Integer memory;
+    private final Long created;
+    private final Long started;
+
+    // Owner details
+    private final String ownerDomainUuid;
+    private final String ownerDomainName;
+    private final String ownerAccountUuid;
+    private final String ownerAccountName;
+    private final String ownerProjectUuid;
+    private final String ownerProjectName;
+
+    // Host and service offering
+    private final String serviceOfferingName;
+    private final List<String> serviceOfferingHostTags;
+
+    // zone, pod, and cluster details
+    private final String zoneName;
+    private final String zoneUuid;
+    private final String podName;
+    private final String podUuid;
+    private final String clusterName;
+    private final String clusterUuid;
+
+    // resource tags
+    private final Map<String, String> resourceTags;
+
+    public VirtualMachineMetadataTO(
+            String name, String internalName, String displayName, String instanceUuid, Integer cpuCores, Integer memory, Long created, Long started,
+            String ownerDomainUuid, String ownerDomainName, String ownerAccountUuid, String ownerAccountName, String ownerProjectUuid, String ownerProjectName,
+            String serviceOfferingName, List<String> serviceOfferingHostTags,
+            String zoneName, String zoneUuid, String podName, String podUuid, String clusterName, String clusterUuid, Map<String, String> resourceTags) {
+        /*
+        * Something failed in the metadata shall not be a fatal error, the VM can still be started
+        * Thus, the unknown fields just get an explicit "unknown" value so it can be fixed in case
+        * there are bugs on some execution paths.
+        * */
+
+        this.name = (name != null) ? name : "unknown";
+        this.internalName = (internalName != null) ? internalName : "unknown";
+        this.displayName = (displayName != null) ? displayName : "unknown";
+        this.instanceUuid = (instanceUuid != null) ? instanceUuid : "unknown";
+        this.cpuCores = (cpuCores != null) ? cpuCores : -1;
+        this.memory = (memory != null) ? memory : -1;
+        this.created = (created != null) ? created : 0;
+        this.started = (started != null) ? started : 0;
+        this.ownerDomainUuid = (ownerDomainUuid != null) ? ownerDomainUuid : "unknown";
+        this.ownerDomainName = (ownerDomainName != null) ? ownerDomainName : "unknown";
+        this.ownerAccountUuid = (ownerAccountUuid != null) ? ownerAccountUuid : "unknown";
+        this.ownerAccountName = (ownerAccountName != null) ? ownerAccountName : "unknown";
+        this.ownerProjectUuid = (ownerProjectUuid != null) ? ownerProjectUuid : "unknown";
+        this.ownerProjectName = (ownerProjectName != null) ? ownerProjectName : "unknown";
+        this.serviceOfferingName = (serviceOfferingName != null) ? serviceOfferingName : "unknown";
+        this.serviceOfferingHostTags = (serviceOfferingHostTags != null) ? serviceOfferingHostTags : new ArrayList<>();
+        this.zoneName = (zoneName != null) ? zoneName : "unknown";
+        this.zoneUuid = (zoneUuid != null) ? zoneUuid : "unknown";
+        this.podName = (podName != null) ? podName : "unknown";
+        this.podUuid = (podUuid != null) ? podUuid : "unknown";
+        this.clusterName = (clusterName != null) ? clusterName : "unknown";
+        this.clusterUuid = (clusterUuid != null) ? clusterUuid : "unknown";
+
+        this.resourceTags = (resourceTags != null) ? resourceTags : new HashMap<>();
+    }
+
+    public String getName() {
+        return name;
+    }
+
+    public String getInternalName() {
+        return internalName;
+    }
+
+    public String getDisplayName() {
+        return displayName;
+    }
+
+    public String getInstanceUuid() {
+        return instanceUuid;
+    }
+
+    public Integer getCpuCores() {
+        return cpuCores;
+    }
+
+    public Integer getMemory() {
+        return memory;
+    }
+
+    public Long getCreated() { return created; }
+
+    public Long getStarted() {
+        return started;
+    }
+
+    public String getOwnerDomainUuid() {
+        return ownerDomainUuid;
+    }
+
+    public String getOwnerDomainName() {
+        return ownerDomainName;
+    }
+
+    public String getOwnerAccountUuid() {
+        return ownerAccountUuid;
+    }
+
+    public String getOwnerAccountName() {
+        return ownerAccountName;
+    }
+
+    public String getOwnerProjectUuid() {
+        return ownerProjectUuid;
+    }
+
+    public String getOwnerProjectName() {
+        return ownerProjectName;
+    }
+
+    public String getserviceOfferingName() {
+        return serviceOfferingName;
+    }
+
+    public List<String> getserviceOfferingHostTags() {
+        return serviceOfferingHostTags;
+    }
+
+    public String getZoneName() {
+        return zoneName;
+    }
+
+    public String getZoneUuid() {
+        return zoneUuid;
+    }
+
+    public String getPodName() {
+        return podName;
+    }
+
+    public String getPodUuid() {
+        return podUuid;
+    }
+
+    public String getClusterName() {
+        return clusterName;
+    }
+
+    public String getClusterUuid() {
+        return clusterUuid;
+    }
+
+    public Map<String, String> getResourceTags() { return resourceTags; }
+}

api/src/main/java/com/cloud/agent/api/to/VirtualMachineTO.java

@@ -89,6 +89,7 @@ public class VirtualMachineTO {
     private DeployAsIsInfoTO deployAsIsInfo;
     private String metadataManufacturer;
     private String metadataProductName;
+    private VirtualMachineMetadataTO metadata;
 
     public VirtualMachineTO(long id, String instanceName, VirtualMachine.Type type, int cpus, Integer speed, long minRam, long maxRam, BootloaderType bootloader,
             String os, boolean enableHA, boolean limitCpuUse, String vncPassword) {
@@ -494,6 +495,14 @@ public class VirtualMachineTO {
         this.metadataProductName = metadataProductName;
     }
 
+    public VirtualMachineMetadataTO getMetadata() {
+        return metadata;
+    }
+
+    public void setMetadata(VirtualMachineMetadataTO metadata) {
+        this.metadata = metadata;
+    }
+
     @Override
     public String toString() {
         return String.format("VM {id: \"%s\", name: \"%s\", uuid: \"%s\", type: \"%s\"}", id, name, uuid, type);

api/src/main/java/com/cloud/agent/manager/allocator/HostAllocator.java

@@ -22,19 +22,11 @@ import com.cloud.deploy.DeploymentPlan;
 import com.cloud.deploy.DeploymentPlanner.ExcludeList;
 import com.cloud.host.Host;
 import com.cloud.host.Host.Type;
-import com.cloud.offering.ServiceOffering;
 import com.cloud.utils.component.Adapter;
-import com.cloud.vm.VirtualMachine;
 import com.cloud.vm.VirtualMachineProfile;
 
 public interface HostAllocator extends Adapter {
 
-    /**
-     * @param UserVm vm
-     * @param ServiceOffering offering
-     **/
-    boolean isVirtualMachineUpgradable(final VirtualMachine vm, final ServiceOffering offering);
-
     /**
     * Determines which physical hosts are suitable to
     * allocate the guest virtual machines on
@@ -49,31 +41,6 @@ public interface HostAllocator extends Adapter {
 
     public List<Host> allocateTo(VirtualMachineProfile vmProfile, DeploymentPlan plan, Type type, ExcludeList avoid, int returnUpTo);
 
-    /**
-     * Determines which physical hosts are suitable to allocate the guest
-     * virtual machines on
-     *
-     * Allocators must set any other hosts not considered for allocation in the
-     * ExcludeList avoid. Thus the avoid set and the list of hosts suitable,
-     * together must cover the entire host set in the cluster.
-     *
-     * @param VirtualMachineProfile
-     *            vmProfile
-     * @param DeploymentPlan
-     *            plan
-     * @param GuestType
-     *            type
-     * @param ExcludeList
-     *            avoid
-     * @param int returnUpTo (use -1 to return all possible hosts)
-     * @param boolean considerReservedCapacity (default should be true, set to
-     *        false if host capacity calculation should not look at reserved
-     *        capacity)
-     * @return List<Host> List of hosts that are suitable for VM allocation
-     **/
-
-    public List<Host> allocateTo(VirtualMachineProfile vmProfile, DeploymentPlan plan, Type type, ExcludeList avoid, int returnUpTo, boolean considerReservedCapacity);
-
     /**
      * Determines which physical hosts are suitable to allocate the guest
      * virtual machines on

api/src/main/java/com/cloud/api/commands/ListRecurringSnapshotScheduleCmd.java

@@ -35,10 +35,10 @@ public class ListRecurringSnapshotScheduleCmd extends BaseListCmd {
     //////////////// API parameters /////////////////////
     /////////////////////////////////////////////////////
 
-    @Parameter(name = ApiConstants.SNAPSHOT_POLICY_ID, type = CommandType.LONG, description = "lists recurring snapshots by snapshot policy ID")
+    @Parameter(name = ApiConstants.SNAPSHOT_POLICY_ID, type = CommandType.LONG, description = "Lists recurring Snapshots by Snapshot policy ID")
     private Long snapshotPolicyId;
 
-    @Parameter(name = ApiConstants.VOLUME_ID, type = CommandType.LONG, required = true, description = "list recurring snapshots by volume ID")
+    @Parameter(name = ApiConstants.VOLUME_ID, type = CommandType.LONG, required = true, description = "List recurring Snapshots by volume ID")
     private Long volumeId;
 
     /////////////////////////////////////////////////////

api/src/main/java/com/cloud/configuration/ConfigurationService.java

@@ -24,15 +24,18 @@ import com.cloud.network.Network;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.command.admin.config.ResetCfgCmd;
 import org.apache.cloudstack.api.command.admin.config.UpdateCfgCmd;
+import org.apache.cloudstack.api.command.admin.network.CloneNetworkOfferingCmd;
 import org.apache.cloudstack.api.command.admin.network.CreateGuestNetworkIpv6PrefixCmd;
 import org.apache.cloudstack.api.command.admin.network.CreateManagementNetworkIpRangeCmd;
-import org.apache.cloudstack.api.command.admin.network.CreateNetworkOfferingCmd;
 import org.apache.cloudstack.api.command.admin.network.DeleteGuestNetworkIpv6PrefixCmd;
 import org.apache.cloudstack.api.command.admin.network.DeleteManagementNetworkIpRangeCmd;
 import org.apache.cloudstack.api.command.admin.network.DeleteNetworkOfferingCmd;
 import org.apache.cloudstack.api.command.admin.network.ListGuestNetworkIpv6PrefixesCmd;
+import org.apache.cloudstack.api.command.admin.network.NetworkOfferingBaseCmd;
 import org.apache.cloudstack.api.command.admin.network.UpdateNetworkOfferingCmd;
 import org.apache.cloudstack.api.command.admin.network.UpdatePodManagementNetworkIpRangeCmd;
+import org.apache.cloudstack.api.command.admin.offering.CloneDiskOfferingCmd;
+import org.apache.cloudstack.api.command.admin.offering.CloneServiceOfferingCmd;
 import org.apache.cloudstack.api.command.admin.offering.CreateDiskOfferingCmd;
 import org.apache.cloudstack.api.command.admin.offering.CreateServiceOfferingCmd;
 import org.apache.cloudstack.api.command.admin.offering.DeleteDiskOfferingCmd;
@@ -105,6 +108,33 @@ public interface ConfigurationService {
      */
     ServiceOffering createServiceOffering(CreateServiceOfferingCmd cmd);
 
+    /**
+     * Clones a service offering with optional parameter overrides
+     *
+     * @param cmd
+     *            the command object that specifies the source offering ID and optional parameter overrides
+     * @return the newly created service offering cloned from source, null otherwise
+     */
+    ServiceOffering cloneServiceOffering(CloneServiceOfferingCmd cmd);
+
+    /**
+     * Clones a disk offering with optional parameter overrides
+     *
+     * @param cmd
+     *            the command object that specifies the source offering ID and optional parameter overrides
+     * @return the newly created disk offering cloned from source, null otherwise
+     */
+    DiskOffering cloneDiskOffering(CloneDiskOfferingCmd cmd);
+
+    /**
+     * Clones a network offering with optional parameter overrides
+     *
+     * @param cmd
+     *            the command object that specifies the source offering ID and optional parameter overrides
+     * @return the newly created network offering cloned from source, null otherwise
+     */
+    NetworkOffering cloneNetworkOffering(CloneNetworkOfferingCmd cmd);
+
     /**
      * Updates a service offering
      *
@@ -282,7 +312,7 @@ public interface ConfigurationService {
 
     boolean releasePublicIpRange(ReleasePublicIpRangeCmd cmd);
 
-    NetworkOffering createNetworkOffering(CreateNetworkOfferingCmd cmd);
+    NetworkOffering createNetworkOffering(NetworkOfferingBaseCmd cmd);
 
     NetworkOffering updateNetworkOffering(UpdateNetworkOfferingCmd cmd);
 

api/src/main/java/com/cloud/cpu/CPU.java

@@ -22,7 +22,8 @@ public class CPU {
     public enum CPUArch {
         x86("i686", 32),
         amd64("x86_64", 64),
-        arm64("aarch64", 64);
+        arm64("aarch64", 64),
+        s390x("s390x", 64);
 
         private final String type;
         private final int bits;

api/src/main/java/com/cloud/deploy/DeploymentClusterPlanner.java

@@ -62,11 +62,11 @@ public interface DeploymentClusterPlanner extends DeploymentPlanner {
             "vm.allocation.algorithm",
             "Advanced",
             "random",
-            "Order in which hosts within a cluster will be considered for VM allocation. The value can be 'random', 'firstfit', 'userdispersing', 'userconcentratedpod_random', 'userconcentratedpod_firstfit', or 'firstfitleastconsumed'.",
+            "Order in which hosts within a cluster will be considered for VM allocation. The value can be 'random', 'firstfit', 'userdispersing', or 'firstfitleastconsumed'.",
             true,
             ConfigKey.Scope.Global, null, null, null, null, null,
             ConfigKey.Kind.Select,
-            "random,firstfit,userdispersing,userconcentratedpod_random,userconcentratedpod_firstfit,firstfitleastconsumed");
+            "random,firstfit,userdispersing,firstfitleastconsumed");
 
     /**
      * This is called to determine list of possible clusters where a virtual

api/src/main/java/com/cloud/deploy/DeploymentPlanner.java

@@ -70,7 +70,7 @@ public interface DeploymentPlanner extends Adapter {
     boolean canHandle(VirtualMachineProfile vm, DeploymentPlan plan, ExcludeList avoid);
 
     public enum AllocationAlgorithm {
-        random, firstfit, userdispersing, userconcentratedpod_random, userconcentratedpod_firstfit;
+        random, firstfit, userdispersing, firstfitleastconsumed;
     }
 
     public enum PlannerResourceUsage {

api/src/main/java/com/cloud/event/EventTypes.java

@@ -298,8 +298,9 @@ public class EventTypes {
     public static final String EVENT_REGISTER_CNI_CONFIG = "REGISTER.CNI.CONFIG";
     public static final String EVENT_DELETE_CNI_CONFIG = "DELETE.CNI.CONFIG";
 
-    //register for user API and secret keys
+    //user API and secret keys
     public static final String EVENT_REGISTER_FOR_SECRET_API_KEY = "REGISTER.USER.KEY";
+    public static final String EVENT_DELETE_SECRET_API_KEY = "DELETE.USER.KEY";
     public static final String API_KEY_ACCESS_UPDATE = "API.KEY.ACCESS.UPDATE";
 
     // Template Events
@@ -374,11 +375,13 @@ public class EventTypes {
 
     // Service Offerings
     public static final String EVENT_SERVICE_OFFERING_CREATE = "SERVICE.OFFERING.CREATE";
+    public static final String EVENT_SERVICE_OFFERING_CLONE = "SERVICE.OFFERING.CLONE";
     public static final String EVENT_SERVICE_OFFERING_EDIT = "SERVICE.OFFERING.EDIT";
     public static final String EVENT_SERVICE_OFFERING_DELETE = "SERVICE.OFFERING.DELETE";
 
     // Disk Offerings
     public static final String EVENT_DISK_OFFERING_CREATE = "DISK.OFFERING.CREATE";
+    public static final String EVENT_DISK_OFFERING_CLONE = "DISK.OFFERING.CLONE";
     public static final String EVENT_DISK_OFFERING_EDIT = "DISK.OFFERING.EDIT";
     public static final String EVENT_DISK_OFFERING_DELETE = "DISK.OFFERING.DELETE";
 
@@ -399,6 +402,7 @@ public class EventTypes {
 
     // Network offerings
     public static final String EVENT_NETWORK_OFFERING_CREATE = "NETWORK.OFFERING.CREATE";
+    public static final String EVENT_NETWORK_OFFERING_CLONE = "NETWORK.OFFERING.CLONE";
     public static final String EVENT_NETWORK_OFFERING_ASSIGN = "NETWORK.OFFERING.ASSIGN";
     public static final String EVENT_NETWORK_OFFERING_EDIT = "NETWORK.OFFERING.EDIT";
     public static final String EVENT_NETWORK_OFFERING_REMOVE = "NETWORK.OFFERING.REMOVE";
@@ -503,6 +507,7 @@ public class EventTypes {
     public static final String EVENT_S2S_VPN_CUSTOMER_GATEWAY_CREATE = "VPN.S2S.CUSTOMER.GATEWAY.CREATE";
     public static final String EVENT_S2S_VPN_CUSTOMER_GATEWAY_DELETE = "VPN.S2S.CUSTOMER.GATEWAY.DELETE";
     public static final String EVENT_S2S_VPN_CUSTOMER_GATEWAY_UPDATE = "VPN.S2S.CUSTOMER.GATEWAY.UPDATE";
+    public static final String EVENT_S2S_VPN_GATEWAY_OBSOLETE_PARAMS = "VPN.S2S.GATEWAY.OBSOLETE.PARAMS";
     public static final String EVENT_S2S_VPN_CONNECTION_CREATE = "VPN.S2S.CONNECTION.CREATE";
     public static final String EVENT_S2S_VPN_CONNECTION_DELETE = "VPN.S2S.CONNECTION.DELETE";
     public static final String EVENT_S2S_VPN_CONNECTION_RESET = "VPN.S2S.CONNECTION.RESET";
@@ -582,6 +587,7 @@ public class EventTypes {
 
     // Network ACL
     public static final String EVENT_NETWORK_ACL_CREATE = "NETWORK.ACL.CREATE";
+    public static final String EVENT_NETWORK_ACL_IMPORT = "NETWORK.ACL.IMPORT";
     public static final String EVENT_NETWORK_ACL_DELETE = "NETWORK.ACL.DELETE";
     public static final String EVENT_NETWORK_ACL_REPLACE = "NETWORK.ACL.REPLACE";
     public static final String EVENT_NETWORK_ACL_UPDATE = "NETWORK.ACL.UPDATE";
@@ -596,6 +602,7 @@ public class EventTypes {
 
     // VPC offerings
     public static final String EVENT_VPC_OFFERING_CREATE = "VPC.OFFERING.CREATE";
+    public static final String EVENT_VPC_OFFERING_CLONE = "VPC.OFFERING.CLONE";
     public static final String EVENT_VPC_OFFERING_UPDATE = "VPC.OFFERING.UPDATE";
     public static final String EVENT_VPC_OFFERING_DELETE = "VPC.OFFERING.DELETE";
 
@@ -628,6 +635,7 @@ public class EventTypes {
 
     // Backup and Recovery events
     public static final String EVENT_VM_BACKUP_IMPORT_OFFERING = "BACKUP.IMPORT.OFFERING";
+    public static final String EVENT_VM_BACKUP_OFFERING_CLONE = "BACKUP.OFFERING.CLONE";
     public static final String EVENT_VM_BACKUP_OFFERING_ASSIGN = "BACKUP.OFFERING.ASSIGN";
     public static final String EVENT_VM_BACKUP_OFFERING_REMOVE = "BACKUP.OFFERING.REMOVE";
     public static final String EVENT_VM_BACKUP_CREATE = "BACKUP.CREATE";
@@ -1043,11 +1051,13 @@ public class EventTypes {
 
         // Service Offerings
         entityEventDetails.put(EVENT_SERVICE_OFFERING_CREATE, ServiceOffering.class);
+        entityEventDetails.put(EVENT_SERVICE_OFFERING_CLONE, ServiceOffering.class);
         entityEventDetails.put(EVENT_SERVICE_OFFERING_EDIT, ServiceOffering.class);
         entityEventDetails.put(EVENT_SERVICE_OFFERING_DELETE, ServiceOffering.class);
 
         // Disk Offerings
         entityEventDetails.put(EVENT_DISK_OFFERING_CREATE, DiskOffering.class);
+        entityEventDetails.put(EVENT_DISK_OFFERING_CLONE, DiskOffering.class);
         entityEventDetails.put(EVENT_DISK_OFFERING_EDIT, DiskOffering.class);
         entityEventDetails.put(EVENT_DISK_OFFERING_DELETE, DiskOffering.class);
 
@@ -1068,6 +1078,7 @@ public class EventTypes {
 
         // Network offerings
         entityEventDetails.put(EVENT_NETWORK_OFFERING_CREATE, NetworkOffering.class);
+        entityEventDetails.put(EVENT_NETWORK_OFFERING_CLONE, NetworkOffering.class);
         entityEventDetails.put(EVENT_NETWORK_OFFERING_ASSIGN, NetworkOffering.class);
         entityEventDetails.put(EVENT_NETWORK_OFFERING_EDIT, NetworkOffering.class);
         entityEventDetails.put(EVENT_NETWORK_OFFERING_REMOVE, NetworkOffering.class);
@@ -1151,6 +1162,7 @@ public class EventTypes {
         entityEventDetails.put(EVENT_S2S_VPN_CUSTOMER_GATEWAY_CREATE, Site2SiteCustomerGateway.class);
         entityEventDetails.put(EVENT_S2S_VPN_CUSTOMER_GATEWAY_DELETE, Site2SiteCustomerGateway.class);
         entityEventDetails.put(EVENT_S2S_VPN_CUSTOMER_GATEWAY_UPDATE, Site2SiteCustomerGateway.class);
+        entityEventDetails.put(EVENT_S2S_VPN_GATEWAY_OBSOLETE_PARAMS, Site2SiteCustomerGateway.class);
         entityEventDetails.put(EVENT_S2S_VPN_CONNECTION_CREATE, Site2SiteVpnConnection.class);
         entityEventDetails.put(EVENT_S2S_VPN_CONNECTION_DELETE, Site2SiteVpnConnection.class);
         entityEventDetails.put(EVENT_S2S_VPN_CONNECTION_RESET, Site2SiteVpnConnection.class);

api/src/main/java/com/cloud/ha/Investigator.java

@@ -26,17 +26,19 @@ public interface Investigator extends Adapter {
      * Returns if the vm is still alive.
      *
      * @param vm to work on.
+     * @return true if vm is alive, otherwise false
      */
-    public boolean isVmAlive(VirtualMachine vm, Host host) throws UnknownVM;
+    boolean isVmAlive(VirtualMachine vm, Host host) throws UnknownVM;
 
-    public Status isAgentAlive(Host agent);
+    /**
+     * Returns the agent status of the host.
+     *
+     * @param host
+     * @return status of the host agent
+     */
+    Status getHostAgentStatus(Host host);
 
     class UnknownVM extends Exception {
-
-        /**
-         *
-         */
         private static final long serialVersionUID = 1L;
-
     };
 }

api/src/main/java/com/cloud/host/Host.java

@@ -57,8 +57,14 @@ public interface Host extends StateObject<Status>, Identity, Partition, HAResour
     String HOST_UEFI_ENABLE = "host.uefi.enable";
     String HOST_VOLUME_ENCRYPTION = "host.volume.encryption";
     String HOST_INSTANCE_CONVERSION = "host.instance.conversion";
+    String HOST_VDDK_SUPPORT = "host.vddk.support";
+    String HOST_VDDK_LIB_DIR = "vddk.lib.dir";
+    String HOST_VDDK_VERSION = "host.vddk.version";
     String HOST_OVFTOOL_VERSION = "host.ovftool.version";
     String HOST_VIRTV2V_VERSION = "host.virtv2v.version";
+    String HOST_SSH_PORT = "host.ssh.port";
+
+    int DEFAULT_SSH_PORT = 22;
 
     /**
      * @return name of the machine.

api/src/main/java/com/cloud/host/HostStats.java

@@ -36,5 +36,4 @@ public interface HostStats {
     public HostStats getHostStats();
 
     public double getLoadAverage();
-    // public double getXapiMemoryUsageKBs();
 }

api/src/main/java/com/cloud/kubernetes/cluster/KubernetesCluster.java

@@ -98,7 +98,7 @@ public interface KubernetesCluster extends ControlledEntity, com.cloud.utils.fsm
             s_fsm.addTransition(State.Running, Event.ScaleDownRequested, State.Scaling);
             s_fsm.addTransition(State.Stopped, Event.ScaleUpRequested, State.ScalingStoppedCluster);
             s_fsm.addTransition(State.Scaling, Event.OperationSucceeded, State.Running);
-            s_fsm.addTransition(State.Scaling, Event.OperationFailed, State.Alert);
+            s_fsm.addTransition(State.Scaling, Event.OperationFailed, State.Running);
             s_fsm.addTransition(State.ScalingStoppedCluster, Event.OperationSucceeded, State.Stopped);
             s_fsm.addTransition(State.ScalingStoppedCluster, Event.OperationFailed, State.Alert);
 

api/src/main/java/com/cloud/kubernetes/cluster/KubernetesServiceHelper.java

@@ -18,6 +18,7 @@ package com.cloud.kubernetes.cluster;
 
 import org.apache.cloudstack.acl.ControlledEntity;
 
+import java.util.List;
 import java.util.Map;
 
 import com.cloud.user.Account;
@@ -33,8 +34,10 @@ public interface KubernetesServiceHelper extends Adapter {
     ControlledEntity findByUuid(String uuid);
     ControlledEntity findByVmId(long vmId);
     void checkVmCanBeDestroyed(UserVm userVm);
+    void checkVmAffinityGroupsCanBeUpdated(UserVm userVm);
     boolean isValidNodeType(String nodeType);
     Map<String, Long> getServiceOfferingNodeTypeMap(Map<String, Map<String, String>> serviceOfferingNodeTypeMap);
     Map<String, Long> getTemplateNodeTypeMap(Map<String, Map<String, String>> templateNodeTypeMap);
+    Map<String, List<Long>> getAffinityGroupNodeTypeMap(Map<String, Map<String, String>> affinityGroupNodeTypeMap);
     void cleanupForAccount(Account account);
 }

api/src/main/java/com/cloud/network/Ipv6Service.java

@@ -45,7 +45,7 @@ public interface Ipv6Service extends PluggableService, Configurable {
     static final ConfigKey<Boolean> Ipv6OfferingCreationEnabled = new ConfigKey<Boolean>("Advanced", Boolean.class,
             "ipv6.offering.enabled",
             "false",
-            "Indicates whether creation of IPv6 network/VPC offering is enabled or not.",
+            "Indicates whether creation of IPv6 Network/VPC offering is enabled or not.",
             true);
 
     static final ConfigKey<Integer> Ipv6PrefixSubnetCleanupInterval = new ConfigKey<Integer>("Advanced", Integer.class,

api/src/main/java/com/cloud/network/Network.java

@@ -325,9 +325,9 @@ public interface Network extends ControlledEntity, StateObject<Network.State>, I
 
     public enum State {
 
-        Allocated("Indicates the network configuration is in allocated but not setup"), Setup("Indicates the network configuration is setup"), Implementing(
-                "Indicates the network configuration is being implemented"), Implemented("Indicates the network configuration is in use"), Shutdown(
-                "Indicates the network configuration is being destroyed"), Destroy("Indicates that the network is destroyed");
+        Allocated("Indicates the Network configuration is in allocated but not setup"), Setup("Indicates the Network configuration is setup"), Implementing(
+                "Indicates the Network configuration is being implemented"), Implemented("Indicates the Network configuration is in use"), Shutdown(
+                "Indicates the Network configuration is being destroyed"), Destroy("Indicates that the Network is destroyed");
 
         protected static final StateMachine2<State, Network.Event, Network> s_fsm = new StateMachine2<State, Network.Event, Network>();
 
@@ -510,4 +510,6 @@ public interface Network extends ControlledEntity, StateObject<Network.State>, I
     Integer getPrivateMtu();
 
     Integer getNetworkCidrSize();
+
+    boolean getKeepMacAddressOnPublicNic();
 }

api/src/main/java/com/cloud/network/NetworkModel.java

@@ -125,6 +125,10 @@ public interface NetworkModel {
      */
     String getNextAvailableMacAddressInNetwork(long networkConfigurationId) throws InsufficientAddressCapacityException;
 
+    String getUniqueMacAddress(long macAddress, long networkId, long datacenterId) throws InsufficientAddressCapacityException;
+
+    boolean isMACUnique(String mac, long networkId);
+
     PublicIpAddress getPublicIpAddress(long ipAddressId);
 
     List<? extends Vlan> listPodVlans(long podId);
@@ -364,4 +368,8 @@ public interface NetworkModel {
 
     boolean checkSecurityGroupSupportForNetwork(Account account, DataCenter zone, List<Long> networkIds,
                                                 List<Long> securityGroupsIds);
+
+    default long getMacIdentifier(Long dataCenterId) {
+        return 0;
+    }
 }

api/src/main/java/com/cloud/network/NetworkProfile.java

@@ -385,6 +385,11 @@ public class NetworkProfile implements Network {
         return networkCidrSize;
     }
 
+    @Override
+    public boolean getKeepMacAddressOnPublicNic() {
+        return true;
+    }
+
     @Override
     public String toString() {
         return String.format("NetworkProfile %s",

api/src/main/java/com/cloud/network/NetworkService.java

@@ -81,7 +81,7 @@ public interface NetworkService {
             true, ConfigKey.Scope.Zone);
 
     public static final ConfigKey<Boolean> AllowUsersToSpecifyVRMtu = new ConfigKey<>("Advanced", Boolean.class,
-            "allow.end.users.to.specify.vr.mtu", "false", "Allow end users to specify VR MTU",
+            "allow.end.users.to.specify.vr.mtu", "false", "Allow end Users to specify VR MTU",
             true, ConfigKey.Scope.Zone);
 
     List<? extends Network> getIsolatedNetworksOwnedByAccountInZone(long zoneId, Account owner);
@@ -108,6 +108,10 @@ public interface NetworkService {
            PhysicalNetwork physicalNetwork, long zoneId, ControlledEntity.ACLType aclType) throws
             InsufficientCapacityException, ConcurrentOperationException, ResourceAllocationException;
 
+    Network createGuestNetwork(long networkOfferingId, String name, String displayText, Account owner,
+                               PhysicalNetwork physicalNetwork, long zoneId, ControlledEntity.ACLType aclType, Pair<Integer, Integer> vrIfaceMTUs) throws
+            InsufficientCapacityException, ConcurrentOperationException, ResourceAllocationException;
+
     Pair<List<? extends Network>, Integer> searchForNetworks(ListNetworksCmd cmd);
 
     boolean deleteNetwork(long networkId, boolean forced);
@@ -275,4 +279,6 @@ public interface NetworkService {
     IpAddresses getIpAddressesFromIps(String ipAddress, String ip6Address, String macAddress);
 
     String getNicVlanValueForExternalVm(NicTO nic);
+
+    Long getPreferredNetworkIdForPublicIpRuleAssignment(IpAddress ip, Long networkId);
 }

api/src/main/java/com/cloud/network/Networks.java

@@ -78,7 +78,7 @@ public class Networks {
             }
             @Override
             public String getValueFrom(URI uri) {
-                return uri.getAuthority();
+                return uri == null ? null : uri.getAuthority();
             }
         },
         Vswitch("vs", String.class), LinkLocal(null, null), Vnet("vnet", Long.class), Storage("storage", Integer.class), Lswitch("lswitch", String.class) {
@@ -96,7 +96,7 @@ public class Networks {
              */
             @Override
             public String getValueFrom(URI uri) {
-                return uri.getSchemeSpecificPart();
+                return uri == null ? null : uri.getSchemeSpecificPart();
             }
         },
         Mido("mido", String.class), Pvlan("pvlan", String.class),
@@ -177,7 +177,7 @@ public class Networks {
          * @return the scheme as BroadcastDomainType
          */
         public static BroadcastDomainType getSchemeValue(URI uri) {
-            return toEnumValue(uri.getScheme());
+            return toEnumValue(uri == null ? null : uri.getScheme());
         }
 
         /**
@@ -191,7 +191,7 @@ public class Networks {
             if (com.cloud.dc.Vlan.UNTAGGED.equalsIgnoreCase(str)) {
                 return Native;
             }
-            return getSchemeValue(new URI(str));
+            return getSchemeValue(str == null ? null : new URI(str));
         }
 
         /**
@@ -220,7 +220,7 @@ public class Networks {
          * @return the host part as String
          */
         public String getValueFrom(URI uri) {
-            return uri.getHost();
+            return uri == null ? null : uri.getHost();
         }
 
         /**
@@ -243,7 +243,7 @@ public class Networks {
          * @throws URISyntaxException the string is not even an uri
          */
         public static String getValue(String uriString) throws URISyntaxException {
-            return getValue(new URI(uriString));
+            return getValue(uriString == null ? null : new URI(uriString));
         }
 
         /**

api/src/main/java/com/cloud/network/PhysicalNetworkTrafficType.java

@@ -41,4 +41,6 @@ public interface PhysicalNetworkTrafficType extends InternalIdentity, Identity {
     String getHypervNetworkLabel();
 
     String getOvm3NetworkLabel();
+
+    String getVlan();
 }

api/src/main/java/com/cloud/network/as/AutoScaleVmGroup.java

@@ -43,7 +43,7 @@ public interface AutoScaleVmGroup extends ControlledEntity, InternalIdentity, Di
             } else if (state.equalsIgnoreCase("scaling")) {
                 return SCALING;
             } else {
-                throw new IllegalArgumentException("Unexpected AutoScale VM group state : " + state);
+                throw new IllegalArgumentException("Unexpected AutoScale Instance group state : " + state);
             }
         }
     }

api/src/main/java/com/cloud/network/lb/LoadBalancingRulesService.java

@@ -108,7 +108,7 @@ public interface LoadBalancingRulesService {
     /**
      * Assign a virtual machine or list of virtual machines, or Map of <vmId vmIp> to a load balancer.
      */
-    boolean assignToLoadBalancer(long lbRuleId, List<Long> vmIds, Map<Long, List<String>> vmIdIpMap, boolean isAutoScaleVM);
+    boolean assignToLoadBalancer(long lbRuleId, List<Long> vmIds, Map<Long, List<String>> vmIdIpMap, Map<Long, Long> vmIdNetworkMap, boolean isAutoScaleVM);
 
     boolean assignSSLCertToLoadBalancerRule(Long lbRuleId, String certName, String publicCert, String privateKey);
 

api/src/main/java/com/cloud/network/rules/LbStickinessMethod.java

@@ -108,8 +108,7 @@ public class LbStickinessMethod {
     }
 
     public void addParam(String name, Boolean required, String description, Boolean isFlag) {
-        /* FIXME : UI is breaking if the capability string length is larger , temporarily description is commented out */
-        // LbStickinessMethodParam param = new LbStickinessMethodParam(name, required, description);
+        /* is this still a valid comment: FIXME : UI is breaking if the capability string length is larger , temporarily description is commented out */
         LbStickinessMethodParam param = new LbStickinessMethodParam(name, required, " ", isFlag);
         _paramList.add(param);
         return;
@@ -133,7 +132,6 @@ public class LbStickinessMethod {
 
     public void setDescription(String description) {
         /* FIXME : UI is breaking if the capability string length is larger , temporarily description is commented out */
-        //this.description = description;
         this._description = " ";
     }
 }

api/src/main/java/com/cloud/network/vpc/NetworkACLService.java

@@ -19,6 +19,7 @@ package com.cloud.network.vpc;
 import java.util.List;
 
 import org.apache.cloudstack.api.command.user.network.CreateNetworkACLCmd;
+import org.apache.cloudstack.api.command.user.network.ImportNetworkACLCmd;
 import org.apache.cloudstack.api.command.user.network.ListNetworkACLListsCmd;
 import org.apache.cloudstack.api.command.user.network.ListNetworkACLsCmd;
 import org.apache.cloudstack.api.command.user.network.MoveNetworkAclItemCmd;
@@ -98,4 +99,6 @@ public interface NetworkACLService {
     NetworkACLItem moveNetworkAclRuleToNewPosition(MoveNetworkAclItemCmd moveNetworkAclItemCmd);
 
     NetworkACLItem moveRuleToTheTopInACLList(NetworkACLItem ruleBeingMoved);
+
+    List<NetworkACLItem> importNetworkACLRules(ImportNetworkACLCmd cmd) throws ResourceUnavailableException;
 }

api/src/main/java/com/cloud/network/vpc/Vpc.java

@@ -107,4 +107,6 @@ public interface Vpc extends ControlledEntity, Identity, InternalIdentity {
     String getIp6Dns2();
 
     boolean useRouterIpAsResolver();
+
+    boolean getKeepMacAddressOnPublicNic();
 }

api/src/main/java/com/cloud/network/vpc/VpcOffering.java

@@ -84,4 +84,6 @@ public interface VpcOffering extends InternalIdentity, Identity {
     NetworkOffering.RoutingMode getRoutingMode();
 
     Boolean isSpecifyAsNumber();
+
+    boolean isConserveMode();
 }

api/src/main/java/com/cloud/network/vpc/VpcProvisioningService.java

@@ -20,6 +20,7 @@ package com.cloud.network.vpc;
 import java.util.List;
 import java.util.Map;
 
+import org.apache.cloudstack.api.command.admin.vpc.CloneVPCOfferingCmd;
 import org.apache.cloudstack.api.command.admin.vpc.CreateVPCOfferingCmd;
 import org.apache.cloudstack.api.command.admin.vpc.UpdateVPCOfferingCmd;
 import org.apache.cloudstack.api.command.user.vpc.ListVPCOfferingsCmd;
@@ -34,12 +35,14 @@ public interface VpcProvisioningService {
 
     VpcOffering createVpcOffering(CreateVPCOfferingCmd cmd);
 
+    VpcOffering cloneVPCOffering(CloneVPCOfferingCmd cmd);
+
     VpcOffering createVpcOffering(String name, String displayText, List<String> supportedServices,
                                   Map<String, List<String>> serviceProviders,
                                   Map serviceCapabilitystList, NetUtils.InternetProtocol internetProtocol,
                                   Long serviceOfferingId, String externalProvider, NetworkOffering.NetworkMode networkMode,
                                   List<Long> domainIds, List<Long> zoneIds, VpcOffering.State state,
-                                  NetworkOffering.RoutingMode routingMode, boolean specifyAsNumber);
+                                  NetworkOffering.RoutingMode routingMode, boolean specifyAsNumber, boolean conserveMode);
 
 
     Pair<List<? extends VpcOffering>,Integer> listVpcOfferings(ListVPCOfferingsCmd cmd);

api/src/main/java/com/cloud/network/vpc/VpcService.java

@@ -58,7 +58,7 @@ public interface VpcService {
      */
     Vpc createVpc(long zoneId, long vpcOffId, long vpcOwnerId, String vpcName, String displayText, String cidr, String networkDomain,
                   String ip4Dns1, String ip4Dns2, String ip6Dns1, String ip6Dns2, Boolean displayVpc, Integer publicMtu, Integer cidrSize,
-                  Long asNumber, List<Long> bgpPeerIds, Boolean useVrIpResolver) throws ResourceAllocationException;
+                  Long asNumber, List<Long> bgpPeerIds, Boolean useVrIpResolver, boolean keepMacAddressOnPublicNic) throws ResourceAllocationException;
 
     /**
      * Persists VPC record in the database
@@ -104,7 +104,7 @@ public interface VpcService {
      * @throws ResourceUnavailableException if during restart some resources may not be available
      * @throws InsufficientCapacityException if for instance no address space, compute or storage is sufficiently available
      */
-    Vpc updateVpc(long vpcId, String vpcName, String displayText, String customId, Boolean displayVpc, Integer mtu, String sourceNatIp) throws ResourceUnavailableException, InsufficientCapacityException;
+    Vpc updateVpc(long vpcId, String vpcName, String displayText, String customId, Boolean displayVpc, Integer mtu, String sourceNatIp, Boolean keepMacAddressOnPublicNic) throws ResourceUnavailableException, InsufficientCapacityException;
 
     /**
      * Lists VPC(s) based on the parameters passed to the API call

api/src/main/java/com/cloud/server/ManagementService.java

@@ -71,12 +71,13 @@ import org.apache.cloudstack.api.command.user.vm.GetVMPasswordCmd;
 import org.apache.cloudstack.api.command.user.vmgroup.UpdateVMGroupCmd;
 import org.apache.cloudstack.config.Configuration;
 import org.apache.cloudstack.config.ConfigurationGroup;
-import org.apache.cloudstack.framework.config.ConfigKey;
 
 import com.cloud.alert.Alert;
 import com.cloud.capacity.Capacity;
 import com.cloud.dc.Pod;
 import com.cloud.dc.Vlan;
+import com.cloud.deploy.DeploymentPlan;
+import com.cloud.deploy.DeploymentPlanner.ExcludeList;
 import com.cloud.exception.ConcurrentOperationException;
 import com.cloud.exception.ManagementServerException;
 import com.cloud.exception.ResourceUnavailableException;
@@ -97,6 +98,7 @@ import com.cloud.utils.Ternary;
 import com.cloud.vm.InstanceGroup;
 import com.cloud.vm.VirtualMachine;
 import com.cloud.vm.VirtualMachine.Type;
+import com.cloud.vm.VirtualMachineProfile;
 
 /**
  * Hopefully this is temporary.
@@ -105,14 +107,6 @@ import com.cloud.vm.VirtualMachine.Type;
 public interface ManagementService {
     static final String Name = "management-server";
 
-    ConfigKey<Boolean> JsInterpretationEnabled = new ConfigKey<>("Hidden"
-            , Boolean.class
-            , "js.interpretation.enabled"
-            , "false"
-            , "Enable/Disable all JavaScript interpretation related functionalities to create or update Javascript rules."
-            , false
-            , ConfigKey.Scope.Global);
-
     /**
      * returns the a map of the names/values in the configuration table
      *
@@ -478,6 +472,19 @@ public interface ManagementService {
 
     Ternary<Pair<List<? extends Host>, Integer>, List<? extends Host>, Map<Host, Boolean>> listHostsForMigrationOfVM(VirtualMachine vm, Long startIndex, Long pageSize, String keyword, List<VirtualMachine> vmList);
 
+    /**
+     * Apply affinity group constraints and other exclusion rules for VM migration.
+     * This is a helper method that can be used independently for per-iteration affinity checks in DRS.
+     *
+     * @param vm The virtual machine to migrate
+     * @param vmProfile The VM profile
+     * @param plan The deployment plan
+     * @param vmList List of VMs with current/simulated placements for affinity processing
+     * @return ExcludeList containing hosts to avoid
+     */
+    ExcludeList applyAffinityConstraints(VirtualMachine vm, VirtualMachineProfile vmProfile,
+            DeploymentPlan plan, List<VirtualMachine> vmList);
+
     /**
      * List storage pools for live migrating of a volume. The API returns list of all pools in the cluster to which the
      * volume can be migrated. Current pool is not included in the list. In case of vSphere datastore cluster storage pools,
@@ -518,6 +525,4 @@ public interface ManagementService {
 
     boolean removeManagementServer(RemoveManagementServerCmd cmd);
 
-    void checkJsInterpretationAllowedIfNeededForParameterValue(String paramName, boolean paramValue);
-
 }

api/src/main/java/com/cloud/server/ResourceTag.java

@@ -16,14 +16,14 @@
 // under the License.
 package com.cloud.server;
 
-import org.apache.cloudstack.acl.ControlledEntity;
-import org.apache.cloudstack.api.Identity;
-import org.apache.cloudstack.api.InternalIdentity;
-
 import java.util.HashMap;
 import java.util.Locale;
 import java.util.Map;
 
+import org.apache.cloudstack.acl.ControlledEntity;
+import org.apache.cloudstack.api.Identity;
+import org.apache.cloudstack.api.InternalIdentity;
+
 public interface ResourceTag extends ControlledEntity, Identity, InternalIdentity {
 
     // FIXME - extract enum to another interface as its used both by resourceTags and resourceMetaData code
@@ -70,7 +70,7 @@ public interface ResourceTag extends ControlledEntity, Identity, InternalIdentit
         GuestOs(false, true),
         NetworkOffering(false, true),
         VpcOffering(true, false),
-        Domain(false, false, true),
+        Domain(true, false, true),
         ObjectStore(false, false, true);
 
 

api/src/main/java/com/cloud/storage/Storage.java

@@ -128,7 +128,7 @@ public class Storage {
     public static enum TemplateType {
         ROUTING, // Router template
         SYSTEM, /* routing, system vm template */
-        BUILTIN, /* buildin template */
+        BUILTIN, /* builtin template */
         PERHOST, /* every host has this template, don't need to install it in secondary storage */
         USER, /* User supplied template/iso */
         VNF,    /* VNFs (virtual network functions) template */

api/src/main/java/com/cloud/storage/VolumeApiService.java

@@ -56,9 +56,9 @@ public interface VolumeApiService {
             Boolean.class,
             "use.https.to.upload",
             "true",
-            "Determines the protocol (HTTPS or HTTP) ACS will use to generate links to upload ISOs, volumes, and templates. When set as 'true', ACS will use protocol HTTPS, otherwise, it will use protocol HTTP. Default value is 'true'.",
+            "Controls whether upload links for ISOs, volumes, and templates use HTTPS (true, default) or HTTP (false). After changing this setting, the Secondary Storage VM (SSVM) must be recreated",
             true,
-            ConfigKey.Scope.StoragePool);
+            ConfigKey.Scope.Zone);
 
     /**
      * Creates the database object for a volume based on the given criteria

api/src/main/java/com/cloud/user/AccountService.java

@@ -21,12 +21,13 @@ import java.util.Map;
 
 import com.cloud.utils.Pair;
 import org.apache.cloudstack.acl.ControlledEntity;
+import org.apache.cloudstack.acl.RolePermissionEntity;
 import org.apache.cloudstack.acl.RoleType;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPair;
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPairPermission;
+import org.apache.cloudstack.api.BaseCmd;
 import org.apache.cloudstack.api.command.admin.account.CreateAccountCmd;
-import org.apache.cloudstack.api.command.admin.user.GetUserKeysCmd;
-import org.apache.cloudstack.api.command.admin.user.RegisterCmd;
-import org.apache.cloudstack.api.command.admin.user.UpdateUserCmd;
 
 import com.cloud.dc.DataCenter;
 import com.cloud.domain.Domain;
@@ -35,7 +36,16 @@ import com.cloud.network.vpc.VpcOffering;
 import com.cloud.offering.DiskOffering;
 import com.cloud.offering.NetworkOffering;
 import com.cloud.offering.ServiceOffering;
+import org.apache.cloudstack.api.command.admin.user.DeleteUserKeysCmd;
+import org.apache.cloudstack.api.command.admin.user.GetUserKeysCmd;
+import org.apache.cloudstack.api.command.admin.user.ListUserKeyRulesCmd;
+import org.apache.cloudstack.api.command.admin.user.ListUserKeysCmd;
+import org.apache.cloudstack.api.command.admin.user.RegisterUserKeysCmd;
+import org.apache.cloudstack.api.command.admin.user.UpdateUserCmd;
+import org.apache.cloudstack.api.response.ApiKeyPairResponse;
+import org.apache.cloudstack.api.response.ListResponse;
 import org.apache.cloudstack.auth.UserTwoFactorAuthenticator;
+import org.apache.cloudstack.backup.BackupOffering;
 
 public interface AccountService {
 
@@ -58,7 +68,8 @@ public interface AccountService {
 
     User getSystemUser();
 
-    User createUser(String userName, String password, String firstName, String lastName, String email, String timeZone, String accountName, Long domainId, String userUUID);
+    User createUser(String userName, String password, String firstName, String lastName, String email, String timeZone,
+                    String accountName, Long domainId, String userUUID, boolean isPasswordChangeRequired);
 
     User createUser(String userName, String password, String firstName, String lastName, String email, String timeZone, String accountName, Long domainId, String userUUID,
                     User.Source source);
@@ -95,7 +106,7 @@ public interface AccountService {
 
     void markUserRegistered(long userId);
 
-    public String[] createApiKeyAndSecretKey(RegisterCmd cmd);
+    ApiKeyPair createApiKeyAndSecretKey(RegisterUserKeysCmd cmd);
 
     public String[] createApiKeyAndSecretKey(final long userId);
 
@@ -115,13 +126,19 @@ public interface AccountService {
 
     void checkAccess(Account account, VpcOffering vof, DataCenter zone) throws PermissionDeniedException;
 
+    void checkAccess(Account account, BackupOffering bof) throws PermissionDeniedException;
+
     void checkAccess(User user, ControlledEntity entity);
 
     void checkAccess(Account account, AccessType accessType, boolean sameOwner, String apiName, ControlledEntity... entities) throws PermissionDeniedException;
 
     void validateAccountHasAccessToResource(Account account, AccessType accessType, Object resource);
 
-    Long finalyzeAccountId(String accountName, Long domainId, Long projectId, boolean enabledOnly);
+    void validateCallingUserHasAccessToDesiredUser(Long userId);
+
+    Long finalizeAccountId(String accountName, Long domainId, Long projectId, boolean enabledOnly);
+
+    Long finalizeAccountId(Long accountId, String accountName, Long domainId, Long projectId);
 
     /**
      * returns the user account object for a given user id
@@ -130,9 +147,15 @@ public interface AccountService {
      */
     UserAccount getUserAccountById(Long userId);
 
-    public Pair<Boolean, Map<String, String>> getKeys(GetUserKeysCmd cmd);
+    Pair<Boolean, Map<String, String>> getKeys(GetUserKeysCmd cmd);
 
-    public Pair<Boolean, Map<String, String>> getKeys(Long userId);
+    ListResponse<ApiKeyPairResponse> listKeys(ListUserKeysCmd cmd);
+
+    List<ApiKeyPairPermission> listKeyRules(ListUserKeyRulesCmd cmd);
+
+    void deleteApiKey(DeleteUserKeysCmd cmd);
+
+    void deleteApiKey(ApiKeyPair id);
 
     /**
      * Lists user two-factor authentication provider plugins
@@ -147,4 +170,13 @@ public interface AccountService {
      */
     UserTwoFactorAuthenticator getUserTwoFactorAuthenticationProvider(final Long domainId);
 
+    ApiKeyPair getLatestUserKeyPair(Long userId);
+
+    ApiKeyPair getKeyPairById(Long id);
+
+    ApiKeyPair getKeyPairByApiKey(String apiKey);
+
+    String getAccessingApiKey(BaseCmd cmd);
+
+    List<RolePermissionEntity> getAllKeypairPermissions(String apiKey);
 }

api/src/main/java/com/cloud/user/ApiKeyPairState.java

@@ -0,0 +1,21 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.user;
+
+public enum ApiKeyPairState {
+    ENABLED, REMOVED, EXPIRED
+}

api/src/main/java/com/cloud/user/ResourceLimitService.java

@@ -35,7 +35,7 @@ import org.apache.cloudstack.resourcelimit.Reserver;
 public interface ResourceLimitService {
 
     static final ConfigKey<Long> MaxAccountSecondaryStorage = new ConfigKey<>("Account Defaults", Long.class, "max.account.secondary.storage", "400",
-            "The default maximum secondary storage space (in GiB) that can be used for an account", false);
+            "The default maximum secondary storage space (in GiB) that can be used for an Account", false);
     static final ConfigKey<Long> MaxProjectSecondaryStorage = new ConfigKey<>("Project Defaults", Long.class, "max.project.secondary.storage", "400",
             "The default maximum secondary storage space (in GiB) that can be used for a project", false);
     static final ConfigKey<Long> ResourceCountCheckInterval = new ConfigKey<>("Advanced", Long.class, "resourcecount.check.interval", "300",

api/src/main/java/com/cloud/user/User.java

@@ -65,14 +65,6 @@ public interface User extends OwnedBy, InternalIdentity {
 
     public void setState(Account.State state);
 
-    public String getApiKey();
-
-    public void setApiKey(String apiKey);
-
-    public String getSecretKey();
-
-    public void setSecretKey(String secretKey);
-
     public String getTimezone();
 
     public void setTimezone(String timezone);

api/src/main/java/com/cloud/user/UserAccount.java

@@ -39,10 +39,6 @@ public interface UserAccount extends InternalIdentity {
 
     String getState();
 
-    String getApiKey();
-
-    String getSecretKey();
-
     Date getCreated();
 
     Date getRemoved();

api/src/main/java/com/cloud/vm/Nic.java

@@ -162,4 +162,6 @@ public interface Nic extends Identity, InternalIdentity {
     String getIPv6Address();
 
     Integer getMtu();
+
+    boolean isEnabled();
 }

api/src/main/java/com/cloud/vm/NicProfile.java

@@ -52,6 +52,7 @@ public class NicProfile implements InternalIdentity, Serializable {
     boolean defaultNic;
     Integer networkRate;
     boolean isSecurityGroupEnabled;
+    boolean enabled;
 
     Integer orderIndex;
 
@@ -87,6 +88,7 @@ public class NicProfile implements InternalIdentity, Serializable {
         broadcastType = network.getBroadcastDomainType();
         trafficType = network.getTrafficType();
         format = nic.getAddressFormat();
+        enabled = nic.isEnabled();
 
         iPv4Address = nic.getIPv4Address();
         iPv4Netmask = nic.getIPv4Netmask();
@@ -414,6 +416,14 @@ public class NicProfile implements InternalIdentity, Serializable {
         this.ipv4AllocationRaceCheck = ipv4AllocationRaceCheck;
     }
 
+    public boolean isEnabled() {
+        return enabled;
+    }
+
+    public void setEnabled(boolean enabled) {
+        this.enabled = enabled;
+    }
+
     //
     // OTHER METHODS
     //

api/src/main/java/com/cloud/vm/UserVmService.java

@@ -40,6 +40,7 @@ import org.apache.cloudstack.api.command.user.vm.ScaleVMCmd;
 import org.apache.cloudstack.api.command.user.vm.StartVMCmd;
 import org.apache.cloudstack.api.command.user.vm.UpdateDefaultNicForVMCmd;
 import org.apache.cloudstack.api.command.user.vm.UpdateVMCmd;
+import org.apache.cloudstack.api.command.user.vm.UpdateVmNicCmd;
 import org.apache.cloudstack.api.command.user.vm.UpdateVmNicIpCmd;
 import org.apache.cloudstack.api.command.user.vm.UpgradeVMCmd;
 import org.apache.cloudstack.api.command.user.vmgroup.CreateVMGroupCmd;
@@ -152,6 +153,8 @@ public interface UserVmService {
      */
     UserVm updateNicIpForVirtualMachine(UpdateVmNicIpCmd cmd);
 
+    UserVm updateVirtualMachineNic(UpdateVmNicCmd cmd);
+
     UserVm recoverVirtualMachine(RecoverVMCmd cmd) throws ResourceAllocationException;
 
     /**
@@ -524,6 +527,7 @@ public interface UserVmService {
      * @param userId user ID
      * @param serviceOffering service offering for the imported VM
      * @param sshPublicKey ssh key for the imported VM
+     * @param guestOsId guest OS ID for the imported VM (if not passed, then the guest OS of the template will be used)
      * @param hostName the name for the imported VM
      * @param hypervisorType hypervisor type for the imported VM
      * @param customParameters details for the imported VM
@@ -533,7 +537,7 @@ public interface UserVmService {
      * @throws InsufficientCapacityException in case of errors
      */
     UserVm importVM(final DataCenter zone, final Host host, final VirtualMachineTemplate template, final String instanceNameInternal, final String displayName, final Account owner, final String userData, final Account caller, final Boolean isDisplayVm, final String keyboard,
-                    final long accountId, final long userId, final ServiceOffering serviceOffering, final String sshPublicKey,
+                    final long accountId, final long userId, final ServiceOffering serviceOffering, final String sshPublicKey, final Long guestOsId,
                     final String hostName, final HypervisorType hypervisorType, final Map<String, String> customParameters,
                     final VirtualMachine.PowerState powerState, final LinkedHashMap<String, List<NicProfile>> networkNicMap) throws InsufficientCapacityException;
 

api/src/main/java/com/cloud/vm/VirtualMachine.java

@@ -124,6 +124,9 @@ public interface VirtualMachine extends RunningOn, ControlledEntity, Partition,
             s_fsm.addTransition(new Transition<State, Event>(State.Stopping, VirtualMachine.Event.StopRequested, State.Stopping, null));
             s_fsm.addTransition(new Transition<State, Event>(State.Stopping, VirtualMachine.Event.AgentReportShutdowned, State.Stopped, Arrays.asList(new Impact[]{Impact.USAGE})));
             s_fsm.addTransition(new Transition<State, Event>(State.Expunging, VirtualMachine.Event.OperationFailed, State.Expunging,null));
+            // Note: In addition to the Stopped -> Error transition for failed VM creation,
+            // a VM can also transition from Expunging to Error on OperationFailedToError.
+            s_fsm.addTransition(new Transition<State, Event>(State.Expunging, VirtualMachine.Event.OperationFailedToError, State.Error, null));
             s_fsm.addTransition(new Transition<State, Event>(State.Expunging, VirtualMachine.Event.ExpungeOperation, State.Expunging,null));
             s_fsm.addTransition(new Transition<State, Event>(State.Error, VirtualMachine.Event.DestroyRequested, State.Expunging, null));
             s_fsm.addTransition(new Transition<State, Event>(State.Error, VirtualMachine.Event.ExpungeOperation, State.Expunging, null));

api/src/main/java/com/cloud/vm/VmDetailConstants.java

@@ -55,6 +55,9 @@ public interface VmDetailConstants {
     String NIC_MULTIQUEUE_NUMBER = "nic.multiqueue.number";
     String NIC_PACKED_VIRTQUEUES_ENABLED = "nic.packed.virtqueues.enabled";
 
+    // KVM specific, disk controllers
+    String KVM_SKIP_FORCE_DISK_CONTROLLER = "skip.force.disk.controller";
+
     // Mac OSX guest specific (internal)
     String SMC_PRESENT = "smc.present";
     String FIRMWARE = "firmware";
@@ -93,6 +96,7 @@ public interface VmDetailConstants {
     String CKS_NODE_TYPE = "node";
     String OFFERING = "offering";
     String TEMPLATE = "template";
+    String AFFINITY_GROUP = "affinitygroup";
 
     // VMware to KVM VM migrations specific
     String VMWARE_TO_KVM_PREFIX = "vmware-to-kvm";

api/src/main/java/com/cloud/vm/snapshot/VMSnapshot.java

@@ -29,10 +29,10 @@ import com.cloud.utils.fsm.StateObject;
 public interface VMSnapshot extends ControlledEntity, Identity, InternalIdentity, StateObject<VMSnapshot.State> {
 
     enum State {
-        Allocated("The VM snapshot is allocated but has not been created yet."), Creating("The VM snapshot is being created."), Ready(
-                "The VM snapshot is ready to be used."), Reverting("The VM snapshot is being used to revert"), Expunging("The volume is being expunging"), Removed(
+        Allocated("The Instance Snapshot is allocated but has not been created yet."), Creating("The Instance Snapshot is being created."), Ready(
+                "The Instance Snapshot is ready to be used."), Reverting("The Instance Snapshot is being used to revert"), Expunging("The volume is being expunging"), Removed(
                 "The volume is destroyed, and can't be recovered."), Error("The volume is in error state, and can't be recovered"),
-        Hidden("The VM snapshot is hidden from the user and cannot be recovered.");
+        Hidden("The Instance snapshot is hidden from the user and cannot be recovered.");
 
         String _description;
 

api/src/main/java/org/apache/cloudstack/acl/APIChecker.java

@@ -20,6 +20,7 @@ import com.cloud.exception.PermissionDeniedException;
 import com.cloud.user.Account;
 import com.cloud.user.User;
 import com.cloud.utils.component.Adapter;
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPairPermission;
 
 import java.util.List;
 
@@ -31,8 +32,8 @@ public interface APIChecker extends Adapter {
     // If true, apiChecker has checked the operation
     // If false, apiChecker is unable to handle the operation or not implemented
     // On exception, checkAccess failed don't allow
-    boolean checkAccess(User user, String apiCommandName) throws PermissionDeniedException;
-    boolean checkAccess(Account account, String apiCommandName) throws PermissionDeniedException;
+    boolean checkAccess(User user, String apiCommandName, ApiKeyPairPermission... apiKeyPairPermissions) throws PermissionDeniedException;
+    boolean checkAccess(Account account, String apiCommandName, ApiKeyPairPermission... apiKeyPairPermissions) throws PermissionDeniedException;
     /**
      * Verifies if the account has permission for the given list of APIs and returns only the allowed ones.
      *
@@ -43,4 +44,5 @@ public interface APIChecker extends Adapter {
      */
     List<String> getApisAllowedToUser(Role role, User user, List<String> apiNames) throws PermissionDeniedException;
     boolean isEnabled();
+    List<RolePermissionEntity> getImplicitRolePermissions(RoleType roleType);
 }

api/src/main/java/org/apache/cloudstack/acl/RolePermissionEntity.java

@@ -21,7 +21,7 @@ import org.apache.cloudstack.api.Identity;
 import org.apache.cloudstack.api.InternalIdentity;
 
 public interface RolePermissionEntity extends InternalIdentity, Identity {
-    public enum Permission {
+    enum Permission {
         ALLOW, DENY
     }
     Rule getRule();

api/src/main/java/org/apache/cloudstack/acl/RoleService.java

@@ -104,5 +104,26 @@ public interface RoleService {
 
     List<RolePermission> findAllPermissionsBy(Long roleId);
 
+    List<RolePermissionEntity> findAllRolePermissionsEntityBy(Long roleId, boolean considerImplicitRules);
+
     Permission getRolePermission(String permission);
+
+    int removeRolesIfNeeded(List<? extends Role> roles);
+
+    /**
+     * Checks if the role of the caller account has compatible permissions of the specified role permissions.
+     * For each permission of the {@param rolePermissionsToAccess}, the role of the caller needs to contain the same permission.
+     *
+     * @param rolePermissions the permissions of the caller role.
+     * @param rolePermissionsToAccess the permissions for the role that the caller role wants to access.
+     * @return True if the role can be accessed with the given permissions; false otherwise.
+     */
+    boolean roleHasPermission(Map<String, RolePermissionEntity> rolePermissions, List<RolePermissionEntity> rolePermissionsToAccess);
+
+    /**
+     * Given a list of role permissions, returns a {@link Map} containing the API name as the key and the {@link RolePermissionEntity} for the API as the value.
+     *
+     * @param rolePermissions Permissions for the role from role.
+     */
+    Map<String, RolePermissionEntity> getRoleRulesAndPermissions(List<RolePermissionEntity> rolePermissions);
 }

api/src/main/java/org/apache/cloudstack/acl/RoleType.java

@@ -132,10 +132,10 @@ public enum RoleType {
      * */
     public static Account.Type getAccountTypeByRole(final Role role, final Account.Type defautAccountType) {
         if (role != null) {
-            LOGGER.debug(String.format("Role [%s] is not null; therefore, we use its account type [%s].", role, defautAccountType));
+            LOGGER.debug("Role [{}] is not null; therefore, we use its Account type [{}].", role, defautAccountType);
             return role.getRoleType().getAccountType();
         }
-        LOGGER.debug(String.format("Role is null; therefore, we use the default account type [%s] value.", defautAccountType));
+        LOGGER.debug("Role is null; therefore, we use the default Account type [{}] value.", defautAccountType);
         return defautAccountType;
     }
 }

api/src/main/java/org/apache/cloudstack/acl/Rule.java

@@ -25,16 +25,18 @@ import org.apache.commons.lang3.StringUtils;
 
 public final class Rule {
     private final String rule;
+    private final Pattern matchingPattern;
     private final static Pattern ALLOWED_PATTERN = Pattern.compile("^[a-zA-Z0-9*]+$");
 
     public Rule(final String rule) {
         validate(rule);
         this.rule = rule;
+        matchingPattern = Pattern.compile(rule.toLowerCase().replace("*", "(\\w*\\*?)+"));
     }
 
     public boolean matches(final String commandName) {
-        return StringUtils.isNotEmpty(commandName)
-                && commandName.toLowerCase().matches(rule.toLowerCase().replace("*", "\\w*"));
+        return StringUtils.isNotEmpty(commandName) &&
+                matchingPattern.matcher(commandName.toLowerCase()).matches();
     }
 
     public String getRuleString() {

api/src/main/java/org/apache/cloudstack/acl/SecurityChecker.java

@@ -27,6 +27,8 @@ import com.cloud.user.Account;
 import com.cloud.user.User;
 import com.cloud.utils.component.Adapter;
 
+import org.apache.cloudstack.backup.BackupOffering;
+
 /**
  * SecurityChecker checks the ownership and access control to objects within
  */
@@ -145,4 +147,6 @@ public interface SecurityChecker extends Adapter {
     boolean checkAccess(Account account, NetworkOffering nof, DataCenter zone) throws PermissionDeniedException;
 
     boolean checkAccess(Account account, VpcOffering vof, DataCenter zone) throws PermissionDeniedException;
+
+    boolean checkAccess(Account account, BackupOffering bof) throws PermissionDeniedException;
 }

api/src/main/java/org/apache/cloudstack/acl/apikeypair/ApiKeyPair.java

@@ -0,0 +1,38 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl.apikeypair;
+
+import org.apache.cloudstack.acl.ControlledEntity;
+import org.apache.cloudstack.api.Identity;
+import org.apache.cloudstack.api.InternalIdentity;
+
+import java.util.Date;
+
+public interface ApiKeyPair extends ControlledEntity, InternalIdentity, Identity {
+    Long getUserId();
+    Date getStartDate();
+    Date getEndDate();
+    Date getCreated();
+    String getDescription();
+    String getApiKey();
+    String getSecretKey();
+    String getName();
+    Date getRemoved();
+    void setRemoved(Date date);
+    void validateDate();
+    boolean hasEndDatePassed();
+}

api/src/main/java/org/apache/cloudstack/acl/apikeypair/ApiKeyPairPermission.java

@@ -0,0 +1,23 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl.apikeypair;
+
+import org.apache.cloudstack.acl.RolePermissionEntity;
+
+public interface ApiKeyPairPermission extends RolePermissionEntity {
+    long getApiKeyPairId();
+}

api/src/main/java/org/apache/cloudstack/acl/apikeypair/ApiKeyPairService.java

@@ -0,0 +1,27 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl.apikeypair;
+
+import java.util.List;
+
+public interface ApiKeyPairService {
+    List<ApiKeyPairPermission> findAllPermissionsByKeyPairId(Long apiKeyPairId, Long roleId);
+
+    ApiKeyPair findByApiKey(String apiKey);
+
+    ApiKeyPair findById(Long id);
+}

api/src/main/java/org/apache/cloudstack/affinity/AffinityGroupResponse.java

@@ -34,27 +34,27 @@ import com.cloud.serializer.Param;
 public class AffinityGroupResponse extends BaseResponse implements ControlledViewEntityResponse {
 
     @SerializedName(ApiConstants.ID)
-    @Param(description = "the ID of the affinity group")
+    @Param(description = "The ID of the affinity group")
     private String id;
 
     @SerializedName(ApiConstants.NAME)
-    @Param(description = "the name of the affinity group")
+    @Param(description = "The name of the affinity group")
     private String name;
 
     @SerializedName(ApiConstants.DESCRIPTION)
-    @Param(description = "the description of the affinity group")
+    @Param(description = "The description of the affinity group")
     private String description;
 
     @SerializedName(ApiConstants.ACCOUNT)
-    @Param(description = "the account owning the affinity group")
+    @Param(description = "The account owning the affinity group")
     private String accountName;
 
     @SerializedName(ApiConstants.DOMAIN_ID)
-    @Param(description = "the domain ID of the affinity group")
+    @Param(description = "The domain ID of the affinity group")
     private String domainId;
 
     @SerializedName(ApiConstants.DOMAIN)
-    @Param(description = "the domain name of the affinity group")
+    @Param(description = "The domain name of the affinity group")
     private String domainName;
 
     @SerializedName(ApiConstants.DOMAIN_PATH)
@@ -62,19 +62,19 @@ public class AffinityGroupResponse extends BaseResponse implements ControlledVie
     private String domainPath;
 
     @SerializedName(ApiConstants.PROJECT_ID)
-    @Param(description = "the project ID of the affinity group")
+    @Param(description = "The project ID of the affinity group")
     private String projectId;
 
     @SerializedName(ApiConstants.PROJECT)
-    @Param(description = "the project name of the affinity group")
+    @Param(description = "The project name of the affinity group")
     private String projectName;
 
     @SerializedName(ApiConstants.TYPE)
-    @Param(description = "the type of the affinity group")
+    @Param(description = "The type of the affinity group")
     private String type;
 
     @SerializedName("virtualmachineIds")
-    @Param(description = "virtual machine IDs associated with this affinity group")
+    @Param(description = "Instance IDs associated with this affinity group")
     private List<String> vmIdList;
 
     @SerializedName("dedicatedresources")

api/src/main/java/org/apache/cloudstack/affinity/AffinityGroupService.java

@@ -66,5 +66,4 @@ public interface AffinityGroupService {
 
     boolean isAffinityGroupAvailableInDomain(long affinityGroupId, long domainId);
 
-
 }

api/src/main/java/org/apache/cloudstack/affinity/AffinityGroupTypeResponse.java

@@ -29,7 +29,7 @@ import com.cloud.serializer.Param;
 public class AffinityGroupTypeResponse extends BaseResponse {
 
     @SerializedName(ApiConstants.TYPE)
-    @Param(description = "the type of the affinity group")
+    @Param(description = "The type of the affinity group")
     private String type;
 
     public AffinityGroupTypeResponse() {