Hi Matthew, In your case, does the user to whom the VM belongs have access to the network you are trying to add to the VM? I tried it in a test environment, and it works fine when the user has access to the network (e.g., the user owns the network). But it fails when the user doesn't have access to the network.
Below is an example. First I tried to add a user-owned network as the domain admin. It worked. Then I tried adding a domain-admin-owned network to the VM. It failed. But the same operation worked once I added the proper network permissions. (sblab) 🐌 > list networks id=4caccd89-9479-4c57-bef2-b8bdd3a99229 { "count": 1, "network": [ { "account": "ACSUser", "acltype": "Account", "broadcastdomaintype": "Vlan", "canusefordeploy": true, "cidr": "10.1.1.0/24", "created": "2022-09-01T06:55:10+0000", "displaytext": "user-iso1", "dns1": "10.0.32.1", "dns2": "8.8.8.8", "domain": "ROOT", "domainid": "65609c23-2826-11ed-bf3a-1e00750002ea", "egressdefaultpolicy": false, "gateway": "10.1.1.1", "hasannotations": false, "id": "4caccd89-9479-4c57-bef2-b8bdd3a99229", "ispersistent": false, "issystem": false, "name": "user-iso1", "netmask": "255.255.255.0", "networkdomain": "cs4cloud.internal", "networkofferingavailability": "Required", "networkofferingconservemode": true, ... } (sblab) 🐘 > list networks id=54b35a12-0947-4897-ab3b-10059c3e1398 { "count": 1, "network": [ { "account": "ACSUser", "acltype": "Account", "broadcastdomaintype": "Vlan", "canusefordeploy": true, "created": "2022-09-01T06:55:37+0000", "displaytext": "user-l2", "dns1": "10.0.32.1", "dns2": "8.8.8.8", "domain": "ROOT", "domainid": "65609c23-2826-11ed-bf3a-1e00750002ea", "hasannotations": false, "id": "54b35a12-0947-4897-ab3b-10059c3e1398", "ispersistent": false, "issystem": false, "name": "user-l2", "networkofferingavailability": "Optional", "networkofferingconservemode": true, "networkofferingdisplaytext": "Offering for L2 networks", "networkofferingid": "c872ab72-5849-4bb5-8cd9-0fa346c895ab", "networkofferingname": "DefaultL2NetworkOffering", "physicalnetworkid": "e7721ec6-797d-4c45-a790-65cb0a333501", "receivedbytes": 0, "redundantrouter": false, "related": "54b35a12-0947-4897-ab3b-10059c3e1398", "restartrequired": false, "sentbytes": 0, "service": [], "specifyipranges": false, "state": "Implemented", 
"strechedl2subnet": false, "tags": [], "traffictype": "Guest", "type": "L2", "zoneid": "fce252b8-5075-4077-80c0-4f027fea354d", "zonename": "ref-trl-3557-v-M7-abhishek-kumar" } ] } (sblab) 🐷 > deploy virtualmachine zoneid=fce252b8-5075-4077-80c0-4f027fea354d serviceofferingid=3ed0124f-7064-4680-82da-80204d3a3ddb templateid=feb21788-29be-4fb0-8618-ec0f50921838 networkids=4caccd89-9479-4c57-bef2-b8bdd3a99229 { "virtualmachine": { "account": "ACSUser", "affinitygroup": [], "cpunumber": 1, "cpuspeed": 500, "created": "2022-09-01T07:12:40+0000", "details": { "dataDiskController": "osdefault", "rootDiskController": "osdefault" }, "displayname": "VM-b7ec5047-9d02-42b2-91d0-bfd3e4f1e410", "domain": "ROOT", "domainid": "65609c23-2826-11ed-bf3a-1e00750002ea", "guestosid": "6582ae97-2826-11ed-bf3a-1e00750002ea", "haenable": false, "hasannotations": false, "hypervisor": "VMware", "id": "b7ec5047-9d02-42b2-91d0-bfd3e4f1e410", "isdynamicallyscalable": false, "jobid": "448d9d04-bc0b-4576-94a9-5ece301b52e5", "jobstatus": 0, "lastupdated": "2022-09-01T07:12:49+0000", "memory": 512, "name": "VM-b7ec5047-9d02-42b2-91d0-bfd3e4f1e410", "nic": [ { "broadcasturi": "vlan://2227", "deviceid": "0", "extradhcpoption": [], "gateway": "10.1.1.1", "id": "b1811c73-ec60-4c50-91c3-0b562c496284", "ipaddress": "10.1.1.227", "isdefault": true, "isolationuri": "vlan://2227", "macaddress": "02:00:18:83:00:04", "netmask": "255.255.255.0", "networkid": "4caccd89-9479-4c57-bef2-b8bdd3a99229", "networkname": "user-iso1", "secondaryip": [], "traffictype": "Guest", "type": "Isolated" } ], ... 
"userid": "96793627-9833-4012-9247-fc8761330e96", "username": "user", "zoneid": "fce252b8-5075-4077-80c0-4f027fea354d", "zonename": "ref-trl-3557-v-M7-abhishek-kumar" } } (sblab) 🍀 > set username domadmin (sblab) 🐒 > sync Discovered 328 APIs (sblab) 🐹 > add nictovirtualmachine virtualmachineid=b7ec5047-9d02-42b2-91d0-bfd3e4f1e410 networkid=54b35a12-0947-4897-ab3b-10059c3e1398 { "virtualmachine": { "account": "ACSUser", "affinitygroup": [], "created": "2022-09-01T07:12:40+0000", "details": { "dataDiskController": "osdefault", "rootDiskController": "osdefault" }, "displayname": "VM-b7ec5047-9d02-42b2-91d0-bfd3e4f1e410", "domain": "ROOT", "domainid": "65609c23-2826-11ed-bf3a-1e00750002ea", "guestosid": "6582ae97-2826-11ed-bf3a-1e00750002ea", "haenable": false, "hasannotations": false, "hypervisor": "VMware", "id": "b7ec5047-9d02-42b2-91d0-bfd3e4f1e410", "isdynamicallyscalable": false, "jobid": "3a286118-843a-4a92-b0cc-8bdc4ecd334f", "jobstatus": 0, "lastupdated": "2022-09-01T07:12:49+0000", "name": "VM-b7ec5047-9d02-42b2-91d0-bfd3e4f1e410", "nic": [ { "broadcasturi": "vlan://2240", "deviceid": "1", "extradhcpoption": [], "id": "9d79cb1e-2c6e-4c2f-9e08-1a1e1870c23c", "isdefault": false, "isolationuri": "vlan://2240", "macaddress": "02:00:7e:eb:00:02", "networkid": "54b35a12-0947-4897-ab3b-10059c3e1398", "networkname": "user-l2", "secondaryip": [], "traffictype": "Guest", "type": "L2" }, { "broadcasturi": "vlan://2227", "deviceid": "0", "extradhcpoption": [], "gateway": "10.1.1.1", "id": "b1811c73-ec60-4c50-91c3-0b562c496284", "ipaddress": "10.1.1.227", "isdefault": true, "isolationuri": "vlan://2227", "macaddress": "02:00:18:83:00:04", "netmask": "255.255.255.0", "networkid": "4caccd89-9479-4c57-bef2-b8bdd3a99229", "networkname": "user-iso1", "secondaryip": [], "traffictype": "Guest", "type": "Isolated" } ], ... 
} } (sblab) 🦇 > add nictovirtualmachine virtualmachineid=b7ec5047-9d02-42b2-91d0-bfd3e4f1e410 networkid=79bda62e-5b08-434c-846c-8db806482da9 { "accountid": "e879dc18-4adb-42d8-bcc6-8bda00ba93f6", "cmd": "org.apache.cloudstack.api.command.user.vm.AddNicToVMCmd", "completed": "2022-09-01T07:13:50+0000", "created": "2022-09-01T07:13:50+0000", "jobid": "03a994d6-f001-46c8-9c37-22ae9ccede2a", "jobinstanceid": "b7ec5047-9d02-42b2-91d0-bfd3e4f1e410", "jobinstancetype": "VirtualMachine", "jobprocstatus": 0, "jobresult": { "errorcode": 530, "errortext": "Unable to use network with id= 79bda62e-5b08-434c-846c-8db806482da9, permission denied" }, "jobresultcode": 530, "jobresulttype": "object", "jobstatus": 2, "userid": "4628e888-55b0-4230-b0be-679fe2374e7a" } 🙈 Error: async API failed for job 03a994d6-f001-46c8-9c37-22ae9ccede2a (sblab) 🐀 > create networkpermissions networkid=79bda62e-5b08-434c-846c-8db806482da9 accountids=9e5e5c6d-74d4-4df6-a4ad-0e575d3a2298 { "success": true } (sblab) 🐟 > add nictovirtualmachine virtualmachineid=b7ec5047-9d02-42b2-91d0-bfd3e4f1e410 networkid=79bda62e-5b08-434c-846c-8db806482da9 { "virtualmachine": { "account": "ACSUser", "affinitygroup": [], "created": "2022-09-01T07:12:40+0000", "details": { "dataDiskController": "osdefault", "rootDiskController": "osdefault" }, "displayname": "VM-b7ec5047-9d02-42b2-91d0-bfd3e4f1e410", "domain": "ROOT", "domainid": "65609c23-2826-11ed-bf3a-1e00750002ea", "guestosid": "6582ae97-2826-11ed-bf3a-1e00750002ea", "haenable": false, "hasannotations": false, "hypervisor": "VMware", "id": "b7ec5047-9d02-42b2-91d0-bfd3e4f1e410", "isdynamicallyscalable": false, "jobid": "bcf0f01b-b55d-42d3-9535-056315e5608c", "jobstatus": 0, "lastupdated": "2022-09-01T07:12:49+0000", "name": "VM-b7ec5047-9d02-42b2-91d0-bfd3e4f1e410", "nic": [ { "broadcasturi": "vlan://2240", "deviceid": "1", "extradhcpoption": [], "id": "9d79cb1e-2c6e-4c2f-9e08-1a1e1870c23c", "isdefault": false, "isolationuri": "vlan://2240", "macaddress": 
"02:00:7e:eb:00:02", "networkid": "54b35a12-0947-4897-ab3b-10059c3e1398", "networkname": "user-l2", "secondaryip": [], "traffictype": "Guest", "type": "L2" }, { "broadcasturi": "vlan://2231", "deviceid": "2", "extradhcpoption": [], "id": "c8635505-33f4-44ac-ab42-d3dc698c4da2", "isdefault": false, "isolationuri": "vlan://2231", "macaddress": "02:00:15:b4:00:01", "networkid": "79bda62e-5b08-434c-846c-8db806482da9", "networkname": "dom-l2", "secondaryip": [], "traffictype": "Guest", "type": "L2" }, { "broadcasturi": "vlan://2227", "deviceid": "0", "extradhcpoption": [], "gateway": "10.1.1.1", "id": "b1811c73-ec60-4c50-91c3-0b562c496284", "ipaddress": "10.1.1.227", "isdefault": true, "isolationuri": "vlan://2227", "macaddress": "02:00:18:83:00:04", "netmask": "255.255.255.0", "networkid": "4caccd89-9479-4c57-bef2-b8bdd3a99229", "networkname": "user-iso1", "secondaryip": [], "traffictype": "Guest", "type": "Isolated" } ], ... } } Regards, Abhishek ________________________________ From: Matthew Smart <msm...@smartsoftwareinc.com> Sent: 01 September 2022 05:02 To: users@cloudstack.apache.org <users@cloudstack.apache.org> Subject: Permission Denied when trying to add nictovirtualmachine as Domain Admin All, I am having an issue trying to add a nic to an existing virtual machine. This seems very similar to issue 6590 https://github.com/apache/cloudstack/issues/6590 . The error is the same if I try it from the UI or cloudmonkey: Error 530, Unable to use network with id= 53e901ca-d9ac-40b6-bfe2-8bc7b581c8f2, permission denied It doesn't matter which network or which VM I use. I do not have any projects defined. Any ideas? 
Api log: 2022-08-31 18:28:00,903 INFO [a.c.c.a.ApiServlet] (qtp1750498848-285:ctx-e1ff1e99 ctx-7d49ea3e ctx-ac87c2e4) (logid:a0a5f800) (userId=2 accountId=2 sessionId=null) 0:0:0:0:0:0:0:1 -- GET signatureversion=3&apiKey=eHyz1TC3ZcmUd2mHc60UZU_KMO17QTXrG5a84vn0tYwbVvr7AtKLil8O0egC2UUBVPh1nD_QbQG_4zCV-Jeg_A&expires=2022-08-31T23%3A38%3A00%2B0000&jobid=85620fa4-c3ee-4b55-a220-2b2efbfc8240&command=queryAsyncJobResult&signature=DVfJ3fAUm9fTkGpJnZIPqqVTiuM%3D&response=json 200 {"queryasyncjobresultresponse":{"accountid":"4881765b-737e-11e6-af31-a4badb303ab0","userid":"488183c2-737e-11e6-af31-a4badb303ab0","cmd":"org.apache.cloudstack.api.command.admin.vm.AddNicToVMCmdByAdmin","jobstatus":2,"jobprocstatus":0,"jobresultcode":530,"jobresulttype":"object","jobresult":{"errorcode":530,"errortext":"Unable to use network with id= 53e901ca-d9ac-40b6-bfe2-8bc7b581c8f2, permission denied"},"jobinstancetype":"VirtualMachine","jobinstanceid":"a13626c9-209f-4d63-b1ae-624e77863d68","created":"2022-08-31T18:27:58-0500","completed":"2022-08-31T18:27:58-0500","jobid":"85620fa4-c3ee-4b55-a220-2b2efbfc8240"}} Management log: 2022-08-31 18:27:58,876 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl] (API-Job-Executor-2:ctx-90af3c61 job-25273) (logid:85620fa4) Executing AsyncJobVO: {id:25273, userId: 2, accountId: 2, instanceType: VirtualMachine, instanceId: 22, cmd: org.apache.cloudstack.api.command.admin.vm.AddNicToVMCmdByAdmin, cmdInfo: {"expires":"2022-08-31T23:37:58+0000","apiKey":"eHyz1TC3ZcmUd2mHc60UZU_KMO17QTXrG5a84vn0tYwbVvr7AtKLil8O0egC2UUBVPh1nD_QbQG_4zCV-Jeg_A","signature":"G5byvIP9InHK1s301Dir4KAUYnM\u003d","httpmethod":"GET","ctxAccountId":"2","cmdEventType":"NIC.CREATE","signatureversion":"3","virtualmachineid":"a13626c9-209f-4d63-b1ae-624e77863d68","response":"json","ctxUserId":"2","networkid":"53e901ca-d9ac-40b6-bfe2-8bc7b581c8f2","ctxStartEventId":"314819","ctxDetails":"{\"interface com.cloud.vm.VirtualMachine\":\"a13626c9-209f-4d63-b1ae-624e77863d68\",\"interface 
com.cloud.network.Network\":\"53e901ca-d9ac-40b6-bfe2-8bc7b581c8f2\"}"}, cmdVersion: 0, status: IN_PROGRESS, processStatus: 0, resultCode: 0, result: null, initMsid: 181122448243502, completeMsid: null, lastUpdated: null, lastPolled: null, created: null, removed: null} 2022-08-31 18:27:58,899 ERROR [c.c.a.ApiAsyncJobDispatcher] (API-Job-Executor-2:ctx-90af3c61 job-25273) (logid:85620fa4) Unexpected exception while executing org.apache.cloudstack.api.command.admin.vm.AddNicToVMCmdByAdmin com.cloud.exception.PermissionDeniedException: Unable to use network with id= 53e901ca-d9ac-40b6-bfe2-8bc7b581c8f2, permission denied at com.cloud.network.NetworkModelImpl.checkNetworkPermissions(NetworkModelImpl.java:1681) at com.cloud.vm.UserVmManagerImpl.addNicToVirtualMachine(UserVmManagerImpl.java:1323) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.base/java.lang.reflect.Method.invoke(Method.java:566) at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:344) at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:198) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) at org.apache.cloudstack.network.contrail.management.EventUtils$EventInterceptor.invoke(EventUtils.java:107) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:175) at com.cloud.event.ActionEventInterceptor.invoke(ActionEventInterceptor.java:52) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:175) at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:97) at 
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:215) at com.sun.proxy.$Proxy128.addNicToVirtualMachine(Unknown Source) at org.apache.cloudstack.api.command.user.vm.AddNicToVMCmd.execute(AddNicToVMCmd.java:173) at com.cloud.api.ApiDispatcher.dispatch(ApiDispatcher.java:163) at com.cloud.api.ApiAsyncJobDispatcher.runJob(ApiAsyncJobDispatcher.java:106) at org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl$5.runInContext(AsyncJobManagerImpl.java:620) at org.apache.cloudstack.managed.context.ManagedContextRunnable$1.run(ManagedContextRunnable.java:48) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext$1.call(DefaultManagedContext.java:55) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.callWithContext(DefaultManagedContext.java:102) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.runWithContext(DefaultManagedContext.java:52) at org.apache.cloudstack.managed.context.ManagedContextRunnable.run(ManagedContextRunnable.java:45) at org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl$5.run(AsyncJobManagerImpl.java:568) at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515) at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) at java.base/java.lang.Thread.run(Thread.java:829) 2022-08-31 18:27:58,902 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl] (API-Job-Executor-2:ctx-90af3c61 job-25273) (logid:85620fa4) Complete async job-25273, jobStatus: FAILED, resultCode: 530, result: org.apache.cloudstack.api.response.ExceptionResponse/null/{"uuidList":[],"errorcode":"530","errortext":"Unable to use network with id= 
53e901ca-d9ac-40b6-bfe2-8bc7b581c8f2, permission denied"} -- Matthew Smart President Smart Software Solutions Inc. 108 S Pierre St. Pierre, SD 57501 Phone: (605) 280-0383 Skype: msmart13 Email:msm...@smartsoftwareinc.com