Fix validation for password enabled VMs

João Jandre · JoaoJandre · commit 1cefa7883476 · 2026-05-11T16:03:05.000-03:00
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/user/backup/CreateBackupOfferingCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/user/backup/CreateBackupOfferingCmd.java
@@ -143,7 +143,7 @@ public String getValidationSteps() {
                 sb.append(",");
             } catch (IllegalArgumentException ex) {
                 logger.error("Invalid validation step informed [{}].", step, ex);
-                throw new InvalidParameterValueException(String.format("Invalid validation step [%s] informed. Accepted values are: wait_for_boot, screenshot and script.", step));
+                throw new InvalidParameterValueException(String.format("Invalid validation step [%s] informed. Accepted values are: wait_for_boot, screenshot and execute_command.", step));
             }
         }
         sb.deleteCharAt(sb.lastIndexOf(","));
diff --git a/engine/schema/src/main/java/com/cloud/network/dao/NetworkDao.java b/engine/schema/src/main/java/com/cloud/network/dao/NetworkDao.java
@@ -136,5 +136,5 @@ public interface NetworkDao extends GenericDao<NetworkVO, Long>, StateDao<State,
 
     List<NetworkVO> getAllPersistentNetworksFromZone(long dataCenterId);
 
-    NetworkVO findByZoneIdAndAccountIdAndGuestType(long zoneId, long accountId, GuestType guestType);
+    NetworkVO findByZoneIdAndAccountIdAndGuestTypeAndName(long zoneId, long accountId, GuestType guestType, String name);
 }
diff --git a/engine/schema/src/main/java/com/cloud/network/dao/NetworkDaoImpl.java b/engine/schema/src/main/java/com/cloud/network/dao/NetworkDaoImpl.java
@@ -910,12 +910,13 @@ public List<NetworkVO> listByPhysicalNetworkPvlan(long physicalNetworkId, String
     }
 
     @Override
-    public NetworkVO findByZoneIdAndAccountIdAndGuestType(long zoneId, long accountId, GuestType guestType) {
+    public NetworkVO findByZoneIdAndAccountIdAndGuestTypeAndName(long zoneId, long accountId, GuestType guestType, String name) {
         SearchCriteria<NetworkVO> sc = AllFieldsSearch.create();
 
         sc.setParameters("datacenter", zoneId);
         sc.setParameters("account", accountId);
         sc.setParameters("guestType", guestType);
+        sc.setParameters("name", name);
 
         return findOneBy(sc);
     }
diff --git a/plugins/backup/kboss/src/main/java/org/apache/cloudstack/backup/KbossBackupProvider.java b/plugins/backup/kboss/src/main/java/org/apache/cloudstack/backup/KbossBackupProvider.java
@@ -1175,19 +1175,18 @@ protected boolean validateWithHash(long backupId, BackupVO backupVO, BackupDetai
     }
 
     protected boolean validateWithValidationVm(long backupId, long hostId, BackupVO backupVO) {
-        UserVmVO validationVm;
-        validationVm = allocateValidationVm(backupId, backupVO);
-        if (validationVm == null) {
-            return false;
-        }
-
-        HostVO hostVo = hostDao.findById(hostId);
-
-        List<VolumeObjectTO> volumeToList = new ArrayList<>();
         boolean startedVm = false;
-        VirtualMachineTO vmTO = null;
-        List<VolumeVO> volumeVOs = volumeDao.findByInstance(validationVm.getId());
+        UserVmVO validationVm = null;
+        List<VolumeVO> volumeVOs = List.of();
         try {
+            validationVm = allocateValidationVm(backupId, backupVO);
+            if (validationVm == null) {
+                return false;
+            }
+
+            HostVO hostVo = hostDao.findById(hostId);
+            List<VolumeObjectTO> volumeToList = new ArrayList<>();
+            volumeVOs = volumeDao.findByInstance(validationVm.getId());
             createValidationVolumesOnPrimaryStorage(volumeVOs, validationVm, backupVO, hostVo, volumeToList);
 
             List<InternalBackupDataStoreVO> backupDeltas = internalBackupDataStoreDao.listByBackupId(backupId);
@@ -1205,7 +1204,7 @@ protected boolean validateWithValidationVm(long backupId, long hostId, BackupVO
 
             HypervisorGuru hvGuru = hypervisorGuruManager.getGuru(validationVm.getHypervisorType());
             VirtualMachineProfileImpl profile = new VirtualMachineProfileImpl(validationVm);
-            vmTO = hvGuru.implement(profile);
+            VirtualMachineTO vmTO = hvGuru.implement(profile);
 
             if (!validateBackup(backupId, vmTO, backupDeltaAndVolumePairs, backupVO, validationVm, hostVo)) {
                 endBackupChainIfConfigured(backupVO);
@@ -1410,6 +1409,7 @@ protected boolean prepareForValidation(long hostId, Set<Pair<BackupDeltaTO, Volu
 
     protected void createValidationVolumesOnPrimaryStorage(List<VolumeVO> volumeVOs, UserVmVO validationVm, BackupVO backupVO, HostVO hostVo, List<VolumeObjectTO> volumeToList) throws NoTransitionException {
         for (VolumeVO volume : volumeVOs) {
+            logger.debug("Creating validation volume [{}] for validation VM [{}].", volume.getUuid(), validationVm.getUuid());
             VolumeInfo volumeInfo = volumeDataFactory.getVolume(volume.getId());
             volumeInfo = volumeOrchestrationService.createVolumeOnPrimaryStorage(validationVm, volumeInfo, Hypervisor.HypervisorType.KVM, null, hostVo.getClusterId(),
                     hostVo.getPodId());
@@ -2676,8 +2676,9 @@ protected void validateVmState(VirtualMachine vm, String operation, VirtualMachi
 
     protected Pair<Boolean, BackupVO> validateCompressionStateForRestoreAndGetBackup(long backupId) {
         return Transaction.execute(TransactionLegacy.CLOUD_DB, (TransactionCallback<Pair<Boolean, BackupVO>>) result -> {
+            BackupVO backupVO = null;
             try {
-                BackupVO backupVO = lockBackup(backupId);
+                backupVO = lockBackup(backupId);
                 if (backupVO == null) {
                     logger.warn("Unable to get lock on backup [{}]. Cannot restore it.", backupId);
                     return new Pair<>(false, null);
@@ -2692,7 +2693,9 @@ protected Pair<Boolean, BackupVO> validateCompressionStateForRestoreAndGetBackup
                 backupDao.update(backupId, backupVO);
                 return new Pair<>(true, backupVO);
             } finally {
-                releaseBackup(backupId);
+                if (backupVO != null) {
+                    releaseBackup(backupId);
+                }
             }
         });
     }
@@ -2703,8 +2706,9 @@ protected Pair<Boolean, BackupVO> validateCompressionStateForRestoreAndGetBackup
      * */
     protected boolean validateBackupStateForRemoval(long backupId) {
         return Transaction.execute(TransactionLegacy.CLOUD_DB, (TransactionCallback<Boolean>) result -> {
+            BackupVO backupVO = null;
             try {
-                BackupVO backupVO = lockBackup(backupId);
+                backupVO = lockBackup(backupId);
                 if (backupVO == null) {
                     logger.warn("Unable to acquire lock for backup [{}]. Cannot remove it.", backupId);
                     return false;
@@ -2727,7 +2731,9 @@ protected boolean validateBackupStateForRemoval(long backupId) {
                 }
                 return true;
             } finally {
-                releaseBackup(backupId);
+                if (backupVO != null) {
+                    releaseBackup(backupId);
+                }
             }
         });
     }
@@ -2738,8 +2744,9 @@ protected boolean validateBackupStateForRemoval(long backupId) {
      * */
     protected Pair<Boolean, BackupVO> validateBackupStateForStartCompressionAndUpdateCompressionStatus(long backupId) {
         return Transaction.execute(TransactionLegacy.CLOUD_DB, (TransactionCallback<Pair<Boolean, BackupVO>>) result -> {
+            BackupVO backupVO = null;
             try {
-                BackupVO backupVO = lockBackup(backupId);
+                backupVO = lockBackup(backupId);
                 if (backupVO == null) {
                     logger.warn("Unable to get lock on backup [{}]. Will abort the start of the compression process. We might try again later.", backupId);
                     return new Pair<>(false, null);
@@ -2755,7 +2762,9 @@ protected Pair<Boolean, BackupVO> validateBackupStateForStartCompressionAndUpdat
                 backupDao.update(backupVO.getId(), backupVO);
                 return new Pair<>(true, backupVO);
             } finally {
-                releaseBackup(backupId);
+                if (backupVO != null) {
+                    releaseBackup(backupId);
+                }
             }
         });
     }
@@ -2766,8 +2775,9 @@ protected Pair<Boolean, BackupVO> validateBackupStateForStartCompressionAndUpdat
      * */
     protected Pair<Boolean, BackupVO> validateBackupStateForFinalizeCompression(long backupId) {
         return Transaction.execute(TransactionLegacy.CLOUD_DB, (TransactionCallback<Pair<Boolean, BackupVO>>) result -> {
+            BackupVO backupVO = null;
             try {
-                BackupVO backupVO = lockBackup(backupId);
+                backupVO = lockBackup(backupId);
                 if (backupVO == null) {
                     logger.warn("Unable to get lock on backup [{}]. Will abort the finalize compression process. We might try again later.", backupId);
                     return new Pair<>(false, null);
@@ -2786,23 +2796,25 @@ protected Pair<Boolean, BackupVO> validateBackupStateForFinalizeCompression(long
                     backupVO.setCompressionStatus(Backup.CompressionStatus.FinalizingCompression);
                     backupDao.update(backupId, backupVO);
                 } else {
-                    logger.warn(
-                            "Backup [{}] is in [{}] state. Aborting compression and cleaning up compressed data. We can only finish compression process if backup is in [{}] " + "state.",
-                            backupVO.getUuid(), backupVO.getStatus(), Backup.Status.BackedUp);
+                    logger.warn("Backup [{}] is in [{}] state. Aborting compression and cleaning up compressed data. We can only finish compression process if backup is in [{}] "
+                                    + "state.", backupVO.getUuid(), backupVO.getStatus(), Backup.Status.BackedUp);
                     backupVO.setCompressionStatus(Backup.CompressionStatus.CompressionError);
                     backupDao.update(backupId, backupVO);
                 }
                 return new Pair<>(true, backupVO);
             } finally {
-                releaseBackup(backupId);
+                if (backupVO != null) {
+                    releaseBackup(backupId);
+                }
             }
         });
     }
 
     protected Pair<Boolean, Backup.Status> validateBackupStateForRestoreBackupToVM(long backupId) {
         return Transaction.execute(TransactionLegacy.CLOUD_DB, (TransactionCallback<Pair<Boolean, Backup.Status>>) result -> {
+            BackupVO backupVO = null;
             try {
-                BackupVO backupVO = lockBackup(backupId);
+                backupVO = lockBackup(backupId);
                 if (backupVO == null) {
                     logger.warn("Unable to get lock on backup [{}]. Cannot create VM from this backup right now.", backupId);
                     return new Pair<>(false, null);
@@ -2815,13 +2827,14 @@ protected Pair<Boolean, Backup.Status> validateBackupStateForRestoreBackupToVM(l
                     backupDao.update(backupId, backupVO);
                     return new Pair<>(true, oldStatus);
                 } else {
-                    logger.warn(
-                            "Backup [{}] is in [{}] state. Aborting restore. We can only restore the backup if backup is in [{}] states.",
+                    logger.warn("Backup [{}] is in [{}] state. Aborting VM creation from backup. We can only create VM from backup if backup is in [{}] state.",
                             backupVO.getUuid(), backupVO.getStatus(), List.of(Backup.Status.BackedUp, Backup.Status.Restoring));
                     return new Pair<>(false, null);
                 }
             } finally {
-                releaseBackup(backupId);
+                if (backupVO != null) {
+                    releaseBackup(backupId);
+                }
             }
         });
     }
@@ -2832,10 +2845,11 @@ protected Pair<Boolean, Backup.Status> validateBackupStateForRestoreBackupToVM(l
      * */
     protected boolean validateBackupStateForValidation(long backupId) {
         return Transaction.execute(TransactionLegacy.CLOUD_DB, (TransactionCallback<Boolean>) result -> {
+            BackupVO backupVO = null;
             try {
-                BackupVO backupVO = lockBackup(backupId);
+                backupVO = lockBackup(backupId);
                 if (backupVO == null) {
-                    logger.warn("Unable to acquire lock for backup [{}]. Cannot validate it.", backupId);
+                    logger.warn("Unable to acquire lock for backup [{}]. Cannot validate it. It might have been removed.", backupId);
                     return false;
                 }
 
@@ -2846,7 +2860,9 @@ protected boolean validateBackupStateForValidation(long backupId) {
                 }
                 return true;
             } finally {
-                releaseBackup(backupId);
+                if (backupVO != null) {
+                    releaseBackup(backupId);
+                }
             }
         });
     }
diff --git a/server/src/main/java/com/cloud/vm/UserVmManagerImpl.java b/server/src/main/java/com/cloud/vm/UserVmManagerImpl.java
@@ -427,6 +427,8 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
     private static final int ACQUIRE_GLOBAL_LOCK_TIMEOUT_FOR_COOPERATION = 3;
 
     private static final long GiB_TO_BYTES = 1024 * 1024 * 1024;
+    private static final String BACKUP_VALIDATION_NETWORK = "BackupValidationNetwork";
+    private static final String DEFAULT_SHARED_NETWORK_OFFERING_WITH_NO_SERVICE = "DefaultSharedNetworkOfferingWithNoService";
 
     @Inject
     private EntityManager _entityMgr;
@@ -4584,19 +4586,7 @@ private UserVm getUncheckedUserVmResource(DataCenter zone, String hostName, Stri
                     }
 
                     profile.setDefaultNic(true);
-                    if (!_networkModel.areServicesSupportedInNetwork(network.getId(), new Service[]{Service.UserData})) {
-                        if ((userData != null) && (!userData.isEmpty())) {
-                            throw new InvalidParameterValueException(String.format("Unable to deploy VM as UserData is provided while deploying the VM, but there is no support for %s service in the default network %s/%s.", Service.UserData.getName(), network.getName(), network.getUuid()));
-                        }
-
-                        if ((sshPublicKeys != null) && (!sshPublicKeys.isEmpty())) {
-                            throw new InvalidParameterValueException(String.format("Unable to deploy VM as SSH keypair is provided while deploying the VM, but there is no support for %s service in the default network %s/%s", Service.UserData.getName(), network.getName(), network.getUuid()));
-                        }
-
-                        if (template.isEnablePassword()) {
-                            throw new InvalidParameterValueException(String.format("Unable to deploy VM as template %s is password enabled, but there is no support for %s service in the default network %s/%s", template, Service.UserData.getName(), network.getName(), network.getUuid()));
-                        }
-                    }
+                    validateUserdataSupport(userData, vmType, template, network, sshPublicKeys);
                 }
 
                 if (_networkModel.isSecurityGroupSupportedInNetwork(network)) {
@@ -4703,6 +4693,30 @@ private UserVm getUncheckedUserVmResource(DataCenter zone, String hostName, Stri
         }
     }
 
+    /**
+     * Validates that the network supports the necessary UserData-related features for the VM
+     * <br/>
+     * Validation VMs are not validated, there VMs should be in a no-service network regardless of the original VM's settings.
+     * */
+    private void validateUserdataSupport(String userData, String vmType, VMTemplateVO template, NetworkVO network, String sshPublicKeys) {
+        if (VALIDATION_VM.equals(vmType)) {
+            return;
+        }
+        if (!_networkModel.areServicesSupportedInNetwork(network.getId(), new Service[]{Service.UserData})) {
+            if ((userData != null) && (!userData.isEmpty())) {
+                throw new InvalidParameterValueException(String.format("Unable to deploy VM as UserData is provided while deploying the VM, but there is no support for %s service in the default network %s/%s.", Service.UserData.getName(), network.getName(), network.getUuid()));
+            }
+
+            if ((sshPublicKeys != null) && (!sshPublicKeys.isEmpty())) {
+                throw new InvalidParameterValueException(String.format("Unable to deploy VM as SSH keypair is provided while deploying the VM, but there is no support for %s service in the default network %s/%s", Service.UserData.getName(), network.getName(), network.getUuid()));
+            }
+
+            if (template.isEnablePassword()) {
+                throw new InvalidParameterValueException(String.format("Unable to deploy VM as template %s is password enabled, but there is no support for %s service in the default network %s/%s", template.getId(), Service.UserData.getName(), network.getName(), network.getUuid()));
+            }
+        }
+    }
+
     private void assignInstanceToGroup(String group, long id) {
         // Assign instance to the group
         try {
@@ -10128,13 +10142,11 @@ public UserVm allocateVMForValidation(long backupId, HypervisorType hypervisor)
             throw new CloudRuntimeException(String.format("Unable to find service offering with the uuid stored in backup [%s]. Unable to validate the backup.", backup.getUuid()));
         }
 
-        VirtualMachineTemplate template;
-
         String templateUuid = backup.getDetail(ApiConstants.TEMPLATE_ID);
         if (templateUuid == null) {
             throw new CloudRuntimeException(String.format("Backup [%s] doesn't contain a template uuid. Unable to validate it.", backup.getUuid()));
         }
-        template = _templateDao.findByUuidIncludingRemoved(templateUuid);
+        VirtualMachineTemplate template = _templateDao.findByUuidIncludingRemoved(templateUuid);
         if (template == null) {
             throw new CloudRuntimeException(String.format("Unable to find template associated with the backup [%s]. Unable to validate it.", backup.getUuid()));
         }
@@ -10183,25 +10195,25 @@ public UserVm allocateVMForValidation(long backupId, HypervisorType hypervisor)
     }
 
     private Network getValidationNetwork(long zoneId) {
-        NetworkVO networkVo = _networkDao.findByZoneIdAndAccountIdAndGuestType(zoneId, Account.ACCOUNT_ID_SYSTEM, GuestType.Shared);
+        NetworkVO networkVo = _networkDao.findByZoneIdAndAccountIdAndGuestTypeAndName(zoneId, Account.ACCOUNT_ID_SYSTEM, GuestType.Shared, BACKUP_VALIDATION_NETWORK);
         AccountVO accountVO = _accountDao.findById(Account.ACCOUNT_ID_SYSTEM);
 
         if (networkVo != null) {
             return networkVo;
         }
 
-        NetworkOfferingVO offeringVo = _networkOfferingDao.findByUniqueName("DefaultSharedNetworkOfferingWithNoService");
+        NetworkOfferingVO offeringVo = _networkOfferingDao.findByUniqueName(DEFAULT_SHARED_NETWORK_OFFERING_WITH_NO_SERVICE);
 
         if (offeringVo == null) {
-            offeringVo = new NetworkOfferingVO("DefaultSharedNetworkOfferingWithNoService",
+            offeringVo = new NetworkOfferingVO(DEFAULT_SHARED_NETWORK_OFFERING_WITH_NO_SERVICE,
                     "Default shared offering with no services.", TrafficType.Guest, false, false, null, null, true, Availability.Optional, null, GuestType.Shared, false, true,
                     false, false, false, false);
             offeringVo.setState(NetworkOffering.State.Enabled);
             offeringVo = _networkOfferingDao.persistDefaultNetworkOffering(offeringVo);
         }
 
         try {
-            CreateNetworkCmd cmd = new CreateNetworkCmd(offeringVo.getId(), "BackupValidationNetwork", "System network for validating backups", "192.168.0.1", "255.255.0.0",
+            CreateNetworkCmd cmd = new CreateNetworkCmd(offeringVo.getId(), BACKUP_VALIDATION_NETWORK, "System network for validating backups", "192.168.0.1", "255.255.0.0",
                     "192.168.0.2", "192.168.255.255", accountVO.getDomainId(), accountVO.getAccountName(), zoneId, ACLType.Domain.name(), true, false);
             ComponentContext.inject(cmd);
             return networkService.createGuestNetwork(cmd);
diff --git a/server/src/main/java/org/apache/cloudstack/backup/InternalBackupServiceJobController.java b/server/src/main/java/org/apache/cloudstack/backup/InternalBackupServiceJobController.java
@@ -251,7 +251,7 @@ protected void submitQueuedJobsForExecution(List<InternalBackupServiceJobVO> job
             }
 
             if (busyInstances.contains(job.getInstanceId())) {
-                VirtualMachine vm = instanceDao.findById(job.getInstanceId());
+                VirtualMachine vm = instanceDao.findByIdIncludingRemoved(job.getInstanceId());
                 logger.debug("Instance [{}] has another backup service job running, will not schedule a {} job for it now.", vm.getUuid(), controllerType);
                 continue;
             }
diff --git a/server/src/test/java/com/cloud/vpc/dao/MockNetworkDaoImpl.java b/server/src/test/java/com/cloud/vpc/dao/MockNetworkDaoImpl.java

Original file line number	Diff line number	Diff line change
`@@ -143,7 +143,7 @@ public String getValidationSteps() {`
`143`	`143`	`sb.append(",");`
`144`	`144`	`} catch (IllegalArgumentException ex) {`
`145`	`145`	`logger.error("Invalid validation step informed [{}].", step, ex);`
`146`		`- throw new InvalidParameterValueException(String.format("Invalid validation step [%s] informed. Accepted values are: wait_for_boot, screenshot and script.", step));`
	`146`	`+ throw new InvalidParameterValueException(String.format("Invalid validation step [%s] informed. Accepted values are: wait_for_boot, screenshot and execute_command.", step));`
`147`	`147`	`}`
`148`	`148`	`}`
`149`	`149`	`sb.deleteCharAt(sb.lastIndexOf(","));`
Original file line number	Diff line number	Diff line change
`@@ -136,5 +136,5 @@ public interface NetworkDao extends GenericDao<NetworkVO, Long>, StateDao<State,`
`136`	`136`
`137`	`137`	`List<NetworkVO> getAllPersistentNetworksFromZone(long dataCenterId);`
`138`	`138`
`139`		`- NetworkVO findByZoneIdAndAccountIdAndGuestType(long zoneId, long accountId, GuestType guestType);`
	`139`	`+ NetworkVO findByZoneIdAndAccountIdAndGuestTypeAndName(long zoneId, long accountId, GuestType guestType, String name);`
`140`	`140`	`}`
Original file line number	Diff line number	Diff line change
`@@ -910,12 +910,13 @@ public List<NetworkVO> listByPhysicalNetworkPvlan(long physicalNetworkId, String`
`910`	`910`	`}`
`911`	`911`
`912`	`912`	`@Override`
`913`		`- public NetworkVO findByZoneIdAndAccountIdAndGuestType(long zoneId, long accountId, GuestType guestType) {`
	`913`	`+ public NetworkVO findByZoneIdAndAccountIdAndGuestTypeAndName(long zoneId, long accountId, GuestType guestType, String name) {`
`914`	`914`	`SearchCriteria<NetworkVO> sc = AllFieldsSearch.create();`
`915`	`915`
`916`	`916`	`sc.setParameters("datacenter", zoneId);`
`917`	`917`	`sc.setParameters("account", accountId);`
`918`	`918`	`sc.setParameters("guestType", guestType);`
	`919`	`+ sc.setParameters("name", name);`
`919`	`920`
`920`	`921`	`return findOneBy(sc);`
`921`	`922`	`}`
Original file line number	Diff line number	Diff line change
`@@ -251,7 +251,7 @@ protected void submitQueuedJobsForExecution(List<InternalBackupServiceJobVO> job`
`251`	`251`	`}`
`252`	`252`
`253`	`253`	`if (busyInstances.contains(job.getInstanceId())) {`
`254`		`- VirtualMachine vm = instanceDao.findById(job.getInstanceId());`
	`254`	`+ VirtualMachine vm = instanceDao.findByIdIncludingRemoved(job.getInstanceId());`
`255`	`255`	`logger.debug("Instance [{}] has another backup service job running, will not schedule a {} job for it now.", vm.getUuid(), controllerType);`
`256`	`256`	`continue;`
`257`	`257`	`}`