diff --git a/.asf.yaml b/.asf.yaml
index a19e3a60a2ba..5105ede1813f 100644
--- a/.asf.yaml
+++ b/.asf.yaml
@@ -50,7 +50,8 @@ github:
     rebase: false
 
   collaborators:
-    - gpordeus
+    - ingox
+    - gp-santos
     - erikbocks
     - Imvedansh
     - Damans227
diff --git a/.codespellrc b/.codespellrc
new file mode 100644
index 000000000000..3c632f8ba534
--- /dev/null
+++ b/.codespellrc
@@ -0,0 +1,20 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+[codespell]
+ignore-words = .github/linters/codespell.txt
+skip = systemvm/agent/noVNC/*,ui/package.json,ui/package-lock.json,ui/public/js/less.min.js,ui/public/locales/*.json,server/src/test/java/org/apache/cloudstack/network/ssl/CertServiceTest.java,test/integration/smoke/test_ssl_offloading.py
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index a0602871ef1e..689275cff115 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -17,6 +17,7 @@
 
 /plugins/storage/volume/linstor @rp-
 /plugins/storage/volume/storpool @slavkap
+/plugins/storage/volume/ontap @rajiv1 @sandeeplocharla @piyush5 @suryag
 
 .pre-commit-config.yaml @jbampton
 /.github/linters/ @jbampton
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 41b307863fc3..cef74aafb4b0 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -22,8 +22,19 @@
 
 version: 2
 updates:
-  - package-ecosystem: "maven" # See documentation for possible values
-    directory: "/" # Location of package manifests
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    open-pull-requests-limit: 2
+    schedule:
+      interval: "weekly"
+    groups:
+      github-actions-dependencies:
+        patterns:
+          - "*"
+    cooldown:
+      default-days: 7
+  - package-ecosystem: "maven"
+    directory: "/"
     schedule:
       interval: "daily"
     cooldown:
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 84020f4a6b06..4c33a1313436 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -30,7 +30,7 @@ jobs:
   build:
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - name: Set up JDK 17
         uses: actions/setup-java@v5
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6957d3f54464..52c47b26de8f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -217,7 +217,7 @@ jobs:
                   smoke/test_list_volumes"]
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
@@ -283,7 +283,7 @@ jobs:
           # https://github.com/actions/runner-images/blob/main/images/linux/Ubuntu2004-Readme.md#mysql
           sudo apt-get install -y mysql-server
           sudo systemctl start mysql
-          sudo mysql -uroot -proot -e "ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY ''; FLUSH PRIVILEGES;"
+          sudo mysql -uroot -proot -e "ALTER USER 'root'@'localhost' IDENTIFIED WITH caching_sha2_password BY ''; FLUSH PRIVILEGES;"
           sudo systemctl restart mysql
           sudo mysql -uroot -e "SELECT VERSION();"
 
@@ -341,7 +341,7 @@ jobs:
           echo -e "Simulator CI Test Results: (only failures listed)\n"
           python3 ./tools/marvin/xunit-reader.py integration-test-results/
 
-      - uses: codecov/codecov-action@v4
+      - uses: codecov/codecov-action@v6
         with:
           files: jacoco-coverage.xml
           fail_ci_if_error: true
diff --git a/.github/workflows/codecov.yml b/.github/workflows/codecov.yml
index fbd944a758f9..0ee10baa385b 100644
--- a/.github/workflows/codecov.yml
+++ b/.github/workflows/codecov.yml
@@ -32,7 +32,7 @@ jobs:
     name: codecov
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
@@ -49,7 +49,7 @@ jobs:
           cd nonoss && bash -x install-non-oss.sh && cd ..
           mvn -P quality -Dsimulator -Dnoredist clean install -T$(nproc)
 
-      - uses: codecov/codecov-action@v4
+      - uses: codecov/codecov-action@v6
         with:
           files: ./client/target/site/jacoco-aggregate/jacoco.xml
           fail_ci_if_error: true
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 74e59aa821d1..cb1fa88a1023 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -35,14 +35,14 @@ jobs:
         language: ["actions"]
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@v4
         with:
           languages: ${{ matrix.language }}
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v3
+        uses: github/codeql-action/autobuild@v4
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@v4
         with:
           category: "Security"
diff --git a/.github/workflows/daily-repo-status.lock.yml b/.github/workflows/daily-repo-status.lock.yml
index 1d7e7eecd14d..35eb5d409a48 100644
--- a/.github/workflows/daily-repo-status.lock.yml
+++ b/.github/workflows/daily-repo-status.lock.yml
@@ -54,11 +54,11 @@ jobs:
       comment_repo: ""
     steps:
       - name: Setup
-        uses: github/gh-aw/actions/setup@58d1d157fbac0f1204798500faefc4f7461ebe28 # v0.45.
+        uses: github/gh-aw/actions/setup@f01a9d118afa6e306f3645ca31e43f4ea8fb4d22 # v0.45.
         with:
           destination: /opt/gh-aw/
       - name: Check workflow file
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd #
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 #
         env:
           GH_AW_WORKFLOW_FILE: "daily-repo-status.lock.yml"
         with:
@@ -96,7 +96,7 @@ jobs:
       secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }}
     steps:
       - name: Setup
-        uses: github/gh-aw/actions/setup@58d1d157fbac0f1204798500faefc4f7461ebe28 # v0.45.
+        uses: github/gh-aw/actions/setup@f01a9d118afa6e306f3645ca31e43f4ea8fb4d22 # v0.45.
         with:
           destination: /opt/gh-aw/
       - name: Checkout
@@ -120,7 +120,7 @@ jobs:
         id: checkout-
         if: |
           github.event.
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd #
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 #
         env:
           GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
         with:
@@ -132,7 +132,7 @@ jobs:
             await main();
       - name: Generate agentic run
         id:
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd #
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 #
         with:
           script: |
             const fs = require('fs');
@@ -469,7 +469,7 @@ jobs:
           }
 
       - name: Generate workflow
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd #
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 #
         with:
           script: |
             const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs');
@@ -559,7 +559,7 @@ jobs:
           {{#runtime-import .github/workflows/daily-repo-status.md}}
 
       - name: Substitute
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd #
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 #
         env:
           GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.
           GH_AW_GITHUB_ACTOR: ${{ github.actor }}
@@ -589,7 +589,7 @@ jobs:
               }
             });
       - name: Interpolate variables and render
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd #
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 #
         env:
           GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.
         with:
@@ -667,7 +667,7 @@ jobs:
           bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID"
       - name: Redact secrets in
         if: always()
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd #
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 #
         with:
           script: |
             const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
@@ -682,7 +682,7 @@ jobs:
           SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Upload Safe
         if: always()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v6.0.
         with:
           name: safe-
           path: ${{ env.GH_AW_SAFE_OUTPUTS }}
@@ -690,7 +690,7 @@ jobs:
       - name: Ingest agent
         id:
         if: always()
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd #
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 #
         env:
           GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
           GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com"
@@ -704,13 +704,13 @@ jobs:
             await main();
       - name: Upload sanitized agent
         if: always() && env.
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v6.0.
         with:
           name: agent-
           path: ${{ env.GH_AW_AGENT_OUTPUT }}
           if-no-files-found:
       - name: Upload engine output
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v6.0.
         with:
           name:
           path: |
@@ -719,7 +719,7 @@ jobs:
           if-no-files-found:
       - name: Parse agent logs for step
         if: always()
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd #
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 #
         env:
           GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/
         with:
@@ -730,7 +730,7 @@ jobs:
             await main();
       - name: Parse MCP Gateway logs for step
         if: always()
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd #
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 #
         with:
           script: |
             const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
@@ -755,7 +755,7 @@ jobs:
       - name: Upload agent
         if: always()
         continue-on-error:
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v6.0.
         with:
           name: agent-
           path: |
@@ -784,12 +784,12 @@ jobs:
       total_count: ${{ steps.missing_tool.outputs.total_count }}
     steps:
       - name: Setup
-        uses: github/gh-aw/actions/setup@58d1d157fbac0f1204798500faefc4f7461ebe28 # v0.45.
+        uses: github/gh-aw/actions/setup@f01a9d118afa6e306f3645ca31e43f4ea8fb4d22 # v0.45.
         with:
           destination: /opt/gh-aw/
       - name: Download agent output
         continue-on-error:
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v6.0.
         with:
           name: agent-
           path: /tmp/gh-aw/safeoutputs/
@@ -800,7 +800,7 @@ jobs:
           echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV"
       - name: Process No-Op
         id:
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd #
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 #
         env:
           GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
           GH_AW_NOOP_MAX:
@@ -816,7 +816,7 @@ jobs:
             await main();
       - name: Record Missing
         id:
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd #
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 #
         env:
           GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
           GH_AW_WORKFLOW_NAME: "Daily Repo Status"
@@ -831,7 +831,7 @@ jobs:
             await main();
       - name: Handle Agent
         id:
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd #
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 #
         env:
           GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
           GH_AW_WORKFLOW_NAME: "Daily Repo Status"
@@ -851,7 +851,7 @@ jobs:
             await main();
       - name: Handle No-Op
         id:
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd #
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 #
         env:
           GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
           GH_AW_WORKFLOW_NAME: "Daily Repo Status"
@@ -881,18 +881,18 @@ jobs:
       success: ${{ steps.parse_results.outputs.success }}
     steps:
       - name: Setup
-        uses: github/gh-aw/actions/setup@58d1d157fbac0f1204798500faefc4f7461ebe28 # v0.45.
+        uses: github/gh-aw/actions/setup@f01a9d118afa6e306f3645ca31e43f4ea8fb4d22 # v0.45.
         with:
           destination: /opt/gh-aw/
       - name: Download agent
         continue-on-error:
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v6.0.
         with:
           name: agent-
           path: /tmp/gh-aw/threat-detection/
       - name: Download agent output
         continue-on-error:
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v6.0.
         with:
           name: agent-
           path: /tmp/gh-aw/threat-detection/
@@ -902,7 +902,7 @@ jobs:
         run: |
           echo "Agent output-types: $AGENT_OUTPUT_TYPES"
       - name: Setup threat
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd #
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 #
         env:
           WORKFLOW_NAME: "Daily Repo Status"
           WORKFLOW_DESCRIPTION: "This workflow creates daily repo status reports. It gathers recent repository\nactivity (issues, PRs, discussions, releases, code changes) and generates\nengaging GitHub issues with productivity insights, community highlights,\nand project recommendations."
@@ -955,7 +955,7 @@ jobs:
           XDG_CONFIG_HOME: /home/
       - name: Parse threat detection
         id:
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd #
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 #
         with:
           script: |
             const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
@@ -964,7 +964,7 @@ jobs:
             await main();
       - name: Upload threat detection
         if: always()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v6.0.
         with:
           name: threat-detection.
           path: /tmp/gh-aw/threat-detection/detection.
@@ -993,12 +993,12 @@ jobs:
       process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }}
     steps:
       - name: Setup
-        uses: github/gh-aw/actions/setup@58d1d157fbac0f1204798500faefc4f7461ebe28 # v0.45.
+        uses: github/gh-aw/actions/setup@f01a9d118afa6e306f3645ca31e43f4ea8fb4d22 # v0.45.
         with:
           destination: /opt/gh-aw/
       - name: Download agent output
         continue-on-error:
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v6.0.
         with:
           name: agent-
           path: /tmp/gh-aw/safeoutputs/
@@ -1009,7 +1009,7 @@ jobs:
           echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV"
       - name: Process Safe
         id:
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd #
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 #
         env:
           GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
           GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_issue\":{\"labels\":[\"report\",\"daily-status\"],\"max\":1,\"title_prefix\":\"[repo-status] \"},\"missing_data\":{},\"missing_tool\":{}}"
diff --git a/.github/workflows/docker-cloudstack-simulator.yml b/.github/workflows/docker-cloudstack-simulator.yml
index af6cbf49f5ef..96c9400935c2 100644
--- a/.github/workflows/docker-cloudstack-simulator.yml
+++ b/.github/workflows/docker-cloudstack-simulator.yml
@@ -38,7 +38,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Login to Docker Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v4
         with:
           registry: ${{ secrets.DOCKER_REGISTRY }}
           username: ${{ secrets.DOCKERHUB_USER }}
@@ -47,7 +47,7 @@ jobs:
       - name: Set Docker repository name
         run: echo "DOCKER_REPOSITORY=apache" >> $GITHUB_ENV
 
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - name: Set ACS version
         run: echo "ACS_VERSION=$(grep '<version>' pom.xml | head -2 | tail -1 | cut -d'>' -f2 |cut -d'<' -f1)" >> $GITHUB_ENV
diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml
index 2410f7b9e457..1c3d11a800e6 100644
--- a/.github/workflows/issue-triage-agent.lock.yml
+++ b/.github/workflows/issue-triage-agent.lock.yml
@@ -53,11 +53,11 @@ jobs:
       comment_repo: ""
     steps:
       - name: Setup Scripts
-        uses: github/gh-aw/actions/setup@58d1d157fbac0f1204798500faefc4f7461ebe28 # v0.45.0
+        uses: github/gh-aw/actions/setup@f01a9d118afa6e306f3645ca31e43f4ea8fb4d22 # v0.71.1
         with:
           destination: /opt/gh-aw/actions
       - name: Check workflow file timestamps
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         env:
           GH_AW_WORKFLOW_FILE: "issue-triage-agent.lock.yml"
         with:
@@ -91,7 +91,7 @@ jobs:
       secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }}
     steps:
       - name: Setup Scripts
-        uses: github/gh-aw/actions/setup@58d1d157fbac0f1204798500faefc4f7461ebe28 # v0.45.0
+        uses: github/gh-aw/actions/setup@f01a9d118afa6e306f3645ca31e43f4ea8fb4d22 # v0.71.1
         with:
           destination: /opt/gh-aw/actions
       - name: Checkout repository
@@ -113,7 +113,7 @@ jobs:
           echo "Git configured with standard GitHub Actions identity"
       - name: Generate agentic run info
         id: generate_aw_info
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         with:
           script: |
             const fs = require('fs');
@@ -167,7 +167,7 @@ jobs:
         run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.18.0
       - name: Determine automatic lockdown mode for GitHub MCP Server
         id: determine-automatic-lockdown
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         env:
           GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }}
           GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }}
@@ -459,7 +459,7 @@ jobs:
           }
           GH_AW_MCP_CONFIG_EOF
       - name: Generate workflow overview
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         with:
           script: |
             const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs');
@@ -552,7 +552,7 @@ jobs:
           {{#runtime-import .github/workflows/issue-triage-agent.md}}
           GH_AW_PROMPT_EOF
       - name: Substitute placeholders
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         env:
           GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
           GH_AW_GITHUB_ACTOR: ${{ github.actor }}
@@ -582,7 +582,7 @@ jobs:
               }
             });
       - name: Interpolate variables and render templates
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         env:
           GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
           GH_AW_GITHUB_REPOSITORY: ${{ github.repository }}
@@ -661,7 +661,7 @@ jobs:
           bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID"
       - name: Redact secrets in logs
         if: always()
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         with:
           script: |
             const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
@@ -676,7 +676,7 @@ jobs:
           SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Upload Safe Outputs
         if: always()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: safe-output
           path: ${{ env.GH_AW_SAFE_OUTPUTS }}
@@ -684,7 +684,7 @@ jobs:
       - name: Ingest agent output
         id: collect_output
         if: always()
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         env:
           GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
           GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com"
@@ -698,13 +698,13 @@ jobs:
             await main();
       - name: Upload sanitized agent output
         if: always() && env.GH_AW_AGENT_OUTPUT
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: agent-output
           path: ${{ env.GH_AW_AGENT_OUTPUT }}
           if-no-files-found: warn
       - name: Upload engine output files
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: agent_outputs
           path: |
@@ -713,7 +713,7 @@ jobs:
           if-no-files-found: ignore
       - name: Parse agent logs for step summary
         if: always()
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         env:
           GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/
         with:
@@ -724,7 +724,7 @@ jobs:
             await main();
       - name: Parse MCP Gateway logs for step summary
         if: always()
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         with:
           script: |
             const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
@@ -749,7 +749,7 @@ jobs:
       - name: Upload agent artifacts
         if: always()
         continue-on-error: true
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: agent-artifacts
           path: |
@@ -780,12 +780,12 @@ jobs:
       total_count: ${{ steps.missing_tool.outputs.total_count }}
     steps:
       - name: Setup Scripts
-        uses: github/gh-aw/actions/setup@58d1d157fbac0f1204798500faefc4f7461ebe28 # v0.45.0
+        uses: github/gh-aw/actions/setup@f01a9d118afa6e306f3645ca31e43f4ea8fb4d22 # v0.71.1
         with:
           destination: /opt/gh-aw/actions
       - name: Download agent output artifact
         continue-on-error: true
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: agent-output
           path: /tmp/gh-aw/safeoutputs/
@@ -796,7 +796,7 @@ jobs:
           echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV"
       - name: Process No-Op Messages
         id: noop
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         env:
           GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
           GH_AW_NOOP_MAX: 1
@@ -812,7 +812,7 @@ jobs:
             await main();
       - name: Record Missing Tool
         id: missing_tool
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         env:
           GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
           GH_AW_WORKFLOW_NAME: "Issue Triage Agent"
@@ -827,7 +827,7 @@ jobs:
             await main();
       - name: Handle Agent Failure
         id: handle_agent_failure
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         env:
           GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
           GH_AW_WORKFLOW_NAME: "Issue Triage Agent"
@@ -846,7 +846,7 @@ jobs:
             await main();
       - name: Handle No-Op Message
         id: handle_noop_message
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         env:
           GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
           GH_AW_WORKFLOW_NAME: "Issue Triage Agent"
@@ -874,18 +874,18 @@ jobs:
       success: ${{ steps.parse_results.outputs.success }}
     steps:
       - name: Setup Scripts
-        uses: github/gh-aw/actions/setup@58d1d157fbac0f1204798500faefc4f7461ebe28 # v0.45.0
+        uses: github/gh-aw/actions/setup@f01a9d118afa6e306f3645ca31e43f4ea8fb4d22 # v0.71.1
         with:
           destination: /opt/gh-aw/actions
       - name: Download agent artifacts
         continue-on-error: true
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: agent-artifacts
           path: /tmp/gh-aw/threat-detection/
       - name: Download agent output artifact
         continue-on-error: true
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: agent-output
           path: /tmp/gh-aw/threat-detection/
@@ -895,7 +895,7 @@ jobs:
         run: |
           echo "Agent output-types: $AGENT_OUTPUT_TYPES"
       - name: Setup threat detection
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         env:
           WORKFLOW_NAME: "Issue Triage Agent"
           WORKFLOW_DESCRIPTION: "No description provided"
@@ -948,7 +948,7 @@ jobs:
           XDG_CONFIG_HOME: /home/runner
       - name: Parse threat detection results
         id: parse_results
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         with:
           script: |
             const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
@@ -957,7 +957,7 @@ jobs:
             await main();
       - name: Upload threat detection log
         if: always()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: threat-detection.log
           path: /tmp/gh-aw/threat-detection/detection.log
@@ -987,12 +987,12 @@ jobs:
       process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }}
     steps:
       - name: Setup Scripts
-        uses: github/gh-aw/actions/setup@58d1d157fbac0f1204798500faefc4f7461ebe28 # v0.45.0
+        uses: github/gh-aw/actions/setup@f01a9d118afa6e306f3645ca31e43f4ea8fb4d22 # v0.71.1
         with:
           destination: /opt/gh-aw/actions
       - name: Download agent output artifact
         continue-on-error: true
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: agent-output
           path: /tmp/gh-aw/safeoutputs/
@@ -1003,7 +1003,7 @@ jobs:
           echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV"
       - name: Process Safe Outputs
         id: process_safe_outputs
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         env:
           GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
           GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"max\":1},\"add_labels\":{\"allowed\":[\"bug\",\"feature\",\"enhancement\",\"documentation\",\"question\",\"help-wanted\",\"good-first-issue\"]},\"missing_data\":{},\"missing_tool\":{}}"
diff --git a/.github/workflows/main-sonar-check.yml b/.github/workflows/main-sonar-check.yml
index 224ea2cde801..7ccd6600ab97 100644
--- a/.github/workflows/main-sonar-check.yml
+++ b/.github/workflows/main-sonar-check.yml
@@ -32,7 +32,7 @@ jobs:
     name: Main Sonar JaCoCo Build
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
diff --git a/.github/workflows/merge-conflict-checker.yml b/.github/workflows/merge-conflict-checker.yml
index a997cb94ccc0..2c826a47c7ec 100644
--- a/.github/workflows/merge-conflict-checker.yml
+++ b/.github/workflows/merge-conflict-checker.yml
@@ -17,16 +17,14 @@
 
 name: "PR Merge Conflict Check"
 on:
-  push:
-  pull_request:
-    types: [opened, synchronize, reopened]
+  schedule:
+    - cron: '*/10 * * * *'
+  workflow_dispatch:
 
-permissions:  # added using https://github.com/step-security/secure-workflows
-  contents: read
+permissions: {}
 
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
+  group: "gh-aw-${{ github.workflow }}"
 
 jobs:
   triage:
@@ -35,7 +33,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: Conflict Check
-      uses: eps1lon/actions-label-merge-conflict@v2.0.0
+      uses: eps1lon/actions-label-merge-conflict@v3.0.3
       with:
         repoToken: "${{ secrets.GITHUB_TOKEN }}"
         dirtyLabel: "status:has-conflicts"
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index 11fe5c068814..895a597659de 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -32,7 +32,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Check Out
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Install
         run: |
           python -m pip install --upgrade pip
diff --git a/.github/workflows/rat.yml b/.github/workflows/rat.yml
index d71f4b0852d8..21b8e197d825 100644
--- a/.github/workflows/rat.yml
+++ b/.github/workflows/rat.yml
@@ -30,7 +30,7 @@ jobs:
   build:
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - name: Set up JDK 17
         uses: actions/setup-java@v5
         with:
diff --git a/.github/workflows/sonar-check.yml b/.github/workflows/sonar-check.yml
index 31fb671cc58f..9f5c3a194bc7 100644
--- a/.github/workflows/sonar-check.yml
+++ b/.github/workflows/sonar-check.yml
@@ -33,7 +33,7 @@ jobs:
     name: Sonar JaCoCo Coverage
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           ref: "refs/pull/${{ github.event.number }}/merge"
           fetch-depth: 0
diff --git a/.github/workflows/ui.yml b/.github/workflows/ui.yml
index 56b04a6f9c96..2db8456fcba7 100644
--- a/.github/workflows/ui.yml
+++ b/.github/workflows/ui.yml
@@ -31,10 +31,10 @@ jobs:
     runs-on: ubuntu-22.04
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - name: Set up Node
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
         with:
           node-version: 16
 
@@ -55,7 +55,7 @@ jobs:
           npm run lint
           npm run test:unit
 
-      - uses: codecov/codecov-action@v4
+      - uses: codecov/codecov-action@v6
         if: github.repository == 'apache/cloudstack'
         with:
           working-directory: ui
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index cf6f8d39027d..755ae125edf0 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -162,17 +162,15 @@ repos:
       - id: forbid-submodules
       - id: mixed-line-ending
       - id: trailing-whitespace
-        files: ^(LICENSE|NOTICE)$|\.(bat|cfg|cs|css|gitignore|header|in|install|java|md|properties|py|rb|rc|sh|sql|te|template|txt|ucls|vue|xml|xsl|yaml|yml)$|^cloud-cli/bindir/cloud-tool$|^debian/changelog$
+        files: ^(LICENSE|NOTICE)$|README$|\.(bat|cfg|config|cs|css|erb|gitignore|header|in|install|java|md|properties|py|rb|rc|sh|sql|svg|te|template|txt|ucls|vue|xml|xsl|yaml|yml)$|^cloud-cli/bindir/cloud-tool$|^debian/changelog$
         args: [--markdown-linebreak-ext=md]
         exclude: ^services/console-proxy/rdpconsole/src/test/doc/freerdp-debug-log\.txt$
   - repo: https://github.com/codespell-project/codespell
-    rev: v2.4.1
+    rev: v2.4.2
     hooks:
       - id: codespell
         name: run codespell
         description: Check spelling with codespell
-        args: [--ignore-words=.github/linters/codespell.txt]
-        exclude: ^systemvm/agent/noVNC/|^ui/package\.json$|^ui/package-lock\.json$|^ui/public/js/less\.min\.js$|^ui/public/locales/.*[^n].*\.json$|^server/src/test/java/org/apache/cloudstack/network/ssl/CertServiceTest.java$|^test/integration/smoke/test_ssl_offloading.py$
   - repo: https://github.com/pycqa/flake8
     rev: 7.0.0
     hooks:
@@ -186,7 +184,7 @@ repos:
         description: check Markdown files with markdownlint
         args: [--config=.github/linters/.markdown-lint.yml]
         types: [markdown]
-        files: \.(md|mdown|markdown)$
+        files: \.md$
   - repo: https://github.com/adrienverge/yamllint
     rev: v1.37.1
     hooks:
diff --git a/agent/conf/agent.properties b/agent/conf/agent.properties
index 0dc5b8211e0d..ba4a3874664a 100644
--- a/agent/conf/agent.properties
+++ b/agent/conf/agent.properties
@@ -457,3 +457,18 @@ iscsi.session.cleanup.enabled=false
 
 # Instance conversion VIRT_V2V_TMPDIR env var
 #convert.instance.env.virtv2v.tmpdir=
+
+# Time, in seconds, to wait before retrying to rebase during the incremental snapshot process.
+# incremental.snapshot.retry.rebase.wait=60
+
+# Path to the VDDK library directory for VMware to KVM conversion via VDDK,
+# passed to virt-v2v as -io vddk-libdir=<path>
+#vddk.lib.dir=
+
+# Ordered VDDK transport preference for VMware to KVM conversion via VDDK, passed as
+# -io vddk-transports=<value> to virt-v2v. Example: nbd:nbdssl
+#vddk.transports=
+
+# Optional vCenter SHA1 thumbprint for VMware to KVM conversion via VDDK, passed as
+# -io vddk-thumbprint=<value>. If unset, CloudStack computes it on the KVM host via openssl.
+#vddk.thumbprint=
diff --git a/agent/src/main/java/com/cloud/agent/properties/AgentProperties.java b/agent/src/main/java/com/cloud/agent/properties/AgentProperties.java
index 3364f9708cf5..e69a7efdc9c7 100644
--- a/agent/src/main/java/com/cloud/agent/properties/AgentProperties.java
+++ b/agent/src/main/java/com/cloud/agent/properties/AgentProperties.java
@@ -808,6 +808,30 @@ public Property<Integer> getWorkers() {
      */
     public static final Property<String> CONVERT_ENV_VIRTV2V_TMPDIR = new Property<>("convert.instance.env.virtv2v.tmpdir", null, String.class);
 
+    /**
+     * Path to the VDDK library directory on the KVM conversion host, used when converting VMs from VMware to KVM via VDDK.
+     * This directory is passed to virt-v2v as <code>-io vddk-libdir=&lt;path&gt;</code>.
+     * Data type: String.<br>
+     * Default value: <code>null</code>
+     */
+    public static final Property<String> VDDK_LIB_DIR = new Property<>("vddk.lib.dir", null, String.class);
+
+    /**
+     * Ordered list of VDDK transports for virt-v2v, passed as <code>-io vddk-transports=&lt;value&gt;</code>.
+     * Example: <code>nbd:nbdssl</code>.
+     * Data type: String.<br>
+     * Default value: <code>null</code>
+     */
+    public static final Property<String> VDDK_TRANSPORTS = new Property<>("vddk.transports", null, String.class);
+
+    /**
+     * vCenter TLS certificate thumbprint used by virt-v2v VDDK mode, passed as <code>-io vddk-thumbprint=&lt;value&gt;</code>.
+     * If unset, the KVM host computes it at runtime from the vCenter endpoint.
+     * Data type: String.<br>
+     * Default value: <code>null</code>
+     */
+    public static final Property<String> VDDK_THUMBPRINT = new Property<>("vddk.thumbprint", null, String.class);
+
     /**
      * BGP controll CIDR
      * Data type: String.<br>
@@ -885,6 +909,11 @@ public Property<Integer> getWorkers() {
      */
     public static final Property<Boolean> CREATE_FULL_CLONE = new Property<>("create.full.clone", false);
 
+    /**
+     * Time, in seconds, to wait before retrying to rebase during the incremental snapshot process.
+     * */
+    public static final Property<Integer> INCREMENTAL_SNAPSHOT_RETRY_REBASE_WAIT = new Property<>("incremental.snapshot.retry.rebase.wait", 60);
+
 
     public static class Property <T>{
         private String name;
diff --git a/api/src/main/java/com/cloud/agent/api/to/BucketTO.java b/api/src/main/java/com/cloud/agent/api/to/BucketTO.java
index f7e4bfea80fb..fd8237998a74 100644
--- a/api/src/main/java/com/cloud/agent/api/to/BucketTO.java
+++ b/api/src/main/java/com/cloud/agent/api/to/BucketTO.java
@@ -26,10 +26,13 @@ public final class BucketTO {
 
     private String secretKey;
 
+    private long accountId;
+
     public BucketTO(Bucket bucket) {
         this.name = bucket.getName();
         this.accessKey = bucket.getAccessKey();
         this.secretKey = bucket.getSecretKey();
+        this.accountId = bucket.getAccountId();
     }
 
     public BucketTO(String name) {
@@ -47,4 +50,8 @@ public String getAccessKey() {
     public String getSecretKey() {
         return this.secretKey;
     }
+
+    public long getAccountId() {
+        return this.accountId;
+    }
 }
diff --git a/api/src/main/java/com/cloud/agent/api/to/NicTO.java b/api/src/main/java/com/cloud/agent/api/to/NicTO.java
index ca95fcfd6790..2ed7d9f9a201 100644
--- a/api/src/main/java/com/cloud/agent/api/to/NicTO.java
+++ b/api/src/main/java/com/cloud/agent/api/to/NicTO.java
@@ -33,6 +33,7 @@ public class NicTO extends NetworkTO {
     boolean dpdkEnabled;
     Integer mtu;
     Long networkId;
+    boolean enabled;
 
     String networkSegmentName;
 
@@ -154,4 +155,12 @@ public String getNetworkSegmentName() {
     public void setNetworkSegmentName(String networkSegmentName) {
         this.networkSegmentName = networkSegmentName;
     }
+
+    public boolean isEnabled() {
+        return enabled;
+    }
+
+    public void setEnabled(boolean enabled) {
+        this.enabled = enabled;
+    }
 }
diff --git a/api/src/main/java/com/cloud/agent/api/to/RemoteInstanceTO.java b/api/src/main/java/com/cloud/agent/api/to/RemoteInstanceTO.java
index 18737c584b34..7daeb9649177 100644
--- a/api/src/main/java/com/cloud/agent/api/to/RemoteInstanceTO.java
+++ b/api/src/main/java/com/cloud/agent/api/to/RemoteInstanceTO.java
@@ -36,13 +36,17 @@ public class RemoteInstanceTO implements Serializable {
     private String vcenterPassword;
     private String vcenterHost;
     private String datacenterName;
+    private String clusterName;
+    private String hostName;
 
     public RemoteInstanceTO() {
     }
 
-    public RemoteInstanceTO(String instanceName) {
+    public RemoteInstanceTO(String instanceName, String clusterName, String hostName) {
         this.hypervisorType = Hypervisor.HypervisorType.VMware;
         this.instanceName = instanceName;
+        this.clusterName = clusterName;
+        this.hostName = hostName;
     }
 
     public RemoteInstanceTO(String instanceName, String instancePath, String vcenterHost, String vcenterUsername, String vcenterPassword, String datacenterName) {
@@ -55,6 +59,12 @@ public RemoteInstanceTO(String instanceName, String instancePath, String vcenter
         this.datacenterName = datacenterName;
     }
 
+    public RemoteInstanceTO(String instanceName, String instancePath, String vcenterHost, String vcenterUsername, String vcenterPassword, String datacenterName, String clusterName, String hostName) {
+        this(instanceName, instancePath, vcenterHost, vcenterUsername, vcenterPassword, datacenterName);
+        this.clusterName = clusterName;
+        this.hostName = hostName;
+    }
+
     public Hypervisor.HypervisorType getHypervisorType() {
         return this.hypervisorType;
     }
@@ -82,4 +92,12 @@ public String getVcenterHost() {
     public String getDatacenterName() {
         return datacenterName;
     }
+
+    public String getClusterName() {
+        return clusterName;
+    }
+
+    public String getHostName() {
+        return hostName;
+    }
 }
diff --git a/api/src/main/java/com/cloud/agent/api/to/VirtualMachineTO.java b/api/src/main/java/com/cloud/agent/api/to/VirtualMachineTO.java
index e26cc1e9f029..9af6c731fd24 100644
--- a/api/src/main/java/com/cloud/agent/api/to/VirtualMachineTO.java
+++ b/api/src/main/java/com/cloud/agent/api/to/VirtualMachineTO.java
@@ -51,6 +51,7 @@ public class VirtualMachineTO {
 
     private long minRam;
     private long maxRam;
+    private long requestedRam;
     private String hostName;
     private String arch;
     private String os;
@@ -207,15 +208,20 @@ public long getMinRam() {
         return minRam;
     }
 
-    public void setRam(long minRam, long maxRam) {
+    public void setRam(long minRam, long maxRam, long requestedRam) {
         this.minRam = minRam;
         this.maxRam = maxRam;
+        this.requestedRam = requestedRam;
     }
 
     public long getMaxRam() {
         return maxRam;
     }
 
+    public long getRequestedRam() {
+        return requestedRam;
+    }
+
     public String getHostName() {
         return hostName;
     }
diff --git a/api/src/main/java/com/cloud/agent/manager/allocator/HostAllocator.java b/api/src/main/java/com/cloud/agent/manager/allocator/HostAllocator.java
index 604720aaa290..5d028d31d5b6 100644
--- a/api/src/main/java/com/cloud/agent/manager/allocator/HostAllocator.java
+++ b/api/src/main/java/com/cloud/agent/manager/allocator/HostAllocator.java
@@ -22,19 +22,11 @@
 import com.cloud.deploy.DeploymentPlanner.ExcludeList;
 import com.cloud.host.Host;
 import com.cloud.host.Host.Type;
-import com.cloud.offering.ServiceOffering;
 import com.cloud.utils.component.Adapter;
-import com.cloud.vm.VirtualMachine;
 import com.cloud.vm.VirtualMachineProfile;
 
 public interface HostAllocator extends Adapter {
 
-    /**
-     * @param UserVm vm
-     * @param ServiceOffering offering
-     **/
-    boolean isVirtualMachineUpgradable(final VirtualMachine vm, final ServiceOffering offering);
-
     /**
     * Determines which physical hosts are suitable to
     * allocate the guest virtual machines on
@@ -49,31 +41,6 @@ public interface HostAllocator extends Adapter {
 
     public List<Host> allocateTo(VirtualMachineProfile vmProfile, DeploymentPlan plan, Type type, ExcludeList avoid, int returnUpTo);
 
-    /**
-     * Determines which physical hosts are suitable to allocate the guest
-     * virtual machines on
-     *
-     * Allocators must set any other hosts not considered for allocation in the
-     * ExcludeList avoid. Thus the avoid set and the list of hosts suitable,
-     * together must cover the entire host set in the cluster.
-     *
-     * @param VirtualMachineProfile
-     *            vmProfile
-     * @param DeploymentPlan
-     *            plan
-     * @param GuestType
-     *            type
-     * @param ExcludeList
-     *            avoid
-     * @param int returnUpTo (use -1 to return all possible hosts)
-     * @param boolean considerReservedCapacity (default should be true, set to
-     *        false if host capacity calculation should not look at reserved
-     *        capacity)
-     * @return List<Host> List of hosts that are suitable for VM allocation
-     **/
-
-    public List<Host> allocateTo(VirtualMachineProfile vmProfile, DeploymentPlan plan, Type type, ExcludeList avoid, int returnUpTo, boolean considerReservedCapacity);
-
     /**
      * Determines which physical hosts are suitable to allocate the guest
      * virtual machines on
diff --git a/api/src/main/java/com/cloud/deploy/DeploymentPlanner.java b/api/src/main/java/com/cloud/deploy/DeploymentPlanner.java
index 8f7e773070f0..22d796d4a775 100644
--- a/api/src/main/java/com/cloud/deploy/DeploymentPlanner.java
+++ b/api/src/main/java/com/cloud/deploy/DeploymentPlanner.java
@@ -70,7 +70,7 @@ public interface DeploymentPlanner extends Adapter {
     boolean canHandle(VirtualMachineProfile vm, DeploymentPlan plan, ExcludeList avoid);
 
     public enum AllocationAlgorithm {
-        random, firstfit, userdispersing;
+        random, firstfit, userdispersing, firstfitleastconsumed;
     }
 
     public enum PlannerResourceUsage {
diff --git a/api/src/main/java/com/cloud/ha/Investigator.java b/api/src/main/java/com/cloud/ha/Investigator.java
index 88d802a1ce44..00371d395f5a 100644
--- a/api/src/main/java/com/cloud/ha/Investigator.java
+++ b/api/src/main/java/com/cloud/ha/Investigator.java
@@ -26,17 +26,19 @@ public interface Investigator extends Adapter {
      * Returns if the vm is still alive.
      *
      * @param vm to work on.
+     * @return true if vm is alive, otherwise false
      */
-    public boolean isVmAlive(VirtualMachine vm, Host host) throws UnknownVM;
+    boolean isVmAlive(VirtualMachine vm, Host host) throws UnknownVM;
 
-    public Status isAgentAlive(Host agent);
+    /**
+     * Returns the agent status of the host.
+     *
+     * @param host
+     * @return status of the host agent
+     */
+    Status getHostAgentStatus(Host host);
 
     class UnknownVM extends Exception {
-
-        /**
-         *
-         */
         private static final long serialVersionUID = 1L;
-
     };
 }
diff --git a/api/src/main/java/com/cloud/host/Host.java b/api/src/main/java/com/cloud/host/Host.java
index 9c011bac3190..b52348201516 100644
--- a/api/src/main/java/com/cloud/host/Host.java
+++ b/api/src/main/java/com/cloud/host/Host.java
@@ -57,6 +57,9 @@ public static String[] toStrings(Host.Type... types) {
     String HOST_UEFI_ENABLE = "host.uefi.enable";
     String HOST_VOLUME_ENCRYPTION = "host.volume.encryption";
     String HOST_INSTANCE_CONVERSION = "host.instance.conversion";
+    String HOST_VDDK_SUPPORT = "host.vddk.support";
+    String HOST_VDDK_LIB_DIR = "vddk.lib.dir";
+    String HOST_VDDK_VERSION = "host.vddk.version";
     String HOST_OVFTOOL_VERSION = "host.ovftool.version";
     String HOST_VIRTV2V_VERSION = "host.virtv2v.version";
     String HOST_SSH_PORT = "host.ssh.port";
diff --git a/api/src/main/java/com/cloud/network/Network.java b/api/src/main/java/com/cloud/network/Network.java
index 0846306f70f9..e41eb880ffd5 100644
--- a/api/src/main/java/com/cloud/network/Network.java
+++ b/api/src/main/java/com/cloud/network/Network.java
@@ -510,4 +510,6 @@ public void setIp6Address(String ip6Address) {
     Integer getPrivateMtu();
 
     Integer getNetworkCidrSize();
+
+    boolean getKeepMacAddressOnPublicNic();
 }
diff --git a/api/src/main/java/com/cloud/network/NetworkProfile.java b/api/src/main/java/com/cloud/network/NetworkProfile.java
index 2e8efb489308..d690344a0e38 100644
--- a/api/src/main/java/com/cloud/network/NetworkProfile.java
+++ b/api/src/main/java/com/cloud/network/NetworkProfile.java
@@ -385,6 +385,11 @@ public Integer getNetworkCidrSize() {
         return networkCidrSize;
     }
 
+    @Override
+    public boolean getKeepMacAddressOnPublicNic() {
+        return true;
+    }
+
     @Override
     public String toString() {
         return String.format("NetworkProfile %s",
diff --git a/api/src/main/java/com/cloud/network/vpc/Vpc.java b/api/src/main/java/com/cloud/network/vpc/Vpc.java
index b94089d2d433..a0686e2bf7d0 100644
--- a/api/src/main/java/com/cloud/network/vpc/Vpc.java
+++ b/api/src/main/java/com/cloud/network/vpc/Vpc.java
@@ -107,4 +107,6 @@ public enum State {
     String getIp6Dns2();
 
     boolean useRouterIpAsResolver();
+
+    boolean getKeepMacAddressOnPublicNic();
 }
diff --git a/api/src/main/java/com/cloud/network/vpc/VpcService.java b/api/src/main/java/com/cloud/network/vpc/VpcService.java
index c1546609d2b7..3d0ba43263f5 100644
--- a/api/src/main/java/com/cloud/network/vpc/VpcService.java
+++ b/api/src/main/java/com/cloud/network/vpc/VpcService.java
@@ -58,7 +58,7 @@ public interface VpcService {
      */
     Vpc createVpc(long zoneId, long vpcOffId, long vpcOwnerId, String vpcName, String displayText, String cidr, String networkDomain,
                   String ip4Dns1, String ip4Dns2, String ip6Dns1, String ip6Dns2, Boolean displayVpc, Integer publicMtu, Integer cidrSize,
-                  Long asNumber, List<Long> bgpPeerIds, Boolean useVrIpResolver) throws ResourceAllocationException;
+                  Long asNumber, List<Long> bgpPeerIds, Boolean useVrIpResolver, boolean keepMacAddressOnPublicNic) throws ResourceAllocationException;
 
     /**
      * Persists VPC record in the database
@@ -104,7 +104,7 @@ Vpc createVpc(long zoneId, long vpcOffId, long vpcOwnerId, String vpcName, Strin
      * @throws ResourceUnavailableException if during restart some resources may not be available
      * @throws InsufficientCapacityException if for instance no address space, compute or storage is sufficiently available
      */
-    Vpc updateVpc(long vpcId, String vpcName, String displayText, String customId, Boolean displayVpc, Integer mtu, String sourceNatIp) throws ResourceUnavailableException, InsufficientCapacityException;
+    Vpc updateVpc(long vpcId, String vpcName, String displayText, String customId, Boolean displayVpc, Integer mtu, String sourceNatIp, Boolean keepMacAddressOnPublicNic) throws ResourceUnavailableException, InsufficientCapacityException;
 
     /**
      * Lists VPC(s) based on the parameters passed to the API call
diff --git a/api/src/main/java/com/cloud/projects/ProjectService.java b/api/src/main/java/com/cloud/projects/ProjectService.java
index 5080cb5a7812..d11e9ae0446d 100644
--- a/api/src/main/java/com/cloud/projects/ProjectService.java
+++ b/api/src/main/java/com/cloud/projects/ProjectService.java
@@ -82,7 +82,7 @@ public interface ProjectService {
 
     Project updateProject(long id, String name, String displayText, String newOwnerName, Long userId, Role newRole) throws ResourceAllocationException;
 
-    boolean addAccountToProject(long projectId, String accountName, String email, Long projectRoleId, Role projectRoleType);
+    boolean addAccountToProject(long projectId, String accountName, String email, Long projectRoleId, Role projectRoleType) throws ResourceAllocationException;
 
     boolean deleteAccountFromProject(long projectId, String accountName);
 
@@ -100,6 +100,6 @@ public interface ProjectService {
 
     Project findByProjectAccountIdIncludingRemoved(long projectAccountId);
 
-    boolean addUserToProject(Long projectId, String username, String email, Long projectRoleId, Role projectRole);
+    boolean addUserToProject(Long projectId, String username, String email, Long projectRoleId, Role projectRole) throws ResourceAllocationException;
 
 }
diff --git a/api/src/main/java/com/cloud/server/ManagementService.java b/api/src/main/java/com/cloud/server/ManagementService.java
index 51737546ffad..bcca229c06bc 100644
--- a/api/src/main/java/com/cloud/server/ManagementService.java
+++ b/api/src/main/java/com/cloud/server/ManagementService.java
@@ -71,7 +71,6 @@
 import org.apache.cloudstack.api.command.user.vmgroup.UpdateVMGroupCmd;
 import org.apache.cloudstack.config.Configuration;
 import org.apache.cloudstack.config.ConfigurationGroup;
-import org.apache.cloudstack.framework.config.ConfigKey;
 
 import com.cloud.alert.Alert;
 import com.cloud.capacity.Capacity;
@@ -108,14 +107,6 @@
 public interface ManagementService {
     static final String Name = "management-server";
 
-    ConfigKey<Boolean> JsInterpretationEnabled = new ConfigKey<>("Hidden"
-            , Boolean.class
-            , "js.interpretation.enabled"
-            , "false"
-            , "Enable/Disable all JavaScript interpretation related functionalities to create or update Javascript rules."
-            , false
-            , ConfigKey.Scope.Global);
-
     /**
      * returns the a map of the names/values in the configuration table
      *
@@ -534,6 +525,4 @@ VirtualMachine upgradeSystemVM(ScaleSystemVMCmd cmd) throws ResourceUnavailableE
 
     boolean removeManagementServer(RemoveManagementServerCmd cmd);
 
-    void checkJsInterpretationAllowedIfNeededForParameterValue(String paramName, boolean paramValue);
-
 }
diff --git a/api/src/main/java/com/cloud/storage/VMTemplateStorageResourceAssoc.java b/api/src/main/java/com/cloud/storage/VMTemplateStorageResourceAssoc.java
index db702a61f2bc..7d5b2d7c57d7 100644
--- a/api/src/main/java/com/cloud/storage/VMTemplateStorageResourceAssoc.java
+++ b/api/src/main/java/com/cloud/storage/VMTemplateStorageResourceAssoc.java
@@ -23,9 +23,10 @@
 
 public interface VMTemplateStorageResourceAssoc extends InternalIdentity {
     public static enum Status {
-        UNKNOWN, DOWNLOAD_ERROR, NOT_DOWNLOADED, DOWNLOAD_IN_PROGRESS, DOWNLOADED, ABANDONED, UPLOADED, NOT_UPLOADED, UPLOAD_ERROR, UPLOAD_IN_PROGRESS, CREATING, CREATED, BYPASSED
+        UNKNOWN, DOWNLOAD_ERROR, NOT_DOWNLOADED, DOWNLOAD_IN_PROGRESS, DOWNLOADED, ABANDONED, LIMIT_REACHED, UPLOADED, NOT_UPLOADED, UPLOAD_ERROR, UPLOAD_IN_PROGRESS, CREATING, CREATED, BYPASSED
     }
 
+    List<Status> ERROR_DOWNLOAD_STATES = List.of(Status.DOWNLOAD_ERROR, Status.ABANDONED, Status.LIMIT_REACHED, Status.UNKNOWN);
     List<Status> PENDING_DOWNLOAD_STATES = List.of(Status.NOT_DOWNLOADED, Status.DOWNLOAD_IN_PROGRESS);
 
     String getInstallPath();
diff --git a/api/src/main/java/com/cloud/user/AccountService.java b/api/src/main/java/com/cloud/user/AccountService.java
index 30919e5b782f..4145e2b89eb3 100644
--- a/api/src/main/java/com/cloud/user/AccountService.java
+++ b/api/src/main/java/com/cloud/user/AccountService.java
@@ -138,6 +138,8 @@ User createUser(String userName, String password, String firstName, String lastN
 
     Long finalizeAccountId(String accountName, Long domainId, Long projectId, boolean enabledOnly);
 
+    Long finalizeAccountId(Long accountId, String accountName, Long domainId, Long projectId);
+
     /**
      * returns the user account object for a given user id
      * @param userId user id
diff --git a/api/src/main/java/com/cloud/user/ResourceLimitService.java b/api/src/main/java/com/cloud/user/ResourceLimitService.java
index 738e593582b4..9c493fb383c9 100644
--- a/api/src/main/java/com/cloud/user/ResourceLimitService.java
+++ b/api/src/main/java/com/cloud/user/ResourceLimitService.java
@@ -30,6 +30,7 @@
 import com.cloud.offering.DiskOffering;
 import com.cloud.offering.ServiceOffering;
 import com.cloud.template.VirtualMachineTemplate;
+import org.apache.cloudstack.resourcelimit.Reserver;
 
 public interface ResourceLimitService {
 
@@ -191,6 +192,7 @@ public interface ResourceLimitService {
      */
     public void checkResourceLimit(Account account, ResourceCount.ResourceType type, long... count) throws ResourceAllocationException;
     public void checkResourceLimitWithTag(Account account, ResourceCount.ResourceType type, String tag, long... count) throws ResourceAllocationException;
+    public void checkResourceLimitWithTag(Account account, Long domainId, boolean considerSystemAccount, ResourceCount.ResourceType type, String tag, long... count) throws ResourceAllocationException;
 
     /**
      * Gets the count of resources for a resource type and account
@@ -251,12 +253,12 @@ public interface ResourceLimitService {
     List<String> getResourceLimitStorageTags(DiskOffering diskOffering);
     void updateTaggedResourceLimitsAndCountsForAccounts(List<AccountResponse> responses, String tag);
     void updateTaggedResourceLimitsAndCountsForDomains(List<DomainResponse> responses, String tag);
-    void checkVolumeResourceLimit(Account owner, Boolean display, Long size, DiskOffering diskOffering) throws ResourceAllocationException;
-
+    void checkVolumeResourceLimit(Account owner, Boolean display, Long size, DiskOffering diskOffering, List<Reserver> reservations) throws ResourceAllocationException;
+    List<String> getResourceLimitStorageTagsForResourceCountOperation(Boolean display, DiskOffering diskOffering);
     void checkVolumeResourceLimitForDiskOfferingChange(Account owner, Boolean display, Long currentSize, Long newSize,
-            DiskOffering currentOffering, DiskOffering newOffering) throws ResourceAllocationException;
+            DiskOffering currentOffering, DiskOffering newOffering, List<Reserver> reservations) throws ResourceAllocationException;
 
-    void checkPrimaryStorageResourceLimit(Account owner, Boolean display, Long size, DiskOffering diskOffering) throws ResourceAllocationException;
+    void checkPrimaryStorageResourceLimit(Account owner, Boolean display, Long size, DiskOffering diskOffering, List<Reserver> reservations) throws ResourceAllocationException;
 
     void incrementVolumeResourceCount(long accountId, Boolean display, Long size, DiskOffering diskOffering);
     void decrementVolumeResourceCount(long accountId, Boolean display, Long size, DiskOffering diskOffering);
@@ -273,25 +275,23 @@ void updateVolumeResourceCountForDiskOfferingChange(long accountId, Boolean disp
 
     void incrementVolumePrimaryStorageResourceCount(long accountId, Boolean display, Long size, DiskOffering diskOffering);
     void decrementVolumePrimaryStorageResourceCount(long accountId, Boolean display, Long size, DiskOffering diskOffering);
-    void checkVmResourceLimit(Account owner, Boolean display, ServiceOffering serviceOffering, VirtualMachineTemplate template) throws ResourceAllocationException;
+    void checkVmResourceLimit(Account owner, Boolean display, ServiceOffering serviceOffering, VirtualMachineTemplate template, List<Reserver> reservations) throws ResourceAllocationException;
     void incrementVmResourceCount(long accountId, Boolean display, ServiceOffering serviceOffering, VirtualMachineTemplate template);
     void decrementVmResourceCount(long accountId, Boolean display, ServiceOffering serviceOffering, VirtualMachineTemplate template);
 
     void checkVmResourceLimitsForServiceOfferingChange(Account owner, Boolean display, Long currentCpu, Long newCpu,
-            Long currentMemory, Long newMemory, ServiceOffering currentOffering, ServiceOffering newOffering, VirtualMachineTemplate template) throws ResourceAllocationException;
+            Long currentMemory, Long newMemory, ServiceOffering currentOffering, ServiceOffering newOffering, VirtualMachineTemplate template, List<Reserver> reservations) throws ResourceAllocationException;
 
     void checkVmResourceLimitsForTemplateChange(Account owner, Boolean display, ServiceOffering offering,
-            VirtualMachineTemplate currentTemplate, VirtualMachineTemplate newTemplate) throws ResourceAllocationException;
+            VirtualMachineTemplate currentTemplate, VirtualMachineTemplate newTemplate, List<Reserver> reservations) throws ResourceAllocationException;
 
-    void checkVmCpuResourceLimit(Account owner, Boolean display, ServiceOffering serviceOffering, VirtualMachineTemplate template, Long cpu) throws ResourceAllocationException;
     void incrementVmCpuResourceCount(long accountId, Boolean display, ServiceOffering serviceOffering, VirtualMachineTemplate template, Long cpu);
     void decrementVmCpuResourceCount(long accountId, Boolean display, ServiceOffering serviceOffering, VirtualMachineTemplate template, Long cpu);
-    void checkVmMemoryResourceLimit(Account owner, Boolean display, ServiceOffering serviceOffering, VirtualMachineTemplate template, Long memory) throws ResourceAllocationException;
     void incrementVmMemoryResourceCount(long accountId, Boolean display, ServiceOffering serviceOffering, VirtualMachineTemplate template, Long memory);
     void decrementVmMemoryResourceCount(long accountId, Boolean display, ServiceOffering serviceOffering, VirtualMachineTemplate template, Long memory);
 
-    void checkVmGpuResourceLimit(Account owner, Boolean display, ServiceOffering serviceOffering, VirtualMachineTemplate template, Long gpu) throws ResourceAllocationException;
     void incrementVmGpuResourceCount(long accountId, Boolean display, ServiceOffering serviceOffering, VirtualMachineTemplate template, Long gpu);
     void decrementVmGpuResourceCount(long accountId, Boolean display, ServiceOffering serviceOffering, VirtualMachineTemplate template, Long gpu);
 
+    long recalculateDomainResourceCount(final long domainId, final ResourceType type, String tag);
 }
diff --git a/api/src/main/java/com/cloud/vm/Nic.java b/api/src/main/java/com/cloud/vm/Nic.java
index afc44b8d39fa..cc0b294205ca 100644
--- a/api/src/main/java/com/cloud/vm/Nic.java
+++ b/api/src/main/java/com/cloud/vm/Nic.java
@@ -162,4 +162,6 @@ public enum ReservationStrategy {
     String getIPv6Address();
 
     Integer getMtu();
+
+    boolean isEnabled();
 }
diff --git a/api/src/main/java/com/cloud/vm/NicProfile.java b/api/src/main/java/com/cloud/vm/NicProfile.java
index a0c80ceb1bfb..d3ed7b4b87d2 100644
--- a/api/src/main/java/com/cloud/vm/NicProfile.java
+++ b/api/src/main/java/com/cloud/vm/NicProfile.java
@@ -52,6 +52,7 @@ public class NicProfile implements InternalIdentity, Serializable {
     boolean defaultNic;
     Integer networkRate;
     boolean isSecurityGroupEnabled;
+    boolean enabled;
 
     Integer orderIndex;
 
@@ -87,6 +88,7 @@ public NicProfile(Nic nic, Network network, URI broadcastUri, URI isolationUri,
         broadcastType = network.getBroadcastDomainType();
         trafficType = network.getTrafficType();
         format = nic.getAddressFormat();
+        enabled = nic.isEnabled();
 
         iPv4Address = nic.getIPv4Address();
         iPv4Netmask = nic.getIPv4Netmask();
@@ -414,6 +416,14 @@ public void setIpv4AllocationRaceCheck(boolean ipv4AllocationRaceCheck) {
         this.ipv4AllocationRaceCheck = ipv4AllocationRaceCheck;
     }
 
+    public boolean isEnabled() {
+        return enabled;
+    }
+
+    public void setEnabled(boolean enabled) {
+        this.enabled = enabled;
+    }
+
     //
     // OTHER METHODS
     //
diff --git a/api/src/main/java/com/cloud/vm/UserVmService.java b/api/src/main/java/com/cloud/vm/UserVmService.java
index 01f11b73cd41..67aa0534a5f3 100644
--- a/api/src/main/java/com/cloud/vm/UserVmService.java
+++ b/api/src/main/java/com/cloud/vm/UserVmService.java
@@ -40,6 +40,7 @@
 import org.apache.cloudstack.api.command.user.vm.StartVMCmd;
 import org.apache.cloudstack.api.command.user.vm.UpdateDefaultNicForVMCmd;
 import org.apache.cloudstack.api.command.user.vm.UpdateVMCmd;
+import org.apache.cloudstack.api.command.user.vm.UpdateVmNicCmd;
 import org.apache.cloudstack.api.command.user.vm.UpdateVmNicIpCmd;
 import org.apache.cloudstack.api.command.user.vm.UpgradeVMCmd;
 import org.apache.cloudstack.api.command.user.vmgroup.CreateVMGroupCmd;
@@ -152,6 +153,8 @@ void startVirtualMachineForHA(VirtualMachine vm, Map<VirtualMachineProfile.Param
      */
     UserVm updateNicIpForVirtualMachine(UpdateVmNicIpCmd cmd);
 
+    UserVm updateVirtualMachineNic(UpdateVmNicCmd cmd);
+
     UserVm recoverVirtualMachine(RecoverVMCmd cmd) throws ResourceAllocationException;
 
     /**
@@ -524,6 +527,7 @@ UserVm upgradeVirtualMachine(ScaleVMCmd cmd) throws ResourceUnavailableException
      * @param userId user ID
      * @param serviceOffering service offering for the imported VM
      * @param sshPublicKey ssh key for the imported VM
+     * @param guestOsId guest OS ID for the imported VM (if not passed, then the guest OS of the template will be used)
      * @param hostName the name for the imported VM
      * @param hypervisorType hypervisor type for the imported VM
      * @param customParameters details for the imported VM
@@ -533,7 +537,7 @@ UserVm upgradeVirtualMachine(ScaleVMCmd cmd) throws ResourceUnavailableException
      * @throws InsufficientCapacityException in case of errors
      */
     UserVm importVM(final DataCenter zone, final Host host, final VirtualMachineTemplate template, final String instanceNameInternal, final String displayName, final Account owner, final String userData, final Account caller, final Boolean isDisplayVm, final String keyboard,
-                    final long accountId, final long userId, final ServiceOffering serviceOffering, final String sshPublicKey,
+                    final long accountId, final long userId, final ServiceOffering serviceOffering, final String sshPublicKey, final Long guestOsId,
                     final String hostName, final HypervisorType hypervisorType, final Map<String, String> customParameters,
                     final VirtualMachine.PowerState powerState, final LinkedHashMap<String, List<NicProfile>> networkNicMap) throws InsufficientCapacityException;
 
diff --git a/api/src/main/java/com/cloud/vm/VirtualMachine.java b/api/src/main/java/com/cloud/vm/VirtualMachine.java
index d244de7115e8..41c9a864c9d0 100644
--- a/api/src/main/java/com/cloud/vm/VirtualMachine.java
+++ b/api/src/main/java/com/cloud/vm/VirtualMachine.java
@@ -124,6 +124,9 @@ public static StateMachine2<State, VirtualMachine.Event, VirtualMachine> getStat
             s_fsm.addTransition(new Transition<State, Event>(State.Stopping, VirtualMachine.Event.StopRequested, State.Stopping, null));
             s_fsm.addTransition(new Transition<State, Event>(State.Stopping, VirtualMachine.Event.AgentReportShutdowned, State.Stopped, Arrays.asList(new Impact[]{Impact.USAGE})));
             s_fsm.addTransition(new Transition<State, Event>(State.Expunging, VirtualMachine.Event.OperationFailed, State.Expunging,null));
+            // Note: In addition to the Stopped -> Error transition for failed VM creation,
+            // a VM can also transition from Expunging to Error on OperationFailedToError.
+            s_fsm.addTransition(new Transition<State, Event>(State.Expunging, VirtualMachine.Event.OperationFailedToError, State.Error, null));
             s_fsm.addTransition(new Transition<State, Event>(State.Expunging, VirtualMachine.Event.ExpungeOperation, State.Expunging,null));
             s_fsm.addTransition(new Transition<State, Event>(State.Error, VirtualMachine.Event.DestroyRequested, State.Expunging, null));
             s_fsm.addTransition(new Transition<State, Event>(State.Error, VirtualMachine.Event.ExpungeOperation, State.Expunging, null));
diff --git a/api/src/main/java/org/apache/cloudstack/api/ApiCommandResourceType.java b/api/src/main/java/org/apache/cloudstack/api/ApiCommandResourceType.java
index 4d33ba859a5b..e2ebb242cbf2 100644
--- a/api/src/main/java/org/apache/cloudstack/api/ApiCommandResourceType.java
+++ b/api/src/main/java/org/apache/cloudstack/api/ApiCommandResourceType.java
@@ -127,8 +127,8 @@ public String toString() {
     }
 
     public static ApiCommandResourceType fromString(String value) {
-        if (StringUtils.isNotEmpty(value) && EnumUtils.isValidEnum(ApiCommandResourceType.class, value)) {
-            return valueOf(value);
+        if (StringUtils.isNotBlank(value) && EnumUtils.isValidEnumIgnoreCase(ApiCommandResourceType.class, value)) {
+            return EnumUtils.getEnumIgnoreCase(ApiCommandResourceType.class, value);
         }
         return null;
     }
diff --git a/api/src/main/java/org/apache/cloudstack/api/ApiConstants.java b/api/src/main/java/org/apache/cloudstack/api/ApiConstants.java
index 3d827641358b..4d4ead277e5d 100644
--- a/api/src/main/java/org/apache/cloudstack/api/ApiConstants.java
+++ b/api/src/main/java/org/apache/cloudstack/api/ApiConstants.java
@@ -20,6 +20,7 @@ public class ApiConstants {
     public static final String ACCOUNT = "account";
     public static final String ACCOUNTS = "accounts";
     public static final String ACCOUNT_NAME = "accountname";
+    public static final String ACCOUNT_STATE_TO_SHOW = "accountstatetoshow";
     public static final String ACCOUNT_TYPE = "accounttype";
     public static final String ACCOUNT_ID = "accountid";
     public static final String ACCOUNT_IDS = "accountids";
@@ -156,6 +157,7 @@ public class ApiConstants {
     public static final String CUSTOM_ID = "customid";
     public static final String CUSTOM_ACTION_ID = "customactionid";
     public static final String CUSTOM_JOB_ID = "customjobid";
+    public static final String CURRENCY = "currency";
     public static final String CURRENT_START_IP = "currentstartip";
     public static final String CURRENT_END_IP = "currentendip";
     public static final String ENCRYPT = "encrypt";
@@ -508,6 +510,7 @@ public class ApiConstants {
     public static final String REPAIR = "repair";
     public static final String REPETITION_ALLOWED = "repetitionallowed";
     public static final String REQUIRES_HVM = "requireshvm";
+    public static final String RESERVED_RESOURCE_DETAILS = "reservedresourcedetails";
     public static final String RESOURCES = "resources";
     public static final String RESOURCE_COUNT = "resourcecount";
     public static final String RESOURCE_NAME = "resourcename";
@@ -524,7 +527,6 @@ public class ApiConstants {
     public static final String SCHEDULE = "schedule";
     public static final String SCHEDULE_ID = "scheduleid";
     public static final String SCOPE = "scope";
-    public static final String USER_SECRET_KEY = "usersecretkey";
     public static final String SEARCH_BASE = "searchbase";
     public static final String SECONDARY_IP = "secondaryip";
     public static final String SECURITY_GROUP_IDS = "securitygroupids";
@@ -540,6 +542,7 @@ public class ApiConstants {
     public static final String SESSIONKEY = "sessionkey";
     public static final String SHOW_CAPACITIES = "showcapacities";
     public static final String SHOW_REMOVED = "showremoved";
+    public static final String SHOW_RESOURCES = "showresources";
     public static final String SHOW_RESOURCE_ICON = "showicon";
     public static final String SHOW_INACTIVE = "showinactive";
     public static final String SHOW_UNIQUE = "showunique";
@@ -605,9 +608,11 @@ public class ApiConstants {
     public static final String TENANT_NAME = "tenantname";
     public static final String TOTAL = "total";
     public static final String TOTAL_SUBNETS = "totalsubnets";
+    public static final String TOTAL_QUOTA = "totalquota";
     public static final String TYPE = "type";
     public static final String TRUST_STORE = "truststore";
     public static final String TRUST_STORE_PASSWORD = "truststorepass";
+    public static final String UNIT = "unit";
     public static final String URL = "url";
     public static final String USAGE_INTERFACE = "usageinterface";
     public static final String USED = "used";
@@ -628,6 +633,8 @@ public class ApiConstants {
     public static final String USERNAME = "username";
     public static final String USER_CONFIGURABLE = "userconfigurable";
     public static final String USER_SECURITY_GROUP_LIST = "usersecuritygrouplist";
+    public static final String USER_SECRET_KEY = "usersecretkey";
+    public static final String USE_VDDK = "usevddk";
     public static final String USE_VIRTUAL_NETWORK = "usevirtualnetwork";
     public static final String USE_VIRTUAL_ROUTER_IP_RESOLVER = "userouteripresolver";
     public static final String UPDATE_IN_SEQUENCE = "updateinsequence";
@@ -1297,6 +1304,8 @@ public class ApiConstants {
     public static final String OBJECT_LOCKING = "objectlocking";
     public static final String ENCRYPTION = "encryption";
     public static final String QUOTA = "quota";
+    public static final String QUOTA_CONSUMED = "quotaconsumed";
+    public static final String QUOTA_USAGE = "quotausage";
     public static final String ACCESS_KEY = "accesskey";
 
     public static final String SOURCE_NAT_IP = "sourcenatipaddress";
@@ -1347,6 +1356,13 @@ public class ApiConstants {
     public static final String OBJECT_STORAGE_LIMIT = "objectstoragelimit";
     public static final String OBJECT_STORAGE_TOTAL = "objectstoragetotal";
 
+    public static final String KEEP_MAC_ADDRESS_ON_PUBLIC_NIC = "keepmacaddressonpublicnic";
+
+    public static final String PARAMETER_DESCRIPTION_KEEP_MAC_ADDRESS_ON_PUBLIC_NIC =
+            "Indicates whether to use the same MAC address for the public NIC of VRs on the same network. If \"true\", when creating redundant routers or recreating" +
+                    " a VR, CloudStack will use the same MAC address for the public NIC of all VRs. Otherwise, if \"false\", new public NICs will always have " +
+                    " a new MAC address.";
+
     public static final String PARAMETER_DESCRIPTION_ACTIVATION_RULE = "Quota tariff's activation rule. It can receive a JS script that results in either " +
             "a boolean or a numeric value: if it results in a boolean value, the tariff value will be applied according to the result; if it results in a numeric value, the " +
             "numeric value will be applied; if the result is neither a boolean nor a numeric value, the tariff will not be applied. If the rule is not informed, the tariff " +
diff --git a/api/src/main/java/org/apache/cloudstack/api/BaseCmd.java b/api/src/main/java/org/apache/cloudstack/api/BaseCmd.java
index e495cf284130..00b1bc310d5a 100644
--- a/api/src/main/java/org/apache/cloudstack/api/BaseCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/BaseCmd.java
@@ -27,7 +27,6 @@
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
-import java.util.UUID;
 import java.util.regex.Pattern;
 
 import javax.inject.Inject;
@@ -504,12 +503,6 @@ public Map<String, String> convertExternalDetailsToMap(Map externalDetails) {
     }
 
     public String getResourceUuid(String parameterName) {
-        UUID resourceUuid = CallContext.current().getApiResourceUuid(parameterName);
-
-        if (resourceUuid != null) {
-            return resourceUuid.toString();
-        }
-
-        return null;
+        return CallContext.current().getApiResourceUuid(parameterName);
     }
 }
diff --git a/api/src/main/java/org/apache/cloudstack/api/ResponseGenerator.java b/api/src/main/java/org/apache/cloudstack/api/ResponseGenerator.java
index 338c1e738dfc..b0738cf78e16 100644
--- a/api/src/main/java/org/apache/cloudstack/api/ResponseGenerator.java
+++ b/api/src/main/java/org/apache/cloudstack/api/ResponseGenerator.java
@@ -343,6 +343,8 @@ public interface ResponseGenerator {
 
     UserVm findUserVmById(Long vmId);
 
+    UserVm findUserVmByNicId(Long nicId);
+
     Volume findVolumeById(Long volumeId);
 
     Account findAccountByNameDomain(String accountName, Long domainId);
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/admin/ca/ProvisionCertificateCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/admin/ca/ProvisionCertificateCmd.java
index 6deaea22ac6c..d333a74fdb3b 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/admin/ca/ProvisionCertificateCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/admin/ca/ProvisionCertificateCmd.java
@@ -63,6 +63,12 @@ public class ProvisionCertificateCmd extends BaseAsyncCmd {
             description = "Name of the CA service provider, otherwise the default configured provider plugin will be used")
     private String provider;
 
+    @Parameter(name = ApiConstants.FORCED, type = CommandType.BOOLEAN,
+            description = "When true, uses SSH to re-provision the agent's certificate, bypassing the NIO agent connection. " +
+            "Use this when agents are disconnected due to a CA change. Supported for KVM hosts and SystemVMs. Default is false",
+            since = "4.23.0")
+    private Boolean forced;
+
     /////////////////////////////////////////////////////
     /////////////////// Accessors ///////////////////////
     /////////////////////////////////////////////////////
@@ -79,6 +85,10 @@ public String getProvider() {
         return provider;
     }
 
+    public boolean isForced() {
+        return forced != null && forced;
+    }
+
     /////////////////////////////////////////////////////
     /////////////// API Implementation///////////////////
     /////////////////////////////////////////////////////
@@ -90,7 +100,7 @@ public void execute() {
             throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Unable to find host by ID: " + getHostId());
         }
 
-        boolean result = caManager.provisionCertificate(host, getReconnect(), getProvider());
+        boolean result = caManager.provisionCertificate(host, getReconnect(), getProvider(), isForced());
         SuccessResponse response = new SuccessResponse(getCommandName());
         response.setSuccess(result);
         setResponseObject(response);
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/admin/ha/ConfigureHAForHostCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/admin/ha/ConfigureHAForHostCmd.java
index 6804e4355ca8..cb427e659495 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/admin/ha/ConfigureHAForHostCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/admin/ha/ConfigureHAForHostCmd.java
@@ -87,6 +87,7 @@ private void setupResponse(final boolean result, final String resourceUuid) {
         final HostHAResponse response = new HostHAResponse();
         response.setId(resourceUuid);
         response.setProvider(getHaProvider().toLowerCase());
+        response.setStatus(result);
         response.setResponseName(getCommandName());
         setResponseObject(response);
     }
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/admin/host/FindHostsForMigrationCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/admin/host/FindHostsForMigrationCmd.java
index abca619f82a7..4d6ef7419616 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/admin/host/FindHostsForMigrationCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/admin/host/FindHostsForMigrationCmd.java
@@ -78,7 +78,7 @@ public void execute() {
         for (Host host : result.first()) {
             HostForMigrationResponse hostResponse = _responseGenerator.createHostForMigrationResponse(host);
             Boolean suitableForMigration = false;
-            if (hostsWithCapacity.contains(host)) {
+            if (hostsWithCapacity != null && hostsWithCapacity.contains(host)) {
                 suitableForMigration = true;
             }
             hostResponse.setSuitableForMigration(suitableForMigration);
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/admin/host/ListHostsCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/admin/host/ListHostsCmd.java
index e202dfad77ba..8f5e6c784d6e 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/admin/host/ListHostsCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/admin/host/ListHostsCmd.java
@@ -252,7 +252,7 @@ protected ListResponse<HostResponse> getHostResponses() {
             for (Host host : result.first()) {
                 HostResponse hostResponse = _responseGenerator.createHostResponse(host, getDetails());
                 Boolean suitableForMigration = false;
-                if (hostsWithCapacity.contains(host)) {
+                if (hostsWithCapacity != null && hostsWithCapacity.contains(host)) {
                     suitableForMigration = true;
                 }
                 hostResponse.setSuitableForMigration(suitableForMigration);
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/admin/user/GetUserCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/admin/user/GetUserCmd.java
index 3427cef33661..a3dcf08c3a31 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/admin/user/GetUserCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/admin/user/GetUserCmd.java
@@ -22,7 +22,7 @@
 import org.apache.cloudstack.api.BaseCmd;
 import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.response.UserResponse;
-
+import org.apache.cloudstack.api.ApiArgValidator;
 import com.cloud.exception.InvalidParameterValueException;
 import com.cloud.user.UserAccount;
 
@@ -35,7 +35,7 @@ public class GetUserCmd extends BaseCmd {
     //////////////// API parameters /////////////////////
     /////////////////////////////////////////////////////
 
-    @Parameter(name = ApiConstants.USER_API_KEY, type = CommandType.STRING, required = true, description = "API key of the user")
+    @Parameter(name = ApiConstants.USER_API_KEY, type = CommandType.STRING, required = true, description = "API key of the user", validations = {ApiArgValidator.NotNullOrEmpty})
     private String apiKey;
 
     /////////////////////////////////////////////////////
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/admin/vm/ImportVmCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/admin/vm/ImportVmCmd.java
index f7940460d6cd..db7dcc3fb44f 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/admin/vm/ImportVmCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/admin/vm/ImportVmCmd.java
@@ -30,6 +30,7 @@
 import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.ResponseObject;
 import org.apache.cloudstack.api.ServerApiException;
+import org.apache.cloudstack.api.response.GuestOSResponse;
 import org.apache.cloudstack.api.response.HostResponse;
 import org.apache.cloudstack.api.response.NetworkResponse;
 import org.apache.cloudstack.api.response.StoragePoolResponse;
@@ -171,6 +172,21 @@ public class ImportVmCmd extends ImportUnmanagedInstanceCmd {
             description = "(only for importing VMs from VMware to KVM) optional - if true, forces virt-v2v conversions to write directly on the provided storage pool (avoid using temporary conversion pool).")
     private Boolean forceConvertToPool;
 
+    @Parameter(name = ApiConstants.OS_ID,
+            type = CommandType.UUID,
+            entityType = GuestOSResponse.class,
+            since = "4.22.1",
+            description = "(only for importing VMs from VMware to KVM) optional - the ID of the guest OS for the imported VM.")
+    private Long guestOsId;
+
+    @Parameter(name = ApiConstants.USE_VDDK,
+            type = CommandType.BOOLEAN,
+            since = "4.22.1",
+            description = "(only for importing VMs from VMware to KVM) optional - if true, uses VDDK on the KVM conversion host for converting the VM. " +
+                    "This parameter is mutually exclusive with " + ApiConstants.FORCE_MS_TO_IMPORT_VM_FILES + ".")
+    private Boolean useVddk;
+
+
     /////////////////////////////////////////////////////
     /////////////////// Accessors ///////////////////////
     /////////////////////////////////////////////////////
@@ -247,6 +263,10 @@ public Long getStoragePoolId() {
         return storagePoolId;
     }
 
+    public boolean getUseVddk() {
+        return BooleanUtils.toBooleanDefaultIfNull(useVddk, true);
+    }
+
     public String getTmpPath() {
         return tmpPath;
     }
@@ -268,6 +288,10 @@ public boolean getForceConvertToPool() {
         return BooleanUtils.toBooleanDefaultIfNull(forceConvertToPool, false);
     }
 
+    public Long getGuestOsId() {
+        return guestOsId;
+    }
+
     @Override
     public String getEventDescription() {
         String vmName = getName();
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/user/account/AddAccountToProjectCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/user/account/AddAccountToProjectCmd.java
index 85e7b0af3193..63a0a6ca51e9 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/user/account/AddAccountToProjectCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/user/account/AddAccountToProjectCmd.java
@@ -18,6 +18,7 @@
 
 import java.util.List;
 
+import com.cloud.exception.ResourceAllocationException;
 import org.apache.cloudstack.api.ApiArgValidator;
 import org.apache.cloudstack.api.ApiCommandResourceType;
 import org.apache.cloudstack.api.BaseCmd;
@@ -106,7 +107,7 @@ public ProjectAccount.Role getRoleType() {
     /////////////////////////////////////////////////////
 
     @Override
-    public void execute() {
+    public void execute() throws ResourceAllocationException {
         if (accountName == null && email == null) {
             throw new InvalidParameterValueException("Either accountName or email is required");
         }
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/user/account/AddUserToProjectCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/user/account/AddUserToProjectCmd.java
index 69832d4dfdc9..683522039b17 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/user/account/AddUserToProjectCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/user/account/AddUserToProjectCmd.java
@@ -17,6 +17,7 @@
 
 package org.apache.cloudstack.api.command.user.account;
 
+import com.cloud.exception.ResourceAllocationException;
 import org.apache.cloudstack.acl.RoleType;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiArgValidator;
@@ -111,7 +112,7 @@ public String getEventDescription() {
     /////////////////////////////////////////////////////
 
     @Override
-    public void execute()  {
+    public void execute() throws ResourceAllocationException {
         validateInput();
         boolean result = _projectService.addUserToProject(getProjectId(),  getUsername(), getEmail(), getProjectRoleId(), getRoleType());
         if (result) {
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/user/backup/RestoreVolumeFromBackupAndAttachToVMCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/user/backup/RestoreVolumeFromBackupAndAttachToVMCmd.java
index 703a1b2e8802..4644687817df 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/user/backup/RestoreVolumeFromBackupAndAttachToVMCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/user/backup/RestoreVolumeFromBackupAndAttachToVMCmd.java
@@ -20,6 +20,7 @@
 import javax.inject.Inject;
 
 import org.apache.cloudstack.acl.RoleType;
+import org.apache.cloudstack.api.ACL;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.ApiErrorCode;
@@ -53,6 +54,7 @@ public class RestoreVolumeFromBackupAndAttachToVMCmd extends BaseAsyncCmd {
     //////////////// API parameters /////////////////////
     /////////////////////////////////////////////////////
 
+    @ACL
     @Parameter(name = ApiConstants.BACKUP_ID,
             type = CommandType.UUID,
             entityType = BackupResponse.class,
@@ -60,12 +62,14 @@ public class RestoreVolumeFromBackupAndAttachToVMCmd extends BaseAsyncCmd {
             description = "ID of the Instance backup")
     private Long backupId;
 
+    @ACL
     @Parameter(name = ApiConstants.VOLUME_ID,
             type = CommandType.STRING,
             required = true,
             description = "ID of the volume backed up")
     private String volumeUuid;
 
+    @ACL
     @Parameter(name = ApiConstants.VIRTUAL_MACHINE_ID,
             type = CommandType.UUID,
             entityType = UserVmResponse.class,
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/user/bucket/DeleteBucketCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/user/bucket/DeleteBucketCmd.java
index 4a9a0569c3b8..abbb1760f9d2 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/user/bucket/DeleteBucketCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/user/bucket/DeleteBucketCmd.java
@@ -17,6 +17,7 @@
 package org.apache.cloudstack.api.command.user.bucket;
 
 import com.cloud.exception.ConcurrentOperationException;
+import com.cloud.exception.ResourceAllocationException;
 import org.apache.cloudstack.acl.RoleType;
 import org.apache.cloudstack.storage.object.Bucket;
 import com.cloud.user.Account;
@@ -82,7 +83,7 @@ public ApiCommandResourceType getApiResourceType() {
     }
 
     @Override
-    public void execute() throws ConcurrentOperationException {
+    public void execute() throws ConcurrentOperationException, ResourceAllocationException {
         CallContext.current().setEventDetails("Bucket ID: " + getResourceUuid(ApiConstants.ID));
         boolean result = _bucketService.deleteBucket(id, CallContext.current().getCallingAccount());
         SuccessResponse response = new SuccessResponse(getCommandName());
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/user/guest/ListGuestOsCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/user/guest/ListGuestOsCmd.java
index 4ff2ebf0a667..d558e4c4f245 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/user/guest/ListGuestOsCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/user/guest/ListGuestOsCmd.java
@@ -45,6 +45,11 @@ public class ListGuestOsCmd extends BaseListCmd {
     @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = GuestOSResponse.class, description = "List by OS type ID")
     private Long id;
 
+    @Parameter(name = ApiConstants.IDS, type = CommandType.LIST, collectionType = CommandType.UUID,
+            entityType = GuestOSResponse.class, since = "4.22.1",
+            description = "Comma separated list of OS types")
+    private List<Long> ids;
+
     @Parameter(name = ApiConstants.OS_CATEGORY_ID, type = CommandType.UUID, entityType = GuestOSCategoryResponse.class, description = "List by OS Category ID")
     private Long osCategoryId;
 
@@ -63,6 +68,10 @@ public Long getId() {
         return id;
     }
 
+    public List<Long> getIds() {
+        return ids;
+    }
+
     public Long getOsCategoryId() {
         return osCategoryId;
     }
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/user/job/ListAsyncJobsCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/user/job/ListAsyncJobsCmd.java
index b55d1b234f19..2c8401831132 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/user/job/ListAsyncJobsCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/user/job/ListAsyncJobsCmd.java
@@ -19,6 +19,7 @@
 import java.util.Date;
 
 import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.ApiArgValidator;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.BaseListAccountResourcesCmd;
 import org.apache.cloudstack.api.Parameter;
@@ -40,6 +41,12 @@ public class ListAsyncJobsCmd extends BaseListAccountResourcesCmd {
     @Parameter(name = ApiConstants.MANAGEMENT_SERVER_ID, type = CommandType.UUID, entityType = ManagementServerResponse.class, description = "The id of the management server", since="4.19")
     private Long managementServerId;
 
+    @Parameter(name = ApiConstants.RESOURCE_ID, validations = {ApiArgValidator.UuidString}, type = CommandType.STRING, description = "the ID of the resource associated with the job", since="4.22.1")
+    private String resourceId;
+
+    @Parameter(name = ApiConstants.RESOURCE_TYPE, type = CommandType.STRING, description = "the type of the resource associated with the job", since="4.22.1")
+    private String resourceType;
+
     /////////////////////////////////////////////////////
     /////////////////// Accessors ///////////////////////
     /////////////////////////////////////////////////////
@@ -52,6 +59,14 @@ public Long getManagementServerId() {
         return managementServerId;
     }
 
+    public String getResourceId() {
+        return resourceId;
+    }
+
+    public String getResourceType() {
+        return resourceType;
+    }
+
     /////////////////////////////////////////////////////
     /////////////// API Implementation///////////////////
     /////////////////////////////////////////////////////
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/user/job/QueryAsyncJobResultCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/user/job/QueryAsyncJobResultCmd.java
index 93a443757212..5c3b0084574b 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/user/job/QueryAsyncJobResultCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/user/job/QueryAsyncJobResultCmd.java
@@ -16,8 +16,8 @@
 // under the License.
 package org.apache.cloudstack.api.command.user.job;
 
-
 import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.ApiArgValidator;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.BaseCmd;
 import org.apache.cloudstack.api.Parameter;
@@ -34,9 +34,15 @@ public class QueryAsyncJobResultCmd extends BaseCmd {
     //////////////// API parameters /////////////////////
     /////////////////////////////////////////////////////
 
-    @Parameter(name = ApiConstants.JOB_ID, type = CommandType.UUID, entityType = AsyncJobResponse.class, required = true, description = "The ID of the asynchronous job")
+    @Parameter(name = ApiConstants.JOB_ID, type = CommandType.UUID, entityType = AsyncJobResponse.class, description = "The ID of the asynchronous job")
     private Long id;
 
+    @Parameter(name = ApiConstants.RESOURCE_ID, validations = {ApiArgValidator.UuidString}, type = CommandType.STRING, description = "the ID of the resource associated with the job", since="4.22.1")
+    private String resourceId;
+
+    @Parameter(name = ApiConstants.RESOURCE_TYPE, type = CommandType.STRING, description = "the type of the resource associated with the job", since="4.22.1")
+    private String resourceType;
+
     /////////////////////////////////////////////////////
     /////////////////// Accessors ///////////////////////
     /////////////////////////////////////////////////////
@@ -45,6 +51,14 @@ public Long getId() {
         return id;
     }
 
+    public String getResourceId() {
+        return resourceId;
+    }
+
+    public String getResourceType() {
+        return resourceType;
+    }
+
     /////////////////////////////////////////////////////
     /////////////// API Implementation///////////////////
     /////////////////////////////////////////////////////
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/user/network/CreateNetworkCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/user/network/CreateNetworkCmd.java
index cbf6df081b3b..ee5b8568e835 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/user/network/CreateNetworkCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/user/network/CreateNetworkCmd.java
@@ -199,6 +199,11 @@ public class CreateNetworkCmd extends BaseCmd implements UserCmd {
     @Parameter(name=ApiConstants.AS_NUMBER, type=CommandType.LONG, since = "4.20.0", description="the AS Number of the network")
     private Long asNumber;
 
+    @Parameter(name = ApiConstants.KEEP_MAC_ADDRESS_ON_PUBLIC_NIC,
+            description = ApiConstants.PARAMETER_DESCRIPTION_KEEP_MAC_ADDRESS_ON_PUBLIC_NIC,
+            type = CommandType.BOOLEAN, since = "4.23.0", authorized = {RoleType.Admin})
+    private Boolean keepMacAddressOnPublicNic;
+
     /////////////////////////////////////////////////////
     /////////////////// Accessors ///////////////////////
     /////////////////////////////////////////////////////
@@ -286,6 +291,10 @@ public String getSourceNatIP() {
         return sourceNatIP;
     }
 
+    public Boolean getKeepMacAddressOnPublicNic() {
+        return keepMacAddressOnPublicNic;
+    }
+
     @Override
     public boolean isDisplay() {
         if(displayNetwork == null)
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/user/network/UpdateNetworkCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/user/network/UpdateNetworkCmd.java
index 2e638f1e2f76..7b6841d60976 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/user/network/UpdateNetworkCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/user/network/UpdateNetworkCmd.java
@@ -105,6 +105,11 @@ public class UpdateNetworkCmd extends BaseAsyncCustomIdCmd implements UserCmd {
     @Parameter(name = ApiConstants.SOURCE_NAT_IP, type = CommandType.STRING, description = "IPV4 address to be assigned to the public interface of the network router. This address must already be acquired for this network", since = "4.19")
     private String sourceNatIP;
 
+    @Parameter(name = ApiConstants.KEEP_MAC_ADDRESS_ON_PUBLIC_NIC,
+            description = ApiConstants.PARAMETER_DESCRIPTION_KEEP_MAC_ADDRESS_ON_PUBLIC_NIC,
+            type = CommandType.BOOLEAN, since = "4.23.0", authorized = {RoleType.Admin})
+    private Boolean keepMacAddressOnPublicNic;
+
     /////////////////////////////////////////////////////
     /////////////////// Accessors ///////////////////////
     /////////////////////////////////////////////////////
@@ -186,6 +191,10 @@ public String getSourceNatIP() {
         return sourceNatIP;
     }
 
+    public Boolean getKeepMacAddressOnPublicNic() {
+        return keepMacAddressOnPublicNic;
+    }
+
     /////////////////////////////////////////////////////
     /////////////// API Implementation///////////////////
     /////////////////////////////////////////////////////
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/user/vm/CreateVMFromBackupCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/user/vm/CreateVMFromBackupCmd.java
index e17ba9c2d705..a719062e1bca 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/user/vm/CreateVMFromBackupCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/user/vm/CreateVMFromBackupCmd.java
@@ -51,6 +51,7 @@ public class CreateVMFromBackupCmd extends BaseDeployVMCmd {
     //////////////// API parameters /////////////////////
     /////////////////////////////////////////////////////
 
+    @ACL
     @Parameter(name = ApiConstants.BACKUP_ID,
             type = CommandType.UUID,
             entityType = BackupResponse.class,
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/user/vm/UpdateVmNicCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/user/vm/UpdateVmNicCmd.java
new file mode 100644
index 000000000000..363273a4670d
--- /dev/null
+++ b/api/src/main/java/org/apache/cloudstack/api/command/user/vm/UpdateVmNicCmd.java
@@ -0,0 +1,95 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.api.command.user.vm;
+
+import org.apache.cloudstack.acl.RoleType;
+import org.apache.cloudstack.api.ACL;
+import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.ApiErrorCode;
+import org.apache.cloudstack.api.BaseAsyncCmd;
+import org.apache.cloudstack.api.Parameter;
+import org.apache.cloudstack.api.ResponseObject;
+import org.apache.cloudstack.api.ServerApiException;
+import org.apache.cloudstack.api.response.NicResponse;
+import org.apache.cloudstack.api.response.UserVmResponse;
+import org.apache.cloudstack.context.CallContext;
+
+import com.cloud.event.EventTypes;
+import com.cloud.user.Account;
+import com.cloud.uservm.UserVm;
+
+import java.util.ArrayList;
+import java.util.EnumSet;
+
+@APICommand(name = "updateVmNic", description = "Updates the specified VM NIC", responseObject = NicResponse.class, requestHasSensitiveInfo = false, responseHasSensitiveInfo = false,
+        authorized = { RoleType.Admin, RoleType.ResourceAdmin, RoleType.DomainAdmin, RoleType.User })
+public class UpdateVmNicCmd extends BaseAsyncCmd {
+
+    @ACL
+    @Parameter(name = ApiConstants.NIC_ID, type = CommandType.UUID, entityType = NicResponse.class, required = true, description = "NIC ID")
+    private Long nicId;
+
+    @Parameter(name = ApiConstants.ENABLED, type = CommandType.BOOLEAN, description = "If true, sets the NIC state to UP; otherwise, sets the NIC state to DOWN")
+    private Boolean enabled;
+
+    public Long getNicId() {
+        return nicId;
+    }
+
+    public Boolean isEnabled() {
+        return enabled;
+    }
+
+    @Override
+    public String getEventType() {
+        return EventTypes.EVENT_NIC_UPDATE;
+    }
+
+    @Override
+    public String getEventDescription() {
+        return String.format("Updating NIC %s.", getResourceUuid(ApiConstants.NIC_ID));
+    }
+
+    @Override
+    public long getEntityOwnerId() {
+        UserVm vm = _responseGenerator.findUserVmByNicId(nicId);
+        if (vm == null) {
+            return Account.ACCOUNT_ID_SYSTEM;
+        }
+        return vm.getAccountId();
+    }
+
+    @Override
+    public void execute() {
+        CallContext.current().setEventDetails(String.format("NIC ID: %s", getResourceUuid(ApiConstants.NIC_ID)));
+
+        UserVm result = _userVmService.updateVirtualMachineNic(this);
+
+        ArrayList<ApiConstants.VMDetails> dc = new ArrayList<>();
+        dc.add(ApiConstants.VMDetails.valueOf("nics"));
+        EnumSet<ApiConstants.VMDetails> details = EnumSet.copyOf(dc);
+
+        if (result != null){
+            UserVmResponse response = _responseGenerator.createUserVmResponse(ResponseObject.ResponseView.Restricted, "virtualmachine", details, result).get(0);
+            response.setResponseName(getCommandName());
+            this.setResponseObject(response);
+        } else {
+            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to update NIC from VM.");
+        }
+    }
+}
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java
index 5bcf3a141178..78de05648486 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java
@@ -32,6 +32,7 @@
 import org.apache.cloudstack.api.response.DomainResponse;
 import org.apache.cloudstack.api.response.ProjectResponse;
 import org.apache.cloudstack.api.response.SnapshotResponse;
+import org.apache.cloudstack.api.response.StoragePoolResponse;
 import org.apache.cloudstack.api.response.UserVmResponse;
 import org.apache.cloudstack.api.response.VolumeResponse;
 import org.apache.cloudstack.api.response.ZoneResponse;
@@ -109,6 +110,13 @@ public class CreateVolumeCmd extends BaseAsyncCreateCustomIdCmd implements UserC
                description = "The ID of the Instance; to be used with snapshot Id, Instance to which the volume gets attached after creation")
     private Long virtualMachineId;
 
+    @Parameter(name = ApiConstants.STORAGE_ID,
+            type = CommandType.UUID,
+            entityType = StoragePoolResponse.class,
+            description = "Storage pool ID to create the volume in. Cannot be used with the snapshotid parameter.",
+            authorized = {RoleType.Admin})
+    private Long storageId;
+
     /////////////////////////////////////////////////////
     /////////////////// Accessors ///////////////////////
     /////////////////////////////////////////////////////
@@ -153,6 +161,13 @@ private Long getProjectId() {
         return projectId;
     }
 
+    public Long getStorageId() {
+        if (snapshotId != null && storageId != null) {
+            throw new IllegalArgumentException("StorageId parameter cannot be specified with the SnapshotId parameter.");
+        }
+        return storageId;
+    }
+
     public Boolean getDisplayVolume() {
         return displayVolume;
     }
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/user/vpc/CreateStaticRouteCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/user/vpc/CreateStaticRouteCmd.java
index 11930bcbab61..9b5d25aa0ddb 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/user/vpc/CreateStaticRouteCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/user/vpc/CreateStaticRouteCmd.java
@@ -46,7 +46,6 @@ public class CreateStaticRouteCmd extends BaseAsyncCreateCmd {
     @Parameter(name = ApiConstants.GATEWAY_ID,
                type = CommandType.UUID,
                entityType = PrivateGatewayResponse.class,
-               required = true,
                description = "The gateway ID we are creating static route for. Mutually exclusive with the nexthop parameter")
     private Long gatewayId;
 
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/user/vpc/CreateVPCCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/user/vpc/CreateVPCCmd.java
index 2adbbd664085..86309d7f28a5 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/user/vpc/CreateVPCCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/user/vpc/CreateVPCCmd.java
@@ -130,6 +130,11 @@ public class CreateVPCCmd extends BaseAsyncCreateCmd implements UserCmd {
             description="(optional) for NSX based VPCs: when set to true, use the VR IP as nameserver, otherwise use DNS1 and DNS2")
     private Boolean useVrIpResolver;
 
+    @Parameter(name = ApiConstants.KEEP_MAC_ADDRESS_ON_PUBLIC_NIC,
+            description = ApiConstants.PARAMETER_DESCRIPTION_KEEP_MAC_ADDRESS_ON_PUBLIC_NIC,
+            type = CommandType.BOOLEAN, since = "4.23.0", authorized = {RoleType.Admin})
+    private boolean keepMacAddressOnPublicNic = true;
+
     // ///////////////////////////////////////////////////
     // ///////////////// Accessors ///////////////////////
     // ///////////////////////////////////////////////////
@@ -214,6 +219,10 @@ public boolean getUseVrIpResolver() {
         return BooleanUtils.toBoolean(useVrIpResolver);
     }
 
+    public boolean getKeepMacAddressOnPublicNic() {
+        return keepMacAddressOnPublicNic;
+    }
+
     /////////////////////////////////////////////////////
     /////////////// API Implementation///////////////////
     /////////////////////////////////////////////////////
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/user/vpc/UpdateVPCCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/user/vpc/UpdateVPCCmd.java
index f2327c9073f3..6cfdb895977d 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/user/vpc/UpdateVPCCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/user/vpc/UpdateVPCCmd.java
@@ -69,6 +69,11 @@ public class UpdateVPCCmd extends BaseAsyncCustomIdCmd implements UserCmd {
             since = "4.19")
     private String sourceNatIP;
 
+    @Parameter(name = ApiConstants.KEEP_MAC_ADDRESS_ON_PUBLIC_NIC,
+            description = ApiConstants.PARAMETER_DESCRIPTION_KEEP_MAC_ADDRESS_ON_PUBLIC_NIC,
+            type = CommandType.BOOLEAN, since = "4.23.0", authorized = {RoleType.Admin})
+    private Boolean keepMacAddressOnPublicNic;
+
     /////////////////////////////////////////////////////
     /////////////////// Accessors ///////////////////////
     /////////////////////////////////////////////////////
@@ -97,6 +102,10 @@ public String getSourceNatIP() {
         return sourceNatIP;
     }
 
+    public Boolean getKeepMacAddressOnPublicNic() {
+        return keepMacAddressOnPublicNic;
+    }
+
     /////////////////////////////////////////////////////
     /////////////// API Implementation///////////////////
     /////////////////////////////////////////////////////
diff --git a/api/src/main/java/org/apache/cloudstack/api/response/ExtensionResponse.java b/api/src/main/java/org/apache/cloudstack/api/response/ExtensionResponse.java
index fdf1e87df506..911839da405f 100644
--- a/api/src/main/java/org/apache/cloudstack/api/response/ExtensionResponse.java
+++ b/api/src/main/java/org/apache/cloudstack/api/response/ExtensionResponse.java
@@ -85,6 +85,12 @@ public class ExtensionResponse extends BaseResponse {
     @Param(description = "Removal timestamp of the extension, if applicable")
     private Date removed;
 
+    @SerializedName(ApiConstants.RESERVED_RESOURCE_DETAILS)
+    @Param(description = "Resource detail names as comma separated string that should be reserved and not visible " +
+                    "to end users",
+            since = "4.22.1")
+    protected String reservedResourceDetails;
+
     public ExtensionResponse(String id, String name, String description, String type) {
         this.id = id;
         this.name = name;
@@ -179,4 +185,8 @@ public Date getRemoved() {
     public void setRemoved(Date removed) {
         this.removed = removed;
     }
+
+    public void setReservedResourceDetails(String reservedResourceDetails) {
+        this.reservedResourceDetails = reservedResourceDetails;
+    }
 }
diff --git a/api/src/main/java/org/apache/cloudstack/api/response/NetworkResponse.java b/api/src/main/java/org/apache/cloudstack/api/response/NetworkResponse.java
index 7c4b733a80f5..3a3663af2551 100644
--- a/api/src/main/java/org/apache/cloudstack/api/response/NetworkResponse.java
+++ b/api/src/main/java/org/apache/cloudstack/api/response/NetworkResponse.java
@@ -331,6 +331,10 @@ public class NetworkResponse extends BaseResponseWithAssociatedNetwork implement
     @Param(description = "The BGP peers for the network", since = "4.20.0")
     private Set<BgpPeerResponse> bgpPeers;
 
+    @SerializedName(ApiConstants.KEEP_MAC_ADDRESS_ON_PUBLIC_NIC)
+    @Param(description = ApiConstants.PARAMETER_DESCRIPTION_KEEP_MAC_ADDRESS_ON_PUBLIC_NIC, since = "4.23.0")
+    private Boolean keepMacAddressOnPublicNic;
+
     public NetworkResponse() {}
 
     public Boolean getDisplayNetwork() {
@@ -702,4 +706,8 @@ public void setIpv6Dns1(String ipv6Dns1) {
     public void setIpv6Dns2(String ipv6Dns2) {
         this.ipv6Dns2 = ipv6Dns2;
     }
+
+    public void setKeepMacAddressOnPublicNic(Boolean keepMacAddressOnPublicNic) {
+        this.keepMacAddressOnPublicNic = keepMacAddressOnPublicNic;
+    }
 }
diff --git a/api/src/main/java/org/apache/cloudstack/api/response/NicResponse.java b/api/src/main/java/org/apache/cloudstack/api/response/NicResponse.java
index f992514b8db2..92f25e370fb4 100644
--- a/api/src/main/java/org/apache/cloudstack/api/response/NicResponse.java
+++ b/api/src/main/java/org/apache/cloudstack/api/response/NicResponse.java
@@ -146,6 +146,10 @@ public class NicResponse extends BaseResponse {
     @Param(description = "Public IP address associated with this NIC via Static NAT rule")
     private String publicIp;
 
+    @SerializedName(ApiConstants.ENABLED)
+    @Param(description = "whether the NIC is enabled or not")
+    private Boolean isEnabled;
+
     public void setVmId(String vmId) {
         this.vmId = vmId;
     }
@@ -416,4 +420,12 @@ public void setPublicIpId(String publicIpId) {
     public void setPublicIp(String publicIp) {
         this.publicIp = publicIp;
     }
+
+    public Boolean getEnabled() {
+        return isEnabled;
+    }
+
+    public void setEnabled(Boolean enabled) {
+        isEnabled = enabled;
+    }
 }
diff --git a/api/src/main/java/org/apache/cloudstack/api/response/UnmanagedInstanceResponse.java b/api/src/main/java/org/apache/cloudstack/api/response/UnmanagedInstanceResponse.java
index 195323b741d2..3f2dc045e87c 100644
--- a/api/src/main/java/org/apache/cloudstack/api/response/UnmanagedInstanceResponse.java
+++ b/api/src/main/java/org/apache/cloudstack/api/response/UnmanagedInstanceResponse.java
@@ -51,6 +51,14 @@ public class UnmanagedInstanceResponse extends BaseResponse {
     @Param(description = "The name of the host to which Instance belongs")
     private String hostName;
 
+    @SerializedName(ApiConstants.HYPERVISOR)
+    @Param(description = "The hypervisor to which Instance belongs")
+    private String hypervisor;
+
+    @SerializedName(ApiConstants.HYPERVISOR_VERSION)
+    @Param(description = "The hypervisor version of the host to which Instance belongs")
+    private String hypervisorVersion;
+
     @SerializedName(ApiConstants.POWER_STATE)
     @Param(description = "The power state of the Instance")
     private String  powerState;
@@ -140,6 +148,22 @@ public void setHostName(String hostName) {
         this.hostName = hostName;
     }
 
+    public String getHypervisor() {
+        return hypervisor;
+    }
+
+    public void setHypervisor(String hypervisor) {
+        this.hypervisor = hypervisor;
+    }
+
+    public String getHypervisorVersion() {
+        return hypervisorVersion;
+    }
+
+    public void setHypervisorVersion(String hypervisorVersion) {
+        this.hypervisorVersion = hypervisorVersion;
+    }
+
     public String getPowerState() {
         return powerState;
     }
diff --git a/api/src/main/java/org/apache/cloudstack/api/response/VpcResponse.java b/api/src/main/java/org/apache/cloudstack/api/response/VpcResponse.java
index acfabb113502..34d50d5b9f92 100644
--- a/api/src/main/java/org/apache/cloudstack/api/response/VpcResponse.java
+++ b/api/src/main/java/org/apache/cloudstack/api/response/VpcResponse.java
@@ -185,6 +185,10 @@ public class VpcResponse extends BaseResponseWithAnnotations implements Controll
     @Param(description = "The BGP peers for the VPC", since = "4.20.0")
     private Set<BgpPeerResponse> bgpPeers;
 
+    @SerializedName(ApiConstants.KEEP_MAC_ADDRESS_ON_PUBLIC_NIC)
+    @Param(description = ApiConstants.PARAMETER_DESCRIPTION_KEEP_MAC_ADDRESS_ON_PUBLIC_NIC, since = "4.23.0")
+    private Boolean keepMacAddressOnPublicNic;
+
     public void setId(final String id) {
         this.id = id;
     }
@@ -366,4 +370,8 @@ public void addBgpPeer(BgpPeerResponse bgpPeer) {
         }
         this.bgpPeers.add(bgpPeer);
     }
+
+    public void setKeepMacAddressOnPublicNic(Boolean keepMacAddressOnPublicNic) {
+        this.keepMacAddressOnPublicNic = keepMacAddressOnPublicNic;
+    }
 }
diff --git a/api/src/main/java/org/apache/cloudstack/backup/BackupManager.java b/api/src/main/java/org/apache/cloudstack/backup/BackupManager.java
index 6c0121a3e4d8..0da11bbd651a 100644
--- a/api/src/main/java/org/apache/cloudstack/backup/BackupManager.java
+++ b/api/src/main/java/org/apache/cloudstack/backup/BackupManager.java
@@ -235,7 +235,7 @@ public interface BackupManager extends BackupService, Configurable, PluggableSer
      * @param forced Indicates if backup will be force removed or not
      * @return returns operation success
      */
-    boolean deleteBackup(final Long backupId, final Boolean forced);
+    boolean deleteBackup(final Long backupId, final Boolean forced) throws ResourceAllocationException;
 
     void validateBackupForZone(Long zoneId);
 
diff --git a/api/src/main/java/org/apache/cloudstack/ca/CAManager.java b/api/src/main/java/org/apache/cloudstack/ca/CAManager.java
index b0fb1ac73c21..d2ebdc25f1bd 100644
--- a/api/src/main/java/org/apache/cloudstack/ca/CAManager.java
+++ b/api/src/main/java/org/apache/cloudstack/ca/CAManager.java
@@ -23,6 +23,8 @@
 import java.util.List;
 import java.util.Map;
 
+import com.trilead.ssh2.Connection;
+
 import org.apache.cloudstack.framework.ca.CAProvider;
 import org.apache.cloudstack.framework.ca.CAService;
 import org.apache.cloudstack.framework.ca.Certificate;
@@ -39,7 +41,10 @@ public interface CAManager extends CAService, Configurable, PluggableService {
     ConfigKey<String> CAProviderPlugin = new ConfigKey<>("Advanced", String.class,
             "ca.framework.provider.plugin",
             "root",
-            "The CA provider plugin that is used for secure CloudStack management server-agent communication for encryption and authentication. Restart management server(s) when changed.", true);
+            "The CA provider plugin used for CloudStack internal certificate management (MS-agent encryption and authentication). " +
+            "The default 'root' provider auto-generates a CA on first startup, but also supports user-provided custom CA material " +
+            "via the ca.plugin.root.private.key, ca.plugin.root.public.key, and ca.plugin.root.ca.certificate settings. " +
+            "Restart management server(s) when changed.", false);
 
     ConfigKey<Integer> CertKeySize = new ConfigKey<>("Advanced", Integer.class,
                                     "ca.framework.cert.keysize",
@@ -85,6 +90,12 @@ public interface CAManager extends CAService, Configurable, PluggableService {
                     "The actual implementation will depend on the configured CA provider.",
             false);
 
+    ConfigKey<Boolean> CaInjectDefaultTruststore = new ConfigKey<>("Advanced", Boolean.class,
+            "ca.framework.inject.default.truststore", "true",
+            "When true, injects the CA provider's certificate into the JVM default truststore on management server startup. " +
+            "This allows outgoing HTTPS connections from the management server to trust servers with certificates signed by the configured CA. " +
+            "Restart management server(s) when changed.", false);
+
     /**
      * Returns a list of available CA provider plugins
      * @return returns list of CAProvider
@@ -130,12 +141,26 @@ public interface CAManager extends CAService, Configurable, PluggableService {
     boolean revokeCertificate(final BigInteger certSerial, final String certCn, final String provider);
 
     /**
-     * Provisions certificate for given active and connected agent host
+     * Provisions certificate for given agent host.
+     * When forced=true, uses SSH to re-provision bypassing the NIO agent connection (for disconnected agents).
      * @param host
+     * @param reconnect
      * @param provider
+     * @param forced when true, provisions via SSH instead of NIO; supports KVM hosts and SystemVMs
      * @return returns success/failure as boolean
      */
-    boolean provisionCertificate(final Host host, final Boolean reconnect, final String provider);
+    boolean provisionCertificate(final Host host, final Boolean reconnect, final String provider, final boolean forced);
+
+    /**
+     * Provisions certificate for a KVM host using an existing SSH connection.
+     * Runs keystore-setup to generate a CSR, issues a certificate, then runs keystore-cert-import.
+     * Used during host discovery and for forced re-provisioning when the NIO agent is unreachable.
+     * @param sshConnection active SSH connection to the KVM host
+     * @param agentIp IP address of the KVM host agent
+     * @param agentHostname hostname of the KVM host agent
+     * @param caProvider optional CA provider plugin name (null uses default)
+     */
+    void provisionCertificateViaSsh(Connection sshConnection, String agentIp, String agentHostname, String caProvider);
 
     /**
      * Setups up a new keystore and generates CSR for a host
diff --git a/api/src/main/java/org/apache/cloudstack/context/CallContext.java b/api/src/main/java/org/apache/cloudstack/context/CallContext.java
index 5e0c60184f4f..fcfb5b6b1e00 100644
--- a/api/src/main/java/org/apache/cloudstack/context/CallContext.java
+++ b/api/src/main/java/org/apache/cloudstack/context/CallContext.java
@@ -63,7 +63,7 @@ protected Stack<CallContext> initialValue() {
     private User user;
     private long userId;
     private final Map<Object, Object> context = new HashMap<Object, Object>();
-    private final Map<String, UUID> apiResourcesUuids = new HashMap<>();
+    private final Map<String, String> apiResourcesUuids = new HashMap<>();
     private Project project;
     private String apiName;
 
@@ -389,11 +389,11 @@ public void setEventDisplayEnabled(boolean eventDisplayEnabled) {
         isEventDisplayEnabled = eventDisplayEnabled;
     }
 
-    public UUID getApiResourceUuid(String paramName) {
+    public String getApiResourceUuid(String paramName) {
         return apiResourcesUuids.get(paramName);
     }
 
-    public void putApiResourceUuid(String paramName, UUID uuid) {
+    public void putApiResourceUuid(String paramName, String uuid) {
         apiResourcesUuids.put(paramName, uuid);
     }
 
diff --git a/api/src/main/java/org/apache/cloudstack/extension/ExtensionHelper.java b/api/src/main/java/org/apache/cloudstack/extension/ExtensionHelper.java
index f50f841ed74a..a01131278a76 100644
--- a/api/src/main/java/org/apache/cloudstack/extension/ExtensionHelper.java
+++ b/api/src/main/java/org/apache/cloudstack/extension/ExtensionHelper.java
@@ -17,8 +17,11 @@
 
 package org.apache.cloudstack.extension;
 
+import java.util.List;
+
 public interface ExtensionHelper {
     Long getExtensionIdForCluster(long clusterId);
     Extension getExtension(long id);
     Extension getExtensionForCluster(long clusterId);
+    List<String> getExtensionReservedResourceDetails(long extensionId);
 }
diff --git a/api/src/main/java/org/apache/cloudstack/resourcelimit/Reserver.java b/api/src/main/java/org/apache/cloudstack/resourcelimit/Reserver.java
new file mode 100644
index 000000000000..6b3f57b6aa5e
--- /dev/null
+++ b/api/src/main/java/org/apache/cloudstack/resourcelimit/Reserver.java
@@ -0,0 +1,30 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.cloudstack.resourcelimit;
+
+/**
+ * Interface implemented by <code>CheckedReservation</code>.
+ * </br></br>
+ * This is defined in <code>cloud-api</code> to allow methods declared in modules that do not depend on <code>cloud-server</code>
+ * to receive <code>CheckedReservations</code> as parameters.
+ */
+public interface Reserver extends AutoCloseable {
+
+    void close();
+
+}
diff --git a/api/src/main/java/org/apache/cloudstack/storage/object/BucketApiService.java b/api/src/main/java/org/apache/cloudstack/storage/object/BucketApiService.java
index e27ef308d7f2..8c164133db88 100644
--- a/api/src/main/java/org/apache/cloudstack/storage/object/BucketApiService.java
+++ b/api/src/main/java/org/apache/cloudstack/storage/object/BucketApiService.java
@@ -95,7 +95,7 @@ public interface BucketApiService {
      */
     Bucket createBucket(CreateBucketCmd cmd);
 
-    boolean deleteBucket(long bucketId, Account caller);
+    boolean deleteBucket(long bucketId, Account caller) throws ResourceAllocationException;
 
     boolean updateBucket(UpdateBucketCmd cmd, Account caller) throws ResourceAllocationException;
 
diff --git a/api/src/main/java/org/apache/cloudstack/storage/volume/VolumeImportUnmanageService.java b/api/src/main/java/org/apache/cloudstack/storage/volume/VolumeImportUnmanageService.java
index 5f69f3e46e73..13f01b4944ad 100644
--- a/api/src/main/java/org/apache/cloudstack/storage/volume/VolumeImportUnmanageService.java
+++ b/api/src/main/java/org/apache/cloudstack/storage/volume/VolumeImportUnmanageService.java
@@ -25,17 +25,28 @@
 import org.apache.cloudstack.api.response.ListResponse;
 import org.apache.cloudstack.api.response.VolumeForImportResponse;
 import org.apache.cloudstack.api.response.VolumeResponse;
+import org.apache.cloudstack.framework.config.ConfigKey;
+import org.apache.cloudstack.framework.config.Configurable;
 
 import java.util.Arrays;
 import java.util.List;
 
-public interface VolumeImportUnmanageService extends PluggableService {
+public interface VolumeImportUnmanageService extends PluggableService, Configurable {
 
      List<Hypervisor.HypervisorType> SUPPORTED_HYPERVISORS =
             Arrays.asList(Hypervisor.HypervisorType.KVM, Hypervisor.HypervisorType.VMware);
 
     List<Storage.StoragePoolType> SUPPORTED_STORAGE_POOL_TYPES_FOR_KVM = Arrays.asList(Storage.StoragePoolType.NetworkFilesystem,
-            Storage.StoragePoolType.Filesystem, Storage.StoragePoolType.RBD);
+            Storage.StoragePoolType.Filesystem, Storage.StoragePoolType.RBD, Storage.StoragePoolType.SharedMountPoint);
+
+    ConfigKey<Boolean> AllowImportVolumeWithBackingFile = new ConfigKey<>(Boolean.class,
+            "allow.import.volume.with.backing.file",
+            "Advanced",
+            "false",
+            "If enabled, allows QCOW2 volumes with backing files to be imported or unmanaged",
+            true,
+            ConfigKey.Scope.Global,
+            null);
 
     ListResponse<VolumeForImportResponse> listVolumesForImport(ListVolumesForImportCmd cmd);
 
diff --git a/api/src/main/java/org/apache/cloudstack/vm/UnmanagedInstanceTO.java b/api/src/main/java/org/apache/cloudstack/vm/UnmanagedInstanceTO.java
index bba97dff71cb..cbb7c4de698a 100644
--- a/api/src/main/java/org/apache/cloudstack/vm/UnmanagedInstanceTO.java
+++ b/api/src/main/java/org/apache/cloudstack/vm/UnmanagedInstanceTO.java
@@ -55,6 +55,9 @@ public enum PowerState {
 
     private String hostName;
 
+    private String hypervisorType;
+    private String hostHypervisorVersion;
+
     private List<Disk> disks;
 
     private List<Nic> nics;
@@ -168,6 +171,22 @@ public void setHostName(String hostName) {
         this.hostName = hostName;
     }
 
+    public String getHypervisorType() {
+        return hypervisorType;
+    }
+
+    public void setHypervisorType(String hypervisorType) {
+        this.hypervisorType = hypervisorType;
+    }
+
+    public String getHostHypervisorVersion() {
+        return hostHypervisorVersion;
+    }
+
+    public void setHostHypervisorVersion(String hostHypervisorVersion) {
+        this.hostHypervisorVersion = hostHypervisorVersion;
+    }
+
     public List<Disk> getDisks() {
         return disks;
     }
diff --git a/api/src/main/java/org/apache/cloudstack/vm/UnmanagedVMsManager.java b/api/src/main/java/org/apache/cloudstack/vm/UnmanagedVMsManager.java
index b6233b9c2704..e1963313eb6f 100644
--- a/api/src/main/java/org/apache/cloudstack/vm/UnmanagedVMsManager.java
+++ b/api/src/main/java/org/apache/cloudstack/vm/UnmanagedVMsManager.java
@@ -26,6 +26,8 @@
 
 public interface UnmanagedVMsManager extends VmImportService, UnmanageVMService, PluggableService, Configurable {
 
+    String VM_IMPORT_DEFAULT_TEMPLATE_NAME = "system-default-vm-import-dummy-template.iso";
+    String KVM_VM_IMPORT_DEFAULT_TEMPLATE_NAME = "kvm-default-vm-import-dummy-template";
     ConfigKey<Boolean> UnmanageVMPreserveNic = new ConfigKey<>("Advanced", Boolean.class, "unmanage.vm.preserve.nics", "false",
             "If set to true, do not remove VM nics (and its MAC addresses) when unmanaging a VM, leaving them allocated but not reserved. " +
                     "If set to false, nics are removed and MAC addresses can be reassigned", true, ConfigKey.Scope.Zone);
diff --git a/api/src/test/java/org/apache/cloudstack/api/command/admin/network/CreateIpv4SubnetForGuestNetworkCmdTest.java b/api/src/test/java/org/apache/cloudstack/api/command/admin/network/CreateIpv4SubnetForGuestNetworkCmdTest.java
index 4039ca6dc948..38d0df2e8b82 100644
--- a/api/src/test/java/org/apache/cloudstack/api/command/admin/network/CreateIpv4SubnetForGuestNetworkCmdTest.java
+++ b/api/src/test/java/org/apache/cloudstack/api/command/admin/network/CreateIpv4SubnetForGuestNetworkCmdTest.java
@@ -40,7 +40,7 @@ public class CreateIpv4SubnetForGuestNetworkCmdTest {
     @Test
     public void testCreateIpv4SubnetForGuestNetworkCmd() {
         Long parentId = 1L;
-        UUID parentUuid = UUID.randomUUID();
+        String parentUuid = UUID.randomUUID().toString();
         String subnet = "192.168.1.0/24";
         Integer cidrSize = 26;
 
diff --git a/api/src/test/java/org/apache/cloudstack/api/command/admin/network/CreateIpv4SubnetForZoneCmdTest.java b/api/src/test/java/org/apache/cloudstack/api/command/admin/network/CreateIpv4SubnetForZoneCmdTest.java
index bb324aca0e70..560ecdc3b296 100644
--- a/api/src/test/java/org/apache/cloudstack/api/command/admin/network/CreateIpv4SubnetForZoneCmdTest.java
+++ b/api/src/test/java/org/apache/cloudstack/api/command/admin/network/CreateIpv4SubnetForZoneCmdTest.java
@@ -40,7 +40,7 @@ public class CreateIpv4SubnetForZoneCmdTest {
     @Test
     public void testCreateIpv4SubnetForZoneCmd() {
         Long zoneId = 1L;
-        UUID zoneUuid = UUID.randomUUID();
+        String zoneUuid = UUID.randomUUID().toString();
         String subnet = "192.168.1.0/24";
         String accountName = "user";
         Long projectId = 10L;
diff --git a/api/src/test/java/org/apache/cloudstack/api/command/admin/network/DedicateIpv4SubnetForZoneCmdTest.java b/api/src/test/java/org/apache/cloudstack/api/command/admin/network/DedicateIpv4SubnetForZoneCmdTest.java
index 31458d2833fa..4640510ccdab 100644
--- a/api/src/test/java/org/apache/cloudstack/api/command/admin/network/DedicateIpv4SubnetForZoneCmdTest.java
+++ b/api/src/test/java/org/apache/cloudstack/api/command/admin/network/DedicateIpv4SubnetForZoneCmdTest.java
@@ -39,7 +39,7 @@ public class DedicateIpv4SubnetForZoneCmdTest {
     @Test
     public void testDedicateIpv4SubnetForZoneCmd() {
         Long id = 1L;
-        UUID uuid = UUID.randomUUID();
+        String uuid = UUID.randomUUID().toString();
         String accountName = "user";
         Long projectId = 10L;
         Long domainId = 11L;
diff --git a/api/src/test/java/org/apache/cloudstack/api/command/admin/network/DeleteIpv4SubnetForGuestNetworkCmdTest.java b/api/src/test/java/org/apache/cloudstack/api/command/admin/network/DeleteIpv4SubnetForGuestNetworkCmdTest.java
index 48aceeaaeec1..cd25d8d24014 100644
--- a/api/src/test/java/org/apache/cloudstack/api/command/admin/network/DeleteIpv4SubnetForGuestNetworkCmdTest.java
+++ b/api/src/test/java/org/apache/cloudstack/api/command/admin/network/DeleteIpv4SubnetForGuestNetworkCmdTest.java
@@ -39,7 +39,7 @@ public class DeleteIpv4SubnetForGuestNetworkCmdTest {
     @Test
     public void testDeleteIpv4SubnetForGuestNetworkCmd() {
         Long id = 1L;
-        UUID uuid = UUID.randomUUID();
+        String uuid = UUID.randomUUID().toString();
 
         DeleteIpv4SubnetForGuestNetworkCmd cmd = new DeleteIpv4SubnetForGuestNetworkCmd();
         ReflectionTestUtils.setField(cmd, "id", id);
diff --git a/api/src/test/java/org/apache/cloudstack/api/command/admin/network/DeleteIpv4SubnetForZoneCmdTest.java b/api/src/test/java/org/apache/cloudstack/api/command/admin/network/DeleteIpv4SubnetForZoneCmdTest.java
index 5c3593a8f1b6..269fb3f3c192 100644
--- a/api/src/test/java/org/apache/cloudstack/api/command/admin/network/DeleteIpv4SubnetForZoneCmdTest.java
+++ b/api/src/test/java/org/apache/cloudstack/api/command/admin/network/DeleteIpv4SubnetForZoneCmdTest.java
@@ -39,7 +39,7 @@ public class DeleteIpv4SubnetForZoneCmdTest {
     @Test
     public void testDeleteIpv4SubnetForZoneCmd() {
         Long id = 1L;
-        UUID uuid = UUID.randomUUID();
+        String uuid = UUID.randomUUID().toString();
 
         DeleteIpv4SubnetForZoneCmd cmd = new DeleteIpv4SubnetForZoneCmd();
         ReflectionTestUtils.setField(cmd, "id", id);
diff --git a/api/src/test/java/org/apache/cloudstack/api/command/admin/network/ReleaseDedicatedIpv4SubnetForZoneCmdTest.java b/api/src/test/java/org/apache/cloudstack/api/command/admin/network/ReleaseDedicatedIpv4SubnetForZoneCmdTest.java
index 29d6d8e735bb..6e5d2a95f3ab 100644
--- a/api/src/test/java/org/apache/cloudstack/api/command/admin/network/ReleaseDedicatedIpv4SubnetForZoneCmdTest.java
+++ b/api/src/test/java/org/apache/cloudstack/api/command/admin/network/ReleaseDedicatedIpv4SubnetForZoneCmdTest.java
@@ -39,7 +39,7 @@ public class ReleaseDedicatedIpv4SubnetForZoneCmdTest {
     @Test
     public void testReleaseDedicatedIpv4SubnetForZoneCmd() {
         Long id = 1L;
-        UUID uuid = UUID.randomUUID();
+        String uuid = UUID.randomUUID().toString();
 
         ReleaseDedicatedIpv4SubnetForZoneCmd cmd = new ReleaseDedicatedIpv4SubnetForZoneCmd();
         ReflectionTestUtils.setField(cmd, "id", id);
diff --git a/api/src/test/java/org/apache/cloudstack/api/command/admin/network/UpdateIpv4SubnetForZoneCmdTest.java b/api/src/test/java/org/apache/cloudstack/api/command/admin/network/UpdateIpv4SubnetForZoneCmdTest.java
index 399b77de6e85..af37006eafd2 100644
--- a/api/src/test/java/org/apache/cloudstack/api/command/admin/network/UpdateIpv4SubnetForZoneCmdTest.java
+++ b/api/src/test/java/org/apache/cloudstack/api/command/admin/network/UpdateIpv4SubnetForZoneCmdTest.java
@@ -40,7 +40,7 @@ public class UpdateIpv4SubnetForZoneCmdTest {
     @Test
     public void testUpdateIpv4SubnetForZoneCmd() {
         Long id = 1L;
-        UUID uuid = UUID.randomUUID();
+        String uuid = UUID.randomUUID().toString();
         String subnet = "192.168.1.0/24";
 
         UpdateIpv4SubnetForZoneCmd cmd = new UpdateIpv4SubnetForZoneCmd();
diff --git a/api/src/test/java/org/apache/cloudstack/api/command/admin/network/bgp/ChangeBgpPeersForNetworkCmdTest.java b/api/src/test/java/org/apache/cloudstack/api/command/admin/network/bgp/ChangeBgpPeersForNetworkCmdTest.java
index 9cd403ddd1de..3db1fab466f6 100644
--- a/api/src/test/java/org/apache/cloudstack/api/command/admin/network/bgp/ChangeBgpPeersForNetworkCmdTest.java
+++ b/api/src/test/java/org/apache/cloudstack/api/command/admin/network/bgp/ChangeBgpPeersForNetworkCmdTest.java
@@ -46,7 +46,7 @@ public class ChangeBgpPeersForNetworkCmdTest {
     @Test
     public void testChangeBgpPeersForNetworkCmd() {
         Long networkId = 10L;
-        UUID networkUuid = UUID.randomUUID();
+        String networkUuid = UUID.randomUUID().toString();
         List<Long> bgpPeerIds = Arrays.asList(20L, 21L);
 
         ChangeBgpPeersForNetworkCmd cmd = new ChangeBgpPeersForNetworkCmd();
diff --git a/api/src/test/java/org/apache/cloudstack/api/command/admin/network/bgp/ChangeBgpPeersForVpcCmdTest.java b/api/src/test/java/org/apache/cloudstack/api/command/admin/network/bgp/ChangeBgpPeersForVpcCmdTest.java
index 545523e3ab97..fb85f7060684 100644
--- a/api/src/test/java/org/apache/cloudstack/api/command/admin/network/bgp/ChangeBgpPeersForVpcCmdTest.java
+++ b/api/src/test/java/org/apache/cloudstack/api/command/admin/network/bgp/ChangeBgpPeersForVpcCmdTest.java
@@ -46,7 +46,7 @@ public class ChangeBgpPeersForVpcCmdTest {
     @Test
     public void testChangeBgpPeersForVpcCmd() {
         Long VpcId = 10L;
-        UUID vpcUuid = UUID.randomUUID();
+        String vpcUuid = UUID.randomUUID().toString();
         List<Long> bgpPeerIds = Arrays.asList(20L, 21L);
 
         ChangeBgpPeersForVpcCmd cmd = new ChangeBgpPeersForVpcCmd();
diff --git a/api/src/test/java/org/apache/cloudstack/api/command/admin/network/bgp/CreateBgpPeerCmdTest.java b/api/src/test/java/org/apache/cloudstack/api/command/admin/network/bgp/CreateBgpPeerCmdTest.java
index 866824f62936..3abc5f57d017 100644
--- a/api/src/test/java/org/apache/cloudstack/api/command/admin/network/bgp/CreateBgpPeerCmdTest.java
+++ b/api/src/test/java/org/apache/cloudstack/api/command/admin/network/bgp/CreateBgpPeerCmdTest.java
@@ -40,7 +40,7 @@ public class CreateBgpPeerCmdTest {
     @Test
     public void testCreateBgpPeerCmd() {
         Long zoneId = 1L;
-        UUID zoneUuid = UUID.randomUUID();
+        String zoneUuid = UUID.randomUUID().toString();
         String accountName = "user";
         Long projectId = 10L;
         Long domainId = 11L;
diff --git a/api/src/test/java/org/apache/cloudstack/api/command/admin/network/bgp/DedicateBgpPeerCmdTest.java b/api/src/test/java/org/apache/cloudstack/api/command/admin/network/bgp/DedicateBgpPeerCmdTest.java
index a8046d3d745c..c5edb1b8f53f 100644
--- a/api/src/test/java/org/apache/cloudstack/api/command/admin/network/bgp/DedicateBgpPeerCmdTest.java
+++ b/api/src/test/java/org/apache/cloudstack/api/command/admin/network/bgp/DedicateBgpPeerCmdTest.java
@@ -39,7 +39,7 @@ public class DedicateBgpPeerCmdTest {
     @Test
     public void testDedicateBgpPeerCmd() {
         Long id = 1L;
-        UUID uuid = UUID.randomUUID();
+        String uuid = UUID.randomUUID().toString();
         String accountName = "user";
         Long projectId = 10L;
         Long domainId = 11L;
diff --git a/api/src/test/java/org/apache/cloudstack/api/command/admin/network/bgp/DeleteBgpPeerCmdTest.java b/api/src/test/java/org/apache/cloudstack/api/command/admin/network/bgp/DeleteBgpPeerCmdTest.java
index d54be9e859e4..5228a63dc92d 100644
--- a/api/src/test/java/org/apache/cloudstack/api/command/admin/network/bgp/DeleteBgpPeerCmdTest.java
+++ b/api/src/test/java/org/apache/cloudstack/api/command/admin/network/bgp/DeleteBgpPeerCmdTest.java
@@ -39,7 +39,7 @@ public class DeleteBgpPeerCmdTest {
     @Test
     public void testDeleteBgpPeerCmd() {
         Long id = 1L;
-        UUID uuid = UUID.randomUUID();
+        String uuid = UUID.randomUUID().toString();
 
         DeleteBgpPeerCmd cmd = new DeleteBgpPeerCmd();
         ReflectionTestUtils.setField(cmd, "id", id);
diff --git a/api/src/test/java/org/apache/cloudstack/api/command/admin/network/bgp/ReleaseDedicatedBgpPeerCmdTest.java b/api/src/test/java/org/apache/cloudstack/api/command/admin/network/bgp/ReleaseDedicatedBgpPeerCmdTest.java
index 1cf8ead706d1..60a814d63050 100644
--- a/api/src/test/java/org/apache/cloudstack/api/command/admin/network/bgp/ReleaseDedicatedBgpPeerCmdTest.java
+++ b/api/src/test/java/org/apache/cloudstack/api/command/admin/network/bgp/ReleaseDedicatedBgpPeerCmdTest.java
@@ -39,7 +39,7 @@ public class ReleaseDedicatedBgpPeerCmdTest {
     @Test
     public void testReleaseDedicatedBgpPeerCmd() {
         Long id = 1L;
-        UUID uuid = UUID.randomUUID();
+        String uuid = UUID.randomUUID().toString();
 
         ReleaseDedicatedBgpPeerCmd cmd = new ReleaseDedicatedBgpPeerCmd();
         ReflectionTestUtils.setField(cmd, "id", id);
diff --git a/api/src/test/java/org/apache/cloudstack/api/command/admin/network/bgp/UpdateBgpPeerCmdTest.java b/api/src/test/java/org/apache/cloudstack/api/command/admin/network/bgp/UpdateBgpPeerCmdTest.java
index 1601fcb4c5a5..d594bc5718b7 100644
--- a/api/src/test/java/org/apache/cloudstack/api/command/admin/network/bgp/UpdateBgpPeerCmdTest.java
+++ b/api/src/test/java/org/apache/cloudstack/api/command/admin/network/bgp/UpdateBgpPeerCmdTest.java
@@ -40,7 +40,7 @@ public class UpdateBgpPeerCmdTest {
     @Test
     public void testUpdateBgpPeerCmd() {
         Long id = 1L;
-        UUID uuid = UUID.randomUUID();
+        String uuid = UUID.randomUUID().toString();
         String ip4Address = "ip4-address";
         String ip6Address = "ip6-address";
         Long peerAsNumber = 15000L;
diff --git a/api/src/test/java/org/apache/cloudstack/api/command/admin/storage/DownloadImageStoreObjectCmdTest.java b/api/src/test/java/org/apache/cloudstack/api/command/admin/storage/DownloadImageStoreObjectCmdTest.java
index 3b2b49cae4e1..8d2771c969b7 100644
--- a/api/src/test/java/org/apache/cloudstack/api/command/admin/storage/DownloadImageStoreObjectCmdTest.java
+++ b/api/src/test/java/org/apache/cloudstack/api/command/admin/storage/DownloadImageStoreObjectCmdTest.java
@@ -97,7 +97,7 @@ public void testGetEventType() {
 
     @Test
     public void testGetEventDescription() {
-        UUID uuid = UUID.randomUUID();
+        String uuid = UUID.randomUUID().toString();
 
         ReflectionTestUtils.setField(cmd, "storeId", 1L);
         ReflectionTestUtils.setField(cmd, "path", "path/to/object");
diff --git a/api/src/test/java/org/apache/cloudstack/api/command/admin/volume/UnmanageVolumeCmdTest.java b/api/src/test/java/org/apache/cloudstack/api/command/admin/volume/UnmanageVolumeCmdTest.java
index ecca507a6b95..59a61806e867 100644
--- a/api/src/test/java/org/apache/cloudstack/api/command/admin/volume/UnmanageVolumeCmdTest.java
+++ b/api/src/test/java/org/apache/cloudstack/api/command/admin/volume/UnmanageVolumeCmdTest.java
@@ -44,7 +44,7 @@ public class UnmanageVolumeCmdTest {
     public void testUnmanageVolumeCmd() {
         long accountId = 2L;
         Long volumeId = 3L;
-        UUID volumeUuid = UUID.randomUUID();
+        String volumeUuid = UUID.randomUUID().toString();
         Volume volume = Mockito.mock(Volume.class);
 
         Mockito.when(responseGenerator.findVolumeById(volumeId)).thenReturn(volume);
diff --git a/api/src/test/java/org/apache/cloudstack/api/command/test/AddAccountToProjectCmdTest.java b/api/src/test/java/org/apache/cloudstack/api/command/test/AddAccountToProjectCmdTest.java
index f100822b8c77..cd0390aa2689 100644
--- a/api/src/test/java/org/apache/cloudstack/api/command/test/AddAccountToProjectCmdTest.java
+++ b/api/src/test/java/org/apache/cloudstack/api/command/test/AddAccountToProjectCmdTest.java
@@ -16,6 +16,7 @@
 // under the License.
 package org.apache.cloudstack.api.command.test;
 
+import com.cloud.exception.ResourceAllocationException;
 import junit.framework.Assert;
 import junit.framework.TestCase;
 
@@ -149,6 +150,8 @@ public void testExecuteForNullAccountNameEmail() {
             addAccountToProjectCmd.execute();
         } catch (InvalidParameterValueException exception) {
             Assert.assertEquals("Either accountName or email is required", exception.getLocalizedMessage());
+        } catch (ResourceAllocationException exception) {
+            Assert.fail();
         }
 
     }
diff --git a/api/src/test/java/org/apache/cloudstack/api/command/test/CreateSnapshotCmdTest.java b/api/src/test/java/org/apache/cloudstack/api/command/test/CreateSnapshotCmdTest.java
index b70efaf9a6c5..032dca8d8007 100644
--- a/api/src/test/java/org/apache/cloudstack/api/command/test/CreateSnapshotCmdTest.java
+++ b/api/src/test/java/org/apache/cloudstack/api/command/test/CreateSnapshotCmdTest.java
@@ -118,7 +118,7 @@ public void testCreateFailure() {
         AccountService accountService = Mockito.mock(AccountService.class);
         Account account = Mockito.mock(Account.class);
         Mockito.when(accountService.getAccount(anyLong())).thenReturn(account);
-        UUID volumeUuid = UUID.randomUUID();
+        String volumeUuid = UUID.randomUUID().toString();
 
         CallContext.current().putApiResourceUuid("volumeid", volumeUuid);
 
diff --git a/api/src/test/java/org/apache/cloudstack/api/command/test/UpdateConditionCmdTest.java b/api/src/test/java/org/apache/cloudstack/api/command/test/UpdateConditionCmdTest.java
index 3dfb29dadd3e..c78dbe9b56bc 100644
--- a/api/src/test/java/org/apache/cloudstack/api/command/test/UpdateConditionCmdTest.java
+++ b/api/src/test/java/org/apache/cloudstack/api/command/test/UpdateConditionCmdTest.java
@@ -56,7 +56,7 @@ public class UpdateConditionCmdTest {
     private static final Long threshold = 100L;
 
     private static final long accountId = 5L;
-    private static final UUID conditionUuid = UUID.randomUUID();
+    private static final String conditionUuid = UUID.randomUUID().toString();
 
     @Before
     public void setUp() {
diff --git a/api/src/test/java/org/apache/cloudstack/api/command/user/network/routing/DeleteRoutingFirewallRuleCmdTest.java b/api/src/test/java/org/apache/cloudstack/api/command/user/network/routing/DeleteRoutingFirewallRuleCmdTest.java
index d3cf5dd6cd68..dbe7669431d8 100644
--- a/api/src/test/java/org/apache/cloudstack/api/command/user/network/routing/DeleteRoutingFirewallRuleCmdTest.java
+++ b/api/src/test/java/org/apache/cloudstack/api/command/user/network/routing/DeleteRoutingFirewallRuleCmdTest.java
@@ -49,7 +49,7 @@ public void testProperties() {
         ReflectionTestUtils.setField(cmd, "_firewallService", _firewallService);
 
         long id = 1L;
-        UUID uuid = UUID.randomUUID();
+        String uuid = UUID.randomUUID().toString();
         long accountId = 2L;
         long networkId = 3L;
 
diff --git a/api/src/test/java/org/apache/cloudstack/api/command/user/vpc/UpdateVPCCmdTest.java b/api/src/test/java/org/apache/cloudstack/api/command/user/vpc/UpdateVPCCmdTest.java
index acb2dc685976..9d56cffd6718 100644
--- a/api/src/test/java/org/apache/cloudstack/api/command/user/vpc/UpdateVPCCmdTest.java
+++ b/api/src/test/java/org/apache/cloudstack/api/command/user/vpc/UpdateVPCCmdTest.java
@@ -93,7 +93,7 @@ public void testExecute() throws ResourceUnavailableException, InsufficientCapac
         responseGenerator = Mockito.mock(ResponseGenerator.class);
         cmd._responseGenerator = responseGenerator;
         Mockito.verify(_vpcService, Mockito.times(0)).updateVpc(Mockito.anyLong(), Mockito.anyString(), Mockito.anyString(),
-                Mockito.anyString(), Mockito.anyBoolean(), Mockito.anyInt(), Mockito.anyString());
+                Mockito.anyString(), Mockito.anyBoolean(), Mockito.anyInt(), Mockito.anyString(), Mockito.anyBoolean());
 
     }
 }
diff --git a/client/pom.xml b/client/pom.xml
index b8dffe65d4fb..ba16cc5d34a2 100644
--- a/client/pom.xml
+++ b/client/pom.xml
@@ -121,6 +121,11 @@
             <artifactId>cloud-plugin-storage-volume-adaptive</artifactId>
             <version>${project.version}</version>
         </dependency>
+        <dependency>
+            <groupId>org.apache.cloudstack</groupId>
+            <artifactId>cloud-plugin-storage-volume-ontap</artifactId>
+            <version>${project.version}</version>
+        </dependency>
         <dependency>
             <groupId>org.apache.cloudstack</groupId>
             <artifactId>cloud-plugin-storage-volume-solidfire</artifactId>
@@ -372,11 +377,6 @@
             <artifactId>cloud-plugin-explicit-dedication</artifactId>
             <version>${project.version}</version>
         </dependency>
-        <dependency>
-            <groupId>org.apache.cloudstack</groupId>
-            <artifactId>cloud-plugin-host-allocator-random</artifactId>
-            <version>${project.version}</version>
-        </dependency>
         <dependency>
             <groupId>org.apache.cloudstack</groupId>
             <artifactId>cloud-plugin-outofbandmanagement-driver-ipmitool</artifactId>
@@ -716,17 +716,17 @@
                     </dependency>
                     <dependency>
                         <groupId>org.bouncycastle</groupId>
-                        <artifactId>bcprov-jdk15on</artifactId>
+                        <artifactId>bcprov-jdk18on</artifactId>
                         <version>${cs.bcprov.version}</version>
                     </dependency>
                     <dependency>
                         <groupId>org.bouncycastle</groupId>
-                        <artifactId>bcpkix-jdk15on</artifactId>
+                        <artifactId>bcpkix-jdk18on</artifactId>
                         <version>${cs.bcprov.version}</version>
                     </dependency>
                     <dependency>
                         <groupId>org.bouncycastle</groupId>
-                        <artifactId>bctls-jdk15on</artifactId>
+                        <artifactId>bctls-jdk18on</artifactId>
                         <version>${cs.bcprov.version}</version>
                     </dependency>
                 </dependencies>
@@ -906,13 +906,13 @@
                                 </artifactItem>
                                 <artifactItem>
                                     <groupId>org.bouncycastle</groupId>
-                                    <artifactId>bcprov-jdk15on</artifactId>
+                                    <artifactId>bcprov-jdk18on</artifactId>
                                     <overWrite>false</overWrite>
                                     <outputDirectory>${project.build.directory}/lib</outputDirectory>
                                 </artifactItem>
                                 <artifactItem>
                                     <groupId>org.bouncycastle</groupId>
-                                    <artifactId>bcpkix-jdk15on</artifactId>
+                                    <artifactId>bcpkix-jdk18on</artifactId>
                                     <overWrite>false</overWrite>
                                     <outputDirectory>${project.build.directory}/lib</outputDirectory>
 			        </artifactItem>
@@ -936,7 +936,7 @@
                                 </artifactItem>
                                 <artifactItem>
                                     <groupId>org.bouncycastle</groupId>
-                                    <artifactId>bctls-jdk15on</artifactId>
+                                    <artifactId>bctls-jdk18on</artifactId>
                                     <overWrite>false</overWrite>
                                     <outputDirectory>${project.build.directory}/lib</outputDirectory>
                                 </artifactItem>
@@ -971,9 +971,9 @@
                                     <exclude>org.apache.tomcat.embed:tomcat-embed-core</exclude>
                                     <exclude>org.apache.geronimo.specs:geronimo-servlet_3.0_spec</exclude>
                                     <exclude>org.apache.geronimo.specs:geronimo-javamail_1.4_spec</exclude>
-                                    <exclude>org.bouncycastle:bcprov-jdk15on</exclude>
-                                    <exclude>org.bouncycastle:bcpkix-jdk15on</exclude>
-                                    <exclude>org.bouncycastle:bctls-jdk15on</exclude>
+                                    <exclude>org.bouncycastle:bcprov-jdk18on</exclude>
+                                    <exclude>org.bouncycastle:bcpkix-jdk18on</exclude>
+                                    <exclude>org.bouncycastle:bctls-jdk18on</exclude>
                                     <exclude>com.mysql:mysql-connector-j</exclude>
                                     <exclude>org.apache.cloudstack:cloud-plugin-storage-volume-storpool</exclude>
                                     <exclude>org.apache.cloudstack:cloud-plugin-storage-volume-linstor</exclude>
diff --git a/core/src/main/java/com/cloud/agent/api/CheckConvertInstanceCommand.java b/core/src/main/java/com/cloud/agent/api/CheckConvertInstanceCommand.java
index fc066e5c5899..c46fb697a3c1 100644
--- a/core/src/main/java/com/cloud/agent/api/CheckConvertInstanceCommand.java
+++ b/core/src/main/java/com/cloud/agent/api/CheckConvertInstanceCommand.java
@@ -18,6 +18,8 @@
 
 public class CheckConvertInstanceCommand extends Command {
     boolean checkWindowsGuestConversionSupport = false;
+    boolean useVddk = false;
+    String vddkLibDir;
 
     public CheckConvertInstanceCommand() {
     }
@@ -26,6 +28,11 @@ public CheckConvertInstanceCommand(boolean checkWindowsGuestConversionSupport) {
         this.checkWindowsGuestConversionSupport = checkWindowsGuestConversionSupport;
     }
 
+    public CheckConvertInstanceCommand(boolean checkWindowsGuestConversionSupport, boolean useVddk) {
+        this.checkWindowsGuestConversionSupport = checkWindowsGuestConversionSupport;
+        this.useVddk = useVddk;
+    }
+
     @Override
     public boolean executeInSequence() {
         return false;
@@ -34,4 +41,20 @@ public boolean executeInSequence() {
     public boolean getCheckWindowsGuestConversionSupport() {
         return checkWindowsGuestConversionSupport;
     }
+
+    public boolean isUseVddk() {
+        return useVddk;
+    }
+
+    public void setUseVddk(boolean useVddk) {
+        this.useVddk = useVddk;
+    }
+
+    public String getVddkLibDir() {
+        return vddkLibDir;
+    }
+
+    public void setVddkLibDir(String vddkLibDir) {
+        this.vddkLibDir = vddkLibDir;
+    }
 }
diff --git a/core/src/main/java/com/cloud/agent/api/CheckOnHostAnswer.java b/core/src/main/java/com/cloud/agent/api/CheckOnHostAnswer.java
index 5a26b22ec6a5..41e266784db8 100644
--- a/core/src/main/java/com/cloud/agent/api/CheckOnHostAnswer.java
+++ b/core/src/main/java/com/cloud/agent/api/CheckOnHostAnswer.java
@@ -38,6 +38,8 @@ public CheckOnHostAnswer(CheckOnHostCommand cmd, Boolean alive, String details)
 
     public CheckOnHostAnswer(CheckOnHostCommand cmd, String details) {
         super(cmd, false, details);
+        determined = false;
+        alive = false;
     }
 
     public boolean isDetermined() {
@@ -47,5 +49,4 @@ public boolean isDetermined() {
     public boolean isAlive() {
         return alive;
     }
-
 }
diff --git a/core/src/main/java/com/cloud/agent/api/CheckOnHostCommand.java b/core/src/main/java/com/cloud/agent/api/CheckOnHostCommand.java
index 94239f2900ef..72b5217604dc 100644
--- a/core/src/main/java/com/cloud/agent/api/CheckOnHostCommand.java
+++ b/core/src/main/java/com/cloud/agent/api/CheckOnHostCommand.java
@@ -24,7 +24,7 @@
 
 public class CheckOnHostCommand extends Command {
     HostTO host;
-    boolean reportCheckFailureIfOneStorageIsDown;
+    boolean reportIfHeartBeatFailedForOneStoragePool;
 
     protected CheckOnHostCommand() {
     }
@@ -34,17 +34,17 @@ public CheckOnHostCommand(Host host) {
         setWait(20);
     }
 
-    public CheckOnHostCommand(Host host, boolean reportCheckFailureIfOneStorageIsDown) {
+    public CheckOnHostCommand(Host host, boolean reportIfHeartBeatFailedForOneStoragePool) {
         this(host);
-        this.reportCheckFailureIfOneStorageIsDown = reportCheckFailureIfOneStorageIsDown;
+        this.reportIfHeartBeatFailedForOneStoragePool = reportIfHeartBeatFailedForOneStoragePool;
     }
 
     public HostTO getHost() {
         return host;
     }
 
-    public boolean isCheckFailedOnOneStorage() {
-        return reportCheckFailureIfOneStorageIsDown;
+    public boolean shouldReportIfHeartBeatFailedForOneStoragePool() {
+        return reportIfHeartBeatFailedForOneStoragePool;
     }
 
     @Override
diff --git a/core/src/main/java/com/cloud/agent/api/ConvertInstanceCommand.java b/core/src/main/java/com/cloud/agent/api/ConvertInstanceCommand.java
index 24336747ccf4..38e0dca7736c 100644
--- a/core/src/main/java/com/cloud/agent/api/ConvertInstanceCommand.java
+++ b/core/src/main/java/com/cloud/agent/api/ConvertInstanceCommand.java
@@ -31,6 +31,10 @@ public class ConvertInstanceCommand extends Command {
     private boolean exportOvfToConversionLocation;
     private int threadsCountToExportOvf = 0;
     private String extraParams;
+    private boolean useVddk;
+    private String vddkLibDir;
+    private String vddkTransports;
+    private String vddkThumbprint;
 
     public ConvertInstanceCommand() {
     }
@@ -90,6 +94,38 @@ public void setExtraParams(String extraParams) {
         this.extraParams = extraParams;
     }
 
+    public boolean isUseVddk() {
+        return useVddk;
+    }
+
+    public void setUseVddk(boolean useVddk) {
+        this.useVddk = useVddk;
+    }
+
+    public String getVddkLibDir() {
+        return vddkLibDir;
+    }
+
+    public void setVddkLibDir(String vddkLibDir) {
+        this.vddkLibDir = vddkLibDir;
+    }
+
+    public String getVddkTransports() {
+        return vddkTransports;
+    }
+
+    public void setVddkTransports(String vddkTransports) {
+        this.vddkTransports = vddkTransports;
+    }
+
+    public String getVddkThumbprint() {
+        return vddkThumbprint;
+    }
+
+    public void setVddkThumbprint(String vddkThumbprint) {
+        this.vddkThumbprint = vddkThumbprint;
+    }
+
     @Override
     public boolean executeInSequence() {
         return false;
diff --git a/core/src/main/java/com/cloud/agent/api/PropagateResourceEventCommand.java b/core/src/main/java/com/cloud/agent/api/PropagateResourceEventCommand.java
index ed337885beed..21c4e7b97d03 100644
--- a/core/src/main/java/com/cloud/agent/api/PropagateResourceEventCommand.java
+++ b/core/src/main/java/com/cloud/agent/api/PropagateResourceEventCommand.java
@@ -24,6 +24,8 @@
 public class PropagateResourceEventCommand extends Command {
     long hostId;
     ResourceState.Event event;
+    boolean forced;
+    boolean forceDeleteStorage;
 
     protected PropagateResourceEventCommand() {
 
@@ -34,6 +36,13 @@ public PropagateResourceEventCommand(long hostId, ResourceState.Event event) {
         this.event = event;
     }
 
+    public PropagateResourceEventCommand(long hostId, ResourceState.Event event, boolean forced, boolean forceDeleteStorage) {
+        this.hostId = hostId;
+        this.event = event;
+        this.forced = forced;
+        this.forceDeleteStorage = forceDeleteStorage;
+    }
+
     public long getHostId() {
         return hostId;
     }
@@ -42,6 +51,14 @@ public ResourceState.Event getEvent() {
         return event;
     }
 
+    public boolean isForced() {
+        return forced;
+    }
+
+    public boolean isForceDeleteStorage() {
+        return forceDeleteStorage;
+    }
+
     @Override
     public boolean executeInSequence() {
         // TODO Auto-generated method stub
diff --git a/core/src/main/java/com/cloud/agent/api/ScaleVmCommand.java b/core/src/main/java/com/cloud/agent/api/ScaleVmCommand.java
index dc63b1ee746d..e2953e9c7ad7 100644
--- a/core/src/main/java/com/cloud/agent/api/ScaleVmCommand.java
+++ b/core/src/main/java/com/cloud/agent/api/ScaleVmCommand.java
@@ -30,6 +30,7 @@ public class ScaleVmCommand extends Command {
     Integer maxSpeed;
     long minRam;
     long maxRam;
+    private boolean limitCpuUseChange;
 
     public VirtualMachineTO getVm() {
         return vm;
@@ -43,7 +44,7 @@ public int getCpus() {
         return cpus;
     }
 
-    public ScaleVmCommand(String vmName, int cpus, Integer minSpeed, Integer maxSpeed, long minRam, long maxRam, boolean limitCpuUse) {
+    public ScaleVmCommand(String vmName, int cpus, Integer minSpeed, Integer maxSpeed, long minRam, long maxRam, boolean limitCpuUse, Double cpuQuotaPercentage, boolean limitCpuUseChange) {
         super();
         this.vmName = vmName;
         this.cpus = cpus;
@@ -52,6 +53,8 @@ public ScaleVmCommand(String vmName, int cpus, Integer minSpeed, Integer maxSpee
         this.minRam = minRam;
         this.maxRam = maxRam;
         this.vm = new VirtualMachineTO(1L, vmName, null, cpus, minSpeed, maxSpeed, minRam, maxRam, null, null, false, limitCpuUse, null);
+        this.vm.setCpuQuotaPercentage(cpuQuotaPercentage);
+        this.limitCpuUseChange = limitCpuUseChange;
     }
 
     public void setCpus(int cpus) {
@@ -102,6 +105,10 @@ public VirtualMachineTO getVirtualMachine() {
         return vm;
     }
 
+    public boolean getLimitCpuUseChange() {
+        return limitCpuUseChange;
+    }
+
     @Override
     public boolean executeInSequence() {
         return true;
diff --git a/core/src/main/java/com/cloud/agent/api/UpdateVmNicAnswer.java b/core/src/main/java/com/cloud/agent/api/UpdateVmNicAnswer.java
new file mode 100644
index 000000000000..0af6d7fa3a3d
--- /dev/null
+++ b/core/src/main/java/com/cloud/agent/api/UpdateVmNicAnswer.java
@@ -0,0 +1,27 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+package com.cloud.agent.api;
+
+public class UpdateVmNicAnswer extends Answer {
+    public UpdateVmNicAnswer() {
+    }
+
+    public UpdateVmNicAnswer(UpdateVmNicCommand cmd, boolean success, String result) {
+        super(cmd, success, result);
+    }
+}
diff --git a/core/src/main/java/com/cloud/agent/api/UpdateVmNicCommand.java b/core/src/main/java/com/cloud/agent/api/UpdateVmNicCommand.java
new file mode 100644
index 000000000000..a5c5faf32fed
--- /dev/null
+++ b/core/src/main/java/com/cloud/agent/api/UpdateVmNicCommand.java
@@ -0,0 +1,51 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+package com.cloud.agent.api;
+
+public class UpdateVmNicCommand extends Command {
+
+    String nicMacAddress;
+    String instanceName;
+    Boolean enabled;
+
+    @Override
+    public boolean executeInSequence() {
+        return true;
+    }
+
+    protected UpdateVmNicCommand() {
+    }
+
+    public UpdateVmNicCommand(String nicMacAdderss, String instanceName, Boolean enabled) {
+        this.nicMacAddress = nicMacAdderss;
+        this.instanceName = instanceName;
+        this.enabled = enabled;
+    }
+
+    public String getNicMacAddress() {
+        return nicMacAddress;
+    }
+
+    public String getVmName() {
+        return instanceName;
+    }
+
+    public Boolean isEnabled() {
+        return enabled;
+    }
+}
diff --git a/core/src/main/java/com/cloud/agent/api/routing/LoadBalancerConfigCommand.java b/core/src/main/java/com/cloud/agent/api/routing/LoadBalancerConfigCommand.java
index d8cc74817d7b..96d73e11990d 100644
--- a/core/src/main/java/com/cloud/agent/api/routing/LoadBalancerConfigCommand.java
+++ b/core/src/main/java/com/cloud/agent/api/routing/LoadBalancerConfigCommand.java
@@ -36,6 +36,7 @@ public class LoadBalancerConfigCommand extends NetworkElementCommand {
     public String lbStatsAuth = "admin1:AdMiN123";
     public String lbStatsUri = "/admin?stats";
     public String maxconn = "";
+    public Long idleTimeout = 50000L; /* 0=infinite, >0 = timeout in milliseconds */
     public String lbProtocol;
     public boolean keepAliveEnabled = false;
     NicTO nic;
@@ -50,7 +51,7 @@ public LoadBalancerConfigCommand(LoadBalancerTO[] loadBalancers, Long vpcId) {
     }
 
     public LoadBalancerConfigCommand(LoadBalancerTO[] loadBalancers, String publicIp, String guestIp, String privateIp, NicTO nic, Long vpcId, String maxconn,
-            boolean keepAliveEnabled) {
+            boolean keepAliveEnabled, Long idleTimeout) {
         this.loadBalancers = loadBalancers;
         this.lbStatsPublicIP = publicIp;
         this.lbStatsPrivateIP = privateIp;
@@ -59,6 +60,7 @@ public LoadBalancerConfigCommand(LoadBalancerTO[] loadBalancers, String publicIp
         this.vpcId = vpcId;
         this.maxconn = maxconn;
         this.keepAliveEnabled = keepAliveEnabled;
+        this.idleTimeout = idleTimeout;
     }
 
     public NicTO getNic() {
diff --git a/core/src/main/java/com/cloud/agent/api/storage/DownloadAnswer.java b/core/src/main/java/com/cloud/agent/api/storage/DownloadAnswer.java
index 0c6373134b18..1c5eb7b9a9af 100644
--- a/core/src/main/java/com/cloud/agent/api/storage/DownloadAnswer.java
+++ b/core/src/main/java/com/cloud/agent/api/storage/DownloadAnswer.java
@@ -140,7 +140,7 @@ public void setTemplateSize(long templateSize) {
     }
 
     public Long getTemplateSize() {
-        return templateSize;
+        return templateSize == 0 ? templatePhySicalSize : templateSize;
     }
 
     public void setTemplatePhySicalSize(long templatePhySicalSize) {
diff --git a/core/src/main/java/com/cloud/network/HAProxyConfigurator.java b/core/src/main/java/com/cloud/network/HAProxyConfigurator.java
index 128652fc64fa..7d544c2e49c0 100644
--- a/core/src/main/java/com/cloud/network/HAProxyConfigurator.java
+++ b/core/src/main/java/com/cloud/network/HAProxyConfigurator.java
@@ -635,6 +635,19 @@ public String[] generateConfiguration(final LoadBalancerConfigCommand lbCmd) {
         if (lbCmd.keepAliveEnabled) {
             dSection.set(7, "\tno option httpclose");
         }
+        if (lbCmd.idleTimeout > 0) {
+            dSection.set(9, "\ttimeout client     " + Long.toString(lbCmd.idleTimeout));
+            dSection.set(10, "\ttimeout server     " + Long.toString(lbCmd.idleTimeout));
+        } else if (lbCmd.idleTimeout == 0) {
+            // .remove() is not allowed, only .set() operations are allowed as the list
+            // is a fixed size.  So lets just mark the entry as blank.
+            dSection.set(9, "");
+            dSection.set(10, "");
+        } else {
+            // Negative idleTimeout values are considered invalid; retain the
+            // default HAProxy timeout values from defaultsSection for predictability.
+            logger.warn("Negative idleTimeout ({}) configured; retaining default HAProxy timeouts.", lbCmd.idleTimeout);
+        }
 
         if (logger.isDebugEnabled()) {
             for (final String s : dSection) {
diff --git a/core/src/main/java/com/cloud/storage/template/HttpTemplateDownloader.java b/core/src/main/java/com/cloud/storage/template/HttpTemplateDownloader.java
index 6fe001de72c0..71c329796d1b 100755
--- a/core/src/main/java/com/cloud/storage/template/HttpTemplateDownloader.java
+++ b/core/src/main/java/com/cloud/storage/template/HttpTemplateDownloader.java
@@ -52,6 +52,7 @@
 import com.cloud.utils.Pair;
 import com.cloud.utils.UriUtils;
 import com.cloud.utils.exception.CloudRuntimeException;
+import com.cloud.utils.net.HttpClientCloudStackUserAgent;
 import com.cloud.utils.net.Proxy;
 
 /**
@@ -125,6 +126,7 @@ private GetMethod createRequest(String downloadUrl) {
         GetMethod request = new GetMethod(downloadUrl);
         request.getParams().setParameter(HttpMethodParams.RETRY_HANDLER, myretryhandler);
         request.setFollowRedirects(followRedirects);
+        request.getParams().setParameter(HttpMethodParams.USER_AGENT, HttpClientCloudStackUserAgent.CLOUDSTACK_USER_AGENT);
         return request;
     }
 
diff --git a/core/src/main/java/com/cloud/storage/template/MetalinkTemplateDownloader.java b/core/src/main/java/com/cloud/storage/template/MetalinkTemplateDownloader.java
index 95ed0d1e76d0..0dad2564779c 100644
--- a/core/src/main/java/com/cloud/storage/template/MetalinkTemplateDownloader.java
+++ b/core/src/main/java/com/cloud/storage/template/MetalinkTemplateDownloader.java
@@ -18,8 +18,11 @@
 //
 package com.cloud.storage.template;
 
+
 import com.cloud.storage.StorageLayer;
 import com.cloud.utils.UriUtils;
+import com.cloud.utils.net.HttpClientCloudStackUserAgent;
+
 import org.apache.commons.httpclient.HttpClient;
 import org.apache.commons.httpclient.HttpMethod;
 import org.apache.commons.httpclient.HttpMethodRetryHandler;
@@ -59,6 +62,7 @@ protected GetMethod createRequest(String downloadUrl) {
         GetMethod request = new GetMethod(downloadUrl);
         request.getParams().setParameter(HttpMethodParams.RETRY_HANDLER, myretryhandler);
         request.setFollowRedirects(followRedirects);
+        request.getParams().setParameter(HttpMethodParams.USER_AGENT, HttpClientCloudStackUserAgent.CLOUDSTACK_USER_AGENT);
         if (!toFileSet) {
             String[] parts = downloadUrl.split("/");
             String filename = parts[parts.length - 1];
diff --git a/core/src/main/java/com/cloud/storage/template/SimpleHttpMultiFileDownloader.java b/core/src/main/java/com/cloud/storage/template/SimpleHttpMultiFileDownloader.java
index 8719947cb4f0..6608754073a1 100644
--- a/core/src/main/java/com/cloud/storage/template/SimpleHttpMultiFileDownloader.java
+++ b/core/src/main/java/com/cloud/storage/template/SimpleHttpMultiFileDownloader.java
@@ -44,6 +44,7 @@
 import org.apache.commons.lang3.StringUtils;
 
 import com.cloud.storage.StorageLayer;
+import com.cloud.utils.net.HttpClientCloudStackUserAgent;
 
 public class SimpleHttpMultiFileDownloader extends ManagedContextRunnable implements TemplateDownloader {
     private static final MultiThreadedHttpConnectionManager s_httpClientManager = new MultiThreadedHttpConnectionManager();
@@ -95,6 +96,7 @@ private GetMethod createRequest(String downloadUrl) {
         GetMethod request = new GetMethod(downloadUrl);
         request.getParams().setParameter(HttpMethodParams.RETRY_HANDLER, retryHandler);
         request.setFollowRedirects(followRedirects);
+        request.getParams().setParameter(HttpMethodParams.USER_AGENT, HttpClientCloudStackUserAgent.CLOUDSTACK_USER_AGENT);
         return request;
     }
 
@@ -141,6 +143,7 @@ private void tryAndGetTotalRemoteSize() {
                 continue;
             }
             HeadMethod headMethod = new HeadMethod(downloadUrl);
+            headMethod.getParams().setParameter(HttpMethodParams.USER_AGENT, HttpClientCloudStackUserAgent.CLOUDSTACK_USER_AGENT);
             try {
                 if (client.executeMethod(headMethod) != HttpStatus.SC_OK) {
                     continue;
diff --git a/core/src/main/java/org/apache/cloudstack/backup/RestoreBackupCommand.java b/core/src/main/java/org/apache/cloudstack/backup/RestoreBackupCommand.java
index f5ad5fbea2c7..972c2eaf7bb4 100644
--- a/core/src/main/java/org/apache/cloudstack/backup/RestoreBackupCommand.java
+++ b/core/src/main/java/org/apache/cloudstack/backup/RestoreBackupCommand.java
@@ -34,6 +34,7 @@ public class RestoreBackupCommand extends Command  {
     private List<String> backupVolumesUUIDs;
     private List<PrimaryDataStoreTO> restoreVolumePools;
     private List<String> restoreVolumePaths;
+    private List<Long> restoreVolumeSizes;
     private List<String> backupFiles;
     private String diskType;
     private Boolean vmExists;
@@ -92,6 +93,14 @@ public void setRestoreVolumePaths(List<String> restoreVolumePaths) {
         this.restoreVolumePaths = restoreVolumePaths;
     }
 
+    public List<Long> getRestoreVolumeSizes() {
+        return restoreVolumeSizes;
+    }
+
+    public void setRestoreVolumeSizes(List<Long> restoreVolumeSizes) {
+        this.restoreVolumeSizes = restoreVolumeSizes;
+    }
+
     public List<String> getBackupFiles() {
         return backupFiles;
     }
diff --git a/core/src/main/java/org/apache/cloudstack/direct/download/DirectTemplateDownloaderImpl.java b/core/src/main/java/org/apache/cloudstack/direct/download/DirectTemplateDownloaderImpl.java
index a1485463eaa0..05619e5632b0 100644
--- a/core/src/main/java/org/apache/cloudstack/direct/download/DirectTemplateDownloaderImpl.java
+++ b/core/src/main/java/org/apache/cloudstack/direct/download/DirectTemplateDownloaderImpl.java
@@ -21,6 +21,7 @@
 import com.cloud.utils.UriUtils;
 import com.cloud.utils.exception.CloudRuntimeException;
 import org.apache.cloudstack.utils.security.DigestHelper;
+import org.apache.commons.io.FilenameUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.Logger;
 import org.apache.logging.log4j.LogManager;
@@ -33,6 +34,7 @@
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
+import java.util.UUID;
 
 public abstract class DirectTemplateDownloaderImpl implements DirectTemplateDownloader {
 
@@ -128,15 +130,14 @@ public void setFollowRedirects(boolean followRedirects) {
      */
     protected File createTemporaryDirectoryAndFile(String downloadDir) {
         createFolder(downloadDir);
-        return new File(downloadDir + File.separator + getFileNameFromUrl());
+        return new File(downloadDir + File.separator + getTemporaryFileName());
     }
 
     /**
-     * Return filename from url
+     * Return filename from the temporary download file
      */
-    public String getFileNameFromUrl() {
-        String[] urlParts = url.split("/");
-        return urlParts[urlParts.length - 1];
+    public String getTemporaryFileName() {
+        return String.format("%s.%s", UUID.randomUUID(), FilenameUtils.getExtension(url));
     }
 
     @Override
diff --git a/core/src/main/java/org/apache/cloudstack/direct/download/HttpDirectTemplateDownloader.java b/core/src/main/java/org/apache/cloudstack/direct/download/HttpDirectTemplateDownloader.java
index c4a802ecdbc6..99b84bb645c8 100644
--- a/core/src/main/java/org/apache/cloudstack/direct/download/HttpDirectTemplateDownloader.java
+++ b/core/src/main/java/org/apache/cloudstack/direct/download/HttpDirectTemplateDownloader.java
@@ -19,6 +19,7 @@
 
 package org.apache.cloudstack.direct.download;
 
+
 import java.io.File;
 import java.io.FileOutputStream;
 import java.io.IOException;
@@ -32,6 +33,7 @@
 import com.cloud.utils.Pair;
 import com.cloud.utils.UriUtils;
 import com.cloud.utils.exception.CloudRuntimeException;
+import com.cloud.utils.net.HttpClientCloudStackUserAgent;
 import com.cloud.utils.storage.QCOW2Utils;
 import org.apache.commons.collections.MapUtils;
 import org.apache.commons.httpclient.HttpClient;
@@ -39,6 +41,7 @@
 import org.apache.commons.httpclient.MultiThreadedHttpConnectionManager;
 import org.apache.commons.httpclient.methods.GetMethod;
 import org.apache.commons.httpclient.methods.HeadMethod;
+import org.apache.commons.httpclient.params.HttpMethodParams;
 import org.apache.commons.io.IOUtils;
 
 public class HttpDirectTemplateDownloader extends DirectTemplateDownloaderImpl {
@@ -68,6 +71,7 @@ public HttpDirectTemplateDownloader(String url, Long templateId, String destPool
     protected GetMethod createRequest(String downloadUrl, Map<String, String> headers) {
         GetMethod request = new GetMethod(downloadUrl);
         request.setFollowRedirects(this.isFollowRedirects());
+        request.getParams().setParameter(HttpMethodParams.USER_AGENT, HttpClientCloudStackUserAgent.CLOUDSTACK_USER_AGENT);
         if (MapUtils.isNotEmpty(headers)) {
             for (String key : headers.keySet()) {
                 request.setRequestHeader(key, headers.get(key));
@@ -111,6 +115,7 @@ protected Pair<Boolean, String> performDownload() {
     public boolean checkUrl(String url) {
         HeadMethod httpHead = new HeadMethod(url);
         httpHead.setFollowRedirects(this.isFollowRedirects());
+        httpHead.getParams().setParameter(HttpMethodParams.USER_AGENT, HttpClientCloudStackUserAgent.CLOUDSTACK_USER_AGENT);
         try {
             int responseCode = client.executeMethod(httpHead);
             if (responseCode != HttpStatus.SC_OK) {
diff --git a/core/src/main/java/org/apache/cloudstack/direct/download/MetalinkDirectTemplateDownloader.java b/core/src/main/java/org/apache/cloudstack/direct/download/MetalinkDirectTemplateDownloader.java
index 2050b9ef09f7..854c310cde9a 100644
--- a/core/src/main/java/org/apache/cloudstack/direct/download/MetalinkDirectTemplateDownloader.java
+++ b/core/src/main/java/org/apache/cloudstack/direct/download/MetalinkDirectTemplateDownloader.java
@@ -97,7 +97,7 @@ public Pair<Boolean, String> downloadTemplate() {
             DirectTemplateDownloader urlDownloader = createDownloaderForMetalinks(getUrl(), getTemplateId(), getDestPoolPath(),
                     getChecksum(), headers, connectTimeout, soTimeout, null, temporaryDownloadPath);
             try {
-                setDownloadedFilePath(downloadDir + File.separator + getFileNameFromUrl());
+                setDownloadedFilePath(downloadDir + File.separator + getTemporaryFileName());
                 File f = new File(getDownloadedFilePath());
                 if (f.exists()) {
                     f.delete();
diff --git a/core/src/main/java/org/apache/cloudstack/direct/download/NfsDirectTemplateDownloader.java b/core/src/main/java/org/apache/cloudstack/direct/download/NfsDirectTemplateDownloader.java
index 21184ef07fe9..6b0959b78ffb 100644
--- a/core/src/main/java/org/apache/cloudstack/direct/download/NfsDirectTemplateDownloader.java
+++ b/core/src/main/java/org/apache/cloudstack/direct/download/NfsDirectTemplateDownloader.java
@@ -69,7 +69,7 @@ public Pair<Boolean, String> downloadTemplate() {
         String mount = String.format(mountCommand, srcHost + ":" + srcPath, "/mnt/" + mountSrcUuid);
         Script.runSimpleBashScript(mount);
         String downloadDir = getDestPoolPath() + File.separator + getDirectDownloadTempPath(getTemplateId());
-        setDownloadedFilePath(downloadDir + File.separator + getFileNameFromUrl());
+        setDownloadedFilePath(downloadDir + File.separator + getTemporaryFileName());
         Script.runSimpleBashScript("cp /mnt/" + mountSrcUuid + srcPath + " " + getDownloadedFilePath());
         Script.runSimpleBashScript("umount /mnt/" + mountSrcUuid);
         return new Pair<>(true, getDownloadedFilePath());
diff --git a/core/src/main/java/org/apache/cloudstack/storage/command/TemplateOrVolumePostUploadCommand.java b/core/src/main/java/org/apache/cloudstack/storage/command/TemplateOrVolumePostUploadCommand.java
index 253a2607a72c..98db75f39025 100644
--- a/core/src/main/java/org/apache/cloudstack/storage/command/TemplateOrVolumePostUploadCommand.java
+++ b/core/src/main/java/org/apache/cloudstack/storage/command/TemplateOrVolumePostUploadCommand.java
@@ -19,6 +19,9 @@
 
 package org.apache.cloudstack.storage.command;
 
+import com.cloud.configuration.Resource;
+import org.apache.cloudstack.utils.bytescale.ByteScaleUtils;
+
 public class TemplateOrVolumePostUploadCommand {
 
     long entityId;
@@ -185,6 +188,11 @@ public void setDescription(String description) {
         this.description = description;
     }
 
+    public void setDefaultMaxSecondaryStorageInBytes(long defaultMaxSecondaryStorageInBytes) {
+        this.defaultMaxSecondaryStorageInGB = defaultMaxSecondaryStorageInBytes != Resource.RESOURCE_UNLIMITED ?
+                ByteScaleUtils.bytesToGibibytes(defaultMaxSecondaryStorageInBytes) : Resource.RESOURCE_UNLIMITED;
+    }
+
     public void setDefaultMaxSecondaryStorageInGB(long defaultMaxSecondaryStorageInGB) {
         this.defaultMaxSecondaryStorageInGB = defaultMaxSecondaryStorageInGB;
     }
diff --git a/core/src/main/java/org/apache/cloudstack/storage/command/UploadStatusCommand.java b/core/src/main/java/org/apache/cloudstack/storage/command/UploadStatusCommand.java
index 9e6b76e467ff..f78744046f73 100644
--- a/core/src/main/java/org/apache/cloudstack/storage/command/UploadStatusCommand.java
+++ b/core/src/main/java/org/apache/cloudstack/storage/command/UploadStatusCommand.java
@@ -28,6 +28,7 @@ public enum EntityType {
     }
     private String entityUuid;
     private EntityType entityType;
+    private Boolean abort;
 
     protected UploadStatusCommand() {
     }
@@ -37,6 +38,11 @@ public UploadStatusCommand(String entityUuid, EntityType entityType) {
         this.entityType = entityType;
     }
 
+    public UploadStatusCommand(String entityUuid, EntityType entityType, Boolean abort) {
+        this(entityUuid, entityType);
+        this.abort = abort;
+    }
+
     public String getEntityUuid() {
         return entityUuid;
     }
@@ -45,6 +51,10 @@ public EntityType getEntityType() {
         return entityType;
     }
 
+    public Boolean getAbort() {
+        return abort;
+    }
+
     @Override
     public boolean executeInSequence() {
         return false;
diff --git a/core/src/test/java/com/cloud/agent/resource/virtualnetwork/ConfigHelperTest.java b/core/src/test/java/com/cloud/agent/resource/virtualnetwork/ConfigHelperTest.java
index 6d4c6234c424..4ddadab999a4 100644
--- a/core/src/test/java/com/cloud/agent/resource/virtualnetwork/ConfigHelperTest.java
+++ b/core/src/test/java/com/cloud/agent/resource/virtualnetwork/ConfigHelperTest.java
@@ -235,7 +235,7 @@ protected LoadBalancerConfigCommand generateLoadBalancerConfigCommand() {
         lbs.toArray(arrayLbs);
 
         final NicTO nic = new NicTO();
-        final LoadBalancerConfigCommand cmd = new LoadBalancerConfigCommand(arrayLbs, "64.10.2.10", "10.1.10.2", "192.168.1.2", nic, null, "1000", false);
+        final LoadBalancerConfigCommand cmd = new LoadBalancerConfigCommand(arrayLbs, "64.10.2.10", "10.1.10.2", "192.168.1.2", nic, null, "1000", false, 0L);
         cmd.setAccessDetail(NetworkElementCommand.ROUTER_IP, "10.1.10.2");
         cmd.setAccessDetail(NetworkElementCommand.ROUTER_NAME, ROUTERNAME);
 
diff --git a/core/src/test/java/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResourceTest.java b/core/src/test/java/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResourceTest.java
index 4196587cc3f2..ed819bb7c68f 100644
--- a/core/src/test/java/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResourceTest.java
+++ b/core/src/test/java/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResourceTest.java
@@ -779,7 +779,7 @@ protected LoadBalancerConfigCommand generateLoadBalancerConfigCommand1() {
         final LoadBalancerTO[] arrayLbs = new LoadBalancerTO[lbs.size()];
         lbs.toArray(arrayLbs);
         final NicTO nic = new NicTO();
-        final LoadBalancerConfigCommand cmd = new LoadBalancerConfigCommand(arrayLbs, "64.10.2.10", "10.1.10.2", "192.168.1.2", nic, null, "1000", false);
+        final LoadBalancerConfigCommand cmd = new LoadBalancerConfigCommand(arrayLbs, "64.10.2.10", "10.1.10.2", "192.168.1.2", nic, null, "1000", false, 50000L);
         cmd.setAccessDetail(NetworkElementCommand.ROUTER_IP, "10.1.10.2");
         cmd.setAccessDetail(NetworkElementCommand.ROUTER_NAME, ROUTERNAME);
         return cmd;
@@ -795,7 +795,7 @@ protected LoadBalancerConfigCommand generateLoadBalancerConfigCommand2() {
         lbs.toArray(arrayLbs);
         final NicTO nic = new NicTO();
         nic.setIp("10.1.10.2");
-        final LoadBalancerConfigCommand cmd = new LoadBalancerConfigCommand(arrayLbs, "64.10.2.10", "10.1.10.2", "192.168.1.2", nic, Long.valueOf(1), "1000", false);
+        final LoadBalancerConfigCommand cmd = new LoadBalancerConfigCommand(arrayLbs, "64.10.2.10", "10.1.10.2", "192.168.1.2", nic, Long.valueOf(1), "1000", false, 50000L);
         cmd.setAccessDetail(NetworkElementCommand.ROUTER_IP, "10.1.10.2");
         cmd.setAccessDetail(NetworkElementCommand.ROUTER_NAME, ROUTERNAME);
         return cmd;
diff --git a/core/src/test/java/com/cloud/network/HAProxyConfiguratorTest.java b/core/src/test/java/com/cloud/network/HAProxyConfiguratorTest.java
index 72361c2880ed..073f976719b5 100644
--- a/core/src/test/java/com/cloud/network/HAProxyConfiguratorTest.java
+++ b/core/src/test/java/com/cloud/network/HAProxyConfiguratorTest.java
@@ -79,13 +79,14 @@ public void testGenerateConfigurationLoadBalancerConfigCommand() {
         LoadBalancerTO[] lba = new LoadBalancerTO[1];
         lba[0] = lb;
         HAProxyConfigurator hpg = new HAProxyConfigurator();
-        LoadBalancerConfigCommand cmd = new LoadBalancerConfigCommand(lba, "10.0.0.1", "10.1.0.1", "10.1.1.1", null, 1L, "12", false);
+        LoadBalancerConfigCommand cmd = new LoadBalancerConfigCommand(lba, "10.0.0.1", "10.1.0.1", "10.1.1.1", null, 1L, "12", false, 0L);
         String result = genConfig(hpg, cmd);
         assertTrue("keepalive disabled should result in 'option httpclose' in the resulting haproxy config", result.contains("\toption httpclose"));
 
-        cmd = new LoadBalancerConfigCommand(lba, "10.0.0.1", "10.1.0.1", "10.1.1.1", null, 1L, "4", true);
+        cmd = new LoadBalancerConfigCommand(lba, "10.0.0.1", "10.1.0.1", "10.1.1.1", null, 1L, "4", true, 0L);
         result = genConfig(hpg, cmd);
         assertTrue("keepalive enabled should result in 'no option httpclose' in the resulting haproxy config", result.contains("\tno option httpclose"));
+
         // TODO
         // create lb command
         // setup tests for
@@ -93,6 +94,27 @@ public void testGenerateConfigurationLoadBalancerConfigCommand() {
         // httpmode
     }
 
+    /**
+     * Test method for {@link com.cloud.network.HAProxyConfigurator#generateConfiguration(com.cloud.agent.api.routing.LoadBalancerConfigCommand)}.
+     */
+    @Test
+    public void testGenerateConfigurationLoadBalancerIdleTimeoutConfigCommand() {
+        LoadBalancerTO lb = new LoadBalancerTO("1", "10.2.0.1", 80, "http", "bla", false, false, false, null);
+        LoadBalancerTO[] lba = new LoadBalancerTO[1];
+        lba[0] = lb;
+        HAProxyConfigurator hpg = new HAProxyConfigurator();
+
+        LoadBalancerConfigCommand cmd = new LoadBalancerConfigCommand(lba, "10.0.0.1", "10.1.0.1", "10.1.1.1", null, 1L, "4", true, 0L);
+        String result = genConfig(hpg, cmd);
+        assertTrue("idleTimeout of 0 should not generate 'timeout server' in the resulting haproxy config", !result.contains("\ttimeout server"));
+        assertTrue("idleTimeout of 0 should not generate 'timeout client' in the resulting haproxy config", !result.contains("\ttimeout client"));
+
+        cmd = new LoadBalancerConfigCommand(lba, "10.0.0.1", "10.1.0.1", "10.1.1.1", null, 1L, "4", true, 1234L);
+        result = genConfig(hpg, cmd);
+        assertTrue("idleTimeout of 1234 should result in 'timeout server     1234' in the resulting haproxy config", result.contains("\ttimeout server     1234"));
+        assertTrue("idleTimeout of 1234 should result in 'timeout client     1234' in the resulting haproxy config", result.contains("\ttimeout client     1234"));
+    }
+
     /**
      * Test method for {@link com.cloud.network.HAProxyConfigurator#generateConfiguration(com.cloud.agent.api.routing.LoadBalancerConfigCommand)}.
      */
@@ -106,7 +128,7 @@ public void testGenerateConfigurationLoadBalancerProxyProtocolConfigCommand() {
         LoadBalancerTO[] lba = new LoadBalancerTO[1];
         lba[0] = lb;
         HAProxyConfigurator hpg = new HAProxyConfigurator();
-        LoadBalancerConfigCommand cmd = new LoadBalancerConfigCommand(lba, "10.0.0.1", "10.1.0.1", "10.1.1.1", null, 1L, "12", false);
+        LoadBalancerConfigCommand cmd = new LoadBalancerConfigCommand(lba, "10.0.0.1", "10.1.0.1", "10.1.1.1", null, 1L, "12", false, 0L);
         String result = genConfig(hpg, cmd);
         assertTrue("'send-proxy' should result if protocol is 'tcp-proxy'", result.contains("send-proxy"));
     }
@@ -118,7 +140,7 @@ public void generateConfigurationTestWithCidrList() {
         LoadBalancerTO[] lba = new LoadBalancerTO[1];
         lba[0] = lb;
         HAProxyConfigurator hpg = new HAProxyConfigurator();
-        LoadBalancerConfigCommand cmd = new LoadBalancerConfigCommand(lba, "10.0.0.1", "10.1.0.1", "10.1.1.1", null, 1L, "12", false);
+        LoadBalancerConfigCommand cmd = new LoadBalancerConfigCommand(lba, "10.0.0.1", "10.1.0.1", "10.1.1.1", null, 1L, "12", false, 0L);
         String result = genConfig(hpg, cmd);
         Assert.assertTrue(result.contains("acl network_allowed src 1.1.1.1 2.2.2.2/24 \n\ttcp-request connection reject if !network_allowed"));
     }
@@ -131,7 +153,7 @@ public void generateConfigurationTestWithSslCert() {
         LoadBalancerTO[] lba = new LoadBalancerTO[1];
         lba[0] = lb;
         HAProxyConfigurator hpg = new HAProxyConfigurator();
-        LoadBalancerConfigCommand cmd = new LoadBalancerConfigCommand(lba, "10.0.0.1", "10.1.0.1", "10.1.1.1", null, 1L, "12", false);
+        LoadBalancerConfigCommand cmd = new LoadBalancerConfigCommand(lba, "10.0.0.1", "10.1.0.1", "10.1.1.1", null, 1L, "12", false, 0L);
         String result = genConfig(hpg, cmd);
         Assert.assertTrue(result.contains("bind 10.2.0.1:443 ssl crt /etc/cloudstack/ssl/10_2_0_1-443.pem"));
     }
diff --git a/debian/changelog b/debian/changelog
index 02251137e9d0..41f97748a0b5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,13 +2,19 @@ cloudstack (4.23.0.0-SNAPSHOT) unstable; urgency=low
 
   * Update the version to 4.23.0.0-SNAPSHOT
 
- -- the Apache CloudStack project <dev@cloudstack.apache.org>  Thu, 30 Oct 2025 19:23:55 +0530
+ -- the Apache CloudStack project <dev@cloudstack.apache.org>  Fri, 22 May 2026 10:20:00 -0300
+
+cloudstack (4.22.1.0) unstable; urgency=low
+
+  * Update the version to 4.22.1.0
 
-cloudstack (4.23.0.0-SNAPSHOT-SNAPSHOT) unstable; urgency=low
+ -- the Apache CloudStack project <dev@cloudstack.apache.org>  Mon, 11 May 2026 20:26:07 +0530
 
-  * Update the version to 4.23.0.0-SNAPSHOT-SNAPSHOT
+cloudstack (4.22.0.0) unstable; urgency=low
 
- -- the Apache CloudStack project <dev@cloudstack.apache.org>  Thu, Aug 28 11:58:36 2025 +0530
+  * Update the version to 4.22.0.0
+
+ -- the Apache CloudStack project <dev@cloudstack.apache.org>  Thu, 30 Oct 2025 19:23:55 +0530
 
 cloudstack (4.21.0.0) unstable; urgency=low
 
diff --git a/engine/api/src/main/java/com/cloud/vm/VirtualMachineManager.java b/engine/api/src/main/java/com/cloud/vm/VirtualMachineManager.java
index 702404546894..e871bd8672ff 100644
--- a/engine/api/src/main/java/com/cloud/vm/VirtualMachineManager.java
+++ b/engine/api/src/main/java/com/cloud/vm/VirtualMachineManager.java
@@ -181,15 +181,6 @@ void orchestrateStart(String vmUuid, Map<VirtualMachineProfile.Param, Object> pa
     void advanceReboot(String vmUuid, Map<VirtualMachineProfile.Param, Object> params) throws InsufficientCapacityException, ResourceUnavailableException,
         ConcurrentOperationException, OperationTimedoutException;
 
-    /**
-     * Check to see if a virtual machine can be upgraded to the given service offering
-     *
-     * @param vm
-     * @param offering
-     * @return true if the host can handle the upgrade, false otherwise
-     */
-    boolean isVirtualMachineUpgradable(final VirtualMachine vm, final ServiceOffering offering);
-
     VirtualMachine findById(long vmId);
 
     void storageMigration(String vmUuid, Map<Long, Long> volumeToPool);
@@ -230,6 +221,8 @@ NicProfile addVmToNetwork(VirtualMachine vm, Network network, NicProfile request
 
     Boolean updateDefaultNicForVM(VirtualMachine vm, Nic nic, Nic defaultNic);
 
+    boolean updateVmNic(VirtualMachine vm, Nic nic, Boolean enabled) throws ResourceUnavailableException;
+
     /**
      * @param vm
      * @param network
diff --git a/engine/api/src/main/java/org/apache/cloudstack/engine/orchestration/service/NetworkOrchestrationService.java b/engine/api/src/main/java/org/apache/cloudstack/engine/orchestration/service/NetworkOrchestrationService.java
index 947cbd8e6182..030c1277efe2 100644
--- a/engine/api/src/main/java/org/apache/cloudstack/engine/orchestration/service/NetworkOrchestrationService.java
+++ b/engine/api/src/main/java/org/apache/cloudstack/engine/orchestration/service/NetworkOrchestrationService.java
@@ -122,6 +122,14 @@ public interface NetworkOrchestrationService {
                     "Load Balancer(haproxy) maximum number of concurrent connections(global max)",
                     true,
                     Scope.Global);
+    ConfigKey<Long> NETWORK_LB_HAPROXY_IDLE_TIMEOUT = new ConfigKey<>(
+                    "Network",
+                    Long.class,
+                    "network.loadbalancer.haproxy.idle.timeout",
+                    "50000",
+                    "Load Balancer(haproxy) idle timeout in milliseconds. Use 0 for infinite.",
+                    true,
+                    Scope.Global);
 
     List<? extends Network> setupNetwork(Account owner, NetworkOffering offering, DeploymentPlan plan, String name, String displayText, boolean isDefault)
         throws ConcurrentOperationException;
@@ -212,6 +220,11 @@ Network createGuestNetwork(long networkOfferingId, String name, String displayTe
                                Boolean displayNetworkEnabled, String isolatedPvlan, Network.PVlanType isolatedPvlanType, String externalId, String routerIp, String routerIpv6,
                                String ip4Dns1, String ip4Dns2, String ip6Dns1, String ip6Dns2, Pair<Integer, Integer> vrIfaceMTUs, Integer networkCidrSize) throws ConcurrentOperationException, InsufficientCapacityException, ResourceAllocationException;
 
+    Network createGuestNetwork(long networkOfferingId, String name, String displayText, String gateway, String cidr, String vlanId, boolean bypassVlanOverlapCheck, String networkDomain, Account owner,
+                               Long domainId, PhysicalNetwork physicalNetwork, long zoneId, ACLType aclType, Boolean subdomainAccess, Long vpcId, String ip6Gateway, String ip6Cidr,
+                               Boolean displayNetworkEnabled, String isolatedPvlan, Network.PVlanType isolatedPvlanType, String externalId, String routerIp, String routerIpv6,
+                               String ip4Dns1, String ip4Dns2, String ip6Dns1, String ip6Dns2, Pair<Integer, Integer> vrIfaceMTUs, Integer networkCidrSize, boolean keepMacAddressOnPublicNic) throws ConcurrentOperationException, InsufficientCapacityException, ResourceAllocationException;
+
     UserDataServiceProvider getPasswordResetProvider(Network network);
 
     UserDataServiceProvider getSSHKeyResetProvider(Network network);
@@ -310,7 +323,7 @@ void implementNetworkElementsAndResources(DeployDestination dest, ReservationCon
 
     void removeDhcpServiceInSubnet(Nic nic);
 
-    boolean resourceCountNeedsUpdate(NetworkOffering ntwkOff, ACLType aclType);
+    boolean isResourceCountUpdateNeeded(NetworkOffering networkOffering);
 
     void prepareAllNicsForMigration(VirtualMachineProfile vm, DeployDestination dest);
 
diff --git a/engine/api/src/main/java/org/apache/cloudstack/engine/orchestration/service/VolumeOrchestrationService.java b/engine/api/src/main/java/org/apache/cloudstack/engine/orchestration/service/VolumeOrchestrationService.java
index 6f8c46304567..a55219511cb3 100644
--- a/engine/api/src/main/java/org/apache/cloudstack/engine/orchestration/service/VolumeOrchestrationService.java
+++ b/engine/api/src/main/java/org/apache/cloudstack/engine/orchestration/service/VolumeOrchestrationService.java
@@ -120,7 +120,7 @@ VolumeInfo moveVolume(VolumeInfo volume, long destPoolDcId, Long destPoolPodId,
     void destroyVolume(Volume volume);
 
     DiskProfile allocateRawVolume(Type type, String name, DiskOffering offering, Long size, Long minIops, Long maxIops, VirtualMachine vm, VirtualMachineTemplate template,
-            Account owner, Long deviceId);
+            Account owner, Long deviceId, boolean incrementResourceCount);
 
     VolumeInfo createVolumeOnPrimaryStorage(VirtualMachine vm, VolumeInfo volume, HypervisorType rootDiskHyperType, StoragePool storagePool) throws NoTransitionException;
 
diff --git a/engine/components-api/src/main/java/com/cloud/capacity/CapacityManager.java b/engine/components-api/src/main/java/com/cloud/capacity/CapacityManager.java
index 4c81c7359f25..abaf6ea967d0 100644
--- a/engine/components-api/src/main/java/com/cloud/capacity/CapacityManager.java
+++ b/engine/components-api/src/main/java/com/cloud/capacity/CapacityManager.java
@@ -133,6 +133,20 @@ public interface CapacityManager {
             "capacity.calculate.workers", "1",
             "Number of worker threads to be used for capacities calculation", true);
 
+    ConfigKey<Integer> KvmMemoryDynamicScalingCapacity = new ConfigKey<>(ConfigKey.CATEGORY_ADVANCED,
+            Integer.class, "kvm.memory.dynamic.scaling.capacity", "0",
+            "Defines the maximum memory capacity in MiB for which VMs can be dynamically scaled to with KVM. " +
+                    "The 'kvm.memory.dynamic.scaling.capacity' setting's value will be used to define the value of the " +
+                    "'<maxMemory />' element of domain XMLs. If it is set to a value less than or equal to '0', then the host's memory capacity will be considered.",
+            true, ConfigKey.Scope.Cluster);
+
+    ConfigKey<Integer> KvmCpuDynamicScalingCapacity = new ConfigKey<>(ConfigKey.CATEGORY_ADVANCED,
+            Integer.class, "kvm.cpu.dynamic.scaling.capacity", "0",
+            "Defines the maximum vCPU capacity for which VMs can be dynamically scaled to with KVM. " +
+                    "The 'kvm.cpu.dynamic.scaling.capacity' setting's value will be used to define the value of the " +
+                    "'<vcpu />' element of domain XMLs. If it is set to a value less than or equal to '0', then the host's CPU cores capacity will be considered.",
+            true, ConfigKey.Scope.Cluster);
+
     public boolean releaseVmCapacity(VirtualMachine vm, boolean moveFromReserved, boolean moveToReservered, Long hostId);
 
     void allocateVmCapacity(VirtualMachine vm, boolean fromLastHost);
diff --git a/engine/components-api/src/main/java/com/cloud/ha/HighAvailabilityManager.java b/engine/components-api/src/main/java/com/cloud/ha/HighAvailabilityManager.java
index ddc8153d7398..53bfcce27038 100644
--- a/engine/components-api/src/main/java/com/cloud/ha/HighAvailabilityManager.java
+++ b/engine/components-api/src/main/java/com/cloud/ha/HighAvailabilityManager.java
@@ -21,6 +21,7 @@
 import com.cloud.deploy.DeploymentPlanner;
 import com.cloud.host.HostVO;
 import com.cloud.host.Status;
+import com.cloud.storage.Storage.StoragePoolType;
 import com.cloud.utils.component.Manager;
 import com.cloud.vm.VMInstanceVO;
 import org.apache.cloudstack.framework.config.ConfigKey;
@@ -32,6 +33,8 @@
  */
 public interface HighAvailabilityManager extends Manager {
 
+    List<StoragePoolType> LIBVIRT_STORAGE_POOL_TYPES_WITH_HA_SUPPORT = List.of(StoragePoolType.NetworkFilesystem, StoragePoolType.SharedMountPoint);
+
     ConfigKey<Boolean> ForceHA = new ConfigKey<>("Advanced", Boolean.class, "force.ha", "false",
         "Force High-Availability to happen even if the VM says no.", true, Cluster);
 
@@ -72,10 +75,10 @@ public interface HighAvailabilityManager extends Manager {
         + " which are registered for the HA event that were successful and are now ready to be purged.",
         true, Cluster);
 
-    public static final ConfigKey<Boolean> KvmHAFenceHostIfHeartbeatFailsOnStorage = new ConfigKey<>("Advanced", Boolean.class, "kvm.ha.fence.on.storage.heartbeat.failure", "false",
+    ConfigKey<Boolean> KvmHAFenceHostIfHeartbeatFailsOnStorage = new ConfigKey<>("Advanced", Boolean.class, "kvm.ha.fence.on.storage.heartbeat.failure", "false",
             "Proceed fencing the host even the heartbeat failed for only one storage pool", false, ConfigKey.Scope.Zone);
 
-    public enum WorkType {
+    enum WorkType {
         Migration,  // Migrating VMs off of a host.
         Stop,       // Stops a VM for storage pool migration purposes.  This should be obsolete now.
         CheckStop,  // Checks if a VM has been stopped.
diff --git a/engine/components-api/src/main/java/com/cloud/resource/ResourceManager.java b/engine/components-api/src/main/java/com/cloud/resource/ResourceManager.java
index e724f5d081bd..4767e86e8ab8 100755
--- a/engine/components-api/src/main/java/com/cloud/resource/ResourceManager.java
+++ b/engine/components-api/src/main/java/com/cloud/resource/ResourceManager.java
@@ -122,6 +122,8 @@ public interface ResourceManager extends ResourceService, Configurable {
 
     public boolean executeUserRequest(long hostId, ResourceState.Event event) throws AgentUnavailableException;
 
+    boolean executeUserRequest(long hostId, ResourceState.Event event, boolean isForced, boolean isForceDeleteStorage) throws AgentUnavailableException;
+
     boolean resourceStateTransitTo(Host host, Event event, long msId) throws NoTransitionException;
 
     boolean umanageHost(long hostId);
diff --git a/engine/orchestration/src/main/java/com/cloud/agent/manager/AgentManagerImpl.java b/engine/orchestration/src/main/java/com/cloud/agent/manager/AgentManagerImpl.java
index 527c5259376a..1215829d92f8 100644
--- a/engine/orchestration/src/main/java/com/cloud/agent/manager/AgentManagerImpl.java
+++ b/engine/orchestration/src/main/java/com/cloud/agent/manager/AgentManagerImpl.java
@@ -805,8 +805,11 @@ protected AgentAttache notifyMonitorsOfConnection(final AgentAttache attache, fi
                 String uefiEnabled = detailsMap.get(Host.HOST_UEFI_ENABLE);
                 String virtv2vVersion = detailsMap.get(Host.HOST_VIRTV2V_VERSION);
                 String ovftoolVersion = detailsMap.get(Host.HOST_OVFTOOL_VERSION);
+                String vddkSupport = detailsMap.get(Host.HOST_VDDK_SUPPORT);
+                String vddkLibDir = detailsMap.get(Host.HOST_VDDK_LIB_DIR);
+                String vddkVersion = detailsMap.get(Host.HOST_VDDK_VERSION);
                 logger.debug("Got HOST_UEFI_ENABLE [{}] for host [{}]:", uefiEnabled, host);
-                if (ObjectUtils.anyNotNull(uefiEnabled, virtv2vVersion, ovftoolVersion)) {
+                if (ObjectUtils.anyNotNull(uefiEnabled, virtv2vVersion, ovftoolVersion, vddkSupport, vddkLibDir, vddkVersion)) {
                     _hostDao.loadDetails(host);
                     boolean updateNeeded = false;
                     if (StringUtils.isNotBlank(uefiEnabled) && !uefiEnabled.equals(host.getDetails().get(Host.HOST_UEFI_ENABLE))) {
@@ -821,6 +824,26 @@ protected AgentAttache notifyMonitorsOfConnection(final AgentAttache attache, fi
                         host.getDetails().put(Host.HOST_OVFTOOL_VERSION, ovftoolVersion);
                         updateNeeded = true;
                     }
+                    if (StringUtils.isNotBlank(vddkSupport) && !vddkSupport.equals(host.getDetails().get(Host.HOST_VDDK_SUPPORT))) {
+                        host.getDetails().put(Host.HOST_VDDK_SUPPORT, vddkSupport);
+                        updateNeeded = true;
+                    }
+                    if (!StringUtils.defaultString(vddkLibDir).equals(StringUtils.defaultString(host.getDetails().get(Host.HOST_VDDK_LIB_DIR)))) {
+                        if (StringUtils.isBlank(vddkLibDir)) {
+                            host.getDetails().remove(Host.HOST_VDDK_LIB_DIR);
+                        } else {
+                            host.getDetails().put(Host.HOST_VDDK_LIB_DIR, vddkLibDir);
+                        }
+                        updateNeeded = true;
+                    }
+                    if (!StringUtils.defaultString(vddkVersion).equals(StringUtils.defaultString(host.getDetails().get(Host.HOST_VDDK_VERSION)))) {
+                        if (StringUtils.isBlank(vddkVersion)) {
+                            host.getDetails().remove(Host.HOST_VDDK_VERSION);
+                        } else {
+                            host.getDetails().put(Host.HOST_VDDK_VERSION, vddkVersion);
+                        }
+                        updateNeeded = true;
+                    }
                     if (updateNeeded) {
                         _hostDao.saveDetails(host);
                     }
diff --git a/engine/orchestration/src/main/java/com/cloud/agent/manager/ClusteredAgentManagerImpl.java b/engine/orchestration/src/main/java/com/cloud/agent/manager/ClusteredAgentManagerImpl.java
index cfa0949883fd..38a198b73040 100644
--- a/engine/orchestration/src/main/java/com/cloud/agent/manager/ClusteredAgentManagerImpl.java
+++ b/engine/orchestration/src/main/java/com/cloud/agent/manager/ClusteredAgentManagerImpl.java
@@ -1306,11 +1306,20 @@ public String dispatch(final ClusterServicePdu pdu) {
 
                 boolean result;
                 try {
-                    result = _resourceMgr.executeUserRequest(cmd.getHostId(), cmd.getEvent());
+                    result = _resourceMgr.executeUserRequest(cmd.getHostId(), cmd.getEvent(), cmd.isForced(), cmd.isForceDeleteStorage());
                     logger.debug("Result is {}", result);
                 } catch (final AgentUnavailableException ex) {
                     logger.warn("Agent is unavailable", ex);
                     return null;
+                } catch (final RuntimeException ex) {
+                    logger.error(String.format("Failed to execute propagated event %s for host %d", cmd.getEvent().name(), cmd.getHostId()), ex);
+                    final Answer[] answers = new Answer[1];
+                    String details = ex.getMessage();
+                    if (details == null || details.isEmpty()) {
+                        details = ex.toString();
+                    }
+                    answers[0] = new Answer(cmd, false, details);
+                    return _gson.toJson(answers);
                 }
 
                 final Answer[] answers = new Answer[1];
diff --git a/engine/orchestration/src/main/java/com/cloud/vm/VirtualMachineManagerImpl.java b/engine/orchestration/src/main/java/com/cloud/vm/VirtualMachineManagerImpl.java
index e8796fb02529..ead990b42b86 100755
--- a/engine/orchestration/src/main/java/com/cloud/vm/VirtualMachineManagerImpl.java
+++ b/engine/orchestration/src/main/java/com/cloud/vm/VirtualMachineManagerImpl.java
@@ -17,6 +17,7 @@
 
 package com.cloud.vm;
 
+import static com.cloud.configuration.ConfigurationManagerImpl.EXPOSE_ERRORS_TO_USER;
 import static com.cloud.configuration.ConfigurationManagerImpl.MIGRATE_VM_ACROSS_CLUSTERS;
 
 import java.lang.reflect.Field;
@@ -49,7 +50,7 @@
 import javax.naming.ConfigurationException;
 import javax.persistence.EntityExistsException;
 
-
+import com.cloud.hypervisor.KVMGuru;
 import org.apache.cloudstack.affinity.dao.AffinityGroupVMMapDao;
 import org.apache.cloudstack.annotation.AnnotationService;
 import org.apache.cloudstack.annotation.dao.AnnotationDao;
@@ -153,6 +154,8 @@
 import com.cloud.agent.api.UnPlugNicCommand;
 import com.cloud.agent.api.UnmanageInstanceCommand;
 import com.cloud.agent.api.UnregisterVMCommand;
+import com.cloud.agent.api.UpdateVmNicAnswer;
+import com.cloud.agent.api.UpdateVmNicCommand;
 import com.cloud.agent.api.VmDiskStatsEntry;
 import com.cloud.agent.api.VmNetworkStatsEntry;
 import com.cloud.agent.api.VmStatsEntry;
@@ -307,7 +310,6 @@
 import com.cloud.vm.snapshot.dao.VMSnapshotDao;
 import com.google.gson.Gson;
 
-
 public class VirtualMachineManagerImpl extends ManagerBase implements VirtualMachineManager, VmWorkJobHandler, Listener, Configurable {
 
     public static final String VM_WORK_JOB_HANDLER = VirtualMachineManagerImpl.class.getSimpleName();
@@ -585,7 +587,7 @@ public void allocate(final String vmInstanceName, final VirtualMachineTemplate t
                         Long deviceId = dataDiskDeviceIds.get(index++);
                         String volumeName = deviceId == null ? "DATA-" + persistedVm.getId() : "DATA-" + persistedVm.getId() + "-" + String.valueOf(deviceId);
                         volumeMgr.allocateRawVolume(Type.DATADISK, volumeName, dataDiskOfferingInfo.getDiskOffering(), dataDiskOfferingInfo.getSize(),
-                                dataDiskOfferingInfo.getMinIops(), dataDiskOfferingInfo.getMaxIops(), persistedVm, template, owner, deviceId);
+                                dataDiskOfferingInfo.getMinIops(), dataDiskOfferingInfo.getMaxIops(), persistedVm, template, owner, deviceId, true);
                     }
                 }
                 if (datadiskTemplateToDiskOfferingMap != null && !datadiskTemplateToDiskOfferingMap.isEmpty()) {
@@ -595,7 +597,7 @@ public void allocate(final String vmInstanceName, final VirtualMachineTemplate t
                         long diskOfferingSize = diskOffering.getDiskSize() / (1024 * 1024 * 1024);
                         VMTemplateVO dataDiskTemplate = _templateDao.findById(dataDiskTemplateToDiskOfferingMap.getKey());
                         volumeMgr.allocateRawVolume(Type.DATADISK, "DATA-" + persistedVm.getId() + "-" + String.valueOf( diskNumber), diskOffering, diskOfferingSize, null, null,
-                                persistedVm, dataDiskTemplate, owner, diskNumber);
+                                persistedVm, dataDiskTemplate, owner, diskNumber, true);
                         diskNumber++;
                     }
                 }
@@ -625,7 +627,7 @@ private void allocateRootVolume(VMInstanceVO vm, VirtualMachineTemplate template
             String rootVolumeName = String.format("ROOT-%s", vm.getId());
             if (template.getFormat() == ImageFormat.ISO) {
                 volumeMgr.allocateRawVolume(Type.ROOT, rootVolumeName, rootDiskOfferingInfo.getDiskOffering(), rootDiskOfferingInfo.getSize(),
-                        rootDiskOfferingInfo.getMinIops(), rootDiskOfferingInfo.getMaxIops(), vm, template, owner, null);
+                        rootDiskOfferingInfo.getMinIops(), rootDiskOfferingInfo.getMaxIops(), vm, template, owner, null, true);
             } else if (Arrays.asList(ImageFormat.BAREMETAL, ImageFormat.EXTERNAL).contains(template.getFormat())) {
                 logger.debug("{} has format [{}]. Skipping ROOT volume [{}] allocation.", template, template.getFormat(), rootVolumeName);
             } else {
@@ -931,10 +933,22 @@ public void start(final String vmUuid, final Map<VirtualMachineProfile.Param, Ob
     public void start(final String vmUuid, final Map<VirtualMachineProfile.Param, Object> params, final DeploymentPlan planToDeploy, final DeploymentPlanner planner) {
         try {
             advanceStart(vmUuid, params, planToDeploy, planner);
-        } catch (ConcurrentOperationException | InsufficientCapacityException e) {
-            throw new CloudRuntimeException(String.format("Unable to start a VM [%s] due to [%s].", vmUuid, e.getMessage()), e).add(VirtualMachine.class, vmUuid);
+        } catch (ConcurrentOperationException e) {
+            final CallContext cctxt = CallContext.current();
+            final Account account = cctxt.getCallingAccount();
+            if (canExposeError(account)) {
+                throw new CloudRuntimeException(String.format("Unable to start a VM [%s] due to [%s].", vmUuid, e.getMessage()), e).add(VirtualMachine.class, vmUuid);
+            }
+            throw new CloudRuntimeException(String.format("Unable to start a VM [%s] due to concurrent operation.", vmUuid), e).add(VirtualMachine.class, vmUuid);
+        } catch (final InsufficientCapacityException e) {
+            final CallContext cctxt = CallContext.current();
+            final Account account = cctxt.getCallingAccount();
+            if (canExposeError(account)) {
+                throw new CloudRuntimeException(String.format("Unable to start a VM [%s] due to [%s].", vmUuid, e.getMessage()), e).add(VirtualMachine.class, vmUuid);
+            }
+            throw new CloudRuntimeException(String.format("Unable to start a VM [%s] due to insufficient capacity.", vmUuid), e).add(VirtualMachine.class, vmUuid);
         } catch (final ResourceUnavailableException e) {
-            if (e.getScope() != null && e.getScope().equals(VirtualRouter.class)){
+            if (e.getScope() != null && e.getScope().equals(VirtualRouter.class)) {
                 Account callingAccount = CallContext.current().getCallingAccount();
                 String errorSuffix = (callingAccount != null && callingAccount.getType() == Account.Type.ADMIN) ?
                         String.format("Failure: %s", e.getMessage()) :
@@ -1365,6 +1379,7 @@ public void orchestrateStart(final String vmUuid, final Map<VirtualMachineProfil
 
         final HypervisorGuru hvGuru = _hvGuruMgr.getGuru(vm.getHypervisorType());
 
+        Throwable lastKnownError = null;
         boolean canRetry = true;
         ExcludeList avoids = null;
         try {
@@ -1388,7 +1403,8 @@ public void orchestrateStart(final String vmUuid, final Map<VirtualMachineProfil
 
             int retry = StartRetry.value();
             while (retry-- != 0) {
-                logger.debug("Instance start attempt #{}", (StartRetry.value() - retry));
+                int attemptNumber = StartRetry.value() - retry;
+                logger.debug("Instance start attempt #{}", attemptNumber);
 
                 if (reuseVolume) {
                     final List<VolumeVO> vols = _volsDao.findReadyRootVolumesByInstance(vm.getId());
@@ -1454,8 +1470,13 @@ public void orchestrateStart(final String vmUuid, final Map<VirtualMachineProfil
                         reuseVolume = false;
                         continue;
                     }
-                    throw new InsufficientServerCapacityException("Unable to create a deployment for " + vmProfile, DataCenter.class, plan.getDataCenterId(),
-                            areAffinityGroupsAssociated(vmProfile));
+                    String message = String.format("Unable to create a deployment for %s after %s attempts", vmProfile, attemptNumber);
+                    if (canExposeError(account) && lastKnownError != null) {
+                        message += String.format(" Last known error: %s", lastKnownError.getMessage());
+                        throw new CloudRuntimeException(message, lastKnownError);
+                    } else {
+                        throw new InsufficientServerCapacityException(message, DataCenter.class, plan.getDataCenterId(), areAffinityGroupsAssociated(vmProfile));
+                    }
                 }
 
                 avoids.addHost(dest.getHost().getId());
@@ -1623,11 +1644,15 @@ public void orchestrateStart(final String vmUuid, final Map<VirtualMachineProfil
                             throw new ExecutionException("Unable to start  VM:" + vm.getUuid() + " due to error in finalizeStart, not retrying");
                         }
                     }
-                    logger.info("Unable to start VM on {} due to {}", dest.getHost(), (startAnswer == null ? " no start answer" : startAnswer.getDetails()));
+                    String msg = String.format("Unable to start VM on %s due to %s", dest.getHost(), startAnswer == null ? "no start command answer" : startAnswer.getDetails());
+                    lastKnownError = new ExecutionException(msg);
+
                     if (startAnswer != null && startAnswer.getContextParam("stopRetry") != null) {
+                        logger.error(msg, lastKnownError);
                         break;
                     }
 
+                    logger.debug(msg, lastKnownError);
                 } catch (OperationTimedoutException e) {
                     logger.debug("Unable to send the start command to host {} failed to start VM: {}", dest.getHost(), vm);
                     if (e.isActive()) {
@@ -1637,6 +1662,7 @@ public void orchestrateStart(final String vmUuid, final Map<VirtualMachineProfil
                     throw new AgentUnavailableException("Unable to start " + vm.getHostName(), destHostId, e);
                 } catch (final ResourceUnavailableException e) {
                     logger.warn("Unable to contact resource.", e);
+                    lastKnownError = e;
                     if (!avoids.add(e)) {
                         if (e.getScope() == Volume.class || e.getScope() == Nic.class) {
                             throw e;
@@ -1693,10 +1719,22 @@ public void orchestrateStart(final String vmUuid, final Map<VirtualMachineProfil
         }
 
         if (startedVm == null) {
-            throw new CloudRuntimeException("Unable to start Instance '" + vm.getHostName() + "' (" + vm.getUuid() + "), see management server log for details");
+            String messageTmpl = "Unable to start Instance '%s' (%s)%s";
+            String details;
+            if (canExposeError(account) && lastKnownError != null) {
+                details = ": " + lastKnownError.getMessage();
+            } else {
+                details = ", see management server log for details";
+            }
+            String message = String.format(messageTmpl, vm.getHostName(), vm.getUuid(), details);
+            throw new CloudRuntimeException(message, lastKnownError);
         }
     }
 
+    private boolean canExposeError(Account account) {
+        return (account != null && account.getType() == Account.Type.ADMIN) || Boolean.TRUE.equals(EXPOSE_ERRORS_TO_USER.value());
+    }
+
     protected void updateStartCommandWithExternalDetails(Host host, VirtualMachineTO vmTO, StartCommand command) {
         if (!HypervisorType.External.equals(host.getHypervisorType())) {
             return;
@@ -2180,7 +2218,6 @@ private List<Map<String, String>> getVolumesToDisconnect(VirtualMachine vm) {
     protected boolean sendStop(final VirtualMachineGuru guru, final VirtualMachineProfile profile, final boolean force, final boolean checkBeforeCleanup) {
         final VirtualMachine vm = profile.getVirtualMachine();
         Map<String, Boolean> vlanToPersistenceMap = getVlanToPersistenceMapForVM(vm.getId());
-
         StopCommand stpCmd = new StopCommand(vm, getExecuteInSequence(vm.getHypervisorType()), checkBeforeCleanup);
         updateStopCommandForExternalHypervisorType(vm.getHypervisorType(), profile, stpCmd);
         if (MapUtils.isNotEmpty(vlanToPersistenceMap)) {
@@ -3981,19 +4018,6 @@ protected void runInContext() {
         }
     }
 
-    @Override
-    public boolean isVirtualMachineUpgradable(final VirtualMachine vm, final ServiceOffering offering) {
-        boolean isMachineUpgradable = true;
-        for (final HostAllocator allocator : hostAllocators) {
-            isMachineUpgradable = allocator.isVirtualMachineUpgradable(vm, offering);
-            if (!isMachineUpgradable) {
-                break;
-            }
-        }
-
-        return isMachineUpgradable;
-    }
-
     @Override
     public void reboot(final String vmUuid, final Map<VirtualMachineProfile.Param, Object> params) throws InsufficientCapacityException, ResourceUnavailableException {
         try {
@@ -4433,11 +4457,6 @@ public void checkIfCanUpgrade(final VirtualMachine vmInstance, final ServiceOffe
             throw new InvalidParameterValueException("isSystem property is different for current service offering and new service offering");
         }
 
-        if (!isVirtualMachineUpgradable(vmInstance, newServiceOffering)) {
-            throw new InvalidParameterValueException("Unable to upgrade virtual machine, not enough resources available " + "for an offering of " +
-                    newServiceOffering.getCpu() + " cpu(s) at " + newServiceOffering.getSpeed() + " Mhz, and " + newServiceOffering.getRamSize() + " MB of memory");
-        }
-
         final List<String> currentTags = StringUtils.csvTagsToList(currentDiskOffering.getTags());
         final List<String> newTags = StringUtils.csvTagsToList(newDiskOffering.getTags());
         if (VolumeApiServiceImpl.MatchStoragePoolTagsWithDiskOffering.valueIn(vmInstance.getDataCenterId())) {
@@ -5144,7 +5163,7 @@ public VMInstanceVO reConfigureVm(final String vmUuid, final ServiceOffering old
             try {
                 result = retrieveResultFromJobOutcomeAndThrowExceptionIfNeeded(outcome);
             } catch (Exception ex) {
-                throw new RuntimeException("Unhandled exception", ex);
+                throw new RuntimeException("Unable to reconfigure VM.", ex);
             }
 
             if (result != null) {
@@ -5157,22 +5176,29 @@ public VMInstanceVO reConfigureVm(final String vmUuid, final ServiceOffering old
 
     private VMInstanceVO orchestrateReConfigureVm(String vmUuid, ServiceOffering oldServiceOffering, ServiceOffering newServiceOffering,
                                                   boolean reconfiguringOnExistingHost) throws ResourceUnavailableException, ConcurrentOperationException {
-        final VMInstanceVO vm = _vmDao.findByUuid(vmUuid);
+        VMInstanceVO vm = _vmDao.findByUuid(vmUuid);
 
         HostVO hostVo = _hostDao.findById(vm.getHostId());
 
-        Long clustedId = hostVo.getClusterId();
-        Float memoryOvercommitRatio = CapacityManager.MemOverprovisioningFactor.valueIn(clustedId);
-        Float cpuOvercommitRatio = CapacityManager.CpuOverprovisioningFactor.valueIn(clustedId);
-        boolean divideMemoryByOverprovisioning = HypervisorGuruBase.VmMinMemoryEqualsMemoryDividedByMemOverprovisioningFactor.valueIn(clustedId);
-        boolean divideCpuByOverprovisioning = HypervisorGuruBase.VmMinCpuSpeedEqualsCpuSpeedDividedByCpuOverprovisioningFactor.valueIn(clustedId);
+        Long clusterId = hostVo.getClusterId();
+        Float memoryOvercommitRatio = CapacityManager.MemOverprovisioningFactor.valueIn(clusterId);
+        Float cpuOvercommitRatio = CapacityManager.CpuOverprovisioningFactor.valueIn(clusterId);
+        boolean divideMemoryByOverprovisioning = HypervisorGuruBase.VmMinMemoryEqualsMemoryDividedByMemOverprovisioningFactor.valueIn(clusterId);
+        boolean divideCpuByOverprovisioning = HypervisorGuruBase.VmMinCpuSpeedEqualsCpuSpeedDividedByCpuOverprovisioningFactor.valueIn(clusterId);
 
         int minMemory = (int)(newServiceOffering.getRamSize() / (divideMemoryByOverprovisioning ? memoryOvercommitRatio : 1));
         int minSpeed = (int)(newServiceOffering.getSpeed() / (divideCpuByOverprovisioning ? cpuOvercommitRatio : 1));
 
-        ScaleVmCommand scaleVmCommand =
-                new ScaleVmCommand(vm.getInstanceName(), newServiceOffering.getCpu(), minSpeed,
-                        newServiceOffering.getSpeed(), minMemory * 1024L * 1024L, newServiceOffering.getRamSize() * 1024L * 1024L, newServiceOffering.getLimitCpuUse());
+        Double cpuQuotaPercentage = null;
+        if (newServiceOffering.getLimitCpuUse() && vm.getHypervisorType().equals(HypervisorType.KVM)) {
+            KVMGuru kvmGuru = (KVMGuru) _hvGuruMgr.getGuru(vm.getHypervisorType());
+            cpuQuotaPercentage = kvmGuru.getCpuQuotaPercentage(minSpeed, hostVo.getSpeed());
+        }
+
+        boolean limitCpuUseChange = oldServiceOffering.getLimitCpuUse() != newServiceOffering.getLimitCpuUse();
+        ScaleVmCommand scaleVmCommand = new ScaleVmCommand(vm.getInstanceName(), newServiceOffering.getCpu(), minSpeed, newServiceOffering.getSpeed(),
+                minMemory * 1024L * 1024L, newServiceOffering.getRamSize() * 1024L * 1024L,
+                newServiceOffering.getLimitCpuUse(), cpuQuotaPercentage, limitCpuUseChange);
 
         scaleVmCommand.getVirtualMachine().setId(vm.getId());
         scaleVmCommand.getVirtualMachine().setUuid(vm.getUuid());
@@ -5201,16 +5227,20 @@ private VMInstanceVO orchestrateReConfigureVm(String vmUuid, ServiceOffering old
                 throw new CloudRuntimeException("Unable to scale vm due to " + (reconfigureAnswer == null ? "" : reconfigureAnswer.getDetails()));
             }
 
-            upgradeVmDb(vm.getId(), newServiceOffering, oldServiceOffering);
+            if (reconfiguringOnExistingHost) {
+                _capacityMgr.releaseVmCapacity(vm, false, false, vm.getHostId());
+            }
+
+            boolean vmUpgraded = upgradeVmDb(vm.getId(), newServiceOffering, oldServiceOffering);
+            if (vmUpgraded) {
+                vm = _vmDao.findById(vm.getId());
+            }
 
             if (vm.getType().equals(VirtualMachine.Type.User)) {
                 _userVmMgr.generateUsageEvent(vm, vm.isDisplayVm(), EventTypes.EVENT_VM_DYNAMIC_SCALE);
             }
 
             if (reconfiguringOnExistingHost) {
-                vm.setServiceOfferingId(oldServiceOffering.getId());
-                _capacityMgr.releaseVmCapacity(vm, false, false, vm.getHostId());
-                vm.setServiceOfferingId(newServiceOffering.getId());
                 _capacityMgr.allocateVmCapacity(vm, false);
             }
 
@@ -5239,9 +5269,20 @@ private void removeCustomOfferingDetails(long vmId) {
 
     private void saveCustomOfferingDetails(long vmId, ServiceOffering serviceOffering) {
         Map<String, String> details = vmInstanceDetailsDao.listDetailsKeyPairs(vmId);
-        details.put(UsageEventVO.DynamicParameters.cpuNumber.name(), serviceOffering.getCpu().toString());
-        details.put(UsageEventVO.DynamicParameters.cpuSpeed.name(), serviceOffering.getSpeed().toString());
-        details.put(UsageEventVO.DynamicParameters.memory.name(), serviceOffering.getRamSize().toString());
+
+        // We need to restore only the customizable parameters. If we save a parameter that is not customizable and attempt
+        // to restore a VM snapshot, com.cloud.vm.UserVmManagerImpl.validateCustomParameters will fail.
+        ServiceOffering unfilledOffering = _serviceOfferingDao.findByIdIncludingRemoved(serviceOffering.getId());
+        if (unfilledOffering.getCpu() == null) {
+            details.put(UsageEventVO.DynamicParameters.cpuNumber.name(), serviceOffering.getCpu().toString());
+        }
+        if (unfilledOffering.getSpeed() == null) {
+            details.put(UsageEventVO.DynamicParameters.cpuSpeed.name(), serviceOffering.getSpeed().toString());
+        }
+        if (unfilledOffering.getRamSize() == null) {
+            details.put(UsageEventVO.DynamicParameters.memory.name(), serviceOffering.getRamSize().toString());
+        }
+
         List<VMInstanceDetailVO> detailList = new ArrayList<>();
         for (Map.Entry<String, String> entry: details.entrySet()) {
             VMInstanceDetailVO detailVO = new VMInstanceDetailVO(vmId, entry.getKey(), entry.getValue(), true);
@@ -6270,6 +6311,80 @@ private Pair<JobInfo.Status, String> orchestrateUpdateDefaultNic(final VmWorkUpd
                 _jobMgr.marshallResultObject(result));
     }
 
+    @Override
+    public boolean updateVmNic(VirtualMachine vm, Nic nic, Boolean enabled) {
+        Outcome<VirtualMachine> outcome = updateVmNicThroughJobQueue(vm, nic, enabled);
+
+        retrieveVmFromJobOutcome(outcome, vm.getUuid(), "updateVmNic");
+
+        try {
+            Object jobResult = retrieveResultFromJobOutcomeAndThrowExceptionIfNeeded(outcome);
+            if (jobResult instanceof Boolean) {
+                return BooleanUtils.isTrue((Boolean) jobResult);
+            }
+        } catch (ResourceUnavailableException | InsufficientCapacityException ex) {
+            throw new CloudRuntimeException(String.format("Exception while updating VM [%s] NIC. Check the logs for more information.", vm.getUuid()));
+        }
+        throw new CloudRuntimeException("Unexpected job execution result.");
+    }
+
+    private boolean orchestrateUpdateVmNic(final VirtualMachine vm, final Nic nic, final Boolean enabled) throws ResourceUnavailableException {
+        if (vm.getState() == State.Running) {
+            try {
+                UpdateVmNicCommand updateVmNicCmd = new UpdateVmNicCommand(nic.getMacAddress(), vm.getName(), enabled);
+                Commands cmds = new Commands(Command.OnError.Stop);
+                cmds.addCommand("updatevmnic", updateVmNicCmd);
+
+                _agentMgr.send(vm.getHostId(), cmds);
+
+                UpdateVmNicAnswer updateVmNicAnswer = cmds.getAnswer(UpdateVmNicAnswer.class);
+                if (updateVmNicAnswer == null || !updateVmNicAnswer.getResult()) {
+                    logger.warn("Unable to update VM %s NIC [{}].", vm.getName(), nic.getUuid());
+                    return false;
+                }
+            } catch (final OperationTimedoutException e) {
+                throw new AgentUnavailableException(String.format("Unable to update NIC %s for VM %s.", nic.getUuid(), vm.getUuid()), vm.getHostId(), e);
+            }
+        }
+
+        NicVO nicVo = _nicsDao.findById(nic.getId());
+        nicVo.setEnabled(enabled);
+        _nicsDao.persist(nicVo);
+
+        return true;
+    }
+
+    public Outcome<VirtualMachine> updateVmNicThroughJobQueue(final VirtualMachine vm, final Nic nic, final Boolean isNicEnabled) {
+        Long vmId = vm.getId();
+        String commandName = VmWorkUpdateNic.class.getName();
+        Pair<VmWorkJobVO, Long> pendingWorkJob = retrievePendingWorkJob(vmId, commandName);
+
+        VmWorkJobVO workJob = pendingWorkJob.first();
+
+        if (workJob == null) {
+            Pair<VmWorkJobVO, VmWork> newVmWorkJobAndInfo = createWorkJobAndWorkInfo(commandName, vmId);
+
+            workJob = newVmWorkJobAndInfo.first();
+            VmWorkUpdateNic workInfo = new VmWorkUpdateNic(newVmWorkJobAndInfo.second(), nic.getId(), isNicEnabled);
+
+            setCmdInfoAndSubmitAsyncJob(workJob, workInfo, vmId);
+        }
+        AsyncJobExecutionContext.getCurrentExecutionContext().joinJob(workJob.getId());
+
+        return new VmJobVirtualMachineOutcome(workJob, vmId);
+    }
+
+    @ReflectionUse
+    private Pair<JobInfo.Status, String> orchestrateUpdateVmNic(final VmWorkUpdateNic work) throws Exception {
+        VMInstanceVO vm = findVmById(work.getVmId());
+        final NicVO nic = _entityMgr.findById(NicVO.class, work.getNicId());
+        if (nic == null) {
+            throw new CloudRuntimeException(String.format("Unable to find NIC with ID %s.", work.getNicId()));
+        }
+        final boolean result = orchestrateUpdateVmNic(vm, nic, work.isEnabled());
+        return new Pair<>(JobInfo.Status.SUCCEEDED, _jobMgr.marshallResultObject(result));
+    }
+
     private Pair<Long, Long> findClusterAndHostIdForVmFromVolumes(long vmId) {
         Long clusterId = null;
         Long hostId = null;
diff --git a/engine/orchestration/src/main/java/com/cloud/vm/VmWorkUpdateNic.java b/engine/orchestration/src/main/java/com/cloud/vm/VmWorkUpdateNic.java
new file mode 100644
index 000000000000..1c63cf34a192
--- /dev/null
+++ b/engine/orchestration/src/main/java/com/cloud/vm/VmWorkUpdateNic.java
@@ -0,0 +1,38 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.vm;
+
+public class VmWorkUpdateNic extends VmWork {
+    private static final long serialVersionUID = -8957066627929113278L;
+
+    Long nicId;
+    Boolean enabled;
+
+    public VmWorkUpdateNic(VmWork vmWork, Long nicId, Boolean enabled) {
+        super(vmWork);
+        this.nicId = nicId;
+        this.enabled = enabled;
+    }
+
+    public Long getNicId() {
+        return nicId;
+    }
+
+    public Boolean isEnabled() {
+        return enabled;
+    }
+}
diff --git a/engine/orchestration/src/main/java/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java b/engine/orchestration/src/main/java/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java
index b6f31414655a..4262ee701aab 100644
--- a/engine/orchestration/src/main/java/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java
+++ b/engine/orchestration/src/main/java/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java
@@ -58,6 +58,7 @@
 import org.apache.cloudstack.managed.context.ManagedContextRunnable;
 import org.apache.cloudstack.network.RoutedIpv4Manager;
 import org.apache.cloudstack.network.dao.NetworkPermissionDao;
+import org.apache.cloudstack.reservation.dao.ReservationDao;
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.lang3.BooleanUtils;
 import org.apache.commons.lang3.ObjectUtils;
@@ -86,6 +87,7 @@
 import com.cloud.api.query.vo.DomainRouterJoinVO;
 import com.cloud.bgp.BGPService;
 import com.cloud.configuration.ConfigurationManager;
+import com.cloud.configuration.Resource;
 import com.cloud.configuration.Resource.ResourceType;
 import com.cloud.dc.ASNumberVO;
 import com.cloud.dc.ClusterVO;
@@ -214,6 +216,7 @@
 import com.cloud.offerings.dao.NetworkOfferingDetailsDao;
 import com.cloud.offerings.dao.NetworkOfferingServiceMapDao;
 import com.cloud.resource.ResourceManager;
+import com.cloud.resourcelimit.CheckedReservation;
 import com.cloud.server.ManagementServer;
 import com.cloud.user.Account;
 import com.cloud.user.ResourceLimitService;
@@ -447,6 +450,8 @@ public void setDhcpProviders(final List<DhcpServiceProvider> dhcpProviders) {
     ClusterDao clusterDao;
     @Inject
     RoutedIpv4Manager routedIpv4Manager;
+    @Inject
+    private ReservationDao reservationDao;
 
     protected StateMachine2<Network.State, Network.Event, Network> _stateMachine;
     ScheduledExecutorService _executor;
@@ -858,6 +863,7 @@ private static NetworkVO getNetworkVO(long id, final NetworkOffering offering, f
                 vpcId, offering.isRedundantRouter(), predefined.getExternalId());
         vo.setDisplayNetwork(isDisplayNetworkEnabled == null || isDisplayNetworkEnabled);
         vo.setStrechedL2Network(offering.isSupportingStrechedL2());
+        vo.setKeepMacAddressOnPublicNic(predefined.getKeepMacAddressOnPublicNic());
         return vo;
     }
 
@@ -2326,7 +2332,8 @@ public void prepareAllNicsForMigration(final VirtualMachineProfile vm, final Dep
             for (final NetworkElement element : networkElements) {
                 if (providersToImplement.contains(element.getProvider())) {
                     if (!_networkModel.isProviderEnabledInPhysicalNetwork(_networkModel.getPhysicalNetworkId(network), element.getProvider().getName())) {
-                        throw new CloudRuntimeException(String.format("Service provider %s either doesn't exist or is not enabled in physical network: %s", element.getProvider().getName(), _physicalNetworkDao.findById(network.getPhysicalNetworkId())));
+                        throw new CloudRuntimeException(String.format("Service provider %s either doesn't exist or is not enabled in physical network: %s",
+                                element.getProvider().getName(), _physicalNetworkDao.findById(network.getPhysicalNetworkId())));
                     }
                     if (element instanceof NetworkMigrationResponder) {
                         if (!((NetworkMigrationResponder) element).prepareMigration(profile, network, vm, dest, context)) {
@@ -2633,6 +2640,10 @@ && isDhcpAccrossMultipleSubnetsSupported(dhcpServiceProvider)) {
 
         final NetworkGuru guru = AdapterBase.getAdapterByName(networkGurus, network.getGuruName());
         guru.deallocate(network, profile, vm);
+        if (nic.getReservationStrategy() == Nic.ReservationStrategy.Create) {
+            applyProfileToNicForRelease(nic, profile);
+            _nicDao.update(nic.getId(), nic);
+        }
         if (BooleanUtils.isNotTrue(preserveNics)) {
             _nicDao.remove(nic.getId());
         }
@@ -2714,7 +2725,7 @@ public Network createPrivateNetwork(final long networkOfferingId, final String n
         return createGuestNetwork(networkOfferingId, name, displayText, gateway, cidr, vlanId,
                 bypassVlanOverlapCheck, null, owner, null, pNtwk, pNtwk.getDataCenterId(), ACLType.Account, null,
                 vpcId, null, null, true, null, null, null, true, null, null,
-                null, null, null, null, null, null);
+                null, null, null, null, null, null, true);
     }
 
     @Override
@@ -2725,10 +2736,25 @@ public Network createGuestNetwork(final long networkOfferingId, final String nam
                                       final Boolean isDisplayNetworkEnabled, final String isolatedPvlan, Network.PVlanType isolatedPvlanType, String externalId,
                                       String routerIp, String routerIpv6, String ip4Dns1, String ip4Dns2, String ip6Dns1, String ip6Dns2,
                                       Pair<Integer, Integer> vrIfaceMTUs, Integer networkCidrSize) throws ConcurrentOperationException, InsufficientCapacityException, ResourceAllocationException {
+        return createGuestNetwork(networkOfferingId, name, displayText, gateway, cidr, vlanId, bypassVlanOverlapCheck,
+                networkDomain, owner, domainId, pNtwk, zoneId, aclType, subdomainAccess, vpcId, ip6Gateway, ip6Cidr,
+                isDisplayNetworkEnabled, isolatedPvlan, isolatedPvlanType, externalId, false, routerIp, routerIpv6,
+                ip4Dns1, ip4Dns2, ip6Dns1, ip6Dns2, vrIfaceMTUs, networkCidrSize, true);
+    }
+
+    @Override
+    @DB
+    public Network createGuestNetwork(final long networkOfferingId, final String name, final String displayText, final String gateway, final String cidr, String vlanId,
+                                      boolean bypassVlanOverlapCheck, String networkDomain, final Account owner, final Long domainId, final PhysicalNetwork pNtwk,
+                                      final long zoneId, final ACLType aclType, Boolean subdomainAccess, final Long vpcId, final String ip6Gateway, final String ip6Cidr,
+                                      final Boolean isDisplayNetworkEnabled, final String isolatedPvlan, Network.PVlanType isolatedPvlanType, String externalId,
+                                      String routerIp, String routerIpv6, String ip4Dns1, String ip4Dns2, String ip6Dns1, String ip6Dns2,
+                                      Pair<Integer, Integer> vrIfaceMTUs, Integer networkCidrSize, boolean keepMacAddressOnPublicNic) throws ConcurrentOperationException, InsufficientCapacityException, ResourceAllocationException {
         // create Isolated/Shared/L2 network
         return createGuestNetwork(networkOfferingId, name, displayText, gateway, cidr, vlanId, bypassVlanOverlapCheck,
                 networkDomain, owner, domainId, pNtwk, zoneId, aclType, subdomainAccess, vpcId, ip6Gateway, ip6Cidr,
-                isDisplayNetworkEnabled, isolatedPvlan, isolatedPvlanType, externalId, false, routerIp, routerIpv6, ip4Dns1, ip4Dns2, ip6Dns1, ip6Dns2, vrIfaceMTUs, networkCidrSize);
+                isDisplayNetworkEnabled, isolatedPvlan, isolatedPvlanType, externalId, false, routerIp, routerIpv6,
+                ip4Dns1, ip4Dns2, ip6Dns1, ip6Dns2, vrIfaceMTUs, networkCidrSize, keepMacAddressOnPublicNic);
     }
 
     @DB
@@ -2737,7 +2763,8 @@ private Network createGuestNetwork(final long networkOfferingId, final String na
                                        final long zoneId, final ACLType aclType, Boolean subdomainAccess, final Long vpcId, final String ip6Gateway, final String ip6Cidr,
                                        final Boolean isDisplayNetworkEnabled, final String isolatedPvlan, Network.PVlanType isolatedPvlanType, String externalId,
                                        final Boolean isPrivateNetwork, String routerIp, String routerIpv6, final String ip4Dns1, final String ip4Dns2,
-                                       final String ip6Dns1, final String ip6Dns2, Pair<Integer, Integer> vrIfaceMTUs, Integer networkCidrSize) throws ConcurrentOperationException, InsufficientCapacityException, ResourceAllocationException {
+                                       final String ip6Dns1, final String ip6Dns2, Pair<Integer, Integer> vrIfaceMTUs, Integer networkCidrSize,
+                                       boolean keepMacAddressOnPublicNic) throws ConcurrentOperationException, InsufficientCapacityException, ResourceAllocationException {
 
         final NetworkOfferingVO ntwkOff = _networkOfferingDao.findById(networkOfferingId);
         final DataCenterVO zone = _dcDao.findById(zoneId);
@@ -2747,12 +2774,6 @@ private Network createGuestNetwork(final long networkOfferingId, final String na
             return null;
         }
 
-        final boolean updateResourceCount = resourceCountNeedsUpdate(ntwkOff, aclType);
-        //check resource limits
-        if (updateResourceCount) {
-            _resourceLimitMgr.checkResourceLimit(owner, ResourceType.network, isDisplayNetworkEnabled);
-        }
-
         // Validate network offering
         if (ntwkOff.getState() != NetworkOffering.State.Enabled) {
             // see NetworkOfferingVO
@@ -2771,218 +2792,219 @@ private Network createGuestNetwork(final long networkOfferingId, final String na
 
         boolean ipv6 = false;
 
-        if (StringUtils.isNoneBlank(ip6Gateway, ip6Cidr)) {
-            ipv6 = true;
-        }
-        // Validate zone
-        if (zone.getNetworkType() == NetworkType.Basic) {
-            // In Basic zone the network should have aclType=Domain, domainId=1, subdomainAccess=true
-            if (aclType == null || aclType != ACLType.Domain) {
-                throw new InvalidParameterValueException("Only AclType=Domain can be specified for network creation in Basic zone");
-            }
-
-            // Only one guest network is supported in Basic zone
-            final List<NetworkVO> guestNetworks = _networksDao.listByZoneAndTrafficType(zone.getId(), TrafficType.Guest);
-            if (!guestNetworks.isEmpty()) {
-                throw new InvalidParameterValueException("Can't have more than one Guest network in zone with network type " + NetworkType.Basic);
+        try (CheckedReservation networkReservation = new CheckedReservation(owner, domainId, Resource.ResourceType.network, null, null, 1L, reservationDao, _resourceLimitMgr)) {
+            if (StringUtils.isNoneBlank(ip6Gateway, ip6Cidr)) {
+                ipv6 = true;
             }
+            // Validate zone
+            if (zone.getNetworkType() == NetworkType.Basic) {
+                // In Basic zone the network should have aclType=Domain, domainId=1, subdomainAccess=true
+                if (aclType == null || aclType != ACLType.Domain) {
+                    throw new InvalidParameterValueException("Only AclType=Domain can be specified for network creation in Basic zone");
+                }
 
-            // if zone is basic, only Shared network offerings w/o source nat service are allowed
-            if (!(ntwkOff.getGuestType() == GuestType.Shared && !_networkModel.areServicesSupportedByNetworkOffering(ntwkOff.getId(), Service.SourceNat))) {
-                throw new InvalidParameterValueException("For zone of type " + NetworkType.Basic + " only offerings of " + "guestType " + GuestType.Shared + " with disabled "
-                        + Service.SourceNat.getName() + " service are allowed");
-            }
+                // Only one guest network is supported in Basic zone
+                final List<NetworkVO> guestNetworks = _networksDao.listByZoneAndTrafficType(zone.getId(), TrafficType.Guest);
+                if (!guestNetworks.isEmpty()) {
+                    throw new InvalidParameterValueException("Can't have more than one Guest network in zone with network type " + NetworkType.Basic);
+                }
 
-            if (domainId == null || domainId != Domain.ROOT_DOMAIN) {
-                throw new InvalidParameterValueException("Guest network in Basic zone should be dedicated to ROOT domain");
-            }
+                // if zone is basic, only Shared network offerings w/o source nat service are allowed
+                if (!(ntwkOff.getGuestType() == GuestType.Shared && !_networkModel.areServicesSupportedByNetworkOffering(ntwkOff.getId(), Service.SourceNat))) {
+                    throw new InvalidParameterValueException("For zone of type " + NetworkType.Basic + " only offerings of " + "guestType " + GuestType.Shared + " with disabled "
+                            + Service.SourceNat.getName() + " service are allowed");
+                }
 
-            if (subdomainAccess == null) {
-                subdomainAccess = true;
-            } else if (!subdomainAccess) {
-                throw new InvalidParameterValueException("Subdomain access should be set to true for the" + " guest network in the Basic zone");
-            }
+                if (domainId == null || domainId != Domain.ROOT_DOMAIN) {
+                    throw new InvalidParameterValueException("Guest network in Basic zone should be dedicated to ROOT domain");
+                }
 
-            if (vlanId == null) {
-                vlanId = Vlan.UNTAGGED;
-            } else {
-                if (!vlanId.equalsIgnoreCase(Vlan.UNTAGGED)) {
-                    throw new InvalidParameterValueException("Only vlan " + Vlan.UNTAGGED + " can be created in " + "the zone of type " + NetworkType.Basic);
+                if (subdomainAccess == null) {
+                    subdomainAccess = true;
+                } else if (!subdomainAccess) {
+                    throw new InvalidParameterValueException("Subdomain access should be set to true for the" + " guest network in the Basic zone");
                 }
-            }
 
-        } else if (zone.getNetworkType() == NetworkType.Advanced) {
-            if (zone.isSecurityGroupEnabled()) {
-                if (isolatedPvlan != null) {
-                    throw new InvalidParameterValueException("Isolated Private VLAN is not supported with security group!");
+                if (vlanId == null) {
+                    vlanId = Vlan.UNTAGGED;
+                } else {
+                    if (!vlanId.equalsIgnoreCase(Vlan.UNTAGGED)) {
+                        throw new InvalidParameterValueException("Only vlan " + Vlan.UNTAGGED + " can be created in " + "the zone of type " + NetworkType.Basic);
+                    }
                 }
-                // Only Account specific Isolated network with sourceNat service disabled are allowed in security group
-                // enabled zone
-                if ((ntwkOff.getGuestType() != GuestType.Shared) && (ntwkOff.getGuestType() != GuestType.L2)) {
-                    throw new InvalidParameterValueException("Only shared or L2 guest network can be created in security group enabled zone");
+
+            } else if (zone.getNetworkType() == NetworkType.Advanced) {
+                if (zone.isSecurityGroupEnabled()) {
+                    if (isolatedPvlan != null) {
+                        throw new InvalidParameterValueException("Isolated Private VLAN is not supported with security group!");
+                    }
+                    // Only Account specific Isolated network with sourceNat service disabled are allowed in security group
+                    // enabled zone
+                    if ((ntwkOff.getGuestType() != GuestType.Shared) && (ntwkOff.getGuestType() != GuestType.L2)) {
+                        throw new InvalidParameterValueException("Only shared or L2 guest network can be created in security group enabled zone");
+                    }
+                    if (_networkModel.areServicesSupportedByNetworkOffering(ntwkOff.getId(), Service.SourceNat)) {
+                        throw new InvalidParameterValueException("Service SourceNat is not allowed in security group enabled zone");
+                    }
                 }
-                if (_networkModel.areServicesSupportedByNetworkOffering(ntwkOff.getId(), Service.SourceNat)) {
-                    throw new InvalidParameterValueException("Service SourceNat is not allowed in security group enabled zone");
+
+                //don't allow eip/elb networks in Advance zone
+                if (ntwkOff.isElasticIp() || ntwkOff.isElasticLb()) {
+                    throw new InvalidParameterValueException("Elastic IP and Elastic LB services are supported in zone of type " + NetworkType.Basic);
                 }
             }
 
-            //don't allow eip/elb networks in Advance zone
-            if (ntwkOff.isElasticIp() || ntwkOff.isElasticLb()) {
-                throw new InvalidParameterValueException("Elastic IP and Elastic LB services are supported in zone of type " + NetworkType.Basic);
+            if (ipv6 && !GuestType.Shared.equals(ntwkOff.getGuestType())) {
+                _networkModel.checkIp6CidrSizeEqualTo64(ip6Cidr);
             }
-        }
-
-        if (ipv6 && !GuestType.Shared.equals(ntwkOff.getGuestType())) {
-            _networkModel.checkIp6CidrSizeEqualTo64(ip6Cidr);
-        }
 
-        //TODO(VXLAN): Support VNI specified
-        // VlanId can be specified only when network offering supports it
-        final boolean vlanSpecified = vlanId != null;
-        if (vlanSpecified != ntwkOff.isSpecifyVlan()) {
-            if (vlanSpecified) {
-                if (!isSharedNetworkWithoutSpecifyVlan(ntwkOff) && !isPrivateGatewayWithoutSpecifyVlan(ntwkOff)) {
-                    throw new InvalidParameterValueException("Can't specify vlan; corresponding offering says specifyVlan=false");
+            //TODO(VXLAN): Support VNI specified
+            // VlanId can be specified only when network offering supports it
+            final boolean vlanSpecified = vlanId != null;
+            if (vlanSpecified != ntwkOff.isSpecifyVlan()) {
+                if (vlanSpecified) {
+                    if (!isSharedNetworkWithoutSpecifyVlan(ntwkOff) && !isPrivateGatewayWithoutSpecifyVlan(ntwkOff)) {
+                        throw new InvalidParameterValueException("Can't specify vlan; corresponding offering says specifyVlan=false");
+                    }
+                } else {
+                    throw new InvalidParameterValueException("Vlan has to be specified; corresponding offering says specifyVlan=true");
                 }
-            } else {
-                throw new InvalidParameterValueException("Vlan has to be specified; corresponding offering says specifyVlan=true");
             }
-        }
 
-        if (vlanSpecified) {
-            URI uri = encodeVlanIdIntoBroadcastUri(vlanId, pNtwk);
-            // Aux: generate secondary URI for secondary VLAN ID (if provided) for performing checks
-            URI secondaryUri = StringUtils.isNotBlank(isolatedPvlan) ? BroadcastDomainType.fromString(isolatedPvlan) : null;
-            if (isSharedNetworkWithoutSpecifyVlan(ntwkOff) || isPrivateGatewayWithoutSpecifyVlan(ntwkOff)) {
-                bypassVlanOverlapCheck = true;
-            }
-            //don't allow to specify vlan tag used by physical network for dynamic vlan allocation
-            if (!(bypassVlanOverlapCheck && (ntwkOff.getGuestType() == GuestType.Shared || isPrivateNetwork))
-                    && _dcDao.findVnet(zoneId, pNtwk.getId(), BroadcastDomainType.getValue(uri)).size() > 0) {
-                throw new InvalidParameterValueException("The VLAN tag to use for new guest network, " + vlanId + " is already being used for dynamic vlan allocation for the guest network in zone "
-                        + zone.getName());
-            }
-            if (secondaryUri != null && !(bypassVlanOverlapCheck && ntwkOff.getGuestType() == GuestType.Shared) &&
-                    _dcDao.findVnet(zoneId, pNtwk.getId(), BroadcastDomainType.getValue(secondaryUri)).size() > 0) {
-                throw new InvalidParameterValueException(String.format(
-                        "The VLAN tag for isolated PVLAN %s is already being used for dynamic vlan allocation for the guest network in zone %s",
-                        isolatedPvlan, zone));
-            }
-            if (!UuidUtils.isUuid(vlanId)) {
-                // For Isolated and L2 networks, don't allow to create network with vlan that already exists in the zone
-                if (!hasGuestBypassVlanOverlapCheck(bypassVlanOverlapCheck, ntwkOff, isPrivateNetwork)) {
-                    if (_networksDao.listByZoneAndUriAndGuestType(zoneId, uri.toString(), null).size() > 0) {
-                        throw new InvalidParameterValueException(String.format(
-                                "Network with vlan %s already exists or overlaps with other network vlans in zone %s",
-                                vlanId, zone));
-                    } else if (secondaryUri != null && _networksDao.listByZoneAndUriAndGuestType(zoneId, secondaryUri.toString(), null).size() > 0) {
-                        throw new InvalidParameterValueException(String.format(
-                                "Network with vlan %s already exists or overlaps with other network vlans in zone %s",
-                                isolatedPvlan, zone));
-                    } else {
-                        final List<DataCenterVnetVO> dcVnets = _datacenterVnetDao.findVnet(zoneId, BroadcastDomainType.getValue(uri));
-                        //for the network that is created as part of private gateway,
-                        //the vnet is not coming from the data center vnet table, so the list can be empty
-                        if (!dcVnets.isEmpty()) {
-                            final DataCenterVnetVO dcVnet = dcVnets.get(0);
-                            // Fail network creation if specified vlan is dedicated to a different account
-                            if (dcVnet.getAccountGuestVlanMapId() != null) {
-                                final Long accountGuestVlanMapId = dcVnet.getAccountGuestVlanMapId();
-                                final AccountGuestVlanMapVO map = _accountGuestVlanMapDao.findById(accountGuestVlanMapId);
-                                if (map.getAccountId() != owner.getAccountId()) {
-                                    throw new InvalidParameterValueException("Vlan " + vlanId + " is dedicated to a different account");
-                                }
-                                // Fail network creation if owner has a dedicated range of vlans but the specified vlan belongs to the system pool
-                            } else {
-                                final List<AccountGuestVlanMapVO> maps = _accountGuestVlanMapDao.listAccountGuestVlanMapsByAccount(owner.getAccountId());
-                                if (maps != null && !maps.isEmpty()) {
-                                    final int vnetsAllocatedToAccount = _datacenterVnetDao.countVnetsAllocatedToAccount(zoneId, owner.getAccountId());
-                                    final int vnetsDedicatedToAccount = _datacenterVnetDao.countVnetsDedicatedToAccount(zoneId, owner.getAccountId());
-                                    if (vnetsAllocatedToAccount < vnetsDedicatedToAccount) {
-                                        throw new InvalidParameterValueException("Specified vlan " + vlanId + " doesn't belong" + " to the vlan range dedicated to the owner "
-                                                + owner.getAccountName());
+            if (vlanSpecified) {
+                URI uri = encodeVlanIdIntoBroadcastUri(vlanId, pNtwk);
+                // Aux: generate secondary URI for secondary VLAN ID (if provided) for performing checks
+                URI secondaryUri = StringUtils.isNotBlank(isolatedPvlan) ? BroadcastDomainType.fromString(isolatedPvlan) : null;
+                if (isSharedNetworkWithoutSpecifyVlan(ntwkOff) || isPrivateGatewayWithoutSpecifyVlan(ntwkOff)) {
+                    bypassVlanOverlapCheck = true;
+                }
+                //don't allow to specify vlan tag used by physical network for dynamic vlan allocation
+                if (!(bypassVlanOverlapCheck && (ntwkOff.getGuestType() == GuestType.Shared || isPrivateNetwork))
+                        && _dcDao.findVnet(zoneId, pNtwk.getId(), BroadcastDomainType.getValue(uri)).size() > 0) {
+                    throw new InvalidParameterValueException("The VLAN tag to use for new guest network, " + vlanId + " is already being used for dynamic vlan allocation for the guest network in zone "
+                            + zone.getName());
+                }
+                if (secondaryUri != null && !(bypassVlanOverlapCheck && ntwkOff.getGuestType() == GuestType.Shared) &&
+                        _dcDao.findVnet(zoneId, pNtwk.getId(), BroadcastDomainType.getValue(secondaryUri)).size() > 0) {
+                    throw new InvalidParameterValueException(String.format(
+                            "The VLAN tag for isolated PVLAN %s is already being used for dynamic vlan allocation for the guest network in zone %s",
+                            isolatedPvlan, zone));
+                }
+                if (!UuidUtils.isUuid(vlanId)) {
+                    // For Isolated and L2 networks, don't allow to create network with vlan that already exists in the zone
+                    if (!hasGuestBypassVlanOverlapCheck(bypassVlanOverlapCheck, ntwkOff, isPrivateNetwork)) {
+                        if (_networksDao.listByZoneAndUriAndGuestType(zoneId, uri.toString(), null).size() > 0) {
+                            throw new InvalidParameterValueException(String.format(
+                                    "Network with vlan %s already exists or overlaps with other network vlans in zone %s",
+                                    vlanId, zone));
+                        } else if (secondaryUri != null && _networksDao.listByZoneAndUriAndGuestType(zoneId, secondaryUri.toString(), null).size() > 0) {
+                            throw new InvalidParameterValueException(String.format(
+                                    "Network with vlan %s already exists or overlaps with other network vlans in zone %s",
+                                    isolatedPvlan, zone));
+                        } else {
+                            final List<DataCenterVnetVO> dcVnets = _datacenterVnetDao.findVnet(zoneId, BroadcastDomainType.getValue(uri));
+                            //for the network that is created as part of private gateway,
+                            //the vnet is not coming from the data center vnet table, so the list can be empty
+                            if (!dcVnets.isEmpty()) {
+                                final DataCenterVnetVO dcVnet = dcVnets.get(0);
+                                // Fail network creation if specified vlan is dedicated to a different account
+                                if (dcVnet.getAccountGuestVlanMapId() != null) {
+                                    final Long accountGuestVlanMapId = dcVnet.getAccountGuestVlanMapId();
+                                    final AccountGuestVlanMapVO map = _accountGuestVlanMapDao.findById(accountGuestVlanMapId);
+                                    if (map.getAccountId() != owner.getAccountId()) {
+                                        throw new InvalidParameterValueException("Vlan " + vlanId + " is dedicated to a different account");
+                                    }
+                                    // Fail network creation if owner has a dedicated range of vlans but the specified vlan belongs to the system pool
+                                } else {
+                                    final List<AccountGuestVlanMapVO> maps = _accountGuestVlanMapDao.listAccountGuestVlanMapsByAccount(owner.getAccountId());
+                                    if (maps != null && !maps.isEmpty()) {
+                                        final int vnetsAllocatedToAccount = _datacenterVnetDao.countVnetsAllocatedToAccount(zoneId, owner.getAccountId());
+                                        final int vnetsDedicatedToAccount = _datacenterVnetDao.countVnetsDedicatedToAccount(zoneId, owner.getAccountId());
+                                        if (vnetsAllocatedToAccount < vnetsDedicatedToAccount) {
+                                            throw new InvalidParameterValueException("Specified vlan " + vlanId + " doesn't belong" + " to the vlan range dedicated to the owner "
+                                                    + owner.getAccountName());
+                                        }
                                     }
                                 }
                             }
                         }
-                    }
-                } else {
-                    // don't allow to creating shared network with given Vlan ID, if there already exists a isolated network or
-                    // shared network with same Vlan ID in the zone
-                    if (!bypassVlanOverlapCheck && _networksDao.listByZoneAndUriAndGuestType(zoneId, uri.toString(), GuestType.Isolated).size() > 0) {
-                        throw new InvalidParameterValueException(String.format(
-                                "There is an existing isolated/shared network that overlaps with vlan id:%s in zone %s", vlanId, zone));
+                    } else {
+                        // don't allow to creating shared network with given Vlan ID, if there already exists a isolated network or
+                        // shared network with same Vlan ID in the zone
+                        if (!bypassVlanOverlapCheck && _networksDao.listByZoneAndUriAndGuestType(zoneId, uri.toString(), GuestType.Isolated).size() > 0) {
+                            throw new InvalidParameterValueException(String.format(
+                                    "There is an existing isolated/shared network that overlaps with vlan id:%s in zone %s", vlanId, zone));
+                        }
                     }
                 }
-            }
 
-        }
+            }
 
-        // If networkDomain is not specified, take it from the global configuration
-        if (_networkModel.areServicesSupportedByNetworkOffering(networkOfferingId, Service.Dns)) {
-            final Map<Network.Capability, String> dnsCapabilities = _networkModel.getNetworkOfferingServiceCapabilities(_entityMgr.findById(NetworkOffering.class, networkOfferingId),
-                    Service.Dns);
-            final String isUpdateDnsSupported = dnsCapabilities.get(Capability.AllowDnsSuffixModification);
-            if (isUpdateDnsSupported == null || !Boolean.valueOf(isUpdateDnsSupported)) {
-                if (networkDomain != null) {
-                    // TBD: NetworkOfferingId and zoneId. Send uuids instead.
-                    throw new InvalidParameterValueException(String.format(
-                            "Domain name change is not supported by network offering id=%d in zone %s",
-                            networkOfferingId, zone));
-                }
-            } else {
-                if (networkDomain == null) {
-                    // 1) Get networkDomain from the corresponding account/domain/zone
-                    if (aclType == ACLType.Domain) {
-                        networkDomain = _networkModel.getDomainNetworkDomain(domainId, zoneId);
-                    } else if (aclType == ACLType.Account) {
-                        networkDomain = _networkModel.getAccountNetworkDomain(owner.getId(), zoneId);
+            // If networkDomain is not specified, take it from the global configuration
+            if (_networkModel.areServicesSupportedByNetworkOffering(networkOfferingId, Service.Dns)) {
+                final Map<Network.Capability, String> dnsCapabilities = _networkModel.getNetworkOfferingServiceCapabilities(_entityMgr.findById(NetworkOffering.class, networkOfferingId),
+                        Service.Dns);
+                final String isUpdateDnsSupported = dnsCapabilities.get(Capability.AllowDnsSuffixModification);
+                if (isUpdateDnsSupported == null || !Boolean.valueOf(isUpdateDnsSupported)) {
+                    if (networkDomain != null) {
+                        // TBD: NetworkOfferingId and zoneId. Send uuids instead.
+                        throw new InvalidParameterValueException(String.format(
+                                "Domain name change is not supported by network offering id=%d in zone %s",
+                                networkOfferingId, zone));
                     }
-
-                    // 2) If null, generate networkDomain using domain suffix from the global config variables
+                } else {
                     if (networkDomain == null) {
-                        networkDomain = "cs" + Long.toHexString(owner.getId()) + GuestDomainSuffix.valueIn(zoneId);
-                    }
+                        // 1) Get networkDomain from the corresponding account/domain/zone
+                        if (aclType == ACLType.Domain) {
+                            networkDomain = _networkModel.getDomainNetworkDomain(domainId, zoneId);
+                        } else if (aclType == ACLType.Account) {
+                            networkDomain = _networkModel.getAccountNetworkDomain(owner.getId(), zoneId);
+                        }
 
-                } else {
-                    // validate network domain
-                    if (!NetUtils.verifyDomainName(networkDomain)) {
-                        throw new InvalidParameterValueException("Invalid network domain. Total length shouldn't exceed 190 chars. Each domain "
-                                + "label must be between 1 and 63 characters long, can contain ASCII letters 'a' through 'z', the digits '0' through '9', "
-                                + "and the hyphen ('-'); can't start or end with \"-\"");
+                        // 2) If null, generate networkDomain using domain suffix from the global config variables
+                        if (networkDomain == null) {
+                            networkDomain = "cs" + Long.toHexString(owner.getId()) + GuestDomainSuffix.valueIn(zoneId);
+                        }
+
+                    } else {
+                        // validate network domain
+                        if (!NetUtils.verifyDomainName(networkDomain)) {
+                            throw new InvalidParameterValueException("Invalid network domain. Total length shouldn't exceed 190 chars. Each domain "
+                                    + "label must be between 1 and 63 characters long, can contain ASCII letters 'a' through 'z', the digits '0' through '9', "
+                                    + "and the hyphen ('-'); can't start or end with \"-\"");
+                        }
                     }
                 }
             }
-        }
 
-        // In Advance zone Cidr for Shared networks and Isolated networks w/o source nat service can't be NULL - 2.2.x
-        // limitation, remove after we introduce support for multiple ip ranges
-        // with different Cidrs for the same Shared network
-        final boolean cidrRequired = zone.getNetworkType() == NetworkType.Advanced
-                && ntwkOff.getTrafficType() == TrafficType.Guest
-                && (ntwkOff.getGuestType() == GuestType.Shared || (ntwkOff.getGuestType() == GuestType.Isolated
-                && !_networkModel.areServicesSupportedByNetworkOffering(ntwkOff.getId(), Service.SourceNat)
-                && !_networkModel.areServicesSupportedByNetworkOffering(ntwkOff.getId(), Service.Gateway)));
-        if (cidr == null && ip6Cidr == null && cidrRequired) {
-            if (ntwkOff.getGuestType() == GuestType.Shared) {
-                throw new InvalidParameterValueException(String.format("Gateway/netmask are required when creating %s networks.", Network.GuestType.Shared));
-            } else {
-                throw new InvalidParameterValueException("gateway/netmask are required when create network of" + " type " + GuestType.Isolated + " with service " + Service.SourceNat.getName() + " disabled");
+            // In Advance zone Cidr for Shared networks and Isolated networks w/o source nat service can't be NULL - 2.2.x
+            // limitation, remove after we introduce support for multiple ip ranges
+            // with different Cidrs for the same Shared network
+            final boolean cidrRequired = zone.getNetworkType() == NetworkType.Advanced
+                    && ntwkOff.getTrafficType() == TrafficType.Guest
+                    && (ntwkOff.getGuestType() == GuestType.Shared || (ntwkOff.getGuestType() == GuestType.Isolated
+                    && !_networkModel.areServicesSupportedByNetworkOffering(ntwkOff.getId(), Service.SourceNat)
+                    && !_networkModel.areServicesSupportedByNetworkOffering(ntwkOff.getId(), Service.Gateway)));
+            if (cidr == null && ip6Cidr == null && cidrRequired) {
+                if (ntwkOff.getGuestType() == GuestType.Shared) {
+                    throw new InvalidParameterValueException(String.format("Gateway/netmask are required when creating %s networks.", Network.GuestType.Shared));
+                } else {
+                    throw new InvalidParameterValueException("gateway/netmask are required when create network of" + " type " + GuestType.Isolated + " with service " + Service.SourceNat.getName() + " disabled");
+                }
             }
-        }
 
-        checkL2OfferingServices(ntwkOff);
+            checkL2OfferingServices(ntwkOff);
 
-        // No cidr can be specified in Basic zone
-        if (zone.getNetworkType() == NetworkType.Basic && cidr != null) {
-            throw new InvalidParameterValueException("StartIp/endIp/gateway/netmask can't be specified for zone of type " + NetworkType.Basic);
-        }
+            // No cidr can be specified in Basic zone
+            if (zone.getNetworkType() == NetworkType.Basic && cidr != null) {
+                throw new InvalidParameterValueException("StartIp/endIp/gateway/netmask can't be specified for zone of type " + NetworkType.Basic);
+            }
 
-        // Check if cidr is RFC1918 compliant if the network is Guest Isolated for IPv4
-        if (cidr != null && (ntwkOff.getGuestType() == Network.GuestType.Isolated && ntwkOff.getTrafficType() == TrafficType.Guest) &&
-                !NetUtils.validateGuestCidr(cidr, !ConfigurationManager.AllowNonRFC1918CompliantIPs.value())) {
+            // Check if cidr is RFC1918 compliant if the network is Guest Isolated for IPv4
+            if (cidr != null && (ntwkOff.getGuestType() == Network.GuestType.Isolated && ntwkOff.getTrafficType() == TrafficType.Guest) &&
+                    !NetUtils.validateGuestCidr(cidr, !ConfigurationManager.AllowNonRFC1918CompliantIPs.value())) {
                 throw new InvalidParameterValueException("Virtual Guest Cidr " + cidr + " is not RFC 1918 or 6598 compliant");
-        }
+            }
 
         final String networkDomainFinal = networkDomain;
         final String vlanIdFinal = vlanId;
@@ -2998,75 +3020,75 @@ public Network doInTransaction(final TransactionStatus status) {
                 final NetworkVO userNetwork = new NetworkVO();
                 userNetwork.setNetworkDomain(networkDomainFinal);
 
-                if (cidr != null && gateway != null) {
-                    userNetwork.setCidr(cidr);
-                    userNetwork.setGateway(gateway);
-                }
-
-                if (StringUtils.isNoneBlank(ip6Gateway, ip6Cidr)) {
-                    userNetwork.setIp6Cidr(ip6Cidr);
-                    userNetwork.setIp6Gateway(ip6Gateway);
-                }
+                    if (cidr != null && gateway != null) {
+                        userNetwork.setCidr(cidr);
+                        userNetwork.setGateway(gateway);
+                    }
 
-                if (externalId != null) {
-                    userNetwork.setExternalId(externalId);
-                }
+                    if (StringUtils.isNoneBlank(ip6Gateway, ip6Cidr)) {
+                        userNetwork.setIp6Cidr(ip6Cidr);
+                        userNetwork.setIp6Gateway(ip6Gateway);
+                    }
 
-                if (StringUtils.isNotBlank(routerIp)) {
-                    userNetwork.setRouterIp(routerIp);
-                }
+                    if (externalId != null) {
+                        userNetwork.setExternalId(externalId);
+                    }
 
-                if (StringUtils.isNotBlank(routerIpv6)) {
-                    userNetwork.setRouterIpv6(routerIpv6);
-                }
+                    if (StringUtils.isNotBlank(routerIp)) {
+                        userNetwork.setRouterIp(routerIp);
+                    }
 
-                if (vrIfaceMTUs != null) {
-                    if (vrIfaceMTUs.first() != null && vrIfaceMTUs.first() > 0) {
-                        userNetwork.setPublicMtu(vrIfaceMTUs.first());
-                    } else {
-                        userNetwork.setPublicMtu(Integer.valueOf(NetworkService.VRPublicInterfaceMtu.defaultValue()));
+                    if (StringUtils.isNotBlank(routerIpv6)) {
+                        userNetwork.setRouterIpv6(routerIpv6);
                     }
 
-                    if (vrIfaceMTUs.second() != null && vrIfaceMTUs.second() > 0) {
-                        userNetwork.setPrivateMtu(vrIfaceMTUs.second());
+                    if (vrIfaceMTUs != null) {
+                        if (vrIfaceMTUs.first() != null && vrIfaceMTUs.first() > 0) {
+                            userNetwork.setPublicMtu(vrIfaceMTUs.first());
+                        } else {
+                            userNetwork.setPublicMtu(Integer.valueOf(NetworkService.VRPublicInterfaceMtu.defaultValue()));
+                        }
+
+                        if (vrIfaceMTUs.second() != null && vrIfaceMTUs.second() > 0) {
+                            userNetwork.setPrivateMtu(vrIfaceMTUs.second());
+                        } else {
+                            userNetwork.setPrivateMtu(Integer.valueOf(NetworkService.VRPrivateInterfaceMtu.defaultValue()));
+                        }
                     } else {
+                        userNetwork.setPublicMtu(Integer.valueOf(NetworkService.VRPublicInterfaceMtu.defaultValue()));
                         userNetwork.setPrivateMtu(Integer.valueOf(NetworkService.VRPrivateInterfaceMtu.defaultValue()));
                     }
-                } else {
-                    userNetwork.setPublicMtu(Integer.valueOf(NetworkService.VRPublicInterfaceMtu.defaultValue()));
-                    userNetwork.setPrivateMtu(Integer.valueOf(NetworkService.VRPrivateInterfaceMtu.defaultValue()));
-                }
 
-                if (!GuestType.L2.equals(userNetwork.getGuestType())) {
-                    if (StringUtils.isNotBlank(ip4Dns1)) {
-                        userNetwork.setDns1(ip4Dns1);
-                    }
-                    if (StringUtils.isNotBlank(ip4Dns2)) {
-                        userNetwork.setDns2(ip4Dns2);
-                    }
-                    if (StringUtils.isNotBlank(ip6Dns1)) {
-                        userNetwork.setIp6Dns1(ip6Dns1);
-                    }
-                    if (StringUtils.isNotBlank(ip6Dns2)) {
-                        userNetwork.setIp6Dns2(ip6Dns2);
+                    if (!GuestType.L2.equals(userNetwork.getGuestType())) {
+                        if (StringUtils.isNotBlank(ip4Dns1)) {
+                            userNetwork.setDns1(ip4Dns1);
+                        }
+                        if (StringUtils.isNotBlank(ip4Dns2)) {
+                            userNetwork.setDns2(ip4Dns2);
+                        }
+                        if (StringUtils.isNotBlank(ip6Dns1)) {
+                            userNetwork.setIp6Dns1(ip6Dns1);
+                        }
+                        if (StringUtils.isNotBlank(ip6Dns2)) {
+                            userNetwork.setIp6Dns2(ip6Dns2);
+                        }
                     }
-                }
 
-                if (vlanIdFinal != null) {
-                    if (isolatedPvlan == null) {
-                        URI uri = null;
-                        if (UuidUtils.isUuid(vlanIdFinal)) {
-                            //Logical router's UUID provided as VLAN_ID
-                            userNetwork.setVlanIdAsUUID(vlanIdFinal); //Set transient field
-                        } else {
-                            uri = encodeVlanIdIntoBroadcastUri(vlanIdFinal, pNtwk);
-                        }
+                    if (vlanIdFinal != null) {
+                        if (isolatedPvlan == null) {
+                            URI uri = null;
+                            if (UuidUtils.isUuid(vlanIdFinal)) {
+                                //Logical router's UUID provided as VLAN_ID
+                                userNetwork.setVlanIdAsUUID(vlanIdFinal); //Set transient field
+                            } else {
+                                uri = encodeVlanIdIntoBroadcastUri(vlanIdFinal, pNtwk);
+                            }
 
-                        if (_networksDao.listByPhysicalNetworkPvlan(physicalNetworkId, uri.toString()).size() > 0) {
-                            throw new InvalidParameterValueException(String.format(
-                                    "Network with vlan %s already exists or overlaps with other network pvlans in zone %s",
-                                    vlanIdFinal, zone));
-                        }
+                            if (_networksDao.listByPhysicalNetworkPvlan(physicalNetworkId, uri.toString()).size() > 0) {
+                                throw new InvalidParameterValueException(String.format(
+                                        "Network with vlan %s already exists or overlaps with other network pvlans in zone %s",
+                                        vlanIdFinal, zone));
+                            }
 
                         userNetwork.setBroadcastUri(uri);
                         if (!vlanIdFinal.equalsIgnoreCase(Vlan.UNTAGGED)) {
@@ -3090,6 +3112,7 @@ public Network doInTransaction(final TransactionStatus status) {
                     }
                 }
                 userNetwork.setNetworkCidrSize(networkCidrSize);
+                userNetwork.setKeepMacAddressOnPublicNic(keepMacAddressOnPublicNic);
                 final List<? extends Network> networks = setupNetwork(owner, ntwkOff, userNetwork, plan, name, displayText, true, domainId, aclType, subdomainAccessFinal, vpcId,
                         isDisplayNetworkEnabled);
                 Network network;
@@ -3110,8 +3133,8 @@ public Network doInTransaction(final TransactionStatus status) {
                     }
                 }
 
-                if (updateResourceCount) {
-                    _resourceLimitMgr.incrementResourceCount(owner.getId(), ResourceType.network, isDisplayNetworkEnabled);
+                if (isResourceCountUpdateNeeded(ntwkOff)) {
+                    changeAccountResourceCountOrRecalculateDomainResourceCount(owner.getAccountId(), domainId, isDisplayNetworkEnabled, true);
                 }
                 UsageEventUtils.publishNetworkCreation(network);
 
@@ -3122,6 +3145,7 @@ public Network doInTransaction(final TransactionStatus status) {
         CallContext.current().setEventDetails("Network ID: " + network.getUuid());
         CallContext.current().putContextParameter(Network.class, network.getUuid());
         return network;
+        }
     }
 
     @Override
@@ -3487,9 +3511,8 @@ public List<VlanVO> doInTransaction(TransactionStatus status) {
                             }
 
                             final NetworkOffering ntwkOff = _entityMgr.findById(NetworkOffering.class, networkFinal.getNetworkOfferingId());
-                            final boolean updateResourceCount = resourceCountNeedsUpdate(ntwkOff, networkFinal.getAclType());
-                            if (updateResourceCount) {
-                                _resourceLimitMgr.decrementResourceCount(networkFinal.getAccountId(), ResourceType.network, networkFinal.getDisplayNetwork());
+                            if (isResourceCountUpdateNeeded(ntwkOff)) {
+                                changeAccountResourceCountOrRecalculateDomainResourceCount(networkFinal.getAccountId(), networkFinal.getDomainId(), networkFinal.getDisplayNetwork(), false);
                             }
                         }
                         return deletedVlans.second();
@@ -3512,6 +3535,23 @@ public List<VlanVO> doInTransaction(TransactionStatus status) {
         return success;
     }
 
+    /**
+     * If it is a shared network with {@link ACLType#Domain}, it will belong to account {@link Account#ACCOUNT_ID_SYSTEM} and the resources will be not incremented for the
+     * domain. Therefore, we force the recalculation of the domain's resource count in this case. Otherwise, it will change the count for the account owner.
+     * @param incrementAccountResourceCount If true, the account resource count will be incremented by 1; otherwise, it will decremented by 1.
+     */
+    private void changeAccountResourceCountOrRecalculateDomainResourceCount(Long accountId, Long domainId, boolean displayNetwork, boolean incrementAccountResourceCount) {
+        if (Account.ACCOUNT_ID_SYSTEM == accountId && ObjectUtils.isNotEmpty(domainId)) {
+            _resourceLimitMgr.recalculateDomainResourceCount(domainId, ResourceType.network, null);
+        } else {
+            if (incrementAccountResourceCount) {
+                _resourceLimitMgr.incrementResourceCount(accountId, ResourceType.network, displayNetwork);
+            } else {
+                _resourceLimitMgr.decrementResourceCount(accountId, ResourceType.network, displayNetwork);
+            }
+        }
+    }
+
     private void publishDeletedVlanRanges(List<VlanVO> deletedVlanRangeToPublish) {
         if (CollectionUtils.isNotEmpty(deletedVlanRangeToPublish)) {
             for (VlanVO vlan : deletedVlanRangeToPublish) {
@@ -3521,10 +3561,8 @@ private void publishDeletedVlanRanges(List<VlanVO> deletedVlanRangeToPublish) {
     }
 
     @Override
-    public boolean resourceCountNeedsUpdate(final NetworkOffering ntwkOff, final ACLType aclType) {
-        //Update resource count only for Isolated account specific non-system networks
-        final boolean updateResourceCount = ntwkOff.getGuestType() == GuestType.Isolated && !ntwkOff.isSystemOnly() && aclType == ACLType.Account;
-        return updateResourceCount;
+    public boolean isResourceCountUpdateNeeded(NetworkOffering networkOffering) {
+        return !networkOffering.isSystemOnly();
     }
 
     protected Pair<Boolean, List<VlanVO>> deleteVlansInNetwork(final NetworkVO network, final long userId, final Account callerAccount) {
@@ -4919,6 +4957,7 @@ public ConfigKey<?>[] getConfigKeys() {
         return new ConfigKey<?>[]{NetworkGcWait, NetworkGcInterval, NetworkLockTimeout, DeniedRoutes,
                 GuestDomainSuffix, NetworkThrottlingRate, MinVRVersion,
                 PromiscuousMode, MacAddressChanges, ForgedTransmits, MacLearning, RollingRestartEnabled,
-                TUNGSTEN_ENABLED, NSX_ENABLED, NETRIS_ENABLED, NETWORK_LB_HAPROXY_MAX_CONN};
+                TUNGSTEN_ENABLED, NSX_ENABLED, NETRIS_ENABLED, NETWORK_LB_HAPROXY_MAX_CONN,
+                NETWORK_LB_HAPROXY_IDLE_TIMEOUT};
     }
 }
diff --git a/engine/orchestration/src/main/java/org/apache/cloudstack/engine/orchestration/VolumeOrchestrator.java b/engine/orchestration/src/main/java/org/apache/cloudstack/engine/orchestration/VolumeOrchestrator.java
index e8c75afa81c5..bf3985d3ce77 100644
--- a/engine/orchestration/src/main/java/org/apache/cloudstack/engine/orchestration/VolumeOrchestrator.java
+++ b/engine/orchestration/src/main/java/org/apache/cloudstack/engine/orchestration/VolumeOrchestrator.java
@@ -40,6 +40,7 @@
 
 import com.cloud.deploy.DeploymentClusterPlanner;
 import com.cloud.exception.ResourceAllocationException;
+import com.cloud.resourcelimit.ReservationHelper;
 import com.cloud.storage.DiskOfferingVO;
 import com.cloud.storage.VMTemplateVO;
 import com.cloud.storage.dao.VMTemplateDao;
@@ -82,6 +83,7 @@
 import org.apache.cloudstack.framework.jobs.impl.AsyncJobVO;
 import org.apache.cloudstack.resourcedetail.DiskOfferingDetailVO;
 import org.apache.cloudstack.resourcedetail.dao.DiskOfferingDetailsDao;
+import org.apache.cloudstack.resourcelimit.Reserver;
 import org.apache.cloudstack.secret.PassphraseVO;
 import org.apache.cloudstack.secret.dao.PassphraseDao;
 import org.apache.cloudstack.snapshot.SnapshotHelper;
@@ -862,7 +864,7 @@ protected DiskProfile toDiskProfile(Volume vol, DiskOffering offering) {
     @ActionEvent(eventType = EventTypes.EVENT_VOLUME_CREATE, eventDescription = "creating volume", create = true)
     @Override
     public DiskProfile allocateRawVolume(Type type, String name, DiskOffering offering, Long size, Long minIops, Long maxIops, VirtualMachine vm, VirtualMachineTemplate template, Account owner,
-                                         Long deviceId) {
+                                         Long deviceId, boolean incrementResourceCount) {
         if (size == null) {
             size = offering.getDiskSize();
         } else {
@@ -901,7 +903,7 @@ public DiskProfile allocateRawVolume(Type type, String name, DiskOffering offeri
         saveVolumeDetails(offering.getId(), vol.getId());
 
         // Save usage event and update resource count for user vm volumes
-        if (vm.getType() == VirtualMachine.Type.User) {
+        if (vm.getType() == VirtualMachine.Type.User && incrementResourceCount) {
             UsageEventUtils.publishUsageEvent(EventTypes.EVENT_VOLUME_CREATE, vol.getAccountId(), vol.getDataCenterId(), vol.getId(), vol.getName(), offering.getId(), null, size,
                     Volume.class.getName(), vol.getUuid(), vol.getInstanceId(), vol.isDisplayVolume());
             _resourceLimitMgr.incrementVolumeResourceCount(vm.getAccountId(), vol.isDisplayVolume(), vol.getSize(), offering);
@@ -1938,14 +1940,20 @@ protected void updateVolumeSize(DataStore store, VolumeVO vol) throws ResourceAl
                 template == null ? null : template.getSize(),
                 vol.getPassphraseId() != null);
 
-        if (newSize != vol.getSize()) {
-            DiskOfferingVO diskOffering = diskOfferingDao.findByIdIncludingRemoved(vol.getDiskOfferingId());
+        if (newSize == vol.getSize()) {
+            return;
+        }
+
+        DiskOfferingVO diskOffering = diskOfferingDao.findByIdIncludingRemoved(vol.getDiskOfferingId());
+
+        List<Reserver> reservations = new ArrayList<>();
+        try {
             VMInstanceVO vm = vol.getInstanceId() != null ? vmInstanceDao.findById(vol.getInstanceId()) : null;
             if (vm == null || vm.getType() == VirtualMachine.Type.User) {
                 // Update resource count for user vm volumes when volume is attached
                 if (newSize > vol.getSize()) {
                     _resourceLimitMgr.checkPrimaryStorageResourceLimit(_accountMgr.getActiveAccountById(vol.getAccountId()),
-                            vol.isDisplay(), newSize - vol.getSize(), diskOffering);
+                            vol.isDisplay(), newSize - vol.getSize(), diskOffering, reservations);
                     _resourceLimitMgr.incrementVolumePrimaryStorageResourceCount(vol.getAccountId(), vol.isDisplay(),
                             newSize - vol.getSize(), diskOffering);
                 } else {
@@ -1953,9 +1961,11 @@ protected void updateVolumeSize(DataStore store, VolumeVO vol) throws ResourceAl
                             vol.getSize() - newSize, diskOffering);
                 }
             }
-            vol.setSize(newSize);
-            _volsDao.persist(vol);
+        }  finally {
+            ReservationHelper.closeAll(reservations);
         }
+        vol.setSize(newSize);
+        _volsDao.persist(vol);
     }
 
     @Override
diff --git a/engine/schema/src/main/java/com/cloud/dc/dao/AccountVlanMapDao.java b/engine/schema/src/main/java/com/cloud/dc/dao/AccountVlanMapDao.java
index 01afd0780f7e..e4047cf7973d 100644
--- a/engine/schema/src/main/java/com/cloud/dc/dao/AccountVlanMapDao.java
+++ b/engine/schema/src/main/java/com/cloud/dc/dao/AccountVlanMapDao.java
@@ -27,6 +27,6 @@ public interface AccountVlanMapDao extends GenericDao<AccountVlanMapVO, Long> {
 
     public List<AccountVlanMapVO> listAccountVlanMapsByVlan(long vlanDbId);
 
-    public AccountVlanMapVO findAccountVlanMap(long accountId, long vlanDbId);
+    public AccountVlanMapVO findAccountVlanMap(Long accountId, long vlanDbId);
 
 }
diff --git a/engine/schema/src/main/java/com/cloud/dc/dao/AccountVlanMapDaoImpl.java b/engine/schema/src/main/java/com/cloud/dc/dao/AccountVlanMapDaoImpl.java
index 12114770f112..0844bb77caa2 100644
--- a/engine/schema/src/main/java/com/cloud/dc/dao/AccountVlanMapDaoImpl.java
+++ b/engine/schema/src/main/java/com/cloud/dc/dao/AccountVlanMapDaoImpl.java
@@ -48,9 +48,9 @@ public List<AccountVlanMapVO> listAccountVlanMapsByVlan(long vlanDbId) {
     }
 
     @Override
-    public AccountVlanMapVO findAccountVlanMap(long accountId, long vlanDbId) {
+    public AccountVlanMapVO findAccountVlanMap(Long accountId, long vlanDbId) {
         SearchCriteria<AccountVlanMapVO> sc = AccountVlanSearch.create();
-        sc.setParameters("accountId", accountId);
+        sc.setParametersIfNotNull("accountId", accountId);
         sc.setParameters("vlanDbId", vlanDbId);
         return findOneIncludingRemovedBy(sc);
     }
diff --git a/engine/schema/src/main/java/com/cloud/dc/dao/DomainVlanMapDao.java b/engine/schema/src/main/java/com/cloud/dc/dao/DomainVlanMapDao.java
index 6af16bbace99..d14ccbe86ca6 100644
--- a/engine/schema/src/main/java/com/cloud/dc/dao/DomainVlanMapDao.java
+++ b/engine/schema/src/main/java/com/cloud/dc/dao/DomainVlanMapDao.java
@@ -24,5 +24,5 @@
 public interface DomainVlanMapDao extends GenericDao<DomainVlanMapVO, Long> {
     public List<DomainVlanMapVO> listDomainVlanMapsByDomain(long domainId);
     public List<DomainVlanMapVO> listDomainVlanMapsByVlan(long vlanDbId);
-    public DomainVlanMapVO findDomainVlanMap(long domainId, long vlanDbId);
+    public DomainVlanMapVO findDomainVlanMap(Long domainId, long vlanDbId);
 }
diff --git a/engine/schema/src/main/java/com/cloud/dc/dao/DomainVlanMapDaoImpl.java b/engine/schema/src/main/java/com/cloud/dc/dao/DomainVlanMapDaoImpl.java
index f789721d5fd6..0b4c781349fd 100644
--- a/engine/schema/src/main/java/com/cloud/dc/dao/DomainVlanMapDaoImpl.java
+++ b/engine/schema/src/main/java/com/cloud/dc/dao/DomainVlanMapDaoImpl.java
@@ -46,9 +46,9 @@ public List<DomainVlanMapVO> listDomainVlanMapsByVlan(long vlanDbId) {
     }
 
     @Override
-    public DomainVlanMapVO findDomainVlanMap(long domainId, long vlanDbId) {
+    public DomainVlanMapVO findDomainVlanMap(Long domainId, long vlanDbId) {
         SearchCriteria<DomainVlanMapVO> sc = DomainVlanSearch.create();
-        sc.setParameters("domainId", domainId);
+        sc.setParametersIfNotNull("domainId", domainId);
         sc.setParameters("vlanDbId", vlanDbId);
         return findOneIncludingRemovedBy(sc);
     }
diff --git a/engine/schema/src/main/java/com/cloud/domain/dao/DomainDaoImpl.java b/engine/schema/src/main/java/com/cloud/domain/dao/DomainDaoImpl.java
index 56d971bbe015..1afa0d22dcc1 100644
--- a/engine/schema/src/main/java/com/cloud/domain/dao/DomainDaoImpl.java
+++ b/engine/schema/src/main/java/com/cloud/domain/dao/DomainDaoImpl.java
@@ -262,7 +262,7 @@ public boolean isChildDomain(Long parentId, Long childId) {
         SearchCriteria<DomainVO> sc = DomainPairSearch.create();
         sc.setParameters("id", parentId, childId);
 
-        List<DomainVO> domainPair = listBy(sc);
+        List<DomainVO> domainPair = listIncludingRemovedBy(sc);
 
         if ((domainPair != null) && (domainPair.size() == 2)) {
             DomainVO d1 = domainPair.get(0);
diff --git a/engine/schema/src/main/java/com/cloud/host/dao/HostDao.java b/engine/schema/src/main/java/com/cloud/host/dao/HostDao.java
index 090b019334f4..5f5b2affee08 100644
--- a/engine/schema/src/main/java/com/cloud/host/dao/HostDao.java
+++ b/engine/schema/src/main/java/com/cloud/host/dao/HostDao.java
@@ -218,7 +218,7 @@ int countHostsByMsResourceStateTypeAndHypervisorType(long msId, List<ResourceSta
      */
     List<String> listOrderedHostsHypervisorVersionsInDatacenter(long datacenterId, HypervisorType hypervisorType);
 
-    List<HostVO> findHostsWithTagRuleThatMatchComputeOferringTags(String computeOfferingTags);
+    List<HostVO> findHostsWithTagRuleThatMatchComputeOfferingTags(String computeOfferingTags);
 
     List<Long> findClustersThatMatchHostTagRule(String computeOfferingTags);
 
diff --git a/engine/schema/src/main/java/com/cloud/host/dao/HostDaoImpl.java b/engine/schema/src/main/java/com/cloud/host/dao/HostDaoImpl.java
index 2d8fcca6cdb7..99c9a979c3bf 100644
--- a/engine/schema/src/main/java/com/cloud/host/dao/HostDaoImpl.java
+++ b/engine/schema/src/main/java/com/cloud/host/dao/HostDaoImpl.java
@@ -1520,7 +1520,7 @@ private List<Long> findHostIdsByHostTags(String hostTags){
         }
     }
 
-    public List<HostVO> findHostsWithTagRuleThatMatchComputeOferringTags(String computeOfferingTags) {
+    public List<HostVO> findHostsWithTagRuleThatMatchComputeOfferingTags(String computeOfferingTags) {
         List<HostTagVO> hostTagVOList = _hostTagsDao.findHostRuleTags();
         List<HostVO> result = new ArrayList<>();
         for (HostTagVO rule: hostTagVOList) {
@@ -1534,7 +1534,7 @@ public List<HostVO> findHostsWithTagRuleThatMatchComputeOferringTags(String comp
 
     public List<Long> findClustersThatMatchHostTagRule(String computeOfferingTags) {
         Set<Long> result = new HashSet<>();
-        List<HostVO> hosts = findHostsWithTagRuleThatMatchComputeOferringTags(computeOfferingTags);
+        List<HostVO> hosts = findHostsWithTagRuleThatMatchComputeOfferingTags(computeOfferingTags);
         for (HostVO host: hosts) {
             result.add(host.getClusterId());
         }
diff --git a/engine/schema/src/main/java/com/cloud/host/dao/HostTagsDao.java b/engine/schema/src/main/java/com/cloud/host/dao/HostTagsDao.java
index 7a00829fd44e..0d86ca0e48c7 100644
--- a/engine/schema/src/main/java/com/cloud/host/dao/HostTagsDao.java
+++ b/engine/schema/src/main/java/com/cloud/host/dao/HostTagsDao.java
@@ -45,4 +45,9 @@ public interface HostTagsDao extends GenericDao<HostTagVO, Long> {
     HostTagResponse newHostTagResponse(HostTagVO hostTag);
 
     List<HostTagVO> searchByIds(Long... hostTagIds);
+
+    /**
+     * List all host tags defined on hosts within a cluster
+     */
+    List<String> listByClusterId(Long clusterId);
 }
diff --git a/engine/schema/src/main/java/com/cloud/host/dao/HostTagsDaoImpl.java b/engine/schema/src/main/java/com/cloud/host/dao/HostTagsDaoImpl.java
index 4aa14a31cfcf..d3fee6a26761 100644
--- a/engine/schema/src/main/java/com/cloud/host/dao/HostTagsDaoImpl.java
+++ b/engine/schema/src/main/java/com/cloud/host/dao/HostTagsDaoImpl.java
@@ -23,6 +23,7 @@
 import org.apache.cloudstack.framework.config.ConfigKey;
 import org.apache.cloudstack.framework.config.Configurable;
 import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
+import org.apache.commons.collections4.CollectionUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.stereotype.Component;
 
@@ -43,9 +44,12 @@ public class HostTagsDaoImpl extends GenericDaoBase<HostTagVO, Long> implements
     private final SearchBuilder<HostTagVO> stSearch;
     private final SearchBuilder<HostTagVO> tagIdsearch;
     private final SearchBuilder<HostTagVO> ImplicitTagsSearch;
+    private final GenericSearchBuilder<HostTagVO, String> tagSearch;
 
     @Inject
     private ConfigurationDao _configDao;
+    @Inject
+    private HostDao hostDao;
 
     public HostTagsDaoImpl() {
         HostSearch = createSearchBuilder();
@@ -72,6 +76,11 @@ public HostTagsDaoImpl() {
         ImplicitTagsSearch.and("hostId", ImplicitTagsSearch.entity().getHostId(), SearchCriteria.Op.EQ);
         ImplicitTagsSearch.and("isImplicit", ImplicitTagsSearch.entity().getIsImplicit(), SearchCriteria.Op.EQ);
         ImplicitTagsSearch.done();
+
+        tagSearch = createSearchBuilder(String.class);
+        tagSearch.selectFields(tagSearch.entity().getTag());
+        tagSearch.and("hostIdIN", tagSearch.entity().getHostId(), SearchCriteria.Op.IN);
+        tagSearch.done();
     }
 
     @Override
@@ -235,4 +244,15 @@ public List<HostTagVO> searchByIds(Long... tagIds) {
 
         return tagList;
     }
+
+    @Override
+    public List<String> listByClusterId(Long clusterId) {
+        List<Long> hostIds = hostDao.listIdsByClusterId(clusterId);
+        if (CollectionUtils.isEmpty(hostIds)) {
+            return new ArrayList<>();
+        }
+        SearchCriteria<String> sc = tagSearch.create();
+        sc.setParameters("hostIdIN", hostIds.toArray());
+        return customSearch(sc, null);
+    }
 }
diff --git a/engine/schema/src/main/java/com/cloud/network/dao/NetworkDaoImpl.java b/engine/schema/src/main/java/com/cloud/network/dao/NetworkDaoImpl.java
index 4e8b6204f720..9f7ffabac930 100644
--- a/engine/schema/src/main/java/com/cloud/network/dao/NetworkDaoImpl.java
+++ b/engine/schema/src/main/java/com/cloud/network/dao/NetworkDaoImpl.java
@@ -193,6 +193,7 @@ protected void init() {
         PersistentNetworkSearch.and("id", PersistentNetworkSearch.entity().getId(), Op.NEQ);
         PersistentNetworkSearch.and("guestType", PersistentNetworkSearch.entity().getGuestType(), Op.IN);
         PersistentNetworkSearch.and("broadcastUri", PersistentNetworkSearch.entity().getBroadcastUri(), Op.EQ);
+        PersistentNetworkSearch.and("dc", PersistentNetworkSearch.entity().getDataCenterId(), Op.EQ);
         PersistentNetworkSearch.and("removed", PersistentNetworkSearch.entity().getRemoved(), Op.NULL);
         final SearchBuilder<NetworkOfferingVO> persistentNtwkOffJoin = _ntwkOffDao.createSearchBuilder();
         persistentNtwkOffJoin.and("persistent", persistentNtwkOffJoin.entity().isPersistent(), Op.EQ);
diff --git a/engine/schema/src/main/java/com/cloud/network/dao/NetworkVO.java b/engine/schema/src/main/java/com/cloud/network/dao/NetworkVO.java
index 02abaacd854e..f2572ba91c21 100644
--- a/engine/schema/src/main/java/com/cloud/network/dao/NetworkVO.java
+++ b/engine/schema/src/main/java/com/cloud/network/dao/NetworkVO.java
@@ -203,9 +203,13 @@ public class NetworkVO implements Network {
     @Column(name = "private_mtu")
     Integer privateMtu;
 
+    @Column(name = "keep_mac_address_on_public_nic")
+    private boolean keepMacAddressOnPublicNic = true;
+
     @Transient
     Integer networkCidrSize;
 
+
     public NetworkVO() {
         uuid = UUID.randomUUID().toString();
     }
@@ -773,4 +777,13 @@ public Integer getNetworkCidrSize() {
     public void setNetworkCidrSize(Integer networkCidrSize) {
         this.networkCidrSize = networkCidrSize;
     }
+
+    @Override
+    public boolean getKeepMacAddressOnPublicNic() {
+        return keepMacAddressOnPublicNic;
+    }
+
+    public void setKeepMacAddressOnPublicNic(boolean keepMacAddressOnPublicNic) {
+        this.keepMacAddressOnPublicNic = keepMacAddressOnPublicNic;
+    }
 }
diff --git a/engine/schema/src/main/java/com/cloud/network/dao/PublicIpQuarantineDao.java b/engine/schema/src/main/java/com/cloud/network/dao/PublicIpQuarantineDao.java
index ccba6bb18893..606bdaaaa7a7 100644
--- a/engine/schema/src/main/java/com/cloud/network/dao/PublicIpQuarantineDao.java
+++ b/engine/schema/src/main/java/com/cloud/network/dao/PublicIpQuarantineDao.java
@@ -19,9 +19,21 @@
 import com.cloud.network.vo.PublicIpQuarantineVO;
 import com.cloud.utils.db.GenericDao;
 
+import java.util.Date;
+import java.util.List;
+
 public interface PublicIpQuarantineDao extends GenericDao<PublicIpQuarantineVO, Long> {
 
     PublicIpQuarantineVO findByPublicIpAddressId(long publicIpAddressId);
 
     PublicIpQuarantineVO findByIpAddress(String publicIpAddress);
+
+    /**
+     * Returns a list of public IP addresses that are actively quarantined at the specified date and the previous owner differs from the specified user.
+     *
+     * @param userId used to check against the IP's previous owner;
+     * @param date used to check if the quarantine is active;
+     * @return a list of PublicIpQuarantineVOs.
+     */
+    List<PublicIpQuarantineVO> listQuarantinedIpAddressesToUser(Long userId, Date date);
 }
diff --git a/engine/schema/src/main/java/com/cloud/network/dao/PublicIpQuarantineDaoImpl.java b/engine/schema/src/main/java/com/cloud/network/dao/PublicIpQuarantineDaoImpl.java
index a1b789b8a46b..0c47a0d36e30 100644
--- a/engine/schema/src/main/java/com/cloud/network/dao/PublicIpQuarantineDaoImpl.java
+++ b/engine/schema/src/main/java/com/cloud/network/dao/PublicIpQuarantineDaoImpl.java
@@ -26,6 +26,8 @@
 
 import javax.annotation.PostConstruct;
 import javax.inject.Inject;
+import java.util.Date;
+import java.util.List;
 
 @Component
 public class PublicIpQuarantineDaoImpl extends GenericDaoBase<PublicIpQuarantineVO, Long> implements PublicIpQuarantineDao {
@@ -33,6 +35,8 @@ public class PublicIpQuarantineDaoImpl extends GenericDaoBase<PublicIpQuarantine
 
     private SearchBuilder<IPAddressVO> ipAddressSearchBuilder;
 
+    private SearchBuilder<PublicIpQuarantineVO> quarantinedIpAddressesSearch;
+
     @Inject
     IPAddressDao ipAddressDao;
 
@@ -47,8 +51,16 @@ public void init() {
         publicIpAddressByIdSearch.join("quarantineJoin", ipAddressSearchBuilder, ipAddressSearchBuilder.entity().getId(),
                 publicIpAddressByIdSearch.entity().getPublicIpAddressId(), JoinBuilder.JoinType.INNER);
 
+        quarantinedIpAddressesSearch = createSearchBuilder();
+        quarantinedIpAddressesSearch.and("previousOwnerId", quarantinedIpAddressesSearch.entity().getPreviousOwnerId(), SearchCriteria.Op.NEQ);
+        quarantinedIpAddressesSearch.and();
+        quarantinedIpAddressesSearch.op("removedIsNull", quarantinedIpAddressesSearch.entity().getRemoved(), SearchCriteria.Op.NULL);
+        quarantinedIpAddressesSearch.and("endDate", quarantinedIpAddressesSearch.entity().getEndDate(), SearchCriteria.Op.GT);
+        quarantinedIpAddressesSearch.cp();
+
         ipAddressSearchBuilder.done();
         publicIpAddressByIdSearch.done();
+        quarantinedIpAddressesSearch.done();
     }
 
     @Override
@@ -68,4 +80,14 @@ public PublicIpQuarantineVO findByIpAddress(String publicIpAddress) {
 
         return findOneBy(sc, filter);
     }
+
+    @Override
+    public List<PublicIpQuarantineVO> listQuarantinedIpAddressesToUser(Long userId, Date date) {
+        SearchCriteria<PublicIpQuarantineVO> sc = quarantinedIpAddressesSearch.create();
+
+        sc.setParameters("previousOwnerId", userId);
+        sc.setParameters("endDate", date);
+
+        return searchIncludingRemoved(sc, null, false, false);
+    }
 }
diff --git a/engine/schema/src/main/java/com/cloud/network/vpc/VpcVO.java b/engine/schema/src/main/java/com/cloud/network/vpc/VpcVO.java
index e942eadb8ffb..742d3f2f82ee 100644
--- a/engine/schema/src/main/java/com/cloud/network/vpc/VpcVO.java
+++ b/engine/schema/src/main/java/com/cloud/network/vpc/VpcVO.java
@@ -108,6 +108,9 @@ public class VpcVO implements Vpc {
     @Column(name = "use_router_ip_resolver")
     boolean useRouterIpResolver = false;
 
+    @Column(name = "keep_mac_address_on_public_nic")
+    private boolean keepMacAddressOnPublicNic = true;
+
     @Transient
     boolean rollingRestart = false;
 
@@ -321,4 +324,13 @@ public boolean useRouterIpAsResolver() {
     public void setUseRouterIpResolver(boolean useRouterIpResolver) {
         this.useRouterIpResolver = useRouterIpResolver;
     }
+
+    @Override
+    public boolean getKeepMacAddressOnPublicNic() {
+        return keepMacAddressOnPublicNic;
+    }
+
+    public void setKeepMacAddressOnPublicNic(boolean keepMacAddressOnPublicNic) {
+        this.keepMacAddressOnPublicNic = keepMacAddressOnPublicNic;
+    }
 }
diff --git a/engine/schema/src/main/java/com/cloud/storage/dao/GuestOSDao.java b/engine/schema/src/main/java/com/cloud/storage/dao/GuestOSDao.java
index 1a2b098c40a7..f24f3f3b67c4 100644
--- a/engine/schema/src/main/java/com/cloud/storage/dao/GuestOSDao.java
+++ b/engine/schema/src/main/java/com/cloud/storage/dao/GuestOSDao.java
@@ -35,7 +35,7 @@ public interface GuestOSDao extends GenericDao<GuestOSVO, Long> {
 
     List<GuestOSVO> listByDisplayName(String displayName);
 
-    Pair<List<? extends GuestOS>, Integer> listGuestOSByCriteria(Long startIndex, Long pageSize, Long id, Long osCategoryId, String description, String keyword, Boolean forDisplay);
+    Pair<List<? extends GuestOS>, Integer> listGuestOSByCriteria(Long startIndex, Long pageSize, List<Long> ids, Long osCategoryId, String description, String keyword, Boolean forDisplay);
 
     List<Long> listIdsByCategoryId(final long categoryId);
 }
diff --git a/engine/schema/src/main/java/com/cloud/storage/dao/GuestOSDaoImpl.java b/engine/schema/src/main/java/com/cloud/storage/dao/GuestOSDaoImpl.java
index 881be207c1aa..09f8772fb59c 100644
--- a/engine/schema/src/main/java/com/cloud/storage/dao/GuestOSDaoImpl.java
+++ b/engine/schema/src/main/java/com/cloud/storage/dao/GuestOSDaoImpl.java
@@ -125,12 +125,12 @@ public List<GuestOSVO> listByDisplayName(String displayName) {
         return listBy(sc);
     }
 
-    public Pair<List<? extends GuestOS>, Integer> listGuestOSByCriteria(Long startIndex, Long pageSize, Long id, Long osCategoryId, String description, String keyword, Boolean forDisplay) {
+    public Pair<List<? extends GuestOS>, Integer> listGuestOSByCriteria(Long startIndex, Long pageSize, List<Long> ids, Long osCategoryId, String description, String keyword, Boolean forDisplay) {
         final Filter searchFilter = new Filter(GuestOSVO.class, "displayName", true, startIndex, pageSize);
         final SearchCriteria<GuestOSVO> sc = createSearchCriteria();
 
-        if (id != null) {
-            sc.addAnd("id", SearchCriteria.Op.EQ, id);
+        if (CollectionUtils.isNotEmpty(ids)) {
+            sc.addAnd("id", SearchCriteria.Op.IN, ids.toArray());
         }
 
         if (osCategoryId != null) {
diff --git a/engine/schema/src/main/java/com/cloud/storage/dao/SnapshotDaoImpl.java b/engine/schema/src/main/java/com/cloud/storage/dao/SnapshotDaoImpl.java
index 80e1b7d4d4be..f167b5731878 100755
--- a/engine/schema/src/main/java/com/cloud/storage/dao/SnapshotDaoImpl.java
+++ b/engine/schema/src/main/java/com/cloud/storage/dao/SnapshotDaoImpl.java
@@ -170,6 +170,7 @@ protected void init() {
         CountSnapshotsByAccount.select(null, Func.COUNT, null);
         CountSnapshotsByAccount.and("account", CountSnapshotsByAccount.entity().getAccountId(), SearchCriteria.Op.EQ);
         CountSnapshotsByAccount.and("status", CountSnapshotsByAccount.entity().getState(), SearchCriteria.Op.NIN);
+        CountSnapshotsByAccount.and("snapshotTypeNEQ", CountSnapshotsByAccount.entity().getSnapshotType(), SearchCriteria.Op.NIN);
         CountSnapshotsByAccount.and("removed", CountSnapshotsByAccount.entity().getRemoved(), SearchCriteria.Op.NULL);
         CountSnapshotsByAccount.done();
 
@@ -220,6 +221,7 @@ public Long countSnapshotsForAccount(long accountId) {
         SearchCriteria<Long> sc = CountSnapshotsByAccount.create();
         sc.setParameters("account", accountId);
         sc.setParameters("status", State.Error, State.Destroyed);
+        sc.setParameters("snapshotTypeNEQ", Snapshot.Type.GROUP.ordinal());
         return customSearch(sc, null).get(0);
     }
 
diff --git a/engine/schema/src/main/java/com/cloud/storage/dao/VolumeDao.java b/engine/schema/src/main/java/com/cloud/storage/dao/VolumeDao.java
index a03b94faa797..717e3e782f2f 100644
--- a/engine/schema/src/main/java/com/cloud/storage/dao/VolumeDao.java
+++ b/engine/schema/src/main/java/com/cloud/storage/dao/VolumeDao.java
@@ -166,4 +166,12 @@ public interface VolumeDao extends GenericDao<VolumeVO, Long>, StateDao<Volume.S
     int getVolumeCountByOfferingId(long diskOfferingId);
 
     VolumeVO findByLastIdAndState(long lastVolumeId, Volume.State...states);
+
+    /**
+     *  Retrieves volume by its externalId
+     *
+     * @param externalUuid
+     * @return Volume Object of matching search criteria
+     */
+    VolumeVO findByExternalUuid(String externalUuid);
 }
diff --git a/engine/schema/src/main/java/com/cloud/storage/dao/VolumeDaoImpl.java b/engine/schema/src/main/java/com/cloud/storage/dao/VolumeDaoImpl.java
index 727c4fe8ef27..fce4d1f7233d 100644
--- a/engine/schema/src/main/java/com/cloud/storage/dao/VolumeDaoImpl.java
+++ b/engine/schema/src/main/java/com/cloud/storage/dao/VolumeDaoImpl.java
@@ -74,6 +74,7 @@ public class VolumeDaoImpl extends GenericDaoBase<VolumeVO, Long> implements Vol
     private final SearchBuilder<VolumeVO> storeAndInstallPathSearch;
     private final SearchBuilder<VolumeVO> volumeIdSearch;
     protected GenericSearchBuilder<VolumeVO, Long> CountByAccount;
+    protected final SearchBuilder<VolumeVO> ExternalUuidSearch;
     protected GenericSearchBuilder<VolumeVO, SumCount> primaryStorageSearch;
     protected GenericSearchBuilder<VolumeVO, SumCount> primaryStorageSearch2;
     protected GenericSearchBuilder<VolumeVO, SumCount> secondaryStorageSearch;
@@ -459,6 +460,10 @@ public VolumeDaoImpl() {
         CountByAccount.and("idNIN", CountByAccount.entity().getId(), Op.NIN);
         CountByAccount.done();
 
+        ExternalUuidSearch = createSearchBuilder();
+        ExternalUuidSearch.and("externalUuid", ExternalUuidSearch.entity().getExternalUuid(), Op.EQ);
+        ExternalUuidSearch.done();
+
         primaryStorageSearch = createSearchBuilder(SumCount.class);
         primaryStorageSearch.select("sum", Func.SUM, primaryStorageSearch.entity().getSize());
         primaryStorageSearch.and("accountId", primaryStorageSearch.entity().getAccountId(), Op.EQ);
@@ -934,4 +939,11 @@ public VolumeVO findByLastIdAndState(long lastVolumeId, State ...states) {
         sc.and(sc.entity().getState(), SearchCriteria.Op.IN,  (Object[]) states);
         return sc.find();
     }
+
+    @Override
+    public VolumeVO findByExternalUuid(String externalUuid) {
+        SearchCriteria<VolumeVO> sc = ExternalUuidSearch.create();
+        sc.setParameters("externalUuid", externalUuid);
+        return findOneBy(sc);
+    }
 }
diff --git a/engine/schema/src/main/java/com/cloud/upgrade/DatabaseVersionHierarchy.java b/engine/schema/src/main/java/com/cloud/upgrade/DatabaseVersionHierarchy.java
index 445a59310fb4..377b2f913755 100644
--- a/engine/schema/src/main/java/com/cloud/upgrade/DatabaseVersionHierarchy.java
+++ b/engine/schema/src/main/java/com/cloud/upgrade/DatabaseVersionHierarchy.java
@@ -16,6 +16,7 @@
 // under the License.
 package com.cloud.upgrade;
 
+import java.util.Arrays;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
@@ -96,7 +97,9 @@ public DbUpgrade[] getPath(final CloudStackVersion fromVersion, final CloudStack
         // we cannot find the version specified, so get the
         // most recent one immediately before this version
         if (!contains(fromVersion)) {
-            return getPath(getRecentVersion(fromVersion), toVersion);
+            DbUpgrade[] dbUpgrades = getPath(getRecentVersion(fromVersion), toVersion);
+            return Arrays.stream(dbUpgrades).filter(up -> CloudStackVersion.compare(up.getUpgradedVersion(), fromVersion.toString()) > 0)
+                    .toArray(DbUpgrade[]::new);
         }
 
         final Predicate<? super VersionNode> predicate;
diff --git a/engine/schema/src/main/java/com/cloud/upgrade/SystemVmTemplateRegistration.java b/engine/schema/src/main/java/com/cloud/upgrade/SystemVmTemplateRegistration.java
index 292bafefbb65..2acb4138d234 100644
--- a/engine/schema/src/main/java/com/cloud/upgrade/SystemVmTemplateRegistration.java
+++ b/engine/schema/src/main/java/com/cloud/upgrade/SystemVmTemplateRegistration.java
@@ -1073,7 +1073,7 @@ protected void updateRegisteredTemplateDetails(Long templateId, MetadataTemplate
         }
         Hypervisor.HypervisorType hypervisorType = templateDetails.getHypervisorType();
         updateSystemVMEntries(templateId, hypervisorType);
-        updateConfigurationParams(hypervisorType, templateDetails.getName(), zoneId);
+        updateConfigurationParams(hypervisorType, templateVO.getName(), zoneId);
     }
 
     protected void updateTemplateUrlChecksumAndGuestOsId(VMTemplateVO templateVO,
diff --git a/engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade42020to42030.java b/engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade42020to42030.java
index 68100e164018..e0aa38a717b2 100644
--- a/engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade42020to42030.java
+++ b/engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade42020to42030.java
@@ -57,8 +57,4 @@ public void performDataMigration(Connection conn) {
     public InputStream[] getCleanupScripts() {
         return null;
     }
-
-    @Override
-    public void updateSystemVmTemplates(Connection conn) {
-    }
 }
diff --git a/engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade42200to42210.java b/engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade42200to42210.java
index c9610f7b9ff5..813351d75341 100644
--- a/engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade42200to42210.java
+++ b/engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade42200to42210.java
@@ -16,6 +16,14 @@
 // under the License.
 package com.cloud.upgrade.dao;
 
+import org.apache.cloudstack.vm.UnmanagedVMsManager;
+
+import java.sql.Connection;
+import java.sql.PreparedStatement;
+import java.sql.ResultSet;
+import java.util.ArrayList;
+import java.util.List;
+
 public class Upgrade42200to42210 extends DbUpgradeAbstractImpl implements DbUpgrade, DbUpgradeSystemVmTemplate {
 
     @Override
@@ -27,4 +35,47 @@ public String[] getUpgradableVersionRange() {
     public String getUpgradedVersion() {
         return "4.22.1.0";
     }
+
+    @Override
+    public void performDataMigration(Connection conn) {
+        removeDuplicateKVMImportTemplates(conn);
+    }
+
+    private void removeDuplicateKVMImportTemplates(Connection conn) {
+        List<Long> templateIds = new ArrayList<>();
+        try (PreparedStatement selectStmt = conn.prepareStatement(String.format("SELECT id FROM cloud.vm_template WHERE name='%s' ORDER BY id ASC", UnmanagedVMsManager.KVM_VM_IMPORT_DEFAULT_TEMPLATE_NAME))) {
+            ResultSet rs = selectStmt.executeQuery();
+            while (rs.next()) {
+                templateIds.add(rs.getLong(1));
+            }
+
+            if (templateIds.size() <= 1) {
+                return;
+            }
+
+            logger.info("Removing duplicate template " + UnmanagedVMsManager.KVM_VM_IMPORT_DEFAULT_TEMPLATE_NAME + " entries");
+            Long firstTemplateId = templateIds.get(0);
+
+            String updateTemplateSql = "UPDATE cloud.vm_instance SET vm_template_id = ? WHERE vm_template_id = ?";
+            String deleteTemplateSql = "DELETE FROM cloud.vm_template WHERE id = ?";
+
+            try (PreparedStatement updateTemplateStmt = conn.prepareStatement(updateTemplateSql);
+                 PreparedStatement deleteTemplateStmt = conn.prepareStatement(deleteTemplateSql)) {
+                for (int i = 1; i < templateIds.size(); i++) {
+                    Long duplicateTemplateId = templateIds.get(i);
+
+                    // Update VM references
+                    updateTemplateStmt.setLong(1, firstTemplateId);
+                    updateTemplateStmt.setLong(2, duplicateTemplateId);
+                    updateTemplateStmt.executeUpdate();
+
+                    // Delete duplicate dummy template
+                    deleteTemplateStmt.setLong(1, duplicateTemplateId);
+                    deleteTemplateStmt.executeUpdate();
+                }
+            }
+        } catch (Exception e) {
+            logger.warn("Failed to remove duplicate template " + UnmanagedVMsManager.KVM_VM_IMPORT_DEFAULT_TEMPLATE_NAME + " entries", e);
+        }
+    }
 }
diff --git a/engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade42210to42300.java b/engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade42210to42300.java
index df4743894c9d..393f20399503 100644
--- a/engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade42210to42300.java
+++ b/engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade42210to42300.java
@@ -17,7 +17,12 @@
 package com.cloud.upgrade.dao;
 
 import java.io.InputStream;
+import java.sql.Connection;
+import java.sql.PreparedStatement;
+import java.sql.ResultSet;
+import java.sql.SQLException;
 
+import com.cloud.utils.crypt.DBEncryptionUtil;
 import com.cloud.utils.exception.CloudRuntimeException;
 
 public class Upgrade42210to42300 extends DbUpgradeAbstractImpl implements DbUpgrade, DbUpgradeSystemVmTemplate {
@@ -42,4 +47,46 @@ public InputStream[] getPrepareScripts() {
 
         return new InputStream[] {script};
     }
+
+    @Override
+    public void performDataMigration(Connection conn) {
+        unhideJsInterpretationEnabled(conn);
+    }
+
+    protected void unhideJsInterpretationEnabled(Connection conn) {
+        String value = getJsInterpretationEnabled(conn);
+        if (value != null) {
+            updateJsInterpretationEnabledFields(conn, value);
+        }
+    }
+
+    protected String getJsInterpretationEnabled(Connection conn) {
+        String query = "SELECT value FROM cloud.configuration WHERE name = 'js.interpretation.enabled' AND category = 'Hidden';";
+
+        try (PreparedStatement pstmt = conn.prepareStatement(query)) {
+            ResultSet rs = pstmt.executeQuery();
+            if (rs.next()) {
+                return rs.getString("value");
+            }
+            logger.debug("Unable to retrieve value of hidden configuration 'js.interpretation.enabled'. The configuration may already be unhidden.");
+            return null;
+        } catch (SQLException e) {
+            throw new CloudRuntimeException("Error while retrieving value of hidden configuration 'js.interpretation.enabled'.", e);
+        }
+    }
+
+    protected void updateJsInterpretationEnabledFields(Connection conn, String encryptedValue) {
+        String query = "UPDATE cloud.configuration SET value = ?, category = 'System', component = 'JsInterpreter', is_dynamic = 1 WHERE name = 'js.interpretation.enabled';";
+
+        try (PreparedStatement pstmt = conn.prepareStatement(query)) {
+            String decryptedValue = DBEncryptionUtil.decrypt(encryptedValue);
+            logger.info("Updating setting 'js.interpretation.enabled' to decrypted value [{}], category 'System', component 'JsInterpreter', and is_dynamic '1'.", decryptedValue);
+            pstmt.setString(1, decryptedValue);
+            pstmt.executeUpdate();
+        } catch (SQLException e) {
+            throw new CloudRuntimeException("Error while unhiding configuration 'js.interpretation.enabled'.", e);
+        } catch (CloudRuntimeException e) {
+            logger.warn("Error while decrypting configuration 'js.interpretation.enabled'. The configuration may already be decrypted.");
+        }
+    }
 }
diff --git a/engine/schema/src/main/java/com/cloud/vm/NicVO.java b/engine/schema/src/main/java/com/cloud/vm/NicVO.java
index 6c569e22dd95..65946b8d8210 100644
--- a/engine/schema/src/main/java/com/cloud/vm/NicVO.java
+++ b/engine/schema/src/main/java/com/cloud/vm/NicVO.java
@@ -131,6 +131,9 @@ protected NicVO() {
     @Column(name = "mtu")
     Integer mtu;
 
+    @Column(name = "enabled")
+    boolean enabled;
+
     @Transient
     transient String nsxLogicalSwitchUuid;
 
@@ -143,6 +146,7 @@ public NicVO(String reserver, Long instanceId, long configurationId, VirtualMach
         this.networkId = configurationId;
         this.state = State.Allocated;
         this.vmType = vmType;
+        this.enabled = true;
     }
 
     @Override
@@ -397,6 +401,14 @@ public void setNsxLogicalSwitchPortUuid(String nsxLogicalSwitchPortUuid) {
         this.nsxLogicalSwitchPortUuid = nsxLogicalSwitchPortUuid;
     }
 
+    public boolean isEnabled() {
+        return enabled;
+    }
+
+    public void setEnabled(boolean enabled) {
+        this.enabled = enabled;
+    }
+
     @Override
     public int hashCode() {
         return new HashCodeBuilder(17, 31).append(id).toHashCode();
diff --git a/engine/schema/src/main/java/com/cloud/vm/dao/VMInstanceDao.java b/engine/schema/src/main/java/com/cloud/vm/dao/VMInstanceDao.java
index 23541c2431e7..4fd3e729e0d2 100755
--- a/engine/schema/src/main/java/com/cloud/vm/dao/VMInstanceDao.java
+++ b/engine/schema/src/main/java/com/cloud/vm/dao/VMInstanceDao.java
@@ -21,6 +21,7 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 
 import com.cloud.hypervisor.Hypervisor;
 import com.cloud.utils.Pair;
@@ -192,4 +193,8 @@ List<VMInstanceVO> searchRemovedByRemoveDate(final Date startDate, final Date en
     int getVmCountByOfferingNotInDomain(Long serviceOfferingId, List<Long> domainIds);
 
     List<VMInstanceVO> listByIdsIncludingRemoved(List<Long> ids);
+
+    List<VMInstanceVO> listDeleteProtectedVmsByAccountId(long accountId);
+
+    List<VMInstanceVO> listDeleteProtectedVmsByDomainIds(Set<Long> domainIds);
 }
diff --git a/engine/schema/src/main/java/com/cloud/vm/dao/VMInstanceDaoImpl.java b/engine/schema/src/main/java/com/cloud/vm/dao/VMInstanceDaoImpl.java
index 589a63ea0d84..019d152ce5c3 100755
--- a/engine/schema/src/main/java/com/cloud/vm/dao/VMInstanceDaoImpl.java
+++ b/engine/schema/src/main/java/com/cloud/vm/dao/VMInstanceDaoImpl.java
@@ -25,11 +25,13 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import java.util.stream.Collectors;
 
 import javax.annotation.PostConstruct;
 import javax.inject.Inject;
 
+import org.apache.cloudstack.api.ApiConstants;
 import org.apache.commons.collections.CollectionUtils;
 import org.springframework.stereotype.Component;
 
@@ -106,6 +108,8 @@ public class VMInstanceDaoImpl extends GenericDaoBase<VMInstanceVO, Long> implem
     protected SearchBuilder<VMInstanceVO> IdsPowerStateSelectSearch;
     GenericSearchBuilder<VMInstanceVO, Integer> CountByOfferingId;
     GenericSearchBuilder<VMInstanceVO, Integer> CountUserVmNotInDomain;
+    SearchBuilder<VMInstanceVO> DeleteProtectedVmSearchByAccount;
+    SearchBuilder<VMInstanceVO> DeleteProtectedVmSearchByDomainIds;
 
     @Inject
     ResourceTagDao tagsDao;
@@ -354,7 +358,8 @@ protected void init() {
                 IdsPowerStateSelectSearch.entity().getPowerHostId(),
                 IdsPowerStateSelectSearch.entity().getPowerState(),
                 IdsPowerStateSelectSearch.entity().getPowerStateUpdateCount(),
-                IdsPowerStateSelectSearch.entity().getPowerStateUpdateTime());
+                IdsPowerStateSelectSearch.entity().getPowerStateUpdateTime(),
+                IdsPowerStateSelectSearch.entity().getState());
         IdsPowerStateSelectSearch.done();
 
         CountByOfferingId = createSearchBuilder(Integer.class);
@@ -368,6 +373,19 @@ protected void init() {
         CountUserVmNotInDomain.and("domainIdsNotIn", CountUserVmNotInDomain.entity().getDomainId(), Op.NIN);
         CountUserVmNotInDomain.done();
 
+        DeleteProtectedVmSearchByAccount = createSearchBuilder();
+        DeleteProtectedVmSearchByAccount.selectFields(DeleteProtectedVmSearchByAccount.entity().getUuid());
+        DeleteProtectedVmSearchByAccount.and(ApiConstants.ACCOUNT_ID, DeleteProtectedVmSearchByAccount.entity().getAccountId(), Op.EQ);
+        DeleteProtectedVmSearchByAccount.and(ApiConstants.DELETE_PROTECTION, DeleteProtectedVmSearchByAccount.entity().isDeleteProtection(), Op.EQ);
+        DeleteProtectedVmSearchByAccount.and(ApiConstants.REMOVED, DeleteProtectedVmSearchByAccount.entity().getRemoved(), Op.NULL);
+        DeleteProtectedVmSearchByAccount.done();
+
+        DeleteProtectedVmSearchByDomainIds = createSearchBuilder();
+        DeleteProtectedVmSearchByDomainIds.selectFields(DeleteProtectedVmSearchByDomainIds.entity().getUuid());
+        DeleteProtectedVmSearchByDomainIds.and(ApiConstants.DOMAIN_IDS, DeleteProtectedVmSearchByDomainIds.entity().getDomainId(), Op.IN);
+        DeleteProtectedVmSearchByDomainIds.and(ApiConstants.DELETE_PROTECTION, DeleteProtectedVmSearchByDomainIds.entity().isDeleteProtection(), Op.EQ);
+        DeleteProtectedVmSearchByDomainIds.and(ApiConstants.REMOVED, DeleteProtectedVmSearchByDomainIds.entity().getRemoved(), Op.NULL);
+        DeleteProtectedVmSearchByDomainIds.done();
     }
 
     @Override
@@ -1088,10 +1106,14 @@ public Map<Long, VirtualMachine.PowerState> updatePowerState(
 
     private boolean isPowerStateInSyncWithInstanceState(final VirtualMachine.PowerState powerState, final long powerHostId, final VMInstanceVO instance) {
         State instanceState = instance.getState();
+        if (instanceState == null) {
+            logger.warn("VM {} has null instance state during power state sync check, treating as out of sync", instance);
+            return false;
+        }
         if ((powerState == VirtualMachine.PowerState.PowerOff && instanceState == State.Running)
                 || (powerState == VirtualMachine.PowerState.PowerOn && instanceState == State.Stopped)) {
             HostVO instanceHost = hostDao.findById(instance.getHostId());
-            HostVO powerHost = powerHostId == instance.getHostId() ? instanceHost : hostDao.findById(powerHostId);
+            HostVO powerHost = instance.getHostId() != null && powerHostId == instance.getHostId() ? instanceHost : hostDao.findById(powerHostId);
             logger.debug("VM: {} on host: {} and power host : {} is in {} state, but power state is {}",
                     instance, instanceHost, powerHost, instanceState, powerState);
             return false;
@@ -1296,4 +1318,22 @@ public List<VMInstanceVO> listByIdsIncludingRemoved(List<Long> ids) {
         sc.setParameters("ids", ids.toArray());
         return listIncludingRemovedBy(sc);
     }
+
+    @Override
+    public List<VMInstanceVO> listDeleteProtectedVmsByAccountId(long accountId)  {
+        SearchCriteria<VMInstanceVO> sc = DeleteProtectedVmSearchByAccount.create();
+        sc.setParameters(ApiConstants.ACCOUNT_ID, accountId);
+        sc.setParameters(ApiConstants.DELETE_PROTECTION, true);
+        Filter filter = new Filter(VMInstanceVO.class, null, false, 0L, 10L);
+        return listBy(sc, filter);
+    }
+
+    @Override
+    public List<VMInstanceVO> listDeleteProtectedVmsByDomainIds(Set<Long> domainIds)  {
+        SearchCriteria<VMInstanceVO> sc = DeleteProtectedVmSearchByDomainIds.create();
+        sc.setParameters(ApiConstants.DOMAIN_IDS, domainIds.toArray());
+        sc.setParameters(ApiConstants.DELETE_PROTECTION, true);
+        Filter filter = new Filter(VMInstanceVO.class, null, false, 0L, 10L);
+        return listBy(sc, filter);
+    }
 }
diff --git a/engine/schema/src/main/java/org/apache/cloudstack/backup/dao/BackupScheduleDao.java b/engine/schema/src/main/java/org/apache/cloudstack/backup/dao/BackupScheduleDao.java
index ee1783a9c896..87b7dab1ff7b 100644
--- a/engine/schema/src/main/java/org/apache/cloudstack/backup/dao/BackupScheduleDao.java
+++ b/engine/schema/src/main/java/org/apache/cloudstack/backup/dao/BackupScheduleDao.java
@@ -21,20 +21,14 @@
 import java.util.List;
 
 import com.cloud.utils.DateUtil;
-import org.apache.cloudstack.api.response.BackupScheduleResponse;
-import org.apache.cloudstack.backup.BackupSchedule;
 import org.apache.cloudstack.backup.BackupScheduleVO;
 
 import com.cloud.utils.db.GenericDao;
 
 public interface BackupScheduleDao extends GenericDao<BackupScheduleVO, Long> {
-    BackupScheduleVO findByVM(Long vmId);
-
     List<BackupScheduleVO> listByVM(Long vmId);
 
     BackupScheduleVO findByVMAndIntervalType(Long vmId, DateUtil.IntervalType intervalType);
 
     List<BackupScheduleVO> getSchedulesToExecute(Date currentTimestamp);
-
-    BackupScheduleResponse newBackupScheduleResponse(BackupSchedule schedule);
 }
diff --git a/engine/schema/src/main/java/org/apache/cloudstack/backup/dao/BackupScheduleDaoImpl.java b/engine/schema/src/main/java/org/apache/cloudstack/backup/dao/BackupScheduleDaoImpl.java
index d9cf7b63680b..972af73391af 100644
--- a/engine/schema/src/main/java/org/apache/cloudstack/backup/dao/BackupScheduleDaoImpl.java
+++ b/engine/schema/src/main/java/org/apache/cloudstack/backup/dao/BackupScheduleDaoImpl.java
@@ -17,28 +17,23 @@
 
 package org.apache.cloudstack.backup.dao;
 
+import java.sql.PreparedStatement;
+import java.sql.SQLException;
 import java.util.Date;
 import java.util.List;
 
 import javax.annotation.PostConstruct;
-import javax.inject.Inject;
 
 import com.cloud.utils.DateUtil;
-import org.apache.cloudstack.api.response.BackupScheduleResponse;
-import org.apache.cloudstack.backup.BackupSchedule;
+import com.cloud.utils.db.DB;
+import com.cloud.utils.db.TransactionLegacy;
 import org.apache.cloudstack.backup.BackupScheduleVO;
 
 import com.cloud.utils.db.GenericDaoBase;
 import com.cloud.utils.db.SearchBuilder;
 import com.cloud.utils.db.SearchCriteria;
-import com.cloud.vm.VMInstanceVO;
-import com.cloud.vm.dao.VMInstanceDao;
 
 public class BackupScheduleDaoImpl extends GenericDaoBase<BackupScheduleVO, Long> implements BackupScheduleDao {
-
-    @Inject
-    VMInstanceDao vmInstanceDao;
-
     private SearchBuilder<BackupScheduleVO> backupScheduleSearch;
     private SearchBuilder<BackupScheduleVO> executableSchedulesSearch;
 
@@ -59,13 +54,6 @@ protected void init() {
         executableSchedulesSearch.done();
     }
 
-    @Override
-    public BackupScheduleVO findByVM(Long vmId) {
-        SearchCriteria<BackupScheduleVO> sc = backupScheduleSearch.create();
-        sc.setParameters("vm_id", vmId);
-        return findOneBy(sc);
-    }
-
     @Override
     public List<BackupScheduleVO> listByVM(Long vmId) {
         SearchCriteria<BackupScheduleVO> sc = backupScheduleSearch.create();
@@ -88,21 +76,19 @@ public List<BackupScheduleVO> getSchedulesToExecute(Date currentTimestamp) {
         return listBy(sc);
     }
 
+    @DB
     @Override
-    public BackupScheduleResponse newBackupScheduleResponse(BackupSchedule schedule) {
-        VMInstanceVO vm = vmInstanceDao.findByIdIncludingRemoved(schedule.getVmId());
-        BackupScheduleResponse response = new BackupScheduleResponse();
-        response.setId(schedule.getUuid());
-        response.setVmId(vm.getUuid());
-        response.setVmName(vm.getHostName());
-        response.setIntervalType(schedule.getScheduleType());
-        response.setSchedule(schedule.getSchedule());
-        response.setTimezone(schedule.getTimezone());
-        response.setMaxBackups(schedule.getMaxBackups());
-        if (schedule.getQuiesceVM() != null) {
-            response.setQuiesceVM(schedule.getQuiesceVM());
+    public boolean remove(Long id) {
+        String sql = "UPDATE backups SET backup_schedule_id = NULL WHERE backup_schedule_id = ?";
+        TransactionLegacy transaction = TransactionLegacy.currentTxn();
+        try {
+            PreparedStatement preparedStatement = transaction.prepareAutoCloseStatement(sql);
+            preparedStatement.setLong(1, id);
+            preparedStatement.executeUpdate();
+            return super.remove(id);
+        } catch (SQLException e) {
+            logger.warn("Unable to clean up backup schedules references from the backups table.", e);
+            return false;
         }
-        response.setObjectName("backupschedule");
-        return response;
     }
 }
diff --git a/engine/schema/src/main/java/org/apache/cloudstack/storage/datastore/db/SnapshotDataStoreDao.java b/engine/schema/src/main/java/org/apache/cloudstack/storage/datastore/db/SnapshotDataStoreDao.java
index 6aeee1ad1ccd..3329983d711e 100644
--- a/engine/schema/src/main/java/org/apache/cloudstack/storage/datastore/db/SnapshotDataStoreDao.java
+++ b/engine/schema/src/main/java/org/apache/cloudstack/storage/datastore/db/SnapshotDataStoreDao.java
@@ -51,6 +51,8 @@ public interface SnapshotDataStoreDao extends GenericDao<SnapshotDataStoreVO, Lo
 
     SnapshotDataStoreVO findBySnapshotIdAndDataStoreRoleAndState(long snapshotId, DataStoreRole role, ObjectInDataStoreStateMachine.State state);
 
+    List<SnapshotDataStoreVO> listBySnapshotIdAndDataStoreRoleAndStateIn(long snapshotId, DataStoreRole role, ObjectInDataStoreStateMachine.State... state);
+
     List<SnapshotDataStoreVO> listReadyByVolumeIdAndCheckpointPathNotNull(long volumeId);
 
     SnapshotDataStoreVO findOneBySnapshotId(long snapshotId, long zoneId);
diff --git a/engine/schema/src/main/java/org/apache/cloudstack/storage/datastore/db/SnapshotDataStoreDaoImpl.java b/engine/schema/src/main/java/org/apache/cloudstack/storage/datastore/db/SnapshotDataStoreDaoImpl.java
index cdf903407c17..8b7a2b78de7e 100644
--- a/engine/schema/src/main/java/org/apache/cloudstack/storage/datastore/db/SnapshotDataStoreDaoImpl.java
+++ b/engine/schema/src/main/java/org/apache/cloudstack/storage/datastore/db/SnapshotDataStoreDaoImpl.java
@@ -67,7 +67,8 @@ public class SnapshotDataStoreDaoImpl extends GenericDaoBase<SnapshotDataStoreVO
     private SearchBuilder<SnapshotDataStoreVO> searchFilteringStoreIdEqStoreRoleEqStateNeqRefCntNeq;
     protected SearchBuilder<SnapshotDataStoreVO> searchFilteringStoreIdEqStateEqStoreRoleEqIdEqUpdateCountEqSnapshotIdEqVolumeIdEq;
     private SearchBuilder<SnapshotDataStoreVO> stateSearch;
-    private SearchBuilder<SnapshotDataStoreVO> idStateNeqSearch;
+    private SearchBuilder<SnapshotDataStoreVO> idStateNinSearch;
+    private SearchBuilder<SnapshotDataStoreVO> idEqRoleEqStateInSearch;
     protected SearchBuilder<SnapshotVO> snapshotVOSearch;
     private SearchBuilder<SnapshotDataStoreVO> snapshotCreatedSearch;
     private SearchBuilder<SnapshotDataStoreVO> dataStoreAndInstallPathSearch;
@@ -146,10 +147,15 @@ public boolean configure(String name, Map<String, Object> params) throws Configu
         stateSearch.done();
 
 
-        idStateNeqSearch = createSearchBuilder();
-        idStateNeqSearch.and(SNAPSHOT_ID, idStateNeqSearch.entity().getSnapshotId(), SearchCriteria.Op.EQ);
-        idStateNeqSearch.and(STATE, idStateNeqSearch.entity().getState(), SearchCriteria.Op.NEQ);
-        idStateNeqSearch.done();
+        idStateNinSearch = createSearchBuilder();
+        idStateNinSearch.and(SNAPSHOT_ID, idStateNinSearch.entity().getSnapshotId(), SearchCriteria.Op.EQ);
+        idStateNinSearch.and(STATE, idStateNinSearch.entity().getState(), SearchCriteria.Op.NOTIN);
+        idStateNinSearch.done();
+
+        idEqRoleEqStateInSearch = createSearchBuilder();
+        idEqRoleEqStateInSearch.and(SNAPSHOT_ID, idEqRoleEqStateInSearch.entity().getSnapshotId(), SearchCriteria.Op.EQ);
+        idEqRoleEqStateInSearch.and(STORE_ROLE, idEqRoleEqStateInSearch.entity().getRole(), SearchCriteria.Op.EQ);
+        idEqRoleEqStateInSearch.and(STATE, idEqRoleEqStateInSearch.entity().getState(), SearchCriteria.Op.IN);
 
         snapshotVOSearch = snapshotDao.createSearchBuilder();
         snapshotVOSearch.and(VOLUME_ID, snapshotVOSearch.entity().getVolumeId(), SearchCriteria.Op.EQ);
@@ -387,6 +393,15 @@ public SnapshotDataStoreVO findBySnapshotIdAndDataStoreRoleAndState(long snapsho
         return findOneBy(sc);
     }
 
+    @Override
+    public List<SnapshotDataStoreVO> listBySnapshotIdAndDataStoreRoleAndStateIn(long snapshotId, DataStoreRole role, State... state) {
+        SearchCriteria<SnapshotDataStoreVO> sc = idEqRoleEqStateInSearch.create();
+        sc.setParameters(SNAPSHOT_ID, snapshotId);
+        sc.setParameters(STORE_ROLE, role);
+        sc.setParameters(STATE, (Object[])state);
+        return listBy(sc);
+    }
+
     @Override
     public SnapshotDataStoreVO findOneBySnapshotId(long snapshotId, long zoneId) {
         try (TransactionLegacy transactionLegacy = TransactionLegacy.currentTxn()) {
@@ -480,7 +495,7 @@ public List<SnapshotDataStoreVO> findBySnapshotId(long snapshotId) {
 
     @Override
     public List<SnapshotDataStoreVO> findBySnapshotIdWithNonDestroyedState(long snapshotId) {
-        SearchCriteria<SnapshotDataStoreVO> sc = idStateNeqSearch.create();
+        SearchCriteria<SnapshotDataStoreVO> sc = idStateNinSearch.create();
         sc.setParameters(SNAPSHOT_ID, snapshotId);
         sc.setParameters(STATE, State.Destroyed.name());
         return listBy(sc);
@@ -488,7 +503,7 @@ public List<SnapshotDataStoreVO> findBySnapshotIdWithNonDestroyedState(long snap
 
     @Override
     public List<SnapshotDataStoreVO> findBySnapshotIdAndNotInDestroyedHiddenState(long snapshotId) {
-        SearchCriteria<SnapshotDataStoreVO> sc = idStateNeqSearch.create();
+        SearchCriteria<SnapshotDataStoreVO> sc = idStateNinSearch.create();
         sc.setParameters(SNAPSHOT_ID, snapshotId);
         sc.setParameters(STATE, State.Destroyed.name(), State.Hidden.name());
         return listBy(sc);
diff --git a/engine/schema/src/main/resources/META-INF/cloudstack/core/spring-engine-schema-core-common-daos-between-management-and-usage-context.xml b/engine/schema/src/main/resources/META-INF/cloudstack/core/spring-engine-schema-core-common-daos-between-management-and-usage-context.xml
index 1846c3c62a0e..2c6869bd81e3 100644
--- a/engine/schema/src/main/resources/META-INF/cloudstack/core/spring-engine-schema-core-common-daos-between-management-and-usage-context.xml
+++ b/engine/schema/src/main/resources/META-INF/cloudstack/core/spring-engine-schema-core-common-daos-between-management-and-usage-context.xml
@@ -73,5 +73,7 @@
 	<bean id="volumeDaoImpl" class="com.cloud.storage.dao.VolumeDaoImpl" />
   	<bean id="reservationDao" class="org.apache.cloudstack.reservation.dao.ReservationDaoImpl" />
     <bean id="backupOfferingDaoImpl" class="org.apache.cloudstack.backup.dao.BackupOfferingDaoImpl" />
+	<bean id="vpcOfferingDaoImpl" class="com.cloud.network.vpc.dao.VpcOfferingDaoImpl" />
+	<bean id="vpcOfferingDetailsDaoImpl" class="com.cloud.network.vpc.dao.VpcOfferingDetailsDaoImpl"/>
     <bean id="backupOfferingDetailsDaoImpl" class="org.apache.cloudstack.backup.dao.BackupOfferingDetailsDaoImpl" />
 </beans>
diff --git a/engine/schema/src/main/resources/META-INF/cloudstack/core/spring-engine-schema-core-daos-context.xml b/engine/schema/src/main/resources/META-INF/cloudstack/core/spring-engine-schema-core-daos-context.xml
index edc14d9fa0cc..ad3722577c27 100644
--- a/engine/schema/src/main/resources/META-INF/cloudstack/core/spring-engine-schema-core-daos-context.xml
+++ b/engine/schema/src/main/resources/META-INF/cloudstack/core/spring-engine-schema-core-daos-context.xml
@@ -236,13 +236,11 @@
   <bean id="volumeStatsDaoImpl" class="com.cloud.storage.dao.VolumeStatsDaoImpl" />
   <bean id="vpcDaoImpl" class="com.cloud.network.vpc.dao.VpcDaoImpl" />
   <bean id="vpcGatewayDaoImpl" class="com.cloud.network.vpc.dao.VpcGatewayDaoImpl" />
-  <bean id="vpcOfferingDaoImpl" class="com.cloud.network.vpc.dao.VpcOfferingDaoImpl" />
   <bean id="vpcOfferingJoinDaoImpl" class="com.cloud.api.query.dao.VpcOfferingJoinDaoImpl" />
   <bean id="vpcOfferingServiceMapDaoImpl" class="com.cloud.network.vpc.dao.VpcOfferingServiceMapDaoImpl" />
   <bean id="vpcServiceMapDaoImpl" class="com.cloud.network.vpc.dao.VpcServiceMapDaoImpl" />
   <bean id="vpnUserDaoImpl" class="com.cloud.network.dao.VpnUserDaoImpl" />
   <bean id="applicationLbRuleDaoImpl" class="org.apache.cloudstack.lb.dao.ApplicationLoadBalancerRuleDaoImpl" />
-  <bean id="vpcOfferingDetailsDaoImpl" class="com.cloud.network.vpc.dao.VpcOfferingDetailsDaoImpl"/>
   <bean id="networkDetailsDaoImpl" class="com.cloud.network.dao.NetworkDetailsDaoImpl" />
   <bean id="tungstenGuestNetworkIpAddressDaoImpl" class="com.cloud.network.dao.TungstenGuestNetworkIpAddressDaoImpl"/>
   <bean id="tungstenSecurityGroupRuleDaoImpl" class="com.cloud.network.security.dao.TungstenSecurityGroupRuleDaoImpl"/>
diff --git a/engine/schema/src/main/resources/META-INF/db/schema-42000to42010.sql b/engine/schema/src/main/resources/META-INF/db/schema-42000to42010.sql
index 3dd6c18f57c5..4405250f2711 100644
--- a/engine/schema/src/main/resources/META-INF/db/schema-42000to42010.sql
+++ b/engine/schema/src/main/resources/META-INF/db/schema-42000to42010.sql
@@ -31,7 +31,7 @@ CALL `cloud`.`IDEMPOTENT_ADD_COLUMN`('cloud.account', 'api_key_access', 'boolean
 CALL `cloud_usage`.`IDEMPOTENT_ADD_COLUMN`('cloud_usage.account', 'api_key_access', 'boolean DEFAULT NULL COMMENT "is api key access allowed for the account" ');
 
 -- Create a new group for Usage Server related configurations
-INSERT INTO `cloud`.`configuration_group` (`name`, `description`, `precedence`) VALUES ('Usage Server', 'Usage Server related configuration', 9);
+INSERT IGNORE INTO `cloud`.`configuration_group` (`name`, `description`, `precedence`) VALUES ('Usage Server', 'Usage Server related configuration', 9);
 UPDATE `cloud`.`configuration_subgroup` set `group_id` = (SELECT `id` FROM `cloud`.`configuration_group` WHERE `name` = 'Usage Server'), `precedence` = 1 WHERE `name`='Usage';
 UPDATE `cloud`.`configuration` SET `group_id` = (SELECT `id` FROM `cloud`.`configuration_group` WHERE `name` = 'Usage Server') where `subgroup_id` = (SELECT `id` FROM `cloud`.`configuration_subgroup` WHERE `name` = 'Usage');
 
diff --git a/engine/schema/src/main/resources/META-INF/db/schema-42010to42100.sql b/engine/schema/src/main/resources/META-INF/db/schema-42010to42100.sql
index 4c65f37e0fe0..000b54b72078 100644
--- a/engine/schema/src/main/resources/META-INF/db/schema-42010to42100.sql
+++ b/engine/schema/src/main/resources/META-INF/db/schema-42010to42100.sql
@@ -687,22 +687,23 @@ CREATE TABLE IF NOT EXISTS `cloud`.`backup_details` (
 UPDATE `cloud`.`backups` b
 INNER JOIN `cloud`.`vm_instance` vm ON b.vm_id = vm.id
 SET b.backed_volumes = (
-    SELECT CONCAT("[",
-        GROUP_CONCAT(
-            CONCAT(
-                "{\"uuid\":\"", v.uuid, "\",",
-                "\"type\":\"", v.volume_type, "\",",
-                "\"size\":", v.`size`, ",",
-                "\"path\":\"", IFNULL(v.path, 'null'), "\",",
-                "\"deviceId\":", IFNULL(v.device_id, 'null'), ",",
-                "\"diskOfferingId\":\"", doff.uuid, "\",",
-                "\"minIops\":", IFNULL(v.min_iops, 'null'), ",",
-                "\"maxIops\":", IFNULL(v.max_iops, 'null'),
-                "}"
-            )
-            SEPARATOR ","
+    SELECT COALESCE(
+        CAST(
+            JSON_ARRAYAGG(
+                JSON_OBJECT(
+                     'uuid', v.uuid,
+                     'type', v.volume_type,
+                     'size', v.size,
+                     'path', v.path,
+                     'deviceId', v.device_id,
+                     'diskOfferingId', doff.uuid,
+                     'minIops', v.min_iops,
+                     'maxIops', v.max_iops
+                )
+            ) AS CHAR
         ),
-    "]")
+        '[]'
+    )
     FROM `cloud`.`volumes` v
     LEFT JOIN `cloud`.`disk_offering` doff ON v.disk_offering_id = doff.id
     WHERE v.instance_id = vm.id
@@ -711,22 +712,23 @@ SET b.backed_volumes = (
 -- Add diskOfferingId, deviceId, minIops and maxIops to backup_volumes in vm_instance table
 UPDATE `cloud`.`vm_instance` vm
 SET vm.backup_volumes = (
-    SELECT CONCAT("[",
-        GROUP_CONCAT(
-            CONCAT(
-                "{\"uuid\":\"", v.uuid, "\",",
-                "\"type\":\"", v.volume_type, "\",",
-                "\"size\":", v.`size`, ",",
-                "\"path\":\"", IFNULL(v.path, 'null'), "\",",
-                "\"deviceId\":", IFNULL(v.device_id, 'null'), ",",
-                "\"diskOfferingId\":\"", doff.uuid, "\",",
-                "\"minIops\":", IFNULL(v.min_iops, 'null'), ",",
-                "\"maxIops\":", IFNULL(v.max_iops, 'null'),
-                "}"
-            )
-            SEPARATOR ","
+    SELECT COALESCE(
+        CAST(
+            JSON_ARRAYAGG(
+                JSON_OBJECT(
+                     'uuid', v.uuid,
+                     'type', v.volume_type,
+                     'size', v.size,
+                     'path', v.path,
+                     'deviceId', v.device_id,
+                     'diskOfferingId', doff.uuid,
+                     'minIops', v.min_iops,
+                     'maxIops', v.max_iops
+                )
+            ) AS CHAR
         ),
-    "]")
+        '[]'
+    )
     FROM `cloud`.`volumes` v
     LEFT JOIN `cloud`.`disk_offering` doff ON v.disk_offering_id = doff.id
     WHERE v.instance_id = vm.id
diff --git a/engine/schema/src/main/resources/META-INF/db/schema-42200to42210-cleanup.sql b/engine/schema/src/main/resources/META-INF/db/schema-42200to42210-cleanup.sql
index 54baf226ac43..2f104568c140 100644
--- a/engine/schema/src/main/resources/META-INF/db/schema-42200to42210-cleanup.sql
+++ b/engine/schema/src/main/resources/META-INF/db/schema-42200to42210-cleanup.sql
@@ -18,3 +18,9 @@
 --;
 -- Schema upgrade cleanup from 4.22.0.0 to 4.22.1.0
 --;
+
+-- Entries remaining on `cloud`.`resource_reservation` during the upgrade process are stale, so delete them.
+-- This script was added to normalize volume/primary storage reservations that got stuck due to a bug on VM deployment,
+-- but it is more interesting to introduce a smarter logic to clean these stale reservations in the future without the need
+-- for upgrades (for instance, by having a heartbeat_time column for the reservations and automatically cleaning old entries).
+DELETE FROM `cloud`.`resource_reservation`;
diff --git a/engine/schema/src/main/resources/META-INF/db/schema-42200to42210.sql b/engine/schema/src/main/resources/META-INF/db/schema-42200to42210.sql
index a8a3d3f7bd4f..baa20e9f0ad5 100644
--- a/engine/schema/src/main/resources/META-INF/db/schema-42200to42210.sql
+++ b/engine/schema/src/main/resources/META-INF/db/schema-42200to42210.sql
@@ -33,3 +33,29 @@ UPDATE `cloud`.`alert` SET type = 34 WHERE name = 'ALERT.VR.PRIVATE.IFACE.MTU';
 
 -- Update configuration 'kvm.ssh.to.agent' description and is_dynamic fields
 UPDATE `cloud`.`configuration` SET description = 'True if the management server will restart the agent service via SSH into the KVM hosts after or during maintenance operations', is_dynamic = 1 WHERE name = 'kvm.ssh.to.agent';
+
+-- Sanitize legacy network-level addressing fields for Public networks
+UPDATE `cloud`.`networks`
+SET `broadcast_uri` = NULL,
+	`gateway` = NULL,
+	`cidr` = NULL,
+	`ip6_gateway` = NULL,
+	`ip6_cidr` = NULL
+WHERE `traffic_type` = 'Public';
+
+UPDATE `cloud`.`vm_template` SET guest_os_id = 99 WHERE name = 'kvm-default-vm-import-dummy-template';
+
+-- Update existing vm_template records with NULL type to "USER"
+UPDATE `cloud`.`vm_template` SET `type` = 'USER' WHERE `type` IS NULL;
+
+-- remove unused config item
+DELETE FROM `cloud`.`configuration` WHERE name = 'consoleproxy.cmd.port';
+
+-- Drops the unused "backup_interval_type" column of the "cloud.backups" table
+ALTER TABLE `cloud`.`backups` DROP COLUMN `backup_interval_type`;
+
+-- Update `user.password.reset.mail.template` configuration value to match new logic
+UPDATE `cloud`.`configuration`
+SET value = CONCAT_WS('\n', 'Hello {{username}}!', 'You have requested to reset your password. Please click the following link to reset your password:', '{{{resetLink}}}', 'If you did not request a password reset, please ignore this email.', '', 'Regards,', 'The CloudStack Team')
+WHERE name = 'user.password.reset.mail.template'
+  AND value IN (CONCAT_WS('\n', 'Hello {{username}}!', 'You have requested to reset your password. Please click the following link to reset your password:', 'http://{{{resetLink}}}', 'If you did not request a password reset, please ignore this email.', '', 'Regards,', 'The CloudStack Team'), CONCAT_WS('\n', 'Hello {{username}}!', 'You have requested to reset your password. Please click the following link to reset your password:', '{{{domainUrl}}}{{{resetLink}}}', 'If you did not request a password reset, please ignore this email.', '', 'Regards,', 'The CloudStack Team'));
diff --git a/engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql b/engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql
index d69b524b85d9..dfa5fa8f3a14 100644
--- a/engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql
+++ b/engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql
@@ -114,3 +114,38 @@ CALL `cloud`.`IDEMPOTENT_UPDATE_API_PERMISSION`('Resource Admin', 'deleteUserKey
 
 -- Add conserve mode for VPC offerings
 CALL `cloud`.`IDEMPOTENT_ADD_COLUMN`('cloud.vpc_offerings','conserve_mode', 'tinyint(1) unsigned NULL DEFAULT 0 COMMENT ''True if the VPC offering is IP conserve mode enabled, allowing public IP services to be used across multiple VPC tiers'' ');
+
+--- Disable/enable NICs
+CALL `cloud`.`IDEMPOTENT_ADD_COLUMN`('cloud.nics','enabled', 'TINYINT(1) NOT NULL DEFAULT 1 COMMENT ''Indicates whether the NIC is enabled or not'' ');
+
+--- Quota tariff/usage mapping
+CREATE TABLE IF NOT EXISTS `cloud_usage`.`quota_tariff_usage` (
+    `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT,
+    `tariff_id` bigint(20) unsigned NOT NULL COMMENT 'ID of the tariff of the Quota usage detail calculated, foreign key to quota_tariff table',
+    `quota_usage_id` bigint(20) unsigned NOT NULL COMMENT 'ID of the aggregation of Quota usage details, foreign key to quota_usage table',
+    `quota_used` decimal(20,8) NOT NULL COMMENT 'Amount of quota used',
+    PRIMARY KEY (`id`),
+    CONSTRAINT `fk_quota_tariff_usage__tariff_id` FOREIGN KEY (`tariff_id`) REFERENCES `cloud_usage`.`quota_tariff` (`id`),
+    CONSTRAINT `fk_quota_tariff_usage__quota_usage_id` FOREIGN KEY (`quota_usage_id`) REFERENCES `cloud_usage`.`quota_usage` (`id`));
+
+-- Add the 'keep_mac_address_on_public_nic' column to the 'cloud.networks' and 'cloud.vpc' tables
+CALL `cloud`.`IDEMPOTENT_ADD_COLUMN`('cloud.networks', 'keep_mac_address_on_public_nic', 'TINYINT(1) NOT NULL DEFAULT 1');
+CALL `cloud`.`IDEMPOTENT_ADD_COLUMN`('cloud.vpc', 'keep_mac_address_on_public_nic', 'TINYINT(1) NOT NULL DEFAULT 1');
+
+-- Creates the 'kvm.memory.dynamic.scaling.capacity' and, for already active ACS environments,
+-- initializes it with the value of the setting 'vm.serviceoffering.ram.size.max'
+INSERT INTO `cloud`.`configuration` (`category`, `instance`, `component`, `name`, `value`, `default_value`, `updated`, `scope`, `is_dynamic`, `group_id`, `subgroup_id`, `display_text`, `description`)
+SELECT 'Advanced', 'DEFAULT', 'CapacityManager', 'kvm.memory.dynamic.scaling.capacity', `cfg`.`value`, 0, NULL, 4, 1, 6, 27,
+       'KVM memory dynamic scaling capacity', 'Defines the maximum memory capacity in MiB for which VMs can be dynamically scaled to with KVM. The ''kvm.memory.dynamic.scaling.capacity'' setting''s value will be used to define the value of the ''<maxMemory />'' element of domain XMLs. If it is set to a value less than or equal to ''0'', then the host''s memory capacity will be considered.'
+FROM `cloud`.`configuration` `cfg`
+WHERE NOT EXISTS (SELECT 1 FROM `cloud`.`configuration` WHERE `name` = 'kvm.memory.dynamic.scaling.capacity')
+  AND `cfg`.`name` = 'vm.serviceoffering.ram.size.max';
+
+-- Creates the 'kvm.cpu.dynamic.scaling.capacity' and, for already active ACS environments,
+-- initializes it with the value of the setting 'vm.serviceoffering.cpu.cores.max'
+INSERT INTO `cloud`.`configuration` (`category`, `instance`, `component`, `name`, `value`, `default_value`, `updated`, `scope`, `is_dynamic`, `group_id`, `subgroup_id`, `display_text`, `description`)
+SELECT 'Advanced', 'DEFAULT', 'CapacityManager', 'kvm.cpu.dynamic.scaling.capacity', `cfg`.`value`, 0, NULL, 4, 1, 6, 27,
+       'KVM CPU dynamic scaling capacity', 'Defines the maximum vCPU capacity for which VMs can be dynamically scaled to with KVM. The ''kvm.cpu.dynamic.scaling.capacity'' setting''s value will be used to define the value of the ''<vcpu />'' element of domain XMLs. If it is set to a value less than or equal to ''0'', then the host''s CPU cores capacity will be considered.'
+FROM `cloud`.`configuration` `cfg`
+WHERE NOT EXISTS (SELECT 1 FROM `cloud`.`configuration` WHERE `name` = 'kvm.cpu.dynamic.scaling.capacity')
+  AND `cfg`.`name` = 'vm.serviceoffering.cpu.cores.max';
diff --git a/engine/schema/src/main/resources/META-INF/db/views/cloud.domain_router_view.sql b/engine/schema/src/main/resources/META-INF/db/views/cloud.domain_router_view.sql
index a12e02bcfdb8..d5f17606cb41 100644
--- a/engine/schema/src/main/resources/META-INF/db/views/cloud.domain_router_view.sql
+++ b/engine/schema/src/main/resources/META-INF/db/views/cloud.domain_router_view.sql
@@ -76,6 +76,7 @@ select
     nics.broadcast_uri broadcast_uri,
     nics.isolation_uri isolation_uri,
     nics.mtu mtu,
+    nics.enabled is_nic_enabled,
     vpc.id vpc_id,
     vpc.uuid vpc_uuid,
     vpc.name vpc_name,
diff --git a/engine/schema/src/main/resources/META-INF/db/views/cloud.user_vm_view.sql b/engine/schema/src/main/resources/META-INF/db/views/cloud.user_vm_view.sql
index 94bc8640fd54..c169cbce2170 100644
--- a/engine/schema/src/main/resources/META-INF/db/views/cloud.user_vm_view.sql
+++ b/engine/schema/src/main/resources/META-INF/db/views/cloud.user_vm_view.sql
@@ -79,6 +79,7 @@ SELECT
     `vm_template`.`format` AS `template_format`,
     `vm_template`.`display_text` AS `template_display_text`,
     `vm_template`.`enable_password` AS `password_enabled`,
+    `vm_template`.`extension_id` AS `template_extension_id`,
     `iso`.`id` AS `iso_id`,
     `iso`.`uuid` AS `iso_uuid`,
     `iso`.`name` AS `iso_name`,
@@ -141,6 +142,7 @@ SELECT
     `nics`.`mac_address` AS `mac_address`,
     `nics`.`broadcast_uri` AS `broadcast_uri`,
     `nics`.`isolation_uri` AS `isolation_uri`,
+    `nics`.`enabled` AS `is_nic_enabled`,
     `vpc`.`id` AS `vpc_id`,
     `vpc`.`uuid` AS `vpc_uuid`,
     `networks`.`uuid` AS `network_uuid`,
diff --git a/engine/schema/src/main/resources/META-INF/db/views/cloud_usage.quota_summary_view.sql b/engine/schema/src/main/resources/META-INF/db/views/cloud_usage.quota_summary_view.sql
new file mode 100644
index 000000000000..0646c3b6f919
--- /dev/null
+++ b/engine/schema/src/main/resources/META-INF/db/views/cloud_usage.quota_summary_view.sql
@@ -0,0 +1,48 @@
+-- Licensed to the Apache Software Foundation (ASF) under one
+-- or more contributor license agreements.  See the NOTICE file
+-- distributed with this work for additional information
+-- regarding copyright ownership.  The ASF licenses this file
+-- to you under the Apache License, Version 2.0 (the
+-- "License"); you may not use this file except in compliance
+-- with the License.  You may obtain a copy of the License at
+--
+--   http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing,
+-- software distributed under the License is distributed on an
+-- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+-- KIND, either express or implied.  See the License for the
+-- specific language governing permissions and limitations
+-- under the License.
+
+-- cloud_usage.quota_summary_view source
+
+-- Create view for quota summary
+DROP VIEW IF EXISTS `cloud_usage`.`quota_summary_view`;
+CREATE VIEW `cloud_usage`.`quota_summary_view` AS
+SELECT
+    cloud_usage.quota_account.account_id AS account_id,
+    cloud_usage.quota_account.quota_balance AS quota_balance,
+    cloud_usage.quota_account.quota_balance_date AS quota_balance_date,
+    cloud_usage.quota_account.quota_enforce AS quota_enforce,
+    cloud_usage.quota_account.quota_min_balance AS quota_min_balance,
+    cloud_usage.quota_account.quota_alert_date AS quota_alert_date,
+    cloud_usage.quota_account.quota_alert_type AS quota_alert_type,
+    cloud_usage.quota_account.last_statement_date AS last_statement_date,
+    cloud.account.uuid AS account_uuid,
+    cloud.account.account_name AS account_name,
+    cloud.account.state AS account_state,
+    cloud.account.removed AS account_removed,
+    cloud.domain.id AS domain_id,
+    cloud.domain.uuid AS domain_uuid,
+    cloud.domain.name AS domain_name,
+    cloud.domain.path AS domain_path,
+    cloud.domain.removed AS domain_removed,
+    cloud.projects.uuid AS project_uuid,
+    cloud.projects.name AS project_name,
+    cloud.projects.removed AS project_removed
+FROM
+    cloud_usage.quota_account
+        INNER JOIN cloud.account ON (cloud.account.id = cloud_usage.quota_account.account_id)
+        INNER JOIN cloud.domain ON (cloud.domain.id = cloud.account.domain_id)
+        LEFT JOIN cloud.projects ON (cloud.account.type = 5 AND cloud.account.id = cloud.projects.project_account_id);
diff --git a/engine/schema/src/main/resources/META-INF/db/views/cloud_usage.quota_usage_view.sql b/engine/schema/src/main/resources/META-INF/db/views/cloud_usage.quota_usage_view.sql
new file mode 100644
index 000000000000..7ac001384e8e
--- /dev/null
+++ b/engine/schema/src/main/resources/META-INF/db/views/cloud_usage.quota_usage_view.sql
@@ -0,0 +1,35 @@
+-- Licensed to the Apache Software Foundation (ASF) under one
+-- or more contributor license agreements.  See the NOTICE file
+-- distributed with this work for additional information
+-- regarding copyright ownership.  The ASF licenses this file
+-- to you under the Apache License, Version 2.0 (the
+-- "License"); you may not use this file except in compliance
+-- with the License.  You may obtain a copy of the License at
+--
+--   http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing,
+-- software distributed under the License is distributed on an
+-- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+-- KIND, either express or implied.  See the License for the
+-- specific language governing permissions and limitations
+-- under the License.
+
+-- VIEW `cloud_usage`.`quota_usage_view`;
+
+DROP VIEW IF EXISTS `cloud_usage`.`quota_usage_view`;
+CREATE VIEW `cloud_usage`.`quota_usage_view` AS
+SELECT  qu.id,
+        qu.usage_item_id,
+        qu.zone_id,
+        qu.account_id,
+        qu.domain_id,
+        qu.usage_type,
+        qu.quota_used,
+        qu.start_date,
+        qu.end_date,
+        cu.usage_id AS resource_id,
+        cu.network_id as network_id,
+        cu.offering_id as offering_id
+FROM    `cloud_usage`.`quota_usage` qu
+INNER   JOIN `cloud_usage`.`cloud_usage` cu ON (cu.id = qu.usage_item_id);
diff --git a/engine/schema/src/test/java/com/cloud/upgrade/DatabaseUpgradeCheckerTest.java b/engine/schema/src/test/java/com/cloud/upgrade/DatabaseUpgradeCheckerTest.java
index 27995eb179af..ab64e4698f01 100644
--- a/engine/schema/src/test/java/com/cloud/upgrade/DatabaseUpgradeCheckerTest.java
+++ b/engine/schema/src/test/java/com/cloud/upgrade/DatabaseUpgradeCheckerTest.java
@@ -44,6 +44,7 @@
 import com.cloud.upgrade.dao.Upgrade41120to41200;
 import com.cloud.upgrade.dao.Upgrade41510to41520;
 import com.cloud.upgrade.dao.Upgrade41610to41700;
+import com.cloud.upgrade.dao.Upgrade42010to42100;
 import com.cloud.upgrade.dao.Upgrade452to453;
 import com.cloud.upgrade.dao.Upgrade453to460;
 import com.cloud.upgrade.dao.Upgrade460to461;
@@ -380,4 +381,23 @@ public void isNotStandalone() throws SQLException {
         assertFalse("DatabaseUpgradeChecker should not be a standalone component", checker.isStandalone());
     }
 
+    @Test
+    public void testCalculateUpgradePath42010to42100() {
+
+        final CloudStackVersion dbVersion = CloudStackVersion.parse("4.20.1.0");
+        assertNotNull(dbVersion);
+
+        final CloudStackVersion currentVersion = CloudStackVersion.parse("4.21.0.0");
+        assertNotNull(currentVersion);
+
+        final DatabaseUpgradeChecker checker = new DatabaseUpgradeChecker();
+        final DbUpgrade[] upgrades = checker.calculateUpgradePath(dbVersion, currentVersion);
+
+        assertNotNull(upgrades);
+        assertEquals(1, upgrades.length);
+        assertTrue(upgrades[0] instanceof Upgrade42010to42100);
+
+        assertArrayEquals(new String[]{"4.20.1.0", "4.21.0.0"}, upgrades[0].getUpgradableVersionRange());
+        assertEquals(currentVersion.toString(), upgrades[0].getUpgradedVersion());
+    }
 }
diff --git a/engine/schema/src/test/java/com/cloud/upgrade/SystemVmTemplateRegistrationTest.java b/engine/schema/src/test/java/com/cloud/upgrade/SystemVmTemplateRegistrationTest.java
index 8028e78c9073..51db952eb613 100644
--- a/engine/schema/src/test/java/com/cloud/upgrade/SystemVmTemplateRegistrationTest.java
+++ b/engine/schema/src/test/java/com/cloud/upgrade/SystemVmTemplateRegistrationTest.java
@@ -570,18 +570,19 @@ public void updateRegisteredTemplateDetails_UpdatesTemplateSuccessfully() {
         SystemVmTemplateRegistration.MetadataTemplateDetails templateDetails =
                 Mockito.mock(SystemVmTemplateRegistration.MetadataTemplateDetails.class);
         VMTemplateVO templateVO = Mockito.mock(VMTemplateVO.class);
+        String templateName = "templateName";
+        when(templateVO.getName()).thenReturn(templateName);
         GuestOSVO guestOS = Mockito.mock(GuestOSVO.class);
 
         when(templateDetails.getGuestOs()).thenReturn("Debian");
         when(templateDetails.getHypervisorType()).thenReturn(Hypervisor.HypervisorType.KVM);
-        when(templateDetails.getName()).thenReturn("templateName");
         when(vmTemplateDao.findById(templateId)).thenReturn(templateVO);
         when(guestOSDao.findOneByDisplayName("Debian")).thenReturn(guestOS);
         when(guestOS.getId()).thenReturn(10L);
         when(vmTemplateDao.update(templateVO.getId(), templateVO)).thenReturn(true);
         doNothing().when(systemVmTemplateRegistration).updateSystemVMEntries(templateId, Hypervisor.HypervisorType.KVM);
         doNothing().when(systemVmTemplateRegistration).updateConfigurationParams(Hypervisor.HypervisorType.KVM,
-                "templateName", zoneId);
+                templateName, zoneId);
 
         systemVmTemplateRegistration.updateRegisteredTemplateDetails(templateId, templateDetails, zoneId);
 
@@ -590,7 +591,7 @@ public void updateRegisteredTemplateDetails_UpdatesTemplateSuccessfully() {
         verify(vmTemplateDao).update(templateVO.getId(), templateVO);
         verify(systemVmTemplateRegistration).updateSystemVMEntries(templateId, Hypervisor.HypervisorType.KVM);
         verify(systemVmTemplateRegistration).updateConfigurationParams(Hypervisor.HypervisorType.KVM,
-                "templateName", zoneId);
+                templateName, zoneId);
     }
 
     @Test
@@ -620,16 +621,17 @@ public void updateRegisteredTemplateDetails_SkipsGuestOSUpdateWhenNotFound() {
         SystemVmTemplateRegistration.MetadataTemplateDetails templateDetails =
                 Mockito.mock(SystemVmTemplateRegistration.MetadataTemplateDetails.class);
         VMTemplateVO templateVO = Mockito.mock(VMTemplateVO.class);
+        String templateName = "templateName";
+        when(templateVO.getName()).thenReturn(templateName);
 
         when(templateDetails.getGuestOs()).thenReturn("NonExistentOS");
         when(templateDetails.getHypervisorType()).thenReturn(Hypervisor.HypervisorType.KVM);
-        when(templateDetails.getName()).thenReturn("templateName");
         when(vmTemplateDao.findById(templateId)).thenReturn(templateVO);
         when(guestOSDao.findOneByDisplayName("NonExistentOS")).thenReturn(null);
         when(vmTemplateDao.update(templateVO.getId(), templateVO)).thenReturn(true);
         doNothing().when(systemVmTemplateRegistration).updateSystemVMEntries(templateId, Hypervisor.HypervisorType.KVM);
         doNothing().when(systemVmTemplateRegistration).updateConfigurationParams(Hypervisor.HypervisorType.KVM,
-                "templateName", zoneId);
+                templateName, zoneId);
 
         systemVmTemplateRegistration.updateRegisteredTemplateDetails(templateId, templateDetails, zoneId);
 
@@ -637,7 +639,7 @@ public void updateRegisteredTemplateDetails_SkipsGuestOSUpdateWhenNotFound() {
         verify(vmTemplateDao).update(templateVO.getId(), templateVO);
         verify(systemVmTemplateRegistration).updateSystemVMEntries(templateId, Hypervisor.HypervisorType.KVM);
         verify(systemVmTemplateRegistration).updateConfigurationParams(Hypervisor.HypervisorType.KVM,
-                "templateName", zoneId);
+                templateName, zoneId);
     }
 
     @Test
diff --git a/engine/storage/datamotion/src/main/java/org/apache/cloudstack/storage/motion/StorageSystemDataMotionStrategy.java b/engine/storage/datamotion/src/main/java/org/apache/cloudstack/storage/motion/StorageSystemDataMotionStrategy.java
index 275f41de43a2..bcade3a371c4 100644
--- a/engine/storage/datamotion/src/main/java/org/apache/cloudstack/storage/motion/StorageSystemDataMotionStrategy.java
+++ b/engine/storage/datamotion/src/main/java/org/apache/cloudstack/storage/motion/StorageSystemDataMotionStrategy.java
@@ -148,8 +148,8 @@
 import java.util.stream.Collectors;
 import org.apache.commons.collections.CollectionUtils;
 
-import static org.apache.cloudstack.vm.UnmanagedVMsManagerImpl.KVM_VM_IMPORT_DEFAULT_TEMPLATE_NAME;
-import static org.apache.cloudstack.vm.UnmanagedVMsManagerImpl.VM_IMPORT_DEFAULT_TEMPLATE_NAME;
+import static org.apache.cloudstack.vm.UnmanagedVMsManager.KVM_VM_IMPORT_DEFAULT_TEMPLATE_NAME;
+import static org.apache.cloudstack.vm.UnmanagedVMsManager.VM_IMPORT_DEFAULT_TEMPLATE_NAME;
 
 public class StorageSystemDataMotionStrategy implements DataMotionStrategy {
     protected Logger logger = LogManager.getLogger(getClass());
diff --git a/engine/storage/snapshot/src/main/java/org/apache/cloudstack/storage/snapshot/DefaultSnapshotStrategy.java b/engine/storage/snapshot/src/main/java/org/apache/cloudstack/storage/snapshot/DefaultSnapshotStrategy.java
index 7174336113b5..88f479c09045 100644
--- a/engine/storage/snapshot/src/main/java/org/apache/cloudstack/storage/snapshot/DefaultSnapshotStrategy.java
+++ b/engine/storage/snapshot/src/main/java/org/apache/cloudstack/storage/snapshot/DefaultSnapshotStrategy.java
@@ -120,7 +120,7 @@ public class DefaultSnapshotStrategy extends SnapshotStrategyBase {
     private final List<Snapshot.State> snapshotStatesAbleToDeleteSnapshot = Arrays.asList(Snapshot.State.Destroying, Snapshot.State.Destroyed, Snapshot.State.Error, Snapshot.State.Hidden);
 
     public SnapshotDataStoreVO getSnapshotImageStoreRef(long snapshotId, long zoneId) {
-        List<SnapshotDataStoreVO> snaps = snapshotStoreDao.listReadyBySnapshot(snapshotId, DataStoreRole.Image);
+        List<SnapshotDataStoreVO> snaps = snapshotStoreDao.listBySnapshotIdAndDataStoreRoleAndStateIn(snapshotId, DataStoreRole.Image, State.Ready, State.Hidden);
         for (SnapshotDataStoreVO ref : snaps) {
             if (zoneId == dataStoreMgr.getStoreZoneId(ref.getDataStoreId(), ref.getRole())) {
                 return ref;
diff --git a/engine/storage/snapshot/src/main/java/org/apache/cloudstack/storage/vmsnapshot/ScaleIOVMSnapshotStrategy.java b/engine/storage/snapshot/src/main/java/org/apache/cloudstack/storage/vmsnapshot/ScaleIOVMSnapshotStrategy.java
index 7199fce1d347..aced750bd320 100644
--- a/engine/storage/snapshot/src/main/java/org/apache/cloudstack/storage/vmsnapshot/ScaleIOVMSnapshotStrategy.java
+++ b/engine/storage/snapshot/src/main/java/org/apache/cloudstack/storage/vmsnapshot/ScaleIOVMSnapshotStrategy.java
@@ -40,6 +40,7 @@
 import org.apache.cloudstack.storage.datastore.util.ScaleIOUtil;
 import org.apache.cloudstack.storage.to.VolumeObjectTO;
 import org.apache.commons.collections.CollectionUtils;
+import org.apache.cloudstack.storage.datastore.api.Volume;
 
 import com.cloud.agent.api.VMSnapshotTO;
 import com.cloud.alert.AlertManager;
@@ -200,11 +201,35 @@ public VMSnapshot takeVMSnapshot(VMSnapshot vmSnapshot) {
                 if (volumeIds != null && !volumeIds.isEmpty()) {
                     List<VMSnapshotDetailsVO> vmSnapshotDetails = new ArrayList<VMSnapshotDetailsVO>();
                     vmSnapshotDetails.add(new VMSnapshotDetailsVO(vmSnapshot.getId(), "SnapshotGroupId", snapshotGroupId, false));
+                    Map<String, String> snapshotNameToSrcPathMap = new HashMap<>();
+                    for (Map.Entry<String, String> entry : srcVolumeDestSnapshotMap.entrySet()) {
+                        snapshotNameToSrcPathMap.put(entry.getValue(), entry.getKey());
+                    }
+
+                    for (String snapshotVolumeId : volumeIds) {
+                        // Use getVolume() to fetch snapshot volume details and get its name
+                        Volume snapshotVolume = client.getVolume(snapshotVolumeId);
+                        if (snapshotVolume == null) {
+                            throw new CloudRuntimeException("Cannot find snapshot volume with id: " + snapshotVolumeId);
+                        }
+                        String snapshotName = snapshotVolume.getName();
+
+                        // Match back to source volume path
+                        String srcVolumePath = snapshotNameToSrcPathMap.get(snapshotName);
+                        if (srcVolumePath == null) {
+                            throw new CloudRuntimeException("Cannot match snapshot " + snapshotName + " to a source volume");
+                        }
+
+                        // Find the matching VolumeObjectTO by path
+                        VolumeObjectTO matchedVolume = volumeTOs.stream()
+                            .filter(v -> ScaleIOUtil.getVolumePath(v.getPath()).equals(srcVolumePath))
+                            .findFirst()
+                            .orElseThrow(() -> new CloudRuntimeException("Cannot find source volume for path: " + srcVolumePath));
 
-                    for (int index = 0; index < volumeIds.size(); index++) {
-                        String volumeSnapshotName = srcVolumeDestSnapshotMap.get(ScaleIOUtil.getVolumePath(volumeTOs.get(index).getPath()));
-                        String pathWithScaleIOVolumeName = ScaleIOUtil.updatedPathWithVolumeName(volumeIds.get(index), volumeSnapshotName);
-                        vmSnapshotDetails.add(new VMSnapshotDetailsVO(vmSnapshot.getId(), "Vol_" + volumeTOs.get(index).getId() + "_Snapshot", pathWithScaleIOVolumeName, false));
+                        String pathWithScaleIOVolumeName = ScaleIOUtil.updatedPathWithVolumeName(snapshotVolumeId, snapshotName);
+                        vmSnapshotDetails.add(new VMSnapshotDetailsVO(vmSnapshot.getId(),
+                            "Vol_" + matchedVolume.getId() + "_Snapshot",
+                            pathWithScaleIOVolumeName, false));
                     }
 
                     vmSnapshotDetailsDao.saveDetails(vmSnapshotDetails);
diff --git a/engine/storage/snapshot/src/main/java/org/apache/cloudstack/storage/vmsnapshot/StorageVMSnapshotStrategy.java b/engine/storage/snapshot/src/main/java/org/apache/cloudstack/storage/vmsnapshot/StorageVMSnapshotStrategy.java
index e3f28a7012c2..31b13fc279e3 100644
--- a/engine/storage/snapshot/src/main/java/org/apache/cloudstack/storage/vmsnapshot/StorageVMSnapshotStrategy.java
+++ b/engine/storage/snapshot/src/main/java/org/apache/cloudstack/storage/vmsnapshot/StorageVMSnapshotStrategy.java
@@ -111,7 +111,7 @@ public VMSnapshot takeVMSnapshot(VMSnapshot vmSnapshot) {
         FreezeThawVMAnswer freezeAnswer = null;
         FreezeThawVMCommand thawCmd = null;
         FreezeThawVMAnswer thawAnswer = null;
-        List<SnapshotInfo> forRollback = new ArrayList<>();
+        List<SnapshotInfo> snapshotsForRollback = new ArrayList<>();
         long startFreeze = 0;
         try {
             vmSnapshotHelper.vmSnapshotStateTransitTo(vmSnapshotVO, VMSnapshot.Event.CreateRequested);
@@ -165,7 +165,7 @@ public VMSnapshot takeVMSnapshot(VMSnapshot vmSnapshot) {
                 logger.info("The virtual machine is frozen");
                 for (VolumeInfo vol : vinfos) {
                     long startSnapshtot = System.nanoTime();
-                    SnapshotInfo snapInfo = createDiskSnapshot(vmSnapshot, forRollback, vol);
+                    SnapshotInfo snapInfo = createDiskSnapshot(vmSnapshot, snapshotsForRollback, vol);
 
                     if (snapInfo == null) {
                         thawAnswer = (FreezeThawVMAnswer) agentMgr.send(hostId, thawCmd);
@@ -222,7 +222,7 @@ public VMSnapshot takeVMSnapshot(VMSnapshot vmSnapshot) {
                 }
             }
             if (!result) {
-                for (SnapshotInfo snapshotInfo : forRollback) {
+                for (SnapshotInfo snapshotInfo : snapshotsForRollback) {
                     rollbackDiskSnapshot(snapshotInfo);
                 }
                 try {
@@ -388,10 +388,16 @@ private long elapsedTime(long startTime) {
 
     //Rollback if one of disks snapshot fails
     protected void rollbackDiskSnapshot(SnapshotInfo snapshotInfo) {
+        if (snapshotInfo == null) {
+            return;
+        }
         Long snapshotID = snapshotInfo.getId();
         SnapshotVO snapshot = snapshotDao.findById(snapshotID);
+        if (snapshot == null) {
+            return;
+        }
         deleteSnapshotByStrategy(snapshot);
-        logger.debug("Rollback is executed: deleting snapshot with id:" + snapshotID);
+        logger.debug("Rollback is executed: deleting snapshot with id: {}", snapshotID);
     }
 
     protected void deleteSnapshotByStrategy(SnapshotVO snapshot) {
@@ -434,7 +440,7 @@ protected void revertDiskSnapshot(VMSnapshot vmSnapshot) {
         }
     }
 
-    protected SnapshotInfo createDiskSnapshot(VMSnapshot vmSnapshot, List<SnapshotInfo> forRollback, VolumeInfo vol) {
+    protected SnapshotInfo createDiskSnapshot(VMSnapshot vmSnapshot, List<SnapshotInfo> snapshotsForRollback, VolumeInfo vol) {
         String snapshotName = vmSnapshot.getId() + "_" + vol.getUuid();
         SnapshotVO snapshot = new SnapshotVO(vol.getDataCenterId(), vol.getAccountId(), vol.getDomainId(), vol.getId(), vol.getDiskOfferingId(),
                               snapshotName, (short) Snapshot.Type.GROUP.ordinal(),  Snapshot.Type.GROUP.name(),  vol.getSize(), vol.getMinIops(),  vol.getMaxIops(), Hypervisor.HypervisorType.KVM, null);
@@ -448,6 +454,7 @@ protected SnapshotInfo createDiskSnapshot(VMSnapshot vmSnapshot, List<SnapshotIn
         vol.addPayload(setPayload(vol, snapshot, quiescevm));
         SnapshotInfo snapshotInfo = snapshotDataFactory.getSnapshot(snapshot.getId(), vol.getDataStore());
         snapshotInfo.addPayload(vol.getpayload());
+        snapshotsForRollback.add(snapshotInfo);
         SnapshotStrategy snapshotStrategy = storageStrategyFactory.getSnapshotStrategy(snapshotInfo, SnapshotOperation.TAKE);
         if (snapshotStrategy == null) {
             throw new CloudRuntimeException("Could not find strategy for snapshot uuid:" + snapshotInfo.getUuid());
@@ -455,8 +462,6 @@ protected SnapshotInfo createDiskSnapshot(VMSnapshot vmSnapshot, List<SnapshotIn
         snapshotInfo = snapshotStrategy.takeSnapshot(snapshotInfo);
         if (snapshotInfo == null) {
             throw new CloudRuntimeException("Failed to create snapshot");
-        } else {
-          forRollback.add(snapshotInfo);
         }
         vmSnapshotDetailsDao.persist(new VMSnapshotDetailsVO(vmSnapshot.getId(), STORAGE_SNAPSHOT, String.valueOf(snapshot.getId()), true));
         snapshotInfo.markBackedUp();
diff --git a/engine/storage/snapshot/src/test/java/org/apache/cloudstack/storage/snapshot/DefaultSnapshotStrategyTest.java b/engine/storage/snapshot/src/test/java/org/apache/cloudstack/storage/snapshot/DefaultSnapshotStrategyTest.java
index 53f98c18f1be..41bfaa6f0c77 100644
--- a/engine/storage/snapshot/src/test/java/org/apache/cloudstack/storage/snapshot/DefaultSnapshotStrategyTest.java
+++ b/engine/storage/snapshot/src/test/java/org/apache/cloudstack/storage/snapshot/DefaultSnapshotStrategyTest.java
@@ -257,11 +257,6 @@ public void verifyIfTheSnapshotIsBeingUsedByAnyVolumeTestDetailsIsNotEmptyThrowC
 
     @Test
     public void testGetSnapshotImageStoreRefNull() {
-        SnapshotDataStoreVO ref1 = Mockito.mock(SnapshotDataStoreVO.class);
-        Mockito.when(ref1.getDataStoreId()).thenReturn(1L);
-        Mockito.when(ref1.getRole()).thenReturn(DataStoreRole.Image);
-        Mockito.when(snapshotDataStoreDao.listReadyBySnapshot(Mockito.anyLong(), Mockito.any(DataStoreRole.class))).thenReturn(List.of(ref1));
-        Mockito.when(dataStoreManager.getStoreZoneId(1L, DataStoreRole.Image)).thenReturn(2L);
         Assert.assertNull(defaultSnapshotStrategySpy.getSnapshotImageStoreRef(1L, 1L));
     }
 
@@ -270,7 +265,7 @@ public void testGetSnapshotImageStoreRefNotNull() {
         SnapshotDataStoreVO ref1 = Mockito.mock(SnapshotDataStoreVO.class);
         Mockito.when(ref1.getDataStoreId()).thenReturn(1L);
         Mockito.when(ref1.getRole()).thenReturn(DataStoreRole.Image);
-        Mockito.when(snapshotDataStoreDao.listReadyBySnapshot(Mockito.anyLong(), Mockito.any(DataStoreRole.class))).thenReturn(List.of(ref1));
+        Mockito.when(snapshotDataStoreDao.listBySnapshotIdAndDataStoreRoleAndStateIn(Mockito.anyLong(), Mockito.any(DataStoreRole.class), Mockito.any(), Mockito.any())).thenReturn(List.of(ref1));
         Mockito.when(dataStoreManager.getStoreZoneId(1L, DataStoreRole.Image)).thenReturn(1L);
         Assert.assertNotNull(defaultSnapshotStrategySpy.getSnapshotImageStoreRef(1L, 1L));
     }
diff --git a/engine/storage/snapshot/src/test/java/org/apache/cloudstack/storage/vmsnapshot/VMSnapshotStrategyKVMTest.java b/engine/storage/snapshot/src/test/java/org/apache/cloudstack/storage/vmsnapshot/VMSnapshotStrategyKVMTest.java
index 050c0246abaf..7d5d3c786e87 100644
--- a/engine/storage/snapshot/src/test/java/org/apache/cloudstack/storage/vmsnapshot/VMSnapshotStrategyKVMTest.java
+++ b/engine/storage/snapshot/src/test/java/org/apache/cloudstack/storage/vmsnapshot/VMSnapshotStrategyKVMTest.java
@@ -155,7 +155,7 @@ public void setUp() throws Exception {
     @Test
     public void testCreateDiskSnapshotBasedOnStrategy() throws Exception {
         VMSnapshotVO vmSnapshot = Mockito.mock(VMSnapshotVO.class);
-        List<SnapshotInfo> forRollback = new ArrayList<>();
+        List<SnapshotInfo> snapshotsForRollback = new ArrayList<>();
         VolumeInfo vol = Mockito.mock(VolumeInfo.class);
         SnapshotInfo snapshotInfo = Mockito.mock(SnapshotInfo.class);
         SnapshotStrategy strategy = Mockito.mock(SnapshotStrategy.class);
@@ -179,7 +179,7 @@ public void testCreateDiskSnapshotBasedOnStrategy() throws Exception {
         VMSnapshotDetailsVO vmDetails = new VMSnapshotDetailsVO(vmSnapshot.getId(), volUuid, String.valueOf(snapshot.getId()), false);
         when(vmSnapshotDetailsDao.persist(any())).thenReturn(vmDetails);
 
-        info =  vmStrategy.createDiskSnapshot(vmSnapshot, forRollback, vol);
+        info =  vmStrategy.createDiskSnapshot(vmSnapshot, snapshotsForRollback, vol);
         assertNotNull(info);
     }
 
diff --git a/engine/storage/src/main/java/org/apache/cloudstack/storage/allocator/AbstractStoragePoolAllocator.java b/engine/storage/src/main/java/org/apache/cloudstack/storage/allocator/AbstractStoragePoolAllocator.java
index cd9ab3adb210..4057f7a051bf 100644
--- a/engine/storage/src/main/java/org/apache/cloudstack/storage/allocator/AbstractStoragePoolAllocator.java
+++ b/engine/storage/src/main/java/org/apache/cloudstack/storage/allocator/AbstractStoragePoolAllocator.java
@@ -145,10 +145,10 @@ protected List<StoragePool> reorderPoolsByCapacity(DeploymentPlan plan, List<Sto
             storageType = "shared";
         }
 
-        logger.debug(String.format(
-                "Filtering storage pools by capacity type [%s] as the first storage pool of the list, with name [%s] and ID [%s], is a [%s] storage.",
+        logger.info(
+                "Filtering storage pools by capacity type [{}] as the first storage pool of the list, with name [{}] and ID [{}], is a [{}] storage.",
                 capacityType, storagePool.getName(), storagePool.getUuid(), storageType
-        ));
+        );
 
         Pair<List<Long>, Map<Long, Double>> result = capacityDao.orderHostsByFreeCapacity(zoneId, clusterId, capacityType);
         List<Long> poolIdsByCapacity = result.first();
@@ -185,7 +185,7 @@ protected List<StoragePool> reorderPoolsByNumberOfVolumes(DeploymentPlan plan, L
         Long clusterId = plan.getClusterId();
 
         List<Long> poolIdsByVolCount = volumeDao.listPoolIdsByVolumeCount(dcId, podId, clusterId, account.getAccountId());
-        logger.debug(String.format("List of pools in ascending order of number of volumes for account [%s] is [%s].", account, poolIdsByVolCount));
+        logger.debug("List of pools in ascending order of number of volumes for account [{}] is [{}].", account, poolIdsByVolCount);
 
         // now filter the given list of Pools by this ordered list
         Map<Long, StoragePool> poolMap = new HashMap<>();
@@ -206,16 +206,11 @@ protected List<StoragePool> reorderPoolsByNumberOfVolumes(DeploymentPlan plan, L
 
     @Override
     public List<StoragePool> reorderPools(List<StoragePool> pools, VirtualMachineProfile vmProfile, DeploymentPlan plan, DiskProfile dskCh) {
-        if (logger.isTraceEnabled()) {
-            logger.trace("reordering pools");
-        }
         if (pools == null) {
-            logger.trace("There are no pools to reorder; returning null.");
+            logger.info("There are no pools to reorder.");
             return null;
         }
-        if (logger.isTraceEnabled()) {
-            logger.trace(String.format("reordering %d pools", pools.size()));
-        }
+        logger.info("Reordering [{}] pools", pools.size());
         Account account = null;
         if (vmProfile.getVirtualMachine() != null) {
             account = vmProfile.getOwner();
@@ -224,9 +219,7 @@ public List<StoragePool> reorderPools(List<StoragePool> pools, VirtualMachinePro
         pools = reorderStoragePoolsBasedOnAlgorithm(pools, plan, account);
 
         if (vmProfile.getVirtualMachine() == null) {
-            if (logger.isTraceEnabled()) {
-                logger.trace("The VM is null, skipping pools reordering by disk provisioning type.");
-            }
+            logger.info("The VM is null, skipping pool reordering by disk provisioning type.");
             return pools;
         }
 
@@ -240,14 +233,10 @@ public List<StoragePool> reorderPools(List<StoragePool> pools, VirtualMachinePro
 
     List<StoragePool> reorderStoragePoolsBasedOnAlgorithm(List<StoragePool> pools, DeploymentPlan plan, Account account) {
         String volumeAllocationAlgorithm = VolumeOrchestrationService.VolumeAllocationAlgorithm.value();
-        logger.debug("Using volume allocation algorithm {} to reorder pools.", volumeAllocationAlgorithm);
+        logger.info("Using volume allocation algorithm {} to reorder pools.", volumeAllocationAlgorithm);
         if (volumeAllocationAlgorithm.equals("random") || (account == null)) {
             reorderRandomPools(pools);
         } else if (StringUtils.equalsAny(volumeAllocationAlgorithm, "userdispersing", "firstfitleastconsumed")) {
-            if (logger.isTraceEnabled()) {
-                logger.trace("Using reordering algorithm {}", volumeAllocationAlgorithm);
-            }
-
             if (volumeAllocationAlgorithm.equals("userdispersing")) {
                 pools = reorderPoolsByNumberOfVolumes(plan, pools, account);
             } else {
@@ -259,16 +248,15 @@ List<StoragePool> reorderStoragePoolsBasedOnAlgorithm(List<StoragePool> pools, D
 
     void reorderRandomPools(List<StoragePool> pools) {
         StorageUtil.traceLogStoragePools(pools, logger, "pools to choose from: ");
-        if (logger.isTraceEnabled()) {
-            logger.trace("Shuffle this so that we don't check the pools in the same order. Algorithm == 'random' (or no account?)");
-        }
-        StorageUtil.traceLogStoragePools(pools, logger, "pools to shuffle: ");
+        logger.trace("Shuffle this so that we don't check the pools in the same order. Algorithm == 'random' (or no account?)");
+        logger.debug("Pools to shuffle: [{}]", pools);
         Collections.shuffle(pools, secureRandom);
-        StorageUtil.traceLogStoragePools(pools, logger, "shuffled list of pools to choose from: ");
+        logger.debug("Shuffled list of pools to choose from: [{}]", pools);
     }
 
     private List<StoragePool> reorderPoolsByDiskProvisioningType(List<StoragePool> pools, DiskProfile diskProfile) {
         if (diskProfile != null && diskProfile.getProvisioningType() != null && !diskProfile.getProvisioningType().equals(Storage.ProvisioningType.THIN)) {
+            logger.info("Reordering [{}] pools by disk provisioning type [{}].", pools.size(), diskProfile.getProvisioningType());
             List<StoragePool> reorderedPools = new ArrayList<>();
             int preferredIndex = 0;
             for (StoragePool pool : pools) {
@@ -282,22 +270,28 @@ private List<StoragePool> reorderPoolsByDiskProvisioningType(List<StoragePool> p
                     reorderedPools.add(preferredIndex++, pool);
                 }
             }
+            logger.debug("Reordered list of pools by disk provisioning type [{}]: [{}]", diskProfile.getProvisioningType(), reorderedPools);
             return reorderedPools;
         } else {
+            if (diskProfile == null) {
+                logger.info("Reordering pools by disk provisioning type wasn't necessary, since no disk profile was found.");
+            } else {
+                logger.debug("Reordering pools by disk provisioning type wasn't necessary, since the provisioning type is [{}].", diskProfile.getProvisioningType());
+            }
             return pools;
         }
     }
 
     protected boolean filter(ExcludeList avoid, StoragePool pool, DiskProfile dskCh, DeploymentPlan plan) {
-        logger.debug(String.format("Checking if storage pool [%s] is suitable to disk [%s].", pool, dskCh));
+        logger.debug("Checking if storage pool [{}] is suitable to disk [{}].", pool, dskCh);
         if (avoid.shouldAvoid(pool)) {
-            logger.debug(String.format("StoragePool [%s] is in avoid set, skipping this pool to allocation of disk [%s].", pool, dskCh));
+            logger.debug("StoragePool [{}] is in avoid set, skipping this pool to allocation of disk [{}].", pool, dskCh);
             return false;
         }
 
         if (dskCh.requiresEncryption() && !pool.getPoolType().supportsEncryption()) {
             if (logger.isDebugEnabled()) {
-                logger.debug(String.format("Storage pool type '%s' doesn't support encryption required for volume, skipping this pool", pool.getPoolType()));
+                logger.debug("Storage pool type '[{}]' doesn't support encryption required for volume, skipping this pool", pool.getPoolType());
             }
             return false;
         }
@@ -319,8 +313,8 @@ protected boolean filter(ExcludeList avoid, StoragePool pool, DiskProfile dskCh,
         }
 
         if (!checkDiskProvisioningSupport(dskCh, pool)) {
-            logger.debug(String.format("Storage pool [%s] does not have support to disk provisioning of disk [%s].", pool, ReflectionToStringBuilderUtils.reflectOnlySelectedFields(dskCh,
-                    "type", "name", "diskOfferingId", "templateId", "volumeId", "provisioningType", "hyperType")));
+            logger.debug("Storage pool [{}] does not have support to disk provisioning of disk [{}].", pool, ReflectionToStringBuilderUtils.reflectOnlySelectedFields(dskCh,
+                    "type", "name", "diskOfferingId", "templateId", "volumeId", "provisioningType", "hyperType"));
             return false;
         }
 
@@ -332,7 +326,7 @@ protected boolean filter(ExcludeList avoid, StoragePool pool, DiskProfile dskCh,
             HostVO plannedHost = hostDao.findById(plan.getHostId());
             if (!storageMgr.checkIfHostAndStoragePoolHasCommonStorageAccessGroups(plannedHost, pool)) {
                 if (logger.isDebugEnabled()) {
-                    logger.debug(String.format("StoragePool %s and host %s does not have matching storage access groups", pool, plannedHost));
+                    logger.debug("StoragePool [{}] and host [{}] does not have matching storage access groups", pool, plannedHost);
                 }
                 return false;
             }
@@ -343,13 +337,13 @@ protected boolean filter(ExcludeList avoid, StoragePool pool, DiskProfile dskCh,
         if (!isTempVolume) {
             volume = volumeDao.findById(dskCh.getVolumeId());
             if (!storageMgr.storagePoolCompatibleWithVolumePool(pool, volume)) {
-                logger.debug(String.format("Pool [%s] is not compatible with volume [%s], skipping it.", pool, volume));
+                logger.debug("Pool [{}] is not compatible with volume [{}], skipping it.", pool, volume);
                 return false;
             }
         }
 
         if (pool.isManaged() && !storageUtil.managedStoragePoolCanScale(pool, plan.getClusterId(), plan.getHostId())) {
-            logger.debug(String.format("Cannot allocate pool [%s] to volume [%s] because the max number of managed clustered filesystems has been exceeded.", pool, volume));
+            logger.debug("Cannot allocate pool [{}] to volume [{}] because the max number of managed clustered filesystems has been exceeded.", pool, volume);
             return false;
         }
 
@@ -358,13 +352,13 @@ protected boolean filter(ExcludeList avoid, StoragePool pool, DiskProfile dskCh,
         requestVolumeDiskProfilePairs.add(new Pair<>(volume, dskCh));
         if (dskCh.getHypervisorType() == HypervisorType.VMware) {
             if (pool.getPoolType() == Storage.StoragePoolType.DatastoreCluster && storageMgr.isStoragePoolDatastoreClusterParent(pool)) {
-                logger.debug(String.format("Skipping allocation of pool [%s] to volume [%s] because this pool is a parent datastore cluster.", pool, volume));
+                logger.debug("Skipping allocation of pool [{}] to volume [{}] because this pool is a parent datastore cluster.", pool, volume);
                 return false;
             }
             if (pool.getParent() != 0L) {
                 StoragePoolVO datastoreCluster = storagePoolDao.findById(pool.getParent());
                 if (datastoreCluster == null || (datastoreCluster != null && datastoreCluster.getStatus() != StoragePoolStatus.Up)) {
-                    logger.debug(String.format("Skipping allocation of pool [%s] to volume [%s] because this pool is not in [%s] state.", datastoreCluster, volume, StoragePoolStatus.Up));
+                    logger.debug("Skipping allocation of pool [{}] to volume [{}] because this pool is not in [{}] state.", datastoreCluster, volume, StoragePoolStatus.Up);
                     return false;
                 }
             }
@@ -374,11 +368,11 @@ protected boolean filter(ExcludeList avoid, StoragePool pool, DiskProfile dskCh,
                         storageMgr.isStoragePoolCompliantWithStoragePolicy(dskCh.getDiskOfferingId(), pool) :
                         storageMgr.isStoragePoolCompliantWithStoragePolicy(requestVolumeDiskProfilePairs, pool);
                 if (!isStoragePoolStoragePolicyCompliance) {
-                    logger.debug(String.format("Skipping allocation of pool [%s] to volume [%s] because this pool is not compliant with the storage policy required by the volume.", pool, volume));
+                    logger.debug("Skipping allocation of pool [{}] to volume [{}] because this pool is not compliant with the storage policy required by the volume.", pool, volume);
                     return false;
                 }
             } catch (StorageUnavailableException e) {
-                logger.warn(String.format("Could not verify storage policy compliance against storage pool %s due to exception %s", pool.getUuid(), e.getMessage()));
+                logger.warn("Could not verify storage policy compliance against storage pool [{}] due to exception [{}]", pool.getUuid(), e.getMessage());
                 return false;
             }
         }
@@ -427,19 +421,19 @@ private boolean checkHypervisorCompatibility(HypervisorType hyperType, Volume.Ty
     protected void logDisabledStoragePools(long dcId, Long podId, Long clusterId, ScopeType scope) {
         List<StoragePoolVO> disabledPools = storagePoolDao.findDisabledPoolsByScope(dcId, podId, clusterId, scope);
         if (disabledPools != null && !disabledPools.isEmpty()) {
-            logger.trace(String.format("Ignoring pools [%s] as they are in disabled state.", ReflectionToStringBuilderUtils.reflectOnlySelectedFields(disabledPools)));
+            logger.trace("Ignoring pools [{}] as they are in disabled state.", ReflectionToStringBuilderUtils.reflectOnlySelectedFields(disabledPools));
         }
     }
 
     protected void logStartOfSearch(DiskProfile dskCh, VirtualMachineProfile vmProfile, DeploymentPlan plan, int returnUpTo,
             boolean bypassStorageTypeCheck){
-        logger.trace(String.format("%s is looking for storage pools that match the VM's disk profile [%s], virtual machine profile [%s] and "
-                + "deployment plan [%s]. Returning up to [%d] and bypassStorageTypeCheck [%s].", this.getClass().getSimpleName(), dskCh, vmProfile, plan, returnUpTo, bypassStorageTypeCheck));
+        logger.trace("[{}] is looking for storage pools that match the VM's disk profile [{}], virtual machine profile [{}] and "
+                + "deployment plan [{}]. Returning up to [{}] and bypassStorageTypeCheck [{}].", this.getClass().getSimpleName(), dskCh, vmProfile, plan, returnUpTo, bypassStorageTypeCheck);
     }
 
     protected void logEndOfSearch(List<StoragePool> storagePoolList) {
-        logger.debug(String.format("%s is returning [%s] suitable storage pools [%s].", this.getClass().getSimpleName(), storagePoolList.size(),
-                Arrays.toString(storagePoolList.toArray())));
+        logger.debug("[{}] is returning [{}] suitable storage pools [{}].", this.getClass().getSimpleName(), storagePoolList.size(),
+                Arrays.toString(storagePoolList.toArray()));
     }
 
 }
diff --git a/engine/storage/src/main/java/org/apache/cloudstack/storage/image/BaseImageStoreDriverImpl.java b/engine/storage/src/main/java/org/apache/cloudstack/storage/image/BaseImageStoreDriverImpl.java
index a2e9eff2a08a..26b39e30776f 100644
--- a/engine/storage/src/main/java/org/apache/cloudstack/storage/image/BaseImageStoreDriverImpl.java
+++ b/engine/storage/src/main/java/org/apache/cloudstack/storage/image/BaseImageStoreDriverImpl.java
@@ -230,8 +230,10 @@ protected Void createTemplateAsyncCallback(AsyncCallbackDispatcher<? extends Bas
             updateBuilder.setJobId(answer.getJobId());
             updateBuilder.setLocalDownloadPath(answer.getDownloadPath());
             updateBuilder.setInstallPath(answer.getInstallPath());
-            updateBuilder.setSize(answer.getTemplateSize());
-            updateBuilder.setPhysicalSize(answer.getTemplatePhySicalSize());
+            if (!VMTemplateStorageResourceAssoc.ERROR_DOWNLOAD_STATES.contains(answer.getDownloadStatus())) {
+                updateBuilder.setSize(answer.getTemplateSize());
+                updateBuilder.setPhysicalSize(answer.getTemplatePhySicalSize());
+            }
             _templateStoreDao.update(tmpltStoreVO.getId(), updateBuilder);
             // update size in vm_template table
             VMTemplateVO tmlptUpdater = _templateDao.createForUpdate();
@@ -241,8 +243,7 @@ protected Void createTemplateAsyncCallback(AsyncCallbackDispatcher<? extends Bas
 
         AsyncCompletionCallback<CreateCmdResult> caller = context.getParentCallback();
 
-        if (answer.getDownloadStatus() == VMTemplateStorageResourceAssoc.Status.DOWNLOAD_ERROR ||
-                answer.getDownloadStatus() == VMTemplateStorageResourceAssoc.Status.ABANDONED || answer.getDownloadStatus() == VMTemplateStorageResourceAssoc.Status.UNKNOWN) {
+        if (VMTemplateStorageResourceAssoc.ERROR_DOWNLOAD_STATES.contains(answer.getDownloadStatus())) {
             CreateCmdResult result = new CreateCmdResult(null, null);
             result.setSuccess(false);
             result.setResult(answer.getErrorString());
@@ -285,19 +286,22 @@ protected Void createTemplateAsyncCallback(AsyncCallbackDispatcher<? extends Bas
             updateBuilder.setJobId(answer.getJobId());
             updateBuilder.setLocalDownloadPath(answer.getDownloadPath());
             updateBuilder.setInstallPath(answer.getInstallPath());
-            updateBuilder.setSize(answer.getTemplateSize());
-            updateBuilder.setPhysicalSize(answer.getTemplatePhySicalSize());
+            if (!VMTemplateStorageResourceAssoc.ERROR_DOWNLOAD_STATES.contains(answer.getDownloadStatus())) {
+                updateBuilder.setSize(answer.getTemplateSize());
+                updateBuilder.setPhysicalSize(answer.getTemplatePhySicalSize());
+            }
             _volumeStoreDao.update(volStoreVO.getId(), updateBuilder);
             // update size in volume table
-            VolumeVO volUpdater = volumeDao.createForUpdate();
-            volUpdater.setSize(answer.getTemplateSize());
-            volumeDao.update(obj.getId(), volUpdater);
+            if (!VMTemplateStorageResourceAssoc.ERROR_DOWNLOAD_STATES.contains(answer.getDownloadStatus())) {
+                VolumeVO volUpdater = volumeDao.createForUpdate();
+                volUpdater.setSize(answer.getTemplateSize());
+                volumeDao.update(obj.getId(), volUpdater);
+            }
         }
 
         AsyncCompletionCallback<CreateCmdResult> caller = context.getParentCallback();
 
-        if (answer.getDownloadStatus() == VMTemplateStorageResourceAssoc.Status.DOWNLOAD_ERROR ||
-                answer.getDownloadStatus() == VMTemplateStorageResourceAssoc.Status.ABANDONED || answer.getDownloadStatus() == VMTemplateStorageResourceAssoc.Status.UNKNOWN) {
+        if (VMTemplateStorageResourceAssoc.ERROR_DOWNLOAD_STATES.contains(answer.getDownloadStatus())) {
             CreateCmdResult result = new CreateCmdResult(null, null);
             result.setSuccess(false);
             result.setResult(answer.getErrorString());
diff --git a/engine/storage/volume/src/main/java/org/apache/cloudstack/storage/volume/VolumeServiceImpl.java b/engine/storage/volume/src/main/java/org/apache/cloudstack/storage/volume/VolumeServiceImpl.java
index 436f991afbd1..8731e8791ddd 100644
--- a/engine/storage/volume/src/main/java/org/apache/cloudstack/storage/volume/VolumeServiceImpl.java
+++ b/engine/storage/volume/src/main/java/org/apache/cloudstack/storage/volume/VolumeServiceImpl.java
@@ -395,9 +395,9 @@ public AsyncCallFuture<VolumeApiResult> expungeVolumeAsync(VolumeInfo volume) {
         }
 
         // Find out if the volume is at state of download_in_progress on secondary storage
-        VolumeDataStoreVO volumeStore = _volumeStoreDao.findByVolume(volume.getId());
-        if (volumeStore != null) {
-            if (volumeStore.getDownloadState() == VMTemplateStorageResourceAssoc.Status.DOWNLOAD_IN_PROGRESS) {
+        VolumeDataStoreVO volumeOnImageStore = _volumeStoreDao.findByVolume(volume.getId());
+        if (volumeOnImageStore != null) {
+            if (volumeOnImageStore.getDownloadState() == VMTemplateStorageResourceAssoc.Status.DOWNLOAD_IN_PROGRESS) {
                 String msg = String.format("Volume: %s is currently being uploaded; can't delete it.", volume);
                 logger.debug(msg);
                 result.setSuccess(false);
@@ -416,10 +416,10 @@ public AsyncCallFuture<VolumeApiResult> expungeVolumeAsync(VolumeInfo volume) {
 
         if (!volumeExistsOnPrimary(vol)) {
             // not created on primary store
-            if (volumeStore == null) {
+            if (volumeOnImageStore == null) {
                 // also not created on secondary store
                 if (logger.isDebugEnabled()) {
-                    logger.debug("Marking volume that was never created as destroyed: " + vol);
+                    logger.debug("Marking volume that was never created as destroyed: {}", vol);
                 }
                 VMTemplateVO template = templateDao.findById(vol.getTemplateId());
                 if (template != null && !template.isDeployAsIs()) {
@@ -435,11 +435,21 @@ public AsyncCallFuture<VolumeApiResult> expungeVolumeAsync(VolumeInfo volume) {
         if (volume.getDataStore().getRole() == DataStoreRole.Image) {
             // no need to change state in volumes table
             volume.processEventOnly(Event.DestroyRequested);
+            if (volumeOnImageStore == null) {
+                logger.debug("Volume {} doesn't exist on image store, no need to delete", vol);
+                future.complete(result);
+                return future;
+            }
         } else if (volume.getDataStore().getRole() == DataStoreRole.Primary) {
             if (vol.getState() == Volume.State.Expunging) {
                 logger.info("Volume {} is already in Expunging, retrying", volume);
             }
             volume.processEvent(Event.ExpungeRequested);
+            if (!volumeExistsOnPrimary(vol)) {
+                logger.debug("Volume {} doesn't exist on primary storage, no need to delete", vol);
+                future.complete(result);
+                return future;
+            }
         }
 
         DeleteVolumeContext<VolumeApiResult> context = new DeleteVolumeContext<>(null, vo, future);
@@ -460,13 +470,11 @@ public void ensureVolumeIsExpungeReady(long volumeId) {
 
     private boolean volumeExistsOnPrimary(VolumeVO vol) {
         Long poolId = vol.getPoolId();
-
         if (poolId == null) {
             return false;
         }
 
         PrimaryDataStore primaryStore = dataStoreMgr.getPrimaryDataStore(poolId);
-
         if (primaryStore == null) {
             return false;
         }
@@ -476,8 +484,7 @@ private boolean volumeExistsOnPrimary(VolumeVO vol) {
         }
 
         String volumePath = vol.getPath();
-
-        if (volumePath == null || volumePath.trim().isEmpty()) {
+        if (StringUtils.isBlank(volumePath)) {
             return false;
         }
 
diff --git a/framework/db/src/main/java/com/cloud/utils/db/SearchCriteria.java b/framework/db/src/main/java/com/cloud/utils/db/SearchCriteria.java
index 15807eb26d42..3323d5c4d829 100644
--- a/framework/db/src/main/java/com/cloud/utils/db/SearchCriteria.java
+++ b/framework/db/src/main/java/com/cloud/utils/db/SearchCriteria.java
@@ -205,6 +205,12 @@ public void setJoinParameters(String joinName, String conditionName, Object... p
 
     }
 
+    public void setJoinParametersIfNotNull(String joinName, String conditionName, Object... params) {
+        if (ArrayUtils.isNotEmpty(params) && (params.length > 1 || params[0] != null)) {
+            setJoinParameters(joinName, conditionName, params);
+        }
+    }
+
     public SearchCriteria<?> getJoin(String joinName) {
         return _joins.get(joinName).getT();
     }
diff --git a/framework/db/src/main/java/com/cloud/utils/db/SequenceFetcher.java b/framework/db/src/main/java/com/cloud/utils/db/SequenceFetcher.java
index f902fda3bf14..a59b73e5cee1 100644
--- a/framework/db/src/main/java/com/cloud/utils/db/SequenceFetcher.java
+++ b/framework/db/src/main/java/com/cloud/utils/db/SequenceFetcher.java
@@ -64,7 +64,7 @@ public <T> T getNextSequence(Class<T> clazz, TableGenerator tg, Object key, bool
         try {
             return future.get();
         } catch (Exception e) {
-            logger.warn("Unable to get sequeunce for " + tg.table() + ":" + tg.pkColumnValue(), e);
+            logger.warn("Unable to get sequence for " + tg.table() + ":" + tg.pkColumnValue(), e);
             return null;
         }
     }
diff --git a/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/api/CreateExtensionCmd.java b/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/api/CreateExtensionCmd.java
index 5ab54149645e..9d76a7e6ec25 100644
--- a/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/api/CreateExtensionCmd.java
+++ b/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/api/CreateExtensionCmd.java
@@ -83,6 +83,12 @@ public class CreateExtensionCmd extends BaseCmd {
             description = "Details in key/value pairs using format details[i].keyname=keyvalue. Example: details[0].endpoint.url=urlvalue")
     protected Map details;
 
+    @Parameter(name = ApiConstants.RESERVED_RESOURCE_DETAILS, type = CommandType.STRING,
+            description = "Resource detail names as comma separated string that should be reserved and not visible " +
+                    "to end users",
+            since = "4.22.1")
+    protected String reservedResourceDetails;
+
     /////////////////////////////////////////////////////
     /////////////////// Accessors ///////////////////////
     /////////////////////////////////////////////////////
@@ -115,6 +121,10 @@ public Map<String, String> getDetails() {
         return convertDetailsToMap(details);
     }
 
+    public String getReservedResourceDetails() {
+        return reservedResourceDetails;
+    }
+
     /////////////////////////////////////////////////////
     /////////////// API Implementation///////////////////
     /////////////////////////////////////////////////////
diff --git a/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/api/UpdateExtensionCmd.java b/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/api/UpdateExtensionCmd.java
index ded07d2dd323..5baaea1709db 100644
--- a/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/api/UpdateExtensionCmd.java
+++ b/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/api/UpdateExtensionCmd.java
@@ -78,6 +78,12 @@ public class UpdateExtensionCmd extends BaseCmd {
                     "if false or not set, no action)")
     private Boolean cleanupDetails;
 
+    @Parameter(name = ApiConstants.RESERVED_RESOURCE_DETAILS, type = CommandType.STRING,
+            description = "Resource detail names as comma separated string that should be reserved and not visible " +
+                    "to end users",
+            since = "4.22.1")
+    protected String reservedResourceDetails;
+
     /////////////////////////////////////////////////////
     /////////////////// Accessors ///////////////////////
     /////////////////////////////////////////////////////
@@ -106,6 +112,10 @@ public Boolean isCleanupDetails() {
         return cleanupDetails;
     }
 
+    public String getReservedResourceDetails() {
+        return reservedResourceDetails;
+    }
+
     /////////////////////////////////////////////////////
     /////////////// API Implementation///////////////////
     /////////////////////////////////////////////////////
diff --git a/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/manager/ExtensionsManagerImpl.java b/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/manager/ExtensionsManagerImpl.java
index 4171b9615fea..f6fd08b6da2c 100644
--- a/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/manager/ExtensionsManagerImpl.java
+++ b/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/manager/ExtensionsManagerImpl.java
@@ -216,6 +216,11 @@ public class ExtensionsManagerImpl extends ManagerBase implements ExtensionsMana
     @Inject
     AccountService accountService;
 
+    // Map of in-built extension names and their reserved resource details that shouldn't be accessible to end-users
+    protected static final Map<String, List<String>> INBUILT_RESERVED_RESOURCE_DETAILS = Map.of(
+            "proxmox", List.of("proxmox_vmid")
+    );
+
     private ScheduledExecutorService extensionPathStateCheckExecutor;
 
     protected String getDefaultExtensionRelativePath(String name) {
@@ -563,6 +568,25 @@ protected void checkExtensionPathState(Extension extension, List<ManagementServe
         updateExtensionPathReady(extension, true);
     }
 
+    protected void addInbuiltExtensionReservedResourceDetails(long extensionId, List<String> reservedResourceDetails) {
+        ExtensionVO vo = extensionDao.findById(extensionId);
+        if (vo == null || vo.isUserDefined()) {
+            return;
+        }
+        String lowerName = StringUtils.defaultString(vo.getName()).toLowerCase();
+        Optional<Map.Entry<String, List<String>>> match = INBUILT_RESERVED_RESOURCE_DETAILS.entrySet().stream()
+                .filter(e -> lowerName.contains(e.getKey().toLowerCase()))
+                .findFirst();
+        if (match.isPresent()) {
+            Set<String> existing = new HashSet<>(reservedResourceDetails);
+            for (String detailKey : match.get().getValue()) {
+                if (existing.add(detailKey)) {
+                    reservedResourceDetails.add(detailKey);
+                }
+            }
+        }
+    }
+
     @Override
     public String getExtensionsPath() {
         return externalProvisioner.getExtensionsPath();
@@ -577,6 +601,7 @@ public Extension createExtension(CreateExtensionCmd cmd) {
         String relativePath = cmd.getPath();
         final Boolean orchestratorRequiresPrepareVm = cmd.isOrchestratorRequiresPrepareVm();
         final String stateStr = cmd.getState();
+        final String reservedResourceDetails = cmd.getReservedResourceDetails();
         ExtensionVO extensionByName = extensionDao.findByName(name);
         if (extensionByName != null) {
             throw new CloudRuntimeException("Extension by name already exists");
@@ -624,6 +649,10 @@ public Extension createExtension(CreateExtensionCmd cmd) {
                         ApiConstants.ORCHESTRATOR_REQUIRES_PREPARE_VM, String.valueOf(orchestratorRequiresPrepareVm),
                         false));
             }
+            if (StringUtils.isNotBlank(reservedResourceDetails)) {
+                detailsVOList.add(new ExtensionDetailsVO(extension.getId(),
+                        ApiConstants.RESERVED_RESOURCE_DETAILS, reservedResourceDetails, false));
+            }
             if (CollectionUtils.isNotEmpty(detailsVOList)) {
                 extensionDetailsDao.saveDetails(detailsVOList);
             }
@@ -704,6 +733,7 @@ public Extension updateExtension(UpdateExtensionCmd cmd) {
         final String stateStr = cmd.getState();
         final Map<String, String> details = cmd.getDetails();
         final Boolean cleanupDetails = cmd.isCleanupDetails();
+        final String reservedResourceDetails = cmd.getReservedResourceDetails();
         final ExtensionVO extensionVO = extensionDao.findById(id);
         if (extensionVO == null) {
             throw new InvalidParameterValueException("Failed to find the extension");
@@ -732,7 +762,8 @@ public Extension updateExtension(UpdateExtensionCmd cmd) {
                 throw new CloudRuntimeException(String.format("Failed to updated the extension: %s",
                         extensionVO.getName()));
             }
-            updateExtensionsDetails(cleanupDetails, details, orchestratorRequiresPrepareVm, id);
+            updateExtensionsDetails(cleanupDetails, details, orchestratorRequiresPrepareVm, reservedResourceDetails,
+                    id);
             return extensionVO;
         });
         if (StringUtils.isNotBlank(stateStr)) {
@@ -748,9 +779,11 @@ public Extension updateExtension(UpdateExtensionCmd cmd) {
         return result;
     }
 
-    protected void updateExtensionsDetails(Boolean cleanupDetails, Map<String, String> details, Boolean orchestratorRequiresPrepareVm, long id) {
+    protected void updateExtensionsDetails(Boolean cleanupDetails, Map<String, String> details,
+               Boolean orchestratorRequiresPrepareVm, String reservedResourceDetails, long id) {
         final boolean needToUpdateAllDetails = Boolean.TRUE.equals(cleanupDetails) || MapUtils.isNotEmpty(details);
-        if (!needToUpdateAllDetails && orchestratorRequiresPrepareVm == null) {
+        if (!needToUpdateAllDetails && orchestratorRequiresPrepareVm == null &&
+                StringUtils.isBlank(reservedResourceDetails)) {
             return;
         }
         if (needToUpdateAllDetails) {
@@ -761,6 +794,9 @@ protected void updateExtensionsDetails(Boolean cleanupDetails, Map<String, Strin
                 hiddenDetails.put(ApiConstants.ORCHESTRATOR_REQUIRES_PREPARE_VM,
                         String.valueOf(orchestratorRequiresPrepareVm));
             }
+            if (StringUtils.isNotBlank(reservedResourceDetails)) {
+                hiddenDetails.put(ApiConstants.RESERVED_RESOURCE_DETAILS, reservedResourceDetails);
+            }
             if (MapUtils.isNotEmpty(hiddenDetails)) {
                 hiddenDetails.forEach((key, value) -> detailsVOList.add(
                         new ExtensionDetailsVO(id, key, value, false)));
@@ -775,15 +811,29 @@ protected void updateExtensionsDetails(Boolean cleanupDetails, Map<String, Strin
                 extensionDetailsDao.removeDetails(id);
             }
         } else {
-            ExtensionDetailsVO detailsVO = extensionDetailsDao.findDetail(id,
-                    ApiConstants.ORCHESTRATOR_REQUIRES_PREPARE_VM);
-            if (detailsVO == null) {
-                extensionDetailsDao.persist(new ExtensionDetailsVO(id,
-                        ApiConstants.ORCHESTRATOR_REQUIRES_PREPARE_VM,
-                        String.valueOf(orchestratorRequiresPrepareVm), false));
-            } else if (Boolean.parseBoolean(detailsVO.getValue()) != orchestratorRequiresPrepareVm) {
-                detailsVO.setValue(String.valueOf(orchestratorRequiresPrepareVm));
-                extensionDetailsDao.update(detailsVO.getId(), detailsVO);
+            if (orchestratorRequiresPrepareVm != null) {
+                ExtensionDetailsVO detailsVO = extensionDetailsDao.findDetail(id,
+                        ApiConstants.ORCHESTRATOR_REQUIRES_PREPARE_VM);
+                if (detailsVO == null) {
+                    extensionDetailsDao.persist(new ExtensionDetailsVO(id,
+                            ApiConstants.ORCHESTRATOR_REQUIRES_PREPARE_VM,
+                            String.valueOf(orchestratorRequiresPrepareVm), false));
+                } else if (Boolean.parseBoolean(detailsVO.getValue()) != orchestratorRequiresPrepareVm) {
+                    detailsVO.setValue(String.valueOf(orchestratorRequiresPrepareVm));
+                    extensionDetailsDao.update(detailsVO.getId(), detailsVO);
+                }
+            }
+            if (StringUtils.isNotBlank(reservedResourceDetails)) {
+                ExtensionDetailsVO detailsVO = extensionDetailsDao.findDetail(id,
+                        ApiConstants.RESERVED_RESOURCE_DETAILS);
+                if (detailsVO == null) {
+                    extensionDetailsDao.persist(new ExtensionDetailsVO(id,
+                            ApiConstants.RESERVED_RESOURCE_DETAILS,
+                            reservedResourceDetails, false));
+                } else if (!reservedResourceDetails.equals(detailsVO.getValue())) {
+                    detailsVO.setValue(reservedResourceDetails);
+                    extensionDetailsDao.update(detailsVO.getId(), detailsVO);
+                }
             }
         }
     }
@@ -961,12 +1011,16 @@ public ExtensionResponse createExtensionResponse(Extension extension,
             hiddenDetails = extensionDetails.second();
         } else {
             hiddenDetails = extensionDetailsDao.listDetailsKeyPairs(extension.getId(),
-                    List.of(ApiConstants.ORCHESTRATOR_REQUIRES_PREPARE_VM));
+                    List.of(ApiConstants.ORCHESTRATOR_REQUIRES_PREPARE_VM,
+                            ApiConstants.RESERVED_RESOURCE_DETAILS));
         }
         if (hiddenDetails.containsKey(ApiConstants.ORCHESTRATOR_REQUIRES_PREPARE_VM)) {
             response.setOrchestratorRequiresPrepareVm(Boolean.parseBoolean(
                     hiddenDetails.get(ApiConstants.ORCHESTRATOR_REQUIRES_PREPARE_VM)));
         }
+        if (hiddenDetails.containsKey(ApiConstants.RESERVED_RESOURCE_DETAILS)) {
+            response.setReservedResourceDetails(hiddenDetails.get(ApiConstants.RESERVED_RESOURCE_DETAILS));
+        }
         response.setObjectName(Extension.class.getSimpleName().toLowerCase());
         return response;
     }
@@ -1605,6 +1659,24 @@ public Extension getExtensionForCluster(long clusterId) {
         return extensionDao.findById(extensionId);
     }
 
+    @Override
+    public List<String> getExtensionReservedResourceDetails(long extensionId) {
+        ExtensionDetailsVO detailsVO = extensionDetailsDao.findDetail(extensionId,
+                ApiConstants.RESERVED_RESOURCE_DETAILS);
+        List<String> reservedDetails = new ArrayList<>();
+        if (detailsVO != null && StringUtils.isNotBlank(detailsVO.getValue())) {
+            String[] parts = detailsVO.getValue().split(",");
+            for (String part : parts) {
+                String trimmedPart = part.trim();
+                if (StringUtils.isNotBlank(trimmedPart)) {
+                    reservedDetails.add(trimmedPart);
+                }
+            }
+        }
+        addInbuiltExtensionReservedResourceDetails(extensionId, reservedDetails);
+        return reservedDetails;
+    }
+
     @Override
     public boolean start() {
         long pathStateCheckInterval = PathStateCheckInterval.value();
diff --git a/framework/extensions/src/test/java/org/apache/cloudstack/framework/extensions/api/CreateExtensionCmdTest.java b/framework/extensions/src/test/java/org/apache/cloudstack/framework/extensions/api/CreateExtensionCmdTest.java
index 2edb6ea48e3f..2f630966056c 100644
--- a/framework/extensions/src/test/java/org/apache/cloudstack/framework/extensions/api/CreateExtensionCmdTest.java
+++ b/framework/extensions/src/test/java/org/apache/cloudstack/framework/extensions/api/CreateExtensionCmdTest.java
@@ -94,4 +94,18 @@ public void testGetDetailsReturnsMap() {
         setField(cmd, "details", details);
         assertTrue(MapUtils.isNotEmpty(cmd.getDetails()));
     }
+
+    @Test
+    public void getReservedResourceDetailsReturnsValueWhenSet() {
+        setField(cmd, "reservedResourceDetails", "detail1,detail2,detail3");
+        String result = cmd.getReservedResourceDetails();
+        assertEquals("detail1,detail2,detail3", result);
+    }
+
+    @Test
+    public void getReservedResourceDetailsReturnsNullWhenNotSet() {
+        setField(cmd, "reservedResourceDetails", null);
+        String result = cmd.getReservedResourceDetails();
+        assertNull(result);
+    }
 }
diff --git a/framework/extensions/src/test/java/org/apache/cloudstack/framework/extensions/api/UpdateExtensionCmdTest.java b/framework/extensions/src/test/java/org/apache/cloudstack/framework/extensions/api/UpdateExtensionCmdTest.java
index f0a3a6fcf219..5c5c2014a529 100644
--- a/framework/extensions/src/test/java/org/apache/cloudstack/framework/extensions/api/UpdateExtensionCmdTest.java
+++ b/framework/extensions/src/test/java/org/apache/cloudstack/framework/extensions/api/UpdateExtensionCmdTest.java
@@ -26,6 +26,7 @@
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
+import static org.springframework.test.util.ReflectionTestUtils.setField;
 
 import java.util.EnumSet;
 import java.util.HashMap;
@@ -134,6 +135,20 @@ public void isCleanupDetailsReturnsValueWhenSet() {
         assertTrue(cmd.isCleanupDetails());
     }
 
+    @Test
+    public void getReservedResourceDetailsReturnsValueWhenSet() {
+        setField(cmd, "reservedResourceDetails", "detail1,detail2,detail3");
+        String result = cmd.getReservedResourceDetails();
+        assertEquals("detail1,detail2,detail3", result);
+    }
+
+    @Test
+    public void getReservedResourceDetailsReturnsNullWhenNotSet() {
+        setField(cmd, "reservedResourceDetails", null);
+        String result = cmd.getReservedResourceDetails();
+        assertNull(result);
+    }
+
     @Test
     public void executeSetsExtensionResponseWhenManagerSucceeds() {
         Extension extension = mock(Extension.class);
diff --git a/framework/extensions/src/test/java/org/apache/cloudstack/framework/extensions/manager/ExtensionsManagerImplTest.java b/framework/extensions/src/test/java/org/apache/cloudstack/framework/extensions/manager/ExtensionsManagerImplTest.java
index 085ae212b281..ff3fce06b006 100644
--- a/framework/extensions/src/test/java/org/apache/cloudstack/framework/extensions/manager/ExtensionsManagerImplTest.java
+++ b/framework/extensions/src/test/java/org/apache/cloudstack/framework/extensions/manager/ExtensionsManagerImplTest.java
@@ -23,11 +23,13 @@
 import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertThrows;
 import static org.junit.Assert.assertTrue;
+import static org.mockito.ArgumentMatchers.anyList;
 import static org.mockito.Mockito.any;
 import static org.mockito.Mockito.anyBoolean;
 import static org.mockito.Mockito.anyLong;
 import static org.mockito.Mockito.anyString;
 import static org.mockito.Mockito.atLeastOnce;
+import static org.mockito.Mockito.doAnswer;
 import static org.mockito.Mockito.doNothing;
 import static org.mockito.Mockito.doReturn;
 import static org.mockito.Mockito.doThrow;
@@ -40,6 +42,7 @@
 
 import java.io.File;
 import java.security.InvalidParameterException;
+import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.Date;
@@ -49,8 +52,6 @@
 import java.util.Map;
 import java.util.UUID;
 
-import com.cloud.exception.PermissionDeniedException;
-import com.cloud.user.AccountService;
 import org.apache.cloudstack.acl.Role;
 import org.apache.cloudstack.acl.RoleService;
 import org.apache.cloudstack.acl.RoleType;
@@ -85,9 +86,11 @@
 import org.apache.cloudstack.framework.extensions.dao.ExtensionResourceMapDetailsDao;
 import org.apache.cloudstack.framework.extensions.vo.ExtensionCustomActionDetailsVO;
 import org.apache.cloudstack.framework.extensions.vo.ExtensionCustomActionVO;
+import org.apache.cloudstack.framework.extensions.vo.ExtensionDetailsVO;
 import org.apache.cloudstack.framework.extensions.vo.ExtensionResourceMapVO;
 import org.apache.cloudstack.framework.extensions.vo.ExtensionVO;
 import org.apache.cloudstack.utils.identity.ManagementServerNode;
+import org.apache.commons.collections.CollectionUtils;
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
@@ -113,6 +116,7 @@
 import com.cloud.exception.AgentUnavailableException;
 import com.cloud.exception.InvalidParameterValueException;
 import com.cloud.exception.OperationTimedoutException;
+import com.cloud.exception.PermissionDeniedException;
 import com.cloud.host.Host;
 import com.cloud.host.dao.HostDao;
 import com.cloud.host.dao.HostDetailsDao;
@@ -122,6 +126,7 @@
 import com.cloud.serializer.GsonHelper;
 import com.cloud.storage.dao.VMTemplateDao;
 import com.cloud.user.Account;
+import com.cloud.user.AccountService;
 import com.cloud.utils.Pair;
 import com.cloud.utils.UuidUtils;
 import com.cloud.utils.db.EntityManager;
@@ -664,6 +669,8 @@ public void testCreateExtension_Success() {
         when(cmd.getPath()).thenReturn(null);
         when(cmd.isOrchestratorRequiresPrepareVm()).thenReturn(null);
         when(cmd.getState()).thenReturn(null);
+        String reservedResourceDetails = "abc,xyz";
+        when(cmd.getReservedResourceDetails()).thenReturn(reservedResourceDetails);
         when(extensionDao.findByName("ext1")).thenReturn(null);
         when(extensionDao.persist(any())).thenAnswer(inv -> {
             ExtensionVO extensionVO = inv.getArgument(0);
@@ -671,11 +678,20 @@ public void testCreateExtension_Success() {
             return extensionVO;
         });
         when(managementServerHostDao.listBy(any())).thenReturn(Collections.emptyList());
-
+        List<ExtensionDetailsVO> detailsList = new ArrayList<>();
+        doAnswer(inv -> {
+            List<ExtensionDetailsVO> detailsVO = inv.getArgument(0);
+            detailsList.addAll(detailsVO);
+            return null;
+        }).when(extensionDetailsDao).saveDetails(anyList());
         Extension ext = extensionsManager.createExtension(cmd);
 
         assertEquals("ext1", ext.getName());
         verify(extensionDao).persist(any());
+        assertTrue(CollectionUtils.isNotEmpty(detailsList));
+        assertTrue(detailsList.stream()
+                .anyMatch(detail -> ApiConstants.RESERVED_RESOURCE_DETAILS.equals(detail.getName())
+                    && reservedResourceDetails.equals(detail.getValue())));
     }
 
     @Test
@@ -938,14 +954,32 @@ public void testUpdateExtension_InvalidState() {
     public void updateExtensionsDetails_SavesDetails_WhenDetailsProvided() {
         long extensionId = 10L;
         Map<String, String> details = Map.of("foo", "bar", "baz", "qux");
-        extensionsManager.updateExtensionsDetails(false, details, null, extensionId);
+        extensionsManager.updateExtensionsDetails(false, details, null, null, extensionId);
         verify(extensionDetailsDao).saveDetails(any());
     }
 
+    @Test
+    public void updateExtensionsDetails_PersistReservedDetail_WhenProvided() {
+        long extensionId = 10L;
+        when(extensionDetailsDao.persist(any())).thenReturn(mock(ExtensionDetailsVO.class));
+        extensionsManager.updateExtensionsDetails(false, null, null, "abc,xyz", extensionId);
+        verify(extensionDetailsDao).persist(any());
+    }
+
+    @Test
+    public void updateExtensionsDetails_UpdateReservedDetail_WhenProvided() {
+        long extensionId = 10L;
+        when(extensionDetailsDao.findDetail(anyLong(), eq(ApiConstants.RESERVED_RESOURCE_DETAILS)))
+                .thenReturn(mock(ExtensionDetailsVO.class));
+        when(extensionDetailsDao.update(anyLong(), any())).thenReturn(true);
+        extensionsManager.updateExtensionsDetails(false, null, null, "abc,xyz", extensionId);
+        verify(extensionDetailsDao).update(anyLong(), any());
+    }
+
     @Test
     public void updateExtensionsDetails_DoesNothing_WhenDetailsAndCleanupAreNull() {
         long extensionId = 11L;
-        extensionsManager.updateExtensionsDetails(null, null, null, extensionId);
+        extensionsManager.updateExtensionsDetails(null, null, null, null, extensionId);
         verify(extensionDetailsDao, never()).removeDetails(anyLong());
         verify(extensionDetailsDao, never()).saveDetails(any());
     }
@@ -953,7 +987,7 @@ public void updateExtensionsDetails_DoesNothing_WhenDetailsAndCleanupAreNull() {
     @Test
     public void updateExtensionsDetails_RemovesDetailsOnly_WhenCleanupIsTrue() {
         long extensionId = 12L;
-        extensionsManager.updateExtensionsDetails(true, null, null, extensionId);
+        extensionsManager.updateExtensionsDetails(true, null, null, null, extensionId);
         verify(extensionDetailsDao).removeDetails(extensionId);
         verify(extensionDetailsDao, never()).saveDetails(any());
     }
@@ -961,7 +995,7 @@ public void updateExtensionsDetails_RemovesDetailsOnly_WhenCleanupIsTrue() {
     @Test
     public void updateExtensionsDetails_PersistsOrchestratorFlag_WhenFlagIsNotNull() {
         long extensionId = 13L;
-        extensionsManager.updateExtensionsDetails(false, null, true, extensionId);
+        extensionsManager.updateExtensionsDetails(false, null, true, null, extensionId);
         verify(extensionDetailsDao).persist(any());
     }
 
@@ -970,7 +1004,7 @@ public void updateExtensionsDetails_ThrowsException_WhenPersistFails() {
         long extensionId = 14L;
         Map<String, String> details = Map.of("foo", "bar");
         doThrow(CloudRuntimeException.class).when(extensionDetailsDao).saveDetails(any());
-        extensionsManager.updateExtensionsDetails(false, details, null, extensionId);
+        extensionsManager.updateExtensionsDetails(false, details, null, null, extensionId);
     }
 
     @Test
@@ -1161,7 +1195,8 @@ public void testCreateExtensionResponse_HiddenDetailsOnly() {
         when(externalProvisioner.getExtensionPath("entry2.sh")).thenReturn("/some/path/entry2.sh");
 
         Map<String, String> hiddenDetails = Map.of(ApiConstants.ORCHESTRATOR_REQUIRES_PREPARE_VM, "false");
-        when(extensionDetailsDao.listDetailsKeyPairs(2L, List.of(ApiConstants.ORCHESTRATOR_REQUIRES_PREPARE_VM)))
+        when(extensionDetailsDao.listDetailsKeyPairs(2L, List.of(
+                ApiConstants.ORCHESTRATOR_REQUIRES_PREPARE_VM, ApiConstants.RESERVED_RESOURCE_DETAILS)))
                 .thenReturn(hiddenDetails);
 
         EnumSet<ApiConstants.ExtensionDetails> viewDetails = EnumSet.noneOf(ApiConstants.ExtensionDetails.class);
@@ -2069,4 +2104,118 @@ public void getCallerDetailsReturnsDetailsWithoutRoleWhenRoleIsNull() {
         }
     }
 
+    @Test
+    public void getExtensionReservedResourceDetailsReturnsEmptyListWhenDetailsNotFound() {
+        long extensionId = 1L;
+        when(extensionDetailsDao.findDetail(extensionId, ApiConstants.RESERVED_RESOURCE_DETAILS)).thenReturn(null);
+
+        List<String> result = extensionsManager.getExtensionReservedResourceDetails(extensionId);
+
+        assertNotNull(result);
+        assertTrue(result.isEmpty());
+    }
+
+    @Test
+    public void getExtensionReservedResourceDetailsReturnsEmptyListWhenValueIsBlank() {
+        long extensionId = 2L;
+        ExtensionDetailsVO detailsVO = mock(ExtensionDetailsVO.class);
+        when(detailsVO.getValue()).thenReturn("   ");
+        when(extensionDetailsDao.findDetail(extensionId, ApiConstants.RESERVED_RESOURCE_DETAILS)).thenReturn(detailsVO);
+
+        List<String> result = extensionsManager.getExtensionReservedResourceDetails(extensionId);
+
+        assertNotNull(result);
+        assertTrue(result.isEmpty());
+    }
+
+    @Test
+    public void getExtensionReservedResourceDetailsReturnsListOfTrimmedDetails() {
+        long extensionId = 3L;
+        ExtensionDetailsVO detailsVO = mock(ExtensionDetailsVO.class);
+        when(detailsVO.getValue()).thenReturn(" detail1 , detail2,detail3 ");
+        when(extensionDetailsDao.findDetail(extensionId, ApiConstants.RESERVED_RESOURCE_DETAILS)).thenReturn(detailsVO);
+
+        List<String> result = extensionsManager.getExtensionReservedResourceDetails(extensionId);
+
+        assertNotNull(result);
+        assertEquals(3, result.size());
+        assertEquals("detail1", result.get(0));
+        assertEquals("detail2", result.get(1));
+        assertEquals("detail3", result.get(2));
+    }
+
+    @Test
+    public void getExtensionReservedResourceDetailsHandlesEmptyPartsGracefully() {
+        long extensionId = 4L;
+        ExtensionDetailsVO detailsVO = mock(ExtensionDetailsVO.class);
+        when(detailsVO.getValue()).thenReturn("detail1,,detail2, ,detail3");
+        when(extensionDetailsDao.findDetail(extensionId, ApiConstants.RESERVED_RESOURCE_DETAILS)).thenReturn(detailsVO);
+
+        List<String> result = extensionsManager.getExtensionReservedResourceDetails(extensionId);
+
+        assertNotNull(result);
+        assertEquals(3, result.size());
+        assertEquals("detail1", result.get(0));
+        assertEquals("detail2", result.get(1));
+        assertEquals("detail3", result.get(2));
+    }
+
+    @Test
+    public void getExtensionReservedResourceDetailsReturnsEmptyListWhenSplitResultsInNoParts() {
+        long extensionId = 5L;
+        ExtensionDetailsVO detailsVO = mock(ExtensionDetailsVO.class);
+        when(detailsVO.getValue()).thenReturn(",");
+        when(extensionDetailsDao.findDetail(extensionId, ApiConstants.RESERVED_RESOURCE_DETAILS)).thenReturn(detailsVO);
+
+        List<String> result = extensionsManager.getExtensionReservedResourceDetails(extensionId);
+
+        assertNotNull(result);
+        assertTrue(result.isEmpty());
+    }
+
+    @Test
+    public void addInbuiltExtensionReservedResourceDetailsDoesNothingWhenExtensionNotFound() {
+        when(extensionDao.findById(1L)).thenReturn(null);
+        List<String> reservedResourceDetails = new ArrayList<>();
+        extensionsManager.addInbuiltExtensionReservedResourceDetails(1L, reservedResourceDetails);
+        assertTrue(reservedResourceDetails.isEmpty());
+    }
+
+    @Test
+    public void addInbuiltExtensionReservedResourceDetailsDoesNothingForUserDefinedExtension() {
+        ExtensionVO extension = mock(ExtensionVO.class);
+        when(extension.isUserDefined()).thenReturn(true);
+        when(extensionDao.findById(2L)).thenReturn(extension);
+        List<String> reservedResourceDetails = new ArrayList<>();
+        reservedResourceDetails.add("existing-detail");
+        extensionsManager.addInbuiltExtensionReservedResourceDetails(2L, reservedResourceDetails);
+        assertEquals(1, reservedResourceDetails.size());
+        assertTrue(reservedResourceDetails.contains("existing-detail"));
+    }
+
+    @Test
+    public void addInbuiltExtensionReservedResourceDetailsDoesNothingWhenNoMatchFound() {
+        ExtensionVO extension = mock(ExtensionVO.class);
+        when(extension.isUserDefined()).thenReturn(false);
+        when(extension.getName()).thenReturn("no-such-inbuilt-key-expected");
+        when(extensionDao.findById(3L)).thenReturn(extension);
+        List<String> reservedResourceDetails = new ArrayList<>();
+        extensionsManager.addInbuiltExtensionReservedResourceDetails(3L, reservedResourceDetails);
+        assertTrue(reservedResourceDetails.isEmpty());
+    }
+
+    @Test
+    public void addInbuiltExtensionReservedResourceDetailsAddedDetails() {
+        ExtensionVO extension = mock(ExtensionVO.class);
+        when(extension.isUserDefined()).thenReturn(false);
+        Map.Entry<String, List<String>> entry =
+                ExtensionsManagerImpl.INBUILT_RESERVED_RESOURCE_DETAILS.entrySet().iterator().next();
+        when(extension.getName()).thenReturn(entry.getKey());
+        when(extensionDao.findById(3L)).thenReturn(extension);
+        List<String> reservedResourceDetails = new ArrayList<>();
+        extensionsManager.addInbuiltExtensionReservedResourceDetails(3L, reservedResourceDetails);
+        assertFalse(reservedResourceDetails.isEmpty());
+        assertEquals(reservedResourceDetails.size(), entry.getValue().size());
+        assertTrue(reservedResourceDetails.containsAll(entry.getValue()));
+    }
 }
diff --git a/framework/jobs/src/main/java/org/apache/cloudstack/framework/jobs/dao/AsyncJobDao.java b/framework/jobs/src/main/java/org/apache/cloudstack/framework/jobs/dao/AsyncJobDao.java
index 9f7a4ad6e058..926280bfeade 100644
--- a/framework/jobs/src/main/java/org/apache/cloudstack/framework/jobs/dao/AsyncJobDao.java
+++ b/framework/jobs/src/main/java/org/apache/cloudstack/framework/jobs/dao/AsyncJobDao.java
@@ -23,12 +23,30 @@
 
 import com.cloud.utils.db.GenericDao;
 
+import javax.annotation.Nullable;
+
 public interface AsyncJobDao extends GenericDao<AsyncJobVO, Long> {
 
     AsyncJobVO findInstancePendingAsyncJob(String instanceType, long instanceId);
 
     List<AsyncJobVO> findInstancePendingAsyncJobs(String instanceType, Long accountId);
 
+    /**
+     * Finds async job matching the given parameters.
+     * Non-null parameters are added to search criteria.
+     * Returns the most recent job by creation date.
+     * <p>
+     * When searching by resourceId and resourceType, only one active job
+     * is expected per resource, so returning a single result is sufficient.
+     *
+     * @param id           job ID
+     * @param resourceId   resource ID (instanceId)
+     * @param resourceType resource type (instanceType)
+     * @return matching job or null
+     */
+    @Nullable
+    AsyncJobVO findJob(Long id, Long resourceId, String resourceType);
+
     AsyncJobVO findPseudoJob(long threadId, long msid);
 
     void cleanupPseduoJobs(long msid);
diff --git a/framework/jobs/src/main/java/org/apache/cloudstack/framework/jobs/dao/AsyncJobDaoImpl.java b/framework/jobs/src/main/java/org/apache/cloudstack/framework/jobs/dao/AsyncJobDaoImpl.java
index a2f1f36b8637..81cc5d4f2a8c 100644
--- a/framework/jobs/src/main/java/org/apache/cloudstack/framework/jobs/dao/AsyncJobDaoImpl.java
+++ b/framework/jobs/src/main/java/org/apache/cloudstack/framework/jobs/dao/AsyncJobDaoImpl.java
@@ -22,6 +22,8 @@
 import java.util.List;
 
 import org.apache.cloudstack.api.ApiConstants;
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.lang3.StringUtils;
 
 import org.apache.cloudstack.framework.jobs.impl.AsyncJobVO;
 import org.apache.cloudstack.jobs.JobInfo;
@@ -45,6 +47,7 @@ public class AsyncJobDaoImpl extends GenericDaoBase<AsyncJobVO, Long> implements
     private final SearchBuilder<AsyncJobVO> expiringUnfinishedAsyncJobSearch;
     private final SearchBuilder<AsyncJobVO> expiringCompletedAsyncJobSearch;
     private final SearchBuilder<AsyncJobVO> failureMsidAsyncJobSearch;
+    private final SearchBuilder<AsyncJobVO> byIdResourceIdResourceTypeSearch;
     private final GenericSearchBuilder<AsyncJobVO, Long> asyncJobTypeSearch;
     private final GenericSearchBuilder<AsyncJobVO, Long> pendingNonPseudoAsyncJobsSearch;
 
@@ -95,6 +98,12 @@ public AsyncJobDaoImpl() {
         failureMsidAsyncJobSearch.and("job_cmd", failureMsidAsyncJobSearch.entity().getCmd(), Op.IN);
         failureMsidAsyncJobSearch.done();
 
+        byIdResourceIdResourceTypeSearch = createSearchBuilder();
+        byIdResourceIdResourceTypeSearch.and("id", byIdResourceIdResourceTypeSearch.entity().getId(), SearchCriteria.Op.EQ);
+        byIdResourceIdResourceTypeSearch.and("instanceId", byIdResourceIdResourceTypeSearch.entity().getInstanceId(), SearchCriteria.Op.EQ);
+        byIdResourceIdResourceTypeSearch.and("instanceType", byIdResourceIdResourceTypeSearch.entity().getInstanceType(), SearchCriteria.Op.EQ);
+        byIdResourceIdResourceTypeSearch.done();
+
         asyncJobTypeSearch = createSearchBuilder(Long.class);
         asyncJobTypeSearch.select(null, SearchCriteria.Func.COUNT, asyncJobTypeSearch.entity().getId());
         asyncJobTypeSearch.and("job_info", asyncJobTypeSearch.entity().getCmdInfo(),Op.LIKE);
@@ -140,6 +149,30 @@ public List<AsyncJobVO> findInstancePendingAsyncJobs(String instanceType, Long a
         return listBy(sc);
     }
 
+    @Override
+    public AsyncJobVO findJob(Long id, Long resourceId, String resourceType) {
+        SearchCriteria<AsyncJobVO> sc = byIdResourceIdResourceTypeSearch.create();
+
+        if (id == null && resourceId == null && StringUtils.isBlank(resourceType)) {
+            logger.debug("findJob called with all null parameters");
+            return null;
+        }
+
+        if (id != null) {
+            sc.setParameters("id", id);
+        }
+        if (resourceId != null && StringUtils.isNotBlank(resourceType)) {
+            sc.setParameters("instanceType", resourceType);
+            sc.setParameters("instanceId", resourceId);
+        }
+        Filter filter = new Filter(AsyncJobVO.class, "created", false, 0L, 1L);
+        List<AsyncJobVO> result = searchIncludingRemoved(sc, filter, Boolean.FALSE, false);
+        if (CollectionUtils.isNotEmpty(result)) {
+            return result.get(0);
+        }
+        return null;
+    }
+
     @Override
     public AsyncJobVO findPseudoJob(long threadId, long msid) {
         SearchCriteria<AsyncJobVO> sc = pseudoJobSearch.create();
diff --git a/framework/quota/src/main/java/org/apache/cloudstack/quota/QuotaAccountStateFilter.java b/framework/quota/src/main/java/org/apache/cloudstack/quota/QuotaAccountStateFilter.java
new file mode 100644
index 000000000000..cc6ca203ef79
--- /dev/null
+++ b/framework/quota/src/main/java/org/apache/cloudstack/quota/QuotaAccountStateFilter.java
@@ -0,0 +1,35 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.quota;
+
+import org.apache.commons.lang3.StringUtils;
+
+public enum QuotaAccountStateFilter {
+    ALL, ACTIVE, REMOVED;
+
+    public static QuotaAccountStateFilter getValue(String value) {
+        if (StringUtils.isBlank(value)) {
+            return null;
+        }
+        for (QuotaAccountStateFilter state : values()) {
+            if (state.name().equalsIgnoreCase(value)) {
+                return state;
+            }
+        }
+        return null;
+    }
+}
diff --git a/framework/quota/src/main/java/org/apache/cloudstack/quota/activationrule/presetvariables/PresetVariableHelper.java b/framework/quota/src/main/java/org/apache/cloudstack/quota/activationrule/presetvariables/PresetVariableHelper.java
index a2fca7b80fd5..23020292027c 100644
--- a/framework/quota/src/main/java/org/apache/cloudstack/quota/activationrule/presetvariables/PresetVariableHelper.java
+++ b/framework/quota/src/main/java/org/apache/cloudstack/quota/activationrule/presetvariables/PresetVariableHelper.java
@@ -28,12 +28,14 @@
 import com.cloud.dc.ClusterDetailsDao;
 import com.cloud.dc.ClusterDetailsVO;
 import com.cloud.host.HostTagVO;
+import com.cloud.hypervisor.Hypervisor;
 import com.cloud.network.dao.NetworkVO;
+import com.cloud.network.vpc.VpcOfferingVO;
 import com.cloud.network.vpc.VpcVO;
 import javax.inject.Inject;
 
-import com.cloud.hypervisor.Hypervisor;
 import com.cloud.storage.StoragePoolTagVO;
+import com.cloud.vm.VirtualMachine;
 import org.apache.cloudstack.acl.RoleVO;
 import org.apache.cloudstack.acl.dao.RoleDao;
 import org.apache.cloudstack.backup.BackupOfferingVO;
@@ -66,6 +68,7 @@
 import com.cloud.host.HostVO;
 import com.cloud.host.dao.HostDao;
 import com.cloud.host.dao.HostTagsDao;
+import com.cloud.network.vpc.dao.VpcOfferingDao;
 import com.cloud.offerings.NetworkOfferingVO;
 import com.cloud.offerings.dao.NetworkOfferingDao;
 import com.cloud.server.ResourceTag;
@@ -191,6 +194,9 @@ public class PresetVariableHelper {
     @Inject
     ClusterDetailsDao clusterDetailsDao;
 
+    @Inject
+    VpcOfferingDao vpcOfferingDao;
+
     protected boolean backupSnapshotAfterTakingSnapshot = SnapshotInfo.BackupSnapshotAfterTakingSnapshot.value();
 
     private List<Integer> runningAndAllocatedVmUsageTypes = Arrays.asList(UsageTypes.RUNNING_VM, UsageTypes.ALLOCATED_VM);
@@ -778,6 +784,30 @@ protected void loadPresetVariableValueForNetwork(UsageVO usageRecord, Value valu
         value.setId(network.getUuid());
         value.setName(network.getName());
         value.setState(usageRecord.getState());
+        value.setResourceCounting(getPresetVariableValueNetworkResourceCounting(networkId));
+        value.setNetworkOffering(getPresetVariableValueNetworkOffering(network.getNetworkOfferingId()));
+    }
+
+    protected ResourceCounting getPresetVariableValueNetworkResourceCounting(Long networkId) {
+        ResourceCounting resourceCounting = new ResourceCounting();
+        List<VMInstanceVO> vmInstancesVO = vmInstanceDao.listNonRemovedVmsByTypeAndNetwork(networkId, VirtualMachine.Type.User);
+        int runningVms = (int) vmInstancesVO.stream().filter(vm -> vm.getState().equals(VirtualMachine.State.Running)).count();
+        int stoppedVms = (int) vmInstancesVO.stream().filter(vm -> vm.getState().equals(VirtualMachine.State.Stopped)).count();
+
+        resourceCounting.setRunningVms(runningVms);
+        resourceCounting.setStoppedVms(stoppedVms);
+        return resourceCounting;
+    }
+
+    protected GenericPresetVariable getPresetVariableValueNetworkOffering(Long networkOfferingId) {
+        NetworkOfferingVO networkOfferingVo = networkOfferingDao.findByIdIncludingRemoved(networkOfferingId);
+        validateIfObjectIsNull(networkOfferingVo, networkOfferingId, "network offering");
+
+        GenericPresetVariable networkOffering = new GenericPresetVariable();
+        networkOffering.setId(networkOfferingVo.getUuid());
+        networkOffering.setName(networkOfferingVo.getName());
+
+        return networkOffering;
     }
 
     protected void loadPresetVariableValueForVpc(UsageVO usageRecord, Value value) {
@@ -793,6 +823,18 @@ protected void loadPresetVariableValueForVpc(UsageVO usageRecord, Value value) {
 
         value.setId(vpc.getUuid());
         value.setName(vpc.getName());
+        value.setVpcOffering(getPresetVariableValueVpcOffering(vpc.getVpcOfferingId()));
+    }
+
+    protected GenericPresetVariable getPresetVariableValueVpcOffering(Long vpcOfferingId) {
+        VpcOfferingVO vpcOfferingVo = vpcOfferingDao.findByIdIncludingRemoved(vpcOfferingId);
+        validateIfObjectIsNull(vpcOfferingVo, vpcOfferingId, "vpc offering");
+
+        GenericPresetVariable vpcOffering = new GenericPresetVariable();
+        vpcOffering.setId(vpcOfferingVo.getUuid());
+        vpcOffering.setName(vpcOfferingVo.getName());
+
+        return vpcOffering;
     }
 
     /**
diff --git a/framework/quota/src/main/java/org/apache/cloudstack/quota/activationrule/presetvariables/ResourceCounting.java b/framework/quota/src/main/java/org/apache/cloudstack/quota/activationrule/presetvariables/ResourceCounting.java
new file mode 100644
index 000000000000..75049c3486a3
--- /dev/null
+++ b/framework/quota/src/main/java/org/apache/cloudstack/quota/activationrule/presetvariables/ResourceCounting.java
@@ -0,0 +1,52 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.cloudstack.quota.activationrule.presetvariables;
+
+
+import org.apache.cloudstack.quota.constant.QuotaTypes;
+import org.apache.commons.lang3.builder.ToStringBuilder;
+import org.apache.commons.lang3.builder.ToStringStyle;
+
+public class ResourceCounting {
+
+    @PresetVariableDefinition(description = "The number of running user instances.", supportedTypes = {QuotaTypes.NETWORK})
+    private int runningVms;
+    @PresetVariableDefinition(description = "The number of stopped user instances.", supportedTypes = {QuotaTypes.NETWORK})
+    private int stoppedVms;
+
+    public int getRunningVms() {
+        return runningVms;
+    }
+
+    public void setRunningVms(int runningVms) {
+        this.runningVms = runningVms;
+    }
+
+    public int getStoppedVms() {
+        return stoppedVms;
+    }
+
+    public void setStoppedVms(int stoppedVms) {
+        this.stoppedVms = stoppedVms;
+    }
+
+    @Override
+    public String toString() {
+        return ToStringBuilder.reflectionToString(this, ToStringStyle.JSON_STYLE);
+    }
+}
diff --git a/framework/quota/src/main/java/org/apache/cloudstack/quota/activationrule/presetvariables/Value.java b/framework/quota/src/main/java/org/apache/cloudstack/quota/activationrule/presetvariables/Value.java
index ac776d13c578..286fe5c60fd5 100644
--- a/framework/quota/src/main/java/org/apache/cloudstack/quota/activationrule/presetvariables/Value.java
+++ b/framework/quota/src/main/java/org/apache/cloudstack/quota/activationrule/presetvariables/Value.java
@@ -84,6 +84,9 @@ public class Value extends GenericPresetVariable {
     @PresetVariableDefinition(description = "Backup offering of the backup.", supportedTypes = {QuotaTypes.BACKUP})
     private BackupOffering backupOffering;
 
+    @PresetVariableDefinition(description = "The amount of resources of the usage type.")
+    private ResourceCounting resourceCounting;
+
     @PresetVariableDefinition(description = "The hypervisor where the resource was deployed. Values can be: XenServer, KVM, VMware, Hyperv, BareMetal, Ovm, Ovm3 and LXC.",
             supportedTypes = {QuotaTypes.RUNNING_VM, QuotaTypes.ALLOCATED_VM, QuotaTypes.VM_SNAPSHOT, QuotaTypes.SNAPSHOT})
     private String hypervisorType;
@@ -96,6 +99,12 @@ public class Value extends GenericPresetVariable {
 
     private String state;
 
+    @PresetVariableDefinition(description = "Network offering of the network.", supportedTypes = {QuotaTypes.NETWORK})
+    private GenericPresetVariable networkOffering;
+
+    @PresetVariableDefinition(description = "VPC offering of the VPC.", supportedTypes = {QuotaTypes.VPC})
+    private GenericPresetVariable vpcOffering;
+
     public Host getHost() {
         return host;
     }
@@ -255,4 +264,28 @@ public String getState() {
     public void setState(String state) {
         this.state = state;
     }
+
+    public ResourceCounting getResourceCounting() {
+        return resourceCounting;
+    }
+
+    public void setResourceCounting(ResourceCounting resourceCounting) {
+        this.resourceCounting = resourceCounting;
+    }
+
+    public GenericPresetVariable getNetworkOffering() {
+        return networkOffering;
+    }
+
+    public void setNetworkOffering(GenericPresetVariable networkOffering) {
+        this.networkOffering = networkOffering;
+    }
+
+    public GenericPresetVariable getVpcOffering() {
+        return vpcOffering;
+    }
+
+    public void setVpcOffering(GenericPresetVariable vpcOffering) {
+        this.vpcOffering = vpcOffering;
+    }
 }
diff --git a/framework/quota/src/main/java/org/apache/cloudstack/quota/dao/QuotaSummaryDao.java b/framework/quota/src/main/java/org/apache/cloudstack/quota/dao/QuotaSummaryDao.java
new file mode 100644
index 000000000000..d8ee26075014
--- /dev/null
+++ b/framework/quota/src/main/java/org/apache/cloudstack/quota/dao/QuotaSummaryDao.java
@@ -0,0 +1,32 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.cloudstack.quota.dao;
+
+import java.util.List;
+
+import org.apache.cloudstack.quota.QuotaAccountStateFilter;
+import org.apache.cloudstack.quota.vo.QuotaSummaryVO;
+
+import com.cloud.utils.Pair;
+import com.cloud.utils.db.GenericDao;
+
+public interface QuotaSummaryDao extends GenericDao<QuotaSummaryVO, Long> {
+
+    Pair<List<QuotaSummaryVO>, Integer> listQuotaSummariesForAccountAndOrDomain(Long accountId, String accountName, Long domainId, String domainPath,
+                                                                                QuotaAccountStateFilter accountStateFilter, Long startIndex, Long pageSize);
+}
diff --git a/framework/quota/src/main/java/org/apache/cloudstack/quota/dao/QuotaSummaryDaoImpl.java b/framework/quota/src/main/java/org/apache/cloudstack/quota/dao/QuotaSummaryDaoImpl.java
new file mode 100644
index 000000000000..d90d5a75859e
--- /dev/null
+++ b/framework/quota/src/main/java/org/apache/cloudstack/quota/dao/QuotaSummaryDaoImpl.java
@@ -0,0 +1,80 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.cloudstack.quota.dao;
+
+import java.util.List;
+
+import org.apache.cloudstack.quota.QuotaAccountStateFilter;
+import org.apache.cloudstack.quota.vo.QuotaSummaryVO;
+
+import com.cloud.utils.Pair;
+import com.cloud.utils.db.Filter;
+import com.cloud.utils.db.GenericDaoBase;
+import com.cloud.utils.db.SearchBuilder;
+import com.cloud.utils.db.SearchCriteria;
+import com.cloud.utils.db.Transaction;
+import com.cloud.utils.db.TransactionCallback;
+import com.cloud.utils.db.TransactionLegacy;
+
+public class QuotaSummaryDaoImpl extends GenericDaoBase<QuotaSummaryVO, Long> implements QuotaSummaryDao {
+
+    @Override
+    public Pair<List<QuotaSummaryVO>, Integer> listQuotaSummariesForAccountAndOrDomain(Long accountId, String accountName, Long domainId, String domainPath,
+                                                                                       QuotaAccountStateFilter accountStateFilter, Long startIndex, Long pageSize) {
+        SearchCriteria<QuotaSummaryVO> searchCriteria = createListQuotaSummariesSearchCriteria(accountId, accountName, domainId, domainPath, accountStateFilter);
+        Filter filter = new Filter(QuotaSummaryVO.class, "accountName", true, startIndex, pageSize);
+
+        return Transaction.execute(TransactionLegacy.USAGE_DB, (TransactionCallback<Pair<List<QuotaSummaryVO>, Integer>>) status -> searchAndCount(searchCriteria, filter));
+    }
+
+    protected SearchCriteria<QuotaSummaryVO> createListQuotaSummariesSearchCriteria(Long accountId, String accountName, Long domainId, String domainPath,
+                                                                                    QuotaAccountStateFilter accountStateFilter) {
+        SearchCriteria<QuotaSummaryVO> searchCriteria = createListQuotaSummariesSearchBuilder(accountStateFilter).create();
+
+        searchCriteria.setParametersIfNotNull("accountId", accountId);
+        searchCriteria.setParametersIfNotNull("domainId", domainId);
+
+        if (accountName != null) {
+            searchCriteria.setParameters("accountName", "%" + accountName + "%");
+        }
+
+        if (domainPath != null) {
+            searchCriteria.setParameters("domainPath", domainPath + "%");
+        }
+
+        return searchCriteria;
+    }
+
+    protected SearchBuilder<QuotaSummaryVO> createListQuotaSummariesSearchBuilder(QuotaAccountStateFilter accountStateFilter) {
+        SearchBuilder<QuotaSummaryVO> searchBuilder = createSearchBuilder();
+
+        searchBuilder.and("accountId", searchBuilder.entity().getAccountId(), SearchCriteria.Op.EQ);
+        searchBuilder.and("accountName", searchBuilder.entity().getAccountName(), SearchCriteria.Op.LIKE);
+        searchBuilder.and("domainId", searchBuilder.entity().getDomainId(), SearchCriteria.Op.EQ);
+        searchBuilder.and("domainPath", searchBuilder.entity().getDomainPath(), SearchCriteria.Op.LIKE);
+
+        if (QuotaAccountStateFilter.REMOVED.equals(accountStateFilter)) {
+            searchBuilder.and("accountRemoved", searchBuilder.entity().getAccountRemoved(), SearchCriteria.Op.NNULL);
+        } else if (QuotaAccountStateFilter.ACTIVE.equals(accountStateFilter)) {
+            searchBuilder.and("accountRemoved", searchBuilder.entity().getAccountRemoved(), SearchCriteria.Op.NULL);
+        }
+
+        return searchBuilder;
+    }
+
+}
diff --git a/framework/quota/src/main/java/org/apache/cloudstack/quota/dao/QuotaTariffUsageDao.java b/framework/quota/src/main/java/org/apache/cloudstack/quota/dao/QuotaTariffUsageDao.java
new file mode 100644
index 000000000000..9684ca117b56
--- /dev/null
+++ b/framework/quota/src/main/java/org/apache/cloudstack/quota/dao/QuotaTariffUsageDao.java
@@ -0,0 +1,29 @@
+//Licensed to the Apache Software Foundation (ASF) under one
+//or more contributor license agreements.  See the NOTICE file
+//distributed with this work for additional information
+//regarding copyright ownership.  The ASF licenses this file
+//to you under the Apache License, Version 2.0 (the
+//"License"); you may not use this file except in compliance
+//with the License.  You may obtain a copy of the License at
+//
+//http://www.apache.org/licenses/LICENSE-2.0
+//
+//Unless required by applicable law or agreed to in writing,
+//software distributed under the License is distributed on an
+//"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+//KIND, either express or implied.  See the License for the
+//specific language governing permissions and limitations
+//under the License.
+package org.apache.cloudstack.quota.dao;
+
+import com.cloud.utils.db.GenericDao;
+import org.apache.cloudstack.quota.vo.QuotaTariffUsageVO;
+import java.util.List;
+
+public interface QuotaTariffUsageDao extends GenericDao<QuotaTariffUsageVO, Long> {
+
+    void persistQuotaTariffUsage(QuotaTariffUsageVO quotaTariffUsage);
+
+    List<QuotaTariffUsageVO> listQuotaTariffUsages(Long quotaUsageId);
+
+}
diff --git a/framework/quota/src/main/java/org/apache/cloudstack/quota/dao/QuotaTariffUsageDaoImpl.java b/framework/quota/src/main/java/org/apache/cloudstack/quota/dao/QuotaTariffUsageDaoImpl.java
new file mode 100644
index 000000000000..556f552fed69
--- /dev/null
+++ b/framework/quota/src/main/java/org/apache/cloudstack/quota/dao/QuotaTariffUsageDaoImpl.java
@@ -0,0 +1,56 @@
+//Licensed to the Apache Software Foundation (ASF) under one
+//or more contributor license agreements.  See the NOTICE file
+//distributed with this work for additional information
+//regarding copyright ownership.  The ASF licenses this file
+//to you under the Apache License, Version 2.0 (the
+//"License"); you may not use this file except in compliance
+//with the License.  You may obtain a copy of the License at
+//
+//http://www.apache.org/licenses/LICENSE-2.0
+//
+//Unless required by applicable law or agreed to in writing,
+//software distributed under the License is distributed on an
+//"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+//KIND, either express or implied.  See the License for the
+//specific language governing permissions and limitations
+//under the License.
+package org.apache.cloudstack.quota.dao;
+
+import com.cloud.utils.db.SearchBuilder;
+import com.cloud.utils.db.SearchCriteria;
+import org.apache.cloudstack.quota.vo.QuotaTariffUsageVO;
+import org.springframework.stereotype.Component;
+
+import com.cloud.utils.db.GenericDaoBase;
+import com.cloud.utils.db.Transaction;
+import com.cloud.utils.db.TransactionCallback;
+import com.cloud.utils.db.TransactionLegacy;
+
+import javax.annotation.PostConstruct;
+import java.util.List;
+
+@Component
+public class QuotaTariffUsageDaoImpl extends GenericDaoBase<QuotaTariffUsageVO, Long> implements QuotaTariffUsageDao {
+    private SearchBuilder<QuotaTariffUsageVO> searchQuotaTariffUsages;
+
+    @PostConstruct
+    public void init() {
+        searchQuotaTariffUsages = createSearchBuilder();
+        searchQuotaTariffUsages.and("quotaUsageId", searchQuotaTariffUsages.entity().getQuotaUsageId(), SearchCriteria.Op.EQ);
+        searchQuotaTariffUsages.done();
+    }
+
+    @Override
+    public void persistQuotaTariffUsage(final QuotaTariffUsageVO quotaTariffUsage) {
+        logger.trace("Persisting quota tariff usage [{}].", quotaTariffUsage);
+        Transaction.execute(TransactionLegacy.USAGE_DB, (TransactionCallback<QuotaTariffUsageVO>) status -> persist(quotaTariffUsage));
+    }
+
+    @Override
+    public List<QuotaTariffUsageVO> listQuotaTariffUsages(Long quotaUsageId) {
+        SearchCriteria<QuotaTariffUsageVO> sc = searchQuotaTariffUsages.create();
+        sc.setParameters("quotaUsageId", quotaUsageId);
+        return Transaction.execute(TransactionLegacy.USAGE_DB, (TransactionCallback<List<QuotaTariffUsageVO>>) status -> listBy(sc));
+    }
+
+}
diff --git a/framework/quota/src/main/java/org/apache/cloudstack/quota/dao/QuotaUsageJoinDao.java b/framework/quota/src/main/java/org/apache/cloudstack/quota/dao/QuotaUsageJoinDao.java
new file mode 100644
index 000000000000..126fa11413f7
--- /dev/null
+++ b/framework/quota/src/main/java/org/apache/cloudstack/quota/dao/QuotaUsageJoinDao.java
@@ -0,0 +1,31 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+
+package org.apache.cloudstack.quota.dao;
+
+import com.cloud.utils.db.GenericDao;
+import org.apache.cloudstack.quota.vo.QuotaUsageJoinVO;
+
+import java.util.Date;
+import java.util.List;
+
+public interface QuotaUsageJoinDao extends GenericDao<QuotaUsageJoinVO, Long> {
+
+    List<QuotaUsageJoinVO> findQuotaUsage(Long accountId, Long domainId, Integer usageType, Long resourceId, Long networkId, Long offeringId, Date startDate, Date endDate, Long tariffId);
+
+}
diff --git a/framework/quota/src/main/java/org/apache/cloudstack/quota/dao/QuotaUsageJoinDaoImpl.java b/framework/quota/src/main/java/org/apache/cloudstack/quota/dao/QuotaUsageJoinDaoImpl.java
new file mode 100644
index 000000000000..b98ea2b3a5d2
--- /dev/null
+++ b/framework/quota/src/main/java/org/apache/cloudstack/quota/dao/QuotaUsageJoinDaoImpl.java
@@ -0,0 +1,94 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+package org.apache.cloudstack.quota.dao;
+
+import com.cloud.utils.db.GenericDaoBase;
+import com.cloud.utils.db.JoinBuilder;
+import com.cloud.utils.db.SearchBuilder;
+import com.cloud.utils.db.SearchCriteria;
+import com.cloud.utils.db.Transaction;
+import com.cloud.utils.db.TransactionCallback;
+import com.cloud.utils.db.TransactionLegacy;
+import org.apache.cloudstack.quota.vo.QuotaTariffUsageVO;
+import org.apache.cloudstack.quota.vo.QuotaUsageJoinVO;
+import org.apache.commons.lang3.ObjectUtils;
+import org.springframework.stereotype.Component;
+
+import javax.annotation.PostConstruct;
+import javax.inject.Inject;
+import java.util.Date;
+import java.util.List;
+
+@Component
+public class QuotaUsageJoinDaoImpl extends GenericDaoBase<QuotaUsageJoinVO, Long> implements QuotaUsageJoinDao {
+
+    private SearchBuilder<QuotaUsageJoinVO> searchQuotaUsages;
+
+    private SearchBuilder<QuotaUsageJoinVO> searchQuotaUsagesJoinTariffUsages;
+
+    @Inject
+    private QuotaTariffUsageDao quotaTariffUsageDao;
+
+    @PostConstruct
+    public void init() {
+        searchQuotaUsages = createSearchBuilder();
+        prepareQuotaUsageSearchBuilder(searchQuotaUsages);
+        searchQuotaUsages.done();
+
+        SearchBuilder<QuotaTariffUsageVO> searchQuotaTariffUsages = quotaTariffUsageDao.createSearchBuilder();
+        searchQuotaTariffUsages.and("tariffId", searchQuotaTariffUsages.entity().getTariffId(), SearchCriteria.Op.EQ);
+        searchQuotaUsagesJoinTariffUsages = createSearchBuilder();
+        prepareQuotaUsageSearchBuilder(searchQuotaUsagesJoinTariffUsages);
+        searchQuotaUsagesJoinTariffUsages.join("searchQuotaTariffUsages", searchQuotaTariffUsages, searchQuotaUsagesJoinTariffUsages.entity().getId(),
+                searchQuotaTariffUsages.entity().getQuotaUsageId(), JoinBuilder.JoinType.INNER);
+        searchQuotaUsagesJoinTariffUsages.done();
+    }
+
+    private void prepareQuotaUsageSearchBuilder(SearchBuilder<QuotaUsageJoinVO> searchBuilder) {
+        searchBuilder.and("accountId", searchBuilder.entity().getAccountId(), SearchCriteria.Op.EQ);
+        searchBuilder.and("domainId", searchBuilder.entity().getDomainId(), SearchCriteria.Op.EQ);
+        searchBuilder.and("usageType", searchBuilder.entity().getUsageType(), SearchCriteria.Op.EQ);
+        searchBuilder.and("resourceId", searchBuilder.entity().getResourceId(), SearchCriteria.Op.EQ);
+        searchBuilder.and("networkId", searchBuilder.entity().getNetworkId(), SearchCriteria.Op.EQ);
+        searchBuilder.and("offeringId", searchBuilder.entity().getOfferingId(), SearchCriteria.Op.EQ);
+        searchBuilder.and("startDate", searchBuilder.entity().getStartDate(), SearchCriteria.Op.BETWEEN);
+        searchBuilder.and("endDate", searchBuilder.entity().getEndDate(), SearchCriteria.Op.BETWEEN);
+    }
+
+    @Override
+    public List<QuotaUsageJoinVO> findQuotaUsage(Long accountId, Long domainId, Integer usageType, Long resourceId, Long networkId, Long offeringId, Date startDate, Date endDate, Long tariffId) {
+        SearchCriteria<QuotaUsageJoinVO> sc = tariffId == null ? searchQuotaUsages.create() : searchQuotaUsagesJoinTariffUsages.create();
+
+        sc.setParametersIfNotNull("accountId", accountId);
+        sc.setParametersIfNotNull("domainId", domainId);
+        sc.setParametersIfNotNull("usageType", usageType);
+        sc.setParametersIfNotNull("resourceId", resourceId);
+        sc.setParametersIfNotNull("networkId", networkId);
+        sc.setParametersIfNotNull("offeringId", offeringId);
+
+        if (ObjectUtils.allNotNull(startDate, endDate)) {
+            sc.setParameters("startDate", startDate, endDate);
+            sc.setParameters("endDate", startDate, endDate);
+        }
+
+        sc.setJoinParametersIfNotNull("searchQuotaTariffUsages", "tariffId", tariffId);
+
+        return Transaction.execute(TransactionLegacy.USAGE_DB, (TransactionCallback<List<QuotaUsageJoinVO>>) status -> listBy(sc));
+    }
+
+}
diff --git a/framework/quota/src/main/java/org/apache/cloudstack/quota/vo/QuotaSummaryVO.java b/framework/quota/src/main/java/org/apache/cloudstack/quota/vo/QuotaSummaryVO.java
new file mode 100644
index 000000000000..f9796497d57d
--- /dev/null
+++ b/framework/quota/src/main/java/org/apache/cloudstack/quota/vo/QuotaSummaryVO.java
@@ -0,0 +1,154 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.cloudstack.quota.vo;
+
+import java.math.BigDecimal;
+import java.util.Date;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.EnumType;
+import javax.persistence.Enumerated;
+import javax.persistence.Id;
+import javax.persistence.Table;
+import javax.persistence.Temporal;
+import javax.persistence.TemporalType;
+
+import com.cloud.user.Account;
+
+@Entity
+@Table(name = "quota_summary_view")
+public class QuotaSummaryVO {
+
+    @Id
+    @Column(name = "account_id")
+    private Long accountId = null;
+
+    @Column(name = "quota_enforce")
+    private Integer quotaEnforce = 0;
+
+    @Column(name = "quota_balance")
+    private BigDecimal quotaBalance;
+
+    @Column(name = "quota_balance_date")
+    @Temporal(value = TemporalType.TIMESTAMP)
+    private Date quotaBalanceDate = null;
+
+    @Column(name = "quota_min_balance")
+    private BigDecimal quotaMinBalance;
+
+    @Column(name = "quota_alert_type")
+    private Integer quotaAlertType = null;
+
+    @Column(name = "quota_alert_date")
+    @Temporal(value = TemporalType.TIMESTAMP)
+    private Date quotaAlertDate = null;
+
+    @Column(name = "last_statement_date")
+    @Temporal(value = TemporalType.TIMESTAMP)
+    private Date lastStatementDate = null;
+
+    @Column(name = "account_uuid")
+    private String accountUuid;
+
+    @Column(name = "account_name")
+    private String accountName;
+
+    @Column(name = "account_state")
+    @Enumerated(EnumType.STRING)
+    private Account.State accountState;
+
+    @Column(name = "account_removed")
+    private Date accountRemoved;
+
+    @Column(name = "domain_id")
+    private Long domainId;
+
+    @Column(name = "domain_uuid")
+    private String domainUuid;
+
+    @Column(name = "domain_name")
+    private String domainName;
+
+    @Column(name = "domain_path")
+    private String domainPath;
+
+    @Column(name = "domain_removed")
+    private Date domainRemoved;
+
+    @Column(name = "project_uuid")
+    private String projectUuid;
+
+    @Column(name = "project_name")
+    private String projectName;
+
+    @Column(name = "project_removed")
+    private Date projectRemoved;
+
+    public Long getAccountId() {
+        return accountId;
+    }
+
+    public BigDecimal getQuotaBalance() {
+        return quotaBalance;
+    }
+
+    public String getAccountUuid() {
+        return accountUuid;
+    }
+
+    public String getAccountName() {
+        return accountName;
+    }
+
+    public Date getAccountRemoved() {
+        return accountRemoved;
+    }
+
+    public Account.State getAccountState() {
+        return accountState;
+    }
+
+    public Long getDomainId() {
+        return domainId;
+    }
+
+    public String getDomainUuid() {
+        return domainUuid;
+    }
+
+    public String getDomainPath() {
+        return domainPath;
+    }
+
+    public Date getDomainRemoved() {
+        return domainRemoved;
+    }
+
+    public String getProjectUuid() {
+        return projectUuid;
+    }
+
+    public String getProjectName() {
+        return projectName;
+    }
+
+    public Date getProjectRemoved() {
+        return projectRemoved;
+    }
+}
diff --git a/framework/quota/src/main/java/org/apache/cloudstack/quota/vo/QuotaTariffUsageVO.java b/framework/quota/src/main/java/org/apache/cloudstack/quota/vo/QuotaTariffUsageVO.java
new file mode 100644
index 000000000000..4fa9e771713e
--- /dev/null
+++ b/framework/quota/src/main/java/org/apache/cloudstack/quota/vo/QuotaTariffUsageVO.java
@@ -0,0 +1,86 @@
+//Licensed to the Apache Software Foundation (ASF) under one
+//or more contributor license agreements.  See the NOTICE file
+//distributed with this work for additional information
+//regarding copyright ownership.  The ASF licenses this file
+//to you under the Apache License, Version 2.0 (the
+//"License"); you may not use this file except in compliance
+//with the License.  You may obtain a copy of the License at
+//
+//http://www.apache.org/licenses/LICENSE-2.0
+//
+//Unless required by applicable law or agreed to in writing,
+//software distributed under the License is distributed on an
+//"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+//KIND, either express or implied.  See the License for the
+//specific language governing permissions and limitations
+//under the License.
+package org.apache.cloudstack.quota.vo;
+
+import java.math.BigDecimal;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.Id;
+import javax.persistence.Table;
+import org.apache.cloudstack.api.InternalIdentity;
+import org.apache.commons.lang3.builder.ReflectionToStringBuilder;
+import org.apache.commons.lang3.builder.ToStringStyle;
+
+@Entity
+@Table(name = "quota_tariff_usage")
+public class QuotaTariffUsageVO implements InternalIdentity {
+    @Id
+    @Column(name = "id")
+    private Long id;
+
+    @Column(name = "tariff_id")
+    private Long tariffId;
+
+    @Column(name = "quota_usage_id")
+    private Long quotaUsageId;
+
+    @Column(name = "quota_used")
+    private BigDecimal quotaUsed;
+
+    public QuotaTariffUsageVO() {
+        quotaUsed = new BigDecimal(0);
+    }
+
+    @Override
+    public long getId() {
+        return id;
+    }
+
+    public Long getTariffId() {
+        return tariffId;
+    }
+
+    public Long getQuotaUsageId() {
+        return quotaUsageId;
+    }
+
+    public BigDecimal getQuotaUsed() {
+        return quotaUsed;
+    }
+
+    public void setId(Long id) {
+        this.id = id;
+    }
+
+    public void setTariffId(Long tariffId) {
+        this.tariffId = tariffId;
+    }
+
+    public void setQuotaUsageId(Long quotaUsageId) {
+        this.quotaUsageId = quotaUsageId;
+    }
+
+    public void setQuotaUsed(BigDecimal quotaUsed) {
+        this.quotaUsed = quotaUsed;
+    }
+
+    @Override
+    public String toString() {
+        return new ReflectionToStringBuilder(this, ToStringStyle.JSON_STYLE).toString();
+    }
+}
diff --git a/framework/quota/src/main/java/org/apache/cloudstack/quota/vo/QuotaUsageJoinVO.java b/framework/quota/src/main/java/org/apache/cloudstack/quota/vo/QuotaUsageJoinVO.java
new file mode 100644
index 000000000000..df9577e23c3e
--- /dev/null
+++ b/framework/quota/src/main/java/org/apache/cloudstack/quota/vo/QuotaUsageJoinVO.java
@@ -0,0 +1,179 @@
+//Licensed to the Apache Software Foundation (ASF) under one
+//or more contributor license agreements.  See the NOTICE file
+//distributed with this work for additional information
+//regarding copyright ownership.  The ASF licenses this file
+//to you under the Apache License, Version 2.0 (the
+//"License"); you may not use this file except in compliance
+//with the License.  You may obtain a copy of the License at
+//
+//http://www.apache.org/licenses/LICENSE-2.0
+//
+//Unless required by applicable law or agreed to in writing,
+//software distributed under the License is distributed on an
+//"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+//KIND, either express or implied.  See the License for the
+//specific language governing permissions and limitations
+//under the License.
+package org.apache.cloudstack.quota.vo;
+
+import org.apache.cloudstack.api.InternalIdentity;
+import org.apache.cloudstack.utils.reflectiontostringbuilderutils.ReflectionToStringBuilderUtils;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.Id;
+import javax.persistence.Table;
+import javax.persistence.Temporal;
+import javax.persistence.TemporalType;
+import java.math.BigDecimal;
+import java.util.Date;
+
+@Entity
+@Table(name = "quota_usage_view")
+public class QuotaUsageJoinVO implements InternalIdentity {
+
+    @Id
+    @Column(name = "id", updatable = false, nullable = false)
+    private Long id;
+
+    @Column(name = "zone_id")
+    private Long zoneId = null;
+
+    @Column(name = "account_id")
+    private Long accountId = null;
+
+    @Column(name = "domain_id")
+    private Long domainId = null;
+
+    @Column(name = "usage_item_id")
+    private Long usageItemId;
+
+    @Column(name = "usage_type")
+    private int usageType;
+
+    @Column(name = "quota_used")
+    private BigDecimal quotaUsed;
+
+    @Column(name = "start_date")
+    @Temporal(value = TemporalType.TIMESTAMP)
+    private Date startDate = null;
+
+    @Column(name = "end_date")
+    @Temporal(value = TemporalType.TIMESTAMP)
+    private Date endDate = null;
+
+    @Column(name = "resource_id")
+    private Long resourceId = null;
+
+    @Column(name = "network_id")
+    private Long networkId = null;
+
+    @Column(name = "offering_id")
+    private Long offeringId = null;
+
+    @Override
+    public long getId() {
+        return id;
+    }
+
+    public void setId(Long id) {
+        this.id = id;
+    }
+
+    public Long getZoneId() {
+        return zoneId;
+    }
+
+    public void setZoneId(Long zoneId) {
+        this.zoneId = zoneId;
+    }
+
+    public Long getAccountId() {
+        return accountId;
+    }
+
+    public void setAccountId(Long accountId) {
+        this.accountId = accountId;
+    }
+
+    public Long getDomainId() {
+        return domainId;
+    }
+
+    public void setDomainId(Long domainId) {
+        this.domainId = domainId;
+    }
+
+    public Long getUsageItemId() {
+        return usageItemId;
+    }
+
+    public void setUsageItemId(Long usageItemId) {
+        this.usageItemId = usageItemId;
+    }
+
+    public int getUsageType() {
+        return usageType;
+    }
+
+    public void setUsageType(int usageType) {
+        this.usageType = usageType;
+    }
+
+    public BigDecimal getQuotaUsed() {
+        return quotaUsed;
+    }
+
+    public void setQuotaUsed(BigDecimal quotaUsed) {
+        this.quotaUsed = quotaUsed;
+    }
+
+    public Date getStartDate() {
+        return startDate;
+    }
+
+    public void setStartDate(Date startDate) {
+        this.startDate = startDate;
+    }
+
+    public Date getEndDate() {
+        return endDate;
+    }
+
+    public void setEndDate(Date endDate) {
+        this.endDate = endDate;
+    }
+
+    public Long getResourceId() {
+        return resourceId;
+    }
+
+    public void setResourceId(Long resourceId) {
+        this.resourceId = resourceId;
+    }
+
+    public Long getNetworkId() {
+        return networkId;
+    }
+
+    public void setNetworkId(Long networkId) {
+        this.networkId = networkId;
+    }
+
+    public Long getOfferingId() {
+        return offeringId;
+    }
+
+    public void setOfferingId(Long offeringId) {
+        this.offeringId = offeringId;
+    }
+
+    public QuotaUsageJoinVO () {
+    }
+
+    @Override
+    public String toString() {
+        return ReflectionToStringBuilderUtils.reflectOnlySelectedFields(this, "id", "zoneId", "accountId", "domainId", "usageItemId", "usageType", "quotaUsed", "startDate",
+                "endDate", "resourceId");
+    }
+}
diff --git a/framework/quota/src/main/java/org/apache/cloudstack/quota/vo/QuotaUsageResourceVO.java b/framework/quota/src/main/java/org/apache/cloudstack/quota/vo/QuotaUsageResourceVO.java
new file mode 100644
index 000000000000..924824231005
--- /dev/null
+++ b/framework/quota/src/main/java/org/apache/cloudstack/quota/vo/QuotaUsageResourceVO.java
@@ -0,0 +1,62 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+
+package org.apache.cloudstack.quota.vo;
+
+import java.util.Date;
+
+public class QuotaUsageResourceVO {
+    private String uuid;
+    private String name;
+    private Date removed;
+
+    public String getUuid() {
+        return uuid;
+    }
+
+    public void setUuid(String uuid) {
+        this.uuid = uuid;
+    }
+
+    public String getName() {
+        return name;
+    }
+
+    public void setName(String name) {
+        this.name = name;
+    }
+
+    public Date getRemoved() {
+        return removed;
+    }
+
+    public void setRemoved(Date removed) {
+        this.removed = removed;
+    }
+
+    public boolean isRemoved() {
+        return this.removed != null;
+    }
+
+    public QuotaUsageResourceVO(String uuid, String name, Date removed) {
+        this.uuid = uuid;
+        this.name = name;
+        this.removed = removed;
+    }
+}
diff --git a/framework/quota/src/main/resources/META-INF/cloudstack/quota/spring-framework-quota-context.xml b/framework/quota/src/main/resources/META-INF/cloudstack/quota/spring-framework-quota-context.xml
index 453355c8522d..5ca2679c388c 100644
--- a/framework/quota/src/main/resources/META-INF/cloudstack/quota/spring-framework-quota-context.xml
+++ b/framework/quota/src/main/resources/META-INF/cloudstack/quota/spring-framework-quota-context.xml
@@ -19,13 +19,16 @@
 
 	<bean id="presetVariableHelper" class="org.apache.cloudstack.quota.activationrule.presetvariables.PresetVariableHelper" />
 	<bean id="QuotaTariffDao" class="org.apache.cloudstack.quota.dao.QuotaTariffDaoImpl" />
-    <bean id="QuotaAccountDao" class="org.apache.cloudstack.quota.dao.QuotaAccountDaoImpl" />
+	<bean id="QuotaSummaryDao" class="org.apache.cloudstack.quota.dao.QuotaSummaryDaoImpl" />
+	<bean id="QuotaAccountDao" class="org.apache.cloudstack.quota.dao.QuotaAccountDaoImpl" />
 	<bean id="QuotaBalanceDao" class="org.apache.cloudstack.quota.dao.QuotaBalanceDaoImpl" />
 	<bean id="QuotaCreditsDao" class="org.apache.cloudstack.quota.dao.QuotaCreditsDaoImpl" />
 	<bean id="QuotaEmailTemplatesDao"
 		class="org.apache.cloudstack.quota.dao.QuotaEmailTemplatesDaoImpl" />
 	<bean id="QuotaUsageDao" class="org.apache.cloudstack.quota.dao.QuotaUsageDaoImpl" />
-    <bean id="UserVmDetailsDao" class="org.apache.cloudstack.quota.dao.VMInstanceDetailsDaoImpl" />
+	<bean id="QuotaUsageJoinDao" class="org.apache.cloudstack.quota.dao.QuotaUsageJoinDaoImpl"/>
+	<bean id="QuotaTariffUsageDao" class="org.apache.cloudstack.quota.dao.QuotaTariffUsageDaoImpl" />
+	<bean id="UserVmDetailsDao" class="org.apache.cloudstack.quota.dao.VMInstanceDetailsDaoImpl" />
 
 	<bean id="QuotaManager" class="org.apache.cloudstack.quota.QuotaManagerImpl" />
     <bean id="QuotaAlertManager" class="org.apache.cloudstack.quota.QuotaAlertManagerImpl" />
diff --git a/framework/quota/src/test/java/org/apache/cloudstack/quota/activationrule/presetvariables/PresetVariableHelperTest.java b/framework/quota/src/test/java/org/apache/cloudstack/quota/activationrule/presetvariables/PresetVariableHelperTest.java
index 85397503587e..bcdbc3b46cec 100644
--- a/framework/quota/src/test/java/org/apache/cloudstack/quota/activationrule/presetvariables/PresetVariableHelperTest.java
+++ b/framework/quota/src/test/java/org/apache/cloudstack/quota/activationrule/presetvariables/PresetVariableHelperTest.java
@@ -31,14 +31,22 @@
 import com.cloud.dc.ClusterDetailsVO;
 import com.cloud.host.HostTagVO;
 import com.cloud.hypervisor.Hypervisor;
+import com.cloud.network.Network;
+import com.cloud.network.dao.NetworkVO;
+import com.cloud.network.vpc.VpcOfferingVO;
+import com.cloud.network.vpc.VpcVO;
+import com.cloud.network.vpc.dao.VpcOfferingDao;
 import com.cloud.storage.StoragePoolTagVO;
+import com.cloud.vm.VirtualMachine;
 import org.apache.cloudstack.acl.RoleType;
 import org.apache.cloudstack.acl.RoleVO;
 import org.apache.cloudstack.acl.dao.RoleDao;
 import org.apache.cloudstack.backup.BackupOfferingVO;
 import org.apache.cloudstack.backup.dao.BackupOfferingDao;
 import org.apache.cloudstack.quota.constant.QuotaTypes;
+import org.apache.cloudstack.quota.dao.NetworkDao;
 import org.apache.cloudstack.quota.dao.VmTemplateDao;
+import org.apache.cloudstack.quota.dao.VpcDao;
 import org.apache.cloudstack.storage.datastore.db.ImageStoreDao;
 import org.apache.cloudstack.storage.datastore.db.ImageStoreVO;
 import org.apache.cloudstack.storage.datastore.db.PrimaryDataStoreDao;
@@ -188,6 +196,15 @@ public class PresetVariableHelperTest {
     @Mock
     BackupOfferingDao backupOfferingDaoMock;
 
+    @Mock
+    NetworkDao networkDaoMock;
+
+    @Mock
+    VpcDao vpcDaoMock;
+
+    @Mock
+    VpcOfferingDao vpcOfferingDaoMock;
+
     List<Integer> runningAndAllocatedVmUsageTypes = Arrays.asList(UsageTypes.RUNNING_VM, UsageTypes.ALLOCATED_VM);
     List<Integer> templateAndIsoUsageTypes = Arrays.asList(UsageTypes.TEMPLATE, UsageTypes.ISO);
 
@@ -223,6 +240,10 @@ private Value getValueForTests() {
         value.setVmSnapshotType(VMSnapshot.Type.Disk.toString());
         value.setComputingResources(getComputingResourcesForTests());
         value.setVolumeType(Volume.Type.DATADISK.toString());
+        value.setState(Network.State.Implemented.toString());
+        value.setResourceCounting(getResourceCountingForTests());
+        value.setNetworkOffering(getNetworkOfferingForTests());
+        value.setVpcOffering(getVpcOfferingForTests());
         return value;
     }
 
@@ -259,6 +280,13 @@ private Configuration getConfigurationForTests() {
         return configuration;
     }
 
+    private ResourceCounting getResourceCountingForTests() {
+        ResourceCounting resourceCounting = new ResourceCounting();
+        resourceCounting.setRunningVms(1);
+        resourceCounting.setStoppedVms(1);
+        return resourceCounting;
+    }
+
     private List<HostTagVO> getHostTagsForTests() {
         return Arrays.asList(new HostTagVO(1, "tag1", false), new HostTagVO(1, "tag2", false));
     }
@@ -324,6 +352,20 @@ private DiskOfferingPresetVariables getDiskOfferingForTests() {
         return diskOffering;
     }
 
+    private GenericPresetVariable getNetworkOfferingForTests() {
+        GenericPresetVariable networkOffering = new GenericPresetVariable();
+        networkOffering.setId("network_offering_id");
+        networkOffering.setName("network_offering_name");
+        return networkOffering;
+    }
+
+    private GenericPresetVariable getVpcOfferingForTests() {
+        GenericPresetVariable vpcOffering = new GenericPresetVariable();
+        vpcOffering.setId("vpc_offering_id");
+        vpcOffering.setName("vpc_offering_name");
+        return vpcOffering;
+    }
+
     private void mockMethodValidateIfObjectIsNull() {
         Mockito.doNothing().when(presetVariableHelperSpy).validateIfObjectIsNull(Mockito.any(), Mockito.anyLong(), Mockito.anyString());
     }
@@ -1289,4 +1331,120 @@ public void testGetSnapshotImageStoreRefNotNull() {
         Mockito.when(imageStoreDaoMock.findById(1L)).thenReturn(store);
         Assert.assertNotNull(presetVariableHelperSpy.getSnapshotImageStoreRef(1L, 1L));
     }
+
+    @Test
+    public void loadPresetVariableValueForNetworkTestRecordIsNotANetworkDoNothing() {
+        getQuotaTypesForTests(UsageTypes.NETWORK).forEach(type -> {
+            Mockito.doReturn(type.getKey()).when(usageVoMock).getUsageType();
+            presetVariableHelperSpy.loadPresetVariableValueForNetwork(usageVoMock, null);
+        });
+
+        Mockito.verifyNoInteractions(networkDaoMock);
+    }
+
+    @Test
+    public void loadPresetVariableValueForNetworkTestRecordIsNetworkSetFields() {
+        Value expected = getValueForTests();
+
+        NetworkVO networkVoMock = Mockito.mock(NetworkVO.class);
+        Mockito.doReturn(networkVoMock).when(networkDaoMock).findByIdIncludingRemoved(Mockito.anyLong());
+
+        mockMethodValidateIfObjectIsNull();
+
+        Mockito.doReturn(expected.getId()).when(networkVoMock).getUuid();
+        Mockito.doReturn(expected.getName()).when(networkVoMock).getName();
+        Mockito.doReturn(expected.getState()).when(usageVoMock).getState();
+        Mockito.doReturn(expected.getResourceCounting()).when(presetVariableHelperSpy).getPresetVariableValueNetworkResourceCounting(Mockito.anyLong());
+        Mockito.doReturn(expected.getNetworkOffering()).when(presetVariableHelperSpy).getPresetVariableValueNetworkOffering(Mockito.anyLong());
+        Mockito.doReturn(UsageTypes.NETWORK).when(usageVoMock).getUsageType();
+
+        Value result = new Value();
+        presetVariableHelperSpy.loadPresetVariableValueForNetwork(usageVoMock, result);
+
+        assertPresetVariableIdAndName(expected, result);
+        Assert.assertEquals(expected.getState(), result.getState());
+        Assert.assertEquals(expected.getResourceCounting(), result.getResourceCounting());
+    }
+
+    @Test
+    public void getPresetVariableValueNetworkResourceCountingTestSetValueAndReturnObject() {
+        VMInstanceVO vmInstanceVoMock1 = Mockito.spy(VMInstanceVO.class);
+        vmInstanceVoMock1.setState(VirtualMachine.State.Stopped);
+
+        VMInstanceVO vmInstanceVoMock2 = Mockito.spy(VMInstanceVO.class);
+        vmInstanceVoMock2.setState(VirtualMachine.State.Running);
+
+        Mockito.doReturn(List.of(vmInstanceVoMock1, vmInstanceVoMock2)).when(vmInstanceDaoMock).listNonRemovedVmsByTypeAndNetwork(Mockito.anyLong(), Mockito.any());
+
+        mockMethodValidateIfObjectIsNull();
+
+        ResourceCounting expected = getResourceCountingForTests();
+
+        ResourceCounting result = presetVariableHelperSpy.getPresetVariableValueNetworkResourceCounting(1L);
+
+        Assert.assertEquals(expected.getRunningVms(), result.getRunningVms());
+        Assert.assertEquals(expected.getStoppedVms(), result.getStoppedVms());
+    }
+
+    @Test
+    public void loadPresetVariableValueForVpcTestRecordIsNotAVpcDoNothing() {
+        getQuotaTypesForTests(UsageTypes.VPC).forEach(type -> {
+            Mockito.doReturn(type.getKey()).when(usageVoMock).getUsageType();
+            presetVariableHelperSpy.loadPresetVariableValueForVpc(usageVoMock, null);
+        });
+
+        Mockito.verifyNoInteractions(vpcDaoMock);
+    }
+
+    @Test
+    public void loadPresetVariableValueForVpcTestRecordIsVpcSetFields() {
+        Value expected = getValueForTests();
+
+        VpcVO networkVoMock = Mockito.mock(VpcVO.class);
+        Mockito.doReturn(networkVoMock).when(vpcDaoMock).findByIdIncludingRemoved(Mockito.anyLong());
+
+        mockMethodValidateIfObjectIsNull();
+
+        Mockito.doReturn(expected.getId()).when(networkVoMock).getUuid();
+        Mockito.doReturn(expected.getName()).when(networkVoMock).getName();
+        Mockito.doReturn(expected.getVpcOffering()).when(presetVariableHelperSpy).getPresetVariableValueVpcOffering(Mockito.anyLong());
+
+        Mockito.doReturn(UsageTypes.VPC).when(usageVoMock).getUsageType();
+
+        Value result = new Value();
+        presetVariableHelperSpy.loadPresetVariableValueForVpc(usageVoMock, result);
+
+        assertPresetVariableIdAndName(expected, result);
+        Assert.assertEquals(expected.getVpcOffering(), result.getVpcOffering());
+    }
+
+    @Test
+    public void getPresetVariableValueNetworkOfferingTestSetValuesAndReturnObject() {
+        NetworkOfferingVO networkOfferingVoMock = Mockito.mock(NetworkOfferingVO.class);
+        Mockito.doReturn(networkOfferingVoMock).when(networkOfferingDaoMock).findByIdIncludingRemoved(Mockito.anyLong());
+        mockMethodValidateIfObjectIsNull();
+
+        GenericPresetVariable expected = getGenericPresetVariableForTests();
+        Mockito.doReturn(expected.getId()).when(networkOfferingVoMock).getUuid();
+        Mockito.doReturn(expected.getName()).when(networkOfferingVoMock).getName();
+
+        GenericPresetVariable result = presetVariableHelperSpy.getPresetVariableValueNetworkOffering(1L);
+
+        assertPresetVariableIdAndName(expected, result);
+    }
+
+    @Test
+    public void getPresetVariableValueVpcOfferingTestSetValuesAndReturnObject() {
+        VpcOfferingVO vpcOfferingVoMock = Mockito.mock(VpcOfferingVO.class);
+        Mockito.doReturn(vpcOfferingVoMock).when(vpcOfferingDaoMock).findByIdIncludingRemoved(Mockito.anyLong());
+        mockMethodValidateIfObjectIsNull();
+
+        GenericPresetVariable expected = getGenericPresetVariableForTests();
+        Mockito.doReturn(expected.getId()).when(vpcOfferingVoMock).getUuid();
+        Mockito.doReturn(expected.getName()).when(vpcOfferingVoMock).getName();
+
+        GenericPresetVariable result = presetVariableHelperSpy.getPresetVariableValueVpcOffering(1L);
+
+        assertPresetVariableIdAndName(expected, result);
+    }
 }
diff --git a/packaging/el8/cloud.spec b/packaging/el8/cloud.spec
index 705959336f15..13c0a36cb106 100644
--- a/packaging/el8/cloud.spec
+++ b/packaging/el8/cloud.spec
@@ -83,6 +83,8 @@ Requires: (iptables-services or iptables)
 Requires: rng-tools
 Requires: (qemu-img or qemu-tools)
 Requires: python3-pip
+Requires: python3-six
+Requires: python3-protobuf
 Requires: python3-setuptools
 Requires: (libgcrypt > 1.8.3 or libgcrypt20)
 Group:     System Environment/Libraries
@@ -115,7 +117,7 @@ Requires: ipset
 Requires: perl
 Requires: rsync
 Requires: cifs-utils
-Requires: edk2-ovmf
+Requires: (edk2-ovmf or qemu-ovmf-x86_64)
 Requires: swtpm
 Requires: (python3-libvirt or python3-libvirt-python)
 Requires: (qemu-img or qemu-tools)
@@ -334,11 +336,11 @@ cp -r ui/dist/* ${RPM_BUILD_ROOT}%{_datadir}/%{name}-ui/
 rm -f ${RPM_BUILD_ROOT}%{_datadir}/%{name}-ui/config.json
 ln -sf /etc/%{name}/ui/config.json ${RPM_BUILD_ROOT}%{_datadir}/%{name}-ui/config.json
 
-# Package mysql-connector-python
-wget -P ${RPM_BUILD_ROOT}%{_datadir}/%{name}-management/setup/wheel https://files.pythonhosted.org/packages/ee/ff/48bde5c0f013094d729fe4b0316ba2a24774b3ff1c52d924a8a4cb04078a/six-1.15.0-py2.py3-none-any.whl
-wget -P ${RPM_BUILD_ROOT}%{_datadir}/%{name}-management/setup/wheel https://files.pythonhosted.org/packages/e9/93/4860cebd5ad3ff2664ad3c966490ccb46e3b88458b2095145bca11727ca4/setuptools-47.3.1-py3-none-any.whl
-wget -P ${RPM_BUILD_ROOT}%{_datadir}/%{name}-management/setup/wheel https://files.pythonhosted.org/packages/32/27/1141a8232723dcb10a595cc0ce4321dcbbd5215300bf4acfc142343205bf/protobuf-3.19.6-py2.py3-none-any.whl
+# Package mysql-connector-python (bundled to avoid dependency on external community repo)
+# Version 8.0.31 is the last version supporting Python 3.6 (EL8)
 wget -P ${RPM_BUILD_ROOT}%{_datadir}/%{name}-management/setup/wheel https://files.pythonhosted.org/packages/08/1f/42d74bae9dd6dcfec67c9ed0f3fa482b1ae5ac5f117ca82ab589ecb3ca19/mysql_connector_python-8.0.31-py2.py3-none-any.whl
+# Version 8.3.0 supports Python 3.8 to 3.12 (EL9, EL10)
+wget -P ${RPM_BUILD_ROOT}%{_datadir}/%{name}-management/setup/wheel https://files.pythonhosted.org/packages/53/ed/26a4b8cacb8852c6fd97d2d58a7f2591c41989807ea82bd8d9725a4e6937/mysql_connector_python-8.3.0-py2.py3-none-any.whl
 
 chmod 440 ${RPM_BUILD_ROOT}%{_sysconfdir}/sudoers.d/%{name}-management
 chmod 770 ${RPM_BUILD_ROOT}%{_localstatedir}/%{name}/mnt
@@ -455,8 +457,13 @@ then
 fi
 
 %post management
-# Install mysql-connector-python
-pip3 install %{_datadir}/%{name}-management/setup/wheel/six-1.15.0-py2.py3-none-any.whl %{_datadir}/%{name}-management/setup/wheel/setuptools-47.3.1-py3-none-any.whl %{_datadir}/%{name}-management/setup/wheel/protobuf-3.19.6-py2.py3-none-any.whl %{_datadir}/%{name}-management/setup/wheel/mysql_connector_python-8.0.31-py2.py3-none-any.whl
+# Install mysql-connector-python wheel
+# Detect Python version to install compatible wheel
+if python3 -c 'import sys; sys.exit(0 if sys.version_info >= (3, 7) else 1)'; then
+    pip3 install %{_datadir}/%{name}-management/setup/wheel/mysql_connector_python-8.3.0-py2.py3-none-any.whl
+else
+    pip3 install %{_datadir}/%{name}-management/setup/wheel/mysql_connector_python-8.0.31-py2.py3-none-any.whl
+fi
 
 /usr/bin/systemctl enable cloudstack-management > /dev/null 2>&1 || true
 /usr/bin/systemctl enable --now rngd > /dev/null 2>&1 || true
diff --git a/packaging/suse15 b/packaging/suse15
deleted file mode 120000
index 4dad90d45e0c..000000000000
--- a/packaging/suse15
+++ /dev/null
@@ -1 +0,0 @@
-el8
\ No newline at end of file
diff --git a/packaging/suse15/cloud-ipallocator.rc b/packaging/suse15/cloud-ipallocator.rc
new file mode 120000
index 000000000000..647598e6dc41
--- /dev/null
+++ b/packaging/suse15/cloud-ipallocator.rc
@@ -0,0 +1 @@
+../el8/cloud-ipallocator.rc
\ No newline at end of file
diff --git a/packaging/suse15/cloud.limits b/packaging/suse15/cloud.limits
new file mode 120000
index 000000000000..37be77e3acf2
--- /dev/null
+++ b/packaging/suse15/cloud.limits
@@ -0,0 +1 @@
+../el8/cloud.limits
\ No newline at end of file
diff --git a/packaging/suse15/cloud.spec b/packaging/suse15/cloud.spec
new file mode 100644
index 000000000000..cdfc5a72a34e
--- /dev/null
+++ b/packaging/suse15/cloud.spec
@@ -0,0 +1,750 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+%define __os_install_post %{nil}
+%global debug_package %{nil}
+%global __requires_exclude libc\\.so\\..*|libc\\.so\\.6\\(GLIBC_.*\\)
+%define _binaries_in_noarch_packages_terminate_build   0
+
+# DISABLE the post-percentinstall java repacking and line number stripping
+# we need to find a way to just disable the java repacking and line number stripping, but not the autodeps
+
+Name:      cloudstack
+Summary:   CloudStack IaaS Platform
+#http://fedoraproject.org/wiki/PackageNamingGuidelines#Pre-Release_packages
+%define _maventag %{_fullver}
+Release:   %{_rel}
+
+Version:   %{_ver}
+License:   ASL 2.0
+Vendor:    Apache CloudStack <dev@cloudstack.apache.org>
+Packager:  Apache CloudStack <dev@cloudstack.apache.org>
+Group:     System Environment/Libraries
+# FIXME do groups for every single one of the subpackages
+Source0:   %{name}-%{_maventag}.tgz
+BuildRoot: %{_tmppath}/%{name}-%{_maventag}-%{release}-build
+BuildArch: noarch
+
+BuildRequires: (java-11-openjdk-devel or java-17-openjdk-devel or java-21-openjdk-devel)
+#BuildRequires: ws-commons-util
+BuildRequires: jpackage-utils
+BuildRequires: gcc
+BuildRequires: glibc-devel
+BuildRequires: /usr/bin/mkisofs
+BuildRequires: python3-setuptools
+BuildRequires: wget
+BuildRequires: nodejs
+
+%description
+CloudStack is a highly-scalable elastic, open source,
+intelligent IaaS cloud implementation.
+
+%package management
+Summary:   CloudStack management server UI
+Requires: (java-17-openjdk or java-21-openjdk)
+Requires: (tzdata-java or timezone-java)
+Requires: python3
+Requires: bash
+Requires: gawk
+Requires: which
+Requires: file
+Requires: tar
+Requires: bzip2
+Requires: gzip
+Requires: unzip
+Requires: (/sbin/mount.nfs or /usr/sbin/mount.nfs)
+Requires: (openssh-clients or openssh)
+Requires: (nfs-utils or nfs-client)
+Requires: iproute
+Requires: wget
+Requires: (mysql or mariadb or mysql8.4)
+Requires: sudo
+Requires: /sbin/service
+Requires: /sbin/chkconfig
+Requires: /usr/bin/ssh-keygen
+Requires: (genisoimage or mkisofs or xorrisofs)
+Requires: ipmitool
+Requires: %{name}-common = %{_ver}
+Requires: (iptables-services or iptables)
+Requires: rng-tools
+Requires: (qemu-img or qemu-tools)
+Requires: python3-pip
+Requires: python3-six
+Requires: python3-protobuf
+Requires: python3-setuptools
+Requires: (libgcrypt > 1.8.3 or libgcrypt20)
+Group:     System Environment/Libraries
+%description management
+The CloudStack management server is the central point of coordination,
+management, and intelligence in CloudStack.
+
+%package common
+Summary: Apache CloudStack common files and scripts
+Requires: python3
+Group:   System Environment/Libraries
+%description common
+The Apache CloudStack files shared between agent and management server
+%global __requires_exclude libc\\.so\\..*|libc\\.so\\.6\\(GLIBC_.*\\)|^(libuuid\\.so\\.1|/usr/bin/python)$
+
+%package agent
+Summary: CloudStack Agent for KVM hypervisors
+Requires: (openssh-clients or openssh)
+Requires: (java-17-openjdk or java-21-openjdk)
+Requires: (tzdata-java or timezone-java)
+Requires: %{name}-common = %{_ver}
+Requires: libvirt
+Requires: libvirt-daemon-driver-storage-rbd
+Requires: ebtables
+Requires: iptables
+Requires: ethtool
+Requires: (net-tools or net-tools-deprecated)
+Requires: iproute
+Requires: ipset
+Requires: perl
+Requires: rsync
+Requires: cifs-utils
+Requires: (edk2-ovmf or qemu-ovmf-x86_64)
+Requires: swtpm
+Requires: (python3-libvirt or python3-libvirt-python)
+Requires: (qemu-img or qemu-tools)
+Requires: qemu-kvm
+Requires: cryptsetup
+Requires: rng-tools
+Requires: (libgcrypt > 1.8.3 or libgcrypt20)
+Requires: (selinux-tools if selinux-tools)
+Requires: sysstat
+Provides: cloud-agent
+Group: System Environment/Libraries
+%description agent
+The CloudStack agent for KVM hypervisors
+
+%package baremetal-agent
+Summary: CloudStack baremetal agent
+Requires: tftp-server
+Requires: xinetd
+Requires: syslinux
+Requires: chkconfig
+Requires: dhcp
+Requires: httpd
+Group:     System Environment/Libraries
+%description baremetal-agent
+The CloudStack baremetal agent
+
+%package usage
+Summary: CloudStack Usage calculation server
+Requires: (java-17-openjdk or java-21-openjdk)
+Requires: (tzdata-java or timezone-java)
+Group: System Environment/Libraries
+%description usage
+The CloudStack usage calculation service
+
+%package ui
+Summary: CloudStack UI
+Group: System Environment/Libraries
+%description ui
+The CloudStack UI
+
+%package marvin
+Summary: Apache CloudStack Marvin library
+Requires: python3-pip
+Requires: gcc
+Requires: python3-devel
+Requires: libffi-devel
+Requires: openssl-devel
+Group: System Environment/Libraries
+%description marvin
+Apache CloudStack Marvin library
+
+%package integration-tests
+Summary: Apache CloudStack Marvin integration tests
+Requires: %{name}-marvin = %{_ver}
+Group: System Environment/Libraries
+%description integration-tests
+Apache CloudStack Marvin integration tests
+
+%if "%{_ossnoss}" == "noredist"
+%package mysql-ha
+Summary: Apache CloudStack Balancing Strategy for MySQL
+Group: System Environmnet/Libraries
+%description mysql-ha
+Apache CloudStack Balancing Strategy for MySQL
+
+%endif
+
+%prep
+echo Doing CloudStack build
+
+%setup -q -n %{name}-%{_maventag}
+
+%build
+
+cp packaging/suse15/replace.properties build/replace.properties
+echo VERSION=%{_maventag} >> build/replace.properties
+echo PACKAGE=%{name} >> build/replace.properties
+touch build/gitrev.txt
+echo $(git rev-parse HEAD) > build/gitrev.txt
+
+if [ "%{_ossnoss}" == "NOREDIST" -o "%{_ossnoss}" == "noredist" ] ; then
+   echo "Adding noredist flag to the maven build"
+   FLAGS="$FLAGS -Dnoredist"
+fi
+
+if [ "%{_sim}" == "SIMULATOR" -o "%{_sim}" == "simulator" ] ; then
+   echo "Adding simulator flag to the maven build"
+   FLAGS="$FLAGS -Dsimulator"
+fi
+
+if [ \"%{_temp}\" != "" ]; then
+    echo "Adding flags to package requested templates"
+    FLAGS="$FLAGS `rpm --eval %{?_temp}`"
+fi
+
+mvn -Psystemvm,developer $FLAGS clean package
+cd ui && npm install && npm run build && cd ..
+
+%install
+[ ${RPM_BUILD_ROOT} != "/" ] && rm -rf ${RPM_BUILD_ROOT}
+# Common directories
+mkdir -p ${RPM_BUILD_ROOT}%{_bindir}
+mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/log/%{name}/agent
+mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/log/%{name}/ipallocator
+mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/cache/%{name}/management/work
+mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/cache/%{name}/management/temp
+mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/%{name}/mnt
+mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/%{name}/management
+mkdir -p ${RPM_BUILD_ROOT}%{_initrddir}
+mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/default
+mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/profile.d
+mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/sudoers.d
+
+# Common
+mkdir -p ${RPM_BUILD_ROOT}%{_datadir}/%{name}-common/scripts
+mkdir -p ${RPM_BUILD_ROOT}%{_datadir}/%{name}-common/vms
+mkdir -p ${RPM_BUILD_ROOT}%{_datadir}/%{name}-common/python-site
+mkdir -p ${RPM_BUILD_ROOT}/usr/bin
+cp -r scripts/* ${RPM_BUILD_ROOT}%{_datadir}/%{name}-common/scripts
+install -D systemvm/dist/* ${RPM_BUILD_ROOT}%{_datadir}/%{name}-common/vms/
+install python/lib/cloud_utils.py ${RPM_BUILD_ROOT}%{_datadir}/%{name}-common/python-site/cloud_utils.py
+cp -r python/lib/cloudutils ${RPM_BUILD_ROOT}%{_datadir}/%{name}-common/python-site/
+python3 -m py_compile ${RPM_BUILD_ROOT}%{_datadir}/%{name}-common/python-site/cloud_utils.py
+python3 -m compileall ${RPM_BUILD_ROOT}%{_datadir}/%{name}-common/python-site/cloudutils
+cp build/gitrev.txt ${RPM_BUILD_ROOT}%{_datadir}/%{name}-common/scripts
+cp packaging/suse15/cloudstack-sccs ${RPM_BUILD_ROOT}/usr/bin
+
+mkdir -p ${RPM_BUILD_ROOT}%{_datadir}/%{name}-common/scripts/network/cisco
+cp -r plugins/network-elements/cisco-vnmc/src/main/scripts/network/cisco/* ${RPM_BUILD_ROOT}%{_datadir}/%{name}-common/scripts/network/cisco
+
+# Management
+mkdir -p ${RPM_BUILD_ROOT}%{_datadir}/%{name}-management/
+mkdir -p ${RPM_BUILD_ROOT}%{_datadir}/%{name}-management/lib
+mkdir -p ${RPM_BUILD_ROOT}%{_datadir}/%{name}-management/setup
+mkdir -p ${RPM_BUILD_ROOT}%{_datadir}/%{name}-management/cks/conf
+mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/log/%{name}/management
+mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/%{name}/management
+mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/systemd/system/%{name}-management.service.d
+mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/run
+mkdir -p ${RPM_BUILD_ROOT}%{_datadir}/%{name}-management/setup/wheel
+
+# Setup Jetty
+ln -sf /etc/%{name}/management ${RPM_BUILD_ROOT}%{_datadir}/%{name}-management/conf
+ln -sf /var/log/%{name}/management ${RPM_BUILD_ROOT}%{_datadir}/%{name}-management/logs
+
+install -D client/target/utilities/bin/cloud-migrate-databases ${RPM_BUILD_ROOT}%{_bindir}/%{name}-migrate-databases
+install -D client/target/utilities/bin/cloud-set-guest-password ${RPM_BUILD_ROOT}%{_bindir}/%{name}-set-guest-password
+install -D client/target/utilities/bin/cloud-set-guest-sshkey ${RPM_BUILD_ROOT}%{_bindir}/%{name}-set-guest-sshkey
+install -D client/target/utilities/bin/cloud-setup-databases ${RPM_BUILD_ROOT}%{_bindir}/%{name}-setup-databases
+install -D client/target/utilities/bin/cloud-setup-encryption ${RPM_BUILD_ROOT}%{_bindir}/%{name}-setup-encryption
+install -D client/target/utilities/bin/cloud-setup-management ${RPM_BUILD_ROOT}%{_bindir}/%{name}-setup-management
+install -D client/target/utilities/bin/cloud-setup-baremetal ${RPM_BUILD_ROOT}%{_bindir}/%{name}-setup-baremetal
+install -D client/target/utilities/bin/cloud-sysvmadm ${RPM_BUILD_ROOT}%{_bindir}/%{name}-sysvmadm
+install -D client/target/utilities/bin/cloud-update-xenserver-licenses ${RPM_BUILD_ROOT}%{_bindir}/%{name}-update-xenserver-licenses
+# Bundle cmk in cloudstack-management
+wget https://github.com/apache/cloudstack-cloudmonkey/releases/latest/download/cmk.linux.x86-64 -O ${RPM_BUILD_ROOT}%{_bindir}/cmk
+chmod +x ${RPM_BUILD_ROOT}%{_bindir}/cmk
+
+cp -r client/target/utilities/scripts/db/* ${RPM_BUILD_ROOT}%{_datadir}/%{name}-management/setup
+cp -r plugins/integrations/kubernetes-service/src/main/resources/conf/* ${RPM_BUILD_ROOT}%{_datadir}/%{name}-management/cks/conf
+cp -r client/target/cloud-client-ui-%{_maventag}.jar ${RPM_BUILD_ROOT}%{_datadir}/%{name}-management/
+cp -r client/target/classes/META-INF/webapp ${RPM_BUILD_ROOT}%{_datadir}/%{name}-management/webapp
+cp ui/dist/config.json ${RPM_BUILD_ROOT}%{_sysconfdir}/%{name}/management/
+cp -r ui/dist/* ${RPM_BUILD_ROOT}%{_datadir}/%{name}-management/webapp/
+rm -f ${RPM_BUILD_ROOT}%{_datadir}/%{name}-management/webapp/config.json
+ln -sf /etc/%{name}/management/config.json ${RPM_BUILD_ROOT}%{_datadir}/%{name}-management/webapp/config.json
+mv ${RPM_BUILD_ROOT}%{_datadir}/%{name}-management/cloud-client-ui-%{_maventag}.jar ${RPM_BUILD_ROOT}%{_datadir}/%{name}-management/lib/cloudstack-%{_maventag}.jar
+cp client/target/lib/*jar ${RPM_BUILD_ROOT}%{_datadir}/%{name}-management/lib/
+
+# Don't package the scripts in the management webapp
+rm -rf ${RPM_BUILD_ROOT}%{_datadir}/%{name}-management/webapps/client/WEB-INF/classes/scripts
+rm -rf ${RPM_BUILD_ROOT}%{_datadir}/%{name}-management/webapps/client/WEB-INF/classes/vms
+
+for name in db.properties server.properties log4j-cloud.xml environment.properties java.security.ciphers
+do
+  cp client/target/conf/$name ${RPM_BUILD_ROOT}%{_sysconfdir}/%{name}/management/$name
+done
+
+ln -sf log4j-cloud.xml  ${RPM_BUILD_ROOT}%{_sysconfdir}/%{name}/management/log4j2.xml
+
+install python/bindir/cloud-external-ipallocator.py ${RPM_BUILD_ROOT}%{_bindir}/%{name}-external-ipallocator.py
+install -D client/target/pythonlibs/jasypt-1.9.3.jar ${RPM_BUILD_ROOT}%{_datadir}/%{name}-common/lib/jasypt-1.9.3.jar
+install -D utils/target/cloud-utils-%{_maventag}-bundled.jar ${RPM_BUILD_ROOT}%{_datadir}/%{name}-common/lib/%{name}-utils.jar
+
+install -D packaging/suse15/cloud-ipallocator.rc ${RPM_BUILD_ROOT}%{_initrddir}/%{name}-ipallocator
+install -D packaging/suse15/cloud.limits ${RPM_BUILD_ROOT}%{_sysconfdir}/security/limits.d/cloud
+install -D packaging/suse15/filelimit.conf ${RPM_BUILD_ROOT}%{_sysconfdir}/systemd/system/%{name}-management.service.d
+install -D packaging/systemd/cloudstack-management.service ${RPM_BUILD_ROOT}%{_unitdir}/%{name}-management.service
+install -D packaging/systemd/cloudstack-management.default ${RPM_BUILD_ROOT}%{_sysconfdir}/default/%{name}-management
+install -D server/target/conf/cloudstack-sudoers ${RPM_BUILD_ROOT}%{_sysconfdir}/sudoers.d/%{name}-management
+touch ${RPM_BUILD_ROOT}%{_localstatedir}/run/%{name}-management.pid
+#install -D server/target/conf/cloudstack-catalina.logrotate ${RPM_BUILD_ROOT}%{_sysconfdir}/logrotate.d/%{name}-catalina
+install -D server/target/conf/cloudstack-management.logrotate ${RPM_BUILD_ROOT}%{_sysconfdir}/logrotate.d/%{name}-management
+
+install -D plugins/integrations/kubernetes-service/src/main/resources/conf/etcd-node.yml ${RPM_BUILD_ROOT}%{_datadir}/%{name}-management/cks/conf/etcd-node.yml
+install -D plugins/integrations/kubernetes-service/src/main/resources/conf/k8s-control-node.yml ${RPM_BUILD_ROOT}%{_datadir}/%{name}-management/cks/conf/k8s-control-node.yml
+install -D plugins/integrations/kubernetes-service/src/main/resources/conf/k8s-control-node-add.yml ${RPM_BUILD_ROOT}%{_datadir}/%{name}-management/cks/conf/k8s-control-node-add.yml
+install -D plugins/integrations/kubernetes-service/src/main/resources/conf/k8s-node.yml ${RPM_BUILD_ROOT}%{_datadir}/%{name}-management/cks/conf/k8s-node.yml
+
+# SystemVM template
+mkdir -p ${RPM_BUILD_ROOT}%{_datadir}/%{name}-management/templates/systemvm
+cp -r engine/schema/dist/systemvm-templates/* ${RPM_BUILD_ROOT}%{_datadir}/%{name}-management/templates/systemvm
+rm -rf ${RPM_BUILD_ROOT}%{_datadir}/%{name}-management/templates/systemvm/sha512sum.txt
+
+# Sample Extensions
+mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/%{name}/extensions
+cp -r extensions/* ${RPM_BUILD_ROOT}%{_sysconfdir}/%{name}/extensions
+ln -sf %{_sysconfdir}/%{name}/extensions ${RPM_BUILD_ROOT}%{_datadir}/%{name}-management/extensions
+
+# UI
+mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/%{name}/ui
+mkdir -p ${RPM_BUILD_ROOT}%{_datadir}/%{name}-ui/
+cp -r client/target/classes/META-INF/webapp/WEB-INF ${RPM_BUILD_ROOT}%{_datadir}/%{name}-ui
+cp ui/dist/config.json ${RPM_BUILD_ROOT}%{_sysconfdir}/%{name}/ui/
+cp -r ui/dist/* ${RPM_BUILD_ROOT}%{_datadir}/%{name}-ui/
+rm -f ${RPM_BUILD_ROOT}%{_datadir}/%{name}-ui/config.json
+ln -sf /etc/%{name}/ui/config.json ${RPM_BUILD_ROOT}%{_datadir}/%{name}-ui/config.json
+
+# Package mysql-connector-python (bundled to avoid dependency on external community repo)
+# Version 8.0.31 is the last version supporting Python 3.6 (EL8)
+wget -P ${RPM_BUILD_ROOT}%{_datadir}/%{name}-management/setup/wheel https://files.pythonhosted.org/packages/08/1f/42d74bae9dd6dcfec67c9ed0f3fa482b1ae5ac5f117ca82ab589ecb3ca19/mysql_connector_python-8.0.31-py2.py3-none-any.whl
+# Version 8.3.0 supports Python 3.8 to 3.12 (EL9, EL10)
+wget -P ${RPM_BUILD_ROOT}%{_datadir}/%{name}-management/setup/wheel https://files.pythonhosted.org/packages/53/ed/26a4b8cacb8852c6fd97d2d58a7f2591c41989807ea82bd8d9725a4e6937/mysql_connector_python-8.3.0-py2.py3-none-any.whl
+
+chmod 440 ${RPM_BUILD_ROOT}%{_sysconfdir}/sudoers.d/%{name}-management
+chmod 770 ${RPM_BUILD_ROOT}%{_localstatedir}/%{name}/mnt
+chmod 770 ${RPM_BUILD_ROOT}%{_localstatedir}/%{name}/management
+chmod 770 ${RPM_BUILD_ROOT}%{_localstatedir}/cache/%{name}/management/work
+chmod 770 ${RPM_BUILD_ROOT}%{_localstatedir}/cache/%{name}/management/temp
+chmod 770 ${RPM_BUILD_ROOT}%{_localstatedir}/log/%{name}/management
+chmod 770 ${RPM_BUILD_ROOT}%{_localstatedir}/log/%{name}/agent
+
+# KVM Agent
+mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/%{name}/agent
+mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/log/%{name}/agent
+mkdir -p ${RPM_BUILD_ROOT}%{_datadir}/%{name}-agent/lib
+mkdir -p ${RPM_BUILD_ROOT}%{_datadir}/%{name}-agent/plugins
+install -D packaging/systemd/cloudstack-agent.service ${RPM_BUILD_ROOT}%{_unitdir}/%{name}-agent.service
+install -D packaging/systemd/cloudstack-rolling-maintenance@.service ${RPM_BUILD_ROOT}%{_unitdir}/%{name}-rolling-maintenance@.service
+install -D packaging/systemd/cloudstack-agent.default ${RPM_BUILD_ROOT}%{_sysconfdir}/default/%{name}-agent
+install -D agent/target/transformed/agent.properties ${RPM_BUILD_ROOT}%{_sysconfdir}/%{name}/agent/agent.properties
+install -D agent/target/transformed/uefi.properties ${RPM_BUILD_ROOT}%{_sysconfdir}/%{name}/agent/uefi.properties
+install -D agent/target/transformed/environment.properties ${RPM_BUILD_ROOT}%{_sysconfdir}/%{name}/agent/environment.properties
+install -D agent/target/transformed/log4j-cloud.xml ${RPM_BUILD_ROOT}%{_sysconfdir}/%{name}/agent/log4j-cloud.xml
+install -D agent/target/transformed/cloud-setup-agent ${RPM_BUILD_ROOT}%{_bindir}/%{name}-setup-agent
+install -D agent/target/transformed/cloudstack-agent-upgrade ${RPM_BUILD_ROOT}%{_bindir}/%{name}-agent-upgrade
+install -D agent/target/transformed/cloud-guest-tool ${RPM_BUILD_ROOT}%{_bindir}/%{name}-guest-tool
+install -D agent/target/transformed/libvirtqemuhook ${RPM_BUILD_ROOT}%{_datadir}/%{name}-agent/lib/libvirtqemuhook
+install -D agent/target/transformed/rolling-maintenance ${RPM_BUILD_ROOT}%{_datadir}/%{name}-agent/lib/rolling-maintenance
+install -D agent/target/transformed/cloud-ssh ${RPM_BUILD_ROOT}%{_bindir}/%{name}-ssh
+install -D agent/target/transformed/cloudstack-agent-profile.sh ${RPM_BUILD_ROOT}%{_sysconfdir}/profile.d/%{name}-agent-profile.sh
+install -D agent/target/transformed/cloudstack-agent.logrotate ${RPM_BUILD_ROOT}%{_sysconfdir}/logrotate.d/%{name}-agent
+install -D plugins/hypervisors/kvm/target/cloud-plugin-hypervisor-kvm-%{_maventag}.jar ${RPM_BUILD_ROOT}%{_datadir}/%name-agent/lib/cloud-plugin-hypervisor-kvm-%{_maventag}.jar
+cp plugins/hypervisors/kvm/target/dependencies/*  ${RPM_BUILD_ROOT}%{_datadir}/%{name}-agent/lib
+cp plugins/storage/volume/storpool/target/*.jar  ${RPM_BUILD_ROOT}%{_datadir}/%{name}-agent/lib
+cp plugins/storage/volume/linstor/target/*.jar  ${RPM_BUILD_ROOT}%{_datadir}/%{name}-agent/lib
+
+# Usage server
+mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/%{name}/usage
+mkdir -p ${RPM_BUILD_ROOT}%{_datadir}/%{name}-usage/lib
+install -D usage/target/cloud-usage-%{_maventag}.jar ${RPM_BUILD_ROOT}%{_datadir}/%{name}-usage/cloud-usage-%{_maventag}.jar
+install -D usage/target/transformed/db.properties ${RPM_BUILD_ROOT}%{_sysconfdir}/%{name}/usage/db.properties
+install -D usage/target/transformed/log4j-cloud_usage.xml ${RPM_BUILD_ROOT}%{_sysconfdir}/%{name}/usage/log4j-cloud.xml
+cp usage/target/dependencies/* ${RPM_BUILD_ROOT}%{_datadir}/%{name}-usage/lib/
+cp client/target/lib/mysql*jar ${RPM_BUILD_ROOT}%{_datadir}/%{name}-usage/lib/
+install -D packaging/systemd/cloudstack-usage.service ${RPM_BUILD_ROOT}%{_unitdir}/%{name}-usage.service
+install -D packaging/systemd/cloudstack-usage.default ${RPM_BUILD_ROOT}%{_sysconfdir}/default/%{name}-usage
+mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/log/%{name}/usage/
+install -D usage/target/transformed/cloudstack-usage.logrotate ${RPM_BUILD_ROOT}%{_sysconfdir}/logrotate.d/%{name}-usage
+
+# Marvin
+mkdir -p ${RPM_BUILD_ROOT}%{_datadir}/%{name}-marvin
+cp tools/marvin/dist/Marvin-*.tar.gz ${RPM_BUILD_ROOT}%{_datadir}/%{name}-marvin/
+
+# integration-tests
+mkdir -p ${RPM_BUILD_ROOT}%{_datadir}/%{name}-integration-tests
+cp -r test/integration/* ${RPM_BUILD_ROOT}%{_datadir}/%{name}-integration-tests/
+
+# MYSQL HA
+if [ "x%{_ossnoss}" == "xnoredist" ] ; then
+  mkdir -p ${RPM_BUILD_ROOT}%{_datadir}/%{name}-mysql-ha/lib
+  cp -r plugins/database/mysql-ha/target/cloud-plugin-database-mysqlha-%{_maventag}.jar ${RPM_BUILD_ROOT}%{_datadir}/%{name}-mysql-ha/lib
+fi
+
+#License files from whisker
+install -D tools/whisker/NOTICE ${RPM_BUILD_ROOT}%{_defaultdocdir}/%{name}-management-%{version}/NOTICE
+install -D tools/whisker/LICENSE ${RPM_BUILD_ROOT}%{_defaultdocdir}/%{name}-management-%{version}/LICENSE
+install -D tools/whisker/NOTICE ${RPM_BUILD_ROOT}%{_defaultdocdir}/%{name}-common-%{version}/NOTICE
+install -D tools/whisker/LICENSE ${RPM_BUILD_ROOT}%{_defaultdocdir}/%{name}-common-%{version}/LICENSE
+install -D tools/whisker/NOTICE ${RPM_BUILD_ROOT}%{_defaultdocdir}/%{name}-agent-%{version}/NOTICE
+install -D tools/whisker/LICENSE ${RPM_BUILD_ROOT}%{_defaultdocdir}/%{name}-agent-%{version}/LICENSE
+install -D tools/whisker/NOTICE ${RPM_BUILD_ROOT}%{_defaultdocdir}/%{name}-usage-%{version}/NOTICE
+install -D tools/whisker/LICENSE ${RPM_BUILD_ROOT}%{_defaultdocdir}/%{name}-usage-%{version}/LICENSE
+install -D tools/whisker/NOTICE ${RPM_BUILD_ROOT}%{_defaultdocdir}/%{name}-ui-%{version}/NOTICE
+install -D tools/whisker/LICENSE ${RPM_BUILD_ROOT}%{_defaultdocdir}/%{name}-ui-%{version}/LICENSE
+install -D tools/whisker/NOTICE ${RPM_BUILD_ROOT}%{_defaultdocdir}/%{name}-marvin-%{version}/NOTICE
+install -D tools/whisker/LICENSE ${RPM_BUILD_ROOT}%{_defaultdocdir}/%{name}-marvin-%{version}/LICENSE
+install -D tools/whisker/NOTICE ${RPM_BUILD_ROOT}%{_defaultdocdir}/%{name}-integration-tests-%{version}/NOTICE
+install -D tools/whisker/LICENSE ${RPM_BUILD_ROOT}%{_defaultdocdir}/%{name}-integration-tests-%{version}/LICENSE
+
+%clean
+[ ${RPM_BUILD_ROOT} != "/" ] && rm -rf ${RPM_BUILD_ROOT}
+
+%posttrans common
+
+unalias cp
+python_dir=$(python3 -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(1))")
+if [ ! -z $python_dir ];then
+  cp -f -r /usr/share/cloudstack-common/python-site/* $python_dir/
+fi
+
+%preun management
+/usr/bin/systemctl stop cloudstack-management || true
+/usr/bin/systemctl disable cloudstack-management || true
+
+%pre management
+id cloud > /dev/null 2>&1 || /usr/sbin/useradd -M -U -c "CloudStack unprivileged user" \
+     -r -s /bin/sh -d %{_localstatedir}/cloudstack/management cloud || true
+
+rm -rf %{_localstatedir}/cache/cloudstack
+
+# in case of upgrade to 4.9+ copy commands.properties if not exists in /etc/cloudstack/management/
+if [ "$1" == "2" ] ; then
+    if [ -f "%{_datadir}/%{name}-management/webapps/client/WEB-INF/classes/commands.properties" ] && [ ! -f "%{_sysconfdir}/%{name}/management/commands.properties" ] ; then
+        cp -p %{_datadir}/%{name}-management/webapps/client/WEB-INF/classes/commands.properties %{_sysconfdir}/%{name}/management/commands.properties
+    fi
+fi
+
+# Remove old tomcat symlinks and env config file
+if [ -L "%{_datadir}/%{name}-management/lib" ]
+then
+    rm -f %{_datadir}/%{name}-management/bin
+    rm -f %{_datadir}/%{name}-management/lib
+    rm -f %{_datadir}/%{name}-management/temp
+    rm -f %{_datadir}/%{name}-management/work
+    rm -f %{_sysconfdir}/default/%{name}-management
+fi
+
+%post management
+# Install mysql-connector-python wheel
+# Detect Python version to install compatible wheel
+if python3 -c 'import sys; sys.exit(0 if sys.version_info >= (3, 7) else 1)'; then
+    pip3 install %{_datadir}/%{name}-management/setup/wheel/mysql_connector_python-8.3.0-py2.py3-none-any.whl
+else
+    pip3 install %{_datadir}/%{name}-management/setup/wheel/mysql_connector_python-8.0.31-py2.py3-none-any.whl
+fi
+
+/usr/bin/systemctl enable cloudstack-management > /dev/null 2>&1 || true
+/usr/bin/systemctl enable --now rngd > /dev/null 2>&1 || true
+
+grep -s -q "db.cloud.driver=jdbc:mysql" "%{_sysconfdir}/%{name}/management/db.properties" || sed -i -e "\$adb.cloud.driver=jdbc:mysql" "%{_sysconfdir}/%{name}/management/db.properties"
+grep -s -q "db.usage.driver=jdbc:mysql" "%{_sysconfdir}/%{name}/management/db.properties" || sed -i -e "\$adb.usage.driver=jdbc:mysql"  "%{_sysconfdir}/%{name}/management/db.properties"
+grep -s -q "db.simulator.driver=jdbc:mysql" "%{_sysconfdir}/%{name}/management/db.properties" || sed -i -e "\$adb.simulator.driver=jdbc:mysql" "%{_sysconfdir}/%{name}/management/db.properties"
+
+# Update DB properties having master and slave(s), with source and replica(s) respectively (for inclusiveness)
+grep -s -q "^db.cloud.slaves=" "%{_sysconfdir}/%{name}/management/db.properties" && sed -i "s/^db.cloud.slaves=/db.cloud.replicas=/g" "%{_sysconfdir}/%{name}/management/db.properties"
+grep -s -q "^db.cloud.secondsBeforeRetryMaster=" "%{_sysconfdir}/%{name}/management/db.properties" && sed -i "s/^db.cloud.secondsBeforeRetryMaster=/db.cloud.secondsBeforeRetrySource=/g" "%{_sysconfdir}/%{name}/management/db.properties"
+grep -s -q "^db.cloud.queriesBeforeRetryMaster=" "%{_sysconfdir}/%{name}/management/db.properties" && sed -i "s/^db.cloud.queriesBeforeRetryMaster=/db.cloud.queriesBeforeRetrySource=/g" "%{_sysconfdir}/%{name}/management/db.properties"
+grep -s -q "^db.usage.slaves=" "%{_sysconfdir}/%{name}/management/db.properties" && sed -i "s/^db.usage.slaves=/db.usage.replicas=/g" "%{_sysconfdir}/%{name}/management/db.properties"
+grep -s -q "^db.usage.secondsBeforeRetryMaster=" "%{_sysconfdir}/%{name}/management/db.properties" && sed -i "s/^db.usage.secondsBeforeRetryMaster=/db.usage.secondsBeforeRetrySource=/g" "%{_sysconfdir}/%{name}/management/db.properties"
+grep -s -q "^db.usage.queriesBeforeRetryMaster=" "%{_sysconfdir}/%{name}/management/db.properties" && sed -i "s/^db.usage.queriesBeforeRetryMaster=/db.usage.queriesBeforeRetrySource=/g" "%{_sysconfdir}/%{name}/management/db.properties"
+
+if [ ! -f %{_datadir}/cloudstack-common/scripts/vm/hypervisor/xenserver/vhd-util ] ; then
+    echo Please download vhd-util from http://download.cloudstack.org/tools/vhd-util and put it in
+    echo %{_datadir}/cloudstack-common/scripts/vm/hypervisor/xenserver/
+fi
+
+if [ -f %{_sysconfdir}/sysconfig/%{name}-management ] ; then
+    rm -f %{_sysconfdir}/sysconfig/%{name}-management
+fi
+
+chown -R cloud:cloud /var/log/cloudstack/management
+chown -R cloud:cloud /usr/share/cloudstack-management/templates
+find /usr/share/cloudstack-management/templates -type d -exec chmod 0770 {} \;
+
+systemctl daemon-reload
+
+%posttrans management
+# Print help message
+if [ -f "/usr/share/cloudstack-common/scripts/installer/cloudstack-help-text" ];then
+    sed -i "s,^ACS_VERSION=.*,ACS_VERSION=%{_maventag},g" /usr/share/cloudstack-common/scripts/installer/cloudstack-help-text
+    /usr/share/cloudstack-common/scripts/installer/cloudstack-help-text management
+fi
+
+%preun agent
+/sbin/service cloudstack-agent stop || true
+if [ "$1" == "0" ] ; then
+    /sbin/chkconfig --del cloudstack-agent > /dev/null 2>&1 || true
+fi
+
+%pre agent
+
+# save old configs if they exist (for upgrade). Otherwise we may lose them
+# when the old packages are erased. There are a lot of properties files here.
+if [ -d "%{_sysconfdir}/cloud" ] ; then
+    mv %{_sysconfdir}/cloud %{_sysconfdir}/cloud.rpmsave
+fi
+
+%posttrans agent
+
+if [ "$1" == "2" ] ; then
+    echo "Running %{_bindir}/%{name}-agent-upgrade to update bridge name for upgrade from CloudStack 4.0.x (and before) to CloudStack 4.1 (and later)"
+    %{_bindir}/%{name}-agent-upgrade
+fi
+if [ ! -d %{_sysconfdir}/libvirt/hooks ] ; then
+    mkdir %{_sysconfdir}/libvirt/hooks
+fi
+cp -a ${RPM_BUILD_ROOT}%{_datadir}/%{name}-agent/lib/libvirtqemuhook %{_sysconfdir}/libvirt/hooks/qemu
+mkdir -m 0755 -p /usr/share/cloudstack-agent/tmp
+/usr/bin/systemctl restart libvirtd
+/usr/bin/systemctl enable cloudstack-agent > /dev/null 2>&1 || true
+/usr/bin/systemctl enable cloudstack-rolling-maintenance@p > /dev/null 2>&1 || true
+/usr/bin/systemctl enable --now rngd > /dev/null 2>&1 || true
+
+# if saved agent.properties from upgrade exist, copy them over
+if [ -f "%{_sysconfdir}/cloud.rpmsave/agent/agent.properties" ]; then
+    mv %{_sysconfdir}/%{name}/agent/agent.properties  %{_sysconfdir}/%{name}/agent/agent.properties.rpmnew
+    cp -p %{_sysconfdir}/cloud.rpmsave/agent/agent.properties %{_sysconfdir}/%{name}/agent
+    # make sure we only do this on the first install of this RPM, don't want to overwrite on a reinstall
+    mv %{_sysconfdir}/cloud.rpmsave/agent/agent.properties %{_sysconfdir}/cloud.rpmsave/agent/agent.properties.rpmsave
+fi
+
+# if saved uefi.properties from upgrade exist, copy them over
+if [ -f "%{_sysconfdir}/cloud.rpmsave/agent/uefi.properties" ]; then
+    mv %{_sysconfdir}/%{name}/agent/uefi.properties  %{_sysconfdir}/%{name}/agent/uefi.properties.rpmnew
+    cp -p %{_sysconfdir}/cloud.rpmsave/agent/uefi.properties %{_sysconfdir}/%{name}/agent
+    # make sure we only do this on the first install of this RPM, don't want to overwrite on a reinstall
+    mv %{_sysconfdir}/cloud.rpmsave/agent/uefi.properties %{_sysconfdir}/cloud.rpmsave/agent/uefi.properties.rpmsave
+fi
+
+systemctl daemon-reload
+
+# Print help message
+if [ -f "/usr/share/cloudstack-common/scripts/installer/cloudstack-help-text" ];then
+    sed -i "s,^ACS_VERSION=.*,ACS_VERSION=%{_maventag},g" /usr/share/cloudstack-common/scripts/installer/cloudstack-help-text
+    /usr/share/cloudstack-common/scripts/installer/cloudstack-help-text agent
+fi
+
+%pre usage
+id cloud > /dev/null 2>&1 || /usr/sbin/useradd -M -U -c "CloudStack unprivileged user" \
+     -r -s /bin/sh -d %{_localstatedir}/cloudstack/management cloud|| true
+
+%preun usage
+/sbin/service cloudstack-usage stop || true
+if [ "$1" == "0" ] ; then
+    /sbin/chkconfig --del cloudstack-usage > /dev/null 2>&1 || true
+fi
+
+%post usage
+if [ -f "%{_sysconfdir}/%{name}/management/db.properties" ]; then
+    echo "Replacing usage server's db.properties with a link to the management server's db.properties"
+    rm -f %{_sysconfdir}/%{name}/usage/db.properties
+    ln -s %{_sysconfdir}/%{name}/management/db.properties %{_sysconfdir}/%{name}/usage/db.properties
+    /usr/bin/systemctl enable cloudstack-usage > /dev/null 2>&1 || true
+fi
+
+if [ -f "%{_sysconfdir}/%{name}/management/key" ]; then
+    echo "Replacing usage server's key with a link to the management server's key"
+    rm -f %{_sysconfdir}/%{name}/usage/key
+    ln -s %{_sysconfdir}/%{name}/management/key %{_sysconfdir}/%{name}/usage/key
+fi
+
+if [ ! -f "%{_sysconfdir}/%{name}/usage/key" ]; then
+    ln -s %{_sysconfdir}/%{name}/management/key %{_sysconfdir}/%{name}/usage/key
+fi
+
+mkdir -p /usr/local/libexec
+if [ ! -f "/usr/local/libexec/sanity-check-last-id" ]; then
+    echo 1 > /usr/local/libexec/sanity-check-last-id
+fi
+chown cloud:cloud /usr/local/libexec/sanity-check-last-id
+
+%posttrans usage
+# Print help message
+if [ -f "/usr/share/cloudstack-common/scripts/installer/cloudstack-help-text" ];then
+    sed -i "s,^ACS_VERSION=.*,ACS_VERSION=%{_maventag},g" /usr/share/cloudstack-common/scripts/installer/cloudstack-help-text
+    /usr/share/cloudstack-common/scripts/installer/cloudstack-help-text usage
+fi
+
+%post marvin
+pip3 install --upgrade https://files.pythonhosted.org/packages/08/1f/42d74bae9dd6dcfec67c9ed0f3fa482b1ae5ac5f117ca82ab589ecb3ca19/mysql_connector_python-8.0.31-py2.py3-none-any.whl
+pip3 install --upgrade /usr/share/cloudstack-marvin/Marvin-*.tar.gz
+
+#No default permission as the permission setup is complex
+%files management
+%defattr(-,root,root,-)
+%dir %{_datadir}/%{name}-management
+%dir %attr(0770,root,cloud) %{_localstatedir}/%{name}/mnt
+%dir %attr(0770,cloud,cloud) %{_localstatedir}/%{name}/management
+%dir %attr(0770,root,cloud) %{_localstatedir}/cache/%{name}/management
+%dir %attr(0770,root,cloud) %{_localstatedir}/log/%{name}/management
+%config(noreplace) %{_sysconfdir}/default/%{name}-management
+%config(noreplace) %{_sysconfdir}/sudoers.d/%{name}-management
+%config(noreplace) %{_sysconfdir}/security/limits.d/cloud
+%config(noreplace) %{_sysconfdir}/systemd/system/%{name}-management.service.d
+%config(noreplace) %attr(0640,root,cloud) %{_sysconfdir}/%{name}/management/db.properties
+%config(noreplace) %attr(0640,root,cloud) %{_sysconfdir}/%{name}/management/server.properties
+%config(noreplace) %attr(0640,root,cloud) %{_sysconfdir}/%{name}/management/config.json
+%config(noreplace) %{_sysconfdir}/%{name}/management/log4j-cloud.xml
+%config(noreplace) %{_sysconfdir}/%{name}/management/log4j2.xml
+%config(noreplace) %{_sysconfdir}/%{name}/management/environment.properties
+%config(noreplace) %{_sysconfdir}/%{name}/management/java.security.ciphers
+%config(noreplace) %attr(0644,root,root) %{_sysconfdir}/logrotate.d/%{name}-management
+%attr(0644,root,root) %{_unitdir}/%{name}-management.service
+%attr(0755,cloud,cloud) %{_localstatedir}/run/%{name}-management.pid
+%attr(0755,root,root) %{_bindir}/%{name}-setup-management
+%attr(0755,root,root) %{_bindir}/%{name}-update-xenserver-licenses
+%{_datadir}/%{name}-management/conf
+%{_datadir}/%{name}-management/lib/*.jar
+%{_datadir}/%{name}-management/logs
+%{_datadir}/%{name}-management/templates
+%{_datadir}/%{name}-management/extensions
+%attr(0755,root,root) %{_bindir}/%{name}-setup-databases
+%attr(0755,root,root) %{_bindir}/%{name}-migrate-databases
+%attr(0755,root,root) %{_bindir}/%{name}-set-guest-password
+%attr(0755,root,root) %{_bindir}/%{name}-set-guest-sshkey
+%attr(0755,root,root) %{_bindir}/%{name}-sysvmadm
+%attr(0755,root,root) %{_bindir}/%{name}-setup-encryption
+%attr(0755,root,root) %{_bindir}/cmk
+%{_datadir}/%{name}-management/cks/conf/*.yml
+%{_datadir}/%{name}-management/setup/*.sql
+%{_datadir}/%{name}-management/setup/*.sh
+%{_datadir}/%{name}-management/setup/server-setup.xml
+%{_datadir}/%{name}-management/webapp/*
+%dir %attr(0770, cloud, cloud) %{_datadir}/%{name}-management/templates
+%dir %attr(0770, cloud, cloud) %{_datadir}/%{name}-management/templates/systemvm
+%attr(0644, cloud, cloud) %{_datadir}/%{name}-management/templates/systemvm/*
+%attr(0755,root,root) %{_bindir}/%{name}-external-ipallocator.py
+%attr(0755,root,root) %{_initrddir}/%{name}-ipallocator
+%dir %attr(0770,root,root) %{_localstatedir}/log/%{name}/ipallocator
+%{_defaultdocdir}/%{name}-management-%{version}/LICENSE
+%{_defaultdocdir}/%{name}-management-%{version}/NOTICE
+%{_datadir}/%{name}-management/setup/wheel/*.whl
+%dir %attr(0755,cloud,cloud) %{_sysconfdir}/%{name}/extensions
+%attr(0755,cloud,cloud) %{_sysconfdir}/%{name}/extensions/*
+
+%files agent
+%attr(0755,root,root) %{_bindir}/%{name}-setup-agent
+%attr(0755,root,root) %{_bindir}/%{name}-agent-upgrade
+%attr(0755,root,root) %{_bindir}/%{name}-guest-tool
+%attr(0755,root,root) %{_bindir}/%{name}-ssh
+%attr(0644,root,root) %{_unitdir}/%{name}-agent.service
+%attr(0644,root,root) %{_unitdir}/%{name}-rolling-maintenance@.service
+%config(noreplace) %{_sysconfdir}/default/%{name}-agent
+%attr(0644,root,root) %{_sysconfdir}/profile.d/%{name}-agent-profile.sh
+%config(noreplace) %attr(0644,root,root) %{_sysconfdir}/logrotate.d/%{name}-agent
+%attr(0755,root,root) %{_datadir}/%{name}-common/scripts/network/cisco
+%config(noreplace) %{_sysconfdir}/%{name}/agent
+%dir %{_localstatedir}/log/%{name}/agent
+%attr(0644,root,root) %{_datadir}/%{name}-agent/lib/*.jar
+%attr(0755,root,root) %{_datadir}/%{name}-agent/lib/libvirtqemuhook
+%attr(0755,root,root) %{_datadir}/%{name}-agent/lib/rolling-maintenance
+%dir %{_datadir}/%{name}-agent/plugins
+%{_defaultdocdir}/%{name}-agent-%{version}/LICENSE
+%{_defaultdocdir}/%{name}-agent-%{version}/NOTICE
+
+%files common
+%dir %attr(0755,root,root) %{_datadir}/%{name}-common/python-site/cloudutils
+%dir %attr(0755,root,root) %{_datadir}/%{name}-common/vms
+%attr(0755,root,root) %{_datadir}/%{name}-common/scripts
+%attr(0755,root,root) /usr/bin/cloudstack-sccs
+%attr(0644, root, root) %{_datadir}/%{name}-common/vms/agent.zip
+%attr(0644, root, root) %{_datadir}/%{name}-common/vms/cloud-scripts.tgz
+%attr(0644, root, root) %{_datadir}/%{name}-common/vms/patch-sysvms.sh
+%attr(0644,root,root) %{_datadir}/%{name}-common/python-site/cloud_utils.py
+%attr(0644,root,root) %{_datadir}/%{name}-common/python-site/__pycache__/*
+%attr(0644,root,root) %{_datadir}/%{name}-common/python-site/cloudutils/*
+%attr(0644, root, root) %{_datadir}/%{name}-common/lib/jasypt-1.9.3.jar
+%attr(0644, root, root) %{_datadir}/%{name}-common/lib/%{name}-utils.jar
+%{_defaultdocdir}/%{name}-common-%{version}/LICENSE
+%{_defaultdocdir}/%{name}-common-%{version}/NOTICE
+
+%files ui
+%config(noreplace) %attr(0640,root,cloud) %{_sysconfdir}/%{name}/ui/config.json
+%{_datadir}/%{name}-ui/*
+%{_defaultdocdir}/%{name}-ui-%{version}/LICENSE
+%{_defaultdocdir}/%{name}-ui-%{version}/NOTICE
+
+%files usage
+%attr(0644,root,root) %{_unitdir}/%{name}-usage.service
+%config(noreplace) %{_sysconfdir}/default/%{name}-usage
+%config(noreplace) %attr(0644,root,root) %{_sysconfdir}/logrotate.d/%{name}-usage
+%attr(0644,root,root) %{_datadir}/%{name}-usage/*.jar
+%attr(0644,root,root) %{_datadir}/%{name}-usage/lib/*.jar
+%dir %attr(0770,root,cloud) %{_localstatedir}/log/%{name}/usage
+%attr(0644,root,root) %{_sysconfdir}/%{name}/usage/db.properties
+%attr(0644,root,root) %{_sysconfdir}/%{name}/usage/log4j-cloud.xml
+%{_defaultdocdir}/%{name}-usage-%{version}/LICENSE
+%{_defaultdocdir}/%{name}-usage-%{version}/NOTICE
+
+%files marvin
+%attr(0644,root,root) %{_datadir}/%{name}-marvin/Marvin*.tar.gz
+%{_defaultdocdir}/%{name}-marvin-%{version}/LICENSE
+%{_defaultdocdir}/%{name}-marvin-%{version}/NOTICE
+
+%files integration-tests
+%attr(0755,root,root) %{_datadir}/%{name}-integration-tests/*
+%{_defaultdocdir}/%{name}-integration-tests-%{version}/LICENSE
+%{_defaultdocdir}/%{name}-integration-tests-%{version}/NOTICE
+
+%if "%{_ossnoss}" == "noredist"
+%files mysql-ha
+%defattr(0644,cloud,cloud,0755)
+%attr(0644,root,root) %{_datadir}/%{name}-mysql-ha/lib/*
+%endif
+
+%files baremetal-agent
+%attr(0755,root,root) %{_bindir}/cloudstack-setup-baremetal
+
+%changelog
+* Thu Dec 22 2022 Rohit Yadav <rohit@apache.org> 4.18.0
+- Add support for EL9
+
+* Fri Oct 14 2022 Daan Hoogland <daan.hoogland@gmail.com> 4.18.0
+- initialising sanity check pointer file
+
+* Tue Jun 29 2021 David Jumani <dj.davidjumani1994@gmail.com> 4.16.0
+- Adding SUSE 15 support
+
+* Thu Apr 30 2015 Rohit Yadav <bhaisaab@apache.org> 4.6.0
+- Remove awsapi package
+
+* Wed Nov 19 2014 Hugo Trippaers <hugo@apache.org> 4.6.0
+- Create a specific spec for CentOS 7
+
+* Fri Jul 4 2014 Hugo Trippaers <hugo@apache.org> 4.5.0
+- Add a package for the mysql ha module
+
+* Fri Oct 5 2012 Hugo Trippaers <hugo@apache.org> 4.1.0
+- new style spec file
diff --git a/packaging/suse15/cloudstack-agent.te b/packaging/suse15/cloudstack-agent.te
new file mode 120000
index 000000000000..30e123f6cba5
--- /dev/null
+++ b/packaging/suse15/cloudstack-agent.te
@@ -0,0 +1 @@
+../el8/cloudstack-agent.te
\ No newline at end of file
diff --git a/packaging/suse15/cloudstack-sccs b/packaging/suse15/cloudstack-sccs
new file mode 120000
index 000000000000..b9e6ed9dc085
--- /dev/null
+++ b/packaging/suse15/cloudstack-sccs
@@ -0,0 +1 @@
+../el8/cloudstack-sccs
\ No newline at end of file
diff --git a/packaging/suse15/filelimit.conf b/packaging/suse15/filelimit.conf
new file mode 120000
index 000000000000..c71688ea640a
--- /dev/null
+++ b/packaging/suse15/filelimit.conf
@@ -0,0 +1 @@
+../el8/filelimit.conf
\ No newline at end of file
diff --git a/packaging/suse15/replace.properties b/packaging/suse15/replace.properties
new file mode 100644
index 000000000000..b1900af83406
--- /dev/null
+++ b/packaging/suse15/replace.properties
@@ -0,0 +1,65 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+DBUSER=cloud
+DBPW=cloud
+DBROOTPW=
+MSLOG=vmops.log
+APISERVERLOG=api.log
+DBHOST=localhost
+DBDRIVER=jdbc:mysql
+COMPONENTS-SPEC=components-premium.xml
+REMOTEHOST=localhost
+AGENTCLASSPATH=
+AGENTLOG=/var/log/cloudstack/agent/agent.log
+AGENTLOGDIR=/var/log/cloudstack/agent/
+AGENTSYSCONFDIR=/etc/cloudstack/agent
+APISERVERLOG=/var/log/cloudstack/management/apilog.log
+BINDIR=/usr/bin
+COMMONLIBDIR=/usr/share/cloudstack-common
+CONFIGUREVARS=
+DEPSCLASSPATH=
+DOCDIR=
+IPALOCATORLOG=/var/log/cloudstack/management/ipallocator.log
+JAVADIR=/usr/share/java
+LIBEXECDIR=/usr/libexec
+LOCKDIR=/var/lock
+MSCLASSPATH=
+MSCONF=/etc/cloudstack/management
+MSENVIRON=/usr/share/cloudstack-management
+MSLOG=/var/log/cloudstack/management/management-server.log
+MSLOGDIR=/var/log/cloudstack/management/
+MSMNTDIR=/var/cloudstack/mnt
+MSUSER=cloud
+PIDDIR=/var/run
+PLUGINJAVADIR=/usr/share/cloudstack-management/plugin
+PREMIUMJAVADIR=/usr/share/cloudstack-management/premium
+PYTHONDIR=/usr/share/cloudstack-common/python-site/
+SERVERSYSCONFDIR=/etc/sysconfig
+SETUPDATADIR=/usr/share/cloudstack-management/setup
+SYSCONFDIR=/etc/sysconfig
+SYSTEMCLASSPATH=
+SYSTEMJARS=
+USAGECLASSPATH=
+USAGELOG=/var/log/cloudstack/usage/usage.log
+USAGESYSCONFDIR=/etc/sysconfig
+EXTENSIONSDEPLOYMENTMODE=production
+GUESTNVRAMTEMPLATELEGACY=/usr/share/qemu/ovmf-x86_64-vars.bin
+GUESTLOADERLEGACY=/usr/share/qemu/ovmf-x86_64-code.bin
+GUESTNVRAMTEMPLATESECURE=/usr/share/qemu/ovmf-x86_64-ms-vars.bin
+GUESTLOADERSECURE=/usr/share/qemu/ovmf-x86_64-ms-code.bin
+GUESTNVRAMPATH=/var/lib/libvirt/qemu/nvram/
diff --git a/packaging/systemd/cloudstack-management.default b/packaging/systemd/cloudstack-management.default
index 994a1ee86997..a41338beda68 100644
--- a/packaging/systemd/cloudstack-management.default
+++ b/packaging/systemd/cloudstack-management.default
@@ -17,7 +17,7 @@
 
 JAVA_OPTS="-Djava.security.properties=/etc/cloudstack/management/java.security.ciphers -Djava.awt.headless=true -Xmx2G -XX:+UseParallelGC -XX:MaxGCPauseMillis=500 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/log/cloudstack/management/ -XX:ErrorFile=/var/log/cloudstack/management/cloudstack-management.err --add-opens=java.base/java.lang=ALL-UNNAMED --add-exports=java.base/sun.security.x509=ALL-UNNAMED"
 
-CLASSPATH="/usr/share/cloudstack-management/lib/*:/etc/cloudstack/management:/usr/share/cloudstack-common:/usr/share/cloudstack-management/setup:/usr/share/cloudstack-management:/usr/share/java/mysql-connector-java.jar:/usr/share/cloudstack-mysql-ha/lib/*"
+CLASSPATH="/usr/share/cloudstack-management/lib/*:/etc/cloudstack/management:/usr/share/cloudstack-common:/usr/share/cloudstack-management/setup:/usr/share/cloudstack-management:/usr/share/cloudstack-mysql-ha/lib/*"
 
 BOOTSTRAP_CLASS=org.apache.cloudstack.ServerDaemon
 
diff --git a/packaging/systemd/cloudstack-usage.default b/packaging/systemd/cloudstack-usage.default
index 493f40c277a2..36b71ac3e0d6 100644
--- a/packaging/systemd/cloudstack-usage.default
+++ b/packaging/systemd/cloudstack-usage.default
@@ -17,7 +17,7 @@
 
 JAVA_OPTS="-Xms256m -Xmx2048m --add-opens=java.base/java.lang=ALL-UNNAMED"
 
-CLASSPATH="/usr/share/cloudstack-usage/*:/usr/share/cloudstack-usage/lib/*:/usr/share/cloudstack-mysql-ha/lib/*:/etc/cloudstack/usage:/usr/share/java/mysql-connector-java.jar"
+CLASSPATH="/usr/share/cloudstack-usage/*:/usr/share/cloudstack-usage/lib/*:/usr/share/cloudstack-mysql-ha/lib/*:/etc/cloudstack/usage"
 
 JAVA_CLASS=com.cloud.usage.UsageServer
 
diff --git a/plugins/backup/nas/src/main/java/org/apache/cloudstack/backup/NASBackupProvider.java b/plugins/backup/nas/src/main/java/org/apache/cloudstack/backup/NASBackupProvider.java
index c5b690cfcd40..df9336026f4d 100644
--- a/plugins/backup/nas/src/main/java/org/apache/cloudstack/backup/NASBackupProvider.java
+++ b/plugins/backup/nas/src/main/java/org/apache/cloudstack/backup/NASBackupProvider.java
@@ -357,7 +357,8 @@ private Pair<List<PrimaryDataStoreTO>, List<String>> getVolumePoolsAndPaths(List
             volumePools.add(dataStore != null ? (PrimaryDataStoreTO)dataStore.getTO() : null);
 
             String volumePathPrefix = getVolumePathPrefix(storagePool);
-            volumePaths.add(String.format("%s/%s", volumePathPrefix, volume.getPath()));
+            String volumePathSuffix = getVolumePathSuffix(storagePool);
+            volumePaths.add(String.format("%s%s%s", volumePathPrefix, volume.getPath(), volumePathSuffix));
         }
         return new Pair<>(volumePools, volumePaths);
     }
@@ -367,14 +368,24 @@ private String getVolumePathPrefix(StoragePoolVO storagePool) {
         if (ScopeType.HOST.equals(storagePool.getScope()) ||
                 Storage.StoragePoolType.SharedMountPoint.equals(storagePool.getPoolType()) ||
                 Storage.StoragePoolType.RBD.equals(storagePool.getPoolType())) {
-            volumePathPrefix = storagePool.getPath();
+            volumePathPrefix = storagePool.getPath() + "/";
+        } else if (Storage.StoragePoolType.Linstor.equals(storagePool.getPoolType())) {
+            volumePathPrefix = "/dev/drbd/by-res/cs-";
         } else {
             // Should be Storage.StoragePoolType.NetworkFilesystem
-            volumePathPrefix = String.format("/mnt/%s", storagePool.getUuid());
+            volumePathPrefix = String.format("/mnt/%s/", storagePool.getUuid());
         }
         return volumePathPrefix;
     }
 
+    private String getVolumePathSuffix(StoragePoolVO storagePool) {
+        if (Storage.StoragePoolType.Linstor.equals(storagePool.getPoolType())) {
+            return "/0";
+        } else {
+            return "";
+        }
+    }
+
     @Override
     public Pair<Boolean, String> restoreBackedUpVolume(Backup backup, Backup.VolumeInfo backupVolumeInfo, String hostIp, String dataStoreUuid, Pair<String, VirtualMachine.State> vmNameAndState) {
         final VolumeVO volume = volumeDao.findByUuid(backupVolumeInfo.getUuid());
@@ -419,7 +430,9 @@ public Pair<Boolean, String> restoreBackedUpVolume(Backup backup, Backup.VolumeI
         restoreCommand.setBackupRepoType(backupRepository.getType());
         restoreCommand.setBackupRepoAddress(backupRepository.getAddress());
         restoreCommand.setVmName(vmNameAndState.first());
-        restoreCommand.setRestoreVolumePaths(Collections.singletonList(String.format("%s/%s", getVolumePathPrefix(pool), volumeUUID)));
+        String restoreVolumePath = String.format("%s%s%s", getVolumePathPrefix(pool), volumeUUID, getVolumePathSuffix(pool));
+        restoreCommand.setRestoreVolumePaths(Collections.singletonList(restoreVolumePath));
+        restoreCommand.setRestoreVolumeSizes(Collections.singletonList(backedUpVolumeSize));
         DataStore dataStore = dataStoreMgr.getDataStore(pool.getId(), DataStoreRole.Primary);
         restoreCommand.setRestoreVolumePools(Collections.singletonList(dataStore != null ? (PrimaryDataStoreTO)dataStore.getTO() : null));
         restoreCommand.setDiskType(backupVolumeInfo.getType().name().toLowerCase(Locale.ROOT));
@@ -478,6 +491,9 @@ public boolean deleteBackup(Backup backup, boolean forced) {
         } else {
             host = resourceManager.findOneRandomRunningHostByHypervisor(Hypervisor.HypervisorType.KVM, backup.getZoneId());
         }
+        if (host == null) {
+            throw new CloudRuntimeException(String.format("Unable to find a running KVM host in zone %d to delete backup %s", backup.getZoneId(), backup.getUuid()));
+        }
 
         DeleteBackupCommand command = new DeleteBackupCommand(backup.getExternalId(), backupRepository.getType(),
                 backupRepository.getAddress(), backupRepository.getMountOptions());
@@ -564,7 +580,14 @@ public Pair<Long, Long> getBackupStorageStats(Long zoneId) {
     @Override
     public void syncBackupStorageStats(Long zoneId) {
         final List<BackupRepository> repositories = backupRepositoryDao.listByZoneAndProvider(zoneId, getName());
+        if (CollectionUtils.isEmpty(repositories)) {
+            return;
+        }
         final Host host = resourceManager.findOneRandomRunningHostByHypervisor(Hypervisor.HypervisorType.KVM, zoneId);
+        if (host == null) {
+            logger.warn("Unable to find a running KVM host in zone {} to sync backup storage stats", zoneId);
+            return;
+        }
         for (final BackupRepository repository : repositories) {
             GetBackupStorageStatsCommand command = new GetBackupStorageStatsCommand(repository.getType(), repository.getAddress(), repository.getMountOptions());
             BackupStorageStatsAnswer answer;
diff --git a/plugins/ca/root-ca/src/main/java/org/apache/cloudstack/ca/provider/RootCACustomTrustManager.java b/plugins/ca/root-ca/src/main/java/org/apache/cloudstack/ca/provider/RootCACustomTrustManager.java
index 5ff036fef12f..d018d488c64a 100644
--- a/plugins/ca/root-ca/src/main/java/org/apache/cloudstack/ca/provider/RootCACustomTrustManager.java
+++ b/plugins/ca/root-ca/src/main/java/org/apache/cloudstack/ca/provider/RootCACustomTrustManager.java
@@ -40,17 +40,17 @@ public final class RootCACustomTrustManager implements X509TrustManager {
     private boolean authStrictness = true;
     private boolean allowExpiredCertificate = true;
     private CrlDao crlDao;
-    private X509Certificate caCertificate;
+    private List<X509Certificate> caCertificates;
     private Map<String, X509Certificate> activeCertMap;
 
-    public RootCACustomTrustManager(final String clientAddress, final boolean authStrictness, final boolean allowExpiredCertificate, final Map<String, X509Certificate> activeCertMap, final X509Certificate caCertificate, final CrlDao crlDao) {
+    public RootCACustomTrustManager(final String clientAddress, final boolean authStrictness, final boolean allowExpiredCertificate, final Map<String, X509Certificate> activeCertMap, final List<X509Certificate> caCertificates, final CrlDao crlDao) {
         if (StringUtils.isNotEmpty(clientAddress)) {
             this.clientAddress = clientAddress.replace("/", "").split(":")[0];
         }
         this.authStrictness = authStrictness;
         this.allowExpiredCertificate = allowExpiredCertificate;
         this.activeCertMap = activeCertMap;
-        this.caCertificate = caCertificate;
+        this.caCertificates = caCertificates;
         this.crlDao = crlDao;
     }
 
@@ -151,6 +151,6 @@ public void checkServerTrusted(X509Certificate[] x509Certificates, String s) thr
 
     @Override
     public X509Certificate[] getAcceptedIssuers() {
-        return new X509Certificate[]{caCertificate};
+        return caCertificates.toArray(new X509Certificate[0]);
     }
 }
diff --git a/plugins/ca/root-ca/src/main/java/org/apache/cloudstack/ca/provider/RootCAProvider.java b/plugins/ca/root-ca/src/main/java/org/apache/cloudstack/ca/provider/RootCAProvider.java
index 25c45ed2a102..afb4f561160e 100644
--- a/plugins/ca/root-ca/src/main/java/org/apache/cloudstack/ca/provider/RootCAProvider.java
+++ b/plugins/ca/root-ca/src/main/java/org/apache/cloudstack/ca/provider/RootCAProvider.java
@@ -40,7 +40,6 @@
 import java.security.spec.InvalidKeySpecException;
 import java.util.ArrayList;
 import java.util.Collection;
-import java.util.Collections;
 import java.util.Enumeration;
 import java.util.HashSet;
 import java.util.List;
@@ -60,6 +59,7 @@
 import org.apache.cloudstack.framework.ca.Certificate;
 import org.apache.cloudstack.framework.config.ConfigKey;
 import org.apache.cloudstack.framework.config.Configurable;
+import org.apache.cloudstack.framework.config.ValidatedConfigKey;
 import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
 import org.apache.cloudstack.utils.security.CertUtils;
 import org.apache.cloudstack.utils.security.KeyStoreUtils;
@@ -92,6 +92,7 @@ public final class RootCAProvider extends AdapterBase implements CAProvider, Con
 
     private static KeyPair caKeyPair = null;
     private static X509Certificate caCertificate = null;
+    private static List<X509Certificate> caCertificates = null;
     private static KeyStore managementKeyStore = null;
 
     @Inject
@@ -103,20 +104,25 @@ public final class RootCAProvider extends AdapterBase implements CAProvider, Con
     /////////////// Root CA Settings ///////////////////
     ////////////////////////////////////////////////////
 
-    private static ConfigKey<String> rootCAPrivateKey = new ConfigKey<>("Hidden", String.class,
-            "ca.plugin.root.private.key",
-            null,
-            "The ROOT CA private key.", true);
-
-    private static ConfigKey<String> rootCAPublicKey = new ConfigKey<>("Hidden", String.class,
-            "ca.plugin.root.public.key",
-            null,
-            "The ROOT CA public key.", true);
-
-    private static ConfigKey<String> rootCACertificate = new ConfigKey<>("Hidden", String.class,
-            "ca.plugin.root.ca.certificate",
-            null,
-            "The ROOT CA certificate.", true);
+    private static ConfigKey<String> rootCAPrivateKey = new ValidatedConfigKey<>("Hidden", String.class,
+            "ca.plugin.root.private.key", null,
+            "The ROOT CA private key in PEM format. " +
+            "When set along with the public key and certificate, CloudStack uses this custom CA instead of auto-generating one. " +
+            "All three ca.plugin.root.* keys must be set together. Restart management server(s) when changed.",
+            false, ConfigKey.Scope.Global, null, RootCAProvider::validatePrivateKeyPem);
+
+    private static ConfigKey<String> rootCAPublicKey = new ValidatedConfigKey<>("Hidden", String.class,
+            "ca.plugin.root.public.key", null,
+            "The ROOT CA public key in PEM format (X.509/SPKI: must start with '-----BEGIN PUBLIC KEY-----'). " +
+            "Required when providing a custom CA. Restart management server(s) when changed.",
+            false, ConfigKey.Scope.Global, null, RootCAProvider::validatePublicKeyPem);
+
+    private static ConfigKey<String> rootCACertificate = new ValidatedConfigKey<>("Hidden", String.class,
+            "ca.plugin.root.ca.certificate", null,
+            "The CA certificate(s) in PEM format (must start with '-----BEGIN CERTIFICATE-----'). " +
+            "For intermediate CAs, concatenate the signing cert first, followed by intermediate(s) and root. " +
+            "Required when providing a custom CA. Restart management server(s) when changed.",
+            false, ConfigKey.Scope.Global, null, RootCAProvider::validateCACertificatePem);
 
     private static ConfigKey<String> rootCAIssuerDN = new ConfigKey<>("Advanced", String.class,
             "ca.plugin.root.issuer.dn",
@@ -151,7 +157,7 @@ private Certificate generateCertificate(final List<String> domainNames, final Li
                 caCertificate, caKeyPair, keyPair.getPublic(),
                 subject, CAManager.CertSignatureAlgorithm.value(),
                 validityDays, domainNames, ipAddresses);
-        return new Certificate(clientCertificate, keyPair.getPrivate(), Collections.singletonList(caCertificate));
+        return new Certificate(clientCertificate, keyPair.getPrivate(), caCertificates);
     }
 
     private Certificate generateCertificateUsingCsr(final String csr, final List<String> names, final List<String> ips, final int validityDays) throws NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, CertificateException, SignatureException, IOException, OperatorCreationException {
@@ -205,7 +211,7 @@ private Certificate generateCertificateUsingCsr(final String csr, final List<Str
                 caCertificate, caKeyPair, request.getPublicKey(),
                 subject, CAManager.CertSignatureAlgorithm.value(),
                 validityDays, dnsNames, ipAddresses);
-        return new Certificate(clientCertificate, null, Collections.singletonList(caCertificate));
+        return new Certificate(clientCertificate, null, caCertificates);
     }
 
     ////////////////////////////////////////////////////////
@@ -219,7 +225,7 @@ public boolean canProvisionCertificates() {
 
     @Override
     public List<X509Certificate> getCaCertificate() {
-        return Collections.singletonList(caCertificate);
+        return caCertificates;
     }
 
     @Override
@@ -254,8 +260,8 @@ public boolean revokeCertificate(final BigInteger certSerial, final String certC
     private KeyStore getCaKeyStore() throws CertificateException, NoSuchAlgorithmException, IOException, KeyStoreException {
         final KeyStore ks = KeyStore.getInstance("JKS");
         ks.load(null, null);
-        if (caKeyPair != null && caCertificate != null) {
-            ks.setKeyEntry(caAlias, caKeyPair.getPrivate(), getKeyStorePassphrase(), new X509Certificate[]{caCertificate});
+        if (caKeyPair != null && CollectionUtils.isNotEmpty(caCertificates)) {
+            ks.setKeyEntry(caAlias, caKeyPair.getPrivate(), getKeyStorePassphrase(), caCertificates.toArray(new X509Certificate[0]));
         } else {
             return null;
         }
@@ -274,7 +280,7 @@ public SSLEngine createSSLEngine(final SSLContext sslContext, final String remot
         final boolean authStrictness = rootCAAuthStrictness.value();
         final boolean allowExpiredCertificate = rootCAAllowExpiredCert.value();
 
-        TrustManager[] tms = new TrustManager[]{new RootCACustomTrustManager(remoteAddress, authStrictness, allowExpiredCertificate, certMap, caCertificate, crlDao)};
+        TrustManager[] tms = new TrustManager[]{new RootCACustomTrustManager(remoteAddress, authStrictness, allowExpiredCertificate, certMap, caCertificates, crlDao)};
 
         sslContext.init(kmf.getKeyManagers(), tms, new SecureRandom());
         final SSLEngine sslEngine = sslContext.createSSLEngine();
@@ -316,33 +322,39 @@ private boolean saveNewRootCAKeypair() {
             if (!configDao.update(rootCAPrivateKey.key(), rootCAPrivateKey.category(), CertUtils.privateKeyToPem(keyPair.getPrivate()))) {
                 logger.error("Failed to save RootCA private key");
             }
+            caKeyPair = keyPair;
         } catch (final NoSuchProviderException | NoSuchAlgorithmException | IOException e) {
             logger.error("Failed to generate/save RootCA private/public keys due to exception:", e);
         }
-        return loadRootCAKeyPair();
+        return caKeyPair != null && caKeyPair.getPrivate() != null && caKeyPair.getPublic() != null;
     }
 
-    private boolean saveNewRootCACertificate() {
+    boolean saveNewRootCACertificate() {
         if (caKeyPair == null) {
             throw new CloudRuntimeException("Cannot issue self-signed root CA certificate as CA keypair is not initialized");
         }
         try {
             logger.debug("Generating root CA certificate");
-            final X509Certificate rootCaCertificate = CertUtils.generateV3Certificate(
+            final X509Certificate generatedCACert = CertUtils.generateV3Certificate(
                     null, caKeyPair, caKeyPair.getPublic(),
                     rootCAIssuerDN.value(), CAManager.CertSignatureAlgorithm.value(),
                     getCaValidityDays(), null, null);
-            if (!configDao.update(rootCACertificate.key(), rootCACertificate.category(), CertUtils.x509CertificateToPem(rootCaCertificate))) {
+            if (!configDao.update(rootCACertificate.key(), rootCACertificate.category(), CertUtils.x509CertificateToPem(generatedCACert))) {
                 logger.error("Failed to update RootCA public/x509 certificate");
             }
+            caCertificates = new ArrayList<>(java.util.Collections.singletonList(generatedCACert));
+            caCertificate = generatedCACert;
         } catch (final CertificateException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException | InvalidKeyException | OperatorCreationException | IOException e) {
             logger.error("Failed to generate RootCA certificate from private/public keys due to exception:", e);
             return false;
         }
-        return loadRootCACertificate();
+        return caCertificate != null;
     }
 
     private boolean loadRootCAKeyPair() {
+        if (caKeyPair != null) {
+            return true;
+        }
         if (StringUtils.isAnyEmpty(rootCAPublicKey.value(), rootCAPrivateKey.value())) {
             return false;
         }
@@ -355,14 +367,35 @@ private boolean loadRootCAKeyPair() {
         return caKeyPair.getPrivate() != null && caKeyPair.getPublic() != null;
     }
 
-    private boolean loadRootCACertificate() {
+    boolean loadRootCACertificate() {
+        if (caCertificate != null && CollectionUtils.isNotEmpty(caCertificates)) {
+            return true;
+        }
+        caCertificate = null;
+        caCertificates = null;
         if (StringUtils.isEmpty(rootCACertificate.value())) {
             return false;
         }
         try {
-            caCertificate = CertUtils.pemToX509Certificate(rootCACertificate.value());
-            caCertificate.verify(caKeyPair.getPublic());
-        } catch (final IOException | CertificateException | NoSuchAlgorithmException | InvalidKeyException | SignatureException | NoSuchProviderException e) {
+            final List<X509Certificate> loadedCerts = CertUtils.pemToX509Certificates(rootCACertificate.value());
+            if (CollectionUtils.isEmpty(loadedCerts)) {
+                logger.error("No certificates found in ca.plugin.root.ca.certificate");
+                return false;
+            }
+            final X509Certificate loadedCACert = loadedCerts.get(0);
+
+            // Verify key ownership without enforcing self-signature
+            if (!loadedCACert.getPublicKey().equals(caKeyPair.getPublic())) {
+                logger.error("The public key in the CA certificate does not match the configured CA public key");
+                return false;
+            }
+
+            if (loadedCerts.size() > 1) {
+                logger.info("Loaded CA certificate chain with {} certificate(s)", loadedCerts.size());
+            }
+            caCertificates = loadedCerts;
+            caCertificate = loadedCACert;
+        } catch (final IOException | CertificateException e) {
             logger.error("Failed to load saved RootCA certificate due to exception:", e);
             return false;
         }
@@ -389,9 +422,15 @@ private boolean loadManagementKeyStore() {
         try {
             managementKeyStore = KeyStore.getInstance("JKS");
             managementKeyStore.load(null, null);
-            managementKeyStore.setCertificateEntry(caAlias, caCertificate);
+            int caIndex = 0;
+            for (final X509Certificate cert : caCertificates) {
+                managementKeyStore.setCertificateEntry(caAlias + "-" + caIndex++, cert);
+            }
+            final List<X509Certificate> fullChain = new ArrayList<>();
+            fullChain.add(serverCertificate.getClientCertificate());
+            fullChain.addAll(caCertificates);
             managementKeyStore.setKeyEntry(managementAlias, serverCertificate.getPrivateKey(), getKeyStorePassphrase(),
-                    new X509Certificate[]{serverCertificate.getClientCertificate(), caCertificate});
+                    fullChain.toArray(new X509Certificate[0]));
         } catch (final CertificateException | NoSuchAlgorithmException | KeyStoreException | IOException  e) {
             logger.error("Failed to load root CA management-server keystore due to exception: ", e);
             return false;
@@ -421,14 +460,63 @@ protected void addConfiguredManagementIp(List<String> ipList) {
     }
 
 
+    private static void validatePrivateKeyPem(String value) {
+        if (StringUtils.isEmpty(value)) return;
+        try {
+            CertUtils.pemToPrivateKey(value);
+        } catch (InvalidKeySpecException | IOException e) {
+            throw new IllegalArgumentException(
+                    "ca.plugin.root.private.key is not a valid PEM private key: " + e.getMessage());
+        }
+    }
+
+    private static void validatePublicKeyPem(String value) {
+        if (StringUtils.isEmpty(value)) return;
+        try {
+            CertUtils.pemToPublicKey(value);
+        } catch (InvalidKeySpecException | IOException e) {
+            throw new IllegalArgumentException(
+                    "ca.plugin.root.public.key is not a valid PEM public key: " + e.getMessage());
+        }
+    }
+
+    static void validateCACertificatePem(String value) {
+        if (StringUtils.isEmpty(value)) return;
+        try {
+            final List<X509Certificate> certs = CertUtils.pemToX509Certificates(value);
+            if (CollectionUtils.isEmpty(certs)) {
+                throw new IllegalArgumentException(
+                        "ca.plugin.root.ca.certificate contains no certificates");
+            }
+        } catch (IOException | CertificateException e) {
+            throw new IllegalArgumentException(
+                    "ca.plugin.root.ca.certificate is not a valid PEM certificate: " + e.getMessage());
+        }
+    }
+
     private boolean setupCA() {
-        if (!loadRootCAKeyPair() && !saveNewRootCAKeypair()) {
-            logger.error("Failed to save and load root CA keypair");
-            return false;
+        if (!loadRootCAKeyPair()) {
+            if (hasUserProvidedCAKeys()) {
+                logger.error("Failed to load user-provided CA keys from configuration. " +
+                    "Check that ca.plugin.root.private.key, ca.plugin.root.public.key, and " +
+                    "ca.plugin.root.ca.certificate are all set and in the correct PEM format. " +
+                    "Overwriting with auto-generated keys.");
+            }
+            if (!saveNewRootCAKeypair()) {
+                logger.error("Failed to save and load root CA keypair");
+                return false;
+            }
         }
-        if (!loadRootCACertificate() && !saveNewRootCACertificate()) {
-            logger.error("Failed to save and load root CA certificate");
-            return false;
+        if (!loadRootCACertificate()) {
+            if (hasUserProvidedCAKeys()) {
+                logger.error("Failed to load user-provided CA certificate. " +
+                    "Check that ca.plugin.root.ca.certificate is set and in PEM format. " +
+                    "Overwriting with auto-generated certificate.");
+            }
+            if (!saveNewRootCACertificate()) {
+                logger.error("Failed to save and load root CA certificate");
+                return false;
+            }
         }
         if (!loadManagementKeyStore()) {
             logger.error("Failed to check and configure management server keystore");
@@ -437,10 +525,16 @@ private boolean setupCA() {
         return true;
     }
 
+    private boolean hasUserProvidedCAKeys() {
+        return StringUtils.isNotEmpty(rootCAPublicKey.value())
+            || StringUtils.isNotEmpty(rootCAPrivateKey.value())
+            || StringUtils.isNotEmpty(rootCACertificate.value());
+    }
+
     @Override
     public boolean start() {
         managementCertificateCustomSAN = CAManager.CertManagementCustomSubjectAlternativeName.value();
-        return loadRootCAKeyPair() && loadRootCAKeyPair() && loadManagementKeyStore();
+        return loadRootCAKeyPair() && loadRootCACertificate() && loadManagementKeyStore();
     }
 
     @Override
diff --git a/plugins/ca/root-ca/src/test/java/org/apache/cloudstack/ca/provider/RootCACustomTrustManagerTest.java b/plugins/ca/root-ca/src/test/java/org/apache/cloudstack/ca/provider/RootCACustomTrustManagerTest.java
index d4ded3023321..714e18c3449f 100644
--- a/plugins/ca/root-ca/src/test/java/org/apache/cloudstack/ca/provider/RootCACustomTrustManagerTest.java
+++ b/plugins/ca/root-ca/src/test/java/org/apache/cloudstack/ca/provider/RootCACustomTrustManagerTest.java
@@ -23,9 +23,11 @@
 import java.security.KeyPair;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.List;
 
 import org.apache.cloudstack.utils.security.CertUtils;
 import org.junit.Assert;
@@ -63,14 +65,14 @@ public void setUp() throws Exception {
 
     @Test
     public void testAuthNotStrictWithInvalidCert() throws Exception {
-        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, false, true, certMap, caCertificate, crlDao);
+        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, false, true, certMap, Collections.singletonList(caCertificate), crlDao);
         trustManager.checkClientTrusted(null, null);
     }
 
     @Test
     public void testAuthNotStrictWithRevokedCert() throws Exception {
         Mockito.when(crlDao.findBySerial(Mockito.any(BigInteger.class))).thenReturn(new CrlVO());
-        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, false, true, certMap, caCertificate, crlDao);
+        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, false, true, certMap, Collections.singletonList(caCertificate), crlDao);
         trustManager.checkClientTrusted(new X509Certificate[]{caCertificate}, "RSA");
         Assert.assertTrue(certMap.containsKey(clientIp));
         Assert.assertEquals(certMap.get(clientIp), caCertificate);
@@ -79,7 +81,7 @@ public void testAuthNotStrictWithRevokedCert() throws Exception {
     @Test
     public void testAuthNotStrictWithInvalidCertOwnership() throws Exception {
         Mockito.when(crlDao.findBySerial(Mockito.any(BigInteger.class))).thenReturn(null);
-        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, false, true, certMap, caCertificate, crlDao);
+        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, false, true, certMap, Collections.singletonList(caCertificate), crlDao);
         trustManager.checkClientTrusted(new X509Certificate[]{caCertificate}, "RSA");
         Assert.assertTrue(certMap.containsKey(clientIp));
         Assert.assertEquals(certMap.get(clientIp), caCertificate);
@@ -88,14 +90,14 @@ public void testAuthNotStrictWithInvalidCertOwnership() throws Exception {
     @Test(expected = CertificateException.class)
     public void testAuthNotStrictWithDenyExpiredCertAndOwnership() throws Exception {
         Mockito.when(crlDao.findBySerial(Mockito.any(BigInteger.class))).thenReturn(null);
-        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, false, false, certMap, caCertificate, crlDao);
+        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, false, false, certMap, Collections.singletonList(caCertificate), crlDao);
         trustManager.checkClientTrusted(new X509Certificate[]{expiredClientCertificate}, "RSA");
     }
 
     @Test
     public void testAuthNotStrictWithAllowExpiredCertAndOwnership() throws Exception {
         Mockito.when(crlDao.findBySerial(Mockito.any(BigInteger.class))).thenReturn(null);
-        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, false, true, certMap, caCertificate, crlDao);
+        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, false, true, certMap, Collections.singletonList(caCertificate), crlDao);
         trustManager.checkClientTrusted(new X509Certificate[]{expiredClientCertificate}, "RSA");
         Assert.assertTrue(certMap.containsKey(clientIp));
         Assert.assertEquals(certMap.get(clientIp), expiredClientCertificate);
@@ -103,35 +105,50 @@ public void testAuthNotStrictWithAllowExpiredCertAndOwnership() throws Exception
 
     @Test(expected = CertificateException.class)
     public void testAuthStrictWithInvalidCert() throws Exception {
-        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, true, true, certMap, caCertificate, crlDao);
+        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, true, true, certMap, Collections.singletonList(caCertificate), crlDao);
         trustManager.checkClientTrusted(null, null);
     }
 
     @Test(expected = CertificateException.class)
     public void testAuthStrictWithRevokedCert() throws Exception {
         Mockito.when(crlDao.findBySerial(Mockito.any(BigInteger.class))).thenReturn(new CrlVO());
-        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, true, true, certMap, caCertificate, crlDao);
+        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, true, true, certMap, Collections.singletonList(caCertificate), crlDao);
         trustManager.checkClientTrusted(new X509Certificate[]{caCertificate}, "RSA");
     }
 
     @Test(expected = CertificateException.class)
     public void testAuthStrictWithInvalidCertOwnership() throws Exception {
         Mockito.when(crlDao.findBySerial(Mockito.any(BigInteger.class))).thenReturn(null);
-        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, true, true, certMap, caCertificate, crlDao);
+        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, true, true, certMap, Collections.singletonList(caCertificate), crlDao);
         trustManager.checkClientTrusted(new X509Certificate[]{caCertificate}, "RSA");
     }
 
     @Test(expected = CertificateException.class)
     public void testAuthStrictWithDenyExpiredCertAndOwnership() throws Exception {
         Mockito.when(crlDao.findBySerial(Mockito.any(BigInteger.class))).thenReturn(null);
-        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, true, false, certMap, caCertificate, crlDao);
+        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, true, false, certMap, Collections.singletonList(caCertificate), crlDao);
         trustManager.checkClientTrusted(new X509Certificate[]{expiredClientCertificate}, "RSA");
     }
 
+    @Test
+    public void testGetAcceptedIssuersWithChain() throws Exception {
+        final KeyPair rootKeyPair = CertUtils.generateRandomKeyPair(1024);
+        final X509Certificate rootCert = CertUtils.generateV3Certificate(null, rootKeyPair, rootKeyPair.getPublic(),
+                "CN=root", "SHA256withRSA", 365, null, null);
+        final List<X509Certificate> chain = Arrays.asList(caCertificate, rootCert);
+        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(
+                clientIp, false, true, certMap, chain, crlDao);
+
+        final X509Certificate[] issuers = trustManager.getAcceptedIssuers();
+        Assert.assertEquals(2, issuers.length);
+        Assert.assertEquals(caCertificate, issuers[0]);
+        Assert.assertEquals(rootCert, issuers[1]);
+    }
+
     @Test
     public void testAuthStrictWithAllowExpiredCertAndOwnership() throws Exception {
         Mockito.when(crlDao.findBySerial(Mockito.any(BigInteger.class))).thenReturn(null);
-        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, true, true, certMap, caCertificate, crlDao);
+        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, true, true, certMap, Collections.singletonList(caCertificate), crlDao);
         Assert.assertTrue(trustManager.getAcceptedIssuers() != null);
         Assert.assertTrue(trustManager.getAcceptedIssuers().length == 1);
         Assert.assertEquals(trustManager.getAcceptedIssuers()[0], caCertificate);
diff --git a/plugins/ca/root-ca/src/test/java/org/apache/cloudstack/ca/provider/RootCAProviderTest.java b/plugins/ca/root-ca/src/test/java/org/apache/cloudstack/ca/provider/RootCAProviderTest.java
index 8311f4d45abc..21f00c66a1df 100644
--- a/plugins/ca/root-ca/src/test/java/org/apache/cloudstack/ca/provider/RootCAProviderTest.java
+++ b/plugins/ca/root-ca/src/test/java/org/apache/cloudstack/ca/provider/RootCAProviderTest.java
@@ -31,6 +31,7 @@
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.List;
 import java.util.UUID;
 
@@ -38,6 +39,7 @@
 
 import org.apache.cloudstack.framework.ca.Certificate;
 import org.apache.cloudstack.framework.config.ConfigKey;
+import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
 import org.apache.cloudstack.utils.security.CertUtils;
 import org.apache.cloudstack.utils.security.SSLUtils;
 import org.bouncycastle.asn1.x509.GeneralName;
@@ -49,7 +51,6 @@
 import org.junit.runner.RunWith;
 import org.mockito.Mockito;
 import org.mockito.junit.MockitoJUnitRunner;
-import org.springframework.test.util.ReflectionTestUtils;
 
 
 @RunWith(MockitoJUnitRunner.class)
@@ -75,7 +76,7 @@ public void setUp() throws Exception {
 
         addField(provider, "caKeyPair", caKeyPair);
         addField(provider, "caCertificate", caCertificate);
-        addField(provider, "caKeyPair", caKeyPair);
+        addField(provider, "caCertificates", Collections.singletonList(caCertificate));
     }
 
     @After
@@ -129,6 +130,46 @@ public void testIssueCertificateWithCsr() throws NoSuchProviderException, Certif
         certificate.getClientCertificate().verify(caCertificate.getPublicKey());
     }
 
+    @Test
+    public void testGetCaCertificateWithChain() throws Exception {
+        final KeyPair rootKeyPair = CertUtils.generateRandomKeyPair(1024);
+        final X509Certificate rootCert = CertUtils.generateV3Certificate(null, rootKeyPair, rootKeyPair.getPublic(),
+                "CN=root", "SHA256withRSA", 365, null, null);
+        final KeyPair intermediateKeyPair = CertUtils.generateRandomKeyPair(1024);
+        final X509Certificate intermediateCert = CertUtils.generateV3Certificate(rootCert, rootKeyPair,
+                intermediateKeyPair.getPublic(), "CN=intermediate", "SHA256withRSA", 365, null, null);
+
+        final List<X509Certificate> chain = Arrays.asList(intermediateCert, rootCert);
+        addField(provider, "caKeyPair", intermediateKeyPair);
+        addField(provider, "caCertificate", intermediateCert);
+        addField(provider, "caCertificates", chain);
+
+        Assert.assertEquals(2, provider.getCaCertificate().size());
+        Assert.assertEquals(intermediateCert, provider.getCaCertificate().get(0));
+        Assert.assertEquals(rootCert, provider.getCaCertificate().get(1));
+    }
+
+    @Test
+    public void testIssueCertificateWithoutCsrAndChain() throws Exception {
+        final KeyPair rootKeyPair = CertUtils.generateRandomKeyPair(1024);
+        final X509Certificate rootCert = CertUtils.generateV3Certificate(null, rootKeyPair, rootKeyPair.getPublic(),
+                "CN=root", "SHA256withRSA", 365, null, null);
+        final KeyPair intermediateKeyPair = CertUtils.generateRandomKeyPair(1024);
+        final X509Certificate intermediateCert = CertUtils.generateV3Certificate(rootCert, rootKeyPair,
+                intermediateKeyPair.getPublic(), "CN=intermediate", "SHA256withRSA", 365, null, null);
+
+        addField(provider, "caKeyPair", intermediateKeyPair);
+        addField(provider, "caCertificate", intermediateCert);
+        addField(provider, "caCertificates", Arrays.asList(intermediateCert, rootCert));
+
+        final Certificate certificate = provider.issueCertificate(Arrays.asList("domain1.com"), null, 1);
+        Assert.assertNotNull(certificate);
+        Assert.assertEquals(2, certificate.getCaCertificates().size());
+        Assert.assertEquals(intermediateCert, certificate.getCaCertificates().get(0));
+        Assert.assertEquals(rootCert, certificate.getCaCertificates().get(1));
+        certificate.getClientCertificate().verify(intermediateKeyPair.getPublic());
+    }
+
     @Test
     public void testRevokeCertificate() throws Exception {
         Assert.assertTrue(provider.revokeCertificate(CertUtils.generateRandomBigInt(), "anyString"));
@@ -177,8 +218,8 @@ public void testIsManagementCertificateNoAltNames() {
     }
 
     @Test
-    public void testIsManagementCertificateNoMatch() {
-        ReflectionTestUtils.setField(provider, "managementCertificateCustomSAN", "cloudstack");
+    public void testIsManagementCertificateNoMatch() throws Exception {
+        addField(provider, "managementCertificateCustomSAN", "cloudstack");
         try {
             X509Certificate certificate = Mockito.mock(X509Certificate.class);
             List<List<?>> altNames = new ArrayList<>();
@@ -193,9 +234,9 @@ public void testIsManagementCertificateNoMatch() {
     }
 
     @Test
-    public void testIsManagementCertificateMatch() {
+    public void testIsManagementCertificateMatch() throws Exception {
         String customSAN = "cloudstack";
-        ReflectionTestUtils.setField(provider, "managementCertificateCustomSAN", customSAN);
+        addField(provider, "managementCertificateCustomSAN", customSAN);
         try {
             X509Certificate certificate = Mockito.mock(X509Certificate.class);
             List<List<?>> altNames = new ArrayList<>();
@@ -208,4 +249,58 @@ public void testIsManagementCertificateMatch() {
             Assert.fail(String.format("Exception occurred: %s", e.getMessage()));
         }
     }
+
+    @Test
+    public void testLoadRootCACertificateWithMismatchedCert() throws Exception {
+        KeyPair otherKeyPair = CertUtils.generateRandomKeyPair(1024);
+        X509Certificate mismatchedCert = CertUtils.generateV3Certificate(null, otherKeyPair, otherKeyPair.getPublic(), "CN=other", "SHA256withRSA", 365, null, null);
+        String mismatchedPem = CertUtils.x509CertificateToPem(mismatchedCert);
+
+        ConfigKey<String> mockCertKey = Mockito.mock(ConfigKey.class);
+        Mockito.when(mockCertKey.value()).thenReturn(mismatchedPem);
+        addField(provider, "rootCACertificate", mockCertKey);
+
+        addField(provider, "caCertificate", null);
+        addField(provider, "caCertificates", null);
+
+        Boolean result = provider.loadRootCACertificate();
+        Assert.assertFalse(result);
+        Assert.assertNull(provider.getCaCertificate());
+    }
+
+    @Test
+    public void testSaveNewRootCACertificateWithStaleCache() throws Exception {
+        ConfigurationDao configDao = Mockito.mock(ConfigurationDao.class);
+        addField(provider, "configDao", configDao);
+
+        ConfigKey<String> mockCertKey = Mockito.mock(ConfigKey.class);
+        Mockito.when(mockCertKey.key()).thenReturn("ca.plugin.root.ca.certificate");
+        Mockito.when(mockCertKey.category()).thenReturn("Hidden");
+        addField(provider, "rootCACertificate", mockCertKey);
+
+        ConfigKey<String> mockIssuerKey = Mockito.mock(ConfigKey.class);
+        Mockito.when(mockIssuerKey.value()).thenReturn("CN=ca.cloudstack.apache.org");
+        addField(provider, "rootCAIssuerDN", mockIssuerKey);
+
+        addField(provider, "caCertificate", null);
+        addField(provider, "caCertificates", null);
+
+        Mockito.when(configDao.update(Mockito.anyString(), Mockito.anyString(), Mockito.anyString())).thenReturn(true);
+
+        Boolean result = provider.saveNewRootCACertificate();
+        Assert.assertTrue(result);
+        Assert.assertNotNull(provider.getCaCertificate());
+        Assert.assertEquals(1, provider.getCaCertificate().size());
+    }
+
+    @Test
+    public void testValidateCACertificatePem() throws Exception {
+        String truncatedPem = "-----BEGIN CERTIFICATE-----\nMIICxTCCAa0CAQAw\n";
+        try {
+            RootCAProvider.validateCACertificatePem(truncatedPem);
+            Assert.fail("Expected IllegalArgumentException");
+        } catch (IllegalArgumentException e) {
+            Assert.assertTrue(e.getMessage().contains("is not a valid PEM certificate"));
+        }
+    }
 }
diff --git a/plugins/database/quota/src/main/java/org/apache/cloudstack/api/command/QuotaStatementCmd.java b/plugins/database/quota/src/main/java/org/apache/cloudstack/api/command/QuotaStatementCmd.java
index d3bd3868ed16..bfe26a9f4250 100644
--- a/plugins/database/quota/src/main/java/org/apache/cloudstack/api/command/QuotaStatementCmd.java
+++ b/plugins/database/quota/src/main/java/org/apache/cloudstack/api/command/QuotaStatementCmd.java
@@ -17,7 +17,6 @@
 package org.apache.cloudstack.api.command;
 
 import java.util.Date;
-import java.util.List;
 
 import javax.inject.Inject;
 
@@ -28,24 +27,25 @@
 import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.response.AccountResponse;
 import org.apache.cloudstack.api.response.DomainResponse;
+import org.apache.cloudstack.api.response.ProjectResponse;
 import org.apache.cloudstack.api.response.QuotaResponseBuilder;
 import org.apache.cloudstack.api.response.QuotaStatementItemResponse;
 import org.apache.cloudstack.api.response.QuotaStatementResponse;
-import org.apache.cloudstack.quota.vo.QuotaUsageVO;
 
-import com.cloud.user.Account;
+import org.apache.commons.lang3.ObjectUtils;
 
-@APICommand(name = "quotaStatement", responseObject = QuotaStatementItemResponse.class, description = "Create a quota statement", since = "4.7.0", requestHasSensitiveInfo = false, responseHasSensitiveInfo = false,
-        httpMethod = "GET")
+@APICommand(name = "quotaStatement", responseObject = QuotaStatementItemResponse.class, description = "Create a Quota statement for the provided Account, Project, or Domain.",
+        since = "4.7.0", requestHasSensitiveInfo = false, responseHasSensitiveInfo = false, httpMethod = "GET")
 public class QuotaStatementCmd extends BaseCmd {
 
-
-
-    @Parameter(name = ApiConstants.ACCOUNT, type = CommandType.STRING, required = true, description = "Optional, Account Id for which statement needs to be generated")
+    @ACL
+    @Parameter(name = ApiConstants.ACCOUNT, type = CommandType.STRING,
+            description = "Name of the Account for which the Quota statement will be generated. Deprecated, please use accountid instead.")
     private String accountName;
 
     @ACL
-    @Parameter(name = ApiConstants.DOMAIN_ID, type = CommandType.UUID, required = true, entityType = DomainResponse.class, description = "Optional, If domain Id is given and the caller is domain admin then the statement is generated for domain.")
+    @Parameter(name = ApiConstants.DOMAIN_ID, type = CommandType.UUID, entityType = DomainResponse.class,
+            description = "ID of the Domain for which the Quota statement will be generated. May be used individually or with account.")
     private Long domainId;
 
     @Parameter(name = ApiConstants.END_DATE, type = CommandType.DATE, required = true, description = "End of the period of the Quota statement. " +
@@ -56,15 +56,25 @@ public class QuotaStatementCmd extends BaseCmd {
             ApiConstants.PARAMETER_DESCRIPTION_START_DATE_POSSIBLE_FORMATS)
     private Date startDate;
 
-    @Parameter(name = ApiConstants.TYPE, type = CommandType.INTEGER, description = "List quota usage records for the specified usage type")
+    @Parameter(name = ApiConstants.TYPE, type = CommandType.INTEGER,
+            description = "Consider only Quota usage records for the specified usage type in the statement.")
     private Integer usageType;
 
     @ACL
-    @Parameter(name = ApiConstants.ACCOUNT_ID, type = CommandType.UUID, entityType = AccountResponse.class, description = "List usage records for the specified Account")
+    @Parameter(name = ApiConstants.ACCOUNT_ID, type = CommandType.UUID, entityType = AccountResponse.class,
+            description = "ID of the Account for which the Quota statement will be generated. Can not be specified with projectid.")
     private Long accountId;
 
+    @ACL
+    @Parameter(name = ApiConstants.PROJECT_ID, type = CommandType.UUID, entityType = ProjectResponse.class,
+            description = "ID of the Project for which the Quota statement will be generated. Can not be specified with accountid.", since = "4.23.0")
+    private Long projectId;
+
+    @Parameter(name = ApiConstants.SHOW_RESOURCES, type = CommandType.BOOLEAN, description = "List the resources of each Quota type in the period.", since = "4.23.0")
+    private boolean showResources;
+
     @Inject
-    private QuotaResponseBuilder _responseBuilder;
+    QuotaResponseBuilder responseBuilder;
 
     public Long getAccountId() {
         return accountId;
@@ -99,43 +109,47 @@ public void setDomainId(Long domainId) {
     }
 
     public Date getEndDate() {
-        return _responseBuilder.startOfNextDay(endDate == null ? new Date() : new Date(endDate.getTime()));
+        return endDate;
     }
 
     public void setEndDate(Date endDate) {
-        this.endDate = endDate == null ? null : new Date(endDate.getTime());
+        this.endDate = endDate;
     }
 
     public Date getStartDate() {
-        return startDate == null ? null : new Date(startDate.getTime());
+        return startDate;
     }
 
     public void setStartDate(Date startDate) {
-        this.startDate = startDate == null ? null : new Date(startDate.getTime());
+        this.startDate = startDate;
+    }
+
+    public boolean isShowResources() {
+        return showResources;
+    }
+
+    public void setShowResources(boolean showResources) {
+        this.showResources = showResources;
+    }
+
+    public Long getProjectId() {
+        return projectId;
     }
 
     @Override
     public long getEntityOwnerId() {
-        if (accountId != null) {
-            return accountId;
+        if (ObjectUtils.allNull(accountId, accountName, projectId)) {
+            return -1;
         }
-        Account activeAccountByName = _accountService.getActiveAccountByName(accountName, domainId);
-        if (activeAccountByName != null) {
-            return activeAccountByName.getAccountId();
-        }
-        return Account.ACCOUNT_ID_SYSTEM;
+        return _accountService.finalizeAccountId(accountId, accountName, domainId, projectId);
     }
 
     @Override
     public void execute() {
-        List<QuotaUsageVO> quotaUsage = _responseBuilder.getQuotaUsage(this);
-
-        QuotaStatementResponse response = _responseBuilder.createQuotaStatementResponse(quotaUsage);
-        response.setStartDate(startDate == null ? null : new Date(startDate.getTime()));
-        response.setEndDate(endDate == null ? null : new Date(endDate.getTime()));
-
+        QuotaStatementResponse response = responseBuilder.createQuotaStatementResponse(this);
+        response.setStartDate(startDate);
+        response.setEndDate(endDate);
         response.setResponseName(getCommandName());
         setResponseObject(response);
     }
-
 }
diff --git a/plugins/database/quota/src/main/java/org/apache/cloudstack/api/command/QuotaSummaryCmd.java b/plugins/database/quota/src/main/java/org/apache/cloudstack/api/command/QuotaSummaryCmd.java
index 87322b01f4d4..870b9b6df6e5 100644
--- a/plugins/database/quota/src/main/java/org/apache/cloudstack/api/command/QuotaSummaryCmd.java
+++ b/plugins/database/quota/src/main/java/org/apache/cloudstack/api/command/QuotaSummaryCmd.java
@@ -16,61 +16,80 @@
 //under the License.
 package org.apache.cloudstack.api.command;
 
-import com.cloud.user.Account;
 import com.cloud.utils.Pair;
 
+
+import org.apache.cloudstack.api.ACL;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.BaseListCmd;
 import org.apache.cloudstack.api.Parameter;
+import org.apache.cloudstack.api.response.AccountResponse;
 import org.apache.cloudstack.api.response.DomainResponse;
-import org.apache.cloudstack.api.response.ListResponse;
 import org.apache.cloudstack.api.response.QuotaResponseBuilder;
 import org.apache.cloudstack.api.response.QuotaSummaryResponse;
-import org.apache.cloudstack.context.CallContext;
+import org.apache.cloudstack.api.response.ProjectResponse;
+import org.apache.cloudstack.api.response.ListResponse;
+import org.apache.cloudstack.quota.QuotaAccountStateFilter;
+import org.apache.cloudstack.quota.QuotaService;
+import org.apache.commons.lang3.ObjectUtils;
 
 import java.util.List;
 
 import javax.inject.Inject;
 
-@APICommand(name = "quotaSummary", responseObject = QuotaSummaryResponse.class, description = "Lists balance and quota usage for all Accounts", since = "4.7.0", requestHasSensitiveInfo = false, responseHasSensitiveInfo = false,
-        httpMethod = "GET")
+@APICommand(name = "quotaSummary", responseObject = QuotaSummaryResponse.class, description = "Lists Quota balance summary of Accounts and Projects.", since = "4.7.0",
+        requestHasSensitiveInfo = false, responseHasSensitiveInfo = false, httpMethod = "GET")
 public class QuotaSummaryCmd extends BaseListCmd {
 
-    @Parameter(name = ApiConstants.ACCOUNT, type = CommandType.STRING, required = false, description = "Optional, Account Id for which statement needs to be generated")
+    @Inject
+    QuotaResponseBuilder quotaResponseBuilder;
+
+    @Inject
+    QuotaService quotaService;
+
+    @ACL
+    @Parameter(name = ApiConstants.ACCOUNT_ID, type = CommandType.UUID, entityType = AccountResponse.class, description = "ID of the Account for which balance will be listed. Can not be specified with projectid.", since = "4.23.0")
+    private Long accountId;
+
+    @ACL
+    @Parameter(name = ApiConstants.ACCOUNT, type = CommandType.STRING, required = false, description = "Name of the Account for which balance will be listed.")
     private String accountName;
 
-    @Parameter(name = ApiConstants.DOMAIN_ID, type = CommandType.UUID, required = false, entityType = DomainResponse.class, description = "Optional, If domain Id is given and the caller is domain admin then the statement is generated for domain.")
+    @ACL
+    @Parameter(name = ApiConstants.DOMAIN_ID, type = CommandType.UUID, required = false, entityType = DomainResponse.class, description = "ID of the Domain for which balance will be listed. May be used individually or with accountname.")
     private Long domainId;
 
-    @Parameter(name = ApiConstants.LIST_ALL, type = CommandType.BOOLEAN, required = false, description = "Optional, to list all Accounts irrespective of the quota activity")
+    @Parameter(name = ApiConstants.LIST_ALL, type = CommandType.BOOLEAN, description = "False (default) lists the Quota balance summary for calling Account. True lists balance summary for " +
+            "Accounts which the caller has access. If domain ID is informed, this parameter is considered as true.")
     private Boolean listAll;
 
-    @Inject
-    QuotaResponseBuilder _responseBuilder;
+    @Parameter(name = ApiConstants.ACCOUNT_STATE_TO_SHOW, type = CommandType.STRING, description =  "Possible values are [ALL, ACTIVE, REMOVED]. ALL will list summaries for " +
+            "active and removed accounts; ACTIVE will list summaries only for active accounts; REMOVED will list summaries only for removed accounts. The default value is ACTIVE.",
+            since = "4.23.0")
+    private String accountStateToShow;
 
-    public QuotaSummaryCmd() {
-        super();
-    }
+    @ACL
+    @Parameter(name = ApiConstants.PROJECT_ID, type = CommandType.UUID, entityType = ProjectResponse.class, description = "ID of the Project for which balance will be listed. Can not be specified with accountId.", since = "4.23.0")
+    private Long projectId;
 
     @Override
     public void execute() {
-        Account caller = CallContext.current().getCallingAccount();
-        Pair<List<QuotaSummaryResponse>, Integer> responses;
-        if (caller.getType() == Account.Type.ADMIN) {
-            if (getAccountName() != null && getDomainId() != null)
-                responses = _responseBuilder.createQuotaSummaryResponse(getAccountName(), getDomainId());
-            else
-                responses = _responseBuilder.createQuotaSummaryResponse(isListAll(), getKeyword(), getStartIndex(), getPageSizeVal());
-        } else {
-            responses = _responseBuilder.createQuotaSummaryResponse(caller.getAccountName(), caller.getDomainId());
-        }
-        final ListResponse<QuotaSummaryResponse> response = new ListResponse<QuotaSummaryResponse>();
+        Pair<List<QuotaSummaryResponse>, Integer> responses = quotaResponseBuilder.createQuotaSummaryResponse(this);
+        ListResponse<QuotaSummaryResponse> response = new ListResponse<>();
         response.setResponses(responses.first(), responses.second());
         response.setResponseName(getCommandName());
         setResponseObject(response);
     }
 
+    public Long getAccountId() {
+        return accountId;
+    }
+
+    public void setAccountId(Long accountId) {
+        this.accountId = accountId;
+    }
+
     public String getAccountName() {
         return accountName;
     }
@@ -88,16 +107,31 @@ public void setDomainId(Long domainId) {
     }
 
     public Boolean isListAll() {
-        return listAll == null ? false: listAll;
+        // If a domain ID was specified, then allow listing all summaries of domain
+        return ObjectUtils.defaultIfNull(listAll, Boolean.FALSE) || domainId != null;
     }
 
     public void setListAll(Boolean listAll) {
         this.listAll = listAll;
     }
 
+    public Long getProjectId() {
+        return projectId;
+    }
+
+    public QuotaAccountStateFilter getAccountStateToShow() {
+        QuotaAccountStateFilter state = QuotaAccountStateFilter.getValue(accountStateToShow);
+        if (state != null) {
+            return state;
+        }
+        return QuotaAccountStateFilter.ACTIVE;
+    }
+
     @Override
     public long getEntityOwnerId() {
-        return Account.ACCOUNT_ID_SYSTEM;
+        if (ObjectUtils.allNull(accountId, accountName, projectId)) {
+            return -1;
+        }
+        return _accountService.finalizeAccountId(accountId, accountName, domainId, projectId);
     }
-
 }
diff --git a/plugins/database/quota/src/main/java/org/apache/cloudstack/api/response/QuotaResponseBuilder.java b/plugins/database/quota/src/main/java/org/apache/cloudstack/api/response/QuotaResponseBuilder.java
index 67f75ebf82fb..bde905c487b7 100644
--- a/plugins/database/quota/src/main/java/org/apache/cloudstack/api/response/QuotaResponseBuilder.java
+++ b/plugins/database/quota/src/main/java/org/apache/cloudstack/api/response/QuotaResponseBuilder.java
@@ -24,6 +24,7 @@
 import org.apache.cloudstack.api.command.QuotaEmailTemplateUpdateCmd;
 import org.apache.cloudstack.api.command.QuotaPresetVariablesListCmd;
 import org.apache.cloudstack.api.command.QuotaStatementCmd;
+import org.apache.cloudstack.api.command.QuotaSummaryCmd;
 import org.apache.cloudstack.api.command.QuotaTariffCreateCmd;
 import org.apache.cloudstack.api.command.QuotaTariffListCmd;
 import org.apache.cloudstack.api.command.QuotaTariffUpdateCmd;
@@ -31,7 +32,6 @@
 import org.apache.cloudstack.quota.vo.QuotaBalanceVO;
 import org.apache.cloudstack.quota.vo.QuotaEmailConfigurationVO;
 import org.apache.cloudstack.quota.vo.QuotaTariffVO;
-import org.apache.cloudstack.quota.vo.QuotaUsageVO;
 
 import java.util.Date;
 import java.util.List;
@@ -48,20 +48,14 @@ public interface QuotaResponseBuilder {
 
     boolean isUserAllowedToSeeActivationRules(User user);
 
-    QuotaStatementResponse createQuotaStatementResponse(List<QuotaUsageVO> quotaUsage);
+    QuotaStatementResponse createQuotaStatementResponse(QuotaStatementCmd cmd);
 
     QuotaBalanceResponse createQuotaBalanceResponse(List<QuotaBalanceVO> quotaUsage, Date startDate, Date endDate);
 
-    Pair<List<QuotaSummaryResponse>, Integer> createQuotaSummaryResponse(Boolean listAll);
-
-    Pair<List<QuotaSummaryResponse>, Integer> createQuotaSummaryResponse(Boolean listAll, String keyword, Long startIndex, Long pageSize);
-
-    Pair<List<QuotaSummaryResponse>, Integer> createQuotaSummaryResponse(String accountName, Long domainId);
+    Pair<List<QuotaSummaryResponse>, Integer> createQuotaSummaryResponse(QuotaSummaryCmd cmd);
 
     QuotaBalanceResponse createQuotaLastBalanceResponse(List<QuotaBalanceVO> quotaBalance, Date startDate);
 
-    List<QuotaUsageVO> getQuotaUsage(QuotaStatementCmd cmd);
-
     List<QuotaBalanceVO> getQuotaBalance(QuotaBalanceCmd cmd);
 
     QuotaCreditsResponse addQuotaCredits(Long accountId, Long domainId, Double amount, Long updatedBy, Boolean enforce);
diff --git a/plugins/database/quota/src/main/java/org/apache/cloudstack/api/response/QuotaResponseBuilderImpl.java b/plugins/database/quota/src/main/java/org/apache/cloudstack/api/response/QuotaResponseBuilderImpl.java
index f94565870585..c919bb5887c1 100644
--- a/plugins/database/quota/src/main/java/org/apache/cloudstack/api/response/QuotaResponseBuilderImpl.java
+++ b/plugins/database/quota/src/main/java/org/apache/cloudstack/api/response/QuotaResponseBuilderImpl.java
@@ -21,13 +21,11 @@
 import java.lang.reflect.Modifier;
 import java.lang.reflect.ParameterizedType;
 import java.math.BigDecimal;
-import java.math.RoundingMode;
 import java.time.LocalDate;
 import java.time.ZoneId;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Calendar;
-import java.util.Collection;
 import java.util.Collections;
 import java.util.Comparator;
 import java.util.Date;
@@ -36,17 +34,45 @@
 import java.util.List;
 import java.util.ListIterator;
 import java.util.Map;
+import java.util.Objects;
 import java.util.Set;
 import java.util.function.Consumer;
 import java.util.stream.Collectors;
 
 import javax.inject.Inject;
 
+import com.cloud.domain.Domain;
+import com.cloud.domain.DomainVO;
+import com.cloud.domain.dao.DomainDao;
+import com.cloud.event.ActionEvent;
+import com.cloud.event.EventTypes;
+import com.cloud.exception.InvalidParameterValueException;
 import com.cloud.exception.PermissionDeniedException;
+import com.cloud.network.dao.IPAddressDao;
+import com.cloud.network.dao.IPAddressVO;
+import com.cloud.network.dao.NetworkDao;
+import com.cloud.network.dao.NetworkVO;
+import com.cloud.offerings.dao.NetworkOfferingDao;
+import com.cloud.offerings.NetworkOfferingVO;
+import com.cloud.storage.dao.VMTemplateDao;
+import com.cloud.storage.dao.VolumeDao;
+import com.cloud.storage.dao.SnapshotDao;
+import com.cloud.storage.VMTemplateVO;
+import com.cloud.storage.VolumeVO;
+import com.cloud.storage.SnapshotVO;
+import com.cloud.user.Account;
+import com.cloud.user.AccountManager;
+import com.cloud.user.AccountVO;
+import com.cloud.user.dao.AccountDao;
+import com.cloud.user.dao.UserDao;
 import com.cloud.user.User;
 import com.cloud.user.UserVO;
 import com.cloud.utils.DateUtil;
+import com.cloud.utils.Pair;
 import com.cloud.utils.exception.CloudRuntimeException;
+import com.cloud.vm.VMInstanceVO;
+import com.cloud.vm.dao.VMInstanceDao;
+import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.ApiErrorCode;
 import org.apache.cloudstack.api.ServerApiException;
 import org.apache.cloudstack.api.command.QuotaBalanceCmd;
@@ -56,6 +82,7 @@
 import org.apache.cloudstack.api.command.QuotaEmailTemplateUpdateCmd;
 import org.apache.cloudstack.api.command.QuotaPresetVariablesListCmd;
 import org.apache.cloudstack.api.command.QuotaStatementCmd;
+import org.apache.cloudstack.api.command.QuotaSummaryCmd;
 import org.apache.cloudstack.api.command.QuotaTariffCreateCmd;
 import org.apache.cloudstack.api.command.QuotaTariffListCmd;
 import org.apache.cloudstack.api.command.QuotaTariffUpdateCmd;
@@ -71,14 +98,17 @@
 import org.apache.cloudstack.quota.activationrule.presetvariables.GenericPresetVariable;
 import org.apache.cloudstack.quota.activationrule.presetvariables.PresetVariableDefinition;
 import org.apache.cloudstack.quota.activationrule.presetvariables.PresetVariables;
+import org.apache.cloudstack.quota.activationrule.presetvariables.ResourceCounting;
 import org.apache.cloudstack.quota.activationrule.presetvariables.Value;
 import org.apache.cloudstack.quota.constant.QuotaConfig;
 import org.apache.cloudstack.quota.constant.QuotaTypes;
+
 import org.apache.cloudstack.quota.dao.QuotaAccountDao;
 import org.apache.cloudstack.quota.dao.QuotaBalanceDao;
 import org.apache.cloudstack.quota.dao.QuotaCreditsDao;
 import org.apache.cloudstack.quota.dao.QuotaEmailConfigurationDao;
 import org.apache.cloudstack.quota.dao.QuotaEmailTemplatesDao;
+import org.apache.cloudstack.quota.dao.QuotaSummaryDao;
 import org.apache.cloudstack.quota.dao.QuotaTariffDao;
 import org.apache.cloudstack.quota.dao.QuotaUsageDao;
 import org.apache.cloudstack.quota.vo.QuotaAccountVO;
@@ -86,10 +116,14 @@
 import org.apache.cloudstack.quota.vo.QuotaCreditsVO;
 import org.apache.cloudstack.quota.vo.QuotaEmailConfigurationVO;
 import org.apache.cloudstack.quota.vo.QuotaEmailTemplatesVO;
+import org.apache.cloudstack.quota.vo.QuotaSummaryVO;
 import org.apache.cloudstack.quota.vo.QuotaTariffVO;
-import org.apache.cloudstack.quota.vo.QuotaUsageVO;
+import org.apache.cloudstack.quota.vo.QuotaUsageJoinVO;
+import org.apache.cloudstack.quota.vo.QuotaUsageResourceVO;
 import org.apache.cloudstack.utils.jsinterpreter.JsInterpreter;
 import org.apache.cloudstack.utils.reflectiontostringbuilderutils.ReflectionToStringBuilderUtils;
+import org.apache.commons.collections4.CollectionUtils;
+import org.apache.commons.compress.utils.Sets;
 import org.apache.commons.lang3.ObjectUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.lang3.reflect.FieldUtils;
@@ -97,19 +131,6 @@
 import org.apache.logging.log4j.Logger;
 import org.springframework.stereotype.Component;
 
-import com.cloud.domain.DomainVO;
-import com.cloud.domain.dao.DomainDao;
-import com.cloud.event.ActionEvent;
-import com.cloud.event.EventTypes;
-import com.cloud.exception.InvalidParameterValueException;
-import com.cloud.user.Account;
-import com.cloud.user.AccountManager;
-import com.cloud.user.AccountVO;
-import com.cloud.user.dao.AccountDao;
-import com.cloud.user.dao.UserDao;
-import com.cloud.utils.Pair;
-import com.cloud.utils.db.Filter;
-
 @Component
 public class QuotaResponseBuilderImpl implements QuotaResponseBuilder {
     protected Logger logger = LogManager.getLogger(getClass());
@@ -121,7 +142,7 @@ public class QuotaResponseBuilderImpl implements QuotaResponseBuilder {
     @Inject
     private QuotaCreditsDao quotaCreditsDao;
     @Inject
-    private QuotaUsageDao _quotaUsageDao;
+    private QuotaUsageDao quotaUsageDao;
     @Inject
     private QuotaEmailTemplatesDao _quotaEmailTemplateDao;
 
@@ -134,27 +155,40 @@ public class QuotaResponseBuilderImpl implements QuotaResponseBuilder {
     @Inject
     private QuotaAccountDao quotaAccountDao;
     @Inject
-    private DomainDao _domainDao;
+    private DomainDao domainDao;
     @Inject
     private AccountManager _accountMgr;
     @Inject
-    private QuotaStatement _statement;
+    private QuotaStatement quotaStatement;
     @Inject
     private QuotaManager _quotaManager;
     @Inject
     private QuotaEmailConfigurationDao quotaEmailConfigurationDao;
     @Inject
+    private QuotaSummaryDao quotaSummaryDao;
+    @Inject
     private JsInterpreterHelper jsInterpreterHelper;
     @Inject
     private ApiDiscoveryService apiDiscoveryService;
+    @Inject
+    private IPAddressDao ipAddressDao;
+    @Inject
+    private NetworkDao networkDao;
+    @Inject
+    private NetworkOfferingDao networkOfferingDao;
+    @Inject
+    private SnapshotDao snapshotDao;
+    @Inject
+    private VMInstanceDao vmInstanceDao;
+    @Inject
+    private VMTemplateDao vmTemplateDao;
+    @Inject
+    private VolumeDao volumeDao;
 
-    private final Class<?>[] assignableClasses = {GenericPresetVariable.class, ComputingResources.class};
 
-    protected void checkActivationRulesAllowed(String activationRule) {
-        if (!_quotaService.isJsInterpretationEnabled() && StringUtils.isNotEmpty(activationRule)) {
-            throw new PermissionDeniedException("Quota Tariff Activation Rule cannot be set, as Javascript interpretation is disabled in the configuration.");
-        }
-    }
+    private final Class<?>[] assignableClasses = {GenericPresetVariable.class, ComputingResources.class, ResourceCounting.class};
+
+    private Set<Account.Type> accountTypesThatCanListAllQuotaSummaries = Sets.newHashSet(Account.Type.ADMIN, Account.Type.DOMAIN_ADMIN);
 
     @Override
     public QuotaTariffResponse createQuotaTariffResponse(QuotaTariffVO tariff, boolean returnActivationRule) {
@@ -180,75 +214,113 @@ public QuotaTariffResponse createQuotaTariffResponse(QuotaTariffVO tariff, boole
     }
 
     @Override
-    public Pair<List<QuotaSummaryResponse>, Integer> createQuotaSummaryResponse(final String accountName, final Long domainId) {
-        List<QuotaSummaryResponse> result = new ArrayList<QuotaSummaryResponse>();
+    public Pair<List<QuotaSummaryResponse>, Integer> createQuotaSummaryResponse(QuotaSummaryCmd cmd) {
+        Account caller = CallContext.current().getCallingAccount();
 
-        if (accountName != null && domainId != null) {
-            Account account = _accountDao.findActiveAccount(accountName, domainId);
-            QuotaSummaryResponse qr = getQuotaSummaryResponse(account);
-            result.add(qr);
+        if (!accountTypesThatCanListAllQuotaSummaries.contains(caller.getType()) || !cmd.isListAll()) {
+            return getQuotaSummaryResponse(cmd.getEntityOwnerId(), null, null, cmd);
         }
 
-        return new Pair<>(result, result.size());
+        return getQuotaSummaryResponseWithListAll(cmd, caller);
     }
 
-    @Override
-    public Pair<List<QuotaSummaryResponse>, Integer> createQuotaSummaryResponse(Boolean listAll) {
-        return createQuotaSummaryResponse(listAll, null, null, null);
+    protected Pair<List<QuotaSummaryResponse>, Integer> getQuotaSummaryResponseWithListAll(QuotaSummaryCmd cmd, Account caller) {
+        Long domainId = cmd.getDomainId();
+        if (domainId != null) {
+            DomainVO domain = domainDao.findByIdIncludingRemoved(domainId);
+            if (domain == null) {
+                throw new InvalidParameterValueException(String.format("Domain [%s] does not exist.", domainId));
+            }
+        }
+
+        String domainPath = getDomainPathByDomainIdForDomainAdmin(caller);
+
+        Long accountId = cmd.getEntityOwnerId();
+        if (accountId == -1) {
+            accountId = cmd.isListAll() ? null : caller.getAccountId();
+        }
+
+        return getQuotaSummaryResponse(accountId, domainId, domainPath, cmd);
     }
 
-    @Override
-    public Pair<List<QuotaSummaryResponse>, Integer> createQuotaSummaryResponse(Boolean listAll, final String keyword, final Long startIndex, final Long pageSize) {
-        List<QuotaSummaryResponse> result = new ArrayList<QuotaSummaryResponse>();
-        Integer count = 0;
-        if (listAll) {
-            Filter filter = new Filter(AccountVO.class, "accountName", true, startIndex, pageSize);
-            Pair<List<AccountVO>, Integer> data = _accountDao.findAccountsLike(keyword, filter);
-            count = data.second();
-            for (final AccountVO account : data.first()) {
-                QuotaSummaryResponse qr = getQuotaSummaryResponse(account);
-                result.add(qr);
-            }
-        } else {
-            Pair<List<QuotaAccountVO>, Integer> data = quotaAccountDao.listAllQuotaAccount(startIndex, pageSize);
-            count = data.second();
-            for (final QuotaAccountVO quotaAccount : data.first()) {
-                AccountVO account = _accountDao.findById(quotaAccount.getId());
-                if (account == null) {
-                    continue;
-                }
-                QuotaSummaryResponse qr = getQuotaSummaryResponse(account);
-                result.add(qr);
-            }
+    /**
+     * Retrieves the domain path of the caller's domain (if the caller is Domain Admin) for filtering in the quota summary query.
+     * @return null if the caller is an Admin or the domain path of the caller's domain if the caller is a Domain Admin.
+     * @throws InvalidParameterValueException if it cannot find the domain.
+     */
+    protected String getDomainPathByDomainIdForDomainAdmin(Account caller) {
+        if (caller.getType() != Account.Type.DOMAIN_ADMIN) {
+            return null;
         }
-        return new Pair<>(result, count);
+
+        Long domainId = caller.getDomainId();
+        Domain domain = domainDao.findById(domainId);
+        _accountMgr.checkAccess(caller, domain);
+
+        if (domain == null) {
+            throw new InvalidParameterValueException(String.format("Domain ID [%s] is invalid.", domainId));
+        }
+
+        return domain.getPath();
     }
 
-    protected QuotaSummaryResponse getQuotaSummaryResponse(final Account account) {
-        Calendar[] period = _statement.getCurrentStatementTime();
-
-        if (account != null) {
-            QuotaSummaryResponse qr = new QuotaSummaryResponse();
-            DomainVO domain = _domainDao.findById(account.getDomainId());
-            BigDecimal curBalance = _quotaBalanceDao.lastQuotaBalance(account.getAccountId(), account.getDomainId(), period[1].getTime());
-            BigDecimal quotaUsage = _quotaUsageDao.findTotalQuotaUsage(account.getAccountId(), account.getDomainId(), null, period[0].getTime(), period[1].getTime());
-
-            qr.setAccountId(account.getUuid());
-            qr.setAccountName(account.getAccountName());
-            qr.setDomainId(domain.getUuid());
-            qr.setDomainName(domain.getName());
-            qr.setBalance(curBalance);
-            qr.setQuotaUsage(quotaUsage);
-            qr.setState(account.getState());
-            qr.setStartDate(period[0].getTime());
-            qr.setEndDate(period[1].getTime());
-            qr.setCurrency(QuotaConfig.QuotaCurrencySymbol.value());
-            qr.setQuotaEnabled(QuotaConfig.QuotaAccountEnabled.valueIn(account.getId()));
-            qr.setObjectName("summary");
-            return qr;
-        } else {
-            return new QuotaSummaryResponse();
+    /**
+     * Returns a <code>List</code> of <code>QuotaSummaryResponse</code> based on the provided parameters.
+     * @param accountId ID of the Account to return the summaries for. If <code>-1</code>, either because no specific
+     *                  Account was provided, or list all is disabled, then the summary is generated for the calling Account.
+     * @param domainId ID of the Domain to return the summaries for.
+     * @param domainPath path of the Domain to return the summaries for.
+     */
+    protected Pair<List<QuotaSummaryResponse>, Integer> getQuotaSummaryResponse(Long accountId, Long domainId, String domainPath, QuotaSummaryCmd cmd) {
+        if (accountId != null && accountId == -1) {
+            accountId = CallContext.current().getCallingAccountId();
+        }
+
+        Pair<List<QuotaSummaryVO>, Integer> pairSummaries = quotaSummaryDao.listQuotaSummariesForAccountAndOrDomain(accountId, cmd.getKeyword(), domainId, domainPath,
+                cmd.getAccountStateToShow(), cmd.getStartIndex(), cmd.getPageSizeVal());
+        List<QuotaSummaryVO> summaries = pairSummaries.first();
+
+        if (CollectionUtils.isEmpty(summaries)) {
+            logger.info("There are no summaries to list for parameters [{}].", ReflectionToStringBuilderUtils.reflectOnlySelectedFields(cmd, "accountName", "domainId", "listAll", "page", "pageSize"));
+            return new Pair<>(new ArrayList<>(), 0);
+        }
+
+        List<QuotaSummaryResponse> responses = summaries.stream().map(this::getQuotaSummaryResponse).collect(Collectors.toList());
+
+        return new Pair<>(responses, pairSummaries.second());
+    }
+
+    protected QuotaSummaryResponse getQuotaSummaryResponse(QuotaSummaryVO summary) {
+        QuotaSummaryResponse response = new QuotaSummaryResponse();
+        Account account = _accountDao.findByUuidIncludingRemoved(summary.getAccountUuid());
+
+        Calendar[] period = quotaStatement.getCurrentStatementTime();
+        Date startDate = period[0].getTime();
+        Date endDate = period[1].getTime();
+        BigDecimal quotaUsage = quotaUsageDao.findTotalQuotaUsage(account.getAccountId(), account.getDomainId(), null, startDate, endDate);
+
+        response.setQuotaUsage(quotaUsage);
+        response.setStartDate(startDate);
+        response.setEndDate(endDate);
+        response.setAccountId(summary.getAccountUuid());
+        response.setAccountName(summary.getAccountName());
+        response.setDomainId(summary.getDomainUuid());
+        response.setDomainPath(summary.getDomainPath());
+        response.setBalance(summary.getQuotaBalance());
+        response.setState(summary.getAccountState());
+        response.setCurrency(QuotaConfig.QuotaCurrencySymbol.value());
+        response.setQuotaEnabled(QuotaConfig.QuotaAccountEnabled.valueIn(account.getId()));
+        response.setDomainRemoved(summary.getDomainRemoved() != null);
+        response.setAccountRemoved(summary.getAccountRemoved() != null);
+        response.setObjectName("summary");
+
+        if (summary.getProjectUuid() != null) {
+            response.setProjectId(summary.getProjectUuid());
+            response.setProjectName(summary.getProjectName());
+            response.setProjectRemoved(summary.getProjectRemoved() != null);
         }
+
+        return response;
     }
 
     public boolean isUserAllowedToSeeActivationRules(User user) {
@@ -347,76 +419,210 @@ public int compare(QuotaBalanceVO o1, QuotaBalanceVO o2) {
     }
 
     @Override
-    public QuotaStatementResponse createQuotaStatementResponse(final List<QuotaUsageVO> quotaUsage) {
-        if (quotaUsage == null || quotaUsage.isEmpty()) {
-            throw new InvalidParameterValueException("There is no usage data found for period mentioned.");
-        }
+    public QuotaStatementResponse createQuotaStatementResponse(QuotaStatementCmd cmd) {
+        Long accountId = getAccountIdForQuotaStatement(cmd);
+        Long domainId = getDomainIdForQuotaStatement(cmd, accountId);
+        List<QuotaUsageJoinVO> quotaUsages = _quotaService.getQuotaUsage(accountId, null, domainId, cmd.getUsageType(), cmd.getStartDate(), cmd.getEndDate());
+
+        logger.debug("Creating quota statement from [{}] usage records for parameters [{}].", quotaUsages.size(),
+                ReflectionToStringBuilderUtils.reflectOnlySelectedFields(cmd, "accountName", "accountId", "projectId", "domainId", "startDate", "endDate", "usageType", "showResources"));
+        createDummyRecordForEachQuotaTypeIfUsageTypeIsNotInformed(quotaUsages, cmd.getUsageType());
+
+        Map<Integer, List<QuotaUsageJoinVO>> recordsPerUsageTypes = quotaUsages.stream()
+                .sorted(Comparator.comparingInt(QuotaUsageJoinVO::getUsageType))
+                .collect(Collectors.groupingBy(QuotaUsageJoinVO::getUsageType));
+
+        List<QuotaStatementItemResponse> items = new ArrayList<>();
+        recordsPerUsageTypes.forEach((key, value) -> items.add(createStatementItem(key, value, cmd.isShowResources())));
 
         QuotaStatementResponse statement = new QuotaStatementResponse();
+        statement.setLineItem(items);
+        statement.setTotalQuota(items.stream().map(QuotaStatementItemResponse::getQuotaUsed).reduce(BigDecimal.ZERO, BigDecimal::add));
+        statement.setCurrency(QuotaConfig.QuotaCurrencySymbol.value());
+        statement.setObjectName("statement");
+
+        if (accountId != null) {
+            Account account = _accountDao.findByIdIncludingRemoved(accountId);
+            statement.setAccountId(account.getUuid());
+            statement.setAccountName(account.getAccountName());
+            domainId = account.getDomainId();
+        }
+        if (domainId != null) {
+            DomainVO domain = domainDao.findByIdIncludingRemoved(domainId);
+            statement.setDomainId(domain.getUuid());
+        }
 
-        HashMap<Integer, QuotaTypes> quotaTariffMap = new HashMap<Integer, QuotaTypes>();
-        Collection<QuotaTypes> result = QuotaTypes.listQuotaTypes().values();
+        return statement;
+    }
 
-        for (QuotaTypes quotaTariff : result) {
-            quotaTariffMap.put(quotaTariff.getQuotaType(), quotaTariff);
-            // add dummy record for each usage type
-            QuotaUsageVO dummy = new QuotaUsageVO(quotaUsage.get(0));
-            dummy.setUsageType(quotaTariff.getQuotaType());
-            dummy.setQuotaUsed(new BigDecimal(0));
-            quotaUsage.add(dummy);
+    protected Long getAccountIdForQuotaStatement(QuotaStatementCmd cmd) {
+        if (Account.Type.NORMAL.equals(CallContext.current().getCallingAccount().getType())) {
+            logger.debug("Limiting the Quota statement for the calling Account, as they are a User Account.");
+            return CallContext.current().getCallingAccountId();
         }
 
-        if (logger.isDebugEnabled()) {
-            logger.debug(
-                    "createQuotaStatementResponse Type=" + quotaUsage.get(0).getUsageType() + " usage=" + quotaUsage.get(0).getQuotaUsed().setScale(2, RoundingMode.HALF_EVEN)
-                    + " rec.id=" + quotaUsage.get(0).getUsageItemId() + " SD=" + quotaUsage.get(0).getStartDate() + " ED=" + quotaUsage.get(0).getEndDate());
+        long accountId = cmd.getEntityOwnerId();
+        if (accountId != -1) {
+            return accountId;
         }
 
-        Collections.sort(quotaUsage, new Comparator<QuotaUsageVO>() {
-            @Override
-            public int compare(QuotaUsageVO o1, QuotaUsageVO o2) {
-                if (o1.getUsageType() == o2.getUsageType()) {
-                    return 0;
-                }
-                return o1.getUsageType() < o2.getUsageType() ? -1 : 1;
-            }
-        });
+        if (cmd.getDomainId() == null) {
+            logger.debug("Limiting the Quota statement for the calling Account, as 'domainid' was not informed.");
+            return CallContext.current().getCallingAccountId();
+        }
+
+        logger.debug("Allowing admin/domain admin to generate the Quota statement for the provided Domain.");
+        return null;
+    }
+
+    protected Long getDomainIdForQuotaStatement(QuotaStatementCmd cmd, Long accountId) {
+        if (accountId != null) {
+            logger.debug("Quota statement is already limited to Account [{}].", accountId);
+            Account account = _accountDao.findByIdIncludingRemoved(accountId);
+            return account.getDomainId();
+        }
+
+        Long domainId = cmd.getDomainId();
+        if (domainId != null) {
+            return domainId;
+        }
+
+        logger.debug("Limiting the Quota statement for the calling Account's Domain.");
+        return CallContext.current().getCallingAccount().getDomainId();
+    }
+
+    protected void createDummyRecordForEachQuotaTypeIfUsageTypeIsNotInformed(List<QuotaUsageJoinVO> quotaUsages, Integer usageType) {
+        if (usageType != null) {
+            logger.debug("As the usage type [{}] was informed as parameter of the API quotaStatement, we will not create dummy records.", usageType);
+            return;
+
+        }
+
+        for (Integer quotaType : QuotaTypes.listQuotaTypes().keySet()) {
+            QuotaUsageJoinVO dummy = new QuotaUsageJoinVO();
+            dummy.setUsageType(quotaType);
+            dummy.setQuotaUsed(BigDecimal.ZERO);
+            quotaUsages.add(dummy);
+        }
+    }
+
+    protected QuotaStatementItemResponse createStatementItem(int usageType, List<QuotaUsageJoinVO> usageRecords, boolean showResources) {
+        QuotaUsageJoinVO firstRecord = usageRecords.get(0);
+        int type = firstRecord.getUsageType();
+
+        QuotaTypes quotaType = QuotaTypes.listQuotaTypes().get(type);
+
+        QuotaStatementItemResponse item = new QuotaStatementItemResponse(type);
+        item.setQuotaUsed(usageRecords.stream().map(QuotaUsageJoinVO::getQuotaUsed).filter(Objects::nonNull).reduce(BigDecimal.ZERO, BigDecimal::add));
+        item.setUsageUnit(quotaType.getQuotaUnit());
+        item.setUsageName(quotaType.getQuotaName());
+
+        setStatementItemResources(item, usageType, usageRecords, showResources);
+        return item;
+    }
+
+    protected void setStatementItemResources(QuotaStatementItemResponse statementItem, int usageType, List<QuotaUsageJoinVO> quotaUsageRecords, boolean showResources) {
+        if (!showResources) {
+            return;
+        }
+
+        List<QuotaStatementItemResourceResponse> itemDetails = new ArrayList<>();
+
+        Map<Long, BigDecimal> quotaUsagesValuesAggregatedById = quotaUsageRecords
+                .stream()
+                .filter(quotaUsageJoinVo -> getResourceIdByUsageType(quotaUsageJoinVo, usageType) != null)
+                .collect(Collectors.groupingBy(
+                        quotaUsageJoinVo -> getResourceIdByUsageType(quotaUsageJoinVo, usageType),
+                        Collectors.reducing(new BigDecimal(0), QuotaUsageJoinVO::getQuotaUsed, BigDecimal::add)
+                ));
+
+        for (Map.Entry<Long, BigDecimal> entry : quotaUsagesValuesAggregatedById.entrySet()) {
+            QuotaStatementItemResourceResponse detail = new QuotaStatementItemResourceResponse();
+
+            detail.setQuotaUsed(entry.getValue());
+
+            QuotaUsageResourceVO resource = getResourceFromIdAndType(entry.getKey(), usageType);
+            if (resource != null) {
+                detail.setResourceId(resource.getUuid());
+                detail.setDisplayName(resource.getName());
+                detail.setRemoved(resource.isRemoved());
+            } else {
+                detail.setDisplayName("<untraceable>");
 
-        List<QuotaStatementItemResponse> items = new ArrayList<QuotaStatementItemResponse>();
-        QuotaStatementItemResponse lineitem;
-        int type = -1;
-        BigDecimal usage = new BigDecimal(0);
-        BigDecimal totalUsage = new BigDecimal(0);
-        quotaUsage.add(new QuotaUsageVO());// boundary
-        QuotaUsageVO prev = quotaUsage.get(0);
-        if (logger.isDebugEnabled()) {
-            logger.debug("createQuotaStatementResponse record count=" + quotaUsage.size());
-        }
-        for (final QuotaUsageVO quotaRecord : quotaUsage) {
-            if (type != quotaRecord.getUsageType()) {
-                if (type != -1) {
-                    lineitem = new QuotaStatementItemResponse(type);
-                    lineitem.setQuotaUsed(usage);
-                    lineitem.setAccountId(prev.getAccountId());
-                    lineitem.setDomainId(prev.getDomainId());
-                    lineitem.setUsageUnit(quotaTariffMap.get(type).getQuotaUnit());
-                    lineitem.setUsageName(quotaTariffMap.get(type).getQuotaName());
-                    lineitem.setObjectName("quotausage");
-                    items.add(lineitem);
-                    totalUsage = totalUsage.add(usage);
-                    usage = new BigDecimal(0);
-                }
-                type = quotaRecord.getUsageType();
             }
-            prev = quotaRecord;
-            usage = usage.add(quotaRecord.getQuotaUsed());
+            itemDetails.add(detail);
         }
+        statementItem.setResources(itemDetails);
+    }
 
-        statement.setLineItem(items);
-        statement.setTotalQuota(totalUsage);
-        statement.setCurrency(QuotaConfig.QuotaCurrencySymbol.value());
-        statement.setObjectName("statement");
-        return statement;
+    protected Long getResourceIdByUsageType(QuotaUsageJoinVO quotaUsageJoinVo, int usageType) {
+        switch (usageType) {
+            case QuotaTypes.NETWORK_BYTES_SENT:
+            case QuotaTypes.NETWORK_BYTES_RECEIVED:
+                return quotaUsageJoinVo.getNetworkId();
+            case QuotaTypes.NETWORK_OFFERING:
+                return quotaUsageJoinVo.getOfferingId();
+            default:
+                return quotaUsageJoinVo.getResourceId();
+        }
+    }
+
+    protected QuotaUsageResourceVO getResourceFromIdAndType(long resourceId, int usageType) {
+        switch (usageType) {
+            case QuotaTypes.ALLOCATED_VM:
+            case QuotaTypes.RUNNING_VM:
+                VMInstanceVO vmInstance = vmInstanceDao.findByIdIncludingRemoved(resourceId);
+                if (vmInstance != null) {
+                    return new QuotaUsageResourceVO(vmInstance.getUuid(), vmInstance.getHostName(), vmInstance.getRemoved());
+                }
+                break;
+            case QuotaTypes.VOLUME:
+            case QuotaTypes.VOLUME_SECONDARY:
+            case QuotaTypes.VM_DISK_BYTES_READ:
+            case QuotaTypes.VM_DISK_BYTES_WRITE:
+            case QuotaTypes.VM_DISK_IO_READ:
+            case QuotaTypes.VM_DISK_IO_WRITE:
+                VolumeVO volume = volumeDao.findByIdIncludingRemoved(resourceId);
+                if (volume != null) {
+                    return new QuotaUsageResourceVO(volume.getUuid(), volume.getName(), volume.getRemoved());
+                }
+                break;
+            case QuotaTypes.VM_SNAPSHOT_ON_PRIMARY:
+            case QuotaTypes.VM_SNAPSHOT:
+            case QuotaTypes.SNAPSHOT:
+                SnapshotVO snapshot = snapshotDao.findByIdIncludingRemoved(resourceId);
+                if (snapshot != null) {
+                    return new QuotaUsageResourceVO(snapshot.getUuid(), snapshot.getName(), snapshot.getRemoved());
+                }
+                break;
+            case QuotaTypes.NETWORK_BYTES_SENT:
+            case QuotaTypes.NETWORK_BYTES_RECEIVED:
+                NetworkVO network = networkDao.findByIdIncludingRemoved(resourceId);
+                if (network != null) {
+                    return new QuotaUsageResourceVO(network.getUuid(), network.getName(), network.getRemoved());
+                }
+                break;
+            case QuotaTypes.TEMPLATE:
+            case QuotaTypes.ISO:
+                VMTemplateVO vmTemplate = vmTemplateDao.findByIdIncludingRemoved(resourceId);
+                if (vmTemplate != null) {
+                    return new QuotaUsageResourceVO(vmTemplate.getUuid(), vmTemplate.getName(), vmTemplate.getRemoved());
+                }
+                break;
+            case QuotaTypes.NETWORK_OFFERING:
+                NetworkOfferingVO networkOffering = networkOfferingDao.findByIdIncludingRemoved(resourceId);
+                if (networkOffering != null) {
+                    return new QuotaUsageResourceVO(networkOffering.getUuid(), networkOffering.getName(), networkOffering.getRemoved());
+                }
+                break;
+            case QuotaTypes.IP_ADDRESS:
+                IPAddressVO ipAddress = ipAddressDao.findByIdIncludingRemoved(resourceId);
+                if (ipAddress != null) {
+                    return new QuotaUsageResourceVO(ipAddress.getUuid(), ipAddress.getName(), ipAddress.getRemoved());
+                }
+                break;
+        }
+        return null;
     }
 
     @Override
@@ -450,6 +656,7 @@ public QuotaTariffVO updateQuotaTariffPlan(QuotaTariffUpdateCmd cmd) {
         Integer position = cmd.getPosition();
 
         warnQuotaTariffUpdateDeprecatedFields(cmd);
+        jsInterpreterHelper.ensureInterpreterEnabledIfParameterProvided(ApiConstants.ACTIVATION_RULE, StringUtils.isNotBlank(activationRule));
 
         QuotaTariffVO currentQuotaTariff = _quotaTariffDao.findByName(name);
 
@@ -457,8 +664,6 @@ public QuotaTariffVO updateQuotaTariffPlan(QuotaTariffUpdateCmd cmd) {
             throw new InvalidParameterValueException(String.format("There is no quota tariffs with name [%s].", name));
         }
 
-        checkActivationRulesAllowed(activationRule);
-
         Date currentQuotaTariffStartDate = currentQuotaTariff.getEffectiveOn();
 
         currentQuotaTariff.setRemoved(now);
@@ -473,14 +678,14 @@ public QuotaTariffVO updateQuotaTariffPlan(QuotaTariffUpdateCmd cmd) {
     }
 
     protected void warnQuotaTariffUpdateDeprecatedFields(QuotaTariffUpdateCmd cmd) {
-        String warnMessage = "The parameter 's%s' for API 'quotaTariffUpdate' is no longer needed and it will be removed in future releases.";
+        String warnMessage = "The parameter '{}' for API 'quotaTariffUpdate' is no longer needed and it will be removed in future releases.";
 
         if (cmd.getStartDate() != null) {
-            logger.warn(String.format(warnMessage,"startdate"));
+            logger.warn(warnMessage, "startdate");
         }
 
         if (cmd.getUsageType() != null) {
-            logger.warn(String.format(warnMessage,"usagetype"));
+            logger.warn(warnMessage, "usagetype");
         }
     }
 
@@ -667,11 +872,6 @@ public QuotaBalanceResponse createQuotaLastBalanceResponse(List<QuotaBalanceVO>
         return resp;
     }
 
-    @Override
-    public List<QuotaUsageVO> getQuotaUsage(QuotaStatementCmd cmd) {
-        return _quotaService.getQuotaUsage(cmd.getAccountId(), cmd.getAccountName(), cmd.getDomainId(), cmd.getUsageType(), cmd.getStartDate(), cmd.getEndDate());
-    }
-
     @Override
     public List<QuotaBalanceVO> getQuotaBalance(QuotaBalanceCmd cmd) {
         return _quotaService.findQuotaBalanceVO(cmd.getAccountId(), cmd.getAccountName(), cmd.getDomainId(), cmd.getStartDate(), cmd.getEndDate());
@@ -707,14 +907,14 @@ public QuotaTariffVO createQuotaTariff(QuotaTariffCreateCmd cmd) {
         String activationRule = cmd.getActivationRule();
         Integer position = ObjectUtils.defaultIfNull(cmd.getPosition(), 1);
 
+        jsInterpreterHelper.ensureInterpreterEnabledIfParameterProvided(ApiConstants.ACTIVATION_RULE, StringUtils.isNotBlank(activationRule));
+
         QuotaTariffVO currentQuotaTariff = _quotaTariffDao.findByName(name);
 
         if (currentQuotaTariff != null) {
             throw new InvalidParameterValueException(String.format("A quota tariff with name [%s] already exist.", name));
         }
 
-        checkActivationRulesAllowed(activationRule);
-
         if (startDate.compareTo(now) < 0) {
             throw new InvalidParameterValueException(String.format("The value passed as Quota tariff's start date is in the past: [%s]. " +
                     "Please, inform a date in the future or do not pass the parameter to use the current date and time.", startDate));
diff --git a/plugins/database/quota/src/main/java/org/apache/cloudstack/api/response/QuotaStatementItemResourceResponse.java b/plugins/database/quota/src/main/java/org/apache/cloudstack/api/response/QuotaStatementItemResourceResponse.java
new file mode 100644
index 000000000000..3e052f733391
--- /dev/null
+++ b/plugins/database/quota/src/main/java/org/apache/cloudstack/api/response/QuotaStatementItemResourceResponse.java
@@ -0,0 +1,61 @@
+//Licensed to the Apache Software Foundation (ASF) under one
+//or more contributor license agreements.  See the NOTICE file
+//distributed with this work for additional information
+//regarding copyright ownership.  The ASF licenses this file
+//to you under the Apache License, Version 2.0 (the
+//"License"); you may not use this file except in compliance
+//with the License.  You may obtain a copy of the License at
+//
+//http://www.apache.org/licenses/LICENSE-2.0
+//
+//Unless required by applicable law or agreed to in writing,
+//software distributed under the License is distributed on an
+//"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+//KIND, either express or implied.  See the License for the
+//specific language governing permissions and limitations
+//under the License.
+package org.apache.cloudstack.api.response;
+
+import java.math.BigDecimal;
+
+import com.google.gson.annotations.SerializedName;
+
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.BaseResponse;
+
+import com.cloud.serializer.Param;
+
+public class QuotaStatementItemResourceResponse extends BaseResponse {
+
+    @SerializedName(ApiConstants.QUOTA_CONSUMED)
+    @Param(description = "Quota consumed.")
+    private BigDecimal quotaUsed;
+
+    @SerializedName(ApiConstants.RESOURCE_ID)
+    @Param(description = "Resources's ID.")
+    private String resourceId;
+
+    @SerializedName(ApiConstants.DISPLAY_NAME)
+    @Param(description = "Resource's display name.")
+    private String displayName;
+
+    @SerializedName(ApiConstants.REMOVED)
+    @Param(description = "Indicates whether the resource is removed or active.")
+    private boolean removed;
+
+    public void setQuotaUsed(BigDecimal quotaUsed) {
+        this.quotaUsed = quotaUsed;
+    }
+
+    public void setResourceId(String resourceId) {
+        this.resourceId = resourceId;
+    }
+
+    public void setDisplayName(String displayName) {
+        this.displayName = displayName;
+    }
+
+    public void setRemoved(boolean removed) {
+        this.removed = removed;
+    }
+}
diff --git a/plugins/database/quota/src/main/java/org/apache/cloudstack/api/response/QuotaStatementItemResponse.java b/plugins/database/quota/src/main/java/org/apache/cloudstack/api/response/QuotaStatementItemResponse.java
index c370d82b3cc4..0747c5a9172d 100644
--- a/plugins/database/quota/src/main/java/org/apache/cloudstack/api/response/QuotaStatementItemResponse.java
+++ b/plugins/database/quota/src/main/java/org/apache/cloudstack/api/response/QuotaStatementItemResponse.java
@@ -17,72 +17,41 @@
 package org.apache.cloudstack.api.response;
 
 import java.math.BigDecimal;
-import java.math.RoundingMode;
+import java.util.List;
 
 import com.google.gson.annotations.SerializedName;
 
+import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.BaseResponse;
 
 import com.cloud.serializer.Param;
 
 public class QuotaStatementItemResponse extends BaseResponse {
 
-    @SerializedName("type")
-    @Param(description = "Usage type")
+    @SerializedName(ApiConstants.TYPE)
+    @Param(description = "Usage type.")
     private int usageType;
 
-    @SerializedName("accountid")
-    @Param(description = "Account id")
-    private Long accountId;
-
-    @SerializedName("account")
-    @Param(description = "Account name")
-    private String accountName;
-
-    @SerializedName("domain")
-    @Param(description = "Domain id")
-    private Long domainId;
-
-    @SerializedName("name")
-    @Param(description = "Usage type name")
+    @SerializedName(ApiConstants.NAME)
+    @Param(description = "Name of the Usage type.")
     private String usageName;
 
-    @SerializedName("unit")
-    @Param(description = "Usage unit")
+    @SerializedName(ApiConstants.UNIT)
+    @Param(description = "Unit of the Usage type.")
     private String usageUnit;
 
-    @SerializedName("quota")
-    @Param(description = "Quota consumed")
+    @SerializedName(ApiConstants.QUOTA)
+    @Param(description = "Quota consumed.")
     private BigDecimal quotaUsed;
 
+    @SerializedName(ApiConstants.RESOURCES)
+    @Param(description = "Item's resources.")
+    private List<QuotaStatementItemResourceResponse> resources;
+
     public QuotaStatementItemResponse(final int usageType) {
         this.usageType = usageType;
     }
 
-    public Long getAccountId() {
-        return accountId;
-    }
-
-    public void setAccountId(Long accountId) {
-        this.accountId = accountId;
-    }
-
-    public String getAccountName() {
-        return accountName;
-    }
-
-    public void setAccountName(String accountName) {
-        this.accountName = accountName;
-    }
-
-    public Long getDomainId() {
-        return domainId;
-    }
-
-    public void setDomainId(Long domainId) {
-        this.domainId = domainId;
-    }
-
     public String getUsageName() {
         return usageName;
     }
@@ -112,7 +81,15 @@ public BigDecimal getQuotaUsed() {
     }
 
     public void setQuotaUsed(BigDecimal quotaUsed) {
-        this.quotaUsed = quotaUsed.setScale(2, RoundingMode.HALF_EVEN);
+        this.quotaUsed = quotaUsed;
+    }
+
+    public List<QuotaStatementItemResourceResponse> getResources() {
+        return resources;
+    }
+
+    public void setResources(List<QuotaStatementItemResourceResponse> resources) {
+        this.resources = resources;
     }
 
 }
diff --git a/plugins/database/quota/src/main/java/org/apache/cloudstack/api/response/QuotaStatementResponse.java b/plugins/database/quota/src/main/java/org/apache/cloudstack/api/response/QuotaStatementResponse.java
index 0a7ba4dbeb94..81cb1011182d 100644
--- a/plugins/database/quota/src/main/java/org/apache/cloudstack/api/response/QuotaStatementResponse.java
+++ b/plugins/database/quota/src/main/java/org/apache/cloudstack/api/response/QuotaStatementResponse.java
@@ -18,56 +18,56 @@
 
 import com.cloud.serializer.Param;
 import com.google.gson.annotations.SerializedName;
+import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.BaseResponse;
 
 import java.math.BigDecimal;
-import java.math.RoundingMode;
 import java.util.Date;
 import java.util.List;
 
 public class QuotaStatementResponse  extends BaseResponse {
 
-    @SerializedName("accountid")
-    @Param(description = "Account ID")
-    private Long accountId;
+    @SerializedName(ApiConstants.ACCOUNT_ID)
+    @Param(description = "ID of the Account.")
+    private String accountId;
 
-    @SerializedName("account")
-    @Param(description = "Account name")
+    @SerializedName(ApiConstants.ACCOUNT)
+    @Param(description = "Name of the Account.")
     private String accountName;
 
-    @SerializedName("domain")
-    @Param(description = "Domain ID")
-    private Long domainId;
+    @SerializedName(ApiConstants.DOMAIN)
+    @Param(description = "ID of the Domain.")
+    private String domainId;
 
-    @SerializedName("quotausage")
-    @Param(description = "List of quota usage under various types", responseObject = QuotaStatementItemResponse.class)
+    @SerializedName(ApiConstants.QUOTA_USAGE)
+    @Param(description = "List of Quota usage under various types.", responseObject = QuotaStatementItemResponse.class)
     private List<QuotaStatementItemResponse> lineItem;
 
-    @SerializedName("totalquota")
-    @Param(description = "Total quota used during this period")
+    @SerializedName(ApiConstants.TOTAL_QUOTA)
+    @Param(description = "Total Quota consumed during this period.")
     private BigDecimal totalQuota;
 
-    @SerializedName("startdate")
-    @Param(description = "Start date")
+    @SerializedName(ApiConstants.START_DATE)
+    @Param(description = "Start date of the Quota statement.")
     private Date startDate = null;
 
-    @SerializedName("enddate")
-    @Param(description = "End date")
+    @SerializedName(ApiConstants.END_DATE)
+    @Param(description = "End date of the Quota statement.")
     private Date endDate = null;
 
-    @SerializedName("currency")
-    @Param(description = "Currency")
+    @SerializedName(ApiConstants.CURRENCY)
+    @Param(description = "Currency of the Quota statement.")
     private String currency;
 
     public QuotaStatementResponse() {
         super();
     }
 
-    public Long getAccountId() {
+    public String getAccountId() {
         return accountId;
     }
 
-    public void setAccountId(Long accountId) {
+    public void setAccountId(String accountId) {
         this.accountId = accountId;
     }
 
@@ -79,45 +79,36 @@ public void setAccountName(String accountName) {
         this.accountName = accountName;
     }
 
-    public Long getDomainId() {
+    public String getDomainId() {
         return domainId;
     }
 
-    public void setDomainId(Long domainId) {
+    public void setDomainId(String domainId) {
         this.domainId = domainId;
     }
 
-    public List<QuotaStatementItemResponse> getLineItem() {
-        return lineItem;
-    }
-
     public void setLineItem(List<QuotaStatementItemResponse> lineItem) {
         this.lineItem = lineItem;
     }
 
     public Date getStartDate() {
-        return startDate == null ? null : new Date(startDate.getTime());
+        return startDate;
     }
 
     public void setStartDate(Date startDate) {
-        this.startDate = startDate == null ? null : new Date(startDate.getTime());
+        this.startDate = startDate;
     }
 
     public Date getEndDate() {
-        return endDate == null ? null : new Date(endDate.getTime());
+        return endDate;
     }
 
     public void setEndDate(Date endDate) {
-        this.endDate = endDate == null ? null : new Date(endDate.getTime());
-    }
-
-
-    public BigDecimal getTotalQuota() {
-        return totalQuota;
+        this.endDate = endDate;
     }
 
     public void setTotalQuota(BigDecimal totalQuota) {
-        this.totalQuota = totalQuota.setScale(2, RoundingMode.HALF_EVEN);
+        this.totalQuota = totalQuota;
     }
 
     public String getCurrency() {
diff --git a/plugins/database/quota/src/main/java/org/apache/cloudstack/api/response/QuotaSummaryResponse.java b/plugins/database/quota/src/main/java/org/apache/cloudstack/api/response/QuotaSummaryResponse.java
index f8f27b4813d8..d76202bfd889 100644
--- a/plugins/database/quota/src/main/java/org/apache/cloudstack/api/response/QuotaSummaryResponse.java
+++ b/plugins/database/quota/src/main/java/org/apache/cloudstack/api/response/QuotaSummaryResponse.java
@@ -17,7 +17,6 @@
 package org.apache.cloudstack.api.response;
 
 import java.math.BigDecimal;
-import java.math.RoundingMode;
 import java.util.Date;
 
 import com.google.gson.annotations.SerializedName;
@@ -30,40 +29,48 @@
 public class QuotaSummaryResponse extends BaseResponse {
 
     @SerializedName("accountid")
-    @Param(description = "Account ID")
+    @Param(description = "Account's ID")
     private String accountId;
 
     @SerializedName("account")
-    @Param(description = "Account name")
+    @Param(description = "Account's name")
     private String accountName;
 
     @SerializedName("domainid")
-    @Param(description = "Domain ID")
+    @Param(description = "Domain's ID")
     private String domainId;
 
     @SerializedName("domain")
-    @Param(description = "Domain name")
-    private String domainName;
+    @Param(description = "Domain's path")
+    private String domainPath;
 
     @SerializedName("balance")
-    @Param(description = "Account balance")
+    @Param(description = "Account's balance")
     private BigDecimal balance;
 
     @SerializedName("state")
-    @Param(description = "Account state")
+    @Param(description = "Account's state")
     private State state;
 
+    @SerializedName("domainremoved")
+    @Param(description = "If the domain is removed or not", since = "4.23.0")
+    private boolean domainRemoved;
+
+    @SerializedName("accountremoved")
+    @Param(description = "If the account is removed or not", since = "4.23.0")
+    private boolean accountRemoved;
+
     @SerializedName("quota")
-    @Param(description = "Quota usage of this period")
+    @Param(description = "Quota consumed between the startdate and enddate")
     private BigDecimal quotaUsage;
 
     @SerializedName("startdate")
-    @Param(description = "Start date")
-    private Date startDate = null;
+    @Param(description = "Start date of the quota consumption")
+    private Date startDate;
 
     @SerializedName("enddate")
-    @Param(description = "End date")
-    private Date endDate = null;
+    @Param(description = "End date of the quota consumption")
+    private Date endDate;
 
     @SerializedName("currency")
     @Param(description = "Currency")
@@ -73,9 +80,17 @@ public class QuotaSummaryResponse extends BaseResponse {
     @Param(description = "If the account has the quota config enabled")
     private boolean quotaEnabled;
 
-    public QuotaSummaryResponse() {
-        super();
-    }
+    @SerializedName("projectname")
+    @Param(description = "Name of the project", since = "4.23.0")
+    private String projectName;
+
+    @SerializedName("projectid")
+    @Param(description = "Project's id", since = "4.23.0")
+    private String projectId;
+
+    @SerializedName("projectremoved")
+    @Param(description = "Whether the project is removed or not", since = "4.23.0")
+    private Boolean projectRemoved;
 
     public String getAccountId() {
         return accountId;
@@ -101,28 +116,16 @@ public void setDomainId(String domainId) {
         this.domainId = domainId;
     }
 
-    public String getDomainName() {
-        return domainName;
-    }
-
-    public void setDomainName(String domainName) {
-        this.domainName = domainName;
-    }
-
-    public BigDecimal getQuotaUsage() {
-        return quotaUsage;
-    }
-
-    public State getState() {
-        return state;
+    public void setDomainPath(String domainPath) {
+        this.domainPath = domainPath;
     }
 
     public void setState(State state) {
         this.state = state;
     }
 
-    public void setQuotaUsage(BigDecimal startQuota) {
-        this.quotaUsage = startQuota.setScale(2, RoundingMode.HALF_EVEN);
+    public void setQuotaUsage(BigDecimal quotaUsage) {
+        this.quotaUsage = quotaUsage;
     }
 
     public BigDecimal getBalance() {
@@ -130,38 +133,42 @@ public BigDecimal getBalance() {
     }
 
     public void setBalance(BigDecimal balance) {
-        this.balance = balance.setScale(2, RoundingMode.HALF_EVEN);
+        this.balance = balance;
     }
 
-    public Date getStartDate() {
-        return startDate == null ?  null : new Date(startDate.getTime());
+    public void setStartDate(Date startDate) {
+        this.startDate = startDate;
     }
 
-    public void setStartDate(Date startDate) {
-        this.startDate =  startDate == null ?  null : new Date(startDate.getTime());
+    public void setEndDate(Date endDate) {
+        this.endDate = endDate;
     }
 
-    public Date getEndDate() {
-        return  endDate == null ?  null : new Date(endDate.getTime());
+    public void setCurrency(String currency) {
+        this.currency = currency;
     }
 
-    public void setEndDate(Date endDate) {
-        this.endDate = endDate == null ?  null : new Date(endDate.getTime());
+    public void setQuotaEnabled(boolean quotaEnabled) {
+        this.quotaEnabled = quotaEnabled;
     }
 
-    public String getCurrency() {
-        return currency;
+    public void setProjectName(String projectName) {
+        this.projectName = projectName;
     }
 
-    public void setCurrency(String currency) {
-        this.currency = currency;
+    public void setProjectId(String projectId) {
+        this.projectId = projectId;
     }
 
-    public boolean getQuotaEnabled() {
-        return quotaEnabled;
+    public void setProjectRemoved(Boolean projectRemoved) {
+        this.projectRemoved = projectRemoved;
     }
 
-    public void setQuotaEnabled(boolean quotaEnabled) {
-        this.quotaEnabled = quotaEnabled;
+    public void setDomainRemoved(boolean domainRemoved) {
+        this.domainRemoved = domainRemoved;
+    }
+
+    public void setAccountRemoved(boolean accountRemoved) {
+        this.accountRemoved = accountRemoved;
     }
 }
diff --git a/plugins/database/quota/src/main/java/org/apache/cloudstack/quota/QuotaService.java b/plugins/database/quota/src/main/java/org/apache/cloudstack/quota/QuotaService.java
index f6a34e01be8d..78acfc11682e 100644
--- a/plugins/database/quota/src/main/java/org/apache/cloudstack/quota/QuotaService.java
+++ b/plugins/database/quota/src/main/java/org/apache/cloudstack/quota/QuotaService.java
@@ -21,14 +21,14 @@
 import java.util.List;
 
 import org.apache.cloudstack.quota.vo.QuotaBalanceVO;
-import org.apache.cloudstack.quota.vo.QuotaUsageVO;
+import org.apache.cloudstack.quota.vo.QuotaUsageJoinVO;
 
 import com.cloud.user.AccountVO;
 import com.cloud.utils.component.PluggableService;
 
 public interface QuotaService extends PluggableService {
 
-    List<QuotaUsageVO> getQuotaUsage(Long accountId, String accountName, Long domainId, Integer usageType, Date startDate, Date endDate);
+    List<QuotaUsageJoinVO> getQuotaUsage(Long accountId, String accountName, Long domainId, Integer usageType, Date startDate, Date endDate);
 
     List<QuotaBalanceVO> findQuotaBalanceVO(Long accountId, String accountName, Long domainId, Date startDate, Date endDate);
 
@@ -40,6 +40,4 @@ public interface QuotaService extends PluggableService {
 
     boolean saveQuotaAccount(AccountVO account, BigDecimal aggrUsage, Date endDate);
 
-    boolean isJsInterpretationEnabled();
-
 }
diff --git a/plugins/database/quota/src/main/java/org/apache/cloudstack/quota/QuotaServiceImpl.java b/plugins/database/quota/src/main/java/org/apache/cloudstack/quota/QuotaServiceImpl.java
index f455c3cba147..a0ba2fbc751d 100644
--- a/plugins/database/quota/src/main/java/org/apache/cloudstack/quota/QuotaServiceImpl.java
+++ b/plugins/database/quota/src/main/java/org/apache/cloudstack/quota/QuotaServiceImpl.java
@@ -26,6 +26,8 @@
 import javax.inject.Inject;
 import javax.naming.ConfigurationException;
 
+import com.cloud.projects.ProjectManager;
+import com.cloud.user.AccountService;
 import org.apache.cloudstack.api.command.QuotaBalanceCmd;
 import org.apache.cloudstack.api.command.QuotaConfigureEmailCmd;
 import org.apache.cloudstack.api.command.QuotaCreditsCmd;
@@ -51,10 +53,10 @@
 import org.apache.cloudstack.quota.constant.QuotaConfig;
 import org.apache.cloudstack.quota.dao.QuotaAccountDao;
 import org.apache.cloudstack.quota.dao.QuotaBalanceDao;
-import org.apache.cloudstack.quota.dao.QuotaUsageDao;
+import org.apache.cloudstack.quota.dao.QuotaUsageJoinDao;
 import org.apache.cloudstack.quota.vo.QuotaAccountVO;
 import org.apache.cloudstack.quota.vo.QuotaBalanceVO;
-import org.apache.cloudstack.quota.vo.QuotaUsageVO;
+import org.apache.cloudstack.quota.vo.QuotaUsageJoinVO;
 import org.apache.commons.lang3.ObjectUtils;
 import org.springframework.stereotype.Component;
 
@@ -62,7 +64,6 @@
 import com.cloud.domain.dao.DomainDao;
 import com.cloud.exception.InvalidParameterValueException;
 import com.cloud.exception.PermissionDeniedException;
-import com.cloud.server.ManagementService;
 import com.cloud.user.Account;
 import com.cloud.user.AccountVO;
 import com.cloud.user.dao.AccountDao;
@@ -75,9 +76,11 @@ public class QuotaServiceImpl extends ManagerBase implements QuotaService, Confi
     @Inject
     private AccountDao _accountDao;
     @Inject
+    private AccountService accountService;
+    @Inject
     private QuotaAccountDao _quotaAcc;
     @Inject
-    private QuotaUsageDao _quotaUsageDao;
+    private QuotaUsageJoinDao quotaUsageJoinDao;
     @Inject
     private DomainDao _domainDao;
     @Inject
@@ -86,11 +89,11 @@ public class QuotaServiceImpl extends ManagerBase implements QuotaService, Confi
     private QuotaBalanceDao _quotaBalanceDao;
     @Inject
     private QuotaResponseBuilder _respBldr;
+    @Inject
+    private ProjectManager projectMgr;
 
     private TimeZone _usageTimezone;
 
-    private boolean jsInterpretationEnabled = false;
-
     public QuotaServiceImpl() {
         super();
     }
@@ -102,8 +105,6 @@ public boolean configure(String name, Map<String, Object> params) throws Configu
         String timeZoneStr = ObjectUtils.defaultIfNull(_configDao.getValue(Config.UsageAggregationTimezone.toString()), "GMT");
         _usageTimezone = TimeZone.getTimeZone(timeZoneStr);
 
-        jsInterpretationEnabled = ManagementService.JsInterpretationEnabled.value();
-
         return true;
     }
 
@@ -212,27 +213,7 @@ public List<QuotaBalanceVO> findQuotaBalanceVO(Long accountId, String accountNam
     }
 
     @Override
-    public List<QuotaUsageVO> getQuotaUsage(Long accountId, String accountName, Long domainId, Integer usageType, Date startDate, Date endDate) {
-        // if accountId is not specified, use accountName and domainId
-        if ((accountId == null) && (accountName != null) && (domainId != null)) {
-            Account userAccount = null;
-            Account caller = CallContext.current().getCallingAccount();
-            if (_domainDao.isChildDomain(caller.getDomainId(), domainId)) {
-                Filter filter = new Filter(AccountVO.class, "id", Boolean.FALSE, null, null);
-                List<AccountVO> accounts = _accountDao.listAccounts(accountName, domainId, filter);
-                if (!accounts.isEmpty()) {
-                    userAccount = accounts.get(0);
-                }
-                if (userAccount != null) {
-                    accountId = userAccount.getId();
-                } else {
-                    throw new InvalidParameterValueException("Unable to find account " + accountName + " in domain " + domainId);
-                }
-            } else {
-                throw new PermissionDeniedException("Invalid Domain Id or Account");
-            }
-        }
-
+    public List<QuotaUsageJoinVO> getQuotaUsage(Long accountId, String accountName, Long domainId, Integer usageType, Date startDate, Date endDate) {
         if (startDate.after(endDate)) {
             throw new InvalidParameterValueException("Incorrect Date Range. Start date: " + startDate + " is after end date:" + endDate);
         }
@@ -240,7 +221,7 @@ public List<QuotaUsageVO> getQuotaUsage(Long accountId, String accountName, Long
         logger.debug("Getting quota records of type [{}] for account [{}] in domain [{}], between [{}] and [{}].",
                 usageType, accountId, domainId, startDate, endDate);
 
-        return _quotaUsageDao.findQuotaUsage(accountId, domainId, usageType, startDate, endDate);
+        return quotaUsageJoinDao.findQuotaUsage(accountId, domainId, usageType, null, null, null, startDate, endDate, null);
     }
 
     @Override
@@ -292,9 +273,4 @@ public void setMinBalance(Long accountId, Double balance) {
             _quotaAcc.updateQuotaAccount(accountId, acc);
         }
     }
-
-    @Override
-    public boolean isJsInterpretationEnabled() {
-        return jsInterpretationEnabled;
-    }
 }
diff --git a/plugins/database/quota/src/test/java/org/apache/cloudstack/api/command/QuotaStatementCmdTest.java b/plugins/database/quota/src/test/java/org/apache/cloudstack/api/command/QuotaStatementCmdTest.java
index d6f9f747fa84..e67638db632e 100644
--- a/plugins/database/quota/src/test/java/org/apache/cloudstack/api/command/QuotaStatementCmdTest.java
+++ b/plugins/database/quota/src/test/java/org/apache/cloudstack/api/command/QuotaStatementCmdTest.java
@@ -16,38 +16,29 @@
 // under the License.
 package org.apache.cloudstack.api.command;
 
-import junit.framework.TestCase;
 import org.apache.cloudstack.api.response.QuotaResponseBuilder;
 import org.apache.cloudstack.api.response.QuotaStatementResponse;
-import org.apache.cloudstack.quota.vo.QuotaUsageVO;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.mockito.Mock;
 import org.mockito.Mockito;
 import org.mockito.junit.MockitoJUnitRunner;
 
-import java.lang.reflect.Field;
-import java.util.ArrayList;
-import java.util.List;
-
 @RunWith(MockitoJUnitRunner.class)
-public class QuotaStatementCmdTest extends TestCase {
+public class QuotaStatementCmdTest {
     @Mock
-    QuotaResponseBuilder responseBuilder;
+    QuotaResponseBuilder responseBuilderMock;
 
     @Test
-    public void testQuotaStatementCmd() throws NoSuchFieldException, IllegalAccessException {
+    public void executeTestVerifyCalls() {
         QuotaStatementCmd cmd = new QuotaStatementCmd();
         cmd.setAccountName("admin");
+        cmd.responseBuilder = responseBuilderMock;
 
-        Field rbField = QuotaStatementCmd.class.getDeclaredField("_responseBuilder");
-        rbField.setAccessible(true);
-        rbField.set(cmd, responseBuilder);
+        Mockito.doReturn(new QuotaStatementResponse()).when(responseBuilderMock).createQuotaStatementResponse(Mockito.any());
 
-        List<QuotaUsageVO> quotaUsageVOList = new ArrayList<QuotaUsageVO>();
-        Mockito.when(responseBuilder.getQuotaUsage(Mockito.eq(cmd))).thenReturn(quotaUsageVOList);
-        Mockito.when(responseBuilder.createQuotaStatementResponse(Mockito.eq(quotaUsageVOList))).thenReturn(new QuotaStatementResponse());
         cmd.execute();
-        Mockito.verify(responseBuilder, Mockito.times(1)).getQuotaUsage(Mockito.eq(cmd));
+
+        Mockito.verify(responseBuilderMock).createQuotaStatementResponse(cmd);
     }
 }
diff --git a/plugins/database/quota/src/test/java/org/apache/cloudstack/api/response/QuotaResponseBuilderImplTest.java b/plugins/database/quota/src/test/java/org/apache/cloudstack/api/response/QuotaResponseBuilderImplTest.java
index 3629bf2e3fe9..81b4992082d9 100644
--- a/plugins/database/quota/src/test/java/org/apache/cloudstack/api/response/QuotaResponseBuilderImplTest.java
+++ b/plugins/database/quota/src/test/java/org/apache/cloudstack/api/response/QuotaResponseBuilderImplTest.java
@@ -16,13 +16,13 @@
 // under the License.
 package org.apache.cloudstack.api.response;
 
-import java.lang.reflect.Field;
 import java.math.BigDecimal;
+import java.text.ParseException;
+import java.text.SimpleDateFormat;
 import java.time.LocalDate;
 import java.time.LocalDateTime;
 import java.time.ZoneId;
 import java.util.ArrayList;
-import java.util.Calendar;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.List;
@@ -31,6 +31,7 @@
 import java.util.HashSet;
 import java.util.function.Consumer;
 
+import com.cloud.domain.Domain;
 import com.cloud.domain.DomainVO;
 import com.cloud.domain.dao.DomainDao;
 import com.cloud.exception.PermissionDeniedException;
@@ -43,10 +44,11 @@
 import org.apache.cloudstack.api.command.QuotaCreditsListCmd;
 import org.apache.cloudstack.api.command.QuotaEmailTemplateListCmd;
 import org.apache.cloudstack.api.command.QuotaEmailTemplateUpdateCmd;
+import org.apache.cloudstack.api.command.QuotaStatementCmd;
+import org.apache.cloudstack.api.command.QuotaSummaryCmd;
 import org.apache.cloudstack.api.command.QuotaValidateActivationRuleCmd;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.discovery.ApiDiscoveryService;
-import org.apache.cloudstack.framework.config.ConfigKey;
 import org.apache.cloudstack.jsinterpreter.JsInterpreterHelper;
 import org.apache.cloudstack.quota.QuotaService;
 import org.apache.cloudstack.quota.QuotaStatement;
@@ -68,6 +70,7 @@
 import org.apache.cloudstack.quota.vo.QuotaEmailConfigurationVO;
 import org.apache.cloudstack.quota.vo.QuotaEmailTemplatesVO;
 import org.apache.cloudstack.quota.vo.QuotaTariffVO;
+import org.apache.cloudstack.quota.vo.QuotaUsageJoinVO;
 import org.apache.cloudstack.utils.jsinterpreter.JsInterpreter;
 
 import org.apache.commons.lang3.time.DateUtils;
@@ -79,7 +82,10 @@
 import org.mockito.InjectMocks;
 import org.mockito.Mock;
 import org.mockito.MockedConstruction;
+import org.mockito.MockedStatic;
 import org.mockito.Mockito;
+import org.mockito.Spy;
+import org.mockito.junit.MockitoJUnitRunner;
 
 import com.cloud.exception.InvalidParameterValueException;
 import com.cloud.user.Account;
@@ -89,8 +95,7 @@
 import com.cloud.user.User;
 
 import junit.framework.TestCase;
-import org.mockito.Spy;
-import org.mockito.junit.MockitoJUnitRunner;
+
 
 @RunWith(MockitoJUnitRunner.class)
 public class QuotaResponseBuilderImplTest extends TestCase {
@@ -153,7 +158,7 @@ public class QuotaResponseBuilderImplTest extends TestCase {
     Account accountMock;
 
     @Mock
-    DomainVO domainVOMock;
+    DomainVO domainVoMock;
 
     @Mock
     QuotaConfigureEmailCmd quotaConfigureEmailCmdMock;
@@ -161,6 +166,9 @@ public class QuotaResponseBuilderImplTest extends TestCase {
     @Mock
     QuotaAccountVO quotaAccountVOMock;
 
+    @Mock
+    CallContext callContextMock;
+
     @Mock
     QuotaEmailTemplatesVO quotaEmailTemplatesVoMock;
 
@@ -184,17 +192,8 @@ public void setup() {
         CallContext.register(callerUserMock, callerAccountMock);
     }
 
-    private void overrideDefaultQuotaEnabledConfigValue(final Object value) throws IllegalAccessException, NoSuchFieldException {
-        Field f = ConfigKey.class.getDeclaredField("_defaultValue");
-        f.setAccessible(true);
-        f.set(QuotaConfig.QuotaAccountEnabled, value);
-    }
-
-    private Calendar[] createPeriodForQuotaSummary() {
-        final Calendar calendar = Calendar.getInstance();
-        calendar.set(Calendar.HOUR, 0);
-        return new Calendar[] {calendar, calendar};
-    }
+    @Mock
+    Pair<List<QuotaSummaryResponse>, Integer> quotaSummaryResponseMock1, quotaSummaryResponseMock2;
 
     @Mock
     QuotaValidateActivationRuleCmd quotaValidateActivationRuleCmdMock = Mockito.mock(QuotaValidateActivationRuleCmd.class);
@@ -466,36 +465,6 @@ public void deleteQuotaTariffTestUpdateRemoved() {
         Mockito.verify(quotaTariffVoMock).setRemoved(Mockito.any(Date.class));
     }
 
-    @Test
-    public void getQuotaSummaryResponseTestAccountIsNotNullQuotaIsDisabledShouldReturnFalse() throws NoSuchFieldException, IllegalAccessException {
-        Calendar[] period = createPeriodForQuotaSummary();
-        overrideDefaultQuotaEnabledConfigValue("false");
-
-        Mockito.doReturn(period).when(quotaStatementMock).getCurrentStatementTime();
-        Mockito.doReturn(domainVOMock).when(domainDaoMock).findById(Mockito.anyLong());
-        Mockito.doReturn(BigDecimal.ZERO).when(quotaBalanceDaoMock).lastQuotaBalance(Mockito.anyLong(), Mockito.anyLong(), Mockito.any(Date.class));
-        Mockito.doReturn(BigDecimal.ZERO).when(quotaUsageDaoMock).findTotalQuotaUsage(Mockito.anyLong(), Mockito.anyLong(), Mockito.isNull(), Mockito.any(Date.class), Mockito.any(Date.class));
-
-        QuotaSummaryResponse quotaSummaryResponse = quotaResponseBuilderSpy.getQuotaSummaryResponse(accountMock);
-
-        assertFalse(quotaSummaryResponse.getQuotaEnabled());
-    }
-
-    @Test
-    public void getQuotaSummaryResponseTestAccountIsNotNullQuotaIsEnabledShouldReturnTrue() throws NoSuchFieldException, IllegalAccessException {
-        Calendar[] period = createPeriodForQuotaSummary();
-        overrideDefaultQuotaEnabledConfigValue("true");
-
-        Mockito.doReturn(period).when(quotaStatementMock).getCurrentStatementTime();
-        Mockito.doReturn(domainVOMock).when(domainDaoMock).findById(Mockito.anyLong());
-        Mockito.doReturn(BigDecimal.ZERO).when(quotaBalanceDaoMock).lastQuotaBalance(Mockito.anyLong(), Mockito.anyLong(), Mockito.any(Date.class));
-        Mockito.doReturn(BigDecimal.ZERO).when(quotaUsageDaoMock).findTotalQuotaUsage(Mockito.anyLong(), Mockito.anyLong(), Mockito.isNull(), Mockito.any(Date.class), Mockito.any(Date.class));
-
-        QuotaSummaryResponse quotaSummaryResponse = quotaResponseBuilderSpy.getQuotaSummaryResponse(accountMock);
-
-        assertTrue(quotaSummaryResponse.getQuotaEnabled());
-    }
-
     @Test
     public void filterSupportedTypesTestReturnWhenQuotaTypeDoesNotMatch() throws NoSuchFieldException {
         List<Pair<String, String>> variables = new ArrayList<>();
@@ -576,6 +545,63 @@ public void validateQuotaConfigureEmailCmdParametersTestWithTemplateNameAndEnabl
         quotaResponseBuilderSpy.validateQuotaConfigureEmailCmdParameters(quotaConfigureEmailCmdMock);
     }
 
+    @Test
+    public void createQuotaSummaryResponseTestNotListAllAndAllAccountTypesReturnsSingleRecord() {
+        QuotaSummaryCmd cmd = new QuotaSummaryCmd();
+
+        try(MockedStatic<CallContext> callContextMocked = Mockito.mockStatic(CallContext.class)) {
+            callContextMocked.when(CallContext::current).thenReturn(callContextMock);
+
+            Mockito.doReturn(accountMock).when(callContextMock).getCallingAccount();
+
+            Mockito.doReturn(quotaSummaryResponseMock1).when(quotaResponseBuilderSpy).getQuotaSummaryResponse(Mockito.any(), Mockito.any(), Mockito.any(), Mockito.any());
+
+            for (Account.Type type : Account.Type.values()) {
+                Mockito.doReturn(type).when(accountMock).getType();
+
+                Pair<List<QuotaSummaryResponse>, Integer> result = quotaResponseBuilderSpy.createQuotaSummaryResponse(cmd);
+                Assert.assertEquals(quotaSummaryResponseMock1, result);
+            }
+
+            Mockito.verify(quotaResponseBuilderSpy, Mockito.times(Account.Type.values().length)).getQuotaSummaryResponse(Mockito.any(), Mockito.any(), Mockito.any(),
+                    Mockito.any());
+        };
+    }
+
+    @Test
+    public void getDomainPathByDomainIdForDomainAdminTestAccountNotDomainAdminReturnsNull() {
+        for (Account.Type type : Account.Type.values()) {
+            if (Account.Type.DOMAIN_ADMIN.equals(type)) {
+                continue;
+            }
+
+            Mockito.doReturn(type).when(accountMock).getType();
+            Assert.assertNull(quotaResponseBuilderSpy.getDomainPathByDomainIdForDomainAdmin(accountMock));
+        }
+    }
+
+    @Test(expected = InvalidParameterValueException.class)
+    public void getDomainPathByDomainIdForDomainAdminTestDomainFromCallerIsNullThrowsInvalidParameterValueException() {
+        Mockito.doReturn(Account.Type.DOMAIN_ADMIN).when(accountMock).getType();
+        Mockito.doReturn(null).when(domainDaoMock).findById(Mockito.anyLong());
+        Mockito.lenient().doNothing().when(accountManagerMock).checkAccess(Mockito.any(Account.class), Mockito.any(Domain.class));
+
+        quotaResponseBuilderSpy.getDomainPathByDomainIdForDomainAdmin(accountMock);
+    }
+
+    @Test
+    public void getDomainPathByDomainIdForDomainAdminTestDomainFromCallerIsNotNullReturnsPath() {
+        String expected = "/test/";
+
+        Mockito.doReturn(Account.Type.DOMAIN_ADMIN).when(accountMock).getType();
+        Mockito.doReturn(domainVoMock).when(domainDaoMock).findById(Mockito.anyLong());
+        Mockito.doNothing().when(accountManagerMock).checkAccess(Mockito.any(Account.class), Mockito.any(Domain.class));
+        Mockito.doReturn(expected).when(domainVoMock).getPath();
+
+        String result = quotaResponseBuilderSpy.getDomainPathByDomainIdForDomainAdmin(accountMock);
+        Assert.assertEquals(expected, result);
+    }
+
     @Test
     public void getQuotaEmailConfigurationVoTestTemplateNameIsNull() {
         Mockito.doReturn(null).when(quotaConfigureEmailCmdMock).getTemplateName();
@@ -892,4 +918,199 @@ public void injectUsageTypeVariablesTestReturnInjectedVariables() {
         Assert.assertTrue(formattedVariables.containsValue("accountname"));
         Assert.assertTrue(formattedVariables.containsValue("zonename"));
     }
+
+    @Test
+    public void createDummyRecordForEachQuotaTypeIfUsageTypeIsNotInformedTestUsageTypeDifferentFromNullDoNothing() {
+        List<QuotaUsageJoinVO> listUsage = new ArrayList<>();
+
+        quotaResponseBuilderSpy.createDummyRecordForEachQuotaTypeIfUsageTypeIsNotInformed(listUsage, 1);
+
+        Assert.assertTrue(listUsage.isEmpty());
+    }
+
+    @Test
+    public void createDummyRecordForEachQuotaTypeIfUsageTypeIsNotInformedTestUsageTypeIsNullAddDummyForAllQuotaTypes() {
+        List<QuotaUsageJoinVO> listUsage = new ArrayList<>();
+        listUsage.add(new QuotaUsageJoinVO());
+
+        quotaResponseBuilderSpy.createDummyRecordForEachQuotaTypeIfUsageTypeIsNotInformed(listUsage, null);
+
+        Assert.assertEquals(QuotaTypes.listQuotaTypes().size() + 1, listUsage.size());
+
+        QuotaTypes.listQuotaTypes().entrySet().forEach(entry -> {
+            Assert.assertTrue(listUsage.stream().anyMatch(usage -> usage.getUsageType() == entry.getKey() && usage.getQuotaUsed().equals(BigDecimal.ZERO)));
+        });
+    }
+
+    private List<QuotaUsageJoinVO> getQuotaUsagesForTest() {
+        SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd");
+
+        List<QuotaUsageJoinVO> quotaUsages = new ArrayList<>();
+
+        QuotaUsageJoinVO quotaUsage = new QuotaUsageJoinVO();
+        quotaUsage.setAccountId(1l);
+        quotaUsage.setDomainId(2l);
+        quotaUsage.setUsageType(3);
+        quotaUsage.setQuotaUsed(BigDecimal.valueOf(10));
+        try {
+            quotaUsage.setStartDate(sdf.parse("2022-01-01"));
+            quotaUsage.setEndDate(sdf.parse("2022-01-02"));
+        } catch (ParseException ignored) {
+        }
+        quotaUsages.add(quotaUsage);
+
+        quotaUsage = new QuotaUsageJoinVO();
+        quotaUsage.setAccountId(4l);
+        quotaUsage.setDomainId(5l);
+        quotaUsage.setUsageType(3);
+        quotaUsage.setQuotaUsed(null);
+        try {
+            quotaUsage.setStartDate(sdf.parse("2022-01-03"));
+            quotaUsage.setEndDate(sdf.parse("2022-01-04"));
+        } catch (ParseException ignored) {
+        }
+        quotaUsages.add(quotaUsage);
+
+        quotaUsage = new QuotaUsageJoinVO();
+        quotaUsage.setAccountId(6l);
+        quotaUsage.setDomainId(7l);
+        quotaUsage.setUsageType(3);
+        quotaUsage.setQuotaUsed(BigDecimal.valueOf(5));
+        try {
+            quotaUsage.setStartDate(sdf.parse("2022-01-05"));
+            quotaUsage.setEndDate(sdf.parse("2022-01-06"));
+        } catch (ParseException ignored) {
+        }
+        quotaUsages.add(quotaUsage);
+
+        return quotaUsages;
+    }
+
+    @Test
+    public void createStatementItemTestReturnItem() {
+        List<QuotaUsageJoinVO> quotaUsages = getQuotaUsagesForTest();
+        Mockito.doNothing().when(quotaResponseBuilderSpy).setStatementItemResources(Mockito.any(), Mockito.anyInt(), Mockito.any(), Mockito.anyBoolean());
+
+        QuotaStatementItemResponse result = quotaResponseBuilderSpy.createStatementItem(0, quotaUsages, false);
+
+        QuotaUsageJoinVO expected = quotaUsages.get(0);
+        QuotaTypes quotaTypeExpected = QuotaTypes.listQuotaTypes().get(expected.getUsageType());
+        Assert.assertEquals(BigDecimal.valueOf(15), result.getQuotaUsed());
+        Assert.assertEquals(quotaTypeExpected.getQuotaUnit(), result.getUsageUnit());
+        Assert.assertEquals(quotaTypeExpected.getQuotaName(), result.getUsageName());
+    }
+
+    @Test
+    public void setStatementItemResourcesTestDoNotShowResourcesDoNothing() {
+        QuotaStatementItemResponse item = new QuotaStatementItemResponse(1);
+
+        quotaResponseBuilderSpy.setStatementItemResources(item, 0, getQuotaUsagesForTest(), false);
+
+        Assert.assertNull(item.getResources());
+    }
+
+    @Test
+    public void getAccountIdForQuotaStatementTestLimitsToCallingAccountForNormalUser() {
+        QuotaStatementCmd cmd = Mockito.mock(QuotaStatementCmd.class);
+
+        Mockito.doReturn(accountMock).when(callContextMock).getCallingAccount();
+        Mockito.doReturn(Account.Type.NORMAL).when(accountMock).getType();
+
+        try (MockedStatic<CallContext> callContextMocked = Mockito.mockStatic(CallContext.class)) {
+            callContextMocked.when(CallContext::current).thenReturn(callContextMock);
+
+            Long result = quotaResponseBuilderSpy.getAccountIdForQuotaStatement(cmd);
+
+            Assert.assertEquals(Long.valueOf(callerAccountMock.getAccountId()), result);
+        }
+    }
+
+    @Test
+    public void getAccountIdForQuotaStatementTestReturnsEntityOwnerIdWhenProvided() {
+        QuotaStatementCmd cmd = Mockito.mock(QuotaStatementCmd.class);
+
+        Mockito.doReturn(42L).when(cmd).getEntityOwnerId();
+
+        Long result = quotaResponseBuilderSpy.getAccountIdForQuotaStatement(cmd);
+
+        Assert.assertEquals(Long.valueOf(42L), result);
+    }
+
+    @Test
+    public void getAccountIdForQuotaStatementTestLimitsToCallingAccountWhenCallerIsAdminAndDomainIsNotProvided() {
+        QuotaStatementCmd cmd = Mockito.mock(QuotaStatementCmd.class);
+
+        Mockito.doReturn(accountMock).when(callContextMock).getCallingAccount();
+        Mockito.doReturn(Account.Type.ADMIN).when(accountMock).getType();
+        Mockito.doReturn(-1L).when(cmd).getEntityOwnerId();
+        Mockito.doReturn(null).when(cmd).getDomainId();
+
+        try (MockedStatic<CallContext> callContextMocked = Mockito.mockStatic(CallContext.class)) {
+            callContextMocked.when(CallContext::current).thenReturn(callContextMock);
+
+            Long result = quotaResponseBuilderSpy.getAccountIdForQuotaStatement(cmd);
+
+            Assert.assertEquals(Long.valueOf(callerAccountMock.getAccountId()), result);
+        }
+    }
+
+    @Test
+    public void getAccountIdForQuotaStatementTestReturnsNullWhenCallerIsAdminAndDomainIsProvided() {
+        QuotaStatementCmd cmd = Mockito.mock(QuotaStatementCmd.class);
+
+        Mockito.doReturn(accountMock).when(callContextMock).getCallingAccount();
+        Mockito.doReturn(Account.Type.ADMIN).when(accountMock).getType();
+        Mockito.doReturn(-1L).when(cmd).getEntityOwnerId();
+        Mockito.doReturn(10L).when(cmd).getDomainId();
+
+        try (MockedStatic<CallContext> callContextMocked = Mockito.mockStatic(CallContext.class)) {
+            callContextMocked.when(CallContext::current).thenReturn(callContextMock);
+
+            Long result = quotaResponseBuilderSpy.getAccountIdForQuotaStatement(cmd);
+
+            Assert.assertNull(result);
+        }
+    }
+
+    @Test
+    public void getDomainIdForQuotaStatementTestReturnsAccountDomainIdWhenAccountIdIsProvided() {
+        QuotaStatementCmd cmd = Mockito.mock(QuotaStatementCmd.class);
+        AccountVO account = Mockito.mock(AccountVO.class);
+
+        Mockito.doReturn(account).when(accountDaoMock).findByIdIncludingRemoved(55L);
+        Mockito.doReturn(77L).when(account).getDomainId();
+
+        Long result = quotaResponseBuilderSpy.getDomainIdForQuotaStatement(cmd, 55L);
+
+        Assert.assertEquals(Long.valueOf(77L), result);
+    }
+
+    @Test
+    public void getDomainIdForQuotaStatementTestReturnsProvidedDomainIdWhenAccountIdIsNull() {
+        QuotaStatementCmd cmd = Mockito.mock(QuotaStatementCmd.class);
+
+        Mockito.doReturn(99L).when(cmd).getDomainId();
+
+        Long result = quotaResponseBuilderSpy.getDomainIdForQuotaStatement(cmd, null);
+
+        Assert.assertEquals(Long.valueOf(99L), result);
+    }
+
+    @Test
+    public void getDomainIdForQuotaStatementTestFallsBackToCallingAccountDomainIdWhenNeitherAccountNorDomainIsProvided() {
+        QuotaStatementCmd cmd = Mockito.mock(QuotaStatementCmd.class);
+        Account account = Mockito.mock(Account.class);
+
+        Mockito.doReturn(null).when(cmd).getDomainId();
+        Mockito.doReturn(123L).when(account).getDomainId();
+        Mockito.doReturn(account).when(callContextMock).getCallingAccount();
+
+        try (MockedStatic<CallContext> callContextMocked = Mockito.mockStatic(CallContext.class)) {
+            callContextMocked.when(CallContext::current).thenReturn(callContextMock);
+
+            Long result = quotaResponseBuilderSpy.getDomainIdForQuotaStatement(cmd, null);
+
+            Assert.assertEquals(123L, result.longValue());
+        }
+    }
 }
diff --git a/plugins/database/quota/src/test/java/org/apache/cloudstack/quota/QuotaServiceImplTest.java b/plugins/database/quota/src/test/java/org/apache/cloudstack/quota/QuotaServiceImplTest.java
index 19e756d1d973..a0fe63de8518 100644
--- a/plugins/database/quota/src/test/java/org/apache/cloudstack/quota/QuotaServiceImplTest.java
+++ b/plugins/database/quota/src/test/java/org/apache/cloudstack/quota/QuotaServiceImplTest.java
@@ -18,6 +18,7 @@
 
 import com.cloud.configuration.Config;
 import com.cloud.domain.dao.DomainDao;
+import com.cloud.user.AccountVO;
 import com.cloud.user.dao.AccountDao;
 import com.cloud.utils.db.TransactionLegacy;
 import junit.framework.TestCase;
@@ -27,14 +28,17 @@
 import org.apache.cloudstack.quota.dao.QuotaAccountDao;
 import org.apache.cloudstack.quota.dao.QuotaBalanceDao;
 import org.apache.cloudstack.quota.dao.QuotaUsageDao;
+import org.apache.cloudstack.quota.dao.QuotaUsageJoinDao;
 import org.apache.cloudstack.quota.vo.QuotaAccountVO;
 import org.apache.cloudstack.quota.vo.QuotaBalanceVO;
 import org.joda.time.DateTime;
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
+import org.mockito.InjectMocks;
 import org.mockito.Mock;
 import org.mockito.Mockito;
+import org.mockito.Spy;
 import org.mockito.junit.MockitoJUnitRunner;
 
 import javax.naming.ConfigurationException;
@@ -48,7 +52,7 @@
 public class QuotaServiceImplTest extends TestCase {
 
     @Mock
-    AccountDao accountDao;
+    AccountDao accountDaoMock;
     @Mock
     QuotaAccountDao quotaAcc;
     @Mock
@@ -60,9 +64,16 @@ public class QuotaServiceImplTest extends TestCase {
     @Mock
     QuotaBalanceDao quotaBalanceDao;
     @Mock
+    QuotaUsageJoinDao quotaUsageJoinDaoMock;
+    @Mock
     QuotaResponseBuilder respBldr;
+    @Mock
+    private AccountVO accountVoMock;
+
+    @Spy
+    @InjectMocks
+    QuotaServiceImpl quotaServiceImplSpy;
 
-    QuotaServiceImpl quotaService = new QuotaServiceImpl();
 
     @Before
     public void setup() throws IllegalAccessException, NoSuchFieldException, ConfigurationException {
@@ -71,34 +82,34 @@ public void setup() throws IllegalAccessException, NoSuchFieldException, Configu
 
         Field accountDaoField = QuotaServiceImpl.class.getDeclaredField("_accountDao");
         accountDaoField.setAccessible(true);
-        accountDaoField.set(quotaService, accountDao);
+        accountDaoField.set(quotaServiceImplSpy, accountDaoMock);
 
         Field quotaAccountDaoField = QuotaServiceImpl.class.getDeclaredField("_quotaAcc");
         quotaAccountDaoField.setAccessible(true);
-        quotaAccountDaoField.set(quotaService, quotaAcc);
+        quotaAccountDaoField.set(quotaServiceImplSpy, quotaAcc);
 
-        Field quotaUsageDaoField = QuotaServiceImpl.class.getDeclaredField("_quotaUsageDao");
+        Field quotaUsageDaoField = QuotaServiceImpl.class.getDeclaredField("quotaUsageJoinDao");
         quotaUsageDaoField.setAccessible(true);
-        quotaUsageDaoField.set(quotaService, quotaUsageDao);
+        quotaUsageDaoField.set(quotaServiceImplSpy, quotaUsageJoinDaoMock);
 
         Field domainDaoField = QuotaServiceImpl.class.getDeclaredField("_domainDao");
         domainDaoField.setAccessible(true);
-        domainDaoField.set(quotaService, domainDao);
+        domainDaoField.set(quotaServiceImplSpy, domainDao);
 
         Field configDaoField = QuotaServiceImpl.class.getDeclaredField("_configDao");
         configDaoField.setAccessible(true);
-        configDaoField.set(quotaService, configDao);
+        configDaoField.set(quotaServiceImplSpy, configDao);
 
         Field balanceDaoField = QuotaServiceImpl.class.getDeclaredField("_quotaBalanceDao");
         balanceDaoField.setAccessible(true);
-        balanceDaoField.set(quotaService, quotaBalanceDao);
+        balanceDaoField.set(quotaServiceImplSpy, quotaBalanceDao);
 
         Field QuotaResponseBuilderField = QuotaServiceImpl.class.getDeclaredField("_respBldr");
         QuotaResponseBuilderField.setAccessible(true);
-        QuotaResponseBuilderField.set(quotaService, respBldr);
+        QuotaResponseBuilderField.set(quotaServiceImplSpy, respBldr);
 
         Mockito.when(configDao.getValue(Mockito.eq(Config.UsageAggregationTimezone.toString()))).thenReturn("IST");
-        quotaService.configure("randomName", null);
+        quotaServiceImplSpy.configure("randomName", null);
     }
 
     @Test
@@ -120,9 +131,9 @@ public void testFindQuotaBalanceVO() {
         Mockito.when(quotaBalanceDao.lastQuotaBalanceVO(Mockito.eq(accountId), Mockito.eq(domainId), Mockito.any(Date.class))).thenReturn(records);
 
         // with enddate
-        assertTrue(quotaService.findQuotaBalanceVO(accountId, accountName, domainId, startDate, endDate).get(0).equals(qb));
+        assertTrue(quotaServiceImplSpy.findQuotaBalanceVO(accountId, accountName, domainId, startDate, endDate).get(0).equals(qb));
         // without enddate
-        assertTrue(quotaService.findQuotaBalanceVO(accountId, accountName, domainId, startDate, null).get(0).equals(qb));
+        assertTrue(quotaServiceImplSpy.findQuotaBalanceVO(accountId, accountName, domainId, startDate, null).get(0).equals(qb));
     }
 
     @Test
@@ -133,8 +144,9 @@ public void testGetQuotaUsage() {
         final Date startDate = new DateTime().minusDays(2).toDate();
         final Date endDate = new Date();
 
-        quotaService.getQuotaUsage(accountId, accountName, domainId, QuotaTypes.IP_ADDRESS, startDate, endDate);
-        Mockito.verify(quotaUsageDao, Mockito.times(1)).findQuotaUsage(Mockito.eq(accountId), Mockito.eq(domainId), Mockito.eq(QuotaTypes.IP_ADDRESS), Mockito.any(Date.class), Mockito.any(Date.class));
+        quotaServiceImplSpy.getQuotaUsage(accountId, accountName, domainId, QuotaTypes.IP_ADDRESS, startDate, endDate);
+        Mockito.verify(quotaUsageJoinDaoMock, Mockito.times(1)).findQuotaUsage(Mockito.eq(accountId), Mockito.eq(domainId), Mockito.eq(QuotaTypes.IP_ADDRESS), Mockito.any(),
+                Mockito.any(), Mockito.any(), Mockito.any(Date.class), Mockito.any(Date.class), Mockito.any());
     }
 
     @Test
@@ -142,13 +154,13 @@ public void testSetLockAccount() {
         // existing account
         QuotaAccountVO quotaAccountVO = new QuotaAccountVO();
         Mockito.when(quotaAcc.findByIdQuotaAccount(Mockito.anyLong())).thenReturn(quotaAccountVO);
-        quotaService.setLockAccount(2L, true);
+        quotaServiceImplSpy.setLockAccount(2L, true);
         Mockito.verify(quotaAcc, Mockito.times(0)).persistQuotaAccount(Mockito.any(QuotaAccountVO.class));
         Mockito.verify(quotaAcc, Mockito.times(1)).updateQuotaAccount(Mockito.anyLong(), Mockito.any(QuotaAccountVO.class));
 
         // new account
         Mockito.when(quotaAcc.findByIdQuotaAccount(Mockito.anyLong())).thenReturn(null);
-        quotaService.setLockAccount(2L, true);
+        quotaServiceImplSpy.setLockAccount(2L, true);
         Mockito.verify(quotaAcc, Mockito.times(1)).persistQuotaAccount(Mockito.any(QuotaAccountVO.class));
     }
 
@@ -160,13 +172,14 @@ public void testSetMinBalance() {
         // existing account setting
         QuotaAccountVO quotaAccountVO = new QuotaAccountVO();
         Mockito.when(quotaAcc.findByIdQuotaAccount(Mockito.anyLong())).thenReturn(quotaAccountVO);
-        quotaService.setMinBalance(accountId, balance);
+        quotaServiceImplSpy.setMinBalance(accountId, balance);
         Mockito.verify(quotaAcc, Mockito.times(0)).persistQuotaAccount(Mockito.any(QuotaAccountVO.class));
         Mockito.verify(quotaAcc, Mockito.times(1)).updateQuotaAccount(Mockito.anyLong(), Mockito.any(QuotaAccountVO.class));
 
         // no account with limit set
         Mockito.when(quotaAcc.findByIdQuotaAccount(Mockito.anyLong())).thenReturn(null);
-        quotaService.setMinBalance(accountId, balance);
+        quotaServiceImplSpy.setMinBalance(accountId, balance);
         Mockito.verify(quotaAcc, Mockito.times(1)).persistQuotaAccount(Mockito.any(QuotaAccountVO.class));
     }
+
 }
diff --git a/plugins/event-bus/webhook/src/main/java/org/apache/cloudstack/mom/webhook/WebhookDeliveryThread.java b/plugins/event-bus/webhook/src/main/java/org/apache/cloudstack/mom/webhook/WebhookDeliveryThread.java
index ac840c00be32..3f2d85458d30 100644
--- a/plugins/event-bus/webhook/src/main/java/org/apache/cloudstack/mom/webhook/WebhookDeliveryThread.java
+++ b/plugins/event-bus/webhook/src/main/java/org/apache/cloudstack/mom/webhook/WebhookDeliveryThread.java
@@ -48,6 +48,8 @@
 import org.apache.http.client.config.RequestConfig;
 import org.apache.http.client.methods.CloseableHttpResponse;
 import org.apache.http.client.methods.HttpPost;
+import javax.net.ssl.SSLContext;
+
 import org.apache.http.conn.ssl.NoopHostnameVerifier;
 import org.apache.http.conn.ssl.TrustAllStrategy;
 import org.apache.http.entity.ContentType;
@@ -97,7 +99,9 @@ protected boolean isValidJson(String json) {
 
     protected void setHttpClient() throws NoSuchAlgorithmException, KeyStoreException, KeyManagementException {
         if (webhook.isSslVerification()) {
-            httpClient = HttpClients.createDefault();
+            httpClient = HttpClients.custom()
+                    .setSSLContext(SSLContext.getDefault())
+                    .build();
             return;
         }
         httpClient = HttpClients
diff --git a/plugins/host-allocators/random/pom.xml b/plugins/host-allocators/random/pom.xml
deleted file mode 100644
index 061caf1573ff..000000000000
--- a/plugins/host-allocators/random/pom.xml
+++ /dev/null
@@ -1,30 +0,0 @@
-<!--
-  Licensed to the Apache Software Foundation (ASF) under one
-  or more contributor license agreements.  See the NOTICE file
-  distributed with this work for additional information
-  regarding copyright ownership.  The ASF licenses this file
-  to you under the Apache License, Version 2.0 (the
-  "License"); you may not use this file except in compliance
-  with the License.  You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-  Unless required by applicable law or agreed to in writing,
-  software distributed under the License is distributed on an
-  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-  KIND, either express or implied.  See the License for the
-  specific language governing permissions and limitations
-  under the License.
--->
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-    <artifactId>cloud-plugin-host-allocator-random</artifactId>
-    <name>Apache CloudStack Plugin - Host Allocator Random</name>
-    <parent>
-        <groupId>org.apache.cloudstack</groupId>
-        <artifactId>cloudstack-plugins</artifactId>
-        <version>4.23.0.0-SNAPSHOT</version>
-        <relativePath>../../pom.xml</relativePath>
-    </parent>
-</project>
diff --git a/plugins/host-allocators/random/src/main/java/com/cloud/agent/manager/allocator/impl/RandomAllocator.java b/plugins/host-allocators/random/src/main/java/com/cloud/agent/manager/allocator/impl/RandomAllocator.java
deleted file mode 100644
index 42129944a194..000000000000
--- a/plugins/host-allocators/random/src/main/java/com/cloud/agent/manager/allocator/impl/RandomAllocator.java
+++ /dev/null
@@ -1,196 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements.  See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership.  The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License.  You may obtain a copy of the License at
-//
-//   http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied.  See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package com.cloud.agent.manager.allocator.impl;
-
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.List;
-
-import javax.inject.Inject;
-
-import org.apache.commons.collections.CollectionUtils;
-import org.apache.commons.collections.ListUtils;
-import org.apache.commons.lang3.ObjectUtils;
-import org.apache.commons.lang3.StringUtils;
-import org.springframework.stereotype.Component;
-
-import com.cloud.agent.manager.allocator.HostAllocator;
-import com.cloud.capacity.CapacityManager;
-import com.cloud.dc.ClusterDetailsDao;
-import com.cloud.dc.dao.ClusterDao;
-import com.cloud.deploy.DeploymentPlan;
-import com.cloud.deploy.DeploymentPlanner.ExcludeList;
-import com.cloud.host.Host;
-import com.cloud.host.Host.Type;
-import com.cloud.host.HostVO;
-import com.cloud.host.dao.HostDao;
-import com.cloud.offering.ServiceOffering;
-import com.cloud.resource.ResourceManager;
-import com.cloud.storage.VMTemplateVO;
-import com.cloud.utils.Pair;
-import com.cloud.utils.component.AdapterBase;
-import com.cloud.vm.VirtualMachine;
-import com.cloud.vm.VirtualMachineProfile;
-
-@Component
-public class RandomAllocator extends AdapterBase implements HostAllocator {
-    @Inject
-    private HostDao _hostDao;
-    @Inject
-    private ResourceManager _resourceMgr;
-    @Inject
-    private ClusterDao clusterDao;
-    @Inject
-    private ClusterDetailsDao clusterDetailsDao;
-    @Inject
-    private CapacityManager capacityManager;
-
-    protected List<HostVO> listHostsByTags(Host.Type type, long dcId, Long podId, Long clusterId, String offeringHostTag, String templateTag) {
-        List<HostVO> taggedHosts = new ArrayList<>();
-        if (offeringHostTag != null) {
-            taggedHosts.addAll(_hostDao.listByHostTag(type, clusterId, podId, dcId, offeringHostTag));
-        }
-        if (templateTag != null) {
-            List<HostVO> templateTaggedHosts = _hostDao.listByHostTag(type, clusterId, podId, dcId, templateTag);
-            if (taggedHosts.isEmpty()) {
-                taggedHosts = templateTaggedHosts;
-            } else {
-                taggedHosts.retainAll(templateTaggedHosts);
-            }
-        }
-        if (logger.isDebugEnabled()) {
-            logger.debug(String.format("Found %d hosts %s with type: %s, zone ID: %d, pod ID: %d, cluster ID: %s, offering host tag(s): %s, template tag: %s",
-                    taggedHosts.size(),
-                    (taggedHosts.isEmpty() ? "" : String.format("(%s)", StringUtils.join(taggedHosts.stream().map(HostVO::toString).toArray(), ","))),
-                    type.name(), dcId, podId, clusterId, offeringHostTag, templateTag));
-        }
-        return taggedHosts;
-    }
-    private List<Host> findSuitableHosts(VirtualMachineProfile vmProfile, DeploymentPlan plan, Type type,
-                                         ExcludeList avoid, List<? extends Host> hosts, int returnUpTo,
-                                         boolean considerReservedCapacity) {
-        long dcId = plan.getDataCenterId();
-        Long podId = plan.getPodId();
-        Long clusterId = plan.getClusterId();
-        ServiceOffering offering = vmProfile.getServiceOffering();
-        List<? extends Host> hostsCopy = null;
-        List<Host> suitableHosts = new ArrayList<>();
-
-        if (type == Host.Type.Storage) {
-            return suitableHosts;
-        }
-        String offeringHostTag = offering.getHostTag();
-
-        VMTemplateVO template = (VMTemplateVO)vmProfile.getTemplate();
-        String templateTag = template.getTemplateTag();
-        String hostTag = null;
-        if (ObjectUtils.anyNotNull(offeringHostTag, templateTag)) {
-            hostTag = ObjectUtils.allNotNull(offeringHostTag, templateTag) ?
-                    String.format("%s, %s", offeringHostTag, templateTag) :
-                    ObjectUtils.firstNonNull(offeringHostTag, templateTag);
-            logger.debug("Looking for hosts in dc [{}], pod [{}], cluster [{}] and complying with host tag(s): [{}]", dcId, podId, clusterId, hostTag);
-        } else {
-            logger.debug("Looking for hosts in dc: {} pod: {} cluster: {}", dcId , podId, clusterId);
-        }
-        if (hosts != null) {
-            // retain all computing hosts, regardless of whether they support routing...it's random after all
-            hostsCopy = new ArrayList<>(hosts);
-            if (ObjectUtils.anyNotNull(offeringHostTag, templateTag)) {
-                hostsCopy.retainAll(listHostsByTags(type, dcId, podId, clusterId, offeringHostTag, templateTag));
-            } else {
-                hostsCopy.retainAll(_hostDao.listAllHostsThatHaveNoRuleTag(type, clusterId, podId, dcId));
-            }
-        } else {
-            // list all computing hosts, regardless of whether they support routing...it's random after all
-            if (offeringHostTag != null) {
-                hostsCopy = listHostsByTags(type, dcId, podId, clusterId, offeringHostTag, templateTag);
-            } else {
-                hostsCopy = _hostDao.listAllHostsThatHaveNoRuleTag(type, clusterId, podId, dcId);
-            }
-        }
-        hostsCopy = ListUtils.union(hostsCopy, _hostDao.findHostsWithTagRuleThatMatchComputeOferringTags(offeringHostTag));
-
-        if (hostsCopy.isEmpty()) {
-            logger.info("No suitable host found for VM [{}] in {}.", vmProfile, hostTag);
-            return null;
-        }
-
-        logger.debug("Random Allocator found {} hosts", hostsCopy.size());
-        if (hostsCopy.isEmpty()) {
-            return suitableHosts;
-        }
-
-        Collections.shuffle(hostsCopy);
-        for (Host host : hostsCopy) {
-            if (suitableHosts.size() == returnUpTo) {
-                break;
-            }
-            if (avoid.shouldAvoid(host)) {
-                if (logger.isDebugEnabled()) {
-                    logger.debug(String.format("Host %s is in avoid set, skipping this and trying other available hosts", host));
-                }
-                continue;
-            }
-            Pair<Boolean, Boolean> cpuCapabilityAndCapacity = capacityManager.checkIfHostHasCpuCapabilityAndCapacity(host, offering, considerReservedCapacity);
-            if (!cpuCapabilityAndCapacity.first() || !cpuCapabilityAndCapacity.second()) {
-                if (logger.isDebugEnabled()) {
-                    logger.debug(String.format("Not using host %s; host has cpu capability? %s, host has capacity? %s", host, cpuCapabilityAndCapacity.first(), cpuCapabilityAndCapacity.second()));
-                }
-                continue;
-            }
-            if (logger.isDebugEnabled()) {
-                logger.debug(String.format("Found a suitable host, adding to list: %s", host));
-            }
-            suitableHosts.add(host);
-        }
-        if (logger.isDebugEnabled()) {
-            logger.debug("Random Host Allocator returning " + suitableHosts.size() + " suitable hosts");
-        }
-        return suitableHosts;
-    }
-
-    @Override
-    public List<Host> allocateTo(VirtualMachineProfile vmProfile, DeploymentPlan plan, Type type, ExcludeList avoid, int returnUpTo) {
-        return allocateTo(vmProfile, plan, type, avoid, returnUpTo, true);
-    }
-
-    @Override
-    public List<Host> allocateTo(VirtualMachineProfile vmProfile, DeploymentPlan plan, Type type,
-                                 ExcludeList avoid, List<? extends Host> hosts, int returnUpTo,
-                                 boolean considerReservedCapacity) {
-        if (CollectionUtils.isEmpty(hosts)) {
-            if (logger.isDebugEnabled()) {
-                logger.debug("Random Allocator found 0 hosts as given host list is empty");
-            }
-            return new ArrayList<>();
-        }
-        return findSuitableHosts(vmProfile, plan, type, avoid, hosts, returnUpTo, considerReservedCapacity);
-    }
-
-    @Override
-    public List<Host> allocateTo(VirtualMachineProfile vmProfile, DeploymentPlan plan,
-                                 Type type, ExcludeList avoid, int returnUpTo, boolean considerReservedCapacity) {
-        return findSuitableHosts(vmProfile, plan, type, avoid, null, returnUpTo, considerReservedCapacity);
-    }
-
-    @Override
-    public boolean isVirtualMachineUpgradable(VirtualMachine vm, ServiceOffering offering) {
-        // currently we do no special checks to rule out a VM being upgradable to an offering, so
-        // return true
-        return true;
-    }
-}
diff --git a/plugins/host-allocators/random/src/test/java/com/cloud/agent/manager/allocator/impl/RandomAllocatorTest.java b/plugins/host-allocators/random/src/test/java/com/cloud/agent/manager/allocator/impl/RandomAllocatorTest.java
deleted file mode 100644
index 538d7157184a..000000000000
--- a/plugins/host-allocators/random/src/test/java/com/cloud/agent/manager/allocator/impl/RandomAllocatorTest.java
+++ /dev/null
@@ -1,80 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements.  See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership.  The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License.  You may obtain a copy of the License at
-//
-//   http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied.  See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package com.cloud.agent.manager.allocator.impl;
-
-import java.util.ArrayList;
-import java.util.List;
-
-import org.apache.commons.collections.CollectionUtils;
-import org.junit.Assert;
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.mockito.InjectMocks;
-import org.mockito.Mock;
-import org.mockito.Mockito;
-import org.mockito.junit.MockitoJUnitRunner;
-
-import com.cloud.host.Host;
-import com.cloud.host.HostVO;
-import com.cloud.host.dao.HostDao;
-
-@RunWith(MockitoJUnitRunner.class)
-public class RandomAllocatorTest {
-
-    @Mock
-    HostDao hostDao;
-    @InjectMocks
-    RandomAllocator randomAllocator;
-
-    @Test
-    public void testListHostsByTags() {
-        Host.Type type = Host.Type.Routing;
-        Long id = 1L;
-        String templateTag = "tag1";
-        String offeringTag = "tag2";
-        HostVO host1 = Mockito.mock(HostVO.class);
-        HostVO host2 = Mockito.mock(HostVO.class);
-        Mockito.when(hostDao.listByHostTag(type, id, id, id, offeringTag)).thenReturn(List.of(host1, host2));
-
-        // No template tagged host
-        Mockito.when(hostDao.listByHostTag(type, id, id, id, templateTag)).thenReturn(new ArrayList<>());
-        List<HostVO> result = randomAllocator.listHostsByTags(type, id, id, id, offeringTag, templateTag);
-        Assert.assertTrue(CollectionUtils.isEmpty(result));
-
-        // Different template tagged host
-        HostVO host3 = Mockito.mock(HostVO.class);
-        Mockito.when(hostDao.listByHostTag(type, id, id, id, templateTag)).thenReturn(List.of(host3));
-        result = randomAllocator.listHostsByTags(type, id, id, id, offeringTag, templateTag);
-        Assert.assertTrue(CollectionUtils.isEmpty(result));
-
-        // Matching template tagged host
-        Mockito.when(hostDao.listByHostTag(type, id, id, id, templateTag)).thenReturn(List.of(host1));
-        result = randomAllocator.listHostsByTags(type, id, id, id, offeringTag, templateTag);
-        Assert.assertFalse(CollectionUtils.isEmpty(result));
-        Assert.assertEquals(1, result.size());
-
-        // No template tag
-        result = randomAllocator.listHostsByTags(type, id, id, id, offeringTag, null);
-        Assert.assertFalse(CollectionUtils.isEmpty(result));
-        Assert.assertEquals(2, result.size());
-
-        // No offering tag
-        result = randomAllocator.listHostsByTags(type, id, id, id, null, templateTag);
-        Assert.assertFalse(CollectionUtils.isEmpty(result));
-        Assert.assertEquals(1, result.size());
-    }
-}
diff --git a/plugins/hypervisors/baremetal/src/main/java/com/cloud/baremetal/manager/BareMetalTemplateAdapter.java b/plugins/hypervisors/baremetal/src/main/java/com/cloud/baremetal/manager/BareMetalTemplateAdapter.java
index 940897de3c95..c6c38a398098 100644
--- a/plugins/hypervisors/baremetal/src/main/java/com/cloud/baremetal/manager/BareMetalTemplateAdapter.java
+++ b/plugins/hypervisors/baremetal/src/main/java/com/cloud/baremetal/manager/BareMetalTemplateAdapter.java
@@ -106,7 +106,6 @@ public VMTemplateVO create(TemplateProfile profile) {
             }
         }
 
-        _resourceLimitMgr.incrementResourceCount(profile.getAccountId(), ResourceType.template);
         return template;
     }
 
diff --git a/plugins/hypervisors/hyperv/DotNet/ServerResource/AgentShell/App.config b/plugins/hypervisors/hyperv/DotNet/ServerResource/AgentShell/App.config
index b66258ad9f6f..e96b6d8b8c5e 100644
--- a/plugins/hypervisors/hyperv/DotNet/ServerResource/AgentShell/App.config
+++ b/plugins/hypervisors/hyperv/DotNet/ServerResource/AgentShell/App.config
@@ -35,7 +35,7 @@
       <appender-ref ref="EventLogAppender"/>
     </root>
   </log4net>
-  
+
   <applicationSettings>
     <CloudStack.Plugin.AgentShell.AgentSettings>
       <setting name="cpus" serializeAs="String">
diff --git a/plugins/hypervisors/hyperv/DotNet/ServerResource/HypervResource/App.config b/plugins/hypervisors/hyperv/DotNet/ServerResource/HypervResource/App.config
index 3c4f70660827..c5025fb267c5 100644
--- a/plugins/hypervisors/hyperv/DotNet/ServerResource/HypervResource/App.config
+++ b/plugins/hypervisors/hyperv/DotNet/ServerResource/HypervResource/App.config
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8" ?>
-<!-- 
+<!--
     Note: Add entries to the App.config file for configuration settings
     that apply only to the Test project.
 -->
diff --git a/plugins/hypervisors/hyperv/DotNet/ServerResource/ServerResource.Tests/App.config b/plugins/hypervisors/hyperv/DotNet/ServerResource/ServerResource.Tests/App.config
index ddf1da0bcf67..184c44a5f279 100644
--- a/plugins/hypervisors/hyperv/DotNet/ServerResource/ServerResource.Tests/App.config
+++ b/plugins/hypervisors/hyperv/DotNet/ServerResource/ServerResource.Tests/App.config
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<!-- 
+<!--
     Note: Add entries to the App.config file for configuration settings
     that apply only to the Test project.
 -->
diff --git a/plugins/hypervisors/hyperv/src/main/java/com/cloud/ha/HypervInvestigator.java b/plugins/hypervisors/hyperv/src/main/java/com/cloud/ha/HypervInvestigator.java
index 3d79b9efdd13..4e44d8cb7359 100644
--- a/plugins/hypervisors/hyperv/src/main/java/com/cloud/ha/HypervInvestigator.java
+++ b/plugins/hypervisors/hyperv/src/main/java/com/cloud/ha/HypervInvestigator.java
@@ -41,15 +41,15 @@ public class HypervInvestigator extends AdapterBase implements Investigator {
 
     @Override
     public boolean isVmAlive(com.cloud.vm.VirtualMachine vm, Host host) throws UnknownVM {
-        Status status = isAgentAlive(host);
+        Status status = getHostAgentStatus(host);
         if (status == null) {
             throw new UnknownVM();
         }
-        return status == Status.Up ? true : null;
+        return status == Status.Up;
     }
 
     @Override
-    public Status isAgentAlive(Host agent) {
+    public Status getHostAgentStatus(Host agent) {
         if (agent.getHypervisorType() != Hypervisor.HypervisorType.Hyperv) {
             return null;
         }
diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/ha/KVMInvestigator.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/ha/KVMInvestigator.java
index ce9fbe6c232c..da9a0d6e2919 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/ha/KVMInvestigator.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/ha/KVMInvestigator.java
@@ -19,10 +19,7 @@
 package com.cloud.ha;
 
 import com.cloud.agent.AgentManager;
-import com.cloud.agent.api.Answer;
-import com.cloud.agent.api.CheckOnHostCommand;
 import com.cloud.host.Host;
-import com.cloud.host.HostVO;
 import com.cloud.host.Status;
 import com.cloud.host.dao.HostDao;
 import com.cloud.hypervisor.Hypervisor;
@@ -34,11 +31,12 @@
 import org.apache.cloudstack.engine.subsystem.api.storage.DataStoreProviderManager;
 import org.apache.cloudstack.engine.subsystem.api.storage.PrimaryDataStoreDriver;
 import org.apache.cloudstack.ha.HAManager;
+import org.apache.cloudstack.kvm.ha.KVMHostActivityChecker;
 import org.apache.cloudstack.storage.datastore.db.PrimaryDataStoreDao;
 import org.apache.cloudstack.storage.datastore.db.StoragePoolVO;
 
 import javax.inject.Inject;
-import java.util.Arrays;
+import java.util.Collections;
 import java.util.List;
 
 public class KVMInvestigator extends AdapterBase implements Investigator {
@@ -54,13 +52,15 @@ public class KVMInvestigator extends AdapterBase implements Investigator {
     private HAManager haManager;
     @Inject
     private DataStoreProviderManager dataStoreProviderMgr;
+    @Inject
+    private KVMHostActivityChecker hostActivityChecker;
 
     @Override
     public boolean isVmAlive(com.cloud.vm.VirtualMachine vm, Host host) throws UnknownVM {
         if (haManager.isHAEligible(host)) {
             return haManager.isVMAliveOnHost(host);
         }
-        Status status = isAgentAlive(host);
+        Status status = getHostAgentStatus(host);
         logger.debug("HA: HOST is ineligible legacy state {} for host {}", status, host);
         if (status == null) {
             throw new UnknownVM();
@@ -73,86 +73,41 @@ public boolean isVmAlive(com.cloud.vm.VirtualMachine vm, Host host) throws Unkno
     }
 
     @Override
-    public Status isAgentAlive(Host agent) {
-        if (agent.getHypervisorType() != Hypervisor.HypervisorType.KVM && agent.getHypervisorType() != Hypervisor.HypervisorType.LXC) {
+    public Status getHostAgentStatus(Host host) {
+        if (host.getHypervisorType() != Hypervisor.HypervisorType.KVM && host.getHypervisorType() != Hypervisor.HypervisorType.LXC) {
             return null;
         }
 
-        if (haManager.isHAEligible(agent)) {
-            return haManager.getHostStatus(agent);
+        if (haManager.isHAEligible(host)) {
+            return haManager.getHostStatusFromHAConfig(host);
         }
 
-        List<StoragePoolVO> clusterPools = _storagePoolDao.findPoolsInClusters(Arrays.asList(agent.getClusterId()), null);
-        boolean storageSupportHA = storageSupportHa(clusterPools);
-        if (!storageSupportHA) {
-            List<StoragePoolVO> zonePools = _storagePoolDao.findZoneWideStoragePoolsByHypervisor(agent.getDataCenterId(), agent.getHypervisorType());
-            storageSupportHA = storageSupportHa(zonePools);
+        List<StoragePoolVO> clusterPools = _storagePoolDao.findPoolsInClusters(Collections.singletonList(host.getClusterId()), null);
+        boolean storageSupportsHA = storageSupportsHA(clusterPools);
+        if (!storageSupportsHA) {
+            List<StoragePoolVO> zonePools = _storagePoolDao.findZoneWideStoragePoolsByHypervisor(host.getDataCenterId(), host.getHypervisorType());
+            storageSupportsHA = storageSupportsHA(zonePools);
         }
-        if (!storageSupportHA) {
-            logger.warn("Agent investigation was requested on host {}, but host does not support investigation because it has no NFS storage. Skipping investigation.", agent);
+        if (!storageSupportsHA) {
+            logger.warn("Agent investigation was requested on host {}, but host does not support investigation" +
+                    " because it has no HA supported storage. Skipping investigation.", host);
             return null;
         }
 
-        Status hostStatus = null;
-        Status neighbourStatus = null;
-        boolean reportFailureIfOneStorageIsDown = HighAvailabilityManager.KvmHAFenceHostIfHeartbeatFailsOnStorage.value();
-        CheckOnHostCommand cmd = new CheckOnHostCommand(agent, reportFailureIfOneStorageIsDown);
-
-        try {
-            Answer answer = _agentMgr.easySend(agent.getId(), cmd);
-            if (answer != null) {
-                hostStatus = answer.getResult() ? Status.Down : Status.Up;
-            }
-        } catch (Exception e) {
-            logger.debug("Failed to send command to host: {}", agent);
-        }
-        if (hostStatus == null) {
-            hostStatus = Status.Disconnected;
-        }
-
-        List<HostVO> neighbors = _resourceMgr.listHostsInClusterByStatus(agent.getClusterId(), Status.Up);
-        for (HostVO neighbor : neighbors) {
-            if (neighbor.getId() == agent.getId()
-                    || (neighbor.getHypervisorType() != Hypervisor.HypervisorType.KVM && neighbor.getHypervisorType() != Hypervisor.HypervisorType.LXC)) {
-                continue;
-            }
-            logger.debug("Investigating host:{} via neighbouring host:{}", agent, neighbor);
-            try {
-                Answer answer = _agentMgr.easySend(neighbor.getId(), cmd);
-                if (answer != null) {
-                    neighbourStatus = answer.getResult() ? Status.Down : Status.Up;
-                    logger.debug("Neighbouring host:{} returned status:{} for the investigated host:{}", neighbor, neighbourStatus, agent);
-                    if (neighbourStatus == Status.Up) {
-                        break;
-                    }
-                }
-            } catch (Exception e) {
-                logger.debug("Failed to send command to host: {}", neighbor);
-            }
-        }
-        if (neighbourStatus == Status.Up && (hostStatus == Status.Disconnected || hostStatus == Status.Down)) {
-            hostStatus = Status.Disconnected;
-        }
-        if (neighbourStatus == Status.Down && (hostStatus == Status.Disconnected || hostStatus == Status.Down)) {
-            hostStatus = Status.Down;
-        }
-        logger.debug("HA: HOST is ineligible legacy state {} for host {}", hostStatus, agent);
-        return hostStatus;
+        return hostActivityChecker.getHostAgentStatus(host);
     }
 
-    private boolean storageSupportHa(List<StoragePoolVO> pools) {
-        boolean storageSupportHA = false;
+    private boolean storageSupportsHA(List<StoragePoolVO> pools) {
         for (StoragePoolVO pool : pools) {
             DataStoreProvider storeProvider = dataStoreProviderMgr.getDataStoreProvider(pool.getStorageProviderName());
             DataStoreDriver storeDriver = storeProvider.getDataStoreDriver();
             if (storeDriver instanceof PrimaryDataStoreDriver) {
                 PrimaryDataStoreDriver primaryStoreDriver = (PrimaryDataStoreDriver)storeDriver;
                 if (primaryStoreDriver.isStorageSupportHA(pool.getPoolType())) {
-                    storageSupportHA = true;
-                    break;
+                    return true;
                 }
             }
         }
-        return storageSupportHA;
+        return false;
     }
 }
diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/BridgeVifDriver.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/BridgeVifDriver.java
index da60f6fd7177..e19c3437ba56 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/BridgeVifDriver.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/BridgeVifDriver.java
@@ -275,6 +275,7 @@ public LibvirtVMDef.InterfaceDef plug(NicTO nic, String guestOsType, String nicA
         if (nic.getPxeDisable()) {
             intf.setPxeDisable(true);
         }
+        intf.setLinkStateUp(nic.isEnabled());
 
         return intf;
     }
diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/KVMHABase.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/KVMHABase.java
index 896426addca1..f30e2c779195 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/KVMHABase.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/KVMHABase.java
@@ -35,11 +35,9 @@
 public class KVMHABase {
     protected Logger logger = LogManager.getLogger(getClass());
     private long _timeout = 60000; /* 1 minutes */
-    protected static String s_heartBeatPath;
-    protected long _heartBeatUpdateTimeout = AgentPropertiesFileHandler.getPropertyValue(AgentProperties.HEARTBEAT_UPDATE_TIMEOUT);
-    protected long _heartBeatUpdateFreq = AgentPropertiesFileHandler.getPropertyValue(AgentProperties.KVM_HEARTBEAT_UPDATE_FREQUENCY);
+    protected long _heartBeatUpdateFreqInMs = AgentPropertiesFileHandler.getPropertyValue(AgentProperties.KVM_HEARTBEAT_UPDATE_FREQUENCY);
     protected long _heartBeatUpdateMaxTries = AgentPropertiesFileHandler.getPropertyValue(AgentProperties.KVM_HEARTBEAT_UPDATE_MAX_TRIES);
-    protected long _heartBeatUpdateRetrySleep = AgentPropertiesFileHandler.getPropertyValue(AgentProperties.KVM_HEARTBEAT_UPDATE_RETRY_SLEEP);
+    protected long _heartBeatUpdateRetrySleepInMs = AgentPropertiesFileHandler.getPropertyValue(AgentProperties.KVM_HEARTBEAT_UPDATE_RETRY_SLEEP);
 
     public static enum PoolType {
         PrimaryStorage, SecondaryStorage
@@ -139,7 +137,7 @@ protected String checkingMountPoint(HAStoragePool pool, String poolName) {
             /* Can't find the mount point? */
             /* we need to mount it under poolName */
             if (poolName != null) {
-                Script mount = new Script("/bin/bash", 60000);
+                Script mount = new Script("/bin/bash", _timeout);
                 mount.add("-c");
                 mount.add("mount " + mountSource + " " + destPath);
                 String result = mount.execute();
@@ -155,7 +153,6 @@ protected String checkingMountPoint(HAStoragePool pool, String poolName) {
     }
 
     protected String getMountPoint(HAStoragePool storagePool) {
-
         StoragePool pool = null;
         String poolName = null;
         try {
@@ -172,7 +169,6 @@ protected String getMountPoint(HAStoragePool storagePool) {
                 }
                 poolName = pool.getName();
             }
-
         } catch (LibvirtException e) {
             logger.debug("Ignoring libvirt error.", e);
         } finally {
@@ -235,7 +231,7 @@ protected String runScriptRetry(String cmdString, OutputInterpreter interpreter)
         return result;
     }
 
-    public Boolean checkingHeartBeat() {
+    public Boolean hasHeartBeat() {
         // TODO Auto-generated method stub
         return null;
     }
diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/KVMHAChecker.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/KVMHAChecker.java
index db6190fa8f28..0ee59c95da39 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/KVMHAChecker.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/KVMHAChecker.java
@@ -26,44 +26,43 @@
 public class KVMHAChecker extends KVMHABase implements Callable<Boolean> {
     private List<HAStoragePool> storagePools;
     private HostTO host;
-    private boolean reportFailureIfOneStorageIsDown;
+    private boolean reportIfHeartBeatFailedForOneStoragePool;
 
-    public KVMHAChecker(List<HAStoragePool> pools, HostTO host, boolean reportFailureIfOneStorageIsDown) {
+    public KVMHAChecker(List<HAStoragePool> pools, HostTO host, boolean reportIfHeartBeatFailedForOneStoragePool) {
         this.storagePools = pools;
         this.host = host;
-        this.reportFailureIfOneStorageIsDown = reportFailureIfOneStorageIsDown;
+        this.reportIfHeartBeatFailedForOneStoragePool = reportIfHeartBeatFailedForOneStoragePool;
     }
 
     /*
-     * True means heartbeaing is on going, or we can't get it's status. False
-     * means heartbeating is stopped definitely
+     * True means heart beating is on going, or we can't get it's status.
+     * False means heart beating is stopped definitely.
      */
     @Override
-    public Boolean checkingHeartBeat() {
-        boolean validResult = false;
-
-        String hostAndPools = String.format("host IP [%s] in pools [%s]", host.getPrivateNetwork().getIp(), storagePools.stream().map(pool -> pool.getPoolUUID()).collect(Collectors.joining(", ")));
-
-        logger.debug(String.format("Checking heart beat with KVMHAChecker for %s", hostAndPools));
+    public Boolean hasHeartBeat() {
+        String hostAndPools = String.format("host IP [%s] in pools [%s]", host.getPrivateNetwork().getIp(),
+                storagePools.stream().map(pool -> pool.getPoolUUID()).collect(Collectors.joining(", ")));
+        logger.debug("Checking heart beat with KVMHAChecker for {}", hostAndPools);
 
+        boolean heartBeatCheckResult = false;
         for (HAStoragePool pool : storagePools) {
-            validResult = pool.getPool().checkingHeartBeat(pool, host);
-            if (reportFailureIfOneStorageIsDown && !validResult) {
+            heartBeatCheckResult = pool.getPool().hasHeartBeat(pool, host);
+            if (reportIfHeartBeatFailedForOneStoragePool && !heartBeatCheckResult) {
                 break;
             }
         }
 
-        if (!validResult) {
-            logger.warn(String.format("All checks with KVMHAChecker for %s considered it as dead. It may cause a shutdown of the host.", hostAndPools));
+        if (!heartBeatCheckResult) {
+            logger.warn("All checks with KVMHAChecker for {} considered it as dead. It may cause a shutdown of the host.", hostAndPools);
         }
 
-        return validResult;
+        return heartBeatCheckResult;
     }
 
     @Override
     public Boolean call() throws Exception {
         // logger.addAppender(new org.apache.log4j.ConsoleAppender(new
         // org.apache.log4j.PatternLayout(), "System.out"));
-        return checkingHeartBeat();
+        return hasHeartBeat();
     }
 }
diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/KVMHAMonitor.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/KVMHAMonitor.java
index cf407bfc08a8..9f1b849e9727 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/KVMHAMonitor.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/KVMHAMonitor.java
@@ -18,7 +18,7 @@
 
 import com.cloud.agent.properties.AgentProperties;
 import com.cloud.agent.properties.AgentPropertiesFileHandler;
-import com.cloud.storage.Storage.StoragePoolType;
+import com.cloud.ha.HighAvailabilityManager;
 import com.cloud.utils.script.Script;
 import org.libvirt.Connect;
 import org.libvirt.LibvirtException;
@@ -34,60 +34,51 @@
 
 public class KVMHAMonitor extends KVMHABase implements Runnable {
 
-    private final Map<String, HAStoragePool> storagePool = new ConcurrentHashMap<>();
+    private final Map<String, HAStoragePool> haStoragePools = new ConcurrentHashMap<>();
     private final boolean rebootHostAndAlertManagementOnHeartbeatTimeout;
 
     private final String hostPrivateIp;
 
-    public KVMHAMonitor(HAStoragePool pool, String host, String scriptPath) {
-        if (pool != null) {
-            storagePool.put(pool.getPoolUUID(), pool);
-        }
+    public KVMHAMonitor(String host) {
         hostPrivateIp = host;
-        configureHeartBeatPath(scriptPath);
-
         rebootHostAndAlertManagementOnHeartbeatTimeout = AgentPropertiesFileHandler.getPropertyValue(AgentProperties.REBOOT_HOST_AND_ALERT_MANAGEMENT_ON_HEARTBEAT_TIMEOUT);
     }
 
-    private static synchronized void configureHeartBeatPath(String scriptPath) {
-        KVMHABase.s_heartBeatPath = scriptPath;
-    }
-
     public void addStoragePool(HAStoragePool pool) {
-        synchronized (storagePool) {
-            storagePool.put(pool.getPoolUUID(), pool);
+        synchronized (haStoragePools) {
+            haStoragePools.put(pool.getPoolUUID(), pool);
         }
     }
 
     public void removeStoragePool(String uuid) {
-        synchronized (storagePool) {
-            HAStoragePool pool = storagePool.get(uuid);
+        synchronized (haStoragePools) {
+            HAStoragePool pool = haStoragePools.get(uuid);
             if (pool != null) {
                 Script.runSimpleBashScript("umount " + pool.getMountDestPath());
-                storagePool.remove(uuid);
+                haStoragePools.remove(uuid);
             }
         }
     }
 
     public List<HAStoragePool> getStoragePools() {
-        synchronized (storagePool) {
-            return new ArrayList<>(storagePool.values());
+        synchronized (haStoragePools) {
+            return new ArrayList<>(haStoragePools.values());
         }
     }
 
     public HAStoragePool getStoragePool(String uuid) {
-        synchronized (storagePool) {
-            return storagePool.get(uuid);
+        synchronized (haStoragePools) {
+            return haStoragePools.get(uuid);
         }
     }
 
     protected void runHeartBeat() {
-        synchronized (storagePool) {
+        synchronized (haStoragePools) {
             Set<String> removedPools = new HashSet<>();
-            for (String uuid : storagePool.keySet()) {
-                HAStoragePool primaryStoragePool = storagePool.get(uuid);
-                if (primaryStoragePool.getPool().getType() == StoragePoolType.NetworkFilesystem) {
-                    checkForNotExistingPools(removedPools, uuid);
+            for (String uuid : haStoragePools.keySet()) {
+                HAStoragePool primaryStoragePool = haStoragePools.get(uuid);
+                if (HighAvailabilityManager.LIBVIRT_STORAGE_POOL_TYPES_WITH_HA_SUPPORT.contains(primaryStoragePool.getPool().getType())) {
+                    checkForNotExistingLibvirtStoragePools(removedPools, uuid);
                     if (removedPools.contains(uuid)) {
                         continue;
                     }
@@ -96,7 +87,7 @@ protected void runHeartBeat() {
                 result = executePoolHeartBeatCommand(uuid, primaryStoragePool, result);
 
                 if (result != null && rebootHostAndAlertManagementOnHeartbeatTimeout) {
-                    logger.warn(String.format("Write heartbeat for pool [%s] failed: %s; stopping cloudstack-agent.", uuid, result));
+                    logger.warn("Write heartbeat for pool [{}] failed: {}; stopping cloudstack-agent.", uuid, result);
                     primaryStoragePool.getPool().createHeartBeatCommand(primaryStoragePool, null, false);;
                 }
             }
@@ -109,45 +100,43 @@ protected void runHeartBeat() {
     }
 
     private String executePoolHeartBeatCommand(String uuid, HAStoragePool primaryStoragePool, String result) {
-        for (int i = 1; i <= _heartBeatUpdateMaxTries; i++) {
+        for (int attempt = 1; attempt <= _heartBeatUpdateMaxTries; attempt++) {
             result = primaryStoragePool.getPool().createHeartBeatCommand(primaryStoragePool, hostPrivateIp, true);
-
-            if (result != null) {
-                logger.warn(String.format("Write heartbeat for pool [%s] failed: %s; try: %s of %s.", uuid, result, i, _heartBeatUpdateMaxTries));
-                try {
-                    Thread.sleep(_heartBeatUpdateRetrySleep);
-                } catch (InterruptedException e) {
-                    logger.debug("[IGNORED] Interrupted between heartbeat retries.", e);
-                }
-            } else {
+            if (result == null) {
                 break;
             }
 
+            logger.warn("Write heartbeat for pool [{}] failed: {}; try: {} of {}.", uuid, result, attempt, _heartBeatUpdateMaxTries);
+            try {
+                Thread.sleep(_heartBeatUpdateRetrySleepInMs);
+            } catch (InterruptedException e) {
+                logger.debug("[IGNORED] Interrupted between heartbeat retries.", e);
+            }
         }
         return result;
     }
 
-    private void checkForNotExistingPools(Set<String> removedPools, String uuid) {
+    private void checkForNotExistingLibvirtStoragePools(Set<String> removedPools, String uuid) {
         try {
             Connect conn = LibvirtConnection.getConnection();
             StoragePool storage = conn.storagePoolLookupByUUIDString(uuid);
             if (storage == null || storage.getInfo().state != StoragePoolState.VIR_STORAGE_POOL_RUNNING) {
                 if (storage == null) {
-                    logger.debug(String.format("Libvirt storage pool [%s] not found, removing from HA list.", uuid));
+                    logger.debug("Libvirt storage pool [{}] not found, removing from HA list.", uuid);
                 } else {
-                    logger.debug(String.format("Libvirt storage pool [%s] found, but not running, removing from HA list.", uuid));
+                    logger.debug("Libvirt storage pool [{}] found, but not running, removing from HA list.", uuid);
                 }
 
                 removedPools.add(uuid);
             }
 
-            logger.debug(String.format("Found NFS storage pool [%s] in libvirt, continuing.", uuid));
+            logger.debug("Found NFS storage pool [{}] in libvirt, continuing.", uuid);
 
         } catch (LibvirtException e) {
-            logger.debug(String.format("Failed to lookup libvirt storage pool [%s].", uuid), e);
+            logger.debug("Failed to lookup libvirt storage pool [{}].", uuid, e);
 
             if (e.toString().contains("pool not found")) {
-                logger.debug(String.format("Removing pool [%s] from HA monitor since it was deleted.", uuid));
+                logger.debug("Removing pool [{}] from HA monitor since it was deleted.", uuid);
                 removedPools.add(uuid);
             }
         }
@@ -160,11 +149,10 @@ public void run() {
             runHeartBeat();
 
             try {
-                Thread.sleep(_heartBeatUpdateFreq);
+                Thread.sleep(_heartBeatUpdateFreqInMs);
             } catch (InterruptedException e) {
                 logger.debug("[IGNORED] Interrupted between heartbeats.", e);
             }
         }
     }
-
 }
diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/KVMHAVMActivityChecker.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/KVMHAVMActivityChecker.java
index e6937b515e95..c13be64a3a3e 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/KVMHAVMActivityChecker.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/KVMHAVMActivityChecker.java
@@ -39,12 +39,12 @@ public KVMHAVMActivityChecker(final HAStoragePool pool, final HostTO host, final
     }
 
     @Override
-    public Boolean checkingHeartBeat() {
-        return this.storagePool.getPool().vmActivityCheck(storagePool, host, activityScriptTimeout, volumeUuidList, vmActivityCheckPath, suspectTimeInSeconds);
+    public Boolean hasHeartBeat() {
+        return this.storagePool.getPool().hasVmActivity(storagePool, host, activityScriptTimeout, volumeUuidList, vmActivityCheckPath, suspectTimeInSeconds);
     }
 
     @Override
     public Boolean call() throws Exception {
-        return checkingHeartBeat();
+        return hasHeartBeat();
     }
 }
diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResource.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResource.java
index 55bab118ad00..06b668b801d3 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResource.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResource.java
@@ -18,6 +18,9 @@
 
 import static com.cloud.host.Host.HOST_INSTANCE_CONVERSION;
 import static com.cloud.host.Host.HOST_OVFTOOL_VERSION;
+import static com.cloud.host.Host.HOST_VDDK_LIB_DIR;
+import static com.cloud.host.Host.HOST_VDDK_SUPPORT;
+import static com.cloud.host.Host.HOST_VDDK_VERSION;
 import static com.cloud.host.Host.HOST_VIRTV2V_VERSION;
 import static com.cloud.host.Host.HOST_VOLUME_ENCRYPTION;
 import static org.apache.cloudstack.utils.linux.KVMHostInfo.isHostS390x;
@@ -121,6 +124,7 @@
 import org.libvirt.LibvirtException;
 import org.libvirt.MemoryStatistic;
 import org.libvirt.Network;
+import org.libvirt.SchedLongParameter;
 import org.libvirt.SchedParameter;
 import org.libvirt.SchedUlongParameter;
 import org.libvirt.Secret;
@@ -365,6 +369,7 @@ public class LibvirtComputingResource extends ServerResourceBase implements Serv
     public static final String WINDOWS_GUEST_CONVERSION_SUPPORTED_CHECK_CMD = "rpm -qa | grep -i virtio-win";
     public static final String UBUNTU_WINDOWS_GUEST_CONVERSION_SUPPORTED_CHECK_CMD = "dpkg -l virtio-win";
     public static final String UBUNTU_NBDKIT_PKG_CHECK_CMD = "dpkg -l nbdkit";
+    public static final String VDDK_AUTODETECT_PATH_CMD = "find / -type d -name 'vmware-vix-disklib-distrib' 2>/dev/null | head -n 1";
 
     public static final int LIBVIRT_CGROUP_CPU_SHARES_MIN = 2;
     public static final int LIBVIRT_CGROUP_CPU_SHARES_MAX = 262144;
@@ -879,16 +884,41 @@ protected enum HealthCheckResult {
         SUCCESS, FAILURE, IGNORE
     }
 
+    public enum CpuSchedulerParameter {
+        CPU_SHARES("cpu_shares"), PERIOD("vcpu_period"), QUOTA("vcpu_quota");
+
+        private String name;
+
+        CpuSchedulerParameter(String name) {
+            this.name = name;
+        }
+
+        public String getName() {
+            return name;
+        }
+
+        @Override
+        public String toString() {
+            return getName();
+        }
+    }
+
     protected BridgeType bridgeType;
 
     protected StorageSubsystemCommandHandler storageHandler;
 
     private boolean convertInstanceVerboseMode = false;
     private Map<String, String> convertInstanceEnv = null;
+    private String vddkLibDir = null;
+    private static final String libguestfsBackend = "direct";
     protected boolean dpdkSupport = false;
     protected String dpdkOvsPath;
     protected String directDownloadTemporaryDownloadPath;
     protected String cachePath;
+    private String vddkTransports = null;
+    private String vddkThumbprint = null;
+    private String vddkVersion = null;
+    private String detectedPasswordFileOption = null;
     protected String javaTempDir = System.getProperty("java.io.tmpdir");
 
     private String getEndIpFromStartIp(final String startIp, final int numIps) {
@@ -953,6 +983,26 @@ public Map<String, String> getConvertInstanceEnv() {
         return convertInstanceEnv;
     }
 
+    public String getVddkLibDir() {
+        return vddkLibDir;
+    }
+
+    public String getLibguestfsBackend() {
+        return libguestfsBackend;
+    }
+
+    public String getVddkTransports() {
+        return vddkTransports;
+    }
+
+    public String getVddkThumbprint() {
+        return vddkThumbprint;
+    }
+
+    public String getVddkVersion() {
+        return vddkVersion;
+    }
+
     /**
      * Defines resource's public and private network interface according to what is configured in agent.properties.
      */
@@ -1065,11 +1115,6 @@ public boolean configure(final String name, final Map<String, Object> params) th
             throw new ConfigurationException("Unable to find patch.sh");
         }
 
-        heartBeatPath = Script.findScript(kvmScriptsDir, "kvmheartbeat.sh");
-        if (heartBeatPath == null) {
-            throw new ConfigurationException("Unable to find kvmheartbeat.sh");
-        }
-
         createVmPath = Script.findScript(storageScriptsDir, "createvm.sh");
         if (createVmPath == null) {
             throw new ConfigurationException("Unable to find the createvm.sh");
@@ -1158,6 +1203,37 @@ public boolean configure(final String name, final Map<String, Object> params) th
 
         setConvertInstanceEnv(convertEnvTmpDir, convertEnvVirtv2vTmpDir);
 
+        vddkLibDir = StringUtils.trimToNull(AgentPropertiesFileHandler.getPropertyValue(AgentProperties.VDDK_LIB_DIR));
+        if (StringUtils.isNotBlank(vddkLibDir) && !isVddkLibDirValid(vddkLibDir)) {
+            LOGGER.warn("Configured VDDK library dir [{}] is invalid (missing lib64/libvixDiskLib.so), attempting auto-detection", vddkLibDir);
+            vddkLibDir = null;
+        }
+        if (StringUtils.isBlank(vddkLibDir)) {
+            vddkLibDir = detectVddkLibDir();
+        }
+        if (StringUtils.isNotBlank(vddkLibDir)) {
+            LOGGER.info("Detected VDDK library dir: {}", vddkLibDir);
+        } else {
+            LOGGER.warn("Could not detect a valid VDDK library dir; VDDK conversion will be unavailable");
+        }
+
+        vddkVersion = detectVddkVersion();
+        if (StringUtils.isNotBlank(vddkVersion)) {
+            LOGGER.info("Detected nbdkit VDDK plugin version: {}", vddkVersion);
+        }
+
+        vddkTransports = StringUtils.trimToNull(
+                AgentPropertiesFileHandler.getPropertyValue(AgentProperties.VDDK_TRANSPORTS));
+        vddkThumbprint = StringUtils.trimToNull(
+                AgentPropertiesFileHandler.getPropertyValue(AgentProperties.VDDK_THUMBPRINT));
+
+        detectedPasswordFileOption = detectPasswordFileOption();
+        if (StringUtils.isNotBlank(detectedPasswordFileOption)) {
+            LOGGER.info("Detected virt-v2v password option: {}", detectedPasswordFileOption);
+        } else {
+            LOGGER.warn("Could not detect virt-v2v password option, VDDK conversions may fail");
+        }
+
         pool = (String)params.get("pool");
         if (pool == null) {
             pool = "/root";
@@ -1332,9 +1408,9 @@ public boolean configure(final String name, final Map<String, Object> params) th
 
         final String[] info = NetUtils.getNetworkParams(privateNic);
 
-        kvmhaMonitor = new KVMHAMonitor(null, info[0], heartBeatPath);
-        final Thread ha = new Thread(kvmhaMonitor);
-        ha.start();
+        kvmhaMonitor = new KVMHAMonitor(info[0]);
+        final Thread haMonitorThread = new Thread(kvmhaMonitor);
+        haMonitorThread.start();
 
         storagePoolManager = new KVMStoragePoolManager(storageLayer, kvmhaMonitor);
 
@@ -2909,23 +2985,61 @@ protected String getUuid(String uuid) {
     protected void setQuotaAndPeriod(VirtualMachineTO vmTO, CpuTuneDef ctd) {
         if (vmTO.isLimitCpuUse() && vmTO.getCpuQuotaPercentage() != null) {
             Double cpuQuotaPercentage = vmTO.getCpuQuotaPercentage();
-            int period = CpuTuneDef.DEFAULT_PERIOD;
-            int quota = (int) (period * cpuQuotaPercentage);
-            if (quota < CpuTuneDef.MIN_QUOTA) {
-                LOGGER.info("Calculated quota (" + quota + ") below the minimum (" + CpuTuneDef.MIN_QUOTA + ") for VM domain " + vmTO.getUuid() + ", setting it to minimum " +
-                        "and calculating period instead of using the default");
-                quota = CpuTuneDef.MIN_QUOTA;
-                period = (int) ((double) quota / cpuQuotaPercentage);
-                if (period > CpuTuneDef.MAX_PERIOD) {
-                    LOGGER.info("Calculated period (" + period + ") exceeds the maximum (" + CpuTuneDef.MAX_PERIOD +
-                            "), setting it to the maximum");
-                    period = CpuTuneDef.MAX_PERIOD;
-                }
+            Pair<Integer, Long> periodAndQuota = getPeriodAndQuota(cpuQuotaPercentage);
+            ctd.setPeriod(periodAndQuota.first());
+            ctd.setQuota(periodAndQuota.second());
+            LOGGER.info("Setting quota = [{}] and period = [{}] to VM domain [{}].", periodAndQuota.second(), periodAndQuota.first(), vmTO.getUuid());
+        }
+    }
+
+    /**
+     * Calculates the CPU period and quota based on the quota percentage defined by the Management Server
+     * @param cpuQuotaPercentage CPU quota percentage defined by the Management Server
+     * @return The period and quota to be defined for the VM's domain
+     */
+    protected Pair<Integer, Long> getPeriodAndQuota(double cpuQuotaPercentage) {
+        int period = CpuTuneDef.DEFAULT_PERIOD;
+        long quota = (long) (period * cpuQuotaPercentage);
+        if (quota < CpuTuneDef.MIN_QUOTA) {
+            LOGGER.info("Calculated quota ({}) below the minimum ({}), setting it to minimum and calculating period instead of using the default", quota, CpuTuneDef.MIN_QUOTA);
+            quota = CpuTuneDef.MIN_QUOTA;
+            period = (int) ((double) quota / cpuQuotaPercentage);
+            if (period > CpuTuneDef.MAX_PERIOD) {
+                LOGGER.info("Calculated period ({}) exceeds the maximum ({}), setting it to the maximum", period, CpuTuneDef.MAX_PERIOD);
+                period = CpuTuneDef.MAX_PERIOD;
             }
-            ctd.setQuota(quota);
-            ctd.setPeriod(period);
-            LOGGER.info("Setting quota=" + quota + ", period=" + period + " to VM domain " + vmTO.getUuid());
         }
+
+        LOGGER.info("Calculated period = [{}] and quota = [{}] given the [{}] quota percentage.", period, quota, cpuQuotaPercentage);
+        return new Pair<>(period, quota);
+    }
+
+    /**
+     * Dynamically updates the domain's "vcpu_quota" and "period" fields of the CPU tune definition.
+     * This is required because the values of the fields must change according to the new CPU speed of the VM.
+     * When the CPU limitation is removed from the domain, the "vcpu_quota" field is set to 17,592,186,044,415.
+     * @param domain VM's domain.
+     * @param vmTO VM's transfer object, which contains the required fields to update the "vcpu_quota" and "period" fields.
+     * @param limitCpuUseChange Indicates whether the CPU limitation for the VM has changed.
+     * @throws org.libvirt.LibvirtException
+     **/
+    public void updateCpuQuotaAndPeriod(Domain domain, VirtualMachineTO vmTO, boolean limitCpuUseChange) throws LibvirtException {
+        if (hypervisorLibvirtVersion < MIN_LIBVIRT_VERSION_FOR_GUEST_CPU_TUNE || (!limitCpuUseChange && !vmTO.isLimitCpuUse())) {
+            logger.info("Not updating the [{}] and [{}] for the [{}] domain, because [{}].",
+                    CpuSchedulerParameter.QUOTA, CpuSchedulerParameter.PERIOD, domain.getName(), hypervisorLibvirtVersion < MIN_LIBVIRT_VERSION_FOR_GUEST_CPU_TUNE ?
+                            "the current Libvirt version does not support CPU tune" : "it was not requested to remove, change or apply CPU limitation for the instance.");
+            return;
+        }
+
+        if (limitCpuUseChange && !vmTO.isLimitCpuUse()) {
+            logger.info("Updating the [{}] of the [{}] domain to [{}], because CPU limitation has been removed.", CpuSchedulerParameter.QUOTA, domain.getName(), CpuTuneDef.MAX_CPU_QUOTA);
+            LibvirtComputingResource.setQuota(domain, CpuTuneDef.MAX_CPU_QUOTA);
+            return;
+        }
+
+        Pair<Integer, Long> periodAndQuota = getPeriodAndQuota(vmTO.getCpuQuotaPercentage());
+        LibvirtComputingResource.setPeriod(domain, periodAndQuota.first());
+        LibvirtComputingResource.setQuota(domain, periodAndQuota.second());
     }
 
     protected void enlightenWindowsVm(VirtualMachineTO vmTO, FeaturesDef features) {
@@ -3389,10 +3503,10 @@ protected GuestResourceDef createGuestResourceDef(VirtualMachineTO vmTO){
 
         grd.setMemBalloning(!noMemBalloon);
 
-        Long maxRam = ByteScaleUtils.bytesToKibibytes(vmTO.getMaxRam());
-
-        grd.setMemorySize(maxRam);
-        grd.setCurrentMem(getCurrentMemAccordingToMemBallooning(vmTO, maxRam));
+        long requestedRam = ByteScaleUtils.bytesToKibibytes(vmTO.getRequestedRam());
+        long minRam = ByteScaleUtils.bytesToKibibytes(vmTO.getMinRam());
+        grd.setCurrentMem(getCurrentMemAccordingToMemBallooning(vmTO, requestedRam, minRam));
+        grd.setMaxMemory(ByteScaleUtils.bytesToKibibytes(vmTO.getMaxRam()));
 
         int vcpus = vmTO.getCpus();
         Integer maxVcpus = vmTO.getVcpuMaxLimit();
@@ -3403,18 +3517,19 @@ protected GuestResourceDef createGuestResourceDef(VirtualMachineTO vmTO){
         return grd;
     }
 
-    protected long getCurrentMemAccordingToMemBallooning(VirtualMachineTO vmTO, long maxRam) {
-        long retVal = maxRam;
+    protected long getCurrentMemAccordingToMemBallooning(VirtualMachineTO vmTO, long requestedRam, long minRam) {
         if (noMemBalloon) {
-            LOGGER.warn(String.format("Setting VM's [%s] current memory as max memory [%s] due to memory ballooning is disabled. If you are using a custom service offering, verify if memory ballooning really should be disabled.", vmTO.toString(), maxRam));
-        } else if (vmTO != null && vmTO.getType() != VirtualMachine.Type.User) {
-            LOGGER.warn(String.format("Setting System VM's [%s] current memory as max memory [%s].", vmTO.toString(), maxRam));
-        } else {
-            long minRam = ByteScaleUtils.bytesToKibibytes(vmTO.getMinRam());
-            LOGGER.debug(String.format("Setting VM's [%s] current memory as min memory [%s] due to memory ballooning is enabled.", vmTO.toString(), minRam));
-            retVal = minRam;
+            LOGGER.warn("Setting VM's [{}] current memory as requested memory [{}] due to memory ballooning is disabled.", vmTO.toString(), requestedRam);
+            return requestedRam;
         }
-        return retVal;
+
+        if (vmTO != null && vmTO.getType() != VirtualMachine.Type.User) {
+            LOGGER.warn("Setting System VM's [{}] current memory as requested memory [{}].", vmTO.toString(), requestedRam);
+            return requestedRam;
+        }
+
+        LOGGER.debug("Setting VM's [{}] current memory as min memory [{}] due to memory ballooning is enabled.", vmTO.toString(), minRam);
+        return minRam;
     }
 
     /**
@@ -4229,6 +4344,13 @@ public StartupCommand[] initialize() {
         cmd.setHostTags(getHostTags());
         boolean instanceConversionSupported = hostSupportsInstanceConversion();
         cmd.getHostDetails().put(HOST_INSTANCE_CONVERSION, String.valueOf(instanceConversionSupported));
+        cmd.getHostDetails().put(HOST_VDDK_SUPPORT, String.valueOf(hostSupportsVddk()));
+        if (StringUtils.isNotBlank(vddkLibDir)) {
+            cmd.getHostDetails().put(HOST_VDDK_LIB_DIR, vddkLibDir);
+        }
+        if (StringUtils.isNotBlank(vddkVersion)) {
+            cmd.getHostDetails().put(HOST_VDDK_VERSION, vddkVersion);
+        }
         if (instanceConversionSupported) {
             cmd.getHostDetails().put(HOST_VIRTV2V_VERSION, getHostVirtV2vVersion());
         }
@@ -4851,6 +4973,12 @@ public List<InterfaceDef> getInterfaces(final Connect conn, final String vmName)
         }
     }
 
+    public InterfaceDef getInterface(final Connect conn, final String vmName, final String macAddress) {
+        List<InterfaceDef> interfaces = getInterfaces(conn, vmName);
+        return interfaces.stream().filter(interfaceDef -> interfaceDef.getMacAddress().equals(macAddress))
+                .findFirst().orElseThrow(() -> new CloudRuntimeException(String.format("Unable to find NIC with MAC address %s.", macAddress)));
+    }
+
     public List<DiskDef> getDisks(final Connect conn, final String vmName) {
         final LibvirtDomainXMLParser parser = new LibvirtDomainXMLParser();
         Domain dm = null;
@@ -5944,6 +6072,66 @@ public boolean hostSupportsInstanceConversion() {
         return exitValue == 0;
     }
 
+    public boolean hostSupportsVddk() {
+        return hostSupportsVddk(null);
+    }
+
+    public boolean hostSupportsVddk(String overriddenVddkLibDir) {
+        String effectiveVddkLibDir = StringUtils.trimToNull(overriddenVddkLibDir);
+        if (StringUtils.isBlank(effectiveVddkLibDir)) {
+            effectiveVddkLibDir = StringUtils.trimToNull(vddkLibDir);
+        }
+        if (StringUtils.isBlank(effectiveVddkLibDir) || !isVddkLibDirValid(effectiveVddkLibDir)) {
+            effectiveVddkLibDir = detectVddkLibDir();
+        }
+        return hostSupportsInstanceConversion() && isVddkLibDirValid(effectiveVddkLibDir) && StringUtils.isNotBlank(detectVddkVersion());
+    }
+
+    protected boolean isVddkLibDirValid(String path) {
+        if (StringUtils.isBlank(path)) {
+            return false;
+        }
+        File libDir = new File(path, "lib64");
+        if (!libDir.isDirectory()) {
+            return false;
+        }
+        File[] libs = libDir.listFiles((dir, name) -> name.startsWith("libvixDiskLib.so"));
+        return libs != null && libs.length > 0;
+    }
+
+    protected String detectVddkLibDir() {
+        String detectedPath = StringUtils.trimToNull(Script.runSimpleBashScript(VDDK_AUTODETECT_PATH_CMD));
+        if (StringUtils.isNotBlank(detectedPath) && isVddkLibDirValid(detectedPath)) {
+            return detectedPath;
+        }
+        return null;
+    }
+
+    protected String detectVddkVersion() {
+        try {
+            ProcessBuilder pb = new ProcessBuilder("nbdkit", "vddk", "--version");
+            Process process = pb.start();
+
+            String output = new String(process.getInputStream().readAllBytes());
+            process.waitFor();
+
+            if (StringUtils.isBlank(output)) {
+                return null;
+            }
+
+            for (String line : output.split("\\R")) {
+                String trimmed = StringUtils.trimToEmpty(line);
+                if (trimmed.startsWith("vddk ")) {
+                    return StringUtils.trimToNull(trimmed.substring("vddk ".length()));
+                }
+            }
+            return null;
+        } catch (Exception e) {
+            LOGGER.error("Failed to detect vddk version: {}", e.getMessage());
+            return null;
+        }
+    }
+
     public boolean hostSupportsWindowsGuestConversion() {
         if (isUbuntuOrDebianHost()) {
             int exitValue = Script.runSimpleBashScriptForExitValue(UBUNTU_WINDOWS_GUEST_CONVERSION_SUPPORTED_CHECK_CMD);
@@ -5958,6 +6146,40 @@ public boolean hostSupportsOvfExport() {
         return exitValue == 0;
     }
 
+    /**
+     * Detect which password option virt-v2v supports by examining its --help output
+     * @return "-ip" if supported (virt-v2v >= 2.8.1), "--password-file" if older version, or null if detection fails
+     */
+    protected String detectPasswordFileOption() {
+        try {
+            ProcessBuilder pb = new ProcessBuilder("virt-v2v", "--help");
+            Process process = pb.start();
+
+            String output = new String(process.getInputStream().readAllBytes());
+            process.waitFor();
+
+            if (output.contains("-ip <filename>")) {
+                return "-ip";
+            } else if (output.contains("--password-file")) {
+                return "--password-file";
+            } else {
+                LOGGER.error("virt-v2v does not support -ip or --password-file");
+                return null;
+            }
+        } catch (Exception e) {
+            LOGGER.error("Failed to detect virt-v2v password option: {}", e.getMessage());
+            return null;
+        }
+    }
+
+    /**
+     * Get the detected password file option for virt-v2v
+     * @return the password option ("-ip" or "--password-file") or null if not detected
+     */
+    public String getDetectedPasswordFileOption() {
+        return detectedPasswordFileOption;
+    }
+
     public String getHostVirtV2vVersion() {
         if (!hostSupportsInstanceConversion()) {
             return "";
@@ -6092,29 +6314,59 @@ public static long countDomainRunningVcpus(Domain dm) throws LibvirtException {
      **/
     public static Integer getCpuShares(Domain dm) throws LibvirtException {
         for (SchedParameter c : dm.getSchedulerParameters()) {
-            if (c.field.equals("cpu_shares")) {
+            if (c.field.equals(CpuSchedulerParameter.CPU_SHARES.getName())) {
                 return Integer.parseInt(c.getValueAsString());
             }
         }
-        LOGGER.warn(String.format("Could not get cpu_shares of domain: [%s]. Returning default value of 0. ", dm.getName()));
+        LOGGER.warn("Could not get [{}] of domain: [{}]. Returning default value of 0. ", CpuSchedulerParameter.CPU_SHARES.getName(), dm.getName());
         return 0;
     }
 
     /**
-     * Sets the cpu_shares (priority) of the running VM <br/>
+     * Updates the cpu_shares (priority) of the running VM.
      * @param dm domain of the VM.
      * @param cpuShares new priority of the running VM.
-     * @throws org.libvirt.LibvirtException
      **/
     public static void setCpuShares(Domain dm, Integer cpuShares) throws LibvirtException {
+        LOGGER.info("Dynamically updating the [{}] of the [{}] VM to [{}].", CpuSchedulerParameter.CPU_SHARES.getName(), dm.getName(), cpuShares);
         SchedUlongParameter[] params = new SchedUlongParameter[1];
         params[0] = new SchedUlongParameter();
-        params[0].field = "cpu_shares";
+        params[0].field = CpuSchedulerParameter.CPU_SHARES.getName();
         params[0].value = cpuShares;
 
         dm.setSchedulerParameters(params);
     }
 
+    /**
+     * Updates the period of the running VM.
+     * @param domain domain of the VM.
+     * @param period new period of the running VM.
+     **/
+    public static void setPeriod(Domain domain, int period) throws LibvirtException {
+        LOGGER.info("Dynamically updating the [{}] of the [{}] VM to [{}].", CpuSchedulerParameter.PERIOD.getName(), domain.getName(), period);
+        SchedUlongParameter[] params = new SchedUlongParameter[1];
+        params[0] = new SchedUlongParameter();
+        params[0].field = CpuSchedulerParameter.PERIOD.getName();
+        params[0].value = period;
+
+        domain.setSchedulerParameters(params);
+    }
+
+    /**
+     * Updates the quota of the running VM.
+     * @param domain domain of the VM.
+     * @param quota new quota of the running VM.
+     **/
+    public static void setQuota(Domain domain, long quota) throws LibvirtException {
+        LOGGER.info("Dynamically updating the [{}] of the [{}] VM to [{}].", CpuSchedulerParameter.QUOTA.getName(), domain.getName(), quota);
+        SchedLongParameter[] params = new SchedLongParameter[1];
+        params[0] = new SchedLongParameter();
+        params[0].field = CpuSchedulerParameter.QUOTA.getName();
+        params[0].value = quota;
+
+        domain.setSchedulerParameters(params);
+    }
+
     /**
      * Set up a libvirt secret for a volume. If Libvirt says that a secret already exists for this volume path, we use its uuid.
      * The UUID of the secret needs to be prescriptive such that we can register the same UUID on target host during live migration
diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtDomainXMLParser.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtDomainXMLParser.java
index 4d823783a99a..e114669b8b56 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtDomainXMLParser.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtDomainXMLParser.java
@@ -542,7 +542,7 @@ private void extractCpuTuneDef(final Element rootElement) {
 
             final String quota = getTagValue("quota", cpuTuneDefElement);
             if (StringUtils.isNotBlank(quota)) {
-                cpuTuneDef.setQuota((Integer.parseInt(quota)));
+                cpuTuneDef.setQuota((Long.parseLong(quota)));
             }
 
             final String period = getTagValue("period", cpuTuneDefElement);
diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtGpuDef.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtGpuDef.java
index 08086859fb70..d3765c01ccbc 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtGpuDef.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtGpuDef.java
@@ -79,28 +79,47 @@ private void generatePciXml(StringBuilder gpuBuilder) {
         gpuBuilder.append("  <driver name='vfio'/>\n");
         gpuBuilder.append("  <source>\n");
 
-        // Parse the bus address (e.g., 00:02.0) into domain, bus, slot, function
-        String domain = "0x0000";
-        String bus = "0x00";
-        String slot = "0x00";
-        String function = "0x0";
+        // Parse the bus address into domain, bus, slot, function. Two input formats are accepted:
+        //   - "dddd:bb:ss.f"  full PCI address with domain (e.g. 0000:00:02.0)
+        //   - "bb:ss.f"       legacy short BDF; domain defaults to 0000
+        // Each segment is parsed as a hex integer and formatted with fixed widths
+        // (domain: 4 hex digits, bus/slot: 2 hex digits, function: 1 hex digit) to
+        // produce canonical libvirt XML values regardless of input casing or padding.
+        int domainVal = 0, busVal = 0, slotVal = 0, funcVal = 0;
 
         if (busAddress != null && !busAddress.isEmpty()) {
             String[] parts = busAddress.split(":");
-            if (parts.length > 1) {
-                bus = "0x" + parts[0];
-                String[] slotFunctionParts = parts[1].split("\\.");
-                if (slotFunctionParts.length > 0) {
-                    slot = "0x" + slotFunctionParts[0];
-                    if (slotFunctionParts.length > 1) {
-                        function = "0x" + slotFunctionParts[1].trim();
-                    }
+            try {
+                String slotFunction;
+                if (parts.length == 3) {
+                    domainVal = Integer.parseInt(parts[0], 16);
+                    busVal = Integer.parseInt(parts[1], 16);
+                    slotFunction = parts[2];
+                } else if (parts.length == 2) {
+                    busVal = Integer.parseInt(parts[0], 16);
+                    slotFunction = parts[1];
+                } else {
+                    throw new IllegalArgumentException("Invalid PCI bus address format: '" + busAddress + "'");
                 }
+                String[] sf = slotFunction.split("\\.");
+                if (sf.length == 2) {
+                    slotVal = Integer.parseInt(sf[0], 16);
+                    funcVal = Integer.parseInt(sf[1].trim(), 16);
+                } else {
+                    throw new IllegalArgumentException("Invalid PCI bus address format: '" + busAddress + "'");
+                }
+            } catch (NumberFormatException e) {
+                throw new IllegalArgumentException("Invalid PCI bus address format: '" + busAddress + "'", e);
             }
         }
 
+        String domain = String.format("0x%04x", domainVal);
+        String bus = String.format("0x%02x", busVal);
+        String slot = String.format("0x%02x", slotVal);
+        String function = String.format("0x%x", funcVal);
+
         gpuBuilder.append("    <address domain='").append(domain).append("' bus='").append(bus).append("' slot='")
-                .append(slot).append("' function='").append(function.trim()).append("'/>\n");
+                .append(slot).append("' function='").append(function).append("'/>\n");
         gpuBuilder.append("  </source>\n");
         gpuBuilder.append("</hostdev>\n");
     }
diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtVMDef.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtVMDef.java
index 097a9b8dd322..bf8b1af6c18d 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtVMDef.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtVMDef.java
@@ -443,15 +443,15 @@ public String toString() {
     }
 
     public static class GuestResourceDef {
-        private long memory;
+        private long maxMemory;
         private long currentMemory = -1;
         private int vcpu = -1;
         private int maxVcpu = -1;
         private boolean memoryBalloning = false;
         private int memoryBalloonStatsPeriod = AgentPropertiesFileHandler.getPropertyValue(AgentProperties.VM_MEMBALLOON_STATS_PERIOD);
 
-        public void setMemorySize(long mem) {
-            this.memory = mem;
+        public void setMaxMemory(long mem) {
+            this.maxMemory = mem;
         }
 
         public void setCurrentMem(long currMem) {
@@ -484,8 +484,8 @@ public String toString() {
             response.append(String.format("<memory>%s</memory>\n", this.currentMemory));
             response.append(String.format("<currentMemory>%s</currentMemory>\n", this.currentMemory));
 
-            if (this.memory > this.currentMemory) {
-                response.append(String.format("<maxMemory slots='16' unit='KiB'>%s</maxMemory>\n", this.memory));
+            if (this.maxMemory > this.currentMemory) {
+                response.append(String.format("<maxMemory slots='16' unit='KiB'>%s</maxMemory>\n", this.maxMemory));
                 response.append(String.format("<cpu> <numa> <cell id='0' cpus='0-%s' memory='%s' unit='KiB'/> </numa> </cpu>\n", this.maxVcpu - 1, this.currentMemory));
             }
 
@@ -1920,11 +1920,12 @@ public String toString() {
 
     public static class CpuTuneDef {
         private int _shares = 0;
-        private int quota = 0;
+        private long quota = 0;
         private int period = 0;
         static final int DEFAULT_PERIOD = 10000;
         static final int MIN_QUOTA = 1000;
         static final int MAX_PERIOD = 1000000;
+        public static final long MAX_CPU_QUOTA = 17592186044415L;
 
         public void setShares(int shares) {
             _shares = shares;
@@ -1934,11 +1935,11 @@ public int getShares() {
             return _shares;
         }
 
-        public int getQuota() {
+        public long getQuota() {
             return quota;
         }
 
-        public void setQuota(int quota) {
+        public void setQuota(long quota) {
             this.quota = quota;
         }
 
diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtCheckConvertInstanceCommandWrapper.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtCheckConvertInstanceCommandWrapper.java
index b94b48300036..de9341715f02 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtCheckConvertInstanceCommandWrapper.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtCheckConvertInstanceCommandWrapper.java
@@ -30,7 +30,15 @@ public class LibvirtCheckConvertInstanceCommandWrapper extends CommandWrapper<Ch
 
     @Override
     public Answer execute(CheckConvertInstanceCommand cmd, LibvirtComputingResource serverResource) {
-        if (!serverResource.hostSupportsInstanceConversion()) {
+        if (cmd.isUseVddk()) {
+            if (!serverResource.hostSupportsVddk(cmd.getVddkLibDir())) {
+                String msg = String.format("Cannot convert the instance from VMware using VDDK on host %s. " +
+                                "Please make sure virt-v2v%s, nbdkit-vddk and a valid VDDK library directory are available on the host.",
+                        serverResource.getPrivateIp(), serverResource.isUbuntuOrDebianHost() ? ", nbdkit" : "");
+                logger.info(msg);
+                return new CheckConvertInstanceAnswer(cmd, false, msg);
+            }
+        } else if (!serverResource.hostSupportsInstanceConversion()) {
             String msg = String.format("Cannot convert the instance from VMware as the virt-v2v binary is not found on host %s. " +
                     "Please install virt-v2v%s on the host before attempting the instance conversion.", serverResource.getPrivateIp(), serverResource.isUbuntuOrDebianHost()? ", nbdkit" : "");
             logger.info(msg);
diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtCheckOnHostCommandWrapper.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtCheckOnHostCommandWrapper.java
index 48996a7ba97c..f901fd97ca76 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtCheckOnHostCommandWrapper.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtCheckOnHostCommandWrapper.java
@@ -26,6 +26,7 @@
 import java.util.concurrent.Future;
 
 import com.cloud.agent.api.Answer;
+import com.cloud.agent.api.CheckOnHostAnswer;
 import com.cloud.agent.api.CheckOnHostCommand;
 import com.cloud.agent.api.to.HostTO;
 import com.cloud.hypervisor.kvm.resource.KVMHABase.HAStoragePool;
@@ -45,20 +46,21 @@ public Answer execute(final CheckOnHostCommand command, final LibvirtComputingRe
 
         final List<HAStoragePool> pools = monitor.getStoragePools();
         final HostTO host = command.getHost();
-        final KVMHAChecker ha = new KVMHAChecker(pools, host, command.isCheckFailedOnOneStorage());
+
+        final KVMHAChecker ha = new KVMHAChecker(pools, host, command.shouldReportIfHeartBeatFailedForOneStoragePool());
 
         final Future<Boolean> future = executors.submit(ha);
         try {
-            final Boolean result = future.get();
-            if (result) {
-                return new Answer(command, false, "Heart is beating...");
+            final Boolean hasHeartBeat = future.get();
+            if (hasHeartBeat) {
+                return new CheckOnHostAnswer(command, true, "Heart is beating");
             } else {
-                return new Answer(command);
+                return new CheckOnHostAnswer(command, "Heart is not beating");
             }
         } catch (final InterruptedException e) {
-            return new Answer(command, false, "CheckOnHostCommand: can't get status of host: InterruptedException");
+            return new CheckOnHostAnswer(command, "CheckOnHostCommand: can't get status of host: InterruptedException");
         } catch (final ExecutionException e) {
-            return new Answer(command, false, "CheckOnHostCommand: can't get status of host: ExecutionException");
+            return new CheckOnHostAnswer(command, "CheckOnHostCommand: can't get status of host: ExecutionException");
         }
     }
 }
diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtCheckVMActivityOnStoragePoolCommandWrapper.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtCheckVMActivityOnStoragePoolCommandWrapper.java
index a708d441be59..b132f6d98ce9 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtCheckVMActivityOnStoragePoolCommandWrapper.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtCheckVMActivityOnStoragePoolCommandWrapper.java
@@ -48,9 +48,9 @@ public Answer execute(final CheckVMActivityOnStoragePoolCommand command, final L
 
         KVMStoragePool primaryPool = storagePoolMgr.getStoragePool(pool.getType(), pool.getUuid());
 
-        if (primaryPool.isPoolSupportHA()){
-            final HAStoragePool nfspool = monitor.getStoragePool(pool.getUuid());
-            final KVMHAVMActivityChecker ha = new KVMHAVMActivityChecker(nfspool, command.getHost(), command.getVolumeList(), libvirtComputingResource.getVmActivityCheckPath(), command.getSuspectTimeInSeconds());
+        if (primaryPool.isPoolSupportHA()) {
+            final HAStoragePool haPool = monitor.getStoragePool(pool.getUuid());
+            final KVMHAVMActivityChecker ha = new KVMHAVMActivityChecker(haPool, command.getHost(), command.getVolumeList(), libvirtComputingResource.getVmActivityCheckPath(), command.getSuspectTimeInSeconds());
             final Future<Boolean> future = executors.submit(ha);
             try {
                 final Boolean result = future.get();
diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtCheckVirtualMachineCommandWrapper.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtCheckVirtualMachineCommandWrapper.java
index 99005755cbbe..aa6a37b6561d 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtCheckVirtualMachineCommandWrapper.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtCheckVirtualMachineCommandWrapper.java
@@ -45,11 +45,10 @@ public Answer execute(final CheckVirtualMachineCommand command, final LibvirtCom
             Integer vncPort = null;
             if (state == PowerState.PowerOn) {
                 vncPort = libvirtComputingResource.getVncPort(conn, command.getVmName());
-            }
-
-            Domain vm = conn.domainLookupByName(command.getVmName());
-            if (state == PowerState.PowerOn && DomainInfo.DomainState.VIR_DOMAIN_PAUSED.equals(vm.getInfo().state)) {
-                return new CheckVirtualMachineAnswer(command, PowerState.PowerUnknown, vncPort);
+                Domain vm = conn.domainLookupByName(command.getVmName());
+                if (DomainInfo.DomainState.VIR_DOMAIN_PAUSED.equals(vm.getInfo().state)) {
+                    return new CheckVirtualMachineAnswer(command, PowerState.PowerUnknown, vncPort);
+                }
             }
 
             return new CheckVirtualMachineAnswer(command, state, vncPort);
diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtCheckVolumeCommandWrapper.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtCheckVolumeCommandWrapper.java
index 55225ba086c3..6788516df741 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtCheckVolumeCommandWrapper.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtCheckVolumeCommandWrapper.java
@@ -47,7 +47,10 @@
 @ResourceWrapper(handles = CheckVolumeCommand.class)
 public final class LibvirtCheckVolumeCommandWrapper extends CommandWrapper<CheckVolumeCommand, Answer, LibvirtComputingResource> {
 
-    private static final List<Storage.StoragePoolType> STORAGE_POOL_TYPES_SUPPORTED = Arrays.asList(Storage.StoragePoolType.Filesystem, Storage.StoragePoolType.NetworkFilesystem);
+    private static final List<Storage.StoragePoolType> STORAGE_POOL_TYPES_SUPPORTED = Arrays.asList(
+            Storage.StoragePoolType.Filesystem,
+            Storage.StoragePoolType.NetworkFilesystem,
+            Storage.StoragePoolType.SharedMountPoint);
 
     @Override
     public Answer execute(final CheckVolumeCommand command, final LibvirtComputingResource libvirtComputingResource) {
diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtConvertInstanceCommandWrapper.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtConvertInstanceCommandWrapper.java
index 66a5f5dd7d20..f28b5eda4a63 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtConvertInstanceCommandWrapper.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtConvertInstanceCommandWrapper.java
@@ -20,10 +20,17 @@
 
 import java.net.URLEncoder;
 import java.nio.charset.Charset;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.attribute.PosixFilePermission;
+import java.util.Locale;
 import java.util.Arrays;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import java.util.UUID;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 
 import org.apache.cloudstack.storage.to.PrimaryDataStoreTO;
 import org.apache.commons.collections4.MapUtils;
@@ -51,6 +58,7 @@ public class LibvirtConvertInstanceCommandWrapper extends CommandWrapper<Convert
 
     private static final List<Hypervisor.HypervisorType> supportedInstanceConvertSourceHypervisors =
             List.of(Hypervisor.HypervisorType.VMware);
+    private static final Pattern SHA1_FINGERPRINT_PATTERN = Pattern.compile("(?i)(?:SHA1\\s+)?Fingerprint\\s*=\\s*([0-9A-F:]+)");
 
     @Override
     public Answer execute(ConvertInstanceCommand cmd, LibvirtComputingResource serverResource) {
@@ -61,7 +69,8 @@ public Answer execute(ConvertInstanceCommand cmd, LibvirtComputingResource serve
         DataStoreTO conversionTemporaryLocation = cmd.getConversionTemporaryLocation();
         long timeout = (long) cmd.getWait() * 1000;
         String extraParams = cmd.getExtraParams();
-        String originalVMName = cmd.getOriginalVMName(); // For logging purposes, as the sourceInstance may have been cloned
+        boolean useVddk = cmd.isUseVddk();
+        String originalVMName = cmd.getOriginalVMName();
 
         if (cmd.getCheckConversionSupport() && !serverResource.hostSupportsInstanceConversion()) {
             String msg = String.format("Cannot convert the instance %s from VMware as the virt-v2v binary is not found. " +
@@ -84,61 +93,75 @@ public Answer execute(ConvertInstanceCommand cmd, LibvirtComputingResource serve
         logger.info(String.format("(%s) Attempting to convert the instance %s from %s to KVM",
                 originalVMName, sourceInstanceName, sourceHypervisorType));
         final String temporaryConvertPath = temporaryStoragePool.getLocalPath();
+        final String temporaryConvertUuid = UUID.randomUUID().toString();
+        boolean verboseModeEnabled = serverResource.isConvertInstanceVerboseModeEnabled();
 
-        String ovfTemplateDirOnConversionLocation;
-        String sourceOVFDirPath;
+        boolean cleanupSecondaryStorage = false;
         boolean ovfExported = false;
-        if (cmd.getExportOvfToConversionLocation()) {
-            String exportInstanceOVAUrl = getExportInstanceOVAUrl(sourceInstance, originalVMName);
-            if (StringUtils.isBlank(exportInstanceOVAUrl)) {
-                String err = String.format("Couldn't export OVA for the VM %s, due to empty url", sourceInstanceName);
-                logger.error(String.format("(%s) %s", originalVMName, err));
-                return new Answer(cmd, false, err);
-            }
+        String ovfTemplateDirOnConversionLocation = null;
 
-            int noOfThreads = cmd.getThreadsCountToExportOvf();
-            if (noOfThreads > 1 && !serverResource.ovfExportToolSupportsParallelThreads()) {
-                noOfThreads = 0;
-            }
-            ovfTemplateDirOnConversionLocation = UUID.randomUUID().toString();
-            temporaryStoragePool.createFolder(ovfTemplateDirOnConversionLocation);
-            sourceOVFDirPath = String.format("%s/%s/", temporaryConvertPath, ovfTemplateDirOnConversionLocation);
-            ovfExported = exportOVAFromVMOnVcenter(exportInstanceOVAUrl, sourceOVFDirPath, noOfThreads, originalVMName, timeout);
-            if (!ovfExported) {
-                String err = String.format("Export OVA for the VM %s failed", sourceInstanceName);
-                logger.error(String.format("(%s) %s", originalVMName, err));
-                return new Answer(cmd, false, err);
-            }
-            sourceOVFDirPath = String.format("%s%s/", sourceOVFDirPath, sourceInstanceName);
-        } else {
-            ovfTemplateDirOnConversionLocation = cmd.getTemplateDirOnConversionLocation();
-            sourceOVFDirPath = String.format("%s/%s/", temporaryConvertPath, ovfTemplateDirOnConversionLocation);
-        }
+        try {
+            boolean result;
+            if (useVddk) {
+                logger.info("({}) Using VDDK-based conversion (direct from VMware)", originalVMName);
+                String vddkLibDir = resolveVddkSetting(cmd.getVddkLibDir(), serverResource.getVddkLibDir());
+                if (StringUtils.isBlank(vddkLibDir)) {
+                    String err = String.format("VDDK lib dir is not configured on the host. " +
+                            "Set '%s' in agent.properties or in details parameter of the import api call to use VDDK-based conversion.", "vddk.lib.dir");
+                    logger.error("({}) {}", originalVMName, err);
+                    return new Answer(cmd, false, err);
+                }
+                String vddkTransports = resolveVddkSetting(cmd.getVddkTransports(), serverResource.getVddkTransports());
+                String configuredVddkThumbprint = resolveVddkSetting(cmd.getVddkThumbprint(), serverResource.getVddkThumbprint());
+                String passwordOption = serverResource.getDetectedPasswordFileOption();
+                result = performInstanceConversionUsingVddk(sourceInstance, originalVMName, temporaryConvertPath,
+                        vddkLibDir, serverResource.getLibguestfsBackend(), vddkTransports, configuredVddkThumbprint,
+                        timeout, verboseModeEnabled, extraParams, temporaryConvertUuid, passwordOption);
+            } else {
+                logger.info("({}) Using OVF-based conversion (export + local convert)", originalVMName);
+                String sourceOVFDirPath;
+                if (cmd.getExportOvfToConversionLocation()) {
+                    String exportInstanceOVAUrl = getExportInstanceOVAUrl(sourceInstance, originalVMName);
 
-        logger.info(String.format("(%s) Attempting to convert the OVF %s of the instance %s from %s to KVM",
-                originalVMName, ovfTemplateDirOnConversionLocation, sourceInstanceName, sourceHypervisorType));
+                    if (StringUtils.isBlank(exportInstanceOVAUrl)) {
+                        String err = String.format("Couldn't export OVA for the VM %s, due to empty url", sourceInstanceName);
+                        logger.error("({}) {}", originalVMName, err);
+                        return new Answer(cmd, false, err);
+                    }
 
-        final String temporaryConvertUuid = UUID.randomUUID().toString();
-        boolean verboseModeEnabled = serverResource.isConvertInstanceVerboseModeEnabled();
+                    int noOfThreads = cmd.getThreadsCountToExportOvf();
+                    if (noOfThreads > 1 && !serverResource.ovfExportToolSupportsParallelThreads()) {
+                        noOfThreads = 0;
+                    }
+                    ovfTemplateDirOnConversionLocation = UUID.randomUUID().toString();
+                    temporaryStoragePool.createFolder(ovfTemplateDirOnConversionLocation);
+                    sourceOVFDirPath = String.format("%s/%s/", temporaryConvertPath, ovfTemplateDirOnConversionLocation);
+                    ovfExported = exportOVAFromVMOnVcenter(exportInstanceOVAUrl, sourceOVFDirPath, noOfThreads, originalVMName, timeout);
+
+                    if (!ovfExported) {
+                        String err = String.format("Export OVA for the VM %s failed", sourceInstanceName);
+                        logger.error("({}) {}", originalVMName, err);
+                        return new Answer(cmd, false, err);
+                    }
+                    sourceOVFDirPath = String.format("%s%s/", sourceOVFDirPath, sourceInstanceName);
+                } else {
+                    ovfTemplateDirOnConversionLocation = cmd.getTemplateDirOnConversionLocation();
+                    sourceOVFDirPath = String.format("%s/%s/", temporaryConvertPath, ovfTemplateDirOnConversionLocation);
+                }
+
+                result = performInstanceConversion(originalVMName, sourceOVFDirPath, temporaryConvertPath, temporaryConvertUuid,
+                        timeout, verboseModeEnabled, extraParams, serverResource);
+            }
 
-        boolean cleanupSecondaryStorage = false;
-        try {
-            boolean result = performInstanceConversion(originalVMName, sourceOVFDirPath, temporaryConvertPath, temporaryConvertUuid,
-                    timeout, verboseModeEnabled, extraParams, serverResource);
             if (!result) {
-                String err = String.format(
-                        "The virt-v2v conversion for the OVF %s failed. Please check the agent logs " +
-                                "for the virt-v2v output. Please try on a different kvm host which " +
-                                "has a different virt-v2v version.",
-                        ovfTemplateDirOnConversionLocation);
-                logger.error(String.format("(%s) %s", originalVMName, err));
+                String err = String.format("Instance conversion failed for VM %s. Please check virt-v2v logs.", sourceInstanceName);
+                logger.error("({}) {}", originalVMName, err);
                 return new Answer(cmd, false, err);
             }
             return new ConvertInstanceAnswer(cmd, temporaryConvertUuid);
         } catch (Exception e) {
-            String error = String.format("Error converting instance %s from %s, due to: %s",
-                    sourceInstanceName, sourceHypervisorType, e.getMessage());
-            logger.error(String.format("(%s) %s", originalVMName, error), e);
+            String error = String.format("Error converting instance %s from %s, due to: %s", sourceInstanceName, sourceHypervisorType, e.getMessage());
+            logger.error("({}) {}", originalVMName, error, e);
             cleanupSecondaryStorage = true;
             return new Answer(cmd, false, error);
         } finally {
@@ -275,4 +298,198 @@ protected void addExtraParamsToScript(String extraParams, Script script) {
     protected String encodeUsername(String username) {
         return URLEncoder.encode(username, Charset.defaultCharset());
     }
+
+    private String resolveVddkSetting(String commandValue, String agentValue) {
+        return StringUtils.defaultIfBlank(StringUtils.trimToNull(commandValue), StringUtils.trimToNull(agentValue));
+    }
+
+    protected boolean performInstanceConversionUsingVddk(RemoteInstanceTO vmwareInstance, String originalVMName,
+                                                         String temporaryConvertFolder, String vddkLibDir,
+                                                         String libguestfsBackend, String vddkTransports,
+                                                         String configuredVddkThumbprint,
+                                                         long timeout, boolean verboseModeEnabled, String extraParams,
+                                                         String temporaryConvertUuid, String passwordOption) {
+
+        String vcenterPassword = vmwareInstance.getVcenterPassword();
+        if (StringUtils.isBlank(vcenterPassword)) {
+            logger.error("({}) Could not determine vCenter password for {}", originalVMName, vmwareInstance.getVcenterHost());
+            return false;
+        }
+
+        String passwordFilePath = String.format("/tmp/v2v.pass.cloud.%s.%s",
+                StringUtils.defaultIfBlank(vmwareInstance.getVcenterHost(), "unknown"),
+                UUID.randomUUID());
+        try {
+            Files.writeString(Path.of(passwordFilePath), vcenterPassword);
+            Files.setPosixFilePermissions(Path.of(passwordFilePath), Set.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE));
+            logger.debug("({}) Written vCenter password to {}", originalVMName, passwordFilePath);
+        } catch (Exception e) {
+            logger.error("({}) Failed to write vCenter password file {}: {}", originalVMName, passwordFilePath, e.getMessage());
+            return false;
+        }
+
+        try {
+            String vpxUrl = buildVpxUrl(vmwareInstance);
+
+            StringBuilder cmd = new StringBuilder();
+
+            cmd.append("export LIBGUESTFS_BACKEND=").append(libguestfsBackend).append(" && ");
+
+            cmd.append("virt-v2v ");
+            cmd.append("--root first ");
+            cmd.append("-ic '").append(vpxUrl).append("' ");
+            if (StringUtils.isBlank(passwordOption)) {
+                logger.error("({}) Could not determine supported password file option for virt-v2v", originalVMName);
+                return false;
+            }
+
+            cmd.append(passwordOption).append(" ").append(passwordFilePath).append(" ");
+            cmd.append("-it vddk ");
+            cmd.append("-io vddk-libdir=").append(vddkLibDir).append(" ");
+            String vddkThumbprint = StringUtils.trimToNull(configuredVddkThumbprint);
+            if (StringUtils.isBlank(vddkThumbprint)) {
+                vddkThumbprint = getVcenterThumbprint(vmwareInstance.getVcenterHost(), timeout, originalVMName);
+            }
+            if (StringUtils.isBlank(vddkThumbprint)) {
+                logger.error("({}) Could not determine vCenter thumbprint for {}", originalVMName, vmwareInstance.getVcenterHost());
+                return false;
+            }
+            cmd.append("-io vddk-thumbprint=").append(vddkThumbprint).append(" ");
+            if (StringUtils.isNotBlank(vddkTransports)) {
+                cmd.append("-io vddk-transports=").append(vddkTransports).append(" ");
+            }
+            cmd.append(vmwareInstance.getInstanceName()).append(" ");
+            cmd.append("-o local ");
+            cmd.append("-os ").append(temporaryConvertFolder).append(" ");
+            cmd.append("-of qcow2 ");
+            cmd.append("-on ").append(temporaryConvertUuid).append(" ");
+
+            if (verboseModeEnabled) {
+                cmd.append("-v ");
+            }
+
+            if (StringUtils.isNotBlank(extraParams)) {
+                cmd.append(extraParams).append(" ");
+            }
+
+            Script script = new Script("/bin/bash", timeout, logger);
+            script.add("-c");
+            script.add(cmd.toString());
+
+            String logPrefix = String.format("(%s) virt-v2v vddk import", originalVMName);
+            OutputInterpreter.LineByLineOutputLogger outputLogger =
+                    new OutputInterpreter.LineByLineOutputLogger(logger, logPrefix);
+
+            logger.info("({}) Starting virt-v2v VDDK conversion", originalVMName);
+            script.execute(outputLogger);
+
+            int exitValue = script.getExitValue();
+            if (exitValue != 0) {
+                logger.error("({}) virt-v2v failed with exit code {}", originalVMName, exitValue);
+            }
+
+            return exitValue == 0;
+        } finally {
+            try {
+                Files.deleteIfExists(Path.of(passwordFilePath));
+                logger.debug("({}) Deleted password file {}", originalVMName, passwordFilePath);
+            } catch (Exception e) {
+                logger.warn("({}) Failed to delete password file {}: {}", originalVMName, passwordFilePath, e.getMessage());
+            }
+        }
+    }
+
+    protected String getVcenterThumbprint(String vcenterHost, long timeout, String originalVMName) {
+        if (StringUtils.isBlank(vcenterHost)) {
+            return null;
+        }
+
+        String endpoint = String.format("%s:443", vcenterHost);
+        String command = String.format("openssl s_client -connect '%s' </dev/null 2>/dev/null | " +
+                "openssl x509 -fingerprint -sha1 -noout", endpoint);
+
+        Script script = new Script("/bin/bash", timeout, logger);
+        script.add("-c");
+        script.add(command);
+
+        OutputInterpreter.AllLinesParser parser = new OutputInterpreter.AllLinesParser();
+        script.execute(parser);
+
+        String output = parser.getLines();
+        if (script.getExitValue() != 0) {
+            logger.error("({}) Failed to fetch vCenter thumbprint for {}", originalVMName, vcenterHost);
+            return null;
+        }
+
+        String thumbprint = extractSha1Fingerprint(output);
+        if (StringUtils.isBlank(thumbprint)) {
+            logger.error("({}) Failed to parse vCenter thumbprint from output for {}", originalVMName, vcenterHost);
+            return null;
+        }
+        return thumbprint;
+    }
+
+    private String extractSha1Fingerprint(String output) {
+        String parsedOutput = StringUtils.trimToEmpty(output);
+        if (StringUtils.isBlank(parsedOutput)) {
+            return null;
+        }
+
+        for (String line : parsedOutput.split("\\R")) {
+            String trimmedLine = StringUtils.trimToEmpty(line);
+            if (StringUtils.isBlank(trimmedLine)) {
+                continue;
+            }
+
+            Matcher matcher = SHA1_FINGERPRINT_PATTERN.matcher(trimmedLine);
+            if (matcher.find()) {
+                return matcher.group(1).toUpperCase(Locale.ROOT);
+            }
+
+            // Fallback for raw fingerprint-only output.
+            if (trimmedLine.matches("(?i)[0-9a-f]{2}(:[0-9a-f]{2})+")) {
+                return trimmedLine.toUpperCase(Locale.ROOT);
+            }
+        }
+        return null;
+    }
+
+    /**
+     * Build vpx:// URL for virt-v2v
+     *
+     * Format:
+     * vpx://user@vcenter/DC/cluster/host?no_verify=1
+     */
+    private String buildVpxUrl(RemoteInstanceTO vmwareInstance) {
+
+        String vmName = vmwareInstance.getInstanceName();
+        String vcenter = vmwareInstance.getVcenterHost();
+        String username = vmwareInstance.getVcenterUsername();
+        String datacenter = vmwareInstance.getDatacenterName();
+        String cluster = vmwareInstance.getClusterName();
+        String host = vmwareInstance.getHostName();
+
+        String encodedUsername = encodeUsername(username);
+
+        StringBuilder url = new StringBuilder();
+        url.append("vpx://")
+                .append(encodedUsername)
+                .append("@")
+                .append(vcenter)
+                .append("/")
+                .append(datacenter);
+
+        if (StringUtils.isNotBlank(cluster)) {
+            url.append("/").append(cluster);
+        }
+
+        if (StringUtils.isNotBlank(host)) {
+            url.append("/").append(host);
+        }
+
+        url.append("?no_verify=1");
+
+        logger.info("({}) Using VPX URL: {}", vmName, url);
+        return url.toString();
+    }
 }
diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtGetRemoteVmsCommandWrapper.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtGetRemoteVmsCommandWrapper.java
index 114b27d3a5b7..c0887415c650 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtGetRemoteVmsCommandWrapper.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtGetRemoteVmsCommandWrapper.java
@@ -22,6 +22,7 @@
 import com.cloud.agent.api.Answer;
 import com.cloud.agent.api.GetRemoteVmsAnswer;
 import com.cloud.agent.api.GetRemoteVmsCommand;
+import com.cloud.hypervisor.Hypervisor;
 import com.cloud.hypervisor.kvm.resource.LibvirtComputingResource;
 import com.cloud.hypervisor.kvm.resource.LibvirtConnection;
 import com.cloud.hypervisor.kvm.resource.LibvirtDomainXMLParser;
@@ -97,6 +98,7 @@ private UnmanagedInstanceTO getUnmanagedInstance(LibvirtComputingResource libvir
             if (parser.getCpuTuneDef() !=null) {
                 instance.setCpuSpeed(parser.getCpuTuneDef().getShares());
             }
+            instance.setHypervisorType(Hypervisor.HypervisorType.KVM.name());
             instance.setPowerState(getPowerState(libvirtComputingResource.getVmState(conn,domain.getName())));
             instance.setNics(getUnmanagedInstanceNics(parser.getInterfaces()));
             instance.setDisks(getUnmanagedInstanceDisks(parser.getDisks(),libvirtComputingResource, domain));
diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtGetUnmanagedInstancesCommandWrapper.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtGetUnmanagedInstancesCommandWrapper.java
index b382613f8abb..60bc222594bb 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtGetUnmanagedInstancesCommandWrapper.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtGetUnmanagedInstancesCommandWrapper.java
@@ -19,6 +19,7 @@
 
 import com.cloud.agent.api.GetUnmanagedInstancesAnswer;
 import com.cloud.agent.api.GetUnmanagedInstancesCommand;
+import com.cloud.hypervisor.Hypervisor;
 import com.cloud.hypervisor.kvm.resource.LibvirtComputingResource;
 import com.cloud.hypervisor.kvm.resource.LibvirtDomainXMLParser;
 import com.cloud.hypervisor.kvm.resource.LibvirtVMDef;
@@ -130,6 +131,7 @@ private UnmanagedInstanceTO getUnmanagedInstance(LibvirtComputingResource libvir
             if (parser.getCpuModeDef() != null) {
                 instance.setCpuCoresPerSocket(parser.getCpuModeDef().getCoresPerSocket());
             }
+            instance.setHypervisorType(Hypervisor.HypervisorType.KVM.name());
             instance.setPowerState(getPowerState(libvirtComputingResource.getVmState(conn,domain.getName())));
             instance.setMemory((int) LibvirtComputingResource.getDomainMemory(domain) / 1024);
             instance.setNics(getUnmanagedInstanceNics(libvirtComputingResource, parser.getInterfaces()));
diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtGetVolumesOnStorageCommandWrapper.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtGetVolumesOnStorageCommandWrapper.java
index 6d918435277b..ab6bdd6135d5 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtGetVolumesOnStorageCommandWrapper.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtGetVolumesOnStorageCommandWrapper.java
@@ -52,7 +52,7 @@
 public final class LibvirtGetVolumesOnStorageCommandWrapper extends CommandWrapper<GetVolumesOnStorageCommand, Answer, LibvirtComputingResource> {
 
     static final List<StoragePoolType> STORAGE_POOL_TYPES_SUPPORTED_BY_QEMU_IMG = Arrays.asList(StoragePoolType.NetworkFilesystem,
-            StoragePoolType.Filesystem, StoragePoolType.RBD);
+            StoragePoolType.Filesystem, StoragePoolType.RBD, StoragePoolType.SharedMountPoint);
 
     @Override
     public Answer execute(final GetVolumesOnStorageCommand command, final LibvirtComputingResource libvirtComputingResource) {
diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtMigrateCommandWrapper.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtMigrateCommandWrapper.java
index 43607edc53a5..f54918bbc228 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtMigrateCommandWrapper.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtMigrateCommandWrapper.java
@@ -259,6 +259,12 @@ Use VIR_DOMAIN_XML_SECURE (value = 1) prior to v1.0.0.
             final int migrateDowntime = libvirtComputingResource.getMigrateDowntime();
             boolean isMigrateDowntimeSet = false;
 
+            final int migrateWait = libvirtComputingResource.getMigrateWait();
+            logger.info("vm.migrate.wait value set to: {} secs for VM: {}", migrateWait, vmName);
+
+            final int migratePauseAfter = libvirtComputingResource.getMigratePauseAfter();
+            logger.info("vm.migrate.pauseafter value set to: {} ms for VM: {}", migratePauseAfter, vmName);
+
             while (!executor.isTerminated()) {
                 Thread.sleep(100);
                 sleeptime += 100;
@@ -278,8 +284,6 @@ Use VIR_DOMAIN_XML_SECURE (value = 1) prior to v1.0.0.
                 }
 
                 // abort the vm migration if the job is executed more than vm.migrate.wait
-                final int migrateWait = libvirtComputingResource.getMigrateWait();
-                logger.info("vm.migrate.wait value set to: {}for VM: {}", migrateWait, vmName);
                 if (migrateWait > 0 && sleeptime > migrateWait * 1000) {
                     DomainState state = null;
                     try {
@@ -306,8 +310,6 @@ Use VIR_DOMAIN_XML_SECURE (value = 1) prior to v1.0.0.
                 }
 
                 // pause vm if we meet the vm.migrate.pauseafter threshold and not already paused
-                final int migratePauseAfter = libvirtComputingResource.getMigratePauseAfter();
-                logger.info("vm.migrate.pauseafter value set to: {} for VM: {}", migratePauseAfter, vmName);
                 if (migratePauseAfter > 0 && sleeptime > migratePauseAfter) {
                     DomainState state = null;
                     try {
diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtReadyCommandWrapper.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtReadyCommandWrapper.java
index e74923b281f6..5a7d6d2c203a 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtReadyCommandWrapper.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtReadyCommandWrapper.java
@@ -34,6 +34,7 @@
 import com.cloud.resource.CommandWrapper;
 import com.cloud.resource.ResourceWrapper;
 import com.cloud.utils.script.Script;
+import org.apache.commons.lang3.StringUtils;
 
 @ResourceWrapper(handles =  ReadyCommand.class)
 public final class LibvirtReadyCommandWrapper extends CommandWrapper<ReadyCommand, Answer, LibvirtComputingResource> {
@@ -50,6 +51,9 @@ public Answer execute(final ReadyCommand command, final LibvirtComputingResource
         if (libvirtComputingResource.hostSupportsInstanceConversion()) {
             hostDetails.put(Host.HOST_VIRTV2V_VERSION, libvirtComputingResource.getHostVirtV2vVersion());
         }
+        hostDetails.put(Host.HOST_VDDK_SUPPORT, Boolean.toString(libvirtComputingResource.hostSupportsVddk()));
+        hostDetails.put(Host.HOST_VDDK_LIB_DIR, StringUtils.defaultString(libvirtComputingResource.getVddkLibDir()));
+        hostDetails.put(Host.HOST_VDDK_VERSION, StringUtils.defaultString(libvirtComputingResource.getVddkVersion()));
 
         if (libvirtComputingResource.hostSupportsOvfExport()) {
             hostDetails.put(Host.HOST_OVFTOOL_VERSION, libvirtComputingResource.getHostOvfToolVersion());
diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtRestoreBackupCommandWrapper.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtRestoreBackupCommandWrapper.java
index 714e3844b347..22dbfbdd67a2 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtRestoreBackupCommandWrapper.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtRestoreBackupCommandWrapper.java
@@ -41,9 +41,9 @@
 import org.apache.commons.lang3.StringUtils;
 import org.libvirt.LibvirtException;
 
-import java.io.File;
 import java.io.IOException;
 import java.nio.file.Files;
+import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.util.List;
 import java.util.Locale;
@@ -56,10 +56,25 @@ public class LibvirtRestoreBackupCommandWrapper extends CommandWrapper<RestoreBa
     private static final String UMOUNT_COMMAND = "sudo umount %s";
     private static final String FILE_PATH_PLACEHOLDER = "%s/%s";
     private static final String ATTACH_QCOW2_DISK_COMMAND = " virsh attach-disk %s %s %s --driver qemu --subdriver qcow2 --cache none";
+    private static final String ATTACH_RAW_DISK_COMMAND = " virsh attach-disk %s %s %s --driver qemu --cache none";
     private static final String ATTACH_RBD_DISK_XML_COMMAND = " virsh attach-device %s /dev/stdin <<EOF%sEOF";
     private static final String CURRRENT_DEVICE = "virsh domblklist --domain %s | tail -n 3 | head -n 1 | awk '{print $1}'";
     private static final String RSYNC_COMMAND = "rsync -az %s %s";
 
+    private String getVolumeUuidFromPath(String volumePath, PrimaryDataStoreTO volumePool) {
+        if (Storage.StoragePoolType.Linstor.equals(volumePool.getPoolType())) {
+            Path path = Paths.get(volumePath);
+            String rscName = path.getParent().getFileName().toString();
+            if (rscName.startsWith("cs-")) {
+                rscName = rscName.substring(3);
+            }
+            return rscName;
+        } else {
+            int lastIndex = volumePath.lastIndexOf("/");
+            return volumePath.substring(lastIndex + 1);
+        }
+    }
+
     @Override
     public Answer execute(RestoreBackupCommand command, LibvirtComputingResource serverResource) {
         String vmName = command.getVmName();
@@ -73,7 +88,7 @@ public Answer execute(RestoreBackupCommand command, LibvirtComputingResource ser
         List<PrimaryDataStoreTO> restoreVolumePools = command.getRestoreVolumePools();
         List<String> restoreVolumePaths = command.getRestoreVolumePaths();
         Integer mountTimeout = command.getMountTimeout() * 1000;
-        int timeout = command.getWait();
+        int timeout = command.getWait() > 0 ? command.getWait() * 1000 : serverResource.getCmdsTimeout();
         KVMStoragePoolManager storagePoolMgr = serverResource.getStoragePoolMgr();
         List<String> backupFiles = command.getBackupFiles();
 
@@ -84,9 +99,9 @@ public Answer execute(RestoreBackupCommand command, LibvirtComputingResource ser
                 PrimaryDataStoreTO volumePool = restoreVolumePools.get(0);
                 String volumePath = restoreVolumePaths.get(0);
                 String backupFile = backupFiles.get(0);
-                int lastIndex = volumePath.lastIndexOf("/");
-                newVolumeId = volumePath.substring(lastIndex + 1);
-                restoreVolume(storagePoolMgr, backupPath, volumePool, volumePath, diskType, backupFile,
+                newVolumeId = getVolumeUuidFromPath(volumePath, volumePool);
+                Long size = command.getRestoreVolumeSizes().get(0);
+                restoreVolume(storagePoolMgr, backupPath, volumePool, volumePath, diskType, backupFile, size,
                         new Pair<>(vmName, command.getVmState()), mountDirectory, timeout);
             } else if (Boolean.TRUE.equals(vmExists)) {
                 restoreVolumesOfExistingVM(storagePoolMgr, restoreVolumePools, restoreVolumePaths, backedVolumeUUIDs, backupPath, backupFiles, mountDirectory, timeout);
@@ -143,7 +158,7 @@ private void restoreVolumesOfDestroyedVMs(KVMStoragePoolManager storagePoolMgr,
                 String volumePath = volumePaths.get(i);
                 String backupFile = backupFiles.get(i);
                 String bkpPath = getBackupPath(mountDirectory, backupPath, backupFile, diskType);
-                String volumeUuid = volumePath.substring(volumePath.lastIndexOf(File.separator) + 1);
+                String volumeUuid = getVolumeUuidFromPath(volumePath, volumePool);
                 diskType = "datadisk";
                 verifyBackupFile(bkpPath, volumeUuid);
                 if (!replaceVolumeWithBackup(storagePoolMgr, volumePool, volumePath, bkpPath, timeout)) {
@@ -157,14 +172,14 @@ private void restoreVolumesOfDestroyedVMs(KVMStoragePoolManager storagePoolMgr,
     }
 
     private void restoreVolume(KVMStoragePoolManager storagePoolMgr, String backupPath, PrimaryDataStoreTO volumePool, String volumePath, String diskType, String backupFile,
-                               Pair<String, VirtualMachine.State> vmNameAndState, String mountDirectory, int timeout) {
+                               Long size, Pair<String, VirtualMachine.State> vmNameAndState, String mountDirectory, int timeout) {
         String bkpPath;
         String volumeUuid;
         try {
             bkpPath = getBackupPath(mountDirectory, backupPath, backupFile, diskType);
-            volumeUuid = volumePath.substring(volumePath.lastIndexOf(File.separator) + 1);
+            volumeUuid = getVolumeUuidFromPath(volumePath, volumePool);
             verifyBackupFile(bkpPath, volumeUuid);
-            if (!replaceVolumeWithBackup(storagePoolMgr, volumePool, volumePath, bkpPath, timeout, true)) {
+            if (!replaceVolumeWithBackup(storagePoolMgr, volumePool, volumePath, bkpPath, timeout, true, size)) {
                 throw new CloudRuntimeException(String.format("Unable to restore contents from the backup volume [%s].", volumeUuid));
 
             }
@@ -247,42 +262,66 @@ private boolean checkBackupPathExists(String backupPath) {
     }
 
     private boolean replaceVolumeWithBackup(KVMStoragePoolManager storagePoolMgr, PrimaryDataStoreTO volumePool, String volumePath, String backupPath, int timeout) {
-        return replaceVolumeWithBackup(storagePoolMgr, volumePool, volumePath, backupPath, timeout, false);
+        return replaceVolumeWithBackup(storagePoolMgr, volumePool, volumePath, backupPath, timeout, false, null);
     }
 
-    private boolean replaceVolumeWithBackup(KVMStoragePoolManager storagePoolMgr, PrimaryDataStoreTO volumePool, String volumePath, String backupPath, int timeout, boolean createTargetVolume) {
-        if (volumePool.getPoolType() != Storage.StoragePoolType.RBD) {
-            int exitValue = Script.runSimpleBashScriptForExitValue(String.format(RSYNC_COMMAND, backupPath, volumePath));
-            return exitValue == 0;
+    private boolean replaceVolumeWithBackup(KVMStoragePoolManager storagePoolMgr, PrimaryDataStoreTO volumePool, String volumePath, String backupPath, int timeout, boolean createTargetVolume, Long size) {
+        if (List.of(Storage.StoragePoolType.RBD, Storage.StoragePoolType.Linstor).contains(volumePool.getPoolType())) {
+            return replaceBlockDeviceWithBackup(storagePoolMgr, volumePool, volumePath, backupPath, timeout, createTargetVolume, size);
         }
 
-        return replaceRbdVolumeWithBackup(storagePoolMgr, volumePool, volumePath, backupPath, timeout, createTargetVolume);
+        int exitValue = Script.runSimpleBashScriptForExitValue(String.format(RSYNC_COMMAND, backupPath, volumePath), timeout, false);
+        return exitValue == 0;
     }
 
-    private boolean replaceRbdVolumeWithBackup(KVMStoragePoolManager storagePoolMgr, PrimaryDataStoreTO volumePool, String volumePath, String backupPath, int timeout, boolean createTargetVolume) {
+    private boolean replaceBlockDeviceWithBackup(KVMStoragePoolManager storagePoolMgr, PrimaryDataStoreTO volumePool, String volumePath, String backupPath, int timeout, boolean createTargetVolume, Long size) {
         KVMStoragePool volumeStoragePool = storagePoolMgr.getStoragePool(volumePool.getPoolType(), volumePool.getUuid());
         QemuImg qemu;
         try {
-            qemu = new QemuImg(timeout * 1000, true, false);
-            if (!createTargetVolume) {
-                KVMPhysicalDisk rdbDisk = volumeStoragePool.getPhysicalDisk(volumePath);
-                logger.debug("Restoring RBD volume: {}", rdbDisk.toString());
+            qemu = new QemuImg(timeout, true, false);
+            String volumeUuid = getVolumeUuidFromPath(volumePath, volumePool);
+            KVMPhysicalDisk disk = null;
+            if (createTargetVolume) {
+                if (Storage.StoragePoolType.Linstor.equals(volumePool.getPoolType())) {
+                    if (size == null) {
+                        throw new CloudRuntimeException("Restore volume size is required for Linstor pool when creating target volume");
+                    }
+                    disk = volumeStoragePool.createPhysicalDisk(volumeUuid, QemuImg.PhysicalDiskFormat.RAW, Storage.ProvisioningType.THIN, size, null);
+                }
+            } else {
+                if (Storage.StoragePoolType.Linstor.equals(volumePool.getPoolType())) {
+                    storagePoolMgr.connectPhysicalDisk(volumePool.getPoolType(), volumePool.getUuid(), volumeUuid, null);
+                } else {
+                    disk = volumeStoragePool.getPhysicalDisk(volumePath);
+                }
                 qemu.setSkipTargetVolumeCreation(true);
             }
+            if (disk != null) {
+                logger.debug("Restoring volume: {}", disk.toString());
+            }
         } catch (LibvirtException ex) {
-            throw new CloudRuntimeException("Failed to create qemu-img command to restore RBD volume with backup", ex);
+            throw new CloudRuntimeException(String.format("Failed to create qemu-img command to restore %s volume with backup", volumePool.getPoolType()), ex);
         }
 
         QemuImgFile srcBackupFile = null;
         QemuImgFile destVolumeFile = null;
         try {
             srcBackupFile = new QemuImgFile(backupPath, QemuImg.PhysicalDiskFormat.QCOW2);
-            String rbdDestVolumeFile = KVMPhysicalDisk.RBDStringBuilder(volumeStoragePool, volumePath);
-            destVolumeFile = new QemuImgFile(rbdDestVolumeFile, QemuImg.PhysicalDiskFormat.RAW);
-
-            logger.debug("Starting convert backup  {} to RBD volume  {}", backupPath, volumePath);
+            String destVolume;
+            switch(volumePool.getPoolType()) {
+                case Linstor:
+                    destVolume = volumePath;
+                    break;
+                case RBD:
+                   destVolume = KVMPhysicalDisk.RBDStringBuilder(volumeStoragePool, volumePath);
+                   break;
+                default:
+                    throw new CloudRuntimeException(String.format("Unsupported storage pool type [%s] for block device restore with backup.", volumePool.getPoolType()));
+            }
+            destVolumeFile = new QemuImgFile(destVolume, QemuImg.PhysicalDiskFormat.RAW);
+            logger.debug("Starting convert backup  {} to volume  {}", backupPath, volumePath);
             qemu.convert(srcBackupFile, destVolumeFile);
-            logger.debug("Successfully converted backup {} to RBD volume  {}", backupPath, volumePath);
+            logger.debug("Successfully converted backup {} to volume  {}", backupPath, volumePath);
         } catch (QemuImgException | LibvirtException e) {
             String srcFilename = srcBackupFile != null ? srcBackupFile.getFileName() : null;
             String destFilename = destVolumeFile != null ? destVolumeFile.getFileName() : null;
@@ -296,12 +335,14 @@ private boolean replaceRbdVolumeWithBackup(KVMStoragePoolManager storagePoolMgr,
     private boolean attachVolumeToVm(KVMStoragePoolManager storagePoolMgr, String vmName, PrimaryDataStoreTO volumePool, String volumePath) {
         String deviceToAttachDiskTo = getDeviceToAttachDisk(vmName);
         int exitValue;
-        if (volumePool.getPoolType() != Storage.StoragePoolType.RBD) {
-            exitValue = Script.runSimpleBashScriptForExitValue(String.format(ATTACH_QCOW2_DISK_COMMAND, vmName, volumePath, deviceToAttachDiskTo));
-        } else {
+        if (volumePool.getPoolType() == Storage.StoragePoolType.RBD) {
             String xmlForRbdDisk = getXmlForRbdDisk(storagePoolMgr, volumePool, volumePath, deviceToAttachDiskTo);
             logger.debug("RBD disk xml to attach: {}", xmlForRbdDisk);
             exitValue = Script.runSimpleBashScriptForExitValue(String.format(ATTACH_RBD_DISK_XML_COMMAND, vmName, xmlForRbdDisk));
+        } else if (volumePool.getPoolType() == Storage.StoragePoolType.Linstor) {
+            exitValue = Script.runSimpleBashScriptForExitValue(String.format(ATTACH_RAW_DISK_COMMAND, vmName, volumePath, deviceToAttachDiskTo));
+        } else {
+            exitValue = Script.runSimpleBashScriptForExitValue(String.format(ATTACH_QCOW2_DISK_COMMAND, vmName, volumePath, deviceToAttachDiskTo));
         }
         return exitValue == 0;
     }
diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtScaleVmCommandWrapper.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtScaleVmCommandWrapper.java
index 1536984f2e85..b1f64c8c6dbb 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtScaleVmCommandWrapper.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtScaleVmCommandWrapper.java
@@ -49,10 +49,11 @@ public Answer execute(ScaleVmCommand command, LibvirtComputingResource libvirtCo
             conn = libvirtUtilitiesHelper.getConnectionByVmName(vmName);
             Domain dm = conn.domainLookupByName(vmName);
 
-            logger.debug(String.format("Scaling %s.", scalingDetails));
+            logger.debug("Scaling {}.", scalingDetails);
             scaleMemory(dm, newMemory, vmDefinition);
             scaleVcpus(dm, newVcpus, vmDefinition);
             updateCpuShares(dm, newCpuShares);
+            libvirtComputingResource.updateCpuQuotaAndPeriod(dm, vmSpec, command.getLimitCpuUseChange());
 
             return new ScaleVmAnswer(command, true, String.format("Successfully scaled %s.", scalingDetails));
         } catch (LibvirtException | CloudRuntimeException e) {
@@ -74,7 +75,7 @@ protected void updateCpuShares(Domain dm, int newCpuShares) throws LibvirtExcept
 
         if (oldCpuShares < newCpuShares) {
             LibvirtComputingResource.setCpuShares(dm, newCpuShares);
-            logger.info(String.format("Successfully increased cpu_shares of VM [%s] from [%s] to [%s].", dm.getName(), oldCpuShares, newCpuShares));
+            logger.info("Successfully increased cpu_shares of VM [{}] from [{}] to [{}].", dm.getName(), oldCpuShares, newCpuShares);
         }
     }
 
diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtTakeBackupCommandWrapper.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtTakeBackupCommandWrapper.java
index 11fa605908a6..42953aa9f835 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtTakeBackupCommandWrapper.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtTakeBackupCommandWrapper.java
@@ -52,6 +52,7 @@ public Answer execute(TakeBackupCommand command, LibvirtComputingResource libvir
         List<PrimaryDataStoreTO> volumePools = command.getVolumePools();
         final List<String> volumePaths = command.getVolumePaths();
         KVMStoragePoolManager storagePoolMgr = libvirtComputingResource.getStoragePoolMgr();
+        int timeout = command.getWait() > 0 ? command.getWait() * 1000 : libvirtComputingResource.getCmdsTimeout();
 
         List<String> diskPaths = new ArrayList<>();
         if (Objects.nonNull(volumePaths)) {
@@ -81,7 +82,7 @@ public Answer execute(TakeBackupCommand command, LibvirtComputingResource libvir
                 "-d", diskPaths.isEmpty() ? "" : String.join(",", diskPaths)
         });
 
-        Pair<Integer, String> result = Script.executePipedCommands(commands, libvirtComputingResource.getCmdsTimeout());
+        Pair<Integer, String> result = Script.executePipedCommands(commands, timeout);
 
         if (result.first() != 0) {
             logger.debug("Failed to take VM backup: " + result.second());
diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtUpdateVmNicCommandWrapper.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtUpdateVmNicCommandWrapper.java
new file mode 100644
index 000000000000..85f00e1dbd49
--- /dev/null
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtUpdateVmNicCommandWrapper.java
@@ -0,0 +1,67 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+
+package com.cloud.hypervisor.kvm.resource.wrapper;
+
+import com.cloud.agent.api.Answer;
+import com.cloud.agent.api.UpdateVmNicAnswer;
+import com.cloud.agent.api.UpdateVmNicCommand;
+import com.cloud.hypervisor.kvm.resource.LibvirtComputingResource;
+import com.cloud.hypervisor.kvm.resource.LibvirtVMDef.InterfaceDef;
+import com.cloud.resource.CommandWrapper;
+import com.cloud.resource.ResourceWrapper;
+import org.libvirt.Connect;
+import org.libvirt.Domain;
+import org.libvirt.LibvirtException;
+
+@ResourceWrapper(handles =  UpdateVmNicCommand.class)
+public final class LibvirtUpdateVmNicCommandWrapper extends CommandWrapper<UpdateVmNicCommand, Answer, LibvirtComputingResource> {
+
+    @Override
+    public Answer execute(UpdateVmNicCommand command, LibvirtComputingResource libvirtComputingResource) {
+        String nicMacAddress = command.getNicMacAddress();
+        String vmName = command.getVmName();
+        boolean isEnabled = command.isEnabled();
+
+        Domain vm = null;
+        try {
+            final LibvirtUtilitiesHelper libvirtUtilitiesHelper = libvirtComputingResource.getLibvirtUtilitiesHelper();
+            final Connect conn = libvirtUtilitiesHelper.getConnectionByVmName(vmName);
+            vm = libvirtComputingResource.getDomain(conn, vmName);
+
+            final InterfaceDef nic = libvirtComputingResource.getInterface(conn, vmName, nicMacAddress);
+            nic.setLinkStateUp(isEnabled);
+            vm.updateDeviceFlags(nic.toString(), Domain.DeviceModifyFlags.LIVE);
+
+            return new UpdateVmNicAnswer(command, true, "success");
+        } catch (final LibvirtException e) {
+            final String msg = String.format(" Update NIC failed due to %s.", e);
+            logger.warn(msg, e);
+            return new UpdateVmNicAnswer(command, false, msg);
+        } finally {
+            if (vm != null) {
+                try {
+                    vm.free();
+                } catch (final LibvirtException l) {
+                    logger.trace("Ignoring libvirt error.", l);
+                }
+            }
+        }
+    }
+}
diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/storage/IscsiAdmStoragePool.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/storage/IscsiAdmStoragePool.java
index f5bfd898a4f4..8cf6de68f955 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/storage/IscsiAdmStoragePool.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/storage/IscsiAdmStoragePool.java
@@ -208,12 +208,12 @@ public String getStorageNodeId() {
     }
 
     @Override
-    public Boolean checkingHeartBeat(HAStoragePool pool, HostTO host) {
+    public Boolean hasHeartBeat(HAStoragePool pool, HostTO host) {
         return null;
     }
 
     @Override
-    public Boolean vmActivityCheck(HAStoragePool pool, HostTO host, Duration activityScriptTimeout, String volumeUUIDListString, String vmActivityCheckPath, long duration) {
+    public Boolean hasVmActivity(HAStoragePool pool, HostTO host, Duration activityScriptTimeout, String volumeUUIDListString, String vmActivityCheckPath, long duration) {
         return null;
     }
 
diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/storage/KVMStoragePool.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/storage/KVMStoragePool.java
index 8dd2116e1235..3e35ed9476b1 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/storage/KVMStoragePool.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/storage/KVMStoragePool.java
@@ -33,35 +33,33 @@
 
 public interface KVMStoragePool {
 
-    public static final long HeartBeatUpdateTimeout = AgentPropertiesFileHandler.getPropertyValue(AgentProperties.HEARTBEAT_UPDATE_TIMEOUT);
-    public static final long HeartBeatUpdateFreq = AgentPropertiesFileHandler.getPropertyValue(AgentProperties.KVM_HEARTBEAT_UPDATE_FREQUENCY);
-    public static final long HeartBeatUpdateMaxTries = AgentPropertiesFileHandler.getPropertyValue(AgentProperties.KVM_HEARTBEAT_UPDATE_MAX_TRIES);
-    public static final long HeartBeatUpdateRetrySleep = AgentPropertiesFileHandler.getPropertyValue(AgentProperties.KVM_HEARTBEAT_UPDATE_RETRY_SLEEP);
-    public static final long HeartBeatCheckerTimeout = AgentPropertiesFileHandler.getPropertyValue(AgentProperties.KVM_HEARTBEAT_CHECKER_TIMEOUT);
+    long HeartBeatUpdateTimeoutInMs = AgentPropertiesFileHandler.getPropertyValue(AgentProperties.HEARTBEAT_UPDATE_TIMEOUT);
+    long HeartBeatUpdateFreqInMs = AgentPropertiesFileHandler.getPropertyValue(AgentProperties.KVM_HEARTBEAT_UPDATE_FREQUENCY);
+    long HeartBeatCheckerTimeoutInMs = AgentPropertiesFileHandler.getPropertyValue(AgentProperties.KVM_HEARTBEAT_CHECKER_TIMEOUT);
 
-    public default KVMPhysicalDisk createPhysicalDisk(String volumeUuid, PhysicalDiskFormat format, Storage.ProvisioningType provisioningType, long size, Long usableSize, byte[] passphrase) {
+    default KVMPhysicalDisk createPhysicalDisk(String volumeUuid, PhysicalDiskFormat format, Storage.ProvisioningType provisioningType, long size, Long usableSize, byte[] passphrase) {
         return createPhysicalDisk(volumeUuid, format, provisioningType, size, passphrase);
     }
 
-    public KVMPhysicalDisk createPhysicalDisk(String volumeUuid, PhysicalDiskFormat format, Storage.ProvisioningType provisioningType, long size, byte[] passphrase);
+    KVMPhysicalDisk createPhysicalDisk(String volumeUuid, PhysicalDiskFormat format, Storage.ProvisioningType provisioningType, long size, byte[] passphrase);
 
-    public KVMPhysicalDisk createPhysicalDisk(String volumeUuid, Storage.ProvisioningType provisioningType, long size, byte[] passphrase);
+    KVMPhysicalDisk createPhysicalDisk(String volumeUuid, Storage.ProvisioningType provisioningType, long size, byte[] passphrase);
 
-    public boolean connectPhysicalDisk(String volumeUuid, Map<String, String> details);
+    boolean connectPhysicalDisk(String volumeUuid, Map<String, String> details);
 
-    public KVMPhysicalDisk getPhysicalDisk(String volumeUuid);
+    KVMPhysicalDisk getPhysicalDisk(String volumeUuid);
 
-    public boolean disconnectPhysicalDisk(String volumeUuid);
+    boolean disconnectPhysicalDisk(String volumeUuid);
 
-    public boolean deletePhysicalDisk(String volumeUuid, Storage.ImageFormat format);
+    boolean deletePhysicalDisk(String volumeUuid, Storage.ImageFormat format);
 
-    public List<KVMPhysicalDisk> listPhysicalDisks();
+    List<KVMPhysicalDisk> listPhysicalDisks();
 
-    public String getUuid();
+    String getUuid();
 
-    public long getCapacity();
+    long getCapacity();
 
-    public long getUsed();
+    long getUsed();
 
     default Long getCapacityIops() {
         return null;
@@ -71,51 +69,51 @@ default Long getUsedIops() {
         return null;
     }
 
-    public long getAvailable();
+    long getAvailable();
 
-    public boolean refresh();
+    boolean refresh();
 
-    public boolean isExternalSnapshot();
+    boolean isExternalSnapshot();
 
-    public String getLocalPath();
+    String getLocalPath();
 
-    public String getSourceHost();
+    String getSourceHost();
 
-    public String getSourceDir();
+    String getSourceDir();
 
-    public int getSourcePort();
+    int getSourcePort();
 
-    public String getAuthUserName();
+    String getAuthUserName();
 
-    public String getAuthSecret();
+    String getAuthSecret();
 
-    public StoragePoolType getType();
+    StoragePoolType getType();
 
-    public boolean delete();
+    boolean delete();
 
     PhysicalDiskFormat getDefaultFormat();
 
-    public boolean createFolder(String path);
+    boolean createFolder(String path);
 
-    public boolean supportsConfigDriveIso();
+    boolean supportsConfigDriveIso();
 
-    public Map<String, String> getDetails();
+    Map<String, String> getDetails();
 
     default String getLocalPathFor(String relativePath) {
         return String.format("%s%s%s", getLocalPath(), File.separator, relativePath);
     }
 
-    public boolean isPoolSupportHA();
+    boolean isPoolSupportHA();
 
-    public String getHearthBeatPath();
+    String getHearthBeatPath();
 
-    public String createHeartBeatCommand(HAStoragePool primaryStoragePool, String hostPrivateIp, boolean hostValidation);
+    String createHeartBeatCommand(HAStoragePool primaryStoragePool, String hostPrivateIp, boolean hostValidation);
 
-    public String getStorageNodeId();
+    String getStorageNodeId();
 
-    public Boolean checkingHeartBeat(HAStoragePool pool, HostTO host);
+    Boolean hasHeartBeat(HAStoragePool pool, HostTO host);
 
-    public Boolean vmActivityCheck(HAStoragePool pool, HostTO host, Duration activityScriptTimeout, String volumeUUIDListString, String vmActivityCheckPath, long duration);
+    Boolean hasVmActivity(HAStoragePool pool, HostTO host, Duration activityScriptTimeout, String volumeUUIDListString, String vmActivityCheckPath, long duration);
 
     default LibvirtVMDef.DiskDef.BlockIOSize getSupportedLogicalBlockSize() {
         return null;
diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/storage/KVMStoragePoolManager.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/storage/KVMStoragePoolManager.java
index 6665cf625e2f..35cc864268c3 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/storage/KVMStoragePoolManager.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/storage/KVMStoragePoolManager.java
@@ -289,6 +289,7 @@ public KVMStoragePool getStoragePool(StoragePoolType type, String uuid, boolean
 
         if (pool instanceof LibvirtStoragePool) {
             addPoolDetails(uuid, (LibvirtStoragePool) pool);
+            ((LibvirtStoragePool) pool).setType(type);
         }
 
         return pool;
@@ -390,6 +391,9 @@ public KVMStoragePool createStoragePool(String name, String host, int port, Stri
     private synchronized KVMStoragePool createStoragePool(String name, String host, int port, String path, String userInfo, StoragePoolType type, Map<String, String> details, boolean primaryStorage) {
         StorageAdaptor adaptor = getStorageAdaptor(type);
         KVMStoragePool pool = adaptor.createStoragePool(name, host, port, path, userInfo, type, details, primaryStorage);
+        if (pool instanceof LibvirtStoragePool) {
+            ((LibvirtStoragePool) pool).setType(type);
+        }
 
         // LibvirtStorageAdaptor-specific statement
         if (pool.isPoolSupportHA() && primaryStorage) {
diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/storage/KVMStorageProcessor.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/storage/KVMStorageProcessor.java
index 030d9747d6cd..f95ebff5326f 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/storage/KVMStorageProcessor.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/storage/KVMStorageProcessor.java
@@ -185,6 +185,8 @@ public class KVMStorageProcessor implements StorageProcessor {
 
     private int incrementalSnapshotTimeout;
 
+    private int incrementalSnapshotRetryRebaseWait;
+
     private static final String CHECKPOINT_XML_TEMP_DIR = "/tmp/cloudstack/checkpointXMLs";
 
     private static final String BACKUP_XML_TEMP_DIR = "/tmp/cloudstack/backupXMLs";
@@ -252,6 +254,7 @@ public boolean configure(final String name, final Map<String, Object> params) th
         _cmdsTimeout = AgentPropertiesFileHandler.getPropertyValue(AgentProperties.CMDS_TIMEOUT) * 1000;
 
         incrementalSnapshotTimeout = AgentPropertiesFileHandler.getPropertyValue(AgentProperties.INCREMENTAL_SNAPSHOT_TIMEOUT) * 1000;
+        incrementalSnapshotRetryRebaseWait = AgentPropertiesFileHandler.getPropertyValue(AgentProperties.INCREMENTAL_SNAPSHOT_RETRY_REBASE_WAIT) * 1000;
         return true;
     }
 
@@ -2044,7 +2047,7 @@ private void waitForBackup(String vmName) throws CloudRuntimeException {
             try {
                 Thread.sleep(10000);
             } catch (InterruptedException e) {
-                throw new CloudRuntimeException(e);
+                logger.trace("Thread that was tracking the progress for backup of VM [{}] was interrupted. Ignoring.", vmName);
             }
         }
 
@@ -2093,8 +2096,25 @@ protected void rebaseSnapshot(SnapshotObjectTO snapshotObjectTO, KVMStoragePool
             QemuImg qemuImg = new QemuImg(wait);
             qemuImg.rebase(snapshotFile, parentSnapshotFile, PhysicalDiskFormat.QCOW2.toString(), false);
         } catch (LibvirtException | QemuImgException e) {
-            logger.error("Exception while rebasing incremental snapshot [{}] due to: [{}].", snapshotName, e.getMessage(), e);
-            throw new CloudRuntimeException(e);
+            if (!StringUtils.contains(e.getMessage(), "Is another process using the image")) {
+                logger.error("Exception while rebasing incremental snapshot [{}] due to: [{}].", snapshotName, e.getMessage(), e);
+                throw new CloudRuntimeException(e);
+            }
+            retryRebase(snapshotName, wait, e, snapshotFile, parentSnapshotFile);
+        }
+    }
+
+    private void retryRebase(String snapshotName, int wait, Exception e, QemuImgFile snapshotFile, QemuImgFile parentSnapshotFile) {
+        logger.warn("Libvirt still has not released the lock, will wait [{}] milliseconds and try again later.", incrementalSnapshotRetryRebaseWait);
+        try {
+            Thread.sleep(incrementalSnapshotRetryRebaseWait);
+            QemuImg qemuImg = new QemuImg(wait);
+            qemuImg.rebase(snapshotFile, parentSnapshotFile, PhysicalDiskFormat.QCOW2.toString(), false);
+        } catch (LibvirtException | QemuImgException | InterruptedException ex) {
+            logger.error("Unable to rebase snapshot [{}].", snapshotName, ex);
+            CloudRuntimeException cre = new CloudRuntimeException(ex);
+            cre.addSuppressed(e);
+            throw cre;
         }
     }
 
diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/storage/LibvirtStoragePool.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/storage/LibvirtStoragePool.java
index ab39f7bc6ffd..910f0eb15e0b 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/storage/LibvirtStoragePool.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/storage/LibvirtStoragePool.java
@@ -31,6 +31,7 @@
 import com.cloud.agent.api.to.HostTO;
 import com.cloud.agent.properties.AgentProperties;
 import com.cloud.agent.properties.AgentPropertiesFileHandler;
+import com.cloud.ha.HighAvailabilityManager;
 import com.cloud.hypervisor.kvm.resource.KVMHABase.HAStoragePool;
 import com.cloud.storage.Storage;
 import com.cloud.storage.Storage.StoragePoolType;
@@ -320,29 +321,38 @@ public void setDetails(Map<String, String> details) {
 
     @Override
     public boolean isPoolSupportHA() {
-        return type == StoragePoolType.NetworkFilesystem;
+        return HighAvailabilityManager.LIBVIRT_STORAGE_POOL_TYPES_WITH_HA_SUPPORT.contains(type);
     }
 
     public String getHearthBeatPath() {
-        if (type == StoragePoolType.NetworkFilesystem) {
+        if (StoragePoolType.NetworkFilesystem.equals(type)) {
             String kvmScriptsDir = AgentPropertiesFileHandler.getPropertyValue(AgentProperties.KVM_SCRIPTS_DIR);
-            return Script.findScript(kvmScriptsDir, "kvmheartbeat.sh");
+            String scriptPath = Script.findScript(kvmScriptsDir, "kvmheartbeat.sh");
+            if (scriptPath == null) {
+                throw new CloudRuntimeException("Unable to find heartbeat script 'kvmheartbeat.sh' in directory: " + kvmScriptsDir);
+            }
+            return scriptPath;
+        } else if (StoragePoolType.SharedMountPoint.equals(type)) {
+            String kvmScriptsDir = AgentPropertiesFileHandler.getPropertyValue(AgentProperties.KVM_SCRIPTS_DIR);
+            String scriptPath = Script.findScript(kvmScriptsDir, "kvmsmpheartbeat.sh");
+            if (scriptPath == null) {
+                throw new CloudRuntimeException("Unable to find heartbeat script 'kvmsmpheartbeat.sh' in directory: " + kvmScriptsDir);
+            }
+            return scriptPath;
         }
         return null;
     }
 
 
     public String createHeartBeatCommand(HAStoragePool primaryStoragePool, String hostPrivateIp, boolean hostValidation) {
-        Script cmd = new Script(primaryStoragePool.getPool().getHearthBeatPath(), HeartBeatUpdateTimeout, logger);
+        Script cmd = new Script(primaryStoragePool.getPool().getHearthBeatPath(), HeartBeatUpdateTimeoutInMs, logger);
         cmd.add("-i", primaryStoragePool.getPoolIp());
         cmd.add("-p", primaryStoragePool.getPoolMountSourcePath());
         cmd.add("-m", primaryStoragePool.getMountDestPath());
 
         if (hostValidation) {
             cmd.add("-h", hostPrivateIp);
-        }
-
-        if (!hostValidation) {
+        } else {
             cmd.add("-c");
         }
 
@@ -360,54 +370,58 @@ public String getStorageNodeId() {
     }
 
     @Override
-    public Boolean checkingHeartBeat(HAStoragePool pool, HostTO host) {
-        boolean validResult = false;
+    public Boolean hasHeartBeat(HAStoragePool pool, HostTO host) {
         String hostIp = host.getPrivateNetwork().getIp();
-        Script cmd = new Script(getHearthBeatPath(), HeartBeatCheckerTimeout, logger);
+        Script cmd = new Script(getHearthBeatPath(), HeartBeatCheckerTimeoutInMs, logger);
         cmd.add("-i", pool.getPoolIp());
         cmd.add("-p", pool.getPoolMountSourcePath());
         cmd.add("-m", pool.getMountDestPath());
         cmd.add("-h", hostIp);
         cmd.add("-r");
-        cmd.add("-t", String.valueOf(HeartBeatUpdateFreq / 1000));
+        cmd.add("-t", String.valueOf(HeartBeatUpdateFreqInMs / 1000));
         OutputInterpreter.OneLineParser parser = new OutputInterpreter.OneLineParser();
         String result = cmd.execute(parser);
         String parsedLine = parser.getLine();
 
-        logger.debug(String.format("Checking heart beat with KVMHAChecker [{command=\"%s\", result: \"%s\", log: \"%s\", pool: \"%s\"}].", cmd.toString(), result, parsedLine,
-                pool.getPoolIp()));
+        logger.debug("Checking heart beat for host IP {} with KVMHAChecker [{command=\"{}\", result: \"{}\", log: \"{}\", pool: \"{}\"}].", hostIp, cmd.toString(), result, parsedLine, pool.getPoolIp());
 
         if (result == null && parsedLine.contains("DEAD")) {
-            logger.warn(String.format("Checking heart beat with KVMHAChecker command [%s] returned [%s]. [%s]. It may cause a shutdown of host IP [%s].", cmd.toString(),
-                    result, parsedLine, hostIp));
+            logger.warn("Checking heart beat for host IP {} with KVMHAChecker command [{}] returned [{}]. It may cause a shutdown of the host.", hostIp, cmd.toString(), parsedLine);
+            return false;
         } else {
-            validResult = true;
+            logger.debug("Checking heart beat for host IP {} with KVMHAChecker command [{}] succeeded.", hostIp, cmd.toString());
+            return true;
         }
-        return validResult;
     }
 
     @Override
-    public Boolean vmActivityCheck(HAStoragePool pool, HostTO host, Duration activityScriptTimeout, String volumeUUIDListString, String vmActivityCheckPath, long duration) {
+    public Boolean hasVmActivity(HAStoragePool pool, HostTO host, Duration activityScriptTimeout, String volumeUUIDListString, String vmActivityCheckPath, long duration) {
+        String hostIp = host.getPrivateNetwork().getIp();
         Script cmd = new Script(vmActivityCheckPath, activityScriptTimeout.getStandardSeconds(), logger);
         cmd.add("-i", pool.getPoolIp());
         cmd.add("-p", pool.getPoolMountSourcePath());
         cmd.add("-m", pool.getMountDestPath());
-        cmd.add("-h", host.getPrivateNetwork().getIp());
+        cmd.add("-h", hostIp);
         cmd.add("-u", volumeUUIDListString);
-        cmd.add("-t", String.valueOf(String.valueOf(System.currentTimeMillis() / 1000)));
+        cmd.add("-t", String.valueOf(System.currentTimeMillis() / 1000));
         cmd.add("-d", String.valueOf(duration));
         OutputInterpreter.OneLineParser parser = new OutputInterpreter.OneLineParser();
 
         String result = cmd.execute(parser);
         String parsedLine = parser.getLine();
 
-        logger.debug(String.format("Checking heart beat with KVMHAVMActivityChecker [{command=\"%s\", result: \"%s\", log: \"%s\", pool: \"%s\"}].", cmd.toString(), result, parsedLine, pool.getPoolIp()));
+        logger.debug("Checking VM activity for host IP {} with KVMHAVMActivityChecker [{command=\"{}\", result: \"{}\", log: \"{}\", pool: \"{}\"}].", hostIp, cmd.toString(), result, parsedLine, pool.getPoolIp());
 
         if (result == null && parsedLine.contains("DEAD")) {
-            logger.warn(String.format("Checking heart beat with KVMHAVMActivityChecker command [%s] returned [%s]. It is [%s]. It may cause a shutdown of host IP [%s].", cmd.toString(), result, parsedLine, host.getPrivateNetwork().getIp()));
+            logger.warn("Checking VM activity for host IP {} with KVMHAVMActivityChecker command [{}] returned [{}]. It may cause a shutdown of the host.", hostIp, cmd.toString(), parsedLine);
             return false;
         } else {
+            logger.debug("Checking VM activity for host IP {} with KVMHAVMActivityChecker command [{}] succeeded.", hostIp, cmd.toString());
             return true;
         }
     }
+
+    public void setType(StoragePoolType type) {
+        this.type = type;
+    }
 }
diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/storage/MultipathSCSIPool.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/storage/MultipathSCSIPool.java
index 229481b1f795..df9986c99194 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/storage/MultipathSCSIPool.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/storage/MultipathSCSIPool.java
@@ -225,13 +225,13 @@ public String getStorageNodeId() {
     }
 
     @Override
-    public Boolean checkingHeartBeat(HAStoragePool pool, HostTO host) {
+    public Boolean hasHeartBeat(HAStoragePool pool, HostTO host) {
         return null;
     }
 
     @Override
-    public Boolean vmActivityCheck(HAStoragePool pool, HostTO host, Duration activityScriptTimeout,
-            String volumeUUIDListString, String vmActivityCheckPath, long duration) {
+    public Boolean hasVmActivity(HAStoragePool pool, HostTO host, Duration activityScriptTimeout,
+                                 String volumeUUIDListString, String vmActivityCheckPath, long duration) {
         return null;
     }
 
diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/storage/ScaleIOStorageAdaptor.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/storage/ScaleIOStorageAdaptor.java
index e336e0e5a54d..82bc35f009ee 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/storage/ScaleIOStorageAdaptor.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/storage/ScaleIOStorageAdaptor.java
@@ -27,6 +27,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.UUID;
+import java.util.function.Predicate;
 
 import com.cloud.agent.api.PrepareStorageClientCommand;
 import org.apache.cloudstack.storage.datastore.client.ScaleIOGatewayClient;
@@ -644,18 +645,30 @@ public Ternary<Boolean, Map<String, String>, String> prepareStorageClient(String
             // Assuming SDC service is started, add mdms
             String mdms = details.get(ScaleIOGatewayClient.STORAGE_POOL_MDMS);
             String[] mdmAddresses = mdms.split(",");
-            if (mdmAddresses.length > 0) {
-                if (ScaleIOUtil.isMdmPresent(mdmAddresses[0])) {
-                    return new Ternary<>(true, getSDCDetails(details), "MDM added, no need to prepare the SDC client");
-                }
-
-                ScaleIOUtil.addMdms(mdmAddresses);
-                if (!ScaleIOUtil.isMdmPresent(mdmAddresses[0])) {
-                    return new Ternary<>(false, null, "Failed to add MDMs");
+            // remove MDMs already present in the config and added to the SDC
+            String[] mdmAddressesToAdd = Arrays.stream(mdmAddresses)
+                    .filter(Predicate.not(ScaleIOUtil::isMdmPresent))
+                    .toArray(String[]::new);
+            // if all MDMs are already in the config and added to the SDC
+            if (mdmAddressesToAdd.length < 1 && mdmAddresses.length > 0) {
+                String msg = String.format("MDMs %s of the storage pool %s are already added", mdms, uuid);
+                logger.debug(msg);
+                return new Ternary<>(true, getSDCDetails(details), msg);
+            } else if (mdmAddressesToAdd.length > 0) {
+                ScaleIOUtil.addMdms(mdmAddressesToAdd);
+                String[] missingMdmAddresses = Arrays.stream(mdmAddressesToAdd)
+                        .filter(Predicate.not(ScaleIOUtil::isMdmPresent))
+                        .toArray(String[]::new);
+                if (missingMdmAddresses.length > 0) {
+                    String msg = String.format("Failed to add MDMs %s of the storage pool %s", String.join(", ", missingMdmAddresses), uuid);
+                    logger.debug(msg);
+                    return new Ternary<>(false, null, msg);
                 } else {
-                    logger.debug(String.format("MDMs %s added to storage pool %s", mdms, uuid));
+                    logger.debug("MDMs {} of the storage pool {} are added", mdmAddressesToAdd, uuid);
                     applyMdmsChangeWaitTime(details);
                 }
+            } else {
+                return new Ternary<>(false, getSDCDetails(details), "No MDM addresses provided");
             }
         }
 
diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/storage/ScaleIOStoragePool.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/storage/ScaleIOStoragePool.java
index e8243c3f7cfe..fc512ff94a94 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/storage/ScaleIOStoragePool.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/storage/ScaleIOStoragePool.java
@@ -236,12 +236,12 @@ public String getStorageNodeId() {
     }
 
     @Override
-    public Boolean checkingHeartBeat(HAStoragePool pool, HostTO host) {
+    public Boolean hasHeartBeat(HAStoragePool pool, HostTO host) {
         return null;
     }
 
     @Override
-    public Boolean vmActivityCheck(HAStoragePool pool, HostTO host, Duration activityScriptTimeout, String volumeUUIDListString, String vmActivityCheckPath, long duration) {
+    public Boolean hasVmActivity(HAStoragePool pool, HostTO host, Duration activityScriptTimeout, String volumeUUIDListString, String vmActivityCheckPath, long duration) {
         return null;
     }
 }
diff --git a/plugins/hypervisors/kvm/src/main/java/org/apache/cloudstack/kvm/ha/KVMHAConfig.java b/plugins/hypervisors/kvm/src/main/java/org/apache/cloudstack/kvm/ha/KVMHAConfig.java
index 59ea720328f5..3fbb5340fcce 100644
--- a/plugins/hypervisors/kvm/src/main/java/org/apache/cloudstack/kvm/ha/KVMHAConfig.java
+++ b/plugins/hypervisors/kvm/src/main/java/org/apache/cloudstack/kvm/ha/KVMHAConfig.java
@@ -19,38 +19,37 @@
 
 import org.apache.cloudstack.framework.config.ConfigKey;
 
-public class KVMHAConfig {
+public interface KVMHAConfig {
 
-    public static final ConfigKey<Long> KvmHAHealthCheckTimeout = new ConfigKey<>("Advanced", Long.class, "kvm.ha.health.check.timeout", "10",
+    ConfigKey<Long> KvmHAHealthCheckTimeout = new ConfigKey<>("Advanced", Long.class, "kvm.ha.health.check.timeout", "10",
             "The maximum length of time, in seconds, expected for an health check to complete.", true, ConfigKey.Scope.Cluster);
 
-    public static final ConfigKey<Long> KvmHAActivityCheckTimeout = new ConfigKey<>("Advanced", Long.class, "kvm.ha.activity.check.timeout", "60",
+    ConfigKey<Long> KvmHAActivityCheckTimeout = new ConfigKey<>("Advanced", Long.class, "kvm.ha.activity.check.timeout", "60",
             "The maximum length of time, in seconds, expected for an activity check to complete.", true, ConfigKey.Scope.Cluster);
 
-    public static final ConfigKey<Long> KvmHAActivityCheckInterval = new ConfigKey<>("Advanced", Long.class, "kvm.ha.activity.check.interval", "60",
+    ConfigKey<Long> KvmHAActivityCheckInterval = new ConfigKey<>("Advanced", Long.class, "kvm.ha.activity.check.interval", "60",
             "The interval, in seconds, between activity checks.", true, ConfigKey.Scope.Cluster);
 
-    public static final ConfigKey<Long> KvmHAActivityCheckMaxAttempts = new ConfigKey<>("Advanced", Long.class, "kvm.ha.activity.check.max.attempts", "10",
+    ConfigKey<Long> KvmHAActivityCheckMaxAttempts = new ConfigKey<>("Advanced", Long.class, "kvm.ha.activity.check.max.attempts", "10",
             "The maximum number of activity check attempts to perform before deciding to recover or degrade a resource.", true, ConfigKey.Scope.Cluster);
 
-    public static final ConfigKey<Double> KvmHAActivityCheckFailureThreshold = new ConfigKey<>("Advanced", Double.class, "kvm.ha.activity.check.failure.ratio", "0.7",
+    ConfigKey<Double> KvmHAActivityCheckFailureThreshold = new ConfigKey<>("Advanced", Double.class, "kvm.ha.activity.check.failure.ratio", "0.7",
             "The activity check failure threshold ratio. This is used with the activity check maximum attempts for deciding to recover or degrade a resource. For most environments, please keep this value above 0.5.",
             true, ConfigKey.Scope.Cluster);
 
-    public static final ConfigKey<Long> KvmHADegradedMaxPeriod = new ConfigKey<>("Advanced", Long.class, "kvm.ha.degraded.max.period", "300",
+    ConfigKey<Long> KvmHADegradedMaxPeriod = new ConfigKey<>("Advanced", Long.class, "kvm.ha.degraded.max.period", "300",
             "The maximum length of time, in seconds, a resource can be in degraded state where only health checks are performed.", true, ConfigKey.Scope.Cluster);
 
-    public static final ConfigKey<Long> KvmHARecoverTimeout = new ConfigKey<>("Advanced", Long.class, "kvm.ha.recover.timeout", "60",
+    ConfigKey<Long> KvmHARecoverTimeout = new ConfigKey<>("Advanced", Long.class, "kvm.ha.recover.timeout", "60",
             "The maximum length of time, in seconds, expected for a recovery operation to complete.", true, ConfigKey.Scope.Cluster);
 
-    public static final ConfigKey<Long> KvmHARecoverWaitPeriod = new ConfigKey<>("Advanced", Long.class, "kvm.ha.recover.wait.period", "600",
+    ConfigKey<Long> KvmHARecoverWaitPeriod = new ConfigKey<>("Advanced", Long.class, "kvm.ha.recover.wait.period", "600",
             "The maximum length of time, in seconds, to wait for a resource to recover.", true, ConfigKey.Scope.Cluster);
 
-    public static final ConfigKey<Long> KvmHARecoverAttemptThreshold = new ConfigKey<>("Advanced", Long.class, "kvm.ha.recover.failure.threshold", "1",
+    ConfigKey<Long> KvmHARecoverAttemptThreshold = new ConfigKey<>("Advanced", Long.class, "kvm.ha.recover.failure.threshold", "1",
             "The maximum recovery attempts to be made for a resource, after which the resource is fenced. The recovery counter resets when a health check passes for a resource.",
             true, ConfigKey.Scope.Cluster);
 
-    public static final ConfigKey<Long> KvmHAFenceTimeout = new ConfigKey<>("Advanced", Long.class, "kvm.ha.fence.timeout", "60",
+    ConfigKey<Long> KvmHAFenceTimeout = new ConfigKey<>("Advanced", Long.class, "kvm.ha.fence.timeout", "60",
             "The maximum length of time, in seconds, expected for a fence operation to complete.", true, ConfigKey.Scope.Cluster);
-
 }
diff --git a/plugins/hypervisors/kvm/src/main/java/org/apache/cloudstack/kvm/ha/KVMHAProvider.java b/plugins/hypervisors/kvm/src/main/java/org/apache/cloudstack/kvm/ha/KVMHAProvider.java
index b937be5265b7..f0b5cfc337de 100644
--- a/plugins/hypervisors/kvm/src/main/java/org/apache/cloudstack/kvm/ha/KVMHAProvider.java
+++ b/plugins/hypervisors/kvm/src/main/java/org/apache/cloudstack/kvm/ha/KVMHAProvider.java
@@ -68,17 +68,18 @@ public boolean hasActivity(final Host r, final DateTime suspectTime) throws HACh
 
     @Override
     public boolean recover(Host r) throws HARecoveryException {
+        logger.debug("Recover the host {}", r);
         try {
-            if (outOfBandManagementService.isOutOfBandManagementEnabled(r)){
+            if (outOfBandManagementService.isOutOfBandManagementEnabled(r)) {
                 final OutOfBandManagementResponse resp = outOfBandManagementService.executePowerOperation(r, PowerOperation.RESET, null);
                 return resp.getSuccess();
             } else {
                 logger.warn("OOBM recover operation failed for the host {}", r);
                 return false;
             }
-        } catch (Exception e){
+        } catch (Exception e) {
             logger.warn("OOBM service is not configured or enabled for this host {} error is {}", r, e.getMessage());
-            throw new HARecoveryException(String.format(" OOBM service is not configured or enabled for this host %s", r), e);
+            throw new HARecoveryException(String.format("OOBM service is not configured or enabled for this host %s", r), e);
         }
     }
 
diff --git a/plugins/hypervisors/kvm/src/main/java/org/apache/cloudstack/kvm/ha/KVMHostActivityChecker.java b/plugins/hypervisors/kvm/src/main/java/org/apache/cloudstack/kvm/ha/KVMHostActivityChecker.java
index 31f87d7e0442..af7441c4fd29 100644
--- a/plugins/hypervisors/kvm/src/main/java/org/apache/cloudstack/kvm/ha/KVMHostActivityChecker.java
+++ b/plugins/hypervisors/kvm/src/main/java/org/apache/cloudstack/kvm/ha/KVMHostActivityChecker.java
@@ -19,6 +19,7 @@
 
 import com.cloud.agent.AgentManager;
 import com.cloud.agent.api.Answer;
+import com.cloud.agent.api.CheckOnHostAnswer;
 import com.cloud.agent.api.CheckOnHostCommand;
 import com.cloud.agent.api.CheckVMActivityOnStoragePoolCommand;
 import com.cloud.dc.dao.ClusterDao;
@@ -61,7 +62,7 @@ public class KVMHostActivityChecker extends AdapterBase implements ActivityCheck
     @Inject
     private AgentManager agentMgr;
     @Inject
-    private PrimaryDataStoreDao storagePool;
+    private PrimaryDataStoreDao storagePoolDao;
     @Inject
     private StorageManager storageManager;
     @Inject
@@ -70,11 +71,11 @@ public class KVMHostActivityChecker extends AdapterBase implements ActivityCheck
     @Override
     public boolean isActive(Host r, DateTime suspectTime) throws HACheckerException {
         try {
-            return isVMActivityOnHost(r, suspectTime);
+            return hasVMActivityOnHost(r, suspectTime);
         } catch (HACheckerException e) {
-            //Re-throwing the exception to avoid poluting the 'HACheckerException' already thrown
+            //Re-throwing the exception to avoid polluting the 'HACheckerException' already thrown
             throw e;
-        } catch (Exception e){
+        } catch (Exception e) {
             String message = String.format("Operation timed out, probably the %s is not reachable.", r.toString());
             logger.warn(message, e);
             throw new HACheckerException(message, e);
@@ -83,82 +84,115 @@ public boolean isActive(Host r, DateTime suspectTime) throws HACheckerException
 
     @Override
     public boolean isHealthy(Host r) {
-        return isAgentActive(r);
+        return isHostAgentUp(r);
     }
 
-    private boolean isAgentActive(Host agent) {
-        if (agent.getHypervisorType() != Hypervisor.HypervisorType.KVM && agent.getHypervisorType() != Hypervisor.HypervisorType.LXC) {
-            throw new IllegalStateException(String.format("Calling KVM investigator for non KVM Host of type [%s].", agent.getHypervisorType()));
+    private boolean isHostAgentUp(Host host) {
+        if (host.getHypervisorType() != Hypervisor.HypervisorType.KVM && host.getHypervisorType() != Hypervisor.HypervisorType.LXC) {
+            throw new IllegalStateException(String.format("Calling KVM investigator for non KVM Host of type [%s].", host.getHypervisorType()));
+        }
+
+        Status hostStatus = getHostAgentStatus(host);
+
+        logger.debug("{} has the status [{}].", host.toString(), hostStatus);
+        return hostStatus == Status.Up;
+    }
+
+    public Status getHostAgentStatus(Host host) {
+        if (host.getHypervisorType() != Hypervisor.HypervisorType.KVM && host.getHypervisorType() != Hypervisor.HypervisorType.LXC) {
+            return null;
+        }
+
+        Status hostStatusFromItself = checkHostStatusWithSameHost(host);
+        if (hostStatusFromItself == Status.Up) {
+            return Status.Up;
         }
-        Status hostStatus = Status.Unknown;
-        Status neighbourStatus = Status.Unknown;
-        final CheckOnHostCommand cmd = new CheckOnHostCommand(agent, HighAvailabilityManager.KvmHAFenceHostIfHeartbeatFailsOnStorage.value());
+
+        Status hostStatusFromNeighbour = checkHostStatusWithNeighbourHosts(host);
+        Status hostStatus = hostStatusFromItself;
+        if (hostStatusFromNeighbour == Status.Up && (hostStatusFromItself == Status.Disconnected || hostStatusFromItself == Status.Down)) {
+            hostStatus = Status.Disconnected;
+        }
+        if (hostStatusFromNeighbour == Status.Down && (hostStatusFromItself == Status.Disconnected || hostStatusFromItself == Status.Down)) {
+            hostStatus = Status.Down;
+        }
+
+        logger.debug("HA: HOST is ineligible legacy state {} for host {}", hostStatus, host);
+        return hostStatus;
+    }
+
+    private Status checkHostStatusWithSameHost(Host host) {
+        Status hostStatus;
+        boolean reportFailureIfOneStorageIsDown = HighAvailabilityManager.KvmHAFenceHostIfHeartbeatFailsOnStorage.value();
+        final CheckOnHostCommand cmd = new CheckOnHostCommand(host, reportFailureIfOneStorageIsDown);
         try {
-            logger.debug(String.format("Checking %s status...", agent.toString()));
-            Answer answer = agentMgr.easySend(agent.getId(), cmd);
+            logger.debug("Checking {} status...", host.toString());
+            Answer answer = agentMgr.easySend(host.getId(), cmd);
             if (answer != null) {
-                hostStatus = answer.getResult() ? Status.Down : Status.Up;
-                logger.debug(String.format("%s has the status [%s].", agent.toString(), hostStatus));
-
-                if ( hostStatus == Status.Up ){
-                    return true;
+                if (answer.getResult()) {
+                    hostStatus = ((CheckOnHostAnswer)answer).isAlive() ? Status.Up : Status.Down;
+                } else {
+                    logger.debug("{} is not active according to itself, details: {}.", host.toString(), answer.getDetails());
+                    hostStatus = Status.Down;
                 }
-            }
-            else {
-                logger.debug(String.format("Setting %s to \"Disconnected\" status.", agent.toString()));
+                logger.debug("{} has the status [{}].", host.toString(), hostStatus);
+            } else {
+                logger.debug("Setting {} to \"Disconnected\" status.", host.toString());
                 hostStatus = Status.Disconnected;
             }
         } catch (Exception e) {
-            logger.warn(String.format("Failed to send command CheckOnHostCommand to %s.", agent.toString()), e);
+            logger.warn("Failed to send command CheckOnHostCommand to {}.", host.toString(), e);
+            hostStatus = Status.Disconnected;
         }
 
-        List<HostVO> neighbors = resourceManager.listHostsInClusterByStatus(agent.getClusterId(), Status.Up);
+        return hostStatus;
+    }
+
+    private Status checkHostStatusWithNeighbourHosts(Host host) {
+        Status hostStatusFromNeighbour = Status.Unknown;
+        boolean reportFailureIfOneStorageIsDown = HighAvailabilityManager.KvmHAFenceHostIfHeartbeatFailsOnStorage.value();
+        final CheckOnHostCommand cmd = new CheckOnHostCommand(host, reportFailureIfOneStorageIsDown);
+        List<HostVO> neighbors = resourceManager.listHostsInClusterByStatus(host.getClusterId(), Status.Up);
         for (HostVO neighbor : neighbors) {
-            if (neighbor.getId() == agent.getId() || (neighbor.getHypervisorType() != Hypervisor.HypervisorType.KVM && neighbor.getHypervisorType() != Hypervisor.HypervisorType.LXC)) {
+            if (neighbor.getId() == host.getId()
+                    || (neighbor.getHypervisorType() != Hypervisor.HypervisorType.KVM && neighbor.getHypervisorType() != Hypervisor.HypervisorType.LXC)) {
                 continue;
             }
 
             try {
-                logger.debug(String.format("Investigating %s via neighbouring %s.", agent.toString(), neighbor.toString()));
-
+                logger.debug("Investigating {} via neighboring {}.", host.toString(), neighbor.toString());
                 Answer answer = agentMgr.easySend(neighbor.getId(), cmd);
                 if (answer != null) {
-                    neighbourStatus = answer.getResult() ? Status.Down : Status.Up;
-
-                    logger.debug(String.format("Neighbouring %s returned status [%s] for the investigated %s.", neighbor.toString(), neighbourStatus, agent.toString()));
-
-                    if (neighbourStatus == Status.Up) {
-                        break;
+                    if (answer.getResult()) {
+                        hostStatusFromNeighbour = ((CheckOnHostAnswer)answer).isAlive() ? Status.Up : Status.Down;
+                        logger.debug("Neighboring {} returned status [{}] for the investigated {}.", neighbor.toString(), hostStatusFromNeighbour, host.toString());
+                        if (hostStatusFromNeighbour == Status.Up) {
+                            return hostStatusFromNeighbour;
+                        }
+                    } else {
+                        logger.debug("{} is not active according to neighbor {}, details: {}.", host.toString(), neighbor.toString(), answer.getDetails());
                     }
                 } else {
-                    logger.debug(String.format("Neighbouring %s is Disconnected.", neighbor.toString()));
+                    logger.debug("Neighboring {} is Disconnected.", neighbor.toString());
                 }
             } catch (Exception e) {
-                logger.warn(String.format("Failed to send command CheckOnHostCommand to %s.", neighbor.toString()), e);
+                logger.warn("Failed to send command CheckOnHostCommand to neighbor {}.", neighbor.toString(), e);
             }
         }
-        if (neighbourStatus == Status.Up && (hostStatus == Status.Disconnected || hostStatus == Status.Down)) {
-            hostStatus = Status.Disconnected;
-        }
-        if (neighbourStatus == Status.Down && (hostStatus == Status.Disconnected || hostStatus == Status.Down)) {
-            hostStatus = Status.Down;
-        }
 
-        logger.debug(String.format("%s has the status [%s].", agent.toString(), hostStatus));
-
-        return hostStatus == Status.Up;
+        return hostStatusFromNeighbour;
     }
 
-    private boolean isVMActivityOnHost(Host agent, DateTime suspectTime) throws HACheckerException {
-        if (agent.getHypervisorType() != Hypervisor.HypervisorType.KVM && agent.getHypervisorType() != Hypervisor.HypervisorType.LXC) {
-            throw new IllegalStateException(String.format("Calling KVM investigator for non KVM Host of type [%s].", agent.getHypervisorType()));
+    private boolean hasVMActivityOnHost(Host host, DateTime suspectTime) throws HACheckerException {
+        if (host.getHypervisorType() != Hypervisor.HypervisorType.KVM && host.getHypervisorType() != Hypervisor.HypervisorType.LXC) {
+            throw new IllegalStateException(String.format("Calling KVM investigator for non KVM Host of type [%s].", host.getHypervisorType()));
         }
         boolean activityStatus = true;
-        HashMap<StoragePool, List<Volume>> poolVolMap = getVolumeUuidOnHost(agent);
-        for (StoragePool pool : poolVolMap.keySet()) {
-            activityStatus = verifyActivityOfStorageOnHost(poolVolMap, pool, agent, suspectTime, activityStatus);
+        HashMap<StoragePool, List<Volume>> poolVolumeMap = getStoragePoolAndVolumeInfoOnHost(host);
+        for (StoragePool pool : poolVolumeMap.keySet()) {
+            activityStatus = verifyActivityOfStorageOnHost(poolVolumeMap, pool, host, suspectTime, activityStatus);
             if (!activityStatus) {
-                logger.warn("It seems that the storage pool [{}] does not have activity on {}.", pool, agent);
+                logger.warn("It seems that the storage pool [{}] does not have activity on {}.", pool, host);
                 break;
             }
         }
@@ -166,66 +200,64 @@ private boolean isVMActivityOnHost(Host agent, DateTime suspectTime) throws HACh
         return activityStatus;
     }
 
-    protected boolean verifyActivityOfStorageOnHost(HashMap<StoragePool, List<Volume>> poolVolMap, StoragePool pool, Host agent, DateTime suspectTime, boolean activityStatus) throws HACheckerException, IllegalStateException {
+    protected boolean verifyActivityOfStorageOnHost(HashMap<StoragePool, List<Volume>> poolVolMap, StoragePool pool, Host host, DateTime suspectTime, boolean activityStatus) throws HACheckerException, IllegalStateException {
         List<Volume> volume_list = poolVolMap.get(pool);
-        final CheckVMActivityOnStoragePoolCommand cmd = new CheckVMActivityOnStoragePoolCommand(agent, pool, volume_list, suspectTime);
+        final CheckVMActivityOnStoragePoolCommand cmd = new CheckVMActivityOnStoragePoolCommand(host, pool, volume_list, suspectTime);
 
-        logger.debug("Checking VM activity for {} on storage pool [{}].", agent.toString(), pool);
+        logger.debug("Checking VM activity for {} on storage pool [{}].", host.toString(), pool);
         try {
-            Answer answer = storageManager.sendToPool(pool, getNeighbors(agent), cmd);
-
+            Answer answer = storageManager.sendToPool(pool, getNeighbors(host), cmd);
             if (answer != null) {
                 activityStatus = !answer.getResult();
-                logger.debug("{} {} activity on storage pool [{}]", agent.toString(), activityStatus ? "has" : "does not have", pool);
+                logger.debug("{} {} activity on storage pool [{}]", host.toString(), activityStatus ? "has" : "does not have", pool);
             } else {
-                String message = String.format("Did not get a valid response for VM activity check for %s on storage pool [%s].", agent.toString(), pool);
+                String message = String.format("Did not get a valid response for VM activity check for %s on storage pool [%s].", host.toString(), pool);
                 logger.debug(message);
                 throw new IllegalStateException(message);
             }
-        } catch (StorageUnavailableException e){
-            String message = String.format("Storage [%s] is unavailable to do the check, probably the %s is not reachable.", pool, agent);
+        } catch (StorageUnavailableException e) {
+            String message = String.format("Storage [%s] is unavailable to do the check, probably the %s is not reachable.", pool, host);
             logger.warn(message, e);
             throw new HACheckerException(message, e);
         }
         return activityStatus;
     }
 
-    private HashMap<StoragePool, List<Volume>> getVolumeUuidOnHost(Host agent) {
-        List<VMInstanceVO> vm_list = vmInstanceDao.listByHostId(agent.getId());
-        List<VolumeVO> volume_list = new ArrayList<VolumeVO>();
-        for (VirtualMachine vm : vm_list) {
+    private HashMap<StoragePool, List<Volume>> getStoragePoolAndVolumeInfoOnHost(Host host) {
+        List<VMInstanceVO> vmListOnHost = vmInstanceDao.listByHostId(host.getId());
+        List<VolumeVO> volumeListOnHost = new ArrayList<>();
+        for (VirtualMachine vm : vmListOnHost) {
             logger.debug("Retrieving volumes of VM [{}]...", vm);
-            List<VolumeVO> vm_volume_list = volumeDao.findByInstance(vm.getId());
-            volume_list.addAll(vm_volume_list);
+            List<VolumeVO> volumeListOfVM = volumeDao.findByInstance(vm.getId());
+            volumeListOnHost.addAll(volumeListOfVM);
         }
 
-        HashMap<StoragePool, List<Volume>> poolVolMap = new HashMap<StoragePool, List<Volume>>();
-        for (Volume vol : volume_list) {
-            StoragePool sp = storagePool.findById(vol.getPoolId());
-            logger.debug("Retrieving storage pool [{}] of volume [{}]...", sp, vol);
-            if (!poolVolMap.containsKey(sp)) {
-                List<Volume> list = new ArrayList<Volume>();
-                list.add(vol);
+        HashMap<StoragePool, List<Volume>> poolVolumeMap = new HashMap<>();
+        for (Volume volume : volumeListOnHost) {
+            StoragePool pool = storagePoolDao.findById(volume.getPoolId());
+            logger.debug("Retrieving storage pool [{}] of volume [{}]...", pool, volume);
+            if (!poolVolumeMap.containsKey(pool)) {
+                List<Volume> volList = new ArrayList<>();
+                volList.add(volume);
 
-                poolVolMap.put(sp, list);
+                poolVolumeMap.put(pool, volList);
             } else {
-                poolVolMap.get(sp).add(vol);
+                poolVolumeMap.get(pool).add(volume);
             }
         }
-        return poolVolMap;
+        return poolVolumeMap;
     }
 
-    public long[] getNeighbors(Host agent) {
-        List<Long> neighbors = new ArrayList<Long>();
-        List<HostVO> cluster_hosts = resourceManager.listHostsInClusterByStatus(agent.getClusterId(), Status.Up);
-        logger.debug("Retrieving all \"Up\" hosts from cluster [{}]...", clusterDao.findById(agent.getClusterId()));
-        for (HostVO host : cluster_hosts) {
-            if (host.getId() == agent.getId() || (host.getHypervisorType() != Hypervisor.HypervisorType.KVM && host.getHypervisorType() != Hypervisor.HypervisorType.LXC)) {
+    public long[] getNeighbors(Host host) {
+        List<Long> neighbors = new ArrayList<>();
+        List<HostVO> clusterHosts = resourceManager.listHostsInClusterByStatus(host.getClusterId(), Status.Up);
+        logger.debug("Retrieving all \"Up\" hosts from cluster [{}]...", clusterDao.findById(host.getClusterId()));
+        for (HostVO clusterHost : clusterHosts) {
+            if (clusterHost.getId() == host.getId() || (clusterHost.getHypervisorType() != Hypervisor.HypervisorType.KVM && clusterHost.getHypervisorType() != Hypervisor.HypervisorType.LXC)) {
                 continue;
             }
-            neighbors.add(host.getId());
+            neighbors.add(clusterHost.getId());
         }
         return ArrayUtils.toPrimitive(neighbors.toArray(new Long[neighbors.size()]));
     }
-
 }
diff --git a/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResourceTest.java b/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResourceTest.java
index cde87fd93842..b3bdafb73751 100644
--- a/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResourceTest.java
+++ b/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResourceTest.java
@@ -3133,7 +3133,7 @@ public void testCheckOnHostCommand() {
         assertNotNull(wrapper);
 
         final Answer answer = wrapper.execute(command, libvirtComputingResourceMock);
-        assertTrue(answer.getResult());
+        assertFalse(answer.getResult());
 
         verify(libvirtComputingResourceMock, times(1)).getMonitor();
     }
@@ -5642,35 +5642,45 @@ public void testAddExtraConfigComponentNotEmptyExtraConfig() {
         Mockito.verify(vmDef, times(1)).addComp(any());
     }
 
-    public void validateGetCurrentMemAccordingToMemBallooningWithoutMemBalooning(){
+    @Test
+    public void getCurrentMemAccordingToMemBallooningTestValidateCurrentMemoryWithoutMemBallooning(){
         VirtualMachineTO vmTo = Mockito.mock(VirtualMachineTO.class);
-        Mockito.when(vmTo.getType()).thenReturn(Type.User);
         LibvirtComputingResource libvirtComputingResource = new LibvirtComputingResource();
         libvirtComputingResource.noMemBalloon = true;
-        long maxMemory = 2048;
+        long requestedMemory = 1024 * 1024;
+        long minMemory = 512 * 1024;
 
-        long currentMemory = libvirtComputingResource.getCurrentMemAccordingToMemBallooning(vmTo, maxMemory);
-        Assert.assertEquals(maxMemory, currentMemory);
-        Mockito.verify(vmTo, Mockito.times(0)).getMinRam();
+        long currentMemory = libvirtComputingResource.getCurrentMemAccordingToMemBallooning(vmTo, requestedMemory, minMemory);
+        Assert.assertEquals(requestedMemory, currentMemory);
     }
 
     @Test
-    public void validateGetCurrentMemAccordingToMemBallooningWithtMemBalooning(){
+    public void getCurrentMemAccordingToMemBallooningTestValidateCurrentMemoryWithMemoryBallooning(){
         LibvirtComputingResource libvirtComputingResource = new LibvirtComputingResource();
         libvirtComputingResource.noMemBalloon = false;
 
-        long maxMemory = 2048;
-        long minMemory = ByteScaleUtils.mebibytesToBytes(64);
-
         VirtualMachineTO vmTo = Mockito.mock(VirtualMachineTO.class);
         Mockito.when(vmTo.getType()).thenReturn(Type.User);
-        Mockito.when(vmTo.getMinRam()).thenReturn(minMemory);
+        long requestedMemory = 1024 * 1024;
+        long minMemory = 512 * 1024;
 
-        long currentMemory = libvirtComputingResource.getCurrentMemAccordingToMemBallooning(vmTo, maxMemory);
-        Assert.assertEquals(ByteScaleUtils.bytesToKibibytes(minMemory), currentMemory);
-        Mockito.verify(vmTo).getMinRam();
+        long currentMemory = libvirtComputingResource.getCurrentMemAccordingToMemBallooning(vmTo, requestedMemory, minMemory);
+        Assert.assertEquals(minMemory, currentMemory);
     }
 
+    @Test
+    public void getCurrentMemAccordingToMemBallooningTestValidateCurrentMemoryForSystemVms() {
+        LibvirtComputingResource libvirtComputingResource = new LibvirtComputingResource();
+        libvirtComputingResource.noMemBalloon = false;
+
+        VirtualMachineTO vmTo = Mockito.mock(VirtualMachineTO.class);
+        Mockito.when(vmTo.getType()).thenReturn(Type.SecondaryStorageVm);
+        long requestedMemory = 1024 * 1024;
+        long minMemory = 512 * 1024;
+
+        long currentMemory = libvirtComputingResource.getCurrentMemAccordingToMemBallooning(vmTo, requestedMemory, minMemory);
+        Assert.assertEquals(requestedMemory, currentMemory);
+    }
     @Test
     public void validateCreateGuestResourceDefWithVcpuMaxLimit(){
         LibvirtComputingResource libvirtComputingResource = new LibvirtComputingResource();
@@ -7203,4 +7213,113 @@ public void defineDiskForDefaultPoolTypeHandlesNullDetails() {
         libvirtComputingResourceSpy.defineDiskForDefaultPoolType(diskDef, volume, false, false, false, physicalDisk, DEV_ID, DISK_BUS_TYPE, DISK_BUS_TYPE_DATA, null);
         Mockito.verify(diskDef).defFileBasedDisk(PHYSICAL_DISK_PATH, DEV_ID, DISK_BUS_TYPE_DATA, DiskDef.DiskFmtType.QCOW2);
     }
+
+    @Test
+    public void getInterfaceTestValidMacAddressReturnInterface() {
+        String macAddress = "a0:90:27:a9:9e:62";
+        final String vmName = "Test";
+        final InterfaceDef interfaceDef = Mockito.mock(InterfaceDef.class);
+        final List<InterfaceDef> interfaces = new ArrayList<>();
+        interfaces.add(interfaceDef);
+
+        Mockito.doReturn(macAddress).when(interfaceDef).getMacAddress();
+        Mockito.doReturn(interfaces).when(libvirtComputingResourceSpy).getInterfaces(Mockito.any(), Mockito.anyString());
+
+        InterfaceDef result = libvirtComputingResourceSpy.getInterface(connMock, vmName, macAddress);
+
+        Assert.assertNotNull(result);
+    }
+
+    @Test(expected = CloudRuntimeException.class)
+    public void getInterfaceTestInvalidMacAddressThrowCloudRuntimeException() {
+        String invalidMacAddress = "ea:57:5d:f1:64:05";
+        String macAddress = "a0:90:27:a9:9e:62";
+        final String vmName = "Test";
+        final InterfaceDef interfaceDef = Mockito.mock(InterfaceDef.class);
+        final List<InterfaceDef> interfaces = new ArrayList<>();
+        interfaces.add(interfaceDef);
+
+        Mockito.doReturn(macAddress).when(interfaceDef).getMacAddress();
+        Mockito.doReturn(interfaces).when(libvirtComputingResourceSpy).getInterfaces(Mockito.any(), Mockito.anyString());
+
+        libvirtComputingResourceSpy.getInterface(connMock, vmName, invalidMacAddress);
+    }
+
+    @Test
+    public void updateCpuQuotaAndPeriodTestAssertPeriodAndQuotaAreNotUpdatedWhenLibvirtVersionIsLessThanTheMinimum() throws LibvirtException {
+        libvirtComputingResourceSpy.hypervisorLibvirtVersion = 8999;
+        libvirtComputingResourceSpy.updateCpuQuotaAndPeriod(domainMock, null, false);
+        Mockito.verify(domainMock, Mockito.never()).setSchedulerParameters(Mockito.any());
+    }
+
+    @Test
+    public void updateCpuQuotaAndPeriodTestAssertPeriodAndQuotaAreNotUpdatedWhenThereIsNoCapCapChangeAndNoCpuLimitationIsApplied() throws LibvirtException {
+        Mockito.when(vmTO.isLimitCpuUse()).thenReturn(false);
+        libvirtComputingResourceSpy.hypervisorLibvirtVersion = 9000;
+        libvirtComputingResourceSpy.updateCpuQuotaAndPeriod(domainMock, vmTO, false);
+        Mockito.verify(domainMock, Mockito.never()).setSchedulerParameters(Mockito.any());
+    }
+
+    @Test
+    public void updateCpuQuotaAndPeriodTestAssertQuotaIsRemovedWhenThereIsCpuCapChangeAndNoCpuLimitationIsApplied() throws LibvirtException {
+        Mockito.when(vmTO.isLimitCpuUse()).thenReturn(false);
+        Mockito.when(domainMock.getName()).thenReturn("i-2-10-VM");
+        libvirtComputingResourceSpy.hypervisorLibvirtVersion = 9000;
+        libvirtComputingResourceSpy.updateCpuQuotaAndPeriod(domainMock, vmTO, true);
+        Mockito.verify(domainMock, Mockito.times(1)).setSchedulerParameters(Mockito.any());
+    }
+
+    @Test
+    public void updateCpuQuotaAndPeriodTestAssertPeriodAndQuotaAreUpdatedWhenThereIsNotCpuCapChangeAndCpuLimitationIsApplied() throws LibvirtException {
+        Mockito.when(vmTO.isLimitCpuUse()).thenReturn(true);
+        double cpuQuotaPercentage = 0.03;
+        Mockito.when(vmTO.getCpuQuotaPercentage()).thenReturn(cpuQuotaPercentage);
+        Mockito.doReturn(new Pair<>(1000, 300L)).when(libvirtComputingResourceSpy).getPeriodAndQuota(cpuQuotaPercentage);
+        Mockito.when(domainMock.getName()).thenReturn("i-2-10-VM");
+        libvirtComputingResourceSpy.hypervisorLibvirtVersion = 9000;
+        libvirtComputingResourceSpy.updateCpuQuotaAndPeriod(domainMock, vmTO, false);
+        Mockito.verify(domainMock, Mockito.times(2)).setSchedulerParameters(Mockito.any());
+    }
+
+    @Test
+    public void updateCpuQuotaAndPeriodTestAssertPeriodAndQuotaAreUpdatedWhenThereIsCpuCapChangeAndCpuLimitationIsApplied() throws LibvirtException {
+        Mockito.when(vmTO.isLimitCpuUse()).thenReturn(true);
+        double cpuQuotaPercentage = 0.03;
+        Mockito.when(vmTO.getCpuQuotaPercentage()).thenReturn(cpuQuotaPercentage);
+        Mockito.doReturn(new Pair<>(1000, 300L)).when(libvirtComputingResourceSpy).getPeriodAndQuota(cpuQuotaPercentage);
+        Mockito.when(domainMock.getName()).thenReturn("i-2-10-VM");
+        libvirtComputingResourceSpy.hypervisorLibvirtVersion = 9000;
+        libvirtComputingResourceSpy.updateCpuQuotaAndPeriod(domainMock, vmTO, true);
+        Mockito.verify(domainMock, Mockito.times(2)).setSchedulerParameters(Mockito.any());
+    }
+
+    @Test
+    public void getPeriodAndQuotaTestAssertQuotaIsEqualToPeriodMultipliedByQuotaPercentage() {
+        double cpuQuotaPercentage = 0.3;
+        int expectedPeriod = CpuTuneDef.DEFAULT_PERIOD;
+        long expectedQuota = (long) (expectedPeriod * cpuQuotaPercentage);
+        Pair<Integer, Long> expectedResult = new Pair<>(expectedPeriod, expectedQuota);
+        Pair<Integer, Long> result = libvirtComputingResourceSpy.getPeriodAndQuota(cpuQuotaPercentage);
+        Assert.assertEquals(expectedResult, result);
+    }
+
+    @Test
+    public void getPeriodAndQuotaTestQuotaIsEqualToMinimumWhenRequired() {
+        double cpuQuotaPercentage = 0.03;
+        long expectedQuota = CpuTuneDef.MIN_QUOTA;
+        int expectedPeriod = (int) ((double) expectedQuota / cpuQuotaPercentage);
+        Pair<Integer, Long> expectedResult = new Pair<>(expectedPeriod, expectedQuota);
+        Pair<Integer, Long> result = libvirtComputingResourceSpy.getPeriodAndQuota(cpuQuotaPercentage);
+        Assert.assertEquals(expectedResult, result);
+    }
+
+    @Test
+    public void getPeriodAndQuotaTestPeriodIsEqualToMaximumWhenRequired() {
+        double cpuQuotaPercentage = 0.0003;
+        long expectedQuota = CpuTuneDef.MIN_QUOTA;
+        int expectedPeriod = CpuTuneDef.MAX_PERIOD;
+        Pair<Integer, Long> expectedResult = new Pair<>(expectedPeriod, expectedQuota);
+        Pair<Integer, Long> result = libvirtComputingResourceSpy.getPeriodAndQuota(cpuQuotaPercentage);
+        Assert.assertEquals(expectedResult, result);
+    }
 }
diff --git a/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/LibvirtGpuDefTest.java b/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/LibvirtGpuDefTest.java
index 0060e1d7ed4d..e6f63e852f85 100644
--- a/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/LibvirtGpuDefTest.java
+++ b/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/LibvirtGpuDefTest.java
@@ -115,6 +115,145 @@ public void testGpuDef_withComplexPciAddress() {
         assertTrue(gpuXml.contains("</hostdev>"));
     }
 
+    @Test
+    public void testGpuDef_withFullPciAddressDomainZero() {
+        LibvirtGpuDef gpuDef = new LibvirtGpuDef();
+        VgpuTypesInfo pciGpuInfo = new VgpuTypesInfo(
+                GpuDevice.DeviceType.PCI,
+                "passthrough",
+                "passthrough",
+                "0000:00:02.0",
+                "10de",
+                "NVIDIA Corporation",
+                "1b38",
+                "Tesla T4"
+        );
+        gpuDef.defGpu(pciGpuInfo);
+
+        String gpuXml = gpuDef.toString();
+
+        assertTrue(gpuXml.contains("<address domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>"));
+    }
+
+    @Test
+    public void testGpuDef_withFullPciAddressNonZeroDomain() {
+        LibvirtGpuDef gpuDef = new LibvirtGpuDef();
+        VgpuTypesInfo pciGpuInfo = new VgpuTypesInfo(
+                GpuDevice.DeviceType.PCI,
+                "passthrough",
+                "passthrough",
+                "0001:65:00.0",
+                "10de",
+                "NVIDIA Corporation",
+                "1b38",
+                "Tesla T4"
+        );
+        gpuDef.defGpu(pciGpuInfo);
+
+        String gpuXml = gpuDef.toString();
+
+        assertTrue(gpuXml.contains("<address domain='0x0001' bus='0x65' slot='0x00' function='0x0'/>"));
+    }
+
+    @Test
+    public void testGpuDef_withNvidiaStyleEightDigitDomain() {
+        // nvidia-smi reports PCI addresses with an 8-digit domain (e.g. "00000001:af:00.1").
+        // generatePciXml must normalize it to the canonical 4-digit form "0x0001".
+        LibvirtGpuDef gpuDef = new LibvirtGpuDef();
+        VgpuTypesInfo pciGpuInfo = new VgpuTypesInfo(
+                GpuDevice.DeviceType.PCI,
+                "passthrough",
+                "passthrough",
+                "00000001:af:00.1",
+                "10de",
+                "NVIDIA Corporation",
+                "1b38",
+                "Tesla T4"
+        );
+        gpuDef.defGpu(pciGpuInfo);
+
+        String gpuXml = gpuDef.toString();
+
+        assertTrue(gpuXml.contains("<address domain='0x0001' bus='0xaf' slot='0x00' function='0x1'/>"));
+    }
+
+    @Test
+    public void testGpuDef_withFullPciAddressVfNonZeroDomain() {
+        LibvirtGpuDef gpuDef = new LibvirtGpuDef();
+        VgpuTypesInfo vfGpuInfo = new VgpuTypesInfo(
+                GpuDevice.DeviceType.PCI,
+                "VF-Profile",
+                "VF-Profile",
+                "0002:81:00.3",
+                "10de",
+                "NVIDIA Corporation",
+                "1eb8",
+                "Tesla T4"
+        );
+        gpuDef.defGpu(vfGpuInfo);
+
+        String gpuXml = gpuDef.toString();
+
+        // Non-passthrough NVIDIA VFs should be unmanaged
+        assertTrue(gpuXml.contains("<hostdev mode='subsystem' type='pci' managed='no' display='off'>"));
+        assertTrue(gpuXml.contains("<address domain='0x0002' bus='0x81' slot='0x00' function='0x3'/>"));
+    }
+
+    @Test
+    public void testGpuDef_withLegacyShortBdfDefaultsDomainToZero() {
+        // Backward compatibility: short BDF with no domain segment must still
+        // produce a valid libvirt address with domain 0x0000.
+        LibvirtGpuDef gpuDef = new LibvirtGpuDef();
+        VgpuTypesInfo pciGpuInfo = new VgpuTypesInfo(
+                GpuDevice.DeviceType.PCI,
+                "passthrough",
+                "passthrough",
+                "af:00.0",
+                "10de",
+                "NVIDIA Corporation",
+                "1b38",
+                "Tesla T4"
+        );
+        gpuDef.defGpu(pciGpuInfo);
+
+        String gpuXml = gpuDef.toString();
+
+        assertTrue(gpuXml.contains("<address domain='0x0000' bus='0xaf' slot='0x00' function='0x0'/>"));
+    }
+
+    @Test
+    public void testGpuDef_withInvalidBusAddressThrows() {
+        String[] invalidAddresses = {
+                "notahex:00.0",          // non-hex bus
+                "gg:00:02.0",            // non-hex domain
+                "00:02:03:04",           // too many colon-separated parts
+                "00",                    // missing slot/function
+                "00:02",                 // missing function (no dot)
+                "00:02.0.1",             // extra dot in ss.f
+        };
+        for (String addr : invalidAddresses) {
+            LibvirtGpuDef gpuDef = new LibvirtGpuDef();
+            VgpuTypesInfo info = new VgpuTypesInfo(
+                    GpuDevice.DeviceType.PCI,
+                    "passthrough",
+                    "passthrough",
+                    addr,
+                    "10de",
+                    "NVIDIA Corporation",
+                    "1b38",
+                    "Tesla T4"
+            );
+            gpuDef.defGpu(info);
+            try {
+                String ignored = gpuDef.toString();
+                fail("Expected IllegalArgumentException for address: " + addr + " but got: " + ignored);
+            } catch (IllegalArgumentException e) {
+                assertTrue("Exception message should contain the bad address",
+                        e.getMessage().contains(addr));
+            }
+        }
+    }
+
     @Test
     public void testGpuDef_withNullDeviceType() {
         LibvirtGpuDef gpuDef = new LibvirtGpuDef();
diff --git a/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtCheckConvertInstanceCommandWrapperTest.java b/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtCheckConvertInstanceCommandWrapperTest.java
index 3cad9c27a687..74090723331a 100644
--- a/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtCheckConvertInstanceCommandWrapperTest.java
+++ b/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtCheckConvertInstanceCommandWrapperTest.java
@@ -52,6 +52,7 @@ public void setUp() {
 
     @Test
     public void testCheckInstanceCommand_success() {
+        Mockito.when(checkConvertInstanceCommandMock.isUseVddk()).thenReturn(false);
         Mockito.when(libvirtComputingResourceMock.hostSupportsInstanceConversion()).thenReturn(true);
         Answer answer = checkConvertInstanceCommandWrapper.execute(checkConvertInstanceCommandMock, libvirtComputingResourceMock);
         assertTrue(answer.getResult());
@@ -59,9 +60,33 @@ public void testCheckInstanceCommand_success() {
 
     @Test
     public void testCheckInstanceCommand_failure() {
+        Mockito.when(checkConvertInstanceCommandMock.isUseVddk()).thenReturn(false);
         Mockito.when(libvirtComputingResourceMock.hostSupportsInstanceConversion()).thenReturn(false);
         Answer answer = checkConvertInstanceCommandWrapper.execute(checkConvertInstanceCommandMock, libvirtComputingResourceMock);
         assertFalse(answer.getResult());
         assertTrue(StringUtils.isNotBlank(answer.getDetails()));
     }
+
+    @Test
+    public void testCheckInstanceCommand_vddkSuccess() {
+        Mockito.when(checkConvertInstanceCommandMock.isUseVddk()).thenReturn(true);
+        Mockito.when(checkConvertInstanceCommandMock.getVddkLibDir()).thenReturn("/opt/vmware-vddk/vmware-vix-disklib-distrib");
+        Mockito.when(libvirtComputingResourceMock.hostSupportsVddk("/opt/vmware-vddk/vmware-vix-disklib-distrib")).thenReturn(true);
+
+        Answer answer = checkConvertInstanceCommandWrapper.execute(checkConvertInstanceCommandMock, libvirtComputingResourceMock);
+
+        assertTrue(answer.getResult());
+    }
+
+    @Test
+    public void testCheckInstanceCommand_vddkFailure() {
+        Mockito.when(checkConvertInstanceCommandMock.isUseVddk()).thenReturn(true);
+        Mockito.when(checkConvertInstanceCommandMock.getVddkLibDir()).thenReturn("/opt/vmware-vddk/vmware-vix-disklib-distrib");
+        Mockito.when(libvirtComputingResourceMock.hostSupportsVddk("/opt/vmware-vddk/vmware-vix-disklib-distrib")).thenReturn(false);
+
+        Answer answer = checkConvertInstanceCommandWrapper.execute(checkConvertInstanceCommandMock, libvirtComputingResourceMock);
+
+        assertFalse(answer.getResult());
+        assertTrue(StringUtils.isNotBlank(answer.getDetails()));
+    }
 }
diff --git a/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtCheckVirtualMachineCommandWrapperTest.java b/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtCheckVirtualMachineCommandWrapperTest.java
new file mode 100644
index 000000000000..a06a9c50bc1c
--- /dev/null
+++ b/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtCheckVirtualMachineCommandWrapperTest.java
@@ -0,0 +1,191 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package com.cloud.hypervisor.kvm.resource.wrapper;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.libvirt.Connect;
+import org.libvirt.Domain;
+import org.libvirt.DomainInfo;
+import org.libvirt.DomainInfo.DomainState;
+import org.libvirt.LibvirtException;
+import org.mockito.Mock;
+import org.mockito.junit.MockitoJUnitRunner;
+
+import com.cloud.agent.api.CheckVirtualMachineAnswer;
+import com.cloud.agent.api.CheckVirtualMachineCommand;
+import com.cloud.hypervisor.kvm.resource.LibvirtComputingResource;
+import com.cloud.vm.VirtualMachine.PowerState;
+
+@RunWith(MockitoJUnitRunner.class)
+public class LibvirtCheckVirtualMachineCommandWrapperTest {
+
+    private static final String VM_NAME = "i-2-3-VM";
+
+    @Mock
+    private LibvirtComputingResource libvirtComputingResource;
+    @Mock
+    private LibvirtUtilitiesHelper libvirtUtilitiesHelper;
+    @Mock
+    private Connect conn;
+    @Mock
+    private Domain domain;
+
+    private LibvirtCheckVirtualMachineCommandWrapper wrapper;
+    private CheckVirtualMachineCommand command;
+
+    @Before
+    public void setUp() throws LibvirtException {
+        wrapper = new LibvirtCheckVirtualMachineCommandWrapper();
+        command = new CheckVirtualMachineCommand(VM_NAME);
+
+        when(libvirtComputingResource.getLibvirtUtilitiesHelper()).thenReturn(libvirtUtilitiesHelper);
+        when(libvirtUtilitiesHelper.getConnectionByVmName(VM_NAME)).thenReturn(conn);
+    }
+
+    @Test
+    public void testExecuteVmPoweredOnReturnsStateAndVncPort() throws LibvirtException {
+        DomainInfo domainInfo = new DomainInfo();
+        domainInfo.state = DomainState.VIR_DOMAIN_RUNNING;
+
+        when(libvirtComputingResource.getVmState(conn, VM_NAME)).thenReturn(PowerState.PowerOn);
+        when(libvirtComputingResource.getVncPort(conn, VM_NAME)).thenReturn(5900);
+        when(conn.domainLookupByName(VM_NAME)).thenReturn(domain);
+        when(domain.getInfo()).thenReturn(domainInfo);
+
+        CheckVirtualMachineAnswer answer = (CheckVirtualMachineAnswer) wrapper.execute(command, libvirtComputingResource);
+
+        assertTrue(answer.getResult());
+        assertEquals(PowerState.PowerOn, answer.getState());
+        assertEquals(Integer.valueOf(5900), answer.getVncPort());
+    }
+
+    @Test
+    public void testExecuteVmPausedReturnsPowerUnknown() throws LibvirtException {
+        DomainInfo domainInfo = new DomainInfo();
+        domainInfo.state = DomainState.VIR_DOMAIN_PAUSED;
+
+        when(libvirtComputingResource.getVmState(conn, VM_NAME)).thenReturn(PowerState.PowerOn);
+        when(libvirtComputingResource.getVncPort(conn, VM_NAME)).thenReturn(5901);
+        when(conn.domainLookupByName(VM_NAME)).thenReturn(domain);
+        when(domain.getInfo()).thenReturn(domainInfo);
+
+        CheckVirtualMachineAnswer answer = (CheckVirtualMachineAnswer) wrapper.execute(command, libvirtComputingResource);
+
+        assertTrue(answer.getResult());
+        assertEquals(PowerState.PowerUnknown, answer.getState());
+        assertEquals(Integer.valueOf(5901), answer.getVncPort());
+    }
+
+    @Test
+    public void testExecuteVmPoweredOffReturnsStateWithNullVncPort() throws LibvirtException {
+        when(libvirtComputingResource.getVmState(conn, VM_NAME)).thenReturn(PowerState.PowerOff);
+
+        CheckVirtualMachineAnswer answer = (CheckVirtualMachineAnswer) wrapper.execute(command, libvirtComputingResource);
+
+        assertTrue(answer.getResult());
+        assertEquals(PowerState.PowerOff, answer.getState());
+        assertNull(answer.getVncPort());
+    }
+
+    @Test
+    public void testExecuteVmStateUnknownReturnsStateWithNullVncPort() throws LibvirtException {
+        when(libvirtComputingResource.getVmState(conn, VM_NAME)).thenReturn(PowerState.PowerUnknown);
+
+        CheckVirtualMachineAnswer answer = (CheckVirtualMachineAnswer) wrapper.execute(command, libvirtComputingResource);
+
+        assertTrue(answer.getResult());
+        assertEquals(PowerState.PowerUnknown, answer.getState());
+        assertNull(answer.getVncPort());
+    }
+
+    @Test
+    public void testExecuteVmPoweredOnWithNullVncPort() throws LibvirtException {
+        DomainInfo domainInfo = new DomainInfo();
+        domainInfo.state = DomainState.VIR_DOMAIN_RUNNING;
+
+        when(libvirtComputingResource.getVmState(conn, VM_NAME)).thenReturn(PowerState.PowerOn);
+        when(libvirtComputingResource.getVncPort(conn, VM_NAME)).thenReturn(null);
+        when(conn.domainLookupByName(VM_NAME)).thenReturn(domain);
+        when(domain.getInfo()).thenReturn(domainInfo);
+
+        CheckVirtualMachineAnswer answer = (CheckVirtualMachineAnswer) wrapper.execute(command, libvirtComputingResource);
+
+        assertTrue(answer.getResult());
+        assertEquals(PowerState.PowerOn, answer.getState());
+        assertNull(answer.getVncPort());
+    }
+
+    @Test
+    public void testExecuteLibvirtExceptionOnGetConnectionReturnsFailure() throws LibvirtException {
+        LibvirtException libvirtException = mock(LibvirtException.class);
+        when(libvirtException.getMessage()).thenReturn("Connection refused");
+        when(libvirtUtilitiesHelper.getConnectionByVmName(VM_NAME)).thenThrow(libvirtException);
+
+        CheckVirtualMachineAnswer answer = (CheckVirtualMachineAnswer) wrapper.execute(command, libvirtComputingResource);
+
+        assertFalse(answer.getResult());
+        assertEquals("Connection refused", answer.getDetails());
+    }
+
+    @Test
+    public void testExecuteLibvirtExceptionOnGetVncPortReturnsFailure() throws LibvirtException {
+        LibvirtException libvirtException = mock(LibvirtException.class);
+        when(libvirtException.getMessage()).thenReturn("VNC port error");
+        when(libvirtComputingResource.getVmState(conn, VM_NAME)).thenReturn(PowerState.PowerOn);
+        when(libvirtComputingResource.getVncPort(conn, VM_NAME)).thenThrow(libvirtException);
+
+        CheckVirtualMachineAnswer answer = (CheckVirtualMachineAnswer) wrapper.execute(command, libvirtComputingResource);
+
+        assertFalse(answer.getResult());
+        assertEquals("VNC port error", answer.getDetails());
+    }
+
+    @Test
+    public void testExecuteLibvirtExceptionOnDomainLookupReturnsFailure() throws LibvirtException {
+        LibvirtException libvirtException = mock(LibvirtException.class);
+        when(libvirtException.getMessage()).thenReturn("Domain not found");
+        when(libvirtComputingResource.getVmState(conn, VM_NAME)).thenReturn(PowerState.PowerOn);
+        when(libvirtComputingResource.getVncPort(conn, VM_NAME)).thenReturn(5900);
+        when(conn.domainLookupByName(VM_NAME)).thenThrow(libvirtException);
+
+        CheckVirtualMachineAnswer answer = (CheckVirtualMachineAnswer) wrapper.execute(command, libvirtComputingResource);
+
+        assertFalse(answer.getResult());
+        assertEquals("Domain not found", answer.getDetails());
+    }
+
+    @Test
+    public void testExecuteCallsGetLibvirtUtilitiesHelper() throws LibvirtException {
+        when(libvirtComputingResource.getVmState(conn, VM_NAME)).thenReturn(PowerState.PowerOff);
+
+        wrapper.execute(command, libvirtComputingResource);
+
+        verify(libvirtComputingResource).getLibvirtUtilitiesHelper();
+        verify(libvirtUtilitiesHelper).getConnectionByVmName(VM_NAME);
+    }
+}
diff --git a/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtConvertInstanceCommandWrapperTest.java b/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtConvertInstanceCommandWrapperTest.java
index 4d55ac2bc73a..c30fa2f49482 100644
--- a/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtConvertInstanceCommandWrapperTest.java
+++ b/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtConvertInstanceCommandWrapperTest.java
@@ -18,6 +18,7 @@
 //
 package com.cloud.hypervisor.kvm.resource.wrapper;
 
+import java.nio.file.Files;
 import java.util.List;
 import java.util.UUID;
 
@@ -189,4 +190,127 @@ public void testAddExtraParamsToScriptDifferentArgs() {
         Mockito.verify(script).add("-x");
         Mockito.verify(script).add("-v");
     }
+
+    @Test
+    public void testPerformInstanceConversionUsingVddkUsesConfiguredLibguestfsBackend() {
+        RemoteInstanceTO remoteInstanceTO = Mockito.mock(RemoteInstanceTO.class);
+        Mockito.when(remoteInstanceTO.getVcenterHost()).thenReturn("vcenter.local");
+        Mockito.when(remoteInstanceTO.getVcenterUsername()).thenReturn("administrator@vsphere.local");
+        Mockito.when(remoteInstanceTO.getVcenterPassword()).thenReturn("secret");
+        Mockito.when(remoteInstanceTO.getDatacenterName()).thenReturn("dc1");
+        Mockito.when(remoteInstanceTO.getClusterName()).thenReturn("cluster1");
+        Mockito.when(remoteInstanceTO.getHostName()).thenReturn("host1");
+        Mockito.doReturn("28:19:A6:1C:90:ED:46:D7:1C:86:BC:F6:13:52:F0:B9:19:81:0D:81")
+                .when(convertInstanceCommandWrapper).getVcenterThumbprint(Mockito.anyString(), Mockito.anyLong(), Mockito.anyString());
+
+        try (MockedStatic<Files> filesMock = Mockito.mockStatic(Files.class);
+             MockedConstruction<Script> ignored = Mockito.mockConstruction(Script.class, (mock, context) -> {
+                 Mockito.when(mock.execute(Mockito.any())).thenReturn("");
+                 Mockito.when(mock.getExitValue()).thenReturn(0);
+             })) {
+            filesMock.when(() -> Files.writeString(Mockito.argThat(path -> path.toString().contains("/tmp/v2v.pass.cloud.vcenter.local.")), Mockito.eq("secret")))
+                    .thenAnswer(invocation -> invocation.getArgument(0));
+            filesMock.when(() -> Files.deleteIfExists(Mockito.argThat(path -> path.toString().contains("/tmp/v2v.pass.cloud.vcenter.local."))))
+                    .thenReturn(true);
+
+            boolean result = convertInstanceCommandWrapper.performInstanceConversionUsingVddk(
+                    remoteInstanceTO, vmName, "/tmp/convert", "/opt/vddk", "libvirt", null, null, 1000L, false, null, "tmp-uuid", "-ip");
+
+            Assert.assertTrue(result);
+            Script scriptMock = ignored.constructed().get(0);
+            Mockito.verify(scriptMock).add("-c");
+            Mockito.verify(scriptMock).add(Mockito.contains("export LIBGUESTFS_BACKEND=libvirt &&"));
+            Mockito.verify(scriptMock).add(Mockito.contains("-ip /tmp/v2v.pass.cloud.vcenter.local."));
+            Mockito.verify(scriptMock).add(Mockito.contains(" -on tmp-uuid "));
+            Mockito.verify(scriptMock).add(Mockito.contains("-io vddk-thumbprint=28:19:A6:1C:90:ED:46:D7:1C:86:BC:F6:13:52:F0:B9:19:81:0D:81 "));
+        }
+    }
+
+    @Test
+    public void testPerformInstanceConversionUsingVddkUsesConfiguredTransportsOrder() {
+        RemoteInstanceTO remoteInstanceTO = Mockito.mock(RemoteInstanceTO.class);
+        Mockito.when(remoteInstanceTO.getVcenterHost()).thenReturn("vcenter.local");
+        Mockito.when(remoteInstanceTO.getVcenterUsername()).thenReturn("administrator@vsphere.local");
+        Mockito.when(remoteInstanceTO.getVcenterPassword()).thenReturn("secret");
+        Mockito.when(remoteInstanceTO.getDatacenterName()).thenReturn("dc1");
+        Mockito.when(remoteInstanceTO.getClusterName()).thenReturn("cluster1");
+        Mockito.when(remoteInstanceTO.getHostName()).thenReturn("host1");
+        Mockito.doReturn("28:19:A6:1C:90:ED:46:D7:1C:86:BC:F6:13:52:F0:B9:19:81:0D:81")
+                .when(convertInstanceCommandWrapper).getVcenterThumbprint(Mockito.anyString(), Mockito.anyLong(), Mockito.anyString());
+
+        try (MockedStatic<Files> filesMock = Mockito.mockStatic(Files.class);
+             MockedConstruction<Script> ignored = Mockito.mockConstruction(Script.class, (mock, context) -> {
+                 Mockito.when(mock.execute(Mockito.any())).thenReturn("");
+                 Mockito.when(mock.getExitValue()).thenReturn(0);
+             })) {
+            filesMock.when(() -> Files.writeString(Mockito.argThat(path -> path.toString().contains("/tmp/v2v.pass.cloud.vcenter.local.")), Mockito.eq("secret")))
+                    .thenAnswer(invocation -> invocation.getArgument(0));
+            filesMock.when(() -> Files.deleteIfExists(Mockito.argThat(path -> path.toString().contains("/tmp/v2v.pass.cloud.vcenter.local."))))
+                    .thenReturn(true);
+
+            boolean result = convertInstanceCommandWrapper.performInstanceConversionUsingVddk(
+                    remoteInstanceTO, vmName, "/tmp/convert", "/opt/vddk", "direct", "nbd:nbdssl", null, 1000L, false, null, "tmp-uuid", "-ip");
+
+            Assert.assertTrue(result);
+            Script scriptMock = ignored.constructed().get(0);
+            Mockito.verify(scriptMock).add(Mockito.contains("-io vddk-transports=nbd:nbdssl "));
+        }
+    }
+
+    @Test
+    public void testPerformInstanceConversionUsingVddkFailsWhenThumbprintUnavailable() {
+        RemoteInstanceTO remoteInstanceTO = Mockito.mock(RemoteInstanceTO.class);
+        Mockito.when(remoteInstanceTO.getVcenterHost()).thenReturn("vcenter.local");
+        Mockito.when(remoteInstanceTO.getVcenterUsername()).thenReturn("administrator@vsphere.local");
+        Mockito.when(remoteInstanceTO.getVcenterPassword()).thenReturn("secret");
+        Mockito.when(remoteInstanceTO.getDatacenterName()).thenReturn("dc1");
+        Mockito.when(remoteInstanceTO.getClusterName()).thenReturn("cluster1");
+        Mockito.when(remoteInstanceTO.getHostName()).thenReturn("host1");
+        Mockito.doReturn(null)
+                .when(convertInstanceCommandWrapper).getVcenterThumbprint(Mockito.anyString(), Mockito.anyLong(), Mockito.anyString());
+
+        try (MockedStatic<Files> filesMock = Mockito.mockStatic(Files.class)) {
+            filesMock.when(() -> Files.writeString(Mockito.argThat(path -> path.toString().contains("/tmp/v2v.pass.cloud.vcenter.local.")), Mockito.eq("secret")))
+                    .thenAnswer(invocation -> invocation.getArgument(0));
+            filesMock.when(() -> Files.deleteIfExists(Mockito.argThat(path -> path.toString().contains("/tmp/v2v.pass.cloud.vcenter.local."))))
+                    .thenReturn(true);
+
+            boolean result = convertInstanceCommandWrapper.performInstanceConversionUsingVddk(
+                    remoteInstanceTO, vmName, "/tmp/convert", "/opt/vddk", "direct", null, null, 1000L, false, null, "tmp-uuid", "-ip");
+
+            Assert.assertFalse(result);
+        }
+    }
+
+    @Test
+    public void testPerformInstanceConversionUsingVddkUsesConfiguredThumbprintFromAgentProperty() {
+        RemoteInstanceTO remoteInstanceTO = Mockito.mock(RemoteInstanceTO.class);
+        Mockito.when(remoteInstanceTO.getVcenterHost()).thenReturn("vcenter.local");
+        Mockito.when(remoteInstanceTO.getVcenterUsername()).thenReturn("administrator@vsphere.local");
+        Mockito.when(remoteInstanceTO.getVcenterPassword()).thenReturn("secret");
+        Mockito.when(remoteInstanceTO.getDatacenterName()).thenReturn("dc1");
+        Mockito.when(remoteInstanceTO.getClusterName()).thenReturn("cluster1");
+        Mockito.when(remoteInstanceTO.getHostName()).thenReturn("host1");
+
+        try (MockedStatic<Files> filesMock = Mockito.mockStatic(Files.class);
+             MockedConstruction<Script> ignored = Mockito.mockConstruction(Script.class, (mock, context) -> {
+                 Mockito.when(mock.execute(Mockito.any())).thenReturn("");
+                 Mockito.when(mock.getExitValue()).thenReturn(0);
+             })) {
+            filesMock.when(() -> Files.writeString(Mockito.argThat(path -> path.toString().contains("/tmp/v2v.pass.cloud.vcenter.local.")), Mockito.eq("secret")))
+                    .thenAnswer(invocation -> invocation.getArgument(0));
+            filesMock.when(() -> Files.deleteIfExists(Mockito.argThat(path -> path.toString().contains("/tmp/v2v.pass.cloud.vcenter.local."))))
+                    .thenReturn(true);
+
+            boolean result = convertInstanceCommandWrapper.performInstanceConversionUsingVddk(
+                    remoteInstanceTO, vmName, "/tmp/convert", "/opt/vddk", "direct", null,
+                    "AA:BB:CC:DD:EE", 1000L, false, null, "tmp-uuid", "-ip");
+
+            Assert.assertTrue(result);
+            Script scriptMock = ignored.constructed().get(0);
+            Mockito.verify(scriptMock).add(Mockito.contains("-io vddk-thumbprint=AA:BB:CC:DD:EE "));
+            Mockito.verify(convertInstanceCommandWrapper, Mockito.never())
+                    .getVcenterThumbprint(Mockito.anyString(), Mockito.anyLong(), Mockito.anyString());
+        }
+    }
 }
diff --git a/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtRestoreBackupCommandWrapperTest.java b/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtRestoreBackupCommandWrapperTest.java
index d72dc0d8ac36..ef6b5c08189d 100644
--- a/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtRestoreBackupCommandWrapperTest.java
+++ b/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtRestoreBackupCommandWrapperTest.java
@@ -18,6 +18,7 @@
 
 import com.cloud.agent.api.Answer;
 import com.cloud.hypervisor.kvm.resource.LibvirtComputingResource;
+import com.cloud.storage.Storage;
 import com.cloud.utils.script.Script;
 import com.cloud.vm.VirtualMachine;
 import org.apache.cloudstack.backup.BackupAnswer;
@@ -66,7 +67,10 @@ public void testExecuteWithVmExistsNull() throws Exception {
         when(command.getMountOptions()).thenReturn("rw");
         when(command.isVmExists()).thenReturn(null);
         when(command.getDiskType()).thenReturn("root");
+        when(command.getRestoreVolumeSizes()).thenReturn(Arrays.asList(1024L));
+        when(command.getWait()).thenReturn(60);
         PrimaryDataStoreTO primaryDataStore = Mockito.mock(PrimaryDataStoreTO.class);
+        when(primaryDataStore.getPoolType()).thenReturn(Storage.StoragePoolType.NetworkFilesystem);
         when(command.getRestoreVolumePools()).thenReturn(Arrays.asList(primaryDataStore));
         when(command.getRestoreVolumePaths()).thenReturn(Arrays.asList("/var/lib/libvirt/images/volume-123"));
         when(command.getBackupFiles()).thenReturn(Arrays.asList("volume-123"));
@@ -109,6 +113,7 @@ public void testExecuteWithVmExistsTrue() throws Exception {
         when(command.isVmExists()).thenReturn(true);
         when(command.getDiskType()).thenReturn("root");
         PrimaryDataStoreTO primaryDataStore = Mockito.mock(PrimaryDataStoreTO.class);
+        when(primaryDataStore.getPoolType()).thenReturn(Storage.StoragePoolType.NetworkFilesystem);
         when(command.getRestoreVolumePools()).thenReturn(Arrays.asList(primaryDataStore));
         when(command.getRestoreVolumePaths()).thenReturn(Arrays.asList("/var/lib/libvirt/images/volume-123"));
         when(command.getBackupVolumesUUIDs()).thenReturn(Arrays.asList("volume-123"));
@@ -148,6 +153,7 @@ public void testExecuteWithVmExistsFalse() throws Exception {
         when(command.isVmExists()).thenReturn(false);
         when(command.getDiskType()).thenReturn("root");
         PrimaryDataStoreTO primaryDataStore = Mockito.mock(PrimaryDataStoreTO.class);
+        when(primaryDataStore.getPoolType()).thenReturn(Storage.StoragePoolType.NetworkFilesystem);
         when(command.getRestoreVolumePools()).thenReturn(Arrays.asList(primaryDataStore));
         when(command.getRestoreVolumePaths()).thenReturn(Arrays.asList("/var/lib/libvirt/images/volume-123"));
         when(command.getBackupFiles()).thenReturn(Arrays.asList("volume-123"));
@@ -185,7 +191,10 @@ public void testExecuteWithCifsMountType() throws Exception {
         when(command.getMountOptions()).thenReturn("username=user,password=pass");
         when(command.isVmExists()).thenReturn(null);
         when(command.getDiskType()).thenReturn("root");
+        when(command.getRestoreVolumeSizes()).thenReturn(Arrays.asList(1024L));
+        when(command.getWait()).thenReturn(60);
         PrimaryDataStoreTO primaryDataStore = Mockito.mock(PrimaryDataStoreTO.class);
+        when(primaryDataStore.getPoolType()).thenReturn(Storage.StoragePoolType.NetworkFilesystem);
         when(command.getRestoreVolumePools()).thenReturn(Arrays.asList(primaryDataStore));
         when(command.getRestoreVolumePaths()).thenReturn(Arrays.asList("/var/lib/libvirt/images/volume-123"));
         when(command.getBackupFiles()).thenReturn(Arrays.asList("volume-123"));
@@ -226,7 +235,10 @@ public void testExecuteWithMountFailure() throws Exception {
         lenient().when(command.getMountOptions()).thenReturn("rw");
         lenient().when(command.isVmExists()).thenReturn(null);
         lenient().when(command.getDiskType()).thenReturn("root");
+        lenient().when(command.getRestoreVolumeSizes()).thenReturn(Arrays.asList(1024L));
+        lenient().when(command.getWait()).thenReturn(60);
         PrimaryDataStoreTO primaryDataStore = Mockito.mock(PrimaryDataStoreTO.class);
+        lenient().when(primaryDataStore.getPoolType()).thenReturn(Storage.StoragePoolType.NetworkFilesystem);
         when(command.getRestoreVolumePools()).thenReturn(Arrays.asList(primaryDataStore));
         lenient().when(command.getRestoreVolumePaths()).thenReturn(Arrays.asList("/var/lib/libvirt/images/volume-123"));
         when(command.getBackupFiles()).thenReturn(Arrays.asList("volume-123"));
@@ -262,7 +274,10 @@ public void testExecuteWithBackupFileNotFound() throws Exception {
         when(command.getMountOptions()).thenReturn("rw");
         when(command.isVmExists()).thenReturn(null);
         when(command.getDiskType()).thenReturn("root");
+        when(command.getRestoreVolumeSizes()).thenReturn(Arrays.asList(1024L));
+        when(command.getWait()).thenReturn(60);
         PrimaryDataStoreTO primaryDataStore = Mockito.mock(PrimaryDataStoreTO.class);
+        when(primaryDataStore.getPoolType()).thenReturn(Storage.StoragePoolType.NetworkFilesystem);
         when(command.getRestoreVolumePools()).thenReturn(Arrays.asList(primaryDataStore));
         when(command.getRestoreVolumePaths()).thenReturn(Arrays.asList("/var/lib/libvirt/images/volume-123"));
         when(command.getBackupFiles()).thenReturn(Arrays.asList("volume-123"));
@@ -308,7 +323,10 @@ public void testExecuteWithCorruptBackupFile() throws Exception {
         when(command.getMountOptions()).thenReturn("rw");
         when(command.isVmExists()).thenReturn(null);
         when(command.getDiskType()).thenReturn("root");
+        when(command.getRestoreVolumeSizes()).thenReturn(Arrays.asList(1024L));
+        when(command.getWait()).thenReturn(60);
         PrimaryDataStoreTO primaryDataStore = Mockito.mock(PrimaryDataStoreTO.class);
+        when(primaryDataStore.getPoolType()).thenReturn(Storage.StoragePoolType.NetworkFilesystem);
         when(command.getRestoreVolumePools()).thenReturn(Arrays.asList(primaryDataStore));
         when(command.getRestoreVolumePaths()).thenReturn(Arrays.asList("/var/lib/libvirt/images/volume-123"));
         when(command.getBackupFiles()).thenReturn(Arrays.asList("volume-123"));
@@ -356,7 +374,10 @@ public void testExecuteWithRsyncFailure() throws Exception {
         when(command.getMountOptions()).thenReturn("rw");
         when(command.isVmExists()).thenReturn(null);
         when(command.getDiskType()).thenReturn("root");
+        when(command.getRestoreVolumeSizes()).thenReturn(Arrays.asList(1024L));
+        when(command.getWait()).thenReturn(60);
         PrimaryDataStoreTO primaryDataStore = Mockito.mock(PrimaryDataStoreTO.class);
+        when(primaryDataStore.getPoolType()).thenReturn(Storage.StoragePoolType.NetworkFilesystem);
         when(command.getRestoreVolumePools()).thenReturn(Arrays.asList(primaryDataStore));
         when(command.getRestoreVolumePaths()).thenReturn(Arrays.asList("/var/lib/libvirt/images/volume-123"));
         when(command.getBackupFiles()).thenReturn(Arrays.asList("volume-123"));
@@ -370,7 +391,15 @@ public void testExecuteWithRsyncFailure() throws Exception {
 
             try (MockedStatic<Script> scriptMock = mockStatic(Script.class)) {
                 scriptMock.when(() -> Script.runSimpleBashScriptForExitValue(anyString(), anyInt(), any(Boolean.class)))
-                        .thenReturn(0); // Mount success
+                        .thenAnswer(invocation -> {
+                            String command = invocation.getArgument(0);
+                            if (command.contains("mount")) {
+                                return 0; // mount success
+                            } else if (command.contains("rsync")) {
+                                return 1; // Rsync failure
+                            }
+                            return 0; // Other commands success
+                        });
                 scriptMock.when(() -> Script.runSimpleBashScriptForExitValue(anyString()))
                         .thenAnswer(invocation -> {
                             String command = invocation.getArgument(0);
@@ -378,8 +407,6 @@ public void testExecuteWithRsyncFailure() throws Exception {
                                 return 0; // File exists
                             } else if (command.contains("qemu-img check")) {
                                 return 0; // File is valid
-                            } else if (command.contains("rsync")) {
-                                return 1; // Rsync failure
                             }
                             return 0; // Other commands success
                         });
@@ -406,7 +433,10 @@ public void testExecuteWithAttachVolumeFailure() throws Exception {
         when(command.getMountOptions()).thenReturn("rw");
         when(command.isVmExists()).thenReturn(null);
         when(command.getDiskType()).thenReturn("root");
+        when(command.getRestoreVolumeSizes()).thenReturn(Arrays.asList(1024L));
+        when(command.getWait()).thenReturn(60);
         PrimaryDataStoreTO primaryDataStore = Mockito.mock(PrimaryDataStoreTO.class);
+        when(primaryDataStore.getPoolType()).thenReturn(Storage.StoragePoolType.NetworkFilesystem);
         when(command.getRestoreVolumePools()).thenReturn(Arrays.asList(primaryDataStore));
         when(command.getRestoreVolumePaths()).thenReturn(Arrays.asList("/var/lib/libvirt/images/volume-123"));
         when(command.getBackupFiles()).thenReturn(Arrays.asList("volume-123"));
@@ -420,7 +450,15 @@ public void testExecuteWithAttachVolumeFailure() throws Exception {
 
             try (MockedStatic<Script> scriptMock = mockStatic(Script.class)) {
                 scriptMock.when(() -> Script.runSimpleBashScriptForExitValue(anyString(), anyInt(), any(Boolean.class)))
-                        .thenReturn(0); // Mount success
+                        .thenAnswer(invocation -> {
+                            String command = invocation.getArgument(0);
+                            if (command.contains("mount")) {
+                                return 0; // Mount success
+                            } else if (command.contains("rsync")) {
+                                return 0; // Rsync success
+                            }
+                            return 0; // Other commands success
+                        });
                 scriptMock.when(() -> Script.runSimpleBashScriptForExitValue(anyString()))
                         .thenAnswer(invocation -> {
                             String command = invocation.getArgument(0);
@@ -428,8 +466,6 @@ public void testExecuteWithAttachVolumeFailure() throws Exception {
                                 return 0; // File exists
                             } else if (command.contains("qemu-img check")) {
                                 return 0; // File is valid
-                            } else if (command.contains("rsync")) {
-                                return 0; // Rsync success
                             } else if (command.contains("virsh attach-disk")) {
                                 return 1; // Attach failure
                             }
@@ -460,7 +496,10 @@ public void testExecuteWithTempDirectoryCreationFailure() throws Exception {
         lenient().when(command.getMountOptions()).thenReturn("rw");
         lenient().when(command.isVmExists()).thenReturn(null);
         lenient().when(command.getDiskType()).thenReturn("root");
+        lenient().when(command.getRestoreVolumeSizes()).thenReturn(Arrays.asList(1024L));
+        lenient().when(command.getWait()).thenReturn(60);
         PrimaryDataStoreTO primaryDataStore = Mockito.mock(PrimaryDataStoreTO.class);
+        lenient().when(primaryDataStore.getPoolType()).thenReturn(Storage.StoragePoolType.NetworkFilesystem);
         when(command.getRestoreVolumePools()).thenReturn(Arrays.asList(primaryDataStore));
         lenient().when(command.getRestoreVolumePaths()).thenReturn(Arrays.asList("/var/lib/libvirt/images/volume-123"));
         when(command.getBackupFiles()).thenReturn(Arrays.asList("volume-123"));
@@ -492,6 +531,8 @@ public void testExecuteWithMultipleVolumes() throws Exception {
         when(command.getDiskType()).thenReturn("root");
         PrimaryDataStoreTO primaryDataStore1 = Mockito.mock(PrimaryDataStoreTO.class);
         PrimaryDataStoreTO primaryDataStore2 = Mockito.mock(PrimaryDataStoreTO.class);
+        when(primaryDataStore1.getPoolType()).thenReturn(Storage.StoragePoolType.NetworkFilesystem);
+        when(primaryDataStore2.getPoolType()).thenReturn(Storage.StoragePoolType.NetworkFilesystem);
         when(command.getRestoreVolumePools()).thenReturn(Arrays.asList(
                 primaryDataStore1,
                 primaryDataStore2
@@ -510,10 +551,10 @@ public void testExecuteWithMultipleVolumes() throws Exception {
             filesMock.when(() -> Files.createTempDirectory(anyString())).thenReturn(tempPath);
 
             try (MockedStatic<Script> scriptMock = mockStatic(Script.class)) {
-                scriptMock.when(() -> Script.runSimpleBashScriptForExitValue(anyString(), anyInt(), any(Boolean.class)))
-                        .thenReturn(0); // Mount success
                 scriptMock.when(() -> Script.runSimpleBashScriptForExitValue(anyString()))
-                        .thenReturn(0); // All other commands success
+                        .thenReturn(0); // All commands success
+                scriptMock.when(() -> Script.runSimpleBashScriptForExitValue(anyString(), anyInt(), any(Boolean.class)))
+                        .thenReturn(0); // All commands success
 
                 filesMock.when(() -> Files.deleteIfExists(any(Path.class))).thenReturn(true);
 
diff --git a/plugins/hypervisors/kvm/src/test/java/org/apache/cloudstack/utils/qemu/QemuImgTest.java b/plugins/hypervisors/kvm/src/test/java/org/apache/cloudstack/utils/qemu/QemuImgTest.java
index 5a0274257764..140302590ba2 100644
--- a/plugins/hypervisors/kvm/src/test/java/org/apache/cloudstack/utils/qemu/QemuImgTest.java
+++ b/plugins/hypervisors/kvm/src/test/java/org/apache/cloudstack/utils/qemu/QemuImgTest.java
@@ -57,7 +57,7 @@ public static void setUp() {
             Connect conn = new Connect("qemu:///system", false);
             conn.getVersion();
             libVirtAvailable = true;
-        } catch (LibvirtException ignored) {}
+        } catch (LibvirtException | UnsatisfiedLinkError | ExceptionInInitializerError ignored) {}
         Assume.assumeTrue("libvirt not available", libVirtAvailable);
     }
 
diff --git a/plugins/hypervisors/simulator/src/main/java/com/cloud/ha/SimulatorInvestigator.java b/plugins/hypervisors/simulator/src/main/java/com/cloud/ha/SimulatorInvestigator.java
index 7114a8411578..95a6a1291cf1 100644
--- a/plugins/hypervisors/simulator/src/main/java/com/cloud/ha/SimulatorInvestigator.java
+++ b/plugins/hypervisors/simulator/src/main/java/com/cloud/ha/SimulatorInvestigator.java
@@ -54,13 +54,13 @@ protected SimulatorInvestigator() {
     }
 
     @Override
-    public Status isAgentAlive(Host agent) {
+    public Status getHostAgentStatus(Host agent) {
         if (agent.getHypervisorType() != HypervisorType.Simulator) {
             return null;
         }
 
         if (haManager.isHAEligible(agent)) {
-            return haManager.getHostStatus(agent);
+            return haManager.getHostStatusFromHAConfig(agent);
         }
 
         CheckOnHostCommand cmd = new CheckOnHostCommand(agent);
diff --git a/plugins/hypervisors/vmware/src/main/java/com/cloud/ha/VmwareInvestigator.java b/plugins/hypervisors/vmware/src/main/java/com/cloud/ha/VmwareInvestigator.java
index 5bfc18968430..3d4fab0d229e 100644
--- a/plugins/hypervisors/vmware/src/main/java/com/cloud/ha/VmwareInvestigator.java
+++ b/plugins/hypervisors/vmware/src/main/java/com/cloud/ha/VmwareInvestigator.java
@@ -28,7 +28,7 @@ protected VmwareInvestigator() {
     }
 
     @Override
-    public Status isAgentAlive(Host agent) {
+    public Status getHostAgentStatus(Host agent) {
         if (agent.getHypervisorType() == HypervisorType.VMware)
             return Status.Disconnected;
 
diff --git a/plugins/integrations/kubernetes-service/pom.xml b/plugins/integrations/kubernetes-service/pom.xml
index 6b5cec95aab9..f638dbde7f3b 100644
--- a/plugins/integrations/kubernetes-service/pom.xml
+++ b/plugins/integrations/kubernetes-service/pom.xml
@@ -124,16 +124,6 @@
             <version>${cs.hamcrest.version}</version>
             <scope>test</scope>
         </dependency>
-        <dependency>
-            <groupId>org.bouncycastle</groupId>
-            <artifactId>bcprov-jdk15on</artifactId>
-            <version>${cs.bcprov.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.bouncycastle</groupId>
-            <artifactId>bctls-jdk15on</artifactId>
-            <version>${cs.bcprov.version}</version>
-        </dependency>
         <dependency>
             <groupId>joda-time</groupId>
             <artifactId>joda-time</artifactId>
diff --git a/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/actionworkers/KubernetesClusterResourceModifierActionWorker.java b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/actionworkers/KubernetesClusterResourceModifierActionWorker.java
index 1ed75f14dfb1..1ca86ed8c832 100644
--- a/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/actionworkers/KubernetesClusterResourceModifierActionWorker.java
+++ b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/actionworkers/KubernetesClusterResourceModifierActionWorker.java
@@ -581,7 +581,7 @@ protected FirewallRule removeSshFirewallRule(final IpAddress publicIp, final lon
         List<FirewallRuleVO> firewallRules = firewallRulesDao.listByIpPurposeProtocolAndNotRevoked(publicIp.getId(), FirewallRule.Purpose.Firewall, NetUtils.TCP_PROTO);
         for (FirewallRuleVO firewallRule : firewallRules) {
             PortForwardingRuleVO pfRule = portForwardingRulesDao.findByNetworkAndPorts(networkId, firewallRule.getSourcePortStart(), firewallRule.getSourcePortEnd());
-            if (firewallRule.getSourcePortStart() == CLUSTER_NODES_DEFAULT_START_SSH_PORT || (Objects.nonNull(pfRule) && pfRule.getDestinationPortStart() == DEFAULT_SSH_PORT) ) {
+            if (Objects.equals(firewallRule.getSourcePortStart(), CLUSTER_NODES_DEFAULT_START_SSH_PORT) || (Objects.nonNull(pfRule) && pfRule.getDestinationPortStart() == DEFAULT_SSH_PORT) ) {
                 rule = firewallRule;
                 firewallService.revokeIngressFwRule(firewallRule.getId(), true);
                 logger.debug("The SSH firewall rule {} with the id {} was revoked", firewallRule.getName(), firewallRule.getId());
diff --git a/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/actionworkers/KubernetesClusterScaleWorker.java b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/actionworkers/KubernetesClusterScaleWorker.java
index c623426b137a..78c183619f6b 100644
--- a/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/actionworkers/KubernetesClusterScaleWorker.java
+++ b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/actionworkers/KubernetesClusterScaleWorker.java
@@ -135,10 +135,14 @@ private void scaleKubernetesClusterIsolatedNetworkRules(final List<Long> cluster
 
         // Remove existing SSH firewall rules
         FirewallRule firewallRule = removeSshFirewallRule(publicIp, network.getId());
+        int existingFirewallRuleSourcePortEnd;
         if (firewallRule == null) {
-            throw new ManagementServerException("Firewall rule for node SSH access can't be provisioned");
+            logger.warn("SSH firewall rule not found for Kubernetes cluster: {}. It may have been manually deleted or modified.", kubernetesCluster.getName());
+            existingFirewallRuleSourcePortEnd = CLUSTER_NODES_DEFAULT_START_SSH_PORT + clusterVMIds.size() - 1;
+        } else {
+            existingFirewallRuleSourcePortEnd = firewallRule.getSourcePortEnd();
         }
-        int existingFirewallRuleSourcePortEnd = firewallRule.getSourcePortEnd();
+
         try {
             removePortForwardingRules(publicIp, network, owner, CLUSTER_NODES_DEFAULT_START_SSH_PORT, existingFirewallRuleSourcePortEnd);
         } catch (ResourceUnavailableException e) {
diff --git a/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/utils/KubernetesClusterUtil.java b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/utils/KubernetesClusterUtil.java
index 00625f6e076d..023fc9ec7fad 100644
--- a/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/utils/KubernetesClusterUtil.java
+++ b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/utils/KubernetesClusterUtil.java
@@ -171,11 +171,20 @@ public static boolean isKubernetesClusterDashboardServiceRunning(final Kubernete
         // Check if dashboard service is up running.
         while (System.currentTimeMillis() < timeoutTime) {
             if (LOGGER.isDebugEnabled()) {
-                LOGGER.debug(String.format("Checking dashboard service for the Kubernetes cluster: %s to come up", kubernetesCluster));
+                LOGGER.debug(String.format("Checking dashboard service (Kubernetes Dashboard or Headlamp) for the Kubernetes cluster: %s to come up", kubernetesCluster));
             }
+            // Check for Headlamp (new dashboard) in kube-system namespace
+            if (isKubernetesClusterAddOnServiceRunning(kubernetesCluster, ipAddress, port, user, sshKeyFile, "kube-system", "headlamp")) {
+                if (LOGGER.isInfoEnabled()) {
+                    LOGGER.info(String.format("Headlamp dashboard service for the Kubernetes cluster %s is in running state", kubernetesCluster));
+                }
+                running = true;
+                break;
+            }
+            // For backward compatibility, check for Kubernetes Dashboard in kubernetes-dashboard namespace
             if (isKubernetesClusterAddOnServiceRunning(kubernetesCluster, ipAddress, port, user, sshKeyFile, "kubernetes-dashboard", "kubernetes-dashboard")) {
                 if (LOGGER.isInfoEnabled()) {
-                    LOGGER.info(String.format("Dashboard service for the Kubernetes cluster %s is in running state", kubernetesCluster));
+                    LOGGER.info(String.format("Kubernetes Dashboard service for the Kubernetes cluster %s is in running state", kubernetesCluster));
                 }
                 running = true;
                 break;
diff --git a/plugins/integrations/kubernetes-service/src/main/resources/conf/k8s-control-node.yml b/plugins/integrations/kubernetes-service/src/main/resources/conf/k8s-control-node.yml
index 70291dd1c35a..4db349ac778a 100644
--- a/plugins/integrations/kubernetes-service/src/main/resources/conf/k8s-control-node.yml
+++ b/plugins/integrations/kubernetes-service/src/main/resources/conf/k8s-control-node.yml
@@ -331,16 +331,29 @@ write_files:
         if [[ ${EXTERNAL_CNI_PLUGIN} == false ]]; then
           /opt/bin/kubectl apply -f ${K8S_CONFIG_SCRIPTS_COPY_DIR}/network.yaml
         fi
-        /opt/bin/kubectl apply -f ${K8S_CONFIG_SCRIPTS_COPY_DIR}/dashboard.yaml
+        if [ -f "${K8S_CONFIG_SCRIPTS_COPY_DIR}/headlamp.yaml" ]; then
+          echo "Installing Headlamp dashboard from ISO"
+          /opt/bin/kubectl apply -f ${K8S_CONFIG_SCRIPTS_COPY_DIR}/headlamp.yaml
+        elif [ -f "${K8S_CONFIG_SCRIPTS_COPY_DIR}/dashboard.yaml" ]; then
+          echo "Installing Kubernetes Dashboard from ISO"
+          /opt/bin/kubectl apply -f ${K8S_CONFIG_SCRIPTS_COPY_DIR}/dashboard.yaml
+          /opt/bin/kubectl create rolebinding admin-binding --role=admin --user=admin || true
+          /opt/bin/kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user=admin || true
+          /opt/bin/kubectl create clusterrolebinding kubernetes-dashboard-ui --clusterrole=cluster-admin --serviceaccount=kubernetes-dashboard:kubernetes-dashboard || true
+        else
+          echo "Warning: No dashboard YAML found in ISO (neither headlamp.yaml nor dashboard.yaml)"
+        fi
         rm -rf "${K8S_CONFIG_SCRIPTS_COPY_DIR}"
       else
+        ### Online installation - use Headlamp by default ###
         /opt/bin/kubectl apply -f "https://cloud.weave.works/k8s/net?k8s-version=$(/opt/bin/kubectl version | base64 | tr -d '\n')"
-        /opt/bin/kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-beta6/aio/deploy/recommended.yaml
+        /opt/bin/kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/headlamp/v0.40.1/kubernetes-headlamp.yaml
+        /opt/bin/kubectl create serviceaccount headlamp-admin -n kube-system || true
+        /opt/bin/kubectl create clusterrolebinding headlamp-admin --clusterrole=cluster-admin --serviceaccount=kube-system:headlamp-admin || true
       fi
 
       /opt/bin/kubectl create rolebinding admin-binding --role=admin --user=admin || true
       /opt/bin/kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user=admin || true
-      /opt/bin/kubectl create clusterrolebinding kubernetes-dashboard-ui --clusterrole=cluster-admin --serviceaccount=kubernetes-dashboard:kubernetes-dashboard || true
 
       sudo touch /home/cloud/success
       echo "true" > /home/cloud/success
diff --git a/plugins/network-elements/elastic-loadbalancer/src/main/java/com/cloud/network/lb/ElasticLoadBalancerManagerImpl.java b/plugins/network-elements/elastic-loadbalancer/src/main/java/com/cloud/network/lb/ElasticLoadBalancerManagerImpl.java
index a8a6a58c098d..9dc083015c3b 100644
--- a/plugins/network-elements/elastic-loadbalancer/src/main/java/com/cloud/network/lb/ElasticLoadBalancerManagerImpl.java
+++ b/plugins/network-elements/elastic-loadbalancer/src/main/java/com/cloud/network/lb/ElasticLoadBalancerManagerImpl.java
@@ -214,7 +214,8 @@ private void createApplyLoadBalancingRulesCommands(List<LoadBalancingRule> rules
             maxconn = offering.getConcurrentConnections().toString();
         }
         LoadBalancerConfigCommand cmd = new LoadBalancerConfigCommand(lbs, elbVm.getPublicIpAddress(), _nicDao.getIpAddress(guestNetworkId, elbVm.getId()),
-                elbVm.getPrivateIpAddress(), null, null, maxconn, offering.isKeepAliveEnabled());
+                elbVm.getPrivateIpAddress(), null, null, maxconn, offering.isKeepAliveEnabled(),
+                NetworkOrchestrationService.NETWORK_LB_HAPROXY_IDLE_TIMEOUT.value());
         cmd.setAccessDetail(NetworkElementCommand.ROUTER_IP, elbVm.getPrivateIpAddress());
         cmd.setAccessDetail(NetworkElementCommand.ROUTER_NAME, elbVm.getInstanceName());
         //FIXME: why are we setting attributes directly? Ick!! There should be accessors and
diff --git a/plugins/network-elements/internal-loadbalancer/src/main/java/org/apache/cloudstack/network/lb/InternalLoadBalancerVMManagerImpl.java b/plugins/network-elements/internal-loadbalancer/src/main/java/org/apache/cloudstack/network/lb/InternalLoadBalancerVMManagerImpl.java
index 2f540a5935c6..cda139b5a62b 100644
--- a/plugins/network-elements/internal-loadbalancer/src/main/java/org/apache/cloudstack/network/lb/InternalLoadBalancerVMManagerImpl.java
+++ b/plugins/network-elements/internal-loadbalancer/src/main/java/org/apache/cloudstack/network/lb/InternalLoadBalancerVMManagerImpl.java
@@ -513,7 +513,8 @@ private void createApplyLoadBalancingRulesCommands(final List<LoadBalancingRule>
         }
         final LoadBalancerConfigCommand cmd =
                 new LoadBalancerConfigCommand(lbs, guestNic.getIPv4Address(), guestNic.getIPv4Address(), internalLbVm.getPrivateIpAddress(), _itMgr.toNicTO(guestNicProfile,
-                        internalLbVm.getHypervisorType()), internalLbVm.getVpcId(), maxconn, offering.isKeepAliveEnabled());
+                        internalLbVm.getHypervisorType()), internalLbVm.getVpcId(), maxconn, offering.isKeepAliveEnabled(),
+                        NetworkOrchestrationService.NETWORK_LB_HAPROXY_IDLE_TIMEOUT.value());
 
         cmd.lbStatsVisibility = _configDao.getValue(Config.NetworkLBHaproxyStatsVisbility.key());
         cmd.lbStatsUri = _configDao.getValue(Config.NetworkLBHaproxyStatsUri.key());
diff --git a/plugins/network-elements/juniper-contrail/src/test/java/org/apache/cloudstack/network/contrail/management/MockAccountManager.java b/plugins/network-elements/juniper-contrail/src/test/java/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
index 7953a6a27cdf..d9f4963165ec 100644
--- a/plugins/network-elements/juniper-contrail/src/test/java/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
+++ b/plugins/network-elements/juniper-contrail/src/test/java/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
@@ -485,6 +485,12 @@ public Long finalizeAccountId(String accountName, Long domainId, Long projectId,
         return null;
     }
 
+    @Override
+    public Long finalizeAccountId(Long accountId, String accountName, Long domainId, Long projectId) {
+        // TODO Auto-generated method stub
+        return null;
+    }
+
     @Override
     public void checkAccess(Account account, ServiceOffering so, DataCenter zone) throws PermissionDeniedException {
         // TODO Auto-generated method stub
diff --git a/plugins/network-elements/nsx/src/main/java/org/apache/cloudstack/agent/api/DeleteNsxNatRuleCommand.java b/plugins/network-elements/nsx/src/main/java/org/apache/cloudstack/agent/api/DeleteNsxNatRuleCommand.java
index c5231b19ac40..b642df856185 100644
--- a/plugins/network-elements/nsx/src/main/java/org/apache/cloudstack/agent/api/DeleteNsxNatRuleCommand.java
+++ b/plugins/network-elements/nsx/src/main/java/org/apache/cloudstack/agent/api/DeleteNsxNatRuleCommand.java
@@ -54,6 +54,13 @@ public String getProtocol() {
         return protocol;
     }
 
+    public String getNetworkServiceName() {
+        if (service != null) {
+            return service.getName();
+        }
+        return null;
+    }
+
     @Override
     public boolean equals(Object o) {
         if (this == o) {
diff --git a/plugins/network-elements/nsx/src/main/java/org/apache/cloudstack/resource/NsxResource.java b/plugins/network-elements/nsx/src/main/java/org/apache/cloudstack/resource/NsxResource.java
index 76815b0deebe..78a9363a5e49 100644
--- a/plugins/network-elements/nsx/src/main/java/org/apache/cloudstack/resource/NsxResource.java
+++ b/plugins/network-elements/nsx/src/main/java/org/apache/cloudstack/resource/NsxResource.java
@@ -415,10 +415,10 @@ private NsxAnswer executeRequest(CreateNsxPortForwardRuleCommand cmd) {
 
     private NsxAnswer executeRequest(DeleteNsxNatRuleCommand cmd) {
         String ruleName = null;
-        if (cmd.getService() == Network.Service.StaticNat) {
+        if (Network.Service.StaticNat.getName().equals(cmd.getNetworkServiceName())) {
             ruleName = NsxControllerUtils.getStaticNatRuleName(cmd.getDomainId(), cmd.getAccountId(), cmd.getZoneId(),
                     cmd.getNetworkResourceId(), cmd.isResourceVpc());
-        } else if (cmd.getService() == Network.Service.PortForwarding) {
+        } else if (Network.Service.PortForwarding.getName().equals(cmd.getNetworkServiceName())) {
             ruleName = NsxControllerUtils.getPortForwardRuleName(cmd.getDomainId(), cmd.getAccountId(), cmd.getZoneId(),
                     cmd.getNetworkResourceId(), cmd.getRuleId(), cmd.isResourceVpc());
         }
@@ -456,7 +456,7 @@ private NsxAnswer executeRequest(DeleteNsxLoadBalancerRuleCommand cmd) {
         try {
             nsxApiClient.deleteNsxLbResources(tier1GatewayName, cmd.getLbId());
         } catch (Exception e) {
-            logger.error(String.format("Failed to add NSX load balancer rule %s for network: %s", ruleName, cmd.getNetworkResourceName()));
+            logger.error(String.format("Failed to delete NSX load balancer rule %s for network: %s", ruleName, cmd.getNetworkResourceName()));
             return new NsxAnswer(cmd, new CloudRuntimeException(e.getMessage()));
         }
         return new NsxAnswer(cmd, true, null);
diff --git a/plugins/network-elements/nsx/src/main/java/org/apache/cloudstack/service/NsxApiClient.java b/plugins/network-elements/nsx/src/main/java/org/apache/cloudstack/service/NsxApiClient.java
index 7ad27c4a6356..4d78f2a0ab26 100644
--- a/plugins/network-elements/nsx/src/main/java/org/apache/cloudstack/service/NsxApiClient.java
+++ b/plugins/network-elements/nsx/src/main/java/org/apache/cloudstack/service/NsxApiClient.java
@@ -44,6 +44,7 @@
 import com.vmware.nsx_policy.infra.tier_1s.nat.NatRules;
 import com.vmware.nsx_policy.model.ApiError;
 import com.vmware.nsx_policy.model.DhcpRelayConfig;
+import com.vmware.nsx_policy.model.EnforcementPoint;
 import com.vmware.nsx_policy.model.EnforcementPointListResult;
 import com.vmware.nsx_policy.model.Group;
 import com.vmware.nsx_policy.model.GroupListResult;
@@ -64,12 +65,13 @@
 import com.vmware.nsx_policy.model.PolicyGroupMembersListResult;
 import com.vmware.nsx_policy.model.PolicyNatRule;
 import com.vmware.nsx_policy.model.PolicyNatRuleListResult;
+import com.vmware.nsx_policy.model.PolicyGroupMemberDetails;
 import com.vmware.nsx_policy.model.Rule;
 import com.vmware.nsx_policy.model.SecurityPolicy;
 import com.vmware.nsx_policy.model.Segment;
 import com.vmware.nsx_policy.model.SegmentSubnet;
 import com.vmware.nsx_policy.model.ServiceListResult;
-import com.vmware.nsx_policy.model.SiteListResult;
+import com.vmware.nsx_policy.model.Site;
 import com.vmware.nsx_policy.model.Tier1;
 import com.vmware.vapi.bindings.Service;
 import com.vmware.vapi.bindings.Structure;
@@ -83,6 +85,7 @@
 import com.vmware.vapi.internal.protocol.client.rest.authn.BasicAuthenticationAppender;
 import com.vmware.vapi.protocol.HttpConfiguration;
 import com.vmware.vapi.std.errors.Error;
+import com.vmware.vapi.std.errors.NotFound;
 import org.apache.cloudstack.resource.NsxLoadBalancerMember;
 import org.apache.cloudstack.resource.NsxNetworkRule;
 import org.apache.cloudstack.utils.NsxControllerUtils;
@@ -96,9 +99,12 @@
 import java.util.Locale;
 import java.util.Objects;
 import java.util.Optional;
+import java.util.Set;
 import java.util.function.Function;
+import java.util.function.Predicate;
 import java.util.stream.Collectors;
 
+import static java.util.stream.Collectors.toSet;
 import static org.apache.cloudstack.utils.NsxControllerUtils.getServerPoolMemberName;
 import static org.apache.cloudstack.utils.NsxControllerUtils.getServerPoolName;
 import static org.apache.cloudstack.utils.NsxControllerUtils.getServiceName;
@@ -282,16 +288,18 @@ private Tier1 getTier1Gateway(String tier1GatewayId) {
             Tier1s tier1service = (Tier1s) nsxService.apply(Tier1s.class);
             return tier1service.get(tier1GatewayId);
         } catch (Exception e) {
-            logger.debug(String.format("NSX Tier-1 gateway with name: %s not found", tier1GatewayId));
+            logger.debug("NSX Tier-1 gateway with name: {} not found", tier1GatewayId);
         }
         return null;
     }
 
-    private List<com.vmware.nsx_policy.model.LocaleServices> getTier0LocalServices(String tier0Gateway) {
+    private Optional<com.vmware.nsx_policy.model.LocaleServices> findTier0LocalServices(String tier0Gateway) {
         try {
             LocaleServices tier0LocaleServices = (LocaleServices) nsxService.apply(LocaleServices.class);
-            LocaleServicesListResult result = tier0LocaleServices.list(tier0Gateway, null, false, null, null, null, null);
-            return result.getResults();
+            LocaleServicesListResult result = tier0LocaleServices.list(tier0Gateway, null, false, null, 1L, null, null);
+            return Optional.ofNullable(result.getResults())
+                    .filter(Predicate.not(List::isEmpty))
+                    .map(l -> l.get(0));
         } catch (Exception e) {
             throw new CloudRuntimeException(String.format("Failed to fetch locale services for tier gateway %s due to %s", tier0Gateway, e.getMessage()));
         }
@@ -302,10 +310,13 @@ private List<com.vmware.nsx_policy.model.LocaleServices> getTier0LocalServices(S
      */
     private void createTier1LocaleServices(String tier1Id, String edgeCluster, String tier0Gateway) {
         try {
-            List<com.vmware.nsx_policy.model.LocaleServices> localeServices = getTier0LocalServices(tier0Gateway);
+            Optional<com.vmware.nsx_policy.model.LocaleServices> localeServices = findTier0LocalServices(tier0Gateway);
+            if (localeServices.isEmpty()) {
+                throw new CloudRuntimeException(String.format("Failed to find locale services for tier-0 gateway %s", tier0Gateway));
+            }
             com.vmware.nsx_policy.infra.tier_1s.LocaleServices tier1LocalService = (com.vmware.nsx_policy.infra.tier_1s.LocaleServices) nsxService.apply(com.vmware.nsx_policy.infra.tier_1s.LocaleServices.class);
             com.vmware.nsx_policy.model.LocaleServices localeService = new com.vmware.nsx_policy.model.LocaleServices.Builder()
-                    .setEdgeClusterPath(localeServices.get(0).getEdgeClusterPath()).build();
+                    .setEdgeClusterPath(localeServices.get().getEdgeClusterPath()).build();
             tier1LocalService.patch(tier1Id, TIER_1_LOCALE_SERVICE_ID, localeService);
         } catch (Error error) {
             throw new CloudRuntimeException(String.format("Failed to instantiate tier-1 gateway %s in edge cluster %s", tier1Id, edgeCluster));
@@ -327,7 +338,7 @@ public void createTier1Gateway(String name, String tier0Gateway, String edgeClus
         String tier0GatewayPath = TIER_0_GATEWAY_PATH_PREFIX + tier0Gateway;
         Tier1 tier1 = getTier1Gateway(name);
         if (tier1 != null) {
-            logger.info(String.format("VPC network with name %s exists in NSX zone", name));
+            logger.info("VPC network with name {} exists in NSX zone", name);
             return;
         }
 
@@ -359,7 +370,7 @@ public void deleteTier1Gateway(String tier1Id) {
         com.vmware.nsx_policy.infra.tier_1s.LocaleServices localeService = (com.vmware.nsx_policy.infra.tier_1s.LocaleServices)
                 nsxService.apply(com.vmware.nsx_policy.infra.tier_1s.LocaleServices.class);
         if (getTier1Gateway(tier1Id) == null) {
-            logger.warn(String.format("The Tier 1 Gateway %s does not exist, cannot be removed", tier1Id));
+            logger.warn("The Tier 1 Gateway {} does not exist, cannot be removed", tier1Id);
             return;
         }
         removeTier1GatewayNatRules(tier1Id);
@@ -370,13 +381,21 @@ public void deleteTier1Gateway(String tier1Id) {
 
     private void removeTier1GatewayNatRules(String tier1Id) {
         NatRules natRulesService = (NatRules) nsxService.apply(NatRules.class);
-        PolicyNatRuleListResult result = natRulesService.list(tier1Id, NAT_ID, null, false, null, null, null, null);
-        List<PolicyNatRule> natRules = result.getResults();
+        List<PolicyNatRule> natRules = PagedFetcher.<PolicyNatRuleListResult, PolicyNatRule>withPageFetcher(
+                cursor -> natRulesService.list(tier1Id, NAT_ID, cursor, false, null, null, null, null)
+                ).cursorExtractor(PolicyNatRuleListResult::getCursor)
+                .itemsExtractor(PolicyNatRuleListResult::getResults)
+                .itemsSetter((page, allItems) -> {
+                    page.setResults(allItems);
+                    page.setResultCount((long) allItems.size());
+                })
+                .fetchAll()
+                .getResults();
         if (CollectionUtils.isEmpty(natRules)) {
-            logger.debug(String.format("Didn't find any NAT rule to remove on the Tier 1 Gateway %s", tier1Id));
+            logger.debug("Didn't find any NAT rule to remove on the Tier 1 Gateway {}", tier1Id);
         } else {
             for (PolicyNatRule natRule : natRules) {
-                logger.debug(String.format("Removing NAT rule %s from Tier 1 Gateway %s", natRule.getId(), tier1Id));
+                logger.debug("Removing NAT rule {} from Tier 1 Gateway {}", natRule.getId(), tier1Id);
                 natRulesService.delete(tier1Id, NAT_ID, natRule.getId());
             }
         }
@@ -384,38 +403,45 @@ private void removeTier1GatewayNatRules(String tier1Id) {
     }
 
     public String getDefaultSiteId() {
-        SiteListResult sites = getSites();
-        if (CollectionUtils.isEmpty(sites.getResults())) {
+        Optional<Site> site = findFirstSite();
+        if (site.isEmpty()) {
             String errorMsg = "No sites are found in the linked NSX infrastructure";
             logger.error(errorMsg);
             throw new CloudRuntimeException(errorMsg);
         }
-        return sites.getResults().get(0).getId();
+        return site.get().getId();
     }
 
-    protected SiteListResult getSites() {
+    protected Optional<Site> findFirstSite() {
         try {
             Sites sites = (Sites) nsxService.apply(Sites.class);
-            return sites.list(null, false, null, null, null, null);
+            List<Site> siteList = sites.list(null, false, null, 1L, null, null)
+                    .getResults();
+            return Optional.ofNullable(siteList)
+                    .filter(Predicate.not(List::isEmpty))
+                    .map(l -> l.get(0));
         } catch (Exception e) {
             throw new CloudRuntimeException(String.format("Failed to fetch sites list due to %s", e.getMessage()));
         }
     }
 
     public String getDefaultEnforcementPointPath(String siteId) {
-        EnforcementPointListResult epList = getEnforcementPoints(siteId);
-        if (CollectionUtils.isEmpty(epList.getResults())) {
+        Optional<EnforcementPoint> ep = findFirstEnforcementPoint(siteId);
+        if (ep.isEmpty()) {
             String errorMsg = String.format("No enforcement points are found in the linked NSX infrastructure for site ID %s", siteId);
             logger.error(errorMsg);
             throw new CloudRuntimeException(errorMsg);
         }
-        return epList.getResults().get(0).getPath();
+        return ep.get().getPath();
     }
 
-    protected EnforcementPointListResult getEnforcementPoints(String siteId) {
+    protected Optional<EnforcementPoint> findFirstEnforcementPoint(String siteId) {
         try {
             EnforcementPoints enforcementPoints = (EnforcementPoints) nsxService.apply(EnforcementPoints.class);
-            return enforcementPoints.list(siteId, null, false, null, null, null, null);
+            EnforcementPointListResult result = enforcementPoints.list(siteId, null, false, null, 1L, null, null);
+            return Optional.ofNullable(result.getResults())
+                    .filter(Predicate.not(List::isEmpty))
+                    .map(l -> l.get(0));
         } catch (Exception e) {
             throw new CloudRuntimeException(String.format("Failed to fetch enforcement points due to %s", e.getMessage()));
         }
@@ -424,7 +450,15 @@ protected EnforcementPointListResult getEnforcementPoints(String siteId) {
     public TransportZoneListResult getTransportZones() {
         try {
             com.vmware.nsx.TransportZones transportZones = (com.vmware.nsx.TransportZones) nsxService.apply(com.vmware.nsx.TransportZones.class);
-            return transportZones.list(null, null, true, null, null, null, null, null, TransportType.OVERLAY.name(), null);
+            return PagedFetcher.<TransportZoneListResult, TransportZone>withPageFetcher(
+                    cursor -> transportZones.list(cursor, null, true, null, null, null, null, null, TransportType.OVERLAY.name(), null)
+                    ).cursorExtractor(TransportZoneListResult::getCursor)
+                    .itemsExtractor(TransportZoneListResult::getResults)
+                    .itemsSetter((page, allItems) -> {
+                        page.setResults(allItems);
+                        page.setResultCount((long) allItems.size());
+                    })
+                    .fetchAll();
         } catch (Exception e) {
             throw new CloudRuntimeException(String.format("Failed to fetch transport zones due to %s", e.getMessage()));
         }
@@ -465,7 +499,7 @@ public void deleteSegment(long zoneId, long domainId, long accountId, Long vpcId
             removeSegment(segmentName, zoneId);
             DhcpRelayConfigs dhcpRelayConfig = (DhcpRelayConfigs) nsxService.apply(DhcpRelayConfigs.class);
             String dhcpRelayConfigId = NsxControllerUtils.getNsxDhcpRelayConfigId(zoneId, domainId, accountId, vpcId, networkId);
-            logger.debug(String.format("Removing the DHCP relay config with ID %s", dhcpRelayConfigId));
+            logger.debug("Removing the DHCP relay config with ID {}", dhcpRelayConfigId);
             dhcpRelayConfig.delete(dhcpRelayConfigId);
         } catch (Error error) {
             ApiError ae = error.getData()._convertTo(ApiError.class);
@@ -476,7 +510,7 @@ public void deleteSegment(long zoneId, long domainId, long accountId, Long vpcId
     }
 
     protected void removeSegment(String segmentName, long zoneId) {
-        logger.debug(String.format("Removing the segment with ID %s", segmentName));
+        logger.debug("Removing the segment with ID {}", segmentName);
         Segments segmentService = (Segments) nsxService.apply(Segments.class);
         String errMsg = String.format("The segment with ID %s is not found, skipping removal", segmentName);
         try {
@@ -498,7 +532,7 @@ protected void removeSegment(String segmentName, long zoneId) {
             portCount = retrySegmentDeletion(segmentPortsService, segmentName, enforcementPointPath, zoneId);
         }
         if (portCount == 0L) {
-            logger.debug(String.format("Removing the segment with ID %s", segmentName));
+            logger.debug("Removing the segment with ID {}", segmentName);
             removeGroupForSegment(segmentName);
             segmentService.delete(segmentName);
         } else {
@@ -509,8 +543,18 @@ protected void removeSegment(String segmentName, long zoneId) {
     }
 
     private PolicyGroupMembersListResult getSegmentPortList(SegmentPorts segmentPortsService, String segmentName, String enforcementPointPath) {
-        return segmentPortsService.list(DEFAULT_DOMAIN, segmentName, null, enforcementPointPath,
-                false, null, 50L, false, null);
+        return PagedFetcher.
+                <PolicyGroupMembersListResult, PolicyGroupMemberDetails>withPageFetcher(
+                cursor -> segmentPortsService.list(DEFAULT_DOMAIN, segmentName, cursor, enforcementPointPath,
+                        false, null, 50L, false, null)
+                )
+                .cursorExtractor(PolicyGroupMembersListResult::getCursor)
+                .itemsExtractor(PolicyGroupMembersListResult::getResults)
+                .itemsSetter((page, allItems) -> {
+                    page.setResults(allItems);
+                    page.setResultCount((long) allItems.size());
+                })
+                .fetchAll();
     }
 
     private Long retrySegmentDeletion(SegmentPorts segmentPortsService, String segmentName, String enforcementPointPath, long zoneId) {
@@ -546,7 +590,7 @@ public void createStaticNatRule(String vpcName, String tier1GatewayName,
                     .setEnabled(true)
                     .build();
 
-            logger.debug(String.format("Creating NSX static NAT rule %s for tier-1 gateway %s (VPC: %s)", ruleName, tier1GatewayName, vpcName));
+            logger.debug("Creating NSX static NAT rule {} for tier-1 gateway {} (VPC: {})", ruleName, tier1GatewayName, vpcName);
             natService.patch(tier1GatewayName, NatId.USER.name(), ruleName, rule);
         } catch (Error error) {
             ApiError ae = error.getData()._convertTo(ApiError.class);
@@ -582,8 +626,7 @@ public void deleteNatRule(Network.Service service, String privatePort, String pr
                 natService.delete(tier1GatewayName, NatId.USER.name(), ruleName);
             }
         } catch (Error error) {
-            String msg = String.format("Cannot find NAT rule with name %s: %s, skipping deletion", ruleName, error.getMessage());
-            logger.debug(msg);
+            logger.debug("Cannot find NAT rule with name {}: {}, skipping deletion", ruleName, error.getMessage());
         }
 
         if (service == Network.Service.PortForwarding) {
@@ -595,7 +638,7 @@ public void createPortForwardingRule(String ruleName, String tier1GatewayName, S
                                          String vmIp, String publicPort, String service) {
         try {
             NatRules natService = (NatRules) nsxService.apply(NatRules.class);
-            logger.debug(String.format("Creating NSX Port-Forwarding NAT %s for network %s", ruleName, networkName));
+            logger.debug("Creating NSX Port-Forwarding NAT {} for network {}", ruleName, networkName);
             PolicyNatRule rule = new PolicyNatRule.Builder()
                     .setId(ruleName)
                     .setDisplayName(ruleName)
@@ -656,9 +699,20 @@ List<LBPoolMember> getLbPoolMembers(List<NsxLoadBalancerMember> memberList, Stri
     public void createNsxLbServerPool(List<NsxLoadBalancerMember> memberList, String tier1GatewayName, String lbServerPoolName,
                                       String algorithm, String privatePort, String protocol) {
         try {
-            String activeMonitorPath = getLbActiveMonitorPath(lbServerPoolName, privatePort, protocol);
             List<LBPoolMember> members = getLbPoolMembers(memberList, tier1GatewayName);
             LbPools lbPools = (LbPools) nsxService.apply(LbPools.class);
+            Optional<LBPool> nsxLbServerPool = getNsxLbServerPool(lbPools, lbServerPoolName);
+            // Skip if pool exists and members unchanged
+            if (nsxLbServerPool.isPresent()) {
+                List<LBPoolMember> existingMembers = nsxLbServerPool
+                        .map(LBPool::getMembers)
+                        .orElseGet(List::of);
+                if (hasSamePoolMembers(existingMembers, members)) {
+                    logger.debug("Skipping patch for LB pool {} on Tier-1 {}: members unchanged", lbServerPoolName, tier1GatewayName);
+                    return;
+                }
+            }
+            String activeMonitorPath = getLbActiveMonitorPath(lbServerPoolName, privatePort, protocol);
             LBPool lbPool = new LBPool.Builder()
                     .setId(lbServerPoolName)
                     .setDisplayName(lbServerPoolName)
@@ -676,9 +730,52 @@ public void createNsxLbServerPool(List<NsxLoadBalancerMember> memberList, String
         }
     }
 
+    private Optional<LBPool> getNsxLbServerPool(LbPools lbPools, String lbServerPoolName) {
+        try {
+            return Optional.ofNullable(lbPools.get(lbServerPoolName));
+        } catch (NotFound e) {
+            logger.warn("Server Pool not found: {}", lbServerPoolName);
+            return Optional.empty();
+        }
+    }
+
+    private boolean hasSamePoolMembers(List<LBPoolMember> existingMembers, List<LBPoolMember> membersUpdate) {
+        Set<String> existingMembersSet = existingMembers.stream()
+                .map(this::buildPoolMemberKey)
+                .collect(toSet());
+        Set<String> updateMembersSet = membersUpdate.stream()
+                .map(this::buildPoolMemberKey)
+                .collect(toSet());
+
+        return existingMembersSet.size() == updateMembersSet.size()
+               && existingMembersSet.containsAll(updateMembersSet);
+    }
+
+    private String buildPoolMemberKey(LBPoolMember member) {
+        return member.getIpAddress() + ':' + member.getPort() + ':' + member.getDisplayName();
+    }
+
     private String getLbActiveMonitorPath(String lbServerPoolName, String port, String protocol) {
         LbMonitorProfiles lbActiveMonitor = (LbMonitorProfiles) nsxService.apply(LbMonitorProfiles.class);
         String lbMonitorProfileId = getActiveMonitorProfileName(lbServerPoolName, port, protocol);
+        Optional<Structure> monitorProfile = getMonitorProfile(lbActiveMonitor, lbMonitorProfileId);
+        if (monitorProfile.isEmpty()) {
+            patchMonitoringProfile(port, protocol, lbMonitorProfileId, lbActiveMonitor);
+            monitorProfile = getMonitorProfile(lbActiveMonitor, lbMonitorProfileId);
+        }
+        return monitorProfile.map(structure -> structure._getDataValue().getField("path").toString()).orElse(null);
+    }
+
+    private Optional<Structure> getMonitorProfile(LbMonitorProfiles lbActiveMonitor, String lbMonitorProfileId) {
+        try {
+            return Optional.ofNullable(lbActiveMonitor.get(lbMonitorProfileId));
+        } catch (NotFound e) {
+            logger.warn("LB Monitor Profile not found: {}", lbMonitorProfileId);
+            return Optional.empty();
+        }
+    }
+
+    private void patchMonitoringProfile(String port, String protocol, String lbMonitorProfileId, LbMonitorProfiles lbActiveMonitor) {
         if ("TCP".equals(protocol.toUpperCase(Locale.ROOT))) {
             LBTcpMonitorProfile lbTcpMonitorProfile = new LBTcpMonitorProfile.Builder(TCP_MONITOR_PROFILE)
                     .setDisplayName(lbMonitorProfileId)
@@ -691,14 +788,18 @@ private String getLbActiveMonitorPath(String lbServerPoolName, String port, Stri
                     .build();
             lbActiveMonitor.patch(lbMonitorProfileId, icmpMonitorProfile);
         }
-
-        LBMonitorProfileListResult listResult = listLBActiveMonitors(lbActiveMonitor);
-        Optional<Structure> monitorProfile = listResult.getResults().stream().filter(profile -> profile._getDataValue().getField("id").toString().equals(lbMonitorProfileId)).findFirst();
-        return monitorProfile.map(structure -> structure._getDataValue().getField("path").toString()).orElse(null);
     }
 
     LBMonitorProfileListResult listLBActiveMonitors(LbMonitorProfiles lbActiveMonitor) {
-        return lbActiveMonitor.list(null, false, null, null, null, null);
+        return PagedFetcher.<LBMonitorProfileListResult, Structure>withPageFetcher(
+                cursor -> lbActiveMonitor.list(cursor, false, null, null, null, null)
+                ).cursorExtractor(LBMonitorProfileListResult::getCursor)
+                .itemsExtractor(LBMonitorProfileListResult::getResults)
+                .itemsSetter((page, allItems) -> {
+                    page.setResults(allItems);
+                    page.setResultCount((long) allItems.size());
+                })
+                .fetchAll();
     }
 
     public void createNsxLoadBalancer(String tier1GatewayName) {
@@ -735,7 +836,7 @@ public void createAndAddNsxLbVirtualServer(String tier1GatewayName, long lbId, S
             String lbVirtualServerName = getVirtualServerName(tier1GatewayName, lbId);
             String lbServiceName = getLoadBalancerName(tier1GatewayName);
             LbVirtualServers lbVirtualServers = (LbVirtualServers) nsxService.apply(LbVirtualServers.class);
-            if (Objects.nonNull(getLbVirtualServerService(lbVirtualServers, lbServiceName))) {
+            if (Objects.nonNull(getLbVirtualServerService(lbVirtualServers, lbVirtualServerName))) {
                 return;
             }
             LBVirtualServer lbVirtualServer = new LBVirtualServer.Builder()
@@ -763,7 +864,7 @@ private LBVirtualServer getLbVirtualServerService(LbVirtualServers lbVirtualServ
                 return lbVirtualServer;
             }
         } catch (Exception e) {
-            logger.debug(String.format("Found an LB virtual server named: %s on NSX", lbVSName));
+            logger.debug("Found an LB virtual server named: {} on NSX", lbVSName);
             return null;
         }
         return null;
@@ -851,8 +952,15 @@ private String getLbPath(String lbServiceName) {
     private String getLbProfileForProtocol(String protocol) {
         try {
             LbAppProfiles lbAppProfiles = (LbAppProfiles) nsxService.apply(LbAppProfiles.class);
-            LBAppProfileListResult lbAppProfileListResults = lbAppProfiles.list(null, null,
-                    null, null, null, null);
+            LBAppProfileListResult lbAppProfileListResults = PagedFetcher.<LBAppProfileListResult, Structure>withPageFetcher(
+                            cursor -> lbAppProfiles.list(cursor, null, null, null, null, null)
+                    ).cursorExtractor(LBAppProfileListResult::getCursor)
+                    .itemsExtractor(LBAppProfileListResult::getResults)
+                    .itemsSetter((page, allItems) -> {
+                        page.setResults(allItems);
+                        page.setResultCount((long) allItems.size());
+                    })
+                    .fetchAll();
             Optional<Structure> appProfile = lbAppProfileListResults.getResults().stream().filter(profile -> profile._getDataValue().getField("path").toString().contains(protocol.toLowerCase(Locale.ROOT))).findFirst();
             return appProfile.map(structure -> structure._getDataValue().getField("path").toString()).orElse(null);
         } catch (Error error) {
@@ -868,7 +976,15 @@ public String getNsxInfraServices(String ruleName, String port, String protocol,
             Services service = (Services) nsxService.apply(Services.class);
 
             // Find default service if present
-            ServiceListResult serviceList = service.list(null, true, false, null, null, null, null);
+            ServiceListResult serviceList = PagedFetcher.<ServiceListResult, com.vmware.nsx_policy.model.Service>withPageFetcher(
+                            cursor -> service.list(cursor, true, false, null, null, null, null)
+                    ).cursorExtractor(ServiceListResult::getCursor)
+                    .itemsExtractor(ServiceListResult::getResults)
+                    .itemsSetter((page, allItems) -> {
+                        page.setResults(allItems);
+                        page.setResultCount((long) allItems.size());
+                    })
+                    .fetchAll();
 
             List<com.vmware.nsx_policy.model.Service> services = serviceList.getResults();
             List<String> matchedDefaultSvc = services.parallelStream().filter(svc ->
@@ -1095,9 +1211,17 @@ protected List<String> getGroupsForTraffic(SDNProviderNetworkRule rule,
 
     private List<Group> listNsxGroups() {
         try {
-           Groups groups = (Groups) nsxService.apply(Groups.class);
-           GroupListResult result = groups.list(DEFAULT_DOMAIN, null, false, null, null, null, null, null);
-           return result.getResults();
+            Groups groups = (Groups) nsxService.apply(Groups.class);
+            GroupListResult result = PagedFetcher.<GroupListResult, Group>withPageFetcher(
+                            cursor -> groups.list(DEFAULT_DOMAIN, cursor, false, null, null, null, null, null)
+                    ).cursorExtractor(GroupListResult::getCursor)
+                    .itemsExtractor(GroupListResult::getResults)
+                    .itemsSetter((page, allItems) -> {
+                        page.setResults(allItems);
+                        page.setResultCount((long) allItems.size());
+                    })
+                    .fetchAll();
+            return result.getResults();
         } catch (Error error) {
             ApiError ae = error.getData()._convertTo(ApiError.class);
             String msg = String.format("Failed to list NSX groups, due to: %s", ae.getErrorMessage());
diff --git a/plugins/network-elements/nsx/src/main/java/org/apache/cloudstack/service/PagedFetcher.java b/plugins/network-elements/nsx/src/main/java/org/apache/cloudstack/service/PagedFetcher.java
new file mode 100644
index 000000000000..b3cd4e0a16fc
--- /dev/null
+++ b/plugins/network-elements/nsx/src/main/java/org/apache/cloudstack/service/PagedFetcher.java
@@ -0,0 +1,82 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.service;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Objects;
+import java.util.function.BiConsumer;
+import java.util.function.Function;
+
+class PagedFetcher<R, T> {
+
+    private final Function<String, R> fetchPage;
+    private Function<R, String> cursorExtractor;
+    private Function<R, List<T>> itemsExtractor;
+    private BiConsumer<R, List<T>> itemsSetter;
+
+    static <R, T> PagedFetcher<R, T> withPageFetcher(Function<String, R> pageFetcher) {
+        return new PagedFetcher<>(pageFetcher);
+    }
+
+    PagedFetcher<R, T> cursorExtractor(Function<R, String> cursorProvider) {
+        this.cursorExtractor = cursorProvider;
+        return this;
+    }
+
+    PagedFetcher<R, T> itemsExtractor(Function<R, List<T>> resultsProvider) {
+        this.itemsExtractor = resultsProvider;
+        return this;
+    }
+
+    PagedFetcher<R, T> itemsSetter(BiConsumer<R, List<T>> resultsSetter) {
+        this.itemsSetter = resultsSetter;
+        return this;
+    }
+
+    private PagedFetcher(Function<String, R> pageFetcher) {
+        this.fetchPage = pageFetcher;
+    }
+
+    R fetchAll() {
+        Objects.requireNonNull(cursorExtractor, "Cursor extractor must be set");
+        Objects.requireNonNull(itemsExtractor, "Items extractor must be set");
+        Objects.requireNonNull(itemsSetter, "Items setter must be set");
+
+        R firstPage = fetchPage.apply(null);
+        String cursor = cursorExtractor.apply(firstPage);
+        if (cursor == null || cursor.isEmpty()) {
+            return firstPage;
+        }
+
+        List<T> firstResults = itemsExtractor.apply(firstPage);
+        List<T> allItems = firstResults != null
+                ? new ArrayList<>(firstResults)
+                : new ArrayList<>();
+        while (cursor != null && !cursor.isEmpty()) {
+            R nextPage = fetchPage.apply(cursor);
+            List<T> nextItems = itemsExtractor.apply(nextPage);
+            if (nextItems != null && !nextItems.isEmpty()) {
+                allItems.addAll(nextItems);
+            }
+            cursor = cursorExtractor.apply(nextPage);
+        }
+
+        itemsSetter.accept(firstPage, allItems);
+        return firstPage;
+    }
+}
diff --git a/plugins/network-elements/nsx/src/test/java/org/apache/cloudstack/resource/NsxResourceTest.java b/plugins/network-elements/nsx/src/test/java/org/apache/cloudstack/resource/NsxResourceTest.java
index ee4f4fb64c20..0d74bb8a3b3d 100644
--- a/plugins/network-elements/nsx/src/test/java/org/apache/cloudstack/resource/NsxResourceTest.java
+++ b/plugins/network-elements/nsx/src/test/java/org/apache/cloudstack/resource/NsxResourceTest.java
@@ -16,6 +16,7 @@
 // under the License.
 package org.apache.cloudstack.resource;
 
+import com.cloud.network.Network;
 import com.cloud.network.dao.NetworkVO;
 import com.cloud.utils.exception.CloudRuntimeException;
 import com.vmware.nsx.model.TransportZone;
@@ -61,6 +62,7 @@
 import static org.mockito.ArgumentMatchers.anyString;
 import static org.mockito.Mockito.doThrow;
 import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 
 @RunWith(MockitoJUnitRunner.class)
@@ -247,8 +249,12 @@ public void testCreatePortForwardRule() {
     @Test
     public void testDeleteNsxNatRule() {
         DeleteNsxNatRuleCommand cmd = new DeleteNsxNatRuleCommand(domainId, accountId, zoneId, 3L, "VPC01", true, 2L, 5L, "22", "tcp");
+        Network.Service service = mock(Network.Service.class);
+        when(service.getName()).thenReturn("PortForwarding");
+        cmd.setService(service);
         NsxAnswer answer = (NsxAnswer) nsxResource.executeRequest(cmd);
         assertTrue(answer.getResult());
+        verify(nsxApi).deleteNatRule(service, "22", "tcp", "VPC01", "D1-A2-Z1-V3", "D1-A2-Z1-V3-PF5");
     }
 
     @Test
diff --git a/plugins/network-elements/nsx/src/test/java/org/apache/cloudstack/service/NsxApiClientTest.java b/plugins/network-elements/nsx/src/test/java/org/apache/cloudstack/service/NsxApiClientTest.java
index f9ee8daea4bb..5f8d771f75df 100644
--- a/plugins/network-elements/nsx/src/test/java/org/apache/cloudstack/service/NsxApiClientTest.java
+++ b/plugins/network-elements/nsx/src/test/java/org/apache/cloudstack/service/NsxApiClientTest.java
@@ -18,13 +18,32 @@
 
 import com.cloud.network.Network;
 import com.cloud.network.SDNProviderNetworkRule;
+import com.cloud.utils.exception.CloudRuntimeException;
 import com.vmware.nsx.cluster.Status;
 import com.vmware.nsx.model.ClusterStatus;
 import com.vmware.nsx.model.ControllerClusterStatus;
+import com.vmware.nsx_policy.infra.LbAppProfiles;
+import com.vmware.nsx_policy.infra.LbMonitorProfiles;
+import com.vmware.nsx_policy.infra.LbPools;
+import com.vmware.nsx_policy.infra.LbServices;
+import com.vmware.nsx_policy.infra.LbVirtualServers;
 import com.vmware.nsx_policy.infra.domains.Groups;
+import com.vmware.nsx_policy.model.ApiError;
 import com.vmware.nsx_policy.model.Group;
+import com.vmware.nsx_policy.model.LBAppProfileListResult;
+import com.vmware.nsx_policy.model.LBIcmpMonitorProfile;
+import com.vmware.nsx_policy.model.LBService;
+import com.vmware.nsx_policy.model.LBTcpMonitorProfile;
+import com.vmware.nsx_policy.model.LBPool;
+import com.vmware.nsx_policy.model.LBPoolMember;
+import com.vmware.nsx_policy.model.LBVirtualServer;
 import com.vmware.nsx_policy.model.PathExpression;
 import com.vmware.vapi.bindings.Service;
+import com.vmware.vapi.bindings.Structure;
+import com.vmware.vapi.std.errors.Error;
+import com.vmware.vapi.std.errors.NotFound;
+import org.apache.cloudstack.resource.NsxLoadBalancerMember;
+import org.apache.cloudstack.utils.NsxControllerUtils;
 import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
@@ -36,8 +55,20 @@
 import java.util.List;
 import java.util.function.Function;
 
+import static org.junit.Assert.assertThrows;
+import static org.junit.Assert.assertTrue;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.doThrow;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
 public class NsxApiClientTest {
 
+    private static final String TIER_1_GATEWAY_NAME = "t1";
+
     @Mock
     private Function<Class<? extends Service>, Service> nsxService;
     @Mock
@@ -108,4 +139,284 @@ public void testIsNsxControllerActive() {
         Mockito.when(clusterStatus.getControlClusterStatus()).thenReturn(status);
         Assert.assertTrue(client.isNsxControllerActive());
     }
+
+    @Test
+    public void testCreateNsxLbServerPoolExistingMonitorProfileSkipsMonitorPatch() {
+        String lbServerPoolName = NsxControllerUtils.getServerPoolName(TIER_1_GATEWAY_NAME, 1L);
+        List<NsxLoadBalancerMember> memberList = List.of(new NsxLoadBalancerMember(1L, "10.0.0.1", 80));
+
+        LbPools lbPools = Mockito.mock(LbPools.class);
+        LbMonitorProfiles lbMonitorProfiles = mockLbMonitorProfiles();
+
+        Mockito.when(nsxService.apply(LbPools.class)).thenReturn(lbPools);
+        Mockito.when(lbPools.get(lbServerPoolName)).thenThrow(new NotFound(null, null));
+
+        client.createNsxLbServerPool(memberList, TIER_1_GATEWAY_NAME, lbServerPoolName, "roundrobin", "80", "TCP");
+
+        verify(lbMonitorProfiles, never()).patch(anyString(), any(LBTcpMonitorProfile.class));
+        verify(lbPools).patch(eq(lbServerPoolName), any(LBPool.class));
+    }
+
+    @Test
+    public void testCreateNsxLbServerPoolMissingMonitorTCPProfilePerformsPatch() {
+        String lbServerPoolName = NsxControllerUtils.getServerPoolName(TIER_1_GATEWAY_NAME, 1L);
+        List<NsxLoadBalancerMember> memberList = List.of(new NsxLoadBalancerMember(1L, "10.0.0.1", 80));
+
+        LbPools lbPools = Mockito.mock(LbPools.class);
+        LbMonitorProfiles lbMonitorProfiles = Mockito.mock(LbMonitorProfiles.class);
+        Structure monitorStructure = Mockito.mock(Structure.class, Mockito.RETURNS_DEEP_STUBS);
+
+        Mockito.when(nsxService.apply(LbPools.class)).thenReturn(lbPools);
+        Mockito.when(nsxService.apply(LbMonitorProfiles.class)).thenReturn(lbMonitorProfiles);
+        Mockito.when(lbMonitorProfiles.get(anyString())).thenThrow(new NotFound(null, null)).thenReturn(monitorStructure);
+        Mockito.when(monitorStructure._getDataValue().getField("path").toString()).thenReturn("/infra/lb-monitor-profiles/test");
+        Mockito.when(lbPools.get(lbServerPoolName)).thenThrow(new NotFound(null, null));
+
+        client.createNsxLbServerPool(memberList, TIER_1_GATEWAY_NAME, lbServerPoolName, "roundrobin", "80", "TCP");
+
+        verify(lbMonitorProfiles).patch(anyString(), any(LBTcpMonitorProfile.class));
+        verify(lbPools).patch(eq(lbServerPoolName), any(LBPool.class));
+    }
+
+    @Test
+    public void testCreateNsxLbServerPoolMissingMonitorUDPProfilePerformsPatch() {
+        String lbServerPoolName = NsxControllerUtils.getServerPoolName(TIER_1_GATEWAY_NAME, 1L);
+        List<NsxLoadBalancerMember> memberList = List.of(new NsxLoadBalancerMember(1L, "10.0.0.1", 80));
+
+        LbPools lbPools = Mockito.mock(LbPools.class);
+        LbMonitorProfiles lbMonitorProfiles = Mockito.mock(LbMonitorProfiles.class);
+        Structure monitorStructure = Mockito.mock(Structure.class, Mockito.RETURNS_DEEP_STUBS);
+
+        Mockito.when(nsxService.apply(LbPools.class)).thenReturn(lbPools);
+        Mockito.when(nsxService.apply(LbMonitorProfiles.class)).thenReturn(lbMonitorProfiles);
+        Mockito.when(lbMonitorProfiles.get(anyString())).thenThrow(new NotFound(null, null)).thenReturn(monitorStructure);
+        Mockito.when(monitorStructure._getDataValue().getField("path").toString()).thenReturn("/infra/lb-monitor-profiles/test");
+        Mockito.when(lbPools.get(lbServerPoolName)).thenThrow(new NotFound(null, null));
+
+        client.createNsxLbServerPool(memberList, TIER_1_GATEWAY_NAME, lbServerPoolName, "roundrobin", "80", "UDP");
+
+        verify(lbMonitorProfiles).patch(anyString(), any(LBIcmpMonitorProfile.class));
+        verify(lbPools).patch(eq(lbServerPoolName), any(LBPool.class));
+    }
+
+    @Test
+    public void testCreateNsxLbServerPoolPoolExistsWithSameMembersSkipsPatch() {
+        long lbId = 1L;
+        String lbServerPoolName = NsxControllerUtils.getServerPoolName(TIER_1_GATEWAY_NAME, lbId);
+        List<NsxLoadBalancerMember> memberList = List.of(
+                new NsxLoadBalancerMember(1L, "10.0.0.1", 80),
+                new NsxLoadBalancerMember(2L, "10.0.0.2", 80)
+        );
+        List<LBPoolMember> sameMembers = List.of(
+                createPoolMember(2L, "10.0.0.2", 80),
+                createPoolMember(1L, "10.0.0.1", 80)
+        );
+
+        LbPools lbPools = Mockito.mock(LbPools.class);
+        LBPool existingPool = Mockito.mock(LBPool.class);
+
+        Mockito.when(nsxService.apply(LbPools.class)).thenReturn(lbPools);
+        Mockito.when(lbPools.get(lbServerPoolName)).thenReturn(existingPool);
+        Mockito.when(existingPool.getMembers()).thenReturn(sameMembers);
+
+        client.createNsxLbServerPool(memberList, TIER_1_GATEWAY_NAME, lbServerPoolName, "roundrobin", "80", "TCP");
+
+        verify(nsxService, never()).apply(LbMonitorProfiles.class);
+        verify(lbPools, never()).patch(anyString(), any(LBPool.class));
+    }
+
+    @Test
+    public void testCreateNsxLbServerPoolPoolExistsWithoutMembersAndEmptyUpdateSkipsPatch() {
+        String lbServerPoolName = NsxControllerUtils.getServerPoolName(TIER_1_GATEWAY_NAME, 1L);
+
+        LbPools lbPools = Mockito.mock(LbPools.class);
+        LBPool existingPool = Mockito.mock(LBPool.class);
+
+        Mockito.when(nsxService.apply(LbPools.class)).thenReturn(lbPools);
+        Mockito.when(lbPools.get(lbServerPoolName)).thenReturn(existingPool);
+        Mockito.when(existingPool.getMembers()).thenReturn(null);
+
+        client.createNsxLbServerPool(List.of(), TIER_1_GATEWAY_NAME, lbServerPoolName, "roundrobin", "80", "TCP");
+
+        verify(nsxService, never()).apply(LbMonitorProfiles.class);
+        verify(lbPools, never()).patch(anyString(), any(LBPool.class));
+    }
+
+    @Test
+    public void testCreateNsxLbServerPoolPoolExistsWithDuplicateMembersSkipsPatch() {
+        long lbId = 1L;
+        String lbServerPoolName = NsxControllerUtils.getServerPoolName(TIER_1_GATEWAY_NAME, lbId);
+        List<NsxLoadBalancerMember> memberList = List.of(
+                new NsxLoadBalancerMember(1L, "10.0.0.1", 80),
+                new NsxLoadBalancerMember(2L, "10.0.0.2", 80)
+        );
+
+        LbPools lbPools = Mockito.mock(LbPools.class);
+        LBPool existingPool = Mockito.mock(LBPool.class);
+
+        Mockito.when(nsxService.apply(LbPools.class)).thenReturn(lbPools);
+        Mockito.when(lbPools.get(lbServerPoolName)).thenReturn(existingPool);
+        Mockito.when(existingPool.getMembers()).thenReturn(List.of(
+                createPoolMember(1L, "10.0.0.1", 80),
+                createPoolMember(1L, "10.0.0.1", 80),
+                createPoolMember(2L, "10.0.0.2", 80)
+        ));
+
+        client.createNsxLbServerPool(memberList, TIER_1_GATEWAY_NAME, lbServerPoolName, "roundrobin", "80", "TCP");
+
+        verify(nsxService, never()).apply(LbMonitorProfiles.class);
+        verify(lbPools, never()).patch(anyString(), any(LBPool.class));
+    }
+
+    @Test
+    public void testCreateNsxLbServerPoolPoolExistsWithDifferentMembersPerformsPatch() {
+        long lbId = 1L;
+        String lbServerPoolName = NsxControllerUtils.getServerPoolName(TIER_1_GATEWAY_NAME, lbId);
+        List<NsxLoadBalancerMember> memberList = List.of(
+                new NsxLoadBalancerMember(1L, "10.0.0.1", 80),
+                new NsxLoadBalancerMember(2L, "10.0.0.2", 80)
+        );
+
+        LbPools lbPools = Mockito.mock(LbPools.class);
+        LBPool existingPool = Mockito.mock(LBPool.class);
+
+        mockLbMonitorProfiles();
+        Mockito.when(nsxService.apply(LbPools.class)).thenReturn(lbPools);
+        Mockito.when(lbPools.get(lbServerPoolName)).thenReturn(existingPool);
+        Mockito.when(existingPool.getMembers()).thenReturn(List.of(
+                createPoolMember(1L, "10.0.0.10", 80)
+        ));
+
+        client.createNsxLbServerPool(memberList, TIER_1_GATEWAY_NAME, lbServerPoolName, "roundrobin", "80", "TCP");
+
+        verify(lbPools).patch(eq(lbServerPoolName), any(LBPool.class));
+    }
+
+    @Test
+    public void testCreateNsxLbServerPoolPoolDoesNotExistPerformsPatch() {
+        String lbServerPoolName = NsxControllerUtils.getServerPoolName(TIER_1_GATEWAY_NAME, 1L);
+        List<NsxLoadBalancerMember> memberList = List.of(new NsxLoadBalancerMember(1L, "10.0.0.1", 80));
+
+        LbPools lbPools = Mockito.mock(LbPools.class);
+
+        mockLbMonitorProfiles();
+        Mockito.when(nsxService.apply(LbPools.class)).thenReturn(lbPools);
+        Mockito.when(lbPools.get(lbServerPoolName)).thenThrow(new NotFound(null, null));
+
+        client.createNsxLbServerPool(memberList, TIER_1_GATEWAY_NAME, lbServerPoolName, "roundrobin", "80", "TCP");
+
+        verify(lbPools).patch(eq(lbServerPoolName), any(LBPool.class));
+    }
+
+    @Test
+    public void testCreateAndAddNsxLbVirtualServerVirtualServerAlreadyExistsSkipsPatch() {
+        long lbId = 1L;
+        String lbVirtualServerName = NsxControllerUtils.getVirtualServerName(TIER_1_GATEWAY_NAME, lbId);
+        String lbServiceName = NsxControllerUtils.getLoadBalancerName(TIER_1_GATEWAY_NAME);
+        List<NsxLoadBalancerMember> memberList = List.of(new NsxLoadBalancerMember(1L, "10.0.0.1", 80));
+
+        LbPools lbPools = Mockito.mock(LbPools.class);
+        LbServices lbServices = Mockito.mock(LbServices.class);
+        LbVirtualServers lbVirtualServers = Mockito.mock(LbVirtualServers.class);
+        LBVirtualServer existingVs = Mockito.mock(LBVirtualServer.class);
+
+        mockLbMonitorProfiles();
+        Mockito.when(nsxService.apply(LbPools.class)).thenReturn(lbPools);
+        Mockito.when(nsxService.apply(LbServices.class)).thenReturn(lbServices);
+        Mockito.when(nsxService.apply(LbVirtualServers.class)).thenReturn(lbVirtualServers);
+        Mockito.when(lbPools.get(anyString())).thenThrow(new NotFound(null, null));
+        Mockito.when(lbServices.get(anyString())).thenReturn(null);
+        Mockito.when(lbVirtualServers.get(lbVirtualServerName)).thenReturn(existingVs);
+
+        client.createAndAddNsxLbVirtualServer(TIER_1_GATEWAY_NAME, lbId, "192.168.1.1", "443",
+                memberList, "roundrobin", "TCP", "80");
+
+        verify(lbVirtualServers).get(lbVirtualServerName);
+        verify(lbVirtualServers, never()).get(lbServiceName);
+        verify(lbVirtualServers, never()).patch(anyString(), any(LBVirtualServer.class));
+    }
+
+    @Test
+    public void testCreateAndAddNsxLbVirtualServerVirtualServerNotFoundPerformsPatch() {
+        long lbId = 1L;
+        String lbServerPoolName = NsxControllerUtils.getServerPoolName(TIER_1_GATEWAY_NAME, lbId);
+        String lbVirtualServerName = NsxControllerUtils.getVirtualServerName(TIER_1_GATEWAY_NAME, lbId);
+        String lbServiceName = NsxControllerUtils.getLoadBalancerName(TIER_1_GATEWAY_NAME);
+        List<NsxLoadBalancerMember> memberList = List.of(new NsxLoadBalancerMember(1L, "10.0.0.1", 80));
+
+        LbPools lbPools = Mockito.mock(LbPools.class);
+        LBPool lbPool = Mockito.mock(LBPool.class);
+        LbServices lbServices = Mockito.mock(LbServices.class);
+        LBService lbService = Mockito.mock(LBService.class);
+        LbVirtualServers lbVirtualServers = Mockito.mock(LbVirtualServers.class);
+
+        mockLbMonitorProfiles();
+        mockLbAppProfiles();
+        Mockito.when(nsxService.apply(LbPools.class)).thenReturn(lbPools);
+        Mockito.when(nsxService.apply(LbServices.class)).thenReturn(lbServices);
+        Mockito.when(nsxService.apply(LbVirtualServers.class)).thenReturn(lbVirtualServers);
+        Mockito.when(lbPools.get(lbServerPoolName)).thenThrow(new NotFound(null, null)).thenReturn(lbPool);
+        Mockito.when(lbPool.getPath()).thenReturn("/infra/lb-pools/" + lbServerPoolName);
+        Mockito.when(lbServices.get(lbServiceName)).thenReturn(lbService);
+        Mockito.when(lbService.getPath()).thenReturn("/infra/lb-services/" + lbServiceName);
+        Mockito.when(lbVirtualServers.get(lbVirtualServerName)).thenThrow(new NotFound(null, null));
+
+        client.createAndAddNsxLbVirtualServer(TIER_1_GATEWAY_NAME, lbId, "192.168.1.1", "443",
+                memberList, "roundrobin", "TCP", "80");
+
+        verify(lbVirtualServers).get(lbVirtualServerName);
+        verify(lbVirtualServers, never()).get(lbServiceName);
+        verify(lbVirtualServers).patch(eq(lbVirtualServerName), any(LBVirtualServer.class));
+    }
+
+    @Test
+    public void testCreateNsxLbServerPoolThrowsExceptionOnPatchError() {
+        String lbServerPoolName = NsxControllerUtils.getServerPoolName(TIER_1_GATEWAY_NAME, 1L);
+        List<NsxLoadBalancerMember> memberList = List.of(new NsxLoadBalancerMember(1L, "10.0.0.1", 80));
+
+        LbPools lbPools = Mockito.mock(LbPools.class);
+        Structure errorData = Mockito.mock(Structure.class);
+        ApiError apiError = new ApiError();
+        apiError.setErrorData(errorData);
+
+        mockLbMonitorProfiles();
+        Mockito.when(nsxService.apply(LbPools.class)).thenReturn(lbPools);
+        Mockito.when(lbPools.get(lbServerPoolName)).thenThrow(new NotFound(null, null));
+        when(errorData._convertTo(ApiError.class)).thenReturn(apiError);
+        doThrow(new Error(List.of(), errorData)).when(lbPools).patch(eq(lbServerPoolName), any(LBPool.class));
+
+        CloudRuntimeException thrownException = assertThrows(CloudRuntimeException.class, () -> {
+            client.createNsxLbServerPool(memberList, TIER_1_GATEWAY_NAME, lbServerPoolName, "roundrobin", "80", "TCP");
+        });
+        assertTrue(thrownException.getMessage().startsWith("Failed to create NSX LB server pool, due to"));
+    }
+
+    private LbMonitorProfiles mockLbMonitorProfiles() {
+        LbMonitorProfiles lbMonitorProfiles = Mockito.mock(LbMonitorProfiles.class);
+        Structure monitorStructure = Mockito.mock(Structure.class, Mockito.RETURNS_DEEP_STUBS);
+
+        Mockito.when(nsxService.apply(LbMonitorProfiles.class)).thenReturn(lbMonitorProfiles);
+        Mockito.when(lbMonitorProfiles.get(anyString())).thenReturn(monitorStructure);
+        Mockito.when(monitorStructure._getDataValue().getField("path").toString()).thenReturn("/infra/lb-monitor-profiles/test");
+        return lbMonitorProfiles;
+    }
+
+    private void mockLbAppProfiles() {
+        LbAppProfiles lbAppProfiles = Mockito.mock(LbAppProfiles.class);
+        LBAppProfileListResult appProfileListResult = Mockito.mock(LBAppProfileListResult.class);
+        Structure appProfile = Mockito.mock(Structure.class, Mockito.RETURNS_DEEP_STUBS);
+
+        Mockito.when(nsxService.apply(LbAppProfiles.class)).thenReturn(lbAppProfiles);
+        Mockito.when(lbAppProfiles.list(null, null, null, null, null, null)).thenReturn(appProfileListResult);
+        Mockito.when(appProfileListResult.getResults()).thenReturn(List.of(appProfile));
+        Mockito.when(appProfile._getDataValue().getField("path").toString()).thenReturn("/infra/lb-app-profiles/default-tcp-profile");
+    }
+
+    private LBPoolMember createPoolMember(long vmId, String ipAddress, int port) {
+        return new LBPoolMember.Builder()
+                .setDisplayName(NsxControllerUtils.getServerPoolMemberName(TIER_1_GATEWAY_NAME, vmId))
+                .setIpAddress(ipAddress)
+                .setPort(String.valueOf(port))
+                .build();
+    }
 }
diff --git a/plugins/network-elements/nsx/src/test/java/org/apache/cloudstack/service/PagedFetcherTest.java b/plugins/network-elements/nsx/src/test/java/org/apache/cloudstack/service/PagedFetcherTest.java
new file mode 100644
index 000000000000..6d6b4cde1326
--- /dev/null
+++ b/plugins/network-elements/nsx/src/test/java/org/apache/cloudstack/service/PagedFetcherTest.java
@@ -0,0 +1,156 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.service;
+
+import org.junit.Test;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.concurrent.atomic.AtomicBoolean;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertSame;
+
+public class PagedFetcherTest {
+
+    private static class Page {
+        private String cursor;
+        private List<String> items;
+
+        Page(String cursor, List<String> items) {
+            this.cursor = cursor;
+            this.items = items;
+        }
+
+        String getCursor() {
+            return cursor;
+        }
+
+        List<String> getItems() {
+            return items;
+        }
+
+        void setItems(List<String> items) {
+            this.items = items;
+        }
+    }
+
+    @Test
+    public void testFetchAllWhenThereIsNoPagination() {
+        // given
+        Page firstPage = new Page(null, new ArrayList<>(List.of("a", "b")));
+        AtomicBoolean itemsSetterCalled = new AtomicBoolean(false);
+        PagedFetcher<Page, String> fetcher = PagedFetcher.<Page, String>withPageFetcher(
+                        cursor -> {
+                            assertNull(cursor);
+                            return firstPage;
+                        })
+                .cursorExtractor(Page::getCursor)
+                .itemsExtractor(Page::getItems)
+                .itemsSetter((page, items) -> itemsSetterCalled.set(true));
+
+        // when
+        Page result = fetcher.fetchAll();
+
+        // then
+        assertSame(firstPage, result);
+        assertEquals(List.of("a", "b"), result.getItems());
+        assertFalse("itemsSetter must not be called when there is no next page", itemsSetterCalled.get());
+    }
+
+    @Test
+    public void testFetchAllWhenThereIsNoPaginationAndEmptyCursor() {
+        // given
+        Page firstPage = new Page("", new ArrayList<>(List.of("x")));
+
+        AtomicBoolean itemsSetterCalled = new AtomicBoolean(false);
+
+        PagedFetcher<Page, String> fetcher = PagedFetcher
+                .<Page, String>withPageFetcher(cursor -> {
+                    assertNull(cursor);
+                    return firstPage;
+                })
+                .cursorExtractor(Page::getCursor)
+                .itemsExtractor(Page::getItems)
+                .itemsSetter((page, items) -> itemsSetterCalled.set(true));
+
+        // when
+        Page result = fetcher.fetchAll();
+
+        // then
+        assertSame(firstPage, result);
+        assertEquals(List.of("x"), result.getItems());
+        assertFalse("itemsSetter must not be called when there is no next page", itemsSetterCalled.get());
+    }
+
+    @Test
+    public void testFetchAllWhenMultiPages() {
+        // given
+        Page page1 = new Page("c1", new ArrayList<>(List.of("p1a", "p1b")));
+        Page page2 = new Page("c2", new ArrayList<>(List.of("p2a")));
+        Page page3 = new Page(null, new ArrayList<>(List.of("p3a", "p3b")));
+
+        Map<String, Page> pagesByCursor = new HashMap<>();
+        pagesByCursor.put(null, page1);
+        pagesByCursor.put("c1", page2);
+        pagesByCursor.put("c2", page3);
+
+        PagedFetcher<Page, String> fetcher = PagedFetcher
+                .<Page, String>withPageFetcher(pagesByCursor::get)
+                .cursorExtractor(Page::getCursor)
+                .itemsExtractor(Page::getItems)
+                .itemsSetter((page, items) -> {
+                    assertSame(page1, page);
+                    page.setItems(items);
+                });
+
+        // when
+        Page result = fetcher.fetchAll();
+
+        // then
+        assertSame("Result must be the first page object", page1, result);
+        assertEquals(List.of("p1a", "p1b", "p2a", "p3a", "p3b"), result.getItems());
+    }
+
+    @Test
+    public void testFetchAllFirstPageItemsNullSecondWithItems() {
+        // given
+        Page page1 = new Page("next", null);
+        Page page2 = new Page(null, new ArrayList<>(List.of("x", "y")));
+
+        Map<String, Page> pages = new HashMap<>();
+        pages.put(null, page1);
+        pages.put("next", page2);
+
+        PagedFetcher<Page, String> fetcher = PagedFetcher
+                .<Page, String>withPageFetcher(pages::get)
+                .cursorExtractor(Page::getCursor)
+                .itemsExtractor(Page::getItems)
+                .itemsSetter(Page::setItems);
+
+        // when
+        Page result = fetcher.fetchAll();
+
+        // then
+        assertSame(page1, result);
+        assertEquals(List.of("x", "y"), result.getItems());
+    }
+}
diff --git a/plugins/pom.xml b/plugins/pom.xml
index e7d13871285e..44220481a6fe 100755
--- a/plugins/pom.xml
+++ b/plugins/pom.xml
@@ -84,8 +84,6 @@
 
         <module>ha-planners/skip-heurestics</module>
 
-        <module>host-allocators/random</module>
-
         <module>hypervisors/baremetal</module>
         <module>hypervisors/external</module>
         <module>hypervisors/hyperv</module>
@@ -129,6 +127,7 @@
         <module>storage/volume/default</module>
         <module>storage/volume/nexenta</module>
         <module>storage/volume/sample</module>
+        <module>storage/volume/ontap</module>
         <module>storage/volume/solidfire</module>
         <module>storage/volume/scaleio</module>
         <module>storage/volume/linstor</module>
@@ -203,13 +202,13 @@
         <dependency>
             <groupId>io.minio</groupId>
             <artifactId>minio</artifactId>
-            <version>8.5.2</version>
+            <version>${cs.minio.version}</version>
             <scope>compile</scope>
         </dependency>
         <dependency>
             <groupId>io.minio</groupId>
             <artifactId>minio-admin</artifactId>
-            <version>8.5.2</version>
+            <version>${cs.minio.version}</version>
             <scope>compile</scope>
         </dependency>
         <dependency>
diff --git a/plugins/storage/object/minio/pom.xml b/plugins/storage/object/minio/pom.xml
index d69c2a7498fa..64d62cf8d347 100644
--- a/plugins/storage/object/minio/pom.xml
+++ b/plugins/storage/object/minio/pom.xml
@@ -46,12 +46,24 @@
         <dependency>
             <groupId>io.minio</groupId>
             <artifactId>minio</artifactId>
-            <version>8.5.2</version>
+            <version>${cs.minio.version}</version>
         </dependency>
         <dependency>
             <groupId>io.minio</groupId>
             <artifactId>minio-admin</artifactId>
-            <version>8.5.2</version>
+            <version>${cs.minio.version}</version>
+        </dependency>
+        <!-- Pin okhttp3 to the version required by minio 8.6.0+, overriding the older
+             version transitively pulled by influxdb-java -->
+        <dependency>
+            <groupId>com.squareup.okhttp3</groupId>
+            <artifactId>okhttp</artifactId>
+            <version>5.1.0</version>
+        </dependency>
+        <dependency>
+            <groupId>com.squareup.okhttp3</groupId>
+            <artifactId>logging-interceptor</artifactId>
+            <version>5.1.0</version>
         </dependency>
     </dependencies>
 </project>
diff --git a/plugins/storage/object/minio/src/main/java/org/apache/cloudstack/storage/datastore/driver/MinIOObjectStoreDriverImpl.java b/plugins/storage/object/minio/src/main/java/org/apache/cloudstack/storage/datastore/driver/MinIOObjectStoreDriverImpl.java
index 9dc4b30414e6..28e3b85e1a50 100644
--- a/plugins/storage/object/minio/src/main/java/org/apache/cloudstack/storage/datastore/driver/MinIOObjectStoreDriverImpl.java
+++ b/plugins/storage/object/minio/src/main/java/org/apache/cloudstack/storage/datastore/driver/MinIOObjectStoreDriverImpl.java
@@ -24,6 +24,8 @@
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;
+import java.util.stream.Collectors;
 
 import javax.crypto.KeyGenerator;
 import javax.crypto.SecretKey;
@@ -98,6 +100,51 @@ protected String getUserOrAccessKeyForAccount(Account account) {
         return String.format("%s-%s", ACS_PREFIX, account.getUuid());
     }
 
+    private void updateCannedPolicy(long storeId, Account account, String excludeBucket) {
+        List<BucketVO> buckets = _bucketDao.listByObjectStoreIdAndAccountId(storeId, account.getId());
+
+        String resources = buckets.stream()
+                .map(BucketVO::getName)
+                .filter(name -> !Objects.equals(name, excludeBucket))
+                .map(name -> "\"arn:aws:s3:::" + name + "/*\"")
+                .collect(Collectors.joining(",\n"));
+        String policy;
+        if (resources.isEmpty()) {
+            // Resource cannot be empty in a canned Policy so deny access to all resources if the user has no buckets
+            policy = " {\n" +
+                    "     \"Statement\": [\n" +
+                    "         {\n" +
+                    "             \"Action\": \"s3:*\",\n" +
+                    "             \"Effect\": \"Deny\",\n" +
+                    "             \"Resource\": [\"arn:aws:s3:::*\", \"arn:aws:s3:::*/*\"]\n" +
+                    "         }\n" +
+                    "     ],\n" +
+                    "     \"Version\": \"2012-10-17\"\n" +
+                    " }";
+        } else {
+            policy = " {\n" +
+                    "     \"Statement\": [\n" +
+                    "         {\n" +
+                    "             \"Action\": \"s3:*\",\n" +
+                    "             \"Effect\": \"Allow\",\n" +
+                    "             \"Resource\": [" + resources + "]\n" +
+                    "         }\n" +
+                    "     ],\n" +
+                    "     \"Version\": \"2012-10-17\"\n" +
+                    " }";
+        }
+
+        MinioAdminClient minioAdminClient = getMinIOAdminClient(storeId);
+        String policyName = getUserOrAccessKeyForAccount(account) + "-policy";
+        String userName = getUserOrAccessKeyForAccount(account);
+        try {
+            minioAdminClient.addCannedPolicy(policyName, policy);
+            minioAdminClient.setPolicy(userName, false, policyName);
+        } catch (NoSuchAlgorithmException | IOException | InvalidKeyException e) {
+            throw new CloudRuntimeException(e);
+        }
+    }
+
     @Override
     public Bucket createBucket(Bucket bucket, boolean objectLock) {
         //ToDo Client pool mgmt
@@ -125,33 +172,8 @@ public Bucket createBucket(Bucket bucket, boolean objectLock) {
             throw new CloudRuntimeException(e);
         }
 
-        List<BucketVO> buckets = _bucketDao.listByObjectStoreIdAndAccountId(storeId, accountId);
-        StringBuilder resources_builder = new StringBuilder();
-        for(BucketVO exitingBucket : buckets) {
-            resources_builder.append("\"arn:aws:s3:::"+exitingBucket.getName()+"/*\",\n");
-        }
-        resources_builder.append("\"arn:aws:s3:::"+bucketName+"/*\"\n");
-
-        String policy = " {\n" +
-                "     \"Statement\": [\n" +
-                "         {\n" +
-                "             \"Action\": \"s3:*\",\n" +
-                "             \"Effect\": \"Allow\",\n" +
-                "             \"Principal\": \"*\",\n" +
-                "             \"Resource\": ["+resources_builder+"]" +
-                "         }\n" +
-                "     ],\n" +
-                "     \"Version\": \"2012-10-17\"\n" +
-                " }";
-        MinioAdminClient minioAdminClient = getMinIOAdminClient(storeId);
-        String policyName = getUserOrAccessKeyForAccount(account) + "-policy";
-        String userName = getUserOrAccessKeyForAccount(account);
-        try {
-            minioAdminClient.addCannedPolicy(policyName, policy);
-            minioAdminClient.setPolicy(userName, false, policyName);
-        } catch (Exception e) {
-            throw new CloudRuntimeException(e);
-        }
+        updateCannedPolicy(storeId, account,null);
+
         String accessKey = _accountDetailsDao.findDetail(accountId, MINIO_ACCESS_KEY).getValue();
         String secretKey = _accountDetailsDao.findDetail(accountId, MINIO_SECRET_KEY).getValue();
         ObjectStoreVO store = _storeDao.findById(storeId);
@@ -183,6 +205,8 @@ public List<Bucket> listBuckets(long storeId) {
     @Override
     public boolean deleteBucket(BucketTO bucket, long storeId) {
         String bucketName = bucket.getName();
+        long accountId = bucket.getAccountId();
+        Account account = _accountDao.findById(accountId);
         MinioClient minioClient = getMinIOClient(storeId);
         try {
             if(!minioClient.bucketExists(BucketExistsArgs.builder().bucket(bucketName).build())) {
@@ -197,6 +221,9 @@ public boolean deleteBucket(BucketTO bucket, long storeId) {
         } catch (Exception e) {
             throw new CloudRuntimeException(e);
         }
+
+        updateCannedPolicy(storeId, account, bucketName);
+
         return true;
     }
 
diff --git a/plugins/storage/object/minio/src/test/java/org/apache/cloudstack/storage/datastore/driver/MinIOObjectStoreDriverImplTest.java b/plugins/storage/object/minio/src/test/java/org/apache/cloudstack/storage/datastore/driver/MinIOObjectStoreDriverImplTest.java
index 1a8b3d9663a2..d3298a235ca4 100644
--- a/plugins/storage/object/minio/src/test/java/org/apache/cloudstack/storage/datastore/driver/MinIOObjectStoreDriverImplTest.java
+++ b/plugins/storage/object/minio/src/test/java/org/apache/cloudstack/storage/datastore/driver/MinIOObjectStoreDriverImplTest.java
@@ -129,10 +129,15 @@ public void testCreateBucket() throws Exception {
     @Test
     public void testDeleteBucket() throws Exception {
         String bucketName = "test-bucket";
-        BucketTO bucket = new BucketTO(bucketName);
+        BucketVO bucketVO = new BucketVO(1L, 1L, 1L, bucketName, 1, false, false, false, null);
+        BucketTO bucket = new BucketTO(bucketVO);
+        when(accountDao.findById(1L)).thenReturn(account);
+        when(account.getUuid()).thenReturn(UUID.randomUUID().toString());
+        when(bucketDao.listByObjectStoreIdAndAccountId(anyLong(), anyLong())).thenReturn(new ArrayList<BucketVO>());
         doReturn(minioClient).when(minioObjectStoreDriverImpl).getMinIOClient(anyLong());
         when(minioClient.bucketExists(BucketExistsArgs.builder().bucket(bucketName).build())).thenReturn(true);
         doNothing().when(minioClient).removeBucket(RemoveBucketArgs.builder().bucket(bucketName).build());
+        doReturn(minioAdminClient).when(minioObjectStoreDriverImpl).getMinIOAdminClient(anyLong());
         boolean success = minioObjectStoreDriverImpl.deleteBucket(bucket, 1L);
         assertTrue(success);
         verify(minioClient, times(1)).bucketExists(any());
diff --git a/plugins/storage/object/simulator/pom.xml b/plugins/storage/object/simulator/pom.xml
index dc4ab0146067..bd6c6ef99059 100644
--- a/plugins/storage/object/simulator/pom.xml
+++ b/plugins/storage/object/simulator/pom.xml
@@ -46,12 +46,12 @@
         <dependency>
             <groupId>io.minio</groupId>
             <artifactId>minio</artifactId>
-            <version>8.5.2</version>
+            <version>${cs.minio.version}</version>
         </dependency>
         <dependency>
             <groupId>io.minio</groupId>
             <artifactId>minio-admin</artifactId>
-            <version>8.5.2</version>
+            <version>${cs.minio.version}</version>
         </dependency>
     </dependencies>
 </project>
diff --git a/plugins/storage/volume/adaptive/src/main/java/org/apache/cloudstack/storage/datastore/lifecycle/AdaptiveDataStoreLifeCycleImpl.java b/plugins/storage/volume/adaptive/src/main/java/org/apache/cloudstack/storage/datastore/lifecycle/AdaptiveDataStoreLifeCycleImpl.java
index 771f79887e0f..c8efc08c2892 100644
--- a/plugins/storage/volume/adaptive/src/main/java/org/apache/cloudstack/storage/datastore/lifecycle/AdaptiveDataStoreLifeCycleImpl.java
+++ b/plugins/storage/volume/adaptive/src/main/java/org/apache/cloudstack/storage/datastore/lifecycle/AdaptiveDataStoreLifeCycleImpl.java
@@ -217,13 +217,14 @@ public DataStore initialize(Map<String, Object> dsInfos) {
             // validate the provided details are correct/valid for the provider
             api.validate();
 
-            // if we have user-provided capacity bytes, validate they do not exceed the manaaged storage capacity bytes
+            // User-provided capacityBytes always wins; validate against storage stats only when
+            // the provider could actually report them. If the provider cannot (empty pod with no
+            // footprint, no quota set, transient probe failure), fall through and use what the
+            // user supplied rather than failing the whole registration.
             ProviderVolumeStorageStats stats = api.getManagedStorageStats();
-            if (capacityBytes != null && capacityBytes != 0 && stats != null) {
-                if (stats.getCapacityInBytes() > 0) {
-                    if (stats.getCapacityInBytes() < capacityBytes) {
-                        throw new InvalidParameterValueException("Capacity bytes provided exceeds the capacity of the storage endpoint: provided by user: " + capacityBytes + ", storage capacity from storage provider: " + stats.getCapacityInBytes());
-                    }
+            if (capacityBytes != null && capacityBytes > 0) {
+                if (stats != null && stats.getCapacityInBytes() > 0 && stats.getCapacityInBytes() < capacityBytes) {
+                    throw new InvalidParameterValueException("Provided capacity bytes exceed the capacity of the storage endpoint: provided by user: " + capacityBytes + ", storage capacity from storage provider: " + stats.getCapacityInBytes());
                 }
                 parameters.setCapacityBytes(capacityBytes);
             }
diff --git a/plugins/storage/volume/default/src/main/java/org/apache/cloudstack/storage/datastore/driver/CloudStackPrimaryDataStoreDriverImpl.java b/plugins/storage/volume/default/src/main/java/org/apache/cloudstack/storage/datastore/driver/CloudStackPrimaryDataStoreDriverImpl.java
index 5faa377ce3d3..6a7f1d580436 100644
--- a/plugins/storage/volume/default/src/main/java/org/apache/cloudstack/storage/datastore/driver/CloudStackPrimaryDataStoreDriverImpl.java
+++ b/plugins/storage/volume/default/src/main/java/org/apache/cloudstack/storage/datastore/driver/CloudStackPrimaryDataStoreDriverImpl.java
@@ -27,6 +27,7 @@
 import javax.inject.Inject;
 
 import com.cloud.agent.api.to.DiskTO;
+import com.cloud.ha.HighAvailabilityManager;
 import com.cloud.storage.VolumeVO;
 import org.apache.cloudstack.engine.orchestration.service.VolumeOrchestrationService;
 import org.apache.cloudstack.engine.subsystem.api.storage.ChapInfo;
@@ -587,7 +588,7 @@ private boolean anyVolumeRequiresEncryption(DataObject ... objects) {
 
     @Override
     public boolean isStorageSupportHA(StoragePoolType type) {
-        return StoragePoolType.NetworkFilesystem == type;
+        return type != null && HighAvailabilityManager.LIBVIRT_STORAGE_POOL_TYPES_WITH_HA_SUPPORT.contains(type);
     }
 
     @Override
diff --git a/plugins/storage/volume/flasharray/src/main/java/org/apache/cloudstack/storage/datastore/adapter/flasharray/FlashArrayAdapter.java b/plugins/storage/volume/flasharray/src/main/java/org/apache/cloudstack/storage/datastore/adapter/flasharray/FlashArrayAdapter.java
index 41125f3e1135..01207c6d224d 100644
--- a/plugins/storage/volume/flasharray/src/main/java/org/apache/cloudstack/storage/datastore/adapter/flasharray/FlashArrayAdapter.java
+++ b/plugins/storage/volume/flasharray/src/main/java/org/apache/cloudstack/storage/datastore/adapter/flasharray/FlashArrayAdapter.java
@@ -23,7 +23,8 @@
 import java.security.KeyManagementException;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
-import java.text.SimpleDateFormat;
+import java.time.ZoneOffset;
+import java.time.format.DateTimeFormatter;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.Map;
@@ -88,6 +89,9 @@ public class FlashArrayAdapter implements ProviderAdapter {
     static final ObjectMapper mapper = new ObjectMapper();
     public String pod = null;
     public String hostgroup = null;
+    private static final DateTimeFormatter DELETION_TIMESTAMP_FORMAT =
+            DateTimeFormatter.ofPattern("yyyyMMddHHmmss").withZone(ZoneOffset.UTC);
+
     private String username;
     private String password;
     private String accessToken;
@@ -200,28 +204,63 @@ public void detach(ProviderAdapterContext context, ProviderAdapterDataObject dat
 
     @Override
     public void delete(ProviderAdapterContext context, ProviderAdapterDataObject dataObject) {
-        // first make sure we are disconnected
-        removeVlunsAll(context, pod, dataObject.getExternalName());
         String fullName = normalizeName(pod, dataObject.getExternalName());
 
-        FlashArrayVolume volume = new FlashArrayVolume();
+        // Snapshots live under /volume-snapshots and already use the array's
+        // reserved form <volume>.<suffix>, which legitimately contains ".".
+        // The stricter [A-Za-z0-9_-] naming rule applies to regular volume
+        // names and free-form rename targets, not to these reserved snapshot
+        // names. Since FlashArray snapshot names are system-defined rather
+        // than arbitrary rename targets, we skip the usual timestamped rename
+        // and only mark snapshots destroyed; the array's own ".N" suffix
+        // already disambiguates them in the recycle bin.
+        if (dataObject.getType() == ProviderAdapterDataObject.Type.SNAPSHOT) {
+            try {
+                FlashArrayVolume destroy = new FlashArrayVolume();
+                destroy.setDestroyed(true);
+                PATCH("/volume-snapshots?names=" + fullName, destroy, new TypeReference<FlashArrayList<FlashArrayVolume>>() {
+                });
+            } catch (CloudRuntimeException e) {
+                String msg = e.getMessage();
+                if (msg != null && (msg.contains("No such volume or snapshot")
+                        || msg.contains("Volume does not exist"))) {
+                    return;
+                }
+                throw e;
+            }
+            return;
+        }
 
-        // rename as we delete so it doesn't conflict if the template or volume is ever recreated
-        // pure keeps the volume(s) around in a Destroyed bucket for a period of time post delete
-        String timestamp = new SimpleDateFormat("yyyyMMddHHmmss").format(new java.util.Date());
-        volume.setExternalName(fullName + "-" + timestamp);
+        // first make sure we are disconnected
+        removeVlunsAll(context, pod, dataObject.getExternalName());
+
+        // Rename then destroy: FlashArray keeps destroyed volumes in a recycle
+        // bin (default 24h) from which they can be recovered. Renaming with a
+        // deletion timestamp gives operators a forensic trail when browsing the
+        // array - they can see when each destroyed copy was deleted on the
+        // CloudStack side. FlashArray rejects a single PATCH that combines
+        // {name, destroyed}, so the rename and the destroy must be issued as
+        // two separate requests each carrying only its own field.
+        // Use UTC so the rename suffix is stable regardless of the management
+        // server's local timezone or DST changes - operators correlating the
+        // CloudStack delete event with the array's audit log get a consistent
+        // wall-clock value.
+        String timestamp = DELETION_TIMESTAMP_FORMAT.format(java.time.Instant.now());
+        String renamedName = fullName + "-" + timestamp;
 
         try {
-            PATCH("/volumes?names=" + fullName, volume, new TypeReference<FlashArrayList<FlashArrayVolume>>() {
+            FlashArrayVolume rename = new FlashArrayVolume();
+            rename.setExternalName(renamedName);
+            PATCH("/volumes?names=" + fullName, rename, new TypeReference<FlashArrayList<FlashArrayVolume>>() {
             });
 
-            // now delete it with new name
-            volume.setDestroyed(true);
-
-            PATCH("/volumes?names=" + fullName + "-" + timestamp, volume, new TypeReference<FlashArrayList<FlashArrayVolume>>() {
+            FlashArrayVolume destroy = new FlashArrayVolume();
+            destroy.setDestroyed(true);
+            PATCH("/volumes?names=" + renamedName, destroy, new TypeReference<FlashArrayList<FlashArrayVolume>>() {
             });
         } catch (CloudRuntimeException e) {
-            if (e.toString().contains("Volume does not exist")) {
+            String msg = e.getMessage();
+            if (msg != null && msg.contains("Volume does not exist")) {
                 return;
             } else {
                 throw e;
diff --git a/plugins/storage/volume/linstor/src/main/java/com/cloud/hypervisor/kvm/storage/LinstorStorageAdaptor.java b/plugins/storage/volume/linstor/src/main/java/com/cloud/hypervisor/kvm/storage/LinstorStorageAdaptor.java
index 2b11c83c8021..31a41cd94079 100644
--- a/plugins/storage/volume/linstor/src/main/java/com/cloud/hypervisor/kvm/storage/LinstorStorageAdaptor.java
+++ b/plugins/storage/volume/linstor/src/main/java/com/cloud/hypervisor/kvm/storage/LinstorStorageAdaptor.java
@@ -514,6 +514,17 @@ private boolean deRefOrDeleteResource(DevelopersApi api, String rscName, String
                 ApiCallRcList answers = api.resourceDefinitionDelete(rd.getName());
                 checkLinstorAnswersThrow(answers);
                 deleted = true;
+
+                // LINSTOR can return success here while the resource lingers in DELETING state
+                // on the controller (down peer, lost quorum, etc.). Confirm it's actually gone
+                // — if not, log a WARN so operators can clear it manually. Don't throw: the
+                // CloudStack-side accounting has already moved on.
+                if (!LinstorUtil.waitForResourceDefinitionDeleted(api, rd.getName(),
+                        LinstorUtil.DEFAULT_RD_DELETE_VERIFY_TIMEOUT_MILLIS)) {
+                    logger.warn("Linstor: resource {} still present {}ms after delete returned success — " +
+                            "may be stuck in DELETING. Check the LINSTOR controller (linstor resource list).",
+                            rd.getName(), LinstorUtil.DEFAULT_RD_DELETE_VERIFY_TIMEOUT_MILLIS);
+                }
             }
         }
         return deleted;
@@ -585,8 +596,8 @@ private static boolean isSystemTemplate(KVMPhysicalDisk disk) {
         Path propFile = diskPath.getParent().resolve("template.properties");
         if (Files.exists(propFile)) {
             java.util.Properties templateProps = new java.util.Properties();
-            try {
-                templateProps.load(new FileInputStream(propFile.toFile()));
+            try (FileInputStream in = new FileInputStream(propFile.toFile())) {
+                templateProps.load(in);
                 String desc = templateProps.getProperty("description");
                 if (desc != null && desc.startsWith("SystemVM Template")) {
                     return true;
diff --git a/plugins/storage/volume/linstor/src/main/java/com/cloud/hypervisor/kvm/storage/LinstorStoragePool.java b/plugins/storage/volume/linstor/src/main/java/com/cloud/hypervisor/kvm/storage/LinstorStoragePool.java
index bb354bec9b4b..1bcfaa4ebf7f 100644
--- a/plugins/storage/volume/linstor/src/main/java/com/cloud/hypervisor/kvm/storage/LinstorStoragePool.java
+++ b/plugins/storage/volume/linstor/src/main/java/com/cloud/hypervisor/kvm/storage/LinstorStoragePool.java
@@ -228,11 +228,11 @@ public String getHearthBeatPath() {
     public String createHeartBeatCommand(HAStoragePool pool, String hostPrivateIp,
             boolean hostValidation) {
         LOGGER.trace(String.format("Linstor.createHeartBeatCommand: %s, %s, %b", pool.getPoolIp(), hostPrivateIp, hostValidation));
-        boolean isStorageNodeUp = checkingHeartBeat(pool, null);
+        boolean isStorageNodeUp = hasHeartBeat(pool, null);
         if (!isStorageNodeUp && !hostValidation) {
             //restart the host
             LOGGER.debug(String.format("The host [%s] will be restarted because the health check failed for the storage pool [%s]", hostPrivateIp, pool.getPool().getType()));
-            Script cmd = new Script(pool.getPool().getHearthBeatPath(), Duration.millis(HeartBeatUpdateTimeout), LOGGER);
+            Script cmd = new Script(pool.getPool().getHearthBeatPath(), Duration.millis(HeartBeatUpdateTimeoutInMs), LOGGER);
             cmd.add("-c");
             cmd.execute();
             return "Down";
@@ -258,7 +258,7 @@ static String getHostname() {
     }
 
     @Override
-    public Boolean checkingHeartBeat(HAStoragePool pool, HostTO host) {
+    public Boolean hasHeartBeat(HAStoragePool pool, HostTO host) {
         String hostName;
         if (host == null) {
             hostName = localNodeName;
@@ -274,7 +274,7 @@ public Boolean checkingHeartBeat(HAStoragePool pool, HostTO host) {
     }
 
     private String executeDrbdSetupStatus(OutputInterpreter.AllLinesParser parser) {
-        Script sc = new Script("drbdsetup", Duration.millis(HeartBeatUpdateTimeout), LOGGER);
+        Script sc = new Script("drbdsetup", Duration.millis(HeartBeatUpdateTimeoutInMs), LOGGER);
         sc.add("status");
         sc.add("--json");
         return sc.execute(parser);
@@ -329,7 +329,7 @@ private boolean checkDrbdSetupStatusOutput(String output, String otherNodeName)
     }
 
     private String executeDrbdEventsNow(OutputInterpreter.AllLinesParser parser) {
-        Script sc = new Script("drbdsetup", Duration.millis(HeartBeatUpdateTimeout), LOGGER);
+        Script sc = new Script("drbdsetup", Duration.millis(HeartBeatUpdateTimeoutInMs), LOGGER);
         sc.add("events2");
         sc.add("--now");
         return sc.execute(parser);
@@ -369,8 +369,8 @@ private boolean checkHostUpToDateAndConnected(String hostName) {
     }
 
     @Override
-    public Boolean vmActivityCheck(HAStoragePool pool, HostTO host, Duration activityScriptTimeout, String volumeUUIDListString, String vmActivityCheckPath, long duration) {
+    public Boolean hasVmActivity(HAStoragePool pool, HostTO host, Duration activityScriptTimeout, String volumeUUIDListString, String vmActivityCheckPath, long duration) {
         LOGGER.trace(String.format("Linstor.vmActivityCheck: %s, %s", pool.getPoolIp(), host.getPrivateNetwork().getIp()));
-        return checkingHeartBeat(pool, host);
+        return hasHeartBeat(pool, host);
     }
 }
diff --git a/plugins/storage/volume/linstor/src/main/java/org/apache/cloudstack/storage/datastore/driver/LinstorPrimaryDataStoreDriverImpl.java b/plugins/storage/volume/linstor/src/main/java/org/apache/cloudstack/storage/datastore/driver/LinstorPrimaryDataStoreDriverImpl.java
index 3f06bee8ac83..d7451fab18f8 100644
--- a/plugins/storage/volume/linstor/src/main/java/org/apache/cloudstack/storage/datastore/driver/LinstorPrimaryDataStoreDriverImpl.java
+++ b/plugins/storage/volume/linstor/src/main/java/org/apache/cloudstack/storage/datastore/driver/LinstorPrimaryDataStoreDriverImpl.java
@@ -153,6 +153,8 @@ public Map<String, String> getCapabilities()
         // CAN_CREATE_VOLUME_FROM_SNAPSHOT see note from CAN_CREATE_VOLUME_FROM_VOLUME
         mapCapabilities.put(DataStoreCapabilities.CAN_CREATE_VOLUME_FROM_SNAPSHOT.toString(), Boolean.TRUE.toString());
         mapCapabilities.put(DataStoreCapabilities.CAN_REVERT_VOLUME_TO_SNAPSHOT.toString(), Boolean.TRUE.toString());
+        mapCapabilities.put(DataStoreCapabilities.CAN_CREATE_TEMPLATE_FROM_SNAPSHOT.toString(),
+            Boolean.toString(system_snapshot));
 
         return mapCapabilities;
     }
@@ -230,6 +232,20 @@ private void deleteResourceDefinition(StoragePoolVO storagePoolVO, String rscDef
                 throw new CloudRuntimeException("Linstor: Unable to delete resource definition: " + rscDefName);
             }
             logger.info("Linstor: Deleted resource {}", rscDefName);
+
+            // LINSTOR can return success on the delete API call while the resource lingers in
+            // DELETING state (peer issues, lost quorum, satellite down). Verify the resource is
+            // actually gone — if not, log a WARN so operators see it. We deliberately do NOT
+            // throw here: the volume is already considered gone on the CloudStack side, and
+            // throwing would leave the CS DB and LINSTOR in different states.
+            if (!LinstorUtil.waitForResourceDefinitionDeleted(linstorApi, rscDefName,
+                    LinstorUtil.DEFAULT_RD_DELETE_VERIFY_TIMEOUT_MILLIS))
+            {
+                logger.warn("Linstor: resource {} still present {}ms after delete returned success — " +
+                        "may be stuck in DELETING. Check the LINSTOR controller (linstor resource list) " +
+                        "and clear manually if the resource has no live peers.",
+                        rscDefName, LinstorUtil.DEFAULT_RD_DELETE_VERIFY_TIMEOUT_MILLIS);
+            }
         } catch (ApiException apiEx)
         {
             logger.error("Linstor: ApiEx - " + apiEx.getMessage());
@@ -720,6 +736,13 @@ public void revertSnapshot(
         }
     }
 
+    private static boolean canCopySnapshotToVolumeCond(DataObject srcData, DataObject dstData) {
+        return srcData.getType() == DataObjectType.SNAPSHOT && dstData.getType() == DataObjectType.VOLUME
+            && srcData.getDataStore().getRole() == DataStoreRole.Primary
+            && dstData.getDataStore().getRole() == DataStoreRole.Primary
+            && srcData.getDataStore().getId() == dstData.getDataStore().getId();
+    }
+
     private static boolean canCopySnapshotCond(DataObject srcData, DataObject dstData) {
         return srcData.getType() == DataObjectType.SNAPSHOT && dstData.getType() == DataObjectType.SNAPSHOT
             && (dstData.getDataStore().getRole() == DataStoreRole.Image
@@ -747,7 +770,10 @@ public boolean canCopy(DataObject srcData, DataObject dstData)
     {
         logger.debug("LinstorPrimaryDataStoreDriverImpl.canCopy: " + srcData.getType() + " -> " + dstData.getType());
 
-        if (canCopySnapshotCond(srcData, dstData)) {
+        if (canCopySnapshotToVolumeCond(srcData, dstData)) {
+            StoragePoolVO storagePool = _storagePoolDao.findById(srcData.getDataStore().getId());
+            return storagePool.getStorageProviderName().equals(LinstorUtil.PROVIDER_NAME);
+        } else if (canCopySnapshotCond(srcData, dstData)) {
             SnapshotInfo sinfo = (SnapshotInfo) srcData;
             VolumeInfo volume = sinfo.getBaseVolume();
             StoragePoolVO storagePool = _storagePoolDao.findById(volume.getPoolId());
@@ -766,6 +792,18 @@ public boolean canCopy(DataObject srcData, DataObject dstData)
         return false;
     }
 
+    private CopyCommandResult copySnapshotToVolume(SnapshotInfo snapshotInfo, VolumeInfo volumeInfo) {
+        StoragePoolVO storagePoolVO = _storagePoolDao.findById(snapshotInfo.getDataStore().getId());
+        String rscName = LinstorUtil.RSC_PREFIX + volumeInfo.getUuid();
+        createResourceFromSnapshot(snapshotInfo.getId(), rscName, storagePoolVO);
+
+        VolumeObjectTO volumeTO = (VolumeObjectTO) volumeInfo.getTO();
+        volumeTO.setPath(volumeInfo.getUuid());
+        volumeTO.setSize(volumeInfo.getSize());
+
+        return new CopyCommandResult(null, new CopyCmdAnswer(volumeTO));
+    }
+
     @Override
     public void copyAsync(DataObject srcData, DataObject dstData, AsyncCompletionCallback<CopyCommandResult> callback)
     {
@@ -773,7 +811,9 @@ public void copyAsync(DataObject srcData, DataObject dstData, AsyncCompletionCal
             + srcData.getType() + " -> " + dstData.getType());
 
         final CopyCommandResult res;
-        if (canCopySnapshotCond(srcData, dstData)) {
+        if (canCopySnapshotToVolumeCond(srcData, dstData)) {
+            res = copySnapshotToVolume((SnapshotInfo) srcData, (VolumeInfo) dstData);
+        } else if (canCopySnapshotCond(srcData, dstData)) {
             String errMsg = null;
             Answer answer = copySnapshot(srcData, dstData);
             if (answer != null && !answer.getResult()) {
diff --git a/plugins/storage/volume/linstor/src/main/java/org/apache/cloudstack/storage/datastore/util/LinstorUtil.java b/plugins/storage/volume/linstor/src/main/java/org/apache/cloudstack/storage/datastore/util/LinstorUtil.java
index 7c45493dddc4..239331077e1b 100644
--- a/plugins/storage/volume/linstor/src/main/java/org/apache/cloudstack/storage/datastore/util/LinstorUtil.java
+++ b/plugins/storage/volume/linstor/src/main/java/org/apache/cloudstack/storage/datastore/util/LinstorUtil.java
@@ -401,6 +401,58 @@ public static List<ResourceDefinition> getRDListStartingWith(DevelopersApi api,
                 .collect(Collectors.toList());
     }
 
+    /**
+     * Default per-call timeout for {@link #waitForResourceDefinitionDeleted}. Long enough for a
+     * healthy LINSTOR controller to finish a normal delete; short enough not to block the calling
+     * thread for too long if the delete is genuinely stuck. Used both from the management server
+     * (e.g. {@code LinstorPrimaryDataStoreDriverImpl}) and from KVM agent paths.
+     */
+    public static final long DEFAULT_RD_DELETE_VERIFY_TIMEOUT_MILLIS = 30_000L;
+
+    /**
+     * Returns {@code true} if the named resource definition is no longer present on the LINSTOR
+     * controller. Used after a {@code resourceDefinitionDelete} to verify the delete actually
+     * completed (LINSTOR can return success on the API call while the resource lingers in
+     * DELETING state due to peer issues, lost quorum, or down satellites). Uses the
+     * controller-side name filter rather than scanning every RD on the cluster (cheap even
+     * when polled once per second from {@link #waitForResourceDefinitionDeleted}).
+     */
+    public static boolean isResourceDefinitionGone(DevelopersApi api, String rscName) throws ApiException {
+        List<ResourceDefinition> matching =
+                api.resourceDefinitionList(Collections.singletonList(rscName), false, null, null, null);
+        return matching == null || matching.isEmpty();
+    }
+
+    /**
+     * Polls the controller until the named resource definition is gone or the timeout elapses.
+     * Returns {@code true} if the resource was confirmed gone, {@code false} if it was still
+     * present (or the controller kept erroring) at the deadline. Callers should NOT throw on a
+     * {@code false} return — the upstream API call already reported success and the operator
+     * may need to investigate manually. Log a WARN with the resource name instead.
+     */
+    public static boolean waitForResourceDefinitionDeleted(DevelopersApi api, String rscName, long timeoutMillis) {
+        final long deadline = System.currentTimeMillis() + timeoutMillis;
+        while (true) {
+            try {
+                if (isResourceDefinitionGone(api, rscName)) {
+                    return true;
+                }
+            } catch (ApiException e) {
+                LOGGER.debug("LINSTOR delete-verify poll failed for {}: {}", rscName, e.getMessage());
+                // Keep polling — controller may be transiently unavailable.
+            }
+            if (System.currentTimeMillis() >= deadline) {
+                return false;
+            }
+            try {
+                Thread.sleep(1_000L);
+            } catch (InterruptedException ie) {
+                Thread.currentThread().interrupt();
+                return false;
+            }
+        }
+    }
+
     /**
      * Returns a pair list of resource-definitions with ther 1:1 mapped resource-group objects that start with the
      * resource name `startWith`
diff --git a/plugins/storage/volume/linstor/src/main/java/org/apache/cloudstack/storage/motion/LinstorDataMotionStrategy.java b/plugins/storage/volume/linstor/src/main/java/org/apache/cloudstack/storage/motion/LinstorDataMotionStrategy.java
index cab2820f09ae..aa450a8290fb 100644
--- a/plugins/storage/volume/linstor/src/main/java/org/apache/cloudstack/storage/motion/LinstorDataMotionStrategy.java
+++ b/plugins/storage/volume/linstor/src/main/java/org/apache/cloudstack/storage/motion/LinstorDataMotionStrategy.java
@@ -314,6 +314,58 @@ private boolean needsExactSizeProp(VolumeInfo srcVolumeInfo) {
         return true;
     }
 
+    /**
+     * Verify that the destination KVM host is a registered LINSTOR satellite on the controller
+     * backing every destination pool involved in this migration. Throws CloudRuntimeException
+     * with a clear message when it isn't, instead of letting the resource creation later fail
+     * obscurely inside auto-placement.
+     *
+     * Best-effort: a transient controller error during this check does not block the migration
+     * — we log a warning and let the downstream resource-create surface the real issue. Only a
+     * confirmed "host not in node list" outcome aborts the migration up-front.
+     */
+    private void verifyDestinationIsLinstorSatellite(Map<VolumeInfo, DataStore> volumeDataStoreMap, Host destHost) {
+        if (destHost == null || destHost.getName() == null) {
+            // Without a destination host name to match, the only sensible thing is to let the
+            // existing flow run and report whatever it would have reported.
+            return;
+        }
+        for (Map.Entry<VolumeInfo, DataStore> entry : volumeDataStoreMap.entrySet()) {
+            DataStore destDataStore = entry.getValue();
+            StoragePoolVO destStoragePool = _storagePool.findById(destDataStore.getId());
+            if (destStoragePool == null
+                    || destStoragePool.getPoolType() != Storage.StoragePoolType.Linstor) {
+                continue;
+            }
+            DevelopersApi api = LinstorUtil.getLinstorAPI(destStoragePool.getHostAddress());
+            try {
+                List<String> nodes = LinstorUtil.getLinstorNodeNames(api);
+                if (nodes == null) {
+                    logger.warn("LINSTOR controller {} returned null node list; skipping pre-flight",
+                            destStoragePool.getHostAddress());
+                    return;
+                }
+                if (!nodes.contains(destHost.getName())) {
+                    throw new CloudRuntimeException(String.format(
+                            "Cannot migrate to host '%s': it is not a registered LINSTOR satellite on " +
+                                    "controller %s (pool '%s'). Known satellites: %s. Either register the " +
+                                    "host with `linstor node create` or pick a different destination.",
+                            destHost.getName(),
+                            destStoragePool.getHostAddress(),
+                            destStoragePool.getName(),
+                            nodes));
+                }
+            } catch (ApiException apiEx) {
+                // Don't block migration on a transient controller hiccup — log and let the
+                // downstream resource creation handle the real failure.
+                logger.warn("LINSTOR pre-flight check could not contact controller {}: {}; " +
+                                "letting downstream resource creation proceed",
+                        destStoragePool.getHostAddress(), apiEx.getBestMessage());
+                return;
+            }
+        }
+    }
+
     @Override
     public void copyAsync(Map<VolumeInfo, DataStore> volumeDataStoreMap, VirtualMachineTO vmTO, Host srcHost,
             Host destHost, AsyncCompletionCallback<CopyCommandResult> callback) {
@@ -323,6 +375,15 @@ public void copyAsync(Map<VolumeInfo, DataStore> volumeDataStoreMap, VirtualMach
                     String.format("Invalid hypervisor type [%s]. Only KVM supported", srcHost.getHypervisorType()));
         }
 
+        // Pre-flight: verify the destination KVM host is registered as a satellite on the
+        // LINSTOR controller backing each destination pool. Without this check, resource
+        // creation falls through to the resource-group's auto-placement filters and may
+        // either silently place the resource on the wrong node or fail with an opaque
+        // auto-place error from the LINSTOR API. Failing fast here gives operators a clear
+        // actionable message instead of having to correlate the live-migration failure with
+        // an unrelated LINSTOR controller log entry.
+        verifyDestinationIsLinstorSatellite(volumeDataStoreMap, destHost);
+
         String errMsg = null;
         VMInstanceVO vmInstance = _vmDao.findById(vmTO.getId());
         vmTO.setState(vmInstance.getState());
diff --git a/plugins/storage/volume/linstor/src/test/java/org/apache/cloudstack/storage/datastore/driver/LinstorPrimaryDataStoreDriverImplTest.java b/plugins/storage/volume/linstor/src/test/java/org/apache/cloudstack/storage/datastore/driver/LinstorPrimaryDataStoreDriverImplTest.java
index 4653cfa358b0..23266e17f4f0 100644
--- a/plugins/storage/volume/linstor/src/test/java/org/apache/cloudstack/storage/datastore/driver/LinstorPrimaryDataStoreDriverImplTest.java
+++ b/plugins/storage/volume/linstor/src/test/java/org/apache/cloudstack/storage/datastore/driver/LinstorPrimaryDataStoreDriverImplTest.java
@@ -25,13 +25,23 @@
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
+import java.util.Map;
 
+import com.cloud.agent.api.to.DataObjectType;
+import com.cloud.storage.DataStoreRole;
+import org.apache.cloudstack.engine.subsystem.api.storage.DataStore;
+import org.apache.cloudstack.engine.subsystem.api.storage.DataStoreCapabilities;
+import org.apache.cloudstack.engine.subsystem.api.storage.SnapshotInfo;
+import org.apache.cloudstack.engine.subsystem.api.storage.VolumeInfo;
+import org.apache.cloudstack.storage.datastore.db.PrimaryDataStoreDao;
+import org.apache.cloudstack.storage.datastore.db.StoragePoolVO;
 import org.apache.cloudstack.storage.datastore.util.LinstorUtil;
 import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.mockito.InjectMocks;
+import org.mockito.Mock;
 import org.mockito.junit.MockitoJUnitRunner;
 
 import static org.mockito.Mockito.mock;
@@ -42,6 +52,9 @@ public class LinstorPrimaryDataStoreDriverImplTest {
 
     private DevelopersApi api;
 
+    @Mock
+    private PrimaryDataStoreDao _storagePoolDao;
+
     @InjectMocks
     private LinstorPrimaryDataStoreDriverImpl linstorPrimaryDataStoreDriver;
 
@@ -85,4 +98,100 @@ public void testGetEncryptedLayerList() throws ApiException  {
         layers = LinstorUtil.getEncryptedLayerList(api, "EncryptedGrp");
         Assert.assertEquals(Arrays.asList(LayerType.DRBD, LayerType.LUKS, LayerType.STORAGE), layers);
     }
+
+    @Test
+    public void testGetCapabilitiesIncludesCreateTemplateFromSnapshotMatchesSystemSnapshot() {
+        Map<String, String> caps = linstorPrimaryDataStoreDriver.getCapabilities();
+
+        Assert.assertEquals(
+                "CAN_CREATE_TEMPLATE_FROM_SNAPSHOT should match STORAGE_SYSTEM_SNAPSHOT",
+                caps.get(DataStoreCapabilities.STORAGE_SYSTEM_SNAPSHOT.toString()),
+                caps.get(DataStoreCapabilities.CAN_CREATE_TEMPLATE_FROM_SNAPSHOT.toString()));
+    }
+
+    @Test
+    public void testCanCopySnapshotToVolumeOnSamePrimary() {
+        DataStore primaryStore = mock(DataStore.class);
+        when(primaryStore.getRole()).thenReturn(DataStoreRole.Primary);
+        when(primaryStore.getId()).thenReturn(1L);
+
+        SnapshotInfo snapshot = mock(SnapshotInfo.class);
+        when(snapshot.getType()).thenReturn(DataObjectType.SNAPSHOT);
+        when(snapshot.getDataStore()).thenReturn(primaryStore);
+
+        VolumeInfo volume = mock(VolumeInfo.class);
+        when(volume.getType()).thenReturn(DataObjectType.VOLUME);
+        when(volume.getDataStore()).thenReturn(primaryStore);
+
+        StoragePoolVO pool = mock(StoragePoolVO.class);
+        when(pool.getStorageProviderName()).thenReturn(LinstorUtil.PROVIDER_NAME);
+        when(_storagePoolDao.findById(1L)).thenReturn(pool);
+
+        Assert.assertTrue("canCopy should return true for SNAPSHOT -> VOLUME on same Linstor primary",
+                linstorPrimaryDataStoreDriver.canCopy(snapshot, volume));
+    }
+
+    @Test
+    public void testCanCopySnapshotToVolumeRejectsNonLinstor() {
+        DataStore primaryStore = mock(DataStore.class);
+        when(primaryStore.getRole()).thenReturn(DataStoreRole.Primary);
+        when(primaryStore.getId()).thenReturn(1L);
+
+        SnapshotInfo snapshot = mock(SnapshotInfo.class);
+        when(snapshot.getType()).thenReturn(DataObjectType.SNAPSHOT);
+        when(snapshot.getDataStore()).thenReturn(primaryStore);
+
+        VolumeInfo volume = mock(VolumeInfo.class);
+        when(volume.getType()).thenReturn(DataObjectType.VOLUME);
+        when(volume.getDataStore()).thenReturn(primaryStore);
+
+        StoragePoolVO pool = mock(StoragePoolVO.class);
+        when(pool.getStorageProviderName()).thenReturn("SomeOtherProvider");
+        when(_storagePoolDao.findById(1L)).thenReturn(pool);
+
+        Assert.assertFalse("canCopy should return false for non-Linstor storage",
+                linstorPrimaryDataStoreDriver.canCopy(snapshot, volume));
+    }
+
+    @Test
+    public void testCanCopySnapshotToVolumeRejectsCrossPrimary() {
+        DataStore srcStore = mock(DataStore.class);
+        when(srcStore.getRole()).thenReturn(DataStoreRole.Primary);
+        when(srcStore.getId()).thenReturn(1L);
+
+        DataStore destStore = mock(DataStore.class);
+        when(destStore.getRole()).thenReturn(DataStoreRole.Primary);
+        when(destStore.getId()).thenReturn(2L);
+
+        SnapshotInfo snapshot = mock(SnapshotInfo.class);
+        when(snapshot.getType()).thenReturn(DataObjectType.SNAPSHOT);
+        when(snapshot.getDataStore()).thenReturn(srcStore);
+
+        VolumeInfo volume = mock(VolumeInfo.class);
+        when(volume.getType()).thenReturn(DataObjectType.VOLUME);
+        when(volume.getDataStore()).thenReturn(destStore);
+
+        Assert.assertFalse("canCopy should return false for SNAPSHOT -> VOLUME across different primary stores",
+                linstorPrimaryDataStoreDriver.canCopy(snapshot, volume));
+    }
+
+    @Test
+    public void testCanCopySnapshotToVolumeRejectsImageDest() {
+        DataStore primaryStore = mock(DataStore.class);
+        when(primaryStore.getRole()).thenReturn(DataStoreRole.Primary);
+
+        DataStore imageStore = mock(DataStore.class);
+        when(imageStore.getRole()).thenReturn(DataStoreRole.Image);
+
+        SnapshotInfo snapshot = mock(SnapshotInfo.class);
+        when(snapshot.getType()).thenReturn(DataObjectType.SNAPSHOT);
+        when(snapshot.getDataStore()).thenReturn(primaryStore);
+
+        VolumeInfo volume = mock(VolumeInfo.class);
+        when(volume.getType()).thenReturn(DataObjectType.VOLUME);
+        when(volume.getDataStore()).thenReturn(imageStore);
+
+        Assert.assertFalse("canCopy should return false when destination is Image store",
+                linstorPrimaryDataStoreDriver.canCopy(snapshot, volume));
+    }
 }
diff --git a/plugins/storage/volume/ontap/README.md b/plugins/storage/volume/ontap/README.md
new file mode 100644
index 000000000000..e7e066aafb55
--- /dev/null
+++ b/plugins/storage/volume/ontap/README.md
@@ -0,0 +1,123 @@
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied.  See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+
+# Apache CloudStack - NetApp ONTAP Storage Plugin
+
+## Overview
+
+The NetApp ONTAP Storage Plugin provides integration between Apache CloudStack and NetApp ONTAP storage systems. This plugin enables CloudStack to provision and manage primary storage on ONTAP clusters, supporting both NAS (NFS) and SAN (iSCSI) protocols.
+
+## Features
+
+- **Primary Storage Support**: Provision and manage primary storage pools on NetApp ONTAP
+- **Multiple Protocols**: Support for NFS 3.0 and iSCSI protocols
+- **Unified Storage**: Integration with traditional ONTAP unified storage architecture
+- **KVM Hypervisor Support**: Supports KVM hypervisor environments
+- **Managed Storage**: Operates as managed storage with full lifecycle management
+- **Flexible Scoping**: Support for Zone-wide and Cluster-scoped storage pools
+
+## Architecture
+
+### Component Structure
+
+| Package | Description                                           |
+|---------|-------------------------------------------------------|
+| `driver` | Primary datastore driver implementation               |
+| `feign` | REST API clients and data models for ONTAP operations |
+| `lifecycle` | Storage pool lifecycle management                     |
+| `listener` | Host connection event handlers                        |
+| `provider` | Main provider and strategy factory                    |
+| `service` | ONTAP Storage strategy implementations (NAS/SAN)      |
+| `utils` | Constants and helper utilities                        |
+
+## Requirements
+
+### ONTAP Requirements
+
+- NetApp ONTAP 9.15.1 or higher
+- Storage Virtual Machine (SVM) configured with appropriate protocols enabled
+- Management LIF accessible from CloudStack management server
+- Data LIF(s) accessible from hypervisor hosts and are of IPv4 type
+- Aggregates assigned to the SVM with sufficient capacity
+
+### CloudStack Requirements
+
+- Apache CloudStack current version or higher
+- KVM hypervisor hosts
+- For iSCSI: Hosts must have iSCSI initiator configured with valid IQN
+- For NFS: Hosts must have NFS client packages installed
+
+### Minimum Volume Size
+
+ONTAP requires a minimum volume size of **1.56 GB** (1,677,721,600 bytes). The plugin will automatically adjust requested sizes below this threshold.
+
+## Configuration
+
+### Storage Pool Creation Parameters
+
+When creating an ONTAP primary storage pool, provide the following details in the URL field (semicolon-separated key=value pairs):
+
+| Parameter | Required | Description |
+|-----------|----------|-------------|
+| `username` | Yes | ONTAP cluster admin username |
+| `password` | Yes | ONTAP cluster admin password |
+| `svmName` | Yes | Storage Virtual Machine name |
+| `protocol` | Yes | Storage protocol (`NFS3` or `ISCSI`) |
+| `managementLIF` | Yes | ONTAP cluster management LIF IP address |
+
+### Example URL Format
+
+```
+username=admin;password=secretpass;svmName=svm1;protocol=ISCSI;managementLIF=192.168.1.100
+```
+
+## Port Configuration
+
+| Protocol | Default Port |
+|----------|--------------|
+| NFS | 2049 |
+| iSCSI | 3260 |
+| ONTAP Management API | 443 (HTTPS) |
+
+## Limitations
+
+- Supports only **KVM** hypervisor
+- Supports only **Unified ONTAP** storage (disaggregated not supported)
+- Supports only **NFS3** and **iSCSI** protocols
+- IPv6 type and FQDN LIFs are not supported
+
+## Troubleshooting
+
+### Common Issues
+
+1. **Connection Failures**
+    - Verify management LIF is reachable from CloudStack management server
+    - Check firewall rules for port 443
+
+2. **Protocol Errors**
+    - Ensure the protocol (NFS/iSCSI) is enabled on the SVM
+    - Verify Data LIFs are configured for the protocol
+
+3. **Capacity Errors**
+    - Check aggregate space availability
+    - Ensure requested volume size meets minimum requirements (1.56 GB)
+
+4. **Host Connection Issues**
+    - For iSCSI: Verify host IQN is properly configured in host's storage URL
+    - For NFS: Ensure NFS client is installed and running
diff --git a/plugins/storage/volume/ontap/pom.xml b/plugins/storage/volume/ontap/pom.xml
new file mode 100644
index 000000000000..749d876911b8
--- /dev/null
+++ b/plugins/storage/volume/ontap/pom.xml
@@ -0,0 +1,169 @@
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied.  See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <artifactId>cloud-plugin-storage-volume-ontap</artifactId>
+    <name>Apache CloudStack Plugin - Storage Volume ONTAP Provider</name>
+    <parent>
+        <groupId>org.apache.cloudstack</groupId>
+        <artifactId>cloudstack-plugins</artifactId>
+        <version>4.23.0.0-SNAPSHOT</version>
+        <relativePath>../../../pom.xml</relativePath>
+    </parent>
+    <properties>
+        <spring-cloud.version>2021.0.7</spring-cloud.version>
+        <openfeign.version>11.0</openfeign.version>
+        <httpclient.version>4.5.14</httpclient.version>
+        <swagger-annotations.version>1.6.2</swagger-annotations.version>
+        <maven-compiler-plugin.version>3.8.1</maven-compiler-plugin.version>
+        <maven-surefire-plugin.version>2.22.2</maven-surefire-plugin.version>
+        <jackson-databind.version>2.13.4</jackson-databind.version>
+        <assertj.version>3.24.2</assertj.version>
+        <junit-jupiter.version>5.8.1</junit-jupiter.version>
+        <mockito.version>3.12.4</mockito.version>
+        <mockito-junit-jupiter.version>5.2.0</mockito-junit-jupiter.version>
+    </properties>
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>org.springframework.cloud</groupId>
+                <artifactId>spring-cloud-dependencies</artifactId>
+                <version>${spring-cloud.version}</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.cloudstack</groupId>
+            <artifactId>cloud-plugin-storage-volume-default</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>io.github.openfeign</groupId>
+            <artifactId>feign-core</artifactId>
+            <version>${openfeign.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>io.github.openfeign</groupId>
+            <artifactId>feign-httpclient</artifactId>
+            <version>${openfeign.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>io.github.openfeign</groupId>
+            <artifactId>feign-jackson</artifactId>
+            <version>${openfeign.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-databind</artifactId>
+            <version>${jackson-databind.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.httpcomponents</groupId>
+            <artifactId>httpclient</artifactId>
+            <version>${httpclient.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.cloudstack</groupId>
+            <artifactId>cloud-engine-storage-volume</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>io.swagger</groupId>
+            <artifactId>swagger-annotations</artifactId>
+            <version>${swagger-annotations.version}</version>
+        </dependency>
+        <!-- JUnit 5 -->
+        <dependency>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter-engine</artifactId>
+            <version>${junit-jupiter.version}</version>
+            <scope>test</scope>
+        </dependency>
+
+        <!-- Mockito -->
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-core</artifactId>
+            <version>${mockito.version}</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-junit-jupiter</artifactId>
+            <version>${mockito-junit-jupiter.version}</version>
+            <scope>test</scope>
+        </dependency>
+
+        <!-- Mockito Inline (for static method mocking) -->
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-inline</artifactId>
+            <version>${mockito.version}</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.assertj</groupId>
+            <artifactId>assertj-core</artifactId>
+            <version>${assertj.version}</version>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+    <repositories>
+        <repository>
+            <id>central</id>
+            <name>Maven Central</name>
+            <url>https://repo.maven.apache.org/maven2</url>
+        </repository>
+    </repositories>
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <version>${maven-compiler-plugin.version}</version>
+                <configuration>
+                    <source>11</source>
+                    <target>11</target>
+                </configuration>
+            </plugin>
+            <plugin>
+                <artifactId>maven-surefire-plugin</artifactId>
+                <version>${maven-surefire-plugin.version}</version>
+                <configuration>
+                    <skipTests>false</skipTests>
+                    <includes>
+                        <include>**/*Test.java</include>
+                    </includes>
+                </configuration>
+                <executions>
+                    <execution>
+                        <phase>integration-test</phase>
+                        <goals>
+                            <goal>test</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+</project>
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/driver/OntapPrimaryDatastoreDriver.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/driver/OntapPrimaryDatastoreDriver.java
new file mode 100644
index 000000000000..305db1b1f2fa
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/driver/OntapPrimaryDatastoreDriver.java
@@ -0,0 +1,188 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cloudstack.storage.driver;
+
+import com.cloud.agent.api.to.DataStoreTO;
+import com.cloud.agent.api.to.DataTO;
+import com.cloud.host.Host;
+import com.cloud.storage.Storage;
+import com.cloud.storage.StoragePool;
+import com.cloud.storage.Volume;
+import com.cloud.utils.Pair;
+import org.apache.cloudstack.engine.subsystem.api.storage.ChapInfo;
+import org.apache.cloudstack.engine.subsystem.api.storage.CopyCommandResult;
+import org.apache.cloudstack.engine.subsystem.api.storage.CreateCmdResult;
+import org.apache.cloudstack.engine.subsystem.api.storage.DataObject;
+import org.apache.cloudstack.engine.subsystem.api.storage.DataStore;
+import org.apache.cloudstack.engine.subsystem.api.storage.DataStoreCapabilities;
+import org.apache.cloudstack.engine.subsystem.api.storage.PrimaryDataStoreDriver;
+import org.apache.cloudstack.engine.subsystem.api.storage.SnapshotInfo;
+import org.apache.cloudstack.engine.subsystem.api.storage.TemplateInfo;
+import org.apache.cloudstack.engine.subsystem.api.storage.VolumeInfo;
+import org.apache.cloudstack.framework.async.AsyncCompletionCallback;
+import org.apache.cloudstack.storage.command.CommandResult;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+
+import java.util.HashMap;
+import java.util.Map;
+
+public class OntapPrimaryDatastoreDriver implements PrimaryDataStoreDriver {
+
+    private static final Logger logger = LogManager.getLogger(OntapPrimaryDatastoreDriver.class);
+
+    @Override
+    public Map<String, String> getCapabilities() {
+        logger.trace("OntapPrimaryDatastoreDriver: getCapabilities: Called");
+        Map<String, String> mapCapabilities = new HashMap<>();
+        mapCapabilities.put(DataStoreCapabilities.STORAGE_SYSTEM_SNAPSHOT.toString(), Boolean.FALSE.toString());
+        mapCapabilities.put(DataStoreCapabilities.CAN_CREATE_VOLUME_FROM_SNAPSHOT.toString(), Boolean.FALSE.toString());
+
+        return mapCapabilities;
+    }
+
+    @Override
+    public DataTO getTO(DataObject data) {
+        return null;
+    }
+
+    @Override
+    public DataStoreTO getStoreTO(DataStore store) { return null; }
+
+    @Override
+    public void createAsync(DataStore dataStore, DataObject dataObject, AsyncCompletionCallback<CreateCmdResult> callback) {
+        throw new UnsupportedOperationException("Create operation is not supported for ONTAP primary storage.");
+    }
+
+    @Override
+    public void deleteAsync(DataStore store, DataObject data, AsyncCompletionCallback<CommandResult> callback) {
+        throw new UnsupportedOperationException("Delete operation is not supported for ONTAP primary storage.");
+    }
+
+    @Override
+    public void copyAsync(DataObject srcData, DataObject destData, AsyncCompletionCallback<CopyCommandResult> callback) {
+        throw new UnsupportedOperationException("Copy operation is not supported for ONTAP primary storage.");
+    }
+
+    @Override
+    public void copyAsync(DataObject srcData, DataObject destData, Host destHost, AsyncCompletionCallback<CopyCommandResult> callback) {
+        throw new UnsupportedOperationException("Copy operation is not supported for ONTAP primary storage.");
+    }
+
+    @Override
+    public boolean canCopy(DataObject srcData, DataObject destData) {
+        return false;
+    }
+
+    @Override
+    public void resize(DataObject data, AsyncCompletionCallback<CreateCmdResult> callback) {}
+
+    @Override
+    public ChapInfo getChapInfo(DataObject dataObject) {
+        return null;
+    }
+
+    @Override
+    public boolean grantAccess(DataObject dataObject, Host host, DataStore dataStore) {
+       return false;
+    }
+
+    @Override
+    public void revokeAccess(DataObject dataObject, Host host, DataStore dataStore) {
+        throw new UnsupportedOperationException("Revoke access operation is not supported for ONTAP primary storage.");
+    }
+
+    @Override
+    public long getDataObjectSizeIncludingHypervisorSnapshotReserve(DataObject dataObject, StoragePool storagePool) {
+        return 0;
+    }
+
+    @Override
+    public long getBytesRequiredForTemplate(TemplateInfo templateInfo, StoragePool storagePool) {
+        return 0;
+    }
+
+    @Override
+    public long getUsedBytes(StoragePool storagePool) {
+        return 0;
+    }
+
+    @Override
+    public long getUsedIops(StoragePool storagePool) {
+        return 0;
+    }
+
+    @Override
+    public void takeSnapshot(SnapshotInfo snapshot, AsyncCompletionCallback<CreateCmdResult> callback) {}
+
+    @Override
+    public void revertSnapshot(SnapshotInfo snapshotOnImageStore, SnapshotInfo snapshotOnPrimaryStore, AsyncCompletionCallback<CommandResult> callback) {}
+
+    @Override
+    public void handleQualityOfServiceForVolumeMigration(VolumeInfo volumeInfo, QualityOfServiceState qualityOfServiceState) {}
+
+    @Override
+    public boolean canProvideStorageStats() {
+        return false;
+    }
+
+    @Override
+    public Pair<Long, Long> getStorageStats(StoragePool storagePool) {
+        return null;
+    }
+
+    @Override
+    public boolean canProvideVolumeStats() {
+        return true;
+    }
+
+    @Override
+    public Pair<Long, Long> getVolumeStats(StoragePool storagePool, String volumeId) {
+        return null;
+    }
+
+    @Override
+    public boolean canHostAccessStoragePool(Host host, StoragePool pool) {
+        return true;
+    }
+
+    @Override
+    public boolean isVmInfoNeeded() {
+        return true;
+    }
+
+    @Override
+    public void provideVmInfo(long vmId, long volumeId) {}
+
+    @Override
+    public boolean isVmTagsNeeded(String tagKey) {
+        return true;
+    }
+
+    @Override
+    public void provideVmTags(long vmId, long volumeId, String tagValue) {}
+
+    @Override
+    public boolean isStorageSupportHA(Storage.StoragePoolType type) {
+        return true;
+    }
+
+    @Override
+    public void detachVolumeFromAllStorageNodes(Volume volume) {}
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/FeignClientFactory.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/FeignClientFactory.java
new file mode 100644
index 000000000000..3bbf3aaaafc4
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/FeignClientFactory.java
@@ -0,0 +1,45 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cloudstack.storage.feign;
+
+import feign.Feign;
+
+public class FeignClientFactory {
+
+    private final FeignConfiguration feignConfiguration;
+
+    public FeignClientFactory() {
+        this.feignConfiguration = new FeignConfiguration();
+    }
+
+    public FeignClientFactory(FeignConfiguration feignConfiguration) {
+        this.feignConfiguration = feignConfiguration;
+    }
+
+    public <T> T createClient(Class<T> clientClass, String baseURL) {
+        return Feign.builder()
+                .client(feignConfiguration.createClient())
+                .encoder(feignConfiguration.createEncoder())
+                .decoder(feignConfiguration.createDecoder())
+                .retryer(feignConfiguration.createRetryer())
+                .requestInterceptor(feignConfiguration.createRequestInterceptor())
+                .target(clientClass, baseURL);
+    }
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/FeignConfiguration.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/FeignConfiguration.java
new file mode 100644
index 000000000000..866147ad64f5
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/FeignConfiguration.java
@@ -0,0 +1,158 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cloudstack.storage.feign;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import feign.RequestInterceptor;
+import feign.Retryer;
+import feign.Client;
+import feign.httpclient.ApacheHttpClient;
+import feign.codec.Decoder;
+import feign.codec.Encoder;
+import feign.Response;
+import feign.codec.DecodeException;
+import feign.codec.EncodeException;
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.DeserializationFeature;
+import org.apache.http.conn.ConnectionKeepAliveStrategy;
+import org.apache.http.conn.ssl.NoopHostnameVerifier;
+import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
+import org.apache.http.conn.ssl.TrustAllStrategy;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.impl.client.HttpClientBuilder;
+import org.apache.http.ssl.SSLContexts;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+
+import javax.net.ssl.SSLContext;
+import java.io.IOException;
+import java.io.InputStream;
+import java.lang.reflect.Type;
+import java.nio.charset.StandardCharsets;
+import java.util.concurrent.TimeUnit;
+
+public class FeignConfiguration {
+    private static final Logger logger = LogManager.getLogger(FeignConfiguration.class);
+
+    private final int retryMaxAttempt = 3;
+    private final int retryMaxIntervalInSecs = 5;
+    private final String ontapFeignMaxConnection = "80";
+    private final String ontapFeignMaxConnectionPerRoute = "20";
+    private final ObjectMapper objectMapper;
+
+    public FeignConfiguration() {
+        this.objectMapper = new ObjectMapper();
+        this.objectMapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
+    }
+
+    public Client createClient() {
+        int maxConn;
+        int maxConnPerRoute;
+        try {
+            maxConn = Integer.parseInt(this.ontapFeignMaxConnection);
+        } catch (Exception e) {
+            logger.error("ontapFeignClient: parse max connection failed, using default");
+            maxConn = 20;
+        }
+        try {
+            maxConnPerRoute = Integer.parseInt(this.ontapFeignMaxConnectionPerRoute);
+        } catch (Exception e) {
+            logger.error("ontapFeignClient: parse max connection per route failed, using default");
+            maxConnPerRoute = 2;
+        }
+        logger.debug("ontapFeignClient: maxConn={}, maxConnPerRoute={}", maxConn, maxConnPerRoute);
+        ConnectionKeepAliveStrategy keepAliveStrategy = (response, context) -> 0;
+        CloseableHttpClient httpClient = HttpClientBuilder.create()
+                .setMaxConnTotal(maxConn)
+                .setMaxConnPerRoute(maxConnPerRoute)
+                .setKeepAliveStrategy(keepAliveStrategy)
+                .setSSLSocketFactory(getSSLSocketFactory())
+                .setConnectionTimeToLive(60, TimeUnit.SECONDS)
+                .build();
+        return new ApacheHttpClient(httpClient);
+    }
+
+    private SSLConnectionSocketFactory getSSLSocketFactory() {
+        try {
+            SSLContext sslContext = SSLContexts.custom().loadTrustMaterial(null, new TrustAllStrategy()).build();
+            return new SSLConnectionSocketFactory(sslContext, new NoopHostnameVerifier());
+        } catch (Exception ex) {
+            throw new RuntimeException(ex);
+        }
+    }
+
+    public RequestInterceptor createRequestInterceptor() {
+        return template -> {
+            logger.info("Feign Request URL: {}", template.url());
+            logger.info("HTTP Method: {}", template.method());
+            logger.trace("Headers: {}", template.headers());
+            if (template.body() != null) {
+                logger.info("Body: {}", new String(template.body(), StandardCharsets.UTF_8));
+            }
+        };
+    }
+
+    public Retryer createRetryer() {
+        return new Retryer.Default(1000L, retryMaxIntervalInSecs * 1000L, retryMaxAttempt);
+    }
+
+    public Encoder createEncoder() {
+        return new Encoder() {
+            @Override
+            public void encode(Object object, Type bodyType, feign.RequestTemplate template) throws EncodeException {
+                if (object == null) {
+                    template.body(null, StandardCharsets.UTF_8);
+                    return;
+                }
+                try {
+                    byte[] jsonBytes = objectMapper.writeValueAsBytes(object);
+                    template.body(jsonBytes, StandardCharsets.UTF_8);
+                    template.header("Content-Type", "application/json");
+                } catch (JsonProcessingException e) {
+                    throw new EncodeException("Error encoding object to JSON", e);
+                }
+            }
+        };
+    }
+
+    public Decoder createDecoder() {
+        return new Decoder() {
+            @Override
+            public Object decode(Response response, Type type) throws IOException, DecodeException {
+                if (response.body() == null) {
+                    logger.debug("Response body is null, returning null");
+                    return null;
+                }
+                String json = null;
+                try (InputStream bodyStream = response.body().asInputStream()) {
+                    json = new String(bodyStream.readAllBytes(), StandardCharsets.UTF_8);
+                    logger.debug("Decoding JSON response: {}", json);
+                    return objectMapper.readValue(json, objectMapper.getTypeFactory().constructType(type));
+                } catch (IOException e) {
+                    logger.error("IOException during decoding. Status: {}, Raw body: {}", response.status(), json, e);
+                    throw new DecodeException(response.status(), "Error decoding JSON response", response.request(), e);
+                } catch (Exception e) {
+                    logger.error("Unexpected error during decoding. Status: {}, Type: {}, Raw body: {}", response.status(), type, json, e);
+                    throw new DecodeException(response.status(), "Unexpected error during decoding", response.request(), e);
+                }
+            }
+        };
+    }
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/client/AggregateFeignClient.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/client/AggregateFeignClient.java
new file mode 100644
index 000000000000..f756c3d32f18
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/client/AggregateFeignClient.java
@@ -0,0 +1,37 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cloudstack.storage.feign.client;
+
+import org.apache.cloudstack.storage.feign.model.Aggregate;
+import org.apache.cloudstack.storage.feign.model.response.OntapResponse;
+import feign.Headers;
+import feign.Param;
+import feign.RequestLine;
+
+public interface AggregateFeignClient {
+
+    @RequestLine("GET /api/storage/aggregates")
+    @Headers({"Authorization: {authHeader}"})
+    OntapResponse<Aggregate> getAggregateResponse(@Param("authHeader") String authHeader);
+
+    @RequestLine("GET /api/storage/aggregates/{uuid}")
+    @Headers({"Authorization: {authHeader}"})
+    Aggregate getAggregateByUUID(@Param("authHeader") String authHeader, @Param("uuid") String uuid);
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/client/ClusterFeignClient.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/client/ClusterFeignClient.java
new file mode 100644
index 000000000000..582fb58e6f3b
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/client/ClusterFeignClient.java
@@ -0,0 +1,32 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cloudstack.storage.feign.client;
+
+import org.apache.cloudstack.storage.feign.model.Cluster;
+import feign.Headers;
+import feign.Param;
+import feign.RequestLine;
+
+public interface ClusterFeignClient {
+
+    @RequestLine("GET /api/cluster")
+    @Headers({"Authorization: {authHeader}", "return_records: {returnRecords}"})
+    Cluster getCluster(@Param("authHeader") String authHeader, @Param("returnRecords") boolean returnRecords);
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/client/JobFeignClient.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/client/JobFeignClient.java
new file mode 100644
index 000000000000..535e112d9eb3
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/client/JobFeignClient.java
@@ -0,0 +1,31 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cloudstack.storage.feign.client;
+
+import org.apache.cloudstack.storage.feign.model.Job;
+import feign.Headers;
+import feign.Param;
+import feign.RequestLine;
+
+public interface JobFeignClient {
+
+    @RequestLine("GET /api/cluster/jobs/{uuid}")
+    @Headers({"Authorization: {authHeader}"})
+    Job getJobByUUID(@Param("authHeader") String authHeader, @Param("uuid") String uuid);
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/client/NASFeignClient.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/client/NASFeignClient.java
new file mode 100644
index 000000000000..f48f83dc28de
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/client/NASFeignClient.java
@@ -0,0 +1,86 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cloudstack.storage.feign.client;
+
+import feign.QueryMap;
+import org.apache.cloudstack.storage.feign.model.ExportPolicy;
+import org.apache.cloudstack.storage.feign.model.FileInfo;
+import org.apache.cloudstack.storage.feign.model.response.OntapResponse;
+import feign.Headers;
+import feign.Param;
+import feign.RequestLine;
+
+import java.util.Map;
+
+public interface NASFeignClient {
+
+    // File Operations
+    @RequestLine("GET /api/storage/volumes/{volumeUuid}/files/{path}")
+    @Headers({"Authorization: {authHeader}"})
+    OntapResponse<FileInfo> getFileResponse(@Param("authHeader") String authHeader,
+                                            @Param("volumeUuid") String volumeUUID,
+                                            @Param("path") String filePath);
+
+    @RequestLine("DELETE /api/storage/volumes/{volumeUuid}/files/{path}")
+    @Headers({"Authorization: {authHeader}"})
+    void deleteFile(@Param("authHeader") String authHeader,
+                    @Param("volumeUuid") String volumeUUID,
+                    @Param("path") String filePath);
+
+    @RequestLine("PATCH /api/storage/volumes/{volumeUuid}/files/{path}")
+    @Headers({"Authorization: {authHeader}"})
+    void updateFile(@Param("authHeader") String authHeader,
+                    @Param("volumeUuid") String volumeUUID,
+                    @Param("path") String filePath,
+                    FileInfo fileInfo);
+
+    @RequestLine("POST /api/storage/volumes/{volumeUuid}/files/{path}")
+    @Headers({"Authorization: {authHeader}"})
+    void createFile(@Param("authHeader") String authHeader,
+                    @Param("volumeUuid") String volumeUUID,
+                    @Param("path") String filePath,
+                    FileInfo file);
+
+    // Export Policy Operations
+    @RequestLine("POST /api/protocols/nfs/export-policies")
+    @Headers({"Authorization: {authHeader}"})
+    void createExportPolicy(@Param("authHeader") String authHeader,
+                                    ExportPolicy exportPolicy);
+
+    @RequestLine("GET /api/protocols/nfs/export-policies")
+    @Headers({"Authorization: {authHeader}"})
+    OntapResponse<ExportPolicy> getExportPolicyResponse(@Param("authHeader") String authHeader, @QueryMap Map<String, Object> queryMap);
+
+    @RequestLine("GET /api/protocols/nfs/export-policies/{id}")
+    @Headers({"Authorization: {authHeader}"})
+    ExportPolicy getExportPolicyById(@Param("authHeader") String authHeader,
+                                                    @Param("id") String id);
+
+    @RequestLine("DELETE /api/protocols/nfs/export-policies/{id}")
+    @Headers({"Authorization: {authHeader}"})
+    void deleteExportPolicyById(@Param("authHeader") String authHeader,
+                                @Param("id") String id);
+
+    @RequestLine("PATCH /api/protocols/nfs/export-policies/{id}")
+    @Headers({"Authorization: {authHeader}"})
+    OntapResponse<ExportPolicy> updateExportPolicy(@Param("authHeader") String authHeader,
+                                                   @Param("id") String id,
+                                                   ExportPolicy request);
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/client/NetworkFeignClient.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/client/NetworkFeignClient.java
new file mode 100644
index 000000000000..4dc82a68238e
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/client/NetworkFeignClient.java
@@ -0,0 +1,34 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cloudstack.storage.feign.client;
+
+import feign.Headers;
+import feign.Param;
+import feign.QueryMap;
+import feign.RequestLine;
+import org.apache.cloudstack.storage.feign.model.IpInterface;
+import org.apache.cloudstack.storage.feign.model.response.OntapResponse;
+
+import java.util.Map;
+
+public interface NetworkFeignClient {
+    @RequestLine("GET /api/network/ip/interfaces")
+    @Headers({"Authorization: {authHeader}"})
+    OntapResponse<IpInterface> getNetworkIpInterfaces(@Param("authHeader") String authHeader, @QueryMap Map<String, Object> queryParams);
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/client/SANFeignClient.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/client/SANFeignClient.java
new file mode 100644
index 000000000000..5cbba9d683d2
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/client/SANFeignClient.java
@@ -0,0 +1,91 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cloudstack.storage.feign.client;
+
+import feign.QueryMap;
+import org.apache.cloudstack.storage.feign.model.Igroup;
+import org.apache.cloudstack.storage.feign.model.IscsiService;
+import org.apache.cloudstack.storage.feign.model.Lun;
+import org.apache.cloudstack.storage.feign.model.LunMap;
+import org.apache.cloudstack.storage.feign.model.response.OntapResponse;
+import feign.Headers;
+import feign.Param;
+import feign.RequestLine;
+import java.util.Map;
+
+public interface SANFeignClient {
+    // iSCSI Service APIs
+    @RequestLine("GET /api/protocols/san/iscsi/services")
+    @Headers({"Authorization: {authHeader}"})
+    OntapResponse<IscsiService> getIscsiServices(@Param("authHeader") String authHeader, @QueryMap Map<String, Object> queryMap);
+
+    // LUN Operation APIs
+    @RequestLine("POST /api/storage/luns?return_records={returnRecords}")
+    @Headers({"Authorization: {authHeader}"})
+    OntapResponse<Lun> createLun(@Param("authHeader") String authHeader, @Param("returnRecords") boolean returnRecords, Lun lun);
+
+    @RequestLine("GET /api/storage/luns")
+    @Headers({"Authorization: {authHeader}"})
+    OntapResponse<Lun> getLunResponse(@Param("authHeader") String authHeader, @QueryMap Map<String, Object> queryMap);
+
+    @RequestLine("GET /{uuid}")
+    @Headers({"Authorization: {authHeader}"})
+    Lun getLunByUUID(@Param("authHeader") String authHeader, @Param("uuid") String uuid);
+
+    @RequestLine("PATCH /{uuid}")
+    @Headers({"Authorization: {authHeader}"})
+    void updateLun(@Param("authHeader") String authHeader, @Param("uuid") String uuid, Lun lun);
+
+    @RequestLine("DELETE /api/storage/luns/{uuid}")
+    @Headers({"Authorization: {authHeader}"})
+    void deleteLun(@Param("authHeader") String authHeader, @Param("uuid") String uuid, @QueryMap Map<String, Object> queryMap);
+
+    // iGroup Operation APIs
+    @RequestLine("POST /api/protocols/san/igroups?return_records={returnRecords}")
+    @Headers({"Authorization: {authHeader}"})
+    OntapResponse<Igroup> createIgroup(@Param("authHeader") String authHeader, @Param("returnRecords") boolean returnRecords, Igroup igroupRequest);
+
+    @RequestLine("GET /api/protocols/san/igroups")
+    @Headers({"Authorization: {authHeader}"})
+    OntapResponse<Igroup> getIgroupResponse(@Param("authHeader") String authHeader, @QueryMap Map<String, Object> queryMap);
+
+    @RequestLine("GET /{uuid}")
+    @Headers({"Authorization: {authHeader}"})
+    Igroup getIgroupByUUID(@Param("authHeader") String authHeader, @Param("uuid") String uuid);
+
+    @RequestLine("DELETE /api/protocols/san/igroups/{uuid}")
+    @Headers({"Authorization: {authHeader}"})
+    void deleteIgroup(@Param("authHeader") String authHeader, @Param("uuid") String uuid);
+
+    // LUN Maps Operation APIs
+    @RequestLine("POST /api/protocols/san/lun-maps")
+    @Headers({"Authorization: {authHeader}", "return_records: {returnRecords}"})
+    OntapResponse<LunMap> createLunMap(@Param("authHeader") String authHeader, @Param("returnRecords") boolean returnRecords, LunMap lunMap);
+
+
+    @RequestLine("GET /api/protocols/san/lun-maps")
+    @Headers({"Authorization: {authHeader}"})
+    OntapResponse<LunMap> getLunMapResponse(@Param("authHeader") String authHeader,  @QueryMap Map<String, Object> queryMap);
+
+    @RequestLine("DELETE /api/protocols/san/lun-maps/{lunUuid}/{igroupUuid}")
+    @Headers({"Authorization: {authHeader}"})
+    void deleteLunMap(@Param("authHeader") String authHeader,
+                      @Param("lunUuid") String lunUUID,
+                      @Param("igroupUuid") String igroupUUID);
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/client/SvmFeignClient.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/client/SvmFeignClient.java
new file mode 100644
index 000000000000..29ea3b5f694f
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/client/SvmFeignClient.java
@@ -0,0 +1,40 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cloudstack.storage.feign.client;
+
+import feign.QueryMap;
+import org.apache.cloudstack.storage.feign.model.Svm;
+import org.apache.cloudstack.storage.feign.model.response.OntapResponse;
+import feign.Headers;
+import feign.Param;
+import feign.RequestLine;
+import java.util.Map;
+
+public interface SvmFeignClient {
+
+    // SVM Operation APIs
+    @RequestLine("GET /api/svm/svms")
+    @Headers({"Authorization: {authHeader}"})
+    OntapResponse<Svm> getSvmResponse(@QueryMap Map<String, Object> queryMap, @Param("authHeader") String authHeader);
+
+    @RequestLine("GET /api/svm/svms/{uuid}")
+    @Headers({"Authorization: {authHeader}"})
+    Svm getSvmByUUID(@Param("authHeader") String authHeader, @Param("uuid") String uuid);
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/client/VolumeFeignClient.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/client/VolumeFeignClient.java
new file mode 100644
index 000000000000..6384566487d4
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/client/VolumeFeignClient.java
@@ -0,0 +1,56 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cloudstack.storage.feign.client;
+
+import feign.QueryMap;
+import org.apache.cloudstack.storage.feign.model.Volume;
+import org.apache.cloudstack.storage.feign.model.response.JobResponse;
+import feign.Headers;
+import feign.Param;
+import feign.RequestLine;
+import org.apache.cloudstack.storage.feign.model.response.OntapResponse;
+
+import java.util.Map;
+
+public interface VolumeFeignClient {
+
+    @RequestLine("DELETE /api/storage/volumes/{uuid}")
+    @Headers({"Authorization: {authHeader}"})
+    JobResponse deleteVolume(@Param("authHeader") String authHeader, @Param("uuid") String uuid);
+
+    @RequestLine("POST /api/storage/volumes")
+    @Headers({"Authorization: {authHeader}"})
+    JobResponse createVolumeWithJob(@Param("authHeader") String authHeader, Volume volumeRequest);
+
+    @RequestLine("GET /api/storage/volumes")
+    @Headers({"Authorization: {authHeader}"})
+    OntapResponse<Volume> getAllVolumes(@Param("authHeader") String authHeader, @QueryMap Map<String, Object> queryParams);
+
+    @RequestLine("GET /api/storage/volumes/{uuid}")
+    @Headers({"Authorization: {authHeader}"})
+    Volume getVolumeByUUID(@Param("authHeader") String authHeader, @Param("uuid") String uuid);
+
+    @RequestLine("GET /api/storage/volumes")
+    @Headers({"Authorization: {authHeader}"})
+    OntapResponse<Volume> getVolume(@Param("authHeader") String authHeader, @QueryMap Map<String, Object> queryMap);
+
+    @RequestLine("PATCH /api/storage/volumes/{uuid}")
+    @Headers({ "Authorization: {authHeader}"})
+    JobResponse updateVolumeRebalancing(@Param("authHeader") String authHeader, @Param("uuid") String uuid, Volume volumeRequest);
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/Aggregate.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/Aggregate.java
new file mode 100644
index 000000000000..8ac1717604a5
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/Aggregate.java
@@ -0,0 +1,165 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cloudstack.storage.feign.model;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonValue;
+
+import java.util.Objects;
+
+@JsonIgnoreProperties(ignoreUnknown = true)
+@JsonInclude(JsonInclude.Include.NON_NULL)
+public class Aggregate {
+    // Replace previous enum with case-insensitive mapping
+    public enum StateEnum {
+        ONLINE("online");
+        private final String value;
+
+        StateEnum(String value) {
+            this.value = value;
+        }
+
+        @JsonValue
+        public String getValue() {
+            return value;
+        }
+
+        @Override
+        public String toString() {
+            return String.valueOf(value);
+        }
+
+        @JsonCreator
+        public static StateEnum fromValue(String text) {
+            for (StateEnum b : StateEnum.values()) {
+                if (String.valueOf(b.value).equals(text)) {
+                    return b;
+                }
+            }
+            return null;
+        }
+    }
+
+    @JsonProperty("name")
+    private String name = null;
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(getName(), getUuid());
+    }
+
+    @JsonProperty("uuid")
+    private String uuid = null;
+
+    @JsonProperty("state")
+    private StateEnum state = null;
+
+    @JsonProperty("space")
+    private AggregateSpace space = null;
+
+
+    public Aggregate name(String name) {
+        this.name = name;
+        return this;
+    }
+    public String getName() {
+        return name;
+    }
+
+    public void setName(String name) {
+        this.name = name;
+    }
+
+    public Aggregate uuid(String uuid) {
+        this.uuid = uuid;
+        return this;
+    }
+
+    public String getUuid() {
+        return uuid;
+    }
+
+    public void setUuid(String uuid) {
+        this.uuid = uuid;
+    }
+
+    public StateEnum getState() {
+        return state;
+    }
+
+    public AggregateSpace getSpace() {
+        return space;
+    }
+
+    public Double getAvailableBlockStorageSpace() {
+        if (space != null && space.blockStorage != null) {
+            return space.blockStorage.available;
+        }
+        return null;
+    }
+
+
+    @Override
+    public boolean equals(java.lang.Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        Aggregate diskAggregates = (Aggregate) o;
+        return Objects.equals(this.name, diskAggregates.name) &&
+                Objects.equals(this.uuid, diskAggregates.uuid);
+    }
+
+    /**
+     * Convert the given object to string with each line indented by 4 spaces
+     * (except the first line).
+     */
+    private String toIndentedString(java.lang.Object o) {
+        if (o == null) {
+            return "null";
+        }
+        return o.toString().replace("\n", "\n    ");
+    }
+
+    @Override
+    public String toString() {
+        return "DiskAggregates [name=" + name + ", uuid=" + uuid + "]";
+    }
+
+    public static class AggregateSpace {
+        @JsonProperty("block_storage")
+        private AggregateSpaceBlockStorage blockStorage = null;
+    }
+
+    public static class AggregateSpaceBlockStorage {
+        @JsonProperty("available")
+        private Double available = null;
+        @JsonProperty("size")
+        private Double size = null;
+        @JsonProperty("used")
+        private Double used = null;
+    }
+
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/AntiRansomware.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/AntiRansomware.java
new file mode 100644
index 000000000000..21748dcd53ec
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/AntiRansomware.java
@@ -0,0 +1,34 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cloudstack.storage.feign.model;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+public class AntiRansomware {
+    @JsonProperty("state")
+    private String state;
+
+    public String getState() {
+        return state;
+    }
+
+    public void setState(String state) {
+        this.state = state;
+    }
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/Cluster.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/Cluster.java
new file mode 100644
index 000000000000..061372756175
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/Cluster.java
@@ -0,0 +1,134 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cloudstack.storage.feign.model;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.util.Objects;
+
+/**
+ * Complete cluster information
+ */
+@SuppressWarnings("checkstyle:RegexpSingleline")
+@JsonIgnoreProperties(ignoreUnknown = true)
+@JsonInclude(JsonInclude.Include.NON_NULL)
+public class Cluster {
+
+    @JsonProperty("name")
+    private String name = null;
+    @JsonProperty("uuid")
+    private String uuid = null;
+    @JsonProperty("version")
+    private Version version = null;
+    @JsonProperty("health")
+    private String health = null;
+
+    @JsonProperty("san_optimized")
+    private Boolean sanOptimized = null;
+
+    @JsonProperty("disaggregated")
+    private Boolean disaggregated = null;
+
+
+    public String getHealth() {
+        return health;
+    }
+
+    public void setHealth(String health) {
+        this.health = health;
+    }
+
+    public Cluster name(String name) {
+        this.name = name;
+        return this;
+    }
+
+
+    public String getName() {
+        return name;
+    }
+
+    public void setName(String name) {
+        this.name = name;
+    }
+
+
+    public String getUuid() {
+        return uuid;
+    }
+
+    public Cluster version(Version version) {
+        this.version = version;
+        return this;
+    }
+
+    public Version getVersion() {
+        return version;
+    }
+
+    public void setVersion(Version version) {
+        this.version = version;
+    }
+
+    public Boolean getSanOptimized() {
+        return sanOptimized;
+    }
+
+    public void setSanOptimized(Boolean sanOptimized) {
+        this.sanOptimized = sanOptimized;
+    }
+
+    public Boolean getDisaggregated() {
+        return disaggregated;
+    }
+    public void setDisaggregated(Boolean disaggregated) {
+        this.disaggregated = disaggregated;
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(getName(), getUuid());
+    }
+
+    @Override
+    public boolean equals(java.lang.Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        Cluster cluster = (Cluster) o;
+        return Objects.equals(this.name, cluster.name) &&
+                Objects.equals(this.uuid, cluster.uuid);
+    }
+    @Override
+    public String toString() {
+        return "Cluster{" +
+                "name='" + name + '\'' +
+                ", uuid='" + uuid + '\'' +
+                ", version=" + version +
+                ", sanOptimized=" + sanOptimized +
+                ", disaggregated=" + disaggregated +
+                '}';
+    }
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/ExportPolicy.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/ExportPolicy.java
new file mode 100644
index 000000000000..8c7c0323e662
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/ExportPolicy.java
@@ -0,0 +1,122 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cloudstack.storage.feign.model;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import java.math.BigInteger;
+import java.util.List;
+import java.util.Objects;
+
+@JsonIgnoreProperties(ignoreUnknown = true)
+@JsonInclude(JsonInclude.Include.NON_NULL)
+public class ExportPolicy {
+
+  @JsonProperty("id")
+  private BigInteger id = null;
+  @JsonProperty("name")
+  private String name = null;
+  @JsonProperty("rules")
+  private List<ExportRule> rules = null;
+  @JsonProperty("svm")
+  private Svm svm = null;
+
+  public BigInteger getId() {
+    return id;
+  }
+
+  public ExportPolicy name(String name) {
+    this.name = name;
+    return this;
+  }
+
+  public String getName() {
+    return name;
+  }
+
+  public void setName(String name) {
+    this.name = name;
+  }
+
+  public ExportPolicy rules(List<ExportRule> rules) {
+    this.rules = rules;
+    return this;
+  }
+
+  public List<ExportRule> getRules() {
+    return rules;
+  }
+
+  public void setRules(List<ExportRule> rules) {
+    this.rules = rules;
+  }
+
+  public ExportPolicy svm(Svm svm) {
+    this.svm = svm;
+    return this;
+  }
+
+  public Svm getSvm() {
+    return svm;
+  }
+
+  public void setSvm(Svm svm) {
+    this.svm = svm;
+  }
+
+
+  @Override
+  public boolean equals(Object o) {
+    if (this == o) {
+      return true;
+    }
+    if (o == null || getClass() != o.getClass()) {
+      return false;
+    }
+    ExportPolicy exportPolicy = (ExportPolicy) o;
+    return Objects.equals(this.id, exportPolicy.id) &&
+        Objects.equals(this.name, exportPolicy.name);
+  }
+
+  @Override
+  public int hashCode() {
+    return Objects.hash( id, name);
+  }
+
+
+  @Override
+  public String toString() {
+    StringBuilder sb = new StringBuilder();
+    sb.append("class ExportPolicy {\n");
+    sb.append("    id: ").append(toIndentedString(id)).append("\n");
+    sb.append("    name: ").append(toIndentedString(name)).append("\n");
+    sb.append("    rules: ").append(toIndentedString(rules)).append("\n");
+    sb.append("    svm: ").append(toIndentedString(svm)).append("\n");
+    sb.append("}");
+    return sb.toString();
+  }
+  private String toIndentedString(Object o) {
+    if (o == null) {
+      return "null";
+    }
+    return o.toString().replace("\n", "\n    ");
+  }
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/ExportRule.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/ExportRule.java
new file mode 100644
index 000000000000..087e9aa681b4
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/ExportRule.java
@@ -0,0 +1,195 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cloudstack.storage.feign.model;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import java.util.List;
+
+/**
+ * ExportRule
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+@JsonInclude(JsonInclude.Include.NON_NULL)
+public class ExportRule {
+    @JsonProperty("anonymous_user")
+    private String anonymousUser ;
+
+    @JsonProperty("clients")
+    private List<ExportClient> clients = null;
+
+    @JsonProperty("index")
+    private Integer index = null;
+
+    public enum ProtocolsEnum {
+        ANY("any"),
+
+        NFS("nfs"),
+
+        NFS3("nfs3"),
+
+        NFS4("nfs4");
+
+        private String value;
+
+        ProtocolsEnum(String value) {
+            this.value = value;
+        }
+
+        public String getValue() {
+            return value;
+        }
+
+        @Override
+        public String toString() {
+            return String.valueOf(value);
+        }
+
+        public static ProtocolsEnum fromValue(String text) {
+            for (ProtocolsEnum b : ProtocolsEnum.values()) {
+                if (String.valueOf(b.value).equals(text)) {
+                    return b;
+                }
+            }
+            return null;
+        }
+    }
+
+    @JsonProperty("protocols")
+    private List<ProtocolsEnum> protocols = null;
+
+    @JsonProperty("ro_rule")
+    private List<String> roRule = null;
+
+    @JsonProperty("rw_rule")
+    private List<String> rwRule = null;
+
+    @JsonProperty("superuser")
+    private List<String> superuser = null;
+
+
+    public ExportRule anonymousUser(String anonymousUser) {
+        this.anonymousUser = anonymousUser;
+        return this;
+    }
+
+    public String getAnonymousUser() {
+        return anonymousUser;
+    }
+
+    public void setAnonymousUser(String anonymousUser) {
+        this.anonymousUser = anonymousUser;
+    }
+
+    public ExportRule clients(List<ExportClient> clients) {
+        this.clients = clients;
+        return this;
+    }
+
+    public List<ExportClient> getClients() {
+        return clients;
+    }
+
+    public void setClients(List<ExportClient> clients) {
+        this.clients = clients;
+    }
+
+    public Integer getIndex() {
+        return index;
+    }
+    public void setIndex(Integer index)
+    {
+        this.index=index;
+    }
+
+    public ExportRule protocols(List<ProtocolsEnum> protocols) {
+        this.protocols = protocols;
+        return this;
+    }
+
+    public List<ProtocolsEnum> getProtocols() {
+        return protocols;
+    }
+
+    public void setProtocols(List<ProtocolsEnum> protocols) {
+        this.protocols = protocols;
+    }
+
+    public static class ExportClient {
+        @JsonProperty("match")
+        private String match = null;
+
+        public ExportClient match (String match) {
+            this.match = match;
+            return this;
+        }
+        public String getMatch () {
+            return match;
+        }
+
+        public void setMatch (String match) {
+            this.match = match;
+        }
+    }
+
+    public List<String> getRwRule() {
+        return rwRule;
+    }
+
+    public void setRwRule(List<String> rwRule) {
+        this.rwRule = rwRule;
+    }
+
+    public List<String> getRoRule() {
+        return roRule;
+    }
+
+    public void setRoRule(List<String> roRule) {
+        this.roRule = roRule;
+    }
+
+    public List<String> getSuperuser() {
+        return superuser;
+    }
+
+    public void setSuperuser(List<String> superuser) {
+        this.superuser = superuser;
+    }
+
+    @Override
+    public String toString() {
+        StringBuilder sb = new StringBuilder();
+        sb.append("class ExportRule {\n");
+
+        sb.append("    anonymousUser: ").append(toIndentedString(anonymousUser)).append("\n");
+        sb.append("    clients: ").append(toIndentedString(clients)).append("\n");
+        sb.append("    index: ").append(toIndentedString(index)).append("\n");
+        sb.append("    protocols: ").append(toIndentedString(protocols)).append("\n");
+        sb.append("}");
+        return sb.toString();
+    }
+    private String toIndentedString(Object o) {
+        if (o == null) {
+            return "null";
+        }
+        return o.toString().replace("\n", "\n    ");
+    }
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/FileInfo.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/FileInfo.java
new file mode 100644
index 000000000000..181620268932
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/FileInfo.java
@@ -0,0 +1,297 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cloudstack.storage.feign.model;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.annotation.JsonValue;
+
+import java.time.OffsetDateTime;
+import java.util.Objects;
+
+/**
+ * Information about a single file.
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+@JsonInclude(JsonInclude.Include.NON_NULL)
+public class FileInfo {
+  @JsonProperty("bytes_used")
+  private Long bytesUsed = null;
+  @JsonProperty("creation_time")
+  private OffsetDateTime creationTime = null;
+  @JsonProperty("fill_enabled")
+  private Boolean fillEnabled = null;
+  @JsonProperty("is_empty")
+  private Boolean isEmpty = null;
+  @JsonProperty("is_snapshot")
+  private Boolean isSnapshot = null;
+  @JsonProperty("is_vm_aligned")
+  private Boolean isVmAligned = null;
+  @JsonProperty("modified_time")
+  private OffsetDateTime modifiedTime = null;
+  @JsonProperty("name")
+  private String name = null;
+  @JsonProperty("overwrite_enabled")
+  private Boolean overwriteEnabled = null;
+  @JsonProperty("path")
+  private String path = null;
+  @JsonProperty("size")
+  private Long size = null;
+  @JsonProperty("target")
+  private String target = null;
+
+  /**
+   * Type of the file.
+   */
+  public enum TypeEnum {
+    FILE("file"),
+    DIRECTORY("directory");
+
+    private String value;
+
+    TypeEnum(String value) {
+      this.value = value;
+    }
+
+    @JsonValue
+    public String getValue() {
+      return value;
+    }
+
+    @Override
+    public String toString() {
+      return String.valueOf(value);
+    }
+
+    @JsonCreator
+    public static TypeEnum fromValue(String value) {
+      for (TypeEnum b : TypeEnum.values()) {
+        if (b.value.equals(value)) {
+          return b;
+        }
+      }
+      return null;
+    }
+  }
+
+  @JsonProperty("type")
+  private TypeEnum type = null;
+
+  @JsonProperty("unique_bytes")
+  private Long uniqueBytes = null;
+
+  @JsonProperty("unix_permissions")
+  private Integer unixPermissions = null;
+
+   /**
+   * The actual number of bytes used on disk by this file. If byte_offset and length parameters are specified, this will return the bytes used by the file within the given range.
+   * @return bytesUsed
+  **/
+  public Long getBytesUsed() {
+    return bytesUsed;
+  }
+
+  public OffsetDateTime getCreationTime() {
+    return creationTime;
+  }
+
+  public FileInfo fillEnabled(Boolean fillEnabled) {
+    this.fillEnabled = fillEnabled;
+    return this;
+  }
+
+  public Boolean isFillEnabled() {
+    return fillEnabled;
+  }
+
+  public void setFillEnabled(Boolean fillEnabled) {
+    this.fillEnabled = fillEnabled;
+  }
+
+
+  public Boolean isIsEmpty() {
+    return isEmpty;
+  }
+
+  public void setIsEmpty(Boolean isEmpty) {
+    this.isEmpty = isEmpty;
+  }
+
+  public Boolean isIsSnapshot() {
+    return isSnapshot;
+  }
+
+  public void setIsSnapshot(Boolean isSnapshot) {
+    this.isSnapshot = isSnapshot;
+  }
+
+
+  public Boolean isIsVmAligned() {
+    return isVmAligned;
+  }
+
+
+  public OffsetDateTime getModifiedTime() {
+    return modifiedTime;
+  }
+
+  public FileInfo name(String name) {
+    this.name = name;
+    return this;
+  }
+
+  public String getName() {
+    return name;
+  }
+
+  public void setName(String name) {
+    this.name = name;
+  }
+
+  public FileInfo overwriteEnabled(Boolean overwriteEnabled) {
+    this.overwriteEnabled = overwriteEnabled;
+    return this;
+  }
+
+  public Boolean isOverwriteEnabled() {
+    return overwriteEnabled;
+  }
+
+  public void setOverwriteEnabled(Boolean overwriteEnabled) {
+    this.overwriteEnabled = overwriteEnabled;
+  }
+
+  public FileInfo path(String path) {
+    this.path = path;
+    return this;
+  }
+
+  public String getPath() {
+    return path;
+  }
+
+  public void setPath(String path) {
+    this.path = path;
+  }
+  public Long getSize() {
+    return size;
+  }
+
+  public void setSize(Long size) {
+    this.size = size;
+  }
+
+  public FileInfo target(String target) {
+    this.target = target;
+    return this;
+  }
+
+  public String getTarget() {
+    return target;
+  }
+
+  public void setTarget(String target) {
+    this.target = target;
+  }
+
+  public FileInfo type(TypeEnum type) {
+    this.type = type;
+    return this;
+  }
+
+  public TypeEnum getType() {
+    return type;
+  }
+
+  public void setType(TypeEnum type) {
+    this.type = type;
+  }
+
+  public Long getUniqueBytes() {
+    return uniqueBytes;
+  }
+
+  public FileInfo unixPermissions(Integer unixPermissions) {
+    this.unixPermissions = unixPermissions;
+    return this;
+  }
+
+  public Integer getUnixPermissions() {
+    return unixPermissions;
+  }
+
+  public void setUnixPermissions(Integer unixPermissions) {
+    this.unixPermissions = unixPermissions;
+  }
+  @Override
+  public boolean equals(Object o) {
+    if (this == o) {
+      return true;
+    }
+    if (o == null || getClass() != o.getClass()) {
+      return false;
+    }
+    FileInfo fileInfo = (FileInfo) o;
+    return Objects.equals(this.name, fileInfo.name) &&
+        Objects.equals(this.path, fileInfo.path);
+  }
+
+  @Override
+  public int hashCode() {
+    return Objects.hash(name, path);
+  }
+
+
+  @Override
+  public String toString() {
+    StringBuilder sb = new StringBuilder();
+    sb.append("class FileInfo {\n");
+    sb.append("    bytesUsed: ").append(toIndentedString(bytesUsed)).append("\n");
+    sb.append("    creationTime: ").append(toIndentedString(creationTime)).append("\n");
+    sb.append("    fillEnabled: ").append(toIndentedString(fillEnabled)).append("\n");
+    sb.append("    isEmpty: ").append(toIndentedString(isEmpty)).append("\n");
+    sb.append("    isSnapshot: ").append(toIndentedString(isSnapshot)).append("\n");
+    sb.append("    isVmAligned: ").append(toIndentedString(isVmAligned)).append("\n");
+    sb.append("    modifiedTime: ").append(toIndentedString(modifiedTime)).append("\n");
+    sb.append("    name: ").append(toIndentedString(name)).append("\n");
+    sb.append("    overwriteEnabled: ").append(toIndentedString(overwriteEnabled)).append("\n");
+    sb.append("    path: ").append(toIndentedString(path)).append("\n");
+    sb.append("    size: ").append(toIndentedString(size)).append("\n");
+    sb.append("    target: ").append(toIndentedString(target)).append("\n");
+    sb.append("    type: ").append(toIndentedString(type)).append("\n");
+    sb.append("    uniqueBytes: ").append(toIndentedString(uniqueBytes)).append("\n");
+    sb.append("    unixPermissions: ").append(toIndentedString(unixPermissions)).append("\n");
+    sb.append("}");
+    return sb.toString();
+  }
+
+  /**
+   * Convert the given object to string with each line indented by 4 spaces
+   * (except the first line).
+   */
+  private String toIndentedString(Object o) {
+    if (o == null) {
+      return "null";
+    }
+    return o.toString().replace("\n", "\n    ");
+  }
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/Igroup.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/Igroup.java
new file mode 100644
index 000000000000..3596a802f941
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/Igroup.java
@@ -0,0 +1,257 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cloudstack.storage.feign.model;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.util.List;
+import java.util.Objects;
+
+@JsonIgnoreProperties(ignoreUnknown = true)
+@JsonInclude(JsonInclude.Include.NON_NULL)
+public class Igroup {
+    @JsonProperty("delete_on_unmap")
+    private Boolean deleteOnUnmap = null;
+    @JsonProperty("initiators")
+    private List<Initiator> initiators = null;
+    @JsonProperty("lun_maps")
+    private List<LunMap> lunMaps = null;
+    @JsonProperty("os_type")
+    private OsTypeEnum osType = null;
+
+    @JsonProperty("parent_igroups")
+    private List<Igroup> parentIgroups = null;
+
+    @JsonProperty("igroups")
+    private List<Igroup> igroups = null;
+
+    @JsonProperty("name")
+    private String name = null;
+
+    @JsonProperty("protocol")
+    private ProtocolEnum protocol = null;
+    @JsonProperty("svm")
+    private Svm svm = null;
+    @JsonProperty("uuid")
+    private String uuid = null;
+
+    public enum OsTypeEnum {
+        HyperV("hyper_v"),
+
+        Linux("linux"),
+
+        VMware("vmware"),
+
+        Windows("windows"),
+
+        Xen("xen");
+
+        private String value;
+
+        OsTypeEnum(String value) {
+            this.value = value;
+        }
+
+        public String getValue() {
+            return value;
+        }
+
+        @Override
+        public String toString() {
+            return String.valueOf(value);
+        }
+
+        public static OsTypeEnum fromValue(String text) {
+            for (OsTypeEnum b : OsTypeEnum.values()) {
+                if (String.valueOf(b.value).equals(text)) {
+                    return b;
+                }
+            }
+            return null;
+        }
+    }
+
+    public List<Igroup> getParentIgroups() {
+        return parentIgroups;
+    }
+
+    public void setParentIgroups(List<Igroup> parentIgroups) {
+        this.parentIgroups = parentIgroups;
+    }
+
+    public Igroup igroups(List<Igroup> igroups) {
+        this.igroups = igroups;
+        return this;
+    }
+
+   public List<Igroup> getIgroups() {
+        return igroups;
+    }
+
+    public void setIgroups(List<Igroup> igroups) {
+        this.igroups = igroups;
+    }
+
+    public enum ProtocolEnum {
+        iscsi("iscsi"),
+
+        mixed("mixed");
+
+        private String value;
+
+        ProtocolEnum(String value) {
+            this.value = value;
+        }
+
+        public String getValue() {
+            return value;
+        }
+
+        @Override
+        public String toString() {
+            return String.valueOf(value);
+        }
+
+        public static ProtocolEnum fromValue(String text) {
+            for (ProtocolEnum b : ProtocolEnum.values()) {
+                if (String.valueOf(b.value).equals(text)) {
+                    return b;
+                }
+            }
+            return null;
+        }
+    }
+    public Igroup deleteOnUnmap(Boolean deleteOnUnmap) {
+        this.deleteOnUnmap = deleteOnUnmap;
+        return this;
+    }
+
+   public Boolean isDeleteOnUnmap() {
+        return deleteOnUnmap;
+    }
+
+    public void setDeleteOnUnmap(Boolean deleteOnUnmap) {
+        this.deleteOnUnmap = deleteOnUnmap;
+    }
+
+    public Igroup initiators(List<Initiator> initiators) {
+        this.initiators = initiators;
+        return this;
+    }
+    public List<Initiator> getInitiators() {
+        return initiators;
+    }
+
+    public void setInitiators(List<Initiator> initiators) {
+        this.initiators = initiators;
+    }
+
+    public Igroup lunMaps(List<LunMap> lunMaps) {
+        this.lunMaps = lunMaps;
+        return this;
+    }
+    public List<LunMap> getLunMaps() {
+        return lunMaps;
+    }
+
+    public void setLunMaps(List<LunMap> lunMaps) {
+        this.lunMaps = lunMaps;
+    }
+
+    public Igroup name(String name) {
+        this.name = name;
+        return this;
+    }
+
+    public String getName() {
+        return name;
+    }
+    public void setName(String name) {
+        this.name = name;
+    }
+
+    public Igroup osType(OsTypeEnum osType) {
+        this.osType = osType;
+        return this;
+    }
+    public OsTypeEnum getOsType() {
+        return osType;
+    }
+
+    public void setOsType(OsTypeEnum osType) {
+        this.osType = osType;
+    }
+
+    public Igroup protocol(ProtocolEnum protocol) {
+        this.protocol = protocol;
+        return this;
+    }
+
+    public ProtocolEnum getProtocol() {
+        return protocol;
+    }
+
+    public void setProtocol(ProtocolEnum protocol) {
+        this.protocol = protocol;
+    }
+
+    public Igroup svm(Svm svm) {
+        this.svm = svm;
+        return this;
+    }
+    public Svm getSvm() {
+        return svm;
+    }
+
+    public void setSvm(Svm svm) {
+        this.svm = svm;
+    }
+
+    public String getUuid() {
+        return uuid;
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(name, uuid);
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+        if (this == obj)
+            return true;
+        if (obj == null)
+            return false;
+        if (getClass() != obj.getClass())
+            return false;
+        Igroup other = (Igroup) obj;
+        return Objects.equals(name, other.name) && Objects.equals(uuid, other.uuid);
+    }
+
+    @Override
+    public String toString() {
+        return "Igroup [deleteOnUnmap=" + deleteOnUnmap + ", initiators=" + initiators + ", lunMaps=" + lunMaps
+                + ", name=" + name + ", replication="  + ", osType=" + osType + ", parentIgroups="
+                + parentIgroups + ", igroups=" + igroups + ", protocol=" + protocol + ", svm=" + svm + ", uuid=" + uuid
+                + ", portset=" + "]";
+    }
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/Initiator.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/Initiator.java
new file mode 100644
index 000000000000..b0a5bd24272a
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/Initiator.java
@@ -0,0 +1,38 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cloudstack.storage.feign.model;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+@JsonIgnoreProperties(ignoreUnknown = true)
+@JsonInclude(JsonInclude.Include.NON_NULL)
+public class Initiator {
+    @JsonProperty("name")
+    private String name = null;
+    public String getName() {
+        return name;
+    }
+
+    public void setName(String name) {
+        this.name = name;
+    }
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/IpInterface.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/IpInterface.java
new file mode 100644
index 000000000000..c15798a42b70
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/IpInterface.java
@@ -0,0 +1,155 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cloudstack.storage.feign.model;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.util.List;
+import java.util.Objects;
+
+@JsonIgnoreProperties(ignoreUnknown = true)
+@JsonInclude(JsonInclude.Include.NON_NULL)
+public class IpInterface {
+    @JsonProperty("uuid")
+    private String uuid;
+
+    @JsonProperty("name")
+    private String name;
+
+    @JsonProperty("ip")
+    private IpInfo ip;
+
+    @JsonProperty("svm")
+    private Svm svm;
+
+    @JsonProperty("services")
+    private List<String> services;
+
+    // Getters and setters
+    public String getUuid() {
+        return uuid;
+    }
+
+    public void setUuid(String uuid) {
+        this.uuid = uuid;
+    }
+
+    public String getName() {
+        return name;
+    }
+
+    public void setName(String name) {
+        this.name = name;
+    }
+
+    public IpInfo getIp() {
+        return ip;
+    }
+
+    public void setIp(IpInfo ip) {
+        this.ip = ip;
+    }
+
+    public Svm getSvm() {
+        return svm;
+    }
+
+    public void setSvm(Svm svm) {
+        this.svm = svm;
+    }
+
+    public List<String> getServices() {
+        return services;
+    }
+
+    public void setServices(List<String> services) {
+        this.services = services;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        IpInterface that = (IpInterface) o;
+        return Objects.equals(uuid, that.uuid) &&
+                Objects.equals(name, that.name) &&
+                Objects.equals(ip, that.ip) &&
+                Objects.equals(svm, that.svm) &&
+                Objects.equals(services, that.services);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(uuid, name, ip, svm, services);
+    }
+
+    @Override
+    public String toString() {
+        return "IpInterface{" +
+                "uuid='" + uuid + '\'' +
+                ", name='" + name + '\'' +
+                ", ip=" + ip +
+                ", svm=" + svm +
+                ", services=" + services +
+                '}';
+    }
+
+    // Nested class for IP information
+    @JsonIgnoreProperties(ignoreUnknown = true)
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    public static class IpInfo {
+        @JsonProperty("address")
+        private String address;
+
+        public String getAddress() {
+            return address;
+        }
+
+        public void setAddress(String address) {
+            this.address = address;
+        }
+
+        @Override
+        public boolean equals(Object o) {
+            if (this == o) return true;
+            if (o == null || getClass() != o.getClass()) return false;
+            IpInfo ipInfo = (IpInfo) o;
+            return Objects.equals(address, ipInfo.address);
+        }
+
+        @Override
+        public int hashCode() {
+            return Objects.hash(address);
+        }
+
+        @Override
+        public String toString() {
+            return "IpInfo{" +
+                    "address='" + address + '\'' +
+                    '}';
+        }
+    }
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/IscsiService.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/IscsiService.java
new file mode 100644
index 000000000000..06d1ca92735f
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/IscsiService.java
@@ -0,0 +1,111 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cloudstack.storage.feign.model;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+
+/**
+ * An iSCSI service defines the properties of the iSCSI target for an SVM.
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+@JsonInclude(JsonInclude.Include.NON_NULL)
+public class IscsiService {
+    @JsonProperty("enabled")
+    private Boolean enabled = null;
+
+    @JsonProperty("svm")
+    private Svm svm = null;
+
+    @JsonProperty("target")
+    private IscsiServiceTarget target = null;
+
+    public Boolean isEnabled() {
+        return enabled;
+    }
+
+    public void setEnabled(Boolean enabled) {
+        this.enabled = enabled;
+    }
+
+    public Svm getSvm() {
+        return svm;
+    }
+
+    public void setSvm(Svm svm) {
+        this.svm = svm;
+    }
+
+    public IscsiServiceTarget getTarget() {
+        return target;
+    }
+
+    public void setTarget(IscsiServiceTarget target) {
+        this.target = target;
+    }
+
+    @Override
+    public String toString() {
+        return "IscsiService{" +
+                "enabled=" + enabled +
+                ", svm=" + svm +
+                ", target=" + target +
+                '}';
+    }
+
+    /**
+     * iSCSI target information
+     */
+    @JsonIgnoreProperties(ignoreUnknown = true)
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    public static class IscsiServiceTarget {
+        @JsonProperty("alias")
+        private String alias = null;
+
+        @JsonProperty("name")
+        private String name = null;
+
+        public String getAlias() {
+            return alias;
+        }
+
+        public void setAlias(String alias) {
+            this.alias = alias;
+        }
+
+        public String getName() {
+            return name;
+        }
+
+        public void setName(String name) {
+            this.name = name;
+        }
+
+        @Override
+        public String toString() {
+            return "IscsiServiceTarget{" +
+                    "alias='" + alias + '\'' +
+                    ", name='" + name + '\'' +
+                    '}';
+        }
+    }
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/Job.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/Job.java
new file mode 100644
index 000000000000..cdeaf2ed8388
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/Job.java
@@ -0,0 +1,121 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cloudstack.storage.feign.model;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonInclude.Include;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+/**
+ * @author Administrator
+ *
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+@JsonInclude(Include.NON_NULL)
+public class Job {
+
+    @JsonProperty("uuid")
+    String uuid;
+    @JsonProperty("description")
+    String description;
+    @JsonProperty("state")
+    String state;
+    @JsonProperty("message")
+    String message;
+    @JsonProperty("code")
+    String code;
+    @JsonProperty("_links")
+    private Links links;
+
+    @JsonProperty("error")
+    private JobError error;
+    public JobError getError () { return error; }
+    public void setError (JobError error) { this.error = error; }
+    public Links getLinks() { return links; }
+    public void setLinks(Links links) { this.links = links; }
+    public String getUuid() {
+        return uuid;
+    }
+    public void setUuid(String uuid) {
+        this.uuid = uuid;
+    }
+    public String getDescription() {
+        return description;
+    }
+    public void setDescription(String description) {
+        this.description = description;
+    }
+    public String getState() {
+        return state;
+    }
+    public void setState(String state) {
+        this.state = state;
+    }
+    public String getMessage() {
+        return message;
+    }
+    public void setMessage(String message) {
+        this.message = message;
+    }
+    public String getCode() {
+        return code;
+    }
+    public void setCode(String code) {
+        this.code = code;
+    }
+    @Override
+    public String toString() {
+        return "JobDTO [uuid=" + uuid + ", description=" + description + ", state=" + state + ", message="
+                + message + ", code=" + code + "]";
+    }
+
+    public static class Links {
+        @JsonProperty("self")
+        private Self self;
+        public Self getSelf() { return self; }
+        public void setSelf(Self self) { this.self = self; }
+    }
+
+    public static class Self {
+        @JsonProperty("href")
+        private String href;
+        public String getHref() { return href; }
+        public void setHref(String href) { this.href = href; }
+    }
+
+    public static class JobError {
+        @JsonProperty("message")
+        String errorMesssage;
+        @JsonProperty("code")
+        String code;
+        public String getErrorMesssage () { return errorMesssage; }
+        public void setErrorMesssage (String errorMesssage) { this.errorMesssage = errorMesssage; }
+        public String getCode() {
+            return code;
+        }
+        public void setCode(String code) {
+            this.code = code;
+        }
+        @Override
+        public String toString() {
+            return "JobError [errorMesssage=" + errorMesssage + ", code=" + code + "]";
+        }
+    }
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/Lun.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/Lun.java
new file mode 100644
index 000000000000..364790958c8a
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/Lun.java
@@ -0,0 +1,341 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cloudstack.storage.feign.model;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.annotation.JsonValue;
+
+import java.util.List;
+import java.util.Objects;
+
+/**
+ * A LUN is the logical representation of storage in a storage area network (SAN).&lt;br/&gt; In ONTAP, a LUN is located within a volume. Optionally, it can be located within a qtree in a volume.&lt;br/&gt; A LUN can be created to a specified size using thin or thick provisioning. A LUN can then be renamed, resized, cloned, and moved to a different volume. LUNs support the assignment of a quality of service (QoS) policy for performance management or a QoS policy can be assigned to the volume containing the LUN. See the LUN object model to learn more about each of the properties supported by the LUN REST API.&lt;br/&gt; A LUN must be mapped to an initiator group to grant access to the initiator group&#39;s initiators (client hosts). Initiators can then access the LUN and perform I/O over a Fibre Channel (FC) fabric using the Fibre Channel Protocol or a TCP/IP network using iSCSI.
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+@JsonInclude(JsonInclude.Include.NON_NULL)
+public class Lun {
+
+    @JsonProperty("auto_delete")
+    private Boolean autoDelete = null;
+
+    /**
+     * The class of LUN.&lt;br/&gt; Optional in POST.
+     */
+    public enum PropertyClassEnum {
+        REGULAR("regular");
+
+        private String value;
+
+        PropertyClassEnum(String value) {
+            this.value = value;
+        }
+
+        @JsonValue
+        public String getValue() {
+            return value;
+        }
+
+        @Override
+        public String toString() {
+            return String.valueOf(value);
+        }
+
+        @JsonCreator
+        public static PropertyClassEnum fromValue(String value) {
+            for (PropertyClassEnum b : PropertyClassEnum.values()) {
+                if (b.value.equals(value)) {
+                    return b;
+                }
+            }
+            return null;
+        }
+    }
+
+    @JsonProperty("class")
+    private PropertyClassEnum propertyClass = null;
+
+    @JsonProperty("enabled")
+    private Boolean enabled = null;
+
+    @JsonProperty("lun_maps")
+    private List<LunMap> lunMaps = null;
+
+    @JsonProperty("name")
+    private String name = null;
+
+    @JsonProperty("clone")
+    private Clone clone = null;
+
+    /**
+     * The operating system type of the LUN.&lt;br/&gt; Required in POST when creating a LUN that is not a clone of another. Disallowed in POST when creating a LUN clone.
+     */
+    public enum OsTypeEnum {
+        HYPER_V("hyper_v"),
+
+        LINUX("linux"),
+
+        VMWARE("vmware"),
+
+        WINDOWS("windows"),
+
+        XEN("xen");
+
+        private String value;
+
+        OsTypeEnum(String value) {
+            this.value = value;
+        }
+
+        @JsonValue
+        public String getValue() {
+            return value;
+        }
+
+        @Override
+        public String toString() {
+            return String.valueOf(value);
+        }
+
+        @JsonCreator
+        public static OsTypeEnum fromValue(String value) {
+            for (OsTypeEnum b : OsTypeEnum.values()) {
+                if (b.value.equals(value)) {
+                    return b;
+                }
+            }
+            return null;
+        }
+    }
+
+    @JsonProperty("os_type")
+    private OsTypeEnum osType = null;
+
+    @JsonProperty("serial_number")
+    private String serialNumber = null;
+
+    @JsonProperty("space")
+    private LunSpace space = null;
+
+    @JsonProperty("svm")
+    private Svm svm = null;
+
+    @JsonProperty("uuid")
+    private String uuid = null;
+
+    public Lun autoDelete(Boolean autoDelete) {
+        this.autoDelete = autoDelete;
+        return this;
+    }
+
+    public Boolean isAutoDelete() {
+        return autoDelete;
+    }
+
+    public void setAutoDelete(Boolean autoDelete) {
+        this.autoDelete = autoDelete;
+    }
+
+    public Lun propertyClass(PropertyClassEnum propertyClass) {
+        this.propertyClass = propertyClass;
+        return this;
+    }
+
+    public PropertyClassEnum getPropertyClass() {
+        return propertyClass;
+    }
+
+    public void setPropertyClass(PropertyClassEnum propertyClass) {
+        this.propertyClass = propertyClass;
+    }
+
+    public Lun enabled(Boolean enabled) {
+        this.enabled = enabled;
+        return this;
+    }
+
+    public Boolean isEnabled() {
+        return enabled;
+    }
+
+    public void setEnabled(Boolean enabled) {
+        this.enabled = enabled;
+    }
+
+    public List<LunMap> getLunMaps() {
+        return lunMaps;
+    }
+
+    public void setLunMaps(List<LunMap> lunMaps) {
+        this.lunMaps = lunMaps;
+    }
+
+    public Lun name(String name) {
+        this.name = name;
+        return this;
+    }
+
+    public String getName() {
+        return name;
+    }
+
+    public void setName(String name) {
+        this.name = name;
+    }
+
+    public Lun osType(OsTypeEnum osType) {
+        this.osType = osType;
+        return this;
+    }
+
+    public OsTypeEnum getOsType() {
+        return osType;
+    }
+
+    public void setOsType(OsTypeEnum osType) {
+        this.osType = osType;
+    }
+
+    public String getSerialNumber() {
+        return serialNumber;
+    }
+
+    public Lun space(LunSpace space) {
+        this.space = space;
+        return this;
+    }
+
+    public LunSpace getSpace() {
+        return space;
+    }
+
+    public void setSpace(LunSpace space) {
+        this.space = space;
+    }
+
+    public Lun svm(Svm svm) {
+        this.svm = svm;
+        return this;
+    }
+
+    public Svm getSvm() {
+        return svm;
+    }
+
+    public void setSvm(Svm svm) {
+        this.svm = svm;
+    }
+
+    public String getUuid() {
+        return uuid;
+    }
+    public void setUuid(String uuid) {
+        this.uuid = uuid;
+    }
+
+    public Clone getClone() {
+        return clone;
+    }
+
+    public void setClone(Clone clone) {
+        this.clone = clone;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        Lun lun = (Lun) o;
+        return Objects.equals(this.name, lun.name) && Objects.equals(this.uuid, lun.uuid);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(name, uuid);
+    }
+
+
+    @Override
+    public String toString() {
+        StringBuilder sb = new StringBuilder();
+        sb.append("class Lun {\n");
+        sb.append("    autoDelete: ").append(toIndentedString(autoDelete)).append("\n");
+        sb.append("    propertyClass: ").append(toIndentedString(propertyClass)).append("\n");
+        sb.append("    enabled: ").append(toIndentedString(enabled)).append("\n");
+        sb.append("    lunMaps: ").append(toIndentedString(lunMaps)).append("\n");
+        sb.append("    name: ").append(toIndentedString(name)).append("\n");
+        sb.append("    osType: ").append(toIndentedString(osType)).append("\n");
+        sb.append("    serialNumber: ").append(toIndentedString(serialNumber)).append("\n");
+        sb.append("    space: ").append(toIndentedString(space)).append("\n");
+        sb.append("    svm: ").append(toIndentedString(svm)).append("\n");
+        sb.append("    uuid: ").append(toIndentedString(uuid)).append("\n");
+        sb.append("}");
+        return sb.toString();
+    }
+
+    /**
+     * Convert the given object to string with each line indented by 4 spaces
+     * (except the first line).
+     */
+    private String toIndentedString(Object o) {
+        if (o == null) {
+            return "null";
+        }
+        return o.toString().replace("\n", "\n    ");
+    }
+
+
+    public static class Clone {
+        @JsonProperty("source")
+        private Source source = null;
+        public Source getSource() {
+            return source;
+        }
+        public void setSource(Source source) {
+            this.source = source;
+        }
+    }
+
+    public static class Source {
+        @JsonProperty("name")
+        private String name = null;
+        @JsonProperty("uuid")
+        private String uuid = null;
+
+        public String getName() {
+            return name;
+        }
+        public void setName(String name) {
+            this.name = name;
+        }
+        public String getUuid() {
+            return uuid;
+        }
+        public void setUuid(String uuid) {
+            this.uuid = uuid;
+        }
+    }
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/LunMap.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/LunMap.java
new file mode 100644
index 000000000000..085e38f1e9c6
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/LunMap.java
@@ -0,0 +1,111 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+
+package org.apache.cloudstack.storage.feign.model;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.google.gson.annotations.SerializedName;
+
+@JsonIgnoreProperties(ignoreUnknown = true)
+@JsonInclude(JsonInclude.Include.NON_NULL)
+public class LunMap {
+  @JsonProperty("igroup")
+  private Igroup igroup = null;
+  @JsonProperty("logical_unit_number")
+  private Integer logicalUnitNumber = null;
+  @JsonProperty("lun")
+  private Lun lun = null;
+  @JsonProperty("svm")
+  @SerializedName("svm")
+  private Svm svm = null;
+
+  public LunMap igroup (Igroup igroup) {
+    this.igroup = igroup;
+    return this;
+  }
+
+  public Igroup getIgroup () {
+    return igroup;
+  }
+
+  public void setIgroup (Igroup igroup) {
+    this.igroup = igroup;
+  }
+
+  public LunMap logicalUnitNumber (Integer logicalUnitNumber) {
+    this.logicalUnitNumber = logicalUnitNumber;
+    return this;
+  }
+
+  public Integer getLogicalUnitNumber () {
+    return logicalUnitNumber;
+  }
+
+  public void setLogicalUnitNumber (Integer logicalUnitNumber) {
+    this.logicalUnitNumber = logicalUnitNumber;
+  }
+
+  public LunMap lun (Lun lun) {
+    this.lun = lun;
+    return this;
+  }
+
+  public Lun getLun () {
+    return lun;
+  }
+
+  public void setLun (Lun lun) {
+    this.lun = lun;
+  }
+
+  public LunMap svm (Svm svm) {
+    this.svm = svm;
+    return this;
+  }
+
+  public Svm getSvm () {
+    return svm;
+  }
+
+  public void setSvm (Svm svm) {
+    this.svm = svm;
+  }
+
+  @Override
+  public String toString () {
+    StringBuilder sb = new StringBuilder();
+    sb.append("class LunMap {\n");
+    sb.append("    igroup: ").append(toIndentedString(igroup)).append("\n");
+    sb.append("    logicalUnitNumber: ").append(toIndentedString(logicalUnitNumber)).append("\n");
+    sb.append("    lun: ").append(toIndentedString(lun)).append("\n");
+    sb.append("    svm: ").append(toIndentedString(svm)).append("\n");
+    sb.append("}");
+    return sb.toString();
+  }
+
+  private String toIndentedString (Object o) {
+    if (o == null) {
+      return "null";
+    }
+    return o.toString().replace("\n", "\n    ");
+  }
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/LunSpace.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/LunSpace.java
new file mode 100644
index 000000000000..03e776cd378c
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/LunSpace.java
@@ -0,0 +1,97 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+
+package org.apache.cloudstack.storage.feign.model;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+/**
+ * The storage space related properties of the LUN.
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+@JsonInclude(JsonInclude.Include.NON_NULL)
+public class LunSpace {
+
+    @JsonProperty("scsi_thin_provisioning_support_enabled")
+    private Boolean scsiThinProvisioningSupportEnabled = null;
+
+    @JsonProperty("size")
+    private Long size = null;
+
+    @JsonProperty("used")
+    private Long used = null;
+    @JsonProperty("physical_used")
+    private Long physicalUsed = null;
+
+    public LunSpace scsiThinProvisioningSupportEnabled(Boolean scsiThinProvisioningSupportEnabled) {
+        this.scsiThinProvisioningSupportEnabled = scsiThinProvisioningSupportEnabled;
+        return this;
+    }
+
+    public Boolean isScsiThinProvisioningSupportEnabled() {
+        return scsiThinProvisioningSupportEnabled;
+    }
+
+    public void setScsiThinProvisioningSupportEnabled(Boolean scsiThinProvisioningSupportEnabled) {
+        this.scsiThinProvisioningSupportEnabled = scsiThinProvisioningSupportEnabled;
+    }
+
+    public LunSpace size(Long size) {
+        this.size = size;
+        return this;
+    }
+
+    public Long getSize() {
+        return size;
+    }
+
+    public void setSize(Long size) {
+        this.size = size;
+    }
+
+    public Long getUsed() {
+        return used;
+    }
+
+    public Long getPhysicalUsed() {
+        return physicalUsed;
+    }
+
+    @Override
+    public String toString() {
+        StringBuilder sb = new StringBuilder();
+        sb.append("class LunSpace {\n");
+        sb.append("    scsiThinProvisioningSupportEnabled: ").append(toIndentedString(scsiThinProvisioningSupportEnabled)).append("\n");
+        sb.append("    size: ").append(toIndentedString(size)).append("\n");
+        sb.append("    used: ").append(toIndentedString(used)).append("\n");
+        sb.append("    physicalUsed: ").append(toIndentedString(physicalUsed)).append("\n");
+        sb.append("}");
+        return sb.toString();
+    }
+
+    private String toIndentedString(Object o) {
+        if (o == null) {
+            return "null";
+        }
+        return o.toString().replace("\n", "\n    ");
+    }
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/Nas.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/Nas.java
new file mode 100644
index 000000000000..42d348d80c80
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/Nas.java
@@ -0,0 +1,50 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cloudstack.storage.feign.model;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+@JsonIgnoreProperties(ignoreUnknown = true)
+@JsonInclude(JsonInclude.Include.NON_NULL)
+public class Nas {
+    @JsonProperty("path")
+    private String path;
+
+    @JsonProperty("export_policy")
+    private ExportPolicy exportPolicy;
+
+    public String getPath() {
+        return path;
+    }
+
+    public void setPath(String path) {
+        this.path = path;
+    }
+
+    public ExportPolicy getExportPolicy() {
+        return exportPolicy;
+    }
+
+    public void setExportPolicy(ExportPolicy exportPolicy) {
+        this.exportPolicy = exportPolicy;
+    }
+
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/OntapStorage.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/OntapStorage.java
new file mode 100644
index 000000000000..8b450331b50a
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/OntapStorage.java
@@ -0,0 +1,70 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cloudstack.storage.feign.model;
+
+import org.apache.cloudstack.storage.service.model.ProtocolType;
+
+public class OntapStorage {
+    private final String username;
+    private final String password;
+    private final String managementLIF;
+    private final String svmName;
+    private final Long size;
+    private final ProtocolType protocolType;
+    private final Boolean isDisaggregated;
+
+    public OntapStorage(String username, String password, String managementLIF, String svmName, Long size, ProtocolType protocolType, Boolean isDisaggregated) {
+        this.username = username;
+        this.password = password;
+        this.managementLIF = managementLIF;
+        this.svmName = svmName;
+        this.size = size;
+        this.protocolType = protocolType;
+        this.isDisaggregated = isDisaggregated;
+    }
+
+    public String getUsername() {
+        return username;
+    }
+
+    public String getPassword() {
+        return password;
+    }
+
+    public String getManagementLIF() {
+        return managementLIF;
+    }
+
+    public String getSvmName() {
+        return svmName;
+    }
+
+    public Long getSize() {
+        return size;
+    }
+
+    public ProtocolType getProtocol() {
+        return protocolType;
+    }
+
+    public Boolean getIsDisaggregated() {
+        return isDisaggregated;
+    }
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/Policy.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/Policy.java
new file mode 100644
index 000000000000..24fdee6a1424
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/Policy.java
@@ -0,0 +1,60 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cloudstack.storage.feign.model;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+
+import java.util.Objects;
+
+@JsonIgnoreProperties(ignoreUnknown = true)
+@JsonInclude(JsonInclude.Include.NON_NULL)
+public class Policy {
+    private int minThroughputIops;
+    private int minThroughputMbps;
+    private int maxThroughputIops;
+    private int maxThroughputMbps;
+    private String uuid;
+    private String name;
+    public int getMinThroughputIops() { return minThroughputIops; }
+    public void setMinThroughputIops(int minThroughputIops) { this.minThroughputIops = minThroughputIops; }
+    public int getMinThroughputMbps() { return minThroughputMbps; }
+    public void setMinThroughputMbps(int minThroughputMbps) { this.minThroughputMbps = minThroughputMbps; }
+    public int getMaxThroughputIops() { return maxThroughputIops; }
+    public void setMaxThroughputIops(int maxThroughputIops) { this.maxThroughputIops = maxThroughputIops; }
+    public int getMaxThroughputMbps() { return maxThroughputMbps; }
+    public void setMaxThroughputMbps(int maxThroughputMbps) { this.maxThroughputMbps = maxThroughputMbps; }
+    public String getUuid() { return uuid; }
+    public void setUuid(String uuid) { this.uuid = uuid; }
+    public String getName() { return name; }
+    public void setName(String name) { this.name = name; }
+
+    @Override
+    public boolean equals(Object o) {
+        if (o == null || getClass() != o.getClass()) return false;
+        Policy policy = (Policy) o;
+        return Objects.equals(getUuid(), policy.getUuid());
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hashCode(getUuid());
+    }
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/Qos.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/Qos.java
new file mode 100644
index 000000000000..3f7f8180de8e
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/Qos.java
@@ -0,0 +1,38 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cloudstack.storage.feign.model;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+@JsonIgnoreProperties(ignoreUnknown = true)
+@JsonInclude(JsonInclude.Include.NON_NULL)
+public class Qos {
+    @JsonProperty("policy")
+    private Policy policy;
+
+    public Policy getPolicy() {
+        return policy;
+    }
+
+    public void setPolicy(Policy policy) {
+        this.policy = policy;
+    }
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/Svm.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/Svm.java
new file mode 100644
index 000000000000..b1462c593863
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/Svm.java
@@ -0,0 +1,146 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cloudstack.storage.feign.model;
+
+import com.fasterxml.jackson.annotation.JsonIgnore;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.util.List;
+import java.util.Objects;
+
+@JsonIgnoreProperties(ignoreUnknown = true)
+@JsonInclude(JsonInclude.Include.NON_NULL)
+public class Svm {
+    @JsonProperty("uuid")
+    private String uuid = null;
+
+    @JsonProperty("name")
+    private String name = null;
+
+    @JsonProperty("iscsi.enabled")
+    private Boolean iscsiEnabled = null;
+
+    @JsonProperty("fcp.enabled")
+    private Boolean fcpEnabled = null;
+
+    @JsonProperty("nfs.enabled")
+    private Boolean nfsEnabled = null;
+
+    @JsonProperty("aggregates")
+    private List<Aggregate> aggregates = null;
+
+    @JsonProperty("aggregates_delegated")
+    private Boolean aggregatesDelegated = null;
+
+    @JsonProperty("state")
+    private String state = null;
+
+    @JsonIgnore
+    private Links links = null;
+
+    public String getUuid() {
+        return uuid;
+    }
+
+    public void setUuid(String uuid) {
+        this.uuid = uuid;
+    }
+
+    public String getName() {
+        return name;
+    }
+
+    public void setName(String name) {
+        this.name = name;
+    }
+
+    public Boolean getIscsiEnabled() {
+        return iscsiEnabled;
+    }
+
+    public void setIscsiEnabled(Boolean iscsiEnabled) {
+        this.iscsiEnabled = iscsiEnabled;
+    }
+
+    public Boolean getFcpEnabled() {
+        return fcpEnabled;
+    }
+
+    public void setFcpEnabled(Boolean fcpEnabled) {
+        this.fcpEnabled = fcpEnabled;
+    }
+
+    public Boolean getNfsEnabled() {
+        return nfsEnabled;
+    }
+
+    public void setNfsEnabled(Boolean nfsEnabled) {
+        this.nfsEnabled = nfsEnabled;
+    }
+
+    public List<Aggregate> getAggregates() {
+        return aggregates;
+    }
+
+    public void setAggregates(List<Aggregate> aggregates) {
+        this.aggregates = aggregates;
+    }
+
+    public Boolean getAggregatesDelegated() {
+        return aggregatesDelegated;
+    }
+
+    public void setAggregatesDelegated(Boolean aggregatesDelegated) {
+        this.aggregatesDelegated = aggregatesDelegated;
+    }
+
+    public String getState() {
+        return state;
+    }
+
+    public void setState(String state) {
+        this.state = state;
+    }
+
+    public Links getLinks() {
+        return links;
+    }
+
+    public void setLinks(Links links) {
+        this.links = links;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (o == null || getClass() != o.getClass()) return false;
+        Svm svm = (Svm) o;
+        return Objects.equals(getUuid(), svm.getUuid());
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hashCode(getUuid());
+    }
+
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    public static class Links { }
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/Version.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/Version.java
new file mode 100644
index 000000000000..80b4d0229abe
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/Version.java
@@ -0,0 +1,108 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+
+package org.apache.cloudstack.storage.feign.model;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.util.Objects;
+
+/**
+ * This returns the cluster version information.  When the cluster has more than one node, the cluster version is equivalent to the lowest of generation, major, and minor versions on all nodes.
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+@JsonInclude(JsonInclude.Include.NON_NULL)
+public class Version {
+  @JsonProperty("full")
+  private String full = null;
+
+  @JsonProperty("generation")
+  private Integer generation = null;
+
+  @JsonProperty("major")
+  private Integer major = null;
+
+  @JsonProperty("minor")
+  private Integer minor = null;
+
+  public String getFull() {
+    return full;
+  }
+
+  public Integer getGeneration() {
+    return generation;
+  }
+
+  public Integer getMajor() {
+    return major;
+  }
+
+  public Integer getMinor() {
+    return minor;
+  }
+
+
+  @Override
+  public boolean equals(Object o) {
+    if (this == o) {
+      return true;
+    }
+    if (o == null || getClass() != o.getClass()) {
+      return false;
+    }
+    Version clusterVersion = (Version) o;
+    return Objects.equals(this.full, clusterVersion.full) &&
+        Objects.equals(this.generation, clusterVersion.generation) &&
+        Objects.equals(this.major, clusterVersion.major) &&
+        Objects.equals(this.minor, clusterVersion.minor);
+  }
+
+  @Override
+  public int hashCode() {
+    return Objects.hash(full, generation, major, minor);
+  }
+
+
+  @Override
+  public String toString() {
+    StringBuilder sb = new StringBuilder();
+    sb.append("class ClusterVersion {\n");
+    sb.append("    full: ").append(toIndentedString(full)).append("\n");
+    sb.append("    generation: ").append(toIndentedString(generation)).append("\n");
+    sb.append("    major: ").append(toIndentedString(major)).append("\n");
+    sb.append("    minor: ").append(toIndentedString(minor)).append("\n");
+    sb.append("}");
+    return sb.toString();
+  }
+
+  /**
+   * Convert the given object to string with each line indented by 4 spaces
+   * (except the first line).
+   */
+  private String toIndentedString(Object o) {
+    if (o == null) {
+      return "null";
+    }
+    return o.toString().replace("\n", "\n    ");
+  }
+
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/Volume.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/Volume.java
new file mode 100644
index 000000000000..e7c538d7cd04
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/Volume.java
@@ -0,0 +1,142 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cloudstack.storage.feign.model;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.util.List;
+import java.util.Objects;
+
+@JsonIgnoreProperties(ignoreUnknown = true)
+@JsonInclude(JsonInclude.Include.NON_NULL)
+public class Volume {
+    @JsonProperty("uuid")
+    private String uuid;
+
+    @JsonProperty("name")
+    private String name;
+
+    @JsonProperty("state")
+    private String state;
+
+    @JsonProperty("nas")
+    private Nas nas;
+
+    @JsonProperty("svm")
+    private Svm svm;
+
+    @JsonProperty("qos")
+    private Qos qos;
+
+    @JsonProperty("space")
+    private VolumeSpace space;
+
+    @JsonProperty("anti_ransomware")
+    private AntiRansomware antiRansomware;
+
+    @JsonProperty("aggregates")
+    private List<Aggregate> aggregates = null;
+
+    @JsonProperty("size")
+    private Long size = null;
+
+    // Getters and setters
+    public String getUuid() {
+        return uuid;
+    }
+    public void setUuid(String uuid) {
+        this.uuid = uuid;
+    }
+    public String getName() {
+        return name;
+    }
+    public void setName(String name) {
+        this.name = name;
+    }
+    public String getState() {
+        return state;
+    }
+
+    public void setState(String state) {
+        this.state = state;
+    }
+
+    public Nas getNas() {
+        return nas;
+    }
+
+    public void setNas(Nas nas) {
+        this.nas = nas;
+    }
+
+    public Svm getSvm() {
+        return svm;
+    }
+
+    public void setSvm(Svm svm) {
+        this.svm = svm;
+    }
+
+    public Qos getQos() {
+        return qos;
+    }
+
+    public void setQos(Qos qos) {
+        this.qos = qos;
+    }
+
+    public VolumeSpace getSpace() {
+        return space;
+    }
+
+    public void setSpace(VolumeSpace space) {
+        this.space = space;
+    }
+
+    public AntiRansomware getAntiRansomware() {
+        return antiRansomware;
+    }
+
+    public void setAntiRansomware(AntiRansomware antiRansomware) {
+        this.antiRansomware = antiRansomware;
+    }
+
+    public List<Aggregate> getAggregates () { return aggregates; }
+
+    public void setAggregates (List<Aggregate> aggregates) { this.aggregates = aggregates; }
+
+    public Long getSize () { return size; }
+
+    public void setSize (Long size) { this.size = size; }
+
+    @Override
+    public boolean equals(Object o) {
+        if (o == null || getClass() != o.getClass()) return false;
+        Volume volume = (Volume) o;
+        return Objects.equals(uuid, volume.uuid);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hashCode(uuid);
+    }
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/VolumeQosPolicy.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/VolumeQosPolicy.java
new file mode 100644
index 000000000000..7a9a4307ab1a
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/VolumeQosPolicy.java
@@ -0,0 +1,83 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cloudstack.storage.feign.model;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+@JsonIgnoreProperties(ignoreUnknown = true)
+@JsonInclude(JsonInclude.Include.NON_NULL)
+public class VolumeQosPolicy {
+    @JsonProperty("max_throughput_iops")
+    private Integer maxThroughputIops = null;
+
+    @JsonProperty("max_throughput_mbps")
+    private Integer maxThroughputMbps = null;
+
+    @JsonProperty("min_throughput_iops")
+    private Integer minThroughputIops = null;
+
+    @JsonProperty("name")
+    private String name = null;
+
+    @JsonProperty("uuid")
+    private String uuid = null;
+
+    public Integer getMaxThroughputIops() {
+        return maxThroughputIops;
+    }
+
+    public void setMaxThroughputIops(Integer maxThroughputIops) {
+        this.maxThroughputIops = maxThroughputIops;
+    }
+
+    public Integer getMaxThroughputMbps() {
+        return maxThroughputMbps;
+    }
+
+    public void setMaxThroughputMbps(Integer maxThroughputMbps) {
+        this.maxThroughputMbps = maxThroughputMbps;
+    }
+
+    public Integer getMinThroughputIops() {
+        return minThroughputIops;
+    }
+
+    public void setMinThroughputIops(Integer minThroughputIops) {
+        this.minThroughputIops = minThroughputIops;
+    }
+
+    public String getName() {
+        return name;
+    }
+
+    public void setName(String name) {
+        this.name = name;
+    }
+
+    public String getUuid() {
+        return uuid;
+    }
+
+    public void setUuid(String uuid) {
+        this.uuid = uuid;
+    }
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/VolumeSpace.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/VolumeSpace.java
new file mode 100644
index 000000000000..84ae7d93199e
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/VolumeSpace.java
@@ -0,0 +1,61 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cloudstack.storage.feign.model;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+@JsonIgnoreProperties(ignoreUnknown = true)
+@JsonInclude(JsonInclude.Include.NON_NULL)
+public class VolumeSpace {
+    @JsonProperty("size")
+    private long size;
+
+    @JsonProperty("available")
+    private long available;
+
+    @JsonProperty("used")
+    private long used;
+
+    public long getSize() {
+        return size;
+    }
+
+    public void setSize(long size) {
+        this.size = size;
+    }
+
+    public long getAvailable() {
+        return available;
+    }
+
+    public void setAvailable(long available) {
+        this.available = available;
+    }
+
+    public long getUsed() {
+        return used;
+    }
+
+    public void setUsed(long used) {
+        this.used = used;
+    }
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/VolumeSpaceLogicalSpace.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/VolumeSpaceLogicalSpace.java
new file mode 100644
index 000000000000..fa14252e4db3
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/VolumeSpaceLogicalSpace.java
@@ -0,0 +1,51 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cloudstack.storage.feign.model;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+@JsonIgnoreProperties(ignoreUnknown = true)
+@JsonInclude(JsonInclude.Include.NON_NULL)
+public class VolumeSpaceLogicalSpace {
+
+    @JsonProperty("available")
+    private Long available = null;
+
+    @JsonProperty("used")
+    private Double used = null;
+
+    public Long getAvailable() {
+        return available;
+    }
+
+    public void setAvailable(Long available) {
+        this.available = available;
+    }
+
+    public Double getUsed() {
+        return used;
+    }
+
+    public void setUsed(Double used) {
+        this.used = used;
+    }
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/response/JobResponse.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/response/JobResponse.java
new file mode 100644
index 000000000000..a794c191c493
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/response/JobResponse.java
@@ -0,0 +1,30 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cloudstack.storage.feign.model.response;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import org.apache.cloudstack.storage.feign.model.Job;
+
+public class JobResponse {
+    @JsonProperty("job")
+    private Job job;
+    public Job getJob() { return job; }
+    public void setJob(Job job) { this.job = job; }
+
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/response/OntapResponse.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/response/OntapResponse.java
new file mode 100644
index 000000000000..8377f8906b99
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/feign/model/response/OntapResponse.java
@@ -0,0 +1,64 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cloudstack.storage.feign.model.response;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import java.util.List;
+
+/**
+ * OntapResponse
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+@JsonInclude(JsonInclude.Include.NON_NULL)
+public class OntapResponse<T> {
+  @JsonProperty("num_records")
+  private Integer numRecords;
+
+  @JsonProperty("records")
+  private List<T> records;
+
+  public OntapResponse () {
+    // Default constructor
+  }
+
+  public OntapResponse (List<T> records) {
+    this.records = records;
+    this.numRecords = (records != null) ? records.size() : 0;
+  }
+
+  public Integer getNumRecords() {
+    return numRecords;
+  }
+
+  public void setNumRecords(Integer numRecords) {
+    this.numRecords = numRecords;
+  }
+
+  public List<T> getRecords() {
+    return records;
+  }
+
+  public void setRecords(List<T> records) {
+    this.records = records;
+    this.numRecords = (records != null) ? records.size() : 0;
+  }
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/lifecycle/OntapPrimaryDatastoreLifecycle.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/lifecycle/OntapPrimaryDatastoreLifecycle.java
new file mode 100755
index 000000000000..7a66c0a72fe2
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/lifecycle/OntapPrimaryDatastoreLifecycle.java
@@ -0,0 +1,536 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cloudstack.storage.lifecycle;
+
+
+import com.cloud.agent.api.StoragePoolInfo;
+import com.cloud.dc.ClusterVO;
+import com.cloud.dc.dao.ClusterDao;
+import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.host.HostVO;
+import com.cloud.hypervisor.Hypervisor;
+import com.cloud.resource.ResourceManager;
+import com.cloud.storage.Storage;
+import com.cloud.storage.StorageManager;
+import com.cloud.storage.StoragePool;
+import com.cloud.storage.StoragePoolAutomation;
+import com.cloud.utils.StringUtils;
+import com.cloud.utils.exception.CloudRuntimeException;
+import com.google.common.base.Preconditions;
+import org.apache.cloudstack.engine.subsystem.api.storage.ClusterScope;
+import org.apache.cloudstack.engine.subsystem.api.storage.DataStore;
+import org.apache.cloudstack.engine.subsystem.api.storage.HostScope;
+import org.apache.cloudstack.engine.subsystem.api.storage.PrimaryDataStoreInfo;
+import org.apache.cloudstack.engine.subsystem.api.storage.PrimaryDataStoreLifeCycle;
+import org.apache.cloudstack.engine.subsystem.api.storage.PrimaryDataStoreParameters;
+import org.apache.cloudstack.engine.subsystem.api.storage.ZoneScope;
+import org.apache.cloudstack.storage.datastore.db.PrimaryDataStoreDao;
+import org.apache.cloudstack.storage.datastore.db.StoragePoolDetailsDao;
+import org.apache.cloudstack.storage.datastore.db.PrimaryDataStoreDetailsDao;
+import org.apache.cloudstack.storage.datastore.db.StoragePoolVO;
+import org.apache.cloudstack.storage.datastore.lifecycle.BasePrimaryDataStoreLifeCycleImpl;
+import org.apache.cloudstack.storage.feign.model.OntapStorage;
+import org.apache.cloudstack.storage.feign.model.Volume;
+import org.apache.cloudstack.storage.provider.StorageProviderFactory;
+import org.apache.cloudstack.storage.service.StorageStrategy;
+import org.apache.cloudstack.storage.service.model.AccessGroup;
+import org.apache.cloudstack.storage.service.model.ProtocolType;
+import org.apache.cloudstack.storage.utils.OntapStorageConstants;
+import org.apache.cloudstack.storage.utils.OntapStorageUtils;
+import org.apache.cloudstack.storage.volume.datastore.PrimaryDataStoreHelper;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+
+import javax.inject.Inject;
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.UUID;
+
+public class OntapPrimaryDatastoreLifecycle extends BasePrimaryDataStoreLifeCycleImpl implements PrimaryDataStoreLifeCycle {
+    @Inject private ClusterDao _clusterDao;
+    @Inject private StorageManager _storageMgr;
+    @Inject private ResourceManager _resourceMgr;
+    @Inject private PrimaryDataStoreHelper _dataStoreHelper;
+    @Inject private PrimaryDataStoreDetailsDao _datastoreDetailsDao;
+    @Inject private StoragePoolAutomation _storagePoolAutomation;
+    @Inject private PrimaryDataStoreDao storagePoolDao;
+    @Inject private StoragePoolDetailsDao storagePoolDetailsDao;
+    private static final Logger logger = LogManager.getLogger(OntapPrimaryDatastoreLifecycle.class);
+
+    private static final long ONTAP_MIN_VOLUME_SIZE_IN_BYTES = 1677721600L;
+
+    @Override
+    public DataStore initialize(Map<String, Object> dsInfos) {
+        if (dsInfos == null) {
+            throw new CloudRuntimeException("Datastore info map is null, cannot create primary storage");
+        }
+        String url = (String) dsInfos.get("url");
+        Long zoneId = (Long) dsInfos.get("zoneId");
+        Long podId = (Long) dsInfos.get("podId");
+        Long clusterId = (Long) dsInfos.get("clusterId");
+        String storagePoolName = (String) dsInfos.get("name");
+        String providerName = (String) dsInfos.get("providerName");
+        Long capacityBytes = (Long) dsInfos.get("capacityBytes");
+        boolean managed = (boolean) dsInfos.get("managed");
+        String tags = (String) dsInfos.get("tags");
+        Boolean isTagARule = (Boolean) dsInfos.get("isTagARule");
+
+        logger.info("Creating ONTAP primary storage pool with name: " + storagePoolName + ", provider: " + providerName +
+                ", zoneId: " + zoneId + ", podId: " + podId + ", clusterId: " + clusterId);
+        logger.debug("Received capacityBytes from UI: " + capacityBytes);
+
+        @SuppressWarnings("unchecked")
+        Map<String, String> details = (Map<String, String>) dsInfos.get("details");
+
+        capacityBytes = validateInitializeInputs(capacityBytes, podId, clusterId, zoneId, storagePoolName, providerName, managed, url, details);
+
+        PrimaryDataStoreParameters parameters = new PrimaryDataStoreParameters();
+        if (clusterId != null) {
+            ClusterVO clusterVO = _clusterDao.findById(clusterId);
+            Preconditions.checkNotNull(clusterVO, "Unable to locate the specified cluster");
+            if (clusterVO.getHypervisorType() != Hypervisor.HypervisorType.KVM) {
+                throw new CloudRuntimeException("ONTAP primary storage is supported only for KVM hypervisor");
+            }
+            parameters.setHypervisorType(clusterVO.getHypervisorType());
+        }
+
+        details.put(OntapStorageConstants.SIZE, capacityBytes.toString());
+        details.putIfAbsent(OntapStorageConstants.IS_DISAGGREGATED, "false");
+
+        ProtocolType protocol = ProtocolType.valueOf(details.get(OntapStorageConstants.PROTOCOL));
+
+//        long volumeSize = Long.parseLong(details.get(OntapStorageConstants.SIZE));
+        OntapStorage ontapStorage = new OntapStorage(
+                details.get(OntapStorageConstants.USERNAME),
+                details.get(OntapStorageConstants.PASSWORD),
+                details.get(OntapStorageConstants.MANAGEMENT_LIF),
+                details.get(OntapStorageConstants.SVM_NAME),
+                capacityBytes,
+                protocol,
+                Boolean.parseBoolean(details.get(OntapStorageConstants.IS_DISAGGREGATED).toLowerCase()));
+
+        StorageStrategy storageStrategy = StorageProviderFactory.getStrategy(ontapStorage);
+        boolean isValid = storageStrategy.connect();
+        if (isValid) {
+            String dataLIF = storageStrategy.getNetworkInterface();
+            if (dataLIF == null || dataLIF.isEmpty()) {
+                throw new CloudRuntimeException("Failed to retrieve Data LIF from ONTAP, cannot create primary storage");
+            }
+            logger.info("Using Data LIF for storage access: " + dataLIF);
+            details.put(OntapStorageConstants.DATA_LIF, dataLIF);
+            logger.info("Creating ONTAP volume '" + storagePoolName + "' with size: " + capacityBytes + " bytes (" +
+                    (capacityBytes / (1024 * 1024 * 1024)) + " GB)");
+            try {
+                Volume volume = storageStrategy.createStorageVolume(storagePoolName, capacityBytes);
+                if (volume == null) {
+                    logger.error("createStorageVolume returned null for volume: " + storagePoolName);
+                    throw new CloudRuntimeException("Failed to create ONTAP volume: " + storagePoolName);
+                }
+                logger.info("Volume object retrieved successfully. UUID: " + volume.getUuid() + ", Name: " + volume.getName());
+                details.putIfAbsent(OntapStorageConstants.VOLUME_UUID, volume.getUuid());
+                details.putIfAbsent(OntapStorageConstants.VOLUME_NAME, volume.getName());
+            } catch (Exception e) {
+                logger.error("Exception occurred while creating ONTAP volume: " + storagePoolName, e);
+                throw new CloudRuntimeException("Failed to create ONTAP volume: " + storagePoolName + ". Error: " + e.getMessage(), e);
+            }
+        } else {
+            throw new CloudRuntimeException("ONTAP details validation failed, cannot create primary storage");
+        }
+
+        String path;
+        int port;
+        switch (protocol) {
+            case NFS3:
+                parameters.setType(Storage.StoragePoolType.NetworkFilesystem);
+                path = OntapStorageConstants.SLASH + storagePoolName;
+                port = OntapStorageConstants.NFS3_PORT;
+                logger.info("Setting NFS path for storage pool: " + path + ", port: " + port);
+                break;
+            case ISCSI:
+                parameters.setType(Storage.StoragePoolType.Iscsi);
+                path = storageStrategy.getStoragePath();
+                port = OntapStorageConstants.ISCSI_PORT;
+                logger.info("Setting iSCSI path for storage pool: " + path + ", port: " + port);
+                break;
+            default:
+                throw new CloudRuntimeException("Unsupported protocol: " + protocol + ", cannot create primary storage");
+        }
+
+        parameters.setHost(details.get(OntapStorageConstants.DATA_LIF));
+        parameters.setPort(port);
+        parameters.setPath(path);
+        parameters.setTags(tags);
+        parameters.setIsTagARule(isTagARule);
+        parameters.setDetails(details);
+        parameters.setUuid(UUID.randomUUID().toString());
+        parameters.setZoneId(zoneId);
+        parameters.setPodId(podId);
+        parameters.setClusterId(clusterId);
+        parameters.setName(storagePoolName);
+        parameters.setProviderName(providerName);
+        parameters.setManaged(managed);
+        parameters.setCapacityBytes(capacityBytes);
+        parameters.setUsedBytes(0);
+
+        return _dataStoreHelper.createPrimaryDataStore(parameters);
+    }
+
+    private long validateInitializeInputs(Long capacityBytes, Long podId, Long clusterId, Long zoneId,
+                                          String storagePoolName, String providerName, boolean managed, String url, Map<String, String> details) {
+
+        // Capacity validation
+        if (capacityBytes == null || capacityBytes <= 0) {
+            logger.warn("capacityBytes not provided or invalid (" + capacityBytes + "), using ONTAP minimum size: " + ONTAP_MIN_VOLUME_SIZE_IN_BYTES);
+            capacityBytes = ONTAP_MIN_VOLUME_SIZE_IN_BYTES;
+        } else if (capacityBytes < ONTAP_MIN_VOLUME_SIZE_IN_BYTES) {
+            logger.warn("capacityBytes (" + capacityBytes + ") is below ONTAP minimum (" + ONTAP_MIN_VOLUME_SIZE_IN_BYTES + "), adjusting to minimum");
+            capacityBytes = ONTAP_MIN_VOLUME_SIZE_IN_BYTES;
+        }
+
+        // Scope (pod/cluster/zone) validation
+        if (podId == null ^ clusterId == null) {
+            throw new CloudRuntimeException("Cluster Id or Pod Id is null, cannot create primary storage");
+        }
+        if (podId == null && clusterId == null) {
+            if (zoneId != null) {
+                logger.info("Both Pod Id and Cluster Id are null, Primary storage pool will be associated with a Zone");
+            } else {
+                throw new CloudRuntimeException("Pod Id, Cluster Id and Zone Id are all null, cannot create primary storage");
+            }
+        }
+
+        // Basic parameter validation
+        if (StringUtils.isBlank(storagePoolName)) {
+            throw new CloudRuntimeException("Storage pool name is null or empty, cannot create primary storage");
+        }
+        if (StringUtils.isBlank(providerName)) {
+            throw new CloudRuntimeException("Provider name is null or empty, cannot create primary storage");
+        }
+        logger.debug("ONTAP primary storage will be created as " + (managed ? "managed" : "unmanaged"));
+        if (!managed) {
+            throw new CloudRuntimeException("ONTAP primary storage must be managed");
+        }
+
+        // Details key validation
+        Set<String> requiredKeys = Set.of(
+                OntapStorageConstants.USERNAME,
+                OntapStorageConstants.PASSWORD,
+                OntapStorageConstants.SVM_NAME,
+                OntapStorageConstants.PROTOCOL,
+                OntapStorageConstants.MANAGEMENT_LIF
+        );
+        Set<String> optionalKeys = Set.of(
+                OntapStorageConstants.IS_DISAGGREGATED
+        );
+        Set<String> allowedKeys = new java.util.HashSet<>(requiredKeys);
+        allowedKeys.addAll(optionalKeys);
+
+        if (StringUtils.isNotBlank(url)) {
+            for (String segment : url.split(OntapStorageConstants.SEMICOLON)) {
+                if (segment.isEmpty()) {
+                    continue;
+                }
+                String[] kv = segment.split(OntapStorageConstants.EQUALS, 2);
+                if (kv.length == 2) {
+                    details.put(kv[0].trim(), kv[1].trim());
+                }
+            }
+        }
+
+        for (Map.Entry<String, String> e : details.entrySet()) {
+            String key = e.getKey();
+            String val = e.getValue();
+            if (!allowedKeys.contains(key)) {
+                throw new CloudRuntimeException("Unexpected ONTAP detail key in URL: " + key);
+            }
+            if (StringUtils.isBlank(val)) {
+                throw new CloudRuntimeException("ONTAP primary storage creation failed, empty detail: " + key);
+            }
+        }
+
+        Set<String> providedKeys = new HashSet<>(details.keySet());
+        if (!providedKeys.containsAll(requiredKeys)) {
+            Set<String> missing = new HashSet<>(requiredKeys);
+            missing.removeAll(providedKeys);
+            throw new CloudRuntimeException("ONTAP primary storage creation failed, missing detail(s): " + missing);
+        }
+
+        return capacityBytes;
+    }
+
+    @Override
+    public boolean attachCluster(DataStore dataStore, ClusterScope scope) {
+        logger.debug("In attachCluster for ONTAP primary storage");
+        if (dataStore == null) {
+            throw new InvalidParameterValueException("attachCluster: dataStore should not be null");
+        }
+        if (scope == null) {
+            throw new InvalidParameterValueException("attachCluster: scope should not be null");
+        }
+        List<String> hostsIdentifier = new ArrayList<>();
+        StoragePoolVO storagePool = storagePoolDao.findById(dataStore.getId());
+        if (storagePool == null) {
+            logger.error("attachCluster : Storage Pool not found for id: " + dataStore.getId());
+            throw new CloudRuntimeException("attachCluster : Storage Pool not found for id: " + dataStore.getId());
+        }
+        PrimaryDataStoreInfo primaryStore = (PrimaryDataStoreInfo)dataStore;
+        List<HostVO> hostsToConnect = _resourceMgr.getEligibleUpAndEnabledHostsInClusterForStorageConnection(primaryStore);
+        logger.debug("attachCluster: Eligible Up and Enabled hosts: {} in cluster {}", hostsToConnect, primaryStore.getClusterId());
+
+        Map<String, String> details = storagePoolDetailsDao.listDetailsKeyPairs(primaryStore.getId());
+        StorageStrategy strategy = OntapStorageUtils.getStrategyByStoragePoolDetails(details);
+
+        ProtocolType protocol = ProtocolType.valueOf(details.get(OntapStorageConstants.PROTOCOL));
+        if (!validateProtocolSupportAndFetchHostsIdentifier(hostsToConnect, protocol, hostsIdentifier)) {
+            String errMsg = "attachCluster: Not all hosts in the cluster support the protocol: " + protocol.name();
+            logger.error(errMsg);
+            throw new CloudRuntimeException(errMsg);
+        }
+
+        logger.debug("attachCluster: Attaching the pool to each of the host in the cluster: {}", primaryStore.getClusterId());
+        if (hostsIdentifier != null && hostsIdentifier.size() > 0) {
+            try {
+                AccessGroup accessGroupRequest = new AccessGroup();
+                accessGroupRequest.setHostsToConnect(hostsToConnect);
+                accessGroupRequest.setScope(scope);
+                primaryStore.setDetails(details);
+                accessGroupRequest.setPrimaryDataStoreInfo(primaryStore);
+                strategy.createAccessGroup(accessGroupRequest);
+            } catch (Exception e) {
+                logger.error("attachCluster: Failed to create access group on storage system for cluster: " + primaryStore.getClusterId() + ". Exception: " + e.getMessage());
+                throw new CloudRuntimeException("attachCluster: Failed to create access group on storage system for cluster: " + primaryStore.getClusterId() + ". Exception: " + e.getMessage());
+            }
+        }
+        logger.debug("attachCluster: Attaching the pool to each of the host in the cluster: {}", primaryStore.getClusterId());
+        for (HostVO host : hostsToConnect) {
+            try {
+                _storageMgr.connectHostToSharedPool(host, dataStore.getId());
+            } catch (Exception e) {
+                logger.warn("attachCluster: Unable to establish a connection between " + host + " and " + dataStore, e);
+                return false;
+            }
+        }
+        _dataStoreHelper.attachCluster(dataStore);
+        return true;
+    }
+
+    @Override
+    public boolean attachHost(DataStore store, HostScope scope, StoragePoolInfo existingInfo) {
+        return false;
+    }
+
+    @Override
+    public boolean attachZone(DataStore dataStore, ZoneScope scope, Hypervisor.HypervisorType hypervisorType) {
+        logger.debug("In attachZone for ONTAP primary storage");
+        if (dataStore == null) {
+            throw new InvalidParameterValueException("attachZone: dataStore should not be null");
+        }
+        if (scope == null) {
+            throw new InvalidParameterValueException("attachZone: scope should not be null");
+        }
+        List<String> hostsIdentifier = new ArrayList<>();
+        StoragePoolVO storagePool = storagePoolDao.findById(dataStore.getId());
+        if (storagePool == null) {
+            logger.error("attachZone : Storage Pool not found for id: " + dataStore.getId());
+            throw new CloudRuntimeException("attachZone : Storage Pool not found for id: " + dataStore.getId());
+        }
+
+        PrimaryDataStoreInfo primaryStore = (PrimaryDataStoreInfo)dataStore;
+        List<HostVO> hostsToConnect = _resourceMgr.getEligibleUpAndEnabledHostsInZoneForStorageConnection(dataStore, scope.getScopeId(), Hypervisor.HypervisorType.KVM);
+        logger.debug(String.format("In createPool. Attaching the pool to each of the hosts in %s.", hostsToConnect));
+
+        Map<String, String> details = storagePoolDetailsDao.listDetailsKeyPairs(primaryStore.getId());
+        StorageStrategy strategy = OntapStorageUtils.getStrategyByStoragePoolDetails(details);
+
+        logger.debug("attachZone: Eligible Up and Enabled hosts: {}", hostsToConnect);
+        ProtocolType protocol = ProtocolType.valueOf(details.get(OntapStorageConstants.PROTOCOL));
+        if (!validateProtocolSupportAndFetchHostsIdentifier(hostsToConnect, protocol, hostsIdentifier)) {
+            String errMsg = "attachZone: Not all hosts in the zone support the protocol: " + protocol.name();
+            logger.error(errMsg);
+            throw new CloudRuntimeException(errMsg);
+        }
+        if (hostsIdentifier != null && !hostsIdentifier.isEmpty()) {
+            try {
+                AccessGroup accessGroupRequest = new AccessGroup();
+                accessGroupRequest.setHostsToConnect(hostsToConnect);
+                accessGroupRequest.setScope(scope);
+                primaryStore.setDetails(details);
+                accessGroupRequest.setPrimaryDataStoreInfo(primaryStore);
+                strategy.createAccessGroup(accessGroupRequest);
+            } catch (Exception e) {
+                logger.error("attachZone: Failed to create access group on storage system for zone with Exception: " + e.getMessage());
+                throw new CloudRuntimeException("attachZone: Failed to create access group on storage system for zone with Exception: " + e.getMessage());
+            }
+        }
+        for (HostVO host : hostsToConnect) {
+            try {
+                _storageMgr.connectHostToSharedPool(host, dataStore.getId());
+            } catch (Exception e) {
+                logger.warn("Unable to establish a connection between " + host + " and " + dataStore, e);
+                return  false;
+            }
+        }
+        _dataStoreHelper.attachZone(dataStore);
+        return true;
+    }
+
+    private boolean validateProtocolSupportAndFetchHostsIdentifier(List<HostVO> hosts, ProtocolType protocolType, List<String> hostIdentifiers) {
+        switch (protocolType) {
+            case ISCSI:
+                String protocolPrefix = OntapStorageConstants.IQN;
+                for (HostVO host : hosts) {
+                    if (host == null || host.getStorageUrl() == null || host.getStorageUrl().trim().isEmpty()
+                            || !host.getStorageUrl().startsWith(protocolPrefix)) {
+                        return false;
+                    }
+                    hostIdentifiers.add(host.getStorageUrl());
+                }
+                break;
+            case NFS3:
+                String ip = "";
+                for (HostVO host : hosts) {
+                    if (host != null) {
+                        ip =  host.getStorageIpAddress() != null ? host.getStorageIpAddress().trim() : "";
+                        if (ip.isEmpty()) {
+                            if (host.getPrivateIpAddress() == null || host.getPrivateIpAddress().trim().isEmpty()) {
+                                return false;
+                            }
+                            ip = host.getPrivateIpAddress().trim();
+                        }
+                    }
+                    hostIdentifiers.add(ip);
+                }
+                break;
+            default:
+                throw new CloudRuntimeException("validateProtocolSupportAndFetchHostsIdentifier : Unsupported protocol: " + protocolType.name());
+        }
+        logger.info("validateProtocolSupportAndFetchHostsIdentifier: All hosts support the protocol: " + protocolType.name());
+        return true;
+    }
+
+    @Override
+    public boolean maintain(DataStore store) {
+        logger.info("Placing storage pool {} in maintenance mode", store);
+        if (_storagePoolAutomation.maintain(store)) {
+            return _dataStoreHelper.maintain(store);
+        } else {
+            return false;
+        }
+    }
+
+    @Override
+    public boolean cancelMaintain(DataStore store) {
+        logger.info("Cancelling storage pool maintenance for {}", store);
+        if (_dataStoreHelper.cancelMaintain(store)) {
+            return _storagePoolAutomation.cancelMaintain(store);
+        } else {
+            return false;
+        }
+    }
+
+    @Override
+    public boolean deleteDataStore(DataStore store) {
+        logger.info("deleteDataStore: Starting deletion process for storage pool id: {}", store.getId());
+
+        long storagePoolId = store.getId();
+        StoragePool storagePool = _storageMgr.getStoragePool(storagePoolId);
+        if (storagePool == null) {
+            logger.warn("deleteDataStore: Storage pool not found for id: {}, skipping deletion", storagePoolId);
+            return true;
+        }
+
+        try {
+            Map<String, String> details = _datastoreDetailsDao.listDetailsKeyPairs(storagePoolId);
+            if (details == null || details.isEmpty()) {
+                logger.warn("deleteDataStore: No details found for storage pool id: {}, proceeding with CS entity deletion only", storagePoolId);
+                return _dataStoreHelper.deletePrimaryDataStore(store);
+            }
+
+            logger.info("deleteDataStore: Deleting access groups for storage pool '{}'", storagePool.getName());
+
+            StorageStrategy storageStrategy = OntapStorageUtils.getStrategyByStoragePoolDetails(details);
+
+            PrimaryDataStoreInfo primaryDataStoreInfo = (PrimaryDataStoreInfo) store;
+            primaryDataStoreInfo.setDetails(details);
+
+            logger.info("deleteDataStore: Deleting ONTAP volume for storage pool '{}'", storagePool.getName());
+            Volume volume = new Volume();
+            volume.setUuid(details.get(OntapStorageConstants.VOLUME_UUID));
+            volume.setName(details.get(OntapStorageConstants.VOLUME_NAME));
+            try {
+                if (volume.getUuid() == null || volume.getUuid().isEmpty() || volume.getName() == null || volume.getName().isEmpty()) {
+                    logger.error("deleteDataStore: Volume UUID/Name not found in details for storage pool id: {}, cannot delete volume", storagePoolId);
+                    throw new CloudRuntimeException("Volume UUID/Name not found in details, cannot delete ONTAP volume");
+                }
+                storageStrategy.deleteStorageVolume(volume);
+                logger.info("deleteDataStore: Successfully deleted ONTAP volume '{}' (UUID: {}) for storage pool '{}'",
+                        volume.getName(), volume.getUuid(), storagePool.getName());
+            } catch (Exception e) {
+                logger.error("deleteDataStore: Exception while retrieving volume UUID for storage pool id: {}. Error: {}",
+                        storagePoolId, e.getMessage(), e);
+            }
+            AccessGroup accessGroup = new AccessGroup();
+            accessGroup.setPrimaryDataStoreInfo(primaryDataStoreInfo);
+            storageStrategy.deleteAccessGroup(accessGroup);
+            logger.info("deleteDataStore: Successfully deleted access groups for storage pool '{}'", storagePool.getName());
+
+        } catch (Exception e) {
+            logger.error("deleteDataStore: Failed to delete access groups for storage pool id: {}. Error: {}",
+                    storagePoolId, e.getMessage(), e);
+            logger.warn("deleteDataStore: Proceeding with CloudStack entity deletion despite ONTAP cleanup failure");
+        }
+
+        return _dataStoreHelper.deletePrimaryDataStore(store);
+    }
+
+
+    @Override
+    public boolean migrateToObjectStore(DataStore store) {
+        return false;
+    }
+
+    @Override
+    public void updateStoragePool(StoragePool storagePool, Map<String, String> details) {
+
+    }
+
+    @Override
+    public void enableStoragePool(DataStore store) {
+        _dataStoreHelper.enable(store);
+    }
+
+    @Override
+    public void disableStoragePool(DataStore store) {
+        _dataStoreHelper.disable(store);
+    }
+
+    @Override
+    public void changeStoragePoolScopeToZone(DataStore store, ClusterScope clusterScope, Hypervisor.HypervisorType hypervisorType) {
+
+    }
+
+    @Override
+    public void changeStoragePoolScopeToCluster(DataStore store, ClusterScope clusterScope, Hypervisor.HypervisorType hypervisorType) {
+
+    }
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/listener/OntapHostListener.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/listener/OntapHostListener.java
new file mode 100644
index 000000000000..a7c851dbe718
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/listener/OntapHostListener.java
@@ -0,0 +1,186 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cloudstack.storage.listener;
+
+import javax.inject.Inject;
+
+import com.cloud.agent.api.ModifyStoragePoolCommand;
+import com.cloud.agent.api.ModifyStoragePoolAnswer;
+import com.cloud.agent.api.StoragePoolInfo;
+import com.cloud.alert.AlertManager;
+import com.cloud.storage.StoragePoolHostVO;
+import com.cloud.storage.dao.StoragePoolHostDao;
+import org.apache.logging.log4j.Logger;
+import org.apache.logging.log4j.LogManager;
+import com.cloud.agent.AgentManager;
+import com.cloud.agent.api.Answer;
+import com.cloud.agent.api.DeleteStoragePoolCommand;
+import com.cloud.host.Host;
+import com.cloud.storage.StoragePool;
+import com.cloud.utils.exception.CloudRuntimeException;
+import org.apache.cloudstack.storage.datastore.db.PrimaryDataStoreDao;
+import org.apache.cloudstack.storage.datastore.db.StoragePoolVO;
+import org.apache.cloudstack.engine.subsystem.api.storage.HypervisorHostListener;
+import com.cloud.host.dao.HostDao;
+
+public class OntapHostListener implements HypervisorHostListener {
+    protected Logger logger = LogManager.getLogger(getClass());
+
+    @Inject
+    private AgentManager _agentMgr;
+    @Inject
+    private AlertManager _alertMgr;
+    @Inject
+    private PrimaryDataStoreDao _storagePoolDao;
+    @Inject
+    private HostDao _hostDao;
+    @Inject
+    private StoragePoolHostDao storagePoolHostDao;
+
+    @Override
+    public boolean hostConnect(long hostId, long poolId)  {
+        logger.info("Connect to host " + hostId + " from pool " + poolId);
+        Host host = _hostDao.findById(hostId);
+        if (host == null) {
+            logger.error("host was not found with id : {}", hostId);
+            return false;
+        }
+
+        StoragePool pool = _storagePoolDao.findById(poolId);
+        if (pool == null) {
+            logger.error("Failed to connect host - storage pool not found with id: {}", poolId);
+            return false;
+        }
+        logger.info("Connecting host {} to ONTAP storage pool {}", host.getName(), pool.getName());
+        try {
+            ModifyStoragePoolCommand cmd = new ModifyStoragePoolCommand(true, pool);
+
+            Answer answer = _agentMgr.easySend(hostId, cmd);
+
+            if (answer == null) {
+                throw new CloudRuntimeException(String.format("Unable to get an answer to the modify storage pool command (%s)", pool));
+            }
+
+            if (!answer.getResult()) {
+                String msg = String.format("Unable to attach storage pool %s to host %d", pool, hostId);
+
+                _alertMgr.sendAlert(AlertManager.AlertType.ALERT_TYPE_HOST, pool.getDataCenterId(), pool.getPodId(), msg, msg);
+
+                throw new CloudRuntimeException(String.format(
+                        "Unable to establish a connection from agent to storage pool %s due to %s", pool, answer.getDetails()));
+            }
+
+            if (!(answer instanceof ModifyStoragePoolAnswer)) {
+                logger.error("Received unexpected answer type {} for storage pool {}", answer.getClass().getName(), pool.getName());
+                throw new CloudRuntimeException("Failed to connect to storage pool. Please check agent logs for details.");
+            }
+
+            ModifyStoragePoolAnswer mspAnswer = (ModifyStoragePoolAnswer) answer;
+            StoragePoolInfo poolInfo = mspAnswer.getPoolInfo();
+            if (poolInfo == null) {
+                throw new CloudRuntimeException("ModifyStoragePoolAnswer returned null poolInfo");
+            }
+
+            String localPath = poolInfo.getLocalPath();
+            logger.info("Storage pool {} successfully mounted at: {}", pool.getName(), localPath);
+
+            StoragePoolHostVO storagePoolHost = storagePoolHostDao.findByPoolHost(poolId, hostId);
+
+            if (storagePoolHost == null) {
+                storagePoolHost = new StoragePoolHostVO(poolId, hostId, localPath);
+                storagePoolHostDao.persist(storagePoolHost);
+                logger.info("Created storage_pool_host_ref entry for pool {} and host {}", pool.getName(), host.getName());
+            } else {
+                storagePoolHost.setLocalPath(localPath);
+                storagePoolHostDao.update(storagePoolHost.getId(), storagePoolHost);
+                logger.info("Updated storage_pool_host_ref entry with local_path: {}", localPath);
+            }
+
+            StoragePoolVO poolVO = _storagePoolDao.findById(poolId);
+            if (poolVO != null && poolInfo.getCapacityBytes() > 0) {
+                poolVO.setCapacityBytes(poolInfo.getCapacityBytes());
+                poolVO.setUsedBytes(poolInfo.getCapacityBytes() - poolInfo.getAvailableBytes());
+                _storagePoolDao.update(poolVO.getId(), poolVO);
+                logger.info("Updated storage pool capacity: {} GB, used: {} GB", poolInfo.getCapacityBytes() / (1024 * 1024 * 1024), (poolInfo.getCapacityBytes() - poolInfo.getAvailableBytes()) / (1024 * 1024 * 1024));
+            }
+
+        } catch (Exception e) {
+            logger.error("Exception while connecting host {} to storage pool {}", host.getName(), pool.getName(), e);
+            return false;
+        }
+        return true;
+    }
+
+    @Override
+    public boolean hostDisconnected(Host host, StoragePool pool) {
+        logger.info("Disconnect from host " + host.getId() + " from pool " + pool.getName());
+
+        Host hostToremove = _hostDao.findById(host.getId());
+        if (hostToremove == null) {
+            logger.error("Failed to add host by HostListener as host was not found with id : {}", host.getId());
+            return false;
+        }
+        logger.info("Disconnecting host {} from ONTAP storage pool {}", host.getName(), pool.getName());
+
+        try {
+            DeleteStoragePoolCommand cmd = new DeleteStoragePoolCommand(pool);
+            long hostId = host.getId();
+            Answer answer = _agentMgr.easySend(hostId, cmd);
+
+            if (answer != null && answer.getResult()) {
+                logger.info("Successfully disconnected host {} from ONTAP storage pool {}", host.getName(), pool.getName());
+                return true;
+            } else {
+                String errMsg = (answer != null) ? answer.getDetails() : "Unknown error";
+                logger.warn("Failed to disconnect host {} from storage pool {}. Error: {}", host.getName(), pool.getName(), errMsg);
+                return false;
+            }
+        } catch (Exception e) {
+            logger.error("Exception while disconnecting host {} from storage pool {}", host.getName(), pool.getName(), e);
+            return false;
+        }
+    }
+
+    @Override
+    public boolean hostDisconnected(long hostId, long poolId) {
+        return false;
+    }
+
+    @Override
+    public boolean hostAboutToBeRemoved(long hostId) {
+        return false;
+    }
+
+    @Override
+    public boolean hostRemoved(long hostId, long clusterId) {
+        return false;
+    }
+
+    @Override
+    public boolean hostEnabled(long hostId) {
+        return false;
+    }
+
+    @Override
+    public boolean hostAdded(long hostId) {
+        return false;
+    }
+
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/provider/OntapPrimaryDatastoreProvider.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/provider/OntapPrimaryDatastoreProvider.java
new file mode 100755
index 000000000000..65d9e9622f04
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/provider/OntapPrimaryDatastoreProvider.java
@@ -0,0 +1,88 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cloudstack.storage.provider;
+
+
+import com.cloud.utils.component.ComponentContext;
+import org.apache.cloudstack.engine.subsystem.api.storage.DataStoreDriver;
+import org.apache.cloudstack.engine.subsystem.api.storage.DataStoreLifeCycle;
+import org.apache.cloudstack.engine.subsystem.api.storage.HypervisorHostListener;
+import org.apache.cloudstack.engine.subsystem.api.storage.PrimaryDataStoreProvider;
+import org.apache.cloudstack.storage.driver.OntapPrimaryDatastoreDriver;
+import org.apache.cloudstack.storage.lifecycle.OntapPrimaryDatastoreLifecycle;
+import org.apache.cloudstack.storage.listener.OntapHostListener;
+import org.apache.cloudstack.storage.utils.OntapStorageConstants;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.springframework.stereotype.Component;
+
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+
+@Component
+public class OntapPrimaryDatastoreProvider implements PrimaryDataStoreProvider {
+
+    private static final Logger logger = LogManager.getLogger(OntapPrimaryDatastoreProvider.class);
+    private OntapPrimaryDatastoreDriver primaryDatastoreDriver;
+    private OntapPrimaryDatastoreLifecycle primaryDatastoreLifecycle;
+    private HypervisorHostListener listener;
+
+    public OntapPrimaryDatastoreProvider() {
+        logger.info("OntapPrimaryDatastoreProvider initialized");
+    }
+    @Override
+    public DataStoreLifeCycle getDataStoreLifeCycle() {
+        return primaryDatastoreLifecycle;
+    }
+
+    @Override
+    public DataStoreDriver getDataStoreDriver() {
+        return primaryDatastoreDriver;
+    }
+
+    @Override
+    public HypervisorHostListener getHostListener() {
+        return listener;
+    }
+
+    @Override
+    public String getName() {
+        logger.trace("OntapPrimaryDatastoreProvider: getName: Called");
+        return OntapStorageConstants.ONTAP_PLUGIN_NAME;
+    }
+
+    @Override
+    public boolean configure(Map<String, Object> params) {
+        logger.trace("OntapPrimaryDatastoreProvider: configure: Called");
+        primaryDatastoreDriver = ComponentContext.inject(OntapPrimaryDatastoreDriver.class);
+        primaryDatastoreLifecycle = ComponentContext.inject(OntapPrimaryDatastoreLifecycle.class);
+        listener = ComponentContext.inject(OntapHostListener.class);
+        return true;
+    }
+
+    @Override
+    public Set<DataStoreProviderType> getTypes() {
+        logger.trace("OntapPrimaryDatastoreProvider: getTypes: Called");
+        Set<DataStoreProviderType> typeSet = new HashSet<DataStoreProviderType>();
+        typeSet.add(DataStoreProviderType.PRIMARY);
+        return typeSet;
+    }
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/provider/StorageProviderFactory.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/provider/StorageProviderFactory.java
new file mode 100644
index 000000000000..5c0bf1af4454
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/provider/StorageProviderFactory.java
@@ -0,0 +1,60 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cloudstack.storage.provider;
+
+import com.cloud.utils.component.ComponentContext;
+import com.cloud.utils.exception.CloudRuntimeException;
+import org.apache.cloudstack.storage.feign.model.OntapStorage;
+import org.apache.cloudstack.storage.service.StorageStrategy;
+import org.apache.cloudstack.storage.service.UnifiedNASStrategy;
+import org.apache.cloudstack.storage.service.UnifiedSANStrategy;
+import org.apache.cloudstack.storage.service.model.ProtocolType;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+
+
+public class StorageProviderFactory {
+    private static final Logger logger = LogManager.getLogger(StorageProviderFactory.class);
+
+    public static StorageStrategy getStrategy(OntapStorage ontapStorage) {
+        ProtocolType protocol = ontapStorage.getProtocol();
+        logger.info("Initializing StorageProviderFactory with protocol: " + protocol);
+        switch (protocol) {
+            case NFS3:
+                if (!ontapStorage.getIsDisaggregated()) {
+                    UnifiedNASStrategy unifiedNASStrategy = new UnifiedNASStrategy(ontapStorage);
+                    ComponentContext.inject(unifiedNASStrategy);
+                    unifiedNASStrategy.setOntapStorage(ontapStorage);
+                    return unifiedNASStrategy;
+                }
+                throw new CloudRuntimeException("Unsupported configuration: Disaggregated ONTAP is not supported.");
+            case ISCSI:
+                if (!ontapStorage.getIsDisaggregated()) {
+                    UnifiedSANStrategy unifiedSANStrategy = new UnifiedSANStrategy(ontapStorage);
+                    ComponentContext.inject(unifiedSANStrategy);
+                    unifiedSANStrategy.setOntapStorage(ontapStorage);
+                    return unifiedSANStrategy;
+                }
+                throw new CloudRuntimeException("Unsupported configuration: Disaggregated ONTAP is not supported.");
+            default:
+                throw new CloudRuntimeException("Unsupported protocol: " + protocol);
+        }
+    }
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/service/NASStrategy.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/service/NASStrategy.java
new file mode 100644
index 000000000000..27a4f3d2ce7d
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/service/NASStrategy.java
@@ -0,0 +1,29 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cloudstack.storage.service;
+
+import org.apache.cloudstack.storage.feign.model.OntapStorage;
+
+public abstract class NASStrategy extends StorageStrategy {
+    public NASStrategy(OntapStorage ontapStorage) {
+        super(ontapStorage);
+    }
+
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/service/SANStrategy.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/service/SANStrategy.java
new file mode 100644
index 000000000000..ce3b2806ef75
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/service/SANStrategy.java
@@ -0,0 +1,29 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cloudstack.storage.service;
+
+import org.apache.cloudstack.storage.feign.model.OntapStorage;
+
+public abstract class SANStrategy extends StorageStrategy {
+    public SANStrategy(OntapStorage ontapStorage) {
+        super(ontapStorage);
+    }
+
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/service/StorageStrategy.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/service/StorageStrategy.java
new file mode 100644
index 000000000000..2eb459c78919
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/service/StorageStrategy.java
@@ -0,0 +1,456 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+        package org.apache.cloudstack.storage.service;
+
+import com.cloud.utils.exception.CloudRuntimeException;
+import feign.FeignException;
+import org.apache.cloudstack.storage.feign.FeignClientFactory;
+import org.apache.cloudstack.storage.feign.client.AggregateFeignClient;
+import org.apache.cloudstack.storage.feign.client.JobFeignClient;
+import org.apache.cloudstack.storage.feign.client.NetworkFeignClient;
+import org.apache.cloudstack.storage.feign.client.SANFeignClient;
+import org.apache.cloudstack.storage.feign.client.SvmFeignClient;
+import org.apache.cloudstack.storage.feign.client.VolumeFeignClient;
+import org.apache.cloudstack.storage.feign.model.Aggregate;
+import org.apache.cloudstack.storage.feign.model.IpInterface;
+import org.apache.cloudstack.storage.feign.model.IscsiService;
+import org.apache.cloudstack.storage.feign.model.Job;
+import org.apache.cloudstack.storage.feign.model.Nas;
+import org.apache.cloudstack.storage.feign.model.OntapStorage;
+import org.apache.cloudstack.storage.feign.model.Svm;
+import org.apache.cloudstack.storage.feign.model.Volume;
+import org.apache.cloudstack.storage.feign.model.response.JobResponse;
+import org.apache.cloudstack.storage.feign.model.response.OntapResponse;
+import org.apache.cloudstack.storage.service.model.AccessGroup;
+import org.apache.cloudstack.storage.service.model.CloudStackVolume;
+import org.apache.cloudstack.storage.service.model.ProtocolType;
+import org.apache.cloudstack.storage.utils.OntapStorageConstants;
+import org.apache.cloudstack.storage.utils.OntapStorageUtils;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Objects;
+
+public abstract class StorageStrategy {
+    private final FeignClientFactory feignClientFactory;
+    private final AggregateFeignClient aggregateFeignClient;
+    private final VolumeFeignClient volumeFeignClient;
+    private final SvmFeignClient svmFeignClient;
+    private final JobFeignClient jobFeignClient;
+    private final NetworkFeignClient networkFeignClient;
+    private final SANFeignClient sanFeignClient;
+
+    protected OntapStorage storage;
+
+    private List<Aggregate> aggregates;
+
+    private static final Logger logger = LogManager.getLogger(StorageStrategy.class);
+
+    public StorageStrategy(OntapStorage ontapStorage) {
+        storage = ontapStorage;
+        String baseURL = OntapStorageConstants.HTTPS + storage.getManagementLIF();
+        logger.info("Initializing StorageStrategy with base URL: " + baseURL);
+        this.feignClientFactory = new FeignClientFactory();
+        this.aggregateFeignClient = feignClientFactory.createClient(AggregateFeignClient.class, baseURL);
+        this.volumeFeignClient = feignClientFactory.createClient(VolumeFeignClient.class, baseURL);
+        this.svmFeignClient = feignClientFactory.createClient(SvmFeignClient.class, baseURL);
+        this.jobFeignClient = feignClientFactory.createClient(JobFeignClient.class, baseURL);
+        this.networkFeignClient = feignClientFactory.createClient(NetworkFeignClient.class, baseURL);
+        this.sanFeignClient = feignClientFactory.createClient(SANFeignClient.class, baseURL);
+    }
+
+    public boolean connect() {
+        logger.info("Attempting to connect to ONTAP cluster at " + storage.getManagementLIF() + " and validate SVM " +
+                storage.getSvmName() + ", protocol " + storage.getProtocol());
+        String authHeader = OntapStorageUtils.generateAuthHeader(storage.getUsername(), storage.getPassword());
+        String svmName = storage.getSvmName();
+        try {
+            Svm svm = new Svm();
+            logger.info("Fetching the SVM details...");
+            Map<String, Object> queryParams = Map.of(OntapStorageConstants.NAME, svmName, OntapStorageConstants.FIELDS, OntapStorageConstants.AGGREGATES +
+                    OntapStorageConstants.COMMA + OntapStorageConstants.STATE);
+            OntapResponse<Svm> svms = svmFeignClient.getSvmResponse(queryParams, authHeader);
+            if (svms != null && svms.getRecords() != null && !svms.getRecords().isEmpty()) {
+                svm = svms.getRecords().get(0);
+            } else {
+                logger.error("No SVM found on the ONTAP cluster by the name" + svmName + ".");
+                return false;
+            }
+
+            logger.info("Validating SVM state and protocol settings...");
+            if (!Objects.equals(svm.getState(), OntapStorageConstants.RUNNING)) {
+                logger.error("SVM " + svmName + " is not in running state.");
+                return false;
+            }
+            if (Objects.equals(storage.getProtocol(), OntapStorageConstants.NFS) && !svm.getNfsEnabled()) {
+                logger.error("NFS protocol is not enabled on SVM " + svmName);
+                return false;
+            } else if (Objects.equals(storage.getProtocol(), OntapStorageConstants.ISCSI) && !svm.getIscsiEnabled()) {
+                logger.error("iSCSI protocol is not enabled on SVM " + svmName);
+                return false;
+            }
+            List<Aggregate> aggrs = svm.getAggregates();
+            if (aggrs == null || aggrs.isEmpty()) {
+                logger.error("No aggregates are assigned to SVM " + svmName);
+                return false;
+            }
+            for (Aggregate aggr : aggrs) {
+                logger.debug("Found aggregate: " + aggr.getName() + " with UUID: " + aggr.getUuid());
+                Aggregate aggrResp = aggregateFeignClient.getAggregateByUUID(authHeader, aggr.getUuid());
+                if (aggrResp == null) {
+                    logger.warn("Aggregate details response is null for aggregate " + aggr.getName() + ". Skipping.");
+                    break;
+                }
+                if (!Objects.equals(aggrResp.getState(), Aggregate.StateEnum.ONLINE)) {
+                    logger.warn("Aggregate " + aggr.getName() + " is not in online state. Skipping this aggregate.");
+                    continue;
+                } else if (aggrResp.getSpace() == null || aggrResp.getAvailableBlockStorageSpace() == null ||
+                        aggrResp.getAvailableBlockStorageSpace() <= storage.getSize().doubleValue()) {
+                    logger.warn("Aggregate " + aggr.getName() + " does not have sufficient available space. Skipping this aggregate.");
+                    continue;
+                }
+                logger.info("Selected aggregate: " + aggr.getName() + " for volume operations.");
+                this.aggregates = List.of(aggr);
+                break;
+            }
+            if (this.aggregates == null || this.aggregates.isEmpty()) {
+                logger.error("No suitable aggregates found on SVM " + svmName + " for volume creation.");
+                return false;
+            }
+
+            logger.info("Successfully connected to ONTAP cluster and validated ONTAP details provided");
+        } catch (Exception e) {
+            logger.error("Failed to connect to ONTAP cluster: " + e.getMessage(), e);
+            return false;
+        }
+        return true;
+    }
+
+    public Volume createStorageVolume(String volumeName, Long size) {
+        logger.info("Creating volume: " + volumeName + " of size: " + size + " bytes");
+
+        String svmName = storage.getSvmName();
+        if (aggregates == null || aggregates.isEmpty()) {
+            logger.error("No aggregates available to create volume on SVM " + svmName);
+            throw new CloudRuntimeException("No aggregates available to create volume on SVM " + svmName);
+        }
+        if (size == null || size <= 0) {
+            throw new CloudRuntimeException("Invalid volume size provided: " + size);
+        }
+
+        String authHeader = OntapStorageUtils.generateAuthHeader(storage.getUsername(), storage.getPassword());
+
+        Volume volumeRequest = new Volume();
+        Svm svm = new Svm();
+        svm.setName(svmName);
+        Nas nas = new Nas();
+        nas.setPath(OntapStorageConstants.SLASH + volumeName);
+
+        volumeRequest.setName(volumeName);
+        volumeRequest.setSvm(svm);
+
+        long maxAvailableAggregateSpaceBytes = -1L;
+        Aggregate aggrChosen = null;
+        for (Aggregate aggr : aggregates) {
+            logger.debug("Found aggregate: " + aggr.getName() + " with UUID: " + aggr.getUuid());
+            Aggregate aggrResp = aggregateFeignClient.getAggregateByUUID(authHeader, aggr.getUuid());
+
+            if (aggrResp == null) {
+                logger.warn("Aggregate details response is null for aggregate " + aggr.getName() + ". Skipping.");
+                break;
+            }
+
+            if (!Objects.equals(aggrResp.getState(), Aggregate.StateEnum.ONLINE)) {
+                logger.warn("Aggregate " + aggr.getName() + " is not in online state. Skipping this aggregate.");
+                continue;
+            }
+
+            if (aggrResp.getSpace() == null || aggrResp.getAvailableBlockStorageSpace() == null) {
+                logger.warn("Aggregate " + aggr.getName() + " does not have space information. Skipping this aggregate.");
+                continue;
+            }
+
+            final long availableBytes = aggrResp.getAvailableBlockStorageSpace().longValue();
+            logger.debug("Aggregate " + aggr.getName() + " available bytes=" + availableBytes + ", requested=" + size);
+
+            if (availableBytes <= size) {
+                logger.warn("Aggregate " + aggr.getName() + " does not have sufficient available space. Required=" +
+                        size + " bytes, available=" + availableBytes + " bytes. Skipping this aggregate.");
+                continue;
+            }
+
+            if (availableBytes > maxAvailableAggregateSpaceBytes) {
+                maxAvailableAggregateSpaceBytes = availableBytes;
+                aggrChosen = aggr;
+            }
+        }
+
+        if (aggrChosen == null) {
+            logger.error("No suitable aggregates found on SVM " + svmName + " for volume creation.");
+            throw new CloudRuntimeException("No suitable aggregates found on SVM " + svmName + " for volume operations.");
+        }
+        logger.info("Selected aggregate: " + aggrChosen.getName() + " for volume operations.");
+
+        Aggregate aggr = new Aggregate();
+        aggr.setName(aggrChosen.getName());
+        aggr.setUuid(aggrChosen.getUuid());
+        volumeRequest.setAggregates(List.of(aggr));
+        volumeRequest.setSize(size);
+        volumeRequest.setNas(nas);
+        try {
+            JobResponse jobResponse = volumeFeignClient.createVolumeWithJob(authHeader, volumeRequest);
+            if (jobResponse == null || jobResponse.getJob() == null) {
+                throw new CloudRuntimeException("Failed to initiate volume creation for " + volumeName);
+            }
+            String jobUUID = jobResponse.getJob().getUuid();
+
+            Boolean jobSucceeded = jobPollForSuccess(jobUUID);
+            if (!jobSucceeded) {
+                logger.error("Volume creation job failed for volume: " + volumeName);
+                throw new CloudRuntimeException("Volume creation job failed for volume: " + volumeName);
+            }
+            logger.info("Volume creation job completed successfully for volume: " + volumeName);
+        } catch (Exception e) {
+            logger.error("Exception while creating volume: ", e);
+            throw new CloudRuntimeException("Failed to create volume: " + e.getMessage());
+        }
+        OntapResponse<Volume> volumesResponse = volumeFeignClient.getAllVolumes(authHeader, Map.of(OntapStorageConstants.NAME, volumeName));
+        if (volumesResponse == null || volumesResponse.getRecords() == null || volumesResponse.getRecords().isEmpty()) {
+            logger.error("Volume " + volumeName + " not found after creation.");
+            throw new CloudRuntimeException("Volume " + volumeName + " not found after creation.");
+        }
+        Volume createdVolume = volumesResponse.getRecords().get(0);
+        if (createdVolume == null) {
+            logger.error("Failed to retrieve details of the created volume " + volumeName);
+            throw new CloudRuntimeException("Failed to retrieve details of the created volume " + volumeName);
+        } else if (createdVolume.getName() == null || !createdVolume.getName().equals(volumeName)) {
+            logger.error("Mismatch in created volume name. Expected: " + volumeName + ", Found: " + createdVolume.getName());
+            throw new CloudRuntimeException("Mismatch in created volume name. Expected: " + volumeName + ", Found: " + createdVolume.getName());
+        }
+        logger.info("Volume created successfully: " + volumeName);
+        try {
+            Map<String, Object> queryParams = Map.of(OntapStorageConstants.NAME, volumeName);
+            logger.debug("Fetching volume details for: " + volumeName);
+
+            OntapResponse<Volume> ontapVolume = volumeFeignClient.getVolume(authHeader, queryParams);
+            logger.debug("Feign call completed. Processing response...");
+
+            if (ontapVolume == null) {
+                logger.error("OntapResponse is null for volume: " + volumeName);
+                throw new CloudRuntimeException("Failed to fetch volume " + volumeName + ": Response is null");
+            }
+            logger.debug("OntapResponse is not null. Checking records field...");
+
+            if (ontapVolume.getRecords() == null) {
+                logger.error("OntapResponse.records is null for volume: " + volumeName);
+                throw new CloudRuntimeException("Failed to fetch volume " + volumeName + ": Records list is null");
+            }
+            logger.debug("Records field is not null. Size: " + ontapVolume.getRecords().size());
+
+            if (ontapVolume.getRecords().isEmpty()) {
+                logger.error("OntapResponse.records is empty for volume: " + volumeName);
+                throw new CloudRuntimeException("Failed to fetch volume " + volumeName + ": No records found");
+            }
+
+            Volume volume = ontapVolume.getRecords().get(0);
+            logger.info("Volume retrieved successfully: " + volumeName + ", UUID: " + volume.getUuid());
+            return volume;
+        } catch (Exception e) {
+            logger.error("Exception while retrieving volume details for: " + volumeName, e);
+            throw new CloudRuntimeException("Failed to fetch volume: " + volumeName + ". Error: " + e.getMessage(), e);
+        }
+    }
+
+    public Volume updateStorageVolume(Volume volume) {
+        return null;
+    }
+
+    public void deleteStorageVolume(Volume volume) {
+        logger.info("Deleting ONTAP volume by name: " + volume.getName() + " and uuid: " + volume.getUuid());
+        String authHeader = OntapStorageUtils.generateAuthHeader(storage.getUsername(), storage.getPassword());
+        try {
+            JobResponse jobResponse = volumeFeignClient.deleteVolume(authHeader, volume.getUuid());
+            Boolean jobSucceeded = jobPollForSuccess(jobResponse.getJob().getUuid());
+            if (!jobSucceeded) {
+                logger.error("Volume deletion job failed for volume: " + volume.getName());
+                throw new CloudRuntimeException("Volume deletion job failed for volume: " + volume.getName());
+            }
+            logger.info("Volume deleted successfully: " + volume.getName());
+        } catch (FeignException.FeignClientException e) {
+            logger.error("Exception while deleting volume: ", e);
+            throw new CloudRuntimeException("Failed to delete volume: " + e.getMessage());
+        }
+        logger.info("ONTAP volume deletion process completed for volume: " + volume.getName());
+    }
+
+    public Volume getStorageVolume(Volume volume) {
+        return null;
+    }
+
+    public String getStoragePath() {
+        String authHeader = OntapStorageUtils.generateAuthHeader(storage.getUsername(), storage.getPassword());
+        String targetIqn = null;
+        try {
+            if (storage.getProtocol() == ProtocolType.ISCSI) {
+                logger.info("Fetching iSCSI target IQN for SVM: {}", storage.getSvmName());
+
+                Map<String, Object> queryParams = new HashMap<>();
+                queryParams.put(OntapStorageConstants.SVM_DOT_NAME, storage.getSvmName());
+                queryParams.put("fields", "enabled,target");
+                queryParams.put("max_records", "1");
+
+                OntapResponse<IscsiService> response = sanFeignClient.getIscsiServices(authHeader, queryParams);
+
+                if (response == null || response.getRecords() == null || response.getRecords().isEmpty()) {
+                    throw new CloudRuntimeException("No iSCSI service found for SVM: " + storage.getSvmName());
+                }
+
+                IscsiService iscsiService = response.getRecords().get(0);
+
+                if (iscsiService.getTarget() == null || iscsiService.getTarget().getName() == null) {
+                    throw new CloudRuntimeException("iSCSI target IQN not found for SVM: " + storage.getSvmName());
+                }
+
+                targetIqn = iscsiService.getTarget().getName();
+                logger.info("Retrieved iSCSI target IQN: {}", targetIqn);
+                return targetIqn;
+
+            } else if (storage.getProtocol() == ProtocolType.NFS3) {
+            } else {
+                throw new CloudRuntimeException("Unsupported protocol for path retrieval: " + storage.getProtocol());
+            }
+
+        } catch (FeignException.FeignClientException e) {
+            logger.error("Exception while retrieving storage path for protocol {}: {}", storage.getProtocol(), e.getMessage(), e);
+            throw new CloudRuntimeException("Failed to retrieve storage path: " + e.getMessage());
+        }
+        return targetIqn;
+    }
+
+    public String getNetworkInterface() {
+        String authHeader = OntapStorageUtils.generateAuthHeader(storage.getUsername(), storage.getPassword());
+        try {
+            Map<String, Object> queryParams = new HashMap<>();
+            queryParams.put(OntapStorageConstants.SVM_DOT_NAME, storage.getSvmName());
+            if (storage.getProtocol() != null) {
+                switch (storage.getProtocol()) {
+                    case NFS3:
+                        queryParams.put(OntapStorageConstants.SERVICES, OntapStorageConstants.DATA_NFS);
+                        break;
+                    case ISCSI:
+                        queryParams.put(OntapStorageConstants.SERVICES, OntapStorageConstants.DATA_ISCSI);
+                        break;
+                    default:
+                        logger.error("Unsupported protocol: " + storage.getProtocol());
+                        throw new CloudRuntimeException("Unsupported protocol: " + storage.getProtocol());
+                }
+            }
+            queryParams.put(OntapStorageConstants.FIELDS, OntapStorageConstants.IP_ADDRESS);
+            queryParams.put(OntapStorageConstants.RETURN_RECORDS, OntapStorageConstants.TRUE);
+            OntapResponse<IpInterface> response =
+                    networkFeignClient.getNetworkIpInterfaces(authHeader, queryParams);
+            if (response != null && response.getRecords() != null && !response.getRecords().isEmpty()) {
+                IpInterface ipInterface = null;
+                if (storage.getProtocol() == ProtocolType.ISCSI) {
+                    ipInterface = response.getRecords().get(0);
+                } else if (storage.getProtocol() == ProtocolType.NFS3) {
+                    for (IpInterface iface : response.getRecords()) {
+                        if (iface.getIp().getAddress().contains(".")) {
+                            ipInterface = iface;
+                            break;
+                        }
+                    }
+                }
+
+                logger.info("Retrieved network interface: " + ipInterface.getIp().getAddress());
+                return ipInterface.getIp().getAddress();
+            } else {
+                throw new CloudRuntimeException("No network interfaces found for SVM " + storage.getSvmName() +
+                        " for protocol " + storage.getProtocol());
+            }
+        } catch (FeignException.FeignClientException e) {
+            logger.error("Exception while retrieving network interfaces: ", e);
+            throw new CloudRuntimeException("Failed to retrieve network interfaces: " + e.getMessage());
+        }
+    }
+
+    abstract public CloudStackVolume createCloudStackVolume(CloudStackVolume cloudstackVolume);
+
+    abstract CloudStackVolume updateCloudStackVolume(CloudStackVolume cloudstackVolume);
+
+    abstract public void deleteCloudStackVolume(CloudStackVolume cloudstackVolume);
+
+    abstract public void copyCloudStackVolume(CloudStackVolume cloudstackVolume);
+
+    abstract public CloudStackVolume getCloudStackVolume(Map<String, String> cloudStackVolumeMap);
+
+    abstract public AccessGroup createAccessGroup(AccessGroup accessGroup);
+
+    abstract public void deleteAccessGroup(AccessGroup accessGroup);
+
+    abstract AccessGroup updateAccessGroup(AccessGroup accessGroup);
+
+    abstract public AccessGroup getAccessGroup(Map<String, String> values);
+
+    abstract public Map<String,String> enableLogicalAccess(Map<String,String> values);
+
+    abstract public void disableLogicalAccess(Map<String, String> values);
+
+    abstract public Map<String, String> getLogicalAccess(Map<String, String> values);
+
+    private Boolean jobPollForSuccess(String jobUUID) {
+        int jobRetryCount = 0;
+        Job jobResp = null;
+        try {
+            String authHeader = OntapStorageUtils.generateAuthHeader(storage.getUsername(), storage.getPassword());
+            while (jobResp == null || !jobResp.getState().equals(OntapStorageConstants.JOB_SUCCESS)) {
+                if (jobRetryCount >= OntapStorageConstants.JOB_MAX_RETRIES) {
+                    logger.error("Job did not complete within expected time.");
+                    throw new CloudRuntimeException("Job did not complete within expected time.");
+                }
+
+                try {
+                    jobResp = jobFeignClient.getJobByUUID(authHeader, jobUUID);
+                    if (jobResp == null) {
+                        logger.warn("Job with UUID " + jobUUID + " not found. Retrying...");
+                    } else if (jobResp.getState().equals(OntapStorageConstants.JOB_FAILURE)) {
+                        throw new CloudRuntimeException("Job failed with error: " + jobResp.getMessage());
+                    }
+                } catch (FeignException.FeignClientException e) {
+                    throw new CloudRuntimeException("Failed to fetch job status: " + e.getMessage());
+                }
+
+                jobRetryCount++;
+                Thread.sleep(OntapStorageConstants.CREATE_VOLUME_CHECK_SLEEP_TIME);
+            }
+            if (jobResp == null || !jobResp.getState().equals(OntapStorageConstants.JOB_SUCCESS)) {
+                return false;
+            }
+        } catch (FeignException.FeignClientException e) {
+            throw new CloudRuntimeException("Failed to fetch job status: " + e.getMessage());
+        } catch (InterruptedException e) {
+            throw new RuntimeException(e);
+        }
+        return true;
+    }
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/service/UnifiedNASStrategy.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/service/UnifiedNASStrategy.java
new file mode 100644
index 000000000000..54dee01ac2b6
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/service/UnifiedNASStrategy.java
@@ -0,0 +1,303 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cloudstack.storage.service;
+
+import com.cloud.host.HostVO;
+import com.cloud.storage.dao.VolumeDao;
+import com.cloud.utils.exception.CloudRuntimeException;
+import feign.FeignException;
+import org.apache.cloudstack.engine.subsystem.api.storage.EndPointSelector;
+import org.apache.cloudstack.engine.subsystem.api.storage.PrimaryDataStoreInfo;
+import org.apache.cloudstack.storage.datastore.db.StoragePoolDetailsDao;
+import org.apache.cloudstack.storage.feign.FeignClientFactory;
+import org.apache.cloudstack.storage.feign.client.JobFeignClient;
+import org.apache.cloudstack.storage.feign.client.NASFeignClient;
+import org.apache.cloudstack.storage.feign.client.VolumeFeignClient;
+import org.apache.cloudstack.storage.feign.model.ExportPolicy;
+import org.apache.cloudstack.storage.feign.model.ExportRule;
+import org.apache.cloudstack.storage.feign.model.Job;
+import org.apache.cloudstack.storage.feign.model.Nas;
+import org.apache.cloudstack.storage.feign.model.OntapStorage;
+import org.apache.cloudstack.storage.feign.model.Svm;
+import org.apache.cloudstack.storage.feign.model.Volume;
+import org.apache.cloudstack.storage.feign.model.response.JobResponse;
+import org.apache.cloudstack.storage.feign.model.response.OntapResponse;
+import org.apache.cloudstack.storage.service.model.AccessGroup;
+import org.apache.cloudstack.storage.service.model.CloudStackVolume;
+import org.apache.cloudstack.storage.utils.OntapStorageConstants;
+import org.apache.cloudstack.storage.utils.OntapStorageUtils;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+
+import javax.inject.Inject;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+
+public class UnifiedNASStrategy extends NASStrategy {
+
+    private static final Logger logger = LogManager.getLogger(UnifiedNASStrategy.class);
+    private final FeignClientFactory feignClientFactory;
+    private final NASFeignClient nasFeignClient;
+    private final VolumeFeignClient volumeFeignClient;
+    private final JobFeignClient jobFeignClient;
+    @Inject private VolumeDao volumeDao;
+    @Inject private EndPointSelector epSelector;
+    @Inject private StoragePoolDetailsDao storagePoolDetailsDao;
+
+    public UnifiedNASStrategy(OntapStorage ontapStorage) {
+        super(ontapStorage);
+        String baseURL = OntapStorageConstants.HTTPS + ontapStorage.getManagementLIF();
+        this.feignClientFactory = new FeignClientFactory();
+        this.nasFeignClient = feignClientFactory.createClient(NASFeignClient.class, baseURL);
+        this.volumeFeignClient = feignClientFactory.createClient(VolumeFeignClient.class,baseURL );
+        this.jobFeignClient = feignClientFactory.createClient(JobFeignClient.class, baseURL );
+    }
+
+    public void setOntapStorage(OntapStorage ontapStorage) {
+        this.storage = ontapStorage;
+    }
+
+    @Override
+    public CloudStackVolume createCloudStackVolume(CloudStackVolume cloudstackVolume) {
+        return null;
+    }
+
+    @Override
+    CloudStackVolume updateCloudStackVolume(CloudStackVolume cloudstackVolume) {
+        return null;
+    }
+
+    @Override
+    public void deleteCloudStackVolume(CloudStackVolume cloudstackVolume) {
+    }
+
+    @Override
+    public void copyCloudStackVolume(CloudStackVolume cloudstackVolume) {
+
+    }
+
+    @Override
+    public CloudStackVolume getCloudStackVolume(Map<String, String> cloudStackVolumeMap) {
+        return null;
+    }
+
+    @Override
+    public AccessGroup createAccessGroup(AccessGroup accessGroup) {
+        logger.info("createAccessGroup: Create access group {}: " , accessGroup);
+        Map<String, String> details = accessGroup.getPrimaryDataStoreInfo().getDetails();
+        String svmName = details.get(OntapStorageConstants.SVM_NAME);
+        String volumeUUID = details.get(OntapStorageConstants.VOLUME_UUID);
+        String volumeName = details.get(OntapStorageConstants.VOLUME_NAME);
+
+        ExportPolicy policyRequest = createExportPolicyRequest(accessGroup,svmName,volumeName);
+        try {
+            ExportPolicy createdPolicy = createExportPolicy(svmName, policyRequest);
+            logger.info("ExportPolicy created: {}, now attaching this policy to storage pool volume", createdPolicy.getName());
+            assignExportPolicyToVolume(volumeUUID,createdPolicy.getName());
+            storagePoolDetailsDao.addDetail(accessGroup.getPrimaryDataStoreInfo().getId(), OntapStorageConstants.EXPORT_POLICY_ID, String.valueOf(createdPolicy.getId()), true);
+            storagePoolDetailsDao.addDetail(accessGroup.getPrimaryDataStoreInfo().getId(), OntapStorageConstants.EXPORT_POLICY_NAME, createdPolicy.getName(), true);
+            logger.info("Successfully assigned exportPolicy {} to volume {}", policyRequest.getName(), volumeName);
+            accessGroup.setPolicy(policyRequest);
+            return accessGroup;
+        }catch(Exception e){
+            logger.error("Exception occurred while creating access group: " +  e);
+            throw new CloudRuntimeException("Failed to create access group: " + e);
+        }
+    }
+
+    @Override
+    public void deleteAccessGroup(AccessGroup accessGroup) {
+        logger.info("deleteAccessGroup: Deleting export policy");
+
+        if (accessGroup == null) {
+            throw new CloudRuntimeException("deleteAccessGroup: Invalid accessGroup object - accessGroup is null");
+        }
+
+        PrimaryDataStoreInfo primaryDataStoreInfo = accessGroup.getPrimaryDataStoreInfo();
+        if (primaryDataStoreInfo == null) {
+            throw new CloudRuntimeException("deleteAccessGroup: PrimaryDataStoreInfo is null in accessGroup");
+        }
+        logger.info("deleteAccessGroup: Deleting export policy for the storage pool {}", primaryDataStoreInfo.getName());
+        try {
+            String authHeader = OntapStorageUtils.generateAuthHeader(storage.getUsername(), storage.getPassword());
+            String svmName = storage.getSvmName();
+            String exportPolicyName = primaryDataStoreInfo.getDetails().get(OntapStorageConstants.EXPORT_POLICY_NAME);
+            String exportPolicyId = primaryDataStoreInfo.getDetails().get(OntapStorageConstants.EXPORT_POLICY_ID);
+            if (exportPolicyId == null || exportPolicyId.isEmpty()) {
+                logger.warn("deleteAccessGroup: Export policy ID not found in storage pool details for storage pool {}. Cannot delete export policy.", primaryDataStoreInfo.getName());
+                throw new CloudRuntimeException("Export policy ID not found for storage pool: " + primaryDataStoreInfo.getName());
+            }
+
+            try {
+                nasFeignClient.deleteExportPolicyById(authHeader,exportPolicyId);
+                logger.info("deleteAccessGroup: Successfully deleted export policy '{}'", exportPolicyName);
+            } catch (Exception e) {
+                logger.error("deleteAccessGroup: Failed to delete export policy. Exception: {}", e.getMessage(), e);
+                throw new CloudRuntimeException("Failed to delete export policy: " + e.getMessage(), e);
+            }
+        } catch (Exception e) {
+            logger.error("deleteAccessGroup: Failed to delete export policy. Exception: {}", e.getMessage(), e);
+            throw new CloudRuntimeException("Failed to delete export policy: " + e.getMessage(), e);
+        }
+    }
+
+    @Override
+    public AccessGroup updateAccessGroup(AccessGroup accessGroup) {
+        return null;
+    }
+
+    @Override
+    public AccessGroup getAccessGroup(Map<String, String> values) {
+        return null;
+    }
+
+    @Override
+    public Map <String, String> enableLogicalAccess(Map<String, String> values) {
+        return null;
+    }
+
+    @Override
+    public void disableLogicalAccess(Map<String, String> values) {
+    }
+
+    @Override
+    public Map<String, String> getLogicalAccess(Map<String, String> values) {
+        return null;
+    }
+
+    private ExportPolicy createExportPolicy(String svmName, ExportPolicy policy) {
+        logger.info("Creating export policy: {} for SVM: {}", policy, svmName);
+
+        try {
+            String authHeader = OntapStorageUtils.generateAuthHeader(storage.getUsername(), storage.getPassword());
+            nasFeignClient.createExportPolicy(authHeader,  policy);
+            OntapResponse<ExportPolicy> policiesResponse = null;
+            try {
+                Map<String, Object> queryParams = Map.of(OntapStorageConstants.NAME, policy.getName());
+                policiesResponse = nasFeignClient.getExportPolicyResponse(authHeader, queryParams);
+                if (policiesResponse == null || policiesResponse.getRecords().isEmpty()) {
+                    throw new CloudRuntimeException("Export policy " + policy.getName() + " was not created on ONTAP. " +
+                            "Received successful response but policy does not exist.");
+                }
+                logger.info("Export policy created and verified successfully: " + policy.getName());
+            } catch (FeignException e) {
+                logger.error("Failed to verify export policy creation: " + policy.getName(), e);
+                throw new CloudRuntimeException("Export policy creation verification failed: " + e.getMessage());
+            }
+            logger.info("Export policy created successfully with name {}", policy.getName());
+            return policiesResponse.getRecords().get(0);
+        } catch (FeignException e) {
+            logger.error("Failed to create export policy: {}", policy, e);
+            throw new CloudRuntimeException("Failed to create export policy: " + e.getMessage());
+        } catch (Exception e) {
+            logger.error("Exception while creating export policy: {}", policy, e);
+            throw new CloudRuntimeException("Failed to create export policy: " + e.getMessage());
+        }
+    }
+
+    private void assignExportPolicyToVolume(String volumeUuid, String policyName) {
+        logger.info("Assigning export policy: {} to volume: {}", policyName, volumeUuid);
+
+        try {
+            String authHeader = OntapStorageUtils.generateAuthHeader(storage.getUsername(), storage.getPassword());
+            Volume volumeUpdate = new Volume();
+            Nas nas = new Nas();
+            ExportPolicy policy = new ExportPolicy();
+            policy.setName(policyName);
+            nas.setExportPolicy(policy);
+            volumeUpdate.setNas(nas);
+
+            try {
+                JobResponse jobResponse = volumeFeignClient.updateVolumeRebalancing(authHeader, volumeUuid, volumeUpdate);
+                if (jobResponse == null || jobResponse.getJob() == null) {
+                    throw new CloudRuntimeException("Failed to attach policy " + policyName + "to volume " + volumeUuid);
+                }
+                String jobUUID = jobResponse.getJob().getUuid();
+                int jobRetryCount = 0;
+                Job createVolumeJob = null;
+                while(createVolumeJob == null || !createVolumeJob.getState().equals(OntapStorageConstants.JOB_SUCCESS)) {
+                    if(jobRetryCount >= OntapStorageConstants.JOB_MAX_RETRIES) {
+                        logger.error("Job to update volume " + volumeUuid + " did not complete within expected time.");
+                        throw new CloudRuntimeException("Job to update volume " + volumeUuid + " did not complete within expected time.");
+                    }
+                    try {
+                        createVolumeJob = jobFeignClient.getJobByUUID(authHeader, jobUUID);
+                        if (createVolumeJob == null) {
+                            logger.warn("Job with UUID " + jobUUID + " not found. Retrying...");
+                        } else if (createVolumeJob.getState().equals(OntapStorageConstants.JOB_FAILURE)) {
+                            throw new CloudRuntimeException("Job to update volume " + volumeUuid + " failed with error: " + createVolumeJob.getMessage());
+                        }
+                    } catch (FeignException.FeignClientException e) {
+                        throw new CloudRuntimeException("Failed to fetch job status: " + e.getMessage());
+                    }
+                    jobRetryCount++;
+                    Thread.sleep(OntapStorageConstants.CREATE_VOLUME_CHECK_SLEEP_TIME);
+                }
+            } catch (Exception e) {
+                logger.error("Exception while updating volume: ", e);
+                throw new CloudRuntimeException("Failed to update volume: " + e.getMessage());
+            }
+            logger.info("Export policy successfully assigned to volume: {}", volumeUuid);
+        } catch (FeignException e) {
+            logger.error("Failed to assign export policy to volume: {}", volumeUuid, e);
+            throw new CloudRuntimeException("Failed to assign export policy: " + e.getMessage());
+        } catch (Exception e) {
+            logger.error("Exception while assigning export policy to volume: {}", volumeUuid, e);
+            throw new CloudRuntimeException("Failed to assign export policy: " + e.getMessage());
+        }
+    }
+
+    private ExportPolicy createExportPolicyRequest(AccessGroup accessGroup,String svmName , String volumeName){
+
+        String exportPolicyName = OntapStorageUtils.generateExportPolicyName(svmName,volumeName);
+        ExportPolicy exportPolicy = new ExportPolicy();
+
+        List<ExportRule> rules = new ArrayList<>();
+        ExportRule exportRule = new ExportRule();
+
+        List<ExportRule.ExportClient> exportClients = new ArrayList<>();
+        List<HostVO> hosts = accessGroup.getHostsToConnect();
+        for (HostVO host : hosts) {
+            String hostStorageIp = host.getStorageIpAddress();
+            String ip = (hostStorageIp != null && !hostStorageIp.isEmpty())
+                    ? hostStorageIp
+                    : host.getPrivateIpAddress();
+            String ipToUse = ip + "/31";
+            ExportRule.ExportClient exportClient = new ExportRule.ExportClient();
+            exportClient.setMatch(ipToUse);
+            exportClients.add(exportClient);
+        }
+        exportRule.setClients(exportClients);
+        exportRule.setProtocols(List.of(ExportRule.ProtocolsEnum.ANY));
+        exportRule.setRoRule(List.of("sys"));
+        exportRule.setRwRule(List.of("sys"));
+        exportRule.setSuperuser(List.of("sys"));
+        rules.add(exportRule);
+
+        Svm svm = new Svm();
+        svm.setName(svmName);
+        exportPolicy.setSvm(svm);
+        exportPolicy.setRules(rules);
+        exportPolicy.setName(exportPolicyName);
+
+        return exportPolicy;
+    }
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/service/UnifiedSANStrategy.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/service/UnifiedSANStrategy.java
new file mode 100644
index 000000000000..9814f3b9a93c
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/service/UnifiedSANStrategy.java
@@ -0,0 +1,309 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cloudstack.storage.service;
+
+import com.cloud.host.HostVO;
+import com.cloud.hypervisor.Hypervisor;
+import com.cloud.utils.exception.CloudRuntimeException;
+import org.apache.cloudstack.engine.subsystem.api.storage.PrimaryDataStoreInfo;
+import org.apache.cloudstack.storage.feign.FeignClientFactory;
+import org.apache.cloudstack.storage.feign.client.SANFeignClient;
+import org.apache.cloudstack.storage.feign.model.Igroup;
+import org.apache.cloudstack.storage.feign.model.Initiator;
+import org.apache.cloudstack.storage.feign.model.Svm;
+import org.apache.cloudstack.storage.feign.model.OntapStorage;
+import org.apache.cloudstack.storage.feign.model.response.OntapResponse;
+import org.apache.cloudstack.storage.service.model.AccessGroup;
+import org.apache.cloudstack.storage.service.model.CloudStackVolume;
+import org.apache.cloudstack.storage.service.model.ProtocolType;
+import org.apache.cloudstack.storage.utils.OntapStorageConstants;
+import org.apache.cloudstack.storage.utils.OntapStorageUtils;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+
+public class UnifiedSANStrategy extends SANStrategy {
+
+    private static final Logger logger = LogManager.getLogger(UnifiedSANStrategy.class);
+    private final FeignClientFactory feignClientFactory;
+    private final SANFeignClient sanFeignClient;
+
+    public UnifiedSANStrategy(OntapStorage ontapStorage) {
+        super(ontapStorage);
+        String baseURL = OntapStorageConstants.HTTPS + ontapStorage.getManagementLIF();
+        this.feignClientFactory = new FeignClientFactory();
+        this.sanFeignClient = feignClientFactory.createClient(SANFeignClient.class, baseURL);
+    }
+
+    public void setOntapStorage(OntapStorage ontapStorage) {
+        this.storage = ontapStorage;
+    }
+
+    @Override
+    public CloudStackVolume createCloudStackVolume(CloudStackVolume cloudstackVolume) {
+        return null;
+    }
+
+    @Override
+    CloudStackVolume updateCloudStackVolume(CloudStackVolume cloudstackVolume) {
+        return null;
+    }
+
+    @Override
+    public void deleteCloudStackVolume(CloudStackVolume cloudstackVolume) {}
+
+    @Override
+    public void copyCloudStackVolume(CloudStackVolume cloudstackVolume) {}
+
+    @Override
+    public CloudStackVolume getCloudStackVolume(Map<String, String> values) {
+        return null;
+    }
+
+    @Override
+    public AccessGroup createAccessGroup(AccessGroup accessGroup) {
+        logger.info("createAccessGroup : Create Igroup");
+        String igroupName = "unknown";
+        logger.debug("createAccessGroup : Creating Igroup with access group request {} ", accessGroup);
+        if (accessGroup == null) {
+            logger.error("createAccessGroup: Igroup creation failed. Invalid request: {}", accessGroup);
+            throw new CloudRuntimeException("createAccessGroup : Failed to create Igroup, invalid request");
+        }
+        try {
+            if (accessGroup.getPrimaryDataStoreInfo() == null || accessGroup.getPrimaryDataStoreInfo().getDetails() == null
+                    || accessGroup.getPrimaryDataStoreInfo().getDetails().isEmpty()) {
+                throw new CloudRuntimeException("createAccessGroup : Failed to create Igroup, invalid datastore details in the request");
+            }
+            Map<String, String> dataStoreDetails = accessGroup.getPrimaryDataStoreInfo().getDetails();
+            logger.debug("createAccessGroup: Successfully fetched datastore details.");
+
+            String authHeader = OntapStorageUtils.generateAuthHeader(storage.getUsername(), storage.getPassword());
+
+            Igroup igroupRequest = new Igroup();
+            List<String> hostsIdentifier = new ArrayList<>();
+            String svmName = dataStoreDetails.get(OntapStorageConstants.SVM_NAME);
+            igroupName = OntapStorageUtils.getIgroupName(svmName, accessGroup.getScope().getScopeType(), accessGroup.getScope().getScopeId());
+            Hypervisor.HypervisorType hypervisorType = accessGroup.getPrimaryDataStoreInfo().getHypervisor();
+
+            ProtocolType protocol = ProtocolType.valueOf(dataStoreDetails.get(OntapStorageConstants.PROTOCOL));
+            if (accessGroup.getHostsToConnect() == null || accessGroup.getHostsToConnect().isEmpty()) {
+                throw new CloudRuntimeException("createAccessGroup : Failed to create Igroup, no hosts to connect provided in the request");
+            }
+            if (!validateProtocolSupportAndFetchHostsIdentifier(accessGroup.getHostsToConnect(), protocol, hostsIdentifier)) {
+                String errMsg = "createAccessGroup: Not all hosts in the " +  accessGroup.getScope().getScopeType().toString()  + " support the protocol: " + protocol.name();
+                throw new CloudRuntimeException(errMsg);
+            }
+
+            if (svmName != null && !svmName.isEmpty()) {
+                Svm svm = new Svm();
+                svm.setName(svmName);
+                igroupRequest.setSvm(svm);
+            }
+
+            if (igroupName != null && !igroupName.isEmpty()) {
+                igroupRequest.setName(igroupName);
+            }
+
+            igroupRequest.setOsType(Igroup.OsTypeEnum.Linux);
+
+            if (hostsIdentifier != null && hostsIdentifier.size() > 0) {
+                List<Initiator> initiators = new ArrayList<>();
+                for (String hostIdentifier : hostsIdentifier) {
+                    Initiator initiator = new Initiator();
+                    initiator.setName(hostIdentifier);
+                    initiators.add(initiator);
+                }
+                igroupRequest.setInitiators(initiators);
+            }
+            igroupRequest.setProtocol(Igroup.ProtocolEnum.valueOf("iscsi"));
+            logger.debug("createAccessGroup: About to call sanFeignClient.createIgroup with igroupName: {}", igroupName);
+            AccessGroup createdAccessGroup = new AccessGroup();
+            OntapResponse<Igroup> createdIgroup = null;
+            try {
+                createdIgroup = sanFeignClient.createIgroup(authHeader, true, igroupRequest);
+            } catch (Exception feignEx) {
+                String errMsg = feignEx.getMessage();
+                if (errMsg != null && errMsg.contains(("5374023"))) {
+                    logger.warn("createAccessGroup: Igroup with name {} already exists. Fetching existing Igroup.", igroupName);
+                    return createdAccessGroup;
+                }
+                logger.error("createAccessGroup: Exception during Feign call: {}", feignEx.getMessage(), feignEx);
+                throw feignEx;
+            }
+
+            logger.debug("createAccessGroup: createdIgroup: {}", createdIgroup);
+            logger.debug("createAccessGroup: createdIgroup Records: {}", createdIgroup.getRecords());
+            if (createdIgroup == null || createdIgroup.getRecords() == null || createdIgroup.getRecords().isEmpty()) {
+                logger.error("createAccessGroup: Igroup creation failed for Igroup Name {}", igroupName);
+                throw new CloudRuntimeException("Failed to create Igroup: " + igroupName);
+            }
+            Igroup igroup = createdIgroup.getRecords().get(0);
+            logger.debug("createAccessGroup: Successfully extracted igroup from response: {}", igroup);
+            logger.info("createAccessGroup: Igroup created successfully. IgroupName: {}", igroup.getName());
+
+            createdAccessGroup.setIgroup(igroup);
+            logger.debug("createAccessGroup: Returning createdAccessGroup");
+            return createdAccessGroup;
+        } catch (Exception e) {
+            logger.error("Exception occurred while creating Igroup: {}, Exception: {}", igroupName, e.getMessage(), e);
+            throw new CloudRuntimeException("Failed to create Igroup: " + e.getMessage(), e);
+        }
+    }
+
+    @Override
+    public void deleteAccessGroup(AccessGroup accessGroup) {
+        logger.info("deleteAccessGroup: Deleting iGroup");
+
+        if (accessGroup == null) {
+            throw new CloudRuntimeException("deleteAccessGroup: Invalid accessGroup object - accessGroup is null");
+        }
+
+        PrimaryDataStoreInfo primaryDataStoreInfo = accessGroup.getPrimaryDataStoreInfo();
+        if (primaryDataStoreInfo == null) {
+            throw new CloudRuntimeException("deleteAccessGroup: PrimaryDataStoreInfo is null in accessGroup");
+        }
+
+        try {
+            String authHeader = OntapStorageUtils.generateAuthHeader(storage.getUsername(), storage.getPassword());
+
+            String svmName = storage.getSvmName();
+
+            String igroupName;
+            if (primaryDataStoreInfo.getClusterId() != null) {
+                igroupName = OntapStorageUtils.getIgroupName(svmName, com.cloud.storage.ScopeType.CLUSTER, primaryDataStoreInfo.getClusterId());
+                logger.info("deleteAccessGroup: Deleting cluster-scoped iGroup '{}'", igroupName);
+            } else {
+                igroupName = OntapStorageUtils.getIgroupName(svmName, com.cloud.storage.ScopeType.ZONE, primaryDataStoreInfo.getDataCenterId());
+                logger.info("deleteAccessGroup: Deleting zone-scoped iGroup '{}'", igroupName);
+            }
+
+            Map<String, Object> igroupParams = Map.of(
+                    OntapStorageConstants.SVM_DOT_NAME, svmName,
+                    OntapStorageConstants.NAME, igroupName
+            );
+
+            try {
+                OntapResponse<Igroup> igroupResponse = sanFeignClient.getIgroupResponse(authHeader, igroupParams);
+                if (igroupResponse == null || igroupResponse.getRecords() == null || igroupResponse.getRecords().isEmpty()) {
+                    logger.warn("deleteAccessGroup: iGroup '{}' not found, may have been already deleted", igroupName);
+                    return;
+                }
+
+                Igroup igroup = igroupResponse.getRecords().get(0);
+                String igroupUuid = igroup.getUuid();
+
+                if (igroupUuid == null || igroupUuid.isEmpty()) {
+                    throw new CloudRuntimeException("deleteAccessGroup: iGroup UUID is null or empty for iGroup: " + igroupName);
+                }
+
+                logger.info("deleteAccessGroup: Deleting iGroup '{}' with UUID '{}'", igroupName, igroupUuid);
+
+                sanFeignClient.deleteIgroup(authHeader, igroupUuid);
+
+                logger.info("deleteAccessGroup: Successfully deleted iGroup '{}'", igroupName);
+
+            } catch (Exception e) {
+                String errorMsg = e.getMessage();
+                if (errorMsg != null && (errorMsg.contains("5374852") || errorMsg.contains("not found"))) {
+                    logger.warn("deleteAccessGroup: iGroup '{}' does not exist, skipping deletion", igroupName);
+                } else {
+                    throw e;
+                }
+            }
+
+        } catch (Exception e) {
+            logger.error("deleteAccessGroup: Failed to delete iGroup. Exception: {}", e.getMessage(), e);
+            throw new CloudRuntimeException("Failed to delete iGroup: " + e.getMessage(), e);
+        }
+    }
+
+    private boolean validateProtocolSupportAndFetchHostsIdentifier(List<HostVO> hosts, ProtocolType protocolType, List<String> hostIdentifiers) {
+        switch (protocolType) {
+            case ISCSI:
+                String protocolPrefix = OntapStorageConstants.IQN;
+                for (HostVO host : hosts) {
+                    if (host == null || host.getStorageUrl() == null || host.getStorageUrl().trim().isEmpty()
+                            || !host.getStorageUrl().startsWith(protocolPrefix)) {
+                        return false;
+                    }
+                    hostIdentifiers.add(host.getStorageUrl());
+                }
+                break;
+            default:
+                throw new CloudRuntimeException("validateProtocolSupportAndFetchHostsIdentifier : Unsupported protocol: " + protocolType.name());
+        }
+        logger.info("validateProtocolSupportAndFetchHostsIdentifier: All hosts support the protocol: " + protocolType.name());
+        return true;
+    }
+
+    @Override
+    public AccessGroup updateAccessGroup(AccessGroup accessGroup) {
+        return null;
+    }
+
+    public AccessGroup getAccessGroup(Map<String, String> values) {
+        logger.info("getAccessGroup : fetch Igroup");
+        logger.debug("getAccessGroup : fetching Igroup with params {} ", values);
+        if (values == null || values.isEmpty()) {
+            logger.error("getAccessGroup: get Igroup failed. Invalid request: {}", values);
+            throw new CloudRuntimeException("getAccessGroup : get Igroup Failed, invalid request");
+        }
+        String svmName = values.get(OntapStorageConstants.SVM_DOT_NAME);
+        String igroupName = values.get(OntapStorageConstants.NAME);
+        if (svmName == null || igroupName == null || svmName.isEmpty() || igroupName.isEmpty()) {
+            logger.error("getAccessGroup: get Igroup failed. Invalid svm:{} or igroup name: {}", svmName, igroupName);
+            throw new CloudRuntimeException("getAccessGroup : Failed to get Igroup, invalid request");
+        }
+        try {
+            String authHeader = OntapStorageUtils.generateAuthHeader(storage.getUsername(), storage.getPassword());
+            Map<String, Object> queryParams = Map.of(OntapStorageConstants.SVM_DOT_NAME, svmName, OntapStorageConstants.NAME, igroupName, OntapStorageConstants.FIELDS, OntapStorageConstants.INITIATORS);
+            OntapResponse<Igroup> igroupResponse = sanFeignClient.getIgroupResponse(authHeader, queryParams);
+            if (igroupResponse == null || igroupResponse.getRecords() == null || igroupResponse.getRecords().isEmpty()) {
+                logger.warn("getAccessGroup: Igroup '{}' not found on SVM '{}'. Returning null.", igroupName, svmName);
+                return null;
+            }
+            Igroup igroup = igroupResponse.getRecords().get(0);
+            AccessGroup accessGroup = new AccessGroup();
+            accessGroup.setIgroup(igroup);
+            return accessGroup;
+        } catch (Exception e) {
+            String errMsg = e.getMessage();
+            if (errMsg != null && errMsg.contains("not found")) {
+                logger.warn("getAccessGroup: Igroup '{}' not found on SVM '{}' ({}). Returning null.", igroupName, svmName, errMsg);
+                return null;
+            }
+            logger.error("Exception occurred while fetching Igroup, Exception: {}", errMsg);
+            throw new CloudRuntimeException("Failed to fetch Igroup details: " + errMsg);
+        }
+    }
+
+    public Map<String, String> enableLogicalAccess(Map<String, String> values) {
+        return null;
+    }
+
+    public void disableLogicalAccess(Map<String, String> values) {}
+
+    public Map<String, String> getLogicalAccess(Map<String, String> values) {
+        return null;
+    }
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/service/model/AccessGroup.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/service/model/AccessGroup.java
new file mode 100755
index 000000000000..9ff80e7cf8a9
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/service/model/AccessGroup.java
@@ -0,0 +1,73 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cloudstack.storage.service.model;
+
+import com.cloud.host.HostVO;
+import org.apache.cloudstack.engine.subsystem.api.storage.PrimaryDataStoreInfo;
+import org.apache.cloudstack.engine.subsystem.api.storage.Scope;
+import org.apache.cloudstack.storage.feign.model.ExportPolicy;
+import org.apache.cloudstack.storage.feign.model.Igroup;
+
+import java.util.List;
+
+public class AccessGroup {
+
+    private Igroup igroup;
+    private ExportPolicy exportPolicy;
+
+    private List<HostVO> hostsToConnect;
+    private PrimaryDataStoreInfo primaryDataStoreInfo;
+    private Scope scope;
+
+
+    public Igroup getIgroup() {
+        return igroup;
+    }
+
+    public void setIgroup(Igroup igroup) {
+        this.igroup = igroup;
+    }
+
+    public ExportPolicy getPolicy() {
+        return exportPolicy;
+    }
+
+    public void setPolicy(ExportPolicy policy) {
+        this.exportPolicy = policy;
+    }
+    public List<HostVO> getHostsToConnect() {
+        return hostsToConnect;
+    }
+    public void setHostsToConnect(List<HostVO> hostsToConnect) {
+        this.hostsToConnect = hostsToConnect;
+    }
+    public PrimaryDataStoreInfo getPrimaryDataStoreInfo() {
+        return primaryDataStoreInfo;
+    }
+    public void setPrimaryDataStoreInfo(PrimaryDataStoreInfo primaryDataStoreInfo) {
+        this.primaryDataStoreInfo = primaryDataStoreInfo;
+    }
+    public Scope getScope() {
+        return scope;
+    }
+    public void setScope(Scope scope) {
+        this.scope = scope;
+    }
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/service/model/CloudStackVolume.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/service/model/CloudStackVolume.java
new file mode 100644
index 000000000000..6c51e4630800
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/service/model/CloudStackVolume.java
@@ -0,0 +1,59 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cloudstack.storage.service.model;
+
+import org.apache.cloudstack.engine.subsystem.api.storage.DataObject;
+import org.apache.cloudstack.storage.feign.model.FileInfo;
+import org.apache.cloudstack.storage.feign.model.Lun;
+
+public class CloudStackVolume {
+
+    private FileInfo file;
+    private Lun lun;
+    private String datastoreId;
+    private DataObject volumeInfo; // This is needed as we need DataObject to be passed to agent to create volume
+    public FileInfo getFile() {
+        return file;
+    }
+
+    public void setFile(FileInfo file) {
+        this.file = file;
+    }
+
+    public Lun getLun() {
+        return lun;
+    }
+
+    public void setLun(Lun lun) {
+        this.lun = lun;
+    }
+    public String getDatastoreId() {
+        return datastoreId;
+    }
+    public void setDatastoreId(String datastoreId) {
+        this.datastoreId = datastoreId;
+    }
+    public DataObject getVolumeInfo() {
+        return volumeInfo;
+    }
+    public void setVolumeInfo(DataObject volumeInfo) {
+        this.volumeInfo = volumeInfo;
+    }
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/service/model/ProtocolType.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/service/model/ProtocolType.java
new file mode 100644
index 000000000000..00dca62480dc
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/service/model/ProtocolType.java
@@ -0,0 +1,25 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cloudstack.storage.service.model;
+
+public enum ProtocolType {
+        NFS3,
+        ISCSI
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/utils/OntapStorageConstants.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/utils/OntapStorageConstants.java
new file mode 100644
index 000000000000..0cf0a9b07e0f
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/utils/OntapStorageConstants.java
@@ -0,0 +1,93 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cloudstack.storage.utils;
+
+
+public class OntapStorageConstants {
+
+    public static final String ONTAP_PLUGIN_NAME = "ONTAP";
+    public static final int NFS3_PORT = 2049;
+    public static final int ISCSI_PORT = 3260;
+
+    public static final String NFS = "nfs";
+    public static final String ISCSI = "iscsi";
+    public static final String SIZE = "size";
+    public static final String PROTOCOL = "protocol";
+    public static final String SVM_NAME = "svmName";
+    public static final String USERNAME = "username";
+    public static final String PASSWORD = "password";
+    public static final String DATA_LIF = "dataLIF";
+    public static final String MANAGEMENT_LIF = "managementLIF";
+    public static final String VOLUME_NAME = "volumeName";
+    public static final String VOLUME_UUID = "volumeUUID";
+    public static final String EXPORT_POLICY_ID = "exportPolicyId";
+    public static final String EXPORT_POLICY_NAME = "exportPolicyName";
+    public static final String IS_DISAGGREGATED = "isDisaggregated";
+    public static final String RUNNING = "running";
+    public static final String EXPORT = "export";
+
+    public static final int ONTAP_PORT = 443;
+
+    public static final String JOB_RUNNING = "running";
+    public static final String JOB_QUEUE = "queued";
+    public static final String JOB_PAUSED = "paused";
+    public static final String JOB_FAILURE = "failure";
+    public static final String JOB_SUCCESS = "success";
+
+    public static final String TRUE = "true";
+    public static final String FALSE = "false";
+
+    // Query params
+    public static final String NAME = "name";
+    public static final String FIELDS = "fields";
+    public  static final String INITIATORS = "initiators";
+    public static final String AGGREGATES = "aggregates";
+    public static final String STATE = "state";
+    public static final String DATA_NFS = "data_nfs";
+    public static final String DATA_ISCSI = "data_iscsi";
+    public static final String IP_ADDRESS = "ip.address";
+    public static final String SERVICES = "services";
+    public static final String RETURN_RECORDS = "return_records";
+
+    public static final int JOB_MAX_RETRIES = 100;
+    public static final int CREATE_VOLUME_CHECK_SLEEP_TIME = 2000;
+
+    public static final String SLASH = "/";
+    public static final String EQUALS = "=";
+    public static final String SEMICOLON = ";";
+    public static final String COMMA = ",";
+    public static final String HYPHEN = "-";
+
+    public static final String VOLUME_PATH_PREFIX = "/vol/";
+
+    public static final String ONTAP_NAME_REGEX = "^[a-zA-Z][a-zA-Z0-9_]*$";
+    public static final String KVM = "KVM";
+
+    public static final String HTTPS = "https://";
+    public static final String SVM_DOT_NAME = "svm.name";
+    public static final String LUN_DOT_NAME = "lun.name";
+    public static final String IQN = "iqn";
+    public static final String LUN_DOT_UUID = "lun.uuid";
+    public static final String LOGICAL_UNIT_NUMBER = "logical_unit_number";
+    public static final String IGROUP_DOT_NAME = "igroup.name";
+    public static final String IGROUP_DOT_UUID = "igroup.uuid";
+    public static final String UNDERSCORE = "_";
+    public static final String CS = "cs";
+}
diff --git a/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/utils/OntapStorageUtils.java b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/utils/OntapStorageUtils.java
new file mode 100644
index 000000000000..0924cf3b9bb6
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/java/org/apache/cloudstack/storage/utils/OntapStorageUtils.java
@@ -0,0 +1,76 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cloudstack.storage.utils;
+
+import com.cloud.storage.ScopeType;
+import com.cloud.utils.StringUtils;
+import com.cloud.utils.exception.CloudRuntimeException;
+import org.apache.cloudstack.storage.feign.model.OntapStorage;
+import org.apache.cloudstack.storage.provider.StorageProviderFactory;
+import org.apache.cloudstack.storage.service.StorageStrategy;
+import org.apache.cloudstack.storage.service.model.ProtocolType;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.springframework.util.Base64Utils;
+
+import java.nio.charset.StandardCharsets;
+import java.util.Map;
+
+public class OntapStorageUtils {
+
+    private static final Logger logger = LogManager.getLogger(OntapStorageUtils.class);
+
+    private static final String BASIC = "Basic";
+    private static final String AUTH_HEADER_COLON = ":";
+
+    public static String generateAuthHeader (String username, String password) {
+        byte[] encodedBytes = Base64Utils.encode((username + AUTH_HEADER_COLON + password).getBytes(StandardCharsets.UTF_8));
+        return BASIC + StringUtils.SPACE + new String(encodedBytes);
+    }
+
+    public static StorageStrategy getStrategyByStoragePoolDetails(Map<String, String> details) {
+        if (details == null || details.isEmpty()) {
+            logger.error("getStrategyByStoragePoolDetails: Storage pool details are null or empty");
+            throw new CloudRuntimeException("getStrategyByStoragePoolDetails: Storage pool details are null or empty");
+        }
+        String protocol = details.get(OntapStorageConstants.PROTOCOL);
+        OntapStorage ontapStorage = new OntapStorage(details.get(OntapStorageConstants.USERNAME), details.get(OntapStorageConstants.PASSWORD),
+                details.get(OntapStorageConstants.MANAGEMENT_LIF), details.get(OntapStorageConstants.SVM_NAME), Long.parseLong(details.get(OntapStorageConstants.SIZE)),
+                ProtocolType.valueOf(protocol),
+                Boolean.parseBoolean(details.get(OntapStorageConstants.IS_DISAGGREGATED)));
+        StorageStrategy storageStrategy = StorageProviderFactory.getStrategy(ontapStorage);
+        boolean isValid = storageStrategy.connect();
+        if (isValid) {
+            logger.info("Connection to Ontap SVM [{}] successful", details.get(OntapStorageConstants.SVM_NAME));
+            return storageStrategy;
+        } else {
+            logger.error("getStrategyByStoragePoolDetails: Connection to Ontap SVM [" + details.get(OntapStorageConstants.SVM_NAME) + "] failed");
+            throw new CloudRuntimeException("getStrategyByStoragePoolDetails: Connection to Ontap SVM [" + details.get(OntapStorageConstants.SVM_NAME) + "] failed");
+        }
+    }
+
+    public static String getIgroupName(String svmName, ScopeType scopeType, Long scopeId) {
+        return OntapStorageConstants.CS + OntapStorageConstants.UNDERSCORE + svmName + OntapStorageConstants.UNDERSCORE + scopeType.toString().toLowerCase() + OntapStorageConstants.UNDERSCORE + scopeId;
+    }
+
+    public static String generateExportPolicyName(String svmName, String volumeName){
+        return OntapStorageConstants.EXPORT + OntapStorageConstants.HYPHEN + svmName + OntapStorageConstants.HYPHEN + volumeName;
+    }
+}
diff --git a/plugins/storage/volume/ontap/src/main/resources/META-INF/cloudstack/storage-volume-ontap/logback-spring.xml b/plugins/storage/volume/ontap/src/main/resources/META-INF/cloudstack/storage-volume-ontap/logback-spring.xml
new file mode 100644
index 000000000000..8c4d997a1ad3
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/main/resources/META-INF/cloudstack/storage-volume-ontap/logback-spring.xml
@@ -0,0 +1,44 @@
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied.  See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+
+<configuration>
+
+    <!-- Define a separate appender for Feign logs -->
+    <appender name="FEIGN_LOG" class="ch.qos.logback.core.rolling.RollingFileAppender">
+        <file>logs/feign-requests.log</file>
+        <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+            <fileNamePattern>logs/feign-requests.%d{yyyy-MM-dd}.log</fileNamePattern>
+            <maxHistory>30</maxHistory>
+        </rollingPolicy>
+        <encoder>
+            <pattern>%d{yyyy-MM-dd HH:mm:ss} %-5level %logger{36} - %msg%n</pattern>
+        </encoder>
+    </appender>
+
+    <!-- Create a logger for your Feign interceptor class -->
+    <logger name="org.apache.cloudstack.storage.feign.FeignConfiguration" level="INFO" additivity="false">
+        <appender-ref ref="FEIGN_LOG"/>
+    </logger>
+
+    <!-- Root logger (optional) -->
+    <root level="INFO">
+        <appender-ref ref="CONSOLE"/>
+    </root>
+
+</configuration>
diff --git a/plugins/host-allocators/random/src/main/resources/META-INF/cloudstack/host-allocator-random/module.properties b/plugins/storage/volume/ontap/src/main/resources/META-INF/cloudstack/storage-volume-ontap/module.properties
similarity index 94%
rename from plugins/host-allocators/random/src/main/resources/META-INF/cloudstack/host-allocator-random/module.properties
rename to plugins/storage/volume/ontap/src/main/resources/META-INF/cloudstack/storage-volume-ontap/module.properties
index dcfe8d3537ff..67fd086eba10 100644
--- a/plugins/host-allocators/random/src/main/resources/META-INF/cloudstack/host-allocator-random/module.properties
+++ b/plugins/storage/volume/ontap/src/main/resources/META-INF/cloudstack/storage-volume-ontap/module.properties
@@ -14,5 +14,5 @@
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.
-name=host-allocator-random
-parent=allocator
+name=storage-volume-ontap
+parent=storage
diff --git a/plugins/host-allocators/random/src/main/resources/META-INF/cloudstack/host-allocator-random/spring-host-allocator-random-context.xml b/plugins/storage/volume/ontap/src/main/resources/META-INF/cloudstack/storage-volume-ontap/spring-storage-volume-ontap-context.xml
similarity index 91%
rename from plugins/host-allocators/random/src/main/resources/META-INF/cloudstack/host-allocator-random/spring-host-allocator-random-context.xml
rename to plugins/storage/volume/ontap/src/main/resources/META-INF/cloudstack/storage-volume-ontap/spring-storage-volume-ontap-context.xml
index d84eaafaa5a7..6ab9c46fcf9d 100644
--- a/plugins/host-allocators/random/src/main/resources/META-INF/cloudstack/host-allocator-random/spring-host-allocator-random-context.xml
+++ b/plugins/storage/volume/ontap/src/main/resources/META-INF/cloudstack/storage-volume-ontap/spring-storage-volume-ontap-context.xml
@@ -27,8 +27,7 @@
                       http://www.springframework.org/schema/context/spring-context.xsd"
                       >
 
-    <bean id="randomAllocator"
-        class="com.cloud.agent.manager.allocator.impl.RandomAllocator" />
-
+    <bean id="ontapPrimaryDataStoreProvider"
+        class="org.apache.cloudstack.storage.provider.OntapPrimaryDatastoreProvider" />
 
 </beans>
diff --git a/plugins/storage/volume/ontap/src/test/java/org/apache/cloudstack/storage/lifecycle/OntapPrimaryDatastoreLifecycleTest.java b/plugins/storage/volume/ontap/src/test/java/org/apache/cloudstack/storage/lifecycle/OntapPrimaryDatastoreLifecycleTest.java
new file mode 100644
index 000000000000..789615a9f43b
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/test/java/org/apache/cloudstack/storage/lifecycle/OntapPrimaryDatastoreLifecycleTest.java
@@ -0,0 +1,324 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cloudstack.storage.lifecycle;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.MockedStatic;
+import org.mockito.Mockito;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.mockito.junit.jupiter.MockitoSettings;
+import org.mockito.quality.Strictness;
+import org.apache.cloudstack.storage.feign.model.Volume;
+import com.cloud.dc.dao.ClusterDao;
+import com.cloud.utils.exception.CloudRuntimeException;
+import com.cloud.dc.ClusterVO;
+import java.util.Map;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.when;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import java.util.HashMap;
+import org.apache.cloudstack.storage.provider.StorageProviderFactory;
+import org.apache.cloudstack.storage.service.StorageStrategy;
+import org.apache.cloudstack.storage.volume.datastore.PrimaryDataStoreHelper;
+
+
+@ExtendWith(MockitoExtension.class)
+@MockitoSettings(strictness = Strictness.LENIENT)
+public class OntapPrimaryDatastoreLifecycleTest {
+    @InjectMocks
+    private OntapPrimaryDatastoreLifecycle ontapPrimaryDatastoreLifecycle;
+
+    @Mock
+    private ClusterDao _clusterDao;
+
+    @Mock
+    private StorageStrategy storageStrategy;
+
+    @Mock
+    private PrimaryDataStoreHelper _dataStoreHelper;
+
+    @BeforeEach
+    void setUp() {
+
+        ClusterVO clusterVO = new ClusterVO(1L, 1L, "clusterName");
+        clusterVO.setHypervisorType("KVM");
+        when(_clusterDao.findById(1L)).thenReturn(clusterVO);
+
+        when(storageStrategy.connect()).thenReturn(true);
+        when(storageStrategy.getNetworkInterface()).thenReturn("testNetworkInterface");
+
+        Volume volume = new Volume();
+        volume.setUuid("test-volume-uuid");
+        volume.setName("testVolume");
+        when(storageStrategy.createStorageVolume(any(), any())).thenReturn(volume);
+
+    }
+
+    @Test
+    public void testInitialize_positive() {
+
+        Map<String, Object> dsInfos = new HashMap<>();
+        dsInfos.put("username", "testUser");
+        dsInfos.put("password", "testPassword");
+        dsInfos.put("url", "username=testUser;password=testPassword;svmName=testSVM;protocol=NFS3;managementLIF=192.168.1.1");
+        dsInfos.put("zoneId",1L);
+        dsInfos.put("podId",1L);
+        dsInfos.put("clusterId", 1L);
+        dsInfos.put("name", "testStoragePool");
+        dsInfos.put("providerName", "testProvider");
+        dsInfos.put("capacityBytes",200000L);
+        dsInfos.put("managed",true);
+        dsInfos.put("tags", "testTag");
+        dsInfos.put("isTagARule", false);
+        dsInfos.put("details", new HashMap<String, String>());
+
+        try(MockedStatic<StorageProviderFactory> storageProviderFactory = Mockito.mockStatic(StorageProviderFactory.class)) {
+            storageProviderFactory.when(() -> StorageProviderFactory.getStrategy(any())).thenReturn(storageStrategy);
+            ontapPrimaryDatastoreLifecycle.initialize(dsInfos);
+        }
+    }
+
+    @Test
+    public void testInitialize_positiveWithIsDisaggregated() {
+
+        Map<String, Object> dsInfos = new HashMap<>();
+        dsInfos.put("username", "testUser");
+        dsInfos.put("password", "testPassword");
+        dsInfos.put("url", "username=testUser;password=testPassword;svmName=testSVM;protocol=NFS3;managementLIF=192.168.1.1;isDisaggregated=false");
+        dsInfos.put("zoneId",1L);
+        dsInfos.put("podId",1L);
+        dsInfos.put("clusterId", 1L);
+        dsInfos.put("name", "testStoragePool");
+        dsInfos.put("providerName", "testProvider");
+        dsInfos.put("capacityBytes",200000L);
+        dsInfos.put("managed",true);
+        dsInfos.put("tags", "testTag");
+        dsInfos.put("isTagARule", false);
+        dsInfos.put("details", new HashMap<String, String>());
+
+        try(MockedStatic<StorageProviderFactory> storageProviderFactory = Mockito.mockStatic(StorageProviderFactory.class)) {
+            storageProviderFactory.when(() -> StorageProviderFactory.getStrategy(any())).thenReturn(storageStrategy);
+            ontapPrimaryDatastoreLifecycle.initialize(dsInfos);
+        }
+    }
+
+    @Test
+    public void testInitialize_null_Arg() {
+        Exception ex = assertThrows(CloudRuntimeException.class,() ->
+                ontapPrimaryDatastoreLifecycle.initialize(null));
+        assertTrue(ex.getMessage().contains("Datastore info map is null, cannot create primary storage"));
+    }
+
+    @Test
+    public void testInitialize_missingRequiredDetailKey() {
+        Map<String, Object> dsInfos = new HashMap<>();
+        dsInfos.put("url", "username=testUser;password=testPassword;svmName=testSVM;protocol=NFS3");
+        dsInfos.put("zoneId",1L);
+        dsInfos.put("podId",1L);
+        dsInfos.put("clusterId", 1L);
+        dsInfos.put("name", "testStoragePool");
+        dsInfos.put("providerName", "testProvider");
+        dsInfos.put("capacityBytes",200000L);
+        dsInfos.put("managed",true);
+        dsInfos.put("tags", "testTag");
+        dsInfos.put("isTagARule", false);
+        dsInfos.put("details", new HashMap<String, String>());
+
+        try (MockedStatic<StorageProviderFactory> storageProviderFactory = Mockito.mockStatic(StorageProviderFactory.class)) {
+            storageProviderFactory.when(() -> StorageProviderFactory.getStrategy(any())).thenReturn(storageStrategy);
+            Exception ex = assertThrows(CloudRuntimeException.class, () -> ontapPrimaryDatastoreLifecycle.initialize(dsInfos));
+            assertTrue(ex.getMessage().contains("missing detail"));
+        }
+    }
+
+    @Test
+    public void testInitialize_invalidCapacityBytes() {
+        Map<String, Object> dsInfos = new HashMap<>();
+        dsInfos.put("url", "username=testUser;password=testPassword;svmName=testSVM;protocol=NFS3;managementLIF=192.168.1.1");
+        dsInfos.put("zoneId",1L);
+        dsInfos.put("podId",1L);
+        dsInfos.put("clusterId", 1L);
+        dsInfos.put("name", "testStoragePool");
+        dsInfos.put("providerName", "testProvider");
+        dsInfos.put("capacityBytes",-1L);
+        dsInfos.put("managed",true);
+        dsInfos.put("tags", "testTag");
+        dsInfos.put("isTagARule", false);
+        dsInfos.put("details", new HashMap<String, String>());
+
+        try (MockedStatic<StorageProviderFactory> storageProviderFactory = Mockito.mockStatic(StorageProviderFactory.class)) {
+            storageProviderFactory.when(() -> StorageProviderFactory.getStrategy(any())).thenReturn(storageStrategy);
+            ontapPrimaryDatastoreLifecycle.initialize(dsInfos);
+        }
+    }
+
+    @Test
+    public void testInitialize_unmanagedStorage() {
+        Map<String, Object> dsInfos = new HashMap<>();
+        dsInfos.put("url", "username=testUser;password=testPassword;svmName=testSVM;protocol=NFS3;managementLIF=192.168.1.1");
+        dsInfos.put("zoneId",1L);
+        dsInfos.put("podId",1L);
+        dsInfos.put("clusterId", 1L);
+        dsInfos.put("name", "testStoragePool");
+        dsInfos.put("providerName", "testProvider");
+        dsInfos.put("capacityBytes",200000L);
+        dsInfos.put("managed",false);
+        dsInfos.put("tags", "testTag");
+        dsInfos.put("isTagARule", false);
+        dsInfos.put("details", new HashMap<String, String>());
+
+        Exception ex = assertThrows(CloudRuntimeException.class, () -> {
+            try (MockedStatic<StorageProviderFactory> storageProviderFactory = Mockito.mockStatic(StorageProviderFactory.class)) {
+                storageProviderFactory.when(() -> StorageProviderFactory.getStrategy(any())).thenReturn(storageStrategy);
+                ontapPrimaryDatastoreLifecycle.initialize(dsInfos);
+            }
+        });
+        assertTrue(ex.getMessage().contains("must be managed"));
+    }
+
+    @Test
+    public void testInitialize_nullStoragePoolName() {
+        Map<String, Object> dsInfos = new HashMap<>();
+        dsInfos.put("url", "username=testUser;password=testPassword;svmName=testSVM;protocol=NFS3;managementLIF=192.168.1.1");
+        dsInfos.put("zoneId",1L);
+        dsInfos.put("podId",1L);
+        dsInfos.put("clusterId", 1L);
+        dsInfos.put("name", null);
+        dsInfos.put("providerName", "testProvider");
+        dsInfos.put("capacityBytes",200000L);
+        dsInfos.put("managed",true);
+        dsInfos.put("tags", "testTag");
+        dsInfos.put("isTagARule", false);
+        dsInfos.put("details", new HashMap<String, String>());
+
+        Exception ex = assertThrows(CloudRuntimeException.class, () -> {
+            try (MockedStatic<StorageProviderFactory> storageProviderFactory = Mockito.mockStatic(StorageProviderFactory.class)) {
+                storageProviderFactory.when(() -> StorageProviderFactory.getStrategy(any())).thenReturn(storageStrategy);
+                ontapPrimaryDatastoreLifecycle.initialize(dsInfos);
+            }
+        });
+        assertTrue(ex.getMessage().contains("Storage pool name is null or empty"));
+    }
+
+    @Test
+    public void testInitialize_nullProviderName() {
+        Map<String, Object> dsInfos = new HashMap<>();
+        dsInfos.put("url", "username=testUser;password=testPassword;svmName=testSVM;protocol=NFS3;managementLIF=192.168.1.1");
+        dsInfos.put("zoneId",1L);
+        dsInfos.put("podId",1L);
+        dsInfos.put("clusterId", 1L);
+        dsInfos.put("name", "testStoragePool");
+        dsInfos.put("providerName", null);
+        dsInfos.put("capacityBytes",200000L);
+        dsInfos.put("managed",true);
+        dsInfos.put("tags", "testTag");
+        dsInfos.put("isTagARule", false);
+        dsInfos.put("details", new HashMap<String, String>());
+
+        Exception ex = assertThrows(CloudRuntimeException.class, () -> {
+            try (MockedStatic<StorageProviderFactory> storageProviderFactory = Mockito.mockStatic(StorageProviderFactory.class)) {
+                storageProviderFactory.when(() -> StorageProviderFactory.getStrategy(any())).thenReturn(storageStrategy);
+                ontapPrimaryDatastoreLifecycle.initialize(dsInfos);
+            }
+        });
+        assertTrue(ex.getMessage().contains("Provider name is null or empty"));
+    }
+
+    @Test
+    public void testInitialize_nullPodAndClusterAndZone() {
+        Map<String, Object> dsInfos = new HashMap<>();
+        dsInfos.put("url", "username=testUser;password=testPassword;svmName=testSVM;protocol=NFS3;managementLIF=192.168.1.1");
+        dsInfos.put("zoneId",null);
+        dsInfos.put("podId",null);
+        dsInfos.put("clusterId", null);
+        dsInfos.put("name", "testStoragePool");
+        dsInfos.put("providerName", "testProvider");
+        dsInfos.put("capacityBytes",200000L);
+        dsInfos.put("managed",true);
+        dsInfos.put("tags", "testTag");
+        dsInfos.put("isTagARule", false);
+        dsInfos.put("details", new HashMap<String, String>());
+
+        Exception ex = assertThrows(CloudRuntimeException.class, () -> {
+            try (MockedStatic<StorageProviderFactory> storageProviderFactory = Mockito.mockStatic(StorageProviderFactory.class)) {
+                storageProviderFactory.when(() -> StorageProviderFactory.getStrategy(any())).thenReturn(storageStrategy);
+                ontapPrimaryDatastoreLifecycle.initialize(dsInfos);
+            }
+        });
+        assertTrue(ex.getMessage().contains("Pod Id, Cluster Id and Zone Id are all null"));
+    }
+
+    @Test
+    public void testInitialize_clusterNotKVM() {
+        ClusterVO clusterVO = new ClusterVO(2L, 1L, "clusterName");
+        clusterVO.setHypervisorType("XenServer");
+        when(_clusterDao.findById(2L)).thenReturn(clusterVO);
+
+        Map<String, Object> dsInfos = new HashMap<>();
+        dsInfos.put("url", "username=testUser;password=testPassword;svmName=testSVM;protocol=NFS3;managementLIF=192.168.1.1");
+        dsInfos.put("zoneId",1L);
+        dsInfos.put("podId",1L);
+        dsInfos.put("clusterId", 2L);
+        dsInfos.put("name", "testStoragePool");
+        dsInfos.put("providerName", "testProvider");
+        dsInfos.put("capacityBytes",200000L);
+        dsInfos.put("managed",true);
+        dsInfos.put("tags", "testTag");
+        dsInfos.put("isTagARule", false);
+        dsInfos.put("details", new HashMap<String, String>());
+
+        Exception ex = assertThrows(CloudRuntimeException.class, () -> {
+            try (MockedStatic<StorageProviderFactory> storageProviderFactory = Mockito.mockStatic(StorageProviderFactory.class)) {
+                storageProviderFactory.when(() -> StorageProviderFactory.getStrategy(any())).thenReturn(storageStrategy);
+                ontapPrimaryDatastoreLifecycle.initialize(dsInfos);
+            }
+        });
+        assertTrue(ex.getMessage().contains("ONTAP primary storage is supported only for KVM hypervisor"));
+    }
+
+    @Test
+    public void testInitialize_unexpectedDetailKey() {
+        Map<String, Object> dsInfos = new HashMap<>();
+        dsInfos.put("url", "username=testUser;password=testPassword;svmName=testSVM;protocol=NFS3;managementLIF=192.168.1.1;unexpectedKey=unexpectedValue");
+        dsInfos.put("zoneId",1L);
+        dsInfos.put("podId",1L);
+        dsInfos.put("clusterId", 1L);
+        dsInfos.put("name", "testStoragePool");
+        dsInfos.put("providerName", "testProvider");
+        dsInfos.put("capacityBytes",200000L);
+        dsInfos.put("managed",true);
+        dsInfos.put("tags", "testTag");
+        dsInfos.put("isTagARule", false);
+        dsInfos.put("details", new HashMap<String, String>());
+
+        Exception ex = assertThrows(CloudRuntimeException.class, () -> {
+            try (MockedStatic<StorageProviderFactory> storageProviderFactory = Mockito.mockStatic(StorageProviderFactory.class)) {
+                storageProviderFactory.when(() -> StorageProviderFactory.getStrategy(any())).thenReturn(storageStrategy);
+                ontapPrimaryDatastoreLifecycle.initialize(dsInfos);
+            }
+        });
+        assertTrue(ex.getMessage().contains("Unexpected ONTAP detail key in URL"));
+    }
+
+}
diff --git a/plugins/storage/volume/ontap/src/test/java/org/apache/cloudstack/storage/provider/OntapPrimaryDatastoreProviderTest.java b/plugins/storage/volume/ontap/src/test/java/org/apache/cloudstack/storage/provider/OntapPrimaryDatastoreProviderTest.java
new file mode 100644
index 000000000000..0d8ac53a1f98
--- /dev/null
+++ b/plugins/storage/volume/ontap/src/test/java/org/apache/cloudstack/storage/provider/OntapPrimaryDatastoreProviderTest.java
@@ -0,0 +1,215 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cloudstack.storage.provider;
+
+import com.cloud.utils.component.ComponentContext;
+import org.apache.cloudstack.engine.subsystem.api.storage.DataStoreDriver;
+import org.apache.cloudstack.engine.subsystem.api.storage.DataStoreLifeCycle;
+import org.apache.cloudstack.engine.subsystem.api.storage.DataStoreProvider.DataStoreProviderType;
+import org.apache.cloudstack.engine.subsystem.api.storage.HypervisorHostListener;
+import org.apache.cloudstack.storage.driver.OntapPrimaryDatastoreDriver;
+import org.apache.cloudstack.storage.lifecycle.OntapPrimaryDatastoreLifecycle;
+import org.apache.cloudstack.storage.listener.OntapHostListener;
+import org.apache.cloudstack.storage.utils.OntapStorageConstants;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.MockedStatic;
+import org.mockito.Mockito;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.mockito.junit.jupiter.MockitoSettings;
+import org.mockito.quality.Strictness;
+
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Set;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.mockito.Mockito.mock;
+
+@ExtendWith(MockitoExtension.class)
+@MockitoSettings(strictness = Strictness.LENIENT)
+public class OntapPrimaryDatastoreProviderTest {
+
+    private OntapPrimaryDatastoreProvider provider;
+
+    @BeforeEach
+    void setUp() {
+        provider = new OntapPrimaryDatastoreProvider();
+    }
+
+    @Test
+    public void testGetName() {
+        String name = provider.getName();
+        assertEquals(OntapStorageConstants.ONTAP_PLUGIN_NAME, name);
+    }
+
+    @Test
+    public void testGetTypes() {
+        Set<DataStoreProviderType> types = provider.getTypes();
+        assertNotNull(types);
+        assertEquals(1, types.size());
+        assertTrue(types.contains(DataStoreProviderType.PRIMARY));
+    }
+
+    @Test
+    public void testGetDataStoreLifeCycle_beforeConfigure() {
+        DataStoreLifeCycle lifeCycle = provider.getDataStoreLifeCycle();
+        assertNull(lifeCycle);
+    }
+
+    @Test
+    public void testGetDataStoreDriver_beforeConfigure() {
+        DataStoreDriver driver = provider.getDataStoreDriver();
+        assertNull(driver);
+    }
+
+    @Test
+    public void testGetHostListener_beforeConfigure() {
+        HypervisorHostListener listener = provider.getHostListener();
+        assertNull(listener);
+    }
+
+    @Test
+    public void testConfigure() {
+        OntapPrimaryDatastoreDriver mockDriver = mock(OntapPrimaryDatastoreDriver.class);
+        OntapPrimaryDatastoreLifecycle mockLifecycle = mock(OntapPrimaryDatastoreLifecycle.class);
+        OntapHostListener mockListener = mock(OntapHostListener.class);
+
+        try (MockedStatic<ComponentContext> componentContext = Mockito.mockStatic(ComponentContext.class)) {
+            componentContext.when(() -> ComponentContext.inject(OntapPrimaryDatastoreDriver.class))
+                    .thenReturn(mockDriver);
+            componentContext.when(() -> ComponentContext.inject(OntapPrimaryDatastoreLifecycle.class))
+                    .thenReturn(mockLifecycle);
+            componentContext.when(() -> ComponentContext.inject(OntapHostListener.class))
+                    .thenReturn(mockListener);
+
+            Map<String, Object> params = new HashMap<>();
+            boolean result = provider.configure(params);
+
+            assertTrue(result);
+        }
+    }
+
+    @Test
+    public void testGetDataStoreLifeCycle_afterConfigure() {
+        OntapPrimaryDatastoreDriver mockDriver = mock(OntapPrimaryDatastoreDriver.class);
+        OntapPrimaryDatastoreLifecycle mockLifecycle = mock(OntapPrimaryDatastoreLifecycle.class);
+        OntapHostListener mockListener = mock(OntapHostListener.class);
+
+        try (MockedStatic<ComponentContext> componentContext = Mockito.mockStatic(ComponentContext.class)) {
+            componentContext.when(() -> ComponentContext.inject(OntapPrimaryDatastoreDriver.class))
+                    .thenReturn(mockDriver);
+            componentContext.when(() -> ComponentContext.inject(OntapPrimaryDatastoreLifecycle.class))
+                    .thenReturn(mockLifecycle);
+            componentContext.when(() -> ComponentContext.inject(OntapHostListener.class))
+                    .thenReturn(mockListener);
+
+            provider.configure(new HashMap<>());
+
+            DataStoreLifeCycle lifeCycle = provider.getDataStoreLifeCycle();
+            assertNotNull(lifeCycle);
+            assertEquals(mockLifecycle, lifeCycle);
+        }
+    }
+
+    @Test
+    public void testGetDataStoreDriver_afterConfigure() {
+        OntapPrimaryDatastoreDriver mockDriver = mock(OntapPrimaryDatastoreDriver.class);
+        OntapPrimaryDatastoreLifecycle mockLifecycle = mock(OntapPrimaryDatastoreLifecycle.class);
+        OntapHostListener mockListener = mock(OntapHostListener.class);
+
+        try (MockedStatic<ComponentContext> componentContext = Mockito.mockStatic(ComponentContext.class)) {
+            componentContext.when(() -> ComponentContext.inject(OntapPrimaryDatastoreDriver.class))
+                    .thenReturn(mockDriver);
+            componentContext.when(() -> ComponentContext.inject(OntapPrimaryDatastoreLifecycle.class))
+                    .thenReturn(mockLifecycle);
+            componentContext.when(() -> ComponentContext.inject(OntapHostListener.class))
+                    .thenReturn(mockListener);
+
+            provider.configure(new HashMap<>());
+
+            DataStoreDriver driver = provider.getDataStoreDriver();
+            assertNotNull(driver);
+            assertEquals(mockDriver, driver);
+        }
+    }
+
+    @Test
+    public void testGetHostListener_afterConfigure() {
+        OntapPrimaryDatastoreDriver mockDriver = mock(OntapPrimaryDatastoreDriver.class);
+        OntapPrimaryDatastoreLifecycle mockLifecycle = mock(OntapPrimaryDatastoreLifecycle.class);
+        OntapHostListener mockListener = mock(OntapHostListener.class);
+
+        try (MockedStatic<ComponentContext> componentContext = Mockito.mockStatic(ComponentContext.class)) {
+            componentContext.when(() -> ComponentContext.inject(OntapPrimaryDatastoreDriver.class))
+                    .thenReturn(mockDriver);
+            componentContext.when(() -> ComponentContext.inject(OntapPrimaryDatastoreLifecycle.class))
+                    .thenReturn(mockLifecycle);
+            componentContext.when(() -> ComponentContext.inject(OntapHostListener.class))
+                    .thenReturn(mockListener);
+
+            provider.configure(new HashMap<>());
+
+            HypervisorHostListener listener = provider.getHostListener();
+            assertNotNull(listener);
+            assertEquals(mockListener, listener);
+        }
+    }
+
+    @Test
+    public void testConfigure_withNullParams() {
+        OntapPrimaryDatastoreDriver mockDriver = mock(OntapPrimaryDatastoreDriver.class);
+        OntapPrimaryDatastoreLifecycle mockLifecycle = mock(OntapPrimaryDatastoreLifecycle.class);
+        OntapHostListener mockListener = mock(OntapHostListener.class);
+
+        try (MockedStatic<ComponentContext> componentContext = Mockito.mockStatic(ComponentContext.class)) {
+            componentContext.when(() -> ComponentContext.inject(OntapPrimaryDatastoreDriver.class))
+                    .thenReturn(mockDriver);
+            componentContext.when(() -> ComponentContext.inject(OntapPrimaryDatastoreLifecycle.class))
+                    .thenReturn(mockLifecycle);
+            componentContext.when(() -> ComponentContext.inject(OntapHostListener.class))
+                    .thenReturn(mockListener);
+
+            boolean result = provider.configure(null);
+
+            assertTrue(result);
+            assertNotNull(provider.getDataStoreDriver());
+            assertNotNull(provider.getDataStoreLifeCycle());
+            assertNotNull(provider.getHostListener());
+        }
+    }
+
+    @Test
+    public void testGetTypes_returnsOnlyPrimaryType() {
+        Set<DataStoreProviderType> types = provider.getTypes();
+
+        assertNotNull(types);
+        assertEquals(1, types.size());
+        assertTrue(types.contains(DataStoreProviderType.PRIMARY));
+
+        // Verify it doesn't contain other types
+        for (DataStoreProviderType type : types) {
+            assertEquals(DataStoreProviderType.PRIMARY, type);
+        }
+    }
+}
diff --git a/plugins/storage/volume/primera/src/main/java/org/apache/cloudstack/storage/datastore/adapter/primera/PrimeraAdapter.java b/plugins/storage/volume/primera/src/main/java/org/apache/cloudstack/storage/datastore/adapter/primera/PrimeraAdapter.java
index b574ccdb1649..3f92f8e4014d 100644
--- a/plugins/storage/volume/primera/src/main/java/org/apache/cloudstack/storage/datastore/adapter/primera/PrimeraAdapter.java
+++ b/plugins/storage/volume/primera/src/main/java/org/apache/cloudstack/storage/datastore/adapter/primera/PrimeraAdapter.java
@@ -384,6 +384,7 @@ public ProviderVolume copy(ProviderAdapterContext context, ProviderAdapterDataOb
             // Online copy configuration: immediate clone with deduplication and compression
             parms.setOnline(true);
             parms.setDestCPG(cpg);
+            parms.setSnapCPG(snapCpg);
             parms.setTpvv(false);
             parms.setReduce(true);
             logger.debug("PrimeraAdapter: Configuring online copy - destination CPG: '{}', deduplication enabled, thin provisioning disabled", cpg);
diff --git a/plugins/storage/volume/scaleio/src/main/java/org/apache/cloudstack/storage/datastore/client/ScaleIOGatewayClientImpl.java b/plugins/storage/volume/scaleio/src/main/java/org/apache/cloudstack/storage/datastore/client/ScaleIOGatewayClientImpl.java
index c6a61c35b8b7..8e23bc159a43 100644
--- a/plugins/storage/volume/scaleio/src/main/java/org/apache/cloudstack/storage/datastore/client/ScaleIOGatewayClientImpl.java
+++ b/plugins/storage/volume/scaleio/src/main/java/org/apache/cloudstack/storage/datastore/client/ScaleIOGatewayClientImpl.java
@@ -94,6 +94,9 @@ public class ScaleIOGatewayClientImpl implements ScaleIOGatewayClient {
     private String password;
     private String sessionKey;
 
+    private String gatewayVersion = null;
+    private int[] parsedVersion = null;
+
     // The session token is valid for 8 hours from the time it was created, unless there has been no activity for 10 minutes
     // Reference: https://cpsdocs.dellemc.com/bundle/PF_REST_API_RG/page/GUID-92430F19-9F44-42B6-B898-87D5307AE59B.html
     private static final long MAX_VALID_SESSION_TIME_IN_HRS = 8;
@@ -621,15 +624,26 @@ public boolean revertSnapshot(final String sourceSnapshotVolumeId, final String
             throw new CloudRuntimeException("Unable to revert, source snapshot volume and destination volume doesn't belong to same volume tree");
         }
 
+        String requestBody = buildOverwriteVolumeContentRequest(sourceSnapshotVolumeId);
+
         Boolean overwriteVolumeContentStatus = post(
                 "/instances/Volume::" + destVolumeId + "/action/overwriteVolumeContent",
-                String.format("{\"srcVolumeId\":\"%s\",\"allowOnExtManagedVol\":\"TRUE\"}", sourceSnapshotVolumeId), Boolean.class);
+                requestBody, Boolean.class);
         if (overwriteVolumeContentStatus != null) {
             return overwriteVolumeContentStatus;
         }
         return false;
     }
 
+    private String buildOverwriteVolumeContentRequest(final String srcVolumeId) {
+        if (isVersionAtLeast(4, 0)) {
+            logger.debug("Using PowerFlex 4.0+ overwriteVolumeContent request body");
+            return String.format("{\"srcVolumeId\":\"%s\"}", srcVolumeId);
+        } else {
+            logger.debug("Using pre-4.0 overwriteVolumeContent request body");
+            return String.format("{\"srcVolumeId\":\"%s\",\"allowOnExtManagedVol\":\"TRUE\"}", srcVolumeId);                }
+    }
+
     @Override
     public boolean mapVolumeToSdc(final String volumeId, final String sdcId) {
         Preconditions.checkArgument(StringUtils.isNotEmpty(volumeId), "Volume id cannot be null");
@@ -1168,4 +1182,49 @@ private String getConnectionManagerStats() {
         sb.append("\n");
         return sb.toString();
     }
+
+    private String fetchGatewayVersion() {
+        try {
+            JsonNode node = get("/version", JsonNode.class);
+            if (node != null && node.isTextual()) {
+                return node.asText();
+            }
+            if (node != null && node.has("version")) {
+                return node.get("version").asText();
+            }
+        } catch (Exception e) {
+            logger.warn("Could not fetch PowerFlex gateway version: " + e.getMessage());
+        }
+        return null;
+    }
+
+    private int[] parseVersion(String version) {
+        if (StringUtils.isEmpty(version)) return new int[]{0, 0, 0};
+        String[] parts = version.replaceAll("\"", "").split("\\.");
+        int[] parsed = new int[3];
+        for (int i = 0; i < Math.min(parts.length, 3); i++) {
+            try {
+                parsed[i] = Integer.parseInt(parts[i].trim());
+            } catch (NumberFormatException e) {
+                parsed[i] = 0;
+            }
+        }
+        return parsed;
+    }
+
+    private synchronized int[] getGatewayVersion() {
+        if (parsedVersion == null) {
+            gatewayVersion = fetchGatewayVersion();
+            parsedVersion = parseVersion(gatewayVersion);
+            logger.info("PowerFlex Gateway version detected: " + gatewayVersion
+                    + " => parsed: " + Arrays.toString(parsedVersion));
+        }
+        return parsedVersion;
+    }
+
+    private boolean isVersionAtLeast(int major, int minor) {
+        int[] v = getGatewayVersion();
+        if (v[0] != major) return v[0] > major;
+        return v[1] >= minor;
+    }
 }
diff --git a/plugins/storage/volume/storpool/src/main/java/com/cloud/hypervisor/kvm/storage/StorPoolStoragePool.java b/plugins/storage/volume/storpool/src/main/java/com/cloud/hypervisor/kvm/storage/StorPoolStoragePool.java
index ab5dc03d3431..04100a3c6d38 100644
--- a/plugins/storage/volume/storpool/src/main/java/com/cloud/hypervisor/kvm/storage/StorPoolStoragePool.java
+++ b/plugins/storage/volume/storpool/src/main/java/com/cloud/hypervisor/kvm/storage/StorPoolStoragePool.java
@@ -198,11 +198,11 @@ public String getHearthBeatPath() {
 
     @Override
     public String createHeartBeatCommand(HAStoragePool primaryStoragePool, String hostPrivateIp, boolean hostValidation) {
-        boolean isStorageNodeUp = checkingHeartBeat(primaryStoragePool, null);
+        boolean isStorageNodeUp = hasHeartBeat(primaryStoragePool, null);
         if (!isStorageNodeUp && !hostValidation) {
             //restart the host
             logger.debug(String.format("The host [%s] will be restarted because the health check failed for the storage pool [%s]", hostPrivateIp, primaryStoragePool.getPool().getType()));
-            Script cmd = new Script(primaryStoragePool.getPool().getHearthBeatPath(), HeartBeatUpdateTimeout, logger);
+            Script cmd = new Script(primaryStoragePool.getPool().getHearthBeatPath(), HeartBeatUpdateTimeoutInMs, logger);
             cmd.add("-c");
             cmd.execute();
             return "Down";
@@ -240,7 +240,7 @@ public static final String getStorPoolConfigParam(String param) {
     }
 
     @Override
-    public Boolean checkingHeartBeat(HAStoragePool pool, HostTO host) {
+    public Boolean hasHeartBeat(HAStoragePool pool, HostTO host) {
         boolean isNodeWorking = false;
         OutputInterpreter.AllLinesParser parser = new OutputInterpreter.AllLinesParser();
 
@@ -300,8 +300,8 @@ private String executeStorPoolServiceListCmd(OutputInterpreter.AllLinesParser pa
     }
 
     @Override
-    public Boolean vmActivityCheck(HAStoragePool pool, HostTO host, Duration activityScriptTimeout, String volumeUuidListString, String vmActivityCheckPath, long duration) {
-        return checkingHeartBeat(pool, host);
+    public Boolean hasVmActivity(HAStoragePool pool, HostTO host, Duration activityScriptTimeout, String volumeUuidListString, String vmActivityCheckPath, long duration) {
+        return hasHeartBeat(pool, host);
     }
 
     @Override
diff --git a/plugins/user-authenticators/ldap/pom.xml b/plugins/user-authenticators/ldap/pom.xml
index c9e5a083725c..24a58653e10d 100644
--- a/plugins/user-authenticators/ldap/pom.xml
+++ b/plugins/user-authenticators/ldap/pom.xml
@@ -172,6 +172,18 @@
                     <groupId>org.apache.directory.shared</groupId>
                     <artifactId>shared-ldap-schema</artifactId>
                 </exclusion>
+                <exclusion>
+                    <groupId>org.bouncycastle</groupId>
+                    <artifactId>bcprov-jdk15on</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.bouncycastle</groupId>
+                    <artifactId>bcpkix-jdk15on</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.bouncycastle</groupId>
+                    <artifactId>bcutil-jdk15on</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
         <dependency>
@@ -191,12 +203,40 @@
             <artifactId>apacheds-core</artifactId>
             <version>${ads.version}</version>
             <scope>test</scope>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.bouncycastle</groupId>
+                    <artifactId>bcprov-jdk15on</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.bouncycastle</groupId>
+                    <artifactId>bcpkix-jdk15on</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.bouncycastle</groupId>
+                    <artifactId>bcutil-jdk15on</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
         <dependency>
             <groupId>org.apache.directory.server</groupId>
             <artifactId>apacheds-protocol-ldap</artifactId>
             <version>${ads.version}</version>
             <scope>test</scope>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.bouncycastle</groupId>
+                    <artifactId>bcprov-jdk15on</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.bouncycastle</groupId>
+                    <artifactId>bcpkix-jdk15on</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.bouncycastle</groupId>
+                    <artifactId>bcutil-jdk15on</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
         <dependency>
             <groupId>org.apache.directory.server</groupId>
diff --git a/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAMLUtils.java b/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAMLUtils.java
index 1a9d677d43a5..135e1290f082 100644
--- a/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAMLUtils.java
+++ b/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAMLUtils.java
@@ -335,6 +335,9 @@ private static void addBaseCookies(final LoginCmdResponse loginResponse, final H
         resp.addCookie(newCookie(domain, path,"isSAML", URLEncoder.encode("true", HttpUtils.UTF_8)));
         resp.addCookie(newCookie(domain, path,"twoFaEnabled", URLEncoder.encode(loginResponse.is2FAenabled(), HttpUtils.UTF_8)));
         resp.addCookie(newCookie(domain, path,"userfullname", URLEncoder.encode(loginResponse.getFirstName() + " " + loginResponse.getLastName(), HttpUtils.UTF_8).replace("+", "%20")));
+        if (StringUtils.isNotBlank(loginResponse.getManagementServerId())) {
+            resp.addCookie(new Cookie(ApiConstants.MANAGEMENT_SERVER_ID, URLEncoder.encode(loginResponse.getManagementServerId(), HttpUtils.UTF_8)));
+        }
     }
 
     private static Cookie newCookie(final String domain, final String path, final String name, final String value) {
diff --git a/pom.xml b/pom.xml
index 17935c526922..a29a656ce512 100644
--- a/pom.xml
+++ b/pom.xml
@@ -132,7 +132,7 @@
         <cs.axiom.version>1.2.8</cs.axiom.version>
         <cs.axis2.version>1.6.4</cs.axis2.version>
         <cs.batik.version>1.14</cs.batik.version>
-        <cs.bcprov.version>1.70</cs.bcprov.version>
+        <cs.bcprov.version>1.83</cs.bcprov.version>
         <cs.cglib.version>3.3.0</cs.cglib.version>
         <cs.checkstyle-lib.version>8.18</cs.checkstyle-lib.version>
         <cs.cron-utils.version>9.2.0</cs.cron-utils.version>
@@ -170,7 +170,7 @@
         <cs.libvirt-java.version>0.5.3</cs.libvirt-java.version>
         <cs.mail.version>1.5.0-b01</cs.mail.version>
         <cs.mustache.version>0.9.14</cs.mustache.version>
-        <cs.mysql.version>8.0.33</cs.mysql.version>
+        <cs.mysql.version>8.4.0</cs.mysql.version>
         <cs.neethi.version>2.0.4</cs.neethi.version>
         <cs.nitro.version>10.1</cs.nitro.version>
         <cs.opensaml.version>2.6.6</cs.opensaml.version>
@@ -191,6 +191,7 @@
         <cs.ini.version>0.5.4</cs.ini.version>
         <cs.caffeine.version>3.1.7</cs.caffeine.version>
         <cs.protobuf.version>3.25.5</cs.protobuf.version>
+        <cs.minio.version>8.6.0</cs.minio.version>
     </properties>
 
     <distributionManagement>
@@ -583,17 +584,17 @@
             </dependency>
             <dependency>
                 <groupId>org.bouncycastle</groupId>
-                <artifactId>bcpkix-jdk15on</artifactId>
+                <artifactId>bcpkix-jdk18on</artifactId>
                 <version>${cs.bcprov.version}</version>
             </dependency>
             <dependency>
                 <groupId>org.bouncycastle</groupId>
-                <artifactId>bcprov-jdk15on</artifactId>
+                <artifactId>bcprov-jdk18on</artifactId>
                 <version>${cs.bcprov.version}</version>
             </dependency>
             <dependency>
                 <groupId>org.bouncycastle</groupId>
-                <artifactId>bctls-jdk15on</artifactId>
+                <artifactId>bctls-jdk18on</artifactId>
                 <version>${cs.bcprov.version}</version>
             </dependency>
             <dependency>
@@ -668,6 +669,18 @@
                         <groupId>org.slf4j</groupId>
                         <artifactId>log4j-over-slf4j</artifactId>
                     </exclusion>
+                    <exclusion>
+                        <groupId>org.bouncycastle</groupId>
+                        <artifactId>bcprov-jdk15on</artifactId>
+                    </exclusion>
+                    <exclusion>
+                        <groupId>org.bouncycastle</groupId>
+                        <artifactId>bcpkix-jdk15on</artifactId>
+                    </exclusion>
+                    <exclusion>
+                        <groupId>org.bouncycastle</groupId>
+                        <artifactId>bcutil-jdk15on</artifactId>
+                    </exclusion>
                 </exclusions>
             </dependency>
             <dependency>
diff --git a/scripts/util/create-kubernetes-binaries-iso.sh b/scripts/util/create-kubernetes-binaries-iso.sh
index ebaf072771c5..00234f205114 100755
--- a/scripts/util/create-kubernetes-binaries-iso.sh
+++ b/scripts/util/create-kubernetes-binaries-iso.sh
@@ -19,8 +19,8 @@
 set -e
 
 if [ $# -lt 6 ]; then
-    echo "Invalid input. Valid usage: ./create-kubernetes-binaries-iso.sh OUTPUT_PATH KUBERNETES_VERSION CNI_VERSION CRICTL_VERSION WEAVENET_NETWORK_YAML_CONFIG DASHBOARD_YAML_CONFIG BUILD_NAME [ARCH] [ETCD_VERSION]"
-    echo "eg: ./create-kubernetes-binaries-iso.sh ./ 1.11.4 0.7.1 1.11.1 https://github.com/weaveworks/weave/releases/download/latest_release/weave-daemonset-k8s-1.11.yaml https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.0/src/deploy/recommended/kubernetes-dashboard.yaml setup-v1.11.4 amd64"
+    echo "Invalid input. Valid usage: ./create-kubernetes-binaries-iso.sh OUTPUT_PATH KUBERNETES_VERSION CNI_VERSION CRICTL_VERSION WEAVENET_NETWORK_YAML_CONFIG HEADLAMP_DASHBOARD_VERSION BUILD_NAME [ARCH] [ETCD_VERSION]"
+    echo "eg: ./create-kubernetes-binaries-iso.sh ./ 1.11.4 0.7.1 1.11.1 https://github.com/weaveworks/weave/releases/download/latest_release/weave-daemonset-k8s-1.11.yaml 0.40.1 setup-v1.11.4 amd64"
     exit 1
 fi
 
@@ -96,10 +96,11 @@ echo "Downloading network config ${NETWORK_CONFIG_URL}"
 network_conf_file="${working_dir}/network.yaml"
 curl -sSL ${NETWORK_CONFIG_URL} -o ${network_conf_file}
 
-DASHBORAD_CONFIG_URL="${6}"
-echo "Downloading dashboard config ${DASHBORAD_CONFIG_URL}"
-dashboard_conf_file="${working_dir}/dashboard.yaml"
-curl -sSL ${DASHBORAD_CONFIG_URL} -o ${dashboard_conf_file}
+HEADLAMP_DASHBOARD_VERSION="${6}"
+HEADLAMP_DASHBOARD_URL="https://raw.githubusercontent.com/kubernetes-sigs/headlamp/v${HEADLAMP_DASHBOARD_VERSION}/kubernetes-headlamp.yaml"
+echo "Downloading Headlamp manifest from ${HEADLAMP_DASHBOARD_URL}"
+headlamp_conf_file="${working_dir}/headlamp.yaml"
+curl -sSL ${HEADLAMP_DASHBOARD_URL} -o ${headlamp_conf_file}
 
 # TODO : Change the url once merged
 AUTOSCALER_URL="https://raw.githubusercontent.com/kubernetes/autoscaler/master/cluster-autoscaler/cloudprovider/cloudstack/examples/cluster-autoscaler-standard.yaml"
@@ -135,7 +136,7 @@ mkdir -p "${working_dir}/docker"
 output=`${k8s_dir}/kubeadm config images list --kubernetes-version=${RELEASE}`
 
 # Don't forget about the yaml images !
-for i in ${network_conf_file} ${dashboard_conf_file}
+for i in ${network_conf_file} ${headlamp_conf_file}
 do
   images=`grep "image:" $i | cut -d ':' -f2- | tr -d ' ' | tr -d "'"`
   output=`printf "%s\n" ${output} ${images}`
diff --git a/scripts/util/keystore-cert-import b/scripts/util/keystore-cert-import
index a9465f273a3d..cf355e098454 100755
--- a/scripts/util/keystore-cert-import
+++ b/scripts/util/keystore-cert-import
@@ -70,8 +70,8 @@ elif [ ! -f "$CACERT_FILE" ]; then
 fi
 
 # Import cacerts into the keystore
-awk '/-----BEGIN CERTIFICATE-----?/{n++}{print > "cloudca." n }' "$CACERT_FILE"
-for caChain in $(ls cloudca.*); do
+awk 'BEGIN{n=0} /-----BEGIN CERTIFICATE-----/{n++} n>0{print > "cloudca." n }' "$CACERT_FILE"
+for caChain in $(ls cloudca.* 2>/dev/null); do
     keytool -delete -noprompt -alias "$caChain" -keystore "$KS_FILE" -storepass "$KS_PASS" > /dev/null 2>&1 || true
     keytool -import -noprompt -storepass "$KS_PASS" -trustcacerts -alias "$caChain" -file "$caChain" -keystore "$KS_FILE" > /dev/null 2>&1
 done
@@ -137,6 +137,22 @@ if [ -f "$SYSTEM_FILE" ]; then
     chmod 644 /usr/local/share/ca-certificates/cloudstack/ca.crt
     update-ca-certificates > /dev/null 2>&1 || true
 
+    # Import CA cert(s) into realhostip.keystore so the SSVM JVM
+    # (which overrides the truststore via -Djavax.net.ssl.trustStore in _run.sh)
+    # can trust servers signed by the CloudStack CA
+    REALHOSTIP_KS_FILE="$(dirname "$(dirname "$PROPS_FILE")")/certs/realhostip.keystore"
+    REALHOSTIP_PASS="vmops.com"
+    if [ -f "$REALHOSTIP_KS_FILE" ]; then
+        awk 'BEGIN{n=0} /-----BEGIN CERTIFICATE-----/{n++} n>0{print > "cloudca." n }' "$CACERT_FILE"
+        for caChain in $(ls cloudca.* 2>/dev/null); do
+            keytool -delete -noprompt -alias "$caChain" -keystore "$REALHOSTIP_KS_FILE" \
+                -storepass "$REALHOSTIP_PASS" > /dev/null 2>&1 || true
+            keytool -import -noprompt -trustcacerts -alias "$caChain" -file "$caChain" \
+                -keystore "$REALHOSTIP_KS_FILE" -storepass "$REALHOSTIP_PASS" > /dev/null 2>&1
+        done
+        rm -f cloudca.*
+    fi
+
     # Ensure cloud service is running in systemvm
     if [ "$MODE" == "ssh" ]; then
         systemctl start cloud > /dev/null 2>&1
diff --git a/scripts/vm/hypervisor/kvm/gpudiscovery.sh b/scripts/vm/hypervisor/kvm/gpudiscovery.sh
index bf6892c898db..524f86241860 100755
--- a/scripts/vm/hypervisor/kvm/gpudiscovery.sh
+++ b/scripts/vm/hypervisor/kvm/gpudiscovery.sh
@@ -357,7 +357,33 @@
 
 #   	"vgpu_instances":[],
 #   	"vf_instances":[]
-# 	  }
+# 	  },
+# 	  {
+#       "pci_address": "0001:65:00.0",
+#       "vendor_id": "10de",
+#       "device_id": "20B0",
+#       "vendor": "NVIDIA Corporation",
+#       "device": "A100-SXM4-40GB",
+#       "driver": "nvidia",
+#       "pci_class": "3D controller",
+#       "iommu_group": "20",
+#       "sriov_totalvfs": 0,
+#       "sriov_numvfs": 0,
+#
+#       "full_passthrough": {
+#         "enabled": true,
+#         "libvirt_address": {
+#           "domain": "0x0001",
+#           "bus": "0x65",
+#           "slot": "0x00",
+#           "function": "0x0"
+#         },
+#         "used_by_vm": "ml-train"
+#       },
+#
+#       "vgpu_instances": [],
+#       "vf_instances": []
+#     }
 #   ]
 # }
 #
@@ -416,9 +442,18 @@ parse_nvidia_vgpu_profiles() {
 			store_profile_data
 
 			gpu_address="${BASH_REMATCH[1]}"
-			# Convert from format like 00000000:AF:00.0 to AF:00.0 and normalize to lowercase
-			if [[ $gpu_address =~ [0-9A-Fa-f]+:([0-9A-Fa-f]+:[0-9A-Fa-f]+\.[0-9A-Fa-f]+) ]]; then
-				gpu_address="${BASH_REMATCH[1],,}"
+			# nvidia-smi reports addresses in the form "00000000:AF:00.0"
+			# (8-digit domain). Reformat to the canonical 4-digit
+			# "dddd:bb:ss.f" lowercase form so cache keys line up with the
+			# normalize_pci_address output used at lookup time. Short
+			# addresses ("AF:00.0") are widened by prepending domain 0.
+			if [[ $gpu_address =~ ^([0-9A-Fa-f]+):([0-9A-Fa-f]+):([0-9A-Fa-f]+)\.([0-9A-Fa-f]+)$ ]]; then
+				gpu_address=$(printf "%04x:%02x:%02x.%x" \
+					"0x${BASH_REMATCH[1]}" "0x${BASH_REMATCH[2]}" \
+					"0x${BASH_REMATCH[3]}" "0x${BASH_REMATCH[4]}")
+			elif [[ $gpu_address =~ ^([0-9A-Fa-f]+):([0-9A-Fa-f]+)\.([0-9A-Fa-f]+)$ ]]; then
+				gpu_address=$(printf "0000:%02x:%02x.%x" \
+					"0x${BASH_REMATCH[1]}" "0x${BASH_REMATCH[2]}" "0x${BASH_REMATCH[3]}")
 			else
 				gpu_address="${gpu_address,,}"
 			fi
@@ -506,10 +541,58 @@ get_nvidia_profile_info() {
 	fi
 }
 
-# Get nodedev name for a PCI address (e.g. "00:02.0" -> "pci_0000_00_02_0")
-get_nodedev_name() {
+# Parse a PCI address and assign the libvirt-formatted DOMAIN/BUS/SLOT/FUNC
+# values into the caller's scope. Accepts both full ("0000:00:02.0") and short
+# ("00:02.0") formats; short addresses are assumed to be in PCI domain 0.
+#
+# IMPORTANT: bash uses dynamic scoping, so callers that don't want these four
+# values to leak into the global scope MUST declare them `local` before
+# invoking this function, e.g.:
+#     local DOMAIN BUS SLOT FUNC
+#     parse_pci_address "$addr"
+parse_pci_address() {
 	local addr="$1"
-	echo "pci_$(echo "$addr" | sed 's/[:.]/\_/g' | sed 's/^/0000_/')"
+	if [[ $addr =~ ^([0-9A-Fa-f]+):([0-9A-Fa-f]+):([0-9A-Fa-f]+)\.([0-9A-Fa-f]+)$ ]]; then
+		DOMAIN=$(printf "0x%04x" "0x${BASH_REMATCH[1]}")
+		BUS=$(printf "0x%02x" "0x${BASH_REMATCH[2]}")
+		SLOT=$(printf "0x%02x" "0x${BASH_REMATCH[3]}")
+		FUNC=$(printf "0x%x" "0x${BASH_REMATCH[4]}")
+	elif [[ $addr =~ ^([0-9A-Fa-f]+):([0-9A-Fa-f]+)\.([0-9A-Fa-f]+)$ ]]; then
+		DOMAIN="0x0000"
+		BUS=$(printf "0x%02x" "0x${BASH_REMATCH[1]}")
+		SLOT=$(printf "0x%02x" "0x${BASH_REMATCH[2]}")
+		FUNC=$(printf "0x%x" "0x${BASH_REMATCH[3]}")
+	else
+		DOMAIN="0x0000"
+		BUS="0x00"
+		SLOT="0x00"
+		FUNC="0x0"
+	fi
+}
+
+# Normalize a PCI address to its canonical full domain-qualified form
+# ("dddd:bb:ss.f", lowercase, zero-padded). Both "dddd:bb:ss.f" (full) and
+# "bb:ss.f" (short, domain 0) inputs are accepted.
+normalize_pci_address() {
+	local addr="$1"
+	if [[ $addr =~ ^([0-9A-Fa-f]+):([0-9A-Fa-f]+):([0-9A-Fa-f]+)\.([0-9A-Fa-f]+)$ ]]; then
+		printf "%04x:%02x:%02x.%x\n" \
+			"0x${BASH_REMATCH[1]}" "0x${BASH_REMATCH[2]}" \
+			"0x${BASH_REMATCH[3]}" "0x${BASH_REMATCH[4]}"
+	elif [[ $addr =~ ^([0-9A-Fa-f]+):([0-9A-Fa-f]+)\.([0-9A-Fa-f]+)$ ]]; then
+		printf "0000:%02x:%02x.%x\n" \
+			"0x${BASH_REMATCH[1]}" "0x${BASH_REMATCH[2]}" "0x${BASH_REMATCH[3]}"
+	else
+		echo "$addr"
+	fi
+}
+
+# Get nodedev name for a PCI address (e.g. "0000:00:02.0" -> "pci_0000_00_02_0").
+# Short addresses are widened to domain 0 first.
+get_nodedev_name() {
+	local addr
+	addr=$(normalize_pci_address "$1")
+	echo "pci_$(echo "$addr" | sed 's/[:.]/\_/g')"
 }
 
 # Get cached nodedev XML for a PCI address
@@ -572,9 +655,12 @@ get_numa_node() {
 	echo "${node:--1}"
 }
 
-# Given a PCI address, return its PCI root (the top‐level bridge ID, e.g. "0000:00:03")
+# Given a PCI address, return its PCI root (the top‐level bridge ID, e.g.
+# "0000:00:03.0"). Both full ("0000:00:02.0") and short ("00:02.0") inputs are
+# accepted; output is always domain-qualified.
 get_pci_root() {
-	local addr="$1"
+	local addr
+	addr=$(normalize_pci_address "$1")
 	local xml
 	xml=$(get_nodedev_xml "$addr")
 
@@ -583,21 +669,23 @@ get_pci_root() {
 		local parent
 		parent=$(echo "$xml" | xmlstarlet sel -t -v "/device/parent" 2>/dev/null || true)
 		if [[ -n "$parent" ]]; then
-			# If parent is a PCI device, recursively find its root
-			if [[ $parent =~ ^pci_0000_([0-9A-Fa-f]{2})_([0-9A-Fa-f]{2})_([0-9A-Fa-f])$ ]]; then
-				local parent_addr="${BASH_REMATCH[1]}:${BASH_REMATCH[2]}.${BASH_REMATCH[3]}"
+			# If parent is a PCI device, recursively find its root.
+			# libvirt nodedev names look like pci_<domain>_<bus>_<slot>_<func>
+			# where <domain> is one or more hex digits (typically 4).
+			if [[ $parent =~ ^pci_([0-9A-Fa-f]+)_([0-9A-Fa-f]{2})_([0-9A-Fa-f]{2})_([0-9A-Fa-f])$ ]]; then
+				local parent_addr="${BASH_REMATCH[1]}:${BASH_REMATCH[2]}:${BASH_REMATCH[3]}.${BASH_REMATCH[4]}"
 				get_pci_root "$parent_addr"
 				return
 			else
-				# Parent is not PCI device, so current device is the root
-				echo "0000:$addr"
+				# Parent is not a PCI device, so current device is the root
+				echo "$addr"
 				return
 			fi
 		fi
 	fi
 
 	# fallback
-	echo "0000:$addr"
+	echo "$addr"
 }
 
 # Build VM → hostdev maps:
@@ -613,18 +701,23 @@ for VM in "${VMS[@]}"; do
 		continue
 	fi
 
-	# -- PCI hostdevs: use xmlstarlet to extract BDF for all PCI host devices --
-	while read -r bus slot func; do
+	# -- PCI hostdevs: use xmlstarlet to extract the full domain:bus:slot.func
+	# for all PCI host devices. libvirt's <address> element may omit the domain
+	# attribute, in which case we default to 0.
+	while IFS=: read -r dom bus slot func; do
 		[[ -n "$bus" && -n "$slot" && -n "$func" ]] || continue
-		# Format to match lspci output (e.g., 01:00.0) by padding with zeros
+		[[ -n "$dom" ]] || dom="0"
+		# Format to match lspci -D output (e.g., 0000:01:00.0) by padding with zeros
+		dom_fmt=$(printf "%04x" "0x$dom")
 		bus_fmt=$(printf "%02x" "0x$bus")
 		slot_fmt=$(printf "%02x" "0x$slot")
 		func_fmt=$(printf "%x" "0x$func")
-		BDF="$bus_fmt:$slot_fmt.$func_fmt"
+		BDF="${dom_fmt}:${bus_fmt}:${slot_fmt}.${func_fmt}"
 		pci_to_vm["$BDF"]="$VM"
 	done < <(echo "$xml" | xmlstarlet sel -T -t -m "//hostdev[@type='pci']/source/address" \
-		-v "substring-after(@bus, '0x')" -o " " \
-		-v "substring-after(@slot, '0x')" -o " " \
+		-v "substring-after(@domain, '0x')" -o ":" \
+		-v "substring-after(@bus, '0x')" -o ":" \
+		-v "substring-after(@slot, '0x')" -o ":" \
 		-v "substring-after(@function, '0x')" -n 2>/dev/null || true)
 
 	# -- MDEV hostdevs: use xmlstarlet to extract UUIDs --
@@ -677,7 +770,8 @@ parse_and_add_gpu_properties() {
 # Appends JSON strings for each found mdev instance to the global 'vlist' array.
 # Arguments:
 #   $1: mdev_base_path (e.g., /sys/bus/pci/devices/.../mdev_supported_types)
-#   $2: bdf (e.g., 01:00.0)
+#   $2: bdf — short "bb:ss.f" (e.g. 01:00.0) or full
+#       "dddd:bb:ss.f" (e.g. 0001:65:00.0) for non-zero PCI domains
 process_mdev_instances() {
 	local mdev_base_path="$1"
 	local bdf="$2"
@@ -705,10 +799,8 @@ process_mdev_instances() {
 				local MDEV_UUID
 				MDEV_UUID=$(basename "$UDIR")
 
-				local DOMAIN="0x0000"
-				local BUS="0x${bdf:0:2}"
-				local SLOT="0x${bdf:3:2}"
-				local FUNC="0x${bdf:6:1}"
+				local DOMAIN BUS SLOT FUNC
+				parse_pci_address "$bdf"
 
 				local raw
 				raw="${mdev_to_vm[$MDEV_UUID]:-}"
@@ -727,6 +819,10 @@ process_mdev_instances() {
 # Parse nvidia-smi vgpu profiles once at the beginning
 parse_nvidia_vgpu_profiles
 
+# `lspci -nnm` keeps the existing output format for devices in PCI domain 0
+# (short "bb:ss.f" form) and includes the domain prefix only for devices on
+# non-zero PCI segments (multi-IIO servers, some ARM systems). The helpers
+# below (parse_pci_address, normalize_pci_address) accept both formats.
 mapfile -t LINES < <(lspci -nnm)
 
 echo '{ "gpus": ['
@@ -743,13 +839,18 @@ for LINE in "${LINES[@]}"; do
 		continue
 	fi
 
+	# sysfs paths always require the full domain-qualified form. PCI_ADDR may
+	# be short ("00:02.0") for domain 0 or full ("0001:65:00.0") otherwise, so
+	# we derive a separate SYSFS_ADDR just for filesystem lookups.
+	SYSFS_ADDR=$(normalize_pci_address "$PCI_ADDR")
+
 	# If this is a VF, skip it. It will be processed under its PF.
-	if [[ -e "/sys/bus/pci/devices/0000:$PCI_ADDR/physfn" ]]; then
+	if [[ -e "/sys/bus/pci/devices/$SYSFS_ADDR/physfn" ]]; then
 		continue
 	fi
 
-	# Only process GPU classes (3D controller)
-	if [[ ! "$PCI_CLASS" =~ (3D\ controller|Processing\ accelerators) ]]; then
+	# Only process PCI classes - 3D controller, Processing accelerators, Display controller
+	if [[ ! "$PCI_CLASS" =~ (3D\ controller|Processing\ accelerators|Display\ controller) ]]; then
 		continue
 	fi
 
@@ -761,7 +862,7 @@ for LINE in "${LINES[@]}"; do
 	DEVICE_ID=$(sed -E 's/.*\[([0-9A-Fa-f]{4})\]$/\1/' <<<"$DEVICE_FIELD")
 
 	# Kernel driver
-	DRV_PATH="/sys/bus/pci/devices/0000:$PCI_ADDR/driver"
+	DRV_PATH="/sys/bus/pci/devices/$SYSFS_ADDR/driver"
 	if [[ -L $DRV_PATH ]]; then
 		DRIVER=$(basename "$(readlink "$DRV_PATH")")
 	else
@@ -781,7 +882,7 @@ for LINE in "${LINES[@]}"; do
 	read -r TOTALVFS NUMVFS < <(get_sriov_counts "$PCI_ADDR")
 
 	# Get Physical GPU properties from its own description file, if available
-	PF_DESC_PATH="/sys/bus/pci/devices/0000:$PCI_ADDR/description"
+	PF_DESC_PATH="/sys/bus/pci/devices/$SYSFS_ADDR/description"
 	parse_and_add_gpu_properties "$PF_DESC_PATH"
 	# Save physical function's properties before they are overwritten by vGPU/VF processing
 	PF_MAX_INSTANCES=$MAX_INSTANCES
@@ -791,25 +892,27 @@ for LINE in "${LINES[@]}"; do
 	PF_MAX_RESOLUTION_Y=$MAX_RESOLUTION_Y
 
 	# === full_passthrough usage ===
-	raw="${pci_to_vm[$PCI_ADDR]:-}"
+	# pci_to_vm is keyed by the full domain-qualified form, so normalize the
+	# lspci-style PCI_ADDR (which may be short for domain 0) before lookup.
+	raw="${pci_to_vm[$(normalize_pci_address "$PCI_ADDR")]:-}"
 	FULL_USED_JSON=$(to_json_vm "$raw")
 
 	# === vGPU (MDEV) instances ===
 	VGPU_ARRAY="[]"
 	declare -a vlist=()
 	# Process mdev on the Physical Function
-	MDEV_BASE="/sys/bus/pci/devices/0000:$PCI_ADDR/mdev_supported_types"
+	MDEV_BASE="/sys/bus/pci/devices/$SYSFS_ADDR/mdev_supported_types"
 	process_mdev_instances "$MDEV_BASE" "$PCI_ADDR"
 
 	# === VF instances (SR-IOV / MIG) ===
 	VF_ARRAY="[]"
 	declare -a flist=()
 	if ((TOTALVFS > 0)); then
-		for VF_LINK in /sys/bus/pci/devices/0000:"$PCI_ADDR"/virtfn*; do
+		for VF_LINK in /sys/bus/pci/devices/"$SYSFS_ADDR"/virtfn*; do
 			[[ -L $VF_LINK ]] || continue
 			VF_PATH=$(readlink -f "$VF_LINK")
-			VF_ADDR=${VF_PATH##*/} # e.g. "0000:65:00.2"
-			VF_BDF="${VF_ADDR:5}"  # "65:00.2"
+			# Keep the full domain-qualified address (e.g. "0000:65:00.2")
+			VF_BDF=${VF_PATH##*/}
 
 			# For NVIDIA SR-IOV, check for vGPU (mdev) on the VF itself
 			if [[ "$VENDOR_ID" == "10de" ]]; then
@@ -817,10 +920,7 @@ for LINE in "${LINES[@]}"; do
 				process_mdev_instances "$VF_MDEV_BASE" "$VF_BDF"
 			fi
 
-			DOMAIN="0x0000"
-			BUS="0x${VF_BDF:0:2}"
-			SLOT="0x${VF_BDF:3:2}"
-			FUNC="0x${VF_BDF:6:1}"
+			parse_pci_address "$VF_BDF"
 
 			# Determine vf_profile using nvidia-smi information
 			VF_PROFILE=""
@@ -835,8 +935,10 @@ for LINE in "${LINES[@]}"; do
 				# For NVIDIA GPUs, check current vGPU type
 				current_vgpu_type=$(get_current_vgpu_type "$VF_PATH")
 				if [[ "$current_vgpu_type" != "0" ]]; then
-					# Get profile info from nvidia-smi cache
-					profile_info=$(get_nvidia_profile_info "$PCI_ADDR" "$current_vgpu_type")
+					# nvidia_vgpu_profiles is keyed by the canonical full
+					# "dddd:bb:ss.f" form, so widen PCI_ADDR (which may be
+					# short for domain 0) before the cache lookup.
+					profile_info=$(get_nvidia_profile_info "$(normalize_pci_address "$PCI_ADDR")" "$current_vgpu_type")
 					IFS='|' read -r VF_PROFILE_NAME VF_MAX_INSTANCES VF_VIDEO_RAM VF_MAX_HEADS VF_MAX_RESOLUTION_X VF_MAX_RESOLUTION_Y <<< "$profile_info"
 					VF_PROFILE="$VF_PROFILE_NAME"
 				fi
@@ -853,12 +955,17 @@ for LINE in "${LINES[@]}"; do
 			fi
 			VF_PROFILE_JSON=$(json_escape "$VF_PROFILE")
 
-			# Determine which VM uses this VF_BDF
-			raw="${pci_to_vm[$VF_BDF]:-}"
+			# Determine which VM uses this VF_BDF (normalize for map lookup)
+			raw="${pci_to_vm[$(normalize_pci_address "$VF_BDF")]:-}"
 			USED_JSON=$(to_json_vm "$raw")
 
+			# For backward-compat JSON output, strip the default "0000:" domain
+			# prefix so domain-0 VFs still print as "65:00.2" rather than the
+			# full "0000:65:00.2". Non-zero domains are preserved unchanged.
+			VF_DISPLAY_ADDR="${VF_BDF#0000:}"
+
 			flist+=(
-				"{\"vf_pci_address\":\"$VF_BDF\",\"vf_profile\":$VF_PROFILE_JSON,\"max_instances\":$VF_MAX_INSTANCES,\"video_ram\":$VF_VIDEO_RAM,\"max_heads\":$VF_MAX_HEADS,\"max_resolution_x\":$VF_MAX_RESOLUTION_X,\"max_resolution_y\":$VF_MAX_RESOLUTION_Y,\"libvirt_address\":{\"domain\":\"$DOMAIN\",\"bus\":\"$BUS\",\"slot\":\"$SLOT\",\"function\":\"$FUNC\"},\"used_by_vm\":$USED_JSON}")
+				"{\"vf_pci_address\":\"$VF_DISPLAY_ADDR\",\"vf_profile\":$VF_PROFILE_JSON,\"max_instances\":$VF_MAX_INSTANCES,\"video_ram\":$VF_VIDEO_RAM,\"max_heads\":$VF_MAX_HEADS,\"max_resolution_x\":$VF_MAX_RESOLUTION_X,\"max_resolution_y\":$VF_MAX_RESOLUTION_Y,\"libvirt_address\":{\"domain\":\"$DOMAIN\",\"bus\":\"$BUS\",\"slot\":\"$SLOT\",\"function\":\"$FUNC\"},\"used_by_vm\":$USED_JSON}")
 		done
 		if [ ${#flist[@]} -gt 0 ]; then
 			VF_ARRAY="[$(
@@ -882,10 +989,9 @@ for LINE in "${LINES[@]}"; do
 	if [[ ${#vlist[@]} -eq 0 && ${#flist[@]} -eq 0 ]]; then
 		FP_ENABLED=1
 	fi
-	DOMAIN="0x0000"
-	BUS="0x${PCI_ADDR:0:2}"
-	SLOT="0x${PCI_ADDR:3:2}"
-	FUNC="0x${PCI_ADDR:6:1}"
+
+	# Sets global DOMAIN/BUS/SLOT/FUNC for JSON output below
+	parse_pci_address "$PCI_ADDR"
 
 	# Emit JSON
 	if $first_gpu; then
diff --git a/scripts/vm/hypervisor/kvm/kvmheartbeat.sh b/scripts/vm/hypervisor/kvm/kvmheartbeat.sh
index 9b7eadada69f..1fa49b807769 100755
--- a/scripts/vm/hypervisor/kvm/kvmheartbeat.sh
+++ b/scripts/vm/hypervisor/kvm/kvmheartbeat.sh
@@ -75,7 +75,7 @@ fi
 #delete VMs on this mountpoint
 deleteVMs() {
   local mountPoint=$1
-  vmPids=$(ps aux| grep qemu | grep "$mountPoint" | awk '{print $2}' 2> /dev/null)
+  vmPids=$(ps aux | grep qemu | grep "$mountPoint" | awk '{print $2}' 2> /dev/null)
   if [ $? -gt 0 ]
   then
      return
@@ -93,7 +93,7 @@ deleteVMs() {
 }
 
 #checking is there the same nfs server mounted under $MountPoint?
-mounts=$(cat /proc/mounts |grep nfs|grep $MountPoint)
+mounts=$(cat /proc/mounts | grep nfs | grep $MountPoint)
 if [ $? -gt 0 ]
 then
    # remount it
diff --git a/scripts/vm/hypervisor/kvm/kvmsmpheartbeat.sh b/scripts/vm/hypervisor/kvm/kvmsmpheartbeat.sh
new file mode 100755
index 000000000000..b102a1a866bb
--- /dev/null
+++ b/scripts/vm/hypervisor/kvm/kvmsmpheartbeat.sh
@@ -0,0 +1,218 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+help() {
+  printf "Usage: $0
+                -i identifier (required for CLI compatibility; value ignored by local-only heartbeat)
+                -p path (required for CLI compatibility; value ignored by local-only heartbeat)
+                -m mount point (local path where heartbeat will be written)
+                -h host (host IP/name to include in heartbeat filename)
+                -r write/read hb log (read-check mode)
+                -c cleanup (trigger emergency reboot)
+                -t interval between read hb log\n"
+  exit 1
+}
+
+#set -x
+NfsSvrIP=
+NfsSvrPath=
+MountPoint=
+HostIP=
+interval=
+rflag=0
+cflag=0
+
+while getopts 'i:p:m:h:t:rc' OPTION
+do
+  case $OPTION in
+  i)
+     NfsSvrIP="$OPTARG"
+     ;; # retained for CLI compatibility but unused for this script
+  p)
+     NfsSvrPath="$OPTARG"
+     ;; # retained for CLI compatibility but unused for this script
+  m)
+     MountPoint="$OPTARG"
+     ;;
+  h)
+     HostIP="$OPTARG"
+     ;;
+  r)
+     rflag=1
+     ;;
+  t)
+     interval="$OPTARG"
+     ;;
+  c)
+    cflag=1
+     ;;
+  *)
+     help
+     ;;
+  esac
+done
+
+# For heartbeat we require a mountpoint
+if [ -z "$MountPoint" ]
+then
+   echo "Mount point (-m) is required"
+   help
+fi
+
+# Validate mount point exists, is (if possible) a mounted filesystem, and is writable
+if [ ! -d "$MountPoint" ]; then
+  echo "Mount point directory does not exist: $MountPoint" >&2
+  exit 1
+fi
+
+# If the 'mountpoint' utility is available, ensure this is an actual mount
+if command -v mountpoint >/dev/null 2>&1; then
+  if ! mountpoint -q "$MountPoint"; then
+    echo "Mount point is not a mounted filesystem: $MountPoint" >&2
+    exit 1
+  fi
+fi
+
+# Ensure the mount point is writable
+if [ ! -w "$MountPoint" ]; then
+  echo "Mount point is not writable: $MountPoint" >&2
+  exit 1
+fi
+#delete VMs on this mountpoint (best-effort)
+deleteVMs() {
+  local mountPoint=$1
+  # ensure it ends with a single trailing slash
+  mountPoint="${mountPoint%/}/"
+
+  vmPids=$(ps aux | grep qemu | grep "$mountPoint" | awk '{print $2}' 2> /dev/null)
+
+  if [ -z "$vmPids" ]
+  then
+     return
+  fi
+
+  for pid in $vmPids
+  do
+     kill -9 $pid &> /dev/null
+  done
+}
+
+#checking is there the mount point present under $MountPoint?
+if grep -q "^[^ ]\+ $MountPoint " /proc/mounts
+then
+   # mount exists; nothing to do here; keep for compatibility with original flow
+   :
+else
+   # mount point not present
+   # if not in read-check mode, consider deleting VMs similar to original behavior
+   if [ "$rflag" == "0" ]
+   then
+     deleteVMs $MountPoint
+   fi
+fi
+
+hbFolder="$MountPoint/KVMHA"
+hbFile="$hbFolder/hb-$HostIP"
+
+write_hbLog() {
+#write the heart beat log
+  stat "$hbFile" &> /dev/null
+  if [ $? -gt 0 ]
+  then
+     # create a new one
+     mkdir -p "$hbFolder" &> /dev/null
+     # touch will be done by atomic write below; ensure folder is writable
+     if [ ! -w "$hbFolder" ]; then
+       printf "Folder not writable: $hbFolder" >&2
+       return 2
+     fi
+  fi
+
+  timestamp=$(date +%s)
+  # Write atomically to avoid partial writes (write to tmp then mv)
+  tmpfile="${hbFile}.$$"
+  printf "%s\n" "$timestamp" > "$tmpfile" 2>/dev/null
+  if [ $? -ne 0 ]; then
+    printf "Failed to write heartbeat to $tmpfile" >&2
+    return 2
+  fi
+  mv -f "$tmpfile" "$hbFile" 2>/dev/null
+  return $?
+}
+
+check_hbLog() {
+  hb_diff=0
+  if [ ! -f "$hbFile" ]; then
+    # signal large difference if file missing
+    hb_diff=999999
+    return 1
+  fi
+  now=$(date +%s)
+  hb=$(cat "$hbFile" 2>/dev/null)
+  if [ -z "$hb" ]; then
+    hb_diff=999998
+    return 1
+  fi
+  diff=`expr $now - $hb 2>/dev/null`
+  if [ $? -ne 0 ]
+  then
+    hb_diff=999997
+    return 1
+  fi
+  if [ -z "$interval" ]; then
+    # if no interval provided, consider 0 as success
+    if [ $diff -gt 0 ]; then
+      hb_diff=$diff
+      return 1
+    else
+      hb_diff=0
+      return 0
+    fi
+  fi
+  if [ $diff -gt $interval ]
+  then
+    hb_diff=$diff
+    return 1
+  fi
+  hb_diff=0
+  return 0
+}
+
+if [ "$rflag" == "1" ]
+then
+  check_hbLog
+  status=$?
+  diff="${hb_diff:-0}"
+  if [ $status -eq 0 ]
+  then
+    echo "=====> ALIVE <====="
+  else
+    echo "=====> Considering host as DEAD because last write on [$hbFile] was [$diff] seconds ago, but the max interval is [$interval] <======"
+  fi
+  exit 0
+elif [ "$cflag" == "1" ]
+then
+  /usr/bin/logger -t heartbeat "kvmsmpheartbeat.sh will reboot system because it was unable to write the heartbeat to the storage."
+  sync &
+  sleep 5
+  echo b > /proc/sysrq-trigger
+  exit $?
+else
+  write_hbLog
+  exit $?
+fi
diff --git a/scripts/vm/hypervisor/kvm/nasbackup.sh b/scripts/vm/hypervisor/kvm/nasbackup.sh
index 7f4a4b621929..441312f35e86 100755
--- a/scripts/vm/hypervisor/kvm/nasbackup.sh
+++ b/scripts/vm/hypervisor/kvm/nasbackup.sh
@@ -90,17 +90,42 @@ sanity_checks() {
 
 ### Operation methods ###
 
+get_ceph_uuid_from_path() {
+  local fullpath="$1"
+  # disk for rbd => rbd:<pool>/<uuid>:mon_host=<monitor_host>...
+  # sample: rbd:cloudstack/53d5c355-d726-4d3e-9422-046a503a0b12:mon_host=10.0.1.2...
+  local beforeUuid="${fullpath#*/}" # Remove up to first slash after rbd:
+  local volUuid="${beforeUuid%%:*}" # Remove everything after colon to get the uuid
+  echo ""$volUuid""
+}
+
+get_linstor_uuid_from_path() {
+  local fullpath="$1"
+  # disk for linstor => /dev/drbd/by-res/cs-<uuid>/0
+  # sample: /dev/drbd/by-res/cs-53d5c355-d726-4d3e-9422-046a503a0b12/0
+  local beforeUuid="${fullpath#/dev/drbd/by-res/}"
+  local volUuid="${beforeUuid%%/*}"
+  volUuid="${volUuid#cs-}"
+  echo "$volUuid"
+}
+
 backup_running_vm() {
   mount_operation
   mkdir -p "$dest" || { echo "Failed to create backup directory $dest"; exit 1; }
 
   name="root"
   echo "<domainbackup mode='push'><disks>" > $dest/backup.xml
-  for disk in $(virsh -c qemu:///system domblklist $VM --details 2>/dev/null | awk '/disk/{print$3}'); do
-    volpath=$(virsh -c qemu:///system domblklist $VM --details | awk "/$disk/{print $4}" | sed 's/.*\///')
-    echo "<disk name='$disk' backup='yes' type='file' backupmode='full'><driver type='qcow2'/><target file='$dest/$name.$volpath.qcow2' /></disk>" >> $dest/backup.xml
+  while read -r disk fullpath; do
+    if [[ "$fullpath" == /dev/drbd/by-res/* ]]; then
+        volUuid=$(get_linstor_uuid_from_path "$fullpath")
+    else
+        volUuid="${fullpath##*/}"
+    fi
+    echo "<disk name='$disk' backup='yes' type='file' backupmode='full'><driver type='qcow2'/><target file='$dest/$name.$volUuid.qcow2' /></disk>" >> $dest/backup.xml
     name="datadisk"
-  done
+  done < <(
+    virsh -c qemu:///system domblklist "$VM" --details 2>/dev/null | awk '$2=="disk"{print $3, $4}'
+  )
   echo "</disks></domainbackup>" >> $dest/backup.xml
 
   local thaw=0
@@ -147,6 +172,25 @@ backup_running_vm() {
     sleep 5
   done
 
+  # Use qemu-img convert to sparsify linstor backups which get bloated due to virsh backup-begin.
+  name="root"
+  while read -r disk fullpath; do
+    if [[ "$fullpath" != /dev/drbd/by-res/* ]]; then
+      continue
+    fi
+    volUuid=$(get_linstor_uuid_from_path "$fullpath")
+    if ! qemu-img convert -O qcow2 "$dest/$name.$volUuid.qcow2" "$dest/$name.$volUuid.qcow2.tmp" >> "$logFile" 2> >(cat >&2); then
+      echo "qemu-img convert failed for $dest/$name.$volUuid.qcow2"
+      cleanup
+      exit 1
+    fi
+
+    mv "$dest/$name.$volUuid.qcow2.tmp" "$dest/$name.$volUuid.qcow2"
+    name="datadisk"
+  done < <(
+    virsh -c qemu:///system domblklist "$VM" --details 2>/dev/null | awk '$2=="disk"{print $3, $4}'
+  )
+
   rm -f $dest/backup.xml
   sync
 
@@ -167,10 +211,9 @@ backup_stopped_vm() {
   name="root"
   for disk in $DISK_PATHS; do
     if [[ "$disk" == rbd:* ]]; then
-      # disk for rbd => rbd:<pool>/<uuid>:mon_host=<monitor_host>...
-      # sample: rbd:cloudstack/53d5c355-d726-4d3e-9422-046a503a0b12:mon_host=10.0.1.2...
-      beforeUuid="${disk#*/}"     # Remove up to first slash after rbd:
-      volUuid="${beforeUuid%%:*}" # Remove everything after colon to get the uuid
+      volUuid=$(get_ceph_uuid_from_path "$disk")
+    elif [[ "$disk" == /dev/drbd/by-res/* ]]; then
+      volUuid=$(get_linstor_uuid_from_path "$disk")
     else
       volUuid="${disk##*/}"
     fi
diff --git a/server/src/main/java/com/cloud/agent/manager/allocator/impl/BaseAllocator.java b/server/src/main/java/com/cloud/agent/manager/allocator/impl/BaseAllocator.java
new file mode 100644
index 000000000000..58fcc62cdc31
--- /dev/null
+++ b/server/src/main/java/com/cloud/agent/manager/allocator/impl/BaseAllocator.java
@@ -0,0 +1,90 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.agent.manager.allocator.impl;
+
+import com.cloud.agent.manager.allocator.HostAllocator;
+import com.cloud.capacity.CapacityManager;
+import com.cloud.host.Host;
+import com.cloud.host.HostVO;
+import com.cloud.host.dao.HostDao;
+import com.cloud.offering.ServiceOffering;
+import com.cloud.utils.Pair;
+import com.cloud.utils.component.AdapterBase;
+import org.apache.commons.collections.CollectionUtils;
+
+import javax.inject.Inject;
+import java.util.List;
+
+public abstract class BaseAllocator extends AdapterBase implements HostAllocator {
+
+    @Inject
+    protected HostDao hostDao;
+
+    @Inject
+    protected CapacityManager capacityManager;
+
+    protected void retainHostsMatchingServiceOfferingAndTemplateTags(List<HostVO> availableHosts, Host.Type type, long dcId, Long podId, Long clusterId, String offeringHostTag, String templateTag) {
+        logger.debug("Hosts {} will be checked for template and host tags compatibility.", availableHosts);
+
+        if (offeringHostTag != null) {
+            logger.debug("Looking for hosts having the tag [{}] specified in the Service Offering.", offeringHostTag);
+            List<HostVO> hostsWithHostTag = hostDao.listByHostTag(type, clusterId, podId, dcId, offeringHostTag);
+            logger.debug("Retaining hosts {} because they match the offering host tag {}.", hostsWithHostTag, offeringHostTag);
+            availableHosts.retainAll(hostsWithHostTag);
+        }
+
+        if (templateTag != null) {
+            logger.debug("Looking for hosts having the tag [{}] specified in the Template.", templateTag);
+            List<HostVO> hostsWithTemplateTag = hostDao.listByHostTag(type, clusterId, podId, dcId, templateTag);
+            logger.debug("Retaining hosts {} because they match the template tag {}.", hostsWithTemplateTag, templateTag);
+            availableHosts.retainAll(hostsWithTemplateTag);
+        }
+
+        logger.debug("Remaining hosts after template tag and host tags validations are {}.", availableHosts);
+    }
+
+    protected void addHostsBasedOnTagRules(String hostTagOnOffering, List<HostVO> clusterHosts) {
+        List<HostVO> hostsWithTagRules = hostDao.findHostsWithTagRuleThatMatchComputeOfferingTags(hostTagOnOffering);
+
+        if (CollectionUtils.isEmpty(hostsWithTagRules)) {
+            logger.info("No hosts found with tag rules matching the compute offering tag [{}].", hostTagOnOffering);
+            return;
+        }
+
+        logger.info("Found hosts {} with tag rules matching the compute offering tag [{}].", hostsWithTagRules, hostTagOnOffering);
+        clusterHosts.addAll(hostsWithTagRules);
+    }
+
+    /**
+     * Adds hosts with enough CPU capability and enough CPU capacity to the suitable hosts list.
+     */
+    protected boolean hostHasCpuCapabilityAndCapacity(boolean considerReservedCapacity, ServiceOffering offering, Host host) {
+        logger.debug("Looking for CPU frequency {} MHz and RAM {} MB.", () -> offering.getCpu() * offering.getSpeed(), offering::getRamSize);
+        Pair<Boolean, Boolean> cpuCapabilityAndCapacity = capacityManager.checkIfHostHasCpuCapabilityAndCapacity(host, offering, considerReservedCapacity);
+        Boolean hasCpuCapability = cpuCapabilityAndCapacity.first();
+        Boolean hasCpuCapacity = cpuCapabilityAndCapacity.second();
+
+        if (hasCpuCapability && hasCpuCapacity) {
+            logger.debug("Host {} is a suitable host as it has enough CPU capability and CPU capacity.", () -> host);
+            return true;
+        }
+
+        logger.debug("Cannot use host {}. Does the host have CPU capability? {}. Does the host have CPU capacity? {}..", () -> host, () -> hasCpuCapability, () -> hasCpuCapacity);
+        return false;
+    }
+
+}
diff --git a/server/src/main/java/com/cloud/agent/manager/allocator/impl/FirstFitAllocator.java b/server/src/main/java/com/cloud/agent/manager/allocator/impl/FirstFitAllocator.java
index 1110804959ea..8b4ca318bf78 100644
--- a/server/src/main/java/com/cloud/agent/manager/allocator/impl/FirstFitAllocator.java
+++ b/server/src/main/java/com/cloud/agent/manager/allocator/impl/FirstFitAllocator.java
@@ -16,36 +16,17 @@
 // under the License.
 package com.cloud.agent.manager.allocator.impl;
 
-import java.text.DecimalFormat;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.Comparator;
-import java.util.HashMap;
-import java.util.LinkedHashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.stream.Collectors;
+import static com.cloud.deploy.DeploymentPlanner.AllocationAlgorithm.firstfitleastconsumed;
+import static com.cloud.deploy.DeploymentPlanner.AllocationAlgorithm.random;
+import static com.cloud.deploy.DeploymentPlanner.AllocationAlgorithm.userdispersing;
 
-import javax.inject.Inject;
-import javax.naming.ConfigurationException;
-
-import com.cloud.gpu.dao.VgpuProfileDao;
-
-import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
-import org.apache.cloudstack.utils.reflectiontostringbuilderutils.ReflectionToStringBuilderUtils;
-import org.springframework.stereotype.Component;
-
-import com.cloud.agent.manager.allocator.HostAllocator;
 import com.cloud.capacity.Capacity;
-import com.cloud.capacity.CapacityManager;
 import com.cloud.capacity.CapacityVO;
 import com.cloud.capacity.dao.CapacityDao;
 import com.cloud.configuration.Config;
 import com.cloud.configuration.ConfigurationManager;
-import com.cloud.dc.ClusterDetailsDao;
-import com.cloud.dc.dao.ClusterDao;
-import com.cloud.deploy.DeploymentPlan;
 import com.cloud.deploy.DeploymentClusterPlanner;
+import com.cloud.deploy.DeploymentPlan;
 import com.cloud.deploy.DeploymentPlanner.ExcludeList;
 import com.cloud.deploy.FirstFitPlanner;
 import com.cloud.gpu.GPU;
@@ -53,11 +34,9 @@
 import com.cloud.host.Host;
 import com.cloud.host.Host.Type;
 import com.cloud.host.HostVO;
-import com.cloud.host.dao.HostDao;
 import com.cloud.host.dao.HostDetailsDao;
 import com.cloud.offering.ServiceOffering;
 import com.cloud.resource.ResourceManager;
-import com.cloud.service.ServiceOfferingDetailsVO;
 import com.cloud.service.dao.ServiceOfferingDetailsDao;
 import com.cloud.storage.GuestOSCategoryVO;
 import com.cloud.storage.GuestOSVO;
@@ -66,22 +45,38 @@
 import com.cloud.storage.dao.GuestOSDao;
 import com.cloud.user.Account;
 import com.cloud.utils.Pair;
-import com.cloud.utils.component.AdapterBase;
+import com.cloud.utils.StringUtils;
 import com.cloud.vm.VMInstanceDetailVO;
-import com.cloud.vm.VirtualMachine;
 import com.cloud.vm.VirtualMachineProfile;
-import com.cloud.vm.dao.VMInstanceDetailsDao;
 import com.cloud.vm.dao.VMInstanceDao;
+import com.cloud.vm.dao.VMInstanceDetailsDao;
 
+import java.text.DecimalFormat;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.Comparator;
+import java.util.HashMap;
+import java.util.LinkedHashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.stream.Collectors;
+
+import javax.inject.Inject;
+import javax.naming.ConfigurationException;
+
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
+import org.apache.cloudstack.utils.reflectiontostringbuilderutils.ReflectionToStringBuilderUtils;
+import org.apache.commons.collections4.CollectionUtils;
+import org.apache.commons.lang3.ObjectUtils;
 import org.jetbrains.annotations.NotNull;
+import org.springframework.stereotype.Component;
 
 /**
  * An allocator that tries to find a fit on a computing host.  This allocator does not care whether or not the host supports routing.
  */
 @Component
-public class FirstFitAllocator extends AdapterBase implements HostAllocator {
-    @Inject
-    protected HostDao _hostDao = null;
+public class FirstFitAllocator extends BaseAllocator {
     @Inject
     HostDetailsDao _hostDetailsDao = null;
     @Inject
@@ -95,289 +90,183 @@ public class FirstFitAllocator extends AdapterBase implements HostAllocator {
     @Inject
     protected ResourceManager _resourceMgr;
     @Inject
-    ClusterDao _clusterDao;
-    @Inject
-    ClusterDetailsDao _clusterDetailsDao;
-    @Inject
     ServiceOfferingDetailsDao _serviceOfferingDetailsDao;
     @Inject
-    CapacityManager _capacityMgr;
-    @Inject
     CapacityDao _capacityDao;
     @Inject
-    VMInstanceDetailsDao _vmInstanceDetailsDao;
-    @Inject
-    private VgpuProfileDao vgpuProfileDao;
+    VMInstanceDetailsDao vmInstanceDetailsDao;
 
     boolean _checkHvm = true;
+
     static DecimalFormat decimalFormat = new DecimalFormat("#.##");
 
     @Override
     public List<Host> allocateTo(VirtualMachineProfile vmProfile, DeploymentPlan plan, Type type, ExcludeList avoid, int returnUpTo) {
-        return allocateTo(vmProfile, plan, type, avoid, returnUpTo, true);
+        return allocateTo(vmProfile, plan, type, avoid, null, returnUpTo, true);
     }
 
     @Override
-    public List<Host> allocateTo(VirtualMachineProfile vmProfile, DeploymentPlan plan, Type type, ExcludeList avoid, int returnUpTo, boolean considerReservedCapacity) {
+    public List<Host> allocateTo(VirtualMachineProfile vmProfile, DeploymentPlan plan, Type type, ExcludeList avoid, List<? extends Host> hosts, int returnUpTo,
+                                 boolean considerReservedCapacity) {
+        if (type == Host.Type.Storage) {
+            return null;
+        }
 
         long dcId = plan.getDataCenterId();
         Long podId = plan.getPodId();
         Long clusterId = plan.getClusterId();
         ServiceOffering offering = vmProfile.getServiceOffering();
-        VMTemplateVO template = (VMTemplateVO)vmProfile.getTemplate();
+        VMTemplateVO template = (VMTemplateVO) vmProfile.getTemplate();
         Account account = vmProfile.getOwner();
 
-        boolean isVMDeployedWithUefi = false;
-        VMInstanceDetailVO vmInstanceDetailVO = _vmInstanceDetailsDao.findDetail(vmProfile.getId(), "UEFI");
-        if(vmInstanceDetailVO != null){
-            if ("secure".equalsIgnoreCase(vmInstanceDetailVO.getValue()) || "legacy".equalsIgnoreCase(vmInstanceDetailVO.getValue())) {
-                isVMDeployedWithUefi = true;
-            }
-        }
-        logger.info(" Guest VM is requested with Custom[UEFI] Boot Type "+ isVMDeployedWithUefi);
+        String hostTagOnOffering = offering.getHostTag();
+        String hostTagOnTemplate = template.getTemplateTag();
+        String paramAsStringToLog = String.format("zone [%s], pod [%s], cluster [%s]", dcId, podId, clusterId);
 
+        List<HostVO> suitableHosts = retrieveHosts(vmProfile, type, (List<HostVO>) hosts, clusterId, podId, dcId, hostTagOnOffering, hostTagOnTemplate);
 
-        if (type == Host.Type.Storage) {
-            // FirstFitAllocator should be used for user VMs only since it won't care whether the host is capable of routing or not
-            return new ArrayList<>();
+        if (suitableHosts.isEmpty()) {
+            logger.info("No suitable host found for VM [{}] in {}.", vmProfile, paramAsStringToLog);
+            return null;
         }
-        String paramAsStringToLog = String.format("zone [%s], pod [%s], cluster [%s]", dcId, podId, clusterId);
-        logger.debug("Looking for hosts in {}", paramAsStringToLog);
 
-        String hostTagOnOffering = offering.getHostTag();
-        String hostTagOnTemplate = template.getTemplateTag();
-        String hostTagUefi = "UEFI";
+        if (CollectionUtils.isEmpty(hosts)) {
+            addHostsToAvoidSet(type, avoid, clusterId, podId, dcId, suitableHosts);
+        }
 
-        boolean hasSvcOfferingTag = hostTagOnOffering != null ? true : false;
-        boolean hasTemplateTag = hostTagOnTemplate != null ? true : false;
+        return allocateTo(vmProfile, plan, offering, template, avoid, suitableHosts, returnUpTo, considerReservedCapacity, account);
+    }
 
-        List<HostVO> clusterHosts = new ArrayList<>();
-        List<HostVO> hostsMatchingUefiTag = new ArrayList<>();
-        if(isVMDeployedWithUefi){
-            hostsMatchingUefiTag = _hostDao.listByHostCapability(type, clusterId, podId, dcId, Host.HOST_UEFI_ENABLE);
-            if (logger.isDebugEnabled()) {
-                logger.debug("Hosts with tag '" + hostTagUefi + "' are:" + hostsMatchingUefiTag);
-            }
-        }
+    protected List<HostVO> retrieveHosts(VirtualMachineProfile vmProfile, Type type, List<HostVO> hostsToFilter, Long clusterId, Long podId, long dcId, String hostTagOnOffering,
+                                         String hostTagOnTemplate) {
+        String haVmTag = (String) vmProfile.getParameter(VirtualMachineProfile.Param.HaTag);
+        List<HostVO> clusterHosts;
 
+        if (CollectionUtils.isNotEmpty(hostsToFilter)) {
+            clusterHosts = new ArrayList<>(hostsToFilter);
+        } else {
+            clusterHosts = _resourceMgr.listAllUpAndEnabledHosts(type, clusterId, podId, dcId);
+        }
 
-        String haVmTag = (String)vmProfile.getParameter(VirtualMachineProfile.Param.HaTag);
         if (haVmTag != null) {
-            clusterHosts = _hostDao.listByHostTag(type, clusterId, podId, dcId, haVmTag);
+            clusterHosts.retainAll(hostDao.listByHostTag(type, clusterId, podId, dcId, haVmTag));
+        } else if (ObjectUtils.allNull(hostTagOnOffering, hostTagOnTemplate)) {
+            clusterHosts.retainAll(_resourceMgr.listAllUpAndEnabledNonHAHosts(type, clusterId, podId, dcId));
         } else {
-            if (hostTagOnOffering == null && hostTagOnTemplate == null) {
-                clusterHosts = _resourceMgr.listAllUpAndEnabledNonHAHosts(type, clusterId, podId, dcId);
-            } else {
-                List<HostVO> hostsMatchingOfferingTag = new ArrayList<>();
-                List<HostVO> hostsMatchingTemplateTag = new ArrayList<>();
-                if (hasSvcOfferingTag) {
-                    if (logger.isDebugEnabled()) {
-                        logger.debug("Looking for hosts having tag specified on SvcOffering:" + hostTagOnOffering);
-                    }
-                    hostsMatchingOfferingTag = _hostDao.listByHostTag(type, clusterId, podId, dcId, hostTagOnOffering);
-                    if (logger.isDebugEnabled()) {
-                        logger.debug("Hosts with tag '" + hostTagOnOffering + "' are:" + hostsMatchingOfferingTag);
-                    }
-                }
-                if (hasTemplateTag) {
-                    if (logger.isDebugEnabled()) {
-                        logger.debug("Looking for hosts having tag specified on Template:" + hostTagOnTemplate);
-                    }
-                    hostsMatchingTemplateTag = _hostDao.listByHostTag(type, clusterId, podId, dcId, hostTagOnTemplate);
-                    if (logger.isDebugEnabled()) {
-                        logger.debug("Hosts with tag '" + hostTagOnTemplate + "' are:" + hostsMatchingTemplateTag);
-                    }
-                }
-
-                if (hasSvcOfferingTag && hasTemplateTag) {
-                    hostsMatchingOfferingTag.retainAll(hostsMatchingTemplateTag);
-                    if (logger.isDebugEnabled()) {
-                        logger.debug("Found " + hostsMatchingOfferingTag.size() + " Hosts satisfying both tags, host ids are:" + hostsMatchingOfferingTag);
-                    }
-
-                    clusterHosts = hostsMatchingOfferingTag;
-                } else {
-                    if (hasSvcOfferingTag) {
-                        clusterHosts = hostsMatchingOfferingTag;
-                    } else {
-                        clusterHosts = hostsMatchingTemplateTag;
-                    }
-                }
-            }
+            retainHostsMatchingServiceOfferingAndTemplateTags(clusterHosts, type, dcId, podId, clusterId, hostTagOnOffering, hostTagOnTemplate);
         }
 
-        if (isVMDeployedWithUefi) {
-            clusterHosts.retainAll(hostsMatchingUefiTag);
-        }
+        filterHostsWithUefiEnabled(type, vmProfile, clusterId, podId, dcId, clusterHosts);
 
-        clusterHosts.addAll(_hostDao.findHostsWithTagRuleThatMatchComputeOferringTags(hostTagOnOffering));
+        addHostsBasedOnTagRules(hostTagOnOffering, clusterHosts);
 
+        return clusterHosts;
 
-        if (clusterHosts.isEmpty()) {
-            logger.warn("No suitable host found for VM [{}] with tags {} in {}.", vmProfile, hostTagOnOffering, paramAsStringToLog);
-            return null;
-        }
-        // add all hosts that we are not considering to the avoid list
-        List<HostVO> allhostsInCluster = _hostDao.listAllUpAndEnabledNonHAHosts(type, clusterId, podId, dcId, null);
-        allhostsInCluster.removeAll(clusterHosts);
+    }
 
-        logger.debug(() -> String.format("Adding hosts [%s] to the avoid set because these hosts do not support HA.",
-                ReflectionToStringBuilderUtils.reflectOnlySelectedFields(allhostsInCluster, "uuid", "name")));
+    /**
+     * Add all hosts to the avoid set that were not considered during the allocation
+     */
+    protected void addHostsToAvoidSet(Type type, ExcludeList avoid, Long clusterId, Long podId, long dcId, List<HostVO> suitableHosts) {
+        List<HostVO> allHostsInCluster = hostDao.listAllUpAndEnabledNonHAHosts(type, clusterId, podId, dcId, null);
 
-        for (HostVO host : allhostsInCluster) {
+        allHostsInCluster.removeAll(suitableHosts);
+
+        logger.debug("Adding hosts [{}] to the avoid set because these hosts were not considered for allocation.",
+                () -> ReflectionToStringBuilderUtils.reflectOnlySelectedFields(allHostsInCluster, "uuid", "name"));
+
+        for (HostVO host : allHostsInCluster) {
             avoid.addHost(host.getId());
         }
-
-        return allocateTo(vmProfile, plan, offering, template, avoid, clusterHosts, returnUpTo, considerReservedCapacity, account);
     }
 
-    @Override
-    public List<Host> allocateTo(VirtualMachineProfile vmProfile, DeploymentPlan plan, Type type, ExcludeList avoid, List<? extends Host> hosts, int returnUpTo,
-        boolean considerReservedCapacity) {
-        long dcId = plan.getDataCenterId();
-        Long podId = plan.getPodId();
-        Long clusterId = plan.getClusterId();
-        ServiceOffering offering = vmProfile.getServiceOffering();
-        VMTemplateVO template = (VMTemplateVO)vmProfile.getTemplate();
-        Account account = vmProfile.getOwner();
-        List<Host> suitableHosts = new ArrayList<>();
-        List<Host> hostsCopy = new ArrayList<>(hosts);
+    protected void filterHostsWithUefiEnabled(Type type, VirtualMachineProfile vmProfile, Long clusterId, Long podId, long dcId, List<HostVO> clusterHosts) {
+        VMInstanceDetailVO vmInstanceDetailVO = vmInstanceDetailsDao.findDetail(vmProfile.getId(), "UEFI");
 
-        if (type == Host.Type.Storage) {
-            // FirstFitAllocator should be used for user VMs only since it won't care whether the host is capable of
-            // routing or not.
-            return suitableHosts;
+        if (vmInstanceDetailVO == null) {
+            return;
         }
 
-        String hostTagOnOffering = offering.getHostTag();
-        String hostTagOnTemplate = template.getTemplateTag();
-        boolean hasSvcOfferingTag = hostTagOnOffering != null ? true : false;
-        boolean hasTemplateTag = hostTagOnTemplate != null ? true : false;
-
-        String haVmTag = (String)vmProfile.getParameter(VirtualMachineProfile.Param.HaTag);
-        if (haVmTag != null) {
-            hostsCopy.retainAll(_hostDao.listByHostTag(type, clusterId, podId, dcId, haVmTag));
-        } else {
-            if (hostTagOnOffering == null && hostTagOnTemplate == null) {
-                hostsCopy.retainAll(_resourceMgr.listAllUpAndEnabledNonHAHosts(type, clusterId, podId, dcId));
-            } else {
-                if (hasSvcOfferingTag) {
-                    if (logger.isDebugEnabled()) {
-                        logger.debug("Looking for hosts having tag specified on SvcOffering:" + hostTagOnOffering);
-                    }
-                    hostsCopy.retainAll(_hostDao.listByHostTag(type, clusterId, podId, dcId, hostTagOnOffering));
-
-                    if (logger.isDebugEnabled()) {
-                        logger.debug("Hosts with tag '" + hostTagOnOffering + "' are:" + hostsCopy);
-                    }
-                }
-
-                if (hasTemplateTag) {
-                    if (logger.isDebugEnabled()) {
-                        logger.debug("Looking for hosts having tag specified on Template:" + hostTagOnTemplate);
-                    }
-
-                    hostsCopy.retainAll(_hostDao.listByHostTag(type, clusterId, podId, dcId, hostTagOnTemplate));
-
-                    if (logger.isDebugEnabled()) {
-                        logger.debug("Hosts with tag '" + hostTagOnTemplate + "' are:" + hostsCopy);
-                    }
-                }
-            }
+        if (!StringUtils.equalsAnyIgnoreCase(vmInstanceDetailVO.getValue(), ApiConstants.BootMode.SECURE.toString(), ApiConstants.BootMode.LEGACY.toString())) {
+            return;
         }
 
-        hostsCopy.addAll(_hostDao.findHostsWithTagRuleThatMatchComputeOferringTags(hostTagOnOffering));
+        logger.info("Guest VM is requested with Custom[UEFI] Boot Type enabled.");
 
-        if (!hostsCopy.isEmpty()) {
-            suitableHosts = allocateTo(vmProfile, plan, offering, template, avoid, hostsCopy, returnUpTo, considerReservedCapacity, account);
-        }
+        List<HostVO> hostsMatchingUefiTag = hostDao.listByHostCapability(type, clusterId, podId, dcId, Host.HOST_UEFI_ENABLE);
 
-        return suitableHosts;
+        logger.debug("Hosts with UEFI enabled are {}.", hostsMatchingUefiTag);
+        clusterHosts.retainAll(hostsMatchingUefiTag);
     }
 
     protected List<Host> allocateTo(VirtualMachineProfile vmProfile, DeploymentPlan plan, ServiceOffering offering, VMTemplateVO template, ExcludeList avoid, List<? extends Host> hosts, int returnUpTo,
-        boolean considerReservedCapacity, Account account) {
+                                    boolean considerReservedCapacity, Account account) {
         String vmAllocationAlgorithm = DeploymentClusterPlanner.VmAllocationAlgorithm.value();
-        if (vmAllocationAlgorithm.equals("random")) {
-            // Shuffle this so that we don't check the hosts in the same order.
+        if (random.toString().equals(vmAllocationAlgorithm)) {
             Collections.shuffle(hosts);
-        } else if (vmAllocationAlgorithm.equals("userdispersing")) {
+        } else if (userdispersing.toString().equals(vmAllocationAlgorithm)) {
             hosts = reorderHostsByNumberOfVms(plan, hosts, account);
-        } else if(vmAllocationAlgorithm.equals("firstfitleastconsumed")){
+        } else if (firstfitleastconsumed.toString().equals(vmAllocationAlgorithm)) {
             hosts = reorderHostsByCapacity(plan, hosts);
         }
 
-        if (logger.isDebugEnabled()) {
-            logger.debug("FirstFitAllocator has " + hosts.size() + " hosts to check for allocation: " + hosts);
-        }
-
-        // We will try to reorder the host lists such that we give priority to hosts that have
-        // the minimums to support a VM's requirements
+        logger.debug("FirstFitAllocator has {} hosts to check for allocation {}.", hosts.size(), hosts);
         hosts = prioritizeHosts(template, offering, hosts);
+        logger.debug("Found {} hosts for allocation after prioritization: {}.", hosts.size(), hosts);
 
-        if (logger.isDebugEnabled()) {
-            logger.debug("Found " + hosts.size() + " hosts for allocation after prioritization: " + hosts);
-        }
+        List<Host> suitableHosts = checkHostsCompatibilities(offering, vmProfile, avoid, hosts, returnUpTo, considerReservedCapacity);
+        logger.debug("Host Allocator returning {} suitable hosts.", suitableHosts.size());
 
-        if (logger.isDebugEnabled()) {
-            logger.debug("Looking for speed=" + (offering.getCpu() * offering.getSpeed()) + "Mhz, Ram=" + offering.getRamSize() + " MB");
-        }
+        return suitableHosts;
+    }
 
-        long serviceOfferingId = offering.getId();
+    protected List<Host> checkHostsCompatibilities(ServiceOffering offering, VirtualMachineProfile vmProfile, ExcludeList avoid, List<? extends Host> hosts, int returnUpTo, boolean considerReservedCapacity) {
         List<Host> suitableHosts = new ArrayList<>();
-        ServiceOfferingDetailsVO offeringDetails = null;
+        logger.debug("Checking compatibility for the following hosts {}.", suitableHosts);
 
         for (Host host : hosts) {
             if (suitableHosts.size() == returnUpTo) {
                 break;
             }
+
             if (avoid.shouldAvoid(host)) {
-                if (logger.isDebugEnabled()) {
-                    logger.debug("Host: {} is in avoid set, skipping this and trying other available hosts", host);
-                }
+                logger.debug("Host [{}] is in avoid set, skipping this and trying other available hosts", host);
                 continue;
             }
 
-            //find number of guest VMs occupying capacity on this host.
-            if (_capacityMgr.checkIfHostReachMaxGuestLimit(host)) {
+            if (capacityManager.checkIfHostReachMaxGuestLimit(host)) {
                 logger.debug("Adding host [{}] to the avoid set because this host already has the max number of running (user and/or system) VMs.", host);
                 avoid.addHost(host.getId());
                 continue;
             }
 
-            // Check if GPU device is required by offering and host has the availability
-            if (_resourceMgr.isGPUDeviceAvailable(offering, host, vmProfile.getId())) {
-                logger.debug("Host [{}] has required GPU devices available.", host);
-            } else {
-                // If GPU is not available, skip this host
-                logger.debug("Adding host [{}] to avoid set, because this host does not have required GPU devices available.", host);
-                avoid.addHost(host.getId());
+            if (offeringRequestedVGpuAndHostDoesNotHaveIt(offering, vmProfile, avoid, host)) {
                 continue;
             }
 
-            Pair<Boolean, Boolean> cpuCapabilityAndCapacity = _capacityMgr.checkIfHostHasCpuCapabilityAndCapacity(host, offering, considerReservedCapacity);
-            if (cpuCapabilityAndCapacity.first() && cpuCapabilityAndCapacity.second()) {
-                if (logger.isDebugEnabled()) {
-                    logger.debug("Found a suitable host, adding to list: {}", host);
-                }
+            if (hostHasCpuCapabilityAndCapacity(considerReservedCapacity, offering, host)) {
                 suitableHosts.add(host);
-            } else {
-                if (logger.isDebugEnabled()) {
-                    logger.debug("Not using host {}; host has cpu capability? {}, host has capacity?{}",
-                            host, cpuCapabilityAndCapacity.first(), cpuCapabilityAndCapacity.second());
-                }
-                avoid.addHost(host.getId());
+                continue;
             }
+            avoid.addHost(host.getId());
         }
+        return suitableHosts;
+    }
 
-        if (logger.isDebugEnabled()) {
-            logger.debug("Host Allocator returning " + suitableHosts.size() + " suitable hosts");
-        }
+    protected boolean offeringRequestedVGpuAndHostDoesNotHaveIt(ServiceOffering offering, VirtualMachineProfile vmProfile, ExcludeList avoid, Host host) {
+      if (_resourceMgr.isGPUDeviceAvailable(offering, host, vmProfile.getId())) {
+        logger.debug("Host [{}] has required GPU devices available.", () -> host);
+        return false;
+      }
 
-        return suitableHosts;
+      logger.debug("Adding host [{}] to avoid set, because this host does not have required GPU devices available.", () -> host);
+      avoid.addHost(host.getId());
+      return true;
     }
 
-    // Reorder hosts in the decreasing order of free capacity.
+    /**
+     * Reorder hosts in the decreasing order of free capacity.
+     */
     private List<? extends Host> reorderHostsByCapacity(DeploymentPlan plan, List<? extends Host> hosts) {
         Long zoneId = plan.getDataCenterId();
         Long clusterId = plan.getClusterId();
@@ -388,26 +277,10 @@ private List<? extends Host> reorderHostsByCapacity(DeploymentPlan plan, List<?
                 .sorted(Map.Entry.comparingByValue(Comparator.reverseOrder()))
                 .collect(Collectors.toMap(Map.Entry::getKey, entry -> decimalFormat.format(entry.getValue() * 100) + "%",
                         (e1, e2) -> e1, LinkedHashMap::new));
-        if (logger.isDebugEnabled()) {
-            logger.debug("List of hosts: [{}] in descending order of free capacity (percentage) in the cluster: {}",
-                    hostIdsByFreeCapacity, sortedHostByCapacity);
-        }
-
-        //now filter the given list of Hosts by this ordered list
-        Map<Long, Host> hostMap = new HashMap<>();
-        for (Host host : hosts) {
-            hostMap.put(host.getId(), host);
-        }
-        List<Long> matchingHostIds = new ArrayList<>(hostMap.keySet());
-
-        hostIdsByFreeCapacity.retainAll(matchingHostIds);
-
-        List<Host> reorderedHosts = new ArrayList<>();
-        for(Long id: hostIdsByFreeCapacity){
-            reorderedHosts.add(hostMap.get(id));
-        }
+        logger.debug("List of hosts: [{}] in descending order of free capacity (percentage) in the cluster: {}.",
+                hostIdsByFreeCapacity, sortedHostByCapacity);
 
-        return reorderedHosts;
+        return filterHosts(hosts, hostIdsByFreeCapacity);
     }
 
     private Pair<List<Long>, Map<Long, Double>> getOrderedHostsByCapacity(Long zoneId, Long clusterId) {
@@ -450,116 +323,154 @@ private List<? extends Host> reorderHostsByNumberOfVms(DeploymentPlan plan, List
         Long clusterId = plan.getClusterId();
 
         List<Long> hostIdsByVmCount = _vmInstanceDao.listHostIdsByVmCount(dcId, podId, clusterId, account.getAccountId());
-        if (logger.isDebugEnabled()) {
-            logger.debug("List of hosts in ascending order of number of VMs: " + hostIdsByVmCount);
-        }
+        logger.debug("List of hosts in ascending order of number of VMs: {}.", hostIdsByVmCount);
 
-        //now filter the given list of Hosts by this ordered list
+        return filterHosts(hosts, hostIdsByVmCount);
+    }
+
+    /**
+     * Filter the given list of Hosts considering the ordered list
+     */
+    private List<? extends Host> filterHosts(List<? extends Host> hosts, List<Long> orderedHostIdsList) {
         Map<Long, Host> hostMap = new HashMap<>();
+
         for (Host host : hosts) {
             hostMap.put(host.getId(), host);
         }
         List<Long> matchingHostIds = new ArrayList<>(hostMap.keySet());
-
-        hostIdsByVmCount.retainAll(matchingHostIds);
+        orderedHostIdsList.retainAll(matchingHostIds);
 
         List<Host> reorderedHosts = new ArrayList<>();
-        for (Long id : hostIdsByVmCount) {
+        for(Long id: orderedHostIdsList){
             reorderedHosts.add(hostMap.get(id));
         }
 
         return reorderedHosts;
     }
 
-    @Override
-    public boolean isVirtualMachineUpgradable(VirtualMachine vm, ServiceOffering offering) {
-        // currently we do no special checks to rule out a VM being upgradable to an offering, so
-        // return true
-        return true;
-    }
-
+    /**
+     * Reorder the host list giving priority to hosts that have the minimum to support the VM's requirements.
+     */
     protected List<? extends Host> prioritizeHosts(VMTemplateVO template, ServiceOffering offering, List<? extends Host> hosts) {
         if (template == null) {
             return hosts;
         }
 
-        // Determine the guest OS category of the template
-        String templateGuestOSCategory = getTemplateGuestOSCategory(template);
+        List<Host> hostsToCheck = filterHostWithNoHvmIfTemplateRequested(template, hosts);
 
         List<Host> prioritizedHosts = new ArrayList<>();
-        List<Host> noHvmHosts = new ArrayList<>();
+        List<Host> highPriorityHosts = new ArrayList<>();
+        List<Host> lowPriorityHosts = new ArrayList<>();
+
+        prioritizeHostsWithMatchingGuestOs(template, hostsToCheck, highPriorityHosts, lowPriorityHosts);
+        hostsToCheck.removeAll(highPriorityHosts);
+        hostsToCheck.removeAll(lowPriorityHosts);
+
+        prioritizeHostsByHvmCapability(template, hostsToCheck, prioritizedHosts);
+        prioritizedHosts.addAll(0, highPriorityHosts);
+        prioritizedHosts.addAll(lowPriorityHosts);
+
+        prioritizeHostsByGpuEnabled(offering, prioritizedHosts);
+
+        return prioritizedHosts;
+    }
+
 
-        // If a template requires HVM and a host doesn't support HVM, remove it from consideration
+    /**
+     * If a template requires HVM and a host doesn't support HVM, remove it from consideration.
+     */
+    protected List<Host> filterHostWithNoHvmIfTemplateRequested(VMTemplateVO template, List<? extends Host> hosts) {
         List<Host> hostsToCheck = new ArrayList<>();
-        if (template.isRequiresHvm()) {
-            for (Host host : hosts) {
-                if (hostSupportsHVM(host)) {
-                    hostsToCheck.add(host);
-                } else {
-                    noHvmHosts.add(host);
-                }
-            }
-        } else {
+
+        if (!template.isRequiresHvm()) {
+            logger.debug("Template [{}] does not require HVM, therefore, the hosts {} will not be checked for HVM compatibility.", template, hostsToCheck);
             hostsToCheck.addAll(hosts);
+            return hostsToCheck;
         }
 
-        if (logger.isDebugEnabled()) {
-            if (noHvmHosts.size() > 0) {
-                logger.debug("Not considering hosts: " + noHvmHosts + "  to deploy template: " + template + " as they are not HVM enabled");
+        List<Host> noHvmHosts = new ArrayList<>();
+        logger.debug("Template [{}] requires HVM, therefore, the hosts %s will be checked for HVM compatibility.", template, hostsToCheck);
+
+        for (Host host : hosts) {
+            if (hostSupportsHVM(host)) {
+                hostsToCheck.add(host);
+            } else {
+                noHvmHosts.add(host);
             }
         }
-        // If a host is tagged with the same guest OS category as the template, move it to a high priority list
-        // If a host is tagged with a different guest OS category than the template, move it to a low priority list
-        List<Host> highPriorityHosts = new ArrayList<>();
-        List<Host> lowPriorityHosts = new ArrayList<>();
-        for (Host host : hostsToCheck) {
-            String hostGuestOSCategory = getHostGuestOSCategory(host);
-            if (hostGuestOSCategory == null) {
-                continue;
-            } else if (templateGuestOSCategory != null && templateGuestOSCategory.equals(hostGuestOSCategory)) {
-                highPriorityHosts.add(host);
-            } else {
-                lowPriorityHosts.add(host);
+
+        if (!noHvmHosts.isEmpty()) {
+            logger.debug("Not considering hosts {} to deploy VM using template {} as they are not HVM enabled.", noHvmHosts, template);
+        }
+
+        return hostsToCheck;
+    }
+
+
+    /**
+     * If service offering did not request for vGPU, then move all host with GPU to the end of the host priority list.
+     */
+    protected void prioritizeHostsByGpuEnabled(ServiceOffering offering, List<Host> prioritizedHosts) {
+        boolean serviceOfferingRequestedVGpu = _serviceOfferingDetailsDao.findDetail(offering.getId(), GPU.Keys.vgpuType.toString()) != null || offering.getVgpuProfileId() != null;
+
+        if (serviceOfferingRequestedVGpu) {
+            return;
+        }
+
+        List<Host> gpuEnabledHosts = new ArrayList<>();
+
+        for (Host host : prioritizedHosts) {
+            if (_resourceMgr.isHostGpuEnabled(host.getId())) {
+                gpuEnabledHosts.add(host);
             }
         }
 
-        hostsToCheck.removeAll(highPriorityHosts);
-        hostsToCheck.removeAll(lowPriorityHosts);
+        if (!gpuEnabledHosts.isEmpty()) {
+            prioritizedHosts.removeAll(gpuEnabledHosts);
+            prioritizedHosts.addAll(gpuEnabledHosts);
+        }
+    }
 
-        // Prioritize the remaining hosts by HVM capability
+    /**
+     * Prioritize remaining host by HVM capability.
+     *
+     * <ul>
+     *     <li>If host and template both do not support HVM, put it at the start of the list.</li>
+     *     <li>If the template doesn't require HVM, but the machine supports it, append it to the list.</li>
+     * </ul>
+     */
+    protected void prioritizeHostsByHvmCapability(VMTemplateVO template, List<Host> hostsToCheck, List<Host> prioritizedHosts) {
         for (Host host : hostsToCheck) {
             if (!template.isRequiresHvm() && !hostSupportsHVM(host)) {
-                // Host and template both do not support hvm, put it as first consideration
                 prioritizedHosts.add(0, host);
             } else {
-                // Template doesn't require hvm, but the machine supports it, make it last for consideration
                 prioritizedHosts.add(host);
             }
         }
+    }
 
-        // Merge the lists
-        prioritizedHosts.addAll(0, highPriorityHosts);
-        prioritizedHosts.addAll(lowPriorityHosts);
 
-        // if service offering is not GPU enabled then move all the GPU enabled hosts to the end of priority list.
-        if (_serviceOfferingDetailsDao.findDetail(offering.getId(), GPU.Keys.vgpuType.toString()) == null && offering.getVgpuProfileId() == null) {
+    /**
+     * <ul>
+     *     <li>If a host is tagged with the same guest OS category as the template, move it to a high priority list.</li>
+     *     <li>If a host is tagged with a different guest OS category than the template, move it to a low priority list.</li>
+     * </ul>
+     */
+    protected void prioritizeHostsWithMatchingGuestOs(VMTemplateVO template, List<Host> hostsToCheck, List<Host> highPriorityHosts, List<Host> lowPriorityHosts) {
+        String templateGuestOSCategory = getTemplateGuestOSCategory(template);
 
-            List<Host> gpuEnabledHosts = new ArrayList<>();
-            // Check for GPU enabled hosts.
-            for (Host host : prioritizedHosts) {
-                if (_resourceMgr.isHostGpuEnabled(host.getId())) {
-                    gpuEnabledHosts.add(host);
-                }
-            }
-            // Move GPU enabled hosts to the end of list
-            if(!gpuEnabledHosts.isEmpty()) {
-                prioritizedHosts.removeAll(gpuEnabledHosts);
-                prioritizedHosts.addAll(gpuEnabledHosts);
+        for (Host host : hostsToCheck) {
+            String hostGuestOSCategory = getHostGuestOSCategory(host);
+
+            if (StringUtils.equals(templateGuestOSCategory, hostGuestOSCategory)) {
+                highPriorityHosts.add(host);
+            } else if (hostGuestOSCategory != null) {
+                lowPriorityHosts.add(host);
             }
         }
-        return prioritizedHosts;
     }
 
+
     protected boolean hostSupportsHVM(Host host) {
         if (!_checkHvm) {
             return true;
@@ -621,19 +532,8 @@ public boolean configure(String name, Map<String, Object> params) throws Configu
         if (_configDao != null) {
             Map<String, String> configs = _configDao.getConfiguration(params);
             String value = configs.get("xenserver.check.hvm");
-            _checkHvm = value == null ? true : Boolean.parseBoolean(value);
+            _checkHvm = value == null || Boolean.parseBoolean(value);
         }
         return true;
     }
-
-    @Override
-    public boolean start() {
-        return true;
-    }
-
-    @Override
-    public boolean stop() {
-        return true;
-    }
-
 }
diff --git a/server/src/main/java/com/cloud/agent/manager/allocator/impl/RandomAllocator.java b/server/src/main/java/com/cloud/agent/manager/allocator/impl/RandomAllocator.java
new file mode 100644
index 000000000000..96b4255b876d
--- /dev/null
+++ b/server/src/main/java/com/cloud/agent/manager/allocator/impl/RandomAllocator.java
@@ -0,0 +1,132 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.agent.manager.allocator.impl;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import javax.inject.Inject;
+
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.lang3.ObjectUtils;
+import org.springframework.stereotype.Component;
+
+import com.cloud.deploy.DeploymentPlan;
+import com.cloud.deploy.DeploymentPlanner.ExcludeList;
+import com.cloud.host.Host;
+import com.cloud.host.Host.Type;
+import com.cloud.host.HostVO;
+import com.cloud.offering.ServiceOffering;
+import com.cloud.resource.ResourceManager;
+import com.cloud.storage.VMTemplateVO;
+import com.cloud.vm.VirtualMachineProfile;
+
+@Component
+public class RandomAllocator extends BaseAllocator {
+    @Inject
+    private ResourceManager _resourceMgr;
+
+    protected List<Host> findSuitableHosts(VirtualMachineProfile vmProfile, DeploymentPlan plan, Type type, ExcludeList avoid, List<? extends Host> hosts, int returnUpTo,
+                                         boolean considerReservedCapacity) {
+        if (type == Host.Type.Storage) {
+            return null;
+        }
+
+        long dcId = plan.getDataCenterId();
+        Long podId = plan.getPodId();
+        Long clusterId = plan.getClusterId();
+        ServiceOffering offering = vmProfile.getServiceOffering();
+
+        String offeringHostTag = offering.getHostTag();
+        VMTemplateVO template = (VMTemplateVO) vmProfile.getTemplate();
+        logger.debug("Looking for hosts in zone [{}], pod [{}], cluster [{}].", dcId, podId, clusterId);
+
+        List<? extends Host> availableHosts = retrieveHosts(type, (List<HostVO>) hosts, template, offeringHostTag, clusterId, podId, dcId);
+
+        if (availableHosts.isEmpty()) {
+            logger.info("No suitable host found for VM [{}] in zone [{}], pod [{}], cluster [{}].", vmProfile, dcId, podId, clusterId);
+            return null;
+        }
+
+        return filterAvailableHosts(avoid, returnUpTo, considerReservedCapacity, availableHosts, offering);
+    }
+
+    protected List<Host> filterAvailableHosts(ExcludeList avoid, int returnUpTo, boolean considerReservedCapacity, List<? extends Host> availableHosts, ServiceOffering offering) {
+        logger.debug("Random Allocator found [{}] available hosts. They will be checked if they are in the avoid set and for CPU capability and capacity.", availableHosts::size);
+        List<Host> suitableHosts = new ArrayList<>();
+
+        Collections.shuffle(availableHosts);
+        for (Host host : availableHosts) {
+            if (suitableHosts.size() == returnUpTo) {
+                break;
+            }
+
+            if (avoid.shouldAvoid(host)) {
+                logger.debug("Host [{}] is in the avoid set, skipping it and trying other available hosts.", () -> host);
+                continue;
+            }
+
+            if (!hostHasCpuCapabilityAndCapacity(considerReservedCapacity, offering, host)) {
+                continue;
+            }
+
+            logger.debug("Found the suitable host [{}], adding to list.", () -> host);
+            suitableHosts.add(host);
+        }
+
+        logger.debug("Random Host Allocator returning {} suitable hosts.", suitableHosts::size);
+        return suitableHosts;
+    }
+
+    /**
+     * @return all computing hosts, regardless of whether they support routing.
+     */
+    protected List<HostVO> retrieveHosts(Type type, List<HostVO> hosts, VMTemplateVO template, String offeringHostTag, Long clusterId, Long podId, long dcId) {
+        List<HostVO> availableHosts;
+        String templateTag = template.getTemplateTag();
+
+        if (CollectionUtils.isNotEmpty(hosts)) {
+            availableHosts = new ArrayList<>(hosts);
+        } else {
+            availableHosts = _resourceMgr.listAllUpAndEnabledHosts(type, clusterId, podId, dcId);
+        }
+
+        if (ObjectUtils.anyNotNull(offeringHostTag, templateTag)) {
+            retainHostsMatchingServiceOfferingAndTemplateTags(availableHosts, type, dcId, podId, clusterId, offeringHostTag, templateTag);
+        } else {
+            List<HostVO> hostsWithNoRuleTag = hostDao.listAllHostsThatHaveNoRuleTag(type, clusterId, podId, dcId);
+            logger.debug("Retaining hosts {} because they do not have rule tags.", hostsWithNoRuleTag);
+            availableHosts.retainAll(hostsWithNoRuleTag);
+        }
+
+        addHostsBasedOnTagRules(offeringHostTag, availableHosts);
+
+        return availableHosts;
+    }
+
+    @Override
+    public List<Host> allocateTo(VirtualMachineProfile vmProfile, DeploymentPlan plan, Type type, ExcludeList avoid, int returnUpTo) {
+        return allocateTo(vmProfile, plan, type, avoid, null, returnUpTo, true);
+    }
+
+    @Override
+    public List<Host> allocateTo(VirtualMachineProfile vmProfile, DeploymentPlan plan, Type type, ExcludeList avoid, List<? extends Host> hosts, int returnUpTo,
+                                 boolean considerReservedCapacity) {
+        return findSuitableHosts(vmProfile, plan, type, avoid, hosts, returnUpTo, considerReservedCapacity);
+    }
+}
diff --git a/server/src/main/java/com/cloud/agent/manager/allocator/impl/TestingAllocator.java b/server/src/main/java/com/cloud/agent/manager/allocator/impl/TestingAllocator.java
index fd8e65e24761..04a0b182b7b1 100644
--- a/server/src/main/java/com/cloud/agent/manager/allocator/impl/TestingAllocator.java
+++ b/server/src/main/java/com/cloud/agent/manager/allocator/impl/TestingAllocator.java
@@ -28,32 +28,24 @@
 import com.cloud.host.Host;
 import com.cloud.host.Host.Type;
 import com.cloud.host.dao.HostDao;
-import com.cloud.offering.ServiceOffering;
 import com.cloud.utils.component.AdapterBase;
-import com.cloud.vm.VirtualMachine;
 import com.cloud.vm.VirtualMachineProfile;
 
 public class TestingAllocator extends AdapterBase implements HostAllocator {
     @Inject
     HostDao _hostDao;
-    Long _computingHost;
     Long _storageHost;
     Long _routingHost;
 
     @Override
     public List<Host> allocateTo(VirtualMachineProfile vmProfile, DeploymentPlan plan, Type type, ExcludeList avoid, int returnUpTo) {
-        return allocateTo(vmProfile, plan, type, avoid, returnUpTo, true);
+        return allocateTo(vmProfile, plan, type, avoid, null, returnUpTo, true);
     }
 
     @Override
     public List<Host> allocateTo(VirtualMachineProfile vmProfile, DeploymentPlan plan, Type type, ExcludeList avoid, List<? extends Host> hosts, int returnUpTo,
-        boolean considerReservedCapacity) {
-        return allocateTo(vmProfile, plan, type, avoid, returnUpTo, considerReservedCapacity);
-    }
-
-    @Override
-    public List<Host> allocateTo(VirtualMachineProfile vmProfile, DeploymentPlan plan, Type type, ExcludeList avoid, int returnUpTo, boolean considerReservedCapacity) {
-        List<Host> availableHosts = new ArrayList<Host>();
+                                 boolean considerReservedCapacity) {
+        List<Host> availableHosts = new ArrayList<>();
         Host host = null;
         if (type == Host.Type.Routing && _routingHost != null) {
             host = _hostDao.findById(_routingHost);
@@ -66,13 +58,6 @@ public List<Host> allocateTo(VirtualMachineProfile vmProfile, DeploymentPlan pla
         return availableHosts;
     }
 
-    @Override
-    public boolean isVirtualMachineUpgradable(VirtualMachine vm, ServiceOffering offering) {
-        // currently we do no special checks to rule out a VM being upgradable to an offering, so
-        // return true
-        return true;
-    }
-
     @Override
     public boolean configure(String name, Map<String, Object> params) {
         String value = (String)params.get(Host.Type.Routing.toString());
diff --git a/server/src/main/java/com/cloud/api/ApiDBUtils.java b/server/src/main/java/com/cloud/api/ApiDBUtils.java
index 1d6d5d5c5004..1d00e9ec16ba 100644
--- a/server/src/main/java/com/cloud/api/ApiDBUtils.java
+++ b/server/src/main/java/com/cloud/api/ApiDBUtils.java
@@ -45,7 +45,6 @@
 import org.apache.cloudstack.api.response.AccountResponse;
 import org.apache.cloudstack.api.response.AsyncJobResponse;
 import org.apache.cloudstack.api.response.BackupOfferingResponse;
-import org.apache.cloudstack.api.response.BackupScheduleResponse;
 import org.apache.cloudstack.api.response.DiskOfferingResponse;
 import org.apache.cloudstack.api.response.DomainResponse;
 import org.apache.cloudstack.api.response.DomainRouterResponse;
@@ -76,7 +75,6 @@
 import org.apache.cloudstack.api.response.ZoneResponse;
 import org.apache.cloudstack.backup.BackupOffering;
 import org.apache.cloudstack.backup.BackupRepository;
-import org.apache.cloudstack.backup.BackupSchedule;
 import org.apache.cloudstack.backup.dao.BackupDao;
 import org.apache.cloudstack.backup.dao.BackupOfferingDao;
 import org.apache.cloudstack.backup.dao.BackupRepositoryDao;
@@ -2230,6 +2228,10 @@ public static List<NicSecondaryIpVO> findNicSecondaryIps(long nicId) {
         return s_nicSecondaryIpDao.listByNicId(nicId);
     }
 
+    public static NicVO findNicById(long nicId) {
+        return s_nicDao.findById(nicId);
+    }
+
     public static TemplateResponse newTemplateUpdateResponse(TemplateJoinVO vr) {
         return s_templateJoinDao.newUpdateResponse(vr);
     }
@@ -2298,6 +2300,10 @@ public static boolean isAdmin(Account account) {
         return s_accountService.isAdmin(account.getId());
     }
 
+    public static Account getSystemAccount() {
+        return s_accountService.getSystemAccount();
+    }
+
     public static List<ResourceTagJoinVO> listResourceTagViewByResourceUUID(String resourceUUID, ResourceObjectType resourceType) {
         return s_tagJoinDao.listBy(resourceUUID, resourceType);
     }
@@ -2306,10 +2312,6 @@ public static ResourceIconVO getResourceIconByResourceUUID(String resourceUUID,
         return s_resourceIconDao.findByResourceUuid(resourceUUID, resourceType);
     }
 
-    public static BackupScheduleResponse newBackupScheduleResponse(BackupSchedule schedule) {
-        return s_backupScheduleDao.newBackupScheduleResponse(schedule);
-    }
-
     public static BackupOfferingResponse newBackupOfferingResponse(BackupOffering offering) {
         BackupRepository repository = s_backupRepositoryDao.findByUuid(offering.getExternalId());
         Boolean crossZoneInstanceCreationEnabled = repository != null ? Boolean.TRUE.equals(repository.crossZoneInstanceCreationEnabled()) : false;
diff --git a/server/src/main/java/com/cloud/api/ApiResponseHelper.java b/server/src/main/java/com/cloud/api/ApiResponseHelper.java
index cf98df0da243..a8551b4c6693 100644
--- a/server/src/main/java/com/cloud/api/ApiResponseHelper.java
+++ b/server/src/main/java/com/cloud/api/ApiResponseHelper.java
@@ -32,6 +32,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
+import java.util.Optional;
 import java.util.Set;
 import java.util.TimeZone;
 import java.util.function.Consumer;
@@ -39,10 +40,6 @@
 
 import javax.inject.Inject;
 
-import com.cloud.domain.dao.DomainDao;
-import com.cloud.user.AccountVO;
-import com.cloud.user.ApiKeyPairState;
-import com.cloud.user.dao.AccountDao;
 import org.apache.cloudstack.acl.ControlledEntity;
 import org.apache.cloudstack.acl.ControlledEntity.ACLType;
 import org.apache.cloudstack.acl.RoleVO;
@@ -53,6 +50,7 @@
 import org.apache.cloudstack.affinity.AffinityGroupResponse;
 import org.apache.cloudstack.annotation.AnnotationService;
 import org.apache.cloudstack.annotation.dao.AnnotationDao;
+import org.apache.cloudstack.api.ApiCommandResourceType;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.ApiConstants.DomainDetails;
 import org.apache.cloudstack.api.ApiConstants.HostDetails;
@@ -217,6 +215,7 @@
 import org.apache.cloudstack.engine.subsystem.api.storage.SnapshotInfo;
 import org.apache.cloudstack.framework.jobs.AsyncJob;
 import org.apache.cloudstack.framework.jobs.AsyncJobManager;
+import org.apache.cloudstack.framework.jobs.dao.AsyncJobDao;
 import org.apache.cloudstack.gui.theme.GuiThemeJoin;
 import org.apache.cloudstack.management.ManagementServerHost;
 import org.apache.cloudstack.network.BgpPeerVO;
@@ -264,6 +263,7 @@
 import com.cloud.api.query.vo.ProjectAccountJoinVO;
 import com.cloud.api.query.vo.ProjectInvitationJoinVO;
 import com.cloud.api.query.vo.ProjectJoinVO;
+import com.cloud.api.query.ResourceIdSupport;
 import com.cloud.api.query.vo.ResourceTagJoinVO;
 import com.cloud.api.query.vo.SecurityGroupJoinVO;
 import com.cloud.api.query.vo.ServiceOfferingJoinVO;
@@ -304,6 +304,7 @@
 import com.cloud.dc.dao.VlanDetailsDao;
 import com.cloud.domain.Domain;
 import com.cloud.domain.DomainVO;
+import com.cloud.domain.dao.DomainDao;
 import com.cloud.event.Event;
 import com.cloud.exception.InvalidParameterValueException;
 import com.cloud.exception.PermissionDeniedException;
@@ -421,11 +422,14 @@
 import com.cloud.template.VirtualMachineTemplate;
 import com.cloud.user.Account;
 import com.cloud.user.AccountManager;
+import com.cloud.user.AccountVO;
+import com.cloud.user.ApiKeyPairState;
 import com.cloud.user.SSHKeyPair;
 import com.cloud.user.User;
 import com.cloud.user.UserAccount;
 import com.cloud.user.UserData;
 import com.cloud.user.UserStatisticsVO;
+import com.cloud.user.dao.AccountDao;
 import com.cloud.user.dao.UserDataDao;
 import com.cloud.user.dao.UserStatisticsDao;
 import com.cloud.uservm.UserVm;
@@ -458,7 +462,7 @@
 
 import sun.security.x509.X509CertImpl;
 
-public class ApiResponseHelper implements ResponseGenerator {
+public class ApiResponseHelper implements ResponseGenerator, ResourceIdSupport {
 
     protected Logger logger = LogManager.getLogger(ApiResponseHelper.class);
     private static final DecimalFormat s_percentFormat = new DecimalFormat("##.##");
@@ -542,6 +546,8 @@ public class ApiResponseHelper implements ResponseGenerator {
     Site2SiteVpnManager site2SiteVpnManager;
     @Inject
     ResourceIconManager resourceIconManager;
+    @Inject
+    AsyncJobDao asyncJobDao;
 
     public static String getPrettyDomainPath(String path) {
         if (path == null) {
@@ -814,7 +820,7 @@ public static DataStoreRole getDataStoreRole(Snapshot snapshot, SnapshotDataStor
 
         if (mapCapabilities != null) {
             String value = mapCapabilities.get(DataStoreCapabilities.STORAGE_SYSTEM_SNAPSHOT.toString());
-            Boolean supportsStorageSystemSnapshots = new Boolean(value);
+            boolean supportsStorageSystemSnapshots = Boolean.getBoolean(value);
 
             if (supportsStorageSystemSnapshots) {
                 return DataStoreRole.Primary;
@@ -1929,6 +1935,12 @@ public UserVm findUserVmById(Long vmId) {
 
     }
 
+    @Override
+    public UserVm findUserVmByNicId(Long nicId) {
+        NicVO nic = ApiDBUtils.findNicById(nicId);
+        return ApiDBUtils.findUserVmById(nic.getInstanceId());
+    }
+
     @Override
     public VolumeVO findVolumeById(Long volumeId) {
         return ApiDBUtils.findVolumeById(volumeId);
@@ -2329,16 +2341,26 @@ public TemplatePermissionsResponse createTemplatePermissionsResponse(ResponseVie
 
     @Override
     public AsyncJobResponse queryJobResult(final QueryAsyncJobResultCmd cmd) {
-        final Account caller = CallContext.current().getCallingAccount();
+        ApiCommandResourceType resourceType = getResourceType(cmd.getResourceType());
+        String resourceTypeName = Optional.ofNullable(resourceType).map(ApiCommandResourceType::name).orElse(null);
+
+        Long resourceId = getResourceId(resourceType, cmd.getResourceId());
+        Long jobId = cmd.getId();
+        if (jobId == null && resourceId == null) {
+            throw new InvalidParameterValueException("Expected parameter job id or parameters resource type and resource id");
+        }
 
-        final AsyncJob job = _entityMgr.findByIdIncludingRemoved(AsyncJob.class, cmd.getId());
+        final AsyncJob job = asyncJobDao.findJob(jobId, resourceId, resourceTypeName);
         if (job == null) {
-            throw new InvalidParameterValueException("Unable to find a job by id " + cmd.getId());
+            throw new InvalidParameterValueException("Unable to find a job by id " + jobId + " resource type "
+                    + cmd.getResourceType() + " resource id " + cmd.getResourceId());
         }
+        jobId = job.getId();
 
         final User userJobOwner = _accountMgr.getUserIncludingRemoved(job.getUserId());
         final Account jobOwner = _accountMgr.getAccount(userJobOwner.getAccountId());
 
+        final Account caller = CallContext.current().getCallingAccount();
         //check permissions
         if (_accountMgr.isNormalUser(caller.getId())) {
             //regular users can see only jobs they own
@@ -2349,7 +2371,7 @@ public AsyncJobResponse queryJobResult(final QueryAsyncJobResultCmd cmd) {
             _accountMgr.checkAccess(caller, null, true, jobOwner);
         }
 
-        return createAsyncJobResponse(_jobMgr.queryJob(cmd.getId(), true));
+        return createAsyncJobResponse(_jobMgr.queryJob(jobId, true));
     }
 
     public AsyncJobResponse createAsyncJobResponse(AsyncJob job) {
@@ -2868,6 +2890,11 @@ public NetworkResponse createNetworkResponse(ResponseView view, Network network)
             }
         }
 
+        if (CallContext.current().getCallingAccount().getType() == Account.Type.ADMIN &&
+                network.getVpcId() == null && network.getGuestType() == Network.GuestType.Isolated) {
+            response.setKeepMacAddressOnPublicNic(network.getKeepMacAddressOnPublicNic());
+        }
+
         response.setObjectName("network");
         return response;
     }
@@ -3631,6 +3658,9 @@ public VpcResponse createVpcResponse(ResponseView view, Vpc vpc) {
             }
         }
 
+        if (CallContext.current().getCallingAccount().getType() == Account.Type.ADMIN) {
+            response.setKeepMacAddressOnPublicNic(vpc.getKeepMacAddressOnPublicNic());
+        }
         response.setObjectName("vpc");
         return response;
     }
@@ -4844,6 +4874,8 @@ public NicResponse createNicResponse(Nic result) {
             VpcVO vpc = _entityMgr.findByUuidIncludingRemoved(VpcVO.class, userVm.getVpcUuid());
             response.setVpcName(vpc.getName());
         }
+
+        response.setEnabled(result.isEnabled());
         return response;
     }
 
@@ -5096,7 +5128,25 @@ public UserDataResponse createUserDataResponse(UserData userData) {
 
     @Override
     public BackupScheduleResponse createBackupScheduleResponse(BackupSchedule schedule) {
-        return ApiDBUtils.newBackupScheduleResponse(schedule);
+        BackupScheduleResponse response = new BackupScheduleResponse();
+        response.setId(schedule.getUuid());
+        response.setIntervalType(schedule.getScheduleType());
+        response.setSchedule(schedule.getSchedule());
+        response.setTimezone(schedule.getTimezone());
+        response.setMaxBackups(schedule.getMaxBackups());
+
+        if (schedule.getQuiesceVM() != null) {
+            response.setQuiesceVM(schedule.getQuiesceVM());
+        }
+
+        VMInstanceVO vm = ApiDBUtils.findVMInstanceById(schedule.getVmId());
+        if (vm != null) {
+            response.setVmId(vm.getUuid());
+            response.setVmName(vm.getHostName());
+        }
+
+        response.setObjectName("backupschedule");
+        return response;
     }
 
     @Override
@@ -5393,8 +5443,21 @@ public UnmanagedInstanceResponse createUnmanagedInstanceResponse(UnmanagedInstan
         if (host != null) {
             response.setHostId(host.getUuid());
             response.setHostName(host.getName());
-        } else if (instance.getHostName() != null) {
-            response.setHostName(instance.getHostName());
+            if (host.getHypervisorType() != null) {
+                response.setHypervisor(host.getHypervisorType().name());
+            }
+            response.setHypervisorVersion(host.getHypervisorVersion());
+        } else {
+            // In case the unmanaged instance is on an external host
+            if (instance.getHostName() != null) {
+                response.setHostName(instance.getHostName());
+            }
+            if (instance.getHypervisorType() != null) {
+                response.setHypervisor(instance.getHypervisorType());
+            }
+            if (instance.getHostHypervisorVersion() != null) {
+                response.setHypervisorVersion(instance.getHostHypervisorVersion());
+            }
         }
         response.setPowerState((instance.getPowerState() != null)? instance.getPowerState().toString() : UnmanagedInstanceTO.PowerState.PowerUnknown.toString());
         response.setCpuCores(instance.getCpuCores());
@@ -5802,4 +5865,14 @@ public ListResponse<BaseRolePermissionResponse> createKeypairPermissionsResponse
         response.setResponses(permissionResponses);
         return response;
     }
+
+    @Override
+    public EntityManager getEntityManager() {
+        return _entityMgr;
+    }
+
+    @Override
+    public AccountManager getAccountManager() {
+        return _accountMgr;
+    }
 }
diff --git a/server/src/main/java/com/cloud/api/dispatch/ParamProcessWorker.java b/server/src/main/java/com/cloud/api/dispatch/ParamProcessWorker.java
index 5a634cc0ca8d..2d17fd029a14 100644
--- a/server/src/main/java/com/cloud/api/dispatch/ParamProcessWorker.java
+++ b/server/src/main/java/com/cloud/api/dispatch/ParamProcessWorker.java
@@ -28,7 +28,6 @@
 import java.util.List;
 import java.util.Map;
 import java.util.StringTokenizer;
-import java.util.UUID;
 import java.util.regex.Matcher;
 
 import javax.inject.Inject;
@@ -314,20 +313,7 @@ public void processParameters(final BaseCmd cmd, final Map params) {
 
     protected void doAccessChecks(BaseCmd cmd, Map<Object, AccessType> entitiesToAccess) {
         Account caller = CallContext.current().getCallingAccount();
-        List<Long> entityOwners = cmd.getEntityOwnerIds();
-        Account[] owners = null;
-        if (entityOwners != null) {
-            owners = entityOwners.stream().map(id -> _accountMgr.getAccount(id)).toArray(Account[]::new);
-        } else {
-            if (cmd.getEntityOwnerId() == Account.ACCOUNT_ID_SYSTEM && cmd instanceof BaseAsyncCmd && ((BaseAsyncCmd)cmd).getApiResourceType() == ApiCommandResourceType.Network) {
-                if (logger.isDebugEnabled()) {
-                    logger.debug("Skipping access check on the network owner if the owner is ROOT/system.");
-                }
-                owners = new Account[]{};
-            } else {
-                owners = new Account[]{_accountMgr.getAccount(cmd.getEntityOwnerId())};
-            }
-        }
+        Account[] owners = getEntityOwners(cmd);
 
         if (cmd instanceof BaseAsyncCreateCmd) {
             // check that caller can access the owner account.
@@ -539,7 +525,7 @@ private Long translateUuidToInternalId(final String uuid, final Parameter annota
                         continue;
                     }
                     String entityUuid = ((Identity) objVO).getUuid();
-                    CallContext.current().putApiResourceUuid(annotation.name(), UUID.fromString(entityUuid));
+                    CallContext.current().putApiResourceUuid(annotation.name(), entityUuid);
                 }
                 validateNaturalNumber(internalId, annotation.name());
                 return internalId;
@@ -564,7 +550,7 @@ private Long translateUuidToInternalId(final String uuid, final Parameter annota
             }
             // Return on first non-null Id for the uuid entity
             if (internalId != null){
-                CallContext.current().putApiResourceUuid(annotation.name(), UUID.fromString(uuid));
+                CallContext.current().putApiResourceUuid(annotation.name(), uuid);
                 CallContext.current().putContextParameter(entity, uuid);
                 break;
             }
diff --git a/server/src/main/java/com/cloud/api/query/QueryManagerImpl.java b/server/src/main/java/com/cloud/api/query/QueryManagerImpl.java
index fb97e2f3d8dd..051af377c6d0 100644
--- a/server/src/main/java/com/cloud/api/query/QueryManagerImpl.java
+++ b/server/src/main/java/com/cloud/api/query/QueryManagerImpl.java
@@ -31,7 +31,6 @@
 import java.util.Map;
 import java.util.Objects;
 import java.util.Set;
-import java.util.UUID;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
@@ -52,6 +51,7 @@
 import com.cloud.storage.dao.StoragePoolAndAccessGroupMapDao;
 import com.cloud.cluster.ManagementServerHostPeerJoinVO;
 
+import com.cloud.vm.UserVmManager;
 import org.apache.cloudstack.acl.ControlledEntity;
 import org.apache.cloudstack.acl.ControlledEntity.ACLType;
 import org.apache.cloudstack.acl.SecurityChecker;
@@ -374,7 +374,7 @@
 import com.cloud.vm.dao.VMInstanceDetailsDao;
 
 @Component
-public class QueryManagerImpl extends MutualExclusiveIdsManagerBase implements QueryService, Configurable {
+public class QueryManagerImpl extends MutualExclusiveIdsManagerBase implements QueryService, Configurable, ResourceIdSupport {
 
 
     private static final String ID_FIELD = "id";
@@ -910,26 +910,14 @@ private Pair<List<Long>, Integer> searchForEventIdsAndCount(ListEventsCmd cmd) {
         Integer entryTime = cmd.getEntryTime();
         Integer duration = cmd.getDuration();
         Long startId = cmd.getStartId();
-        final String resourceUuid = cmd.getResourceId();
-        final String resourceTypeStr = cmd.getResourceType();
+        final String resourceUuid = getResourceUuid(cmd.getResourceId());
+        final ApiCommandResourceType resourceType = getResourceType(cmd.getResourceType());
         final String stateStr = cmd.getState();
-        ApiCommandResourceType resourceType = null;
         Long resourceId = null;
-        if (resourceTypeStr != null) {
-            resourceType = ApiCommandResourceType.fromString(resourceTypeStr);
-            if (resourceType == null) {
-                throw new InvalidParameterValueException(String.format("Invalid %s", ApiConstants.RESOURCE_TYPE));
-            }
-        }
         if (resourceUuid != null) {
-            if (resourceTypeStr == null) {
+            if (resourceType == null) {
                 throw new InvalidParameterValueException(String.format("%s parameter must be used with %s parameter", ApiConstants.RESOURCE_ID, ApiConstants.RESOURCE_TYPE));
             }
-            try {
-                UUID.fromString(resourceUuid);
-            } catch (IllegalArgumentException ex) {
-                throw new InvalidParameterValueException(String.format("Invalid %s", ApiConstants.RESOURCE_ID));
-            }
             Object object = entityManager.findByUuidIncludingRemoved(resourceType.getAssociatedClass(), resourceUuid);
             if (object instanceof InternalIdentity) {
                 resourceId = ((InternalIdentity)object).getId();
@@ -3275,6 +3263,18 @@ private Pair<List<AsyncJobJoinVO>, Integer> searchForAsyncJobsInternal(ListAsync
             sc.setParameters("executingMsid", msHost.getMsid());
         }
 
+        if (cmd.getResourceType() != null) {
+            ApiCommandResourceType resourceType = getResourceType(cmd.getResourceType());
+            sc.addAnd("instanceType", SearchCriteria.Op.EQ, resourceType.toString());
+
+            final String resourceId = getResourceUuid(cmd.getResourceId());
+            if (resourceId != null) {
+                sc.addAnd("instanceUuid", SearchCriteria.Op.EQ, resourceId);
+            }
+        } else if (cmd.getResourceId() != null) {
+            throw new InvalidParameterValueException(String.format("%s parameter must be used with %s parameter", ApiConstants.RESOURCE_ID, ApiConstants.RESOURCE_TYPE));
+        }
+
         return _jobJoinDao.searchAndCount(sc, searchFilter);
     }
 
@@ -4401,6 +4401,9 @@ private Pair<List<Long>, Integer> searchForServiceOfferingIdsAndCount(ListServic
         List<String> hostTags = new ArrayList<>();
         if (currentVmOffering != null) {
             hostTags.addAll(com.cloud.utils.StringUtils.csvTagsToList(currentVmOffering.getHostTag()));
+            if (UserVmManager.AllowDifferentHostTagsOfferingsForVmScale.value()) {
+                addVmCurrentClusterHostTags(vmInstance, hostTags);
+            }
         }
 
         if (!hostTags.isEmpty()) {
@@ -4412,7 +4415,7 @@ private Pair<List<Long>, Integer> searchForServiceOfferingIdsAndCount(ListServic
                     flag = false;
                     serviceOfferingSearch.op("hostTag" + tag, serviceOfferingSearch.entity().getHostTag(), Op.FIND_IN_SET);
                 } else {
-                    serviceOfferingSearch.and("hostTag" + tag, serviceOfferingSearch.entity().getHostTag(), Op.FIND_IN_SET);
+                    serviceOfferingSearch.or("hostTag" + tag, serviceOfferingSearch.entity().getHostTag(), Op.FIND_IN_SET);
                 }
             }
             serviceOfferingSearch.cp().cp();
@@ -4557,6 +4560,30 @@ private Pair<List<Long>, Integer> searchForServiceOfferingIdsAndCount(ListServic
         return new Pair<>(offeringIds, count);
     }
 
+    protected void addVmCurrentClusterHostTags(VMInstanceVO vmInstance, List<String> hostTags) {
+        if (vmInstance == null) {
+            return;
+        }
+        Long hostId = vmInstance.getHostId() == null ? vmInstance.getLastHostId() : vmInstance.getHostId();
+        if (hostId == null) {
+            return;
+        }
+        HostVO host = hostDao.findById(hostId);
+        if (host == null) {
+            logger.warn("Unable to find host with id " + hostId);
+            return;
+        }
+        List<String> clusterTags = _hostTagDao.listByClusterId(host.getClusterId());
+        if (CollectionUtils.isEmpty(clusterTags)) {
+            logger.debug("No host tags defined for hosts in the cluster " + host.getClusterId());
+            return;
+        }
+        Set<String> existingTagsSet = new HashSet<>(hostTags);
+        clusterTags.stream()
+                .filter(tag -> !existingTagsSet.contains(tag))
+                .forEach(hostTags::add);
+    }
+
     @Override
     public ListResponse<ZoneResponse> listDataCenters(ListZonesCmd cmd) {
         Pair<List<DataCenterJoinVO>, Integer> result = listDataCentersInternal(cmd);
@@ -5007,16 +5034,13 @@ private Pair<List<TemplateJoinVO>, Integer> searchForTemplatesInternal(Long temp
                 ex.addProxyObject(template.getUuid(), "templateId");
                 throw ex;
             }
+
             if (!template.isPublicTemplate() && caller.getType() == Account.Type.DOMAIN_ADMIN) {
                 Account template_acc = accountMgr.getAccount(template.getAccountId());
                 DomainVO domain = _domainDao.findById(template_acc.getDomainId());
                 accountMgr.checkAccess(caller, domain);
-            }
-
-            // if template is not public, perform permission check here
-            else if (!template.isPublicTemplate() && caller.getType() != Account.Type.ADMIN) {
-                accountMgr.checkAccess(caller, null, false, template);
-            } else if (template.isPublicTemplate()) {
+            } else if (template.isPublicTemplate() || caller.getType() != Account.Type.ADMIN) {
+                // if template is not public or non-admin caller, perform permission check here
                 accountMgr.checkAccess(caller, null, false, template);
             }
 
@@ -6335,4 +6359,14 @@ public ConfigKey<?>[] getConfigKeys() {
         return new ConfigKey<?>[] {AllowUserViewDestroyedVM, UserVMDeniedDetails, UserVMReadOnlyDetails, SortKeyAscending,
                 AllowUserViewAllDomainAccounts, AllowUserViewAllDataCenters, SharePublicTemplatesWithOtherDomains, ReturnVmStatsOnVmList};
     }
+
+    @Override
+    public EntityManager getEntityManager() {
+        return entityManager;
+    }
+
+    @Override
+    public AccountManager getAccountManager() {
+        return accountMgr;
+    }
 }
diff --git a/server/src/main/java/com/cloud/api/query/ResourceIdSupport.java b/server/src/main/java/com/cloud/api/query/ResourceIdSupport.java
new file mode 100644
index 000000000000..2c32df22f0c5
--- /dev/null
+++ b/server/src/main/java/com/cloud/api/query/ResourceIdSupport.java
@@ -0,0 +1,123 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.api.query;
+
+import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.user.Account;
+import com.cloud.user.AccountManager;
+import com.cloud.utils.db.EntityManager;
+import org.apache.cloudstack.acl.ControlledEntity;
+import org.apache.cloudstack.api.ApiCommandResourceType;
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.InternalIdentity;
+import org.apache.cloudstack.context.CallContext;
+import org.apache.commons.lang3.StringUtils;
+
+import java.util.Optional;
+import java.util.UUID;
+import static org.apache.cloudstack.acl.SecurityChecker.AccessType;
+
+/**
+ * Support interface for converting resource UUIDs to internal IDs
+ * with validation and access control.
+ *
+ * @author mprokopchuk
+ */
+public interface ResourceIdSupport {
+
+    EntityManager getEntityManager();
+
+    AccountManager getAccountManager();
+
+    /**
+     * Converts resource UUID to internal database ID with access control checks.
+     *
+     * @param resourceType type of the resource
+     * @param resourceUuid UUID of the resource
+     * @return internal resource ID or null if parameters are null
+     * @throws InvalidParameterValueException if only one parameter provided or resource not found
+     */
+    default Long getResourceId(ApiCommandResourceType resourceType, String resourceUuid) {
+        String uuid = getResourceUuid(resourceUuid);
+
+        if (resourceType == null && uuid == null) {
+            return null;
+        } else if ((resourceType == null) ^ (uuid == null)) {
+            throw new InvalidParameterValueException(String.format("Both %s and %s required",
+                    ApiConstants.RESOURCE_ID, ApiConstants.RESOURCE_TYPE));
+        }
+
+        Object object = getEntityManager().findByUuidIncludingRemoved(resourceType.getAssociatedClass(), resourceUuid);
+        if (!(object instanceof InternalIdentity)) {
+            throw new InvalidParameterValueException(String.format("Invalid %s", ApiConstants.RESOURCE_ID));
+        }
+        Long resourceId = ((InternalIdentity) object).getId();
+
+        Account caller = CallContext.current().getCallingAccount();
+        boolean isRootAdmin = getAccountManager().isRootAdmin(caller.getId());
+
+        if (!isRootAdmin && object instanceof ControlledEntity) {
+            ControlledEntity entity = (ControlledEntity) object;
+            boolean sameOwner = entity.getAccountId() == caller.getId();
+            getAccountManager().checkAccess(caller, AccessType.ListEntry, sameOwner, entity);
+        }
+
+        return resourceId;
+    }
+
+    /**
+     * Parses and validates resource type string.
+     *
+     * @param resourceType resource type as string
+     * @return parsed resource type or null if not provided
+     * @throws InvalidParameterValueException if provided type is invalid
+     */
+    default ApiCommandResourceType getResourceType(String resourceType) {
+        Optional<String> resourceTypeOpt = Optional.ofNullable(resourceType).filter(StringUtils::isNotBlank);
+        // return null if resource type was not provided
+        if (resourceTypeOpt.isEmpty()) {
+            return null;
+        }
+        // return value or throw exception if provided resource type is invalid
+        return resourceTypeOpt
+                .map(ApiCommandResourceType::fromString)
+                .orElseThrow(() -> new InvalidParameterValueException(String.format("Invalid %s",
+                        ApiConstants.RESOURCE_TYPE)));
+    }
+
+    /**
+     * Validates resource UUID format.
+     *
+     * @param resourceUuid UUID string to validate
+     * @return validated UUID or null if not provided
+     * @throws InvalidParameterValueException if UUID format is invalid
+     */
+    default String getResourceUuid(String resourceUuid) {
+        if (StringUtils.isBlank(resourceUuid)) {
+            return null;
+        }
+
+        try {
+            UUID.fromString(resourceUuid);
+        } catch (IllegalArgumentException ex) {
+            throw new InvalidParameterValueException(String.format("Invalid %s", ApiConstants.RESOURCE_ID));
+        }
+
+        return resourceUuid;
+    }
+
+}
diff --git a/server/src/main/java/com/cloud/api/query/dao/DomainRouterJoinDaoImpl.java b/server/src/main/java/com/cloud/api/query/dao/DomainRouterJoinDaoImpl.java
index 2c6c64816619..9bc409d455e7 100644
--- a/server/src/main/java/com/cloud/api/query/dao/DomainRouterJoinDaoImpl.java
+++ b/server/src/main/java/com/cloud/api/query/dao/DomainRouterJoinDaoImpl.java
@@ -196,6 +196,7 @@ public DomainRouterResponse newDomainRouterResponse(DomainRouterJoinVO router, A
                     nicResponse.setMtu(router.getMtu());
                 }
                 nicResponse.setIsDefault(router.isDefaultNic());
+                nicResponse.setEnabled(router.isNicEnabled());
                 nicResponse.setObjectName("nic");
                 routerResponse.addNic(nicResponse);
             }
@@ -289,6 +290,7 @@ public DomainRouterResponse setDomainRouterResponse(DomainRouterResponse vrData,
                 nicResponse.setMtu(vr.getMtu());
             }
             nicResponse.setIsDefault(vr.isDefaultNic());
+            nicResponse.setEnabled(vr.isNicEnabled());
             nicResponse.setObjectName("nic");
             vrData.addNic(nicResponse);
         }
diff --git a/server/src/main/java/com/cloud/api/query/dao/UserVmJoinDaoImpl.java b/server/src/main/java/com/cloud/api/query/dao/UserVmJoinDaoImpl.java
index 93dca8cc07a1..72690091e40e 100644
--- a/server/src/main/java/com/cloud/api/query/dao/UserVmJoinDaoImpl.java
+++ b/server/src/main/java/com/cloud/api/query/dao/UserVmJoinDaoImpl.java
@@ -17,14 +17,13 @@
 package com.cloud.api.query.dao;
 
 import java.text.DecimalFormat;
-import java.util.ArrayList;
-import java.util.Collections;
 import java.time.LocalDate;
 import java.time.ZoneId;
 import java.time.temporal.ChronoUnit;
+import java.util.ArrayList;
 import java.util.Calendar;
+import java.util.Collections;
 import java.util.Date;
-
 import java.util.HashMap;
 import java.util.Hashtable;
 import java.util.List;
@@ -34,8 +33,6 @@
 
 import javax.inject.Inject;
 
-import com.cloud.gpu.dao.VgpuProfileDao;
-import com.cloud.service.dao.ServiceOfferingDao;
 import org.apache.cloudstack.affinity.AffinityGroupResponse;
 import org.apache.cloudstack.annotation.AnnotationService;
 import org.apache.cloudstack.annotation.dao.AnnotationDao;
@@ -49,6 +46,7 @@
 import org.apache.cloudstack.api.response.UserVmResponse;
 import org.apache.cloudstack.api.response.VnfNicResponse;
 import org.apache.cloudstack.context.CallContext;
+import org.apache.cloudstack.extension.ExtensionHelper;
 import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
 import org.apache.cloudstack.query.QueryService;
 import org.apache.cloudstack.vm.lease.VMLeaseManager;
@@ -61,11 +59,13 @@
 import com.cloud.api.ApiResponseHelper;
 import com.cloud.api.query.vo.UserVmJoinVO;
 import com.cloud.gpu.GPU;
+import com.cloud.gpu.dao.VgpuProfileDao;
 import com.cloud.host.ControlState;
 import com.cloud.network.IpAddress;
 import com.cloud.network.vpc.VpcVO;
 import com.cloud.network.vpc.dao.VpcDao;
 import com.cloud.service.ServiceOfferingDetailsVO;
+import com.cloud.service.dao.ServiceOfferingDao;
 import com.cloud.storage.DiskOfferingVO;
 import com.cloud.storage.GuestOS;
 import com.cloud.storage.Storage.TemplateType;
@@ -94,7 +94,6 @@
 import com.cloud.vm.VmStats;
 import com.cloud.vm.dao.NicExtraDhcpOptionDao;
 import com.cloud.vm.dao.NicSecondaryIpVO;
-
 import com.cloud.vm.dao.VMInstanceDetailsDao;
 
 @Component
@@ -128,6 +127,8 @@ public class UserVmJoinDaoImpl extends GenericDaoBaseWithTagInformation<UserVmJo
     private VgpuProfileDao vgpuProfileDao;
     @Inject
     VMTemplateDao vmTemplateDao;
+    @Inject
+    ExtensionHelper extensionHelper;
 
     private final SearchBuilder<UserVmJoinVO> VmDetailSearch;
     private final SearchBuilder<UserVmJoinVO> activeVmByIsoSearch;
@@ -358,6 +359,7 @@ public UserVmResponse newUserVmResponse(ResponseView view, String objectName, Us
                 nicResponse.setIp6Address(userVm.getIp6Address());
                 nicResponse.setIp6Gateway(userVm.getIp6Gateway());
                 nicResponse.setIp6Cidr(userVm.getIp6Cidr());
+                nicResponse.setEnabled(userVm.isNicEnabled());
                 if (userVm.getBroadcastUri() != null) {
                     nicResponse.setBroadcastUri(userVm.getBroadcastUri().toString());
                 }
@@ -460,7 +462,16 @@ public UserVmResponse newUserVmResponse(ResponseView view, String objectName, Us
 
             // Remove deny listed settings if user is not admin
             if (caller.getType() != Account.Type.ADMIN) {
-                String[] userVmSettingsToHide = QueryService.UserVMDeniedDetails.value().split(",");
+                List<String> userVmSettingsToHide = new ArrayList<>();
+                String[] parts = QueryService.UserVMDeniedDetails.value().split(",");
+                if (parts.length > 0) {
+                    Collections.addAll(userVmSettingsToHide, parts);
+                }
+                if (userVm.getTemplateExtensionId() != null) {
+                    userVmSettingsToHide.addAll(extensionHelper.getExtensionReservedResourceDetails(
+                            userVm.getTemplateExtensionId()));
+                }
+
                 for (String key : userVmSettingsToHide) {
                     resourceDetails.remove(key.trim());
                 }
@@ -520,7 +531,6 @@ public UserVmResponse newUserVmResponse(ResponseView view, String objectName, Us
         return userVmResponse;
     }
 
-
     private long computeLeaseDurationFromExpiryDate(Date created, Date leaseExpiryDate) {
         LocalDate createdDate = created.toInstant().atZone(ZoneId.systemDefault()).toLocalDate();
         LocalDate expiryDate = leaseExpiryDate.toInstant().atZone(ZoneId.systemDefault()).toLocalDate();
@@ -556,7 +566,7 @@ private void addVmRxTxDataToResponse(UserVmJoinVO userVm, UserVmResponse userVmR
 
     /**
      * The resulting Response attempts to be in line with what is returned from
-     * @see com.cloud.api.ApiResponseHelper#createNicResponse(Nic)
+     * @see com.cloud.api.ApiResponseHelper#{code}createNicResponse(Nic){code}
      */
     @Override
     public UserVmResponse setUserVmResponse(ResponseView view, UserVmResponse userVmData, UserVmJoinVO uvo) {
@@ -625,6 +635,7 @@ public UserVmResponse setUserVmResponse(ResponseView view, UserVmResponse userVm
             /*17: default*/
             nicResponse.setIsDefault(uvo.isDefaultNic());
             nicResponse.setDeviceId(String.valueOf(uvo.getNicDeviceId()));
+            nicResponse.setEnabled(uvo.isNicEnabled());
             List<NicSecondaryIpVO> secondaryIps = ApiDBUtils.findNicSecondaryIps(uvo.getNicId());
             if (secondaryIps != null) {
                 List<NicSecondaryIpResponse> ipList = new ArrayList<NicSecondaryIpResponse>();
diff --git a/server/src/main/java/com/cloud/api/query/vo/DomainRouterJoinVO.java b/server/src/main/java/com/cloud/api/query/vo/DomainRouterJoinVO.java
index 485b8f0a6b93..db7f75b6f2bb 100644
--- a/server/src/main/java/com/cloud/api/query/vo/DomainRouterJoinVO.java
+++ b/server/src/main/java/com/cloud/api/query/vo/DomainRouterJoinVO.java
@@ -274,6 +274,9 @@ public class DomainRouterJoinVO extends BaseViewVO implements ControlledViewEnti
     @Column(name = "mtu")
     private Integer mtu;
 
+    @Column(name = "is_nic_enabled")
+    private boolean isNicEnabled;
+
     public DomainRouterJoinVO() {
     }
 
@@ -577,4 +580,8 @@ public String getSoftwareVersion() {
     public Integer getMtu() {
         return mtu;
     }
+
+    public boolean isNicEnabled() {
+        return isNicEnabled;
+    }
 }
diff --git a/server/src/main/java/com/cloud/api/query/vo/UserVmJoinVO.java b/server/src/main/java/com/cloud/api/query/vo/UserVmJoinVO.java
index eab34081d514..c59a13ccd1b2 100644
--- a/server/src/main/java/com/cloud/api/query/vo/UserVmJoinVO.java
+++ b/server/src/main/java/com/cloud/api/query/vo/UserVmJoinVO.java
@@ -207,6 +207,9 @@ public class UserVmJoinVO extends BaseViewWithTagInformationVO implements Contro
     @Column(name = "template_format")
     private Storage.ImageFormat templateFormat;
 
+    @Column(name = "template_extension_id")
+    private Long templateExtensionId;
+
     @Column(name = "password_enabled")
     private boolean passwordEnabled;
 
@@ -345,6 +348,9 @@ public class UserVmJoinVO extends BaseViewWithTagInformationVO implements Contro
     @Column(name = "is_default_nic")
     private boolean isDefaultNic;
 
+    @Column(name = "is_nic_enabled")
+    private boolean isNicEnabled;
+
     @Column(name = "ip_address")
     private String ipAddress;
 
@@ -709,6 +715,10 @@ public Storage.ImageFormat getTemplateFormat() {
         return templateFormat;
     }
 
+    public Long getTemplateExtensionId() {
+        return templateExtensionId;
+    }
+
     public boolean isPasswordEnabled() {
         return passwordEnabled;
     }
@@ -1089,4 +1099,8 @@ public void setLeaseExpiryAction(String leaseExpiryAction) {
     public String getLeaseActionExecution() {
         return leaseActionExecution;
     }
+
+    public boolean isNicEnabled() {
+        return isNicEnabled;
+    }
 }
diff --git a/server/src/main/java/com/cloud/capacity/CapacityManagerImpl.java b/server/src/main/java/com/cloud/capacity/CapacityManagerImpl.java
index 2940f900b081..3be7384ffb71 100644
--- a/server/src/main/java/com/cloud/capacity/CapacityManagerImpl.java
+++ b/server/src/main/java/com/cloud/capacity/CapacityManagerImpl.java
@@ -1214,6 +1214,6 @@ public String getConfigComponentName() {
     public ConfigKey<?>[] getConfigKeys() {
         return new ConfigKey<?>[] {CpuOverprovisioningFactor, MemOverprovisioningFactor, StorageCapacityDisableThreshold, StorageOverprovisioningFactor,
                 StorageAllocatedCapacityDisableThreshold, StorageOperationsExcludeCluster, ImageStoreNFSVersion, SecondaryStorageCapacityThreshold,
-                StorageAllocatedCapacityDisableThresholdForVolumeSize, CapacityCalculateWorkers };
+                StorageAllocatedCapacityDisableThresholdForVolumeSize, CapacityCalculateWorkers, KvmMemoryDynamicScalingCapacity, KvmCpuDynamicScalingCapacity };
     }
 }
diff --git a/server/src/main/java/com/cloud/configuration/ConfigurationManagerImpl.java b/server/src/main/java/com/cloud/configuration/ConfigurationManagerImpl.java
index 6cc816a81dec..6da5dda967d0 100644
--- a/server/src/main/java/com/cloud/configuration/ConfigurationManagerImpl.java
+++ b/server/src/main/java/com/cloud/configuration/ConfigurationManagerImpl.java
@@ -132,6 +132,7 @@
 import org.apache.cloudstack.region.Region;
 import org.apache.cloudstack.region.RegionVO;
 import org.apache.cloudstack.region.dao.RegionDao;
+import org.apache.cloudstack.reservation.dao.ReservationDao;
 import org.apache.cloudstack.resourcedetail.DiskOfferingDetailVO;
 import org.apache.cloudstack.resourcedetail.dao.DiskOfferingDetailsDao;
 import org.apache.cloudstack.storage.datastore.db.ImageStoreDao;
@@ -271,6 +272,7 @@
 import com.cloud.org.Grouping.AllocationState;
 import com.cloud.projects.Project;
 import com.cloud.projects.ProjectManager;
+import com.cloud.resourcelimit.CheckedReservation;
 import com.cloud.server.ManagementService;
 import com.cloud.service.ServiceOfferingDetailsVO;
 import com.cloud.service.ServiceOfferingVO;
@@ -415,6 +417,8 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
     @Inject
     ResourceLimitService _resourceLimitMgr;
     @Inject
+    ReservationDao reservationDao;
+    @Inject
     ProjectManager _projectMgr;
     @Inject
     NetworkOfferingServiceMapDao _ntwkOffServiceMapDao;
@@ -543,6 +547,9 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
     public static final ConfigKey<Boolean> ALLOW_DOMAIN_ADMINS_TO_CREATE_TAGGED_OFFERINGS = new ConfigKey<>(Boolean.class, "allow.domain.admins.to.create.tagged.offerings", "Advanced",
             "false", "Allow domain admins to create offerings with tags.", true, ConfigKey.Scope.Account, null);
 
+    public static final ConfigKey<Boolean> EXPOSE_ERRORS_TO_USER = new ConfigKey<>(Boolean.class, "expose.errors.to.user", ConfigKey.CATEGORY_ADVANCED,
+            "false", "If set to true, detailed error messages will be returned to all user roles. If false, detailed errors are only shown to admin users", true, ConfigKey.Scope.Global, null);
+
     public static final ConfigKey<Long> DELETE_QUERY_BATCH_SIZE = new ConfigKey<>("Advanced", Long.class, "delete.query.batch.size", "0",
             "Indicates the limit applied while deleting entries in bulk. With this, the delete query will apply the limit as many times as necessary," +
                     " to delete all the entries. This is advised when retaining several days of records, which can lead to slowness. <= 0 means that no limit will " +
@@ -650,7 +657,6 @@ protected void overProvisioningFactorsForValidation() {
     protected void populateConfigKeysAllowedOnlyForDefaultAdmin() {
         configKeysAllowedOnlyForDefaultAdmin.add(AccountManagerImpl.listOfRoleTypesAllowedForOperationsOfSameRoleType.key());
         configKeysAllowedOnlyForDefaultAdmin.add(AccountManagerImpl.allowOperationsOnUsersInSameAccount.key());
-
         configKeysAllowedOnlyForDefaultAdmin.add(VirtualMachineManager.SystemVmEnableUserData.key());
         configKeysAllowedOnlyForDefaultAdmin.add(ConsoleProxyManager.ConsoleProxyVmUserData.key());
         configKeysAllowedOnlyForDefaultAdmin.add(SecondaryStorageVmManager.SecondaryStorageVmUserData.key());
@@ -999,7 +1005,7 @@ private void updateCustomDisplayNameOnHypervisorsList(String previousValue, Stri
         String hypervisors = _configDao.getValue(hypervisorListConfigName);
         if (Arrays.asList(hypervisors.split(",")).contains(previousValue)) {
             hypervisors = hypervisors.replace(previousValue, newValue);
-            logger.info("Updating the hypervisor list configuration '{}}' to match the new custom hypervisor display name",
+            logger.info("Updating the hypervisor list configuration '{}' to match the new custom hypervisor display name",
                     hypervisorListConfigName);
             _configDao.update(hypervisorListConfigName, hypervisors);
         }
@@ -5509,22 +5515,20 @@ public Vlan createVlanAndPublicIpRange(final CreateVlanIpRangeCmd cmd) throws In
             throw new InvalidParameterValueException("Gateway, netmask and zoneId have to be passed in for virtual and direct untagged networks");
         }
 
-        if (forVirtualNetwork) {
-            if (vlanOwner != null) {
-
-                final long accountIpRange = NetUtils.ip2Long(endIP) - NetUtils.ip2Long(startIP) + 1;
-
-                // check resource limits
-                _resourceLimitMgr.checkResourceLimit(vlanOwner, ResourceType.public_ip, accountIpRange);
-            }
-        }
         // Check if the IP range overlaps with the private ip
         if (ipv4) {
             checkOverlapPrivateIpRange(zoneId, startIP, endIP);
         }
 
-        return commitVlan(zoneId, podId, startIP, endIP, newVlanGateway, newVlanNetmask, vlanId, forVirtualNetwork, forSystemVms, networkId, physicalNetworkId, startIPv6, endIPv6, ip6Gateway,
-                ip6Cidr, domain, vlanOwner, network, sameSubnet, cmd.getProvider());
+        long reservedIpAddressesAmount = 0L;
+        if (forVirtualNetwork && vlanOwner != null) {
+            reservedIpAddressesAmount = NetUtils.ip2Long(endIP) - NetUtils.ip2Long(startIP) + 1;
+        }
+
+        try (CheckedReservation publicIpReservation = new CheckedReservation(vlanOwner, ResourceType.public_ip, null, null, null, reservedIpAddressesAmount, null, reservationDao, _resourceLimitMgr)) {
+            return commitVlan(zoneId, podId, startIP, endIP, newVlanGateway, newVlanNetmask, vlanId, forVirtualNetwork, forSystemVms, networkId, physicalNetworkId, startIPv6, endIPv6, ip6Gateway,
+                    ip6Cidr, domain, vlanOwner, network, sameSubnet, cmd.getProvider());
+        }
     }
 
     private Network getNetwork(Long networkId) {
@@ -5894,7 +5898,7 @@ public Vlan createVlanAndPublicIpRange(final long zoneId, final long networkId,
         final VlanVO vlan = commitVlanAndIpRange(zoneId, networkId, physicalNetworkId, podId, startIP, endIP, vlanGateway, vlanNetmask, vlanId, domain, vlanOwner, vlanIp6Gateway, vlanIp6Cidr,
                 ipv4, zone, vlanType, ipv6Range, ipRange, forSystemVms, provider);
 
-        if (vlan != null) {
+        if (vlan != null && network.getTrafficType() != TrafficType.Public) {
             if (ipv4) {
                 addCidrAndGatewayForIpv4(networkId, vlanGateway, vlanNetmask);
             } else if (ipv6) {
@@ -6060,7 +6064,7 @@ public VlanVO doInTransaction(final TransactionStatus status) {
                                 ip.isSourceNat(), vlan.getVlanType().toString(), ip.getSystem(), usageHidden, ip.getClass().getName(), ip.getUuid());
                     }
                     // increment resource count for dedicated public ip's
-                    _resourceLimitMgr.incrementResourceCount(vlanOwner.getId(), ResourceType.public_ip, new Long(ips.size()));
+                    _resourceLimitMgr.incrementResourceCount(vlanOwner.getId(), ResourceType.public_ip, (long)ips.size());
                 } else if (domain != null && !forSystemVms) {
                     // This VLAN is domain-wide, so create a DomainVlanMapVO entry
                     final DomainVlanMapVO domainVlanMapVO = new DomainVlanMapVO(domain.getId(), vlan.getId());
@@ -6104,7 +6108,7 @@ public Vlan updateVlanAndPublicIpRange(final long id, String startIp,
                                            String endIpv6,
                                            String ip6Gateway,
                                            String ip6Cidr,
-                                           Boolean forSystemVms) throws ConcurrentOperationException {
+                                           Boolean forSystemVms) throws ConcurrentOperationException, ResourceAllocationException {
 
         VlanVO vlanRange = _vlanDao.findById(id);
         if (vlanRange == null) {
@@ -6124,24 +6128,49 @@ public Vlan updateVlanAndPublicIpRange(final long id, String startIp,
             }
         }
 
+        AccountVlanMapVO accountMap = _accountVlanMapDao.findAccountVlanMap(null, id);
+        Account account = accountMap != null ? _accountDao.findById(accountMap.getAccountId()) : null;
+
+        DomainVlanMapVO domainMap = _domainVlanMapDao.findDomainVlanMap(null, id);
+        Long domainId = domainMap != null ? domainMap.getDomainId() : null;
+
         final Boolean isRangeForSystemVM = checkIfVlanRangeIsForSystemVM(id);
         if (forSystemVms != null && isRangeForSystemVM != forSystemVms) {
             if (VlanType.DirectAttached.equals(vlanRange.getVlanType())) {
                 throw new InvalidParameterValueException("forSystemVms is not available for this IP range with vlan type: " + VlanType.DirectAttached);
             }
             // Check if range has already been dedicated
-            final List<AccountVlanMapVO> maps = _accountVlanMapDao.listAccountVlanMapsByVlan(id);
-            if (maps != null && !maps.isEmpty()) {
+            if (account != null) {
                 throw new InvalidParameterValueException("Specified Public IP range has already been dedicated to an account");
             }
-
-            List<DomainVlanMapVO> domainmaps = _domainVlanMapDao.listDomainVlanMapsByVlan(id);
-            if (domainmaps != null && !domainmaps.isEmpty()) {
+            if (domainId != null) {
                 throw new InvalidParameterValueException("Specified Public IP range has already been dedicated to a domain");
             }
         }
         if (ipv4) {
-            updateVlanAndIpv4Range(id, vlanRange, startIp, endIp, gateway, netmask, isRangeForSystemVM, forSystemVms);
+            long existingIpAddressAmount = 0L;
+            long newIpAddressAmount = 0L;
+
+            if (account != null) {
+                // IPv4 public range is dedicated to an account (IPv6 cannot be dedicated at the moment).
+                // We need to update the resource count.
+                existingIpAddressAmount = _publicIpAddressDao.countIPs(vlanRange.getDataCenterId(), id, false);
+                newIpAddressAmount = NetUtils.ip2Long(endIp) - NetUtils.ip2Long(startIp) + 1;
+            }
+
+            try (CheckedReservation publicIpReservation = new CheckedReservation(account, ResourceType.public_ip, null, null, null, newIpAddressAmount, existingIpAddressAmount, reservationDao, _resourceLimitMgr)) {
+
+                updateVlanAndIpv4Range(id, vlanRange, startIp, endIp, gateway, netmask, isRangeForSystemVM, forSystemVms);
+
+                if (account != null) {
+                    long countDiff = newIpAddressAmount - existingIpAddressAmount;
+                    if (countDiff > 0) {
+                        _resourceLimitMgr.incrementResourceCount(account.getId(), ResourceType.public_ip, countDiff);
+                    } else if (countDiff < 0) {
+                        _resourceLimitMgr.decrementResourceCount(account.getId(), ResourceType.public_ip, Math.abs(countDiff));
+                    }
+                }
+            }
         }
         if (ipv6) {
             updateVlanAndIpv6Range(id, vlanRange, startIpv6, endIpv6, ip6Gateway, ip6Cidr, isRangeForSystemVM, forSystemVms);
@@ -6420,7 +6449,7 @@ public VlanVO deleteVlanAndPublicIpRange(final long userId, final long vlanDbId,
             } finally {
                 _vlanDao.releaseFromLockTable(vlanDbId);
                 if (resourceCountToBeDecrement > 0) {  //Making sure to decrement the count of only success operations above. For any reaason if disassociation fails then this number will vary from original range length.
-                    _resourceLimitMgr.decrementResourceCount(acctVln.get(0).getAccountId(), ResourceType.public_ip, new Long(resourceCountToBeDecrement));
+                    _resourceLimitMgr.decrementResourceCount(acctVln.get(0).getAccountId(), ResourceType.public_ip, (long)resourceCountToBeDecrement);
                 }
             }
         } else {   // !isAccountSpecific
@@ -6528,12 +6557,6 @@ public Vlan dedicatePublicIpRange(final DedicatePublicIpRangeCmd cmd) throws Res
             throw new InvalidParameterValueException("Public IP range can be dedicated to an account only in the zone of type " + NetworkType.Advanced);
         }
 
-        // Check Public IP resource limits
-        if (vlanOwner != null) {
-            final int accountPublicIpRange = _publicIpAddressDao.countIPs(zoneId, vlanDbId, false);
-            _resourceLimitMgr.checkResourceLimit(vlanOwner, ResourceType.public_ip, accountPublicIpRange);
-        }
-
         // Check if any of the Public IP addresses is allocated to another
         // account
         final List<IPAddressVO> ips = _publicIpAddressDao.listByVlanId(vlanDbId);
@@ -6554,29 +6577,35 @@ public Vlan dedicatePublicIpRange(final DedicatePublicIpRangeCmd cmd) throws Res
             }
         }
 
-        if (vlanOwner != null) {
-            // Create an AccountVlanMapVO entry
-            final AccountVlanMapVO accountVlanMapVO = new AccountVlanMapVO(vlanOwner.getId(), vlan.getId());
-            _accountVlanMapDao.persist(accountVlanMapVO);
+        // Check Public IP resource limits
+        long reservedIpAddressesAmount = vlanOwner != null ? _publicIpAddressDao.countIPs(zoneId, vlanDbId, false) : 0L;
+        try (CheckedReservation publicIpReservation = new CheckedReservation(vlanOwner, ResourceType.public_ip, null, null, null, reservedIpAddressesAmount, null, reservationDao, _resourceLimitMgr)) {
 
-           // generate usage event for dedication of every ip address in the range
-            for (final IPAddressVO ip : ips) {
-                final boolean usageHidden = _ipAddrMgr.isUsageHidden(ip);
-                UsageEventUtils.publishUsageEvent(EventTypes.EVENT_NET_IP_ASSIGN, vlanOwner.getId(), ip.getDataCenterId(), ip.getId(), ip.getAddress().toString(), ip.isSourceNat(),
-                        vlan.getVlanType().toString(), ip.getSystem(), usageHidden, ip.getClass().getName(), ip.getUuid());
+            if (vlanOwner != null) {
+                // Create an AccountVlanMapVO entry
+                final AccountVlanMapVO accountVlanMapVO = new AccountVlanMapVO(vlanOwner.getId(), vlan.getId());
+                _accountVlanMapDao.persist(accountVlanMapVO);
+
+               // generate usage event for dedication of every ip address in the range
+                for (final IPAddressVO ip : ips) {
+                    final boolean usageHidden = _ipAddrMgr.isUsageHidden(ip);
+                    UsageEventUtils.publishUsageEvent(EventTypes.EVENT_NET_IP_ASSIGN, vlanOwner.getId(), ip.getDataCenterId(), ip.getId(), ip.getAddress().toString(), ip.isSourceNat(),
+                            vlan.getVlanType().toString(), ip.getSystem(), usageHidden, ip.getClass().getName(), ip.getUuid());
+                }
+            } else if (domain != null) {
+                // Create an DomainVlanMapVO entry
+                DomainVlanMapVO domainVlanMapVO = new DomainVlanMapVO(domain.getId(), vlan.getId());
+                _domainVlanMapDao.persist(domainVlanMapVO);
             }
-        } else if (domain != null) {
-            // Create an DomainVlanMapVO entry
-            DomainVlanMapVO domainVlanMapVO = new DomainVlanMapVO(domain.getId(), vlan.getId());
-            _domainVlanMapDao.persist(domainVlanMapVO);
-        }
 
-        // increment resource count for dedicated public ip's
-        if (vlanOwner != null) {
-            _resourceLimitMgr.incrementResourceCount(vlanOwner.getId(), ResourceType.public_ip, new Long(ips.size()));
-        }
+            // increment resource count for dedicated public ip's
+            if (vlanOwner != null) {
+                _resourceLimitMgr.incrementResourceCount(vlanOwner.getId(), ResourceType.public_ip, (long)ips.size());
+            }
 
-        return vlan;
+            return vlan;
+
+        }
     }
 
     @Override
@@ -6665,7 +6694,7 @@ public boolean releasePublicIpRange(final long vlanDbId, final User user, final
                 }
             }
             // decrement resource count for dedicated public ip's
-            _resourceLimitMgr.decrementResourceCount(acctVln.get(0).getAccountId(), ResourceType.public_ip, new Long(ips.size()));
+            _resourceLimitMgr.decrementResourceCount(acctVln.get(0).getAccountId(), ResourceType.public_ip, (long)ips.size());
             success = true;
         } else if (isDomainSpecific && _domainVlanMapDao.remove(domainVlan.get(0).getId())) {
             logger.debug("Remove the vlan from domain_vlan_map successfully.");
@@ -6834,7 +6863,7 @@ public void checkPodCidrSubnets(final long dcId, final Long podIdToBeSkipped, fi
         final List<Object> newCidrPair = new ArrayList<>();
         newCidrPair.add(0, getCidrAddress(cidr));
         newCidrPair.add(1, (long)getCidrSize(cidr));
-        currentPodCidrSubnets.put(new Long(-1), newCidrPair);
+        currentPodCidrSubnets.put(-1L, newCidrPair);
 
         final DataCenterVO dcVo = _zoneDao.findById(dcId);
         final String guestNetworkCidr = dcVo.getGuestNetworkCidr();
@@ -6934,7 +6963,7 @@ private boolean validPod(final String podName, final long zoneId) {
     }
 
     private String getPodName(final long podId) {
-        return _podDao.findById(new Long(podId)).getName();
+        return _podDao.findById(podId).getName();
     }
 
     private boolean validZone(final String zoneName) {
@@ -6946,7 +6975,7 @@ private boolean validZone(final long zoneId) {
     }
 
     private String getZoneName(final long zoneId) {
-        final DataCenterVO zone = _zoneDao.findById(new Long(zoneId));
+        final DataCenterVO zone = _zoneDao.findById(zoneId);
         if (zone != null) {
             return zone.getName();
         } else {
@@ -6973,11 +7002,14 @@ private boolean deleteAndPublishVlanAndPublicIpRange(final long userId, final lo
             final boolean ipv4 = deletedVlan.getVlanGateway() != null;
             final boolean ipv6 = deletedVlan.getIp6Gateway() != null;
             final long networkId = deletedVlan.getNetworkId();
+            final NetworkVO networkVO = _networkDao.findById(networkId);
 
-            if (ipv4) {
-                removeCidrAndGatewayForIpv4(networkId, deletedVlan);
-            } else if (ipv6) {
-                removeCidrAndGatewayForIpv6(networkId, deletedVlan);
+            if (networkVO != null && networkVO.getTrafficType() != TrafficType.Public) {
+                if (ipv4) {
+                    removeCidrAndGatewayForIpv4(networkId, deletedVlan);
+                } else if (ipv6) {
+                    removeCidrAndGatewayForIpv6(networkId, deletedVlan);
+                }
             }
 
             messageBus.publish(_name, MESSAGE_DELETE_VLAN_IP_RANGE_EVENT, PublishScope.LOCAL, deletedVlan);
@@ -9366,11 +9398,10 @@ public ConfigKey<?>[] getConfigKeys() {
                 BYTES_MAX_READ_LENGTH, BYTES_MAX_WRITE_LENGTH, ADD_HOST_ON_SERVICE_RESTART_KVM, SET_HOST_DOWN_TO_MAINTENANCE,
                 VM_SERVICE_OFFERING_MAX_CPU_CORES, VM_SERVICE_OFFERING_MAX_RAM_SIZE, MIGRATE_VM_ACROSS_CLUSTERS,
                 ENABLE_ACCOUNT_SETTINGS_FOR_DOMAIN, ENABLE_DOMAIN_SETTINGS_FOR_CHILD_DOMAIN,
-                ALLOW_DOMAIN_ADMINS_TO_CREATE_TAGGED_OFFERINGS, DELETE_QUERY_BATCH_SIZE, AllowNonRFC1918CompliantIPs, HostCapacityTypeCpuMemoryWeight
+                ALLOW_DOMAIN_ADMINS_TO_CREATE_TAGGED_OFFERINGS, EXPOSE_ERRORS_TO_USER, DELETE_QUERY_BATCH_SIZE, AllowNonRFC1918CompliantIPs, HostCapacityTypeCpuMemoryWeight
         };
     }
 
-
     /**
      * Returns a string representing the specified configuration's type.
      * @param configName name of the configuration.
diff --git a/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManager.java b/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManager.java
index f344b1b7c46a..47d1a306e4d9 100644
--- a/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManager.java
+++ b/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManager.java
@@ -69,9 +69,6 @@ public interface ConsoleProxyManager extends Manager, ConsoleProxyService {
     ConfigKey<String> ConsoleProxyCapacityScanInterval = new ConfigKey<>(String.class, "consoleproxy.capacityscan.interval", "Console Proxy", "30000",
             "The time interval(in millisecond) to scan whether or not system needs more console proxy to ensure minimal standby capacity", false, null);
 
-    ConfigKey<Integer> ConsoleProxyCmdPort = new ConfigKey<>(Integer.class, "consoleproxy.cmd.port", "Console Proxy", String.valueOf(DEFAULT_PROXY_CMD_PORT),
-            "Console proxy command port that is used to communicate with management server", false, ConfigKey.Scope.Zone, null);
-
     ConfigKey<Boolean> ConsoleProxyRestart = new ConfigKey<>(Boolean.class, "consoleproxy.restart", "Console Proxy", "true",
             "Console proxy restart flag, defaults to true", true, ConfigKey.Scope.Zone, null);
 
diff --git a/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java b/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java
index db15a440ba36..b3da6af21138 100644
--- a/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java
+++ b/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java
@@ -1589,7 +1589,7 @@ public String getConfigComponentName() {
     @Override
     public ConfigKey<?>[] getConfigKeys() {
         return new ConfigKey<?>[] {ConsoleProxySslEnabled, NoVncConsoleDefault, NoVncConsoleSourceIpCheckEnabled, ConsoleProxyServiceOffering,
-                                   ConsoleProxyCapacityStandby, ConsoleProxyCapacityScanInterval, ConsoleProxyCmdPort, ConsoleProxyRestart, ConsoleProxyUrlDomain, ConsoleProxySessionMax, ConsoleProxySessionTimeout, ConsoleProxyDisableRpFilter, ConsoleProxyLaunchMax,
+                                   ConsoleProxyCapacityStandby, ConsoleProxyCapacityScanInterval, ConsoleProxyRestart, ConsoleProxyUrlDomain, ConsoleProxySessionMax, ConsoleProxySessionTimeout, ConsoleProxyDisableRpFilter, ConsoleProxyLaunchMax,
                                    ConsoleProxyManagementLastState, ConsoleProxyServiceManagementState, NoVncConsoleShowDot,
                                    ConsoleProxyVmUserData};
     }
diff --git a/server/src/main/java/com/cloud/deploy/DeploymentPlanningManagerImpl.java b/server/src/main/java/com/cloud/deploy/DeploymentPlanningManagerImpl.java
index 230f97f6fd35..7fb4a97e149b 100644
--- a/server/src/main/java/com/cloud/deploy/DeploymentPlanningManagerImpl.java
+++ b/server/src/main/java/com/cloud/deploy/DeploymentPlanningManagerImpl.java
@@ -20,7 +20,6 @@
 
 import java.util.ArrayList;
 import java.util.Arrays;
-import java.util.Collections;
 import java.util.Comparator;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -1714,20 +1713,19 @@ protected List<Host> findSuitableHosts(VirtualMachineProfile vmProfile, Deployme
 
     @Override
     public void reorderHostsByPriority(Map<Long, Integer> priorities, List<Host> hosts) {
-        logger.info("Re-ordering hosts {} by priorities {}", hosts, priorities);
+        if (CollectionUtils.isEmpty(hosts)){
+            logger.debug("Hosts list is empty; therefore, there is nothing to reorder.");
+            return;
+        }
 
+        logger.info("Re-ordering hosts [{}] by priorities [{}].", hosts, priorities);
         hosts.removeIf(host -> DataCenterDeployment.PROHIBITED_HOST_PRIORITY.equals(getHostPriority(priorities, host.getId())));
+        hosts.sort((host1, host2) -> {
+            int res = getHostPriority(priorities, host1.getId()).compareTo(getHostPriority(priorities, host2.getId()));
+            return -res;
+        });
 
-        Collections.sort(hosts, new Comparator<>() {
-                    @Override
-                    public int compare(Host host1, Host host2) {
-                        int res = getHostPriority(priorities, host1.getId()).compareTo(getHostPriority(priorities, host2.getId()));
-                        return -res;
-                    }
-                }
-        );
-
-        logger.info("Hosts after re-ordering are: {}", hosts);
+        logger.info("Hosts after re-ordering are: [{}].", hosts);
     }
 
     private Integer getHostPriority(Map<Long, Integer> priorities, Long hostId) {
diff --git a/server/src/main/java/com/cloud/ha/CheckOnAgentInvestigator.java b/server/src/main/java/com/cloud/ha/CheckOnAgentInvestigator.java
index d7945ef20776..e0dbc8fcbe11 100644
--- a/server/src/main/java/com/cloud/ha/CheckOnAgentInvestigator.java
+++ b/server/src/main/java/com/cloud/ha/CheckOnAgentInvestigator.java
@@ -38,7 +38,7 @@ protected CheckOnAgentInvestigator() {
     }
 
     @Override
-    public Status isAgentAlive(Host agent) {
+    public Status getHostAgentStatus(Host agent) {
         return null;
     }
 
diff --git a/server/src/main/java/com/cloud/ha/HighAvailabilityManagerImpl.java b/server/src/main/java/com/cloud/ha/HighAvailabilityManagerImpl.java
index c8635397b661..755de00dec26 100644
--- a/server/src/main/java/com/cloud/ha/HighAvailabilityManagerImpl.java
+++ b/server/src/main/java/com/cloud/ha/HighAvailabilityManagerImpl.java
@@ -42,6 +42,9 @@
 import org.apache.cloudstack.framework.config.ConfigKey;
 import org.apache.cloudstack.framework.config.Configurable;
 import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
+import org.apache.cloudstack.ha.HAConfig;
+import org.apache.cloudstack.ha.HAResource;
+import org.apache.cloudstack.ha.dao.HAConfigDao;
 import org.apache.cloudstack.managed.context.ManagedContext;
 import org.apache.cloudstack.managed.context.ManagedContextRunnable;
 import org.apache.cloudstack.management.ManagementServerHost;
@@ -223,6 +226,8 @@ public void setHaPlanners(List<HAPlanner> haPlanners) {
     @Inject
     ConfigurationDao _configDao;
     @Inject
+    HAConfigDao _haConfigDao;
+    @Inject
     VolumeOrchestrationService volumeMgr;
 
     String _instance;
@@ -237,25 +242,53 @@ public void setHaPlanners(List<HAPlanner> haPlanners) {
     long _timeBetweenCleanups;
     String _haTag = null;
 
+    protected HighAvailabilityManagerImpl() {
+    }
+
     private boolean vmHasPendingHAJob(final List<HaWorkVO> pendingHaWorks, final VMInstanceVO vm) {
         Optional<HaWorkVO> item = pendingHaWorks.stream()
                 .filter(h -> h.getInstanceId() == vm.getId())
                 .reduce((first, second) -> second);
         if (item.isPresent() && (item.get().getTimesTried() < _maxRetries ||
                 !item.get().canScheduleNew(_timeBetweenFailures))) {
-            logger.debug(String.format("Skipping HA on %s as there is already a running HA job for it", vm));
+            logger.debug("Skipping HA on {} as there is already a running HA job for it", vm);
             return true;
         }
         return false;
     }
 
-    protected HighAvailabilityManagerImpl() {
+    private boolean isHostHAInspectionInProgress(long hostId) {
+        final HAConfig haConfig = _haConfigDao.findHAResource(hostId, HAResource.ResourceType.Host);
+        if (haConfig == null || !haConfig.isEnabled()) {
+            return false;
+        }
+
+        HAConfig.HAState state = haConfig.getState();
+        logger.debug("Checking Host HA inspection is in progress or not for the host {} from HAConfig, HA state is {}", hostId, state);
+        if (state == HAConfig.HAState.Suspect || state == HAConfig.HAState.Checking) {
+            return true;
+        }
+
+        if (state == HAConfig.HAState.Recovered || state == HAConfig.HAState.Available) {
+            // If the host HA state is Recovered, it indicates that the host has restarted successfully.
+            // If the host HA state is Available, it means the host has restarted successfully and the recovery waiting period has completed.
+            // In both states, the agent can connect as soon as the host is ready (and can move to Suspect -> Checking HA state if the agent connection fails again before Fencing).
+            final HostVO host = _hostDao.findById(hostId);
+            if (host != null && host.getStatus() != Status.Up) {
+                logger.debug("{} is in {} status and HA state is {}, considering Host HA inspection is still in progress" +
+                        " until we are sure the host is ready after a recovery wait period and agent is connected/Up", host, host.getStatus(), state);
+                return true;
+            }
+        }
+
+        return false;
     }
 
     @Override
     public Status investigate(final long hostId) {
         final HostVO host = _hostDao.findById(hostId);
         if (host == null) {
+            logger.warn("Host with id {} is removed or doesn't exists.", hostId);
             return Status.Alert;
         }
 
@@ -270,7 +303,7 @@ public Status investigate(final long hostId) {
 
         Status hostState = null;
         for (Investigator investigator : investigators) {
-            hostState = investigator.isAgentAlive(host);
+            hostState = investigator.getHostAgentStatus(host);
             if (hostState != null) {
                 if (logger.isDebugEnabled()) {
                     logger.debug("{} was able to determine host {} is in {}", investigator.getName(), host, hostState.toString());
@@ -278,7 +311,7 @@ public Status investigate(final long hostId) {
                 return hostState;
             }
             if (logger.isDebugEnabled()) {
-                logger.debug(investigator.getName() + " unable to determine the state of the host.  Moving on.");
+                logger.debug("{} unable to determine the state of the host.  Moving on.", investigator.getName());
             }
         }
 
@@ -570,9 +603,9 @@ private void startVm(VirtualMachine vm, Map<VirtualMachineProfile.Param, Object>
     }
 
     protected Long restart(final HaWorkVO work) {
-        logger.debug("RESTART with HAWORK");
+        logger.debug("RESTART with HA WORK");
         List<HaWorkVO> items = _haDao.listFutureHaWorkForVm(work.getInstanceId(), work.getId());
-        if (items.size() > 0) {
+        if (!items.isEmpty()) {
             StringBuilder str = new StringBuilder("Cancelling this work item because newer ones have been scheduled.  Work Ids = [");
             for (HaWorkVO item : items) {
                 str.append(item.getId()).append(", ");
@@ -583,7 +616,7 @@ protected Long restart(final HaWorkVO work) {
         }
 
         items = _haDao.listRunningHaWorkForVm(work.getInstanceId());
-        if (items.size() > 0) {
+        if (!items.isEmpty()) {
             StringBuilder str = new StringBuilder("Waiting because there's HA work being executed on an item currently.  Work Ids =[");
             for (HaWorkVO item : items) {
                 str.append(item.getId()).append(", ");
@@ -597,21 +630,21 @@ protected Long restart(final HaWorkVO work) {
 
         VirtualMachine vm = _itMgr.findById(work.getInstanceId());
         if (vm == null) {
-            logger.info("Unable to find vm: " + vmId);
+            logger.info("Unable to find vm: {}", vmId);
             return null;
         }
         if (checkAndCancelWorkIfNeeded(work)) {
             return null;
         }
 
-        logger.info("HA on " + vm);
+        logger.info("HA on {}", vm);
         if (vm.getState() != work.getPreviousState() || vm.getUpdated() != work.getUpdateTime()) {
-            logger.info("VM " + vm + " has been changed.  Current State = " + vm.getState() + " Previous State = " + work.getPreviousState() + " last updated = " +
-                vm.getUpdated() + " previous updated = " + work.getUpdateTime());
+            logger.info("VM {} has been changed.  Current State = {} Previous State = {} last updated = {} previous updated = {}",
+                    vm, vm.getState(), work.getPreviousState(), vm.getUpdated(), work.getUpdateTime());
             return null;
         }
         if (vm.getHostId() != null && !vm.getHostId().equals(work.getHostId())) {
-            logger.info("VM " + vm + " has been changed.  Current host id = " + vm.getHostId() + " Previous host id = " + work.getHostId());
+            logger.info("VM {} has been changed.  Current host id = {} Previous host id = {}", vm, vm.getHostId(), work.getHostId());
             return null;
         }
 
@@ -628,10 +661,13 @@ protected Long restart(final HaWorkVO work) {
         boolean isHostRemoved = false;
         if (host == null) {
             host = _hostDao.findByIdIncludingRemoved(work.getHostId());
-            if (host != null) {
-                logger.debug("VM {} is now no longer on host {} as the host is removed", vm, host);
-                isHostRemoved = true;
+            if (host == null) {
+                logger.debug("VM {} is now no longer on host {}, the host doesn't exist", vm, work.getHostId());
+                return null;
             }
+
+            logger.debug("VM {} is now no longer on host {} as the host is removed", vm, host);
+            isHostRemoved = true;
         }
 
         DataCenterVO dcVO = _dcDao.findById(host.getDataCenterId());
@@ -652,40 +688,39 @@ protected Long restart(final HaWorkVO work) {
                     try
                     {
                         alive = investigator.isVmAlive(vm, host);
-                        logger.info(investigator.getName() + " found " + vm + " to be alive? " + alive);
+                        logger.info("{} found {} to be alive? {}", investigator.getName(), vm, alive);
                         break;
                     } catch (UnknownVM e) {
-                        logger.info(investigator.getName() + " could not find " + vm);
+                        logger.info("{} could not find {}", investigator.getName(), vm);
                     }
                 }
 
                 boolean fenced = false;
                 if (alive == null) {
-                    logger.debug("Fencing off VM that we don't know the state of");
+                    logger.debug("Fencing off VM {} that we don't know the state of", vm);
                     for (FenceBuilder fb : fenceBuilders) {
                         Boolean result = fb.fenceOff(vm, host);
-                        logger.info("Fencer " + fb.getName() + " returned " + result);
+                        logger.info("Fencer {} returned {}", fb.getName(), result);
                         if (result != null && result) {
                             fenced = true;
                             break;
                         }
                     }
-
                 } else if (!alive) {
                     fenced = true;
                 } else {
-                    logger.debug("VM {} is found to be alive by {}", vm, investigator.getName());
+                    logger.debug("VM {} is found to be alive by {} on host {}", vm, investigator.getName(), host);
                     if (host.getStatus() == Status.Up) {
-                        logger.info(vm + " is alive and host is up. No need to restart it.");
+                        logger.info("{} is alive and host {} is up. No need to restart it.", vm, host);
                         return null;
                     } else {
-                        logger.debug("Rescheduling because the host is not up but the vm is alive");
+                        logger.debug("Rescheduling because the host {} is not up but the vm {} is alive", host, vm);
                         return (System.currentTimeMillis() >> 10) + _investigateRetryInterval;
                     }
                 }
 
                 if (!fenced) {
-                    logger.debug("We were unable to fence off the VM " + vm);
+                    logger.debug("We were unable to fence off the VM {}", vm);
                     _alertMgr.sendAlert(alertType, vm.getDataCenterId(), vm.getPodIdToDeployIn(), "Unable to restart " + vm.getHostName() +
                         " which was running on host " + hostDesc, "Insufficient capacity to restart VM, name: " + vm.getHostName() + ", id: " + vmId +
                         " which was running on host " + hostDesc);
@@ -728,15 +763,15 @@ protected Long restart(final HaWorkVO work) {
 
         if (!ForceHA.value() && !vm.isHaEnabled()) {
             if (logger.isDebugEnabled()) {
-                logger.debug("VM is not HA enabled so we're done.");
+                logger.debug("VM {} is not HA enabled so we're done.", vm);
             }
             return null; // VM doesn't require HA
         }
 
-        if ((host == null || host.getRemoved() != null || host.getState() != Status.Up)
+        if ((host.getRemoved() != null || host.getState() != Status.Up)
                  && !volumeMgr.canVmRestartOnAnotherServer(vm.getId())) {
             if (logger.isDebugEnabled()) {
-                logger.debug("VM can not restart on another server.");
+                logger.debug("VM {} can not restart on another server.", vm);
             }
             return null;
         }
@@ -777,13 +812,13 @@ protected Long restart(final HaWorkVO work) {
             if (started != null && started.getState() == VirtualMachine.State.Running) {
                 String message = String.format("HA starting VM: %s (%s)", started.getHostName(), started.getInstanceName());
                 HostVO hostVmHasStarted = _hostDao.findById(started.getHostId());
-                logger.info(String.format("HA is now restarting %s on %s", started, hostVmHasStarted));
+                logger.info("HA is now restarting {} on {}", started, hostVmHasStarted);
                 _alertMgr.sendAlert(alertType, vm.getDataCenterId(), vm.getPodIdToDeployIn(), message, message);
                 return null;
             }
 
             if (logger.isDebugEnabled()) {
-                logger.debug("Rescheduling VM " + vm.toString() + " to try again in " + _restartRetryInterval);
+                logger.debug("Rescheduling VM {} to try again in {}", vm.toString(), _restartRetryInterval);
             }
         } catch (final InsufficientCapacityException e) {
             logger.warn("Unable to restart " + vm.toString() + " due to " + e.getMessage());
@@ -815,6 +850,9 @@ protected boolean checkAndCancelWorkIfNeeded(final HaWorkVO work) {
         if (!CancellableWorkReasonTypes.contains(work.getReasonType())) {
             return false;
         }
+        if (isHostHAInspectionInProgress(work.getHostId())) {
+            return false;
+        }
         Status hostStatus = investigate(work.getHostId());
         if (!Status.Up.equals(hostStatus)) {
             return false;
@@ -825,13 +863,14 @@ protected boolean checkAndCancelWorkIfNeeded(final HaWorkVO work) {
     }
 
     public Long migrate(final HaWorkVO work) {
+        logger.debug("MIGRATE with HA WORK");
         long vmId = work.getInstanceId();
         long srcHostId = work.getHostId();
         HostVO srcHost = _hostDao.findById(srcHostId);
 
         VMInstanceVO vm = _instanceDao.findById(vmId);
         if (vm == null) {
-            logger.info("Unable to find vm: " + vmId + ", skipping migrate.");
+            logger.info("Unable to find vm: {}, skipping migrate.", vmId);
             return null;
         }
         if (checkAndCancelWorkIfNeeded(work)) {
@@ -840,11 +879,11 @@ public Long migrate(final HaWorkVO work) {
         logger.info("Migration attempt: for {} from {}. Starting attempt: {}/{} times.", vm, srcHost, 1 + work.getTimesTried(), _maxRetries);
 
         if (VirtualMachine.State.Stopped.equals(vm.getState())) {
-            logger.info(String.format("vm %s is Stopped, skipping migrate.", vm));
+            logger.info("vm {} is Stopped, skipping migrate.", vm);
             return null;
         }
         if (VirtualMachine.State.Running.equals(vm.getState()) && srcHostId != vm.getHostId()) {
-            logger.info(String.format("VM %s is running on a different host %s, skipping migration", vm, vm.getHostId()));
+            logger.info("VM {} is running on a different host {}, skipping migration", vm, vm.getHostId());
             return null;
         }
 
@@ -879,7 +918,7 @@ public boolean scheduleDestroy(VMInstanceVO vm, long hostId, ReasonType reasonTy
         final HaWorkVO work = new HaWorkVO(vm.getId(), vm.getType(), WorkType.Destroy, Step.Scheduled, hostId, vm.getState(), 0, vm.getUpdated(), reasonType);
         _haDao.persist(work);
         if (logger.isDebugEnabled()) {
-            logger.debug("Scheduled " + work.toString());
+            logger.debug("{}}", work.toString());
         }
         wakeupWorkers();
         return true;
@@ -897,7 +936,7 @@ private void stopVMWithCleanup(VirtualMachine vm, VirtualMachine.State state) th
     }
 
     private void destroyVM(VirtualMachine vm, boolean expunge) throws OperationTimedoutException, AgentUnavailableException {
-        logger.info("Destroying " + vm.toString());
+        logger.info("Destroying {}", vm.toString());
         if (VirtualMachine.Type.ConsoleProxy.equals(vm.getType())) {
             consoleProxyManager.destroyProxy(vm.getId());
         } else if (VirtualMachine.Type.SecondaryStorageVm.equals(vm.getType())) {
@@ -908,9 +947,10 @@ private void destroyVM(VirtualMachine vm, boolean expunge) throws OperationTimed
     }
 
     protected Long destroyVM(final HaWorkVO work) {
+        logger.debug("DESTROY with HA WORK");
         final VirtualMachine vm = _itMgr.findById(work.getInstanceId());
         if (vm == null) {
-            logger.info("No longer can find VM " + work.getInstanceId() + ". Throwing away " + work);
+            logger.info("No longer can find VM {}. Throwing away {}",  work.getInstanceId(), work);
             return null;
         }
         if (checkAndCancelWorkIfNeeded(work)) {
@@ -944,20 +984,21 @@ protected Long destroyVM(final HaWorkVO work) {
     }
 
     protected Long stopVM(final HaWorkVO work) throws ConcurrentOperationException {
+        logger.debug("STOP with HA WORK");
         VirtualMachine vm = _itMgr.findById(work.getInstanceId());
         if (vm == null) {
-            logger.info("No longer can find VM " + work.getInstanceId() + ". Throwing away " + work);
+            logger.info("No longer can find VM {}. Throwing away {}", work.getInstanceId(), work);
             work.setStep(Step.Done);
             return null;
         }
         if (checkAndCancelWorkIfNeeded(work)) {
             return null;
         }
-        logger.info("Stopping " + vm);
+        logger.info("Stopping {}", vm);
         try {
             if (work.getWorkType() == WorkType.Stop) {
                 _itMgr.advanceStop(vm.getUuid(), false);
-                logger.info("Successfully stopped " + vm);
+                logger.info("Successfully stopped {}", vm);
                 return null;
             } else if (work.getWorkType() == WorkType.CheckStop) {
                 if ((vm.getState() != work.getPreviousState()) || vm.getUpdated() != work.getUpdateTime() || vm.getHostId() == null ||
@@ -969,7 +1010,7 @@ protected Long stopVM(final HaWorkVO work) throws ConcurrentOperationException {
                 }
 
                 _itMgr.advanceStop(vm.getUuid(), false);
-                logger.info("Stop for " + vm + " was successful");
+                logger.info("Stop for {} was successful", vm);
                 return null;
             } else if (work.getWorkType() == WorkType.ForceStop) {
                 if ((vm.getState() != work.getPreviousState()) || vm.getUpdated() != work.getUpdateTime() || vm.getHostId() == null ||
@@ -981,13 +1022,13 @@ protected Long stopVM(final HaWorkVO work) throws ConcurrentOperationException {
                 }
 
                 _itMgr.advanceStop(vm.getUuid(), true);
-                logger.info("Stop for " + vm + " was successful");
+                logger.info("Stop for {} was successful", vm);
                 return null;
             } else {
                 assert false : "Who decided there's other steps but didn't modify the guy who does the work?";
             }
         } catch (final ResourceUnavailableException e) {
-            logger.debug("Agnet is not available" + e.getMessage());
+            logger.debug("Agent is not available" + e.getMessage());
         } catch (OperationTimedoutException e) {
             logger.debug("operation timed out: " + e.getMessage());
         }
@@ -1043,7 +1084,8 @@ private void processWork(final HaWorkVO work) {
         try {
             if (vm != null && !VmHaEnabled.valueIn(vm.getDataCenterId())) {
                 if (logger.isDebugEnabled()) {
-                    logger.debug(String.format("VM high availability manager is disabled, rescheduling the HA work %s, for the VM %s (id) to retry later in case VM high availability manager is enabled on retry attempt", work, vm.getName(), vm.getId()));
+                    logger.debug("VM high availability manager is disabled, rescheduling the HA work {} for the VM {} ({}) " +
+                            "to retry later in case VM high availability manager is enabled on retry attempt", work, vm.getName(), vm.getId());
                 }
                 long nextTime = getRescheduleTime(wt);
                 rescheduleWork(work, nextTime);
@@ -1065,13 +1107,13 @@ private void processWork(final HaWorkVO work) {
             }
 
             if (nextTime == null) {
-                logger.info("Completed work " + work + ". Took " + (work.getTimesTried() + 1) + "/" + _maxRetries + " attempts.");
+                logger.info("Completed work {}. Took {}/{} attempts.", work, work.getTimesTried() + 1, _maxRetries);
                 work.setStep(Step.Done);
             } else {
                 rescheduleWork(work, nextTime.longValue());
             }
         } catch (Exception e) {
-            logger.warn("Encountered unhandled exception during HA process, reschedule work", e);
+            logger.warn("Encountered unhandled exception during HA process, reschedule work {}", work, e);
 
             long nextTime = getRescheduleTime(wt);
             rescheduleWork(work, nextTime);
@@ -1085,11 +1127,11 @@ private void processWork(final HaWorkVO work) {
         } finally {
             if (!Step.Done.equals(work.getStep())) {
                 if (work.getTimesTried() >= _maxRetries) {
-                    logger.warn("Giving up, retried max " + work.getTimesTried() + "/" + _maxRetries + " times for work: " + work);
+                    logger.warn("Giving up, retried max {}/{} times for work: {}", work.getTimesTried(), _maxRetries, work);
                     work.setStep(Step.Done);
                 } else {
-                    logger.warn("Rescheduling work " + work + " to try again at " + new Date(work.getTimeToTry() << 10) +
-                            ". Finished attempt " + work.getTimesTried() + "/" + _maxRetries + " times.");
+                    logger.warn("Rescheduling work {} to try again at {}. Finished attempt {}/{} times.",
+                            work, new Date(work.getTimeToTry() << 10), work.getTimesTried(), _maxRetries);
                 }
             }
             _haDao.update(work.getId(), work);
diff --git a/server/src/main/java/com/cloud/ha/KVMFencer.java b/server/src/main/java/com/cloud/ha/KVMFencer.java
index b51ed00b028c..4a6606b09cc3 100644
--- a/server/src/main/java/com/cloud/ha/KVMFencer.java
+++ b/server/src/main/java/com/cloud/ha/KVMFencer.java
@@ -74,7 +74,7 @@ public KVMFencer() {
     @Override
     public Boolean fenceOff(VirtualMachine vm, Host host) {
         if (host.getHypervisorType() != HypervisorType.KVM && host.getHypervisorType() != HypervisorType.LXC) {
-            logger.warn("Don't know how to fence non kvm hosts " + host.getHypervisorType());
+            logger.warn("Don't know how to fence non kvm hosts {}", host.getHypervisorType());
             return null;
         }
 
@@ -97,11 +97,8 @@ public Boolean fenceOff(VirtualMachine vm, Host host) {
                 FenceAnswer answer;
                 try {
                     answer = (FenceAnswer)_agentMgr.send(h.getId(), fence);
-                } catch (AgentUnavailableException e) {
-                    logger.info("Moving on to the next host because " + h.toString() + " is unavailable", e);
-                    continue;
-                } catch (OperationTimedoutException e) {
-                    logger.info("Moving on to the next host because " + h.toString() + " is unavailable", e);
+                } catch (AgentUnavailableException | OperationTimedoutException e) {
+                    logger.info("Moving on to the next host because {} is unavailable", h.toString(), e);
                     continue;
                 }
                 if (answer != null && answer.getResult()) {
@@ -115,7 +112,7 @@ public Boolean fenceOff(VirtualMachine vm, Host host) {
                             "Fencing off host " + host.getId() + " did not succeed after asking " + i + " hosts. " +
                             "Check Agent logs for more information.");
 
-        logger.error("Unable to fence off " + vm.toString() + " on " + host.toString());
+        logger.error("Unable to fence off {} on {}", vm.toString(), host.toString());
 
         return false;
     }
diff --git a/server/src/main/java/com/cloud/ha/ManagementIPSystemVMInvestigator.java b/server/src/main/java/com/cloud/ha/ManagementIPSystemVMInvestigator.java
index 0972f2451afb..d14c4baafb34 100644
--- a/server/src/main/java/com/cloud/ha/ManagementIPSystemVMInvestigator.java
+++ b/server/src/main/java/com/cloud/ha/ManagementIPSystemVMInvestigator.java
@@ -104,7 +104,7 @@ public boolean isVmAlive(VirtualMachine vm, Host host) throws UnknownVM {
     }
 
     @Override
-    public Status isAgentAlive(Host agent) {
+    public Status getHostAgentStatus(Host agent) {
         return null;
     }
 
diff --git a/server/src/main/java/com/cloud/ha/UserVmDomRInvestigator.java b/server/src/main/java/com/cloud/ha/UserVmDomRInvestigator.java
index 7d063b3088e4..82074460f2af 100644
--- a/server/src/main/java/com/cloud/ha/UserVmDomRInvestigator.java
+++ b/server/src/main/java/com/cloud/ha/UserVmDomRInvestigator.java
@@ -103,7 +103,7 @@ public boolean isVmAlive(VirtualMachine vm, Host host) throws UnknownVM {
     }
 
     @Override
-    public Status isAgentAlive(Host agent) {
+    public Status getHostAgentStatus(Host agent) {
         if (logger.isDebugEnabled()) {
             logger.debug("checking if agent ({}) is alive", agent);
         }
diff --git a/server/src/main/java/com/cloud/ha/XenServerInvestigator.java b/server/src/main/java/com/cloud/ha/XenServerInvestigator.java
index 5482a7f148e6..fea44c97ab58 100644
--- a/server/src/main/java/com/cloud/ha/XenServerInvestigator.java
+++ b/server/src/main/java/com/cloud/ha/XenServerInvestigator.java
@@ -46,7 +46,7 @@ protected XenServerInvestigator() {
     }
 
     @Override
-    public Status isAgentAlive(Host agent) {
+    public Status getHostAgentStatus(Host agent) {
         if (agent.getHypervisorType() != HypervisorType.XenServer) {
             return null;
         }
@@ -74,7 +74,7 @@ public Status isAgentAlive(Host agent) {
 
     @Override
     public boolean isVmAlive(VirtualMachine vm, Host host) throws UnknownVM {
-        Status status = isAgentAlive(host);
+        Status status = getHostAgentStatus(host);
         if (status == null) {
             throw new UnknownVM();
         }
diff --git a/server/src/main/java/com/cloud/hypervisor/HypervisorGuruBase.java b/server/src/main/java/com/cloud/hypervisor/HypervisorGuruBase.java
index 97c453003a86..c7de3d472e3f 100644
--- a/server/src/main/java/com/cloud/hypervisor/HypervisorGuruBase.java
+++ b/server/src/main/java/com/cloud/hypervisor/HypervisorGuruBase.java
@@ -205,6 +205,7 @@ public NicTO toNicTO(NicProfile profile) {
         to.setIp6Dns1(profile.getIPv6Dns1());
         to.setIp6Dns2(profile.getIPv6Dns2());
         to.setNetworkId(profile.getNetworkId());
+        to.setEnabled(profile.isEnabled());
 
         NetworkVO network = networkDao.findById(profile.getNetworkId());
         to.setNetworkUuid(network.getUuid());
diff --git a/server/src/main/java/com/cloud/hypervisor/KVMGuru.java b/server/src/main/java/com/cloud/hypervisor/KVMGuru.java
index 3303bc029333..6c1c3424b1b9 100644
--- a/server/src/main/java/com/cloud/hypervisor/KVMGuru.java
+++ b/server/src/main/java/com/cloud/hypervisor/KVMGuru.java
@@ -20,7 +20,7 @@
 import com.cloud.agent.api.to.DataObjectType;
 import com.cloud.agent.api.to.NicTO;
 import com.cloud.agent.api.to.VirtualMachineTO;
-import com.cloud.configuration.ConfigurationManagerImpl;
+import com.cloud.capacity.CapacityManager;
 import com.cloud.event.EventTypes;
 import com.cloud.event.UsageEventUtils;
 import com.cloud.host.HostVO;
@@ -44,6 +44,7 @@
 import com.cloud.vm.VirtualMachineProfile;
 import com.cloud.vm.dao.VMInstanceDao;
 import org.apache.cloudstack.backup.Backup;
+import org.apache.cloudstack.framework.config.ConfigKey;
 import org.apache.cloudstack.storage.command.CopyCommand;
 import org.apache.cloudstack.storage.command.StorageSubSystemCommand;
 import org.apache.cloudstack.utils.reflectiontostringbuilderutils.ReflectionToStringBuilderUtils;
@@ -54,9 +55,7 @@
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
-import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.utils.bytescale.ByteScaleUtils;
-import org.apache.commons.lang3.math.NumberUtils;
 
 public class KVMGuru extends HypervisorGuruBase implements HypervisorGuru {
     @Inject
@@ -130,30 +129,47 @@ protected double getVmSpeed(VirtualMachineTO to) {
      * @param vmProfile vm profile
      */
     protected void setVmQuotaPercentage(VirtualMachineTO to, VirtualMachineProfile vmProfile) {
-        if (to.isLimitCpuUse()) {
-            VirtualMachine vm = vmProfile.getVirtualMachine();
-            HostVO host = hostDao.findById(vm.getHostId());
-            if (host == null) {
-                logger.warn("Host is not available. Skipping setting CPU quota percentage for VM: {}", vm);
-                return;
-            }
-            logger.debug("Limiting CPU usage for VM: {} on host: {}", vm, host);
-            double hostMaxSpeed = getHostCPUSpeed(host);
-            double maxSpeed = getVmSpeed(to);
-            try {
-                BigDecimal percent = new BigDecimal(maxSpeed / hostMaxSpeed);
-                percent = percent.setScale(2, RoundingMode.HALF_DOWN);
-                if (percent.compareTo(new BigDecimal(1)) == 1) {
-                    logger.debug("VM {} CPU MHz exceeded host {} CPU MHz, limiting VM CPU to the host maximum", vm, host);
-                    percent = new BigDecimal(1);
-                }
-                to.setCpuQuotaPercentage(percent.doubleValue());
-                logger.debug("Host: {} max CPU speed = {} MHz, VM: {} max CPU speed = {} MHz. " +
-                        "Setting CPU quota percentage as: {}",
-                        host, hostMaxSpeed, vm, maxSpeed, percent.doubleValue());
-            } catch (NumberFormatException e) {
-                logger.error("Error calculating VM: {} quota percentage, it will not be set. Error: {}", vm, e.getMessage(), e);
+        if (!to.isLimitCpuUse()) {
+            return;
+        }
+
+        VirtualMachine vm = vmProfile.getVirtualMachine();
+        HostVO host = hostDao.findById(vm.getHostId());
+        if (host == null) {
+            logger.warn("Host is not available. Skipping setting CPU quota percentage for VM: [{}].", vm);
+            return;
+        }
+
+        logger.debug("Limiting CPU usage for VM: [{}] on host: [{}].", vm, host);
+        double maxSpeed = getVmSpeed(to);
+        double hostMaxSpeed = getHostCPUSpeed(host);
+        Double cpuQuotaPercentage = getCpuQuotaPercentage(maxSpeed, hostMaxSpeed);
+        if (cpuQuotaPercentage != null) {
+            to.setCpuQuotaPercentage(cpuQuotaPercentage);
+        }
+    }
+
+    /**
+     * Calculates the VM quota percentage based on the VM and host CPU speeds.
+     * @param vmSpeeed Speed of the VM.
+     * @param hostSpeed Speed of the host.
+     * @return The VM quota percentage.
+     */
+    public Double getCpuQuotaPercentage(double vmSpeeed, double hostSpeed) {
+        logger.debug("Calculating CPU quota percentage for VM with speed [{}] on host with speed [{}].", vmSpeeed, hostSpeed);
+        try {
+            BigDecimal percent = new BigDecimal(vmSpeeed / hostSpeed);
+            percent = percent.setScale(2, RoundingMode.HALF_DOWN);
+            if (percent.compareTo(new BigDecimal(1)) > 0) {
+                logger.debug("VM CPU speed exceeded host CPU speed and, therefore, limiting VM CPU quota to the host maximum.");
+                percent = new BigDecimal(1);
             }
+            double quotaPercentage = percent.doubleValue();
+            logger.info("Calculated CPU quota percentage for VM with speed [{}] on host with speed [{}] is [{}].", vmSpeeed, hostSpeed, quotaPercentage);
+            return quotaPercentage;
+        } catch (NumberFormatException e) {
+            logger.info("Could not calculate CPU quota percentage for VM with speed [{}] on host with speed [{}]. Therefore, CPU limitation will not be set for the domain.", vmSpeeed, hostSpeed);
+            return null;
         }
     }
 
@@ -214,28 +230,31 @@ protected void configureVmMemoryAndCpuCores(VirtualMachineTO virtualMachineTo, H
         Pair<Long, Integer> max = getHostMaxMemoryAndCpuCores(hostVo, virtualMachine, vmDescription);
 
         Long maxHostMemory = max.first();
-        Integer maxHostCpuCore = max.second();
+        Integer maxHostCpuCores = max.second();
 
         long minMemory = virtualMachineTo.getMinRam();
         Long maxMemory = virtualMachineTo.getMaxRam();
+        long requestedMemory = maxMemory;
+
         int minCpuCores = virtualMachineTo.getCpus();
-        Integer maxCpuCores = minCpuCores;
+        int maxCpuCores = minCpuCores;
 
-        ServiceOfferingVO serviceOfferingVO = serviceOfferingDao.findById(virtualMachineProfile.getId(), virtualMachineProfile.getServiceOfferingId());
-        if (isVmDynamicScalable(serviceOfferingVO, virtualMachineTo, virtualMachine)) {
+        if (isVmDynamicScalable(virtualMachineTo, virtualMachine)) {
+            ServiceOfferingVO serviceOfferingVO = serviceOfferingDao.findById(virtualMachineProfile.getId(), virtualMachineProfile.getServiceOfferingId());
             serviceOfferingDao.loadDetails(serviceOfferingVO);
 
-            maxMemory = getVmMaxMemory(serviceOfferingVO, vmDescription, maxHostMemory);
-            maxCpuCores = getVmMaxCpuCores(serviceOfferingVO, vmDescription, maxHostCpuCore);
+            Long clusterId = hostVo != null ? hostVo.getClusterId() : null;
+            maxMemory = getVmMaxMemory(serviceOfferingVO, vmDescription, maxHostMemory, clusterId);
+            maxCpuCores = getVmMaxCpuCores(serviceOfferingVO, vmDescription, maxHostCpuCores, clusterId);
         }
 
-        virtualMachineTo.setRam(minMemory, maxMemory);
+        virtualMachineTo.setRam(minMemory, maxMemory, requestedMemory);
         virtualMachineTo.setCpus(minCpuCores);
         virtualMachineTo.setVcpuMaxLimit(maxCpuCores);
     }
 
-    protected boolean isVmDynamicScalable(ServiceOfferingVO serviceOfferingVO, VirtualMachineTO virtualMachineTo, VirtualMachine virtualMachine) {
-        return serviceOfferingVO.isDynamic() && virtualMachineTo.isEnableDynamicallyScaleVm() && UserVmManager.EnableDynamicallyScaleVm.valueIn(virtualMachine.getDataCenterId());
+    protected boolean isVmDynamicScalable(VirtualMachineTO virtualMachineTo, VirtualMachine virtualMachine) {
+        return virtualMachineTo.isEnableDynamicallyScaleVm() && UserVmManager.EnableDynamicallyScaleVm.valueIn(virtualMachine.getDataCenterId());
     }
 
     protected Pair<Long, Integer> getHostMaxMemoryAndCpuCores(HostVO host, VirtualMachine virtualMachine, String vmDescription){
@@ -263,53 +282,34 @@ protected Pair<Long, Integer> getHostMaxMemoryAndCpuCores(HostVO host, VirtualMa
         return new Pair<>(maxHostMemory, maxHostCpuCore);
     }
 
-    protected Long getVmMaxMemory(ServiceOfferingVO serviceOfferingVO, String vmDescription, Long maxHostMemory) {
-        String serviceOfferingDescription = serviceOfferingVO.toString();
-
+    protected Long getVmMaxMemory(ServiceOfferingVO serviceOfferingVO, String vmDescription, Long maxHostMemory, Long clusterId) {
         Long maxMemory;
-        Integer customOfferingMaxMemory = NumberUtils.createInteger(serviceOfferingVO.getDetail(ApiConstants.MAX_MEMORY));
-        Integer maxMemoryConfig = ConfigurationManagerImpl.VM_SERVICE_OFFERING_MAX_RAM_SIZE.value();
-        if (customOfferingMaxMemory != null) {
-            logger.debug(String.format("Using 'Custom unconstrained' %s max memory value [%sMb] as %s memory.", serviceOfferingDescription, customOfferingMaxMemory, vmDescription));
-            maxMemory = ByteScaleUtils.mebibytesToBytes(customOfferingMaxMemory);
+        ConfigKey<Integer> maxMemoryConfig = CapacityManager.KvmMemoryDynamicScalingCapacity;
+        Integer maxMemoryConfigValue = maxMemoryConfig.valueIn(clusterId);
+        logger.info("[{}] is a dynamically scalable service offering. Using config [{}] value [{}] in cluster [ID: {}] as max [{}] memory.",
+                serviceOfferingVO.toString(), maxMemoryConfig.key(), maxMemoryConfigValue, clusterId, vmDescription);
+        if (maxMemoryConfigValue > 0) {
+            maxMemory = ByteScaleUtils.mebibytesToBytes(maxMemoryConfigValue);
         } else {
-            String maxMemoryConfigKey = ConfigurationManagerImpl.VM_SERVICE_OFFERING_MAX_RAM_SIZE.key();
-
-            logger.info(String.format("%s is a 'Custom unconstrained' service offering. Using config [%s] value [%s] as max %s memory.",
-                    serviceOfferingDescription, maxMemoryConfigKey, maxMemoryConfig, vmDescription));
-
-            if (maxMemoryConfig > 0) {
-                maxMemory = ByteScaleUtils.mebibytesToBytes(maxMemoryConfig);
-            } else {
-                logger.info(String.format("Config [%s] has value less or equal '0'. Using %s host or last host max memory [%s] as VM max memory in the hypervisor.", maxMemoryConfigKey, vmDescription, maxHostMemory));
-                maxMemory = maxHostMemory;
-            }
+            logger.info("Config [{}] in cluster [ID: {}] has value less or equal '0'. Using [{}] host or last host max memory [{}] as VM max memory in the hypervisor.",
+                    maxMemoryConfig.key(), clusterId, vmDescription, maxHostMemory);
+            maxMemory = maxHostMemory;
         }
         return maxMemory;
     }
 
-    protected Integer getVmMaxCpuCores(ServiceOfferingVO serviceOfferingVO, String vmDescription, Integer maxHostCpuCore) {
-        String serviceOfferingDescription = serviceOfferingVO.toString();
-
+    protected Integer getVmMaxCpuCores(ServiceOfferingVO serviceOfferingVO, String vmDescription, Integer maxHostCpuCores, Long clusterId) {
         Integer maxCpuCores;
-        Integer customOfferingMaxCpuCores = NumberUtils.createInteger(serviceOfferingVO.getDetail(ApiConstants.MAX_CPU_NUMBER));
-        Integer maxCpuCoresConfig = ConfigurationManagerImpl.VM_SERVICE_OFFERING_MAX_CPU_CORES.value();
-
-        if (customOfferingMaxCpuCores != null) {
-            logger.debug(String.format("Using 'Custom unconstrained' %s max cpu cores [%s] as %s cpu cores.", serviceOfferingDescription, customOfferingMaxCpuCores, vmDescription));
-            maxCpuCores = customOfferingMaxCpuCores;
+        ConfigKey<Integer> maxCpuCoresConfig = CapacityManager.KvmCpuDynamicScalingCapacity;
+        Integer maxCpuCoresConfigValue = maxCpuCoresConfig.valueIn(clusterId);
+        logger.info("[{}] is a dynamically scalable service offering. Using config [{}] value [{}] in cluster [ID: {}] as max [{}] CPU cores.",
+                serviceOfferingVO.toString(), maxCpuCoresConfig.key(), maxCpuCoresConfigValue, clusterId, vmDescription);
+        if (maxCpuCoresConfigValue > 0) {
+            maxCpuCores = maxCpuCoresConfigValue;
         } else {
-            String maxCpuCoreConfigKey = ConfigurationManagerImpl.VM_SERVICE_OFFERING_MAX_CPU_CORES.key();
-
-            logger.info(String.format("%s is a 'Custom unconstrained' service offering. Using config [%s] value [%s] as max %s cpu cores.",
-                    serviceOfferingDescription, maxCpuCoreConfigKey, maxCpuCoresConfig, vmDescription));
-
-            if (maxCpuCoresConfig > 0) {
-                maxCpuCores = maxCpuCoresConfig;
-            } else {
-                logger.info(String.format("Config [%s] has value less or equal '0'. Using %s host or last host max cpu cores [%s] as VM cpu cores in the hypervisor.", maxCpuCoreConfigKey, vmDescription, maxHostCpuCore));
-                maxCpuCores = maxHostCpuCore;
-            }
+            logger.info("Config [{}] in cluster [ID: {}] has value less or equal '0'. Using [{}] host or last host max CPU cores [{}] as VM CPU cores in the hypervisor.",
+                    maxCpuCoresConfig.key(), clusterId, vmDescription, maxHostCpuCores);
+            maxCpuCores = maxHostCpuCores;
         }
         return maxCpuCores;
     }
diff --git a/server/src/main/java/com/cloud/hypervisor/kvm/discoverer/LibvirtServerDiscoverer.java b/server/src/main/java/com/cloud/hypervisor/kvm/discoverer/LibvirtServerDiscoverer.java
index efda72555e2c..b9fa3f0ebae7 100644
--- a/server/src/main/java/com/cloud/hypervisor/kvm/discoverer/LibvirtServerDiscoverer.java
+++ b/server/src/main/java/com/cloud/hypervisor/kvm/discoverer/LibvirtServerDiscoverer.java
@@ -21,7 +21,6 @@
 import java.net.InetAddress;
 import java.net.URI;
 import java.util.Arrays;
-import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
@@ -32,11 +31,8 @@
 
 import org.apache.cloudstack.agent.lb.IndirectAgentLB;
 import org.apache.cloudstack.ca.CAManager;
-import org.apache.cloudstack.ca.SetupCertificateCommand;
 import org.apache.cloudstack.direct.download.DirectDownloadManager;
-import org.apache.cloudstack.framework.ca.Certificate;
 import org.apache.cloudstack.utils.cache.LazyCache;
-import org.apache.cloudstack.utils.security.KeyStoreUtils;
 
 import com.cloud.agent.AgentManager;
 import com.cloud.agent.Listener;
@@ -66,7 +62,6 @@
 import com.cloud.resource.ResourceStateAdapter;
 import com.cloud.resource.ServerResource;
 import com.cloud.resource.UnableDeleteHostException;
-import com.cloud.utils.PasswordGenerator;
 import com.cloud.utils.StringUtils;
 import com.cloud.utils.UuidUtils;
 import com.cloud.utils.exception.CloudRuntimeException;
@@ -174,55 +169,7 @@ private void setupAgentSecurity(final Connection sshConnection, final String age
             throw new CloudRuntimeException("Cannot secure agent communication because SSH connection is invalid for host IP=" + agentIp);
         }
 
-        Integer validityPeriod = CAManager.CertValidityPeriod.value();
-        if (validityPeriod < 1) {
-            validityPeriod = 1;
-        }
-
-        String keystorePassword = PasswordGenerator.generateRandomPassword(16);
-        final SSHCmdHelper.SSHCmdResult keystoreSetupResult = SSHCmdHelper.sshExecuteCmdWithResult(sshConnection,
-                String.format("sudo /usr/share/cloudstack-common/scripts/util/%s " +
-                                "/etc/cloudstack/agent/agent.properties " +
-                                "/etc/cloudstack/agent/%s " +
-                                "%s %d " +
-                                "/etc/cloudstack/agent/%s",
-                        KeyStoreUtils.KS_SETUP_SCRIPT,
-                        KeyStoreUtils.KS_FILENAME,
-                        keystorePassword,
-                        validityPeriod,
-                        KeyStoreUtils.CSR_FILENAME));
-
-        if (!keystoreSetupResult.isSuccess()) {
-            throw new CloudRuntimeException("Failed to setup keystore on the KVM host: " + agentIp);
-        }
-
-        final Certificate certificate = caManager.issueCertificate(keystoreSetupResult.getStdOut(), Arrays.asList(agentHostname, agentIp), Collections.singletonList(agentIp), null, null);
-        if (certificate == null || certificate.getClientCertificate() == null) {
-            throw new CloudRuntimeException("Failed to issue certificates for KVM host agent: " + agentIp);
-        }
-
-        final SetupCertificateCommand certificateCommand = new SetupCertificateCommand(certificate);
-        final SSHCmdHelper.SSHCmdResult setupCertResult = SSHCmdHelper.sshExecuteCmdWithResult(sshConnection,
-                String.format("sudo /usr/share/cloudstack-common/scripts/util/%s " +
-                                "/etc/cloudstack/agent/agent.properties %s " +
-                                "/etc/cloudstack/agent/%s %s " +
-                                "/etc/cloudstack/agent/%s \"%s\" " +
-                                "/etc/cloudstack/agent/%s \"%s\" " +
-                                "/etc/cloudstack/agent/%s \"%s\"",
-                        KeyStoreUtils.KS_IMPORT_SCRIPT,
-                        keystorePassword,
-                        KeyStoreUtils.KS_FILENAME,
-                        KeyStoreUtils.SSH_MODE,
-                        KeyStoreUtils.CERT_FILENAME,
-                        certificateCommand.getEncodedCertificate(),
-                        KeyStoreUtils.CACERT_FILENAME,
-                        certificateCommand.getEncodedCaCertificates(),
-                        KeyStoreUtils.PKEY_FILENAME,
-                        certificateCommand.getEncodedPrivateKey()));
-
-        if (setupCertResult != null && !setupCertResult.isSuccess()) {
-            throw new CloudRuntimeException("Failed to setup certificate in the KVM agent's keystore file, please see logs and configure manually!");
-        }
+        caManager.provisionCertificateViaSsh(sshConnection, agentIp, agentHostname, null);
 
         if (logger.isDebugEnabled()) {
             logger.debug("Succeeded to import certificate in the keystore for agent on the KVM host: " + agentIp + ". Agent secured and trusted.");
diff --git a/server/src/main/java/com/cloud/network/IpAddressManagerImpl.java b/server/src/main/java/com/cloud/network/IpAddressManagerImpl.java
index 7f41a1a106cb..da84e5058603 100644
--- a/server/src/main/java/com/cloud/network/IpAddressManagerImpl.java
+++ b/server/src/main/java/com/cloud/network/IpAddressManagerImpl.java
@@ -539,6 +539,9 @@ public boolean configure(String name, Map<String, Object> params) {
         AssignIpAddressSearch.and("allocated", AssignIpAddressSearch.entity().getAllocatedTime(), Op.NULL);
         AssignIpAddressSearch.and("vlanId", AssignIpAddressSearch.entity().getVlanId(), Op.IN);
         AssignIpAddressSearch.and("forSystemVms", AssignIpAddressSearch.entity().isForSystemVms(), Op.EQ);
+        AssignIpAddressSearch.and("id", AssignIpAddressSearch.entity().getId(), Op.NIN);
+        AssignIpAddressSearch.and("requestedAddress", AssignIpAddressSearch.entity().getAddress(), Op.EQ);
+        AssignIpAddressSearch.and("routerAddress", AssignIpAddressSearch.entity().getAddress(), Op.NEQ);
 
         SearchBuilder<VlanVO> vlanSearch = _vlanDao.createSearchBuilder();
         vlanSearch.and("type", vlanSearch.entity().getVlanType(), Op.EQ);
@@ -945,10 +948,23 @@ public List<IPAddressVO> listAvailablePublicIps(final long dcId, final Long podI
         if (podId != null) {
             sc = AssignIpAddressFromPodVlanSearch.create();
             sc.setJoinParameters("podVlanMapSB", "podId", podId);
-            errorMessage.append(" pod id=" + podId);
+            errorMessage.append(" pod id=").append(podId);
         } else {
             sc = AssignIpAddressSearch.create();
-            errorMessage.append(" zone id=" + dcId);
+            errorMessage.append(" zone id=").append(dcId);
+        }
+
+        if (lockOneRow) {
+            logger.debug("Listing quarantined public IPs to ignore on search for public IP for system VM. The IPs ignored will be the ones that: were not associated to account [{}]; were not removed yet; and with quarantine end dates after [{}].", owner.getUuid(), new Date());
+
+            List<PublicIpQuarantineVO> quarantinedAddresses = publicIpQuarantineDao.listQuarantinedIpAddressesToUser(owner.getId(), new Date());
+            List<Long> quarantinedAddressesIDs = quarantinedAddresses.stream().map(PublicIpQuarantineVO::getPublicIpAddressId).collect(Collectors.toList());
+
+            logger.debug("Found addresses with the following IDs: [{}] that will be ignored when searching for available public IPs.", quarantinedAddressesIDs);
+
+            if (CollectionUtils.isNotEmpty(quarantinedAddressesIDs)) {
+                sc.setParameters("id", quarantinedAddressesIDs.toArray());
+            }
         }
 
         sc.setParameters("dc", dcId);
@@ -956,11 +972,11 @@ public List<IPAddressVO> listAvailablePublicIps(final long dcId, final Long podI
         // for direct network take ip addresses only from the vlans belonging to the network
         if (vlanUse == VlanType.DirectAttached) {
             sc.setJoinParameters("vlan", "networkId", guestNetworkId);
-            errorMessage.append(", network id=" + guestNetworkId);
+            errorMessage.append(", network id=").append(guestNetworkId);
         }
         if (requestedGateway != null) {
             sc.setJoinParameters("vlan", "vlanGateway", requestedGateway);
-            errorMessage.append(", requested gateway=" + requestedGateway);
+            errorMessage.append(", requested gateway=").append(requestedGateway);
         }
         sc.setJoinParameters("vlan", "type", vlanUse);
 
@@ -970,38 +986,39 @@ public List<IPAddressVO> listAvailablePublicIps(final long dcId, final Long podI
             NetworkDetailVO routerIpDetail = _networkDetailsDao.findDetail(network.getId(), ApiConstants.ROUTER_IP);
             routerIpAddress = routerIpDetail != null ? routerIpDetail.getValue() : null;
         }
+
         if (requestedIp != null) {
-            sc.addAnd("address", SearchCriteria.Op.EQ, requestedIp);
-            errorMessage.append(": requested ip " + requestedIp + " is not available");
+            sc.setParameters("requestedAddress", requestedIp);
+            errorMessage.append(": requested ip ").append(requestedIp).append(" is not available");
         } else if (routerIpAddress != null) {
-            sc.addAnd("address", Op.NEQ, routerIpAddress);
+            sc.setParameters("routerAddress", routerIpAddress);
         }
 
         boolean ascOrder = ! forSystemVms;
-        Filter filter = new Filter(IPAddressVO.class, "forSystemVms", ascOrder, 0l, 1l);
+        Filter filter = new Filter(IPAddressVO.class, "forSystemVms", ascOrder, 0L, 1L);
 
         filter.addOrderBy(IPAddressVO.class,"vlanId", true);
 
-        List<IPAddressVO> addrs = new ArrayList<>();
+        List<IPAddressVO> addresses = new ArrayList<>();
 
         if (forSystemVms) {
             // Get Public IPs for system vms in dedicated ranges
             sc.setParameters("forSystemVms", true);
             if (lockOneRow) {
-                addrs = _ipAddressDao.lockRows(sc, filter, true);
+                addresses = _ipAddressDao.lockRows(sc, filter, true);
             } else {
-                addrs = new ArrayList<>(_ipAddressDao.search(sc, null));
+                addresses = new ArrayList<>(_ipAddressDao.search(sc, null));
             }
         }
-        if ((!lockOneRow || (lockOneRow && CollectionUtils.isEmpty(addrs))) &&
+        if ((!lockOneRow || (lockOneRow && CollectionUtils.isEmpty(addresses))) &&
                 !(forSystemVms && SystemVmPublicIpReservationModeStrictness.value())) {
             sc.setParameters("forSystemVms", false);
             // If owner has dedicated Public IP ranges, fetch IP from the dedicated range
             // Otherwise fetch IP from the system pool
             // Checking if network is null in the case of system VM's. At the time of allocation of IP address to systemVm, no network is present.
             if (network == null || !(network.getGuestType() == GuestType.Shared && zone.getNetworkType() == NetworkType.Advanced)) {
-                List<AccountVlanMapVO> maps = _accountVlanMapDao.listAccountVlanMapsByAccount(owner.getId());
-                for (AccountVlanMapVO map : maps) {
+                List<AccountVlanMapVO> accountVlanMaps = _accountVlanMapDao.listAccountVlanMapsByAccount(owner.getId());
+                for (AccountVlanMapVO map : accountVlanMaps) {
                     if (vlanDbIds == null || vlanDbIds.contains(map.getVlanDbId()))
                         dedicatedVlanDbIds.add(map.getVlanDbId());
                 }
@@ -1020,10 +1037,10 @@ public List<IPAddressVO> listAvailablePublicIps(final long dcId, final Long podI
                 if (!dedicatedVlanDbIds.isEmpty()) {
                     fetchFromDedicatedRange = true;
                     sc.setParameters("vlanId", dedicatedVlanDbIds.toArray());
-                    errorMessage.append(", vlanId id=" + Arrays.toString(dedicatedVlanDbIds.toArray()));
+                    errorMessage.append(", vlanId id=").append(Arrays.toString(dedicatedVlanDbIds.toArray()));
                 } else if (!nonDedicatedVlanDbIds.isEmpty()) {
                     sc.setParameters("vlanId", nonDedicatedVlanDbIds.toArray());
-                    errorMessage.append(", vlanId id=" + Arrays.toString(nonDedicatedVlanDbIds.toArray()));
+                    errorMessage.append(", vlanId id=").append(Arrays.toString(nonDedicatedVlanDbIds.toArray()));
                 } else {
                     if (podId != null) {
                         InsufficientAddressCapacityException ex = new InsufficientAddressCapacityException("Insufficient address capacity", Pod.class, podId);
@@ -1037,13 +1054,13 @@ public List<IPAddressVO> listAvailablePublicIps(final long dcId, final Long podI
                 }
             }
             if (lockOneRow) {
-                addrs = _ipAddressDao.lockRows(sc, filter, true);
+                addresses = _ipAddressDao.lockRows(sc, filter, true);
             } else {
-                addrs = new ArrayList<>(_ipAddressDao.search(sc, null));
+                addresses = new ArrayList<>(_ipAddressDao.search(sc, null));
             }
 
             // If all the dedicated IPs of the owner are in use fetch an IP from the system pool
-            if ((!lockOneRow || (lockOneRow && addrs.size() == 0)) && fetchFromDedicatedRange && vlanUse == VlanType.VirtualNetwork) {
+            if ((!lockOneRow || (lockOneRow && addresses.isEmpty())) && fetchFromDedicatedRange && vlanUse == VlanType.VirtualNetwork) {
                 // Verify if account is allowed to acquire IPs from the system
                 boolean useSystemIps = UseSystemPublicIps.valueIn(owner.getId());
                 if (useSystemIps && !nonDedicatedVlanDbIds.isEmpty()) {
@@ -1051,15 +1068,15 @@ public List<IPAddressVO> listAvailablePublicIps(final long dcId, final Long podI
                     sc.setParameters("vlanId", nonDedicatedVlanDbIds.toArray());
                     errorMessage.append(", vlanId id=" + Arrays.toString(nonDedicatedVlanDbIds.toArray()));
                     if (lockOneRow) {
-                        addrs = _ipAddressDao.lockRows(sc, filter, true);
+                        addresses = _ipAddressDao.lockRows(sc, filter, true);
                     } else {
-                        addrs.addAll(_ipAddressDao.search(sc, null));
+                        addresses.addAll(_ipAddressDao.search(sc, null));
                     }
                 }
             }
         }
 
-        if (lockOneRow && addrs.size() == 0) {
+        if (lockOneRow && addresses.isEmpty()) {
             if (podId != null) {
                 InsufficientAddressCapacityException ex = new InsufficientAddressCapacityException("Insufficient address capacity", Pod.class, podId);
                 // for now, we hardcode the table names, but we should ideally do a lookup for the tablename from the VO object.
@@ -1073,13 +1090,12 @@ public List<IPAddressVO> listAvailablePublicIps(final long dcId, final Long podI
         }
 
         if (lockOneRow) {
-            assert (addrs.size() == 1) : "Return size is incorrect: " + addrs.size();
-            IpAddress ipAddress = addrs.get(0);
-            boolean ipCanBeAllocated = canPublicIpAddressBeAllocated(ipAddress, owner);
+            IPAddressVO allocatableIp = addresses.get(0);
+
+            boolean isPublicIpAllocatable = canPublicIpAddressBeAllocated(allocatableIp, owner);
 
-            if (!ipCanBeAllocated) {
-                throw new InsufficientAddressCapacityException(String.format("Failed to allocate public IP address [%s] as it is in quarantine.", ipAddress.getAddress()),
-                        DataCenter.class, dcId);
+            if (!isPublicIpAllocatable) {
+                throw new InsufficientAddressCapacityException(String.format("Failed to allocate public IP [%s] as it is in quarantine.", allocatableIp.getAddress()), DataCenter.class, dcId);
             }
         }
 
@@ -1088,12 +1104,12 @@ public List<IPAddressVO> listAvailablePublicIps(final long dcId, final Long podI
             try {
                 _resourceLimitMgr.checkResourceLimit(owner, ResourceType.public_ip);
             } catch (ResourceAllocationException ex) {
-                logger.warn("Failed to allocate resource of type " + ex.getResourceType() + " for account " + owner);
+                logger.warn("Failed to allocate resource of type {} for account {}", ex.getResourceType(), owner);
                 throw new AccountLimitException("Maximum number of public IP addresses for account: " + owner.getAccountName() + " has been exceeded.");
             }
         }
 
-        return addrs;
+        return addresses;
     }
 
     @DB
@@ -2558,26 +2574,27 @@ public boolean canPublicIpAddressBeAllocated(IpAddress ip, Account newOwner) {
         PublicIpQuarantineVO publicIpQuarantineVO = publicIpQuarantineDao.findByPublicIpAddressId(ip.getId());
 
         if (publicIpQuarantineVO == null) {
-            logger.debug(String.format("Public IP address [%s] is not in quarantine; therefore, it is allowed to be allocated.", ip));
+            logger.debug("Public IP address [{}] is not in quarantine; therefore, it is allowed to be allocated.", ip);
             return true;
         }
 
         if (!isPublicIpAddressStillInQuarantine(publicIpQuarantineVO, new Date())) {
-            logger.debug(String.format("Public IP address [%s] is no longer in quarantine; therefore, it is allowed to be allocated.", ip));
+            logger.debug("Public IP address [{}] is no longer in quarantine; therefore, it is allowed to be allocated.", ip);
+            removePublicIpAddressFromQuarantine(publicIpQuarantineVO.getId(), "IP was removed from quarantine because it was no longer in quarantine.");
             return true;
         }
 
         Account previousOwner = _accountMgr.getAccount(publicIpQuarantineVO.getPreviousOwnerId());
 
         if (Objects.equals(previousOwner.getUuid(), newOwner.getUuid())) {
-            logger.debug(String.format("Public IP address [%s] is in quarantine; however, the Public IP previous owner [%s] is the same as the new owner [%s]; therefore the IP" +
-                    " can be allocated. The public IP address will be removed from quarantine.", ip, previousOwner, newOwner));
+            logger.debug("Public IP address [{}] is in quarantine; however, the Public IP previous owner [{}] is the same as the new owner [{}]; therefore the IP" +
+                    " can be allocated. The public IP address will be removed from quarantine.", ip, previousOwner, newOwner);
             removePublicIpAddressFromQuarantine(publicIpQuarantineVO.getId(), "IP was removed from quarantine because it has been allocated by the previous owner");
             return true;
         }
 
-        logger.error(String.format("Public IP address [%s] is in quarantine and the previous owner [%s] is different than the new owner [%s]; therefore, the IP cannot be " +
-                "allocated.", ip, previousOwner, newOwner));
+        logger.error("Public IP address [{}] is in quarantine and the previous owner [{}] is different than the new owner [{}]; therefore, the IP cannot be " +
+                "allocated.", ip, previousOwner, newOwner);
         return false;
     }
 
@@ -2628,7 +2645,7 @@ public void removePublicIpAddressFromQuarantine(Long quarantineProcessId, String
         publicIpQuarantineVO.setRemovalReason(removalReason);
         publicIpQuarantineVO.setRemoverAccountId(removerAccountId);
 
-        logger.debug(String.format("Removing public IP Address [%s] from quarantine by updating the removed date to [%s].", ipAddress, removedDate));
+        logger.debug("Removing public IP Address [{}] from quarantine by updating the removed date to [{}].", ipAddress, removedDate);
         publicIpQuarantineDao.persist(publicIpQuarantineVO);
     }
 
diff --git a/server/src/main/java/com/cloud/network/NetworkMigrationManagerImpl.java b/server/src/main/java/com/cloud/network/NetworkMigrationManagerImpl.java
index 450f08c46e35..a09867b8ffc3 100644
--- a/server/src/main/java/com/cloud/network/NetworkMigrationManagerImpl.java
+++ b/server/src/main/java/com/cloud/network/NetworkMigrationManagerImpl.java
@@ -301,7 +301,7 @@ public Long makeCopyOfVpc(long vpcId, long vpcOfferingId) {
 
             copyOfVpc = _vpcService.createVpc(vpc.getZoneId(), vpcOfferingId, vpc.getAccountId(), vpc.getName(),
                     vpc.getDisplayText(), vpc.getCidr(), vpc.getNetworkDomain(), vpc.getIp4Dns1(), vpc.getIp4Dns2(),
-                    vpc.getIp6Dns1(), vpc.getIp6Dns2(), vpc.isDisplay(), vpc.getPublicMtu(), null, null, null, vpc.useRouterIpAsResolver());
+                    vpc.getIp6Dns1(), vpc.getIp6Dns2(), vpc.isDisplay(), vpc.getPublicMtu(), null, null, null, vpc.useRouterIpAsResolver(), vpc.getKeepMacAddressOnPublicNic());
 
             copyOfVpcId = copyOfVpc.getId();
             //on resume of migration the uuid will be swapped already. So the copy will have the value of the original vpcid.
diff --git a/server/src/main/java/com/cloud/network/NetworkServiceImpl.java b/server/src/main/java/com/cloud/network/NetworkServiceImpl.java
index 0a2e679b723e..d18fd043f697 100644
--- a/server/src/main/java/com/cloud/network/NetworkServiceImpl.java
+++ b/server/src/main/java/com/cloud/network/NetworkServiceImpl.java
@@ -41,6 +41,7 @@
 import javax.inject.Inject;
 import javax.naming.ConfigurationException;
 
+import com.cloud.resourcelimit.CheckedReservation;
 import org.apache.cloudstack.acl.ControlledEntity.ACLType;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.alert.AlertService;
@@ -76,6 +77,7 @@
 import org.apache.cloudstack.network.RoutedIpv4Manager;
 import org.apache.cloudstack.network.dao.NetworkPermissionDao;
 import org.apache.cloudstack.network.element.InternalLoadBalancerElementService;
+import org.apache.cloudstack.reservation.dao.ReservationDao;
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.collections.MapUtils;
 import org.apache.commons.lang3.BooleanUtils;
@@ -338,6 +340,8 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService, C
     @Inject
     ResourceLimitService _resourceLimitMgr;
     @Inject
+    ReservationDao reservationDao;
+    @Inject
     DomainManager _domainMgr;
     @Inject
     ProjectManager _projectMgr;
@@ -1155,28 +1159,26 @@ public IpAddress reserveIpAddress(Account account, Boolean displayIp, Long ipAdd
         if (ipDedicatedAccountId != null && !ipDedicatedAccountId.equals(account.getAccountId())) {
             throw new InvalidParameterValueException("Unable to reserve a IP because it is dedicated to another Account.");
         }
-        if (ipDedicatedAccountId == null) {
-            // Check that the maximum number of public IPs for the given accountId will not be exceeded
-            try {
-                _resourceLimitMgr.checkResourceLimit(account, Resource.ResourceType.public_ip);
-            } catch (ResourceAllocationException ex) {
-                logger.warn("Failed to allocate resource of type " + ex.getResourceType() + " for account " + account);
-                throw new AccountLimitException("Maximum number of public IP addresses for account: " + account.getAccountName() + " has been exceeded.");
+
+        long reservedIpAddressesAmount = ipDedicatedAccountId == null ? 1L : 0L;
+        try (CheckedReservation publicIpAddressReservation = new CheckedReservation(account, Resource.ResourceType.public_ip, reservedIpAddressesAmount, reservationDao, _resourceLimitMgr)) {
+            List<AccountVlanMapVO> maps = _accountVlanMapDao.listAccountVlanMapsByVlan(ipVO.getVlanId());
+            ipVO.setAllocatedTime(new Date());
+            ipVO.setAllocatedToAccountId(account.getAccountId());
+            ipVO.setAllocatedInDomainId(account.getDomainId());
+            ipVO.setState(State.Reserved);
+            if (displayIp != null) {
+                ipVO.setDisplay(displayIp);
             }
+            ipVO = _ipAddressDao.persist(ipVO);
+            if (reservedIpAddressesAmount > 0) {
+                _resourceLimitMgr.incrementResourceCount(account.getId(), Resource.ResourceType.public_ip);
+            }
+            return ipVO;
+        } catch (ResourceAllocationException ex) {
+            logger.warn("Failed to allocate resource of type " + ex.getResourceType() + " for account " + account);
+            throw new AccountLimitException("Maximum number of public IP addresses for account: " + account.getAccountName() + " has been exceeded.");
         }
-        List<AccountVlanMapVO> maps = _accountVlanMapDao.listAccountVlanMapsByVlan(ipVO.getVlanId());
-        ipVO.setAllocatedTime(new Date());
-        ipVO.setAllocatedToAccountId(account.getAccountId());
-        ipVO.setAllocatedInDomainId(account.getDomainId());
-        ipVO.setState(State.Reserved);
-        if (displayIp != null) {
-            ipVO.setDisplay(displayIp);
-        }
-        ipVO = _ipAddressDao.persist(ipVO);
-        if (ipDedicatedAccountId == null) {
-            _resourceLimitMgr.incrementResourceCount(account.getId(), Resource.ResourceType.public_ip);
-        }
-        return ipVO;
     }
 
     @Override
@@ -1547,6 +1549,8 @@ public Network createGuestNetwork(CreateNetworkCmd cmd) throws InsufficientCapac
 
         DataCenter zone = getAndValidateZone(cmd, pNtwk);
 
+        boolean keepMacAddressOnPublicNic = getAndValidateSupportForKeepMacAddressOnPublicNicParameter(cmd.getKeepMacAddressOnPublicNic(), ntwkOff);
+
         _accountMgr.checkAccess(owner, ntwkOff, zone);
 
         validateZoneAvailability(caller, zone);
@@ -1832,7 +1836,7 @@ public Network createGuestNetwork(CreateNetworkCmd cmd) throws InsufficientCapac
 
         Network network = commitNetwork(networkOfferingId, gateway, startIP, endIP, netmask, networkDomain, vlanId, bypassVlanOverlapCheck, name, displayText, caller, physicalNetworkId, zone.getId(),
                 domainId, isDomainSpecific, subdomainAccess, vpcId, startIPv6, endIPv6, ip6Gateway, ip6Cidr, displayNetwork, aclId, secondaryVlanId, privateVlanType, ntwkOff, pNtwk, aclType, owner, cidr, createVlan,
-                externalId, routerIPv4, routerIPv6, associatedNetwork, ip4Dns1, ip4Dns2, ip6Dns1, ip6Dns2, interfaceMTUs, networkCidrSize);
+                externalId, routerIPv4, routerIPv6, associatedNetwork, ip4Dns1, ip4Dns2, ip6Dns1, ip6Dns2, interfaceMTUs, networkCidrSize, keepMacAddressOnPublicNic);
 
         // retrieve, acquire and associate the correct IP addresses
         checkAndSetRouterSourceNatIp(owner, cmd, network);
@@ -1877,6 +1881,24 @@ private void validateNetworkCreationSupported(long zoneId, String zoneName, Gues
         }
     }
 
+    protected boolean getAndValidateSupportForKeepMacAddressOnPublicNicParameter(Boolean keepMacAddressOnPublicNic, NetworkOffering networkOffering) {
+        if (networkOffering.isForVpc() && keepMacAddressOnPublicNic != null) {
+            throw new InvalidParameterValueException(
+                    String.format("The [%s] parameter cannot be specified on the creation of VPC tiers.", ApiConstants.KEEP_MAC_ADDRESS_ON_PUBLIC_NIC)
+            );
+        }
+
+        GuestType guestType = networkOffering.getGuestType();
+        if (guestType != GuestType.Isolated && keepMacAddressOnPublicNic != null) {
+            throw new InvalidParameterValueException(String.format(
+                    "The [%s] parameter can only be specified on the creation of [%s] networks.",
+                    ApiConstants.KEEP_MAC_ADDRESS_ON_PUBLIC_NIC, GuestType.Isolated
+            ));
+        }
+
+        return keepMacAddressOnPublicNic == null || keepMacAddressOnPublicNic;
+    }
+
     @Override
     @DB
     @ActionEvent(eventType = EventTypes.EVENT_NETWORK_CREATE, eventDescription = "creating network")
@@ -2280,7 +2302,7 @@ protected Network commitNetwork(final Long networkOfferingId, final String gatew
                                   final Boolean displayNetwork, final Long aclId, final String isolatedPvlan, final PVlanType isolatedPvlanType, final NetworkOffering ntwkOff, final PhysicalNetwork pNtwk, final ACLType aclType, final Account ownerFinal,
                                   final String cidr, final boolean createVlan, final String externalId, String routerIp, String routerIpv6,
                                   final Network associatedNetwork, final String ip4Dns1, final String ip4Dns2, final String ip6Dns1, final String ip6Dns2, Pair<Integer, Integer> vrIfaceMTUs,
-                                  final Integer networkCidrSize) throws InsufficientCapacityException, ResourceAllocationException {
+                                  final Integer networkCidrSize, final boolean keepMacAddressOnPublicNic) throws InsufficientCapacityException, ResourceAllocationException {
         try {
             Network network = Transaction.execute(new TransactionCallbackWithException<Network, Exception>() {
                 @Override
@@ -2346,7 +2368,7 @@ public Network doInTransaction(TransactionStatus status) throws InsufficientCapa
                         }
                         network = _networkMgr.createGuestNetwork(networkOfferingId, name, displayText, gateway, cidr, vlanId, bypassVlanOverlapCheck, networkDomain, owner, sharedDomainId, pNtwk,
                                 zoneId, aclType, subdomainAccess, vpcId, ip6Gateway, ip6Cidr, displayNetwork, isolatedPvlan, isolatedPvlanType, externalId, routerIp, routerIpv6, ip4Dns1, ip4Dns2,
-                                ip6Dns1, ip6Dns2, vrIfaceMTUs, networkCidrSize);
+                                ip6Dns1, ip6Dns2, vrIfaceMTUs, networkCidrSize, keepMacAddressOnPublicNic);
                     }
 
                     if (createVlan && network != null) {
@@ -3154,6 +3176,7 @@ public Network updateGuestNetwork(final UpdateNetworkCmd cmd) {
         String ip4Dns2 = cmd.getIp4Dns2();
         String ip6Dns1 = cmd.getIp6Dns1();
         String ip6Dns2 = cmd.getIp6Dns2();
+        Boolean keepMacAddressOnPublicNic = cmd.getKeepMacAddressOnPublicNic();
 
         boolean restartNetwork = false;
 
@@ -3212,11 +3235,15 @@ public Network updateGuestNetwork(final UpdateNetworkCmd cmd) {
             network.setUuid(customId);
         }
 
+        if (keepMacAddressOnPublicNic != null) {
+            network.setKeepMacAddressOnPublicNic(getAndValidateSupportForKeepMacAddressOnPublicNicParameter(keepMacAddressOnPublicNic, offering));
+        }
+
         // display flag is not null and has changed
         if (displayNetwork != null && displayNetwork != network.getDisplayNetwork()) {
             // Update resource count if it needs to be updated
             NetworkOffering networkOffering = _networkOfferingDao.findById(network.getNetworkOfferingId());
-            if (_networkMgr.resourceCountNeedsUpdate(networkOffering, network.getAclType())) {
+            if (_networkMgr.isResourceCountUpdateNeeded(networkOffering)) {
                 _resourceLimitMgr.changeResourceCount(network.getAccountId(), Resource.ResourceType.network, displayNetwork);
             }
 
diff --git a/server/src/main/java/com/cloud/network/router/CommandSetupHelper.java b/server/src/main/java/com/cloud/network/router/CommandSetupHelper.java
index b915027e9ab3..c6296682bb09 100644
--- a/server/src/main/java/com/cloud/network/router/CommandSetupHelper.java
+++ b/server/src/main/java/com/cloud/network/router/CommandSetupHelper.java
@@ -396,7 +396,8 @@ public void createApplyLoadBalancingRulesCommands(final List<LoadBalancingRule>
         }
 
         final LoadBalancerConfigCommand cmd = new LoadBalancerConfigCommand(lbs, routerPublicIp, _routerControlHelper.getRouterIpInNetwork(guestNetworkId, router.getId()),
-                router.getPrivateIpAddress(), _itMgr.toNicTO(nicProfile, router.getHypervisorType()), router.getVpcId(), maxconn, offering.isKeepAliveEnabled());
+                router.getPrivateIpAddress(), _itMgr.toNicTO(nicProfile, router.getHypervisorType()), router.getVpcId(), maxconn, offering.isKeepAliveEnabled(),
+                NetworkOrchestrationService.NETWORK_LB_HAPROXY_IDLE_TIMEOUT.value());
 
         cmd.lbStatsVisibility = _configDao.getValue(Config.NetworkLBHaproxyStatsVisbility.key());
         cmd.lbStatsUri = _configDao.getValue(Config.NetworkLBHaproxyStatsUri.key());
diff --git a/server/src/main/java/com/cloud/network/router/NetworkHelperImpl.java b/server/src/main/java/com/cloud/network/router/NetworkHelperImpl.java
index 684f196ce9fd..56534a8ee7df 100644
--- a/server/src/main/java/com/cloud/network/router/NetworkHelperImpl.java
+++ b/server/src/main/java/com/cloud/network/router/NetworkHelperImpl.java
@@ -737,55 +737,91 @@ protected LinkedHashMap<Network, List<? extends NicProfile>> configureControlNic
     }
 
     protected LinkedHashMap<Network, List<? extends NicProfile>> configurePublicNic(final RouterDeploymentDefinition routerDeploymentDefinition, final boolean hasGuestNic) throws InsufficientAddressCapacityException {
-        final LinkedHashMap<Network, List<? extends NicProfile>> publicConfig = new LinkedHashMap<Network, List<? extends NicProfile>>(3);
-
-        if (routerDeploymentDefinition.isPublicNetwork()) {
-            logger.debug("Adding NIC for Virtual Router in Public network ");
-            // if source nat service is supported by the network, get the source
-            // nat ip address
-            final NicProfile defaultNic = new NicProfile();
-            defaultNic.setDefaultNic(true);
-            final PublicIp sourceNatIp = routerDeploymentDefinition.getSourceNatIP();
-            defaultNic.setIPv4Address(sourceNatIp.getAddress().addr());
-            defaultNic.setIPv4Gateway(sourceNatIp.getGateway());
-            defaultNic.setIPv4Netmask(sourceNatIp.getNetmask());
-            defaultNic.setMacAddress(sourceNatIp.getMacAddress());
-            // get broadcast from public network
-            final Network pubNet = _networkDao.findById(sourceNatIp.getNetworkId());
-            if (pubNet.getBroadcastDomainType() == BroadcastDomainType.Vxlan) {
-                defaultNic.setBroadcastType(BroadcastDomainType.Vxlan);
-                defaultNic.setBroadcastUri(BroadcastDomainType.Vxlan.toUri(sourceNatIp.getVlanTag()));
-                defaultNic.setIsolationUri(BroadcastDomainType.Vxlan.toUri(sourceNatIp.getVlanTag()));
-            } else {
-                defaultNic.setBroadcastType(BroadcastDomainType.Vlan);
-                defaultNic.setBroadcastUri(sourceNatIp.getVlanTag() != null ? BroadcastDomainType.Vlan.toUri(sourceNatIp.getVlanTag()) : null);
-                defaultNic.setIsolationUri(sourceNatIp.getVlanTag() != null ?  IsolationType.Vlan.toUri(sourceNatIp.getVlanTag()) : null);
-            }
-
-            //If guest nic has already been added we will have 2 devices in the list.
-            if (hasGuestNic) {
-                defaultNic.setDeviceId(2);
-            }
+        final LinkedHashMap<Network, List<? extends NicProfile>> publicConfig = new LinkedHashMap<>(3);
+        if (!routerDeploymentDefinition.isPublicNetwork()) {
+            return publicConfig;
+        }
 
-            final NetworkOffering publicOffering = _networkModel.getSystemAccountNetworkOfferings(NetworkOffering.SystemPublicNetwork).get(0);
-            final List<? extends Network> publicNetworks = _networkMgr.setupNetwork(s_systemAccount, publicOffering, routerDeploymentDefinition.getPlan(), null, null, false);
-            final String publicIp = defaultNic.getIPv4Address();
-            // We want to use the identical MAC address for RvR on public
-            // interface if possible
-            final NicVO peerNic = _nicDao.findByIp4AddressAndNetworkId(publicIp, publicNetworks.get(0).getId());
-            if (peerNic != null) {
-                logger.info("Use same MAC as previous RvR, the MAC is " + peerNic.getMacAddress());
-                defaultNic.setMacAddress(peerNic.getMacAddress());
-            }
-            if (routerDeploymentDefinition.getGuestNetwork() != null) {
-                ipv6Service.updateNicIpv6(defaultNic, routerDeploymentDefinition.getDest().getDataCenter(), routerDeploymentDefinition.getGuestNetwork());
-            }
-            publicConfig.put(publicNetworks.get(0), new ArrayList<NicProfile>(Arrays.asList(defaultNic)));
+        final PublicIp sourceNatIp = routerDeploymentDefinition.getSourceNatIP();
+        final NicProfile defaultNic = new NicProfile();
+        configurePublicVrNicBasedOnSourceNatIp(defaultNic, sourceNatIp);
+        if (hasGuestNic) {
+            logger.debug("Guest NIC has already been configured, therefore setting device ID of new VR (with source NAT [{}]) public NIC to [2].", sourceNatIp);
+            defaultNic.setDeviceId(2);
         }
 
+        final NetworkOffering publicOffering = _networkModel.getSystemAccountNetworkOfferings(NetworkOffering.SystemPublicNetwork).get(0);
+        final List<? extends Network> publicNetworks = _networkMgr.setupNetwork(s_systemAccount, publicOffering, routerDeploymentDefinition.getPlan(), null, null, false);
+
+        setPublicNicMacAddressSameAsPeerNic(defaultNic, publicNetworks.get(0), routerDeploymentDefinition);
+
+        if (routerDeploymentDefinition.getGuestNetwork() != null) {
+            ipv6Service.updateNicIpv6(defaultNic, routerDeploymentDefinition.getDest().getDataCenter(), routerDeploymentDefinition.getGuestNetwork());
+        }
+        publicConfig.put(publicNetworks.get(0), List.of(defaultNic));
         return publicConfig;
     }
 
+    /**
+     * Configures the public NIC of a Virtual Router based on the provided source NAT IP.
+     * @param nic Virtual Router public NIC to be configured.
+     * @param sourceNatIp Source NAT IP which should be used to configure the Virtual Router's public NIC.
+     */
+    protected void configurePublicVrNicBasedOnSourceNatIp(NicProfile nic, PublicIp sourceNatIp) {
+        logger.debug("Configuring public NIC of VR with source NAT IP equal to [{}]", sourceNatIp.getAddress().addr());
+        nic.setDefaultNic(true);
+        nic.setIPv4Address(sourceNatIp.getAddress().addr());
+        nic.setIPv4Gateway(sourceNatIp.getGateway());
+        nic.setIPv4Netmask(sourceNatIp.getNetmask());
+        nic.setMacAddress(sourceNatIp.getMacAddress());
+
+        Network publicNetwork = _networkDao.findById(sourceNatIp.getNetworkId());
+        if (publicNetwork.getBroadcastDomainType() == BroadcastDomainType.Vxlan) {
+            nic.setBroadcastType(BroadcastDomainType.Vxlan);
+            nic.setBroadcastUri(BroadcastDomainType.Vxlan.toUri(sourceNatIp.getVlanTag()));
+            nic.setIsolationUri(BroadcastDomainType.Vxlan.toUri(sourceNatIp.getVlanTag()));
+        } else {
+            nic.setBroadcastType(BroadcastDomainType.Vlan);
+            nic.setBroadcastUri(sourceNatIp.getVlanTag() != null ? BroadcastDomainType.Vlan.toUri(sourceNatIp.getVlanTag()) : null);
+            nic.setIsolationUri(sourceNatIp.getVlanTag() != null ? IsolationType.Vlan.toUri(sourceNatIp.getVlanTag()) : null);
+        }
+    }
+
+    /**
+     * Sets the MAC address of the new VR's public NIC the same as the previous VR's public NIC MAC address if
+     * {@link RouterDeploymentDefinition#getKeepMacAddressOnPublicNic()} is set to {@code true} and a peer NIC is found; otherwise,
+     * does nothing.
+     */
+    protected void setPublicNicMacAddressSameAsPeerNic(NicProfile defaultNic, Network publicNetwork, RouterDeploymentDefinition routerDeploymentDefinition) throws InsufficientAddressCapacityException {
+        String publicIp = defaultNic.getIPv4Address();
+        logger.info("Verifying if we will use same MAC address for public NIC of new VR (with source NAT [{}]).", publicIp);
+
+        logger.debug("Searching for peer NIC for public IP [{}] and network [{}].", publicIp, publicNetwork.getUuid());
+        NicVO peerNic = _nicDao.findByIp4AddressAndNetworkId(publicIp, publicNetwork.getId());
+        if (peerNic == null) {
+            logger.info("We will not use the same MAC address for public NIC of new VR as we have not found a peer NIC for public IP [{}] and network [{}].",
+                    publicIp, publicNetwork.getUuid());
+            return;
+        }
+
+        logger.info("Found peer NIC [{}] for public IP [{}] and network [{}].", peerNic.getUuid(), publicIp, publicNetwork.getUuid());
+        boolean keepMacAddressOnPublicNic = routerDeploymentDefinition.getKeepMacAddressOnPublicNic();
+        String macAddressLog = String.format("same MAC address for public NIC of new VR (with source NAT [%s]) as the [keep_mac_address_on_public_nic] property is configured as [%s].", publicIp, keepMacAddressOnPublicNic);
+        if (keepMacAddressOnPublicNic) {
+            logger.info("Using {}", macAddressLog);
+            defaultNic.setMacAddress(peerNic.getMacAddress());
+            return;
+        }
+
+        logger.info("Not using {}", macAddressLog);
+        boolean fetchNewMacAddress = peerNic.getMacAddress().equals(defaultNic.getMacAddress());
+        if (fetchNewMacAddress) {
+            logger.debug("Fetching new MAC address for public NIC of new VR, since the MAC address of the peer NIC [UUID: {}, MAC address: {}] is equal to the predefined MAC address of the current NIC.", peerNic.getUuid(), peerNic.getMacAddress());
+            routerDeploymentDefinition.findSourceNatIP();
+            configurePublicVrNicBasedOnSourceNatIp(defaultNic, routerDeploymentDefinition.getSourceNatIP());
+        }
+    }
+
     @Override
     public LinkedHashMap<Network, List<? extends NicProfile>> configureDefaultNics(final RouterDeploymentDefinition routerDeploymentDefinition) throws ConcurrentOperationException, InsufficientAddressCapacityException {
 
diff --git a/server/src/main/java/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java b/server/src/main/java/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
index 19a5896e4252..dd65719ad033 100644
--- a/server/src/main/java/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
+++ b/server/src/main/java/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
@@ -1690,7 +1690,7 @@ private void updateWithLbRules(final DomainRouterJoinVO routerJoinVO, final Stri
                 } else {
                     loadBalancingData.append("maxconn=").append(offering.getConcurrentConnections());
                 }
-
+                loadBalancingData.append(",idletimeout=").append(NetworkOrchestrationService.NETWORK_LB_HAPROXY_IDLE_TIMEOUT.value());
                 loadBalancingData.append(",sourcePortStart=").append(firewallRuleVO.getSourcePortStart())
                         .append(",sourcePortEnd=").append(firewallRuleVO.getSourcePortEnd());
                 if (firewallRuleVO instanceof LoadBalancerVO) {
diff --git a/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java b/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java
index 156e71e72b8f..c5f36e856550 100644
--- a/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java
+++ b/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java
@@ -42,30 +42,8 @@
 import javax.inject.Inject;
 import javax.naming.ConfigurationException;
 
-import com.cloud.configuration.ConfigurationManager;
-import com.cloud.configuration.ConfigurationManagerImpl;
-import com.cloud.bgp.BGPService;
-import com.cloud.dc.ASNumberVO;
-import com.cloud.dc.dao.ASNumberDao;
-import com.cloud.dc.Vlan;
-import com.cloud.network.RemoteAccessVpn;
-import com.cloud.network.Site2SiteVpnConnection;
-import com.cloud.network.dao.NetrisProviderDao;
-import com.cloud.network.dao.NsxProviderDao;
-import com.cloud.network.dao.RemoteAccessVpnDao;
-import com.cloud.network.dao.RemoteAccessVpnVO;
-import com.cloud.network.dao.Site2SiteCustomerGatewayDao;
-import com.cloud.network.dao.Site2SiteCustomerGatewayVO;
-import com.cloud.network.dao.Site2SiteVpnConnectionDao;
-import com.cloud.network.dao.Site2SiteVpnConnectionVO;
-import com.cloud.network.element.NetrisProviderVO;
-import com.cloud.network.element.NetworkACLServiceProvider;
-import com.cloud.network.element.NsxProviderVO;
-import com.cloud.network.rules.RulesManager;
-import com.cloud.network.vpn.RemoteAccessVpnService;
-import com.cloud.utils.DomainHelper;
-import com.cloud.vm.dao.VMInstanceDao;
 import com.google.common.collect.Sets;
+
 import org.apache.cloudstack.acl.ControlledEntity.ACLType;
 import org.apache.cloudstack.alert.AlertService;
 import org.apache.cloudstack.annotation.AnnotationService;
@@ -108,12 +86,18 @@
 import com.cloud.alert.AlertManager;
 import com.cloud.api.query.dao.VpcOfferingJoinDao;
 import com.cloud.api.query.vo.VpcOfferingJoinVO;
+import com.cloud.bgp.BGPService;
 import com.cloud.configuration.Config;
+import com.cloud.configuration.ConfigurationManager;
+import com.cloud.configuration.ConfigurationManagerImpl;
 import com.cloud.configuration.Resource.ResourceType;
+import com.cloud.dc.ASNumberVO;
 import com.cloud.dc.DataCenter;
 import com.cloud.dc.DataCenterVO;
 import com.cloud.dc.Vlan.VlanType;
+import com.cloud.dc.Vlan;
 import com.cloud.dc.VlanVO;
+import com.cloud.dc.dao.ASNumberDao;
 import com.cloud.dc.dao.DataCenterDao;
 import com.cloud.dc.dao.VlanDao;
 import com.cloud.deploy.DeployDestination;
@@ -143,18 +127,33 @@
 import com.cloud.network.Networks.BroadcastDomainType;
 import com.cloud.network.Networks.TrafficType;
 import com.cloud.network.PhysicalNetwork;
+import com.cloud.network.RemoteAccessVpn;
+import com.cloud.network.Site2SiteVpnConnection;
 import com.cloud.network.addr.PublicIp;
 import com.cloud.network.dao.FirewallRulesDao;
 import com.cloud.network.dao.IPAddressDao;
 import com.cloud.network.dao.IPAddressVO;
 import com.cloud.network.dao.NetworkDao;
 import com.cloud.network.dao.NetworkVO;
+import com.cloud.network.dao.NetrisProviderDao;
+import com.cloud.network.dao.NsxProviderDao;
+import com.cloud.network.dao.RemoteAccessVpnDao;
+import com.cloud.network.dao.RemoteAccessVpnVO;
+import com.cloud.network.dao.Site2SiteCustomerGatewayDao;
+import com.cloud.network.dao.Site2SiteCustomerGatewayVO;
+import com.cloud.network.dao.Site2SiteVpnConnectionDao;
+import com.cloud.network.dao.Site2SiteVpnConnectionVO;
+import com.cloud.network.element.NetrisProviderVO;
+import com.cloud.network.element.NetworkACLServiceProvider;
 import com.cloud.network.element.NetworkElement;
+import com.cloud.network.element.NsxProviderVO;
 import com.cloud.network.element.StaticNatServiceProvider;
 import com.cloud.network.element.VpcProvider;
 import com.cloud.network.router.CommandSetupHelper;
 import com.cloud.network.router.NetworkHelper;
 import com.cloud.network.router.VpcVirtualNetworkApplianceManager;
+import com.cloud.network.rules.RulesManager;
+import com.cloud.network.vpn.RemoteAccessVpnService;
 import com.cloud.network.vpc.VpcOffering.State;
 import com.cloud.network.vpc.dao.NetworkACLDao;
 import com.cloud.network.vpc.dao.PrivateIpDao;
@@ -173,6 +172,7 @@
 import com.cloud.offerings.dao.NetworkOfferingServiceMapDao;
 import com.cloud.org.Grouping;
 import com.cloud.projects.Project.ListProjectResourcesCriteria;
+import com.cloud.resourcelimit.CheckedReservation;
 import com.cloud.server.ResourceTag.ResourceObjectType;
 import com.cloud.tags.ResourceTagVO;
 import com.cloud.tags.dao.ResourceTagDao;
@@ -180,6 +180,7 @@
 import com.cloud.user.AccountManager;
 import com.cloud.user.ResourceLimitService;
 import com.cloud.user.User;
+import com.cloud.utils.DomainHelper;
 import com.cloud.utils.NumbersUtil;
 import com.cloud.utils.Pair;
 import com.cloud.utils.StringUtils;
@@ -209,6 +210,7 @@
 import com.cloud.vm.VirtualMachine;
 import com.cloud.vm.dao.DomainRouterDao;
 import com.cloud.vm.dao.NicDao;
+import com.cloud.vm.dao.VMInstanceDao;
 
 import static com.cloud.offering.NetworkOffering.RoutingMode.Dynamic;
 
@@ -1566,16 +1568,13 @@ public List<Long> getVpcOfferingZones(Long vpcOfferingId) {
     @ActionEvent(eventType = EventTypes.EVENT_VPC_CREATE, eventDescription = "creating vpc", create = true)
     public Vpc createVpc(final long zoneId, final long vpcOffId, final long vpcOwnerId, final String vpcName, final String displayText, final String cidr, String networkDomain,
                          final String ip4Dns1, final String ip4Dns2, final String ip6Dns1, final String ip6Dns2, final Boolean displayVpc, Integer publicMtu,
-                         final Integer cidrSize, final Long asNumber, final List<Long> bgpPeerIds, Boolean useVrIpResolver) throws ResourceAllocationException {
+                         final Integer cidrSize, final Long asNumber, final List<Long> bgpPeerIds, Boolean useVrIpResolver, boolean keepMacAddressOnPublicNic) throws ResourceAllocationException {
         final Account caller = CallContext.current().getCallingAccount();
         final Account owner = _accountMgr.getAccount(vpcOwnerId);
 
         // Verify that caller can perform actions in behalf of vpc owner
         _accountMgr.checkAccess(caller, null, false, owner);
 
-        // check resource limit
-        _resourceLimitMgr.checkResourceLimit(owner, ResourceType.vpc);
-
         // Validate zone
         final DataCenter zone = _dcDao.findById(zoneId);
         if (zone == null) {
@@ -1669,26 +1668,29 @@ public Vpc createVpc(final long zoneId, final long vpcOffId, final long vpcOwner
         vpc.setPublicMtu(publicMtu);
         vpc.setDisplay(Boolean.TRUE.equals(displayVpc));
         vpc.setUseRouterIpResolver(Boolean.TRUE.equals(useVrIpResolver));
-
-        if (vpc.getCidr() == null && cidrSize != null) {
-            // Allocate a CIDR for VPC
-            Ipv4GuestSubnetNetworkMap subnet = routedIpv4Manager.getOrCreateIpv4SubnetForVpc(vpc, cidrSize);
-            if (subnet != null) {
-                vpc.setCidr(subnet.getSubnet());
-            } else {
-                throw new CloudRuntimeException("Failed to allocate a CIDR with requested size for VPC.");
+        vpc.setKeepMacAddressOnPublicNic(keepMacAddressOnPublicNic);
+
+        try (CheckedReservation vpcReservation = new CheckedReservation(owner, ResourceType.vpc, null, null, 1L, reservationDao, _resourceLimitMgr)) {
+            if (vpc.getCidr() == null && cidrSize != null) {
+                // Allocate a CIDR for VPC
+                Ipv4GuestSubnetNetworkMap subnet = routedIpv4Manager.getOrCreateIpv4SubnetForVpc(vpc, cidrSize);
+                if (subnet != null) {
+                    vpc.setCidr(subnet.getSubnet());
+                } else {
+                    throw new CloudRuntimeException("Failed to allocate a CIDR with requested size for VPC.");
+                }
             }
-        }
 
-        Vpc newVpc = createVpc(displayVpc, vpc);
-        // assign Ipv4 subnet to Routed VPC
-        if (routedIpv4Manager.isRoutedVpc(vpc)) {
-            routedIpv4Manager.assignIpv4SubnetToVpc(newVpc);
-        }
-        if (CollectionUtils.isNotEmpty(bgpPeerIds)) {
-            routedIpv4Manager.persistBgpPeersForVpc(newVpc.getId(), bgpPeerIds);
+            Vpc newVpc = createVpc(displayVpc, vpc);
+            // assign Ipv4 subnet to Routed VPC
+            if (routedIpv4Manager.isRoutedVpc(vpc)) {
+                routedIpv4Manager.assignIpv4SubnetToVpc(newVpc);
+            }
+            if (CollectionUtils.isNotEmpty(bgpPeerIds)) {
+                routedIpv4Manager.persistBgpPeersForVpc(newVpc.getId(), bgpPeerIds);
+            }
+            return newVpc;
         }
-        return newVpc;
     }
 
     private void validateVpcCidrSize(Account caller, long accountId, VpcOffering vpcOffering, String cidr, Integer cidrSize, long zoneId) {
@@ -1727,7 +1729,8 @@ public Vpc createVpc(CreateVPCCmd cmd) throws ResourceAllocationException {
         List<Long> bgpPeerIds = (cmd instanceof CreateVPCCmdByAdmin) ? ((CreateVPCCmdByAdmin)cmd).getBgpPeerIds() : null;
         Vpc vpc = createVpc(cmd.getZoneId(), cmd.getVpcOffering(), cmd.getEntityOwnerId(), cmd.getVpcName(), cmd.getDisplayText(),
             cmd.getCidr(), cmd.getNetworkDomain(), cmd.getIp4Dns1(), cmd.getIp4Dns2(), cmd.getIp6Dns1(),
-            cmd.getIp6Dns2(), cmd.isDisplay(), cmd.getPublicMtu(), cmd.getCidrSize(), cmd.getAsNumber(), bgpPeerIds, cmd.getUseVrIpResolver());
+            cmd.getIp6Dns2(), cmd.isDisplay(), cmd.getPublicMtu(), cmd.getCidrSize(), cmd.getAsNumber(), bgpPeerIds,
+            cmd.getUseVrIpResolver(), cmd.getKeepMacAddressOnPublicNic());
 
         String sourceNatIP = cmd.getSourceNatIP();
         boolean forNsx = isVpcForProvider(Provider.Nsx, vpc);
@@ -1939,12 +1942,14 @@ public void doInTransactionWithoutResult(final TransactionStatus status) {
 
     @Override
     public Vpc updateVpc(UpdateVPCCmd cmd) throws ResourceUnavailableException, InsufficientCapacityException {
-        return updateVpc(cmd.getId(), cmd.getVpcName(), cmd.getDisplayText(), cmd.getCustomId(), cmd.isDisplayVpc(), cmd.getPublicMtu(), cmd.getSourceNatIP());
+        return updateVpc(cmd.getId(), cmd.getVpcName(), cmd.getDisplayText(), cmd.getCustomId(),
+                cmd.isDisplayVpc(), cmd.getPublicMtu(), cmd.getSourceNatIP(), cmd.getKeepMacAddressOnPublicNic());
     }
 
     @Override
     @ActionEvent(eventType = EventTypes.EVENT_VPC_UPDATE, eventDescription = "updating vpc")
-    public Vpc updateVpc(final long vpcId, final String vpcName, final String displayText, final String customId, final Boolean displayVpc, Integer mtu, String sourceNatIp) throws ResourceUnavailableException, InsufficientCapacityException {
+    public Vpc updateVpc(final long vpcId, final String vpcName, final String displayText, final String customId,
+                         final Boolean displayVpc, Integer mtu, String sourceNatIp, Boolean keepMacAddressOnPublicNic) throws ResourceUnavailableException, InsufficientCapacityException {
         final Account caller = CallContext.current().getCallingAccount();
 
         // Verify input parameters
@@ -1976,6 +1981,10 @@ public Vpc updateVpc(final long vpcId, final String vpcName, final String displa
             vpc.setDisplay(displayVpc);
         }
 
+        if (keepMacAddressOnPublicNic != null) {
+            vpc.setKeepMacAddressOnPublicNic(keepMacAddressOnPublicNic);
+        }
+
         mtu = validateMtu(vpcToUpdate, mtu);
         if (mtu != null) {
             updateMtuOfVpcNetwork(vpcToUpdate, vpc, mtu);
diff --git a/server/src/main/java/com/cloud/projects/ProjectManagerImpl.java b/server/src/main/java/com/cloud/projects/ProjectManagerImpl.java
index 95fdfa0fde89..92af441d06b9 100644
--- a/server/src/main/java/com/cloud/projects/ProjectManagerImpl.java
+++ b/server/src/main/java/com/cloud/projects/ProjectManagerImpl.java
@@ -36,6 +36,7 @@
 import javax.mail.MessagingException;
 import javax.naming.ConfigurationException;
 
+import com.cloud.resourcelimit.CheckedReservation;
 import org.apache.cloudstack.acl.ControlledEntity;
 import org.apache.cloudstack.acl.ProjectRole;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
@@ -47,6 +48,7 @@
 import org.apache.cloudstack.framework.messagebus.MessageBus;
 import org.apache.cloudstack.framework.messagebus.PublishScope;
 import org.apache.cloudstack.managed.context.ManagedContextRunnable;
+import org.apache.cloudstack.reservation.dao.ReservationDao;
 import org.apache.cloudstack.utils.mailing.MailAddress;
 import org.apache.cloudstack.utils.mailing.SMTPMailProperties;
 import org.apache.cloudstack.utils.mailing.SMTPMailSender;
@@ -159,6 +161,8 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager, C
     private VpcManager _vpcMgr;
     @Inject
     MessageBus messageBus;
+    @Inject
+    private ReservationDao reservationDao;
 
     protected boolean _invitationRequired = false;
     protected long _invitationTimeOut = 86400000;
@@ -272,42 +276,41 @@ public Project createProject(final String name, final String displayText, String
             owner = _accountDao.findById(user.getAccountId());
         }
 
-        //do resource limit check
-        _resourceLimitMgr.checkResourceLimit(owner, ResourceType.project);
-
-        final Account ownerFinal = owner;
-        User finalUser = user;
-        Project project =  Transaction.execute(new TransactionCallback<Project>() {
-            @Override
-            public Project doInTransaction(TransactionStatus status) {
+        try (CheckedReservation projectReservation = new CheckedReservation(owner, ResourceType.project, null, null, 1L, reservationDao, _resourceLimitMgr)) {
+            final Account ownerFinal = owner;
+            User finalUser = user;
+            Project project =  Transaction.execute(new TransactionCallback<Project>() {
+                @Override
+                public Project doInTransaction(TransactionStatus status) {
 
-                //Create an account associated with the project
-                StringBuilder acctNm = new StringBuilder("PrjAcct-");
-                acctNm.append(name).append("-").append(ownerFinal.getDomainId());
+                    //Create an account associated with the project
+                    StringBuilder acctNm = new StringBuilder("PrjAcct-");
+                    acctNm.append(name).append("-").append(ownerFinal.getDomainId());
 
-                Account projectAccount = _accountMgr.createAccount(acctNm.toString(), Account.Type.PROJECT, null, domainId, null, null, UUID.randomUUID().toString());
+                    Account projectAccount = _accountMgr.createAccount(acctNm.toString(), Account.Type.PROJECT, null, domainId, null, null, UUID.randomUUID().toString());
 
-                Project project = _projectDao.persist(new ProjectVO(name, displayText, ownerFinal.getDomainId(), projectAccount.getId()));
+                    Project project = _projectDao.persist(new ProjectVO(name, displayText, ownerFinal.getDomainId(), projectAccount.getId()));
 
-                //assign owner to the project
-                assignAccountToProject(project, ownerFinal.getId(), ProjectAccount.Role.Admin,
-                        Optional.ofNullable(finalUser).map(User::getId).orElse(null),  null);
+                    //assign owner to the project
+                    assignAccountToProject(project, ownerFinal.getId(), ProjectAccount.Role.Admin,
+                            Optional.ofNullable(finalUser).map(User::getId).orElse(null),  null);
 
                 if (project != null) {
                     CallContext.current().setEventDetails("Project ID: " + project.getUuid());
                     CallContext.current().putContextParameter(Project.class, project.getUuid());
                 }
 
-                //Increment resource count
-                _resourceLimitMgr.incrementResourceCount(ownerFinal.getId(), ResourceType.project);
+                    //Increment resource count
+                    _resourceLimitMgr.incrementResourceCount(ownerFinal.getId(), ResourceType.project);
 
-                return project;
-            }
-        });
+                    return project;
+                }
+            });
 
-        messageBus.publish(_name, ProjectManager.MESSAGE_CREATE_TUNGSTEN_PROJECT_EVENT, PublishScope.LOCAL, project);
+            messageBus.publish(_name, ProjectManager.MESSAGE_CREATE_TUNGSTEN_PROJECT_EVENT, PublishScope.LOCAL, project);
 
-        return project;
+            return project;
+        }
     }
 
     @Override
@@ -491,6 +494,9 @@ public Boolean doInTransaction(TransactionStatus status) {
         //remove account
         ProjectAccountVO projectAccount = _projectAccountDao.findByProjectIdAccountId(projectId, account.getId());
         success = _projectAccountDao.remove(projectAccount.getId());
+        if (projectAccount.getAccountRole() == Role.Admin) {
+            _resourceLimitMgr.decrementResourceCount(account.getId(), ResourceType.project);
+        }
 
         //remove all invitations for account
         if (success) {
@@ -537,7 +543,7 @@ public ProjectVO findByProjectAccountIdIncludingRemoved(long projectAccountId) {
 
     @Override
     @ActionEvent(eventType = EventTypes.EVENT_PROJECT_USER_ADD, eventDescription = "adding user to project", async = true)
-    public boolean addUserToProject(Long projectId, String username, String email, Long projectRoleId, Role projectRole) {
+    public boolean addUserToProject(Long projectId, String username, String email, Long projectRoleId, Role projectRole) throws ResourceAllocationException {
         Account caller = CallContext.current().getCallingAccount();
 
         Project project = getProject(projectId);
@@ -594,12 +600,20 @@ public boolean addUserToProject(Long projectId, String username, String email, L
             if (username == null) {
                 throw new InvalidParameterValueException("User information (ID) is required to add user to the project");
             }
-            if (assignUserToProject(project, user.getId(), user.getAccountId(), projectRole,
-                    Optional.ofNullable(role).map(ProjectRole::getId).orElse(null)) != null) {
-                return true;
+
+            boolean shouldIncrementResourceCount = projectRole != null && Role.Admin == projectRole;
+            try (CheckedReservation cr = new CheckedReservation(userAccount, ResourceType.project, shouldIncrementResourceCount ? 1L : 0L, reservationDao, _resourceLimitMgr)) {
+                if (assignUserToProject(project, user.getId(), user.getAccountId(), projectRole,
+                        Optional.ofNullable(role).map(ProjectRole::getId).orElse(null)) != null) {
+                    if (shouldIncrementResourceCount) {
+                        _resourceLimitMgr.incrementResourceCount(userAccount.getId(), ResourceType.project);
+                    }
+                    return true;
+                } else {
+                    logger.warn("Failed to add user to project: {}", project);
+                    return false;
+                }
             }
-            logger.warn("Failed to add user to project: {}", project);
-            return false;
         }
     }
 
@@ -652,13 +666,17 @@ public boolean canModifyProjectAccount(Account caller, long accountId) {
     }
 
     private void updateProjectAccount(ProjectAccountVO futureOwner, Role newAccRole, Long accountId) throws ResourceAllocationException {
-        _resourceLimitMgr.checkResourceLimit(_accountMgr.getAccount(accountId), ResourceType.project);
-        futureOwner.setAccountRole(newAccRole);
-        _projectAccountDao.update(futureOwner.getId(), futureOwner);
-        if (newAccRole != null && Role.Admin == newAccRole) {
-            _resourceLimitMgr.incrementResourceCount(accountId, ResourceType.project);
-        } else {
-            _resourceLimitMgr.decrementResourceCount(accountId, ResourceType.project);
+        Account account = _accountMgr.getAccount(accountId);
+        boolean shouldIncrementResourceCount = Role.Admin == newAccRole;
+
+        try (CheckedReservation checkedReservation = new CheckedReservation(account, ResourceType.project, shouldIncrementResourceCount ? 1L : 0L, reservationDao, _resourceLimitMgr)) {
+            futureOwner.setAccountRole(newAccRole);
+            _projectAccountDao.update(futureOwner.getId(), futureOwner);
+            if (shouldIncrementResourceCount) {
+                _resourceLimitMgr.incrementResourceCount(accountId, ResourceType.project);
+            } else {
+                _resourceLimitMgr.decrementResourceCount(accountId, ResourceType.project);
+            }
         }
     }
 
@@ -701,20 +719,18 @@ public void doInTransactionWithoutResult(TransactionStatus status) throws Resour
                                     " doesn't belong to the project. Add it to the project first and then change the project's ownership");
                         }
 
-                        //do resource limit check
-                        _resourceLimitMgr.checkResourceLimit(_accountMgr.getAccount(futureOwnerAccount.getId()), ResourceType.project);
-
-                        //unset the role for the old owner
-                        ProjectAccountVO currentOwner = _projectAccountDao.findByProjectIdAccountId(projectId, currentOwnerAccount.getId());
-                        currentOwner.setAccountRole(Role.Regular);
-                        _projectAccountDao.update(currentOwner.getId(), currentOwner);
-                        _resourceLimitMgr.decrementResourceCount(currentOwnerAccount.getId(), ResourceType.project);
-
-                        //set new owner
-                        futureOwner.setAccountRole(Role.Admin);
-                        _projectAccountDao.update(futureOwner.getId(), futureOwner);
-                        _resourceLimitMgr.incrementResourceCount(futureOwnerAccount.getId(), ResourceType.project);
-
+                        try (CheckedReservation checkedReservation = new CheckedReservation(futureOwnerAccount, ResourceType.project, null, null, 1L, reservationDao, _resourceLimitMgr)) {
+                            //unset the role for the old owner
+                            ProjectAccountVO currentOwner = _projectAccountDao.findByProjectIdAccountId(projectId, currentOwnerAccount.getId());
+                            currentOwner.setAccountRole(Role.Regular);
+                            _projectAccountDao.update(currentOwner.getId(), currentOwner);
+                            _resourceLimitMgr.decrementResourceCount(currentOwnerAccount.getId(), ResourceType.project);
+
+                            //set new owner
+                            futureOwner.setAccountRole(Role.Admin);
+                            _projectAccountDao.update(futureOwner.getId(), futureOwner);
+                            _resourceLimitMgr.incrementResourceCount(futureOwnerAccount.getId(), ResourceType.project);
+                        }
                     } else {
                         logger.trace("Future owner {}is already the owner of the project {}", newOwnerName, project);
                     }
@@ -792,7 +808,7 @@ public void doInTransactionWithoutResult(TransactionStatus status) throws Resour
 
     @Override
     @ActionEvent(eventType = EventTypes.EVENT_PROJECT_ACCOUNT_ADD, eventDescription = "adding account to project", async = true)
-    public boolean addAccountToProject(long projectId, String accountName, String email, Long projectRoleId, Role projectRoleType) {
+    public boolean addAccountToProject(long projectId, String accountName, String email, Long projectRoleId, Role projectRoleType) throws ResourceAllocationException {
         Account caller = CallContext.current().getCallingAccount();
 
         //check that the project exists
@@ -857,12 +873,19 @@ public boolean addAccountToProject(long projectId, String accountName, String em
             if (account == null) {
                 throw new InvalidParameterValueException("Account information is required for assigning account to the project");
             }
-            if (assignAccountToProject(project, account.getId(), projectRoleType, null,
-                    Optional.ofNullable(projectRole).map(ProjectRole::getId).orElse(null)) != null) {
-                return true;
-            } else {
-                logger.warn("Failed to add account {} to project {}", accountName, project);
-                return false;
+
+            boolean shouldIncrementResourceCount = projectRoleType != null && Role.Admin == projectRoleType;
+            try (CheckedReservation cr = new CheckedReservation(account, ResourceType.project, shouldIncrementResourceCount ? 1L : 0L, reservationDao, _resourceLimitMgr)) {
+                if (assignAccountToProject(project, account.getId(), projectRoleType, null,
+                        Optional.ofNullable(projectRole).map(ProjectRole::getId).orElse(null)) != null) {
+                    if (shouldIncrementResourceCount) {
+                        _resourceLimitMgr.incrementResourceCount(account.getId(), ResourceType.project);
+                    }
+                    return true;
+                } else {
+                    logger.warn("Failed to add account {} to project {}", accountName, project);
+                    return false;
+                }
             }
         }
     }
@@ -1042,7 +1065,9 @@ public Boolean doInTransaction(TransactionStatus status) {
                 boolean success = true;
                 ProjectAccountVO projectAccount = _projectAccountDao.findByProjectIdUserId(projectId, user.getAccountId(), user.getId());
                 success = _projectAccountDao.remove(projectAccount.getId());
-
+                if (projectAccount.getAccountRole() == Role.Admin) {
+                    _resourceLimitMgr.decrementResourceCount(user.getAccountId(), ResourceType.project);
+                }
                 if (success) {
                     logger.debug("Removed user {} from project. Removing any invite sent to the user", user);
                     ProjectInvitation invite = _projectInvitationDao.findByUserIdProjectId(user.getId(), user.getAccountId(),  projectId);
diff --git a/server/src/main/java/com/cloud/resource/ResourceManagerImpl.java b/server/src/main/java/com/cloud/resource/ResourceManagerImpl.java
index 621b110486b9..0f6933664f93 100755
--- a/server/src/main/java/com/cloud/resource/ResourceManagerImpl.java
+++ b/server/src/main/java/com/cloud/resource/ResourceManagerImpl.java
@@ -78,6 +78,7 @@
 import org.apache.cloudstack.framework.extensions.vo.ExtensionResourceMapVO;
 import org.apache.cloudstack.framework.extensions.vo.ExtensionVO;
 import org.apache.cloudstack.gpu.GpuService;
+import org.apache.cloudstack.jsinterpreter.JsInterpreterHelper;
 import org.apache.cloudstack.storage.datastore.db.PrimaryDataStoreDao;
 import org.apache.cloudstack.storage.datastore.db.StoragePoolVO;
 import org.apache.cloudstack.utils.identity.ManagementServerNode;
@@ -310,6 +311,8 @@ public class ResourceManagerImpl extends ManagerBase implements ResourceManager,
     private GpuService gpuService;
     @Inject
     ManagementService managementService;
+    @Inject
+    JsInterpreterHelper jsInterpreterHelper;
 
     private List<? extends Discoverer> _discoverers;
 
@@ -1169,7 +1172,7 @@ protected boolean canDeleteHost(HostVO host) {
     @Override
     public boolean deleteHost(final long hostId, final boolean isForced, final boolean isForceDeleteStorage) {
         try {
-            final Boolean result = propagateResourceEvent(hostId, ResourceState.Event.DeleteHost);
+            final Boolean result = propagateResourceEvent(hostId, ResourceState.Event.DeleteHost, isForced, isForceDeleteStorage);
             if (result != null) {
                 return result;
             }
@@ -2818,9 +2821,6 @@ private void updateHostTags(HostVO host, Long hostId, List<String> hostTags, Boo
 
     @Override
     public Host updateHost(final UpdateHostCmd cmd) throws NoTransitionException {
-        managementService.checkJsInterpretationAllowedIfNeededForParameterValue(ApiConstants.IS_TAG_A_RULE,
-                Boolean.TRUE.equals(cmd.getIsTagARule()));
-
         return updateHost(cmd.getId(), cmd.getName(), cmd.getOsCategoryId(),
                 cmd.getAllocationState(), cmd.getUrl(), cmd.getHostTags(), cmd.getIsTagARule(), cmd.getAnnotation(), false,
                 cmd.getExternalDetails(), cmd.isCleanupExternalDetails());
@@ -2830,6 +2830,8 @@ private Host updateHost(Long hostId, String name, Long guestOSCategoryId, String
             String url, List<String> hostTags, Boolean isTagARule, String annotation,
             boolean isUpdateFromHostHealthCheck, Map<String, String> externalDetails,
             boolean cleanupExternalDetails) throws NoTransitionException {
+        jsInterpreterHelper.ensureInterpreterEnabledIfParameterProvided(ApiConstants.IS_TAG_A_RULE, Boolean.TRUE.equals(isTagARule));
+
         // Verify that the host exists
         final HostVO host = _hostDao.findById(hostId);
         if (host == null) {
@@ -3902,13 +3904,18 @@ public boolean cancelMaintenance(final long hostId) {
     }
 
     @Override
-    public boolean executeUserRequest(final long hostId, final ResourceState.Event event) {
+    public boolean executeUserRequest(final long hostId, final ResourceState.Event event) throws AgentUnavailableException {
+        return executeUserRequest(hostId, event, false, false);
+    }
+
+    @Override
+    public boolean executeUserRequest(final long hostId, final ResourceState.Event event, final boolean isForced, final boolean isForceDeleteStorage) throws AgentUnavailableException {
         if (event == ResourceState.Event.AdminAskMaintenance) {
             return doMaintain(hostId);
         } else if (event == ResourceState.Event.AdminCancelMaintenance) {
             return doCancelMaintenance(hostId);
         } else if (event == ResourceState.Event.DeleteHost) {
-            return doDeleteHost(hostId, false, false);
+            return doDeleteHost(hostId, isForced, isForceDeleteStorage);
         } else if (event == ResourceState.Event.Unmanaged) {
             return doUmanageHost(hostId);
         } else if (event == ResourceState.Event.UpdatePassword) {
@@ -4028,6 +4035,10 @@ public String getPeerName(final long agentHostId) {
     }
 
     public Boolean propagateResourceEvent(final long agentId, final ResourceState.Event event) throws AgentUnavailableException {
+        return propagateResourceEvent(agentId, event, false, false);
+    }
+
+    public Boolean propagateResourceEvent(final long agentId, final ResourceState.Event event, final boolean isForced, final boolean isForceDeleteStorage) throws AgentUnavailableException {
         final String msPeer = getPeerName(agentId);
         if (msPeer == null) {
             return null;
@@ -4035,7 +4046,7 @@ public Boolean propagateResourceEvent(final long agentId, final ResourceState.Ev
 
         logger.debug("Propagating resource request event:" + event.toString() + " to agent:" + agentId);
         final Command[] cmds = new Command[1];
-        cmds[0] = new PropagateResourceEventCommand(agentId, event);
+        cmds[0] = new PropagateResourceEventCommand(agentId, event, isForced, isForceDeleteStorage);
 
         final String AnsStr = _clusterMgr.execute(msPeer, agentId, _gson.toJson(cmds), true);
         if (AnsStr == null) {
@@ -4048,6 +4059,13 @@ public Boolean propagateResourceEvent(final long agentId, final ResourceState.Ev
             logger.debug("Result for agent change is " + answers[0].getResult());
         }
 
+        if (!answers[0].getResult()) {
+            final String details = answers[0].getDetails();
+            if (details != null && !details.isEmpty()) {
+                throw new CloudRuntimeException(String.format("Failed to propagate resource event %s for host %d on peer %s: %s", event, agentId, msPeer, details));
+            }
+        }
+
         return answers[0].getResult();
     }
 
diff --git a/server/src/main/java/com/cloud/resourcelimit/CheckedReservation.java b/server/src/main/java/com/cloud/resourcelimit/CheckedReservation.java
index d66e1eb912ad..cab77ccf16ac 100644
--- a/server/src/main/java/com/cloud/resourcelimit/CheckedReservation.java
+++ b/server/src/main/java/com/cloud/resourcelimit/CheckedReservation.java
@@ -20,13 +20,17 @@
 
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Objects;
 import java.util.stream.Collectors;
 
+import com.cloud.api.ApiDBUtils;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.reservation.ReservationVO;
 import org.apache.cloudstack.reservation.dao.ReservationDao;
+import org.apache.cloudstack.resourcelimit.Reserver;
 import org.apache.cloudstack.user.ResourceReservation;
 import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.lang3.ObjectUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
@@ -40,7 +44,7 @@
 import com.cloud.utils.exception.CloudRuntimeException;
 
 
-public class CheckedReservation  implements AutoCloseable {
+public class CheckedReservation implements Reserver {
     protected Logger logger = LogManager.getLogger(getClass());
 
     private static final int TRY_TO_GET_LOCK_TIME = 120;
@@ -48,11 +52,15 @@ public class CheckedReservation  implements AutoCloseable {
     ReservationDao reservationDao;
 
     ResourceLimitService resourceLimitService;
-    private final Account account;
-    private final ResourceType resourceType;
-    private Long amount;
+    private Account account;
+    private Long domainId;
+    private ResourceType resourceType;
+    private Long resourceId;
+    private Long reservationAmount;
+    private List<String> reservationTags;
+    private Long existingAmount;
+    private List<String> existingLimitTags;
     private List<ResourceReservation> reservations;
-    private List<String> resourceLimitTags;
 
     private String getContextParameterKey() {
         return getResourceReservationContextParameterKey(resourceType);
@@ -73,12 +81,12 @@ private void removeAllReservations() {
         this.reservations = null;
     }
 
-    protected void checkLimitAndPersistReservations(Account account, ResourceType resourceType, Long resourceId, List<String> resourceLimitTags, Long amount) throws ResourceAllocationException {
+    protected void checkLimitAndPersistReservations(Account account, Long domainId, ResourceType resourceType, Long resourceId, List<String> resourceLimitTags, Long amount) throws ResourceAllocationException {
         try {
-            checkLimitAndPersistReservation(account, resourceType, resourceId, null, amount);
+            checkLimitAndPersistReservation(account, domainId, resourceType, resourceId, null, amount);
             if (CollectionUtils.isNotEmpty(resourceLimitTags)) {
                 for (String tag : resourceLimitTags) {
-                    checkLimitAndPersistReservation(account, resourceType, resourceId, tag, amount);
+                    checkLimitAndPersistReservation(account, domainId, resourceType, resourceId, tag, amount);
                 }
             }
         } catch (ResourceAllocationException rae) {
@@ -87,11 +95,11 @@ protected void checkLimitAndPersistReservations(Account account, ResourceType re
         }
     }
 
-    protected void checkLimitAndPersistReservation(Account account, ResourceType resourceType, Long resourceId, String tag, Long amount) throws ResourceAllocationException {
+    protected void checkLimitAndPersistReservation(Account account, Long domainId, ResourceType resourceType, Long resourceId, String tag, Long amount) throws ResourceAllocationException {
         if (amount > 0) {
-            resourceLimitService.checkResourceLimitWithTag(account, resourceType, tag, amount);
+            resourceLimitService.checkResourceLimitWithTag(account, domainId, true, resourceType, tag, amount);
         }
-        ReservationVO reservationVO = new ReservationVO(account.getAccountId(), account.getDomainId(), resourceType, tag, amount);
+        ReservationVO reservationVO = new ReservationVO(account.getAccountId(), domainId, resourceType, tag, amount);
         if (resourceId != null) {
             reservationVO.setResourceId(resourceId);
         }
@@ -99,9 +107,25 @@ protected void checkLimitAndPersistReservation(Account account, ResourceType res
         this.reservations.add(reservation);
     }
 
-    public CheckedReservation(Account account, ResourceType resourceType, List<String> resourceLimitTags, Long amount,
-            ReservationDao reservationDao, ResourceLimitService resourceLimitService) throws ResourceAllocationException {
-        this(account, resourceType, null, resourceLimitTags, amount, reservationDao, resourceLimitService);
+    // TODO: refactor these into a Builder to avoid having so many constructors
+    public CheckedReservation(Account account, ResourceType resourceType, List<String> resourceLimitTags, Long reservationAmount,
+                              ReservationDao reservationDao, ResourceLimitService resourceLimitService) throws ResourceAllocationException {
+        this(account, resourceType, null, resourceLimitTags, null, reservationAmount, null, reservationDao, resourceLimitService);
+    }
+
+    public CheckedReservation(Account account, ResourceType resourceType, Long resourceId, List<String> reservedTags,
+                              List<String> existingTags, Long reservationAmount, Long existingAmount, ReservationDao reservationDao,
+                              ResourceLimitService resourceLimitService) throws ResourceAllocationException {
+        this(account, null, resourceType, resourceId, reservedTags, existingTags, reservationAmount, existingAmount, reservationDao, resourceLimitService);
+    }
+
+    public CheckedReservation(Account account, Long domainId, ResourceType resourceType, Long resourceId, List<String> reservedTags,
+                              Long reservationAmount, ReservationDao reservationDao, ResourceLimitService resourceLimitService) throws ResourceAllocationException {
+        this(account, domainId, resourceType, resourceId, reservedTags, null, reservationAmount, null, reservationDao, resourceLimitService);
+    }
+
+    public CheckedReservation(Account account, ResourceType resourceType, Long resourceId, List<String> reservedTags, Long reservationAmount, ReservationDao reservationDao, ResourceLimitService resourceLimitService) throws ResourceAllocationException {
+        this(account, null, resourceType, resourceId, reservedTags, null, reservationAmount, null, reservationDao, resourceLimitService);
     }
 
     /**
@@ -109,25 +133,48 @@ public CheckedReservation(Account account, ResourceType resourceType, List<Strin
      * - create DB entry for reservation
      * - hold the id of this record as a ticket for implementation
      *
-     * @param amount positive number of the resource type to reserve
+     * @param reservationAmount positive number of the resource type to reserve
      * @throws ResourceAllocationException
      */
-    public CheckedReservation(Account account, ResourceType resourceType, Long resourceId, List<String> resourceLimitTags, Long amount,
-                              ReservationDao reservationDao, ResourceLimitService resourceLimitService) throws ResourceAllocationException {
+    public CheckedReservation(Account account, Long domainId, ResourceType resourceType, Long resourceId, List<String> reservedTags,
+                              List<String> existingTags, Long reservationAmount, Long existingAmount, ReservationDao reservationDao,
+                              ResourceLimitService resourceLimitService) throws ResourceAllocationException {
+
+        if (ObjectUtils.allNull(account, domainId)) {
+            logger.debug("Not reserving any {} resources, as no account/domain was provided.", resourceType);
+            return;
+        }
+
         this.reservationDao = reservationDao;
         this.resourceLimitService = resourceLimitService;
+
+        // When allocating to a domain instead of a specific account, consider the system account as the owner for the validations here.
+        if (account == null) {
+            account = ApiDBUtils.getSystemAccount();
+        }
         this.account = account;
+
+        if (domainId == null) {
+            domainId = account.getDomainId();
+        }
+        this.domainId = domainId;
+
         this.resourceType = resourceType;
-        this.amount = amount;
+        this.reservationAmount = reservationAmount;
+        this.existingAmount = existingAmount;
         this.reservations = new ArrayList<>();
-        this.resourceLimitTags = resourceLimitTags;
 
-        if (this.amount != null && this.amount != 0) {
-            if (amount > 0) {
+        this.reservationTags = getTagsWithoutNull(reservedTags);
+        this.existingLimitTags = getTagsWithoutNull(existingTags);
+
+        // TODO: refactor me
+        if (this.reservationAmount != null && this.reservationAmount != 0) {
+            if (reservationAmount > 0) {
                 setGlobalLock();
                 if (quotaLimitLock.lock(TRY_TO_GET_LOCK_TIME)) {
                     try {
-                        checkLimitAndPersistReservations(account, resourceType, resourceId, resourceLimitTags, amount);
+                        adjustCountToNotConsiderExistingAmount();
+                        checkLimitAndPersistReservations(account, this.domainId, resourceType, resourceId, reservationTags, reservationAmount);
                         CallContext.current().putContextParameter(getContextParameterKey(), getIds());
                     } catch (NullPointerException npe) {
                         throw new CloudRuntimeException("not enough means to check limits", npe);
@@ -138,12 +185,26 @@ public CheckedReservation(Account account, ResourceType resourceType, Long resou
                     throw new ResourceAllocationException(String.format("unable to acquire resource reservation \"%s\"", quotaLimitLock.getName()), resourceType);
                 }
             } else {
-                checkLimitAndPersistReservations(account, resourceType, resourceId, resourceLimitTags, amount);
+                checkLimitAndPersistReservations(account, this.domainId, resourceType, resourceId, reservationTags, reservationAmount);
             }
         } else {
             logger.debug("not reserving any amount of resources for {} in domain {}, type: {}, tag: {}",
-                    account.getAccountName(), account.getDomainId(), resourceType, getResourceLimitTagsAsString());
+                    account.getAccountName(), this.domainId, resourceType, getResourceLimitTagsAsString());
+        }
+    }
+
+    protected List<String> getTagsWithoutNull(List<String> tags) {
+        if (tags == null) {
+            return null;
+        }
+        return tags.stream().filter(Objects::nonNull).collect(Collectors.toList());
+    }
+
+    protected void adjustCountToNotConsiderExistingAmount() throws ResourceAllocationException {
+        if (existingAmount == null || existingAmount == 0) {
+            return;
         }
+        checkLimitAndPersistReservations(account, domainId, resourceType, resourceId, existingLimitTags, -1 * existingAmount);
     }
 
     public CheckedReservation(Account account, ResourceType resourceType, Long amount, ReservationDao reservationDao,
@@ -153,7 +214,7 @@ public CheckedReservation(Account account, ResourceType resourceType, Long amoun
 
     @NotNull
     private void setGlobalLock() {
-        String lockName = String.format("CheckedReservation-%s/%d", account.getDomainId(), resourceType.getOrdinal());
+        String lockName = String.format("CheckedReservation-%s/%d", this.domainId, resourceType.getOrdinal());
         setQuotaLimitLock(GlobalLock.getInternLock(lockName));
     }
 
@@ -162,7 +223,7 @@ protected void setQuotaLimitLock(GlobalLock quotaLimitLock) {
     }
 
     @Override
-    public void close() throws Exception {
+    public void close() {
         removeAllReservations();
     }
 
@@ -171,11 +232,11 @@ public Account getAccount() {
     }
 
     public String getResourceLimitTagsAsString() {
-        return CollectionUtils.isNotEmpty(resourceLimitTags) ? StringUtils.join(resourceLimitTags) : null;
+        return CollectionUtils.isNotEmpty(reservationTags) ? StringUtils.join(reservationTags) : null;
     }
 
     public Long getReservedAmount() {
-        return amount;
+        return reservationAmount;
     }
 
     public List<ResourceReservation> getReservations() {
diff --git a/server/src/main/java/com/cloud/resourcelimit/ReservationHelper.java b/server/src/main/java/com/cloud/resourcelimit/ReservationHelper.java
new file mode 100644
index 000000000000..cffa17176faa
--- /dev/null
+++ b/server/src/main/java/com/cloud/resourcelimit/ReservationHelper.java
@@ -0,0 +1,35 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+
+package com.cloud.resourcelimit;
+
+import com.cloud.utils.exception.CloudRuntimeException;
+import org.apache.cloudstack.resourcelimit.Reserver;
+
+import java.util.List;
+
+public class ReservationHelper {
+
+    public static void closeAll(List<Reserver> reservations) throws CloudRuntimeException {
+        for (Reserver reservation : reservations) {
+            reservation.close();
+        }
+    }
+
+}
diff --git a/server/src/main/java/com/cloud/resourcelimit/ResourceLimitManagerImpl.java b/server/src/main/java/com/cloud/resourcelimit/ResourceLimitManagerImpl.java
index 0da403c35f2f..27facb304eba 100644
--- a/server/src/main/java/com/cloud/resourcelimit/ResourceLimitManagerImpl.java
+++ b/server/src/main/java/com/cloud/resourcelimit/ResourceLimitManagerImpl.java
@@ -54,6 +54,7 @@
 import org.apache.cloudstack.managed.context.ManagedContextRunnable;
 import org.apache.cloudstack.reservation.ReservationVO;
 import org.apache.cloudstack.reservation.dao.ReservationDao;
+import org.apache.cloudstack.resourcelimit.Reserver;
 import org.apache.cloudstack.storage.datastore.db.SnapshotDataStoreDao;
 import org.apache.cloudstack.storage.datastore.db.SnapshotDataStoreVO;
 import org.apache.cloudstack.storage.datastore.db.TemplateDataStoreDao;
@@ -92,6 +93,7 @@
 import com.cloud.network.dao.IPAddressDao;
 import com.cloud.network.dao.IPAddressVO;
 import com.cloud.network.dao.NetworkDao;
+import com.cloud.network.dao.NetworkDomainDao;
 import com.cloud.network.vpc.dao.VpcDao;
 import com.cloud.offering.DiskOffering;
 import com.cloud.offering.ServiceOffering;
@@ -175,6 +177,8 @@ public class ResourceLimitManagerImpl extends ManagerBase implements ResourceLim
     @Inject
     private ReservationDao reservationDao;
     @Inject
+    private ResourceLimitService resourceLimitService;
+    @Inject
     protected SnapshotDao _snapshotDao;
     @Inject
     protected BackupDao backupDao;
@@ -204,6 +208,8 @@ public class ResourceLimitManagerImpl extends ManagerBase implements ResourceLim
     DiskOfferingDao diskOfferingDao;
     @Inject
     BucketDao bucketDao;
+    @Inject
+    private NetworkDomainDao networkDomainDao;
 
     protected GenericSearchBuilder<TemplateDataStoreVO, SumCount> templateSizeSearch;
     protected GenericSearchBuilder<SnapshotDataStoreVO, SumCount> snapshotSizeSearch;
@@ -267,7 +273,7 @@ public boolean configure(final String name, final Map<String, Object> params) th
 
         templateSizeSearch = _vmTemplateStoreDao.createSearchBuilder(SumCount.class);
         templateSizeSearch.select("sum", Func.SUM, templateSizeSearch.entity().getSize());
-        templateSizeSearch.and("downloadState", templateSizeSearch.entity().getDownloadState(), Op.EQ);
+        templateSizeSearch.and("downloadState", templateSizeSearch.entity().getDownloadState(), Op.IN);
         templateSizeSearch.and("destroyed", templateSizeSearch.entity().getDestroyed(), Op.EQ);
         SearchBuilder<VMTemplateVO> join1 = _vmTemplateDao.createSearchBuilder();
         join1.and("accountId", join1.entity().getAccountId(), Op.EQ);
@@ -515,15 +521,7 @@ public long findCorrectResourceLimitForDomain(Domain domain, ResourceType type,
         return max;
     }
 
-    protected void checkDomainResourceLimit(final Account account, final Project project, final ResourceType type, String tag, long numResources) throws ResourceAllocationException {
-        // check all domains in the account's domain hierarchy
-        Long domainId;
-        if (project != null) {
-            domainId = project.getDomainId();
-        } else {
-            domainId = account.getDomainId();
-        }
-
+    protected void checkDomainResourceLimit(Long domainId, final ResourceType type, String tag, long numResources) throws ResourceAllocationException {
         while (domainId != null) {
             DomainVO domain = _domainDao.findById(domainId);
             // no limit check if it is ROOT domain
@@ -645,11 +643,16 @@ public void checkResourceLimit(final Account account, final ResourceType type, l
 
     @Override
     public void checkResourceLimitWithTag(final Account account, final ResourceType type, String tag, long... count) throws ResourceAllocationException {
+        checkResourceLimitWithTag(account, null, false, type, tag, count);
+    }
+
+    @Override
+    public void checkResourceLimitWithTag(final Account account, Long domainId, boolean considerSystemAccount, final ResourceType type, String tag, long... count) throws ResourceAllocationException {
         final long numResources = ((count.length == 0) ? 1 : count[0]);
         Project project = null;
 
         // Don't place any limits on system or root admin accounts
-        if (_accountMgr.isRootAdmin(account.getId())) {
+        if (_accountMgr.isRootAdmin(account.getId()) && !(considerSystemAccount && Account.ACCOUNT_ID_SYSTEM == account.getId())) {
             return;
         }
 
@@ -657,6 +660,14 @@ public void checkResourceLimitWithTag(final Account account, final ResourceType
             project = _projectDao.findByProjectAccountId(account.getId());
         }
 
+        if (domainId == null) {
+            if (project != null) {
+                domainId = project.getDomainId();
+            } else {
+                domainId = account.getDomainId();
+            }
+        }
+        Long domainIdFinal = domainId;
         final Project projectFinal = project;
         Transaction.execute(new TransactionCallbackWithExceptionNoReturn<ResourceAllocationException>() {
             @Override
@@ -666,7 +677,7 @@ public void doInTransactionWithoutResult(TransactionStatus status) throws Resour
                 // Check account limits
                 checkAccountResourceLimit(account, projectFinal, type, tag, numResources);
                 // check all domains in the account's domain hierarchy
-                checkDomainResourceLimit(account, projectFinal, type, tag, numResources);
+                checkDomainResourceLimit(domainIdFinal, type, tag, numResources);
             }
         });
     }
@@ -1031,7 +1042,8 @@ public ResourceLimitVO updateResourceLimit(Long accountId, Long domainId, Intege
 
         ResourceLimitVO limit = _resourceLimitDao.findByOwnerIdAndTypeAndTag(ownerId, ownerType, resourceType, tag);
 
-        ActionEventUtils.onActionEvent(caller.getId(), caller.getAccountId(),
+        Long callingUserId = CallContext.current().getCallingUserId();
+        ActionEventUtils.onActionEvent(callingUserId, caller.getAccountId(),
                 caller.getDomainId(), EventTypes.EVENT_RESOURCE_LIMIT_UPDATE,
                 "Resource limit updated. Resource Type: " + resourceType + ", New Value: " + max,
                 ownerResourceId, ownerResourceType.toString());
@@ -1208,7 +1220,7 @@ protected boolean updateResourceCountForAccount(final long accountId, final Reso
      * @param type the resource type to do the recalculation for
      * @return the resulting new resource count
      */
-    protected long recalculateDomainResourceCount(final long domainId, final ResourceType type, String tag) {
+    public long recalculateDomainResourceCount(final long domainId, final ResourceType type, String tag) {
         List<AccountVO> accounts = _accountDao.findActiveAccountsForDomain(domainId);
         List<DomainVO> childDomains = _domainDao.findImmediateChildrenForParent(domainId);
 
@@ -1244,9 +1256,8 @@ protected long recalculateDomainResourceCount(final long domainId, final Resourc
             long newResourceCount = 0L;
             ResourceCountVO domainRC = null;
 
-            // calculate project count here
-            if (type == ResourceType.project) {
-                newResourceCount += _projectDao.countProjectsForDomain(domainId);
+            if (type == ResourceType.network) {
+                newResourceCount += networkDomainDao.listDomainNetworkMapByDomain(domainId).size();
             }
 
             // TODO make sure that the resource counts are not null
@@ -1493,7 +1504,7 @@ public long calculateSecondaryStorageForAccount(long accountId) {
         long totalTemplatesSize = 0;
 
         SearchCriteria<SumCount> sc = templateSizeSearch.create();
-        sc.setParameters("downloadState", Status.DOWNLOADED);
+        sc.setParameters("downloadState", Status.DOWNLOADED, Status.DOWNLOAD_IN_PROGRESS);
         sc.setParameters("destroyed", false);
         sc.setJoinParameters("templates", "accountId", accountId);
         List<SumCount> templates = _vmTemplateStoreDao.customSearch(sc, null);
@@ -1730,7 +1741,8 @@ public List<String> getResourceLimitStorageTags(DiskOffering diskOffering) {
         return tags;
     }
 
-    protected List<String> getResourceLimitStorageTagsForResourceCountOperation(Boolean display, DiskOffering diskOffering) {
+    @Override
+    public List<String> getResourceLimitStorageTagsForResourceCountOperation(Boolean display, DiskOffering diskOffering) {
         if (Boolean.FALSE.equals(display)) {
             return new ArrayList<>();
         }
@@ -1744,54 +1756,53 @@ protected List<String> getResourceLimitStorageTagsForResourceCountOperation(Bool
     }
 
     @Override
-    public void checkVolumeResourceLimit(Account owner, Boolean display, Long size, DiskOffering diskOffering) throws ResourceAllocationException {
+    public void checkVolumeResourceLimit(Account owner, Boolean display, Long size, DiskOffering diskOffering, List<Reserver> reservations) throws ResourceAllocationException {
         List<String> tags = getResourceLimitStorageTagsForResourceCountOperation(display, diskOffering);
         if (CollectionUtils.isEmpty(tags)) {
             return;
         }
-        for (String tag : tags) {
-            checkResourceLimitWithTag(owner, ResourceType.volume, tag);
-            if (size != null) {
-                checkResourceLimitWithTag(owner, ResourceType.primary_storage, tag, size);
-            }
+
+        CheckedReservation volumeReservation = new CheckedReservation(owner, ResourceType.volume, tags, 1L, reservationDao, resourceLimitService);
+        reservations.add(volumeReservation);
+
+        if (size != null) {
+            CheckedReservation primaryStorageReservation = new CheckedReservation(owner, ResourceType.primary_storage, tags, size, reservationDao, resourceLimitService);
+            reservations.add(primaryStorageReservation);
         }
     }
 
     @Override
-    public void checkPrimaryStorageResourceLimit(Account owner, Boolean display, Long size, DiskOffering diskOffering) throws ResourceAllocationException {
+    public void checkPrimaryStorageResourceLimit(Account owner, Boolean display, Long size, DiskOffering diskOffering, List<Reserver> reservations) throws ResourceAllocationException {
         List<String> tags = getResourceLimitStorageTagsForResourceCountOperation(display, diskOffering);
         if (CollectionUtils.isEmpty(tags)) {
             return;
         }
-        if (size != null) {
-            for (String tag : tags) {
-                checkResourceLimitWithTag(owner, ResourceType.primary_storage, tag, size);
-            }
-        }
+        CheckedReservation primaryStorageReservation = new CheckedReservation(owner, ResourceType.primary_storage, tags, size, reservationDao, resourceLimitService);
+        reservations.add(primaryStorageReservation);
     }
 
     @Override
     public void checkVolumeResourceLimitForDiskOfferingChange(Account owner, Boolean display, Long currentSize, Long newSize,
-            DiskOffering currentOffering, DiskOffering newOffering
+            DiskOffering currentOffering, DiskOffering newOffering, List<Reserver> reservations
     ) throws ResourceAllocationException {
         Ternary<Set<String>, Set<String>, Set<String>> updatedResourceLimitStorageTags = getResourceLimitStorageTagsForDiskOfferingChange(display, currentOffering, newOffering);
         if (updatedResourceLimitStorageTags == null) {
             return;
         }
 
-        Set<String> sameTags = updatedResourceLimitStorageTags.first();
-        Set<String> newTags = updatedResourceLimitStorageTags.second();
-
-        if (newSize > currentSize) {
-            for (String tag : sameTags) {
-                checkResourceLimitWithTag(owner, ResourceType.primary_storage, tag, newSize - currentSize);
-            }
+        List<String> currentTags = getResourceLimitStorageTagsForResourceCountOperation(true, currentOffering);
+        List<String> tagsAfterUpdate = getResourceLimitStorageTagsForResourceCountOperation(true, newOffering);
+        if (currentTags.isEmpty() && tagsAfterUpdate.isEmpty()) {
+            return;
         }
 
-        for (String tag : newTags) {
-            checkResourceLimitWithTag(owner, ResourceType.volume, tag, 1L);
-            checkResourceLimitWithTag(owner, ResourceType.primary_storage, tag, newSize);
-        }
+        CheckedReservation volumeReservation = new CheckedReservation(owner, ResourceType.volume, null, tagsAfterUpdate,
+                currentTags, 1L, 1L, reservationDao, resourceLimitService);
+        reservations.add(volumeReservation);
+
+        CheckedReservation primaryStorageReservation = new CheckedReservation(owner, ResourceType.primary_storage, null,
+                tagsAfterUpdate, currentTags, newSize, currentSize, reservationDao, resourceLimitService);
+        reservations.add(primaryStorageReservation);
     }
 
     @DB
@@ -2018,20 +2029,27 @@ protected List<String> getResourceLimitHostTagsForResourceCountOperation(Boolean
     }
 
     @Override
-    public void checkVmResourceLimit(Account owner, Boolean display, ServiceOffering serviceOffering, VirtualMachineTemplate template) throws ResourceAllocationException {
+    public void checkVmResourceLimit(Account owner, Boolean display, ServiceOffering serviceOffering, VirtualMachineTemplate template, List<Reserver> reservations) throws ResourceAllocationException {
         List<String> tags = getResourceLimitHostTagsForResourceCountOperation(display, serviceOffering, template);
         if (CollectionUtils.isEmpty(tags)) {
             return;
         }
+
+        CheckedReservation vmReservation = new CheckedReservation(owner, ResourceType.user_vm, tags, 1L, reservationDao, resourceLimitService);
+        reservations.add(vmReservation);
+
         Long cpu = serviceOffering.getCpu() != null ? Long.valueOf(serviceOffering.getCpu()) : 0L;
+        CheckedReservation cpuReservation = new CheckedReservation(owner, ResourceType.cpu, tags, cpu, reservationDao, resourceLimitService);
+        reservations.add(cpuReservation);
+
         Long ram = serviceOffering.getRamSize() != null ? Long.valueOf(serviceOffering.getRamSize()) : 0L;
+        CheckedReservation memReservation = new CheckedReservation(owner, ResourceType.memory, tags, ram, reservationDao, resourceLimitService);
+        reservations.add(memReservation);
+
         Long gpu = serviceOffering.getGpuCount() != null ? Long.valueOf(serviceOffering.getGpuCount()) : 0L;
-        for (String tag : tags) {
-            checkResourceLimitWithTag(owner, ResourceType.user_vm, tag);
-            checkResourceLimitWithTag(owner, ResourceType.cpu, tag, cpu);
-            checkResourceLimitWithTag(owner, ResourceType.memory, tag, ram);
-            checkResourceLimitWithTag(owner, ResourceType.gpu, tag, gpu);
-        }
+        CheckedReservation gpuReservation = new CheckedReservation(owner, ResourceType.gpu, tags, gpu, reservationDao, resourceLimitService);
+        reservations.add(gpuReservation);
+
     }
 
     @Override
@@ -2081,83 +2099,60 @@ public void doInTransactionWithoutResult(TransactionStatus status) {
 
     @Override
     public void checkVmResourceLimitsForTemplateChange(Account owner, Boolean display, ServiceOffering offering,
-            VirtualMachineTemplate currentTemplate, VirtualMachineTemplate newTemplate) throws ResourceAllocationException {
+            VirtualMachineTemplate currentTemplate, VirtualMachineTemplate newTemplate, List<Reserver> reservations) throws ResourceAllocationException {
         checkVmResourceLimitsForServiceOfferingAndTemplateChange(owner, display, null, null,
-                null, null, offering, offering, currentTemplate, newTemplate);
+                null, null, offering, offering, currentTemplate, newTemplate, reservations);
     }
 
     @Override
     public void checkVmResourceLimitsForServiceOfferingChange(Account owner, Boolean display, Long currentCpu, Long newCpu,
             Long currentMemory, Long newMemory,
-            ServiceOffering currentOffering, ServiceOffering newOffering, VirtualMachineTemplate template
+            ServiceOffering currentOffering, ServiceOffering newOffering, VirtualMachineTemplate template, List<Reserver> reservations
     ) throws ResourceAllocationException {
         checkVmResourceLimitsForServiceOfferingAndTemplateChange(owner, display, currentCpu, newCpu, currentMemory, newMemory, currentOffering,
-                newOffering != null ? newOffering : currentOffering, template, template);
+                newOffering != null ? newOffering : currentOffering, template, template, reservations);
     }
 
     private void checkVmResourceLimitsForServiceOfferingAndTemplateChange(Account owner, Boolean display, Long currentCpu, Long newCpu,
             Long currentMemory, Long newMemory, ServiceOffering currentOffering, ServiceOffering newOffering,
-            VirtualMachineTemplate currentTemplate, VirtualMachineTemplate newTemplate
+            VirtualMachineTemplate currentTemplate, VirtualMachineTemplate newTemplate, List<Reserver> reservations
     ) throws ResourceAllocationException {
-        Ternary<Set<String>, Set<String>, Set<String>> updatedResourceLimitHostTags = getResourceLimitHostTagsForVmServiceOfferingAndTemplateChange(display, currentOffering, newOffering, currentTemplate, newTemplate);
-        if (updatedResourceLimitHostTags == null) {
+        List<String> currentTags = getResourceLimitHostTagsForResourceCountOperation(true, currentOffering, currentTemplate);
+        List<String> tagsAfterUpdate = getResourceLimitHostTagsForResourceCountOperation(true, newOffering, newTemplate);
+        if (currentTags.isEmpty() && tagsAfterUpdate.isEmpty()) {
             return;
         }
 
+        CheckedReservation vmReservation = new CheckedReservation(owner, ResourceType.user_vm, null, tagsAfterUpdate,
+                currentTags, 1L, 1L, reservationDao, resourceLimitService);
+        reservations.add(vmReservation);
+
         if (currentCpu == null) {
             currentCpu = currentOffering.getCpu() != null ? Long.valueOf(currentOffering.getCpu()) : 0L;
         }
         if (newCpu == null) {
             newCpu = newOffering.getCpu() != null ? Long.valueOf(newOffering.getCpu()) : 0L;
         }
+        CheckedReservation cpuReservation = new CheckedReservation(owner, ResourceType.cpu, null, tagsAfterUpdate,
+                currentTags, newCpu, currentCpu, reservationDao, resourceLimitService);
+        reservations.add(cpuReservation);
+
         if (currentMemory == null) {
             currentMemory = currentOffering.getRamSize() != null ? Long.valueOf(currentOffering.getRamSize()) : 0L;
         }
         if (newMemory == null) {
             newMemory = newOffering.getRamSize() != null ? Long.valueOf(newOffering.getRamSize()) : 0L;
         }
+        CheckedReservation memReservation = new CheckedReservation(owner, ResourceType.memory, null, tagsAfterUpdate,
+                currentTags, newMemory, currentMemory, reservationDao, resourceLimitService);
+        reservations.add(memReservation);
+
         Long currentGpu = currentOffering.getGpuCount() != null ? Long.valueOf(currentOffering.getGpuCount()) : 0L;
         Long newGpu = newOffering.getGpuCount() != null ? Long.valueOf(newOffering.getGpuCount()) : 0L;
 
-        Set<String> sameTags = updatedResourceLimitHostTags.first();
-        Set<String> newTags = updatedResourceLimitHostTags.second();
-
-        if (newCpu - currentCpu > 0 || newMemory - currentMemory > 0 || newGpu - currentGpu > 0) {
-            for (String tag : sameTags) {
-                if (newCpu - currentCpu > 0) {
-                    checkResourceLimitWithTag(owner, ResourceType.cpu, tag, newCpu - currentCpu);
-                }
-
-                if (newMemory - currentMemory > 0) {
-                    checkResourceLimitWithTag(owner, ResourceType.memory, tag, newMemory - currentMemory);
-                }
-
-                if (newGpu - currentGpu > 0) {
-                    checkResourceLimitWithTag(owner, ResourceType.gpu, tag, newGpu - currentGpu);
-                }
-            }
-        }
-
-        for (String tag : newTags) {
-            checkResourceLimitWithTag(owner, ResourceType.user_vm, tag, 1L);
-            checkResourceLimitWithTag(owner, ResourceType.cpu, tag, newCpu);
-            checkResourceLimitWithTag(owner, ResourceType.memory, tag, newMemory);
-            checkResourceLimitWithTag(owner, ResourceType.gpu, tag, newGpu);
-        }
-    }
-
-    @Override
-    public void checkVmCpuResourceLimit(Account owner, Boolean display, ServiceOffering serviceOffering, VirtualMachineTemplate template, Long cpu) throws ResourceAllocationException {
-        List<String> tags = getResourceLimitHostTagsForResourceCountOperation(display, serviceOffering, template);
-        if (CollectionUtils.isEmpty(tags)) {
-            return;
-        }
-        if (cpu == null) {
-            cpu = serviceOffering.getCpu() != null ? Long.valueOf(serviceOffering.getCpu()) : 0L;
-        }
-        for (String tag : tags) {
-            checkResourceLimitWithTag(owner, ResourceType.cpu, tag, cpu);
-        }
+        CheckedReservation gpuReservation = new CheckedReservation(owner, ResourceType.gpu, null, tagsAfterUpdate,
+                currentTags, newGpu, currentGpu, reservationDao, resourceLimitService);
+        reservations.add(gpuReservation);
     }
 
     @Override
@@ -2188,20 +2183,6 @@ public void decrementVmCpuResourceCount(long accountId, Boolean display, Service
         }
     }
 
-    @Override
-    public void checkVmMemoryResourceLimit(Account owner, Boolean display, ServiceOffering serviceOffering, VirtualMachineTemplate template, Long memory) throws ResourceAllocationException {
-        List<String> tags = getResourceLimitHostTagsForResourceCountOperation(display, serviceOffering, template);
-        if (CollectionUtils.isEmpty(tags)) {
-            return;
-        }
-        if (memory == null) {
-            memory = serviceOffering.getRamSize() != null ? Long.valueOf(serviceOffering.getRamSize()) : 0L;
-        }
-        for (String tag : tags) {
-            checkResourceLimitWithTag(owner, ResourceType.memory, tag, memory);
-        }
-    }
-
     @Override
     public void incrementVmMemoryResourceCount(long accountId, Boolean display, ServiceOffering serviceOffering, VirtualMachineTemplate template, Long memory) {
         List<String> tags = getResourceLimitHostTagsForResourceCountOperation(display, serviceOffering, template);
@@ -2230,20 +2211,6 @@ public void decrementVmMemoryResourceCount(long accountId, Boolean display, Serv
         }
     }
 
-    @Override
-    public void checkVmGpuResourceLimit(Account owner, Boolean display, ServiceOffering serviceOffering, VirtualMachineTemplate template, Long gpu) throws ResourceAllocationException {
-        List<String> tags = getResourceLimitHostTagsForResourceCountOperation(display, serviceOffering, template);
-        if (CollectionUtils.isEmpty(tags)) {
-            return;
-        }
-        if (gpu == null) {
-            gpu = serviceOffering.getGpuCount() != null ? Long.valueOf(serviceOffering.getGpuCount()) : 0L;
-        }
-        for (String tag : tags) {
-            checkResourceLimitWithTag(owner, ResourceType.gpu, tag, gpu);
-        }
-    }
-
     @Override
     public void incrementVmGpuResourceCount(long accountId, Boolean display, ServiceOffering serviceOffering, VirtualMachineTemplate template, Long gpu) {
         List<String> tags = getResourceLimitHostTagsForResourceCountOperation(display, serviceOffering, template);
diff --git a/server/src/main/java/com/cloud/server/ManagementServerImpl.java b/server/src/main/java/com/cloud/server/ManagementServerImpl.java
index f8c4d1d44d4c..e5066b6da5cc 100644
--- a/server/src/main/java/com/cloud/server/ManagementServerImpl.java
+++ b/server/src/main/java/com/cloud/server/ManagementServerImpl.java
@@ -44,6 +44,7 @@
 import javax.naming.ConfigurationException;
 
 import org.apache.cloudstack.acl.ApiKeyPairVO;
+import com.cloud.api.query.MutualExclusiveIdsManagerBase;
 import com.cloud.network.vpc.VpcVO;
 import org.apache.cloudstack.acl.ControlledEntity;
 import org.apache.cloudstack.acl.SecurityChecker;
@@ -566,6 +567,7 @@
 import org.apache.cloudstack.api.command.user.vm.StopVMCmd;
 import org.apache.cloudstack.api.command.user.vm.UpdateDefaultNicForVMCmd;
 import org.apache.cloudstack.api.command.user.vm.UpdateVMCmd;
+import org.apache.cloudstack.api.command.user.vm.UpdateVmNicCmd;
 import org.apache.cloudstack.api.command.user.vm.UpdateVmNicIpCmd;
 import org.apache.cloudstack.api.command.user.vm.UpgradeVMCmd;
 import org.apache.cloudstack.api.command.user.vmgroup.CreateVMGroupCmd;
@@ -842,7 +844,6 @@
 import com.cloud.utils.PasswordGenerator;
 import com.cloud.utils.Ternary;
 import com.cloud.utils.component.ComponentLifecycle;
-import com.cloud.utils.component.ManagerBase;
 import com.cloud.utils.concurrency.NamedThreadFactory;
 import com.cloud.utils.crypt.DBEncryptionUtil;
 import com.cloud.utils.db.DB;
@@ -885,7 +886,7 @@
 import com.cloud.vm.dao.VMInstanceDao;
 import com.cloud.vm.dao.VMInstanceDetailsDao;
 
-public class ManagementServerImpl extends ManagerBase implements ManagementServer, Configurable {
+public class ManagementServerImpl extends MutualExclusiveIdsManagerBase implements ManagementServer, Configurable {
     protected StateMachine2<State, VirtualMachine.Event, VirtualMachine> _stateMachine;
 
     static final String FOR_SYSTEMVMS = "forsystemvms";
@@ -1081,8 +1082,6 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
 
     protected List<DeploymentPlanner> _planners;
 
-    private boolean jsInterpretationEnabled = false;
-
     private final List<HypervisorType> supportedHypervisors = new ArrayList<>();
 
     public List<DeploymentPlanner> getPlanners() {
@@ -1163,8 +1162,6 @@ public boolean configure(final String name, final Map<String, Object> params) th
         supportedHypervisors.add(HypervisorType.KVM);
         supportedHypervisors.add(HypervisorType.XenServer);
 
-        jsInterpretationEnabled = JsInterpretationEnabled.value();
-
         return true;
     }
 
@@ -1699,11 +1696,7 @@ protected List<Host> getCapableSuitableHosts(
         List<Host> suitableHosts = new ArrayList<>();
 
         for (final HostAllocator allocator : hostAllocators) {
-            if (CollectionUtils.isNotEmpty(compatibleHosts)) {
-                suitableHosts = allocator.allocateTo(vmProfile, plan, Host.Type.Routing, excludes, compatibleHosts, HostAllocator.RETURN_UPTO_ALL, false);
-            } else {
-                suitableHosts = allocator.allocateTo(vmProfile, plan, Host.Type.Routing, excludes, HostAllocator.RETURN_UPTO_ALL, false);
-            }
+            suitableHosts = allocator.allocateTo(vmProfile, plan, Host.Type.Routing, excludes, compatibleHosts, HostAllocator.RETURN_UPTO_ALL, false);
 
             if (CollectionUtils.isNotEmpty(suitableHosts)) {
                 break;
@@ -1712,18 +1705,17 @@ protected List<Host> getCapableSuitableHosts(
 
         _dpMgr.reorderHostsByPriority(plan.getHostPriorities(), suitableHosts);
 
-        if (suitableHosts.isEmpty()) {
+        if (CollectionUtils.isEmpty(suitableHosts)) {
             logger.warn("No suitable hosts found.");
-        } else {
-            logger.debug("Hosts having capacity and suitable for migration: {}", suitableHosts);
+            return suitableHosts;
         }
 
+        logger.debug("Hosts having capacity and are suitable for migration: {}", suitableHosts);
+
         // Only list hosts of the same architecture as the source Host in a multi-arch zone
-        if (!suitableHosts.isEmpty()) {
-            List<CPU.CPUArch> clusterArchs = ApiDBUtils.listZoneClustersArchs(vm.getDataCenterId());
-            if (CollectionUtils.isNotEmpty(clusterArchs) && clusterArchs.size() > 1) {
-                suitableHosts = suitableHosts.stream().filter(h -> h.getArch() == srcHost.getArch()).collect(Collectors.toList());
-            }
+        List<CPU.CPUArch> clusterArchs = ApiDBUtils.listZoneClustersArchs(vm.getDataCenterId());
+        if (CollectionUtils.isNotEmpty(clusterArchs) && clusterArchs.size() > 1) {
+            suitableHosts = suitableHosts.stream().filter(h -> h.getArch() == srcHost.getArch()).collect(Collectors.toList());
         }
 
         return suitableHosts;
@@ -2908,7 +2900,7 @@ protected void setParameters(SearchCriteria<IPAddressVO> sc, final ListPublicIpA
 
     @Override
     public Pair<List<? extends GuestOS>, Integer> listGuestOSByCriteria(final ListGuestOsCmd cmd) {
-        final Long id = cmd.getId();
+        List<Long> ids = getIdsListFromCmd(cmd.getId(), cmd.getIds());
         final Long osCategoryId = cmd.getOsCategoryId();
         final String description = cmd.getDescription();
         final String keyword = cmd.getKeyword();
@@ -2916,7 +2908,7 @@ public Pair<List<? extends GuestOS>, Integer> listGuestOSByCriteria(final ListGu
         final Long pageSize = cmd.getPageSizeVal();
         Boolean forDisplay = cmd.getDisplay();
 
-        return _guestOSDao.listGuestOSByCriteria(startIndex, pageSize, id, osCategoryId, description, keyword, forDisplay);
+        return _guestOSDao.listGuestOSByCriteria(startIndex, pageSize, ids, osCategoryId, description, keyword, forDisplay);
     }
 
     @Override
@@ -3043,33 +3035,46 @@ public Pair<List<? extends GuestOSHypervisor>, Integer> listGuestOSMappingByCrit
         final String hypervisor = cmd.getHypervisor();
         final String hypervisorVersion = cmd.getHypervisorVersion();
 
-        //throw exception if hypervisor name is not passed, but version is
+        //throw exception if hypervisor name is not passed, but a version is
         if (hypervisorVersion != null && (hypervisor == null || hypervisor.isEmpty())) {
             throw new InvalidParameterValueException("Hypervisor version parameter cannot be used without specifying a hypervisor : XenServer, KVM or VMware");
         }
 
-        final SearchCriteria<GuestOSHypervisorVO> sc = _guestOSHypervisorDao.createSearchCriteria();
+        SearchBuilder<GuestOSHypervisorVO> sb = _guestOSHypervisorDao.createSearchBuilder();
+        sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
+        sb.and("guestOsName", sb.entity().getGuestOsName(), SearchCriteria.Op.LIKE);
+        sb.and("hypervisorType", sb.entity().getHypervisorType(), SearchCriteria.Op.LIKE);
+        sb.and("hypervisorVersion", sb.entity().getHypervisorVersion(), SearchCriteria.Op.LIKE);
+        sb.and(guestOsId, sb.entity().getGuestOsId(), SearchCriteria.Op.EQ);
+        SearchBuilder<GuestOSVO> guestOSSearch = _guestOSDao.createSearchBuilder();
+        guestOSSearch.and("display", guestOSSearch.entity().isDisplay(), SearchCriteria.Op.LIKE);
+        sb.join("guestOSSearch", guestOSSearch, sb.entity().getGuestOsId(), guestOSSearch.entity().getId(), JoinBuilder.JoinType.INNER);
+
+        final SearchCriteria<GuestOSHypervisorVO> sc = sb.create();
 
         if (id != null) {
-            sc.addAnd("id", SearchCriteria.Op.EQ, id);
+            sc.setParameters("id", id);
         }
 
         if (osTypeId != null) {
-            sc.addAnd(guestOsId, SearchCriteria.Op.EQ, osTypeId);
+            sc.setParameters(guestOsId, osTypeId);
         }
 
         if (osNameForHypervisor != null) {
-            sc.addAnd("guestOsName", SearchCriteria.Op.LIKE, "%" + osNameForHypervisor + "%");
+            sc.setParameters("guestOsName", "%" + osNameForHypervisor + "%");
         }
 
         if (hypervisor != null) {
-            sc.addAnd("hypervisorType", SearchCriteria.Op.LIKE, "%" + hypervisor + "%");
+            sc.setParameters("hypervisorType", "%" + hypervisor + "%");
         }
 
         if (hypervisorVersion != null) {
-            sc.addAnd("hypervisorVersion", SearchCriteria.Op.LIKE, "%" + hypervisorVersion + "%");
+            sc.setParameters("hypervisorVersion", "%" + hypervisorVersion + "%");
         }
 
+        // Exclude the mappings for guest OS marked as display = false
+        sc.setJoinParameters("guestOSSearch", "display", true);
+
         if (osDisplayName != null) {
             List<GuestOSVO> guestOSVOS = _guestOSDao.listLikeDisplayName(osDisplayName);
             if (CollectionUtils.isNotEmpty(guestOSVOS)) {
@@ -4152,6 +4157,7 @@ public List<Class<?>> getCommands() {
         cmdList.add(StopVMCmd.class);
         cmdList.add(UpdateDefaultNicForVMCmd.class);
         cmdList.add(UpdateVMCmd.class);
+        cmdList.add(UpdateVmNicCmd.class);
         cmdList.add(UpgradeVMCmd.class);
         cmdList.add(CreateVMGroupCmd.class);
         cmdList.add(DeleteVMGroupCmd.class);
@@ -4359,10 +4365,8 @@ public List<Class<?>> getCommands() {
         cmdList.add(ListGuestVlansCmd.class);
         cmdList.add(AssignVolumeCmd.class);
         cmdList.add(ListSecondaryStorageSelectorsCmd.class);
-        if (jsInterpretationEnabled) {
-            cmdList.add(CreateSecondaryStorageSelectorCmd.class);
-            cmdList.add(UpdateSecondaryStorageSelectorCmd.class);
-        }
+        cmdList.add(CreateSecondaryStorageSelectorCmd.class);
+        cmdList.add(UpdateSecondaryStorageSelectorCmd.class);
         cmdList.add(RemoveSecondaryStorageSelectorCmd.class);
         cmdList.add(ListAffectedVmsForStorageScopeChangeCmd.class);
         cmdList.add(ListGuiThemesCmd.class);
@@ -4420,8 +4424,7 @@ public String getConfigComponentName() {
 
     @Override
     public ConfigKey<?>[] getConfigKeys() {
-        return new ConfigKey<?>[] {exposeCloudStackVersionInApiXmlResponse, exposeCloudStackVersionInApiListCapabilities, vmPasswordLength, sshKeyLength, humanReadableSizes, customCsIdentifier,
-        JsInterpretationEnabled};
+        return new ConfigKey<?>[] {exposeCloudStackVersionInApiXmlResponse, exposeCloudStackVersionInApiListCapabilities, vmPasswordLength, sshKeyLength, humanReadableSizes, customCsIdentifier};
     }
 
     protected class EventPurgeTask extends ManagedContextRunnable {
@@ -5987,13 +5990,5 @@ public boolean removeManagementServer(RemoveManagementServerCmd cmd) {
     public Answer getExternalVmConsole(VirtualMachine vm, Host host) {
         return extensionsManager.getInstanceConsole(vm, host);
     }
-    @Override
-    public void checkJsInterpretationAllowedIfNeededForParameterValue(String paramName, boolean paramValue) {
-        if (!paramValue || jsInterpretationEnabled) {
-            return;
-        }
-        throw new InvalidParameterValueException(String.format(
-                "The parameter %s cannot be set to true as JS interpretation is disabled",
-                paramName));
-    }
+
 }
diff --git a/server/src/main/java/com/cloud/storage/ImageStoreUploadMonitorImpl.java b/server/src/main/java/com/cloud/storage/ImageStoreUploadMonitorImpl.java
index 334e9f108356..c670b6316451 100755
--- a/server/src/main/java/com/cloud/storage/ImageStoreUploadMonitorImpl.java
+++ b/server/src/main/java/com/cloud/storage/ImageStoreUploadMonitorImpl.java
@@ -25,7 +25,6 @@
 import javax.inject.Inject;
 import javax.naming.ConfigurationException;
 
-import com.cloud.agent.api.to.OVFInformationTO;
 import org.apache.cloudstack.engine.subsystem.api.storage.DataStore;
 import org.apache.cloudstack.engine.subsystem.api.storage.DataStoreManager;
 import org.apache.cloudstack.engine.subsystem.api.storage.EndPoint;
@@ -37,6 +36,7 @@
 import org.apache.cloudstack.framework.config.ConfigKey;
 import org.apache.cloudstack.framework.config.Configurable;
 import org.apache.cloudstack.managed.context.ManagedContextRunnable;
+import org.apache.cloudstack.reservation.dao.ReservationDao;
 import org.apache.cloudstack.storage.command.UploadStatusAnswer;
 import org.apache.cloudstack.storage.command.UploadStatusAnswer.UploadStatus;
 import org.apache.cloudstack.storage.command.UploadStatusCommand;
@@ -55,6 +55,7 @@
 import com.cloud.agent.api.Answer;
 import com.cloud.agent.api.Command;
 import com.cloud.agent.api.StartupCommand;
+import com.cloud.agent.api.to.OVFInformationTO;
 import com.cloud.alert.AlertManager;
 import com.cloud.api.query.dao.TemplateJoinDao;
 import com.cloud.api.query.vo.TemplateJoinVO;
@@ -62,15 +63,20 @@
 import com.cloud.event.EventTypes;
 import com.cloud.event.UsageEventUtils;
 import com.cloud.exception.ConnectionException;
+import com.cloud.exception.ResourceAllocationException;
 import com.cloud.host.Host;
 import com.cloud.host.Status;
 import com.cloud.host.dao.HostDao;
+import com.cloud.resourcelimit.CheckedReservation;
 import com.cloud.storage.Volume.Event;
 import com.cloud.storage.dao.VMTemplateDao;
 import com.cloud.storage.dao.VMTemplateZoneDao;
 import com.cloud.storage.dao.VolumeDao;
 import com.cloud.template.VirtualMachineTemplate;
+import com.cloud.user.Account;
+import com.cloud.user.AccountManager;
 import com.cloud.user.ResourceLimitService;
+import com.cloud.user.dao.AccountDao;
 import com.cloud.utils.component.ManagerBase;
 import com.cloud.utils.concurrency.NamedThreadFactory;
 import com.cloud.utils.db.Transaction;
@@ -117,6 +123,12 @@ public class ImageStoreUploadMonitorImpl extends ManagerBase implements ImageSto
     private TemplateJoinDao templateJoinDao;
     @Inject
     private DeployAsIsHelper deployAsIsHelper;
+    @Inject
+    private AccountDao accountDao;
+    @Inject
+    private AccountManager _accountMgr;
+    @Inject
+    private ReservationDao reservationDao;
 
     private long _nodeId;
     private ScheduledExecutorService _executor = null;
@@ -205,6 +217,36 @@ protected class UploadStatusCheck extends ManagedContextRunnable {
         public UploadStatusCheck() {
         }
 
+        private Answer sendUploadStatusCommandForVolume(EndPoint ep, UploadStatusCommand cmd, VolumeVO volume) {
+            Answer answer = null;
+            try {
+                answer = ep.sendMessage(cmd);
+            } catch (CloudRuntimeException e) {
+                logger.warn("Unable to get upload status for volume {}. Error details: {}", volume, e.getMessage());
+                answer = new UploadStatusAnswer(cmd, UploadStatus.UNKNOWN, e.getMessage());
+            }
+            if (answer == null || !(answer instanceof UploadStatusAnswer)) {
+                logger.warn("No or invalid answer corresponding to UploadStatusCommand for volume {}", volume);
+                return null;
+            }
+            return answer;
+        }
+
+        private Answer sendUploadStatusCommandForTemplate(EndPoint ep, UploadStatusCommand cmd, VMTemplateVO template) {
+            Answer answer = null;
+            try {
+                answer = ep.sendMessage(cmd);
+            } catch (CloudRuntimeException e) {
+                logger.warn("Unable to get upload status for template {}. Error details: {}", template, e.getMessage());
+                answer = new UploadStatusAnswer(cmd, UploadStatus.UNKNOWN, e.getMessage());
+            }
+            if (answer == null || !(answer instanceof UploadStatusAnswer)) {
+                logger.warn("No or invalid answer corresponding to UploadStatusCommand for template {}", template);
+                return null;
+            }
+            return answer;
+        }
+
         @Override
         protected void runInContext() {
             // 1. Select all entries with download_state = Not_Downloaded or Download_In_Progress
@@ -231,18 +273,17 @@ protected void runInContext() {
                     UploadStatusCommand cmd = new UploadStatusCommand(volume.getUuid(), EntityType.Volume);
                     if (host != null && host.getManagementServerId() != null) {
                         if (_nodeId == host.getManagementServerId().longValue()) {
-                            Answer answer = null;
-                            try {
-                                answer = ep.sendMessage(cmd);
-                            } catch (CloudRuntimeException e) {
-                                logger.warn("Unable to get upload status for volume {}. Error details: {}", volume, e.getMessage());
-                                answer = new UploadStatusAnswer(cmd, UploadStatus.UNKNOWN, e.getMessage());
-                            }
-                            if (answer == null || !(answer instanceof UploadStatusAnswer)) {
-                                logger.warn("No or invalid answer corresponding to UploadStatusCommand for volume {}", volume);
+                            Answer answer = sendUploadStatusCommandForVolume(ep, cmd, volume);
+                            if (answer == null) {
                                 continue;
                             }
-                            handleVolumeStatusResponse((UploadStatusAnswer)answer, volume, volumeDataStore);
+                            if (!handleVolumeStatusResponse((UploadStatusAnswer)answer, volume, volumeDataStore)) {
+                                cmd = new UploadStatusCommand(volume.getUuid(), EntityType.Volume, true);
+                                answer = sendUploadStatusCommandForVolume(ep, cmd, volume);
+                                if (answer == null) {
+                                    logger.warn("Unable to abort upload for volume {}", volume);
+                                }
+                            }
                         }
                     } else {
                         String error = "Volume " + volume.getUuid() + " failed to upload as SSVM is either destroyed or SSVM agent not in 'Up' state";
@@ -275,18 +316,17 @@ protected void runInContext() {
                     UploadStatusCommand cmd = new UploadStatusCommand(template.getUuid(), EntityType.Template);
                     if (host != null && host.getManagementServerId() != null) {
                         if (_nodeId == host.getManagementServerId().longValue()) {
-                            Answer answer = null;
-                            try {
-                                answer = ep.sendMessage(cmd);
-                            } catch (CloudRuntimeException e) {
-                                logger.warn("Unable to get upload status for template {}. Error details: {}", template, e.getMessage());
-                                answer = new UploadStatusAnswer(cmd, UploadStatus.UNKNOWN, e.getMessage());
-                            }
-                            if (answer == null || !(answer instanceof UploadStatusAnswer)) {
-                                logger.warn("No or invalid answer corresponding to UploadStatusCommand for template {}", template);
+                            Answer answer = sendUploadStatusCommandForTemplate(ep, cmd, template);
+                            if (answer == null) {
                                 continue;
                             }
-                            handleTemplateStatusResponse((UploadStatusAnswer)answer, template, templateDataStore);
+                            if (!handleTemplateStatusResponse((UploadStatusAnswer) answer, template, templateDataStore)) {
+                                cmd = new UploadStatusCommand(template.getUuid(), EntityType.Template, true);
+                                answer = sendUploadStatusCommandForTemplate(ep, cmd, template);
+                                if (answer == null) {
+                                    logger.warn("Unable to abort upload for template {}", template);
+                                }
+                            }
                         }
                     } else {
                         String error = String.format(
@@ -303,7 +343,41 @@ protected void runInContext() {
             }
         }
 
-        private void handleVolumeStatusResponse(final UploadStatusAnswer answer, final VolumeVO volume, final VolumeDataStoreVO volumeDataStore) {
+        private Boolean checkAndUpdateSecondaryStorageResourceLimit(Long accountId, Long lastSize, Long currentSize) {
+            if (lastSize >= currentSize) {
+                return true;
+            }
+            Long usage = currentSize - lastSize;
+            try (CheckedReservation secStorageReservation = new CheckedReservation(_accountMgr.getAccount(accountId), Resource.ResourceType.secondary_storage, null, null, usage, reservationDao, _resourceLimitMgr)) {
+                _resourceLimitMgr.incrementResourceCount(accountId, Resource.ResourceType.secondary_storage, usage);
+                return true;
+            } catch (Exception e) {
+                _resourceLimitMgr.decrementResourceCount(accountId, Resource.ResourceType.secondary_storage, lastSize);
+                return false;
+            }
+        }
+
+        private Boolean checkAndUpdateVolumeResourceLimit(VolumeVO volume, VolumeDataStoreVO volumeDataStore, UploadStatusAnswer answer) {
+            boolean success = true;
+            Long currentSize = answer.getVirtualSize() != 0 ? answer.getVirtualSize() : answer.getPhysicalSize();
+            Long lastSize = volume.getSize() != null ? volume.getSize() : 0L;
+            if (!checkAndUpdateSecondaryStorageResourceLimit(volume.getAccountId(), lastSize, currentSize)) {
+                volumeDataStore.setDownloadState(VMTemplateStorageResourceAssoc.Status.DOWNLOAD_ERROR);
+                volumeDataStore.setState(State.Failed);
+                volumeDataStore.setErrorString("Storage Limit Reached");
+                Account owner = accountDao.findById(volume.getAccountId());
+                String msg = String.format("Upload of volume [%s] failed because its owner [%s] does not have enough secondary storage space available.", volume.getUuid(), owner.getUuid());
+                logger.error(msg);
+                success = false;
+            }
+            VolumeVO volumeUpdate = _volumeDao.findById(volume.getId());
+            volumeUpdate.setSize(currentSize);
+            _volumeDao.update(volumeUpdate.getId(), volumeUpdate);
+            return success;
+        }
+
+        private boolean handleVolumeStatusResponse(final UploadStatusAnswer answer, final VolumeVO volume, final VolumeDataStoreVO volumeDataStore) {
+            final boolean[] needAbort = new boolean[]{false};
             final StateMachine2<Volume.State, Event, Volume> stateMachine = Volume.State.getStateMachine();
             Transaction.execute(new TransactionCallbackNoReturn() {
                 @Override
@@ -315,6 +389,11 @@ public void doInTransactionWithoutResult(TransactionStatus status) {
                     try {
                         switch (answer.getStatus()) {
                         case COMPLETED:
+                            if (!checkAndUpdateVolumeResourceLimit(tmpVolume, tmpVolumeDataStore, answer)) {
+                                stateMachine.transitTo(tmpVolume, Event.OperationFailed, null, _volumeDao);
+                                sendAlert = true;
+                                break;
+                            }
                             tmpVolumeDataStore.setDownloadState(VMTemplateStorageResourceAssoc.Status.DOWNLOADED);
                             tmpVolumeDataStore.setState(State.Ready);
                             tmpVolumeDataStore.setInstallPath(answer.getInstallPath());
@@ -326,7 +405,6 @@ public void doInTransactionWithoutResult(TransactionStatus status) {
                             volumeUpdate.setSize(answer.getVirtualSize());
                             _volumeDao.update(tmpVolume.getId(), volumeUpdate);
                             stateMachine.transitTo(tmpVolume, Event.OperationSucceeded, null, _volumeDao);
-                            _resourceLimitMgr.incrementResourceCount(volume.getAccountId(), Resource.ResourceType.secondary_storage, answer.getVirtualSize());
 
                             // publish usage events
                             UsageEventUtils.publishUsageEvent(EventTypes.EVENT_VOLUME_UPLOAD, tmpVolume.getAccountId(),
@@ -339,6 +417,12 @@ public void doInTransactionWithoutResult(TransactionStatus status) {
                             }
                             break;
                         case IN_PROGRESS:
+                            if (!checkAndUpdateVolumeResourceLimit(tmpVolume, tmpVolumeDataStore, answer)) {
+                                stateMachine.transitTo(tmpVolume, Event.OperationFailed, null, _volumeDao);
+                                sendAlert = true;
+                                needAbort[0] = true;
+                                break;
+                            }
                             if (tmpVolume.getState() == Volume.State.NotUploaded) {
                                 tmpVolumeDataStore.setDownloadState(VMTemplateStorageResourceAssoc.Status.DOWNLOAD_IN_PROGRESS);
                                 tmpVolumeDataStore.setDownloadPercent(answer.getDownloadPercent());
@@ -387,10 +471,29 @@ public void doInTransactionWithoutResult(TransactionStatus status) {
                     }
                 }
             });
+            return !needAbort[0];
         }
 
-        private void handleTemplateStatusResponse(final UploadStatusAnswer answer, final VMTemplateVO template, final TemplateDataStoreVO templateDataStore) {
+        private Boolean checkAndUpdateTemplateResourceLimit(VMTemplateVO template, TemplateDataStoreVO templateDataStore, UploadStatusAnswer answer) {
+            boolean success = true;
+            Long currentSize = answer.getVirtualSize() != 0 ? answer.getVirtualSize() : answer.getPhysicalSize();
+            Long lastSize = template.getSize() != null ? template.getSize() : 0L;
+            if (!checkAndUpdateSecondaryStorageResourceLimit(template.getAccountId(), lastSize, currentSize)) {
+                templateDataStore.setDownloadState(VMTemplateStorageResourceAssoc.Status.DOWNLOAD_ERROR);
+                templateDataStore.setErrorString("Storage Limit Reached");
+                templateDataStore.setState(State.Failed);
+                Account owner = accountDao.findById(template.getAccountId());
+                String msg = String.format("Upload of template [%s] failed because its owner [%s] does not have enough secondary storage space available.", template.getUuid(), owner.getUuid());
+                logger.error(msg);
+                success = false;
+            }
+            templateDataStore.setSize(currentSize);
+            return success;
+        }
+
+        private boolean handleTemplateStatusResponse(final UploadStatusAnswer answer, final VMTemplateVO template, final TemplateDataStoreVO templateDataStore) {
             final StateMachine2<VirtualMachineTemplate.State, VirtualMachineTemplate.Event, VirtualMachineTemplate> stateMachine = VirtualMachineTemplate.State.getStateMachine();
+            final boolean[] needAbort = new boolean[]{false};
             Transaction.execute(new TransactionCallbackNoReturn() {
                 @Override
                 public void doInTransactionWithoutResult(TransactionStatus status) {
@@ -401,6 +504,11 @@ public void doInTransactionWithoutResult(TransactionStatus status) {
                     try {
                         switch (answer.getStatus()) {
                         case COMPLETED:
+                            if (!checkAndUpdateTemplateResourceLimit(tmpTemplate, tmpTemplateDataStore, answer)) {
+                                stateMachine.transitTo(tmpTemplate, VirtualMachineTemplate.Event.OperationFailed, null, _templateDao);
+                                sendAlert = true;
+                                break;
+                            }
                             tmpTemplateDataStore.setDownloadState(VMTemplateStorageResourceAssoc.Status.DOWNLOADED);
                             tmpTemplateDataStore.setState(State.Ready);
                             tmpTemplateDataStore.setInstallPath(answer.getInstallPath());
@@ -436,8 +544,23 @@ public void doInTransactionWithoutResult(TransactionStatus status) {
                                     break;
                                 }
                             }
+
+                            Account owner = accountDao.findById(template.getAccountId());
+                            long templateSize = answer.getVirtualSize();
+
+                            try (CheckedReservation secondaryStorageReservation = new CheckedReservation(owner, Resource.ResourceType.secondary_storage, null, null, templateSize, reservationDao, _resourceLimitMgr)) {
+                                _resourceLimitMgr.incrementResourceCount(owner.getId(), Resource.ResourceType.secondary_storage, templateSize);
+                            } catch (ResourceAllocationException e) {
+                                tmpTemplateDataStore.setDownloadState(VMTemplateStorageResourceAssoc.Status.UPLOAD_ERROR);
+                                tmpTemplateDataStore.setState(State.Failed);
+                                stateMachine.transitTo(tmpTemplate, VirtualMachineTemplate.Event.OperationFailed, null, _templateDao);
+                                msg = String.format("Upload of template [%s] failed because its owner [%s] does not have enough secondary storage space available.", template.getUuid(), owner.getUuid());
+                                logger.warn(msg);
+                                sendAlert = true;
+                                break;
+                            }
+
                             stateMachine.transitTo(tmpTemplate, VirtualMachineTemplate.Event.OperationSucceeded, null, _templateDao);
-                            _resourceLimitMgr.incrementResourceCount(template.getAccountId(), Resource.ResourceType.secondary_storage, answer.getVirtualSize());
                             //publish usage event
                             String etype = EventTypes.EVENT_TEMPLATE_CREATE;
                             if (tmpTemplate.getFormat() == Storage.ImageFormat.ISO) {
@@ -453,6 +576,12 @@ public void doInTransactionWithoutResult(TransactionStatus status) {
                             }
                             break;
                         case IN_PROGRESS:
+                            if (!checkAndUpdateTemplateResourceLimit(tmpTemplate, tmpTemplateDataStore, answer)) {
+                                stateMachine.transitTo(tmpTemplate, VirtualMachineTemplate.Event.OperationFailed, null, _templateDao);
+                                sendAlert = true;
+                                needAbort[0] = true;
+                                break;
+                            }
                             if (tmpTemplate.getState() == VirtualMachineTemplate.State.NotUploaded) {
                                 tmpTemplateDataStore.setDownloadState(VMTemplateStorageResourceAssoc.Status.DOWNLOAD_IN_PROGRESS);
                                 stateMachine.transitTo(tmpTemplate, VirtualMachineTemplate.Event.UploadRequested, null, _templateDao);
@@ -502,6 +631,7 @@ public void doInTransactionWithoutResult(TransactionStatus status) {
                     }
                 }
             });
+            return !needAbort[0];
         }
 
     }
diff --git a/server/src/main/java/com/cloud/storage/StorageManagerImpl.java b/server/src/main/java/com/cloud/storage/StorageManagerImpl.java
index 1f453a862947..7c501c78beeb 100644
--- a/server/src/main/java/com/cloud/storage/StorageManagerImpl.java
+++ b/server/src/main/java/com/cloud/storage/StorageManagerImpl.java
@@ -16,6 +16,7 @@
 // under the License.
 package com.cloud.storage;
 
+import static com.cloud.configuration.ConfigurationManagerImpl.SystemVMUseLocalStorage;
 import static com.cloud.utils.NumbersUtil.toHumanReadableSize;
 
 import java.io.UnsupportedEncodingException;
@@ -111,6 +112,7 @@
 import org.apache.cloudstack.framework.config.ConfigKey;
 import org.apache.cloudstack.framework.config.Configurable;
 import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
+import org.apache.cloudstack.jsinterpreter.JsInterpreterHelper;
 import org.apache.cloudstack.managed.context.ManagedContextRunnable;
 import org.apache.cloudstack.management.ManagementServerHost;
 import org.apache.cloudstack.resourcedetail.dao.DiskOfferingDetailsDao;
@@ -148,6 +150,7 @@
 import org.apache.commons.collections.MapUtils;
 import org.apache.commons.lang.time.DateUtils;
 import org.apache.commons.lang3.ArrayUtils;
+import org.apache.commons.lang3.BooleanUtils;
 import org.apache.commons.lang3.EnumUtils;
 import org.springframework.stereotype.Component;
 
@@ -180,7 +183,6 @@
 import com.cloud.cluster.ClusterManagerListener;
 import com.cloud.configuration.Config;
 import com.cloud.configuration.ConfigurationManager;
-import com.cloud.configuration.ConfigurationManagerImpl;
 import com.cloud.configuration.Resource.ResourceType;
 import com.cloud.cpu.CPU;
 import com.cloud.dc.ClusterVO;
@@ -417,6 +419,8 @@ public class StorageManagerImpl extends ManagerBase implements StorageManager, C
     StorageManager storageManager;
     @Inject
     ManagementService managementService;
+    @Inject
+    JsInterpreterHelper jsInterpreterHelper;
 
     protected List<StoragePoolDiscoverer> _discoverers;
 
@@ -819,6 +823,10 @@ protected DataStore createLocalStorage(Map<String, Object> poolInfos) throws Con
         return createLocalStorage(host, pInfo);
     }
 
+    private boolean isLocalStorageEnabledForZone(DataCenterVO zone) {
+        return zone.isLocalStorageEnabled() || BooleanUtils.toBoolean(SystemVMUseLocalStorage.valueIn(zone.getId()));
+    }
+
     @DB
     @Override
     public DataStore createLocalStorage(Host host, StoragePoolInfo pInfo) throws ConnectionException {
@@ -826,12 +834,7 @@ public DataStore createLocalStorage(Host host, StoragePoolInfo pInfo) throws Con
         if (dc == null) {
             return null;
         }
-        boolean useLocalStorageForSystemVM = false;
-        Boolean isLocal = ConfigurationManagerImpl.SystemVMUseLocalStorage.valueIn(dc.getId());
-        if (isLocal != null) {
-            useLocalStorageForSystemVM = isLocal.booleanValue();
-        }
-        if (!(dc.isLocalStorageEnabled() || useLocalStorageForSystemVM)) {
+        if (!isLocalStorageEnabledForZone(dc)) {
             return null;
         }
         DataStore store = null;
@@ -962,6 +965,8 @@ protected void checkNFSMountOptionsForUpdate(Map<String, String> details, Storag
 
     @Override
     public PrimaryDataStoreInfo createPool(CreateStoragePoolCmd cmd) throws ResourceInUseException, IllegalArgumentException, UnknownHostException, ResourceUnavailableException {
+        jsInterpreterHelper.ensureInterpreterEnabledIfParameterProvided(ApiConstants.IS_TAG_A_RULE, Boolean.TRUE.equals(cmd.isTagARule()));
+
         String providerName = cmd.getStorageProviderName();
         Map<String,String> uriParams = extractUriParamsAsMap(cmd.getUrl());
         boolean isFileScheme = "file".equals(uriParams.get("scheme"));
@@ -1033,9 +1038,10 @@ public PrimaryDataStoreInfo createPool(CreateStoragePoolCmd cmd) throws Resource
         if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(account.getId())) {
             throw new PermissionDeniedException(String.format("Cannot perform this operation, Zone is currently disabled: %s", zone));
         }
-
-        managementService.checkJsInterpretationAllowedIfNeededForParameterValue(ApiConstants.IS_TAG_A_RULE,
-                Boolean.TRUE.equals(cmd.isTagARule()));
+        // Check if it's local storage and if it's enabled on the zone
+        if (isFileScheme && !isLocalStorageEnabledForZone(zone)) {
+            throw new InvalidParameterValueException("Local storage is not enabled for zone: " + zone);
+        }
 
         Map<String, Object> params = new HashMap<>();
         params.put("zoneId", zone.getId());
@@ -1218,11 +1224,9 @@ public StoragePool enablePrimaryStoragePool(Long id) {
     @ActionEvent(eventType = EventTypes.EVENT_UPDATE_PRIMARY_STORAGE, eventDescription = "update storage pool")
     public PrimaryDataStoreInfo updateStoragePool(UpdateStoragePoolCmd cmd) throws IllegalArgumentException {
         // Input validation
-        Long id = cmd.getId();
-
-        managementService.checkJsInterpretationAllowedIfNeededForParameterValue(ApiConstants.IS_TAG_A_RULE,
-                Boolean.TRUE.equals(cmd.isTagARule()));
+        jsInterpreterHelper.ensureInterpreterEnabledIfParameterProvided(ApiConstants.IS_TAG_A_RULE, Boolean.TRUE.equals(cmd.isTagARule()));
 
+        Long id = cmd.getId();
         StoragePoolVO pool = _storagePoolDao.findById(id);
         if (pool == null) {
             throw new IllegalArgumentException("Unable to find storage pool with ID: " + id);
@@ -2751,6 +2755,7 @@ protected void validateHeuristicRule(String heuristicRule) {
         if (StringUtils.isBlank(heuristicRule)) {
             throw new IllegalArgumentException("Unable to create a new secondary storage selector as the given heuristic rule is blank.");
         }
+        jsInterpreterHelper.ensureInterpreterEnabledIfParameterProvided(ApiConstants.HEURISTIC_RULE, true);
     }
 
     public void syncDatastoreClusterStoragePool(long datastoreClusterPoolId, List<ModifyStoragePoolAnswer> childDatastoreAnswerList, long hostId) {
diff --git a/server/src/main/java/com/cloud/storage/VolumeApiServiceImpl.java b/server/src/main/java/com/cloud/storage/VolumeApiServiceImpl.java
index 17961dbd955f..6872d2070d66 100644
--- a/server/src/main/java/com/cloud/storage/VolumeApiServiceImpl.java
+++ b/server/src/main/java/com/cloud/storage/VolumeApiServiceImpl.java
@@ -35,16 +35,11 @@
 
 import javax.inject.Inject;
 
-import com.cloud.projects.Project;
-import com.cloud.projects.ProjectManager;
-import com.cloud.vm.snapshot.VMSnapshot;
-import com.cloud.vm.snapshot.VMSnapshotDetailsVO;
-import com.cloud.vm.snapshot.dao.VMSnapshotDetailsDao;
-import org.apache.cloudstack.api.command.user.volume.AssignVolumeCmd;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.ApiErrorCode;
 import org.apache.cloudstack.api.InternalIdentity;
 import org.apache.cloudstack.api.ServerApiException;
+import org.apache.cloudstack.api.command.user.volume.AssignVolumeCmd;
 import org.apache.cloudstack.api.command.user.volume.AttachVolumeCmd;
 import org.apache.cloudstack.api.command.user.volume.ChangeOfferingForVolumeCmd;
 import org.apache.cloudstack.api.command.user.volume.CheckAndRepairVolumeCmd;
@@ -94,10 +89,12 @@
 import org.apache.cloudstack.framework.jobs.impl.OutcomeImpl;
 import org.apache.cloudstack.framework.jobs.impl.VmWorkJobVO;
 import org.apache.cloudstack.jobs.JobInfo;
+import org.apache.cloudstack.reservation.dao.ReservationDao;
 import org.apache.cloudstack.resourcedetail.DiskOfferingDetailVO;
 import org.apache.cloudstack.resourcedetail.SnapshotPolicyDetailVO;
 import org.apache.cloudstack.resourcedetail.dao.DiskOfferingDetailsDao;
 import org.apache.cloudstack.resourcedetail.dao.SnapshotPolicyDetailsDao;
+import org.apache.cloudstack.resourcelimit.Reserver;
 import org.apache.cloudstack.snapshot.SnapshotHelper;
 import org.apache.cloudstack.storage.command.AttachAnswer;
 import org.apache.cloudstack.storage.command.AttachCommand;
@@ -166,8 +163,12 @@
 import com.cloud.offering.DiskOffering;
 import com.cloud.org.Cluster;
 import com.cloud.org.Grouping;
+import com.cloud.projects.Project;
+import com.cloud.projects.ProjectManager;
 import com.cloud.resource.ResourceManager;
 import com.cloud.resource.ResourceState;
+import com.cloud.resourcelimit.CheckedReservation;
+import com.cloud.resourcelimit.ReservationHelper;
 import com.cloud.serializer.GsonHelper;
 import com.cloud.server.ManagementService;
 import com.cloud.server.ResourceTag;
@@ -242,8 +243,12 @@
 import com.cloud.vm.dao.UserVmDao;
 import com.cloud.vm.dao.VMInstanceDetailsDao;
 import com.cloud.vm.dao.VMInstanceDao;
+import com.cloud.vm.snapshot.VMSnapshot;
+import com.cloud.vm.snapshot.VMSnapshotDetailsVO;
 import com.cloud.vm.snapshot.VMSnapshotVO;
 import com.cloud.vm.snapshot.dao.VMSnapshotDao;
+import com.cloud.vm.snapshot.dao.VMSnapshotDetailsDao;
+
 import com.google.gson.Gson;
 import com.google.gson.GsonBuilder;
 import com.google.gson.JsonParseException;
@@ -351,10 +356,8 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
     private ManagementService managementService;
     @Inject
     protected SnapshotHelper snapshotHelper;
-
     @Inject
     protected DomainDao domainDao;
-
     @Inject
     protected ProjectManager projectManager;
     @Inject
@@ -367,7 +370,8 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
     HostPodDao podDao;
     @Inject
     EndPointSelector _epSelector;
-
+    @Inject
+    private ReservationDao reservationDao;
     @Inject
     private VMSnapshotDetailsDao vmSnapshotDetailsDao;
 
@@ -440,9 +444,17 @@ public VolumeVO uploadVolume(UploadVolumeCmd cmd) throws ResourceAllocationExcep
         Long diskOfferingId = cmd.getDiskOfferingId();
         String imageStoreUuid = cmd.getImageStoreUuid();
 
-        validateVolume(caller, ownerId, zoneId, volumeName, url, format, diskOfferingId);
+        VolumeVO volume;
 
-        VolumeVO volume = persistVolume(owner, zoneId, volumeName, url, format, diskOfferingId, Volume.State.Allocated);
+        List<Reserver> reservations = new ArrayList<>();
+        try {
+
+        validateVolume(caller, ownerId, zoneId, volumeName, url, format, diskOfferingId, reservations);
+        volume = persistVolume(owner, zoneId, volumeName, url, format, diskOfferingId, Volume.State.Allocated);
+
+        } finally {
+            ReservationHelper.closeAll(reservations);
+        }
 
         VolumeInfo vol = volFactory.getVolume(volume.getId());
 
@@ -482,80 +494,85 @@ public GetUploadParamsResponse uploadVolume(final GetUploadParamsForVolumeCmd cm
         final Long diskOfferingId = cmd.getDiskOfferingId();
         String imageStoreUuid = cmd.getImageStoreUuid();
 
-        validateVolume(caller, ownerId, zoneId, volumeName, null, format, diskOfferingId);
-
-        return Transaction.execute(new TransactionCallbackWithException<GetUploadParamsResponse, MalformedURLException>() {
-            @Override
-            public GetUploadParamsResponse doInTransaction(TransactionStatus status) throws MalformedURLException {
-
-                VolumeVO volume = persistVolume(owner, zoneId, volumeName, null, format, diskOfferingId, Volume.State.NotUploaded);
-
-                final DataStore store = _tmpltMgr.getImageStore(imageStoreUuid, zoneId, volume);
-
-                VolumeInfo vol = volFactory.getVolume(volume.getId());
-
-                RegisterVolumePayload payload = new RegisterVolumePayload(null, cmd.getChecksum(), format);
-                vol.addPayload(payload);
-
-                Pair<EndPoint, DataObject> pair = volService.registerVolumeForPostUpload(vol, store);
-                EndPoint ep = pair.first();
-                DataObject dataObject = pair.second();
-
-                GetUploadParamsResponse response = new GetUploadParamsResponse();
-
-                String ssvmUrlDomain = _configDao.getValue(Config.SecStorageSecureCopyCert.key());
-                String protocol = UseHttpsToUpload.valueIn(zoneId) ? "https" : "http";
-
-                String url = ImageStoreUtil.generatePostUploadUrl(ssvmUrlDomain, ep.getPublicAddr(), vol.getUuid(),
-                        protocol);
-                response.setPostURL(new URL(url));
-
-                // set the post url, this is used in the monitoring thread to determine the SSVM
-                VolumeDataStoreVO volumeStore = _volumeStoreDao.findByVolume(vol.getId());
-                assert (volumeStore != null) : "sincle volume is registered, volumestore cannot be null at this stage";
-                volumeStore.setExtractUrl(url);
-                _volumeStoreDao.persist(volumeStore);
-
-                response.setId(UUID.fromString(vol.getUuid()));
-
-                int timeout = ImageStoreUploadMonitorImpl.getUploadOperationTimeout();
-                DateTime currentDateTime = new DateTime(DateTimeZone.UTC);
-                String expires = currentDateTime.plusMinutes(timeout).toString();
-                response.setTimeout(expires);
-
-                String key = _configDao.getValue(Config.SSVMPSK.key());
-                /*
-                 * encoded metadata using the post upload config key
-                 */
-                TemplateOrVolumePostUploadCommand command = new TemplateOrVolumePostUploadCommand(vol.getId(),
-                        vol.getUuid(), volumeStore.getInstallPath(), cmd.getChecksum(), vol.getType().toString(),
-                        vol.getName(), vol.getFormat().toString(), dataObject.getDataStore().getUri(),
-                        dataObject.getDataStore().getRole().toString(), zoneId);
-                command.setLocalPath(volumeStore.getLocalDownloadPath());
-                //using the existing max upload size configuration
-                command.setProcessTimeout(NumbersUtil.parseLong(_configDao.getValue("vmware.package.ova.timeout"), 3600));
-                command.setMaxUploadSize(_configDao.getValue(Config.MaxUploadVolumeSize.key()));
-
-                long accountId = vol.getAccountId();
-                Account account = _accountDao.findById(accountId);
-                Domain domain = domainDao.findById(account.getDomainId());
+        List<Reserver> reservations = new ArrayList<>();
+        try {
+            validateVolume(caller, ownerId, zoneId, volumeName, null, format, diskOfferingId, reservations);
 
-                command.setDefaultMaxSecondaryStorageInGB(_resourceLimitMgr.findCorrectResourceLimitForAccountAndDomain(account, domain, ResourceType.secondary_storage, null));
-                command.setAccountId(accountId);
-                Gson gson = new GsonBuilder().create();
-                String metadata = EncryptionUtil.encodeData(gson.toJson(command), key);
-                response.setMetadata(metadata);
+            return Transaction.execute(new TransactionCallbackWithException<GetUploadParamsResponse, MalformedURLException>() {
+                @Override
+                public GetUploadParamsResponse doInTransaction(TransactionStatus status) throws MalformedURLException {
+
+                    VolumeVO volume = persistVolume(owner, zoneId, volumeName, null, format, diskOfferingId, Volume.State.NotUploaded);
+
+                    final DataStore store = _tmpltMgr.getImageStore(imageStoreUuid, zoneId, volume);
+
+                    VolumeInfo vol = volFactory.getVolume(volume.getId());
+
+                    RegisterVolumePayload payload = new RegisterVolumePayload(null, cmd.getChecksum(), format);
+                    vol.addPayload(payload);
+
+                    Pair<EndPoint, DataObject> pair = volService.registerVolumeForPostUpload(vol, store);
+                    EndPoint ep = pair.first();
+                    DataObject dataObject = pair.second();
+
+                    GetUploadParamsResponse response = new GetUploadParamsResponse();
+
+                    String ssvmUrlDomain = _configDao.getValue(Config.SecStorageSecureCopyCert.key());
+                    String protocol = UseHttpsToUpload.value() ? "https" : "http";
+
+                    String url = ImageStoreUtil.generatePostUploadUrl(ssvmUrlDomain, ep.getPublicAddr(), vol.getUuid(),  protocol);
+                    response.setPostURL(new URL(url));
+
+                    // set the post url, this is used in the monitoring thread to determine the SSVM
+                    VolumeDataStoreVO volumeStore = _volumeStoreDao.findByVolume(vol.getId());
+                    assert (volumeStore != null) : "sincle volume is registered, volumestore cannot be null at this stage";
+                    volumeStore.setExtractUrl(url);
+                    _volumeStoreDao.persist(volumeStore);
+
+                    response.setId(UUID.fromString(vol.getUuid()));
+
+                    int timeout = ImageStoreUploadMonitorImpl.getUploadOperationTimeout();
+                    DateTime currentDateTime = new DateTime(DateTimeZone.UTC);
+                    String expires = currentDateTime.plusMinutes(timeout).toString();
+                    response.setTimeout(expires);
+
+                    String key = _configDao.getValue(Config.SSVMPSK.key());
+                    /*
+                     * encoded metadata using the post upload config key
+                     */
+                    TemplateOrVolumePostUploadCommand command = new TemplateOrVolumePostUploadCommand(vol.getId(),
+                            vol.getUuid(), volumeStore.getInstallPath(), cmd.getChecksum(), vol.getType().toString(),
+                            vol.getName(), vol.getFormat().toString(), dataObject.getDataStore().getUri(),
+                            dataObject.getDataStore().getRole().toString(), zoneId);
+                    command.setLocalPath(volumeStore.getLocalDownloadPath());
+                    //using the existing max upload size configuration
+                    command.setProcessTimeout(NumbersUtil.parseLong(_configDao.getValue("vmware.package.ova.timeout"), 3600));
+                    command.setMaxUploadSize(_configDao.getValue(Config.MaxUploadVolumeSize.key()));
+
+                    long accountId = vol.getAccountId();
+                    Account account = _accountDao.findById(accountId);
+                    Domain domain = domainDao.findById(account.getDomainId());
+
+                    command.setDefaultMaxSecondaryStorageInBytes(_resourceLimitMgr.findCorrectResourceLimitForAccountAndDomain(account, domain, ResourceType.secondary_storage, null));
+                    command.setAccountId(accountId);
+                    Gson gson = new GsonBuilder().create();
+                    String metadata = EncryptionUtil.encodeData(gson.toJson(command), key);
+                    response.setMetadata(metadata);
+
+                    /*
+                     * signature calculated on the url, expiry, metadata.
+                     */
+                    response.setSignature(EncryptionUtil.generateSignature(metadata + url + expires, key));
+                    return response;
+                }
+            });
 
-                /*
-                 * signature calculated on the url, expiry, metadata.
-                 */
-                response.setSignature(EncryptionUtil.generateSignature(metadata + url + expires, key));
-                return response;
-            }
-        });
+        } finally {
+            ReservationHelper.closeAll(reservations);
+        }
     }
 
-    private boolean validateVolume(Account caller, long ownerId, Long zoneId, String volumeName, String url, String format, Long diskOfferingId) throws ResourceAllocationException {
+    private boolean validateVolume(Account caller, long ownerId, Long zoneId, String volumeName, String url, String format, Long diskOfferingId, List<Reserver> reservations) throws ResourceAllocationException {
 
         // permission check
         Account volumeOwner = _accountMgr.getActiveAccountById(ownerId);
@@ -566,7 +583,7 @@ private boolean validateVolume(Account caller, long ownerId, Long zoneId, String
         _accountMgr.checkAccess(caller, null, true, volumeOwner);
 
         // Check that the resource limit for volumes won't be exceeded
-        _resourceLimitMgr.checkVolumeResourceLimit(volumeOwner, true, null, diskOffering);
+        _resourceLimitMgr.checkVolumeResourceLimit(volumeOwner, true, null, diskOffering, reservations);
 
         // Verify that zone exists
         DataCenterVO zone = _dcDao.findById(zoneId);
@@ -940,30 +957,39 @@ public VolumeVO allocVolume(CreateVolumeCmd cmd) throws ResourceAllocationExcept
 
         Storage.ProvisioningType provisioningType = diskOffering.getProvisioningType();
 
-        // Check that the resource limit for volume & primary storage won't be exceeded
-        _resourceLimitMgr.checkVolumeResourceLimit(owner,displayVolume, size, diskOffering);
-
-        // Verify that zone exists
-        DataCenterVO zone = _dcDao.findById(zoneId);
-        if (zone == null) {
-            throw new InvalidParameterValueException("Unable to find zone by id " + zoneId);
+        List<String> tags = _resourceLimitMgr.getResourceLimitStorageTagsForResourceCountOperation(displayVolume, diskOffering);
+        if (tags.size() == 1 && tags.get(0) == null) {
+            tags = new ArrayList<>();
         }
 
-        // Check if zone is disabled
-        if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getId())) {
-            throw new PermissionDeniedException(String.format("Cannot perform this operation, Zone: %s is currently disabled", zone));
-        }
+        List<Reserver> reservations = new ArrayList<>();
+        try {
+            _resourceLimitMgr.checkVolumeResourceLimit(owner, displayVolume, size, diskOffering, reservations);
 
-        // If local storage is disabled then creation of volume with local disk
-        // offering not allowed
-        if (!zone.isLocalStorageEnabled() && diskOffering.isUseLocalStorage()) {
-            throw new InvalidParameterValueException("Zone is not configured to use local storage but volume's disk offering " + diskOffering.getName() + " uses it");
-        }
+            // Verify that zone exists
+            DataCenterVO zone = _dcDao.findById(zoneId);
+            if (zone == null) {
+                throw new InvalidParameterValueException("Unable to find zone by id " + zoneId);
+            }
+
+            // Check if zone is disabled
+            if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getId())) {
+                throw new PermissionDeniedException(String.format("Cannot perform this operation, Zone: %s is currently disabled", zone));
+            }
+
+            // If local storage is disabled then creation of volume with local disk
+            // offering not allowed
+            if (!zone.isLocalStorageEnabled() && diskOffering.isUseLocalStorage()) {
+                throw new InvalidParameterValueException("Zone is not configured to use local storage but volume's disk offering " + diskOffering.getName() + " uses it");
+            }
 
-        String userSpecifiedName = getVolumeNameFromCommand(cmd);
+            String userSpecifiedName = getVolumeNameFromCommand(cmd);
 
-        return commitVolume(cmd.getSnapshotId(), caller, owner, displayVolume, zoneId, diskOfferingId, provisioningType, size, minIops, maxIops, parentVolume, userSpecifiedName,
-                _uuidMgr.generateUuid(Volume.class, cmd.getCustomId()), details);
+            return commitVolume(cmd.getSnapshotId(), caller, owner, displayVolume, zoneId, diskOfferingId, provisioningType, size, minIops, maxIops, parentVolume, userSpecifiedName,
+                    _uuidMgr.generateUuid(Volume.class, cmd.getCustomId()), details);
+        } finally {
+            ReservationHelper.closeAll(reservations);
+        }
     }
 
     @Override
@@ -981,7 +1007,7 @@ private VolumeVO commitVolume(final Long snapshotId, final Account caller, final
         return Transaction.execute(new TransactionCallback<VolumeVO>() {
             @Override
             public VolumeVO doInTransaction(TransactionStatus status) {
-                VolumeVO volume = new VolumeVO(userSpecifiedName, -1, -1, -1, -1, new Long(-1), null, null, provisioningType, 0, Volume.Type.DATADISK);
+                VolumeVO volume = new VolumeVO(userSpecifiedName, -1, -1, -1, -1, -1L, null, null, provisioningType, 0, Volume.Type.DATADISK);
                 volume.setPoolId(null);
                 volume.setUuid(uuid);
                 volume.setDataCenterId(zoneId);
@@ -1046,6 +1072,36 @@ public boolean validateVolumeSizeInBytes(long size) {
         return true;
     }
 
+    private VolumeVO createVolumeOnStoragePool(Long volumeId, Long storageId) throws ExecutionException, InterruptedException {
+        VolumeVO volume = _volsDao.findById(volumeId);
+        StoragePool storagePool = (StoragePool) dataStoreMgr.getDataStore(storageId, DataStoreRole.Primary);
+        if (storagePool == null) {
+            throw new InvalidParameterValueException("Failed to find the storage pool: " + storageId);
+        } else if (!storagePool.getStatus().equals(StoragePoolStatus.Up)) {
+            throw new InvalidParameterValueException(String.format("Cannot create volume %s on storage pool %s as the storage pool is not in Up state.",
+                    volume.getUuid(), storagePool.getName()));
+        }
+
+        if (storagePool.getDataCenterId() != volume.getDataCenterId()) {
+            throw new InvalidParameterValueException(String.format("Cannot create volume %s in zone %s on storage pool %s in zone %s.",
+                    volume.getUuid(), volume.getDataCenterId(), storagePool.getUuid(), storagePool.getDataCenterId()));
+        }
+
+        DiskOfferingVO diskOffering = _diskOfferingDao.findById(volume.getDiskOfferingId());
+        if (!doesStoragePoolSupportDiskOffering(storagePool, diskOffering)) {
+            throw new InvalidParameterValueException(String.format("Disk offering: %s is not compatible with the storage pool", diskOffering.getUuid()));
+        }
+
+        DataStore dataStore = dataStoreMgr.getDataStore(storageId, DataStoreRole.Primary);
+        VolumeInfo volumeInfo = volFactory.getVolume(volumeId, dataStore);
+        AsyncCallFuture<VolumeApiResult> createVolumeFuture = volService.createVolumeAsync(volumeInfo, dataStore);
+        VolumeApiResult createVolumeResult = createVolumeFuture.get();
+        if (createVolumeResult.isFailed()) {
+            throw new CloudRuntimeException("Volume creation on storage failed: " + createVolumeResult.getResult());
+        }
+        return _volsDao.findById(volumeInfo.getId());
+    }
+
     @Override
     @DB
     @ActionEvent(eventType = EventTypes.EVENT_VOLUME_CREATE, eventDescription = "creating volume", async = true)
@@ -1077,6 +1133,8 @@ public VolumeVO createVolume(CreateVolumeCmd cmd) {
                         throw new CloudRuntimeException(message.toString());
                     }
                 }
+            } else if (cmd.getStorageId() != null) {
+                volume = createVolumeOnStoragePool(cmd.getEntityId(), cmd.getStorageId());
             }
             return volume;
         } catch (Exception e) {
@@ -1288,134 +1346,141 @@ public VolumeVO resizeVolume(ResizeVolumeCmd cmd) throws ResourceAllocationExcep
         if (dataStore != null && dataStore.getDriver() instanceof PrimaryDataStoreDriver) {
             newSize = ((PrimaryDataStoreDriver) dataStore.getDriver()).getVolumeSizeRequiredOnPool(newSize, null, isEncryptionRequired);
         }
-        validateVolumeResizeWithSize(volume, currentSize, newSize, shrinkOk, diskOffering, newDiskOffering);
 
-        // Note: The storage plug-in in question should perform validation on the IOPS to check if a sufficient number of IOPS is available to perform
-        // the requested change
-
-        /* If this volume has never been beyond allocated state, short circuit everything and simply update the database. */
-        // We need to publish this event to usage_volume table
-        if (volume.getState() == Volume.State.Allocated) {
-            logger.debug("Volume is in the allocated state, but has never been created. Simply updating database with new size and IOPS.");
+        List<Reserver> reservations = new ArrayList<>();
+        try {
+            validateVolumeResizeWithSize(volume, currentSize, newSize, shrinkOk, diskOffering, newDiskOffering, reservations);
 
-            volume.setSize(newSize);
-            volume.setMinIops(newMinIops);
-            volume.setMaxIops(newMaxIops);
-            volume.setHypervisorSnapshotReserve(newHypervisorSnapshotReserve);
+            // Note: The storage plug-in in question should perform validation on the IOPS to check if a sufficient number of IOPS is available to perform
+            // the requested change
 
-            if (newDiskOffering != null) {
-                volume.setDiskOfferingId(cmd.getNewDiskOfferingId());
-            }
+            /* If this volume has never been beyond allocated state, short circuit everything and simply update the database. */
+            // We need to publish this event to usage_volume table
+            if (volume.getState() == Volume.State.Allocated) {
+                logger.debug("Volume is in the allocated state, but has never been created. Simply updating database with new size and IOPS.");
 
-            _volsDao.update(volume.getId(), volume);
-            _resourceLimitMgr.updateVolumeResourceCountForDiskOfferingChange(volume.getAccountId(), volume.isDisplayVolume(), currentSize, newSize,
-                    diskOffering, newDiskOffering);
-            UsageEventUtils.publishUsageEvent(EventTypes.EVENT_VOLUME_RESIZE, volume.getAccountId(), volume.getDataCenterId(), volume.getId(), volume.getName(),
-                    volume.getDiskOfferingId(), volume.getTemplateId(), volume.getSize(), Volume.class.getName(), volume.getUuid());
-            return volume;
-        }
+                volume.setSize(newSize);
+                volume.setMinIops(newMinIops);
+                volume.setMaxIops(newMaxIops);
+                volume.setHypervisorSnapshotReserve(newHypervisorSnapshotReserve);
 
-        Long newDiskOfferingId = newDiskOffering != null ? newDiskOffering.getId() : diskOffering.getId();
+                if (newDiskOffering != null) {
+                    volume.setDiskOfferingId(cmd.getNewDiskOfferingId());
+                }
 
-        boolean volumeMigrateRequired = false;
-        List<? extends StoragePool> suitableStoragePoolsWithEnoughSpace = null;
-        StoragePoolVO storagePool = _storagePoolDao.findById(volume.getPoolId());
-        if (!storageMgr.storagePoolHasEnoughSpaceForResize(storagePool, currentSize, newSize)) {
-            if (!autoMigrateVolume) {
-                throw new CloudRuntimeException(String.format("Failed to resize volume %s since the storage pool does not have enough space to accommodate new size for the volume %s, try with automigrate set to true in order to check in the other suitable pools for the new size and then migrate & resize volume there.", volume.getUuid(), volume.getName()));
-            }
-            Pair<List<? extends StoragePool>, List<? extends StoragePool>> poolsPair = managementService.listStoragePoolsForSystemMigrationOfVolume(volume.getId(), newDiskOfferingId, currentSize, newMinIops, newMaxIops, true, false);
-            List<? extends StoragePool> suitableStoragePools = poolsPair.second();
-            if (CollectionUtils.isEmpty(poolsPair.first()) && CollectionUtils.isEmpty(poolsPair.second())) {
-                throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("Volume resize failed for volume ID: %s as no suitable pool(s) found for migrating to support new disk offering or new size", volume.getUuid()));
+                _volsDao.update(volume.getId(), volume);
+                _resourceLimitMgr.updateVolumeResourceCountForDiskOfferingChange(volume.getAccountId(), volume.isDisplayVolume(), currentSize, newSize,
+                        diskOffering, newDiskOffering);
+                UsageEventUtils.publishUsageEvent(EventTypes.EVENT_VOLUME_RESIZE, volume.getAccountId(), volume.getDataCenterId(), volume.getId(), volume.getName(),
+                        volume.getDiskOfferingId(), volume.getTemplateId(), volume.getSize(), Volume.class.getName(), volume.getUuid());
+                return volume;
             }
-            final Long newSizeFinal = newSize;
-            suitableStoragePoolsWithEnoughSpace = suitableStoragePools.stream().filter(pool -> storageMgr.storagePoolHasEnoughSpaceForResize(pool, 0L, newSizeFinal)).collect(Collectors.toList());
-            if (CollectionUtils.isEmpty(suitableStoragePoolsWithEnoughSpace)) {
-                throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("Volume resize failed for volume ID: %s as no suitable pool(s) with enough space found.", volume.getUuid()));
+
+            Long newDiskOfferingId = newDiskOffering != null ? newDiskOffering.getId() : diskOffering.getId();
+
+            boolean volumeMigrateRequired = false;
+            List<? extends StoragePool> suitableStoragePoolsWithEnoughSpace = null;
+            StoragePoolVO storagePool = _storagePoolDao.findById(volume.getPoolId());
+            if (!storageMgr.storagePoolHasEnoughSpaceForResize(storagePool, currentSize, newSize)) {
+                if (!autoMigrateVolume) {
+                    throw new CloudRuntimeException(String.format("Failed to resize volume %s since the storage pool does not have enough space to accommodate new size for the volume %s, try with automigrate set to true in order to check in the other suitable pools for the new size and then migrate & resize volume there.", volume.getUuid(), volume.getName()));
+                }
+                Pair<List<? extends StoragePool>, List<? extends StoragePool>> poolsPair = managementService.listStoragePoolsForSystemMigrationOfVolume(volume.getId(), newDiskOfferingId, currentSize, newMinIops, newMaxIops, true, false);
+                List<? extends StoragePool> suitableStoragePools = poolsPair.second();
+                if (CollectionUtils.isEmpty(poolsPair.first()) && CollectionUtils.isEmpty(poolsPair.second())) {
+                    throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("Volume resize failed for volume ID: %s as no suitable pool(s) found for migrating to support new disk offering or new size", volume.getUuid()));
+                }
+                final Long newSizeFinal = newSize;
+                suitableStoragePoolsWithEnoughSpace = suitableStoragePools.stream().filter(pool -> storageMgr.storagePoolHasEnoughSpaceForResize(pool, 0L, newSizeFinal)).collect(Collectors.toList());
+                if (CollectionUtils.isEmpty(suitableStoragePoolsWithEnoughSpace)) {
+                    throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("Volume resize failed for volume ID: %s as no suitable pool(s) with enough space found.", volume.getUuid()));
+                }
+                Collections.shuffle(suitableStoragePoolsWithEnoughSpace);
+                volumeMigrateRequired = true;
             }
-            Collections.shuffle(suitableStoragePoolsWithEnoughSpace);
-            volumeMigrateRequired = true;
-        }
 
-        boolean volumeResizeRequired = false;
-        if (currentSize != newSize || !compareEqualsIncludingNullOrZero(newMaxIops, volume.getMaxIops()) || !compareEqualsIncludingNullOrZero(newMinIops, volume.getMinIops())) {
-            volumeResizeRequired = true;
-        }
-        if (!volumeMigrateRequired && !volumeResizeRequired && newDiskOffering != null) {
-            _volsDao.updateDiskOffering(volume.getId(), newDiskOffering.getId());
-            volume = _volsDao.findById(volume.getId());
-            updateStorageWithTheNewDiskOffering(volume, newDiskOffering);
+            boolean volumeResizeRequired = false;
+            if (currentSize != newSize || !compareEqualsIncludingNullOrZero(newMaxIops, volume.getMaxIops()) || !compareEqualsIncludingNullOrZero(newMinIops, volume.getMinIops())) {
+                volumeResizeRequired = true;
+            }
+            if (!volumeMigrateRequired && !volumeResizeRequired && newDiskOffering != null) {
+                _volsDao.updateDiskOffering(volume.getId(), newDiskOffering.getId());
+                volume = _volsDao.findById(volume.getId());
+                updateStorageWithTheNewDiskOffering(volume, newDiskOffering);
 
-            return volume;
-        }
+                return volume;
+            }
 
-        if (volumeMigrateRequired) {
-            MigrateVolumeCmd migrateVolumeCmd = new MigrateVolumeCmd(volume.getId(), suitableStoragePoolsWithEnoughSpace.get(0).getId(), newDiskOfferingId, true);
-            try {
-                Volume result = migrateVolume(migrateVolumeCmd);
-                volume = (result != null) ? _volsDao.findById(result.getId()) : null;
-                if (volume == null) {
+            if (volumeMigrateRequired) {
+                MigrateVolumeCmd migrateVolumeCmd = new MigrateVolumeCmd(volume.getId(), suitableStoragePoolsWithEnoughSpace.get(0).getId(), newDiskOfferingId, true);
+                try {
+                    Volume result = migrateVolume(migrateVolumeCmd);
+                    volume = (result != null) ? _volsDao.findById(result.getId()) : null;
+                    if (volume == null) {
+                        throw new CloudRuntimeException(String.format("Volume resize operation failed for volume ID: %s as migration failed to storage pool %s accommodating new size", volume.getUuid(), suitableStoragePoolsWithEnoughSpace.get(0).getId()));
+                    }
+                } catch (Exception e) {
                     throw new CloudRuntimeException(String.format("Volume resize operation failed for volume ID: %s as migration failed to storage pool %s accommodating new size", volume.getUuid(), suitableStoragePoolsWithEnoughSpace.get(0).getId()));
                 }
-            } catch (Exception e) {
-                throw new CloudRuntimeException(String.format("Volume resize operation failed for volume ID: %s as migration failed to storage pool %s accommodating new size", volume.getUuid(), suitableStoragePoolsWithEnoughSpace.get(0).getId()));
             }
-        }
 
-        UserVmVO userVm = _userVmDao.findById(volume.getInstanceId());
+            UserVmVO userVm = _userVmDao.findById(volume.getInstanceId());
 
-        if (userVm != null) {
-            // serialize VM operation
-            AsyncJobExecutionContext jobContext = AsyncJobExecutionContext.getCurrentExecutionContext();
+            if (userVm != null) {
+                // serialize VM operation
+                AsyncJobExecutionContext jobContext = AsyncJobExecutionContext.getCurrentExecutionContext();
 
-            if (jobContext.isJobDispatchedBy(VmWorkConstants.VM_WORK_JOB_DISPATCHER)) {
-                // avoid re-entrance
+                if (jobContext.isJobDispatchedBy(VmWorkConstants.VM_WORK_JOB_DISPATCHER)) {
+                    // avoid re-entrance
 
-                VmWorkJobVO placeHolder = null;
+                    VmWorkJobVO placeHolder = null;
 
-                placeHolder = createPlaceHolderWork(userVm.getId());
+                    placeHolder = createPlaceHolderWork(userVm.getId());
 
-                try {
-                    return orchestrateResizeVolume(volume.getId(), currentSize, newSize, newMinIops, newMaxIops, newHypervisorSnapshotReserve,
+                    try {
+                        return orchestrateResizeVolume(volume.getId(), currentSize, newSize, newMinIops, newMaxIops, newHypervisorSnapshotReserve,
+                                newDiskOffering != null ? cmd.getNewDiskOfferingId() : null, shrinkOk);
+                    } finally {
+                        _workJobDao.expunge(placeHolder.getId());
+                    }
+                } else {
+                    Outcome<Volume> outcome = resizeVolumeThroughJobQueue(userVm.getId(), volume.getId(), currentSize, newSize, newMinIops, newMaxIops, newHypervisorSnapshotReserve,
                             newDiskOffering != null ? cmd.getNewDiskOfferingId() : null, shrinkOk);
-                } finally {
-                    _workJobDao.expunge(placeHolder.getId());
-                }
-            } else {
-                Outcome<Volume> outcome = resizeVolumeThroughJobQueue(userVm.getId(), volume.getId(), currentSize, newSize, newMinIops, newMaxIops, newHypervisorSnapshotReserve,
-                        newDiskOffering != null ? cmd.getNewDiskOfferingId() : null, shrinkOk);
 
-                try {
-                    outcome.get();
-                } catch (InterruptedException e) {
-                    throw new RuntimeException("Operation was interrupted", e);
-                } catch (ExecutionException e) {
-                    throw new RuntimeException("Execution exception", e);
-                }
-
-                Object jobResult = _jobMgr.unmarshallResultObject(outcome.getJob());
+                    try {
+                        outcome.get();
+                    } catch (InterruptedException e) {
+                        throw new RuntimeException("Operation was interrupted", e);
+                    } catch (ExecutionException e) {
+                        throw new RuntimeException("Execution exception", e);
+                    }
 
-                if (jobResult != null) {
-                    if (jobResult instanceof ConcurrentOperationException) {
-                        throw (ConcurrentOperationException) jobResult;
-                    } else if (jobResult instanceof ResourceAllocationException) {
-                        throw (ResourceAllocationException) jobResult;
-                    } else if (jobResult instanceof RuntimeException) {
-                        throw (RuntimeException) jobResult;
-                    } else if (jobResult instanceof Throwable) {
-                        throw new RuntimeException("Unexpected exception", (Throwable) jobResult);
-                    } else if (jobResult instanceof Long) {
-                        return _volsDao.findById((Long) jobResult);
+                    Object jobResult = _jobMgr.unmarshallResultObject(outcome.getJob());
+
+                    if (jobResult != null) {
+                        if (jobResult instanceof ConcurrentOperationException) {
+                            throw (ConcurrentOperationException) jobResult;
+                        } else if (jobResult instanceof ResourceAllocationException) {
+                            throw (ResourceAllocationException) jobResult;
+                        } else if (jobResult instanceof RuntimeException) {
+                            throw (RuntimeException) jobResult;
+                        } else if (jobResult instanceof Throwable) {
+                            throw new RuntimeException("Unexpected exception", (Throwable) jobResult);
+                        } else if (jobResult instanceof Long) {
+                            return _volsDao.findById((Long) jobResult);
+                        }
                     }
-                }
 
-                return volume;
+                    return volume;
+                }
             }
-        }
 
-        return orchestrateResizeVolume(volume.getId(), currentSize, newSize, newMinIops, newMaxIops, newHypervisorSnapshotReserve, newDiskOffering != null ? cmd.getNewDiskOfferingId() : null,
-                shrinkOk);
+            return orchestrateResizeVolume(volume.getId(), currentSize, newSize, newMinIops, newMaxIops, newHypervisorSnapshotReserve, newDiskOffering != null ? cmd.getNewDiskOfferingId() : null,
+                    shrinkOk);
+
+        } finally {
+            ReservationHelper.closeAll(reservations);
+        }
     }
 
     protected void validateNoVmSnapshots(VolumeVO volume) {
@@ -1699,10 +1764,10 @@ protected VolumeVO retrieveAndValidateVolume(long volumeId, Account caller) {
      *
      * A volume can be destroyed if it is not in any of the following states.
      * <ul>
-     *  <li> {@value Volume.State#Destroy};
-     *  <li> {@value Volume.State#Expunging};
-     *  <li> {@value Volume.State#Expunged};
-     *  <li> {@value Volume.State#Allocated}.
+     *  <li> {code}Volume.State#Destroy{code};
+     *  <li> {code}Volume.State#Expunging{code};
+     *  <li> {code}Volume.State#Expunged{code};
+     *  <li> {code}Volume.State#Allocated{code}.
      * </ul>
      *
      * The volume is destroyed via {@link VolumeService#destroyVolume(long)} method.
@@ -1872,24 +1937,29 @@ public Volume recoverVolume(long volumeId) {
             throw new InvalidParameterValueException("Please specify a volume in Destroy state.");
         }
 
+        DiskOffering diskOffering = _diskOfferingDao.findById(volume.getDiskOfferingId());
+
+        List<Reserver> reservations = new ArrayList<>();
         try {
-            _resourceLimitMgr.checkResourceLimit(_accountMgr.getAccount(volume.getAccountId()), ResourceType.primary_storage, volume.isDisplayVolume(), volume.getSize());
+            _resourceLimitMgr.checkVolumeResourceLimit(_accountMgr.getAccount(volume.getAccountId()), volume.isDisplayVolume(), volume.getSize(), diskOffering, reservations);
+
+            try {
+                _volsDao.detachVolume(volume.getId());
+                stateTransitTo(volume, Volume.Event.RecoverRequested);
+            } catch (NoTransitionException e) {
+                logger.debug("Failed to recover volume {}", volume, e);
+                throw new CloudRuntimeException(String.format("Failed to recover volume %s", volume), e);
+            }
+            _resourceLimitMgr.incrementVolumeResourceCount(volume.getAccountId(), volume.isDisplay(),
+                    volume.getSize(), _diskOfferingDao.findById(volume.getDiskOfferingId()));
+
         } catch (ResourceAllocationException e) {
             logger.error("primary storage resource limit check failed", e);
             throw new InvalidParameterValueException(e.getMessage());
+        } finally {
+            ReservationHelper.closeAll(reservations);
         }
 
-        try {
-            _volsDao.detachVolume(volume.getId());
-            stateTransitTo(volume, Volume.Event.RecoverRequested);
-        } catch (NoTransitionException e) {
-            logger.debug("Failed to recover volume {}", volume, e);
-            throw new CloudRuntimeException(String.format("Failed to recover volume %s", volume), e);
-        }
-        _resourceLimitMgr.incrementVolumeResourceCount(volume.getAccountId(), volume.isDisplay(),
-                volume.getSize(), _diskOfferingDao.findById(volume.getDiskOfferingId()));
-
-
         publishVolumeCreationUsageEvent(volume);
 
         return volume;
@@ -2118,98 +2188,145 @@ public Volume changeDiskOfferingForVolumeInternal(Long volumeId, Long newDiskOff
             newSize = ((PrimaryDataStoreDriver) dataStore.getDriver()).getVolumeSizeRequiredOnPool(newSize, null, newDiskOffering.getEncrypt());
         }
 
-        validateVolumeResizeWithSize(volume, currentSize, newSize, shrinkOk, existingDiskOffering, newDiskOffering);
+        List<Reserver> reservations = new ArrayList<>();
+        try {
+            validateVolumeResizeWithSize(volume, currentSize, newSize, shrinkOk, existingDiskOffering, newDiskOffering, reservations);
 
-        /* If this volume has never been beyond allocated state, short circuit everything and simply update the database. */
-        // We need to publish this event to usage_volume table
-        if (volume.getState() == Volume.State.Allocated) {
-            logger.debug("Volume {} is in the allocated state, but has never been created. Simply updating database with new size and IOPS.", volume);
+            /* If this volume has never been beyond allocated state, short circuit everything and simply update the database. */
+            // We need to publish this event to usage_volume table
+            if (volume.getState() == Volume.State.Allocated) {
+                logger.debug("Volume {} is in the allocated state, but has never been created. Simply updating database with new size and IOPS.", volume);
 
-            volume.setSize(newSize);
-            volume.setMinIops(newMinIops);
-            volume.setMaxIops(newMaxIops);
-            volume.setHypervisorSnapshotReserve(newHypervisorSnapshotReserve);
+                volume.setSize(newSize);
+                volume.setMinIops(newMinIops);
+                volume.setMaxIops(newMaxIops);
+                volume.setHypervisorSnapshotReserve(newHypervisorSnapshotReserve);
 
-            if (newDiskOffering != null) {
-                volume.setDiskOfferingId(newDiskOfferingId);
-                _volumeMgr.saveVolumeDetails(newDiskOfferingId, volume.getId());
-            }
+                if (newDiskOffering != null) {
+                    volume.setDiskOfferingId(newDiskOfferingId);
+                    _volumeMgr.saveVolumeDetails(newDiskOfferingId, volume.getId());
+                }
 
-            _volsDao.update(volume.getId(), volume);
-            _resourceLimitMgr.updateVolumeResourceCountForDiskOfferingChange(volume.getAccountId(), volume.isDisplayVolume(), currentSize, newSize,
-                    existingDiskOffering, newDiskOffering);
+                _volsDao.update(volume.getId(), volume);
+                _resourceLimitMgr.updateVolumeResourceCountForDiskOfferingChange(volume.getAccountId(), volume.isDisplayVolume(), currentSize, newSize,
+                        existingDiskOffering, newDiskOffering);
 
-            if (currentSize != newSize) {
-                UsageEventUtils.publishUsageEvent(EventTypes.EVENT_VOLUME_RESIZE, volume.getAccountId(), volume.getDataCenterId(), volume.getId(), volume.getName(),
-                        volume.getDiskOfferingId(), volume.getTemplateId(), volume.getSize(), Volume.class.getName(), volume.getUuid());
+                if (currentSize != newSize) {
+                    UsageEventUtils.publishUsageEvent(EventTypes.EVENT_VOLUME_RESIZE, volume.getAccountId(), volume.getDataCenterId(), volume.getId(), volume.getName(),
+                            volume.getDiskOfferingId(), volume.getTemplateId(), volume.getSize(), Volume.class.getName(), volume.getUuid());
+                }
+                return volume;
             }
-            return volume;
-        }
+            if (currentSize != newSize || !compareEqualsIncludingNullOrZero(newMaxIops, volume.getMaxIops()) || !compareEqualsIncludingNullOrZero(newMinIops, volume.getMinIops())) {
+                volumeResizeRequired = true;
+                validateVolumeReadyStateAndHypervisorChecks(volume, currentSize, newSize);
+            }
+            StoragePoolVO existingStoragePool = _storagePoolDao.findById(volume.getPoolId());
 
-        if (currentSize != newSize || !compareEqualsIncludingNullOrZero(newMaxIops, volume.getMaxIops()) || !compareEqualsIncludingNullOrZero(newMinIops, volume.getMinIops())) {
-            volumeResizeRequired = true;
-            validateVolumeReadyStateAndHypervisorChecks(volume, currentSize, newSize);
-        }
+            Pair<List<? extends StoragePool>, List<? extends StoragePool>> poolsPair = managementService.listStoragePoolsForSystemMigrationOfVolume(volume.getId(), newDiskOffering.getId(), currentSize, newMinIops, newMaxIops, true, false);
+            List<? extends StoragePool> suitableStoragePools = poolsPair.second();
+            if (!suitableStoragePools.stream().anyMatch(p -> (p.getId() == existingStoragePool.getId()))) {
+                volumeMigrateRequired = true;
+                if (!autoMigrateVolume) {
+                    throw new InvalidParameterValueException(String.format("Failed to change offering for volume %s since automigrate is set to false but volume needs to migrated", volume.getUuid()));
+                }
+            }
 
-        StoragePoolVO existingStoragePool = _storagePoolDao.findById(volume.getPoolId());
+            if (!volumeMigrateRequired && !volumeResizeRequired) {
+                _volsDao.updateDiskOffering(volume.getId(), newDiskOffering.getId());
+                volume = _volsDao.findById(volume.getId());
+                updateStorageWithTheNewDiskOffering(volume, newDiskOffering);
 
-        Pair<List<? extends StoragePool>, List<? extends StoragePool>> poolsPair = managementService.listStoragePoolsForSystemMigrationOfVolume(volume.getId(), newDiskOffering.getId(), currentSize, newMinIops, newMaxIops, true, false);
-        List<? extends StoragePool> suitableStoragePools = poolsPair.second();
+                return volume;
+            }
 
-        if (!suitableStoragePools.stream().anyMatch(p -> (p.getId() == existingStoragePool.getId()))) {
-            volumeMigrateRequired = true;
-            if (!autoMigrateVolume) {
-                throw new InvalidParameterValueException(String.format("Failed to change offering for volume %s since automigrate is set to false but volume needs to migrated", volume.getUuid()));
+            if (volumeMigrateRequired) {
+                if (CollectionUtils.isEmpty(poolsPair.first()) && CollectionUtils.isEmpty(poolsPair.second())) {
+                    throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("Volume change offering operation failed for volume: %s as no suitable pool(s) found for migrating to support new disk offering", volume));
+                }
+                final Long newSizeFinal = newSize;
+                List<? extends StoragePool> suitableStoragePoolsWithEnoughSpace = suitableStoragePools.stream().filter(pool -> storageMgr.storagePoolHasEnoughSpaceForResize(pool, 0L, newSizeFinal)).collect(Collectors.toList());
+                if (CollectionUtils.isEmpty(suitableStoragePoolsWithEnoughSpace)) {
+                    throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("Volume change offering operation failed for volume: %s as no suitable pool(s) with enough space found for volume migration.", volume));
+                }
+                Collections.shuffle(suitableStoragePoolsWithEnoughSpace);
+                MigrateVolumeCmd migrateVolumeCmd = new MigrateVolumeCmd(volume.getId(), suitableStoragePoolsWithEnoughSpace.get(0).getId(), newDiskOffering.getId(), true);
+                String volumeUuid = volume.getUuid();
+                try {
+                    Volume result = migrateVolume(migrateVolumeCmd);
+                    volume = (result != null) ? _volsDao.findById(result.getId()) : null;
+                    if (volume == null) {
+                        throw new CloudRuntimeException("Change offering for the volume failed.");
+                    }
+                } catch (Exception e) {
+                    logger.error("Volume change offering operation failed for volume ID: {} migration failed to storage pool {} due to {}", volumeUuid, suitableStoragePoolsWithEnoughSpace.get(0).getId(), e.getMessage());
+                    throw new CloudRuntimeException("Change offering for the volume failed.", e);
+                }
             }
-        }
 
-        if (!volumeMigrateRequired && !volumeResizeRequired) {
-            _volsDao.updateDiskOffering(volume.getId(), newDiskOffering.getId());
-            volume = _volsDao.findById(volume.getId());
-            updateStorageWithTheNewDiskOffering(volume, newDiskOffering);
+            if (volumeResizeRequired) {
+                // refresh volume data
+                volume = _volsDao.findById(volume.getId());
+                try {
+                    volume = resizeVolumeInternal(volume, newDiskOffering, currentSize, newSize, newMinIops, newMaxIops, newHypervisorSnapshotReserve, shrinkOk);
+                } catch (Exception e) {
+                    if (volumeMigrateRequired) {
+                        logger.warn(String.format("Volume change offering operation succeeded for volume ID: %s but volume resize operation failed, so please try resize volume operation separately", volume.getUuid()));
+                    } else {
+                        throw new CloudRuntimeException(String.format("Volume disk offering change operation failed for volume ID [%s] because the volume resize operation failed.", volume.getUuid()));
+                    }
+                }
+            }
 
-            return volume;
-        }
+            if (!volumeMigrateRequired && !volumeResizeRequired) {
+                _volsDao.updateDiskOffering(volume.getId(), newDiskOffering.getId());
+                volume = _volsDao.findById(volume.getId());
+                updateStorageWithTheNewDiskOffering(volume, newDiskOffering);
 
-        if (volumeMigrateRequired) {
-            if (CollectionUtils.isEmpty(poolsPair.first()) && CollectionUtils.isEmpty(poolsPair.second())) {
-                throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("Volume change offering operation failed for volume: %s as no suitable pool(s) found for migrating to support new disk offering", volume));
-            }
-            final Long newSizeFinal = newSize;
-            List<? extends StoragePool> suitableStoragePoolsWithEnoughSpace = suitableStoragePools.stream().filter(pool -> storageMgr.storagePoolHasEnoughSpaceForResize(pool, 0L, newSizeFinal)).collect(Collectors.toList());
-            if (CollectionUtils.isEmpty(suitableStoragePoolsWithEnoughSpace)) {
-                throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("Volume change offering operation failed for volume: %s as no suitable pool(s) with enough space found for volume migration.", volume));
+                return volume;
             }
-            Collections.shuffle(suitableStoragePoolsWithEnoughSpace);
-            MigrateVolumeCmd migrateVolumeCmd = new MigrateVolumeCmd(volume.getId(), suitableStoragePoolsWithEnoughSpace.get(0).getId(), newDiskOffering.getId(), true);
-            String volumeUuid = volume.getUuid();
-            try {
-                Volume result = migrateVolume(migrateVolumeCmd);
-                volume = (result != null) ? _volsDao.findById(result.getId()) : null;
-                if (volume == null) {
-                    throw new CloudRuntimeException("Change offering for the volume failed.");
+
+            if (volumeMigrateRequired) {
+                if (CollectionUtils.isEmpty(poolsPair.first()) && CollectionUtils.isEmpty(poolsPair.second())) {
+                    throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("Volume change offering operation failed for volume: %s as no suitable pool(s) found for migrating to support new disk offering", volume));
+                }
+                final Long newSizeFinal = newSize;
+                List<? extends StoragePool> suitableStoragePoolsWithEnoughSpace = suitableStoragePools.stream().filter(pool -> storageMgr.storagePoolHasEnoughSpaceForResize(pool, 0L, newSizeFinal)).collect(Collectors.toList());
+                if (CollectionUtils.isEmpty(suitableStoragePoolsWithEnoughSpace)) {
+                    throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("Volume change offering operation failed for volume: %s as no suitable pool(s) with enough space found for volume migration.", volume));
+                }
+                Collections.shuffle(suitableStoragePoolsWithEnoughSpace);
+                MigrateVolumeCmd migrateVolumeCmd = new MigrateVolumeCmd(volume.getId(), suitableStoragePoolsWithEnoughSpace.get(0).getId(), newDiskOffering.getId(), true);
+                try {
+                    Volume result = migrateVolume(migrateVolumeCmd);
+                    volume = (result != null) ? _volsDao.findById(result.getId()) : null;
+                    if (volume == null) {
+                        throw new CloudRuntimeException(String.format("Volume change offering operation failed for volume: %s migration failed to storage pool %s", volume, suitableStoragePools.get(0)));
+                    }
+                } catch (Exception e) {
+                    throw new CloudRuntimeException(String.format("Volume change offering operation failed for volume: %s migration failed to storage pool %s due to %s", volume, suitableStoragePools.get(0), e.getMessage()));
                 }
-            } catch (Exception e) {
-                logger.error("Volume change offering operation failed for volume ID: {} migration failed to storage pool {} due to {}", volumeUuid, suitableStoragePoolsWithEnoughSpace.get(0).getId(), e.getMessage());
-                throw new CloudRuntimeException("Change offering for the volume failed.", e);
             }
-        }
 
-        if (volumeResizeRequired) {
-            // refresh volume data
-            volume = _volsDao.findById(volume.getId());
-            try {
-                volume = resizeVolumeInternal(volume, newDiskOffering, currentSize, newSize, newMinIops, newMaxIops, newHypervisorSnapshotReserve, shrinkOk);
-            } catch (Exception e) {
-                if (volumeMigrateRequired) {
-                    logger.warn(String.format("Volume change offering operation succeeded for volume ID: %s but volume resize operation failed, so please try resize volume operation separately", volume.getUuid()));
-                } else {
-                    throw new CloudRuntimeException(String.format("Volume disk offering change operation failed for volume ID [%s] because the volume resize operation failed.", volume.getUuid()));
+            if (volumeResizeRequired) {
+                // refresh volume data
+                volume = _volsDao.findById(volume.getId());
+                try {
+                    volume = resizeVolumeInternal(volume, newDiskOffering, currentSize, newSize, newMinIops, newMaxIops, newHypervisorSnapshotReserve, shrinkOk);
+                } catch (Exception e) {
+                    if (volumeMigrateRequired) {
+                        logger.warn(String.format("Volume change offering operation succeeded for volume ID: %s but volume resize operation failed, so please try resize volume operation separately", volume.getUuid()));
+                    } else {
+                        throw new CloudRuntimeException(String.format("Volume change offering operation failed for volume ID: %s due to resize volume operation failed", volume.getUuid()));
+                    }
                 }
             }
-        }
 
-        return volume;
+            return volume;
+
+        } finally {
+            ReservationHelper.closeAll(reservations);
+        }
     }
 
     private void updateStorageWithTheNewDiskOffering(VolumeVO volume, DiskOfferingVO newDiskOffering) {
@@ -2415,7 +2532,7 @@ private void checkIfVolumeCanResizeWithNewDiskOffering(VolumeVO volume, DiskOffe
     }
 
     private void validateVolumeResizeWithSize(VolumeVO volume, long currentSize, Long newSize, boolean shrinkOk,
-            DiskOfferingVO existingDiskOffering, DiskOfferingVO newDiskOffering) throws ResourceAllocationException {
+            DiskOfferingVO existingDiskOffering, DiskOfferingVO newDiskOffering, List<Reserver> reservations) throws ResourceAllocationException {
 
         // if the caller is looking to change the size of the volume
         if (newSize != null && currentSize != newSize) {
@@ -2480,7 +2597,7 @@ private void validateVolumeResizeWithSize(VolumeVO volume, long currentSize, Lon
         /* Check resource limit for this account */
         _resourceLimitMgr.checkVolumeResourceLimitForDiskOfferingChange(_accountMgr.getAccount(volume.getAccountId()),
                 volume.isDisplayVolume(), currentSize, newSize != null ? newSize : currentSize,
-                existingDiskOffering, newDiskOffering);
+                existingDiskOffering, newDiskOffering, reservations);
     }
 
     @Override
@@ -2659,7 +2776,7 @@ public Volume attachVolumeToVM(Long vmId, Long volumeId, Long deviceId, Boolean
 
         checkForBackups(vm, true);
 
-        checkRightsToAttach(caller, volumeToAttach, vm);
+        _accountMgr.checkAccess(caller, null, true, volumeToAttach, vm);
 
         StoragePoolVO volumeToAttachStoragePool = _storagePoolDao.findById(volumeToAttach.getPoolId());
         if (logger.isTraceEnabled() && volumeToAttachStoragePool != null) {
@@ -2683,16 +2800,34 @@ public Volume attachVolumeToVM(Long vmId, Long volumeId, Long deviceId, Boolean
             throw new InvalidParameterValueException("Volume's disk offering has encryption enabled, but volume encryption is not supported for hypervisor type " + rootDiskHyperType);
         }
 
-        _jobMgr.updateAsyncJobAttachment(job.getId(), "Volume", volumeId);
+        Account owner = _accountDao.findById(volumeToAttach.getAccountId());
+        List<String> resourceLimitStorageTags = _resourceLimitMgr.getResourceLimitStorageTagsForResourceCountOperation(true, diskOffering);
+        Long requiredPrimaryStorageSpace = getRequiredPrimaryStorageSizeForVolumeAttach(resourceLimitStorageTags, volumeToAttach);
 
-        if (asyncExecutionContext.isJobDispatchedBy(VmWorkConstants.VM_WORK_JOB_DISPATCHER)) {
-            return safelyOrchestrateAttachVolume(vmId, volumeId, deviceId);
-        } else {
-            return getVolumeAttachJobResult(vmId, volumeId, deviceId);
+        try (CheckedReservation primaryStorageReservation = new CheckedReservation(owner, ResourceType.primary_storage, resourceLimitStorageTags, requiredPrimaryStorageSpace, reservationDao, _resourceLimitMgr)) {
+
+            _jobMgr.updateAsyncJobAttachment(job.getId(), "Volume", volumeId);
+
+            if (asyncExecutionContext.isJobDispatchedBy(VmWorkConstants.VM_WORK_JOB_DISPATCHER)) {
+                return safelyOrchestrateAttachVolume(vmId, volumeId, deviceId);
+            } else {
+                return getVolumeAttachJobResult(vmId, volumeId, deviceId);
+            }
+
+        } catch (ResourceAllocationException e) {
+            logger.error("primary storage resource limit check failed", e);
+            throw new InvalidParameterValueException(e.getMessage());
+        }
+    }
+
+    protected Long getRequiredPrimaryStorageSizeForVolumeAttach(List<String> resourceLimitStorageTags, VolumeInfo volumeToAttach) {
+        if (CollectionUtils.isEmpty(resourceLimitStorageTags) || Arrays.asList(Volume.State.Allocated, Volume.State.Ready).contains(volumeToAttach.getState())) {
+            return 0L;
         }
+        return volumeToAttach.getSize();
     }
 
-    @Nullable private Volume getVolumeAttachJobResult(Long vmId, Long volumeId, Long deviceId) {
+    @Nullable protected Volume getVolumeAttachJobResult(Long vmId, Long volumeId, Long deviceId) {
         Outcome<Volume> outcome = attachVolumeToVmThroughJobQueue(vmId, volumeId, deviceId);
 
         Volume vol = null;
@@ -2741,21 +2876,6 @@ private void checkForMatchingHypervisorTypesIf(boolean checkNeeded, HypervisorTy
         }
     }
 
-    private void checkRightsToAttach(Account caller, VolumeInfo volumeToAttach, UserVmVO vm) {
-        _accountMgr.checkAccess(caller, null, true, volumeToAttach, vm);
-
-        Account owner = _accountDao.findById(volumeToAttach.getAccountId());
-
-        if (!Arrays.asList(Volume.State.Allocated, Volume.State.Ready).contains(volumeToAttach.getState())) {
-            try {
-                _resourceLimitMgr.checkResourceLimit(owner, ResourceType.primary_storage, volumeToAttach.getSize());
-            } catch (ResourceAllocationException e) {
-                logger.error("primary storage resource limit check failed", e);
-                throw new InvalidParameterValueException(e.getMessage());
-            }
-        }
-    }
-
     private void checkForVMSnapshots(Long vmId, UserVmVO vm) {
         // if target VM has associated VM snapshots
         List<VMSnapshotVO> vmSnapshots = _vmSnapshotDao.findByVm(vmId);
@@ -4321,16 +4441,22 @@ public Volume assignVolumeToAccount(AssignVolumeCmd command) throws ResourceAllo
         _accountMgr.checkAccess(caller, null, true, oldAccount);
         _accountMgr.checkAccess(caller, null, true, newAccount);
 
-        _resourceLimitMgr.checkVolumeResourceLimit(newAccount, true, volume.getSize(), _diskOfferingDao.findById(volume.getDiskOfferingId()));
+        List<Reserver> reservations = new ArrayList<>();
+        try {
+        _resourceLimitMgr.checkVolumeResourceLimit(newAccount, true, volume.getSize(), _diskOfferingDao.findById(volume.getDiskOfferingId()), reservations);
 
-        Transaction.execute(new TransactionCallbackNoReturn() {
-            @Override
-            public void doInTransactionWithoutResult(TransactionStatus status) {
-                updateVolumeAccount(oldAccount, volume, newAccount);
-            }
-        });
+            Transaction.execute(new TransactionCallbackNoReturn() {
+                @Override
+                public void doInTransactionWithoutResult(TransactionStatus status) {
+                    updateVolumeAccount(oldAccount, volume, newAccount);
+                }
+            });
 
         return volume;
+
+        } finally {
+            ReservationHelper.closeAll(reservations);
+        }
     }
 
     protected void updateVolumeAccount(Account oldAccount, VolumeVO volume, Account newAccount) {
@@ -5287,20 +5413,20 @@ private Pair<JobInfo.Status, String> orchestrateExtractVolume(VmWorkExtractVolum
     private Pair<JobInfo.Status, String> orchestrateAttachVolumeToVM(VmWorkAttachVolume work) throws Exception {
         Volume vol = orchestrateAttachVolumeToVM(work.getVmId(), work.getVolumeId(), work.getDeviceId());
 
-        return new Pair<JobInfo.Status, String>(JobInfo.Status.SUCCEEDED, _jobMgr.marshallResultObject(new Long(vol.getId())));
+        return new Pair<JobInfo.Status, String>(JobInfo.Status.SUCCEEDED, _jobMgr.marshallResultObject(vol.getId()));
     }
 
     @ReflectionUse
     private Pair<JobInfo.Status, String> orchestrateDetachVolumeFromVM(VmWorkDetachVolume work) throws Exception {
         Volume vol = orchestrateDetachVolumeFromVM(work.getVmId(), work.getVolumeId());
-        return new Pair<JobInfo.Status, String>(JobInfo.Status.SUCCEEDED, _jobMgr.marshallResultObject(new Long(vol.getId())));
+        return new Pair<JobInfo.Status, String>(JobInfo.Status.SUCCEEDED, _jobMgr.marshallResultObject(vol.getId()));
     }
 
     @ReflectionUse
     private Pair<JobInfo.Status, String> orchestrateResizeVolume(VmWorkResizeVolume work) throws Exception {
         Volume vol = orchestrateResizeVolume(work.getVolumeId(), work.getCurrentSize(), work.getNewSize(), work.getNewMinIops(), work.getNewMaxIops(), work.getNewHypervisorSnapshotReserve(),
                 work.getNewServiceOfferingId(), work.isShrinkOk());
-        return new Pair<JobInfo.Status, String>(JobInfo.Status.SUCCEEDED, _jobMgr.marshallResultObject(new Long(vol.getId())));
+        return new Pair<JobInfo.Status, String>(JobInfo.Status.SUCCEEDED, _jobMgr.marshallResultObject(vol.getId()));
     }
 
     @ReflectionUse
diff --git a/server/src/main/java/com/cloud/storage/download/DownloadActiveState.java b/server/src/main/java/com/cloud/storage/download/DownloadActiveState.java
index 889ffbc0b1ce..35b23985dd20 100644
--- a/server/src/main/java/com/cloud/storage/download/DownloadActiveState.java
+++ b/server/src/main/java/com/cloud/storage/download/DownloadActiveState.java
@@ -95,6 +95,11 @@ public String handleAbort() {
         return Status.ABANDONED.toString();
     }
 
+    @Override
+    public String handleLimitReached() {
+        return Status.LIMIT_REACHED.toString();
+    }
+
     @Override
     public String handleDisconnect() {
 
diff --git a/server/src/main/java/com/cloud/storage/download/DownloadErrorState.java b/server/src/main/java/com/cloud/storage/download/DownloadErrorState.java
index a0834456a2d0..5dddefb01924 100644
--- a/server/src/main/java/com/cloud/storage/download/DownloadErrorState.java
+++ b/server/src/main/java/com/cloud/storage/download/DownloadErrorState.java
@@ -60,6 +60,11 @@ public String handleAbort() {
         return Status.ABANDONED.toString();
     }
 
+    @Override
+    public String handleLimitReached() {
+        return Status.LIMIT_REACHED.toString();
+    }
+
     @Override
     public String getName() {
         return Status.DOWNLOAD_ERROR.toString();
diff --git a/server/src/main/java/com/cloud/storage/download/DownloadInactiveState.java b/server/src/main/java/com/cloud/storage/download/DownloadInactiveState.java
index 8fee3d0437c1..69d46879ebeb 100644
--- a/server/src/main/java/com/cloud/storage/download/DownloadInactiveState.java
+++ b/server/src/main/java/com/cloud/storage/download/DownloadInactiveState.java
@@ -36,6 +36,12 @@ public String handleAbort() {
         return getName();
     }
 
+    @Override
+    public String handleLimitReached() {
+        // ignore and stay put
+        return getName();
+    }
+
     @Override
     public String handleDisconnect() {
         //ignore and stay put
diff --git a/server/src/main/java/com/cloud/storage/download/DownloadLimitReachedState.java b/server/src/main/java/com/cloud/storage/download/DownloadLimitReachedState.java
new file mode 100644
index 000000000000..8ce5668299e6
--- /dev/null
+++ b/server/src/main/java/com/cloud/storage/download/DownloadLimitReachedState.java
@@ -0,0 +1,54 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.storage.download;
+
+import org.apache.cloudstack.storage.command.DownloadProgressCommand.RequestType;
+import org.apache.logging.log4j.Level;
+
+import com.cloud.agent.api.storage.DownloadAnswer;
+import com.cloud.storage.VMTemplateStorageResourceAssoc.Status;
+
+public class DownloadLimitReachedState extends DownloadInactiveState {
+
+    public DownloadLimitReachedState(DownloadListener dl) {
+        super(dl);
+    }
+
+    @Override
+    public String getName() {
+        return Status.LIMIT_REACHED.toString();
+    }
+
+    @Override
+    public String handleEvent(DownloadEvent event, Object eventObj) {
+        if (logger.isTraceEnabled()) {
+            getDownloadListener().log("handleEvent, event type=" + event + ", curr state=" + getName(), Level.TRACE);
+        }
+        return Status.LIMIT_REACHED.toString();
+    }
+
+    @Override
+    public void onEntry(String prevState, DownloadEvent event, Object evtObj) {
+        if (!prevState.equalsIgnoreCase(getName())) {
+            DownloadAnswer answer = new DownloadAnswer("Storage Limit Reached", Status.LIMIT_REACHED);
+            getDownloadListener().callback(answer);
+            getDownloadListener().cancelStatusTask();
+            getDownloadListener().cancelTimeoutTask();
+            getDownloadListener().scheduleImmediateStatusCheck(RequestType.PURGE);
+        }
+    }
+}
diff --git a/server/src/main/java/com/cloud/storage/download/DownloadListener.java b/server/src/main/java/com/cloud/storage/download/DownloadListener.java
index 42b0e394db4c..a35f4391b0a2 100644
--- a/server/src/main/java/com/cloud/storage/download/DownloadListener.java
+++ b/server/src/main/java/com/cloud/storage/download/DownloadListener.java
@@ -25,6 +25,15 @@
 
 import javax.inject.Inject;
 
+import com.cloud.configuration.Resource;
+import com.cloud.resourcelimit.CheckedReservation;
+import com.cloud.storage.VMTemplateVO;
+import com.cloud.storage.VolumeVO;
+import com.cloud.storage.dao.VMTemplateDao;
+import com.cloud.storage.dao.VolumeDao;
+import com.cloud.user.Account;
+import com.cloud.user.AccountManager;
+import com.cloud.user.ResourceLimitService;
 import org.apache.cloudstack.engine.subsystem.api.storage.DataObject;
 import org.apache.cloudstack.engine.subsystem.api.storage.DataStore;
 import org.apache.cloudstack.engine.subsystem.api.storage.DataStoreManager;
@@ -34,10 +43,13 @@
 import org.apache.cloudstack.engine.subsystem.api.storage.ZoneScope;
 import org.apache.cloudstack.framework.async.AsyncCompletionCallback;
 import org.apache.cloudstack.managed.context.ManagedContextTimerTask;
+import org.apache.cloudstack.reservation.dao.ReservationDao;
 import org.apache.cloudstack.storage.command.DownloadCommand;
 import org.apache.cloudstack.storage.command.DownloadCommand.ResourceType;
 import org.apache.cloudstack.storage.command.DownloadProgressCommand;
 import org.apache.cloudstack.storage.command.DownloadProgressCommand.RequestType;
+import org.apache.cloudstack.storage.datastore.db.TemplateDataStoreDao;
+import org.apache.cloudstack.storage.datastore.db.TemplateDataStoreVO;
 import org.apache.cloudstack.utils.cache.LazyCache;
 import org.apache.logging.log4j.Level;
 import org.apache.logging.log4j.LogManager;
@@ -107,6 +119,7 @@ protected void runInContext() {
     public static final String DOWNLOAD_ERROR = Status.DOWNLOAD_ERROR.toString();
     public static final String DOWNLOAD_IN_PROGRESS = Status.DOWNLOAD_IN_PROGRESS.toString();
     public static final String DOWNLOAD_ABANDONED = Status.ABANDONED.toString();
+    public static final String DOWNLOAD_LIMIT_REACHED = Status.LIMIT_REACHED.toString();
 
     private EndPoint _ssAgent;
 
@@ -137,6 +150,18 @@ protected void runInContext() {
     private DataStoreManager _storeMgr;
     @Inject
     private VolumeService _volumeSrv;
+    @Inject
+    private VMTemplateDao _templateDao;
+    @Inject
+    private TemplateDataStoreDao _templateDataStoreDao;
+    @Inject
+    private VolumeDao _volumeDao;
+    @Inject
+    private ResourceLimitService _resourceLimitMgr;
+    @Inject
+    private AccountManager _accountMgr;
+    @Inject
+    ReservationDao _reservationDao;
 
     private LazyCache<Long, List<Hypervisor.HypervisorType>> zoneHypervisorsCache;
 
@@ -160,7 +185,7 @@ public DownloadListener(EndPoint ssAgent, DataStore store, DataObject object, Ti
         _downloadMonitor = downloadMonitor;
         _cmd = cmd;
         initStateMachine();
-        _currState = getState(Status.NOT_DOWNLOADED.toString());
+        _currState = getState(NOT_DOWNLOADED);
         this._timer = timer;
         _timeoutTask = new TimeoutTask(this);
         this._timer.schedule(_timeoutTask, 3 * STATUS_POLL_INTERVAL);
@@ -184,11 +209,12 @@ public void setCurrState(Status currState) {
     }
 
     private void initStateMachine() {
-        _stateMap.put(Status.NOT_DOWNLOADED.toString(), new NotDownloadedState(this));
-        _stateMap.put(Status.DOWNLOADED.toString(), new DownloadCompleteState(this));
-        _stateMap.put(Status.DOWNLOAD_ERROR.toString(), new DownloadErrorState(this));
-        _stateMap.put(Status.DOWNLOAD_IN_PROGRESS.toString(), new DownloadInProgressState(this));
-        _stateMap.put(Status.ABANDONED.toString(), new DownloadAbandonedState(this));
+        _stateMap.put(NOT_DOWNLOADED, new NotDownloadedState(this));
+        _stateMap.put(DOWNLOADED, new DownloadCompleteState(this));
+        _stateMap.put(DOWNLOAD_ERROR, new DownloadErrorState(this));
+        _stateMap.put(DOWNLOAD_IN_PROGRESS, new DownloadInProgressState(this));
+        _stateMap.put(DOWNLOAD_ABANDONED, new DownloadAbandonedState(this));
+        _stateMap.put(DOWNLOAD_LIMIT_REACHED, new DownloadLimitReachedState(this));
     }
 
     private DownloadState getState(String stateName) {
@@ -239,10 +265,53 @@ public boolean isRecurring() {
         return false;
     }
 
+    private Long getAccountIdForDataObject() {
+        if (object == null) {
+            return null;
+        }
+        if (DataObjectType.TEMPLATE.equals(object.getType())) {
+            VMTemplateVO t = _templateDao.findById(object.getId());
+            return t != null ? t.getAccountId() : null;
+        } else if (DataObjectType.VOLUME.equals(object.getType())) {
+            VolumeVO v = _volumeDao.findById(object.getId());
+            return v != null ? v.getAccountId() : null;
+        }
+        return null;
+    }
+
+    private Long getSizeFromDB() {
+        Long lastSize = null;
+        if (DataObjectType.TEMPLATE.equals(object.getType())) {
+            TemplateDataStoreVO t = _templateDataStoreDao.findByStoreTemplate(object.getDataStore().getId(), object.getId());
+            lastSize = t.getSize();
+        } else if (DataObjectType.VOLUME.equals(object.getType())) {
+            VolumeVO v = _volumeDao.findById(object.getId());
+            lastSize = v.getSize();
+        }
+        return lastSize == null ? 0L : lastSize;
+    }
+
+    private Boolean checkAndUpdateResourceLimits(DownloadAnswer answer) {
+        Long lastSize = getSizeFromDB();
+        Long currentSize = answer.getTemplateSize();
+
+        if (currentSize > lastSize) {
+            Long accountId = getAccountIdForDataObject();
+            Account account = _accountMgr.getAccount(accountId);
+            Long usage = currentSize - lastSize;
+            try (CheckedReservation secStorageReservation = new CheckedReservation(account, Resource.ResourceType.secondary_storage, usage, _reservationDao, _resourceLimitMgr)) {
+                _resourceLimitMgr.incrementResourceCount(accountId, Resource.ResourceType.secondary_storage, usage);
+            } catch (Exception e) {
+                return false;
+            }
+        }
+        return true;
+    }
+
     @Override
     public boolean processAnswers(long agentId, long seq, Answer[] answers) {
         boolean processed = false;
-        if (answers != null & answers.length > 0) {
+        if (answers != null && answers.length > 0) {
             if (answers[0] instanceof DownloadAnswer) {
                 final DownloadAnswer answer = (DownloadAnswer)answers[0];
                 if (getJobId() == null) {
@@ -250,7 +319,11 @@ public boolean processAnswers(long agentId, long seq, Answer[] answers) {
                 } else if (!getJobId().equalsIgnoreCase(answer.getJobId())) {
                     return false;//TODO
                 }
-                transition(DownloadEvent.DOWNLOAD_ANSWER, answer);
+                if (!checkAndUpdateResourceLimits(answer)) {
+                    transition(DownloadEvent.LIMIT_REACHED, answer);
+                } else {
+                    transition(DownloadEvent.DOWNLOAD_ANSWER, answer);
+                }
                 processed = true;
             }
         }
diff --git a/server/src/main/java/com/cloud/storage/download/DownloadState.java b/server/src/main/java/com/cloud/storage/download/DownloadState.java
index 68723b53e354..e58d1f3f39f7 100644
--- a/server/src/main/java/com/cloud/storage/download/DownloadState.java
+++ b/server/src/main/java/com/cloud/storage/download/DownloadState.java
@@ -26,7 +26,7 @@
 
 public abstract class DownloadState {
     public static enum DownloadEvent {
-        DOWNLOAD_ANSWER, ABANDON_DOWNLOAD, TIMEOUT_CHECK, DISCONNECT
+        DOWNLOAD_ANSWER, ABANDON_DOWNLOAD, LIMIT_REACHED, TIMEOUT_CHECK, DISCONNECT
     };
 
     protected Logger logger = LogManager.getLogger(getClass());
@@ -51,6 +51,8 @@ public String handleEvent(DownloadEvent event, Object eventObj) {
                 return handleAnswer(answer);
             case ABANDON_DOWNLOAD:
                 return handleAbort();
+            case LIMIT_REACHED:
+                return handleLimitReached();
             case TIMEOUT_CHECK:
                 Date now = new Date();
                 long update = now.getTime() - dl.getLastUpdated().getTime();
@@ -78,6 +80,8 @@ public void onExit() {
 
     public abstract String handleAbort();
 
+    public abstract String handleLimitReached();
+
     public abstract String handleDisconnect();
 
     public abstract String handleAnswer(DownloadAnswer answer);
diff --git a/server/src/main/java/com/cloud/storage/snapshot/SnapshotManagerImpl.java b/server/src/main/java/com/cloud/storage/snapshot/SnapshotManagerImpl.java
index b5a03d1836bb..ce01048eaa56 100755
--- a/server/src/main/java/com/cloud/storage/snapshot/SnapshotManagerImpl.java
+++ b/server/src/main/java/com/cloud/storage/snapshot/SnapshotManagerImpl.java
@@ -16,8 +16,6 @@
 // under the License.
 package com.cloud.storage.snapshot;
 
-
-import com.cloud.storage.StoragePoolStatus;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.Comparator;
@@ -36,11 +34,7 @@
 import javax.inject.Inject;
 import javax.naming.ConfigurationException;
 
-import com.cloud.host.dao.HostDao;
-import com.cloud.storage.Upload;
-import com.cloud.storage.dao.SnapshotDetailsDao;
 import org.apache.cloudstack.acl.SecurityChecker;
-import com.cloud.api.ApiDBUtils;
 import org.apache.cloudstack.annotation.AnnotationService;
 import org.apache.cloudstack.annotation.dao.AnnotationDao;
 import org.apache.cloudstack.api.ApiCommandResourceType;
@@ -77,6 +71,7 @@
 import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
 import org.apache.cloudstack.framework.jobs.AsyncJob;
 import org.apache.cloudstack.managed.context.ManagedContextRunnable;
+import org.apache.cloudstack.reservation.dao.ReservationDao;
 import org.apache.cloudstack.resourcedetail.SnapshotPolicyDetailVO;
 import org.apache.cloudstack.resourcedetail.dao.SnapshotPolicyDetailsDao;
 import org.apache.cloudstack.snapshot.SnapshotHelper;
@@ -98,6 +93,7 @@
 import com.cloud.agent.api.Command;
 import com.cloud.agent.api.DeleteSnapshotsDirCommand;
 import com.cloud.alert.AlertManager;
+import com.cloud.api.ApiDBUtils;
 import com.cloud.api.commands.ListRecurringSnapshotScheduleCmd;
 import com.cloud.api.query.MutualExclusiveIdsManagerBase;
 import com.cloud.configuration.Config;
@@ -119,10 +115,12 @@
 import com.cloud.exception.ResourceUnavailableException;
 import com.cloud.exception.StorageUnavailableException;
 import com.cloud.host.HostVO;
+import com.cloud.host.dao.HostDao;
 import com.cloud.hypervisor.Hypervisor.HypervisorType;
 import com.cloud.org.Grouping;
 import com.cloud.projects.Project.ListProjectResourcesCriteria;
 import com.cloud.resource.ResourceManager;
+import com.cloud.resourcelimit.CheckedReservation;
 import com.cloud.server.ResourceTag.ResourceObjectType;
 import com.cloud.server.TaggedResourceService;
 import com.cloud.storage.CreateSnapshotPayload;
@@ -135,15 +133,18 @@
 import com.cloud.storage.SnapshotScheduleVO;
 import com.cloud.storage.SnapshotVO;
 import com.cloud.storage.Storage;
+import com.cloud.storage.StoragePoolStatus;
 import com.cloud.storage.Storage.ImageFormat;
 import com.cloud.storage.Storage.StoragePoolType;
 import com.cloud.storage.StorageManager;
 import com.cloud.storage.StoragePool;
+import com.cloud.storage.Upload;
 import com.cloud.storage.VMTemplateStorageResourceAssoc;
 import com.cloud.storage.VMTemplateVO;
 import com.cloud.storage.Volume;
 import com.cloud.storage.VolumeVO;
 import com.cloud.storage.dao.DiskOfferingDao;
+import com.cloud.storage.dao.SnapshotDetailsDao;
 import com.cloud.storage.dao.SnapshotDao;
 import com.cloud.storage.dao.SnapshotPolicyDao;
 import com.cloud.storage.dao.SnapshotScheduleDao;
@@ -251,7 +252,8 @@ public class SnapshotManagerImpl extends MutualExclusiveIdsManagerBase implement
     public TaggedResourceService taggedResourceService;
     @Inject
     private AnnotationDao annotationDao;
-
+    @Inject
+    private ReservationDao reservationDao;
     @Inject
     protected SnapshotHelper snapshotHelper;
     @Inject
@@ -321,7 +323,7 @@ public Answer sendToPool(Volume vol, Command cmd) {
             hostIdsToTryFirst = new long[] {vmHostId};
         }
 
-        List<Long> hostIdsToAvoid = new ArrayList<Long>();
+        List<Long> hostIdsToAvoid = new ArrayList<>();
         for (int retry = _totalRetries; retry >= 0; retry--) {
             try {
                 Pair<Long, Answer> result = _storageMgr.sendToPool(pool, hostIdsToTryFirst, hostIdsToAvoid, cmd);
@@ -421,7 +423,7 @@ public Snapshot revertSnapshot(Long snapshotId) {
     }
 
     public void updateVolumeSizeAndPrimaryStorageCount(VolumeVO volume, SnapshotVO snapshot) {
-        Long differenceBetweenVolumeAndSnapshotSize = new Long(volume.getSize() - snapshot.getSize());
+        long differenceBetweenVolumeAndSnapshotSize = volume.getSize() - snapshot.getSize();
         if (differenceBetweenVolumeAndSnapshotSize != 0) {
             if (differenceBetweenVolumeAndSnapshotSize > 0) {
                 _resourceLimitMgr.decrementResourceCount(snapshot.getAccountId(), ResourceType.primary_storage, differenceBetweenVolumeAndSnapshotSize);
@@ -696,7 +698,7 @@ public Snapshot backupSnapshotFromVmSnapshot(Long snapshotId, Long vmId, Long vo
         } catch (Exception e) {
             logger.debug("Failed to backup Snapshot from Instance Snapshot", e);
             _resourceLimitMgr.decrementResourceCount(snapshotOwnerId, ResourceType.snapshot);
-            _resourceLimitMgr.decrementResourceCount(snapshotOwnerId, ResourceType.secondary_storage, new Long(volume.getSize()));
+            _resourceLimitMgr.decrementResourceCount(snapshotOwnerId, ResourceType.secondary_storage, volume.getSize());
             throw new CloudRuntimeException("Failed to backup Snapshot from Instance Snapshot", e);
         } finally {
             if (snapshotOnPrimaryStore != null) {
@@ -911,43 +913,36 @@ public boolean deleteSnapshot(long snapshotId, Long zoneId) {
         List<SnapshotDataStoreVO> snapshotStoreRefs = storeRefAndZones.first();
         List<Long> zoneIds = storeRefAndZones.second();
 
-        boolean result = snapshotStrategy.deleteSnapshot(snapshotId, zoneId);
-        if (result) {
-            for (Long zId : zoneIds) {
-                if (snapshotCheck.getState() == Snapshot.State.BackedUp) {
-                    UsageEventUtils.publishUsageEvent(EventTypes.EVENT_SNAPSHOT_DELETE, snapshotCheck.getAccountId(), zId, snapshotId,
-                            snapshotCheck.getName(), null, null, 0L, snapshotCheck.getClass().getName(), snapshotCheck.getUuid());
+        try {
+            boolean result = snapshotStrategy.deleteSnapshot(snapshotId, zoneId);
+            if (result) {
+                for (Long zId : zoneIds) {
+                    if (snapshotCheck.getState() == Snapshot.State.BackedUp) {
+                        UsageEventUtils.publishUsageEvent(EventTypes.EVENT_SNAPSHOT_DELETE, snapshotCheck.getAccountId(), zId, snapshotId,
+                                snapshotCheck.getName(), null, null, 0L, snapshotCheck.getClass().getName(), snapshotCheck.getUuid());
+                    }
                 }
-            }
-            final SnapshotVO postDeleteSnapshotEntry = _snapshotDao.findById(snapshotId);
-            if (postDeleteSnapshotEntry == null || Snapshot.State.Destroyed.equals(postDeleteSnapshotEntry.getState())) {
-                annotationDao.removeByEntityType(AnnotationService.EntityType.SNAPSHOT.name(), snapshotCheck.getUuid());
+                final SnapshotVO postDeleteSnapshotEntry = _snapshotDao.findById(snapshotId);
+                if (postDeleteSnapshotEntry == null || Snapshot.State.Destroyed.equals(postDeleteSnapshotEntry.getState())) {
+                    annotationDao.removeByEntityType(AnnotationService.EntityType.SNAPSHOT.name(), snapshotCheck.getUuid());
 
-                if (snapshotCheck.getState() != Snapshot.State.Error && snapshotCheck.getState() != Snapshot.State.Destroyed) {
-                    _resourceLimitMgr.decrementResourceCount(snapshotCheck.getAccountId(), ResourceType.snapshot);
+                    if (snapshotCheck.getState() != Snapshot.State.Error && snapshotCheck.getState() != Snapshot.State.Destroyed) {
+                        _resourceLimitMgr.decrementResourceCount(snapshotCheck.getAccountId(), ResourceType.snapshot);
+                    }
                 }
-            }
-            for (SnapshotDataStoreVO snapshotStoreRef : snapshotStoreRefs) {
-                if (ObjectInDataStoreStateMachine.State.Ready.equals(snapshotStoreRef.getState()) && !DataStoreRole.Primary.equals(snapshotStoreRef.getRole())) {
-                    _resourceLimitMgr.decrementResourceCount(snapshotCheck.getAccountId(), ResourceType.secondary_storage, new Long(snapshotStoreRef.getPhysicalSize()));
+                for (SnapshotDataStoreVO snapshotStoreRef : snapshotStoreRefs) {
+                    if (ObjectInDataStoreStateMachine.State.Ready.equals(snapshotStoreRef.getState()) && !DataStoreRole.Primary.equals(snapshotStoreRef.getRole())) {
+                        _resourceLimitMgr.decrementResourceCount(snapshotCheck.getAccountId(), ResourceType.secondary_storage, snapshotStoreRef.getPhysicalSize());
+                    }
                 }
             }
-        }
-        final SnapshotVO postDeleteSnapshotEntry = _snapshotDao.findById(snapshotId);
-        if (postDeleteSnapshotEntry == null || Snapshot.State.Destroyed.equals(postDeleteSnapshotEntry.getState())) {
-            annotationDao.removeByEntityType(AnnotationService.EntityType.SNAPSHOT.name(), snapshotCheck.getUuid());
 
-            if (snapshotCheck.getState() != Snapshot.State.Error && snapshotCheck.getState() != Snapshot.State.Destroyed) {
-                _resourceLimitMgr.decrementResourceCount(snapshotCheck.getAccountId(), ResourceType.snapshot);
-            }
-        }
-        for (SnapshotDataStoreVO snapshotStoreRef : snapshotStoreRefs) {
-            if (ObjectInDataStoreStateMachine.State.Ready.equals(snapshotStoreRef.getState()) && !DataStoreRole.Primary.equals(snapshotStoreRef.getRole())) {
-                _resourceLimitMgr.decrementResourceCount(snapshotCheck.getAccountId(), ResourceType.secondary_storage, new Long(snapshotStoreRef.getPhysicalSize()));
-            }
-        }
+            return result;
+        } catch (Exception e) {
+            logger.debug("Failed to delete snapshot {}:{}", snapshotCheck, e.toString());
 
-        return result;
+            throw new CloudRuntimeException("Failed to delete snapshot:" + e.toString());
+        }
     }
 
     @Override
@@ -961,7 +956,7 @@ public Pair<List<? extends Snapshot>, Integer> listSnapshots(ListSnapshotsCmd cm
         Map<String, String> tags = cmd.getTags();
         Long zoneId = cmd.getZoneId();
         Account caller = CallContext.current().getCallingAccount();
-        List<Long> permittedAccounts = new ArrayList<Long>();
+        List<Long> permittedAccounts = new ArrayList<>();
 
         // Verify parameters
         if (volumeId != null) {
@@ -973,7 +968,7 @@ public Pair<List<? extends Snapshot>, Integer> listSnapshots(ListSnapshotsCmd cm
 
         List<Long> ids = getIdsListFromCmd(cmd.getId(), cmd.getIds());
 
-        Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<Long, Boolean, ListProjectResourcesCriteria>(cmd.getDomainId(),
+        Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject = new Ternary<>(cmd.getDomainId(),
                 cmd.isRecursive(), null);
         _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedAccounts, domainIdRecursiveListProject, cmd.listAll(), false);
         Long domainId = domainIdRecursiveListProject.first();
@@ -1066,7 +1061,7 @@ public Pair<List<? extends Snapshot>, Integer> listSnapshots(ListSnapshotsCmd cm
         }
 
         Pair<List<SnapshotVO>, Integer> result = _snapshotDao.searchAndCount(sc, searchFilter);
-        return new Pair<List<? extends Snapshot>, Integer>(result.first(), result.second());
+        return new Pair<>(result.first(), result.second());
     }
 
     @Override
@@ -1082,7 +1077,7 @@ public boolean deleteSnapshotDirsForAccount(Account account) {
             if (volume.getPoolId() == null) {
                 continue;
             }
-            Long volumeId = volume.getId();
+            long volumeId = volume.getId();
             Long dcId = volume.getDataCenterId();
             if (_snapshotDao.listByVolumeIdIncludingRemoved(volumeId).isEmpty()) {
                 // This volume doesn't have any snapshots. Nothing do delete.
@@ -1126,7 +1121,7 @@ public boolean deleteSnapshotDirsForAccount(Account account) {
                     if (Type.MANUAL == snapshot.getRecurringType()) {
                         _resourceLimitMgr.decrementResourceCount(accountId, ResourceType.snapshot);
                         for (SnapshotDataStoreVO snapshotStoreRef : snapshotStoreRefs) {
-                            _resourceLimitMgr.decrementResourceCount(accountId, ResourceType.secondary_storage, new Long(snapshotStoreRef.getPhysicalSize()));
+                            _resourceLimitMgr.decrementResourceCount(accountId, ResourceType.secondary_storage, snapshotStoreRef.getPhysicalSize());
                         }
                     }
 
@@ -1155,7 +1150,6 @@ protected void validatePolicyZones(List<Long> zoneIds, List<Long> poolIds, Volum
             throw new InvalidParameterValueException("Backing up of snapshot is not supported by the zone of the volume. Snapshots can not be taken for multiple zones");
         }
         boolean isRootAdminCaller = _accountMgr.isRootAdmin(caller.getId());
-
         if (hasZones) {
             for (Long zoneId : zoneIds) {
                 getCheckedDestinationZoneForSnapshotCopy(zoneId, isRootAdminCaller);
@@ -1291,7 +1285,6 @@ protected SnapshotPolicyVO persistSnapshotPolicy(VolumeVO volume, String schedul
 
         logger.debug("Acquired lock for creating snapshot policy [{}] for volume {}.", intervalType, volume);
 
-
         try {
             SnapshotPolicyVO policy = _snapshotPolicyDao.findOneByVolumeInterval(volumeId, intervalType);
 
@@ -1498,7 +1491,7 @@ public List<SnapshotScheduleVO> findRecurringSnapshotSchedule(ListRecurringSnaps
         }
 
         // List only future schedules, not past ones.
-        List<SnapshotScheduleVO> snapshotSchedules = new ArrayList<SnapshotScheduleVO>();
+        List<SnapshotScheduleVO> snapshotSchedules = new ArrayList<>();
         if (policyId == null) {
             List<SnapshotPolicyVO> policyInstances = listPoliciesforVolume(volumeId);
             for (SnapshotPolicyVO policyInstance : policyInstances) {
@@ -1632,7 +1625,6 @@ public SnapshotInfo takeSnapshot(VolumeInfo volume) throws ResourceAllocationExc
 
         Long snapshotId = payload.getSnapshotId();
         Account snapshotOwner = payload.getAccount();
-
         SnapshotInfo snapshot = snapshotFactory.getSnapshot(snapshotId, volume.getDataStore());
         StoragePool storagePool = _storagePoolDao.findById(volume.getPoolId());
 
@@ -1698,7 +1690,7 @@ public SnapshotInfo takeSnapshot(VolumeInfo volume) throws ResourceAllocationExc
 
                 ResourceType storeResourceType = dataStoreRole == DataStoreRole.Image ? ResourceType.secondary_storage : ResourceType.primary_storage;
                 // Correct the resource count of snapshot in case of delta snapshots.
-                _resourceLimitMgr.decrementResourceCount(snapshotOwner.getId(), storeResourceType, new Long(volume.getSize() - snapshotStoreRef.getPhysicalSize()));
+                _resourceLimitMgr.decrementResourceCount(snapshotOwner.getId(), storeResourceType, volume.getSize() - snapshotStoreRef.getPhysicalSize());
 
                 if (!payload.getAsyncBackup()) {
                     if (backupSnapToSecondary) {
@@ -1717,7 +1709,7 @@ public SnapshotInfo takeSnapshot(VolumeInfo volume) throws ResourceAllocationExc
             }
             ResourceType storeResourceType = getStoreResourceType(volume.getDataCenterId(), payload.getLocationType());
             _resourceLimitMgr.decrementResourceCount(snapshotOwner.getId(), ResourceType.snapshot);
-            _resourceLimitMgr.decrementResourceCount(snapshotOwner.getId(), storeResourceType, new Long(volume.getSize()));
+            _resourceLimitMgr.decrementResourceCount(snapshotOwner.getId(), storeResourceType, volume.getSize());
             throw cre;
         } catch (Exception e) {
             if (logger.isDebugEnabled()) {
@@ -1725,7 +1717,7 @@ public SnapshotInfo takeSnapshot(VolumeInfo volume) throws ResourceAllocationExc
             }
             ResourceType storeResourceType = getStoreResourceType(volume.getDataCenterId(), payload.getLocationType());
             _resourceLimitMgr.decrementResourceCount(snapshotOwner.getId(), ResourceType.snapshot);
-            _resourceLimitMgr.decrementResourceCount(snapshotOwner.getId(), storeResourceType, new Long(volume.getSize()));
+            _resourceLimitMgr.decrementResourceCount(snapshotOwner.getId(), storeResourceType, volume.getSize());
             throw new CloudRuntimeException("Failed to create snapshot", e);
         }
         return snapshot;
@@ -1935,7 +1927,7 @@ public boolean deleteSnapshotPolicies(DeleteSnapshotPoliciesCmd cmd) {
         }
 
         if (policyIds == null) {
-            policyIds = new ArrayList<Long>();
+            policyIds = new ArrayList<>();
             policyIds.add(policyId);
         } else if (policyIds.size() <= 0) {
             // Not even sure how this is even possible
@@ -2018,20 +2010,6 @@ public Snapshot allocSnapshot(Long volumeId, Long policyId, String snapshotName,
         Type snapshotType = getSnapshotType(policyId);
         Account owner = _accountMgr.getAccount(volume.getAccountId());
 
-        ResourceType storeResourceType = getStoreResourceType(volume.getDataCenterId(), locationType);
-        try {
-            _resourceLimitMgr.checkResourceLimit(owner, ResourceType.snapshot);
-            _resourceLimitMgr.checkResourceLimit(owner, storeResourceType, volume.getSize());
-        } catch (ResourceAllocationException e) {
-            if (snapshotType != Type.MANUAL) {
-                String msg = String.format("Snapshot resource limit exceeded for account %s. Failed to create recurring snapshots", owner);
-                logger.warn(msg);
-                _alertMgr.sendAlert(AlertManager.AlertType.ALERT_TYPE_UPDATE_RESOURCE_COUNT, 0L, 0L, msg, "Snapshot resource limit exceeded for account id : " + owner.getId()
-                        + ". Failed to create recurring snapshots; please use updateResourceLimit to increase the limit");
-            }
-            throw e;
-        }
-
         // Determine the name for this snapshot
         // Snapshot Name: VMInstancename + volumeName + timeString
         String timeString = DateUtil.getDateDisplayString(DateUtil.GMT_TIMEZONE, new Date(), DateUtil.YYYYMMDD_FORMAT);
@@ -2063,17 +2041,33 @@ public Snapshot allocSnapshot(Long volumeId, Long policyId, String snapshotName,
             hypervisorType = volume.getHypervisorType();
         }
 
-        SnapshotVO snapshotVO = new SnapshotVO(volume.getDataCenterId(), volume.getAccountId(), volume.getDomainId(), volume.getId(), volume.getDiskOfferingId(), snapshotName,
-                (short)snapshotType.ordinal(), snapshotType.name(), volume.getSize(), volume.getMinIops(), volume.getMaxIops(), hypervisorType, locationType);
+        ResourceType storeResourceType = ResourceType.secondary_storage;
+        if (!isBackupSnapshotToSecondaryForZone(volume.getDataCenterId()) ||
+                Snapshot.LocationType.PRIMARY.equals(locationType)) {
+            storeResourceType = ResourceType.primary_storage;
+        }
 
-        SnapshotVO snapshot = _snapshotDao.persist(snapshotVO);
-        if (snapshot == null) {
-            throw new CloudRuntimeException(String.format("Failed to create snapshot for volume: %s", volume));
+        try (CheckedReservation volumeSnapshotReservation = new CheckedReservation(owner, ResourceType.snapshot, null, null, 1L, reservationDao, _resourceLimitMgr);
+             CheckedReservation storageReservation = new CheckedReservation(owner, storeResourceType, null, null, volume.getSize(), reservationDao, _resourceLimitMgr)) {
+            SnapshotVO snapshotVO = new SnapshotVO(volume.getDataCenterId(), volume.getAccountId(), volume.getDomainId(), volume.getId(), volume.getDiskOfferingId(), snapshotName,
+                    (short)snapshotType.ordinal(), snapshotType.name(), volume.getSize(), volume.getMinIops(), volume.getMaxIops(), hypervisorType, locationType);
+
+            SnapshotVO snapshot = _snapshotDao.persist(snapshotVO);
+            if (snapshot == null) {
+                throw new CloudRuntimeException(String.format("Failed to create snapshot for volume: %s", volume));
+            }
+            CallContext.current().putContextParameter(Snapshot.class, snapshot.getUuid());
+            _resourceLimitMgr.incrementResourceCount(volume.getAccountId(), ResourceType.snapshot);
+            _resourceLimitMgr.incrementResourceCount(volume.getAccountId(), storeResourceType, volume.getSize());
+            return snapshot;
+        } catch (ResourceAllocationException e) {
+            if (snapshotType != Type.MANUAL) {
+                String msg = String.format("Snapshot resource limit exceeded for account id : %s. Failed to create recurring snapshots", owner.getId());
+                logger.warn(msg);
+                _alertMgr.sendAlert(AlertManager.AlertType.ALERT_TYPE_UPDATE_RESOURCE_COUNT, 0L, 0L, msg, msg + ". Please, use updateResourceLimit to increase the limit");
+            }
+            throw e;
         }
-        CallContext.current().putContextParameter(Snapshot.class, snapshot.getUuid());
-        _resourceLimitMgr.incrementResourceCount(volume.getAccountId(), ResourceType.snapshot);
-        _resourceLimitMgr.incrementResourceCount(volume.getAccountId(), storeResourceType, volume.getSize());
-        return snapshot;
     }
 
     @Override
@@ -2123,57 +2117,61 @@ private boolean checkAndProcessSnapshotAlreadyExistInStore(long snapshotId, Data
 
     @DB
     private boolean copySnapshotToZone(SnapshotDataStoreVO snapshotDataStoreVO, DataStore srcSecStore,
-                                       DataCenterVO dstZone, DataStore dstSecStore, Account account, boolean kvmIncrementalSnapshot)
+                                       DataCenterVO dstZone, DataStore dstSecStore, Account account, boolean kvmIncrementalSnapshot, boolean shouldCheckResourceLimits)
             throws ResourceAllocationException {
         final long snapshotId = snapshotDataStoreVO.getSnapshotId();
         final long dstZoneId = dstZone.getId();
         if (checkAndProcessSnapshotAlreadyExistInStore(snapshotId, dstSecStore)) {
             return true;
         }
-        _resourceLimitMgr.checkResourceLimit(account, ResourceType.secondary_storage, snapshotDataStoreVO.getSize());
-        // snapshotId may refer to ID of a removed parent snapshot
-        SnapshotInfo snapshotOnSecondary = snapshotFactory.getSnapshot(snapshotId, srcSecStore);
-        if (kvmIncrementalSnapshot) {
-            snapshotOnSecondary = snapshotHelper.convertSnapshotIfNeeded(snapshotOnSecondary);
-        }
-        String copyUrl = null;
-        try {
-            AsyncCallFuture<CreateCmdResult> future = snapshotSrv.queryCopySnapshot(snapshotOnSecondary);
-            CreateCmdResult result = future.get();
-            if (!result.isFailed()) {
-                copyUrl = result.getPath();
-            }
-        } catch (InterruptedException | ExecutionException | ResourceUnavailableException ex) {
-            logger.error("Failed to prepare URL for copy for snapshot ID: {} on store: {}", snapshotId, srcSecStore, ex);
-        }
-        if (StringUtils.isEmpty(copyUrl)) {
-            logger.error("Unable to prepare URL for copy for snapshot ID: {} on store: {}", snapshotId, srcSecStore);
-            return false;
-        }
-        logger.debug(String.format("Copying snapshot ID: %d to destination zones using download URL: %s", snapshotId, copyUrl));
-        try {
-            AsyncCallFuture<SnapshotResult> future = snapshotSrv.copySnapshot(snapshotOnSecondary, copyUrl, dstSecStore);
-            SnapshotResult result = future.get();
-            if (result.isFailed()) {
-                logger.debug("Copy snapshot ID: {} failed for image store {}: {}", snapshotId, dstSecStore, result.getResult());
-                return false;
+        // Resource limit checks are not performed here at the moment, but they were added in case this method is used
+        // in the future to copy a standalone snapshot
+        long requiredSecondaryStorageSpace = shouldCheckResourceLimits ? snapshotDataStoreVO.getSize() : 0L;
+        try (CheckedReservation secondaryStorageReservation = new CheckedReservation(account, ResourceType.secondary_storage, null, null, null, requiredSecondaryStorageSpace, null, reservationDao, _resourceLimitMgr)) {
+            // snapshotId may refer to ID of a removed parent snapshot
+            SnapshotInfo snapshotOnSecondary = snapshotFactory.getSnapshot(snapshotId, srcSecStore);
+            if (kvmIncrementalSnapshot) {
+                snapshotOnSecondary = snapshotHelper.convertSnapshotIfNeeded(snapshotOnSecondary);
             }
-            snapshotZoneDao.addSnapshotToZone(snapshotId, dstZoneId);
-            _resourceLimitMgr.incrementResourceCount(account.getId(), ResourceType.secondary_storage, snapshotDataStoreVO.getSize());
-            if (account.getId() != Account.ACCOUNT_ID_SYSTEM) {
-                SnapshotVO snapshotVO = _snapshotDao.findByIdIncludingRemoved(snapshotId);
-                UsageEventUtils.publishUsageEvent(EventTypes.EVENT_SNAPSHOT_COPY, account.getId(), dstZoneId, snapshotId, null, null, null, snapshotVO.getSize(),
-                        snapshotVO.getSize(), snapshotVO.getClass().getName(), snapshotVO.getUuid());
+            String copyUrl = null;
+            try {
+                AsyncCallFuture<CreateCmdResult> future = snapshotSrv.queryCopySnapshot(snapshotOnSecondary);
+                CreateCmdResult result = future.get();
+                if (!result.isFailed()) {
+                    copyUrl = result.getPath();
+                }
+            } catch (InterruptedException | ExecutionException | ResourceUnavailableException ex) {
+                logger.error("Failed to prepare URL for copy for snapshot ID: {} on store: {}", snapshotId, srcSecStore, ex);
             }
-            if (kvmIncrementalSnapshot) {
-                ((ImageStoreEntity) srcSecStore).deleteExtractUrl(snapshotOnSecondary.getPath(), copyUrl, Upload.Type.SNAPSHOT);
+            if (StringUtils.isEmpty(copyUrl)) {
+                logger.error("Unable to prepare URL for copy for snapshot ID: {} on store: {}", snapshotId, srcSecStore);
+                return false;
             }
+            logger.debug(String.format("Copying snapshot ID: %d to destination zones using download URL: %s", snapshotId, copyUrl));
+            try {
+                AsyncCallFuture<SnapshotResult> future = snapshotSrv.copySnapshot(snapshotOnSecondary, copyUrl, dstSecStore);
+                SnapshotResult result = future.get();
+                if (result.isFailed()) {
+                    logger.debug("Copy snapshot ID: {} failed for image store {}: {}", snapshotId, dstSecStore, result.getResult());
+                    return false;
+                }
+                snapshotZoneDao.addSnapshotToZone(snapshotId, dstZoneId);
+                _resourceLimitMgr.incrementResourceCount(account.getId(), ResourceType.secondary_storage, snapshotDataStoreVO.getSize());
+                if (account.getId() != Account.ACCOUNT_ID_SYSTEM) {
+                    SnapshotVO snapshotVO = _snapshotDao.findByIdIncludingRemoved(snapshotId);
+                    UsageEventUtils.publishUsageEvent(EventTypes.EVENT_SNAPSHOT_COPY, account.getId(), dstZoneId, snapshotId, null, null, null, snapshotVO.getSize(),
+                            snapshotVO.getSize(), snapshotVO.getClass().getName(), snapshotVO.getUuid());
+                }
+                if (kvmIncrementalSnapshot) {
+                    ((ImageStoreEntity) srcSecStore).deleteExtractUrl(snapshotOnSecondary.getPath(), copyUrl, Upload.Type.SNAPSHOT);
+                }
 
-            return true;
-        } catch (InterruptedException | ExecutionException | ResourceUnavailableException ex) {
-            logger.debug("Failed to copy snapshot ID: {} to image store: {}", snapshotId, dstSecStore);
+                return true;
+            } catch (InterruptedException | ExecutionException | ResourceUnavailableException ex) {
+                logger.debug("Failed to copy snapshot ID: {} to image store: {}", snapshotId, dstSecStore);
+            }
+            return false;
         }
-        return false;
     }
 
     @DB
@@ -2205,13 +2203,6 @@ private boolean copySnapshotChainToZone(SnapshotVO snapshotVO, DataStore srcSecS
         if (CollectionUtils.isEmpty(snapshotChain)) {
             return true;
         }
-        try {
-            _resourceLimitMgr.checkResourceLimit(account, ResourceType.secondary_storage, size);
-        } catch (ResourceAllocationException e) {
-            logger.error(String.format("Unable to allocate secondary storage resources for snapshot chain for %s with size: %d", snapshotVO, size), e);
-            return false;
-        }
-        Collections.reverse(snapshotChain);
         if (dstSecStore == null) {
             // find all eligible image stores for the destination zone
             List<DataStore> dstSecStores = dataStoreMgr.getImageStoresByScopeExcludingReadOnly(new ZoneScope(destZoneId));
@@ -2223,16 +2214,23 @@ private boolean copySnapshotChainToZone(SnapshotVO snapshotVO, DataStore srcSecS
                 throw new StorageUnavailableException("Destination zone is not ready, no image store with free capacity", DataCenter.class, destZoneId);
             }
         }
-        logger.debug("Copying snapshot chain for snapshot ID: {} on secondary store: {} of zone ID: {}", snapshotVO, dstSecStore, destZone);
-        for (SnapshotDataStoreVO snapshotDataStoreVO : snapshotChain) {
-            if (!copySnapshotToZone(snapshotDataStoreVO, srcSecStore, destZone, dstSecStore, account, kvmIncrementalSnapshot)) {
-                logger.error("Failed to copy snapshot: {} to zone: {} due to failure to copy snapshot ID: {} from snapshot chain",
-                        snapshotVO, destZone, snapshotDataStoreVO.getSnapshotId());
-                return false;
+        try  (CheckedReservation secondaryStorageReservation = new CheckedReservation(account, ResourceType.secondary_storage, null, null, null, size, null, reservationDao, _resourceLimitMgr)) {
+            logger.debug("Copying snapshot chain for snapshot ID: {} on secondary store: {} of zone ID: {}", snapshotVO, dstSecStore, destZone);
+            Collections.reverse(snapshotChain);
+            for (SnapshotDataStoreVO snapshotDataStoreVO : snapshotChain) {
+                if (!copySnapshotToZone(snapshotDataStoreVO, srcSecStore, destZone, dstSecStore, account, kvmIncrementalSnapshot, false)) {
+                    logger.error("Failed to copy snapshot: {} to zone: {} due to failure to copy snapshot ID: {} from snapshot chain",
+                            snapshotVO, destZone, snapshotDataStoreVO.getSnapshotId());
+                    return false;
+                }
             }
+            return true;
+        } catch (ResourceAllocationException e) {
+            logger.error(String.format("Unable to allocate secondary storage resources for snapshot chain for %s with size: %d", snapshotVO, size), e);
+            return false;
         }
-        return true;
     }
+
     @DB
     private List<String> copySnapshotToZones(SnapshotVO snapshotVO, DataStore srcSecStore, List<DataCenterVO> dstZones) throws StorageUnavailableException, ResourceAllocationException {
         AccountVO account = _accountDao.findById(snapshotVO.getAccountId());
diff --git a/server/src/main/java/com/cloud/template/HypervisorTemplateAdapter.java b/server/src/main/java/com/cloud/template/HypervisorTemplateAdapter.java
index a7a6cea7d907..fdde8f47a675 100644
--- a/server/src/main/java/com/cloud/template/HypervisorTemplateAdapter.java
+++ b/server/src/main/java/com/cloud/template/HypervisorTemplateAdapter.java
@@ -34,10 +34,8 @@
 import org.apache.cloudstack.annotation.dao.AnnotationDao;
 import org.apache.cloudstack.api.ApiCommandResourceType;
 import org.apache.cloudstack.api.command.user.iso.DeleteIsoCmd;
-import org.apache.cloudstack.api.command.user.iso.GetUploadParamsForIsoCmd;
 import org.apache.cloudstack.api.command.user.iso.RegisterIsoCmd;
 import org.apache.cloudstack.api.command.user.template.DeleteTemplateCmd;
-import org.apache.cloudstack.api.command.user.template.GetUploadParamsForTemplateCmd;
 import org.apache.cloudstack.api.command.user.template.RegisterTemplateCmd;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.direct.download.DirectDownloadManager;
@@ -197,19 +195,6 @@ public TemplateProfile prepare(RegisterIsoCmd cmd) throws ResourceAllocationExce
             profile.setSize(templateSize);
         }
         profile.setUrl(url);
-        // Check that the resource limit for secondary storage won't be exceeded
-        _resourceLimitMgr.checkResourceLimit(_accountMgr.getAccount(cmd.getEntityOwnerId()),
-                ResourceType.secondary_storage,
-                UriUtils.getRemoteSize(url, followRedirects));
-        return profile;
-    }
-
-    @Override
-    public TemplateProfile prepare(GetUploadParamsForIsoCmd cmd) throws ResourceAllocationException {
-        TemplateProfile profile = super.prepare(cmd);
-
-        // Check that the resource limit for secondary storage won't be exceeded
-        _resourceLimitMgr.checkResourceLimit(_accountMgr.getAccount(cmd.getEntityOwnerId()), ResourceType.secondary_storage);
         return profile;
     }
 
@@ -228,19 +213,7 @@ public TemplateProfile prepare(RegisterTemplateCmd cmd) throws ResourceAllocatio
             profile.setForCks(cmd.isForCks());
         }
         profile.setUrl(url);
-        // Check that the resource limit for secondary storage won't be exceeded
-        _resourceLimitMgr.checkResourceLimit(_accountMgr.getAccount(cmd.getEntityOwnerId()),
-                ResourceType.secondary_storage,
-                UriUtils.getRemoteSize(url, followRedirects));
-        return profile;
-    }
 
-    @Override
-    public TemplateProfile prepare(GetUploadParamsForTemplateCmd cmd) throws ResourceAllocationException {
-        TemplateProfile profile = super.prepare(cmd);
-
-        // Check that the resource limit for secondary storage won't be exceeded
-        _resourceLimitMgr.checkResourceLimit(_accountMgr.getAccount(cmd.getEntityOwnerId()), ResourceType.secondary_storage);
         return profile;
     }
 
@@ -268,7 +241,6 @@ public VMTemplateVO create(TemplateProfile profile) {
             persistDirectDownloadTemplate(template.getId(), profile.getSize());
         }
 
-        _resourceLimitMgr.incrementResourceCount(profile.getAccountId(), ResourceType.template);
         return template;
     }
 
@@ -377,7 +349,7 @@ public List<TemplateOrVolumePostUploadCommand> doInTransaction(TransactionStatus
                 if(payloads.isEmpty()) {
                     throw new CloudRuntimeException("unable to find zone or an image store with enough capacity");
                 }
-                _resourceLimitMgr.incrementResourceCount(profile.getAccountId(), ResourceType.template);
+
                 return payloads;
             }
         });
@@ -396,13 +368,12 @@ protected Void createTemplateAsyncCallBack(AsyncCallbackDispatcher<HypervisorTem
         CreateTemplateContext<TemplateApiResult> context) {
         TemplateApiResult result = callback.getResult();
         TemplateInfo template = context.template;
+        VMTemplateVO tmplt = _tmpltDao.findById(template.getId());
         if (result.isSuccess()) {
-            VMTemplateVO tmplt = _tmpltDao.findById(template.getId());
             // need to grant permission for public templates
             if (tmplt.isPublicTemplate()) {
                 _messageBus.publish(_name, TemplateManager.MESSAGE_REGISTER_PUBLIC_TEMPLATE_EVENT, PublishScope.LOCAL, tmplt.getId());
             }
-            long accountId = tmplt.getAccountId();
             if (template.getSize() != null) {
                 // publish usage event
                 String etype = EventTypes.EVENT_TEMPLATE_CREATE;
@@ -431,9 +402,13 @@ protected Void createTemplateAsyncCallBack(AsyncCallbackDispatcher<HypervisorTem
                     UsageEventUtils.publishUsageEvent(etype, template.getAccountId(), -1, template.getId(), template.getName(), null, null, physicalSize,
                         template.getSize(), VirtualMachineTemplate.class.getName(), template.getUuid());
                 }
-                _resourceLimitMgr.incrementResourceCount(accountId, ResourceType.secondary_storage, template.getSize());
             }
         }
+        if (tmplt != null) {
+            long accountId = tmplt.getAccountId();
+            Account account = _accountDao.findById(accountId);
+            _resourceLimitMgr.recalculateResourceCount(accountId, account.getDomainId(), ResourceType.secondary_storage.getOrdinal());
+        }
 
         return null;
     }
diff --git a/server/src/main/java/com/cloud/template/TemplateAdapterBase.java b/server/src/main/java/com/cloud/template/TemplateAdapterBase.java
index 97c6e5903592..8f5081356051 100644
--- a/server/src/main/java/com/cloud/template/TemplateAdapterBase.java
+++ b/server/src/main/java/com/cloud/template/TemplateAdapterBase.java
@@ -245,7 +245,7 @@ protected void postUploadAllocation(List<DataStore> imageStores, VMTemplateVO te
             Account account = _accountDao.findById(accountId);
             Domain domain = _domainDao.findById(account.getDomainId());
 
-            payload.setDefaultMaxSecondaryStorageInGB(_resourceLimitMgr.findCorrectResourceLimitForAccountAndDomain(account, domain, ResourceType.secondary_storage, null));
+            payload.setDefaultMaxSecondaryStorageInBytes(_resourceLimitMgr.findCorrectResourceLimitForAccountAndDomain(account, domain, ResourceType.secondary_storage, null));
             payload.setAccountId(accountId);
             payload.setRemoteEndPoint(ep.getPublicAddr());
             payload.setRequiresHvm(template.requiresHvm());
@@ -364,8 +364,6 @@ public TemplateProfile prepare(boolean isIso, long userId, String name, String d
             throw new IllegalArgumentException("Unable to find user with id " + userId);
         }
 
-        _resourceLimitMgr.checkResourceLimit(templateOwner, ResourceType.template);
-
         // If a zoneId is specified, make sure it is valid
         if (zoneIdList != null) {
             for (Long zoneId :zoneIdList) {
diff --git a/server/src/main/java/com/cloud/template/TemplateManagerImpl.java b/server/src/main/java/com/cloud/template/TemplateManagerImpl.java
index 67f7128e864d..3aaebc691309 100755
--- a/server/src/main/java/com/cloud/template/TemplateManagerImpl.java
+++ b/server/src/main/java/com/cloud/template/TemplateManagerImpl.java
@@ -86,6 +86,7 @@
 import org.apache.cloudstack.framework.messagebus.MessageBus;
 import org.apache.cloudstack.framework.messagebus.PublishScope;
 import org.apache.cloudstack.managed.context.ManagedContextRunnable;
+import org.apache.cloudstack.reservation.dao.ReservationDao;
 import org.apache.cloudstack.secstorage.dao.SecondaryStorageHeuristicDao;
 import org.apache.cloudstack.secstorage.heuristics.HeuristicType;
 import org.apache.cloudstack.snapshot.SnapshotHelper;
@@ -152,6 +153,7 @@
 import com.cloud.hypervisor.HypervisorGuruManager;
 import com.cloud.projects.Project;
 import com.cloud.projects.ProjectManager;
+import com.cloud.resourcelimit.CheckedReservation;
 import com.cloud.storage.DataStoreRole;
 import com.cloud.storage.GuestOSVO;
 import com.cloud.storage.ImageStoreUploadMonitorImpl;
@@ -201,6 +203,7 @@
 import com.cloud.utils.EnumUtils;
 import com.cloud.utils.Pair;
 import com.cloud.utils.StringUtils;
+import com.cloud.utils.UriUtils;
 import com.cloud.utils.component.AdapterBase;
 import com.cloud.utils.component.ManagerBase;
 import com.cloud.utils.concurrency.NamedThreadFactory;
@@ -302,29 +305,27 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
     private VMTemplateDetailsDao _tmpltDetailsDao;
     @Inject
     private HypervisorGuruManager _hvGuruMgr;
-
-    private List<TemplateAdapter> _adapters;
-
-    ExecutorService _preloadExecutor;
-
+    @Inject
+    ReservationDao reservationDao;
     @Inject
     private StorageCacheManager cacheMgr;
     @Inject
     private EndPointSelector selector;
-
     @Inject
     protected SnapshotHelper snapshotHelper;
     @Inject
     VnfTemplateManager vnfTemplateManager;
     @Inject
     TemplateDeployAsIsDetailsDao templateDeployAsIsDetailsDao;
-
     @Inject
     private SecondaryStorageHeuristicDao secondaryStorageHeuristicDao;
-
     @Inject
     private HeuristicRuleHelper heuristicRuleHelper;
 
+    private List<TemplateAdapter> _adapters;
+
+    ExecutorService _preloadExecutor;
+
     protected boolean backupSnapshotAfterTakingSnapshot = SnapshotInfo.BackupSnapshotAfterTakingSnapshot.value();
 
     private TemplateAdapter getAdapter(HypervisorType type) {
@@ -353,15 +354,31 @@ private TemplateAdapter getAdapter(HypervisorType type) {
     @ActionEvent(eventType = EventTypes.EVENT_ISO_CREATE, eventDescription = "Creating ISO")
     public VirtualMachineTemplate registerIso(RegisterIsoCmd cmd) throws ResourceAllocationException {
         TemplateAdapter adapter = getAdapter(HypervisorType.None);
-        TemplateProfile profile = adapter.prepare(cmd);
-        VMTemplateVO template = adapter.create(profile);
+        Account owner = _accountMgr.getAccount(cmd.getEntityOwnerId());
 
-        if (template != null) {
-            CallContext.current().putContextParameter(VirtualMachineTemplate.class, template.getUuid());
-            return template;
-        } else {
-            throw new CloudRuntimeException("Failed to create ISO");
+        // Secondary storage resource count is not incremented for BareMetalTemplateAdapter
+        // Note: checking the file size before registering will require the Management Server host to have access to the Internet and a DNS server
+        // If it does not, UriUtils.getRemoteSize will return 0L.
+        long secondaryStorageUsage = adapter instanceof HypervisorTemplateAdapter && !cmd.isDirectDownload() ?
+                UriUtils.getRemoteSize(cmd.getUrl(), StorageManager.DataStoreDownloadFollowRedirects.value()) : 0L;
+
+        try (CheckedReservation templateReservation = new CheckedReservation(owner, ResourceType.template, null, null, 1L, reservationDao, _resourceLimitMgr);
+             CheckedReservation secondaryStorageReservation = new CheckedReservation(owner, ResourceType.secondary_storage, null, null, secondaryStorageUsage, reservationDao, _resourceLimitMgr)) {
+            TemplateProfile profile = adapter.prepare(cmd);
+            VMTemplateVO template = adapter.create(profile);
+
+            // Secondary storage resource usage will be incremented in com.cloud.template.HypervisorTemplateAdapter.createTemplateAsyncCallBack
+            _resourceLimitMgr.incrementResourceCount(profile.getAccountId(), ResourceType.template);
+            if (secondaryStorageUsage > 0) {
+                _resourceLimitMgr.incrementResourceCount(profile.getAccountId(), ResourceType.secondary_storage, secondaryStorageUsage);
+            }
+            if (template != null) {
+                CallContext.current().putContextParameter(VirtualMachineTemplate.class, template.getUuid());
+                return template;
+            }
         }
+
+        throw new CloudRuntimeException("Failed to create ISO");
     }
 
     @Override
@@ -380,18 +397,32 @@ public VirtualMachineTemplate registerTemplate(RegisterTemplateCmd cmd) throws U
         }
 
         TemplateAdapter adapter = getAdapter(HypervisorType.getType(cmd.getHypervisor()));
-        TemplateProfile profile = adapter.prepare(cmd);
-        VMTemplateVO template = adapter.create(profile);
+        Account owner = _accountMgr.getAccount(cmd.getEntityOwnerId());
+
+        long secondaryStorageUsage = adapter instanceof HypervisorTemplateAdapter && !cmd.isDirectDownload() ?
+                UriUtils.getRemoteSize(cmd.getUrl(), StorageManager.DataStoreDownloadFollowRedirects.value()) : 0L;
 
-        if (template != null) {
-            CallContext.current().putContextParameter(VirtualMachineTemplate.class, template.getUuid());
-            if (cmd instanceof RegisterVnfTemplateCmd) {
-                vnfTemplateManager.persistVnfTemplate(template.getId(), (RegisterVnfTemplateCmd) cmd);
+        try (CheckedReservation templateReservation = new CheckedReservation(owner, ResourceType.template, null, null, 1L, reservationDao, _resourceLimitMgr);
+             CheckedReservation secondaryStorageReservation = new CheckedReservation(owner, ResourceType.secondary_storage, null, null, secondaryStorageUsage, reservationDao, _resourceLimitMgr)) {
+            TemplateProfile profile = adapter.prepare(cmd);
+            VMTemplateVO template = adapter.create(profile);
+
+            // Secondary storage resource usage will be incremented in com.cloud.template.HypervisorTemplateAdapter.createTemplateAsyncCallBack
+            // for HypervisorTemplateAdapter
+            _resourceLimitMgr.incrementResourceCount(profile.getAccountId(), ResourceType.template);
+            if (secondaryStorageUsage > 0) {
+                _resourceLimitMgr.incrementResourceCount(profile.getAccountId(), ResourceType.secondary_storage, secondaryStorageUsage);
+            }
+
+            if (template != null) {
+                CallContext.current().putContextParameter(VirtualMachineTemplate.class, template.getUuid());
+                if (cmd instanceof RegisterVnfTemplateCmd) {
+                    vnfTemplateManager.persistVnfTemplate(template.getId(), (RegisterVnfTemplateCmd) cmd);
+                }
+                return template;
             }
-            return template;
-        } else {
-            throw new CloudRuntimeException("Failed to create a Template");
         }
+        throw new CloudRuntimeException("Failed to create a Template");
     }
 
     /**
@@ -455,17 +486,35 @@ private GetUploadParamsResponse registerPostUploadInternal(TemplateAdapter adapt
     @Override
     @ActionEvent(eventType = EventTypes.EVENT_ISO_CREATE, eventDescription = "Creating post upload ISO")
     public GetUploadParamsResponse registerIsoForPostUpload(GetUploadParamsForIsoCmd cmd) throws ResourceAllocationException, MalformedURLException {
-        TemplateAdapter adapter = getAdapter(HypervisorType.None);
-        TemplateProfile profile = adapter.prepare(cmd);
-        return registerPostUploadInternal(adapter, profile);
+        Account owner = _accountMgr.getAccount(cmd.getEntityOwnerId());
+
+        try (CheckedReservation templateReservation = new CheckedReservation(owner, ResourceType.template, null, null, 1L, reservationDao, _resourceLimitMgr)) {
+            TemplateAdapter adapter = getAdapter(HypervisorType.None);
+            TemplateProfile profile = adapter.prepare(cmd);
+
+            GetUploadParamsResponse response = registerPostUploadInternal(adapter, profile);
+
+            _resourceLimitMgr.incrementResourceCount(profile.getAccountId(), ResourceType.template);
+
+            return response;
+        }
     }
 
     @Override
     @ActionEvent(eventType = EventTypes.EVENT_TEMPLATE_CREATE, eventDescription = "Creating post upload Template")
     public GetUploadParamsResponse registerTemplateForPostUpload(GetUploadParamsForTemplateCmd cmd) throws ResourceAllocationException, MalformedURLException {
-        TemplateAdapter adapter = getAdapter(HypervisorType.getType(cmd.getHypervisor()));
-        TemplateProfile profile = adapter.prepare(cmd);
-        return registerPostUploadInternal(adapter, profile);
+        Account owner = _accountMgr.getAccount(cmd.getEntityOwnerId());
+
+        try (CheckedReservation templateReservation = new CheckedReservation(owner, ResourceType.template, null, null, 1L, reservationDao, _resourceLimitMgr)) {
+            TemplateAdapter adapter = getAdapter(HypervisorType.getType(cmd.getHypervisor()));
+            TemplateProfile profile = adapter.prepare(cmd);
+
+            GetUploadParamsResponse response = registerPostUploadInternal(adapter, profile);
+
+            _resourceLimitMgr.incrementResourceCount(profile.getAccountId(), ResourceType.template);
+
+            return response;
+        }
     }
 
     @Override
@@ -527,7 +576,7 @@ public VirtualMachineTemplate prepareTemplate(long templateId, long zoneId, Long
 
         VMTemplateVO vmTemplate = _tmpltDao.findById(templateId);
         if (vmTemplate == null) {
-            throw new InvalidParameterValueException("Unable to find Template id=" + templateId);
+            throw new InvalidParameterValueException("Unable to find Template ID=" + templateId);
         }
 
         _accountMgr.checkAccess(CallContext.current().getCallingAccount(), AccessType.OperateEntry, true, vmTemplate);
@@ -832,9 +881,6 @@ public boolean copy(long userId, VMTemplateVO template, DataStore srcSecStore, D
         // find the size of the template to be copied
         TemplateDataStoreVO srcTmpltStore = _tmplStoreDao.findByStoreTemplate(srcSecStore.getId(), tmpltId);
 
-        _resourceLimitMgr.checkResourceLimit(account, ResourceType.template);
-        _resourceLimitMgr.checkResourceLimit(account, ResourceType.secondary_storage, new Long(srcTmpltStore.getSize()).longValue());
-
         // Event details
         String copyEventType;
         if (template.getFormat().equals(ImageFormat.ISO)) {
@@ -897,9 +943,6 @@ public boolean copy(long userId, VMTemplateVO template, DataStore srcSecStore, D
                         }
                     }
                 }
-
-                return true;
-
             } catch (Exception ex) {
                 logger.debug("Failed to copy Template to image store:{} ,will try next one", dstSecStore, ex);
             }
@@ -981,20 +1024,22 @@ public VirtualMachineTemplate copyTemplate(CopyTemplateCmd cmd) throws StorageUn
                 // sync template from cache store to region store if it is not there, for cases where we are going to migrate existing NFS to S3.
                 _tmpltSvr.syncTemplateToRegionStore(template, srcSecStore);
             }
+
+            AccountVO templateOwner = _accountDao.findById(template.getAccountId());
+
             for (Long destZoneId : destZoneIds) {
                 DataStore dstSecStore = getImageStore(destZoneId, templateId);
                 if (dstSecStore != null) {
                     logger.debug("There is Template {} in secondary storage {} in zone {} , don't need to copy", template, dstSecStore, dataCenterVOs.get(destZoneId));
                     continue;
                 }
-                if (!copy(userId, template, srcSecStore, dataCenterVOs.get(destZoneId))) {
-                    failedZones.add(dataCenterVOs.get(destZoneId).getName());
-                }
-                else{
-                    if (template.getSize() != null) {
-                        // increase resource count
-                        long accountId = template.getAccountId();
-                        _resourceLimitMgr.incrementResourceCount(accountId, ResourceType.secondary_storage, template.getSize());
+                if (template.getSize() != null) {
+                    try (CheckedReservation secondaryStorageReservation = new CheckedReservation(templateOwner, ResourceType.secondary_storage, null, null, template.getSize(), reservationDao, _resourceLimitMgr)) {
+                        if (!copy(userId, template, srcSecStore, dataCenterVOs.get(destZoneId))) {
+                            failedZones.add(dataCenterVOs.get(destZoneId).getName());
+                            continue;
+                        }
+                        _resourceLimitMgr.incrementResourceCount(templateOwner.getId(), ResourceType.secondary_storage, template.getSize());
                     }
                 }
             }
@@ -1018,9 +1063,6 @@ private boolean addTemplateToZone(VMTemplateVO template, long dstZoneId, long so
 
         AccountVO account = _accountDao.findById(template.getAccountId());
 
-
-        _resourceLimitMgr.checkResourceLimit(account, ResourceType.template);
-
         try {
             _tmpltDao.addTemplateToZone(template, dstZoneId);
             return true;
@@ -1839,7 +1881,7 @@ public void doInTransactionWithoutResult(TransactionStatus status) {
                         // decrement resource count
                         if (accountId != null) {
                             _resourceLimitMgr.decrementResourceCount(accountId, ResourceType.template);
-                            _resourceLimitMgr.decrementResourceCount(accountId, ResourceType.secondary_storage, new Long(volumeFinal != null ? volumeFinal.getSize()
+                            _resourceLimitMgr.decrementResourceCount(accountId, ResourceType.secondary_storage, (long)(volumeFinal != null ? volumeFinal.getSize()
                                     : snapshotFinal.getSize()));
                         }
                     }
@@ -1990,107 +2032,106 @@ public VMTemplateVO createPrivateTemplateRecord(CreateTemplateCmd cmd, Account t
             }
         }
 
-        _resourceLimitMgr.checkResourceLimit(templateOwner, ResourceType.template);
-        _resourceLimitMgr.checkResourceLimit(templateOwner, ResourceType.secondary_storage, new Long(volume != null ? volume.getSize() : snapshot.getSize()).longValue());
+        long templateSize = volume != null ? volume.getSize() : snapshot.getSize();
+        try (CheckedReservation templateReservation = new CheckedReservation(templateOwner, ResourceType.template, null, null, 1L, reservationDao, _resourceLimitMgr);
+             CheckedReservation secondaryStorageReservation = new CheckedReservation(templateOwner, ResourceType.secondary_storage, null, null, templateSize, reservationDao, _resourceLimitMgr)) {
 
-        if (!isAdmin || featured == null) {
-            featured = Boolean.FALSE;
-        }
-        Long guestOSId = cmd.getOsTypeId();
-        GuestOSVO guestOS = _guestOSDao.findById(guestOSId);
-        if (guestOS == null) {
-            throw new InvalidParameterValueException("GuestOS with ID: " + guestOSId + " does not exist.");
-        }
-
-        Long nextTemplateId = _tmpltDao.getNextInSequence(Long.class, "id");
-        String description = cmd.getDisplayText();
-        boolean isExtractable = false;
-        Long sourceTemplateId = null;
-        if (volume != null) {
-            VMTemplateVO template = ApiDBUtils.findTemplateById(volume.getTemplateId());
-            isExtractable = template != null && template.isExtractable() && template.getTemplateType() != Storage.TemplateType.SYSTEM;
-            if (template != null) {
-                arch = template.getArch();
+            if (!isAdmin || featured == null) {
+                featured = Boolean.FALSE;
             }
-            if (volume.getIsoId() != null && volume.getIsoId() != 0) {
-                sourceTemplateId = volume.getIsoId();
-            } else if (volume.getTemplateId() != null) {
-                sourceTemplateId = volume.getTemplateId();
-            }
-        }
-        String templateTag = cmd.getTemplateTag();
-        if (templateTag != null) {
-            if (logger.isDebugEnabled()) {
-                logger.debug("Adding Template tag: " + templateTag);
+            Long guestOSId = cmd.getOsTypeId();
+            GuestOSVO guestOS = _guestOSDao.findById(guestOSId);
+            if (guestOS == null) {
+                throw new InvalidParameterValueException("GuestOS with ID: " + guestOSId + " does not exist.");
             }
-        }
-        privateTemplate = new VMTemplateVO(nextTemplateId, name, ImageFormat.RAW, isPublic, featured, isExtractable,
-                TemplateType.USER, null, requiresHvmValue, bitsValue, templateOwner.getId(), null, description,
-                passwordEnabledValue, guestOS.getId(), true, hyperType, templateTag, cmd.getDetails(), sshKeyEnabledValue, isDynamicScalingEnabled, false, false, arch, null);
 
-        if (sourceTemplateId != null) {
-            if (logger.isDebugEnabled()) {
-                logger.debug("This Template is getting created from other Template, setting source Template ID to: " + sourceTemplateId);
+            Long nextTemplateId = _tmpltDao.getNextInSequence(Long.class, "id");
+            String description = cmd.getDisplayText();
+            boolean isExtractable = false;
+            Long sourceTemplateId = null;
+            if (volume != null) {
+                VMTemplateVO template = ApiDBUtils.findTemplateById(volume.getTemplateId());
+                isExtractable = template != null && template.isExtractable() && template.getTemplateType() != Storage.TemplateType.SYSTEM;
+                if (template != null) {
+                    arch = template.getArch();
+                }
+                if (volume.getIsoId() != null && volume.getIsoId() != 0) {
+                    sourceTemplateId = volume.getIsoId();
+                } else if (volume.getTemplateId() != null) {
+                    sourceTemplateId = volume.getTemplateId();
+                }
             }
-        }
+            String templateTag = cmd.getTemplateTag();
+            if (templateTag != null) {
+                if (logger.isDebugEnabled()) {
+                    logger.debug("Adding Template tag: " + templateTag);
+                }
+            }
+            privateTemplate = new VMTemplateVO(nextTemplateId, name, ImageFormat.RAW, isPublic, featured, isExtractable,
+                    TemplateType.USER, null, requiresHvmValue, bitsValue, templateOwner.getId(), null, description,
+                    passwordEnabledValue, guestOS.getId(), true, hyperType, templateTag, cmd.getDetails(), sshKeyEnabledValue, isDynamicScalingEnabled, false, false, arch, null);
 
+            if (sourceTemplateId != null) {
+                if (logger.isDebugEnabled()) {
+                    logger.debug("This Template is getting created from other Template, setting source Template ID to: " + sourceTemplateId);
+                }
+            }
 
-        // for region wide storage, set cross zones flag
-        List<ImageStoreVO> stores = _imgStoreDao.findRegionImageStores();
-        if (!CollectionUtils.isEmpty(stores)) {
-            privateTemplate.setCrossZones(true);
-        }
+            // for region wide storage, set cross zones flag
+            List<ImageStoreVO> stores = _imgStoreDao.findRegionImageStores();
+            if (!CollectionUtils.isEmpty(stores)) {
+                privateTemplate.setCrossZones(true);
+            }
 
-        privateTemplate.setSourceTemplateId(sourceTemplateId);
+            privateTemplate.setSourceTemplateId(sourceTemplateId);
 
-        VMTemplateVO template = _tmpltDao.persist(privateTemplate);
-        // Increment the number of templates
-        if (template != null) {
-            Map<String, String> details = new HashMap<String, String>();
+            VMTemplateVO template = _tmpltDao.persist(privateTemplate);
+            // Increment the number of templates
+            if (template != null) {
+                Map<String, String> details = new HashMap<String, String>();
 
-            if (sourceTemplateId != null) {
-                VMTemplateVO sourceTemplate = _tmpltDao.findById(sourceTemplateId);
-                if (sourceTemplate != null && sourceTemplate.getDetails() != null) {
-                    details.putAll(sourceTemplate.getDetails());
+                if (sourceTemplateId != null) {
+                    VMTemplateVO sourceTemplate = _tmpltDao.findById(sourceTemplateId);
+                    if (sourceTemplate != null && sourceTemplate.getDetails() != null) {
+                        details.putAll(sourceTemplate.getDetails());
+                    }
                 }
-            }
 
-            if (volume != null) {
-                Long vmId = volume.getInstanceId();
-                if (vmId != null) {
-                    UserVmVO userVm = _userVmDao.findById(vmId);
-                    if (userVm != null) {
-                        _userVmDao.loadDetails(userVm);
-                        Map<String, String> vmDetails = userVm.getDetails();
-                        vmDetails = vmDetails.entrySet()
-                                .stream()
-                                .filter(map -> map.getValue() != null)
-                                .collect(Collectors.toMap(map -> map.getKey(), map -> map.getValue()));
-                        details.putAll(vmDetails);
+                if (volume != null) {
+                    Long vmId = volume.getInstanceId();
+                    if (vmId != null) {
+                        UserVmVO userVm = _userVmDao.findById(vmId);
+                        if (userVm != null) {
+                            _userVmDao.loadDetails(userVm);
+                            Map<String, String> vmDetails = userVm.getDetails();
+                            vmDetails = vmDetails.entrySet()
+                                    .stream()
+                                    .filter(map -> map.getValue() != null)
+                                    .collect(Collectors.toMap(map -> map.getKey(), map -> map.getValue()));
+                            details.putAll(vmDetails);
+                        }
                     }
                 }
-            }
-            if (cmd.getDetails() != null) {
-                details.remove(VmDetailConstants.ENCRYPTED_PASSWORD); // new password will be generated during vm deployment from password enabled template
-                details.putAll(cmd.getDetails());
-            }
-            if (!details.isEmpty()) {
-                privateTemplate.setDetails(details);
-                _tmpltDao.saveDetails(privateTemplate);
-            }
+                if (cmd.getDetails() != null) {
+                    details.remove(VmDetailConstants.ENCRYPTED_PASSWORD); // new password will be generated during vm deployment from password enabled template
+                    details.putAll(cmd.getDetails());
+                }
+                if (!details.isEmpty()) {
+                    privateTemplate.setDetails(details);
+                    _tmpltDao.saveDetails(privateTemplate);
+                }
 
-            _resourceLimitMgr.incrementResourceCount(templateOwner.getId(), ResourceType.template);
-            _resourceLimitMgr.incrementResourceCount(templateOwner.getId(), ResourceType.secondary_storage,
-                    new Long(volume != null ? volume.getSize() : snapshot.getSize()));
-        }
+                _resourceLimitMgr.incrementResourceCount(templateOwner.getId(), ResourceType.template);
+                _resourceLimitMgr.incrementResourceCount(templateOwner.getId(), ResourceType.secondary_storage, templateSize);
+            }
 
-        if (template != null) {
-            CallContext.current().putContextParameter(VirtualMachineTemplate.class, template.getUuid());
-            return template;
-        } else {
-            throw new CloudRuntimeException("Failed to create a Template");
+            if (template != null) {
+                CallContext.current().putContextParameter(VirtualMachineTemplate.class, template.getUuid());
+                return template;
+            } else {
+                throw new CloudRuntimeException("Failed to create a Template");
+            }
         }
-
     }
 
     @Override
@@ -2262,7 +2303,7 @@ private VMTemplateVO updateTemplateOrIso(BaseUpdateTemplateOrIsoCmd cmd) {
                   templateTag == null &&
                   forCks == null &&
                   arch == null &&
-                  (!cleanupDetails && details == null) //update details in every case except this one
+                  (! cleanupDetails && details == null) // update details in every case except this one
                   );
         if (!updateNeeded) {
             return template;
@@ -2381,6 +2422,9 @@ private VMTemplateVO updateTemplateOrIso(BaseUpdateTemplateOrIsoCmd cmd) {
 
     @Override
     public TemplateType validateTemplateType(BaseCmd cmd, boolean isAdmin, boolean isCrossZones, HypervisorType hypervisorType) {
+        if (cmd instanceof GetUploadParamsForIsoCmd) {
+            return TemplateType.USER;
+        }
         if (!(cmd instanceof UpdateTemplateCmd) && !(cmd instanceof RegisterTemplateCmd) && !(cmd instanceof GetUploadParamsForTemplateCmd)) {
             return null;
         }
@@ -2413,7 +2457,7 @@ public TemplateType validateTemplateType(BaseCmd cmd, boolean isAdmin, boolean i
             } else if ((cmd instanceof RegisterVnfTemplateCmd || cmd instanceof UpdateVnfTemplateCmd) && !TemplateType.VNF.equals(templateType)) {
                 throw new InvalidParameterValueException("The template type must be VNF for VNF templates, but the actual type is " + templateType);
             }
-        } else if (cmd instanceof RegisterTemplateCmd) {
+        } else if (cmd instanceof RegisterTemplateCmd || cmd instanceof GetUploadParamsForTemplateCmd) {
             boolean isRouting = Boolean.TRUE.equals(isRoutingType);
             templateType = (cmd instanceof RegisterVnfTemplateCmd) ? TemplateType.VNF : (isRouting ? TemplateType.ROUTING : TemplateType.USER);
         }
@@ -2423,6 +2467,8 @@ public TemplateType validateTemplateType(BaseCmd cmd, boolean isAdmin, boolean i
                 throw new InvalidParameterValueException(String.format("Users can not register Template with template type %s.", templateType));
             } else if (cmd instanceof UpdateTemplateCmd) {
                 throw new InvalidParameterValueException(String.format("Users can not update Template to template type %s.", templateType));
+            } else if (cmd instanceof GetUploadParamsForTemplateCmd) {
+                throw new InvalidParameterValueException(String.format("Users can not request upload parameters for Template with template type %s.", templateType));
             }
         }
         return templateType;
@@ -2452,7 +2498,6 @@ void validateDetails(VMTemplateVO template, Map<String, String> details) {
         if (MapUtils.isEmpty(details)) {
             return;
         }
-
         String bootMode = details.get(ApiConstants.BootType.UEFI.toString());
         if (bootMode == null) {
             return;
diff --git a/server/src/main/java/com/cloud/user/AccountManagerImpl.java b/server/src/main/java/com/cloud/user/AccountManagerImpl.java
index d9af7af6c334..d4d48bdf77be 100644
--- a/server/src/main/java/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/main/java/com/cloud/user/AccountManagerImpl.java
@@ -73,7 +73,9 @@
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiCommandResourceType;
 import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.ApiErrorCode;
 import org.apache.cloudstack.api.BaseAsyncCmd;
+import org.apache.cloudstack.api.ServerApiException;
 import org.apache.cloudstack.api.command.admin.account.CreateAccountCmd;
 import org.apache.cloudstack.api.command.admin.account.UpdateAccountCmd;
 import org.apache.cloudstack.api.command.admin.user.DeleteUserCmd;
@@ -1387,20 +1389,19 @@ public UserAccount createUserAccount(final String userName, final String passwor
 
         final String accountNameFinal = accountName;
         final Long domainIdFinal = domainId;
-        final String accountUUIDFinal = accountUUID;
+        final String resolvedAccountUUID = accountUUID != null ? accountUUID : UUID.randomUUID().toString();
+
+        // Check role escalation before the transaction — this is a read-only check
+        // that iterates all API commands and doesn't need a write transaction open.
+        AccountVO requestedAccount = new AccountVO(accountNameFinal, domainIdFinal, networkDomain, accountType, roleId, resolvedAccountUUID);
+        checkRoleEscalation(getCurrentCallingAccount(), requestedAccount);
+
         Pair<Long, Account> pair = Transaction.execute(new TransactionCallback<>() {
             @Override
             public Pair<Long, Account> doInTransaction(TransactionStatus status) {
-                // create account
-                String accountUUID = accountUUIDFinal;
-                if (accountUUID == null) {
-                    accountUUID = UUID.randomUUID().toString();
-                }
-                AccountVO account = createAccount(accountNameFinal, accountType, roleId, domainIdFinal, networkDomain, details, accountUUID);
+                AccountVO account = createAccount(accountNameFinal, accountType, roleId, domainIdFinal, networkDomain, details, resolvedAccountUUID);
                 long accountId = account.getId();
 
-                checkRoleEscalation(getCurrentCallingAccount(), account);
-
                 // create the first user for the account
                 UserVO user = createUser(accountId, userName, password, firstName, lastName, email, timezone, userUUID, source);
 
@@ -2212,6 +2213,7 @@ public boolean deleteUserAccount(long accountId) {
 
         checkIfAccountManagesProjects(accountId);
         verifyCallerPrivilegeForUserOrAccountOperations(account);
+        validateNoDeleteProtectedVmsForAccount(account);
 
         CallContext.current().putContextParameter(Account.class, account.getUuid());
 
@@ -2251,6 +2253,23 @@ protected boolean isDeleteNeeded(AccountVO account, long accountId, Account call
         return true;
     }
 
+    private void validateNoDeleteProtectedVmsForAccount(Account account) {
+        long accountId = account.getId();
+        List<VMInstanceVO> deleteProtectedVms = _vmDao.listDeleteProtectedVmsByAccountId(accountId);
+        if (CollectionUtils.isEmpty(deleteProtectedVms)) {
+            return;
+        }
+
+        if (logger.isDebugEnabled()) {
+            List<String> vmUuids = deleteProtectedVms.stream().map(VMInstanceVO::getUuid).collect(Collectors.toList());
+            logger.debug("Cannot delete Account {}, delete protection enabled for Instances: {}", account, vmUuids);
+        }
+
+        throw new InvalidParameterValueException(
+                String.format("Cannot delete Account '%s'. One or more Instances have delete protection enabled.",
+                        account.getAccountName()));
+    }
+
     @Override
     @ActionEvent(eventType = EventTypes.EVENT_ACCOUNT_ENABLE, eventDescription = "enabling account", async = true)
     public AccountVO enableAccount(String accountName, Long domainId, Long accountId) {
@@ -3828,6 +3847,11 @@ public void buildACLViewSearchCriteria(SearchCriteria<? extends ControlledViewEn
     @Override
     public UserAccount getUserByApiKey(String apiKey) {
         ApiKeyPairVO keyPair = apiKeyPairDao.findByApiKey(apiKey);
+
+        if (keyPair == null) {
+            return null;
+        }
+
         return userAccountDao.findById(keyPair.getUserId());
     }
 
@@ -3886,6 +3910,48 @@ public Long finalizeAccountId(final String accountName, final Long domainId, fin
         return null;
     }
 
+    @Override
+    public Long finalizeAccountId(Long accountId, String accountName, Long domainId, Long projectId) {
+        if (projectId != null) {
+            if (ObjectUtils.anyNotNull(accountId, accountName)) {
+                throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Project and account can not be specified together.");
+            }
+            return getActiveProjectAccountByProjectId(projectId);
+        }
+        if (accountId != null) {
+            if (getActiveAccountById(accountId) != null) {
+                return accountId;
+            }
+            throw new InvalidParameterValueException(String.format("Unable to find account with ID [%s].", accountId));
+        }
+
+        if (accountName == null && domainId == null) {
+            throw new ServerApiException(ApiErrorCode.PARAM_ERROR, String.format("Either %s or %s must be informed.", ApiConstants.ACCOUNT_ID, ApiConstants.PROJECT_ID));
+        }
+
+        try {
+            Account activeAccount = getActiveAccountByName(accountName, domainId);
+            if (activeAccount != null) {
+                return activeAccount.getId();
+            }
+        } catch (InvalidParameterValueException exception) {
+            throw new ServerApiException(ApiErrorCode.PARAM_ERROR, String.format("Both %s and %s are needed if using either. Consider using %s instead.",
+                    ApiConstants.ACCOUNT, ApiConstants.DOMAIN_ID, ApiConstants.ACCOUNT_ID));
+        }
+        throw new InvalidParameterValueException(String.format("Unable to find account by name [%s] on domain [%s].", accountName, domainId));
+    }
+
+    protected long getActiveProjectAccountByProjectId(long projectId) {
+        Project project = _projectMgr.getProject(projectId);
+        if (project == null) {
+            throw new ServerApiException(ApiErrorCode.PARAM_ERROR, String.format("Unable to find project with ID [%s].", projectId));
+        }
+        if (project.getState() != Project.State.Active) {
+            throw new ServerApiException(ApiErrorCode.PARAM_ERROR, String.format("Project with ID [%s] is not active.", projectId));
+        }
+        return project.getProjectAccountId();
+    }
+
     @Override
     public UserAccount getUserAccountById(Long userId) {
         UserAccount userAccount = userAccountDao.findById(userId);
diff --git a/server/src/main/java/com/cloud/user/DomainManagerImpl.java b/server/src/main/java/com/cloud/user/DomainManagerImpl.java
index 28f9bd3ab391..a590c5ad833d 100644
--- a/server/src/main/java/com/cloud/user/DomainManagerImpl.java
+++ b/server/src/main/java/com/cloud/user/DomainManagerImpl.java
@@ -25,6 +25,7 @@
 import java.util.UUID;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
+import java.util.stream.Collectors;
 
 import javax.inject.Inject;
 
@@ -104,6 +105,7 @@
 import com.cloud.utils.net.NetUtils;
 import com.cloud.vm.ReservationContext;
 import com.cloud.vm.ReservationContextImpl;
+import com.cloud.vm.VMInstanceVO;
 import com.cloud.vm.dao.VMInstanceDao;
 
 import org.apache.commons.lang3.StringUtils;
@@ -364,6 +366,8 @@ public boolean deleteDomain(long domainId, Boolean cleanup) {
         }
 
         _accountMgr.checkAccess(caller, domain);
+        // Check across the domain hierarchy (current + children) for any delete-protected instances
+        validateNoDeleteProtectedVmsForDomain(domain);
 
         return deleteDomain(domain, cleanup);
     }
@@ -724,6 +728,22 @@ protected boolean cleanupDomain(Long domainId, Long ownerId) throws ConcurrentOp
         return success && deleteDomainSuccess;
     }
 
+    private void validateNoDeleteProtectedVmsForDomain(Domain parentDomain) {
+        Set<Long> allDomainIds = getDomainChildrenIds(parentDomain.getPath());
+        List<VMInstanceVO> deleteProtectedVms = vmInstanceDao.listDeleteProtectedVmsByDomainIds(allDomainIds);
+        if (CollectionUtils.isEmpty(deleteProtectedVms)) {
+            return;
+        }
+        if (logger.isDebugEnabled()) {
+            List<String> vmUuids = deleteProtectedVms.stream().map(VMInstanceVO::getUuid).collect(Collectors.toList());
+            logger.debug("Cannot delete Domain {}, it has delete protection enabled for Instances: {}", parentDomain, vmUuids);
+        }
+
+        throw new InvalidParameterValueException(
+                String.format("Cannot delete Domain '%s'. One or more Instances have delete protection enabled.",
+                        parentDomain.getName()));
+    }
+
     @Override
     public Pair<List<? extends Domain>, Integer> searchForDomains(ListDomainsCmd cmd) {
         Account caller = getCaller();
diff --git a/server/src/main/java/com/cloud/vm/UserVmManager.java b/server/src/main/java/com/cloud/vm/UserVmManager.java
index c035165a3fa8..300803bfa986 100644
--- a/server/src/main/java/com/cloud/vm/UserVmManager.java
+++ b/server/src/main/java/com/cloud/vm/UserVmManager.java
@@ -108,6 +108,13 @@ public interface UserVmManager extends UserVmService {
             "Comma separated list of allowed additional VM settings if VM instance settings are read from OVA.",
             true, ConfigKey.Scope.Zone, null, null, null, null, null, ConfigKey.Kind.CSV, null);
 
+    ConfigKey<Boolean> AllowDifferentHostTagsOfferingsForVmScale = new ConfigKey<>("Advanced", Boolean.class, "allow.different.host.tags.offerings.for.vm.scale", "false",
+            "Enables/Disable allowing to change a VM offering to offerings with different host tags", true);
+
+    ConfigKey<Boolean> AutoMigrateVmOnLiveScaleInsufficientCapacity = new ConfigKey<>("Advanced", Boolean.class, "auto.migrate.vm.on.live.scale.insufficient.capacity",
+            "true", "Defines whether a VM should be automatically migrated to a suitable host when the current host " +
+                    "lacks sufficient compute capacity to live scale the instance. Defaults to true.", true, ConfigKey.Scope.Cluster);
+
     static final int MAX_USER_DATA_LENGTH_BYTES = 2048;
 
     public  static  final String CKS_NODE = "cksnode";
@@ -199,4 +206,9 @@ static Set<String> getStrictHostTags() {
 
     Boolean getDestroyRootVolumeOnVmDestruction(Long domainId);
 
+    /**
+     * @return true if the VM is part of a CKS cluster, false otherwise.
+     */
+    boolean isVMPartOfAnyCKSCluster(VMInstanceVO vm);
+
 }
diff --git a/server/src/main/java/com/cloud/vm/UserVmManagerImpl.java b/server/src/main/java/com/cloud/vm/UserVmManagerImpl.java
index 4597ef81965b..bb55f570927b 100644
--- a/server/src/main/java/com/cloud/vm/UserVmManagerImpl.java
+++ b/server/src/main/java/com/cloud/vm/UserVmManagerImpl.java
@@ -60,9 +60,6 @@
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.ParserConfigurationException;
 
-import com.cloud.serializer.GsonHelper;
-import com.cloud.storage.SnapshotPolicyVO;
-import com.cloud.storage.dao.SnapshotPolicyDao;
 import org.apache.cloudstack.acl.ControlledEntity;
 import org.apache.cloudstack.acl.ControlledEntity.ACLType;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
@@ -99,6 +96,7 @@
 import org.apache.cloudstack.api.command.user.vm.StartVMCmd;
 import org.apache.cloudstack.api.command.user.vm.UpdateDefaultNicForVMCmd;
 import org.apache.cloudstack.api.command.user.vm.UpdateVMCmd;
+import org.apache.cloudstack.api.command.user.vm.UpdateVmNicCmd;
 import org.apache.cloudstack.api.command.user.vm.UpdateVmNicIpCmd;
 import org.apache.cloudstack.api.command.user.vm.UpgradeVMCmd;
 import org.apache.cloudstack.api.command.user.vmgroup.CreateVMGroupCmd;
@@ -129,6 +127,7 @@
 import org.apache.cloudstack.engine.subsystem.api.storage.VolumeInfo;
 import org.apache.cloudstack.engine.subsystem.api.storage.VolumeService;
 import org.apache.cloudstack.engine.subsystem.api.storage.VolumeService.VolumeApiResult;
+import org.apache.cloudstack.extension.ExtensionHelper;
 import org.apache.cloudstack.framework.async.AsyncCallFuture;
 import org.apache.cloudstack.framework.config.ConfigKey;
 import org.apache.cloudstack.framework.config.Configurable;
@@ -139,6 +138,7 @@
 import org.apache.cloudstack.managed.context.ManagedContextRunnable;
 import org.apache.cloudstack.query.QueryService;
 import org.apache.cloudstack.reservation.dao.ReservationDao;
+import org.apache.cloudstack.resourcelimit.Reserver;
 import org.apache.cloudstack.snapshot.SnapshotHelper;
 import org.apache.cloudstack.storage.command.DeleteCommand;
 import org.apache.cloudstack.storage.command.DettachCommand;
@@ -156,7 +156,6 @@
 import org.apache.commons.collections.MapUtils;
 import org.apache.commons.lang.math.NumberUtils;
 import org.apache.commons.lang3.ObjectUtils;
-import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.lang3.builder.ToStringBuilder;
 import org.apache.commons.lang3.builder.ToStringStyle;
 import org.jetbrains.annotations.NotNull;
@@ -267,12 +266,12 @@
 import com.cloud.kubernetes.cluster.KubernetesServiceHelper;
 import com.cloud.network.IpAddressManager;
 import com.cloud.network.Network;
+import com.cloud.network.NetworkService;
 import com.cloud.network.Network.GuestType;
 import com.cloud.network.Network.IpAddresses;
 import com.cloud.network.Network.Provider;
 import com.cloud.network.Network.Service;
 import com.cloud.network.NetworkModel;
-import com.cloud.network.NetworkService;
 import com.cloud.network.Networks.TrafficType;
 import com.cloud.network.PhysicalNetwork;
 import com.cloud.network.as.AutoScaleManager;
@@ -314,6 +313,8 @@
 import com.cloud.resource.ResourceManager;
 import com.cloud.resource.ResourceState;
 import com.cloud.resourcelimit.CheckedReservation;
+import com.cloud.resourcelimit.ReservationHelper;
+import com.cloud.serializer.GsonHelper;
 import com.cloud.server.ManagementService;
 import com.cloud.server.ResourceTag;
 import com.cloud.service.ServiceOfferingVO;
@@ -325,6 +326,7 @@
 import com.cloud.storage.GuestOSVO;
 import com.cloud.storage.ScopeType;
 import com.cloud.storage.Snapshot;
+import com.cloud.storage.SnapshotPolicyVO;
 import com.cloud.storage.SnapshotVO;
 import com.cloud.storage.Storage;
 import com.cloud.storage.Storage.ImageFormat;
@@ -343,6 +345,7 @@
 import com.cloud.storage.dao.GuestOSCategoryDao;
 import com.cloud.storage.dao.GuestOSDao;
 import com.cloud.storage.dao.SnapshotDao;
+import com.cloud.storage.dao.SnapshotPolicyDao;
 import com.cloud.storage.dao.VMTemplateDao;
 import com.cloud.storage.dao.VMTemplateZoneDao;
 import com.cloud.storage.dao.VolumeDao;
@@ -373,6 +376,7 @@
 import com.cloud.utils.Journal;
 import com.cloud.utils.NumbersUtil;
 import com.cloud.utils.Pair;
+import com.cloud.utils.StringUtils;
 import com.cloud.utils.component.ComponentContext;
 import com.cloud.utils.component.ManagerBase;
 import com.cloud.utils.concurrency.NamedThreadFactory;
@@ -638,6 +642,9 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
     @Inject
     VnfTemplateManager vnfTemplateManager;
 
+    @Inject
+    ExtensionHelper extensionHelper;
+
     private ScheduledExecutorService _executor = null;
     private ScheduledExecutorService _vmIpFetchExecutor = null;
     private int _expungeInterval;
@@ -883,10 +890,10 @@ public UserVm resetVMPassword(ResetVMPasswordCmd cmd, String password) throws Re
     }
 
     private boolean resetVMPasswordInternal(Long vmId, String password) throws ResourceUnavailableException, InsufficientCapacityException {
-        Long userId = CallContext.current().getCallingUserId();
+        long userId = CallContext.current().getCallingUserId();
         VMInstanceVO vmInstance = _vmDao.findById(vmId);
 
-        if (password == null || password.equals("")) {
+        if (StringUtils.isEmpty(password)) {
             return false;
         }
 
@@ -1071,7 +1078,7 @@ protected void removeEncryptedPasswordFromUserVmVoDetails(long vmId) {
     }
 
     private boolean resetVMSSHKeyInternal(Long vmId, String sshPublicKeys, String keypairnames) throws ResourceUnavailableException, InsufficientCapacityException {
-        Long userId = CallContext.current().getCallingUserId();
+        long userId = CallContext.current().getCallingUserId();
         VMInstanceVO vmInstance = _vmDao.findById(vmId);
 
         VMTemplateVO template = _templateDao.findByIdIncludingRemoved(vmInstance.getTemplateId());
@@ -1174,21 +1181,21 @@ private UserVm rebootVirtualMachine(long userId, long vmId, boolean enterSetup,
                     List<Long> vmNetworks = _vmNetworkMapDao.getNetworks(vmId);
                     List<DomainRouterVO> routers = new ArrayList<>();
                     //List the stopped routers
-                    for(long vmNetworkId : vmNetworks) {
+                    for (long vmNetworkId : vmNetworks) {
                         List<DomainRouterVO> router = _routerDao.listStopped(vmNetworkId);
                         routers.addAll(router);
                     }
                     //A vm may not have many nics attached and even fewer routers might be stopped (only in exceptional cases)
                     //Safe to start the stopped router serially, this is consistent with the way how multiple networks are added to vm during deploy
                     //and routers are started serially ,may revisit to make this process parallel
-                    for(DomainRouterVO routerToStart : routers) {
+                    for (DomainRouterVO routerToStart : routers) {
                         logger.warn("Trying to start router {} as part of vm: {} reboot", routerToStart, vm);
                         _virtualNetAppliance.startRouter(routerToStart.getId(),true);
                     }
                 }
             } catch (ConcurrentOperationException e) {
                 throw new CloudRuntimeException("Concurrent operations on starting router. " + e);
-            } catch (Exception ex){
+            } catch (Exception ex) {
                 throw new CloudRuntimeException("Router start failed due to" + ex);
             } finally {
                 if (logger.isInfoEnabled()) {
@@ -1243,7 +1250,7 @@ public UserVm upgradeVirtualMachine(UpgradeVMCmd cmd) throws ResourceAllocationE
         if (vmInstance == null) {
             throw new InvalidParameterValueException("unable to find an Instance with id " + vmId);
         } else if (!(vmInstance.getState().equals(State.Stopped))) {
-            throw new InvalidParameterValueException("Unable to upgrade Instance " + vmInstance.toString() + " " + " in state " + vmInstance.getState()
+            throw new InvalidParameterValueException("Unable to upgrade Instance " + vmInstance + " " + " in state " + vmInstance.getState()
             + "; make sure the Instance is stopped");
         }
 
@@ -1305,46 +1312,45 @@ private void validateOfferingMaxResource(ServiceOfferingVO offering) {
 
     @Override
     public void validateCustomParameters(ServiceOfferingVO serviceOffering, Map<String, String> customParameters) {
-        //TODO need to validate custom cpu, and memory against min/max CPU/Memory ranges from service_offering_details table
-        if (customParameters.size() != 0) {
-            Map<String, String> offeringDetails = serviceOfferingDetailsDao.listDetailsKeyPairs(serviceOffering.getId());
-            if (serviceOffering.getCpu() == null) {
-                int minCPU = NumbersUtil.parseInt(offeringDetails.get(ApiConstants.MIN_CPU_NUMBER), 1);
-                int maxCPU = NumbersUtil.parseInt(offeringDetails.get(ApiConstants.MAX_CPU_NUMBER), Integer.MAX_VALUE);
-                int cpuNumber = NumbersUtil.parseInt(customParameters.get(UsageEventVO.DynamicParameters.cpuNumber.name()), -1);
-                Integer maxCPUCores = ConfigurationManagerImpl.VM_SERVICE_OFFERING_MAX_CPU_CORES.value() == 0 ? Integer.MAX_VALUE: ConfigurationManagerImpl.VM_SERVICE_OFFERING_MAX_CPU_CORES.value();
-                if (cpuNumber < minCPU || cpuNumber > maxCPU || cpuNumber > maxCPUCores) {
-                    throw new InvalidParameterValueException(String.format("Invalid CPU cores value, specify a value between %d and %d", minCPU, Math.min(maxCPUCores, maxCPU)));
-                }
-            } else if (customParameters.containsKey(UsageEventVO.DynamicParameters.cpuNumber.name())) {
-                throw new InvalidParameterValueException("The CPU cores of this offering id:" + serviceOffering.getUuid()
-                + " is not customizable. This is predefined in the Template.");
-            }
-
-            if (serviceOffering.getSpeed() == null) {
-                String cpuSpeed = customParameters.get(UsageEventVO.DynamicParameters.cpuSpeed.name());
-                if ((cpuSpeed == null) || (NumbersUtil.parseInt(cpuSpeed, -1) <= 0)) {
-                    throw new InvalidParameterValueException("Invalid CPU speed value, specify a value between 1 and " + Integer.MAX_VALUE);
-                }
-            } else if (!serviceOffering.isCustomCpuSpeedSupported() && customParameters.containsKey(UsageEventVO.DynamicParameters.cpuSpeed.name())) {
-                throw new InvalidParameterValueException("The CPU speed of this offering id:" + serviceOffering.getUuid()
-                + " is not customizable. This is predefined in the Template.");
-            }
-
-            if (serviceOffering.getRamSize() == null) {
-                int minMemory = NumbersUtil.parseInt(offeringDetails.get(ApiConstants.MIN_MEMORY), 32);
-                int maxMemory = NumbersUtil.parseInt(offeringDetails.get(ApiConstants.MAX_MEMORY), Integer.MAX_VALUE);
-                int memory = NumbersUtil.parseInt(customParameters.get(UsageEventVO.DynamicParameters.memory.name()), -1);
-                Integer maxRAMSize = ConfigurationManagerImpl.VM_SERVICE_OFFERING_MAX_RAM_SIZE.value() == 0 ? Integer.MAX_VALUE: ConfigurationManagerImpl.VM_SERVICE_OFFERING_MAX_RAM_SIZE.value();
-                if (memory < minMemory || memory > maxMemory || memory > maxRAMSize) {
-                    throw new InvalidParameterValueException(String.format("Invalid memory value, specify a value between %d and %d", minMemory, Math.min(maxRAMSize, maxMemory)));
-                }
-            } else if (customParameters.containsKey(UsageEventVO.DynamicParameters.memory.name())) {
-                throw new InvalidParameterValueException("The memory of this offering id:" + serviceOffering.getUuid() + " is not customizable. This is predefined in the Template.");
-            }
-        } else {
+        if (MapUtils.isEmpty(customParameters) && serviceOffering.isDynamic()) {
             throw new InvalidParameterValueException("Need to specify custom parameter values cpu, cpu speed and memory when using custom offering");
         }
+        Map<String, String> offeringDetails = serviceOfferingDetailsDao.listDetailsKeyPairs(serviceOffering.getId());
+        if (serviceOffering.getCpu() == null) {
+            int minCPU = NumbersUtil.parseInt(offeringDetails.get(ApiConstants.MIN_CPU_NUMBER), 1);
+            int maxCPU = NumbersUtil.parseInt(offeringDetails.get(ApiConstants.MAX_CPU_NUMBER), Integer.MAX_VALUE);
+            int cpuNumber = NumbersUtil.parseInt(customParameters.get(UsageEventVO.DynamicParameters.cpuNumber.name()), -1);
+            int maxCPUCores = ConfigurationManagerImpl.VM_SERVICE_OFFERING_MAX_CPU_CORES.value() == 0 ? Integer.MAX_VALUE: ConfigurationManagerImpl.VM_SERVICE_OFFERING_MAX_CPU_CORES.value();
+            if (cpuNumber < minCPU || cpuNumber > maxCPU || cpuNumber > maxCPUCores) {
+                throw new InvalidParameterValueException(String.format("Invalid CPU cores value, specify a value between %d and %d", minCPU, Math.min(maxCPUCores, maxCPU)));
+            }
+        } else if (customParameters.containsKey(UsageEventVO.DynamicParameters.cpuNumber.name())) {
+            throw new InvalidParameterValueException("The CPU cores of this offering id:" + serviceOffering.getUuid()
+            + " is not customizable. This is predefined in the Template.");
+        }
+
+        if (serviceOffering.getSpeed() == null) {
+            String cpuSpeed = customParameters.get(UsageEventVO.DynamicParameters.cpuSpeed.name());
+            if ((cpuSpeed == null) || (NumbersUtil.parseInt(cpuSpeed, -1) <= 0)) {
+                throw new InvalidParameterValueException("Invalid CPU speed value, specify a value between 1 and " + Integer.MAX_VALUE);
+            }
+        } else if (!serviceOffering.isCustomCpuSpeedSupported() && customParameters.containsKey(UsageEventVO.DynamicParameters.cpuSpeed.name())) {
+            throw new InvalidParameterValueException(String.format("The CPU speed of this offering id:%s"
+                    + " is not customizable. This is predefined as %d MHz.",
+                    serviceOffering.getUuid(), serviceOffering.getSpeed()));
+        }
+
+        if (serviceOffering.getRamSize() == null) {
+            int minMemory = NumbersUtil.parseInt(offeringDetails.get(ApiConstants.MIN_MEMORY), 32);
+            int maxMemory = NumbersUtil.parseInt(offeringDetails.get(ApiConstants.MAX_MEMORY), Integer.MAX_VALUE);
+            int memory = NumbersUtil.parseInt(customParameters.get(UsageEventVO.DynamicParameters.memory.name()), -1);
+            int maxRAMSize = ConfigurationManagerImpl.VM_SERVICE_OFFERING_MAX_RAM_SIZE.value() == 0 ? Integer.MAX_VALUE: ConfigurationManagerImpl.VM_SERVICE_OFFERING_MAX_RAM_SIZE.value();
+            if (memory < minMemory || memory > maxMemory || memory > maxRAMSize) {
+                throw new InvalidParameterValueException(String.format("Invalid memory value, specify a value between %d and %d", minMemory, Math.min(maxRAMSize, maxMemory)));
+            }
+        } else if (customParameters.containsKey(UsageEventVO.DynamicParameters.memory.name())) {
+            throw new InvalidParameterValueException("The memory of this offering id:" + serviceOffering.getUuid() + " is not customizable. This is predefined in the Template.");
+        }
     }
 
     private UserVm upgradeStoppedVirtualMachine(Long vmId, Long svcOffId, Map<String, String> customParameters) throws ResourceAllocationException {
@@ -1373,31 +1379,37 @@ private UserVm upgradeStoppedVirtualMachine(Long vmId, Long svcOffId, Map<String
 
         Account owner = _accountMgr.getActiveAccountById(vmInstance.getAccountId());
         VMTemplateVO template = _templateDao.findByIdIncludingRemoved(vmInstance.getTemplateId());
-        if (!VirtualMachineManager.ResourceCountRunningVMsonly.value()) {
-            _resourceLimitMgr.checkVmResourceLimitsForServiceOfferingChange(owner, vmInstance.isDisplay(), (long) currentCpu, (long) newCpu,
-                    (long) currentMemory, (long) newMemory, currentServiceOffering, newServiceOffering, template);
-        }
 
-        // Check that the specified service offering ID is valid
-        _itMgr.checkIfCanUpgrade(vmInstance, newServiceOffering);
+        List<Reserver> reservations = new ArrayList<>();
+        try {
+            if (!VirtualMachineManager.ResourceCountRunningVMsonly.value()) {
+                _resourceLimitMgr.checkVmResourceLimitsForServiceOfferingChange(owner, vmInstance.isDisplay(), (long) currentCpu, (long) newCpu,
+                        (long) currentMemory, (long) newMemory, currentServiceOffering, newServiceOffering, template, reservations);
+            }
 
-        // Check if the new service offering can be applied to vm instance
-        _accountMgr.checkAccess(owner, newServiceOffering, _dcDao.findById(vmInstance.getDataCenterId()));
+            // Check that the specified service offering ID is valid
+            _itMgr.checkIfCanUpgrade(vmInstance, newServiceOffering);
 
-        // resize and migrate the root volume if required
-        DiskOfferingVO newDiskOffering = _diskOfferingDao.findById(newServiceOffering.getDiskOfferingId());
-        changeDiskOfferingForRootVolume(vmId, newDiskOffering, customParameters, vmInstance.getDataCenterId());
+            // Check if the new service offering can be applied to vm instance
+            _accountMgr.checkAccess(owner, newServiceOffering, _dcDao.findById(vmInstance.getDataCenterId()));
 
-        _itMgr.upgradeVmDb(vmId, newServiceOffering, currentServiceOffering);
+            // resize and migrate the root volume if required
+            DiskOfferingVO newDiskOffering = _diskOfferingDao.findById(newServiceOffering.getDiskOfferingId());
+            changeDiskOfferingForRootVolume(vmId, newDiskOffering, customParameters, vmInstance.getDataCenterId());
 
-        // Increment or decrement CPU and Memory count accordingly.
-        if (!VirtualMachineManager.ResourceCountRunningVMsonly.value()) {
-            _resourceLimitMgr.updateVmResourceCountForServiceOfferingChange(owner.getAccountId(), vmInstance.isDisplay(), (long) currentCpu, (long) newCpu,
-                    (long) currentMemory, (long) newMemory, currentServiceOffering, newServiceOffering, template);
-        }
+            _itMgr.upgradeVmDb(vmId, newServiceOffering, currentServiceOffering);
 
-        return _vmDao.findById(vmInstance.getId());
+            // Increment or decrement CPU and Memory count accordingly.
+            if (!VirtualMachineManager.ResourceCountRunningVMsonly.value()) {
+                _resourceLimitMgr.updateVmResourceCountForServiceOfferingChange(owner.getAccountId(), vmInstance.isDisplay(), (long) currentCpu, (long) newCpu,
+                        (long) currentMemory, (long) newMemory, currentServiceOffering, newServiceOffering, template);
+            }
 
+            return _vmDao.findById(vmInstance.getId());
+
+        } finally {
+            ReservationHelper.closeAll(reservations);
+        }
     }
 
     /**
@@ -1473,7 +1485,7 @@ public UserVm addNicToVirtualMachine(AddNicToVMCmd cmd) throws InvalidParameterV
 
         macAddress = validateOrReplaceMacAddress(macAddress, network);
 
-        if(_nicDao.findByNetworkIdAndMacAddress(networkId, macAddress) != null) {
+        if (_nicDao.findByNetworkIdAndMacAddress(networkId, macAddress) != null) {
             throw new CloudRuntimeException("A NIC with this MAC address exists for network: " + network.getUuid());
         }
 
@@ -1499,7 +1511,7 @@ public UserVm addNicToVirtualMachine(AddNicToVMCmd cmd) throws InvalidParameterV
                     vmInstance, dc, network, dataCenterDao.findById(network.getDataCenterId())));
         }
 
-        if(_networkModel.getNicInNetwork(vmInstance.getId(),network.getId()) != null){
+        if (_networkModel.getNicInNetwork(vmInstance.getId(),network.getId()) != null) {
             logger.debug("Instance {} already in network {} going to add another NIC", vmInstance, network);
         } else {
             //* get all vms hostNames in the network
@@ -1527,7 +1539,7 @@ public UserVm addNicToVirtualMachine(AddNicToVMCmd cmd) throws InvalidParameterV
         } catch (ConcurrentOperationException e) {
             throw new CloudRuntimeException("Concurrent operations on adding NIC to " + vmInstance + ": " + e);
         } finally {
-            if(cleanUp) {
+            if (cleanUp) {
                 try {
                     _itMgr.removeVmFromNetwork(vmInstance, network, null);
                 } catch (ResourceUnavailableException e) {
@@ -1731,7 +1743,7 @@ public UserVm updateDefaultNicForVirtualMachine(UpdateDefaultNicForVMCmd cmd) th
             oldNetworkOfferingId = oldDefaultNetwork.getNetworkOfferingId();
         }
         NicVO existingVO = _nicDao.findById(existing.id);
-        Integer chosenID = nic.getDeviceId();
+        int chosenID = nic.getDeviceId();
         Integer existingID = existing.getDeviceId();
 
         Network newdefault = null;
@@ -1899,6 +1911,54 @@ public void doInTransactionWithoutResult(TransactionStatus status) {
         return vm;
     }
 
+    @Override
+    public UserVm updateVirtualMachineNic(UpdateVmNicCmd cmd) {
+        Long nicId = cmd.getNicId();
+        Boolean isNicEnabled = cmd.isEnabled();
+        Account caller = CallContext.current().getCallingAccount();
+
+        NicVO nic = _nicDao.findById(nicId);
+        if (nic == null) {
+            throw new InvalidParameterValueException("Unable to find the specified NIC.");
+        }
+
+        UserVmVO vmInstance = _vmDao.findById(nic.getInstanceId());
+        if (vmInstance == null) {
+            throw new InvalidParameterValueException("Unable to find a virtual machine associated with the specified NIC.");
+        }
+
+        if (vmInstance.getHypervisorType() != HypervisorType.KVM) {
+            throw new InvalidParameterValueException("Updating the VM NIC is only supported by the KVM hypervisor.");
+        }
+
+        NetworkVO network = _networkDao.findById(nic.getNetworkId());
+        if (network == null) {
+            throw new InvalidParameterValueException("Unable to find NIC's network.");
+        }
+
+        _accountMgr.checkAccess(caller, null, true, vmInstance);
+
+        if (isNicEnabled == null) {
+            return vmInstance;
+        }
+
+        boolean success = false;
+        try {
+            success = _itMgr.updateVmNic(vmInstance, nic, isNicEnabled);
+        } catch (ResourceUnavailableException e) {
+            throw new CloudRuntimeException(String.format("Unable to update NIC %s of VM %s in network %s due to: %s.", nic, vmInstance, network.getUuid(), e.getMessage()));
+        } catch (ConcurrentOperationException e) {
+            throw new CloudRuntimeException(String.format("Concurrent operations while updating NIC %s for VM %s: %s.", nic, vmInstance, e.getMessage()));
+        }
+
+        if (!success) {
+            throw new CloudRuntimeException(String.format("Failed to update NIC %s of VM %s in network %s.", nic, vmInstance, network.getUuid()));
+        }
+
+        logger.debug("Successfully updated NIC {} in network {} for VM {}.", nic, network.getUuid(), vmInstance);
+        return vmInstance;
+    }
+
     private void updatePublicIpDnatVmIp(long vmId, long networkId, String oldIp, String newIp) {
         if (!_networkModel.areServicesSupportedInNetwork(networkId, Service.StaticNat)) {
             return;
@@ -2056,25 +2116,26 @@ private boolean upgradeRunningVirtualMachine(Long vmId, Long newServiceOfferingI
         int newCpu = newServiceOffering.getCpu();
         int newMemory = newServiceOffering.getRamSize();
         int newSpeed = newServiceOffering.getSpeed();
+        boolean cpuCapEnabledForTheNewOffering = newServiceOffering.getLimitCpuUse();
         int currentCpu = currentServiceOffering.getCpu();
         int currentMemory = currentServiceOffering.getRamSize();
         int currentSpeed = currentServiceOffering.getSpeed();
+        boolean cpuCapEnabledForTheCurrentOffering = currentServiceOffering.getLimitCpuUse();
         int memoryDiff = newMemory - currentMemory;
         int cpuDiff = newCpu * newSpeed - currentCpu * currentSpeed;
 
-        // Don't allow to scale when (Any of the new values less than current values) OR (All current and new values are same)
-        if ((newSpeed < currentSpeed || newMemory < currentMemory || newCpu < currentCpu) || (newSpeed == currentSpeed && newMemory == currentMemory && newCpu == currentCpu)) {
-            String message = String.format("While the VM is running, only scalling up it is supported. New service offering {\"memory\": %s, \"speed\": %s, \"cpu\": %s} should"
-              + " have at least one value (ram, speed or cpu) greater than the current values {\"memory\": %s, \"speed\": %s, \"cpu\": %s}.", newMemory, newSpeed, newCpu,
-              currentMemory, currentSpeed, currentCpu);
-
-            throw new InvalidParameterValueException(message);
+        boolean scalingDown = newSpeed < currentSpeed || newMemory < currentMemory || newCpu < currentCpu;
+        if (scalingDown) {
+            throw new InvalidParameterValueException(String.format("Scaling down is not supported while the VM is running. The new service offering attributes " +
+                    "{\"memory\": %s, \"CPU speed\": %s, \"vCPUs\": %s} must not be lower than the current values {\"memory\": %s, \"CPU speed\": %s, \"vCPUs\": %s}.",
+                    newMemory, newSpeed, newCpu, currentMemory, currentSpeed, currentCpu));
         }
 
-        if (vmHypervisorType.equals(HypervisorType.KVM) && !currentServiceOffering.isDynamic()) {
-            String message = String.format("Unable to live scale VM on KVM when current service offering is a \"Fixed Offering\". KVM needs the tag \"maxMemory\" to live scale and it is only configured when VM is deployed with a custom service offering and \"Dynamic Scalable\" is enabled.");
-            logger.info(message);
-            throw new InvalidParameterValueException(message);
+        boolean sameAmountOfResourcesAsThePreviousOffering = newSpeed == currentSpeed && newMemory == currentMemory && newCpu == currentCpu;
+        boolean cpuCapChange = cpuCapEnabledForTheCurrentOffering != cpuCapEnabledForTheNewOffering;
+        if (sameAmountOfResourcesAsThePreviousOffering && (vmHypervisorType != HypervisorType.KVM || !cpuCapChange)) {
+            throw new InvalidParameterValueException("While the VM is running, scaling to a service offering with the same attributes (memory, CPU speed and vCPUs) " +
+                    "is only allowed when the CPU cap is changed.");
         }
 
         serviceOfferingDao.loadDetails(currentServiceOffering);
@@ -2091,9 +2152,11 @@ private boolean upgradeRunningVirtualMachine(Long vmId, Long newServiceOfferingI
 
         VMTemplateVO template = _templateDao.findByIdIncludingRemoved(vmInstance.getTemplateId());
 
+        List<Reserver> reservations = new ArrayList<>();
+        try {
         // Check resource limits
         _resourceLimitMgr.checkVmResourceLimitsForServiceOfferingChange(owner, vmInstance.isDisplay(), (long) currentCpu, (long) newCpu,
-                (long) currentMemory, (long) newMemory, currentServiceOffering, newServiceOffering, template);
+                (long) currentMemory, (long) newMemory, currentServiceOffering, newServiceOffering, template, reservations);
 
         // Dynamically upgrade the running vms
         boolean success = false;
@@ -2109,14 +2172,14 @@ private boolean upgradeRunningVirtualMachine(Long vmId, Long newServiceOfferingI
 
             // Check vm flag
             if (!vmInstance.isDynamicallyScalable()) {
-                throw new CloudRuntimeException(String.format("Unable to scale %s as it does not have tools to support dynamic scaling.", vmInstance.toString()));
+                throw new CloudRuntimeException(String.format("Unable to scale %s as it does not have tools to support dynamic scaling.", vmInstance));
             }
 
             // Check disable threshold for cluster is not crossed
             HostVO host = _hostDao.findById(vmInstance.getHostId());
             _hostDao.loadDetails(host);
             if (_capacityMgr.checkIfClusterCrossesThreshold(host.getClusterId(), cpuDiff, memoryDiff)) {
-                throw new CloudRuntimeException(String.format("Unable to scale %s due to insufficient resources.", vmInstance.toString()));
+                throw new CloudRuntimeException(String.format("Unable to scale %s due to insufficient resources.", vmInstance));
             }
 
             while (retry-- != 0) { // It's != so that it can match -1.
@@ -2138,8 +2201,19 @@ private boolean upgradeRunningVirtualMachine(Long vmId, Long newServiceOfferingI
                         excludes.addHost(vmInstance.getHostId());
                     }
 
+                    boolean autoMigrateVmToASuitableHost = AutoMigrateVmOnLiveScaleInsufficientCapacity.valueIn(host.getClusterId());
+                    if (!existingHostHasCapacity && !autoMigrateVmToASuitableHost) {
+                        logger.error("Unable to scale the VM [{}] because the host [{}] in which it is currently allocated does not " +
+                                "have enough compute capacity to scale the instance and the VM should not be automatically migrated to another host " +
+                                "([{}] setting is [false]).", vmInstance.getInstanceName(), host.getName(), AutoMigrateVmOnLiveScaleInsufficientCapacity.key());
+                        return false;
+                    }
+
                     // #2 migrate the vm if host doesn't have capacity or is in avoid set
                     if (!existingHostHasCapacity) {
+                        logger.info("Host [{}] does not have enough compute capacity to scale the instance [{}]. Since the [{}] setting is " +
+                                        "[true], the VM will be migrated to a suitable host and, if succeeded, the VM will be live scaled to the requested " +
+                                        "compute offering.", host.getName(), vmInstance.getInstanceName(), AutoMigrateVmOnLiveScaleInsufficientCapacity.key());
                         _itMgr.findHostAndMigrate(vmInstance.getUuid(), newServiceOfferingId, customParameters, excludes);
                     }
 
@@ -2153,7 +2227,7 @@ private boolean upgradeRunningVirtualMachine(Long vmId, Long newServiceOfferingI
                     success = true;
                     return success;
                 } catch (InsufficientCapacityException | ResourceUnavailableException | ConcurrentOperationException e) {
-                    logger.error(String.format("Unable to scale %s due to [%s].", vmInstance.toString(), e.getMessage()), e);
+                    logger.error(String.format("Unable to scale %s due to [%s].", vmInstance, e.getMessage()), e);
                 } finally {
                     if (!success) {
                         // Decrement CPU and Memory count accordingly.
@@ -2165,6 +2239,10 @@ private boolean upgradeRunningVirtualMachine(Long vmId, Long newServiceOfferingI
             }
         }
         return success;
+
+        } finally {
+            ReservationHelper.closeAll(reservations);
+        }
     }
 
     protected void validateDiskOfferingChecks(ServiceOfferingVO currentServiceOffering, ServiceOfferingVO newServiceOffering) {
@@ -2275,7 +2353,7 @@ public HashMap<String, VolumeStatsEntry> getVolumeStatistics(long clusterId, Str
                     answer = _agentMgr.easySend(neighbor.getId(), cmd);
                 }
 
-                if (answer != null && answer instanceof GetVolumeStatsAnswer){
+                if (answer != null && answer instanceof GetVolumeStatsAnswer) {
                     GetVolumeStatsAnswer volstats = (GetVolumeStatsAnswer)answer;
                     if (volstats.getVolumeStats() != null) {
                         volumeStatsByUuid.putAll(volstats.getVolumeStats());
@@ -2286,7 +2364,7 @@ public HashMap<String, VolumeStatsEntry> getVolumeStatistics(long clusterId, Str
         return volumeStatsByUuid.size() > 0 ? volumeStatsByUuid : null;
     }
 
-    private List<String> getVolumesByHost(HostVO host, StoragePool pool){
+    private List<String> getVolumesByHost(HostVO host, StoragePool pool) {
         List<VMInstanceVO> vmsPerHost = _vmInstanceDao.listByHostId(host.getId());
         return vmsPerHost.stream()
                 .flatMap(vm -> _volsDao.findNonDestroyedVolumesByInstanceIdAndPoolId(vm.getId(),pool.getId()).stream().map(vol ->
@@ -2350,34 +2428,40 @@ public UserVm recoverVirtualMachine(RecoverVMCmd cmd) throws ResourceAllocationE
                 ServiceOfferingVO serviceOffering = serviceOfferingDao.findById(vm.getId(), vm.getServiceOfferingId());
                 VMTemplateVO template = _templateDao.findByIdIncludingRemoved(vm.getTemplateId());
 
-                // First check that the maximum number of UserVMs, CPU and Memory limit for the given
-                // accountId will not be exceeded
-                if (!VirtualMachineManager.ResourceCountRunningVMsonly.value()) {
-                    resourceLimitService.checkVmResourceLimit(account, vm.isDisplayVm(), serviceOffering, template);
-                }
+                List<Reserver> reservations = new ArrayList<>();
+                try {
+                    // First check that the maximum number of UserVMs, CPU and Memory limit for the given
+                    // accountId will not be exceeded
+                    if (!VirtualMachineManager.ResourceCountRunningVMsonly.value()) {
+                        resourceLimitService.checkVmResourceLimit(account, vm.isDisplayVm(), serviceOffering, template, reservations);
+                    }
 
-                _haMgr.cancelDestroy(vm, vm.getHostId());
+                    _haMgr.cancelDestroy(vm, vm.getHostId());
 
-                try {
-                    if (!_itMgr.stateTransitTo(vm, VirtualMachine.Event.RecoveryRequested, null)) {
-                        logger.debug("Unable to recover the vm {} because it is not in the correct state. current state: {}", vm, vm.getState());
+                    try {
+                        if (!_itMgr.stateTransitTo(vm, VirtualMachine.Event.RecoveryRequested, null)) {
+                            logger.debug("Unable to recover the vm {} because it is not in the correct state. current state: {}", vm, vm.getState());
+                            throw new InvalidParameterValueException(String.format("Unable to recover the vm %s because it is not in the correct state. current state: %s", vm, vm.getState()));
+                        }
+                    } catch (NoTransitionException e) {
                         throw new InvalidParameterValueException(String.format("Unable to recover the vm %s because it is not in the correct state. current state: %s", vm, vm.getState()));
                     }
-                } catch (NoTransitionException e) {
-                    throw new InvalidParameterValueException(String.format("Unable to recover the vm %s because it is not in the correct state. current state: %s", vm, vm.getState()));
-                }
 
-                // Recover the VM's disks
-                List<VolumeVO> volumes = _volsDao.findByInstance(vmId);
-                for (VolumeVO volume : volumes) {
-                    if (volume.getVolumeType().equals(Volume.Type.ROOT)) {
-                        recoverRootVolume(volume, vmId);
-                        break;
+                    // Recover the VM's disks
+                    List<VolumeVO> volumes = _volsDao.findByInstance(vmId);
+                    for (VolumeVO volume : volumes) {
+                        if (volume.getVolumeType().equals(Volume.Type.ROOT)) {
+                            recoverRootVolume(volume, vmId);
+                            break;
+                        }
                     }
-                }
 
-                //Update Resource Count for the given account
-                resourceCountIncrement(account.getId(), vm.isDisplayVm(), serviceOffering, template);
+                    //Update Resource Count for the given account
+                    resourceCountIncrement(account.getId(), vm.isDisplayVm(), serviceOffering, template);
+
+                } finally {
+                    ReservationHelper.closeAll(reservations);
+                }
             }
         });
 
@@ -2558,6 +2642,22 @@ public boolean expunge(UserVmVO vm) {
         }
     }
 
+    private void transitionExpungingToError(long vmId) {
+        UserVmVO vm = _vmDao.findById(vmId);
+        if (vm != null && vm.getState() == State.Expunging) {
+            try {
+                boolean transitioned = _itMgr.stateTransitTo(vm, VirtualMachine.Event.OperationFailedToError, null);
+                if (transitioned) {
+                    logger.info("Transitioned VM [{}] from Expunging to Error after failed expunge", vm.getUuid());
+                } else {
+                    logger.warn("Failed to persist transition of VM [{}] from Expunging to Error after failed expunge, possibly due to concurrent update", vm.getUuid());
+                }
+            } catch (NoTransitionException e) {
+                logger.warn("Failed to transition VM {} to Error state: {}", vm, e.getMessage());
+            }
+        }
+    }
+
     /**
      * Release network resources, it was done on vm stop previously.
      * @param id vm id
@@ -2566,7 +2666,7 @@ public boolean expunge(UserVmVO vm) {
      */
     private void releaseNetworkResourcesOnExpunge(long id) throws ConcurrentOperationException, ResourceUnavailableException {
         final VMInstanceVO vmInstance = _vmDao.findById(id);
-        if (vmInstance != null){
+        if (vmInstance != null) {
             final VirtualMachineProfile profile = new VirtualMachineProfileImpl(vmInstance);
             _networkMgr.release(profile, false);
         }
@@ -2785,10 +2885,16 @@ protected void verifyVmLimits(UserVmVO vmInstance, Map<String, String> details)
             Map<String, String> customParameters = new HashMap<>();
             customParameters.put(VmDetailConstants.CPU_NUMBER, String.valueOf(newCpu));
             customParameters.put(VmDetailConstants.MEMORY, String.valueOf(newMemory));
-            if (svcOffering.isCustomCpuSpeedSupported()) {
+            if (details.containsKey(VmDetailConstants.CPU_SPEED)) {
                 customParameters.put(VmDetailConstants.CPU_SPEED, details.get(VmDetailConstants.CPU_SPEED));
             }
             validateCustomParameters(svcOffering, customParameters);
+        } else {
+            if (details.containsKey(VmDetailConstants.CPU_NUMBER) || details.containsKey(VmDetailConstants.MEMORY) ||
+                    details.containsKey(VmDetailConstants.CPU_SPEED)) {
+                throw new InvalidParameterValueException("CPU number, Memory and CPU speed cannot be updated for a " +
+                        "non-dynamic offering");
+            }
         }
         if (VirtualMachineManager.ResourceCountRunningVMsonly.value()) {
             return;
@@ -2796,53 +2902,25 @@ protected void verifyVmLimits(UserVmVO vmInstance, Map<String, String> details)
         long currentCpu = currentServiceOffering.getCpu();
         long currentMemory = currentServiceOffering.getRamSize();
         VMTemplateVO template = _templateDao.findByIdIncludingRemoved(vmInstance.getTemplateId());
-        Long currentGpu = currentServiceOffering.getGpuCount() != null ? Long.valueOf(currentServiceOffering.getGpuCount()) : 0L;
-        Long newGpu = svcOffering.getGpuCount() != null ? Long.valueOf(svcOffering.getGpuCount()) : 0L;
+        List<Reserver> reservations = new ArrayList<>();
         try {
-            checkVmLimits(owner, vmInstance, svcOffering, template, newCpu, currentCpu, newMemory, currentMemory, newGpu, currentGpu);
+            _resourceLimitMgr.checkVmResourceLimitsForServiceOfferingChange(owner, vmInstance.isDisplay(), currentCpu, newCpu,
+                    currentMemory, newMemory, currentServiceOffering, svcOffering, template, reservations);
+            if (newCpu > currentCpu) {
+                _resourceLimitMgr.incrementVmCpuResourceCount(owner.getAccountId(), vmInstance.isDisplay(), svcOffering, template, newCpu - currentCpu);
+            } else if (newCpu > 0 && currentCpu > newCpu){
+                _resourceLimitMgr.decrementVmCpuResourceCount(owner.getAccountId(), vmInstance.isDisplay(), svcOffering, template, currentCpu - newCpu);
+            }
+            if (newMemory > currentMemory) {
+                _resourceLimitMgr.incrementVmMemoryResourceCount(owner.getAccountId(), vmInstance.isDisplay(), svcOffering, template, newMemory - currentMemory);
+            } else if (newMemory > 0 && currentMemory > newMemory){
+                _resourceLimitMgr.decrementVmMemoryResourceCount(owner.getAccountId(), vmInstance.isDisplay(), svcOffering, template, currentMemory - newMemory);
+            }
         } catch (ResourceAllocationException e) {
             logger.error(String.format("Failed to updated VM due to: %s", e.getLocalizedMessage()));
             throw new InvalidParameterValueException(e.getLocalizedMessage());
-        }
-        adjustVmLimits(owner, vmInstance, svcOffering, template, newCpu, currentCpu, newMemory, currentMemory, newGpu, currentGpu);
-    }
-
-    private void checkVmLimits(Account owner, UserVmVO vmInstance, ServiceOfferingVO svcOffering,
-            VMTemplateVO template, Long newCpu, Long currentCpu, Long newMemory, Long currentMemory,
-            Long newGpu, Long currentGpu
-    ) throws ResourceAllocationException {
-        if (newCpu > currentCpu) {
-            _resourceLimitMgr.checkVmCpuResourceLimit(owner, vmInstance.isDisplay(), svcOffering,
-                    template, newCpu - currentCpu);
-        }
-        if (newMemory > currentMemory) {
-            _resourceLimitMgr.checkVmMemoryResourceLimit(owner, vmInstance.isDisplay(), svcOffering,
-                    template, newMemory - currentMemory);
-        }
-        if (newGpu > currentGpu) {
-            _resourceLimitMgr.checkVmGpuResourceLimit(owner, vmInstance.isDisplay(), svcOffering,
-                    template, newGpu - currentGpu);
-        }
-    }
-
-    private void adjustVmLimits(Account owner, UserVmVO vmInstance, ServiceOfferingVO svcOffering,
-            VMTemplateVO template, Long newCpu, Long currentCpu, Long newMemory, Long currentMemory,
-            Long newGpu, Long currentGpu
-    ) {
-        if (newCpu > currentCpu) {
-            _resourceLimitMgr.incrementVmCpuResourceCount(owner.getAccountId(), vmInstance.isDisplay(), svcOffering, template, newCpu - currentCpu);
-        } else if (newCpu > 0 && currentCpu > newCpu){
-            _resourceLimitMgr.decrementVmCpuResourceCount(owner.getAccountId(), vmInstance.isDisplay(), svcOffering, template, currentCpu - newCpu);
-        }
-        if (newMemory > currentMemory) {
-            _resourceLimitMgr.incrementVmMemoryResourceCount(owner.getAccountId(), vmInstance.isDisplay(), svcOffering, template, newMemory - currentMemory);
-        } else if (newMemory > 0 && currentMemory > newMemory){
-            _resourceLimitMgr.decrementVmMemoryResourceCount(owner.getAccountId(), vmInstance.isDisplay(), svcOffering, template, currentMemory - newMemory);
-        }
-        if (newGpu > currentGpu) {
-            _resourceLimitMgr.incrementVmGpuResourceCount(owner.getAccountId(), vmInstance.isDisplay(), svcOffering, template, newGpu - currentGpu);
-        } else if (newGpu > 0 && currentGpu > newGpu){
-            _resourceLimitMgr.decrementVmGpuResourceCount(owner.getAccountId(), vmInstance.isDisplay(), svcOffering, template, currentGpu - newGpu);
+        } finally {
+            ReservationHelper.closeAll(reservations);
         }
     }
 
@@ -2908,6 +2986,11 @@ public UserVm updateVirtualMachine(UpdateVMCmd cmd) throws ResourceUnavailableEx
                 .map(item -> (item).trim())
                 .collect(Collectors.toList());
         userDenyListedSettings.addAll(QueryService.RootAdminOnlyVmSettings);
+        if (template != null && template.getExtensionId() != null) {
+            userDenyListedSettings.addAll(extensionHelper.getExtensionReservedResourceDetails(
+                    template.getExtensionId()));
+        }
+
         final List<String> userReadOnlySettings = Stream.of(QueryService.UserVMReadOnlyDetails.value().split(","))
                 .map(item -> (item).trim())
                 .collect(Collectors.toList());
@@ -2972,7 +3055,7 @@ public UserVm updateVirtualMachine(UpdateVMCmd cmd) throws ResourceUnavailableEx
                         if (userReadOnlySettings.contains(detailName)) {
                             throw new InvalidParameterValueException("You're not allowed to add or edit the read-only setting: " + detailName);
                         }
-                        if (existingDetails.stream().anyMatch(d -> Objects.equals(d.getName(), detailName) && !d.isDisplay())){
+                        if (existingDetails.stream().anyMatch(d -> Objects.equals(d.getName(), detailName) && !d.isDisplay())) {
                             throw new InvalidParameterValueException("You're not allowed to add or edit the non-displayable setting: " + detailName);
                         }
                     }
@@ -3064,25 +3147,24 @@ protected void validateGuestOsIdForUpdateVirtualMachineCommand(UpdateVMCmd cmd)
     private void saveUsageEvent(UserVmVO vm) {
 
         // If vm not destroyed
-        if( vm.getState() != State.Destroyed && vm.getState() != State.Expunging && vm.getState() != State.Error){
+        if (vm.getState() != State.Destroyed && vm.getState() != State.Expunging && vm.getState() != State.Error) {
 
-            if(vm.isDisplayVm()){
+            if (vm.isDisplayVm()) {
                 //1. Allocated VM Usage Event
                 generateUsageEvent(vm, true, EventTypes.EVENT_VM_CREATE);
 
-                if(vm.getState() == State.Running || vm.getState() == State.Stopping){
+                if (vm.getState() == State.Running || vm.getState() == State.Stopping) {
                     //2. Running VM Usage Event
                     generateUsageEvent(vm, true, EventTypes.EVENT_VM_START);
 
                     // 3. Network offering usage
                     generateNetworkUsageForVm(vm, true, EventTypes.EVENT_NETWORK_OFFERING_ASSIGN);
                 }
-
-            }else {
+            } else {
                 //1. Allocated VM Usage Event
                 generateUsageEvent(vm, true, EventTypes.EVENT_VM_DESTROY);
 
-                if(vm.getState() == State.Running || vm.getState() == State.Stopping){
+                if (vm.getState() == State.Running || vm.getState() == State.Stopping) {
                     //2. Running VM Usage Event
                     generateUsageEvent(vm, true, EventTypes.EVENT_VM_STOP);
 
@@ -3094,8 +3176,7 @@ private void saveUsageEvent(UserVmVO vm) {
 
     }
 
-    private void generateNetworkUsageForVm(VirtualMachine vm, boolean isDisplay, String eventType){
-
+    private void generateNetworkUsageForVm(VirtualMachine vm, boolean isDisplay, String eventType) {
         List<NicVO> nics = _nicDao.listByVmId(vm.getId());
         for (NicVO nic : nics) {
             NetworkVO network = _networkDao.findById(nic.getNetworkId());
@@ -3120,9 +3201,9 @@ public UserVm updateVirtualMachine(long id, String displayName, String group, Bo
             throw new CloudRuntimeException("Unable to find virtual machine with id " + id);
         }
 
-        if(instanceName != null){
+        if (instanceName != null) {
             VMInstanceVO vmInstance = _vmInstanceDao.findVMByInstanceName(instanceName);
-            if(vmInstance != null && vmInstance.getId() != id){
+            if (vmInstance != null && vmInstance.getId() != id) {
                 throw new CloudRuntimeException("Instance name : " + instanceName + " is not unique");
             }
         }
@@ -3264,7 +3345,7 @@ private void checkAndUpdateSecurityGroupForVM(List<Long> securityGroupIdList, Us
                     networkIds = networks.stream().map(Network::getId).collect(Collectors.toList());
                 }
             } catch (InvalidParameterValueException e) {
-                if(logger.isDebugEnabled()) {
+                if (logger.isDebugEnabled()) {
                     logger.debug(e.getMessage(),e);
                 }
             }
@@ -3554,8 +3635,19 @@ public UserVm destroyVm(DestroyVMCmd cmd) throws ResourceUnavailableException, C
         detachVolumesFromVm(vm, dataVols);
 
         UserVm destroyedVm = destroyVm(vmId, expunge);
-        if (expunge && !expunge(vm)) {
-            throw new CloudRuntimeException("Failed to expunge vm " + destroyedVm);
+        if (expunge) {
+            boolean expunged = false;
+            String errorMsg = "";
+            try {
+                expunged = expunge(vm);
+            } catch (RuntimeException e) {
+                logger.error("Failed to expunge VM [{}] due to: {}", vm, e.getMessage(), e);
+                errorMsg = e.getMessage();
+            }
+            if (!expunged) {
+                transitionExpungingToError(vm.getId());
+                throw new CloudRuntimeException("Failed to expunge VM " + vm.getUuid() + (StringUtils.isNotBlank(errorMsg) ? " due to: " + errorMsg : ""));
+            }
         }
 
         autoScaleManager.removeVmFromVmGroup(vmId);
@@ -4269,9 +4361,7 @@ protected List<String> getResourceLimitStorageTags(long diskOfferingId) {
         return resourceLimitService.getResourceLimitStorageTags(diskOfferingVO);
     }
 
-    private List<CheckedReservation> reserveStorageResourcesForVm(Account owner, Long diskOfferingId, Long diskSize, List<VmDiskInfo> dataDiskInfoList, Long rootDiskOfferingId, ServiceOfferingVO offering, Long rootDiskSize) throws ResourceAllocationException {
-        List <CheckedReservation> checkedReservations = new ArrayList<>();
-
+    private void reserveStorageResourcesForVm(List<Reserver> checkedReservations, Account owner, Long diskOfferingId, Long diskSize, List<VmDiskInfo> dataDiskInfoList, Long rootDiskOfferingId, ServiceOfferingVO offering, Long rootDiskSize) throws ResourceAllocationException {
         List<String> rootResourceLimitStorageTags = getResourceLimitStorageTags(rootDiskOfferingId != null ? rootDiskOfferingId : offering.getDiskOfferingId());
         CheckedReservation rootVolumeReservation = new CheckedReservation(owner, ResourceType.volume, rootResourceLimitStorageTags, 1L, reservationDao, resourceLimitService);
         checkedReservations.add(rootVolumeReservation);
@@ -4279,12 +4369,12 @@ private List<CheckedReservation> reserveStorageResourcesForVm(Account owner, Lon
         checkedReservations.add(rootPrimaryStorageReservation);
 
         if (diskOfferingId != null) {
-            List<String> additionalResourceLimitStorageTags = diskOfferingId != null ? getResourceLimitStorageTags(diskOfferingId) : null;
+            List<String> additionalResourceLimitStorageTags = getResourceLimitStorageTags(diskOfferingId);
             DiskOfferingVO diskOffering = _diskOfferingDao.findById(diskOfferingId);
             Long size = verifyAndGetDiskSize(diskOffering, diskSize);
-            CheckedReservation additionalVolumeReservation = diskOfferingId != null ? new CheckedReservation(owner, ResourceType.volume, additionalResourceLimitStorageTags, 1L, reservationDao, resourceLimitService) : null;
+            CheckedReservation additionalVolumeReservation = new CheckedReservation(owner, ResourceType.volume, additionalResourceLimitStorageTags, 1L, reservationDao, resourceLimitService);
             checkedReservations.add(additionalVolumeReservation);
-            CheckedReservation additionalPrimaryStorageReservation = diskOfferingId != null ? new CheckedReservation(owner, ResourceType.primary_storage, additionalResourceLimitStorageTags, size, reservationDao, resourceLimitService) : null;
+            CheckedReservation additionalPrimaryStorageReservation = new CheckedReservation(owner, ResourceType.primary_storage, additionalResourceLimitStorageTags, size, reservationDao, resourceLimitService);
             checkedReservations.add(additionalPrimaryStorageReservation);
 
         }
@@ -4300,7 +4390,6 @@ private List<CheckedReservation> reserveStorageResourcesForVm(Account owner, Lon
                 checkedReservations.add(additionalPrimaryStorageReservation);
             }
         }
-        return checkedReservations;
     }
 
     private UserVm getUncheckedUserVmResource(DataCenter zone, String hostName, String displayName, Account owner,
@@ -4312,10 +4401,10 @@ private UserVm getUncheckedUserVmResource(DataCenter zone, String hostName, Stri
         Map<String, String> userVmOVFPropertiesMap, boolean dynamicScalingEnabled, String vmType, VMTemplateVO template,
         HypervisorType hypervisorType, long accountId, ServiceOfferingVO offering, boolean isIso,
         Long rootDiskOfferingId, long volumesSize, Volume volume, Snapshot snapshot) throws ResourceAllocationException {
-        List<CheckedReservation> checkedReservations = new ArrayList<>();
+        List<Reserver> checkedReservations = new ArrayList<>();
 
         try {
-            checkedReservations = reserveStorageResourcesForVm(owner, diskOfferingId, diskSize, dataDiskInfoList, rootDiskOfferingId, offering, volumesSize);
+            reserveStorageResourcesForVm(checkedReservations, owner, diskOfferingId, diskSize, dataDiskInfoList, rootDiskOfferingId, offering, volumesSize);
 
             // verify security group ids
             if (securityGroupIdList != null) {
@@ -4353,7 +4442,6 @@ private UserVm getUncheckedUserVmResource(DataCenter zone, String hostName, Stri
                         throw new InvalidParameterValueException(String.format("Invalid disk offering %s specified for datadisk Template %s. Disk offering size should be greater than or equal to the Template size", dataDiskOffering, dataDiskTemplate));
                     }
                     _templateDao.loadDetails(dataDiskTemplate);
-                    resourceLimitService.checkVolumeResourceLimit(owner, true, dataDiskOffering.getDiskSize(), dataDiskOffering);
                 }
             }
 
@@ -4401,7 +4489,7 @@ private UserVm getUncheckedUserVmResource(DataCenter zone, String hostName, Stri
                 }
             }
 
-            if (template.getTemplateType().equals(TemplateType.SYSTEM) && !CKS_NODE.equals(vmType) && !SHAREDFSVM.equals(vmType)) {
+            if (TemplateType.SYSTEM.equals(template.getTemplateType()) && !CKS_NODE.equals(vmType) && !SHAREDFSVM.equals(vmType)) {
                 throw new InvalidParameterValueException(String.format("Unable to use system template %s to deploy a user vm", template));
             }
 
@@ -4457,7 +4545,7 @@ private UserVm getUncheckedUserVmResource(DataCenter zone, String hostName, Stri
                     }
 
                     NetworkOffering ntwkOffering = _networkOfferingDao.findById(network.getNetworkOfferingId());
-                    Long physicalNetworkId = _networkModel.findPhysicalNetworkId(zone.getId(), ntwkOffering.getTags(), ntwkOffering.getTrafficType());
+                    long physicalNetworkId = _networkModel.findPhysicalNetworkId(zone.getId(), ntwkOffering.getTags(), ntwkOffering.getTrafficType());
 
                     String provider = _ntwkSrvcDao.getProviderForServiceInNetwork(network.getId(), Service.Connectivity);
                     if (!_networkModel.isProviderEnabledInPhysicalNetwork(physicalNetworkId, provider)) {
@@ -4607,14 +4695,7 @@ private UserVm getUncheckedUserVmResource(DataCenter zone, String hostName, Stri
             logger.error("error during resource reservation and allocation", e);
             throw new CloudRuntimeException(e);
         } finally {
-            for (CheckedReservation checkedReservation : checkedReservations) {
-                try {
-                    checkedReservation.close();
-                } catch (Exception e) {
-                    logger.error("error during resource reservation and allocation", e);
-                    throw new CloudRuntimeException(e);
-                }
-            }
+            ReservationHelper.closeAll(checkedReservations);
         }
     }
 
@@ -4682,7 +4763,7 @@ protected long configureCustomRootDiskSize(Map<String, String> customParameters,
         }
 
         if (customParameters.containsKey(VmDetailConstants.ROOT_DISK_SIZE)) {
-            Long rootDiskSize = NumbersUtil.parseLong(customParameters.get(VmDetailConstants.ROOT_DISK_SIZE), -1);
+            long rootDiskSize = NumbersUtil.parseLong(customParameters.get(VmDetailConstants.ROOT_DISK_SIZE), -1);
             if (rootDiskSize <= 0) {
                 throw new InvalidParameterValueException("Root disk size should be a positive number.");
             }
@@ -4796,12 +4877,13 @@ private String generateHostName(String uuidName) {
 
     private UserVmVO commitUserVm(final boolean isImport, final DataCenter zone, final Host host, final Host lastHost, final VirtualMachineTemplate template, final String hostName, final String displayName, final Account owner,
                                   final Long diskOfferingId, final Long diskSize, final String userData, Long userDataId, String userDataDetails, final Boolean isDisplayVm, final String keyboard,
-                                  final long accountId, final long userId, final ServiceOffering offering, final boolean isIso, final String sshPublicKeys, final LinkedHashMap<String, List<NicProfile>> networkNicMap,
+                                  final long accountId, final long userId, final ServiceOffering offering, final boolean isIso, final Long guestOsId, final String sshPublicKeys, final LinkedHashMap<String, List<NicProfile>> networkNicMap,
                                   final long id, final String instanceName, final String uuidName, final HypervisorType hypervisorType, final Map<String, String> customParameters,
                                   final Map<String, Map<Integer, String>> extraDhcpOptionMap, final Map<Long, DiskOffering> dataDiskTemplateToDiskOfferingMap,
                                   final Map<String, String> userVmOVFPropertiesMap, final VirtualMachine.PowerState powerState, final boolean dynamicScalingEnabled, String vmType, final Long rootDiskOfferingId, String sshkeypairs,
                                   List<VmDiskInfo> dataDiskInfoList, Volume volume, Snapshot snapshot) throws InsufficientCapacityException {
-        UserVmVO vm = new UserVmVO(id, instanceName, displayName, template.getId(), hypervisorType, template.getGuestOSId(), offering.isOfferHA(),
+        long selectedGuestOsId = guestOsId != null ? guestOsId : template.getGuestOSId();
+        UserVmVO vm = new UserVmVO(id, instanceName, displayName, template.getId(), hypervisorType, selectedGuestOsId, offering.isOfferHA(),
                 offering.getLimitCpuUse(), owner.getDomainId(), owner.getId(), userId, offering.getId(), userData, userDataId, userDataDetails, hostName);
         vm.setUuid(uuidName);
         vm.setDynamicallyScalable(dynamicScalingEnabled);
@@ -4827,8 +4909,7 @@ private UserVmVO commitUserVm(final boolean isImport, final DataCenter zone, fin
             vm.setIsoId(template.getId());
         }
 
-        long guestOSId = template.getGuestOSId();
-        GuestOSVO guestOS = _guestOSDao.findById(guestOSId);
+        GuestOSVO guestOS = _guestOSDao.findById(selectedGuestOsId);
         long guestOSCategoryId = guestOS.getCategoryId();
         GuestOSCategoryVO guestOSCategory = _guestOSCategoryDao.findById(guestOSCategoryId);
         if (hypervisorType.equals(HypervisorType.VMware)) {
@@ -5086,7 +5167,7 @@ private UserVmVO commitUserVm(final DataCenter zone, final VirtualMachineTemplat
                                   List<VmDiskInfo> dataDiskInfoList, Volume volume, Snapshot snapshot) throws InsufficientCapacityException {
         return commitUserVm(false, zone, null, null, template, hostName, displayName, owner,
                 diskOfferingId, diskSize, userData, userDataId, userDataDetails, isDisplayVm, keyboard,
-                accountId, userId, offering, isIso, sshPublicKeys, networkNicMap,
+                accountId, userId, offering, isIso, null, sshPublicKeys, networkNicMap,
                 id, instanceName, uuidName, hypervisorType, customParameters,
                 extraDhcpOptionMap, dataDiskTemplateToDiskOfferingMap,
                 userVmOVFPropertiesMap, null, dynamicScalingEnabled, vmType, rootDiskOfferingId, sshkeypairs, dataDiskInfoList, volume, snapshot);
@@ -5118,7 +5199,7 @@ public void validateRootDiskResize(final HypervisorType hypervisorType, Long roo
 
 
     @Override
-    public void generateUsageEvent(VirtualMachine vm, boolean isDisplay, String eventType){
+    public void generateUsageEvent(VirtualMachine vm, boolean isDisplay, String eventType) {
         ServiceOfferingVO serviceOffering = serviceOfferingDao.findById(vm.getId(), vm.getServiceOfferingId());
         if (!serviceOffering.isDynamic()) {
             UsageEventUtils.publishUsageEvent(eventType, vm.getAccountId(), vm.getDataCenterId(), vm.getId(),
@@ -5360,7 +5441,7 @@ private void addUserVMCmdlineArgs(Long vmId, VirtualMachineProfile profile, Depl
         if (dc.getDns2() != null) {
             buf.append(" dns2=").append(dc.getDns2());
         }
-        logger.info("cmdline details: "+ buf.toString());
+        logger.info("cmdline details: "+ buf);
     }
 
     @Override
@@ -5374,7 +5455,7 @@ public boolean finalizeVirtualMachineProfile(VirtualMachineProfile profile, Depl
         }
         // add userdata info into vm profile
         Nic defaultNic = _networkModel.getDefaultNic(vm.getId());
-        if(defaultNic != null) {
+        if (defaultNic != null) {
             Network network = _networkModel.getNetwork(defaultNic.getNetworkId());
             if (_networkModel.isSharedNetworkWithoutServices(network.getId())) {
                 final String serviceOffering = serviceOfferingDao.findByIdIncludingRemoved(vm.getId(), vm.getServiceOfferingId()).getDisplayText();
@@ -5398,7 +5479,19 @@ public boolean finalizeVirtualMachineProfile(VirtualMachineProfile profile, Depl
 
     @Override
     public boolean setupVmForPvlan(boolean add, Long hostId, NicProfile nic) {
-        if (!nic.getBroadCastUri().getScheme().equals("pvlan")) {
+        if (nic == null) {
+            logger.warn("Skipping PVLAN setup on host {} because NIC profile is null", hostId);
+            return false;
+        }
+
+        if (nic.getBroadCastUri() == null) {
+            logger.debug("Skipping PVLAN setup on host {} for NIC {} because broadcast URI is null", hostId, nic);
+            return false;
+        }
+
+        String scheme = nic.getBroadCastUri().getScheme();
+        if (!"pvlan".equalsIgnoreCase(scheme)) {
+            logger.debug("Skipping PVLAN setup on host {} for NIC {} because broadcast URI scheme is {}", hostId, nic, scheme);
             return false;
         }
         String op = "add";
@@ -5406,11 +5499,17 @@ public boolean setupVmForPvlan(boolean add, Long hostId, NicProfile nic) {
             // "delete" would remove all the rules(if using ovs) related to this vm
             op = "delete";
         }
-        Network network = _networkDao.findById(nic.getNetworkId());
+
         Host host = _hostDao.findById(hostId);
+        if (host == null) {
+            logger.warn("Host with id {} does not exist", hostId);
+            return false;
+        }
+
+        Network network = _networkDao.findById(nic.getNetworkId());
         String networkTag = _networkModel.getNetworkTag(host.getHypervisorType(), network);
         PvlanSetupCommand cmd = PvlanSetupCommand.createVmSetup(op, nic.getBroadCastUri(), networkTag, nic.getMacAddress());
-        Answer answer = null;
+        Answer answer;
         try {
             answer = _agentMgr.send(hostId, cmd);
         } catch (OperationTimedoutException e) {
@@ -5602,7 +5701,7 @@ private void checkForceStopVmPermission(Account callingAccount) {
     public UserVm stopVirtualMachine(long vmId, boolean forced) throws ConcurrentOperationException {
         // Input validation
         Account caller = CallContext.current().getCallingAccount();
-        Long userId = CallContext.current().getCallingUserId();
+        long userId = CallContext.current().getCallingUserId();
 
         // if account is removed, return error
         if (caller != null && caller.getRemoved() != null) {
@@ -5625,7 +5724,7 @@ public UserVm stopVirtualMachine(long vmId, boolean forced) throws ConcurrentOpe
         try {
             VirtualMachineEntity vmEntity = _orchSrvc.getVirtualMachine(vm.getUuid());
 
-            if(forced) {
+            if (forced) {
                 status = vmEntity.stopForced(Long.toString(userId));
             } else {
                 status = vmEntity.stop(Long.toString(userId));
@@ -5685,49 +5784,13 @@ public Pair<UserVmVO, Map<VirtualMachineProfile.Param, Object>> startVirtualMach
         return startVirtualMachine(vmId, podId, clusterId, hostId, additionalParams, deploymentPlannerToUse, true);
     }
 
-    @Override
-    public Pair<UserVmVO, Map<VirtualMachineProfile.Param, Object>> startVirtualMachine(long vmId, Long podId, Long clusterId, Long hostId,
-            @NotNull Map<VirtualMachineProfile.Param, Object> additionalParams, String deploymentPlannerToUse, boolean isExplicitHost)
-            throws ConcurrentOperationException, ResourceUnavailableException, InsufficientCapacityException, ResourceAllocationException {
-        // Input validation
-        final Account callerAccount = CallContext.current().getCallingAccount();
-        UserVO callerUser = _userDao.findById(CallContext.current().getCallingUserId());
-
-        // if account is removed, return error
-        if (callerAccount == null || callerAccount.getRemoved() != null) {
-            throw new InvalidParameterValueException(String.format("The account %s is removed", callerAccount));
-        }
-
-        UserVmVO vm = _vmDao.findById(vmId);
-        if (vm == null) {
-            throw new InvalidParameterValueException("unable to find a virtual machine with id " + vmId);
-        }
-
-        if (vm.getState() == State.Running) {
-            throw new InvalidParameterValueException(String.format("The virtual machine %s (%s) is already running",
-                    vm.getUuid(), vm.getDisplayNameOrHostName()));
-        }
-
-        _accountMgr.checkAccess(callerAccount, null, true, vm);
-
-        Account owner = _accountDao.findById(vm.getAccountId());
-
-        if (owner == null) {
-            throw new InvalidParameterValueException("The owner of " + vm + " does not exist: " + vm.getAccountId());
-        }
+    private Pair<UserVmVO, Map<VirtualMachineProfile.Param, Object>> startVirtualMachineUnchecked(UserVmVO vm, VMTemplateVO template, Long podId,
+            Long clusterId, Long hostId, @NotNull Map<VirtualMachineProfile.Param, Object> additionalParams, String deploymentPlannerToUse,
+            boolean isExplicitHost, boolean isRootAdmin) throws ResourceUnavailableException, InsufficientCapacityException {
 
-        if (owner.getState() == Account.State.DISABLED) {
-            throw new PermissionDeniedException(String.format("The owner of %s is disabled: %s", vm, owner));
-        }
-        VMTemplateVO template = _templateDao.findByIdIncludingRemoved(vm.getTemplateId());
-        if (VirtualMachineManager.ResourceCountRunningVMsonly.value()) {
-            // check if account/domain is with in resource limits to start a new vm
-            ServiceOfferingVO offering = serviceOfferingDao.findById(vm.getId(), vm.getServiceOfferingId());
-            resourceLimitService.checkVmResourceLimit(owner, vm.isDisplayVm(), offering, template);
-        }
         // check if vm is security group enabled
-        if (_securityGroupMgr.isVmSecurityGroupEnabled(vmId) && _securityGroupMgr.getSecurityGroupsForVm(vmId).isEmpty()
-                && !_securityGroupMgr.isVmMappedToDefaultSecurityGroup(vmId) && _networkModel.canAddDefaultSecurityGroup()) {
+        if (_securityGroupMgr.isVmSecurityGroupEnabled(vm.getId()) && _securityGroupMgr.getSecurityGroupsForVm(vm.getId()).isEmpty()
+                && !_securityGroupMgr.isVmMappedToDefaultSecurityGroup(vm.getId()) && _networkModel.canAddDefaultSecurityGroup()) {
             // if vm is not mapped to security group, create a mapping
             if (logger.isDebugEnabled()) {
                 logger.debug("Vm " + vm + " is security group enabled, but not mapped to default security group; creating the mapping automatically");
@@ -5740,10 +5803,10 @@ public Pair<UserVmVO, Map<VirtualMachineProfile.Param, Object>> startVirtualMach
                 _securityGroupMgr.addInstanceToGroups(vm, groupList);
             }
         }
+
         // Choose deployment planner
         // Host takes 1st preference, Cluster takes 2nd preference and Pod takes 3rd
         // Default behaviour is invoked when host, cluster or pod are not specified
-        boolean isRootAdmin = _accountService.isRootAdmin(callerAccount.getId());
         Pod destinationPod = getDestinationPod(podId, isRootAdmin);
         Cluster destinationCluster = getDestinationCluster(clusterId, isRootAdmin);
         HostVO destinationHost = getDestinationHost(hostId, isRootAdmin, isExplicitHost);
@@ -5766,7 +5829,7 @@ public Pair<UserVmVO, Map<VirtualMachineProfile.Param, Object>> startVirtualMach
                 logger.info(errorMsg);
                 if (!AllowDeployVmIfGivenHostFails.value()) {
                     throw new InvalidParameterValueException(errorMsg);
-                };
+                }
             } else {
                 plan = new DataCenterDeployment(vm.getDataCenterId(), destinationHost.getPodId(), destinationHost.getClusterId(), destinationHost.getId(), null, null);
                 if (!AllowDeployVmIfGivenHostFails.value()) {
@@ -5791,27 +5854,23 @@ public Pair<UserVmVO, Map<VirtualMachineProfile.Param, Object>> startVirtualMach
         Map<VirtualMachineProfile.Param, Object> params = null;
         if (vm.isUpdateParameters()) {
             _vmDao.loadDetails(vm);
-
             String password = getCurrentVmPasswordOrDefineNewPassword(String.valueOf(additionalParams.getOrDefault(VirtualMachineProfile.Param.VmPassword, "")), vm, template);
-
             if (!validPassword(password)) {
                 throw new InvalidParameterValueException("A valid password for this virtual machine was not provided.");
             }
-
             // Check if an SSH key pair was selected for the instance and if so
             // use it to encrypt & save the vm password
             encryptAndStorePassword(vm, password);
-
             params = createParameterInParameterMap(params, additionalParams, VirtualMachineProfile.Param.VmPassword, password);
         }
 
-        if(additionalParams.containsKey(VirtualMachineProfile.Param.BootIntoSetup)) {
-            if (! HypervisorType.VMware.equals(vm.getHypervisorType())) {
+        if (additionalParams.containsKey(VirtualMachineProfile.Param.BootIntoSetup)) {
+            if (!HypervisorType.VMware.equals(vm.getHypervisorType())) {
                 throw new InvalidParameterValueException(ApiConstants.BOOT_INTO_SETUP + " makes no sense for " + vm.getHypervisorType());
             }
             Object paramValue = additionalParams.get(VirtualMachineProfile.Param.BootIntoSetup);
             if (logger.isTraceEnabled()) {
-                    logger.trace("It was specified whether to enter setup mode: " + paramValue.toString());
+                logger.trace("It was specified whether to enter setup mode: " + paramValue.toString());
             }
             params = createParameterInParameterMap(params, additionalParams, VirtualMachineProfile.Param.BootIntoSetup, paramValue);
         }
@@ -5829,11 +5888,12 @@ public Pair<UserVmVO, Map<VirtualMachineProfile.Param, Object>> startVirtualMach
         }
         vmEntity.setParamsToEntity(additionalParams);
 
+        UserVO callerUser = _userDao.findById(CallContext.current().getCallingUserId());
         String reservationId = vmEntity.reserve(planner, plan, new ExcludeList(), Long.toString(callerUser.getId()));
         vmEntity.deploy(reservationId, Long.toString(callerUser.getId()), params, deployOnGivenHost);
 
         Pair<UserVmVO, Map<VirtualMachineProfile.Param, Object>> vmParamPair = new Pair(vm, params);
-        if (vm != null && vm.isUpdateParameters()) {
+        if (vm.isUpdateParameters()) {
             // this value is not being sent to the backend; need only for api
             // display purposes
             if (template.isEnablePassword()) {
@@ -5844,10 +5904,59 @@ public Pair<UserVmVO, Map<VirtualMachineProfile.Param, Object>> startVirtualMach
                 _vmDao.update(vm.getId(), vm);
             }
         }
-
         return vmParamPair;
     }
 
+    @Override
+    public Pair<UserVmVO, Map<VirtualMachineProfile.Param, Object>> startVirtualMachine(long vmId, Long podId, Long clusterId, Long hostId,
+            @NotNull Map<VirtualMachineProfile.Param, Object> additionalParams, String deploymentPlannerToUse, boolean isExplicitHost)
+            throws ConcurrentOperationException, ResourceUnavailableException, InsufficientCapacityException, ResourceAllocationException {
+        // Input validation
+        final Account callerAccount = CallContext.current().getCallingAccount();
+
+        // if account is removed, return error
+        if (callerAccount == null || callerAccount.getRemoved() != null) {
+            throw new InvalidParameterValueException(String.format("The account %s is removed", callerAccount));
+        }
+
+        UserVmVO vm = _vmDao.findById(vmId);
+        if (vm == null) {
+            throw new InvalidParameterValueException("unable to find a virtual machine with id " + vmId);
+        }
+
+        if (vm.getState() == State.Running) {
+            throw new InvalidParameterValueException(String.format("The virtual machine %s (%s) is already running",
+                    vm.getUuid(), vm.getDisplayNameOrHostName()));
+        }
+
+        _accountMgr.checkAccess(callerAccount, null, true, vm);
+
+        Account owner = _accountDao.findById(vm.getAccountId());
+
+        if (owner == null) {
+            throw new InvalidParameterValueException("The owner of " + vm + " does not exist: " + vm.getAccountId());
+        }
+
+        if (owner.getState() == Account.State.DISABLED) {
+            throw new PermissionDeniedException(String.format("The owner of %s is disabled: %s", vm, owner));
+        }
+        boolean isRootAdmin = _accountService.isRootAdmin(callerAccount.getId());
+
+        VMTemplateVO template = _templateDao.findByIdIncludingRemoved(vm.getTemplateId());
+        if (VirtualMachineManager.ResourceCountRunningVMsonly.value()) {
+            ServiceOfferingVO offering = serviceOfferingDao.findById(vm.getId(), vm.getServiceOfferingId());
+            List<String> resourceLimitHostTags = resourceLimitService.getResourceLimitHostTags(offering, template);
+            try (CheckedReservation vmReservation = new CheckedReservation(owner, ResourceType.user_vm, resourceLimitHostTags, 1l, reservationDao, resourceLimitService);
+                 CheckedReservation cpuReservation = new CheckedReservation(owner, ResourceType.cpu, resourceLimitHostTags, Long.valueOf(offering.getCpu()), reservationDao, resourceLimitService);
+                 CheckedReservation memReservation = new CheckedReservation(owner, ResourceType.memory, resourceLimitHostTags, Long.valueOf(offering.getRamSize()), reservationDao, resourceLimitService);
+            ) {
+                return startVirtualMachineUnchecked(vm, template, podId, clusterId, hostId, additionalParams, deploymentPlannerToUse, isExplicitHost, isRootAdmin);
+            }
+        } else {
+            return startVirtualMachineUnchecked(vm, template, podId, clusterId, hostId, additionalParams, deploymentPlannerToUse, isExplicitHost, isRootAdmin);
+        }
+    }
+
     /**
      * If the template is password enabled and the VM already has a password, returns it.
      * If the template is password enabled and the VM does not have a password, sets the password to the password defined by the user and returns it. If no password is informed,
@@ -6283,8 +6392,8 @@ private void verifyServiceOffering(BaseDeployVMCmd cmd, ServiceOffering serviceO
         }
 
         if (!serviceOffering.isDynamic()) {
-            for(String detail: cmd.getDetails().keySet()) {
-                if(detail.equalsIgnoreCase(VmDetailConstants.CPU_NUMBER) || detail.equalsIgnoreCase(VmDetailConstants.CPU_SPEED) || detail.equalsIgnoreCase(VmDetailConstants.MEMORY)) {
+            for (String detail: cmd.getDetails().keySet()) {
+                if (detail.equalsIgnoreCase(VmDetailConstants.CPU_NUMBER) || detail.equalsIgnoreCase(VmDetailConstants.CPU_SPEED) || detail.equalsIgnoreCase(VmDetailConstants.MEMORY)) {
                     throw new InvalidParameterValueException("cpuNumber or cpuSpeed or memory should not be specified for static service offering");
                 }
             }
@@ -6364,7 +6473,13 @@ public UserVm createVirtualMachine(DeployVMCmd cmd) throws InsufficientCapacityE
             }
             _accountMgr.checkAccess(caller, null, true, snapshot);
             VolumeInfo volumeOfSnapshot = getVolume(snapshot.getVolumeId(), templateId, true);
-            templateId = volumeOfSnapshot.getTemplateId();
+            if (volumeOfSnapshot != null) {
+                templateId = volumeOfSnapshot.getTemplateId();
+            } else if (templateId == null) {
+                throw new InvalidParameterValueException(
+                        "Could not determine template from snapshot id=" + cmd.getSnapshotId() +
+                                "; the source volume no longer exists. Please specify a templateId.");
+            }
         }
 
         VirtualMachineTemplate template = null;
@@ -6503,8 +6618,8 @@ private UserVm createVirtualMachine(BaseDeployVMCmd cmd, DataCenter zone, Accoun
 
         // check if this templateId has a child ISO
         List<VMTemplateVO> child_templates = _templateDao.listByParentTemplatetId(template.getId());
-        for (VMTemplateVO tmpl: child_templates){
-            if (tmpl.getFormat() == Storage.ImageFormat.ISO){
+        for (VMTemplateVO tmpl: child_templates) {
+            if (tmpl.getFormat() == Storage.ImageFormat.ISO) {
                 logger.info("MDOV trying to attach disk {} to the VM {}", tmpl, vm);
                 _tmplService.attachIso(tmpl.getId(), vm.getId(), true);
             }
@@ -6646,7 +6761,9 @@ protected void addLeaseDetailsForInstance(UserVm vm, Integer leaseDuration, VMLe
     private VolumeInfo getVolume(long id, Long templateId, boolean isSnapshot) {
         VolumeInfo volume = volFactory.getVolume(id);
         if (volume != null) {
-            if (volume.getDataStore() == null || !ScopeType.ZONE.equals(volume.getDataStore().getScope().getScopeType())) {
+            if (!isSnapshot
+                    && (volume.getDataStore() == null
+                    || !ScopeType.ZONE.equals(volume.getDataStore().getScope().getScopeType()))) {
                 throw new InvalidParameterValueException("Deployment of virtual machine is supported only for Zone-wide storage pools");
             }
             checkIfVolumeTemplateIsTheSameAsTheProvided(volume, templateId);
@@ -6862,7 +6979,7 @@ protected void addExtraConfig(UserVm vm, String extraConfig) {
         } else if (hypervisorType.equals(HypervisorType.VMware)) {
             persistExtraConfigVmware(decodedUrl, vm);
         } else {
-            String msg = String.format("This hypervisor %s is not supported for use with this feature", hypervisorType.toString());
+            String msg = String.format("This hypervisor %s is not supported for use with this feature", hypervisorType);
             throw new CloudRuntimeException(msg);
         }
     }
@@ -7161,7 +7278,7 @@ public VirtualMachine migrateVirtualMachine(Long vmId, Host destinationHost) thr
 
         checkIfHostOfVMIsInPrepareForMaintenanceState(vm, "Migrate");
 
-        if(serviceOfferingDetailsDao.findDetail(vm.getServiceOfferingId(), GPU.Keys.pciDevice.toString()) != null) {
+        if (serviceOfferingDetailsDao.findDetail(vm.getServiceOfferingId(), GPU.Keys.pciDevice.toString()) != null) {
             throw new InvalidParameterValueException("Live Migration of GPU enabled VM is not supported");
         }
 
@@ -7208,7 +7325,7 @@ private DeployDestination chooseVmMigrationDestination(VMInstanceVO vm, Host src
         vm.setLastHostId(null); // Last host does not have higher priority in vm migration
         final ServiceOfferingVO offering = serviceOfferingDao.findById(vm.getId(), vm.getServiceOfferingId());
         final VirtualMachineProfile profile = new VirtualMachineProfileImpl(vm, null, offering, null, null);
-        final Long srcHostId = srcHost.getId();
+        final long srcHostId = srcHost.getId();
         final Host host = _hostDao.findById(srcHostId);
         ExcludeList excludes = new ExcludeList();
         excludes.addHost(srcHostId);
@@ -7776,7 +7893,7 @@ public VirtualMachine migrateVirtualMachineWithVolume(Long vmId, Host destinatio
             throw ex;
         }
 
-        if(serviceOfferingDetailsDao.findDetail(vm.getServiceOfferingId(), GPU.Keys.pciDevice.toString()) != null) {
+        if (serviceOfferingDetailsDao.findDetail(vm.getServiceOfferingId(), GPU.Keys.pciDevice.toString()) != null) {
             throw new InvalidParameterValueException("Live Migration of GPU enabled VM is not supported");
         }
 
@@ -7818,38 +7935,29 @@ public VirtualMachine migrateVirtualMachineWithVolume(Long vmId, Host destinatio
         return findMigratedVm(vm.getId(), vm.getType());
     }
 
-    protected void checkVolumesLimits(Account account, List<VolumeVO> volumes) throws ResourceAllocationException {
-        Long totalVolumes = 0L;
-        Long totalVolumesSize = 0L;
+    protected void checkVolumesLimits(Account account, List<VolumeVO> volumes, List<Reserver> reservations) throws ResourceAllocationException {
         Map<Long, List<String>> diskOfferingTagsMap = new HashMap<>();
-        Map<String, Long> tagVolumeCountMap = new HashMap<>();
-        Map<String, Long> tagSizeMap = new HashMap<>();
+
         for (VolumeVO volume : volumes) {
             if (!volume.isDisplay()) {
                 continue;
             }
-            totalVolumes++;
-            totalVolumesSize += volume.getSize();
-            if (!diskOfferingTagsMap.containsKey(volume.getDiskOfferingId())) {
-                diskOfferingTagsMap.put(volume.getDiskOfferingId(), _resourceLimitMgr.getResourceLimitStorageTags(
-                        _diskOfferingDao.findById(volume.getDiskOfferingId())));
-            }
-            List<String> tags = diskOfferingTagsMap.get(volume.getDiskOfferingId());
-            for (String tag : tags) {
-                if (tagVolumeCountMap.containsKey(tag)) {
-                    tagVolumeCountMap.put(tag, tagVolumeCountMap.get(tag) + 1);
-                    tagSizeMap.put(tag, tagSizeMap.get(tag) + volume.getSize());
-                } else {
-                    tagVolumeCountMap.put(tag, 1L);
-                    tagSizeMap.put(tag, volume.getSize());
-                }
+
+            Long diskOfferingId = volume.getDiskOfferingId();
+            if (!diskOfferingTagsMap.containsKey(diskOfferingId)) {
+                DiskOffering diskOffering = _diskOfferingDao.findById(diskOfferingId);
+                List<String> tagsForDiskOffering = _resourceLimitMgr.getResourceLimitStorageTags(diskOffering);
+                diskOfferingTagsMap.put(diskOfferingId, tagsForDiskOffering);
             }
-        }
-        _resourceLimitMgr.checkResourceLimit(account, ResourceType.volume, totalVolumes);
-        _resourceLimitMgr.checkResourceLimit(account, ResourceType.primary_storage, totalVolumesSize);
-        for (String tag : tagVolumeCountMap.keySet()) {
-            resourceLimitService.checkResourceLimitWithTag(account, ResourceType.volume, tag, tagVolumeCountMap.get(tag));
-            resourceLimitService.checkResourceLimitWithTag(account, ResourceType.primary_storage, tag, tagSizeMap.get(tag));
+
+            List<String> tags = diskOfferingTagsMap.get(diskOfferingId);
+
+            CheckedReservation volumeReservation = new CheckedReservation(account, ResourceType.volume, tags, 1L, reservationDao, resourceLimitService);
+            reservations.add(volumeReservation);
+
+            long size = ObjectUtils.defaultIfNull(volume.getSize(), 0L);
+            CheckedReservation primaryStorageReservation = new CheckedReservation(account, ResourceType.primary_storage, tags, size, reservationDao, resourceLimitService);
+            reservations.add(primaryStorageReservation);
         }
     }
 
@@ -7870,7 +7978,7 @@ public UserVm moveVmToUser(final AssignVMCmd cmd) throws ResourceAllocationExcep
 
         Long domainId = cmd.getDomainId();
         Long projectId = cmd.getProjectId();
-        Long oldAccountId = vm.getAccountId();
+        long oldAccountId = vm.getAccountId();
         String newAccountName = cmd.getAccountName();
         final Account oldAccount = _accountService.getActiveAccountById(oldAccountId);
         final Account newAccount = _accountMgr.finalizeOwner(caller, newAccountName, domainId, projectId);
@@ -7891,14 +7999,16 @@ public UserVm moveVmToUser(final AssignVMCmd cmd) throws ResourceAllocationExcep
         final ServiceOfferingVO offering = serviceOfferingDao.findByIdIncludingRemoved(vm.getId(), vm.getServiceOfferingId());
         VirtualMachineTemplate template = _templateDao.findByIdIncludingRemoved(vm.getTemplateId());
 
-        verifyResourceLimitsForAccountAndStorage(newAccount, vm, offering, volumes, template);
-
         validateIfNewOwnerHasAccessToTemplate(vm, newAccount, template);
 
         DomainVO domain = _domainDao.findById(domainId);
         logger.trace("Verifying if the new account [{}] has access to the specified domain [{}].", newAccount, domain);
         _accountMgr.checkAccess(newAccount, domain);
 
+        List<Reserver> reservations = new ArrayList<>();
+        try {
+        verifyResourceLimitsForAccountAndStorage(newAccount, vm, offering, volumes, template, reservations);
+
         Network newNetwork = ensureDestinationNetwork(cmd, vm, newAccount);
         try {
             Transaction.execute(new TransactionCallbackNoReturn() {
@@ -7915,6 +8025,10 @@ public void doInTransactionWithoutResult(TransactionStatus status) {
             throw e;
         }
 
+        } finally {
+            ReservationHelper.closeAll(reservations);
+        }
+
         logger.info("VM [{}] now belongs to account [{}].", vm.getInstanceName(), newAccountName);
         return vm;
     }
@@ -7985,18 +8099,18 @@ protected void validateIfVolumesHaveNoSnapshots(List<VolumeVO> volumes) throws I
      * @param volumes The volumes whose total size can exceed resource limits.
      * @throws ResourceAllocationException
      */
-    protected void verifyResourceLimitsForAccountAndStorage(Account account, UserVmVO vm, ServiceOfferingVO offering, List<VolumeVO> volumes, VirtualMachineTemplate template)
+    protected void verifyResourceLimitsForAccountAndStorage(Account account, UserVmVO vm, ServiceOfferingVO offering, List<VolumeVO> volumes, VirtualMachineTemplate template, List<Reserver> reservations)
             throws ResourceAllocationException {
 
         logger.trace("Verifying if CPU and RAM for VM [{}] do not exceed account [{}] limit.", vm, account);
 
         if (!countOnlyRunningVmsInResourceLimitation()) {
-            resourceLimitService.checkVmResourceLimit(account, vm.isDisplayVm(), offering, template);
+            resourceLimitService.checkVmResourceLimit(account, vm.isDisplayVm(), offering, template, reservations);
         }
 
         logger.trace("Verifying if volume size for VM [{}] does not exceed account [{}] limit.", vm, account);
 
-        checkVolumesLimits(account, volumes);
+        checkVolumesLimits(account, volumes, reservations);
     }
 
     protected boolean countOnlyRunningVmsInResourceLimitation() {
@@ -8493,7 +8607,7 @@ protected void selectApplicableNetworkToCreateVm(Account newAccount, DataCenterV
     protected void addDefaultSecurityGroupToSecurityGroupIdList(Account newAccount, List<Long> securityGroupIdList) {
         logger.debug("Adding default security group to security group list if not already in it.");
 
-        Long newAccountId = newAccount.getId();
+        long newAccountId = newAccount.getId();
         SecurityGroup defaultGroup = _securityGroupMgr.getDefaultSecurityGroup(newAccountId);
         boolean defaultGroupPresent = false;
 
@@ -8628,10 +8742,8 @@ protected void updateBackupScheduleOwnership(UserVmVO vm, Account newAccount) {
     /**
      * Attempts to create a network suitable for the creation of a VM ({@link NetworkOrchestrationService#createGuestNetwork}).
      * If no physical network is found, throws a {@link InvalidParameterValueException}.
-     * @param caller The account which calls for the network creation.
      * @param newAccount The account to which the network will be created.
      * @param zone The zone where the network will be created.
-     * @param requiredOffering The network offering required to create the network.
      * @return The NetworkVO for the network created.
      * @throws InsufficientCapacityException
      * @throws ResourceAllocationException
@@ -8642,7 +8754,7 @@ protected NetworkVO createApplicableNetworkToCreateVm(Account newAccount, DataCe
         logger.trace("Creating an applicable network to create the VM.");
 
         NetworkVO defaultNetwork;
-        Long zoneId = zone.getId();
+        long zoneId = zone.getId();
         Account caller = CallContext.current().getCallingAccount();
         NetworkOfferingVO requiredOffering = getOfferingWithRequiredAvailabilityForNetworkCreation();
         String requiredOfferingTags = requiredOffering.getTags();
@@ -8753,6 +8865,10 @@ public UserVm restoreVM(RestoreVMCmd cmd) throws InsufficientCapacityException,
             throw new InvalidParameterValueException(String.format("Operation not supported for instance: %s",
                     vm.getName()));
         }
+        if (isVMPartOfAnyCKSCluster(vm)) {
+            throw new UnsupportedServiceException("Cannot restore VM with id = " + vm.getUuid() +
+                    " as it belongs to a CKS cluster. Please remove the VM from the CKS cluster before restoring.");
+        }
         _accountMgr.checkAccess(caller, null, true, vm);
 
         VMTemplateVO template;
@@ -8891,12 +9007,10 @@ public UserVm restoreVirtualMachine(final Account caller, final long vmId, final
 
         VMTemplateVO template = getRestoreVirtualMachineTemplate(caller, newTemplateId, rootVols, vm);
         DiskOffering diskOffering = rootDiskOfferingId != null ? _diskOfferingDao.findById(rootDiskOfferingId) : null;
+
+        List<Reserver> reservations = new ArrayList<>();
         try {
-            checkRestoreVmFromTemplate(vm, template, rootVols, diskOffering, details);
-        } catch (ResourceAllocationException e) {
-            logger.error("Failed to restore VM {} due to {}", vm, e.getMessage(), e);
-            throw new CloudRuntimeException("Failed to restore VM " + vm.getUuid() + " due to " + e.getMessage(), e);
-        }
+        checkRestoreVmFromTemplate(vm, template, rootVols, diskOffering, details, reservations);
 
         if (needRestart) {
             try {
@@ -9043,6 +9157,12 @@ public Pair<UserVmVO, Volume> doInTransaction(final TransactionStatus status) th
         logger.debug("Restore VM {} done successfully", vm);
         return vm;
 
+        } catch (ResourceAllocationException e) {
+            logger.error("Failed to restore VM {} due to {}", vm, e.getMessage(), e);
+            throw new CloudRuntimeException("Failed to restore VM " + vm.getUuid() + " due to " + e.getMessage(), e);
+        } finally {
+            ReservationHelper.closeAll(reservations);
+        }
     }
 
     Long getRootVolumeSizeForVmRestore(Volume vol, VMTemplateVO template, UserVmVO userVm, DiskOffering diskOffering, Map<String, String> details, boolean update) {
@@ -9142,7 +9262,7 @@ private void updateVMDynamicallyScalabilityUsingTemplate(UserVmVO vm, Long newTe
      * @param template template
      * @throws InvalidParameterValueException if restore is not possible
      */
-    private void checkRestoreVmFromTemplate(UserVmVO vm, VMTemplateVO template, List<VolumeVO> rootVolumes, DiskOffering newDiskOffering, Map<String,String> details) throws ResourceAllocationException {
+    private void checkRestoreVmFromTemplate(UserVmVO vm, VMTemplateVO template, List<VolumeVO> rootVolumes, DiskOffering newDiskOffering, Map<String,String> details, List<Reserver> reservations) throws ResourceAllocationException {
         TemplateDataStoreVO tmplStore;
         if (!template.isDirectDownload()) {
             tmplStore = _templateStoreDao.findByTemplateZoneReady(template.getId(), vm.getDataCenterId());
@@ -9160,7 +9280,7 @@ private void checkRestoreVmFromTemplate(UserVmVO vm, VMTemplateVO template, List
         if (vm.getTemplateId() != template.getId()) {
             ServiceOfferingVO serviceOffering = serviceOfferingDao.findById(vm.getId(), vm.getServiceOfferingId());
             VMTemplateVO currentTemplate = _templateDao.findByIdIncludingRemoved(vm.getTemplateId());
-            _resourceLimitMgr.checkVmResourceLimitsForTemplateChange(owner, vm.isDisplay(), serviceOffering, currentTemplate, template);
+            _resourceLimitMgr.checkVmResourceLimitsForTemplateChange(owner, vm.isDisplay(), serviceOffering, currentTemplate, template, reservations);
         }
 
         for (Volume vol : rootVolumes) {
@@ -9171,7 +9291,7 @@ private void checkRestoreVmFromTemplate(UserVmVO vm, VMTemplateVO template, List
             if (newDiskOffering != null || !vol.getSize().equals(newSize)) {
                 DiskOffering currentOffering = _diskOfferingDao.findById(vol.getDiskOfferingId());
                 _resourceLimitMgr.checkVolumeResourceLimitForDiskOfferingChange(owner, vol.isDisplay(),
-                        vol.getSize(), newSize, currentOffering, newDiskOffering);
+                        vol.getSize(), newSize, currentOffering, newDiskOffering, reservations);
             }
         }
     }
@@ -9187,8 +9307,14 @@ private void handleManagedStorage(UserVmVO vm, VolumeVO root) {
             Long hostId = vm.getHostId() != null ? vm.getHostId() : vm.getLastHostId();
 
             if (hostId != null) {
-                VolumeInfo volumeInfo = volFactory.getVolume(root.getId());
+                // default findById() won't search entries with removed field not null
                 Host host = _hostDao.findById(hostId);
+                if (host == null) {
+                    logger.warn("Host {} not found", hostId);
+                    return;
+                }
+
+                VolumeInfo volumeInfo = volFactory.getVolume(root.getId());
 
                 final Command cmd;
 
@@ -9352,7 +9478,7 @@ public ConfigKey<?>[] getConfigKeys() {
                 VmIpFetchThreadPoolMax, VmIpFetchTaskWorkers, AllowDeployVmIfGivenHostFails, EnableAdditionalVmConfig, DisplayVMOVFProperties,
                 KvmAdditionalConfigAllowList, XenServerAdditionalConfigAllowList, VmwareAdditionalConfigAllowList, DestroyRootVolumeOnVmDestruction,
                 EnforceStrictResourceLimitHostTagCheck, StrictHostTags, AllowUserForceStopVm, VmDistinctHostNameScope,
-                VmwareAdditionalDetailsFromOvaEnabled, VmwareAllowedAdditionalDetailsFromOva};
+                VmwareAdditionalDetailsFromOvaEnabled, VmwareAllowedAdditionalDetailsFromOva, AllowDifferentHostTagsOfferingsForVmScale, AutoMigrateVmOnLiveScaleInsufficientCapacity};
     }
 
     @Override
@@ -9388,7 +9514,7 @@ private boolean checkStatusOfVolumeSnapshots(VirtualMachine vm, Volume.Type type
         }
         logger.debug("Found {} no. of volumes of type {} for vm with VM ID {}", listVolumes.size(), type, vm);
         for (VolumeVO volume : listVolumes) {
-            Long volumeId = volume.getId();
+            long volumeId = volume.getId();
             logger.debug("Checking status of snapshots for Volume: {}", volume);
             List<SnapshotVO> ongoingSnapshots = _snapshotDao.listByStatus(volumeId, Snapshot.State.Creating, Snapshot.State.CreatedOnPrimary, Snapshot.State.BackingUp);
             int ongoingSnapshotsCount = ongoingSnapshots.size();
@@ -9407,12 +9533,12 @@ private void checkForUnattachedVolumes(long vmId, List<VolumeVO> volumes) {
 
         for (VolumeVO volume : volumes) {
             if (volume.getInstanceId() == null || vmId != volume.getInstanceId() || volume.getVolumeType() != Volume.Type.DATADISK) {
-                sb.append(volume.toString() + "; ");
+                sb.append(volume + "; ");
             }
         }
 
         if (!StringUtils.isEmpty(sb.toString())) {
-            throw new InvalidParameterValueException("The following supplied volumes are not DATADISK attached to the VM: " + sb.toString());
+            throw new InvalidParameterValueException("The following supplied volumes are not DATADISK attached to the VM: " + sb);
         }
     }
 
@@ -9420,7 +9546,7 @@ private void validateVolumes(List<VolumeVO> volumes) {
 
         for (VolumeVO volume : volumes) {
             if (!(volume.getVolumeType() == Volume.Type.ROOT || volume.getVolumeType() == Volume.Type.DATADISK)) {
-                throw new InvalidParameterValueException("Please specify volume of type " + Volume.Type.DATADISK.toString() + " or " + Volume.Type.ROOT.toString());
+                throw new InvalidParameterValueException("Please specify volume of type " + Volume.Type.DATADISK + " or " + Volume.Type.ROOT);
             }
             if (volume.isDeleteProtection()) {
                 throw new InvalidParameterValueException(String.format(
@@ -9491,7 +9617,7 @@ private String getInternalName(long accountId, long vmId) {
     @Override
     public UserVm importVM(final DataCenter zone, final Host host, final VirtualMachineTemplate template, final String instanceNameInternal, final String displayName,
                            final Account owner, final String userData, final Account caller, final Boolean isDisplayVm, final String keyboard,
-                           final long accountId, final long userId, final ServiceOffering serviceOffering, final String sshPublicKeys,
+                           final long accountId, final long userId, final ServiceOffering serviceOffering, final String sshPublicKeys, final Long guestOsId,
                            final String hostName, final HypervisorType hypervisorType, final Map<String, String> customParameters,
                            final VirtualMachine.PowerState powerState, final LinkedHashMap<String, List<NicProfile>> networkNicMap) throws InsufficientCapacityException {
         return Transaction.execute((TransactionCallbackWithException<UserVm, InsufficientCapacityException>) status -> {
@@ -9514,10 +9640,10 @@ public UserVm importVM(final DataCenter zone, final Host host, final VirtualMach
 
             final String uuidName = _uuidMgr.generateUuid(UserVm.class, null);
             final Host lastHost = powerState != VirtualMachine.PowerState.PowerOn ? host : null;
-            final Boolean dynamicScalingEnabled = checkIfDynamicScalingCanBeEnabled(null, serviceOffering, template, zone.getId());
+            final boolean dynamicScalingEnabled = checkIfDynamicScalingCanBeEnabled(null, serviceOffering, template, zone.getId());
             return commitUserVm(true, zone, host, lastHost, template, hostName, displayName, owner,
                     null, null, userData, null, null, isDisplayVm, keyboard,
-                    accountId, userId, serviceOffering, template.getFormat().equals(ImageFormat.ISO), sshPublicKeys, networkNicMap,
+                    accountId, userId, serviceOffering, template.getFormat().equals(ImageFormat.ISO), guestOsId, sshPublicKeys, networkNicMap,
                     id, instanceName, uuidName, hypervisorType, customParameters,
                     null, null, null, powerState, dynamicScalingEnabled, null, serviceOffering.getDiskOfferingId(), null, null, null, null);
         });
@@ -9576,7 +9702,7 @@ private void updateDetailsWithRootDiskAttributes(Map<String, String> details, Vm
     }
 
     private void checkRootDiskSizeAgainstBackup(Long instanceVolumeSize,DiskOffering rootDiskOffering, Long backupVolumeSize) {
-        Long instanceRootDiskSize = rootDiskOffering.isCustomized() ? instanceVolumeSize : rootDiskOffering.getDiskSize() / GiB_TO_BYTES;
+        long instanceRootDiskSize = rootDiskOffering.isCustomized() ? instanceVolumeSize : rootDiskOffering.getDiskSize() / GiB_TO_BYTES;
         if (instanceRootDiskSize < backupVolumeSize) {
             throw new InvalidParameterValueException(
                     String.format("Instance volume root disk size %d[GiB] cannot be less than the backed-up volume size %d[GiB].",
@@ -9653,7 +9779,7 @@ public UserVm allocateVMFromBackup(CreateVMFromBackupCmd cmd) throws Insufficien
         Long size = cmd.getSize();
 
         Long diskOfferingId = cmd.getDiskOfferingId();
-        Boolean isIso = template.getFormat().equals(ImageFormat.ISO);
+        boolean isIso = template.getFormat().equals(ImageFormat.ISO);
         if (diskOfferingId != null) {
             if (!isIso) {
                 throw new InvalidParameterValueException(ApiConstants.DISK_OFFERING_ID + " parameter is supported for creating instance from backup only for ISO. For creating VMs with templates, please use the parameter " + ApiConstants.DATADISKS_DETAILS);
@@ -9944,10 +10070,15 @@ private void collectVmDiskAndNetworkStatistics(UserVm vm, State expectedState) {
         }
     }
 
-    public Boolean getDestroyRootVolumeOnVmDestruction(Long domainId){
+    public Boolean getDestroyRootVolumeOnVmDestruction(Long domainId) {
         return DestroyRootVolumeOnVmDestruction.valueIn(domainId);
     }
 
+    @Override
+    public boolean isVMPartOfAnyCKSCluster(VMInstanceVO vm) {
+        return kubernetesServiceHelpers.get(0).findByVmId(vm.getId()) != null;
+    }
+
     private void setVncPasswordForKvmIfAvailable(Map<String, String> customParameters, UserVmVO vm) {
         if (customParameters.containsKey(VmDetailConstants.KVM_VNC_PASSWORD)
                 && StringUtils.isNotEmpty(customParameters.get(VmDetailConstants.KVM_VNC_PASSWORD))) {
diff --git a/server/src/main/java/com/cloud/vm/snapshot/VMSnapshotManagerImpl.java b/server/src/main/java/com/cloud/vm/snapshot/VMSnapshotManagerImpl.java
index 5c90b5cbee6b..52e2434d3206 100644
--- a/server/src/main/java/com/cloud/vm/snapshot/VMSnapshotManagerImpl.java
+++ b/server/src/main/java/com/cloud/vm/snapshot/VMSnapshotManagerImpl.java
@@ -449,7 +449,6 @@ public VMSnapshot allocVMSnapshot(Long vmId, String vsDisplayName, String vsDesc
      * Create, persist and return vm snapshot for userVmVo with given parameters.
      * Persistence and support for custom service offerings are done on the same transaction
      * @param userVmVo user vm
-     * @param vmId vm id
      * @param vsDescription vm description
      * @param vmSnapshotName vm snapshot name
      * @param vsDisplayName vm snapshot display name
@@ -759,11 +758,24 @@ public UserVm revertToSnapshot(Long vmSnapshotId) throws InsufficientCapacityExc
                     "Instance Snapshot reverting failed because the Instance is not in Running or Stopped state.");
         }
 
-        if (userVm.getState() == VirtualMachine.State.Running && vmSnapshotVo.getType() == VMSnapshot.Type.Disk || userVm.getState() == VirtualMachine.State.Stopped
-                && vmSnapshotVo.getType() == VMSnapshot.Type.DiskAndMemory) {
+        if (userVm.getState() == VirtualMachine.State.Running && vmSnapshotVo.getType() == VMSnapshot.Type.Disk) {
+            throw new InvalidParameterValueException(
+                    "Reverting to the Instance Snapshot is not allowed for running Instances as this would result in an Instance state change. " +
+                            "For running Instances only Snapshots with memory can be reverted. " +
+                            "In order to revert to a Snapshot without memory you need to first stop the Instance.");
+        }
+
+        if (userVm.getState() == VirtualMachine.State.Running && vmSnapshotVo.getType() == VMSnapshot.Type.Disk) {
+            throw new InvalidParameterValueException(
+                    "Reverting to the Instance Snapshot is not allowed for running Instances as this would result in an Instance state change. " +
+                            "For running Instances only Snapshots with memory can be reverted. " +
+                            "In order to revert to a Snapshot without memory you need to first stop the Instance.");
+        }
+
+        if (userVm.getState() == VirtualMachine.State.Stopped && vmSnapshotVo.getType() == VMSnapshot.Type.DiskAndMemory) {
             throw new InvalidParameterValueException(
-                    "Reverting to the Instance Snapshot is not allowed for running Instances as this would result in a Instance state change. For running Instances only Snapshots with memory can be reverted. In order to revert to a Snapshot without memory you need to first stop the Instance."
-                            + " Snapshot");
+                    "Reverting to the Instance Snapshot is not allowed for stopped Instances when the Snapshot contains memory as this would result in an Instance state change. " +
+                            "In order to revert to a Snapshot with memory you need to first start the Instance.");
         }
 
         // if snapshot is not created, error out
@@ -816,37 +828,59 @@ else if (jobResult instanceof Throwable)
     }
 
     /**
-     * If snapshot was taken with a different service offering than actual used in vm, should change it back to it
-     * @param userVm vm to change service offering (if necessary)
-     * @param vmSnapshotVo vm snapshot
+     * Check if service offering change is needed for user vm when reverting to vm snapshot.
+     * Service offering change is needed when snapshot was taken with a different service offering than actual used in vm.
+     * Service offering change is also needed when service offering is dynamic and the amount of cpu, memory or cpu speed
+     * has been changed since snapshot was taken.
+     * @param userVm
+     * @param vmSnapshotVo
+     * @return true if service offering change is needed; false otherwise
      */
-    protected void updateUserVmServiceOffering(UserVm userVm, VMSnapshotVO vmSnapshotVo) {
+    protected boolean userVmServiceOfferingNeedsChange(UserVm userVm, VMSnapshotVO vmSnapshotVo) {
         if (vmSnapshotVo.getServiceOfferingId() != userVm.getServiceOfferingId()) {
-            changeUserVmServiceOffering(userVm, vmSnapshotVo);
+            return true;
         }
+
+        ServiceOfferingVO currentServiceOffering = _serviceOfferingDao.findByIdIncludingRemoved(userVm.getId(), userVm.getServiceOfferingId());
+        if (currentServiceOffering.isDynamic()) {
+            Map<String, String> vmDetails = getVmMapDetails(vmSnapshotVo);
+            ServiceOfferingVO newServiceOffering = _serviceOfferingDao.getComputeOffering(currentServiceOffering, vmDetails);
+
+            int newCpu = newServiceOffering.getCpu();
+            int newMemory = newServiceOffering.getRamSize();
+            int newSpeed = newServiceOffering.getSpeed();
+            int currentCpu = currentServiceOffering.getCpu();
+            int currentMemory = currentServiceOffering.getRamSize();
+            int currentSpeed = currentServiceOffering.getSpeed();
+
+            if (newCpu != currentCpu || newMemory != currentMemory || newSpeed != currentSpeed) {
+                return true;
+            }
+        }
+        return false;
     }
 
     /**
      * Get user vm details as a map
-     * @param userVm user vm
+     * @param vmSnapshotVo snapshot to get the details from
      * @return map
      */
-    protected Map<String, String> getVmMapDetails(UserVm userVm) {
-        List<VMInstanceDetailVO> userVmDetails = _vmInstanceDetailsDao.listDetails(userVm.getId());
+    protected Map<String, String> getVmMapDetails(VMSnapshotVO vmSnapshotVo) {
+        List<VMSnapshotDetailsVO> vmSnapshotDetails = _vmSnapshotDetailsDao.listDetails(vmSnapshotVo.getId());
         Map<String, String> details = new HashMap<String, String>();
-        for (VMInstanceDetailVO detail : userVmDetails) {
+        for (VMSnapshotDetailsVO detail : vmSnapshotDetails) {
             details.put(detail.getName(), detail.getValue());
         }
         return details;
     }
 
     /**
-     * Update service offering on {@link userVm} to the one specified in {@link vmSnapshotVo}
+     * Update service offering on {code}userVm{code} to the one specified in {code}vmSnapshotVo{code}
      * @param userVm user vm to be updated
      * @param vmSnapshotVo vm snapshot
      */
     protected void changeUserVmServiceOffering(UserVm userVm, VMSnapshotVO vmSnapshotVo) {
-        Map<String, String> vmDetails = getVmMapDetails(userVm);
+        Map<String, String> vmDetails = getVmMapDetails(vmSnapshotVo);
         boolean result = upgradeUserVmServiceOffering(userVm, vmSnapshotVo.getServiceOfferingId(), vmDetails);
         if (! result){
             throw new CloudRuntimeException("Instance Snapshot reverting failed because the Instance service offering couldn't be changed to the one used when Snapshot was taken");
@@ -855,8 +889,8 @@ protected void changeUserVmServiceOffering(UserVm userVm, VMSnapshotVO vmSnapsho
     }
 
     /**
-     * Upgrade virtual machine {@linkplain vmId} to new service offering {@linkplain serviceOfferingId}
-     * @param vmId vm id
+     * Upgrade virtual machine {code}vm{code} to new service offering {code}serviceOfferingId{code}
+     * @param vm vm
      * @param serviceOfferingId service offering id
      * @param details vm details
      * @return if operation was successful
@@ -943,8 +977,10 @@ private UserVm orchestrateRevertToVMSnapshot(Long vmSnapshotId) throws Insuffici
             Transaction.execute(new TransactionCallbackWithExceptionNoReturn<CloudRuntimeException>() {
                 @Override
                 public void doInTransactionWithoutResult(TransactionStatus status) throws CloudRuntimeException {
+                    if (userVmServiceOfferingNeedsChange(userVm, vmSnapshotVo)) {
+                        changeUserVmServiceOffering(userVm, vmSnapshotVo);
+                    }
                     revertCustomServiceOfferingDetailsFromVmSnapshot(userVm, vmSnapshotVo);
-                    updateUserVmServiceOffering(userVm, vmSnapshotVo);
                 }
             });
             return userVm;
@@ -1294,7 +1330,7 @@ public Outcome<VirtualMachine> deleteAllVMSnapshotsThroughJobQueue(final Long vm
     public Pair<JobInfo.Status, String> orchestrateCreateVMSnapshot(VmWorkCreateVMSnapshot work) throws Exception {
         VMSnapshot snapshot = orchestrateCreateVMSnapshot(work.getVmId(), work.getVmSnapshotId(), work.isQuiesceVm());
         return new Pair<JobInfo.Status, String>(JobInfo.Status.SUCCEEDED,
-                _jobMgr.marshallResultObject(new Long(snapshot.getId())));
+                _jobMgr.marshallResultObject(Long.valueOf(snapshot.getId())));
     }
 
     @ReflectionUse
diff --git a/server/src/main/java/org/apache/cloudstack/backup/BackupManagerImpl.java b/server/src/main/java/org/apache/cloudstack/backup/BackupManagerImpl.java
index db636c7f0f42..fd4fc9466066 100644
--- a/server/src/main/java/org/apache/cloudstack/backup/BackupManagerImpl.java
+++ b/server/src/main/java/org/apache/cloudstack/backup/BackupManagerImpl.java
@@ -81,6 +81,7 @@
 import org.apache.cloudstack.managed.context.ManagedContextTimerTask;
 import org.apache.cloudstack.poll.BackgroundPollManager;
 import org.apache.cloudstack.poll.BackgroundPollTask;
+import org.apache.cloudstack.reservation.dao.ReservationDao;
 import org.apache.cloudstack.storage.datastore.db.PrimaryDataStoreDao;
 import org.apache.cloudstack.storage.datastore.db.StoragePoolVO;
 import org.apache.cloudstack.utils.reflectiontostringbuilderutils.ReflectionToStringBuilderUtils;
@@ -89,6 +90,8 @@
 import org.apache.commons.lang3.BooleanUtils;
 import org.apache.commons.lang3.ObjectUtils;
 import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.lang3.builder.ReflectionToStringBuilder;
+import org.apache.commons.lang3.builder.ToStringStyle;
 
 import com.cloud.alert.AlertManager;
 import com.cloud.api.ApiDispatcher;
@@ -122,6 +125,7 @@
 import com.cloud.offering.DiskOffering;
 import com.cloud.offering.ServiceOffering;
 import com.cloud.projects.Project;
+import com.cloud.resourcelimit.CheckedReservation;
 import com.cloud.serializer.GsonHelper;
 import com.cloud.service.dao.ServiceOfferingDao;
 import com.cloud.storage.DiskOfferingVO;
@@ -173,8 +177,6 @@
 import com.google.gson.Gson;
 import com.google.gson.GsonBuilder;
 import com.google.gson.reflect.TypeToken;
-import org.apache.commons.lang3.builder.ReflectionToStringBuilder;
-import org.apache.commons.lang3.builder.ToStringStyle;
 
 public class BackupManagerImpl extends ManagerBase implements BackupManager {
 
@@ -244,6 +246,8 @@ public class BackupManagerImpl extends ManagerBase implements BackupManager {
     private GuestOSDao _guestOSDao;
     @Inject
     private DomainHelper domainHelper;
+    @Inject
+    ReservationDao reservationDao;
 
     private AsyncJobDispatcher asyncJobDispatcher;
     private Timer backupTimer;
@@ -940,14 +944,6 @@ public boolean createBackup(CreateBackupCmd cmd, Object job) throws ResourceAllo
         Long backupScheduleId = getBackupScheduleId(job);
         boolean isScheduledBackup = backupScheduleId != null;
         Account owner = accountManager.getAccount(vm.getAccountId());
-        try {
-            resourceLimitMgr.checkResourceLimit(owner, Resource.ResourceType.backup);
-        } catch (ResourceAllocationException e) {
-            if (isScheduledBackup) {
-                sendExceededBackupLimitAlert(owner.getUuid(), Resource.ResourceType.backup);
-            }
-            throw e;
-        }
 
         Long backupSize = 0L;
         for (final Volume volume: volumeDao.findByInstance(vmId)) {
@@ -959,40 +955,49 @@ public boolean createBackup(CreateBackupCmd cmd, Object job) throws ResourceAllo
                 backupSize += volumeSize;
             }
         }
-        try {
-            resourceLimitMgr.checkResourceLimit(owner, Resource.ResourceType.backup_storage, backupSize);
-        } catch (ResourceAllocationException e) {
-            if (isScheduledBackup) {
-                sendExceededBackupLimitAlert(owner.getUuid(), Resource.ResourceType.backup_storage);
-            }
-            throw e;
+        createCheckedBackup(cmd, owner, isScheduledBackup, backupSize, vm, vmId, backupProvider, backupScheduleId);
+        if (isScheduledBackup) {
+            deleteOldestBackupFromScheduleIfRequired(vmId, backupScheduleId);
         }
+        return true;
+    }
 
-        ActionEventUtils.onStartedActionEvent(User.UID_SYSTEM, vm.getAccountId(),
-                EventTypes.EVENT_VM_BACKUP_CREATE, "creating backup for VM ID:" + vm.getUuid(),
-                vmId, ApiCommandResourceType.VirtualMachine.toString(),
-                true, 0);
+    private void createCheckedBackup(CreateBackupCmd cmd, Account owner, boolean isScheduledBackup, Long backupSize,
+                 VMInstanceVO vm, Long vmId, BackupProvider backupProvider, Long backupScheduleId)
+            throws ResourceAllocationException {
+        try (CheckedReservation backupReservation = new CheckedReservation(owner, Resource.ResourceType.backup,
+                1L, reservationDao, resourceLimitMgr);
+             CheckedReservation backupStorageReservation = new CheckedReservation(owner,
+                     Resource.ResourceType.backup_storage, backupSize, reservationDao, resourceLimitMgr)) {
 
-        Pair<Boolean, Backup> result = backupProvider.takeBackup(vm, cmd.getQuiesceVM());
-        if (!result.first()) {
-            throw new CloudRuntimeException("Failed to create VM backup");
-        }
-        Backup backup = result.second();
-        if (backup != null) {
-            BackupVO vmBackup = backupDao.findById(result.second().getId());
-            vmBackup.setBackupScheduleId(backupScheduleId);
-            if (cmd.getName() != null) {
-                vmBackup.setName(cmd.getName());
+            ActionEventUtils.onStartedActionEvent(User.UID_SYSTEM, vm.getAccountId(),
+                    EventTypes.EVENT_VM_BACKUP_CREATE, "creating backup for VM ID:" + vm.getUuid(),
+                    vmId, ApiCommandResourceType.VirtualMachine.toString(),
+                    true, 0);
+
+            Pair<Boolean, Backup> result = backupProvider.takeBackup(vm, cmd.getQuiesceVM());
+            if (!result.first()) {
+                throw new CloudRuntimeException("Failed to create VM backup");
             }
-            vmBackup.setDescription(cmd.getDescription());
-            backupDao.update(vmBackup.getId(), vmBackup);
-            resourceLimitMgr.incrementResourceCount(vm.getAccountId(), Resource.ResourceType.backup);
-            resourceLimitMgr.incrementResourceCount(vm.getAccountId(), Resource.ResourceType.backup_storage, backup.getSize());
-        }
-        if (isScheduledBackup) {
-            deleteOldestBackupFromScheduleIfRequired(vmId, backupScheduleId);
+            Backup backup = result.second();
+            if (backup != null) {
+                BackupVO vmBackup = backupDao.findById(result.second().getId());
+                vmBackup.setBackupScheduleId(backupScheduleId);
+                if (cmd.getName() != null) {
+                    vmBackup.setName(cmd.getName());
+                }
+                vmBackup.setDescription(cmd.getDescription());
+                backupDao.update(vmBackup.getId(), vmBackup);
+                resourceLimitMgr.incrementResourceCount(vm.getAccountId(), Resource.ResourceType.backup);
+                resourceLimitMgr.incrementResourceCount(vm.getAccountId(), Resource.ResourceType.backup_storage, backup.getSize());
+            }
+        } catch (ResourceAllocationException e) {
+            if (isScheduledBackup && (Resource.ResourceType.backup.equals(e.getResourceType()) ||
+                    Resource.ResourceType.backup_storage.equals(e.getResourceType()))) {
+                sendExceededBackupLimitAlert(owner.getUuid(), e.getResourceType());
+            }
+            throw e;
         }
-        return true;
     }
 
     /**
@@ -1044,7 +1049,7 @@ protected Long getBackupScheduleId(Object job) {
      * @param vmId The ID of the VM associated with the backups
      * @param backupScheduleId Backup schedule ID of the backups
      */
-    protected void deleteOldestBackupFromScheduleIfRequired(Long vmId, long backupScheduleId) {
+    protected void deleteOldestBackupFromScheduleIfRequired(Long vmId, long backupScheduleId) throws ResourceAllocationException {
         BackupScheduleVO backupScheduleVO = backupScheduleDao.findById(backupScheduleId);
         if (backupScheduleVO == null || backupScheduleVO.getMaxBackups() == 0) {
             logger.info("The schedule does not have a retention specified and, hence, not deleting any backups from it.", vmId);
@@ -1068,7 +1073,7 @@ protected void deleteOldestBackupFromScheduleIfRequired(Long vmId, long backupSc
      * @param amountOfBackupsToDelete Number of backups to be deleted from the list of backups
      * @param backupScheduleId ID of the backup schedule associated with the backups
      */
-    protected void deleteExcessBackups(List<BackupVO> backups, int amountOfBackupsToDelete, long backupScheduleId) {
+    protected void deleteExcessBackups(List<BackupVO> backups, int amountOfBackupsToDelete, long backupScheduleId) throws ResourceAllocationException {
         logger.debug("Deleting the [{}] oldest backups from the schedule [ID: {}].", amountOfBackupsToDelete, backupScheduleId);
 
         for (int i = 0; i < amountOfBackupsToDelete; i++) {
@@ -1121,7 +1126,7 @@ public Pair<List<Backup>, Integer> listBackups(final ListBackupsCmd cmd) {
         sb.and("backupOfferingId", sb.entity().getBackupOfferingId(), SearchCriteria.Op.EQ);
 
         if (keyword != null) {
-            sb.or().op("keywordName", sb.entity().getName(), SearchCriteria.Op.LIKE);
+            sb.and().op("keywordName", sb.entity().getName(), SearchCriteria.Op.LIKE);
             SearchBuilder<VMInstanceVO> vmSearch = vmInstanceDao.createSearchBuilder();
             sb.join("vmSearch", vmSearch, sb.entity().getVmId(), vmSearch.entity().getId(), JoinBuilder.JoinType.INNER);
             sb.or("vmSearch", "keywordVmName", vmSearch.entity().getHostName(), SearchCriteria.Op.LIKE);
@@ -1666,7 +1671,7 @@ protected Pair<Boolean, String> restoreBackedUpVolume(final Backup.VolumeInfo ba
 
     @Override
     @ActionEvent(eventType = EventTypes.EVENT_VM_BACKUP_DELETE, eventDescription = "deleting VM backup", async = true)
-    public boolean deleteBackup(final Long backupId, final Boolean forced) {
+    public boolean deleteBackup(final Long backupId, final Boolean forced) throws ResourceAllocationException {
         final BackupVO backup = backupDao.findByIdIncludingRemoved(backupId);
         if (backup == null) {
             throw new CloudRuntimeException("Backup " + backupId + " does not exist");
@@ -1681,24 +1686,49 @@ public boolean deleteBackup(final Long backupId, final Boolean forced) {
 
         validateBackupForZone(backup.getZoneId());
         accountManager.checkAccess(CallContext.current().getCallingAccount(), null, true, vm == null ? backup : vm);
+
+        checkForPendingBackupJobs(backup);
         final BackupOffering offering = backupOfferingDao.findByIdIncludingRemoved(backup.getBackupOfferingId());
         if (offering == null) {
             throw new CloudRuntimeException(String.format("Backup offering with ID [%s] does not exist.", backup.getBackupOfferingId()));
         }
         final BackupProvider backupProvider = getBackupProvider(backup.getZoneId());
-        boolean result = backupProvider.deleteBackup(backup, forced);
-        if (result) {
-            resourceLimitMgr.decrementResourceCount(backup.getAccountId(), Resource.ResourceType.backup);
-            Long backupSize = backup.getSize() != null ? backup.getSize() : 0L;
-            resourceLimitMgr.decrementResourceCount(backup.getAccountId(), Resource.ResourceType.backup_storage, backupSize);
-            if (backupDao.remove(backup.getId())) {
-                checkAndGenerateUsageForLastBackupDeletedAfterOfferingRemove(vm, backup);
-                return true;
-            } else {
-                return false;
+        return deleteCheckedBackup(forced, backupProvider, backup, vm);
+    }
+
+    private boolean deleteCheckedBackup(Boolean forced, BackupProvider backupProvider, BackupVO backup, VMInstanceVO vm) throws ResourceAllocationException {
+        Account owner = accountManager.getAccount(backup.getAccountId());
+        long backupSize = backup.getSize() != null ? backup.getSize() : 0L;
+        try (CheckedReservation backupReservation = new CheckedReservation(owner, Resource.ResourceType.backup,
+                backup.getId(), null, -1L, reservationDao, resourceLimitMgr);
+             CheckedReservation backupStorageReservation = new CheckedReservation(owner,
+                     Resource.ResourceType.backup_storage, backup.getId(), null, -1 * backupSize,
+                     reservationDao, resourceLimitMgr)) {
+            boolean result = backupProvider.deleteBackup(backup, forced);
+            if (result) {
+                resourceLimitMgr.decrementResourceCount(backup.getAccountId(), Resource.ResourceType.backup);
+                resourceLimitMgr.decrementResourceCount(backup.getAccountId(), Resource.ResourceType.backup_storage, backupSize);
+                if (backupDao.remove(backup.getId())) {
+                    checkAndGenerateUsageForLastBackupDeletedAfterOfferingRemove(vm, backup);
+                    return true;
+                } else {
+                    return false;
+                }
             }
+            throw new CloudRuntimeException("Failed to delete the backup");
+        }
+    }
+
+    private void checkForPendingBackupJobs(final BackupVO backup) {
+        String backupUuid = backup.getUuid();
+        long pendingJobs = asyncJobManager.countPendingJobs(backupUuid,
+                CreateVMFromBackupCmd.class.getName(),
+                CreateVMFromBackupCmdByAdmin.class.getName(),
+                RestoreBackupCmd.class.getName(),
+                RestoreVolumeFromBackupAndAttachToVMCmd.class.getName());
+        if (pendingJobs > 0) {
+            throw new CloudRuntimeException("Cannot delete Backup while a create Instance from Backup or restore Backup operation is in progress, please try again later.");
         }
-        throw new CloudRuntimeException("Failed to delete the backup");
     }
 
     /**
diff --git a/server/src/main/java/org/apache/cloudstack/ca/CAManagerImpl.java b/server/src/main/java/org/apache/cloudstack/ca/CAManagerImpl.java
index 2b4e7ddc9d41..73ff79301fb7 100644
--- a/server/src/main/java/org/apache/cloudstack/ca/CAManagerImpl.java
+++ b/server/src/main/java/org/apache/cloudstack/ca/CAManagerImpl.java
@@ -22,12 +22,14 @@
 import java.security.GeneralSecurityException;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
+import java.security.SecureRandom;
 import java.security.cert.CertificateExpiredException;
 import java.security.cert.CertificateNotYetValidException;
 import java.security.cert.CertificateParsingException;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.Iterator;
@@ -39,6 +41,21 @@
 import javax.naming.ConfigurationException;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509TrustManager;
+
+import com.trilead.ssh2.Connection;
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
+import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
+import com.cloud.host.HostVO;
+import com.cloud.utils.PasswordGenerator;
+import com.cloud.utils.ssh.SSHCmdHelper;
+import com.cloud.vm.VMInstanceVO;
+import com.cloud.vm.dao.VMInstanceDao;
+import org.apache.cloudstack.utils.security.KeyStoreUtils;
+import org.apache.commons.lang3.math.NumberUtils;
 
 import org.apache.cloudstack.api.ApiErrorCode;
 import org.apache.cloudstack.api.ServerApiException;
@@ -60,6 +77,7 @@
 import org.joda.time.DateTimeZone;
 
 import com.cloud.agent.AgentManager;
+import com.cloud.agent.api.routing.NetworkElementCommand;
 import com.cloud.alert.AlertManager;
 import com.cloud.certificate.CrlVO;
 import com.cloud.certificate.dao.CrlDao;
@@ -81,6 +99,12 @@ public class CAManagerImpl extends ManagerBase implements CAManager {
     @Inject
     private HostDao hostDao;
     @Inject
+    private VMInstanceDao vmInstanceDao;
+    @Inject
+    private NetworkOrchestrationService networkOrchestrationService;
+    @Inject
+    private ConfigurationDao configDao;
+    @Inject
     private AgentManager agentManager;
     @Inject
     private BackgroundPollManager backgroundPollManager;
@@ -177,12 +201,17 @@ public boolean revokeCertificate(final BigInteger certSerial, final String certC
 
     @Override
     @ActionEvent(eventType = EventTypes.EVENT_CA_CERTIFICATE_PROVISION, eventDescription = "provisioning certificate for host", async = true)
-    public boolean provisionCertificate(final Host host, final Boolean reconnect, final String caProvider) {
+    public boolean provisionCertificate(final Host host, final Boolean reconnect, final String caProvider, final boolean forced) {
         if (host == null) {
             throw new CloudRuntimeException("Unable to find valid host to renew certificate for");
         }
         CallContext.current().setEventDetails("Host ID: " + host.getUuid());
         CallContext.current().putContextParameter(Host.class, host.getUuid());
+
+        if (forced) {
+            return provisionCertificateForced(host, reconnect, caProvider);
+        }
+
         String csr = null;
 
         try {
@@ -200,6 +229,141 @@ public boolean provisionCertificate(final Host host, final Boolean reconnect, fi
         }
     }
 
+    protected boolean provisionCertificateForced(Host host, Boolean reconnect, String caProvider) {
+        if (host.getType() == Host.Type.Routing && host.getHypervisorType() == com.cloud.hypervisor.Hypervisor.HypervisorType.KVM) {
+            return provisionKvmHostViaSsh(host, caProvider);
+        } else if (host.getType() == Host.Type.ConsoleProxy || host.getType() == Host.Type.SecondaryStorageVM) {
+            return provisionSystemVmViaSsh(host, reconnect, caProvider);
+        }
+        throw new CloudRuntimeException("Forced certificate provisioning is only supported for KVM hosts and SystemVMs.");
+    }
+
+    @Override
+    public void provisionCertificateViaSsh(final Connection sshConnection, final String agentIp, final String agentHostname, final String caProvider) {
+        Integer validityPeriod = CAManager.CertValidityPeriod.value();
+        if (validityPeriod < 1) {
+            validityPeriod = 1;
+        }
+
+        String keystorePassword = PasswordGenerator.generateRandomPassword(16);
+
+        // 1. Setup Keystore and Generate CSR
+        final SSHCmdHelper.SSHCmdResult keystoreSetupResult = SSHCmdHelper.sshExecuteCmdWithResult(sshConnection,
+                String.format("sudo /usr/share/cloudstack-common/scripts/util/%s " +
+                              "/etc/cloudstack/agent/agent.properties " +
+                              "/etc/cloudstack/agent/%s " +
+                              "%s %d " +
+                              "/etc/cloudstack/agent/%s",
+                        KeyStoreUtils.KS_SETUP_SCRIPT,
+                        KeyStoreUtils.KS_FILENAME,
+                        keystorePassword,
+                        validityPeriod,
+                        KeyStoreUtils.CSR_FILENAME));
+
+        if (!keystoreSetupResult.isSuccess()) {
+            throw new CloudRuntimeException("Failed to setup keystore and generate CSR via SSH on host: " + agentIp);
+        }
+
+        // 2. Issue Certificate based on returned CSR
+        final String csr = keystoreSetupResult.getStdOut();
+        final Certificate certificate = issueCertificate(csr, Arrays.asList(agentHostname, agentIp),
+                Collections.singletonList(agentIp), null, caProvider);
+
+        if (certificate == null || certificate.getClientCertificate() == null) {
+            throw new CloudRuntimeException("Failed to issue certificates for host: " + agentIp);
+        }
+
+        // 3. Import Certificate into agent keystore
+        final SetupCertificateCommand certificateCommand = new SetupCertificateCommand(certificate);
+        final SSHCmdHelper.SSHCmdResult setupCertResult = SSHCmdHelper.sshExecuteCmdWithResult(sshConnection,
+                String.format("sudo /usr/share/cloudstack-common/scripts/util/%s " +
+                              "/etc/cloudstack/agent/agent.properties %s " +
+                              "/etc/cloudstack/agent/%s %s " +
+                              "/etc/cloudstack/agent/%s \"%s\" " +
+                              "/etc/cloudstack/agent/%s \"%s\" " +
+                              "/etc/cloudstack/agent/%s \"%s\"",
+                        KeyStoreUtils.KS_IMPORT_SCRIPT,
+                        keystorePassword,
+                        KeyStoreUtils.KS_FILENAME,
+                        KeyStoreUtils.SSH_MODE,
+                        KeyStoreUtils.CERT_FILENAME,
+                        certificateCommand.getEncodedCertificate(),
+                        KeyStoreUtils.CACERT_FILENAME,
+                        certificateCommand.getEncodedCaCertificates(),
+                        KeyStoreUtils.PKEY_FILENAME,
+                        certificateCommand.getEncodedPrivateKey()));
+
+        if (!setupCertResult.isSuccess()) {
+            throw new CloudRuntimeException("Failed to import certificates into agent keystore via SSH on host: " + agentIp);
+        }
+    }
+
+    private boolean provisionKvmHostViaSsh(Host host, String caProvider) {
+        final HostVO hostVO = (HostVO) host;
+        hostDao.loadDetails(hostVO);
+        String username = hostVO.getDetail(ApiConstants.USERNAME);
+        String password = hostVO.getDetail(ApiConstants.PASSWORD);
+        String hostIp = host.getPrivateIpAddress();
+
+        int port = AgentManager.KVMHostDiscoverySshPort.valueIn(host.getClusterId());
+        if (hostVO.getDetail(Host.HOST_SSH_PORT) != null) {
+            port = NumberUtils.toInt(hostVO.getDetail(Host.HOST_SSH_PORT), port);
+        }
+
+        Connection sshConnection = null;
+        try {
+            sshConnection = new Connection(hostIp, port);
+            sshConnection.connect(null, 60000, 60000);
+
+            String privateKey = configDao.getValue("ssh.privatekey");
+            if (!SSHCmdHelper.acquireAuthorizedConnectionWithPublicKey(sshConnection, username, privateKey)) {
+                if (StringUtils.isEmpty(password) || !sshConnection.authenticateWithPassword(username, password)) {
+                    throw new CloudRuntimeException("Failed to authenticate to host via SSH for forced provisioning: " + hostIp);
+                }
+            }
+
+            provisionCertificateViaSsh(sshConnection, hostIp, host.getName(), caProvider);
+
+            String sudoPrefix = "root".equals(username) ? "" : "sudo ";
+            SSHCmdHelper.sshExecuteCmd(sshConnection, sudoPrefix + "systemctl restart libvirtd");
+            SSHCmdHelper.sshExecuteCmd(sshConnection, sudoPrefix + "systemctl restart cloudstack-agent");
+
+            return true;
+        } catch (Exception e) {
+            logger.error("Error during forced SSH provisioning for KVM host " + host.getUuid(), e);
+            return false;
+        } finally {
+            if (sshConnection != null) {
+                sshConnection.close();
+            }
+        }
+    }
+
+    private boolean provisionSystemVmViaSsh(Host host, Boolean reconnect, String caProvider) {
+        VMInstanceVO vm = vmInstanceDao.findVMByInstanceName(host.getName());
+        if (vm == null) {
+            throw new CloudRuntimeException("Cannot find underlying VM for host: " + host.getName());
+        }
+
+        final Map<String, String> sshAccessDetails = networkOrchestrationService.getSystemVMAccessDetails(vm);
+        final Map<String, String> ipAddressDetails = new HashMap<>(sshAccessDetails);
+        ipAddressDetails.remove(NetworkElementCommand.ROUTER_NAME);
+
+        try {
+            final Host hypervisorHost = hostDao.findById(vm.getHostId());
+            if (hypervisorHost == null) {
+                throw new CloudRuntimeException("Cannot find hypervisor host for system VM: " + host.getName());
+            }
+
+            final Certificate certificate = issueCertificate(null, Arrays.asList(vm.getHostName(), vm.getInstanceName()),
+                    new ArrayList<>(ipAddressDetails.values()), CertValidityPeriod.value(), caProvider);
+            return deployCertificate(hypervisorHost, certificate, reconnect, sshAccessDetails);
+        } catch (Exception e) {
+            logger.error("Failed to provision system VM " + host.getName() + " via hypervisor SSH proxy. Ensure the hypervisor host is connected.", e);
+            return false;
+        }
+    }
+
     @Override
     public String generateKeyStoreAndCsr(final Host host, final Map<String, String> sshAccessDetails) throws AgentUnavailableException, OperationTimedoutException {
         final SetupKeyStoreCommand cmd = new SetupKeyStoreCommand(CertValidityPeriod.value());
@@ -211,11 +375,6 @@ public String generateKeyStoreAndCsr(final Host host, final Map<String, String>
         return answer.getCsr();
     }
 
-    private boolean isValidSystemVMType(Host.Type type) {
-        return Host.Type.SecondaryStorageVM.equals(type) ||
-                Host.Type.ConsoleProxy.equals(type);
-    }
-
     @Override
     public boolean deployCertificate(final Host host, final Certificate certificate, final Boolean reconnect, final Map<String, String> sshAccessDetails)
             throws AgentUnavailableException, OperationTimedoutException {
@@ -340,7 +499,7 @@ protected void runInContext() {
                         if (AutomaticCertRenewal.valueIn(host.getClusterId())) {
                             try {
                                 logger.debug("Attempting certificate auto-renewal for " + hostDescription, e);
-                                boolean result = caManager.provisionCertificate(host, false, null);
+                                boolean result = caManager.provisionCertificate(host, false, null, false);
                                 if (result) {
                                     logger.debug("Succeeded in auto-renewing certificate for " + hostDescription, e);
                                 } else {
@@ -400,9 +559,57 @@ public boolean start() {
             logger.error("Failed to find valid configured CA provider, please check!");
             return false;
         }
+        if (CaInjectDefaultTruststore.value()) {
+            injectCaCertIntoDefaultTruststore();
+        }
         return true;
     }
 
+    private void injectCaCertIntoDefaultTruststore() {
+        try {
+            final List<X509Certificate> caCerts = configuredCaProvider.getCaCertificate();
+            if (caCerts == null || caCerts.isEmpty()) {
+                logger.debug("No CA certificates found from the configured provider, skipping JVM truststore injection");
+                return;
+            }
+
+            final KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
+            trustStore.load(null, null);
+
+            // Copy existing default trusted certs
+            final TrustManagerFactory defaultTmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+            defaultTmf.init((KeyStore) null);
+            int aliasIndex = 0;
+            for (final TrustManager tm : defaultTmf.getTrustManagers()) {
+                if (tm instanceof X509TrustManager) {
+                    for (final X509Certificate cert : ((X509TrustManager) tm).getAcceptedIssuers()) {
+                        trustStore.setCertificateEntry("default-ca-" + aliasIndex++, cert);
+                    }
+                }
+            }
+
+            // Add CA provider's certificates
+            int count = 0;
+            for (final X509Certificate caCert : caCerts) {
+                final String alias = "cloudstack-ca-" + count;
+                trustStore.setCertificateEntry(alias, caCert);
+                count++;
+                logger.info("Injected CA certificate into JVM default truststore: subject={}, alias={}",
+                    caCert.getSubjectX500Principal().getName(), alias);
+            }
+
+            // Reinitialize default SSLContext with the updated truststore
+            final TrustManagerFactory updatedTmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+            updatedTmf.init(trustStore);
+            final SSLContext sslContext = SSLContext.getInstance("TLS");
+            sslContext.init(null, updatedTmf.getTrustManagers(), new SecureRandom());
+            SSLContext.setDefault(sslContext);
+            logger.info("Successfully injected {} CA certificate(s) into JVM default truststore", count);
+        } catch (final GeneralSecurityException | IOException e) {
+            logger.error("Failed to inject CA certificate into JVM default truststore", e);
+        }
+    }
+
     @Override
     public boolean configure(final String name, final Map<String, Object> params) throws ConfigurationException {
         backgroundPollManager.submitTask(new CABackgroundTask(this, hostDao));
@@ -433,7 +640,7 @@ public String getConfigComponentName() {
     public ConfigKey<?>[] getConfigKeys() {
         return new ConfigKey<?>[] {CAProviderPlugin, CertKeySize, CertSignatureAlgorithm, CertValidityPeriod,
                 AutomaticCertRenewal, AllowHostIPInSysVMAgentCert, CABackgroundJobDelay, CertExpiryAlertPeriod,
-                CertManagementCustomSubjectAlternativeName
+                CertManagementCustomSubjectAlternativeName, CaInjectDefaultTruststore
         };
     }
 
diff --git a/server/src/main/java/org/apache/cloudstack/gui/theme/GuiThemeServiceImpl.java b/server/src/main/java/org/apache/cloudstack/gui/theme/GuiThemeServiceImpl.java
index 1cb80e3dc8d3..9a92b9bef013 100644
--- a/server/src/main/java/org/apache/cloudstack/gui/theme/GuiThemeServiceImpl.java
+++ b/server/src/main/java/org/apache/cloudstack/gui/theme/GuiThemeServiceImpl.java
@@ -27,11 +27,6 @@
 import com.cloud.utils.db.Transaction;
 import com.cloud.utils.db.TransactionCallback;
 import com.cloud.utils.exception.CloudRuntimeException;
-import com.google.gson.JsonArray;
-import com.google.gson.JsonElement;
-import com.google.gson.JsonObject;
-import com.google.gson.JsonParser;
-import com.google.gson.JsonSyntaxException;
 import org.apache.cloudstack.api.ResponseGenerator;
 import org.apache.cloudstack.api.command.user.gui.theme.CreateGuiThemeCmd;
 import org.apache.cloudstack.api.command.user.gui.theme.ListGuiThemesCmd;
@@ -43,6 +38,7 @@
 import org.apache.cloudstack.gui.theme.dao.GuiThemeDao;
 import org.apache.cloudstack.gui.theme.dao.GuiThemeDetailsDao;
 import org.apache.cloudstack.gui.theme.dao.GuiThemeJoinDao;
+import org.apache.cloudstack.gui.theme.json.config.validator.JsonConfigValidator;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
@@ -52,24 +48,12 @@
 import java.util.ArrayList;
 import java.util.Date;
 import java.util.List;
-import java.util.Map;
-import java.util.Set;
 
 @Component
 public class GuiThemeServiceImpl implements GuiThemeService {
 
     protected Logger logger = LogManager.getLogger(getClass());
 
-    private static final List<String> ALLOWED_PRIMITIVE_PROPERTIES = List.of("appTitle", "footer", "loginFooter", "logo", "minilogo", "banner");
-
-    private static final List<String> ALLOWED_ERROR_PROPERTIES = List.of("403", "404", "500");
-
-    private static final List<String> ALLOWED_PLUGIN_PROPERTIES = List.of("name", "path", "icon", "isExternalLink");
-
-    private static final String ERROR = "error";
-
-    private static final String PLUGINS = "plugins";
-
     @Inject
     GuiThemeDao guiThemeDao;
 
@@ -91,6 +75,9 @@ public class GuiThemeServiceImpl implements GuiThemeService {
     @Inject
     DomainDao domainDao;
 
+    @Inject
+    JsonConfigValidator jsonConfigValidator;
+
     @Override
     public ListResponse<GuiThemeResponse> listGuiThemes(ListGuiThemesCmd cmd) {
         ListResponse<GuiThemeResponse> response = new ListResponse<>();
@@ -244,94 +231,7 @@ protected void validateParameters(String jsonConfig, String domainIds, String ac
 
         validateObjectUuids(accountIds, Account.class);
         validateObjectUuids(domainIds, Domain.class);
-        validateJsonConfiguration(jsonConfig);
-    }
-
-    protected void validateJsonConfiguration(String jsonConfig) {
-        if (jsonConfig == null) {
-            return;
-        }
-
-        JsonObject jsonObject = new JsonObject();
-
-        try {
-            JsonElement jsonElement = new JsonParser().parse(jsonConfig);
-            Set<Map.Entry<String, JsonElement>> entries = jsonElement.getAsJsonObject().entrySet();
-            entries.stream().forEach(entry -> validateJsonAttributes(entry, jsonObject));
-        } catch (JsonSyntaxException exception) {
-            logger.error("The following exception was thrown while parsing the JSON object: [{}].", exception.getMessage());
-            throw new CloudRuntimeException("Specified JSON configuration is not a valid JSON object.");
-        }
-    }
-
-    /**
-     * Validates the informed JSON attributes considering the allowed properties by the API, any invalid option is ignored.
-     * All valid options are added to a {@link JsonObject} that will be considered as the final JSON configuration used by the GUI theme.
-     */
-    private void validateJsonAttributes(Map.Entry<String, JsonElement> entry, JsonObject jsonObject) {
-        JsonElement entryValue = entry.getValue();
-        String entryKey = entry.getKey();
-
-        if (entryValue.isJsonPrimitive() && ALLOWED_PRIMITIVE_PROPERTIES.contains(entryKey)) {
-            logger.trace("The JSON attribute [{}] is a valid option.", entryKey);
-            jsonObject.add(entryKey, entryValue);
-        } else if (entryValue.isJsonObject() && ERROR.equals(entryKey)) {
-            validateErrorAttribute(entry, jsonObject);
-        } else if (entryValue.isJsonArray() && PLUGINS.equals(entryKey)) {
-            validatePluginsAttribute(entry, jsonObject);
-        } else {
-            warnOfInvalidJsonAttribute(entryKey);
-        }
-    }
-
-    /**
-     * Creates a {@link JsonObject} with only the valid options for the Plugins' properties specified in the {@link #ALLOWED_PLUGIN_PROPERTIES}.
-     */
-    protected void validatePluginsAttribute(Map.Entry<String, JsonElement> entry, JsonObject jsonObject) {
-        Set<Map.Entry<String, JsonElement>> entries = entry.getValue().getAsJsonArray().get(0).getAsJsonObject().entrySet();
-        JsonObject objectToBeAdded = createJsonObject(entries, ALLOWED_PLUGIN_PROPERTIES);
-        JsonArray jsonArray = new JsonArray();
-
-        if (objectToBeAdded.entrySet().isEmpty()) {
-            return;
-        }
-
-        jsonArray.add(objectToBeAdded);
-        jsonObject.add(entry.getKey(), jsonArray);
-    }
-
-    /**
-     * Creates a {@link JsonObject} with only the valid options for the Error's properties specified in the {@link #ALLOWED_ERROR_PROPERTIES}.
-     */
-    protected void validateErrorAttribute(Map.Entry<String, JsonElement> entry, JsonObject jsonObject) {
-        Set<Map.Entry<String, JsonElement>> entries = entry.getValue().getAsJsonObject().entrySet();
-        JsonObject objectToBeAdded = createJsonObject(entries, ALLOWED_ERROR_PROPERTIES);
-
-        if (objectToBeAdded.entrySet().isEmpty()) {
-            return;
-        }
-
-        jsonObject.add(entry.getKey(), objectToBeAdded);
-    }
-
-    protected JsonObject createJsonObject(Set<Map.Entry<String, JsonElement>> entries, List<String> allowedProperties) {
-        JsonObject objectToBeAdded = new JsonObject();
-
-        for (Map.Entry<String, JsonElement> recursiveEntry : entries) {
-            String entryKey = recursiveEntry.getKey();
-
-            if (!allowedProperties.contains(entryKey)) {
-                warnOfInvalidJsonAttribute(entryKey);
-                continue;
-            }
-            objectToBeAdded.add(entryKey, recursiveEntry.getValue());
-        }
-
-        return objectToBeAdded;
-    }
-
-    protected void warnOfInvalidJsonAttribute(String entryKey) {
-        logger.warn("The JSON attribute [{}] is not a valid option, therefore, it will be ignored.", entryKey);
+        jsonConfigValidator.validateJsonConfiguration(jsonConfig);
     }
 
     /**
diff --git a/server/src/main/java/org/apache/cloudstack/gui/theme/json/config/validator/JsonConfigAttributeValidator.java b/server/src/main/java/org/apache/cloudstack/gui/theme/json/config/validator/JsonConfigAttributeValidator.java
new file mode 100644
index 000000000000..a3d6a7b4ef9d
--- /dev/null
+++ b/server/src/main/java/org/apache/cloudstack/gui/theme/json/config/validator/JsonConfigAttributeValidator.java
@@ -0,0 +1,27 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.gui.theme.json.config.validator;
+
+import com.google.gson.JsonElement;
+import com.google.gson.JsonObject;
+
+import java.util.Map;
+
+public interface JsonConfigAttributeValidator {
+
+    void validate(Map.Entry<String, JsonElement> entry, JsonObject jsonObject);
+}
diff --git a/server/src/main/java/org/apache/cloudstack/gui/theme/json/config/validator/JsonConfigValidator.java b/server/src/main/java/org/apache/cloudstack/gui/theme/json/config/validator/JsonConfigValidator.java
new file mode 100644
index 000000000000..69a707d4d4d6
--- /dev/null
+++ b/server/src/main/java/org/apache/cloudstack/gui/theme/json/config/validator/JsonConfigValidator.java
@@ -0,0 +1,76 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.gui.theme.json.config.validator;
+
+import com.cloud.utils.exception.CloudRuntimeException;
+import com.google.gson.JsonElement;
+import com.google.gson.JsonObject;
+import com.google.gson.JsonParser;
+import com.google.gson.JsonSyntaxException;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+
+import javax.inject.Inject;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+public class JsonConfigValidator {
+    protected Logger logger = LogManager.getLogger(getClass());
+
+    private static final List<String> ALLOWED_PRIMITIVE_PROPERTIES = List.of("appTitle", "footer", "loginFooter", "logo", "minilogo", "banner", "docBase", "apidocs", "defaultLanguage");
+    private static final List<String> ALLOWED_DYNAMIC_PROPERTIES = List.of("error", "theme", "plugins", "keyboardOptions", "userCard", "docHelpMappings");
+
+    @Inject
+    private List<JsonConfigAttributeValidator> attributes;
+
+    public void validateJsonConfiguration(String jsonConfig) {
+        if (StringUtils.isBlank(jsonConfig)) {
+            return;
+        }
+
+        JsonObject jsonObject = new JsonObject();
+
+        try {
+            JsonElement jsonElement = JsonParser.parseString(jsonConfig);
+            Set<Map.Entry<String, JsonElement>> entries = jsonElement.getAsJsonObject().entrySet();
+            entries.forEach(entry -> validateJsonAttributes(entry, jsonObject));
+        } catch (JsonSyntaxException exception) {
+            logger.error("The following exception was thrown while parsing the JSON object: [{}].", exception.getMessage());
+            throw new CloudRuntimeException("Specified JSON configuration is not a valid JSON object.");
+        }
+    }
+
+    /**
+     * Validates the informed JSON attributes considering the allowed properties by the API, any invalid option is ignored.
+     * All valid options are added to a {@link JsonObject} that will be considered as the final JSON configuration used by the GUI theme.
+     */
+    private void validateJsonAttributes(Map.Entry<String, JsonElement> entry, JsonObject jsonObject) {
+        JsonElement entryValue = entry.getValue();
+        String entryKey = entry.getKey();
+
+        if (entryValue.isJsonPrimitive() && ALLOWED_PRIMITIVE_PROPERTIES.contains(entryKey)) {
+            logger.trace("The JSON attribute [{}] is a valid option.", entryKey);
+            jsonObject.add(entryKey, entryValue);
+        } else if (ALLOWED_DYNAMIC_PROPERTIES.contains(entryKey)) {
+            attributes.forEach(attribute -> attribute.validate(entry, jsonObject));
+        } else {
+            logger.warn("The JSON attribute [{}] is not a valid option, therefore, it will be ignored.", entryKey);
+        }
+    }
+}
diff --git a/server/src/main/java/org/apache/cloudstack/gui/theme/json/config/validator/attributes/AttributeBase.java b/server/src/main/java/org/apache/cloudstack/gui/theme/json/config/validator/attributes/AttributeBase.java
new file mode 100644
index 000000000000..b4bafb1f5da5
--- /dev/null
+++ b/server/src/main/java/org/apache/cloudstack/gui/theme/json/config/validator/attributes/AttributeBase.java
@@ -0,0 +1,72 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.gui.theme.json.config.validator.attributes;
+
+import com.google.gson.JsonElement;
+import com.google.gson.JsonObject;
+import org.apache.cloudstack.gui.theme.json.config.validator.JsonConfigAttributeValidator;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+public abstract class AttributeBase implements JsonConfigAttributeValidator {
+    protected Logger logger = LogManager.getLogger(getClass());
+
+    protected abstract String getAttributeName();
+    protected abstract List<String> getAllowedProperties();
+
+    @Override
+    public void validate(Map.Entry<String, JsonElement> entry, JsonObject jsonObject) {
+        if (!getAttributeName().equals(entry.getKey())) {
+            return;
+        }
+
+        Set<Map.Entry<String, JsonElement>> entries = entry.getValue().getAsJsonObject().entrySet();
+        JsonObject objectToBeAdded = createJsonObject(entries, getAllowedProperties());
+
+        if (!objectToBeAdded.entrySet().isEmpty()) {
+            jsonObject.add(entry.getKey(), objectToBeAdded);
+        }
+    }
+
+    /**
+     * Creates a {@link JsonObject} with only the valid options for the attribute properties specified in the allowedProperties parameter.
+     */
+    public JsonObject createJsonObject(Set<Map.Entry<String, JsonElement>> entries, List<String> allowedProperties) {
+        JsonObject objectToBeAdded = new JsonObject();
+
+        for (Map.Entry<String, JsonElement> recursiveEntry : entries) {
+            String entryKey = recursiveEntry.getKey();
+
+            if (!allowedProperties.contains(entryKey)) {
+                warnOfInvalidJsonAttribute(entryKey);
+                continue;
+            }
+            objectToBeAdded.add(entryKey, recursiveEntry.getValue());
+        }
+
+        logger.trace("JSON object with valid options: {}.", objectToBeAdded);
+        return objectToBeAdded;
+    }
+
+    protected void warnOfInvalidJsonAttribute(String entryKey) {
+        logger.warn("The JSON attribute [{}] is not a valid option, therefore, it will be ignored.", entryKey);
+    }
+}
diff --git a/server/src/main/java/org/apache/cloudstack/gui/theme/json/config/validator/attributes/ErrorAttribute.java b/server/src/main/java/org/apache/cloudstack/gui/theme/json/config/validator/attributes/ErrorAttribute.java
new file mode 100644
index 000000000000..40e519f81330
--- /dev/null
+++ b/server/src/main/java/org/apache/cloudstack/gui/theme/json/config/validator/attributes/ErrorAttribute.java
@@ -0,0 +1,40 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.gui.theme.json.config.validator.attributes;
+
+import java.util.List;
+
+/**
+ * Specific validator for the "error" object within the GUI theme JSON configuration.
+ *
+ * <p>
+ * This component is defined as a bean in the Spring XML configuration and is automatically injected into
+ * the {@link org.apache.cloudstack.gui.theme.json.config.validator.JsonConfigValidator} attribute list.
+ * </p>
+ */
+public class ErrorAttribute extends AttributeBase {
+
+    @Override
+    protected String getAttributeName() {
+        return "error";
+    }
+
+    @Override
+    protected List<String> getAllowedProperties() {
+        return List.of("403", "404", "500");
+    }
+}
diff --git a/server/src/main/java/org/apache/cloudstack/gui/theme/json/config/validator/attributes/PluginsAttribute.java b/server/src/main/java/org/apache/cloudstack/gui/theme/json/config/validator/attributes/PluginsAttribute.java
new file mode 100644
index 000000000000..1e0fa64669fa
--- /dev/null
+++ b/server/src/main/java/org/apache/cloudstack/gui/theme/json/config/validator/attributes/PluginsAttribute.java
@@ -0,0 +1,68 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.gui.theme.json.config.validator.attributes;
+
+import com.google.gson.JsonArray;
+import com.google.gson.JsonElement;
+import com.google.gson.JsonObject;
+
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+/**
+ * Specific validator for the "plugins" object within the GUI theme JSON configuration.
+ *
+ * <p>
+ * This component is defined as a bean in the Spring XML configuration and is automatically injected into
+ * the {@link org.apache.cloudstack.gui.theme.json.config.validator.JsonConfigValidator} attribute list.
+ * </p>
+ */
+public class PluginsAttribute extends AttributeBase {
+
+    @Override
+    protected String getAttributeName() {
+        return "plugins";
+    }
+
+    @Override
+    protected List<String> getAllowedProperties() {
+        return List.of("name", "path", "icon", "isExternalLink");
+    }
+
+    @Override
+    public void validate(Map.Entry<String, JsonElement> entry, JsonObject jsonObject) {
+        if (!getAttributeName().equals(entry.getKey())) {
+            return;
+        }
+
+        JsonArray jsonArrayResult = new JsonArray();
+        JsonArray sourceJsonArray = entry.getValue().getAsJsonArray();
+        for (JsonElement jsonElement : sourceJsonArray) {
+            Set<Map.Entry<String, JsonElement>> pluginEntries = jsonElement.getAsJsonObject().entrySet();
+            JsonObject pluginObjectToBeAdded = createJsonObject(pluginEntries, getAllowedProperties());
+
+            if (pluginObjectToBeAdded.entrySet().isEmpty()) {
+                return;
+            }
+
+            jsonArrayResult.add(pluginObjectToBeAdded);
+        }
+
+        jsonObject.add(entry.getKey(), jsonArrayResult);
+    }
+}
diff --git a/server/src/main/java/org/apache/cloudstack/gui/theme/json/config/validator/attributes/ThemeAttribute.java b/server/src/main/java/org/apache/cloudstack/gui/theme/json/config/validator/attributes/ThemeAttribute.java
new file mode 100644
index 000000000000..92c74626b89d
--- /dev/null
+++ b/server/src/main/java/org/apache/cloudstack/gui/theme/json/config/validator/attributes/ThemeAttribute.java
@@ -0,0 +1,43 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.gui.theme.json.config.validator.attributes;
+
+import java.util.List;
+
+/**
+ * Specific validator for the "theme" object within the GUI theme JSON configuration.
+ *
+ * <p>
+ * This component is defined as a bean in the Spring XML configuration and is automatically injected into
+ * the {@link org.apache.cloudstack.gui.theme.json.config.validator.JsonConfigValidator} attribute list.
+ * </p>
+ */
+public class ThemeAttribute extends AttributeBase {
+
+    @Override
+    protected String getAttributeName() {
+        return "theme";
+    }
+
+    @Override
+    protected List<String> getAllowedProperties() {
+        return List.of("@layout-mode", "@logo-background-color", "@mini-logo-background-color", "@navigation-background-color",
+                "@project-nav-background-color", "@project-nav-text-color", "@navigation-text-color", "@primary-color", "@link-color", "@link-hover-color", "@loading-color", "@processing-color",
+                "@success-color", "@warning-color", "@error-color", "@font-size-base", "@heading-color", "@text-color", "@text-color-secondary", "@disabled-color", "@border-color-base", "@border-radius-base",
+                "@box-shadow-base", "@logo-width", "@logo-height", "@mini-logo-width", "@mini-logo-height", "@banner-width", "@banner-height", "@error-width", "@error-height");
+    }
+}
diff --git a/server/src/main/java/org/apache/cloudstack/gui/theme/json/config/validator/attributes/UserCardAttribute.java b/server/src/main/java/org/apache/cloudstack/gui/theme/json/config/validator/attributes/UserCardAttribute.java
new file mode 100644
index 000000000000..c6dc5dc69102
--- /dev/null
+++ b/server/src/main/java/org/apache/cloudstack/gui/theme/json/config/validator/attributes/UserCardAttribute.java
@@ -0,0 +1,88 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.gui.theme.json.config.validator.attributes;
+
+import com.google.gson.JsonArray;
+import com.google.gson.JsonElement;
+import com.google.gson.JsonObject;
+
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+/**
+ * Specific validator for the "userCard" object within the GUI theme JSON configuration.
+ *
+ * <p>
+ * This component is defined as a bean in the Spring XML configuration and is automatically injected into
+ * the {@link org.apache.cloudstack.gui.theme.json.config.validator.JsonConfigValidator} attribute list.
+ * </p>
+ */
+public class UserCardAttribute extends AttributeBase {
+    private static final List<String> ALLOWED_USER_CARD_LINKS_PROPERTIES = List.of("title", "text", "link", "icon");
+    private static final String LINKS = "links";
+
+    @Override
+    protected String getAttributeName() {
+        return "userCard";
+    }
+
+    @Override
+    protected List<String> getAllowedProperties() {
+        return List.of("title", "icon", "links");
+    }
+
+    @Override
+    public void validate(Map.Entry<String, JsonElement> entry, JsonObject jsonObject) {
+        if (!getAttributeName().equals(entry.getKey())) {
+            return;
+        }
+
+        Set<Map.Entry<String, JsonElement>> entries = entry.getValue().getAsJsonObject().entrySet();
+        JsonObject objectToBeAdded = new JsonObject();
+        for (Map.Entry<String, JsonElement> recursiveEntry : entries) {
+            String entryKey = recursiveEntry.getKey();
+
+            if (!getAllowedProperties().contains(entryKey)) {
+                warnOfInvalidJsonAttribute(entryKey);
+                continue;
+            }
+
+            if (LINKS.equals(entryKey)) {
+                createLinkJsonObject(recursiveEntry, jsonObject);
+            }
+
+            objectToBeAdded.add(entryKey, recursiveEntry.getValue());
+        }
+    }
+
+    private void createLinkJsonObject(Map.Entry<String, JsonElement> entry, JsonObject jsonObject) {
+        JsonArray jsonArrayResult = new JsonArray();
+        JsonArray sourceJsonArray = entry.getValue().getAsJsonArray();
+        for (JsonElement jsonElement : sourceJsonArray) {
+            Set<Map.Entry<String, JsonElement>> linkEntries = jsonElement.getAsJsonObject().entrySet();
+            JsonObject linkObjectToBeAdded = createJsonObject(linkEntries, ALLOWED_USER_CARD_LINKS_PROPERTIES);
+
+            if (linkObjectToBeAdded.entrySet().isEmpty()) {
+                return;
+            }
+
+            jsonArrayResult.add(linkObjectToBeAdded);
+        }
+        jsonObject.add(entry.getKey(), jsonArrayResult);
+    }
+}
diff --git a/server/src/main/java/org/apache/cloudstack/ha/HAManager.java b/server/src/main/java/org/apache/cloudstack/ha/HAManager.java
index 8282c621c1e3..068230c6673d 100644
--- a/server/src/main/java/org/apache/cloudstack/ha/HAManager.java
+++ b/server/src/main/java/org/apache/cloudstack/ha/HAManager.java
@@ -67,11 +67,16 @@ public interface HAManager extends HAConfigManager {
             "The number of pending fence operations per management server. This setting determines the size of the size of the FENCE queue.", true);
 
     boolean transitionHAState(final HAConfig.Event event, final HAConfig haConfig);
+
     HAProvider getHAProvider(final String name);
+
     HAResourceCounter getHACounter(final Long resourceId, final HAResource.ResourceType resourceType);
+
     void purgeHACounter(final Long resourceId, final HAResource.ResourceType resourceType);
 
     boolean isHAEligible(final HAResource resource);
+
     Boolean isVMAliveOnHost(final Host host) throws Investigator.UnknownVM;
-    Status getHostStatus(final Host host);
+
+    Status getHostStatusFromHAConfig(final Host host);
 }
diff --git a/server/src/main/java/org/apache/cloudstack/ha/HAManagerImpl.java b/server/src/main/java/org/apache/cloudstack/ha/HAManagerImpl.java
index a016be5c6e32..93b237ec20a9 100644
--- a/server/src/main/java/org/apache/cloudstack/ha/HAManagerImpl.java
+++ b/server/src/main/java/org/apache/cloudstack/ha/HAManagerImpl.java
@@ -139,9 +139,7 @@ public synchronized HAResourceCounter getHACounter(final Long resourceId, final
 
     public synchronized void purgeHACounter(final Long resourceId, final HAResource.ResourceType resourceType) {
         final String key = resourceCounterKey(resourceId, resourceType);
-        if (haCounterMap.containsKey(key)) {
-            haCounterMap.remove(key);
-        }
+        haCounterMap.remove(key);
     }
 
     public boolean transitionHAState(final HAConfig.Event event, final HAConfig haConfig) {
@@ -248,6 +246,7 @@ public boolean isHAEnabledForZone(final HAResource resource) {
     }
 
     private boolean isHAEnabledForCluster(final HAResource resource) {
+        // HA is enabled by default when cluster details doesn't exist
         if (resource == null || resource.getClusterId() == null) {
             return true;
         }
@@ -259,14 +258,10 @@ private boolean isHAEligibleForResource(final HAResource resource) {
         if (resource == null || resource.getId() < 1L) {
             return false;
         }
-        HAResource.ResourceType resourceType = null;
-        if (resource instanceof Host) {
-            resourceType = HAResource.ResourceType.Host;
-        }
-        if (resourceType == null) {
+        if (!(resource instanceof Host)) {
             return false;
         }
-        final HAConfig haConfig = haConfigDao.findHAResource(resource.getId(), resourceType);
+        final HAConfig haConfig = haConfigDao.findHAResource(resource.getId(), HAResource.ResourceType.Host);
         return haConfig != null && haConfig.isEnabled()
                 && haConfig.getState() != HAConfig.HAState.Disabled
                 && haConfig.getState() != HAConfig.HAState.Ineligible;
@@ -317,19 +312,23 @@ public Boolean isVMAliveOnHost(final Host host) throws Investigator.UnknownVM {
         throw new Investigator.UnknownVM();
     }
 
-    public Status getHostStatus(final Host host) {
+    public Status getHostStatusFromHAConfig(final Host host) {
         final HAConfig haConfig = haConfigDao.findHAResource(host.getId(), HAResource.ResourceType.Host);
-        if (haConfig != null) {
-            if (haConfig.getState() == HAConfig.HAState.Fenced) {
-                logger.debug("HA: Agent [{}] is available/suspect/checking Up.", host);
-                return Status.Down;
-            } else if (haConfig.getState() == HAConfig.HAState.Degraded || haConfig.getState() == HAConfig.HAState.Recovering || haConfig.getState() == HAConfig.HAState.Fencing) {
-                logger.debug("HA: Agent [{}] is disconnected. State: {}, {}.", host, haConfig.getState(), haConfig.getState().getDescription());
-                return Status.Disconnected;
-            }
-            return Status.Up;
+        if (haConfig == null) {
+            logger.warn("HA: Agent [{}] config is not available.", host);
+            return Status.Unknown;
         }
-        return Status.Unknown;
+        if (haConfig.getState() == HAConfig.HAState.Fenced) {
+            logger.debug("HA: Agent [{}] is fenced.", host);
+            return Status.Down;
+        }
+        if (haConfig.getState() == HAConfig.HAState.Degraded || haConfig.getState() == HAConfig.HAState.Recovering || haConfig.getState() == HAConfig.HAState.Fencing) {
+            logger.debug("HA: Agent [{}] is disconnected. State: {}, {}.", host, haConfig.getState(), haConfig.getState().getDescription());
+            return Status.Disconnected;
+        }
+
+        logger.debug("HA: Agent [{}] is considered Up (HA state can be Available/Suspect/Checking/Recovered). State: {}, {}.", host, haConfig.getState(), haConfig.getState().getDescription());
+        return Status.Up;
     }
 
     //////////////////////////////////////////////////////
@@ -511,9 +510,14 @@ private boolean processHAStateChange(final HAConfig haConfig, final HAConfig.HAS
 
         // Attempt recovery
         if (newState == HAConfig.HAState.Recovering) {
-            if (counter.getRecoveryCounter() >= (Long) (haProvider.getConfigValue(HAProviderConfig.MaxRecoveryAttempts, resource))) {
+            long recoveryCounter = counter.getRecoveryCounter();
+            Long maxRecoveryAttempts = (Long) (haProvider.getConfigValue(HAProviderConfig.MaxRecoveryAttempts, resource));
+            if (recoveryCounter >= maxRecoveryAttempts) {
+                logger.debug("Recovery attempts have reached the configured limit: {} for the resource [{}].", maxRecoveryAttempts, resource);
                 return false;
             }
+
+            logger.debug("Recovery attempt #{} for the resource [{}]. Max recovery attempts configured is {}.", recoveryCounter + 1, resource, maxRecoveryAttempts);
             final RecoveryTask task = ComponentContext.inject(new RecoveryTask(resource, haProvider, haConfig,
                     HAProviderConfig.RecoveryTimeout, recoveryExecutor));
             final Future<Boolean> recoveryFuture = recoveryExecutor.submit(task);
@@ -536,20 +540,20 @@ public boolean preStateTransitionEvent(final HAConfig.HAState oldState, final HA
             return false;
         }
 
-        logger.debug(String.format("HA state pre-transition:: new state=[%s], old state=[%s], for resource id=[%s], status=[%s], ha config state=[%s]." , newState, oldState, haConfig.getResourceId(), status, haConfig.getState()));
+        logger.debug("HA state pre-transition:: new state=[{}], old state=[{}], for resource id=[{}], status=[{}], ha config state=[{}].", newState, oldState, haConfig.getResourceId(), status, haConfig.getState());
 
         if (status && haConfig.getState() != newState) {
-            logger.warn(String.format("HA state pre-transition:: HA state is not equal to transition state, HA state=[%s], new state=[%s].", haConfig.getState(), newState));
+            logger.warn("HA state pre-transition:: HA state is not equal to transition state, HA state=[{}], new state=[{}].", haConfig.getState(), newState);
         }
         return processHAStateChange(haConfig, newState, status);
     }
 
     @Override
     public boolean postStateTransitionEvent(final StateMachine2.Transition<HAConfig.HAState, HAConfig.Event> transition, final HAConfig haConfig, final boolean status, final Object opaque) {
-        logger.debug(String.format("HA state post-transition:: new state=[%s], old state=[%s], for resource id=[%s], status=[%s], ha config state=[%s].", transition.getToState(), transition.getCurrentState(),  haConfig.getResourceId(), status, haConfig.getState()));
+        logger.debug("HA state post-transition:: new state=[{}], old state=[{}], for resource id=[{}], status=[{}], ha config state=[{}].", transition.getToState(), transition.getCurrentState(), haConfig.getResourceId(), status, haConfig.getState());
 
         if (status && haConfig.getState() != transition.getToState()) {
-            logger.warn(String.format("HA state post-transition:: HA state is not equal to transition state, HA state=[%s], new state=[%s].", haConfig.getState(), transition.getToState()));
+            logger.warn("HA state post-transition:: HA state is not equal to transition state, HA state=[{}], new state=[{}].", haConfig.getState(), transition.getToState());
         }
         return processHAStateChange(haConfig, transition.getToState(), status);
     }
@@ -645,7 +649,7 @@ protected void runInContext() {
             try {
                 logger.debug("HA health check task is running...");
 
-                final List<HAConfig> haConfigList = new ArrayList<HAConfig>(haConfigDao.listAll());
+                final List<HAConfig> haConfigList = new ArrayList<>(haConfigDao.listAll());
                 for (final HAConfig haConfig : haConfigList) {
                     currentHaConfig = haConfig;
 
@@ -676,8 +680,8 @@ protected void runInContext() {
                                     HAProviderConfig.HealthCheckTimeout, healthCheckExecutor));
                             healthCheckExecutor.submit(task);
                             break;
-                    default:
-                        break;
+                        default:
+                            break;
                     }
 
                     final HAResourceCounter counter = getHACounter(haConfig.getResourceId(), haConfig.getResourceType());
@@ -695,16 +699,22 @@ protected void runInContext() {
                     }
 
                     if (haConfig.getState() == HAConfig.HAState.Recovering) {
-                        if (counter.getRecoveryCounter() >= (Long) (haProvider.getConfigValue(HAProviderConfig.MaxRecoveryAttempts, resource))) {
+                        long recoveryCounter = counter.getRecoveryCounter();
+                        Long maxRecoveryAttempts = (Long) (haProvider.getConfigValue(HAProviderConfig.MaxRecoveryAttempts, resource));
+                        if (recoveryCounter >= maxRecoveryAttempts) {
+                            logger.debug("Recovery attempts have reached the max limit: {} for the resource [{}].", maxRecoveryAttempts, resource);
                             transitionHAState(HAConfig.Event.RecoveryOperationThresholdExceeded, haConfig);
                         } else {
+                            logger.debug("Retry recovery for the resource [{}]. Max recovery attempts configured is {}.", resource, maxRecoveryAttempts);
                             transitionHAState(HAConfig.Event.RetryRecovery, haConfig);
                         }
                     }
 
                     if (haConfig.getState() == HAConfig.HAState.Recovered) {
                         counter.markRecoveryStarted();
-                        if (counter.canExitRecovery((Long)(haProvider.getConfigValue(HAProviderConfig.RecoveryWaitTimeout, resource)))) {
+                        Long recoveryWaitTimeout = (Long)(haProvider.getConfigValue(HAProviderConfig.RecoveryWaitTimeout, resource));
+                        logger.debug("Recovery started for the resource [{}], wait period configured to become Available is {} secs", resource, recoveryWaitTimeout);
+                        if (counter.canExitRecovery(recoveryWaitTimeout)) {
                             if (transitionHAState(HAConfig.Event.RecoveryWaitPeriodTimeout, haConfig)) {
                                 counter.markRecoveryCompleted();
                             }
@@ -717,7 +727,7 @@ protected void runInContext() {
                 }
             } catch (Throwable t) {
                 if (currentHaConfig != null) {
-                    logger.error(String.format("Error trying to perform health checks in HA manager [%s].", currentHaConfig.getHaProvider()), t);
+                    logger.error("Error trying to perform health checks in HA manager [{}].", currentHaConfig.getHaProvider(), t);
                 } else {
                     logger.error("Error trying to perform health checks in HA manager.", t);
                 }
diff --git a/server/src/main/java/org/apache/cloudstack/ha/HAResourceCounter.java b/server/src/main/java/org/apache/cloudstack/ha/HAResourceCounter.java
index f493f6926e07..23ebbaa6a7ae 100644
--- a/server/src/main/java/org/apache/cloudstack/ha/HAResourceCounter.java
+++ b/server/src/main/java/org/apache/cloudstack/ha/HAResourceCounter.java
@@ -36,6 +36,10 @@ public long getActivityCheckCounter() {
         return activityCheckCounter.get();
     }
 
+    public long getActivityCheckFailureCounter() {
+        return activityCheckFailureCounter.get();
+    }
+
     public long getRecoveryCounter() {
         return recoveryOperationCounter.get();
     }
@@ -66,7 +70,7 @@ public synchronized void resetSuspectTimestamp() {
         firstHealthCheckFailureTimestamp = null;
     }
 
-    public boolean hasActivityThresholdExceeded(final double failureRatio) {
+    public boolean hasActivityFailureThresholdExceeded(final double failureRatio) {
         return activityCheckFailureCounter.get() > (activityCheckCounter.get() * failureRatio);
     }
 
diff --git a/server/src/main/java/org/apache/cloudstack/ha/task/ActivityCheckTask.java b/server/src/main/java/org/apache/cloudstack/ha/task/ActivityCheckTask.java
index 5ddbac626bc5..e27d039b3927 100644
--- a/server/src/main/java/org/apache/cloudstack/ha/task/ActivityCheckTask.java
+++ b/server/src/main/java/org/apache/cloudstack/ha/task/ActivityCheckTask.java
@@ -62,6 +62,8 @@ public synchronized void processResult(boolean result, Throwable t) {
             return;
         }
 
+        long activityCounter = counter.getActivityCheckCounter();
+        logger.debug("Activity check #{}, result: {} for the resource {}. Max activity checks configured is {}", activityCounter + 1, result, getResource(), maxActivityChecks);
         counter.incrActivityCounter(!result);
 
         if (counter.getActivityCheckCounter() < maxActivityChecks) {
@@ -69,7 +71,9 @@ public synchronized void processResult(boolean result, Throwable t) {
             return;
         }
 
-        if (counter.hasActivityThresholdExceeded(activityCheckFailureRatio)) {
+        long activityCheckFailureCount = counter.getActivityCheckFailureCounter();
+        logger.debug("{} activity checks failed out of {} checks performed for the resource {}. Failure threshold configured is {}", activityCheckFailureCount, maxActivityChecks, getResource(), activityCheckFailureRatio);
+        if (counter.hasActivityFailureThresholdExceeded(activityCheckFailureRatio)) {
             haManager.transitionHAState(HAConfig.Event.ActivityCheckFailureOverThresholdRatio, haConfig);
         } else {
             if (haManager.transitionHAState(HAConfig.Event.ActivityCheckFailureUnderThresholdRatio, haConfig)) {
diff --git a/server/src/main/java/org/apache/cloudstack/ha/task/BaseHATask.java b/server/src/main/java/org/apache/cloudstack/ha/task/BaseHATask.java
index 6dc7b9281ba5..bf34d3514b62 100644
--- a/server/src/main/java/org/apache/cloudstack/ha/task/BaseHATask.java
+++ b/server/src/main/java/org/apache/cloudstack/ha/task/BaseHATask.java
@@ -97,7 +97,7 @@ public Boolean call() throws HACheckerException, HAFenceException, HARecoveryExc
                 result = future.get(timeout, TimeUnit.SECONDS);
             }
         } catch (InterruptedException | ExecutionException e) {
-            logger.warn("Exception occurred while running " + getTaskType() + " on a resource: " + e.getMessage(), e.getCause());
+            logger.warn("Exception occurred while running {} on a resource: {}", getTaskType(), e.getMessage(), e.getCause());
             throwable = e.getCause();
         } catch (TimeoutException e) {
             logger.trace("{} operation timed out for resource: {}", getTaskType(), resource);
diff --git a/server/src/main/java/org/apache/cloudstack/jsinterpreter/JsInterpreterHelper.java b/server/src/main/java/org/apache/cloudstack/jsinterpreter/JsInterpreterHelper.java
index b4d4b5fca452..f6b1455d097e 100644
--- a/server/src/main/java/org/apache/cloudstack/jsinterpreter/JsInterpreterHelper.java
+++ b/server/src/main/java/org/apache/cloudstack/jsinterpreter/JsInterpreterHelper.java
@@ -17,9 +17,13 @@
 
 package org.apache.cloudstack.jsinterpreter;
 
+import com.cloud.exception.InvalidParameterValueException;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import org.apache.cloudstack.framework.config.ConfigKey;
+import org.apache.cloudstack.framework.config.Configurable;
+import org.apache.cloudstack.utils.jsinterpreter.JsInterpreter;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.Logger;
 import org.apache.logging.log4j.LogManager;
@@ -36,9 +40,13 @@
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
-public class JsInterpreterHelper {
+public class JsInterpreterHelper implements Configurable {
     private final Logger logger = LogManager.getLogger(getClass());
 
+    public static final ConfigKey<Boolean> JS_INTERPRETATION_ENABLED = new ConfigKey<>(ConfigKey.CATEGORY_SYSTEM, Boolean.class, "js.interpretation.enabled",
+            "false", "Enable/disable all JavaScript interpretation related functionalities.",
+            true, ConfigKey.Scope.Global);
+
     private static final String NAME = "name";
     private static final String PROPERTY = "property";
     private static final String TYPE = "type";
@@ -237,4 +245,21 @@ public Set<String> getVariables() {
     public void setVariables(Set<String> variables) {
         this.variables = variables;
     }
+
+    public void ensureInterpreterEnabledIfParameterProvided(String paramName, boolean paramProvided) {
+        if (paramProvided && !JS_INTERPRETATION_ENABLED.value()) {
+            throw new InvalidParameterValueException(String.format(
+                    "'%s' cannot be set because JavaScript interpretation is disabled in setting '%s'.", paramName, JS_INTERPRETATION_ENABLED.key()));
+        }
+    }
+
+    @Override
+    public String getConfigComponentName() {
+        return JsInterpreter.class.getSimpleName();
+    }
+
+    @Override
+    public ConfigKey<?>[] getConfigKeys() {
+        return new ConfigKey<?>[] { JS_INTERPRETATION_ENABLED };
+    }
 }
diff --git a/server/src/main/java/org/apache/cloudstack/network/router/deployment/RouterDeploymentDefinition.java b/server/src/main/java/org/apache/cloudstack/network/router/deployment/RouterDeploymentDefinition.java
index 4187586736d7..77cd7890e413 100644
--- a/server/src/main/java/org/apache/cloudstack/network/router/deployment/RouterDeploymentDefinition.java
+++ b/server/src/main/java/org/apache/cloudstack/network/router/deployment/RouterDeploymentDefinition.java
@@ -394,7 +394,7 @@ protected void executeDeployment()
         }
     }
 
-    protected void findSourceNatIP() throws InsufficientAddressCapacityException, ConcurrentOperationException {
+    public void findSourceNatIP() throws InsufficientAddressCapacityException, ConcurrentOperationException {
         sourceNatIp = null;
         DataCenter zone = dest.getDataCenter();
         Long zoneId = null;
@@ -548,4 +548,8 @@ protected boolean routersNeedReset() {
 
         return needReset;
     }
+
+    public boolean getKeepMacAddressOnPublicNic() {
+        return guestNetwork == null || guestNetwork.getKeepMacAddressOnPublicNic();
+    }
 }
diff --git a/server/src/main/java/org/apache/cloudstack/network/router/deployment/VpcRouterDeploymentDefinition.java b/server/src/main/java/org/apache/cloudstack/network/router/deployment/VpcRouterDeploymentDefinition.java
index 063565ebf468..9e432265f2a1 100644
--- a/server/src/main/java/org/apache/cloudstack/network/router/deployment/VpcRouterDeploymentDefinition.java
+++ b/server/src/main/java/org/apache/cloudstack/network/router/deployment/VpcRouterDeploymentDefinition.java
@@ -117,7 +117,7 @@ protected boolean prepareDeployment() {
     }
 
     @Override
-    protected void findSourceNatIP() throws InsufficientAddressCapacityException, ConcurrentOperationException {
+    public void findSourceNatIP() throws InsufficientAddressCapacityException, ConcurrentOperationException {
         sourceNatIp = null;
         DataCenter zone = dest.getDataCenter();
         Long zoneId = null;
@@ -219,4 +219,9 @@ public boolean isRedundant() {
     public boolean isRollingRestart() {
         return vpc.isRollingRestart();
     }
+
+    @Override
+    public boolean getKeepMacAddressOnPublicNic() {
+        return vpc == null || vpc.getKeepMacAddressOnPublicNic();
+    }
 }
diff --git a/server/src/main/java/org/apache/cloudstack/storage/object/BucketApiServiceImpl.java b/server/src/main/java/org/apache/cloudstack/storage/object/BucketApiServiceImpl.java
index 5a18f16fd724..900cbdfac0db 100644
--- a/server/src/main/java/org/apache/cloudstack/storage/object/BucketApiServiceImpl.java
+++ b/server/src/main/java/org/apache/cloudstack/storage/object/BucketApiServiceImpl.java
@@ -16,6 +16,27 @@
 // under the License.
 package org.apache.cloudstack.storage.object;
 
+import java.util.List;
+import java.util.Map;
+import java.util.concurrent.Executors;
+import java.util.concurrent.ScheduledExecutorService;
+import java.util.concurrent.TimeUnit;
+
+import javax.inject.Inject;
+import javax.naming.ConfigurationException;
+
+import org.apache.cloudstack.api.command.user.bucket.CreateBucketCmd;
+import org.apache.cloudstack.api.command.user.bucket.UpdateBucketCmd;
+import org.apache.cloudstack.engine.subsystem.api.storage.DataStoreManager;
+import org.apache.cloudstack.framework.config.ConfigKey;
+import org.apache.cloudstack.framework.config.Configurable;
+import org.apache.cloudstack.managed.context.ManagedContextRunnable;
+import org.apache.cloudstack.reservation.dao.ReservationDao;
+import org.apache.cloudstack.storage.datastore.db.ObjectStoreDao;
+import org.apache.cloudstack.storage.datastore.db.ObjectStoreVO;
+import org.apache.commons.lang3.ObjectUtils;
+import org.jetbrains.annotations.NotNull;
+
 import com.amazonaws.services.s3.internal.BucketNameUtils;
 import com.amazonaws.services.s3.model.IllegalBucketNameException;
 import com.cloud.agent.api.to.BucketTO;
@@ -24,6 +45,7 @@
 import com.cloud.event.EventTypes;
 import com.cloud.exception.InvalidParameterValueException;
 import com.cloud.exception.ResourceAllocationException;
+import com.cloud.resourcelimit.CheckedReservation;
 import com.cloud.resourcelimit.ResourceLimitManagerImpl;
 import com.cloud.storage.BucketVO;
 import com.cloud.storage.DataStoreRole;
@@ -36,22 +58,6 @@
 import com.cloud.utils.concurrency.NamedThreadFactory;
 import com.cloud.utils.db.GlobalLock;
 import com.cloud.utils.exception.CloudRuntimeException;
-import org.apache.cloudstack.api.command.user.bucket.CreateBucketCmd;
-import org.apache.cloudstack.api.command.user.bucket.UpdateBucketCmd;
-import org.apache.cloudstack.engine.subsystem.api.storage.DataStoreManager;
-import org.apache.cloudstack.framework.config.ConfigKey;
-import org.apache.cloudstack.framework.config.Configurable;
-import org.apache.cloudstack.managed.context.ManagedContextRunnable;
-import org.apache.cloudstack.storage.datastore.db.ObjectStoreDao;
-import org.apache.cloudstack.storage.datastore.db.ObjectStoreVO;
-
-import javax.inject.Inject;
-import javax.naming.ConfigurationException;
-import java.util.List;
-import java.util.Map;
-import java.util.concurrent.Executors;
-import java.util.concurrent.ScheduledExecutorService;
-import java.util.concurrent.TimeUnit;
 
 public class BucketApiServiceImpl extends ManagerBase implements BucketApiService, Configurable {
 
@@ -68,6 +74,8 @@ public class BucketApiServiceImpl extends ManagerBase implements BucketApiServic
 
     @Inject
     private BucketStatisticsDao _bucketStatisticsDao;
+    @Inject
+    ReservationDao reservationDao;
 
     private ScheduledExecutorService _executor = null;
 
@@ -136,13 +144,26 @@ public Bucket allocBucket(CreateBucketCmd cmd) throws ResourceAllocationExceptio
             return null;
         }
 
-        resourceLimitManager.checkResourceLimit(owner, Resource.ResourceType.bucket);
-        resourceLimitManager.checkResourceLimit(owner, Resource.ResourceType.object_storage, (cmd.getQuota() * Resource.ResourceType.bytesToGiB));
+        long size = ObjectUtils.defaultIfNull(cmd.getQuota(), 0) * Resource.ResourceType.bytesToGiB;
+        return createCheckedBucket(cmd, owner, size, ownerId);
+    }
 
-        BucketVO bucket = new BucketVO(ownerId, owner.getDomainId(), cmd.getObjectStoragePoolId(), cmd.getBucketName(), cmd.getQuota(),
-                                    cmd.isVersioning(), cmd.isEncryption(), cmd.isObjectLocking(), cmd.getPolicy());
-        _bucketDao.persist(bucket);
-        return bucket;
+    @NotNull
+    private BucketVO createCheckedBucket(CreateBucketCmd cmd, Account owner, long size, long ownerId) throws ResourceAllocationException {
+        try (CheckedReservation bucketReservation = new CheckedReservation(owner, Resource.ResourceType.bucket,
+                1L, reservationDao, resourceLimitManager);
+             CheckedReservation objectStorageReservation = new CheckedReservation(owner,
+                     Resource.ResourceType.object_storage, size, reservationDao, resourceLimitManager)) {
+            BucketVO bucket = new BucketVO(ownerId, owner.getDomainId(), cmd.getObjectStoragePoolId(), cmd.getBucketName(), cmd.getQuota(),
+                    cmd.isVersioning(), cmd.isEncryption(), cmd.isObjectLocking(), cmd.getPolicy());
+            _bucketDao.persist(bucket);
+            resourceLimitManager.incrementResourceCount(bucket.getAccountId(), Resource.ResourceType.bucket);
+            if (size > 0) {
+                resourceLimitManager.incrementResourceCount(bucket.getAccountId(), Resource.ResourceType.object_storage,
+                        (cmd.getQuota() * Resource.ResourceType.bytesToGiB));
+            }
+            return bucket;
+        }
     }
 
     @Override
@@ -160,7 +181,6 @@ public Bucket createBucket(CreateBucketCmd cmd) {
         try {
             bucketTO = new BucketTO(objectStore.createBucket(bucket, objectLock));
             bucketCreated = true;
-            resourceLimitManager.incrementResourceCount(bucket.getAccountId(), Resource.ResourceType.bucket);
 
             if (cmd.isVersioning()) {
                 objectStore.setBucketVersioning(bucketTO);
@@ -172,7 +192,6 @@ public Bucket createBucket(CreateBucketCmd cmd) {
 
             if (cmd.getQuota() != null) {
                 objectStore.setQuota(bucketTO, cmd.getQuota());
-                resourceLimitManager.incrementResourceCount(bucket.getAccountId(), Resource.ResourceType.object_storage, (cmd.getQuota() * Resource.ResourceType.bytesToGiB));
                 if (objectStoreVO.getTotalSize() != null && objectStoreVO.getTotalSize() != 0 && objectStoreVO.getAllocatedSize() != null) {
                     Long allocatedSize = objectStoreVO.getAllocatedSize() / Resource.ResourceType.bytesToGiB;
                     Long totalSize = objectStoreVO.getTotalSize() / Resource.ResourceType.bytesToGiB;
@@ -193,11 +212,16 @@ public Bucket createBucket(CreateBucketCmd cmd) {
                 _objectStoreDao.updateAllocatedSize(objectStoreVO, cmd.getQuota() * Resource.ResourceType.bytesToGiB);
             }
         } catch (Exception e) {
-            logger.debug("Failed to create bucket with name: "+bucket.getName(), e);
+            logger.debug("Failed to create bucket with name: {}", bucket.getName(), e);
             if(bucketCreated) {
                 objectStore.deleteBucket(bucketTO);
             }
             _bucketDao.remove(bucket.getId());
+            resourceLimitManager.decrementResourceCount(bucket.getAccountId(), Resource.ResourceType.bucket);
+            if (bucket.getQuota() != null) {
+                resourceLimitManager.decrementResourceCount(bucket.getAccountId(), Resource.ResourceType.object_storage,
+                        (bucket.getQuota() * Resource.ResourceType.bytesToGiB));
+            }
             throw new CloudRuntimeException("Failed to create bucket with name: "+bucket.getName()+". "+e.getMessage());
         }
         return bucket;
@@ -205,24 +229,36 @@ public Bucket createBucket(CreateBucketCmd cmd) {
 
     @Override
     @ActionEvent(eventType = EventTypes.EVENT_BUCKET_DELETE, eventDescription = "deleting bucket")
-    public boolean deleteBucket(long bucketId, Account caller) {
+    public boolean deleteBucket(long bucketId, Account caller) throws ResourceAllocationException {
         Bucket bucket = _bucketDao.findById(bucketId);
-        BucketTO bucketTO = new BucketTO(bucket);
         if (bucket == null) {
             throw new InvalidParameterValueException("Unable to find bucket with ID: " + bucketId);
         }
         _accountMgr.checkAccess(caller, null, true, bucket);
         ObjectStoreVO objectStoreVO = _objectStoreDao.findById(bucket.getObjectStoreId());
         ObjectStoreEntity  objectStore = (ObjectStoreEntity)_dataStoreMgr.getDataStore(objectStoreVO.getId(), DataStoreRole.Object);
-        if (objectStore.deleteBucket(bucketTO)) {
-            resourceLimitManager.decrementResourceCount(bucket.getAccountId(), Resource.ResourceType.bucket);
-            if (bucket.getQuota() != null) {
-                resourceLimitManager.decrementResourceCount(bucket.getAccountId(), Resource.ResourceType.object_storage, (bucket.getQuota() * Resource.ResourceType.bytesToGiB));
-                _objectStoreDao.updateAllocatedSize(objectStoreVO, -(bucket.getQuota() * Resource.ResourceType.bytesToGiB));
+        return deleteCheckedBucket(objectStore, bucket, objectStoreVO);
+    }
+
+    private boolean deleteCheckedBucket(ObjectStoreEntity objectStore, Bucket bucket, ObjectStoreVO objectStoreVO) throws ResourceAllocationException {
+        Account owner = _accountMgr.getAccount(bucket.getAccountId());
+        try (CheckedReservation bucketReservation = new CheckedReservation(owner, Resource.ResourceType.bucket,
+                bucket.getId(), null, -1L, reservationDao, resourceLimitManager);
+             CheckedReservation objectStorageReservation = new CheckedReservation(owner,
+                     Resource.ResourceType.object_storage, bucket.getId(), null,
+                     -1*(ObjectUtils.defaultIfNull(bucket.getQuota(), 0) * Resource.ResourceType.bytesToGiB), reservationDao, resourceLimitManager)) {
+            BucketTO bucketTO = new BucketTO(bucket);
+            if (objectStore.deleteBucket(bucketTO)) {
+                resourceLimitManager.decrementResourceCount(bucket.getAccountId(), Resource.ResourceType.bucket);
+                if (bucket.getQuota() != null) {
+                    resourceLimitManager.decrementResourceCount(bucket.getAccountId(), Resource.ResourceType.object_storage, (bucket.getQuota() * Resource.ResourceType.bytesToGiB));
+                    _objectStoreDao.updateAllocatedSize(objectStoreVO, -(bucket.getQuota() * Resource.ResourceType.bytesToGiB));
+                }
+                _bucketDao.remove(bucket.getId());
+                return true;
             }
-            return _bucketDao.remove(bucketId);
+            return false;
         }
-        return false;
     }
 
     @Override
@@ -236,16 +272,6 @@ public boolean updateBucket(UpdateBucketCmd cmd, Account caller) throws Resource
         _accountMgr.checkAccess(caller, null, true, bucket);
         ObjectStoreVO objectStoreVO = _objectStoreDao.findById(bucket.getObjectStoreId());
         ObjectStoreEntity  objectStore = (ObjectStoreEntity)_dataStoreMgr.getDataStore(objectStoreVO.getId(), DataStoreRole.Object);
-        Integer quota = cmd.getQuota();
-        Integer quotaDelta = null;
-
-        if (quota != null) {
-            quotaDelta = quota - bucket.getQuota();
-            if (quotaDelta > 0) {
-                Account owner = _accountMgr.getActiveAccountById(bucket.getAccountId());
-                resourceLimitManager.checkResourceLimit(owner, Resource.ResourceType.object_storage, (quotaDelta * Resource.ResourceType.bytesToGiB));
-            }
-        }
 
         try {
             if (cmd.getEncryption() != null) {
@@ -271,16 +297,8 @@ public boolean updateBucket(UpdateBucketCmd cmd, Account caller) throws Resource
                 bucket.setPolicy(cmd.getPolicy());
             }
 
-            if (cmd.getQuota() != null) {
-                objectStore.setQuota(bucketTO, cmd.getQuota());
-                bucket.setQuota(cmd.getQuota());
-                if (quotaDelta > 0) {
-                    resourceLimitManager.incrementResourceCount(bucket.getAccountId(), Resource.ResourceType.object_storage, (quotaDelta * Resource.ResourceType.bytesToGiB));
-                } else {
-                    resourceLimitManager.decrementResourceCount(bucket.getAccountId(), Resource.ResourceType.object_storage, ((-quotaDelta) * Resource.ResourceType.bytesToGiB));
-                }
-                _objectStoreDao.updateAllocatedSize(objectStoreVO, (quotaDelta * Resource.ResourceType.bytesToGiB));
-            }
+            updateBucketQuota(cmd, bucket, objectStore, objectStoreVO, bucketTO);
+
             _bucketDao.update(bucket.getId(), bucket);
         } catch (Exception e) {
             throw new CloudRuntimeException("Error while updating bucket: " +bucket.getName() +". "+e.getMessage());
@@ -289,6 +307,31 @@ public boolean updateBucket(UpdateBucketCmd cmd, Account caller) throws Resource
         return true;
     }
 
+    private void updateBucketQuota(UpdateBucketCmd cmd, BucketVO bucket, ObjectStoreEntity objectStore, ObjectStoreVO objectStoreVO, BucketTO bucketTO) throws ResourceAllocationException {
+        Integer quota = cmd.getQuota();
+        if (quota == null) {
+            return;
+        }
+
+        int quotaDelta = quota - bucket.getQuota();
+        objectStore.setQuota(bucketTO, quota);
+        bucket.setQuota(quota);
+
+        long diff = quotaDelta * Resource.ResourceType.bytesToGiB;
+
+        if (quotaDelta < 0) {
+            resourceLimitManager.decrementResourceCount(bucket.getAccountId(), Resource.ResourceType.object_storage, Math.abs(diff));
+            _objectStoreDao.updateAllocatedSize(objectStoreVO, diff);
+            return;
+        }
+
+        Account owner = _accountMgr.getActiveAccountById(bucket.getAccountId());
+        try (CheckedReservation objectStorageReservation = new CheckedReservation(owner, Resource.ResourceType.object_storage, diff, reservationDao, resourceLimitManager)) {
+            resourceLimitManager.incrementResourceCount(bucket.getAccountId(), Resource.ResourceType.object_storage, diff);
+            _objectStoreDao.updateAllocatedSize(objectStoreVO, diff);
+        }
+    }
+
     public void getBucketUsage() {
         //ToDo track usage one last time when object store or bucket is removed
         List<ObjectStoreVO> objectStores = _objectStoreDao.listObjectStores();
diff --git a/server/src/main/java/org/apache/cloudstack/storage/volume/VolumeImportUnmanageManagerImpl.java b/server/src/main/java/org/apache/cloudstack/storage/volume/VolumeImportUnmanageManagerImpl.java
index 383644f9aa20..abc2e5ca2255 100644
--- a/server/src/main/java/org/apache/cloudstack/storage/volume/VolumeImportUnmanageManagerImpl.java
+++ b/server/src/main/java/org/apache/cloudstack/storage/volume/VolumeImportUnmanageManagerImpl.java
@@ -35,6 +35,7 @@
 import com.cloud.host.dao.HostDao;
 import com.cloud.hypervisor.Hypervisor;
 import com.cloud.offering.DiskOffering;
+import com.cloud.resourcelimit.ReservationHelper;
 import com.cloud.storage.DataStoreRole;
 import com.cloud.storage.DiskOfferingVO;
 import com.cloud.storage.Storage;
@@ -68,6 +69,8 @@
 import org.apache.cloudstack.api.response.VolumeResponse;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.engine.orchestration.service.VolumeOrchestrationService;
+import org.apache.cloudstack.framework.config.ConfigKey;
+import org.apache.cloudstack.resourcelimit.Reserver;
 import org.apache.cloudstack.storage.datastore.db.PrimaryDataStoreDao;
 import org.apache.cloudstack.storage.datastore.db.SnapshotDataStoreDao;
 import org.apache.cloudstack.storage.datastore.db.StoragePoolVO;
@@ -198,10 +201,7 @@ public VolumeResponse importVolume(ImportVolumeCmd cmd) {
             logFailureAndThrowException("Volume is a reference of snapshot on primary: " + volume.getFullPath());
         }
 
-        // 5. check resource limitation
-        checkResourceLimitForImportVolume(owner, volume);
-
-        // 6. get disk offering
+        // 5. get disk offering
         DiskOfferingVO diskOffering = getOrCreateDiskOffering(owner, cmd.getDiskOfferingId(), pool.getDataCenterId(), pool.isLocal());
         if (diskOffering.isCustomized()) {
             volumeApiService.validateCustomDiskOfferingSizeRange(volume.getVirtualSize() / ByteScaleUtils.GiB);
@@ -210,17 +210,26 @@ public VolumeResponse importVolume(ImportVolumeCmd cmd) {
             logFailureAndThrowException(String.format("Disk offering: %s storage tags are not compatible with selected storage pool: %s", diskOffering, pool));
         }
 
-        // 7. create records
-        String volumeName = StringUtils.isNotBlank(cmd.getName()) ? cmd.getName().trim() : volumePath;
-        VolumeVO volumeVO = importVolumeInternal(volume, diskOffering, owner, pool, volumeName);
+        List<Reserver> reservations = new ArrayList<>();
+        try {
+            // 6. check resource limitation
+            checkResourceLimitForImportVolume(owner, volume, diskOffering, reservations);
+
+            // 7. create records
+            String volumeName = StringUtils.isNotBlank(cmd.getName()) ? cmd.getName().trim() : volumePath;
+            VolumeVO volumeVO = importVolumeInternal(volume, diskOffering, owner, pool, volumeName);
 
-        // 8. Update resource count
-        updateResourceLimitForVolumeImport(volumeVO);
+            // 8. Update resource count
+            updateResourceLimitForVolumeImport(volumeVO);
 
-        // 9. Publish event
-        publicUsageEventForVolumeImportAndUnmanage(volumeVO, true);
+            // 9. Publish event
+            publicUsageEventForVolumeImportAndUnmanage(volumeVO, true);
 
-        return responseGenerator.createVolumeResponse(ResponseObject.ResponseView.Full, volumeVO);
+            return responseGenerator.createVolumeResponse(ResponseObject.ResponseView.Full, volumeVO);
+
+        } finally {
+            ReservationHelper.closeAll(reservations);
+        }
     }
 
     protected VolumeOnStorageTO getVolumeOnStorageAndCheck(StoragePoolVO pool, String volumePath) {
@@ -394,7 +403,7 @@ protected void checkIfVolumeHasBackingFile(VolumeOnStorageTO volume) {
         Map<VolumeOnStorageTO.Detail, String> volumeDetails = volume.getDetails();
         if (volumeDetails != null && volumeDetails.containsKey(VolumeOnStorageTO.Detail.BACKING_FILE)) {
             String backingFile = volumeDetails.get(VolumeOnStorageTO.Detail.BACKING_FILE);
-            if (StringUtils.isNotBlank(backingFile)) {
+            if (StringUtils.isNotBlank(backingFile) && !AllowImportVolumeWithBackingFile.value()) {
                 logFailureAndThrowException("Volume with backing file cannot be imported or unmanaged.");
             }
         }
@@ -456,11 +465,10 @@ private VolumeVO importVolumeInternal(VolumeOnStorageTO volume, DiskOfferingVO d
         return volumeDao.findById(diskProfile.getVolumeId());
     }
 
-    protected void checkResourceLimitForImportVolume(Account owner, VolumeOnStorageTO volume) {
+    protected void checkResourceLimitForImportVolume(Account owner, VolumeOnStorageTO volume, DiskOfferingVO diskOffering, List<Reserver> reservations) {
         Long volumeSize = volume.getVirtualSize();
         try {
-            resourceLimitService.checkResourceLimit(owner, Resource.ResourceType.volume);
-            resourceLimitService.checkResourceLimit(owner, Resource.ResourceType.primary_storage, volumeSize);
+            resourceLimitService.checkVolumeResourceLimit(owner, true, volumeSize, diskOffering, reservations);
         } catch (ResourceAllocationException e) {
             logger.error("VM resource allocation error for account: {}", owner, e);
             throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("VM resource allocation error for account: %s. %s", owner.getUuid(), StringUtils.defaultString(e.getMessage())));
@@ -513,4 +521,16 @@ private void unmanageVolumeFromDatabase(VolumeVO volume) {
         volume.setRemoved(new Date());
         volumeDao.update(volume.getId(), volume);
     }
+
+    @Override
+    public String getConfigComponentName() {
+        return VolumeImportUnmanageManagerImpl.class.getSimpleName();
+    }
+
+    @Override
+    public ConfigKey<?>[] getConfigKeys() {
+        return new ConfigKey<?>[]{
+                AllowImportVolumeWithBackingFile
+        };
+    }
 }
diff --git a/server/src/main/java/org/apache/cloudstack/vm/UnmanagedVMsManagerImpl.java b/server/src/main/java/org/apache/cloudstack/vm/UnmanagedVMsManagerImpl.java
index 14c67417015c..846eab599fd1 100644
--- a/server/src/main/java/org/apache/cloudstack/vm/UnmanagedVMsManagerImpl.java
+++ b/server/src/main/java/org/apache/cloudstack/vm/UnmanagedVMsManagerImpl.java
@@ -86,6 +86,8 @@
 import com.cloud.org.Cluster;
 import com.cloud.resource.ResourceManager;
 import com.cloud.resource.ResourceState;
+import com.cloud.resourcelimit.CheckedReservation;
+import com.cloud.resourcelimit.ReservationHelper;
 import com.cloud.serializer.GsonHelper;
 import com.cloud.server.ManagementService;
 import com.cloud.service.ServiceOfferingVO;
@@ -155,8 +157,6 @@
 import org.apache.cloudstack.api.command.admin.vm.ListVmsForImportCmd;
 import org.apache.cloudstack.api.command.admin.vm.UnmanageVMInstanceCmd;
 import org.apache.cloudstack.api.response.ListResponse;
-import org.apache.cloudstack.api.response.NicResponse;
-import org.apache.cloudstack.api.response.UnmanagedInstanceDiskResponse;
 import org.apache.cloudstack.api.response.UnmanagedInstanceResponse;
 import org.apache.cloudstack.api.response.UserVmResponse;
 import org.apache.cloudstack.context.CallContext;
@@ -166,6 +166,8 @@
 import org.apache.cloudstack.engine.subsystem.api.storage.DataStoreManager;
 import org.apache.cloudstack.framework.config.ConfigKey;
 import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
+import org.apache.cloudstack.reservation.dao.ReservationDao;
+import org.apache.cloudstack.resourcelimit.Reserver;
 import org.apache.cloudstack.storage.datastore.db.ImageStoreDao;
 import org.apache.cloudstack.storage.datastore.db.ImageStoreVO;
 import org.apache.cloudstack.storage.datastore.db.PrimaryDataStoreDao;
@@ -195,21 +197,23 @@
 
 import static org.apache.cloudstack.api.ApiConstants.MAX_IOPS;
 import static org.apache.cloudstack.api.ApiConstants.MIN_IOPS;
+import static org.apache.cloudstack.storage.volume.VolumeImportUnmanageService.AllowImportVolumeWithBackingFile;
 import static org.apache.cloudstack.vm.ImportVmTask.Step.CloningInstance;
 import static org.apache.cloudstack.vm.ImportVmTask.Step.Completed;
 import static org.apache.cloudstack.vm.ImportVmTask.Step.ConvertingInstance;
 import static org.apache.cloudstack.vm.ImportVmTask.Step.Importing;
 
 public class UnmanagedVMsManagerImpl implements UnmanagedVMsManager {
-    public static final String VM_IMPORT_DEFAULT_TEMPLATE_NAME = "system-default-vm-import-dummy-template.iso";
-    public static final String KVM_VM_IMPORT_DEFAULT_TEMPLATE_NAME = "kvm-default-vm-import-dummy-template";
     protected Logger logger = LogManager.getLogger(UnmanagedVMsManagerImpl.class);
+    private static final long OTHER_LINUX_64_GUEST_OS_ID = 99;
     private static final List<Hypervisor.HypervisorType> importUnmanagedInstancesSupportedHypervisors =
             Arrays.asList(Hypervisor.HypervisorType.VMware, Hypervisor.HypervisorType.KVM);
 
     private static final List<Storage.StoragePoolType> forceConvertToPoolAllowedTypes =
             Arrays.asList(Storage.StoragePoolType.NetworkFilesystem, Storage.StoragePoolType.Filesystem,
                     Storage.StoragePoolType.SharedMountPoint);
+    private static final String DETAIL_VDDK_TRANSPORTS = "vddk.transports";
+    private static final String DETAIL_VDDK_THUMBPRINT = "vddk.thumbprint";
 
     ConfigKey<Boolean> ConvertVmwareInstanceToKvmExtraParamsAllowed = new ConfigKey<>(Boolean.class,
             "convert.vmware.instance.to.kvm.extra.params.allowed",
@@ -254,6 +258,8 @@ public class UnmanagedVMsManagerImpl implements UnmanagedVMsManager {
     @Inject
     private ResourceLimitService resourceLimitService;
     @Inject
+    private ReservationDao reservationDao;
+    @Inject
     private VMInstanceDetailsDao vmInstanceDetailsDao;
     @Inject
     private UserVmManager userVmManager;
@@ -326,7 +332,7 @@ private VMTemplateVO createDefaultDummyVmImportTemplate(boolean isKVM) {
         try {
             template = VMTemplateVO.createSystemIso(templateDao.getNextInSequence(Long.class, "id"), templateName, templateName, true,
                     "", true, 64, Account.ACCOUNT_ID_SYSTEM, "",
-                    "VM Import Default Template", false, 1);
+                    "VM Import Default Template", false, OTHER_LINUX_64_GUEST_OS_ID);
             template.setState(VirtualMachineTemplate.State.Inactive);
             template = templateDao.persist(template);
             if (template == null) {
@@ -340,68 +346,6 @@ private VMTemplateVO createDefaultDummyVmImportTemplate(boolean isKVM) {
         return template;
     }
 
-    private UnmanagedInstanceResponse createUnmanagedInstanceResponse(UnmanagedInstanceTO instance, Cluster cluster, Host host) {
-        UnmanagedInstanceResponse response = new UnmanagedInstanceResponse();
-        response.setName(instance.getName());
-
-        if (cluster != null) {
-            response.setClusterId(cluster.getUuid());
-        }
-        if (host != null) {
-            response.setHostId(host.getUuid());
-            response.setHostName(host.getName());
-        }
-        response.setPowerState(instance.getPowerState().toString());
-        response.setCpuCores(instance.getCpuCores());
-        response.setCpuSpeed(instance.getCpuSpeed());
-        response.setCpuCoresPerSocket(instance.getCpuCoresPerSocket());
-        response.setMemory(instance.getMemory());
-        response.setOperatingSystemId(instance.getOperatingSystemId());
-        response.setOperatingSystem(instance.getOperatingSystem());
-        response.setObjectName("unmanagedinstance");
-
-        if (instance.getDisks() != null) {
-            for (UnmanagedInstanceTO.Disk disk : instance.getDisks()) {
-                UnmanagedInstanceDiskResponse diskResponse = new UnmanagedInstanceDiskResponse();
-                diskResponse.setDiskId(disk.getDiskId());
-                if (StringUtils.isNotEmpty(disk.getLabel())) {
-                    diskResponse.setLabel(disk.getLabel());
-                }
-                diskResponse.setCapacity(disk.getCapacity());
-                diskResponse.setController(disk.getController());
-                diskResponse.setControllerUnit(disk.getControllerUnit());
-                diskResponse.setPosition(disk.getPosition());
-                diskResponse.setImagePath(disk.getImagePath());
-                diskResponse.setDatastoreName(disk.getDatastoreName());
-                diskResponse.setDatastoreHost(disk.getDatastoreHost());
-                diskResponse.setDatastorePath(disk.getDatastorePath());
-                diskResponse.setDatastoreType(disk.getDatastoreType());
-                response.addDisk(diskResponse);
-            }
-        }
-
-        if (instance.getNics() != null) {
-            for (UnmanagedInstanceTO.Nic nic : instance.getNics()) {
-                NicResponse nicResponse = new NicResponse();
-                nicResponse.setId(nic.getNicId());
-                nicResponse.setNetworkName(nic.getNetwork());
-                nicResponse.setMacAddress(nic.getMacAddress());
-                if (StringUtils.isNotEmpty(nic.getAdapterType())) {
-                    nicResponse.setAdapterType(nic.getAdapterType());
-                }
-                if (!CollectionUtils.isEmpty(nic.getIpAddress())) {
-                    nicResponse.setIpAddresses(nic.getIpAddress());
-                }
-                nicResponse.setVlanId(nic.getVlan());
-                nicResponse.setIsolatedPvlanId(nic.getPvlan());
-                nicResponse.setIsolatedPvlanType(nic.getPvlanType());
-                response.addNic(nicResponse);
-            }
-        }
-
-        return response;
-    }
-
     private List<String> getAdditionalNameFilters(Cluster cluster) {
         List<String> additionalNameFilter = new ArrayList<>();
         if (cluster == null) {
@@ -639,7 +583,7 @@ private Pair<UnmanagedInstanceTO.Disk, List<UnmanagedInstanceTO.Disk>> getRootAn
         return new Pair<>(rootDisk, dataDisks);
     }
 
-    private void checkUnmanagedDiskAndOfferingForImport(String instanceName, UnmanagedInstanceTO.Disk disk, DiskOffering diskOffering, ServiceOffering serviceOffering, final Account owner, final DataCenter zone, final Cluster cluster, final boolean migrateAllowed)
+    private void checkUnmanagedDiskAndOfferingForImport(String instanceName, UnmanagedInstanceTO.Disk disk, DiskOffering diskOffering, ServiceOffering serviceOffering, final Account owner, final DataCenter zone, final Cluster cluster, final boolean migrateAllowed, List<Reserver> reservations)
             throws ServerApiException, PermissionDeniedException, ResourceAllocationException {
         if (serviceOffering == null && diskOffering == null) {
             throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("Disk offering for disk ID [%s] not found during VM [%s] import.", disk.getDiskId(), instanceName));
@@ -647,7 +591,6 @@ private void checkUnmanagedDiskAndOfferingForImport(String instanceName, Unmanag
         if (diskOffering != null) {
             accountService.checkAccess(owner, diskOffering, zone);
         }
-        resourceLimitService.checkVolumeResourceLimit(owner, true, null, diskOffering);
         if (disk.getCapacity() == null || disk.getCapacity() == 0) {
             throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("Size of disk(ID: %s) is found invalid during VM import", disk.getDiskId()));
         }
@@ -662,9 +605,10 @@ private void checkUnmanagedDiskAndOfferingForImport(String instanceName, Unmanag
         if (diskOffering != null && !migrateAllowed && !storagePoolSupportsDiskOffering(storagePool, diskOffering)) {
             throw new InvalidParameterValueException(String.format("Disk offering: %s is not compatible with storage pool: %s of unmanaged disk: %s", diskOffering.getUuid(), storagePool.getUuid(), disk.getDiskId()));
         }
+        resourceLimitService.checkVolumeResourceLimit(owner, true, disk.getCapacity(), diskOffering, reservations);
     }
 
-    private void checkUnmanagedDiskAndOfferingForImport(String intanceName, List<UnmanagedInstanceTO.Disk> disks, final Map<String, Long> diskOfferingMap, final Account owner, final DataCenter zone, final Cluster cluster, final boolean migrateAllowed)
+    private void checkUnmanagedDiskAndOfferingForImport(String intanceName, List<UnmanagedInstanceTO.Disk> disks, final Map<String, Long> diskOfferingMap, final Account owner, final DataCenter zone, final Cluster cluster, final boolean migrateAllowed, List<Reserver> reservations)
             throws ServerApiException, PermissionDeniedException, ResourceAllocationException {
         String diskController = null;
         for (UnmanagedInstanceTO.Disk disk : disks) {
@@ -681,7 +625,7 @@ private void checkUnmanagedDiskAndOfferingForImport(String intanceName, List<Unm
                     throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("Multiple data disk controllers of different type (%s, %s) are not supported for import. Please make sure that all data disk controllers are of the same type", diskController, disk.getController()));
                 }
             }
-            checkUnmanagedDiskAndOfferingForImport(intanceName, disk, diskOfferingDao.findById(diskOfferingMap.get(disk.getDiskId())), null, owner, zone, cluster, migrateAllowed);
+            checkUnmanagedDiskAndOfferingForImport(intanceName, disk, diskOfferingDao.findById(diskOfferingMap.get(disk.getDiskId())), null, owner, zone, cluster, migrateAllowed, reservations);
         }
     }
 
@@ -1108,44 +1052,10 @@ private void publishVMUsageUpdateResourceCount(final UserVm userVm, ServiceOffer
         }
     }
 
-    protected void checkUnmanagedDiskLimits(Account account, UnmanagedInstanceTO.Disk rootDisk, ServiceOffering serviceOffering,
-            List<UnmanagedInstanceTO.Disk> dataDisks, Map<String, Long> dataDiskOfferingMap) throws ResourceAllocationException {
-        Long totalVolumes = 0L;
-        Long totalVolumesSize = 0L;
-        List<UnmanagedInstanceTO.Disk> disks = new ArrayList<>();
-        disks.add(rootDisk);
-        disks.addAll(dataDisks);
-        Map<String, Long> diskOfferingMap = new HashMap<>(dataDiskOfferingMap);
-        diskOfferingMap.put(rootDisk.getDiskId(), serviceOffering.getDiskOfferingId());
-        Map<Long, Long> diskOfferingVolumeCountMap = new HashMap<>();
-        Map<Long, Long> diskOfferingSizeMap = new HashMap<>();
-        for (UnmanagedInstanceTO.Disk disk : disks) {
-            totalVolumes++;
-            totalVolumesSize += disk.getCapacity();
-            Long diskOfferingId = diskOfferingMap.get(disk.getDiskId());
-            if (diskOfferingVolumeCountMap.containsKey(diskOfferingId)) {
-                diskOfferingVolumeCountMap.put(diskOfferingId, diskOfferingVolumeCountMap.get(diskOfferingId) + 1);
-                diskOfferingSizeMap.put(diskOfferingId, diskOfferingSizeMap.get(diskOfferingId) + disk.getCapacity());
-            } else {
-                diskOfferingVolumeCountMap.put(diskOfferingId, 1L);
-                diskOfferingSizeMap.put(diskOfferingId, disk.getCapacity());
-            }
-        }
-        resourceLimitService.checkResourceLimit(account, Resource.ResourceType.volume, totalVolumes);
-        resourceLimitService.checkResourceLimit(account, Resource.ResourceType.primary_storage, totalVolumesSize);
-        for (Long diskOfferingId : diskOfferingVolumeCountMap.keySet()) {
-            List<String> tags = resourceLimitService.getResourceLimitStorageTags(diskOfferingDao.findById(diskOfferingId));
-            for (String tag : tags) {
-                resourceLimitService.checkResourceLimitWithTag(account, Resource.ResourceType.volume, tag, diskOfferingVolumeCountMap.get(diskOfferingId));
-                resourceLimitService.checkResourceLimitWithTag(account, Resource.ResourceType.primary_storage, tag, diskOfferingSizeMap.get(diskOfferingId));
-            }
-        }
-    }
-
     private UserVm importVirtualMachineInternal(final UnmanagedInstanceTO unmanagedInstance, final String instanceNameInternal, final DataCenter zone, final Cluster cluster, final HostVO host,
                                                 final VirtualMachineTemplate template, final String displayName, final String hostName, final Account caller, final Account owner, final Long userId,
                                                 final ServiceOfferingVO serviceOffering, final Map<String, Long> dataDiskOfferingMap,
-                                                final Map<String, Long> nicNetworkMap, final Map<String, Network.IpAddresses> callerNicIpAddressMap,
+                                                final Map<String, Long> nicNetworkMap, final Map<String, Network.IpAddresses> callerNicIpAddressMap, final Long guestOsId,
                                                 final Map<String, String> details, final boolean migrateAllowed, final boolean forced, final boolean isImportUnmanagedFromSameHypervisor) {
         logger.debug(LogUtils.logGsonWithoutException("Trying to import VM [%s] with name [%s], in zone [%s], cluster [%s], and host [%s], using template [%s], service offering [%s], disks map [%s], NICs map [%s] and details [%s].",
                 unmanagedInstance, displayName, zone, cluster, host, template, serviceOffering, dataDiskOfferingMap, nicNetworkMap, details));
@@ -1199,99 +1109,103 @@ private UserVm importVirtualMachineInternal(final UnmanagedInstanceTO unmanagedI
             allDetails.put(VmDetailConstants.ROOT_DISK_SIZE, String.valueOf(size));
         }
 
+        List<Reserver> reservations = new ArrayList<>();
         try {
-            checkUnmanagedDiskAndOfferingForImport(unmanagedInstance.getName(), rootDisk, null, validatedServiceOffering, owner, zone, cluster, migrateAllowed);
+            checkUnmanagedDiskAndOfferingForImport(unmanagedInstance.getName(), rootDisk, null, validatedServiceOffering, owner, zone, cluster, migrateAllowed, reservations);
             if (CollectionUtils.isNotEmpty(dataDisks)) { // Data disk(s) present
-                checkUnmanagedDiskAndOfferingForImport(unmanagedInstance.getName(), dataDisks, dataDiskOfferingMap, owner, zone, cluster, migrateAllowed);
+                checkUnmanagedDiskAndOfferingForImport(unmanagedInstance.getName(), dataDisks, dataDiskOfferingMap, owner, zone, cluster, migrateAllowed, reservations);
                 allDetails.put(VmDetailConstants.DATA_DISK_CONTROLLER, dataDisks.get(0).getController());
             }
-            checkUnmanagedDiskLimits(owner, rootDisk, serviceOffering, dataDisks, dataDiskOfferingMap);
-        } catch (ResourceAllocationException e) {
-            logger.error("Volume resource allocation error for owner: {}", owner, e);
-            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("Volume resource allocation error for owner: %s. %s", owner.getUuid(), StringUtils.defaultString(e.getMessage())));
-        }
-        // Check NICs and supplied networks
-        Map<String, Network.IpAddresses> nicIpAddressMap = getNicIpAddresses(unmanagedInstance.getNics(), callerNicIpAddressMap);
-        Map<String, Long> allNicNetworkMap = getUnmanagedNicNetworkMap(unmanagedInstance.getName(), unmanagedInstance.getNics(), nicNetworkMap, nicIpAddressMap, zone, hostName, owner, cluster.getHypervisorType());
-        if (!CollectionUtils.isEmpty(unmanagedInstance.getNics())) {
-            allDetails.put(VmDetailConstants.NIC_ADAPTER, unmanagedInstance.getNics().get(0).getAdapterType());
-        }
 
-        if (StringUtils.isNotEmpty(unmanagedInstance.getVncPassword())) {
-            allDetails.put(VmDetailConstants.KVM_VNC_PASSWORD, unmanagedInstance.getVncPassword());
-        }
+            // Check NICs and supplied networks
+            Map<String, Network.IpAddresses> nicIpAddressMap = getNicIpAddresses(unmanagedInstance.getNics(), callerNicIpAddressMap);
+            Map<String, Long> allNicNetworkMap = getUnmanagedNicNetworkMap(unmanagedInstance.getName(), unmanagedInstance.getNics(), nicNetworkMap, nicIpAddressMap, zone, hostName, owner, cluster.getHypervisorType());
+            if (!CollectionUtils.isEmpty(unmanagedInstance.getNics())) {
+                allDetails.put(VmDetailConstants.NIC_ADAPTER, unmanagedInstance.getNics().get(0).getAdapterType());
+            }
 
-        addImportingVMBootTypeAndModeDetails(unmanagedInstance.getBootType(), unmanagedInstance.getBootMode(), allDetails);
+            if (StringUtils.isNotEmpty(unmanagedInstance.getVncPassword())) {
+                allDetails.put(VmDetailConstants.KVM_VNC_PASSWORD, unmanagedInstance.getVncPassword());
+            }
 
-        VirtualMachine.PowerState powerState = VirtualMachine.PowerState.PowerOff;
-        if (unmanagedInstance.getPowerState().equals(UnmanagedInstanceTO.PowerState.PowerOn)) {
-            powerState = VirtualMachine.PowerState.PowerOn;
-        }
+            addImportingVMBootTypeAndModeDetails(unmanagedInstance.getBootType(), unmanagedInstance.getBootMode(), allDetails);
 
-        try {
-            userVm = userVmManager.importVM(zone, host, template, internalCSName, displayName, owner,
-                    null, caller, true, null, owner.getAccountId(), userId,
-                    validatedServiceOffering, null, hostName,
-                    cluster.getHypervisorType(), allDetails, powerState, null);
-        } catch (InsufficientCapacityException ice) {
-            String errorMsg = String.format("Failed to import VM [%s] due to [%s].", displayName, ice.getMessage());
-            logger.error(errorMsg, ice);
-            throw new ServerApiException(ApiErrorCode.INSUFFICIENT_CAPACITY_ERROR, errorMsg);
-        }
+            VirtualMachine.PowerState powerState = VirtualMachine.PowerState.PowerOff;
+            if (unmanagedInstance.getPowerState().equals(UnmanagedInstanceTO.PowerState.PowerOn)) {
+                powerState = VirtualMachine.PowerState.PowerOn;
+            }
 
-        if (userVm == null) {
-            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("Failed to import vm name: %s", displayName));
-        }
-        List<Pair<DiskProfile, StoragePool>> diskProfileStoragePoolList = new ArrayList<>();
-        try {
-            if (rootDisk.getCapacity() == null || rootDisk.getCapacity() == 0) {
-                throw new InvalidParameterValueException(String.format("Root disk ID: %s size is invalid", rootDisk.getDiskId()));
+            try {
+                userVm = userVmManager.importVM(zone, host, template, internalCSName, displayName, owner,
+                        null, caller, true, null, owner.getAccountId(), userId,
+                        validatedServiceOffering, null, guestOsId, hostName,
+                        cluster.getHypervisorType(), allDetails, powerState, null);
+            } catch (InsufficientCapacityException ice) {
+                String errorMsg = String.format("Failed to import VM [%s] due to [%s].", displayName, ice.getMessage());
+                logger.error(errorMsg, ice);
+                throw new ServerApiException(ApiErrorCode.INSUFFICIENT_CAPACITY_ERROR, errorMsg);
             }
-            Long minIops = null;
-            if (details.containsKey(MIN_IOPS)) {
-                minIops = Long.parseLong(details.get(MIN_IOPS));
+
+            if (userVm == null) {
+                throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("Failed to import vm name: %s", displayName));
             }
-            Long maxIops = null;
-            if (details.containsKey(MAX_IOPS)) {
-                maxIops = Long.parseLong(details.get(MAX_IOPS));
+            List<Pair<DiskProfile, StoragePool>> diskProfileStoragePoolList = new ArrayList<>();
+            try {
+                if (rootDisk.getCapacity() == null || rootDisk.getCapacity() == 0) {
+                    throw new InvalidParameterValueException(String.format("Root disk ID: %s size is invalid", rootDisk.getDiskId()));
+                }
+                Long minIops = null;
+                if (details.containsKey(MIN_IOPS)) {
+                    minIops = Long.parseLong(details.get(MIN_IOPS));
+                }
+                Long maxIops = null;
+                if (details.containsKey(MAX_IOPS)) {
+                    maxIops = Long.parseLong(details.get(MAX_IOPS));
+                }
+                DiskOfferingVO diskOffering = diskOfferingDao.findById(serviceOffering.getDiskOfferingId());
+                diskProfileStoragePoolList.add(importDisk(rootDisk, userVm, cluster, diskOffering, Volume.Type.ROOT, String.format("ROOT-%d", userVm.getId()),
+                        rootDisk.getCapacity(), minIops, maxIops, template, owner, null));
+                long deviceId = 1L;
+                for (UnmanagedInstanceTO.Disk disk : dataDisks) {
+                    if (disk.getCapacity() == null || disk.getCapacity() == 0) {
+                        throw new InvalidParameterValueException(String.format("Disk ID: %s size is invalid", rootDisk.getDiskId()));
+                    }
+                    DiskOffering offering = diskOfferingDao.findById(dataDiskOfferingMap.get(disk.getDiskId()));
+                    diskProfileStoragePoolList.add(importDisk(disk, userVm, cluster, offering, Volume.Type.DATADISK, String.format("DATA-%d-%s", userVm.getId(), disk.getDiskId()),
+                            disk.getCapacity(), offering.getMinIops(), offering.getMaxIops(),
+                            template, owner, deviceId));
+                    deviceId++;
+                }
+            } catch (Exception e) {
+                logger.error(String.format("Failed to import volumes while importing vm: %s", displayName), e);
+                cleanupFailedImportVM(userVm);
+                throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("Failed to import volumes while importing vm: %s. %s", displayName, StringUtils.defaultString(e.getMessage())));
             }
-            DiskOfferingVO diskOffering = diskOfferingDao.findById(serviceOffering.getDiskOfferingId());
-            diskProfileStoragePoolList.add(importDisk(rootDisk, userVm, cluster, diskOffering, Volume.Type.ROOT, String.format("ROOT-%d", userVm.getId()),
-                    rootDisk.getCapacity(), minIops, maxIops, template, owner, null));
-            long deviceId = 1L;
-            for (UnmanagedInstanceTO.Disk disk : dataDisks) {
-                if (disk.getCapacity() == null || disk.getCapacity() == 0) {
-                    throw new InvalidParameterValueException(String.format("Disk ID: %s size is invalid", rootDisk.getDiskId()));
+            try {
+                int nicIndex = 0;
+                for (UnmanagedInstanceTO.Nic nic : unmanagedInstance.getNics()) {
+                    Network network = networkDao.findById(allNicNetworkMap.get(nic.getNicId()));
+                    Network.IpAddresses ipAddresses = nicIpAddressMap.get(nic.getNicId());
+                    importNic(nic, userVm, network, ipAddresses, nicIndex, nicIndex == 0, forced);
+                    nicIndex++;
                 }
-                DiskOffering offering = diskOfferingDao.findById(dataDiskOfferingMap.get(disk.getDiskId()));
-                diskProfileStoragePoolList.add(importDisk(disk, userVm, cluster, offering, Volume.Type.DATADISK, String.format("DATA-%d-%s", userVm.getId(), disk.getDiskId()),
-                        disk.getCapacity(), offering.getMinIops(), offering.getMaxIops(),
-                        template, owner, deviceId));
-                deviceId++;
+            } catch (Exception e) {
+                logger.error(String.format("Failed to import NICs while importing vm: %s", displayName), e);
+                cleanupFailedImportVM(userVm);
+                throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("Failed to import NICs while importing vm: %s. %s", displayName, StringUtils.defaultString(e.getMessage())));
             }
-        } catch (Exception e) {
-            logger.error(String.format("Failed to import volumes while importing vm: %s", displayName), e);
-            cleanupFailedImportVM(userVm);
-            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("Failed to import volumes while importing vm: %s. %s", displayName, StringUtils.defaultString(e.getMessage())));
-        }
-        try {
-            int nicIndex = 0;
-            for (UnmanagedInstanceTO.Nic nic : unmanagedInstance.getNics()) {
-                Network network = networkDao.findById(allNicNetworkMap.get(nic.getNicId()));
-                Network.IpAddresses ipAddresses = nicIpAddressMap.get(nic.getNicId());
-                importNic(nic, userVm, network, ipAddresses, nicIndex, nicIndex == 0, forced);
-                nicIndex++;
+            if (migrateAllowed) {
+                userVm = migrateImportedVM(host, template, validatedServiceOffering, userVm, owner, diskProfileStoragePoolList);
             }
-        } catch (Exception e) {
-            logger.error(String.format("Failed to import NICs while importing vm: %s", displayName), e);
-            cleanupFailedImportVM(userVm);
-            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("Failed to import NICs while importing vm: %s. %s", displayName, StringUtils.defaultString(e.getMessage())));
-        }
-        if (migrateAllowed) {
-            userVm = migrateImportedVM(host, template, validatedServiceOffering, userVm, owner, diskProfileStoragePoolList);
+            publishVMUsageUpdateResourceCount(userVm, validatedServiceOffering, template);
+            return userVm;
+
+        } catch (ResourceAllocationException e) { // This will be thrown by checkUnmanagedDiskAndOfferingForImport, so the VM was not imported yet
+            logger.error("Volume resource allocation error for owner: {}", owner, e);
+            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("Volume resource allocation error for owner: %s. %s", owner.getUuid(), StringUtils.defaultString(e.getMessage())));
+        } finally {
+            ReservationHelper.closeAll(reservations);
         }
-        publishVMUsageUpdateResourceCount(userVm, validatedServiceOffering, template);
-        return userVm;
     }
 
     private void addImportingVMBootTypeAndModeDetails(String bootType, String bootMode, Map<String, String> allDetails) {
@@ -1396,8 +1310,6 @@ private UserVmResponse baseImportInstance(ImportUnmanagedInstanceCmd cmd) {
         VMTemplateVO template = getTemplateForImportInstance(cmd.getTemplateId(), cluster.getHypervisorType());
         ServiceOfferingVO serviceOffering = getServiceOfferingForImportInstance(cmd.getServiceOfferingId(), owner, zone);
 
-        checkResourceLimitForImportInstance(owner);
-
         String displayName = getDisplayNameForImportInstance(cmd.getDisplayName(), instanceName);
         String hostName = getHostNameForImportInstance(cmd.getHostName(), cluster.getHypervisorType(), instanceName, displayName);
 
@@ -1413,31 +1325,38 @@ private UserVmResponse baseImportInstance(ImportUnmanagedInstanceCmd cmd) {
         List<String> managedVms = new ArrayList<>(additionalNameFilters);
         managedVms.addAll(getHostsManagedVms(hosts));
 
-        ActionEventUtils.onStartedActionEvent(userId, owner.getId(), EventTypes.EVENT_VM_IMPORT,
-                cmd.getEventDescription(), null, null, true, 0);
+        try {
 
-        if (cmd instanceof ImportVmCmd) {
-            ImportVmCmd importVmCmd = (ImportVmCmd) cmd;
-            if (StringUtils.isBlank(importVmCmd.getImportSource())) {
-                throw new CloudRuntimeException("Please provide an import source for importing the VM");
-            }
-            String source = importVmCmd.getImportSource().toUpperCase();
-            ImportSource importSource = Enum.valueOf(ImportSource.class, source);
-            if (ImportSource.VMWARE == importSource) {
-                userVm = importUnmanagedInstanceFromVmwareToKvm(zone, cluster,
-                        template, instanceName, displayName, hostName, caller, owner, userId,
-                        serviceOffering, dataDiskOfferingMap,
-                        nicNetworkMap, nicIpAddressMap,
-                        details, importVmCmd, forced);
-            }
-        } else {
-            if (List.of(Hypervisor.HypervisorType.VMware, Hypervisor.HypervisorType.KVM).contains(cluster.getHypervisorType())) {
-                userVm = importUnmanagedInstanceFromHypervisor(zone, cluster, hosts, additionalNameFilters,
-                        template, instanceName, displayName, hostName, caller, owner, userId,
-                        serviceOffering, dataDiskOfferingMap,
-                        nicNetworkMap, nicIpAddressMap,
-                        details, cmd.getMigrateAllowed(), managedVms, forced);
+            ActionEventUtils.onStartedActionEvent(userId, owner.getId(), EventTypes.EVENT_VM_IMPORT,
+                    cmd.getEventDescription(), null, null, true, 0);
+
+            if (cmd instanceof ImportVmCmd) {
+                ImportVmCmd importVmCmd = (ImportVmCmd) cmd;
+                if (StringUtils.isBlank(importVmCmd.getImportSource())) {
+                    throw new CloudRuntimeException("Please provide an import source for importing the VM");
+                }
+                String source = importVmCmd.getImportSource().toUpperCase();
+                ImportSource importSource = Enum.valueOf(ImportSource.class, source);
+                if (ImportSource.VMWARE == importSource) {
+                    userVm = importUnmanagedInstanceFromVmwareToKvm(zone, cluster,
+                            template, instanceName, displayName, hostName, caller, owner, userId,
+                            serviceOffering, dataDiskOfferingMap,
+                            nicNetworkMap, nicIpAddressMap,
+                            details, importVmCmd, forced);
+                }
+            } else {
+                if (List.of(Hypervisor.HypervisorType.VMware, Hypervisor.HypervisorType.KVM).contains(cluster.getHypervisorType())) {
+                    userVm = importUnmanagedInstanceFromHypervisor(zone, cluster, hosts, additionalNameFilters,
+                            template, instanceName, displayName, hostName, caller, owner, userId,
+                            serviceOffering, dataDiskOfferingMap,
+                            nicNetworkMap, nicIpAddressMap,
+                            details, cmd.getMigrateAllowed(), managedVms, forced);
+                }
             }
+
+        } catch (ResourceAllocationException e) {
+            logger.error(String.format("VM resource allocation error for account: %s", owner.getUuid()), e);
+            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("VM resource allocation error for account: %s. %s", owner.getUuid(), StringUtils.defaultString(e.getMessage())));
         }
 
         if (userVm == null) {
@@ -1526,15 +1445,6 @@ private String getDisplayNameForImportInstance(String displayName, String instan
         return StringUtils.isEmpty(displayName) ? instanceName : displayName;
     }
 
-    private void checkResourceLimitForImportInstance(Account owner) {
-        try {
-            resourceLimitService.checkResourceLimit(owner, Resource.ResourceType.user_vm, 1);
-        } catch (ResourceAllocationException e) {
-            logger.error("VM resource allocation error for account: {}", owner, e);
-            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("VM resource allocation error for account: %s. %s", owner.getUuid(), StringUtils.defaultString(e.getMessage())));
-        }
-    }
-
     private ServiceOfferingVO getServiceOfferingForImportInstance(Long serviceOfferingId, Account owner, DataCenter zone) {
         if (serviceOfferingId == null) {
             throw new InvalidParameterValueException("Service offering ID cannot be null");
@@ -1550,10 +1460,11 @@ private ServiceOfferingVO getServiceOfferingForImportInstance(Long serviceOfferi
     protected VMTemplateVO getTemplateForImportInstance(Long templateId, Hypervisor.HypervisorType hypervisorType) {
         VMTemplateVO template;
         if (templateId == null) {
-            String templateName = (Hypervisor.HypervisorType.KVM.equals(hypervisorType)) ? KVM_VM_IMPORT_DEFAULT_TEMPLATE_NAME : VM_IMPORT_DEFAULT_TEMPLATE_NAME;
+            boolean isKVMHypervisor = Hypervisor.HypervisorType.KVM.equals(hypervisorType);
+            String templateName = (isKVMHypervisor) ? KVM_VM_IMPORT_DEFAULT_TEMPLATE_NAME : VM_IMPORT_DEFAULT_TEMPLATE_NAME;
             template = templateDao.findByName(templateName);
             if (template == null) {
-                template = createDefaultDummyVmImportTemplate(Hypervisor.HypervisorType.KVM == hypervisorType);
+                template = createDefaultDummyVmImportTemplate(isKVMHypervisor);
                 if (template == null) {
                     throw new InvalidParameterValueException(String.format("Default VM import template with unique name: %s for hypervisor: %s cannot be created. Please use templateid parameter for import", templateName, hypervisorType.toString()));
                 }
@@ -1586,7 +1497,7 @@ private UserVm importUnmanagedInstanceFromHypervisor(DataCenter zone, Cluster cl
                                                          String hostName, Account caller, Account owner, long userId,
                                                          ServiceOfferingVO serviceOffering, Map<String, Long> dataDiskOfferingMap,
                                                          Map<String, Long> nicNetworkMap, Map<String, Network.IpAddresses> nicIpAddressMap,
-                                                         Map<String, String> details, Boolean migrateAllowed, List<String> managedVms, boolean forced) {
+                                                         Map<String, String> details, Boolean migrateAllowed, List<String> managedVms, boolean forced) throws ResourceAllocationException {
         UserVm userVm = null;
         for (HostVO host : hosts) {
             HashMap<String, UnmanagedInstanceTO> unmanagedInstances = getUnmanagedInstancesForHost(host, instanceName, managedVms);
@@ -1630,11 +1541,18 @@ private UserVm importUnmanagedInstanceFromHypervisor(DataCenter zone, Cluster cl
 
                     template.setGuestOSId(guestOSHypervisor.getGuestOsId());
                 }
-                userVm = importVirtualMachineInternal(unmanagedInstance, instanceName, zone, cluster, host,
-                        template, displayName, hostName, CallContext.current().getCallingAccount(), owner, userId,
-                        serviceOffering, dataDiskOfferingMap,
-                        nicNetworkMap, nicIpAddressMap,
-                        details, migrateAllowed, forced, true);
+
+                List<Reserver> reservations = new ArrayList<>();
+                try {
+                    checkVmResourceLimitsForUnmanagedInstanceImport(owner, unmanagedInstance, serviceOffering, template, reservations);
+                    userVm = importVirtualMachineInternal(unmanagedInstance, instanceName, zone, cluster, host,
+                            template, displayName, hostName, CallContext.current().getCallingAccount(), owner, userId,
+                            serviceOffering, dataDiskOfferingMap,
+                            nicNetworkMap, nicIpAddressMap, null,
+                            details, migrateAllowed, forced, true);
+                } finally {
+                    ReservationHelper.closeAll(reservations);
+                }
                 break;
             }
             if (userVm != null) {
@@ -1644,6 +1562,36 @@ private UserVm importUnmanagedInstanceFromHypervisor(DataCenter zone, Cluster cl
         return userVm;
     }
 
+    protected void checkVmResourceLimitsForUnmanagedInstanceImport(Account owner, UnmanagedInstanceTO unmanagedInstance, ServiceOfferingVO serviceOffering, VMTemplateVO template, List<Reserver> reservations) throws ResourceAllocationException {
+        // When importing an unmanaged instance, the amount of CPUs and memory is obtained from the hypervisor unless powered off
+        // and not using a dynamic offering, unlike the external VM import that always obtains it from the compute offering
+        Integer cpu = serviceOffering.getCpu();
+        Integer memory = serviceOffering.getRamSize();
+
+        if (serviceOffering.isDynamic() || !UnmanagedInstanceTO.PowerState.PowerOff.equals(unmanagedInstance.getPowerState())) {
+            cpu = unmanagedInstance.getCpuCores();
+            memory = unmanagedInstance.getMemory();
+        }
+
+        if (cpu == null || cpu == 0) {
+            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("CPU cores [%s] is not valid for importing VM [%s].", cpu, unmanagedInstance.getName()));
+        }
+        if (memory == null || memory == 0) {
+            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("Memory [%s] is not valid for importing VM [%s].", memory, unmanagedInstance.getName()));
+        }
+
+        List<String> resourceLimitHostTags = resourceLimitService.getResourceLimitHostTags(serviceOffering, template);
+
+        CheckedReservation vmReservation = new CheckedReservation(owner, Resource.ResourceType.user_vm, resourceLimitHostTags, 1L, reservationDao, resourceLimitService);
+        reservations.add(vmReservation);
+
+        CheckedReservation cpuReservation = new CheckedReservation(owner, Resource.ResourceType.cpu, resourceLimitHostTags, cpu.longValue(), reservationDao, resourceLimitService);
+        reservations.add(cpuReservation);
+
+        CheckedReservation memReservation = new CheckedReservation(owner, Resource.ResourceType.memory, resourceLimitHostTags, memory.longValue(), reservationDao, resourceLimitService);
+        reservations.add(memReservation);
+    }
+
     private Pair<UnmanagedInstanceTO, Boolean> getSourceVmwareUnmanagedInstance(String vcenter, String datacenterName, String username,
                                                                                 String password, String clusterName, String sourceHostName,
                                                                                 String sourceVM, ServiceOfferingVO serviceOffering) {
@@ -1700,7 +1648,7 @@ protected UserVm importUnmanagedInstanceFromVmwareToKvm(DataCenter zone, Cluster
                                                           Account caller, Account owner, long userId,
                                                           ServiceOfferingVO serviceOffering, Map<String, Long> dataDiskOfferingMap,
                                                           Map<String, Long> nicNetworkMap, Map<String, Network.IpAddresses> nicIpAddressMap,
-                                                          Map<String, String> details, ImportVmCmd cmd, boolean forced) {
+                                                          Map<String, String> details, ImportVmCmd cmd, boolean forced) throws ResourceAllocationException {
         Long existingVcenterId = cmd.getExistingVcenterId();
         String vcenter = cmd.getVcenter();
         String datacenterName = cmd.getDatacenterName();
@@ -1713,6 +1661,9 @@ protected UserVm importUnmanagedInstanceFromVmwareToKvm(DataCenter zone, Cluster
         Long convertStoragePoolId = cmd.getConvertStoragePoolId();
         String extraParams = cmd.getExtraParams();
         boolean forceConvertToPool = cmd.getForceConvertToPool();
+        Long guestOsId = cmd.getGuestOsId();
+        boolean forceMsToImportVmFiles = Boolean.TRUE.equals(cmd.getForceMsToImportVmFiles());
+        boolean useVddk = cmd.getUseVddk();
 
         if ((existingVcenterId == null && vcenter == null) || (existingVcenterId != null && vcenter != null)) {
             throw new ServerApiException(ApiErrorCode.PARAM_ERROR,
@@ -1722,8 +1673,14 @@ protected UserVm importUnmanagedInstanceFromVmwareToKvm(DataCenter zone, Cluster
             throw new ServerApiException(ApiErrorCode.PARAM_ERROR,
                     "Please set all the information for a vCenter IP/Name, datacenter, username and password");
         }
+        if (forceMsToImportVmFiles && useVddk) {
+            throw new ServerApiException(ApiErrorCode.PARAM_ERROR,
+                    String.format("Parameters %s and %s are mutually exclusive",
+                            ApiConstants.FORCE_MS_TO_IMPORT_VM_FILES, ApiConstants.USE_VDDK));
+        }
 
         checkConversionStoragePool(convertStoragePoolId, forceConvertToPool);
+        validateSelectedConversionStoragePoolForVddk(useVddk, convertStoragePoolId, serviceOffering, dataDiskOfferingMap);
 
         checkExtraParamsAllowed(extraParams);
 
@@ -1745,10 +1702,18 @@ protected UserVm importUnmanagedInstanceFromVmwareToKvm(DataCenter zone, Cluster
         DataStoreTO temporaryConvertLocation = null;
         String ovfTemplateOnConvertLocation = null;
         ImportVmTask importVMTask = null;
+        List<Reserver> reservations = new ArrayList<>();
         try {
-            HostVO convertHost = selectKVMHostForConversionInCluster(destinationCluster, convertInstanceHostId);
-            HostVO importHost = selectKVMHostForImportingInCluster(destinationCluster, importInstanceHostId);
-            CheckConvertInstanceAnswer conversionSupportAnswer = checkConversionSupportOnHost(convertHost, sourceVMName, false);
+            HostVO convertHost = selectKVMHostForConversionInCluster(destinationCluster, convertInstanceHostId, useVddk);
+            HostVO importHost = (useVddk && importInstanceHostId == null)
+                    ? convertHost
+                    : selectKVMHostForImportingInCluster(destinationCluster, importInstanceHostId);
+
+            boolean isOvfExportSupported = false;
+            CheckConvertInstanceAnswer conversionSupportAnswer = checkConversionSupportOnHost(convertHost, sourceVMName, false, useVddk, details);
+            if (!useVddk) {
+                isOvfExportSupported = conversionSupportAnswer.isOvfExportSupported();
+            }
             logger.debug("The host {}  is selected to execute the conversion of the " +
                     "instance {} from VMware to KVM ", convertHost, sourceVMName);
 
@@ -1768,14 +1733,17 @@ protected UserVm importUnmanagedInstanceFromVmwareToKvm(DataCenter zone, Cluster
             sourceVMwareInstance = sourceInstanceDetails.first();
             isClonedInstance = sourceInstanceDetails.second();
 
+            // Ensure that the configured resource limits will not be exceeded before beginning the conversion process
+            checkVmResourceLimitsForUnmanagedInstanceImport(owner, sourceVMwareInstance, serviceOffering, template, reservations);
+
             boolean isWindowsVm = sourceVMwareInstance.getOperatingSystem().toLowerCase().contains("windows");
             if (isWindowsVm) {
-                checkConversionSupportOnHost(convertHost, sourceVMName, true);
+                checkConversionSupportOnHost(convertHost, sourceVMName, true, useVddk, details);
             }
 
             checkNetworkingBeforeConvertingVmwareInstance(zone, owner, displayName, hostName, sourceVMwareInstance, nicNetworkMap, nicIpAddressMap, forced);
             UnmanagedInstanceTO convertedInstance;
-            if (cmd.getForceMsToImportVmFiles() || !conversionSupportAnswer.isOvfExportSupported()) {
+            if (!useVddk && (forceMsToImportVmFiles || !isOvfExportSupported)) {
                 // Uses MS for OVF export to temporary conversion location
                 int noOfThreads = UnmanagedVMsManager.ThreadsOnMSToImportVMwareVMFiles.value();
                 importVmTasksManager.updateImportVMTaskStep(importVMTask, zone, owner, convertHost, importHost, null, ConvertingInstance);
@@ -1787,12 +1755,12 @@ protected UserVm importUnmanagedInstanceFromVmwareToKvm(DataCenter zone, Cluster
                         serviceOffering, dataDiskOfferingMap, temporaryConvertLocation,
                         ovfTemplateOnConvertLocation, forceConvertToPool, extraParams);
             } else {
-                // Uses KVM Host for OVF export to temporary conversion location, through ovftool
+                // Uses KVM Host for direct conversion using VDDK, or for OVF export to temporary conversion location through ovftool
                 importVmTasksManager.updateImportVMTaskStep(importVMTask, zone, owner, convertHost, importHost, null, ConvertingInstance);
-                convertedInstance = convertVmwareInstanceToKVMAfterExportingOVFToConvertLocation(
+                convertedInstance = convertVmwareInstanceToKVMUsingVDDKOrAfterExportingOVFToConvertLocation(
                         sourceVMName, sourceVMwareInstance, convertHost, importHost,
                         convertStoragePools, serviceOffering, dataDiskOfferingMap,
-                        temporaryConvertLocation, vcenter, username, password, datacenterName, forceConvertToPool, extraParams);
+                        temporaryConvertLocation, vcenter, username, password, datacenterName, forceConvertToPool, extraParams, useVddk, details);
             }
 
             sanitizeConvertedInstance(convertedInstance, sourceVMwareInstance);
@@ -1800,7 +1768,7 @@ protected UserVm importUnmanagedInstanceFromVmwareToKvm(DataCenter zone, Cluster
             UserVm userVm = importVirtualMachineInternal(convertedInstance, null, zone, destinationCluster, null,
                     template, displayName, hostName, caller, owner, userId,
                     serviceOffering, dataDiskOfferingMap,
-                    nicNetworkMap, nicIpAddressMap,
+                    nicNetworkMap, nicIpAddressMap, guestOsId,
                     details, false, forced, false);
             long timeElapsedInSecs = (System.currentTimeMillis() - importStartTime) / 1000;
             logger.debug(String.format("VMware VM %s imported successfully to CloudStack instance %s (%s), Time taken: %d secs, OVF files imported from %s, Source VMware VM details - OS: %s, PowerState: %s, Disks: %s, NICs: %s",
@@ -1820,6 +1788,7 @@ protected UserVm importUnmanagedInstanceFromVmwareToKvm(DataCenter zone, Cluster
             if (temporaryConvertLocation != null  && StringUtils.isNotBlank(ovfTemplateOnConvertLocation)) {
                 removeTemplate(temporaryConvertLocation, ovfTemplateOnConvertLocation);
             }
+            ReservationHelper.closeAll(reservations);
         }
     }
 
@@ -1847,6 +1816,45 @@ protected void checkConversionStoragePool(Long convertStoragePoolId, boolean for
         }
     }
 
+    protected void validateSelectedConversionStoragePoolForVddk(boolean useVddk, Long convertStoragePoolId,
+                                                                ServiceOfferingVO serviceOffering, Map<String, Long> dataDiskOfferingMap) {
+        if (!useVddk || convertStoragePoolId == null) {
+            return;
+        }
+
+        StoragePoolVO selectedStoragePool = primaryDataStoreDao.findById(convertStoragePoolId);
+        if (selectedStoragePool == null) {
+            return;
+        }
+
+        if (serviceOffering.getDiskOfferingId() != null) {
+            DiskOfferingVO rootDiskOffering = diskOfferingDao.findById(serviceOffering.getDiskOfferingId());
+            if (rootDiskOffering == null) {
+                throw new InvalidParameterValueException(String.format("Cannot find disk offering with ID %s that belongs to the service offering %s",
+                        serviceOffering.getDiskOfferingId(), serviceOffering.getName()));
+            }
+            if (!volumeApiService.doesStoragePoolSupportDiskOffering(selectedStoragePool, rootDiskOffering)) {
+                throw new InvalidParameterValueException(String.format("The root disk offering '%s' is not supported by the selected conversion storage pool '%s'. " +
+                        "When using VDDK, all selected disk offerings must be compatible with the conversion storage pool, as it will become the primary storage for the imported volumes.",
+                        rootDiskOffering.getName(), selectedStoragePool.getName()));
+            }
+        }
+
+        if (MapUtils.isNotEmpty(dataDiskOfferingMap)) {
+            for (Long diskOfferingId : dataDiskOfferingMap.values()) {
+                DiskOfferingVO diskOffering = diskOfferingDao.findById(diskOfferingId);
+                if (diskOffering == null) {
+                    throw new InvalidParameterValueException(String.format("Cannot find disk offering with ID %s", diskOfferingId));
+                }
+                if (!volumeApiService.doesStoragePoolSupportDiskOffering(selectedStoragePool, diskOffering)) {
+                    throw new InvalidParameterValueException(String.format("The data disk offering '%s' is not supported by the selected conversion storage pool '%s'. " +
+                            "When using VDDK, all selected disk offerings must be compatible with the conversion storage pool, as it will become the primary storage for the imported volumes.",
+                            diskOffering.getName(), selectedStoragePool.getName()));
+                }
+            }
+        }
+    }
+
     private void checkNetworkingBeforeConvertingVmwareInstance(DataCenter zone, Account owner, String displayName,
                                                                String hostName, UnmanagedInstanceTO sourceVMwareInstance,
                                                                Map<String, Long> nicNetworkMap,
@@ -2009,7 +2017,7 @@ HostVO selectKVMHostForImportingInCluster(Cluster destinationCluster, Long impor
         throw new CloudRuntimeException(err);
     }
 
-    HostVO selectKVMHostForConversionInCluster(Cluster destinationCluster, Long convertInstanceHostId) {
+    HostVO selectKVMHostForConversionInCluster(Cluster destinationCluster, Long convertInstanceHostId, boolean useVddk) {
         if (convertInstanceHostId != null) {
             HostVO selectedHost = hostDao.findById(convertInstanceHostId);
             String err = null;
@@ -2043,24 +2051,58 @@ HostVO selectKVMHostForConversionInCluster(Cluster destinationCluster, Long conv
         // Auto select host with conversion capability
         List<HostVO> hosts = hostDao.listByClusterHypervisorTypeAndHostCapability(destinationCluster.getId(), destinationCluster.getHypervisorType(), Host.HOST_INSTANCE_CONVERSION);
         if (CollectionUtils.isNotEmpty(hosts)) {
-            return hosts.get(new Random().nextInt(hosts.size()));
+            if (useVddk) {
+                List<HostVO> vddkHosts = filterHostsWithVddkSupport(hosts);
+                if (CollectionUtils.isNotEmpty(vddkHosts)) {
+                    hosts = vddkHosts;
+                }
+            }
+            if (CollectionUtils.isNotEmpty(hosts)) {
+                return hosts.get(new Random().nextInt(hosts.size()));
+            }
         }
 
         // Try without host capability check
         hosts = hostDao.listByClusterAndHypervisorType(destinationCluster.getId(), destinationCluster.getHypervisorType());
         if (CollectionUtils.isNotEmpty(hosts)) {
-            return hosts.get(new Random().nextInt(hosts.size()));
+            if (useVddk) {
+                List<HostVO> vddkHosts = filterHostsWithVddkSupport(hosts);
+                if (CollectionUtils.isNotEmpty(vddkHosts)) {
+                    hosts = vddkHosts;
+                }
+            }
+            if (CollectionUtils.isNotEmpty(hosts)) {
+                return hosts.get(new Random().nextInt(hosts.size()));
+            }
         }
 
-        String err = String.format("Could not find any suitable %s host in cluster %s to perform the instance conversion",
-                destinationCluster.getHypervisorType(), destinationCluster);
+        String err = useVddk
+                ? String.format("Could not find any suitable %s host in cluster %s with '%s' configured to perform the VDDK-based instance conversion",
+                        destinationCluster.getHypervisorType(), destinationCluster, Host.HOST_VDDK_SUPPORT)
+                : String.format("Could not find any suitable %s host in cluster %s to perform the instance conversion",
+                        destinationCluster.getHypervisorType(), destinationCluster);
         logger.error(err);
         throw new CloudRuntimeException(err);
     }
 
-    private CheckConvertInstanceAnswer checkConversionSupportOnHost(HostVO convertHost, String sourceVM, boolean checkWindowsGuestConversionSupport) {
-        logger.debug(String.format("Checking the %s conversion support on the host %s", checkWindowsGuestConversionSupport? "windows guest" : "", convertHost));
-        CheckConvertInstanceCommand cmd = new CheckConvertInstanceCommand(checkWindowsGuestConversionSupport);
+    private List<HostVO> filterHostsWithVddkSupport(List<HostVO> hosts) {
+        return hosts.stream().filter(h -> {
+            hostDao.loadDetails(h);
+            return Boolean.parseBoolean(h.getDetail(Host.HOST_VDDK_SUPPORT));
+        }).collect(Collectors.toList());
+    }
+
+    private CheckConvertInstanceAnswer checkConversionSupportOnHost(HostVO convertHost, String sourceVM,
+                                                                    boolean checkWindowsGuestConversionSupport,
+                                                                    boolean useVddk, Map<String, String> details) {
+        logger.debug(String.format("Checking the %s%s conversion support on the host %s",
+                useVddk ? "VDDK " : "",
+                checkWindowsGuestConversionSupport ? "windows guest " : "",
+                convertHost));
+        CheckConvertInstanceCommand cmd = new CheckConvertInstanceCommand(checkWindowsGuestConversionSupport, useVddk);
+        if (MapUtils.isNotEmpty(details)) {
+            cmd.setVddkLibDir(StringUtils.trimToNull(details.get(Host.HOST_VDDK_LIB_DIR)));
+        }
         int timeoutSeconds = 60;
         cmd.setWait(timeoutSeconds);
 
@@ -2094,7 +2136,7 @@ private UnmanagedInstanceTO convertVmwareInstanceToKVMWithOVFOnConvertLocation(
         logger.debug("Delegating the conversion of instance {} from VMware to KVM to the host {} using OVF {} on conversion datastore",
                 sourceVM, convertHost, ovfTemplateDirConvertLocation);
 
-        RemoteInstanceTO remoteInstanceTO = new RemoteInstanceTO(sourceVM);
+        RemoteInstanceTO remoteInstanceTO = new RemoteInstanceTO(sourceVM, sourceVMwareInstance.getClusterName(), sourceVMwareInstance.getHostName());
         List<String> destinationStoragePools = selectInstanceConversionStoragePools(convertStoragePools, sourceVMwareInstance.getDisks(), serviceOffering, dataDiskOfferingMap);
         ConvertInstanceCommand cmd = new ConvertInstanceCommand(remoteInstanceTO,
                 Hypervisor.HypervisorType.KVM, temporaryConvertLocation,
@@ -2109,15 +2151,16 @@ private UnmanagedInstanceTO convertVmwareInstanceToKVMWithOVFOnConvertLocation(
                 remoteInstanceTO, destinationStoragePools, temporaryConvertLocation, forceConvertToPool);
     }
 
-    private UnmanagedInstanceTO convertVmwareInstanceToKVMAfterExportingOVFToConvertLocation(
+    private UnmanagedInstanceTO convertVmwareInstanceToKVMUsingVDDKOrAfterExportingOVFToConvertLocation(
             String sourceVM, UnmanagedInstanceTO sourceVMwareInstance, HostVO convertHost,
             HostVO importHost, List<StoragePoolVO> convertStoragePools,
             ServiceOfferingVO serviceOffering, Map<String, Long> dataDiskOfferingMap,
             DataStoreTO temporaryConvertLocation, String vcenterHost, String vcenterUsername,
-            String vcenterPassword, String datacenterName, boolean forceConvertToPool, String extraParams) {
+            String vcenterPassword, String datacenterName, boolean forceConvertToPool, String extraParams,
+            boolean useVddk, Map<String, String> details) {
         logger.debug("Delegating the conversion of instance {} from VMware to KVM to the host {} after OVF export through ovftool", sourceVM, convertHost);
 
-        RemoteInstanceTO remoteInstanceTO = new RemoteInstanceTO(sourceVMwareInstance.getName(), sourceVMwareInstance.getPath(), vcenterHost, vcenterUsername, vcenterPassword, datacenterName);
+        RemoteInstanceTO remoteInstanceTO = new RemoteInstanceTO(sourceVMwareInstance.getName(), sourceVMwareInstance.getPath(), vcenterHost, vcenterUsername, vcenterPassword, datacenterName, sourceVMwareInstance.getClusterName(), sourceVMwareInstance.getHostName());
         List<String> destinationStoragePools = selectInstanceConversionStoragePools(convertStoragePools, sourceVMwareInstance.getDisks(), serviceOffering, dataDiskOfferingMap);
         ConvertInstanceCommand cmd = new ConvertInstanceCommand(remoteInstanceTO,
                 Hypervisor.HypervisorType.KVM, temporaryConvertLocation, null, false, true, sourceVM);
@@ -2132,10 +2175,22 @@ private UnmanagedInstanceTO convertVmwareInstanceToKVMAfterExportingOVFToConvert
         if (StringUtils.isNotBlank(extraParams)) {
             cmd.setExtraParams(extraParams);
         }
+        cmd.setUseVddk(useVddk);
+        applyVddkOverridesFromDetails(cmd, details);
         return convertAndImportToKVM(cmd, convertHost, importHost, sourceVM,
                 remoteInstanceTO, destinationStoragePools, temporaryConvertLocation, forceConvertToPool);
     }
 
+    private void applyVddkOverridesFromDetails(ConvertInstanceCommand cmd, Map<String, String> details) {
+        if (MapUtils.isEmpty(details)) {
+            return;
+        }
+
+        cmd.setVddkLibDir(StringUtils.trimToNull(details.get(Host.HOST_VDDK_LIB_DIR)));
+        cmd.setVddkTransports(StringUtils.trimToNull(details.get(DETAIL_VDDK_TRANSPORTS)));
+        cmd.setVddkThumbprint(StringUtils.trimToNull(details.get(DETAIL_VDDK_THUMBPRINT)));
+    }
+
     private UnmanagedInstanceTO convertAndImportToKVM(ConvertInstanceCommand convertInstanceCommand, HostVO convertHost, HostVO importHost,
                                                       String sourceVM,
                                                       RemoteInstanceTO remoteInstanceTO,
@@ -2366,6 +2421,8 @@ public List<Class<?>> getCommands() {
      * Perform validations before attempting to unmanage a VM from CloudStack:
      * - VM must not have any associated volume snapshot
      * - VM must not have an attached ISO
+     * - VM must not belong to any CKS cluster
+     * @throws UnsupportedServiceException in case any of the validations above fail
      */
     void performUnmanageVMInstancePrechecks(VMInstanceVO vmVO) {
         if (hasVolumeSnapshotsPriorToUnmanageVM(vmVO)) {
@@ -2377,6 +2434,11 @@ void performUnmanageVMInstancePrechecks(VMInstanceVO vmVO) {
             throw new UnsupportedServiceException("Cannot unmanage VM with id = " + vmVO.getUuid() +
                     " as there is an ISO attached. Please detach ISO before unmanaging.");
         }
+
+        if (userVmManager.isVMPartOfAnyCKSCluster(vmVO)) {
+            throw new UnsupportedServiceException("Cannot unmanage VM with id = " + vmVO.getUuid() +
+                    " as it belongs to a CKS cluster. Please remove the VM from the CKS cluster before unmanaging.");
+        }
     }
 
     private boolean hasVolumeSnapshotsPriorToUnmanageVM(VMInstanceVO vmVO) {
@@ -2521,12 +2583,6 @@ private UserVmResponse importKvmInstance(ImportVmCmd cmd) {
             throw new InvalidParameterValueException(String.format("Service offering ID: %d cannot be found", serviceOfferingId));
         }
         accountService.checkAccess(owner, serviceOffering, zone);
-        try {
-            resourceLimitService.checkResourceLimit(owner, Resource.ResourceType.user_vm, 1);
-        } catch (ResourceAllocationException e) {
-            logger.error("VM resource allocation error for account: {}", owner, e);
-            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("VM resource allocation error for account: %s. %s", owner.getUuid(), StringUtils.defaultString(e.getMessage())));
-        }
         String displayName = cmd.getDisplayName();
         if (StringUtils.isEmpty(displayName)) {
             displayName = instanceName;
@@ -2614,26 +2670,34 @@ private UserVmResponse importKvmInstance(ImportVmCmd cmd) {
 
         UserVm userVm = null;
 
-        if (ImportSource.EXTERNAL == importSource) {
-            String username = cmd.getUsername();
-            String password = cmd.getPassword();
-            String tmpPath = cmd.getTmpPath();
-            userVm = importExternalKvmVirtualMachine(unmanagedInstanceTO, instanceName, zone,
-                    template, displayName, hostName, caller, owner, userId,
-                    serviceOffering, dataDiskOfferingMap,
-                    nicNetworkMap, nicIpAddressMap, remoteUrl, username, password, tmpPath, details);
-        } else if (ImportSource.SHARED == importSource || ImportSource.LOCAL == importSource) {
-            try {
-                userVm = importKvmVirtualMachineFromDisk(importSource, instanceName, zone,
+        try {
+
+            if (ImportSource.EXTERNAL == importSource) {
+                String username = cmd.getUsername();
+                String password = cmd.getPassword();
+                String tmpPath = cmd.getTmpPath();
+                userVm = importExternalKvmVirtualMachine(unmanagedInstanceTO, instanceName, zone,
                         template, displayName, hostName, caller, owner, userId,
-                        serviceOffering, dataDiskOfferingMap, networkId, hostId, poolId, diskPath,
-                        details);
-            } catch (InsufficientCapacityException e) {
-                throw new RuntimeException(e);
-            } catch (ResourceAllocationException e) {
-                throw new RuntimeException(e);
+                        serviceOffering, dataDiskOfferingMap,
+                        nicNetworkMap, nicIpAddressMap, remoteUrl, username, password, tmpPath, details);
+            } else if (ImportSource.SHARED == importSource || ImportSource.LOCAL == importSource) {
+                try {
+                    userVm = importKvmVirtualMachineFromDisk(importSource, instanceName, zone,
+                            template, displayName, hostName, caller, owner, userId,
+                            serviceOffering, dataDiskOfferingMap, networkId, hostId, poolId, diskPath,
+                            details);
+                } catch (InsufficientCapacityException e) {
+                    throw new RuntimeException(e);
+                } catch (ResourceAllocationException e) {
+                    throw new RuntimeException(e);
+                }
             }
+
+        } catch (ResourceAllocationException e) {
+            logger.error(String.format("VM resource allocation error for account: %s", owner.getUuid()), e);
+            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("VM resource allocation error for account: %s. %s", owner.getUuid(), StringUtils.defaultString(e.getMessage())));
         }
+
         if (userVm == null) {
             throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("Failed to import Vm with name: %s ", instanceName));
         }
@@ -2647,7 +2711,7 @@ private UserVm importExternalKvmVirtualMachine(final UnmanagedInstanceTO unmanag
                                                 final VirtualMachineTemplate template, final String displayName, final String hostName, final Account caller, final Account owner, final Long userId,
                                                 final ServiceOfferingVO serviceOffering, final Map<String, Long> dataDiskOfferingMap,
                                                 final Map<String, Long> nicNetworkMap, final Map<String, Network.IpAddresses> callerNicIpAddressMap,
-                                                final String remoteUrl, String username, String password, String tmpPath, final Map<String, String> details) {
+                                                final String remoteUrl, String username, String password, String tmpPath, final Map<String, String> details) throws ResourceAllocationException {
         UserVm userVm = null;
 
         Map<String, String> allDetails = new HashMap<>(details);
@@ -2658,6 +2722,7 @@ private UserVm importExternalKvmVirtualMachine(final UnmanagedInstanceTO unmanag
             throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("No attached disks found for the unmanaged VM: %s", instanceName));
         }
 
+        DiskOfferingVO diskOffering = diskOfferingDao.findById(serviceOffering.getDiskOfferingId());
         Pair<UnmanagedInstanceTO.Disk, List<UnmanagedInstanceTO.Disk>> rootAndDataDisksPair = getRootAndDataDisks(unmanagedInstanceDisks, dataDiskOfferingMap);
         final UnmanagedInstanceTO.Disk rootDisk = rootAndDataDisksPair.first();
         final List<UnmanagedInstanceTO.Disk> dataDisks = rootAndDataDisksPair.second();
@@ -2666,18 +2731,23 @@ private UserVm importExternalKvmVirtualMachine(final UnmanagedInstanceTO unmanag
         }
         allDetails.put(VmDetailConstants.ROOT_DISK_CONTROLLER, rootDisk.getController());
 
-        // Check NICs and supplied networks
-        Map<String, Network.IpAddresses> nicIpAddressMap = getNicIpAddresses(unmanagedInstance.getNics(), callerNicIpAddressMap);
-        Map<String, Long> allNicNetworkMap = getUnmanagedNicNetworkMap(unmanagedInstance.getName(), unmanagedInstance.getNics(), nicNetworkMap, nicIpAddressMap, zone, hostName, owner, Hypervisor.HypervisorType.KVM);
-        if (!CollectionUtils.isEmpty(unmanagedInstance.getNics())) {
-            allDetails.put(VmDetailConstants.NIC_ADAPTER, unmanagedInstance.getNics().get(0).getAdapterType());
-        }
-        VirtualMachine.PowerState powerState = VirtualMachine.PowerState.PowerOff;
+        List<Reserver> reservations = new ArrayList<>();
+        try {
+            checkVmResourceLimitsForExternalKvmVmImport(owner, serviceOffering, (VMTemplateVO) template, details, reservations);
+            checkVolumeResourceLimitsForExternalKvmVmImport(owner, rootDisk, dataDisks, diskOffering, dataDiskOfferingMap, reservations);
+
+            // Check NICs and supplied networks
+            Map<String, Network.IpAddresses> nicIpAddressMap = getNicIpAddresses(unmanagedInstance.getNics(), callerNicIpAddressMap);
+            Map<String, Long> allNicNetworkMap = getUnmanagedNicNetworkMap(unmanagedInstance.getName(), unmanagedInstance.getNics(), nicNetworkMap, nicIpAddressMap, zone, hostName, owner, Hypervisor.HypervisorType.KVM);
+            if (!CollectionUtils.isEmpty(unmanagedInstance.getNics())) {
+                allDetails.put(VmDetailConstants.NIC_ADAPTER, unmanagedInstance.getNics().get(0).getAdapterType());
+            }
+            VirtualMachine.PowerState powerState = VirtualMachine.PowerState.PowerOff;
 
         try {
             userVm = userVmManager.importVM(zone, null, template, null, displayName, owner,
                     null, caller, true, null, owner.getAccountId(), userId,
-                    serviceOffering, null, hostName,
+                    serviceOffering, null, null, hostName,
                     Hypervisor.HypervisorType.KVM, allDetails, powerState, null);
         } catch (InsufficientCapacityException ice) {
             logger.error(String.format("Failed to import vm name: %s", instanceName), ice);
@@ -2686,77 +2756,93 @@ private UserVm importExternalKvmVirtualMachine(final UnmanagedInstanceTO unmanag
         if (userVm == null) {
             throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("Failed to import vm name: %s", instanceName));
         }
-        DiskOfferingVO diskOffering = diskOfferingDao.findById(serviceOffering.getDiskOfferingId());
         String rootVolumeName = String.format("ROOT-%s", userVm.getId());
-        DiskProfile diskProfile = volumeManager.allocateRawVolume(Volume.Type.ROOT, rootVolumeName, diskOffering, null, null, null, userVm, template, owner, null);
+        DiskProfile diskProfile = volumeManager.allocateRawVolume(Volume.Type.ROOT, rootVolumeName, diskOffering, null, null, null, userVm, template, owner, null, false);
 
         DiskProfile[] dataDiskProfiles = new DiskProfile[dataDisks.size()];
         int diskSeq = 0;
         for (UnmanagedInstanceTO.Disk disk : dataDisks) {
-            if (disk.getCapacity() == null || disk.getCapacity() == 0) {
-                throw new InvalidParameterValueException(String.format("Disk ID: %s size is invalid", disk.getDiskId()));
-            }
             DiskOffering offering = diskOfferingDao.findById(dataDiskOfferingMap.get(disk.getDiskId()));
-            DiskProfile dataDiskProfile = volumeManager.allocateRawVolume(Volume.Type.DATADISK, String.format("DATA-%d-%s", userVm.getId(), disk.getDiskId()), offering, null, null, null, userVm, template, owner, null);
+            DiskProfile dataDiskProfile = volumeManager.allocateRawVolume(Volume.Type.DATADISK, String.format("DATA-%d-%s", userVm.getId(), disk.getDiskId()), offering, null, null, null, userVm, template, owner, null, false);
             dataDiskProfiles[diskSeq++] = dataDiskProfile;
         }
 
-        final VirtualMachineProfile profile = new VirtualMachineProfileImpl(userVm, template, serviceOffering, owner, null);
-        ServiceOfferingVO dummyOffering = serviceOfferingDao.findById(userVm.getId(), serviceOffering.getId());
-        profile.setServiceOffering(dummyOffering);
-        DeploymentPlanner.ExcludeList excludeList = new DeploymentPlanner.ExcludeList();
-        final DataCenterDeployment plan = new DataCenterDeployment(zone.getId(), null, null, null, null, null);
-        DeployDestination dest = null;
-        try {
-            dest = deploymentPlanningManager.planDeployment(profile, plan, excludeList, null);
-        } catch (Exception e) {
-            logger.warn("Import failed for Vm: {} while finding deployment destination", userVm, e);
-            cleanupFailedImportVM(userVm);
-            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("Import failed for Vm: %s while finding deployment destination", userVm.getInstanceName()));
-        }
-        if(dest == null) {
-            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("Import failed for Vm: %s. Suitable deployment destination not found", userVm.getInstanceName()));
-        }
+            final VirtualMachineProfile profile = new VirtualMachineProfileImpl(userVm, template, serviceOffering, owner, null);
+            ServiceOfferingVO dummyOffering = serviceOfferingDao.findById(userVm.getId(), serviceOffering.getId());
+            profile.setServiceOffering(dummyOffering);
+            DeploymentPlanner.ExcludeList excludeList = new DeploymentPlanner.ExcludeList();
+            final DataCenterDeployment plan = new DataCenterDeployment(zone.getId(), null, null, null, null, null);
+            DeployDestination dest = null;
+            try {
+                dest = deploymentPlanningManager.planDeployment(profile, plan, excludeList, null);
+            } catch (Exception e) {
+                logger.warn("Import failed for Vm: {} while finding deployment destination", userVm, e);
+                cleanupFailedImportVM(userVm);
+                throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("Import failed for Vm: %s while finding deployment destination", userVm.getInstanceName()));
+            }
+            if(dest == null) {
+                throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("Import failed for Vm: %s. Suitable deployment destination not found", userVm.getInstanceName()));
+            }
 
-        List<Pair<DiskProfile, StoragePool>> diskProfileStoragePoolList = new ArrayList<>();
-        try {
-            if (rootDisk.getCapacity() == null || rootDisk.getCapacity() == 0) {
-                throw new InvalidParameterValueException(String.format("Root disk ID: %s size is invalid", rootDisk.getDiskId()));
+            List<Pair<DiskProfile, StoragePool>> diskProfileStoragePoolList = new ArrayList<>();
+            try {
+                diskProfileStoragePoolList.add(importExternalDisk(rootDisk, userVm, dest, diskOffering, Volume.Type.ROOT,
+                        template, null, remoteUrl, username, password, tmpPath, diskProfile));
+
+                long deviceId = 1L;
+                diskSeq = 0;
+                for (UnmanagedInstanceTO.Disk disk : dataDisks) {
+                    DiskProfile dataDiskProfile = dataDiskProfiles[diskSeq++];
+                    DiskOffering offering = diskOfferingDao.findById(dataDiskOfferingMap.get(disk.getDiskId()));
+
+                    diskProfileStoragePoolList.add(importExternalDisk(disk, userVm, dest, offering, Volume.Type.DATADISK,
+                            template, deviceId, remoteUrl, username, password, tmpPath, dataDiskProfile));
+                    deviceId++;
+                }
+            } catch (Exception e) {
+                logger.error(String.format("Failed to import volumes while importing vm: %s", instanceName), e);
+                cleanupFailedImportVM(userVm);
+                throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("Failed to import volumes while importing vm: %s. %s", instanceName, StringUtils.defaultString(e.getMessage())));
+            }
+            try {
+                int nicIndex = 0;
+                for (UnmanagedInstanceTO.Nic nic : unmanagedInstance.getNics()) {
+                    Network network = networkDao.findById(allNicNetworkMap.get(nic.getNicId()));
+                    Network.IpAddresses ipAddresses = nicIpAddressMap.get(nic.getNicId());
+                    importNic(nic, userVm, network, ipAddresses, nicIndex, nicIndex==0, true);
+                    nicIndex++;
+                }
+            } catch (Exception e) {
+                logger.error(String.format("Failed to import NICs while importing vm: %s", instanceName), e);
+                cleanupFailedImportVM(userVm);
+                throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("Failed to import NICs while importing vm: %s. %s", instanceName, StringUtils.defaultString(e.getMessage())));
             }
+            publishVMUsageUpdateResourceCount(userVm, dummyOffering, template);
+            return userVm;
 
-            diskProfileStoragePoolList.add(importExternalDisk(rootDisk, userVm, dest, diskOffering, Volume.Type.ROOT,
-                    template, null, remoteUrl, username, password, tmpPath, diskProfile));
+        } finally {
+            ReservationHelper.closeAll(reservations);
+        }
+    }
 
-            long deviceId = 1L;
-            diskSeq = 0;
-            for (UnmanagedInstanceTO.Disk disk : dataDisks) {
-                DiskProfile dataDiskProfile = dataDiskProfiles[diskSeq++];
-                DiskOffering offering = diskOfferingDao.findById(dataDiskOfferingMap.get(disk.getDiskId()));
+    protected void checkVolumeResourceLimitsForExternalKvmVmImport(Account owner, UnmanagedInstanceTO.Disk rootDisk,
+                                                                   List<UnmanagedInstanceTO.Disk> dataDisks, DiskOfferingVO rootDiskOffering,
+                                                                   Map<String, Long> dataDiskOfferingMap, List<Reserver> reservations) throws ResourceAllocationException {
+        if (rootDisk.getCapacity() == null || rootDisk.getCapacity() == 0) {
+            throw new InvalidParameterValueException(String.format("Root disk ID: %s size is invalid", rootDisk.getDiskId()));
+        }
+        resourceLimitService.checkVolumeResourceLimit(owner, true, rootDisk.getCapacity(), rootDiskOffering, reservations);
 
-                diskProfileStoragePoolList.add(importExternalDisk(disk, userVm, dest, offering, Volume.Type.DATADISK,
-                        template, deviceId, remoteUrl, username, password, tmpPath, dataDiskProfile));
-                deviceId++;
-            }
-        } catch (Exception e) {
-            logger.error(String.format("Failed to import volumes while importing vm: %s", instanceName), e);
-            cleanupFailedImportVM(userVm);
-            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("Failed to import volumes while importing vm: %s. %s", instanceName, StringUtils.defaultString(e.getMessage())));
+        if (CollectionUtils.isEmpty(dataDisks)) {
+            return;
         }
-        try {
-            int nicIndex = 0;
-            for (UnmanagedInstanceTO.Nic nic : unmanagedInstance.getNics()) {
-                Network network = networkDao.findById(allNicNetworkMap.get(nic.getNicId()));
-                Network.IpAddresses ipAddresses = nicIpAddressMap.get(nic.getNicId());
-                importNic(nic, userVm, network, ipAddresses, nicIndex, nicIndex==0, true);
-                nicIndex++;
+        for (UnmanagedInstanceTO.Disk disk : dataDisks) {
+            if (disk.getCapacity() == null || disk.getCapacity() == 0) {
+                throw new InvalidParameterValueException(String.format("Data disk ID: %s size is invalid", disk.getDiskId()));
             }
-        } catch (Exception e) {
-            logger.error(String.format("Failed to import NICs while importing vm: %s", instanceName), e);
-            cleanupFailedImportVM(userVm);
-            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("Failed to import NICs while importing vm: %s. %s", instanceName, StringUtils.defaultString(e.getMessage())));
+            DiskOffering offering = diskOfferingDao.findById(dataDiskOfferingMap.get(disk.getDiskId()));
+            resourceLimitService.checkVolumeResourceLimit(owner, true, disk.getCapacity(), offering, reservations);
         }
-        publishVMUsageUpdateResourceCount(userVm, dummyOffering, template);
-        return userVm;
     }
 
     private UserVm importKvmVirtualMachineFromDisk(final ImportSource importSource, final String instanceName, final DataCenter zone,
@@ -2812,82 +2898,136 @@ private UserVm importKvmVirtualMachineFromDisk(final ImportSource importSource,
         profiles.add(nicProfile);
         networkNicMap.put(network.getUuid(), profiles);
 
+        List<Reserver> reservations = new ArrayList<>();
         try {
+            checkVmResourceLimitsForExternalKvmVmImport(owner, serviceOffering, (VMTemplateVO) template, details, reservations);
             userVm = userVmManager.importVM(zone, null, template, null, displayName, owner,
                     null, caller, true, null, owner.getAccountId(), userId,
-                    serviceOffering, null, hostName,
+                    serviceOffering, null, null, hostName,
                     Hypervisor.HypervisorType.KVM, allDetails, powerState, networkNicMap);
-        } catch (InsufficientCapacityException ice) {
+
+            if (userVm == null) {
+                throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("Failed to import vm name: %s", instanceName));
+            }
+
+            DiskOfferingVO diskOffering = diskOfferingDao.findById(serviceOffering.getDiskOfferingId());
+            List<String> resourceLimitStorageTags = resourceLimitService.getResourceLimitStorageTagsForResourceCountOperation(true, diskOffering);
+            CheckedReservation volumeReservation = new CheckedReservation(owner, Resource.ResourceType.volume, resourceLimitStorageTags,
+                    CollectionUtils.isNotEmpty(resourceLimitStorageTags) ? 1L : 0L, reservationDao, resourceLimitService);
+            reservations.add(volumeReservation);
+
+            String rootVolumeName = String.format("ROOT-%s", userVm.getId());
+            DiskProfile diskProfile = volumeManager.allocateRawVolume(Volume.Type.ROOT, rootVolumeName, diskOffering, null, null, null, userVm, template, owner, null, false);
+
+            final VirtualMachineProfile profile = new VirtualMachineProfileImpl(userVm, template, serviceOffering, owner, null);
+            ServiceOfferingVO dummyOffering = serviceOfferingDao.findById(userVm.getId(), serviceOffering.getId());
+            profile.setServiceOffering(dummyOffering);
+            DeploymentPlanner.ExcludeList excludeList = new DeploymentPlanner.ExcludeList();
+            final DataCenterDeployment plan = new DataCenterDeployment(zone.getId(), null, null, hostId, poolId, null);
+            DeployDestination dest = null;
+            try {
+                dest = deploymentPlanningManager.planDeployment(profile, plan, excludeList, null);
+            } catch (Exception e) {
+                logger.warn("Import failed for Vm: {} while finding deployment destination", userVm, e);
+                cleanupFailedImportVM(userVm);
+                throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("Import failed for Vm: %s while finding deployment destination", userVm.getInstanceName()));
+            }
+            if(dest == null) {
+                throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("Import failed for Vm: %s. Suitable deployment destination not found", userVm.getInstanceName()));
+            }
+
+            Map<Volume, StoragePool> storage = dest.getStorageForDisks();
+            Volume volume = volumeDao.findById(diskProfile.getVolumeId());
+            StoragePool storagePool = storage.get(volume);
+            CheckVolumeCommand checkVolumeCommand = new CheckVolumeCommand();
+            checkVolumeCommand.setSrcFile(diskPath);
+            StorageFilerTO storageTO = new StorageFilerTO(storagePool);
+            checkVolumeCommand.setStorageFilerTO(storageTO);
+            Answer answer = agentManager.easySend(dest.getHost().getId(), checkVolumeCommand);
+            if (!(answer instanceof CheckVolumeAnswer)) {
+                cleanupFailedImportVM(userVm);
+                throw new CloudRuntimeException("Disk not found or is invalid");
+            }
+            CheckVolumeAnswer checkVolumeAnswer = (CheckVolumeAnswer) answer;
+            try {
+                checkVolume(checkVolumeAnswer.getVolumeDetails());
+            } catch (CloudRuntimeException e) {
+                cleanupFailedImportVM(userVm);
+                throw e;
+            }
+            if (!checkVolumeAnswer.getResult()) {
+                cleanupFailedImportVM(userVm);
+                throw new CloudRuntimeException("Disk not found or is invalid");
+            }
+            diskProfile.setSize(checkVolumeAnswer.getSize());
+
+            CheckedReservation primaryStorageReservation = new CheckedReservation(owner, Resource.ResourceType.primary_storage, resourceLimitStorageTags,
+                    CollectionUtils.isNotEmpty(resourceLimitStorageTags) ? diskProfile.getSize() : 0L, reservationDao, resourceLimitService);
+            reservations.add(primaryStorageReservation);
+
+            List<Pair<DiskProfile, StoragePool>> diskProfileStoragePoolList = new ArrayList<>();
+            try {
+                long deviceId = 1L;
+                if(ImportSource.SHARED == importSource) {
+                    diskProfileStoragePoolList.add(importKVMSharedDisk(userVm, diskOffering, Volume.Type.ROOT,
+                            template, deviceId, poolId, diskPath, diskProfile));
+                } else if(ImportSource.LOCAL == importSource) {
+                    diskProfileStoragePoolList.add(importKVMLocalDisk(userVm, diskOffering, Volume.Type.ROOT,
+                            template, deviceId, hostId, diskPath, diskProfile));
+                }
+            } catch (Exception e) {
+                logger.error(String.format("Failed to import volumes while importing vm: %s", instanceName), e);
+                cleanupFailedImportVM(userVm);
+                throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("Failed to import volumes while importing vm: %s. %s", instanceName, StringUtils.defaultString(e.getMessage())));
+            }
+            networkOrchestrationService.importNic(macAddress, 0, network, true, userVm, requestedIpPair, zone, true);
+            publishVMUsageUpdateResourceCount(userVm, dummyOffering, template);
+            return userVm;
+
+        } catch (InsufficientCapacityException ice) { // This will be thrown by com.cloud.vm.UserVmService.importVM
             logger.error(String.format("Failed to import vm name: %s", instanceName), ice);
             throw new ServerApiException(ApiErrorCode.INSUFFICIENT_CAPACITY_ERROR, ice.getMessage());
-        }
-        if (userVm == null) {
-            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("Failed to import vm name: %s", instanceName));
-        }
-        DiskOfferingVO diskOffering = diskOfferingDao.findById(serviceOffering.getDiskOfferingId());
-        String rootVolumeName = String.format("ROOT-%s", userVm.getId());
-        DiskProfile diskProfile = volumeManager.allocateRawVolume(Volume.Type.ROOT, rootVolumeName, diskOffering, null, null, null, userVm, template, owner, null);
-
-        final VirtualMachineProfile profile = new VirtualMachineProfileImpl(userVm, template, serviceOffering, owner, null);
-        ServiceOfferingVO dummyOffering = serviceOfferingDao.findById(userVm.getId(), serviceOffering.getId());
-        profile.setServiceOffering(dummyOffering);
-        DeploymentPlanner.ExcludeList excludeList = new DeploymentPlanner.ExcludeList();
-        final DataCenterDeployment plan = new DataCenterDeployment(zone.getId(), null, null, hostId, poolId, null);
-        DeployDestination dest = null;
-        try {
-            dest = deploymentPlanningManager.planDeployment(profile, plan, excludeList, null);
-        } catch (Exception e) {
-            logger.warn("Import failed for Vm: {} while finding deployment destination", userVm, e);
-            cleanupFailedImportVM(userVm);
-            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("Import failed for Vm: %s while finding deployment destination", userVm.getInstanceName()));
-        }
-        if(dest == null) {
-            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("Import failed for Vm: %s. Suitable deployment destination not found", userVm.getInstanceName()));
-        }
-
-        Map<Volume, StoragePool> storage = dest.getStorageForDisks();
-        Volume volume = volumeDao.findById(diskProfile.getVolumeId());
-        StoragePool storagePool = storage.get(volume);
-        CheckVolumeCommand checkVolumeCommand = new CheckVolumeCommand();
-        checkVolumeCommand.setSrcFile(diskPath);
-        StorageFilerTO storageTO = new StorageFilerTO(storagePool);
-        checkVolumeCommand.setStorageFilerTO(storageTO);
-        Answer answer = agentManager.easySend(dest.getHost().getId(), checkVolumeCommand);
-        if (!(answer instanceof CheckVolumeAnswer)) {
-            cleanupFailedImportVM(userVm);
-            throw new CloudRuntimeException("Disk not found or is invalid");
-        }
-        CheckVolumeAnswer checkVolumeAnswer = (CheckVolumeAnswer) answer;
-        try {
-            checkVolume(checkVolumeAnswer.getVolumeDetails());
-        } catch (CloudRuntimeException e) {
+        } catch (ResourceAllocationException e) {
             cleanupFailedImportVM(userVm);
             throw e;
+        } finally {
+            ReservationHelper.closeAll(reservations);
         }
-        if (!checkVolumeAnswer.getResult()) {
-            cleanupFailedImportVM(userVm);
-            throw new CloudRuntimeException("Disk not found or is invalid");
+    }
+
+    protected void checkVmResourceLimitsForExternalKvmVmImport(Account owner, ServiceOfferingVO serviceOffering, VMTemplateVO template, Map<String, String> details, List<Reserver> reservations) throws ResourceAllocationException {
+        // When importing an external VM, the amount of CPUs and memory is always obtained from the compute offering,
+        // unlike the unmanaged instance import that obtains it from the hypervisor unless the VM is powered off and the offering is fixed
+        Integer cpu = serviceOffering.getCpu();
+        Integer memory = serviceOffering.getRamSize();
+
+        if (serviceOffering.isDynamic()) {
+            cpu = getDetailAsInteger(VmDetailConstants.CPU_NUMBER, details);
+            memory = getDetailAsInteger(VmDetailConstants.MEMORY, details);
         }
-        diskProfile.setSize(checkVolumeAnswer.getSize());
 
-        List<Pair<DiskProfile, StoragePool>> diskProfileStoragePoolList = new ArrayList<>();
+        List<String> resourceLimitHostTags = resourceLimitService.getResourceLimitHostTags(serviceOffering, template);
+
+        CheckedReservation vmReservation = new CheckedReservation(owner, Resource.ResourceType.user_vm, resourceLimitHostTags, 1L, reservationDao, resourceLimitService);
+        reservations.add(vmReservation);
+
+        CheckedReservation cpuReservation = new CheckedReservation(owner, Resource.ResourceType.cpu, resourceLimitHostTags, cpu.longValue(), reservationDao, resourceLimitService);
+        reservations.add(cpuReservation);
+
+        CheckedReservation memReservation = new CheckedReservation(owner, Resource.ResourceType.memory, resourceLimitHostTags, memory.longValue(), reservationDao, resourceLimitService);
+        reservations.add(memReservation);
+    }
+
+    protected Integer getDetailAsInteger(String key, Map<String, String> details) {
+        String detail = details.get(key);
+        if (detail == null) {
+            throw new InvalidParameterValueException(String.format("Detail '%s' must be provided.", key));
+        }
         try {
-            long deviceId = 1L;
-            if(ImportSource.SHARED == importSource) {
-                diskProfileStoragePoolList.add(importKVMSharedDisk(userVm, diskOffering, Volume.Type.ROOT,
-                        template, deviceId, poolId, diskPath, diskProfile));
-            } else if(ImportSource.LOCAL == importSource) {
-                diskProfileStoragePoolList.add(importKVMLocalDisk(userVm, diskOffering, Volume.Type.ROOT,
-                        template, deviceId, hostId, diskPath, diskProfile));
-            }
-        } catch (Exception e) {
-            logger.error(String.format("Failed to import volumes while importing vm: %s", instanceName), e);
-            cleanupFailedImportVM(userVm);
-            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, String.format("Failed to import volumes while importing vm: %s. %s", instanceName, StringUtils.defaultString(e.getMessage())));
+            return Integer.valueOf(detail);
+        } catch (NumberFormatException e) {
+            throw new InvalidParameterValueException(String.format("Please provide a valid integer value for detail '%s'.", key));
         }
-        networkOrchestrationService.importNic(macAddress, 0, network, true, userVm, requestedIpPair, zone, true);
-        publishVMUsageUpdateResourceCount(userVm, dummyOffering, template);
-        return userVm;
     }
 
     private void checkVolume(Map<VolumeOnStorageTO.Detail, String> volumeDetails) {
@@ -2909,7 +3049,7 @@ private void checkVolume(Map<VolumeOnStorageTO.Detail, String> volumeDetails) {
         }
         if (volumeDetails.containsKey(VolumeOnStorageTO.Detail.BACKING_FILE)) {
             String backingFile = volumeDetails.get(VolumeOnStorageTO.Detail.BACKING_FILE);
-            if (StringUtils.isNotBlank(backingFile)) {
+            if (StringUtils.isNotBlank(backingFile) && !AllowImportVolumeWithBackingFile.value()) {
                 logFailureAndThrowException("Volume with backing file cannot be imported or unmanaged.");
             }
         }
@@ -3000,9 +3140,8 @@ public ListResponse<UnmanagedInstanceResponse> listVmsForImport(ListVmsForImport
                     !instance.getName().toLowerCase().contains(keyword)) {
                 continue;
             }
-            responses.add(createUnmanagedInstanceResponse(instance, null, null));
+            responses.add(responseGenerator.createUnmanagedInstanceResponse(instance, null, null));
         }
-
         ListResponse<UnmanagedInstanceResponse> listResponses = new ListResponse<>();
         listResponses.setResponses(responses, responses.size());
         return listResponses;
diff --git a/server/src/main/resources/META-INF/cloudstack/core/spring-server-core-misc-context.xml b/server/src/main/resources/META-INF/cloudstack/core/spring-server-core-misc-context.xml
index f4fd57d59fc4..755c50f7a3a3 100644
--- a/server/src/main/resources/META-INF/cloudstack/core/spring-server-core-misc-context.xml
+++ b/server/src/main/resources/META-INF/cloudstack/core/spring-server-core-misc-context.xml
@@ -83,4 +83,9 @@
 
     <bean id="domainHelper" class="com.cloud.utils.DomainHelper" />
 
+    <bean id="jsonConfigValidator" class="org.apache.cloudstack.gui.theme.json.config.validator.JsonConfigValidator" />
+    <bean id="errorAttribute" class="org.apache.cloudstack.gui.theme.json.config.validator.attributes.ErrorAttribute" />
+    <bean id="pluginsAttribute" class="org.apache.cloudstack.gui.theme.json.config.validator.attributes.PluginsAttribute" />
+    <bean id="themeAttribute" class="org.apache.cloudstack.gui.theme.json.config.validator.attributes.ThemeAttribute" />
+    <bean id="userCardAttribute" class="org.apache.cloudstack.gui.theme.json.config.validator.attributes.UserCardAttribute" />
 </beans>
diff --git a/server/src/main/resources/META-INF/cloudstack/server-allocator/spring-server-allocator-context.xml b/server/src/main/resources/META-INF/cloudstack/server-allocator/spring-server-allocator-context.xml
index d3781649845b..28b96b8d194b 100644
--- a/server/src/main/resources/META-INF/cloudstack/server-allocator/spring-server-allocator-context.xml
+++ b/server/src/main/resources/META-INF/cloudstack/server-allocator/spring-server-allocator-context.xml
@@ -34,6 +34,9 @@
     <bean id="firstFitAllocator"
         class="com.cloud.agent.manager.allocator.impl.FirstFitAllocator" />
 
+    <bean id="randomAllocator"
+          class="com.cloud.agent.manager.allocator.impl.RandomAllocator" />
+
     <bean id="FirstFitRouting"
         class="com.cloud.agent.manager.allocator.impl.FirstFitRoutingAllocator">
         <property name="name" value="FirstFitRouting" />
diff --git a/server/src/test/java/com/cloud/agent/manager/allocator/impl/BaseAllocatorTest.java b/server/src/test/java/com/cloud/agent/manager/allocator/impl/BaseAllocatorTest.java
new file mode 100644
index 000000000000..ddd1e3959d51
--- /dev/null
+++ b/server/src/test/java/com/cloud/agent/manager/allocator/impl/BaseAllocatorTest.java
@@ -0,0 +1,219 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.agent.manager.allocator.impl;
+
+import com.cloud.capacity.CapacityManager;
+import com.cloud.deploy.DeploymentPlan;
+import com.cloud.deploy.DeploymentPlanner;
+import com.cloud.host.Host;
+import com.cloud.host.HostVO;
+import com.cloud.host.dao.HostDao;
+import com.cloud.offering.ServiceOffering;
+import com.cloud.service.ServiceOfferingVO;
+import com.cloud.utils.Pair;
+import com.cloud.vm.VirtualMachineProfile;
+import org.junit.Assert;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.Mockito;
+import org.mockito.Spy;
+import org.mockito.junit.MockitoJUnitRunner;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+@RunWith(MockitoJUnitRunner.class)
+public class BaseAllocatorTest {
+    @Mock
+    HostDao hostDaoMock;
+
+    @Mock
+    CapacityManager capacityManagerMock;
+
+    @InjectMocks
+    @Spy
+    BaseAllocator baseAllocator = new MockBaseAllocator();
+
+    private final Host.Type type = Host.Type.Routing;
+
+    private final Long clusterId = 1L;
+
+    private final Long podId = 2L;
+
+    private final Long dcId = 3L;
+
+    private final HostVO host1 = Mockito.mock(HostVO.class);
+
+    private final HostVO host2 = Mockito.mock(HostVO.class);
+
+    private final HostVO host3 = Mockito.mock(HostVO.class);
+
+    private final ServiceOfferingVO serviceOffering = Mockito.mock(ServiceOfferingVO.class);
+
+    private final String hostTag = "hostTag";
+
+    @Test
+    public void retainHostsMatchingServiceOfferingAndTemplateTagsTestHasServiceOfferingTagShouldRetainHostsWithServiceOfferingTag() {
+        List<HostVO> suitableHosts = new ArrayList<>(Arrays.asList(host1, host2, host3));
+        List<HostVO> hostsWithMathingTags = new ArrayList<>(Arrays.asList(host1, host3));
+        String hostTagOnTemplate = "hostTagOnTemplate";
+        String hostTagOnOffering = null;
+
+        Mockito.doReturn(hostsWithMathingTags).when(hostDaoMock).listByHostTag(type, clusterId, podId, dcId, hostTagOnTemplate);
+        baseAllocator.retainHostsMatchingServiceOfferingAndTemplateTags(suitableHosts, type, dcId, podId, clusterId, hostTagOnOffering, hostTagOnTemplate);
+
+        Assert.assertEquals(2, suitableHosts.size());
+        Assert.assertEquals(host1, suitableHosts.get(0));
+        Assert.assertEquals(host3, suitableHosts.get(1));
+    }
+
+    @Test
+    public void retainHostsMatchingServiceOfferingAndTemplateTagsTestHasServiceOfferingTagAndHasHostTagOnTemplateShouldRetainHostsWithServiceOfferingTagAndTemplateTag() {
+        List<HostVO> suitableHosts = new ArrayList<>(Arrays.asList(host1, host2, host3));
+        List<HostVO> hostsWithMathingServiceTags = new ArrayList<>(Arrays.asList(host1, host3));
+        List<HostVO> hostsWithMathingTemplateTags = new ArrayList<>(Arrays.asList(host1, host2));
+        String hostTagOnTemplate = "hostTagOnTemplate";
+        String hostTagOnOffering = "hostTagOnOffering";
+
+        Mockito.doReturn(hostsWithMathingTemplateTags).when(hostDaoMock).listByHostTag(type, clusterId, podId, dcId, hostTagOnTemplate);
+        Mockito.doReturn(hostsWithMathingServiceTags).when(hostDaoMock).listByHostTag(type, clusterId, podId, dcId, hostTagOnOffering);
+        baseAllocator.retainHostsMatchingServiceOfferingAndTemplateTags(suitableHosts, type, dcId, podId, clusterId, hostTagOnOffering, hostTagOnTemplate);
+
+        Assert.assertEquals(1, suitableHosts.size());
+        Assert.assertEquals(host1, suitableHosts.get(0));
+    }
+
+    @Test
+    public void retainHostsMatchingServiceOfferingAndTemplateTagsTestHasHostTagOnTemplateShouldRetainHostsWithTemplateTag() {
+        List<HostVO> suitableHosts = new ArrayList<>(Arrays.asList(host1, host2, host3));
+        List<HostVO> hostsWithMathingServiceTags = new ArrayList<>(Arrays.asList(host1, host3));
+        String hostTagOnTemplate = null;
+        String hostTagOnOffering = "hostTagOnOffering";
+
+        Mockito.doReturn(hostsWithMathingServiceTags).when(hostDaoMock).listByHostTag(type, clusterId, podId, dcId, hostTagOnOffering);
+        baseAllocator.retainHostsMatchingServiceOfferingAndTemplateTags(suitableHosts, type, dcId, podId, clusterId, hostTagOnOffering, hostTagOnTemplate);
+
+        Assert.assertEquals(2, suitableHosts.size());
+        Assert.assertEquals(host1, suitableHosts.get(0));
+        Assert.assertEquals(host3, suitableHosts.get(1));
+    }
+
+    @Test
+    public void retainHostsMatchingServiceOfferingAndTemplateTagsTestNoServiceTagAndNoTemplateTagShouldHaveAllSuitableHosts() {
+        List<HostVO> suitableHosts = new ArrayList<>(Arrays.asList(host1, host2, host3));
+        String hostTagOnTemplate = null;
+        String hostTagOnOffering = null;
+
+        baseAllocator.retainHostsMatchingServiceOfferingAndTemplateTags(suitableHosts, type, dcId, podId, clusterId, hostTagOnOffering, hostTagOnTemplate);
+
+        Assert.assertEquals(3, suitableHosts.size());
+        Assert.assertEquals(host1, suitableHosts.get(0));
+        Assert.assertEquals(host2, suitableHosts.get(1));
+        Assert.assertEquals(host3, suitableHosts.get(2));
+    }
+
+    @Test
+    public void addHostsBasedOnTagRulesTestHostsWithTagRuleIsEmptyShouldNotAddToSuitableHosts() {
+        List<HostVO> suitableHosts = new ArrayList<>(Arrays.asList(host1, host2));
+        List<HostVO> emptyList = new ArrayList<>();
+
+        Mockito.doReturn(emptyList).when(hostDaoMock).findHostsWithTagRuleThatMatchComputeOfferingTags(Mockito.anyString());
+        baseAllocator.addHostsBasedOnTagRules(hostTag, suitableHosts);
+
+        Assert.assertEquals(2, suitableHosts.size());
+        Assert.assertEquals(host1, suitableHosts.get(0));
+        Assert.assertEquals(host2, suitableHosts.get(1));
+    }
+
+    @Test
+    public void addHostsBasedOnTagRulesTestHostsWithTagRuleIsNotEmptyShouldAddToSuitableHosts() {
+        List<HostVO> suitableHosts = new ArrayList<>(Arrays.asList(host1, host2));
+        List<HostVO> hostsMatchingRuleTag = new ArrayList<>(Arrays.asList(host3));
+
+        Mockito.doReturn(hostsMatchingRuleTag).when(hostDaoMock).findHostsWithTagRuleThatMatchComputeOfferingTags(Mockito.anyString());
+        baseAllocator.addHostsBasedOnTagRules(hostTag, suitableHosts);
+
+        Assert.assertEquals(3, suitableHosts.size());
+        Assert.assertEquals(host1, suitableHosts.get(0));
+        Assert.assertEquals(host2, suitableHosts.get(1));
+        Assert.assertEquals(host3, suitableHosts.get(2));
+    }
+
+    @Test
+    public void hostHasCpuCapabilityAndCapacityTestHostHasCpuCapabilityAndCpuCapacityShouldReturnTrue() {
+        Boolean hasCpuCapability = true;
+        Boolean hasCpuCapacity = true;
+        Pair<Boolean, Boolean> pair = new Pair<>(hasCpuCapability, hasCpuCapacity);
+
+        Mockito.doReturn(pair).when(capacityManagerMock).checkIfHostHasCpuCapabilityAndCapacity(Mockito.any(Host.class), Mockito.any(ServiceOffering.class), Mockito.anyBoolean());
+        boolean result = baseAllocator.hostHasCpuCapabilityAndCapacity(true, serviceOffering, host1);
+
+        Assert.assertTrue(result);
+    }
+
+    @Test
+    public void hostHasCpuCapabilityAndCapacityTestHostHasCpuCapabilityButNoCpuCapacityShouldReturnFalse() {
+        Boolean hasCpuCapability = true;
+        Boolean hasCpuCapacity = false;
+        Pair<Boolean, Boolean> pair = new Pair<>(hasCpuCapability, hasCpuCapacity);
+
+        Mockito.doReturn(pair).when(capacityManagerMock).checkIfHostHasCpuCapabilityAndCapacity(Mockito.any(Host.class), Mockito.any(ServiceOffering.class), Mockito.anyBoolean());
+        boolean result = baseAllocator.hostHasCpuCapabilityAndCapacity(true, serviceOffering, host1);
+
+        Assert.assertFalse(result);
+    }
+
+    @Test
+    public void hostHasCpuCapabilityAndCapacityTestHostDoesNotHaveCpuCapabilityButHasCpuCapacityShouldReturnFalse() {
+        Boolean hasCpuCapability = false;
+        Boolean hasCpuCapacity = true;
+        Pair<Boolean, Boolean> pair = new Pair<>(hasCpuCapability, hasCpuCapacity);
+
+        Mockito.doReturn(pair).when(capacityManagerMock).checkIfHostHasCpuCapabilityAndCapacity(Mockito.any(Host.class), Mockito.any(ServiceOffering.class), Mockito.anyBoolean());
+        boolean result = baseAllocator.hostHasCpuCapabilityAndCapacity(true, serviceOffering, host1);
+
+        Assert.assertFalse(result);
+    }
+
+    @Test
+    public void hostHasCpuCapabilityAndCapacityTestHostDoesNotHaveCpuCapabilityAndCpuCapacityShouldReturnFalse() {
+        Boolean hasCpuCapability = false;
+        Boolean hasCpuCapacity = false;
+        Pair<Boolean, Boolean> pair = new Pair<>(hasCpuCapability, hasCpuCapacity);
+
+        Mockito.doReturn(pair).when(capacityManagerMock).checkIfHostHasCpuCapabilityAndCapacity(Mockito.any(Host.class), Mockito.any(ServiceOffering.class), Mockito.anyBoolean());
+        boolean result = baseAllocator.hostHasCpuCapabilityAndCapacity(true, serviceOffering, host1);
+
+        Assert.assertFalse(result);
+    }
+
+    class MockBaseAllocator extends BaseAllocator {
+
+        @Override
+        public List<Host> allocateTo(VirtualMachineProfile vmProfile, DeploymentPlan plan, Host.Type type, DeploymentPlanner.ExcludeList avoid, int returnUpTo) {
+            return null;
+        }
+
+        @Override
+        public List<Host> allocateTo(VirtualMachineProfile vmProfile, DeploymentPlan plan, Host.Type type, DeploymentPlanner.ExcludeList avoid, List<? extends Host> hosts, int returnUpTo, boolean considerReservedCapacity) {
+            return null;
+        }
+    }
+}
diff --git a/server/src/test/java/com/cloud/agent/manager/allocator/impl/FirstFitAllocatorTest.java b/server/src/test/java/com/cloud/agent/manager/allocator/impl/FirstFitAllocatorTest.java
index 0d6a6fa8ff92..00cac5bbd52c 100644
--- a/server/src/test/java/com/cloud/agent/manager/allocator/impl/FirstFitAllocatorTest.java
+++ b/server/src/test/java/com/cloud/agent/manager/allocator/impl/FirstFitAllocatorTest.java
@@ -18,214 +18,596 @@
 
 package com.cloud.agent.manager.allocator.impl;
 
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import com.cloud.agent.manager.allocator.HostAllocator;
 import com.cloud.capacity.CapacityManager;
 import com.cloud.capacity.CapacityVO;
 import com.cloud.deploy.DeploymentPlan;
 import com.cloud.deploy.DeploymentPlanner;
 import com.cloud.host.Host;
+import com.cloud.host.HostVO;
+import com.cloud.host.dao.HostDao;
 import com.cloud.offering.ServiceOffering;
 import com.cloud.resource.ResourceManager;
+import com.cloud.service.ServiceOfferingDetailsVO;
+import com.cloud.service.ServiceOfferingVO;
 import com.cloud.service.dao.ServiceOfferingDetailsDao;
+import com.cloud.storage.VMTemplateVO;
 import com.cloud.user.Account;
 import com.cloud.utils.Pair;
+import com.cloud.vm.VMInstanceDetailVO;
 import com.cloud.vm.VirtualMachineProfile;
+import com.cloud.vm.dao.VMInstanceDetailsDao;
+import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
 import org.junit.Assert;
-import org.junit.Before;
 import org.junit.Test;
-
+import org.junit.runner.RunWith;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.Mockito;
+import org.mockito.Spy;
+import org.mockito.junit.MockitoJUnitRunner;
+
+import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.ArgumentMatchers.anyMap;
-import static org.mockito.ArgumentMatchers.anyString;
-import static org.mockito.ArgumentMatchers.eq;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
+@RunWith(MockitoJUnitRunner.class)
+public class FirstFitAllocatorTest {
+  private static final double TOLERANCE = 0.0001;
 
+  @Mock
+  HostDao hostDaoMock;
 
-public class FirstFitAllocatorTest {
-    private static final double TOLERANCE = 0.0001;
-    private FirstFitAllocator allocator;
-    private CapacityManager capacityMgr;
-    private ServiceOfferingDetailsDao offeringDetailsDao;
-    private ResourceManager resourceMgr;
-
-    private DeploymentPlan plan;
-    private ServiceOffering offering;
-    private DeploymentPlanner.ExcludeList avoid;
-    private Account account;
-
-    private Host host1;
-    private Host host2;
-    private VirtualMachineProfile vmProfile;
-    ConfigurationDao configDao;
-
-    @Before
-    public void setUp() {
-        allocator = new FirstFitAllocator();
-        capacityMgr = mock(CapacityManager.class);
-        offeringDetailsDao = mock(ServiceOfferingDetailsDao.class);
-        resourceMgr = mock(ResourceManager.class);
-        configDao = mock(ConfigurationDao.class);
-
-        allocator._capacityMgr = capacityMgr;
-        allocator._serviceOfferingDetailsDao = offeringDetailsDao;
-        allocator._resourceMgr = resourceMgr;
-        allocator._configDao = configDao;
-
-        plan = mock(DeploymentPlan.class);
-        offering = mock(ServiceOffering.class);
-        avoid = mock(DeploymentPlanner.ExcludeList.class);
-        account = mock(Account.class);
-
-        host1 = mock(Host.class);
-        host2 = mock(Host.class);
-
-        vmProfile = mock(VirtualMachineProfile.class);
-        when(vmProfile.getId()).thenReturn(1L);
-
-        when(plan.getDataCenterId()).thenReturn(1L);
-        when(offering.getCpu()).thenReturn(2);
-        when(offering.getSpeed()).thenReturn(1000);
-        when(offering.getRamSize()).thenReturn(2048);
-        when(offering.getId()).thenReturn(123L);
-        when(offering.getHostTag()).thenReturn(null);
-        when(offering.getVgpuProfileId()).thenReturn(null);
-    }
-
-    @Test
-    public void testConfigure() throws Exception {
-        when(configDao.getConfiguration(anyMap())).thenReturn(new HashMap<>());
-        assertTrue(allocator._checkHvm);
-        assertTrue(allocator.configure("test", new HashMap<>()));
-    }
-
-    @Test
-    public void testAllocateTo_SuccessfulMatch() {
-        List<Host> inputHosts = Arrays.asList(host1, host2);
-
-        // All hosts are allowed
-        when(avoid.shouldAvoid(host1)).thenReturn(false);
-        when(avoid.shouldAvoid(host2)).thenReturn(false);
-
-        // No GPU requirement
-        when(offeringDetailsDao.findDetail(eq(123L), anyString())).thenReturn(null);
-
-        // CPU capability and capacity is met
-        when(capacityMgr.checkIfHostReachMaxGuestLimit(any())).thenReturn(false);
-        when(capacityMgr.checkIfHostHasCpuCapabilityAndCapacity(eq(host1), eq(offering), eq(true)))
-                .thenReturn(new Pair<>(true, true));
-        when(capacityMgr.checkIfHostHasCpuCapabilityAndCapacity(eq(host2), eq(offering), eq(true)))
-                .thenReturn(new Pair<>(true, false));
-
-
-        when(resourceMgr.isGPUDeviceAvailable(offering, host1, vmProfile.getId())).thenReturn(true);
-        when(resourceMgr.isGPUDeviceAvailable(offering, host2, vmProfile.getId())).thenReturn(true);
-
-        List<Host> result = allocator.allocateTo(vmProfile, plan, offering, null, avoid, inputHosts, 2, true, account);
-
-        // Only host1 should be returned
-        assertEquals(1, result.size());
-        assertTrue(result.contains(host1));
-        assertFalse(result.contains(host2));
-    }
-
-    @Test
-    public void testAllocateTo_AvoidSetAndGuestLimit() {
-        List<Host> inputHosts = Arrays.asList(host1, host2);
-
-        when(avoid.shouldAvoid(host1)).thenReturn(true); // Avoided
-        when(avoid.shouldAvoid(host2)).thenReturn(false);
-
-        when(capacityMgr.checkIfHostReachMaxGuestLimit(host2)).thenReturn(true); // Reached limit
-
-        List<Host> result = allocator.allocateTo(vmProfile, plan, offering, null, avoid, inputHosts, 2, true, account);
-
-        assertTrue(result.isEmpty());
-    }
-
-    @Test
-    public void testAllocateTo_GPUNotAvailable() {
-        List<Host> inputHosts = Arrays.asList(host1);
-        when(avoid.shouldAvoid(host1)).thenReturn(false);
-
-        // GPU required but not available
-        var vgpuDetail = mock(com.cloud.service.ServiceOfferingDetailsVO.class);
-        var pciDetail = mock(com.cloud.service.ServiceOfferingDetailsVO.class);
-        when(offeringDetailsDao.findDetail(eq(123L), eq("vgpuType"))).thenReturn(vgpuDetail);
-        when(offeringDetailsDao.findDetail(eq(123L), eq("pciDevice"))).thenReturn(pciDetail);
-        when(pciDetail.getValue()).thenReturn("NVIDIA");
-        when(vgpuDetail.getValue()).thenReturn("GRID");
-
-        when(resourceMgr.isGPUDeviceAvailable(offering, host1, vmProfile.getId())).thenReturn(false);
-
-        List<Host> result = allocator.allocateTo(vmProfile, plan, offering, null, avoid, inputHosts, 1, true, account);
-
-        assertTrue(result.isEmpty());
-    }
-
-    @Test
-    public void testHostByCombinedCapacityOrder() {
-        // Test scenario 1: Default capacity usage (0.5 weight)
-        List<CapacityVO> mockCapacity = getHostCapacities();
-        Map<Long, Double> hostByCombinedCapacity = FirstFitAllocator.getHostByCombinedCapacities(mockCapacity, 0.5);
-
-        // Verify host ordering and capacity values
-        Long firstHostId = hostByCombinedCapacity.keySet().iterator().next();
-        Assert.assertEquals("Host with ID 1 should be first in ordering", Long.valueOf(1L), firstHostId);
-        Assert.assertEquals("Host 1 combined capacity should match expected value",
-                0.9609375, hostByCombinedCapacity.get(1L), TOLERANCE);
-        Assert.assertEquals("Host 2 combined capacity should match expected value",
-                0.9296875, hostByCombinedCapacity.get(2L), TOLERANCE);
-
-        // Test scenario 2: Modified capacity usage (0.7 weight)
-        when(mockCapacity.get(0).getUsedCapacity()).thenReturn(1500L);
-        hostByCombinedCapacity = FirstFitAllocator.getHostByCombinedCapacities(mockCapacity, 0.7);
-
-        // Verify new ordering after capacity change
-        firstHostId = hostByCombinedCapacity.keySet().iterator().next();
-        Assert.assertEquals("Host with ID 2 should be first after capacity change", Long.valueOf(2L), firstHostId);
-        Assert.assertEquals("Host 2 combined capacity should match expected value after change",
-                0.9515625, hostByCombinedCapacity.get(2L), TOLERANCE);
-        Assert.assertEquals("Host 1 combined capacity should match expected value after change",
-                0.9484375, hostByCombinedCapacity.get(1L), TOLERANCE);
-    }
-
-    List<CapacityVO> getHostCapacities() {
-        CapacityVO cpuCapacity1 = mock(CapacityVO.class);
-        when(cpuCapacity1.getHostOrPoolId()).thenReturn(1L);
-        when(cpuCapacity1.getTotalCapacity()).thenReturn(32000L);
-        when(cpuCapacity1.getReservedCapacity()).thenReturn(0L);
-        when(cpuCapacity1.getUsedCapacity()).thenReturn(500L);
-        when(cpuCapacity1.getCapacityType()).thenReturn(CapacityVO.CAPACITY_TYPE_CPU);
-
-        CapacityVO cpuCapacity2 = mock(CapacityVO.class);
-        when(cpuCapacity2.getHostOrPoolId()).thenReturn(2L);
-        when(cpuCapacity2.getTotalCapacity()).thenReturn(32000L);
-        when(cpuCapacity2.getReservedCapacity()).thenReturn(0L);
-        when(cpuCapacity2.getUsedCapacity()).thenReturn(500L);
-        when(cpuCapacity2.getCapacityType()).thenReturn(CapacityVO.CAPACITY_TYPE_CPU);
-
-        CapacityVO memCapacity1 = mock(CapacityVO.class);
-        when(memCapacity1.getHostOrPoolId()).thenReturn(1L);
-        when(memCapacity1.getTotalCapacity()).thenReturn(8589934592L);
-        when(memCapacity1.getReservedCapacity()).thenReturn(0L);
-        when(memCapacity1.getUsedCapacity()).thenReturn(536870912L);
-        when(memCapacity1.getCapacityType()).thenReturn(CapacityVO.CAPACITY_TYPE_MEMORY);
-
-        CapacityVO memCapacity2 = mock(CapacityVO.class);
-        when(memCapacity2.getHostOrPoolId()).thenReturn(2L);
-        when(memCapacity2.getTotalCapacity()).thenReturn(8589934592L);
-        when(memCapacity2.getReservedCapacity()).thenReturn(0L);
-        when(memCapacity2.getUsedCapacity()).thenReturn(1073741824L);
-        when(memCapacity1.getCapacityType()).thenReturn(CapacityVO.CAPACITY_TYPE_MEMORY);
-        return Arrays.asList(cpuCapacity1, memCapacity1, cpuCapacity2, memCapacity2);
-    }
+  @Mock
+  ResourceManager resourceManagerMock;
+
+  @Mock
+  VMInstanceDetailsDao userVmDetailsDaoMock;
+
+  @Mock
+  ServiceOfferingDetailsDao serviceOfferingDetailsDao;
+
+  @Mock
+  CapacityManager capacityMgr;
+
+  @Mock
+  ConfigurationDao configDao;
+
+  @Spy
+  @InjectMocks
+  FirstFitAllocator firstFitAllocatorSpy;
+
+  private final Host.Type type = Host.Type.Routing;
+
+  private final Long clusterId = 1L;
+
+  private final Long podId = 2L;
+
+  private final Long dcId = 3L;
+
+  private final List<HostVO> emptyList = new ArrayList<>();
+
+  private final String hostTag = "hostTag";
+
+  private final String templateTag = "templateTag";
+
+  private final HostVO host1 = mock(HostVO.class);
+
+  private final HostVO host2 = mock(HostVO.class);
+
+  private final HostVO host3 = mock(HostVO.class);
+
+  private final ServiceOfferingVO serviceOffering = mock(ServiceOfferingVO.class);
+
+  private final DeploymentPlanner.ExcludeList excludeList = mock(DeploymentPlanner.ExcludeList.class);
+
+  private final VirtualMachineProfile virtualMachineProfile = mock(VirtualMachineProfile.class);
+
+  private final VMTemplateVO vmTemplateVO = mock(VMTemplateVO.class);
+
+  private final Account account = mock(Account.class);
+
+  private final DeploymentPlan deploymentPlan = mock(DeploymentPlan.class);
+
+  private final DeploymentPlanner.ExcludeList avoid = mock(DeploymentPlanner.ExcludeList.class);
+
+  private final ServiceOffering offering = mock(ServiceOffering.class);
+
+  private final boolean considerReservedCapacity = true;
+
+  @Test
+  public void testConfigure() throws Exception {
+    when(configDao.getConfiguration(Mockito.anyMap())).thenReturn(new HashMap<>());
+    Assert.assertTrue(firstFitAllocatorSpy._checkHvm);
+    Assert.assertTrue(firstFitAllocatorSpy.configure("test", new HashMap<>()));
+  }
+
+  @Test
+  public void testAllocateTo_SuccessfulMatch() {
+    List<Host> inputHosts = Arrays.asList(host1, host2);
+
+    // All hosts are allowed
+    when(avoid.shouldAvoid(host1)).thenReturn(false);
+    when(avoid.shouldAvoid(host2)).thenReturn(false);
+
+    // CPU capability and capacity is met
+    when(capacityMgr.checkIfHostReachMaxGuestLimit(Mockito.any(Host.class))).thenReturn(false);
+    when(capacityMgr.checkIfHostHasCpuCapabilityAndCapacity(host1, offering, true))
+        .thenReturn(new Pair<>(true, true));
+    when(capacityMgr.checkIfHostHasCpuCapabilityAndCapacity(host2, offering,true))
+        .thenReturn(new Pair<>(true, false));
+
+    when(resourceManagerMock.isGPUDeviceAvailable(offering, host1, virtualMachineProfile.getId())).thenReturn(true);
+    when(resourceManagerMock.isGPUDeviceAvailable(offering, host2, virtualMachineProfile.getId())).thenReturn(true);
+
+    List<Host> result = firstFitAllocatorSpy.allocateTo(virtualMachineProfile, deploymentPlan, offering, null, avoid, inputHosts, 2, true, account);
+
+    // Only host1 should be returned
+    Assert.assertEquals(1, result.size());
+    Assert.assertTrue(result.contains(host1));
+    Assert.assertFalse(result.contains(host2));
+  }
+
+  @Test
+  public void testAllocateTo_AvoidSetAndGuestLimit() {
+    List<Host> inputHosts = Arrays.asList(host1, host2);
+
+    when(avoid.shouldAvoid(host1)).thenReturn(true); // Avoided
+    when(avoid.shouldAvoid(host2)).thenReturn(false);
+
+    when(capacityMgr.checkIfHostReachMaxGuestLimit(host2)).thenReturn(true); // Reached limit
+
+    List<Host> result = firstFitAllocatorSpy.allocateTo(virtualMachineProfile, deploymentPlan, offering, null, avoid, inputHosts, 2, true, account);
+
+    Assert.assertTrue(result.isEmpty());
+  }
+
+  @Test
+  public void testAllocateTo_GPUNotAvailable() {
+    List<Host> inputHosts = Arrays.asList(host1);
+    when(avoid.shouldAvoid(host1)).thenReturn(false);
+    when(resourceManagerMock.isGPUDeviceAvailable(offering, host1, virtualMachineProfile.getId())).thenReturn(false);
+
+    List<Host> result = firstFitAllocatorSpy.allocateTo(virtualMachineProfile, deploymentPlan, offering, null, avoid, inputHosts, 1, true, account);
+
+    Assert.assertTrue(result.isEmpty());
+  }
+
+  @Test
+  public void allocateToTestHostTypeStorageShouldReturnNull() {
+    List<Host> suitableHosts = firstFitAllocatorSpy.allocateTo(virtualMachineProfile, deploymentPlan, Host.Type.Storage, excludeList, null, HostAllocator.RETURN_UPTO_ALL, considerReservedCapacity);
+
+    Assert.assertNull(suitableHosts);
+  }
+
+  @Test
+  public void allocateToTestSuitableHostsEmptyShouldReturnNull() {
+    Mockito.doReturn(serviceOffering).when(virtualMachineProfile).getServiceOffering();
+    Mockito.doReturn(vmTemplateVO).when(virtualMachineProfile).getTemplate();
+    Mockito.doReturn(account).when(virtualMachineProfile).getOwner();
+    Mockito.doReturn(hostTag).when(serviceOffering).getHostTag();
+    Mockito.doReturn(templateTag).when(vmTemplateVO).getTemplateTag();
+    Mockito.doReturn(emptyList).when(firstFitAllocatorSpy).retrieveHosts(Mockito.any(VirtualMachineProfile.class), Mockito.any(Host.Type.class), Mockito.nullable(List.class), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyString(), Mockito.anyString());
+    List<Host> suitableHosts = firstFitAllocatorSpy.allocateTo(virtualMachineProfile, deploymentPlan, type, excludeList, null, HostAllocator.RETURN_UPTO_ALL, considerReservedCapacity);
+
+    Assert.assertNull(suitableHosts);
+  }
+
+  @Test
+  public void allocateToTestSuitableHostsNotEmptyShouldCallAllocateToMethod() {
+    List<HostVO> hosts = new ArrayList<>(Arrays.asList(host1, host2));
+
+    Mockito.doReturn(serviceOffering).when(virtualMachineProfile).getServiceOffering();
+    Mockito.doReturn(vmTemplateVO).when(virtualMachineProfile).getTemplate();
+    Mockito.doReturn(account).when(virtualMachineProfile).getOwner();
+    Mockito.doReturn(hostTag).when(serviceOffering).getHostTag();
+    Mockito.doReturn(templateTag).when(vmTemplateVO).getTemplateTag();
+    Mockito.doReturn(hosts).when(firstFitAllocatorSpy).retrieveHosts(Mockito.any(VirtualMachineProfile.class), Mockito.any(Host.Type.class), Mockito.nullable(List.class), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyString(), Mockito.anyString());
+    Mockito.doReturn(hosts).when(firstFitAllocatorSpy).allocateTo(Mockito.any(VirtualMachineProfile.class), Mockito.any(DeploymentPlan.class), Mockito.any(ServiceOffering.class), Mockito.any(VMTemplateVO.class), Mockito.any(DeploymentPlanner.ExcludeList.class), Mockito.anyList(), Mockito.anyInt(), Mockito.anyBoolean(), Mockito.any(Account.class));
+    Mockito.doNothing().when(firstFitAllocatorSpy).addHostsToAvoidSet(Mockito.any(Host.Type.class), Mockito.any(DeploymentPlanner.ExcludeList.class), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyList());
+    List<Host> suitableHosts = firstFitAllocatorSpy.allocateTo(virtualMachineProfile, deploymentPlan, type, excludeList, null, HostAllocator.RETURN_UPTO_ALL, considerReservedCapacity);
+
+    Mockito.verify(firstFitAllocatorSpy, Mockito.times(1)).allocateTo(virtualMachineProfile, deploymentPlan, serviceOffering, vmTemplateVO, excludeList, hosts, HostAllocator.RETURN_UPTO_ALL, considerReservedCapacity, account);
+    Assert.assertEquals(2, suitableHosts.size());
+  }
+
+  @Test
+  public void allocateToTestProvidedHostsNotNullShouldCallAddHostsToAvoidSetMethod() {
+    List<HostVO> hosts = new ArrayList<>(Arrays.asList(host1, host2));
+
+    Mockito.doReturn(serviceOffering).when(virtualMachineProfile).getServiceOffering();
+    Mockito.doReturn(vmTemplateVO).when(virtualMachineProfile).getTemplate();
+    Mockito.doReturn(account).when(virtualMachineProfile).getOwner();
+    Mockito.doReturn(hostTag).when(serviceOffering).getHostTag();
+    Mockito.doReturn(templateTag).when(vmTemplateVO).getTemplateTag();
+    Mockito.doReturn(hosts).when(firstFitAllocatorSpy).retrieveHosts(Mockito.any(VirtualMachineProfile.class), Mockito.any(Host.Type.class), Mockito.nullable(List.class), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyString(), Mockito.anyString());
+    Mockito.doReturn(hosts).when(firstFitAllocatorSpy).allocateTo(Mockito.any(VirtualMachineProfile.class), Mockito.any(DeploymentPlan.class), Mockito.any(ServiceOffering.class), Mockito.any(VMTemplateVO.class), Mockito.any(DeploymentPlanner.ExcludeList.class), Mockito.anyList(), Mockito.anyInt(), Mockito.anyBoolean(), Mockito.any(Account.class));
+    Mockito.doNothing().when(firstFitAllocatorSpy).addHostsToAvoidSet(Mockito.any(Host.Type.class), Mockito.any(DeploymentPlanner.ExcludeList.class), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyList());
+    firstFitAllocatorSpy.allocateTo(virtualMachineProfile, deploymentPlan, type, excludeList, null, HostAllocator.RETURN_UPTO_ALL, considerReservedCapacity);
+
+    Mockito.verify(firstFitAllocatorSpy, Mockito.times(1)).addHostsToAvoidSet(Mockito.any(Host.Type.class), Mockito.any(DeploymentPlanner.ExcludeList.class), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyList());
+  }
+
+  @Test
+  public void retrieveHostsTestHostsToFilterIsNullAndHaTagNotNullShouldReturnOnlyHostsWithHaTag() {
+    List<HostVO> allUpAndEnabledHosts = new ArrayList<>(Arrays.asList(host1, host2, host3));
+    List<HostVO> hostsWithHaTag = new ArrayList<>(Arrays.asList(host1, host2));
+    String hostVmTag = "haVmTag";
+
+    Mockito.doReturn(hostVmTag).when(virtualMachineProfile).getParameter(Mockito.any(VirtualMachineProfile.Param.class));
+    Mockito.doReturn(allUpAndEnabledHosts).when(resourceManagerMock).listAllUpAndEnabledHosts(Mockito.any(Host.Type.class), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyLong());
+    Mockito.doReturn(hostsWithHaTag).when(hostDaoMock).listByHostTag(Mockito.any(Host.Type.class), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyString());
+    Mockito.doNothing().when(firstFitAllocatorSpy).filterHostsWithUefiEnabled(Mockito.any(Host.Type.class), Mockito.any(VirtualMachineProfile.class), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyList());
+    Mockito.doNothing().when(firstFitAllocatorSpy).addHostsBasedOnTagRules(Mockito.anyString(), Mockito.anyList());
+    List<HostVO> resultHosts = firstFitAllocatorSpy.retrieveHosts(virtualMachineProfile, type, emptyList, clusterId, podId, dcId, hostTag, templateTag);
+
+    Assert.assertEquals(2, resultHosts.size());
+    Assert.assertEquals(host1, resultHosts.get(0));
+    Assert.assertEquals(host2, resultHosts.get(1));
+  }
+
+  @Test
+  public void retrieveHostsTestHostsToFilterIsNotNullAndHaTagNotNullShouldReturnOnlyHostsToFilterWithHaTag() {
+    List<HostVO> hostsToFilter = new ArrayList<>(Arrays.asList(host1, host2, host3));
+    List<HostVO> hostsWithHaTag = new ArrayList<>(Arrays.asList(host1, host2));
+    String hostVmTag = "haVmTag";
+
+    Mockito.doReturn(hostVmTag).when(virtualMachineProfile).getParameter(Mockito.any(VirtualMachineProfile.Param.class));
+    Mockito.doReturn(hostsWithHaTag).when(hostDaoMock).listByHostTag(Mockito.any(Host.Type.class), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyString());
+    Mockito.doNothing().when(firstFitAllocatorSpy).filterHostsWithUefiEnabled(Mockito.any(Host.Type.class), Mockito.any(VirtualMachineProfile.class), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyList());
+    Mockito.doNothing().when(firstFitAllocatorSpy).addHostsBasedOnTagRules(Mockito.anyString(), Mockito.anyList());
+    List<HostVO> resultHosts = firstFitAllocatorSpy.retrieveHosts(virtualMachineProfile, type, hostsToFilter, clusterId, podId, dcId, hostTag, templateTag);
+
+    Assert.assertEquals(2, resultHosts.size());
+    Assert.assertEquals(host1, resultHosts.get(0));
+    Assert.assertEquals(host2, resultHosts.get(1));
+  }
+
+  @Test
+  public void retrieveHostsTestHostsToFilterIsNullAndNoHaTagAndNoHostTagShouldReturnOnlyAllUpAndEnabledNonHaHosts() {
+    List<HostVO> allUpAndEnabledHosts = new ArrayList<>(Arrays.asList(host1, host2, host3));
+    List<HostVO> upAndEnabledHostsWithNoHa = new ArrayList<>(Arrays.asList(host1, host2));
+
+    Mockito.doReturn(allUpAndEnabledHosts).when(resourceManagerMock).listAllUpAndEnabledHosts(Mockito.any(Host.Type.class), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyLong());
+    Mockito.doReturn(upAndEnabledHostsWithNoHa).when(resourceManagerMock).listAllUpAndEnabledNonHAHosts(Mockito.any(Host.Type.class), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyLong());
+    Mockito.doNothing().when(firstFitAllocatorSpy).filterHostsWithUefiEnabled(Mockito.any(Host.Type.class), Mockito.any(VirtualMachineProfile.class), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyList());
+    Mockito.doNothing().when(firstFitAllocatorSpy).addHostsBasedOnTagRules(Mockito.nullable(String.class), Mockito.anyList());
+    List<HostVO> resultHosts = firstFitAllocatorSpy.retrieveHosts(virtualMachineProfile, type, emptyList, clusterId, podId, dcId, null, null);
+
+    Assert.assertEquals(2, resultHosts.size());
+    Assert.assertEquals(host1, resultHosts.get(0));
+    Assert.assertEquals(host2, resultHosts.get(1));
+  }
+
+  @Test
+  public void retrieveHostsTestHostsToFilterIsNullAndNoHaTagWithHostTagShouldCallRetainHostsMatchingServiceOfferingAndTemplateTags() {
+    List<HostVO> allUpAndEnabledHosts = new ArrayList<>(Arrays.asList(host1, host2, host3));
+
+    Mockito.doReturn(allUpAndEnabledHosts).when(resourceManagerMock).listAllUpAndEnabledHosts(Mockito.any(Host.Type.class), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyLong());
+    Mockito.doNothing().when(firstFitAllocatorSpy).retainHostsMatchingServiceOfferingAndTemplateTags(Mockito.anyList(), Mockito.any(Host.Type.class), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyString(), Mockito.anyString());
+    Mockito.doNothing().when(firstFitAllocatorSpy).filterHostsWithUefiEnabled(Mockito.any(Host.Type.class), Mockito.any(VirtualMachineProfile.class), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyList());
+    Mockito.doNothing().when(firstFitAllocatorSpy).addHostsBasedOnTagRules(Mockito.anyString(), Mockito.anyList());
+    firstFitAllocatorSpy.retrieveHosts(virtualMachineProfile, type, emptyList, clusterId, podId, dcId, hostTag, templateTag);
+
+    Mockito.verify(firstFitAllocatorSpy, Mockito.times(1)).retainHostsMatchingServiceOfferingAndTemplateTags(Mockito.anyList(), Mockito.any(Host.Type.class), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyString(), Mockito.anyString());
+  }
+
+  @Test
+  public void addHostsToAvoidSetTestAllHostsWereConsideredForAllocationShouldNotAddAnyHostToTheAvoidSet() {
+    List<HostVO> suitableHosts = new ArrayList<>(Arrays.asList(host1, host2, host3));
+
+    Mockito.doReturn(suitableHosts).when(hostDaoMock).listAllUpAndEnabledNonHAHosts(Mockito.any(Host.Type.class), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyLong(), Mockito.nullable(String.class));
+    firstFitAllocatorSpy.addHostsToAvoidSet(type, excludeList, clusterId, podId, dcId, suitableHosts);
+
+    Assert.assertTrue(excludeList.getHostsToAvoid().isEmpty());
+  }
+
+  @Test
+  public void addHostsToAvoidSetTestNotAllHostsWereConsideredForAllocationShouldAddHostToTheAvoidSet() {
+    List<HostVO> allUpAndEnabledNonHAHosts = new ArrayList<>(Arrays.asList(host1, host2, host3));
+    List<HostVO> consideredHosts = new ArrayList<>(Arrays.asList(host2, host3));
+
+    Mockito.doReturn(1L).when(host1).getId();
+    Mockito.doCallRealMethod().when(excludeList).addHost(Mockito.anyLong());
+    Mockito.doCallRealMethod().when(excludeList).getHostsToAvoid();
+    Mockito.doReturn(allUpAndEnabledNonHAHosts).when(hostDaoMock).listAllUpAndEnabledNonHAHosts(Mockito.any(Host.Type.class), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyLong(), Mockito.nullable(String.class));
+    firstFitAllocatorSpy.addHostsToAvoidSet(type, excludeList, clusterId, podId, dcId, consideredHosts);
+
+    Assert.assertEquals(1, excludeList.getHostsToAvoid().size());
+    Assert.assertTrue(excludeList.getHostsToAvoid().contains(1L));
+  }
+
+  @Test
+  public void filterHostsWithUefiEnabledTestNoDetailWithUefiShouldNotFilterAnyHost() {
+    List<HostVO> suitableHosts = new ArrayList<>(Arrays.asList(host1, host2, host3));
+    VMInstanceDetailVO userVmDetailVO = null;
+
+    Mockito.doReturn(userVmDetailVO).when(userVmDetailsDaoMock).findDetail(Mockito.anyLong(), Mockito.anyString());
+    firstFitAllocatorSpy.filterHostsWithUefiEnabled(type, virtualMachineProfile, clusterId, podId, dcId, suitableHosts);
+
+    Assert.assertEquals(3, suitableHosts.size());
+    Assert.assertEquals(host1, suitableHosts.get(0));
+    Assert.assertEquals(host2, suitableHosts.get(1));
+    Assert.assertEquals(host3, suitableHosts.get(2));
+  }
+
+  @Test
+  public void filterHostsWithUefiEnabledTestDetailWithUefiWithInvalidModeShouldNotFilterAnyHost() {
+    List<HostVO> suitableHosts = new ArrayList<>(Arrays.asList(host1, host2, host3));
+    VMInstanceDetailVO userVmDetailVO = mock(VMInstanceDetailVO.class);
+    String bootMode = "Invalid mode";
+
+    Mockito.doReturn(bootMode).when(userVmDetailVO).getValue();
+    Mockito.doReturn(userVmDetailVO).when(userVmDetailsDaoMock).findDetail(Mockito.anyLong(), Mockito.anyString());
+    firstFitAllocatorSpy.filterHostsWithUefiEnabled(type, virtualMachineProfile, clusterId, podId, dcId, suitableHosts);
+
+    Assert.assertEquals(3, suitableHosts.size());
+    Assert.assertEquals(host1, suitableHosts.get(0));
+    Assert.assertEquals(host2, suitableHosts.get(1));
+    Assert.assertEquals(host3, suitableHosts.get(2));
+  }
+
+  @Test
+  public void filterHostsWithUefiEnabledTestDetailWithUefiWithLegacyModeShouldFilterHost() {
+    List<HostVO> suitableHosts = new ArrayList<>(Arrays.asList(host1, host2, host3));
+    List<HostVO> uefiHosts = new ArrayList<>(Arrays.asList(host2, host3));
+    VMInstanceDetailVO userVmDetailVO = mock(VMInstanceDetailVO.class);
+    String bootMode = ApiConstants.BootMode.LEGACY.toString();
+
+    Mockito.doReturn(bootMode).when(userVmDetailVO).getValue();
+    Mockito.doReturn(userVmDetailVO).when(userVmDetailsDaoMock).findDetail(Mockito.anyLong(), Mockito.anyString());
+    Mockito.doReturn(uefiHosts).when(hostDaoMock).listByHostCapability(Mockito.any(Host.Type.class), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyString());
+    firstFitAllocatorSpy.filterHostsWithUefiEnabled(type, virtualMachineProfile, clusterId, podId, dcId, suitableHosts);
+
+    Assert.assertEquals(2, suitableHosts.size());
+    Assert.assertEquals(host2, suitableHosts.get(0));
+    Assert.assertEquals(host3, suitableHosts.get(1));
+  }
+
+  @Test
+  public void filterHostsWithUefiEnabledTestDetailWithUefiWithSecureModeShouldFilterHost() {
+    List<HostVO> suitableHosts = new ArrayList<>(Arrays.asList(host1, host2, host3));
+    List<HostVO> uefiHosts = new ArrayList<>(Arrays.asList(host2, host3));
+    VMInstanceDetailVO userVmDetailVO = mock(VMInstanceDetailVO.class);
+    String bootMode = ApiConstants.BootMode.SECURE.toString();
+
+    Mockito.doReturn(bootMode).when(userVmDetailVO).getValue();
+    Mockito.doReturn(userVmDetailVO).when(userVmDetailsDaoMock).findDetail(Mockito.anyLong(), Mockito.anyString());
+    Mockito.doReturn(uefiHosts).when(hostDaoMock).listByHostCapability(Mockito.any(Host.Type.class), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyString());
+    firstFitAllocatorSpy.filterHostsWithUefiEnabled(type, virtualMachineProfile, clusterId, podId, dcId, suitableHosts);
+
+    Assert.assertEquals(2, suitableHosts.size());
+    Assert.assertEquals(host2, suitableHosts.get(0));
+    Assert.assertEquals(host3, suitableHosts.get(1));
+  }
+
+  @Test
+  public void offeringRequestedVGpuAndHostDoesNotHaveItTestVGpuRequestedButHostDoesNotHaveItShouldReturnTrue() {
+    Mockito.doReturn(1L).when(host1).getId();
+    Mockito.doCallRealMethod().when(excludeList).addHost(Mockito.anyLong());
+    Mockito.doCallRealMethod().when(excludeList).getHostsToAvoid();
+    Mockito.doReturn(false).when(resourceManagerMock).isGPUDeviceAvailable(Mockito.any(ServiceOffering.class), Mockito.any(Host.class),  Mockito.any(Long.class));
+    boolean result = firstFitAllocatorSpy.offeringRequestedVGpuAndHostDoesNotHaveIt(serviceOffering, virtualMachineProfile, excludeList, host1);
+
+    Assert.assertTrue(result);
+    Assert.assertEquals(1, excludeList.getHostsToAvoid().size());
+    Assert.assertTrue(excludeList.getHostsToAvoid().contains(1L));
+  }
+
+  @Test
+  public void offeringRequestedVGpuAndHostDoesNotHaveItTestVGpuRequestedAndHostDoesHaveItShouldReturnFalse() {
+    Mockito.doReturn(true).when(resourceManagerMock).isGPUDeviceAvailable(Mockito.any(ServiceOffering.class), Mockito.any(Host.class),  Mockito.any(Long.class));
+    boolean result = firstFitAllocatorSpy.offeringRequestedVGpuAndHostDoesNotHaveIt(serviceOffering, virtualMachineProfile, excludeList, host1);
+
+    Assert.assertFalse(result);
+    Mockito.verify(excludeList, Mockito.never()).addHost(Mockito.anyLong());
+  }
+
+  @Test
+  public void filterHostWithNoHvmIfTemplateRequestedTestTemplateDoesNotRequireHvm() {
+    List<HostVO> hosts = new ArrayList<>(Arrays.asList(host1, host2, host3));
+
+    Mockito.doReturn(false).when(vmTemplateVO).isRequiresHvm();
+    List<Host> suitableHosts = firstFitAllocatorSpy.filterHostWithNoHvmIfTemplateRequested(vmTemplateVO, hosts);
+
+    Assert.assertEquals(3, suitableHosts.size());
+    Assert.assertEquals(host1, suitableHosts.get(0));
+    Assert.assertEquals(host2, suitableHosts.get(1));
+    Assert.assertEquals(host3, suitableHosts.get(2));
+  }
+
+  @Test
+  public void filterHostWithNoHvmIfTemplateRequestedTestTemplateRequiresHvmShouldReturnOnlyHvmHosts() {
+    List<HostVO> hosts = new ArrayList<>(Arrays.asList(host1, host2, host3));
+
+    Mockito.doReturn(true).when(vmTemplateVO).isRequiresHvm();
+    Mockito.doReturn(true).when(firstFitAllocatorSpy).hostSupportsHVM(host1);
+    Mockito.doReturn(false).when(firstFitAllocatorSpy).hostSupportsHVM(host2);
+    Mockito.doReturn(true).when(firstFitAllocatorSpy).hostSupportsHVM(host3);
+    List<Host> suitableHosts = firstFitAllocatorSpy.filterHostWithNoHvmIfTemplateRequested(vmTemplateVO, hosts);
+
+    Assert.assertEquals(2, suitableHosts.size());
+    Assert.assertEquals(host1, suitableHosts.get(0));
+    Assert.assertEquals(host3, suitableHosts.get(1));
+  }
+
+  @Test
+  public void prioritizeHostsByGpuEnabledTestServiceOfferingRequestedVGpuViaDetailShouldDoNothing() {
+    List<Host> hosts = new ArrayList<>(Arrays.asList(host1, host2, host3));
+    ServiceOfferingDetailsVO requestedVGpuType = mock(ServiceOfferingDetailsVO.class);
+
+    Mockito.doReturn(requestedVGpuType).when(serviceOfferingDetailsDao).findDetail(Mockito.anyLong(), Mockito.anyString());
+    firstFitAllocatorSpy.prioritizeHostsByGpuEnabled(serviceOffering, hosts);
+
+    Assert.assertEquals(3, hosts.size());
+    Assert.assertEquals(host1, hosts.get(0));
+    Assert.assertEquals(host2, hosts.get(1));
+    Assert.assertEquals(host3, hosts.get(2));
+  }
+
+  @Test
+  public void prioritizeHostsByGpuEnabledTestServiceOfferingRequestedVGpuViaProfileIdShouldDoNothing() {
+    List<Host> hosts = new ArrayList<>(Arrays.asList(host1, host2, host3));
+
+    Mockito.doReturn(1L).when(serviceOffering).getVgpuProfileId();
+    firstFitAllocatorSpy.prioritizeHostsByGpuEnabled(serviceOffering, hosts);
+
+    Assert.assertEquals(3, hosts.size());
+    Assert.assertEquals(host1, hosts.get(0));
+    Assert.assertEquals(host2, hosts.get(1));
+    Assert.assertEquals(host3, hosts.get(2));
+  }
+
+  @Test
+  public void prioritizeHostsByGpuEnabledTestServiceOfferingDidNotRequestVGpuShouldReorderList() {
+    List<Host> allHosts = new ArrayList<>(Arrays.asList(host1, host2, host3));
+
+    Mockito.doReturn(null).when(serviceOfferingDetailsDao).findDetail(Mockito.anyLong(), Mockito.anyString());
+    Mockito.doReturn(null).when(serviceOffering).getVgpuProfileId();
+    Mockito.doReturn(1L).when(host1).getId();
+    Mockito.doReturn(2L).when(host2).getId();
+    Mockito.doReturn(3L).when(host3).getId();
+    Mockito.doReturn(true).when(resourceManagerMock).isHostGpuEnabled(1L);
+    Mockito.doReturn(false).when(resourceManagerMock).isHostGpuEnabled(2L);
+    Mockito.doReturn(false).when(resourceManagerMock).isHostGpuEnabled(3L);
+    firstFitAllocatorSpy.prioritizeHostsByGpuEnabled(serviceOffering, allHosts);
+
+    Assert.assertEquals(3, allHosts.size());
+    Assert.assertEquals(host2, allHosts.get(0));
+    Assert.assertEquals(host3, allHosts.get(1));
+    Assert.assertEquals(host1, allHosts.get(2));
+  }
+
+  @Test
+  public void prioritizeHostsByGpuEnabledTestServiceOfferingDidNotRequestVGpuShouldNotReorderListIfThereIsNoHostWithVGpu() {
+    List<Host> allHosts = new ArrayList<>(Arrays.asList(host1, host2, host3));
+
+    Mockito.doReturn(null).when(serviceOfferingDetailsDao).findDetail(Mockito.anyLong(), Mockito.anyString());
+    Mockito.doReturn(null).when(serviceOffering).getVgpuProfileId();
+    Mockito.doReturn(1L).when(host1).getId();
+    Mockito.doReturn(2L).when(host2).getId();
+    Mockito.doReturn(3L).when(host3).getId();
+    Mockito.doReturn(false).when(resourceManagerMock).isHostGpuEnabled(Mockito.anyLong());
+    firstFitAllocatorSpy.prioritizeHostsByGpuEnabled(serviceOffering, allHosts);
+
+    Assert.assertEquals(3, allHosts.size());
+    Assert.assertEquals(host1, allHosts.get(0));
+    Assert.assertEquals(host2, allHosts.get(1));
+    Assert.assertEquals(host3, allHosts.get(2));
+  }
+
+  @Test
+  public void prioritizeHostsByHvmCapabilityTestTemplateDidNotRequestedHvmShouldPutHostThatDoesNotSupportHvmInStartOfThePriorityList() {
+    List<Host> hostsToCheck = new ArrayList<>(Arrays.asList(host1, host2, host3));
+    List<Host> prioritizedHosts = new ArrayList<>();
+
+    Mockito.doReturn(false).when(vmTemplateVO).isRequiresHvm();
+    Mockito.doReturn(true).when(firstFitAllocatorSpy).hostSupportsHVM(host1);
+    Mockito.doReturn(false).when(firstFitAllocatorSpy).hostSupportsHVM(host2);
+    Mockito.doReturn(true).when(firstFitAllocatorSpy).hostSupportsHVM(host3);
+    firstFitAllocatorSpy.prioritizeHostsByHvmCapability(vmTemplateVO, hostsToCheck, prioritizedHosts);
+
+    Assert.assertEquals(3, prioritizedHosts.size());
+    Assert.assertEquals(host2, prioritizedHosts.get(0));
+    Assert.assertEquals(host1, prioritizedHosts.get(1));
+    Assert.assertEquals(host3, prioritizedHosts.get(2));
+  }
+
+  @Test
+  public void prioritizeHostsByHvmCapabilityTestTemplateRequiresHvmShouldNotReorderList() {
+    List<Host> hostsToCheck = new ArrayList<>(Arrays.asList(host1, host2, host3));
+    List<Host> prioritizedHosts = new ArrayList<>();
+
+    Mockito.doReturn(true).when(vmTemplateVO).isRequiresHvm();
+    firstFitAllocatorSpy.prioritizeHostsByHvmCapability(vmTemplateVO, hostsToCheck, prioritizedHosts);
+
+    Assert.assertEquals(3, prioritizedHosts.size());
+    Assert.assertEquals(host1, prioritizedHosts.get(0));
+    Assert.assertEquals(host2, prioritizedHosts.get(1));
+    Assert.assertEquals(host3, prioritizedHosts.get(2));
+  }
+
+  @Test
+  public void prioritizeHostsWithMatchingGuestOsTestShouldPutMatchingHostInHighPriorityAndHostsThatDoesNotMatchInLowPriorityList() {
+    List<Host> hostsToCheck = new ArrayList<>(Arrays.asList(host1, host2, host3));
+    List<Host> highPriorityHosts = new ArrayList<>();
+    List<Host> lowPriorityHosts = new ArrayList<>();
+    String guestOsCategory1 = "guestOsCategory1";
+    String guestOsCategory2 = "guestOsCategory2";
+
+    Mockito.doReturn(guestOsCategory1).when(firstFitAllocatorSpy).getTemplateGuestOSCategory(vmTemplateVO);
+    Mockito.doReturn(guestOsCategory1).when(firstFitAllocatorSpy).getHostGuestOSCategory(host1);
+    Mockito.doReturn(guestOsCategory2).when(firstFitAllocatorSpy).getHostGuestOSCategory(host2);
+    Mockito.doReturn(null).when(firstFitAllocatorSpy).getHostGuestOSCategory(host3);
+    firstFitAllocatorSpy.prioritizeHostsWithMatchingGuestOs(vmTemplateVO,hostsToCheck, highPriorityHosts, lowPriorityHosts);
+
+    Assert.assertEquals(1, highPriorityHosts.size());
+    Assert.assertEquals(host1, highPriorityHosts.get(0));
+    Assert.assertEquals(1, lowPriorityHosts.size());
+    Assert.assertEquals(host2, lowPriorityHosts.get(0));
+  }
+
+  @Test
+  public void testHostByCombinedCapacityOrder() {
+    // Test scenario 1: Default capacity usage (0.5 weight)
+    List<CapacityVO> mockCapacity = getHostCapacities();
+    Map<Long, Double> hostByCombinedCapacity = FirstFitAllocator.getHostByCombinedCapacities(mockCapacity, 0.5);
+
+    // Verify host ordering and capacity values
+    Long firstHostId = hostByCombinedCapacity.keySet().iterator().next();
+    Assert.assertEquals("Host with ID 1 should be first in ordering", Long.valueOf(1L), firstHostId);
+    Assert.assertEquals("Host 1 combined capacity should match expected value",
+        0.9609375, hostByCombinedCapacity.get(1L), TOLERANCE);
+    Assert.assertEquals("Host 2 combined capacity should match expected value",
+        0.9296875, hostByCombinedCapacity.get(2L), TOLERANCE);
+
+    // Test scenario 2: Modified capacity usage (0.7 weight)
+    when(mockCapacity.get(0).getUsedCapacity()).thenReturn(1500L);
+    hostByCombinedCapacity = FirstFitAllocator.getHostByCombinedCapacities(mockCapacity, 0.7);
+
+    // Verify new ordering after capacity change
+    firstHostId = hostByCombinedCapacity.keySet().iterator().next();
+    Assert.assertEquals("Host with ID 2 should be first after capacity change", Long.valueOf(2L), firstHostId);
+    Assert.assertEquals("Host 2 combined capacity should match expected value after change",
+        0.9515625, hostByCombinedCapacity.get(2L), TOLERANCE);
+    Assert.assertEquals("Host 1 combined capacity should match expected value after change",
+        0.9484375, hostByCombinedCapacity.get(1L), TOLERANCE);
+  }
+
+  List<CapacityVO> getHostCapacities() {
+    CapacityVO cpuCapacity1 = mock(CapacityVO.class);
+    when(cpuCapacity1.getHostOrPoolId()).thenReturn(1L);
+    when(cpuCapacity1.getTotalCapacity()).thenReturn(32000L);
+    when(cpuCapacity1.getReservedCapacity()).thenReturn(0L);
+    when(cpuCapacity1.getUsedCapacity()).thenReturn(500L);
+    when(cpuCapacity1.getCapacityType()).thenReturn(CapacityVO.CAPACITY_TYPE_CPU);
+
+    CapacityVO cpuCapacity2 = mock(CapacityVO.class);
+    when(cpuCapacity2.getHostOrPoolId()).thenReturn(2L);
+    when(cpuCapacity2.getTotalCapacity()).thenReturn(32000L);
+    when(cpuCapacity2.getReservedCapacity()).thenReturn(0L);
+    when(cpuCapacity2.getUsedCapacity()).thenReturn(500L);
+    when(cpuCapacity2.getCapacityType()).thenReturn(CapacityVO.CAPACITY_TYPE_CPU);
+
+    CapacityVO memCapacity1 = mock(CapacityVO.class);
+    when(memCapacity1.getHostOrPoolId()).thenReturn(1L);
+    when(memCapacity1.getTotalCapacity()).thenReturn(8589934592L);
+    when(memCapacity1.getReservedCapacity()).thenReturn(0L);
+    when(memCapacity1.getUsedCapacity()).thenReturn(536870912L);
+    when(memCapacity1.getCapacityType()).thenReturn(CapacityVO.CAPACITY_TYPE_MEMORY);
+
+    CapacityVO memCapacity2 = mock(CapacityVO.class);
+    when(memCapacity2.getHostOrPoolId()).thenReturn(2L);
+    when(memCapacity2.getTotalCapacity()).thenReturn(8589934592L);
+    when(memCapacity2.getReservedCapacity()).thenReturn(0L);
+    when(memCapacity2.getUsedCapacity()).thenReturn(1073741824L);
+    when(memCapacity1.getCapacityType()).thenReturn(CapacityVO.CAPACITY_TYPE_MEMORY);
+    return Arrays.asList(cpuCapacity1, memCapacity1, cpuCapacity2, memCapacity2);
+  }
 }
diff --git a/server/src/test/java/com/cloud/agent/manager/allocator/impl/RandomAllocatorTest.java b/server/src/test/java/com/cloud/agent/manager/allocator/impl/RandomAllocatorTest.java
new file mode 100644
index 000000000000..ab9b322eb843
--- /dev/null
+++ b/server/src/test/java/com/cloud/agent/manager/allocator/impl/RandomAllocatorTest.java
@@ -0,0 +1,332 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.agent.manager.allocator.impl;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+import com.cloud.agent.manager.allocator.HostAllocator;
+import com.cloud.deploy.DeploymentPlan;
+import com.cloud.deploy.DeploymentPlanner;
+import com.cloud.offering.ServiceOffering;
+import com.cloud.resource.ResourceManager;
+import com.cloud.service.ServiceOfferingVO;
+import com.cloud.storage.VMTemplateVO;
+import com.cloud.vm.VirtualMachineProfile;
+import org.apache.commons.collections.CollectionUtils;
+import org.junit.Assert;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.Mockito;
+import org.mockito.Spy;
+import org.mockito.junit.MockitoJUnitRunner;
+
+import com.cloud.host.Host;
+import com.cloud.host.HostVO;
+import com.cloud.host.dao.HostDao;
+
+@RunWith(MockitoJUnitRunner.class)
+public class RandomAllocatorTest {
+
+    @Mock
+    HostDao hostDao;
+
+    @Spy
+    @InjectMocks
+    RandomAllocator randomAllocator;
+
+    @Mock
+    ResourceManager resourceManagerMock;
+
+    private final Host.Type type = Host.Type.Routing;
+
+    private final Long clusterId = 1L;
+
+    private final Long podId = 2L;
+
+    private final Long zoneId = 3L;
+
+    private final List<HostVO> emptyList = new ArrayList<>();
+
+    private final String hostTag = "hostTag";
+
+    private final HostVO host1 = Mockito.mock(HostVO.class);
+
+    private final HostVO host2 = Mockito.mock(HostVO.class);
+
+    private final HostVO host3 = Mockito.mock(HostVO.class);
+
+    private final VMTemplateVO vmTemplateVO = Mockito.mock(VMTemplateVO.class);
+
+    private final ServiceOfferingVO serviceOffering = Mockito.mock(ServiceOfferingVO.class);
+
+    private final DeploymentPlanner.ExcludeList excludeList = Mockito.mock(DeploymentPlanner.ExcludeList.class);
+
+    private final VirtualMachineProfile virtualMachineProfile = Mockito.mock(VirtualMachineProfile.class);
+
+    private final DeploymentPlan deploymentPlan = Mockito.mock(DeploymentPlan.class);
+
+    private final boolean considerReservedCapacity = true;
+
+
+    @Test
+    public void testListHostsByTags() {
+        Host.Type type = Host.Type.Routing;
+        Long id = 1L;
+        String templateTag = "tag1";
+        String offeringTag = "tag2";
+        HostVO host1 = Mockito.mock(HostVO.class);
+        HostVO host2 = Mockito.mock(HostVO.class);
+        Mockito.when(hostDao.listByHostTag(type, clusterId, podId, zoneId, offeringTag)).thenReturn(List.of(host1, host2));
+
+        // No template tagged host
+        ArrayList<HostVO> noTemplateTaggedHosts = new ArrayList<>(Arrays.asList(host1, host2));
+        Mockito.when(hostDao.listByHostTag(type, clusterId, podId, zoneId, templateTag)).thenReturn(new ArrayList<>());
+        randomAllocator.retainHostsMatchingServiceOfferingAndTemplateTags(noTemplateTaggedHosts, type, zoneId, podId, clusterId, offeringTag, templateTag);
+        Assert.assertTrue(CollectionUtils.isEmpty(noTemplateTaggedHosts));
+
+        // Different template tagged host
+        ArrayList<HostVO> differentTemplateTaggedHost = new ArrayList<>(Arrays.asList(host1, host2));
+        HostVO host3 = Mockito.mock(HostVO.class);
+        Mockito.when(hostDao.listByHostTag(type, clusterId, podId, zoneId, templateTag)).thenReturn(List.of(host3));
+        randomAllocator.retainHostsMatchingServiceOfferingAndTemplateTags(differentTemplateTaggedHost, type, zoneId, podId, clusterId, offeringTag, templateTag);
+        Assert.assertTrue(CollectionUtils.isEmpty(differentTemplateTaggedHost));
+
+        // Matching template tagged host
+        ArrayList<HostVO> matchingTemplateTaggedHost = new ArrayList<>(Arrays.asList(host1, host2));
+        Mockito.when(hostDao.listByHostTag(type, clusterId, podId, zoneId, templateTag)).thenReturn(List.of(host1));
+        randomAllocator.retainHostsMatchingServiceOfferingAndTemplateTags(matchingTemplateTaggedHost, type, zoneId, podId, clusterId, offeringTag, templateTag);
+        Assert.assertFalse(CollectionUtils.isEmpty(matchingTemplateTaggedHost));
+        Assert.assertEquals(1, matchingTemplateTaggedHost.size());
+
+        // No template tag
+        ArrayList<HostVO> noTemplateTag = new ArrayList<>(Arrays.asList(host1, host2));
+        randomAllocator.retainHostsMatchingServiceOfferingAndTemplateTags(noTemplateTag, type, zoneId, podId, clusterId, offeringTag, null);
+        Assert.assertFalse(CollectionUtils.isEmpty(noTemplateTag));
+        Assert.assertEquals(2, noTemplateTag.size());
+
+        // No offering tag
+        ArrayList<HostVO> noOfferingTag = new ArrayList<>(Arrays.asList(host1, host2));
+        randomAllocator.retainHostsMatchingServiceOfferingAndTemplateTags(noOfferingTag, type, zoneId, podId, clusterId, null, templateTag);
+        Assert.assertFalse(CollectionUtils.isEmpty(noOfferingTag));
+        Assert.assertEquals(1, noOfferingTag.size());
+    }
+
+    @Test
+    public void findSuitableHostsTestHostTypeStorageShouldReturnNull() {
+        List<Host> suitableHosts = randomAllocator.findSuitableHosts(virtualMachineProfile, deploymentPlan, Host.Type.Storage, excludeList, null, HostAllocator.RETURN_UPTO_ALL, considerReservedCapacity);
+
+        Assert.assertNull(suitableHosts);
+    }
+
+    @Test
+    public void findSuitableHostsTestNoAvailableHostsShouldReturnNull() {
+        Mockito.doReturn(serviceOffering).when(virtualMachineProfile).getServiceOffering();
+        Mockito.doReturn(vmTemplateVO).when(virtualMachineProfile).getTemplate();
+        Mockito.doReturn(hostTag).when(serviceOffering).getHostTag();
+        Mockito.doReturn(emptyList).when(randomAllocator).retrieveHosts(Mockito.any(Host.Type.class), Mockito.nullable(List.class), Mockito.any(VMTemplateVO.class), Mockito.anyString(), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyLong());
+        List<Host> suitableHosts = randomAllocator.findSuitableHosts(virtualMachineProfile, deploymentPlan, type, excludeList, null, HostAllocator.RETURN_UPTO_ALL, considerReservedCapacity);
+
+        Assert.assertNull(suitableHosts);
+    }
+
+    @Test
+    public void findSuitableHostsTestAvailableHostsShouldCallFilterAvailableHostsOnce() {
+        List<HostVO> hosts = new ArrayList<>(Arrays.asList(host1, host2));
+
+        Mockito.doReturn(serviceOffering).when(virtualMachineProfile).getServiceOffering();
+        Mockito.doReturn(vmTemplateVO).when(virtualMachineProfile).getTemplate();
+        Mockito.doReturn(hostTag).when(serviceOffering).getHostTag();
+        Mockito.doReturn(hosts).when(randomAllocator).retrieveHosts(Mockito.any(Host.Type.class), Mockito.nullable(List.class), Mockito.any(VMTemplateVO.class), Mockito.anyString(), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyLong());
+        Mockito.doReturn(hosts).when(randomAllocator).filterAvailableHosts(Mockito.any(DeploymentPlanner.ExcludeList.class), Mockito.anyInt(), Mockito.anyBoolean(), Mockito.anyList(), Mockito.any(ServiceOffering.class));
+        List<Host> suitableHosts = randomAllocator.findSuitableHosts(virtualMachineProfile, deploymentPlan, type, excludeList, null, HostAllocator.RETURN_UPTO_ALL, considerReservedCapacity);
+
+        Mockito.verify(randomAllocator, Mockito.times(1)).filterAvailableHosts(Mockito.any(DeploymentPlanner.ExcludeList.class), Mockito.anyInt(), Mockito.anyBoolean(), Mockito.anyList(), Mockito.any(ServiceOffering.class));
+        Assert.assertEquals(2, suitableHosts.size());
+    }
+
+    @Test
+    public void filterAvailableHostsTestAvailableHostsReachedReturnUpToLimitShouldReturnOnlyHostsWithinLimit() {
+        List<HostVO> hosts = new ArrayList<>(Arrays.asList(host1, host2));
+        int returnUpTo = 1;
+
+        Mockito.doReturn(false).when(excludeList).shouldAvoid(Mockito.any(Host.class));
+        Mockito.doReturn(true).when(randomAllocator).hostHasCpuCapabilityAndCapacity(Mockito.anyBoolean(), Mockito.any(ServiceOffering.class), Mockito.any(Host.class));
+        List<Host> suitableHosts = randomAllocator.filterAvailableHosts(excludeList, returnUpTo, considerReservedCapacity, hosts, serviceOffering);
+
+        Assert.assertEquals(1, suitableHosts.size());
+    }
+
+    @Test
+    public void filterAvailableHostsTestReturnUpToAllShouldReturnAllAvailableHosts() {
+        List<HostVO> hosts = new ArrayList<>(Arrays.asList(host1, host2));
+        int returnUpTo = HostAllocator.RETURN_UPTO_ALL;
+
+        Mockito.doReturn(false).when(excludeList).shouldAvoid(Mockito.any(Host.class));
+        Mockito.doReturn(true).when(randomAllocator).hostHasCpuCapabilityAndCapacity(Mockito.anyBoolean(), Mockito.any(ServiceOffering.class), Mockito.any(Host.class));
+        List<Host> suitableHosts = randomAllocator.filterAvailableHosts(excludeList, returnUpTo, considerReservedCapacity, hosts, serviceOffering);
+
+        Assert.assertEquals(2, suitableHosts.size());
+    }
+
+    @Test
+    public void filterAvailableHostsTestHost1InAvoidShouldOnlyReturnHost2() {
+        List<HostVO> hosts = new ArrayList<>(Arrays.asList(host1, host2));
+        int returnUpTo = HostAllocator.RETURN_UPTO_ALL;
+
+        Mockito.doReturn(true).when(excludeList).shouldAvoid(host1);
+        Mockito.doReturn(false).when(excludeList).shouldAvoid(host2);
+        Mockito.doReturn(true).when(randomAllocator).hostHasCpuCapabilityAndCapacity(Mockito.anyBoolean(), Mockito.any(ServiceOffering.class), Mockito.any(Host.class));
+        List<Host> suitableHosts = randomAllocator.filterAvailableHosts(excludeList, returnUpTo, considerReservedCapacity, hosts, serviceOffering);
+
+        Assert.assertEquals(1, suitableHosts.size());
+        Assert.assertEquals(host2, suitableHosts.get(0));
+    }
+
+    @Test
+    public void filterAvailableHostsTestOnlyHost2HasCpuCapacityAndCapabilityShouldReturnOnlyHost2() {
+        List<HostVO> hosts = new ArrayList<>(Arrays.asList(host1, host2));
+        int returnUpTo = HostAllocator.RETURN_UPTO_ALL;
+
+        Mockito.doReturn(false).when(excludeList).shouldAvoid(Mockito.any(Host.class));
+        Mockito.doReturn(false).when(randomAllocator).hostHasCpuCapabilityAndCapacity(considerReservedCapacity, serviceOffering, host1);
+        Mockito.doReturn(true).when(randomAllocator).hostHasCpuCapabilityAndCapacity(considerReservedCapacity, serviceOffering, host2);
+        List<Host> suitableHosts = randomAllocator.filterAvailableHosts(excludeList, returnUpTo, considerReservedCapacity, hosts, serviceOffering);
+
+        Assert.assertEquals(1, suitableHosts.size());
+        Assert.assertEquals(host2, suitableHosts.get(0));
+    }
+
+    @Test
+    public void retrieveHostsTestProvidedHostsNullAndNoHostTagAndNoTagRuleShouldOnlyReturnHostsWithNoTags() {
+        List<HostVO> upAndEnabledHosts = new ArrayList<>(Arrays.asList(host1, host2));
+        List<HostVO> hostsWithNoRuleTagsAndHostTags = new ArrayList<>(Arrays.asList(host1));
+
+        Mockito.doReturn(upAndEnabledHosts).when(resourceManagerMock).listAllUpAndEnabledHosts(Mockito.any(Host.Type.class), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyLong());
+        Mockito.doReturn(hostsWithNoRuleTagsAndHostTags).when(hostDao).listAllHostsThatHaveNoRuleTag(Mockito.any(Host.Type.class), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyLong());
+        Mockito.doReturn(emptyList).when(hostDao).findHostsWithTagRuleThatMatchComputeOfferingTags(Mockito.nullable(String.class));
+        List<HostVO> availableHosts = randomAllocator.retrieveHosts(type, null, vmTemplateVO, null, clusterId, podId, zoneId);
+
+        Assert.assertEquals(1, availableHosts.size());
+        Assert.assertEquals(host1, availableHosts.get(0));
+    }
+
+    @Test
+    public void retrieveHostsTestProvidedHostsNullAndOnlyHostTagsRulesShouldReturnHostsThatMatchRuleTagsAndHostsWithNoTags() {
+        List<HostVO> upAndEnabledHosts = new ArrayList<>(Arrays.asList(host1, host2));
+        List<HostVO> hostsWithNoRuleTagsAndHostTags = new ArrayList<>(Arrays.asList(host1));
+        List<HostVO> hostsMatchingRuleTags = new ArrayList<>(Arrays.asList(host2));
+
+        Mockito.doReturn(upAndEnabledHosts).when(resourceManagerMock).listAllUpAndEnabledHosts(Mockito.any(Host.Type.class), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyLong());
+        Mockito.doReturn(hostsWithNoRuleTagsAndHostTags).when(hostDao).listAllHostsThatHaveNoRuleTag(Mockito.any(Host.Type.class), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyLong());
+        Mockito.doReturn(hostsMatchingRuleTags).when(hostDao).findHostsWithTagRuleThatMatchComputeOfferingTags(Mockito.nullable(String.class));
+        List<HostVO> availableHosts = randomAllocator.retrieveHosts(type, null, vmTemplateVO, null, clusterId, podId, zoneId);
+
+        Assert.assertEquals(2, availableHosts.size());
+        Assert.assertEquals(host1, availableHosts.get(0));
+        Assert.assertEquals(host2, availableHosts.get(1));
+    }
+
+    @Test
+    public void retrieveHostsTestProvidedHostsNullProvidedHostTagsNotNullAndNoHostWithMatchingRuleTagsShouldReturnHostWithMatchingTags() {
+        List<HostVO> upAndEnabledHosts = new ArrayList<>(Arrays.asList(host1, host2));
+        List<HostVO> hostsWithMatchingTags = new ArrayList<>(Arrays.asList(host1));
+
+        Mockito.doReturn(upAndEnabledHosts).when(resourceManagerMock).listAllUpAndEnabledHosts(Mockito.any(Host.Type.class), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyLong());
+        Mockito.doReturn(hostsWithMatchingTags).when(hostDao).listByHostTag(Mockito.any(Host.Type.class), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyString());
+        Mockito.doReturn(emptyList).when(hostDao).findHostsWithTagRuleThatMatchComputeOfferingTags(Mockito.nullable(String.class));
+        List<HostVO> availableHosts = randomAllocator.retrieveHosts(type, null, vmTemplateVO, hostTag, clusterId, podId, zoneId);
+
+        Assert.assertEquals(1, availableHosts.size());
+        Assert.assertEquals(host1, availableHosts.get(0));
+    }
+
+    @Test
+    public void retrieveHostsTestProvidedHostsNullProvidedHostTagsNotNullAndHostWithMatchingRuleTagsShouldReturnHostWithHostMatchingTagsAndRuleTags() {
+        List<HostVO> upAndEnabledHosts = new ArrayList<>(Arrays.asList(host1, host2));
+        List<HostVO> hostsWithMatchingTags = new ArrayList<>(Arrays.asList(host1));
+        List<HostVO> hostsMatchingRuleTags = new ArrayList<>(Arrays.asList(host3));
+
+        Mockito.doReturn(upAndEnabledHosts).when(resourceManagerMock).listAllUpAndEnabledHosts(Mockito.any(Host.Type.class), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyLong());
+        Mockito.doReturn(hostsWithMatchingTags).when(hostDao).listByHostTag(Mockito.any(Host.Type.class), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyString());
+        Mockito.doReturn(hostsMatchingRuleTags).when(hostDao).findHostsWithTagRuleThatMatchComputeOfferingTags(Mockito.nullable(String.class));
+        List<HostVO> availableHosts = randomAllocator.retrieveHosts(type, null, vmTemplateVO, hostTag, clusterId, podId, zoneId);
+
+        Assert.assertEquals(2, availableHosts.size());
+        Assert.assertEquals(host1, availableHosts.get(0));
+        Assert.assertEquals(host3, availableHosts.get(1));
+    }
+
+    @Test
+    public void retrieveHostsTestProvidedHostsNotNullAndNoHostTagAndNoTagRuleShouldOnlyReturnHostsWithNoTags() {
+        List<HostVO> providedHosts = new ArrayList<>(Arrays.asList(host1, host2));
+        List<HostVO> hostsWithNoRuleTagsAndHostTags = new ArrayList<>(Arrays.asList(host1));
+
+        Mockito.doReturn(hostsWithNoRuleTagsAndHostTags).when(hostDao).listAllHostsThatHaveNoRuleTag(Mockito.any(Host.Type.class), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyLong());
+        Mockito.doReturn(emptyList).when(hostDao).findHostsWithTagRuleThatMatchComputeOfferingTags(Mockito.nullable(String.class));
+        List<HostVO> availableHosts = randomAllocator.retrieveHosts(type, providedHosts, vmTemplateVO, null, clusterId, podId, zoneId);
+
+        Assert.assertEquals(1, availableHosts.size());
+        Assert.assertEquals(host1, availableHosts.get(0));
+    }
+
+    @Test
+    public void retrieveHostsTestProvidedHostsNotNullAndOnlyHostTagsRulesShouldReturnHostsThatMatchRuleTagsAndHostsWithNoTags() {
+        List<HostVO> providedHosts = new ArrayList<>(Arrays.asList(host1, host2));
+        List<HostVO> hostsWithNoRuleTagsAndHostTags = new ArrayList<>(Arrays.asList(host1));
+        List<HostVO> hostsMatchingRuleTags = new ArrayList<>(Arrays.asList(host2));
+
+        Mockito.doReturn(hostsWithNoRuleTagsAndHostTags).when(hostDao).listAllHostsThatHaveNoRuleTag(Mockito.any(Host.Type.class), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyLong());
+        Mockito.doReturn(hostsMatchingRuleTags).when(hostDao).findHostsWithTagRuleThatMatchComputeOfferingTags(Mockito.nullable(String.class));
+        List<HostVO> availableHosts = randomAllocator.retrieveHosts(type, providedHosts, vmTemplateVO, null, clusterId, podId, zoneId);
+
+        Assert.assertEquals(2, availableHosts.size());
+        Assert.assertEquals(host1, availableHosts.get(0));
+        Assert.assertEquals(host2, availableHosts.get(1));
+    }
+
+    @Test
+    public void retrieveHostsTestProvidedHostsNotNullProvidedHostTagsNotNullAndNoHostWithMatchingRuleTagsShouldReturnHostWithMatchingTags() {
+        List<HostVO> providedHosts = new ArrayList<>(Arrays.asList(host1, host2));
+        List<HostVO> hostsWithMatchingTags = new ArrayList<>(Arrays.asList(host1));
+
+        Mockito.doReturn(hostsWithMatchingTags).when(hostDao).listByHostTag(Mockito.any(Host.Type.class), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyString());
+        Mockito.doReturn(emptyList).when(hostDao).findHostsWithTagRuleThatMatchComputeOfferingTags(Mockito.nullable(String.class));
+        List<HostVO> availableHosts = randomAllocator.retrieveHosts(type, providedHosts, vmTemplateVO, hostTag, clusterId, podId, zoneId);
+
+        Assert.assertEquals(1, availableHosts.size());
+        Assert.assertEquals(host1, availableHosts.get(0));
+    }
+
+    @Test
+    public void retrieveHostsTestProvidedHostsNullNotProvidedHostTagsNotNullAndHostWithMatchingRuleTagsShouldReturnHostWithHostMatchingTagsAndRuleTags() {
+        List<HostVO> providedHosts = new ArrayList<>(Arrays.asList(host1, host2));
+        List<HostVO> hostsWithMatchingTags = new ArrayList<>(Arrays.asList(host1));
+        List<HostVO> hostsMatchingRuleTags = new ArrayList<>(Arrays.asList(host3));
+
+        Mockito.doReturn(hostsWithMatchingTags).when(hostDao).listByHostTag(Mockito.any(Host.Type.class), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyLong(), Mockito.anyString());
+        Mockito.doReturn(hostsMatchingRuleTags).when(hostDao).findHostsWithTagRuleThatMatchComputeOfferingTags(Mockito.nullable(String.class));
+        List<HostVO> availableHosts = randomAllocator.retrieveHosts(type, providedHosts, vmTemplateVO, hostTag, clusterId, podId, zoneId);
+
+        Assert.assertEquals(2, availableHosts.size());
+        Assert.assertEquals(host1, availableHosts.get(0));
+        Assert.assertEquals(host3, availableHosts.get(1));
+    }
+}
diff --git a/server/src/test/java/com/cloud/api/query/QueryManagerImplTest.java b/server/src/test/java/com/cloud/api/query/QueryManagerImplTest.java
index 892cd1e7def6..ccc0d0c8d4c4 100644
--- a/server/src/test/java/com/cloud/api/query/QueryManagerImplTest.java
+++ b/server/src/test/java/com/cloud/api/query/QueryManagerImplTest.java
@@ -18,6 +18,7 @@
 package com.cloud.api.query;
 
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verify;
@@ -33,6 +34,7 @@
 import java.util.UUID;
 import java.util.stream.Collectors;
 
+import com.cloud.host.dao.HostTagsDao;
 import org.apache.cloudstack.acl.SecurityChecker;
 import org.apache.cloudstack.api.ApiCommandResourceType;
 import org.apache.cloudstack.api.ResponseObject;
@@ -156,6 +158,9 @@ public class QueryManagerImplTest {
     @Mock
     HostDao hostDao;
 
+    @Mock
+    HostTagsDao hostTagsDao;
+
     @Mock
     ClusterDao clusterDao;
 
@@ -267,7 +272,7 @@ public void searchForEventsFailResourceTypeInvalid() {
     public void searchForEventsFailResourceIdInvalid() {
         ListEventsCmd cmd  = setupMockListEventsCmd();
         Mockito.when(cmd.getResourceId()).thenReturn("random");
-        Mockito.when(cmd.getResourceType()).thenReturn(ApiCommandResourceType.VirtualMachine.toString());
+        Mockito.lenient().when(cmd.getResourceType()).thenReturn(ApiCommandResourceType.VirtualMachine.toString());
         queryManager.searchForEvents(cmd);
     }
 
@@ -622,4 +627,39 @@ public void updateHostsExtensions_withHostResponses_setsExtension() {
         verify(host1).setExtensionId("a");
         verify(host2).setExtensionId("b");
     }
+
+    @Test
+    public void testAddVmCurrentClusterHostTags() {
+        String tag1 = "tag1";
+        String tag2 = "tag2";
+        VMInstanceVO vmInstance = mock(VMInstanceVO.class);
+        HostVO host = mock(HostVO.class);
+        when(vmInstance.getHostId()).thenReturn(null);
+        when(vmInstance.getLastHostId()).thenReturn(1L);
+        when(hostDao.findById(1L)).thenReturn(host);
+        when(host.getClusterId()).thenReturn(1L);
+        when(hostTagsDao.listByClusterId(1L)).thenReturn(Arrays.asList(tag1, tag2));
+
+        List<String> hostTags = new ArrayList<>(Collections.singleton(tag1));
+        queryManagerImplSpy.addVmCurrentClusterHostTags(vmInstance, hostTags);
+        assertEquals(2, hostTags.size());
+        assertTrue(hostTags.contains(tag2));
+    }
+
+    @Test
+    public void testAddVmCurrentClusterHostTagsEmptyHostTagsInCluster() {
+        String tag1 = "tag1";
+        VMInstanceVO vmInstance = mock(VMInstanceVO.class);
+        HostVO host = mock(HostVO.class);
+        when(vmInstance.getHostId()).thenReturn(null);
+        when(vmInstance.getLastHostId()).thenReturn(1L);
+        when(hostDao.findById(1L)).thenReturn(host);
+        when(host.getClusterId()).thenReturn(1L);
+        when(hostTagsDao.listByClusterId(1L)).thenReturn(null);
+
+        List<String> hostTags = new ArrayList<>(Collections.singleton(tag1));
+        queryManagerImplSpy.addVmCurrentClusterHostTags(vmInstance, hostTags);
+        assertEquals(1, hostTags.size());
+        assertTrue(hostTags.contains(tag1));
+    }
 }
diff --git a/server/src/test/java/com/cloud/api/query/dao/UserVmJoinDaoImplTest.java b/server/src/test/java/com/cloud/api/query/dao/UserVmJoinDaoImplTest.java
index 34e5e48cc32f..e4146fd22657 100755
--- a/server/src/test/java/com/cloud/api/query/dao/UserVmJoinDaoImplTest.java
+++ b/server/src/test/java/com/cloud/api/query/dao/UserVmJoinDaoImplTest.java
@@ -27,6 +27,7 @@
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.ResponseObject;
 import org.apache.cloudstack.api.response.UserVmResponse;
+import org.apache.cloudstack.extension.ExtensionHelper;
 import org.junit.After;
 import org.junit.Assert;
 import org.junit.Before;
@@ -82,6 +83,9 @@ public class UserVmJoinDaoImplTest extends GenericDaoBaseWithTagInformationBaseT
     @Mock
     private VMTemplateDao vmTemplateDao;
 
+    @Mock
+    ExtensionHelper extensionHelper;
+
     private UserVmJoinVO userVm = new UserVmJoinVO();
     private UserVmResponse userVmResponse = new UserVmResponse();
 
diff --git a/server/src/test/java/com/cloud/ha/HighAvailabilityManagerImplTest.java b/server/src/test/java/com/cloud/ha/HighAvailabilityManagerImplTest.java
index 9274bd1ff085..626f2cda172f 100644
--- a/server/src/test/java/com/cloud/ha/HighAvailabilityManagerImplTest.java
+++ b/server/src/test/java/com/cloud/ha/HighAvailabilityManagerImplTest.java
@@ -35,6 +35,7 @@
 import org.apache.cloudstack.engine.subsystem.api.storage.DataStoreProviderManager;
 import org.apache.cloudstack.framework.config.ConfigKey;
 import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
+import org.apache.cloudstack.ha.dao.HAConfigDao;
 import org.apache.cloudstack.managed.context.ManagedContext;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
@@ -118,6 +119,8 @@ public class HighAvailabilityManagerImplTest {
     @Mock
     ConfigurationDao _configDao;
     @Mock
+    HAConfigDao _haConfigDao;
+    @Mock
     VolumeOrchestrationService volumeMgr;
     @Mock
     ConsoleProxyManager consoleProxyManager;
@@ -362,7 +365,7 @@ public void investigateHostStatusSuccess() {
         investigators.add(investigator);
         highAvailabilityManager.setInvestigators(investigators);
         // Mock isAgentAlive to return host status as Down
-        Mockito.when(investigator.isAgentAlive(hostVO)).thenReturn(Status.Down);
+        Mockito.when(investigator.getHostAgentStatus(hostVO)).thenReturn(Status.Down);
 
         ConfigKey<Boolean> haEnabled = Mockito.mock(ConfigKey.class);
         highAvailabilityManager.VmHaEnabled = haEnabled;
diff --git a/server/src/test/java/com/cloud/hypervisor/KVMGuruTest.java b/server/src/test/java/com/cloud/hypervisor/KVMGuruTest.java
index d8d62df1a723..e5239a651230 100644
--- a/server/src/test/java/com/cloud/hypervisor/KVMGuruTest.java
+++ b/server/src/test/java/com/cloud/hypervisor/KVMGuruTest.java
@@ -16,6 +16,25 @@
 // under the License.
 package com.cloud.hypervisor;
 
+import java.io.UnsupportedEncodingException;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.framework.config.ConfigKey;
+import org.apache.cloudstack.utils.bytescale.ByteScaleUtils;
+import org.junit.After;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.Mockito;
+import org.mockito.Spy;
+import org.mockito.junit.MockitoJUnitRunner;
+
 import com.cloud.agent.api.to.NicTO;
 import com.cloud.agent.api.to.VirtualMachineTO;
 import com.cloud.configuration.ConfigurationManagerImpl;
@@ -34,23 +53,10 @@
 import com.cloud.utils.Pair;
 import com.cloud.vm.VirtualMachine;
 import com.cloud.vm.VirtualMachineProfile;
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.framework.config.ConfigKey;
-import org.apache.cloudstack.utils.bytescale.ByteScaleUtils;
-import org.junit.Assert;
-import org.junit.Before;
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.mockito.InjectMocks;
-import org.mockito.Mock;
-import org.mockito.Mockito;
-import org.mockito.Spy;
-import org.mockito.junit.MockitoJUnitRunner;
+import org.apache.cloudstack.framework.config.impl.ConfigDepotImpl;
 
-import java.io.UnsupportedEncodingException;
-import java.util.Arrays;
-import java.util.HashMap;
-import java.util.Map;
+import java.math.BigDecimal;
+import java.math.RoundingMode;
 
 @RunWith(MockitoJUnitRunner.class)
 public class KVMGuruTest {
@@ -111,8 +117,15 @@ public class KVMGuruTest {
     private static final String detail2Key = "detail2";
     private static final String detail2Value = "value2";
 
+    private ConfigKey<Integer> originalVmServiceOfferingMaxCpuCores;
+    private ConfigKey<Integer> originalVmServiceOfferingMaxRAMSize;
+
     @Before
     public void setup() throws UnsupportedEncodingException {
+        // Preserve the original value for restoration in tearDown
+        originalVmServiceOfferingMaxCpuCores = ConfigurationManagerImpl.VM_SERVICE_OFFERING_MAX_CPU_CORES;
+        originalVmServiceOfferingMaxRAMSize = ConfigurationManagerImpl.VM_SERVICE_OFFERING_MAX_RAM_SIZE;
+
         Mockito.when(vmTO.isLimitCpuUse()).thenReturn(true);
         Mockito.when(vmProfile.getVirtualMachine()).thenReturn(vm);
         Mockito.when(vm.getHostId()).thenReturn(hostId);
@@ -134,6 +147,13 @@ public void setup() throws UnsupportedEncodingException {
                 Arrays.asList(detail1, detail2));
     }
 
+    @After
+    public void tearDown() {
+        // Restore the original value
+        ConfigurationManagerImpl.VM_SERVICE_OFFERING_MAX_CPU_CORES = originalVmServiceOfferingMaxCpuCores;
+        ConfigurationManagerImpl.VM_SERVICE_OFFERING_MAX_RAM_SIZE = originalVmServiceOfferingMaxRAMSize;
+    }
+
     @Test
     public void testSetVmQuotaPercentage() {
         guru.setVmQuotaPercentage(vmTO, vmProfile);
@@ -170,79 +190,45 @@ public void testSetVmQuotaPercentageOverProvision() {
     }
 
     @Test
-    public void validateGetVmMaxMemoryReturnCustomOfferingMaxMemory(){
-        int maxCustomOfferingMemory = 64;
-        Mockito.when(serviceOfferingVoMock.getDetail(ApiConstants.MAX_MEMORY)).thenReturn(String.valueOf(maxCustomOfferingMemory));
+    public void getVmMaxMemoryTestConsiderKvmMemoryDynamicScalingCapacitySettingWhenItIsGreaterThanZero() {
+        int maxMemoryConfigValue = 64;
 
-        long result = guru.getVmMaxMemory(serviceOfferingVoMock, "Vm description", 1l);
+        ConfigDepotImpl configDepotMock = Mockito.mock(ConfigDepotImpl.class);
+        ConfigKey.init(configDepotMock);
+        Mockito.when(configDepotMock.getConfigStringValue(Mockito.any(), Mockito.any(), Mockito.any()))
+                .thenReturn(String.valueOf(maxMemoryConfigValue));
 
-        Assert.assertEquals(ByteScaleUtils.mebibytesToBytes(maxCustomOfferingMemory), result);
+        long result = guru.getVmMaxMemory(serviceOfferingVoMock, "Vm description", 1L, 1L);
+        ConfigKey.init(null);
+        Assert.assertEquals(ByteScaleUtils.mebibytesToBytes(maxMemoryConfigValue), result);
     }
 
     @Test
-    public void validateGetVmMaxMemoryReturnVmServiceOfferingMaxRAMSize(){
-        int maxMemoryConfig = 64;
-        Mockito.when(serviceOfferingVoMock.getDetail(ApiConstants.MAX_MEMORY)).thenReturn(null);
-
-        ConfigKey<Integer> vmServiceOfferingMaxRAMSize = Mockito.mock(ConfigKey.class);
-        ConfigurationManagerImpl.VM_SERVICE_OFFERING_MAX_RAM_SIZE = vmServiceOfferingMaxRAMSize;
-
-        Mockito.when(vmServiceOfferingMaxRAMSize.value()).thenReturn(maxMemoryConfig);
-        long result = guru.getVmMaxMemory(serviceOfferingVoMock, "Vm description", 1l);
-
-        Assert.assertEquals(ByteScaleUtils.mebibytesToBytes(maxMemoryConfig), result);
-    }
-
-    @Test
-    public void validateGetVmMaxMemoryReturnMaxHostMemory(){
+    public void getVmMaxMemoryTestConsiderHostMaxMemoryWhenKvmMemoryDynamicScalingCapacitySettingIsEqualToZero() {
         long maxHostMemory = ByteScaleUtils.mebibytesToBytes(2000);
-        Mockito.when(serviceOfferingVoMock.getDetail(ApiConstants.MAX_MEMORY)).thenReturn(null);
-
-        ConfigKey<Integer> vmServiceOfferingMaxRAMSize = Mockito.mock(ConfigKey.class);
-        ConfigurationManagerImpl.VM_SERVICE_OFFERING_MAX_RAM_SIZE = vmServiceOfferingMaxRAMSize;
-
-        Mockito.when(vmServiceOfferingMaxRAMSize.value()).thenReturn(0);
-
-        long result = guru.getVmMaxMemory(serviceOfferingVoMock, "Vm description", maxHostMemory);
+        long result = guru.getVmMaxMemory(serviceOfferingVoMock, "Vm description", maxHostMemory, 1L);
 
         Assert.assertEquals(maxHostMemory, result);
     }
 
     @Test
-    public void validateGetVmMaxCpuCoresReturnCustomOfferingMaxCpuCores(){
-        int maxCustomOfferingCpuCores = 16;
-        Mockito.when(serviceOfferingVoMock.getDetail(ApiConstants.MAX_CPU_NUMBER)).thenReturn(String.valueOf(maxCustomOfferingCpuCores));
-
-        long result = guru.getVmMaxCpuCores(serviceOfferingVoMock, "Vm description", 1);
-
-        Assert.assertEquals(maxCustomOfferingCpuCores, result);
-    }
-
-    @Test
-    public void validateGetVmMaxCpuCoresVmServiceOfferingMaxCPUCores(){
+    public void getVmMaxCpuCoresTestConsiderKvmCpuDynamicScalingCapacitySettingWhenItIsGreaterThanZero() {
         int maxCpuCoresConfig = 16;
-        Mockito.when(serviceOfferingVoMock.getDetail(ApiConstants.MAX_CPU_NUMBER)).thenReturn(null);
-
-        ConfigKey<Integer> vmServiceOfferingMaxCPUCores = Mockito.mock(ConfigKey.class);
-        ConfigurationManagerImpl.VM_SERVICE_OFFERING_MAX_CPU_CORES = vmServiceOfferingMaxCPUCores;
+        ConfigDepotImpl configDepotMock = Mockito.mock(ConfigDepotImpl.class);
+        ConfigKey.init(configDepotMock);
+        Mockito.when(configDepotMock.getConfigStringValue(Mockito.any(), Mockito.any(), Mockito.any()))
+                .thenReturn(String.valueOf(maxCpuCoresConfig));
 
-        Mockito.when(vmServiceOfferingMaxCPUCores.value()).thenReturn(maxCpuCoresConfig);
-        long result = guru.getVmMaxCpuCores(serviceOfferingVoMock, "Vm description", 1);
+        long result = guru.getVmMaxCpuCores(serviceOfferingVoMock, "Vm description", 1, 1L);
+        ConfigKey.init(null);
 
         Assert.assertEquals(maxCpuCoresConfig, result);
     }
 
     @Test
-    public void validateGetVmMaxCpuCoresReturnMaxHostMemory(){
+    public void getVmMaxCpuCoresTestConsiderHostMaxCpuWhenKvmCpuDynamicScalingCapacitySettingIsEqualToZero() {
         int maxHostCpuCores = 64;
-        Mockito.when(serviceOfferingVoMock.getDetail(ApiConstants.MAX_CPU_NUMBER)).thenReturn(null);
-
-        ConfigKey<Integer> vmServiceOfferingMaxCPUCores = Mockito.mock(ConfigKey.class);
-        ConfigurationManagerImpl.VM_SERVICE_OFFERING_MAX_CPU_CORES = vmServiceOfferingMaxCPUCores;
-
-        Mockito.when(vmServiceOfferingMaxCPUCores.value()).thenReturn(0);
-
-        long result = guru.getVmMaxCpuCores(serviceOfferingVoMock, "Vm description", maxHostCpuCores);
+        long result = guru.getVmMaxCpuCores(serviceOfferingVoMock, "Vm description", maxHostCpuCores, 1L);
 
         Assert.assertEquals(maxHostCpuCores, result);
     }
@@ -305,39 +291,36 @@ public void validateConfigureVmMemoryAndCpuCoresServiceOfferingIsDynamicAndVmIsD
         guru.serviceOfferingDao = serviceOfferingDaoMock;
 
         Mockito.doReturn(serviceOfferingVoMock).when(serviceOfferingDaoMock).findById(Mockito.anyLong(), Mockito.anyLong());
-        Mockito.doReturn(true).when(guru).isVmDynamicScalable(Mockito.any(), Mockito.any(), Mockito.any());
+        Mockito.doReturn(true).when(guru).isVmDynamicScalable(Mockito.any(), Mockito.any());
 
         guru.configureVmMemoryAndCpuCores(vmTO, host, virtualMachineMock, vmProfile);
 
-        Mockito.verify(guru).getVmMaxMemory(Mockito.any(ServiceOfferingVO.class), Mockito.anyString(), Mockito.anyLong());
-        Mockito.verify(guru).getVmMaxCpuCores(Mockito.any(ServiceOfferingVO.class), Mockito.anyString(), Mockito.anyInt());
+        Mockito.verify(guru).getVmMaxMemory(Mockito.any(ServiceOfferingVO.class), Mockito.anyString(), Mockito.anyLong(), Mockito.anyLong());
+        Mockito.verify(guru).getVmMaxCpuCores(Mockito.any(ServiceOfferingVO.class), Mockito.anyString(), Mockito.anyInt(), Mockito.anyLong());
     }
 
     @Test
     public void validateConfigureVmMemoryAndCpuCoresServiceOfferingIsNotDynamicAndVmIsDynamicDoNotCallGetMethods(){
         guru.serviceOfferingDao = serviceOfferingDaoMock;
 
-        Mockito.doReturn(serviceOfferingVoMock).when(serviceOfferingDaoMock).findById(Mockito.anyLong(), Mockito.anyLong());
-        Mockito.doReturn(false).when(guru).isVmDynamicScalable(Mockito.any(), Mockito.any(), Mockito.any());
+        Mockito.doReturn(false).when(guru).isVmDynamicScalable(Mockito.any(), Mockito.any());
 
         guru.configureVmMemoryAndCpuCores(vmTO, host, virtualMachineMock, vmProfile);
 
-        Mockito.verify(guru, Mockito.never()).getVmMaxMemory(Mockito.any(ServiceOfferingVO.class), Mockito.anyString(), Mockito.anyLong());
-        Mockito.verify(guru, Mockito.never()).getVmMaxCpuCores(Mockito.any(ServiceOfferingVO.class), Mockito.anyString(), Mockito.anyInt());
+        Mockito.verify(guru, Mockito.never()).getVmMaxMemory(Mockito.any(ServiceOfferingVO.class), Mockito.anyString(), Mockito.anyLong(), Mockito.anyLong());
+        Mockito.verify(guru, Mockito.never()).getVmMaxCpuCores(Mockito.any(ServiceOfferingVO.class), Mockito.anyString(), Mockito.anyInt(), Mockito.anyLong());
     }
 
     @Test
     public void validateConfigureVmMemoryAndCpuCoresServiceOfferingIsDynamicAndVmIsNotDynamicDoNotCallGetMethods(){
         guru.serviceOfferingDao = serviceOfferingDaoMock;
 
-        Mockito.doReturn(serviceOfferingVoMock).when(serviceOfferingDaoMock).findById(Mockito.anyLong(), Mockito.anyLong());
-        Mockito.doReturn(true).when(serviceOfferingVoMock).isDynamic();
         Mockito.doReturn(false).when(vmTO).isEnableDynamicallyScaleVm();
 
         guru.configureVmMemoryAndCpuCores(vmTO, host, virtualMachineMock, vmProfile);
 
-        Mockito.verify(guru, Mockito.never()).getVmMaxMemory(Mockito.any(ServiceOfferingVO.class), Mockito.anyString(), Mockito.anyLong());
-        Mockito.verify(guru, Mockito.never()).getVmMaxCpuCores(Mockito.any(ServiceOfferingVO.class), Mockito.anyString(), Mockito.anyInt());
+        Mockito.verify(guru, Mockito.never()).getVmMaxMemory(Mockito.any(ServiceOfferingVO.class), Mockito.anyString(), Mockito.anyLong(), Mockito.anyLong());
+        Mockito.verify(guru, Mockito.never()).getVmMaxCpuCores(Mockito.any(ServiceOfferingVO.class), Mockito.anyString(), Mockito.anyInt(), Mockito.anyLong());
     }
 
     @Test
@@ -490,4 +473,30 @@ public void testGetNullWhenVMThereIsNoInformationOfUsedHosts() {
 
         Assert.assertNull(clusterId);
     }
+
+    @Test
+    public void getCpuQuotaPercentageTestAssertQuotaEqualsVmSpeedDividedByHostSpeed() {
+        double hostSpeed = 3000;
+        double vmSpeed = 500;
+        double expectedQuota = new BigDecimal(vmSpeed / hostSpeed).setScale(2, RoundingMode.HALF_DOWN).doubleValue();
+        double actualQuota = guru.getCpuQuotaPercentage(vmSpeed, hostSpeed);
+        Assert.assertEquals(expectedQuota, actualQuota, 0.0001);
+    }
+
+    @Test
+    public void getCpuQuotaPercentageTestAssertQuotaEqualsOneWhenVmSpeedIsGreaterThanHostSpeed() {
+        double hostSpeed = 3000;
+        double vmSpeed = 6000;
+        double expectedQuota = 1;
+        double actualQuota = guru.getCpuQuotaPercentage(vmSpeed, hostSpeed);
+        Assert.assertEquals(expectedQuota, actualQuota, 0.0001);
+    }
+
+    @Test
+    public void getCpuQuotaPercentageTestReturnNullWhenANumberFormatExceptionIsThrown() {
+        double hostSpeed = 0;
+        double vmSpeed = 6000;
+        Double actualQuota = guru.getCpuQuotaPercentage(vmSpeed, hostSpeed);
+        Assert.assertNull(actualQuota);
+    }
 }
diff --git a/server/src/test/java/com/cloud/network/IpAddressManagerTest.java b/server/src/test/java/com/cloud/network/IpAddressManagerTest.java
index 824d4ee47019..cf3a886ce99f 100644
--- a/server/src/test/java/com/cloud/network/IpAddressManagerTest.java
+++ b/server/src/test/java/com/cloud/network/IpAddressManagerTest.java
@@ -356,6 +356,7 @@ public void checkIfPublicIpAddressIsNotInQuarantineAndCanBeAllocatedTestIpIsNoLo
         Mockito.when(ipAddressMock.getId()).thenReturn(dummyID);
         Mockito.when(publicIpQuarantineDaoMock.findByPublicIpAddressId(Mockito.anyLong())).thenReturn(publicIpQuarantineVOMock);
         Mockito.doReturn(false).when(ipAddressManager).isPublicIpAddressStillInQuarantine(Mockito.any(PublicIpQuarantineVO.class), Mockito.any(Date.class));
+        Mockito.doNothing().when(ipAddressManager).removePublicIpAddressFromQuarantine(Mockito.anyLong(), Mockito.anyString());
 
         boolean result = ipAddressManager.canPublicIpAddressBeAllocated(ipAddressMock, newOwnerMock);
 
diff --git a/server/src/test/java/com/cloud/network/NetworkServiceImplTest.java b/server/src/test/java/com/cloud/network/NetworkServiceImplTest.java
index 51b2dad3decd..cd7d40d68951 100644
--- a/server/src/test/java/com/cloud/network/NetworkServiceImplTest.java
+++ b/server/src/test/java/com/cloud/network/NetworkServiceImplTest.java
@@ -460,7 +460,7 @@ public void testCreateGuestNetwork() throws InsufficientCapacityException, Resou
                 null, null, false, null, accountMock, null, phyNet,
                 1L, null, null, null, null, null,
                 true, null, null, null, null, null,
-                null, null, null, null, new Pair<>(1500, privateMtu), null);
+                null, null, null, null, new Pair<>(1500, privateMtu), null, true);
     }
     @Test
     public void testValidateMtuConfigWhenMtusExceedThreshold() {
@@ -1330,4 +1330,52 @@ public void addProjectNetworksConditionToSearch_includesSpecificProjectWhenProje
         Mockito.verify(accountJoin).addAnd("type", SearchCriteria.Op.EQ, Account.Type.PROJECT);
         Mockito.verify(sc).addAnd("id", SearchCriteria.Op.SC, accountJoin);
     }
+
+    @Test(expected = InvalidParameterValueException.class)
+    public void getAndValidateSupportForKeepMacAddressOnPublicNicParameterTestThrowExceptionWhenParamIsSpecifiedOnTiersCreation() {
+        networkOfferingVO = Mockito.mock(NetworkOfferingVO.class);
+        Mockito.when(networkOfferingVO.isForVpc()).thenReturn(true);
+
+        service.getAndValidateSupportForKeepMacAddressOnPublicNicParameter(true, networkOfferingVO);
+    }
+
+    @Test
+    public void getAndValidateSupportForKeepMacAddressOnPublicNicParameterTestReturnTrueByDefaultOnTiersCreation() {
+        networkOfferingVO = Mockito.mock(NetworkOfferingVO.class);
+        Mockito.when(networkOfferingVO.isForVpc()).thenReturn(true);
+
+        Assert.assertTrue(service.getAndValidateSupportForKeepMacAddressOnPublicNicParameter(null, networkOfferingVO));
+    }
+
+    @Test(expected = InvalidParameterValueException.class)
+    public void getAndValidateSupportForKeepMacAddressOnPublicNicParameterTestThrowExceptionWhenParamIsSpecifiedOnNonIsolatedNetworksCreation() {
+        networkOfferingVO = Mockito.mock(NetworkOfferingVO.class);
+        Mockito.when(networkOfferingVO.getGuestType()).thenReturn(Network.GuestType.Shared);
+
+        service.getAndValidateSupportForKeepMacAddressOnPublicNicParameter(true, networkOfferingVO);
+    }
+
+    @Test
+    public void getAndValidateSupportForKeepMacAddressOnPublicNicParameterTestReturnTrueByDefaultOnNonIsolatedNetworksCreation() {
+        networkOfferingVO = Mockito.mock(NetworkOfferingVO.class);
+        Mockito.when(networkOfferingVO.getGuestType()).thenReturn(Network.GuestType.L2);
+
+        Assert.assertTrue(service.getAndValidateSupportForKeepMacAddressOnPublicNicParameter(null, networkOfferingVO));
+    }
+
+    @Test
+    public void getAndValidateSupportForKeepMacAddressOnPublicNicParameterTestReturnTrueByDefaultOnIsolatedNetworksCreation() {
+        networkOfferingVO = Mockito.mock(NetworkOfferingVO.class);
+        Mockito.when(networkOfferingVO.getGuestType()).thenReturn(Network.GuestType.Isolated);
+
+        Assert.assertTrue(service.getAndValidateSupportForKeepMacAddressOnPublicNicParameter(null, networkOfferingVO));
+    }
+
+    @Test
+    public void getAndValidateSupportForKeepMacAddressOnPublicNicParameterTestReturnSpecifiedValueOnIsolatedNetworksCreation() {
+        networkOfferingVO = Mockito.mock(NetworkOfferingVO.class);
+        Mockito.when(networkOfferingVO.getGuestType()).thenReturn(Network.GuestType.Isolated);
+
+        Assert.assertFalse(service.getAndValidateSupportForKeepMacAddressOnPublicNicParameter(false, networkOfferingVO));
+    }
 }
diff --git a/server/src/test/java/com/cloud/network/router/NetworkHelperImplTest.java b/server/src/test/java/com/cloud/network/router/NetworkHelperImplTest.java
index 4237ef7f6f65..e4773d01de92 100644
--- a/server/src/test/java/com/cloud/network/router/NetworkHelperImplTest.java
+++ b/server/src/test/java/com/cloud/network/router/NetworkHelperImplTest.java
@@ -24,18 +24,31 @@
 import static org.mockito.Mockito.doReturn;
 import static org.mockito.Mockito.lenient;
 import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.spy;
 import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 
+import com.cloud.deploy.DeployDestination;
+import com.cloud.exception.InsufficientAddressCapacityException;
+import com.cloud.network.Ipv6Service;
+import com.cloud.network.Network;
+import com.cloud.network.Networks;
+import com.cloud.network.addr.PublicIp;
+import com.cloud.network.dao.NetworkVO;
+import com.cloud.offering.NetworkOffering;
+import com.cloud.utils.net.Ip;
+import com.cloud.vm.NicProfile;
+import com.cloud.vm.NicVO;
 import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
 import org.apache.cloudstack.network.router.deployment.RouterDeploymentDefinition;
+import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.mockito.InjectMocks;
 import org.mockito.Mock;
+import org.mockito.Mockito;
+import org.mockito.Spy;
 import org.mockito.junit.MockitoJUnitRunner;
 
 import com.cloud.agent.AgentManager;
@@ -57,6 +70,9 @@
 import com.cloud.vm.dao.DomainRouterDao;
 import com.cloud.vm.dao.NicDao;
 
+import java.util.List;
+import java.util.Map;
+
 
 @RunWith(MockitoJUnitRunner.class)
 public class NetworkHelperImplTest {
@@ -69,32 +85,59 @@ public class NetworkHelperImplTest {
     @Mock
     DomainRouterDao routerDao;
 
+    @Spy
     @InjectMocks
-    protected NetworkHelperImpl nwHelper = new NetworkHelperImpl();
+    protected NetworkHelperImpl networkHelperSpy = new NetworkHelperImpl();
+
     @Mock
     NetworkOrchestrationService networkOrchestrationService;
+
     @Mock
     NetworkDao networkDao;
+
     @Mock
     NetworkModel networkModel;
+
     @Mock
-    NicDao nicDao;
+    private NicDao nicDaoMock;
 
     @Mock
     private RouterDeploymentDefinition routerDeploymentDefinition;
+
     @Mock
     private VirtualRouterProvider virtualProvider;
+
     @Mock
     private Account owner;
+
     @Mock
     private ServiceOfferingVO routerOffering;
+
     @Mock
     private VMTemplateVO template;
 
+    @Mock
+    private PublicIp publicIpMock;
+
+    @Mock
+    private RouterDeploymentDefinition routerDeploymentDefinitionMock;
+
+    @Mock
+    private Ipv6Service ipv6ServiceMock;
+
+    @Mock
+    private NicVO nicVoMock;
+
+    @Mock
+    private Network networkMock;
+
+    private NicProfile nicProfile = new NicProfile();
+
     @Before
     public void setUp() {
-        nwHelper._networkDao = networkDao;
-        nwHelper._networkModel = networkModel;
+        networkHelperSpy._networkDao = networkDao;
+        networkHelperSpy._networkModel = networkModel;
+
         when(template.getId()).thenReturn(1L);
         when(template.isDynamicallyScalable()).thenReturn(true);
         when(virtualProvider.getId()).thenReturn(1L);
@@ -107,7 +150,7 @@ public void setUp() {
     public void testSendCommandsToRouterWrongRouterVersion()
             throws AgentUnavailableException, OperationTimedoutException, ResourceUnavailableException {
         // Prepare
-        NetworkHelperImpl nwHelperUT = spy(this.nwHelper);
+        NetworkHelperImpl nwHelperUT = networkHelperSpy;
         VirtualRouter vr = mock(VirtualRouter.class);
         doReturn(false).when(nwHelperUT).checkRouterVersion(vr);
 
@@ -122,7 +165,7 @@ public void testSendCommandsToRouterWrongRouterVersion()
     public void testSendCommandsToRouter()
             throws AgentUnavailableException, OperationTimedoutException, ResourceUnavailableException {
         // Prepare
-        NetworkHelperImpl nwHelperUT = spy(this.nwHelper);
+        NetworkHelperImpl nwHelperUT = networkHelperSpy;
         VirtualRouter vr = mock(VirtualRouter.class);
         when(vr.getHostId()).thenReturn(HOST_ID);
         doReturn(true).when(nwHelperUT).checkRouterVersion(vr);
@@ -160,7 +203,7 @@ public void testSendCommandsToRouter()
     public void testSendCommandsToRouterWithTrueResult()
             throws AgentUnavailableException, OperationTimedoutException, ResourceUnavailableException {
         // Prepare
-        NetworkHelperImpl nwHelperUT = spy(this.nwHelper);
+        NetworkHelperImpl nwHelperUT = networkHelperSpy;
         VirtualRouter vr = mock(VirtualRouter.class);
         when(vr.getHostId()).thenReturn(HOST_ID);
         doReturn(true).when(nwHelperUT).checkRouterVersion(vr);
@@ -198,7 +241,7 @@ public void testSendCommandsToRouterWithTrueResult()
     public void testSendCommandsToRouterWithNoAnswers()
             throws AgentUnavailableException, OperationTimedoutException, ResourceUnavailableException {
         // Prepare
-        NetworkHelperImpl nwHelperUT = spy(this.nwHelper);
+        NetworkHelperImpl nwHelperUT = networkHelperSpy;
         VirtualRouter vr = mock(VirtualRouter.class);
         when(vr.getHostId()).thenReturn(HOST_ID);
         doReturn(true).when(nwHelperUT).checkRouterVersion(vr);
@@ -227,7 +270,7 @@ public void testCreateDomainRouter_New() {
         boolean offerHA = false;
         Long vpcId = 900L;
         when(routerDao.persist(any(DomainRouterVO.class))).thenAnswer(invocation -> invocation.getArgument(0));
-        DomainRouterVO result = nwHelper.createOrUpdateDomainRouter(
+        DomainRouterVO result = networkHelperSpy.createOrUpdateDomainRouter(
                 null, id, routerDeploymentDefinition, owner, userId, routerOffering, offerHA, vpcId, template);
         assertNotNull(result);
         assertEquals(id, result.getId());
@@ -261,11 +304,234 @@ public void testUpdateDomainRouter() {
                 owner.getDomainId(), owner.getId(), userId, routerDeploymentDefinition.isRedundant(), VirtualRouter.RedundantState.UNKNOWN,
                 offerHA, false, vpcId);
         existing.setDynamicallyScalable(false);
-        DomainRouterVO result = nwHelper.createOrUpdateDomainRouter(
+        DomainRouterVO result = networkHelperSpy.createOrUpdateDomainRouter(
                 existing, id, routerDeploymentDefinition, owner, userId, routerOffering, offerHA, vpcId, template);
         verify(routerDao).update(existing.getId(), existing);
         assertEquals(template.getId(), result.getTemplateId());
         assertEquals(Hypervisor.HypervisorType.KVM, result.getHypervisorType());
         assertTrue(result.isDynamicallyScalable());
     }
+
+
+    private NicProfile getExpectedNicProfile(boolean vxlan, String vlanTag) {
+        NicProfile nic = new NicProfile();
+        nic.setDefaultNic(true);
+        nic.setIPv4Address("192.168.0.10");
+        nic.setIPv4Gateway("192.168.0.1");
+        nic.setIPv4Netmask("255.255.255.0");
+        nic.setMacAddress("ff-ff-ff-ff-ff-ff");
+
+        if (vxlan) {
+            nic.setBroadcastType(Networks.BroadcastDomainType.Vxlan);
+            nic.setBroadcastUri(Networks.BroadcastDomainType.Vxlan.toUri(vlanTag));
+            nic.setIsolationUri(Networks.BroadcastDomainType.Vxlan.toUri(vlanTag));
+        } else {
+            nic.setBroadcastType(Networks.BroadcastDomainType.Vlan);
+            nic.setBroadcastUri(vlanTag != null ? Networks.BroadcastDomainType.Vlan.toUri(vlanTag) : null);
+            nic.setIsolationUri(vlanTag != null ? Networks.IsolationType.Vlan.toUri(vlanTag) : null);
+        }
+
+        return nic;
+    }
+
+    @Test
+    public void configurePublicVrNicBasedOnSourceNatIpTestConfigureVxLanNic() {
+        String vlanTag = "200";
+        NicProfile expected = getExpectedNicProfile(true, vlanTag);
+
+        Ip ipMock = Mockito.mock(Ip.class);
+        NetworkVO publicNetworkMock = Mockito.mock(NetworkVO.class);
+        long networkId = 1L;
+        Mockito.when(publicIpMock.getAddress()).thenReturn(ipMock);
+        Mockito.when(ipMock.addr()).thenReturn(expected.getIPv4Address());
+        Mockito.when(publicIpMock.getGateway()).thenReturn(expected.getIPv4Gateway());
+        Mockito.when(publicIpMock.getNetmask()).thenReturn(expected.getIPv4Netmask());
+        Mockito.when(publicIpMock.getMacAddress()).thenReturn(expected.getMacAddress());
+        Mockito.when(publicIpMock.getNetworkId()).thenReturn(networkId);
+        Mockito.when(networkDao.findById(networkId)).thenReturn(publicNetworkMock);
+        Mockito.when(publicNetworkMock.getBroadcastDomainType()).thenReturn(Networks.BroadcastDomainType.Vxlan);
+        Mockito.when(publicIpMock.getVlanTag()).thenReturn(vlanTag);
+
+        networkHelperSpy.configurePublicVrNicBasedOnSourceNatIp(nicProfile, publicIpMock);
+
+        Assert.assertTrue(nicProfile.isDefaultNic());
+        Assert.assertEquals(expected.getIPv4Address(), nicProfile.getIPv4Address());
+        Assert.assertEquals(expected.getIPv4Gateway(), nicProfile.getIPv4Gateway());
+        Assert.assertEquals(expected.getIPv4Netmask(), nicProfile.getIPv4Netmask());
+        Assert.assertEquals(expected.getMacAddress(), nicProfile.getMacAddress());
+        Assert.assertEquals(expected.getBroadcastType(), nicProfile.getBroadcastType());
+        Assert.assertEquals(expected.getBroadCastUri(), nicProfile.getBroadCastUri());
+        Assert.assertEquals(expected.getIsolationUri(), nicProfile.getIsolationUri());
+    }
+
+    @Test
+    public void configurePublicVrNicBasedOnSourceNatIpTestConfigureVlanNicWithVlanTag() {
+        String vlanTag = "200";
+        NicProfile expected = getExpectedNicProfile(false, vlanTag);
+
+        Ip ipMock = Mockito.mock(Ip.class);
+        NetworkVO publicNetworkMock = Mockito.mock(NetworkVO.class);
+        long networkId = 1L;
+        Mockito.when(publicIpMock.getAddress()).thenReturn(ipMock);
+        Mockito.when(ipMock.addr()).thenReturn(expected.getIPv4Address());
+        Mockito.when(publicIpMock.getGateway()).thenReturn(expected.getIPv4Gateway());
+        Mockito.when(publicIpMock.getNetmask()).thenReturn(expected.getIPv4Netmask());
+        Mockito.when(publicIpMock.getMacAddress()).thenReturn(expected.getMacAddress());
+        Mockito.when(publicIpMock.getNetworkId()).thenReturn(networkId);
+        Mockito.when(networkDao.findById(networkId)).thenReturn(publicNetworkMock);
+        Mockito.when(publicNetworkMock.getBroadcastDomainType()).thenReturn(Networks.BroadcastDomainType.Vlan);
+        Mockito.when(publicIpMock.getVlanTag()).thenReturn(vlanTag);
+
+        networkHelperSpy.configurePublicVrNicBasedOnSourceNatIp(nicProfile, publicIpMock);
+
+        Assert.assertTrue(nicProfile.isDefaultNic());
+        Assert.assertEquals(expected.getIPv4Address(), nicProfile.getIPv4Address());
+        Assert.assertEquals(expected.getIPv4Gateway(), nicProfile.getIPv4Gateway());
+        Assert.assertEquals(expected.getIPv4Netmask(), nicProfile.getIPv4Netmask());
+        Assert.assertEquals(expected.getMacAddress(), nicProfile.getMacAddress());
+        Assert.assertEquals(expected.getBroadcastType(), nicProfile.getBroadcastType());
+        Assert.assertEquals(expected.getBroadCastUri(), nicProfile.getBroadCastUri());
+        Assert.assertEquals(expected.getIsolationUri(), nicProfile.getIsolationUri());
+    }
+
+    @Test
+    public void configurePublicVrNicBasedOnSourceNatIpTestConfigureVlanNicWithNoVlanTag() {
+        String vlanTag = null;
+        NicProfile expected = getExpectedNicProfile(false, vlanTag);
+
+        Ip ipMock = Mockito.mock(Ip.class);
+        NetworkVO publicNetworkMock = Mockito.mock(NetworkVO.class);
+        long networkId = 1L;
+        Mockito.when(publicIpMock.getAddress()).thenReturn(ipMock);
+        Mockito.when(ipMock.addr()).thenReturn(expected.getIPv4Address());
+        Mockito.when(publicIpMock.getGateway()).thenReturn(expected.getIPv4Gateway());
+        Mockito.when(publicIpMock.getNetmask()).thenReturn(expected.getIPv4Netmask());
+        Mockito.when(publicIpMock.getMacAddress()).thenReturn(expected.getMacAddress());
+        Mockito.when(publicIpMock.getNetworkId()).thenReturn(networkId);
+        Mockito.when(networkDao.findById(networkId)).thenReturn(publicNetworkMock);
+        Mockito.when(publicNetworkMock.getBroadcastDomainType()).thenReturn(Networks.BroadcastDomainType.Vlan);
+        Mockito.when(publicIpMock.getVlanTag()).thenReturn(vlanTag);
+
+        networkHelperSpy.configurePublicVrNicBasedOnSourceNatIp(nicProfile, publicIpMock);
+
+        Assert.assertTrue(nicProfile.isDefaultNic());
+        Assert.assertEquals(expected.getIPv4Address(), nicProfile.getIPv4Address());
+        Assert.assertEquals(expected.getIPv4Gateway(), nicProfile.getIPv4Gateway());
+        Assert.assertEquals(expected.getIPv4Netmask(), nicProfile.getIPv4Netmask());
+        Assert.assertEquals(expected.getMacAddress(), nicProfile.getMacAddress());
+        Assert.assertEquals(expected.getBroadcastType(), nicProfile.getBroadcastType());
+        Assert.assertEquals(expected.getBroadCastUri(), nicProfile.getBroadCastUri());
+        Assert.assertEquals(expected.getIsolationUri(), nicProfile.getIsolationUri());
+    }
+
+    @Test
+    public void setPublicNicMacAddressSameAsPeerNicTestDoNothingWhenThereIsNoPeer() throws InsufficientAddressCapacityException {
+        String newMacAddress = "ff-ff-ff-ff-ff-ff";
+        nicProfile.setIPv4Address("10.0.0.1");
+        nicProfile.setMacAddress(newMacAddress);
+        Mockito.when(nicDaoMock.findByIp4AddressAndNetworkId(Mockito.anyString(), Mockito.anyLong())).thenReturn(null);
+
+        networkHelperSpy.setPublicNicMacAddressSameAsPeerNic(nicProfile, networkMock, routerDeploymentDefinitionMock);
+
+        Assert.assertEquals(newMacAddress, nicProfile.getMacAddress());
+    }
+
+    @Test
+    public void setPublicNicMacAddressSameAsPeerNicTestKeepMacAddress() throws InsufficientAddressCapacityException {
+        String peerMacAddress = "ff-ff-ff-ff-ff-ff";
+        nicProfile.setIPv4Address("10.0.0.1");
+        nicProfile.setMacAddress("ff-ff-ff-ff-ff-f1");
+
+        Mockito.when(nicDaoMock.findByIp4AddressAndNetworkId(Mockito.anyString(), Mockito.anyLong())).thenReturn(nicVoMock);
+        Mockito.when(nicVoMock.getMacAddress()).thenReturn(peerMacAddress);
+        Mockito.when(routerDeploymentDefinitionMock.getKeepMacAddressOnPublicNic()).thenReturn(true);
+
+        networkHelperSpy.setPublicNicMacAddressSameAsPeerNic(nicProfile, networkMock, routerDeploymentDefinitionMock);
+
+        Assert.assertEquals(peerMacAddress, nicProfile.getMacAddress());
+    }
+
+    @Test
+    public void setPublicNicMacAddressSameAsPeerNicTestDifferentMacAddressFetchingNewSourceNatIp() throws InsufficientAddressCapacityException {
+        String macAddress = "ff-ff-ff-ff-ff-f1";
+        nicProfile.setIPv4Address("10.0.0.1");
+        nicProfile.setMacAddress(macAddress);
+        PublicIp publicIpMock = Mockito.mock(PublicIp.class);
+
+        Mockito.when(nicDaoMock.findByIp4AddressAndNetworkId(Mockito.anyString(), Mockito.anyLong())).thenReturn(nicVoMock);
+        Mockito.when(nicVoMock.getMacAddress()).thenReturn(macAddress);
+        Mockito.when(routerDeploymentDefinitionMock.getKeepMacAddressOnPublicNic()).thenReturn(false);
+        Mockito.when(routerDeploymentDefinitionMock.getSourceNatIP()).thenReturn(publicIpMock);
+        Mockito.doNothing().when(networkHelperSpy).configurePublicVrNicBasedOnSourceNatIp(nicProfile, publicIpMock);
+
+        networkHelperSpy.setPublicNicMacAddressSameAsPeerNic(nicProfile, networkMock, routerDeploymentDefinitionMock);
+
+        Mockito.verify(routerDeploymentDefinitionMock).findSourceNatIP();
+        Mockito.verify(networkHelperSpy).configurePublicVrNicBasedOnSourceNatIp(nicProfile, publicIpMock);
+    }
+
+    @Test
+    public void setPublicNicMacAddressSameAsPeerNicTestDifferentMacAddressNotFetchingNewSourceNatIp() throws InsufficientAddressCapacityException {
+        String newMacAddress = "ff-ff-ff-ff-ff-ff";
+        nicProfile.setIPv4Address("10.0.0.1");
+        nicProfile.setMacAddress(newMacAddress);
+
+        Mockito.when(nicDaoMock.findByIp4AddressAndNetworkId(Mockito.anyString(), Mockito.anyLong())).thenReturn(nicVoMock);
+        Mockito.when(nicVoMock.getMacAddress()).thenReturn("ff-ff-ff-ff-ff-f1");
+        Mockito.when(routerDeploymentDefinitionMock.getKeepMacAddressOnPublicNic()).thenReturn(false);
+
+        networkHelperSpy.setPublicNicMacAddressSameAsPeerNic(nicProfile, networkMock, routerDeploymentDefinitionMock);
+
+        Mockito.verify(routerDeploymentDefinitionMock, Mockito.never()).findSourceNatIP();
+        Mockito.verify(networkHelperSpy, Mockito.never()).configurePublicVrNicBasedOnSourceNatIp(Mockito.any(), Mockito.any());
+        Assert.assertEquals(newMacAddress, nicProfile.getMacAddress());
+    }
+
+    @Test
+    public void configurePublicNicTestReturnEmptyMapWhenNetworkIsNotPublic() throws InsufficientAddressCapacityException {
+        Mockito.when(routerDeploymentDefinitionMock.isPublicNetwork()).thenReturn(false);
+
+        Map<Network, List<? extends NicProfile>> nic = networkHelperSpy.configurePublicNic(routerDeploymentDefinitionMock, false);
+        Assert.assertTrue(nic.isEmpty());
+    }
+
+    @Test
+    public void configurePublicNicTestConfigureDeviceId() throws InsufficientAddressCapacityException {
+        PublicIp publicIpMock = Mockito.mock(PublicIp.class);
+        NetworkOffering networkOfferingMock = Mockito.mock(NetworkOffering.class);
+
+        Mockito.when(routerDeploymentDefinitionMock.isPublicNetwork()).thenReturn(true);
+        Mockito.when(routerDeploymentDefinitionMock.getSourceNatIP()).thenReturn(publicIpMock);
+        Mockito.doNothing().when(networkHelperSpy).configurePublicVrNicBasedOnSourceNatIp(Mockito.any(), Mockito.any());
+        Mockito.doReturn(List.of(networkOfferingMock)).when(networkModel).getSystemAccountNetworkOfferings(Mockito.any());
+        Mockito.doReturn(List.of(networkMock)).when(networkOrchestrationService).setupNetwork(
+                Mockito.any(), Mockito.any(), Mockito.any(), Mockito.any(), Mockito.any(), Mockito.anyBoolean()
+        );
+        Mockito.doNothing().when(networkHelperSpy).setPublicNicMacAddressSameAsPeerNic(Mockito.any(), Mockito.any(), Mockito.any());
+
+        Map<Network, List<? extends NicProfile>> nic = networkHelperSpy.configurePublicNic(routerDeploymentDefinitionMock, true);
+        Integer nicDeviceId = nic.get(networkMock).get(0).getDeviceId();
+        Assert.assertEquals(2, nicDeviceId.intValue());
+    }
+
+    @Test
+    public void configurePublicNicTestUpdateGuestNetworksIpv6Nic() throws InsufficientAddressCapacityException {
+        PublicIp publicIpMock = Mockito.mock(PublicIp.class);
+        NetworkOffering networkOfferingMock = Mockito.mock(NetworkOffering.class);
+        DeployDestination deployDestinationMock = Mockito.mock(DeployDestination.class);
+
+        Mockito.when(routerDeploymentDefinitionMock.isPublicNetwork()).thenReturn(true);
+        Mockito.when(routerDeploymentDefinitionMock.getSourceNatIP()).thenReturn(publicIpMock);
+        Mockito.doNothing().when(networkHelperSpy).configurePublicVrNicBasedOnSourceNatIp(Mockito.any(), Mockito.any());
+        Mockito.doReturn(List.of(networkOfferingMock)).when(networkModel).getSystemAccountNetworkOfferings(Mockito.any());
+        Mockito.doReturn(List.of(networkMock)).when(networkOrchestrationService).setupNetwork(
+                Mockito.any(), Mockito.any(), Mockito.any(), Mockito.any(), Mockito.any(), Mockito.anyBoolean()
+        );
+        Mockito.doNothing().when(networkHelperSpy).setPublicNicMacAddressSameAsPeerNic(Mockito.any(), Mockito.any(), Mockito.any());
+        Mockito.when(routerDeploymentDefinitionMock.getGuestNetwork()).thenReturn(networkMock);
+        Mockito.when(routerDeploymentDefinitionMock.getDest()).thenReturn(deployDestinationMock);
+
+        Map<Network, List<? extends NicProfile>> nic = networkHelperSpy.configurePublicNic(routerDeploymentDefinitionMock, false);
+        Mockito.verify(ipv6ServiceMock).updateNicIpv6(Mockito.eq(nic.get(networkMock).get(0)), Mockito.any(), Mockito.eq(networkMock));
+    }
 }
diff --git a/server/src/test/java/com/cloud/network/vpc/VpcManagerImplTest.java b/server/src/test/java/com/cloud/network/vpc/VpcManagerImplTest.java
index ff34d72c218d..8b8259421cd0 100644
--- a/server/src/test/java/com/cloud/network/vpc/VpcManagerImplTest.java
+++ b/server/src/test/java/com/cloud/network/vpc/VpcManagerImplTest.java
@@ -23,7 +23,6 @@
 import com.cloud.agent.api.to.IpAddressTO;
 import com.cloud.agent.manager.Commands;
 import com.cloud.alert.AlertManager;
-import com.cloud.configuration.Resource;
 import com.cloud.dc.DataCenterVO;
 import com.cloud.dc.VlanVO;
 import com.cloud.dc.dao.DataCenterDao;
@@ -54,6 +53,7 @@
 import com.cloud.offering.NetworkOffering;
 import com.cloud.offerings.NetworkOfferingServiceMapVO;
 import com.cloud.offerings.dao.NetworkOfferingServiceMapDao;
+import com.cloud.resourcelimit.CheckedReservation;
 import com.cloud.user.Account;
 import com.cloud.user.AccountManager;
 import com.cloud.user.AccountVO;
@@ -81,6 +81,7 @@
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.mockito.Mock;
+import org.mockito.MockedConstruction;
 import org.mockito.Mockito;
 import org.mockito.MockitoAnnotations;
 import org.mockito.junit.MockitoJUnitRunner;
@@ -490,9 +491,8 @@ private void mockVpcDnsResources(boolean supportDnsService, boolean isIpv6) {
     public void testCreateVpcDnsOfferingServiceFailure() {
         mockVpcDnsResources(false, false);
         try {
-            doNothing().when(resourceLimitService).checkResourceLimit(account, Resource.ResourceType.vpc);
             manager.createVpc(zoneId, vpcOfferingId, vpcOwnerId, vpcName, vpcName, ip4Cidr, vpcDomain,
-                    ip4Dns[0], null, null, null, true, 1500, null, null, null, false);
+                    ip4Dns[0], null, null, null, true, 1500, null, null, null, false, true);
         } catch (ResourceAllocationException e) {
             Assert.fail(String.format("failure with exception: %s", e.getMessage()));
         }
@@ -502,9 +502,8 @@ public void testCreateVpcDnsOfferingServiceFailure() {
     public void testCreateVpcDnsIpv6OfferingFailure() {
         mockVpcDnsResources(true, false);
         try {
-            doNothing().when(resourceLimitService).checkResourceLimit(account, Resource.ResourceType.vpc);
             manager.createVpc(zoneId, vpcOfferingId, vpcOwnerId, vpcName, vpcName, ip4Cidr, vpcDomain,
-                    ip4Dns[0], ip4Dns[1], ip6Dns[0], null, true, 1500, null, null, null, false);
+                    ip4Dns[0], ip4Dns[1], ip6Dns[0], null, true, 1500, null, null, null, false, true);
         } catch (ResourceAllocationException e) {
             Assert.fail(String.format("failure with exception: %s", e.getMessage()));
         }
@@ -516,10 +515,9 @@ public void testCreateVpc() {
         VpcVO vpc = Mockito.mock(VpcVO.class);
         Mockito.when(vpcDao.persist(any(), anyMap())).thenReturn(vpc);
         Mockito.when(vpc.getUuid()).thenReturn("uuid");
-        try {
-            doNothing().when(resourceLimitService).checkResourceLimit(account, Resource.ResourceType.vpc);
+        try (MockedConstruction<CheckedReservation> mockCheckedReservation = Mockito.mockConstruction(CheckedReservation.class)) {
             manager.createVpc(zoneId, vpcOfferingId, vpcOwnerId, vpcName, vpcName, ip4Cidr, vpcDomain,
-                    ip4Dns[0], ip4Dns[1], null, null, true, 1500, null, null, null, false);
+                    ip4Dns[0], ip4Dns[1], null, null, true, 1500, null, null, null, false, true);
         } catch (ResourceAllocationException e) {
             Assert.fail(String.format("failure with exception: %s", e.getMessage()));
         }
@@ -533,10 +531,9 @@ public void testCreateRoutedVpc() {
         Mockito.when(vpc.getUuid()).thenReturn("uuid");
         doReturn(true).when(routedIpv4Manager).isRoutedVpc(any());
         doNothing().when(routedIpv4Manager).getOrCreateIpv4SubnetForVpc(any(), anyString());
-        try {
-            doNothing().when(resourceLimitService).checkResourceLimit(account, Resource.ResourceType.vpc);
+        try (MockedConstruction<CheckedReservation> mockCheckedReservation = Mockito.mockConstruction(CheckedReservation.class)) {
             manager.createVpc(zoneId, vpcOfferingId, vpcOwnerId, vpcName, vpcName, ip4Cidr, vpcDomain,
-                    ip4Dns[0], ip4Dns[1], null, null, true, 1500, null, null, null, false);
+                    ip4Dns[0], ip4Dns[1], null, null, true, 1500, null, null, null, false, true);
         } catch (ResourceAllocationException e) {
             Assert.fail(String.format("failure with exception: %s", e.getMessage()));
         }
@@ -556,10 +553,10 @@ public void testCreateRoutedVpcWithDynamicRouting() {
         Ipv4GuestSubnetNetworkMap ipv4GuestSubnetNetworkMap = Mockito.mock(Ipv4GuestSubnetNetworkMap.class);
         doReturn(ipv4GuestSubnetNetworkMap).when(routedIpv4Manager).getOrCreateIpv4SubnetForVpc(any(), anyInt());
         List<Long> bgpPeerIds = Arrays.asList(11L, 12L);
-        try {
-            doNothing().when(resourceLimitService).checkResourceLimit(account, Resource.ResourceType.vpc);
+        try (MockedConstruction<CheckedReservation> mockCheckedReservation = Mockito.mockConstruction(CheckedReservation.class)) {
+
             manager.createVpc(zoneId, vpcOfferingId, vpcOwnerId, vpcName, vpcName, null, vpcDomain,
-                    ip4Dns[0], ip4Dns[1], null, null, true, 1500, 24, null, bgpPeerIds, false);
+                    ip4Dns[0], ip4Dns[1], null, null, true, 1500, 24, null, bgpPeerIds, false, true);
         } catch (ResourceAllocationException e) {
             Assert.fail(String.format("failure with exception: %s", e.getMessage()));
         }
diff --git a/server/src/test/java/com/cloud/resource/MockResourceManagerImpl.java b/server/src/test/java/com/cloud/resource/MockResourceManagerImpl.java
index 6373c3277d00..8b62861165f9 100755
--- a/server/src/test/java/com/cloud/resource/MockResourceManagerImpl.java
+++ b/server/src/test/java/com/cloud/resource/MockResourceManagerImpl.java
@@ -318,6 +318,11 @@ public boolean executeUserRequest(final long hostId, final Event event) throws A
         return false;
     }
 
+    @Override
+    public boolean executeUserRequest(long hostId, Event event, boolean isForced, boolean isForceDeleteStorage) throws AgentUnavailableException {
+        return false;
+    }
+
     /* (non-Javadoc)
      * @see com.cloud.resource.ResourceManager#resourceStateTransitTo(com.cloud.host.Host, com.cloud.resource.ResourceState.Event, long)
      */
diff --git a/server/src/test/java/com/cloud/resource/ResourceManagerImplTest.java b/server/src/test/java/com/cloud/resource/ResourceManagerImplTest.java
index 3937a5950690..30a021591a5d 100644
--- a/server/src/test/java/com/cloud/resource/ResourceManagerImplTest.java
+++ b/server/src/test/java/com/cloud/resource/ResourceManagerImplTest.java
@@ -1184,4 +1184,31 @@ public void testUpdateHostStorageAccessGroups() {
         Mockito.verify(host).setStorageAccessGroups("group1,group2");
         Mockito.verify(hostDao).update(hostId, host);
     }
+
+    @Test
+    public void executeUserRequestDeleteHostPassesForcedFlags() throws Exception {
+        Mockito.doReturn(true).when(resourceManager).doDeleteHost(anyLong(), anyBoolean(), anyBoolean());
+
+        resourceManager.executeUserRequest(hostId, ResourceState.Event.DeleteHost, true, true);
+
+        Mockito.verify(resourceManager).doDeleteHost(hostId, true, true);
+    }
+
+    @Test
+    public void executeUserRequestDeleteHostPassesNonForcedFlags() throws Exception {
+        Mockito.doReturn(true).when(resourceManager).doDeleteHost(anyLong(), anyBoolean(), anyBoolean());
+
+        resourceManager.executeUserRequest(hostId, ResourceState.Event.DeleteHost, false, false);
+
+        Mockito.verify(resourceManager).doDeleteHost(hostId, false, false);
+    }
+
+    @Test
+    public void executeUserRequestDefaultOverloadPassesFalseForDeleteHost() throws Exception {
+        Mockito.doReturn(true).when(resourceManager).doDeleteHost(anyLong(), anyBoolean(), anyBoolean());
+
+        resourceManager.executeUserRequest(hostId, ResourceState.Event.DeleteHost);
+
+        Mockito.verify(resourceManager).doDeleteHost(hostId, false, false);
+    }
 }
diff --git a/server/src/test/java/com/cloud/resourcelimit/CheckedReservationTest.java b/server/src/test/java/com/cloud/resourcelimit/CheckedReservationTest.java
index 247647dd010e..5e72f2044939 100644
--- a/server/src/test/java/com/cloud/resourcelimit/CheckedReservationTest.java
+++ b/server/src/test/java/com/cloud/resourcelimit/CheckedReservationTest.java
@@ -149,23 +149,10 @@ public void testReservationPersistAndCallContextParam() {
     @Test
     public void testMultipleReservationsWithOneFailing() {
         List<String> tags = List.of("abc", "xyz");
-        when(account.getAccountId()).thenReturn(1L);
-        when(account.getDomainId()).thenReturn(4L);
         Map<Long, ReservationVO> persistedReservations = new HashMap<>();
-        Mockito.when(reservationDao.persist(Mockito.any(ReservationVO.class))).thenAnswer((Answer<ReservationVO>) invocation -> {
-            ReservationVO reservationVO = (ReservationVO) invocation.getArguments()[0];
-            Long id = (long) (persistedReservations.size() + 1);
-            ReflectionTestUtils.setField(reservationVO, "id", id);
-            persistedReservations.put(id, reservationVO);
-            return reservationVO;
-        });
-        Mockito.when(reservationDao.remove(Mockito.anyLong())).thenAnswer((Answer<Boolean>) invocation -> {
-            Long id = (Long) invocation.getArguments()[0];
-            persistedReservations.remove(id);
-            return true;
-        });
+
         try {
-            Mockito.doThrow(ResourceAllocationException.class).when(resourceLimitService).checkResourceLimitWithTag(account, Resource.ResourceType.cpu, "xyz", 1L);
+            Mockito.doThrow(ResourceAllocationException.class).when(resourceLimitService).checkResourceLimitWithTag(account, account.getDomainId(), true, Resource.ResourceType.cpu, "xyz", 1L);
             try (CheckedReservation vmReservation = new CheckedReservation(account, Resource.ResourceType.user_vm, tags, 1L, reservationDao, resourceLimitService);
                  CheckedReservation cpuReservation = new CheckedReservation(account, Resource.ResourceType.cpu, tags, 1L, reservationDao, resourceLimitService);
                  CheckedReservation memReservation = new CheckedReservation(account, Resource.ResourceType.memory, tags, 256L, reservationDao, resourceLimitService);
diff --git a/server/src/test/java/com/cloud/resourcelimit/ResourceLimitManagerImplTest.java b/server/src/test/java/com/cloud/resourcelimit/ResourceLimitManagerImplTest.java
index 84586bcdc2cc..18fa16e04a21 100644
--- a/server/src/test/java/com/cloud/resourcelimit/ResourceLimitManagerImplTest.java
+++ b/server/src/test/java/com/cloud/resourcelimit/ResourceLimitManagerImplTest.java
@@ -34,9 +34,10 @@
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.framework.config.ConfigKey;
 import org.apache.cloudstack.reservation.dao.ReservationDao;
+import org.apache.cloudstack.resourcelimit.Reserver;
 import org.apache.cloudstack.storage.datastore.db.SnapshotDataStoreDao;
+
 import org.apache.commons.collections.CollectionUtils;
-import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.junit.After;
@@ -46,6 +47,7 @@
 import org.junit.runner.RunWith;
 import org.mockito.InjectMocks;
 import org.mockito.Mock;
+import org.mockito.MockedConstruction;
 import org.mockito.MockedStatic;
 import org.mockito.Mockito;
 import org.mockito.Spy;
@@ -83,6 +85,7 @@
 import com.cloud.user.User;
 import com.cloud.user.dao.AccountDao;
 import com.cloud.utils.Pair;
+import com.cloud.utils.StringUtils;
 import com.cloud.utils.db.EntityManager;
 import com.cloud.vm.VirtualMachine;
 import com.cloud.vm.VirtualMachineManager;
@@ -279,6 +282,7 @@ public void testGetResourceLimitStorageTags1() {
 
     @Test
     public void testCheckVmResourceLimit() {
+        List<Reserver> reservations = new ArrayList<>();
         ServiceOffering serviceOffering = Mockito.mock(ServiceOffering.class);
         VirtualMachineTemplate template = Mockito.mock(VirtualMachineTemplate.class);
         Mockito.when(serviceOffering.getHostTag()).thenReturn(hostTags.get(0));
@@ -286,72 +290,12 @@ public void testCheckVmResourceLimit() {
         Mockito.when(serviceOffering.getRamSize()).thenReturn(256);
         Mockito.when(template.getTemplateTag()).thenReturn(hostTags.get(0));
         Account account = Mockito.mock(Account.class);
-        try {
-            Mockito.doNothing().when(resourceLimitManager).checkResourceLimitWithTag(Mockito.any(), Mockito.any(), Mockito.any());
-            Mockito.doNothing().when(resourceLimitManager).checkResourceLimitWithTag(Mockito.any(), Mockito.any(), Mockito.any(), Mockito.any());
-            resourceLimitManager.checkVmResourceLimit(account, true, serviceOffering, template);
+        try (MockedConstruction<CheckedReservation> mockCheckedReservation = Mockito.mockConstruction(CheckedReservation.class)) {
+            resourceLimitManager.checkVmResourceLimit(account, true, serviceOffering, template, reservations);
             List<String> tags = new ArrayList<>();
             tags.add(null);
             tags.add(hostTags.get(0));
-            for (String tag: tags) {
-                Mockito.verify(resourceLimitManager, Mockito.times(1)).checkResourceLimitWithTag(account, Resource.ResourceType.user_vm, tag);
-                Mockito.verify(resourceLimitManager, Mockito.times(1)).checkResourceLimitWithTag(account, Resource.ResourceType.cpu, tag, 2L);
-                Mockito.verify(resourceLimitManager, Mockito.times(1)).checkResourceLimitWithTag(account, Resource.ResourceType.memory, tag, 256L);
-            }
-        } catch (ResourceAllocationException e) {
-            Assert.fail("Exception encountered: " + e.getMessage());
-        }
-    }
-
-    @Test
-    public void testCheckVmCpuResourceLimit() {
-        ServiceOffering serviceOffering = Mockito.mock(ServiceOffering.class);
-        VirtualMachineTemplate template = Mockito.mock(VirtualMachineTemplate.class);
-        Mockito.when(serviceOffering.getHostTag()).thenReturn(hostTags.get(0));
-        Mockito.when(template.getTemplateTag()).thenReturn(hostTags.get(0));
-        Account account = Mockito.mock(Account.class);
-        long cpu = 2L;
-        try {
-            Mockito.doNothing().when(resourceLimitManager).checkResourceLimitWithTag(Mockito.any(), Mockito.any(), Mockito.any(), Mockito.any());
-            resourceLimitManager.checkVmCpuResourceLimit(account, true, serviceOffering, template, cpu);
-            Mockito.verify(resourceLimitManager, Mockito.times(1)).checkResourceLimitWithTag(account, Resource.ResourceType.cpu, null, cpu);
-            Mockito.verify(resourceLimitManager, Mockito.times(1)).checkResourceLimitWithTag(account, Resource.ResourceType.cpu, hostTags.get(0), cpu);
-        } catch (ResourceAllocationException e) {
-            Assert.fail("Exception encountered: " + e.getMessage());
-        }
-    }
-
-    @Test
-    public void testCheckVmMemoryResourceLimit() {
-        ServiceOffering serviceOffering = Mockito.mock(ServiceOffering.class);
-        VirtualMachineTemplate template = Mockito.mock(VirtualMachineTemplate.class);
-        Mockito.when(serviceOffering.getHostTag()).thenReturn(hostTags.get(0));
-        Mockito.when(template.getTemplateTag()).thenReturn(hostTags.get(0));
-        Account account = Mockito.mock(Account.class);
-        long delta = 256L;
-        try {
-            Mockito.doNothing().when(resourceLimitManager).checkResourceLimitWithTag(Mockito.any(), Mockito.any(), Mockito.any(), Mockito.any());
-            resourceLimitManager.checkVmMemoryResourceLimit(account, true, serviceOffering, template, delta);
-            Mockito.verify(resourceLimitManager, Mockito.times(1)).checkResourceLimitWithTag(account, Resource.ResourceType.memory, null, delta);
-            Mockito.verify(resourceLimitManager, Mockito.times(1)).checkResourceLimitWithTag(account, Resource.ResourceType.memory, hostTags.get(0), delta);
-        } catch (ResourceAllocationException e) {
-            Assert.fail("Exception encountered: " + e.getMessage());
-        }
-    }
-
-    @Test
-    public void testCheckVmGpuResourceLimit() {
-        ServiceOffering serviceOffering = Mockito.mock(ServiceOffering.class);
-        VirtualMachineTemplate template = Mockito.mock(VirtualMachineTemplate.class);
-        Mockito.when(serviceOffering.getHostTag()).thenReturn(hostTags.get(0));
-        Mockito.when(template.getTemplateTag()).thenReturn(hostTags.get(0));
-        Account account = Mockito.mock(Account.class);
-        long gpuCount = 2L;
-        try {
-            Mockito.doNothing().when(resourceLimitManager).checkResourceLimitWithTag(Mockito.any(), Mockito.any(), Mockito.any(), Mockito.any());
-            resourceLimitManager.checkVmGpuResourceLimit(account, true, serviceOffering, template, gpuCount);
-            Mockito.verify(resourceLimitManager, Mockito.times(1)).checkResourceLimitWithTag(account, Resource.ResourceType.gpu, null, gpuCount);
-            Mockito.verify(resourceLimitManager, Mockito.times(1)).checkResourceLimitWithTag(account, Resource.ResourceType.gpu, hostTags.get(0), gpuCount);
+            Assert.assertEquals(4, mockCheckedReservation.constructed().size());
         } catch (ResourceAllocationException e) {
             Assert.fail("Exception encountered: " + e.getMessage());
         }
@@ -359,22 +303,15 @@ public void testCheckVmGpuResourceLimit() {
 
     @Test
     public void testCheckVolumeResourceLimit() {
+        List<Reserver> reservations = new ArrayList<>();
         String checkTag = storageTags.get(0);
         DiskOffering diskOffering = Mockito.mock(DiskOffering.class);
         Mockito.when(diskOffering.getTags()).thenReturn(checkTag);
         Mockito.when(diskOffering.getTagsArray()).thenReturn(new String[]{checkTag});
         Account account = Mockito.mock(Account.class);
-        try {
-            Mockito.doNothing().when(resourceLimitManager).checkResourceLimitWithTag(Mockito.any(), Mockito.any(), Mockito.any());
-            Mockito.doNothing().when(resourceLimitManager).checkResourceLimitWithTag(Mockito.any(), Mockito.any(), Mockito.any(), Mockito.any());
-            resourceLimitManager.checkVolumeResourceLimit(account, true, 100L, diskOffering);
-            List<String> tags = new ArrayList<>();
-            tags.add(null);
-            tags.add(checkTag);
-            for (String tag: tags) {
-                Mockito.verify(resourceLimitManager, Mockito.times(1)).checkResourceLimitWithTag(account, Resource.ResourceType.volume, tag);
-                Mockito.verify(resourceLimitManager, Mockito.times(1)).checkResourceLimitWithTag(account, Resource.ResourceType.primary_storage, tag, 100L);
-            }
+        try (MockedConstruction<CheckedReservation> mockCheckedReservation = Mockito.mockConstruction(CheckedReservation.class)) {
+            resourceLimitManager.checkVolumeResourceLimit(account, true, 100L, diskOffering, reservations);
+            Assert.assertEquals(2, reservations.size());
         } catch (ResourceAllocationException e) {
             Assert.fail("Exception encountered: " + e.getMessage());
         }
@@ -627,10 +564,11 @@ public void testCheckResourceLimitWithTag() {
     public void testCheckResourceLimitWithTagNonAdmin() throws ResourceAllocationException {
         AccountVO account = Mockito.mock(AccountVO.class);
         Mockito.when(account.getId()).thenReturn(1L);
+        Mockito.when(account.getDomainId()).thenReturn(1L);
         Mockito.when(accountManager.isRootAdmin(1L)).thenReturn(false);
         Mockito.doReturn(new ArrayList<ResourceLimitVO>()).when(resourceLimitManager).lockAccountAndOwnerDomainRows(Mockito.anyLong(), Mockito.any(Resource.ResourceType.class), Mockito.anyString());
         Mockito.doNothing().when(resourceLimitManager).checkAccountResourceLimit(account, null, Resource.ResourceType.cpu, hostTags.get(0), 1);
-        Mockito.doNothing().when(resourceLimitManager).checkDomainResourceLimit(account, null, Resource.ResourceType.cpu, hostTags.get(0), 1);
+        Mockito.doNothing().when(resourceLimitManager).checkDomainResourceLimit(1L, Resource.ResourceType.cpu, hostTags.get(0), 1);
         try {
             resourceLimitManager.checkResourceLimitWithTag(account, Resource.ResourceType.cpu, hostTags.get(0), 1);
         } catch (ResourceAllocationException e) {
@@ -646,9 +584,10 @@ public void testCheckResourceLimitWithTagProject() throws ResourceAllocationExce
         Mockito.when(accountManager.isRootAdmin(1L)).thenReturn(false);
         ProjectVO projectVO = Mockito.mock(ProjectVO.class);
         Mockito.when(projectDao.findByProjectAccountId(Mockito.anyLong())).thenReturn(projectVO);
+        Mockito.when(projectVO.getDomainId()).thenReturn(1L);
         Mockito.doReturn(new ArrayList<ResourceLimitVO>()).when(resourceLimitManager).lockAccountAndOwnerDomainRows(Mockito.anyLong(), Mockito.any(Resource.ResourceType.class), Mockito.anyString());
         Mockito.doNothing().when(resourceLimitManager).checkAccountResourceLimit(account, projectVO, Resource.ResourceType.cpu, hostTags.get(0), 1);
-        Mockito.doNothing().when(resourceLimitManager).checkDomainResourceLimit(account, projectVO, Resource.ResourceType.cpu, hostTags.get(0), 1);
+        Mockito.doNothing().when(resourceLimitManager).checkDomainResourceLimit(1L, Resource.ResourceType.cpu, hostTags.get(0), 1);
         try {
             resourceLimitManager.checkResourceLimitWithTag(account, Resource.ResourceType.cpu, hostTags.get(0), 1);
         } catch (ResourceAllocationException e) {
@@ -992,13 +931,6 @@ public void updateTaggedResourceLimitsAndCountsForDomains() {
                         Mockito.anyList(), Mockito.eq(tag));
     }
 
-    private void mockCheckResourceLimitWithTag() throws ResourceAllocationException {
-        Mockito.doNothing().when(resourceLimitManager).checkResourceLimitWithTag(
-                Mockito.any(Account.class), Mockito.any(Resource.ResourceType.class), Mockito.anyString());
-        Mockito.doNothing().when(resourceLimitManager).checkResourceLimitWithTag(
-                Mockito.any(Account.class), Mockito.any(Resource.ResourceType.class), Mockito.anyString(), Mockito.anyLong());
-    }
-
     private void mockIncrementResourceCountWithTag() {
         Mockito.doNothing().when(resourceLimitManager).incrementResourceCountWithTag(
                 Mockito.anyLong(), Mockito.any(Resource.ResourceType.class), Mockito.anyString());
@@ -1015,6 +947,7 @@ private void mockDecrementResourceCountWithTag() {
 
     @Test
     public void testCheckVolumeResourceCount() throws ResourceAllocationException {
+        List<Reserver> reservations = new ArrayList<>();
         Account account = Mockito.mock(Account.class);
         String tag = "tag";
         long delta = 10L;
@@ -1028,12 +961,11 @@ public void testCheckVolumeResourceCount() throws ResourceAllocationException {
 
         Mockito.doReturn(List.of(tag)).when(resourceLimitManager)
                 .getResourceLimitStorageTagsForResourceCountOperation(Mockito.anyBoolean(), Mockito.any(DiskOffering.class));
-        mockCheckResourceLimitWithTag();
-        resourceLimitManager.checkVolumeResourceLimit(account, false, delta, Mockito.mock(DiskOffering.class));
-        Mockito.verify(resourceLimitManager, Mockito.times(1)).checkResourceLimitWithTag(
-                account, Resource.ResourceType.volume, tag);
-        Mockito.verify(resourceLimitManager, Mockito.times(1))
-                .checkResourceLimitWithTag(account, Resource.ResourceType.primary_storage, tag, 10L);
+
+        try (MockedConstruction<CheckedReservation> mockCheckedReservation = Mockito.mockConstruction(CheckedReservation.class)) {
+            resourceLimitManager.checkVolumeResourceLimit(account, false, delta, Mockito.mock(DiskOffering.class), reservations);
+            Assert.assertEquals(2,  reservations.size());
+        }
     }
 
     @Test
diff --git a/server/src/test/java/com/cloud/server/ManagementServerImplTest.java b/server/src/test/java/com/cloud/server/ManagementServerImplTest.java
index b569368f2482..924bf1135a67 100644
--- a/server/src/test/java/com/cloud/server/ManagementServerImplTest.java
+++ b/server/src/test/java/com/cloud/server/ManagementServerImplTest.java
@@ -23,6 +23,10 @@
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
+import com.cloud.deploy.DataCenterDeployment;
+import com.cloud.deploy.DeploymentPlanner;
+import com.cloud.deploy.DeploymentPlanningManager;
+import com.cloud.vm.VirtualMachineProfile;
 import org.junit.After;
 import org.junit.Assert;
 import org.junit.Before;
@@ -181,6 +185,24 @@ public class ManagementServerImplTest {
     @Mock
     HostAllocator hostAllocator;
 
+    @Mock
+    VirtualMachine virtualMachineMock;
+
+    @Mock
+    VirtualMachineProfile virtualMachineProfileMock;
+
+    @Mock
+    DataCenterDeployment dataCenterDeploymentMock;
+
+    @Mock
+    DeploymentPlanner.ExcludeList excludeListMock;
+
+    @Mock
+    Host hostMock;
+
+    @Mock
+    DeploymentPlanningManager deploymentPlanningManagerMock;
+
     private AutoCloseable closeable;
     private MockedStatic<ApiDBUtils> apiDBUtilsMock;
 
@@ -1053,10 +1075,19 @@ public void testListGuestOSCategoriesByCriteria_FilterById() {
 
     @Test
     public void testGetExternalVmConsole() {
-        VirtualMachine virtualMachine = Mockito.mock(VirtualMachine.class);
         Host host = Mockito.mock(Host.class);
-        Mockito.when(extensionManager.getInstanceConsole(virtualMachine, host)).thenReturn(Mockito.mock(com.cloud.agent.api.Answer.class));
-        Assert.assertNotNull(spy.getExternalVmConsole(virtualMachine, host));
-        Mockito.verify(extensionManager).getInstanceConsole(virtualMachine, host);
+        Mockito.when(extensionManager.getInstanceConsole(virtualMachineMock, host)).thenReturn(Mockito.mock(com.cloud.agent.api.Answer.class));
+        Assert.assertNotNull(spy.getExternalVmConsole(virtualMachineMock, host));
+        Mockito.verify(extensionManager).getInstanceConsole(virtualMachineMock, host);
+    }
+
+    @Test
+    public void getCapableSuitableHostsTestHostArchIsNotFilteredWhenNoSuitableHostsAreFound() {
+        List<Host> compatibleHosts = List.of(hostMock);
+        Mockito.doReturn(null).when(hostAllocator).allocateTo(Mockito.any(), Mockito.any(), Mockito.any(), Mockito.any(), Mockito.anyList(), Mockito.anyInt(), Mockito.anyBoolean());
+
+        spy.getCapableSuitableHosts(virtualMachineMock, virtualMachineProfileMock, dataCenterDeploymentMock, compatibleHosts, excludeListMock, hostMock);
+
+        apiDBUtilsMock.verify(() -> ApiDBUtils.listZoneClustersArchs(Mockito.anyLong()), Mockito.never());
     }
 }
diff --git a/server/src/test/java/com/cloud/storage/VolumeApiServiceImplTest.java b/server/src/test/java/com/cloud/storage/VolumeApiServiceImplTest.java
index 0575b430ef10..77e321ab8591 100644
--- a/server/src/test/java/com/cloud/storage/VolumeApiServiceImplTest.java
+++ b/server/src/test/java/com/cloud/storage/VolumeApiServiceImplTest.java
@@ -26,7 +26,6 @@
 import static org.mockito.ArgumentMatchers.nullable;
 import static org.mockito.Mockito.doNothing;
 import static org.mockito.Mockito.doReturn;
-import static org.mockito.Mockito.doThrow;
 import static org.mockito.Mockito.lenient;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.times;
@@ -44,6 +43,7 @@
 import com.cloud.event.EventTypes;
 import com.cloud.event.UsageEventUtils;
 import com.cloud.host.HostVO;
+import com.cloud.resourcelimit.CheckedReservation;
 import com.cloud.service.ServiceOfferingVO;
 import com.cloud.service.dao.ServiceOfferingDao;
 import com.cloud.vm.snapshot.VMSnapshot;
@@ -91,6 +91,7 @@
 import org.mockito.InOrder;
 import org.mockito.InjectMocks;
 import org.mockito.Mock;
+import org.mockito.MockedConstruction;
 import org.mockito.MockedStatic;
 import org.mockito.Mockito;
 import org.mockito.Spy;
@@ -99,7 +100,6 @@
 
 import com.cloud.api.query.dao.ServiceOfferingJoinDao;
 import com.cloud.configuration.ConfigurationManager;
-import com.cloud.configuration.Resource;
 import com.cloud.configuration.Resource.ResourceType;
 import com.cloud.dc.ClusterVO;
 import com.cloud.dc.DataCenterVO;
@@ -551,7 +551,9 @@ public void attachRootInUploadedState() throws NoSuchFieldException, IllegalAcce
     @Test
     public void attachRootVolumePositive() throws NoSuchFieldException, IllegalAccessException {
         thrown.expect(NullPointerException.class);
-        volumeApiServiceImpl.attachVolumeToVM(2L, 6L, 0L, false);
+        try (MockedConstruction<CheckedReservation> mockCheckedReservation = Mockito.mockConstruction(CheckedReservation.class)) {
+            volumeApiServiceImpl.attachVolumeToVM(2L, 6L, 0L, false);
+        }
     }
 
     // Negative test - attach data volume, to the vm on non-kvm hypervisor
@@ -570,7 +572,9 @@ public void attachDiskWithEncryptEnabledOfferingOnKVM() throws NoSuchFieldExcept
         DiskOfferingVO diskOffering = Mockito.mock(DiskOfferingVO.class);
         when(diskOffering.getEncrypt()).thenReturn(true);
         when(_diskOfferingDao.findById(anyLong())).thenReturn(diskOffering);
-        volumeApiServiceImpl.attachVolumeToVM(4L, 10L, 1L, false);
+        try (MockedConstruction<CheckedReservation> mockCheckedReservation = Mockito.mockConstruction(CheckedReservation.class)) {
+            volumeApiServiceImpl.attachVolumeToVM(4L, 10L, 1L, false);
+        }
     }
 
     // volume not Ready
@@ -655,9 +659,7 @@ public void testAllocSnapshotNonManagedStorageArchive() {
      * The resource limit check for primary storage should not be skipped for Volume in 'Uploaded' state.
      */
     @Test
-    public void testResourceLimitCheckForUploadedVolume() throws NoSuchFieldException, IllegalAccessException, ResourceAllocationException {
-        doThrow(new ResourceAllocationException("primary storage resource limit check failed", Resource.ResourceType.primary_storage)).when(resourceLimitServiceMock)
-        .checkResourceLimit(any(AccountVO.class), any(Resource.ResourceType.class), any(Long.class));
+    public void testAttachVolumeToVMPerformsResourceReservation() throws NoSuchFieldException, IllegalAccessException, ResourceAllocationException {
         UserVmVO vm = Mockito.mock(UserVmVO.class);
         AccountVO acc = Mockito.mock(AccountVO.class);
         VolumeInfo volumeToAttach = Mockito.mock(VolumeInfo.class);
@@ -678,10 +680,10 @@ public void testResourceLimitCheckForUploadedVolume() throws NoSuchFieldExceptio
         DataCenterVO zoneWithDisabledLocalStorage = Mockito.mock(DataCenterVO.class);
         when(_dcDao.findById(anyLong())).thenReturn(zoneWithDisabledLocalStorage);
         when(zoneWithDisabledLocalStorage.isLocalStorageEnabled()).thenReturn(true);
-        try {
+        doReturn(volumeVoMock).when(volumeApiServiceImpl).getVolumeAttachJobResult(Mockito.any(), Mockito.any(), Mockito.any());
+        try (MockedConstruction<CheckedReservation> mockCheckedReservation = Mockito.mockConstruction(CheckedReservation.class)) {
             volumeApiServiceImpl.attachVolumeToVM(2L, 9L, null, false);
-        } catch (InvalidParameterValueException e) {
-            Assert.assertEquals(e.getMessage(), ("primary storage resource limit check failed"));
+            Assert.assertEquals(1, mockCheckedReservation.constructed().size());
         }
     }
 
@@ -2208,6 +2210,36 @@ public void testCreateVolumeOnSecondaryForAttachIfNeeded_NoSuitablePool_ReturnSa
         }
     }
 
+    @Test
+    public void getRequiredPrimaryStorageSizeForVolumeAttachTestTagsAreEmptyReturnsZero() {
+        List<String> tags = new ArrayList<>();
+
+        Long result = volumeApiServiceImpl.getRequiredPrimaryStorageSizeForVolumeAttach(tags, volumeInfoMock);
+
+        Assert.assertEquals(0L, (long) result);
+    }
+
+    @Test
+    public void getRequiredPrimaryStorageSizeForVolumeAttachTestVolumeIsReadyReturnsZero() {
+        List<String> tags = List.of("tag1", "tag2");
+        Mockito.doReturn(Volume.State.Ready).when(volumeInfoMock).getState();
+
+        Long result = volumeApiServiceImpl.getRequiredPrimaryStorageSizeForVolumeAttach(tags, volumeInfoMock);
+
+        Assert.assertEquals(0L, (long) result);
+    }
+
+    @Test
+    public void getRequiredPrimaryStorageSizeForVolumeAttachTestTagsAreNotEmptyAndVolumeIsUploadedReturnsVolumeSize() {
+        List<String> tags = List.of("tag1", "tag2");
+        Mockito.doReturn(Volume.State.Uploaded).when(volumeInfoMock).getState();
+        Mockito.doReturn(2L).when(volumeInfoMock).getSize();
+
+        Long result = volumeApiServiceImpl.getRequiredPrimaryStorageSizeForVolumeAttach(tags, volumeInfoMock);
+
+        Assert.assertEquals(2L, (long) result);
+    }
+
     @Test
     public void validateNoVmSnapshotsTestNoInstanceId() {
         Mockito.doReturn(null).when(volumeVoMock).getInstanceId();
diff --git a/server/src/test/java/com/cloud/storage/snapshot/SnapshotManagerImplTest.java b/server/src/test/java/com/cloud/storage/snapshot/SnapshotManagerImplTest.java
index 2d3cb04ab962..ff0888c184c0 100644
--- a/server/src/test/java/com/cloud/storage/snapshot/SnapshotManagerImplTest.java
+++ b/server/src/test/java/com/cloud/storage/snapshot/SnapshotManagerImplTest.java
@@ -22,7 +22,6 @@
 import com.cloud.event.ActionEventUtils;
 import com.cloud.exception.InvalidParameterValueException;
 import com.cloud.exception.PermissionDeniedException;
-import com.cloud.exception.ResourceAllocationException;
 import com.cloud.exception.ResourceUnavailableException;
 import com.cloud.org.Grouping;
 import com.cloud.storage.DataStoreRole;
@@ -317,12 +316,11 @@ public void testCopyNewSnapshotToZones() {
         Mockito.when(result1.isFailed()).thenReturn(false);
         AsyncCallFuture<SnapshotResult> future1 = Mockito.mock(AsyncCallFuture.class);
         try {
-            Mockito.doNothing().when(resourceLimitService).checkResourceLimit(Mockito.any(), Mockito.any(), Mockito.anyLong());
             Mockito.when(future.get()).thenReturn(result);
             Mockito.when(snapshotService.queryCopySnapshot(Mockito.any())).thenReturn(future);
             Mockito.when(future1.get()).thenReturn(result1);
             Mockito.when(snapshotService.copySnapshot(Mockito.any(SnapshotInfo.class), Mockito.anyString(), Mockito.any(DataStore.class))).thenReturn(future1);
-        } catch (ResourceAllocationException | ResourceUnavailableException | ExecutionException | InterruptedException e) {
+        } catch (ResourceUnavailableException | ExecutionException | InterruptedException e) {
             Assert.fail(e.getMessage());
         }
         List<Long> addedZone = new ArrayList<>();
diff --git a/server/src/test/java/com/cloud/storage/snapshot/SnapshotManagerTest.java b/server/src/test/java/com/cloud/storage/snapshot/SnapshotManagerTest.java
index 3b5d92103e77..8eee0ed66261 100755
--- a/server/src/test/java/com/cloud/storage/snapshot/SnapshotManagerTest.java
+++ b/server/src/test/java/com/cloud/storage/snapshot/SnapshotManagerTest.java
@@ -16,6 +16,27 @@
 // under the License.
 package com.cloud.storage.snapshot;
 
+import org.apache.cloudstack.api.command.user.snapshot.ExtractSnapshotCmd;
+import org.apache.cloudstack.context.CallContext;
+import org.apache.cloudstack.engine.subsystem.api.storage.DataStore;
+import org.apache.cloudstack.engine.subsystem.api.storage.DataStoreManager;
+import org.apache.cloudstack.engine.subsystem.api.storage.ObjectInDataStoreStateMachine;
+import org.apache.cloudstack.engine.subsystem.api.storage.SnapshotDataFactory;
+import org.apache.cloudstack.engine.subsystem.api.storage.SnapshotInfo;
+import org.apache.cloudstack.engine.subsystem.api.storage.SnapshotService;
+import org.apache.cloudstack.engine.subsystem.api.storage.SnapshotStrategy;
+import org.apache.cloudstack.engine.subsystem.api.storage.SnapshotStrategy.SnapshotOperation;
+import org.apache.cloudstack.engine.subsystem.api.storage.StorageStrategyFactory;
+import org.apache.cloudstack.engine.subsystem.api.storage.VolumeDataFactory;
+import org.apache.cloudstack.engine.subsystem.api.storage.VolumeInfo;
+import org.apache.cloudstack.framework.config.ConfigKey;
+import org.apache.cloudstack.snapshot.SnapshotHelper;
+import org.apache.cloudstack.storage.datastore.db.PrimaryDataStoreDao;
+import org.apache.cloudstack.storage.datastore.db.SnapshotDataStoreDao;
+import org.apache.cloudstack.storage.datastore.db.SnapshotDataStoreVO;
+import org.apache.cloudstack.storage.datastore.db.StoragePoolVO;
+import org.apache.cloudstack.storage.image.datastore.ImageStoreEntity;
+
 import com.cloud.api.ApiDBUtils;
 import com.cloud.configuration.Resource.ResourceType;
 import com.cloud.dc.DataCenter;
@@ -27,6 +48,7 @@
 import com.cloud.hypervisor.Hypervisor;
 import com.cloud.hypervisor.Hypervisor.HypervisorType;
 import com.cloud.resource.ResourceManager;
+import com.cloud.resourcelimit.CheckedReservation;
 import com.cloud.server.ResourceTag;
 import com.cloud.server.TaggedResourceService;
 import com.cloud.storage.DataStoreRole;
@@ -57,27 +79,6 @@
 import com.cloud.vm.snapshot.VMSnapshotVO;
 import com.cloud.vm.snapshot.dao.VMSnapshotDao;
 
-import org.apache.cloudstack.api.command.user.snapshot.ExtractSnapshotCmd;
-import org.apache.cloudstack.context.CallContext;
-import org.apache.cloudstack.engine.subsystem.api.storage.DataStore;
-import org.apache.cloudstack.engine.subsystem.api.storage.DataStoreManager;
-import org.apache.cloudstack.engine.subsystem.api.storage.ObjectInDataStoreStateMachine;
-import org.apache.cloudstack.engine.subsystem.api.storage.SnapshotDataFactory;
-import org.apache.cloudstack.engine.subsystem.api.storage.SnapshotInfo;
-import org.apache.cloudstack.engine.subsystem.api.storage.SnapshotService;
-import org.apache.cloudstack.engine.subsystem.api.storage.SnapshotStrategy;
-import org.apache.cloudstack.engine.subsystem.api.storage.SnapshotStrategy.SnapshotOperation;
-import org.apache.cloudstack.engine.subsystem.api.storage.StorageStrategyFactory;
-import org.apache.cloudstack.engine.subsystem.api.storage.VolumeDataFactory;
-import org.apache.cloudstack.engine.subsystem.api.storage.VolumeInfo;
-import org.apache.cloudstack.framework.config.ConfigKey;
-import org.apache.cloudstack.snapshot.SnapshotHelper;
-import org.apache.cloudstack.storage.datastore.db.PrimaryDataStoreDao;
-import org.apache.cloudstack.storage.datastore.db.SnapshotDataStoreDao;
-import org.apache.cloudstack.storage.datastore.db.SnapshotDataStoreVO;
-import org.apache.cloudstack.storage.datastore.db.StoragePoolVO;
-import org.apache.cloudstack.storage.image.datastore.ImageStoreEntity;
-
 import org.junit.After;
 import org.junit.Assert;
 import org.junit.Before;
@@ -87,6 +88,7 @@
 import org.mockito.BDDMockito;
 import org.mockito.InjectMocks;
 import org.mockito.Mock;
+import org.mockito.MockedConstruction;
 import org.mockito.MockedStatic;
 import org.mockito.Mockito;
 import org.mockito.junit.MockitoJUnitRunner;
@@ -237,8 +239,6 @@ public void setup() throws ResourceAllocationException {
         when(_storageStrategyFactory.getSnapshotStrategy(Mockito.any(SnapshotVO.class), Mockito.eq(SnapshotOperation.BACKUP))).thenReturn(snapshotStrategy);
         when(_storageStrategyFactory.getSnapshotStrategy(Mockito.any(SnapshotVO.class), Mockito.eq(SnapshotOperation.REVERT))).thenReturn(snapshotStrategy);
 
-        doNothing().when(_resourceLimitMgr).checkResourceLimit(any(Account.class), any(ResourceType.class));
-        doNothing().when(_resourceLimitMgr).checkResourceLimit(any(Account.class), any(ResourceType.class), anyLong());
         doNothing().when(_resourceLimitMgr).incrementResourceCount(anyLong(), any(ResourceType.class));
         doNothing().when(_resourceLimitMgr).incrementResourceCount(anyLong(), any(ResourceType.class), anyLong());
 
@@ -320,7 +320,12 @@ public void testAllocSnapshotF4() throws ResourceAllocationException {
         when(mockList2.size()).thenReturn(0);
         when(_vmSnapshotDao.listByInstanceId(TEST_VM_ID, VMSnapshot.State.Creating, VMSnapshot.State.Reverting, VMSnapshot.State.Expunging)).thenReturn(mockList2);
         when(_snapshotDao.persist(any(SnapshotVO.class))).thenReturn(snapshotMock);
-        _snapshotMgr.allocSnapshot(TEST_VOLUME_ID, Snapshot.MANUAL_POLICY_ID, null, null);
+
+        try (MockedConstruction<CheckedReservation> mockCheckedReservation = Mockito.mockConstruction(CheckedReservation.class)) {
+            _snapshotMgr.allocSnapshot(TEST_VOLUME_ID, Snapshot.MANUAL_POLICY_ID, null, null);
+        } catch (ResourceAllocationException e) {
+            Assert.fail(String.format("Failure with exception: %s", e.getMessage()));
+        }
     }
 
     @Test(expected = InvalidParameterValueException.class)
@@ -468,7 +473,7 @@ public void validateCreateTagsForSnapshotPolicyWithEmptyTags(){
     public void validateCreateTagsForSnapshotPolicyWithValidTags(){
         Mockito.doReturn(null).when(taggedResourceServiceMock).createTags(any(), any(), any(), any());
 
-        Map map = new HashMap<>();
+        Map<String, String> map = new HashMap<>();
         map.put("test", "test");
 
         _snapshotMgr.createTagsForSnapshotPolicy(map, snapshotPolicyVoMock);
diff --git a/server/src/test/java/com/cloud/template/TemplateManagerImplTest.java b/server/src/test/java/com/cloud/template/TemplateManagerImplTest.java
index 7bdc1e7c6040..6288180a9f4e 100755
--- a/server/src/test/java/com/cloud/template/TemplateManagerImplTest.java
+++ b/server/src/test/java/com/cloud/template/TemplateManagerImplTest.java
@@ -22,7 +22,6 @@
 import com.cloud.agent.AgentManager;
 import com.cloud.api.query.dao.SnapshotJoinDao;
 import com.cloud.api.query.dao.UserVmJoinDao;
-import com.cloud.configuration.Resource;
 import com.cloud.dc.dao.DataCenterDao;
 import com.cloud.deployasis.dao.TemplateDeployAsIsDetailsDao;
 import com.cloud.domain.dao.DomainDao;
@@ -34,6 +33,7 @@
 import com.cloud.hypervisor.Hypervisor;
 import com.cloud.hypervisor.HypervisorGuruManager;
 import com.cloud.projects.ProjectManager;
+import com.cloud.resourcelimit.CheckedReservation;
 import com.cloud.storage.DataStoreRole;
 import com.cloud.storage.GuestOSVO;
 import com.cloud.storage.Snapshot;
@@ -64,12 +64,14 @@
 import com.cloud.user.UserData;
 import com.cloud.user.UserVO;
 import com.cloud.user.dao.AccountDao;
-import com.cloud.utils.component.ComponentContext;
 import com.cloud.utils.concurrency.NamedThreadFactory;
 import com.cloud.utils.exception.CloudRuntimeException;
 import com.cloud.vm.VMInstanceVO;
 import com.cloud.vm.dao.UserVmDao;
 import com.cloud.vm.dao.VMInstanceDao;
+
+import junit.framework.TestCase;
+
 import org.apache.cloudstack.api.command.user.template.CreateTemplateCmd;
 import org.apache.cloudstack.api.command.user.template.DeleteTemplateCmd;
 import org.apache.cloudstack.api.command.user.template.RegisterTemplateCmd;
@@ -92,6 +94,7 @@
 import org.apache.cloudstack.engine.subsystem.api.storage.VolumeDataFactory;
 import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
 import org.apache.cloudstack.framework.messagebus.MessageBus;
+import org.apache.cloudstack.reservation.dao.ReservationDao;
 import org.apache.cloudstack.secstorage.dao.SecondaryStorageHeuristicDao;
 import org.apache.cloudstack.secstorage.heuristics.HeuristicType;
 import org.apache.cloudstack.snapshot.SnapshotHelper;
@@ -105,13 +108,20 @@
 import org.apache.cloudstack.storage.heuristics.HeuristicRuleHelper;
 import org.apache.cloudstack.storage.template.VnfTemplateManager;
 import org.apache.cloudstack.test.utils.SpringUtils;
+
 import org.junit.After;
 import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
+
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.MockedConstruction;
 import org.mockito.Mockito;
+import org.mockito.Spy;
 import org.mockito.invocation.InvocationOnMock;
+import org.mockito.junit.MockitoJUnitRunner;
 import org.mockito.stubbing.Answer;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.ComponentScan;
@@ -120,11 +130,7 @@
 import org.springframework.core.type.classreading.MetadataReader;
 import org.springframework.core.type.classreading.MetadataReaderFactory;
 import org.springframework.core.type.filter.TypeFilter;
-import org.springframework.test.context.ContextConfiguration;
-import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
-import org.springframework.test.context.support.AnnotationConfigContextLoader;
 
-import javax.inject.Inject;
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.List;
@@ -137,81 +143,81 @@
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.atomic.AtomicInteger;
 
-import static org.junit.Assert.assertTrue;
-import static org.mockito.ArgumentMatchers.nullable;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.anyBoolean;
 import static org.mockito.ArgumentMatchers.anyLong;
+import static org.mockito.ArgumentMatchers.nullable;
 import static org.mockito.Mockito.doNothing;
 import static org.mockito.Mockito.eq;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
-@RunWith(SpringJUnit4ClassRunner.class)
-@ContextConfiguration(loader = AnnotationConfigContextLoader.class)
-public class TemplateManagerImplTest {
+@RunWith(MockitoJUnitRunner.class)
+public class TemplateManagerImplTest extends TestCase {
 
-    @Inject
-    TemplateManagerImpl templateManager = new TemplateManagerImpl();
+    @Spy
+    @InjectMocks
+    TemplateManagerImpl templateManager;
 
-    @Inject
+    @Mock
     DataStoreManager dataStoreManager;
 
-    @Inject
+    @Mock
     VMTemplateDao vmTemplateDao;
 
-    @Inject
+    @Mock
     VMTemplatePoolDao vmTemplatePoolDao;
 
-    @Inject
+    @Mock
     TemplateDataStoreDao templateDataStoreDao;
 
-    @Inject
+    @Mock
     StoragePoolHostDao storagePoolHostDao;
 
-    @Inject
+    @Mock
     PrimaryDataStoreDao primaryDataStoreDao;
 
-    @Inject
+    @Mock
     ResourceLimitService resourceLimitMgr;
 
-    @Inject
+    @Mock
     ImageStoreDao imgStoreDao;
 
-    @Inject
+    @Mock
     GuestOSDao guestOSDao;
 
-    @Inject
-    VMTemplateDao tmpltDao;
-
-    @Inject
+    @Mock
     SnapshotDao snapshotDao;
 
-    @Inject
+    @Mock
+    VolumeDao volumeDao;
+
+    @Mock
     VMTemplateDetailsDao tmpltDetailsDao;
 
-    @Inject
+    @Mock
     StorageStrategyFactory storageStrategyFactory;
 
-    @Inject
+    @Mock
     VMInstanceDao _vmInstanceDao;
 
-    @Inject
-    private VMTemplateDao _tmpltDao;
+    @Mock
+    ReservationDao reservationDao;
 
-    @Inject
+    @Mock
     HypervisorGuruManager _hvGuruMgr;
 
-    @Inject
+    @Mock
     AccountManager _accountMgr;
-    @Inject
+
+    @Mock
     VnfTemplateManager vnfTemplateManager;
-    @Inject
+    @Mock
     SnapshotJoinDao snapshotJoinDao;
-    @Inject
+    @Mock
     TemplateDeployAsIsDetailsDao templateDeployAsIsDetailsDao;
 
-    @Inject
+    @Mock
     HeuristicRuleHelper heuristicRuleHelperMock;
 
     public class CustomThreadPoolExecutor extends ThreadPoolExecutor {
@@ -241,7 +247,6 @@ public int getCount() {
 
     @Before
     public void setUp() {
-        ComponentContext.initComponentsLifeCycle();
         AccountVO account = new AccountVO("admin", 1L, "networkDomain", Account.Type.NORMAL, "uuid");
         UserVO user = new UserVO(1, "testuser", "password", "firstname", "lastName", "email", "timezone", UUID.randomUUID().toString(), User.Source.UNKNOWN);
         CallContext.register(user, account);
@@ -275,7 +280,7 @@ public void testForceDeleteTemplate() {
         List<TemplateAdapter> adapters  = new ArrayList<TemplateAdapter>();
         adapters.add(templateAdapter);
         when(cmd.getId()).thenReturn(0L);
-        when(_tmpltDao.findById(cmd.getId())).thenReturn(template);
+        when(vmTemplateDao.findById(cmd.getId())).thenReturn(template);
         when(cmd.getZoneId()).thenReturn(null);
 
         when(template.getHypervisorType()).thenReturn(Hypervisor.HypervisorType.None);
@@ -296,7 +301,6 @@ public void testForceDeleteTemplate() {
         //case 2.2: When Force delete flag is 'false' and VM instance VO list is non empty.
         when(cmd.isForced()).thenReturn(false);
         VMInstanceVO vmInstanceVO = mock(VMInstanceVO.class);
-        when(vmInstanceVO.getInstanceName()).thenReturn("mydDummyVM");
         vmInstanceVOList.add(vmInstanceVO);
         when(_vmInstanceDao.listNonExpungedByTemplate(anyLong())).thenReturn(vmInstanceVOList);
         try {
@@ -311,7 +315,6 @@ public void testPrepareTemplateIsSeeded() {
         when(mockTemplate.getId()).thenReturn(202l);
 
         StoragePoolVO mockPool = mock(StoragePoolVO.class);
-        when(mockPool.getId()).thenReturn(2l);
 
         PrimaryDataStore mockPrimaryDataStore = mock(PrimaryDataStore.class);
         when(mockPrimaryDataStore.getId()).thenReturn(2l);
@@ -319,7 +322,6 @@ public void testPrepareTemplateIsSeeded() {
         VMTemplateStoragePoolVO mockTemplateStore = mock(VMTemplateStoragePoolVO.class);
         when(mockTemplateStore.getDownloadState()).thenReturn(VMTemplateStorageResourceAssoc.Status.DOWNLOADED);
 
-        when(dataStoreManager.getPrimaryDataStore(anyLong())).thenReturn(mockPrimaryDataStore);
         when(vmTemplateDao.findById(anyLong(), anyBoolean())).thenReturn(mockTemplate);
         when(vmTemplatePoolDao.findByPoolTemplate(anyLong(), anyLong(), nullable(String.class))).thenReturn(mockTemplateStore);
 
@@ -335,13 +337,11 @@ public void testPrepareTemplateNotDownloaded() {
         when(mockTemplate.getId()).thenReturn(202l);
 
         StoragePoolVO mockPool = mock(StoragePoolVO.class);
-        when(mockPool.getId()).thenReturn(2l);
 
         PrimaryDataStore mockPrimaryDataStore = mock(PrimaryDataStore.class);
         when(mockPrimaryDataStore.getId()).thenReturn(2l);
         when(mockPrimaryDataStore.getDataCenterId()).thenReturn(1l);
 
-        when(dataStoreManager.getPrimaryDataStore(anyLong())).thenReturn(mockPrimaryDataStore);
         when(vmTemplateDao.findById(anyLong(), anyBoolean())).thenReturn(mockTemplate);
         when(vmTemplatePoolDao.findByPoolTemplate(anyLong(), anyLong(), nullable(String.class))).thenReturn(null);
         when(templateDataStoreDao.findByTemplateZoneDownloadStatus(202l, 1l, VMTemplateStorageResourceAssoc.Status.DOWNLOADED)).thenReturn(null);
@@ -356,7 +356,6 @@ public void testPrepareTemplateNoHostConnectedToPool() {
         when(mockTemplate.getId()).thenReturn(202l);
 
         StoragePoolVO mockPool = mock(StoragePoolVO.class);
-        when(mockPool.getId()).thenReturn(2l);
 
         PrimaryDataStore mockPrimaryDataStore = mock(PrimaryDataStore.class);
         when(mockPrimaryDataStore.getId()).thenReturn(2l);
@@ -364,7 +363,6 @@ public void testPrepareTemplateNoHostConnectedToPool() {
 
         TemplateDataStoreVO mockTemplateDataStore = mock(TemplateDataStoreVO.class);
 
-        when(dataStoreManager.getPrimaryDataStore(anyLong())).thenReturn(mockPrimaryDataStore);
         when(vmTemplateDao.findById(anyLong(), anyBoolean())).thenReturn(mockTemplate);
         when(vmTemplatePoolDao.findByPoolTemplate(anyLong(), anyLong(), nullable(String.class))).thenReturn(null);
         when(templateDataStoreDao.findByTemplateZoneDownloadStatus(202l, 1l, VMTemplateStorageResourceAssoc.Status.DOWNLOADED)).thenReturn(mockTemplateDataStore);
@@ -415,20 +413,10 @@ public void testTemplateScheduledForDownloadInDisabledPool() {
         PrimaryDataStore mockPrimaryDataStore = mock(PrimaryDataStore.class);
         VMTemplateStoragePoolVO mockTemplateStore = mock(VMTemplateStoragePoolVO.class);
 
-        when(mockPrimaryDataStore.getId()).thenReturn(2l);
-        when(mockPool.getId()).thenReturn(2l);
         when(mockPool.getStatus()).thenReturn(StoragePoolStatus.Disabled);
-        when(mockPool.getDataCenterId()).thenReturn(1l);
-        when(mockTemplate.getId()).thenReturn(202l);
-        when(mockTemplateStore.getDownloadState()).thenReturn(VMTemplateStorageResourceAssoc.Status.DOWNLOADED);
         when(vmTemplateDao.findById(anyLong())).thenReturn(mockTemplate);
-        when(dataStoreManager.getPrimaryDataStore(anyLong())).thenReturn(mockPrimaryDataStore);
-        when(vmTemplateDao.findById(anyLong(), anyBoolean())).thenReturn(mockTemplate);
-        when(vmTemplatePoolDao.findByPoolTemplate(anyLong(), anyLong(), nullable(String.class))).thenReturn(mockTemplateStore);
         when(primaryDataStoreDao.findById(anyLong())).thenReturn(mockPool);
 
-        doNothing().when(mockTemplateStore).setMarkedForGC(anyBoolean());
-
         ExecutorService preloadExecutor = new CustomThreadPoolExecutor(8, 8, 0L, TimeUnit.MILLISECONDS, new LinkedBlockingQueue(),
                 new NamedThreadFactory("Template-Preloader"));
         templateManager._preloadExecutor = preloadExecutor;
@@ -446,15 +434,10 @@ public void testTemplateScheduledForDownloadInMultiplePool() {
 
         StoragePoolVO mockPool1 = mock(StoragePoolVO.class);
         when(mockPool1.getId()).thenReturn(2l);
-        when(mockPool1.getStatus()).thenReturn(StoragePoolStatus.Up);
         when(mockPool1.getDataCenterId()).thenReturn(1l);
         StoragePoolVO mockPool2 = mock(StoragePoolVO.class);
-        when(mockPool2.getId()).thenReturn(3l);
-        when(mockPool2.getStatus()).thenReturn(StoragePoolStatus.Up);
         when(mockPool2.getDataCenterId()).thenReturn(1l);
         StoragePoolVO mockPool3 = mock(StoragePoolVO.class);
-        when(mockPool3.getId()).thenReturn(4l);
-        when(mockPool3.getStatus()).thenReturn(StoragePoolStatus.Up);
         when(mockPool3.getDataCenterId()).thenReturn(2l);
         pools.add(mockPool1);
         pools.add(mockPool2);
@@ -467,9 +450,6 @@ public void testTemplateScheduledForDownloadInMultiplePool() {
         when(dataStoreManager.getPrimaryDataStore(anyLong())).thenReturn(mockPrimaryDataStore);
         when(vmTemplateDao.findById(anyLong(), anyBoolean())).thenReturn(mockTemplate);
         when(vmTemplatePoolDao.findByPoolTemplate(anyLong(), anyLong(), nullable(String.class))).thenReturn(mockTemplateStore);
-        when(primaryDataStoreDao.findById(2l)).thenReturn(mockPool1);
-        when(primaryDataStoreDao.findById(3l)).thenReturn(mockPool2);
-        when(primaryDataStoreDao.findById(4l)).thenReturn(mockPool3);
         when(primaryDataStoreDao.listByStatus(StoragePoolStatus.Up)).thenReturn(pools);
 
         doNothing().when(mockTemplateStore).setMarkedForGC(anyBoolean());
@@ -497,7 +477,6 @@ public void testCreatePrivateTemplateRecordForRegionStore() throws ResourceAlloc
         when(mockCreateCmd.getVolumeId()).thenReturn(null);
         when(mockCreateCmd.getSnapshotId()).thenReturn(1L);
         when(mockCreateCmd.getOsTypeId()).thenReturn(1L);
-        when(mockCreateCmd.getEventDescription()).thenReturn("test");
         when(mockCreateCmd.getDetails()).thenReturn(null);
         when(mockCreateCmd.getZoneId()).thenReturn(null);
 
@@ -510,20 +489,17 @@ public void testCreatePrivateTemplateRecordForRegionStore() throws ResourceAlloc
         when(mockSnapshot.getState()).thenReturn(Snapshot.State.BackedUp);
         when(mockSnapshot.getHypervisorType()).thenReturn(Hypervisor.HypervisorType.XenServer);
 
-        doNothing().when(resourceLimitMgr).checkResourceLimit(any(Account.class), eq(Resource.ResourceType.template));
-        doNothing().when(resourceLimitMgr).checkResourceLimit(any(Account.class), eq(Resource.ResourceType.secondary_storage), anyLong());
-
         GuestOSVO mockGuestOS = mock(GuestOSVO.class);
         when(guestOSDao.findById(anyLong())).thenReturn(mockGuestOS);
 
-        when(tmpltDao.getNextInSequence(eq(Long.class), eq("id"))).thenReturn(1L);
+        when(vmTemplateDao.getNextInSequence(eq(Long.class), eq("id"))).thenReturn(1L);
 
         List<ImageStoreVO> mockRegionStores = new ArrayList<>();
         ImageStoreVO mockRegionStore = mock(ImageStoreVO.class);
         mockRegionStores.add(mockRegionStore);
         when(imgStoreDao.findRegionImageStores()).thenReturn(mockRegionStores);
 
-        when(tmpltDao.persist(any(VMTemplateVO.class))).thenAnswer(new Answer<VMTemplateVO>() {
+        when(vmTemplateDao.persist(any(VMTemplateVO.class))).thenAnswer(new Answer<VMTemplateVO>() {
             @Override
             public VMTemplateVO answer(InvocationOnMock invocationOnMock) throws Throwable {
                 Object[] args = invocationOnMock.getArguments();
@@ -531,8 +507,10 @@ public VMTemplateVO answer(InvocationOnMock invocationOnMock) throws Throwable {
             }
         });
 
-        VMTemplateVO template = templateManager.createPrivateTemplateRecord(mockCreateCmd, mockTemplateOwner);
-        assertTrue("Template in a region store should have cross zones set", template.isCrossZones());
+        try (MockedConstruction<CheckedReservation> mockCheckedReservation = Mockito.mockConstruction(CheckedReservation.class)) {
+            VMTemplateVO template = templateManager.createPrivateTemplateRecord(mockCreateCmd, mockTemplateOwner);
+            assertTrue("Template in a region store should have cross zones set", template.isCrossZones());
+        }
     }
 
     @Test
@@ -544,7 +522,7 @@ public void testLinkUserDataToTemplate() {
         when(cmd.getUserdataPolicy()).thenReturn(UserData.UserDataOverridePolicy.ALLOWOVERRIDE);
 
         VMTemplateVO template = Mockito.mock(VMTemplateVO.class);
-        when(_tmpltDao.findById(anyLong())).thenReturn(template);
+        when(vmTemplateDao.findById(anyLong())).thenReturn(template);
 
         VirtualMachineTemplate resultTemplate = templateManager.linkUserDataToTemplate(cmd);
 
@@ -560,7 +538,6 @@ public void testLinkUserDataToTemplateByProvidingBothISOAndTemplateId() {
         when(cmd.getUserdataPolicy()).thenReturn(UserData.UserDataOverridePolicy.ALLOWOVERRIDE);
 
         VMTemplateVO template = Mockito.mock(VMTemplateVO.class);
-        when(_tmpltDao.findById(1L)).thenReturn(template);
 
         templateManager.linkUserDataToTemplate(cmd);
     }
@@ -574,7 +551,6 @@ public void testLinkUserDataToTemplateByNotProvidingBothISOAndTemplateId() {
         when(cmd.getUserdataPolicy()).thenReturn(UserData.UserDataOverridePolicy.ALLOWOVERRIDE);
 
         VMTemplateVO template = Mockito.mock(VMTemplateVO.class);
-        when(_tmpltDao.findById(1L)).thenReturn(template);
 
         templateManager.linkUserDataToTemplate(cmd);
     }
@@ -587,7 +563,7 @@ public void testLinkUserDataToTemplateWhenNoTemplate() {
         when(cmd.getUserdataId()).thenReturn(2L);
         when(cmd.getUserdataPolicy()).thenReturn(UserData.UserDataOverridePolicy.ALLOWOVERRIDE);
 
-        when(_tmpltDao.findById(anyLong())).thenReturn(null);
+        when(vmTemplateDao.findById(anyLong())).thenReturn(null);
 
         templateManager.linkUserDataToTemplate(cmd);
     }
@@ -602,7 +578,7 @@ public void testUnLinkUserDataToTemplate() {
 
         VMTemplateVO template = Mockito.mock(VMTemplateVO.class);
         when(template.getId()).thenReturn(1L);
-        when(_tmpltDao.findById(1L)).thenReturn(template);
+        when(vmTemplateDao.findById(1L)).thenReturn(template);
 
         VirtualMachineTemplate resultTemplate = templateManager.linkUserDataToTemplate(cmd);
 
@@ -633,7 +609,6 @@ public void getImageStoreTestStoreUuidIsNullAndThereIsNoActiveHeuristicRulesShou
         DataStore dataStore = Mockito.mock(DataStore.class);
         VolumeVO volumeVO = Mockito.mock(VolumeVO.class);
 
-        Mockito.when(dataStoreManager.getDataStore(Mockito.anyString(), Mockito.any(DataStoreRole.class))).thenReturn(null);
         Mockito.when(heuristicRuleHelperMock.getImageStoreIfThereIsHeuristicRule(Mockito.anyLong(), Mockito.any(HeuristicType.class), Mockito.any(VolumeVO.class))).thenReturn(null);
         Mockito.when(dataStoreManager.getImageStoreWithFreeCapacity(Mockito.anyLong())).thenReturn(dataStore);
 
@@ -646,7 +621,6 @@ public void getImageStoreTestStoreUuidIsNullAndThereIsActiveHeuristicRulesShould
         DataStore dataStore = Mockito.mock(DataStore.class);
         VolumeVO volumeVO = Mockito.mock(VolumeVO.class);
 
-        Mockito.when(dataStoreManager.getDataStore(Mockito.anyString(), Mockito.any(DataStoreRole.class))).thenReturn(null);
         Mockito.when(heuristicRuleHelperMock.getImageStoreIfThereIsHeuristicRule(Mockito.anyLong(), Mockito.any(HeuristicType.class), Mockito.any(VolumeVO.class))).thenReturn(dataStore);
 
         templateManager.getImageStore(null, 1L, volumeVO);
@@ -987,6 +961,11 @@ public TemplateDeployAsIsDetailsDao templateDeployAsIsDetailsDao() {
             return Mockito.mock(TemplateDeployAsIsDetailsDao.class);
         }
 
+        @Bean
+        public ReservationDao reservationDao() {
+            return Mockito.mock(ReservationDao.class);
+        }
+
         @Bean
         public SnapshotHelper snapshotHelper() {
             return Mockito.mock(SnapshotHelper.class);
diff --git a/server/src/test/java/com/cloud/user/DomainManagerImplTest.java b/server/src/test/java/com/cloud/user/DomainManagerImplTest.java
index 5a1dba215ae2..06a8eba903b0 100644
--- a/server/src/test/java/com/cloud/user/DomainManagerImplTest.java
+++ b/server/src/test/java/com/cloud/user/DomainManagerImplTest.java
@@ -68,6 +68,7 @@
 import com.cloud.utils.db.SearchCriteria;
 import com.cloud.utils.exception.CloudRuntimeException;
 import com.cloud.utils.net.NetUtils;
+import com.cloud.vm.dao.VMInstanceDao;
 
 
 @RunWith(MockitoJUnitRunner.class)
@@ -123,6 +124,8 @@ public class DomainManagerImplTest {
     Account adminAccount;
     @Mock
     GlobalLock lock;
+    @Mock
+    VMInstanceDao vmInstanceDao;
 
     List<AccountVO> domainAccountsForCleanup;
     List<Long> domainNetworkIds;
@@ -213,6 +216,7 @@ public void testDeleteDomainRootDomain() {
     @Test
     public void testDeleteDomainNoCleanup() {
         Mockito.when(_configMgr.releaseDomainSpecificVirtualRanges(Mockito.any())).thenReturn(true);
+        Mockito.doReturn(Collections.emptySet()).when(domainManager).getDomainChildrenIds(Mockito.any());
         domainManager.deleteDomain(DOMAIN_ID, testDomainCleanup);
         Mockito.verify(domainManager).deleteDomain(domain, testDomainCleanup);
         Mockito.verify(domainManager).removeDomainWithNoAccountsForCleanupNetworksOrDedicatedResources(domain);
@@ -278,6 +282,7 @@ public void deleteDomain() {
         Mockito.when(_dedicatedDao.listByDomainId(Mockito.anyLong())).thenReturn(new ArrayList<DedicatedResourceVO>());
         Mockito.when(domainDaoMock.remove(Mockito.anyLong())).thenReturn(true);
         Mockito.when(_configMgr.releaseDomainSpecificVirtualRanges(Mockito.any())).thenReturn(true);
+        Mockito.doReturn(Collections.emptySet()).when(domainManager).getDomainChildrenIds(Mockito.any());
 
         try {
             Assert.assertTrue(domainManager.deleteDomain(20l, false));
@@ -309,7 +314,7 @@ public void deleteDomainCleanup() {
         Mockito.when(_resourceCountDao.removeEntriesByOwner(Mockito.anyLong(), Mockito.eq(ResourceOwnerType.Domain))).thenReturn(1l);
         Mockito.when(_resourceLimitDao.removeEntriesByOwner(Mockito.anyLong(), Mockito.eq(ResourceOwnerType.Domain))).thenReturn(1l);
         Mockito.when(_configMgr.releaseDomainSpecificVirtualRanges(Mockito.any())).thenReturn(true);
-
+        Mockito.when(vmInstanceDao.listDeleteProtectedVmsByDomainIds(Mockito.any())).thenReturn(Collections.emptyList());
         try {
             Assert.assertTrue(domainManager.deleteDomain(20l, true));
         } finally {
diff --git a/server/src/test/java/com/cloud/vm/UserVmManagerImplTest.java b/server/src/test/java/com/cloud/vm/UserVmManagerImplTest.java
index f7439386fab4..93a06ef2097f 100644
--- a/server/src/test/java/com/cloud/vm/UserVmManagerImplTest.java
+++ b/server/src/test/java/com/cloud/vm/UserVmManagerImplTest.java
@@ -77,6 +77,7 @@
 import org.apache.cloudstack.api.command.user.vm.ResetVMUserDataCmd;
 import org.apache.cloudstack.api.command.user.vm.RestoreVMCmd;
 import org.apache.cloudstack.api.command.user.vm.UpdateVMCmd;
+import org.apache.cloudstack.api.command.user.vm.UpdateVmNicCmd;
 import org.apache.cloudstack.api.command.user.volume.ResizeVolumeCmd;
 import org.apache.cloudstack.backup.BackupManager;
 import org.apache.cloudstack.backup.BackupVO;
@@ -84,6 +85,7 @@
 import org.apache.cloudstack.backup.dao.BackupScheduleDao;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
+import org.apache.cloudstack.resourcelimit.Reserver;
 import org.apache.cloudstack.engine.subsystem.api.storage.PrimaryDataStore;
 import org.apache.cloudstack.engine.subsystem.api.storage.Scope;
 import org.apache.cloudstack.engine.subsystem.api.storage.VolumeDataFactory;
@@ -96,6 +98,7 @@
 import org.apache.cloudstack.userdata.UserDataManager;
 import org.apache.cloudstack.vm.UnmanagedVMsManager;
 import org.apache.cloudstack.vm.lease.VMLeaseManager;
+
 import org.junit.After;
 import org.junit.Assert;
 import org.junit.Before;
@@ -103,6 +106,7 @@
 import org.junit.runner.RunWith;
 import org.mockito.InjectMocks;
 import org.mockito.Mock;
+import org.mockito.MockedConstruction;
 import org.mockito.MockedStatic;
 import org.mockito.Mockito;
 import org.mockito.Spy;
@@ -159,9 +163,11 @@
 import com.cloud.offering.ServiceOffering;
 import com.cloud.offerings.NetworkOfferingVO;
 import com.cloud.offerings.dao.NetworkOfferingDao;
+import com.cloud.resourcelimit.CheckedReservation;
 import com.cloud.server.ManagementService;
 import com.cloud.service.ServiceOfferingVO;
 import com.cloud.service.dao.ServiceOfferingDao;
+import com.cloud.service.dao.ServiceOfferingDetailsDao;
 import com.cloud.storage.DiskOfferingVO;
 import com.cloud.storage.GuestOSVO;
 import com.cloud.storage.ScopeType;
@@ -198,6 +204,7 @@
 import com.cloud.utils.db.UUIDManager;
 import com.cloud.utils.exception.CloudRuntimeException;
 import com.cloud.utils.exception.ExceptionProxyObject;
+import com.cloud.utils.fsm.NoTransitionException;
 import com.cloud.vm.dao.NicDao;
 import com.cloud.vm.dao.UserVmDao;
 import com.cloud.vm.dao.VMInstanceDetailsDao;
@@ -244,6 +251,9 @@ public class UserVmManagerImplTest {
     @Mock
     private UpdateVMCmd updateVmCommand;
 
+    @Mock
+    private UpdateVmNicCmd updateVmNicCmd;
+
     @Mock
     private AccountManager accountManager;
 
@@ -271,6 +281,9 @@ public class UserVmManagerImplTest {
     @Mock
     private UserVO callerUser;
 
+    @Mock
+    private NicVO nicMock;
+
     @Mock
     private VMTemplateDao templateDao;
 
@@ -451,9 +464,14 @@ public class UserVmManagerImplTest {
 
     MockedStatic<UnmanagedVMsManager> unmanagedVMsManagerMockedStatic;
 
-    private static final long vmId = 1l;
+    @Mock
+    ServiceOfferingDetailsDao serviceOfferingDetailsDao;
+
+    private static final long vmId = 1L;
     private static final long zoneId = 2L;
     private static final long accountId = 3L;
+    private static final long nicId = 4L;
+    private static final long networkId = 5L;
     private static final long serviceOfferingId = 10L;
     private static final long templateId = 11L;
     private static final long volumeId = 1L;
@@ -466,8 +484,8 @@ public class UserVmManagerImplTest {
 
     String[] detailsConstants = {VmDetailConstants.MEMORY, VmDetailConstants.CPU_NUMBER, VmDetailConstants.CPU_SPEED};
 
-    private DiskOfferingVO smallerDisdkOffering = prepareDiskOffering(5l * GiB_TO_BYTES, 1l, 1L, 2L);
-    private DiskOfferingVO largerDisdkOffering = prepareDiskOffering(10l * GiB_TO_BYTES, 2l, 10L, 20L);
+    private DiskOfferingVO smallerDisdkOffering = prepareDiskOffering(5L * GiB_TO_BYTES, 1L, 1L, 2L);
+    private DiskOfferingVO largerDisdkOffering = prepareDiskOffering(10L * GiB_TO_BYTES, 2L, 10L, 20L);
     Class<InvalidParameterValueException> expectedInvalidParameterValueException = InvalidParameterValueException.class;
     Class<CloudRuntimeException> expectedCloudRuntimeException = CloudRuntimeException.class;
 
@@ -531,15 +549,15 @@ public void validateGuestOsIdForUpdateVirtualMachineCommandTestOsTypeNull() {
 
     @Test(expected = InvalidParameterValueException.class)
     public void validateGuestOsIdForUpdateVirtualMachineCommandTestOsTypeNotFound() {
-        Mockito.when(updateVmCommand.getOsTypeId()).thenReturn(1l);
+        Mockito.when(updateVmCommand.getOsTypeId()).thenReturn(1L);
 
         userVmManagerImpl.validateGuestOsIdForUpdateVirtualMachineCommand(updateVmCommand);
     }
 
     @Test
     public void validateGuestOsIdForUpdateVirtualMachineCommandTestOsTypeFound() {
-        Mockito.when(updateVmCommand.getOsTypeId()).thenReturn(1l);
-        Mockito.when(guestOSDao.findById(1l)).thenReturn(Mockito.mock(GuestOSVO.class));
+        Mockito.when(updateVmCommand.getOsTypeId()).thenReturn(1L);
+        Mockito.when(guestOSDao.findById(1L)).thenReturn(Mockito.mock(GuestOSVO.class));
 
         userVmManagerImpl.validateGuestOsIdForUpdateVirtualMachineCommand(updateVmCommand);
     }
@@ -558,11 +576,10 @@ private ServiceOfferingVO getSvcoffering(int ramSize) {
         int speed = 128;
 
         boolean ha = false;
-        boolean useLocalStorage = false;
 
         ServiceOfferingVO serviceOffering = new ServiceOfferingVO(name, cpu, ramSize, speed, null, null, ha, displayText, false, null,
                 false);
-        serviceOffering.setDiskOfferingId(1l);
+        serviceOffering.setDiskOfferingId(1L);
         return serviceOffering;
     }
 
@@ -703,7 +720,6 @@ private void verifyMethodsThatAreAlwaysExecuted() throws ResourceUnavailableExce
 
     }
 
-    @SuppressWarnings("unchecked")
     private void configureDoNothingForMethodsThatWeDoNotWantToTest() throws ResourceUnavailableException, InsufficientCapacityException, ResourceAllocationException {
         Mockito.doNothing().when(userVmManagerImpl).validateInputsAndPermissionForUpdateVirtualMachineCommand(updateVmCommand);
         Mockito.doReturn(new ArrayList<Long>()).when(userVmManagerImpl).getSecurityGroupIdList(updateVmCommand);
@@ -716,7 +732,6 @@ private void configureDoNothingForMethodsThatWeDoNotWantToTest() throws Resource
         Mockito.doNothing().when(userVmManagerImpl).validateOldAndNewAccounts(Mockito.nullable(Account.class), Mockito.nullable(Account.class), Mockito.anyLong(), Mockito.nullable(String.class), Mockito.nullable(Long.class));
         Mockito.doNothing().when(userVmManagerImpl).validateIfVmHasNoRules(Mockito.any(), Mockito.anyLong());
         Mockito.doNothing().when(userVmManagerImpl).removeInstanceFromInstanceGroup(Mockito.anyLong());
-        Mockito.doNothing().when(userVmManagerImpl).verifyResourceLimitsForAccountAndStorage(Mockito.any(), Mockito.any(), Mockito.any(), anyList(), Mockito.any());
         Mockito.doNothing().when(userVmManagerImpl).validateIfNewOwnerHasAccessToTemplate(Mockito.any(), Mockito.any(), Mockito.any());
 
         Mockito.doNothing().when(userVmManagerImpl).updateVmOwner(Mockito.any(), Mockito.any(), Mockito.any(), Mockito.any());
@@ -776,7 +791,7 @@ private void configureValidateOrReplaceMacAddressTest(int times, String macAddre
     }
 
     @Test
-    public void testValidatekeyValuePair() throws Exception {
+    public void testValidatekeyValuePair() {
         assertTrue(userVmManagerImpl.isValidKeyValuePair("is-a-template=true\nHVM-boot-policy=\nPV-bootloader=pygrub\nPV-args=hvc0"));
         assertTrue(userVmManagerImpl.isValidKeyValuePair("is-a-template=true HVM-boot-policy= PV-bootloader=pygrub PV-args=hvc0"));
         assertTrue(userVmManagerImpl.isValidKeyValuePair("nvp.vm-uuid=34b3d5ea-1c25-4bb0-9250-8dc3388bfa9b"));
@@ -792,8 +807,8 @@ public void configureCustomRootDiskSizeTest() {
         String vmDetailsRootDiskSize = "123";
         Map<String, String> customParameters = new HashMap<>();
         customParameters.put(VmDetailConstants.ROOT_DISK_SIZE, vmDetailsRootDiskSize);
-        long expectedRootDiskSize = 123l * GiB_TO_BYTES;
-        long offeringRootDiskSize = 0l;
+        long expectedRootDiskSize = 123L * GiB_TO_BYTES;
+        long offeringRootDiskSize = 0L;
         prepareAndRunConfigureCustomRootDiskSizeTest(customParameters, expectedRootDiskSize, 1, offeringRootDiskSize);
     }
 
@@ -802,8 +817,8 @@ public void configureCustomRootDiskSizeTestExpectExceptionZero() {
         String vmDetailsRootDiskSize = "0";
         Map<String, String> customParameters = new HashMap<>();
         customParameters.put(VmDetailConstants.ROOT_DISK_SIZE, vmDetailsRootDiskSize);
-        long expectedRootDiskSize = 0l;
-        long offeringRootDiskSize = 0l;
+        long expectedRootDiskSize = 0L;
+        long offeringRootDiskSize = 0L;
         prepareAndRunConfigureCustomRootDiskSizeTest(customParameters, expectedRootDiskSize, 1, offeringRootDiskSize);
     }
 
@@ -812,31 +827,31 @@ public void configureCustomRootDiskSizeTestExpectExceptionNegativeNum() {
         String vmDetailsRootDiskSize = "-123";
         Map<String, String> customParameters = new HashMap<>();
         customParameters.put(VmDetailConstants.ROOT_DISK_SIZE, vmDetailsRootDiskSize);
-        long expectedRootDiskSize = -123l * GiB_TO_BYTES;
-        long offeringRootDiskSize = 0l;
+        long expectedRootDiskSize = -123L * GiB_TO_BYTES;
+        long offeringRootDiskSize = 0L;
         prepareAndRunConfigureCustomRootDiskSizeTest(customParameters, expectedRootDiskSize, 1, offeringRootDiskSize);
     }
 
     @Test
     public void configureCustomRootDiskSizeTestEmptyParameters() {
         Map<String, String> customParameters = new HashMap<>();
-        long expectedRootDiskSize = 99l * GiB_TO_BYTES;
-        long offeringRootDiskSize = 0l;
+        long expectedRootDiskSize = 99L * GiB_TO_BYTES;
+        long offeringRootDiskSize = 0L;
         prepareAndRunConfigureCustomRootDiskSizeTest(customParameters, expectedRootDiskSize, 1, offeringRootDiskSize);
     }
 
     @Test
     public void configureCustomRootDiskSizeTestEmptyParametersAndOfferingRootSize() {
         Map<String, String> customParameters = new HashMap<>();
-        long expectedRootDiskSize = 10l * GiB_TO_BYTES;
-        long offeringRootDiskSize = 10l * GiB_TO_BYTES;
+        long expectedRootDiskSize = 10L * GiB_TO_BYTES;
+        long offeringRootDiskSize = 10L * GiB_TO_BYTES;
 
         prepareAndRunConfigureCustomRootDiskSizeTest(customParameters, expectedRootDiskSize, 1, offeringRootDiskSize);
     }
 
     private void prepareAndRunConfigureCustomRootDiskSizeTest(Map<String, String> customParameters, long expectedRootDiskSize, int timesVerifyIfHypervisorSupports, Long offeringRootDiskSize) {
         VMTemplateVO template = Mockito.mock(VMTemplateVO.class);
-        Mockito.when(template.getId()).thenReturn(1l);
+        Mockito.when(template.getId()).thenReturn(1L);
         Mockito.when(template.getSize()).thenReturn(99L * GiB_TO_BYTES);
         Mockito.when(templateDao.findById(Mockito.anyLong())).thenReturn(template);
 
@@ -905,7 +920,7 @@ public void prepareResizeVolumeCmdTestSameOfferingSize() {
 
     @Test
     public void prepareResizeVolumeCmdTestOfferingRootSizeZero() {
-        DiskOfferingVO rootSizeZero = prepareDiskOffering(0l, 3l, 100L, 200L);
+        DiskOfferingVO rootSizeZero = prepareDiskOffering(0L, 3L, 100L, 200L);
         prepareAndRunResizeVolumeTest(null, 100L, 200L, smallerDisdkOffering, rootSizeZero);
     }
 
@@ -915,7 +930,7 @@ public void prepareResizeVolumeCmdTestNewOfferingSmaller() {
     }
 
     private void prepareAndRunResizeVolumeTest(Long expectedOfferingId, long expectedMinIops, long expectedMaxIops, DiskOfferingVO currentRootDiskOffering, DiskOfferingVO newRootDiskOffering) {
-        long rootVolumeId = 1l;
+        long rootVolumeId = 1L;
         VolumeVO rootVolumeOfVm = Mockito.mock(VolumeVO.class);
         Mockito.when(rootVolumeOfVm.getId()).thenReturn(rootVolumeId);
 
@@ -962,7 +977,7 @@ public void testUserDataAllowOverride() {
 
         String finalUserdata = userVmManagerImpl.finalizeUserData(null, userDataId, template);
 
-        Assert.assertEquals(finalUserdata, templateUserData);
+        Assert.assertEquals(templateUserData, finalUserdata);
     }
 
     @Test
@@ -979,7 +994,7 @@ public void testUserDataWithoutTemplate() {
 
         String finalUserdata = userVmManagerImpl.finalizeUserData(null, userDataId, template);
 
-        Assert.assertEquals(finalUserdata, userData);
+        Assert.assertEquals(userData, finalUserdata);
     }
 
     @Test
@@ -995,7 +1010,7 @@ public void testUserDataAllowOverrideWithoutAPIuserdata() {
 
         String finalUserdata = userVmManagerImpl.finalizeUserData(null, null, template);
 
-        Assert.assertEquals(finalUserdata, templateUserData);
+        Assert.assertEquals(templateUserData, finalUserdata);
     }
 
     @Test
@@ -1006,7 +1021,7 @@ public void testUserDataAllowOverrideWithUserdataText() {
 
         String finalUserdata = userVmManagerImpl.finalizeUserData(userData, null, template);
 
-        Assert.assertEquals(finalUserdata, userData);
+        Assert.assertEquals(userData, finalUserdata);
     }
 
     @Test(expected = InvalidParameterValueException.class)
@@ -1027,9 +1042,7 @@ public void testResetVMUserDataVMStateNotStopped() {
 
         try {
             userVmManagerImpl.resetVMUserData(cmd);
-        } catch (ResourceUnavailableException e) {
-            throw new RuntimeException(e);
-        } catch (InsufficientCapacityException e) {
+        } catch (ResourceUnavailableException | InsufficientCapacityException e) {
             throw new RuntimeException(e);
         }
     }
@@ -1055,9 +1068,7 @@ public void testResetVMUserDataDontAcceptBothUserdataAndUserdataId() {
 
         try {
             userVmManagerImpl.resetVMUserData(cmd);
-        } catch (ResourceUnavailableException e) {
-            throw new RuntimeException(e);
-        } catch (InsufficientCapacityException e) {
+        } catch (ResourceUnavailableException | InsufficientCapacityException e) {
             throw new RuntimeException(e);
         }
     }
@@ -1091,14 +1102,12 @@ public void testResetVMUserDataSuccessResetWithUserdata() {
         try {
             doNothing().when(userVmManagerImpl).updateUserData(userVmVO);
             userVmManagerImpl.resetVMUserData(cmd);
-        } catch (ResourceUnavailableException e) {
-            throw new RuntimeException(e);
-        } catch (InsufficientCapacityException e) {
+        } catch (ResourceUnavailableException | InsufficientCapacityException e) {
             throw new RuntimeException(e);
         }
 
         Assert.assertEquals("testUserdata", userVmVO.getUserData());
-        Assert.assertEquals(null, userVmVO.getUserDataId());
+        Assert.assertNull(userVmVO.getUserDataId());
     }
 
     @Test
@@ -1132,9 +1141,7 @@ public void testResetVMUserDataSuccessResetWithUserdataId() {
         try {
             doNothing().when(userVmManagerImpl).updateUserData(userVmVO);
             userVmManagerImpl.resetVMUserData(cmd);
-        } catch (ResourceUnavailableException e) {
-            throw new RuntimeException(e);
-        } catch (InsufficientCapacityException e) {
+        } catch (ResourceUnavailableException | InsufficientCapacityException e) {
             throw new RuntimeException(e);
         }
 
@@ -1501,15 +1508,16 @@ public void testRestoreVMWithVolumeSnapshots() throws ResourceUnavailableExcepti
         when(cmd.getVmId()).thenReturn(vmId);
         when(cmd.getTemplateId()).thenReturn(2L);
         when(userVmDao.findById(vmId)).thenReturn(userVmVoMock);
+        Mockito.doReturn(false).when(userVmManagerImpl).isVMPartOfAnyCKSCluster(userVmVoMock);
 
         userVmManagerImpl.restoreVM(cmd);
     }
 
     @Test(expected = InvalidParameterValueException.class)
-    public void testRestoreVirtualMachineNoOwner() throws ResourceUnavailableException, InsufficientCapacityException, ResourceAllocationException {
-        long userId = 1l;
-        long accountId = 2l;
-        long newTemplateId = 2l;
+    public void testRestoreVirtualMachineNoOwner() throws ResourceUnavailableException, InsufficientCapacityException {
+        long userId = 1L;
+        long accountId = 2L;
+        long newTemplateId = 2L;
         when(accountMock.getId()).thenReturn(userId);
         when(userVmDao.findById(vmId)).thenReturn(userVmVoMock);
         when(userVmVoMock.getAccountId()).thenReturn(accountId);
@@ -1519,10 +1527,10 @@ public void testRestoreVirtualMachineNoOwner() throws ResourceUnavailableExcepti
     }
 
     @Test(expected = PermissionDeniedException.class)
-    public void testRestoreVirtualMachineOwnerDisabled() throws ResourceUnavailableException, InsufficientCapacityException, ResourceAllocationException {
-        long userId = 1l;
-        long accountId = 2l;
-        long newTemplateId = 2l;
+    public void testRestoreVirtualMachineOwnerDisabled() throws ResourceUnavailableException, InsufficientCapacityException {
+        long userId = 1L;
+        long accountId = 2L;
+        long newTemplateId = 2L;
         when(accountMock.getId()).thenReturn(userId);
         when(userVmDao.findById(vmId)).thenReturn(userVmVoMock);
         when(userVmVoMock.getAccountId()).thenReturn(accountId);
@@ -1533,10 +1541,10 @@ public void testRestoreVirtualMachineOwnerDisabled() throws ResourceUnavailableE
     }
 
     @Test(expected = CloudRuntimeException.class)
-    public void testRestoreVirtualMachineNotInRightState() throws ResourceUnavailableException, InsufficientCapacityException, ResourceAllocationException {
-        long userId = 1l;
-        long accountId = 2l;
-        long newTemplateId = 2l;
+    public void testRestoreVirtualMachineNotInRightState() throws ResourceUnavailableException, InsufficientCapacityException {
+        long userId = 1L;
+        long accountId = 2L;
+        long newTemplateId = 2L;
         when(accountMock.getId()).thenReturn(userId);
         when(userVmDao.findById(vmId)).thenReturn(userVmVoMock);
         when(userVmVoMock.getAccountId()).thenReturn(accountId);
@@ -1548,11 +1556,11 @@ public void testRestoreVirtualMachineNotInRightState() throws ResourceUnavailabl
     }
 
     @Test(expected = InvalidParameterValueException.class)
-    public void testRestoreVirtualMachineNoRootVolume() throws ResourceUnavailableException, InsufficientCapacityException, ResourceAllocationException {
-        long userId = 1l;
-        long accountId = 2l;
-        long currentTemplateId = 1l;
-        long newTemplateId = 2l;
+    public void testRestoreVirtualMachineNoRootVolume() throws ResourceUnavailableException, InsufficientCapacityException {
+        long userId = 1L;
+        long accountId = 2L;
+        long currentTemplateId = 1L;
+        long newTemplateId = 2L;
         when(accountMock.getId()).thenReturn(userId);
         when(userVmDao.findById(vmId)).thenReturn(userVmVoMock);
         when(userVmVoMock.getAccountId()).thenReturn(accountId);
@@ -1563,17 +1571,17 @@ public void testRestoreVirtualMachineNoRootVolume() throws ResourceUnavailableEx
 
         VMTemplateVO currentTemplate = Mockito.mock(VMTemplateVO.class);
         when(templateDao.findById(currentTemplateId)).thenReturn(currentTemplate);
-        when(volumeDaoMock.findByInstanceAndType(vmId, Volume.Type.ROOT)).thenReturn(new ArrayList<VolumeVO>());
+        when(volumeDaoMock.findByInstanceAndType(vmId, Volume.Type.ROOT)).thenReturn(new ArrayList<>());
 
         userVmManagerImpl.restoreVirtualMachine(accountMock, vmId, newTemplateId, null, false, null);
     }
 
     @Test(expected = InvalidParameterValueException.class)
-    public void testRestoreVirtualMachineMoreThanOneRootVolume() throws ResourceUnavailableException, InsufficientCapacityException, ResourceAllocationException {
-        long userId = 1l;
-        long accountId = 2l;
-        long currentTemplateId = 1l;
-        long newTemplateId = 2l;
+    public void testRestoreVirtualMachineMoreThanOneRootVolume() throws ResourceUnavailableException, InsufficientCapacityException {
+        long userId = 1L;
+        long accountId = 2L;
+        long currentTemplateId = 1L;
+        long newTemplateId = 2L;
         when(accountMock.getId()).thenReturn(userId);
         when(userVmDao.findById(vmId)).thenReturn(userVmVoMock);
         when(userVmVoMock.getAccountId()).thenReturn(accountId);
@@ -1596,11 +1604,11 @@ public void testRestoreVirtualMachineMoreThanOneRootVolume() throws ResourceUnav
     }
 
     @Test(expected = InvalidParameterValueException.class)
-    public void testRestoreVirtualMachineWithVMSnapshots() throws ResourceUnavailableException, InsufficientCapacityException, ResourceAllocationException {
-        long userId = 1l;
-        long accountId = 2l;
-        long currentTemplateId = 1l;
-        long newTemplateId = 2l;
+    public void testRestoreVirtualMachineWithVMSnapshots() throws ResourceUnavailableException, InsufficientCapacityException {
+        long userId = 1L;
+        long accountId = 2L;
+        long currentTemplateId = 1L;
+        long newTemplateId = 2L;
         when(accountMock.getId()).thenReturn(userId);
         when(userVmDao.findById(vmId)).thenReturn(userVmVoMock);
         when(userVmVoMock.getAccountId()).thenReturn(accountId);
@@ -1630,9 +1638,9 @@ public void addCurrentDetailValueToInstanceDetailsMapIfNewValueWasNotSpecifiedTe
             userVmManagerImpl.addCurrentDetailValueToInstanceDetailsMapIfNewValueWasNotSpecified(null, customParameters, detailsConstant, currentValue);
         }
 
-        Assert.assertEquals(customParameters.get(VmDetailConstants.MEMORY), "2048");
-        Assert.assertEquals(customParameters.get(VmDetailConstants.CPU_NUMBER), "4");
-        Assert.assertEquals(customParameters.get(VmDetailConstants.CPU_SPEED), "1000");
+        Assert.assertEquals("2048", customParameters.get(VmDetailConstants.MEMORY));
+        Assert.assertEquals("4", customParameters.get(VmDetailConstants.CPU_NUMBER));
+        Assert.assertEquals("1000", customParameters.get(VmDetailConstants.CPU_SPEED));
     }
 
     @Test
@@ -1671,9 +1679,9 @@ public void addCurrentDetailValueToInstanceDetailsMapIfNewValueWasNotSpecifiedTe
             userVmManagerImpl.addCurrentDetailValueToInstanceDetailsMapIfNewValueWasNotSpecified(321, customParameters, detailsConstant, currentValue);
         }
 
-        Assert.assertEquals(customParameters.get(VmDetailConstants.MEMORY), "2048");
-        Assert.assertEquals(customParameters.get(VmDetailConstants.CPU_NUMBER), "4");
-        Assert.assertEquals(customParameters.get(VmDetailConstants.CPU_SPEED),"1000");
+        Assert.assertEquals("2048", customParameters.get(VmDetailConstants.MEMORY));
+        Assert.assertEquals("4", customParameters.get(VmDetailConstants.CPU_NUMBER));
+        Assert.assertEquals("1000", customParameters.get(VmDetailConstants.CPU_SPEED));
     }
 
     @Test
@@ -1682,7 +1690,7 @@ public void updateInstanceDetailsMapWithCurrentValuesForAbsentDetailsTestAllCons
         Mockito.doReturn(1L).when(vmInstanceMock).getId();
         Mockito.doReturn(1L).when(vmInstanceMock).getServiceOfferingId();
         Mockito.doReturn(serviceOffering).when(_serviceOfferingDao).findByIdIncludingRemoved(Mockito.anyLong(), Mockito.anyLong());
-        userVmManagerImpl.updateInstanceDetailsMapWithCurrentValuesForAbsentDetails(null, vmInstanceMock, 0l);
+        userVmManagerImpl.updateInstanceDetailsMapWithCurrentValuesForAbsentDetails(null, vmInstanceMock, 0L);
 
         Mockito.verify(userVmManagerImpl).addCurrentDetailValueToInstanceDetailsMapIfNewValueWasNotSpecified(Mockito.any(), Mockito.any(), Mockito.eq(VmDetailConstants.CPU_SPEED), Mockito.any());
         Mockito.verify(userVmManagerImpl).addCurrentDetailValueToInstanceDetailsMapIfNewValueWasNotSpecified(Mockito.any(), Mockito.any(), Mockito.eq(VmDetailConstants.MEMORY), Mockito.any());
@@ -1724,23 +1732,11 @@ public void testCheckVolumesLimits() {
         Mockito.when(vol5.isDisplay()).thenReturn(true);
 
         List<VolumeVO> volumes = List.of(vol1, undisplayedVolume, vol3, vol4, vol5);
-        Long size = volumes.stream().filter(VolumeVO::isDisplay).mapToLong(VolumeVO::getSize).sum();
-        try {
-            userVmManagerImpl.checkVolumesLimits(account, volumes);
-            Mockito.verify(resourceLimitMgr, times(1))
-                    .checkResourceLimit(account, Resource.ResourceType.volume, 4);
-            Mockito.verify(resourceLimitMgr, times(1))
-                    .checkResourceLimit(account, Resource.ResourceType.primary_storage, size);
-            Mockito.verify(resourceLimitMgr, times(1))
-                    .checkResourceLimitWithTag(account, Resource.ResourceType.volume, "tag1", 2);
-            Mockito.verify(resourceLimitMgr, times(1))
-                    .checkResourceLimitWithTag(account, Resource.ResourceType.volume, "tag2", 3);
-            Mockito.verify(resourceLimitMgr, times(1))
-                    .checkResourceLimitWithTag(account, Resource.ResourceType.primary_storage, "tag1",
-                            vol1.getSize() + vol5.getSize());
-            Mockito.verify(resourceLimitMgr, times(1))
-                    .checkResourceLimitWithTag(account, Resource.ResourceType.primary_storage, "tag2",
-                            vol1.getSize() + vol3.getSize() + vol5.getSize());
+        List<Reserver> reservations = new ArrayList<>();
+
+        try (MockedConstruction<CheckedReservation> mockCheckedReservation = Mockito.mockConstruction(CheckedReservation.class)) {
+            userVmManagerImpl.checkVolumesLimits(account, volumes, reservations);
+            Assert.assertEquals(8, reservations.size());
         } catch (ResourceAllocationException e) {
             Assert.fail(e.getMessage());
         }
@@ -1857,10 +1853,10 @@ public void checkExpungeVmPermissionTestAccountIsAdminHasApiAccessReturnNothing
 
     @Test
     public void validateIfVmSupportsMigrationTestVmIsNullThrowsInvalidParameterValueException() {
-        String expectedMessage = String.format("There is no VM by ID [%s].", 1l);
+        String expectedMessage = String.format("There is no VM by ID [%s].", 1L);
 
         InvalidParameterValueException assertThrows = Assert.assertThrows(expectedInvalidParameterValueException, () -> {
-            userVmManagerImpl.validateIfVmSupportsMigration(null, 1l);
+            userVmManagerImpl.validateIfVmSupportsMigration(null, 1L);
         });
 
         Assert.assertEquals(expectedMessage, assertThrows.getMessage());
@@ -1872,7 +1868,7 @@ public void validateIfVmSupportsMigrationTestVmIsRunningThrowsInvalidParameterVa
         Mockito.doReturn(VirtualMachine.State.Running).when(userVmVoMock).getState();
 
         InvalidParameterValueException assertThrows = Assert.assertThrows(expectedInvalidParameterValueException, () -> {
-            userVmManagerImpl.validateIfVmSupportsMigration(userVmVoMock, 1l);
+            userVmManagerImpl.validateIfVmSupportsMigration(userVmVoMock, 1L);
         });
 
         Assert.assertEquals(expectedMessage, assertThrows.getMessage());
@@ -1883,7 +1879,7 @@ public void validateIfVmSupportsMigrationTestVmIsSharedFileSystemInstanceThrowsI
         Mockito.doReturn(UserVmManager.SHAREDFSVM).when(userVmVoMock).getUserVmType();
 
         InvalidParameterValueException assertThrows = Assert.assertThrows(expectedInvalidParameterValueException, () -> {
-            userVmManagerImpl.validateIfVmSupportsMigration(userVmVoMock, 1l);
+            userVmManagerImpl.validateIfVmSupportsMigration(userVmVoMock, 1L);
         });
 
         Assert.assertEquals("Migration is not supported for Shared FileSystem Instances.", assertThrows.getMessage());
@@ -1891,13 +1887,13 @@ public void validateIfVmSupportsMigrationTestVmIsSharedFileSystemInstanceThrowsI
 
     @Test
     public void validateIfVmSupportsMigrationTestVmIsNotRunningDoesNotThrowInvalidParameterValueException() {
-        userVmManagerImpl.validateIfVmSupportsMigration(userVmVoMock, 1l);
+        userVmManagerImpl.validateIfVmSupportsMigration(userVmVoMock, 1L);
     }
 
     @Test
     public void validateOldAndNewAccountsTestBothAreValidDoNothing() {
         Account newAccount = Mockito.mock(Account.class);
-        Mockito.doReturn(1l).when(newAccount).getAccountId();
+        Mockito.doReturn(1L).when(newAccount).getAccountId();
 
         userVmManagerImpl.validateOldAndNewAccounts(accountMock, newAccount, 1L, "", 1L);
     }
@@ -1918,7 +1914,7 @@ public void validateOldAndNewAccountsTestNewAccountIsNullThrowsInvalidParameterV
         String expectedMessage = String.format("Invalid new account [%s] for VM in domain [%s].", assignVmCmdMock.getAccountName(), assignVmCmdMock.getDomainId());
 
         InvalidParameterValueException assertThrows = Assert.assertThrows(expectedInvalidParameterValueException, () -> {
-            userVmManagerImpl.validateOldAndNewAccounts(accountMock, null, 1l, assignVmCmdMock.getAccountName(), assignVmCmdMock.getDomainId());
+            userVmManagerImpl.validateOldAndNewAccounts(accountMock, null, 1L, assignVmCmdMock.getAccountName(), assignVmCmdMock.getDomainId());
         });
 
         Assert.assertEquals(expectedMessage, assertThrows.getMessage());
@@ -1926,12 +1922,12 @@ public void validateOldAndNewAccountsTestNewAccountIsNullThrowsInvalidParameterV
 
     @Test
     public void validateOldAndNewAccountsTestNewAccountStateIsDisabledThrowsInvalidParameterValueException() {
-        String expectedMessage = String.format("The new account owner [%s] is disabled.", accountMock.toString());
+        String expectedMessage = String.format("The new account owner [%s] is disabled.", accountMock);
 
         Mockito.doReturn(Account.State.DISABLED).when(accountMock).getState();
 
         InvalidParameterValueException assertThrows = Assert.assertThrows(expectedInvalidParameterValueException, () -> {
-            userVmManagerImpl.validateOldAndNewAccounts(accountMock, accountMock, 1l, "", 1l);
+            userVmManagerImpl.validateOldAndNewAccounts(accountMock, accountMock, 1L, "", 1L);
         });
 
         Assert.assertEquals(expectedMessage, assertThrows.getMessage());
@@ -1939,12 +1935,12 @@ public void validateOldAndNewAccountsTestNewAccountStateIsDisabledThrowsInvalidP
 
     @Test
     public void validateOldAndNewAccountsTestOldAccountIsTheSameAsNewAccountThrowsInvalidParameterValueException() {
-        String expectedMessage = String.format("The new account [%s] is the same as the old account.", accountMock.toString());
+        String expectedMessage = String.format("The new account [%s] is the same as the old account.", accountMock);
 
         Mockito.doReturn(Account.State.ENABLED).when(accountMock).getState();
 
         InvalidParameterValueException assertThrows = Assert.assertThrows(expectedInvalidParameterValueException, () -> {
-            userVmManagerImpl.validateOldAndNewAccounts(accountMock, accountMock, 1l, "", 1l);
+            userVmManagerImpl.validateOldAndNewAccounts(accountMock, accountMock, 1L, "", 1L);
         });
 
         Assert.assertEquals(expectedMessage, assertThrows.getMessage());
@@ -1953,9 +1949,9 @@ public void validateOldAndNewAccountsTestOldAccountIsTheSameAsNewAccountThrowsIn
     @Test
     public void validateOldAndNewAccountsTestOldAccountIsNotTheSameAsNewAccountDoesNotThrowInvalidParameterValueException() {
         AccountVO oldAccount = new AccountVO();
-        Mockito.doReturn(1l).when(accountMock).getAccountId();
+        Mockito.doReturn(1L).when(accountMock).getAccountId();
 
-        userVmManagerImpl.validateOldAndNewAccounts(oldAccount, accountMock, 1l, "", 1l);
+        userVmManagerImpl.validateOldAndNewAccounts(oldAccount, accountMock, 1L, "", 1L);
     }
 
     @Test
@@ -1975,7 +1971,7 @@ public void validateIfVmHasNoRulesTestPortForwardingRulesExistThrowsInvalidParam
         Mockito.doReturn(portForwardingRulesListMock).when(portForwardingRulesDaoMock).listByVm(Mockito.anyLong());
 
         InvalidParameterValueException assertThrows = Assert.assertThrows(expectedInvalidParameterValueException, () -> {
-            userVmManagerImpl.validateIfVmHasNoRules(userVmVoMock, 1l);
+            userVmManagerImpl.validateIfVmHasNoRules(userVmVoMock, 1L);
         });
 
         Assert.assertEquals(expectedMessage, assertThrows.getMessage());
@@ -1988,7 +1984,7 @@ public void validateIfVmHasNoRulesTestStaticNatRulesExistThrowsInvalidParameterV
         Mockito.doReturn(firewallRuleVoListMock).when(firewallRulesDaoMock).listStaticNatByVmId(Mockito.anyLong());
 
         InvalidParameterValueException assertThrows = Assert.assertThrows(expectedInvalidParameterValueException, () -> {
-            userVmManagerImpl.validateIfVmHasNoRules(userVmVoMock, 1l);
+            userVmManagerImpl.validateIfVmHasNoRules(userVmVoMock, 1L);
         });
 
         Assert.assertEquals(expectedMessage, assertThrows.getMessage());
@@ -2001,7 +1997,7 @@ public void validateIfVmHasNoRulesTestLoadBalancingRulesExistThrowsInvalidParame
         Mockito.doReturn(loadBalancerVmMapVoListMock).when(loadBalancerVmMapDaoMock).listByInstanceId(Mockito.anyLong());
 
         InvalidParameterValueException assertThrows = Assert.assertThrows(expectedInvalidParameterValueException, () -> {
-            userVmManagerImpl.validateIfVmHasNoRules(userVmVoMock, 1l);
+            userVmManagerImpl.validateIfVmHasNoRules(userVmVoMock, 1L);
         });
 
         Assert.assertEquals(expectedMessage, assertThrows.getMessage());
@@ -2011,14 +2007,14 @@ public void validateIfVmHasNoRulesTestLoadBalancingRulesExistThrowsInvalidParame
     public void validateIfVmHasNoRulesTestOneToOneNatRulesExistThrowsInvalidParameterValueException() {
         String expectedMessage = String.format("Remove the One to One Nat rule for VM [%s] for IP [%s].", userVmVoMock, ipAddressVoMock.toString());
 
-        LinkedList<IPAddressVO> ipAddressVoList = new LinkedList<IPAddressVO>();
+        LinkedList<IPAddressVO> ipAddressVoList = new LinkedList<>();
 
         Mockito.doReturn(ipAddressVoList).when(ipAddressDaoMock).findAllByAssociatedVmId(Mockito.anyLong());
         ipAddressVoList.add(ipAddressVoMock);
         Mockito.doReturn(true).when(ipAddressVoMock).isOneToOneNat();
 
         InvalidParameterValueException assertThrows = Assert.assertThrows(expectedInvalidParameterValueException, () -> {
-            userVmManagerImpl.validateIfVmHasNoRules(userVmVoMock, 1l);
+            userVmManagerImpl.validateIfVmHasNoRules(userVmVoMock, 1L);
         });
 
         Assert.assertEquals(expectedMessage, assertThrows.getMessage());
@@ -2026,31 +2022,31 @@ public void validateIfVmHasNoRulesTestOneToOneNatRulesExistThrowsInvalidParamete
 
     @Test
     public void validateIfVmHasNoRulesTestOneToOneNatRulesDoNotExistDoesNotThrowInvalidParameterValueException() {
-        userVmManagerImpl.validateIfVmHasNoRules(userVmVoMock, 1l);
+        userVmManagerImpl.validateIfVmHasNoRules(userVmVoMock, 1L);
     }
 
     @Test
     public void verifyResourceLimitsForAccountAndStorageTestCountOnlyRunningVmsInResourceLimitationIsTrueDoesNotCallVmResourceLimitCheck() throws ResourceAllocationException {
-        LinkedList<VolumeVO> volumeVoList = new LinkedList<VolumeVO>();
+        List<Reserver> reservations = new ArrayList<>();
+        LinkedList<VolumeVO> volumeVoList = new LinkedList<>();
         Mockito.doReturn(true).when(userVmManagerImpl).countOnlyRunningVmsInResourceLimitation();
 
-        userVmManagerImpl.verifyResourceLimitsForAccountAndStorage(accountMock, userVmVoMock, serviceOfferingVoMock, volumeVoList, virtualMachineTemplateMock);
+        userVmManagerImpl.verifyResourceLimitsForAccountAndStorage(accountMock, userVmVoMock, serviceOfferingVoMock, volumeVoList, virtualMachineTemplateMock, reservations);
 
-        Mockito.verify(resourceLimitMgr, Mockito.never()).checkVmResourceLimit(Mockito.any(), Mockito.anyBoolean(), Mockito.any(), Mockito.any());
-        Mockito.verify(resourceLimitMgr).checkResourceLimit(accountMock, Resource.ResourceType.volume, 0l);
-        Mockito.verify(resourceLimitMgr).checkResourceLimit(accountMock, Resource.ResourceType.primary_storage, 0l);
+        Mockito.verify(resourceLimitMgr, Mockito.never()).checkVmResourceLimit(Mockito.any(), Mockito.anyBoolean(), Mockito.any(), Mockito.any(), Mockito.any());
+        Mockito.verify(resourceLimitMgr, Mockito.never()).checkVolumeResourceLimit(Mockito.any(), Mockito.anyBoolean(), Mockito.any(), Mockito.any(), Mockito.any());
     }
 
     @Test
     public void verifyResourceLimitsForAccountAndStorageTestCountOnlyRunningVmsInResourceLimitationIsFalseCallsVmResourceLimitCheck() throws ResourceAllocationException {
-        LinkedList<VolumeVO> volumeVoList = new LinkedList<VolumeVO>();
+        List<Reserver> reservations = new ArrayList<>();
+        LinkedList<VolumeVO> volumeVoList = new LinkedList<>();
         Mockito.doReturn(false).when(userVmManagerImpl).countOnlyRunningVmsInResourceLimitation();
 
-        userVmManagerImpl.verifyResourceLimitsForAccountAndStorage(accountMock, userVmVoMock, serviceOfferingVoMock, volumeVoList, virtualMachineTemplateMock);
+        userVmManagerImpl.verifyResourceLimitsForAccountAndStorage(accountMock, userVmVoMock, serviceOfferingVoMock, volumeVoList, virtualMachineTemplateMock, reservations);
 
-        Mockito.verify(resourceLimitMgr).checkVmResourceLimit(Mockito.any(), Mockito.anyBoolean(), Mockito.any(), Mockito.any());
-        Mockito.verify(resourceLimitMgr).checkResourceLimit(accountMock, Resource.ResourceType.volume, 0l);
-        Mockito.verify(resourceLimitMgr).checkResourceLimit(accountMock, Resource.ResourceType.primary_storage, 0l);
+        Mockito.verify(resourceLimitMgr).checkVmResourceLimit(Mockito.any(), Mockito.anyBoolean(), Mockito.any(), Mockito.any(), Mockito.any());
+        Mockito.verify(userVmManagerImpl).checkVolumesLimits(Mockito.any(), Mockito.any(), Mockito.any());
     }
 
     @Test
@@ -2073,7 +2069,7 @@ public void validateIfNewOwnerHasAccessToTemplateTestCallCheckAccessWhenTemplate
 
     @Test
     public void updateVmOwnerTestCallsSetAccountIdSetDomainIdAndPersist() {
-        userVmManagerImpl.updateVmOwner(accountMock, userVmVoMock, 1l, 1l);
+        userVmManagerImpl.updateVmOwner(accountMock, userVmVoMock, 1L, 1L);
 
         Mockito.verify(userVmVoMock).setAccountId(Mockito.anyLong());
         Mockito.verify(userVmVoMock).setDomainId(Mockito.anyLong());
@@ -2134,7 +2130,7 @@ public void addDefaultNetworkToNetworkListTestDefaultNetworkIsNotNullAddNetworkT
 
     @Test
     public void allocateNetworksForVmTestCallsNetworkManagerAllocate() throws InsufficientCapacityException {
-        LinkedHashMap<Network, List<? extends NicProfile>> networks = new LinkedHashMap<Network, List<? extends NicProfile>>();
+        LinkedHashMap<Network, List<? extends NicProfile>> networks = new LinkedHashMap<>();
 
         Mockito.doReturn(userVmVoMock).when(virtualMachineManager).findById(Mockito.anyLong());
 
@@ -2146,7 +2142,7 @@ public void allocateNetworksForVmTestCallsNetworkManagerAllocate() throws Insuff
     @Test
     public void addSecurityGroupsToVmTestIsVmWareAndSecurityGroupIdListIsNotNullThrowsInvalidParameterValueException() {
         String expectedMessage = "Security group feature is not supported for VMWare hypervisor.";
-        LinkedList<Long> securityGroupIdList = new LinkedList<Long>();
+        LinkedList<Long> securityGroupIdList = new LinkedList<>();
 
         Mockito.doReturn(Hypervisor.HypervisorType.VMware).when(virtualMachineTemplateMock).getHypervisorType();
 
@@ -2159,7 +2155,7 @@ public void addSecurityGroupsToVmTestIsVmWareAndSecurityGroupIdListIsNotNullThro
 
     @Test
     public void addSecurityGroupsToVmTestIsNotVmWareDefaultNetworkIsNullAndNetworkModelCanAddDefaultSecurityGroupCallsAddDefaultSecurityGroupToSecurityGroupIdList() {
-        LinkedList<Long> securityGroupIdList = new LinkedList<Long>();
+        LinkedList<Long> securityGroupIdList = new LinkedList<>();
 
         Mockito.doReturn(Hypervisor.HypervisorType.KVM).when(virtualMachineTemplateMock).getHypervisorType();
         Mockito.doReturn(true).when(networkModel).canAddDefaultSecurityGroup();
@@ -2173,10 +2169,10 @@ public void addSecurityGroupsToVmTestIsNotVmWareDefaultNetworkIsNullAndNetworkMo
 
     @Test
     public void addNetworksToNetworkIdListTestCallsKeepOldSharedNetworkForVmAndAddAdditionalNetworksToVm() {
-        LinkedList<Long> networkIdList = new LinkedList<Long>();
-        HashSet<NetworkVO> applicableNetworks = new HashSet<NetworkVO>();
-        HashMap<Long, String> requestedIPv4ForNics = new HashMap<Long, String>();
-        HashMap<Long, String> requestedIPv6ForNics = new HashMap<Long, String>();
+        LinkedList<Long> networkIdList = new LinkedList<>();
+        HashSet<NetworkVO> applicableNetworks = new HashSet<>();
+        HashMap<Long, String> requestedIPv4ForNics = new HashMap<>();
+        HashMap<Long, String> requestedIPv6ForNics = new HashMap<>();
 
         userVmManagerImpl.addNetworksToNetworkIdList(userVmVoMock, accountMock, networkIdList, applicableNetworks, requestedIPv4ForNics,
                 requestedIPv6ForNics);
@@ -2202,14 +2198,14 @@ public void getOfferingWithRequiredAvailabilityForNetworkCreationTestRequiredOff
 
     @Test
     public void getOfferingWithRequiredAvailabilityForNetworkCreationTestFirstOfferingIsNotEnabledThrowsInvalidParameterValueException() {
-        String expectedMessage = String.format("Required network offering ID [%s] is not in [%s] state.", 1l, NetworkOffering.State.Enabled);
+        String expectedMessage = String.format("Required network offering ID [%s] is not in [%s] state.", 1L, NetworkOffering.State.Enabled);
 
         Mockito.doReturn(networkOfferingVoListMock).when(networkOfferingDaoMock).listByAvailability(NetworkOffering.Availability.Required, false);
         Mockito.doReturn(networkOfferingVoMock).when(networkOfferingVoListMock).get(0);
 
         Mockito.doReturn(NetworkOffering.State.Disabled).when(networkOfferingVoMock).getState();
 
-        Mockito.doReturn(1l).when(networkOfferingVoMock).getId();
+        Mockito.doReturn(1L).when(networkOfferingVoMock).getId();
 
         InvalidParameterValueException assertThrows = Assert.assertThrows(expectedInvalidParameterValueException, () -> {
             userVmManagerImpl.getOfferingWithRequiredAvailabilityForNetworkCreation();
@@ -2232,9 +2228,9 @@ public void selectApplicableNetworkToCreateVmTestVirtualNetworkIsEmptyThrowsExce
 
     @Test
     public void selectApplicableNetworkToCreateVmTestVirtualNetworkHasMultipleNetworksThrowsInvalidParameterValueException() {
-        String expectedMessage = String.format("More than one default isolated network has been found for account [%s]; please specify networkIDs.", accountMock.toString());
-        HashSet<NetworkVO> applicableNetworks = new HashSet<NetworkVO>();
-        LinkedList<NetworkVO> virtualNetworks = new LinkedList<NetworkVO>();
+        String expectedMessage = String.format("More than one default isolated network has been found for account [%s]; please specify networkIDs.", accountMock);
+        HashSet<NetworkVO> applicableNetworks = new HashSet<>();
+        LinkedList<NetworkVO> virtualNetworks = new LinkedList<>();
 
         Mockito.doReturn(virtualNetworks).when(networkModel).listNetworksForAccount(Mockito.anyLong(), Mockito.anyLong(), Mockito.any());
 
@@ -2250,7 +2246,7 @@ public void selectApplicableNetworkToCreateVmTestVirtualNetworkHasMultipleNetwor
 
     @Test
     public void selectApplicableNetworkToCreateVmTestVirtualNetworkHasOneNetworkCallsNetworkDaoFindById() throws InsufficientCapacityException, ResourceAllocationException {
-        HashSet<NetworkVO> applicableNetworks = new HashSet<NetworkVO>();
+        HashSet<NetworkVO> applicableNetworks = new HashSet<>();
 
         Mockito.doReturn(networkVoListMock).when(networkModel).listNetworksForAccount(Mockito.anyLong(), Mockito.anyLong(), Mockito.any());
 
@@ -2266,30 +2262,30 @@ public void selectApplicableNetworkToCreateVmTestVirtualNetworkHasOneNetworkCall
     @Test
     public void addDefaultSecurityGroupToSecurityGroupIdListTestDefaultGroupIsNullCallsCreateSecurityGroup() {
         String expected = "";
-        LinkedList<Long> securityGroupIdList = Mockito.spy(new LinkedList<Long>());
+        LinkedList<Long> securityGroupIdList = Mockito.spy(new LinkedList<>());
 
         Mockito.doReturn(null).when(securityGroupManagerMock).getDefaultSecurityGroup(Mockito.anyLong());
         Mockito.doReturn(securityGroupVoMock).when(securityGroupManagerMock).createSecurityGroup(SecurityGroupManager.DEFAULT_GROUP_NAME,
-                SecurityGroupManager.DEFAULT_GROUP_DESCRIPTION, 1l, 1l, expected);
+                SecurityGroupManager.DEFAULT_GROUP_DESCRIPTION, 1L, 1L, expected);
 
-        Mockito.doReturn(1l).when(accountMock).getDomainId();
-        Mockito.doReturn(1l).when(accountMock).getId();
+        Mockito.doReturn(1L).when(accountMock).getDomainId();
+        Mockito.doReturn(1L).when(accountMock).getId();
         Mockito.doReturn(expected).when(accountMock).getAccountName();
-        Mockito.doReturn(1l).when(securityGroupVoMock).getId();
+        Mockito.doReturn(1L).when(securityGroupVoMock).getId();
 
         userVmManagerImpl.addDefaultSecurityGroupToSecurityGroupIdList(accountMock, securityGroupIdList);
 
-        Mockito.verify(securityGroupManagerMock).createSecurityGroup(SecurityGroupManager.DEFAULT_GROUP_NAME, SecurityGroupManager.DEFAULT_GROUP_DESCRIPTION, 1l, 1l, expected);
-        Mockito.verify(securityGroupIdList).add(1l);
+        Mockito.verify(securityGroupManagerMock).createSecurityGroup(SecurityGroupManager.DEFAULT_GROUP_NAME, SecurityGroupManager.DEFAULT_GROUP_DESCRIPTION, 1L, 1L, expected);
+        Mockito.verify(securityGroupIdList).add(1L);
     }
 
     @Test
     public void addDefaultSecurityGroupToSecurityGroupIdListTestDefaultGroupIsPresentDoesNotCallAddIdToSecurityGroupIdList() {
-        LinkedList<Long> securityGroupIdList = Mockito.spy(new LinkedList<Long>());
+        LinkedList<Long> securityGroupIdList = Mockito.spy(new LinkedList<>());
 
-        securityGroupIdList.addFirst(1l);
+        securityGroupIdList.addFirst(1L);
         Mockito.doReturn(securityGroupVoMock).when(securityGroupManagerMock).getDefaultSecurityGroup(Mockito.anyLong());
-        Mockito.doReturn(1l).when(securityGroupVoMock).getId();
+        Mockito.doReturn(1L).when(securityGroupVoMock).getId();
 
         userVmManagerImpl.addDefaultSecurityGroupToSecurityGroupIdList(accountMock, securityGroupIdList);
 
@@ -2298,24 +2294,24 @@ public void addDefaultSecurityGroupToSecurityGroupIdListTestDefaultGroupIsPresen
 
     @Test
     public void addDefaultSecurityGroupToSecurityGroupIdListTestDefaultGroupIsNotPresentCallsAddIdToSecurityGroupIdList() {
-        LinkedList<Long> securityGroupIdList = Mockito.spy(new LinkedList<Long>());
+        LinkedList<Long> securityGroupIdList = Mockito.spy(new LinkedList<>());
 
         Mockito.doReturn(securityGroupVoMock).when(securityGroupManagerMock).getDefaultSecurityGroup(Mockito.anyLong());
-        Mockito.doReturn(1l).when(securityGroupVoMock).getId();
+        Mockito.doReturn(1L).when(securityGroupVoMock).getId();
 
         userVmManagerImpl.addDefaultSecurityGroupToSecurityGroupIdList(accountMock, securityGroupIdList);
 
-        Mockito.verify(securityGroupIdList).add(1l);
+        Mockito.verify(securityGroupIdList).add(1L);
     }
 
     @Test
     public void keepOldSharedNetworkForVmTestNetworkIdListIsNotNullOrEmptyDoesNotCallFindDefaultNicForVm() {
-        LinkedList<Long> networkIdList = new LinkedList<Long>();
-        HashSet<NetworkVO> applicableNetworks = new HashSet<NetworkVO>();
-        HashMap<Long, String> requestedIPv4ForNics = new HashMap<Long, String>();
-        HashMap<Long, String> requestedIPv6ForNics = new HashMap<Long, String>();
+        LinkedList<Long> networkIdList = new LinkedList<>();
+        HashSet<NetworkVO> applicableNetworks = new HashSet<>();
+        HashMap<Long, String> requestedIPv4ForNics = new HashMap<>();
+        HashMap<Long, String> requestedIPv6ForNics = new HashMap<>();
 
-        networkIdList.add(1l);
+        networkIdList.add(1L);
 
         userVmManagerImpl.keepOldSharedNetworkForVm(userVmVoMock, accountMock, networkIdList, applicableNetworks, requestedIPv4ForNics, requestedIPv6ForNics);
 
@@ -2324,9 +2320,9 @@ public void keepOldSharedNetworkForVmTestNetworkIdListIsNotNullOrEmptyDoesNotCal
 
     @Test
     public void keepOldSharedNetworkForVmTestNetworkIdListIsNullCallsFindDefaultNicForVm() {
-        HashSet<NetworkVO> applicableNetworks = new HashSet<NetworkVO>();
-        HashMap<Long, String> requestedIPv4ForNics = new HashMap<Long, String>();
-        HashMap<Long, String> requestedIPv6ForNics = new HashMap<Long, String>();
+        HashSet<NetworkVO> applicableNetworks = new HashSet<>();
+        HashMap<Long, String> requestedIPv4ForNics = new HashMap<>();
+        HashMap<Long, String> requestedIPv6ForNics = new HashMap<>();
 
         userVmManagerImpl.keepOldSharedNetworkForVm(userVmVoMock, accountMock, null, applicableNetworks, requestedIPv4ForNics, requestedIPv6ForNics);
 
@@ -2335,10 +2331,10 @@ public void keepOldSharedNetworkForVmTestNetworkIdListIsNullCallsFindDefaultNicF
 
     @Test
     public void keepOldSharedNetworkForVmTestNetworkIdListIsEmptyCallsFindDefaultNicForVm() {
-        LinkedList<Long> networkIdList = new LinkedList<Long>();
-        HashSet<NetworkVO> applicableNetworks = new HashSet<NetworkVO>();
-        HashMap<Long, String> requestedIPv4ForNics = new HashMap<Long, String>();
-        HashMap<Long, String> requestedIPv6ForNics = new HashMap<Long, String>();
+        LinkedList<Long> networkIdList = new LinkedList<>();
+        HashSet<NetworkVO> applicableNetworks = new HashSet<>();
+        HashMap<Long, String> requestedIPv4ForNics = new HashMap<>();
+        HashMap<Long, String> requestedIPv6ForNics = new HashMap<>();
 
         userVmManagerImpl.keepOldSharedNetworkForVm(userVmVoMock, accountMock, networkIdList, applicableNetworks, requestedIPv4ForNics, requestedIPv6ForNics);
 
@@ -2347,9 +2343,9 @@ public void keepOldSharedNetworkForVmTestNetworkIdListIsEmptyCallsFindDefaultNic
 
     @Test
     public void keepOldSharedNetworkForVmTestDefaultNicOldIsNullDoesNotCallNetworkDaoFindById() {
-        HashSet<NetworkVO> applicableNetworks = new HashSet<NetworkVO>();
-        HashMap<Long, String> requestedIPv4ForNics = new HashMap<Long, String>();
-        HashMap<Long, String> requestedIPv6ForNics = new HashMap<Long, String>();
+        HashSet<NetworkVO> applicableNetworks = new HashSet<>();
+        HashMap<Long, String> requestedIPv4ForNics = new HashMap<>();
+        HashMap<Long, String> requestedIPv6ForNics = new HashMap<>();
 
         Mockito.doReturn(null).when(nicDao).findDefaultNicForVM(Mockito.anyLong());
 
@@ -2360,9 +2356,9 @@ public void keepOldSharedNetworkForVmTestDefaultNicOldIsNullDoesNotCallNetworkDa
 
     @Test
     public void keepOldSharedNetworkForVmTestDefaultNicOldIsNotNullCallsNetworkDaoFindById() {
-        HashSet<NetworkVO> applicableNetworks = new HashSet<NetworkVO>();
-        HashMap<Long, String> requestedIPv4ForNics = new HashMap<Long, String>();
-        HashMap<Long, String> requestedIPv6ForNics = new HashMap<Long, String>();
+        HashSet<NetworkVO> applicableNetworks = new HashSet<>();
+        HashMap<Long, String> requestedIPv4ForNics = new HashMap<>();
+        HashMap<Long, String> requestedIPv6ForNics = new HashMap<>();
 
         Mockito.doReturn(new NicVO()).when(nicDao).findDefaultNicForVM(Mockito.anyLong());
 
@@ -2373,9 +2369,9 @@ public void keepOldSharedNetworkForVmTestDefaultNicOldIsNotNullCallsNetworkDaoFi
 
     @Test
     public void keepOldSharedNetworkForVmTestAccountCanNotUseNetworkDoesNotAddNetworkToApplicableNetworks() {
-        HashSet<NetworkVO> applicableNetworks = Mockito.spy(new HashSet<NetworkVO>());
-        HashMap<Long, String> requestedIPv4ForNics = new HashMap<Long, String>();
-        HashMap<Long, String> requestedIPv6ForNics = new HashMap<Long, String>();
+        HashSet<NetworkVO> applicableNetworks = Mockito.spy(new HashSet<>());
+        HashMap<Long, String> requestedIPv4ForNics = new HashMap<>();
+        HashMap<Long, String> requestedIPv6ForNics = new HashMap<>();
 
         Mockito.doReturn(new NicVO()).when(nicDao).findDefaultNicForVM(Mockito.anyLong());
         Mockito.doReturn(networkMock).when(_networkDao).findById(Mockito.anyLong());
@@ -2388,9 +2384,9 @@ public void keepOldSharedNetworkForVmTestAccountCanNotUseNetworkDoesNotAddNetwor
 
     @Test
     public void keepOldSharedNetworkForVmTestAccountCanUseNetworkAddsNetworkToApplicableNetworks() {
-        HashSet<NetworkVO> applicableNetworks = Mockito.spy(new HashSet<NetworkVO>());
-        HashMap<Long, String> requestedIPv4ForNics = new HashMap<Long, String>();
-        HashMap<Long, String> requestedIPv6ForNics = new HashMap<Long, String>();
+        HashSet<NetworkVO> applicableNetworks = Mockito.spy(new HashSet<>());
+        HashMap<Long, String> requestedIPv4ForNics = new HashMap<>();
+        HashMap<Long, String> requestedIPv6ForNics = new HashMap<>();
 
         Mockito.doReturn(new NicVO()).when(nicDao).findDefaultNicForVM(Mockito.anyLong());
         Mockito.doReturn(networkMock).when(_networkDao).findById(Mockito.anyLong());
@@ -2403,9 +2399,9 @@ public void keepOldSharedNetworkForVmTestAccountCanUseNetworkAddsNetworkToApplic
 
     @Test
     public void addAdditionalNetworksToVmTestNetworkIdListIsNullDoesNotCallCheckNetworkPermissions() {
-        HashSet<NetworkVO> applicableNetworks = Mockito.spy(new HashSet<NetworkVO>());
-        HashMap<Long, String> requestedIPv4ForNics = new HashMap<Long, String>();
-        HashMap<Long, String> requestedIPv6ForNics = new HashMap<Long, String>();
+        HashSet<NetworkVO> applicableNetworks = Mockito.spy(new HashSet<>());
+        HashMap<Long, String> requestedIPv4ForNics = new HashMap<>();
+        HashMap<Long, String> requestedIPv6ForNics = new HashMap<>();
 
         userVmManagerImpl.addAdditionalNetworksToVm(userVmVoMock, accountMock, null, applicableNetworks, requestedIPv4ForNics, requestedIPv6ForNics);
 
@@ -2414,10 +2410,10 @@ public void addAdditionalNetworksToVmTestNetworkIdListIsNullDoesNotCallCheckNetw
 
     @Test
     public void addAdditionalNetworksToVmTestNetworkIdListIsEmptyDoesNotCallCheckNetworkPermissions() {
-        LinkedList<Long> networkIdList = new LinkedList<Long>();
-        HashSet<NetworkVO> applicableNetworks = Mockito.spy(new HashSet<NetworkVO>());
-        HashMap<Long, String> requestedIPv4ForNics = new HashMap<Long, String>();
-        HashMap<Long, String> requestedIPv6ForNics = new HashMap<Long, String>();
+        LinkedList<Long> networkIdList = new LinkedList<>();
+        HashSet<NetworkVO> applicableNetworks = Mockito.spy(new HashSet<>());
+        HashMap<Long, String> requestedIPv4ForNics = new HashMap<>();
+        HashMap<Long, String> requestedIPv6ForNics = new HashMap<>();
 
         userVmManagerImpl.addAdditionalNetworksToVm(userVmVoMock, accountMock, networkIdList, applicableNetworks, requestedIPv4ForNics, requestedIPv6ForNics);
 
@@ -2427,12 +2423,12 @@ public void addAdditionalNetworksToVmTestNetworkIdListIsEmptyDoesNotCallCheckNet
     @Test
     public void addAdditionalNetworksToVmTestNetworkIsNullThrowsInvalidParameterValueException() {
         String expectedMessage = "Unable to find specified Network ID.";
-        LinkedList<Long> networkIdList = new LinkedList<Long>();
-        HashSet<NetworkVO> applicableNetworks = Mockito.spy(new HashSet<NetworkVO>());
-        HashMap<Long, String> requestedIPv4ForNics = new HashMap<Long, String>();
-        HashMap<Long, String> requestedIPv6ForNics = new HashMap<Long, String>();
+        LinkedList<Long> networkIdList = new LinkedList<>();
+        HashSet<NetworkVO> applicableNetworks = Mockito.spy(new HashSet<>());
+        HashMap<Long, String> requestedIPv4ForNics = new HashMap<>();
+        HashMap<Long, String> requestedIPv6ForNics = new HashMap<>();
 
-        networkIdList.add(1l);
+        networkIdList.add(1L);
 
         InvalidParameterValueException assertThrows = Assert.assertThrows(expectedInvalidParameterValueException, () -> {
             userVmManagerImpl.addAdditionalNetworksToVm(userVmVoMock, accountMock, networkIdList, applicableNetworks, requestedIPv4ForNics, requestedIPv6ForNics);
@@ -2444,12 +2440,12 @@ public void addAdditionalNetworksToVmTestNetworkIsNullThrowsInvalidParameterValu
     @Test
     public void addAdditionalNetworksToVmTestNetworkOfferingIsSystemOnlyThrowsInvalidParameterValueException() {
         String expectedMessage = String.format("Specified network [%s] is system only and cannot be used for VM deployment.", networkMock);
-        LinkedList<Long> networkIdList = new LinkedList<Long>();
-        HashSet<NetworkVO> applicableNetworks = Mockito.spy(new HashSet<NetworkVO>());
-        HashMap<Long, String> requestedIPv4ForNics = new HashMap<Long, String>();
-        HashMap<Long, String> requestedIPv6ForNics = new HashMap<Long, String>();
+        LinkedList<Long> networkIdList = new LinkedList<>();
+        HashSet<NetworkVO> applicableNetworks = Mockito.spy(new HashSet<>());
+        HashMap<Long, String> requestedIPv4ForNics = new HashMap<>();
+        HashMap<Long, String> requestedIPv6ForNics = new HashMap<>();
 
-        networkIdList.add(1l);
+        networkIdList.add(1L);
 
         Mockito.doReturn(networkMock).when(_networkDao).findById(Mockito.anyLong());
         Mockito.doReturn(networkOfferingVoMock).when(entityManager).findById(Mockito.any(), Mockito.anyLong());
@@ -2464,12 +2460,12 @@ public void addAdditionalNetworksToVmTestNetworkOfferingIsSystemOnlyThrowsInvali
 
     @Test
     public void addAdditionalNetworksToVmTestNetworkIsNotSharedGuestTypeDoesNotCallNicDaoFindByNtwkIdAndInstanceId() {
-        LinkedList<Long> networkIdList = new LinkedList<Long>();
-        HashSet<NetworkVO> applicableNetworks = Mockito.spy(new HashSet<NetworkVO>());
-        HashMap<Long, String> requestedIPv4ForNics = new HashMap<Long, String>();
-        HashMap<Long, String> requestedIPv6ForNics = new HashMap<Long, String>();
+        LinkedList<Long> networkIdList = new LinkedList<>();
+        HashSet<NetworkVO> applicableNetworks = Mockito.spy(new HashSet<>());
+        HashMap<Long, String> requestedIPv4ForNics = new HashMap<>();
+        HashMap<Long, String> requestedIPv6ForNics = new HashMap<>();
 
-        networkIdList.add(1l);
+        networkIdList.add(1L);
 
         Mockito.doReturn(networkMock).when(_networkDao).findById(Mockito.anyLong());
         Mockito.doReturn(networkOfferingVoMock).when(entityManager).findById(Mockito.any(), Mockito.anyLong());
@@ -2483,12 +2479,12 @@ public void addAdditionalNetworksToVmTestNetworkIsNotSharedGuestTypeDoesNotCallN
 
     @Test
     public void addAdditionalNetworksToVmTestNetworkIsNotDomainAclTypeDoesNotCallNicDaoFindByNtwkIdAndInstanceId() {
-        LinkedList<Long> networkIdList = new LinkedList<Long>();
-        HashSet<NetworkVO> applicableNetworks = Mockito.spy(new HashSet<NetworkVO>());
-        HashMap<Long, String> requestedIPv4ForNics = new HashMap<Long, String>();
-        HashMap<Long, String> requestedIPv6ForNics = new HashMap<Long, String>();
+        LinkedList<Long> networkIdList = new LinkedList<>();
+        HashSet<NetworkVO> applicableNetworks = Mockito.spy(new HashSet<>());
+        HashMap<Long, String> requestedIPv4ForNics = new HashMap<>();
+        HashMap<Long, String> requestedIPv6ForNics = new HashMap<>();
 
-        networkIdList.add(1l);
+        networkIdList.add(1L);
 
         Mockito.doReturn(networkMock).when(_networkDao).findById(Mockito.anyLong());
         Mockito.doReturn(networkOfferingVoMock).when(entityManager).findById(Mockito.any(), Mockito.anyLong());
@@ -2503,12 +2499,12 @@ public void addAdditionalNetworksToVmTestNetworkIsNotDomainAclTypeDoesNotCallNic
 
     @Test
     public void addAdditionalNetworksToVmTestOldNicIsNullDoesNotPutIpv4InRequestIpv4ForNics() {
-        LinkedList<Long> networkIdList = new LinkedList<Long>();
-        HashSet<NetworkVO> applicableNetworks = Mockito.spy(new HashSet<NetworkVO>());
-        HashMap<Long, String> requestedIPv4ForNics = Mockito.spy(new HashMap<Long, String>());
-        HashMap<Long, String> requestedIPv6ForNics = new HashMap<Long, String>();
+        LinkedList<Long> networkIdList = new LinkedList<>();
+        HashSet<NetworkVO> applicableNetworks = Mockito.spy(new HashSet<>());
+        HashMap<Long, String> requestedIPv4ForNics = Mockito.spy(new HashMap<>());
+        HashMap<Long, String> requestedIPv6ForNics = new HashMap<>();
 
-        networkIdList.add(1l);
+        networkIdList.add(1L);
 
         Mockito.doReturn(networkMock).when(_networkDao).findById(Mockito.anyLong());
         Mockito.doReturn(networkOfferingVoMock).when(entityManager).findById(Mockito.any(), Mockito.anyLong());
@@ -2525,12 +2521,12 @@ public void addAdditionalNetworksToVmTestOldNicIsNullDoesNotPutIpv4InRequestIpv4
 
     @Test
     public void addAdditionalNetworksToVmTestOldNicIsNotNullPutsIpv4InRequestIpv4ForNics() {
-        LinkedList<Long> networkIdList = new LinkedList<Long>();
-        HashSet<NetworkVO> applicableNetworks = Mockito.spy(new HashSet<NetworkVO>());
-        HashMap<Long, String> requestedIPv4ForNics = Mockito.spy(new HashMap<Long, String>());
-        HashMap<Long, String> requestedIPv6ForNics = new HashMap<Long, String>();
+        LinkedList<Long> networkIdList = new LinkedList<>();
+        HashSet<NetworkVO> applicableNetworks = Mockito.spy(new HashSet<>());
+        HashMap<Long, String> requestedIPv4ForNics = Mockito.spy(new HashMap<>());
+        HashMap<Long, String> requestedIPv6ForNics = new HashMap<>();
 
-        networkIdList.add(1l);
+        networkIdList.add(1L);
 
         Mockito.doReturn(networkMock).when(_networkDao).findById(Mockito.anyLong());
         Mockito.doReturn(networkOfferingVoMock).when(entityManager).findById(Mockito.any(), Mockito.anyLong());
@@ -2549,7 +2545,7 @@ public void addAdditionalNetworksToVmTestOldNicIsNotNullPutsIpv4InRequestIpv4For
     public void createApplicableNetworkToCreateVmTestPhysicalNetworkIsNullThrowsInvalidParameterValueException() {
         Mockito.doReturn(networkOfferingVoMock).when(userVmManagerImpl).getOfferingWithRequiredAvailabilityForNetworkCreation();
 
-        String expectedMessage = String.format("Unable to find physical network with ID [%s] and tag [%s].", 0l, null);
+        String expectedMessage = String.format("Unable to find physical network with ID [%s] and tag [%s].", 0L, null);
         InvalidParameterValueException assertThrows = Assert.assertThrows(expectedInvalidParameterValueException, () -> {
             userVmManagerImpl.createApplicableNetworkToCreateVm(accountMock, _dcMock);
         });
@@ -2589,7 +2585,7 @@ public void createApplicableNetworkToCreateVmTestFirstNetworkOfferingIsNotPersis
                 Mockito.any(), Mockito.any(), Mockito.anyBoolean(), Mockito.any(), Mockito.any(), Mockito.any(), Mockito.any(),
                 Mockito.any(), Mockito.any(), Mockito.any(), Mockito.any(), Mockito.any(), Mockito.any(), Mockito.any());
         Mockito.doReturn(networkOfferingVoMock).when(userVmManagerImpl).getOfferingWithRequiredAvailabilityForNetworkCreation();
-        Mockito.doReturn(1l).when(networkMock).getId();
+        Mockito.doReturn(1L).when(networkMock).getId();
         Mockito.doReturn(networkMock).when(_networkDao).findById(Mockito.anyLong());
 
         userVmManagerImpl.createApplicableNetworkToCreateVm(accountMock, _dcMock);
@@ -2665,7 +2661,7 @@ public void implementNetworkTestImplementedNetworkIsNullReturnCurrentNewNetwork(
         try (MockedStatic<CallContext> ignored = mockStatic(CallContext.class)) {
             Mockito.when(CallContext.current()).thenReturn(callContextMock);
 
-            Mockito.doReturn(1l).when(callContextMock).getCallingUserId();
+            Mockito.doReturn(1L).when(callContextMock).getCallingUserId();
 
             Mockito.doReturn(callerUser).when(userDao).findById(Mockito.anyLong());
             Mockito.doReturn(null).when(_networkMgr).implementNetwork(Mockito.anyLong(), Mockito.any(), Mockito.any());
@@ -2684,7 +2680,7 @@ public void implementNetworkTestImplementedNetworkFirstIsNullReturnCurrentNewNet
         try (MockedStatic<CallContext> ignored = mockStatic(CallContext.class)) {
             Mockito.when(CallContext.current()).thenReturn(callContextMock);
 
-            Mockito.doReturn(1l).when(callContextMock).getCallingUserId();
+            Mockito.doReturn(1L).when(callContextMock).getCallingUserId();
 
             Pair<? extends NetworkGuru, ? extends Network> implementedNetwork = Mockito.mock(Pair.class);
 
@@ -2706,7 +2702,7 @@ public void implementNetworkTestImplementedNetworkSecondIsNullReturnCurrentNewNe
         try (MockedStatic<CallContext> ignored = mockStatic(CallContext.class)) {
             Mockito.when(CallContext.current()).thenReturn(callContextMock);
 
-            Mockito.doReturn(1l).when(callContextMock).getCallingUserId();
+            Mockito.doReturn(1L).when(callContextMock).getCallingUserId();
 
             Pair<? extends NetworkGuru, ? extends Network> implementedNetwork = Mockito.mock(Pair.class);
 
@@ -2729,7 +2725,7 @@ public void implementNetworkTestImplementedNetworkSecondIsNotNullReturnImplement
         try (MockedStatic<CallContext> ignored = mockStatic(CallContext.class)) {
             Mockito.when(CallContext.current()).thenReturn(callContextMock);
 
-            Mockito.doReturn(1l).when(callContextMock).getCallingUserId();
+            Mockito.doReturn(1L).when(callContextMock).getCallingUserId();
 
             Pair<? extends NetworkGuru, ? extends Network> implementedNetwork = Mockito.mock(Pair.class);
 
@@ -2753,7 +2749,7 @@ public void implementNetworkTestImplementedNetworkCatchException() throws Resour
         try (MockedStatic<CallContext> ignored = mockStatic(CallContext.class)) {
             Mockito.when(CallContext.current()).thenReturn(callContextMock);
 
-            Mockito.doReturn(1l).when(callContextMock).getCallingUserId();
+            Mockito.doReturn(1L).when(callContextMock).getCallingUserId();
 
             Pair<? extends NetworkGuru, ? extends Network> implementedNetwork = Mockito.mock(Pair.class);
 
@@ -2771,10 +2767,10 @@ public void implementNetworkTestImplementedNetworkCatchException() throws Resour
     @Test
     public void updateBasicTypeNetworkForVmTestNetworkIdListIsNotEmptyThrowsInvalidParameterValueException() {
         String expectedMessage = "Cannot move VM with Network IDs; this is a basic zone VM.";
-        LinkedList<Long> networkIdList = new LinkedList<Long>();
-        LinkedList<Long> securityGroupIdList = new LinkedList<Long>();
+        LinkedList<Long> networkIdList = new LinkedList<>();
+        LinkedList<Long> securityGroupIdList = new LinkedList<>();
 
-        networkIdList.add(1l);
+        networkIdList.add(1L);
 
         InvalidParameterValueException assertThrows = Assert.assertThrows(expectedInvalidParameterValueException, () -> {
             userVmManagerImpl.updateBasicTypeNetworkForVm(userVmVoMock, accountMock, virtualMachineTemplateMock, virtualMachineProfileMock, _dcMock, networkIdList,
@@ -2806,7 +2802,7 @@ public void updateBasicTypeNetworkForVmTestNetworkIdListIsEmptyCallsCleanupOfOld
             throws InsufficientCapacityException {
 
         LinkedList<Long> securityGroupIdList = Mockito.mock(LinkedList.class);
-        LinkedList<Long> networkIdList = new LinkedList<Long>();
+        LinkedList<Long> networkIdList = new LinkedList<>();
 
         Mockito.doReturn(networkMock).when(networkModel).getExclusiveGuestNetwork(Mockito.anyLong());
 
@@ -2823,7 +2819,7 @@ public void updateBasicTypeNetworkForVmTestNetworkIdListIsEmptyCallsCleanupOfOld
     public void updateAdvancedTypeNetworkForVmTestSecurityGroupIsEnabledApplicableNetworksIsEmptyThrowsInvalidParameterValueException() {
         String expectedMessage = "No network is specified, please specify one when you move the VM. For now, please add a network to VM on NICs tab.";
         LinkedList<Long> securityGroupIdList = Mockito.mock(LinkedList.class);
-        LinkedList<Long> networkIdList = new LinkedList<Long>();
+        LinkedList<Long> networkIdList = new LinkedList<>();
 
         Mockito.doReturn(true).when(networkModel).checkSecurityGroupSupportForNetwork(Mockito.any(), Mockito.any(), Mockito.any(), Mockito.any());
 
@@ -2841,7 +2837,7 @@ public void updateAdvancedTypeNetworkForVmTestSecurityGroupIsEnabledApplicableNe
             ResourceAllocationException {
 
         LinkedList<Long> securityGroupIdList = Mockito.mock(LinkedList.class);
-        LinkedList<Long> networkIdList = new LinkedList<Long>();
+        LinkedList<Long> networkIdList = new LinkedList<>();
 
         Mockito.doReturn(new NicVO()).when(nicDao).findDefaultNicForVM(Mockito.anyLong());
         Mockito.doReturn(networkMock).when(_networkDao).findById(Mockito.anyLong());
@@ -2861,9 +2857,9 @@ public void updateAdvancedTypeNetworkForVmTestSecurityGroupIsEnabledApplicableNe
     public void updateAdvancedTypeNetworkForVmTestSecurityGroupIsNotEnabledSecurityGroupIdListIsNotEmptyThrowsInvalidParameterValueException() {
         String expectedMessage = "Cannot move VM with security groups; security group feature is not enabled in this zone.";
         LinkedList<Long> securityGroupIdList = Mockito.mock(LinkedList.class);
-        LinkedList<Long> networkIdList = new LinkedList<Long>();
+        LinkedList<Long> networkIdList = new LinkedList<>();
 
-        securityGroupIdList.add(1l);
+        securityGroupIdList.add(1L);
 
         Mockito.doReturn(false).when(networkModel).checkSecurityGroupSupportForNetwork(accountMock, _dcMock, networkIdList, securityGroupIdList);
 
@@ -2880,7 +2876,7 @@ public void updateAdvancedTypeNetworkForVmTestSecurityGroupIsNotEnabledApplicabl
             ResourceAllocationException {
 
         LinkedList<Long> securityGroupIdList = Mockito.mock(LinkedList.class);
-        LinkedList<Long> networkIdList = new LinkedList<Long>();
+        LinkedList<Long> networkIdList = new LinkedList<>();
 
         Mockito.doReturn(networkMock).when(userVmManagerImpl).addNicsToApplicableNetworksAndReturnDefaultNetwork(Mockito.any(), Mockito.anyMap(), Mockito.anyMap(), Mockito.any());
         Mockito.doNothing().when(userVmManagerImpl).selectApplicableNetworkToCreateVm(Mockito.any(), Mockito.any(), Mockito.any());
@@ -2903,7 +2899,7 @@ public void updateAdvancedTypeNetworkForVmTestSecurityGroupIsNotEnabledApplicabl
             throws InsufficientCapacityException, ResourceAllocationException {
 
         LinkedList<Long> securityGroupIdList = Mockito.mock(LinkedList.class);
-        LinkedList<Long> networkIdList = new LinkedList<Long>();
+        LinkedList<Long> networkIdList = new LinkedList<>();
 
         Mockito.doReturn(false).when(networkModel).checkSecurityGroupSupportForNetwork(accountMock, _dcMock, networkIdList, securityGroupIdList);
         Mockito.doReturn(true).when(securityGroupIdList).isEmpty();
@@ -2924,10 +2920,10 @@ public void updateAdvancedTypeNetworkForVmTestSecurityGroupIsNotEnabledApplicabl
 
     @Test
     public void addNicsToApplicableNetworksAndReturnDefaultNetworkTestApplicableNetworkIsEmptyReturnNull() {
-        HashMap<Long, String> requestedIPv4ForNics = new HashMap<Long, String>();
-        HashMap<Long, String> requestedIPv6ForNics = new HashMap<Long, String>();
-        LinkedHashSet<NetworkVO> applicableNetworks = new LinkedHashSet<NetworkVO>();
-        LinkedHashMap<Network, List<? extends NicProfile>> networks = new LinkedHashMap<Network, List<? extends NicProfile>>();
+        HashMap<Long, String> requestedIPv4ForNics = new HashMap<>();
+        HashMap<Long, String> requestedIPv6ForNics = new HashMap<>();
+        LinkedHashSet<NetworkVO> applicableNetworks = new LinkedHashSet<>();
+        LinkedHashMap<Network, List<? extends NicProfile>> networks = new LinkedHashMap<>();
 
         NetworkVO defaultNetwork = userVmManagerImpl.addNicsToApplicableNetworksAndReturnDefaultNetwork(applicableNetworks, requestedIPv4ForNics, requestedIPv6ForNics, networks);
 
@@ -2936,9 +2932,9 @@ public void addNicsToApplicableNetworksAndReturnDefaultNetworkTestApplicableNetw
 
     @Test
     public void addNicsToApplicableNetworksAndReturnDefaultNetworkTestApplicableNetworkIsNotEmptyReturnFirstElement() {
-        HashMap<Long, String> requestedIPv4ForNics = new HashMap<Long, String>();
-        HashMap<Long, String> requestedIPv6ForNics = new HashMap<Long, String>();
-        LinkedHashSet<NetworkVO> applicableNetworks = new LinkedHashSet<NetworkVO>();
+        HashMap<Long, String> requestedIPv4ForNics = new HashMap<>();
+        HashMap<Long, String> requestedIPv6ForNics = new HashMap<>();
+        LinkedHashSet<NetworkVO> applicableNetworks = new LinkedHashSet<>();
         LinkedHashMap<Network, List<? extends NicProfile>> networks = Mockito.spy(LinkedHashMap.class);
 
         applicableNetworks.add(networkMock);
@@ -2951,9 +2947,9 @@ public void addNicsToApplicableNetworksAndReturnDefaultNetworkTestApplicableNetw
 
     @Test
     public void addNicsToApplicableNetworksAndReturnDefaultNetworkTestApplicableNetworkIsNotEmptyPutTwoNetworksInNetworksMapAndReturnFirst() {
-        HashMap<Long, String> requestedIPv4ForNics = new HashMap<Long, String>();
-        HashMap<Long, String> requestedIPv6ForNics = new HashMap<Long, String>();
-        LinkedHashSet<NetworkVO> applicableNetworks = new LinkedHashSet<NetworkVO>();
+        HashMap<Long, String> requestedIPv4ForNics = new HashMap<>();
+        HashMap<Long, String> requestedIPv6ForNics = new HashMap<>();
+        LinkedHashSet<NetworkVO> applicableNetworks = new LinkedHashSet<>();
         LinkedHashMap<Network, List<? extends NicProfile>> networks = Mockito.spy(LinkedHashMap.class);
 
         NetworkVO networkVoMock2 = Mockito.mock(NetworkVO.class);
@@ -2971,9 +2967,9 @@ public void validateIfVolumesHaveNoSnapshotsTestVolumeHasSnapshotsThrowsInvalidP
         String expectedMessage = String.format("Snapshots exist for volume [%s]. Detach volume or remove snapshots for the volume before assigning VM to another user.",
                 volumeVOMock.getName());
 
-        LinkedList<VolumeVO> volumes = new LinkedList<VolumeVO>();
+        LinkedList<VolumeVO> volumes = new LinkedList<>();
         volumes.add(volumeVOMock);
-        LinkedList<SnapshotVO> snapshots = new LinkedList<SnapshotVO>();
+        LinkedList<SnapshotVO> snapshots = new LinkedList<>();
         snapshots.add(snapshotVoMock);
 
         Mockito.doReturn(snapshots).when(snapshotDaoMock).listByStatusNotIn(Mockito.anyLong(), Mockito.any(), Mockito.any());
@@ -2987,9 +2983,9 @@ public void validateIfVolumesHaveNoSnapshotsTestVolumeHasSnapshotsThrowsInvalidP
 
     @Test
     public void validateIfVolumesHaveNoSnapshotsTestVolumeHasNoSnapshotsDoesNotThrowInvalidParameterException() {
-        LinkedList<VolumeVO> volumes = new LinkedList<VolumeVO>();
+        LinkedList<VolumeVO> volumes = new LinkedList<>();
         volumes.add(volumeVOMock);
-        LinkedList<SnapshotVO> snapshots = new LinkedList<SnapshotVO>();
+        LinkedList<SnapshotVO> snapshots = new LinkedList<>();
 
         Mockito.doReturn(snapshots).when(snapshotDaoMock).listByStatusNotIn(Mockito.anyLong(), Mockito.any(), Mockito.any());
 
@@ -3035,7 +3031,7 @@ public void moveVmToUserTestProjectIdProvidedAndDomainIdIsNullThrowsInvalidParam
 
         Mockito.doReturn(true).when(accountManager).isRootAdmin(Mockito.anyLong());
         Mockito.doReturn(userVmVoMock).when(userVmDao).findById(Mockito.anyLong());
-        Mockito.doReturn(1l).when(assignVmCmdMock).getProjectId();
+        Mockito.doReturn(1L).when(assignVmCmdMock).getProjectId();
         Mockito.doReturn(null).when(assignVmCmdMock).getDomainId();
 
         configureDoNothingForMethodsThatWeDoNotWantToTest();
@@ -3066,7 +3062,7 @@ public void moveVmToUserTestValidateIfVmHasNoRulesThrowsInvalidParameterValueExc
     public void moveVmToUserTestSnapshotsForVolumeExistThrowsInvalidParameterValueException() throws ResourceUnavailableException, InsufficientCapacityException,
             ResourceAllocationException {
 
-        LinkedList<VolumeVO> volumes = new LinkedList<VolumeVO>();
+        LinkedList<VolumeVO> volumes = new LinkedList<>();
         volumes.add(volumeVOMock);
 
         Mockito.doReturn(true).when(accountManager).isRootAdmin(Mockito.anyLong());
@@ -3085,7 +3081,7 @@ public void moveVmToUserTestSnapshotsForVolumeExistThrowsInvalidParameterValueEx
     public void moveVmToUserTestVerifyResourceLimitsForAccountAndStorageThrowsResourceAllocationException() throws ResourceUnavailableException, InsufficientCapacityException,
             ResourceAllocationException {
 
-        LinkedList<VolumeVO> volumes = new LinkedList<VolumeVO>();
+        LinkedList<VolumeVO> volumes = new LinkedList<>();
 
         Mockito.doReturn(true).when(accountManager).isRootAdmin(Mockito.anyLong());
         Mockito.doReturn(userVmVoMock).when(userVmDao).findById(Mockito.anyLong());
@@ -3095,7 +3091,7 @@ public void moveVmToUserTestVerifyResourceLimitsForAccountAndStorageThrowsResour
         configureDoNothingForMethodsThatWeDoNotWantToTest();
 
         doThrow(ResourceAllocationException.class).when(userVmManagerImpl).verifyResourceLimitsForAccountAndStorage(Mockito.any(), Mockito.any(),
-                Mockito.any(), Mockito.any(), Mockito.any());
+                Mockito.any(), Mockito.any(), Mockito.any(), Mockito.any());
 
         Assert.assertThrows(ResourceAllocationException.class, () -> userVmManagerImpl.moveVmToUser(assignVmCmdMock));
     }
@@ -3104,7 +3100,7 @@ public void moveVmToUserTestVerifyResourceLimitsForAccountAndStorageThrowsResour
     public void moveVmToUserTestVerifyValidateIfNewOwnerHasAccessToTemplateThrowsInvalidParameterValueException() throws ResourceUnavailableException,
             InsufficientCapacityException, ResourceAllocationException {
 
-        LinkedList<VolumeVO> volumes = new LinkedList<VolumeVO>();
+        LinkedList<VolumeVO> volumes = new LinkedList<>();
 
         Mockito.doReturn(true).when(accountManager).isRootAdmin(Mockito.anyLong());
         Mockito.doReturn(userVmVoMock).when(userVmDao).findById(Mockito.anyLong());
@@ -3122,7 +3118,7 @@ public void moveVmToUserTestVerifyValidateIfNewOwnerHasAccessToTemplateThrowsInv
     public void moveVmToUserTestAccountManagerCheckAccessThrowsPermissionDeniedException() throws ResourceUnavailableException, InsufficientCapacityException,
             ResourceAllocationException {
 
-        LinkedList<VolumeVO> volumes = new LinkedList<VolumeVO>();
+        LinkedList<VolumeVO> volumes = new LinkedList<>();
 
         Mockito.doReturn(true).when(accountManager).isRootAdmin(Mockito.anyLong());
         Mockito.doReturn(userVmVoMock).when(userVmDao).findById(Mockito.anyLong());
@@ -3142,7 +3138,7 @@ public void moveVmToUserTestAccountManagerCheckAccessThrowsPermissionDeniedExcep
     public void executeStepsToChangeOwnershipOfVmTestUpdateVmNetworkThrowsInsufficientCapacityException() throws ResourceUnavailableException, InsufficientCapacityException,
             ResourceAllocationException {
 
-        LinkedList<VolumeVO> volumes = new LinkedList<VolumeVO>();
+        LinkedList<VolumeVO> volumes = new LinkedList<>();
 
         try (MockedStatic<UsageEventUtils> ignored = mockStatic(UsageEventUtils.class)) {
             Mockito.doReturn(Hypervisor.HypervisorType.KVM).when(userVmVoMock).getHypervisorType();
@@ -3153,7 +3149,7 @@ public void executeStepsToChangeOwnershipOfVmTestUpdateVmNetworkThrowsInsufficie
                     Mockito.any());
 
             Assert.assertThrows(CloudRuntimeException.class, () -> userVmManagerImpl.executeStepsToChangeOwnershipOfVm(assignVmCmdMock, callerAccount, accountMock, accountMock,
-                    userVmVoMock, serviceOfferingVoMock, volumes, virtualMachineTemplateMock, 1l));
+                    userVmVoMock, serviceOfferingVoMock, volumes, virtualMachineTemplateMock, 1L));
 
             Mockito.verify(userVmManagerImpl).resourceCountDecrement(Mockito.anyLong(), Mockito.any(), Mockito.any(), Mockito.any());
             Mockito.verify(userVmManagerImpl).updateVmOwner(Mockito.any(), Mockito.any(), Mockito.anyLong(), Mockito.anyLong());
@@ -3165,7 +3161,7 @@ public void executeStepsToChangeOwnershipOfVmTestUpdateVmNetworkThrowsInsufficie
     public void executeStepsToChangeOwnershipOfVmTestUpdateVmNetworkThrowsResourceAllocationException() throws ResourceUnavailableException, InsufficientCapacityException,
             ResourceAllocationException {
 
-        LinkedList<VolumeVO> volumes = new LinkedList<VolumeVO>();
+        LinkedList<VolumeVO> volumes = new LinkedList<>();
 
         try (MockedStatic<UsageEventUtils> ignored = mockStatic(UsageEventUtils.class)) {
             Mockito.doReturn(Hypervisor.HypervisorType.KVM).when(userVmVoMock).getHypervisorType();
@@ -3176,7 +3172,7 @@ public void executeStepsToChangeOwnershipOfVmTestUpdateVmNetworkThrowsResourceAl
                     Mockito.any());
 
             Assert.assertThrows(CloudRuntimeException.class, () -> userVmManagerImpl.executeStepsToChangeOwnershipOfVm(assignVmCmdMock, callerAccount, accountMock, accountMock,
-                    userVmVoMock, serviceOfferingVoMock, volumes, virtualMachineTemplateMock, 1l));
+                    userVmVoMock, serviceOfferingVoMock, volumes, virtualMachineTemplateMock, 1L));
 
             Mockito.verify(userVmManagerImpl).resourceCountDecrement(Mockito.anyLong(), Mockito.any(), Mockito.any(), Mockito.any());
             Mockito.verify(userVmManagerImpl).updateVmOwner(Mockito.any(), Mockito.any(), Mockito.anyLong(), Mockito.anyLong());
@@ -3188,7 +3184,7 @@ public void executeStepsToChangeOwnershipOfVmTestUpdateVmNetworkThrowsResourceAl
     public void executeStepsToChangeOwnershipOfVmTestResourceCountRunningVmsOnlyEnabledIsFalseCallsResourceCountIncrement() throws ResourceUnavailableException,
             InsufficientCapacityException, ResourceAllocationException {
 
-        LinkedList<VolumeVO> volumes = new LinkedList<VolumeVO>();
+        LinkedList<VolumeVO> volumes = new LinkedList<>();
 
 
         try (MockedStatic<UsageEventUtils> ignored = mockStatic(UsageEventUtils.class)) {
@@ -3212,7 +3208,7 @@ public void executeStepsToChangeOwnershipOfVmTestResourceCountRunningVmsOnlyEnab
     public void executeStepsToChangeOwnershipOfVmTestResourceCountRunningVmsOnlyEnabledIsTrueDoesNotCallResourceCountIncrement() throws ResourceUnavailableException,
             InsufficientCapacityException, ResourceAllocationException {
 
-        LinkedList<VolumeVO> volumes = new LinkedList<VolumeVO>();
+        LinkedList<VolumeVO> volumes = new LinkedList<>();
 
         try (MockedStatic<UsageEventUtils> ignored = mockStatic(UsageEventUtils.class)) {
             Mockito.doReturn(Hypervisor.HypervisorType.KVM).when(userVmVoMock).getHypervisorType();
@@ -3221,7 +3217,7 @@ public void executeStepsToChangeOwnershipOfVmTestResourceCountRunningVmsOnlyEnab
             configureDoNothingForMethodsThatWeDoNotWantToTest();
 
             userVmManagerImpl.executeStepsToChangeOwnershipOfVm(assignVmCmdMock, callerAccount, accountMock, accountMock, userVmVoMock, serviceOfferingVoMock, volumes,
-                    virtualMachineTemplateMock, 1l);
+                    virtualMachineTemplateMock, 1L);
 
             Mockito.verify(userVmManagerImpl).resourceCountDecrement(Mockito.anyLong(), Mockito.any(), Mockito.any(), Mockito.any());
             Mockito.verify(userVmManagerImpl).updateVmOwner(Mockito.any(), Mockito.any(), Mockito.anyLong(), Mockito.anyLong());
@@ -3485,9 +3481,9 @@ public void testResetVMSSHKey() throws ResourceUnavailableException, Insufficien
 
         assertNotNull(result);
         Map<String, String> details = result.getDetails();
-        Assert.assertEquals(details.get(VmDetailConstants.SSH_PUBLIC_KEY), "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAr...\n" +
-                "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAr...");
-        Assert.assertEquals(details.get(VmDetailConstants.SSH_KEY_PAIR_NAMES), "keypair1,keypair2");
+        Assert.assertEquals("ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAr...\n" +
+                "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAr...", details.get(VmDetailConstants.SSH_PUBLIC_KEY));
+        Assert.assertEquals("keypair1,keypair2", details.get(VmDetailConstants.SSH_KEY_PAIR_NAMES));
     }
 
     @Test
@@ -3883,15 +3879,38 @@ Map<String, String> getLeaseDetails(int leaseDuration, String leaseExecution) {
         return leaseDetails;
     }
 
+    private static DeployVMCmd buildDeployVMCmd(Long volumeId, Long snapshotId) {
+        DeployVMCmd deployVMCmd = mock(DeployVMCmd.class);
+        when(deployVMCmd.getEntityOwnerId()).thenReturn(accountId);
+        when(deployVMCmd.getZoneId()).thenReturn(zoneId);
+        when(deployVMCmd.getServiceOfferingId()).thenReturn(serviceOfferingId);
+        when(deployVMCmd.getVolumeId()).thenReturn(volumeId);
+        when(deployVMCmd.getSnapshotId()).thenReturn(snapshotId);
+        when(deployVMCmd.getTemplateId()).thenReturn(null);
+        when(deployVMCmd.isVolumeOrSnapshotProvided()).thenReturn(true);
+        when(deployVMCmd.getNetworkIds()).thenReturn(null);
+        when(deployVMCmd.getSecurityGroupNameList()).thenReturn(null);
+        // Long methods default to 0L in Mockito; null is required to match real DeployVMCmd field-unset behaviour
+        when(deployVMCmd.getDiskOfferingId()).thenReturn(null);
+        when(deployVMCmd.getUserdataId()).thenReturn(null);
+        when(deployVMCmd.getHostId()).thenReturn(null);
+        // boolean method defaults to false; real DeployVMCmd returns true when field is null
+        when(deployVMCmd.isDynamicScalingEnabled()).thenReturn(true);
+        return deployVMCmd;
+    }
+
+    private static DeployVMCmd getDeployVMCmdFromSnapshot() {
+        return buildDeployVMCmd(null, snashotId);
+    }
+
+    private static DeployVMCmd getDeployVMCmdFromVolume() {
+        return buildDeployVMCmd(volumeId, null);
+    }
+
     @Test
     public void createVirtualMachineWithExistingVolume() throws ResourceUnavailableException, InsufficientCapacityException, ResourceAllocationException {
-        DeployVMCmd deployVMCmd = new DeployVMCmd();
-        ReflectionTestUtils.setField(deployVMCmd, "zoneId", zoneId);
-        ReflectionTestUtils.setField(deployVMCmd, "serviceOfferingId", serviceOfferingId);
-        ReflectionTestUtils.setField(deployVMCmd, "volumeId", volumeId);
-        deployVMCmd._accountService = accountService;
+        DeployVMCmd deployVMCmd = getDeployVMCmdFromVolume();
 
-        when(accountService.finalizeAccountId(nullable(String.class), nullable(Long.class), nullable(Long.class), eq(true))).thenReturn(accountId);
         when(accountService.getActiveAccountById(accountId)).thenReturn(account);
         when(entityManager.findById(DataCenter.class, zoneId)).thenReturn(_dcMock);
         when(entityManager.findById(ServiceOffering.class, serviceOfferingId)).thenReturn(serviceOffering);
@@ -3920,15 +3939,11 @@ public void createVirtualMachineWithExistingVolume() throws ResourceUnavailableE
     }
 
     @Test
-    public void createVirtualMachineWithExistingSnapshot() throws ResourceUnavailableException, InsufficientCapacityException, ResourceAllocationException {
-        DeployVMCmd deployVMCmd = new DeployVMCmd();
-        ReflectionTestUtils.setField(deployVMCmd, "zoneId", zoneId);
-        ReflectionTestUtils.setField(deployVMCmd, "serviceOfferingId", serviceOfferingId);
-        ReflectionTestUtils.setField(deployVMCmd, "snapshotId", snashotId);
-        deployVMCmd._accountService = accountService;
+    public void createVirtualMachineWithExistingSnapshot()
+            throws ResourceUnavailableException, InsufficientCapacityException, ResourceAllocationException {
+        DeployVMCmd deployVMCmd = getDeployVMCmdFromSnapshot();                                    // mock, no field hacks
 
-        when(accountService.finalizeAccountId(nullable(String.class), nullable(Long.class), nullable(Long.class), eq(true))).thenReturn(accountId);
-        when(accountService.getActiveAccountById(accountId)).thenReturn(account);
+        when(accountService.getActiveAccountById(accountId)).thenReturn(account);      // keep
         when(entityManager.findById(DataCenter.class, zoneId)).thenReturn(_dcMock);
         when(entityManager.findById(ServiceOffering.class, serviceOfferingId)).thenReturn(serviceOffering);
         when(entityManager.findById(DiskOffering.class, serviceOffering.getId())).thenReturn(smallerDisdkOffering);
@@ -3938,9 +3953,6 @@ public void createVirtualMachineWithExistingSnapshot() throws ResourceUnavailabl
         when(snapshotMock.getVolumeId()).thenReturn(volumeId);
         when(volumeInfo.getTemplateId()).thenReturn(templateId);
         when(volumeInfo.getInstanceId()).thenReturn(null);
-        when(volumeInfo.getDataStore()).thenReturn(primaryDataStore);
-        when(primaryDataStore.getScope()).thenReturn(scopeMock);
-        when(primaryDataStore.getScope().getScopeType()).thenReturn(ScopeType.ZONE);
         when(templateMock.getTemplateType()).thenReturn(Storage.TemplateType.VNF);
         when(templateMock.getHypervisorType()).thenReturn(Hypervisor.HypervisorType.KVM);
         when(templateMock.isDeployAsIs()).thenReturn(false);
@@ -3953,10 +3965,103 @@ public void createVirtualMachineWithExistingSnapshot() throws ResourceUnavailabl
                 any(), any(), any(), any(), any(), any(), any(), any(), any(), any(), any(), any(), nullable(Boolean.class), any(), any(), any(),
                 any(), any(), any(), any(), eq(true), any(), any(), any());
 
+        userVmManagerImpl.createVirtualMachine(deployVMCmd);
+    }
+
+    @Test
+    public void createVirtualMachineWithSnapshotFromExpungedLocalStorageVolumeSucceeds()
+            throws ResourceUnavailableException, InsufficientCapacityException, ResourceAllocationException {
+        DeployVMCmd deployVMCmd = getDeployVMCmdFromSnapshot();                                    // mock, no field hacks
+
+        when(accountService.getActiveAccountById(accountId)).thenReturn(account);
+        when(entityManager.findById(DataCenter.class, zoneId)).thenReturn(_dcMock);
+        when(entityManager.findById(ServiceOffering.class, serviceOfferingId)).thenReturn(serviceOffering);
+        when(snapshotDaoMock.findById(snashotId)).thenReturn(snapshotMock);
+        when(snapshotMock.getVolumeId()).thenReturn(volumeId);
+        when(volumeDataFactory.getVolume(volumeId)).thenReturn(volumeInfo);
+        when(volumeInfo.getTemplateId()).thenReturn(templateId);
+        when(volumeInfo.getInstanceId()).thenReturn(null);
+        when(entityManager.findByIdIncludingRemoved(VirtualMachineTemplate.class, templateId)).thenReturn(templateMock);
+        when(templateMock.getTemplateType()).thenReturn(Storage.TemplateType.VNF);
+        when(templateMock.getHypervisorType()).thenReturn(Hypervisor.HypervisorType.KVM);
+        when(templateMock.isDeployAsIs()).thenReturn(false);
+        when(templateMock.getFormat()).thenReturn(Storage.ImageFormat.QCOW2);
+        when(templateMock.getUserDataId()).thenReturn(null);
+        Mockito.doNothing().when(vnfTemplateManager).validateVnfApplianceNics(any(), nullable(List.class), any());
+        when(_dcMock.isLocalStorageEnabled()).thenReturn(true);
+        when(_dcMock.getNetworkType()).thenReturn(DataCenter.NetworkType.Basic);
+        Mockito.doReturn(userVmVoMock).when(userVmManagerImpl).createBasicSecurityGroupVirtualMachine(any(), any(), any(), any(), any(), any(), any(),
+                any(), any(), any(), any(), any(), any(), any(), any(), any(), any(), any(), any(), nullable(Boolean.class), any(), any(), any(),
+                any(), any(), any(), any(), eq(true), any(), any(), any());
+
+        // Must NOT throw "Deployment of virtual machine is supported only for Zone-wide storage pools"
+        userVmManagerImpl.createVirtualMachine(deployVMCmd);
+    }
+
+    @Test
+    public void createVirtualMachineWithSnapshotFromVolumeWithNullDataStoreSucceeds()
+            throws ResourceUnavailableException, InsufficientCapacityException, ResourceAllocationException {
+        DeployVMCmd deployVMCmd = getDeployVMCmdFromSnapshot();                                    // mock, no field hacks
 
+        when(accountService.getActiveAccountById(accountId)).thenReturn(account);
+        when(entityManager.findById(DataCenter.class, zoneId)).thenReturn(_dcMock);
+        when(entityManager.findById(ServiceOffering.class, serviceOfferingId)).thenReturn(serviceOffering);
+        when(snapshotDaoMock.findById(snashotId)).thenReturn(snapshotMock);
+        when(snapshotMock.getVolumeId()).thenReturn(volumeId);
+        when(volumeDataFactory.getVolume(volumeId)).thenReturn(volumeInfo);
+        when(volumeInfo.getTemplateId()).thenReturn(templateId);
+        when(volumeInfo.getInstanceId()).thenReturn(null);
+        when(entityManager.findByIdIncludingRemoved(VirtualMachineTemplate.class, templateId)).thenReturn(templateMock);
+        when(templateMock.getTemplateType()).thenReturn(Storage.TemplateType.VNF);
+        when(templateMock.getHypervisorType()).thenReturn(Hypervisor.HypervisorType.KVM);
+        when(templateMock.isDeployAsIs()).thenReturn(false);
+        when(templateMock.getFormat()).thenReturn(Storage.ImageFormat.QCOW2);
+        when(templateMock.getUserDataId()).thenReturn(null);
+        Mockito.doNothing().when(vnfTemplateManager).validateVnfApplianceNics(any(), nullable(List.class), any());
+        when(_dcMock.isLocalStorageEnabled()).thenReturn(true);
+        when(_dcMock.getNetworkType()).thenReturn(DataCenter.NetworkType.Basic);
+        Mockito.doReturn(userVmVoMock).when(userVmManagerImpl).createBasicSecurityGroupVirtualMachine(any(), any(), any(), any(), any(), any(), any(),
+                any(), any(), any(), any(), any(), any(), any(), any(), any(), any(), any(), any(), nullable(Boolean.class), any(), any(), any(),
+                any(), any(), any(), any(), eq(true), any(), any(), any());
+
+        // Must NOT throw "Deployment of virtual machine is supported only for Zone-wide storage pools"
         userVmManagerImpl.createVirtualMachine(deployVMCmd);
     }
 
+    @Test
+    public void createVirtualMachineWithVolumeFromNonZoneScopedStorageFails() {
+        DeployVMCmd deployVMCmd = getDeployVMCmdFromVolume();
+
+        when(accountService.getActiveAccountById(accountId)).thenReturn(account);
+        when(entityManager.findById(DataCenter.class, zoneId)).thenReturn(_dcMock);
+        when(entityManager.findById(ServiceOffering.class, serviceOfferingId)).thenReturn(serviceOffering);
+        when(volumeDataFactory.getVolume(volumeId)).thenReturn(volumeInfo);
+        // Volume lives on HOST-scoped (local) storage
+        when(volumeInfo.getDataStore()).thenReturn(primaryDataStore);
+        when(primaryDataStore.getScope()).thenReturn(scopeMock);
+        when(scopeMock.getScopeType()).thenReturn(ScopeType.HOST);
+
+        InvalidParameterValueException ex = assertThrows(InvalidParameterValueException.class,
+                () -> userVmManagerImpl.createVirtualMachine(deployVMCmd));
+        assertEquals("Deployment of virtual machine is supported only for Zone-wide storage pools", ex.getMessage());
+    }
+
+    @Test
+    public void createVirtualMachineWithVolumeWithNullDataStoreFails() {
+        DeployVMCmd deployVMCmd = getDeployVMCmdFromVolume();
+
+        when(accountService.getActiveAccountById(accountId)).thenReturn(account);
+        when(entityManager.findById(DataCenter.class, zoneId)).thenReturn(_dcMock);
+        when(entityManager.findById(ServiceOffering.class, serviceOfferingId)).thenReturn(serviceOffering);
+        when(volumeDataFactory.getVolume(volumeId)).thenReturn(volumeInfo);
+        // Volume's data store is null (pool was deleted)
+        when(volumeInfo.getDataStore()).thenReturn(null);
+
+        InvalidParameterValueException ex = assertThrows(InvalidParameterValueException.class,
+                () -> userVmManagerImpl.createVirtualMachine(deployVMCmd));
+        assertEquals("Deployment of virtual machine is supported only for Zone-wide storage pools", ex.getMessage());
+    }
+
     @Test
     public void testAllocateVMFromBackupWithVmSettingsRestoration() throws InsufficientCapacityException, ResourceAllocationException, ResourceUnavailableException {
         Long backupId = 10L;
@@ -4251,4 +4356,203 @@ public void updateVmExtraConfigDoesNothingWhenExtraConfigIsBlank() {
         verify(vmInstanceDetailsDao, never()).removeDetailsWithPrefix(anyLong(), anyString());
         verify(userVmManagerImpl, never()).addExtraConfig(any(UserVmVO.class), anyString());
     }
+
+    @Test(expected = InvalidParameterValueException.class)
+    public void updateVirtualMachineNicTestInvalidNicThrowInvalidParameterValueException() {
+        Long invalidId = -1L;
+        Mockito.doReturn(invalidId).when(updateVmNicCmd).getNicId();
+
+        userVmManagerImpl.updateVirtualMachineNic(updateVmNicCmd);
+    }
+
+    @Test(expected = InvalidParameterValueException.class)
+    public void updateVirtualMachineNicTestInvalidNicUserVmThrowInvalidParameterValueException() {
+        Mockito.doReturn(nicId).when(updateVmNicCmd).getNicId();
+        Mockito.doReturn(nicMock).when(nicDao).findById(nicId);
+
+        userVmManagerImpl.updateVirtualMachineNic(updateVmNicCmd);
+    }
+
+    @Test(expected = InvalidParameterValueException.class)
+    public void updateVirtualMachineNicTestInvalidNicNetworkThrowInvalidParameterValueException() {
+        Mockito.doReturn(nicId).when(updateVmNicCmd).getNicId();
+        Mockito.doReturn(true).when(updateVmNicCmd).isEnabled();
+        Mockito.doReturn(nicMock).when(nicDao).findById(nicId);
+        Mockito.doReturn(vmId).when(nicMock).getInstanceId();
+        Mockito.doReturn(userVmVoMock).when(userVmDao).findById(vmId);
+
+        userVmManagerImpl.updateVirtualMachineNic(updateVmNicCmd);
+    }
+
+    @Test(expected = CloudRuntimeException.class)
+    public void updateVirtualMachineNicTestInvalidNicNetworkThrowCloudRuntimeException() {
+        Mockito.doReturn(nicId).when(updateVmNicCmd).getNicId();
+        Mockito.doReturn(true).when(updateVmNicCmd).isEnabled();
+        Mockito.doReturn(nicMock).when(nicDao).findById(nicId);
+        Mockito.doReturn(vmId).when(nicMock).getInstanceId();
+        Mockito.doReturn(userVmVoMock).when(userVmDao).findById(vmId);
+
+        userVmManagerImpl.updateVirtualMachineNic(updateVmNicCmd);
+    }
+
+    @Test
+    public void updateVirtualMachineNicTestValidInputReturnNicUserVm() throws ResourceUnavailableException {
+        Mockito.doReturn(nicId).when(updateVmNicCmd).getNicId();
+        Mockito.doReturn(true).when(updateVmNicCmd).isEnabled();
+        Mockito.doReturn(nicMock).when(nicDao).findById(nicId);
+        Mockito.doReturn(vmId).when(nicMock).getInstanceId();
+        Mockito.doReturn(userVmVoMock).when(userVmDao).findById(vmId);
+        Mockito.doReturn(Hypervisor.HypervisorType.KVM).when(userVmVoMock).getHypervisorType();
+        Mockito.doReturn(networkId).when(nicMock).getNetworkId();
+        Mockito.doReturn(networkMock).when(_networkDao).findById(networkId);
+        Mockito.doReturn(true).when(virtualMachineManager).updateVmNic(Mockito.any(), Mockito.any(), Mockito.any());
+
+        UserVm result = userVmManagerImpl.updateVirtualMachineNic(updateVmNicCmd);
+
+        Assert.assertNotNull(result);
+    }
+
+    @Test
+    public void testTransitionExpungingToErrorVmInExpungingState() throws Exception {
+        UserVmVO vm = mock(UserVmVO.class);
+        when(vm.getState()).thenReturn(VirtualMachine.State.Expunging);
+        when(vm.getUuid()).thenReturn("test-uuid");
+        when(userVmDao.findById(vmId)).thenReturn(vm);
+        when(virtualMachineManager.stateTransitTo(eq(vm), eq(VirtualMachine.Event.OperationFailedToError), eq(null))).thenReturn(true);
+
+        java.lang.reflect.Method method = UserVmManagerImpl.class.getDeclaredMethod("transitionExpungingToError", long.class);
+        method.setAccessible(true);
+        method.invoke(userVmManagerImpl, vmId);
+
+        Mockito.verify(virtualMachineManager).stateTransitTo(vm, VirtualMachine.Event.OperationFailedToError, null);
+    }
+
+    @Test
+    public void testTransitionExpungingToErrorVmNotInExpungingState() throws Exception {
+        UserVmVO vm = mock(UserVmVO.class);
+        when(vm.getState()).thenReturn(VirtualMachine.State.Stopped);
+        when(userVmDao.findById(vmId)).thenReturn(vm);
+
+        java.lang.reflect.Method method = UserVmManagerImpl.class.getDeclaredMethod("transitionExpungingToError", long.class);
+        method.setAccessible(true);
+        method.invoke(userVmManagerImpl, vmId);
+
+        Mockito.verify(virtualMachineManager, Mockito.never()).stateTransitTo(any(VirtualMachine.class), any(VirtualMachine.Event.class), any());
+    }
+
+    @Test
+    public void testTransitionExpungingToErrorVmNotFound() throws Exception {
+        when(userVmDao.findById(vmId)).thenReturn(null);
+
+        java.lang.reflect.Method method = UserVmManagerImpl.class.getDeclaredMethod("transitionExpungingToError", long.class);
+        method.setAccessible(true);
+        method.invoke(userVmManagerImpl, vmId);
+
+        Mockito.verify(virtualMachineManager, Mockito.never()).stateTransitTo(any(VirtualMachine.class), any(VirtualMachine.Event.class), any());
+    }
+
+    @Test
+    public void testTransitionExpungingToErrorHandlesNoTransitionException() throws Exception {
+        UserVmVO vm = mock(UserVmVO.class);
+        when(vm.getState()).thenReturn(VirtualMachine.State.Expunging);
+        when(userVmDao.findById(vmId)).thenReturn(vm);
+        when(virtualMachineManager.stateTransitTo(eq(vm), eq(VirtualMachine.Event.OperationFailedToError), eq(null)))
+                .thenThrow(new NoTransitionException("no transition"));
+
+        java.lang.reflect.Method method = UserVmManagerImpl.class.getDeclaredMethod("transitionExpungingToError", long.class);
+        method.setAccessible(true);
+        method.invoke(userVmManagerImpl, vmId);
+    }
+
+    private ServiceOfferingVO getMockedServiceOffering(boolean custom, boolean customSpeed) {
+        ServiceOfferingVO serviceOffering = mock(ServiceOfferingVO.class);
+        when(serviceOffering.getUuid()).thenReturn("offering-uuid");
+        when(serviceOffering.isDynamic()).thenReturn(custom);
+        when(serviceOffering.isCustomCpuSpeedSupported()).thenReturn(customSpeed);
+        if (custom) {
+            when(serviceOffering.getCpu()).thenReturn(null);
+            when(serviceOffering.getRamSize()).thenReturn(null);
+        }
+        if (customSpeed) {
+            when(serviceOffering.getSpeed()).thenReturn(null);
+        } else {
+            when(serviceOffering.isCustomCpuSpeedSupported()).thenReturn(false);
+            when(serviceOffering.getSpeed()).thenReturn(1000);
+        }
+        return serviceOffering;
+    }
+
+    @Test
+    public void customOfferingNeedsCustomizationThrowsException() {
+        ServiceOfferingVO serviceOffering = getMockedServiceOffering(true, true);
+        InvalidParameterValueException ex = Assert.assertThrows(InvalidParameterValueException.class, () ->
+                userVmManagerImpl.validateCustomParameters(serviceOffering, Collections.emptyMap()));
+        assertEquals("Need to specify custom parameter values cpu, cpu speed and memory when using custom offering", ex.getMessage());
+    }
+
+    @Test
+    public void cpuSpeedCustomizationNotAllowedThrowsException() {
+        ServiceOfferingVO serviceOffering = getMockedServiceOffering(true, false);
+
+        Map<String, String> customParameters = new HashMap<>();
+        customParameters.put(VmDetailConstants.CPU_NUMBER, "1");
+        customParameters.put(VmDetailConstants.CPU_SPEED, "2500");
+
+        InvalidParameterValueException ex = Assert.assertThrows(InvalidParameterValueException.class, () ->
+                userVmManagerImpl.validateCustomParameters(serviceOffering, customParameters));
+        Assert.assertTrue(ex.getMessage().startsWith("The CPU speed of this offering"));
+    }
+
+    @Test
+    public void cpuSpeedCustomizationAllowedDoesNotThrowException() {
+        ServiceOfferingVO serviceOffering = getMockedServiceOffering(true, true);
+
+        when(serviceOfferingDetailsDao.listDetailsKeyPairs(anyLong())).thenReturn(
+                Map.of(ApiConstants.MIN_CPU_NUMBER, "1",
+                        ApiConstants.MAX_CPU_NUMBER, "4",
+                        ApiConstants.MIN_MEMORY, "256",
+                        ApiConstants.MAX_MEMORY, "8192"));
+
+        Map<String, String> customParameters = new HashMap<>();
+        customParameters.put(VmDetailConstants.CPU_NUMBER, "1");
+        customParameters.put(VmDetailConstants.CPU_SPEED, "2500");
+        customParameters.put(VmDetailConstants.MEMORY, "256");
+
+        userVmManagerImpl.validateCustomParameters(serviceOffering, customParameters);
+    }
+
+    @Test
+    public void verifyVmLimits_fixedOffering_throwsException() {
+        when(userVmVoMock.getId()).thenReturn(1L);
+        when(userVmVoMock.getServiceOfferingId()).thenReturn(1L);
+        when(accountDao.findById(anyLong())).thenReturn(callerAccount);
+        ServiceOfferingVO serviceOffering = getMockedServiceOffering(false, false);
+        when(_serviceOfferingDao.findById(anyLong())).thenReturn(serviceOffering);
+        when(_serviceOfferingDao.findByIdIncludingRemoved(anyLong(), anyLong())).thenReturn(serviceOffering);
+
+        Map<String, String> customParameters = new HashMap<>();
+        customParameters.put(VmDetailConstants.CPU_SPEED, "2500");
+
+        InvalidParameterValueException ex = Assert.assertThrows(InvalidParameterValueException.class, () ->
+                userVmManagerImpl.verifyVmLimits(userVmVoMock, customParameters));
+        assertEquals("CPU number, Memory and CPU speed cannot be updated for a non-dynamic offering", ex.getMessage());
+    }
+
+    @Test
+    public void verifyVmLimits_constrainedOffering_throwsException() {
+        when(userVmVoMock.getId()).thenReturn(1L);
+        when(userVmVoMock.getServiceOfferingId()).thenReturn(1L);
+        when(accountDao.findById(anyLong())).thenReturn(callerAccount);
+        ServiceOfferingVO serviceOffering = getMockedServiceOffering(true, false);
+        when(_serviceOfferingDao.findById(anyLong())).thenReturn(serviceOffering);
+        when(_serviceOfferingDao.findByIdIncludingRemoved(anyLong(), anyLong())).thenReturn(serviceOffering);
+
+        Map<String, String> customParameters = new HashMap<>();
+        customParameters.put(VmDetailConstants.CPU_NUMBER, "1");
+        customParameters.put(VmDetailConstants.CPU_SPEED, "2500");
+
+        InvalidParameterValueException ex = Assert.assertThrows(InvalidParameterValueException.class, () ->
+                userVmManagerImpl.verifyVmLimits(userVmVoMock, customParameters));
+        Assert.assertTrue(ex.getMessage().startsWith("The CPU speed of this offering"));
+    }
 }
diff --git a/server/src/test/java/com/cloud/vm/snapshot/VMSnapshotManagerTest.java b/server/src/test/java/com/cloud/vm/snapshot/VMSnapshotManagerTest.java
index aa3cba61f62c..de535ecf7cb6 100644
--- a/server/src/test/java/com/cloud/vm/snapshot/VMSnapshotManagerTest.java
+++ b/server/src/test/java/com/cloud/vm/snapshot/VMSnapshotManagerTest.java
@@ -231,6 +231,7 @@ public void setup() {
         when(vmSnapshotVO.getId()).thenReturn(VM_SNAPSHOT_ID);
         when(serviceOffering.isDynamic()).thenReturn(false);
         when(_serviceOfferingDao.findById(SERVICE_OFFERING_ID)).thenReturn(serviceOffering);
+        when(_serviceOfferingDao.findByIdIncludingRemoved(TEST_VM_ID, SERVICE_OFFERING_ID)).thenReturn(serviceOffering);
 
         for (ResourceDetail detail : Arrays.asList(userVmDetailCpuNumber, vmSnapshotDetailCpuNumber)) {
             when(detail.getName()).thenReturn(VmDetailConstants.CPU_NUMBER);
@@ -360,25 +361,56 @@ public void testAddSupportForCustomServiceOfferingDynamicServiceOffering() {
     }
 
     @Test
-    public void testUpdateUserVmServiceOfferingSameServiceOffering() {
-        _vmSnapshotMgr.updateUserVmServiceOffering(userVm, vmSnapshotVO);
-        verify(_vmSnapshotMgr, never()).changeUserVmServiceOffering(userVm, vmSnapshotVO);
+    public void testUserVmServiceOfferingNeedsChangeWhenSnapshotOfferingDiffers() {
+        when(userVm.getServiceOfferingId()).thenReturn(SERVICE_OFFERING_DIFFERENT_ID);
+        when(vmSnapshotVO.getServiceOfferingId()).thenReturn(SERVICE_OFFERING_ID);
+
+        assertTrue(_vmSnapshotMgr.userVmServiceOfferingNeedsChange(userVm, vmSnapshotVO));
+
+        verify(_serviceOfferingDao, never()).findByIdIncludingRemoved(anyLong(), anyLong());
+        verify(_serviceOfferingDao, never()).getComputeOffering(any(ServiceOfferingVO.class), any());
     }
 
     @Test
-    public void testUpdateUserVmServiceOfferingDifferentServiceOffering() throws ConcurrentOperationException, ResourceUnavailableException, ManagementServerException, VirtualMachineMigrationException {
-        when(userVm.getServiceOfferingId()).thenReturn(SERVICE_OFFERING_DIFFERENT_ID);
-        when(_userVmManager.upgradeVirtualMachine(eq(TEST_VM_ID), eq(SERVICE_OFFERING_ID), mapDetailsCaptor.capture())).thenReturn(true);
-        _vmSnapshotMgr.updateUserVmServiceOffering(userVm, vmSnapshotVO);
+    public void testUserVmServiceOfferingNeedsChangeWhenSameNonDynamicOffering() {
+        assertFalse(_vmSnapshotMgr.userVmServiceOfferingNeedsChange(userVm, vmSnapshotVO));
 
-        verify(_vmSnapshotMgr).changeUserVmServiceOffering(userVm, vmSnapshotVO);
-        verify(_vmSnapshotMgr).getVmMapDetails(userVm);
-        verify(_vmSnapshotMgr).upgradeUserVmServiceOffering(eq(userVm), eq(SERVICE_OFFERING_ID), mapDetailsCaptor.capture());
+        verify(_serviceOfferingDao).findByIdIncludingRemoved(TEST_VM_ID, SERVICE_OFFERING_ID);
+        verify(_serviceOfferingDao, never()).getComputeOffering(any(ServiceOfferingVO.class), any());
+    }
+
+    @Test
+    public void testUserVmServiceOfferingNeedsChangeWhenDynamicOfferingMatchesSnapshot() {
+        when(serviceOffering.isDynamic()).thenReturn(true);
+        when(serviceOffering.getCpu()).thenReturn(2);
+        when(serviceOffering.getRamSize()).thenReturn(2048);
+        when(serviceOffering.getSpeed()).thenReturn(1000);
+        when(_serviceOfferingDao.getComputeOffering(eq(serviceOffering), any())).thenReturn(serviceOffering);
+
+        assertFalse(_vmSnapshotMgr.userVmServiceOfferingNeedsChange(userVm, vmSnapshotVO));
+
+        verify(_serviceOfferingDao).getComputeOffering(eq(serviceOffering), any());
+        verify(_vmSnapshotMgr).getVmMapDetails(vmSnapshotVO);
+    }
+
+    @Test
+    public void testUserVmServiceOfferingNeedsChangeWhenDynamicCpuDiffersFromSnapshot() {
+        when(serviceOffering.isDynamic()).thenReturn(true);
+        when(serviceOffering.getCpu()).thenReturn(2);
+        when(serviceOffering.getRamSize()).thenReturn(2048);
+        when(serviceOffering.getSpeed()).thenReturn(1000);
+        ServiceOfferingVO fromSnapshot = mock(ServiceOfferingVO.class);
+        when(fromSnapshot.getCpu()).thenReturn(4);
+        when(fromSnapshot.getRamSize()).thenReturn(2048);
+        when(fromSnapshot.getSpeed()).thenReturn(1000);
+        when(_serviceOfferingDao.getComputeOffering(eq(serviceOffering), any())).thenReturn(fromSnapshot);
+
+        assertTrue(_vmSnapshotMgr.userVmServiceOfferingNeedsChange(userVm, vmSnapshotVO));
     }
 
     @Test
     public void testGetVmMapDetails() {
-        Map<String, String> result = _vmSnapshotMgr.getVmMapDetails(userVm);
+        Map<String, String> result = _vmSnapshotMgr.getVmMapDetails(vmSnapshotVO);
         assert(result.containsKey(userVmDetailCpuNumber.getName()));
         assert(result.containsKey(userVmDetailMemory.getName()));
         assertEquals(userVmDetails.size(), result.size());
@@ -390,7 +422,7 @@ public void testGetVmMapDetails() {
     public void testChangeUserVmServiceOffering() throws ConcurrentOperationException, ResourceUnavailableException, ManagementServerException, VirtualMachineMigrationException {
         when(_userVmManager.upgradeVirtualMachine(eq(TEST_VM_ID), eq(SERVICE_OFFERING_ID), mapDetailsCaptor.capture())).thenReturn(true);
         _vmSnapshotMgr.changeUserVmServiceOffering(userVm, vmSnapshotVO);
-        verify(_vmSnapshotMgr).getVmMapDetails(userVm);
+        verify(_vmSnapshotMgr).getVmMapDetails(vmSnapshotVO);
         verify(_vmSnapshotMgr).upgradeUserVmServiceOffering(eq(userVm), eq(SERVICE_OFFERING_ID), mapDetailsCaptor.capture());
     }
 
@@ -398,7 +430,7 @@ public void testChangeUserVmServiceOffering() throws ConcurrentOperationExceptio
     public void testChangeUserVmServiceOfferingFailOnUpgradeVMServiceOffering() throws ConcurrentOperationException, ResourceUnavailableException, ManagementServerException, VirtualMachineMigrationException {
         when(_userVmManager.upgradeVirtualMachine(eq(TEST_VM_ID), eq(SERVICE_OFFERING_ID), mapDetailsCaptor.capture())).thenReturn(false);
         _vmSnapshotMgr.changeUserVmServiceOffering(userVm, vmSnapshotVO);
-        verify(_vmSnapshotMgr).getVmMapDetails(userVm);
+        verify(_vmSnapshotMgr).getVmMapDetails(vmSnapshotVO);
         verify(_vmSnapshotMgr).upgradeUserVmServiceOffering(eq(userVm), eq(SERVICE_OFFERING_ID), mapDetailsCaptor.capture());
     }
 
diff --git a/server/src/test/java/com/cloud/vpc/MockNetworkManagerImpl.java b/server/src/test/java/com/cloud/vpc/MockNetworkManagerImpl.java
index de768388b449..e4bc2096b9da 100644
--- a/server/src/test/java/com/cloud/vpc/MockNetworkManagerImpl.java
+++ b/server/src/test/java/com/cloud/vpc/MockNetworkManagerImpl.java
@@ -704,11 +704,19 @@ public Network createPrivateNetwork(final long networkOfferingId, final String n
     public Network createGuestNetwork(long networkOfferingId, String name, String displayText, String gateway, String cidr, String vlanId, boolean bypassVlanOverlapCheck, String networkDomain,
                                       Account owner, Long domainId, PhysicalNetwork physicalNetwork, long zoneId, ACLType aclType, Boolean subdomainAccess, Long vpcId, String gatewayv6,
                                       String cidrv6, Boolean displayNetworkEnabled, String isolatedPvlan, Network.PVlanType isolatedPvlanType, String externalId, String routerIp, String routerIpv6,
-                                      String ip4Dns1, String ip4Dns2, String ip6Dns1, String ip6Dns2, Pair<Integer, Integer> vrIfaceMTUs, Integer networkCidrSize) throws ConcurrentOperationException, ResourceAllocationException {
+                                      String ip4Dns1, String ip4Dns2, String ip6Dns1, String ip6Dns2, Pair<Integer, Integer> vrIfaceMTUs, Integer networkCidrSize) throws ConcurrentOperationException {
         // TODO Auto-generated method stub
         return null;
     }
 
+    @Override
+    public Network createGuestNetwork(long networkOfferingId, String name, String displayText, String gateway, String cidr, String vlanId, boolean bypassVlanOverlapCheck, String networkDomain,
+                                      Account owner, Long domainId, PhysicalNetwork physicalNetwork, long zoneId, ACLType aclType, Boolean subdomainAccess, Long vpcId, String gatewayv6,
+                                      String cidrv6, Boolean displayNetworkEnabled, String isolatedPvlan, Network.PVlanType isolatedPvlanType, String externalId, String routerIp, String routerIpv6,
+                                      String ip4Dns1, String ip4Dns2, String ip6Dns1, String ip6Dns2, Pair<Integer, Integer> vrIfaceMTUs, Integer networkCidrSize, boolean keepMacAddressOnPublicNic) throws ConcurrentOperationException {
+        return null;
+    }
+
     /* (non-Javadoc)
      * @see com.cloud.network.NetworkManager#getPasswordResetProvider(com.cloud.network.Network)
      */
@@ -952,7 +960,7 @@ public void removeDhcpServiceInSubnet(Nic nic) {
     }
 
     @Override
-    public boolean resourceCountNeedsUpdate(NetworkOffering ntwkOff, ACLType aclType) {
+    public boolean isResourceCountUpdateNeeded(NetworkOffering ntwkOff) {
         return false;  //To change body of implemented methods use File | Settings | File Templates.
     }
 
diff --git a/server/src/test/java/com/cloud/vpc/MockResourceLimitManagerImpl.java b/server/src/test/java/com/cloud/vpc/MockResourceLimitManagerImpl.java
index 151c7ff8908a..9e0997df08cb 100644
--- a/server/src/test/java/com/cloud/vpc/MockResourceLimitManagerImpl.java
+++ b/server/src/test/java/com/cloud/vpc/MockResourceLimitManagerImpl.java
@@ -24,6 +24,7 @@
 
 import org.apache.cloudstack.api.response.AccountResponse;
 import org.apache.cloudstack.api.response.DomainResponse;
+import org.apache.cloudstack.resourcelimit.Reserver;
 import org.springframework.stereotype.Component;
 
 import com.cloud.configuration.Resource.ResourceType;
@@ -237,6 +238,11 @@ public void checkResourceLimitWithTag(Account account, ResourceType type, String
 
     }
 
+    @Override
+    public void checkResourceLimitWithTag(Account account, Long domainId, boolean considerSystemAccount, ResourceType type, String tag, long... count) throws ResourceAllocationException {
+
+    }
+
     @Override
     public List<String> getResourceLimitHostTags() {
         return null;
@@ -268,19 +274,24 @@ public List<String> getResourceLimitStorageTags(DiskOffering diskOffering) {
     }
 
     @Override
-    public void checkVolumeResourceLimit(Account owner, Boolean display, Long size, DiskOffering diskOffering) throws ResourceAllocationException {
+    public void checkVolumeResourceLimit(Account owner, Boolean display, Long size, DiskOffering diskOffering, List<Reserver> reservations) throws ResourceAllocationException {
 
     }
 
+    @Override
+    public List<String> getResourceLimitStorageTagsForResourceCountOperation(Boolean display, DiskOffering diskOffering) {
+        return null;
+    }
+
     @Override
     public void checkVolumeResourceLimitForDiskOfferingChange(Account owner, Boolean display, Long currentSize, Long newSize,
-            DiskOffering currentOffering, DiskOffering newOffering) throws ResourceAllocationException {
+            DiskOffering currentOffering, DiskOffering newOffering, List<Reserver> reservations) throws ResourceAllocationException {
 
     }
 
     @Override
     public void checkPrimaryStorageResourceLimit(Account owner, Boolean display, Long size,
-            DiskOffering diskOffering) {
+            DiskOffering diskOffering, List<Reserver> reservations) {
 
     }
 
@@ -324,7 +335,7 @@ public void decrementVolumePrimaryStorageResourceCount(long accountId, Boolean d
     }
 
     @Override
-    public void checkVmResourceLimit(Account owner, Boolean display, ServiceOffering serviceOffering, VirtualMachineTemplate template) throws ResourceAllocationException {
+    public void checkVmResourceLimit(Account owner, Boolean display, ServiceOffering serviceOffering, VirtualMachineTemplate template, List<Reserver> reservations) throws ResourceAllocationException {
 
     }
 
@@ -341,19 +352,14 @@ public void decrementVmResourceCount(long accountId, Boolean display, ServiceOff
     @Override
     public void checkVmResourceLimitsForServiceOfferingChange(Account owner, Boolean display, Long currentCpu, Long newCpu,
             Long currentMemory, Long newMemory, ServiceOffering currentOffering, ServiceOffering newOffering,
-            VirtualMachineTemplate template) throws ResourceAllocationException {
+            VirtualMachineTemplate template, List<Reserver> reservations) throws ResourceAllocationException {
 
     }
 
     @Override
     public void checkVmResourceLimitsForTemplateChange(Account owner, Boolean display, ServiceOffering offering,
             VirtualMachineTemplate currentTemplate,
-            VirtualMachineTemplate newTemplate) throws ResourceAllocationException {
-
-    }
-
-    @Override
-    public void checkVmCpuResourceLimit(Account owner, Boolean display, ServiceOffering serviceOffering, VirtualMachineTemplate template, Long cpu) throws ResourceAllocationException {
+            VirtualMachineTemplate newTemplate, List<Reserver> reservations) throws ResourceAllocationException {
 
     }
 
@@ -367,11 +373,6 @@ public void decrementVmCpuResourceCount(long accountId, Boolean display, Service
 
     }
 
-    @Override
-    public void checkVmMemoryResourceLimit(Account owner, Boolean display, ServiceOffering serviceOffering, VirtualMachineTemplate template, Long memory) throws ResourceAllocationException {
-
-    }
-
     @Override
     public void incrementVmMemoryResourceCount(long accountId, Boolean display, ServiceOffering serviceOffering, VirtualMachineTemplate template, Long memory) {
 
@@ -383,17 +384,17 @@ public void decrementVmMemoryResourceCount(long accountId, Boolean display, Serv
     }
 
     @Override
-    public void checkVmGpuResourceLimit(Account owner, Boolean display, ServiceOffering serviceOffering, VirtualMachineTemplate template, Long gpu) throws ResourceAllocationException {
+    public void incrementVmGpuResourceCount(long accountId, Boolean display, ServiceOffering serviceOffering, VirtualMachineTemplate template, Long gpu) {
 
     }
 
     @Override
-    public void incrementVmGpuResourceCount(long accountId, Boolean display, ServiceOffering serviceOffering, VirtualMachineTemplate template, Long gpu) {
+    public void decrementVmGpuResourceCount(long accountId, Boolean display, ServiceOffering serviceOffering, VirtualMachineTemplate template, Long gpu) {
 
     }
 
     @Override
-    public void decrementVmGpuResourceCount(long accountId, Boolean display, ServiceOffering serviceOffering, VirtualMachineTemplate template, Long gpu) {
-
+    public long recalculateDomainResourceCount(long domainId, ResourceType type, String tag) {
+        return 0;
     }
 }
diff --git a/server/src/test/java/org/apache/cloudstack/backup/BackupManagerTest.java b/server/src/test/java/org/apache/cloudstack/backup/BackupManagerTest.java
index 9aba65791a3e..8094bddf47fb 100644
--- a/server/src/test/java/org/apache/cloudstack/backup/BackupManagerTest.java
+++ b/server/src/test/java/org/apache/cloudstack/backup/BackupManagerTest.java
@@ -16,9 +16,77 @@
 // under the License.
 package org.apache.cloudstack.backup;
 
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyInt;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.Mockito.atLeastOnce;
+import static org.mockito.Mockito.doNothing;
+import static org.mockito.Mockito.doReturn;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import java.util.TimeZone;
+import java.util.UUID;
+
+import org.junit.After;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.ArgumentCaptor;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.MockedStatic;
+import org.mockito.Mockito;
+import org.mockito.MockitoAnnotations;
+import org.mockito.Spy;
+import org.mockito.junit.MockitoJUnitRunner;
+import org.mockito.stubbing.Answer;
+import org.springframework.test.util.ReflectionTestUtils;
+
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.ServerApiException;
+import org.apache.cloudstack.api.command.admin.backup.CloneBackupOfferingCmd;
+import org.apache.cloudstack.api.command.admin.backup.ImportBackupOfferingCmd;
+import org.apache.cloudstack.api.command.admin.backup.UpdateBackupOfferingCmd;
+import org.apache.cloudstack.api.command.user.backup.CreateBackupCmd;
+import org.apache.cloudstack.api.command.user.backup.CreateBackupScheduleCmd;
+import org.apache.cloudstack.api.command.user.backup.DeleteBackupScheduleCmd;
+import org.apache.cloudstack.api.command.user.backup.ListBackupOfferingsCmd;
+import org.apache.cloudstack.api.command.user.backup.ListBackupScheduleCmd;
+import org.apache.cloudstack.api.response.BackupResponse;
+import org.apache.cloudstack.backup.dao.BackupDao;
+import org.apache.cloudstack.backup.dao.BackupDetailsDao;
+import org.apache.cloudstack.backup.dao.BackupOfferingDetailsDao;
+import org.apache.cloudstack.backup.dao.BackupOfferingDao;
+import org.apache.cloudstack.backup.dao.BackupScheduleDao;
+import org.apache.cloudstack.context.CallContext;
+import org.apache.cloudstack.framework.config.ConfigKey;
+import org.apache.cloudstack.framework.config.impl.ConfigDepotImpl;
+import org.apache.cloudstack.framework.jobs.AsyncJobManager;
+import org.apache.cloudstack.framework.jobs.impl.AsyncJobVO;
+import org.apache.cloudstack.reservation.ReservationVO;
+import org.apache.cloudstack.reservation.dao.ReservationDao;
+import org.apache.cloudstack.storage.datastore.db.PrimaryDataStoreDao;
+import org.apache.cloudstack.storage.datastore.db.StoragePoolVO;
+
+import com.cloud.alert.AlertManager;
 import com.cloud.api.query.dao.UserVmJoinDao;
 import com.cloud.api.query.vo.UserVmJoinVO;
-import com.cloud.alert.AlertManager;
 import com.cloud.capacity.CapacityVO;
 import com.cloud.configuration.Resource;
 import com.cloud.dc.DataCenter;
@@ -31,6 +99,7 @@
 import com.cloud.event.EventTypes;
 import com.cloud.event.UsageEventUtils;
 import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.exception.ResourceAllocationException;
 import com.cloud.host.HostVO;
 import com.cloud.host.dao.HostDao;
 import com.cloud.hypervisor.Hypervisor;
@@ -42,7 +111,6 @@
 import com.cloud.service.ServiceOfferingVO;
 import com.cloud.service.dao.ServiceOfferingDao;
 import com.cloud.storage.DiskOfferingVO;
-import com.cloud.exception.ResourceAllocationException;
 import com.cloud.storage.Storage;
 import com.cloud.storage.VMTemplateVO;
 import com.cloud.storage.Volume;
@@ -62,6 +130,8 @@
 import com.cloud.utils.DateUtil;
 import com.cloud.utils.DomainHelper;
 import com.cloud.utils.Pair;
+import com.cloud.utils.StringUtils;
+import com.cloud.utils.db.DbUtil;
 import com.cloud.utils.db.SearchBuilder;
 import com.cloud.utils.db.SearchCriteria;
 import com.cloud.utils.exception.CloudRuntimeException;
@@ -69,71 +139,11 @@
 import com.cloud.vm.VMInstanceDetailVO;
 import com.cloud.vm.VMInstanceVO;
 import com.cloud.vm.VirtualMachine;
-import com.cloud.vm.VmDiskInfo;
 import com.cloud.vm.VirtualMachineManager;
-import com.cloud.vm.dao.VMInstanceDetailsDao;
+import com.cloud.vm.VmDiskInfo;
 import com.cloud.vm.dao.VMInstanceDao;
+import com.cloud.vm.dao.VMInstanceDetailsDao;
 import com.google.gson.Gson;
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.ServerApiException;
-import org.apache.cloudstack.api.command.admin.backup.CloneBackupOfferingCmd;
-import org.apache.cloudstack.api.command.admin.backup.ImportBackupOfferingCmd;
-import org.apache.cloudstack.api.command.admin.backup.UpdateBackupOfferingCmd;
-import org.apache.cloudstack.api.command.user.backup.CreateBackupCmd;
-import org.apache.cloudstack.api.command.user.backup.CreateBackupScheduleCmd;
-import org.apache.cloudstack.api.command.user.backup.DeleteBackupScheduleCmd;
-import org.apache.cloudstack.api.command.user.backup.ListBackupOfferingsCmd;
-import org.apache.cloudstack.api.command.user.backup.ListBackupScheduleCmd;
-import org.apache.cloudstack.api.response.BackupResponse;
-import org.apache.cloudstack.backup.dao.BackupDao;
-import org.apache.cloudstack.backup.dao.BackupDetailsDao;
-import org.apache.cloudstack.backup.dao.BackupOfferingDao;
-import org.apache.cloudstack.backup.dao.BackupOfferingDetailsDao;
-import org.apache.cloudstack.backup.dao.BackupScheduleDao;
-import org.apache.cloudstack.context.CallContext;
-import org.apache.cloudstack.framework.config.ConfigKey;
-import org.apache.cloudstack.framework.config.impl.ConfigDepotImpl;
-import org.apache.cloudstack.storage.datastore.db.PrimaryDataStoreDao;
-import org.apache.cloudstack.storage.datastore.db.StoragePoolVO;
-import org.apache.cloudstack.framework.jobs.impl.AsyncJobVO;
-import org.junit.After;
-import org.junit.Assert;
-import org.junit.Before;
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.mockito.junit.MockitoJUnitRunner;
-import org.mockito.InjectMocks;
-import org.mockito.Mock;
-import org.mockito.MockedStatic;
-import org.mockito.Mockito;
-import org.mockito.MockitoAnnotations;
-import org.mockito.Spy;
-import org.springframework.test.util.ReflectionTestUtils;
-
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.Optional;
-import java.util.TimeZone;
-import java.util.UUID;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertNull;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.Mockito.doNothing;
-import static org.mockito.Mockito.doReturn;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.never;
-import static org.mockito.Mockito.times;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
-import static org.mockito.Mockito.atLeastOnce;
-import org.mockito.ArgumentCaptor;
 
 @RunWith(MockitoJUnitRunner.class)
 public class BackupManagerTest {
@@ -243,6 +253,9 @@ public class BackupManagerTest {
     @Mock
     DomainDao domainDao;
 
+    @Mock
+    ReservationDao reservationDao;
+
     @Mock
     private GuestOSDao _guestOSDao;
 
@@ -252,6 +265,9 @@ public class BackupManagerTest {
     @Mock
     DomainHelper domainHelper;
 
+    @Mock
+    AsyncJobManager asyncJobManager;
+
     private Gson gson;
 
     private String[] hostPossibleValues = {"127.0.0.1", "hostname"};
@@ -259,6 +275,8 @@ public class BackupManagerTest {
     private AutoCloseable closeable;
     private ConfigDepotImpl configDepotImpl;
     private boolean updatedConfigKeyDepot = false;
+    private MockedStatic<DbUtil> dbUtilMockedStatic;
+    private final List<String> mockedGlobalLocks = new ArrayList<>();
 
     @Before
     public void setup() throws Exception {
@@ -290,6 +308,29 @@ public void setup() throws Exception {
         backupProvidersMap.put(backupProvider.getName().toLowerCase(), backupProvider);
         ReflectionTestUtils.setField(backupManager, "backupProvidersMap", backupProvidersMap);
 
+        when(reservationDao.persist(any(ReservationVO.class)))
+                .thenAnswer((Answer<ReservationVO>) invocation -> {
+                    ReservationVO reservationVO = (ReservationVO)invocation.getArguments()[0];
+                    ReflectionTestUtils.setField(reservationVO, "id", 10L);
+                    return reservationVO;
+                });
+        dbUtilMockedStatic = Mockito.mockStatic(DbUtil.class);
+        dbUtilMockedStatic.when(() -> DbUtil.getGlobalLock(anyString(), anyInt())).thenAnswer((Answer<Boolean>) invocation -> {
+                String lockName = invocation.getArgument(0);
+                if (!StringUtils.isBlank(lockName) && !mockedGlobalLocks.contains(lockName)) {
+                    mockedGlobalLocks.add(lockName);
+                    return true;
+                }
+                return false;
+            });
+        dbUtilMockedStatic.when(() -> DbUtil.releaseGlobalLock(anyString())).thenAnswer((Answer<Boolean>) invocation -> {
+            String lockName = invocation.getArgument(0);
+            if (!StringUtils.isBlank(lockName)) {
+                mockedGlobalLocks.remove(lockName);
+            }
+            return true;
+        });
+
         Account account = mock(Account.class);
         User user = mock(User.class);
         CallContext.register(user, account);
@@ -297,6 +338,7 @@ public void setup() throws Exception {
 
     @After
     public void tearDown() throws Exception {
+        dbUtilMockedStatic.close();
         closeable.close();
         if (updatedConfigKeyDepot) {
             ReflectionTestUtils.setField(BackupManager.BackupFrameworkEnabled, "s_depot", configDepotImpl);
@@ -634,6 +676,7 @@ public void createBackupTestCreateScheduledBackup() throws ResourceAllocationExc
         Long oldestBackupId = 7L;
         Long newBackupSize = 1000000000L;
         Long oldBackupSize = 400000000L;
+        long domainId = 101L;
 
         when(vmInstanceDao.findById(vmId)).thenReturn(vmInstanceVOMock);
         when(vmInstanceVOMock.getDataCenterId()).thenReturn(zoneId);
@@ -648,6 +691,7 @@ public void createBackupTestCreateScheduledBackup() throws ResourceAllocationExc
         Mockito.doReturn(scheduleId).when(backupManager).getBackupScheduleId(asyncJobVOMock);
 
         when(accountManager.getAccount(accountId)).thenReturn(accountVOMock);
+        when(accountVOMock.getDomainId()).thenReturn(domainId);
 
         BackupScheduleVO schedule = mock(BackupScheduleVO.class);
         when(backupScheduleDao.findById(scheduleId)).thenReturn(schedule);
@@ -689,8 +733,10 @@ public void createBackupTestCreateScheduledBackup() throws ResourceAllocationExc
 
             assertTrue(backupManager.createBackup(cmd, asyncJobVOMock));
 
-            Mockito.verify(resourceLimitMgr, times(1)).checkResourceLimit(accountVOMock, Resource.ResourceType.backup);
-            Mockito.verify(resourceLimitMgr, times(1)).checkResourceLimit(accountVOMock, Resource.ResourceType.backup_storage, newBackupSize);
+            Mockito.verify(resourceLimitMgr, times(1))
+                    .checkResourceLimitWithTag(accountVOMock, domainId, true, Resource.ResourceType.backup, null, 1L);
+            Mockito.verify(resourceLimitMgr, times(1))
+                    .checkResourceLimitWithTag(accountVOMock, domainId, true, Resource.ResourceType.backup_storage, null, newBackupSize);
 
             Mockito.verify(resourceLimitMgr, times(1)).incrementResourceCount(accountId, Resource.ResourceType.backup);
             Mockito.verify(resourceLimitMgr, times(1)).incrementResourceCount(accountId, Resource.ResourceType.backup_storage, newBackupSize);
@@ -706,6 +752,7 @@ public void createBackupTestResourceLimitReached() throws ResourceAllocationExce
         Long scheduleId = 3L;
         Long backupOfferingId = 4L;
         Long accountId = 5L;
+        long domainId = 101L;
 
         when(vmInstanceDao.findById(vmId)).thenReturn(vmInstanceVOMock);
         when(vmInstanceVOMock.getDataCenterId()).thenReturn(zoneId);
@@ -720,7 +767,9 @@ public void createBackupTestResourceLimitReached() throws ResourceAllocationExce
 
         Account account = Mockito.mock(Account.class);
         when(accountManager.getAccount(accountId)).thenReturn(account);
-        Mockito.doThrow(new ResourceAllocationException("", Resource.ResourceType.backup)).when(resourceLimitMgr).checkResourceLimit(account, Resource.ResourceType.backup);
+        when(account.getDomainId()).thenReturn(domainId);
+        Mockito.doThrow(new ResourceAllocationException("", Resource.ResourceType.backup)).when(resourceLimitMgr)
+                .checkResourceLimitWithTag(account, domainId, true, Resource.ResourceType.backup, null, 1L);
 
         CreateBackupCmd cmd = Mockito.mock(CreateBackupCmd.class);
         when(cmd.getVmId()).thenReturn(vmId);
@@ -744,6 +793,8 @@ public void testCreateBackupStorageLimitReached() throws ResourceAllocationExcep
         Long scheduleId = 3L;
         Long backupOfferingId = 4L;
         Long accountId = 5L;
+        long domainId = 101L;
+        long size = 10000L;
 
         VMInstanceVO vm = Mockito.mock(VMInstanceVO.class);
         when(vmInstanceDao.findById(vmId)).thenReturn(vm);
@@ -751,6 +802,11 @@ public void testCreateBackupStorageLimitReached() throws ResourceAllocationExcep
         when(vm.getBackupOfferingId()).thenReturn(backupOfferingId);
         when(vm.getAccountId()).thenReturn(accountId);
 
+        VolumeVO volume = mock(VolumeVO.class);
+        when(volumeDao.findByInstance(vmId)).thenReturn(List.of(volume));
+        when(volume.getState()).thenReturn(Volume.State.Ready);
+        when(volumeApiService.getVolumePhysicalSize(null, null, null)).thenReturn(size);
+
         overrideBackupFrameworkConfigValue();
         BackupOfferingVO offering = Mockito.mock(BackupOfferingVO.class);
         when(backupOfferingDao.findById(backupOfferingId)).thenReturn(offering);
@@ -761,7 +817,10 @@ public void testCreateBackupStorageLimitReached() throws ResourceAllocationExcep
 
         Account account = Mockito.mock(Account.class);
         when(accountManager.getAccount(accountId)).thenReturn(account);
-        Mockito.doThrow(new ResourceAllocationException("", Resource.ResourceType.backup_storage)).when(resourceLimitMgr).checkResourceLimit(account, Resource.ResourceType.backup_storage, 0L);
+        when(account.getDomainId()).thenReturn(domainId);
+        Mockito.doThrow(new ResourceAllocationException("", Resource.ResourceType.backup_storage))
+                .when(resourceLimitMgr)
+                .checkResourceLimitWithTag(account, domainId, true, Resource.ResourceType.backup_storage, null, size);
 
         CreateBackupCmd cmd = Mockito.mock(CreateBackupCmd.class);
         when(cmd.getVmId()).thenReturn(vmId);
@@ -1488,7 +1547,7 @@ public void testGetIpToNetworkMapFromBackup() {
     }
 
     @Test
-    public void testDeleteBackupVmNotFound() {
+    public void testDeleteBackupVmNotFound() throws ResourceAllocationException {
         Long backupId = 1L;
         Long vmId = 2L;
         Long zoneId = 3L;
@@ -1503,8 +1562,10 @@ public void testDeleteBackupVmNotFound() {
         when(backup.getVmId()).thenReturn(vmId);
         when(backup.getZoneId()).thenReturn(zoneId);
         when(backup.getAccountId()).thenReturn(accountId);
+        when(accountManager.getAccount(accountId)).thenReturn(accountVOMock);
         when(backup.getBackupOfferingId()).thenReturn(backupOfferingId);
         when(backup.getSize()).thenReturn(100L);
+        when(backup.getUuid()).thenReturn("backup-uuid");
 
         overrideBackupFrameworkConfigValue();
 
@@ -1539,6 +1600,31 @@ public void testDeleteBackupVmNotFound() {
         }
     }
 
+    @Test(expected = CloudRuntimeException.class)
+    public void testDeleteBackupBlockedByPendingJobs() throws ResourceAllocationException {
+        Long backupId = 1L;
+        Long vmId = 2L;
+
+        BackupVO backup = mock(BackupVO.class);
+        when(backup.getVmId()).thenReturn(vmId);
+        when(backup.getUuid()).thenReturn("backup-uuid");
+        when(backup.getZoneId()).thenReturn(1L);
+        when(backupDao.findByIdIncludingRemoved(backupId)).thenReturn(backup);
+
+        VMInstanceVO vm = mock(VMInstanceVO.class);
+        when(vmInstanceDao.findByIdIncludingRemoved(vmId)).thenReturn(vm);
+
+        overrideBackupFrameworkConfigValue();
+
+        when(asyncJobManager.countPendingJobs("backup-uuid",
+                "org.apache.cloudstack.api.command.user.vm.CreateVMFromBackupCmd",
+                "org.apache.cloudstack.api.command.admin.vm.CreateVMFromBackupCmdByAdmin",
+                "org.apache.cloudstack.api.command.user.backup.RestoreBackupCmd",
+                "org.apache.cloudstack.api.command.user.backup.RestoreVolumeFromBackupAndAttachToVMCmd")).thenReturn(1L);
+
+        backupManager.deleteBackup(backupId, false);
+    }
+
     @Test
     public void testNewBackupResponse() {
         Long vmId = 1L;
@@ -1743,13 +1829,13 @@ public void getBackupScheduleTestReturnNullWhenSpecifiedBackupScheduleIdIsNotALo
     }
 
     @Test
-    public void deleteOldestBackupFromScheduleIfRequiredTestSkipDeletionWhenBackupScheduleIsNotFound() {
+    public void deleteOldestBackupFromScheduleIfRequiredTestSkipDeletionWhenBackupScheduleIsNotFound() throws ResourceAllocationException {
         backupManager.deleteOldestBackupFromScheduleIfRequired(1L, 1L);
         Mockito.verify(backupManager, Mockito.never()).deleteExcessBackups(Mockito.anyList(), Mockito.anyInt(), Mockito.anyLong());
     }
 
     @Test
-    public void deleteOldestBackupFromScheduleIfRequiredTestSkipDeletionWhenRetentionIsEqualToZero() {
+    public void deleteOldestBackupFromScheduleIfRequiredTestSkipDeletionWhenRetentionIsEqualToZero() throws ResourceAllocationException {
         Mockito.when(backupScheduleDao.findById(1L)).thenReturn(backupScheduleVOMock);
         Mockito.when(backupScheduleVOMock.getMaxBackups()).thenReturn(0);
         backupManager.deleteOldestBackupFromScheduleIfRequired(1L, 1L);
@@ -1757,7 +1843,7 @@ public void deleteOldestBackupFromScheduleIfRequiredTestSkipDeletionWhenRetentio
     }
 
     @Test
-    public void deleteOldestBackupFromScheduleIfRequiredTestSkipDeletionWhenAmountOfBackupsToBeDeletedIsLessThanOne() {
+    public void deleteOldestBackupFromScheduleIfRequiredTestSkipDeletionWhenAmountOfBackupsToBeDeletedIsLessThanOne() throws ResourceAllocationException {
         List<BackupVO> backups = List.of(Mockito.mock(BackupVO.class), Mockito.mock(BackupVO.class));
         Mockito.when(backupScheduleDao.findById(1L)).thenReturn(backupScheduleVOMock);
         Mockito.when(backupScheduleVOMock.getMaxBackups()).thenReturn(2);
@@ -1767,7 +1853,7 @@ public void deleteOldestBackupFromScheduleIfRequiredTestSkipDeletionWhenAmountOf
     }
 
     @Test
-    public void deleteOldestBackupFromScheduleIfRequiredTestDeleteBackupsWhenRequired() {
+    public void deleteOldestBackupFromScheduleIfRequiredTestDeleteBackupsWhenRequired() throws ResourceAllocationException {
         List<BackupVO> backups = List.of(Mockito.mock(BackupVO.class), Mockito.mock(BackupVO.class));
         Mockito.when(backupScheduleDao.findById(1L)).thenReturn(backupScheduleVOMock);
         Mockito.when(backupScheduleVOMock.getMaxBackups()).thenReturn(1);
@@ -1778,7 +1864,7 @@ public void deleteOldestBackupFromScheduleIfRequiredTestDeleteBackupsWhenRequire
     }
 
     @Test
-    public void deleteExcessBackupsTestEnsureBackupsAreDeletedWhenMethodIsCalled() {
+    public void deleteExcessBackupsTestEnsureBackupsAreDeletedWhenMethodIsCalled() throws ResourceAllocationException {
         try (MockedStatic<ActionEventUtils> actionEventUtils = Mockito.mockStatic(ActionEventUtils.class)) {
             List<BackupVO> backups = List.of(Mockito.mock(BackupVO.class),
                     Mockito.mock(BackupVO.class),
diff --git a/server/src/test/java/org/apache/cloudstack/ca/CABackgroundTaskTest.java b/server/src/test/java/org/apache/cloudstack/ca/CABackgroundTaskTest.java
index 691bd882c078..7717e6427662 100644
--- a/server/src/test/java/org/apache/cloudstack/ca/CABackgroundTaskTest.java
+++ b/server/src/test/java/org/apache/cloudstack/ca/CABackgroundTaskTest.java
@@ -115,19 +115,19 @@ public void testAutoRenewalEnabledWithNoExceptionsOnProvisioning() throws Except
         certMap.put(hostIp, expiredCertificate);
         Assume.assumeThat(certMap.size() == 1, is(true));
         task.runInContext();
-        Mockito.verify(caManager, Mockito.times(1)).provisionCertificate(host, false, null);
+        Mockito.verify(caManager, Mockito.times(1)).provisionCertificate(host, false, null, false);
         Mockito.verify(caManager, Mockito.times(0)).sendAlert(Mockito.any(Host.class), Mockito.anyString(), Mockito.anyString());
     }
 
     @Test
     public void testAutoRenewalEnabledWithExceptionsOnProvisioning() throws Exception {
         overrideDefaultConfigValue(AutomaticCertRenewal, "_defaultValue", "true");
-        Mockito.when(caManager.provisionCertificate(any(Host.class), anyBoolean(), nullable(String.class))).thenThrow(new CloudRuntimeException("some error"));
+        Mockito.when(caManager.provisionCertificate(any(Host.class), anyBoolean(), nullable(String.class), anyBoolean())).thenThrow(new CloudRuntimeException("some error"));
         host.setManagementServerId(ManagementServerNode.getManagementServerId());
         certMap.put(hostIp, expiredCertificate);
         Assume.assumeThat(certMap.size() == 1, is(true));
         task.runInContext();
-        Mockito.verify(caManager, Mockito.times(1)).provisionCertificate(host, false, null);
+        Mockito.verify(caManager, Mockito.times(1)).provisionCertificate(host, false, null, false);
         Mockito.verify(caManager, Mockito.times(1)).sendAlert(Mockito.any(Host.class), Mockito.anyString(), Mockito.anyString());
     }
 
@@ -138,12 +138,12 @@ public void testAutoRenewalDisabled() throws Exception {
         Assume.assumeThat(certMap.size() == 1, is(true));
         // First round
         task.runInContext();
-        Mockito.verify(caManager, Mockito.times(0)).provisionCertificate(Mockito.any(Host.class), anyBoolean(), Mockito.anyString());
+        Mockito.verify(caManager, Mockito.times(0)).provisionCertificate(Mockito.any(Host.class), anyBoolean(), Mockito.anyString(), Mockito.anyBoolean());
         Mockito.verify(caManager, Mockito.times(1)).sendAlert(Mockito.any(Host.class), Mockito.anyString(), Mockito.anyString());
         Mockito.reset(caManager);
         // Second round
         task.runInContext();
-        Mockito.verify(caManager, Mockito.times(0)).provisionCertificate(Mockito.any(Host.class), anyBoolean(), Mockito.anyString());
+        Mockito.verify(caManager, Mockito.times(0)).provisionCertificate(Mockito.any(Host.class), anyBoolean(), Mockito.anyString(), Mockito.anyBoolean());
         Mockito.verify(caManager, Mockito.times(0)).sendAlert(Mockito.any(Host.class), Mockito.anyString(), Mockito.anyString());
     }
 
diff --git a/server/src/test/java/org/apache/cloudstack/ca/CAManagerImplTest.java b/server/src/test/java/org/apache/cloudstack/ca/CAManagerImplTest.java
index 08fa5529996a..2d60833d35c7 100644
--- a/server/src/test/java/org/apache/cloudstack/ca/CAManagerImplTest.java
+++ b/server/src/test/java/org/apache/cloudstack/ca/CAManagerImplTest.java
@@ -24,6 +24,7 @@
 import com.cloud.certificate.dao.CrlDao;
 import com.cloud.host.Host;
 import com.cloud.host.dao.HostDao;
+import com.cloud.utils.exception.CloudRuntimeException;
 import org.apache.cloudstack.api.ServerApiException;
 import org.apache.cloudstack.framework.ca.CAProvider;
 import org.apache.cloudstack.framework.ca.Certificate;
@@ -33,16 +34,34 @@
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
+import org.mockito.InjectMocks;
 import org.mockito.Mock;
 import org.mockito.Mockito;
+import org.mockito.Spy;
 import org.mockito.junit.MockitoJUnitRunner;
 
 import java.lang.reflect.Field;
+import java.lang.reflect.Method;
 import java.math.BigInteger;
 import java.security.KeyPair;
 import java.security.cert.X509Certificate;
 import java.util.Collections;
 import java.util.List;
+import java.util.Map;
+import java.util.HashMap;
+
+
+import org.mockito.MockedStatic;
+import org.mockito.MockedConstruction;
+import com.cloud.utils.ssh.SSHCmdHelper;
+import com.cloud.host.HostVO;
+import com.cloud.vm.VMInstanceVO;
+import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
+import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
+import com.cloud.vm.dao.VMInstanceDao;
+import com.trilead.ssh2.Connection;
+import com.cloud.agent.api.routing.NetworkElementCommand;
+import org.apache.cloudstack.api.ApiConstants;
 
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.anyInt;
@@ -62,8 +81,15 @@ public class CAManagerImplTest {
     private AgentManager agentManager;
     @Mock
     private CAProvider caProvider;
-
-    private CAManagerImpl caManager;
+    @Mock
+    private VMInstanceDao vmInstanceDao;
+    @Mock
+    private NetworkOrchestrationService networkOrchestrationService;
+    @Mock
+    private ConfigurationDao configDao;
+    @InjectMocks
+    @Spy
+    private CAManagerImpl caManager = new CAManagerImpl();
 
     private void addField(final CAManagerImpl provider, final String name, final Object o) throws IllegalAccessException, NoSuchFieldException {
         Field f = CAManagerImpl.class.getDeclaredField(name);
@@ -73,10 +99,6 @@ private void addField(final CAManagerImpl provider, final String name, final Obj
 
     @Before
     public void setUp() throws Exception {
-        caManager = new CAManagerImpl();
-        addField(caManager, "crlDao", crlDao);
-        addField(caManager, "hostDao", hostDao);
-        addField(caManager, "agentManager", agentManager);
         addField(caManager, "configuredCaProvider", caProvider);
 
         Mockito.when(caProvider.getProviderName()).thenReturn("root");
@@ -91,19 +113,19 @@ public void tearDown() throws Exception {
     }
 
     @Test(expected = ServerApiException.class)
-    public void testIssueCertificateThrowsException() throws Exception {
+    public void testIssueCertificateThrowsException() {
         caManager.issueCertificate(null, null, null, 1, null);
     }
 
     @Test
-    public void testIssueCertificate() throws Exception {
+    public void testIssueCertificate() {
         caManager.issueCertificate(null, Collections.singletonList("domain.example"), null, 1, null);
         Mockito.verify(caProvider, Mockito.times(1)).issueCertificate(anyList(), nullable(List.class), anyInt());
         Mockito.verify(caProvider, Mockito.times(0)).issueCertificate(anyString(), anyList(), anyList(), anyInt());
     }
 
     @Test
-    public void testRevokeCertificate() throws Exception {
+    public void testRevokeCertificate() {
         final CrlVO crl = new CrlVO(CertUtils.generateRandomBigInt(), "some.domain", "some-uuid");
         Mockito.when(crlDao.revokeCertificate(Mockito.any(BigInteger.class), anyString())).thenReturn(crl);
         Mockito.when(caProvider.revokeCertificate(Mockito.any(BigInteger.class), anyString())).thenReturn(true);
@@ -121,9 +143,190 @@ public void testProvisionCertificate() throws Exception {
         Mockito.when(agentManager.send(anyLong(), any(SetupCertificateCommand.class))).thenReturn(new SetupCertificateAnswer(true));
         Mockito.when(agentManager.send(anyLong(), any(SetupKeyStoreCommand.class))).thenReturn(new SetupKeystoreAnswer("someCsr"));
         Mockito.doNothing().when(agentManager).reconnect(Mockito.anyLong());
-        Assert.assertTrue(caManager.provisionCertificate(host, true, null));
+        Assert.assertTrue(caManager.provisionCertificate(host, true, null, false));
         Mockito.verify(agentManager, Mockito.times(1)).send(Mockito.anyLong(), any(SetupKeyStoreCommand.class));
         Mockito.verify(agentManager, Mockito.times(1)).send(Mockito.anyLong(), any(SetupCertificateCommand.class));
         Mockito.verify(agentManager, Mockito.times(1)).reconnect(Mockito.anyLong());
     }
+
+
+    @Test
+    public void testProvisionCertificateForced() throws Exception {
+        final Host host = Mockito.mock(Host.class);
+        Mockito.doReturn(true).when(caManager).provisionCertificateForced(host, true, null);
+        Assert.assertTrue(caManager.provisionCertificate(host, true, null, true));
+        Mockito.verify(caManager, Mockito.times(1)).provisionCertificateForced(host, true, null);
+        Mockito.verify(agentManager, Mockito.never()).send(Mockito.anyLong(), any(SetupKeyStoreCommand.class));
+        Mockito.verify(agentManager, Mockito.never()).send(Mockito.anyLong(), any(SetupCertificateCommand.class));
+    }
+
+    @Test
+    public void testIssueCertificateWithCsr() throws Exception {
+        final KeyPair keyPair = CertUtils.generateRandomKeyPair(1024);
+        final X509Certificate x509 = CertUtils.generateV3Certificate(null, keyPair, keyPair.getPublic(), "CN=ca", "SHA256withRSA", 365, null, null);
+        Mockito.when(caProvider.issueCertificate(anyString(), anyList(), anyList(), anyInt()))
+                .thenReturn(new Certificate(x509, null, Collections.singletonList(x509)));
+        final Certificate result = caManager.issueCertificate("someCsr", Collections.singletonList("domain.example"), Collections.singletonList("1.2.3.4"), 365, null);
+        Assert.assertNotNull(result);
+        Mockito.verify(caProvider, Mockito.times(1)).issueCertificate(anyString(), anyList(), anyList(), anyInt());
+        Mockito.verify(caProvider, Mockito.never()).issueCertificate(anyList(), nullable(List.class), anyInt());
+    }
+
+    @Test(expected = CloudRuntimeException.class)
+    public void testProvisionCertificateNullHost() {
+        caManager.provisionCertificate(null, true, null, false);
+    }
+
+    @Test
+    public void testProvisionCertificateForSystemVm() throws Exception {
+        final Host host = Mockito.mock(Host.class);
+        Mockito.when(host.getType()).thenReturn(Host.Type.ConsoleProxy);
+        Mockito.when(host.getPrivateIpAddress()).thenReturn("1.2.3.4");
+        final KeyPair keyPair = CertUtils.generateRandomKeyPair(1024);
+        final X509Certificate x509 = CertUtils.generateV3Certificate(null, keyPair, keyPair.getPublic(), "CN=ca", "SHA256withRSA", 365, null, null);
+        Mockito.when(caProvider.issueCertificate(anyList(), anyList(), anyInt()))
+                .thenReturn(new Certificate(x509, null, Collections.singletonList(x509)));
+        Mockito.when(agentManager.send(anyLong(), any(SetupCertificateCommand.class))).thenReturn(new SetupCertificateAnswer(true));
+        Assert.assertTrue(caManager.provisionCertificate(host, false, null, false));
+        Mockito.verify(agentManager, Mockito.never()).send(Mockito.anyLong(), any(SetupKeyStoreCommand.class));
+        Mockito.verify(agentManager, Mockito.times(1)).send(Mockito.anyLong(), any(SetupCertificateCommand.class));
+        Mockito.verify(agentManager, Mockito.never()).reconnect(Mockito.anyLong());
+    }
+
+    @Test
+    public void testProvisionCertificateWithoutReconnect() throws Exception {
+        final Host host = Mockito.mock(Host.class);
+        Mockito.when(host.getPrivateIpAddress()).thenReturn("1.2.3.4");
+        final KeyPair keyPair = CertUtils.generateRandomKeyPair(1024);
+        final X509Certificate x509 = CertUtils.generateV3Certificate(null, keyPair, keyPair.getPublic(), "CN=ca", "SHA256withRSA", 365, null, null);
+        Mockito.when(caProvider.issueCertificate(anyString(), anyList(), anyList(), anyInt()))
+                .thenReturn(new Certificate(x509, null, Collections.singletonList(x509)));
+        Mockito.when(agentManager.send(anyLong(), any(SetupCertificateCommand.class))).thenReturn(new SetupCertificateAnswer(true));
+        Mockito.when(agentManager.send(anyLong(), any(SetupKeyStoreCommand.class))).thenReturn(new SetupKeystoreAnswer("someCsr"));
+        Assert.assertTrue(caManager.provisionCertificate(host, false, null, false));
+        Mockito.verify(agentManager, Mockito.never()).reconnect(Mockito.anyLong());
+    }
+
+    @Test
+    public void testRevokeCertificateReturnsFalseWhenCrlIsNull() {
+        Mockito.when(crlDao.revokeCertificate(Mockito.any(BigInteger.class), anyString())).thenReturn(null);
+        Assert.assertFalse(caManager.revokeCertificate(BigInteger.ONE, "some.domain", null));
+        Mockito.verify(caProvider, Mockito.never()).revokeCertificate(Mockito.any(BigInteger.class), anyString());
+    }
+
+    @Test
+    public void testRevokeCertificateReturnsFalseWhenSerialMismatch() {
+        final CrlVO crl = new CrlVO(BigInteger.ONE, "some.domain", "some-uuid");
+        Mockito.when(crlDao.revokeCertificate(Mockito.any(BigInteger.class), anyString())).thenReturn(crl);
+        Assert.assertFalse(caManager.revokeCertificate(BigInteger.TWO, "some.domain", null));
+        Mockito.verify(caProvider, Mockito.never()).revokeCertificate(Mockito.any(BigInteger.class), anyString());
+    }
+
+    @Test
+    public void testPurgeHostCertificate() throws Exception {
+        final Host host = Mockito.mock(Host.class);
+        Mockito.when(host.getPrivateIpAddress()).thenReturn("10.0.0.1");
+        Mockito.when(host.getPublicIpAddress()).thenReturn("192.168.0.1");
+        final KeyPair keyPair = CertUtils.generateRandomKeyPair(1024);
+        final X509Certificate x509 = CertUtils.generateV3Certificate(null, keyPair,
+                keyPair.getPublic(), "CN=ca", "SHA256withRSA",
+                365, null, null);
+        caManager.getActiveCertificatesMap().put("10.0.0.1", x509);
+        caManager.getActiveCertificatesMap().put("192.168.0.1", x509);
+        caManager.purgeHostCertificate(host);
+        Assert.assertFalse(caManager.getActiveCertificatesMap().containsKey("10.0.0.1"));
+        Assert.assertFalse(caManager.getActiveCertificatesMap().containsKey("192.168.0.1"));
+    }
+    @Test
+    public void testProvisionCertificateViaSsh() throws Exception {
+        Connection sshConnection = Mockito.mock(Connection.class);
+        final String agentIp = "192.168.1.1";
+        final String agentHostname = "host1";
+        final String caProviderStr = "root";
+
+        try (MockedStatic<SSHCmdHelper> sshCmdHelperMock = Mockito.mockStatic(SSHCmdHelper.class)) {
+            SSHCmdHelper.SSHCmdResult successResult = new SSHCmdHelper.SSHCmdResult(0, "someCsr", "");
+            sshCmdHelperMock.when(() -> SSHCmdHelper.sshExecuteCmdWithResult(Mockito.eq(sshConnection), Mockito.anyString()))
+                    .thenReturn(successResult);
+
+            final KeyPair keyPair = CertUtils.generateRandomKeyPair(1024);
+            final X509Certificate x509 = CertUtils.generateV3Certificate(null, keyPair, keyPair.getPublic(), "CN=ca", "SHA256withRSA", 365, null, null);
+            Mockito.doReturn(new Certificate(x509, null, Collections.singletonList(x509)))
+                   .when(caManager).issueCertificate(Mockito.anyString(), Mockito.anyList(), Mockito.anyList(), Mockito.nullable(Integer.class), Mockito.anyString());
+
+            caManager.provisionCertificateViaSsh(sshConnection, agentIp, agentHostname, caProviderStr);
+
+            sshCmdHelperMock.verify(() -> SSHCmdHelper.sshExecuteCmdWithResult(Mockito.eq(sshConnection), Mockito.contains("keystore-setup")), Mockito.times(1));
+            sshCmdHelperMock.verify(() -> SSHCmdHelper.sshExecuteCmdWithResult(Mockito.eq(sshConnection), Mockito.contains("keystore-cert-import")), Mockito.times(1));
+        }
+    }
+
+    @Test
+    public void testProvisionKvmHostViaSsh() throws Exception {
+        HostVO host = Mockito.mock(HostVO.class);
+        Mockito.when(host.getPrivateIpAddress()).thenReturn("192.168.1.1");
+        Mockito.when(host.getName()).thenReturn("host1");
+        Mockito.when(host.getClusterId()).thenReturn(1L);
+
+        Mockito.doNothing().when(hostDao).loadDetails(host);
+        Mockito.when(host.getDetail(ApiConstants.USERNAME)).thenReturn("root");
+        Mockito.when(host.getDetail(ApiConstants.PASSWORD)).thenReturn("password");
+
+        Mockito.when(configDao.getValue("ssh.privatekey")).thenReturn("privatekey");
+
+        try (MockedConstruction<Connection> ignored = Mockito.mockConstruction(Connection.class,
+                (mock, context) -> {
+                    // Do nothing on connect
+                });
+             MockedStatic<SSHCmdHelper> sshCmdHelperMock = Mockito.mockStatic(SSHCmdHelper.class)) {
+            sshCmdHelperMock.when(() -> SSHCmdHelper.acquireAuthorizedConnectionWithPublicKey(Mockito.any(Connection.class), Mockito.anyString(), Mockito.anyString()))
+                    .thenReturn(true);
+
+            Mockito.doNothing().when(caManager).provisionCertificateViaSsh(Mockito.any(Connection.class), Mockito.anyString(), Mockito.anyString(), Mockito.anyString());
+
+            Method method = CAManagerImpl.class.getDeclaredMethod("provisionKvmHostViaSsh", Host.class, String.class);
+            method.setAccessible(true);
+            boolean result = (Boolean) method.invoke(caManager, host, "root");
+
+            Assert.assertTrue(result);
+            Mockito.verify(caManager, Mockito.times(1)).provisionCertificateViaSsh(Mockito.any(Connection.class), Mockito.eq("192.168.1.1"), Mockito.eq("host1"), Mockito.eq("root"));
+            sshCmdHelperMock.verify(() -> SSHCmdHelper.sshExecuteCmd(Mockito.any(Connection.class), Mockito.eq("systemctl restart libvirtd")), Mockito.times(1));
+            sshCmdHelperMock.verify(() -> SSHCmdHelper.sshExecuteCmd(Mockito.any(Connection.class), Mockito.eq("systemctl restart cloudstack-agent")), Mockito.times(1));
+        }
+    }
+
+    @Test
+    public void testProvisionSystemVmViaSsh() throws Exception {
+        Host host = Mockito.mock(Host.class);
+        Mockito.when(host.getName()).thenReturn("v-1-VM");
+
+        VMInstanceVO vm = Mockito.mock(VMInstanceVO.class);
+        Mockito.when(vm.getHostId()).thenReturn(1L);
+        Mockito.when(vm.getHostName()).thenReturn("host1");
+        Mockito.when(vm.getInstanceName()).thenReturn("v-1-VM");
+        Mockito.when(vmInstanceDao.findVMByInstanceName("v-1-VM")).thenReturn(vm);
+
+        Map<String, String> accessDetails = new HashMap<>();
+        accessDetails.put(NetworkElementCommand.ROUTER_IP, "192.168.1.2");
+        Mockito.when(networkOrchestrationService.getSystemVMAccessDetails(vm)).thenReturn(accessDetails);
+
+        HostVO hypervisorHost = Mockito.mock(HostVO.class);
+        Mockito.when(hostDao.findById(1L)).thenReturn(hypervisorHost);
+
+        final KeyPair keyPair = CertUtils.generateRandomKeyPair(1024);
+        final X509Certificate x509 = CertUtils.generateV3Certificate(null, keyPair, keyPair.getPublic(), "CN=ca", "SHA256withRSA", 365, null, null);
+        Certificate cert = new Certificate(x509, null, Collections.singletonList(x509));
+        Mockito.doReturn(cert)
+               .when(caManager).issueCertificate(Mockito.nullable(String.class), Mockito.anyList(), Mockito.anyList(), Mockito.nullable(Integer.class), Mockito.anyString());
+
+        Mockito.doReturn(true)
+               .when(caManager).deployCertificate(Mockito.eq(hypervisorHost), Mockito.eq(cert), Mockito.anyBoolean(), Mockito.eq(accessDetails));
+
+        Method method = CAManagerImpl.class.getDeclaredMethod("provisionSystemVmViaSsh", Host.class, Boolean.class, String.class);
+        method.setAccessible(true);
+        boolean result = (Boolean) method.invoke(caManager, host, true, "root");
+
+        Assert.assertTrue(result);
+        Mockito.verify(caManager, Mockito.times(1)).deployCertificate(Mockito.eq(hypervisorHost), Mockito.eq(cert), Mockito.eq(true), Mockito.eq(accessDetails));
+    }
 }
diff --git a/server/src/test/java/org/apache/cloudstack/storage/object/BucketApiServiceImplTest.java b/server/src/test/java/org/apache/cloudstack/storage/object/BucketApiServiceImplTest.java
index b630ddc69a74..a4429befc44b 100644
--- a/server/src/test/java/org/apache/cloudstack/storage/object/BucketApiServiceImplTest.java
+++ b/server/src/test/java/org/apache/cloudstack/storage/object/BucketApiServiceImplTest.java
@@ -16,19 +16,36 @@
 // under the License.
 package org.apache.cloudstack.storage.object;
 
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyInt;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import java.util.ArrayList;
+import java.util.List;
+
 import org.apache.cloudstack.api.command.user.bucket.CreateBucketCmd;
 import org.apache.cloudstack.api.command.user.bucket.UpdateBucketCmd;
+import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.engine.subsystem.api.storage.DataStoreManager;
+import org.apache.cloudstack.reservation.ReservationVO;
+import org.apache.cloudstack.reservation.dao.ReservationDao;
 import org.apache.cloudstack.storage.datastore.db.ObjectStoreDao;
 import org.apache.cloudstack.storage.datastore.db.ObjectStoreVO;
+import org.apache.commons.lang3.StringUtils;
+import org.junit.After;
 import org.junit.Assert;
+import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.mockito.InjectMocks;
 import org.mockito.Mock;
+import org.mockito.MockedStatic;
 import org.mockito.Mockito;
 import org.mockito.Spy;
 import org.mockito.junit.MockitoJUnitRunner;
+import org.mockito.stubbing.Answer;
 import org.springframework.test.util.ReflectionTestUtils;
 
 import com.cloud.agent.api.to.BucketTO;
@@ -40,6 +57,9 @@
 import com.cloud.storage.dao.BucketDao;
 import com.cloud.user.Account;
 import com.cloud.user.AccountManager;
+import com.cloud.user.AccountVO;
+import com.cloud.user.User;
+import com.cloud.utils.db.DbUtil;
 
 @RunWith(MockitoJUnitRunner.class)
 public class BucketApiServiceImplTest {
@@ -62,33 +82,90 @@ public class BucketApiServiceImplTest {
     @Mock
     private BucketDao bucketDao;
 
+    @Mock
+    ReservationDao reservationDao;
+
+    @Mock
+    private AccountVO mockAccountVO;
+
+    private MockedStatic<DbUtil> dbUtilMockedStatic;
+    private final List<String> mockedGlobalLocks = new ArrayList<>();
+    private static final long ACCOUNT_ID = 1001L;
+    private static final long DOMAIN_ID = 10L;
+
+    @Before
+    public void setup() {
+        when(accountManager.getActiveAccountById(ACCOUNT_ID)).thenReturn(mockAccountVO);
+        when(mockAccountVO.getDomainId()).thenReturn(DOMAIN_ID);
+        when(reservationDao.persist(any(ReservationVO.class)))
+                .thenAnswer((Answer<ReservationVO>) invocation -> {
+                    ReservationVO reservationVO = (ReservationVO)invocation.getArguments()[0];
+                    ReflectionTestUtils.setField(reservationVO, "id", 10L);
+                    return reservationVO;
+                });
+        dbUtilMockedStatic = Mockito.mockStatic(DbUtil.class);
+        dbUtilMockedStatic.when(() -> DbUtil.getGlobalLock(anyString(), anyInt()))
+                .thenAnswer((Answer<Boolean>) invocation -> {
+            String lockName = invocation.getArgument(0);
+            if (!StringUtils.isBlank(lockName) && !mockedGlobalLocks.contains(lockName)) {
+                mockedGlobalLocks.add(lockName);
+                return true;
+            }
+            return false;
+        });
+        dbUtilMockedStatic.when(() -> DbUtil.releaseGlobalLock(anyString()))
+                .thenAnswer((Answer<Boolean>) invocation -> {
+            String lockName = invocation.getArgument(0);
+            if (!StringUtils.isBlank(lockName)) {
+                mockedGlobalLocks.remove(lockName);
+            }
+            return true;
+        });
+
+        Account account = mock(Account.class);
+        User user = mock(User.class);
+        CallContext.register(user, account);
+    }
+
+    @After
+    public void tearDown() throws Exception {
+        dbUtilMockedStatic.close();
+        CallContext.unregister();
+    }
+
     @Test
     public void testAllocBucket() throws ResourceAllocationException {
         String bucketName = "bucket1";
-        Long accountId = 1L;
         Long poolId = 2L;
         Long objectStoreId = 3L;
+        int quota = 1;
 
         CreateBucketCmd cmd = Mockito.mock(CreateBucketCmd.class);
         Mockito.when(cmd.getBucketName()).thenReturn(bucketName);
-        Mockito.when(cmd.getEntityOwnerId()).thenReturn(accountId);
+        Mockito.when(cmd.getEntityOwnerId()).thenReturn(ACCOUNT_ID);
         Mockito.when(cmd.getObjectStoragePoolId()).thenReturn(poolId);
-        Mockito.when(cmd.getQuota()).thenReturn(1);
-
-        Account account = Mockito.mock(Account.class);
-        Mockito.when(accountManager.getActiveAccountById(accountId)).thenReturn(account);
+        Mockito.when(cmd.getQuota()).thenReturn(quota);
 
         ObjectStoreVO objectStoreVO = Mockito.mock(ObjectStoreVO.class);
         Mockito.when(objectStoreVO.getId()).thenReturn(objectStoreId);
         Mockito.when(objectStoreDao.findById(poolId)).thenReturn(objectStoreVO);
         ObjectStoreEntity objectStore = Mockito.mock(ObjectStoreEntity.class);
         Mockito.when(dataStoreMgr.getDataStore(objectStoreId, DataStoreRole.Object)).thenReturn(objectStore);
-        Mockito.when(objectStore.createUser(accountId)).thenReturn(true);
+        Mockito.when(objectStore.createUser(ACCOUNT_ID)).thenReturn(true);
 
         bucketApiService.allocBucket(cmd);
 
-        Mockito.verify(resourceLimitManager, Mockito.times(1)).checkResourceLimit(account, Resource.ResourceType.bucket);
-        Mockito.verify(resourceLimitManager, Mockito.times(1)).checkResourceLimit(account, Resource.ResourceType.object_storage, 1 * Resource.ResourceType.bytesToGiB);
+        long size = quota * Resource.ResourceType.bytesToGiB;
+        Mockito.verify(resourceLimitManager, Mockito.times(1))
+                .checkResourceLimitWithTag(mockAccountVO, DOMAIN_ID, true,
+                        Resource.ResourceType.bucket, null, 1L);
+        Mockito.verify(resourceLimitManager, Mockito.times(1))
+                .checkResourceLimitWithTag(mockAccountVO, DOMAIN_ID, true,
+                        Resource.ResourceType.object_storage, null, size);
+        Mockito.verify(resourceLimitManager, Mockito.times(1))
+                .incrementResourceCount(ACCOUNT_ID, Resource.ResourceType.bucket);
+        Mockito.verify(resourceLimitManager, Mockito.times(1))
+                .incrementResourceCount(ACCOUNT_ID, Resource.ResourceType.object_storage, size);
     }
 
     @Test
@@ -96,21 +173,21 @@ public void testCreateBucket() {
         Long objectStoreId = 1L;
         Long poolId = 2L;
         Long bucketId = 3L;
-        Long accountId = 4L;
         String bucketName = "bucket1";
+        int quota = 3;
 
         CreateBucketCmd cmd = Mockito.mock(CreateBucketCmd.class);
         Mockito.when(cmd.getObjectStoragePoolId()).thenReturn(poolId);
         Mockito.when(cmd.getEntityId()).thenReturn(bucketId);
-        Mockito.when(cmd.getQuota()).thenReturn(1);
+        Mockito.when(cmd.getQuota()).thenReturn(quota);
 
         BucketVO bucket = new BucketVO(bucketName);
         Mockito.when(bucketDao.findById(bucketId)).thenReturn(bucket);
-        ReflectionTestUtils.setField(bucket, "accountId", accountId);
+        ReflectionTestUtils.setField(bucket, "accountId", ACCOUNT_ID);
 
         ObjectStoreVO objectStoreVO = Mockito.mock(ObjectStoreVO.class);
         Mockito.when(objectStoreVO.getId()).thenReturn(objectStoreId);
-        Mockito.when(objectStoreVO.getTotalSize()).thenReturn(2000000000L);
+        Mockito.when(objectStoreVO.getTotalSize()).thenReturn(10 * Resource.ResourceType.bytesToGiB);
         Mockito.when(objectStoreDao.findById(poolId)).thenReturn(objectStoreVO);
         ObjectStoreEntity objectStore = Mockito.mock(ObjectStoreEntity.class);
         Mockito.when(dataStoreMgr.getDataStore(objectStoreId, DataStoreRole.Object)).thenReturn(objectStore);
@@ -118,23 +195,23 @@ public void testCreateBucket() {
 
         bucketApiService.createBucket(cmd);
 
-        Mockito.verify(resourceLimitManager, Mockito.times(1)).incrementResourceCount(accountId, Resource.ResourceType.bucket);
-        Mockito.verify(resourceLimitManager, Mockito.times(1)).incrementResourceCount(accountId, Resource.ResourceType.object_storage, 1 * Resource.ResourceType.bytesToGiB);
-        Assert.assertEquals(bucket.getState(), Bucket.State.Created);
+        Assert.assertEquals(Bucket.State.Created, bucket.getState());
     }
 
     @Test
-    public void testDeleteBucket() {
+    public void testDeleteBucket() throws ResourceAllocationException {
         Long bucketId = 1L;
-        Long accountId = 2L;
         Long objectStoreId = 3L;
         String bucketName = "bucket1";
-
-        BucketVO bucket = new BucketVO(bucketName);
+        int quota = 2;
+
+        BucketVO bucket = mock(BucketVO.class);
+        when(bucket.getName()).thenReturn(bucketName);
+        when(bucket.getObjectStoreId()).thenReturn(objectStoreId);
+        when(bucket.getQuota()).thenReturn(quota);
+        when(bucket.getAccountId()).thenReturn(ACCOUNT_ID);
+        when(accountManager.getAccount(ACCOUNT_ID)).thenReturn(mock(AccountVO.class));
         Mockito.when(bucketDao.findById(bucketId)).thenReturn(bucket);
-        ReflectionTestUtils.setField(bucket, "objectStoreId", objectStoreId);
-        ReflectionTestUtils.setField(bucket, "quota", 1);
-        ReflectionTestUtils.setField(bucket, "accountId", accountId);
 
         ObjectStoreVO objectStoreVO = Mockito.mock(ObjectStoreVO.class);
         Mockito.when(objectStoreVO.getId()).thenReturn(objectStoreId);
@@ -145,15 +222,17 @@ public void testDeleteBucket() {
 
         bucketApiService.deleteBucket(bucketId, null);
 
-        Mockito.verify(resourceLimitManager, Mockito.times(1)).decrementResourceCount(accountId, Resource.ResourceType.bucket);
-        Mockito.verify(resourceLimitManager, Mockito.times(1)).decrementResourceCount(accountId, Resource.ResourceType.object_storage, 1 * Resource.ResourceType.bytesToGiB);
+        Mockito.verify(resourceLimitManager, Mockito.times(1))
+                .decrementResourceCount(ACCOUNT_ID, Resource.ResourceType.bucket);
+        Mockito.verify(resourceLimitManager, Mockito.times(1))
+                .decrementResourceCount(ACCOUNT_ID, Resource.ResourceType.object_storage,
+                        quota * Resource.ResourceType.bytesToGiB);
     }
 
     @Test
     public void testUpdateBucket() throws ResourceAllocationException {
         Long bucketId = 1L;
         Long objectStoreId = 2L;
-        Long accountId = 3L;
         Integer bucketQuota = 2;
         Integer cmdQuota = 1;
         String bucketName = "bucket1";
@@ -164,12 +243,10 @@ public void testUpdateBucket() throws ResourceAllocationException {
 
         BucketVO bucket = new BucketVO(bucketName);
         ReflectionTestUtils.setField(bucket, "quota", bucketQuota);
-        ReflectionTestUtils.setField(bucket, "accountId", accountId);
+        ReflectionTestUtils.setField(bucket, "accountId", ACCOUNT_ID);
         ReflectionTestUtils.setField(bucket, "objectStoreId", objectStoreId);
         Mockito.when(bucketDao.findById(bucketId)).thenReturn(bucket);
 
-        Account account = Mockito.mock(Account.class);
-
         ObjectStoreVO objectStoreVO = Mockito.mock(ObjectStoreVO.class);
         Mockito.when(objectStoreVO.getId()).thenReturn(objectStoreId);
         Mockito.when(objectStoreDao.findById(objectStoreId)).thenReturn(objectStoreVO);
@@ -178,6 +255,8 @@ public void testUpdateBucket() throws ResourceAllocationException {
 
         bucketApiService.updateBucket(cmd, null);
 
-        Mockito.verify(resourceLimitManager, Mockito.times(1)).decrementResourceCount(accountId, Resource.ResourceType.object_storage, (bucketQuota - cmdQuota) * Resource.ResourceType.bytesToGiB);
+        Mockito.verify(resourceLimitManager, Mockito.times(1))
+                .decrementResourceCount(ACCOUNT_ID, Resource.ResourceType.object_storage,
+                        (bucketQuota - cmdQuota) * Resource.ResourceType.bytesToGiB);
     }
 }
diff --git a/server/src/test/java/org/apache/cloudstack/storage/volume/VolumeImportUnmanageManagerImplTest.java b/server/src/test/java/org/apache/cloudstack/storage/volume/VolumeImportUnmanageManagerImplTest.java
index 9ee34d32a177..f3ed13c3d6ba 100644
--- a/server/src/test/java/org/apache/cloudstack/storage/volume/VolumeImportUnmanageManagerImplTest.java
+++ b/server/src/test/java/org/apache/cloudstack/storage/volume/VolumeImportUnmanageManagerImplTest.java
@@ -268,9 +268,6 @@ public void testImportVolumeAllGood() throws ResourceAllocationException {
         doNothing().when(volumeImportUnmanageManager).checkIfVolumeIsEncrypted(volumeOnStorageTO);
         doNothing().when(volumeImportUnmanageManager).checkIfVolumeHasBackingFile(volumeOnStorageTO);
 
-        doNothing().when(resourceLimitService).checkResourceLimit(account, Resource.ResourceType.volume);
-        doNothing().when(resourceLimitService).checkResourceLimit(account, Resource.ResourceType.primary_storage, virtualSize);
-
         DiskOfferingVO diskOffering = mock(DiskOfferingVO.class);
         when(diskOffering.isCustomized()).thenReturn(true);
         doReturn(diskOffering).when(volumeImportUnmanageManager).getOrCreateDiskOffering(account, diskOfferingId, zoneId, isLocal);
diff --git a/server/src/test/java/org/apache/cloudstack/vm/UnmanagedVMsManagerImplTest.java b/server/src/test/java/org/apache/cloudstack/vm/UnmanagedVMsManagerImplTest.java
index a24ba7f068b2..bee6c4ad257f 100644
--- a/server/src/test/java/org/apache/cloudstack/vm/UnmanagedVMsManagerImplTest.java
+++ b/server/src/test/java/org/apache/cloudstack/vm/UnmanagedVMsManagerImplTest.java
@@ -31,6 +31,7 @@
 
 import java.net.URI;
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.LinkedHashMap;
@@ -38,8 +39,6 @@
 import java.util.Map;
 import java.util.UUID;
 
-import com.cloud.offering.DiskOffering;
-import com.cloud.vm.ImportVMTaskVO;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.ResponseGenerator;
 import org.apache.cloudstack.api.ResponseObject;
@@ -58,6 +57,7 @@
 import org.apache.cloudstack.engine.subsystem.api.storage.DataStoreManager;
 import org.apache.cloudstack.framework.config.ConfigKey;
 import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
+import org.apache.cloudstack.resourcelimit.Reserver;
 import org.apache.cloudstack.storage.datastore.db.ImageStoreDao;
 import org.apache.cloudstack.storage.datastore.db.ImageStoreVO;
 import org.apache.cloudstack.storage.datastore.db.PrimaryDataStoreDao;
@@ -71,6 +71,7 @@
 import org.mockito.BDDMockito;
 import org.mockito.InjectMocks;
 import org.mockito.Mock;
+import org.mockito.MockedConstruction;
 import org.mockito.MockedStatic;
 import org.mockito.Mockito;
 import org.mockito.MockitoAnnotations;
@@ -94,7 +95,6 @@
 import com.cloud.agent.api.ImportConvertedInstanceAnswer;
 import com.cloud.agent.api.ImportConvertedInstanceCommand;
 import com.cloud.agent.api.to.DataStoreTO;
-import com.cloud.configuration.Resource;
 import com.cloud.dc.ClusterVO;
 import com.cloud.dc.DataCenter;
 import com.cloud.dc.DataCenterVO;
@@ -110,8 +110,8 @@
 import com.cloud.exception.InsufficientServerCapacityException;
 import com.cloud.exception.InvalidParameterValueException;
 import com.cloud.exception.OperationTimedoutException;
-import com.cloud.exception.PermissionDeniedException;
 import com.cloud.exception.ResourceAllocationException;
+import com.cloud.exception.PermissionDeniedException;
 import com.cloud.exception.UnsupportedServiceException;
 import com.cloud.host.Host;
 import com.cloud.host.HostVO;
@@ -124,16 +124,20 @@
 import com.cloud.network.NetworkModel;
 import com.cloud.network.dao.NetworkDao;
 import com.cloud.network.dao.NetworkVO;
+import com.cloud.offering.DiskOffering;
 import com.cloud.offering.NetworkOffering;
 import com.cloud.offering.ServiceOffering;
 import com.cloud.org.Grouping;
 import com.cloud.resource.ResourceManager;
 import com.cloud.resource.ResourceState;
+import com.cloud.resourcelimit.CheckedReservation;
 import com.cloud.service.ServiceOfferingVO;
 import com.cloud.service.dao.ServiceOfferingDao;
 import com.cloud.storage.DataStoreRole;
 import com.cloud.storage.DiskOfferingVO;
 import com.cloud.storage.ScopeType;
+import com.cloud.storage.Snapshot;
+import com.cloud.storage.SnapshotVO;
 import com.cloud.storage.Storage;
 import com.cloud.storage.StoragePool;
 import com.cloud.storage.StoragePoolHostVO;
@@ -143,6 +147,7 @@
 import com.cloud.storage.VolumeApiService;
 import com.cloud.storage.VolumeVO;
 import com.cloud.storage.dao.DiskOfferingDao;
+import com.cloud.storage.dao.SnapshotDao;
 import com.cloud.storage.dao.StoragePoolHostDao;
 import com.cloud.storage.dao.VMTemplateDao;
 import com.cloud.storage.dao.VMTemplatePoolDao;
@@ -160,13 +165,14 @@
 import com.cloud.utils.db.EntityManager;
 import com.cloud.utils.exception.CloudRuntimeException;
 import com.cloud.vm.DiskProfile;
+import com.cloud.vm.ImportVMTaskVO;
 import com.cloud.vm.NicProfile;
 import com.cloud.vm.UserVmManager;
 import com.cloud.vm.UserVmVO;
+import com.cloud.vm.VmDetailConstants;
 import com.cloud.vm.VMInstanceDetailVO;
 import com.cloud.vm.VMInstanceVO;
 import com.cloud.vm.VirtualMachine;
-import com.cloud.vm.VmDetailConstants;
 import com.cloud.vm.dao.NicDao;
 import com.cloud.vm.dao.UserVmDao;
 import com.cloud.vm.dao.VMInstanceDao;
@@ -177,7 +183,7 @@ public class UnmanagedVMsManagerImplTest {
 
     @Spy
     @InjectMocks
-    private UnmanagedVMsManagerImpl unmanagedVMsManager = new UnmanagedVMsManagerImpl();
+    private UnmanagedVMsManagerImpl unmanagedVMsManager;
 
     @Mock
     private UserVmManager userVmManager;
@@ -241,6 +247,8 @@ public class UnmanagedVMsManagerImplTest {
     private StoragePoolHostDao storagePoolHostDao;
     @Mock
     private ImportVmTasksManager importVmTasksManager;
+    @Mock
+    private SnapshotDao snapshotDao;
 
     @Mock
     private VMInstanceVO virtualMachine;
@@ -252,11 +260,18 @@ public class UnmanagedVMsManagerImplTest {
     ImportVMTaskVO importVMTaskVO;
     @Mock
     private VMInstanceDetailsDao vmInstanceDetailsDao;
-
     @Mock
     private ConfigKey<Boolean> configKeyMockParamsAllowed;
     @Mock
     private ConfigKey<String> configKeyMockParamsAllowedList;
+    @Mock
+    private Account accountMock;
+    @Mock
+    private ServiceOfferingVO serviceOfferingMock;
+    @Mock
+    private VMTemplateVO templateMock;
+    @Mock
+    private UnmanagedInstanceTO unmanagedInstanceMock;
 
     private static final long virtualMachineId = 1L;
 
@@ -302,7 +317,6 @@ public void setUp() throws Exception {
         clusterVO.setHypervisorType(Hypervisor.HypervisorType.VMware.toString());
         when(clusterDao.findById(anyLong())).thenReturn(clusterVO);
         when(configurationDao.getValue(Mockito.anyString())).thenReturn(null);
-        doNothing().when(resourceLimitService).checkResourceLimit(any(Account.class), any(Resource.ResourceType.class), anyLong());
         List<HostVO> hosts = new ArrayList<>();
         HostVO hostVO = Mockito.mock(HostVO.class);
         when(hostVO.isInMaintenanceStates()).thenReturn(false);
@@ -360,7 +374,7 @@ public void setUp() throws Exception {
         when(primaryDataStoreDao.listPoolByHostPath(Mockito.anyString(), Mockito.anyString())).thenReturn(pools);
         when(userVmManager.importVM(nullable(DataCenter.class), nullable(Host.class), nullable(VirtualMachineTemplate.class), nullable(String.class), nullable(String.class),
                 nullable(Account.class), nullable(String.class), nullable(Account.class), nullable(Boolean.class), nullable(String.class),
-                nullable(Long.class), nullable(Long.class), nullable(ServiceOffering.class), nullable(String.class),
+                nullable(Long.class), nullable(Long.class), nullable(ServiceOffering.class), nullable(String.class), nullable(Long.class),
                 nullable(String.class), nullable(Hypervisor.HypervisorType.class), nullable(Map.class), nullable(VirtualMachine.PowerState.class), nullable(LinkedHashMap.class))).thenReturn(userVm);
         NetworkVO networkVO = Mockito.mock(NetworkVO.class);
         when(networkVO.getGuestType()).thenReturn(Network.GuestType.L2);
@@ -384,6 +398,11 @@ public void setUp() throws Exception {
 
         when(vmDao.findById(virtualMachineId)).thenReturn(virtualMachine);
         when(virtualMachine.getState()).thenReturn(VirtualMachine.State.Running);
+
+        when(unmanagedInstanceMock.getCpuCores()).thenReturn(8);
+        when(unmanagedInstanceMock.getMemory()).thenReturn(4096);
+        when(serviceOfferingMock.getCpu()).thenReturn(4);
+        when(serviceOfferingMock.getRamSize()).thenReturn(2048);
     }
 
     @NotNull
@@ -442,7 +461,8 @@ public void importUnmanagedInstanceTest() {
         when(importUnmanageInstanceCmd.getName()).thenReturn("TestInstance");
         when(importUnmanageInstanceCmd.getDomainId()).thenReturn(null);
         when(volumeApiService.doesStoragePoolSupportDiskOffering(any(StoragePool.class), any())).thenReturn(true);
-        try (MockedStatic<UsageEventUtils> ignored = Mockito.mockStatic(UsageEventUtils.class)) {
+        try (MockedStatic<UsageEventUtils> ignored = Mockito.mockStatic(UsageEventUtils.class);
+             MockedConstruction<CheckedReservation> mockCheckedReservation = Mockito.mockConstruction(CheckedReservation.class)) {
             unmanagedVMsManager.importUnmanagedInstance(importUnmanageInstanceCmd);
         }
     }
@@ -460,7 +480,9 @@ public void importUnmanagedInstanceMissingInstanceTest() {
         ImportUnmanagedInstanceCmd importUnmanageInstanceCmd = Mockito.mock(ImportUnmanagedInstanceCmd.class);
         when(importUnmanageInstanceCmd.getName()).thenReturn("SomeInstance");
         when(importUnmanageInstanceCmd.getDomainId()).thenReturn(null);
-        unmanagedVMsManager.importUnmanagedInstance(importUnmanageInstanceCmd);
+        try (MockedConstruction<CheckedReservation> mockCheckedReservation = Mockito.mockConstruction(CheckedReservation.class)) {
+            unmanagedVMsManager.importUnmanagedInstance(importUnmanageInstanceCmd);
+        }
     }
 
     @Test(expected = InvalidParameterValueException.class)
@@ -568,6 +590,53 @@ public void unmanageVMInstanceStoppedInstanceTest() {
         unmanagedVMsManager.unmanageVMInstance(virtualMachineId, null, false);
     }
 
+    @Test(expected = UnsupportedServiceException.class)
+    public void testUnmanageVMInstanceWithVolumeSnapshotsFail() {
+        when(virtualMachine.getType()).thenReturn(VirtualMachine.Type.User);
+        when(virtualMachine.getHypervisorType()).thenReturn(Hypervisor.HypervisorType.KVM);
+        when(virtualMachine.getState()).thenReturn(VirtualMachine.State.Stopped);
+        when(virtualMachine.getId()).thenReturn(virtualMachineId);
+        UserVmVO userVmVO = mock(UserVmVO.class);
+        when(userVmDao.findById(anyLong())).thenReturn(userVmVO);
+        when(vmDao.findById(virtualMachineId)).thenReturn(virtualMachine);
+        VolumeVO volumeVO = mock(VolumeVO.class);
+        long volumeId = 20L;
+        when(volumeVO.getId()).thenReturn(volumeId);
+        SnapshotVO snapshotVO = mock(SnapshotVO.class);
+        when(snapshotVO.getState()).thenReturn(Snapshot.State.BackedUp);
+        when(snapshotDao.listByVolumeId(volumeId)).thenReturn(Collections.singletonList(snapshotVO));
+        when(volumeDao.findByInstance(virtualMachineId)).thenReturn(Collections.singletonList(volumeVO));
+        unmanagedVMsManager.unmanageVMInstance(virtualMachineId, null, false);
+    }
+
+    @Test(expected = UnsupportedServiceException.class)
+    public void testUnmanageVMInstanceWithAssociatedIsoFail() {
+        when(virtualMachine.getType()).thenReturn(VirtualMachine.Type.User);
+        when(virtualMachine.getHypervisorType()).thenReturn(Hypervisor.HypervisorType.KVM);
+        when(virtualMachine.getState()).thenReturn(VirtualMachine.State.Stopped);
+        when(virtualMachine.getId()).thenReturn(virtualMachineId);
+        UserVmVO userVmVO = mock(UserVmVO.class);
+        when(userVmVO.getIsoId()).thenReturn(null);
+        when(userVmDao.findById(anyLong())).thenReturn(userVmVO);
+        when(vmDao.findById(virtualMachineId)).thenReturn(virtualMachine);
+        when(userVmVO.getIsoId()).thenReturn(1L);
+        unmanagedVMsManager.unmanageVMInstance(virtualMachineId, null, false);
+    }
+
+    @Test(expected = UnsupportedServiceException.class)
+    public void testUnmanageVMInstanceBelongingToCksClusterFail() {
+        when(virtualMachine.getType()).thenReturn(VirtualMachine.Type.User);
+        when(virtualMachine.getHypervisorType()).thenReturn(Hypervisor.HypervisorType.KVM);
+        when(virtualMachine.getState()).thenReturn(VirtualMachine.State.Stopped);
+        when(virtualMachine.getId()).thenReturn(virtualMachineId);
+        UserVmVO userVmVO = mock(UserVmVO.class);
+        when(userVmVO.getIsoId()).thenReturn(null);
+        when(userVmDao.findById(anyLong())).thenReturn(userVmVO);
+        when(vmDao.findById(virtualMachineId)).thenReturn(virtualMachine);
+        when(userVmManager.isVMPartOfAnyCKSCluster(virtualMachine)).thenReturn(true);
+        unmanagedVMsManager.unmanageVMInstance(virtualMachineId, null, false);
+    }
+
     @Test
     public void testListRemoteInstancesTest() {
         ListVmsForImportCmd cmd = Mockito.mock(ListVmsForImportCmd.class);
@@ -597,7 +666,7 @@ public void testImportFromExternalTest() throws InsufficientServerCapacityExcept
         DeployDestination mockDest = Mockito.mock(DeployDestination.class);
         when(deploymentPlanningManager.planDeployment(any(), any(), any(), any())).thenReturn(mockDest);
         DiskProfile diskProfile = Mockito.mock(DiskProfile.class);
-        when(volumeManager.allocateRawVolume(any(), any(), any(), any(), any(), any(), any(), any(), any(), any()))
+        when(volumeManager.allocateRawVolume(any(), any(), any(), any(), any(), any(), any(), any(), any(), any(), anyBoolean()))
                 .thenReturn(diskProfile);
         Map<Volume, StoragePool> storage = new HashMap<>();
         VolumeVO volume = Mockito.mock(VolumeVO.class);
@@ -609,7 +678,8 @@ public void testImportFromExternalTest() throws InsufficientServerCapacityExcept
         CopyRemoteVolumeAnswer copyAnswer = Mockito.mock(CopyRemoteVolumeAnswer.class);
         when(copyAnswer.getResult()).thenReturn(true);
         when(agentManager.easySend(anyLong(), any(CopyRemoteVolumeCommand.class))).thenReturn(copyAnswer);
-        try (MockedStatic<UsageEventUtils> ignored = Mockito.mockStatic(UsageEventUtils.class)) {
+        try (MockedStatic<UsageEventUtils> ignored = Mockito.mockStatic(UsageEventUtils.class);
+             MockedConstruction<CheckedReservation> mockCheckedReservation = Mockito.mockConstruction(CheckedReservation.class)) {
             unmanagedVMsManager.importVm(cmd);
         }
     }
@@ -661,7 +731,17 @@ public void testGetTemplateForImportInstanceDefaultTemplate() {
     }
 
     private enum VcenterParameter {
-        EXISTING, EXTERNAL, BOTH, NONE, EXISTING_INVALID, AGENT_UNAVAILABLE, CONVERT_FAILURE
+        EXISTING,
+        EXTERNAL,
+        BOTH,
+        NONE,
+        EXISTING_INVALID,
+        AGENT_UNAVAILABLE,
+        CONVERT_FAILURE,
+        FORCE_MS_AND_USE_VDDK,
+        USE_VDDK_OVF_UNSUPPORTED,
+        USE_VDDK_OVF_SUPPORTED,
+        USE_VDDK_DETAILS_OVERRIDES
     }
 
     private void baseTestImportVmFromVmwareToKvm(VcenterParameter vcenterParameter, boolean selectConvertHost,
@@ -698,6 +778,34 @@ private void baseTestImportVmFromVmwareToKvm(VcenterParameter vcenterParameter,
         when(importVmCmd.getConvertInstanceHostId()).thenReturn(null);
         when(importVmCmd.getImportInstanceHostId()).thenReturn(null);
         when(importVmCmd.getConvertStoragePoolId()).thenReturn(null);
+        when(importVmCmd.getExistingVcenterId()).thenReturn(null);
+        when(importVmCmd.getVcenter()).thenReturn(null);
+        when(importVmCmd.getDatacenterName()).thenReturn(null);
+        when(importVmCmd.getUsername()).thenReturn(null);
+        when(importVmCmd.getPassword()).thenReturn(null);
+        when(importVmCmd.getDetails()).thenReturn(new HashMap<>());
+
+        boolean forceMsToImportVmFiles = false;
+        boolean useVddk = false;
+        boolean ovfExportSupported = false;
+        if (VcenterParameter.FORCE_MS_AND_USE_VDDK == vcenterParameter) {
+            forceMsToImportVmFiles = true;
+            useVddk = true;
+        } else if (VcenterParameter.USE_VDDK_OVF_UNSUPPORTED == vcenterParameter) {
+            useVddk = true;
+        } else if (VcenterParameter.USE_VDDK_OVF_SUPPORTED == vcenterParameter) {
+            useVddk = true;
+            ovfExportSupported = true;
+        } else if (VcenterParameter.USE_VDDK_DETAILS_OVERRIDES == vcenterParameter) {
+            useVddk = true;
+            ovfExportSupported = true;
+            when(importVmCmd.getDetails()).thenReturn(Map.of(
+                    "vddk.lib.dir", "/opt/vmware-vddk/override",
+                    "vddk.transports", "nbd:nbdssl",
+                    "vddk.thumbprint", "AA:BB:CC:DD:EE"));
+        }
+        when(importVmCmd.getForceMsToImportVmFiles()).thenReturn(forceMsToImportVmFiles);
+        when(importVmCmd.getUseVddk()).thenReturn(useVddk);
 
         NetworkVO networkVO = Mockito.mock(NetworkVO.class);
         when(networkVO.getGuestType()).thenReturn(Network.GuestType.L2);
@@ -759,11 +867,6 @@ private void baseTestImportVmFromVmwareToKvm(VcenterParameter vcenterParameter,
             when(datacenterVO.getPassword()).thenReturn(password);
             when(importVmCmd.getExistingVcenterId()).thenReturn(existingDatacenterId);
             when(vmwareDatacenterDao.findById(existingDatacenterId)).thenReturn(datacenterVO);
-        } else if (VcenterParameter.EXTERNAL == vcenterParameter) {
-            when(importVmCmd.getVcenter()).thenReturn(vcenterHost);
-            when(importVmCmd.getDatacenterName()).thenReturn(datacenter);
-            when(importVmCmd.getUsername()).thenReturn(username);
-            when(importVmCmd.getPassword()).thenReturn(password);
         }
 
         if (VcenterParameter.BOTH == vcenterParameter) {
@@ -777,8 +880,20 @@ private void baseTestImportVmFromVmwareToKvm(VcenterParameter vcenterParameter,
             when(vmwareDatacenterDao.findById(existingDatacenterId)).thenReturn(null);
         }
 
+        if (VcenterParameter.FORCE_MS_AND_USE_VDDK == vcenterParameter
+                || VcenterParameter.USE_VDDK_OVF_UNSUPPORTED == vcenterParameter
+                || VcenterParameter.USE_VDDK_OVF_SUPPORTED == vcenterParameter
+                || VcenterParameter.USE_VDDK_DETAILS_OVERRIDES == vcenterParameter) {
+            Mockito.doReturn((Long) null).when(importVmCmd).getExistingVcenterId();
+            Mockito.doReturn(vcenterHost).when(importVmCmd).getVcenter();
+            Mockito.doReturn(datacenter).when(importVmCmd).getDatacenterName();
+            Mockito.doReturn(username).when(importVmCmd).getUsername();
+            Mockito.doReturn(password).when(importVmCmd).getPassword();
+        }
+
         CheckConvertInstanceAnswer checkConvertInstanceAnswer = mock(CheckConvertInstanceAnswer.class);
         when(checkConvertInstanceAnswer.getResult()).thenReturn(vcenterParameter != VcenterParameter.CONVERT_FAILURE);
+        when(checkConvertInstanceAnswer.isOvfExportSupported()).thenReturn(ovfExportSupported);
         if (VcenterParameter.AGENT_UNAVAILABLE != vcenterParameter) {
             when(agentManager.send(Mockito.eq(convertHostId), Mockito.any(CheckConvertInstanceCommand.class))).thenReturn(checkConvertInstanceAnswer);
         }
@@ -797,12 +912,33 @@ private void baseTestImportVmFromVmwareToKvm(VcenterParameter vcenterParameter,
             Mockito.lenient().when(agentManager.send(Mockito.eq(convertHostId), Mockito.any(ImportConvertedInstanceCommand.class))).thenReturn(convertImportedInstanceAnswer);
         }
 
-        try (MockedStatic<UsageEventUtils> ignored = Mockito.mockStatic(UsageEventUtils.class)) {
+        try (MockedStatic<UsageEventUtils> ignored = Mockito.mockStatic(UsageEventUtils.class);
+             MockedConstruction<CheckedReservation> mockCheckedReservation = Mockito.mockConstruction(CheckedReservation.class)) {
             unmanagedVMsManager.importVm(importVmCmd);
             verify(vmwareGuru).getHypervisorVMOutOfBandAndCloneIfRequired(Mockito.eq(host), Mockito.eq(vmName), anyMap());
-            verify(vmwareGuru).createVMTemplateOutOfBand(Mockito.eq(host), Mockito.eq(vmName), anyMap(), any(DataStoreTO.class), anyInt());
+            if (VcenterParameter.USE_VDDK_OVF_SUPPORTED == vcenterParameter) {
+                verify(vmwareGuru, Mockito.never()).createVMTemplateOutOfBand(anyString(), anyString(), anyMap(), any(DataStoreTO.class), anyInt());
+                verify(agentManager).send(Mockito.eq(convertHostId), Mockito.<com.cloud.agent.api.Command>argThat(command ->
+                        command instanceof ConvertInstanceCommand && ((ConvertInstanceCommand) command).isUseVddk()));
+                verify(vmwareGuru, Mockito.never()).removeVMTemplateOutOfBand(any(DataStoreTO.class), anyString());
+            } else if (VcenterParameter.USE_VDDK_DETAILS_OVERRIDES == vcenterParameter) {
+                verify(vmwareGuru, Mockito.never()).createVMTemplateOutOfBand(anyString(), anyString(), anyMap(), any(DataStoreTO.class), anyInt());
+                verify(agentManager).send(Mockito.eq(convertHostId), Mockito.<com.cloud.agent.api.Command>argThat(command -> {
+                    if (!(command instanceof ConvertInstanceCommand)) {
+                        return false;
+                    }
+                    ConvertInstanceCommand convertCmd = (ConvertInstanceCommand) command;
+                    return convertCmd.isUseVddk()
+                            && "/opt/vmware-vddk/override".equals(convertCmd.getVddkLibDir())
+                            && "nbd:nbdssl".equals(convertCmd.getVddkTransports())
+                            && "AA:BB:CC:DD:EE".equals(convertCmd.getVddkThumbprint());
+                }));
+                verify(vmwareGuru, Mockito.never()).removeVMTemplateOutOfBand(any(DataStoreTO.class), anyString());
+            } else {
+                verify(vmwareGuru).createVMTemplateOutOfBand(Mockito.eq(host), Mockito.eq(vmName), anyMap(), any(DataStoreTO.class), anyInt());
+                verify(vmwareGuru).removeVMTemplateOutOfBand(any(DataStoreTO.class), anyString());
+            }
             verify(vmwareGuru).removeClonedHypervisorVMOutOfBand(Mockito.eq(host), Mockito.eq(vmName), anyMap());
-            verify(vmwareGuru).removeVMTemplateOutOfBand(any(DataStoreTO.class), anyString());
         }
     }
 
@@ -831,7 +967,7 @@ private void importFromDisk(String source) throws InsufficientServerCapacityExce
         DeployDestination mockDest = Mockito.mock(DeployDestination.class);
         when(deploymentPlanningManager.planDeployment(any(), any(), any(), any())).thenReturn(mockDest);
         DiskProfile diskProfile = Mockito.mock(DiskProfile.class);
-        when(volumeManager.allocateRawVolume(any(), any(), any(), any(), any(), any(), any(), any(), any(), any()))
+        when(volumeManager.allocateRawVolume(any(), any(), any(), any(), any(), any(), any(), any(), any(), any(), anyBoolean()))
                         .thenReturn(diskProfile);
         Map<Volume, StoragePool> storage = new HashMap<>();
         VolumeVO volume = Mockito.mock(VolumeVO.class);
@@ -850,7 +986,8 @@ private void importFromDisk(String source) throws InsufficientServerCapacityExce
         when(volumeApiService.doesStoragePoolSupportDiskOffering(any(StoragePool.class), any())).thenReturn(true);
         StoragePoolHostVO storagePoolHost = Mockito.mock(StoragePoolHostVO.class);
         when(storagePoolHostDao.findByPoolHost(anyLong(), anyLong())).thenReturn(storagePoolHost);
-        try (MockedStatic<UsageEventUtils> ignored = Mockito.mockStatic(UsageEventUtils.class)) {
+        try (MockedStatic<UsageEventUtils> ignored = Mockito.mockStatic(UsageEventUtils.class);
+             MockedConstruction<CheckedReservation> mockCheckedReservation = Mockito.mockConstruction(CheckedReservation.class)) {
                 unmanagedVMsManager.importVm(cmd);
         }
     }
@@ -895,6 +1032,49 @@ public void testImportVmFromVmwareToKvmExistingVcenterConvertFailure() throws Op
         baseTestImportVmFromVmwareToKvm(VcenterParameter.CONVERT_FAILURE, false, false);
     }
 
+    @Test(expected = ServerApiException.class)
+    public void testImportVmFromVmwareToKvmForceMsMutuallyExclusiveWithUseVddk() throws OperationTimedoutException, AgentUnavailableException {
+        baseTestImportVmFromVmwareToKvm(VcenterParameter.FORCE_MS_AND_USE_VDDK, false, false);
+    }
+
+    @Test(expected = InvalidParameterValueException.class)
+    public void testValidateSelectedConversionStoragePoolForVddkFailsWhenPoolDoesNotSupportDiskOfferings() {
+        long poolId = 11L;
+        StoragePoolVO selectedPool = mock(StoragePoolVO.class);
+        ServiceOfferingVO serviceOffering = mock(ServiceOfferingVO.class);
+        DiskOfferingVO rootDiskOffering = mock(DiskOfferingVO.class);
+        DiskOfferingVO dataDiskOffering = mock(DiskOfferingVO.class);
+
+        when(serviceOffering.getDiskOfferingId()).thenReturn(21L);
+        when(primaryDataStoreDao.findById(poolId)).thenReturn(selectedPool);
+        when(diskOfferingDao.findById(21L)).thenReturn(rootDiskOffering);
+        when(diskOfferingDao.findById(22L)).thenReturn(dataDiskOffering);
+        when(volumeApiService.doesStoragePoolSupportDiskOffering(selectedPool, rootDiskOffering)).thenReturn(true);
+        when(volumeApiService.doesStoragePoolSupportDiskOffering(selectedPool, dataDiskOffering)).thenReturn(false);
+
+        unmanagedVMsManager.validateSelectedConversionStoragePoolForVddk(true, poolId,
+                serviceOffering, Map.of("1000-2", 22L));
+    }
+
+    @Test
+    public void testValidateSelectedConversionStoragePoolForVddkPassesWhenPoolSupportsAllDiskOfferings() {
+        long poolId = 12L;
+        StoragePoolVO selectedPool = mock(StoragePoolVO.class);
+        ServiceOfferingVO serviceOffering = mock(ServiceOfferingVO.class);
+        DiskOfferingVO rootDiskOffering = mock(DiskOfferingVO.class);
+        DiskOfferingVO dataDiskOffering = mock(DiskOfferingVO.class);
+
+        when(serviceOffering.getDiskOfferingId()).thenReturn(31L);
+        when(primaryDataStoreDao.findById(poolId)).thenReturn(selectedPool);
+        when(diskOfferingDao.findById(31L)).thenReturn(rootDiskOffering);
+        when(diskOfferingDao.findById(32L)).thenReturn(dataDiskOffering);
+        when(volumeApiService.doesStoragePoolSupportDiskOffering(selectedPool, rootDiskOffering)).thenReturn(true);
+        when(volumeApiService.doesStoragePoolSupportDiskOffering(selectedPool, dataDiskOffering)).thenReturn(true);
+
+        unmanagedVMsManager.validateSelectedConversionStoragePoolForVddk(true, poolId,
+                serviceOffering, Map.of("1000-2", 32L));
+    }
+
     private ClusterVO getClusterForTests() {
         ClusterVO cluster = mock(ClusterVO.class);
         when(cluster.getId()).thenReturn(1L);
@@ -1076,7 +1256,7 @@ public void testSelectKVMHostForConversionInClusterWithImportInstanceIdEnabledHo
 
         when(hostDao.findById(hostId)).thenReturn(host);
 
-        HostVO returnedHost = unmanagedVMsManager.selectKVMHostForConversionInCluster(cluster, hostId);
+        HostVO returnedHost = unmanagedVMsManager.selectKVMHostForConversionInCluster(cluster, hostId, false);
         Assert.assertEquals(host, returnedHost);
     }
 
@@ -1092,7 +1272,7 @@ public void testSelectKVMHostForConversionInClusterWithImportInstanceIdDisabledH
 
         when(hostDao.findById(hostId)).thenReturn(host);
 
-        HostVO returnedHost = unmanagedVMsManager.selectKVMHostForConversionInCluster(cluster, hostId);
+        HostVO returnedHost = unmanagedVMsManager.selectKVMHostForConversionInCluster(cluster, hostId, false);
         Assert.assertEquals(host, returnedHost);
     }
 
@@ -1104,7 +1284,7 @@ public void testSelectKVMHostForConversionInClusterWithImportInstanceIdSuccessCo
         when(hostDao.listByClusterHypervisorTypeAndHostCapability(cluster.getId(),
                 cluster.getHypervisorType(), Host.HOST_INSTANCE_CONVERSION)).thenReturn(List.of(host));
 
-        HostVO returnedHost = unmanagedVMsManager.selectKVMHostForConversionInCluster(cluster, null);
+        HostVO returnedHost = unmanagedVMsManager.selectKVMHostForConversionInCluster(cluster, null, false);
         Assert.assertEquals(host, returnedHost);
     }
 
@@ -1118,7 +1298,7 @@ public void testSelectKVMHostForConversionInClusterWithImportInstanceIdSuccessNo
 
         when(hostDao.listByClusterAndHypervisorType(cluster.getId(), cluster.getHypervisorType())).thenReturn(List.of(host));
 
-        HostVO returnedHost = unmanagedVMsManager.selectKVMHostForConversionInCluster(cluster, null);
+        HostVO returnedHost = unmanagedVMsManager.selectKVMHostForConversionInCluster(cluster, null, false);
         Assert.assertEquals(host, returnedHost);
     }
 
@@ -1131,7 +1311,7 @@ public void testSelectKVMHostForConversionInClusterWithImportInstanceIdFailure()
 
         when(hostDao.listByClusterAndHypervisorType(cluster.getId(), cluster.getHypervisorType())).thenReturn(List.of());
 
-        unmanagedVMsManager.selectKVMHostForConversionInCluster(cluster, null);
+        unmanagedVMsManager.selectKVMHostForConversionInCluster(cluster, null, false);
     }
 
     @Test(expected = CloudRuntimeException.class)
@@ -1146,7 +1326,7 @@ public void testSelectKVMHostForConversionInClusterWithImportInstanceIdInvalidZo
 
         when(hostDao.findById(hostId)).thenReturn(host);
 
-        unmanagedVMsManager.selectKVMHostForConversionInCluster(cluster, hostId);
+        unmanagedVMsManager.selectKVMHostForConversionInCluster(cluster, hostId, false);
     }
 
     @Test(expected = CloudRuntimeException.class)
@@ -1160,7 +1340,7 @@ public void testSelectKVMHostForConversionInClusterWithImportInstanceIdInvalidTy
 
         when(hostDao.findById(hostId)).thenReturn(host);
 
-        unmanagedVMsManager.selectKVMHostForConversionInCluster(cluster, hostId);
+        unmanagedVMsManager.selectKVMHostForConversionInCluster(cluster, hostId, false);
     }
 
     @Test(expected = CloudRuntimeException.class)
@@ -1173,7 +1353,7 @@ public void testSelectKVMHostForConversionInClusterWithImportInstanceIdInvalidSt
 
         when(hostDao.findById(hostId)).thenReturn(host);
 
-        unmanagedVMsManager.selectKVMHostForConversionInCluster(cluster, hostId);
+        unmanagedVMsManager.selectKVMHostForConversionInCluster(cluster, hostId, false);
     }
 
     @Test(expected = CloudRuntimeException.class)
@@ -1185,7 +1365,7 @@ public void testSelectKVMHostForConversionInClusterWithImportInstanceIdInvalidRe
 
         when(hostDao.findById(hostId)).thenReturn(host);
 
-        unmanagedVMsManager.selectKVMHostForConversionInCluster(cluster, hostId);
+        unmanagedVMsManager.selectKVMHostForConversionInCluster(cluster, hostId, false);
     }
 
     @Test(expected = CloudRuntimeException.class)
@@ -1195,43 +1375,23 @@ public void testSelectKVMHostForConversionInClusterWithImportInstanceIdInvalidHo
 
         when(hostDao.findById(hostId)).thenReturn(null);
 
-        unmanagedVMsManager.selectKVMHostForConversionInCluster(cluster, hostId);
+        unmanagedVMsManager.selectKVMHostForConversionInCluster(cluster, hostId, false);
     }
 
     @Test
-    public void testCheckUnmanagedDiskLimits() {
-        Account owner = Mockito.mock(Account.class);
-        UnmanagedInstanceTO.Disk disk = Mockito.mock(UnmanagedInstanceTO.Disk.class);
-        Mockito.when(disk.getDiskId()).thenReturn("disk1");
-        Mockito.when(disk.getCapacity()).thenReturn(100L);
-        ServiceOffering serviceOffering = Mockito.mock(ServiceOffering.class);
-        Mockito.when(serviceOffering.getDiskOfferingId()).thenReturn(1L);
-        UnmanagedInstanceTO.Disk dataDisk = Mockito.mock(UnmanagedInstanceTO.Disk.class);
-        Mockito.when(dataDisk.getDiskId()).thenReturn("disk2");
-        Mockito.when(dataDisk.getCapacity()).thenReturn(1000L);
-        Map<String, Long> dataDiskMap = new HashMap<>();
-        dataDiskMap.put("disk2", 2L);
-        DiskOfferingVO offering1 = Mockito.mock(DiskOfferingVO.class);
-        Mockito.when(diskOfferingDao.findById(1L)).thenReturn(offering1);
-        String tag1 = "tag1";
-        Mockito.when(resourceLimitService.getResourceLimitStorageTags(offering1)).thenReturn(List.of(tag1));
-        DiskOfferingVO offering2 = Mockito.mock(DiskOfferingVO.class);
-        Mockito.when(diskOfferingDao.findById(2L)).thenReturn(offering2);
-        String tag2 = "tag2";
-        Mockito.when(resourceLimitService.getResourceLimitStorageTags(offering2)).thenReturn(List.of(tag2));
-        try {
-            Mockito.doNothing().when(resourceLimitService).checkResourceLimit(any(), any(), any());
-            Mockito.doNothing().when(resourceLimitService).checkResourceLimitWithTag(any(), any(), any(), any());
-            unmanagedVMsManager.checkUnmanagedDiskLimits(owner, disk, serviceOffering, List.of(dataDisk), dataDiskMap);
-            Mockito.verify(resourceLimitService, Mockito.times(1)).checkResourceLimit(owner, Resource.ResourceType.volume, 2);
-            Mockito.verify(resourceLimitService, Mockito.times(1)).checkResourceLimit(owner, Resource.ResourceType.primary_storage, 1100L);
-            Mockito.verify(resourceLimitService, Mockito.times(1)).checkResourceLimitWithTag(owner, Resource.ResourceType.volume, tag1,1);
-            Mockito.verify(resourceLimitService, Mockito.times(1)).checkResourceLimitWithTag(owner, Resource.ResourceType.volume, tag2,1);
-            Mockito.verify(resourceLimitService, Mockito.times(1)).checkResourceLimitWithTag(owner, Resource.ResourceType.primary_storage, tag1,100L);
-            Mockito.verify(resourceLimitService, Mockito.times(1)).checkResourceLimitWithTag(owner, Resource.ResourceType.primary_storage, tag2,1000L);
-        } catch (ResourceAllocationException e) {
-            Assert.fail("Exception encountered: " + e.getMessage());
-        }
+    public void testSelectKVMHostForConversionInClusterVddkAutoSelectsHostWithVddkSupport() {
+        ClusterVO cluster = getClusterForTests();
+        HostVO hostWithVddk = Mockito.mock(HostVO.class);
+        HostVO hostWithoutVddk = Mockito.mock(HostVO.class);
+        when(hostWithVddk.getDetail(Host.HOST_VDDK_SUPPORT)).thenReturn("true");
+        when(hostWithoutVddk.getDetail(Host.HOST_VDDK_SUPPORT)).thenReturn(null);
+
+        when(hostDao.listByClusterHypervisorTypeAndHostCapability(cluster.getId(),
+                cluster.getHypervisorType(), Host.HOST_INSTANCE_CONVERSION))
+                .thenReturn(List.of(hostWithoutVddk, hostWithVddk));
+
+        HostVO returnedHost = unmanagedVMsManager.selectKVMHostForConversionInCluster(cluster, null, true);
+        Assert.assertEquals(hostWithVddk, returnedHost);
     }
 
     @Test
@@ -1351,4 +1511,102 @@ public void testAddServiceOfferingDetailsToParamsCustomUnconstrainedOffering() {
         Assert.assertFalse(params.containsKey(VmDetailConstants.CPU_SPEED));
         Assert.assertFalse(params.containsKey(VmDetailConstants.MEMORY));
     }
+
+    @Test
+    public void checkVmResourceLimitsForUnmanagedInstanceImportTestUsesInformationFromHypervisorWhenOfferingIsDynamic() throws Exception {
+        when(serviceOfferingMock.isDynamic()).thenReturn(true);
+        List<Reserver> reservations = new ArrayList<>();
+
+        try (MockedConstruction<CheckedReservation> mockedConstruction = Mockito.mockConstruction(CheckedReservation.class)) {
+            unmanagedVMsManager.checkVmResourceLimitsForUnmanagedInstanceImport(accountMock, unmanagedInstanceMock, serviceOfferingMock, templateMock, reservations);
+
+            Assert.assertEquals(3, mockedConstruction.constructed().size());
+            Assert.assertEquals(3, reservations.size());
+            verify(unmanagedInstanceMock).getCpuCores();
+            verify(unmanagedInstanceMock).getMemory();
+        }
+    }
+
+    @Test
+    public void checkVmResourceLimitsForUnmanagedInstanceImportTestUsesInformationFromHypervisorWhenVmIsPoweredOn() throws Exception {
+        when(unmanagedInstanceMock.getPowerState()).thenReturn(UnmanagedInstanceTO.PowerState.PowerOn);
+        when(serviceOfferingMock.isDynamic()).thenReturn(false);
+        List<Reserver> reservations = new ArrayList<>();
+
+        try (MockedConstruction<CheckedReservation> mockedConstruction = Mockito.mockConstruction(CheckedReservation.class)) {
+            unmanagedVMsManager.checkVmResourceLimitsForUnmanagedInstanceImport(accountMock, unmanagedInstanceMock, serviceOfferingMock, templateMock, reservations);
+
+            Assert.assertEquals(3, mockedConstruction.constructed().size());
+            Assert.assertEquals(3, reservations.size());
+            verify(unmanagedInstanceMock).getCpuCores();
+            verify(unmanagedInstanceMock).getMemory();
+        }
+    }
+
+    @Test
+    public void checkVmResourceLimitsForUnmanagedInstanceImportTestUsesInformationFromOfferingWhenOfferingIsNotDynamicAndVmIsPoweredOff() throws Exception {
+        when(unmanagedInstanceMock.getPowerState()).thenReturn(UnmanagedInstanceTO.PowerState.PowerOff);
+        when(serviceOfferingMock.isDynamic()).thenReturn(false);
+        List<Reserver> reservations = new ArrayList<>();
+
+        try (MockedConstruction<CheckedReservation> mockedConstruction = Mockito.mockConstruction(CheckedReservation.class)) {
+            unmanagedVMsManager.checkVmResourceLimitsForUnmanagedInstanceImport(accountMock, unmanagedInstanceMock, serviceOfferingMock, templateMock, reservations);
+
+            Assert.assertEquals(3, mockedConstruction.constructed().size());
+            Assert.assertEquals(3, reservations.size());
+            verify(serviceOfferingMock).getCpu();
+            verify(serviceOfferingMock).getRamSize();
+            verify(unmanagedInstanceMock, Mockito.never()).getCpuCores();
+            verify(unmanagedInstanceMock, Mockito.never()).getMemory();
+        }
+    }
+
+    @Test
+    public void checkVmResourceLimitsForExternalKvmVmImportTestUsesInformationFromOfferingWhenOfferingIsNotDynamic() throws ResourceAllocationException {
+        when(serviceOfferingMock.isDynamic()).thenReturn(false);
+        Map<String, String> details = new HashMap<>();
+        List<Reserver> reservations = new ArrayList<>();
+
+        try (MockedConstruction<CheckedReservation> mockedConstruction = Mockito.mockConstruction(CheckedReservation.class)) {
+            unmanagedVMsManager.checkVmResourceLimitsForExternalKvmVmImport(accountMock, serviceOfferingMock, templateMock, details, reservations);
+
+            Assert.assertEquals(3, mockedConstruction.constructed().size());
+            Assert.assertEquals(3, reservations.size());
+            verify(serviceOfferingMock).getCpu();
+            verify(serviceOfferingMock).getRamSize();
+            verify(unmanagedVMsManager, Mockito.never()).getDetailAsInteger(VmDetailConstants.CPU_NUMBER, details);
+            verify(unmanagedVMsManager, Mockito.never()).getDetailAsInteger(VmDetailConstants.MEMORY, details);
+        }
+    }
+
+    @Test
+    public void checkVmResourceLimitsForExternalKvmVmImportTestUsesInformationFromDetailsWhenOfferingIsDynamic() throws ResourceAllocationException {
+        when(serviceOfferingMock.isDynamic()).thenReturn(true);
+        Map<String, String> details = new HashMap<>();
+        details.put(VmDetailConstants.CPU_NUMBER, "8");
+        details.put(VmDetailConstants.MEMORY, "4096");
+        List<Reserver> reservations = new ArrayList<>();
+
+        try (MockedConstruction<CheckedReservation> mockedConstruction = Mockito.mockConstruction(CheckedReservation.class)) {
+            unmanagedVMsManager.checkVmResourceLimitsForExternalKvmVmImport(accountMock, serviceOfferingMock, templateMock, details, reservations);
+
+            Assert.assertEquals(3, mockedConstruction.constructed().size());
+            Assert.assertEquals(3, reservations.size());
+            verify(unmanagedVMsManager).getDetailAsInteger(VmDetailConstants.CPU_NUMBER, details);
+            verify(unmanagedVMsManager).getDetailAsInteger(VmDetailConstants.MEMORY, details);
+        }
+    }
+
+    @Test(expected = InvalidParameterValueException.class)
+    public void getDetailAsIntegerTestThrowsInvalidParameterValueExceptionWhenDetailIsNull() {
+        Map<String, String> details = new HashMap<>();
+        unmanagedVMsManager.getDetailAsInteger("non-existent", details);
+    }
+
+    @Test(expected = InvalidParameterValueException.class)
+    public void getDetailAsIntegerTestThrowsInvalidParameterValueExceptionWhenValueIsInvalid() {
+        Map<String, String> details = new HashMap<>();
+        details.put("key", "not-a-number");
+        unmanagedVMsManager.getDetailAsInteger("key", details);
+    }
 }
diff --git a/services/console-proxy/rdpconsole/pom.xml b/services/console-proxy/rdpconsole/pom.xml
index 058ea891f9cd..9e722be37a09 100644
--- a/services/console-proxy/rdpconsole/pom.xml
+++ b/services/console-proxy/rdpconsole/pom.xml
@@ -46,11 +46,11 @@
         <!-- Another implementation of SSL protocol. Does not work with broken MS RDP SSL too. -->
         <dependency>
             <groupId>org.bouncycastle</groupId>
-            <artifactId>bcprov-jdk15on</artifactId>
+            <artifactId>bcprov-jdk18on</artifactId>
         </dependency>
         <dependency>
             <groupId>org.bouncycastle</groupId>
-            <artifactId>bctls-jdk15on</artifactId>
+            <artifactId>bctls-jdk18on</artifactId>
         </dependency>
         <dependency>
             <groupId>com.sun.xml.security</groupId>
diff --git a/services/secondary-storage/server/src/main/java/org/apache/cloudstack/storage/resource/HttpUploadServerHandler.java b/services/secondary-storage/server/src/main/java/org/apache/cloudstack/storage/resource/HttpUploadServerHandler.java
index a580105d52a5..605749649bb0 100644
--- a/services/secondary-storage/server/src/main/java/org/apache/cloudstack/storage/resource/HttpUploadServerHandler.java
+++ b/services/secondary-storage/server/src/main/java/org/apache/cloudstack/storage/resource/HttpUploadServerHandler.java
@@ -130,6 +130,7 @@ public void channelUnregistered(ChannelHandlerContext ctx) throws Exception {
         if (decoder != null) {
             decoder.cleanFiles();
         }
+        storageResource.deregisterUploadChannel(uuid);
         requestProcessed = false;
     }
 
@@ -182,6 +183,7 @@ public void channelRead0(ChannelHandlerContext ctx, HttpObject msg) throws Excep
                     requestProcessed = true;
                     return;
                 }
+                storageResource.registerUploadChannel(uuid, ctx.channel());
                 //set the base directory to download the file
                 DiskFileUpload.baseDirectory = uploadEntity.getInstallPathPrefix();
                 this.processTimeout = uploadEntity.getProcessTimeout();
diff --git a/services/secondary-storage/server/src/main/java/org/apache/cloudstack/storage/resource/NfsSecondaryStorageResource.java b/services/secondary-storage/server/src/main/java/org/apache/cloudstack/storage/resource/NfsSecondaryStorageResource.java
index 8dd2fa23169b..3a5ea8b0252b 100644
--- a/services/secondary-storage/server/src/main/java/org/apache/cloudstack/storage/resource/NfsSecondaryStorageResource.java
+++ b/services/secondary-storage/server/src/main/java/org/apache/cloudstack/storage/resource/NfsSecondaryStorageResource.java
@@ -49,6 +49,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.UUID;
+import java.util.concurrent.ConcurrentHashMap;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
@@ -258,7 +259,8 @@ public void setTimeout(int timeout) {
     protected String _parent = "/mnt/SecStorage";
     final private String _tmpltpp = "template.properties";
     protected String createTemplateFromSnapshotXenScript;
-    private HashMap<String, UploadEntity> uploadEntityStateMap = new HashMap<>();
+    private final Map<String, UploadEntity> uploadEntityStateMap = new ConcurrentHashMap<>();
+    private final Map<String, Channel> uploadChannelMap = new ConcurrentHashMap<>();
     private String _ssvmPSK = null;
     private long processTimeout;
 
@@ -2395,6 +2397,20 @@ private UploadStatusAnswer execute(UploadStatusCommand cmd) {
         String entityUuid = cmd.getEntityUuid();
         if (uploadEntityStateMap.containsKey(entityUuid)) {
             UploadEntity uploadEntity = uploadEntityStateMap.get(entityUuid);
+            if (Boolean.TRUE.equals(cmd.getAbort())) {
+                updateStateMapWithError(entityUuid, "Upload Entity aborted");
+                String errorMsg = uploadEntity.getErrorMessage();
+                if (errorMsg == null) {
+                    errorMsg = "Upload aborted by management server";
+                }
+                Channel channel = uploadChannelMap.remove(entityUuid);
+                if (channel != null && channel.isActive()) {
+                    logger.info("Closing upload channel for entity {}", entityUuid);
+                    channel.close();
+                }
+                uploadEntityStateMap.remove(entityUuid);
+                return new UploadStatusAnswer(cmd, UploadStatus.ERROR, errorMsg);
+            }
             if (uploadEntity.getUploadState() == UploadEntity.Status.ERROR) {
                 uploadEntityStateMap.remove(entityUuid);
                 return new UploadStatusAnswer(cmd, UploadStatus.ERROR, uploadEntity.getErrorMessage());
@@ -2413,6 +2429,7 @@ private UploadStatusAnswer execute(UploadStatusCommand cmd) {
                 UploadStatusAnswer answer = new UploadStatusAnswer(cmd, UploadStatus.IN_PROGRESS);
                 long downloadedSize = FileUtils.sizeOfDirectory(new File(uploadEntity.getInstallPathPrefix()));
                 int downloadPercent = (int)(100 * downloadedSize / uploadEntity.getContentLength());
+                answer.setPhysicalSize(downloadedSize);
                 answer.setDownloadPercent(Math.min(downloadPercent, 100));
                 return answer;
             }
@@ -3442,6 +3459,10 @@ private int getSizeInGB(long sizeInBytes) {
 
     public String postUpload(String uuid, String filename, long processTimeout) {
         UploadEntity uploadEntity = uploadEntityStateMap.get(uuid);
+        if (uploadEntity == null) {
+            logger.warn("Upload entity not found for uuid: {}. Upload may have been aborted.", uuid);
+            return "Upload entity not found. Upload may have been aborted.";
+        }
         int installTimeoutPerGig = 180 * 60 * 1000;
 
         String resourcePath = uploadEntity.getInstallPathPrefix();
@@ -3592,6 +3613,16 @@ protected String getPostUploadPSK() {
         return _ssvmPSK;
     }
 
+    public void registerUploadChannel(String uuid, Channel channel) {
+        uploadChannelMap.put(uuid, channel);
+    }
+
+    public void deregisterUploadChannel(String uuid) {
+        if (uuid != null) {
+            uploadChannelMap.remove(uuid);
+        }
+    }
+
     public void updateStateMapWithError(String uuid, String errorMessage) {
         UploadEntity uploadEntity = null;
         if (uploadEntityStateMap.get(uuid) != null) {
diff --git a/services/secondary-storage/server/src/main/java/org/apache/cloudstack/storage/template/DownloadManagerImpl.java b/services/secondary-storage/server/src/main/java/org/apache/cloudstack/storage/template/DownloadManagerImpl.java
index 23ad6767b20e..f7cdf1ab51ac 100644
--- a/services/secondary-storage/server/src/main/java/org/apache/cloudstack/storage/template/DownloadManagerImpl.java
+++ b/services/secondary-storage/server/src/main/java/org/apache/cloudstack/storage/template/DownloadManagerImpl.java
@@ -999,7 +999,7 @@ private DownloadAnswer handleDownloadProgressCmd(SecondaryStorageResource resour
             break; // TODO
         }
         return new DownloadAnswer(jobId, getDownloadPct(jobId), getDownloadError(jobId), getDownloadStatus2(jobId), getDownloadLocalPath(jobId), getInstallPath(jobId),
-                getDownloadTemplateSize(jobId), getDownloadTemplatePhysicalSize(jobId), getDownloadCheckSum(jobId));
+                getDownloadTemplateSize(jobId), td.getDownloadedBytes(), getDownloadCheckSum(jobId));
     }
 
     private String getInstallPath(String jobId) {
diff --git a/setup/db/deploy-db-dev.sh b/setup/db/deploy-db-dev.sh
index 7896276f8f97..4e0814e0c3f1 100755
--- a/setup/db/deploy-db-dev.sh
+++ b/setup/db/deploy-db-dev.sh
@@ -104,9 +104,10 @@ CP=./
 
 CP=${CP}$PATHSEP$CATALINA_HOME/conf
 
-# Add mysql jar from mysql-connector-java package to CP
+# Add mysql jar from mysql-connector-j package to CP
 # for Jenkins
-CP=${CP}${PATHSEP}/usr/share/java/mysql-connector-java.jar
+MYSQL_CONNECTOR_VERSION = '8.4.0'
+CP=${CP}${PATHSEP}/usr/share/java/mysql-connector-j-${MYSQL_CONNECTOR_VERSION}.jar
 
 for file in $CATALINA_HOME/webapps/client/WEB-INF/lib/*.jar
 do
diff --git a/systemvm/debian/opt/cloud/bin/cs/CsAddress.py b/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
index c7dac4df47ea..bde4a976e31c 100755
--- a/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
+++ b/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
@@ -584,6 +584,37 @@ def fw_vpcrouter(self):
                                 "-A PREROUTING -m state --state NEW -i %s -s %s ! -d %s/32 -j ACL_OUTBOUND_%s" %
                                 (self.dev, guestNetworkCidr, self.address['gateway'], self.dev)])
 
+        # Process static routes for this interface
+        static_routes = CsStaticRoutes("staticroutes", self.config)
+        if static_routes:
+            for item in static_routes.get_bag():
+                if item == "id":
+                    continue
+                static_route = static_routes.get_bag()[item]
+                if static_route['revoke']:
+                    continue
+
+                # Check if this static route applies to this interface
+                # Old style: ip_address field matches this interface's public_ip
+                # New style (nexthop): gateway is in this interface's subnet
+                applies_to_interface = False
+                if 'ip_address' in static_route and static_route['ip_address'] == self.address['public_ip']:
+                    applies_to_interface = True
+                elif 'gateway' in static_route:
+                    device = CsHelper.find_device_for_gateway(self.config, static_route['gateway'])
+                    if device == self.dev:
+                        applies_to_interface = True
+
+                if applies_to_interface:
+                    self.fw.append(["mangle", "",
+                                    "-A PREROUTING -m state --state NEW -i %s -s %s ! -d %s/32 -j ACL_OUTBOUND_%s" %
+                                    (self.dev, static_route['network'], self.address['public_ip'], self.dev)])
+                    self.fw.append(["filter", "front", "-A FORWARD -d %s -o %s -j ACL_INBOUND_%s" %
+                                    (static_route['network'], self.dev, self.dev)])
+                    self.fw.append(["filter", "front",
+                                    "-A FORWARD -d %s -o %s -m state --state RELATED,ESTABLISHED -j ACCEPT" %
+                                    (static_route['network'], self.dev)])
+
         if self.is_private_gateway():
             self.fw.append(["filter", "front", "-A FORWARD -d %s -o %s -j ACL_INBOUND_%s" %
                             (self.address['network'], self.dev, self.dev)])
@@ -597,22 +628,6 @@ def fw_vpcrouter(self):
                             "-A PREROUTING -s %s -d %s -m state --state NEW -j MARK --set-xmark %s/0xffffffff" %
                             (self.cl.get_vpccidr(), self.address['network'], hex(100 + int(self.dev[3:])))])
 
-            static_routes = CsStaticRoutes("staticroutes", self.config)
-            if static_routes:
-                for item in static_routes.get_bag():
-                    if item == "id":
-                        continue
-                    static_route = static_routes.get_bag()[item]
-                    if 'ip_address' in static_route and static_route['ip_address'] == self.address['public_ip'] and not static_route['revoke']:
-                        self.fw.append(["mangle", "",
-                                        "-A PREROUTING -m state --state NEW -i %s -s %s ! -d %s/32 -j ACL_OUTBOUND_%s" %
-                                        (self.dev, static_route['network'], static_route['ip_address'], self.dev)])
-                        self.fw.append(["filter", "front", "-A FORWARD -d %s -o %s -j ACL_INBOUND_%s" %
-                                        (static_route['network'], self.dev, self.dev)])
-                        self.fw.append(["filter", "front",
-                                        "-A FORWARD -d %s -o %s -m state --state RELATED,ESTABLISHED -j ACCEPT" %
-                                        (static_route['network'], self.dev)])
-
             if self.address["source_nat"]:
                 self.fw.append(["nat", "front",
                                 "-A POSTROUTING -o %s -j SNAT --to-source %s" %
diff --git a/systemvm/debian/opt/cloud/bin/cs/CsHelper.py b/systemvm/debian/opt/cloud/bin/cs/CsHelper.py
index c71bcdac4f42..28bed0ae5d6d 100755
--- a/systemvm/debian/opt/cloud/bin/cs/CsHelper.py
+++ b/systemvm/debian/opt/cloud/bin/cs/CsHelper.py
@@ -25,8 +25,12 @@
 import os.path
 import re
 import shutil
+from typing import Optional, TYPE_CHECKING
 from netaddr import *
 
+if TYPE_CHECKING:
+    from .CsConfig import CsConfig
+
 PUBLIC_INTERFACES = {"router": "eth2", "vpcrouter": "eth1"}
 
 STATE_COMMANDS = {"router": "ip addr show dev eth0 | grep inet | wc -l | xargs bash -c  'if [ $0 == 2 ]; then echo \"PRIMARY\"; else echo \"BACKUP\"; fi'",
@@ -270,3 +274,29 @@ def copy(src, dest):
         logging.error("Could not copy %s to %s" % (src, dest))
     else:
         logging.info("Copied %s to %s" % (src, dest))
+
+
+def find_device_for_gateway(config: 'CsConfig', gateway_ip: str) -> Optional[str]:
+    """
+    Find which ethernet device the gateway IP belongs to by checking
+    if the gateway is in any of the configured interface subnets.
+
+    Args:
+        config: CsConfig instance containing network configuration
+        gateway_ip: IP address of the gateway to locate
+
+    Returns:
+        Device name (e.g., 'eth2') or None if not found
+    """
+    try:
+        interfaces = config.address().get_interfaces()
+        for interface in interfaces:
+            if not interface.is_added():
+                continue
+            if interface.ip_in_subnet(gateway_ip):
+                return interface.get_device()
+        logging.debug("No matching device found for gateway %s" % gateway_ip)
+        return None
+    except Exception as e:
+        logging.error("Error finding device for gateway %s: %s" % (gateway_ip, e))
+        return None
diff --git a/systemvm/debian/opt/cloud/bin/cs/CsNetfilter.py b/systemvm/debian/opt/cloud/bin/cs/CsNetfilter.py
index 80d64e8f2d92..63d7724dd20a 100755
--- a/systemvm/debian/opt/cloud/bin/cs/CsNetfilter.py
+++ b/systemvm/debian/opt/cloud/bin/cs/CsNetfilter.py
@@ -232,7 +232,7 @@ def add_ip6_chain(self, address_family, table, chain, hook, action):
         if hook == "input" or hook == "output":
             CsHelper.execute("nft add rule %s %s %s icmpv6 type { echo-request, echo-reply, \
                 nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept" % (address_family, table, chain))
-        elif hook == "forward":
+        if hook == "input" or hook == "forward":
             CsHelper.execute("nft add rule %s %s %s ct state established,related accept" % (address_family, table, chain))
 
     def add_ip4_chain(self, address_family, table, chain, hook, action):
@@ -244,6 +244,8 @@ def add_ip4_chain(self, address_family, table, chain, hook, action):
         CsHelper.execute("nft add chain %s %s %s '{ %s }'" % (address_family, table, chain, chain_policy))
         if hook == "input" or hook == "output":
             CsHelper.execute("nft add rule %s %s %s icmp type { echo-request, echo-reply } accept" % (address_family, table, chain))
+        elif hook == "forward":
+            CsHelper.execute("nft add rule %s %s %s ct state established,related accept" % (address_family, table, chain))
 
     def apply_nft_ipv4_rules(self, rules, type):
         if len(rules) == 0:
diff --git a/systemvm/debian/opt/cloud/bin/cs/CsStaticRoutes.py b/systemvm/debian/opt/cloud/bin/cs/CsStaticRoutes.py
index bcd669b6d454..d15ea66e164e 100755
--- a/systemvm/debian/opt/cloud/bin/cs/CsStaticRoutes.py
+++ b/systemvm/debian/opt/cloud/bin/cs/CsStaticRoutes.py
@@ -20,6 +20,7 @@
 import logging
 from . import CsHelper
 from .CsDatabag import CsDataBag
+from .CsRoute import CsRoute
 
 
 class CsStaticRoutes(CsDataBag):
@@ -31,13 +32,46 @@ def process(self):
                 continue
             self.__update(self.dbag[item])
 
+
+
     def __update(self, route):
+        network = route['network']
+        gateway = route['gateway']
+
         if route['revoke']:
-            command = "ip route del %s via %s" % (route['network'], route['gateway'])
+            # Delete from main table
+            command = "ip route del %s via %s" % (network, gateway)
             CsHelper.execute(command)
+
+            # Delete from PBR table if applicable
+            device = CsHelper.find_device_for_gateway(self.config, gateway)
+            if device:
+                cs_route = CsRoute()
+                table_name = cs_route.get_tablename(device)
+                command = "ip route del %s via %s table %s" % (network, gateway, table_name)
+                CsHelper.execute(command)
+                logging.info("Deleted static route %s via %s from PBR table %s" % (network, gateway, table_name))
         else:
-            command = "ip route show | grep %s | awk '{print $1, $3}'" % route['network']
+            # Add to main table (existing logic)
+            command = "ip route show | grep '^%s' | awk '{print $1, $3}'" % network
             result = CsHelper.execute(command)
             if not result:
-                route_command = "ip route add %s via %s" % (route['network'], route['gateway'])
+                route_command = "ip route add %s via %s" % (network, gateway)
                 CsHelper.execute(route_command)
+                logging.info("Added static route %s via %s to main table" % (network, gateway))
+
+            # Add to PBR table if applicable
+            device = CsHelper.find_device_for_gateway(self.config, gateway)
+            if device:
+                cs_route = CsRoute()
+                table_name = cs_route.get_tablename(device)
+                # Check if route already exists in the PBR table
+                check_command = "ip route show table %s | grep '^%s' | awk '{print $1, $3}'" % (table_name, network)
+                result = CsHelper.execute(check_command)
+                if not result:
+                    # Add route to the interface-specific table
+                    route_command = "ip route add %s via %s dev %s table %s" % (network, gateway, device, table_name)
+                    CsHelper.execute(route_command)
+                    logging.info("Added static route %s via %s to PBR table %s" % (network, gateway, table_name))
+            else:
+                logging.info("Static route %s via %s added to main table only (no matching interface found for PBR table)" % (network, gateway))
diff --git a/systemvm/debian/root/health_checks/haproxy_check.py b/systemvm/debian/root/health_checks/haproxy_check.py
index c1db51e440c2..cc9d90f7c18e 100644
--- a/systemvm/debian/root/health_checks/haproxy_check.py
+++ b/systemvm/debian/root/health_checks/haproxy_check.py
@@ -28,6 +28,46 @@ def checkMaxconn(haproxyData, haCfgSections):
 
     return True
 
+def checkIdletimeout(haproxyData, haCfgSections):
+    if "idletimeout" not in haproxyData:
+        return True
+
+    # Normalize idletimeout value to string for comparison
+    idle_value = str(haproxyData["idletimeout"]).strip()
+
+    # Safely get the defaults section and its timeout directives
+    defaults_section = haCfgSections.get("defaults", {})
+    timeout_lines = defaults_section.get("timeout", [])
+
+    # Extract client and server timeout values from the parsed "timeout" entries
+    timeout_values = {}
+    for tline in timeout_lines:
+        tline = tline.strip()
+        if not tline:
+            continue
+        parts = tline.split(None, 1)
+        if len(parts) < 2:
+            continue
+        kind, value = parts[0].strip(), parts[1].strip()
+        if kind in ("client", "server"):
+            timeout_values[kind] = value
+
+    # Special handling for idletimeout == 0: there should be no client/server timeouts configured
+    if idle_value == "0":
+        if "client" in timeout_values or "server" in timeout_values:
+            print("defaults timeout client or timeout server should be absent when idletimeout is 0")
+            return False
+        return True
+
+    # Non-zero idletimeout: both client and server timeouts must be present
+    if "client" not in timeout_values or "server" not in timeout_values:
+        print("defaults timeout client or timeout server missing")
+        return False
+
+    if idle_value != timeout_values["client"] or idle_value != timeout_values["server"]:
+        print("defaults timeout client or timeout server mismatch occurred")
+        return False
+    return True
 
 def checkLoadBalance(haproxyData, haCfgSections):
     correct = True
@@ -120,9 +160,10 @@ def main():
             currSectionDict[lineSec[0]].append(lineSec[1] if len(lineSec) > 1 else '')
 
     checkMaxConn = checkMaxconn(haproxyData[0], haCfgSections)
+    checkIdleTimeout = checkIdletimeout(haproxyData[0], haCfgSections)
     checkLbRules = checkLoadBalance(haproxyData, haCfgSections)
 
-    if checkMaxConn and checkLbRules:
+    if checkMaxConn and checkIdleTimeout and checkLbRules:
         print("All checks pass")
         exit(0)
     else:
diff --git a/systemvm/patch-sysvms.sh b/systemvm/patch-sysvms.sh
index 88d720e0f32f..8d96de9ba3b8 100755
--- a/systemvm/patch-sysvms.sh
+++ b/systemvm/patch-sysvms.sh
@@ -126,7 +126,28 @@ patch_systemvm() {
 
   if [ "$TYPE" = "consoleproxy" ] || [ "$TYPE" = "secstorage" ]; then
     # Import global cacerts into 'cloud' service's keystore
-    keytool -importkeystore -srckeystore /etc/ssl/certs/java/cacerts -destkeystore /usr/local/cloud/systemvm/certs/realhostip.keystore -srcstorepass changeit -deststorepass vmops.com -noprompt 2>/dev/null || true
+    REALHOSTIP_KS_FILE="/usr/local/cloud/systemvm/certs/realhostip.keystore"
+    REALHOSTIP_PASS="vmops.com"
+
+    keytool -importkeystore -srckeystore /etc/ssl/certs/java/cacerts \
+        -destkeystore "$REALHOSTIP_KS_FILE" -srcstorepass changeit -deststorepass \
+        "$REALHOSTIP_PASS" -noprompt 2>/dev/null || true
+
+    # Import CA cert(s) into realhostip.keystore so the SSVM JVM
+    # (which overrides the truststore via -Djavax.net.ssl.trustStore in _run.sh)
+    # can trust servers signed by the CloudStack CA
+    CACERT_FILE="/usr/local/share/ca-certificates/cloudstack/ca.crt"
+
+    if [ -f "$CACERT_FILE" ] && [ -f "$REALHOSTIP_KS_FILE" ]; then
+        awk 'BEGIN{n=0} /-----BEGIN CERTIFICATE-----/{n++} n>0{print > "cloudca." n }' "$CACERT_FILE"
+        for caChain in $(ls cloudca.* 2>/dev/null); do
+            keytool -delete -noprompt -alias "$caChain" -keystore "$REALHOSTIP_KS_FILE" \
+                -storepass "$REALHOSTIP_PASS" > /dev/null 2>&1 || true
+            keytool -import -noprompt -trustcacerts -alias "$caChain" -file "$caChain" \
+                -keystore "$REALHOSTIP_KS_FILE" -storepass "$REALHOSTIP_PASS" > /dev/null 2>&1
+        done
+        rm -f cloudca.*
+    fi
   fi
 
   update_checksum $newpath/cloud-scripts.tgz
diff --git a/test/integration/component/maint/test_redundant_router_deployment_planning.py b/test/integration/component/maint/test_redundant_router_deployment_planning.py
index 5012fd1f2e93..d10e3ee5a7fc 100644
--- a/test/integration/component/maint/test_redundant_router_deployment_planning.py
+++ b/test/integration/component/maint/test_redundant_router_deployment_planning.py
@@ -398,141 +398,146 @@ def test_RvR_multicluster(self):
             self.apiclient.updatePod(cmd)
             self.debug("Enabled first pod for testing..")
 
-        # Creating network using the network offering created
-        self.debug("Creating network with network offering: %s" %
-                                                    self.network_offering.id)
-        network = Network.create(
-                                self.apiclient,
-                                self.services["network"],
-                                accountid=self.account.name,
-                                domainid=self.account.domainid,
-                                networkofferingid=self.network_offering.id,
-                                zoneid=self.zone.id
-                                )
-        self.debug("Created network with ID: %s" % network.id)
-
-        networks = Network.list(
-                                self.apiclient,
-                                id=network.id,
-                                listall=True
-                                )
-        self.assertEqual(
-            isinstance(networks, list),
-            True,
-            "List networks should return a valid response for created network"
-             )
-        nw_response = networks[0]
-
-        self.debug("Network state: %s" % nw_response.state)
-        self.assertEqual(
-                    nw_response.state,
-                    "Allocated",
-                    "The network should be in allocated state after creation"
-                    )
-
-        self.debug("Listing routers for network: %s" % network.name)
-        routers = Router.list(
-                              self.apiclient,
-                              networkid=network.id,
-                              listall=True
-                              )
-        self.assertEqual(
-            routers,
-            None,
-            "Routers should not be spawned when network is in allocated state"
-            )
-
-        self.debug("Deploying VM in account: %s" % self.account.name)
+        try:
+            # Creating network using the network offering created
+            self.debug("Creating network with network offering: %s" %
+                                                        self.network_offering.id)
+            network = Network.create(
+                                    self.apiclient,
+                                    self.services["network"],
+                                    accountid=self.account.name,
+                                    domainid=self.account.domainid,
+                                    networkofferingid=self.network_offering.id,
+                                    zoneid=self.zone.id
+                                    )
+            self.debug("Created network with ID: %s" % network.id)
+
+            networks = Network.list(
+                                    self.apiclient,
+                                    id=network.id,
+                                    listall=True
+                                    )
+            self.assertEqual(
+                isinstance(networks, list),
+                True,
+                "List networks should return a valid response for created network"
+                 )
+            nw_response = networks[0]
+
+            self.debug("Network state: %s" % nw_response.state)
+            self.assertEqual(
+                        nw_response.state,
+                        "Allocated",
+                        "The network should be in allocated state after creation"
+                        )
 
-        # Spawn an instance in that network
-        virtual_machine = VirtualMachine.create(
+            self.debug("Listing routers for network: %s" % network.name)
+            routers = Router.list(
                                   self.apiclient,
-                                  self.services["virtual_machine"],
-                                  accountid=self.account.name,
-                                  domainid=self.account.domainid,
-                                  serviceofferingid=self.service_offering.id,
-                                  networkids=[str(network.id)]
+                                  networkid=network.id,
+                                  listall=True
                                   )
-        self.debug("Deployed VM in network: %s" % network.id)
-
-        vms = VirtualMachine.list(
+            self.assertEqual(
+                routers,
+                None,
+                "Routers should not be spawned when network is in allocated state"
+                )
+
+            self.debug("Deploying VM in account: %s" % self.account.name)
+
+            # Spawn an instance in that network
+            virtual_machine = VirtualMachine.create(
+                                      self.apiclient,
+                                      self.services["virtual_machine"],
+                                      accountid=self.account.name,
+                                      domainid=self.account.domainid,
+                                      serviceofferingid=self.service_offering.id,
+                                      networkids=[str(network.id)]
+                                      )
+            self.debug("Deployed VM in network: %s" % network.id)
+
+            vms = VirtualMachine.list(
+                                      self.apiclient,
+                                      id=virtual_machine.id,
+                                      listall=True
+                                      )
+            self.assertEqual(
+                             isinstance(vms, list),
+                             True,
+                             "List Vms should return a valid list"
+                             )
+            vm = vms[0]
+            self.assertEqual(
+                             vm.state,
+                             "Running",
+                             "Vm should be in running state after deployment"
+                             )
+
+            self.debug("Listing routers for network: %s" % network.name)
+            routers = Router.list(
                                   self.apiclient,
-                                  id=virtual_machine.id,
+                                  networkid=network.id,
                                   listall=True
                                   )
-        self.assertEqual(
-                         isinstance(vms, list),
-                         True,
-                         "List Vms should return a valid list"
-                         )
-        vm = vms[0]
-        self.assertEqual(
-                         vm.state,
-                         "Running",
-                         "Vm should be in running state after deployment"
-                         )
+            self.assertEqual(
+                        isinstance(routers, list),
+                        True,
+                        "list router should return Primary and backup routers"
+                        )
+            self.assertEqual(
+                        len(routers),
+                        2,
+                        "Length of the list router should be 2 (Backup & Primary)"
+                        )
 
-        self.debug("Listing routers for network: %s" % network.name)
-        routers = Router.list(
+            hosts = Host.list(
                               self.apiclient,
-                              networkid=network.id,
+                              id=routers[0].hostid,
                               listall=True
                               )
-        self.assertEqual(
-                    isinstance(routers, list),
-                    True,
-                    "list router should return Primary and backup routers"
-                    )
-        self.assertEqual(
-                    len(routers),
-                    2,
-                    "Length of the list router should be 2 (Backup & Primary)"
-                    )
-
-        hosts = Host.list(
-                          self.apiclient,
-                          id=routers[0].hostid,
-                          listall=True
-                          )
-        self.assertEqual(
-                         isinstance(hosts, list),
-                         True,
-                         "List host should return a valid data"
-                         )
-        first_host = hosts[0]
-
-        hosts = Host.list(
-                          self.apiclient,
-                          id=routers[1].hostid,
-                          listall=True
-                          )
-        self.assertEqual(
-                         isinstance(hosts, list),
-                         True,
-                         "List host should return a valid data"
-                         )
-        second_host = hosts[0]
-
-        # Checking if the cluster IDs of both routers are different?
-        self.assertNotEqual(
-                            first_host.clusterid,
-                            second_host.clusterid,
-                            "Both the routers should be in different clusters"
-                            )
-        self.debug("Enabling remaining pods if any..")
-        pods = Pod.list(
-                        self.apiclient,
-                        zoneid=self.zone.id,
-                        listall=True,
-                        allocationstate="Disabled"
-                        )
+            self.assertEqual(
+                             isinstance(hosts, list),
+                             True,
+                             "List host should return a valid data"
+                             )
+            first_host = hosts[0]
+
+            hosts = Host.list(
+                              self.apiclient,
+                              id=routers[1].hostid,
+                              listall=True
+                              )
+            self.assertEqual(
+                             isinstance(hosts, list),
+                             True,
+                             "List host should return a valid data"
+                             )
+            second_host = hosts[0]
+
+            # Checking if the cluster IDs of both routers are different?
+            self.assertNotEqual(
+                                first_host.clusterid,
+                                second_host.clusterid,
+                                "Both the routers should be in different clusters"
+                                )
+        finally:
+            try:
+                self.debug("Enabling remaining pods if any..")
+                pods = Pod.list(
+                                self.apiclient,
+                                zoneid=self.zone.id,
+                                listall=True,
+                                allocationstate="Disabled"
+                                )
 
-        if pods is not None:
-            for pod in pods:
-                cmd = updatePod.updatePodCmd()
-                cmd.id = pod.id
-                cmd.allocationstate = 'Enabled'
-                self.apiclient.updatePod(cmd)
+                if pods is not None:
+                    for pod in pods:
+                        cmd = updatePod.updatePodCmd()
+                        cmd.id = pod.id
+                        cmd.allocationstate = 'Enabled'
+                        self.apiclient.updatePod(cmd)
+            except Exception as e:
+                self.debug("Warning: Exception during pod re-enablement: %s" % e)
         return
 
     # @attr(tags=["advanced", "advancedns"])
@@ -557,7 +562,7 @@ def test_RvR_multiprimarystorage(self):
         # 3. VM should be deployed and in Running state and on the specified
         #    host
         # 4. There should be two routers (PRIMARY and BACKUP) for this network
-        #    ensure both routers should be on different storage pools
+        #    ensure both routers should be on different hosts
 
         self.debug(
             "Checking if the current zone has multiple active pods in it..")
@@ -636,144 +641,150 @@ def test_RvR_multiprimarystorage(self):
             self.apiclient.updateCluster(cmd)
             self.debug("Enabled first cluster for testing..")
 
-        # Creating network using the network offering created
-        self.debug("Creating network with network offering: %s" %
-                                                    self.network_offering.id)
-        network = Network.create(
-                                self.apiclient,
-                                self.services["network"],
-                                accountid=self.account.name,
-                                domainid=self.account.domainid,
-                                networkofferingid=self.network_offering.id,
-                                zoneid=self.zone.id
-                                )
-        self.debug("Created network with ID: %s" % network.id)
-
-        networks = Network.list(
-                                self.apiclient,
-                                id=network.id,
-                                listall=True
-                                )
-        self.assertEqual(
-            isinstance(networks, list),
-            True,
-            "List networks should return a valid response for created network"
-             )
-        nw_response = networks[0]
-
-        self.debug("Network state: %s" % nw_response.state)
-        self.assertEqual(
-                    nw_response.state,
-                    "Allocated",
-                    "The network should be in allocated state after creation"
-                    )
-
-        self.debug("Listing routers for network: %s" % network.name)
-        routers = Router.list(
-                              self.apiclient,
-                              networkid=network.id,
-                              listall=True
-                              )
-        self.assertEqual(
-            routers,
-            None,
-            "Routers should not be spawned when network is in allocated state"
-            )
-
-        self.debug("Retrieving the list of hosts in the cluster")
-        hosts = Host.list(
-                          self.apiclient,
-                          clusterid=enabled_cluster.id,
-                          listall=True
-                          )
-        self.assertEqual(
-                         isinstance(hosts, list),
-                         True,
-                         "List hosts should not return an empty response"
-                         )
-        host = hosts[0]
-
-        self.debug("Deploying VM in account: %s" % self.account.name)
-
-        # Spawn an instance in that network
-        virtual_machine = VirtualMachine.create(
-                                  self.apiclient,
-                                  self.services["virtual_machine"],
-                                  accountid=self.account.name,
-                                  domainid=self.account.domainid,
-                                  serviceofferingid=self.service_offering.id,
-                                  networkids=[str(network.id)],
-                                  hostid=host.id
-                                  )
-        self.debug("Deployed VM in network: %s" % network.id)
+        try:
+            # Creating network using the network offering created
+            self.debug("Creating network with network offering: %s" %
+                                                        self.network_offering.id)
+            network = Network.create(
+                                    self.apiclient,
+                                    self.services["network"],
+                                    accountid=self.account.name,
+                                    domainid=self.account.domainid,
+                                    networkofferingid=self.network_offering.id,
+                                    zoneid=self.zone.id
+                                    )
+            self.debug("Created network with ID: %s" % network.id)
+
+            networks = Network.list(
+                                    self.apiclient,
+                                    id=network.id,
+                                    listall=True
+                                    )
+            self.assertEqual(
+                isinstance(networks, list),
+                True,
+                "List networks should return a valid response for created network"
+                 )
+            nw_response = networks[0]
+
+            self.debug("Network state: %s" % nw_response.state)
+            self.assertEqual(
+                        nw_response.state,
+                        "Allocated",
+                        "The network should be in allocated state after creation"
+                        )
 
-        vms = VirtualMachine.list(
+            self.debug("Listing routers for network: %s" % network.name)
+            routers = Router.list(
                                   self.apiclient,
-                                  id=virtual_machine.id,
+                                  networkid=network.id,
                                   listall=True
                                   )
-        self.assertEqual(
-                         isinstance(vms, list),
-                         True,
-                         "List Vms should return a valid list"
-                         )
-        vm = vms[0]
-        self.assertEqual(
-                         vm.state,
-                         "Running",
-                         "Vm should be in running state after deployment"
-                         )
-
-        self.debug("Listing routers for network: %s" % network.name)
-        routers = Router.list(
+            self.assertEqual(
+                routers,
+                None,
+                "Routers should not be spawned when network is in allocated state"
+                )
+
+            self.debug("Retrieving the list of hosts in the cluster")
+            hosts = Host.list(
                               self.apiclient,
-                              networkid=network.id,
+                              clusterid=enabled_cluster.id,
                               listall=True
                               )
-        self.assertEqual(
-                    isinstance(routers, list),
-                    True,
-                    "list router should return Primary and backup routers"
-                    )
-        self.assertEqual(
-                    len(routers),
-                    2,
-                    "Length of the list router should be 2 (Backup & Primary)"
-                    )
-        self.assertNotEqual(
-                    routers[0].hostid,
-                    routers[1].hostid,
-                    "Both the routers should be in different storage pools"
-                            )
-        self.debug("Enabling remaining pods if any..")
-        pods = Pod.list(
-                        self.apiclient,
-                        zoneid=self.zone.id,
-                        listall=True,
-                        allocationstate="Disabled"
+            self.assertEqual(
+                             isinstance(hosts, list),
+                             True,
+                             "List hosts should not return an empty response"
+                             )
+            host = hosts[0]
+
+            self.debug("Deploying VM in account: %s" % self.account.name)
+
+            # Spawn an instance in that network
+            virtual_machine = VirtualMachine.create(
+                                      self.apiclient,
+                                      self.services["virtual_machine"],
+                                      accountid=self.account.name,
+                                      domainid=self.account.domainid,
+                                      serviceofferingid=self.service_offering.id,
+                                      networkids=[str(network.id)],
+                                      hostid=host.id
+                                      )
+            self.debug("Deployed VM in network: %s" % network.id)
+
+            vms = VirtualMachine.list(
+                                      self.apiclient,
+                                      id=virtual_machine.id,
+                                      listall=True
+                                      )
+            self.assertEqual(
+                             isinstance(vms, list),
+                             True,
+                             "List Vms should return a valid list"
+                             )
+            vm = vms[0]
+            self.assertEqual(
+                             vm.state,
+                             "Running",
+                             "Vm should be in running state after deployment"
+                             )
+
+            self.debug("Listing routers for network: %s" % network.name)
+            routers = Router.list(
+                                  self.apiclient,
+                                  networkid=network.id,
+                                  listall=True
+                                  )
+            self.assertEqual(
+                        isinstance(routers, list),
+                        True,
+                        "list router should return Primary and backup routers"
                         )
-        if pods is not None:
-            for pod in pods:
-                cmd = updatePod.updatePodCmd()
-                cmd.id = pod.id
-                cmd.allocationstate = 'Enabled'
-                self.apiclient.updatePod(cmd)
-
-        clusters = Cluster.list(
+            self.assertEqual(
+                        len(routers),
+                        2,
+                        "Length of the list router should be 2 (Backup & Primary)"
+                        )
+            self.assertNotEqual(
+                        routers[0].hostid,
+                        routers[1].hostid,
+                        "Both the routers should be in different hosts"
+                                )
+        finally:
+            try:
+                self.debug("Enabling remaining pods if any..")
+                pods = Pod.list(
                                 self.apiclient,
-                                allocationstate="Disabled",
-                                podid=enabled_pod.id,
-                                listall=True
+                                zoneid=self.zone.id,
+                                listall=True,
+                                allocationstate="Disabled"
                                 )
-
-        if clusters is not None:
-            for cluster in clusters:
-                    cmd = updateCluster.updateClusterCmd()
-                    cmd.id = cluster.id
-                    cmd.allocationstate = 'Enabled'
-                    self.apiclient.updateCluster(cmd)
+                if pods is not None:
+                    for pod in pods:
+                        cmd = updatePod.updatePodCmd()
+                        cmd.id = pod.id
+                        cmd.allocationstate = 'Enabled'
+                        self.apiclient.updatePod(cmd)
+
+                clusters = Cluster.list(
+                                        self.apiclient,
+                                        allocationstate="Disabled",
+                                        podid=enabled_pod.id,
+                                        listall=True
+                                        )
+
+                if clusters is not None:
+                    for cluster in clusters:
+                        cmd = updateCluster.updateClusterCmd()
+                        cmd.id = cluster.id
+                        cmd.allocationstate = 'Enabled'
+                        self.apiclient.updateCluster(cmd)
+            except Exception as e:
+                self.debug("Warning: Exception during resource re-enablement: %s" % e)
         return
 
+
     # @attr(tags=["advanced", "advancedns", "ssh"])
     @attr(tags=["TODO"])
     def test_RvR_multihosts(self):
@@ -874,140 +885,145 @@ def test_RvR_multihosts(self):
             self.apiclient.updateCluster(cmd)
             self.debug("Enabled first cluster for testing..")
 
-        # Creating network using the network offering created
-        self.debug("Creating network with network offering: %s" %
-                                                    self.network_offering.id)
-        network = Network.create(
-                                self.apiclient,
-                                self.services["network"],
-                                accountid=self.account.name,
-                                domainid=self.account.domainid,
-                                networkofferingid=self.network_offering.id,
-                                zoneid=self.zone.id
-                                )
-        self.debug("Created network with ID: %s" % network.id)
-
-        networks = Network.list(
-                                self.apiclient,
-                                id=network.id,
-                                listall=True
-                                )
-        self.assertEqual(
-            isinstance(networks, list),
-            True,
-            "List networks should return a valid response for created network"
-             )
-        nw_response = networks[0]
-
-        self.debug("Network state: %s" % nw_response.state)
-        self.assertEqual(
-                    nw_response.state,
-                    "Allocated",
-                    "The network should be in allocated state after creation"
-                    )
-
-        self.debug("Listing routers for network: %s" % network.name)
-        routers = Router.list(
-                              self.apiclient,
-                              networkid=network.id,
-                              listall=True
-                              )
-        self.assertEqual(
-            routers,
-            None,
-            "Routers should not be spawned when network is in allocated state"
-            )
-
-        self.debug("Retrieving the list of hosts in the cluster")
-        hosts = Host.list(
-                          self.apiclient,
-                          clusterid=enabled_cluster.id,
-                          listall=True
-                          )
-        self.assertEqual(
-                         isinstance(hosts, list),
-                         True,
-                         "List hosts should not return an empty response"
-                         )
-        host = hosts[0]
-
-        self.debug("Deploying VM in account: %s" % self.account.name)
-
-        # Spawn an instance in that network
-        virtual_machine = VirtualMachine.create(
-                                  self.apiclient,
-                                  self.services["virtual_machine"],
-                                  accountid=self.account.name,
-                                  domainid=self.account.domainid,
-                                  serviceofferingid=self.service_offering.id,
-                                  networkids=[str(network.id)],
-                                  hostid=host.id
-                                  )
-        self.debug("Deployed VM in network: %s" % network.id)
+        try:
+            # Creating network using the network offering created
+            self.debug("Creating network with network offering: %s" %
+                                                        self.network_offering.id)
+            network = Network.create(
+                                    self.apiclient,
+                                    self.services["network"],
+                                    accountid=self.account.name,
+                                    domainid=self.account.domainid,
+                                    networkofferingid=self.network_offering.id,
+                                    zoneid=self.zone.id
+                                    )
+            self.debug("Created network with ID: %s" % network.id)
+
+            networks = Network.list(
+                                    self.apiclient,
+                                    id=network.id,
+                                    listall=True
+                                    )
+            self.assertEqual(
+                isinstance(networks, list),
+                True,
+                "List networks should return a valid response for created network"
+                 )
+            nw_response = networks[0]
+
+            self.debug("Network state: %s" % nw_response.state)
+            self.assertEqual(
+                        nw_response.state,
+                        "Allocated",
+                        "The network should be in allocated state after creation"
+                        )
 
-        vms = VirtualMachine.list(
+            self.debug("Listing routers for network: %s" % network.name)
+            routers = Router.list(
                                   self.apiclient,
-                                  id=virtual_machine.id,
+                                  networkid=network.id,
                                   listall=True
                                   )
-        self.assertEqual(
-                         isinstance(vms, list),
-                         True,
-                         "List Vms should return a valid list"
-                         )
-        vm = vms[0]
-        self.assertEqual(
-                         vm.state,
-                         "Running",
-                         "Vm should be in running state after deployment"
-                         )
-
-        self.debug("Listing routers for network: %s" % network.name)
-        routers = Router.list(
+            self.assertEqual(
+                routers,
+                None,
+                "Routers should not be spawned when network is in allocated state"
+                )
+
+            self.debug("Retrieving the list of hosts in the cluster")
+            hosts = Host.list(
                               self.apiclient,
-                              networkid=network.id,
+                              clusterid=enabled_cluster.id,
                               listall=True
                               )
-        self.assertEqual(
-                    isinstance(routers, list),
-                    True,
-                    "list router should return Primary and backup routers"
-                    )
-        self.assertEqual(
-                    len(routers),
-                    2,
-                    "Length of the list router should be 2 (Backup & Primary)"
-                  )
-        self.assertNotEqual(
-                            routers[0].hostid,
-                            routers[1].hostid,
-                            "Both the routers should be in different hosts"
-                            )
-        self.debug("Enabling remaining pods if any..")
-        pods = Pod.list(
-                        self.apiclient,
-                        zoneid=self.zone.id,
-                        listall=True,
-                        allocationstate="Disabled"
+            self.assertEqual(
+                             isinstance(hosts, list),
+                             True,
+                             "List hosts should not return an empty response"
+                             )
+            host = hosts[0]
+
+            self.debug("Deploying VM in account: %s" % self.account.name)
+
+            # Spawn an instance in that network
+            virtual_machine = VirtualMachine.create(
+                                      self.apiclient,
+                                      self.services["virtual_machine"],
+                                      accountid=self.account.name,
+                                      domainid=self.account.domainid,
+                                      serviceofferingid=self.service_offering.id,
+                                      networkids=[str(network.id)],
+                                      hostid=host.id
+                                      )
+            self.debug("Deployed VM in network: %s" % network.id)
+
+            vms = VirtualMachine.list(
+                                      self.apiclient,
+                                      id=virtual_machine.id,
+                                      listall=True
+                                      )
+            self.assertEqual(
+                             isinstance(vms, list),
+                             True,
+                             "List Vms should return a valid list"
+                             )
+            vm = vms[0]
+            self.assertEqual(
+                             vm.state,
+                             "Running",
+                             "Vm should be in running state after deployment"
+                             )
+
+            self.debug("Listing routers for network: %s" % network.name)
+            routers = Router.list(
+                                  self.apiclient,
+                                  networkid=network.id,
+                                  listall=True
+                                  )
+            self.assertEqual(
+                        isinstance(routers, list),
+                        True,
+                        "list router should return Primary and backup routers"
                         )
-
-        if pods is not None:
-            for pod in pods:
-                cmd = updatePod.updatePodCmd()
-                cmd.id = pod.id
-                cmd.allocationstate = 'Enabled'
-                self.apiclient.updatePod(cmd)
-
-        clusters = Cluster.list(
+            self.assertEqual(
+                        len(routers),
+                        2,
+                        "Length of the list router should be 2 (Backup & Primary)"
+                        )
+            self.assertNotEqual(
+                                routers[0].hostid,
+                                routers[1].hostid,
+                                "Both the routers should be in different hosts"
+                                )
+        finally:
+            try:
+                self.debug("Enabling remaining pods if any..")
+                pods = Pod.list(
                                 self.apiclient,
-                                allocationstate="Disabled",
-                                podid=enabled_pod.id,
-                                listall=True
+                                zoneid=self.zone.id,
+                                listall=True,
+                                allocationstate="Disabled"
                                 )
-        if clusters is not None:
-            for cluster in clusters:
-                cmd = updateCluster.updateClusterCmd()
-                cmd.id = cluster.id
-                cmd.allocationstate = 'Enabled'
-                self.apiclient.updateCluster(cmd)
+
+                if pods is not None:
+                    for pod in pods:
+                        cmd = updatePod.updatePodCmd()
+                        cmd.id = pod.id
+                        cmd.allocationstate = 'Enabled'
+                        self.apiclient.updatePod(cmd)
+
+                clusters = Cluster.list(
+                                        self.apiclient,
+                                        allocationstate="Disabled",
+                                        podid=enabled_pod.id,
+                                        listall=True
+                                        )
+                if clusters is not None:
+                    for cluster in clusters:
+                        cmd = updateCluster.updateClusterCmd()
+                        cmd.id = cluster.id
+                        cmd.allocationstate = 'Enabled'
+                        self.apiclient.updateCluster(cmd)
+            except Exception as e:
+                self.debug("Warning: Exception during resource re-enablement: %s" % e)
         return
diff --git a/test/integration/component/test_blocker_bugs.py b/test/integration/component/test_blocker_bugs.py
index 7b497cfe2949..e393c7bed02a 100644
--- a/test/integration/component/test_blocker_bugs.py
+++ b/test/integration/component/test_blocker_bugs.py
@@ -542,7 +542,7 @@ def test_01_list_routers_admin(self):
 
 
         # Validate the following
-        # 1. PreReq: have rounters that are owned by other account
+        # 1. PreReq: have routers that are owned by other account
         # 2. Create domain and create accounts in that domain
         # 3. Create one VM for each account
         # 4. Using Admin , run listRouters. It should return all the routers
diff --git a/test/integration/component/test_escalations_instances.py b/test/integration/component/test_escalations_instances.py
index 89c4f4ce2a6c..4aea35850d07 100644
--- a/test/integration/component/test_escalations_instances.py
+++ b/test/integration/component/test_escalations_instances.py
@@ -3341,9 +3341,6 @@ def test_17_running_vm_scaleup(self):
                deployed in step1
         Step6: Verifying that VM's service offerings is changed
         """
-        if self.hypervisor.lower() == 'kvm':
-            self.skipTest(
-                "ScaleVM is not supported on KVM. Hence, skipping the test")
         # Checking if Dynamic scaling of VM is supported or not
         list_config = Configurations.list(
             self.apiClient,
diff --git a/test/integration/component/test_escalations_ipaddresses.py b/test/integration/component/test_escalations_ipaddresses.py
index b91b67c16c3d..d9d760c49017 100644
--- a/test/integration/component/test_escalations_ipaddresses.py
+++ b/test/integration/component/test_escalations_ipaddresses.py
@@ -3455,8 +3455,7 @@ def test_17_create_update_autoscalepolicy(self):
         Step18: Verifying Autoscale policy is updated with condition2
         """
         if self.hypervisor.lower() == 'kvm':
-            self.skipTest(
-                "ScaleVM is not supported on KVM. Hence, skipping the test")
+            self.skipTest("Test not supported on KVM. Skipping it")
 
         list_physical_networks = PhysicalNetwork.list(
             self.apiClient,
@@ -3734,8 +3733,7 @@ def test_18_create_update_autoscaleprofiles(self):
         Step16: Verifying that Autoscale VM is updated
         """
         if self.hypervisor.lower() == 'kvm':
-            self.skipTest(
-                "ScaleVM is not supported on KVM. Hence, skipping the test")
+            self.skipTest("Test not supported on KVM. Skipping it")
 
         list_physical_networks = PhysicalNetwork.list(
             self.apiClient,
@@ -4061,8 +4059,7 @@ def test_19_create_update_autoscalevmgroup(self):
         Step14: Enabling Autoscale VM group and verifying it was enabled
         """
         if self.hypervisor.lower() == 'kvm':
-            self.skipTest(
-                "ScaleVM is not supported on KVM. Hence, skipping the test")
+            self.skipTest("Test not supported on KVM. Skipping it.")
 
         list_physical_networks = PhysicalNetwork.list(
             self.apiClient,
diff --git a/test/integration/smoke/test_certauthority_root.py b/test/integration/smoke/test_certauthority_root.py
index dc6420d6369f..491b8abeb2e8 100644
--- a/test/integration/smoke/test_certauthority_root.py
+++ b/test/integration/smoke/test_certauthority_root.py
@@ -15,9 +15,12 @@
 # specific language governing permissions and limitations
 # under the License.
 
+import re
+from datetime import datetime, timedelta
+
 from nose.plugins.attrib import attr
 from marvin.cloudstackTestCase import cloudstackTestCase
-from marvin.lib.utils import cleanup_resources
+from marvin.lib.utils import cleanup_resources, wait_until
 from marvin.lib.base import *
 from marvin.lib.common import list_hosts
 
@@ -60,6 +63,29 @@ def verifySignature(self, caCert, cert):
         except Exception as e:
             print(f"Certificate verification failed: {e}")
 
+
+    def parseCertificateChain(self, pem):
+        """Split a PEM blob containing one or more certificates into a list of x509 objects."""
+        certs = []
+        matches = re.findall(
+            r'-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----',
+            pem,
+            re.DOTALL
+        )
+        for match in matches:
+            certs.append(x509.load_pem_x509_certificate(match.encode(), default_backend()))
+        return certs
+
+
+    def assertSignatureValid(self, issuerCert, cert):
+        """Verify cert is signed by issuerCert; raise on failure."""
+        issuerCert.public_key().verify(
+            cert.signature,
+            cert.tbs_certificate_bytes,
+            padding.PKCS1v15(),
+            cert.signature_hash_algorithm,
+        )
+
     def setUp(self):
         self.apiclient = self.testClient.getApiClient()
         self.dbclient = self.testClient.getDbConnection()
@@ -224,3 +250,152 @@ def checkHostIsUp(hostId):
                 self.assertTrue(len(hosts) == 1)
             else:
                 self.fail("Failed to have systemvm host in Up state after cert provisioning")
+
+
+    @attr(tags=['advanced', 'simulator', 'basic', 'sg'], required_hardware=False)
+    def test_ca_certificate_chain_validity(self):
+        """
+            Tests that listCaCertificate returns a valid certificate chain.
+            When an intermediate CA is configured, the response is a PEM blob
+            containing multiple certificates. Each non-root cert must be signed
+            by the next cert in the chain, and the final cert must be self-signed.
+        """
+        pem = self.getCaCertificate()
+        self.assertTrue(len(pem) > 0)
+
+        chain = self.parseCertificateChain(pem)
+        self.assertTrue(len(chain) >= 1, "Expected at least one certificate in CA chain")
+
+        # Each non-root cert must be signed by the next cert in the chain
+        for i in range(len(chain) - 1):
+            child = chain[i]
+            parent = chain[i + 1]
+            self.assertEqual(
+                child.issuer, parent.subject,
+                f"Chain break: cert[{i}] issuer does not match cert[{i + 1}] subject"
+            )
+            try:
+                self.assertSignatureValid(parent, child)
+            except Exception as e:
+                self.fail(f"Signature verification failed for chain link {i} -> {i + 1}: {e}")
+
+        # The last cert in the chain must be self-signed (root CA)
+        root = chain[-1]
+        self.assertEqual(
+            root.issuer, root.subject,
+            "Final cert in CA chain is not self-signed"
+        )
+        try:
+            self.assertSignatureValid(root, root)
+        except Exception as e:
+            self.fail(f"Root CA self-signature verification failed: {e}")
+
+
+    @attr(tags=['advanced', 'simulator', 'basic', 'sg'], required_hardware=False)
+    def test_issue_certificate_issuer_matches_ca(self):
+        """
+            Tests that an issued certificate's issuer DN matches the subject DN
+            of the first cert in the returned CA chain, and that the signature
+            verifies against that cert's public key.
+        """
+        cmd = issueCertificate.issueCertificateCmd()
+        cmd.domain = 'apache.org'
+        cmd.ipaddress = '10.1.1.1'
+        cmd.provider = 'root'
+
+        response = self.apiclient.issueCertificate(cmd)
+        self.assertTrue(len(response.certificate) > 0)
+        self.assertTrue(len(response.cacertificates) > 0)
+
+        leaf = x509.load_pem_x509_certificate(response.certificate.encode(), default_backend())
+        caChain = self.parseCertificateChain(response.cacertificates)
+        self.assertTrue(len(caChain) >= 1, "Expected at least one CA certificate in response")
+
+        # The issuing CA is the first cert in the returned chain (intermediate
+        # if an intermediate CA is configured, otherwise the root).
+        issuingCa = caChain[0]
+        self.assertEqual(
+            leaf.issuer, issuingCa.subject,
+            "Leaf certificate issuer does not match issuing CA subject"
+        )
+        try:
+            self.assertSignatureValid(issuingCa, leaf)
+        except Exception as e:
+            self.fail(f"Leaf certificate signature does not verify against issuing CA: {e}")
+
+
+    @attr(tags=['advanced', 'simulator', 'basic', 'sg'], required_hardware=False)
+    def test_certificate_validity_period(self):
+        """
+            Tests that an issued certificate has sensible validity bounds:
+            not_valid_before <= now <= not_valid_after, and validity duration
+            is at least 300 days (CloudStack default is 1 year).
+        """
+        cmd = issueCertificate.issueCertificateCmd()
+        cmd.domain = 'apache.org'
+        cmd.provider = 'root'
+
+        response = self.apiclient.issueCertificate(cmd)
+        self.assertTrue(len(response.certificate) > 0)
+
+        cert = x509.load_pem_x509_certificate(response.certificate.encode(), default_backend())
+
+        # cryptography >= 42 prefers the *_utc variants; fall back for older versions.
+        notBefore = getattr(cert, 'not_valid_before_utc', None) or cert.not_valid_before
+        notAfter = getattr(cert, 'not_valid_after_utc', None) or cert.not_valid_after
+
+        now = datetime.now(notBefore.tzinfo) if notBefore.tzinfo else datetime.utcnow()
+        self.assertTrue(notBefore <= now, f"Certificate not_valid_before {notBefore} is in the future")
+        self.assertTrue(now <= notAfter, f"Certificate not_valid_after {notAfter} is in the past")
+
+        duration = notAfter - notBefore
+        self.assertTrue(
+            duration >= timedelta(days=300),
+            f"Certificate validity duration {duration} is less than expected minimum of 300 days"
+        )
+
+
+    def getUpKVMHosts(self, hostId=None):
+        hosts = list_hosts(
+            self.apiclient,
+            type='Routing',
+            hypervisor='KVM',
+            state='Up',
+            resourcestate='Enabled',
+            id=hostId
+        )
+        return hosts
+
+
+    @attr(tags=['advanced'], required_hardware=True)
+    def test_provision_certificate_kvm(self):
+        """
+            Tests certificate provisioning on a KVM host.
+            Exercises the keystore-cert-import + cloud.jks provisioning flow
+            against a real agent. Skipped when no KVM hosts are available.
+        """
+        if self.hypervisor.lower() != 'kvm':
+            raise self.skipTest("Hypervisor is not KVM, skipping test")
+
+        hosts = self.getUpKVMHosts()
+        if not hosts or len(hosts) < 1:
+            raise self.skipTest("No Up KVM hosts found, skipping test")
+
+        host = hosts[0]
+
+        cmd = provisionCertificate.provisionCertificateCmd()
+        cmd.hostid = host.id
+        cmd.reconnect = True
+        cmd.provider = 'root'
+
+        response = self.apiclient.provisionCertificate(cmd)
+        self.assertTrue(response.success)
+
+        def checkHostIsUp(hostId):
+            hosts = self.getUpKVMHosts(hostId)
+            return (hosts is not None and len(hosts) > 0), hosts
+
+        result, hosts = wait_until(2, 30, checkHostIsUp, host.id)
+        if not result:
+            self.fail("KVM host did not return to Up state after certificate provisioning")
+        self.assertEqual(len(hosts), 1)
diff --git a/test/integration/smoke/test_public_ip_range.py b/test/integration/smoke/test_public_ip_range.py
index 19edc4c164f2..997716caaaf4 100644
--- a/test/integration/smoke/test_public_ip_range.py
+++ b/test/integration/smoke/test_public_ip_range.py
@@ -286,20 +286,25 @@ def base_system_vm(self, services, systemvmtype):
         cmd.allocationstate = 'Disabled'
         self.apiclient.updateZone(cmd)
 
-        # Delete System VM and IP range, so System VM can get IP from original ranges
-        self.debug("Destroying System VM: %s" % systemvm_id)
-        cmd = destroySystemVm.destroySystemVmCmd()
-        cmd.id = systemvm_id
-        self.apiclient.destroySystemVm(cmd)
-
-        domain_id = self.public_ip_range.vlan.domainid
-        self.public_ip_range.delete(self.apiclient)
-
-        # Enable Zone
-        cmd = updateZone.updateZoneCmd()
-        cmd.id = self.zone.id
-        cmd.allocationstate = 'Enabled'
-        self.apiclient.updateZone(cmd)
+        try:
+            # Delete System VM and IP range, so System VM can get IP from original ranges
+            self.debug("Destroying System VM: %s" % systemvm_id)
+            cmd = destroySystemVm.destroySystemVmCmd()
+            cmd.id = systemvm_id
+            self.apiclient.destroySystemVm(cmd)
+
+            domain_id = self.public_ip_range.vlan.domainid
+            self.public_ip_range.delete(self.apiclient)
+
+        finally:
+            # Enable Zone
+            try:
+                cmd = updateZone.updateZoneCmd()
+                cmd.id = self.zone.id
+                cmd.allocationstate = 'Enabled'
+                self.apiclient.updateZone(cmd)
+            except Exception as e:
+                self.debug("Warning: Exception during zone re-enablement in base_system_vm: %s" % e)
 
         # Wait for System VM to start and check System VM public IP
         systemvm_id = self.wait_for_system_vm_start(
@@ -399,18 +404,23 @@ def delete_range(self):
         cmd.allocationstate = 'Disabled'
         self.apiclient.updateZone(cmd)
 
-        # Delete System VM and IP range, so System VM can get IP from original ranges
-        if system_vms:
-            for v in system_vms:
-                self.debug("Destroying System VM: %s" % v.id)
-                cmd = destroySystemVm.destroySystemVmCmd()
-                cmd.id = v.id
-                self.apiclient.destroySystemVm(cmd)
-
-        self.public_ip_range.delete(self.apiclient)
-
-        # Enable Zone
-        cmd = updateZone.updateZoneCmd()
-        cmd.id = self.zone.id
-        cmd.allocationstate = 'Enabled'
-        self.apiclient.updateZone(cmd)
+        try:
+            # Delete System VM and IP range, so System VM can get IP from original ranges
+            if system_vms:
+                for v in system_vms:
+                    self.debug("Destroying System VM: %s" % v.id)
+                    cmd = destroySystemVm.destroySystemVmCmd()
+                    cmd.id = v.id
+                    self.apiclient.destroySystemVm(cmd)
+
+            self.public_ip_range.delete(self.apiclient)
+
+        finally:
+            # Enable Zone
+            try:
+                cmd = updateZone.updateZoneCmd()
+                cmd.id = self.zone.id
+                cmd.allocationstate = 'Enabled'
+                self.apiclient.updateZone(cmd)
+            except Exception as e:
+                self.debug("Warning: Exception during zone re-enablement in delete_range: %s" % e)
diff --git a/test/integration/smoke/test_quarantined_ips.py b/test/integration/smoke/test_quarantined_ips.py
index 42349fd2a530..2469760da130 100644
--- a/test/integration/smoke/test_quarantined_ips.py
+++ b/test/integration/smoke/test_quarantined_ips.py
@@ -85,7 +85,7 @@ def setUp(self):
                                                                 self.services["root_admin"]["roletype"])
 
         """
-        Set public.ip.address.quarantine.duration to 60 minutes
+        Set public.ip.address.quarantine.duration to 1 minute
         """
         update_configuration_cmd = updateConfiguration.updateConfigurationCmd()
         update_configuration_cmd.name = "public.ip.address.quarantine.duration"
@@ -168,8 +168,7 @@ def test_only_owner_can_allocate_ip_in_quarantine_vpc(self):
                                    zoneid=self.zone.id,
                                    vpcid=root_vpc.id,
                                    ipaddress=ip_address)
-        self.assertIn(f"Failed to allocate public IP address [{ip_address}] as it is in quarantine.",
-                      exception.exception.errorMsg)
+        self.assertIn("errorCode: 533", exception.exception.errorMsg)
 
         # Owner should be able to allocate its IP in quarantine
         public_ip = PublicIPAddress.create(self.domain_admin_apiclient,
@@ -267,8 +266,7 @@ def test_only_owner_can_allocate_ip_in_quarantine_network(self):
                                    zoneid=self.zone.id,
                                    networkid=root_network.id,
                                    ipaddress=ip_address)
-        self.assertIn(f"Failed to allocate public IP address [{ip_address}] as it is in quarantine.",
-                      exception.exception.errorMsg)
+        self.assertIn("errorCode: 533", exception.exception.errorMsg)
 
         # Owner should be able to allocate its IP in quarantine
         public_ip = PublicIPAddress.create(self.domain_admin_apiclient,
diff --git a/test/integration/smoke/test_secondary_storage.py b/test/integration/smoke/test_secondary_storage.py
index 4b26950ea646..2ed60a844256 100644
--- a/test/integration/smoke/test_secondary_storage.py
+++ b/test/integration/smoke/test_secondary_storage.py
@@ -136,7 +136,11 @@ def test_01_sys_vm_start(self):
                         'Up',
                         "Check state of primary storage pools is Up or not"
                         )
-        for _ in range(2):
+        # Poll until all SSVMs are Running, or timeout after 3 minutes
+        timeout = 180
+        interval = 15
+        list_ssvm_response = []
+        while timeout > 0:
             list_ssvm_response = list_ssvms(
                                     self.apiclient,
                                     systemvmtype='secondarystoragevm',
@@ -154,10 +158,12 @@ def test_01_sys_vm_start(self):
                             "Check list System VMs response"
                         )
 
-            for ssvm in list_ssvm_response:
-                if ssvm.state != 'Running':
-                    time.sleep(30)
-                    continue
+            if all(ssvm.state == 'Running' for ssvm in list_ssvm_response):
+                break
+
+            time.sleep(interval)
+            timeout -= interval
+
         for ssvm in list_ssvm_response:
             self.assertEqual(
                             ssvm.state,
diff --git a/test/integration/smoke/test_vm_strict_host_tags.py b/test/integration/smoke/test_vm_strict_host_tags.py
index 2377e9a76185..aac3e1ea65f2 100644
--- a/test/integration/smoke/test_vm_strict_host_tags.py
+++ b/test/integration/smoke/test_vm_strict_host_tags.py
@@ -423,7 +423,7 @@ def test_02_restore_vm_strict_tags_failure(self):
             vm.restore(self.apiclient, templateid=self.template_t2.id, expunge=True)
             self.fail("VM should not be restored")
         except Exception as e:
-            self.assertTrue("Unable to start VM with specified id" in str(e))
+            self.assertTrue("Unable to create a deployment for " in str(e))
 
 
 class TestMigrateVMStrictTags(cloudstackTestCase):
diff --git a/tools/apidoc/gen_toc.py b/tools/apidoc/gen_toc.py
index e41a04ff2e1b..292f52d809bf 100644
--- a/tools/apidoc/gen_toc.py
+++ b/tools/apidoc/gen_toc.py
@@ -174,6 +174,7 @@
     'removeIpFromNic': 'Nic',
     'updateVmNicIp': 'Nic',
     'listNics':'Nic',
+    'updateVmNic': 'Nic',
     'AffinityGroup': 'Affinity Group',
     'ImageStore': 'Image Store',
     'addImageStore': 'Image Store',
diff --git a/tools/devcloud4/binary-installation-advanced/marvin.cfg.erb b/tools/devcloud4/binary-installation-advanced/marvin.cfg.erb
index bd65d3d01723..999dc47dc34a 100644
--- a/tools/devcloud4/binary-installation-advanced/marvin.cfg.erb
+++ b/tools/devcloud4/binary-installation-advanced/marvin.cfg.erb
@@ -5,9 +5,9 @@
 #  to you under the Apache License, Version 2.0 (the
 #  "License"); you may not use this file except in compliance
 #  with the License.  You may obtain a copy of the License at
-#  
+#
 #    http://www.apache.org/licenses/LICENSE-2.0
-#  
+#
 #  Unless required by applicable law or agreed to in writing,
 #  software distributed under the License is distributed on an
 #  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
diff --git a/tools/devcloud4/binary-installation-basic/marvin.cfg.erb b/tools/devcloud4/binary-installation-basic/marvin.cfg.erb
index 721fc07d6c79..03e0dd6562b5 100644
--- a/tools/devcloud4/binary-installation-basic/marvin.cfg.erb
+++ b/tools/devcloud4/binary-installation-basic/marvin.cfg.erb
@@ -5,9 +5,9 @@
 #  to you under the Apache License, Version 2.0 (the
 #  "License"); you may not use this file except in compliance
 #  with the License.  You may obtain a copy of the License at
-#  
+#
 #    http://www.apache.org/licenses/LICENSE-2.0
-#  
+#
 #  Unless required by applicable law or agreed to in writing,
 #  software distributed under the License is distributed on an
 #  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
diff --git a/tools/docker/Dockerfile b/tools/docker/Dockerfile
index fd813e077fd1..dcadfb3fead6 100644
--- a/tools/docker/Dockerfile
+++ b/tools/docker/Dockerfile
@@ -58,7 +58,7 @@ RUN mvn -Pdeveloper -Dsimulator -DskipTests clean install
 RUN find /var/lib/mysql -type f -exec touch {} \; && \
     (/usr/bin/mysqld_safe &) && \
     sleep 5; \
-    mysql -e "ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password by ''" --connect-expired-password; \
+    mysql -e "ALTER USER 'root'@'localhost' IDENTIFIED WITH caching_sha2_password by ''" --connect-expired-password; \
     mvn -Pdeveloper -pl developer -Ddeploydb; \
     mvn -Pdeveloper -pl developer -Ddeploydb-simulator; \
     MARVIN_FILE=`find /root/tools/marvin/dist/ -name "Marvin*.tar.gz"`; \
diff --git a/tools/marvin/setup.py b/tools/marvin/setup.py
index 4694cecc8a53..e126622930bb 100644
--- a/tools/marvin/setup.py
+++ b/tools/marvin/setup.py
@@ -46,7 +46,7 @@
                 "marvin.sandbox.basic"],
       license="LICENSE.txt",
       install_requires=[
-          "mysql-connector-python <= 8.0.30",
+          "mysql-connector-python <= 8.4.0",
           "requests >= 2.2.1",
           "paramiko >= 1.13.0",
           "nose >= 1.3.3",
diff --git a/tools/utils/database_comparision_during_upgrade/README b/tools/utils/database_comparision_during_upgrade/README
index 45c55eaf38b3..ace71379a11a 100644
--- a/tools/utils/database_comparision_during_upgrade/README
+++ b/tools/utils/database_comparision_during_upgrade/README
@@ -15,14 +15,14 @@ What this tool is capable to do is
 
 The usage is as follows
 1.	First run fresh_install_data_collection.sh file to generate data from fresh install setup .
-	This will be used for comparing between fresh install and upgrade setup. 
+	This will be used for comparing between fresh install and upgrade setup.
 	This is a onetime activity and need to be repeated only when there is some DB changes for that release .
-	Output of this script will come in a base_data folder 
+	Output of this script will come in a base_data folder
 
 2.	Just before upgrade you need to run before_upgrade_data_collection.sh  file to collect required data needed to compare before upgrade and after upgrade setup data
 	The output of this script will come in folder data_before_upgrade
 
-3.	After upgrade  run cloud_schema_comparision.sh to compare cloud database all tables schema between fresh and upgraded setup. 
+3.	After upgrade  run cloud_schema_comparision.sh to compare cloud database all tables schema between fresh and upgraded setup.
 	NOTE: this script requires step 1 output in current working directory
 
 4.	After upgrade  run usage_schema_comparision.sh to compare cloud usage all tables schema between fresh and upgraded setup
@@ -41,4 +41,4 @@ The usage is as follows
 	•	Database user
 	•	Database user password
 
-8.	Result will be shown in the form of files . 
+8.	Result will be shown in the form of files .
diff --git a/ui/docs/development.md b/ui/docs/development.md
index 363c6a3795b3..43b346fad8f4 100644
--- a/ui/docs/development.md
+++ b/ui/docs/development.md
@@ -32,7 +32,7 @@ The following tree shows the basic UI codebase filesystem:
 
 ```bash
     src
-    ├── assests       # sprites, icons, images
+    ├── assets        # sprites, icons, images
     ├── components    # Shared vue files used to render various generic / widely used components
     ├── config        # Contains the layout details of the various routes / sections available in the UI
     ├── locales       # Custom translation keys for the various supported languages
diff --git a/ui/public/config.json b/ui/public/config.json
index 3d50f9811850..81d3938a5dee 100644
--- a/ui/public/config.json
+++ b/ui/public/config.json
@@ -117,5 +117,6 @@
     "message": "🤔 <strong>Sample Announcement</strong>: New Feature Available: Check out our latest dashboard improvements! <a href='/features'>Learn more</a>",
     "startDate": "2025-06-01T00:00:00Z",
     "endDate": "2025-07-16T00:00:00Z"
-  }
+  },
+  "defaultLanguage": "en"
 }
diff --git a/ui/public/locales/el_GR.json b/ui/public/locales/el_GR.json
index bb90661d9d37..566e182b8fad 100644
--- a/ui/public/locales/el_GR.json
+++ b/ui/public/locales/el_GR.json
@@ -2270,8 +2270,6 @@
 "message.error.enable.saml": "Δεν είναι δυνατή η εύρεση των id χρηστών για την ενεργοποίηση του Saml σύνδεση μιας φοράς, παρακαλούμε να το ενεργοποιήσετε με μη αυτόματο τρόπο.",
 "message.error.end.date.and.time": "Παρακαλώ, εισάγετε την τελική ημερομηνία και ώρα!",
 "message.error.endip": "Πληκτρολογήστε End IP",
-"message.error.fixed.offering.kvm": "Δεν είναι δυνατό να κλιμωκαθούν οι εικονές μηχανές που χρησιμοποιούν τον επόπτη KVM με ένα σταθερό υπολογισμό προσφοράς υπηρεσίας.",
-"message.error.fixed.offering.kvm": "Δεν είναι εφικτή η κλιμάκωση προς τα πάνω της εικονικής μηχανής ενώ ανήκει σε μία σταθερή προσφορά νέφους.",
 "message.error.gateway": "Πληκτρολογήστε Πύλη",
 "message.error.host.name": "Πληκτρολογήστε το όνομα του κεντρικού υπολογιστή",
 "message.error.host.password": "Πληκτρολογήστε τον κωδικό πρόσβασης κεντρικού υπολογιστή",
diff --git a/ui/public/locales/en.json b/ui/public/locales/en.json
index 513dfcdaa368..3a16d613f37a 100644
--- a/ui/public/locales/en.json
+++ b/ui/public/locales/en.json
@@ -699,6 +699,7 @@
 "label.create.sharedfs": "Create Shared FileSystem",
 "label.create.network": "Create new Network",
 "label.create.nfs.secondary.staging.storage": "Create NFS secondary staging storage",
+"label.create.on.storage": "Create on Storage",
 "label.create.project": "Create Project",
 "label.create.project.role": "Create Project Role",
 "label.create.routing.policy": "Create Routing Policy",
@@ -715,6 +716,7 @@
 "label.create.tier.networkofferingid.description": "The Network offering for the Network Tier.",
 "label.create.tungsten.routing.policy": "Create Tungsten-Fabric routing policy",
 "label.create.user": "Create User",
+"label.create.volume.on.primary.storage": "Create Volume on the specified Primary Storage",
 "label.create.vm": "Create Instance",
 "label.create.vm.and.stay": "Create Instance & stay on this page",
 "label.create.vpn.connection": "Create VPN connection",
@@ -793,6 +795,7 @@
 "label.delete.ciscoasa1000v": "Delete CiscoASA1000v",
 "label.delete.ciscovnmc.resource": "Delete CiscoVNMC resource",
 "label.delete.condition": "Delete condition",
+"label.delete.confirmation": "Enter the exact resource name to proceed with deletion",
 "label.delete.custom.action": "Delete Custom Action",
 "label.delete.dedicated.vlan.range": "Deleted dedicated VLAN/VNI range.",
 "label.delete.domain": "Delete domain",
@@ -993,6 +996,7 @@
 "label.edit.acl": "Edit ACL",
 "label.edit.acl.rule": "Edit ACL rule",
 "label.edit.autoscale.vmprofile": "Edit AutoScale Instance Profile",
+"label.edit.nic": "Edit NIC",
 "label.edit.project.details": "Edit project details",
 "label.edit.project.role": "Edit project role",
 "label.edit.role": "Edit Role",
@@ -1242,6 +1246,8 @@
 "label.host.alerts": "Hosts in alert state",
 "label.host.name": "Host name",
 "label.host.ovftool.version": "OVFTool Version",
+"label.host.vddk.support": "VDDK Support",
+"label.host.vddk.version": "VDDK Version",
 "label.host.tag": "Host tag",
 "label.host.virtv2v.version": "Virt-v2v Version",
 "label.hostcontrolstate": "Compute Resource Status",
@@ -1428,6 +1434,7 @@
 "label.javadistribution": "Java Runtime Distribution",
 "label.javaversion": "Java Runtime Version",
 "label.keep": "Keep",
+"label.keep.mac.address.on.public.nic": "Use same MAC address for public NIC of VRs",
 "label.kernelversion": "Kernel Version",
 "label.key": "Key",
 "label.keyboard": "Keyboard language",
@@ -1757,6 +1764,7 @@
 "label.no.data": "No data to show",
 "label.no.errors": "No recent errors",
 "label.no.items": "No available Items",
+"label.no.matching.guest.os.vmware.import": "No matching guest OS mapping found, using the default import template guest OS",
 "label.no.matching.offering": "No matching offering found",
 "label.no.matching.network": "No matching Networks found",
 "label.node.version": "Node version",
@@ -2131,6 +2139,7 @@
 "label.requireshvm": "HVM",
 "label.requiresupgrade": "Requires upgrade",
 "label.reserved": "Reserved",
+"label.reservedresourcedetails": "Reserved resource details",
 "label.reserved.system.gateway": "Reserved system gateway",
 "label.reserved.system.ip": "Reserved system IP",
 "label.reserved.system.netmask": "Reserved system netmask",
@@ -2402,6 +2411,7 @@
 "label.user.data.policy.tooltip": "User Data linked to the Template can be overridden by User Data provided during Instance deploy. Select the override policy as required.",
 "label.user.data": "User Data",
 "label.user.data.library": "User Data Library",
+"label.use.vddk": "Use VDDK",
 "label.ssh.port": "SSH port",
 "label.sshkeypair": "New SSH key pair",
 "label.sshkeypairs": "SSH key pairs",
@@ -3067,6 +3077,7 @@
 "message.action.unmanage.volume": "Please confirm that you want to unmanage the Volume.",
 "message.action.unmanage.volumes": "Please confirm that you want to unmanage the Volumes.",
 "message.action.vmsnapshot.delete": "Please confirm that you want to delete this Instance Snapshot. <br>Please notice that the Instance will be paused before the Snapshot deletion, and resumed after deletion, if it runs on KVM.",
+"message.action.vmsnapshot.disk-only.delete": "Please confirm that you want to delete this Instance Snapshot.",
 "message.activate.project": "Are you sure you want to activate this project?",
 "message.add.custom.action.parameters": "Parameters to be made available while running the custom action.",
 "message.add.egress.rule.failed": "Adding new egress rule failed.",
@@ -3589,7 +3600,6 @@
 "message.error.zone.name": "Please enter Zone name.",
 "message.error.zone.type": "Please select Zone type.",
 "message.error.linstor.resourcegroup": "Please enter the Linstor Resource-Group.",
-"message.error.fixed.offering.kvm": "It's not possible to scale up Instances that utilize KVM hypervisor with a fixed compute offering.",
 "message.error.create.webhook.local.account": "Account must be provided for creating a Webhook with Local scope.",
 "message.error.create.webhook.name": "Name must be provided for creating a Webhook.",
 "message.error.create.webhook.payloadurl": "Payload URL must be provided for creating a Webhook.",
@@ -3734,6 +3744,7 @@
 "message.network.selection": "Choose one or more Networks to attach the Instance to.",
 "message.network.selection.new.network": "A new Network can also be created here.",
 "message.network.updateip": "Please confirm that you would like to change the IP address for this NIC on the Instance.",
+"message.network.update.nic": "Please confirm that you would like to update this NIC.",
 "message.network.usage.info.data.points": "Each data point represents the difference in data traffic since the last data point.",
 "message.network.usage.info.sum.of.vnics": "The Network usage shown is made up of the sum of data traffic from all the vNICs in the Instance.",
 "message.nfs.mount.options.description": "Comma separated list of NFS mount options for KVM hosts. Supported options : vers=[3,4.0,4.1,4.2], nconnect=[1...16]",
@@ -4017,13 +4028,14 @@
 "message.success.delete.vgpu.profile": "Successfully deleted vGPU profile",
 "message.success.update.custom.action": "Successfully updated Custom Action",
 "message.success.update.extension": "Successfully updated Extension",
-"message.success.update.sharedfs": "Successfully updated Shared FileSystem",
 "message.success.update.ipaddress": "Successfully updated IP address",
 "message.success.update.iprange": "Successfully updated IP range",
 "message.success.update.ipv4.subnet": "Successfully updated IPv4 subnet",
 "message.success.update.iso": "Successfully updated ISO",
 "message.success.update.kubeversion": "Successfully updated Kubernetes supported version",
 "message.success.update.network": "Successfully updated Network",
+"message.success.update.nic": "Successfully updated NIC",
+"message.success.update.sharedfs": "Successfully updated Shared FileSystem",
 "message.success.update.template": "Successfully updated Template",
 "message.success.update.user": "Successfully updated User",
 "message.success.update.vpn.customer.gateway": "Successfully updated VPN Customer Gateway",
@@ -4073,6 +4085,7 @@
 "message.two.fa.setup.page": "Two factor authentication (2FA) is an extra layer of security to your account.<br> Once setup is done, on every login you will be prompted to enter the 2FA code.<br>",
 "message.two.fa.view.setup.key": "Click here to view the setup key",
 "message.two.fa.view.static.pin": "Click here to view the static PIN",
+"message.update.nic.processing": "Updating NIC...",
 "message.update.ipaddress.processing": "Updating IP Address...",
 "message.update.resource.count": "Please confirm that you want to update resource counts for this Account.",
 "message.update.resource.count.domain": "Please confirm that you want to update resource counts for this domain.",
@@ -4155,7 +4168,9 @@
 "message.warn.importing.instance.without.nic": "WARNING: This Instance is being imported without NICs and many Network resources will not be available. Consider creating a NIC via vCenter before importing or as soon as the Instance is imported. For KVM host, allocate a NIC to Instance after import.",
 "message.warn.select.template": "Please select a Template for Registration.",
 "message.warn.zone.mtu.update": "Please note that this limit won't affect pre-existing Network's MTU settings",
+"message.warn.vpc.offerings": "VPC offerings will only be shown if the selected account has at least one VPC.",
 "message.webhook.deliveries.time.filter": "Webhook deliveries list can be filtered based on date-time. Select 'Custom' for specifying start and end date range.",
+"message.webhook.filter.add": "Webhook deliveries can be controlled using filters (currently by Event type). Please select the parameters to add to the applied filters list.",
 "message.zone.creation.complete": "Zone creation complete.",
 "message.zone.detail.description": "Populate Zone details.",
 "message.zone.detail.hint": "A Zone is the largest organizational unit in CloudStack, and it typically corresponds to a single datacenter. Zones provide physical isolation and redundancy. A zone consists of one or more Pods (each of which contains hosts and primary storage servers) and a secondary storage server which is shared by all pods in the zone.",
diff --git a/ui/public/locales/ja_JP.json b/ui/public/locales/ja_JP.json
index 850264fb3411..b7f32d7a2e12 100644
--- a/ui/public/locales/ja_JP.json
+++ b/ui/public/locales/ja_JP.json
@@ -2932,7 +2932,6 @@
   "message.error.domain": "ドメインを入力し、ROOTドメインは空のままにします",
   "message.error.enable.saml": "SAML SSOを有効にするユーザーIDが見つかりません。手動で有効にしてください。",
   "message.error.endip": "終了IPを入力してください",
-  "message.error.fixed.offering.kvm": "固定コンピューティングオファリングでKVMハイパーバイザーを利用するVMをスケールアップすることはできません。",
   "message.error.gateway": "ゲートウェイに入ってください",
   "message.error.host.name": "ホスト名を入力してください",
   "message.error.host.password": "ホストパスワードを入力してください",
diff --git a/ui/public/locales/pt_BR.json b/ui/public/locales/pt_BR.json
index 59123a5e45c3..91f0fd895e58 100644
--- a/ui/public/locales/pt_BR.json
+++ b/ui/public/locales/pt_BR.json
@@ -1,27 +1,35 @@
 {
 "alert.service.domainrouter": "Roteador do dom\u00ednio",
+"error.dedicate.bgp.peer.failed": "Falha ao dedicar o par BGP",
+"error.dedicate.ipv4.subnet.failed": "Falha ao dedicar a sub-rede IPv4",
 "error.dedicate.cluster.failed": "Falha ao dedicar cluster",
 "error.dedicate.host.failed": "Falha ao dedicar host",
 "error.dedicate.pod.failed": "Falha ao dedicar pod",
 "error.dedicate.zone.failed": "Falha ao dedicar zona",
+"error.empty.counter.operator.threshold": "Contador, Operador ou Limite est\u00e1 vazio",
 "error.execute.api.failed": "Falha ao executar API",
 "error.fetching.async.job.result": "Foi encontrado um erro ao buscar o resultado do job ass\u00edncrono",
-"error.form.message": "H\u00e1 problemas no formul\u00e1rio. Por favor, corrija-os.",
+"error.form.message": "H\u00e1 problemas no formul\u00e1rio. Por favor, corrija-os",
 "error.password.not.match": "Os campos de senha n\u00e3o coincidem",
+"error.release.dedicate.bgp.peer": "Falha ao liberar o par BGP dedicado",
 "error.release.dedicate.cluster": "Falha ao liberar cluster dedicado.",
 "error.release.dedicate.host": "Falha ao liberar host dedicado.",
+"error.release.dedicate.ipv4.subnet": "Falha ao liberar a sub-rede IPv4 dedicada",
 "error.release.dedicate.pod": "Falha ao liberar pod dedicado.",
 "error.release.dedicate.zone": "Falha ao liberar zona dedicada.",
+"error.unable.to.add.setting.extraconfig": "N\u00e3o \u00e9 permitido adicionar configura\u00e7\u00e3o para extraconfig. Por favor, habilite o par\u00e2metro extraconfig para a m\u00e1quina virtual",
 "error.unable.to.proceed": "N\u00e3o foi poss\u00edvel proceder. Por favor, contate um administrador.",
 "firewall.close": "Firewall",
-"icmp.code.desc": "Informe -1 para permitir todos os c\u00f3digos ICMP.",
-"icmp.type.desc": "Informe -1 para permitir todos os tipos ICMP.",
+"icmp.code.desc": "Informe -1 para permitir todos os c\u00f3digos ICMP",
+"icmp.type.desc": "Informe -1 para permitir todos os tipos ICMP",
 "inline": "Inline",
 "label.about": "Sobre",
 "label.about.app": "Sobre o CloudStack",
 "label.accept": "Aceitar",
-"label.accept.project.invitation": "Aceitar convite de projeto.",
+"label.accept.project.invitation": "Aceitar convite de projeto",
 "label.access": "Acesso",
+"label.access.key": "Chave de acesso",
+"label.access.kubernetes.nodes": "Acessar n\u00f3s Kubernetes",
 "label.accesskey": "Chave de acesso",
 "label.account": "Conta",
 "label.account.and.security.group": "Contas e grupos de seguran\u00e7a",
@@ -45,19 +53,27 @@
 "label.action.attach.iso": "Anexar ISO",
 "label.action.bulk.delete.egress.firewall.rules": "Apagar em massa as regras de sa\u00edda do firewall.",
 "label.action.bulk.delete.firewall.rules": "Apagar em massa as regras do firewall.",
+"label.action.bulk.delete.ip.v6.firewall.rules": "Apagar em massa as regras de firewall IPv6.",
 "label.action.bulk.delete.isos": "Apagar em massa as ISOs.",
 "label.action.bulk.delete.load.balancer.rules": "Apagar em massa as regras de balanceamento de carga.",
 "label.action.bulk.delete.portforward.rules": "Apagar em massa as regras de encaminhamento de porta.",
+"label.action.bulk.delete.routing.firewall.rules": "Remover em massa regras de firewall de Roteamento IPv4",
+"label.action.bulk.delete.snapshots": "Excluir snapshots em massa",
 "label.action.bulk.delete.templates": "Apagar em massa as regras de template.",
 "label.action.bulk.release.public.ip.address": "Liberar em massa os enderec\u0327os de IPs P\u00fablicos.",
 "label.action.cancel.maintenance.mode": "Cancelar modo de manuten\u00e7\u00e3o",
 "label.action.change.password": "Trocar de senha",
+"label.action.change.primary.storage.scope": "Alterar escopo do armazenamento prim\u00e1rio",
+"label.action.clear.webhook.deliveries": "Limpar entregas do webhook",
+"label.action.delete.webhook.deliveries": "Excluir entregas do webhook",
 "label.action.configure.stickiness": "Ader\u00eancia",
 "label.action.copy.iso": "Copiar ISO",
+"label.action.copy.snapshot": "Copiar Snapshot",
 "label.action.copy.template": "Copiar template",
 "label.action.create.snapshot.from.vmsnapshot": "Criar snapshot a partir de uma snapshot de VM",
 "label.action.create.template.from.volume": "Criar template a partir do disco",
 "label.action.create.volume": "Criar disco",
+"label.action.create.volume.add": "Criar e Adicionar Volume",
 "label.action.delete.account": "Remover conta",
 "label.action.delete.backup.offering": "Remover oferta de backup",
 "label.action.delete.cluster": "Remover cluster",
@@ -65,20 +81,29 @@
 "label.action.delete.domain": "Remover dom\u00ednio",
 "label.action.delete.egress.firewall": "Remover regra de sa\u00edda do firewall",
 "label.action.delete.firewall": "Remover regra de firewall",
+"label.action.delete.guest.os": "Excluir Guest OS",
+"label.action.delete.guest.os.hypervisor.mapping": "Excluir mapeamento de virtualizador do Guest OS",
+"label.action.delete.interface.static.route": "Remover rota est\u00e1tica da interface Tungsten Fabric",
 "label.action.delete.ip.range": "Remover intervalo de IPs",
 "label.action.delete.iso": "Remover ISO",
 "label.action.delete.load.balancer": "Remover regra do balanceador de carga",
 "label.action.delete.network": "Remover rede",
+"label.action.delete.network.permission": "Excluir permiss\u00e3o de Rede",
+"label.action.delete.network.static.route": "Remover rota est\u00e1tica de Rede Tungsten Fabric",
 "label.action.delete.node": "Remover nodo",
+"label.action.delete.oauth.provider": "Excluir provedor OAuth",
+"message.action.delete.object.storage": "Por favor, confirme que voc\u00ea deseja excluir este Object Storage",
 "label.action.delete.physical.network": "Remover rede f\u00edsica",
 "label.action.delete.pod": "Remover pod",
 "label.action.delete.primary.storage": "Remover armazenamento prim\u00e1rio",
+"label.action.delete.routing.firewall.rule": "Excluir regra de firewall de Roteamento IPv4",
 "label.action.delete.secondary.storage": "Remover armazenamento secund\u00e1rio",
 "label.action.delete.security.group": "Remover grupo de seguran\u00e7a",
 "label.action.delete.service.offering": "Remover plano",
 "label.action.delete.snapshot": "Remover snapshot",
 "label.action.delete.system.service.offering": "Remover oferta de servi\u00e7o de sistema",
 "label.action.delete.template": "Remover template",
+"label.action.delete.tungsten.router.table": "Remover tabela de rotas Tungsten Fabric da Rede",
 "label.action.delete.user": "Remover usu\u00e1rio",
 "label.action.delete.volume": "Remover disco",
 "label.action.delete.zone": "Remover zona",
@@ -87,11 +112,16 @@
 "label.action.destroy.volume": "Destruindo volume",
 "label.action.detach.disk": "Desanexar disco",
 "label.action.detach.iso": "Desanexar ISO",
+"label.action.disable.2FA.user.auth": "Desativar Autentica\u00e7\u00e3o de dois fatores do usu\u00e1rio",
 "label.action.disable.account": "Desativar conta",
 "label.action.disable.cluster": "Desativar cluster",
+"label.action.disable.disk.offering": "Desativar oferta de disco",
 "label.action.disable.physical.network": "Desabilitar rede f\u00edsica",
 "label.action.disable.pod": "Desativar pod",
+"label.action.disable.role": "Desativar Fun\u00e7\u00e3o",
 "label.action.disable.static.nat": "Desativar NAT est\u00e1tico",
+"label.action.disable.service.offering": "Desativar oferta de servi\u00e7o",
+"label.action.disable.system.service.offering": "Desativar oferta de servi\u00e7o do sistema",
 "label.action.disable.user": "Desativar usu\u00e1rio",
 "label.action.disable.zone": "Desativar zona",
 "label.action.download.iso": "Baixar ISO",
@@ -102,22 +132,33 @@
 "label.action.edit.domain": "Editar dom\u00ednio",
 "label.action.edit.instance": "Editar inst\u00e2ncia",
 "label.action.edit.iso": "Editar ISO",
+"label.action.edit.nfs.options": "Editar op\u00e7\u00f5es de montagem NFS",
+"label.action.edit.template": "Editar Template",
 "label.action.edit.zone": "Editar zona",
 "label.action.enable.account": "Ativar conta",
 "label.action.enable.cluster": "Ativar cluster",
+"label.action.enable.disk.offering": "Ativar oferta de disco",
 "label.action.enable.maintenance.mode": "Ativar modo de manuten\u00e7\u00e3o",
 "label.action.enable.physical.network": "Habilitar rede f\u00edsica",
 "label.action.enable.pod": "Ativar pod",
+"label.action.enable.role": "Ativar role",
 "label.action.enable.static.nat": "Ativar NAT est\u00e1tico",
+"label.action.enable.service.offering": "Ativar oferta de servi\u00e7o",
+"label.action.enable.system.service.offering": "Ativar oferta de servi\u00e7o do sistema",
+"label.action.enable.two.factor.authentication": "Autentica\u00e7\u00e3o de dois fatores ativada",
 "label.action.enable.user": "Habilitar usu\u00e1rio",
 "label.action.enable.zone": "Ativar zona",
 "label.action.expunge.instance": "Eliminar inst\u00e2ncia",
 "label.action.force.reconnect": "Forc\u0327ar reconex\u00e3o",
 "label.action.generate.keys": "Gerar chaves",
+"label.action.generate.api.secret.keys": "Gerar novos pares de chave de API",
 "label.action.get.diagnostics": "Obter diagn\u00f3stico",
+"label.action.health.monitor": "Monitor de sa\u00fade",
 "label.action.image.store.read.only": "Colocar armazenamento secund\u00e1rio em modo somente leitura",
 "label.action.image.store.read.write": "Colocar armazenamento secund\u00e1rio em modo leitura-escrita",
 "label.action.import.export.instances": "Importar-exportar inst\u00e2ncias",
+"label.action.import.unmanage.volumes": "Importar volumes de dados",
+"label.action.ingest.instances": "Ingerir inst\u00e2ncias",
 "label.action.iso.permission": "Atualizar permiss\u00f5es da ISO",
 "label.action.iso.share": "Atualizar compartilhamento da ISO",
 "label.action.lock.account": "Bloquear conta",
@@ -126,6 +167,9 @@
 "label.action.migrate.router": "Migrar roteador",
 "label.action.migrate.systemvm": "Migrar VM de sistema",
 "label.action.migrate.systemvm.to.ps": "Migrar VM de sistema para outro armazenamento prim\u00e1rio",
+"label.action.patch.systemvm": "Aplicar patch na VM de sistema",
+"label.action.patch.systemvm.vpc": "Aplicar patch na VM de Sistema - Roteador Virtual de VPCs",
+"label.action.patch.systemvm.processing": "Aplicando patch na VM de sistema....",
 "label.action.project.add.account": "Adicionar conta ao projeto",
 "label.action.project.add.user": "Adicionar usu\u00e1rio a um projeto",
 "label.action.quota.tariff.create": "Criar tarifa",
@@ -136,21 +180,36 @@
 "label.action.reboot.systemvm": "Reiniciar VM de sistema",
 "label.action.recover.volume": "Recuperar volume",
 "label.action.recurring.snapshot": "Snapshots recorrentes",
+"label.action.resize.sharedfs": "Redimensionar Sistema de Arquivos Compartilhado",
+"label.action.restart.sharedfs": "Reiniciar Sistema de Arquivos Compartilhado",
 "label.action.register.iso": "Registrar ISO",
 "label.action.register.template": "Registrar template a partir da URL",
+"label.action.release.asnumber": "Liberar N\u00famero AS",
 "label.action.release.ip": "Liberar IP",
+"label.action.release.reserved.ip": "Liberar IP reservado",
 "label.action.remove.host": "Remover host",
+"label.action.remove.logical.router": "Remover Roteador L\u00f3gico",
+"label.action.remove.network.policy": "Remover Pol\u00edtica de Rede",
+"label.action.remove.nic": "Remover NIC",
+"label.action.remove.router.table.from.interface": "Remover tabela de rotas Tungsten Fabric da interface",
+"label.action.remove.tungsten.routing.policy": "Remover pol\u00edtica de roteamento Tungsten Fabric da Rede",
+"label.action.reserve.ip": "Reservar IP P\u00fablico",
+"label.action.reset.network.permissions": "Redefinir permiss\u00f5es de Rede",
 "label.action.reset.password": "Recuperar senha",
 "label.action.resize.volume": "Redimensionar volume",
 "label.action.revert.snapshot": "Reverter para snapshot",
 "label.action.router.health.checks": "Obter resultado das checagens de sa\u00fade",
 "label.action.run.diagnostics": "Executar diagn\u00f3sticos",
 "label.action.secure.host": "Propagar certificado de seguran\u00e7a para o host",
+"label.action.set.as.source.nat.ip": "Tornar source NAT",
+"label.action.setup.2FA.user.auth": "Configurar Autentica\u00e7\u00e3o de Dois Fatores do Usu\u00e1rio",
 "label.action.start.instance": "Iniciar inst\u00e2ncia",
 "label.action.start.router": "Iniciar roteador",
 "label.action.start.systemvm": "Iniciar VM de sistema",
+"label.action.start.sharedfs": "Iniciar Sistema de Arquivos Compartilhado",
 "label.action.stop.instance": "Parar inst\u00e2ncia",
 "label.action.stop.router": "Parar roteador",
+"label.action.stop.sharedfs": "Parar Sistema de Arquivos Compartilhado",
 "label.action.stop.systemvm": "Parar VM de sistema",
 "label.action.take.snapshot": "Criar snapshot",
 "label.action.template.permission": "Atualizar permiss\u00f5es do template",
@@ -159,8 +218,15 @@
 "label.action.unmanage.instance": "Parar de gerenciar inst\u00e2ncia",
 "label.action.unmanage.instances": "Parar de gerenciar inst\u00e2ncias",
 "label.action.unmanage.virtualmachine": "Parar de gerenciar VM",
+"label.action.unmanage.volume": "Parar de gerenciar Volume",
+"label.action.unmanage.volumes": "Parar de gerenciar Volumes",
+"label.action.update.host": "Atualizar host",
 "label.action.update.offering.access": "Atualizar acesso \u00e0 oferta",
+"label.action.update.security.groups": "Atualizar grupos de seguran\u00e7a",
 "label.action.update.resource.count": "Atualizar contagem de recursos",
+"label.action.userdata.reset": "Redefinir Userdata",
+"label.action.value": "A\u00e7\u00e3o/Valor",
+"label.action.verify.two.factor.authentication": "Autentica\u00e7\u00e3o de dois fatores verificada",
 "label.action.vmsnapshot.create": "Criar snapshot de VM",
 "label.action.vmsnapshot.delete": "Remover snapshot de VM",
 "label.action.vmsnapshot.revert": "Reverter snapshot de VM",
@@ -175,6 +241,7 @@
 "label.add.acl": "Adiciona lista ACL",
 "label.add.affinity.group": "Adicionar um grupo de afinidade",
 "label.add.baremetal.dhcp.device": "Adicionar dispositivo DHCP baremetal",
+"label.add.bgp.peer": "Adicionar par BGP",
 "label.add.bigswitchbcf.device": "Adicionar controlador BigSwitch BCF",
 "label.add.brocadevcs.device": "Adicionar switch Brocade Vcs",
 "label.add.by": "Adicionado por",
@@ -182,40 +249,56 @@
 "label.add.ciscoasa1000v": "Adicionar recurso CiscoASA1000v",
 "label.add.cluster": "Adicionar cluster",
 "label.add.compute.offering": "Adicionar oferta de computa\u00e7\u00e3o",
+"label.add.condition": "Adicionar condi\u00e7\u00e3o",
 "label.add.disk.offering": "Adicionar oferta de disco",
 "label.add.domain": "Adicionar dom\u00ednio",
 "label.add.egress.rule": "Adicionar regra de sa\u00edda",
 "label.add.f5.device": "Adicionar dispositivo F5",
 "label.add.firewall": "Adicionar regra de firewall",
+"label.add.firewallrule": "Adicionar Regra de Firewall",
 "label.add.guest.network": "Adicionar rede guest",
+"label.add.guest.os": "Adicionar SO convidado",
+"label.add.guest.os.hypervisor.mapping": "Adicionar mapeamento de hypervisor do Guest OS",
+"label.add.gui.theme": "Adicionar tema da GUI",
 "label.add.host": "Adicionar host",
 "label.add.ingress.rule": "Adicionar regra de entrada",
 "label.add.intermediate.certificate": "Adicionar certificado intermedi\u00e1rio",
 "label.add.internal.lb": "Adicionar LB interno",
 "label.add.ip.range": "Adicionar intervalo de IPs",
+"label.add.ip.v6.prefix": "Adicionar prefixo IPv6",
+"label.add.ipv4.subnet": "Adicionar sub-rede IPv4 para redes Roteadas",
 "label.add.isolated.network": "Adiciona rede isolada",
+"label.add.key.value": "Adicionar par de chaves valor",
 "label.add.kubernetes.cluster": "Adicionar cluster Kubernetes",
 "label.add.ldap.account": "Adicionar conta LDAP",
 "label.add.acl.name": "Nome da lista ACL",
+  "label.add.logical.router": "Adicionar Roteador L\u00f3gico a esta Rede",
 "label.add.more": "Adicionar mais",
 "label.add.netscaler.device": "Adicionar dispositivo Netscaler",
 "label.add.network": "Adicionar rede",
 "label.add.network.acl": "Adicione ACL de rede",
 "label.add.network.acl": "Adicionar lista de ACL de rede",
 "label.add.network.offering": "Adicionar oferta de rede",
+"label.add.network.permission": "Adicionar permiss\u00e3o de Rede",
 "label.add.new.gateway": "Adicionar novo gateway",
 "label.add.new.tier": "Adicionar nova camada",
 "label.add.niciranvp.device": "Adicionar controlador Nvp",
 "label.add.note": "Adicionar coment\u00e1rio",
+"label.add.object.storage" : "Adicionar Object Storage",
 "label.add.opendaylight.device": "Adiciona controlador OpenDaylight",
 "label.add.pa.device": "Adicionar dispositivo Palo Alto",
+"label.add.param": "Adicionar par\u00c2metro",
 "label.add.physical.network": "Adicionar rede f\u00edsica",
 "label.add.pod": "Adicionar pod",
+"label.add.policy": "Adicionar pol\u00edtica",
+"label.add.prefix": "Adicionar prefixo",
 "label.add.primary.storage": "Adicionar armazenamento prim\u00e1rio",
 "label.add.private.gateway": "Adicionar gateway privado",
 "label.add.resources": "Adicionar recursos",
 "label.add.role": "Adicionar fun\u00e7\u00e3o",
 "label.add.route": "Adicionar rota",
+"label.add.router.table.to.instance": "Adicionar tabela de roteamento a esta Inst\u00e2ncia",
+"label.add.routing.policy": "Adicionar pol\u00edtica de roteamento",
 "label.add.rule": "Adicionar regra",
 "label.add.secondary.ip": "Adicionar IP secund\u00e1rio",
 "label.add.secondary.storage": "Adicionar armazenamento secund\u00e1rio",
@@ -224,8 +307,26 @@
 "label.add.srx.device": "Adicionar dispositivo SRX",
 "label.add.static.route": "Adicionar rota est\u00e1tica",
 "label.add.system.service.offering": "Adicionar oferta de servi\u00e7o para VMs de sistema",
+"label.add.term.then": "Adicionar termo",
 "label.add.traffic": "Adicionar tr\u00e1fego",
 "label.add.traffic.type": "Adicionar tipo de tr\u00e1fego",
+"label.add.tungsten.address.group": "Adicionar Grupo de Endere\u00e7os",
+"label.add.tungsten.fabric.route": "Adicionar tabela de roteamento de Rede Tungsten Fabric",
+"label.add.tungsten.firewall.policy": "Adicionar Pol\u00edtica de Firewall",
+"label.add.tungsten.firewall.rule": "Adicionar Regra de Firewall",
+"label.add.tungsten.interface.route": "Adicionar tabela de roteamento de interface Tungsten Fabric",
+"label.add.tungsten.interface.static.route": "Adicionar rota est\u00e1tica de interface Tungsten Fabric",
+"label.add.tungsten.logical.route": "Adicionar Roteador L\u00f3gico",
+"label.add.tungsten.network.static.route": "Adicionar rota est\u00e1tica de Rede Tungsten Fabric",
+"label.add.tungsten.policy": "Adicionar Pol\u00edtica",
+"label.add.tungsten.policy.set": "Adicionar Conjunto de Pol\u00edticas de Aplica\u00e7\u00e3o",
+"label.add.tungsten.router.table": "Adicionar tabela de roteamento a esta Rede",
+"label.add.tungsten.routing.policy": "Adicionar pol\u00edtica de roteamento a esta Rede",
+"label.add.tungsten.service.group": "Adicionar Grupo de Servi\u00e7os",
+"label.add.tungsten.tag": "Adicionar Tag",
+"label.add.tungsten.tag.type": "Adicionar Tipo de Tag",
+"label.add.upstream.ipv4.routes": "Adicionar roteamento upstream IPv4",
+"label.add.upstream.ipv6.routes": "Adicionar roteamento upstream IPv6",
 "label.add.user": "Adicionar usu\u00e1rio",
 "label.add.vm": "Adicionar VM",
 "label.add.vms": "Adicionar VMs",
@@ -240,7 +341,9 @@
 "label.adding": "Adicionando",
 "label.adding.user": "Adicionando usu\u00e1rio",
 "label.address": "Endere\u00e7o",
+"label.address.group": "Grupo de endere\u00e7os",
 "label.admin": "Administrador",
+"label.adminsonly": "Vis\u00edvel apenas para administradores",
 "label.advanced": "Avan\u00e7ado",
 "label.advanced.mode": "Modo avan\u00e7ado",
 "label.affinity": "Afinidade",
@@ -248,6 +351,7 @@
 "label.affinitygroup": "Grupo de afinidade",
 "label.agent.password": "Senha do agente",
 "label.agent.username": "Usu\u00e1rio do agente",
+"label.agentcount": "N\u00famero de agentes conectados",
 "label.agentport": "Porta do agente",
 "label.agentstate": "Estado do agente",
 "label.agree": "Concordo",
@@ -257,49 +361,85 @@
 "label.algorithm": "Algoritmo",
 "label.all": "Todos",
 "label.all.available.data": "Todos os dados dispon\u00edveis",
+"label.all.ipv6": "Todos IPv6",
 "label.all.zone": "Todas as zonas",
 "label.allocated": "Alocado",
+"label.allocatedonly": "Alocado",
 "label.allocationstate": "Estado da aloca\u00e7\u00e3o",
 "label.allow": "Permitir",
+"label.allow.duplicate.macaddresses": "Permitir endere\u00e7os MAC duplicados",
 "label.allowuserdrivenbackups": "Permitir backups manuais pelos usu\u00e1rios",
 "label.annotation": "Coment\u00e1rio",
 "label.annotations": "Coment\u00e1rios",
 "label.annotation.everyone": "Vis\u00edvel a todos",
 "label.anti.affinity": "Anti-afinidade",
 "label.anti.affinity.group": "Grupo de anti-afinidade",
+"label.api.docs": "Documenta\u00e7\u00c3o da API",
+"label.api.docs.description": "Para informa\u00e7\u00f5es sobre como as APIs funcionam e dicas de como us\u00e1-las, clique aqui para ver o Guia do Desenvolvedor",
+"label.api.docs.count": "APIs dispon\u00edveis para sua conta",
 "label.api.version": "Vers\u00e3o da API",
 "label.apikey": "Chave da API",
 "label.app.cookie": "AppCookie",
 "label.app.name": "CloudStack",
+"label.application.policy.set": "Conjunto de Pol\u00edticas de Aplica\u00e7\u00e3o",
 "label.apply": "Aplicar",
+"label.apply.tungsten.firewall.policy": "Aplicar Pol\u00edtica de Firewall",
+"label.apply.tungsten.network.policy": "Aplicar Pol\u00edtica de Rede",
+"label.apply.tungsten.tag": "Aplicar tag",
+"label.arch": "Arquitetura",
+"label.archived": "Arquivado",
 "label.archive": "Arquivo",
 "label.archive.alerts": "Arquivar alertas",
 "label.archive.events": "Arquivar eventos",
 "label.as.default": "como padr\u00e3o",
+"label.asnumber": "N\u00famero AS",
+"label.asnumbers": "N\u00fameros AS",
+"label.asnrange": "Faixa AS",
 "label.assign": "Atribuir",
 "label.assign.instance.another": "Atribuir inst\u00e2ncia para outra conta",
 "label.assign.vms": "Atribuir VMs",
 "label.assigning.vms": "Atribuindo VMs",
+"label.associated.resource": "Recurso associado",
 "label.associatednetwork": "Rede associada",
 "label.associatednetworkid": "ID de rede associado",
 "label.associatednetworkname": "Nome da rede",
 "label.asyncbackup": "Backup ass\u00edncrono",
+"label.attaching": "Anexando",
+"label.authentication.method": "M\u00e9todo de Autentica\u00e7\u00e3o",
+"label.authentication.sshkey": "Chave SSH do Sistema",
+"label.autoscale": "AutoScale",
+"label.autoscalevmgroupname": "Grupo de AutoScale",
 "label.author.email": "E-mail do autor",
 "label.author.name": "Nome do autor",
+"label.auto.assign": "Atribuir automaticamente",
 "label.auto.assign.diskoffering.disk.size": "Atribuir automaticamente a oferta correspondente ao tamanho do disco",
 "label.auto.assign.random.ip": "Atribuir automaticamente um enderec\u0327o de IP aleat\u00f3rio",
 "label.auto.refresh.statistics": "Tempo entre atualiza\u00e7\u00f5es autom\u00e1ticas",
 "label.auto.refresh.statistics.none": "Nenhum",
+"label.automigrate.volume": "Migrar volume automaticamente para outro pool de armazenamento, se neces\u00e1rio",
+"label.autoscale.vm.groups": "Grupos de AutoScale",
+"label.autoscale.vm.profile": "Perfil de Inst\u00e2ncia de AutoScale",
 "label.autoscalingenabled": "Escalonamento autom\u00e1tico",
 "label.availability": "Disponibilidade",
 "label.available": "Dispon\u00edvel",
+"label.availableprocessors": "N\u00facleos de processador dispon\u00edveis",
+"label.availablevirtualmachinecount": "Inst\u00e2ncias Dispon\u00edveis",
 "label.back": "Voltar",
 "label.backup": "Backup",
 "label.backups": "Backups",
+"label.back.login": "Voltar à página de login",
+"label.backup": "Backups",
 "label.backup.attach.restore": "Restaurar e anexar volume de backup",
+"label.backuplimit": "Limite de backups",
+"label.backup.storage": "Armazenamento de backup",
+"label.backupstoragelimit": "Limite de armazenamento de backup (GiB)",
+"label.backup.configure.schedule": "Configurar Agendamento de Backup",
 "label.backup.offering.assign": "Atribuir VM a oferta de backup",
 "label.backup.offering.remove": "Remover VM de oferta de backup",
 "label.backup.offerings": "Ofertas de backup",
+"label.backup.repository": "Reposit\u00f3rio de Backup",
+"label.backup.repository.add": "Adicionar reposit\u00f3rio de backup",
+"label.backup.repository.remove": "Remover reposit\u00f3rio de backup",
 "label.backup.restore": "Restaurar backup da VM",
 "label.backupofferingid": "Oferta de backup",
 "label.backupofferingname": "Oferta de backup",
@@ -316,6 +456,8 @@
 "label.based.on.role.id.or.type": "Criar uma fun\u00e7\u00e3o baseado no ID da fun\u00e7\u00e3o ou no seu tipo",
 "label.basic": "B\u00e1sico",
 "label.bcfdeviceid": "ID",
+"label.bgp.peers": "Pares BGP",
+"label.bgp.peer.set.reservation.desc": "Voc\u00ea pode tornar o par BGP p\u00fablico, ou pode dedic\u00e1-lo/reserv\u00e1-lo para um Dom\u00ednio ou uma Conta",
 "label.bigswitch.controller.address": "Endere\u00e7o do controlador BigSwitch BCF",
 "label.bladeid": "ID da l\u00e2mina",
 "label.blades": "L\u00e2minas",
@@ -327,7 +469,13 @@
 "label.broadcastdomaintype": "Tipo de dom\u00ednio broadcast",
 "label.broadcasturi": "URI de broadcast",
 "label.brocade.vcs.address": "Endere\u00e7o do switch Vcs",
+"label.browser": "Navegador",
 "label.bucket": "Bucket",
+"label.bucket.delete": "Excluir Bucket",
+"label.bucket.policy": "Pol\u00edtica do Bucket",
+"label.bucket.update": "Atualizar Bucket",
+"label.bucketlimit": "Limite de Bucket",
+"label.buckets": "Buckets",
 "label.by.account": "por conta",
 "label.by.domain": "por dom\u00ednio",
 "label.by.level": "por n\u00edvel",
@@ -338,6 +486,9 @@
 "label.bypassvlanoverlapcheck": "Ignorar a sobreposi\u00e7\u00e3o de ID/intervalo de VLAN",
 "label.cachemode": "Tipo do cache de escrita",
 "label.cancel": "Cancelar",
+"label.cancel.host.as.degraded": "Cancelar host como degradado",
+"label.cancel.shutdown": "Cancelar Desligamento",
+"label.cancelmaintenance": "Cancelar manuten\u00e7\u00e3o",
 "label.capacity": "Capacidade",
 "label.capacitybytes": "Capacidade de bytes",
 "label.capacityiops": "IOPS total",
@@ -348,9 +499,13 @@
 "label.certificate.upload.failed": "Falha ao carregar certificado",
 "label.certificate.upload.failed.description": "Falha ao atualizar certificado SSL. Falha na verifica\u00e7\u00e3o do certificado.",
 "label.certificateid": "ID do certificado",
+"label.change": "Alterar",
 "label.change.affinity": "Mudar afinidade",
+"label.change.bgp.peers": "Alterar pares BGP",
+"label.change.disk.offering": "Alterar oferta de disco",
 "label.change.ip.address": "Trocar endere\u00e7o IP",
 "label.change.ipaddress": "Mudan\u00e7a de endere\u00e7o IP para NIC",
+"label.change.offering.for.volume": "Alterar oferta de disco para o volume",
 "label.change.service.offering": "Alterar oferta de servi\u00e7o",
 "label.character": "Caracter",
 "label.checksum": "Checksum",
@@ -359,6 +514,7 @@
 "label.cidr": "CIDR",
 "label.cidr.destination.network": "CIDR da rede de destino",
 "label.cidrlist": "Lista de CIDRs",
+"label.cidrsize": "Tamanho do CIDR",
 "label.cisco.nexus1000v.ip.address": "Endere\u00e7o IP do Nexus 1000v",
 "label.cisco.nexus1000v.password": "Senha do Nexus 1000v",
 "label.cisco.nexus1000v.username": "Usu\u00e1rio do Nexus 1000v",
@@ -369,42 +525,75 @@
 "label.cleanup": "Limpar",
 "label.clear": "Limpar",
 "label.clear.list": "Limpar lista",
+"label.clear.notification": "Limpar notifica\u00e7\u00e3o",
+"label.clientid": "ID do Cliente Provedor",
 "label.close": "Fechar",
+"label.cloud.managed": "Gerenciado pela Nuvem",
 "label.cloudian.storage": "Armazenamento Cloudian",
 "label.cluster": "Cluster",
 "label.cluster.name": "Nome do cluster",
 "label.cluster.size": "Tamanho do cluster",
 "label.clusterid": "Cluster",
 "label.clustername": "Nome do cluster",
+"label.clusternamelabel": "Nome do cluster",
 "label.clusters": "Clusters",
 "label.clustertype": "Tipo de cluster",
 "label.clvm": "CLVM",
 "label.code": "C\u00f3digo",
+"label.collectiontime": "Tempo de coleta",
+"label.columns": "Colunas",
 "label.comma.separated.list.description": "Insira uma lista de comandos separados por v\u00edrgulas",
+"label.command": "Comando",
 "label.comments": "Coment\u00e1rios",
+"label.commonnames": "Nomes Comuns (CN)",
+"label.communities": "Comunidades",
 "label.community": "Comunidade",
 "label.complete": "Complete",
+"label.compressionstatus": "Estado de compress\u00e3o",
 "label.compute": "Computa\u00e7\u00e3o",
 "label.compute.offerings": "Oferta de computa\u00e7\u00e3o",
+"label.compute.offering.for.sharedfs.instance": "Oferta de computa\u00e7\u00e3o para Inst\u00e2ncia",
+"label.computeonly.offering": "Oferta de disco apenas para computa\u00e7\u00e3o",
+"label.computeonly.offering.tooltip": "Op\u00e7\u00e3o para especificar informa\u00e7\u00f5es relacionadas ao disco ROOT na oferta de computa\u00e7\u00e3o ou para vincular diretamente uma oferta de disco \u00e0 oferta de computa\u00e7\u00e3o",
+"label.conditions": "Condi\u00e7\u00f5es",
 "label.configuration": "Configura\u00e7\u00e3o",
 "label.configure": "Configurar",
+"label.configure.app": "Configurar o App",
+"label.configure.instance": "Configurar inst\u00e2ncia",
+"label.configure.health.monitor": "Configurar Monitor de Sa\u00fade",
 "label.configure.ldap": "Configurar LDAP",
 "label.configure.ovs": "Configure Ovs",
 "label.configure.sticky.policy": "Configurar sticky policy",
 "label.confirm.delete.egress.firewall.rules": "Por favor, confirme se deseja apagar as regras de firewall de sa\u00edda selecionadas",
 "label.confirm.delete.firewall.rules": "Por favor, confirme se deseja apagar as regras de firewall selecionadas",
+"label.confirm.delete.ip.v6.firewall.rules": "Por favor, confirme que deseja excluir as regras de firewall IPv6 selecionadas",
 "label.confirm.delete.isos": "Por favor, confirme se deseja apagar as ISOs selecionadas",
 "label.confirm.delete.loadbalancer.rules": "Por favor, confirme se deseja apagar as regras de balanceamento de carga selecionadas",
 "label.confirm.delete.portforward.rules": "Por favor, confirme se deseja apagar as regras de encaminhamento de porta selecionadas",
+"label.confirm.delete.routing.firewall.rules": "Por favor, confirme que deseja excluir as regras de firewall de Roteamento IPv4 selecionadas",
+"label.confirm.delete.snapshot.zones": "Por favor, confirme que deseja excluir o Snapshot nas zonas selecionadas",
 "label.confirm.delete.templates": "Por favor, confirme se deseja apagar os templates selecionados",
+"label.confirm.delete.tungsten.address.group": "Por favor, confirme que deseja excluir este Grupo de Endere\u00e7os",
+"label.confirm.delete.tungsten.firewall.policy": "Por favor, confirme que deseja excluir esta Pol\u00edtica de Firewall",
+"label.confirm.delete.tungsten.policy": "Por favor, confirme que deseja excluir esta Pol\u00edtica",
+"label.confirm.delete.tungsten.policy.set": "Por favor, confirme que deseja excluir este Conjunto de Pol\u00edticas de Aplica\u00e7\u00e3o",
+"label.confirm.delete.tungsten.service.group": "Por favor, confirme que deseja excluir este Grupo de Servi\u00e7os",
+"label.confirm.delete.tungsten.tag": "Por favor, confirme que deseja excluir esta Tag",
+"label.confirm.delete.tungsten.tag.type": "Por favor, confirme que deseja excluir este Tipo de Tag",
+"label.confirm.remove.logical.router": "Por favor, confirme que deseja excluir este Roteador L\u00f3gico",
 "label.confirm.release.public.ip.addresses": "Por favor, confirme se deseja liberar os endere\u00e7os IPs selecionados",
+"label.confirm.remove.network.route.table": "Por favor, confirme que deseja excluir esta Tabela de Rotas de Rede",
+"label.confirm.remove.route.table": "Por favor, confirme que deseja excluir esta Tabela de Rotas de Interface",
 "label.confirmacceptinvitation": "Por favor, confirme se deseja participar deste projeto",
 "label.confirmation": "Confirma\u00e7\u00e3o",
 "label.confirmdeclineinvitation": "Voc\u00ea tem certeza que quer rejeitar este convite de projeto?",
 "label.confirmpassword": "Confirme a senha",
 "label.confirmpassword.description": "Por favor, digite a mesma senha novamente",
+"label.connect": "Conectar",
 "label.connectiontimeout": "Tempo limite de conex\u00e3o",
 "label.conservemode": "Modo conservativo",
+"label.considerlasthost": "Considerar \u00faltimo Host",
+"label.consoleproxy": "Console proxy",
 "label.console.proxy": "Console proxy",
 "label.console.proxy.vm": "VM da console proxy",
 "label.continue": "Continuar",
@@ -413,13 +602,19 @@
 "label.copied.clipboard": "Copiado para a \u00c1rea de transfer\u00eancia",
 "label.copy": "Copiar",
 "label.copy.clipboard": "Copiar para \u00c1rea de transfer\u00eancia",
+"label.copy.password": "Copiar senha",
 "label.copyid": "Copiar ID",
+"label.core": "Core",
+"label.core.zone.type": "Tipo de zona Core",
+"label.counter": "Contador",
+"label.counter.name": "Nome do contador para o qual a pol\u00edtica ser\u00e1 avaliada",
 "label.cpu": "CPU",
 "label.cpu.sockets": "Sockets da CPU",
 "label.cpu.usage.info": "Informa\u00e7\u00f5es sobre o uso de CPU",
 "label.cpuallocated": "CPU alocada por VMs",
 "label.cpuallocatedghz": "Alocado",
 "label.cpulimit": "Limite de CPU",
+"label.cpuload": "% de CPU em uso",
 "label.cpumaxdeviation": "Desvio",
 "label.cpunumber": "N\u00facleos da CPU",
 "label.cpusockets": "O n\u00famero de sockets de CPU",
@@ -429,13 +624,17 @@
 "label.cpuused": "CPU utilizada",
 "label.cpuusedghz": "CPU utilizada",
 "label.create": "Criar",
-"label.create.instance": "Criar nova instância",
 "label.create.account": "Criar conta",
+"label.create.asnrange": "Criar faixa de número AS",
 "label.create.backup": "Iniciar backup",
+"label.create.bucket": "Criar Bucket",
+"label.create.instance": "Criar inst\u00e2ncia na nuvem",
+"label.create.instance.from.backup": "Criar nova inst\u00e2ncia a partir de backup",
 "label.create.network": "Criar nova rede",
 "label.create.nfs.secondary.staging.storage": "Criar armazenamento secund\u00e1rio tempor\u00e1rio",
 "label.create.project": "Criar um projeto",
 "label.create.project.role": "Criar fun\u00e7\u00e3o para o projeto",
+"label.create.routing.policy": "Criar Pol\u00edtica de Roteamento",
 "label.create.site.vpn.connection": "Criar conex\u00e3o VPN site-to-site",
 "label.create.site.vpn.gateway": "Criar gateway de VPN site-to-site",
 "label.create.snapshot.for.volume": "Criar snapshot para volume",
@@ -447,11 +646,19 @@
 "label.create.tier.name.description": "Um nome \u00fanico para a camada",
 "label.create.tier.netmask.description": "M\u00e1scara de rede da camada. Por exemplo: 255.255.255.0",
 "label.create.tier.networkofferingid.description": "A oferta de rede da camada",
+"label.create.tungsten.routing.policy": "Criar pol\u00edtica de roteamento Tungsten-Fabric",
+"label.create.sharedfs": "Criar Sistema de Arquivos Compartilhado",
 "label.create.user": "Criar usu\u00e1rio",
+"label.create.vm": "Criar Inst\u00e2ncia",
+"label.create.vm.and.stay": "Criar Inst\u00e2ncia e permanecer nesta p\u00e1gina",
 "label.create.vpn.connection": "Criar uma conex\u00e3o VPN",
+"label.create.webhook": "Criar Webhook",
 "label.created": "Criado",
+"label.creating": "Criando",
 "label.creating.iprange": "Criando intervalos de IP",
 "label.credit": "Cr\u00e9dito",
+"label.cron": "Express\u00e3o Cron",
+"label.cron.mode": "Modo Cron",
 "label.crosszones": "Inter zonas",
 "label.currency": "Moeda",
 "label.current": "Atual",
@@ -469,14 +676,22 @@
 "label.data.pool": "Data pool",
 "label.data.pool.description": "\u00c9 necess\u00e1rio informar um data pool ao utilizar um Ceph pool com erasure code",
 "label.date": "Data",
+"label.datetime.filter.period": "De <b>{startDate}</b> at\u00e9 <b>{endDate}</b>",
+"label.datetime.filter.starting": "Iniciando <b>{startDate}</b>",
+"label.datetime.filter.up.to": "At\u00e9 <b>{endDate}</b>",
 "label.day": "Dia",
 "label.day.of.month": "Dia do m\u00eas",
 "label.day.of.week": "Dia da semana",
+"label.db.usage.metrics": "Servidor de BD/Uso",
+"label.dbislocal": "O banco de dados roda localmente",
 "label.dc.name": "Nome do DC",
+"label.declare.host.as.degraded": "Declarar host como degradado",
 "label.decline.invitation": "Rejeitar convite",
 "label.dedicate": "Dedicado",
+"label.dedicate.bgp.peer": "Dedicar par BGP",
 "label.dedicate.cluster": "Cluster dedicado",
 "label.dedicate.host": "Dedicar host",
+"label.dedicate.ipv4.subnet": "Dedicar sub-rede IPv4",
 "label.dedicate.pod": "Pod dedicado",
 "label.dedicate.vlan.vni.range": "Intervalo de VLAN/VNI dedicado",
 "label.dedicate.zone": "Zona dedicada",
@@ -484,6 +699,9 @@
 "label.dedicated.vlan.vni.ranges": "Intervalo(s) de VLAN/VNI dedicados",
 "label.dedicatedresources": "Recursos dedicados",
 "label.default": "Padr\u00e3o",
+"label.default.network.domain.isolated.network": "Dom\u00ednio de rede padr\u00e3o para redes Isoladas",
+"label.default.network.guestcidraddress.isolated.network": "CIDR guest padr\u00e3o para Redes Isoladas",
+"label.default.project": "Projeto padr\u00e3o",
 "label.default.use": "Uso padr\u00e3o",
 "label.default.view": "Visualiza\u00e7\u00e3o padr\u00e3o",
 "label.defaultnetwork": "Rede padr\u00e3o",
@@ -491,12 +709,17 @@
 "label.delete.acl": "Apagar lista ACL",
 "label.delete.affinity.group": "Apagar grupo de afinidade",
 "label.delete.alerts": "Remover alertas",
+"label.delete.asnrange": "Excluir Faixa AS",
+"label.delete.autoscale.vmgroup": "Excluir grupo de auto escalonamento horizontal",
 "label.delete.backup": "Apagar backup",
+"label.delete.backup.schedule": "Remover agendamento de backup",
+"label.delete.bgp.peer": "Excluir par BGP",
 "label.delete.bigswitchbcf": "Remover controlador BigSwitch BCF",
 "label.delete.brocadevcs": "Remover switch Brocade Vcs",
 "label.delete.certificate": "Apagar certificado",
 "label.delete.ciscoasa1000v": "Apagar CiscoASA1000v",
 "label.delete.ciscovnmc.resource": "Apagar recurso CiscoVNMC",
+"label.delete.condition": "Excluir condi\u00e7\u00e3o",
 "label.delete.dedicated.vlan.range": "Apagar intervalo de VLAN/VNI dedicado",
 "label.delete.domain": "Apagar dom\u00ednio",
 "label.delete.events": "Remover eventos",
@@ -505,6 +728,8 @@
 "label.delete.icon": "Remover \u00edcone",
 "label.delete.instance.group": "Apagar grupo de inst\u00e2ncias",
 "label.delete.internal.lb": "Apagar LB interno",
+"label.delete.ipv4.subnet": "Excluir sub-rede IPv4",
+"label.delete.ip.v6.prefix": "Excluir prefixo IPv6",
 "label.delete.netscaler": "Remover NetScaler",
 "label.delete.niciranvp": "Remover controlador Nvp",
 "label.delete.opendaylight.device": "Apagar controladora OpenDaylight",
@@ -518,28 +743,68 @@
 "label.delete.snapshot.policy": "Apagar pol\u00edtica de snapshot",
 "label.delete.srx": "Remover SRX",
 "label.delete.sslcertificate": "Apagar certificado SSL",
+"label.delete.tag": "Remover tag",
+"label.delete.term": "Excluir termo",
+"label.delete.traffic.type": "Excluir tipo de tr\u00e1fego",
+"label.delete.tungsten.address.group": "Excluir Grupo de Endere\u00e7os",
+"label.delete.tungsten.fabric.tag": "Excluir Tag",
+"label.delete.tungsten.fabric.tag.type": "Excluir Tipo de Tag",
+"label.delete.tungsten.firewall.policy": "Excluir Pol\u00edtica de Firewall",
+"label.delete.tungsten.policy": "Excluir Pol\u00edtica",
+"label.delete.tungsten.policy.set": "Excluir Conjunto de Pol\u00edticas",
+"label.delete.tungsten.service.group": "Excluir Grupo de Servi\u00e7os",
 "label.delete.volumes": "Volumes a serem apagados",
 "label.delete.vpn.connection": "Remover conex\u00e3o VPN",
 "label.delete.vpn.customer.gateway": "Remover gateway de VPN de usu\u00e1rio",
 "label.delete.vpn.gateway": "Remover gateway de VPN",
 "label.delete.vpn.user": "Apagar usu\u00e1rio VPN",
+"label.delete.webhook": "Excluir Webhook",
+"label.delete.webhook.delivery": "Excluir Entrega de Webhook",
 "label.deleteconfirm": "Por favor, confirme que voc\u00ea deseja apagar isto",
 "label.deleting": "Removendo",
 "label.deleting.failed": "Falha ao remover",
 "label.deleting.iso": "Removendo ISO",
 "label.deleting.template": "Remover template",
+"label.deleting.snapshot": "Excluindo Snapshot",
+"label.deleteprotection": "Prote\u00e7\u00e3o contra exclus\u00e3o",
 "label.demote.project.owner": "Rebaixar conta para fun\u00e7\u00e3o regular",
 "label.demote.project.owner.user": "Rebaixar usu\u00e1rio para fun\u00e7\u00e3o regular",
 "label.deny": "Negar",
 "label.deployasis": "Ler configura\u00e7\u00f5es da VM do OVA",
 "label.deploymentplanner": "Planejador de implanta\u00e7\u00e3o",
+"label.desc.db.stats": "Estat\u00edsticas do Banco de Dados",
+"label.desc.import.ext.kvm.wizard": "Importar Inst\u00e2ncia de host KVM remoto",
+"label.desc.import.local.kvm.wizard": "Importar imagem QCOW2 do Armazenamento Local",
+"label.desc.import.shared.kvm.wizard": "Importar imagem QCOW2 do Armazenamento Compartilhado",
+"label.desc.import.unmanage.volume": "Importar e parar de gerenciar volume em Pools de Armazenamento",
 "label.desc.importexportinstancewizard": "Importar e exportar inst\u00e2ncias para/de um cluster VMWare existente",
+"label.desc.importmigratefromvmwarewizard": "Importar inst\u00e2ncias do VMware para um cluster KVM",
+"label.desc.ingesttinstancewizard": "Ingerir inst\u00e2ncias de um host KVM externo",
+"label.desc.usage.stats": "Estat\u00edsticas do Usage Server",
 "label.description": "Descri\u00e7\u00e3o",
+"label.destaddressgroupuuid": "Grupo de Endere\u00e7os de Destino",
 "label.destcidr": "CIDR de destino",
+"label.destendport": "Porta Final de Destino",
+"label.desthost": "Host de destino",
 "label.destination": "Destino",
+"label.destination.cluster":  "Cluster de Destino",
+"label.destination.hypervisor":  "Hypervisor de Destino",
+"label.destination.pod":  "Pod de Destino",
+"label.destination.zone":  "Zona de Destino",
 "label.destinationphysicalnetworkid": "ID de destino da rede f\u00edsica",
+"label.destinationtype": "Tipo de Destino",
+"label.destipprefix": "Endere\u00e7o de Rede de Destino",
+"label.destipprefixlen": "Comprimento do Prefixo de Destino",
+"label.destnetwork": "Rede de Destino",
+"label.destnetworkuuid": "Rede",
+"label.destport": "Portas de Destino",
 "label.destroy": "Apagar",
 "label.destroy.router": "Destruir roteador",
+"label.destroy.sharedfs": "Destruir Sistema de Arquivos Compartilhado",
+"label.destroying": "Destruindo",
+"label.destroyed": "Destru\u00eddo",
+"label.deststartport": "Porta Inicial de Destino",
+"label.desttaguuid": "Tag de Destino",
 "label.details": "Detalhes",
 "label.deviceid": "ID do dispositivo",
 "label.devices": "Dispositivos",
@@ -547,16 +812,21 @@
 "label.direct.attached.public.ip": "IP p\u00fablico conectado diretamente",
 "label.direct.ips": "IPs diretos",
 "label.directdownload": "Download direto",
+"label.direction": "Dire\u00e7\u00e3o",
+"label.disable.autoscale.vmgroup": "Desativar grupo de auto escalonamento horizontal",
 "label.disable.host": "Desabilitar host",
 "label.disable.network.offering": "Desabilitar oferta de rede",
 "label.disable.provider": "Desabilitar provedor",
 "label.disable.storage": "Desabilitar pool de armazenamento",
 "label.disable.vpc.offering": "Desabilitar oferta VPC",
 "label.disable.vpn": "Desabilitar VPN",
+"label.disable.webhook": "Desativar Webhook",
 "label.disabled": "Desativado",
 "label.disconnected": "\u00daltima desconex\u00e3o",
 "label.disk": "Disco",
 "label.disk.offerings": "Ofertas de disco",
+"label.disk.path": "Caminho do Disco",
+"label.disk.tooltip": "Nome do arquivo de Imagem de Disco no Pool de Armazenamento selecionado",
 "label.disk.selection": "Sele\u00e7\u00e3o de disco",
 "label.disk.size": "Tamanho do disco",
 "label.disk.usage.info": "Informa\u00e7\u00f5es sobre o uso de disco",
@@ -581,6 +851,7 @@
 "label.disksize": "Tamanho (em GB)",
 "label.disksizeallocated": "Disco alocado",
 "label.disksizeallocatedgb": "Alocado",
+"label.disksizefree": "Disco livre",
 "label.disksizetotal": "Disco total",
 "label.disksizetotalgb": "Total",
 "label.disksizeunallocatedgb": "N\u00e3o alocado",
@@ -602,27 +873,47 @@
 "label.domainid": "ID do dom\u00ednio",
 "label.domainname": "Dom\u00ednio",
 "label.domainpath": "Dom\u00ednio",
+"label.domainrouter": "Roteador Virtual",
 "label.domains": "Dom\u00ednios",
 "label.done": "Pronto",
+"label.down": "Baixo",
 "label.download": "Download",
+"label.download.csv": "Baixar CSV",
 "label.download.kubeconfig.cluster": "Baixar kubeconfig para o cluster <br><br> A ferramenta de linha de comando <code><b>kubectl</b></code> usa os arquivos kubeconfig para encontrar informa\u00e7\u00f5es necess\u00e1rias para escolher o cluster e se comunicar com o servidor da API do cluster.",
 "label.download.kubectl": "Baixar a ferramenta <code><b>kubectl</b></code> para a vers\u00e3o Kubernetes do cluster",
 "label.download.kubernetes.cluster.config": "Baixar a configura\u00e7\u00e3o do cluster Kubernetes",
 "label.download.percent": "Porcentagem do download",
+"label.download.setting": "Baixar configura\u00e7\u00e3o",
 "label.download.state": "Estado do download",
 "label.dpd": "Detec\u00e7\u00e3o de correspondente morto",
 "label.driver": "Driver",
+"label.drs": "DRS",
+"label.drsimbalance": "Desequil\u00edbrio DRS",
+"label.drs.generate.plan": "Gerar plano DRS",
+"label.drs.no.plan.generated": "Nenhum plano DRS foi gerado pois o cluster n\u00e3o est\u00e1 desequilibrado",
+"label.drs.plan": "Plano DRS",
+"label.duration": "Dura\u00e7\u00e3o (em segundos)",
 "label.duration.custom": "Personalizado",
 "label.duration.1hour": "1 hora",
 "label.duration.6hours": "6 horas",
 "label.duration.12hours": "12 horas",
 "label.duration.24hours": "24 horas",
 "label.duration.7days": "7 dias",
+"label.dynamic": "Din\u00e2mico",
 "label.dynamicscalingenabled": "Escalonamento din\u00e2mico habilitado",
 "label.dynamicscalingenabled.tooltip": "VM s\u00f3 pode ser dinamicamente escalonada quando o escalonamento din\u00e2mico estiver habilitado no template, oferta de computa\u00e7\u00e3o e nas configura\u00e7\u00e3oes globais",
+"label.diskofferingstrictness": "Rigor da oferta de disco",
+"label.disksizestrictness": "Rigor do tamanho do disco",
+"label.edge": "Borda",
+"label.edge.zone": "Zona de Borda",
+"label.enable.autoscale.vmgroup": "Ativar Grupo de AutoScaleAutoScaleAutoScale",
 "label.edit": "Editar",
 "label.edit.acl": "Editar lista ACL",
+"label.edit.account": "Editar conta",
+"label.edit.acl.list": "Editar lista ACL",
 "label.edit.acl.rule": "Editar regra ACL",
+"label.edit.autoscale.vmprofile": "Editar Perfil de Inst\u00e2ncia de AutoScale",
+"label.edit.nic": "Editar NIC",
 "label.edit.project.details": "Editar detalhes do projeto",
 "label.edit.project.role": "Editar fun\u00e7\u00e3o do projeto",
 "label.edit.role": "Editar fun\u00e7\u00e3o",
@@ -639,11 +930,18 @@
 "label.email": "Email",
 "label.enable.host": "Habilita host",
 "label.enable.network.offering": "Habilita oferta de rede",
+"label.enable.oauth": "Ativar Login OAuth",
 "label.enable.provider": "Habilitar provedor",
 "label.enable.storage": "Habilitar pool de armazenamento",
 "label.enable.vpc.offering": "Habilitar oferta VPC",
 "label.enable.vpn": "Habilitar VPN",
+"label.enable.webhook": "Ativar Webhook",
+"label.enabled": "Ativado",
+"label.encrypt": "Criptografar",
+"label.encryption": "Criptografia",
+"label.encryptroot": "Criptografar Disco ROOT",
 "label.end": "Fim",
+"label.endasn": "Fim Como N\u00famero",
 "label.end.date": "Data de término",
 "label.end.date.and.time": "Data e hor\u00e1rio final",
 "label.end.ip": "IP final",
@@ -655,7 +953,11 @@
 "label.endipv6": "IP final IPv6",
 "label.endpoint": "Ponto de acesso",
 "label.endport": "Porta final",
+"label.enter.code": "Insira o c\u00f3digo 2FA para verificar",
+"label.enter.static.pin": "Insira o PIN est\u00e1tico para verificar",
 "label.enter.token": "Digite o token",
+"label.entityid": "Entidade",
+"label.entitytype": "Tipo de Entidade",
 "label.error": "Erro",
 "label.error.caught": "Erro detectado",
 "label.error.code": "C\u00f3digo de erro",
@@ -665,10 +967,14 @@
 "label.error.setting": "Erro de configura\u00e7\u00e3o",
 "label.error.something.went.wrong.please.correct.the.following": "Alguma coisa est\u00e1 errada; por favor corrija abaixo",
 "label.error.upper": "ERRO",
+"label.errorinmaintenance": "Erro na manuten\u00e7\u00e3o",
 "label.espencryption": "Encripta\u00e7\u00e3o ESP",
 "label.esphash": "Hash ESP",
 "label.esplifetime": "Tempo de vida do ESP (segundos)",
 "label.esppolicy": "Pol\u00edtica ESP",
+"label.estimatedcost": "Custo estimado",
+"label.eventid": "Evento",
+"label.eventtype": "Tipo de evento",
 "label.esx.host": "ESX/ESXi host",
 "label.event": "Eventos",
 "label.event.archived": "Evento arquivado",
@@ -678,10 +984,21 @@
 "label.every": "Cada",
 "label.example": "Exemplo",
 "label.example.plugin": "PluginDeExemplo",
+"label.execute": "Executar",
+"label.existing": "Existente",
 "label.expunge": "Eliminar",
+"label.export.data.csv": "Exportar dados como CSV",
+"label.export.details.csv": "Exportar detalhes como CSV",
+"label.export.resources.csv": "Exportar recursos como CSV",
+"label.export.rules": "Exportar Regras",
+"label.expunge.sharedfs": "Expurgar Sistema de Arquivos Compartilhado",
+"label.expungevmgraceperiod": "Per\u00edodo de car\u00eancia para expurgar Inst\u00e2ncia (em seg)",
 "label.expunged": "Eliminado",
 "label.expunging": "Eliminando",
+"label.ext.hostname.tooltip": "Nome do Host Externo ou Endere\u00e7o IP",
 "label.external.link": "Link externo",
+"label.external": "Externo",
+"label.external.managed": "Gerenciado Externamente",
 "label.externalid": "ID externo",
 "label.externalloadbalanceripaddress": "Endere\u00e7o externo do balanceador de carga",
 "label.extra": "Argumentos extras",
@@ -689,25 +1006,43 @@
 "label.f5.ip.loadbalancer": "Balanceador de carga F5 Big Ip",
 "label.failed": "Falhou",
 "label.featured": "Em destaque",
+"label.fetch.from.backup": "Buscar do backup",
+"label.fetch.instances": "Buscar Inst\u00e2ncias",
 "label.fetch.latest": "Atualizar",
+"label.fetched": "Buscado",
+"label.filename": "Nome do Arquivo",
 "label.files": "Alterar arquivos a serem recuperados",
+"label.filesystem": "Sistema de Arquivos",
 "label.filter": "Filtro",
 "label.filter.annotations.self": "Criado por mim",
 "label.filter.annotations.all": "Todos os coment\u00e1rios",
 "label.filterby": "Filtrar por",
 "label.fingerprint": "Impress\u00e3o digital",
+"label.finish": "Finalizar",
 "label.firewall": "Firewall",
+"label.firewall.policy": "Pol\u00edtica de Firewall",
+"label.firewallpolicy": "Pol\u00edtica de Firewall",
 "label.firewallrule": "Regra de firewall",
+"label.firewallruleuuid": "Regra de Firewall",
 "label.firstname": "Primeiro nome",
+"label.firstname.lower": "primeiro nome",
 "label.fix.errors": "Corrija os erros",
 "label.fixed": "Fixa",
 "label.for": "para",
 "label.forbidden": "Proibido",
+"label.force.ms.to.import.vm.files": "For\u00e7ar MS a importar arquivo(s) da VM para armazenamento tempor\u00e1rio",
+"label.force.reboot": "For\u00e7ar reinicializa\u00e7\u00e3o",
+"label.force.stop": "For\u00e7ar parada",
 "label.forced": "For\u00e7ar",
 "label.forceencap": "For\u00e7ar encapsulamento UDP de pacotes ESP",
 "label.forgedtransmits": "Transmiss\u00f5es forjadas",
+"label.forgot.password": "Esqueceu a senha?",
+"label.fornsx": "NSX",
+"label.forvpc": "VPC",
+"label.fsprovidername": "Provedor de Sistema de Arquivos Compartilhado",
 "label.format": "Formato",
 "label.free": "Livre",
+"label.french.azerty.keyboard": "Teclado franc\u00eas AZERTY",
 "label.friday": "Sexta-feira",
 "label.from": "de",
 "label.from.lb": "de LB",
@@ -716,6 +1051,7 @@
 "label.fwdeviceid": "ID",
 "label.fwdevicestate": "Estado",
 "label.gateway": "Gateway",
+"label.global": "Global",
 "label.global.settings": "Configura\u00e7\u00f5es globais",
 "label.globo.dns": "GloboDNS",
 "label.globo.dns.configuration": "Configurar GloboDNS",
@@ -740,8 +1076,11 @@
 "label.guest.ip.range": "Intervalo da rede guest",
 "label.guest.netmask": "M\u00e1scara da rede guest",
 "label.guest.networks": "Redes guest",
+"label.guest.os": "SO Convidado",
+"label.guest.os.hypervisor.mappings": "Mapeamentos de SO convidado",
 "label.guest.start.ip": "IP de in\u00edcio do guest",
 "label.guest.traffic": "Tr\u00e1fego da redes guest",
+"label.guest.vlan": "VLAN Guest",
 "label.guestcidraddress": "CIDR da rede guest",
 "label.guestendip": "IP do fim do guest",
 "label.guestgateway": "Gateway da rede guest",
@@ -761,11 +1100,15 @@
 "label.haenable": "HA ativado",
 "label.haprovider": "Provedor HA",
 "label.hardware": "Hardware",
+"label.hasrules":"Regras de FW definidas",
 "label.hastate": "Estado do HA",
 "label.header.backup.schedule": "Voc\u00ea pode definir cronogramas de backup recorrentes selecionando dentre as op\u00e7\u00f5es dispon\u00edveis abaixo e aplicando suas pol\u00edticas preferenciais",
 "label.header.volume.snapshot": "Voc\u00ea pode configurar snapshots recorrentes selecionando as op\u00e7\u00f5es dispon\u00edveis abaixo e aplicando suas pol\u00edticas preferenciais",
 "label.header.volume.take.snapshot": "Por favor confirme que voc\u00ea deseja criar uma snapshot para este volume.",
+"label.headers": "Cabe\u00e7alhos",
 "label.health.check": "Checagem de sa\u00fade",
+"label.heapmemoryused": "Mem\u00f3ria heap usada",
+"label.heapmemorytotal": "Mem\u00f3ria heap dispon\u00edvel",
 "label.help": "Ajuda",
 "label.hideipaddressusage": "Ocultar uso do endere\u00e7o IP",
 "label.home": "In\u00edcio",
@@ -773,11 +1116,19 @@
 "label.host.alerts": "Hosts em estado de alerta",
 "label.host.name": "Nome do host",
 "label.host.tag": "Tag de host",
+"label.hostcontrolstate": "Status do Recurso de Computa\u00e7\u00e3o",
 "label.hostid": "Host",
 "label.hostname": "Host",
+"label.hostname.tooltip": "Host de Destino. O volume deve estar localizado no armazenamento local deste Host",
 "label.hostnamelabel": "Nome do host",
 "label.hosts": "Hosts",
 "label.hosttags": "Tags de host",
+"label.hosttags.explicit": "Tags de Host definidas pela API",
+"label.hosttags.explicit.abbr": "definido pela api",
+"label.hosttags.explicit.description": "As tags de host definidas pelas APIs do CloudStack",
+"label.hosttags.implicit": "Tags de Host definidas pelo Agente",
+"label.hosttags.implicit.abbr": "definido pelo agente",
+"label.hosttags.implicit.description": "As tags de host definidas pelo Agente CloudStack",
 "label.hourly": "A cada hora",
 "label.hypervisor": "Virtualizador",
 "label.hypervisor.capabilities": "Recursos do virtualizador",
@@ -802,22 +1153,31 @@
 "label.ikepolicy": "Pol\u00edtica IKE",
 "label.ikeversion": "Vers\u00e3o do IKE",
 "label.images": "Imagens",
+"label.imagestoreid": "Armazenamento Secun\u00e1rio",
 "label.import.backup.offering": "Importar oferta de backup",
 "label.import.instance": "Importar inst\u00e2ncia",
 "label.import.offering": "Importar oferta",
 "label.import.role": "Importar fun\u00e7\u00e3o",
+"label.import.volume": "Importar Volume",
+"label.inactive": "Inativo",
 "label.in.progress": "em progresso",
 "label.in.progress.for": "em progresso para",
 "label.info": "Info",
 "label.info.upper": "INFO",
 "label.infrastructure": "Infraestrutura",
+"label.ingest.instance": "Ingerir Inst\u00e2ncia",
 "label.ingress": "Entrada",
 "label.ingress.rule": "Regra de entrada",
+"label.initial": "Inicial",
+"label.initialized": "Inicializado",
+"label.interface.route.table": "Tabela de Rotas de Interface",
+"label.interface.router.table": "Tabela de Rotas de Interface",
 "label.insideportprofile": "Perfil de porta interna",
 "label.installwizard.addzoneintro.title": "Vamos adicionar uma zona",
 "label.installwizard.subtitle": "Este tour vai auxiliar voc\u00ea na configura\u00e7\u00e3o da sua instala\u00e7\u00e3o do CloudStack&#8482",
 "label.installwizard.title": "Ol\u00e1, seja bem vindo ao CloudStack&#8482",
 "label.instance": "Inst\u00e2ncia",
+"label.instance.conversion.support": "Convers\u00e3o de Inst\u00e2ncia Suportada",
 "label.instance.groups": "Grupos de inst\u00e2ncia",
 "label.instance.name": "Nome da inst\u00e2ncia",
 "label.instancename": "Nome interno",
@@ -833,35 +1193,61 @@
 "label.internallb.name.description": "Nome \u00fanico para o LB interno",
 "label.internallb.sourceip.description": "Descri\u00e7\u00e3o do LB interno",
 "label.internallbvm": "LbVm interno",
+"label.internetprotocol": "Protocolo de internet",
+"label.invalid.number": "N\u00famero inv\u00e1lido",
+"label.iodriverpolicy" : "Pol\u00edtica de driver de IO",
+"label.iodriverpolicy.tooltip" : "A pol\u00edtica de driver de IO pode ser nativa, io_uring ou threads. Escolher a pol\u00edtica de IO para uma Inst\u00e2ncia substituir\u00e1 a op\u00e7\u00e3o do pool de armazenamento 'kvm.storage.pool.io.policy' se definida (apenas se iothreads estiver ativado)",
+"label.iops": "IOPS",
+"label.iothreadsenabled" : "IOThreads",
+"label.iothreadsenabled.tooltip" : "Ativar aloca\u00e7\u00e3o de iothreads para hypervisor KVM",
 "label.interval": "Intervalo de verifica\u00e7\u00e3o (em seg)",
 "label.intervaltype": "Tipo de intervalo",
 "label.introduction.to.cloudstack": "Introdu\u00e7\u00e3o ao CloudStack&#8482",
 "label.invitations": "Convites",
 "label.invite": "Convidar",
 "label.ip": "IP",
+"label.ip.addresses": "Endere\u00e7os IP",
+"label.ip.range.type": "Tipo de intervalo de IP",
 "label.ip.range": "Intervalo de IP",
 "label.ip.ranges": "Intervalos de IP",
+"label.ip.v4": "IPv4",
+"label.ip.v4.v6": "IPv4 + IPv6 (Pilha Dupla)",
+"label.ip.v6": "IPv6",
+"label.ip.v6.firewall": "Firewall IPv6",
 "label.ip4gateway": "Gateway IPV4",
 "label.ip4netmask": "M\u00e1scara de rede IPv4",
+"label.ip4routes": "Rotas IPv6",
+"label.ip4routing": "Roteamento IPv4",
 "label.ip6address": "Endere\u00e7o IPv6",
 "label.ip6cidr": "CIDR IPv6",
 "label.ip6dns1": "IPv6 DNS1",
 "label.ip6dns2": "IPv6 DNS2",
 "label.ip6gateway": "Gateway IPv6",
+"label.ip6firewall": "Firewall IPv6",
+"label.ip6routes": "Rotas IPv6",
+"label.ip6routing": "Roteamento IPv6",
+"label.ipv6.subnets": "Sub-redes IPv6",
 "label.ipaddress": "Endere\u00e7o IP",
 "label.iplimit": "Limites de IP p\u00fablico",
+"label.ipprefix": "Prefixo IP",
+"label.ipprefixlen": "Comprimento do Prefixo IP",
 "label.ips": "IPs",
 "label.ipsecpsk": "Chave IPSec pr\u00e9 compartilhada",
 "label.iptotal": "Total de endere\u00e7os IPs",
 "label.ipv4.cidr": "CIDR IPv4",
 "label.ipv4.dns1": "IPv4 DNS1",
 "label.ipv4.dns2": "IPv4 DNS2",
+"label.ipv4.subnet.set.reservation.desc": "(opcional) Por favor, especifique um dom\u00ednio ou uma Conta para ser associada a esta sub-rede IPv4",
+"label.ipv4.subnets": "Sub-redes IPv4",
 "label.ipv6.dns1": "IPv6 DNS1",
 "label.ipv6.dns2": "IPv6 DNS2",
 "label.iqn": "Alvo IQN",
+"label.is.base64.encoded": "Codificado em Base64",
 "label.is.in.progress": "est\u00e1 em progresso",
 "label.is.shared": "\u00c9 compartilhado",
+"label.is2faenabled": "2FA est\u00e1 ativado",
 "label.isadvanced": "Mostra ajustes avan\u00e7ados",
+"label.isallocated": "Alocado",
 "label.iscsi": "iSCSI",
 "label.iscustomized": "Tamanho customizado",
 "label.iscustomizeddiskiops": "IOPS personalizado",
@@ -869,6 +1255,8 @@
 "label.isdedicated": "Dedicado",
 "label.isdefault": "\u00c9\u0089 padr\u00e3o",
 "label.isdynamicallyscalable": "Dinamicamente escal\u00e1vel",
+"label.isencrypted": "Criptografado",
+"label.isuserdefined": "Definido pelo us\u00e1rio",
 "label.istagarule": "Tag como regra JS",
 "label.isextractable": "Extra\u00edvel",
 "label.isfeatured": "Em destaque",
@@ -902,13 +1290,20 @@
 "label.items": "itens",
 "label.items.selected": "item(ns) selecionados",
 "label.japanese.keyboard": "Teclado japon\u00eas",
+"label.javadistribution": "Distribui\u00e7\u00e3o Java Runtime",
+"label.javaversion": "Vers\u00e3o Java Runtime",
+"label.jsonconfiguration": "Configura\u00e7\u00e3o JSON",
 "label.keep": "Manter",
+"label.kernelversion": "Vers\u00e3o do Kernel",
+"label.keep.mac.address.on.public.nic": "Utilizar o mesmo endere\u00e7o MAC para a NIC p\u00fablica dos VRs",
 "label.key": "Chave",
 "label.keyboard": "Linguagem do teclado",
 "label.keyboardtype": "Tipo de teclado",
 "label.keypair": "Par de chaves SSH",
+"label.keypairs": "Par(es) de chaves SSH",
 "label.kubeconfig.cluster": "Configura\u00e7\u00e3o do cluster Kubernetes",
 "label.kubernetes": "Kubernetes",
+"label.kubernetes.access.details": "Os n\u00f3s Kubernetes podem ser acessados via SSH usando: <br> <code><b> ssh -i [ssh_key] -p [port_number] cloud@[public_ip_address] </b></code> <br><br> onde, <br> <code><b>ssh_key:</b></code> aponta para o arquivo de chave privada SSH correspondente \u00e0 chave que foi associada durante a cria\u00e7\u00e3o do cluster Kubernetes. Se nenhuma chave SSH foi fornecida durante a cria\u00e7\u00e3o do cluster, use a chave privada SSH do Management Server. <br> <code><b>port_number:</b></code> pode ser obtido na Aba de Encaminhamento de Porta (coluna Porta P\u00fablica)",
 "label.kubernetes.cluster": "Cluster Kubernetes",
 "label.kubernetes.cluster.create": "Criar cluster Kubernetes",
 "label.kubernetes.cluster.delete": "Remover cluster Kubernetes",
@@ -917,6 +1312,8 @@
 "label.kubernetes.cluster.stop": "Parar cluster Kubernetes",
 "label.kubernetes.cluster.upgrade": "Atualizar cluster Kubernetes",
 "label.kubernetes.dashboard": "Dashboard da UI do Kubernetes",
+"label.kubernetes.dashboard.create.token": "Criar token para dashboard Kubernetes",
+"label.kubernetes.dashboard.create.token.desc": "Desde o Kubernetes v1.24.0, n\u00e3o h\u00e1 gera\u00e7\u00e3o autom\u00e1tica de token de conta de servi\u00e7o baseado em segredo por motivo de seguran\u00e7a. Voc\u00ea precisa criar uma conta de servi\u00e7o e um Token Bearer opcional de longa dura\u00e7\u00e3o para a conta de servi\u00e7o",
 "label.kubernetes.isos": "ISOs Kubernetes",
 "label.kubernetes.service": "Servi\u00e7o Kubernetes",
 "label.kubernetes.version.add": "Adicionar vers\u00e3o do Kubernetes",
@@ -924,6 +1321,7 @@
 "label.kubernetes.version.update": "Gerenciar vers\u00e3o do Kubernetes",
 "label.kubernetesversionid": "Vers\u00e3o do Kubernetes",
 "label.kubernetesversionname": "Vers\u00e3o do Kubernetes",
+"label.kvm": "KVM",
 "label.kvmnetworklabel": "Etiqueta de tr\u00e1fego KVM",
 "label.l2": "L2",
 "label.l2gatewayserviceuuid": "UUID do servi\u00e7o de gateway L2",
@@ -931,11 +1329,18 @@
 "label.label": "Etiqueta",
 "label.last.updated": "\u00daltima atualiza\u00e7\u00e3o",
 "label.lastannotated": "Data da \u00faltima anota\u00e7\u00e3o",
+"label.lastboottime": "Hora de inicializa\u00e7\u00e3o da m\u00e1quina do Management Server",
+"label.lastheartbeat": "\u00daltimo heartbeat",
 "label.lastname": "Sobrenome",
 "label.lastname.lower": "sobrenome",
+"label.lastserverstart": "\u00daltima vez que o Management Server foi inicializado",
+"label.lastserverstop": "Hora da \u00faltima parada para este Management Server",
+"label.lastsuccessfuljob": "\u00daltimo job bem-sucedido",
 "label.launch": "Executar",
 "label.launch.vm": "Executar VM",
 "label.launch.vm.and.stay": "Iniciar VM e permanecer na p\u00e1gina",
+"label.launch.vnf.appliance": "Lan\u00e7ar appliance VNF",
+"label.launch.vnf.appliance.and.stay": "Lan\u00e7ar appliance VNF & permanecer nesta p\u00e1gina",
 "label.launch.zone": "Executar zona.",
 "label.lb.algorithm.leastconn": "Conex\u00f5es m\u00ednimas",
 "label.lb.algorithm.roundrobin": "Round-robin",
@@ -946,6 +1351,8 @@
 "label.lbdevicededicated": "Dedicado",
 "label.lbdeviceid": "ID",
 "label.lbdevicestate": "Estado",
+"label.lbprovider": "Provedor de balanceador de carga",
+"label.lbruleid": "ID do Balanceador de carga",
 "label.lbtype": "Tipo de balanceamento de carga",
 "label.ldap.configuration": "Configura\u00e7\u00e3o do LDAP",
 "label.ldap.group.name": "Grupo LDAP",
@@ -954,6 +1361,8 @@
 "label.limit": "Limitar",
 "label.limitcpuuse": "Limite da CPU",
 "label.limits": "Configurar limites",
+"label.limits.configure": "Configurar limites",
+"label.link": "Link",
 "label.link.domain.to.ldap": "Link dom\u00ednio para LDAP",
 "label.linklocalip": "Endere\u00e7o IP do Control",
 "label.linux": "Linux",
@@ -962,6 +1371,8 @@
 "label.list.nodes": "Listar nodos",
 "label.list.pods": "Listar pods",
 "label.list.services": "Listar servi\u00e7os",
+"label.list.vmware.vcenter.vms": "Listar Inst\u00e2ncias VMware",
+"label.livepatch": "Aplicar patch ao vivo no(s) roteador(es) da Rede",
 "label.load.balancer": "Balanceador de carga",
 "label.loadbalancerinstance": "VMs designadas",
 "label.loadbalancerrule": "Regra de balanceamento de carga",
@@ -973,18 +1384,23 @@
 "label.local.storage.enabled.system.vms": "Habilitar armazenamento local para VMs de sistema",
 "label.localstorageenabled": "Habilitar armazenamento local para VMs de usu\u00e1rios",
 "label.localstorageenabledforsystemvm": "Habilitar armazenamento local para VMs de sistema",
+"label.locked": "Bloqueado",
 "label.login": "Entrar",
+"label.loginfo": "Informa\u00e7\u00e3o do arquivo de log",
 "label.login.portal": "Entrar no portal",
 "label.login.single.signon": "Single Sign-On",
 "label.logout": "Sair",
 "label.lun": "LUN",
 "label.lun.number": "LUN #",
+"label.lxc": "LXC",
 "label.lxcnetworklabel": "R\u00f3tulo de tr\u00e1fego LXC",
 "label.macaddress": "Endere\u00e7o MAC",
 "label.macaddress.example": "O endere\u00e7o MAC. Exemplo: 01:23:45:67:89:ab",
 "label.macaddresschanges": "Mudan\u00e7as no endere\u00e7o MAC",
 "label.maclearning": "MAC learning",
 "label.macos": "MacOS",
+"label.maintenance": "Manuten\u00e7\u00e3o",
+"label.majorsequence": "Sequ\u00eancia Maior",
 "label.make": "Tornar",
 "label.make.project.owner": "Criar propriet\u00e1rio de conta de projeto",
 "label.make.user.project.owner": "Tornar usu\u00e1rio dono do projeto",
@@ -992,16 +1408,28 @@
 "label.manage": "Gerenciar",
 "label.manage.vpn.user": "Gerenciar usu\u00e1rios da VPN",
 "label.managed.instances": "Inst\u00e2ncias gerenciadas",
+"label.managed.volumes": "Volumes Gerenciados",
+"label.managementserverid": "Management Server",
+"label.managementservername": "Management Server",
 "label.managedstate": "Estados gerenciados",
 "label.management": "Gerenciamento",
 "label.management.ips": "Gerenciamento de endere\u00e7os IP",
-"label.management.server": "Servidor de gerenciamento",
+"label.management.server": "Management Server",
 "label.management.servers": "Servidores de ger\u00eancia",
 "label.managementservers": "N\u00famero de servidores de ger\u00eancia",
+"label.matchall": "Corresponder a todos",
+"label.max": "M\u00e1x.",
+"label.max.migrations": "M\u00e1x. de migra\u00e7\u00f5es",
+"label.maxbackup": "M\u00e1x. de Backups",
+"label.maxbackupstorage": "M\u00e1x. de Armazenamento de Backup (GiB)",
+"label.maxbackups.to.retain": "M\u00e1x. de Backups para manter",
+"label.maxbucket": "M\u00e1x. de Buckets",
+"label.maxmembers": "M\u00e1x de membros",
+"label.maxbackups": "Backups M\u00e1x.",
 "label.max.primary.storage": "M\u00e1x. de armazenamento prim\u00e1rio (GiB)",
 "label.max.secondary.storage": "M\u00e1x. de armazenamento secund\u00e1rio (GiB)",
-"label.maxcpu": "N\u00famerom\u00e1ximo de cores de CPU",
-"label.maxcpunumber": "N\u00famerom\u00e1ximo de cores de CPU",
+"label.maxcpu": "N\u00famero m\u00e1ximo de cores de CPU",
+"label.maxcpunumber": "N\u00famero m\u00e1ximo de n\u00facleos  de CPU",
 "label.maxdatavolumeslimit": "Limite m\u00e1ximo de volume de dados",
 "label.maxerrorretry": "Limite de tentativas de recupera\u00e7\u00e3o de erro",
 "label.maxguestslimit": "Limite m\u00e1x. de guest",
@@ -1009,8 +1437,9 @@
 "label.maximum": "M\u00e1ximo",
 "label.maxinstance": "Inst\u00e2ncias m\u00e1x",
 "label.maxiops": "M\u00e1x IOPS",
-"label.maxmemory": "M\u00e1x. de mem\u00f3ria (MiB)",
+"label.maxmemory": "M\u00e1ximo de mem\u00f3ria (MiB)",
 "label.maxnetwork": "M\u00e1x. de redes",
+"label.maxobjectstorage": "M\u00e1x. de Object Storage (GiB)",
 "label.maxprimarystorage": "M\u00e1x. armazenamento prim\u00e1rio (GiB)",
 "label.maxproject": "Projetos m\u00e1x.",
 "label.maxpublicip": "M\u00e1x. IPs P\u00fablicos",
@@ -1025,6 +1454,7 @@
 "label.mb.memory": "MB de mem\u00f3ria",
 "label.memory": "Mem\u00f3ria (em MB)",
 "label.memory.free": "Mem\u00f3ria livre",
+"label.memory.maximum.mb": "Mem\u00f3ria m\u00e1x (em MB)",
 "label.memory.total": "Mem\u00f3ria total",
 "label.memory.usage.info": "Informa\u00e7\u00f5es sobre o uso de mem\u00f3ria",
 "label.memory.used": "Mem\u00f3ria usada",
@@ -1040,6 +1470,16 @@
 "label.memused": "Uso de mem\u00f3ria",
 "label.menu.security.groups": "Grupos de seguran\u00e7a",
 "label.menu.service.offerings": "Oferta de servi\u00e7os",
+"label.metadata": "Metadados",
+"label.metadata.description": "Metadados do Objeto",
+"label.metadata.upload.description": "Definir metadados para o objeto",
+"label.migrate.instance.single.storage": "Migrar todo(s) o(s) volume(s) da Inst\u00e2ncia para um \u00fanico armazenamento prim\u00e1rio",
+"label.migrate.instance.specific.storages": "Migrar volume(s) da Inst\u00e2ncia para armazenamentos prim\u00e1rios espec\u00edficos",
+"label.migrate.with.storage": "Migrar com armazenamento",
+"label.min_balance": "Saldo m\u00edn",
+"label.minimumsemanticversion": "Vers\u00e3o sem\u00e2ntica m\u00ednima",
+"label.minmembers": "M\u00edn membros",
+"label.minorsequence": "Sequ\u00eancia Menor",
 "label.metrics": "M\u00e9tricas",
 "label.migrate.allowed": "Migra\u00e7\u00e3o permitida",
 "label.migrate.data.from.image.store": "Migrar dados para o armazenamento de imagens",
@@ -1052,21 +1492,31 @@
 "label.migrating.data": "Migrando dados",
 "label.min.balance": "Saldo m\u00ednimo",
 "label.min.past.hour": "minutos passados da \u00faltima hora",
-"label.mincpunumber": "N\u00famero m\u00edn de n\u00facleos de CPU",
+"label.mincpunumber": "N\u00famero m\u00ednimo de n\u00facleos de CPU",
 "label.minimum": "M\u00ed\u00adnimo",
 "label.miniops": "M\u00edn IOPS",
 "label.minmaxiops": "M\u00edn IOPS /m\u00e1x IOPS",
-"label.minmemory": "M\u00edn mem\u00f3ria (em MB)",
+"label.minmemory": "M\u00ednimo de mem\u00f3ria (em MB)",
 "label.minsize": "Tamanho m\u00ednimo",
 "label.minute.past.hour": "minuto(s) passado(s) da \u00faltima hora",
+"label.mode": "Modo",
 "label.monday": "Segunda",
 "label.monitor": "Monitor",
+"label.monitor.expected.code": "C\u00f3digo de Status HTTP Esperado",
+"label.monitor.http.method": "M\u00e9todo HTTP",
+"label.monitor.interval": "Intervalo de verifica\u00e7\u00e3o de sa\u00fade (seg)",
+"label.monitor.retry": "Contagem de tentativas antes de marcar como inativo",
+"label.monitor.timeout": "Timeout (seg)",
+"label.monitor.type": "Tipo de Monitor",
+"label.monitor.url": "Caminho da URL",
 "label.monthly": "Mensal",
 "label.more.access.dashboard.ui": "Mais sobre como acessar a UI da Dashboard",
+"label.mount.sharedfs": "Montar Sistema de Arquivos Compartilhado via NFS",
 "label.move.down.row": "Mover uma c\u00e9lula para baixo",
 "label.move.to.bottom": "Mover para baixo",
 "label.move.to.top": "Mover para o topo",
 "label.move.up.row": "Mover uma c\u00e9lula para cima",
+"label.my.isos": "Minhas ISOs",
 "label.my.templates": "Meus templates",
 "label.na": "N/D",
 "label.name": "Nome",
@@ -1088,6 +1538,11 @@
 "label.network.name": "Nome da rede",
 "label.network.offering": "Oferta de rede",
 "label.network.offerings": "Oferta de rede",
+"label.network.permissions": "Permiss\u00f5es de rede",
+"label.network.policy": "Pol\u00edtica de Rede",
+"label.network.restart.required": "Reinicializa\u00e7\u00e3o de rede necess\u00e1ria",
+"label.network.route.table": "Tabela de roteamento de rede",
+"label.network.routing.policy": "Pol\u00edtica de roteamento de rede",
 "label.network.selection": "Sele\u00e7\u00e3o da rede",
 "label.network.service.providers": "Provedores de servi\u00e7os de rede",
 "label.network.usage.info": "Informa\u00e7\u00f5es sobre o uso de rede",
@@ -1097,6 +1552,7 @@
 "label.networkkbsread": "Leitura da rede",
 "label.networkkbswrite": "Escrita da rede",
 "label.networklimit": "Limites de rede",
+"label.networkmode": "Modo de Rede",
 "label.networkname": "Nome da rede",
 "label.networkofferingdisplaytext": "Oferta de rede",
 "label.networkofferingid": "Oferta de rede",
@@ -1108,26 +1564,35 @@
 "label.networktype": "Tipo de rede",
 "label.networkwrite": "Escrita da rede",
 "label.new": "Novo",
+"label.new.autoscale.vmgroup": "Novo Grupo de AutoScale",
 "label.new.instance.group": "Novo grupo de inst\u00e2ncia",
 "label.new.password": "Nova senha",
 "label.new.project": "Novo projeto",
 "label.new.secondaryip.description": "Insira um novo endere\u00e7o IP secund\u00e1rio",
 "label.new.tag": "Nova etiqueta",
+"label.new.version.available": "Nova vers\u00e3o dispon\u00edvel",
 "label.new.vm": "Nova VM",
 "label.newdiskoffering": "Nova oferta",
 "label.newinstance": "Nova inst\u00e2ncia",
 "label.newname": "Novo nome",
 "label.next": "Pr\u00f3ximo",
 "label.nfs": "NFS",
+"label.nfsmountopts": "Op\u00e7\u00f5es de montagem NFS",
 "label.nfsserver": "Servidor NFS",
 "label.nic": "NIC",
 "label.nicadaptertype": "Tipo de adaptador de rede",
+"label.nicmultiqueuenumber" : "N\u00famero de multiqueues da NIC",
+"label.nicmultiqueuenumber.tooltip" : "N\u00famero de multiqueues da NIC. Apenas suportado para KVM. O valor \"-1\" indica que o n\u00famero de multiqueues da NIC ser\u00e1 definido como o n\u00famero de vCPUs da Inst\u00e2ncia.",
+"label.nicpackedvirtqueuesenabled" : "Virtqueues empacotadas da NIC ativadas",
+"label.nicpackedvirtqueuesenabled.tooltip" : "Ativar ou n\u00e3o virtqueues empacotadas da NIC. Apenas suportado para KVM com QEMU >= 4.2.0 e Libvirt >=6.3.0.",
 "label.nics": "Adaptadores de rede",
 "label.no": "N\u00e3o",
 "label.no.data": "Sem dados para mostrar",
 "label.no.errors": "Sem erros recentes",
 "label.no.items": "Sem itens dispon\u00edveis",
 "label.no.matching.offering": "Nenhuma oferta correspondente encontrada",
+"label.no.matching.network": "Nenhuma Rede correspondente encontrada",
+"label.no.usage.records": "Nenhum registro de uso encontrado",
 "label.noderootdisksize": "Tamanho do disco ra\u00edz do nodo (em GB)",
 "label.nodiskcache": "Sem cache de disco",
 "label.none": "Nenhum",
@@ -1135,14 +1600,38 @@
 "label.not.found": "N\u00e3o encontrado",
 "label.not.suitable": "N\u00e3o apropriado",
 "label.notifications": "Notifica\u00e7\u00f5es",
+"label.nsx": "NSX",
+"label.nsx.provider": "Provedor NSX",
+"label.nsx.provider.edgecluster": "Cluster de borda do provedor NSX",
+"label.nsx.provider.hostname": "Hostname do provedor NSX",
+"label.nsx.provider.name": "Nome do provedor NSX",
+"label.nsx.provider.password": "Senha do provedor NSX",
+"label.nsx.provider.port": "Porta do provedor NSX",
+"label.nsx.provider.tier0gateway": "Gateway tier-0 do provedor NSX",
+"label.nsx.provider.transportzone": "Zona de transporte do provedor NSX",
+"label.nsx.provider.username": "Nome de usu\u00e1rio do provedor NSX",
+"label.nsx.supports.internal.lb": "Ativar servi\u00e7o de LB interno NSX",
+"label.nsx.supports.lb": "Ativar servi\u00e7o de LB NSX",
 "label.num.cpu.cores": "# de n\u00facleos da CPU",
 "label.number": "#Regra",
 "label.numretries": "N\u00famero de tentativas",
 "label.nvpdeviceid": "ID",
+"label.oauth.configuration": "Configura\u00e7\u00e3o OAuth",
+"label.oauth.verification": "Verifica\u00e7\u00e3o OAuth",
+"label.object.storage" : "Armazenamento de Objetos (Object Storage)",
+"label.object.presigned.url": "URL pr\u00e9-assinada",
+"label.object.presigned.url.description" : "URL pr\u00e9-assinada do objeto para acess\u00e1-lo sem autentica\u00e7\u00e3o.",
+"label.object.url.description" : "URL do objeto",
+"label.objectlocking": "Bloqueio de Objeto",
+"label.objectstoragelimit": "Limite de Armazenamento de Objetos (GiB)",
+"label.objectstore" : "Armazenamento de Objetos",
+"label.objectstore.search" : "Busca baseada em prefixo no diret\u00f3rio atual",
+"label.objectstorageid": "Pool de Armazenamento de Objetos",
 "label.ocfs2": "OCFS2",
 "label.of": "de(a)",
 "label.of.month": "do m\u00eas",
 "label.offerha": "Oferta HA",
+"label.offeringid": "ID da Oferta",
 "label.offeringtype": "Tipo da oferta de computa\u00e7\u00e3o",
 "label.ok": "OK",
 "label.only.end.date.and.time": "Apenas data e hor\u00e1rio final",
@@ -1154,9 +1643,20 @@
 "label.opendaylight.controllers": "Controladores OpenDaylight",
 "label.operation": "Opera\u00e7\u00e3o",
 "label.operation.status": "Estado da opera\u00e7\u00e3o",
+"label.operator.greater": "Maior que",
+"label.operator.greater.or.equal": "Maior ou igual a",
+"label.operator.less": "Menor que",
+"label.operator.less.or.equal": "Menor ou igual a",
+"label.operator.equal": "Igual a",
 "label.optional": "Opcional",
 "label.order": "Ordenar",
 "label.oscategoryid": "Prefer\u00eancia de SO",
+"label.oscategoryname": "Nome da categoria do SO",
+"label.osdisplayname": "Nome do SO",
+"label.osdistribution": "Distribui\u00e7\u00e3o do SO",
+"label.osmappingcheckenabled": "Verificar nome do SO com hypervisor",
+"label.osname": "Nome do SO",
+"label.osnameforhypervisor": "Nome de mapeamento do hypervisor",
 "label.ostypeid": "Tipo de SO",
 "label.ostypename": "Tipo de SO",
 "label.other": "Outro",
@@ -1170,9 +1670,11 @@
 "label.override.guest.traffic": "Sobrescrever tr\u00e1fego guest",
 "label.override.public.traffic": "Sobrescrever tr\u00e1fego p\u00fablico",
 "label.override.rootdisk.size": "Sobrescrever tamanho do disco ra\u00edz",
+"label.override.root.diskoffering": "Substituir oferta de disco root",
 "label.overrideguesttraffic": "Sobrescrever tr\u00e1fego guest",
 "label.overridepublictraffic": "Sobrescrever tr\u00e1fego p\u00fablico",
 "label.ovf.properties": "Propriedades vApp",
+"label.ovm3": "OVM3",
 "label.ovm3cluster": "Clustering nativo",
 "label.ovm3networklabel": "Label de trafego OVM3",
 "label.ovm3pool": "Pooling nativo",
@@ -1186,27 +1688,36 @@
 "label.page": "p\u00e1gina",
 "label.palo.alto.firewall": "Firewall Palo Alto",
 "label.palp": "Perfil de log Palo Alto",
+"label.param.name": "Nome do par\u00e2metro",
+"label.param.value": "Valor do par\u00e2metro",
 "label.params": "Par\u00e2metros",
 "label.parentdomainname": "Dom\u00ednio pai",
 "label.parentname": "Pai",
+"label.parentsubnet": "Sub-rede Pai",
 "label.passive": "Passivo",
 "label.password": "Senha",
+"label.password.default": "Senha Padr\u00e3o",
 "label.password.reset.confirm": "A senha foi recuperada para",
+"label.password.tooltip": "A senha para o Host",
 "label.passwordenabled": "Habilitar troca de senha",
 "label.path": "Caminho (Path)",
 "label.patp": "Perfil de amea\u00e7a Palo Alto",
 "label.pavr": "Roteador virtual",
 "label.payload": "Payload",
+"label.payloadurl": "URL de Payload",
 "label.pcidevice": "GPU",
+"label.pending.jobs": "Jobs pendentes",
 "label.per.account": "Por conta",
 "label.per.zone": "Por zona",
 "label.percentage": "Porcentagem",
+"label.performfreshchecks": "Executar novas verifica\u00e7\u00f5es",
 "label.perfectforwardsecrecy": "Perfect Forward secrecy",
 "label.perform.fresh.checks": "Realizar novas verifica\u00e7\u00f5es",
 "label.permission": "Permiss\u00e3o",
 "label.permissions": "permiss\u00e3o",
 "label.physical.network": "Rede f\u00edsica",
 "label.physicalnetworkid": "Rede f\u00edsica",
+"label.physicalnetworkname": "Nome da Rede F\u00edsica",
 "label.physicalsize": "Tamanho f\u00edsico",
 "label.ping.path": "Caminho do ping",
 "label.pkcs.private.certificate": "Certificado privado PKCS#8",
@@ -1220,6 +1731,8 @@
 "label.podid": "Pod",
 "label.podname": "Nome do pod",
 "label.pods": "Pods",
+"label.policy": "Pol\u00edtica",
+"label.policyuuid": "Pol\u00edtica de Rede",
 "label.port": "Porta",
 "label.port.range": "Intervalo de porta",
 "label.portforwarding": "Encaminhamento de porta",
@@ -1230,20 +1743,30 @@
 "label.powerflex.storage.pool": "Pool de armazenamento",
 "label.powerstate": "Estado de energia",
 "label.preferred": "Preferido",
+"label.prefix": "Prefixo",
+"label.prefix.type": "Tipo de Prefixo",
+"label.prepare.for.shutdown": "Preparar para Desligamento",
+"label.prepareformaintenance": "Preparar para Manuten\u00e7\u00e3o",
 "label.presetup": "PreSetup",
 "label.prev": "Anterior",
 "label.previous": "Anterior",
+"label.primera.url.tooltip": "URL designando o endpoint do array de armazenamento Primera, formatado como: http[s]://HOSTNAME:PORT?cpg=NAME&hostset=NAME[&skipTlsValidation=true][&snapCPG=NAME][&taskWaitTimeoutMs=#][&keyttl=#][&connectTimeoutMs=#] onde valores em [] s\u00e3o opcionais.",
+"label.primera.username.tooltip": "O nome de usu\u00e1rio com privil\u00e9gios de edi\u00e7\u00e3o",
+"label.flashArray.username.tooltip": "O nome de us\u00e1rio com privil\u00e9gios de edi\u00e7\u00e3o",
+"label.flashArray.url.tooltip": "URL designando o endpoint Flash Array, formatado como: http[s]://HOSTNAME:PORT?pod=NAME&hostgroup=NAME[&skipTlsValidation=true][&postCopyWaitMs=#][&keyttl=#][&connectTimeoutMs=#][&apiLoginVersion=#][&apiVersion=#] onde valores em [] s\u00e3o opcionais.",
 "label.primary": "Prim\u00e1rio",
 "label.primary.storage": "Armazenamento prim\u00e1rio",
 "label.primary.storage.allocated": "Armazenamento prim\u00e1rio alocado",
 "label.primary.storage.used": "Uso do armazenamento prim\u00e1rio",
 "label.primarystoragelimit": "Limites do armazenamento prim\u00e1rio (GiB)",
+"label.primarystoragetotal": "Armazenamento prim\u00e1rio",
 "label.private.gateway": "Gateway privado",
 "label.private.interface": "Interface privada",
 "label.private.registry": "Registro privado",
 "label.privateinterface": "Interface privada",
 "label.privateip": "Endere\u00e7o IP privado",
 "label.privatekey": "Chave privada PKCS#8",
+"label.privatemtu": "MTU da Interface Privada",
 "label.privatenetwork": "Rede privada",
 "label.privateport": "Porta privada",
 "label.profilename": "Perfil",
@@ -1278,15 +1801,22 @@
 "label.public.ips": "IPs P\u00fablicos",
 "label.public.lb": "LB p\u00fablico",
 "label.public.traffic": "Tr\u00e1fego p\u00fablico",
+"label.public.traffic.nsx": "Tr\u00e1fego P\u00fablico NSX",
+"label.publicipid": "ID do endere\u00e7o IP",
+"label.publicmtu": "MTU da Interface P\u00fablica",
 "label.publicinterface": "Interface p\u00fablica",
 "label.publicip": "Endere\u00e7o IP",
 "label.publickey": "Chave p\u00fablica",
 "label.publicnetwork": "Rede p\u00fablica",
 "label.publicport": "Porta p\u00fablica",
+"label.purge.usage.records.error": "Falha ao eliminar registros de uso",
+"label.purge.usage.records.success": "Registros de uso eliminados com sucesso",
+"label.purgeresources": "Limpar Recursos",
 "label.purpose": "Prop\u00f3sito",
 "label.qostype": "Tipo de QoS",
 "label.quickview": "Visualiza\u00e7\u00e3o r\u00e1pida",
 "label.quiescevm": "Quiesce VM",
+"label.quiettime": "Tempo em espera (em seg)",
 "label.quota": "Cota",
 "label.quota.add.credits": "Adicionar cr\u00e9ditos",
 "label.quota.configuration": "Configura\u00e7\u00e3o da cota",
@@ -1299,6 +1829,7 @@
 "label.quota.statement.tariff": "Tarifa",
 "label.quota.summary": "Relat\u00f3rios",
 "label.quotastate": "Estado da cota",
+"label.quota_enforce": "Impor Cota",
 "label.summary": "Sum\u00e1rio",
 "label.quota.tariff": "Tarifa",
 "label.quota.tariff.activationrule": "Regra de ativa\u00e7\u00e3o",
@@ -1308,15 +1839,24 @@
 "label.quota.total": "Total",
 "label.quota.type.name": "Tipo de uso",
 "label.quota.type.unit": "Unidade do uso",
+"label.action.update.object.storage" : "Atualizar Object Storage",
 "label.quota.usage": "Consumo da cota",
 "label.quota.validate.activation.rule": "Validar regra de ativa\u00e7\u00e3o",
 "label.quota.value": "Valor",
 "label.rados.monitor": "Monitor RADOS",
+"label.rados.monitor.description": "O(s) monitor(es) RADOS. Se houver v\u00e1rios monitores, eles s\u00e3o separados por v\u00edrgula. Por exemplo, \"192.168.0.1,192.168.0.2,192.168.0.3\", \"mon1, mon2, mon3\". Endere\u00e7os IPv6 devem incluir colchetes, por exemplo, \"[fc00:1234::1],[fc00:1234::2],[fc00:1234::3]\".",
 "label.rados.pool": "Pool do RADOS",
 "label.rados.secret": "Segredo RADOS",
 "label.rados.user": "Usu\u00e1rio RADOS",
 "label.ram": "RAM",
+"label.range.last.1month": "\u00daltimo 1 m\u00eas",
+"label.range.last.1week": "\u00daltima 1 semana",
+"label.range.last.2week": "\u00daltimas 2 semanas",
+"label.range.last.3month": "\u00daltimos 3 meses",
+"label.range.today": "Hoje",
+"label.range.yesterday": "Ontem",
 "label.raw.data": "Dados Brutos",
+"label.rawusage": "Uso bruto (em horas)",
 "label.rbd": "RDB",
 "label.rbdid": "Usu\u00e1rio Ceph",
 "label.rbdmonitor": "Monitor Ceph",
@@ -1328,8 +1868,14 @@
 "label.readonly": "Apenas leitura",
 "label.reason": "Motivo",
 "label.reboot": "Reiniciar",
+"label.recent.deliveries": "Entregas recentes",
+"label.recover.sharedfs": "Recuperar Sistema de Arquivos Compartilhado",
+"label.recovering": "Recuperando",
 "label.receivedbytes": "Bytes recebidos",
 "label.recover.vm": "Recuperar VM",
+"label.recursivedomains": "Dom\u00ednios recursivos",
+"label.redeliver": "Reentregar",
+"label.redirecturi": "URI de Redirecionamento",
 "label.redirect": "Clique para acessar:",
 "label.redundantrouter": "Roteador Redundante",
 "label.redundantrouterstate": "Estado redundante",
@@ -1337,40 +1883,61 @@
 "label.redundantvpcrouter": "VPC redundante",
 "label.refresh": "Atualizar",
 "label.region": "Regi\u00e3o",
+"label.register.api.key": "Registrar chave de API",
+"label.register.oauth": "Registrar OAuth",
+"label.register.user.data": "Registrar dados de usu\u00e1rio",
 "label.register.template": "Registrar template",
 "label.reinstall.vm": "Reinstalar VM",
 "label.reject": "Rejeitar",
 "label.related": "Relacionado",
+"label.relationaloperator": "Operador",
 "label.release": "Liberar",
 "label.release.account": "Liberar conta",
+"label.release.dedicated.bgp.peer": "Liberar par BGP dedicado",
 "label.release.dedicated.cluster": "Liberar cluster dedicado",
 "label.release.dedicated.host": "Liberar host dedicado",
+"label.release.dedicated.ipv4.subnet": "Liberar sub-rede IPv4 dedicada",
 "label.release.dedicated.pod": "LIberar pod dedicado",
 "label.release.dedicated.zone": "Liberar zona dedicada",
 "label.releasing.ip": "Liberando IP",
+"label.remote.instances": "Inst\u00e2ncias Remotas",
 "label.remove": "Remover",
 "label.remove.annotation": "Remover coment\u00e1rio",
+"label.remove.bgp.peer": "Remover par BGP",
 "label.remove.egress.rule": "Remover regra de sa\u00edda",
+"label.remove.gui.theme": "Remover tema da GUI",
+"label.remove.interface.route.table": "Remover tabela de rotas de interface Tungsten",
 "label.remove.ip.range": "Remover intervalo de IPs",
+"label.remove.ipv4.subnet": "Remover sub-rede IPv4",
 "label.remove.ldap": "Remover LDAP",
+"label.remove.logical.network": "Remover Rede do roteador l\u00f3gico",
+"label.remove.logical.router": "Remover roteador l\u00f3gico",
 "label.remove.network.offering": "Remover oferta de rede",
+"label.remove.network.route.table": "Remover tabela de roteamento de Rede Tungsten Fabric",
 "label.remove.pf": "Remover regra de redirecionamento de porta",
+"label.remove.policy": "Remover pol\u00edtica",
 "label.remove.project.account": "Remover conta de projeto",
 "label.remove.project.role": "Remover fun\u00e7\u00e3o do projeo",
 "label.remove.project.user": "Remover usu\u00e1rio do projeto",
+"label.remove.routing.policy": "Remover pol\u00edtica de roteamento Tungsten-Fabric",
+"label.remove.tungsten.tag": "Remover Tag",
+"label.remove.user.data": "Remover Userdata",
+"label.removed": "Removido",
+"label.removedaccounts": "Contas removidas",
 "label.remove.rule": "Remover regra",
 "label.remove.ssh.key.pair": "Remover par de chaves SSH",
 "label.remove.vm.from.lb": "Remover VM da regra de balanceamento de carga",
 "label.remove.vmware.datacenter": "Remover datacenter VMware",
 "label.remove.vpc": "Remover VPC",
 "label.remove.vpc.offering": "Remover oferta VPC",
-"label.removed": "Removido",
 "label.removing": "Removendo",
 "label.replace.acl": "Substituir ACL",
 "label.report.bug": "Reportar um problema",
+"label.request": "Solicita\u00e7\u00e3o",
 "label.required": "Obrigat\u00f3rio",
 "label.requireshvm": "HVM",
 "label.requiresupgrade": "Requer atualiza\u00e7\u00e3o",
+"label.reserved": "Reservado",
 "label.reserved.system.gateway": "Gateway de sistema reservado",
 "label.reserved.system.ip": "IP de sistema reservado",
 "label.reserved.system.netmask": "M\u00e1scara de rede reservada do sistema",
@@ -1380,8 +1947,11 @@
 "label.reservedsystemnetmask": "M\u00e1scara de rede reservada do sistema",
 "label.reservedsystemstartip": "In\u00edcio dos IPs reservados para o sistema",
 "label.reset": "Reiniciar",
+"label.reset.config.value": "Redefinir para valor padr\u00e3o",
 "label.reset.ssh.key.pair": "Recriar par de chaves SSH",
 "label.reset.to.default": "Reinicializar para o padr\u00e3o",
+"label.reset.userdata.on.autoscale.vm.group": "Redefinir Userdata no Grupo de VMs de AutoScale",
+"label.reset.userdata.on.vm": "Redefinir Userdata na Inst\u00e2ncia",
 "label.reset.vpn.connection": "Reiniciar a conex\u00e3o VPN",
 "label.resource": "Recurso",
 "label.resource.limit.exceeded": "Limite de recurso excedido",
@@ -1390,6 +1960,8 @@
 "label.resourcename": "Nome do recurso",
 "label.resources": "Recursos",
 "label.resourcestate": "Estado do recurso",
+"label.resourcetype": "Tipo de recurso",
+"label.response": "Resposta",
 "label.restart.network": "Reiniciar rede",
 "label.restart.vpc": "Reiniciar a VPC",
 "label.restartrequired": "Reiniciar obrigat\u00f3rio",
@@ -1397,12 +1969,18 @@
 "label.restore.volume.attach": "Restaurar volume e anex\u00e1-lo",
 "label.review": "Revisar",
 "label.role": "Fun\u00e7\u00e3o",
+"label.roleid": "Fun\u00e7\u00e3o",
 "label.rolename": "Fun\u00e7\u00e3o",
 "label.roles": "Fun\u00e7\u00f5es",
 "label.roletype": "Tipo de fun\u00e7\u00e3o",
 "label.rolepermissiontab.searchbar": "Pesquisa de regras",
 "label.root.certificate": "Certificado ra\u00edz",
 "label.root.disk.size": "Tamanho do disco ra\u00edz (GB)",
+"label.rootdiskcontrollertypekvm": "Controladora do disco ROOT",
+"label.rootdisksize": "Tamanho do disco ROOT (GB)",
+"label.routenexthop": "Pr\u00f3ximo salto da rota",
+"label.routenexthoptype": "Tipo do pr\u00f3ximo salto da rota",
+"label.routeprefix": "Prefixo da rota",
 "label.rootdisk": "Disco ra\u00edz",
 "label.rootdiskcontrollertype": "Controlador do disco ra\u00edz",
 "label.router.health.check.last.updated": "\u00daltima atualiza\u00e7\u00e3o",
@@ -1412,6 +1990,12 @@
 "label.routercount": "Total de roteadores virtuais",
 "label.routerip": "Endere\u00e7os IPv4 para o roteador dentro da rede compartilhada",
 "label.routeripv6": "Endere\u00e7os IPv6 para o roteador dentro da rede compartilhada",
+"label.router.source.nat.ip": "IP source NAT do roteador",
+"label.routing.firewall": "Firewall de Roteamento IPv4",
+"label.routing.policy": "Pol\u00edtica de roteamento",
+"label.routing.policy.terms": "Termos da pol\u00edtica de roteamento",
+"label.routing.policy.terms.then": "Termos da pol\u00edtica de roteamento ent\u00e3o",
+"label.routingmode": "Modo de roteamento",
 "label.resourcegroup": "Grupo de recurso",
 "label.rule": "Regra",
 "label.rule.number": "Regra n\u00famero",
@@ -1421,6 +2005,7 @@
 "label.rules.file.to.import": "Arquivo CSV com as defini\u00e7\u00f5es de regras para importar",
 "label.run.proxy.locally": "Rodar o proxy localmente",
 "label.running": "VMs rodando",
+"label.running.vms": "Inst\u00e2ncias em Execu\u00e7\u00e3o",
 "label.s2scustomergatewayid": "ID do gateway do cliente site a site",
 "label.s2svpngatewayid": "ID do gateway da VPN site a site",
 "label.s3.access.key": "Chave de acesso",
@@ -1441,9 +2026,17 @@
 "label.save": "Salvar",
 "label.save.new.rule": "Salvar nova regra",
 "label.scale.vm": "Escalar VM",
+"label.scaledown.policies": "Pol\u00edticas de ScaleDown",
+"label.scaledown.policy": "Pol\u00edtica de ScaleDown",
+"label.scaleup.policies": "Pol\u00edticas de ScaleUp",
+"label.scaleup.policy": "Pol\u00edtica de ScaleUp",
+"label.scaling": "Escalonamento",
+"label.schedule.add": "Adicionar agendamento",
+"label.schedules": "Agendamentos",
 "label.schedule": "Programar",
 "label.scheduled.backups": "Backups programados",
 "label.scope": "Escopo",
+"label.scope.tooltip": "Escopo do Pool de Armazenamento Prim\u00e1rio",
 "label.search": "Pesquisar",
 "label.secondary.isolated.vlan.type.isolated": "Isolada",
 "label.secondary.isolated.vlan.type.promiscuous": "Prom\u00edscuos",
@@ -1452,11 +2045,13 @@
 "label.secondaryips": "IPs secund\u00e1rios",
 "label.secondarystoragelimit": "Limites do armazenamento secund\u00e1rio (GiB)",
 "label.secretkey": "Chave secreta",
+"label.secret.key": "Chave secreta",
 "label.secured": "Protegido",
 "label.security.groups": "Grupos de seguran\u00e7a",
 "label.securitygroup": "Grupo de seguran\u00e7a",
 "label.securitygroupenabled": "Grupo de seguran\u00e7a ativado",
 "label.securitygroups": "Grupos de seguran\u00e7a",
+"label.securitygroupsenabled": "Grupos de seguran\u00e7a ativados",
 "label.see.more.info.cpu.usage": "Ver mais informa\u00e7\u00f5es sobre o uso de CPU",
 "label.see.more.info.memory.usage": "Ver mais informa\u00e7\u00f5es sobre o uso de mem\u00f3ria",
 "label.see.more.info.network.usage": "Ver mais informa\u00e7\u00f5es sobre o uso de rede",
@@ -1464,11 +2059,17 @@
 "label.see.more.info.shown.charts": "Ver mais informa\u00E7\u00F5es sobre os gr\u00E1ficos mostrados",
 "label.select": "Selecionar",
 "label.select-view": "Selecionar visualiza\u00e7\u00e3o",
+"label.select.2fa.provider": "Selecione o provedor",
 "label.select.a.zone": "Selecione uma zona",
 "label.select.deployment.infrastructure": "Selecione uma infraestrutura de implanta\u00e7\u00e3o",
+"label.select.guest.os.type": "Por favor, selecione o tipo de SO convidado",
+"label.select.network": "Selecionar Rede",
 "label.select.period": "Selecionar per\u00edodo",
 "label.select.project": "Selecionar projeto",
 "label.select.projects": "Selecionar projetos",
+"label.select.ps": "Selecionar armazenamento prim\u00e1rio",
+"label.select.root.disk": "Selecione o disco ROOT",
+"label.select.source.vcenter.datacenter": "Selecione o Datacenter VMware vCenter de origem",
 "label.select.tier": "Selecionar camada",
 "label.select.zones": "Selecionar zonas",
 "label.selected.storage": "Armazenamento selecionado",
@@ -1477,10 +2078,12 @@
 "label.semanticversion": "Vers\u00e3o sem\u00e2ntica",
 "label.sent": "Enviado",
 "label.sentbytes": "Bytes enviados",
+"label.sequence": "Sequ\u00eancia",
 "label.server": "Servidor",
 "label.server.certificate": "Certificados do servidor",
 "label.service.connectivity.distributedroutercapabilitycheckbox": "Roteador distribu\u00eddo",
 "label.service.connectivity.regionlevelvpccapabilitycheckbox": "VPC a n\u00edvel de regi\u00e3o",
+"label.service.group": "Grupo de servi\u00e7os",
 "label.service.lb.elasticlbcheckbox": "LB el\u00e1stico",
 "label.service.lb.inlinemodedropdown": "Modo",
 "label.service.lb.lbisolationdropdown": "Isolamento de LB",
@@ -1489,23 +2092,31 @@
 "label.service.offering": "Plano",
 "label.service.staticnat.associatepublicip": "Associa IP p\u00fablico",
 "label.service.staticnat.elasticipcheckbox": "IP el\u00e1stico",
+"label.servicegroupuuid": "Grupo de Servi\u00e7os",
+"label.serviceip": "IP de Servi\u00e7o",
 "label.servicelist": "Servi\u00e7os",
 "label.serviceofferingid": "Oferta de computa\u00e7\u00e3o",
 "label.serviceofferingname": "Oferta de computa\u00e7\u00e3o",
+"label.sessions": "Sess\u00f5es de cliente ativas",
 "label.set.default.nic": "Configurar para NIC padr\u00e3o",
 "label.set.reservation": "Fazer reserva",
+"label.set.reservation.account.desc": "Por favor, especifique uma Conta para ser associada a este intervalo de IP",
 "label.set.reservation.desc": "(opcional) especificar uma conta a ser associada a esta faixa de IP.<br/><br/>VMs de sistema: habilitar a dedica\u00e7\u00e3o da faixa IP p\u00fablica para SSVM e CPVM, campo de conta desativado. Rigor das reservas definido em 'system.vm.public.ip.reservation.mode.strictness'",
+"label.set.reservation.systemvm.desc": "Ativar dedica\u00e7\u00e3o de intervalo de IP p\u00fablico para SSVM e CPVM. Rigor da reserva definido em 'system.vm.public.ip.reservation.mode.strictness'.",
 "label.setting": "Configura\u00e7\u00e3o",
 "label.settings": "Configura\u00e7\u00f5es",
 "label.setup": "Configura\u00e7\u00e3o",
-"label.shared": "Compartilhado",
-"label.sharedexecutable": "Compartilhado",
+"label.shared": "Compartilhado(a)",
+"label.shared.filesystems": "Sistemas de Arquivos Compartilhados",
+"label.sharedexecutable": "Execut\u00e1veis compartilhados ",
 "label.sharedmountpoint": "SharedMountPoint",
 "label.sharedrouterip": "Endere\u00e7os IPv4 para o roteador dentro da rede compartilhada",
 "label.sharedrouteripv6": "Endere\u00e7os IPv6 para o roteador dentro da rede compartilhada",
 "label.sharewith": "Compartilhar com",
+"label.show.usage.records": "Mostrar registros de uso",
 "label.showing": "Exibindo",
 "label.shrinkok": "Encolhimento OK",
+"label.shutdown": "Desligar",
 "label.shutdown.provider": "Desabilitar provider",
 "label.simplified.chinese.keyboard": "Teclado chin\u00eas simplificado",
 "label.site.to.site.vpn": "VPN site a site",
@@ -1523,19 +2134,35 @@
 "label.snapshotlimit": "Limite de snapshots",
 "label.snapshotmemory": "Snapshot da mem\u00f3ria",
 "label.snapshots": "Snapshots",
+"label.snapshottype": "Tipo de Snapshot",
+"label.softwareversion": "Vers\u00e3o do software",
 "label.sockettimeout": "Tempo limite no socket",
+"label.source": "Selecionar Hypervisor de Origem de Importa\u00e7\u00e3o-Exporta\u00e7\u00e3o",
 "label.source.based": "SourceBased",
 "label.sourcecidr": "CIDR de origem",
 "label.sourcecidrlist": "Lista de CIDRs de origem",
+"label.sourcehost": "Host de origem",
 "label.sourceipaddress": "Endere\u00e7o IP de origem",
+"label.sourceipaddressnetworkid": "ID da Rede do endere\u00e7o IP de origem",
 "label.sourcenat": "Source NAT",
+"label.sourcenatipaddress": "Endere\u00e7o IP de NAT de origem",
 "label.sourcenatsupported": "Suporte \u00e0 source NAT",
 "label.sourcenattype": "Tipo de source NAT suportado",
 "label.sourceport": "Porta de origem",
+"label.sourcetype": "Tipo de origem",
+"label.specifyasnumber": "Especificar N\u00famero AS",
 "label.specifyipranges": "Especifique range de IP",
 "label.specifyvlan": "Especificar VLAN",
 "label.splitconnections": "Separar conex\u00f5es",
 "label.sr.name": "Nome da etiqueta SR",
+"label.srcaddressgroupuuid": "Grupo de Endere\u00e7os de Origem",
+"label.srcendport": "Porta Final de Origem",
+"label.srcipprefix": "Endere\u00e7o de Rede de Origem",
+"label.srcipprefixlen": "Comprimento do Prefixo de Origem",
+"label.srcnetwork": "Rede de Origem",
+"label.srcnetworkuuid": "Rede",
+"label.srcstartport": "Porta Inicial de Origem",
+"label.srctaguuid": "Tag de Origem",
 "label.srx": "SRX",
 "label.srx.firewall": "Juniper SRX firewall",
 "label.ssh.key.pairs": "Par de chaves SSH",
@@ -1544,6 +2171,7 @@
 "label.sshkeypairs": "Par de chaves SSH",
 "label.standard.us.keyboard": "Teclado padr\u00e3o (EUA)",
 "label.sslcertificates": "Certificados SSL",
+"label.sslverification": "Verifica\u00e7\u00e3o SSL",
 "label.start": "Iniciar",
 "label.start.date": "Data de in\u00edcio",
 "label.start.date.and.time": "Data e hor\u00e1rio inicial",
@@ -1552,14 +2180,18 @@
 "label.start.reserved.system.ip": "In\u00edcio dos IPs reservados para o sistema",
 "label.start.rolling.maintenance": "Iniciar a manunten\u00e7\u00e3o",
 "label.start.vm": "Iniciar VM",
+"label.startasn": "Iniciar N\u00famero AS",
 "label.startdate": "Por data (in\u00edcio)",
+"label.starting": "Iniciando",
 "label.startip": "IP do in\u00edcio",
 "label.startipv4": "IP inicial IPv4",
 "label.startipv6": "IP inicial IPv6",
 "label.startport": "Porta de in\u00edcio",
 "label.startquota": "Valor",
 "label.state": "Estado",
+"label.static": "Est\u00e1tico",
 "label.static.routes": "Rotas est\u00e1ticas",
+"label.staticnat": "NAT Est\u00e1tico",
 "label.statistics": "Estat\u00edsticas",
 "label.status": "Estado",
 "label.step.1": "Passo 1",
@@ -1582,6 +2214,8 @@
 "label.sticky.tablesize": "Tamanho da tabela",
 "label.stop": "Parar",
 "label.stopped": "VMs paradas",
+"label.stopped.vms": "Inst\u00e2ncias Paradas",
+"label.stopping": "Parando",
 "label.storage": "Armazenamento",
 "label.storage.migration.required": "Migra\u00e7\u00e3o de armazenamento necess\u00e1ria",
 "label.storage.tags": "Tags de armazenamento",
@@ -1590,34 +2224,56 @@
 "label.storagemotionenabled": "Motion do armazenamento habilitado",
 "label.storagepolicy": "Pol\u00edtica de armazenamento",
 "label.storagepool": "Pool de armazenamento",
+"label.storagepool.tooltip": "Pool de Armazenamento de Destino. O volume deve estar localizado neste Pool de Armazenamento",
 "label.storagetags": "Tags de armazenamento",
 "label.storagetype": "Tipo de armazenamento",
 "label.storageip": "Endere\u00e7o IP na rede de armazenamento",
 "label.strict": "Rigoroso",
 "label.subdomainaccess": "acesso ao subdom\u00ednio",
 "label.submit": "Enviar",
+"label.subnet": "Sub-rede",
 "label.succeeded": "Sucedido",
 "label.success": "Sucesso",
+"label.success.migrations": "Migra\u00e7\u00f5es bem-sucedidas",
 "label.success.set": "Definido com sucesso",
 "label.success.updated": "Atualizado com sucesso",
 "label.suitability": "Adequabilidade",
 "label.suitable": "Adequado",
 "label.sunday": "Domingo",
+"label.supported": "Suportado",
 "label.supportedservices": "Servi\u00e7os suportados",
 "label.supportsautoscaling": "Suporte \u00e0 auto-escala",
 "label.supportsha": "Suporte \u00e0 HA",
 "label.supportspublicaccess": "Suporte \u00e0 acesso p\u00fablico",
 "label.supportsstrechedl2subnet": "Suporte \u00e0 Streched L2 Subnet",
+"label.supportsvmautoscaling": "Suporta escalonamento autom\u00e1tico",
 "label.suspend.project": "Suspender projeto",
 "label.switch.type": "Tipo de switch",
 "label.sync.storage": "Sincronizar pool do armazenamento",
+"label.system.ip.pool": "Pool do Sistema",
 "label.system.offering": "Ofertas de sistema",
 "label.system.offerings": "Ofertas de sistema",
 "label.system.service.offering": "Ofertas de servi\u00e7o de sistema",
 "label.system.vm": "VM de sistema",
 "label.system.vms": "VMs de sistema",
+"label.systemcycleusage": "Ciclos de usu\u00e1rio, sistema e ociosidade",
+"label.systemloadaverages": "M\u00e9dias de carga de 1, 5 e 15 minutos",
+"label.systemmemoryfree": "Mem\u00f3ria livre do sistema",
+"label.systemmemorytotal": "Mem\u00f3ria total do sistema",
+"label.systemmemoryused": "Mem\u00f3ria do sistema usada",
+"label.systemmemoryvirtualsize": "Tamanho virtual total do processo",
+"label.systemtotalcpucycles": "Capacidade total da CPU para todos os n\u00facleos em MHz",
+"label.systemvm": "VM de Sistema",
 "label.systemvmtype": "Tipo de VM de sistema",
+"label.tag": "Tag",
 "label.tag.key": "Chave",
+"label.tag.nsx": "nsx",
+"label.tag.systemvm": "systemvm",
+"label.tag.type": "Tipo de Tag",
+"label.tagged.limits": "Limites marcados",
+"label.tagtypeuuid": "Tipo de Tag",
+"label.taguuid": "Tag",
+"label.taken": "Ocupado",
 "label.tag.value": "Valor",
 "label.tagged": "Etiquetado",
 "label.tags": "Etiquetas",
@@ -1637,7 +2293,13 @@
 "label.templatename": "Template",
 "label.templates": "Templates",
 "label.templatesubject": "Assunto",
+"label.templatetag": "Tag",
 "label.templatetype": "Tipo de template",
+"label.templateremoved": "Este template foi removido",
+"label.templateversion": "Vers\u00e3o do template",
+"label.term.type": "Tipo de termo",
+"label.test": "Teste",
+"label.test.webhook.delivery": "Testar Entrega de Webhook",
 "label.tftpdir": "Diret\u00f3rio raiz do TFTP",
 "label.theme.alert": "O painel de configura\u00e7\u00e3o \u00e9 apenas vis\u00edvel no ambiente de desenvolvimento, por favor, salve as configura\u00e7\u00f5es para que as mudan\u00e7as tenham efeito.",
 "label.theme.color": "Cor do tema",
@@ -1647,12 +2309,23 @@
 "label.theme.page.style.setting": "Defini\u00e7\u00e3o do estilo da p\u00e1gina",
 "label.theme.project": "Estilo do projeto",
 "label.theme.project.navigation.setting": "Configura\u00e7\u00e3o de navega\u00e7\u00e3o do projeto",
+"label.threadsblockedcount": "Threads Bloqueadas",
+"label.threadsdeamoncount": "Threads Daemon",
+"label.threadsnewcount": "Novas Threads",
+"label.threadsrunnablecount": "Threads Execut\u00e1veis",
+"label.threadsterminatedcount": "Threads Terminadas",
+"label.threadstotalcount": "Contagem total de Threads",
+"label.threadswaitingcount": "Threads Aguardando",
+"label.threshold.description": "Valor pelo qual o Contador ser\u00e1 avaliado com o Operador selecionado",
+"label.themes": "Temas",
 "label.threshold": "Limiar",
 "label.thursday": "Quinta",
 "label.time": "Tempo",
 "label.timeout": "Timeout",
 "label.timeout.in.second ": " Timeout (segundos)",
 "label.timezone": "Fuso hor\u00e1rio",
+"label.tmppath": "Caminho Temp",
+"label.tmppath.tooltip": "Caminho tempor\u00e1rio para armazenar imagens de disco no Host Externo antes de copiar para o pool de armazenamento de destino. O padr\u00e3o \u00e9 /tmp",
 "label.to": "para",
 "label.token": "Token",
 "label.token.for.dashboard.login": "Token para o login na Dashboard pode ser obtido atrav\u00e9s do seguinte comando",
@@ -1666,34 +2339,82 @@
 "label.traffic.types": "Tipos de tr\u00e1fego",
 "label.traffictype": "Tipo de tr\u00e1fego",
 "label.transportzoneuuid": "UUID da zona de transporte",
+"label.trigger.shutdown": "Acionar Desligamento Seguro",
 "label.try.again": "Tente novamente",
 "label.tuesday": "Ter\u00e7a",
+"label.2FA": "2FA",
+"label.two.factor.authentication": "Autentica\u00e7\u00e3o de Dois Fatores",
+"label.two.factor.authentication.secret.key": "Sua chave secreta de autentica\u00e7\u00e3o de dois fatores",
+"label.two.factor.authentication.static.pin": "Seu PIN est\u00e1tico de autentica\u00e7\u00e3o de dois fatores",
+"label.tungsten.fabric": "Tungsten Fabric",
+"label.tungsten.fabric.provider": "Provedor Tungsten Fabric",
+"label.tungsten.fabric.routing": "Roteamento Tungsten Fabric",
+"label.tungsten.interface.router.table": "Tabela de rotas da interface",
+"label.tungsten.logical.router": "Roteador L\u00f3gico",
+"label.tungsten.network.router.table": "Tabela de rotas da rede",
+"label.tungsten.provider": "Provedor Tungsten",
+"label.tungsten.provider.gateway": "Gateway do provedor Tungsten",
+"label.tungsten.provider.hostname": "Hostname do provedor Tungsten",
+"label.tungsten.provider.introspectport": "Porta de introspec\u00e7\u00e3o do provedor Tungsten",
+"label.tungsten.provider.name": "Nome do provedor Tungsten",
+"label.tungsten.provider.port": "Porta do provedor Tungsten",
+"label.tungsten.provider.vrouterport": "Porta do vrouter do provedor Tungsten",
+"label.tungsten.router.table": "Tabela de Roteador",
+"label.tungsten.routing.polices": "Pol\u00edticas de roteamento",
+"label.tungsten.static.routes": "Rotas Est\u00e1ticas",
+"label.tungstengateway": "Gateway",
+"label.tungsteninterfaceroutetablename": "Nome",
+"label.tungstennetworkroutetablename": "Nome",
+"label.tungstenproviderhostname": "Hostname do provedor",
+"label.tungstenproviderintrospectport": "Porta de introspec\u00e7\u00e3o do provedor",
+"label.tungstenproviderport": "Porta do provedor",
+"label.tungstenprovideruuid": "UUID do Provedor",
+"label.tungstenprovidervrouterport": "Porta do vrouter do provedor",
+"label.tungstenroutingpolicyterm": "Rede",
+"label.tungstenvms": "Inst\u00e2ncias",
 "label.type": "Tipo",
 "label.type.id": "Tipo do ID",
 "label.ucs": "UCS",
 "label.udp": "UDP",
+"label.udp6": "UDPv6",
+"label.uefi.supported": "UEFI suportado",
 "label.uk.keyboard": "Teclado do Reino Unido",
 "label.unauthorized": "N\u00e3o autorizado",
 "label.unavailable": "Indispon\u00edvel",
+"label.undefined": "Indefinido",
 "label.unit": "Unidade",
 "label.unknown": "Desconhecido",
 "label.unlimited": "Ilimitado",
+"label.unmanaged": "N\u00e3o gerenciado",
 "label.unmanage.instance": "N\u00e3o gerenciar inst\u00e2ncia",
+"label.unmanage.volume": "Parar de gerenciar Volume",
 "label.unmanaged.instance": "Inst\u00e2ncia n\u00e3o gerenciada",
 "label.unmanaged.instances": "Inst\u00e2ncias n\u00e3o gerenciadas",
+"label.unmanaged.volumes": "Volumes n\u00e3o gerenciados",
 "label.untagged": "N\u00e3omarcado",
+"label.up": "Cima",
+"label.update.autoscale.vmgroup": "Atualizar Grupo de AutoScale",
+"label.update.bgp.peer": "Atualizar par BGP",
+"label.update.condition": "Atualizar condi\u00e7\u00e3o",
+"label.update.ipv4.subnet": "Atualizar sub-rede IPv4",
 "label.update.instance.group": "Grupo de inst\u00e2ncias de atualiza\u00e7\u00e3o",
 "label.update.ip.range": "Atualizar intervalo IP",
 "label.update.network": "Atualizar rede",
 "label.update.physical.network": "Atualizar rede f\u00edsica",
 "label.update.project.role": "Atualizar fun\u00e7\u00e3o do projeto",
+"label.update.sharedfs": "Atualizar Sistema de Arquivos Compartilhado",
 "label.update.ssl": " atualizar certificado SSL",
 "label.update.to": "atualizado para",
 "label.update.traffic.label": "Atualizar etiquetas de tr\u00e1fego",
 "label.update.vmware.datacenter": "Atualizar VMware datacenter",
+"label.update.webhook": "Atualizar Webhook",
+"label.updateinsequence": "Atualizar em sequ\u00eancia",
 "label.updating": "Atualizando",
 "label.upgrade.router.newer.template": "Atualize roteador para usar template mais novo",
+"label.upgrading": "Atualizando",
 "label.upload": "Enviar",
+"label.upload.description": "Caminho de onde objetos serão enviados",
+"label.upload.path": "Caminho de envio",
 "label.upload.icon": "Carregar \u00cdcone",
 "label.upload.iso.from.local": "Carregar ISO local",
 "label.upload.resource.icon": "Carregar \u00cdcone",
@@ -1702,11 +2423,40 @@
 "label.upload.volume.from.local": "Carregar volume local",
 "label.upload.volume.from.url": "Carregar volume por URL",
 "label.url": "URL",
+"label.usage": "Uso",
+"label.usage.explanation": "Nota: Apenas o Usage Server que possui o job de uso ativo \u00e9 mostrado aqui.",
+"label.usage.records.downloading": "Baixando registros de uso",
+"label.usage.records.fetch.child.domains": "Buscar registros de uso para dom\u00ednios filhos",
+"label.usage.records.generate": "Gerar registros de uso",
+"label.usage.records.generate.after": "Os registros de uso ser\u00e3o criados para o per\u00edodo ap\u00f3s ",
+"label.usage.records.generate.description": "Se o job de uso agendado n\u00e3o foi executado ou falhou, isso gerar\u00e1 registros (apenas se houver registros a serem gerados)",
+"label.usage.records.generated": "Um job foi criado para gerar registros de uso.",
+"label.usage.records.purge": "Expurgar registros de uso",
+"label.usage.records.purge.alert": "Expurgar registros de uso excluir\u00e1 permanentemente os registros do banco de dados. Dependendo dos dados sendo exclu\u00eddos, isso pode aumentar a carga no banco de dados e pode demorar um pouco. Tem certeza de que deseja continuar?",
+"label.usage.records.purge.days": "Expurgar registros com mais de",
+"label.usage.records.purge.days.description": "Expurgar registros com mais de o n\u00famero especificado de dias.",
+"label.usage.records.usagetype.required": "O tipo de uso \u00e9 obrigat\u00f3rio com o ID do recurso",
+"label.usageid": "ID do Recurso",
+"label.usageislocal": "Um Usage Server est\u00e1 instalado localmente",
+"label.usagename": "Tipo de uso",
+"label.usagetypedescription": "Descri\u00e7\u00e3o do uso",
 "label.usageinterface": "Interface de uso",
 "label.usagetype": "Tipo",
 "label.usageunit": "Unidade",
 "label.use.kubectl.access.cluster": "os arquivos <code><b>kubectl</b></code> e <code><b>kubeconfig</b></code> para acessar o cluster",
 "label.use.local.timezone": "Use o fuso hor\u00e1rio local",
+"label.userdata.do.append": "Anexar dados do usu\u00e1rio",
+"label.userdata.do.override": "Substituir dados do usu\u00e1rio",
+"label.userdata.registered": "Dados do usu\u00e1rio armazenados",
+"label.userdata.text": "Entrada manual de dados do usu\u00e1rio",
+"label.userdatadetails": "Detalhes dos dados do usu\u00e1rio",
+"label.userdataid": "ID dos dados do usu\u00e1rio",
+"label.userdataname": "Nome dos dados do usu\u00e1rio",
+"label.userdataparams": "Par\u00e2metros dos dados do usu\u00e1rio",
+"label.userdatapolicy": "Pol\u00edtica de link de dados do usu\u00e1rio",
+"label.userdatapolicy.tooltip": "Os dados do usu\u00e1rio vinculados ao Template podem ser substitu\u00eddos pelos dados do usu\u00e1rio fornecidos durante a implanta\u00e7\u00e3o da Inst\u00e2ncia. Selecione a pol\u00edtica de substitui\u00e7\u00e3o conforme necess\u00e1rio.",
+"label.username.tooltip": "O Nome de Usu\u00e1rio para o Host",
+"label.keep.mac.address.on.public.nic": "Utilizar o mesmo endere\u00e7o MAC para a NIC p\u00fablica dos VRs",
 "label.used": "Utilizado",
 "label.usehttps": "Utilize HTTPS",
 "label.usenewdiskoffering": "Substituir a oferta de disco?",
@@ -1731,7 +2481,9 @@
 "label.vcenterpassword": "Senha vCenter",
 "label.vcenterusername": "Usu\u00e1rio vCenter",
 "label.vcsdeviceid": "ID",
+"label.verify": "Verificar",
 "label.version": "Vers\u00e3o",
+"label.versioning": "Versionamento",
 "label.versions": "Vers\u00f5es",
 "label.vgpu": "VGPU",
 "label.vgputype": "Tipo de vGPU",
@@ -1739,11 +2491,14 @@
 "label.view.all": "Visualizar tudo",
 "label.view.console": "Visualizar console",
 "label.viewing": "Visualizar",
+"label.virtualmachine": "Inst\u00e2ncia",
+"label.virtualmachinecount": "Contagem de Inst\u00e2ncias",
 "label.virtual.machine": "M\u00e1quina virtual",
 "label.virtual.machines": "M\u00e1quinas virtuais",
 "label.virtual.network": "Rede virtual",
 "label.virtual.networking": "Rede virtual",
 "label.virtual.routers": "Roteadores virtuais",
+"label.virtual.routers.system.offering": "Oferta de sistema do roteador virtual",
 "label.virtualmachineid": "ID da VM",
 "label.virtualmachinename": "Nome da VM",
 "label.virtualsize": "Tamanho virtual",
@@ -1765,18 +2520,59 @@
 "label.vmlimit": "Limites de inst\u00e2ncias",
 "label.vmname": "Nome da VM",
 "label.vms": "VMs",
+"label.vmscheduleactions": "A\u00e7\u00f5es",
+"label.vmsnapshotlimit": "Limite de snapshots de VM",
 "label.vmstate": "Estado da VM",
 "label.vmtotal": "VMs totais",
+"label.vmware": "VMware",
 "label.vmware.storage.policy": "Pol\u00edtica de armazenamento do VMWare",
 "label.vmwaredcid": "ID do datacenter VMware",
 "label.vmwaredcname": "Nome do datacenter VMware",
 "label.vmwaredcvcenter": "Vcednter do datacenter VMware",
 "label.vmwarenetworklabel": "Etiqueta de tr\u00e1fego VMware",
-"label.vnf.appliance.add": "Adicionar VNF Appliance",
 "label.vnmc": "VNMC",
+"label.vnf.app.action.destroy": "Destruir appliance VNF",
+"label.vnf.app.action.edit": "Editar appliance VNF",
+"label.vnf.app.action.expunge": "Expurgar appliance VNF",
+"label.vnf.app.action.migrate.to.host": "Migrar appliance VNF para outro host",
+"label.vnf.app.action.migrate.to.ps": "Migrar appliance VNF para outro armazenamento prim\u00e1rio",
+"label.vnf.app.action.reboot": "Reiniciar appliance VNF",
+"label.vnf.app.action.recover": "Recuperar appliance VNF",
+"label.vnf.app.action.reinstall": "Reinstalar appliance VNF",
+"label.vnf.app.action.scale": "Escalonar appliance VNF",
+"label.vnf.app.action.start": "Iniciar appliance VNF",
+"label.vnf.app.action.stop": "Parar appliance VNF",
+"label.vnf.appliance": "Appliance VNF",
+"label.vnf.appliance.add": "Adicionar Appliance VNF",
+"label.vnf.appliance.access.methods": "Informa\u00e7\u00f5es de acesso de gerenciamento para este appliance VNF",
+"label.vnf.appliances": "Appliances VNF",
+"label.vnf.cidr.list": "CIDR a partir do qual o acesso \u00e0 interface de Gerenciamento do appliance VNF deve ser permitido",
+"label.vnf.cidr.list.tooltip": "a lista CIDR para encaminhar tr\u00e1fego para a interface de gerenciamento VNF. M\u00faltiplas entradas devem ser separadas por um \u00fanico caractere de v\u00edrgula (,). O valor padr\u00e3o \u00e9 0.0.0.0/0.",
+"label.vnf.configure.management": "Configurar regras de Firewall e Encaminhamento de Porta para as interfaces de gerenciamento da VNF",
+"label.vnf.configure.management.tooltip": "Verdadeiro por padr\u00e3o, regras de grupo de seguran\u00e7a ou de rede (source nat e regras de firewall) ser\u00e3o configuradas para interfaces de gerenciamento VNF. Falso caso contr\u00e1rio. Saiba quais regras s\u00e3o configuradas em http://docs.cloudstack.apache.org/en/latest/adminguide/networking/vnf_templates_appliances.html#deploying-vnf-appliances",
+"label.vnf.detail.add": "Adicionar detalhe VNF",
+"label.vnf.detail.remove": "Remover detalhe VNF",
+"label.vnf.details": "Detalhes VNF",
+"label.vnf.nics": "NICs VNF",
+"label.vnf.nic.add": "Adicionar NIC VNF",
+"label.vnf.nic.delete": "Excluir NIC VNF",
+"label.vnf.nic.description": "Descri\u00e7\u00e3o da NIC VNF",
+"label.vnf.nic.deviceid": "ID do Dispositivo da NIC VNF. Come\u00e7a com 0. A NIC com deviceid como 0 para o appliance VNF ser\u00e1 a NIC padr\u00e3o.",
+"label.vnf.nic.edit": "Editar NIC VNF",
+"label.vnf.nic.management": "NIC de Gerenciamento",
+"label.vnf.nic.management.description": "Verdadeiro se a NIC VNF for uma interface de gerenciamento. Falso caso contr\u00e1rio",
+"label.vnf.nic.mappings": "Mapeamentos de NIC VNF",
+"label.vnf.nic.name": "Nome da NIC VNF",
+"label.vnf.nic.remove": "Remover NIC VNF",
+"label.vnf.nic.required": "Verdadeiro se a NIC VNF for obrigat\u00f3ria. Caso contr\u00e1rio, opcional",
+"label.vnf.settings": "Configura\u00e7\u00f5es VNF",
+"label.vnf.template.register": "Registrar template VNF",
+"label.vnf.templates": "Templates VNF",
 "label.volgroup": "Grupo de volume",
 "label.volume": "Disco",
 "label.volume.empty": "Nenhum volume de dados anexado a esta VM",
+"label.volume.encryption.support": "Criptografia de Volume Suportada",
+"label.volume.metrics": "M\u00e9tricas de Volume",
 "label.volume.volumefileupload.description": "Clique ou arraste o arquivo para esta \u00e1rea para carreg\u00e1-lo",
 "label.volumechecksum": "MD5 checksum",
 "label.volumechecksum.description": "Utilize o hash que voc\u00ea criou no inicio do procedimento de carregamento de volume",
@@ -1788,15 +2584,18 @@
 "label.volumename": "Nome do disco",
 "label.volumes": "Discos",
 "label.volumetotal": "Disco",
+"label.volumetype": "Tipo de Volume",
 "label.vpc": "VPC",
 "label.vpc.id": "ID da VPC",
 "label.vpc.offerings": "Ofertas VPC",
 "label.vpc.virtual.router": "Roteador virtual VPC",
+"label.vpc.restart.required": "Reinicializa\u00e7\u00e3o de VPC necess\u00e1ria",
 "label.vpcid": "VPC",
 "label.vpclimit": "Limites VPC",
 "label.vpcname": "VPC",
 "label.vpcoffering": "Oferta VPC",
 "label.vpcofferingid": "Oferta VPC",
+"label.vpcs": "VPCs",
 "label.vpn": "VPN",
 "label.vpn.connection": "Conex\u00e3o VPN",
 "label.vpn.gateway": "Gateway de VPN",
@@ -1817,20 +2616,26 @@
 "label.warn": "Avisar",
 "label.warn.upper": "AVISO",
 "label.warning": "Aten\u00e7\u00e3o",
+"label.webhook": "Webhook",
+"label.webhook.deliveries": "Entregas de Webhook",
+"label.webhookname": "Webhook",
+"label.webhooks": "Webhooks",
 "label.wednesday": "Quarta-Feira",
 "label.weekly": "Semanal",
 "label.welcome": "Bem-Vindo",
 "label.what.is.cloudstack": "O que \u00e9 o CloudStack&#8482?",
 "label.windows": "Windows",
 "label.with.snapshotid": "com o ID da snapshot",
-"label.write": "Escreva",
+"label.write": "Escrita",
 "label.writeback": "Write-back",
 "label.writecachetype": "Tipo do cache de escrita",
 "label.writeio": "Escrita (IO)",
 "label.writethrough": "Write-through",
 "label.xennetworklabel": "Etiqueta de tr\u00e1fego XenServer",
+"label.xenserver": "XenServer",
 "label.xenservertoolsversion61plus": "Vers\u00e3o original do XS \u00e9 6.1+",
 "label.yes": "Sim",
+"label.your.autoscale.vmgroup": "Seu grupo de escalonamento autom\u00e1tico",
 "label.yourinstance": "Sua inst\u00e2ncia",
 "label.zone": "Zona",
 "label.zone.dedicated": "Zona dedicada",
@@ -1843,18 +2648,37 @@
 "label.zonenamelabel": "Nome da zona",
 "label.zones": "Zonas",
 "label.zonewizard.traffictype.storage": "Armazenamento: tr\u00e1fego entre servidores de armazenamento prim\u00e1ria e secund\u00e1ria, tais como templates de m\u00e1quinas virtuais e snapshots",
+"label.quotagb": "Cota em GB",
+"label.quotagib": "Cota em GiB",
 "message.acquire.ip.failed": "Falha ao adquirir IP",
+"message.action.about.mandate.and.disable.2FA.user.auth": "A autentica\u00e7\u00e3o de dois fatores \u00e9 obrigat\u00f3ria para o usu\u00e1rio. Se for desativada agora, o usu\u00e1rio precisar\u00e1 configurar a autentica\u00e7\u00e3o de dois fatores novamente no pr\u00f3ximo login. <br><br>Por favor, confirme que voc\u00ea deseja desativ\u00e1-la.",
 "message.action.acquire.ip": "Por favor, confirme que voc\u00ea quer adquirir um novo IP",
 "message.action.cancel.maintenance": "A manuten\u00e7\u00e3o do seu host foi cancelada com sucesso",
 "message.action.cancel.maintenance.mode": "Confirme que voc\u00ea deseja cancelar esta manuten\u00e7\u00e3o",
 "message.action.create.snapshot.from.vmsnapshot": "Por favor, confirme que voc\u00ea quer criar uma snapshot a partir de uma snapshot de VM",
+"message.action.delete.asnrange": "Por favor, confirme a faixa AS que voc\u00ea deseja excluir",
+"message.action.delete.autoscale.vmgroup": "Por favor, confirme que voc\u00ea deseja excluir este grupo de autoescalonamento.",
 "message.action.delete.backup.offering": "Por favor, confirme que voc\u00ea quer remover esta oferta de backup",
+"message.action.delete.backup.repository": "Por favor, confirme que voc\u00ea deseja excluir este reposit\u00f3rio de backup?",
+"message.action.delete.backup.schedule": "Confirme que voc\u00ea deseja remover esse agendamento de backup.",
 "message.action.delete.cluster": "Confirme que voc\u00ea deseja excluir este host",
+"message.action.delete.domain": "Por favor, confirme que voc\u00ea deseja excluir este dom\u00ednio.",
 "message.action.delete.disk.offering": "Confirme que voc\u00ea deseja excluir esta oferta de disco",
+"message.action.delete.external.firewall": "Por favor, confirme que voc\u00ea gostaria de remover este firewall externo. Aviso: Se voc\u00ea planeja adicionar de volta o mesmo firewall externo, deve redefinir os dados de uso no dispositivo.",
+"message.action.delete.external.load.balancer": "Por favor, confirme que voc\u00ea gostaria de remover este balanceador de carga externo. Aviso: Se voc\u00ea planeja adicionar de volta o mesmo balanceador de carga externo, deve redefinir os dados de uso no dispositivo.",
+"message.action.delete.gui.theme": "Por favor, confirme que voc\u00ea deseja excluir este tema da GUI",
+"message.action.delete.guest.os": "Por favor, confirme que voc\u00ea deseja excluir este SO convidado. Entradas definidas pelo sistema n\u00e3o podem ser exclu\u00eddas.",
+"message.action.delete.guest.os.hypervisor.mapping": "Por favor, confirme que voc\u00ea deseja excluir este mapeamento de hypervisor do SO convidado. Entradas definidas pelo sistema n\u00e3o podem ser exclu\u00eddas.",
+"message.action.delete.ingress.rule": "Por favor, confirme que voc\u00ea deseja excluir esta regra de ingresso.",
 "message.action.delete.instance.group": "Por favor, confirme que voc\u00ea quer remover o grupo de inst\u00e2ncia",
+"message.action.delete.interface.static.route": "Por favor, confirme que voc\u00ea deseja remover esta Rota Est\u00e1tica de interface?",
 "message.action.delete.iso": "Confirme que voc\u00ea deseja excluir esta ISO",
+"message.action.delete.ipv4.subnet": "Por favor, confirme que voc\u00ea deseja excluir esta sub-rede IPv4.",
+"message.action.delete.network.static.route": "Por favor, confirme que voc\u00ea deseja remover esta Rota Est\u00e1tica de Rede",
 "message.action.delete.network": "Confirme que voc\u00ea deseja remover esta rede.",
+"message.action.delete.nexusvswitch": "Por favor, confirme que voc\u00ea deseja excluir este nexus 1000v",
 "message.action.delete.node": "Por favor, confirme que voc\u00ea quer remover este nodo.",
+"message.action.delete.oauth.provider": "Por favor, confirme que voc\u00ea deseja excluir o provedor OAuth.",
 "message.action.delete.physical.network": "Por favor confirme que voc\u00ea deseja deletar esta rede f\u00edsica",
 "message.action.delete.pod": "Confirme que voc\u00ea deseja remover este pod.",
 "message.action.delete.secondary.storage": "Confirme que voc\u00ea deseja remover este armazenamento secund\u00e1rio.",
@@ -1863,30 +2687,46 @@
 "message.action.delete.snapshot": "Confirme que voc\u00ea deseja remover esta snapshot.",
 "message.action.delete.system.service.offering": "Por favor confirme que voc\u00ea deseja deletar esta oferta de servi\u00e7o de sistema.",
 "message.action.delete.template": "Confirme que voc\u00ea deseja remover este template.",
+"message.action.delete.theme": "Por favor, confirme que voc\u00ea deseja excluir este tema.",
+"message.action.delete.tungsten.router.table": "Por favor, confirme que voc\u00ea deseja remover a Tabela de Rotas desta Rede?",
 "message.action.delete.volume": "Confirme que voc\u00ea deseja remover este disco.",
 "message.action.delete.vpn.user": "Por favor, confirme que voc\u00ea quer remover o usu\u00e1rio da VPN.",
 "message.action.delete.zone": "Confirme que voc\u00ea deseja remover esta zona.",
 "message.action.destroy.instance": "Por favor, confirme que voc\u00ea deseja excluir esta inst\u00e2ncia.",
 "message.action.destroy.instance.with.backups": "Por favor, confirme que voc\u00ea quer destruir a inst\u00e2ncia. \u00c9 poss\u00edvel que haja backups associados a inst\u00e2ncia no qual n\u00e3o ser\u00e3o removidos.",
+"message.action.destroy.sharedfs": "Por favor, confirme que voc\u00ea deseja destruir este Sistema de Arquivos Compartilhado.<br><b>Cuidado: Isso excluir\u00e1 todos os dados do Sistema de Arquivos Compartilhado tamb\u00e9m.</b>",
 "message.action.destroy.systemvm": "Confirme que voc\u00ea deseja excluir esta VM de sistema.",
 "message.action.destroy.volume": "Por favor, confirme que voc\u00ea quer destruir este volume.",
+"message.action.disable.2FA.user.auth": "Por favor, confirme que voc\u00ea deseja desativar a autentica\u00e7\u00e3o de dois fatores do usu\u00e1rio.",
 "message.action.disable.cluster": "Confirma a desativa\u00e7\u00e3o do cluster.",
+"message.action.disable.disk.offering": "Por favor, confirme que voc\u00ea deseja desativar esta oferta de disco.",
 "message.action.disable.physical.network": "Por favor confirme que voc\u00ea deseja desabilitar esta rede f\u00edsica.",
 "message.action.disable.pod": "Confirma a desativa\u00e7\u00e3o do pod.",
 "message.action.disable.static.nat": "Confirme que voc\u00ea deseja desativar o NAT est\u00e1tico.",
+"message.action.disable.service.offering": "Por favor, confirme que voc\u00ea deseja desativar esta oferta de servi\u00e7o.",
+"message.action.disable.system.service.offering": "Por favor, confirme que voc\u00ea deseja desativar esta oferta de servi\u00e7o do sistema.",
 "message.action.disable.zone": "Confirma a desativa\u00e7\u00e3o da zona.",
 "message.action.download.iso": "Por favor confirme que voc\u00ea deseja baixar esta ISO.",
 "message.action.download.snapshot": "Por favor confirme que voc\u00ea deseja baixar esta snapshot.",
 "message.action.download.template": "Por favor confirme que voc\u00ea deseja baixar este template.",
+"message.action.edit.nfs.mount.options": "Altera\u00e7\u00f5es nas op\u00e7\u00f5es de montagem NFS s\u00f3 ter\u00e3o efeito ao cancelar o modo de manuten\u00e7\u00e3o, o que far\u00e1 com que o pool de armazenamento seja remontado em todos os hosts KVM com as novas op\u00e7\u00f5es de montagem.",
 "message.action.enable.cluster": "Confirma a ativa\u00e7\u00e3o do cluster.",
+"message.action.enable.disk.offering": "Por favor, confirme que voc\u00ea deseja ativar esta oferta de disco.",
+"message.action.enable.service.offering": "Por favor, confirme que voc\u00ea deseja ativar esta oferta de servi\u00e7o.",
+"message.action.enable.system.service.offering": "Por favor, confirme que voc\u00ea deseja ativar esta oferta de servi\u00e7o do sistema.",
 "message.action.enable.physical.network": "Por favor confirme que voc\u00ea deseja habilitar esta rede f\u00edsica.",
 "message.action.enable.pod": "Confirma a ativa\u00e7\u00e3o do pod.",
 "message.action.enable.zone": "Confirma a ativa\u00e7\u00e3o da zona.",
 "message.action.expunge.instance": "Por favor, confirme que voc\u00ea deseja eliminar esta inst\u00e2ncia.",
 "message.action.expunge.instance.with.backups": "Por favor, confirme que voc\u00ea quer eliminar esta inst\u00e2ncia. \u00c9 poss\u00edvel que haja backups associados a inst\u00e2ncia no qual n\u00e3o ser\u00e3o removidos.",
+"message.action.expunge.sharedfs": "Por favor, confirme que voc\u00ea deseja expurgar este Sistema de Arquivos Compartilhado.",
 "message.action.host.enable.maintenance.mode": "Ativar o modo de manuten\u00e7\u00e3o ir\u00e1 causar o live migration de todas as inst\u00e2ncias hospedadas neste host para o pr\u00f3ximo dispon\u00edvel.",
 "message.action.instance.reset.password": "Por favor confirme que voc\u00ea deseja alterar a senha de root para est\u00e1 m\u00e1quina virtual.",
 "message.action.manage.cluster": "Confirma a vincula\u00e7\u00e3o do cluster.",
+"message.action.patch.router": "Por favor, confirme que voc\u00ea deseja aplicar um patch ao vivo no roteador. <br> Esta opera\u00e7\u00e3o \u00e9 equivalente a atualizar os pacotes do roteador e reiniciar a Rede sem limpeza.",
+"message.action.patch.systemvm": "Por favor, confirme que voc\u00ea deseja aplicar um patch na VM de Sistema.",
+"message.action.primary.storage.scope.cluster": "Por favor, confirme que voc\u00ea deseja alterar o escopo de zona para o cluster especificado.<br>Esta opera\u00e7\u00e3o atualizar\u00e1 o banco de dados e desconectar\u00e1 o pool de armazenamento de todos os hosts que estavam conectados anteriormente ao armazenamento prim\u00e1rio e n\u00e3o fazem parte do cluster especificado.",
+"message.action.primary.storage.scope.zone": "Por favor, confirme que voc\u00ea deseja alterar o escopo de cluster para zona.<br>Esta opera\u00e7\u00e3o atualizar\u00e1 o banco de dados e conectar\u00e1 o pool de armazenamento a todos os hosts da zona executando o mesmo hypervisor definido no pool de armazenamento.",
 "message.action.primarystorage.enable.maintenance.mode": "Aviso: colocar o armazenamento prim\u00e1rio em modo de manuten\u00e7\u00e3o ir\u00e1 causar a parada de todas as VMs hospedadas nesta unidade. Deseja continuar?",
 "message.action.quota.tariff.create.error.namerequired": "Por favor, informe o nome da tarifa.",
 "message.action.quota.tariff.create.error.usagetyperequired": "Por favor, selecione o tipo da tarifa.",
@@ -1895,8 +2735,16 @@
 "message.action.reboot.instance": "Por favor, confirme que voc\u00ea deseja reiniciar esta inst\u00e2ncia.",
 "message.action.reboot.router": "Confirme que voc\ufffd deseja reiniciar este roteador.",
 "message.action.reboot.systemvm": "Confirme que voc\u00ea deseja reiniciar esta VM de sistema.",
+"message.action.recover.sharedfs": "Por favor, confirme que voc\u00ea gostaria de recuperar este Sistema de Arquivos Compartilhado.",
 "message.action.recover.volume": "Por favor, confirme que voc\u00ea quer recuperar este volume.",
+"message.action.release.asnumber": "Por favor, confirme que voc\u00ea deseja liberar este N\u00famero AS.",
 "message.action.release.ip": "Confirme que voc\u00ea deseja liberar este IP.",
+"message.action.release.reserved.ip": "Por favor, confirme que voc\u00ea deseja liberar este IP reservado.",
+"message.action.remove.host": "Por favor, confirme que voc\u00ea deseja remover este host.",
+"message.action.remove.logical.router": "Por favor, confirme que voc\u00ea deseja remover o Roteador L\u00f3gico?",
+"message.action.remove.routing.policy": "Por favor, confirme que voc\u00ea deseja remover a Pol\u00edtica de Roteamento desta Rede",
+"message.action.reserve.ip": "Por favor, confirme que voc\u00ea deseja reservar este IP.",
+"message.action.restart.sharedfs": "Por favor, confirme que voc\u00ea deseja reiniciar este Sistema de Arquivos Compartilhado. Isso causar\u00e1 um tempo de inatividade para o usu\u00e1rio.<br>Reiniciar com limpeza reinicializar\u00e1 a Inst\u00e2ncia do Sistema de Arquivos Compartilhado sem afetar o sistema de arquivos instalado.",
 "message.action.revert.snapshot": "Por favor, confirme que voc\u00ea deseja reverter o seu volume desta snapshot.",
 "message.action.router.health.checks": "Resultados das checagens de sa\u00fade ser\u00e3o obtidos do roteador.",
 "message.action.router.health.checks.disabled.warning": "Por favor, habilite as checagens de sa\u00fade do roteador.",
@@ -1907,15 +2755,20 @@
 "message.action.settings.warning.vm.running": "Por favor, pare a VM para acessar as configura\u00e7\u00f5es",
 "message.action.start.instance": "Por favor, confirme que voc\u00ea deseja iniciar esta inst\u00e2ncia.",
 "message.action.start.router": "Confirme que voc\u00ea deseja inciar este roteador.",
+"message.action.start.sharedfs": "Por favor, confirme que voc\u00ea deseja iniciar este Sistema de Arquivos Compartilhado.",
 "message.action.start.systemvm": "Confirme que voc\u00ea deseja iniciar esta VM de sistema.",
 "message.action.stop.instance": "Por favor, confirme que voc\u00ea deseja parar esta inst\u00e2ncia.",
 "message.action.stop.router": "Confirme que voc\ufffd deseja parar este roteador.",
+"message.action.stop.sharedfs": "Por favor, confirme que voc\u00ea deseja parar este Sistema de Arquivos Compartilhado.",
 "message.action.stop.systemvm": "Confirme que voc\u00ea deseja parar esta VM de sistema.",
 "message.action.unmanage.cluster": "Confirma a desvincula\u00e7\u00e3o do cluster.",
 "message.action.unmanage.instance": "Por favor, confirme que voc\u00ea deseja parar de gerenciar a inst\u00e2ncia.",
 "message.action.unmanage.instances": "Por favor, confirme que voc\u00ea deseja parar de gerenciar as inst\u00e2ncias.",
 "message.action.unmanage.virtualmachine": "Por favor, confirme que voc\u00ea deseja parar de gerenciar a VM.",
-"message.action.vmsnapshot.delete": "Por favor, confirme que voc\u00ea deseja excluir esta snapshot de VM.",
+"message.action.unmanage.volume": "Por favor, confirme que voc\u00ea deseja parar de gerenciar o Volume.",
+"message.action.unmanage.volumes": "Por favor, confirme que voc\u00ea deseja parar de gerenciar os Volumes.",
+"message.action.vmsnapshot.delete": "Por favor, confirme que voc\u00ea deseja excluir esta snapshot de VM. <br>Saiba que caso a instância execute em um hypervisor KVM, ela será pausada antes da deleç\u00e3o, e continuada após a deleç\u00e3o.",
+"message.action.vmsnapshot.disk-only.delete": "Por favor, confirme que voc\u00ea deseja excluir esta snapshot de VM.",
 "message.activate.project": "Voc\u00ea tem certeza que deseja ativar este projeto?",
 "message.add.egress.rule.failed": "Falha ao adicionar uma nova regra de sa\u00edda",
 "message.add.egress.rule.processing": "Adicionando uma nova regra de sa\u00edda...",
@@ -1923,14 +2776,29 @@
 "message.add.firewall": "Adicionar firewall \u00e0\u00a0 zona.",
 "message.add.firewall.rule.failed": "Falha ao adicionar uma nova regra de firewall",
 "message.add.firewall.rule.processing": "Adicionando uma nova regra de firewall...",
+"message.add.firewallrule.failed": "Falha ao adicionar Regra de Firewall",
 "message.add.host": "Especifique os seguintes par\u00e2metros para adicionar um novo host.",
+"message.add.host.sshkey": "AVISO: Para adicionar um host com chave SSH, voc\u00ea deve garantir que o host do seu hypervisor foi configurado corretamente.",
 "message.add.iprange.processing": "Adicionando intervalo IP...",
+"message.add.ipv4.subnet.for.guest.network.failed": "Falha ao adicionar sub-rede IPv4 para rede guest",
+"message.add.ipv4.subnet.for.guest.network.processing": "Adicionando sub-rede IPv4 para rede guest...",
+"message.add.ip.v6.prefix.processing": "Adicionando Prefixo IPv6...",
+"message.add.ip.v6.firewall.rule.failed": "Falha ao adicionar regra de firewall IPv6",
+"message.add.ip.v6.firewall.rule.processing": "Adicionando regra de firewall IPv6...",
+"message.add.ip.v6.firewall.rule.success": "Regra de firewall IPv6 adicionada",
+"message.redeliver.webhook.delivery": "Reentregar esta entrega de Webhook",
+"message.remove.ip.v6.firewall.rule.failed": "Falha ao remover regra de firewall IPv6",
+"message.remove.ip.v6.firewall.rule.processing": "Removendo regra de firewall IPv6...",
+"message.remove.ip.v6.firewall.rule.success": "Regra de firewall IPv6 removida",
+"message.add.nsx.controller": "Adicionar Provedor NSX",
 "message.add.network": "Adicionar uma nova rede para a zona: <b><span id=\"zone_name\"></span></b>",
 "message.add.network.acl.failed": "Falha ao adicionar lista de rede ACL",
 "message.add.network.acl.processing": "Adicionando lista de rede ACL...",
 "message.add.network.failed": "Falha ao adicionar rede",
 "message.add.network.processing": "Adicionando rede...",
 "message.add.new.gateway.to.vpc": "Favor especificar a informa\u00e7\u00e3o para adicionar um novo gateway a esta VPC.",
+"message.add.physical.network.failed": "Falha ao adicionar rede f\u00edsica",
+"message.add.physical.network.processing": "Adicionando uma nova rede f\u00edsica...",
 "message.add.pod": "Adicionar um novo pod para a zona <b><span id=\"add_pod_zone_name\"></span></b>",
 "message.add.pod.during.zone.creation": "Cada zona deve conter um ou mais pods e iremos adicionar o primeiro pod agora. Um pod cont\u00e9m hosts e servidores de armazenamento prim\u00e1rio que ser\u00e3o adicionados em uma etapa posterior. Inicialmente, configure um intervalo de endere\u00e7os IP reservados para o tr\u00e1fego de gerenciamento interno do CloudStack. A faixa de IP reservados devem ser \u00fanicos para cada zona na nuvem.",
 "message.add.port.forward.failed": "Falha ao adicionar nova regra de encaminhamento de porta",
@@ -1939,6 +2807,9 @@
 "message.add.private.gateway.processing": "Adicionando gateway privado...",
 "message.add.resource.description": "Adicionar recursos de infraestrutura",
 "message.add.resource.hint": "Adicionar recursos de infraestrutura - pods, clusters, armazenamentos prim\u00e1rios/secund\u00e1rios.",
+"message.add.routing.firewall.rule.failed": "Falha ao adicionar regra de firewall de Roteamento IPv4",
+"message.add.routing.firewall.rule.processing": "Adicionando regra de firewall de Roteamento IPv4...",
+"message.add.routing.firewall.rule.success": "Regra de firewall de Roteamento IPv4 adicionada",
 "message.add.rule.failed": "Falha ao adicionar nova regra",
 "message.add.rule.processing": "Adicionando nova regra do security-group...",
 "message.add.secondary.ipaddress.processing": "Adicionando endere\u00e7o IP secund\u00e1rio...",
@@ -1947,7 +2818,10 @@
 "message.add.tag.failed": "Falha ao adicionar nova etiqueta",
 "message.add.tag.for.networkacl": "Adicionar etiqueta para rede ACL",
 "message.add.tag.processing": "Adicionando nova etiqueta...",
+"message.add.template": "Por favor, insira os seguintes dados para criar o seu novo Template",
+"message.add.tungsten.routing.policy.available": "A pol\u00edtica de roteamento Tungsten-Fabric est\u00e1 pronta para iniciar. Por favor, prossiga para a pr\u00f3xima etapa.",
 "message.add.user.to.project": "Este formul\u00e1rio permitir\u00e1 adicionar usu\u00e1rios espec\u00edficos de uma conta a um projeto.<br>Al\u00e9m disso, uma fun\u00e7\u00e3o de projeto pode ser adicionada ao usu\u00e1rio/conta para permitir/n\u00e3o permitir o acesso API em n\u00edvel de projeto.<br> Tamb\u00e9m podemos especificar a fun\u00e7\u00e3o com a qual o usu\u00e1rio deve ser adicionado a um projeto - admin/Regular; se n\u00e3o for especificado, o padr\u00e3o \u00e9 'Regular'.",
+"message.add.volume": "Por favor, preencha os seguintes dados para adicionar um novo volume.",
 "message.add.vpn.connection.failed": "Falha ao adicionar conex\u00e3o VPN",
 "message.add.vpn.connection.processing": "Adicionando conex\u00e3o VPN...",
 "message.add.vpn.customer.gateway": "Adicionando o gateway da VPN do cliente",
@@ -1955,11 +2829,14 @@
 "message.add.vpn.gateway": "Favor confirmar que voc\u00ea deseja adicionar um gateway de VPN",
 "message.add.vpn.gateway.failed": "Falha ao adicionar gateway da VPN",
 "message.add.vpn.gateway.processing": "Adicionando gateway da VPN...",
+"message.added.vpc.offering": "Oferta de VPC adicionada",
+"message.adding.firewall.policy": "Adicionando Pol\u00edtica de Firewall",
 "message.adding.host": "Adicionando host",
 "message.adding.netscaler.device": "Adicionando dispositivo Nescaler",
 "message.adding.netscaler.provider": "Adicionando Netscaler provider",
 "message.advanced.security.group": "Escolha esta op\u00e7\u00e3o se desejar utilizar grupos de seguran\u00e7a para isolamento das VMs guest.",
 "message.alert.show.all.stats.data": "Isso pode retornar muitos dados dependendo das configura\u00e7\u00f5es de coleta e reten\u00e7\u00e3o de estat\u00edsticas.",
+"message.allowed": "Permitido",
 "message.apply.success": "Aplicado com sucesso",
 "message.assign.instance.another": "Favor especificar o tipo de conta, dom\u00ednio, nome da conta e rede (opcional) da nova conta. <br> Se o NIC padr\u00e3o da VM estiver em uma rede compartilhada, o CloudStack verificar\u00e1 se a rede pode ser usada pela nova conta se voc\u00ea n\u00e3o especificar uma rede. <br> Se o NIC padr\u00e3o da VM estiver em uma rede isolada, e a nova conta tiver mais uma rede isolada, voc\u00ea deve especificar uma.",
 "message.assign.vm.failed": "Falha na designa\u00e7\u00e3o de VM",
@@ -1967,26 +2844,52 @@
 "message.attach.volume": "Preencha os seguintes dados para conectar o novo disco. Se voc\u00ea est\u00e1 conectando um disco a uma m\u00e1quina virtual Windows, ser\u00e1 necess\u00e1rio reiniciar a inst\u00e2ncia para visualizar o novo disco.",
 "message.attach.volume.failed": "Falha ao anexar volume",
 "message.attach.volume.progress": "Anexando volume",
+"message.attach.volume.success": "Volume anexado com sucesso \u00e0 inst\u00e2ncia",
 "message.authorization.failed": "Sess\u00e3o expirada, a verifica\u00e7\u00e3o de autoriza\u00e7\u00e3o falhou",
+"message.autoscale.loadbalancer.update": "A regra do balanceador de carga s\u00f3 pode ser atualizada quando o grupo de autoescalonamento estiver DESATIVADO.",
+"message.autoscale.policies.update": "As pol\u00edticas de aumento/diminui\u00e7\u00e3o s\u00f3 podem ser atualizadas quando o grupo de autoescalonamento estiver DESATIVADO.",
+"message.autoscale.vm.networks": "Por favor, escolha pelo menos uma Rede para as Inst\u00e2ncias no grupo de autoescalonamento. A Rede padr\u00e3o deve ser uma Rede Isolada ou Camada de Rede VPC que suporte AutoScale de Inst\u00e2ncia e tenha regras de balanceamento de carga.",
+"message.autoscale.vmprofile.update": "O perfil de Inst\u00e2ncia de AutoScale s\u00f3 pode ser atualizado quando o grupo de autoescalonamento estiver DESATIVADO.",
 "message.backup.attach.restore": "Favor confirmar que voc\u00ea deseja restaurar e anexar o volume do backup?",
 "message.backup.create": "Voc\u00ea tem certeza de que quer criar um backup da VM?",
 "message.backup.offering.remove": "Voc\u00ea tem certeza que quer remover a VM da oferta de backup e excluir a cadeia de backup?",
 "message.backup.restore": "Por favor, confirme que voc\u00ea deseja restaurar o backup da VM?",
+"message.bgp.peers.null": "Por favor note, se nenhum par BGP for selecionado, o VR conectar\u00e1 a <br> (1) pares BGP dedicados que o propriet\u00e1rio pode acessar, se o propriet\u00e1rio tiver pares BGP dedicados e a configura\u00e7\u00e3o da conta use.system.bgp.peers estiver definida como false; <br> (2) todos os pares BGP que o propriet\u00e1rio pode acessar, caso contr\u00e1rio.<br>",
+"message.bucket.delete": "Por favor, confirme que voc\u00ea deseja excluir este Bucket",
+"message.cancel.shutdown": "Por favor, confirme que voc\u00ea gostaria de cancelar o desligamento neste Management Server. Ele voltar\u00e1 a aceitar quaisquer novos job Ass\u00edncronos.",
 "message.certificate.upload.processing": "Carregamento de certificados em andamento",
+"message.change.disk.offering.sharedfs.failed": "Falha ao alterar oferta de disco para o Sistema de Arquivos Compartilhado.",
+"message.change.disk.offering.sharedfs.processing": "Alterando oferta de disco para o Sistema de Arquivos Compartilhado.",
 "message.change.offering.confirm": "Por favor, confirme que voc\u00ea deseja mudar a oferta de servi\u00e7o desta inst\u00e2ncia virtual.",
+"message.change.offering.for.volume": "Por favor, confirme que voc\u00ea deseja alterar a oferta de disco para o volume",
+"message.change.offering.for.volume.failed": "Falha ao alterar oferta para o volume",
+"message.change.offering.processing": "Alterando oferta para o volume...",
 "message.change.password": "Por favor, troque sua senha.",
+"message.change.scope.failed": "Falha na altera\u00e7\u00e3o de escopo",
+"message.change.scope.processing": "Altera\u00e7\u00e3o de escopo em andamento",
+"message.change.service.offering.sharedfs.failed": "Falha ao alterar oferta de servi\u00e7o para o Sistema de Arquivos Compartilhado.",
+"message.change.service.offering.sharedfs.processing": "Alterando oferta de servi\u00e7o para o Sistema de Arquivos Compartilhado.",
 "message.cluster.dedicated": "Cluster dedicado",
 "message.cluster.dedication.released": "Cluster dedicado liberado",
+"message.config.health.monitor.failed": "Configura\u00e7\u00e3o do Monitor de Sa\u00fade falhou",
 "message.config.sticky.policy.failed": "Falha na configura\u00e7\u00e3o da pol\u00edtica sticky",
 "message.config.sticky.policy.processing": "Atualizando pol\u00edtica sticky...",
+"message.configure.network.ip.and.mac": "Por favor, configure o endere\u00e7o IP e o endere\u00e7o mac das redes, se necess\u00e1rio.",
+"message.configure.network.select.default.network": "Por favor, configure o endere\u00e7o IP e o endere\u00e7o mac das redes, se necess\u00e1rio. Por favor, selecione uma rede como a rede padr\u00e3o.",
 "message.configuring.guest.traffic": "Configurando tr\u00e1fego do guest",
+"message.configuring.nsx.public.traffic": "Configurando tr\u00e1fego p\u00fablico NSX",
 "message.configuring.physical.networks": "Configurando redes f\u00edsicas",
 "message.configuring.public.traffic": "Configurando tr\u00e1fego p\u00fablico",
 "message.configuring.storage.traffic": "Configurando tr\u00e1fego de storage",
 "message.confirm.action.force.reconnect": "Por favor confirme que voc\u00ea deseja for\u00e7ar a reconex\u00e3o com este host.",
+"message.confirm.add.router.table.to.instance": "Por favor, confirme que voc\u00ea deseja adicionar a Tabela de Rotas a esta NIC",
+"message.confirm.add.routing.policy": "Por favor, confirme que voc\u00ea deseja adicionar a Pol\u00edtica de Roteamento a esta Rede",
 "message.confirm.archive.selected.alerts": "Por favor confirme que voc\u00ea deseja arquivar os alertas selecionados",
 "message.confirm.archive.selected.events": "Por favor confirme que voc\u00ea deseja arquivar os eventos selecionados",
 "message.confirm.attach.disk": "Voc\u00ea tem certeza que deseja conectar este disco?",
+"message.confirm.change.disk.offering.for.sharedfs": "Por favor, confirme que voc\u00ea deseja alterar a oferta de disco para o Sistema de Arquivos Compartilhado. Isso pode migrar o volume subjacente para um pool de armazenamento diferente, se necess\u00e1rio.",
+"message.confirm.change.offering.for.volume": "Por favor, confirme que voc\u00ea deseja alterar a oferta de disco para o volume",
+"message.confirm.change.service.offering.for.sharedfs": "Por favor, confirme que voc\u00ea deseja alterar a oferta de servi\u00e7o para o Sistema de Arquivos Compartilhado.",
 "message.confirm.configure.ovs": "Voc\u00ea tem certeza de que quer configurar os Ovs?",
 "message.confirm.delete.acl": "Voc\u00ea tem certeza que deseja apagar esta lista ACL?",
 "message.confirm.delete.bigswitchbcf": "Por favor, confirme que voc\u00ea deseja deletar este controlador BigSwitch BCF",
@@ -1999,42 +2902,66 @@
 "message.confirm.delete.niciranvp": "Por favor, confirme que voc\u00ea deseja excluir o controlador Nicira Nvp",
 "message.confirm.delete.pa": "Por favor, confirme que voc\u00ea deseja remover Palo Alto",
 "message.confirm.delete.provider": "Por favor, confirme que voc\u00ea deseja excluir este provedor?",
+"message.confirm.delete.traffic.type": "Por favor, confirme que voc\u00ea gostaria de excluir o tipo de tr\u00e1fego.",
 "message.confirm.delete.srx": "Por favor confirme que voc\u00ea deseja remover o SRX",
 "message.confirm.destroy.router": "Por favor confirme que voc\u00ea gostaria de destruir este roteador",
+"message.confirm.disable.autoscale.vmgroup": "Por favor, confirme que voc\u00ea deseja desativar este grupo de autoescalonamento.",
 "message.confirm.disable.host": "Favor confirmar que voc\u00ea deseja desabilitar este host.",
 "message.confirm.disable.network.offering": "Voc\u00ea tem certeza que deseja deshabilitar esta oferta de rede?",
 "message.confirm.disable.provider": "Por favor confirme que voc\u00ea gostaria de desabilitar este provider",
 "message.confirm.disable.storage": "Por favor, confirme que voc\u00ea deseja desabilitar o pool de armazenamento",
 "message.confirm.disable.vpc.offering": "Voc\u00ea tem certeza que deseja desabilitar esta oferta de VPC?",
+"message.confirm.disable.webhook": "Por favor, confirme que voc\u00ea deseja desativar este webhook.",
+"message.confirm.enable.autoscale.vmgroup": "Por favor, confirme que voc\u00ea deseja ativar este grupo de autoescalonamento.",
 "message.confirm.enable.host": "Por favor confirme que voc\u00ea deseja habilitar este host.",
 "message.confirm.enable.network.offering": "Voc\u00ea tem certeza que deseja habilitar esta oferta de rede?",
 "message.confirm.enable.provider": "Por favor confirme que voc\u00ea gostaria de habilitar este provider",
 "message.confirm.enable.storage": "Por favor, confirme que voc\u00ea deseja hablitar o pool de armazenamento",
 "message.confirm.enable.vpc.offering": "Voc\u00ea tem certeza que deseja habilitar esta oferta de VPC?",
+"message.confirm.enable.webhook": "Por favor, confirme que voc\u00ea deseja ativar este webhook.",
+"message.confirm.remove.firewall.rule": "Por favor, confirme que voc\u00ea deseja excluir esta Regra de Firewall?",
 "message.confirm.remove.ip.range": "Por favor confirme que voc\u00ea deseja remover este range de IP.",
 "message.confirm.remove.network.offering": "Voc\u00ea tem certeza que deseja remover esta oferta de rede?",
+"message.confirm.remove.network.policy": "Por favor, confirme que voc\u00ea deseja remover esta Pol\u00edtica de Rede?",
+"message.confirm.remove.routing.policy": "Por favor, confirme que voc\u00ea deseja excluir esta Pol\u00edtica de Roteamento?",
 "message.confirm.remove.selected.alerts": "Por favor confirme que voc\u00ea deseja remover os alertas selecionados",
 "message.confirm.remove.selected.events": "Por favor confirme que voc\u00ea deseja remover os eventos selecionados",
 "message.confirm.remove.vmware.datacenter": "Por favor, confirme que voc\u00ea quer remover este VMware datacenter",
 "message.confirm.remove.vpc.offering": "Voc\u00ea tem certeza que deseja remover esta oferta de VPC?",
 "message.confirm.replace.acl.new.one": "Voc\u00ea deseja substituir a ACL com uma nova?",
+"message.confirm.reset.network.permissions": "Tem certeza de que deseja redefinir as permiss\u00f5es desta Rede?",
 "message.confirm.scale.up.router.vm": "Voc\u00ea realmente quer escalonar a VM do roteador?",
 "message.confirm.scale.up.system.vm": "Voc\u00ea realmente quer escalonar a VM do sistema?",
 "message.confirm.start.lb.vm": "Confirme que voc\u00ea deseja iniciar esta LB VM",
 "message.confirm.sync.storage": "Por favor, confirme que voc\u00ea gostaria de sincronizar o pool de armazenamento",
+"message.confirm.type": "Para confirmar, digite",
 "message.confirm.upgrade.router.newer.template": "Por favor confirme que voc\u00ea deseja atualizar o roteador para usar o template mais recente.",
 "message.cpu.usage.info": "A porcentagem de uso da CPU pode exceder 100% se a VM tiver mais de 1 vCPU ou quando o CPU Cap n\u00E3o estiver habilitado. Este comportamento acontece de acordo com o hypervisor que est\u00E1 sendo utilizado (ex: no KVM), devido \u00E0 forma como contabilizam as estat\u00EDsticas",
+"message.create.backup.failed": "Falha ao criar backup.",
+"message.create.bucket.failed": "Falha ao criar bucket.",
+"message.create.bucket.processing": "Cria\u00e7\u00e3o de bucket em andamento",
 "message.create.compute.offering": "Oferta de computa\u00e7\u00e3o criada",
 "message.create.internallb": "Criando LB interno",
 "message.create.internallb.failed": "Falha ao criar LB interno",
 "message.create.internallb.processing": "Cria\u00e7\u00e3o do LB interno em progresso",
 "message.create.service.offering": "Oferta de servi\u00e7o criada",
+"message.create.sharedfs.failed": "Falha ao criar Sistema de Arquivos Compartilhado.",
+"message.create.sharedfs.processing": "Cria\u00e7\u00e3o de Sistema de Arquivos Compartilhado em andamento.",
 "message.create.snapshot.from.vmsnapshot.failed": "Falha ao criar snapshot a partir de uma snapshot de VM",
 "message.create.snapshot.from.vmsnapshot.progress": "Cria\u00e7\u00e3o de snapshot em progresso",
+"message.create.template.failed": "Falha ao criar template.",
+"message.create.template.processing": "Cria\u00e7\u00e3o de template em andamento",
+"message.create.tungsten.public.network": "Criar Rede p\u00fablica Tungsten-Fabric",
 "message.create.volume.failed": "Falha ao criar volume",
 "message.create.volume.processing": "Cria\u00e7\u00e3o de volume em progresso",
 "message.create.vpc.offering": "Oferta VPC criada",
 "message.create.vpn.customer.gateway.failed": "A cria\u00e7\u00e3o do gateway da VPN do cliente falhou",
+"message.creating.autoscale.scaledown.conditions": "Criando condi\u00e7\u00f5es de ScaleDown",
+"message.creating.autoscale.scaledown.policy": "Criando pol\u00edtica de ScaleDown",
+"message.creating.autoscale.scaleup.conditions": "Criando condi\u00e7\u00f5es de ScaleUp",
+"message.creating.autoscale.scaleup.policy": "Criando pol\u00edtica de ScaleUp",
+"message.creating.autoscale.vmgroup": "Criando Grupo de AutoScale",
+"message.creating.autoscale.vmprofile": "Criando perfil de Inst\u00e2ncia de AutoScale",
 "message.creating.cluster": "Criando cluster",
 "message.creating.guest.network": "Criando rede guest",
 "message.creating.physical.networks": "Criando redes fisicas",
@@ -2057,9 +2984,13 @@
 "message.delete.acl.rule": "Remover regra ACL",
 "message.delete.acl.rule.failed": "Falha ao remover regra ACL",
 "message.delete.affinity.group": "Por favor, confirme que voc\u00ea deseja remover este grupo de afinidade",
+"message.delete.asn.range": "ASN Range exclu\u00eddo com sucesso",
 "message.delete.backup": "Voc\u00ea tem certeza de que quer apagar o backup?",
 "message.delete.failed": "Falha ao remover",
 "message.delete.gateway": "Favor confirmar que voc\u00ea deseja deleta o gateway",
+"message.delete.ip.v6.prefix.processing": "Excluindo prefixo IPv6...",
+"message.delete.keypair": "Favor confirmar que voc\u00ea deseja deletar a chave de API.",
+"message.delete.keypair.failed": "Falha ao deletar par de chave de API",
 "message.delete.port.forward.processing": "Removendo regra de encaminhamento de porta...",
 "message.delete.project": "Voc\u00ea tem certeza que deseja remover este projeto?",
 "message.delete.rule.processing": "Removendo regra...",
@@ -2068,44 +2999,70 @@
 "message.delete.tag.failed": "Falha ao remover etiqueta",
 "message.delete.tag.for.networkacl": "Remover etiqueta para rede ACL",
 "message.delete.tag.processing": "Removendo etiqueta...",
+"message.delete.traffic.type.processing": "Excluindo tipo de tr\u00e1fego...",
+"message.delete.tungsten.policy.rule": "Por favor, confirme que voc\u00ea deseja excluir a Regra de Pol\u00edtica?",
+"message.delete.tungsten.tag": "Tem certeza de que deseja remover esta Tag desta Pol\u00edtica?",
 "message.delete.user": "Por favor confirme que voc\u00ea deseja deletar este usu\u00e1rio.",
 "message.delete.vpn.connection": "Favor confirmar que voc\u00ea deseja deletar esta conex\u00e3o VPN",
 "message.delete.vpn.customer.gateway": "Favor confirmar que voc\u00ea deseja deletar este gateway de VPN de usu\u00e1rio",
 "message.delete.vpn.gateway": "Favor confirmar que voc\u00ea deseja deletar este gateway de VPN",
+"message.delete.webhook": "Por favor, confirme que voc\u00ea deseja excluir este Webhook.",
+"message.delete.webhook.delivery": "Por favor, confirme que voc\u00ea deseja excluir esta entrega de Webhook.",
+"message.deleting.firewall.policy": "Excluindo Pol\u00edtica de Firewall",
 "message.deleting.node": "Removendo nodo",
 "message.deleting.vm": "Removendo VM",
+"message.denied": "Negado",
 "message.deployasis": "O modelo selecionado \u00e9 Deploy As-Is, ou seja, a VM \u00e9 implantada atrav\u00e9s da importa\u00e7\u00e3o de um OVA com vApps diretamente no vCenter. O redimensionamento do(s) disco(s) raiz(s) \u00e9 permitido somente em VMs paradas para tais modelos.",
 "message.desc.advanced.zone": "Para topologias de rede mais sofisticadas. este modelo fornece maior flexibilidade na defini\u00e7\u00e3o de redes de clientes e fornece ofertas de rede personalizadas, tais como firewall, VPN ou de balanceamento de carga.",
 "message.desc.basic.zone": "Fornece uma \u00fanica rede onde em cada inst\u00e2ncia de VM \u00e9 atribu\u00eddo um IP diretamente na rede. O isolamento guest podem ser fornecidos atrav\u00e9s de camada-3 da rede com grupos de seguran\u00e7a (filtragem da fonte de endere\u00e7os IP).",
+"message.desc.core.zone": "Zonas Core destinam-se a implanta\u00e7\u00f5es baseadas em Datacenter e permitem toda a gama de funcionalidades de Rede e outras no Apache CloudStack. Zonas Core t\u00eam uma s\u00e9rie de pr\u00e9-requisitos e dependem da presen\u00e7a de armazenamento compartilhado e inst\u00e2ncias auxiliares.",
 "message.desc.cluster": "Cada pod deve conter um ou mais clusters, e iremos adicionar o primeiro cluster agora. Um cluster fornece uma maneira de agrupamento de hosts. Os hosts de um cluster t\u00eam hardware id\u00eantico, executam o mesmo virtualizador, est\u00e3o na mesma sub-rede e acessam o mesmo armazenamento compartilhado. Cada cluster \u00e9 constitu\u00eddo por um ou mais hosts e um ou mais servidores de armazenamento prim\u00e1rio.",
 "message.desc.create.ssh.key.pair": "Por favor, preencha os seguintes dados para criar ou registar um par de chaves SSH.<br><br>(1) Se a chave p\u00fablica est\u00e1 definida, CloudStack ir\u00e1 registrar a chave p\u00fablica. Voc\u00ea pode us\u00e1-la atrav\u00e9s de sua chave privada.<br><br>(2) Se a chave p\u00fablica n\u00e3o est\u00e1 definida, CloudStack ir\u00e1 criar um novo par de chaves SSH. Neste caso, copie e salve a chave privada. CloudStack n\u00e3o ir\u00e1 mant\u00ea-la.<br>",
 "message.desc.created.ssh.key.pair": "Par de chaves SSH criado",
-"message.desc.host": "Cada cluster deve conter pelo menos um host (computador) para as VMs guest serem executadas e iremos adicionar o primeira host agora. Para um host funcionar no CloudStack, voc\u00ea deve instalar um virtualizador no host, atribuir um endere\u00e7o IP e garantir que o host est\u00e1 conectado ao servidor de gerenciamento do CloudStack.<br/><br/>Forne\u00e7a o hostname ou o endere\u00e7o IP do host, o nome de usu\u00e1rio (geralmente root) e a senha e qualquer label que voc\u00ea utiliza para categorizar os hosts.",
+"message.desc.edge.zone": "Zonas Edge s\u00e3o zonas leves, projetadas para implanta\u00e7\u00e3o em cen\u00e1rios de computa\u00e7\u00e3o de borda. Elas s\u00e3o limitadas em funcionalidade, mas t\u00eam muito menos pr\u00e9-requisitos do que zonas core.<br><br>Por favor, consulte a documenta\u00e7\u00e3o do Apache CloudStack para mais informa\u00e7\u00f5es sobre Tipos de Zona<br><a href='http://docs.cloudstack.apache.org/en/latest/installguide/configuration.html#adding-a-zone'>http://docs.cloudstack.apache.org/en/latest/installguide/configuration.html#adding-a-zone</a>",
+"message.desc.host": "Cada cluster deve conter pelo menos um host (computador) para as VMs guest serem executadas e iremos adicionar o primeira host agora. Para um host funcionar no CloudStack, voc\u00ea deve instalar um virtualizador no host, atribuir um endere\u00e7o IP e garantir que o host est\u00e1 conectado ao Management Server do CloudStack.<br/><br/>Forne\u00e7a o hostname ou o endere\u00e7o IP do host, o nome de usu\u00e1rio (geralmente root) e a senha e qualquer label que voc\u00ea utiliza para categorizar os hosts.",
+"message.desc.import.ext.kvm.wizard": "Importar dom\u00ednio libvirt de Host KVM Externo n\u00e3o gerenciado pelo CloudStack",
+"message.desc.import.local.kvm.wizard": "Importar imagem QCOW2 do Armazenamento Local do Host KVM selecionado",
+"message.desc.import.shared.kvm.wizard": "Importar imagem QCOW2 do Pool de Armazenamento Prim\u00e1rio selecionado",
+"message.desc.import.unmanage.volume": "Por favor, escolha um pool de armazenamento do qual voc\u00ea deseja importar ou parar de gerenciar volumes. O pool de armazenamento deve estar no status Up. <br>Este recurso suporta apenas KVM.",
 "message.desc.importexportinstancewizard": "Testa caracter\u00edstica s\u00f3 se aplica aos clusters Cloudstack VMware. Ao optar por gerenciar uma inst\u00e2ncia, o CloudStack assume a orquestra\u00e7\u00e3o dessa inst\u00e2ncia. A inst\u00e2ncia \u00e9 deixada em funcionamento e n\u00e3o movida fisicamente. Desagrupar inst\u00e2ncias, remove a capacidade do CloudStack de gerenci\u00e1-las (mas elas s\u00e3o deixadas em funcionamento e n\u00e3o s\u00e3o destru\u00eddas).",
+"message.desc.importingestinstancewizard": "Este recurso aplica-se apenas a inst\u00e2ncias KVM baseadas em libvirt. Apenas inst\u00e2ncias Paradas podem ser ingeridas",
+"message.desc.importmigratefromvmwarewizard": "Ao selecionar um Datacenter VMware existente ou externo e uma inst\u00e2ncia para importar, o CloudStack migra a inst\u00e2ncia selecionada do VMware para KVM em um host de convers\u00e3o usando virt-v2v e a importa para um cluster KVM",
 "message.desc.primary.storage": "Cada cluster deve conter um ou mais servidores de armazenamento prim\u00e1rio e iremos adicionar o primeiro agora. Um armazenamento prim\u00e1rio, cont\u00e9m os volumes de disco para todas as VMs em execu\u00e7\u00e3o nos hosts do cluster. utiliza qualquer protocolo compat\u00edvel com os padr\u00f5es que \u00e9 suportado pelo virtualizador utilizado.",
+"message.desc.register.user.data": "Por favor, preencha os seguintes dados para registrar um dado de usu\u00e1rio.",
+"message.desc.registered.user.data": "Dados do Usu\u00e1rio Registrados.",
 "message.desc.reset.ssh.key.pair": "Por favor, especifique um par de chaves SSH que voc\u00ea deseja adicionar a esta VM.",
 "message.desc.secondary.storage": "Cada zona deve ter pelo menos um NFS ou servidor de armazenamento secund\u00e1rio e iremos adicionar o primeiro agora. Um armazenamento secund\u00e1rios armazena templates de VM, imagens ISO e snapshots do volume de disco da VM. Esse servidor deve estar dispon\u00edvel para todos os hosts na zona. <br/><br/> Fornecer o endere\u00e7o IP e o caminho exportados.",
+"message.desc.zone.edge": "Uma zona \u00e9 a maior unidade organizacional no CloudStack e, normalmente, corresponde a um \u00fanico datacenter. Zonas fornecem isolamento f\u00edsico e redund\u00e2ncia. Uma zona de borda consiste em um ou mais hosts (cada um dos quais fornece armazenamento local como servidores de armazenamento prim\u00e1rio). Apenas redes compartilhadas e L2 podem ser implantadas nessas zonas e funcionalidades que requerem armazenamentos secund\u00e1rios n\u00e3o s\u00e3o suportadas.",
 "message.desc.zone": "Uma zona \u00e9 a maior unidade organizacional no CloudStack e normalmente corresponde \u00e0 um \u00fanico datacenter. As zonas disponibilizam isolamento f\u00edsico e redund\u00e2ncia. Uma zona \u00e9 composta por um ou mais pods (cada um dos quais cont\u00e9m os hosts e servidores de armazenamento prim\u00e1rio) e um servidor de armazenamento secund\u00e1rio que \u00e9 compartilhado por todos os pods na zona.",
 "message.detach.disk": "Voc\u00ea tem certeza que deseja desconectar este disco?",
 "message.detach.iso.confirm": "Confirme se voc\u00ea deseja desconectar o ISO da inst\u00e2ncia virtual.",
 "message.disable.account": "Por favor confirme que voc\u00ea deseja desabilitar esta conta. Ap\u00f3s desabilitar uma conta, todos os usu\u00e1rios desta conta n\u00e3o ir\u00e3o possuir mais acesso aos seus recursos da cloud. Todas as m\u00e1quinas virtuais ser\u00e3o automaticamente desligadas.",
+"message.disable.role": "Por favor, confirme que voc\u00ea gostaria de desativar esta Fun\u00e7\u00e3o",
 "message.disable.user": "Por favor confirme que voc\u00ea deseja desabilitar este usu\u00e1rio.",
 "message.disable.vpn": "Voc\u00ea tem certeza que deseja desabilitar a VPN?",
 "message.disable.vpn.failed": "Falha ao desabilitar VPN",
 "message.disable.vpn.processing": "Desabilitando VPN...",
+"message.disable.webhook.ssl.verification": "Desativar a verifica\u00e7\u00e3o SSL n\u00e3o \u00e9 recomendado",
 "message.discovering.feature": "Descobrindo funcionalidades, por favor aguarde...",
 "message.disk.offering.created": "Oferta de disco criada:",
 "message.disk.usage.info.data.points": "Cada ponto no gr\u00e1fico representa a diferen\u00e7a de dados lidos/escritos desde a \u00faltima coleta de estat\u00edstica realizada (o ponto anterior)",
 "message.disk.usage.info.sum.of.disks": "O uso de disco apresentado \u00e9 composto pela soma de dados lidos/escritos por todos os discos da VM",
 "message.download.volume": "Clique <a href=\"#\">00000</a> para baixar o disco",
 "message.download.volume.confirm": "Por favor confirme que voc\u00ea quer baixar este volume",
+"message.drs.plan.description": "O n\u00famero m\u00e1ximo de migra\u00e7\u00f5es ao vivo permitidas para DRS. Configure DRS na aba de configura\u00e7\u00f5es antes de gerar um plano ou para ativar o DRS autom\u00e1tico para o cluster.",
+"message.drs.plan.executed": "Plano DRS executado com sucesso.",
 "message.edit.acl.failed": "Falha ao editar regra ACL",
 "message.edit.acl.processing": "Editando regra ACL...",
 "message.edit.rule.failed": "Falha ao editar regra",
 "message.edit.rule.processing": "Atualizando regra...",
 "message.edit.traffic.type": "Favor especificar a etiqueta de tr\u00e1fego que voc\u00ea deseja associar com este tipo de tr\u00e1fego.",
+"message.egress.rules.allow": "Permitir (o tr\u00e1fego correspondente \u00e0s regras de sa\u00edda adicionadas ser\u00e1 negado)",
+"message.egress.rules.deny": "Negar (o tr\u00e1fego correspondente \u00e0s regras de sa\u00edda adicionadas ser\u00e1 permitido)",
+"message.egress.rules.info.for.network": "A pol\u00edtica de sa\u00edda padr\u00e3o desta Rede \u00e9 %x. <br> O tr\u00e1fego de sa\u00edda correspondente \u00e0s seguintes regras de sa\u00edda ser\u00e1 %y",
 "message.enable.account": "Confirme se voc\u00ea deseja ativar a conta.",
 "message.enable.netsacler.provider.failed": "Falha ao habilitar provedor Netscaler",
+"message.enable.role": "Por favor, confirme que voc\u00ea deseja ativar esta Fun\u00e7\u00e3o",
 "message.enable.securitygroup.provider.failed": "Falha ao habilitar provedor do grupo de seguran\u00e7a",
 "message.enable.user": "Por favor confirme que voc\u00ea deseja habilitar este usu\u00e1rio.",
 "message.enable.vpn": "Por favor confirme que voc\u00ea deseja acesso VPN habilitado para este endere\u00e7o IP.",
@@ -2117,23 +3074,46 @@
 "message.enter.valid.nic.ip": "Por favor insira um endere\u00e7o IP valido para o NIC",
 "message.error.access.key": "Por favor insira a chave de acesso",
 "message.error.add.guest.network": "Os campos IPv4 ou IPv6 precisam ser preenchidos ao adicionar uma rede guest",
+"message.error.delete.asnrange": "Excluindo Faixa AS",
+"message.error.add.interface.static.route": "Adicionar Rota Est\u00e1tica de interface falhou",
+"message.error.add.logical.router": "Adicionar Roteador L\u00f3gico falhou",
+"message.error.add.network.static.route": "Adicionar Rota Est\u00e1tica de Rede falhou",
+"message.error.add.policy.rule": "Adicionar regra de Pol\u00edtica falhou",
 "message.error.add.secondary.ipaddress": "Houve um erro ao adicionar o endere\u00e7o IP secund\u00e1rio",
+"message.error.add.tungsten.router.table": "Adicionar Tabela de Roteador falhou",
+"message.error.add.tungsten.routing.policy": "Adicionar Pol\u00edtica de Roteamento Tungsten-Fabric falhou",
 "message.error.agent.password": "Por favor, insira a senha do agente",
-"message.error.agent.username": "Por favor, insira o usu\u00e1rio do agent",
+"message.error.agent.username": "Por favor, insira o usu\u00e1rio do agente",
+"message.error.apply.network.policy": "Aplica\u00e7\u00e3o da Pol\u00edtica de Rede falhou",
+"message.error.apply.tungsten.tag": "Aplica\u00e7\u00e3o de Tag falhou",
+"message.error.authentication.code": "Por favor, insira o c\u00f3digo de autentica\u00e7\u00e3o.",
 "message.error.binaries.iso.url": "Por favor, digite a URL ISO dos bin\u00e1rios",
 "message.error.bucket": "Por favor, insira o bucket",
+"message.error.cidr": "CIDR \u00e9 obrigat\u00f3rio",
+"message.error.cidr.or.cidrsize": "CIDR ou tamanho do cidr \u00e9 obrigat\u00f3rio",
 "message.error.cloudian.console": "Single-Sign-On falhou para o Cloudian management console. Solicite a seu administrador que conserte problemas de integra\u00e7\u00e3o.",
 "message.error.cluster.description": "Por favor, digite a descri\u00e7\u00e3o do Kubernetes cluster",
 "message.error.cluster.name": "Por favor, insira o nome do cluster",
 "message.error.confirm.password": "Por favor, confirme a nova senha",
+"message.error.confirm.text": "Por favor, insira o texto de confirma\u00e7\u00e3o",
+"message.error.create.webhook.local.account": "Conta deve ser fornecida para criar um Webhook com escopo Local.",
+"message.error.create.webhook.name": "Nome deve ser fornecido para criar um Webhook.",
+"message.error.create.webhook.payloadurl": "URL de Payload deve ser fornecida para criar um Webhook.",
 "message.error.current.password": "Por favor, insira a senha atual",
 "message.error.custom.disk.size": "Por favor, insira o tamanho do disco personalizado",
 "message.error.date": "Por favor, insira uma data",
+"message.error.delete.interface.static.route": "Remo\u00e7\u00e3o de Rota Est\u00e1tica de interface falhou",
+"message.error.delete.network.static.route": "Remo\u00e7\u00e3o de Rota Est\u00e1tica de Rede falhou",
+"message.error.delete.tungsten.policy.rule": "Exclus\u00e3o da regra de Pol\u00edtica falhou",
+"message.error.delete.tungsten.router.table": "Remo\u00e7\u00e3o da Tabela de Roteador falhou",
+"message.error.delete.tungsten.tag": "Remo\u00e7\u00e3o da Tag falhou",
 "message.error.description": "Por favor, insira uma descri\u00e7\u00e3o",
 "message.error.discovering.feature": "Exce\u00e7\u00e3o lan\u00e7ada durante a descoberta de funcionalidades",
 "message.error.display.text": "Por favor, insira o texto de exibi\u00e7\u00e3o",
+"message.error.duration.less.than.interval": "A dura\u00e7\u00e3o na pol\u00edtica de AutoScale n\u00e3o pode ser menor que o intervalo",
 "message.error.enable.saml": "Incapaz de encontrar IDs de usu\u00e1rios para ativar o SAML Single Sign On, por favor, ative-o manualmente.",
 "message.error.end.date.and.time": "Por favor, selecione a data e hor\u00e1rio final.",
+"message.error.endasn": "Por favor, insira a Faixa AS final",
 "message.error.endip": "Por favor, insira o IP final",
 "message.error.gateway": "Por favor, insira o gateway",
 "message.error.host.name": "Por favor, insira o nome do host",
@@ -2146,9 +3126,11 @@
 "message.error.internallb.instance.port": "Por favor, especifique a porta da inst\u00e2ncia",
 "message.error.internallb.name": "Por favor, especifique um nome para o LB interno",
 "message.error.internallb.source.port": "Por favor, insira uma porta de origem",
+"message.error.invalid.autoscale.vmgroup.name": "Nome do Grupo de AutoScale inv\u00e1lido. Ele pode conter as letras ASCII 'a' a 'z', 'A' a 'Z', os d\u00edgitos '0' a '9' e o h\u00edfen ('-'), deve ter entre 1 e 255 caracteres.",
 "message.error.ip.range": "Por favor, insira um intervalo v\u00e1lido",
 "message.error.ipv4.address": "Por favor, insira um endere\u00e7o IPv4 v\u00e1lido",
 "message.error.ipv4.dns1": "Por favor, insira o DNS 1 IPv4",
+"message.error.ipv4.dns2": "Por favor, insira o DNS 2 IPv4",
 "message.error.ipv6.address": "Por favor, insira um endere\u00e7o IPv6 v\u00e1lido.",
 "message.error.ipv6.gateway": "Por favor, insira o gateway IpV6",
 "message.error.ipv6.gateway.format": "Por favor, insira um gateway IpV6 v\u00e1lido.",
@@ -2158,6 +3140,10 @@
 "message.error.loading.setting": "Houve um erro ao carregar estas configura\u00e7\u00f5es.",
 "message.error.lun": "Por favor, insira o # LUN",
 "message.error.macaddress": "Por favor, digite um endere\u00e7o MAC v\u00e1lido.",
+"message.error.max.members.less.than.min.members": "O valor de M\u00e1x membros deve ser maior que o valor de M\u00edn membros",
+"message.error.mtu.below.min": "MTU est\u00e1 abaixo do valor m\u00ednimo suportado de %x",
+"message.error.mtu.private.max.exceed": "O valor inserido excede o MTU privado m\u00e1ximo permitido para esta Zona, seu valor ser\u00e1 automaticamente reduzido para corresponder a ele.",
+"message.error.mtu.public.max.exceed": "O valor inserido excede o MTU p\u00fablico m\u00e1ximo permitido para esta Zona, seu valor ser\u00e1 automaticamente reduzido para corresponder a ele.",
 "message.error.name": "Por favor, insira um nome",
 "message.error.netmask": "Por favor, insira am\u00e1scara de rede",
 "message.error.network.offering": "Por favor, selecione a oferta de rede",
@@ -2166,6 +3152,7 @@
 "message.error.nexus1000v.password": "Por favor, insira a senha do Nexus 1000v",
 "message.error.nexus1000v.username": "Por favor, insira o usu\u00e1rio do Nexus 1000v",
 "message.error.number": "Por favor, insira um n\u00famero v\u00e1lido",
+"message.error.parent.subnet": "Por favor, escolha uma sub-rede pai",
 "message.error.password": "Insira a sua senha",
 "message.error.path": "Por favor, insira o path",
 "message.error.provide.setting": "Deve fornecer uma chave v\u00e1lida e um valor para a configura\u00e7\u00e3o",
@@ -2173,10 +3160,16 @@
 "message.error.rados.pool": "Por favor, digite o RADOS pool",
 "message.error.rados.secret": "Por favor, digite o RADOS secret",
 "message.error.rados.user": "Por favor, digite o usu\u00e1rio RADOS",
+"message.error.remove.logical.router": "Remo\u00e7\u00e3o do Roteador L\u00f3gico falhou",
+"message.error.remove.network.policy": "Remo\u00e7\u00e3o da Pol\u00edtica de Rede falhou",
 "message.error.remove.nic": "Houve um erro",
 "message.error.remove.secondary.ipaddress": "Houve um erro ao remover o endere\u00e7o IP secund\u00e1rio",
+"message.error.remove.tungsten.routing.policy": "Remo\u00e7\u00e3o da Pol\u00edtica de Roteamento Tungsten-Fabric da Rede falhou",
+"message.error.remove.vm.schedule": "Remo\u00e7\u00e3o do Agendamento de Inst\u00e2ncia falhou",
 "message.error.required.input": "Por favor, digite os dados",
+"message.error.reset.config": "Incapaz de redefinir configura\u00e7\u00e3o para o valor padr\u00e3o",
 "message.error.retrieve.kubeconfig": "N\u00e3o foi poss\u00edvel recuperar a configura\u00e7\u00e3o do cluster Kubernetes",
+"message.error.routing.policy.term": "Comunidade precisa ter o seguinte formato n\u00famero:n\u00famero",
 "message.error.s3nfs.path": "Por favor, insira o S3 NFS path",
 "message.error.s3nfs.server": "Por favor, insira o servidor S3 NFS",
 "message.error.save.setting": "Houve um erro ao salvar esta configura\u00e7\u00e3o.",
@@ -2186,18 +3179,28 @@
 "message.error.secret.key": "Por favor, insira a chave secreta",
 "message.error.select": "Por favor, escolha uma op\u00e7\u00e3o",
 "message.error.select.domain.to.dedicate": "Por favor, escolha o dom\u00ednio a ser dedicado",
+"message.error.select.load.balancer": "Por favor, selecione um balanceador de carga",
+"message.error.select.network": "Por favor, selecione uma Rede",
+"message.error.select.network.supports.vm.autoscaling": "A Rede padr\u00e3o que voc\u00ea selecionou n\u00e3o suporta AutoScale de Inst\u00e2ncia, por favor selecione uma Rede padr\u00e3o que suporte AutoScale de Inst\u00e2ncia.",
+"message.error.select.user": "Por favor, selecione um Usu\u00e1rio",
 "message.error.select.zone.type": "Por favor, escolha o tipo de zona abaixo.",
 "message.error.server": "Por favor, insira o servidor",
 "message.error.serviceoffering.for.cluster": "Por favor, escolha a oferta de servi\u00e7o para o cluster Kubernetes",
+"message.error.setup.2fa": "Falha na configura\u00e7\u00e3o 2FA ao verificar o c\u00f3digo, por favor tente novamente.",
 "message.error.size": "Por favor, insira o tamanho em GB",
 "message.error.size.for.cluster": "Por favor, insira o tamanho do cluster Kubernetes",
 "message.error.smb.password": "Por favor, insira a senha do SMB ",
 "message.error.smb.username": "Por favor, insira o usu\u00e1rio do SMB",
+"message.error.specify.stickiness.method": "Por favor, especifique um m\u00e9todo de stickiness",
 "message.error.specify.sticky.name": "Por favor, especifique o nome sticky",
 "message.error.sr.namelabel": "Por favor, insira o nome-R\u00f3tulo SR",
 "message.error.start.date.and.time": "Por favor, selecione a data e hor\u00e1rio inicial.",
+"message.error.startasn": "Por favor, insira a Faixa AS inicial",
 "message.error.startip": "Por favor, insira o IP de \u00cdnicio",
 "message.error.storage.tags": "Por favor, insira as tags de armazenamento",
+"message.error.swift.account": "Por favor, insira a Conta",
+"message.error.swift.key": "Por favor, insira a chave",
+"message.error.swift.username": "Por favor, insira o nome de usu\u00e1rio",
 "message.error.target.iqn": "Por favor, insira o Target IQN",
 "message.error.time": "Por favor, selecione a hora",
 "message.error.traffic.label": "Por favor, insira o r\u00f3tulo de tr\u00e1fego",
@@ -2206,6 +3209,7 @@
 "message.error.upload.template": "Falha no carregamento de template",
 "message.error.upload.template.description": "Apenas um template pode ser carregado de cada vez",
 "message.error.url": "Por favor, insira a URL",
+"message.error.userdata": "Por favor, insira o Userdata",
 "message.error.username": "Insira o seu usu\u00e1rio",
 "message.error.valid.iops.range": "Por favor, insira uma faixa IOPS v\u00e1lida",
 "message.error.vcenter.datacenter": "Por favor, insira o vCenter datacenter",
@@ -2213,6 +3217,7 @@
 "message.error.vcenter.host": "Por favor, insira o vCenter host",
 "message.error.vcenter.password": "Por favor, insira a senha vCenter",
 "message.error.vcenter.username": "Por favor, insira o usu\u00e1rio vCenter",
+"message.error.verifying.2fa": "Incapaz de verificar 2FA, por favor tente novamente.",
 "message.error.version.for.cluster": "Por favor, selecionar a vers\u00e3o Kubernetes para o cluster Kubernetes",
 "message.error.vlan.range": "Por favor, insira um intervalo VLAN/VNI v\u00e1lido",
 "message.error.volume.name": "Por favor, insira o nome do volume",
@@ -2224,19 +3229,45 @@
 "message.error.zone.name": "Por favor, insira o nome da zona",
 "message.error.zone.type": "Por favor, selecione o tipo de zona",
 "message.error.linstor.resourcegroup": "Por favor, insira o Linstor Resource-Group",
-"message.error.fixed.offering.kvm": "N\u00e3o \u00e9 poss\u00edvel escalar VMs que utilizam o virtualizador KVM com uma oferta de computa\u00e7\u00e3o fixa.",
 "message.fail.to.delete": "Falha ao deletar.",
 "message.failed.to.add": "Falha ao adicionar",
 "message.failed.to.assign.vms": "Falha ao atribuir VMs",
 "message.failed.to.remove": "Falha ao remover",
+"message.forgot.password.success": "Um e-mail foi enviado para o seu endere\u00e7o de e-mail com instru\u00e7\u00f5es sobre como redefinir sua senha.",
 "message.generate.keys": "Por favor confirme que voc\u00ea deseja gerar novas chaves para este usu\u00e1rio.",
 "message.chart.statistic.info": "Os gr\u00E1ficos mostrados s\u00E3o autoajust\u00E1veis, ou seja, se o valor se aproximar ou passar do limite, ele crescer\u00E1 para ajustar o valor mostrado",
+"message.chart.statistic.info.hypervisor.additionals": "Os dados de m\u00e9tricas dependem do plugin de hypervisor usado para cada hypervisor. O comportamento pode variar entre diferentes hypervisors. Por exemplo, com KVM, as m\u00e9tricas s\u00e3o estat\u00edsticas em tempo real fornecidas pelo libvirt. Em contraste, com VMware, as m\u00e9tricas s\u00e3o dados m\u00e9dios para um determinado intervalo de tempo controlado pela configura\u00e7\u00e3o.",
 "message.guest.traffic.in.advanced.zone": "O tr\u00e1fego de rede guest \u00e9 para comunica\u00e7\u00e3o entre m\u00e1quinas virtuais do usu\u00e1rio final. Especifique um intervalo de IDs de VLAN para transportar o tr\u00e1fego do guest para cada rede f\u00edsica.",
 "message.guest.traffic.in.basic.zone": "O tr\u00e1fego de rede guest \u00e9 para comunica\u00e7\u00e3o entre m\u00e1quinas virtuais do usu\u00e1rio final. Especifique um intervalo de endere\u00e7os IP para que CloudStack possa atribuir \u00e0s VMs. Certifique-se que este intervalo n\u00e3o se sobreponha o range de IPs reservados do sistema.",
+"message.host.controlstate": "O Status do Recurso de Computa\u00e7\u00e3o para esta Inst\u00e2ncia \u00e9 ",
+"message.host.controlstate.retry": "Algumas a\u00e7\u00f5es nesta Inst\u00e2ncia falhar\u00e3o, se for o caso, por favor aguarde um pouco e tente novamente.",
 "message.host.dedicated": "Host dedicado",
 "message.host.dedication.released": "Host dedicado liberado",
 "message.info.cloudian.console": "O Cloudian management console deve abrir em outra janela",
-"message.installwizard.copy.whatiscloudstack": "O CloudStack&#8482 \u00e9 uma plataforma de software que agrega recursos computacionais para construir uma Cloud de infraestrutura como servi\u00e7o (IaaS) p\u00fablica, privada ou h\u00edbrida. O CloudStack&#8482 ger\u00eancia a rede, o armazenamento e os recursos computacionais que comp\u00f5em a infraestrutura de cloud. utilize o CloudStack&#8482 para instalar, gerenciar e configurar os ambientes de cloud computing.<br/><br/>Indo al\u00e9m de imagens de m\u00e1quinas virtuais individuais rodando em hardware commodity, CloudStack&#8482 prov\u00ea uma solu\u00e7\u00e3o completa de software de infraestrutura de cloud para entregar datacenters virtuais como um servi\u00e7o - possuindo todos os componentes essenciais para contruir, instalar e gerenciar aplica\u00e7\u00f5es na cloud multi-camadas e multi-tenant.",
+"message.infra.setup.nsx.description": "Esta zona deve conter um provedor NSX porque o m\u00e9todo de isolamento \u00e9 NSX",
+"message.infra.setup.tungsten.description": "Esta zona deve conter um provedor Tungsten-Fabric porque o m\u00e9todo de isolamento \u00e9 TF",
+"message.import.running.instance.warning": "A VM selecionada est\u00e1 ligada no Datacenter VMware. O estado recomendado para converter uma VM VMware em KVM \u00e9 desligada ap\u00f3s um desligamento gracioso do SO convidado.",
+"message.import.volume": "Por favor, especifique o dom\u00ednio, conta ou nome do projeto. <br>Se n\u00e3o definido, o volume ser\u00e1 importado para o solicitante.",
+"message.installwizard.cloudstack.helptext.document": " * Documenta\u00e7\u00e3o:\t ",
+"message.installwizard.cloudstack.helptext.header": "\nVoc\u00ea pode encontrar mais informa\u00e7\u00f5es sobre o Apache CloudStack™ nas p\u00e1ginas listadas abaixo.\n",
+"message.installwizard.cloudstack.helptext.issues": " * Relatar problemas:\t ",
+"message.installwizard.cloudstack.helptext.mailinglists": " * Juntar-se a listas de discuss\u00e3o:\t ",
+"message.installwizard.cloudstack.helptext.releasenotes": " * Notas de lan\u00e7amento:\t ",
+"message.installwizard.cloudstack.helptext.survey": " * Participe da pesquisa:\t ",
+"message.installwizard.cloudstack.helptext.website": " * Site do projeto:\t ",
+"message.installwizard.tooltip.nsx.provider.edgecluster": "Informa\u00e7\u00f5es do cluster de borda do Provedor NSX n\u00e3o fornecidas",
+"message.installwizard.tooltip.nsx.provider.hostname": "Hostname / endere\u00e7o IP do Provedor NSX n\u00e3o fornecido",
+"message.installwizard.tooltip.nsx.provider.password": "Senha do Provedor NSX n\u00e3o fornecida",
+"message.installwizard.tooltip.nsx.provider.tier0gateway": "Informa\u00e7\u00f5es do gateway tier-0 do Provedor NSX n\u00e3o fornecidas",
+"message.installwizard.tooltip.nsx.provider.transportZone": "Informa\u00e7\u00f5es da zona de transporte do Provedor NSX n\u00e3o fornecidas",
+"message.installwizard.tooltip.nsx.provider.username": "Nome de usu\u00e1rio do Provedor NSX n\u00e3o fornecido",
+"message.installwizard.tooltip.tungsten.provider.gateway": "Gateway do provedor Tungsten \u00e9 obrigat\u00f3rio",
+"message.installwizard.tooltip.tungsten.provider.hostname": "Hostname do provedor Tungsten \u00e9 obrigat\u00f3rio",
+"message.installwizard.tooltip.tungsten.provider.introspectport": "Porta de introspec\u00e7\u00e3o do provedor Tungsten \u00e9 obrigat\u00f3ria",
+"message.installwizard.tooltip.tungsten.provider.name": "Nome do provedor Tungsten \u00e9 obrigat\u00f3rio",
+"message.installwizard.tooltip.tungsten.provider.port": "Porta do provedor Tungsten \u00e9 obrigat\u00f3ria",
+"message.installwizard.tooltip.tungsten.provider.vrouterport": "Porta do vrouter do provedor Tungsten \u00e9 obrigat\u00f3ria",
+"message.installwizard.copy.whatiscloudstack": "O CloudStack&#8482 \u00e9 uma plataforma de software que agrega recursos computacionais para construir uma Cloud de infraestrutura como servi\u00e7o (IaaS) p\u00fablica, privada ou h\u00edbrida. O CloudStack&#8482 ger\u00eancia a rede, o armazenamento e os recursos computacionais que comp\u00f5em a infraestrutura de cloud. utilize o CloudStack&#8482 para instalar, gerenciar e configurar os ambientes de cloud computing.<br/><br/>Indo al\u00e9m de imagens de m\u00e1quinas virtuais individuais rodando em hardware commodity, CloudStack&#8482 prov\u00ea uma solu\u00e7\u00e3o completa de software de infraestrutura de cloud para entregar datacenters virtuais como um servi\u00e7o - possuindo todos os componentes essenciais para contruir, instalar e gerenciar aplica\u00e7\u00f5es na cloud multi-camadas e multi-tenant. Ambas as vers\u00f5es open-source e premium est\u00e3o dispon\u00edveis, com a vers\u00e3o opensource oferecendo praticamente os mesmos recursos.",
 "message.installwizard.tooltip.addpod.name": "O nome para o pod",
 "message.installwizard.tooltip.addpod.reservedsystemendip": "Este \u00e9 o range de IP na rede privada que o CloudStack utiliza para gerenciar o armazenamento secund\u00e1rio das VMs e proxy console das VMs. estes endere\u00e7os IP s\u00e3o obtidos da mesma subrede dos servidores hosts.",
 "message.installwizard.tooltip.addpod.reservedsystemgateway": "O gateway para os hosts neste pod.",
@@ -2247,8 +3278,12 @@
 "message.installwizard.tooltip.configureguesttraffic.gueststartip": "O range de endere\u00e7os IP que estar\u00e1 dispon\u00edvel para aloca\u00e7\u00e3o para os guests nesta zona. Caso uma interface de rede seja utilizada, estes IPs devem estar no mesmo CIDR que o CIDR do pod.",
 "message.instances.managed": "Inst\u00e2ncias ou VMs controladas pelo CloudStack",
 "message.instances.unmanaged": "Inst\u00e2ncias ou VMs que n\u00e3o s\u00e3o controladas pelo CloudStack",
+"message.instances.migrate.vmware": "Inst\u00e2ncias que podem ser migradas do VMware.",
 "message.interloadbalance.not.return.elementid": "erro: A API listInternalLoadBalancerElements API n\u00e3o retorna o ID interno do elemento LB",
+"message.ip.address": "Endere\u00e7o IP : ",
 "message.ip.address.changes.effect.after.vm.restart": "As mudan\u00e7as de endere\u00e7o IP entram em vigor somente ap\u00f3s o rein\u00edcio da VM.",
+"message.ip.v6.prefix.delete": "Prefixo IPv6 exclu\u00eddo",
+"message.iso.arch": "Por favor, selecione uma arquitetura ISO",
 "message.iso.desc": "Imagem de disco contendo dados ou m\u00eddia de sistema operacional boot\u00e1vel",
 "message.kubeconfig.cluster.not.available": "kubeconfig do cluster Kubernetes n\u00e3o est\u00e1 dispon\u00edvel no momento",
 "message.kubernetes.cluster.delete": "Por favor, confirme que voc\u00ea quer destruir o cluster",
@@ -2257,25 +3292,43 @@
 "message.kubernetes.cluster.stop": "Por favor, confirme que voc\u00ea deseja parar o cluster",
 "message.kubernetes.cluster.upgrade": "Por favor, selecione a nova vers\u00e3o do Kubernetes",
 "message.kubernetes.version.delete": "Por favor, confirme que voc\u00ea deseja excluir esta vers\u00e3o do Kubernetes",
+"message.l2.network.unsupported.for.nsx": "Redes L2 n\u00e3o s\u00e3o suportadas para zonas habilitadas para NSX",
 "message.launch.zone": "A zona est\u00e1 pronta para ser executada; por favor, v\u00e1 para o pr\u00f3ximo passo.",
 "message.launch.zone.description": "A zona est\u00e1 pronta para iniciar; por favor, prossiga para o pr\u00f3ximo passo.",
 "message.launch.zone.hint": "Configurar componentes e tr\u00e1fego de rede, incluindo endere\u00e7os IP.",
 "message.license.agreements.not.accepted": "Contratos de licen\u00e7a n\u00e3o foram aceitos",
 "message.listnsp.not.return.providerid": "erro: A API listNetworkServiceProviders n\u00e3o retorna o ID do provedor virtualRouter",
 "message.load.host.failed": "Falha ao carregar os hosts",
+"message.loadbalancer.stickypolicy.configuration": "Personalize a pol\u00edtica de stickiness do balanceador de carga:",
+"message.loading.add.interface.static.route": "Adicionando Rota Est\u00e1tica de interface...",
+"message.loading.add.network.static.route": "Adicionando Rota Est\u00e1tica de Rede...",
+"message.loading.add.policy.rule": "Adicionando regra de Pol\u00edtica...",
+"message.loading.add.tungsten.router.table": "Adicionando Tabela de Roteador...",
+"message.loading.apply.tungsten.tag": "Aplicando Tag...",
+"message.loading.delete.interface.static.route": "Removendo Rota Est\u00e1tica de interface...",
+"message.loading.delete.network.static.route": "Removendo Rota Est\u00e1tica de Rede...",
+"message.loading.delete.tungsten.policy.rule": "Excluindo regra de Pol\u00edtica...",
+"message.loading.delete.tungsten.router.table": "Removendo Tabela de Roteador...",
+"message.loading.delete.tungsten.tag": "Removendo Tag...",
 "message.lock.account": "Confirme se voc\u00ea deseja bloquear esta conta. Bloqueando a conta, todos os usu\u00e1rios desta conta n\u00e3o estar\u00e3o mais habilitados a gerenciar os recursos na nuvem. Os recursos existentes (cloud server) ainda poder\u00e3o ser acessados.",
 "message.lock.user": "Confirme se voc\u00ea deseja bloquear o usu\u00e1rio \"{user}\". Bloqueando este usu\u00e1rio, o mesmo n\u00e3o estar\u00e1 mais habilitado a gerenciar os recursos na nuvem. Os recursos existentes (cloud server) ainda poder\u00e3o ser acessados.",
 "message.lock.user.success": "Usu\u00e1rio \"{user}\" bloqueado com sucesso",
 "message.login.failed": "Falha no login",
+"message.list.zone.vmware.datacenter.empty": "Nenhum Datacenter VMware existe na Zona selecionada",
 "message.memory.usage.info.hypervisor.additionals": "Os dados apresentados podem n\u00e3o refletir o real uso de mem\u00f3ria se a VM n\u00e3o possuir as ferramentas adicionais do virtualizador instaladas",
 "message.memory.usage.info.negative.value": "Se n\u00e3o for poss\u00edvel obter do hypervisor o uso de mem\u00f3ria da VM, ser\u00e3o desabilitadas as linhas de mem\u00f3ria livre do gr\u00e1fico de dados brutos e de uso de mem\u00f3ria no gr\u00e1fico de percentual",
+"message.migrate.instance.host.auto.assign": "O Host para a Inst\u00e2ncia ser\u00e1 escolhido automaticamente com base na adequa\u00e7\u00e3o dentro do mesmo cluster",
 "message.migrate.instance.to.host": "Por favor confirme que voc\u00ea deseja migrar a inst\u00e2ncia para outro host.",
 "message.migrate.instance.to.ps": "Por favor confirme que voc\u00ea deseja migrar a inst\u00e2ncia para outro armazenamento prim\u00e1rio.",
+"message.migrate.resource.to.ss": "Por favor, confirme que voc\u00ea deseja migrar este recurso para outro armazenamento secund\u00e1rio.",
 "message.migrate.router.confirm": "Por favor confirme o host que voc\u00ea deseja migrar o roteador para:",
 "message.migrate.systemvm.confirm": "Por favor confirme o host para o qual voc\u00ea deseja migrar a VM de sistema:",
 "message.migrate.volume": "Por favor confirme que voc\u00ea deseja migrar o volume \"{volume}\" do armazenamento prim\u00e1rio \"{storage}\" para outro.",
 "message.migrate.volume.failed": "Falha ao migrar volume",
+"message.migrate.volume.pool.auto.assign": "O armazenamento prim\u00e1rio para o volume ser\u00e1 escolhido automaticamente com base na adequa\u00e7\u00e3o e no destino da Inst\u00e2ncia",
 "message.migrate.volume.processing": "Migrando volume...",
+"message.migrate.volume.tooltip": "O volume pode ser migrado para qualquer pool de armazenamento adequado. O administrador deve escolher a oferta de disco apropriada para substituir, que suporte o novo pool de armazenamento",
+"message.migrate.with.storage": "Especifique o pool de armazenamento para volumes da Inst\u00e2ncia.",
 "message.migrating.failed": "Falha na migra\u00e7\u00e3o",
 "message.migrating.processing": "Migra\u00e7\u00e3o em andamento para",
 "message.migrating.vm.to.storage.failed": "Falha na migra\u00e7\u00e3o da VM para o armazenamento",
@@ -2287,7 +3340,7 @@
 "message.network.addvm.desc": "Por favor especifique a rede onde voc\u00ea gostaria de adicionar esta VM. Uma nova NIC ser\u00e1 adicionada a esta rede.",
 "message.network.description": "Configura\u00e7\u00e3o da rede e do tr\u00e1fego",
 "message.network.error": "Erro de rede",
-"message.network.error.description": "N\u00e3o \u00e9 poss\u00edvel acessar o servidor de gerenciamento ou uma extens\u00e3o do navegador pode estar bloqueando a solicita\u00e7\u00e3o de rede.",
+"message.network.error.description": "N\u00e3o \u00e9 poss\u00edvel acessar o Management Server ou uma extens\u00e3o do navegador pode estar bloqueando a solicita\u00e7\u00e3o de rede.",
 "message.network.hint": "Configure componentes de rede e tr\u00e1fego p\u00fablico/guest/gerenciamento, incluindo endere\u00e7os IP.",
 "message.network.offering.change.warning": "AVISO: Alterar a oferta causar\u00e1 tempo de inatividade de conectividade para as VMs com NICs na rede.",
 "message.network.offering.forged.transmits": "O switch deixa qualquer frame de sa\u00edda de um adaptador de m\u00e1quina virtual com um endere\u00e7o MAC de origem diferente daquele do arquivo de configura\u00e7\u00e3o .vmx.\nRejeitar - O switch deixa qualquer frame de sa\u00edda de um adaptador de m\u00e1quina virtual com um endere\u00e7o MAC de origem diferente daquele do arquivo de configura\u00e7\u00e3o .vmx.\nAceitar - O switch n\u00e3o realiza filtragem e permite todos os frames de sa\u00edda.\nNenhum - padr\u00e3o de valor a partir da configura\u00e7\u00e3o global.",
@@ -2296,20 +3349,35 @@
 "message.network.offering.mac.learning.warning": "AVISO: para usar o MAC Learning voc\u00ea deve assegurar-se de que os virtualizadores dos hosts est\u00e3o rodando ESXi 6.7+ e a rede usa o vSwitch 6.6.0+ distribu\u00eddo.",
 "message.network.offering.promiscuous.mode": "Se aplica apenas para redes guest no virtualizador VMware.\nRejeitar - O switch deixa qualquer frame de sa\u00edda de um adaptador de m\u00e1quina virtual com um endere\u00e7o MAC de origem diferente daquele do arquivo de configura\u00e7\u00e3o .vmx.\nAceitar - O switch n\u00e3o realiza filtragem e permite todos os frames de sa\u00edda.\nNenhum - padr\u00e3o de valor a partir da configura\u00e7\u00e3o global.",
 "message.network.removenic": "Por favor, confirme que deseja remover esta interface de rede, esta a\u00e7\u00e3o tamb\u00e9m ir\u00e1 remover a rede associada \u00e0 VM.",
+"message.network.restart.required": "Reinicializa\u00e7\u00e3o \u00e9 necess\u00e1ria para rede(s). Clique aqui para ver rede(s) que requerem reinicializa\u00e7\u00e3o.",
+"message.network.selection": "Escolha uma ou mais Redes para anexar a Inst\u00e2ncia.",
+"message.network.selection.new.network": "Uma nova Rede tamb\u00e9m pode ser criada aqui.",
 "message.network.secondaryip": "Por favor, confirme que voc\u00ea gostaria de adquirir um novo IP secund\u00e1rio para este NIC. \n NOTA: Voc\u00ea precisa configurar manualmente o IP secund\u00e1rio rec\u00e9m-adquirido dentro da m\u00e1quina virtual.",
 "message.network.updateip": "Por favor, confirme que voc\u00ea gostaria de mudar o endere\u00e7o IP da NIC em VM.",
+"message.network.update.nic": "Por favor, confirme que voc\u00ea gostaria de atualizar esta NIC.",
 "message.network.usage.info.data.points": "Cada ponto no gr\u00e1fico representa a diferen\u00e7a de dados trafegados desde a \u00faltima coleta de estat\u00edstica realizada (o ponto anterior)",
 "message.network.usage.info.sum.of.vnics": "O uso de rede apresentado \u00e9 composto pela soma de dados trafegados por todas as vNICs da VM",
+"message.new.version.available": "Uma nova vers\u00e3o do CloudStack est\u00e1 dispon\u00edvel. Clique aqui para verificar os detalhes",
+"message.nfs.mount.options.description": "Lista separada por v\u00edrgulas de op\u00e7\u00f5es de montagem NFS para hosts KVM. Op\u00e7\u00f5es suportadas : vers=[3,4.0,4.1,4.2], nconnect=[1...16]",
 "message.no.data.to.show.for.period": "Nenhum dado para mostrar no per\u00edodo selecionado.",
 "message.no.description": "Nenhuma descri\u00e7\u00e3o inserida.",
+"message.offering.internet.protocol.warning": "AVISO: Redes suportadas por IPv6 usam roteamento est\u00e1tico e exigir\u00e3o que rotas upstream sejam configuradas manualmente.",
+"message.offering.ipv6.warning": "Por favor, consulte a documenta\u00e7\u00e3o para criar oferta de Rede/VPC habilitada para IPv6 <a href='http://docs.cloudstack.apache.org/en/latest/plugins/ipv6.html#isolated-network-and-vpc-tier'>Suporte IPv6 no CloudStack - Redes Isoladas e Camadas de VPC</a>",
 "message.ovf.configurations": "H\u00e1 propriedades OVF dispon\u00edveis para a personaliza\u00e7\u00e3o do aparelho selecionado. Por favor, edite os valores de forma apropriada.As ofertas incompat\u00edveis de computa\u00e7\u00e3o ser\u00e3o desativadas.",
+"message.password.reset.failed": "Falha ao redefinir senha.",
+"message.password.reset.success": "A senha foi redefinida com sucesso. Por favor, fa\u00e7a login usando suas novas credenciais.",
+"message.path": "Caminho : ",
 "message.path.description": "NFS: caminho exportado do servidor. VMFS: /datacenter name/datastore name. SharedMountPoint: caminho onde o armazenamento prim\u00e1rio \u00e9 montado, tal como /mnt/primary",
 "message.please.confirm.remove.ssh.key.pair": "Por favor, confirme que voc\u00ea deseja remover este par de chaves SSH",
+"message.please.confirm.remove.user.data": "Por favor, confirme que voc\u00ea deseja remover este Userdata",
 "message.please.enter.valid.value": "Por favor, insira um valor v\u00e1lido",
 "message.please.enter.value": "Por favor, insira valores",
+"message.please.wait.while.autoscale.vmgroup.is.being.created": "Por favor, aguarde enquanto seu Grupo de AutoScale est\u00e1 sendo criado; isso pode levar um tempo...",
 "message.please.wait.while.zone.is.being.created": "Por favor, espere enquanto sua zona est\u00e1 sendo criada; isto pode demorar um pouco...",
 "message.pod.dedicated": "Pod dedicado",
 "message.pod.dedication.released": "Pod dedicado liberado",
+"message.prepare.for.shutdown": "Por favor, confirme que voc\u00ea gostaria de preparar este Management Server para desligamento. Ele n\u00e3o aceitar\u00e1 nenhum novo job Ass\u00edncrono, mas N\u00c3O terminar\u00e1 ap\u00f3s n\u00e3o haver jobs pendentes.",
+"message.primary.storage.invalid.state": "Armazenamento prim\u00e1rio n\u00e3o est\u00e1 no estado Up",
 "message.processing.complete": "Processamento conclu\u00eddo!",
 "message.protocol.description": "Para XenServer, escolha NFS, iSCSI, ou PreSetup. para KVM, escolha NFS, SharedMountPoint, RDB, CLVM ou Gluster. para vSphere, escolha NFS, PreSetup (VMFS, iSCSI, fiberChannel, vSAN ou vVols) ou datastoreCluster. para Hyper-V, escolha SMB/CIFS. para LXC, escolha NFS ou SharedMountPoint. para OVM, escolha NFS ou ocfs2.",
 "message.public.traffic.in.advanced.zone": "O tr\u00e1fego p\u00fablico \u00e9 gerado quando as VMs na nuvem acessam a internet. Os IPs acess\u00edveis ao p\u00fablico devem ser alocados para essa finalidade. Os usu\u00e1rios finais podem usar a interface do usu\u00e1rio CloudStack para adquirir esses IPs afim de implementar NAT entre a sua rede de guests e sua rede p\u00fablica. <br/><br/> Forne\u00e7a pelo menos um intervalo de endere\u00e7os IP para o tr\u00e1fego de internet.",
@@ -2337,6 +3405,11 @@
 "message.remove.ldap": "Voc\u00ea tem certeza que deseja deletar a configura\u00e7\u00e3o LDAP?",
 "message.remove.nic.processing": "Removendo NIC...",
 "message.remove.port.forward.failed": "Falha ao remover regra de encaminhamento de porta",
+"message.remove.router.table.from.interface": "Por favor, confirme que voc\u00ea deseja remover a Tabela de Roteamento desta NIC",
+"message.remove.router.table.from.interface.failed": "Remo\u00e7\u00e3o da Tabela de Roteamento da interface falhou",
+"message.remove.routing.firewall.rule.failed": "Falha ao remover regra de firewall de Roteamento IPv4",
+"message.remove.routing.firewall.rule.processing": "Removendo regra de firewall de Roteamento IPv4...",
+"message.remove.routing.firewall.rule.success": "Regra de firewall de Roteamento IPv4 removida",
 "message.remove.rule.failed": "Falha ao remover regra",
 "message.remove.secondary.ipaddress.processing": "Removendo endere\u00e7o IP secund\u00e1rio...",
 "message.remove.securitygroup.rule.processing": "Removendo regra do grupo de seguran\u00e7a...",
@@ -2345,10 +3418,12 @@
 "message.remove.vpc": "Favor confirmar que voc\u00ea deseja remover a VPC",
 "message.request.failed": "Falha na solicita\u00e7\u00e3o",
 "message.required.add.least.ip": "Por favor, adicionar pelo menos UM intervalo IP",
+"message.required.tagged.physical.network": "S\u00f3 pode haver uma rede f\u00edsica n\u00e3o marcada com tipo de tr\u00e1fego convidado.",
 "message.required.traffic.type": "Erro na configura\u00e7\u00e3o! Todos os tipos de tr\u00e1fego necess\u00e1rios devem ser adicionados e com m\u00faltiplas redes f\u00edsicas cada rede deve ter uma etiqueta.",
 "message.reset.vpn.connection": "Favor confirmar que voc\u00ea deseja reinicializar a conex\u00e3o VPN",
 "message.linstor.resourcegroup.description": "Grupo de recursos Linstor a ser usado para armazenamento prim\u00e1rio",
 "message.resize.volume.failed": "Falha ao redimensionar volume",
+"message.resize.volume.processing": "Redimensionamento de volume est\u00e1 em andamento",
 "message.resource.not.found": "Recurso n\u00e3o encontrado",
 "message.restart.mgmt.server": "Reinicie o(s) servidor(es) de gerenciamento para que a nova configura\u00c3\u00a7\u00c3\u00a3o tenha efeito.",
 "message.restart.network": "Por favor confirme que voc\ufffd deseja reiniciar a rede",
@@ -2356,24 +3431,47 @@
 "message.restart.vpc": "Favor confirmar que voc\u00ea deseja reiniciar a VPC",
 "message.restart.vpc.remark": "Por favor, confirme a reinicializa\u00e7\u00e3o do VPC <p><small><i>Observa\u00e7\u00e3o: fazendo um VPC redundante n\u00e3o redundante ir\u00e1 for\u00e7ar uma limpeza. As redes n\u00e3o estar\u00e3o dispon\u00edveis por alguns minutos</i>.</small></p>",
 "message.scale.processing": "Escalonamento em progresso",
+"message.scaledown.policies": "Por favor, adicione pelo menos uma pol\u00edtica de ScaleDown. O Grupo de AutoScale ser\u00e1 reduzido quando todas as condi\u00e7\u00f5es em uma pol\u00edtica de ScaleDown forem atendidas. As pol\u00edticas de ScaleDown ser\u00e3o verificadas ap\u00f3s as pol\u00edticas de ScaleUp.",
+"message.scaledown.policy.continue": "Por favor, adicione pelo menos uma condi\u00e7\u00e3o \u00e0 pol\u00edtica de ScaleDown para continuar",
+"message.scaledown.policy.duration.continue": "Por favor, insira uma dura\u00e7\u00e3o v\u00e1lida para a pol\u00edtica de ScaleDown para continuar",
+"message.scaledown.policy.name.continue": "Por favor, insira um nome para a pol\u00edtica de ScaleDown para continuar",
+"message.scaleup.policies": "Por favor, adicione pelo menos uma pol\u00edtica de ScaleUp. O Grupo de AutoScale ser\u00e1 aumentado quando todas as condi\u00e7\u00f5es em uma pol\u00edtica de ScaleUp forem atendidas. As pol\u00edticas de ScaleUp ser\u00e3o verificadas antes das pol\u00edticas de ScaleDown.",
+"message.scaleup.policy.continue": "Por favor, adicione pelo menos uma condi\u00e7\u00e3o \u00e0 pol\u00edtica de ScaleUp para continuar",
+"message.scaleup.policy.duration.continue": "Por favor, insira uma dura\u00e7\u00e3o v\u00e1lida para a pol\u00edtica de ScaleUp para continuar",
+"message.scaleup.policy.name.continue": "Por favor, insira um nome para a pol\u00edtica de ScaleUp para continuar",
 "message.select.a.zone": "A zona tipicamente corresponde a um \u00fanico datacenter. M\u00faltiplas zonas auxiliam a nuvem a ser mais confi\u00e1vel provendo isolamento f\u00edsico e redund\u00e2ncia.",
 "message.select.affinity.groups": "Por favor, selecione quaisquer grupos de afinidade que voc\u00ea deseja que esta VM perten\u00e7a:",
+"message.select.bgp.peers": "Por favor, selecione / desmarque os pares BGP associados \u00e0 rede ou VPC:",
 "message.select.deselect.desired.options": "Por favor, selecione / desselecione as op\u00e7\u00f5es desejadas",
+"message.select.deselect.to.sort": "Por favor, selecione / desmarque para ordenar os valores",
 "message.select.destination.image.stores": "Por favor, selecione o(s) armazenamento(s) de imagem(ns) para os quais os dados devem ser migrados",
 "message.select.disk.offering": "Por favor, selecione uma oferta de disco para o disco",
 "message.select.end.date.and.time": "Selecione uma data e hor\u00e1rio final.",
+"message.select.kvm.host.instance.conversion": "(Opcional) Selecione um host KVM no cluster para realizar a convers\u00e3o da inst\u00e2ncia atrav\u00e9s do virt-v2v",
+"message.select.load.balancer.rule": "Por favor, selecione uma regra de balanceamento de carga para o seu Grupo de escalonamento automatico.",
 "message.select.migration.policy": "Por favor, selecione uma pol\u00edtica de migra\u00e7\u00e3o",
 "message.select.nic.network": "Por favor, selecione uma rede para o NIC",
 "message.select.security.groups": "Por favor selecione o(s) grupo(s) de seguran\u00e7a para sua nova VM",
 "message.select.start.date.and.time": "Selecione uma data e hor\u00e1rio inicial.",
+"message.select.temporary.storage.instance.conversion": "(Opcional) Selecione um destino tempor\u00e1rio de Armazenamento para os discos convertidos atrav\u00e9s do virt-v2v",
+"message.select.volume.to.continue": "Por favor, selecione um volume para continuar.",
 "message.select.zone.description": "Selecione o tipo de zona b\u00e1sica/avan\u00e7ada",
 "message.select.zone.hint": "Este \u00e9 o tipo de implanta\u00e7\u00e3o de zona que voc\u00ea deseja utilizar. Zona b\u00e1sica: fornece uma \u00fanica rede na qual para cada inst\u00e2ncia de VM \u00e9 atribu\u00eddo um IP diretamente da rede. O isolamento do guest pode ser fornecido atrav\u00e9s de meios da camada 3, tais como grupos de seguran\u00e7a (filtragem de source IP). Zona avan\u00e7ada: para topologias de rede mais sofisticadas. este modelo de rede oferece  maior flexibilidade na defini\u00e7\u00e3o de redes guest e oferece ofertas de rede personalizadas, como firewall, VPN, ou suporte de balanceamento de carga.",
+"message.select.vm.to.continue": "Por favor, selecione uma inst\u00e2ncia para continuar",
+"message.server": "Servidor : ",
 "message.server.description": "NFS, iSCSI, ou PreSetup: endere\u00e7o IP ou nome DNS do dispositivo de armazenamento. VMWare PreSetup: endere\u00e7o IP ou nome DNS do servidor vCenter. Linstor: URL HTTP(S) do linstor-controller.",
 "message.set.default.nic": "Por favor confirme que voc\u00ea quer tornar este NIC o padr\u00e3o para esta VM,",
 "message.set.default.nic.manual": "Por favor atualize manualmente o NIC padr\u00e3o desta VM agora.",
 "message.setting.updated": "Configura\u00e7\u00e3o atualizada:",
+"message.setting.update.delay": "O novo valor entrar\u00e1 em vigor em 30 segundos.",
 "message.setup.physical.network.during.zone.creation": "Ao adicionar uma zona avan\u00e7ada, \u00e9 preciso configurar uma ou mais redes f\u00edsicas. Cada rede corresponde \u00e0 uma interface de rede no virtualizador. Cada rede f\u00edsica pode ser utilizada para transportar um ou mais tipos de tr\u00e1fego, com certas restri\u00e7\u00f5es sobre como eles podem ser combinados. <br/> <strong> Arraste e solte um ou mais tipos de tr\u00e1fego </ strong> em cada rede f\u00edsica.",
 "message.setup.physical.network.during.zone.creation.basic": "Ao adicionar uma zona b\u00e1sica, \u00e9 poss\u00edvel configurar uma rede f\u00edsica, que corresponde a uma interface de rede no virtualizador. A rede carrega diversos tipos de tr\u00e1fego.<br/><br/>\u00c9 poss\u00edvel <strong>adicionar e remover</strong> outros tipos de tr\u00e1fego na mesma interface de rede f\u00edsica.",
+"message.shared.network.offering.warning": "Administradores de dom\u00ednio e usu\u00e1rios regulares s\u00f3 podem criar Redes compartilhadas a partir de ofertas de Rede com a configura\u00e7\u00e3o specifyvlan=false. Por favor, contate um administrador para criar uma oferta de Rede se esta lista estiver vazia.",
+"message.shared.network.unsupported.for.nsx": "Redes compartilhadas n\u00e3o s\u00e3o suportadas para zonas habilitadas para NSX",
+"message.shutdown.triggered": "Um desligamento foi acionado. CloudStack n\u00e3o aceitar\u00e1 novos jobs",
+"message.snapshot.additional.zones": "Snapshots sempre ser\u00e3o criados em sua zona nativa - %x, aqui voc\u00ea pode selecionar zona(s) adicional(is) para onde ela ser\u00e1 copiada no momento da cria\u00e7\u00e3o",
+"message.sourcenatip.change.inhibited": "Alterar o sourcenat para este IP da Rede para este endere\u00e7o est\u00e1 inibido, pois regras de firewall est\u00e3o definidas para ele. Isso pode incluir regras de encaminhamento de porta ou balanceamento de carga.\n - Se esta for uma Rede Isolada, por favor use updateNetwork/clique no bot\u00e3o editar.\n - Se esta for uma VPC, primeiro limpe todas as outras regras para este endere\u00e7o.",
+"message.sourcenatip.change.warning": "AVISO: Alterar o endere\u00e7o IP sourcenat da rede causar\u00e1 tempo de inatividade de conectividade para as Inst\u00e2ncias com NICs na Rede.",
 "message.specify.tag.key": "Por favor, especifique uma chave de etiqueta",
 "message.specify.tag.value": "Por favor, especifique um valor para a etiqueta",
 "message.step.2.continue": "Selecione o plano",
@@ -2381,55 +3479,101 @@
 "message.step.4.continue": "Selecione pelo menos uma rede para continuar",
 "message.step.license.agreements.continue": "Por favor, aceite todos os termos de licen\u00e7a para continuar",
 "message.success.acquire.ip": "IP adquirido com sucesso",
+"message.success.add.bgp.peer": "Novo par BGP adicionado com sucesso",
 "message.success.add.egress.rule": "Nova regra de sa\u00edda adicionada com sucesso",
 "message.success.add.firewall.rule": "Nova regra do firewall adicionada com sucesso",
 "message.success.add.guest.network": "Rede guest criada com sucesso",
+"message.success.add.interface.static.route": "Rota Est\u00e1tica de interface adicionada com sucesso",
+"message.success.add.ip.v6.prefix": "Prefixo IPv6 adicionado com sucesso",
 "message.success.add.iprange": "Intervalo IP adicionado com sucesso",
+"message.success.add.ipv4.subnet": "Sub-rede IPv4 adicionada com sucesso",
+"message.success.add.ipv4.subnet.for.guest.network": "Sub-rede IPv4 para rede guest adicionada com sucesso",
 "message.success.add.kuberversion": "Vers\u00e3o do Kubernetes adicionado com sucesso",
+"message.success.add.logical.router": "Roteador L\u00f3gico adicionado com sucesso",
 "message.success.add.network": "Rede adicionada com sucesso",
 "message.success.add.network.acl": "Lista ACL da rede adicionada com sucesso",
+"message.success.add.network.permissions": "Permiss\u00f5es de Rede adicionadas com sucesso",
+"message.success.add.network.static.route": "Rota Est\u00e1tica de Rede adicionada com sucesso",
+"message.success.add.object.storage": "Object Storage adicionado com sucesso",
+"message.success.add.physical.network": "Rede F\u00edsica adicionada com sucesso",
+"message.success.add.policy.rule": "Regra de Pol\u00edtica adicionada com sucesso",
+"message.success.add.router.table.to.instance": "Tabela de Roteador adicionada \u00e0 Inst\u00e2ncia com sucesso",
 "message.success.add.port.forward": "Nova regra de encaminhamento de porta adicionada com sucesso",
 "message.success.add.private.gateway": "Gateway privado adicionado com sucesso",
 "message.success.add.rule": "Nova regra adicionada com sucesso",
 "message.success.add.secondary.ipaddress": "IP secund\u00e1rio adicionado com sucesso",
 "message.success.add.static.route": "Rota est\u00e1tica adicionada com sucesso",
 "message.success.add.tag": "Etiqueta adicionada com sucesso",
+"message.success.add.tungsten.router.table": "Tabela de Roteador adicionada com sucesso",
+"message.success.add.tungsten.routing.policy": "Pol\u00edtica de roteamento Tungsten-Fabric adicionada com sucesso",
+"message.success.add.vpc": "Uma Nuvem Privada Virtual adicionada com sucesso",
 "message.success.add.vpc.network": "Rede VPC adicionada com sucesso",
 "message.success.add.vpn.customer.gateway": "Gateway da VPN do cliente adicionado com sucesso",
 "message.success.add.vpn.gateway": "Gateway da VPN adicionado com sucesso",
 "message.success.assign.vm": "VM atribu\u00edda com sucesso",
+"message.success.assign.volume": "Volume atribu\u00eddo com sucesso",
+"message.success.apply.network.policy": "Pol\u00edtica de Rede aplicada com sucesso",
+"message.success.apply.tungsten.tag": "Tag aplicada com sucesso",
+"message.success.asign.vm": "Inst\u00e2ncia atribu\u00edda com sucesso",
 "message.success.assigned.vms": "VMs atribu\u00eddas com sucesso",
 "message.success.certificate.upload": "Certificado carregado com sucesso",
 "message.success.change.affinity.group": "Grupos de afinidade alterados com sucesso",
+"message.success.change.bgp.peers": "Pares BGP alterados com sucesso",
 "message.success.change.offering": "Oferta alterada com sucesso",
 "message.success.change.password": "Senha alterada com sucesso",
 "message.success.change.host.password": "Senha do host \"{name}\" foi alterada com sucesso",
+"message.success.change.scope": "Escopo alterado com sucesso para o pool de armazenamento",
+"message.success.clear.webhook.deliveries": "Entregas de webhook limpas com sucesso",
+"message.success.config.health.monitor": "Monitor de Sa\u00fade Configurado com Sucesso",
+"message.success.config.vm.schedule": "Agendamento de Inst\u00e2ncia configurado com sucesso",
 "message.success.config.backup.schedule": "Agendamento de backup de VM configurado com sucesso",
 "message.success.config.sticky.policy": "Sticky policy configurada com sucesso",
 "message.success.copy.clipboard": "Copiado com sucesso para a \u00e1rea de transfer\u00eancia",
 "message.success.create.account": "Conta criada com sucesso",
+"message.success.create.asnrange": "Faixa AS criada com sucesso",
+"message.success.create.bucket": "Bucket criado com sucesso",
+"message.success.create.gui.theme": "Tema da GUI \"{guiTheme}\" criado com sucesso",
 "message.success.create.internallb": "LB interno criado com sucesso",
 "message.success.create.isolated.network": "Rede isolada criada com sucesso",
 "message.success.create.keypair": "Par de chaves SSH criado com sucesso",
 "message.success.create.kubernetes.cluster": "Cluster Kubernetes criado com sucesso",
 "message.success.create.l2.network": "Rede L2 criada com sucesso",
+"message.success.create.password": "Par de chave de acesso \u00e0 API criada com sucesso",
+"message.success.create.sharedfs": "Sistema de Arquivos Compartilhado criado com sucesso",
 "message.success.create.snapshot.from.vmsnapshot": "Snapshot de volume a partir da snapshot de VM criada com sucesso",
+"message.success.create.template": "Template criado com sucesso",
 "message.success.create.user": "Usu\u00e1rio criado com sucesso",
 "message.success.create.volume": "Volume criado com sucesso",
+"message.success.create.webhook": "Webhook criado com sucesso",
+"message.success.dedicate.bgp.peer": "Par BGP dedicado com sucesso",
+"message.success.dedicate.ipv4.subnet": "Sub-rede IPv4 dedicada com sucesso",
 "message.success.delete": "Exclu\u00eddo com sucesso",
 "message.success.delete.acl.rule": "Regra ACL removida com sucesso",
+"message.success.delete.asnrange": "Faixa AS exclu\u00edda com sucesso",
+"message.success.delete.backup.schedule": "Agendamento de Backup de Inst\u00e2ncia exclu\u00eddo com sucesso",
+"message.success.delete.bgp.peer": "Par BGP exclu\u00eddo com sucesso",
 "message.success.delete.icon": "\u00cdcone deletado com sucesso",
+"message.success.delete.interface.static.route": "Rota Est\u00e1tica de interface removida com sucesso",
+"message.success.delete.ipv4.subnet": "Sub-rede IPv4 removida com sucesso",
+"message.success.delete.keypair": "Par de chave de API deletada com sucesso",
+"message.success.delete.network.static.route": "Rota Est\u00e1tica de Rede removida com sucesso",
 "message.success.delete.node": "Nodo exclu\u00eddo com sucesso",
 "message.success.delete.snapshot.policy": "Pol\u00edtica de snapshot exclu\u00edda com sucesso",
 "message.success.delete.static.route": "Rota est\u00e1tica exclu\u00edda com sucesso",
 "message.success.delete.tag": "Tag exclu\u00edda com sucesso",
+"message.success.delete.tungsten.policy.rule": "Regra de Pol\u00edtica exclu\u00edda com sucesso",
+"message.success.delete.tungsten.router.table": "Tabela de Roteador removida com sucesso",
+"message.success.delete.tungsten.tag": "Tag removida com sucesso",
 "message.success.delete.vm": "VM remov\u00edda com sucesso",
 "message.success.disable.saml.auth": "Autoriza\u00e7\u00e3o SAML desativada com sucesso",
 "message.success.disable.vpn": "VPN desativada com sucesso",
 "message.success.edit.acl": "Regra ACL editada com sucesso",
+"message.success.edit.primary.storage": "Armazenamento Prim\u00e1rio editado com sucesso",
 "message.success.edit.rule": "Regra editada com sucesso",
 "message.success.enable.saml.auth": "Autoriza\u00e7\u00e3o SAML ativada com sucesso",
 "message.success.import.instance": "Inst\u00e2ncia importada com sucesso",
+"message.success.import.volume": "Volume importado com sucesso",
+"message.success.migration": "Migra\u00e7\u00e3o conclu\u00edda com sucesso",
 "message.success.migrate.volume": "Volume migrado com sucesso",
 "message.success.migrating": "Migra\u00e7\u00e3o conclu\u00edda com sucesso para",
 "message.success.move.acl.order": "Regra de ACL movida com sucesso",
@@ -2437,25 +3581,47 @@
 "message.success.register.iso": "ISO registrado com sucesso",
 "message.success.register.keypair": "Par de chaves SSH registrado com sucesso",
 "message.success.register.template": "Template cadastrado com sucesso",
+"message.success.register.user.data": "Userdata registrado com sucesso",
+"message.success.register.user.keypair": "Novo par de chave de API criado com sucesso",
+"message.success.release.dedicated.bgp.peer": "Par BGP dedicado liberado com sucesso",
+"message.success.release.dedicated.ipv4.subnet": "Sub-rede IPv4 dedicada liberada com sucesso",
 "message.success.release.ip": "IP liberado com sucesso",
 "message.success.remove.egress.rule": "Regra de sa\u00edda removida com sucesso",
 "message.success.remove.firewall.rule": "Regra de firewall removida com sucesso",
 "message.success.remove.instance.rule": "Inst\u00e2ncia removida da regra",
 "message.success.remove.ip": "IP removido com sucesso",
 "message.success.remove.iprange": "Intervalo de IP removido com sucesso",
+"message.success.remove.logical.router": "Roteador L\u00f3gico removido com sucesso",
+"message.success.remove.network.permissions": "Permiss\u00f5es de Rede removidas com sucesso",
+"message.success.remove.network.policy": "Pol\u00edtica de Rede removida com sucesso",
 "message.success.remove.nic": "NIC removida com sucesso",
+"message.success.remove.objectstore.directory": "Diret\u00f3rio selecionado removido com sucesso",
+"message.success.remove.objectstore.objects": "Objeto(s) selecionado(s) removido(s) com sucesso",
 "message.success.remove.port.forward": "Regra de encaminhamento de porta removida com sucesso",
+"message.success.remove.router.table.from.interface": "Tabela de Roteador removida da interface com sucesso",
 "message.success.remove.rule": "Regra exclu\u00edda com sucesso",
 "message.success.remove.secondary.ipaddress": "Endere\u00e7o de IP secund\u00e1rio removido com sucesso",
 "message.success.remove.sticky.policy": "Sticky policy removida com sucesso",
+"message.success.remove.tungsten.routing.policy": "Pol\u00edtica de Roteamento Tungsten-Fabric removida da Rede com sucesso",
+"message.success.reset.network.permissions": "Permiss\u00f5es de Rede redefinidas com sucesso",
 "message.success.resize.volume": "Volume redimensionado com sucesso",
 "message.success.scale.kubernetes": "Cluster Kubernetes escalonado com sucesso",
 "message.success.unmanage.instance": "Inst\u00e2ncia n\u00e3o gerenciada com sucesso",
+"message.success.unmanage.volume": "Volume n\u00e3o gerenciado com sucesso",
+"message.success.update.account": "Conta atualizada com sucesso",
+"message.success.update.bgp.peer": "Par BGP atualizado com sucesso",
+"message.success.update.bucket": "Bucket atualizado com sucesso",
+"message.success.update.condition": "Condi\u00e7\u00e3o atualizada com sucesso",
+"message.success.update.gui.theme": "Tema da GUI \"{guiTheme}\" atualizado com sucesso",
 "message.success.update.ipaddress": "Endere\u00e7o IP atualizado com sucesso",
 "message.success.update.iprange": "Intervalo de IP atualizado com sucesso",
+"message.success.update.ipv4.subnet": "Sub-rede IPv4 atualizada com sucesso",
 "message.success.update.kubeversion": "Vers\u00e3o compat\u00edvel com Kubernetes atualizada com sucesso",
 "message.success.update.network": "Rede atualizada com sucesso",
+"message.success.update.nic": "NIC atualizada com sucesso",
 "message.success.update.user": "Usu\u00e1rio atualizado com sucesso",
+"message.success.update.sharedfs": "Sistema de Arquivos Compartilhado atualizado com sucesso",
+"message.success.update.template": "Template atualizado com sucesso",
 "message.success.upgrade.kubernetes": "Cluster do Kubernetes atualizado com sucesso",
 "message.success.upload": "Carregado com sucesso",
 "message.success.upload.description": "Este arquivo de ISO foi carregado. Verifique seu status no menu Imagens > ISOs. Verifique seu status no menu templates",
@@ -2466,14 +3632,43 @@
 "message.suspend.project": "Voc\u00ea tem certeza que deseja suspender este projeto?",
 "message.sussess.discovering.feature": "Descoberto todos os recursos dispon\u00edveis!",
 "message.switch.to": "Transferido para",
+"message.template.arch": "Por favor, selecione uma arquitetura de Template.",
 "message.template.desc": "Imagem de SO que pode ser utilizada para bootar VMs",
 "message.template.import.vm.temporary": "Se um template tempor\u00e1rio for usado, a opera\u00e7\u00e3o de redefini\u00e7\u00e3o da VM n\u00e3o funcionar\u00e1 ap\u00f3s a importa\u00e7\u00e3o.",
 "message.template.iso": "Selecione o template ou ISO para continuar",
+"message.template.type.change.warning": "AVISO: Alterar o tipo de Template para SYSTEM desativar\u00e1 futuras altera\u00e7\u00f5es no Template.",
+"message.test.webhook.delivery": "Testar entrega para o Webhook com um payload opcional",
 "message.tooltip.reserved.system.netmask": "O prefixo de rede que define a subrede deste pod. utilize a nota\u00e7\u00e3o CIDR.",
+"message.traffic.type.deleted": "Tipo de tr\u00e1fego exclu\u00eddo com sucesso",
+"message.trigger.shutdown": "Por favor, confirme que voc\u00ea gostaria de acionar um desligamento neste Management Server. Ele n\u00e3o aceitar\u00e1 nenhum novo job Ass\u00edncrono e terminar\u00e1 ap\u00f3s n\u00e3o haver jobs pendentes.",
+"message.two.fa.auth": "Abra o aplicativo de autentica\u00e7\u00e3o de dois fatores no seu dispositivo m\u00f3vel para visualizar seu c\u00f3digo de autentica\u00e7\u00e3o.",
+"message.two.fa.auth.register.account": "Abra o aplicativo de autentica\u00e7\u00e3o de dois fatores e escaneie o c\u00f3digo QR para adicionar a Conta de Usu\u00e1rio.",
+"message.two.fa.auth.staticpin": "<br> Voc\u00ea configurou 2FA para verifica\u00e7\u00e3o de seguran\u00e7a. <br> Insira o PIN est\u00e1tico gerado durante a configura\u00e7\u00e3o do 2FA para verificar.",
+"message.two.fa.auth.totp": "<br> Voc\u00ea configurou 2FA para verifica\u00e7\u00e3o de seguran\u00e7a. <br> Abra o aplicativo autenticador TOTP no seu dispositivo e insira o c\u00f3digo de autentica\u00e7\u00e3o.",
+"message.two.fa.login.page": "A autentica\u00e7\u00e3o de dois fatores (2FA) est\u00e1 ativada na sua Conta, voc\u00ea precisa selecionar um provedor 2FA e configurar. 2FA \u00e9 uma camada extra de seguran\u00e7a para sua conta. Uma vez que a configura\u00e7\u00e3o seja feita, em cada login voc\u00ea ser\u00e1 solicitado a inserir o c\u00f3digo 2FA.<br>",
+"message.two.fa.register.account": "1. Abra o aplicativo autenticador TOTP no seu dispositivo. <br>2. Escaneie o c\u00f3digo QR abaixo para adicionar o Usu\u00e1rio. <br>3. Se voc\u00ea n\u00e3o conseguir escanear o c\u00f3digo QR, insira a chave de configura\u00e7\u00e3o manualmente. <br>4. A verifica\u00e7\u00e3o do c\u00f3digo 2FA \u00e9 obrigat\u00f3ria para completar a configura\u00e7\u00e3o 2FA.",
+"message.two.fa.register.account.login.page": "1. Abra o aplicativo autenticador TOTP no seu dispositivo. <br>2. Escaneie o c\u00f3digo QR abaixo para adicionar o Usu\u00e1rio. <br>3. Se voc\u00ea n\u00e3o conseguir escanear o c\u00f3digo QR, insira a chave de configura\u00e7\u00e3o manualmente. <br>4. Verifique o c\u00f3digo 2FA para continuar para o login.",
+"message.two.fa.setup.page": "A autentica\u00e7\u00e3o de dois fatores (2FA) \u00e9 uma camada extra de seguran\u00e7a para sua conta.<br> Uma vez que a configura\u00e7\u00e3o seja feita, em cada login voc\u00ea ser\u00e1 solicitado a inserir o c\u00f3digo 2FA.<br>",
+"message.two.fa.static.pin.part1": "Se voc\u00ea n\u00e3o conseguir escanear o c\u00f3digo QR, ",
+"message.two.fa.static.pin.part2": "Clique aqui para visualizar o c\u00f3digo secreto",
+"message.two.fa.staticpin": "1. Use o PIN est\u00e1tico gerado como c\u00f3digo 2FA para autentica\u00e7\u00e3o de dois fatores.<br>2. Salve este PIN est\u00e1tico / c\u00f3digo 2FA e n\u00e3o o compartilhe. Este c\u00f3digo ser\u00e1 usado para logins subsequentes.<br>3. A verifica\u00e7\u00e3o do c\u00f3digo 2FA \u00e9 obrigat\u00f3ria para completar a configura\u00e7\u00e3o 2FA.",
+"message.two.fa.staticpin.login.page": "1. Use o PIN est\u00e1tico gerado como c\u00f3digo 2FA para autentica\u00e7\u00e3o de dois fatores.<br>2. Salve este PIN est\u00e1tico / c\u00f3digo 2FA e n\u00e3o o compartilhe. Este c\u00f3digo ser\u00e1 usado para logins subsequentes.<br>3. Verifique o c\u00f3digo 2FA para continuar para o login.",
+"message.two.fa.view.setup.key": "Clique aqui para visualizar a chave de configura\u00e7\u00e3o",
+"message.two.fa.view.static.pin": "Clique aqui para visualizar o PIN est\u00e1tico",
+"message.two.factor.authorization.failed": "Incapaz de verificar 2FA com o c\u00f3digo fornecido, por favor tente novamente.",
+"message.type.values.to.add": "Por favor, adicione valores adicionais digitando-os",
 "message.traffic.type.to.basic.zone": "Tipo de tr\u00e1fego para a zona b\u00e1sica",
+"message.update.autoscale.policy.failed": "Falha ao atualizar pol\u00edtica de AutoScale",
+"message.update.autoscale.vm.profile.failed": "Falha ao atualizar perfil de Inst\u00e2ncia de AutoScale",
+"message.update.autoscale.vmgroup.failed": "Falha ao atualizar grupo de AutoScale",
+"message.update.condition.failed": "Falha ao atualizar condi\u00e7\u00e3o",
+"message.update.condition.processing": "Atualizando condi\u00e7\u00e3o...",
+"message.update.failed": "Atualiza\u00e7\u00e3o falhou",
+"message.update.nic.processing": "Atualizando NIC...",
 "message.update.ipaddress.processing": "Atualizando endere\u00e7o IP...",
 "message.update.resource.count": "Por favor confirme que voc\u00ea quer atualizar a contagem de recursos para esta conta.",
 "message.update.resource.count.domain": "Por favor, confirme que voc\u00ea deseja atualizar as contagens de recursos para este dom\u00ednio.",
+"message.update.resource.limit.max.untagged.error": "Limite n\u00e3o marcado %x \u00e9 %y. Por favor, especifique limite para tag '%z' menor ou igual a esse",
 "message.update.ssl": "Envie o novo certificado SSL X.509 para ser atualizado em cada console proxy:",
 "message.upload.failed": "Falha ao fazer o carregamento",
 "message.upload.file.limit": "Apenas um arquivo pode ser carregado de cada vez",
@@ -2488,6 +3683,7 @@
 "message.validate.maxlength": "Por favor entre com mais de [0] caracteres.",
 "message.validate.minlength": "Por favor entre com pelo menos [0] caracteres.",
 "message.validate.number": "Por favor entre um n\u00famero v\u00e1lido.",
+"message.validate.positive.number": "Por favor, insira um n\u00famero positivo v\u00e1lido.",
 "message.validate.range": "Por favor entre com um valor com valor entre [0] e [1].",
 "message.validate.range.length": "Por favor entre com um valor com tamanho entre [0] e [1] caracteres.",
 "message.virtual.router.not.return.elementid": "erro: A API listVirtualRouterElements n\u00e3o retorna o ID do elemento do roteador virtual",
@@ -2502,6 +3698,20 @@
 "message.vm.state.stopped": "A VM est\u00e1 parada",
 "message.vm.state.stopping": "A VM est\u00e1 sendo parada",
 "message.vm.state.unknown": "O estado da VM \u00e9 desconhecido.",
+"message.vnf.appliance.networks": "Por favor, selecione as redes para o novo appliance VNF.",
+"message.vnf.credentials.change": "Por favor, altere a(s) senha(s) do appliance VNF imediatamente.",
+"message.vnf.credentials.default": "A(s) credencial(is) padr\u00e3o do appliance VNF",
+"message.vnf.credentials.in.template.vnf.details": "Por favor, encontre as credenciais padr\u00e3o para este VNF nos detalhes do template VNF.",
+"message.vnf.error.deviceid.should.be.consecutive": "O deviceid das NICs VNF selecionadas deve ser consecutivo.",
+"message.vnf.error.network.is.already.used": "A Rede foi usada por v\u00e1rias NICs do novo appliance VNF.",
+"message.vnf.error.network.should.be.used": "Todas as redes selecionadas devem ser usadas como Nics VNF",
+"message.vnf.error.no.networks": "Por favor, selecione as redes para o novo appliance VNF.",
+"message.vnf.error.no.network.for.required.deviceid": "Por favor, selecione uma Rede para a NIC obrigat\u00f3ria do novo appliance VNF.",
+"message.vnf.nic.move.down.fail": "Falha ao mover esta NIC para baixo",
+"message.vnf.nic.move.up.fail": "Falha ao mover esta NIC para cima",
+"message.vnf.no.credentials": "Nenhuma credencial encontrada para o appliance VNF.",
+"message.vnf.select.networks": "Por favor, selecione a rede relevante para cada NIC VNF.",
+"message.volume.state.primary.storage.suitability": "A adequa\u00e7\u00e3o de um armazenamento prim\u00e1rio para um volume depende da oferta de disco do volume e da aloca\u00e7\u00e3o da m\u00e1quina virtual (se o volume estiver anexado a uma m\u00e1quina virtual).",
 "message.volume.state.allocated": "O volume foi alocado, mas ainda n\u00e3o foi criado",
 "message.volume.state.attaching": "O volume est\u00e1 anexado a um volume do estado pronto.",
 "message.volume.state.copying": "O volume est\u00e1 sendo copiado do armazenamento de imagens para o armazenamento prim\u00e1rio, no caso de ser um volume carregado",
@@ -2521,12 +3731,20 @@
 "message.volume.state.uploaderror": "O carregamento do volume encontrou um erro",
 "message.volume.state.uploadinprogress": "Carregamento do volume em progresso",
 "message.volume.state.uploadop": "A opera\u00e7\u00e3o de carregamento de volume est\u00e1 em andamento",
+"message.volumes.managed": "Volumes controlados pelo CloudStack.",
+"message.volumes.unmanaged": "Volumes n\u00e3o controlados pelo CloudStack.",
+"message.vpc.restart.required": "Reinicializa\u00e7\u00e3o \u00e9 necess\u00e1ria para VPC(s). Clique aqui para ver VPC(s) que requerem reinicializa\u00e7\u00e3o.",
 "message.vr.alert.upon.network.offering.creation.others": "Como nenhum dos servi\u00e7os obrigat\u00f3rios para cria\u00e7\u00e3o do VR (VPN, DHCP, DNS, Firewall, LB, UserData, SourceNat, StaticNat, PortForwarding) foram habilitados, o VR n\u00e3o ser\u00e1 criado e a oferta de computa\u00e7\u00e3o n\u00e3o ser\u00e1 usada.",
+"message.warn.change.primary.storage.scope": "Este recurso \u00e9 testado e suportado para as seguintes configura\u00e7\u00f5es:<br>KVM - NFS/Ceph - DefaultPrimary<br>VMware - NFS - DefaultPrimary<br>*Pode haver etapas extras envolvidas para faz\u00ea-lo funcionar para outras configura\u00e7\u00f5es.",
 "message.warn.filetype": "jpg, jpeg, png, bmp e svg s\u00e3o os \u00fanicos formatos de imagem suportados",
 "message.warn.importing.instance.without.nic": "AVISO: essa inst\u00e2ncia est\u00e1 sendo importada sem NICs e muitos recursos de rede n\u00e3o estar\u00e3o dispon\u00edveis. Considere criar uma NIC antes de importar via VCenter ou assim que a inst\u00e2ncia for importada.",
+"message.warn.vpc.offerings": "Ofertas de VPC s\u00c3o exibidas somente caso a conta selecionada possua ao menos uma VPC.",
+"message.warn.zone.mtu.update": "Por favor, note que este limite n\u00e3o afetar\u00e1 as configura\u00e7\u00f5es de MTU da Rede pr\u00e9-existentes",
+"message.webhook.deliveries.time.filter": "A lista de entregas de webhook pode ser filtrada com base em data e hora. Selecione 'Customizado' para especificar o intervalo de data de in\u00edcio e fim.",
 "message.zone.creation.complete": "Cria\u00e7\u00e3o de zona completa",
 "message.zone.detail.description": "Preencha os detalhes da zona",
 "message.zone.detail.hint": "Uma zona \u00e9 a maior unidade organizacional no CloudStack, e normalmente corresponde a um \u00fanico datacenter. As zonas proporcionam isolamento f\u00edsico e redund\u00e2ncia. Uma zona consiste em um ou mais pods (cada um contendo hosts e servidores de armazenamento prim\u00e1rio) e um servidor de armazenamento secund\u00e1rio que \u00e9 compartilhado por todos os pods da zona.",
+"message.zone.edge.local.storage": "Armazenamento local ser\u00e1 usado por padr\u00e3o para Inst\u00e2ncias de Usu\u00e1rio e roteadores virtuais",
 "message.validate.min": "Por favor entre com um valor maior que ou igual a {0}.",
 "migrate.from": "Migrar de",
 "migrate.to": "Migrar para",
diff --git a/ui/public/locales/te.json b/ui/public/locales/te.json
index ed72626e0a67..f3b4c70ca2ed 100644
--- a/ui/public/locales/te.json
+++ b/ui/public/locales/te.json
@@ -3169,7 +3169,6 @@
   "message.error.zone.name": "దయచేసి జోన్ పేరును నమోదు చేయండి.",
   "message.error.zone.type": "దయచేసి జోన్ రకాన్ని ఎంచుకోండి.",
   "message.error.linstor.resourcegroup": "దయచేసి Linstor Resource-Groupని నమోదు చేయండి.",
-  "message.error.fixed.offering.kvm": "ఫిక్స్‌డ్ కంప్యూట్ ఆఫర్‌తో KVM హైపర్‌వైజర్‌ను ఉపయోగించుకునే సందర్భాలను స్కేల్ చేయడం సాధ్యం కాదు.",
   "message.error.create.webhook.local.account": "స్థానిక స్కోప్‌తో వెబ్‌హుక్‌ని సృష్టించడానికి తప్పనిసరిగా ఖాతా అందించబడాలి.",
   "message.error.create.webhook.name": "వెబ్‌హుక్‌ని సృష్టించడానికి తప్పనిసరిగా పేరు అందించాలి.",
   "message.error.create.webhook.payloadurl": "Webhookని సృష్టించడానికి పేలోడ్ URL తప్పనిసరిగా అందించబడాలి.",
diff --git a/ui/public/locales/zh_CN.json b/ui/public/locales/zh_CN.json
index 4b68a2ef6d77..9536bab7ee43 100644
--- a/ui/public/locales/zh_CN.json
+++ b/ui/public/locales/zh_CN.json
@@ -3462,7 +3462,6 @@
   "message.error.zone.name": "\u8BF7\u8F93\u5165\u533A\u57DF\u540D\u79F0",
   "message.error.zone.type": "\u8BF7\u9009\u62E9\u533A\u57DF\u7C7B\u578B",
   "message.error.linstor.resourcegroup": "\u8BF7\u8F93\u5165 Linstor \u8D44\u6E90\u7EC4",
-  "message.error.fixed.offering.kvm": "\u4E0D\u53EF\u80FD\u901A\u8FC7\u56FA\u5B9A\u7684\u8BA1\u7B97\u65B9\u6848\u6765\u6269\u5C55KVM\u865A\u62DF\u673A\u3002",
   "message.fail.to.delete": "\u5220\u9664\u5931\u8D25\u3002",
   "message.failed.to.add": "\u6DFB\u52A0\u5931\u8D25",
   "message.failed.to.assign.vms": "\u672A\u80FD\u5206\u914D\u865A\u62DF\u673A",
diff --git a/ui/src/assets/icons/dark.svg b/ui/src/assets/icons/dark.svg
index b1dd4b38e0ac..524521a3208e 100644
--- a/ui/src/assets/icons/dark.svg
+++ b/ui/src/assets/icons/dark.svg
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<svg width="52px" height="45px" viewBox="0 0 52 45" version="1.1" 
-    xmlns="http://www.w3.org/2000/svg" 
+<svg width="52px" height="45px" viewBox="0 0 52 45" version="1.1"
+    xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
     <defs>
         <filter x="-9.4%" y="-6.2%" width="118.8%" height="122.5%" filterUnits="objectBoundingBox" id="filter-1">
diff --git a/ui/src/components/header/TranslationMenu.vue b/ui/src/components/header/TranslationMenu.vue
index 4cd369d3bf6f..f68d9e3849d1 100644
--- a/ui/src/components/header/TranslationMenu.vue
+++ b/ui/src/components/header/TranslationMenu.vue
@@ -52,6 +52,7 @@
 import moment from 'moment'
 import 'moment/locale/zh-cn'
 import { loadLanguageAsync } from '@/locales'
+import { vueProps } from '@/vue-app'
 
 moment.locale('en')
 
@@ -63,7 +64,7 @@ export default {
     }
   },
   mounted () {
-    this.language = this.$localStorage.get('LOCALE') || 'en'
+    this.language = this.$localStorage.get('LOCALE') || vueProps.$config?.defaultLanguage || 'en'
     this.setLocale(this.language)
   },
   methods: {
diff --git a/ui/src/components/view/DeployVMFromBackup.vue b/ui/src/components/view/DeployVMFromBackup.vue
index cbf265b08e4e..ccd019eeb7fc 100644
--- a/ui/src/components/view/DeployVMFromBackup.vue
+++ b/ui/src/components/view/DeployVMFromBackup.vue
@@ -1454,7 +1454,7 @@ export default {
     this.initForm()
     this.dataPreFill = this.preFillContent && Object.keys(this.preFillContent).length > 0 ? this.preFillContent : {}
     this.showOverrideDiskOfferingOption = this.dataPreFill.overridediskoffering
-
+    this.selectedArchitecture = this.dataPreFill.backupArch ? this.dataPreFill.backupArch : this.architectureTypes.opts[0].id
     if (this.dataPreFill.isIso) {
       this.tabKey = 'isoid'
     } else {
@@ -1543,46 +1543,6 @@ export default {
     fillValue (field) {
       this.form[field] = this.dataPreFill[field]
     },
-    fetchZoneByQuery () {
-      return new Promise(resolve => {
-        let zones = []
-        let apiName = ''
-        const params = {}
-        if (this.templateId) {
-          apiName = 'listTemplates'
-          params.listall = true
-          params.templatefilter = this.isNormalAndDomainUser ? 'executable' : 'all'
-          params.id = this.templateId
-        } else if (this.isoId) {
-          apiName = 'listIsos'
-          params.listall = true
-          params.isofilter = this.isNormalAndDomainUser ? 'executable' : 'all'
-          params.id = this.isoId
-        } else if (this.networkId) {
-          params.listall = true
-          params.id = this.networkId
-          apiName = 'listNetworks'
-        }
-        if (!apiName) return resolve(zones)
-
-        getAPI(apiName, params).then(json => {
-          let objectName
-          const responseName = [apiName.toLowerCase(), 'response'].join('')
-          for (const key in json[responseName]) {
-            if (key === 'count') {
-              continue
-            }
-            objectName = key
-            break
-          }
-          const data = json?.[responseName]?.[objectName] || []
-          zones = data.map(item => item.zoneid)
-          return resolve(zones)
-        }).catch(() => {
-          return resolve(zones)
-        })
-      })
-    },
     async fetchData () {
       this.fetchZones(null, null)
       _.each(this.params, (param, name) => {
@@ -1721,6 +1681,7 @@ export default {
           if (template.details['vmware-to-kvm-mac-addresses']) {
             this.dataPreFill.macAddressArray = JSON.parse(template.details['vmware-to-kvm-mac-addresses'])
           }
+          this.selectedArchitecture = template?.arch || 'x86_64'
         }
       } else if (name === 'isoid') {
         this.templateConfigurations = []
@@ -2347,9 +2308,6 @@ export default {
       this.clusterId = null
       this.zone = _.find(this.options.zones, (option) => option.id === value)
       this.isZoneSelectedMultiArch = this.zone.ismultiarch
-      if (this.isZoneSelectedMultiArch) {
-        this.selectedArchitecture = this.architectureTypes.opts[0].id
-      }
       this.zoneSelected = true
       this.form.startvm = true
       this.selectedZone = this.zoneId
diff --git a/ui/src/components/view/ListView.vue b/ui/src/components/view/ListView.vue
index 66dd6b3db9e6..b03293efacae 100644
--- a/ui/src/components/view/ListView.vue
+++ b/ui/src/components/view/ListView.vue
@@ -949,7 +949,7 @@
             style="margin-left: 5px"
             :actions="actions"
             :resource="record"
-            :enabled="quickViewEnabled() && actions.length > 0"
+            :enabled="quickViewEnabled(actions, columns, column.key)"
             @exec-action="$parent.execAction"
           />
         </template>
diff --git a/ui/src/components/view/Setting.vue b/ui/src/components/view/Setting.vue
index 4987a0bd6121..5f1db1445ee7 100644
--- a/ui/src/components/view/Setting.vue
+++ b/ui/src/components/view/Setting.vue
@@ -251,7 +251,7 @@ export default {
       this.parentToggleSetting(false)
     },
     downloadSetting () {
-      this.downloadObjectAsJson(this.uiSettings)
+      this.downloadObjectAsJson(this.$config.theme)
     },
     resetSetting () {
       this.uiSettings = {}
diff --git a/ui/src/components/view/WebhookFiltersTab.vue b/ui/src/components/view/WebhookFiltersTab.vue
index 2d276e2a3cf0..513720a86258 100644
--- a/ui/src/components/view/WebhookFiltersTab.vue
+++ b/ui/src/components/view/WebhookFiltersTab.vue
@@ -18,6 +18,7 @@
 <template>
   <div>
     <div class="add-row">
+      <p>{{ $t('message.webhook.filter.add') }}</p>
       <a-form
         :ref="addFormRef"
         :model="addFilterForm"
@@ -90,7 +91,7 @@
       {{ (selectedRowKeys && selectedRowKeys.length > 0) ? $t('label.action.delete.webhook.filters') : $t('label.action.clear.webhook.filters') }}
     </a-button>
     <list-view
-      :tabLoading="tabLoading"
+      :loading="tabLoading"
       :columns="columns"
       :items="filters"
       :actions="actions"
diff --git a/ui/src/config/section/compute.js b/ui/src/config/section/compute.js
index dd17116df02d..6b7a5428b1f9 100644
--- a/ui/src/config/section/compute.js
+++ b/ui/src/config/section/compute.js
@@ -536,7 +536,12 @@ export default {
           api: 'deleteVMSnapshot',
           icon: 'delete-outlined',
           label: 'label.action.vmsnapshot.delete',
-          message: 'message.action.vmsnapshot.delete',
+          message: (record) => {
+            if (record.hypervisor !== 'KVM' || record.type === 'Disk') {
+              return 'message.action.vmsnapshot.disk-only.delete'
+            }
+            return 'message.action.vmsnapshot.delete'
+          },
           dataView: true,
           show: (record) => { return ['Ready', 'Expunging', 'Error'].includes(record.state) },
           args: ['vmsnapshotid'],
diff --git a/ui/src/config/section/extension.js b/ui/src/config/section/extension.js
index 4c6d9ebf0761..5904abae30b6 100644
--- a/ui/src/config/section/extension.js
+++ b/ui/src/config/section/extension.js
@@ -44,7 +44,7 @@ export default {
       }, 'created']
     return fields
   },
-  details: ['name', 'description', 'id', 'type', 'details', 'path', 'pathready', 'isuserdefined', 'orchestratorrequirespreparevm', 'created'],
+  details: ['name', 'description', 'id', 'type', 'details', 'path', 'pathready', 'isuserdefined', 'orchestratorrequirespreparevm', 'reservedresourcedetails', 'created'],
   filters: ['orchestrator'],
   tabs: [{
     name: 'details',
diff --git a/ui/src/config/section/infra/hosts.js b/ui/src/config/section/infra/hosts.js
index 2f27db5780bc..48e850a22fbe 100644
--- a/ui/src/config/section/infra/hosts.js
+++ b/ui/src/config/section/infra/hosts.js
@@ -103,7 +103,7 @@ export default {
       show: (record) => {
         return record.hypervisor === 'KVM' || record.hypervisor === store.getters.customHypervisorName
       },
-      args: ['hostid'],
+      args: ['hostid', 'forced'],
       mapping: {
         hostid: {
           value: (record) => { return record.id }
diff --git a/ui/src/config/section/network.js b/ui/src/config/section/network.js
index 37cdd0c8b98a..50c2ff4250b0 100644
--- a/ui/src/config/section/network.js
+++ b/ui/src/config/section/network.js
@@ -49,9 +49,14 @@ export default {
         return fields
       },
       details: () => {
-        var fields = ['name', 'id', 'description', 'type', 'traffictype', 'vpcid', 'vlan', 'broadcasturi', 'cidr', 'ip6cidr', 'netmask', 'gateway', 'asnumber', 'aclname', 'ispersistent', 'restartrequired', 'reservediprange', 'redundantrouter', 'networkdomain', 'egressdefaultpolicy', 'zonename', 'account', 'domainpath', 'associatednetwork', 'associatednetworkid', 'ip4routing', 'ip6firewall', 'ip6routing', 'ip6routes', 'dns1', 'dns2', 'ip6dns1', 'ip6dns2', 'publicmtu', 'privatemtu']
-        if (!isAdmin()) {
-          fields = fields.filter(function (e) { return e !== 'broadcasturi' })
+        const fields = ['name', 'id', 'description', 'type', 'traffictype', 'vpcid', 'vlan', 'cidr', 'ip6cidr', 'netmask', 'gateway', 'asnumber', 'aclname', 'ispersistent', 'restartrequired', 'reservediprange', 'redundantrouter', 'networkdomain', 'egressdefaultpolicy', 'zonename', 'account', 'domainpath', 'associatednetwork', 'associatednetworkid', 'ip4routing', 'ip6firewall', 'ip6routing', 'ip6routes', 'dns1', 'dns2', 'ip6dns1', 'ip6dns2', 'publicmtu', 'privatemtu']
+        if (isAdmin()) {
+          const vlanIndex = fields.findIndex(detail => detail === 'vlan')
+          fields.splice(vlanIndex + 1, 0, 'broadcasturi')
+          fields.push({
+            field: 'keepmacaddressonpublicnic',
+            customTitle: 'keep.mac.address.on.public.nic'
+          })
         }
         return fields
       },
@@ -233,7 +238,16 @@ export default {
         fields.push(...['domain', 'zonename'])
         return fields
       },
-      details: ['name', 'id', 'displaytext', 'cidr', 'networkdomain', 'ip4routing', 'ip4routes', 'ip6routes', 'ispersistent', 'redundantvpcrouter', 'restartrequired', 'zonename', 'account', 'domain', 'dns1', 'dns2', 'ip6dns1', 'ip6dns2', 'publicmtu'],
+      details: () => {
+        const fields = ['name', 'id', 'displaytext', 'cidr', 'networkdomain', 'ip4routing', 'ip4routes', 'ip6routes', 'ispersistent', 'redundantvpcrouter', 'restartrequired', 'zonename', 'account', 'domain', 'dns1', 'dns2', 'ip6dns1', 'ip6dns2', 'publicmtu']
+        if (isAdmin()) {
+          fields.push({
+            field: 'keepmacaddressonpublicnic',
+            customTitle: 'keep.mac.address.on.public.nic'
+          })
+        }
+        return fields
+      },
       searchFilters: ['name', 'zoneid', 'domainid', 'account', 'restartrequired', 'tags'],
       related: [{
         name: 'vm',
@@ -268,7 +282,13 @@ export default {
           icon: 'edit-outlined',
           label: 'label.edit',
           dataView: true,
-          args: ['name', 'displaytext', 'publicmtu', 'sourcenatipaddress']
+          args: () => {
+            const fields = ['name', 'displaytext', 'publicmtu', 'sourcenatipaddress']
+            if (isAdmin()) {
+              fields.push('keepmacaddressonpublicnic')
+            }
+            return fields
+          }
         },
         {
           api: 'restartVPC',
diff --git a/ui/src/config/section/project.js b/ui/src/config/section/project.js
index 5a1f5f71c81d..c08cb8dce4dc 100644
--- a/ui/src/config/section/project.js
+++ b/ui/src/config/section/project.js
@@ -162,6 +162,7 @@ export default {
       },
       groupAction: true,
       popup: true,
+      requireNameConfirmation: true,
       groupMap: (selection, values) => { return selection.map(x => { return { id: x, cleanup: values.cleanup || null } }) },
       args: (record, store) => {
         const fields = []
diff --git a/ui/src/permission.js b/ui/src/permission.js
index 671d6626b931..0b87de92c6b4 100644
--- a/ui/src/permission.js
+++ b/ui/src/permission.js
@@ -93,6 +93,7 @@ router.beforeEach((to, from, next) => {
           return
         }
         store.commit('SET_LOGIN_FLAG', true)
+        store.commit('SET_MS_ID', Cookies.get('managementserverid'))
       }
       // store already loaded
       if (store.getters.passwordChangeRequired) {
diff --git a/ui/src/style/ant-overwrite/ant-form.less b/ui/src/style/ant-overwrite/ant-form.less
index 52a2086fb4ff..882724b8ecc3 100644
--- a/ui/src/style/ant-overwrite/ant-form.less
+++ b/ui/src/style/ant-overwrite/ant-form.less
@@ -23,6 +23,6 @@
   transition: transform .3s, -webkit-transform .3s;
 }
 
-.ant-select-open .ant-select-arrow .ant-select-suffix svg {
+.ant-select-open .ant-select-arrow .ant-select-suffix:not(.anticon-search) svg {
   transform: rotateZ(-180deg);
 }
diff --git a/ui/src/utils/guiTheme.js b/ui/src/utils/guiTheme.js
index b1a7209fd270..438ce9333a4e 100644
--- a/ui/src/utils/guiTheme.js
+++ b/ui/src/utils/guiTheme.js
@@ -17,6 +17,7 @@
 
 import { vueProps } from '@/vue-app'
 import { getAPI } from '@/api'
+import { loadLanguageAsync } from '../locales'
 
 export async function applyCustomGuiTheme (accountid, domainid) {
   await fetch('config.json').then(response => response.json()).then(config => {
@@ -69,12 +70,15 @@ async function applyDynamicCustomization (response) {
   vueProps.$config.logo = jsonConfig?.logo ?? vueProps.$config.logo
   vueProps.$config.minilogo = jsonConfig?.minilogo ?? vueProps.$config.minilogo
   vueProps.$config.banner = jsonConfig?.banner ?? vueProps.$config.banner
+  vueProps.$config.docBase = jsonConfig?.docBase ?? vueProps.$config.docBase
+  vueProps.$config.apidocs = jsonConfig?.apidocs ?? vueProps.$config.apidocs
+  vueProps.$config.docHelpMappings = jsonConfig?.docHelpMappings ?? vueProps.$config.docHelpMappings
+  vueProps.$config.keyboardOptions = jsonConfig?.keyboardOptions ?? vueProps.$config.keyboardOptions
+  vueProps.$config.defaultLanguage = vueProps.$localStorage.get('LOCALE') ?? jsonConfig?.defaultLanguage ?? vueProps.$config.defaultLanguage
 
-  if (jsonConfig?.error) {
-    vueProps.$config.error[403] = jsonConfig?.error[403] ?? vueProps.$config.error[403]
-    vueProps.$config.error[404] = jsonConfig?.error[404] ?? vueProps.$config.error[404]
-    vueProps.$config.error[500] = jsonConfig?.error[500] ?? vueProps.$config.error[500]
-  }
+  applyJsonConfigToObject(jsonConfig?.error, vueProps.$config.error)
+  applyJsonConfigToObject(jsonConfig?.userCard, vueProps.$config.userCard)
+  applyJsonConfigToObject(jsonConfig?.theme, vueProps.$config.theme)
 
   if (jsonConfig?.plugins) {
     jsonConfig.plugins.forEach(plugin => {
@@ -82,12 +86,32 @@ async function applyDynamicCustomization (response) {
     })
   }
 
+  if (vueProps.$store) {
+    vueProps.$store.dispatch('SetDarkMode', (vueProps.$config.theme['@layout-mode'] === 'dark'))
+  }
+  window.less.modifyVars(vueProps.$config.theme)
+
   vueProps.$config.favicon = jsonConfig?.favicon ?? vueProps.$config.favicon
   vueProps.$config.css = response?.css ?? null
 
+  if (vueProps.$config.defaultLanguage) {
+    vueProps.$localStorage.set('LOCALE', vueProps.$config.defaultLanguage)
+    loadLanguageAsync()
+  }
+
   await applyStaticCustomization(vueProps.$config.favicon, vueProps.$config.css)
 }
 
+function applyJsonConfigToObject (sourceConfig, targetObject) {
+  if (!sourceConfig) {
+    return
+  }
+
+  for (const [variableName, value] of Object.entries(targetObject)) {
+    targetObject[variableName] = sourceConfig?.[variableName] ?? value
+  }
+}
+
 async function applyStaticCustomization (favicon, css) {
   document.getElementById('favicon').href = favicon
 
diff --git a/ui/src/views/AutogenView.vue b/ui/src/views/AutogenView.vue
index f4aa842d8f2b..436f61a37da3 100644
--- a/ui/src/views/AutogenView.vue
+++ b/ui/src/views/AutogenView.vue
@@ -195,8 +195,6 @@
         :footer="null"
         style="top: 20px;"
         :width="modalWidth"
-        :ok-button-props="getOkProps()"
-        :cancel-button-props="getCancelProps()"
         :confirmLoading="actionLoading"
         @cancel="cancelAction"
         centered
@@ -216,7 +214,7 @@
           :spinning="actionLoading"
           v-ctrl-enter="handleSubmit"
         >
-          <span v-if="currentAction.message">
+          <span v-if="currentAction.messageString">
             <div v-if="selectedRowKeys.length > 0">
               <a-alert
                 v-if="['delete-outlined', 'DeleteOutlined', 'poweroff-outlined', 'PoweroffOutlined'].includes(currentAction.icon)"
@@ -228,7 +226,7 @@
                     style="padding-left: 5px"
                     v-html="`<b>${selectedRowKeys.length} ` + $t('label.items.selected') + `. </b>`"
                   />
-                  <span v-html="currentAction.message" />
+                  <span v-html="currentAction.messageString" />
                 </template>
               </a-alert>
               <a-alert
@@ -240,14 +238,14 @@
                     v-if="selectedRowKeys.length > 0"
                     v-html="`<b>${selectedRowKeys.length} ` + $t('label.items.selected') + `. </b>`"
                   />
-                  <span v-html="currentAction.message" />
+                  <span v-html="currentAction.messageString" />
                 </template>
               </a-alert>
             </div>
             <div v-else>
               <a-alert type="warning">
                 <template #message>
-                  <span v-html="currentAction.message" />
+                  <span v-html="currentAction.messageString" />
                 </template>
               </a-alert>
             </div>
@@ -270,8 +268,18 @@
               </a-table>
             </div>
             <br v-if="currentAction.paramFields.length > 0" />
-          </span>
-          <a-form
+             </span>
+           <div v-if="currentAction.requireNameConfirmation && !(currentAction.groupAction && selectedRowKeys.length > 0)" style="margin-bottom: 5px">
+            <a-form-item>
+                <a-input v-model:value="actionConfirmText" :placeholder="resource.name" />
+            </a-form-item>
+            <a-alert type="info">
+              <template #message>
+                <div v-html="$t('label.delete.confirmation')"></div>
+              </template>
+            </a-alert>
+           </div>
+           <a-form
             :ref="formRef"
             :model="form"
             :rules="rules"
@@ -294,6 +302,11 @@
                     :title="$t('label.default.network.' + field.name + '.isolated.network')"
                     :tooltip="field.description"
                   />
+                  <tooltip-label
+                    v-else-if="field.name === 'keepmacaddressonpublicnic' && currentAction.api === 'updateVPC'"
+                    :title="$t('label.keep.mac.address.on.public.nic')"
+                    :tooltip="field.description"
+                  />
                   <tooltip-label
                     v-else
                     :title="$t('label.' + field.name)"
@@ -526,6 +539,7 @@
                 type="primary"
                 @click="handleSubmit"
                 ref="submit"
+                :disabled="isSubmitDisabled"
               >{{ $t('label.ok') }}</a-button>
             </div>
           </a-form>
@@ -686,6 +700,7 @@ export default {
       confirmDirty: false,
       firstIndex: 0,
       modalWidth: '30vw',
+      actionConfirmText: '',
       promises: []
     }
   },
@@ -893,6 +908,12 @@ export default {
         return 'active'
       }
       return 'self'
+    },
+    isSubmitDisabled () {
+      if (this.currentAction?.requireNameConfirmation && !(this.currentAction.groupAction && this.selectedRowKeys.length > 0)) {
+        return this.actionConfirmText.trim() !== this.resource?.name?.trim()
+      }
+      return false
     }
   },
   methods: {
@@ -902,19 +923,6 @@ export default {
       }
       return 'inline-flex'
     },
-    getOkProps () {
-      if (this.selectedRowKeys.length > 0 && this.currentAction?.groupAction) {
-      } else {
-        return { props: { type: 'primary' } }
-      }
-    },
-    getCancelProps () {
-      if (this.selectedRowKeys.length > 0 && this.currentAction?.groupAction) {
-        return { props: { type: 'primary' } }
-      } else {
-        return { props: { type: 'default' } }
-      }
-    },
     switchProject (projectId) {
       if (!projectId || !projectId.length || projectId.length !== 36) {
         return
@@ -1303,6 +1311,7 @@ export default {
       this.actionLoading = false
       this.showAction = false
       this.currentAction = {}
+      this.actionConfirmText = ''
     },
     cancelAction () {
       eventBus.emit('action-closing', { action: this.currentAction })
@@ -1360,6 +1369,7 @@ export default {
       this.currentAction = action
       this.currentAction.params = store.getters.apis[this.currentAction.api].params
       this.resource = action.resource
+      this.actionConfirmText = ''
       this.$emit('change-resource', this.resource)
       var paramFields = this.currentAction.params
       paramFields.sort(function (a, b) {
@@ -1374,9 +1384,11 @@ export default {
       this.currentAction.paramFilters = []
       if ('message' in action) {
         if (typeof action.message === 'function') {
-          action.message = action.message(action.resource)
+          action.messageString = action.message(action.resource)
+        } else {
+          action.messageString = action.message
         }
-        action.message = Array.isArray(action.message) ? this.$t(...action.message) : this.$t(action.message)
+        action.messageString = Array.isArray(action.messageString) ? this.$t(...action.messageString) : this.$t(action.messageString)
       }
       this.getArgs(action, isGroupAction, paramFields)
       this.getFilters(action, isGroupAction, paramFields)
@@ -1642,6 +1654,12 @@ export default {
     },
     handleSubmit (e) {
       if (this.actionLoading) return
+
+      if (this.currentAction?.requireNameConfirmation && !(this.currentAction.groupAction && this.selectedRowKeys.length > 0)) {
+        if (this.actionConfirmText.trim() !== this.resource?.name?.trim()) {
+          return
+        }
+      }
       this.promises = []
       if (!this.dataView && this.currentAction.groupAction && this.selectedRowKeys.length > 0) {
         if (this.selectedRowKeys.length > 0) {
diff --git a/ui/src/views/compute/DeployVM.vue b/ui/src/views/compute/DeployVM.vue
index 26176e760051..474c3bb01ac9 100644
--- a/ui/src/views/compute/DeployVM.vue
+++ b/ui/src/views/compute/DeployVM.vue
@@ -459,6 +459,9 @@
                     :value="securitygroupids"
                     :loading="loading.networks"
                     :preFillContent="dataPreFill"
+                    :domainId="owner.domainid"
+                    :account="owner.account"
+                    :projectId="owner.projectid"
                     @select-security-group-item="($event) => updateSecurityGroups($event)"></security-group-selection>
                 </template>
               </a-step>
@@ -1501,6 +1504,9 @@ export default {
       return tabList
     },
     showSecurityGroupSection () {
+      if (this.zone && this.zone.networktype === 'Basic') {
+        return true
+      }
       if (this.networks.length < 1) {
         return false
       }
diff --git a/ui/src/views/compute/KubernetesServiceTab.vue b/ui/src/views/compute/KubernetesServiceTab.vue
index fc8f9c60213a..3c45feea063f 100644
--- a/ui/src/views/compute/KubernetesServiceTab.vue
+++ b/ui/src/views/compute/KubernetesServiceTab.vue
@@ -66,32 +66,62 @@
           </a-timeline>
         </a-card>
         <a-card :title="$t('label.kubernetes.dashboard')">
+          <p><strong>Note:</strong> CloudStack Kubernetes clusters use <strong>Headlamp</strong> dashboard (deployed in <code>kube-system</code> namespace). For backward compatibility with older clusters using Kubernetes Dashboard, please check your cluster configuration.</p>
           <a-timeline>
             <a-timeline-item>
               <p>
-                {{ $t('label.run.proxy.locally') }}<br><br>
-                <code><b>kubectl --kubeconfig /custom/path/kube.conf proxy</b></code>
+                <strong>Access Headlamp Dashboard (new clusters)</strong><br><br>
+                <strong>Step 1:</strong> Run port-forward command:<br>
+                <code><b>kubectl --kubeconfig /custom/path/kube.conf port-forward -n kube-system service/headlamp 8080:80</b></code><br><br>
+                <strong>Step 2:</strong> Open in your browser:<br>
+                <a href="http://localhost:8080"><code>http://localhost:8080</code></a>
               </p>
             </a-timeline-item>
             <a-timeline-item>
               <p>
-                {{ $t('label.open.url') }}<br><br>
+                <strong>Access Kubernetes Dashboard (legacy clusters)</strong><br><br>
+                <strong>Step 1:</strong> {{ $t('label.run.proxy.locally') }}<br>
+                <code><b>kubectl --kubeconfig /custom/path/kube.conf proxy</b></code><br><br>
+                <strong>Step 2:</strong> {{ $t('label.open.url') }}<br>
                 <a href="http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/"><code>http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/</code></a>
               </p>
             </a-timeline-item>
             <a-timeline-item>
+              <p>
+                <strong>Create Access Token for Headlamp (new clusters)</strong>
+              </p>
               <p v-html="$t('label.kubernetes.dashboard.create.token')"></p>
               <p v-html="$t('label.kubernetes.dashboard.create.token.desc')"></p>
-              <a-textarea :value="'kubectl --kubeconfig /custom/path/kube.conf apply -f - <<EOF\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n  name: kubernetes-dashboard-admin-user\n  namespace: kubernetes-dashboard\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n  name: kubernetes-dashboard-admin-user\nroleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: ClusterRole\n  name: cluster-admin\nsubjects:\n- kind: ServiceAccount\n  name: kubernetes-dashboard-admin-user\n  namespace: kubernetes-dashboard\n---\napiVersion: v1\nkind: Secret\ntype: kubernetes.io/service-account-token\nmetadata:\n  name: kubernetes-dashboard-token\n  namespace: kubernetes-dashboard\n  annotations:\n    kubernetes.io/service-account.name: kubernetes-dashboard-admin-user\nEOF'" :rows="10" readonly />
+              <a-textarea :value="'kubectl --kubeconfig /custom/path/kube.conf apply -f - <<EOF\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n  name: headlamp-admin\n  namespace: kube-system\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n  name: headlamp-admin\nroleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: ClusterRole\n  name: cluster-admin\nsubjects:\n- kind: ServiceAccount\n  name: headlamp-admin\n  namespace: kube-system\n---\napiVersion: v1\nkind: Secret\ntype: kubernetes.io/service-account-token\nmetadata:\n  name: headlamp-admin-token\n  namespace: kube-system\n  annotations:\n    kubernetes.io/service-account.name: headlamp-admin\nEOF'" :rows="12" readonly />
+              <br><br>
+              <p>{{ $t('label.token.for.dashboard.login') }}:</p>
+              <code><b>kubectl --kubeconfig /custom/path/kube.conf describe secret headlamp-admin-token -n kube-system</b></code>
+            </a-timeline-item>
+            <a-timeline-item>
+              <p>
+                <strong>Create Access Token for Kubernetes Dashboard (legacy clusters)</strong>
+              </p>
+              <p v-html="$t('label.kubernetes.dashboard.create.token.desc')"></p>
+              <a-textarea :value="'kubectl --kubeconfig /custom/path/kube.conf apply -f - <<EOF\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n  name: kubernetes-dashboard-admin-user\n  namespace: kubernetes-dashboard\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n  name: kubernetes-dashboard-admin-user\nroleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: ClusterRole\n  name: cluster-admin\nsubjects:\n- kind: ServiceAccount\n  name: kubernetes-dashboard-admin-user\n  namespace: kubernetes-dashboard\n---\napiVersion: v1\nkind: Secret\ntype: kubernetes.io/service-account-token\nmetadata:\n  name: kubernetes-dashboard-token\n  namespace: kubernetes-dashboard\n  annotations:\n    kubernetes.io/service-account.name: kubernetes-dashboard-admin-user\nEOF'" :rows="12" readonly />
+              <br><br>
+              <p>{{ $t('label.token.for.dashboard.login') }}:</p>
+              <code><b>kubectl --kubeconfig /custom/path/kube.conf describe secret kubernetes-dashboard-token -n kubernetes-dashboard</b></code>
             </a-timeline-item>
             <a-timeline-item>
               <p>
-                {{ $t('label.token.for.dashboard.login') }}<br><br>
-                <code><b>kubectl --kubeconfig /custom/path/kube.conf describe secret $(kubectl --kubeconfig /custom/path/kube.conf get secrets -n kubernetes-dashboard | grep kubernetes-dashboard-token | awk '{print $1}') -n kubernetes-dashboard</b></code>
+                <strong>Important Notes:</strong><br>
+                • <strong>Port-forwarding is recommended for Headlamp</strong> - simpler and more reliable than kubectl proxy<br>
+                • Token is only needed if accessing Headlamp via NodePort or LoadBalancer with external access<br>
+                • For Kubernetes 1.24+, service account tokens are no longer auto-generated - use the Secret resource shown above or <code>kubectl create token</code> command<br>
+                • <strong>Cluster-admin role grants full control</strong> - use with caution and only for trusted administrators<br>
+                • Keep the port-forward command running while using the dashboard (press Ctrl+C to stop)
               </p>
             </a-timeline-item>
           </a-timeline>
-          <p>{{ $t('label.more.access.dashboard.ui') }}, <a href="https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/#accessing-the-dashboard-ui">https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/#accessing-the-dashboard-ui</a></p>
+          <p>{{ $t('label.more.access.dashboard.ui') }}:
+            <a href="https://headlamp.dev/docs/latest/">Headlamp Documentation</a> |
+            <a href="https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/#accessing-the-dashboard-ui">Kubernetes Dashboard (Legacy)</a>
+          </p>
         </a-card>
         <a-card :title="$t('label.access.kubernetes.nodes')">
           <p v-html="$t('label.kubernetes.access.details')"></p>
diff --git a/ui/src/views/compute/ScaleVM.vue b/ui/src/views/compute/ScaleVM.vue
index ce8dca5b43a6..b810e1327c6b 100644
--- a/ui/src/views/compute/ScaleVM.vue
+++ b/ui/src/views/compute/ScaleVM.vue
@@ -23,10 +23,6 @@
       <loading-outlined style="color: #1890ff;" />
     </div>
 
-    <a-alert v-if="fixedOfferingKvm" type="error" show-icon>
-      <template #message><span style="margin-bottom: 5px" v-html="$t('message.error.fixed.offering.kvm')" /></template>
-    </a-alert>
-
     <compute-offering-selection
       :compute-items="offerings"
       :loading="loading"
@@ -42,9 +38,11 @@
       :memory-input-decorator="memoryKey"
       :computeOfferingId="selectedOffering.id"
       :isConstrained="'serviceofferingdetails' in selectedOffering"
+      :initialCpuValue="getInitialCpuValue()"
       :minCpu="getMinCpu()"
       :maxCpu="'serviceofferingdetails' in selectedOffering ? selectedOffering.serviceofferingdetails.maxcpunumber*1 : Number.MAX_SAFE_INTEGER"
       :cpuSpeed="getCPUSpeed()"
+      :initialMemoryValue="getInitialMemoryValue()"
       :minMemory="getMinMemory()"
       :maxMemory="'serviceofferingdetails' in selectedOffering ? selectedOffering.serviceofferingdetails.maxmemory*1 : Number.MAX_SAFE_INTEGER"
       :isCustomized="selectedOffering.iscustomized"
@@ -151,32 +149,31 @@ export default {
           return
         }
         this.offerings = response.listserviceofferingsresponse.serviceoffering || []
-        if (this.resource.state === 'Running' && this.resource.hypervisor === 'KVM') {
-          this.offerings = this.offerings.filter(offering => offering.id === this.resource.serviceofferingid)
-          this.currentOffer = this.offerings[0]
-          if (this.currentOffer === undefined) {
-            this.fixedOfferingKvm = true
-          }
-        }
-        this.offerings.map(i => { this.offeringsMap[i.id] = i })
+        this.offerings.forEach(offering => { this.offeringsMap[offering.id] = offering })
       }).finally(() => {
         this.loading = false
       })
     },
     getMinCpu () {
-      // We can only scale up while a VM is running
-      if (this.resource.state === 'Running') {
-        return this.resource.cpunumber
-      }
       return this.selectedOffering?.serviceofferingdetails?.mincpunumber * 1 || 1
     },
-    getMinMemory () {
-      // We can only scale up while a VM is running
-      if (this.resource.state === 'Running') {
-        return this.resource.memory
+    getInitialCpuValue () {
+      const offeringMinCpu = this.getMinCpu()
+      if (this.resource.cpunumber < offeringMinCpu) {
+        return offeringMinCpu
       }
+      return this.resource.cpunumber
+    },
+    getMinMemory () {
       return this.selectedOffering?.serviceofferingdetails?.minmemory * 1 || 32
     },
+    getInitialMemoryValue () {
+      const offeringMinMemory = this.getMinMemory()
+      if (this.resource.memory < offeringMinMemory) {
+        return offeringMinMemory
+      }
+      return this.resource.memory
+    },
     getCPUSpeed () {
       // We can only scale up while a VM is running
       if (this.resource.state === 'Running') {
diff --git a/ui/src/views/compute/StartBackup.vue b/ui/src/views/compute/StartBackup.vue
index 812e9e49e050..de2680d14476 100644
--- a/ui/src/views/compute/StartBackup.vue
+++ b/ui/src/views/compute/StartBackup.vue
@@ -125,7 +125,7 @@ export default {
         postAPI('createBackup', data).then(response => {
           this.$pollJob({
             jobId: response.createbackupresponse.jobid,
-            title: this.$t('label.create.bucket'),
+            title: this.$t('label.create.backup'),
             description: values.name,
             errorMessage: this.$t('message.create.backup.failed'),
             loadingMessage: `${this.$t('label.create.backup')}: ${this.resource.name || this.resource.id}`,
diff --git a/ui/src/views/compute/wizard/ComputeOfferingSelection.vue b/ui/src/views/compute/wizard/ComputeOfferingSelection.vue
index eb6e228a93f6..0a3e5fd2e827 100644
--- a/ui/src/views/compute/wizard/ComputeOfferingSelection.vue
+++ b/ui/src/views/compute/wizard/ComputeOfferingSelection.vue
@@ -41,6 +41,8 @@
       <template #headerCell="{ column }">
         <template v-if="column.key === 'cpu'"><appstore-outlined /> {{ $t('label.cpu') }}</template>
         <template v-if="column.key === 'ram'"><bulb-outlined /> {{ $t('label.memory') }}</template>
+        <template v-if="column.key === 'hosttags'"><tag-outlined /> {{ $t('label.hosttags') }}</template>
+        <template v-if="column.key === 'storagetags'"><tag-outlined /> {{ $t('label.storagetags') }}</template>
         <template v-if="column.key === 'gpu'"><font-awesome-icon
               :icon="['fa-solid', 'fa-microchip']"
               class="anticon"
@@ -197,6 +199,22 @@ export default {
         })
       }
 
+      if (this.computeItems.some(item => item.hosttags !== undefined && item.hosttags !== null)) {
+        baseColumns.push({
+          key: 'hosttags',
+          dataIndex: 'hosttags',
+          width: '30%'
+        })
+      }
+
+      if (this.computeItems.some(item => item.storagetags !== undefined && item.storagetags !== null)) {
+        baseColumns.push({
+          key: 'storagetags',
+          dataIndex: 'storagetags',
+          width: '30%'
+        })
+      }
+
       return baseColumns
     },
     tableSource () {
@@ -256,6 +274,7 @@ export default {
           }
           gpuValue = gpuCount + ' x ' + gpuType
         }
+
         return {
           key: item.id,
           name: item.name,
@@ -267,7 +286,9 @@ export default {
           gpuCount: gpuCount,
           gpuType: gpuType,
           gpu: gpuValue,
-          gpuDetails: this.getGpuDetails(item)
+          gpuDetails: this.getGpuDetails(item),
+          hosttags: item.hosttags !== undefined && item.hosttags !== null ? item.hosttags : undefined,
+          storagetags: item.storagetags !== undefined && item.storagetags !== null ? item.storagetags : undefined
         }
       })
     },
diff --git a/ui/src/views/compute/wizard/ComputeSelection.vue b/ui/src/views/compute/wizard/ComputeSelection.vue
index 563e17984e35..9cf36153f5cd 100644
--- a/ui/src/views/compute/wizard/ComputeSelection.vue
+++ b/ui/src/views/compute/wizard/ComputeSelection.vue
@@ -111,6 +111,10 @@ export default {
       type: Number,
       default: 0
     },
+    initialCpuValue: {
+      type: Number,
+      default: 0
+    },
     minCpu: {
       type: Number,
       default: 0
@@ -119,6 +123,10 @@ export default {
       type: Number,
       default: 2
     },
+    initialMemoryValue: {
+      type: Number,
+      default: 0
+    },
     minMemory: {
       type: Number,
       default: 0
@@ -200,8 +208,8 @@ export default {
   },
   methods: {
     fillValue () {
-      this.cpuNumberInputValue = this.minCpu
-      this.memoryInputValue = this.minMemory
+      this.cpuNumberInputValue = this.initialCpuValue > 0 ? this.initialCpuValue : this.minCpu
+      this.memoryInputValue = this.initialMemoryValue > 0 ? this.initialMemoryValue : this.minMemory
       this.cpuSpeedInputValue = this.cpuSpeed
 
       if (!this.preFillContent) {
diff --git a/ui/src/views/compute/wizard/SecurityGroupSelection.vue b/ui/src/views/compute/wizard/SecurityGroupSelection.vue
index 9d91cc1cbe19..0ea08ec8887d 100644
--- a/ui/src/views/compute/wizard/SecurityGroupSelection.vue
+++ b/ui/src/views/compute/wizard/SecurityGroupSelection.vue
@@ -75,6 +75,18 @@ export default {
     preFillContent: {
       type: Object,
       default: () => {}
+    },
+    domainId: {
+      type: String,
+      default: () => ''
+    },
+    account: {
+      type: String,
+      default: () => ''
+    },
+    projectId: {
+      type: String,
+      default: () => ''
     }
   },
   data () {
@@ -102,6 +114,9 @@ export default {
     }
   },
   computed: {
+    ownerParams () {
+      return `${this.domainId}-${this.account}-${this.projectId}`
+    },
     rowSelection () {
       return {
         type: 'checkbox',
@@ -121,6 +136,11 @@ export default {
         this.selectedRowKeys = newValue
       }
     },
+    ownerParams () {
+      this.selectedRowKeys = []
+      this.$emit('select-security-group-item', null)
+      this.fetchData()
+    },
     loading () {
       if (!this.loading) {
         if (this.preFillContent.securitygroupids) {
@@ -140,9 +160,9 @@ export default {
   methods: {
     fetchData () {
       const params = {
-        projectid: this.$store.getters.project ? this.$store.getters.project.id : null,
-        domainid: this.$store.getters.project && this.$store.getters.project.id ? null : this.$store.getters.userInfo.domainid,
-        account: this.$store.getters.project && this.$store.getters.project.id ? null : this.$store.getters.userInfo.account,
+        projectid: this.projectId || (this.$store.getters.project ? this.$store.getters.project.id : null),
+        domainid: this.projectId || (this.$store.getters.project && this.$store.getters.project.id) ? null : (this.domainId || this.$store.getters.userInfo.domainid),
+        account: this.projectId || (this.$store.getters.project && this.$store.getters.project.id) ? null : (this.account || this.$store.getters.userInfo.account),
         page: this.page,
         pageSize: this.pageSize
       }
diff --git a/ui/src/views/extension/CreateExtension.vue b/ui/src/views/extension/CreateExtension.vue
index 6311e6dea95d..3baae81174e9 100644
--- a/ui/src/views/extension/CreateExtension.vue
+++ b/ui/src/views/extension/CreateExtension.vue
@@ -89,6 +89,14 @@
         <details-input
           v-model:value="form.details" />
       </a-form-item>
+      <a-form-item name="reservedresourcedetails" ref="reservedresourcedetails">
+        <template #label>
+          <tooltip-label :title="$t('label.reservedresourcedetails')" :tooltip="apiParams.reservedresourcedetails.description"/>
+        </template>
+        <a-input
+          v-model:value="form.reservedresourcedetails"
+          :placeholder="apiParams.reservedresourcedetails.description" />
+      </a-form-item>
       <a-form-item name="state" ref="state">
         <template #label>
           <tooltip-label :title="$t('label.enabled')" :tooltip="apiParams.state.description"/>
@@ -201,6 +209,9 @@ export default {
             params['details[0].' + key] = value
           })
         }
+        if (values.reservedresourcedetails) {
+          params.reservedresourcedetails = values.reservedresourcedetails
+        }
         postAPI('createExtension', params).then(response => {
           this.$emit('refresh-data')
           this.$notification.success({
diff --git a/ui/src/views/extension/UpdateExtension.vue b/ui/src/views/extension/UpdateExtension.vue
index 192a339b43ad..0926c6268b60 100644
--- a/ui/src/views/extension/UpdateExtension.vue
+++ b/ui/src/views/extension/UpdateExtension.vue
@@ -46,6 +46,14 @@
         <details-input
           v-model:value="form.details" />
       </a-form-item>
+      <a-form-item name="reservedresourcedetails" ref="reservedresourcedetails">
+        <template #label>
+          <tooltip-label :title="$t('label.reservedresourcedetails')" :tooltip="apiParams.reservedresourcedetails.description"/>
+        </template>
+        <a-input
+          v-model:value="form.reservedresourcedetails"
+          :placeholder="apiParams.reservedresourcedetails.description" />
+      </a-form-item>
       <div :span="24" class="action-button">
         <a-button @click="closeAction">{{ $t('label.cancel') }}</a-button>
         <a-button :loading="loading" ref="submit" type="primary" @click="handleSubmit">{{ $t('label.ok') }}</a-button>
@@ -90,13 +98,16 @@ export default {
       this.form = reactive({
         description: this.resource.description,
         details: this.resource.details,
-        orchestratorrequirespreparevm: this.resource.orchestratorrequirespreparevm
+        orchestratorrequirespreparevm: this.resource.orchestratorrequirespreparevm,
+        reservedresourcedetails: this.resource.reservedresourcedetails
       })
     },
     fetchData () {
       this.loading = true
       getAPI('listExtensions', { id: this.resource.id }).then(json => {
-        this.form.details = json?.listextensionsresponse?.extension?.[0]?.details
+        const ext = json?.listextensionsresponse?.extension?.[0] || {}
+        this.form.details = ext.details
+        this.form.reservedresourcedetails = ext.reservedresourcedetails
       }).finally(() => {
         this.loading = false
       })
@@ -110,7 +121,7 @@ export default {
         const params = {
           id: this.resource.id
         }
-        const keys = ['description', 'orchestratorrequirespreparevm']
+        const keys = ['description', 'orchestratorrequirespreparevm', 'reservedresourcedetails']
         for (const key of keys) {
           if (values[key] !== undefined || values[key] !== null) {
             params[key] = values[key]
diff --git a/ui/src/views/image/TemplateZones.vue b/ui/src/views/image/TemplateZones.vue
index e517aad5167d..31b65e556a4b 100644
--- a/ui/src/views/image/TemplateZones.vue
+++ b/ui/src/views/image/TemplateZones.vue
@@ -91,7 +91,7 @@
           :rowKey="record => record.datastoreId">
           <template #bodyCell="{ text, record, column }">
             <template v-if="column.dataIndex === 'datastore' && record.datastoreId">
-                <router-link :to="{ path: '/storagepool/' + encodeURIComponent(record.datastoreId) }">
+              <router-link :to="{ path: '/storagepool/' + encodeURIComponent(record.datastoreId) }">
                 {{ text }}
               </router-link>
             </template>
@@ -107,7 +107,7 @@
           :rowKey="record => record.datastoreId">
           <template #bodyCell="{ text, record, column }">
             <template v-if="column.dataIndex === 'datastore' && record.datastoreId">
-                <router-link :to="{ path: '/imagestore/' + record.datastoreId }">
+              <router-link :to="{ path: '/imagestore/' + record.datastoreId }">
                 {{ text }}
               </router-link>
             </template>
@@ -217,7 +217,9 @@
           <a-alert type="error">
             <template #message>
               <exclamation-circle-outlined style="color: red; fontSize: 30px; display: inline-flex" />
-              <span style="padding-left: 5px" v-html="`<b>${selectedRowKeys.length} ` + $t('label.items.selected') + `. </b>`" />
+              <span
+                style="padding-left: 5px"
+                v-html="`<b>${selectedRowKeys.length} ` + $t('label.items.selected') + `. </b>`" />
               <span v-html="$t(message.confirmMessage)" />
             </template>
           </a-alert>
@@ -391,10 +393,10 @@ export default {
   },
   computed: {
     isActionsOnTemplatePermitted () {
-      return (['Admin'].includes(this.$store.getters.userInfo.roletype) || // If admin or owner or belongs to current project
+      return (['Admin'].includes(this.$store.getters.userInfo.roletype) ||
         (this.resource.domainid === this.$store.getters.userInfo.domainid && this.resource.account === this.$store.getters.userInfo.account) ||
         (this.resource.domainid === this.$store.getters.userInfo.domainid && this.resource.projectid && this.$store.getters.project && this.$store.getters.project.id && this.resource.projectid === this.$store.getters.project.id)) &&
-        (this.resource.isready || !this.resource.status || this.resource.status.indexOf('Downloaded') === -1) && // Template is ready or downloaded
+        (this.resource.isready || !this.resource.status || this.resource.status.indexOf('Downloaded') === -1) &&
         this.resource.templatetype !== 'SYSTEM'
     }
   },
@@ -476,7 +478,7 @@ export default {
       this.showTable = false
       this.fetchData()
       if (this.dataSource.length === 0) {
-        this.$router.go(-1)
+        this.$router.push({ path: '/template' })
       }
     },
     getOkProps () {
diff --git a/ui/src/views/infra/HostInfo.vue b/ui/src/views/infra/HostInfo.vue
index 0fea5788a319..cb16a5a8bbee 100644
--- a/ui/src/views/infra/HostInfo.vue
+++ b/ui/src/views/infra/HostInfo.vue
@@ -64,6 +64,22 @@
           </div>
         </div>
       </a-list-item>
+      <a-list-item v-if="host.details && host.details['host.vddk.support']">
+        <div>
+          <strong>{{ $t('label.host.vddk.support') }}</strong>
+          <div>
+            {{ host.details['host.vddk.support'] }}
+          </div>
+        </div>
+      </a-list-item>
+      <a-list-item v-if="host.details && host.details['host.vddk.version']">
+        <div>
+          <strong>{{ $t('label.host.vddk.version') }}</strong>
+          <div>
+            {{ host.details['host.vddk.version'] }}
+          </div>
+        </div>
+      </a-list-item>
       <a-list-item v-if="host.details && host.details['host.ovftool.version']">
         <div>
           <strong>{{ $t('label.host.ovftool.version') }}</strong>
diff --git a/ui/src/views/network/CreateIsolatedNetworkForm.vue b/ui/src/views/network/CreateIsolatedNetworkForm.vue
index 7dc4dbe75e3f..3ce8f809a7e2 100644
--- a/ui/src/views/network/CreateIsolatedNetworkForm.vue
+++ b/ui/src/views/network/CreateIsolatedNetworkForm.vue
@@ -96,6 +96,11 @@
                 {{ opt.displaytext || opt.name || opt.description }}
               </a-select-option>
             </a-select>
+            <a-alert type="warning" v-if="!this.hasVPC">
+              <template #message>
+                <span v-html="$t('message.warn.vpc.offerings')"/>
+              </template>
+            </a-alert>
           </a-form-item>
           <a-form-item ref="asnumber" name="asnumber" v-if="isASNumberRequired()">
             <template #label>
@@ -294,6 +299,15 @@
               v-model:value="form.sourcenatipaddress"
               :placeholder="apiParams.sourcenatipaddress?.description"/>
           </a-form-item>
+          <a-form-item name="keepMacAddressOnPublicNic" ref="keepMacAddressOnPublicNic" v-if="isAdmin() && !selectedNetworkOffering?.forvpc">
+            <template #label>
+              <tooltip-label
+                :title="$t('label.keep.mac.address.on.public.nic')"
+                :tooltip="apiParams.keepmacaddressonpublicnic?.description"
+              />
+            </template>
+            <a-switch v-model:checked="form.keepMacAddressOnPublicNic" />
+          </a-form-item>
           <div :span="24" class="action-button">
             <a-button
               :loading="actionLoading"
@@ -369,7 +383,8 @@ export default {
       setMTU: false,
       asNumberLoading: false,
       selectedAsNumber: 0,
-      asNumbersZone: []
+      asNumbersZone: [],
+      hasVPC: true
     }
   },
   watch: {
@@ -408,7 +423,9 @@ export default {
   methods: {
     initForm () {
       this.formRef = ref()
-      this.form = reactive({})
+      this.form = reactive({
+        keepMacAddressOnPublicNic: true
+      })
       this.rules = reactive({
         name: [{ required: true, message: this.$t('message.error.name') }],
         zoneid: [{ type: 'number', required: true, message: this.$t('message.error.select') }],
@@ -515,13 +532,17 @@ export default {
       if (this.vpc !== null) { // from VPC section
         this.fetchNetworkOfferingData(true)
       } else { // from guest network section
-        var params = {}
+        const params = {
+          account: this.owner.account,
+          projectid: this.owner.projectid,
+          domainid: this.owner.domainid
+        }
         this.networkOfferingLoading = true
         if ('listVPCs' in this.$store.getters.apis) {
           getAPI('listVPCs', params).then(json => {
             const listVPCs = json.listvpcsresponse.vpc
-            var vpcAvailable = this.arrayHasItems(listVPCs)
-            if (vpcAvailable === false) {
+            this.hasVPC = this.arrayHasItems(listVPCs)
+            if (!this.hasVPC) {
               this.fetchNetworkOfferingData(false)
             } else {
               this.fetchNetworkOfferingData()
@@ -534,7 +555,7 @@ export default {
     },
     fetchNetworkOfferingData (forVpc) {
       this.networkOfferingLoading = true
-      var params = {
+      const params = {
         zoneid: this.selectedZone.id,
         guestiptype: 'Isolated',
         state: 'Enabled'
@@ -577,7 +598,7 @@ export default {
     },
     fetchVpcData () {
       this.vpcLoading = true
-      var params = {
+      const params = {
         listAll: true,
         details: 'min'
       }
@@ -600,14 +621,15 @@ export default {
         const formRaw = toRaw(this.form)
         const values = this.handleRemoveFields(formRaw)
         this.actionLoading = true
-        var params = {
+        const params = {
           zoneId: this.selectedZone.id,
           name: values.name,
           displayText: values.displaytext,
-          networkOfferingId: this.selectedNetworkOffering.id
+          networkOfferingId: this.selectedNetworkOffering.id,
+          keepmacaddressonpublicnic: values.keepMacAddressOnPublicNic
         }
-        var usefulFields = ['gateway', 'netmask', 'cidrsize', 'startip', 'startipv4', 'endip', 'endipv4', 'dns1', 'dns2', 'ip6dns1', 'ip6dns2', 'sourcenatipaddress', 'externalid', 'vpcid', 'vlan', 'networkdomain']
-        for (var field of usefulFields) {
+        const usefulFields = ['gateway', 'netmask', 'cidrsize', 'startip', 'startipv4', 'endip', 'endipv4', 'dns1', 'dns2', 'ip6dns1', 'ip6dns2', 'sourcenatipaddress', 'externalid', 'vpcid', 'vlan', 'networkdomain']
+        for (const field of usefulFields) {
           if (this.isValidTextValueForKey(values, field)) {
             params[field] = values[field]
           }
diff --git a/ui/src/views/network/CreateNetwork.vue b/ui/src/views/network/CreateNetwork.vue
index 05fd7cbd5a6c..46ed9d2e039f 100644
--- a/ui/src/views/network/CreateNetwork.vue
+++ b/ui/src/views/network/CreateNetwork.vue
@@ -106,7 +106,7 @@ export default {
     fetchActionZoneData () {
       this.loading = true
       const params = {}
-      if (this.resource.zoneid && (this.$route.name === 'deployVirtualMachine' || this.$route.path.startsWith('/backup'))) {
+      if (this.resource?.zoneid && (this.$route.name === 'deployVirtualMachine' || this.$route.path.startsWith('/backup'))) {
         params.id = this.resource.zoneid
       }
       this.actionZoneLoading = true
diff --git a/ui/src/views/network/CreateVpc.vue b/ui/src/views/network/CreateVpc.vue
index 2218662076e6..2b66f79b387d 100644
--- a/ui/src/views/network/CreateVpc.vue
+++ b/ui/src/views/network/CreateVpc.vue
@@ -202,6 +202,15 @@
             v-model:value="form.sourcenatipaddress"
             :placeholder="apiParams.sourcenatipaddress?.description"/>
         </a-form-item>
+        <a-form-item name="keepMacAddressOnPublicNic" ref="keepMacAddressOnPublicNic" v-if="isAdmin()">
+          <template #label>
+            <tooltip-label
+              :title="$t('label.keep.mac.address.on.public.nic')"
+              :tooltip="apiParams.keepmacaddressonpublicnic?.description"
+            />
+          </template>
+          <a-switch v-model:checked="form.keepMacAddressOnPublicNic" />
+        </a-form-item>
         <a-form-item name="start" ref="start">
           <template #label>
             <tooltip-label :title="$t('label.start')" :tooltip="apiParams.start.description"/>
@@ -287,7 +296,8 @@ export default {
     initForm () {
       this.formRef = ref()
       this.form = reactive({
-        start: true
+        start: true,
+        keepMacAddressOnPublicNic: true
       })
       this.rules = reactive({
         name: [{ required: true, message: this.$t('message.error.required.input') }],
@@ -447,7 +457,7 @@ export default {
       if (this.loading) return
       this.formRef.value.validate().then(() => {
         const values = toRaw(this.form)
-        var params = {}
+        const params = {}
         if (this.owner?.account) {
           params.account = this.owner.account
           params.domainid = this.owner.domainid
@@ -460,7 +470,11 @@ export default {
           if (input === '' || input === null || input === undefined) {
             continue
           }
-          params[key] = input
+          if (key === 'keepMacAddressOnPublicNic') {
+            params.keepmacaddressonpublicnic = input
+          } else {
+            params[key] = input
+          }
         }
         if (this.selectedVpcOffering.networkmode === 'ROUTED') {
           if ((values.cidr === undefined || values.cidr === '') && (values.cidrsize === undefined || values.cidrsize === '')) {
diff --git a/ui/src/views/network/NicsTab.vue b/ui/src/views/network/NicsTab.vue
index 9c16865e0c6e..4c99f4f1c511 100644
--- a/ui/src/views/network/NicsTab.vue
+++ b/ui/src/views/network/NicsTab.vue
@@ -54,6 +54,13 @@
           icon="environment-outlined"
           :disabled="(!('addIpToNic' in $store.getters.apis) && !('addIpToNic' in $store.getters.apis))"
           @onClick="onAcquireSecondaryIPAddress(record)" />
+        <tooltip-button
+          v-if="resource.hypervisor === 'KVM'"
+          tooltipPlacement="bottom"
+          :tooltip="$t('label.edit.nic')"
+          icon="edit-outlined"
+          :disabled="(!('updateVmNic' in $store.getters.apis))"
+          @onClick="onUpdateNic(record)" />
         <a-popconfirm
           :title="$t('message.network.removenic')"
           @confirm="removeNIC(record.nic)"
@@ -195,7 +202,7 @@
       <a-divider />
       <div v-ctrl-enter="submitSecondaryIP">
         <div class="modal-form">
-          <p class="modal-form__label">{{ $t('label.publicip') }}:</p>
+          <p class="modal-form__label--no-margin">{{ $t('label.publicip') }}:</p>
           <a-select
             v-if="editNicResource.type==='Shared'"
             v-model:value="newSecondaryIp"
@@ -243,6 +250,31 @@
         </a-list-item>
       </a-list>
     </a-modal>
+
+    <a-modal
+      :visible="showUpdateNicModal"
+      :title="$t('label.edit.nic')"
+      :maskClosable="false"
+      :closable="true"
+      :footer="null"
+      @cancel="closeModals"
+    >
+      {{ $t('message.network.update.nic') }}
+
+      <a-form
+        @finish="submitUpdateNic"
+        v-ctrl-enter="submitUpdateNic">
+        <a-form-item name="linkstate" ref="linkstate">
+          <p class="modal-form__label">{{ $t('state.enabled') }}:</p>
+          <a-switch v-model:checked="editNicStateValue" @change="val => { editNicStateValue = val }" />
+        </a-form-item>
+
+        <div :span="24" class="action-button">
+          <a-button @click="closeModals">{{ $t('label.cancel') }}</a-button>
+          <a-button type="primary" ref="submit" @click="submitUpdateNic">{{ $t('label.ok') }}</a-button>
+        </div>
+      </a-form>
+    </a-modal>
   </a-spin>
 </template>
 
@@ -279,6 +311,7 @@ export default {
       showAddNetworkModal: false,
       showUpdateIpModal: false,
       showSecondaryIpModal: false,
+      showUpdateNicModal: false,
       addNetworkData: {
         allNetworks: [],
         network: '',
@@ -289,6 +322,7 @@ export default {
       editIpAddressNic: '',
       editIpAddressValue: '',
       editNetworkId: '',
+      editNicStateValue: false,
       secondaryIPs: [],
       selectedNicId: '',
       newSecondaryIp: '',
@@ -360,6 +394,7 @@ export default {
       this.showAddNetworkModal = false
       this.showUpdateIpModal = false
       this.showSecondaryIpModal = false
+      this.showUpdateNicModal = false
       this.addNetworkData.network = ''
       this.addNetworkData.ipaddress = ''
       this.addNetworkData.macaddress = ''
@@ -386,6 +421,11 @@ export default {
       this.editNetworkId = record.nic.networkid
       this.fetchSecondaryIPs(record.nic.id)
     },
+    onUpdateNic (record) {
+      this.editNicResource = record.nic
+      this.editNicStateValue = record.nic.enabled
+      this.showUpdateNicModal = true
+    },
     submitAddNetwork () {
       if (this.loadingNic) return
       const params = {}
@@ -609,12 +649,46 @@ export default {
         this.loadingNic = false
         this.fetchSecondaryIPs(this.selectedNicId)
       })
+    },
+    submitUpdateNic () {
+      if (this.loadingNic) return
+      this.loadingNic = true
+      this.showUpdateNicModal = false
+      const params = {
+        nicId: this.editNicResource.id,
+        enabled: this.editNicStateValue
+      }
+      postAPI('updateVmNic', params).then(response => {
+        this.$pollJob({
+          jobId: response.updatevmnicresponse.jobid,
+          successMessage: this.$t('message.success.update.nic'),
+          successMethod: () => {
+            this.loadingNic = false
+            this.closeModals()
+          },
+          errorMessage: this.$t('label.error'),
+          errorMethod: () => {
+            this.loadingNic = false
+            this.closeModals()
+          },
+          loadingMessage: this.$t('message.update.nic.processing'),
+          catchMessage: this.$t('error.fetching.async.job.result'),
+          catchMethod: () => {
+            this.loadingNic = false
+            this.closeModals()
+            this.$emit('refresh')
+          }
+        })
+      }).catch(error => {
+        this.$notifyError(error)
+        this.loadingNic = false
+      })
     }
   }
 }
 </script>
 
-<style scoped>
+<style lang="scss" scoped>
 .modal-form {
   display: flex;
   flex-direction: column;
@@ -626,6 +700,7 @@ export default {
 
     &--no-margin {
       margin-top: 0;
+      font-weight: bold;
     }
   }
 }
diff --git a/ui/src/views/network/NicsTable.vue b/ui/src/views/network/NicsTable.vue
index a31925a6b374..11ba135e39a2 100644
--- a/ui/src/views/network/NicsTable.vue
+++ b/ui/src/views/network/NicsTable.vue
@@ -71,6 +71,9 @@
           {{ $t('label.default') }}
         </a-tag>
       </template>
+      <template v-if="column.key === 'enabled'">
+        <status :text="text ? 'enabled' : 'disabled'"/> {{ text ? 'Enabled' : 'Disabled' }}
+      </template>
     </template>
   </a-table>
 </template>
@@ -78,6 +81,7 @@
 <script>
 import { getAPI } from '@/api'
 import ResourceIcon from '@/components/view/ResourceIcon'
+import Status from '@/components/widgets/Status'
 
 export default {
   name: 'NicsTable',
@@ -92,7 +96,8 @@ export default {
     }
   },
   components: {
-    ResourceIcon
+    ResourceIcon,
+    Status
   },
   inject: ['parentFetchData'],
   data () {
@@ -123,6 +128,11 @@ export default {
         {
           title: this.$t('label.gateway'),
           dataIndex: 'gateway'
+        },
+        {
+          key: 'enabled',
+          title: this.$t('label.state'),
+          dataIndex: 'enabled'
         }
       ],
       networkicon: {},
diff --git a/ui/src/views/network/UpdateNetwork.vue b/ui/src/views/network/UpdateNetwork.vue
index 4a434bb15ae4..2299d842a71f 100644
--- a/ui/src/views/network/UpdateNetwork.vue
+++ b/ui/src/views/network/UpdateNetwork.vue
@@ -208,6 +208,15 @@
           </template>
           <a-switch v-model:checked="form.displaynetwork" />
         </a-form-item>
+        <a-form-item name="keepMacAddressOnPublicNic" ref="keepMacAddressOnPublicNic" v-if="isAdmin() && isUpdatingIsolatedNetwork && !resource?.vpcid">
+          <template #label>
+            <tooltip-label
+              :title="$t('label.keep.mac.address.on.public.nic')"
+              :tooltip="apiParams.keepmacaddressonpublicnic?.description"
+            />
+          </template>
+          <a-switch v-model:checked="form.keepMacAddressOnPublicNic" />
+        </a-form-item>
         <a-form-item name="forced" ref="forced" v-if="isAdmin()">
           <template #label>
             <tooltip-label :title="$t('label.forced')" :tooltip="apiParams.forced.description"/>
@@ -310,7 +319,8 @@ export default {
       this.form = reactive({
         displaynetwork: this.resource.displaynetwork,
         privatemtu: this.resource.privatemtu,
-        publicmtu: this.resource.publicmtu
+        publicmtu: this.resource.publicmtu,
+        keepMacAddressOnPublicNic: this.resource.keepmacaddressonpublicnic
       })
       this.rules = reactive({
         name: [{ required: true, message: this.$t('message.error.required.input') }],
@@ -393,18 +403,20 @@ export default {
         const formRaw = toRaw(this.form)
         const values = this.handleRemoveFields(formRaw)
         this.loading = true
-        var manualFields = ['name', 'networkofferingid']
+        const manualFields = ['name', 'networkofferingid']
         const params = {
           id: this.resource.id,
           name: values.name
         }
-        for (var field in values) {
+        for (const field in values) {
           if (manualFields.includes(field)) continue
-          var fieldValue = values[field]
-          if (fieldValue !== undefined &&
-            fieldValue !== null &&
-            (!(field in this.resourceValues) || this.resourceValues[field] !== fieldValue)) {
-            params[field] = fieldValue
+          const fieldValue = values[field]
+          if (fieldValue !== undefined && fieldValue !== null && (!(field in this.resourceValues) || this.resourceValues[field] !== fieldValue)) {
+            if (field === 'keepMacAddressOnPublicNic') {
+              params.keepmacaddressonpublicnic = fieldValue
+            } else {
+              params[field] = fieldValue
+            }
           }
         }
         if (values.networkofferingid !== undefined &&
diff --git a/ui/src/views/network/VpcTiersTab.vue b/ui/src/views/network/VpcTiersTab.vue
index 4f6aaef4445d..4a689f13c34d 100644
--- a/ui/src/views/network/VpcTiersTab.vue
+++ b/ui/src/views/network/VpcTiersTab.vue
@@ -193,8 +193,14 @@
               optionFilterProp="label"
               :filterOption="(input, option) => {
                 return option.label.toLowerCase().indexOf(input.toLowerCase()) >= 0
-              }" >
-              <a-select-option v-for="item in networkOfferings" :key="item.id" :value="item.id" :label="item.displaytext || item.name || item.description">
+              }"
+               >
+              <a-select-option
+                v-for="item in networkOfferings"
+                :key="item.id"
+                :value="item.id"
+                :label="item.displaytext || item.name || item.description"
+                :title="item.displaytext || item.name || item.description">
                 {{ item.displaytext || item.name || item.description }}
               </a-select-option>
             </a-select>
diff --git a/ui/src/views/network/VpnCustomerGateway.vue b/ui/src/views/network/VpnCustomerGateway.vue
index c1b1ed78ce06..d1aec08a5023 100644
--- a/ui/src/views/network/VpnCustomerGateway.vue
+++ b/ui/src/views/network/VpnCustomerGateway.vue
@@ -372,9 +372,13 @@ export default {
         'Group 15': 'modp3072',
         'Group 16': 'modp4096',
         'Group 17': 'modp6144',
-        'Group 18': 'modp8192'
+        'Group 18': 'modp8192',
+        'Group 22': 'modp1024s160',
+        'Group 23': 'modp2048s224',
+        'Group 24': 'modp2048s256',
+        'Group 31': 'curve25519'
       },
-      ikeDhGroupInitialKey: 'Group 5',
+      ikeDhGroupInitialKey: 'Group 31',
       isSubmitted: false,
       ikeversion: 'ike',
       allowedEncryptionAlgos: [],
@@ -401,12 +405,12 @@ export default {
         gateway: '',
         cidrlist: '',
         ipsecpsk: '',
-        ikeEncryption: '',
-        ikeHash: '',
-        ikeversion: '',
-        ikeDh: '',
-        espEncryption: '',
-        espHash: '',
+        ikeEncryption: 'aes256',
+        ikeHash: 'sha1',
+        ikeversion: 'ike',
+        ikeDh: 'Group 31(curve 25519)',
+        espEncryption: 'aes256',
+        espHash: 'sha256',
         perfectForwardSecrecy: 'None',
         ikelifetime: '86400',
         esplifetime: '3600',
diff --git a/ui/src/views/storage/CreateVMFromBackup.vue b/ui/src/views/storage/CreateVMFromBackup.vue
index 8d29397e45ad..891e8fe96420 100644
--- a/ui/src/views/storage/CreateVMFromBackup.vue
+++ b/ui/src/views/storage/CreateVMFromBackup.vue
@@ -92,10 +92,11 @@ export default {
     }
   },
   async created () {
-    await Promise.all[(
+    await Promise.all([
       this.fetchServiceOffering(),
-      this.fetchBackupOffering()
-    )]
+      this.fetchBackupOffering(),
+      this.fetchBackupArch()
+    ])
     this.loading = false
   },
   methods: {
@@ -118,6 +119,23 @@ export default {
         this.backupOffering = backupOfferings[0]
       })
     },
+    fetchBackupArch () {
+      const isIso = this.resource.vmdetails.isiso === 'true'
+      const api = isIso ? 'listIsos' : 'listTemplates'
+      const responseKey = isIso ? 'listisosresponse' : 'listtemplatesresponse'
+      const itemKey = isIso ? 'iso' : 'template'
+
+      return getAPI(api, {
+        id: this.resource.vmdetails.templateid,
+        listall: true,
+        ...(isIso ? {} : { templatefilter: 'all' })
+      }).then(response => {
+        const items = response?.[responseKey]?.[itemKey] || []
+        this.backupArch = items[0]?.arch || 'x86_64'
+      }).catch(() => {
+        this.backupArch = 'x86_64'
+      })
+    },
     populatePreFillData () {
       this.vmdetails = this.resource.vmdetails
       this.dataPreFill.zoneid = this.resource.zoneid
@@ -128,6 +146,7 @@ export default {
       this.dataPreFill.backupid = this.resource.id
       this.dataPreFill.computeofferingid = this.vmdetails.serviceofferingid
       this.dataPreFill.templateid = this.vmdetails.templateid
+      this.dataPreFill.backupArch = this.backupArch
       this.dataPreFill.allowtemplateisoselection = true
       this.dataPreFill.isoid = this.vmdetails.templateid
       this.dataPreFill.allowIpAddressesFetch = this.resource.isbackupvmexpunged
diff --git a/ui/src/views/storage/CreateVolume.vue b/ui/src/views/storage/CreateVolume.vue
index e99cc7491707..f5185091f31b 100644
--- a/ui/src/views/storage/CreateVolume.vue
+++ b/ui/src/views/storage/CreateVolume.vue
@@ -116,6 +116,42 @@
             :placeholder="apiParams.maxiops.description"/>
         </a-form-item>
       </span>
+      <a-form-item name="createOnStorage" ref="createOnStorage" v-if="showStoragePoolSelect">
+        <template #label>
+          <tooltip-label :title="$t('label.create.on.storage')" :tooltip="$t('label.create.volume.on.primary.storage')" />
+        </template>
+        <a-switch
+          v-model:checked="form.createOnStorage"
+          :checked="createOnStorage"
+          @change="onChangeCreateOnStorage" />
+      </a-form-item>
+      <span v-if="showStoragePoolSelect && createOnStorage">
+        <a-form-item ref="storageid" name="storageid">
+          <template #label>
+            <tooltip-label :title="$t('label.storageid')" />
+          </template>
+          <a-select
+            v-model:value="form.storageid"
+            :loading="loading"
+            showSearch
+            optionFilterProp="label"
+            :filterOption="(input, option) => {
+              return option.label.toLowerCase().indexOf(input.toLowerCase()) >= 0
+            }" >
+            <a-select-option
+              v-for="(pool, index) in storagePools"
+              :value="pool.id"
+              :key="index"
+              :label="pool.name">
+              <span>
+                <resource-icon v-if="pool.icon" :image="pool.icon.base64image" size="1x" style="margin-right: 5px"/>
+                <hdd-outlined v-else style="margin-right: 5px"/>
+                {{ pool.name }}
+              </span>
+            </a-select-option>
+          </a-select>
+        </a-form-item>
+      </span>
       <a-form-item name="attachVolume" ref="attachVolume" v-if="!createVolumeFromVM">
         <template #label>
           <tooltip-label :title="$t('label.action.attach.to.instance')" :tooltip="$t('label.attach.vol.to.instance')" />
@@ -170,6 +206,7 @@
 import { ref, reactive, toRaw } from 'vue'
 import { getAPI, postAPI } from '@/api'
 import { mixinForm } from '@/utils/mixin'
+import { isAdmin } from '@/role'
 import ResourceIcon from '@/components/view/ResourceIcon'
 import TooltipLabel from '@/components/widgets/TooltipLabel'
 import OwnershipSelection from '@/views/compute/wizard/OwnershipSelection.vue'
@@ -203,11 +240,16 @@ export default {
       loading: false,
       isCustomizedDiskIOps: false,
       virtualmachines: [],
+      createOnStorage: false,
+      storagePools: [],
       attachVolume: false,
       vmidtoattach: null
     }
   },
   computed: {
+    showStoragePoolSelect () {
+      return isAdmin() && !this.createVolumeFromSnapshot
+    },
     createVolumeFromVM () {
       return this.$route.path.startsWith('/vm/')
     },
@@ -299,6 +341,9 @@ export default {
         this.zones = json.listzonesresponse.zone || []
         this.form.zoneid = this.zones[0].id || ''
         this.fetchDiskOfferings(this.form.zoneid)
+        if (this.createOnStorage) {
+          this.fetchStoragePools(this.form.zoneid)
+        }
         if (this.attachVolume) {
           this.fetchVirtualMachines(this.form.zoneid)
         }
@@ -355,6 +400,25 @@ export default {
         this.loading = false
       })
     },
+    fetchStoragePools (zoneId) {
+      if (!zoneId) {
+        this.storagePools = []
+        return
+      }
+      this.loading = true
+      getAPI('listStoragePools', {
+        zoneid: zoneId,
+        showicon: true
+      }).then(json => {
+        const pools = json.liststoragepoolsresponse.storagepool || []
+        this.storagePools = pools.filter(p => p.state === 'Up')
+      }).catch(error => {
+        this.$notifyError(error)
+        this.storagePools = []
+      }).finally(() => {
+        this.loading = false
+      })
+    },
     fetchVirtualMachines (zoneId) {
       var params = {
         zoneid: zoneId,
@@ -394,6 +458,7 @@ export default {
         if (this.customDiskOffering) {
           values.size = values.size.trim()
         }
+        delete values.createOnStorage
         if (this.createVolumeFromSnapshot) {
           values.snapshotid = this.resource.id
         }
@@ -467,6 +532,15 @@ export default {
         this.attachVolumeApiParams = this.$getApiParams('attachVolume')
         this.fetchVirtualMachines(this.form.zoneid)
       }
+    },
+    onChangeCreateOnStorage () {
+      this.createOnStorage = !this.createOnStorage
+      if (this.createOnStorage) {
+        this.fetchStoragePools(this.form.zoneid)
+        this.form.storageid = this.storagePools[0]?.id || undefined
+      } else {
+        this.form.storageid = undefined
+      }
     }
   }
 }
diff --git a/ui/src/views/tools/ImportUnmanagedInstance.vue b/ui/src/views/tools/ImportUnmanagedInstance.vue
index 1d5bec8be744..ffa0d9344335 100644
--- a/ui/src/views/tools/ImportUnmanagedInstance.vue
+++ b/ui/src/views/tools/ImportUnmanagedInstance.vue
@@ -152,6 +152,12 @@
                   </a-row>
                 </a-radio-group>
               </a-form-item>
+              <a-form-item name="usevddk" ref="usevddk" v-if="selectedVmwareVcenter">
+                <template #label>
+                  <tooltip-label :title="$t('label.use.vddk')" :tooltip="apiParams.usevddk ? apiParams.usevddk.description : ''"/>
+                </template>
+                <a-switch v-model:checked="form.usevddk" @change="onUseVddkChange" />
+              </a-form-item>
               <a-form-item name="forceconverttopool" ref="forceconverttopool" v-if="selectedVmwareVcenter">
                 <template #label>
                   <tooltip-label :title="$t('label.force.convert.to.pool')" :tooltip="apiParams.forceconverttopool.description"/>
@@ -170,7 +176,7 @@
                   @handle-checkselectpair-change="updateSelectedKvmHostForConversion"
                 />
               </a-form-item>
-              <a-form-item name="importhostid" ref="importhostid">
+              <a-form-item name="importhostid" ref="importhostid" v-if="!form.usevddk">
                 <check-box-select-pair
                   layout="vertical"
                   v-if="cluster.hypervisortype === 'KVM' && selectedVmwareVcenter"
@@ -184,12 +190,13 @@
               </a-form-item>
               <a-form-item name="convertstorageoption" ref="convertstorageoption">
                 <check-box-select-pair
+                  :key="`convertstorageoption-${form.usevddk ? 'vddk' : 'default'}-${switches.forceConvertToPool ? 'pool' : 'tmp'}`"
                   layout="vertical"
                   v-if="cluster.hypervisortype === 'KVM' && selectedVmwareVcenter"
                   :resourceKey="cluster.id"
                   :selectOptions="storageOptionsForConversion"
                   :checkBoxLabel="switches.forceConvertToPool ? $t('message.select.destination.storage.instance.conversion') : $t('message.select.temporary.storage.instance.conversion')"
-                  :defaultCheckBoxValue="false"
+                  :defaultCheckBoxValue="switches.forceConvertToPool"
                   :reversed="false"
                   @handle-checkselectpair-change="updateSelectedStorageOptionForConversion"
                 />
@@ -226,12 +233,35 @@
                   :placeholder="$t('label.extra')"
                 />
               </a-form-item>
-              <a-form-item name="forcemstoimportvmfiles" ref="forcemstoimportvmfiles" v-if="selectedVmwareVcenter">
+              <a-form-item name="forcemstoimportvmfiles" ref="forcemstoimportvmfiles" v-if="selectedVmwareVcenter && !form.usevddk">
                 <template #label>
                   <tooltip-label :title="$t('label.force.ms.to.import.vm.files')" :tooltip="apiParams.forcemstoimportvmfiles.description"/>
                 </template>
                 <a-switch v-model:checked="form.forcemstoimportvmfiles" @change="val => { switches.forceMsToImportVmFiles = val }" />
               </a-form-item>
+              <a-form-item name="osid" ref="osid" v-if="selectedVmwareVcenter">
+                <template #label>
+                  <tooltip-label :title="$t('label.guest.os')" :tooltip="$t('label.select.guest.os.type')"/>
+                </template>
+                <a-spin v-if="loadingGuestOsMappings" />
+                <template v-else>
+                  <a-select
+                    v-if="resource.guestOsMappings && resource.guestOsMappings.length > 0"
+                    v-model:value="form.osid"
+                    showSearch
+                    optionFilterProp="label"
+                    :filterOption="(input, option) => {
+                      return option.label.toLowerCase().indexOf(input.toLowerCase()) >= 0
+                    }">
+                    <a-select-option v-for="mapping in resource.guestOsMappings" :key="mapping.ostypeid" :label="mapping.osdisplayname">
+                      <span>
+                        {{ mapping.osdisplayname }}
+                      </span>
+                    </a-select-option>
+                  </a-select>
+                  <a-span v-else>{{ $t('label.no.matching.guest.os.vmware.import') }}</a-span>
+                </template>
+              </a-form-item>
               <a-form-item name="serviceofferingid" ref="serviceofferingid">
                 <template #label>
                   <tooltip-label :title="$t('label.serviceofferingid')" :tooltip="apiParams.serviceofferingid.description"/>
@@ -490,6 +520,10 @@ export default {
     selectedVmwareVcenter: {
       type: Array,
       required: false
+    },
+    loadingGuestOsMappings: {
+      type: Boolean,
+      required: false
     }
   },
   data () {
@@ -554,7 +588,8 @@ export default {
       selectedRootDiskSources: [],
       vmwareToKvmExtraParamsAllowed: false,
       vmwareToKvmExtraParamsSelected: false,
-      vmwareToKvmExtraParams: ''
+      vmwareToKvmExtraParams: '',
+      userModifiedVddkSetting: false
     }
   },
   beforeCreate () {
@@ -739,6 +774,11 @@ export default {
         this.$refs.displayname.focus()
         this.selectMatchingComputeOffering()
       }
+    },
+    'resource.guestOsMappings' (mappings) {
+      if (mappings && mappings.length > 0) {
+        this.form.osid = mappings[0].ostypeid
+      }
     }
   },
   methods: {
@@ -746,12 +786,14 @@ export default {
       this.formRef = ref()
       this.form = reactive({
         rootdiskid: 0,
+        usevddk: false,
         migrateallowed: this.switches.migrateAllowed,
         forced: this.switches.forced,
         forcemstoimportvmfiles: this.switches.forceMsToImportVmFiles,
         forceconverttopool: this.switches.forceConvertToPool,
         domainid: null,
-        account: null
+        account: null,
+        osid: null
       })
       this.rules = reactive({
         displayname: [{ required: true, message: this.$t('message.error.input.value') }],
@@ -978,6 +1020,8 @@ export default {
       }).then(json => {
         this.kvmHostsForConversion = json.listhostsresponse.host || []
         this.kvmHostsForConversion = this.kvmHostsForConversion.filter(host => ['Enabled', 'Disabled'].includes(host.resourcestate))
+        // Check if any host has VDDK support
+        let hasVddkSupport = false
         this.kvmHostsForConversion.map(host => {
           host.name = host.name + ' [Pod=' + host.podname + '] [Cluster=' + host.clustername + ']'
           if (host.instanceconversionsupported !== null && host.instanceconversionsupported !== undefined && host.instanceconversionsupported) {
@@ -991,7 +1035,29 @@ export default {
           if (host.details['host.ovftool.version']) {
             host.name = host.name + ' (ovftool=' + host.details['host.ovftool.version'] + ')'
           }
+          // Check for VDDK support
+          if (host.details['host.vddk.support'] === 'true' || host.details['host.vddk.support'] === true) {
+            hasVddkSupport = true
+          }
+
+          if (this.form.usevddk) {
+            if (host.details['host.vddk.support'] === 'true' || host.details['host.vddk.support'] === true) {
+              host.name = host.name + ' (VDDK=' + this.$t('label.supported') + ')'
+            } else {
+              host.name = host.name + ' (VDDK=' + this.$t('label.not.supported') + ')'
+            }
+            if (host.details['host.vddk.version']) {
+              host.name = host.name + ' (vddk=' + host.details['host.vddk.version'] + ')'
+            }
+          }
         })
+
+        // Enable usevddk by default if at least one host has VDDK support
+        // Only auto-enable if user hasn't manually modified the setting
+        if (hasVddkSupport && !this.form.usevddk && !this.userModifiedVddkSetting) {
+          this.form.usevddk = true
+          this.onUseVddkChange(true, false)
+        }
       })
     },
     fetchKvmHostsForImporting () {
@@ -1019,6 +1085,11 @@ export default {
         }
         getAPI('listStoragePools', params).then(json => {
           this.storagePoolsForConversion = json.liststoragepoolsresponse.storagepool || []
+          // Keep selected pool state aligned when the value is auto-populated by v-model.
+          if (this.form.convertstoragepoolid) {
+            const poolExists = this.storagePoolsForConversion.some(pool => pool.id === this.form.convertstoragepoolid)
+            this.selectedStoragePoolForConversion = poolExists ? this.form.convertstoragepoolid : null
+          }
         })
       } else if (this.selectedStorageOptionForConversion === 'local') {
         const kvmHost = this.kvmHostsForConversion.filter(x => x.id === this.selectedKvmHostForConversion)[0]
@@ -1028,6 +1099,10 @@ export default {
           status: 'Up'
         }).then(json => {
           this.storagePoolsForConversion = json.liststoragepoolsresponse.storagepool || []
+          if (this.form.convertstoragepoolid) {
+            const poolExists = this.storagePoolsForConversion.some(pool => pool.id === this.form.convertstoragepoolid)
+            this.selectedStoragePoolForConversion = poolExists ? this.form.convertstoragepoolid : null
+          }
         })
       }
     },
@@ -1082,6 +1157,34 @@ export default {
     },
     onForceConvertToPoolChange (val) {
       this.switches.forceConvertToPool = val
+      this.form.forceconverttopool = val
+      this.selectedStorageOptionForConversion = null
+      this.selectedStoragePoolForConversion = null
+      this.showStoragePoolsForConversion = false
+      this.resetStorageOptionsForConversion()
+    },
+    onUseVddkChange (val, isUserChange = true) {
+      if (isUserChange) {
+        this.userModifiedVddkSetting = true
+      }
+      if (val) {
+        this.form.forceconverttopool = true
+        this.form.forcemstoimportvmfiles = false
+        this.switches.forceConvertToPool = true
+        this.switches.forceMsToImportVmFiles = false
+        // Reset import host selection when VDDK is enabled
+        this.selectedKvmHostForImporting = null
+        // Refresh host list to show VDDK support details
+        this.fetchKvmHostsForConversion()
+      } else {
+        this.form.forceconverttopool = false
+        this.switches.forceConvertToPool = false
+        this.selectedStorageOptionForConversion = null
+        this.selectedStoragePoolForConversion = null
+        this.showStoragePoolsForConversion = false
+        // Refresh host list to remove VDDK support details
+        this.fetchKvmHostsForConversion()
+      }
       this.resetStorageOptionsForConversion()
     },
     updateSelectedRootDisk () {
@@ -1196,18 +1299,25 @@ export default {
           if (this.selectedKvmHostForImporting) {
             params.importinstancehostid = this.selectedKvmHostForImporting
           }
-          if (this.selectedStoragePoolForConversion) {
-            params.convertinstancepoolid = this.selectedStoragePoolForConversion
+          const selectedPoolForConversion = values.convertstoragepoolid || this.selectedStoragePoolForConversion
+          if (selectedPoolForConversion) {
+            params.convertinstancepoolid = selectedPoolForConversion
           }
           if (this.vmwareToKvmExtraParams) {
             params.extraparams = this.vmwareToKvmExtraParams
           }
-          params.forcemstoimportvmfiles = values.forcemstoimportvmfiles
-          if (values.forceconverttopool) {
+          if (values.usevddk) {
+            params.usevddk = true
+            params.forcemstoimportvmfiles = false
+          } else {
+            params.usevddk = false
+            params.forcemstoimportvmfiles = values.forcemstoimportvmfiles
+          }
+          if (values.forceconverttopool !== undefined) {
             params.forceconverttopool = values.forceconverttopool
           }
         }
-        var keys = ['hostname', 'domainid', 'projectid', 'account', 'migrateallowed', 'forced', 'forcemstoimportvmfiles']
+        var keys = ['hostname', 'domainid', 'projectid', 'account', 'migrateallowed', 'forced', 'osid']
         if (this.templateType !== 'auto') {
           keys.push('templateid')
         }
@@ -1321,6 +1431,11 @@ export default {
       this.templateType = this.defaultTemplateType()
       this.updateComputeOffering(undefined)
       this.switches = {}
+      this.form.usevddk = false
+      this.form.forceconverttopool = false
+      this.form.forcemstoimportvmfiles = false
+      this.userModifiedVddkSetting = false
+      this.resetStorageOptionsForConversion()
     },
     closeAction () {
       this.$emit('close-action')
diff --git a/ui/src/views/tools/ManageInstances.vue b/ui/src/views/tools/ManageInstances.vue
index a6260bfb316d..6f625961ea8f 100644
--- a/ui/src/views/tools/ManageInstances.vue
+++ b/ui/src/views/tools/ManageInstances.vue
@@ -541,6 +541,7 @@
             :tmppath="this.values?.tmppath || ''"
             :diskpath="this.values?.diskpath || ''"
             :isOpen="showUnmanageForm"
+            :loadingGuestOsMappings="loadingGuestOsMappings"
             :selectedVmwareVcenter="selectedVmwareVcenter"
             @refresh-data="fetchInstances"
             @close-action="closeImportUnmanagedInstanceForm"
@@ -774,7 +775,8 @@ export default {
       activeTabKey: 1,
       loadingImportVmTasks: false,
       importVmTasks: [],
-      importVmTasksFilter: 'running'
+      importVmTasksFilter: 'running',
+      loadingGuestOsMappings: false
     }
   },
   created () {
@@ -1377,8 +1379,21 @@ export default {
         this.fetchInstances()
       }
     },
+    async fetchGuestOsMappings (osIdentifier, hypervisorVersion) {
+      const params = {}
+      params.hypervisor = 'VMware'
+      params.hypervisorversion = hypervisorVersion
+      params.osnameforhypervisor = osIdentifier
+      return await getAPI('listGuestOsMapping', params).then(json => {
+        return json.listguestosmappingresponse?.guestosmapping || []
+      }).catch(error => {
+        this.$notifyError(error)
+        return []
+      })
+    },
     fetchVmwareInstanceForKVMMigration (vmname, hostname) {
       const params = {}
+      this.loadingGuestOsMappings = true
       if (this.isMigrateFromVmware && this.selectedVmwareVcenter) {
         if (this.selectedVmwareVcenter.vcenter) {
           params.datacentername = this.selectedVmwareVcenter.datacentername
@@ -1391,15 +1406,17 @@ export default {
         params.instancename = vmname
         params.hostname = hostname
       }
-      getAPI('listVmwareDcVms', params).then(json => {
+      getAPI('listVmwareDcVms', params).then(async json => {
         const response = json.listvmwaredcvmsresponse
         this.selectedUnmanagedInstance = response.unmanagedinstance[0]
         this.selectedUnmanagedInstance.ostypename = this.selectedUnmanagedInstance.osdisplayname
         this.selectedUnmanagedInstance.state = this.selectedUnmanagedInstance.powerstate
+        this.selectedUnmanagedInstance.guestOsMappings = await this.fetchGuestOsMappings(this.selectedUnmanagedInstance.osid, this.selectedUnmanagedInstance.hypervisorversion)
       }).catch(error => {
         this.$notifyError(error)
       }).finally(() => {
         this.loading = false
+        this.loadingGuestOsMappings = false
       })
     },
     onManageInstanceAction () {
diff --git a/usage/src/main/java/com/cloud/usage/UsageSanityChecker.java b/usage/src/main/java/com/cloud/usage/UsageSanityChecker.java
index d5dee9b00bc0..77f626246ccf 100644
--- a/usage/src/main/java/com/cloud/usage/UsageSanityChecker.java
+++ b/usage/src/main/java/com/cloud/usage/UsageSanityChecker.java
@@ -289,7 +289,7 @@ protected Connection getConnection() {
     }
 
     /**
-     * usage something like: /usr/bin/java -Xmx2G -cp /usr/share/cloudstack-usage/*:/usr/share/cloudstack-usage/lib/*:/usr/share/cloudstack-mysql-ha/lib/*:/etc/cloudstack/usage:/usr/share/java/mysql-connector-java.jar:/usr/share/cloudstack-common com.cloud.usage.UsageSanityChecker
+     * usage something like: /usr/bin/java -Xmx2G -cp /usr/share/cloudstack-usage/*:/usr/share/cloudstack-usage/lib/*:/usr/share/cloudstack-mysql-ha/lib/*:/etc/cloudstack/usage:/usr/share/cloudstack-common com.cloud.usage.UsageSanityChecker
      * @param args none
      */
     public static void main(String[] args) {
diff --git a/utils/pom.xml b/utils/pom.xml
index 4b6e547e4519..775f5529d917 100755
--- a/utils/pom.xml
+++ b/utils/pom.xml
@@ -68,15 +68,15 @@
         </dependency>
         <dependency>
             <groupId>org.bouncycastle</groupId>
-            <artifactId>bcprov-jdk15on</artifactId>
+            <artifactId>bcprov-jdk18on</artifactId>
         </dependency>
         <dependency>
             <groupId>org.bouncycastle</groupId>
-            <artifactId>bcpkix-jdk15on</artifactId>
+            <artifactId>bcpkix-jdk18on</artifactId>
         </dependency>
         <dependency>
             <groupId>org.bouncycastle</groupId>
-            <artifactId>bctls-jdk15on</artifactId>
+            <artifactId>bctls-jdk18on</artifactId>
         </dependency>
         <dependency>
             <groupId>com.jcraft</groupId>
diff --git a/utils/src/main/java/com/cloud/utils/HttpUtils.java b/utils/src/main/java/com/cloud/utils/HttpUtils.java
index 9f998efe0994..b7d95f8133be 100644
--- a/utils/src/main/java/com/cloud/utils/HttpUtils.java
+++ b/utils/src/main/java/com/cloud/utils/HttpUtils.java
@@ -19,6 +19,8 @@
 
 package com.cloud.utils;
 
+import static com.cloud.utils.UriUtils.USER_AGENT;
+
 import org.apache.logging.log4j.Logger;
 import org.apache.logging.log4j.LogManager;
 
@@ -33,6 +35,8 @@
 import java.net.URL;
 import java.util.Map;
 
+import com.cloud.utils.net.HttpClientCloudStackUserAgent;
+
 public class HttpUtils {
 
     protected static Logger LOGGER = LogManager.getLogger(HttpUtils.class);
@@ -161,6 +165,7 @@ public static boolean downloadFileWithProgress(final String fileURL, final Strin
         try {
             URL url = new URL(fileURL);
             httpConn = (HttpURLConnection) url.openConnection();
+            httpConn.setRequestProperty(USER_AGENT, HttpClientCloudStackUserAgent.CLOUDSTACK_USER_AGENT);
             int responseCode = httpConn.getResponseCode();
             if (responseCode == HttpURLConnection.HTTP_OK) {
                 int contentLength = httpConn.getContentLength();
diff --git a/utils/src/main/java/com/cloud/utils/UriUtils.java b/utils/src/main/java/com/cloud/utils/UriUtils.java
index eba6f88201b0..a4654091e0cb 100644
--- a/utils/src/main/java/com/cloud/utils/UriUtils.java
+++ b/utils/src/main/java/com/cloud/utils/UriUtils.java
@@ -67,12 +67,14 @@
 
 import com.cloud.utils.crypt.DBEncryptionUtil;
 import com.cloud.utils.exception.CloudRuntimeException;
+import com.cloud.utils.net.HttpClientCloudStackUserAgent;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
 
 public class UriUtils {
 
     protected static Logger LOGGER = LogManager.getLogger(UriUtils.class);
+    public static final String USER_AGENT = "User-Agent";
 
     public static String formNfsUri(String host, String path) {
         try {
@@ -227,6 +229,7 @@ public static long getRemoteSize(String url, Boolean followRedirect) {
                 URI uri = new URI(url);
                 httpConn = (HttpURLConnection)uri.toURL().openConnection();
                 httpConn.setRequestMethod(method);
+                httpConn.setRequestProperty(USER_AGENT, HttpClientCloudStackUserAgent.CLOUDSTACK_USER_AGENT);
                 httpConn.setConnectTimeout(2000);
                 httpConn.setReadTimeout(5000);
                 httpConn.setInstanceFollowRedirects(Boolean.TRUE.equals(followRedirect));
diff --git a/utils/src/main/java/com/cloud/utils/net/HttpClientCloudStackUserAgent.java b/utils/src/main/java/com/cloud/utils/net/HttpClientCloudStackUserAgent.java
new file mode 100644
index 000000000000..991aa296380a
--- /dev/null
+++ b/utils/src/main/java/com/cloud/utils/net/HttpClientCloudStackUserAgent.java
@@ -0,0 +1,39 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+
+package com.cloud.utils.net;
+
+import org.apache.logging.log4j.util.Strings;
+
+public class HttpClientCloudStackUserAgent {
+    public static final String CLOUDSTACK_USER_AGENT = buildUserAgent();
+
+    private static String buildUserAgent() {
+        String version = HttpClientCloudStackUserAgent.class
+                .getPackage()
+                .getImplementationVersion();
+
+        if (Strings.isBlank(version)) {
+            version = "unknown";
+        }
+        return "CloudStack-Agent/" + version + " (Apache CloudStack)";
+    }
+
+    private HttpClientCloudStackUserAgent() {}
+}
diff --git a/utils/src/main/java/com/cloud/utils/net/NetUtils.java b/utils/src/main/java/com/cloud/utils/net/NetUtils.java
index 65878e055e73..d89d9fa2d93c 100644
--- a/utils/src/main/java/com/cloud/utils/net/NetUtils.java
+++ b/utils/src/main/java/com/cloud/utils/net/NetUtils.java
@@ -1265,7 +1265,7 @@ public static boolean isValidS2SVpnPolicy(final String policyType, final String
             if (group == null && policyType.toLowerCase().matches("ike")) {
                 return false; // StrongSwan requires a DH group for the IKE policy
             }
-            if (group != null && !group.matches("modp1024|modp1536|modp2048|modp3072|modp4096|modp6144|modp8192")) {
+            if (group != null && !group.matches("modp1024|modp1536|modp2048|modp3072|modp4096|modp6144|modp8192|modp1024s160|modp2048s224|modp2048s256|curve25519")) {
                 return false;
             }
         }
diff --git a/utils/src/main/java/com/cloud/utils/nio/Link.java b/utils/src/main/java/com/cloud/utils/nio/Link.java
index 4e68554eb499..71bb0b7eda53 100644
--- a/utils/src/main/java/com/cloud/utils/nio/Link.java
+++ b/utils/src/main/java/com/cloud/utils/nio/Link.java
@@ -380,7 +380,7 @@ public static SSLEngine initServerSSLEngine(final CAService caService, final Str
         if (caService != null) {
             return caService.createSSLEngine(sslContext, clientAddress);
         }
-        LOGGER.error("CA service is not configured, by-passing CA manager to create SSL engine");
+        LOGGER.error("CA service is not configured, bypassing CA manager to create SSL engine");
         char[] passphrase = KeyStoreUtils.DEFAULT_KS_PASSPHRASE;
         final KeyStore ks = loadKeyStore(NioConnection.class.getResourceAsStream("/cloud.keystore"), passphrase);
         final KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
@@ -552,7 +552,7 @@ private static HandshakeHolder doHandshakeWrap(final SocketChannel socketChannel
             LOGGER.error(String.format("SSL error caught during wrap data: %s, for local address=%s, remote address=%s.",
                     sslException.getMessage(), socketChannel.getLocalAddress(), socketChannel.getRemoteAddress()));
             sslEngine.closeOutbound();
-            return new HandshakeHolder(myAppData, myNetData, true);
+            return new HandshakeHolder(myAppData, myNetData, false);
         }
         if (result == null) {
             return new HandshakeHolder(myAppData, myNetData, false);
diff --git a/utils/src/main/java/com/cloud/utils/storage/QCOW2Utils.java b/utils/src/main/java/com/cloud/utils/storage/QCOW2Utils.java
index 34d748b0708e..a4a49825d1f6 100644
--- a/utils/src/main/java/com/cloud/utils/storage/QCOW2Utils.java
+++ b/utils/src/main/java/com/cloud/utils/storage/QCOW2Utils.java
@@ -35,6 +35,7 @@
 
 import com.cloud.utils.NumbersUtil;
 import com.cloud.utils.UriUtils;
+import com.cloud.utils.net.HttpClientCloudStackUserAgent;
 
 public final class QCOW2Utils {
     protected static Logger LOGGER = LogManager.getLogger(QCOW2Utils.class);
@@ -119,6 +120,7 @@ public static long getVirtualSizeFromUrl(String urlStr, boolean followRedirects)
         try {
             URI url = new URI(urlStr);
             httpConn = (HttpURLConnection)url.toURL().openConnection();
+            httpConn.setRequestProperty(UriUtils.USER_AGENT, HttpClientCloudStackUserAgent.CLOUDSTACK_USER_AGENT);
             httpConn.setInstanceFollowRedirects(followRedirects);
             return getVirtualSize(httpConn.getInputStream(), UriUtils.isUrlForCompressedFile(urlStr));
         } catch (URISyntaxException e) {
diff --git a/utils/src/main/java/org/apache/cloudstack/utils/redfish/RedfishClient.java b/utils/src/main/java/org/apache/cloudstack/utils/redfish/RedfishClient.java
index f9952b2c03bb..c5567cfa2e22 100644
--- a/utils/src/main/java/org/apache/cloudstack/utils/redfish/RedfishClient.java
+++ b/utils/src/main/java/org/apache/cloudstack/utils/redfish/RedfishClient.java
@@ -231,21 +231,19 @@ private HttpResponse executeHttpRequest(String url, HttpRequestBase httpReq) {
     }
 
     protected HttpResponse retryHttpRequest(String url, HttpRequestBase httpReq, HttpClient client) {
-        logger.warn(String.format("Failed to execute HTTP %s request [URL: %s]. Executing the request again.", httpReq.getMethod(), url));
+        logger.warn("Failed to execute HTTP {} request [URL: {}]. Executing the request again.", httpReq.getMethod(), url);
         HttpResponse response = null;
         for (int attempt = 1; attempt < redfishRequestMaxRetries + 1; attempt++) {
             try {
                 TimeUnit.SECONDS.sleep(WAIT_FOR_REQUEST_RETRY);
-                logger.debug(String.format("HTTP %s request retry attempt %d/%d [URL: %s].", httpReq.getMethod(), attempt, redfishRequestMaxRetries, url));
+                logger.debug("HTTP {} request retry attempt {}/{} [URL: {}].", httpReq.getMethod(), attempt, redfishRequestMaxRetries, url);
                 response = client.execute(httpReq);
                 break;
             } catch (IOException | InterruptedException e) {
                 if (attempt == redfishRequestMaxRetries) {
                     throw new RedfishException(String.format("Failed to execute HTTP %s request retry attempt %d/%d [URL: %s] due to exception %s", httpReq.getMethod(), attempt, redfishRequestMaxRetries,url, e));
                 } else {
-                    logger.warn(
-                            String.format("Failed to execute HTTP %s request retry attempt %d/%d [URL: %s] due to exception %s", httpReq.getMethod(), attempt, redfishRequestMaxRetries,
-                                    url, e));
+                    logger.warn("Failed to execute HTTP {} request retry attempt {}/{} [URL: {}] due to exception {}", httpReq.getMethod(), attempt, redfishRequestMaxRetries, url, e);
                 }
             }
         }
@@ -312,7 +310,7 @@ public void executeComputerSystemReset(String hostAddress, RedfishResetCmd reset
             throw new RedfishException(String.format("Failed to execute System power command for host by performing '%s' request on URL '%s' and host address '%s'. The expected HTTP status code is '%s' but it got '%s'.",
                     HttpPost.METHOD_NAME, url, hostAddress, EXPECTED_HTTP_STATUS, statusCode));
         }
-        logger.debug(String.format("Sending ComputerSystem.Reset Command '%s' to host '%s' with request '%s %s'", resetCommand, hostAddress, HttpPost.METHOD_NAME, url));
+        logger.debug("Sending ComputerSystem.Reset Command '{}' to host '{}' with request '{} {}'", resetCommand, hostAddress, HttpPost.METHOD_NAME, url);
     }
 
     /**
@@ -330,7 +328,7 @@ public String getSystemId(String hostAddress) {
 
         String systemId = processGetSystemIdResponse(response);
 
-        logger.debug(String.format("Retrieved System ID '%s' with request '%s: %s'", systemId, HttpGet.METHOD_NAME, url));
+        logger.debug("Retrieved System ID '{}' with request '{}: {}'", systemId, HttpGet.METHOD_NAME, url);
 
         return systemId;
     }
@@ -384,7 +382,7 @@ public RedfishPowerState getSystemPowerState(String hostAddress) {
         }
 
         RedfishPowerState powerState = processGetSystemRequestResponse(response);
-        logger.debug(String.format("Retrieved System power state '%s' with request '%s: %s'", powerState, HttpGet.METHOD_NAME, url));
+        logger.debug("Retrieved System power state '{}' with request '{}: {}'", powerState, HttpGet.METHOD_NAME, url);
         return powerState;
     }
 
diff --git a/utils/src/main/java/org/apache/cloudstack/utils/security/CertUtils.java b/utils/src/main/java/org/apache/cloudstack/utils/security/CertUtils.java
index 6ff3d918f43a..84a4a1274406 100644
--- a/utils/src/main/java/org/apache/cloudstack/utils/security/CertUtils.java
+++ b/utils/src/main/java/org/apache/cloudstack/utils/security/CertUtils.java
@@ -98,9 +98,18 @@ public static KeyFactory getKeyFactory() {
         return keyFactory;
     }
 
-    public static X509Certificate pemToX509Certificate(final String pem) throws CertificateException, IOException {
-        final PEMParser pemParser = new PEMParser(new StringReader(pem));
-        return new JcaX509CertificateConverter().setProvider("BC").getCertificate((X509CertificateHolder) pemParser.readObject());
+    public static List<X509Certificate> pemToX509Certificates(final String pem) throws CertificateException, IOException {
+        final List<X509Certificate> certs = new ArrayList<>();
+        try (final PEMParser pemParser = new PEMParser(new StringReader(pem))) {
+            final JcaX509CertificateConverter certConverter = new JcaX509CertificateConverter().setProvider("BC");
+            Object parsedObj;
+            while ((parsedObj = pemParser.readObject()) != null) {
+                if (parsedObj instanceof X509CertificateHolder) {
+                    certs.add(certConverter.getCertificate((X509CertificateHolder) parsedObj));
+                }
+            }
+        }
+        return certs;
     }
 
     public static String x509CertificateToPem(final X509Certificate cert) throws IOException {
diff --git a/utils/src/main/java/org/apache/cloudstack/utils/security/KeyStoreUtils.java b/utils/src/main/java/org/apache/cloudstack/utils/security/KeyStoreUtils.java
index e78d14adbb2d..c6f8d21918c4 100644
--- a/utils/src/main/java/org/apache/cloudstack/utils/security/KeyStoreUtils.java
+++ b/utils/src/main/java/org/apache/cloudstack/utils/security/KeyStoreUtils.java
@@ -26,7 +26,6 @@
 public class KeyStoreUtils {
     public static final String KS_SETUP_SCRIPT = "keystore-setup";
     public static final String KS_IMPORT_SCRIPT = "keystore-cert-import";
-    public static final String KS_SYSTEMVM_IMPORT_SCRIPT = "keystore-cert-import-sysvm";
 
     public static final String AGENT_PROPSFILE = "agent.properties";
     public static final String KS_PASSPHRASE_PROPERTY = "keystore.passphrase";
diff --git a/utils/src/test/java/com/cloud/utils/net/NetUtilsTest.java b/utils/src/test/java/com/cloud/utils/net/NetUtilsTest.java
index 4495a123b07e..5c9d41f90a25 100644
--- a/utils/src/test/java/com/cloud/utils/net/NetUtilsTest.java
+++ b/utils/src/test/java/com/cloud/utils/net/NetUtilsTest.java
@@ -131,6 +131,10 @@ public void testIsValidS2SVpnPolicy() {
         assertTrue(NetUtils.isValidS2SVpnPolicy("ike", "3des-md5;modp1024"));
         assertTrue(NetUtils.isValidS2SVpnPolicy("ike", "3des-sha1;modp3072,aes128-sha1;modp1536"));
         assertTrue(NetUtils.isValidS2SVpnPolicy("ike", "3des-sha256;modp3072,aes128-sha512;modp1536"));
+        assertTrue(NetUtils.isValidS2SVpnPolicy("ike", "aes256-sha256;modp1024s160"));
+        assertTrue(NetUtils.isValidS2SVpnPolicy("ike", "aes256-sha256;modp2048s224"));
+        assertTrue(NetUtils.isValidS2SVpnPolicy("ike", "aes256-sha256;modp2048s256"));
+        assertTrue(NetUtils.isValidS2SVpnPolicy("ike", "aes256-sha256;curve25519"));
         assertFalse(NetUtils.isValidS2SVpnPolicy("ike", "aes128-sha1"));
         assertFalse(NetUtils.isValidS2SVpnPolicy("ike", "3des-sha1"));
         assertFalse(NetUtils.isValidS2SVpnPolicy("ike", "3des-sha1,aes256-sha1"));
diff --git a/utils/src/test/java/org/apache/cloudstack/utils/security/CertUtilsTest.java b/utils/src/test/java/org/apache/cloudstack/utils/security/CertUtilsTest.java
index 691e7ea0f23f..8141c918c8a6 100644
--- a/utils/src/test/java/org/apache/cloudstack/utils/security/CertUtilsTest.java
+++ b/utils/src/test/java/org/apache/cloudstack/utils/security/CertUtilsTest.java
@@ -53,7 +53,7 @@ public void testGenerateRandomKeyPair() throws Exception {
     public void testCertificateConversionMethods() throws Exception {
         final X509Certificate in = caCertificate;
         final String pem = CertUtils.x509CertificateToPem(in);
-        final X509Certificate out = CertUtils.pemToX509Certificate(pem);
+        final X509Certificate out = CertUtils.pemToX509Certificates(pem).get(0);
         Assert.assertTrue(pem.startsWith("-----BEGIN CERTIFICATE-----\n"));
         Assert.assertTrue(pem.endsWith("-----END CERTIFICATE-----\n"));
         Assert.assertEquals(in.getSerialNumber(), out.getSerialNumber());
@@ -87,6 +87,21 @@ public void testGenerateRandomBigInt() throws Exception {
         Assert.assertNotEquals(CertUtils.generateRandomBigInt(), CertUtils.generateRandomBigInt());
     }
 
+    @Test
+    public void testPemToX509CertificatesWithChain() throws Exception {
+        final KeyPair intermediateKeyPair = CertUtils.generateRandomKeyPair(1024);
+        final X509Certificate intermediateCert = CertUtils.generateV3Certificate(caCertificate, caKeyPair,
+                intermediateKeyPair.getPublic(), "CN=intermediate", "SHA256withRSA", 365, null, null);
+
+        final String chainPem = CertUtils.x509CertificateToPem(intermediateCert)
+                + CertUtils.x509CertificateToPem(caCertificate);
+        final List<X509Certificate> parsed = CertUtils.pemToX509Certificates(chainPem);
+
+        Assert.assertEquals(2, parsed.size());
+        Assert.assertEquals(intermediateCert.getSerialNumber(), parsed.get(0).getSerialNumber());
+        Assert.assertEquals(caCertificate.getSerialNumber(), parsed.get(1).getSerialNumber());
+    }
+
     @Test
     public void testGenerateCertificate() throws Exception {
         final KeyPair clientKeyPair = CertUtils.generateRandomKeyPair(1024);
diff --git a/vmware-base/src/main/java/com/cloud/hypervisor/vmware/mo/BaseMO.java b/vmware-base/src/main/java/com/cloud/hypervisor/vmware/mo/BaseMO.java
index ead1d8a72133..1266c04f3b4b 100644
--- a/vmware-base/src/main/java/com/cloud/hypervisor/vmware/mo/BaseMO.java
+++ b/vmware-base/src/main/java/com/cloud/hypervisor/vmware/mo/BaseMO.java
@@ -16,6 +16,7 @@
 // under the License.
 package com.cloud.hypervisor.vmware.mo;
 
+import com.cloud.hypervisor.Hypervisor;
 import org.apache.logging.log4j.Logger;
 import org.apache.logging.log4j.LogManager;
 
@@ -45,9 +46,9 @@ public class BaseMO {
     protected VmwareContext _context;
     protected ManagedObjectReference _mor;
 
-    protected static String[] propertyPathsForUnmanagedVmsThinListing = new String[] {"name", "config.template",
-            "runtime.powerState", "config.guestId", "config.guestFullName", "runtime.host",
-            "config.bootOptions", "config.firmware"};
+    protected static String[] propertyPathsForUnmanagedVmsThinListing = new String[] {"name", "config.template", "runtime.powerState",
+            "config.guestId", "config.guestFullName", "summary.guest.guestId", "summary.guest.guestFullName",
+            "runtime.host", "config.bootOptions", "config.firmware"};
 
     private String _name;
 
@@ -207,6 +208,11 @@ private UnmanagedInstanceTO createUnmanagedInstanceTOFromThinListingDynamicPrope
         boolean isTemplate = false;
         boolean excludeByKeyword = false;
 
+        String configGuestId = null;
+        String configGuestFullName = null;
+        String summaryGuestId = null;
+        String summaryGuestFullName = null;
+
         for (DynamicProperty objProp : objProps) {
             if (objProp.getName().equals("name")) {
                 vmName = (String) objProp.getVal();
@@ -220,13 +226,17 @@ private UnmanagedInstanceTO createUnmanagedInstanceTOFromThinListingDynamicPrope
                 VirtualMachinePowerState powerState = (VirtualMachinePowerState) objProp.getVal();
                 vm.setPowerState(convertPowerState(powerState));
             } else if (objProp.getName().equals("config.guestFullName")) {
-                vm.setOperatingSystem((String) objProp.getVal());
+                configGuestFullName = (String) objProp.getVal();
             } else if (objProp.getName().equals("config.guestId")) {
-                vm.setOperatingSystemId((String) objProp.getVal());
+                configGuestId = (String) objProp.getVal();
+            } else if (objProp.getName().equals("summary.guest.guestFullName")) {
+                summaryGuestFullName = (String) objProp.getVal();
+            } else if (objProp.getName().equals("summary.guest.guestId")) {
+                summaryGuestId = (String) objProp.getVal();
             } else if (objProp.getName().equals("config.bootOptions")) {
                 VirtualMachineBootOptions bootOptions = (VirtualMachineBootOptions) objProp.getVal();
                 String bootMode = "LEGACY";
-                if (bootOptions != null && bootOptions.isEfiSecureBootEnabled()) {
+                if (bootOptions != null && Boolean.TRUE.equals(bootOptions.isEfiSecureBootEnabled())) {
                     bootMode = "SECURE";
                 }
                 vm.setBootMode(bootMode);
@@ -238,6 +248,11 @@ private UnmanagedInstanceTO createUnmanagedInstanceTOFromThinListingDynamicPrope
                 setUnmanagedInstanceTOHostAndCluster(vm, hostMor, hostClusterNamesMap);
             }
         }
+
+        vm.setHypervisorType(Hypervisor.HypervisorType.VMware.name());
+        vm.setOperatingSystem(StringUtils.isNotBlank(summaryGuestFullName) ? summaryGuestFullName : configGuestFullName);
+        vm.setOperatingSystemId(StringUtils.isNotBlank(summaryGuestId) ? summaryGuestId : configGuestId);
+
         if (isTemplate || excludeByKeyword) {
             return null;
         }
diff --git a/vmware-base/src/main/java/com/cloud/hypervisor/vmware/util/VmwareHelper.java b/vmware-base/src/main/java/com/cloud/hypervisor/vmware/util/VmwareHelper.java
index 7ac161a4683c..89f6d7abd7d0 100644
--- a/vmware-base/src/main/java/com/cloud/hypervisor/vmware/util/VmwareHelper.java
+++ b/vmware-base/src/main/java/com/cloud/hypervisor/vmware/util/VmwareHelper.java
@@ -41,6 +41,7 @@
 import javax.xml.datatype.XMLGregorianCalendar;
 
 import com.cloud.agent.api.to.DiskTO;
+import com.cloud.hypervisor.Hypervisor;
 import com.cloud.hypervisor.vmware.mo.ClusterMO;
 import com.cloud.hypervisor.vmware.mo.DatastoreFile;
 import com.cloud.hypervisor.vmware.mo.DistributedVirtualSwitchMO;
@@ -752,7 +753,7 @@ public static String getRecommendedDiskControllerFromDescriptor(GuestOsDescripto
 
         recommendedController = guestOsDescriptor.getRecommendedDiskController();
 
-        // By-pass auto detected PVSCSI controller to use LsiLogic Parallel instead
+        // Bypass auto detected PVSCSI controller to use LsiLogic Parallel instead
         if (DiskControllerType.getType(recommendedController) == DiskControllerType.pvscsi) {
             recommendedController = DiskControllerType.lsilogic.toString();
         }
@@ -819,7 +820,7 @@ public static UnmanagedInstanceTO getUnmanagedInstance(VmwareHypervisorHost hype
                 instance.setBootType(firmware.equalsIgnoreCase("efi") ? "UEFI" : "BIOS");
                 VirtualMachineBootOptions bootOptions = configInfo.getBootOptions();
                 String bootMode = "LEGACY";
-                if (bootOptions != null && bootOptions.isEfiSecureBootEnabled()) {
+                if (bootOptions != null && Boolean.TRUE.equals(bootOptions.isEfiSecureBootEnabled())) {
                     bootMode = "SECURE";
                 }
                 instance.setBootMode(bootMode);
@@ -833,6 +834,8 @@ public static UnmanagedInstanceTO getUnmanagedInstance(VmwareHypervisorHost hype
             }
 
             instance.setHostName(hyperHost.getHyperHostName());
+            instance.setHypervisorType(Hypervisor.HypervisorType.VMware.name());
+            instance.setHostHypervisorVersion(getVmwareHostVersion(hyperHost));
 
             if (StringUtils.isEmpty(instance.getOperatingSystemId()) && configSummary != null) {
                 instance.setOperatingSystemId(configSummary.getGuestId());
@@ -866,6 +869,17 @@ public static UnmanagedInstanceTO getUnmanagedInstance(VmwareHypervisorHost hype
         return instance;
     }
 
+    protected static String getVmwareHostVersion(VmwareHypervisorHost hyperHost) {
+        if (hyperHost instanceof HostMO) {
+            try {
+                return ((HostMO) hyperHost).getProductVersion();
+            } catch (Exception e) {
+                LOGGER.warn("Unable to get unmanaged instance host version, due to: " + e.getMessage(), e);
+            }
+        }
+        return null;
+    }
+
     protected static List<UnmanagedInstanceTO.Disk> getUnmanageInstanceDisks(VirtualMachineMO vmMo) {
         List<UnmanagedInstanceTO.Disk> instanceDisks = new ArrayList<>();
         VirtualDisk[] disks = null;
diff --git a/vmware-base/src/test/java/com/cloud/hypervisor/vmware/util/VmwareHelperTest.java b/vmware-base/src/test/java/com/cloud/hypervisor/vmware/util/VmwareHelperTest.java
index 3908f8b0be34..54a312909b3d 100644
--- a/vmware-base/src/test/java/com/cloud/hypervisor/vmware/util/VmwareHelperTest.java
+++ b/vmware-base/src/test/java/com/cloud/hypervisor/vmware/util/VmwareHelperTest.java
@@ -20,6 +20,8 @@
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNull;
 
+import com.cloud.hypervisor.vmware.mo.ClusterMO;
+import com.cloud.hypervisor.vmware.mo.HostMO;
 import com.vmware.vim25.DatastoreInfo;
 import com.vmware.vim25.Description;
 import com.vmware.vim25.ManagedObjectReference;
@@ -105,4 +107,25 @@ public void testGetUnmanageInstanceDisks() {
         Assert.assertEquals(diskFileBaseName, disk.getFileBaseName());
         Assert.assertEquals(dataStoreName, disk.getDatastoreName());
     }
+
+    @Test
+    public void testGetVmwareHostVersionException() throws Exception {
+        HostMO hostMO = Mockito.mock(HostMO.class);
+        Mockito.when(hostMO.getProductVersion()).thenThrow(new Exception("Error obtaining host version"));
+        Assert.assertNull(VmwareHelper.getVmwareHostVersion(hostMO));
+    }
+
+    @Test
+    public void testGetVmwareHostVersion() throws Exception {
+        HostMO hostMO = Mockito.mock(HostMO.class);
+        String version = "8.0.3";
+        Mockito.when(hostMO.getProductVersion()).thenReturn(version);
+        Assert.assertEquals(version, VmwareHelper.getVmwareHostVersion(hostMO));
+    }
+
+    @Test
+    public void testGetVmwareHostVersionInvalidParameter() {
+        ClusterMO clusterMO = Mockito.mock(ClusterMO.class);
+        Assert.assertNull(VmwareHelper.getVmwareHostVersion(clusterMO));
+    }
 }