default Security rule doesn't apply to system VMs since nic.getIsolationUri is not set

use to.setSecurityGroupEnabled to indicate if securitygroup is enabled on this NIC

CLOUDSTACK-983: default Security rule doesn't apply to system VMs

plugins/hypervisors/kvm/src/com/cloud/hypervisor/kvm/resource/LibvirtComputingResource.java

@@ -2901,9 +2901,8 @@ public class LibvirtComputingResource extends ServerResourceBase implements
 
             NicTO[] nics = vmSpec.getNics();
             for (NicTO nic : nics) {
-                if (nic.getIsolationUri() != null
-                        && nic.getIsolationUri().getScheme()
-                                .equalsIgnoreCase(IsolationType.Ec2.toString())) {
+                if (nic.isSecurityGroupEnabled() || ( nic.getIsolationUri() != null
+                         && nic.getIsolationUri().getScheme().equalsIgnoreCase(IsolationType.Ec2.toString()))) {
                     if (vmSpec.getType() != VirtualMachine.Type.User) {
                         default_network_rules_for_systemvm(conn, vmName);
                         break;

plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java

@@ -1324,7 +1324,8 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
                     NicTO[] nics = vmSpec.getNics();
                     boolean secGrpEnabled = false;
                     for (NicTO nic : nics) {
-                        if (nic.getIsolationUri() != null && nic.getIsolationUri().getScheme().equalsIgnoreCase(IsolationType.Ec2.toString())) {
+                        if (nic.isSecurityGroupEnabled() || (nic.getIsolationUri() != null
+                                       && nic.getIsolationUri().getScheme().equalsIgnoreCase(IsolationType.Ec2.toString()))) {
                             secGrpEnabled = true;
                             break;
                         }
@@ -1342,7 +1343,8 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
                     //For user vm, program the rules for each nic if the isolation uri scheme is ec2
                     NicTO[] nics = vmSpec.getNics();
                     for (NicTO nic : nics) {
-                        if (nic.getIsolationUri() != null && nic.getIsolationUri().getScheme().equalsIgnoreCase(IsolationType.Ec2.toString())) {
+                        if ( nic.isSecurityGroupEnabled() || nic.getIsolationUri() != null
+                                   && nic.getIsolationUri().getScheme().equalsIgnoreCase(IsolationType.Ec2.toString())) {
                             result = callHostPlugin(conn, "vmops", "default_network_rules", "vmName", vmName, "vmIP", nic.getIp(), "vmMAC", nic.getMac(), "vmID", Long.toString(vmSpec.getId()));
 
                             if (result == null || result.isEmpty() || !Boolean.parseBoolean(result)) {

server/src/com/cloud/hypervisor/HypervisorGuruBase.java

@@ -62,6 +62,7 @@ public abstract class HypervisorGuruBase extends AdapterBase implements Hypervis
         to.setIsolationuri(profile.getIsolationUri());
         to.setNetworkRateMbps(profile.getNetworkRate());
         to.setName(profile.getName());
+        to.setSecurityGroupEnabled(profile.isSecurityGroupEnabled());
         
         // Workaround to make sure the TO has the UUID we need for Niciri integration
         NicVO nicVO = _nicDao.findById(profile.getId());