From f83a9a6367b39a329e690f46160c7df36fa523f7 Mon Sep 17 00:00:00 2001
From: Stefan Hanreich <s.hanreich@proxmox.com>
Date: Wed, 20 Nov 2024 15:47:41 +0100
Subject: [PATCH] firewall: sdn: ignore EPERM when reading the legacy IPAM file

On fresh installations, neither the new nor the old IPAM db file
exist. This triggers our fallback code path and leads to errors in the
syslog on fresh installs where there is no IPAM database. This happens
whenever a firewall API call is made. Because of this, we choose to
ignore EPERM when reading the legacy files. This is okay, because we
move existing databases in the postinstall script of
libpve-network-perl, making the situation where the new file does not
exist, but the old file exists unlikely.

Reported-by: Alexander Zeidler <a.zeidler@proxmox.com>
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
 pve-rs/src/firewall/sdn.rs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pve-rs/src/firewall/sdn.rs b/pve-rs/src/firewall/sdn.rs
index a7d7b80..ef4eb70 100644
--- a/pve-rs/src/firewall/sdn.rs
+++ b/pve-rs/src/firewall/sdn.rs
@@ -127,6 +127,7 @@ mod export {
                 match fs::read_to_string(SDN_IPAM_LEGACY) {
                     Ok(data) => add_ipam_ipsets(data)?,
                     Err(e) if e.kind() == io::ErrorKind::NotFound => (),
+                    Err(e) if e.kind() == io::ErrorKind::PermissionDenied => (),
                     Err(e) => bail!("Cannot open legacy IPAM database: {e:#}"),
                 }
             }