Add migration to set gunicorn control socket paths for pulpcore#1057
Merged
evgeni merged 1 commit intotheforeman:developfrom May 5, 2026
Merged
Add migration to set gunicorn control socket paths for pulpcore#1057evgeni merged 1 commit intotheforeman:developfrom
evgeni merged 1 commit intotheforeman:developfrom
Conversation
Odilhao
force-pushed
the
fix-puppet-gunicorn-pulpcore
branch
from
bd408aa to
7d089a2
Compare
Gunicorn 25.1.0+ defaults to creating a control socket at \$HOME/gunicorn.ctl (/var/lib/pulp/gunicorn.ctl for the pulp user), causing SELinux AVC denials. puppet-pulpcore PR theforeman#403 adds api_control_socket_path and content_control_socket_path parameters; this migration sets them to /run/pulpcore-{api,content}/gunicorn.ctl for existing installations, where systemd already creates those directories with the correct pulpcore_server_var_run_t SELinux label. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Odilhao
force-pushed
the
fix-puppet-gunicorn-pulpcore
branch
from
7d089a2 to
6d89ea6
Compare
Contributor
|
For this and the pulpcore change to work, Pulp needs to backport pulp/pulpcore#7591 to 3.105 , unless it was patched somewhere? |
Contributor
|
I gave this a test after patching Pulpcore to support the control socket argument, and the AVC denials are not coming back. I also applied theforeman/puppet-foreman_proxy_content#537 and theforeman/puppet-foreman_proxy_content#537. |
Member
|
Converted to a draft until pulp/pulpcore#7591 has been backported to the Pulp we're using, as otherwise merging this will break Pulp completely. |
Member
Author
|
The pulpcore backport was done at theforeman/pulpcore-packaging@e9ca8b0 we can move this back to review ready, this will be the last piece to unlock ci. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Gunicorn 25.1.0+ defaults to creating a control socket at $HOME/gunicorn.ctl (/var/lib/pulp/gunicorn.ctl for the pulp user), causing SELinux AVC denials. theforeman/puppet-pulpcore#403 adds api_control_socket_path and content_control_socket_path parameters; this migration sets them to /run/pulpcore-{api,content}/gunicorn.ctl for existing installations, where systemd already creates those directories with the correct pulpcore_server_var_run_t SELinux label.