Fix gunicorn control socket path causing Permission denied on k8s rolling updates

pedro-psb · claude · pedro-psb · commit c41bf046041e · 2026-04-14T15:39:58.000-03:00
gunicorn 23.x introduced a control socket (gunicornc) that defaults to gunicorn.ctl relative to the working directory. Since pulpcore-content sets its CWD to WORKING_DIRECTORY (/var/lib/pulp/tmp by default), the socket lands on the shared PVC and persists across pod restarts, causing Permission denied when a new pod tries to recreate it during a rolling update. Default to /tmp/pulpcore-content.ctl, which is pod-local ephemeral storage. Users who want a different path can override via gunicorn.conf.py. fixes: #7574 Assisted-by: Claude Code Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
diff --git a/CHANGES/7574.bugfix b/CHANGES/7574.bugfix
@@ -0,0 +1 @@
+Fixed gunicorn control socket being placed on the shared PVC by defaulting to `/tmp/pulpcore-content.ctl`, preventing Permission denied errors during k8s rolling updates.
diff --git a/pulpcore/content/entrypoint.py b/pulpcore/content/entrypoint.py
@@ -15,6 +15,10 @@ def load_app_specific_config(self):
         )
         self.set_option("default_proc_name", "pulpcore-content", enforced=True)
         self.set_option("worker_class", worker_class, enforced=True)
+        # Use /tmp for the gunicornc control socket (see https://gunicorn.org/guides/gunicornc/).
+        # The default (relative to CWD) places it on the shared PVC, causing Permission denied
+        # during k8s rolling updates. Users can override this via gunicorn.conf.py.
+        self.set_option("control_socket", "/tmp/pulpcore-content.ctl")
 
     def load(self):
         import pulpcore.content

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+Fixed gunicorn control socket being placed on the shared PVC by defaulting to `/tmp/pulpcore-content.ctl`, preventing Permission denied errors during k8s rolling updates.