Celery Start celery in the detached mode (Fix)

The Fix

pip install celery==5.2.4

Based on closed celery/celery issue #7200 · PR/commit linked

Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.

Jump to Verify Open PR/Commit

@@ -327,6 +327,10 @@ def worker(ctx, hostname=None, pool_cls=None, app=None, uid=None, gid=None,
             if '-D' in argv:
                 argv.remove('-D')
+            if "--uid" in argv:
+                argv.remove('--uid')
+            if "--gid" in argv:

repro.py

def detach(path, argv, logfile=None, pidfile=None, uid=None,
           gid=None, umask=None, workdir=None, fake=False, app=None,
           executable=None, hostname=None):
    """Detach program by argv."""
    fake = 1 if C_FAKEFORK else fake
    # `detached()` will attempt to touch the logfile to confirm that error
    # messages won't be lost after detaching stdout/err, but this means we need
    # to pre-format it rather than relying on `setup_logging_subsystem()` like
    # we can elsewhere.
    logfile = node_format(logfile, hostname)
    with detached(logfile, pidfile, uid, gid, umask, workdir, fake, after_forkers=False):                 <<< changes user here
        try:
            if executable is not None:
                path = executable
            os.execv(path, [path] + argv)                                                                 <<< fails here
            return EX_OK
        except Exception:  # pylint: disable=broad-except
            if app is None:
                from celery import current_app
                app = current_app
            app.log.setup_logging_subsystem(
                'ERROR', logfile, hostname=hostname)
            logger.critical("Can't exec %r", ' '.join([path] + argv),
                            exc_info=True)
            return EX_FAILURE

verify

Re-run the minimal reproduction on your broken version, then apply the fix and re-run.

fix.md

Option A — Upgrade to fixed release\npip install celery==5.2.4\nWhen NOT to use: Do not apply this fix if the application requires specific uid/gid handling for security.\n\n

Why This Fix Works in Production

Trigger: return os.initgroups(username, gid)
Mechanism: The detach function incorrectly passes uid and gid parameters after changing the process owner
Why the fix works: Fixes issue #7200 by removing the uid and gid arguments from argv before running in detached mode. (first fixed release: 5.2.4).

Production impact:

If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.

Why This Breaks in Prod

The detach function incorrectly passes uid and gid parameters after changing the process owner
Surfaces as: return os.initgroups(username, gid)

Proof / Evidence

GitHub issue: #7200
Fix PR: https://github.com/celery/celery/pull/7244
First fixed release: 5.2.4
Reproduced locally: No (not executed)
Last verified: 2026-02-09
Confidence: 0.85
Did this fix it?: Yes (upstream fix exists)
Own content ratio: 0.41

Discussion

High-signal excerpts from the issue thread (symptoms, repros, edge-cases).

Jump to Sources Open on GitHub

“Hey @ssvasilyev :wave:, Thank you for opening an issue”

@open-collective-bot · 2022-01-04 · source

Failure Signature (Search String)

return os.initgroups(username, gid)

Error Message

Stack trace

error.txt

Error Message
-------------
return os.initgroups(username, gid) 
OSError: [Errno 1] Operation not permitted

Minimal Reproduction

repro.py

def detach(path, argv, logfile=None, pidfile=None, uid=None,
           gid=None, umask=None, workdir=None, fake=False, app=None,
           executable=None, hostname=None):
    """Detach program by argv."""
    fake = 1 if C_FAKEFORK else fake
    # `detached()` will attempt to touch the logfile to confirm that error
    # messages won't be lost after detaching stdout/err, but this means we need
    # to pre-format it rather than relying on `setup_logging_subsystem()` like
    # we can elsewhere.
    logfile = node_format(logfile, hostname)
    with detached(logfile, pidfile, uid, gid, umask, workdir, fake, after_forkers=False):                 <<< changes user here
        try:
            if executable is not None:
                path = executable
            os.execv(path, [path] + argv)                                                                 <<< fails here
            return EX_OK
        except Exception:  # pylint: disable=broad-except
            if app is None:
                from celery import current_app
                app = current_app
            app.log.setup_logging_subsystem(
                'ERROR', logfile, hostname=hostname)
            logger.critical("Can't exec %r", ' '.join([path] + argv),
                            exc_info=True)
            return EX_FAILURE

What Broke

Celery fails to start in detached mode, resulting in no logging and process termination.

Why It Broke

The detach function incorrectly passes uid and gid parameters after changing the process owner

Fix Options (Details)

Option A — Upgrade to fixed release Safe default (recommended)

pip install celery==5.2.4

When NOT to use: Do not apply this fix if the application requires specific uid/gid handling for security.

Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.

Option D — Guard side-effects with OnceOnly Guardrail for side-effects

Mitigate duplicate external side-effects under retries/timeouts/agent loops by gating the operation before calling external systems.

Place OnceOnly between your code/agent and real side-effects (Stripe, emails, CRM, APIs).
Use a stable key per side-effect (e.g., customer_id + action + idempotency_key).
Fail-safe: configure fail-open vs fail-closed based on blast radius and spend risk.

Show example snippet (optional)

onceonly.py

from onceonly import OnceOnly
import os

once = OnceOnly(api_key=os.environ["ONCEONLY_API_KEY"], fail_open=True)

# Stable idempotency key per real side-effect.
# Use a request id / job id / webhook delivery id / Stripe event id, etc.
event_id = "evt_..."  # replace
key = f"stripe:webhook:{event_id}"

res = once.check_lock(key=key, ttl=3600)
if res.duplicate:
    return {"status": "already_processed"}

# Safe to execute the side-effect exactly once.
handle_event(event_id)

See OnceOnly SDK

When NOT to use: Do not use this to hide logic bugs or data corruption. Use it to block duplicate external side-effects and enforce tool permissions/spend caps.

Fix reference: https://github.com/celery/celery/pull/7244

First fixed release: 5.2.4

Last verified: 2026-02-09. Validate in your environment.

When NOT to Use This Fix

Do not apply this fix if the application requires specific uid/gid handling for security.
Do not use this to hide logic bugs or data corruption. Use it to block duplicate external side-effects and enforce tool permissions/spend caps.

Verify Fix

verify

Re-run the minimal reproduction on your broken version, then apply the fix and re-run.

Did This Fix Work in Your Case?

Quick signal helps us prioritize which fixes to verify and improve.

Prevention

Capture the exact failing error string in logs and tests so you can reproduce via a minimal script.
Pin production dependencies and upgrade only with a reproducible test that hits the failing path.

Version Compatibility Table

Version	Status
5.2.4	Fixed

Related Issues

No related fixes found.

Cluster: celery:configuration-error Celery hub Celery best practices All hubs All clusters

Related clusters: Data consistency Duplicates Duplicate processing

Sources

We don’t republish the full GitHub discussion text. Use the links above for context.