diff --git a/web/tunnel/apps.py b/web/tunnel/apps.py
index 1c27f49ef0899a7a0a21df57a28e3ff4d93cff31..9bde22d2c012b096878489522d1694698d020ff4 100644
--- a/web/tunnel/apps.py
+++ b/web/tunnel/apps.py
@@ -40,20 +40,8 @@ class TunnelConfig(AppConfig):
 "Could not delete k8s service", extra=kwargs, exc_info=True
 )
 continue
- try:
- log.debug("Create k8s svc")
- k8s_svc("create", alert_admins=True, **kwargs)
- except:
- log.warning(
- "Could not create k8s service. Stop/Delete tunnel",
- extra=kwargs,
- exc_info=True,
- )
- try:
- stop_and_delete(raise_exception=False, **kwargs)
- tunnel.delete()
- except:
- log.exception("Could not stop/delete ssh tunnel", extra=kwargs)
+ log.debug("Create k8s svc")
+ k8s_svc("create", alert_admins=True, raise_exception=False, **kwargs)
 def create_user(self, username, passwd, groups=[], superuser=False, mail=""):
 from django.contrib.auth.models import Group
diff --git a/web/tunnel/utils.py b/web/tunnel/utils.py
index 54860f316a41f76b37c1dd145931400dfe29573b..1e10ab8cf21141d898c755f4dd66b3201ff11206 100644
--- a/web/tunnel/utils.py
+++ b/web/tunnel/utils.py
@@ -116,7 +116,18 @@ def run_popen_cmd(
 extra=log_extra,
 )
- with subprocess.Popen(cmd, stderr=subprocess.PIPE, stdout=subprocess.PIPE) as p:
+ # gunicorn preload app feature does not use gunicorn user/group but
+ # the current uid instead. Which is root. We don't want to run commands as root.
+ def set_uid():
+ def result():
+ os.setuid(1000)
+ os.setgid(100)
+
+ return result
+
+ with subprocess.Popen(
+ cmd, stderr=subprocess.PIPE, stdout=subprocess.PIPE, preexec_fn=set_uid()
+ ) as p:
 stdout, stderr = p.communicate()
 returncode = p.returncode
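Review bot: The new `k8s_svc("create", alert_admins=True, raise_exception=False, **kwargs)` call discards whatever the helper reports, so a failed create now leaves the ssh tunnel and its database row in place with no matching service, where the removed branch tore both down. If that is intended (keep the tunnel and let admins react to the alert), say so at the call site, for example `# best effort: on failure the tunnel is kept and admins are alerted; no rollback here`. Otherwise check the result and log at warning level with `extra=kwargs` so an orphaned tunnel is visible in the logs. How `k8s_svc` signals failure when `raise_exception=False` is not visible in this diff, and the enclosing method starts outside the hunk.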
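Review bot: In the nested `result()` the privilege drop is in the wrong order: once `os.setuid(1000)` has given up root, the following `os.setgid(100)` no longer has the privilege to change the group and raises `PermissionError`, which `Popen` reports as a failure in `preexec_fn`. Root's supplementary groups are also never cleared, so a child that did start would keep them. Drop the groups first and the uid last, `os.setgroups([])`, `os.setgid(100)`, `os.setuid(1000)`, and run that only when `os.geteuid() == 0` so workers that already run unprivileged are unaffected. On Python 3.9+ the `user=`, `group=` and `extra_groups=` arguments of `subprocess.Popen` do the same without `preexec_fn`, which the subprocess documentation warns is not safe in threaded processes. `run_popen_cmd` starts and ends outside the hunk, and whether `os` is imported in this file is not visible here.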