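FROM python:3.11-slim

# Create a non-root user with UID 1000 (matches the HF Spaces runtime UID).
RUN useradd -m -u 1000 user

# HOME for the runtime user; ~/.local/bin is on PATH so user-site pip
# installs (done after USER below) are reachable.
ENV HOME=/home/user \
    PATH=/home/user/.local/bin:$PATH

# WORKDIR is created here while still root; its ownership is fixed below.
WORKDIR $HOME/app

# Build-time system dependencies, installed as root.
# --no-install-recommends keeps the toolchain footprint (and the final
# image's attack surface) small; the apt lists are removed in the same
# layer so they do not persist in the image.
RUN apt-get update \
    && apt-get install -y --no-install-recommends gcc \
    && rm -rf /var/lib/apt/lists/*

# Copy requirements first so the dependency layer is cached independently
# of application source changes.
COPY requirements.txt /tmp/requirements.txt

# Install Python dependencies system-wide (still root at this point).
RUN pip install --no-cache-dir -r /tmp/requirements.txt

# Copy the application; --chown sets ownership at copy time and avoids a
# separate recursive chown layer.
COPY --chown=user:user . $HOME/app

# Ensure the entrypoint is executable. `|| true` is deliberate: the build
# still succeeds when entrypoint.sh is absent (e.g. an overridden entrypoint).
RUN chmod +x $HOME/app/entrypoint.sh || true

# /data is the HF Spaces persistent-storage mount point. It must be owned by
# the runtime user: created root-owned with mode 700 and left that way, the
# non-root `user` below could neither read nor write it (unless the runtime
# mount replaces the directory). The WORKDIR created by root above is
# chowned for the same reason -- COPY --chown does not change the ownership
# of a pre-existing destination directory.
RUN mkdir -p /data \
    && chown user:user /data $HOME/app \
    && chmod 700 /data

# Drop privileges for the remaining build steps and for the runtime process.
USER user

# Upgrade pip for the runtime user (installs into ~/.local, already on PATH).
RUN pip install --no-cache-dir --upgrade pip

# Expose the service port; entrypoint.sh prepares /data at runtime, then
# execs the CMD (uvicorn) as the non-root user.
EXPOSE 8000
ENTRYPOINT ["/home/user/app/entrypoint.sh"]
CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000"]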