Update Dockerfile

Dockerfile

@@ -1,47 +1,50 @@
 FROM python:3.11.11-slim-bullseye
 
-# Install system dependencies
+# Install system dependencies as root
 RUN apt-get update -qq \
-  && apt-get -qqq install --no-install-recommends -y pkg-config gcc g++ \
+  && apt-get -qqq install --no-install-recommends -y \
+     pkg-config gcc g++ git curl \
   && apt-get clean \
   && rm -rf /var/lib/apt/lists/*
 
-# Create non-root user
-RUN addgroup --system --gid 1032 libretranslate \
-  && adduser --system --uid 1032 --gid 1032 libretranslate
+# Create non-root user with specific UID/GID
+# Using UID/GID 1000 which is common for the first user
+RUN groupadd -r -g 1000 libretranslate \
+  && useradd -r -u 1000 -g 1000 -m -d /home/libretranslate -s /bin/bash libretranslate
 
 # Set working directory
 WORKDIR /app
 
-# Create virtual environment
-RUN python -m venv venv
-
-# Upgrade pip
-RUN ./venv/bin/pip install --upgrade pip
-
-# Clone LibreTranslate repository
-RUN apt-get update -qq \
-  && apt-get install -y git \
-  && git clone https://github.com/LibreTranslate/LibreTranslate.git . \
+# Clone repository as root, then change ownership
+RUN git clone https://github.com/LibreTranslate/LibreTranslate.git . \
+  && chown -R libretranslate:libretranslate /app \
   && apt-get remove -y git \
   && apt-get autoremove -y \
   && apt-get clean \
   && rm -rf /var/lib/apt/lists/*
 
-# Install Python dependencies
+# Create necessary directories with proper permissions
+RUN mkdir -p /app/db /app/logs /tmp/prometheus_data \
+  && chown -R libretranslate:libretranslate /app /tmp/prometheus_data \
+  && chmod 755 /app /app/db /app/logs /tmp/prometheus_data
+
+# Switch to non-root user for all subsequent operations
+USER libretranslate
+
+# Create virtual environment as non-root user
+RUN python -m venv venv \
+  && ./venv/bin/pip install --upgrade pip wheel
+
+# Install Python dependencies as non-root user
 RUN ./venv/bin/pip install Babel==2.12.1 \
   && ./venv/bin/python scripts/compile_locales.py \
   && ./venv/bin/pip install torch==2.2.0 --extra-index-url https://download.pytorch.org/whl/cpu \
   && ./venv/bin/pip install "numpy<2" \
-  && ./venv/bin/pip install . \
+  && ./venv/bin/pip install -e . \
   && ./venv/bin/pip install gunicorn \
   && ./venv/bin/pip cache purge
 
-# Create necessary directories
-RUN mkdir -p /app/db /app/logs /tmp/prometheus_data \
-  && chown -R libretranslate:libretranslate /app /tmp/prometheus_data
-
-# Copy wsgi.py file (if not in the repo)
+# Create wsgi.py as non-root user
 RUN echo 'from app.main import create_app\n\
 \n\
 def app(*args, **kwargs):\n\
@@ -54,18 +57,19 @@ def app(*args, **kwargs):\n\
         setattr(args, k, v)\n\
     return create_app(args)' > /app/wsgi.py
 
-# Switch to non-root user
-USER libretranslate
-
 # Set environment variables
 ENV PROMETHEUS_MULTIPROC_DIR=/tmp/prometheus_data
-ENV LT_LOAD_ONLY=""
-ENV LT_UPDATE_MODELS=false
+ENV HOME=/home/libretranslate
+ENV USER=libretranslate
 
-# Expose port
+# Expose port (as non-root, can only bind to ports > 1024)
 EXPOSE 7860
 
-# Default command with Gunicorn
+# Health check running as non-root
+HEALTHCHECK --interval=30s --timeout=3s --start-period=40s --retries=3 \
+  CMD ./venv/bin/python -c "import urllib.request; urllib.request.urlopen('http://localhost:7860/languages').read()"
+
+# Run gunicorn as non-root user
 CMD ["./venv/bin/gunicorn", \
      "--workers", "3", \
      "--bind", "0.0.0.0:7860", \