Update Dockerfile

Dockerfile

@@ -1,6 +1,12 @@
 # Use the official Python 3.9 slim image as the base
 FROM python:3.9-slim
 
+# Create a non-root user and group
+# - Create a group named 'appgroup' with GID 1001
+# - Create a user named 'appuser' with UID 1001, assign to 'appgroup', and prevent it from being used for login (-D)
+RUN addgroup --gid 1001 appgroup && \
+    adduser --uid 1001 --gid 1001 --disabled-password --gecos '' appuser
+
 # Set the working directory inside the container
 WORKDIR /app
 
@@ -8,14 +14,25 @@ WORKDIR /app
 COPY requirements.txt requirements.txt
 
 # Install the Python dependencies
-RUN pip install --no-cache-dir -r requirements.txt
+# Also install ' dumb-init' which is good practice for handling signals in containers
+RUN pip install --no-cache-dir -r requirements.txt dumb-init
 
 # Copy the rest of the application code
-COPY . .
+# Use --chown to ensure the copied files are owned by appuser:appgroup
+COPY --chown=appuser:appgroup . .
+
+# Change ownership of the working directory to appuser:appgroup
+# This ensures that if any build steps created files, or if the volume mount
+# needs to write here, the user has permissions.
+RUN chown -R appuser:appgroup /app
+
+# Switch to the non-root user
+USER appuser
 
 # Expose the port the app runs on (defined by the PORT environment variable or 5000)
 EXPOSE 7860
 
 # Define the command to run the application
-# Run the application using Gunicorn
-CMD ["gunicorn", "--bind", "0.0.0.0:7860", "app:app"]
+# Use dumb-init to handle PID 1 correctly and forward signals (like SIGTERM from docker stop)
+# Run the application using Gunicorn bound to all interfaces
+CMD ["dumb-init", "gunicorn", "--bind", "0.0.0.0:7860", "app:app"]