# ============================================ # Certificate Verification AI Service # Multi-stage Production Dockerfile # ============================================ # ------ Stage 1: Builder ------ FROM python:3.11-slim AS builder WORKDIR /build # Install build dependencies RUN apt-get update && \ apt-get install -y --no-install-recommends gcc g++ && \ rm -rf /var/lib/apt/lists/* COPY requirements.txt . # Install CPU-only PyTorch first (saves ~1.5GB vs full CUDA bundle) RUN pip install --no-cache-dir --prefix=/install \ torch torchvision --index-url https://download.pytorch.org/whl/cpu # Install remaining requirements RUN pip install --no-cache-dir --prefix=/install -r requirements.txt # ------ Stage 2: Runtime ------ FROM python:3.11-slim AS runtime LABEL maintainer="AI Certificate Verification Service" LABEL description="FastAPI-based certificate verification with YOLO & ViT models" # Environment defaults ENV PYTHONUNBUFFERED=1 \ PYTHONDONTWRITEBYTECODE=1 \ APP_HOME=/app \ PORT=8080 \ WORKERS=1 \ LOG_LEVEL=info \ SKIP_MODEL_LOADING=true \ GUNICORN_TIMEOUT=300 \ GUNICORN_KEEP_ALIVE=5 \ GUNICORN_GRACEFUL_TIMEOUT=120 \ # Disable HuggingFace telemetry & symlinks HF_HUB_DISABLE_TELEMETRY=1 \ TRANSFORMERS_OFFLINE=0 \ # Torch settings OMP_NUM_THREADS=2 \ MKL_NUM_THREADS=2 WORKDIR $APP_HOME # Install runtime system dependencies only RUN apt-get update && \ apt-get install -y --no-install-recommends \ libgl1 \ libglib2.0-0 \ libsm6 \ libxext6 \ libxrender1 \ curl \ tini && \ rm -rf /var/lib/apt/lists/* && \ # Create non-root user groupadd -r appuser && \ useradd -r -g appuser -d $APP_HOME -s /sbin/nologin appuser # Copy installed Python packages from builder COPY --from=builder /install /usr/local # Copy application code COPY api.py ocr_client.py verifier_supabase.py verifier.py \ yolo_seal_detector.py yolo_new.py vit_seal_classifier.py \ image_annotator.py model_downloader.py \ ./ # Keep image lean for Render free; models are downloaded at runtime when enabled # Copy production configs COPY gunicorn.conf.py ./ COPY entrypoint.sh ./ # Make entrypoint executable RUN chmod +x entrypoint.sh # Create writable directories for model downloads & temp files RUN mkdir -p /app/models /app/tmp && \ chown -R appuser:appuser /app # Switch to non-root user USER appuser # Expose port EXPOSE ${PORT} # Health check HEALTHCHECK --interval=30s --timeout=10s --start-period=120s --retries=3 \ CMD curl -f http://localhost:${PORT}/health || exit 1 # Use tini for proper signal handling ENTRYPOINT ["tini", "--"] # Start service via entrypoint CMD ["./entrypoint.sh"]