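# Streamlit application image that runs as the non-root user "appuser" (UID 1000).
#
# python:3.9-slim is a mutable tag: the same name can resolve to different
# image contents over time. For reproducible builds, pin the verified digest:
#   FROM python:3.9-slim@sha256:<DIGEST_PLACEHOLDER>
# Also check the upstream support status of the 3.9 series before relying on
# it for security fixes.
FROM python:3.9-slim

# Install system dependencies (as root, before creating the non-root user).
# --no-install-recommends keeps optional packages out of the image;
# ca-certificates is listed explicitly so curl and git can still verify TLS.
# software-properties-common was dropped: no step in this file uses
# add-apt-repository, and the package pulls in a large dependency tree.
# NOTE(review): build-essential and git remain in the runtime image. If they
# are only needed to build wheels or fetch VCS requirements, a multi-stage
# build would keep the compiler toolchain out of the final image.
# requirements.txt is not visible here, so they are kept.
RUN apt-get update && apt-get install -y --no-install-recommends \
        build-essential \
        ca-certificates \
        curl \
        git \
        libgomp1 \
    && rm -rf /var/lib/apt/lists/*

# Create a non-root user "appuser" with UID 1000 (as expected by HF Spaces)
# and create its home directory.
RUN useradd -m -u 1000 appuser

# Everything below (pip install, the app itself) runs without root privileges.
USER appuser

# HOME is needed by tools like pip and streamlit to find user-specific paths.
ENV HOME=/home/appuser

# Add the user's local bin to PATH (where pip's user install puts scripts).
ENV PATH="$HOME/.local/bin:$PATH"

# Keep the Hugging Face cache inside the user's home directory and configure
# Streamlit. Streamlit reads options from STREAMLIT_<SECTION>_<OPTION> with the
# option name in upper snake case, so browser.gatherUsageStats maps to
# STREAMLIT_BROWSER_GATHER_USAGE_STATS. The previous spelling
# (..._GATHERUSAGSTATS) was not a recognised name, so the telemetry opt-out
# had no effect. STREAMLIT_GLOBAL_GATHERUSAGSTATS had the same misspelling and
# is dropped; usage statistics are controlled by the browser.* option.
ENV HF_HOME="$HOME/.cache/huggingface" \
    STREAMLIT_SERVER_HEADLESS="true" \
    STREAMLIT_BROWSER_GATHER_USAGE_STATS="false" \
    PYTHONUNBUFFERED=1

# Set the working directory inside the user's home.
# All subsequent COPY and RUN commands are relative to this path.
WORKDIR $HOME/app

# Copy requirements.txt first so the dependency layer is cached until it changes.
# --chown=appuser:appuser ensures the copied file is owned by appuser.
COPY --chown=appuser:appuser requirements.txt ./

# As a non-root user, pip cannot write to the system site-packages and installs
# to the user site (e.g. $HOME/.local/lib/python3.9/site-packages).
# NOTE(review): pin exact versions in requirements.txt; with hashes recorded
# there, `pip install --require-hashes` rejects tampered or substituted packages.
RUN pip install --no-cache-dir -r requirements.txt

# Copy the application source code into the WORKDIR.
# Ensure your streamlit_app.py is in a 'src' folder at the root of your build
# context, e.g. your project structure is:
#   .
#   ├── Dockerfile
#   ├── requirements.txt
#   └── src/
#       └── streamlit_app.py
# Copying only src/ (not the whole context) keeps stray files such as .env or
# .git out of the image.
COPY --chown=appuser:appuser src/ ./src/
# If your streamlit_app.py is at the root of your project (next to Dockerfile):
# COPY --chown=appuser:appuser streamlit_app.py ./streamlit_app.py

# Port Streamlit listens on (documentation only; it does not publish the port).
EXPOSE 8501

# Healthcheck against Streamlit's health endpoint. curl --fail exits with its
# own non-zero codes; `|| exit 1` maps any failure to the "unhealthy" status
# Docker documents (exit code 2 is reserved).
HEALTHCHECK CMD curl --fail --silent --show-error http://localhost:8501/_stcore/health || exit 1

# Command to run the Streamlit application (exec form, so streamlit is PID 1
# and receives SIGTERM from `docker stop`).
# --server.address=0.0.0.0 listens on every container interface. Who can reach
# the app is decided by how port 8501 is published, so put authentication or
# network controls in front of it if the app is not meant to be public.
# Ensure the path to your script is correct relative to WORKDIR ($HOME/app).
# If streamlit_app.py is in $HOME/app/src/streamlit_app.py:
ENTRYPOINT ["streamlit", "run", "src/streamlit_app.py", "--server.port=8501", "--server.address=0.0.0.0"]
# If streamlit_app.py is in $HOME/app/streamlit_app.py (if you changed the COPY above):
# ENTRYPOINT ["streamlit", "run", "streamlit_app.py", "--server.port=8501", "--server.address=0.0.0.0"]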