# Use a specific Python 3.9 slim image FROM python:3.9-slim # Install system dependencies (as root, before creating the non-root user) RUN apt-get update && apt-get install -y \ build-essential \ curl \ software-properties-common \ git \ libgomp1 \ && rm -rf /var/lib/apt/lists/* # Create a non-root user "appuser" with UID 1000 (as expected by HF Spaces) # and create its home directory. RUN useradd -m -u 1000 appuser # Switch to the non-root user "appuser" USER appuser # Set environment variables for the "appuser" # HOME is crucial for tools like pip and streamlit to find user-specific paths ENV HOME=/home/appuser # Add user's local bin to PATH (where pip --user installs scripts) ENV PATH="$HOME/.local/bin:$PATH" # Set Hugging Face cache to be within the user's home directory ENV HF_HOME="$HOME/.cache/huggingface" \ STREAMLIT_SERVER_HEADLESS="true" \ STREAMLIT_BROWSER_GATHERUSAGSTATS="false" \ STREAMLIT_GLOBAL_GATHERUSAGSTATS="false" \ PYTHONUNBUFFERED=1 # Set the working directory inside the user's home # All subsequent COPY and RUN commands will be relative to this WORKDIR $HOME/app # Copy requirements.txt first and install dependencies as "appuser" # --chown=appuser:appuser ensures the copied file is owned by appuser COPY --chown=appuser:appuser requirements.txt ./ # Pip will install packages to user's site-packages (e.g., $HOME/.local/lib/python3.9/site-packages) RUN pip install --no-cache-dir -r requirements.txt # Copy the application source code into the WORKDIR # Ensure your streamlit_app.py is in a 'src' folder at the root of your build context # e.g., your project structure is: # . # ├── Dockerfile # ├── requirements.txt # └── src/ # └── streamlit_app.py COPY --chown=appuser:appuser src/ ./src/ # If your streamlit_app.py is at the root of your project (next to Dockerfile): # COPY --chown=appuser:appuser streamlit_app.py ./streamlit_app.py # Expose the port Streamlit will run on EXPOSE 8501 # Healthcheck (Streamlit's health endpoint) HEALTHCHECK CMD curl --fail http://localhost:8501/_stcore/health # Command to run the Streamlit application # Ensure the path to your script is correct relative to WORKDIR ($HOME/app) # If streamlit_app.py is in $HOME/app/src/streamlit_app.py: ENTRYPOINT ["streamlit", "run", "src/streamlit_app.py", "--server.port=8501", "--server.address=0.0.0.0"] # If streamlit_app.py is in $HOME/app/streamlit_app.py (if you changed the COPY above): # ENTRYPOINT ["streamlit", "run", "streamlit_app.py", "--server.port=8501", "--server.address=0.0.0.0"]