Update Dockerfile

Dockerfile

@@ -1,68 +1,90 @@
+# Start from a stable Python base image
 FROM python:3.13-bookworm
 
-# Install system dependencies
-# Use the headless version of openjdk-17, which is standard for server environments
-RUN apt-get update && \
-    apt-get install -y git curl openjdk-17-jre-headless nginx netcat-traditional unzip && \
-    rm -rf /var/lib/apt/lists/*
+# Use ARG for versions to easily update them
+ARG NEO4J_VERSION=5.15.0
+
+# Set Environment Variables
+ENV JAVA_HOME=/usr/lib/jvm/java-17-openjdk-amd64 \
+    NEO4J_HOME=/neo4j \
+    PATH="$PATH:/neo4j/bin"
 
-# Set JAVA_HOME (Good practice, though often not strictly necessary if Java is in the PATH)
-ENV JAVA_HOME=/usr/lib/jvm/java-17-openjdk-amd64
+# Install system dependencies as root
+# Using --no-install-recommends to keep the image smaller
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+    git \
+    curl \
+    openjdk-17-jre-headless \
+    nginx \
+    netcat-traditional \
+    unzip \
+    && rm -rf /var/lib/apt/lists/*
 
-# Download and install Neo4j Community Edition
-ENV NEO4J_VERSION=5.15.0
-RUN curl -fsSL https://dist.neo4j.org/neo4j-community-5.15.0-unix.tar.gz -o neo4j.tar.gz && \
-    tar -xzf neo4j.tar.gz && \
-    mv neo4j-community-5.15.0 /neo4j && \
+# Download and install Neo4j Community Edition as root
+RUN curl -fsSL "https://dist.neo4j.org/neo4j-community-${NEO4J_VERSION}-unix.tar.gz" -o neo4j.tar.gz && \
+    tar -xzf neo4j.tar.gz -C / && \
+    mv "/neo4j-community-${NEO4J_VERSION}" "${NEO4J_HOME}" && \
     rm neo4j.tar.gz
 
-# Download and install the APOC plugin for Neo4j
-RUN curl -fsSL https://github.com/neo4j/apoc/releases/download/5.15.0/apoc-5.15.0-core.jar -o /neo4j/plugins/apoc.jar
+# Create plugins directory and download the APOC plugin
+RUN mkdir -p ${NEO4J_HOME}/plugins
+RUN curl -fsSL "https://github.com/neo4j/apoc/releases/download/${NEO4J_VERSION}/apoc-${NEO4J_VERSION}-core.jar" -o "${NEO4J_HOME}/plugins/apoc.jar"
 
-# Set workdir
+# Set the working directory
 WORKDIR /app
 
-RUN pwd
-# === Step 2.2: USE THE BUILD ARGUMENT IN YOUR CLONE COMMAND ===
-# Clone the project using the token for authentication
+# Clone the project repository.
 RUN git clone https://github.com/bhuvanmdev/graph-rag-agent.git /app
 
-# Create directories for Neo4j data and logs
-RUN mkdir -p /app/neo4j_data /app/neo4j_logs
+# Install Python dependencies before creating the non-root user
+RUN pip install --no-cache-dir --upgrade pip && \
+    pip install --no-cache-dir -r requirements.txt
 
 # === Correct Neo4j Configuration ===
-RUN sed -i 's/#server.default_listen_address=127.0.0.1/server.default_listen_address=0.0.0.0/' /neo4j/conf/neo4j.conf && \
-    sed -i 's|#dbms.directories.data=data|dbms.directories.data=/app/neo4j_data|' /neo4j/conf/neo4j.conf && \
-    sed -i 's|#dbms.directories.logs=logs|dbms.directories.logs=/app/neo4j_logs|' /neo4j/conf/neo4j.conf && \
-    echo 'dbms.security.auth_enabled=false' >> /neo4j/conf/neo4j.conf
-
-# Install Python dependencies
-RUN pip install --upgrade pip && \
-    pip install -r requirements.txt
-
-# Install git-lfs, pull LFS files, and unzip. This will now work because the repo
-# was cloned with credentials.
-# RUN apt-get update && \
-#     apt-get install -y --no-install-recommends git-lfs unzip && \
-#     git lfs install && \
-#     git lfs pull && \
-#     unzip neo4j_data.zip && \
-#     rm -rf /var/lib/apt/lists/*
+# Create directories first, then configure Neo4j to use them.
+RUN mkdir -p /app/neo4j_data /app/neo4j_logs
+RUN sed -i 's/#server.default_listen_address=127.0.0.1/server.default_listen_address=0.0.0.0/' ${NEO4J_HOME}/conf/neo4j.conf && \
+    sed -i 's|#dbms.directories.data=data|dbms.directories.data=/app/neo4j_data|' ${NEO4J_HOME}/conf/neo4j.conf && \
+    sed -i 's|#dbms.directories.logs=logs|dbms.directories.logs=/app/neo4j_logs|' ${NEO4J_HOME}/conf/neo4j.conf && \
+    echo 'dbms.security.auth_enabled=false' >> ${NEO4J_HOME}/conf/neo4j.conf && \
+    echo 'dbms.security.procedures.unrestricted=apoc.*' >> ${NEO4J_HOME}/conf/neo4j.conf
 
+# === Correctly Prepare and Place Data ===
+# The neo4j_data.zip file should be in the same directory as your Dockerfile
 COPY neo4j_data.zip /app/neo4j_data.zip
-RUN unzip neo4j_data.zip
-# Move the unzipped data
-RUN mv /app/neo4j_data/* /neo4j/data/ && mv /app/neo4j_logs/* /neo4j/logs/
+# Unzip the data into a temporary directory first to inspect its structure
+RUN unzip /app/neo4j_data.zip -d /app && \
+    rm -rf /app/neo4j_data.zip
+# RUN mkdir -p /app/temp_unzip && unzip /app/neo4j_data.zip -d /app/temp_unzip
+# Assuming the zip file contains 'neo4j_data' and 'neo4j_logs' folders,
+# move their *contents* to the correct final destination.
+# RUN mv /app/temp_unzip/neo4j_data/* /app/neo4j_data/ && \
+#     mv /app/temp_unzip/neo4j_logs/* /app/neo4j_logs/ && \
+#     rm -rf /app/temp_unzip /app/neo4j_data.zip
 
-# Copy Nginx config and run script
+# Create a non-root user 'user' with UID 1000 as required by Hugging Face Spaces
+RUN useradd -m -u 1000 user
+ENV HOME=/home/user
+
+# === Configure Nginx ===
+RUN mkdir -p /var/lib/nginx/body /var/log/nginx
+# Move the nginx.conf from the cloned repo to its destination
 RUN mv /app/nginx.conf /etc/nginx/nginx.conf
+
+# === Set Final Permissions ===
+# This is the most critical step to prevent runtime errors.
+# Change ownership of all application, database, and Nginx directories to the non-root user.
+RUN chown -R user:user /app ${NEO4J_HOME} /var/lib/nginx /var/log/nginx /etc/nginx/nginx.conf
+
+# Make the startup script executable
 RUN chmod +x /app/scripts/run.sh
 
-# Expose HTTP (Nginx), Neo4j, and Gradio ports
-EXPOSE 8080
+# Switch to the non-root user for runtime
+USER user
 
-# Set Neo4j Home
-ENV NEO4J_HOME=/neo4j
+# Expose the port Nginx will listen on
+EXPOSE 8080
 
-# Entrypoint: Start all services
+# Entrypoint to start all services
 ENTRYPOINT ["/app/scripts/run.sh"]