Update Dockerfile

Dockerfile

@@ -2,32 +2,43 @@
 FROM ubuntu:24.04
 ENV DEBIAN_FRONTEND=noninteractive
 
+# Install system deps
 RUN apt-get update && apt-get install -y \
     python3 python3-venv python3-pip git wget \
  && rm -rf /var/lib/apt/lists/*
 
+# Create a non-root user
+RUN useradd -m -s /bin/bash comfy
+
 WORKDIR /workspace
 RUN git clone https://github.com/comfyanonymous/ComfyUI.git
 WORKDIR /workspace/ComfyUI
 
+# Create Python venv & install dependencies as root
 RUN python3 -m venv .venv \
  && . .venv/bin/activate \
  && pip install --upgrade pip \
  && pip install huggingface_hub xformers!=0.0.18 \
  && pip install -r requirements.txt
 
-# Create the user directory with permissive rights
-RUN mkdir -p /workspace/ComfyUI/user && chmod -R 777 /workspace/ComfyUI/user
+# Pre-create writable folders
+RUN mkdir -p /workspace/ComfyUI/user /workspace/ComfyUI/temp \
+ && chown -R comfy:comfy /workspace/ComfyUI/user /workspace/ComfyUI/temp
 
 # Copy download script
 COPY download_flux.py /workspace/ComfyUI/download_flux.py
 
-# Use secret to download model files via huggingface_hub
+# Run model download with secret token as root
 RUN --mount=type=secret,id=HF_TOKEN,mode=0444,required=true \
     . .venv/bin/activate && \
     python download_flux.py
 
+# Make sure entire repo is owned by comfy (safe for venv)
+RUN chown -R comfy:comfy /workspace/ComfyUI
+
+# Switch to comfy user
+USER comfy
+
 EXPOSE 7860
 
-# Use split cross attention flag and listen on all interfaces, enforce CPU mode
 CMD ["/bin/bash", "-c", "source .venv/bin/activate && python3 main.py --listen 0.0.0.0 --port 7860 --cpu --use-split-cross-attention"]