# ... (previous parts: FROM, ENV, apt-get install, font COPY, font cache) ... | |
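# Create the unprivileged account the application will run as.
# Both IDs are build arguments, so they can be overridden with
# --build-arg APP_USER_UID=... / APP_USER_GID=... without editing this file.
ARG APP_USER_UID=1000
ARG APP_USER_GID=1000
# The IDs are quoted so an empty or malformed --build-arg fails in
# groupadd/useradd instead of being word-split by the shell.
# --no-log-init skips the lastlog/faillog entries; with a very large UID those
# sparse files can otherwise inflate the image layer.
RUN groupadd --gid "${APP_USER_GID}" appgroup && \
    useradd --no-log-init \
        --uid "${APP_USER_UID}" \
        --gid appgroup \
        --shell /bin/bash \
        --create-home \
        appuser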
# Relative paths in the instructions below resolve against the app directory.
WORKDIR /home/appuser/app

# Bring in only the dependency manifest at this point, so the install layer
# below is rebuilt only when requirements.txt itself changes.
COPY requirements.txt ./

# The build is still running as root here, so packages are installed
# system-wide rather than under /home/appuser/.local. That keeps the installed
# entry points on the default PATH and lets packages write to system locations
# during installation.
# --no-cache-dir keeps pip's download cache out of the image layer.
# NOTE(review): pip is upgraded to whatever release is current at build time,
# and nothing visible here pins or hash-checks the requirements; if
# reproducible, tamper-evident builds matter, pin exact versions and consider
# pip's --require-hashes mode.
RUN python -m pip install --no-cache-dir --upgrade pip && \
    python -m pip install --no-cache-dir -r requirements.txt
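# Copy the application source and assign ownership to appuser at copy time.
# A recursive chown in a later RUN would rewrite every copied file into a
# second layer and roughly double the size of the application code in the image.
# NOTE(review): "COPY . ." ships the whole build context. Keep a .dockerignore
# that excludes .git, .env files, local secrets files and any other
# credentials so they never end up in an image layer.
COPY --chown=appuser:appgroup . .

# WORKDIR created /home/appuser/app as root, and COPY does not change the owner
# of a destination directory that already exists. Hand the directory itself and
# the output directory to appuser explicitly (non-recursive: the copied files
# are already owned by appuser).
# NOTE(review): the runtime user can still modify the application code. If the
# app only ever writes to temp_cinegen_media, consider leaving the code owned
# by root and making just that directory writable.
RUN mkdir -p /home/appuser/app/temp_cinegen_media && \
    chown appuser:appgroup \
        /home/appuser/app \
        /home/appuser/app/temp_cinegen_media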
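# Drop root: the container process and any later instruction run as appuser.
USER appuser

# Put appuser's per-user script directory on PATH.
# This explanation sits on its own line because a Dockerfile comment is only
# recognised at the start of a line; a trailing "# ..." after the value is
# parsed as further ENV arguments and breaks the build.
ENV PATH="/home/appuser/.local/bin:${PATH}"

# Streamlit's default port. EXPOSE is documentation only; the port is reachable
# from outside only if it is published when the container is started.
# NOTE(review): nothing visible here puts authentication in front of the app;
# decide at deployment time who may reach this port.
EXPOSE 8501

# Exec-form CMD: streamlit runs as the container's main process and receives
# stop signals directly. Headless mode skips the browser launch, and the file
# watcher is disabled because the source does not change inside the image.
CMD ["streamlit", "run", "app.py", "--server.headless=true", "--server.port=8501", "--server.fileWatcherType=none"]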