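# Streamlit application image: Python 3.9 on a slim Debian base, with the
# native libraries OpenCV needs, running as an unprivileged user.
# NOTE(review): the tag is not pinned to a Debian release or digest, so the
# underlying distribution (and which apt packages exist) can change between
# builds. Consider pinning for reproducibility.
FROM python:3.9-slim

# UID/GID of the runtime user; override with --build-arg to match the owner
# of host-mounted volumes.
ARG UID=1000
ARG GID=1000

# System dependencies:
#   libgl1-mesa-glx     - provides libGL.so.1, which OpenCV loads at import time
#   libsm6, libxrender1 - X11 libraries commonly required by OpenCV
#   ffmpeg              - video processing
#   build-essential, curl, git, software-properties-common - build/dev tools
#                         (curl is also used by the HEALTHCHECK below)
# --no-install-recommends keeps optional packages out of the image, which
# reduces both size and the installed attack surface. The apt lists are
# removed in the same layer so they never persist in the image.
RUN apt-get update && apt-get install -y --no-install-recommends \
        build-essential \
        curl \
        ffmpeg \
        git \
        libgl1-mesa-glx \
        libsm6 \
        libxrender1 \
        software-properties-common \
    && rm -rf /var/lib/apt/lists/*

# Create the unprivileged group and user the application runs as.
#   -m           create the home directory
#   -u "${UID}"  fixed UID, so ownership lines up with host volume mounts
#   -g appgroup  primary group
RUN groupadd -g "${GID}" appgroup && \
    useradd -m -u "${UID}" -g appgroup appuser

# HOME must point at the new user's home directory.
ENV HOME=/home/appuser

# Application directory (created by WORKDIR, owned by root at this point).
WORKDIR /app

# Install Python dependencies system-wide as root, before the source is
# copied, so this layer is reused when only application code changes.
COPY requirements.txt .
RUN pip3 install --no-cache-dir -r requirements.txt

# Hand /app to the runtime user so it can write in its working directory.
RUN chown -R appuser:appgroup /app

# Drop root for everything that follows, including the running container.
USER appuser

# Copy the application source and assets.
# COPY does not take file ownership from USER: without --chown the files are
# created as root (0:0), and appuser could not modify them. --chown makes the
# ownership explicit.
# NOTE(review): this copies the entire build context. Confirm a .dockerignore
# excludes .git, .env files and other credentials so they are not baked into
# the image.
COPY --chown=appuser:appgroup . .

# Port Streamlit listens on (documentation only; it does not publish the port).
EXPOSE 8501

# Mark the container unhealthy when Streamlit's health endpoint stops responding.
HEALTHCHECK CMD curl --fail http://localhost:8501/_stcore/health

# The entrypoint script lives under src/ relative to WORKDIR /app.
# The server binds to 0.0.0.0 so it is reachable through the published port.
ENTRYPOINT ["streamlit", "run", "src/streamlit_app.py", "--server.port=8501", "--server.address=0.0.0.0"]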