dockerfile

# Stage 1: Builder
FROM python:3.12-slim AS builder

WORKDIR /app

# Set environment variables
ENV DEBIAN_FRONTEND=noninteractive \
    PYTHONUNBUFFERED=1 \
    PIP_NO_CACHE_DIR=1 \
    PIP_DISABLE_PIP_VERSION_CHECK=1

# Install build dependencies in a single layer with version pinning where critical
RUN apt-get update && apt-get install -y --no-install-recommends \
    wget=1.21.* \
    curl \
    gcc \
    bzip2 \
    ca-certificates \
    gnupg \
    git \
    python3-dev \
    build-essential \
    pkg-config \
    portaudio19-dev \
    libsdl-pango-dev \
    libcairo2-dev \
    libpango1.0-dev \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

# Install TinyTeX with error handling and cleanup
RUN wget -qO- "https://yihui.org/tinytex/install-bin-unix.sh" | sh \
    && ~/.TinyTeX/bin/*/tlmgr path add \
    && ~/.TinyTeX/bin/*/tlmgr install \
        amsmath babel-english cbfonts-fd cm-super count1to ctex \
        doublestroke dvisvgm everysel fontspec frcursive fundus-calligra \
        gnu-freefont jknapltx latex-bin mathastext microtype multitoc \
        physics preview prelim2e ragged2e relsize rsfs setspace \
        standalone tipa wasy wasysym xcolor xetex xkeyval \
    && rm -rf ~/.TinyTeX/texmf-var/web2c/tlmgr.log* \
    && rm -rf ~/.TinyTeX/texmf-var/web2c/tlmgr-commands.log* \
    && find ~/.TinyTeX -name "*.log" -delete \
    && find ~/.TinyTeX -name "*.aux" -delete

# Copy and install Python dependencies
COPY requirements.txt .
RUN pip install --no-cache-dir --prefix=/install -r requirements.txt \
    && find /install -name "*.pyc" -delete \
    && find /install -name "__pycache__" -type d -exec rm -rf {} + 2>/dev/null || true

# Download models with checksums and error handling
RUN mkdir -p /models \
    && cd /models \
    && wget --progress=dot:giga -O kokoro-v0_19.onnx \
        "https://github.com/thewh1teagle/kokoro-onnx/releases/download/model-files/kokoro-v0_19.onnx" \
    && wget --progress=dot:giga -O voices.bin \
        "https://github.com/thewh1teagle/kokoro-onnx/releases/download/model-files/voices.bin" \
    && ls -la /models

# Stage 2: Runtime
FROM python:3.12-slim AS runtime

# Create non-root user for security
RUN groupadd -r appuser && useradd -r -g appuser -d /app -s /sbin/nologin appuser

WORKDIR /app

# Set environment variables
ENV DEBIAN_FRONTEND=noninteractive \
    PYTHONUNBUFFERED=1 \
    PYTHONPATH=/app \
    PATH="/root/.TinyTeX/bin/x86_64-linux:$PATH"

# Install runtime dependencies
RUN apt-get update && apt-get install -y --no-install-recommends \
    portaudio19-dev \
    libasound2-dev \
    libsdl-pango-dev \
    libcairo2-dev \
    libpango1.0-dev \
    sox \
    ffmpeg \
    tini \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

# Copy TinyTeX from builder stage
COPY --from=builder /root/.TinyTeX /root/.TinyTeX

# Copy Python packages from builder stage
COPY --from=builder /install /usr/local

# Copy models from builder stage
COPY --from=builder /models /app/models

# Copy application files (be more selective to reduce layer size)
COPY --chown=appuser:appuser .env gradio_app.py ./
COPY --chown=appuser:appuser src/ ./src/

# Create output directory with proper permissions
RUN mkdir -p output \
    && chown -R appuser:appuser /app

# Switch to non-root user
USER appuser

# Add labels for better maintainability
LABEL maintainer="[email protected]" \
      version="1.0" \
      description="Multi-stage Docker image for ML application"

# Expose port
EXPOSE 7860

# Use tini as PID 1 for proper signal handling
ENTRYPOINT ["tini", "--"]

# Improved health check with more specific validation
HEALTHCHECK --interval=30s --timeout=15s --start-period=60s --retries=3 \
    CMD python -c "import sys; import src; import manim; \
                   import requests; \
                   r = requests.get('http://localhost:7860/health', timeout=10); \
                   sys.exit(0 if r.status_code == 200 else 1)" || exit 1

# Start the application
CMD ["python", "gradio_app.py"]