Fix permission issues by using a non-root user and dedicated cache directories

Dockerfile

@@ -2,12 +2,16 @@ FROM python:3.9
 
 WORKDIR /code
 
-# Create cache directories with appropriate permissions
-RUN mkdir -p /code/model_cache /code/hf_home
+# Create a non-root user to run the app
+RUN useradd -m appuser
+
+# Create cache directories and set permissions
+RUN mkdir -p /home/appuser/cache /home/appuser/hf_home && \
+    chown -R appuser:appuser /home/appuser/cache /home/appuser/hf_home
 
 # Set environment variables for the cache
-ENV TRANSFORMERS_CACHE=/code/model_cache
-ENV HF_HOME=/code/hf_home
+ENV TRANSFORMERS_CACHE=/home/appuser/cache
+ENV HF_HOME=/home/appuser/hf_home
 
 COPY ./requirements.txt /code/requirements.txt
 
@@ -15,6 +19,12 @@ RUN pip install --no-cache-dir --upgrade -r /code/requirements.txt
 
 COPY . /code
 
+# Give ownership of the code to appuser
+RUN chown -R appuser:appuser /code
+
 EXPOSE 7860
 
+# Switch to appuser for running the application
+USER appuser
+
 CMD ["python", "app.py"]

app.py

@@ -8,19 +8,13 @@ import json
 
 app = Flask(__name__)
 
-# Set cache directory to a location where we have write permissions
-cache_dir = os.path.join(os.getcwd(), 'model_cache')
-hf_home = os.path.join(os.getcwd(), 'hf_home')
+# Use environment variables for cache locations
+cache_dir = os.environ.get('TRANSFORMERS_CACHE', '/home/appuser/cache')
+hf_home = os.environ.get('HF_HOME', '/home/appuser/hf_home')
 os.environ['TRANSFORMERS_CACHE'] = cache_dir
 os.environ['HF_HOME'] = hf_home
 
-# Make sure the directories exist with proper permissions
-try:
-    os.makedirs(cache_dir, exist_ok=True)
-    os.makedirs(hf_home, exist_ok=True)
-    print(f"Created cache directories: {cache_dir} and {hf_home}", file=sys.stderr)
-except Exception as e:
-    print(f"Error setting up cache directories: {e}", file=sys.stderr)
+print(f"Using cache directories: {cache_dir} and {hf_home}", file=sys.stderr)
 
 # Load GPT-2 small model
 try: