Dockerfile

# Step 1: Start with a specific, stable Python base image
FROM python:3.11-slim

# Step 2: Set environment variables for better logging and security
# Ensures Python output is sent directly to the logs, which is great for debugging.
ENV PYTHONUNBUFFERED=1
# Prevents Python from writing .pyc files, keeping the image clean.
ENV PYTHONDONTWRITEBYTECODE=1
# FIX: Sets the home directory, telling deepface to write to a permitted location.
ENV HOME=/app

# Step 3: Update, install system dependencies, and clean up in a single layer
# This installs libraries needed by OpenCV and then clears the apt cache to keep the image small.
RUN apt-get update && apt-get install -y --no-install-recommends \
    libgl1 \
    libglib2.0-0 \
    && rm -rf /var/lib/apt/lists/*

# Step 4: Create a non-root user for security
# Running applications as a non-root user is a critical security best practice.
RUN useradd -m appuser

# Step 5: Set the working directory
WORKDIR /app

# Step 6: Copy and install Python packages
# Copy requirements first to leverage Docker's build cache for faster builds.
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

# Step 7: Copy the rest of the application code and set permissions
COPY . .
RUN chown -R appuser:appuser /app

# Step 8: Switch to the non-root user
USER appuser

# Step 9: Expose the port the application will run on
EXPOSE 7860

# Step 10: The command to start the Gunicorn server
# Includes the long timeout for model loading and binds to the correct port.
CMD ["gunicorn", "--workers", "1", "--timeout", "120", "--bind", "0.0.0.0:7860", "app:app"]