Update Dockerfile

Dockerfile

@@ -1,42 +1,46 @@
 # Use an official Python runtime as a parent image
 FROM python:3.10-slim-bullseye
 
-# Set environment variables
+# Set environment variables for Python, pip, and locale
 ENV PYTHONUNBUFFERED 1
 ENV PYTHONDONTWRITEBYTECODE 1
 ENV PIP_NO_CACHE_DIR off
 ENV PIP_DISABLE_PIP_VERSION_CHECK 1
 ENV DEBIAN_FRONTEND=noninteractive
+# Set a UTF-8 locale to prevent potential encoding issues with filenames or text processing
+ENV LANG C.UTF-8
+ENV LC_ALL C.UTF-8
 
 # Set the working directory in the container
 WORKDIR /app
 
 # Install system dependencies
 # - ffmpeg for MoviePy audio/video processing
-# - imagemagick for MoviePy TextClip and other image operations
-# - git in case requirements.txt pulls from git repositories
-# - fonts-dejavu-core and fonts-liberation for general font availability
+# - imagemagick for MoviePy TextClip and other image operations (ensure it's v6 or v7 compatible with policy fix)
+# - git for pip requirements from git
+# - fonts-dejavu-core, fonts-liberation for general font availability
+# - libgl1-mesa-glx, libglib2.0-0 often needed for CV/GUI libraries, though maybe not strictly for this app yet
 RUN apt-get update && apt-get install -y --no-install-recommends \
     ffmpeg \
     imagemagick \
     git \
     fonts-dejavu-core \
     fonts-liberation \
-    # Add any other system-level packages your app might need (e.g., build-essential if compiling C extensions)
+    libgl1-mesa-glx \
+    libglib2.0-0 \
     && rm -rf /var/lib/apt/lists/*
 
 # Modify ImageMagick policy.xml to allow operations needed by MoviePy
 # This is critical for TextClip and other ImageMagick-dependent features in MoviePy
-# It attempts to find policy.xml for ImageMagick v6 or v7 and comments out restrictive lines.
 RUN if [ -f /etc/ImageMagick-6/policy.xml ]; then \
         XML_FILE="/etc/ImageMagick-6/policy.xml"; \
-        echo "INFO: Modifying ImageMagick policy at $XML_FILE (v6) for MoviePy compatibility." ; \
+        logger -s "INFO: Modifying ImageMagick policy at $XML_FILE (v6) for MoviePy compatibility." ; \
     elif [ -f /etc/ImageMagick-7/policy.xml ]; then \
         XML_FILE="/etc/ImageMagick-7/policy.xml"; \
-        echo "INFO: Modifying ImageMagick policy at $XML_FILE (v7) for MoviePy compatibility." ; \
+        logger -s "INFO: Modifying ImageMagick policy at $XML_FILE (v7) for MoviePy compatibility." ; \
     else \
         XML_FILE=""; \
-        echo "WARNING: ImageMagick policy.xml not found in expected /etc/ImageMagick-[67]/ locations. MoviePy TextClip might fail." ; \
+        logger -s "WARNING: ImageMagick policy.xml not found in /etc/ImageMagick-[67]/. MoviePy TextClip might fail." ; \
     fi && \
     if [ -n "$XML_FILE" ] && [ -f "$XML_FILE" ]; then \
         sed -i 's/<policy domain="path" rights="none" pattern="@\*"\/>/<!-- <policy domain="path" rights="none" pattern="@\*" \/> -->/' "$XML_FILE" && \
@@ -46,42 +50,39 @@ RUN if [ -f /etc/ImageMagick-6/policy.xml ]; then \
         sed -i 's/<policy domain="coder" rights="none" pattern="MSL"\/>/<!-- <policy domain="coder" rights="none" pattern="MSL" \/> -->/' "$XML_FILE" && \
         sed -i 's/<policy domain="coder" rights="none" pattern="HTTPS"\/>/<!-- <policy domain="coder" rights="none" pattern="HTTPS" \/> -->/' "$XML_FILE" && \
         sed -i 's/<policy domain="coder" rights="none" pattern="HTTP"\/>/<!-- <policy domain="coder" rights="none" pattern="HTTP" \/> -->/' "$XML_FILE" && \
-        echo "INFO: ImageMagick policy modifications attempted." ; \
+        logger -s "INFO: ImageMagick policy modifications applied to $XML_FILE." ; \
     fi
 
+# Create a non-root user and group
+RUN groupadd -r appgroup && useradd --no-log-init -r -g appgroup -u 1000 appuser
+RUN mkdir -p /home/appuser/.cache && chown -R appuser:appgroup /home/appuser
+
+# Set Streamlit home directory to be writable by appuser
+ENV STREAMLIT_HOME=/home/appuser/.streamlit
+RUN mkdir -p $STREAMLIT_HOME && chown -R appuser:appgroup $STREAMLIT_HOME
+
 # Copy the requirements file first to leverage Docker cache
-COPY requirements.txt .
+COPY --chown=appuser:appgroup requirements.txt .
 
-# Install Python dependencies
-RUN pip install --upgrade pip && \
-    pip install -r requirements.txt
+# Install Python dependencies as the non-root user
+USER appuser
+RUN pip install --no-cache-dir --upgrade pip && \
+    pip install --no-cache-dir -r requirements.txt
 
 # Copy the rest of the application code into the container
-COPY . .
-
-# Create a directory for fonts if it doesn't exist and copy custom fonts
-# This assumes your 'arial.ttf' (or other custom fonts) are in 'assets/fonts/' in your project
-# Adjust the source path ('assets/fonts/arial.ttf') if your font is located elsewhere.
-RUN mkdir -p /usr/local/share/fonts/truetype/mycustomfonts && \
-    if [ -f assets/fonts/arial.ttf ]; then \
-        cp assets/fonts/arial.ttf /usr/local/share/fonts/truetype/mycustomfonts/arial.ttf && \
-        echo "INFO: Copied arial.ttf to custom font directory." ; \
-    else \
-        echo "WARNING: assets/fonts/arial.ttf not found. Ensure fonts are available for Pillow/MoviePy." ; \
-    fi && \
-    fc-cache -fv  # Update the system font cache
+USER root # Switch back to root to copy to /app, then chown
+COPY --chown=appuser:appgroup . .
+USER appuser # Switch back to appuser
 
-# Create the output directory for media and ensure it's writable
-# The Hugging Face Spaces environment usually runs as 'appuser' (UID 1000)
-RUN mkdir -p /app/temp_cinegen_media && chown -R 1000:1000 /app/temp_cinegen_media
-# If running locally as root, this chown might not be strictly necessary,
-# but it's good practice for environments that use a non-root user.
+# Create the output directory for media and ensure it's writable by appuser
+# This should already be under /app which is owned by appuser now.
+RUN mkdir -p /app/temp_cinegen_media
+# The assets directory also needs to be accessible
+RUN mkdir -p /app/assets/fonts
 
 # Expose the port Streamlit runs on
 EXPOSE 8501
 
 # Define the command to run the application
 # Use 0.0.0.0 to make the app accessible from outside the container
-# The Hugging Face Spaces environment might override this CMD or provide its own startup script.
-# For local Docker runs, this will be used.
-CMD ["streamlit", "run", "app.py", "--server.port=8501", "--server.address=0.0.0.0"]
+CMD ["streamlit", "run", "app.py", "--server.port=8501", "--server.address=0.0.0.0", "--global.sharingMode=off", "--client.gatherUsageStats=false"]