Dockerfile
# ──────────────────────────────────────────────────────────────────────────────
# Stage 1 — builder
# Installs the Python requirements under the /install prefix.
# The build tools and -dev headers added here stay in this stage; the runtime
# stage copies only /install out of it.
# ──────────────────────────────────────────────────────────────────────────────
FROM python:3.10-slim AS builder

WORKDIR /build

# Build-time system packages only (presumably for wheels pip compiles from
# source). update, install and list cleanup share one layer, so no stale apt
# index is cached and the package lists never reach a layer.
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        build-essential \
        cmake \
        libgl1-mesa-dev \
        libglib2.0-dev \
    && rm -rf /var/lib/apt/lists/*

# Only the manifest is copied: the pip layer below is rebuilt when
# requirements.txt changes, not on every source edit.
COPY requirements.txt ./

# Everything pip writes lands under /install, which the runtime stage picks up
# with a single COPY --from=builder.
# NOTE(review): requirements.txt is not visible here. If its entries are pinned
# with hashes, adding --require-hashes makes pip verify every download.
RUN pip install --no-cache-dir --prefix=/install -r requirements.txt
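# ──────────────────────────────────────────────────────────────────────────────
# Stage 2 — runtime
# Lean image: no compilers, no dev headers, no build cache.
# ──────────────────────────────────────────────────────────────────────────────
# NOTE(review): python:3.10-slim is a floating tag and is resolved separately
# for each stage. Pin both FROM lines to the same digest so the packages built
# in the builder stage always match this interpreter and rebuilds are
# reproducible.
FROM python:3.10-slim AS runtime

ENV PYTHONUNBUFFERED=1 \
    PYTHONDONTWRITEBYTECODE=1 \
    PYTHONPATH=/app \
    DEEPFACE_HOME=/app/.deepface

WORKDIR /app

# Runtime-only system libraries (no -dev packages needed)
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        libglib2.0-0 \
        libgl1 \
        libgomp1 \
    && rm -rf /var/lib/apt/lists/*

# Copy installed Python packages from builder
COPY --from=builder /install /usr/local

# Create the unprivileged user and the weights cache directory BEFORE copying
# the source, so ownership can be set by COPY --chown instead of a recursive
# chown (which would store every source file a second time in a new layer).
# faces_db is intentionally NOT created here — it is always mounted from outside.
RUN useradd -m -u 1000 appuser \
    && mkdir -p /app/.deepface \
    && chown appuser:appuser /app /app/.deepface

# Copy application source.
# What's excluded is defined in .dockerignore — single source of truth.
# NOTE(review): .dockerignore is not visible here. Confirm it excludes .env,
# .git and any local faces_db, so credentials and face data are never baked
# into an image layer.
# NOTE(review): appuser owns the application source, so a compromised worker
# could rewrite the code it runs. If the app only writes under /app/.deepface
# and the mounted faces_db, consider leaving the source root-owned.
COPY --chown=appuser:appuser . .

USER appuser

EXPOSE 5000

# GUNICORN_WORKERS / GUNICORN_TIMEOUT — override via .env or docker run -e
# A shell is needed only to expand the two variables. `exec` then replaces it,
# so gunicorn runs as PID 1 and receives the SIGTERM sent by `docker stop`
# directly instead of depending on the shell to pass it on.
CMD ["sh", "-c", \
     "exec gunicorn main:app \
        --bind 0.0.0.0:5000 \
        --workers ${GUNICORN_WORKERS:-2} \
        --timeout ${GUNICORN_TIMEOUT:-120} \
        --preload \
        --access-logfile - \
        --error-logfile - \
        --log-level info"]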