Create a new user for the container runtime

without root permission

docker/Dockerfile

@@ -23,27 +23,25 @@ RUN \
     libglib2.0-0=2.66.* \
     libopencv-dev=4.5.*
 
-# set working directory and path
+# set working directory and env
 ARG APPDIR=/usr/src
 ARG APPNAME=InvokeAI
 WORKDIR ${APPDIR}
 ENV PATH ${APPDIR}/${APPNAME}/bin:$PATH
+# Keeps Python from generating .pyc files in the container
+ENV PYTHONDONTWRITEBYTECODE 1
+# Turns off buffering for easier container logging
+ENV PYTHONUNBUFFERED 1
+# don't fall back to legacy build system
+ENV PIP_USE_PEP517=1
 
 #######################
 ##  build pyproject  ##
 #######################
 FROM python-base AS pyproject-builder
-ENV PIP_USE_PEP517=1
-
-# prepare for buildkit cache
-ARG PIP_CACHE_DIR=/var/cache/buildkit/pip
-ARG CONTAINER_FLAVOR=cuda
-ENV PIP_CACHE_DIR ${PIP_CACHE_DIR}
-RUN mkdir -p ${PIP_CACHE_DIR}
 
 # Install dependencies
 RUN \
-  --mount=type=cache,target=${PIP_CACHE_DIR} \
   --mount=type=cache,target=/var/cache/apt,sharing=locked \
   --mount=type=cache,target=/var/lib/apt,sharing=locked \
   apt-get update \
@@ -53,6 +51,11 @@ RUN \
     gcc=4:10.2.* \
     python3-dev=3.9.*
 
+# prepare pip for buildkit cache
+ARG PIP_CACHE_DIR=/var/cache/buildkit/pip
+ARG CONTAINER_FLAVOR=cuda
+ENV PIP_CACHE_DIR ${PIP_CACHE_DIR}
+
 # create virtual environment
 RUN --mount=type=cache,target=${PIP_CACHE_DIR} \
   python3 -m venv "${APPNAME}" \
@@ -76,12 +79,17 @@ RUN python3 -c "from patchmatch import patch_match"
 #####################
 FROM python-base AS runtime
 
-# setup environment
+# Create a new User
-COPY --from=pyproject-builder ${APPDIR}/${APPNAME} ${APPNAME}
+ARG UNAME=appuser
-ENV INVOKEAI_ROOT=/data
+RUN groupadd "${APPNAME}" \
-ENV INVOKE_MODEL_RECONFIGURE="--yes --default_only"
+  && useradd -l -s /bin/bash "${UNAME}"
+USER "${UNAME}"
 
-# set Entrypoint and default CMD
+# setup runtime environment
+COPY --chown=${UNAME}:${APPNAME} --from=pyproject-builder ${APPDIR}/${APPNAME} ${APPNAME}
+ENV INVOKEAI_ROOT /data
+ENV TRANSFORMERS_CACHE /data/.cache
+ENV INVOKE_MODEL_RECONFIGURE "--yes --default_only"
 ENTRYPOINT [ "invokeai" ]
 CMD [ "--web", "--host=0.0.0.0" ]
 VOLUME [ "/data" ]

docker/env.sh

@@ -1,11 +1,13 @@
 #!/usr/bin/env bash
 
 if [[ -z "$PIP_EXTRA_INDEX_URL" ]]; then
+
   # Activate virtual environment if not already activated
   if [[ -z $VIRTUAL_ENV ]]; then
     [[ -e "$(dirname "${BASH_SOURCE[0]}")/../.venv/bin/activate" ]] \
       && source "$(dirname "${BASH_SOURCE[0]}")/../.venv/bin/activate"
   fi
+
   # Decide which container flavor to build if not specified
   if [[ -z "$CONTAINER_FLAVOR" ]] && python -c "import torch" &>/dev/null; then
     # Check for CUDA and ROCm
@@ -19,6 +21,7 @@ if [[ -z "$PIP_EXTRA_INDEX_URL" ]]; then
       CONTAINER_FLAVOR="cpu"
     fi
   fi
+
   # Set PIP_EXTRA_INDEX_URL based on container flavor
   if [[ "$CONTAINER_FLAVOR" == "rocm" ]]; then
     PIP_EXTRA_INDEX_URL="https://download.pytorch.org/whl/rocm"

docker/run.sh

@@ -22,7 +22,7 @@ docker run \
   --name="${REPOSITORY_NAME,,}" \
   --hostname="${REPOSITORY_NAME,,}" \
   --mount=source="${VOLUMENAME}",target=/data \
-  ${MODELSPATH:+-u "$(id -u):$(id -g)"} \
+  ${MODELSPATH:+--user "$(id -u):$(id -g)"} \
   ${MODELSPATH:+--mount="type=bind,source=${MODELSPATH},target=/data/models"} \
   ${HUGGING_FACE_HUB_TOKEN:+--env="HUGGING_FACE_HUB_TOKEN=${HUGGING_FACE_HUB_TOKEN}"} \
   --publish=9090:9090 \