# Dockerfile
# Use a stable Python base image
FROM python:3.11-slim

# --- ROOT-LEVEL SETUP ---
# Do all system-level setup as the root user first.
WORKDIR /app
RUN useradd -m nit

# Copy the application code and set ownership for the nit user.
COPY . /app
RUN chown -R nit:nit /app

# --- DROP PRIVILEGES ---
# Now, switch to the non-root user for the rest of the build and for runtime.
USER nit
WORKDIR /home/nit

# Create and activate a virtual environment
ENV VIRTUAL_ENV=/home/nit/.venv
RUN python3 -m venv $VIRTUAL_ENV
ENV PATH="$VIRTUAL_ENV/bin:$PATH"

# Install a vulnerable version of mlflow
# Pinning the version is crucial for stability and targeting specific vulnerabilities
RUN pip install --no-cache-dir mlflow==2.14.1

# --- Runtime Step: Expose the port and start the server ---
EXPOSE 5000

# The command to run when a container is started from this image.
# It serves the pre-populated mlruns directory.
CMD ["mlflow", "ui", "--host", "0.0.0.0", "--port", "5000", "--backend-store-uri", "file:///home/nit/mlruns"]