marcel/familienarchiv
1
0
Fork 0
Code Issues 109 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

security(ocr): redirect XDG cache and Torch home away from read-only HOME

Browse Source 
Prevents PyTorch/Matplotlib/Ketos from writing to /home/ocr which is
on the read-only container filesystem — fixes Nora's blocker. Also
restores the explanatory comment on the ocr_cache volume mount.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Marcel
2026-05-17 17:30:39 +02:00
parent eb63df2000
commit fc8b4b164b
2 changed files with 5 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
docker-compose.yml
View File

@@ -87,9 +87,11 @@ services:
memswap_limit: 12g memswap_limit: 12g
volumes: volumes:
- ocr_models:/app/models - ocr_models:/app/models
- ocr_cache:/app/cache - ocr_cache:/app/cache # HuggingFace / ketos cache — prevents re-downloads on recreate (HF_HOME)
environment: environment:
HF_HOME: /app/cache HF_HOME: /app/cache
XDG_CACHE_HOME: /app/cache
TORCH_HOME: /app/models/torch
KRAKEN_MODEL_PATH: /app/models/german_kurrent.mlmodel KRAKEN_MODEL_PATH: /app/models/german_kurrent.mlmodel
TRAINING_TOKEN: "${OCR_TRAINING_TOKEN:-}" TRAINING_TOKEN: "${OCR_TRAINING_TOKEN:-}"
OCR_CONFIDENCE_THRESHOLD: "0.3" OCR_CONFIDENCE_THRESHOLD: "0.3"

2
ocr-service/Dockerfile
View File

@@ -30,6 +30,8 @@ RUN chmod +x /app/entrypoint.sh
ENV HOME=/home/ocr ENV HOME=/home/ocr
ENV HF_HOME=/app/cache ENV HF_HOME=/app/cache
ENV XDG_CACHE_HOME=/app/cache
ENV TORCH_HOME=/app/models/torch
USER ocr USER ocr