marcel/familienarchiv
1
0
Fork 0
Code Issues 111 Pull Requests 1 Actions 1 Packages Projects Releases Wiki Activity

security(ocr): run OCR container as non-root user (CIS Docker §4.1) #611

Merged
marcel merged 12 commits from feat/issue-459-ocr-non-root into main 2026-05-17 19:06:47 +02:00
Conversation 31 Commits 12 Files Changed 9 +5 -1
2 changed files with 5 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit fc8b4b164b - Show all commits

4
docker-compose.yml
View File

@@ -87,9 +87,11 @@ services:
memswap_limit: 12g
volumes:
- ocr_models:/app/models
- ocr_cache:/app/cache
- ocr_cache:/app/cache # HuggingFace / ketos cache — prevents re-downloads on recreate (HF_HOME)
environment:
HF_HOME: /app/cache
XDG_CACHE_HOME: /app/cache
TORCH_HOME: /app/models/torch
KRAKEN_MODEL_PATH: /app/models/german_kurrent.mlmodel
TRAINING_TOKEN: "${OCR_TRAINING_TOKEN:-}"
OCR_CONFIDENCE_THRESHOLD: "0.3"

2
ocr-service/Dockerfile
View File

@@ -30,6 +30,8 @@ RUN chmod +x /app/entrypoint.sh
ENV HOME=/home/ocr
ENV HF_HOME=/app/cache
ENV XDG_CACHE_HOME=/app/cache
ENV TORCH_HOME=/app/models/torch
USER ocr