Fix permissions and robust multi-service startup for HF Spaces

Dockerfile

@@ -1,93 +1,67 @@
 # ─────────────────────────────────────────────────────────────────
-# Taskflow — All-in-one Dockerfile for Hugging Face Spaces
-#
-# HF Spaces rules this file must satisfy:
-#   - Expose exactly port 7860
-#   - Run as non-root user (we use "user" uid 1000)
-#   - Single container (no docker-compose)
-#
-# Architecture inside this container:
-#   PostgreSQL 16  →  internal port 5432
-#   Node/Express   →  internal port 5000
-#   Nginx          →  port 7860  (serves React SPA + proxies /api to Express)
-#
-# Process manager: supervisord keeps all three services alive.
+# Taskflow — Robust Multi-Service Dockerfile for HF Spaces
 # ─────────────────────────────────────────────────────────────────
 
 FROM ubuntu:22.04
 
-ENV DEBIAN_FRONTEND=noninteractive
-ENV NODE_ENV=production
-ENV PORT=5000
-ENV DB_HOST=127.0.0.1
-ENV DB_PORT=5432
-ENV DB_NAME=taskflow
-ENV DB_USER=taskflow_user
-ENV DB_PASSWORD=taskflow_hf_secret
-ENV JWT_SECRET=taskflow_huggingface_jwt_secret_change_for_production_use
-ENV JWT_EXPIRES_IN=7d
-ENV FRONTEND_URL=http://localhost:7860
-
-# ── System packages ────────────────────────────────────────────────
+# Environment variables
+ENV DEBIAN_FRONTEND=noninteractive \
+    NODE_ENV=production \
+    PORT=5000 \
+    DB_HOST=127.0.0.1 \
+    DB_PORT=5432 \
+    DB_NAME=taskflow \
+    DB_USER=taskflow_user \
+    DB_PASSWORD=taskflow_hf_secret \
+    JWT_SECRET=taskflow_huggingface_jwt_secret_change_for_production_use \
+    JWT_EXPIRES_IN=7d \
+    FRONTEND_URL=http://localhost:7860
+
+# 1. Install System Dependencies
 RUN apt-get update && apt-get install -y \
     curl wget gnupg2 lsb-release ca-certificates \
     nginx supervisor \
     postgresql-14 postgresql-client-14 \
-    && rm -rf /var/lib/apt/lists/*
-
-# ── Node.js 20 ─────────────────────────────────────────────────────
-RUN curl -fsSL https://deb.nodesource.com/setup_20.x | bash - \
+    && curl -fsSL https://deb.nodesource.com/setup_20.x | bash - \
     && apt-get install -y nodejs \
-    && rm -rf /var/lib/apt/lists/*
+    && apt-get clean && rm -rf /var/lib/apt/lists/*
+
+# 2. Setup User and Directories
+# HF Spaces uses UID 1000
+RUN useradd -m -u 1000 hfuser && \
+    mkdir -p /app/backend /app/frontend /var/log/supervisor /var/run/supervisor \
+    /run/postgresql /var/lib/postgresql/data /var/log/nginx /var/lib/nginx /run/nginx \
+    && chown -R hfuser:hfuser /app /var/log/supervisor /var/run/supervisor /run/postgresql \
+    /var/lib/postgresql /var/log/nginx /var/lib/nginx /run/nginx
 
-# ── Working directories ────────────────────────────────────────────
 WORKDIR /app
-RUN mkdir -p /app/backend /app/frontend /var/log/supervisor \
-             /run/postgresql /var/lib/postgresql/data
 
-# ── Backend ────────────────────────────────────────────────────────
-COPY backend/package*.json /app/backend/
+# 3. Backend Implementation
+COPY --chown=hfuser:hfuser backend/package*.json /app/backend/
 RUN cd /app/backend && npm ci --only=production
 
-COPY backend/ /app/backend/
+COPY --chown=hfuser:hfuser backend/ /app/backend/
 
-# ── Frontend — build React app ─────────────────────────────────────
-COPY frontend/package*.json /app/frontend/
+# 4. Frontend Implementation
+COPY --chown=hfuser:hfuser frontend/package*.json /app/frontend/
 RUN cd /app/frontend && npm ci
 
-COPY frontend/ /app/frontend/
-# Point the API at the same origin so nginx can proxy it
-RUN echo "REACT_APP_API_URL=/api" > /app/frontend/.env.production
-RUN cd /app/frontend && npm run build
+COPY --chown=hfuser:hfuser frontend/ /app/frontend/
+RUN echo "REACT_APP_API_URL=/api" > /app/frontend/.env.production && \
+    cd /app/frontend && npm run build
 
-# ── Nginx config ───────────────────────────────────────────────────
+# 5. Configurations
 RUN rm -f /etc/nginx/sites-enabled/default
-COPY hf.nginx.conf /etc/nginx/sites-enabled/taskflow.conf
-
-# ── Supervisord config ─────────────────────────────────────────────
-COPY supervisord.conf /etc/supervisor/conf.d/taskflow.conf
+COPY --chown=hfuser:hfuser hf.nginx.conf /etc/nginx/sites-enabled/taskflow.conf
+COPY --chown=hfuser:hfuser supervisord.conf /etc/supervisor/conf.d/taskflow.conf
+COPY --chown=hfuser:hfuser start.sh /app/start.sh
 
-# ── Startup script ─────────────────────────────────────────────────
-COPY start.sh /app/start.sh
-RUN chmod +x /app/start.sh
+RUN chmod +x /app/start.sh && \
+    touch /run/nginx.pid && chown hfuser:hfuser /run/nginx.pid
 
-# ── HF Spaces: must run as non-root with uid 1000 ──────────────────
-RUN useradd -m -u 1000 hfuser \
-    && chown -R hfuser:hfuser /app \
-    && chown -R hfuser:hfuser /var/log/nginx \
-    && chown -R hfuser:hfuser /var/lib/nginx \
-    && chown -R hfuser:hfuser /run \
-    && chown -R postgres:postgres /var/lib/postgresql \
-    && chown -R postgres:postgres /run/postgresql \
-    && chmod 777 /var/log/supervisor \
-    && chmod 777 /tmp
-
-# Nginx needs to write to these as non-root
-RUN chown -R hfuser:hfuser /var/log/nginx /var/lib/nginx /run/nginx* 2>/dev/null || true \
-    && touch /run/nginx.pid && chown hfuser:hfuser /run/nginx.pid 2>/dev/null || true
+# 6. Final Permissions Check
+RUN chmod -R 777 /var/run /run /tmp /var/log/supervisor /var/lib/postgresql
 
 USER hfuser
-
 EXPOSE 7860
-
 CMD ["/app/start.sh"]

start.sh

@@ -5,21 +5,23 @@ echo "========================================"
 echo "  Taskflow — HF Spaces Startup"
 echo "========================================"
 
+# Pre-cleanup to ensure fresh start if restarted
+rm -rf /tmp/pg_setup.log /run/postgresql/*.pid /run/nginx.pid 2>/dev/null || true
+
 # ── 1. Initialise PostgreSQL data directory ────────────────────────
 if [ ! -f /var/lib/postgresql/data/PG_VERSION ]; then
     echo "▶ Initialising PostgreSQL data directory..."
-    # initdb must run as postgres user
-    su -c "/usr/lib/postgresql/14/bin/initdb -D /var/lib/postgresql/data --auth=trust --username=postgres" postgres
+    /usr/lib/postgresql/14/bin/initdb -D /var/lib/postgresql/data --auth=trust --username=hfuser
     echo "  Done."
 fi
 
 # ── 2. Start PostgreSQL temporarily to set up DB + user ────────────
 echo "▶ Starting PostgreSQL for setup..."
-su -c "/usr/lib/postgresql/14/bin/pg_ctl -D /var/lib/postgresql/data -l /tmp/pg_setup.log start -w" postgres
+/usr/lib/postgresql/14/bin/pg_ctl -D /var/lib/postgresql/data -l /tmp/pg_setup.log start -w
 
 # Wait for postgres to be ready
 for i in {1..20}; do
-    if su -c "pg_isready -h 127.0.0.1 -U postgres" postgres >/dev/null 2>&1; then
+    if pg_isready -h 127.0.0.1 -U hfuser >/dev/null 2>&1; then
         echo "  PostgreSQL is ready."
         break
     fi
@@ -29,9 +31,9 @@ done
 
 # ── 3. Create database and user if they don't exist ────────────────
 echo "▶ Setting up database..."
-su -c "psql -h 127.0.0.1 -U postgres -tc \"SELECT 1 FROM pg_roles WHERE rolname='taskflow_user'\" | grep -q 1 || psql -h 127.0.0.1 -U postgres -c \"CREATE USER taskflow_user WITH PASSWORD 'taskflow_hf_secret';\"" postgres
-su -c "psql -h 127.0.0.1 -U postgres -tc \"SELECT 1 FROM pg_database WHERE datname='taskflow'\" | grep -q 1 || psql -h 127.0.0.1 -U postgres -c \"CREATE DATABASE taskflow OWNER taskflow_user;\"" postgres
-su -c "psql -h 127.0.0.1 -U postgres -c \"GRANT ALL PRIVILEGES ON DATABASE taskflow TO taskflow_user;\"" postgres
+psql -h 127.0.0.1 -U hfuser -d postgres -tc "SELECT 1 FROM pg_roles WHERE rolname='taskflow_user'" | grep -q 1 || psql -h 127.0.0.1 -U hfuser -d postgres -c "CREATE USER taskflow_user WITH PASSWORD 'taskflow_hf_secret';"
+psql -h 127.0.0.1 -U hfuser -d postgres -tc "SELECT 1 FROM pg_database WHERE datname='taskflow'" | grep -q 1 || psql -h 127.0.0.1 -U hfuser -d postgres -c "CREATE DATABASE taskflow OWNER taskflow_user;"
+psql -h 127.0.0.1 -U hfuser -d postgres -c "GRANT ALL PRIVILEGES ON DATABASE taskflow TO taskflow_user;"
 echo "  Database ready."
 
 # ── 4. Run migrations ──────────────────────────────────────────────
@@ -41,7 +43,7 @@ node src/utils/migrate.js
 echo "  Migrations complete."
 
 # ── 5. Seed demo data (only if users table is empty) ───────────────
-USER_COUNT=$(su -c "psql -h 127.0.0.1 -U postgres -d taskflow -tAc \"SELECT COUNT(*) FROM users 2>/dev/null || echo 0\"" postgres 2>/dev/null || echo "0")
+USER_COUNT=$(psql -h 127.0.0.1 -U hfuser -d taskflow -tAc "SELECT COUNT(*) FROM users 2>/dev/null || echo 0" 2>/dev/null || echo "0")
 if [ "$USER_COUNT" = "0" ] || [ -z "$USER_COUNT" ]; then
     echo "▶ Seeding demo data..."
     node src/utils/seed.js || echo "  Seed skipped (already exists)."
@@ -51,7 +53,7 @@ fi
 
 # ── 6. Stop the temporary postgres (supervisord will restart it) ───
 echo "▶ Handing off PostgreSQL to supervisord..."
-su -c "/usr/lib/postgresql/14/bin/pg_ctl -D /var/lib/postgresql/data stop -m fast" postgres || true
+/usr/lib/postgresql/14/bin/pg_ctl -D /var/lib/postgresql/data stop -m fast || true
 
 # ── 7. Hand off to supervisord ────────────────────────────────────
 echo "▶ Starting all services via supervisord..."

supervisord.conf

@@ -2,11 +2,9 @@
 nodaemon=true
 logfile=/var/log/supervisor/supervisord.log
 pidfile=/tmp/supervisord.pid
-user=root
 
 [program:postgres]
 command=/usr/lib/postgresql/14/bin/postgres -D /var/lib/postgresql/data -c listen_addresses=127.0.0.1
-user=postgres
 autostart=true
 autorestart=true
 stdout_logfile=/var/log/supervisor/postgres.log