Fix pid/temp paths for non-root: supervisord and nginx; set MPLCONFIGDIR

Dockerfile

@@ -36,31 +36,46 @@ COPY backend/ ./backend/
 # ---------- Runtime ----------
 FROM python:3.11-slim AS runtime
 ENV PYTHONUNBUFFERED=1 PIP_NO_CACHE_DIR=1 PORT=7860 \
-    PATH="/opt/venv/bin:${PATH}" 
+    PATH="/opt/venv/bin:${PATH}" \
+    MPLCONFIGDIR=/tmp/matplotlib  
 
 WORKDIR /app
 
+# 輕量執行期相依
 RUN apt-get update && apt-get install -y --no-install-recommends \
     nginx supervisor ca-certificates \
     libgomp1 libopenblas0 \
  && rm -rf /var/lib/apt/lists/*
 
+# 建立可寫的暫存與 pid 目錄
+RUN mkdir -p /tmp/nginx/client_body /tmp/nginx/proxy /tmp/nginx/fastcgi /tmp/nginx/uwsgi /tmp/nginx/scgi \
+    /tmp/matplotlib
+
+# 前端靜態檔
 COPY --from=fe /app/frontend/dist /usr/share/nginx/html
 
+# 只拷「虛擬環境」
 COPY --from=be /opt/venv /opt/venv
 
+# 後端程式碼
 COPY --from=be /app/backend /app/backend
 
+# nginx 設定
 COPY nginx.conf.template /etc/nginx/nginx.conf
 
+# 調整 nginx：移除 user 指令、把 pid 與 temp 目錄轉到 /tmp
 RUN set -eux; \
-    sed -ri 's/^\s*user\s+[^;]+;//g' /etc/nginx/nginx.conf || true; \
-    if grep -qE '^\s*pid\s+' /etc/nginx/nginx.conf; then \
-      sed -ri 's|^\s*pid\s+[^;]+;|pid /tmp/nginx.pid;|' /etc/nginx/nginx.conf; \
-    else \
-      sed -ri '1i pid /tmp/nginx.pid;' /etc/nginx/nginx.conf; \
-    fi
-
+  sed -ri 's/^\s*user\s+[^;]+;//g' /etc/nginx/nginx.conf || true; \
+  if grep -qE '^\s*pid\s+' /etc/nginx/nginx.conf; then \
+    sed -ri 's|^\s*pid\s+[^;]+;|pid /tmp/nginx.pid;|' /etc/nginx/nginx.conf; \
+  else \
+    sed -ri '1i pid /tmp/nginx.pid;' /etc/nginx/nginx.conf; \
+  fi; \
+  # 若沒有 temp 路徑，就在 http {} 內加入；有的話改成 /tmp
+  sed -ri 's|client_max_body_size .*;||g' /etc/nginx/nginx.conf || true; \
+  sed -ri '/http\s*{.*/a \    client_max_body_size 100M;\n    client_body_temp_path /tmp/nginx/client_body;\n    proxy_temp_path /tmp/nginx/proxy;\n    fastcgi_temp_path /tmp/nginx/fastcgi;\n    uwsgi_temp_path /tmp/nginx/uwsgi;\n    scgi_temp_path /tmp/nginx/scgi;' /etc/nginx/nginx.conf
+
+# 產生 supervisor 設定：把 pidfile 放 /tmp，且不使用任何 user=
 RUN mkdir -p /etc/supervisor/conf.d && \
 printf "[program:api]\n\
 command=gunicorn --workers 2 --threads 8 --timeout 0 --chdir /app/backend -b 0.0.0.0:5001 server:app\n\
@@ -73,8 +88,10 @@ priority=20\nautostart=true\nautorestart=true\n\
 stdout_logfile=/dev/stdout\nstderr_logfile=/dev/stderr\n\
 stdout_logfile_maxbytes=0\nstderr_logfile_maxbytes=0\n\n\
 [supervisord]\n\
-logfile=/dev/stdout\nlogfile_maxbytes=0\nnodaemon=true\n" \
+logfile=/dev/stdout\nlogfile_maxbytes=0\n\
+pidfile=/tmp/supervisord.pid\n\
+nodaemon=true\n" \
 > /etc/supervisor/conf.d/app.conf
 
 EXPOSE 7860
-CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/app.conf"]
+CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/app.conf"]