	[mod] container: build custom base images (#4799)
Instead of using Wolfi base images from cgr.dev and making that mess on the Dockerfile, why don't we build the base images ourselves from Wolfi repos with apko? The intention of this is to simplify the main Dockerfile and avoid having to patch the base image every time, it also simplifies some steps like image ownership management and provides extremely fast builds.
This commit is contained in:
		
							parent
							
								
									1b08324f26
								
							
						
					
					
						commit
						86373e7c87
					
				
							
								
								
									
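--- a/.github/workflows/cleanup.yml
+++ b/.github/workflows/cleanup.yml
@@ -5,7 +5,7 @@ name: Cleanup
 on:
   workflow_dispatch:
   schedule:
-    - cron: "4 4 * * 0"
+    - cron: "4 4 * * *"
 
 concurrency:
   group: ${{ github.workflow }}
@@ -28,7 +28,7 @@ jobs:
         with:
           account: "${{ github.repository_owner }}"
           token: "${{ secrets.GITHUB_TOKEN }}"
-          image-names: "cache"
+          image-names: "cache base"
-          image-tags: "!searxng-*"
+          image-tags: "!searxng*"
-          cut-off: "1w"
+          cut-off: "1d"
           keep-n-most-recent: "100"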
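Review bot: The widened exclusion on the `image-tags` line (`!searxng-*` → `!searxng*`) now also has to protect the two base-image tags (`searxng`, `searxng-builder`) that `image-names: "cache base"` brings into scope, and nothing on this side records that coupling. A comment above `image-names` would keep a later edit from narrowing the pattern back, e.g. `# "base" holds the apko-built images published by container.yml; its searxng* tags are live and must never be cut off`. The action that consumes these inputs is declared above the hunk.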
							
								
								
									
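--- a/.github/workflows/container.yml
+++ b/.github/workflows/container.yml
@@ -25,10 +25,80 @@ env:
   PYTHON_VERSION: "3.13"
 
 jobs:
+  build-base:
+    if: |
+      (github.repository_owner == 'searxng' && github.event.workflow_run.conclusion == 'success')
+      || github.event_name == 'workflow_dispatch'
+    name: Build base
+    runs-on: ubuntu-24.04
+    permissions:
+      # Organization GHCR
+      packages: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: "false"
+
+      - name: Get date
+        id: date
+        run: echo "date=$(date +'%Y%m%d')" >>$GITHUB_OUTPUT
+
+      - name: Check cache apko
+        id: cache-apko
+        uses: actions/cache/restore@v4
+        with:
+          # yamllint disable-line rule:line-length
+          key: "apko-${{ steps.date.outputs.date }}-${{ hashFiles('./container/base.yml', './container/base-builder.yml') }}"
+          path: "/tmp/.apko/"
+          lookup-only: true
+
+      - if: steps.cache-apko.outputs.cache-hit != 'true'
+        name: Setup cache apko
+        uses: actions/cache@v4
+        with:
+          # yamllint disable-line rule:line-length
+          key: "apko-${{ steps.date.outputs.date }}-${{ hashFiles('./container/base.yml', './container/base-builder.yml') }}"
+          restore-keys: "apko-${{ steps.date.outputs.date }}-"
+          path: "/tmp/.apko/"
+
+      - if: steps.cache-apko.outputs.cache-hit != 'true'
+        name: Setup apko
+        run: |
+          eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
+          brew install apko
+
+      - if: steps.cache-apko.outputs.cache-hit != 'true'
+        name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: "ghcr.io"
+          username: "${{ github.repository_owner }}"
+          password: "${{ secrets.GITHUB_TOKEN }}"
+
+      - if: steps.cache-apko.outputs.cache-hit != 'true'
+        name: Build
+        run: |
+          eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
+
+          apko publish ./container/base.yml ghcr.io/${{ github.repository_owner }}/base:searxng \
+            --cache-dir=/tmp/.apko/ \
+            --sbom=false \
+            --vcs=false \
+            --log-level=debug
+
+          apko publish ./container/base-builder.yml ghcr.io/${{ github.repository_owner }}/base:searxng-builder \
+            --cache-dir=/tmp/.apko/ \
+            --sbom=false \
+            --vcs=false \
+            --log-level=debug
+
   build:
-    if: github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success'
+    if: github.repository_owner == 'searxng' || github.event_name == 'workflow_dispatch'
     name: Build (${{ matrix.arch }})
     runs-on: ${{ matrix.os }}
+    needs: build-base
     strategy:
       fail-fast: false
       matrix: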
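Review bot: Both `apko publish` calls in the Build step pass `--sbom=false`, so the base images are pushed without a bill of materials for the Wolfi packages they pull in, and the only tags they receive (`base:searxng`, `base:searxng-builder`) are mutable; the job exports nothing that identifies the image it actually produced, so the dependent `build` job (`needs: build-base`) resolves the tag at pull time instead of pinning to this run's output. Removing `--sbom=false` from both invocations keeps apko's default SBOM generation, and writing the published reference to a step output would let consumers pin by digest (apko prints the reference on publish, as far as I recall — confirm). Separately, `brew install apko` takes whatever Homebrew currently ships, so the tool version differs between runs; logging `apko version` right after the install at least makes a bad build attributable. The `build` job's new `if` no longer checks `workflow_run.conclusion` and appears to rely on `build-base` being skipped (with `needs` propagating the skip) on a failed upstream run, which deserves a comment on the `needs:` line.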
| @ -1,12 +1,4 @@ | |||||||
| FROM cgr.dev/chainguard/wolfi-base:latest AS builder | FROM ghcr.io/searxng/base:searxng-builder AS builder | ||||||
| 
 |  | ||||||
| RUN apk add --no-cache \ |  | ||||||
|     build-base \ |  | ||||||
|     python-3.13-dev \ |  | ||||||
|     py3-pip \ |  | ||||||
|     brotli |  | ||||||
| 
 |  | ||||||
| WORKDIR /usr/local/searxng/ |  | ||||||
| 
 | 
 | ||||||
| COPY ./requirements.txt ./requirements.txt | COPY ./requirements.txt ./requirements.txt | ||||||
| 
 | 
 | ||||||
| @ -23,34 +15,11 @@ ARG TIMESTAMP_UWSGI="0" | |||||||
| RUN python -m compileall -q searx \ | RUN python -m compileall -q searx \ | ||||||
|  && touch -c --date=@$TIMESTAMP_SETTINGS ./searx/settings.yml \ |  && touch -c --date=@$TIMESTAMP_SETTINGS ./searx/settings.yml \ | ||||||
|  && touch -c --date=@$TIMESTAMP_UWSGI ./container/uwsgi.ini \ |  && touch -c --date=@$TIMESTAMP_UWSGI ./container/uwsgi.ini \ | ||||||
|  && find /usr/local/searxng/searx/static \ |  && find ./searx/static \ | ||||||
|     \( -name "*.html" -o -name "*.css" -o -name "*.js" -o -name "*.svg" -o -name "*.ttf" -o -name "*.eot" \) \ |     \( -name "*.html" -o -name "*.css" -o -name "*.js" -o -name "*.svg" -o -name "*.ttf" -o -name "*.eot" \) \ | ||||||
|     -type f -exec gzip -9 -k {} + -exec brotli --best {} + |     -type f -exec gzip -9 -k {} + -exec brotli --best {} + | ||||||
| 
 | 
 | ||||||
| ARG SEARXNG_UID="977" | FROM ghcr.io/searxng/base:searxng AS dist | ||||||
| ARG SEARXNG_GID="977" |  | ||||||
| 
 |  | ||||||
| RUN echo "root:x:0:root" >/tmp/.group \ |  | ||||||
|  && echo "root:x:0:0:root:/usr/local/searxng:/bin/ash" >/tmp/.passwd \ |  | ||||||
|  && echo "searxng:x:$SEARXNG_GID:searxng" >>/tmp/.group \ |  | ||||||
|  && echo "searxng:x:$SEARXNG_UID:$SEARXNG_GID:searxng:/usr/local/searxng:/bin/ash" >>/tmp/.passwd |  | ||||||
| 
 |  | ||||||
| FROM scratch AS dist |  | ||||||
| 
 |  | ||||||
| # Prepare base image |  | ||||||
| COPY --from=builder /tmp/.passwd /etc/passwd |  | ||||||
| COPY --from=builder /tmp/.group /etc/group |  | ||||||
| COPY --chown=root:root --from=cgr.dev/chainguard/wolfi-base:latest / / |  | ||||||
| COPY --chown=root:root --from=builder /tmp/.passwd /etc/passwd |  | ||||||
| COPY --chown=root:root --from=builder /tmp/.group /etc/group |  | ||||||
| RUN rm -rf /root/ /home/ |  | ||||||
| 
 |  | ||||||
| RUN apk add --no-cache \ |  | ||||||
|     python-3.13 \ |  | ||||||
|     # healthcheck |  | ||||||
|     wget \ |  | ||||||
|     # uwsgi |  | ||||||
|     mailcap |  | ||||||
| 
 | 
 | ||||||
| ARG LABEL_DATE="0001-01-01T00:00:00Z" | ARG LABEL_DATE="0001-01-01T00:00:00Z" | ||||||
| ARG GIT_URL="unspecified" | ARG GIT_URL="unspecified" | ||||||
| @ -58,8 +27,6 @@ ARG SEARXNG_GIT_VERSION="unspecified" | |||||||
| ARG LABEL_VCS_REF="unspecified" | ARG LABEL_VCS_REF="unspecified" | ||||||
| ARG LABEL_VCS_URL="unspecified" | ARG LABEL_VCS_URL="unspecified" | ||||||
| 
 | 
 | ||||||
| WORKDIR /usr/local/searxng/ |  | ||||||
| 
 |  | ||||||
| COPY --chown=searxng:searxng --from=builder /usr/local/searxng/venv/ ./venv/ | COPY --chown=searxng:searxng --from=builder /usr/local/searxng/venv/ ./venv/ | ||||||
| COPY --chown=searxng:searxng --from=builder /usr/local/searxng/searx/ ./searx/ | COPY --chown=searxng:searxng --from=builder /usr/local/searxng/searx/ ./searx/ | ||||||
| COPY --chown=searxng:searxng ./container/ ./container/ | COPY --chown=searxng:searxng ./container/ ./container/ | ||||||
| @ -75,16 +42,8 @@ LABEL org.opencontainers.image.authors="searxng <$GIT_URL>" \ | |||||||
|       org.opencontainers.image.url="$LABEL_VCS_URL" \ |       org.opencontainers.image.url="$LABEL_VCS_URL" \ | ||||||
|       org.opencontainers.image.version="$SEARXNG_GIT_VERSION" |       org.opencontainers.image.version="$SEARXNG_GIT_VERSION" | ||||||
| 
 | 
 | ||||||
| # Image specific environment variables |  | ||||||
| ENV PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" \ |  | ||||||
|     SSL_CERT_FILE="/etc/ssl/certs/ca-certificates.crt" \ |  | ||||||
|     HISTFILE="/dev/null" \ |  | ||||||
|     CONFIG_PATH="/etc/searxng" \ |  | ||||||
|     DATA_PATH="/var/cache/searxng" |  | ||||||
| 
 |  | ||||||
| # SearXNG specific environment variables |  | ||||||
| ENV SEARXNG_VERSION="$SEARXNG_GIT_VERSION" \ | ENV SEARXNG_VERSION="$SEARXNG_GIT_VERSION" \ | ||||||
|     INSTANCE_NAME="searxng" \ |     INSTANCE_NAME="SearXNG" \ | ||||||
|     AUTOCOMPLETE="" \ |     AUTOCOMPLETE="" \ | ||||||
|     BASE_URL="" \ |     BASE_URL="" \ | ||||||
|     BIND_ADDRESS="[::]:8080" \ |     BIND_ADDRESS="[::]:8080" \ | ||||||
| @ -93,10 +52,6 @@ ENV SEARXNG_VERSION="$SEARXNG_GIT_VERSION" \ | |||||||
|     UWSGI_WORKERS="%k" \ |     UWSGI_WORKERS="%k" \ | ||||||
|     UWSGI_THREADS="4" |     UWSGI_THREADS="4" | ||||||
| 
 | 
 | ||||||
| # Volume ownership |  | ||||||
| RUN mkdir -p $CONFIG_PATH $DATA_PATH \ |  | ||||||
|  && chown -R searxng:searxng $CONFIG_PATH $DATA_PATH |  | ||||||
| 
 |  | ||||||
| VOLUME $CONFIG_PATH | VOLUME $CONFIG_PATH | ||||||
| VOLUME $DATA_PATH | VOLUME $DATA_PATH | ||||||
| 
 | 
 | ||||||
|  | |||||||
							
								
								
									
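--- /dev/null
+++ b/container/base-builder.yml
@@ -0,0 +1,27 @@
+contents:
+  keyring:
+    - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
+  repositories:
+    - https://packages.wolfi.dev/os
+  packages:
+    - wolfi-baselayout
+    - ca-certificates-bundle
+    - busybox
+    - build-base
+    - python-3.13-dev
+    - py3-pip
+    - brotli
+
+entrypoint:
+  command: /bin/sh -l
+
+work-dir: /usr/local/searxng/
+
+environment:
+  PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+  SSL_CERT_FILE: /etc/ssl/certs/ca-certificates.crt
+  HISTFILE: /dev/null
+
+archs:
+  - x86_64
+  - aarch64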
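Review bot: Neither the trust root nor the package set is pinned here: `keyring` fetches `https://packages.wolfi.dev/os/wolfi-signing.rsa.pub` at build time, so the key that validates every package is whatever that URL serves on the day, and the `packages` entries carry no version constraints, so the same config can yield a different image on each build. Committing the signing key to the repository and pointing `keyring` at that local path would make the trust anchor reviewable in git, and pinning at least the Python packages (e.g. `python-3.13-dev=<version>`, exact constraint syntax per the apko docs) would make rebuilds reproducible. The same applies to `container/base.yml`.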
							
								
								
									
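--- /dev/null
+++ b/container/base.yml
@@ -0,0 +1,61 @@
+contents:
+  keyring:
+    - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
+  repositories:
+    - https://packages.wolfi.dev/os
+  packages:
+    - wolfi-baselayout
+    - ca-certificates-bundle
+    - busybox
+    - python-3.13
+    # healthcheck
+    - wget
+    # uwsgi
+    - mailcap
+
+entrypoint:
+  command: /bin/sh -l
+
+work-dir: /usr/local/searxng/
+
+accounts:
+  groups:
+    - groupname: searxng
+      gid: 977
+  users:
+    - username: searxng
+      uid: 977
+      shell: /bin/ash
+
+environment:
+  PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+  SSL_CERT_FILE: /etc/ssl/certs/ca-certificates.crt
+  HISTFILE: /dev/null
+  CONFIG_PATH: /etc/searxng
+  DATA_PATH: /var/cache/searxng
+
+paths:
+  # Workdir
+  - path: /usr/local/searxng/
+    type: directory
+    uid: 977
+    gid: 977
+    permissions: 0o755
+
+  # Config volume
+  - path: /etc/searxng/
+    type: directory
+    uid: 977
+    gid: 977
+    permissions: 0o755
+
+  # Data volume
+  - path: /var/cache/searxng/
+    type: directory
+    uid: 977
+    gid: 977
+    permissions: 0o755
+
+archs:
+  - x86_64
+  - aarch64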
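Review bot: `accounts` creates the `searxng` user and group (977) and the three `paths` entries are owned by it, but the config sets no `run-as`, so anything started from this base runs as root unless the consuming Dockerfile sets `USER` (not visible in this section); if that is intentional, a comment on `accounts` such as `# no run-as: the Dockerfile's USER switches to searxng` would stop a reader from assuming the image is non-root by construction. The uid/gid 977 is also spelled out in eight places across `accounts` and `paths`; a `# keep in sync with accounts` comment on each `paths` entry, or a single YAML anchor, would make a future uid change safe.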