[mod] rework container deployment (#4764)

container.yml will run after integration.yml COMPLETES successfully and in master branch.

Style changes, cleanup and improved integration with CI by leveraging the use of
shared cache between all workflows.

* Podman is now supported to build the container images (Docker also received a refactor, merging both build and buildx)
* Container images are being built by Buildah instead of Docker BuildKit.
* Container images are tested before release.
* Splitting "modern" (amd64 & arm64) and "legacy" (armv7) arches on different Dockerfiles allowing future optimizations.

container/Dockerfile

@@ -0,0 +1,100 @@
+FROM docker.io/library/python:3.13-slim AS builder
+
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+    build-essential \
+    brotli \
+    # uwsgi
+    libpcre3-dev \
+ && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /usr/local/searxng/
+
+COPY ./requirements.txt ./requirements.txt
+
+RUN --mount=type=cache,id=pip,target=/root/.cache/pip python -m venv ./venv \
+ && . ./venv/bin/activate \
+ && pip install -r requirements.txt \
+ && pip install "uwsgi~=2.0"
+
+COPY ./searx/ ./searx/
+
+ARG TIMESTAMP_SETTINGS=0
+ARG TIMESTAMP_UWSGI=0
+
+RUN python -m compileall -q searx \
+ && touch -c --date=@$TIMESTAMP_SETTINGS ./searx/settings.yml \
+ && touch -c --date=@$TIMESTAMP_UWSGI ./container/uwsgi.ini \
+ && find /usr/local/searxng/searx/static \
+    \( -name '*.html' -o -name '*.css' -o -name '*.js' -o -name '*.svg' -o -name '*.ttf' -o -name '*.eot' \) \
+    -type f -exec gzip -9 -k {} + -exec brotli --best {} +
+
+ARG SEARXNG_UID=977
+ARG SEARXNG_GID=977
+
+RUN grep -m1 root /etc/group > /tmp/.searxng.group \
+ && grep -m1 root /etc/passwd > /tmp/.searxng.passwd \
+ && echo "searxng:x:$SEARXNG_GID:" >> /tmp/.searxng.group \
+ && echo "searxng:x:$SEARXNG_UID:$SEARXNG_GID:searxng:/usr/local/searxng:/bin/bash" >> /tmp/.searxng.passwd
+
+FROM docker.io/library/python:3.13-slim
+
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+    # healthcheck
+    wget \
+    # uwsgi
+    libpcre3 \
+    libxml2 \
+    mailcap \
+ && rm -rf /var/lib/apt/lists/*
+
+COPY --chown=root:root --from=builder /tmp/.searxng.passwd /etc/passwd
+COPY --chown=root:root --from=builder /tmp/.searxng.group /etc/group
+
+ARG LABEL_DATE="0001-01-01T00:00:00Z"
+ARG GIT_URL="unspecified"
+ARG SEARXNG_GIT_VERSION="unspecified"
+ARG LABEL_VCS_REF="unspecified"
+ARG LABEL_VCS_URL="unspecified"
+
+WORKDIR /usr/local/searxng/
+
+COPY --chown=searxng:searxng --from=builder /usr/local/searxng/venv/ ./venv/
+COPY --chown=searxng:searxng --from=builder /usr/local/searxng/searx/ ./searx/
+COPY --chown=searxng:searxng ./container/ ./container/
+
+LABEL org.opencontainers.image.authors="searxng <$GIT_URL>" \
+      org.opencontainers.image.created=$LABEL_DATE \
+      org.opencontainers.image.description="A privacy-respecting, hackable metasearch engine" \
+      org.opencontainers.image.documentation="https://github.com/searxng/searxng-docker" \
+      org.opencontainers.image.licenses="AGPL-3.0-or-later" \
+      org.opencontainers.image.revision=$LABEL_VCS_REF \
+      org.opencontainers.image.source=$LABEL_VCS_URL \
+      org.opencontainers.image.title="searxng" \
+      org.opencontainers.image.url=$LABEL_VCS_URL \
+      org.opencontainers.image.version=$SEARXNG_GIT_VERSION
+
+ENV CONFIG_PATH=/etc/searxng \
+    DATA_PATH=/var/cache/searxng
+
+ENV SEARXNG_VERSION=$SEARXNG_GIT_VERSION \
+    INSTANCE_NAME=searxng \
+    AUTOCOMPLETE="" \
+    BASE_URL="" \
+    BIND_ADDRESS=[::]:8080 \
+    MORTY_KEY="" \
+    MORTY_URL="" \
+    SEARXNG_SETTINGS_PATH=$CONFIG_PATH/settings.yml \
+    UWSGI_SETTINGS_PATH=$CONFIG_PATH/uwsgi.ini \
+    UWSGI_WORKERS=%k \
+    UWSGI_THREADS=4
+
+VOLUME $CONFIG_PATH
+VOLUME $DATA_PATH
+
+EXPOSE 8080
+
+HEALTHCHECK CMD wget --quiet --tries=1 --spider http://localhost:8080/healthz || exit 1
+
+ENTRYPOINT ["/usr/local/searxng/container/docker-entrypoint.sh"]

container/docker-entrypoint.sh

@@ -0,0 +1,167 @@
+#!/bin/sh
+
+help() {
+    cat <<EOF
+Command line:
+  -h  Display this help
+  -d  Dry run to update the configuration files.
+  -f  Always update on the configuration files (existing files are renamed with
+      the .old suffix).  Without this option, the new configuration files are
+      copied with the .new suffix
+Environment variables:
+  INSTANCE_NAME settings.yml : general.instance_name
+  AUTOCOMPLETE  settings.yml : search.autocomplete
+  BASE_URL      settings.yml : server.base_url
+  MORTY_URL     settings.yml : result_proxy.url
+  MORTY_KEY     settings.yml : result_proxy.key
+Volume:
+  /etc/searxng  the docker entry point copies settings.yml and uwsgi.ini in
+                this directory (see the -f command line option)"
+
+EOF
+}
+
+# Parse command line
+FORCE_CONF_UPDATE=0
+DRY_RUN=0
+
+while getopts "fdh" option
+do
+    case $option in
+
+        f) FORCE_CONF_UPDATE=1 ;;
+        d) DRY_RUN=1 ;;
+
+        h)
+            help
+            exit 0
+            ;;
+        *)
+            echo "unknow option ${option}"
+            exit 42
+            ;;
+    esac
+done
+
+echo "SearXNG version $SEARXNG_VERSION"
+
+# helpers to update the configuration files
+patch_uwsgi_settings() {
+    CONF="$1"
+
+    # update uwsg.ini
+    sed -i \
+        -e "s|workers = .*|workers = ${UWSGI_WORKERS:-%k}|g" \
+        -e "s|threads = .*|threads = ${UWSGI_THREADS:-4}|g" \
+        "${CONF}"
+}
+
+patch_searxng_settings() {
+    CONF="$1"
+
+    # Make sure that there is trailing slash at the end of BASE_URL
+    # see https://www.gnu.org/savannah-checkouts/gnu/bash/manual/bash.html#Shell-Parameter-Expansion
+    export BASE_URL="${BASE_URL%/}/"
+
+    # update settings.yml
+    sed -i \
+        -e "s|base_url: false|base_url: ${BASE_URL}|g" \
+        -e "s/instance_name: \"SearXNG\"/instance_name: \"${INSTANCE_NAME}\"/g" \
+        -e "s/autocomplete: \"\"/autocomplete: \"${AUTOCOMPLETE}\"/g" \
+        -e "s/ultrasecretkey/$(head -c 24 /dev/urandom | base64 | tr -dc 'a-zA-Z0-9')/g" \
+        "${CONF}"
+
+    # Morty configuration
+
+    if [ -n "${MORTY_KEY}" ] && [ -n "${MORTY_URL}" ]; then
+        sed -i -e "s/image_proxy: false/image_proxy: true/g" \
+            "${CONF}"
+        cat >> "${CONF}" <<-EOF
+
+# Morty configuration
+result_proxy:
+   url: ${MORTY_URL}
+   key: !!binary "${MORTY_KEY}"
+EOF
+    fi
+}
+
+update_conf() {
+    FORCE_CONF_UPDATE=$1
+    CONF="$2"
+    NEW_CONF="${2}.new"
+    OLD_CONF="${2}.old"
+    REF_CONF="$3"
+    PATCH_REF_CONF="$4"
+
+    if [ -f "${CONF}" ]; then
+        if [ "${REF_CONF}" -nt "${CONF}" ]; then
+            # There is a new version
+            if [ "$FORCE_CONF_UPDATE" -ne 0 ]; then
+                # Replace the current configuration
+                printf '⚠️  Automatically update %s to the new version\n' "${CONF}"
+                if [ ! -f "${OLD_CONF}" ]; then
+                    printf 'The previous configuration is saved to %s\n' "${OLD_CONF}"
+                    mv "${CONF}" "${OLD_CONF}"
+                fi
+                cp "${REF_CONF}" "${CONF}"
+                $PATCH_REF_CONF "${CONF}"
+            else
+                # Keep the current configuration
+                printf '⚠️  Check new version %s to make sure SearXNG is working properly\n' "${NEW_CONF}"
+                cp "${REF_CONF}" "${NEW_CONF}"
+                $PATCH_REF_CONF "${NEW_CONF}"
+            fi
+        else
+            printf 'Use existing %s\n' "${CONF}"
+        fi
+    else
+        printf 'Create %s\n' "${CONF}"
+        cp "${REF_CONF}" "${CONF}"
+        $PATCH_REF_CONF "${CONF}"
+    fi
+}
+
+# searx compatibility: copy /etc/searx/* to /etc/searxng/*
+SEARX_CONF=0
+if [ -f "/etc/searx/settings.yml" ]; then
+    if  [ ! -f "${SEARXNG_SETTINGS_PATH}" ]; then
+        printf '⚠️  /etc/searx/settings.yml is copied to /etc/searxng\n'
+        cp "/etc/searx/settings.yml" "${SEARXNG_SETTINGS_PATH}"
+    fi
+    SEARX_CONF=1
+fi
+if [ -f "/etc/searx/uwsgi.ini" ]; then
+    printf '⚠️  /etc/searx/uwsgi.ini is ignored. Use the volume /etc/searxng\n'
+    SEARX_CONF=1
+fi
+if [ "$SEARX_CONF" -eq "1" ]; then
+    printf '⚠️  The deprecated volume /etc/searx is mounted. Please update your configuration to use /etc/searxng ⚠️\n'
+    cat << EOF > /etc/searx/deprecated_volume_read_me.txt
+This Docker image uses the volume /etc/searxng
+Update your configuration:
+* remove uwsgi.ini (or very carefully update your existing uwsgi.ini using https://github.com/searxng/searxng/blob/master/container/uwsgi.ini )
+* mount /etc/searxng instead of /etc/searx
+EOF
+fi
+# end of searx compatibility
+
+# make sure there are uwsgi settings
+update_conf "${FORCE_CONF_UPDATE}" "${UWSGI_SETTINGS_PATH}" "/usr/local/searxng/container/uwsgi.ini" "patch_uwsgi_settings"
+
+# make sure there are searxng settings
+update_conf "${FORCE_CONF_UPDATE}" "${SEARXNG_SETTINGS_PATH}" "/usr/local/searxng/searx/settings.yml" "patch_searxng_settings"
+
+# dry run (to update configuration files, then inspect them)
+if [ $DRY_RUN -eq 1 ]; then
+    printf 'Dry run\n'
+    exit
+fi
+
+unset MORTY_KEY
+
+printf 'Listen on %s\n' "${BIND_ADDRESS}"
+
+# Start uwsgi
+# TODO: "--http-socket" will be removed in the future (see uwsgi.ini.new config file): https://github.com/searxng/searxng/pull/4578
+exec /usr/local/searxng/venv/bin/uwsgi --http-socket "${BIND_ADDRESS}" "${UWSGI_SETTINGS_PATH}"

container/legacy/Dockerfile

@@ -0,0 +1,106 @@
+# For armv7 architecture
+
+FROM docker.io/library/python:3.13-slim AS builder
+
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+    build-essential \
+    brotli \
+    # lxml
+    libxml2-dev \
+    libxslt1-dev \
+    zlib1g-dev \
+    # uwsgi
+    libpcre3-dev \
+ && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /usr/local/searxng/
+
+COPY ./requirements.txt ./requirements.txt
+
+RUN --mount=type=cache,id=pip,target=/root/.cache/pip python -m venv ./venv \
+ && . ./venv/bin/activate \
+ && pip install -r requirements.txt \
+ && pip install "uwsgi~=2.0"
+
+COPY ./searx/ ./searx/
+
+ARG TIMESTAMP_SETTINGS=0
+ARG TIMESTAMP_UWSGI=0
+
+RUN python -m compileall -q searx \
+ && touch -c --date=@$TIMESTAMP_SETTINGS ./searx/settings.yml \
+ && touch -c --date=@$TIMESTAMP_UWSGI ./container/uwsgi.ini \
+ && find /usr/local/searxng/searx/static \
+    \( -name '*.html' -o -name '*.css' -o -name '*.js' -o -name '*.svg' -o -name '*.ttf' -o -name '*.eot' \) \
+    -type f -exec gzip -9 -k {} + -exec brotli --best {} +
+
+ARG SEARXNG_UID=977
+ARG SEARXNG_GID=977
+
+RUN grep -m1 root /etc/group > /tmp/.searxng.group \
+ && grep -m1 root /etc/passwd > /tmp/.searxng.passwd \
+ && echo "searxng:x:$SEARXNG_GID:" >> /tmp/.searxng.group \
+ && echo "searxng:x:$SEARXNG_UID:$SEARXNG_GID:searxng:/usr/local/searxng:/bin/bash" >> /tmp/.searxng.passwd
+
+FROM docker.io/library/python:3.13-slim
+
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+    # healthcheck
+    wget \
+    # lxml (ARMv7)
+    libxslt1.1 \
+    # uwsgi
+    libpcre3 \
+    libxml2 \
+    mailcap \
+ && rm -rf /var/lib/apt/lists/*
+
+COPY --chown=root:root --from=builder /tmp/.searxng.passwd /etc/passwd
+COPY --chown=root:root --from=builder /tmp/.searxng.group /etc/group
+
+ARG LABEL_DATE="0001-01-01T00:00:00Z"
+ARG GIT_URL="unspecified"
+ARG SEARXNG_GIT_VERSION="unspecified"
+ARG LABEL_VCS_REF="unspecified"
+ARG LABEL_VCS_URL="unspecified"
+
+WORKDIR /usr/local/searxng/
+
+COPY --chown=searxng:searxng --from=builder /usr/local/searxng/venv/ ./venv/
+COPY --chown=searxng:searxng --from=builder /usr/local/searxng/searx/ ./searx/
+COPY --chown=searxng:searxng ./container/ ./container/
+
+LABEL org.opencontainers.image.authors="searxng <$GIT_URL>" \
+      org.opencontainers.image.created=$LABEL_DATE \
+      org.opencontainers.image.description="A privacy-respecting, hackable metasearch engine" \
+      org.opencontainers.image.documentation="https://github.com/searxng/searxng-docker" \
+      org.opencontainers.image.licenses="AGPL-3.0-or-later" \
+      org.opencontainers.image.revision=$LABEL_VCS_REF \
+      org.opencontainers.image.source=$LABEL_VCS_URL \
+      org.opencontainers.image.title="searxng" \
+      org.opencontainers.image.url=$LABEL_VCS_URL \
+      org.opencontainers.image.version=$SEARXNG_GIT_VERSION
+
+ENV CONFIG_PATH=/etc/searxng \
+    DATA_PATH=/var/cache/searxng
+
+ENV SEARXNG_VERSION=$SEARXNG_GIT_VERSION \
+    INSTANCE_NAME=searxng \
+    AUTOCOMPLETE="" \
+    BASE_URL="" \
+    BIND_ADDRESS=[::]:8080 \
+    SEARXNG_SETTINGS_PATH=$CONFIG_PATH/settings.yml \
+    UWSGI_SETTINGS_PATH=$CONFIG_PATH/uwsgi.ini \
+    UWSGI_WORKERS=%k \
+    UWSGI_THREADS=4
+
+VOLUME $CONFIG_PATH
+VOLUME $DATA_PATH
+
+EXPOSE 8080
+
+HEALTHCHECK CMD wget --quiet --tries=1 --spider http://localhost:8080/healthz || exit 1
+
+ENTRYPOINT ["/usr/local/searxng/container/docker-entrypoint.sh"]

container/uwsgi.ini

@@ -0,0 +1,55 @@
+[uwsgi]
+# Listening address
+# default value: [::]:8080 (see Dockerfile)
+http-socket = $(BIND_ADDRESS)
+
+# Who will run the code
+uid = searxng
+gid = searxng
+
+# Number of workers (usually CPU count)
+# default value: %k (= number of CPU core, see Dockerfile)
+workers = $(UWSGI_WORKERS)
+
+# Number of threads per worker
+# default value: 4 (see Dockerfile)
+threads = $(UWSGI_THREADS)
+
+# The right granted on the created socket
+chmod-socket = 666
+
+# Plugin to use and interpreter config
+single-interpreter = true
+master = true
+lazy-apps = true
+enable-threads = true
+
+# Module to import
+module = searx.webapp
+
+# Virtualenv and python path
+pythonpath = /usr/local/searxng/
+chdir = /usr/local/searxng/searx/
+
+# automatically set processes name to something meaningful
+auto-procname = true
+
+# Disable request logging for privacy
+disable-logging = true
+log-5xx = true
+
+# Set the max size of a request (request-body excluded)
+buffer-size = 8192
+
+# No keep alive
+# See https://github.com/searx/searx-docker/issues/24
+add-header = Connection: close
+
+# Follow SIGTERM convention
+# See https://github.com/searxng/searxng/issues/3427
+die-on-term
+
+# uwsgi serves the static files
+static-map = /static=/usr/local/searxng/searx/static
+static-gzip-all = True
+offload-threads = %k