From 56850945ecf8c8fa1db6589b5178f10a3dfb1788 Mon Sep 17 00:00:00 2001 From: Ivan Gabaldon Date: Sun, 11 May 2025 22:07:53 +0200 Subject: [PATCH] [enh] container: use Wolfi OS as base image Wolfi OS images are specifically designed for container use. Using a specially designed base image for containers not only reduces maintenance burdens, but improves overall experience for developers (fewer packages we have to track) and end users (smaller images). Discussion here: https://github.com/searxng/searxng/issues/4753 --- container/Dockerfile | 78 +++++++++++++++++++++----------------------- 1 file changed, 38 insertions(+), 40 deletions(-) diff --git a/container/Dockerfile b/container/Dockerfile index b0530dfec..31c184daa 100644 --- a/container/Dockerfile +++ b/container/Dockerfile @@ -1,12 +1,10 @@ -FROM docker.io/library/python:3.13-slim AS builder +FROM cgr.dev/chainguard/wolfi-base:latest AS builder -RUN apt-get update \ - && apt-get install -y --no-install-recommends \ - build-essential \ - brotli \ - # uwsgi - libpcre3-dev \ - && rm -rf /var/lib/apt/lists/* +RUN apk add --no-cache \ + build-base \ + python-3.13-dev \ + py3-pip \ + brotli WORKDIR /usr/local/searxng/ 
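Review bot: The builder stage now starts from `cgr.dev/chainguard/wolfi-base:latest`, a moving tag, where the replaced `python:3.13-slim` was at least pinned to a minor version; the same unpinned reference is pulled a second time in the next hunk's `COPY --from=cgr.dev/chainguard/wolfi-base:latest / /`, and nothing ties the two resolutions to one image across builds. Pin by digest in both places, e.g. `FROM cgr.dev/chainguard/wolfi-base:latest@sha256:<wolfi-base-digest> AS builder` (placeholder digest), or declare the pinned reference once in an `ARG` ahead of `FROM` and reuse it. The `apk add --no-cache` list (`build-base`, `python-3.13-dev`, `py3-pip`, `brotli`) is unpinned as well; pinning at least `python-3.13-dev` matters because the final stage installs `python-3.13` in a separate `apk add`, and the venv built here must run against that interpreter. A short comment above the `RUN`, such as `# build-base + python dev headers: needed only to compile uwsgi and wheels; not copied to the runtime stage`, would also record why the builder carries a toolchain.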
@@ -19,38 +17,40 @@ RUN --mount=type=cache,id=pip,target=/root/.cache/pip python -m venv ./venv \ COPY ./searx/ ./searx/ -ARG TIMESTAMP_SETTINGS=0 -ARG TIMESTAMP_UWSGI=0 +ARG TIMESTAMP_SETTINGS="0" +ARG TIMESTAMP_UWSGI="0" RUN python -m compileall -q searx \ && touch -c --date=@$TIMESTAMP_SETTINGS ./searx/settings.yml \ && touch -c --date=@$TIMESTAMP_UWSGI ./container/uwsgi.ini \ && find /usr/local/searxng/searx/static \ - \( -name '*.html' -o -name '*.css' -o -name '*.js' -o -name '*.svg' -o -name '*.ttf' -o -name '*.eot' \) \ + \( -name "*.html" -o -name "*.css" -o -name "*.js" -o -name "*.svg" -o -name "*.ttf" -o -name "*.eot" \) \ -type f -exec gzip -9 -k {} + -exec brotli --best {} + -ARG SEARXNG_UID=977 -ARG SEARXNG_GID=977 +ARG SEARXNG_UID="977" +ARG SEARXNG_GID="977" RUN grep -m1 root /etc/group > /tmp/.searxng.group \ && grep -m1 root /etc/passwd > /tmp/.searxng.passwd \ && echo "searxng:x:$SEARXNG_GID:" >> /tmp/.searxng.group \ - && echo "searxng:x:$SEARXNG_UID:$SEARXNG_GID:searxng:/usr/local/searxng:/bin/bash" >> /tmp/.searxng.passwd + && echo "searxng:x:$SEARXNG_UID:$SEARXNG_GID:searxng:/usr/local/searxng:/usr/bin/ash" >> /tmp/.searxng.passwd -FROM docker.io/library/python:3.13-slim +FROM scratch -RUN apt-get update \ - && apt-get install -y --no-install-recommends \ +# Prepare base image +COPY --from=builder /tmp/.searxng.passwd /etc/passwd +COPY --from=builder /tmp/.searxng.group /etc/group +COPY --chown=root:root --from=cgr.dev/chainguard/wolfi-base:latest / / +COPY --chown=root:root --from=builder /tmp/.searxng.passwd /etc/passwd +COPY --chown=root:root --from=builder /tmp/.searxng.group /etc/group +RUN rm -rf /home/nonroot/ + +RUN apk add --no-cache \ + python-3.13 \ # healthcheck wget \ # uwsgi - libpcre3 \ - libxml2 \ - mailcap \ - && rm -rf /var/lib/apt/lists/* - -COPY --chown=root:root --from=builder /tmp/.searxng.passwd /etc/passwd -COPY --chown=root:root --from=builder /tmp/.searxng.group /etc/group + mailcap ARG 
LABEL_DATE="0001-01-01T00:00:00Z" ARG GIT_URL="unspecified" @@ -65,30 +65,28 @@ COPY --chown=searxng:searxng --from=builder /usr/local/searxng/searx/ ./searx/ COPY --chown=searxng:searxng ./container/ ./container/ LABEL org.opencontainers.image.authors="searxng <$GIT_URL>" \ - org.opencontainers.image.created=$LABEL_DATE \ + org.opencontainers.image.created="$LABEL_DATE" \ org.opencontainers.image.description="A privacy-respecting, hackable metasearch engine" \ org.opencontainers.image.documentation="https://github.com/searxng/searxng-docker" \ org.opencontainers.image.licenses="AGPL-3.0-or-later" \ - org.opencontainers.image.revision=$LABEL_VCS_REF \ - org.opencontainers.image.source=$LABEL_VCS_URL \ + org.opencontainers.image.revision="$LABEL_VCS_REF" \ + org.opencontainers.image.source="$LABEL_VCS_URL" \ org.opencontainers.image.title="searxng" \ - org.opencontainers.image.url=$LABEL_VCS_URL \ - org.opencontainers.image.version=$SEARXNG_GIT_VERSION + org.opencontainers.image.url="$LABEL_VCS_URL" \ + org.opencontainers.image.version="$SEARXNG_GIT_VERSION" -ENV CONFIG_PATH=/etc/searxng \ - DATA_PATH=/var/cache/searxng +ENV CONFIG_PATH="/etc/searxng" \ + DATA_PATH="/var/cache/searxng" -ENV SEARXNG_VERSION=$SEARXNG_GIT_VERSION \ - INSTANCE_NAME=searxng \ +ENV SEARXNG_VERSION="$SEARXNG_GIT_VERSION" \ + INSTANCE_NAME="searxng" \ AUTOCOMPLETE="" \ BASE_URL="" \ - BIND_ADDRESS=[::]:8080 \ - MORTY_KEY="" \ - MORTY_URL="" \ - SEARXNG_SETTINGS_PATH=$CONFIG_PATH/settings.yml \ - UWSGI_SETTINGS_PATH=$CONFIG_PATH/uwsgi.ini \ - UWSGI_WORKERS=%k \ - UWSGI_THREADS=4 + BIND_ADDRESS="[::]:8080" \ + SEARXNG_SETTINGS_PATH="$CONFIG_PATH/settings.yml" \ + UWSGI_SETTINGS_PATH="$CONFIG_PATH/uwsgi.ini" \ + UWSGI_WORKERS="%k" \ + UWSGI_THREADS="4" VOLUME $CONFIG_PATH VOLUME $DATA_PATH
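Review bot: The first pair of `COPY --from=builder /tmp/.searxng.passwd /etc/passwd` and `COPY --from=builder /tmp/.searxng.group /etc/group` directly after `FROM scratch` is dead: the following `COPY --chown=root:root --from=cgr.dev/chainguard/wolfi-base:latest / /` overwrites both files with the base image's own, and the two `--chown=root:root` copies then put the generated ones back. Drop the first pair so the image history does not carry a passwd/group that differs from the final one. Copying the whole root filesystem into `scratch` also flattens the base into an opaque layer, so vulnerability scanners and provenance tooling can no longer match the runtime image to the published wolfi-base layers, which is presumably part of what the switch was meant to gain; the `COPY --from` reference should in any case carry the same digest pin as the builder's `FROM`. `RUN rm -rf /home/nonroot/` in its own layer only hides the directory, whatever it held stays in the previous layer, so the step is either unnecessary (empty directory) or ineffective. The runtime `apk add` (`python-3.13`, `wget`, `mailcap`) is unpinned like the builder's.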
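Review bot: `MORTY_KEY` and `MORTY_URL` disappear from the second `ENV` block, a behavioural change buried in an otherwise quoting-only hunk and not mentioned in the commit message; anything under `./container/` (copied a few lines above, contents outside this hunk) that still reads them will now see them unset. If they are obsolete, record it next to the block, e.g. `# MORTY_KEY/MORTY_URL removed: <reason>` (placeholder), otherwise keep them. Quoting `org.opencontainers.image.created="$LABEL_DATE"` and the other label and `ENV` values is a real fix, since an empty build-arg previously left a bare `key=` with nothing to parse.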