How to install SearXNG app? Docker permissions issue

I’m running TrueNAS Scale Dragonfish-24.04.2.2 and tried to install the SearXNG app (app version: 2023.12.31, chart version: 1.2.18) without success.

I apologize for not capturing it, but it would not deploy due to a Docker permissions issue. I use the same host path for all of my apps, so permission shouldn’t be an issue there. I’m guessing there is some environment variable I need to add, but I’m not sure what.

I’m just wondering - has anyone gotten this app to deploy correctly? If so, how did you set it up, because it doesn’t appear to work without additional environment variables provided.

I have the same issue.
I can get searXNG running on an ixVolume, but on a Host Path searXNG is deploying forever.

...
2024-11-18 08:46:51.088854+00:00   File "/usr/lib/python3.12/pathlib.py", line 875, in is_dir
2024-11-18 08:46:51.088865+00:00     return S_ISDIR(self.stat().st_mode)
2024-11-18 08:46:51.088870+00:00                    ^^^^^^^^^^^
2024-11-18 08:46:51.088950+00:00   File "/usr/lib/python3.12/pathlib.py", line 840, in stat
2024-11-18 08:46:51.088956+00:00     return os.stat(self, follow_symlinks=follow_symlinks)
2024-11-18 08:46:51.088965+00:00            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-11-18 08:46:51.088970+00:00 PermissionError: [Errno 13] Permission denied: '/etc/searxng/settings.yml'
2024-11-18 08:46:51.088975+00:00 unable to load app 0 (mountpoint='') (callable not found or import error)
2024-11-18 08:46:51.088979+00:00 *** no app loaded. going in full dynamic mode ***
2024-11-18 08:46:55.388687+00:00 --- no python application found, check your startup logs for errors ---
2024-11-18 08:46:55.388788+00:00 [pid: 22|app: -1|req: -1/1] 127.0.0.1 () {26 vars in 287 bytes} [Mon Nov 18 08:46:55 2024] GET /healthz => generated 21 bytes in 0 msecs (HTTP/1.1 500) 3 headers in 102 bytes (0 switches on core 1)
2024-11-18 08:47:00.441328+00:00 --- no python application found, check your startup logs for errors ---
...

When you run it on a Host Path, the directory /etc/searxng/ is missing.

No issues here on ElectricEel-24.10.0.2. The app here is also in a newer version.

App: SearXNG
App Version: 2024.11.15-4b57bc3db
Version: 1.0.29

The app creates two files as root inside the “Config Storage”

root@truenas[/mnt/fast/searxng/_data]# ls -al
total 34
drwxr-xr-x 2 root root     4 Nov 18 10:11 .
drwxr-x--- 3 root root     3 Nov 18 10:11 ..
-rw-r--r-- 1 root root 64207 Nov 18 10:11 settings.yml
-rw-r--r-- 1 root root  1197 Nov 18 10:11 uwsgi.ini

I also run ElectricEel 24.10.0.2 and SearXNG App-Version 1.0.29.
Dataset for SearXNG has the following permissions:

Permissions
Owner: root
Group: root
person owner@ - root  ->  Allow | Full Control
people group@ - root  ->  Allow | Full Control
person User - apps  ->  Allow | Full Control

The uWSGI processes of SearXNG do run as user 977. I suspect that due to how you setup permission on your dataset that the files created inside the share aren’t readable to user 977.

I always use ACL Type Off in my application datasets. Most applications in Linux haven't been designed for use with ACLs, so that can always be a source of problems.

My dataset looks as follows:

Dataset: fast/searxng
ACL Type: off

Owner: root
Group: root

Unix Permissions:
User: rwx (read write execute)
Group: rx (read execute, doesn't really matter)
Other: None (Good for security)

I always create a folder inside the dataset that will be mounted inside the docker container. The mounted folder sometimes requires different owner/group, depending on which group/owner the docker container runs as.

i.e. I use /mnt/fast/searxng/_data instead of /mnt/fast/searxng directly:

mkdir /mnt/fast/searxng/_data

Thanks, now it's working with the new user searxng (977).
Is there another hint to get the favicons for the search results working?

Found it:
https://docs.searxng.org/admin/searx.favicons.html

Created the /etc/searxng/favicons.toml in the shell
and added a storage-path: /var/cache/searxng
Then I added

search:
  favicon_resolver: "duckduckgo"

to my settings.yml

Thank you for the assistance. How did you determine that these processes run as user 977? I’m asking to help me debug issues like these in the future, because I did run into a similar issue with another app.

I did end up getting this to deploy by editing the app and applying ACL, allowing user 977 modify access to the “SearXNG Config Storage” under the “Storage Configuration” section. Is this a good or bad way to go? I see you say you use ACL off in application datasets, but I’m not 100% clear on this (I am new to this) because ACL can be applied on the dataset or on the host path in the app settings.

@bacon @Nordlicht-13 I’m also curious - do you have any recommendations for protecting your IP address from your search engine sources?

I see in the SearXNG documentation: “The IP address used will be the IP of the instance, but SearXNG can also be configured to use proxy or Tor.”, but not seeing any details as to how to actually do that.

I looked at the process list to see what processes the container uses and as which user. I use ps auxf or htop to do that. You can also see the processes of a single container using sudo docker top ix-searxng-searxng-1 (where ix-searxng-searxng-1 is the container name or id, which can be taken from sudo docker ps):

USER   PID      %CPU  %MEM  VSZ    RSS   TTY  STAT  START  TIME  COMMAND
root   1496186  0.0   0.0   848    256   ?    Ss    Nov18  0:01  \_ /sbin/tini -- /usr/local/searxng/dockerfiles/docker-entrypoint.sh
977    1496226  0.0   0.0   20108  8832  ?    S     Nov18  0:02    \_ uWSGI master
...

This only works if the container isn't crashing (which it didn't in my case).

In general, if you use the ix app catalog, most containers should run as user/group 999:999. If you launch custom apps you can specify yourself as which user the containers runs as (this doesn’t always work if the container has special needs or isn’t well designed).

Some containers, such as SearXNG, run a process as root and run child processes as a different user. This is the “old” style of running applications which isn’t ideal for containerization.

There is no issue with using ACL and adding user 977 to it.

I never used the ACL option in the host path setting, I don’t know what that does yet. Docker itself doesn’t have any file-system ACL options - at least I’ve never seen one in all the years I’ve used docker.

I use ACL Type Off in the dataset settings. In a Linux application server you typically won't find ACLs being used. They're mainly used for file sharing applications (SMB/NFS). It's not bad if you use them, but it does add a layer of complexity.

Without ACL, the normal POSIX permissions (not to be confused with POSIX ACLs) will be used. These are the -rw-r--r-- root root stuff you'll find often in various tools and outputs. You can easily display that in a table and get an overview of the permissions of every file.

Most Linux programs only know how to deal with POSIX permissions, and will use chmod / chown / umask to manage them.

If you use ACL (either POSIX ACL or NFSv4 ACL) there will be a compatibility layer to convert between POSIX permissions and ACLs (back and forth). This can be pretty complex; it's why you have an ACL Mode with four possible options if you enable ACL in the dataset options.

In the end, I’m just used to posix permissions after decades of managing linux servers. So that’s what I prefer (for non-file sharing purposes!) :slight_smile:
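The two things the posts above do by hand (find the uid the container's worker processes run as with docker top / ps, then work out whether that uid can reach the config on the Host Path with plain POSIX permissions and the mounted _data subfolder) can be checked with a small script. This is an added example, not code from the thread, from SearXNG or from TrueNAS. It assumes GNU stat (as on Debian-based SCALE), and the docker top sample inside it is constructed from the output quoted above. One point the script makes explicit: Docker bind-mounts the source directory itself, so only the mount source and what lies below it are permission-checked, never the host-side ancestors, which is why a 750 root:root dataset with a mounted _data subfolder still works. It also separates stat() (which only needs search (x) on the directories) from open() for read or write, since the traceback in this thread fails already in os.stat(), pointing at the directory rather than the file.

```shell
#!/bin/sh
# Added example (not from the thread, SearXNG or TrueNAS).
#  1. uids_from_top: pull the non-root USER values out of `docker top` / `ps` output.
#  2. check_access:  simulate the POSIX (ACL Type Off) checks a process with that
#     uid/gid hits on a bind-mounted Host Path, walking down from the mount source.
# Assumes GNU stat. All sample data below is constructed for the example.

# Sample `docker top ix-searxng-searxng-1` output, modelled on the thread.
SAMPLE_TOP='USER  PID      %CPU %MEM VSZ   RSS  TTY STAT START TIME COMMAND
root  1496186 0.0  0.0  848   256  ?   Ss   Nov18 0:01 /sbin/tini -- /usr/local/searxng/dockerfiles/docker-entrypoint.sh
977   1496226 0.0  0.0  20108 8832 ?   S    Nov18 0:02 uWSGI master
977   1496227 0.0  0.0  20108 8832 ?   S    Nov18 0:02 uWSGI worker 1'

# Read `docker top`/`ps aux` output on stdin, print each distinct non-root USER once.
uids_from_top() {
    awk 'NR > 1 && $1 != "root" && !seen[$1]++ { print $1 }'
}

# mode_allows MODE OWNER_UID OWNER_GID UID GID NEED   (NEED: 4=read 2=write 1=search)
# Plain DAC rule: owner bits, else group bits, else other bits; uid 0 bypasses.
mode_allows() {
    m="000$1"; m=${m#"${m%???}"}          # keep the last three octal digits
    ou=$2; og=$3; cu=$4; cg=$5; nd=$6
    [ "$cu" -eq 0 ] && return 0           # root: CAP_DAC_OVERRIDE / DAC_READ_SEARCH
    if   [ "$cu" -eq "$ou" ]; then b=${m%??}
    elif [ "$cg" -eq "$og" ]; then t=${m#?}; b=${t%?}
    else                            b=${m#??}; fi
    [ $(( b & nd )) -ne 0 ]
}

# check_access MOUNT_SRC REL_PATH UID GID NEED
# Every directory from MOUNT_SRC down needs search (x); the final entry needs NEED,
# where NEED=0 means "stat() only" (no permission on the entry itself).
# Prints the first failure the way the kernel would report it and returns 1.
check_access() {
    src=$1; rel=$2; uid=$3; gid=$4; need=$5
    cur=$src; rest=$rel
    while :; do
        info=$(stat -c '%a %u %g' "$cur") || { echo "ENOENT: $cur"; return 1; }
        set -- $info                       # $1=mode $2=owner uid $3=owner gid
        if [ -z "$rest" ]; then
            if [ "$need" -ne 0 ] && ! mode_allows "$1" "$2" "$3" "$uid" "$gid" "$need"; then
                echo "EACCES: uid $uid lacks bit $need on $cur (mode $1, owner $2:$3)"
                return 1
            fi
            echo "ok: uid $uid may access $cur"
            return 0
        fi
        if ! mode_allows "$1" "$2" "$3" "$uid" "$gid" 1; then
            echo "EACCES: uid $uid has no search (x) on directory $cur (mode $1, owner $2:$3)"
            return 1
        fi
        comp=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        [ -n "$comp" ] && cur=$cur/$comp
    done
}

# Demo: rebuild the thread's layout in a scratch directory. The dataset root is
# 750 with Other = none; only the _data subfolder is "mounted", so the root's
# mode never matters. Files are owned by whoever runs this, standing in for root.
demo() {
    top=$(mktemp -d)
    mkdir -p "$top/searxng/_data"
    : > "$top/searxng/_data/settings.yml"
    chmod 750 "$top/searxng"
    chmod 644 "$top/searxng/_data/settings.yml"
    wuid=$(printf '%s\n' "$SAMPLE_TOP" | uids_from_top)
    echo "container worker uid: $wuid"
    chmod 700 "$top/searxng/_data"          # broken: mounted dir not searchable by 977
    check_access "$top/searxng/_data" settings.yml "$wuid" "$wuid" 0 || true
    chmod 755 "$top/searxng/_data"          # fixed: stat and read work, write still denied
    check_access "$top/searxng/_data" settings.yml "$wuid" "$wuid" 4 || true
    check_access "$top/searxng/_data" settings.yml "$wuid" "$wuid" 2 || true
    rm -rf "$top"
}
demo
```

On a real system, feed it `sudo docker top ix-searxng-searxng-1 | uids_from_top` and the actual Host Path; the write check (NEED=2) is the one that explains why settings.yml stays read-only for the container and for an SMB user when the files are root-owned 644.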

I’m using Tailscale and Nginx Proxy Manager. Here is a good guide:

And here is a guide for using searXNG with Tailscale:

I use it with the Vivaldi Browser, where you can easily add custom search engines. The URL for that is: Free classifieds - yourdomain.com

Nice searching without google :slight_smile:

I still have permission issues on ElectricEel-24.10.0.2 :frowning:

If I enable ACL, I can edit settings.yml, but app itself won’t work with “python not found” error
If I disable ACL (all is for root), the app works, but I can do nothing with the yml - access denied. Even when I update the app, it only creates a settings.yml.new. The only way I found to enable new settings is via the container shell :confused: Probably the TrueNAS shell with sudo would also work.

Tried the additional _data folder solution, that @bacon suggested, but no luck

Any ideas?

Can you show your storage settings, like this:

And can you show the permission settings, replace the path with what you have in your Host Path:

  • sudo ls -l /mnt/fast/searxng/_data

And if you get an error, please copy&paste the error.

admin@KarmaNAS[~]$ sudo ls -l /mnt/Apps/Data/searxng/_data
[sudo] password for admin: 
total 33
-rw-r--r-- 1 root root 64782 Nov 28 14:28 settings.yml
-rw-r--r-- 1 root root  1197 Nov 28 14:28 uwsgi.ini
admin@KarmaNAS[~]$ 

Both files created on app redeploy

That’s the searxng dataset:
[screenshot]

Don’t know if that matters, but /mnt/Apps/Data is an SMB share (doesn’t matter for other apps though). That’s how I usually edit configs for apps.

That looks good, I don’t see how searxng could have issue with that.

You would run into issues trying to edit that config using SMB due to the files not being writable.

You can switch to NFSv4 ACL, create a user with id 977 (call it searxng or something) and then in the ACL give permission to the user with id 977. You can also give your SMB user permission. That would allow you to edit the config as well as searxng being able to access it.

So searxng dataset has ACL type “Inherit” and parent has this:
[screenshot]

So I assume that’s good.

I created a new user with ID 977 with searxng as a home directory and now it changed to:
[screenshot]

Although it seems to be working as expected now (after I added 977 to parent dataset ACL and forced ACL in app storage config for 977 & my SMB UID), is this as it’s supposed to be?

Will keep an eye if settings.yml will be updated now after app update :crossed_fingers:

You might have to explicitly set the ACL Type to “SMB/NFSv4”. Your screenshot is still showing it using Unix permissions.

When you add a user that doesn’t need to login you can leave the home directory as the default (/var/empty).