I hosted searxng on portainer and receive PermissionError and no python application found error

Log:

PermissionError: [Errno 13] Permission denied: '/etc/searxng/settings.yml'

unable to load app 0 (mountpoint='') (callable not found or import error)

*** no app loaded. going in full dynamic mode ***

--- no python application found, check your startup logs for errors ---

[pid: 19|app: -1|req: -1/1] 127.0.0.1 () {28 vars in 330 bytes} [Sat May 17 05:06:00 2025] HEAD /healthz => generated 21 bytes in 0 msecs (HTTP/1.1 500) 3 headers in 102 bytes (0 switches on core 0)

I tried removing cap_drop (as instructed on https://github.com/searxng/searxng-docker/issues/115) but no luck

version: "3.7"

services:
  # caddy:
  #   container_name: caddy
  #   image: docker.io/library/caddy:2-alpine
  #   network_mode: host
  #   restart: unless-stopped
  #   volumes:
  #     - ./Caddyfile:/etc/caddy/Caddyfile:ro
  #     - caddy-data:/data:rw
  #     - caddy-config:/config:rw
  #   environment:
  #     # - SEARXNG_HOSTNAME=${SEARXNG_HOSTNAME:-http://localhost/}
  #     - SEARXNG_TLS=${LETSENCRYPT_EMAIL:-internal}
  #   cap_drop:
  #     - ALL
  #   cap_add:
  #     - NET_BIND_SERVICE
  #   logging:
  #     driver: "json-file"
  #     options:
  #       max-size: "1m"
  #       max-file: "1"

  redis:
    container_name: redis
    image: docker.io/valkey/valkey:8-alpine
    command: valkey-server --save 30 1 --loglevel warning
    restart: unless-stopped
    networks:
      - searxng
    volumes:
      - valkey-data2:/data
    # cap_drop:
    #   - ALL
    cap_add:
      - SETGID
      - SETUID
      - DAC_OVERRIDE
    logging:
      driver: "json-file"
      options:
        max-size: "1m"
        max-file: "1"

  searxng:
    container_name: searxng
    image: docker.io/searxng/searxng:latest
    restart: unless-stopped
    networks:
      - searxng
    ports:
      # - "127.0.0.1:8080:8080"
      - "20054:8080"
    volumes:
      - ./searxng:/etc/searxng:rw
    environment:
      # - SEARXNG_BASE_URL=https://${SEARXNG_HOSTNAME:-localhost}/
      - SEARXNG_BASE_URL="http://mydomain:20054/"
      - UWSGI_WORKERS=${SEARXNG_UWSGI_WORKERS:-4}
      - UWSGI_THREADS=${SEARXNG_UWSGI_THREADS:-4}
    # cap_drop:
    #   - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
    logging:
      driver: "json-file"
      options:
        max-size: "1m"
        max-file: "1"

networks:
  searxng:

volumes:
  # caddy-data:
  # caddy-config:
  valkey-data2:

thx a lot!

  • ohshit604@sh.itjust.works
    2 months ago

    have you checked the directory & file permissions with ls -la /Your/SearXNG/WorkingDir ?

    The error in your log is telling you that the container does not have permission to that directory/file, you can essentially bypass this with sudo chmod 777 /Your/SearXNG/WorkingDir/* and sudo chown 1000:1000 /Your/SearXNG/WorkingDir/*

    However, if you’re looking for security best practices this is not advisable but if all you care about is that it works it should be fine.

    • bladewdr@infosec.pub
      2 months ago

      I really do not like recommending people chmod 777 anything.

      It encourages bad practices.

      • ohshit604@sh.itjust.works
        2 months ago

        I agree, hence why I left the note at the bottom of that comment, yes it does encourage bad practices but, if all OP cares about is that it works then it should be fine.

        In my other comment I instructed OP to move the volume to their user’s home directory so they don’t run into permission issues like this again.

    • Override4414@lemmy.worldOP
      2 months ago

      I think I do have permission to the directory?

      ~ # ls -la /etc/searxng
      total 72
      drwx------    1 1026     100             42 May 17 04:49 .
      drwxr-xr-x    1 root     root           494 May 17 05:24 ..
      ----------    1 root     root         68667 May 17 04:49 settings.yml
      ----------    1 root     root          1223 May 17 04:49 uwsgi.ini
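
A least-privilege alternative to the chmod 777 suggested earlier in the thread, aimed at the ownership and mode problem visible in this listing. This is an added example, not part of any comment in the thread; the directory path and the UID:GID argument are placeholders, so pass the account the container process actually runs as.

```shell
#!/bin/sh
# Added example (not from the thread): repair a bind-mounted config directory
# without making it world-writable. Paths and IDs are placeholders.
#
# Usage (as root on the Docker host):
#   list_bad_modes    /path/to/searxng
#   harden_config_dir /path/to/searxng <UID>:<GID>

# Print entries that are world-writable (what chmod 777 leaves behind) or that
# even their owner cannot read (the "----------" mode shown in the listing).
list_bad_modes() {
    find "$1" \( -perm -002 -o ! -perm -400 \) -print
}

# harden_config_dir DIR [UID:GID]
# Optionally hand the tree to the account the container runs as (needs root),
# then set directories to 750 and regular files to 640.
harden_config_dir() {
    dir=$1
    owner=${2:-}
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 1
    fi
    if [ -n "$owner" ]; then
        chown -R "$owner" "$dir" || return 1
    fi
    # chmod each directory as find reaches it, before it descends into it.
    find "$dir" -type d -exec chmod 750 {} \; || return 1
    find "$dir" -type f -exec chmod 640 {} + || return 1
}
```

Run `list_bad_modes` again afterwards; empty output means nothing under the directory is world-writable or unreadable by its owner.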
      


      • ohshit604@sh.itjust.works
        2 months ago

        Taking a look at your docker-compose.yml I see this volume mount:

        volumes: 
        - /volume1/SN/Docker/searxng-stack/searxng:/etc/searxng:rw
        

        Whereas /volume1/SN/Docker/searxng-stack/searxng is the directory on your system docker is attempting to use to store the files inside the container from /etc/searxng.

        Example of a volume mount that’ll likely work better for you;

        volumes:
        - /home/YourUser/docker/config/searxng:/etc/searxng:rw
        

        The tilde (~) acts as your current user’s home directory (aka: /home/YourUser) not owned by root and where docker persistent volumes should be stored.

        Edit: I feel like I was wrong here, given that you run sudo in docker compose up -d the tilde will likely not work here and instead point to the /root directory instead. I’ve updated the above to reflect the appropriate directory for your volume mount.

        After making the change over to that directory and configuring SearXNG how you like re-create your docker container with sudo docker compose up -d --force-recreate

        Apologies for the poor formatting, typing this on mobile.

        Edit:

        Note: if you want to expose the port do not add the 127.0.0.1 like how I have in my docker-compose.yml.

        Edit 2: Corrected some things…

        • Override4414@lemmy.worldOP
          2 months ago

          Thank you so much, sorry it’s taken so long to reply. I still haven’t had the time, but I will take a closer look when I get the chance.

  • 🇦🇺𝕄𝕦𝕟𝕥𝕖𝕕𝕔𝕣𝕠𝕔𝕠𝕕𝕚𝕝𝕖@lemm.ee
    2 months ago

    Here is my searxng docker compose:

    services:
      redis:
        container_name: redis
        image: docker.io/valkey/valkey:7-alpine
        command: valkey-server --save 30 1 --loglevel warning
        restart: unless-stopped
        networks:
          - local_bridge
        volumes:
          - ./data/reddis:/data
        cap_drop:
          - ALL
        cap_add:
          - SETGID
          - SETUID
          - DAC_OVERRIDE
        logging:
          driver: "json-file"
          options:
            max-size: "1m"
            max-file: "1"
    
      searxng:
        container_name: searxng
        image: docker.io/searxng/searxng:latest
        restart: unless-stopped
        networks:
          - local_bridge
          - proxy
        volumes:
          - ./data/searxng:/etc/searxng
        environment:
          - SEARXNG_BASE_URL=https://${SEARXNG_HOSTNAME:-localhost}/
          - SEARXNG_SECRET=${SEARXNG_SECRET}
        cap_drop:
          - ALL
        cap_add:
          - CHOWN
          - SETGID
          - SETUID
        logging:
          driver: "json-file"
          options:
            max-size: "1m"
            max-file: "1"
    
    networks:
      local_bridge: # local bridge with ipv6 internet access
        driver: bridge
        enable_ipv6: true
      proxy:
        external: true
    

    And my searxng settings:

    searxng/data/searxng/settings.yml
    # see https://docs.searxng.org/admin/settings/settings.html#settings-use-default-settings
    use_default_settings: true
    
    server:
      # base_url is defined in the SEARXNG_BASE_URL environment variable, see .env and docker-compose.yml
      limiter: false  # can be disabled for a private instance
      image_proxy: false
    ui:
      static_use_hash: true
      query_in_title: true
      infinite_scroll: true
      default_theme: simple
      theme_args:
        # style of simple theme: auto, light, dark
        simple_style: dark
    redis:
      url: redis://redis:6379/0
    
    
    search:
      safe_search: 0
      autocomplete: 'duckduckgo'
      default_lang: "en"
      formats:
        - html
        - json
    
    
    outgoing:
      # default timeout in seconds, can be override by engine
      request_timeout: 3.0
    
    
    enabled_plugins:
      - 'Hash plugin'
      - 'Basic Calculator'
      - 'Self Informations'
      - 'Tracker URL remover'
      # - 'Ahmia blacklist'
      - 'Hostnames plugin'  # see 'hostnames' configuration below
      - 'Open Access DOI rewrite'
    

    And the proxy network is just the docker network that nginx is connected to. Here is my nginx conf https://github.com/muntedcrocodile/nginxconf .

  • irmadlad@lemmy.world
    2 months ago

    Question: What is redis and valkey giving you in this instance? I took a look at my notes and I’ve never invoked redis. Just curious. School me. This is what I spin up:

    services:
      searxng:
        image: searxng/searxng:latest
        container_name: searxng
        ports:
          - "8989:8080"
        volumes:
          - /path/to/searxng/data:/etc/searxng
        environment:
          - SEARXNG_BASE_URL=
          - SEARXNG_INSTANCE_NAME=
          - SEARXNG_CONTACT_INFO=
          - SEARXNG_LANGUAGE=en-US
          - SEARXNG_AUTOCOMPLETE=duckduckgo
          - SEARXNG_THEME=simple
          - SEARXNG_OUTGOING_METHOD=default
          - SEARXNG_ENABLE_METRICS=true
          - SEARXNG_ENABLE_CAPTCHA=false
          - SEARXNG_ENABLE_INFINITE_SCROLL=true
          - SEARXNG_ENABLE_PIWIK_ANALYTICS=false
          - SEARXNG_ENABLE_ADVANCED_SEARCH=true
          - SEARXNG_ENABLE_PRIVATE_RESULTS=true
          - SEARXNG_ENABLE_TORIFICATION=false
          - SEARXNG_ENABLE_HTTPS_EVERYWHERE=true
          - SEARXNG_ENABLE_PROXY=true
          - SEARXNG_ENABLE_PLUGINS=true
        restart: unless-stopped
    
    • Override4414@lemmy.worldOP
      2 months ago

      Thank you so much, sorry it’s taken so long to reply. I still haven’t had the time, but I will take a closer look when I get the chance.

      • irmadlad@lemmy.world
        2 months ago

        No worries mate. I was just curious. I have never incorporated both those in a searxng stack and was wondering what they brought to the stack.