Upgrading Searx jail to 0.17

Searx is a privacy respecting search proxy aggregating results from different Internet search engines. I have it running in a jail since some time now, and I wanted to upgrade to the latest version 0.17, but this version is not in FreeBSD ports, so I upgraded it manually. Here is a quick writeup how I did it.

1. Bootstrap a new jail

I like to do upgrades by rebuilding jail from scratch, reinstall all software, packages, then put back the data, if there is any. I’ll name the jail searx2, because the old version is still running in another one named searx.

zfs clone rpool/poudriere/stable/12/dist-nokern-20200806@20200806 rpool/jail/searx2

Add new entry in /etc/jail.conf

searx2  { ip4.addr = vlan2|192.168.X.X; }

Start the jail, enter it, and bootstrap pkg

/etc/rc.d/jail start searx2
jexec searx2 sh
pkg

2. Prepare jail packages

# Joe is my preferred editor, bash will be Searx service shell, we also need Git to pull the sources
pkg install bash joe git-lite
# Searx needs a few Python packages
pkg install py37-babel py37-requests py37-yaml py37-pygments py37-werkzeug py37-Flask py37-Flask-Babel py37-lxml py37-dateutil

3. Install Searx from source

Create service account

NAME=searx ID=8888 && pw groupadd -n $NAME -g $ID && pw useradd -n $NAME -g $NAME -u $ID -s /usr/local/bin/bash -w no -d /home/$NAME -m -M 750

Prepare settings file

fetch https://raw.githubusercontent.com/searx/searx/master/searx/settings.yml
mv settings.yml /usr/local/etc/searx-settings.yml
# edit settings, change secret_key, base_url (it runs behing rev.proxy)
joe /usr/local/etc/searx-settings.yml

Pull Searx sources and prepare settings

su searx
cd
git clone https://github.com/searx/searx
cd searx
# start Searx manually to checks if it runs ok and nothing is missing
SEARX_SETTINGS_PATH=/usr/local/etc/searx-settings.yml ./searx/webapp.py

Install Searx as service

Startup rc script is already installed from previous ports version, lets reuse it, cp it from the old jail into new one.

# as root on host, my jails are mounted under /jail
cp /jail/srx/usr/local/etc/rc.d/searx /jail/srx2/usr/local/etc/rc.d/

Then I will edit the rc file to adjust Python version, service account and settings file, here is the diff compared to the existing rc

--- /jail/srx/usr/local/etc/rc.d/searx	2019-03-26 09:27:18.000000000 +0100
+++ /jail/srx2/usr/local/etc/rc.d/searx	2020-09-19 09:51:23.997346000 +0200
@@ -25,14 +25,15 @@
 rcvar=searx_enable
 
 : ${searx_enable:="NO"}
-: ${searx_user:="www"}
-: ${searx_group:="www"}
+: ${searx_user:="searx"}
+: ${searx_group:="searx"}
+: ${searx_conf:="/usr/local/etc/searx-settings.yml"}
 : ${searx_flags:=""}
 
 # daemon
 pidfile="/var/run/${name}.pid"
-python="/usr/local/bin/python2.7"
-script_py="/usr/local/lib/python2.7/site-packages/${name}/webapp.py"
+python="/usr/local/bin/python3.7"
+script_py="/home/${name}/searx/searx/webapp.py"
 command=/usr/sbin/daemon
 procname="daemon"
 command_args=" -c -f -P ${pidfile} ${python} ${script_py}"
@@ -41,6 +42,7 @@
 searx_precmd()
 {
     install -o ${searx_user} /dev/null ${pidfile}
+    export SEARX_SETTINGS_PATH=${searx_conf}
 }
 
 load_rc_config $name

The full final rc startup file

#!/bin/sh
# $FreeBSD: head/www/searx/files/searx.in 463944 2018-03-09 08:34:57Z yuri $

# PROVIDE: searx
# REQUIRE: DAEMON NETWORKING
# BEFORE: LOGIN
# KEYWORD: shutdown

# Add the following lines to /etc/rc.conf to enable searx:
# searx_enable="YES"
#
# searx_enable (bool):	Set to YES to enable searx
#				Default: NO
# searx_conf (str):		searx configuration file
#				Default: ${PREFIX}/etc/searx.conf
# searx_user (str):		searx daemon user
#				Default: searx
# searx_group (str):		searx daemon group
#				Default: searx
# searx_flags (str):		Extra flags passed to searx

. /etc/rc.subr

name="searx"
rcvar=searx_enable

: ${searx_enable:="NO"}
: ${searx_user:="searx"}
: ${searx_group:="searx"}
: ${searx_conf:="/usr/local/etc/searx-settings.yml"}
: ${searx_flags:=""}

# daemon
pidfile="/var/run/${name}.pid"
python="/usr/local/bin/python3.7"
script_py="/home/${name}/searx/searx/webapp.py"
command=/usr/sbin/daemon
procname="daemon"
command_args=" -c -f -P ${pidfile} ${python} ${script_py}"
start_precmd="searx_precmd"

searx_precmd()
{
    install -o ${searx_user} /dev/null ${pidfile}
    export SEARX_SETTINGS_PATH=${searx_conf}
}

load_rc_config $name
run_rc_command "$1"

Enable Searx service to run automagically when jails starts

sysrc search_enable=YES
/usr/local/etc/rc.d/searx start

4. Switch the jails

Now if all looks good, I can switch the jails. Get out from jail and do as root

/etc/rc.d/jail stop srx srx2
zfs rename rpool/jail/srx  rpool/jail/srx_old
zfs rename rpool/jail/srx2 rpool/jail/srx
# sometimes when jail runs for a long time, "zfs rename" could fail
# with "umount error" - in that case force it with "zfs umount -f .."
# before rename, then "zfs mount .." it afterwards
/etc/rc.d/jail start srx

5. H2O conf for Searx

Here is the H2O frontend configuration part for Searx, it’s not public, restricted with a few IP acls.

  "srx.uoga.net:80":
    listen:
      host: 192.168.Y.Y
      port: 80
    paths:
      "/":
        redirect:
          status: 301
          url: "https://srx.uoga.net/"
      "/.well-known/acme-challenge":
        file.dir: "/usr/local/www/dehydrated"

  "srx.uoga.net:443":
    listen:
      host: 192.168.Y.Y
      port: 443
      ssl:
        certificate-file: /usr/local/etc/dehydrated/certs/srx.uoga.net/fullchain.pem
        key-file: /usr/local/etc/dehydrated/certs/srx.uoga.net/privkey.pem
    paths:
      "/":
        mruby.handler: |
          require "trie_addr.rb"
          trie = TrieAddr.new.add(["192.168.A.A/24","192.168.B.B/24"])
          acl {
            allow { trie.match?(addr) }
            allow { addr == "A.B.C.D" }
            deny
          }
        proxy.reverse.url: http://192.168.X.X:8888
        proxy.preserve-host: ON