Commit graph

22 commits

Author SHA1 Message Date
9cbe6a165b Connect Ulysses to searxng network for search engine access
Some checks are pending
CI / Focused test guidance (report-only) (push) Waiting to run
CI / Python syntax (compileall) (push) Waiting to run
CI / JS syntax (node --check) (push) Waiting to run
CI / Python tests (pytest) (push) Waiting to run
Container scan / hadolint (Dockerfile lint) (push) Waiting to run
Container scan (Trivy) / Trivy (image scan, advisory) (push) Waiting to run
Container scan (Trivy) / Trivy (image scan + SARIF upload) (push) Waiting to run
Dependency review / dependency-review (PR gate) (push) Waiting to run
Dependency review / pip-audit (advisory) (push) Waiting to run
ci / docker publish / build (amd64) (push) Waiting to run
ci / docker publish / build (arm64) (push) Waiting to run
ci / docker publish / merge manifest + tag (push) Blocked by required conditions
Secret scan / gitleaks (push) Waiting to run
Workflow security / actionlint (push) Waiting to run
Workflow security / zizmor (Actions SAST) (push) Waiting to run
searxng runs on a separate Docker network (searxng_default) and the
container couldn't reach host-port 8888 due to Docker bridge isolation.
Added searxng_default as external network and attached odysseus service
to it, allowing direct container-to-container communication via
http://searxng:8080.
2026-07-06 23:24:00 -04:00
886d941a65 Point SEARXNG_INSTANCE to standalone searxng at host.docker.internal:8888
Some checks are pending
CI / Focused test guidance (report-only) (push) Waiting to run
CI / Python syntax (compileall) (push) Waiting to run
CI / JS syntax (node --check) (push) Waiting to run
CI / Python tests (pytest) (push) Waiting to run
Container scan / hadolint (Dockerfile lint) (push) Waiting to run
Container scan (Trivy) / Trivy (image scan, advisory) (push) Waiting to run
Container scan (Trivy) / Trivy (image scan + SARIF upload) (push) Waiting to run
Dependency review / dependency-review (PR gate) (push) Waiting to run
Dependency review / pip-audit (advisory) (push) Waiting to run
ci / docker publish / build (amd64) (push) Waiting to run
ci / docker publish / build (arm64) (push) Waiting to run
ci / docker publish / merge manifest + tag (push) Blocked by required conditions
Secret scan / gitleaks (push) Waiting to run
Workflow security / actionlint (push) Waiting to run
Workflow security / zizmor (Actions SAST) (push) Waiting to run
Bundled searxng was removed — the old http://searxng:8080 DNS name
resolves to nothing. Standalone searxng runs on Helm at port 8888,
reachable from container via host.docker.internal.
2026-07-06 22:29:11 -04:00
e7b5274af6 Add LD_LIBRARY_PATH=/app/.local/bin to container env for native llama.cpp binary
Some checks are pending
CI / Focused test guidance (report-only) (push) Waiting to run
CI / Python syntax (compileall) (push) Waiting to run
CI / JS syntax (node --check) (push) Waiting to run
CI / Python tests (pytest) (push) Waiting to run
Container scan / hadolint (Dockerfile lint) (push) Waiting to run
Container scan (Trivy) / Trivy (image scan, advisory) (push) Waiting to run
Container scan (Trivy) / Trivy (image scan + SARIF upload) (push) Waiting to run
Dependency review / dependency-review (PR gate) (push) Waiting to run
Dependency review / pip-audit (advisory) (push) Waiting to run
ci / docker publish / build (amd64) (push) Waiting to run
ci / docker publish / build (arm64) (push) Waiting to run
ci / docker publish / merge manifest + tag (push) Blocked by required conditions
Secret scan / gitleaks (push) Waiting to run
Workflow security / actionlint (push) Waiting to run
Workflow security / zizmor (Actions SAST) (push) Waiting to run
The manual native CUDA build's rpath points to /tmp/llama.cpp/build/bin/
(host build directory) instead of $ORIGIN. Setting LD_LIBRARY_PATH in the
Docker environment ensures the shared libraries are found inside the container
and survives container restarts (unlike the ephemeral ~/.config env file).
2026-07-06 21:56:56 -04:00
4b98744495 ulysses: remove bundled searxng — conflicts with standalone instance at :8888
Some checks are pending
CI / Focused test guidance (report-only) (push) Waiting to run
CI / Python syntax (compileall) (push) Waiting to run
CI / JS syntax (node --check) (push) Waiting to run
CI / Python tests (pytest) (push) Waiting to run
Container scan / hadolint (Dockerfile lint) (push) Waiting to run
Container scan (Trivy) / Trivy (image scan, advisory) (push) Waiting to run
Container scan (Trivy) / Trivy (image scan + SARIF upload) (push) Waiting to run
Dependency review / dependency-review (PR gate) (push) Waiting to run
Dependency review / pip-audit (advisory) (push) Waiting to run
ci / docker publish / build (amd64) (push) Waiting to run
ci / docker publish / build (arm64) (push) Waiting to run
ci / docker publish / merge manifest + tag (push) Blocked by required conditions
Secret scan / gitleaks (push) Waiting to run
Workflow security / actionlint (push) Waiting to run
Workflow security / zizmor (Actions SAST) (push) Waiting to run
2026-07-06 21:26:20 -04:00
Alexandre Teixeira
f38323c3a1
fix(docker): make host Docker socket opt-in (#4902)
* fix(docker): make host socket compose opt-in

* fix(cookbook): gate container Docker access

* fix(docker): gate socket group setup on opt-in

* fix(cookbook): gate generated docker exec serve commands

* fix(cookbook): narrow generated docker exec forms
2026-06-30 19:54:51 +02:00
pewdiepie-archdaemon
75f04bc088 Merge origin/dev into main 2026-06-21 11:08:50 +00:00
pewdiepie-archdaemon
b3e186746a Docker compose: mount docker.sock + install Docker CLI so Cookbook can reach sibling containers
Cookbook now needs to docker-exec into ollama-rocm (and any other sibling
container holding a model server) from inside its own container, so:

- Dockerfile installs the Docker CLI from the static binary tarball
  (the Debian docker.io package ships dockerd but not the client on slim)
- docker-compose.yml bind-mounts /var/run/docker.sock and adds group_add
  for the host docker group (default GID 963)
- entrypoint.sh detects the socket GID, creates a local group with that
  GID, and runs usermod -aG before gosu-dropping to the app user so the
  supplementary group propagates through (gosu strips by default)
2026-06-19 00:32:47 +00:00
RaresKeY
b5edbd3df7
fix(devops): harden docker config defaults (#4349) 2026-06-16 04:03:43 +01:00
Daniel
2adae2bbba
Parameterize Docker Compose volume host paths (#3907) 2026-06-15 20:30:18 +09:00
nubs
865e61450e
fix(upload): configure chat attachment size limit (#2439) 2026-06-07 22:42:24 +02:00
Yiğit Egemen
ec8fbf5d8f
Add support for EMBEDDING_API_KEY (#2691)
* feat: support for embedding API key

* feat: encrypt and decrypt embedding API key

* test: add unit tests for EmbeddingClient authorization header behavior
2026-06-05 14:47:24 +02:00
lekt8
a5282e9748
Pin the SearXNG image so a broken :latest can't block startup (#1419)
odysseus waits on searxng's healthcheck (depends_on: condition: service_healthy),
so when the upstream `searxng:latest` tag is broken the whole app never starts.
The 2026.6.2 image crashes on boot with `KeyError: 'default_doi_resolver'`,
failing the healthcheck and blocking fresh Docker installs (issue #1414).

Pin to the last known-good tag (2026.5.31-7159b8aed) instead of :latest, with a
comment to bump it deliberately after verifying a newer tag boots clean.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-03 03:56:54 +09:00
pewdiepie-archdaemon
da97f1b9ad Label Docker bind mounts for SELinux 2026-06-02 09:50:35 +09:00
pewdiepie-archdaemon
50b81622e0 Allow Docker startup without env file 2026-06-02 09:49:35 +09:00
tanmayraut45
d2bad10781 Fix searxng container permission errors during setup
A fresh `docker compose up -d` shows the searxng container failing its
healthcheck with permission errors at setup (reported in #721 — the
service comes up under names like `odysseus_searxng_1` and never goes
ready, which then blocks the main odysseus container because of the
`depends_on: searxng: condition: service_healthy` gate).

Root cause: the official `searxng/searxng:latest` image runs as the
non-root `searxng` user but its entrypoint still needs to

1. chown /etc/searxng on first boot so the persisted named volume is
   owned by the searxng user inside the container,
2. su-exec to drop / re-assert privileges before launching uwsgi, and
3. let our wrapper entrypoint (which seeds settings.yml into the named
   volume on first boot) write the file through the volume mount.

Without explicit `cap_add`, the container has neither CHOWN nor
DAC_OVERRIDE nor SETUID/SETGID, so the entrypoint aborts at the first
chown / su-exec / redirection with EACCES. The upstream searxng-docker
compose file solves this with the standard "drop everything, grant only
what's needed" capability pattern.

Fix: mirror the upstream cap_drop ALL / cap_add CHOWN, SETGID, SETUID,
DAC_OVERRIDE on the searxng service. This grants only the four caps the
entrypoint actually needs, matches what searxng-docker ships with, and
leaves ports, volumes, env, healthcheck, and the wrapper entrypoint
unchanged.

Closes #721.
2026-06-02 02:47:30 +05:30
Alexander Kenley
3c6b084f08
Secure by default uplift (#511)
Co-authored-by: Alex Kenley <Alex.Kenley@threatvectorsecurity.com>
2026-06-01 22:30:07 +09:00
Jasper Stubbe
83bab67641
Add explcit docker image source for the podman users (#224)
Co-authored-by: Jasper Stubbe <jasper.stubbe.b@gmail.com>
2026-06-01 02:47:59 +00:00
pewdiepie-archdaemon
c953c078e5 Improve Cookbook serve reliability 2026-06-01 11:43:08 +09:00
pewdiepie-archdaemon
415d115b17 Make Docker web port configurable 2026-06-01 11:20:25 +09:00
pewdiepie-archdaemon
71d74290f0 Generate SearXNG secret on first boot 2026-06-01 11:03:02 +09:00
pewdiepie-archdaemon
fc7f107b22 Improve Ollama setup and model endpoint handling 2026-06-01 10:00:15 +09:00
pewdiepie-archdaemon
e5c99a5eee Odysseus v1.0 2026-05-31 23:58:26 +09:00