From 3389c448bbf0f0982642e33e07d2189f1870cec9 Mon Sep 17 00:00:00 2001 From: Martial Michel <7586284+mmartial@users.noreply.github.com> Date: Sun, 23 Feb 2025 16:46:06 -0500 Subject: [PATCH 1/6] Start as comfytoo preliminary --- Makefile | 12 +++++------- components/part1-common.Dockerfile | 20 +++++++++++--------- 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/Makefile b/Makefile index c023589..c0c735f 100644 --- a/Makefile +++ b/Makefile @@ -4,10 +4,8 @@ SHELL := /bin/bash DOCKER_CMD=docker DOCKER_PRE="NVIDIA_VISIBLE_DEVICES=all" DOCKER_BUILD_ARGS= -##DOCKER_BUILD_ARGS="--no-cache" -#BUILD_DATE=$(shell printf '%(%Y%m%d)T' -1) -BUILD_DATE=20250216 +COMFYUI_NVIDIA_DOCKER_VERSION=comfytoo COMFYUI_CONTAINER_NAME=comfyui-nvidia-docker @@ -41,7 +39,7 @@ ${DOCKER_ALL}: ${DOCKERFILE_DIR} @echo "docker buildx ls | grep -q ${COMFYUI_CONTAINER_NAME} && echo \"builder already exists -- to delete it, use: docker buildx rm ${COMFYUI_CONTAINER_NAME}\" || docker buildx create --name ${COMFYUI_CONTAINER_NAME}" > ${VAR_NT}.cmd @echo "docker buildx use ${COMFYUI_CONTAINER_NAME} || exit 1" >> ${VAR_NT}.cmd @echo "BUILDX_EXPERIMENTAL=1 ${DOCKER_PRE} docker buildx debug --on=error build --progress plain --platform linux/amd64 ${DOCKER_BUILD_ARGS} \\" >> ${VAR_NT}.cmd - @echo " --build-arg BUILD_DATE=\"${BUILD_DATE}\" \\" >> ${VAR_NT}.cmd + @echo " --build-arg COMFYUI_NVIDIA_DOCKER_VERSION=\"${COMFYUI_NVIDIA_DOCKER_VERSION}\" \\" >> ${VAR_NT}.cmd @echo " --build-arg BUILD_BASE=\"$@\" \\" >> ${VAR_NT}.cmd @echo " --tag=\"${COMFYUI_CONTAINER_NAME}:$@\" \\" >> ${VAR_NT}.cmd @echo " -f ${DOCKERFILE_NAME} \\" >> ${VAR_NT}.cmd 
@@ -95,15 +93,15 @@ LATEST_CANDIDATE=$(shell echo ${COMFYUI_CONTAINER_NAME}:${LATEST_ENTRY}) docker_tag: @if [ `echo ${DOCKER_PRESENT} | wc -w` -eq 0 ]; then echo "No images to tag"; exit 1; fi @echo "== About to tag:" - @for i in ${DOCKER_PRESENT}; do image_out1="${DOCKERHUB_REPO}/$$i-${BUILD_DATE}"; image_out2="${DOCKERHUB_REPO}/$$i-latest"; echo " ++ $$i -> $$image_out1"; echo " ++ $$i -> $$image_out2"; done + @for i in ${DOCKER_PRESENT}; do image_out1="${DOCKERHUB_REPO}/$$i-${COMFYUI_NVIDIA_DOCKER_VERSION}"; image_out2="${DOCKERHUB_REPO}/$$i-latest"; echo " ++ $$i -> $$image_out1"; echo " ++ $$i -> $$image_out2"; done @if echo ${DOCKER_PRESENT} | grep -q ${LATEST_CANDIDATE}; then image_out="${DOCKERHUB_REPO}/${COMFYUI_CONTAINER_NAME}:latest"; echo " ++ ${LATEST_CANDIDATE} -> $$image_out"; else echo " -- Unable to find latest candidate: ${LATEST_CANDIDATE}"; fi @echo "" @echo "tagging for hub.docker.com upload -- Press Ctl+c within 5 seconds to cancel" @for i in 5 4 3 2 1; do echo -n "$$i "; sleep 1; done; echo "" - @for i in ${DOCKER_PRESENT}; do image_out1="${DOCKERHUB_REPO}/$$i-${BUILD_DATE}"; image_out2="${DOCKERHUB_REPO}/$$i-latest"; docker tag $$i $$image_out1; docker tag $$i $$image_out2; done + @for i in ${DOCKER_PRESENT}; do image_out1="${DOCKERHUB_REPO}/$$i-${COMFYUI_NVIDIA_DOCKER_VERSION}"; image_out2="${DOCKERHUB_REPO}/$$i-latest"; docker tag $$i $$image_out1; docker tag $$i $$image_out2; done @if echo ${DOCKER_PRESENT} | grep -q ${LATEST_CANDIDATE}; then image_out="${DOCKERHUB_REPO}/${COMFYUI_CONTAINER_NAME}:latest"; docker tag ${LATEST_CANDIDATE} $$image_out; fi -DOCKERHUB_READY=$(shell for i in ${DOCKER_ALL}; do image="${DOCKERHUB_REPO}/${COMFYUI_CONTAINER_NAME}:$$i"; image1=$$image-${BUILD_DATE}; image2=$$image-latest; if docker images --format "{{.Repository}}:{{.Tag}}" | grep -q $$image1; then echo $$image1; fi; if docker images --format "{{.Repository}}:{{.Tag}}" | grep -q $$image2; then echo $$image2; fi; done) +DOCKERHUB_READY=$(shell for i 
in ${DOCKER_ALL}; do image="${DOCKERHUB_REPO}/${COMFYUI_CONTAINER_NAME}:$$i"; image1=$$image-${COMFYUI_NVIDIA_DOCKER_VERSION}; image2=$$image-latest; if docker images --format "{{.Repository}}:{{.Tag}}" | grep -q $$image1; then echo $$image1; fi; if docker images --format "{{.Repository}}:{{.Tag}}" | grep -q $$image2; then echo $$image2; fi; done) DOCKERHUB_READY_LATEST=$(shell image="${DOCKERHUB_REPO}/${COMFYUI_CONTAINER_NAME}:latest"; if docker images --format "{{.Repository}}:{{.Tag}}" | grep -q $$image; then echo $$image; else echo ""; fi) diff --git a/components/part1-common.Dockerfile b/components/part1-common.Dockerfile index 9e9022e..72b8f55 100644 --- a/components/part1-common.Dockerfile +++ b/components/part1-common.Dockerfile @@ -48,13 +48,15 @@ ARG BUILD_BASE="unknown" LABEL comfyui-nvidia-docker-build-from=${BUILD_BASE} RUN it="/etc/build_base.txt"; echo ${BUILD_BASE} > $it && chmod 555 $it +COPY --chmod=555 init.bash /comfyui-nvidia_init.bash + ##### ComfyUI preparation -# The comfy user will have UID 1024 and GID 1024 +# The comfytoo user will have UID 1024 and GID 1024 ENV COMFYUSER_DIR="/comfy" RUN echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers \ - && useradd -u 1024 -U -d ${COMFYUSER_DIR} -s /bin/bash -m comfy \ - && usermod -G users comfy \ - && adduser comfy sudo \ + && useradd -u 1024 -U -d ${COMFYUSER_DIR} -s /bin/bash -m comfytoo \ + && usermod -G users comfytoo \ + && adduser comfytoo sudo \ && test -d ${COMFYUSER_DIR} RUN it="/etc/comfyuser_dir"; echo ${COMFYUSER_DIR} > $it && chmod 555 $it 
@@ -62,11 +64,11 @@ ENV NVIDIA_VISIBLE_DEVICES=all EXPOSE 8188 -USER comfy +USER comfytoo WORKDIR ${COMFYUSER_DIR} -COPY --chown=comfy:comfy --chmod=555 init.bash comfyui-nvidia_init.bash -ARG BUILD_DATE="unknown" -LABEL comfyui-nvidia-docker-build=${BUILD_DATE} +ARG COMFYUI_NVIDIA_DOCKER_VERSION="unknown" +LABEL comfyui-nvidia-docker-build=${COMFYUI_NVIDIA_DOCKER_VERSION} +RUN echo "COMFYUI_NVIDIA_DOCKER_VERSION: ${COMFYUI_NVIDIA_DOCKER_VERSION}" | tee -a ${BUILD_FILE} -CMD [ "./comfyui-nvidia_init.bash" ] +CMD [ "/comfyui-nvidia_init.bash" ] From 712349b6ccba998cc90b08f87d1637bf706f4b48 Mon Sep 17 00:00:00 2001 From: Martial Michel <7586284+mmartial@users.noreply.github.com> Date: Sun, 23 Feb 2025 21:24:55 -0500 Subject: [PATCH 2/6] Always start as comfytoo then switch to comfy --- components/part1-common.Dockerfile | 33 ++++++++++----- init.bash | 66 ++++++++++++------------------ 2 files changed, 49 insertions(+), 50 deletions(-) diff --git a/components/part1-common.Dockerfile b/components/part1-common.Dockerfile index 72b8f55..84cb3f9 100644 --- a/components/part1-common.Dockerfile +++ b/components/part1-common.Dockerfile 
@@ -48,27 +48,40 @@ ARG BUILD_BASE="unknown" LABEL comfyui-nvidia-docker-build-from=${BUILD_BASE} RUN it="/etc/build_base.txt"; echo ${BUILD_BASE} > $it && chmod 555 $it +# Place the init script in / so it can be found by the entrypoint COPY --chmod=555 init.bash /comfyui-nvidia_init.bash ##### ComfyUI preparation -# The comfytoo user will have UID 1024 and GID 1024 -ENV COMFYUSER_DIR="/comfy" -RUN echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers \ - && useradd -u 1024 -U -d ${COMFYUSER_DIR} -s /bin/bash -m comfytoo \ +# Every sudo group user does not need a password +RUN echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers + +# Create a new group for the comfy and comfytoo users +RUN groupadd -g 1024 comfy \ + && groupadd -g 1025 comfytoo + +# The comfy (resp. comfytoo) user will have UID 1024 (resp. 1025), +# be part of the comfy (resp. comfytoo) and users groups and be sudo capable (passwordless) +RUN useradd -u 1024 -U -d /home/comfy -g comfy -s /bin/bash -m comfy \ + && usermod -G users comfy \ + && adduser comfy sudo +RUN useradd -u 1025 -U -d /home/comfytoo -g comfy -s /bin/bash -m comfytoo \ && usermod -G users comfytoo \ - && adduser comfytoo sudo \ - && test -d ${COMFYUSER_DIR} + && adduser comfytoo sudo + +# We start as comfytoo and will switch to the comfy user AFTER the container is up +# and after having altered the comfy details to match the requested UID/GID +USER comfytoo + +ENV COMFYUSER_DIR="/comfy" +RUN mkdir -p ${COMFYUSER_DIR} RUN it="/etc/comfyuser_dir"; echo ${COMFYUSER_DIR} > $it && chmod 555 $it ENV NVIDIA_VISIBLE_DEVICES=all EXPOSE 8188 -USER comfytoo -WORKDIR ${COMFYUSER_DIR} - ARG COMFYUI_NVIDIA_DOCKER_VERSION="unknown" LABEL comfyui-nvidia-docker-build=${COMFYUI_NVIDIA_DOCKER_VERSION} RUN echo "COMFYUI_NVIDIA_DOCKER_VERSION: ${COMFYUI_NVIDIA_DOCKER_VERSION}" | tee -a ${BUILD_FILE} -CMD [ "/comfyui-nvidia_init.bash" ] +CMD [ "/comfyui-nvidia_init.bash" ] \ No newline at end of file 
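Review bot: `adduser comfy sudo` keeps the account that ends up running ComfyUI in the passwordless `%sudo` group, so anything that process loads can become root inside the container with a plain `sudo`. With this change the UID/GID rewrite is done by `comfytoo` before the switch, so `comfy` may no longer need the membership; whether later parts of init.bash still call `sudo` as `comfy` is not visible here, so confirm before dropping it. If it is not needed, remove `&& adduser comfy sudo` and replace the group-wide rule with a per-user one, for example `comfytoo ALL=(ALL) NOPASSWD:ALL` in a file under `/etc/sudoers.d/`. The same lines are repeated in the four `Dockerfile/*.Dockerfile` sections of patch 6/6.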
diff --git a/init.bash b/init.bash index f95f568..f9c7ce2 100644 --- a/init.bash +++ b/init.bash @@ -86,18 +86,6 @@ if [ -z "$BASE_DIRECTORY" ]; then BASE_DIRECTORY=$cmd_basedir; fi if [ -z "$BASE_DIRECTORY" ]; then BASE_DIRECTORY=$ignore_value; fi if [ ! -z "$BASE_DIRECTORY" ]; then if [ $BASE_DIRECTORY != $ignore_value ] && [ ! -d "$BASE_DIRECTORY" ]; then error_exit "BASE_DIRECTORY requested but not found or not a directory ($BASE_DIRECTORY)"; fi; fi -# The script is started as comfy -# if the UID/GID are not correct, we create a new comfytoo user with the correct UID/GID which will restart the script -# after the script restart we restart again as comfy -if [ "A${whoami}" == "Acomfytoo" ]; then - echo "-- Not running as comfy, will try to switch to comfy (Docker USER)" - # Make the comfy user (the Docker USER) have the proper UID/GID as well - sudo usermod -u ${WANTED_UID} -o -g ${WANTED_GID} comfy - # restart the script as comfy (Docker USER) with the correct UID/GID this time - sudo su comfy $script_fullname ${WANTED_UID} ${WANTED_GID} ${SECURITY_LEVEL} ${BASE_DIRECTORY} ${cmd_cmdline_base} ${cmd_cmdline_extra} || error_exit "subscript failed" - ok_exit "Clean exit" -fi - it=/etc/image_base.txt if [ ! -f $it ]; then error_exit "$it missing, exiting"; fi echo "-- Base image details (from $it):"; cat $it 
@@ -117,37 +105,35 @@ BUILD_BASE_RTX50xx="ubuntu24_cuda12.8" echo "-- BUILD_BASE: \"${BUILD_BASE}\"" if test -z ${BUILD_BASE}; then error_exit "Empty BUILD_BASE variable"; fi -# we are running with some given UID/GID, do we need to modify UID/GID -current_uid=`id -u` -current_gid=`id -g` - -do_change="False" - -if [ ! -z "$WANTED_GID" -a "$WANTED_GID" != "$current_gid" ]; then - echo "-- Will attempt to create a new user with GID ${WANTED_GID}" - do_change="True" -fi -if [ ! -z "$WANTED_UID" -a "$WANTED_UID" != "$current_uid" ]; then - echo "-- Will attempt to create a new user with UID ${WANTED_UID}" - do_change="True" -fi - -if [ $do_change == "True" ]; then - # Make a "comfytoo" user - sudo chown -R ${WANTED_UID}:${WANTED_GID} ${COMFYUSER_DIR} - (getent group ${WANTED_GID} || (sudo addgroup --group --gid ${WANTED_GID} comfytoo || true)) - sudo useradd -u ${WANTED_UID} -o -g ${WANTED_GID} -s /bin/bash -d ${COMFYUSER_DIR} -M comfytoo - sudo adduser comfytoo sudo - # Reload the script to bypass limitation (and exit) - sudo su comfytoo $script_fullname ${WANTED_UID} ${WANTED_GID} ${SECURITY_LEVEL} ${BASE_DIRECTORY} ${cmd_cmdline_base} ${cmd_cmdline_extra} || error_exit "subscript failed" +new_gid=`id -g` +new_uid=`id -u` +echo "== user ($whoami)" +echo " uid: $new_uid / WANTED_UID: $WANTED_UID" +echo " gid: $new_gid / WANTED_GID: $WANTED_GID" + +# The script is started as comfytoo +# We are altering the UID/GID of the comfy user to the desired ones and restarting as comfy +if [ "A${whoami}" == "Acomfytoo" ]; then + echo "-- Running as comfytoo, will switch comfy to the desired UID/GID" + # using usermod for the already create comfy user, knowing it is not already in use + # per usermod manual: "You must make certain that the named user is not executing any processes when this command is being executed" + sudo groupmod -o -g ${WANTED_GID} comfy || error_exit "Failed to set GID of comfy user" + sudo usermod -o -u ${WANTED_UID} comfy || error_exit "Failed to set UID of 
comfy user" + sudo chown -R ${WANTED_UID}:${WANTED_GID} /home/comfy || error_exit "Failed to set owner of /home/comfy" + sudo chown ${WANTED_UID}:${WANTED_GID} ${COMFYUSER_DIR} || error_exit "Failed to set owner of ${COMFYUSER_DIR}" + # restart the script as comfy (Docker USER) with the correct UID/GID this time + sudo su comfy $script_fullname ${WANTED_UID} ${WANTED_GID} ${SECURITY_LEVEL} ${BASE_DIRECTORY} ${cmd_cmdline_base} ${cmd_cmdline_extra} || error_exit "subscript failed" ok_exit "Clean exit" fi -new_gid=`id -g` -new_uid=`id -u` -echo "== user -- uid: $new_uid / gid: $new_gid" -if [ ! -z "$WANTED_GID" -a "$WANTED_GID" != "$new_gid" ]; then echo "Wrong GID ($new_gid), exiting"; exit 0; fi -if [ ! -z "$WANTED_UID" -a "$WANTED_UID" != "$new_uid" ]; then echo "Wrong UID ($new_uid), exiting"; exit 0; fi +# The script is started as comfy +# if the UID/GID are not correct, fail: comfy MUST be running with the correct UID/GID +if [ "A${whoami}" == "Acomfy" ]; then + if [ "$WANTED_GID" != "$new_gid" ]; then error_exit "comfy MUST be running as UID ${WANTED_UID} GID ${WANTED_GID}, current UID ${current_uid} GID ${current_gid}"; fi + if [ "$WANTED_UID" != "$new_uid" ]; then error_exit "comfy MUST be running as UID ${WANTED_UID} GID ${WANTED_GID}, current UID ${current_uid} GID ${current_gid}"; fi +else + error_exit "The script cam only be run the comfy or comfytoo users" +fi # We are now running as comfy echo ""; echo "== Running as comfy" From 1c2a60bf844ac0a1ed2787d03a4aa7121d18a77f Mon Sep 17 00:00:00 2001 From: Martial Michel <7586284+mmartial@users.noreply.github.com> Date: Sun, 23 Feb 2025 21:42:44 -0500 Subject: [PATCH 3/6] directory creation before user switch --- components/part1-common.Dockerfile | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/components/part1-common.Dockerfile b/components/part1-common.Dockerfile index 84cb3f9..883d683 100644 --- a/components/part1-common.Dockerfile +++ b/components/part1-common.Dockerfile 
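Review bot: `WANTED_UID` and `WANTED_GID` reach `sudo groupmod`, `sudo usermod` and `sudo chown` in the comfytoo branch unquoted and unvalidated, although they appear to come from the environment or the command line. A value containing whitespace is split into extra arguments of a command running as root, and `0` combined with `-o` turns `comfy` into a second UID-0 account, which defeats the point of dropping to an unprivileged user. Check that both are plain non-zero integers before the first `sudo` call and quote every expansion; if running as UID 0 is a supported configuration, keep only the numeric check. The same unquoted calls show up again as context in the later init.bash hunks of patches 4/6 and 5/6, and the branch sits in top-level script code that continues outside this hunk.

```shell
if [ "A${whoami}" == "Acomfytoo" ]; then
  # … unchanged: echo and usermod manual comments …
  for id_value in "${WANTED_UID}" "${WANTED_GID}"; do
    case "${id_value}" in
      ''|*[!0-9]*) error_exit "WANTED_UID and WANTED_GID must be numeric (got: ${id_value})" ;;
    esac
    if [ "${id_value}" -eq 0 ]; then error_exit "WANTED_UID and WANTED_GID must not be 0"; fi
  done
  sudo groupmod -o -g "${WANTED_GID}" comfy || error_exit "Failed to set GID of comfy user"
  sudo usermod -o -u "${WANTED_UID}" comfy || error_exit "Failed to set UID of comfy user"
  sudo chown -R "${WANTED_UID}:${WANTED_GID}" /home/comfy || error_exit "Failed to set owner of /home/comfy"
  sudo chown "${WANTED_UID}:${WANTED_GID}" "${COMFYUSER_DIR}" || error_exit "Failed to set owner of ${COMFYUSER_DIR}"
  # … unchanged: restart as comfy, ok_exit …
```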
@@ -61,17 +61,13 @@ RUN groupadd -g 1024 comfy \ # The comfy (resp. comfytoo) user will have UID 1024 (resp. 1025), # be part of the comfy (resp. comfytoo) and users groups and be sudo capable (passwordless) -RUN useradd -u 1024 -U -d /home/comfy -g comfy -s /bin/bash -m comfy \ +RUN useradd -u 1024 -d /home/comfy -g comfy -s /bin/bash -m comfy \ && usermod -G users comfy \ && adduser comfy sudo -RUN useradd -u 1025 -U -d /home/comfytoo -g comfy -s /bin/bash -m comfytoo \ +RUN useradd -u 1025 -d /home/comfytoo -g comfytoo -s /bin/bash -m comfytoo \ && usermod -G users comfytoo \ && adduser comfytoo sudo -# We start as comfytoo and will switch to the comfy user AFTER the container is up -# and after having altered the comfy details to match the requested UID/GID -USER comfytoo - ENV COMFYUSER_DIR="/comfy" RUN mkdir -p ${COMFYUSER_DIR} RUN it="/etc/comfyuser_dir"; echo ${COMFYUSER_DIR} > $it && chmod 555 $it @@ -84,4 +80,8 @@ ARG COMFYUI_NVIDIA_DOCKER_VERSION="unknown" LABEL comfyui-nvidia-docker-build=${COMFYUI_NVIDIA_DOCKER_VERSION} RUN echo "COMFYUI_NVIDIA_DOCKER_VERSION: ${COMFYUI_NVIDIA_DOCKER_VERSION}" | tee -a ${BUILD_FILE} +# We start as comfytoo and will switch to the comfy user AFTER the container is up +# and after having altered the comfy details to match the requested UID/GID +USER comfytoo + CMD [ "/comfyui-nvidia_init.bash" ] \ No newline at end of file From 45ed787320da31b358259068f6b664386c1f54d0 Mon Sep 17 00:00:00 2001 From: Martial Michel <7586284+mmartial@users.noreply.github.com> Date: Sun, 23 Feb 2025 22:12:39 -0500 Subject: [PATCH 4/6] preliminary testing completed --- init.bash | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) diff --git a/init.bash b/init.bash index f9c7ce2..12c582d 100644 --- a/init.bash +++ b/init.bash 
@@ -111,9 +111,9 @@ echo "== user ($whoami)" echo " uid: $new_uid / WANTED_UID: $WANTED_UID" echo " gid: $new_gid / WANTED_GID: $WANTED_GID" -# The script is started as comfytoo -# We are altering the UID/GID of the comfy user to the desired ones and restarting as comfy if [ "A${whoami}" == "Acomfytoo" ]; then + # The script is started as comfytoo -- UID/GID 1025/1025 do not exist by default in Ubuntu so we can check the whoami value + # We are altering the UID/GID of the comfy user to the desired ones and restarting as comfy echo "-- Running as comfytoo, will switch comfy to the desired UID/GID" # using usermod for the already create comfy user, knowing it is not already in use # per usermod manual: "You must make certain that the named user is not executing any processes when this command is being executed" 
@@ -126,14 +126,11 @@ if [ "A${whoami}" == "Acomfytoo" ]; then ok_exit "Clean exit" fi -# The script is started as comfy -# if the UID/GID are not correct, fail: comfy MUST be running with the correct UID/GID -if [ "A${whoami}" == "Acomfy" ]; then - if [ "$WANTED_GID" != "$new_gid" ]; then error_exit "comfy MUST be running as UID ${WANTED_UID} GID ${WANTED_GID}, current UID ${current_uid} GID ${current_gid}"; fi - if [ "$WANTED_UID" != "$new_uid" ]; then error_exit "comfy MUST be running as UID ${WANTED_UID} GID ${WANTED_GID}, current UID ${current_uid} GID ${current_gid}"; fi -else - error_exit "The script cam only be run the comfy or comfytoo users" -fi +# If we are here, the script is started as comfy +# because the whoami value can be any existing user, we can not check against it +# if the UID/GID are not correct, fail: at this point we MUST be running with the correct UID/GID +if [ "$WANTED_GID" != "$new_gid" ]; then error_exit "comfy MUST be running as UID ${WANTED_UID} GID ${WANTED_GID}, current UID ${new_uid} GID ${new_gid}"; fi +if [ "$WANTED_UID" != "$new_uid" ]; then error_exit "comfy MUST be running as UID ${WANTED_UID} GID ${WANTED_GID}, current UID ${new_uid} GID ${new_gid}"; fi # We are now running as comfy echo ""; echo "== Running as comfy" From 2ef4b1358a92f9c504f207409e9bbc88d48282a3 Mon Sep 17 00:00:00 2001 From: Martial Michel <7586284+mmartial@users.noreply.github.com> Date: Mon, 24 Feb 2025 22:00:27 -0500 Subject: [PATCH 5/6] clarified new logic --- init.bash | 26 ++++++++++++++++++-------- 1 file changed, 18 insertions(+), 8 deletions(-) diff --git a/init.bash b/init.bash index 12c582d..515e5e4 100644 --- a/init.bash +++ b/init.bash 
@@ -42,7 +42,7 @@ ignore_value="VALUE_TO_IGNORE" # everyone can read our files by default umask 0022 -# Write a world-writeable file (preferably inside /tmp within the container) +# Write a world-writeable file (preferably inside /tmp -- ie within the container) write_worldtmpfile() { tmpfile=$1 if [ -z "${tmpfile}" ]; then error_exit "write_worldfile: missing argument"; fi 
@@ -73,29 +73,35 @@ if [ ! -f $it ]; then error_exit "$it missing, exiting"; fi COMFY_CMDLINE_EXTRA=`cat $it` echo "-- COMFY_CMDLINE_EXTRA: \"${COMFY_CMDLINE_EXTRA}\"" - +# Get user and group id if [ -z "$WANTED_UID" ]; then WANTED_UID=$cmd_wuid; fi if [ -z "$WANTED_UID" ]; then echo "-- No WANTED_UID provided, using comfy user default of 1024"; WANTED_UID=1024; fi if [ -z "$WANTED_GID" ]; then WANTED_GID=$cmd_wgid; fi if [ -z "$WANTED_GID" ]; then echo "-- No WANTED_GID provided, using comfy user default of 1024"; WANTED_GID=1024; fi +# Get security level if [ -z "$SECURITY_LEVEL" ]; then SECURITY_LEVEL=$cmd_seclvl; fi if [ -z "$SECURITY_LEVEL" ]; then echo "-- No SECURITY_LEVEL provided, using comfy default of normal"; SECURITY_LEVEL="normal"; fi + +# Get base directory if [ -z "$BASE_DIRECTORY" ]; then BASE_DIRECTORY=$cmd_basedir; fi if [ -z "$BASE_DIRECTORY" ]; then BASE_DIRECTORY=$ignore_value; fi if [ ! -z "$BASE_DIRECTORY" ]; then if [ $BASE_DIRECTORY != $ignore_value ] && [ ! -d "$BASE_DIRECTORY" ]; then error_exit "BASE_DIRECTORY requested but not found or not a directory ($BASE_DIRECTORY)"; fi; fi +# extract base image information it=/etc/image_base.txt if [ ! -f $it ]; then error_exit "$it missing, exiting"; fi echo "-- Base image details (from $it):"; cat $it +# extract comfy user directory it=/etc/comfyuser_dir if [ ! -f $it ]; then error_exit "$it missing, exiting"; fi COMFYUSER_DIR=`cat $it` echo "-- COMFYUIUSER_DIR: \"${COMFYUSER_DIR}\"" if test -z ${COMFYUSER_DIR}; then error_exit "Empty COMFYUSER_DIR variable"; fi +# extract build base information it=/etc/build_base.txt if [ ! -f $it ]; then error_exit "$it missing, exiting"; fi BUILD_BASE=`cat $it` 
@@ -105,14 +111,17 @@ BUILD_BASE_RTX50xx="ubuntu24_cuda12.8" echo "-- BUILD_BASE: \"${BUILD_BASE}\"" if test -z ${BUILD_BASE}; then error_exit "Empty BUILD_BASE variable"; fi +# Check user id and group id new_gid=`id -g` new_uid=`id -u` echo "== user ($whoami)" echo " uid: $new_uid / WANTED_UID: $WANTED_UID" echo " gid: $new_gid / WANTED_GID: $WANTED_GID" +# comfytoo is a specfiic user not existing by default on ubuntu, we can check its whomai if [ "A${whoami}" == "Acomfytoo" ]; then - # The script is started as comfytoo -- UID/GID 1025/1025 do not exist by default in Ubuntu so we can check the whoami value + # The script is started as comfytoo -- UID/GID 1025/1025 + # We are altering the UID/GID of the comfy user to the desired ones and restarting as comfy echo "-- Running as comfytoo, will switch comfy to the desired UID/GID" # using usermod for the already create comfy user, knowing it is not already in use 
@@ -121,18 +130,19 @@ if [ "A${whoami}" == "Acomfytoo" ]; then sudo usermod -o -u ${WANTED_UID} comfy || error_exit "Failed to set UID of comfy user" sudo chown -R ${WANTED_UID}:${WANTED_GID} /home/comfy || error_exit "Failed to set owner of /home/comfy" sudo chown ${WANTED_UID}:${WANTED_GID} ${COMFYUSER_DIR} || error_exit "Failed to set owner of ${COMFYUSER_DIR}" - # restart the script as comfy (Docker USER) with the correct UID/GID this time + # restart the script as comfy set with the correct UID/GID this time + echo "-- Restarting as comfy user with UID ${WANTED_UID} GID ${WANTED_GID}" sudo su comfy $script_fullname ${WANTED_UID} ${WANTED_GID} ${SECURITY_LEVEL} ${BASE_DIRECTORY} ${cmd_cmdline_base} ${cmd_cmdline_extra} || error_exit "subscript failed" ok_exit "Clean exit" fi -# If we are here, the script is started as comfy -# because the whoami value can be any existing user, we can not check against it -# if the UID/GID are not correct, fail: at this point we MUST be running with the correct UID/GID +# If we are here, the script is started as another user than comfytoo +# because the whoami value for the comfy user can be any existing user, we can not check against it +# instead we check if the UID/GID are the expected ones if [ "$WANTED_GID" != "$new_gid" ]; then error_exit "comfy MUST be running as UID ${WANTED_UID} GID ${WANTED_GID}, current UID ${new_uid} GID ${new_gid}"; fi if [ "$WANTED_UID" != "$new_uid" ]; then error_exit "comfy MUST be running as UID ${WANTED_UID} GID ${WANTED_GID}, current UID ${new_uid} GID ${new_gid}"; fi -# We are now running as comfy +# We are therefore running as comfy echo ""; echo "== Running as comfy" # Confirm we can write to the user directory From d6bb1eafa8fef5609b8398ab8f2bf726f492f57b Mon Sep 17 00:00:00 2001 
From: Martial Michel <7586284+mmartial@users.noreply.github.com> Date: Thu, 27 Feb 2025 21:22:08 -0500 Subject: [PATCH 6/6] 20250227 release --- Dockerfile/ubuntu22_cuda12.3.2.Dockerfile | 39 ++++++++++++++++------- Dockerfile/ubuntu22_cuda12.4.1.Dockerfile | 39 ++++++++++++++++------- Dockerfile/ubuntu24_cuda12.5.1.Dockerfile | 39 ++++++++++++++++------- Dockerfile/ubuntu24_cuda12.8.Dockerfile | 39 ++++++++++++++++------- Makefile | 2 +- README.md | 12 +++++-- 6 files changed, 118 insertions(+), 52 deletions(-) diff --git a/Dockerfile/ubuntu22_cuda12.3.2.Dockerfile b/Dockerfile/ubuntu22_cuda12.3.2.Dockerfile index 552b42c..16b793e 100644 --- a/Dockerfile/ubuntu22_cuda12.3.2.Dockerfile +++ b/Dockerfile/ubuntu22_cuda12.3.2.Dockerfile 
@@ -67,25 +67,40 @@ ARG BUILD_BASE="unknown" LABEL comfyui-nvidia-docker-build-from=${BUILD_BASE} RUN it="/etc/build_base.txt"; echo ${BUILD_BASE} > $it && chmod 555 $it +# Place the init script in / so it can be found by the entrypoint +COPY --chmod=555 init.bash /comfyui-nvidia_init.bash + ##### ComfyUI preparation -# The comfy user will have UID 1024 and GID 1024 -ENV COMFYUSER_DIR="/comfy" -RUN echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers \ - && useradd -u 1024 -U -d ${COMFYUSER_DIR} -s /bin/bash -m comfy \ +# Every sudo group user does not need a password +RUN echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers + +# Create a new group for the comfy and comfytoo users +RUN groupadd -g 1024 comfy \ + && groupadd -g 1025 comfytoo + +# The comfy (resp. comfytoo) user will have UID 1024 (resp. 1025), +# be part of the comfy (resp. comfytoo) and users groups and be sudo capable (passwordless) +RUN useradd -u 1024 -d /home/comfy -g comfy -s /bin/bash -m comfy \ && usermod -G users comfy \ - && adduser comfy sudo \ - && test -d ${COMFYUSER_DIR} + && adduser comfy sudo +RUN useradd -u 1025 -d /home/comfytoo -g comfytoo -s /bin/bash -m comfytoo \ + && usermod -G users comfytoo \ + && adduser comfytoo sudo + +ENV COMFYUSER_DIR="/comfy" +RUN mkdir -p ${COMFYUSER_DIR} RUN it="/etc/comfyuser_dir"; echo ${COMFYUSER_DIR} > $it && chmod 555 $it ENV NVIDIA_VISIBLE_DEVICES=all EXPOSE 8188 -USER comfy -WORKDIR ${COMFYUSER_DIR} -COPY --chown=comfy:comfy --chmod=555 init.bash comfyui-nvidia_init.bash +ARG COMFYUI_NVIDIA_DOCKER_VERSION="unknown" +LABEL comfyui-nvidia-docker-build=${COMFYUI_NVIDIA_DOCKER_VERSION} +RUN echo "COMFYUI_NVIDIA_DOCKER_VERSION: ${COMFYUI_NVIDIA_DOCKER_VERSION}" | tee -a ${BUILD_FILE} -ARG BUILD_DATE="unknown" -LABEL comfyui-nvidia-docker-build=${BUILD_DATE} +# We start as comfytoo and will switch to the comfy user AFTER the container is up +# and after having altered the comfy details to match the requested UID/GID +USER comfytoo -CMD [ 
"./comfyui-nvidia_init.bash" ] +CMD [ "/comfyui-nvidia_init.bash" ] \ No newline at end of file diff --git a/Dockerfile/ubuntu22_cuda12.4.1.Dockerfile b/Dockerfile/ubuntu22_cuda12.4.1.Dockerfile index e3443a1..dae24ba 100644 --- a/Dockerfile/ubuntu22_cuda12.4.1.Dockerfile +++ b/Dockerfile/ubuntu22_cuda12.4.1.Dockerfile 
@@ -65,25 +65,40 @@ ARG BUILD_BASE="unknown" LABEL comfyui-nvidia-docker-build-from=${BUILD_BASE} RUN it="/etc/build_base.txt"; echo ${BUILD_BASE} > $it && chmod 555 $it +# Place the init script in / so it can be found by the entrypoint +COPY --chmod=555 init.bash /comfyui-nvidia_init.bash + ##### ComfyUI preparation -# The comfy user will have UID 1024 and GID 1024 -ENV COMFYUSER_DIR="/comfy" -RUN echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers \ - && useradd -u 1024 -U -d ${COMFYUSER_DIR} -s /bin/bash -m comfy \ +# Every sudo group user does not need a password +RUN echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers + +# Create a new group for the comfy and comfytoo users +RUN groupadd -g 1024 comfy \ + && groupadd -g 1025 comfytoo + +# The comfy (resp. comfytoo) user will have UID 1024 (resp. 1025), +# be part of the comfy (resp. comfytoo) and users groups and be sudo capable (passwordless) +RUN useradd -u 1024 -d /home/comfy -g comfy -s /bin/bash -m comfy \ && usermod -G users comfy \ - && adduser comfy sudo \ - && test -d ${COMFYUSER_DIR} + && adduser comfy sudo +RUN useradd -u 1025 -d /home/comfytoo -g comfytoo -s /bin/bash -m comfytoo \ + && usermod -G users comfytoo \ + && adduser comfytoo sudo + +ENV COMFYUSER_DIR="/comfy" +RUN mkdir -p ${COMFYUSER_DIR} RUN it="/etc/comfyuser_dir"; echo ${COMFYUSER_DIR} > $it && chmod 555 $it ENV NVIDIA_VISIBLE_DEVICES=all EXPOSE 8188 -USER comfy -WORKDIR ${COMFYUSER_DIR} -COPY --chown=comfy:comfy --chmod=555 init.bash comfyui-nvidia_init.bash +ARG COMFYUI_NVIDIA_DOCKER_VERSION="unknown" +LABEL comfyui-nvidia-docker-build=${COMFYUI_NVIDIA_DOCKER_VERSION} +RUN echo "COMFYUI_NVIDIA_DOCKER_VERSION: ${COMFYUI_NVIDIA_DOCKER_VERSION}" | tee -a ${BUILD_FILE} -ARG BUILD_DATE="unknown" -LABEL comfyui-nvidia-docker-build=${BUILD_DATE} +# We start as comfytoo and will switch to the comfy user AFTER the container is up +# and after having altered the comfy details to match the requested UID/GID +USER comfytoo -CMD [ 
"./comfyui-nvidia_init.bash" ] +CMD [ "/comfyui-nvidia_init.bash" ] \ No newline at end of file diff --git a/Dockerfile/ubuntu24_cuda12.5.1.Dockerfile b/Dockerfile/ubuntu24_cuda12.5.1.Dockerfile index 0c0b3a3..715a3a3 100644 --- a/Dockerfile/ubuntu24_cuda12.5.1.Dockerfile +++ b/Dockerfile/ubuntu24_cuda12.5.1.Dockerfile 
@@ -64,25 +64,40 @@ ARG BUILD_BASE="unknown" LABEL comfyui-nvidia-docker-build-from=${BUILD_BASE} RUN it="/etc/build_base.txt"; echo ${BUILD_BASE} > $it && chmod 555 $it +# Place the init script in / so it can be found by the entrypoint +COPY --chmod=555 init.bash /comfyui-nvidia_init.bash + ##### ComfyUI preparation -# The comfy user will have UID 1024 and GID 1024 -ENV COMFYUSER_DIR="/comfy" -RUN echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers \ - && useradd -u 1024 -U -d ${COMFYUSER_DIR} -s /bin/bash -m comfy \ +# Every sudo group user does not need a password +RUN echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers + +# Create a new group for the comfy and comfytoo users +RUN groupadd -g 1024 comfy \ + && groupadd -g 1025 comfytoo + +# The comfy (resp. comfytoo) user will have UID 1024 (resp. 1025), +# be part of the comfy (resp. comfytoo) and users groups and be sudo capable (passwordless) +RUN useradd -u 1024 -d /home/comfy -g comfy -s /bin/bash -m comfy \ && usermod -G users comfy \ - && adduser comfy sudo \ - && test -d ${COMFYUSER_DIR} + && adduser comfy sudo +RUN useradd -u 1025 -d /home/comfytoo -g comfytoo -s /bin/bash -m comfytoo \ + && usermod -G users comfytoo \ + && adduser comfytoo sudo + +ENV COMFYUSER_DIR="/comfy" +RUN mkdir -p ${COMFYUSER_DIR} RUN it="/etc/comfyuser_dir"; echo ${COMFYUSER_DIR} > $it && chmod 555 $it ENV NVIDIA_VISIBLE_DEVICES=all EXPOSE 8188 -USER comfy -WORKDIR ${COMFYUSER_DIR} -COPY --chown=comfy:comfy --chmod=555 init.bash comfyui-nvidia_init.bash +ARG COMFYUI_NVIDIA_DOCKER_VERSION="unknown" +LABEL comfyui-nvidia-docker-build=${COMFYUI_NVIDIA_DOCKER_VERSION} +RUN echo "COMFYUI_NVIDIA_DOCKER_VERSION: ${COMFYUI_NVIDIA_DOCKER_VERSION}" | tee -a ${BUILD_FILE} -ARG BUILD_DATE="unknown" -LABEL comfyui-nvidia-docker-build=${BUILD_DATE} +# We start as comfytoo and will switch to the comfy user AFTER the container is up +# and after having altered the comfy details to match the requested UID/GID +USER comfytoo -CMD [ 
"./comfyui-nvidia_init.bash" ] +CMD [ "/comfyui-nvidia_init.bash" ] \ No newline at end of file diff --git a/Dockerfile/ubuntu24_cuda12.8.Dockerfile b/Dockerfile/ubuntu24_cuda12.8.Dockerfile index 471cc6e..75214d8 100644 --- a/Dockerfile/ubuntu24_cuda12.8.Dockerfile +++ b/Dockerfile/ubuntu24_cuda12.8.Dockerfile 
@@ -62,25 +62,40 @@ ARG BUILD_BASE="unknown" LABEL comfyui-nvidia-docker-build-from=${BUILD_BASE} RUN it="/etc/build_base.txt"; echo ${BUILD_BASE} > $it && chmod 555 $it +# Place the init script in / so it can be found by the entrypoint +COPY --chmod=555 init.bash /comfyui-nvidia_init.bash + ##### ComfyUI preparation -# The comfy user will have UID 1024 and GID 1024 -ENV COMFYUSER_DIR="/comfy" -RUN echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers \ - && useradd -u 1024 -U -d ${COMFYUSER_DIR} -s /bin/bash -m comfy \ +# Every sudo group user does not need a password +RUN echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers + +# Create a new group for the comfy and comfytoo users +RUN groupadd -g 1024 comfy \ + && groupadd -g 1025 comfytoo + +# The comfy (resp. comfytoo) user will have UID 1024 (resp. 1025), +# be part of the comfy (resp. comfytoo) and users groups and be sudo capable (passwordless) +RUN useradd -u 1024 -d /home/comfy -g comfy -s /bin/bash -m comfy \ && usermod -G users comfy \ - && adduser comfy sudo \ - && test -d ${COMFYUSER_DIR} + && adduser comfy sudo +RUN useradd -u 1025 -d /home/comfytoo -g comfytoo -s /bin/bash -m comfytoo \ + && usermod -G users comfytoo \ + && adduser comfytoo sudo + +ENV COMFYUSER_DIR="/comfy" +RUN mkdir -p ${COMFYUSER_DIR} RUN it="/etc/comfyuser_dir"; echo ${COMFYUSER_DIR} > $it && chmod 555 $it ENV NVIDIA_VISIBLE_DEVICES=all EXPOSE 8188 -USER comfy -WORKDIR ${COMFYUSER_DIR} -COPY --chown=comfy:comfy --chmod=555 init.bash comfyui-nvidia_init.bash +ARG COMFYUI_NVIDIA_DOCKER_VERSION="unknown" +LABEL comfyui-nvidia-docker-build=${COMFYUI_NVIDIA_DOCKER_VERSION} +RUN echo "COMFYUI_NVIDIA_DOCKER_VERSION: ${COMFYUI_NVIDIA_DOCKER_VERSION}" | tee -a ${BUILD_FILE} -ARG BUILD_DATE="unknown" -LABEL comfyui-nvidia-docker-build=${BUILD_DATE} +# We start as comfytoo and will switch to the comfy user AFTER the container is up +# and after having altered the comfy details to match the requested UID/GID +USER comfytoo -CMD [ 
"./comfyui-nvidia_init.bash" ] +CMD [ "/comfyui-nvidia_init.bash" ] \ No newline at end of file diff --git a/Makefile b/Makefile index c0c735f..eef16db 100644 --- a/Makefile +++ b/Makefile @@ -5,7 +5,7 @@ DOCKER_CMD=docker DOCKER_PRE="NVIDIA_VISIBLE_DEVICES=all" DOCKER_BUILD_ARGS= -COMFYUI_NVIDIA_DOCKER_VERSION=comfytoo +COMFYUI_NVIDIA_DOCKER_VERSION=20250227 COMFYUI_CONTAINER_NAME=comfyui-nvidia-docker diff --git a/README.md b/README.md index 29fff38..10a580a 100644 --- a/README.md +++ b/README.md @@ -157,7 +157,10 @@ The use of the `basedir` is recommended. This folder will be populated at run ti This is possible because of a new CLI option `--basedir` that was added to the code at the end of January 2025. This option will not be available unless ComfyUI is updated for existing installations. When starting, the container image executes the `init.bash` script that performs a few operations: -- Ensure we can use the `WANTED_UID` and `WANTED_GID` as the `comfy` user (the user set to run the container), +- When starting, the container is using the `comfytoo` user. This user has UID/GID 1025/1025 (ie not a value existing by default in a default Ubuntu installation). + - As the `sudo` capable `comfytoo` user, the script will modify the existing `comfy` user to use the `WANTED_UID` and `WANTED_GID` + - Then, it will re-start the initialization script by becoming the newly modified `comfy` user (which can write in the `run` and `basedir` folders with the provided `WANTED_UID` and `WANTED_GID`). +- After restarting as the `comfy` user... - Obtain the latest version of ComfyUI from GitHub if not already present in the mounted `run` folder. - Create the virtual environment (`venv`) if one does not already exist - if one exists, confirm it is the one for this OS+CUDA pair 
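Review bot: `${BUILD_FILE}` in the added `RUN echo "COMFYUI_NVIDIA_DOCKER_VERSION: ..." | tee -a ${BUILD_FILE}` line is unquoted and is not defined anywhere in this hunk. If it is empty at build time, `tee -a` receives no file operand, the step still succeeds, and the version is never recorded inside the image. It is presumably set earlier in the Dockerfile, but the step can fail closed at no cost: `| tee -a "${BUILD_FILE:?}"`. The earlier hunk at `-64,25 +64,40` carries the same line.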
@@ -418,7 +421,7 @@ If the file is not executable, the tool will attempt to make it executable, but ### 5.3.1. WANTED_UID and WANTED_GID -The Linux User ID (`uid`) and Group ID (`gid`) will be used by the `comfy` user within the container. +The `WANTED_UID` and `WANTED_GID` environment variables will be used to set the `comfy` user within the container. It is recommended that those be set to the end-user's `uid` and `gid` to allow the addition of files, models, and other content within the `run` directory. Content to be added within the `run` directory must be created with the `uid` and `gid`. @@ -495,7 +498,9 @@ For example: `python3 /comfy/mnt/custom_nodes/ComfyUI-Manager/cm-cli.py show ins ## 5.5. Shell within the Docker image -Depending on your `WANTED_UID` and `WANTED_GID`, when starting a `docker exec` (or getting a `bash` terminal from `docker compose`), it is possible that the shell is started with incorrect permissions (we will see a `bash: /comfy/.bashrc: Permission denied` error). The `comfy` user is `sudo`-able: run `sudo su comfytoo` to get the proper UID/GID. +When starting a `docker exec -it comfyui-nvidia /bin/bash` (or getting a `bash` terminal from `docker compose`), you will be logged in as the `comfytoo` user. +Switch to the `comfy` user with: `sudo su -l comfy`. +As the `comfy` user you will be using the `WANTED_UID` and `WANTED_GID` provided. You will be able to `cd` into the mounted locations for the `run` and `basedir` folders, `source /comfy/mnt/venv/bin/activate` to get the virtual environment activated (allowing you to perfom `pip3 install` operations), and other operations that the `comfy` user is allowed to perform. ## 5.6. Additional FAQ 
@@ -628,6 +633,7 @@ Make sure to change file ownership to the user with the `WANTED_UID` and `WANTED # 7. Changelog +- 20250227: Simplified user switching logic using the `comfytoo` user as the default entry point user that will set up the `comfy` user - 20250216: Fix issue with empty `BASE_DIRECTORY` variable - 20250202: Added `BASE_DIRECTORY` variable - 20250116: Happy 2nd Birthday ComfyUI -- added multiple builds for different base Ubuntu OS and CUDA combinations + added `ffmpeg` into the base container.