Tried custom lora for anima base 1.0 and its absolutely amazing.

https://redd.it/1tpx4kg
@rStableDiffusion

Krea 2 open source - soon
https://x.com/viccpoes/status/2059700735001121079

https://redd.it/1tpwu1k
@rStableDiffusion

Lightx2v just released NVFP4 ckpt for WAN 2.2 14b

https://huggingface.co/lightx2v/Wan2.2-NVFP4-Sparse

They're claiming some very significant speed up. They didn't say whether the "Wan2.2-T2V-14B" column includes or excludes Lightning though.

| Resolution | Wan2.2-T2V-14B | Wan2.2-NVFP4-Sparse | Speedup |
|:----------:|----------------|---------------------|---------|
| 480p | 734s | 14.15s | 51.9x |
| 720p | 2668s | 45s | 59.3x |

I have to say though in their examples the NVFP4 motion quality is nowhere near as good.

Hopefully we see it in Comfy soon.

https://redd.it/1tpyydh
@rStableDiffusion

Flux 2 Klein, RTX 3060 12GB: FP8 is almost same as GGUF

Wanted to share a finding that surprised me. Hopefully saves someone else the few weeks I spent on this ( wasting precious time and GPU! ).

**Setup**

* RTX 3060, 12GB VRAM
* ComfyUI (recent build)
* Flux 2 Klein, 1024×1024, my usual sampler / steps / cfg

**What I tried** Conventional wisdom: GGUF quantization helps low-VRAM cards. So I set up an A/B:

* Klein fp8 (baseline)
* Klein Q5 UNET + Q4\_K\_M text encoder GGUF

Ran \~10 generations of each, averaged wall time. Expected GGUF to be meaningfully faster given the 12GB constraint.

**What I found** Both were within 5% of each other on wall time. GGUF didn't buy me the speedup I expected.

The actual speedup came from somewhere I wasn't looking — dropping `--lowvram --reserve-vram 11` from my Comfy launch flags. Switching to default memory management roughly doubled throughput on the same hardware, and it dominated anything quantization could touch.

**Why I think this happens** ( based on my learnings online) Klein at fp8 actually fits in 12GB VRAM without aggressive offload. The `--lowvram` path was causing offload that was the real bottleneck — not model size. Once the flag is gone, Comfy keeps the model resident across calls and the swap overhead disappears. I honestly dont remember why I added that lowvram flag to my comfy launcher.

The cards that "barely fit" the model are the ones that lose the most to low-VRAM helpers. A 3060/12GB is exactly that zone — enough to keep Klein resident if you let it, but the safety-flag defaults push you into offload behavior you don't actually need.

**Takeaway** Before reaching for GGUF on a 3060/12GB, try just running with default memory flags. The "low-VRAM helpers" can themselves be the bottleneck on cards that have just barely enough VRAM not to need them.

Curious whether this holds on other "just barely enough" cards (4070 12GB? 3080 10GB?) or if it's a 3060-specific quirk. Anyone else seeing this?

For those asking:

RTX 3060 12GB
64GB DDR4 RAM
Flux Klein 1024x1024 -- approx time 88s.

My workflow is to first create the images in ZIT and then edit it in Flux Klein. Trying out Qwen Edit as well these days because mulit-angle lora is a big miss in Flux Klein. Any options for multi-angle lora in Klein ?

https://redd.it/1tq3ivh
@rStableDiffusion

InvokeAI 6.13.0 Released

The InvokeAI team is happy to announce that version 6.13.0 just dropped. InvokeAI is a creator-oriented AI image generation platform that offers locally hosted image generation with unparalleled power and usability.

This release is packed with new features:

Support for Qwen Image and Qwen Edit models
Support for Anima models
Support for externally hosted models including GPT Image, Gemini (nano banana), SeeDream and Wan
Major usability improvements in the Canvas, including a Lasso tool and a new Shapes palette
Shared and private galleries and workflows in multi-user mode.
A new workflow node Connector type that makes it easier to lay out multistep workflows
Node packs organize sets of related workflow nodes, making it easier to install other user's workflows and distribute your own
Workflow nodes are now organized functionally, making it easier to find the one you're looking for.

See https://github.com/invoke-ai/InvokeAI/releases/tag/v6.13.0 for the full rundown on new features and bugfixes.

https://redd.it/1tq6fwy
@rStableDiffusion

[Guide] How to securely run ComfyUI on Windows (Docker>WSL2) [RTX 3090, logic can be applied to other hardware]

**What risks you might face when running ComfyUI (or other software running ai models) you ask?**

Literally **ALL** of them, with the added perk that after updating nodes (or some unsafe model files) you get a new bingo of potential malware :D!

Every comfy node is basically a separate, unscanned by security suites Python(AV read them very superficially when prompted, and will not audit its runtime risks)instance that can run ANY instructions set by the creator.

It's like downloading and running random exes on your machine with your AV off.

Most people just block the internet of their software, and thats better than nothing, but just blocking comfy with your firewall only stops outbound connections of nodes, not the payload execution, nor the connection of whatever that might create: from simple miners to leech your GPU or backdoors to use you as a relay for attacks, to infostealers, ransomware, and direct access to your system.

And nodes arent the only problem: scripts to install components, model files and workflows can be malicious as well, adding their own layer of risks.

So, in a scale of risk from 1-10. I would give an unhardened comfy used by a random - 11.

It's basically one giant backdoor we voluntarily install and run lol

Example: [https://www.reddit.com/r/comfyui/comments/1dbls5n/psa\_if\_youve\_used\_the\_comfyui\_llmvision\_node\_from/](https://www.reddit.com/r/comfyui/comments/1dbls5n/psa_if_youve_used_the_comfyui_llmvision_node_from)

After hardening, you will get a risk of like 2-3. Basically you can fuck it up if you try, but most of the threats will be neutralized.

>Is it worth the trouble?

>Depends on your tolerance to risks, and how much you care for the repercussions of a breach. ¯\\(ツ)/¯.

>"But I only use it for gooning" you might say.. Well, someone can get access to your system while you're at it, record you from your webcam, and then blackmail you with the footage of your midget furry ai-generated porn of your deepfaked crush.

>So, yeah, when I said "ALL the risks" its literally **ALL OF THEM.**

>I posted this guide to r/ComfyUI and it got a couple dozen shares but was downvoted to oblivion; so it seems there are parties interested in people NOT hardening their ComfyUI instances and making sure it doesn't get mainstream. Take that into account when downloading random workflows and nodes from reddit or elsewhere!

And so, a couple days ago I was asking around here about how to run Comfyui securely, and got great recommendations from all; and after looking for the options, I decided going with two builds:

1. A separated Linux SSD for Comfy only, to use for experimentation and on its own without other software.
2. An "isolated" docker image running on WSL2 to use in combination with editing software on windows.

Since (1) is quite obvious on its own, I will leave here what I did for the windows build, in case anyone wants to go this path. It takes around 40-60min to build, so ill save you the couple days of headache.

I tried at first building my own image on docker to have more control; but things got into dependency hell, and I dropped the idea in favor of a prebuilt bare public image so I could slowly build it with my own nodes and workflows as I need.

**This guide is for the RTX3090, it gets "technical", but you can feed this to an AI and ask it to give you step-by-step instructions and help you along the way, or to adapt it for your hardware if you have a different GPU (CUDA and Torch related versions will change, you might want another image with a more optimal package for you) and use it as a general base for what you build.**

`TL;DR: Run ComfyUI in a hardened Docker container on Windows 11 that can't phone home, can't touch your system drive, and is one command to switch between daily locked-down use and maintenance/update mode.`

`The short version of everything done:`

* `Models live on a native ext4 virtual drive on your model disk , no slow Windows filesystem

bridge`
* `SageAttention installs once at bootstrap and is skipped forever after via a stamp file`
* `Two shell aliases handle everything: comfy_secure (offline, daily use) and comfy_update (internet on, for installing nodes)`
* `Unknown nodes get reviewed in a throwaway CPU-only sandbox before touching production`
* `The whole thing survives reboots, auto-mounts the model drive at login, and starts itself with Docker Desktop`

# Security / hardening layers overview

|Layer|What it does|
|:-|:-|
|Separate Windows admin account|Never used for daily work. Admin rights isolated. \[Honestly this should be done by everyone regardless; it will remove most of the security threats\]|
|Separate limited Windows account|Daily use account has no admin rights.|
|Separate limited ComfyUI account|Runs Docker. Has no admin rights.|
|WSL2 C: mounted read-only|System drive can't be modified from inside WSL2. Set in `/etc/wsl.conf`.|
|`WANTED_UID / WANTED_GID`|Container drops to your host user's UID/GID. Files in output/run folders are owned by you.|
|`-p 127.0.0.1:8188:8188`|UI only reachable from your own machine. Invisible to router and LAN.|
|`NETWORK_MODE=offline`|Tells ComfyUI-Manager to not attempt any network calls. Stops restart loops in production.|
|`DISABLE_UPGRADES=true`|Prevents `git pull` / `pip upgrade` on every container start. Required for offline mode to not crash.|
|`TORCH_LOCK`|Pins PyTorch/torchvision/torchaudio versions. Prevents accidental CUDA stack upgrade.|
|Models on separate ext4 VHD|Models are on their own filesystem. Easy to backup, resize, or wipe independently.|
|`user_script.bash` stamp files|SageAttention install is skipped on every start after first successful install. Zero overhead offline.|
|Untrusted node sandbox|Separate no-GPU ComfyUI install for reviewing unknown custom nodes before copying to production.|

Why `--network none` / `--internal` were NOT used: ComfyManager and some dependencies were going into death loops with them; Docker `--internal` networks silently break `-p` port publishing \[confirmed open bug in Docker (moby/moby #36174)\]. `--network host` also does not work on Docker Desktop + WSL2 on Windows. `NETWORK_MODE=offline` achieves the Manager-level isolation we need without breaking the UI port.

# Chosen Docker Image

`mmartial/comfyui-nvidia-docker` was chosen because:

* Builds on the official NVIDIA NGC CUDA devel image (not a random Dockerfile)
* All source is public and auditable on GitHub
* Handles UID/GID remapping so files on the host are owned by your user, not root
* Supports `NETWORK_MODE`, `DISABLE_UPGRADES`, `TORCH_LOCK` env vars for production hardening
* Ships optional SageAttention build script (we install it manually via `user_script.bash`)

Tag used: `ubuntu24_cuda12.8-latest` \- matches RTX 3090 (Ampere / sm\_86 / CUDA 12.8)

These are the other options I was considering, in case you have other hardware, or requirements. They go from super general and bloated AF, to really barebones as the one I installed.

|Rank|GitHub Repository|Stars|Primary Registry Image / Usage|Core Deployment Archetype|PyTorch & CUDA Run Environments|
|:-|:-|:-|:-|:-|:-|
|1|AbdBarho/stable-diffusion-webui-docker|7.3k|`docker compose --profile comfy up`|Multi-UI Local Host|Unified CUDA Stack|
|2|YanWenKun/ComfyUI-Docker|1.5k|yanwk/comfyui-boot|Local Workstation & Cloud|CUDA 13.0 & PyTorch 2.11|
|3|ai-dock/comfyui|1,037|[ghcr.io/ai-dock/comfyui](http://ghcr.io/ai-dock/comfyui)|Multi-Process Cloud & GPU Pods|Multi-tag CUDA & PyTorch|
|4|runpod-workers/worker-comfyui|688|runpod/worker-comfyui|Serverless Cloud API Endpoint|Production Serverless API|
|5|Kaouthia/ComfyUI-Docker|100|Custom local build via Compose|Local Desktop WSL2 & Linux|Latest PyTorch on Rebuild|
|6|ashleykleynhans/comfyui-docker|56|ashleykza/comfyui|Dedicated Cloud Pod (RunPod)|CUDA 12.4 / 12.8 & Python 3.11|
|7|ashleykleynhans/runpod-worker-comfyui|21|Custom Serverless Handler|RunPod Serverless API|Native Python Handler Execution|
|8|pixeloven/ComfyUI-Docker|14|GHCR Container Profiles|Core vs. Complete Profiles|CUDA 12.9 &

Native SageAttention|
|9|jamesbrink/docker-comfyui|8|Custom Deployment Config|Enterprise Kubernetes & Podman|CUDA 12.8 (Debian slim base)|

>Why not just any random docker image with cuda and comfy??

>Control, and mitigation of other risks by keeping things "simple". Many of the Docker's images run other stuff that add completixy to their setups, which aside of potential issues, could be used as obfuscation layers for malicious code (e.g Using CONDA for managing everything) by sophysticated attackers.

NOTE: If you seeing this guide months after publishing, throw the image repo into an ai with github access to audit it again; who knows, it could get compromised with time.

# 1. First steps

# Windows accounts

Create three accounts before doing anything else. Keeps blast radius small if something goes wrong.

|Account|Type|Used for|
|:-|:-|:-|
|`admin`|Administrator|Software installs only. Never browse the web from here.|
|`daily`|Standard|Your everyday Windows use. No admin rights.|
|`comfyui`|Standard|Running Docker and ComfyUI only. No admin rights.|

Settings -> Accounts -> Family & other users -> Add someone else.

Create a separate docker user group, and add the comfyui user to it. I will not include the process here, just ask some AI to help you setup a non-privileged account that can run docker from your admin account.

# BIOS - enable virtualization

WSL2 requires hardware virtualization. Reboot into BIOS (usually Del or F2 on POST) and enable:

* Intel: **Intel VT-x** / **Intel Virtualization Technology**
* AMD: **AMD-V** / **SVM Mode**

If this is already on (most modern systems have it enabled), skip.

# Enable WSL2 and Virtual Machine Platform

Open PowerShell as admin:

dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux /all /norestart
dism.exe /online /enable-feature /featurename:VirtualMachinePlatform /all /norestart

Reboot. Then set WSL2 as default and update the kernel:

wsl --set-default-version 2
wsl --update

# Install Ubuntu

wsl --install -d Ubuntu-24.04

This opens a terminal and asks you to create a Linux username and password. Use something simple, this is your WSL2 user. After setup, confirm it's running WSL2:

wsl -l -v
# Should show VERSION 2 next to Ubuntu-24.04

# NVIDIA stuff

Install the standard Game Ready or Studio driver from [nvidia.com](http://nvidia.com) for your GPU. That's all. Do not install CUDA Toolkit on Windows, and do not install any NVIDIA driver inside WSL2, the Windows driver is automatically exposed into WSL2 and Docker containers.

Verify it works inside WSL2 after install:

nvidia-smi
# Should show your RTX 3090 and driver version

# Install Docker Desktop

Download from docker.com/products/docker-desktop. During install:

* Choose **WSL2 backend** (not Hyper-V)
* After install, go to Settings -> Resources -> WSL Integration -> enable for your Ubuntu distro
* Move Docker data off C: to another drive (optional if you have a dedicated system drive, to save space) via Settings -> Resources -> Advanced -> Disk image location. Set it before pulling any images, Docker images are large.

Verify GPU passthrough works:

docker run --rm --gpus all nvidia/cuda:12.8.0-base-ubuntu24.04 nvidia-smi
# Should show your GPU inside the container

# Configure WSL2

Memory and swap limits, WSL2 by default can consume all RAM. Cap it. Create `C:\Users\yourname\.wslconfig`:

[wsl2]
memory=XXGB # adjust to ~half your RAM
swap=8GB
processors=8 # adjust to your core count

C: drive read-only, prevents anything inside WSL2 from modifying your Windows system drive. Inside WSL2:

sudo nano /etc/wsl.conf

[automount]
enabled = true
options = "ro"

Then restart WSL2 from PowerShell:

wsl --shutdown

(You might need to install Nvidia-toolkid and Nvidia-sdi aswell, I already had them, so don't know if the image helps with that)

# Task Scheduler, auto-mount the models VHD at login

After creating the VHD (see Models VHD section), add a Task Scheduler entry so it mounts

automatically when you log into the ComfyUI Windows account.

* Open Task Scheduler -> Create Task
* General tab: name it `Mount ComfyUI Models VHD`, check "Run with highest privileges"
* Triggers tab: New -> At log on -> for your comfyui account
* Actions tab: New -> Start a program
* Program: `powershell.exe`
* Arguments: `-WindowStyle Hidden -Command "wsl --mount --vhd 'E:\comfyui-models.vhdx' --mountpoint /mnt/models --type ext4"`
* Conditions tab: uncheck "Start only if on AC power"

# Fix Docker credential error in WSL2

This error appears the first time you try to pull an image and blocks everything. Fix it once:

mkdir -p ~/.docker
echo '{}' > ~/.docker/config.json

# Prework checklist

* \[ \] Three Windows accounts created (admin / daily / comfyui)
* \[ \] Virtualization enabled in BIOS
* \[ \] WSL2 + Virtual Machine Platform features enabled
* \[ \] Ubuntu 24.04 installed and running as WSL2
* \[ \] NVIDIA Windows driver installed, `nvidia-smi` works inside WSL2
* \[ \] Docker Desktop installed with WSL2 backend, data moved off C:
* \[ \] GPU passthrough verified with `docker run --gpus all nvidia/cuda...`
* \[ \] `.wslconfig` memory limits set
* \[ \] `/etc/wsl.conf` C: read-only set
* \[ \] Task Scheduler entry for VHD auto-mount created
* \[ \] Docker credential fix applied

# Folder structure

~/comfyui-run/ # ComfyUI source, venv, stamps- bind-mounted as /comfy/mnt
~/comfyui-basedir/ # BASE_DIRECTORY. ComfyUI writes outputs/nodes here
custom_nodes/ # Your installed custom nodes
output/ # Generated images
user/ # ComfyUI user config, Manager config
/mnt/models/ # ext4 VHD. all model checkpoints (see VHD section)

# 2. Models VHD (ext4, E: used as example)

To avoid slow reading speeds between WSL2 and NTFS drives, models live on a native ext4 virtual drive.

# Create once

# PowerShell (admin)
New-VHD -Path "E:\comfyui-models.vhdx" -SizeBytes 300GB -Dynamic #Adjust size to whatever you want
Mount-VHD -Path "E:\comfyui-models.vhdx" -NoDriveLetter
Get-Disk | Select Number, FriendlyName, Size # note the disk number
Initialize-Disk -Number [disk number] -PartitionStyle GPT
New-Partition -DiskNumber [disk number] -UseMaximumSize | Format-Volume -FileSystem exFAT

# WSL2
lsblk # find your disk, e.g. /dev/sdX
sudo mkfs.ext4 /dev/sdX
sudo mkdir -p /mnt/models
sudo mount /dev/sdX /mnt/models
sudo chown $(id -u):$(id -g) /mnt/models
sudo blkid /dev/sdX # copy UUID for auto-mount
mkdir -p /mnt/models/{checkpoints,loras,vae,clip,unet,controlnet,upscale_models,embeddings}

# Auto-mount on login (Windows 11 / WSL 0.63+)

This will automate the mounting of the virtual drive every time you launch the ComfyUI Windows user.

# PowerShell (admin), add to Task Scheduler at logon, run with highest privileges
wsl --mount --vhd "E:\comfyui-models.vhdx" --mountpoint /mnt/models --type ext4

# Migrate existing models (modify paths as required)

# WSL2, do this once from the source NTFS path
rsync -ah --progress "/mnt/e/your-old-models-path/" /mnt/models/

# Daily management

|Task|Command|
|:-|:-|
|Add a model|`cp /mnt/e/Downloads/new.safetensors /mnt/models/checkpoints/`|
|Add via Windows|Drag into `wsl.localhostUbuntumntmodelscheckpoints` in Explorer|
|Resize VHD|Stop container -> `Dismount-VHD` \-> `Resize-VHD -SizeBytes 500GB` \-> remount -> `sudo resize2fs /dev/sdX`|
|Backup|Copy `E:comfyui-models.vhdx` to another drive while VHD is unmounted|

# SageAttention install script

I ran into a problem with sageattention installation from the image repo for whatever reason, ended up just going around it. Runs once during bootstrap, then skipped forever via stamp file.

nano \~/comfyui-run/user\_script.bash

#!/bin/bash
set -euo pipefail
VENV_PIP="${VENV:-/comfy/mnt/venv}/bin/pip"
VENV_PY="${VENV:-/comfy/mnt/venv}/bin/python"
STAMPS="/comfy/mnt/.install_stamps"

mkdir -p "$STAMPS"

if [ ! -f "$STAMPS/sageattention" ]; then
echo "[user_script] Installing SageAttention..."
if $VENV_PIP install sageattention --quiet 2>/dev/null; then
echo "[user_script] Installed from wheel."
else
BUILD=$(mktemp -d)
git clone --depth=1 https://github.com/thu-ml/SageAttention "$BUILD/sa"
TORCH_CUDA_ARCH_LIST="8.6" $VENV_PIP install "$BUILD/sa" --no-build-isolation --quiet
rm -rf "$BUILD"
fi
$VENV_PY -c "import sageattention; print('[user_script] SageAttention OK')" \
&& touch "$STAMPS/sageattention" \
|| echo "[user_script] WARNING: import failed"
else
echo "[user_script] SageAttention already installed, skipping."
fi

$VENV_PY - <<'PY'
try:
import sageattention
v = getattr(sageattention, '__version__', 'installed')
print(f" SageAttention: {v}")
except Exception as e:
print(f" SageAttention: not available ({e})")
PY

Save as `~/comfyui-run/user_script.bash` with Ctrl+O> Enter > Ctrl+X ; and `chmod +x` it.

# ComfyUI-Manager offline config

Manager might have issues installing due to the environment. This stops Manager from trying to reach GitHub on every start (causes error spam + restart loops).

mkdir -p ~/comfyui-basedir/user/__manager
cat > ~/comfyui-basedir/user/__manager/config.ini << 'EOF'
[default]
channel_url = local
bypass_ssl = False
skip_migration_check = True
EOF

# 3. Installing ComfyUI

# Bootstrap (run once, internet enabled)

Clones ComfyUI, builds venv, installs PyTorch + CUDA stack, installs SageAttention. Run this the first time, or after a full wipe.

# First-time folder setup
mkdir -p ~/comfyui-run ~/comfyui-basedir/custom_nodes ~/comfyui-basedir/output

# Fix Docker credential error if needed
echo '{}' > ~/.docker/config.json

# Clone ComfyUI-Manager (not included in image)
git clone https://github.com/Comfy-Org/ComfyUI-Manager.git \
~/comfyui-basedir/custom_nodes/ComfyUI-Manager

# Bootstrap run
docker run -it --rm \
--name comfyui-bootstrap \
--gpus all \
--ipc=host \
-p 127.0.0.1:8188:8188 \
-e WANTED_UID=$(id -u) \
-e WANTED_GID=$(id -g) \
-e BASE_DIRECTORY=/basedir \
-e NETWORK_MODE=personal_cloud \
-e SECURITY_LEVEL=normal \
-e USE_UV=true \
-e COMFY_CMDLINE_EXTRA="--use-sage-attention" \
-v ~/comfyui-run:/comfy/mnt \
-v ~/comfyui-basedir:/basedir \
-v /mnt/models:/basedir/models \
mmartial/comfyui-nvidia-docker:ubuntu24_cuda12.8-latest

Wait for `To see the GUI go to:` [`http://0.0.0.0:8188`](http://0.0.0.0:8188), confirm UI loads and SageAttention shows OK in logs, then Ctrl+C.

Once you're in, install all your commonly used trusted workflows/nodes with Manager, and when done, change to the comfy\_secure mode described below.

# 4. Production aliases (edit ~/.bashrc)

Two modes for managing your updates. Only difference is `NETWORK_MODE`. Add these to the bottom of `~/.bashrc`, then `source ~/.bashrc`.

Use:

nano \~/.bashrc

# =====================================================================
# COMFYUI DOCKER PROFILES: RTX 3090 / CUDA 12.8 / UBUNTU 24
# =====================================================================

comfy_secure() {
# Daily use. Manager offline, no outbound calls, fast boot.
docker stop comfyui-3090 2>/dev/null && docker rm comfyui-3090 2>/dev/null
echo "Launching ComfyUI in HARDENED OFFLINE mode..."
docker run -d \
--name comfyui-3090 \
--gpus all \
--ipc=host \
--restart unless-stopped \
-p 127.0.0.1:8188:8188 \
-e WANTED_UID=$(id -u) \
-e WANTED_GID=$(id -g) \
-e BASE_DIRECTORY=/basedir \
-e NETWORK_MODE=offline \
-e TORCH_LOCK="torch==2.11.0+cu128 torchvision==0.26.0+cu128 torchaudio==2.11.0+cu128" \
-e SECURITY_LEVEL=normal \
-e DISABLE_UPGRADES=true \
-e USE_UV=false

\
-e COMFY_CMDLINE_EXTRA="--use-sage-attention" \
-v ~/comfyui-run:/comfy/mnt \
-v ~/comfyui-basedir:/basedir \
-v /mnt/models:/basedir/models \
mmartial/comfyui-nvidia-docker:ubuntu24_cuda12.8-latest
}

comfy_update() {
# Maintenance mode. Manager online, can install nodes and fetch node lists.
# DISABLE_UPGRADES still on- ComfyUI core and PyTorch stack stay frozen.
docker stop comfyui-3090 2>/dev/null && docker rm comfyui-3090 2>/dev/null
echo "Launching ComfyUI in MAINTENANCE mode..."
docker run -d \
--name comfyui-3090 \
--gpus all \
--ipc=host \
--restart unless-stopped \
-p 127.0.0.1:8188:8188 \
-e WANTED_UID=$(id -u) \
-e WANTED_GID=$(id -g) \
-e BASE_DIRECTORY=/basedir \
-e NETWORK_MODE=personal_cloud \
-e TORCH_LOCK="torch==2.11.0+cu128 torchvision==0.26.0+cu128 torchaudio==2.11.0+cu128" \
-e SECURITY_LEVEL=normal \
-e DISABLE_UPGRADES=true \
-e USE_UV=false \
-e COMFY_CMDLINE_EXTRA="--use-sage-attention" \
-v ~/comfyui-run:/comfy/mnt \
-v ~/comfyui-basedir:/basedir \
-v /mnt/models:/basedir/models \
mmartial/comfyui-nvidia-docker:ubuntu24_cuda12.8-latest
}

Then Ctrl+O to save> Enter > Ctrl+X to get back to the command prompt

# 5. Workflow: installing new custom nodes

# Path A: trusted nodes (ComfyUI-Manager)

Use for well-known nodes from reputable authors you've vetted.

comfy_update -> open 127.0.0.1:8188 -> Manager -> Install Custom Nodes
-> set channel to "Default" -> install what you need
-> comfy_secure

After switching back to `comfy_secure`, the nodes are already in `~/comfyui-basedir/custom_nodes/` and load normally with no internet needed.

# Path B: untrusted / unknown nodes (sandbox)

Use for nodes you found online but haven't reviewed yet. Never install unknown nodes directly into production.

**1. Set up a sandboxed no-GPU ComfyUI on Windows (one time)**

Install the portable ComfyUI Windows build from the official releases page. This runs entirely on CPU, uses no Docker, and has no access to your production venv or models. It's disposable.

**2. Install the suspect node there first**

Open its Manager, install the node, let it run. Review what it does:

* Check `custom_nodes/node-name/` \- read the Python files, look for `requests`, `urllib`, `subprocess`, `eval`, `exec`, outbound URLs
* Run a workflow that exercises it while watching Task Manager network tab for unexpected connections

**3. If it passes review, copy to production**

# Copy the node folder from Windows sandbox into production custom_nodes
cp -r "/mnt/c/Users/yourname/ComfyUI_portable/ComfyUI/custom_nodes/suspect-node" \
~/comfyui-basedir/custom_nodes/

# Switch to update mode so the container can install the node's pip dependencies
comfy_update
# open 127.0.0.1:8188 -> Manager -> Custom Nodes -> the new node -> Install dependencies
# once done:
comfy_secure

# 6. Useful commands

# Watch live logs (to avoid cluttering in the logs the verbose mode is disabled, so if you want
# to see whats happening, you will have to run this)
docker logs -f comfyui-3090

# Get a shell inside the running container
docker exec -it comfyui-3090 bash

# Verify SageAttention is active
docker logs comfyui-3090 | grep -i sage

# Check port is actually bound (should show 127.0.0.1:8188)
docker port comfyui-3090

# Confirm no internet from inside container (should fail in comfy_secure)
docker exec comfyui-3090 curl -s --max-time 3 https://google.com || echo "blocked"

# Stop without removing (quick pause)
docker stop comfyui-3090

# Full restart
docker restart comfyui-3090

# Wipe comfy in case something broke to reinstall
rm -rf ~/comfyui-run/*

# 7. Known non-fatal log noise

There might be some error messages in the

logs:

|Message|Cause|Action|
|:-|:-|:-|
|`Failed to perform initial fetching 'custom-node-list.json'`|Manager trying GitHub in offline mode|Normal in `comfy_secure`. Ignored.|
|`WARNING: You need pytorch with cu130 or higher`|comfy-kitchen backend wants newer CUDA|Informational only. sm\_86 works fine.|
|`Cannot connect to comfyregistry`|Manager trying Comfy registry|Normal in offline mode. Ignored.|
|`SageAttention: installed` (no version number)|Some builds don't expose `__version__`|SA is working. Stamp file confirms install.|

NOTE: If something broke during the install or config, and during a second+ bootstrap SageAttention refuses to install, change `COMFY_CMDLINE_EXTRA=` for `COMFY_ARGS=` in the bootstrap/comfy\_update script, it will not try to install SageAttention since its already present in your system.

NOTE2: This will not save you from user mistakes. So be very careful with new nodes from randoms you've seen here; be careful with .pth/pt and unsafe model files; if you gonna add something, paste the repo link to an ai and ask it to do a security audit for suspicious scripts, crontabs, unexpected processes, or connections (you can ask it to create a prompt for that as well so it doesnt miss anything).

You can also audit the images with the following commands in turn order, and then feed that aswell to the AI:

1. Pull the image:sudo docker pull user/comfyui-image
2. Check the image history- shows every layer and command used to build it:sudo docker image history user/comfyui-image
3. Inspect the full image metadata:sudo docker inspect user/comfyui-image
4. Run a shell inside it and look around:sudo docker run --rm -it user/comfyui-image /bin/bash

Once inside the shell you can run:

# Check ComfyUI location
find / -name "main.py" -path "*/ComfyUI/*"
2
>/dev/null

# Check what's installed
pip list

# Check SageAttention version
pip show sageattention

# Check PyTorch version
python3 -c "import torch; print(torch.__version__)"

# Check for anything suspicious in startup scripts
ls /entrypoint* /start* /init*
2
>/dev/null

# Check crontabs
crontab -l
2
>/dev/null

# Check running processes on startup
cat /etc/profile.d/*
2
>/dev/null

Paste the results back and I'll help you audit what's actually in there.

NOTE3: If you have a disc C/system reserved for OS only and with not much space available, I'd suggest you migrate the WSL2 to another disk as it might end up leaving you without free space!

NOTE4: you can improve a bit more comfy\_secure by making the models folder read-only:

`-v /mnt/models:/basedir/models:ro # read-only models in secure mode`

(Or even cutting the connection off completely with --network=none or --internal, but you will have to deal with Manager's death loops)

Hope this helps someone :). It's not the perfect air-gapped setup (someone really willing to hack you, will find ways to break out of confinement and docker), but IMO its the best you can get on windows, to be able to use it combined with Win software (basically switch between accounts, and drag/drop outputs/inputs; without having to use a separate truly air-gapped machine.

Edit:

I was told that there's another way to avoid the Manager "death loops" by using a combined approach with iptables in the comfy\_secure mode, will try it later:

comfy_secure() {
docker stop comfyui-3090 2>/dev/null && docker rm comfyui-3090 2>/dev/null

# Flush any previous DOCKER-USER block rules
sudo iptables -F DOCKER-USER

echo "Launching ComfyUI in HARDENED OFFLINE mode..."
docker run -d \
--name comfyui-3090 \
--gpus all \
--ipc=host \
--restart unless-stopped \
-p 127.0.0.1:8188:8188 \
-e WANTED_UID=$(id -u) \
-e WANTED_GID=$(id -g) \
-e BASE_DIRECTORY=/basedir \
-e NETWORK_MODE=offline \
-e TORCH_LOCK="torch==2.11.0+cu128 torchvision==0.26.0+cu128 torchaudio==2.11.0+cu128" \
-e SECURITY_LEVEL=normal

\
-e DISABLE_UPGRADES=true \
-e USE_UV=false \
-e COMFY_CMDLINE_EXTRA="--use-sage-attention" \
-v ~/comfyui-run:/comfy/mnt \
-v ~/comfyui-basedir:/basedir \
-v /mnt/models:/basedir/models:ro \
mmartial/comfyui-nvidia-docker:ubuntu24_cuda12.8-latest

# Wait for container to get its bridge IP
sleep 3
CONTAINER_IP=$(docker inspect -f \
'{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' comfyui-3090)

# Block all outbound from container while allowing established (return traffic)
sudo iptables -I DOCKER-USER 1 \
-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -I DOCKER-USER 2 \
-s "$CONTAINER_IP" -j DROP

echo "Network locked. Container IP $CONTAINER_IP cannot reach internet."
echo "Verify: docker exec comfyui-3090 curl -s --max-time 3 https://google.com || echo BLOCKED"
}

https://redd.it/1tq46q0
@rStableDiffusion

Upgraded from 12GB VRAM to RTX 5090 + 64GB RAM — what are the highest quality AI image/video models I can realistically run now?

I just upgraded from a pretty limited setup (12GB VRAM where I mostly had to use heavily quantized models, low VRAM workflows, FP8/Q8 stuff, etc.) to an RTX 5090 + 64GB RAM setup and I’m trying to understand what level of AI models/workflows I can actually run now.

Before this I was constantly optimizing around VRAM limits, using smaller checkpoints, aggressive quantization, tiled VAE, low batch sizes, etc. So I honestly don’t know what the “top tier” local experience looks like yet.

Mainly interested in:
Highest quality image generation models
Best realism/detail models
Video generation models
What models actually benefit from full FP16/BF16 now
Whether larger transformers are worth it vs quantized versions
Best workflows in ComfyUI/Wan/LTX/Qwen/Flux/etc
Models that were basically impossible on 12GB VRAM but become practical on a 5090

What are people with 5090/4090-class cards actually using right now for the best quality possible locally?

Which models should always be run FP16/BF16 instead of quantized?
What resolutions/frame counts become realistic now?
Are there any “hidden gem” workflows/models that really scale with high VRAM?
Would love recommendations for both:
Best image generation stack
Best video generation stack

Thanks 🙏

https://redd.it/1tq9ld4
@rStableDiffusion

NoobAI models reccomendations...

It's my first time trying to use NoobAI since i have been using illustrious for years now
but im not sure which one to start with
i found this one and I wonder if its good?
https://civitai.com/models/2167995

also im assuming the V-pred models are better, yes?

https://redd.it/1tqdt8g
@rStableDiffusion