automatically when you log into the ComfyUI Windows account.
* Open Task Scheduler -> Create Task
* General tab: name it `Mount ComfyUI Models VHD`, check "Run with highest privileges"
* Triggers tab: New -> At log on -> for your comfyui account
* Actions tab: New -> Start a program
* Program: `powershell.exe`
* Arguments: `-WindowStyle Hidden -Command "wsl --mount --vhd 'E:\comfyui-models.vhdx' --mountpoint /mnt/models --type ext4"`
* Conditions tab: uncheck "Start only if on AC power"
# Fix Docker credential error in WSL2
This error appears the first time you try to pull an image and blocks everything. Fix it once:
```bash
mkdir -p ~/.docker
echo '{}' > ~/.docker/config.json
```
# Prework checklist
* [ ] Three Windows accounts created (admin / daily / comfyui)
* [ ] Virtualization enabled in BIOS
* [ ] WSL2 + Virtual Machine Platform features enabled
* [ ] Ubuntu 24.04 installed and running as WSL2
* [ ] NVIDIA Windows driver installed, `nvidia-smi` works inside WSL2
* [ ] Docker Desktop installed with WSL2 backend, data moved off C:
* [ ] GPU passthrough verified with `docker run --gpus all nvidia/cuda...`
* [ ] `.wslconfig` memory limits set
* [ ] `/etc/wsl.conf` C: read-only set
* [ ] Task Scheduler entry for VHD auto-mount created
* [ ] Docker credential fix applied
# Folder structure
```
~/comfyui-run/        # ComfyUI source, venv, stamps - bind-mounted as /comfy/mnt
~/comfyui-basedir/    # BASE_DIRECTORY. ComfyUI writes outputs/nodes here
    custom_nodes/     # Your installed custom nodes
    output/           # Generated images
    user/             # ComfyUI user config, Manager config
/mnt/models/          # ext4 VHD. all model checkpoints (see VHD section)
```
# 2. Models VHD (ext4, E: used as example)
To avoid slow reading speeds between WSL2 and NTFS drives, models live on a native ext4 virtual drive.
# Create once
```powershell
# PowerShell (admin)
New-VHD -Path "E:\comfyui-models.vhdx" -SizeBytes 300GB -Dynamic  # Adjust size to whatever you want
Mount-VHD -Path "E:\comfyui-models.vhdx" -NoDriveLetter
Get-Disk | Select Number, FriendlyName, Size  # note the disk number
Initialize-Disk -Number [disk number] -PartitionStyle GPT
New-Partition -DiskNumber [disk number] -UseMaximumSize | Format-Volume -FileSystem exFAT
```

```bash
# WSL2
lsblk                                  # find your disk, e.g. /dev/sdX
sudo mkfs.ext4 /dev/sdX
sudo mkdir -p /mnt/models
sudo mount /dev/sdX /mnt/models
sudo chown $(id -u):$(id -g) /mnt/models
sudo blkid /dev/sdX                    # copy UUID for auto-mount
mkdir -p /mnt/models/{checkpoints,loras,vae,clip,unet,controlnet,upscale_models,embeddings}
```
# Auto-mount on login (Windows 11 / WSL 0.63+)
This will automate the mounting of the virtual drive every time you launch the ComfyUI Windows user.
```powershell
# PowerShell (admin), add to Task Scheduler at logon, run with highest privileges
wsl --mount --vhd "E:\comfyui-models.vhdx" --mountpoint /mnt/models --type ext4
```
# Migrate existing models (modify paths as required)
```bash
# WSL2, do this once from the source NTFS path
rsync -ah --progress "/mnt/e/your-old-models-path/" /mnt/models/
```
# Daily management
|Task|Command|
|:-|:-|
|Add a model|`cp /mnt/e/Downloads/new.safetensors /mnt/models/checkpoints/`|
|Add via Windows|Drag into `\\wsl.localhost\Ubuntu\mnt\models\checkpoints` in Explorer|
|Resize VHD|Stop container -> `Dismount-VHD` -> `Resize-VHD -SizeBytes 500GB` -> remount -> `sudo resize2fs /dev/sdX`|
|Backup|Copy `E:\comfyui-models.vhdx` to another drive while VHD is unmounted|
# SageAttention install script
I ran into a problem with sageattention installation from the image repo for whatever reason, ended up just going around it. Runs once during bootstrap, then skipped forever via stamp file.
```bash
nano ~/comfyui-run/user_script.bash
```

```bash
#!/bin/bash
set -euo pipefail
VENV_PIP="${VENV:-/comfy/mnt/venv}/bin/pip"
VENV_PY="${VENV:-/comfy/mnt/venv}/bin/python"
STAMPS="/comfy/mnt/.install_stamps"
mkdir -p "$STAMPS"
if [ ! -f "$STAMPS/sageattention" ]; then
    echo "[user_script] Installing SageAttention..."
    if $VENV_PIP install sageattention --quiet 2>/dev/null; then
        echo "[user_script] Installed from wheel."
    else
        BUILD=$(mktemp -d)
        git clone --depth=1 https://github.com/thu-ml/SageAttention "$BUILD/sa"
        TORCH_CUDA_ARCH_LIST="8.6" $VENV_PIP install "$BUILD/sa" --no-build-isolation --quiet
        rm -rf "$BUILD"
    fi
    $VENV_PY -c "import sageattention; print('[user_script] SageAttention OK')" \
        && touch "$STAMPS/sageattention" \
        || echo "[user_script] WARNING: import failed"
else
    echo "[user_script] SageAttention already installed, skipping."
fi
$VENV_PY - <<'PY'
try:
    import sageattention
    v = getattr(sageattention, '__version__', 'installed')
    print(f" SageAttention: {v}")
except Exception as e:
    print(f" SageAttention: not available ({e})")
PY
```
Save as `~/comfyui-run/user_script.bash` with Ctrl+O > Enter > Ctrl+X, and `chmod +x` it.
# ComfyUI-Manager offline config
Manager might have issues installing due to the environment. This stops Manager from trying to reach GitHub on every start (causes error spam + restart loops).
```bash
mkdir -p ~/comfyui-basedir/user/__manager
cat > ~/comfyui-basedir/user/__manager/config.ini << 'EOF'
[default]
channel_url = local
bypass_ssl = False
skip_migration_check = True
EOF
```
# 3. Installing ComfyUI
# Bootstrap (run once, internet enabled)
Clones ComfyUI, builds venv, installs PyTorch + CUDA stack, installs SageAttention. Run this the first time, or after a full wipe.
```bash
# First-time folder setup
mkdir -p ~/comfyui-run ~/comfyui-basedir/custom_nodes ~/comfyui-basedir/output

# Fix Docker credential error if needed
echo '{}' > ~/.docker/config.json

# Clone ComfyUI-Manager (not included in image)
git clone https://github.com/Comfy-Org/ComfyUI-Manager.git \
    ~/comfyui-basedir/custom_nodes/ComfyUI-Manager

# Bootstrap run
docker run -it --rm \
    --name comfyui-bootstrap \
    --gpus all \
    --ipc=host \
    -p 127.0.0.1:8188:8188 \
    -e WANTED_UID=$(id -u) \
    -e WANTED_GID=$(id -g) \
    -e BASE_DIRECTORY=/basedir \
    -e NETWORK_MODE=personal_cloud \
    -e SECURITY_LEVEL=normal \
    -e USE_UV=true \
    -e COMFY_CMDLINE_EXTRA="--use-sage-attention" \
    -v ~/comfyui-run:/comfy/mnt \
    -v ~/comfyui-basedir:/basedir \
    -v /mnt/models:/basedir/models \
    mmartial/comfyui-nvidia-docker:ubuntu24_cuda12.8-latest
```
Wait for `To see the GUI go to:` [`http://0.0.0.0:8188`](http://0.0.0.0:8188), confirm UI loads and SageAttention shows OK in logs, then Ctrl+C.
Once you're in, install all your commonly used trusted workflows/nodes with Manager, and when done, change to the `comfy_secure` mode described below.
# 4. Production aliases (edit ~/.bashrc)
Two modes for managing your updates. Only difference is `NETWORK_MODE`. Add these to the bottom of `~/.bashrc`, then `source ~/.bashrc`.
Use:
```bash
nano ~/.bashrc
```

```bash
# =====================================================================
# COMFYUI DOCKER PROFILES: RTX 3090 / CUDA 12.8 / UBUNTU 24
# =====================================================================
comfy_secure() {
    # Daily use. Manager offline, no outbound calls, fast boot.
    docker stop comfyui-3090 2>/dev/null && docker rm comfyui-3090 2>/dev/null
    echo "Launching ComfyUI in HARDENED OFFLINE mode..."
    docker run -d \
        --name comfyui-3090 \
        --gpus all \
        --ipc=host \
        --restart unless-stopped \
        -p 127.0.0.1:8188:8188 \
        -e WANTED_UID=$(id -u) \
        -e WANTED_GID=$(id -g) \
        -e BASE_DIRECTORY=/basedir \
        -e NETWORK_MODE=offline \
        -e TORCH_LOCK="torch==2.11.0+cu128 torchvision==0.26.0+cu128 torchaudio==2.11.0+cu128" \
        -e SECURITY_LEVEL=normal \
        -e DISABLE_UPGRADES=true \
        -e USE_UV=false \
        -e COMFY_CMDLINE_EXTRA="--use-sage-attention" \
        -v ~/comfyui-run:/comfy/mnt \
        -v ~/comfyui-basedir:/basedir \
        -v /mnt/models:/basedir/models \
        mmartial/comfyui-nvidia-docker:ubuntu24_cuda12.8-latest
}

comfy_update() {
    # Maintenance mode. Manager online, can install nodes and fetch node lists.
    # DISABLE_UPGRADES still on - ComfyUI core and PyTorch stack stay frozen.
    docker stop comfyui-3090 2>/dev/null && docker rm comfyui-3090 2>/dev/null
    echo "Launching ComfyUI in MAINTENANCE mode..."
    docker run -d \
        --name comfyui-3090 \
        --gpus all \
        --ipc=host \
        --restart unless-stopped \
        -p 127.0.0.1:8188:8188 \
        -e WANTED_UID=$(id -u) \
        -e WANTED_GID=$(id -g) \
        -e BASE_DIRECTORY=/basedir \
        -e NETWORK_MODE=personal_cloud \
        -e TORCH_LOCK="torch==2.11.0+cu128 torchvision==0.26.0+cu128 torchaudio==2.11.0+cu128" \
        -e SECURITY_LEVEL=normal \
        -e DISABLE_UPGRADES=true \
        -e USE_UV=false \
        -e COMFY_CMDLINE_EXTRA="--use-sage-attention" \
        -v ~/comfyui-run:/comfy/mnt \
        -v ~/comfyui-basedir:/basedir \
        -v /mnt/models:/basedir/models \
        mmartial/comfyui-nvidia-docker:ubuntu24_cuda12.8-latest
}
```
Then Ctrl+O to save > Enter > Ctrl+X to get back to the command prompt.
# 5. Workflow: installing new custom nodes
# Path A: trusted nodes (ComfyUI-Manager)
Use for well-known nodes from reputable authors you've vetted.
comfy_update -> open 127.0.0.1:8188 -> Manager -> Install Custom Nodes
-> set channel to "Default" -> install what you need
-> comfy_secure
After switching back to `comfy_secure`, the nodes are already in `~/comfyui-basedir/custom_nodes/` and load normally with no internet needed.
# Path B: untrusted / unknown nodes (sandbox)
Use for nodes you found online but haven't reviewed yet. Never install unknown nodes directly into production.
**1. Set up a sandboxed no-GPU ComfyUI on Windows (one time)**
Install the portable ComfyUI Windows build from the official releases page. This runs entirely on CPU, uses no Docker, and has no access to your production venv or models. It's disposable.
**2. Install the suspect node there first**
Open its Manager, install the node, let it run. Review what it does:
* Check `custom_nodes/node-name/` - read the Python files, look for `requests`, `urllib`, `subprocess`, `eval`, `exec`, outbound URLs
* Run a workflow that exercises it while watching Task Manager network tab for unexpected connections
**3. If it passes review, copy to production**
```bash
# Copy the node folder from Windows sandbox into production custom_nodes
cp -r "/mnt/c/Users/yourname/ComfyUI_portable/ComfyUI/custom_nodes/suspect-node" \
    ~/comfyui-basedir/custom_nodes/

# Switch to update mode so the container can install the node's pip dependencies
comfy_update
# open 127.0.0.1:8188 -> Manager -> Custom Nodes -> the new node -> Install dependencies
# once done:
comfy_secure
```
# 6. Useful commands
```bash
# Watch live logs (to avoid cluttering the logs, verbose mode is disabled, so if you want
# to see what's happening, you will have to run this)
docker logs -f comfyui-3090

# Get a shell inside the running container
docker exec -it comfyui-3090 bash

# Verify SageAttention is active
docker logs comfyui-3090 | grep -i sage

# Check port is actually bound (should show 127.0.0.1:8188)
docker port comfyui-3090

# Confirm no internet from inside container (should fail in comfy_secure)
docker exec comfyui-3090 curl -s --max-time 3 https://google.com || echo "blocked"

# Stop without removing (quick pause)
docker stop comfyui-3090

# Full restart
docker restart comfyui-3090

# Wipe comfy in case something broke to reinstall
rm -rf ~/comfyui-run/*
```
# 7. Known non-fatal log noise
There might be some error messages in the logs:
|Message|Cause|Action|
|:-|:-|:-|
|`Failed to perform initial fetching 'custom-node-list.json'`|Manager trying GitHub in offline mode|Normal in `comfy_secure`. Ignored.|
|`WARNING: You need pytorch with cu130 or higher`|comfy-kitchen backend wants newer CUDA|Informational only. sm_86 works fine.|
|`Cannot connect to comfyregistry`|Manager trying Comfy registry|Normal in offline mode. Ignored.|
|`SageAttention: installed` (no version number)|Some builds don't expose `__version__`|SA is working. Stamp file confirms install.|
NOTE: If something broke during the install or config, and during a second+ bootstrap SageAttention refuses to install, change `COMFY_CMDLINE_EXTRA=` for `COMFY_ARGS=` in the bootstrap/`comfy_update` script; it will not try to install SageAttention since it's already present in your system.
NOTE2: This will not save you from user mistakes. So be very careful with new nodes from randoms you've seen here; be careful with .pth/pt and unsafe model files; if you're gonna add something, paste the repo link to an AI and ask it to do a security audit for suspicious scripts, crontabs, unexpected processes, or connections (you can ask it to create a prompt for that as well so it doesn't miss anything).
You can also audit the images with the following commands in order, and then feed that as well to the AI:
1. Pull the image: `sudo docker pull user/comfyui-image`
2. Check the image history - shows every layer and command used to build it: `sudo docker image history user/comfyui-image`
3. Inspect the full image metadata: `sudo docker inspect user/comfyui-image`
4. Run a shell inside it and look around: `sudo docker run --rm -it user/comfyui-image /bin/bash`
Once inside the shell you can run:
```bash
# Check ComfyUI location
find / -name "main.py" -path "*/ComfyUI/*" 2>/dev/null

# Check what's installed
pip list

# Check SageAttention version
pip show sageattention

# Check PyTorch version
python3 -c "import torch; print(torch.__version__)"

# Check for anything suspicious in startup scripts
ls /entrypoint* /start* /init* 2>/dev/null

# Check crontabs
crontab -l 2>/dev/null

# Check running processes on startup
cat /etc/profile.d/* 2>/dev/null
```
Paste the results back and I'll help you audit what's actually in there.
NOTE3: If you have a disc C/system reserved for OS only and with not much space available, I'd suggest you migrate the WSL2 to another disk as it might end up leaving you without free space!
NOTE4: you can improve `comfy_secure` a bit more by making the models folder read-only:
`-v /mnt/models:/basedir/models:ro # read-only models in secure mode`
(Or even cutting the connection off completely with `--network=none` or `--internal`, but you will have to deal with Manager's death loops)
Hope this helps someone :). It's not the perfect air-gapped setup (someone really willing to hack you will find ways to break out of confinement and docker), but IMO it's the best you can get on Windows, to be able to use it combined with Win software (basically switch between accounts, and drag/drop outputs/inputs) without having to use a separate truly air-gapped machine.
Edit:
I was told that there's another way to avoid the Manager "death loops" by using a combined approach with iptables in the `comfy_secure` mode, will try it later:
```bash
comfy_secure() {
    docker stop comfyui-3090 2>/dev/null && docker rm comfyui-3090 2>/dev/null
    # Flush any previous DOCKER-USER block rules
    sudo iptables -F DOCKER-USER
    echo "Launching ComfyUI in HARDENED OFFLINE mode..."
    docker run -d \
        --name comfyui-3090 \
        --gpus all \
        --ipc=host \
        --restart unless-stopped \
        -p 127.0.0.1:8188:8188 \
        -e WANTED_UID=$(id -u) \
        -e WANTED_GID=$(id -g) \
        -e BASE_DIRECTORY=/basedir \
        -e NETWORK_MODE=offline \
        -e TORCH_LOCK="torch==2.11.0+cu128 torchvision==0.26.0+cu128 torchaudio==2.11.0+cu128" \
        -e SECURITY_LEVEL=normal \
        -e DISABLE_UPGRADES=true \
        -e USE_UV=false \
        -e COMFY_CMDLINE_EXTRA="--use-sage-attention" \
        -v ~/comfyui-run:/comfy/mnt \
        -v ~/comfyui-basedir:/basedir \
        -v /mnt/models:/basedir/models:ro \
        mmartial/comfyui-nvidia-docker:ubuntu24_cuda12.8-latest
    # Wait for container to get its bridge IP
    sleep 3
    CONTAINER_IP=$(docker inspect -f \
        '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' comfyui-3090)
    # Block all outbound from container while allowing established (return traffic)
    sudo iptables -I DOCKER-USER 1 \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    sudo iptables -I DOCKER-USER 2 \
        -s "$CONTAINER_IP" -j DROP
    echo "Network locked. Container IP $CONTAINER_IP cannot reach internet."
    echo "Verify: docker exec comfyui-3090 curl -s --max-time 3 https://google.com || echo BLOCKED"
}
```
https://redd.it/1tq46q0
@rStableDiffusion
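An added example, not part of the original post: a static pre-filter for the Path B review step of the guide above, which walks a custom node folder with Python's `ast` module and reports the imports (`requests`, `urllib`, `subprocess`), bare `eval`/`exec` calls and URL strings the guide says to look for. The function names, the extra `dynamic-import` check and the sample node source are assumptions constructed for illustration.

```python
"""Static pre-review of a ComfyUI custom node folder (added example)."""
import ast
import re
import sys
from pathlib import Path

# Names taken from the guide's review list.
RISKY_IMPORTS = {"requests", "urllib", "subprocess"}
RISKY_CALLS = {"eval", "exec"}
URL_RE = re.compile(r"https?://[^\s'\"<>]+")

# Constructed sample input, not a real node.
SAMPLE_NODE = '''\
import torch
import subprocess
from urllib.request import urlopen

UPDATE_URL = "https://example.invalid/version.txt"

class ConstructedNode:
    def run(self, model, expr):
        model.eval()
        scale = eval(expr)
        helper = __import__("requ" + "ests")
        return (scale,)
'''


def scan_source(source, filename="<memory>"):
    """Return a sorted list of (line, kind, detail) findings for one file."""
    try:
        tree = ast.parse(source, filename=filename)
    except (SyntaxError, ValueError) as exc:
        # A file that does not parse cannot be cleared by this check.
        return [(getattr(exc, "lineno", None) or 0, "unparsable", str(exc))]

    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in RISKY_IMPORTS:
                    findings.append((node.lineno, "import", alias.name))
        elif isinstance(node, ast.ImportFrom):
            module = node.module or ""  # None for "from . import x"
            if module.split(".")[0] in RISKY_IMPORTS:
                findings.append((node.lineno, "import", module))
        elif isinstance(node, ast.Call):
            func = node.func
            # Only bare eval()/exec(): model.eval() is an ordinary PyTorch
            # method and would otherwise flood the report.
            if isinstance(func, ast.Name) and func.id in RISKY_CALLS:
                findings.append((node.lineno, "call", func.id))
            # Dynamic imports hide a module name from the import checks above.
            elif isinstance(func, ast.Name) and func.id == "__import__":
                findings.append((node.lineno, "dynamic-import", func.id))
            elif isinstance(func, ast.Attribute) and func.attr == "import_module":
                findings.append((node.lineno, "dynamic-import", func.attr))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for url in URL_RE.findall(node.value):
                findings.append((node.lineno, "url", url))
    return sorted(findings)


def scan_tree(root):
    """Scan every .py file under root; return {relative_path: findings}."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*.py")):
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = scan_source(text, filename=str(path))
        if hits:
            report[str(path.relative_to(root))] = hits
    return report


if __name__ == "__main__":
    # With a folder argument, scan it; otherwise scan the constructed sample.
    if len(sys.argv) > 1:
        for rel, hits in scan_tree(sys.argv[1]).items():
            for line, kind, detail in hits:
                print(f"{rel}:{line}: {kind}: {detail}")
    else:
        for line, kind, detail in scan_source(SAMPLE_NODE, "sample.py"):
            print(f"sample.py:{line}: {kind}: {detail}")
```

An empty report only means none of these names appear in plain form; it does not replace reading the files or the runtime network check from step 2.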
Upgraded from 12GB VRAM to RTX 5090 + 64GB RAM — what are the highest quality AI image/video models I can realistically run now?
I just upgraded from a pretty limited setup (12GB VRAM where I mostly had to use heavily quantized models, low VRAM workflows, FP8/Q8 stuff, etc.) to an RTX 5090 + 64GB RAM setup and I’m trying to understand what level of AI models/workflows I can actually run now.
Before this I was constantly optimizing around VRAM limits, using smaller checkpoints, aggressive quantization, tiled VAE, low batch sizes, etc. So I honestly don’t know what the “top tier” local experience looks like yet.
Mainly interested in:
Highest quality image generation models
Best realism/detail models
Video generation models
What models actually benefit from full FP16/BF16 now
Whether larger transformers are worth it vs quantized versions
Best workflows in ComfyUI/Wan/LTX/Qwen/Flux/etc
Models that were basically impossible on 12GB VRAM but become practical on a 5090
What are people with 5090/4090-class cards actually using right now for the best quality possible locally?
Which models should always be run FP16/BF16 instead of quantized?
What resolutions/frame counts become realistic now?
Are there any “hidden gem” workflows/models that really scale with high VRAM?
Would love recommendations for both:
Best image generation stack
Best video generation stack
Thanks 🙏
https://redd.it/1tq9ld4
@rStableDiffusion
NoobAI models recommendations...
It's my first time trying to use NoobAI since I have been using illustrious for years now
but I'm not sure which one to start with
I found this one and I wonder if it's good?
https://civitai.com/models/2167995
also I'm assuming the V-pred models are better, yes?
https://redd.it/1tqdt8g
@rStableDiffusion