Skip to content

Commit

Permalink
Update base, add auth
Browse files Browse the repository at this point in the history
  • Loading branch information
robballantyne committed Oct 12, 2023
1 parent bd6901f commit 8c62f9c
Show file tree
Hide file tree
Showing 3 changed files with 58 additions and 23 deletions.
26 changes: 23 additions & 3 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -162,14 +162,30 @@ You can use the included `cloudflared` service to make secure connections withou
| `SKIP_ACL` | Set `true` to skip modifying workspace ACL |
| `SSH_PORT` | Set a non-standard port for SSH (default `22`) |
| `SSH_PUBKEY` | Your public key for SSH |
| `WEB_ENABLE_AUTH` | Enable password protection for web services (default `true`) |
| `WEB_USER` | Username for web services (default `user`) |
| `WEB_PASSWORD` | Password for web services (default `password`) |
| `WORKSPACE` | A volume path. Defaults to `/workspace/` |
| `WORKSPACE_SYNC` | Move mamba environments and services to workspace if mounted (default `true`) |

Environment variables can be specified by using any of the standard methods (`docker-compose.yaml`, `docker run -e...`). Additionally, environment variables can also be passed as parameters of `init.sh`.

Passing environment variables to init.sh is usually unnecessary, but is useful for some cloud environments where the full `docker run` command cannot be specified.

Example usage: `docker run -e STANDARD_VAR1="this value" -e STANDARD_VAR2="that value" init.sh EXTRA_VAR="other value"`

## Security

By default, all exposed web services other than the port redirect page are protected by HTTP basic authentication.

The default username is `user` and the password is `password`.

You can set your credentials by passing environment variables as shown above.

The password is stored as a bcrypt hash. If you prefer not to pass a plain text password to the container you can pre-hash and use the variable `WEB_PASSWORD_HASH`.

If you are running the image locally on a trusted network, you may disable authentication by setting the environment variable `WEB_ENABLE_AUTH=false`.

## Provisioning script

It can be useful to perform certain actions when starting a container, such as creating directories and downloading files.
Expand All @@ -181,7 +197,7 @@ The URL must point to a plain text file - GitHub Gists/Pastebin (raw) are suitab
If you are running locally you may instead opt to mount a script at `/opt/ai-dock/bin/provisioning.sh`.

>[!NOTE]
>If configured, `sshd`, `cloudflared`, `rclone`, `jupyter` & `logtail` will be launched before provisioning; `comfyui` will launch after.
>If configured, `sshd`, `caddy`, `cloudflared`, `rclone`, `port redirector` & `logtail` will be launched before provisioning; Any other processes will launch after.

>[!WARNING]
Expand All @@ -200,8 +216,6 @@ Micromamba environments are particularly useful where several software packages
| Environment | Packages |
| -------------- | ----------------------------------------- |
| `base` | micromamba's base environment |
| `system` | `supervisord`, `openssh` `rclone` |
| `fastapi` | `logtail web UI`, `port redirector web UI` |
| `comfyui` | ComfyUI and dependencies |
| `python_[ver]` | `python` |

Expand Down Expand Up @@ -275,6 +289,12 @@ Jupyter's official documentation is available at https://jupyter.org/
>[!NOTE]
>_If you have enabled `CF_QUICK_TUNNELS` a secure `https://[random-auto-generated-sub-domain].trycloudflare.com` link will be created. You can find it at `/var/log/supervisor/quicktunnel-jupyter.log`_
### Caddy

This is a simple webserver acting as a reverse proxy.

Caddy is used to enable basic authentication for all sensitive web services.

### Port Redirector

This is a simple list of links to the web services available inside the container.
Expand Down
50 changes: 31 additions & 19 deletions build/COPY_ROOT/opt/ai-dock/bin/supervisor-comfyui.sh
Original file line number Diff line number Diff line change
Expand Up @@ -2,55 +2,67 @@

trap cleanup EXIT

LISTEN_PORT=1818
METRICS_PORT=1918
PROXY_SECURE=true

function cleanup() {
kill $(jobs -p) > /dev/null 2>&1
rm /run/http_ports/$PORT > /dev/null 2>&1
rm /run/http_ports/$PROXY_PORT > /dev/null 2>&1
}

SERVICE="ComfyUI"

if [[ -z $COMFYUI_PORT ]]; then
COMFYUI_PORT=8188
fi

PORT=$COMFYUI_PORT
METRICS_PORT=1188
PROXY_PORT=$COMFYUI_PORT
SERVICE_NAME="ComfyUI"

printf "{\"port\": \"$PORT\", \"metrics_port\": \"$METRICS_PORT\", \"service_name\": \"$SERVICE_NAME\"}" > /run/http_ports/$PORT
file_content=$(
jq --null-input \
--arg listen_port "${LISTEN_PORT}" \
--arg metrics_port "${METRICS_PORT}" \
--arg proxy_port "${PROXY_PORT}" \
--arg proxy_secure "${PROXY_SECURE,,}" \
--arg service_name "${SERVICE_NAME}" \
'$ARGS.named'
)

printf "%s" $file_content > /run/http_ports/$PROXY_PORT

PLATFORM_FLAGS=""
if [[ $XPU_TARGET = "CPU" ]]; then
PLATFORM_FLAGS="--cpu"
fi
BASE_FLAGS="--listen 0.0.0.0 --port ${COMFYUI_PORT} --disable-auto-launch"

if [[ -f /run/provisioning_script ]]; then
micromamba run -n fastapi python /opt/ai-dock/fastapi/logviewer/main.py \
-p $COMFYUI_PORT \
BASE_FLAGS="--listen 127.0.0.1 --port ${LISTEN_PORT} --disable-auto-launch"

# Delay launch until micromamba is ready
if [[ -f /run/workspace_moving || -f /run/provisioning_script ]]; then
/usr/bin/python3 /opt/ai-dock/fastapi/logviewer/main.py \
-p $LISTEN_PORT \
-r 5 \
-s ${SERVICE} \
-u comfyui \
-t "Preparing ${SERVICE}" &
-s "${SERVICE_NAME}" \
-t "Preparing ${SERVICE_NAME}" &
fastapi_pid=$!

while [[ -f /run/provisioning_script ]]; do
while [[ -f /run/workspace_moving || -f /run/provisioning_script ]]; do
sleep 1
done

printf "\nStarting %s... " ${SERVICE:-service}
kill $fastapi_pid && \
printf "\nStarting %s... " ${SERVICE_NAME:-service}
kill $fastapi_pid &
wait -n
printf "OK\n"
else
printf "Starting %s...\n" ${SERVICE}
printf "Starting %s...\n" ${SERVICE_NAME}
fi

kill -9 $(lsof -t -i:$COMFYUI_PORT) > /dev/null 2>&1 &
kill -9 $(lsof -t -i:$LISTEN_PORT) > /dev/null 2>&1 &
wait -n

cd /opt/ComfyUI
micromamba run -n comfyui python main.py \
${PLATFORM_FLAGS} \
${BASE_FLAGS} \
${COMFYUI_FLAGS}

5 changes: 4 additions & 1 deletion docker-compose.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -64,11 +64,14 @@ services:
- COMFYUI_BRANCH=${COMFYUI_BRANCH:-master}
- COMFYUI_FLAGS=${COMFYUI_FLAGS:-}
- COMFYUI_PORT=${COMFYUI_PORT:-8188}
- JUPYTER_TOKEN=${JUPYTER_TOKEN:-password}
- JUPYTER_MODE=${JUPYTER_MODE:-lab}
# Allows running true SSH alongside provider proxy SSH
- SSH_PORT=${SSH_PORT:-22}
- WORKSPACE=${WORKSPACE:-/workspace}
- WORKSPACE_SYNC=${WORKSPACE_SYNC}
- CF_TUNNEL_TOKEN=${CF_TUNNEL_TOKEN:-}
- CF_QUICK_TUNNELS=${CF_QUICK_TUNNELS:-true}
- WEB_ENABLE_AUTH=${WEB_ENABLE_AUTH}
- WEB_USER=${WEB_USER}
- WEB_PASSWORD=${WEB_PASSWORD}
#- PROVISIONING_SCRIPT=${PROVISIONING_SCRIPT:-}

0 comments on commit 8c62f9c

Please sign in to comment.