Merge pull request #157 from yasinBursali/fix/comfyui-security-hardening

fix(comfyui): harden port binding and security options

Author: Lightheartdevs

dream-server/extensions/services/comfyui/compose.amd.yaml

@@ -9,10 +9,8 @@ services:
     group_add:
       - "${VIDEO_GID:-44}"
       - "${RENDER_GID:-992}"
-    cap_add:
-      - SYS_PTRACE
     security_opt:
-      - seccomp:unconfined
+      - no-new-privileges:true
     shm_size: 8g
     environment:
       - HSA_OVERRIDE_GFX_VERSION=11.5.1
@@ -21,7 +19,7 @@ services:
     volumes:
       - ./data/comfyui/ComfyUI:/opt/ComfyUI
     ports:
-      - "${COMFYUI_PORT:-8188}:8188"
+      - "127.0.0.1:${COMFYUI_PORT:-8188}:8188"
     command: >-
       /bin/sh -c "/opt/comfyui-gfx1151-utils/check-comfyui.sh &&
       python3 /opt/ComfyUI/main.py --listen 0.0.0.0 --use-flash-attention"

dream-server/extensions/services/comfyui/compose.nvidia.yaml

@@ -5,8 +5,10 @@ services:
       dockerfile: Dockerfile
     container_name: dream-comfyui
     restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
     ports:
-      - "${COMFYUI_PORT:-8188}:8188"
+      - "127.0.0.1:${COMFYUI_PORT:-8188}:8188"
     volumes:
       - ./data/comfyui/models:/models
       - ./data/comfyui/output:/output
@@ -15,6 +17,9 @@ services:
     shm_size: '8g'
     deploy:
       resources:
+        limits:
+          cpus: '16.0'
+          memory: 24G
         reservations:
           devices:
             - driver: nvidia