Crabbox docs

Daytona Provider

Daytona Provider

Read this when you are:

  • choosing provider: daytona;
  • configuring Daytona API auth, snapshots, or SSH access;
  • changing internal/providers/daytona.

Daytona is an SSH-lease provider with a delegated execution path. run and warmup create the sandbox from a Daytona snapshot and drive sync and command execution through the Daytona SDK/toolbox APIs (archive upload, extraction, and process execution) — they do not run over SSH. crabbox ssh mints a short-lived Daytona SSH access token, then connects through the normal Crabbox SSH client.

#When to use

Use Daytona when the box image should come from a Daytona snapshot and command execution should stay inside Daytona's toolbox APIs. Reach for AWS, Hetzner, or the static ssh provider instead when you need a normal long-lived SSH lease for Actions hydration, desktop/VNC, or code workflows.

#Commands

crabbox warmup --provider daytona --daytona-snapshot crabbox-ready
crabbox run --provider daytona --daytona-snapshot crabbox-ready -- pnpm test
crabbox run --provider daytona --id swift-crab -- pnpm test:changed
crabbox ssh --provider daytona --id swift-crab
crabbox stop --provider daytona swift-crab

#Live Smoke

The shared live-smoke harness can validate Daytona without a coordinator:

CRABBOX_LIVE=1 CRABBOX_LIVE_PROVIDERS=daytona CRABBOX_LIVE_REPO=/path/to/my-app scripts/live-smoke.sh

The smoke requires a snapshot through CRABBOX_DAYTONA_SNAPSHOT, DAYTONA_SNAPSHOT, or daytona.snapshot. It exits before any Daytona run, list, warmup, or stop command when the snapshot is missing, so credentialless machines can verify the guard without mutating provider state. With a snapshot configured, the harness runs one delegated Daytona command and then lists normalized Daytona inventory.

#Auth

Crabbox reads the active Daytona CLI profile when no Daytona auth values are set in the environment or config:

daytona login --api-key ...

You can also supply explicit API-key auth:

export DAYTONA_API_KEY=...

or JWT auth:

export DAYTONA_JWT_TOKEN=...
export DAYTONA_ORGANIZATION_ID=...

DAYTONA_ORGANIZATION_ID is required with JWT auth. Explicit environment values (or Crabbox config values) override the Daytona CLI profile.

Each auth variable also has a CRABBOX_-prefixed form that takes precedence over the unprefixed one: CRABBOX_DAYTONA_API_KEY, CRABBOX_DAYTONA_JWT_TOKEN, CRABBOX_DAYTONA_ORGANIZATION_ID, and CRABBOX_DAYTONA_API_URL.

#Config

provider: daytona
target: linux
daytona:
  apiUrl: https://app.daytona.io/api
  snapshot: crabbox-ready
  target: ""
  user: daytona
  workRoot: /home/daytona/crabbox
  sshGatewayHost: ssh.app.daytona.io
  sshAccessMinutes: 30

The values above are the built-in defaults except for snapshot and target, which are empty by default.

Provider flags:

--daytona-api-url
--daytona-snapshot
--daytona-target
--daytona-user
--daytona-work-root
--daytona-ssh-gateway-host
--daytona-ssh-access-minutes

The non-auth settings can also be set through environment variables: CRABBOX_DAYTONA_SNAPSHOT, CRABBOX_DAYTONA_TARGET, CRABBOX_DAYTONA_USER, CRABBOX_DAYTONA_WORK_ROOT, CRABBOX_DAYTONA_SSH_GATEWAY_HOST, and CRABBOX_DAYTONA_SSH_ACCESS_MINUTES.

#Lifecycle

  1. Create or resolve a Daytona sandbox from daytona.snapshot.
  2. Store Crabbox labels and a local repo claim for the lease.
  3. For run, build the Crabbox sync manifest, stream a gzipped tar archive to
  4. the Daytona toolbox upload endpoint, extract it in the sandbox, and execute the command through the Daytona process APIs.

  5. For ssh, request short-lived SSH access (TTL daytona.sshAccessMinutes),
  6. parse Daytona's sshCommand, and redact the token in normal output.

  7. Delete the sandbox on release unless the lease is kept.

#Capabilities

  • Provider kind: SSH-lease (Linux only).
  • SSH: yes, via a short-lived Daytona SSH access token.
  • Crabbox sync: yes, archive sync through the Daytona toolbox.
  • Desktop / browser / code: no — Daytona has no Crabbox VNC or code surface.
  • Actions hydration: no.
  • Coordinator (broker): no — Daytona always runs direct from the CLI.

#Gotchas

  • daytona.snapshot (or --daytona-snapshot) is required to create a sandbox.
  • The snapshot owns CPU, memory, disk, and installed tooling.

  • --class and --type are rejected; size the sandbox through the snapshot.
  • --id <sandbox-id-or-slug> is required to address an existing sandbox.
  • Daytona run is delegated to the toolbox APIs; it is not core-over-SSH
  • execution. Because of that, the following run options are rejected: --sync-only, --checksum, --force-sync-large, --full-resync, --fresh-pr, --script / --script-stdin, --env-helper, --capture-stdout / --capture-stderr, --capture-on-fail, --download, --artifact-glob, --require-artifact, --emit-proof, and --stop-after.

  • --actions-runner is rejected because it needs a normal SSH lease host.
  • --keep-on-failure keeps a newly created failed sandbox until Daytona
  • auto-stop or an explicit crabbox stop.