Open Source Deployment
This guide will walk you through running Daytona Open Source locally using Docker Compose.
The compose file can be found in the docker folder of the Daytona repository.
Overview
The Docker Compose configuration includes all the necessary services to run Daytona:
- API: Main Daytona application server
- Proxy: Request proxy service
- Runner: Service that hosts the Daytona Runner
- SSH Gateway: Service that handles sandbox SSH access
- Database: PostgreSQL database for data persistence
- Redis: In-memory data store for caching and sessions
- Dex: OIDC authentication provider
- Registry: Docker image registry with web UI
- MinIO: S3-compatible object storage
- MailDev: Email testing service
- Jaeger: Distributed tracing
- PgAdmin: Database administration interface
Quick Start
-
Clone the Daytona repository
-
Run the following command (from the root of the Daytona repo) to start all services:
Terminal window docker compose -f docker/docker-compose.yaml up -d -
Access the services:
- Daytona Dashboard: http://localhost:3000
- Access Credentials: dev@daytona.io
password - Make sure that the default snapshot is active at http://localhost:3000/dashboard/snapshots
- Access Credentials: dev@daytona.io
- PgAdmin: http://localhost:5050
- Registry UI: http://localhost:5100
- MinIO Console: http://localhost:9001 (minioadmin / minioadmin)
- Daytona Dashboard: http://localhost:3000
DNS Setup for Proxy URLs
For local development, you need to resolve *.proxy.localhost domains to 127.0.0.1:
./scripts/setup-proxy-dns.shThis configures dnsmasq with address=/proxy.localhost/127.0.0.1.
Without this setup, SDK examples and direct proxy access won’t work.
Development Notes
- The setup uses shared networking for simplified service communication
- Database and storage data is persisted in Docker volumes
- The registry is configured to allow image deletion for testing
- Sandbox resource limits are disabled due to inability to partition cgroups in DinD environment where the sock is not mounted
Additional Network Options
HTTP Proxy
To configurate an outbound HTTP proxy for the Daytona services, you can set the following environment variables in the docker-compose.yaml file for each service that requires proxy access (the API service is the only that requires outbound access to pull images):
HTTP_PROXY: URL of the HTTP proxy serverHTTPS_PROXY: URL of the HTTPS proxy serverNO_PROXY: Comma-separated list of hostnames or IP addresses that should bypass the proxy
The baseline configuration for the API service should be as follows:
environment: - HTTP_PROXY=<your-proxy> - HTTPS_PROXY=<your-proxy> - NO_PROXY=localhost,runner,dex,registry,minio,jaeger,otel-collector,<your-proxy>Extra CA Certificates
To configure extra CA certificates (for example, paired with DB_TLS env vars), set the following environment variable in the API service:
environment: - NODE_EXTRA_CA_CERTS=/path/to/your/cert-bundle.pembundleThe provided file is a cert bundle. Meaning it can contain multiple CA certificates in PEM format.
Environment Variables
You can customize the deployment by modifying environment variables in the docker-compose.yaml file.
Below is a full list of environment variables with their default values:
API Service
| Variable | Type | Default Value | Description |
|---|---|---|---|
PORT | number | 3000 | API service port |
DB_HOST | string | db | PostgreSQL database hostname |
DB_PORT | number | 5432 | PostgreSQL database port |
DB_USERNAME | string | user | PostgreSQL database username |
DB_PASSWORD | string | pass | PostgreSQL database password |
DB_DATABASE | string | daytona | PostgreSQL database name |
DB_TLS_ENABLED | boolean | false | Enable TLS for database connection |
DB_TLS_REJECT_UNAUTHORIZED | boolean | true | Reject unauthorized TLS certificates |
REDIS_HOST | string | redis | Redis server hostname |
REDIS_PORT | number | 6379 | Redis server port |
OIDC_CLIENT_ID | string | daytona | OIDC client identifier |
OIDC_ISSUER_BASE_URL | string | http://dex:5556/dex | OIDC issuer base URL |
PUBLIC_OIDC_DOMAIN | string | http://localhost:5556/dex | Public OIDC domain |
OIDC_AUDIENCE | string | daytona | OIDC audience identifier |
OIDC_MANAGEMENT_API_ENABLED | boolean | (empty) | Enable OIDC management API |
OIDC_MANAGEMENT_API_CLIENT_ID | string | (empty) | OIDC management API client ID |
OIDC_MANAGEMENT_API_CLIENT_SECRET | string | (empty) | OIDC management API client secret |
OIDC_MANAGEMENT_API_AUDIENCE | string | (empty) | OIDC management API audience |
DEFAULT_SNAPSHOT | string | daytonaio/sandbox:0.4.3 | Default sandbox snapshot image |
DASHBOARD_URL | string | http://localhost:3000/dashboard | Dashboard URL |
DASHBOARD_BASE_API_URL | string | http://localhost:3000 | Dashboard base API URL |
POSTHOG_API_KEY | string | phc_bYtEsdMDrNLydXPD4tufkBrHKgfO2zbycM30LOowYNv | PostHog API key for analytics |
POSTHOG_HOST | string | https://d18ag4dodbta3l.cloudfront.net | PostHog host URL |
POSTHOG_ENVIRONMENT | string | local | PostHog environment identifier |
TRANSIENT_REGISTRY_URL | string | http://registry:6000 | Transient registry URL |
TRANSIENT_REGISTRY_ADMIN | string | admin | Transient registry admin username |
TRANSIENT_REGISTRY_PASSWORD | string | password | Transient registry admin password |
TRANSIENT_REGISTRY_PROJECT_ID | string | daytona | Transient registry project ID |
INTERNAL_REGISTRY_URL | string | http://registry:6000 | Internal registry URL |
INTERNAL_REGISTRY_ADMIN | string | admin | Internal registry admin username |
INTERNAL_REGISTRY_PASSWORD | string | password | Internal registry admin password |
INTERNAL_REGISTRY_PROJECT_ID | string | daytona | Internal registry project ID |
SMTP_HOST | string | maildev | SMTP server hostname |
SMTP_PORT | number | 1025 | SMTP server port |
SMTP_USER | string | (empty) | SMTP username |
SMTP_PASSWORD | string | (empty) | SMTP password |
SMTP_SECURE | boolean | (empty) | Enable SMTP secure connection |
SMTP_EMAIL_FROM | string | "Daytona Team <no-reply@daytona.io>" | SMTP sender email address |
S3_ENDPOINT | string | http://minio:9000 | S3-compatible storage endpoint |
S3_STS_ENDPOINT | string | http://minio:9000/minio/v1/assume-role | S3 STS endpoint |
S3_REGION | string | us-east-1 | S3 region |
S3_ACCESS_KEY | string | minioadmin | S3 access key |
S3_SECRET_KEY | string | minioadmin | S3 secret key |
S3_DEFAULT_BUCKET | string | daytona | S3 default bucket name |
S3_ACCOUNT_ID | string | / | S3 account ID |
S3_ROLE_NAME | string | / | S3 role name |
ENVIRONMENT | string | dev | Application environment |
MAX_AUTO_ARCHIVE_INTERVAL | number | 43200 | Maximum auto-archive interval (seconds) |
OTEL_ENABLED | boolean | true | Enable OpenTelemetry tracing |
OTEL_COLLECTOR_URL | string | http://jaeger:4318/v1/traces | OpenTelemetry collector URL |
MAINTENANCE_MODE | boolean | false | Enable maintenance mode |
PROXY_DOMAIN | string | proxy.localhost:4000 | Proxy domain |
PROXY_PROTOCOL | string | http | Proxy protocol |
PROXY_API_KEY | string | super_secret_key | Proxy API key |
PROXY_TEMPLATE_URL | string | http://{{PORT}}-{{sandboxId}}.proxy.localhost:4000 | Proxy template URL pattern |
PROXY_TOOLBOX_BASE_URL | string | {PROXY_PROTOCOL}://{PROXY_DOMAIN} | Proxy base URL for toolbox requests |
DEFAULT_RUNNER_DOMAIN | string | runner:3003 | Default runner domain |
DEFAULT_RUNNER_API_URL | string | http://runner:3003 | Default runner API URL |
DEFAULT_RUNNER_PROXY_URL | string | http://runner:3003 | Default runner proxy URL |
DEFAULT_RUNNER_API_KEY | string | secret_api_token | Default runner API key |
DEFAULT_RUNNER_CPU | number | 4 | Default runner CPU allocation |
DEFAULT_RUNNER_MEMORY | number | 8 | Default runner memory allocation (GB) |
DEFAULT_RUNNER_DISK | number | 50 | Default runner disk allocation (GB) |
DEFAULT_RUNNER_GPU | number | 0 | Default runner GPU allocation |
DEFAULT_RUNNER_GPU_TYPE | string | none | Default runner GPU type |
DEFAULT_RUNNER_CAPACITY | number | 100 | Default runner capacity |
DEFAULT_RUNNER_REGION | string | us | Default runner region |
DEFAULT_RUNNER_CLASS | string | small | Default runner class |
DEFAULT_ORG_QUOTA_TOTAL_CPU_QUOTA | number | 10000 | Default organization total CPU quota |
DEFAULT_ORG_QUOTA_TOTAL_MEMORY_QUOTA | number | 10000 | Default organization total memory quota |
DEFAULT_ORG_QUOTA_TOTAL_DISK_QUOTA | number | 100000 | Default organization total disk quota |
DEFAULT_ORG_QUOTA_MAX_CPU_PER_SANDBOX | number | 100 | Default organization max CPU per sandbox |
DEFAULT_ORG_QUOTA_MAX_MEMORY_PER_SANDBOX | number | 100 | Default organization max memory per sandbox |
DEFAULT_ORG_QUOTA_MAX_DISK_PER_SANDBOX | number | 1000 | Default organization max disk per sandbox |
DEFAULT_ORG_QUOTA_SNAPSHOT_QUOTA | number | 1000 | Default organization snapshot quota |
DEFAULT_ORG_QUOTA_MAX_SNAPSHOT_SIZE | number | 1000 | Default organization max snapshot size |
DEFAULT_ORG_QUOTA_VOLUME_QUOTA | number | 10000 | Default organization volume quota |
SSH_GATEWAY_API_KEY | string | ssh_secret_api_token | SSH gateway API key |
SSH_GATEWAY_COMMAND | string | ssh -p 2222 {{TOKEN}}@localhost | SSH gateway command template |
RUNNER_DECLARATIVE_BUILD_SCORE_THRESHOLD | number | 10 | Runner declarative build score threshold |
RUNNER_AVAILABILITY_SCORE_THRESHOLD | number | 10 | Runner availability score threshold |
RUN_MIGRATIONS | boolean | true | Enable database migrations on startup |
ADMIN_API_KEY | string | (empty) | Admin API key, auto-generated if empty, used only upon initial setup, not recommended for production |
ADMIN_TOTAL_CPU_QUOTA | number | 0 | Admin total CPU quota, used only upon initial setup |
ADMIN_TOTAL_MEMORY_QUOTA | number | 0 | Admin total memory quota, used only upon initial setup |
ADMIN_TOTAL_DISK_QUOTA | number | 0 | Admin total disk quota, used only upon initial setup |
ADMIN_MAX_CPU_PER_SANDBOX | number | 0 | Admin max CPU per sandbox, used only upon initial setup |
ADMIN_MAX_MEMORY_PER_SANDBOX | number | 0 | Admin max memory per sandbox, used only upon initial setup |
ADMIN_MAX_DISK_PER_SANDBOX | number | 0 | Admin max disk per sandbox, used only upon initial setup |
ADMIN_SNAPSHOT_QUOTA | number | 100 | Admin snapshot quota, used only upon initial setup |
ADMIN_MAX_SNAPSHOT_SIZE | number | 100 | Admin max snapshot size, used only upon initial setup |
ADMIN_VOLUME_QUOTA | number | 0 | Admin volume quota, used only upon initial setup |
Runner
| Variable | Type | Default Value | Description |
|---|---|---|---|
VERSION | string | 0.0.1 | Runner service version |
ENVIRONMENT | string | development | Application environment |
API_PORT | number | 3003 | Runner API service port |
API_TOKEN | string | secret_api_token | Runner API authentication token |
LOG_FILE_PATH | string | /home/daytona/runner/runner.log | Path to runner log file |
RESOURCE_LIMITS_DISABLED | boolean | true | Disable resource limits for sandboxes |
AWS_ENDPOINT_URL | string | http://minio:9000 | AWS S3-compatible storage endpoint |
AWS_REGION | string | us-east-1 | AWS region |
AWS_ACCESS_KEY_ID | string | minioadmin | AWS access key ID |
AWS_SECRET_ACCESS_KEY | string | minioadmin | AWS secret access key |
AWS_DEFAULT_BUCKET | string | daytona | AWS default bucket name |
SERVER_URL | string | http://api:3000/api | Daytona API server URL |
SSH Gateway
| Variable | Type | Default Value | Description |
|---|---|---|---|
API_URL | string | http://api:3000/api | Daytona API URL |
API_KEY | string | ssh_secret_api_token | API authentication key |
SSH_PRIVATE_KEY | string | (Base64-encoded OpenSSH private key) | SSH private key for auth |
SSH_HOST_KEY | string | (Base64-encoded OpenSSH host key) | SSH host key for server |
SSH_GATEWAY_PORT | number | 2222 | SSH gateway listening port |
Proxy
| Variable | Type | Default Value | Description |
|---|---|---|---|
DAYTONA_API_URL | string | http://api:3000/api | Daytona API URL |
PROXY_PORT | number | 4000 | Proxy service port |
PROXY_DOMAIN | string | proxy.localhost:4000 | Proxy domain |
PROXY_API_KEY | string | super_secret_key | Proxy API authentication key |
PROXY_PROTOCOL | string | http | Proxy protocol (http or https) |
OIDC_CLIENT_ID | string | daytona | OIDC client identifier |
OIDC_CLIENT_SECRET | string | (empty) | OIDC client secret |
OIDC_DOMAIN | string | http://dex:5556/dex | OIDC domain |
OIDC_PUBLIC_DOMAIN | string | http://localhost:5556/dex | OIDC public domain |
OIDC_AUDIENCE | string | daytona | OIDC audience identifier |
REDIS_HOST | string | redis | Redis server hostname |
REDIS_PORT | number | 6379 | Redis server port |
TOOLBOX_ONLY_MODE | boolean | false | Allow only toolbox requests |
[OPTIONAL] Configure Auth0 for Authentication
The default compose setup uses a local Dex OIDC provider for authentication. However, you can configure Auth0 as an alternative OIDC provider by following these steps:
Step 1: Create Your Auth0 Tenant
Begin by navigating to https://auth0.com/signup and start the signup process. Choose your account type based on your use case - select Company for business applications or Personal for individual projects.
On the “Let’s get setup” page, you’ll need to enter your application name such as My Daytona and select Single Page Application (SPA) as the application type. For authentication methods, you can start with Email and Password since additional social providers like Google, GitHub, or Facebook can be added later. Once you’ve configured these settings, click Create Application in the bottom right corner.
Step 2: Configure Your Single Page Application
Navigate to Applications > Applications in the left sidebar and select the application you just created. Click the Settings tab and scroll down to find the Application URIs section where you’ll configure the callback and origin URLs.
In the Allowed Callback URIs field, add the following URLs:
http://localhost:3000http://localhost:3000/api/oauth2-redirect.htmlhttp://localhost:4000/callbackhttp://proxy.localhost:4000/callbackFor Allowed Logout URIs, add:
http://localhost:3000And for Allowed Web Origins, add:
http://localhost:3000Remember to click Save Changes at the bottom of the page to apply these configurations.
Step 3: Create Machine-to-Machine Application
You’ll need a Machine-to-Machine application to interact with Auth0’s Management API. Go to Applications > Applications and click Create Application. Choose Machine to Machine Applications as the type and provide a descriptive name like My Management API M2M.
After creating the application, navigate to the APIs tab within your new M2M application. Find and authorize the Auth0 Management API by clicking the toggle or authorize button.
Once authorized, click the dropdown arrow next to the Management API to configure permissions. Grant the following permissions to your M2M application:
read:usersupdate:usersread:connectionscreate:guardian_enrollment_ticketsread:connections_optionsClick Save to apply these permission changes.
Step 4: Set Up Custom API
Your Daytona application will need a custom API to handle authentication and authorization. Navigate to Applications > APIs in the left sidebar and click Create API. Enter a descriptive name such as My Daytona API and provide an identifier like my-daytona-api. The identifier should be a unique string that will be used in your application configuration.
After creating the API, go to the Permissions tab to define the scopes your application will use. Add each of the following permissions with their corresponding descriptions:
| Permission | Description |
|---|---|
read:node | Get workspace node info |
create:node | Create new workspace node record |
create:user | Create user account |
read:users | Get all user accounts |
regenerate-key-pair:users | Regenerate user SSH key-pair |
read:workspaces | Read workspaces (user scope) |
create:registry | Create a new docker registry auth record |
read:registries | Get all docker registry records |
read:registry | Get docker registry record |
write:registry | Create or update docker registry record |
Step 5: Configure Environment Variables
Once you’ve completed all the Auth0 setup steps, you’ll need to configure environment variables in your Daytona deployment. These variables connect your application to the Auth0 services you’ve just configured.
Finding Your Configuration Values
You can find the necessary values in the Auth0 dashboard. For your SPA application settings, go to Applications > Applications, select your SPA app, and click the Settings tab. For your M2M application, follow the same path but select your Machine-to-Machine app instead. Custom API settings are located under Applications > APIs, then select your custom API and go to Settings.
API Service Configuration
Configure the following environment variables for your API service:
OIDC_CLIENT_ID=your_spa_app_client_idOIDC_ISSUER_BASE_URL=your_spa_app_domainOIDC_AUDIENCE=your_custom_api_identifierOIDC_MANAGEMENT_API_ENABLED=trueOIDC_MANAGEMENT_API_CLIENT_ID=your_m2m_app_client_idOIDC_MANAGEMENT_API_CLIENT_SECRET=your_m2m_app_client_secretOIDC_MANAGEMENT_API_AUDIENCE=your_auth0_managment_api_identifierProxy Service Configuration
For your proxy service, configure these environment variables:
OIDC_CLIENT_ID=your_spa_app_client_idOIDC_CLIENT_SECRET=OIDC_DOMAIN=your_spa_app_domainOIDC_AUDIENCE=your_custom_api_identifier (with trailing slash)Note that OIDC_CLIENT_SECRET should remain empty for your proxy environment.