Install Crewship
Crewship ships as a single, statically-linked Go binary with the Next.js frontend embedded viago:embed. There is no Node runtime at
production deploy time, and the only hard dependency is a container
runtime if you intend to run agents (Docker, Podman, Colima, OrbStack,
Apple Containers, or Rancher Desktop).
Pick the install path that matches how you run software locally — the
three below are first-class and tested on every release.
Homebrew
macOS and Linuxbrew — one command, auto-upgrades.
curl | bash
OS-agnostic install script with SHA-256 + cosign verification.
Docker Compose
Containerised, host doesn’t need Go or Node.
Homebrew
The release pipeline publishes two Homebrew formulae on every tag tocrewship-ai/homebrew-tap (PR #444): a full binary that runs the daemon + embedded Next.js UI + CLI, and a CLI-only binary that’s about half the size and only talks to a remote crewshipd.
crewship (full) | crewship-cli | |
|---|---|---|
| Binary size (darwin/arm64, stripped) | 55 MB | 27 MB |
crewship ask / crew / agent / credential / mission (HTTP-only) | ✅ | ✅ |
crewship start (run the daemon) | ✅ | ❌ |
crewship doctor (local Docker / Apple Container detection) | ✅ | ❌ |
crewship admin (direct SQLite recovery) | ✅ | ❌ |
crewship telemetry | ✅ | ❌ |
crewship memory log/show/restore (local audit chain) | ✅ | ❌ |
conflicts: against each other, so Homebrew refuses to install both on one host. Both archives ship the binary under the same name (crewship), so existing scripts keep working when you switch formulae.
Running a daemon-only subcommand from the CLI-only binary produces cobra’s
unknown command "start" error. If you need to bring up a daemon, install the full formula instead.brew tap step. Upgrades follow the normal flow:
curl | bash
The one-liner installer detects your OS and architecture, downloads the matching release archive from GitHub, verifies the SHA-256 against the signedchecksums.txt, and — when cosign is on your PATH — also
verifies the keyless Sigstore signature against the expected GitHub
Actions OIDC identity.
The short
https://crewship.ai/install alias will point at this
script once the project website goes live; until then, fetch it
straight from the repo as shown above.cosign produces a soft warning rather than a hard failure so
the one-liner keeps working for first-time users — install it from
sigstore.dev/cosign
for full supply-chain verification.
Pinning a version
Custom install directory
By default the script prefers a no-sudo user dir on yourPATH
($XDG_BIN_HOME, then ~/.local/bin) and falls back to
/usr/local/bin. Override with:
What the script does
uname -sm→ resolvesOS-arch→ picks the matching release archive.- Downloads the archive and
checksums.txtover TLS. - Computes SHA-256 of the archive, matches against the line in
checksums.txt. - If
cosignis present, verifies the archive’s signature againstEXPECTED_CERT_IDENTITY_RE = https://github.com/crewship-ai/crewship/.github/workflows/release.yml@.*andEXPECTED_OIDC_ISSUER = https://token.actions.githubusercontent.com. - Extracts and moves the
crewshipbinary into the install directory.
scripts/install.sh.
Docker Compose
The repo ships a production-grade compose file atdocker/docker-compose.prod.yml. It builds an image from the
checked-out source, brokers all Docker API access through a
docker-socket-proxy sidecar (so the crewship container never touches
the raw socket), and exposes the single port (8080 by default) on the
host.
Quickstart
NEXTAUTH_SECRET and ENCRYPTION_KEY are required — the compose
file declares them with the ${VAR:?... is required} form, so the
stack refuses to start if either is unset. Provide them via a project-
root .env file (or the compose environment: block, an external
vault, Docker secrets, a Kubernetes secret mount, …).
The server is reachable on http://localhost:8080 once the
healthcheck (/healthz) reports healthy — typically within 10 seconds.
Defaults
| Setting | Default | Override |
|---|---|---|
| Host port | 8080 | CREWSHIP_PORT in .env |
| Database | SQLite at /data/crewship.db (named volume crewship-db) | DATABASE_URL |
| Storage | local FS at /var/lib/crewship (named volume crewship-data) | CREWSHIP_STORAGE_BASE_PATH |
| Logs | /var/log/crewship (named volume crewship-logs) | CREWSHIP_LOG_PATH |
| Container provider | Docker | CREWSHIP_CONTAINER_PROVIDER |
| State backend | bbolt | CREWSHIP_STATE_PROVIDER |
ENCRYPTION_KEY and NEXTAUTH_SECRET are required in the compose
environment: block (the prod compose declares them with
${VAR:?... is required}, so an unset value aborts up). Set them in
.env and they persist across restarts because Compose reads .env
each time the stack starts.
PostgreSQL
PostgreSQL is on the v0.2 roadmap. The beta runs exclusively on
SQLite via
modernc.org/sqlite (single binary, WAL mode, no extra
services). The server accepts only file: DSNs on DATABASE_URL —
there is no Postgres driver in the binary today, so a postgres://
URL will not connect. The commented-out postgres: service block in
docker/docker-compose.prod.yml is a placeholder for that v0.2
work; leave it commented for now.Docker socket: brokered through a socket proxy by default
The prod compose does not mount/var/run/docker.sock into the
crewship container. Instead it ships a
Tecnativa docker-socket-proxy
sidecar that holds the only :ro mount of the raw socket, and points
crewship at it via DOCKER_HOST: tcp://docker-socket-proxy:2375. The
proxy enforces a defaults-deny allow-list (CONTAINERS, EXEC,
IMAGES, NETWORKS, VOLUMES, INFO, POST); widen it explicitly
if you add a feature that needs another endpoint.
The full container threat model is documented in the
Security threat model.
Verifying the install
After any of the three paths:crewship doctor runs the following checks (each PASS / WARN /
FAIL with a one-line detail):
- Container runtime detected and socket responds
- Data directory present (with
--fixit gets created) - Data directory writable
- Database migration version current
- Sidecar binary present
NEXTAUTH_SECRETis set- Server reachable on its configured port
--fix enables safe auto-repairs (currently: create the data
directory if missing). To check whether crash-reporting telemetry is
opted in, use crewship telemetry status instead — that’s a separate
command.
Next stop: quickstart for the first run and admin user
bootstrap. For development work (running the Go server + Next.js dev
server side-by-side), see Developer installation.
Air-gapped / offline installs
Download the release tarball +checksums.txt + (optionally) the
cosign bundle from GitHub Releases on a network-connected machine,
verify it manually with sha256sum -c and cosign verify-blob, and
copy the binary to your target host. The binary has no runtime fetch
behavior — no embedded analytics, no auto-update — so once it’s on
disk you’re done.
For air-gapped Docker hosts, docker save crewship-ai/crewship:v0.1.0-beta.1
into a tarball on a connected machine, transfer, then docker load
on the target.
Related
- Quickstart — first run, admin bootstrap, seeding demo data.
- Developer installation — building from source,
dev.sh, multi-instance layout. - Environment variables — full reference of
CREWSHIP_*knobs. - Telemetry — opt-out before the first start if you prefer.