Installation

Server

Docker Compose

curl -sSL https://raw.githubusercontent.com/terranchi/tyr/main/docker-compose.yml \
  | docker compose -f - up -d

Opens REST on :7701 and gRPC on :7700. PostgreSQL runs alongside.

Pre-built image

docker run -d \
  -p 7700:7700 -p 7701:7701 \
  -e DATABASE_URL=postgres://user:pass@your-pg:5432/tyr \
  -e TYR_REST_NO_TLS=true \
  ghcr.io/terranchi/tyr/tyr-server:latest

Available tags: latest, vX.Y.Z (stable), edge / main (tip of main), sha-<7> (immutable). See image tags.

Binary

Grab tyr-<arch>-<os>.tar.gz from the Releases page, extract, and run:

tar xzf tyr-x86_64-linux.tar.gz
sudo install tyr-server /usr/local/bin/
DATABASE_URL=postgres://... tyr-server

Source

git clone https://github.com/terranchi/tyr.git
cd tyr
cargo build --release -p tyr-server
cd web && pnpm install && pnpm build
./target/release/tyr-server

Set TYR_WEB_DIR=web/build so the server serves the dashboard.

Agent (tyrd)

Caution

The agent requires Linux kernel 5.15+ with eBPF (CONFIG_BPF=y) and must run as root or with CAP_BPF + CAP_SYS_ADMIN to attach programs.

Install script

curl -sSL https://raw.githubusercontent.com/terranchi/tyr/main/scripts/install.sh \
  | bash -s -- --component agent \
               --server https://tyr.example.com:7700 \
               --token  <enrollment-token> \
               --name   $(hostname)

Installs tyrd to /usr/local/bin, drops config at /etc/tyr/tyrd.yaml, and installs a tyr-agent.service systemd unit enabled at boot.

Docker

docker run -d --name tyrd \
  --privileged --pid host --network host \
  --cap-add=SYS_ADMIN --cap-add=BPF --cap-add=NET_ADMIN \
  --cap-add=PERFMON --cap-add=SYS_PTRACE --cap-add=SYS_RESOURCE \
  -v /sys/kernel/debug:/sys/kernel/debug:ro \
  -v /sys/fs/bpf:/sys/fs/bpf \
  -v /sys/kernel/tracing:/sys/kernel/tracing:ro \
  -v /lib/modules:/lib/modules:ro \
  -v tyr-agent-data:/var/lib/tyr \
  -e TYR_SERVER=https://tyr.example.com:7700 \
  -e TYR_ENROLLMENT_TOKEN=<token> \
  -e TYR_AGENT_NAME=$(hostname) \
  ghcr.io/terranchi/tyr/tyr-agent:latest \
  --server https://tyr.example.com:7700 --name $(hostname) --enforce --tls-capture

Must run on a Linux host — Docker Desktop on Mac/Windows cannot load host eBPF programs.

Binary

tar xzf tyr-x86_64-linux.tar.gz
sudo install tyrd /usr/local/bin/
sudo tyrd --server https://... --name $(hostname) --enforce --tls-capture

CLI (tyr)

curl -sSL https://raw.githubusercontent.com/terranchi/tyr/main/scripts/install.sh \
  | bash -s -- --component cli

Or grab tyr from any release tarball — it’s a single binary and works on Linux and macOS.

tyr --help
tyr agent list

Image tags

Pre-built multi-arch (linux/amd64 + linux/arm64) images are published to GHCR.

Tag	Published by	Use for
:latest	Release workflow	Production — always a signed release
:vX.Y.Z	Release workflow	Pinning to a specific version
:edge, :main	Edge workflow	Latest main, features in flight
:sha-abc1234	Edge workflow	Reproducible deploys from a commit

docker pull ghcr.io/terranchi/tyr/tyr-server:latest
docker pull ghcr.io/terranchi/tyr/tyr-agent:latest

Uninstall

Script-installed agent:

sudo systemctl stop tyr-agent && sudo systemctl disable tyr-agent
sudo rm /etc/systemd/system/tyr-agent.service
sudo rm /usr/local/bin/tyrd /usr/local/bin/tyr
sudo rm -rf /etc/tyr /var/lib/tyr

Docker Compose stack:

docker compose down -v   # -v also removes Postgres volume

→ Next: Your first policy