Installation

System requirements

Component	Requirement
Server (`tyr-server`)	Linux or macOS, x86_64 or aarch64. PostgreSQL 15+. Any Docker-capable host works.
Agent (`tyrd`)	Linux only. Kernel 5.15+ with `CONFIG_BPF_LSM=y`, BTF (`/sys/kernel/btf/vmlinux`), x86_64 or aarch64. Root or `CAP_BPF` + `CAP_SYS_ADMIN`.
CLI (`tyr`)	Linux or macOS, x86_64 or aarch64.

Verify kernel support for the agent

uname -r                             # ≥ 5.15
cat /sys/kernel/security/lsm         # must include "bpf"
ls /sys/kernel/btf/vmlinux           # must exist

Good out-of-the-box on: Ubuntu 22.04+, Debian 12+, Fedora 36+, Amazon Linux 2023, RHEL 9, Raspberry Pi OS (bookworm, 6.1+). On older kernels, tracepoint-only observation is available, but LSM enforcement is not.

Server

curl -sSL https://raw.githubusercontent.com/terranchi/tyr/main/docker-compose.yml \
  | docker compose -f - up -d

Opens REST on :7701 and gRPC on :7700. PostgreSQL runs alongside.

docker run -d \
  -p 7700:7700 -p 7701:7701 \
  -e DATABASE_URL=postgres://user:pass@your-pg:5432/tyr \
  -e TYR_REST_NO_TLS=true \
  ghcr.io/terranchi/tyr/tyr-server:latest

Available tags: latest, vX.Y.Z (stable), edge / main (tip of main), sha-<7> (immutable). See image tags.

Grab tyr-<arch>-<os>.tar.gz from the Releases page, extract, and run:

tar xzf tyr-x86_64-linux.tar.gz
sudo install tyr-server /usr/local/bin/
DATABASE_URL=postgres://... tyr-server

git clone https://github.com/terranchi/tyr.git
cd tyr
cargo build --release -p tyr-server
cd web && pnpm install && pnpm build
./target/release/tyr-server

Set TYR_WEB_DIR=web/build so the server serves the dashboard.

Agent (`tyrd`)

curl -sSL https://raw.githubusercontent.com/terranchi/tyr/main/scripts/install.sh \
  | bash -s -- --component agent \
               --server https://tyr.example.com:7700 \
               --token  <enrollment-token> \
               --name   $(hostname)

Installs tyrd to /usr/local/bin, drops config at /etc/tyr/tyrd.yaml, and installs a tyr-agent.service systemd unit enabled at boot.

docker run -d --name tyrd \
  --privileged --pid host --network host \
  --cap-add=SYS_ADMIN --cap-add=BPF --cap-add=NET_ADMIN \
  --cap-add=PERFMON --cap-add=SYS_PTRACE --cap-add=SYS_RESOURCE \
  -v /sys/kernel/debug:/sys/kernel/debug:ro \
  -v /sys/fs/bpf:/sys/fs/bpf \
  -v /sys/kernel/tracing:/sys/kernel/tracing:ro \
  -v /lib/modules:/lib/modules:ro \
  -v tyr-agent-data:/var/lib/tyr \
  -e TYR_SERVER=https://tyr.example.com:7700 \
  -e TYR_ENROLLMENT_TOKEN=<token> \
  -e TYR_AGENT_NAME=$(hostname) \
  ghcr.io/terranchi/tyr/tyr-agent:latest \
  --server https://tyr.example.com:7700 --name $(hostname) --enforce --tls-capture

Must run on a Linux host — Docker Desktop on Mac/Windows cannot load host eBPF programs.

tar xzf tyr-x86_64-linux.tar.gz
sudo install tyrd /usr/local/bin/
sudo tyrd --server https://... --name $(hostname) --enforce --tls-capture

CLI (`tyr`)

curl -sSL https://raw.githubusercontent.com/terranchi/tyr/main/scripts/install.sh \
  | bash -s -- --component cli

Or grab tyr from any release tarball — it’s a single binary and works on Linux and macOS.

tyr --help
tyr agent list

Image tags

Pre-built multi-arch (linux/amd64 + linux/arm64) images are published to GHCR.

Tag	Published by	Use for
`:latest`	Release workflow	Production — always a signed release
`:vX.Y.Z`	Release workflow	Pinning to a specific version
`:edge`, `:main`	Edge workflow	Latest main, features in flight
`:sha-abc1234`	Edge workflow	Reproducible deploys from a commit

docker pull ghcr.io/terranchi/tyr/tyr-server:latest
docker pull ghcr.io/terranchi/tyr/tyr-agent:latest

Uninstall

Script-installed agent:

sudo systemctl stop tyr-agent && sudo systemctl disable tyr-agent
sudo rm /etc/systemd/system/tyr-agent.service
sudo rm /usr/local/bin/tyrd /usr/local/bin/tyr
sudo rm -rf /etc/tyr /var/lib/tyr

Docker Compose stack:

docker compose down -v   # -v also removes Postgres volume

→ Next: Your first policy