Docker Compose deployment

Tyr ships two compose files:

• docker-compose.yml (repo root) — pulls pre-built images from GHCR. For users.
• deploy/docker-compose.dev.yml — builds from source. For contributors.

User: quickstart compose

curl -sSL https://raw.githubusercontent.com/terranchi/tyr/main/docker-compose.yml -o tyr.yml
docker compose -f tyr.yml up -d

Services:

Service	Image	Exposes
postgres	postgres:17-alpine	5432
tyr-server	ghcr.io/terranchi/tyr/tyr-server:latest	7700 (gRPC), 7701 (REST/UI)
tyr-agent	ghcr.io/terranchi/tyr/tyr-agent:latest	host network, privileged

Bootstrap token

The compose file pre-seeds TYR_BOOTSTRAP_ENROLLMENT_TOKEN=tyr-quickstart-token. This lets the bundled agent enroll without any UI steps. Rotate it for any real deployment:

environment:
  TYR_BOOTSTRAP_ENROLLMENT_TOKEN: "<generate-with-openssl-rand-hex-32>"

Then update the agent to match, or remove it and create per-fleet tokens via tyr enrollment-token create.

Running server-only (Mac/Windows)

Docker Desktop runs in a Linux VM that cannot reach your host kernel, so the agent fails to load eBPF programs. Delete the tyr-agent: service and its volume from docker-compose.yml:

docker compose up -d postgres tyr-server

Note

You can still connect real agents by installing tyrd natively on a Linux box and pointing it at the server. Enrollment works over the network.

Using an external PostgreSQL

services:
  tyr-server:
    environment:
      DATABASE_URL: postgres://user:pass@external-pg.example.com:5432/tyr

Remove the postgres: service and the depends_on: postgres block.

Persistent storage

Two volumes are declared:

• pgdata — the Postgres data directory. Essential, back this up (see Backup & restore).
• tyr-agent-data — agent keys, certificates, policy cache.

Updating images

docker compose pull
docker compose up -d

Pull policy is always in the shipped compose — every up -d will check GHCR.

Contributor: dev compose

git clone https://github.com/terranchi/tyr.git
cd tyr
docker compose -f deploy/docker-compose.dev.yml up --build

This builds tyr-server and tyr-agent from the current working tree. Useful when iterating on Rust code.

Scaling out

A single tyr-server + Postgres handles thousands of agents comfortably. Horizontal scaling is a roadmap item — today, run one server. Agents reconnect automatically if the server restarts.

→ Next: Linux systemd · Kubernetes