Docker Control Plane

Wavry distributes control-plane services as containers only.

Services:

gateway: auth and control APIs
relay: encrypted UDP relay fallback

Raw release binaries for these services are intentionally not published.

Quick Start

Start gateway:

docker compose -f docker/control-plane.compose.yml up -d gateway

Optional relay:

WAVRY_RELAY_MASTER_URL=http://host.docker.internal:8080 \
docker compose -f docker/control-plane.compose.yml --profile relay up -d relay

Check status:

docker compose -f docker/control-plane.compose.yml ps

Images and Tags

Images:

ghcr.io/<owner>/<repo>/gateway
ghcr.io/<owner>/<repo>/relay

Tag policy:

production: pin explicit release tag (vX.Y.Z, vX.Y.Z-canary..., or vX.Y.Z-unstable...)
development: main or latest

Environment Variables

Key values in docker/control-plane.compose.yml:

Variable	Purpose	Default
`WAVRY_CONTROL_PLANE_TAG`	image tag	`latest`
`WAVRY_IMAGE_REPO`	image repo base	`ghcr.io/bybrooklyn/wavry`
`WAVRY_GATEWAY_PORT`	published gateway port	`0` (auto-allocate)
`ADMIN_PANEL_TOKEN`	admin API access token	empty
`WAVRY_RELAY_PORT`	published relay UDP port	`0` (auto-allocate)
`WAVRY_RELAY_HEALTH_PORT`	published relay health HTTP port	`0` (auto-allocate)
`WAVRY_RELAY_MASTER_URL`	relay upstream registration target	`http://host.docker.internal:8080`
`WAVRY_RELAY_MASTER_PUBLIC_KEY`	relay signature verification key	empty
`WAVRY_RELAY_ALLOW_INSECURE_DEV`	insecure relay mode (dev only)	`1`

Auto-allocation avoids local port collisions with other services. To pin ports, set explicit values.

Production Baseline

Before production rollout:

Set WAVRY_RELAY_MASTER_PUBLIC_KEY.
Set WAVRY_RELAY_ALLOW_INSECURE_DEV=0.
Set ADMIN_PANEL_TOKEN to a high-entropy token.
Pin image tags (do not use floating tags).
Put gateway behind TLS termination + ingress controls.
Keep relay health endpoint private (do not expose publicly unless required).

Volumes and Persistence

Default volumes:

gateway: /var/lib/wavry
relay: /var/lib/wavry-relay

Recommendation:

back up gateway persistent state regularly
treat relay state as less critical but keep for diagnostics continuity

Upgrade and Rollback

Upgrade

Update WAVRY_CONTROL_PLANE_TAG.
Pull images:

docker compose -f docker/control-plane.compose.yml pull

Deploy updated containers:

docker compose -f docker/control-plane.compose.yml up -d

Resolve published ports and validate:

docker compose -f docker/control-plane.compose.yml port gateway 3000
docker compose -f docker/control-plane.compose.yml port relay 9091

Rollback

Restore previous known-good tag.
Re-run docker compose ... up -d.
Validate health and session creation path.

Logs and Diagnostics

Tail logs:

docker compose -f docker/control-plane.compose.yml logs -f gateway

docker compose -f docker/control-plane.compose.yml logs -f relay

If relay registration fails:

verify WAVRY_RELAY_MASTER_URL
verify reachability to upstream master
verify master public key configuration for secure mode

Security Notes

relay should not decrypt media payloads
never place secrets directly in source-controlled compose files
use environment injection or secret-management tooling

Quick Start​

Images and Tags​

Environment Variables​

Production Baseline​

Volumes and Persistence​

Upgrade and Rollback​

Upgrade​

Rollback​

Logs and Diagnostics​

Security Notes​

Related Docs​