triton-install/manage-server/install.sh

#!/usr/bin/env bash
# install.sh — Triton Manage Server installer.
#
# Idempotent. Generates secrets on first run, reuses .env afterwards.
# Container-based via Podman or Docker (auto-detected).
#
# Usage:
#   sudo bash install.sh --license-file /path/to/bundle/license.lic
#
# The license bundle (provided by your vendor) is a single file:
#   license.lic   — signed offline licence token
# The vendor's public key is baked into the image at build time.
#
# Flags:
#   --license-file PATH             Path to license.lic from your vendor bundle. Required.
#   --gateway-hostname HOST         Agent mTLS hostname (defaults to current FQDN).
#   --manage-host-ip IP             Host LAN IP — used for "+ This machine".
#   --port PORT                     Host port for the web UI (default: 8082).
#   --image TAG                     Pin a specific manage-server image tag.
#   --no-tls                        Skip the TLS-required sanity check (dev).
set -euo pipefail

SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]:-$0}")" &>/dev/null && pwd)"
cd "$SCRIPT_DIR"

info() { printf '[manage-server] %s\n' "$*"; }
die()  { printf '[manage-server] error: %s\n' "$*" >&2; exit 1; }

# ── arg parsing ──────────────────────────────────────────────────────────
LICENSE_FILE=""
GATEWAY_HOST=""
HOST_IP=""
PORT=""
IMAGE=""
NO_TLS=0
while [[ $# -gt 0 ]]; do
    case "$1" in
        --license-file)          LICENSE_FILE="$2";       shift 2 ;;
        --gateway-hostname)      GATEWAY_HOST="$2";       shift 2 ;;
        --manage-host-ip)        HOST_IP="$2";            shift 2 ;;
        --port)                  PORT="$2";               shift 2 ;;
        --image)                 IMAGE="$2";              shift 2 ;;
        --no-tls)                NO_TLS=1;                shift ;;
        -h|--help) grep '^#' "$0" | sed 's/^# //;s/^#//'; exit 0 ;;
        *) die "unknown flag: $1 (try --help)" ;;
    esac
done

[[ $EUID -eq 0 ]] || die "must run as root"

# ── validate license bundle ──────────────────────────────────────────────
[[ -n "$LICENSE_FILE" ]] || die "--license-file is required (path to license.lic from your vendor bundle)"
[[ -f "$LICENSE_FILE" ]] || die "license file not found: $LICENSE_FILE"

LICENSE_TOKEN="$(cat "$LICENSE_FILE")"

# ── runtime detection ────────────────────────────────────────────────────
if command -v podman-compose >/dev/null 2>&1; then
    COMPOSE=(podman-compose)
    RUNTIME=podman
elif podman compose version >/dev/null 2>&1; then
    COMPOSE=(podman compose)
    RUNTIME=podman
elif docker compose version >/dev/null 2>&1; then
    COMPOSE=(docker compose)
    RUNTIME=docker
else
    die "no compose runtime found. Install podman-compose or docker compose."
fi
info "using runtime: $RUNTIME"

# ── .env bootstrap ───────────────────────────────────────────────────────
ENV_FILE="$SCRIPT_DIR/.env"
if [[ ! -f "$ENV_FILE" ]]; then
    info "writing .env from env.template"
    cp env.template "$ENV_FILE"
    chmod 600 "$ENV_FILE"

    PG_PASS=$(openssl rand -hex 24)
    JWT_KEY=$(openssl rand -hex 32)
    WORKER_KEY=$(openssl rand -hex 16)
    VAULT_KEY=$(openssl rand -hex 32)

    sed -i \
        -e "s|^POSTGRES_PASSWORD=.*|POSTGRES_PASSWORD=$PG_PASS|" \
        -e "s|^TRITON_MANAGE_JWT_SIGNING_KEY=.*|TRITON_MANAGE_JWT_SIGNING_KEY=$JWT_KEY|" \
        -e "s|^TRITON_MANAGE_WORKER_KEY=.*|TRITON_MANAGE_WORKER_KEY=$WORKER_KEY|" \
        -e "s|^TRITON_VAULT_KEY=.*|TRITON_VAULT_KEY=$VAULT_KEY|" \
        "$ENV_FILE"
    info "secrets generated"

    sed -i "s|^TRITON_LICENSE_KEY=.*|TRITON_LICENSE_KEY=$LICENSE_TOKEN|" "$ENV_FILE"
    info "licence configured"

    [[ -n "$GATEWAY_HOST" ]] && sed -i "s|^TRITON_MANAGE_GATEWAY_HOSTNAME=.*|TRITON_MANAGE_GATEWAY_HOSTNAME=$GATEWAY_HOST|" "$ENV_FILE"
    [[ -n "$HOST_IP"            ]] && sed -i "s|^TRITON_MANAGE_HOST_IP=.*|TRITON_MANAGE_HOST_IP=$HOST_IP|" "$ENV_FILE"
    [[ -n "$PORT"               ]] && sed -i "s|^TRITON_MANAGE_HOST_PORT=.*|TRITON_MANAGE_HOST_PORT=$PORT|" "$ENV_FILE"
    [[ -n "$IMAGE"              ]] && sed -i "s|^TRITON_MANAGE_IMAGE=.*|TRITON_MANAGE_IMAGE=$IMAGE|" "$ENV_FILE"

    info ".env created at $ENV_FILE"
    info "  back this up — it contains the JWT signing key, worker key, and vault key"
else
    info "reusing existing .env at $ENV_FILE"
fi

# ── pull latest image ────────────────────────────────────────────────────
info "pulling latest image..."
"${COMPOSE[@]}" --env-file "$ENV_FILE" pull manage-server

# ── start ────────────────────────────────────────────────────────────────
info "starting containers..."
"${COMPOSE[@]}" --env-file "$ENV_FILE" up -d

# ── wait for health ──────────────────────────────────────────────────────
HOST_PORT=$(grep -E '^TRITON_MANAGE_HOST_PORT=' "$ENV_FILE" | cut -d= -f2)
HOST_PORT=${HOST_PORT:-8082}

info "waiting for manage server to become healthy on :${HOST_PORT}..."
for i in $(seq 1 30); do
    CODE=$(curl -s -o /dev/null -w "%{http_code}" "http://localhost:${HOST_PORT}/" || echo "000")
    if [[ "$CODE" == "302" || "$CODE" == "200" ]]; then
        info "manage server is up"
        break
    fi
    sleep 2
done

info ""
info "Installation complete. Next steps:"
info "  1. Open http://localhost:${HOST_PORT} (or your public URL)"
info "  2. Complete the setup wizard"
info "  3. Configure TLS via reverse proxy (see docs)"
info ""

# ── machine ID ───────────────────────────────────────────────────────────
# Print the SHA-3-256 hash of /etc/machine-id so the customer can share
# it with the vendor when requesting an offline .lic bound to this host.
# The hash is stable: /etc/machine-id never changes after OS installation.
if [[ -f /etc/machine-id ]]; then
    MACHINE_ID_RAW=$(cat /etc/machine-id | tr -d '[:space:]')
    if command -v python3 >/dev/null 2>&1; then
        MACHINE_ID_HASH=$(python3 -c "import hashlib; print(hashlib.sha3_256('${MACHINE_ID_RAW}'.encode()).hexdigest())")
    elif command -v sha3sum >/dev/null 2>&1; then
        MACHINE_ID_HASH=$(echo -n "$MACHINE_ID_RAW" | sha3sum -a 256 | awk '{print $1}')
    elif command -v openssl >/dev/null 2>&1; then
        MACHINE_ID_HASH=$(printf '%s' "${MACHINE_ID_RAW}" | openssl dgst -sha3-256 -hex 2>/dev/null | awk '{print $2}')
    else
        MACHINE_ID_HASH=""
    fi
    if [[ -n "$MACHINE_ID_HASH" ]]; then
        info "── Host Machine ID ──────────────────────────────────────────────────────"
        info "  Provide this value to your vendor when requesting a host-bound .lic file."
        info "  Machine ID (SHA-3-256): $MACHINE_ID_HASH"
        info "────────────────────────────────────────────────────────────────────────"
    fi
fi
feat: initial installer scripts for manage server and license server 2026-05-17 08:57:58 +02:00			`#!/usr/bin/env bash`
			`# install.sh — Triton Manage Server installer.`
			`#`
			`# Idempotent. Generates secrets on first run, reuses .env afterwards.`
			`# Container-based via Podman or Docker (auto-detected).`
			`#`
			`# Usage:`
feat(install): license bundle approach — --license-file replaces pubkey fetch Remove auto-fetching pubkey from license server. Instead the vendor ships a bundle (license.lic + pubkey) and the installer reads both files from the same directory. Works for both online and air-gapped deployments. --license-server-url is now optional (heartbeats only, not required to start). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-19 23:29:19 +08:00			`# sudo bash install.sh --license-file /path/to/bundle/license.lic`
feat: initial installer scripts for manage server and license server 2026-05-17 08:57:58 +02:00			`#`
feat(install): drop pubkey file from bundle — single license.lic is enough Pubkey is now baked into the image at build time. Bundle is just license.lic. TRITON_MANAGE_LICENSE_SERVER_PUBKEY in .env is optional (compiled-in default used when empty). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-20 00:08:17 +08:00			`# The license bundle (provided by your vendor) is a single file:`
feat(install): license bundle approach — --license-file replaces pubkey fetch Remove auto-fetching pubkey from license server. Instead the vendor ships a bundle (license.lic + pubkey) and the installer reads both files from the same directory. Works for both online and air-gapped deployments. --license-server-url is now optional (heartbeats only, not required to start). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-19 23:29:19 +08:00			`# license.lic — signed offline licence token`
feat(install): drop pubkey file from bundle — single license.lic is enough Pubkey is now baked into the image at build time. Bundle is just license.lic. TRITON_MANAGE_LICENSE_SERVER_PUBKEY in .env is optional (compiled-in default used when empty). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-20 00:08:17 +08:00			`# The vendor's public key is baked into the image at build time.`
feat(install): license bundle approach — --license-file replaces pubkey fetch Remove auto-fetching pubkey from license server. Instead the vendor ships a bundle (license.lic + pubkey) and the installer reads both files from the same directory. Works for both online and air-gapped deployments. --license-server-url is now optional (heartbeats only, not required to start). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-19 23:29:19 +08:00			`#`
			`# Flags:`
			`# --license-file PATH Path to license.lic from your vendor bundle. Required.`
feat: initial installer scripts for manage server and license server 2026-05-17 08:57:58 +02:00			`# --gateway-hostname HOST Agent mTLS hostname (defaults to current FQDN).`
			`# --manage-host-ip IP Host LAN IP — used for "+ This machine".`
feat(install): add --port flag to set web UI host port at install time Passes --port PORT through to TRITON_MANAGE_HOST_PORT in .env so users can change the default 8082 at install time via the one-liner: curl ... \| sudo bash -s -- --port 9090 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-19 19:45:00 +08:00			`# --port PORT Host port for the web UI (default: 8082).`
chore: sync installers from triton v1.0.0-rc.2 2026-05-17 08:33:44 +00:00			`# --image TAG Pin a specific manage-server image tag.`
feat: initial installer scripts for manage server and license server 2026-05-17 08:57:58 +02:00			`# --no-tls Skip the TLS-required sanity check (dev).`
			`set -euo pipefail`

fix(scripts): handle BASH_SOURCE[0] unbound when piped via curl BASH_SOURCE[0] is unset when a script runs via `curl \| bash` (no source file on disk). With `set -u` this triggers "unbound variable" and exits. Fall back to $0 with ${BASH_SOURCE[0]:-$0} so piped execution works. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-19 19:38:47 +08:00			`SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]:-$0}")" &>/dev/null && pwd)"`
feat: initial installer scripts for manage server and license server 2026-05-17 08:57:58 +02:00			`cd "$SCRIPT_DIR"`

			`info() { printf '[manage-server] %s\n' "$*"; }`
			`die() { printf '[manage-server] error: %s\n' "$*" >&2; exit 1; }`

			`# ── arg parsing ──────────────────────────────────────────────────────────`
feat(install): license bundle approach — --license-file replaces pubkey fetch Remove auto-fetching pubkey from license server. Instead the vendor ships a bundle (license.lic + pubkey) and the installer reads both files from the same directory. Works for both online and air-gapped deployments. --license-server-url is now optional (heartbeats only, not required to start). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-19 23:29:19 +08:00			`LICENSE_FILE=""`
feat: initial installer scripts for manage server and license server 2026-05-17 08:57:58 +02:00			`GATEWAY_HOST=""`
			`HOST_IP=""`
feat(install): add --port flag to set web UI host port at install time Passes --port PORT through to TRITON_MANAGE_HOST_PORT in .env so users can change the default 8082 at install time via the one-liner: curl ... \| sudo bash -s -- --port 9090 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-19 19:45:00 +08:00			`PORT=""`
feat: initial installer scripts for manage server and license server 2026-05-17 08:57:58 +02:00			`IMAGE=""`
			`NO_TLS=0`
			`while [[ $# -gt 0 ]]; do`
			`case "$1" in`
feat(install): license bundle approach — --license-file replaces pubkey fetch Remove auto-fetching pubkey from license server. Instead the vendor ships a bundle (license.lic + pubkey) and the installer reads both files from the same directory. Works for both online and air-gapped deployments. --license-server-url is now optional (heartbeats only, not required to start). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-19 23:29:19 +08:00			`--license-file) LICENSE_FILE="$2"; shift 2 ;;`
feat(install): add --license-server-pubkey and --license-server-url flags These were documented but never implemented. Without TRITON_MANAGE_LICENSE_SERVER_PUBKEY the server refuses to start. Also add both vars to env.template so users know they exist and what they're for. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-19 23:10:06 +08:00			`--gateway-hostname) GATEWAY_HOST="$2"; shift 2 ;;`
			`--manage-host-ip) HOST_IP="$2"; shift 2 ;;`
			`--port) PORT="$2"; shift 2 ;;`
			`--image) IMAGE="$2"; shift 2 ;;`
			`--no-tls) NO_TLS=1; shift ;;`
feat: initial installer scripts for manage server and license server 2026-05-17 08:57:58 +02:00			`-h\|--help) grep '^#' "$0" \| sed 's/^# //;s/^#//'; exit 0 ;;`
			`*) die "unknown flag: $1 (try --help)" ;;`
			`esac`
			`done`

			`[[ $EUID -eq 0 ]] \|\| die "must run as root"`

feat(install): license bundle approach — --license-file replaces pubkey fetch Remove auto-fetching pubkey from license server. Instead the vendor ships a bundle (license.lic + pubkey) and the installer reads both files from the same directory. Works for both online and air-gapped deployments. --license-server-url is now optional (heartbeats only, not required to start). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-19 23:29:19 +08:00			`# ── validate license bundle ──────────────────────────────────────────────`
			`[[ -n "$LICENSE_FILE" ]] \|\| die "--license-file is required (path to license.lic from your vendor bundle)"`
			`[[ -f "$LICENSE_FILE" ]] \|\| die "license file not found: $LICENSE_FILE"`

			`LICENSE_TOKEN="$(cat "$LICENSE_FILE")"`

feat: initial installer scripts for manage server and license server 2026-05-17 08:57:58 +02:00			`# ── runtime detection ────────────────────────────────────────────────────`
			`if command -v podman-compose >/dev/null 2>&1; then`
			`COMPOSE=(podman-compose)`
			`RUNTIME=podman`
			`elif podman compose version >/dev/null 2>&1; then`
			`COMPOSE=(podman compose)`
			`RUNTIME=podman`
			`elif docker compose version >/dev/null 2>&1; then`
			`COMPOSE=(docker compose)`
			`RUNTIME=docker`
			`else`
			`die "no compose runtime found. Install podman-compose or docker compose."`
			`fi`
			`info "using runtime: $RUNTIME"`

			`# ── .env bootstrap ───────────────────────────────────────────────────────`
			`ENV_FILE="$SCRIPT_DIR/.env"`
			`if [[ ! -f "$ENV_FILE" ]]; then`
			`info "writing .env from env.template"`
			`cp env.template "$ENV_FILE"`
			`chmod 600 "$ENV_FILE"`

			`PG_PASS=$(openssl rand -hex 24)`
			`JWT_KEY=$(openssl rand -hex 32)`
			`WORKER_KEY=$(openssl rand -hex 16)`
			`VAULT_KEY=$(openssl rand -hex 32)`

			`sed -i \`
			`-e "s\|^POSTGRES_PASSWORD=.*\|POSTGRES_PASSWORD=$PG_PASS\|" \`
			`-e "s\|^TRITON_MANAGE_JWT_SIGNING_KEY=.*\|TRITON_MANAGE_JWT_SIGNING_KEY=$JWT_KEY\|" \`
			`-e "s\|^TRITON_MANAGE_WORKER_KEY=.*\|TRITON_MANAGE_WORKER_KEY=$WORKER_KEY\|" \`
			`-e "s\|^TRITON_VAULT_KEY=.*\|TRITON_VAULT_KEY=$VAULT_KEY\|" \`
			`"$ENV_FILE"`
feat(install): license bundle approach — --license-file replaces pubkey fetch Remove auto-fetching pubkey from license server. Instead the vendor ships a bundle (license.lic + pubkey) and the installer reads both files from the same directory. Works for both online and air-gapped deployments. --license-server-url is now optional (heartbeats only, not required to start). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-19 23:29:19 +08:00			`info "secrets generated"`

feat(install): drop pubkey file from bundle — single license.lic is enough Pubkey is now baked into the image at build time. Bundle is just license.lic. TRITON_MANAGE_LICENSE_SERVER_PUBKEY in .env is optional (compiled-in default used when empty). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-20 00:08:17 +08:00			`sed -i "s\|^TRITON_LICENSE_KEY=.*\|TRITON_LICENSE_KEY=$LICENSE_TOKEN\|" "$ENV_FILE"`
feat(install): license bundle approach — --license-file replaces pubkey fetch Remove auto-fetching pubkey from license server. Instead the vendor ships a bundle (license.lic + pubkey) and the installer reads both files from the same directory. Works for both online and air-gapped deployments. --license-server-url is now optional (heartbeats only, not required to start). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-19 23:29:19 +08:00			`info "licence configured"`

feat: remove --license-server-url flag — URL now baked into binary The License Server URL (https://license.tritonscans.com) is compiled into the manage-server binary at release time. No need to pass it during installation. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-20 07:59:56 +02:00			`[[ -n "$GATEWAY_HOST" ]] && sed -i "s\|^TRITON_MANAGE_GATEWAY_HOSTNAME=.*\|TRITON_MANAGE_GATEWAY_HOSTNAME=$GATEWAY_HOST\|" "$ENV_FILE"`
feat(install): license bundle approach — --license-file replaces pubkey fetch Remove auto-fetching pubkey from license server. Instead the vendor ships a bundle (license.lic + pubkey) and the installer reads both files from the same directory. Works for both online and air-gapped deployments. --license-server-url is now optional (heartbeats only, not required to start). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-19 23:29:19 +08:00			`[[ -n "$HOST_IP" ]] && sed -i "s\|^TRITON_MANAGE_HOST_IP=.*\|TRITON_MANAGE_HOST_IP=$HOST_IP\|" "$ENV_FILE"`
			`[[ -n "$PORT" ]] && sed -i "s\|^TRITON_MANAGE_HOST_PORT=.*\|TRITON_MANAGE_HOST_PORT=$PORT\|" "$ENV_FILE"`
			`[[ -n "$IMAGE" ]] && sed -i "s\|^TRITON_MANAGE_IMAGE=.*\|TRITON_MANAGE_IMAGE=$IMAGE\|" "$ENV_FILE"`
feat: initial installer scripts for manage server and license server 2026-05-17 08:57:58 +02:00
			`info ".env created at $ENV_FILE"`
chore: sync installers from triton v1.0.0-rc.2 2026-05-17 08:33:44 +00:00			`info " back this up — it contains the JWT signing key, worker key, and vault key"`
feat: initial installer scripts for manage server and license server 2026-05-17 08:57:58 +02:00			`else`
			`info "reusing existing .env at $ENV_FILE"`
			`fi`

fix(install): pull latest image before starting containers Without an explicit pull, compose up reuses the locally cached image even when a newer one is available on the registry. This caused the old image (without --chmod=755) to be used on re-runs. Pull first to guarantee the current released image is always used. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-19 19:50:53 +08:00			`# ── pull latest image ────────────────────────────────────────────────────`
			`info "pulling latest image..."`
			`"${COMPOSE[@]}" --env-file "$ENV_FILE" pull manage-server`

feat: initial installer scripts for manage server and license server 2026-05-17 08:57:58 +02:00			`# ── start ────────────────────────────────────────────────────────────────`
			`info "starting containers..."`
			`"${COMPOSE[@]}" --env-file "$ENV_FILE" up -d`

			`# ── wait for health ──────────────────────────────────────────────────────`
			`HOST_PORT=$(grep -E '^TRITON_MANAGE_HOST_PORT=' "$ENV_FILE" \| cut -d= -f2)`
			`HOST_PORT=${HOST_PORT:-8082}`

			`info "waiting for manage server to become healthy on :${HOST_PORT}..."`
			`for i in $(seq 1 30); do`
			`CODE=$(curl -s -o /dev/null -w "%{http_code}" "http://localhost:${HOST_PORT}/" \|\| echo "000")`
			`if [[ "$CODE" == "302" \|\| "$CODE" == "200" ]]; then`
chore: sync installers from triton v1.0.0-rc.2 2026-05-17 08:33:44 +00:00			`info "manage server is up"`
feat: initial installer scripts for manage server and license server 2026-05-17 08:57:58 +02:00			`break`
			`fi`
			`sleep 2`
			`done`

			`info ""`
chore: sync installers from triton v1.0.0-rc.2 2026-05-17 08:33:44 +00:00			`info "Installation complete. Next steps:"`
feat: initial installer scripts for manage server and license server 2026-05-17 08:57:58 +02:00			`info " 1. Open http://localhost:${HOST_PORT} (or your public URL)"`
feat(install): license bundle approach — --license-file replaces pubkey fetch Remove auto-fetching pubkey from license server. Instead the vendor ships a bundle (license.lic + pubkey) and the installer reads both files from the same directory. Works for both online and air-gapped deployments. --license-server-url is now optional (heartbeats only, not required to start). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-19 23:29:19 +08:00			`info " 2. Complete the setup wizard"`
chore: sync installers from triton v1.0.0-rc.2 2026-05-17 08:33:44 +00:00			`info " 3. Configure TLS via reverse proxy (see docs)"`
feat: initial installer scripts for manage server and license server 2026-05-17 08:57:58 +02:00			`info ""`
feat(security): add host-bound licence support (/etc/machine-id binding) - compose.yaml: mount /etc/machine-id read-only into the manage-server container - install.sh: print SHA-3-256 of /etc/machine-id after install so customers can share it with their vendor when requesting a host-bound .lic file - README.md: document "Host-bound licences" flow Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-20 10:19:44 +08:00
fix: print machine ID hash and mount /etc/machine-id for offline .lic binding install.sh now computes and displays the SHA-3-256 hash of /etc/machine-id at the end of every run so the customer can share it with the vendor when requesting an offline .lic bound to this host. The hash is stable — it never changes after OS installation, so re-running install.sh or restarting the container will always show the same value. compose.yaml now mounts /etc/machine-id:ro into the manage-server container so ReadMachineID() can verify the offline .lic binding at startup. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-20 07:29:01 +02:00			`# ── machine ID ───────────────────────────────────────────────────────────`
			`# Print the SHA-3-256 hash of /etc/machine-id so the customer can share`
			`# it with the vendor when requesting an offline .lic bound to this host.`
			`# The hash is stable: /etc/machine-id never changes after OS installation.`
feat(security): add host-bound licence support (/etc/machine-id binding) - compose.yaml: mount /etc/machine-id read-only into the manage-server container - install.sh: print SHA-3-256 of /etc/machine-id after install so customers can share it with their vendor when requesting a host-bound .lic file - README.md: document "Host-bound licences" flow Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-20 10:19:44 +08:00			`if [[ -f /etc/machine-id ]]; then`
fix: print machine ID hash and mount /etc/machine-id for offline .lic binding install.sh now computes and displays the SHA-3-256 hash of /etc/machine-id at the end of every run so the customer can share it with the vendor when requesting an offline .lic bound to this host. The hash is stable — it never changes after OS installation, so re-running install.sh or restarting the container will always show the same value. compose.yaml now mounts /etc/machine-id:ro into the manage-server container so ReadMachineID() can verify the offline .lic binding at startup. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-20 07:29:01 +02:00			`MACHINE_ID_RAW=$(cat /etc/machine-id \| tr -d '[:space:]')`
			`if command -v python3 >/dev/null 2>&1; then`
			`MACHINE_ID_HASH=$(python3 -c "import hashlib; print(hashlib.sha3_256('${MACHINE_ID_RAW}'.encode()).hexdigest())")`
			`elif command -v sha3sum >/dev/null 2>&1; then`
			`MACHINE_ID_HASH=$(echo -n "$MACHINE_ID_RAW" \| sha3sum -a 256 \| awk '{print $1}')`
			`elif command -v openssl >/dev/null 2>&1; then`
			`MACHINE_ID_HASH=$(printf '%s' "${MACHINE_ID_RAW}" \| openssl dgst -sha3-256 -hex 2>/dev/null \| awk '{print $2}')`
			`else`
			`MACHINE_ID_HASH=""`
			`fi`
feat(security): add host-bound licence support (/etc/machine-id binding) - compose.yaml: mount /etc/machine-id read-only into the manage-server container - install.sh: print SHA-3-256 of /etc/machine-id after install so customers can share it with their vendor when requesting a host-bound .lic file - README.md: document "Host-bound licences" flow Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-20 10:19:44 +08:00			`if [[ -n "$MACHINE_ID_HASH" ]]; then`
			`info "── Host Machine ID ──────────────────────────────────────────────────────"`
			`info " Provide this value to your vendor when requesting a host-bound .lic file."`
			`info " Machine ID (SHA-3-256): $MACHINE_ID_HASH"`
			`info "────────────────────────────────────────────────────────────────────────"`
			`fi`
			`fi`