From d974d6ca3468b096d8d771c21acfba04069b3830 Mon Sep 17 00:00:00 2001
From: amir-climy
Date: Fri, 22 May 2026 21:19:08 +0800
Subject: [PATCH] feat(install): check/generate machine-id and display binding hash

On Linux, ensure /etc/machine-id exists (generate via systemd-machine-id-setup or urandom fallback if missing). Compute SHA-3-256 and print both raw ID and hash at install completion so operators can share it with the licence vendor for offline/air-gap host binding. Also mount /etc/machine-id:/etc/machine-id:ro in compose.yaml.

Co-Authored-By: Claude Sonnet 4.6
---
 manage-server/compose.yaml | 1 +
 manage-server/install.sh | 37 ++++++++++++++++++++++++++++++++++++-
 2 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/manage-server/compose.yaml b/manage-server/compose.yaml
index 4a75c54..c456c00 100644
--- a/manage-server/compose.yaml
+++ b/manage-server/compose.yaml
@@ -64,6 +64,7 @@ services:
 volumes:
 - triton-manage-bins:/bins
 - ${TLS_CERT_HOST_DIR:-/etc/triton/tls}:/etc/triton/tls:ro
+ - /etc/machine-id:/etc/machine-id:ro
 ports:
 - "${TRITON_MANAGE_HOST_PORT:-8082}:8082"
 - "${TRITON_MANAGE_GATEWAY_HOST_PORT:-8443}:8443"
diff --git a/manage-server/install.sh b/manage-server/install.sh
index 075adc0..9298f99 100755
--- a/manage-server/install.sh
+++ b/manage-server/install.sh
@@ -15,7 +15,7 @@
 # Required when not baked into the image at build time.
 # --no-tls Skip the TLS-required sanity check (dev).
 # --version Print script version and exit.
-SCRIPT_VERSION="2026-05-21.4"
+SCRIPT_VERSION="2026-05-22.1"
 set -euo pipefail
 SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd)"
 
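Review bot: The new `/etc/machine-id` bind mount is unconditional, while install.sh only guarantees the file on Linux; on a host where it is absent (a macOS/dev box, or `compose up` run without the installer) Docker will, as far as I know, create an empty directory at the source path and podman refuses the mount, so the service either starts without a usable identity or not at all, and a stray directory there would later satisfy install.sh's `-s` test. A comment on the added line would at least record the dependency: `# host identity for offline licence binding; install.sh creates it on Linux hosts`. If the image can run without it, consider making the source configurable, `${MACHINE_ID_HOST_FILE:-/etc/machine-id}:/etc/machine-id:ro`, so dev hosts can point it at a scratch file instead of the real system identity.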
@@ -47,6 +47,34 @@ done
 
 [[ $EUID -eq 0 ]] || die "must run as root"
 
+# ── machine-id ───────────────────────────────────────────────────────────
+# /etc/machine-id is used for offline licence host binding.
+# Ensure it exists; generate one if this is a fresh host.
+MACHINE_ID_HASH=""
+if [[ "$(uname -s)" == "Linux" ]]; then
+ if [[ ! -s /etc/machine-id ]]; then
+ info "generating /etc/machine-id..."
+ if command -v systemd-machine-id-setup >/dev/null 2>&1; then
+ systemd-machine-id-setup
+ else
+ printf '%032x\n' "$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')" 2>/dev/null \
+ || head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n' | cut -c1-32 > /etc/machine-id
+ chmod 444 /etc/machine-id
+ fi
+ info "/etc/machine-id created"
+ fi
+ if command -v python3 >/dev/null 2>&1; then
+ MACHINE_ID_HASH=$(python3 -c "
+import hashlib, sys
+try:
+ data = open('/etc/machine-id').read().strip()
+ print(hashlib.sha3_256(data.encode()).hexdigest())
+except Exception as e:
+ sys.exit(0)
+" 2>/dev/null || true)
+ fi
+fi
+
 # ── runtime detection ────────────────────────────────────────────────────
 if command -v podman-compose >/dev/null 2>&1; then
 COMPOSE=(podman-compose)
@@ -125,3 +153,10 @@ info " - Enter your Triton licence server URL and licence ID"
 info " - Or upload an air-gap licence file"
 info " 3. Configure TLS via reverse proxy (see docs)"
 info ""
+if [[ -n "$MACHINE_ID_HASH" ]]; then
+ info "Machine ID (for offline / air-gap licence binding):"
+ info " Raw: $(cat /etc/machine-id 2>/dev/null | tr -d '[:space:]')"
+ info " Hash: $MACHINE_ID_HASH"
+ info " Share the Hash with your licence vendor to bind the licence to this host."
+ info ""
+fi
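Review bot: The urandom fallback in the `else` branch never writes its first candidate to `/etc/machine-id`: `printf '%032x\n'` is handed a 32-character hex string it cannot parse as a number, so it prints a zero-padded `0` to stdout (the diagnostic is hidden by `2>/dev/null`), returns non-zero, and only the `|| head ... > /etc/machine-id` alternative actually creates the file. That alternative works but omits the trailing newline that `systemd-machine-id-setup` and machine-id(5) produce, so the fallback file differs from a systemd-generated one; harmless for the `.strip()` hash, but needless. I would replace both lines with a single direct write (below) and add an `else` to the `python3` check, because today a host without python3 leaves `MACHINE_ID_HASH` empty and the final summary silently omits the binding information with no hint why. The `-s` test also accepts systemd's first-boot placeholder `uninitialized` if the file contains it, which would then be hashed as-is; probably rare on an install target, but worth a comment on the `if`.
```shell
    else
      # 128 random bits as 32 lowercase hex digits, newline-terminated the way
      # systemd writes the file; write straight to the file, never to stdout.
      od -An -N16 -tx1 /dev/urandom | tr -d ' \n' > /etc/machine-id
      printf '\n' >> /etc/machine-id
      chmod 444 /etc/machine-id
    fi
    # … unchanged: "/etc/machine-id created" info and closing fi …
  if command -v python3 >/dev/null 2>&1; then
    # … unchanged: sha3-256 via python3 …
  else
    info "python3 not found; machine-id hash not computed (install python3 and re-run to display it)"
  fi
```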
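Review bot: The summary prints the raw machine-id on the `Raw:` line directly above the instruction to share only the `Hash:` with the vendor; machine-id(5) asks that this value be treated as confidential and not exposed, and since the hash is computed purely from the file contents, anyone who sees the raw value appears to be able to reproduce the binding on another host by writing the same id there. If the vendor binds on the hash, drop the `info " Raw: ..."` line entirely; if the raw value is genuinely needed for support cases, print it only behind an explicit flag and say so in a comment above the block. Minor: the `cat ... | tr` can be `tr -d '[:space:]' < /etc/machine-id`, which also avoids masking a read failure behind `2>/dev/null`.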