feat(security): add host-bound licence support (/etc/machine-id binding)

- compose.yaml: mount /etc/machine-id read-only into the manage-server container - install.sh: print SHA-3-256 of /etc/machine-id after install so customers can share it with their vendor when requesting a host-bound .lic file - README.md: document "Host-bound licences" flow Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 10:19:44 +08:00 · 2026-05-20 10:19:44 +08:00 · f869e9c308
commit f869e9c308
parent d2a19d4df7
3 changed files with 32 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -71,6 +71,24 @@ Also delete all data (irreversible):
 curl -fsSL https://raw.githubusercontent.com/primatekuntech/triton-install/main/get.sh | sudo bash -s -- --uninstall --purge-data
 ```

+## Host-bound licences (optional)
+
+Your vendor can issue an offline `.lic` file that is cryptographically bound to a specific host
+so it cannot be installed on any other machine.
+
+**To get a host-bound licence:**
+
+1. Run `install.sh` on the target server — the output prints a **Machine ID** line:
+   ```
+   [manage-server] Machine ID (SHA-3-256): <64-hex-chars>
+   ```
+2. Share that value with your vendor when requesting the `.lic` file.
+3. The vendor enters it in the License Portal when generating the offline token.
+4. Install as usual — the Manage Server verifies the binding at every startup.
+
+For air-gapped deployments without host binding the `.lic` file is portable but anyone who
+obtains the file can run a second instance. Host binding removes that risk.
+
 ## Requirements

 - Linux (amd64 or arm64) or macOS
--- a/manage-server/compose.yaml
+++ b/manage-server/compose.yaml
@ -64,6 +64,7 @@ services:
    volumes:
      - triton-manage-bins:/bins
      - ${TLS_CERT_HOST_DIR:-/etc/triton/tls}:/etc/triton/tls:ro
+      - /etc/machine-id:/etc/machine-id:ro
    ports:
      - "${TRITON_MANAGE_HOST_PORT:-8082}:8082"
      - "${TRITON_MANAGE_GATEWAY_HOST_PORT:-8443}:8443"
--- a/manage-server/install.sh
+++ b/manage-server/install.sh
@ -135,3 +135,16 @@ info "  1. Open http://localhost:${HOST_PORT} (or your public URL)"
 info "  2. Complete the setup wizard"
 info "  3. Configure TLS via reverse proxy (see docs)"
 info ""
+
+# ── display machine-id for host-bound licence generation ─────────────────────
+if [[ -f /etc/machine-id ]]; then
+    RAW_ID="$(cat /etc/machine-id | tr -d '[:space:]')"
+    MACHINE_ID_HASH="$(echo -n "$RAW_ID" | sha3sum -a 256 2>/dev/null | awk '{print $1}' || \
+                       python3 -c "import hashlib,sys; print(hashlib.sha3_256(sys.stdin.buffer.read()).hexdigest())" <<< "$RAW_ID" 2>/dev/null || echo '')"
+    if [[ -n "$MACHINE_ID_HASH" ]]; then
+        info "── Host Machine ID ──────────────────────────────────────────────────────"
+        info "  Provide this value to your vendor when requesting a host-bound .lic file."
+        info "  Machine ID (SHA-3-256): $MACHINE_ID_HASH"
+        info "────────────────────────────────────────────────────────────────────────"
+    fi
+fi