feat(security): add host-bound licence support (/etc/machine-id binding)

- compose.yaml: mount /etc/machine-id read-only into the manage-server container
- install.sh: print SHA-3-256 of /etc/machine-id after install so customers
  can share it with their vendor when requesting a host-bound .lic file
- README.md: document "Host-bound licences" flow

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
amir-climy 2026-05-20 10:19:44 +08:00
parent d2a19d4df7
commit f869e9c308
3 changed files with 32 additions and 0 deletions


@ -71,6 +71,24 @@ Also delete all data (irreversible):
curl -fsSL https://raw.githubusercontent.com/primatekuntech/triton-install/main/get.sh | sudo bash -s -- --uninstall --purge-data curl -fsSL https://raw.githubusercontent.com/primatekuntech/triton-install/main/get.sh | sudo bash -s -- --uninstall --purge-data
``` ```
## Host-bound licences (optional)
Your vendor can issue an offline `.lic` file that is cryptographically bound to a specific host
so it cannot be installed on any other machine.
**To get a host-bound licence:**
1. Run `install.sh` on the target server — the output prints a **Machine ID** line:
```
[manage-server] Machine ID (SHA-3-256): <64-hex-chars>
```
2. Share that value with your vendor when requesting the `.lic` file.
3. The vendor enters it in the License Portal when generating the offline token.
4. Install as usual — the Manage Server verifies the binding at every startup.
For air-gapped deployments without host binding the `.lic` file is portable but anyone who
obtains the file can run a second instance. Host binding removes that risk.
## Requirements ## Requirements
- Linux (amd64 or arm64) or macOS - Linux (amd64 or arm64) or macOS
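Review bot: step 1 of the "Host-bound licences" flow states unconditionally that `install.sh` prints a Machine ID line, but the install.sh hunk in this same commit only prints it when `/etc/machine-id` exists and a SHA-3 tool produces output, and macOS (listed right below under Requirements) has no `/etc/machine-id` at all. Document that the line is Linux-only and what a customer should do when it is absent. It would also help to say plainly that the value is a host fingerprint, not a secret (the underlying file is world-readable on most distributions), so readers do not handle it as a credential, and that the binding is to the machine-id as it exists at install time, so reimaging or cloning a host that regenerates the id will invalidate the `.lic` file.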


@ -64,6 +64,7 @@ services:
volumes: volumes:
- triton-manage-bins:/bins - triton-manage-bins:/bins
- ${TLS_CERT_HOST_DIR:-/etc/triton/tls}:/etc/triton/tls:ro - ${TLS_CERT_HOST_DIR:-/etc/triton/tls}:/etc/triton/tls:ro
- /etc/machine-id:/etc/machine-id:ro
ports: ports:
- "${TRITON_MANAGE_HOST_PORT:-8082}:8082" - "${TRITON_MANAGE_HOST_PORT:-8082}:8082"
- "${TRITON_MANAGE_GATEWAY_HOST_PORT:-8443}:8443" - "${TRITON_MANAGE_GATEWAY_HOST_PORT:-8443}:8443"
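Review bot: with the short `host:container` volume syntax used for `- /etc/machine-id:/etc/machine-id:ro`, a missing source path on the host does not abort the start; Docker creates an empty directory at that path, so the container sees `/etc/machine-id` as a directory rather than an id file and the startup binding check fails with a confusing error. That case is reachable (macOS is a supported platform per the README, and some minimal images have no machine-id until it is generated). Consider the long-form `type: bind` entry, which refuses to start when the source is absent, or have `install.sh` verify the file exists before bringing the stack up. Mounting it read-only is the right call: the server must not be able to rewrite the identity it is bound to.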


@ -135,3 +135,16 @@ info " 1. Open http://localhost:${HOST_PORT} (or your public URL)"
info " 2. Complete the setup wizard" info " 2. Complete the setup wizard"
info " 3. Configure TLS via reverse proxy (see docs)" info " 3. Configure TLS via reverse proxy (see docs)"
info "" info ""
# ── display machine-id for host-bound licence generation ─────────────────────
if [[ -f /etc/machine-id ]]; then
RAW_ID="$(cat /etc/machine-id | tr -d '[:space:]')"
MACHINE_ID_HASH="$(echo -n "$RAW_ID" | sha3sum -a 256 2>/dev/null | awk '{print $1}' || \
python3 -c "import hashlib,sys; print(hashlib.sha3_256(sys.stdin.buffer.read()).hexdigest())" <<< "$RAW_ID" 2>/dev/null || echo '')"
if [[ -n "$MACHINE_ID_HASH" ]]; then
info "── Host Machine ID ──────────────────────────────────────────────────────"
info " Provide this value to your vendor when requesting a host-bound .lic file."
info " Machine ID (SHA-3-256): $MACHINE_ID_HASH"
info "────────────────────────────────────────────────────────────────────────"
fi
fi
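Review bot: the fallback chain on the `MACHINE_ID_HASH=` line does not do what it intends. Without `set -o pipefail`, the exit status of `sha3sum -a 256 ... | awk '{print $1}'` is awk's, which is 0 even when `sha3sum` is not installed (awk just reads empty input), so the `|| python3 ...` branch is never reached and the hash silently comes out empty; the `-n` check then skips the whole Machine ID block and the customer gets nothing. Separately, the two branches hash different bytes: `echo -n "$RAW_ID" |` feeds the bare id to `sha3sum`, while `<<< "$RAW_ID"` appends a newline before python reads stdin, so a host that falls through to python would report a different digest than one with `sha3sum`, and the vendor's portal has no way to tell which it received. Suggest picking the tool explicitly and feeding both the same bytes, e.g.
if command -v sha3sum >/dev/null 2>&1; then MACHINE_ID_HASH="$(printf '%s' "$RAW_ID" | sha3sum -a 256 | awk '{print $1}')"
else MACHINE_ID_HASH="$(printf '%s' "$RAW_ID" | python3 -c 'import hashlib,sys; print(hashlib.sha3_256(sys.stdin.buffer.read()).hexdigest())')"; fi
and, since the Manage Server recomputes this digest at every startup, documenting exactly which bytes are hashed (whitespace-trimmed id, no trailing newline) so the script, the server and the portal agree. Minor: `cat /etc/machine-id | tr -d '[:space:]'` can be `tr -d '[:space:]' < /etc/machine-id`.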