The previous logic using 'file | grep PGP' was inverted — both
ASCII-armored and binary GPG keys matched the pattern, causing
ASCII-armored keys to be copied directly instead of being
dearmored. This resulted in APT failing with NO_PUBKEY errors
on Debian 12 (bookworm).
Use 'grep BEGIN PGP' to reliably detect ASCII-armored keys and
dearmor them, otherwise copy binary keys directly.
gpg --dearmor creates files with restrictive permissions (600),
which prevents Debian 13's sqv signature verifier from reading
the keyring files. This causes apt update to fail with
'Permission denied' errors for all repositories using custom
GPG keys (adoptium, pgdg, pdm, etc.).
Set chmod 644 after creating .gpg files in both setup_deb822_repo()
and the MongoDB GPG key import in manage_tool_repository().
* fix(archlinux-vm): fix LVM/LVM-thin storage and improve error reporting
- Add catch-all (*) case for storage types (LVM, LVM-thin, zfspool)
Previously only nfs/dir/cifs and btrfs were handled, leaving
DISK_EXT, DISK_REF, and DISK_IMPORT unset on LVM/LVM-thin storage
- Fix error_handler to send numeric exit_code to API instead of
bash command text (which caused 'Unknown error' in telemetry)
- Replace fragile pvesm alloc for EFI disk with Proxmox-managed
:0,efitype=4m (consistent with docker-vm.sh)
- Modernize disk import: auto-detect qm disk import vs qm importdisk,
parse output to get correct disk reference instead of guessing names
- Use --format flag (double dash) consistent with modern Proxmox API
- Remove unused FORMAT variable (EFI type now always set correctly)
- Remove fragile eval-based disk name construction
* fix(vm): fix LVM/LVM-thin storage and error reporting for all VM scripts
- Add catch-all (*) case to storage type detection in all VM scripts
that were missing it (debian-vm, debian-13-vm, ubuntu2204/2404/2504,
nextcloud-vm, owncloud-vm, opnsense-vm, pimox-haos-vm)
- Add catch-all to mikrotik-routeros (had zfspool but not lvm/lvmthin)
- Fix error_handler in ALL 14 VM scripts to send numeric exit_code
to post_update_to_api instead of bash command text, which caused
'Unknown error' in telemetry because the API expects a number
The catch_errors() function in CT scripts overrides the API telemetry
traps set by build.func. This caused on_exit, on_interrupt, and
on_terminate to never call post_update_to_api, leaving telemetry
records permanently stuck on 'installing'.
Changes:
- on_exit: Report orphaned 'installing' records on ANY exit where
post_to_api was called but post_update_to_api was not
- on_interrupt: Call post_update_to_api('failed', '130') before exit
- on_terminate: Call post_update_to_api('failed', '143') before exit
All calls are guarded by POST_UPDATE_DONE flag to prevent duplicates.
EMQX 6.1+ preallocates significant disk space for the MQ feature,
causing high CPU/disk usage on small containers (emqx/emqx#16649).
- Increase default disk from 4GB to 6GB
- Add read -rp prompt during install to optionally disable MQ feature
via mq.enable=false in emqx.conf (reduces disk/CPU overhead)
- Setting is in install script (not CT script) per reviewer feedback
Co-authored-by: sim-san <sim-san@users.noreply.github.com>
The UniFi GPG key at dl.ui.com/unifi/unifi-repo.gpg is already in binary
format. setup_deb822_repo unconditionally ran gpg --dearmor which expects
ASCII-armored input, corrupting binary keys and causing apt to fail with
'Unable to locate package unifi'.
setup_deb822_repo now downloads the key to a temp file first and uses
the file command to detect whether it is already a binary PGP/GPG key.
Binary keys are copied directly; armored keys are dearmored as before.
This also reverts unifi-install.sh back to using setup_deb822_repo for
consistency with all other install scripts.
* fix(tailscale-addon): fix DNS check and keyrings directory issues
- Source /etc/os-release instead of grep to handle quoted values properly
- Use VERSION_CODENAME variable instead of VER for correct URL
- Add fallback DNS resolution methods (host, nslookup, getent) when dig is missing
- Create /usr/share/keyrings directory if it doesn't exist
- Skip DNS check gracefully when no DNS tools are available
Fixes installation failures with 'dig: command not found' and
'No such file or directory' for keyrings path
* Update tools/addon/add-tailscale-lxc.sh
Co-authored-by: Chris <punk.sand7393@fastmail.com>
* Update tools/addon/add-tailscale-lxc.sh
Co-authored-by: Chris <punk.sand7393@fastmail.com>
---------
Co-authored-by: Chris <punk.sand7393@fastmail.com>
Add POST_TO_API_DONE idempotency guard to post_to_api() to prevent
the same telemetry record from being submitted twice with the same
RANDOM_UUID. This mirrors the existing POST_UPDATE_DONE pattern in
post_update_to_api().
post_to_api() is called twice in build.func:
- After storage validation (inside CONTAINER_STORAGE check)
- After create_lxc_container() completes
When both execute, the second call fails with a random_id uniqueness
violation on PocketBase, generating server-side errors.
* fix(debian-13-vm): disable systemd-firstboot and add autologin via virt-customize
Newer Debian 13 (Trixie) nocloud images (Jan 29+) have systemd-firstboot
enabled, which blocks the boot process by prompting for timezone and root
password on the serial console. The noVNC console stalls after auditd checks.
Fix by using virt-customize (like docker-vm.sh) to:
- Disable systemd-firstboot.service and mask it
- Pre-seed timezone to Etc/UTC
- Configure autologin on ttyS0 and tty1 for nocloud images
- Set hostname and clear machine-id for unique IDs
- Install libguestfs-tools if not present
Fixes#11807
* feat(debian-13-vm): add cloud-init selection dialog for default and advanced settings
Add select_cloud_init() function consistent with docker-vm.sh that prompts
the user to choose between Cloud-Init (genericcloud image) and nocloud
(with auto-login) in both default and advanced settings.
Previously, default settings hardcoded CLOUD_INIT=no without asking.
* Remove Go API and extend misc/api.func
Delete the Go-based API (api/main.go, api/go.mod, api/go.sum, api/.env.example) and significantly enhance misc/api.func. The shell telemetry file now includes telemetry configuration, repo source detection, GPU/CPU/RAM detection, expanded explain_exit_code mappings, and refactored post_to_api/post_to_api_vm to send non-blocking telemetry to telemetry.community-scripts.org while respecting DIAGNOSTICS/DEV_MODE and adding richer metadata (cpu/gpu/ram/repo_source). Also updates header/author info and improves privacy/robustness and error handling.
* Start install timer and refine error reporting
Call start_install_timer during build startup and overhaul exit/error reporting.
Changes:
- Invoke start_install_timer early in misc/build.func to track install duration.
- Update api_exit_script comments to reference PocketBase/api.func and adjust ERR/SIGINT/SIGTERM traps to post numeric exit codes (use $? / 130 / 143) instead of command strings.
- Replace the previous explain_exit_code implementation with a conditional fallback: only define explain_exit_code if not already provided (api.func is the canonical source). Expanded and reorganized exit code mappings (curl, timeout, systemd, Node/Python/Postgres/MySQL/MongoDB, Proxmox, etc.).
- In error_handler: stop echoing the container log path (host shows combined log), and post a "failed" update to the API with the exit code before offering container cleanup.
Rationale: these changes make telemetry more consistent and robust (numeric codes), provide a safe fallback for exit descriptions when api.func isn't loaded, and ensure failures are reported to the API prior to any automatic cleanup.
* Report install start/failure to telemetry API
Add telemetry hooks in misc/build.func: call post_to_api at installation start to capture early or immediately-failing installs, and call post_update_to_api with status "failed" and the install exit code when a container installation fails. This improves visibility into install failures for monitoring/telemetry.
Kasm changed their release URL format starting with v1.18.1:
- Old format: kasm_release_1.18.0.09f70a.tar.gz (with hash)
- New format: kasm_release_1.18.1.tar.gz (without hash)
The script now tries both detection methods:
1. First tries to find URL with hash suffix (old format)
2. Falls back to detecting version from service_images URLs and
constructing the new URL format
This fixes the update detection for Kasm v1.18.1 and future versions.
Fixes#11785
