From 779b07d2c2dac3d4a5274f7cfb308e9acaebfc78 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson <jjohnson2@lenovo.com>
Date: Wed, 25 Mar 2026 12:56:16 -0400
Subject: [PATCH] Only try to use ssh_keys if it exists

EL10 changed from using ssh_keys and setgid to just
do setuid root instead.
---
 .../el9-diskless/profiles/default/scripts/imageboot.sh      | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/confluent_osdeploy/el9-diskless/profiles/default/scripts/imageboot.sh b/confluent_osdeploy/el9-diskless/profiles/default/scripts/imageboot.sh
index b48ba87f..ec188a2b 100644
--- a/confluent_osdeploy/el9-diskless/profiles/default/scripts/imageboot.sh
+++ b/confluent_osdeploy/el9-diskless/profiles/default/scripts/imageboot.sh
@@ -142,8 +142,10 @@ echo '    EnableSSHKeysign yes' >> $sshconf
 echo '    HostbasedKeyTypes *ed25519*' >> $sshconf
 curl -sf -H "CONFLUENT_NODENAME: $nodename" -H "CONFLUENT_APIKEY: $(cat /etc/confluent/confluent.apikey)" https://$confluent_whost/confluent-api/self/nodelist > /sysroot/etc/ssh/shosts.equiv
 cp /sysroot/etc/ssh/shosts.equiv /sysroot/root/.shosts
-chmod 640 /sysroot/etc/ssh/*_key
-chroot /sysroot chgrp ssh_keys /etc/ssh/*_key
+if grep ^ssh_keys: /etc/group > /dev/null; then
+    chmod 640 /sysroot/etc/ssh/*_key
+    chroot /sysroot chgrp ssh_keys /etc/ssh/*_key
+fi
 cp /tls/*.pem /sysroot/etc/pki/ca-trust/source/anchors/
 chroot /sysroot/ update-ca-trust
 curl -sf https://$confluent_whost/confluent-public/os/$confluent_profile/scripts/onboot.service > /sysroot/etc/systemd/system/onboot.service