chore(release): Bump version to v0.2.2

doc(fields): Document field substitution

Documentation/cloud-config.md

@@ -0,0 +1,187 @@
+# Customize with Cloud-Config
+
+CoreOS allows you to configure networking, create users, launch systemd units on startup and more. We've designed our implementation to allow the same cloud-config file to work across all of our supported platforms.
+
+Only a subset of [cloud-config functionality][cloud-config] is implemented. A set of custom parameters were added to the cloud-config format that are specific to CoreOS. An example file containing all available options can be found at the bottom of this page.
+
+[cloud-config]: http://cloudinit.readthedocs.org/en/latest/topics/format.html#cloud-config-data
+
+## CoreOS Parameters
+
+### coreos.etcd
+
+The `coreos.etcd.*` options are translated to a partial systemd unit acting as an etcd configuration file.
+We can use the templating feature of coreos-cloudinit to automate etcd configuration with the `$private_ipv4` and `$public_ipv4` fields. For example, the following cloud-config document...
+
+```
+#cloud-config
+
+coreos:
+    etcd:
+        name: node001
+        discovery: https://discovery.etcd.io/3445fa65423d8b04df07f59fb40218f8
+        addr: $public_ipv4:4001
+        peer-addr: $private_ipv4:7001
+```
+
+...will generate a systemd unit drop-in like this:
+
+```
+[Service]
+Environment="ETCD_NAME=node001"
+Environment="ETCD_DISCOVERY=https://discovery.etcd.io/3445fa65423d8b04df07f59fb40218f8"
+Environment="ETCD_ADDR=203.0.113.29:4001"
+Environment="ETCD_PEER_ADDR=192.0.2.13:7001"
+```
+
+For more information about the available configuration options, see the [etcd documentation][etcd-config].
+Note that hyphens in the coreos.etcd.* keys are mapped to underscores.
+
+[etcd-config]: https://github.com/coreos/etcd/blob/master/Documentation/configuration.md
+
+### coreos.units
+
+Arbitrary systemd units may be provided in the `coreos.units` attribute.
+`coreos.units` is a list of objects with the following fields:
+
+- **name**: String representing unit's name. Required.
+- **runtime**: Boolean indicating whether or not to persist the unit across reboots. This is analagous to the `--runtime` argument to `systemd enable`. Default value is false.
+- **content**: Plaintext string representing entire unit file. If no value is provided, the unit is assumed to exist already.
+- **command**: Command to execute on unit: start, stop, reload, restart, try-restart, reload-or-restart, reload-or-try-restart. Default value is restart.
+
+**NOTE:** The command field is ignored for all network, netdev, and link units. The systemd-networkd.service unit will be restarted in their place.
+
+##### Examples
+
+Write a unit to disk, automatically starting it.
+
+```
+#cloud-config
+
+coreos:
+    units:
+      - name: docker-redis.service
+        content: |
+          [Unit]
+          Description=Redis container
+          Author=Me
+          After=docker.service
+
+          [Service]
+          Restart=always
+          ExecStart=/usr/bin/docker start -a redis_server
+          ExecStop=/usr/bin/docker stop -t 2 redis_server
+          
+          [Install]
+          WantedBy=local.target
+```
+
+Start the builtin `etcd` and `fleet` services:
+
+```
+# cloud-config
+
+coreos:
+    units:
+      - name: etcd.service
+        command: start
+      - name: fleet.service
+        command: start
+```
+
+## Cloud-Config Parameters
+
+### ssh_authorized_keys
+
+Provided public SSH keys will be authorized for the `core` user.
+
+The keys will be named "coreos-cloudinit" by default.
+Override this with the `--ssh-key-name` flag when calling `coreos-cloudinit`.
+
+```
+#cloud-config
+
+ssh_authorized_keys:
+  - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0g+ZTxC7weoIJLUafOgrm+h...
+```
+
+### hostname
+
+The provided value will be used to set the system's hostname.
+This is the local part of a fully-qualified domain name (i.e. `foo` in `foo.example.com`).
+
+```
+#cloud-config
+
+hostname: coreos1
+```
+
+### users
+
+Add or modify users with the `users` directive by providing a list of user objects, each consisting of the following fields.
+Each field is optional and of type string unless otherwise noted.
+All but the `passwd` and `ssh-authorized-keys` fields will be ignored if the user already exists.
+
+- **name**: Required. Login name of user
+- **gecos**: GECOS comment of user
+- **passwd**: Hash of the password to use for this user
+- **homedir**: User's home directory. Defaults to /home/<name>
+- **no-create-home**: Boolean. Skip home directory creation.
+- **primary-group**: Default group for the user. Defaults to a new group created named after the user.
+- **groups**: Add user to these additional groups
+- **no-user-group**: Boolean. Skip default group creation.
+- **ssh-authorized-keys**: List of public SSH keys to authorize for this user
+- **coreos-ssh-import-github**: Authorize SSH keys from Github user
+- **system**: Create the user as a system user. No home directory will be created.
+- **no-log-init**: Boolean. Skip initialization of lastlog and faillog databases.
+
+The following fields are not yet implemented:
+
+- **inactive**: Deactivate the user upon creation
+- **lock-passwd**: Boolean. Disable password login for user
+- **sudo**: Entry to add to /etc/sudoers for user. By default, no sudo access is authorized.
+- **selinux-user**: Corresponding SELinux user
+- **ssh-import-id**: Import SSH keys by ID from Launchpad.
+
+```
+#cloud-config
+
+users:
+  - name: elroy
+  passwd: $6$5s2u6/jR$un0AvWnqilcgaNB3Mkxd5yYv6mTlWfOoCYHZmfi3LDKVltj.E8XNKEcwWm...
+  groups:
+    - staff
+    - docker
+  ssh-authorized-keys:
+    - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0g+ZTxC7weoIJLUafOgrm+h...
+```
+
+#### Generating a password hash
+
+If you choose to use a password instead of an SSH key, generating a safe hash is extremely important to the security of your system. Simplified hashes like md5crypt are trivial to crack on modern GPU hardware. Here are a few ways to generate secure hashes:
+
+```
+# On Debian/Ubuntu (via the package "whois")
+mkpasswd --method=SHA-512 --rounds=4096
+
+# OpenSSL (note: this will only make md5crypt.  While better than plantext it should not be considered fully secure)
+openssl passwd -1
+
+# Python (change password and salt values)
+python -c "import crypt, getpass, pwd; print crypt.crypt('password', '\$6\$SALT\$')"
+
+# Perl (change password and salt values)
+perl -e 'print crypt("password","\$6\$SALT\$") . "\n"'
+```
+
+Using a higher number of rounds will help create more secure passwords, but given enough time, password hashes can be reversed.  On most RPM based distributions there is a tool called mkpasswd available in the `expect` package, but this does not handle "rounds" nor advanced hashing algorithms. 
+
+### write_files
+
+Inject an arbitrary set of files to the local filesystem.
+Provide a list of objects with the following attributes:
+
+- **path**: Absolute location on disk where contents should be written
+- **content**: Data to write at the provided `path`
+- **permissions**: String representing file permissions in octal notation (i.e. '0644')
+- **owner**: User and group that should own the file written to disk. This is equivalent to the `<user>:<group>` argument to `chown <user>:<group> <path>`.

README.md

@@ -1,36 +1,42 @@
 # coreos-cloudinit
 
-coreos-cloudinit allows a user to customize CoreOS machiens by providing either an executable script or a cloud-config document as instance user-data. See below to learn how to use these features.
+coreos-cloudinit enables a user to customize CoreOS machines by providing either a cloud-config document or an executable script through user-data.
 
+## Configuration with cloud-config
 
-## cloud-config
+A subset of the [official cloud-config spec][official-cloud-config] is implemented by coreos-cloudinit.
+Additionally, several [CoreOS-specific options][custom-cloud-config] have been implemented to support interacting with unit files, bootstrapping etcd clusters, and more.
+All supported cloud-config parameters are [documented here][all-cloud-config]. 
 
-Only a subset of [cloud-config functionality][cloud-config] is implemented. A set of custom parameters were added to the cloud-config format that are specific to CoreOS.
+[official-cloud-config]: http://cloudinit.readthedocs.org/en/latest/topics/format.html#cloud-config-data
+[custom-cloud-config]: https://github.com/coreos/coreos-cloudinit/blob/master/Documentation/cloud-config.md#coreos-parameters
+[all-cloud-config]: https://github.com/coreos/coreos-cloudinit/tree/master/Documentation/cloud-config.md
 
-[cloud-config]: http://cloudinit.readthedocs.org/en/latest/topics/format.html#cloud-config-data
+The following is an example cloud-config document:
 
-### Supported cloud-config Parameters
+```
+#cloud-config
 
-#### ssh_authorized_keys
+coreos:
+    units:
+      - name: etcd.service
+        command: start
 
-Provided public SSH keys will be authorized for the `core` user.
+users:
+  - name: core
+    passwd: $1$allJZawX$00S5T756I5PGdQga5qhqv1
 
-The keys will be named "coreos-cloudinit" by default.
-Override this with the `--ssh-key-name` flag when calling `coreos-cloudinit`.
+write_files:
+  - path: /etc/resolv.conf
+    content: |
+        nameserver 192.0.2.2
+        nameserver 192.0.2.3
+```
 
-### Custom cloud-config Parameters
+## Executing a Script
 
-#### coreos.etcd.discovery_url
-
-The value of `coreos.etcd.discovery_url` will be used to discover the instance's etcd peers using the [etcd discovery protocol][disco-proto]. Usage of the [public discovery service][disco-service] is encouraged.
-
-[disco-proto]: https://github.com/coreos/etcd/blob/master/Documentation/discovery-protocol.md
-[disco-service]: http://discovery.etcd.io
-
-
-## user-data Script
-
-Simply set your user-data to a script where the first line is a shebang:
+coreos-cloudinit supports executing user-data as a script instead of parsing it as a cloud-config document.
+Make sure the first line of your user-data is a shebang and coreos-cloudinit will attempt to execute it:
 
 ```
 #!/bin/bash
@@ -38,20 +44,36 @@ Simply set your user-data to a script where the first line is a shebang:
 echo 'Hello, world!'
 ```
 
-## Examples
+## user-data Field Substitution
 
-### Inject an SSH key, bootstrap etcd, and start fleet using a cloud-config
+coreos-cloudinit will replace the following set of tokens in your user-data with system-generated values.
+
+| Token         | Description |
+| ------------- | ----------- |
+| $public_ipv4  | Public IPv4 address of machine |
+| $private_ipv4 | Private IPv4 address of machine |
+
+These values are determined by CoreOS based on the given provider on which your machine is running.
+Read more about provider-specific functionality in the [CoreOS OEM documentation][oem-doc].
+
+[oem-doc]: https://coreos.com/docs/sdk-distributors/distributors/notes-for-distributors/
+
+For example, submitting the following user-data...
 
 ```
 #cloud-config
-
 coreos:
     etcd:
-		discovery_url: https://discovery.etcd.io/827c73219eeb2fa5530027c37bf18877
-    fleet:
-        autostart: yes
-
-ssh_authorized_keys:
-  - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0g+ZTxC7weoIJLUafOgrm+h...
+        addr: $public_ipv4:4001
+        peer-addr: $private_ipv4:7001
 ```
 
+...will result in this cloud-config document being executed:
+
+```
+#cloud-config
+coreos:
+    etcd:
+        addr: 203.0.113.29:4001
+        peer-addr: 192.0.2.13:7001
+```

cloudinit/cloud_config.go

@@ -1,60 +0,0 @@
-package cloudinit
-
-import (
-	"log"
-
-	"launchpad.net/goyaml"
-)
-
-const DefaultSSHKeyName = "coreos-cloudinit"
-
-type CloudConfig struct {
-	SSH_Authorized_Keys []string
-	Coreos struct{Etcd struct{ Discovery_URL string }; Fleet struct{ Autostart bool } }
-}
-
-func NewCloudConfig(contents []byte) (*CloudConfig, error) {
-	var cfg CloudConfig
-	err := goyaml.Unmarshal(contents, &cfg)
-	return &cfg, err
-}
-
-func (cc CloudConfig) String() string {
-	bytes, err := goyaml.Marshal(cc)
-	if err == nil {
-		return string(bytes)
-	} else {
-		return ""
-	}
-}
-
-func ApplyCloudConfig(cfg CloudConfig, sshKeyName string) error {
-	if len(cfg.SSH_Authorized_Keys) > 0 {
-		err := AuthorizeSSHKeys(sshKeyName, cfg.SSH_Authorized_Keys)
-		if err == nil {
-			log.Printf("Authorized SSH keys for core user")
-		} else {
-			return err
-		}
-	}
-
-	if cfg.Coreos.Etcd.Discovery_URL != "" {
-		err := PersistEtcdDiscoveryURL(cfg.Coreos.Etcd.Discovery_URL)
-		if err == nil {
-			log.Printf("Consumed etcd discovery url")
-		} else {
-			log.Fatalf("Failed to persist etcd discovery url to filesystem: %v", err)
-		}
-	}
-
-	if cfg.Coreos.Fleet.Autostart {
-		err := StartUnit("fleet.service")
-		if err == nil {
-			log.Printf("Started fleet service.")
-		} else {
-			return err
-		}
-	}
-
-	return nil
-}

cloudinit/cloud_config_test.go

@@ -1,78 +0,0 @@
-package cloudinit
-
-import (
-	"testing"
-)
-
-// Assert that the parsing of a cloud config file "generally works"
-func TestCloudConfigEmpty(t *testing.T) {
-	cfg, err := NewCloudConfig([]byte{})
-	if err != nil {
-		t.Fatalf("Encountered unexpected error :%v", err)
-	}
-
-	keys := cfg.SSH_Authorized_Keys
-	if len(keys) != 0 {
-		t.Error("Parsed incorrect number of SSH keys")
-	}
-
-	if cfg.Coreos.Etcd.Discovery_URL != "" {
-		t.Error("Parsed incorrect value of discovery url")
-	}
-
-	if cfg.Coreos.Fleet.Autostart {
-		t.Error("Expected AutostartFleet not to be defined")
-	}
-}
-
-// Assert that the parsing of a cloud config file "generally works"
-func TestCloudConfig(t *testing.T) {
-	contents := []byte(`
-coreos: 
-  etcd:
-    discovery_url: "https://discovery.etcd.io/827c73219eeb2fa5530027c37bf18877"
-  fleet:
-    autostart: Yes
-ssh_authorized_keys:
-  - foobar
-  - foobaz
-`)
-	cfg, err := NewCloudConfig(contents)
-	if err != nil {
-		t.Fatalf("Encountered unexpected error :%v", err)
-	}
-
-	keys := cfg.SSH_Authorized_Keys
-	if len(keys) != 2 {
-		t.Error("Parsed incorrect number of SSH keys")
-	} else if keys[0] != "foobar" {
-		t.Error("Expected first SSH key to be 'foobar'")
-	} else if keys[1] != "foobaz" {
-		t.Error("Expected first SSH key to be 'foobaz'")
-	}
-
-	if cfg.Coreos.Etcd.Discovery_URL != "https://discovery.etcd.io/827c73219eeb2fa5530027c37bf18877" {
-		t.Error("Failed to parse etcd discovery url")
-	}
-
-	if !cfg.Coreos.Fleet.Autostart {
-		t.Error("Expected AutostartFleet to be true")
-	}
-}
-
-// Assert that our interface conversion doesn't panic
-func TestCloudConfigKeysNotList(t *testing.T) {
-	contents := []byte(`
-ssh_authorized_keys:
-  - foo: bar
-`)
-	cfg, err := NewCloudConfig(contents)
-	if err != nil {
-		t.Fatalf("Encountered unexpected error :%v", err)
-	}
-
-	keys := cfg.SSH_Authorized_Keys
-	if len(keys) != 0 {
-		t.Error("Parsed incorrect number of SSH keys")
-	}
-}

cloudinit/etcd.go

@@ -1,25 +0,0 @@
-package cloudinit
-
-import (
-	"io/ioutil"
-	"log"
-	"os"
-	"path"
-)
-
-const (
-	etcdDiscoveryPath = "/var/run/etcd/bootstrap.disco"
-)
-
-func PersistEtcdDiscoveryURL(url string) error {
-	dir := path.Dir(etcdDiscoveryPath)
-	if _, err := os.Stat(dir); err != nil {
-		log.Printf("Creating directory /var/run/etcd")
-		err := os.MkdirAll(dir, os.FileMode(0644))
-		if err != nil {
-			return err
-		}
-	}
-
-	return ioutil.WriteFile(etcdDiscoveryPath, []byte(url), os.FileMode(0644))
-}

cloudinit/systemd.go

@@ -1,41 +0,0 @@
-package cloudinit
-
-import (
-	"fmt"
-	"log"
-	"path"
-
-	"github.com/coreos/go-systemd/dbus"
-)
-
-type Script []byte
-
-func StartUnit(name string) error {
-	conn, err := dbus.New()
-	if err != nil {
-		return err
-	}
-
-	_, err = conn.StartUnit(name, "replace")
-	return err
-}
-
-func ExecuteScript(scriptPath string) (string, error) {
-	props := []dbus.Property{
-		dbus.PropDescription("Unit generated and executed by coreos-cloudinit on behalf of user"),
-		dbus.PropExecStart([]string{"/bin/bash", scriptPath}, false),
-	}
-
-	base := path.Base(scriptPath)
-	name := fmt.Sprintf("coreos-cloudinit-%s.service", base)
-
-	log.Printf("Creating transient systemd unit '%s'", name)
-
-	conn, err := dbus.New()
-	if err != nil {
-		return "", err
-	}
-
-	_, err = conn.StartTransientUnit(name, "replace", props...)
-	return name, err
-}

cloudinit/user_data.go

@@ -1,30 +0,0 @@
-package cloudinit
-
-import (
-	"bufio"
-	"bytes"
-	"fmt"
-	"log"
-	"strings"
-)
-
-func ParseUserData(contents []byte) (interface{}, error) {
-	bytereader := bytes.NewReader(contents)
-	bufreader := bufio.NewReader(bytereader)
-	header, _ := bufreader.ReadString('\n')
-
-	if strings.HasPrefix(header, "#!") {
-		log.Printf("Parsing user-data as script")
-		return Script(contents), nil
-
-	} else if header == "#cloud-config\n" {
-		log.Printf("Parsing user-data as cloud-config")
-		cfg, err := NewCloudConfig(contents)
-		if err != nil {
-			log.Fatal(err.Error())
-		}
-		return *cfg, nil
-	} else {
-		return nil, fmt.Errorf("Unrecognized user-data header: %s", header)
-	}
-}

cloudinit/workspace.go

@@ -1,66 +0,0 @@
-package cloudinit
-
-import (
-	"fmt"
-	"io/ioutil"
-	"os"
-	"path"
-)
-
-func PrepWorkspace(workspace string) error {
-	// Ensure workspace exists and is a directory
-	info, err := os.Stat(workspace)
-	if err == nil {
-		if !info.IsDir() {
-			return fmt.Errorf("%s is not a directory", workspace)
-		}
-	} else {
-		err = os.MkdirAll(workspace, 0644)
-		if err != nil {
-			return err
-		}
-	}
-
-	// Ensure scripts dir in workspace exists and is a directory
-	scripts := path.Join(workspace, "scripts")
-	info, err = os.Stat(scripts)
-	if err == nil {
-		if !info.IsDir() {
-			return fmt.Errorf("%s is not a directory", scripts)
-		}
-	} else {
-		err = os.Mkdir(scripts, 0644)
-		if err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-func PersistScriptInWorkspace(script Script, workspace string) (string, error) {
-	scriptsDir := path.Join(workspace, "scripts")
-	f, err := ioutil.TempFile(scriptsDir, "")
-	if err != nil {
-		return "", err
-	}
-	defer f.Close()
-
-	f.Chmod(0744)
-
-	_, err = f.Write(script)
-	if err != nil {
-		return "", err
-	}
-
-	// Ensure script has been written to disk before returning, as the
-	// next natural thing to do is execute it
-	f.Sync()
-
-	return f.Name(), nil
-}
-
-func PersistScriptUnitNameInWorkspace(name string, workspace string) error {
-	unitPath := path.Join(workspace, "scripts", "unit-name")
-	return ioutil.WriteFile(unitPath, []byte(name), 644)
-}

coreos-cloudinit.go

@@ -1,24 +1,26 @@
 package main
 
 import (
-	"fmt"
 	"flag"
-	"io/ioutil"
-	"os"
+	"fmt"
 	"log"
+	"os"
+	"strings"
 
-	"github.com/coreos/coreos-cloudinit/cloudinit"
+	"github.com/coreos/coreos-cloudinit/datasource"
+	"github.com/coreos/coreos-cloudinit/initialize"
+	"github.com/coreos/coreos-cloudinit/system"
 )
 
-const version = "0.1.1"
+const version = "0.2.2"
 
 func main() {
-	var userdata []byte
-	var err error
-
 	var printVersion bool
 	flag.BoolVar(&printVersion, "version", false, "Print the version and exit")
 
+	var ignoreFailure bool
+	flag.BoolVar(&ignoreFailure, "ignore-failure", false, "Exits with 0 status in the event of malformed input from user-data")
+
 	var file string
 	flag.StringVar(&file, "from-file", "", "Read user-data from provided file")
 
@@ -29,7 +31,7 @@ func main() {
 	flag.StringVar(&workspace, "workspace", "/var/lib/coreos-cloudinit", "Base directory coreos-cloudinit should use to store data")
 
 	var sshKeyName string
-	flag.StringVar(&sshKeyName, "ssh-key-name", cloudinit.DefaultSSHKeyName, "Add SSH keys to the system with the given name")
+	flag.StringVar(&sshKeyName, "ssh-key-name", initialize.DefaultSSHKeyName, "Add SSH keys to the system with the given name")
 
 	flag.Parse()
 
@@ -43,44 +45,62 @@ func main() {
 		os.Exit(1)
 	}
 
+	var ds datasource.Datasource
 	if file != "" {
-		log.Printf("Reading user-data from file: %s", file)
-		userdata, err = ioutil.ReadFile(file)
-		if err != nil {
-			log.Fatal(err.Error())
-		}
+		ds = datasource.NewLocalFile(file)
 	} else if url != "" {
-		log.Printf("Reading user-data from metadata service")
-		svc := cloudinit.NewMetadataService(url)
-		userdata, err = svc.UserData()
-		if err != nil {
-			log.Fatal(err.Error())
-		}
+		ds = datasource.NewMetadataService(url)
 	} else {
 		fmt.Println("Provide one of --from-file or --from-url")
 		os.Exit(1)
 	}
 
-	parsed, err := cloudinit.ParseUserData(userdata)
+	log.Printf("Fetching user-data from datasource of type %q", ds.Type())
+	userdataBytes, err := ds.Fetch()
 	if err != nil {
-		log.Fatalf("Failed parsing user-data: %v", err)
+		log.Printf("Failed fetching user-data from datasource: %v", err)
+		if ignoreFailure {
+			os.Exit(0)
+		} else {
+			os.Exit(1)
+		}
 	}
 
-	err = cloudinit.PrepWorkspace(workspace)
+	if len(userdataBytes) == 0 {
+		log.Printf("No user data to handle, exiting.")
+		os.Exit(0)
+	}
+
+	env := initialize.NewEnvironment("/", workspace)
+
+	userdata := string(userdataBytes)
+	userdata = env.Apply(userdata)
+
+	parsed, err := ParseUserData(userdata)
+	if err != nil {
+		log.Printf("Failed parsing user-data: %v", err)
+		if ignoreFailure {
+			os.Exit(0)
+		} else {
+			os.Exit(1)
+		}
+	}
+
+	err = initialize.PrepWorkspace(env.Workspace())
 	if err != nil {
 		log.Fatalf("Failed preparing workspace: %v", err)
 	}
 
 	switch t := parsed.(type) {
-	case cloudinit.CloudConfig:
-		err = cloudinit.ApplyCloudConfig(t, sshKeyName)
-	case cloudinit.Script:
+	case initialize.CloudConfig:
+		err = initialize.Apply(t, env)
+	case system.Script:
 		var path string
-		path, err = cloudinit.PersistScriptInWorkspace(t, workspace)
+		path, err = initialize.PersistScriptInWorkspace(t, env.Workspace())
 		if err == nil {
 			var name string
-			name, err = cloudinit.ExecuteScript(path)
-			cloudinit.PersistScriptUnitNameInWorkspace(name, workspace)
+			name, err = system.ExecuteScript(path)
+			initialize.PersistUnitNameInWorkspace(name, workspace)
 		}
 	}
 
@@ -88,3 +108,22 @@ func main() {
 		log.Fatalf("Failed resolving user-data: %v", err)
 	}
 }
+
+func ParseUserData(contents string) (interface{}, error) {
+	header := strings.SplitN(contents, "\n", 2)[0]
+
+	if strings.HasPrefix(header, "#!") {
+		log.Printf("Parsing user-data as script")
+		return system.Script(contents), nil
+
+	} else if header == "#cloud-config" {
+		log.Printf("Parsing user-data as cloud-config")
+		cfg, err := initialize.NewCloudConfig(contents)
+		if err != nil {
+			log.Fatal(err.Error())
+		}
+		return *cfg, nil
+	} else {
+		return nil, fmt.Errorf("Unrecognized user-data header: %s", header)
+	}
+}

datasource/datasource.go

@@ -0,0 +1,6 @@
+package datasource
+
+type Datasource interface {
+	Fetch() ([]byte, error)
+	Type()  string
+}

datasource/file.go

@@ -0,0 +1,21 @@
+package datasource
+
+import (
+	"io/ioutil"
+)
+
+type localFile struct {
+	path string
+}
+
+func NewLocalFile(path string) *localFile {
+	return &localFile{path}
+}
+
+func (self *localFile) Fetch() ([]byte, error) {
+	return ioutil.ReadFile(self.path)
+}
+
+func (self *localFile) Type() string {
+	return "local-file"
+}

datasource/metadata_service.go

@@ -1,4 +1,4 @@
-package cloudinit
+package datasource
 
 import (
 	"io/ioutil"
@@ -14,13 +14,17 @@ func NewMetadataService(url string) *metadataService {
 	return &metadataService{url, http.Client{}}
 }
 
-func (ms *metadataService) UserData() ([]byte, error) {
+func (ms *metadataService) Fetch() ([]byte, error) {
 	resp, err := ms.client.Get(ms.url)
 	if err != nil {
 		return []byte{}, err
 	}
-
 	defer resp.Body.Close()
+
+	if resp.StatusCode / 100 != 2 {
+		return []byte{}, nil
+	}
+
 	respBytes, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
@@ -29,4 +33,6 @@ func (ms *metadataService) UserData() ([]byte, error) {
 	return respBytes, nil
 }
 
-
+func (ms *metadataService) Type() string {
+	return "metadata-service"
+}

initialize/config.go

@@ -0,0 +1,163 @@
+package initialize
+
+import (
+	"fmt"
+	"log"
+	"path"
+
+	"github.com/coreos/coreos-cloudinit/third_party/launchpad.net/goyaml"
+
+	"github.com/coreos/coreos-cloudinit/system"
+)
+
+type CloudConfig struct {
+	SSHAuthorizedKeys []string `yaml:"ssh_authorized_keys"`
+	Coreos            struct {
+		Etcd  EtcdEnvironment
+		Units []system.Unit
+	}
+	WriteFiles []system.File `yaml:"write_files"`
+	Hostname   string
+	Users      []system.User
+}
+
+func NewCloudConfig(contents string) (*CloudConfig, error) {
+	var cfg CloudConfig
+	err := goyaml.Unmarshal([]byte(contents), &cfg)
+	return &cfg, err
+}
+
+func (cc CloudConfig) String() string {
+	bytes, err := goyaml.Marshal(cc)
+	if err != nil {
+		return ""
+	}
+
+	stringified := string(bytes)
+	stringified = fmt.Sprintf("#cloud-config\n%s", stringified)
+
+	return stringified
+}
+
+func Apply(cfg CloudConfig, env *Environment) error {
+	if cfg.Hostname != "" {
+		if err := system.SetHostname(cfg.Hostname); err != nil {
+			return err
+		}
+		log.Printf("Set hostname to %s", cfg.Hostname)
+	}
+
+	if len(cfg.Users) > 0 {
+		for _, user := range cfg.Users {
+			if user.Name == "" {
+				log.Printf("User object has no 'name' field, skipping")
+				continue
+			}
+
+			if system.UserExists(&user) {
+				log.Printf("User '%s' exists, ignoring creation-time fields", user.Name)
+				if user.PasswordHash != "" {
+					log.Printf("Setting '%s' user's password", user.Name)
+					if err := system.SetUserPassword(user.Name, user.PasswordHash); err != nil {
+						log.Printf("Failed setting '%s' user's password: %v", user.Name, err)
+						return err
+					}
+				}
+			} else {
+				log.Printf("Creating user '%s'", user.Name)
+				if err := system.CreateUser(&user); err != nil {
+					log.Printf("Failed creating user '%s': %v", user.Name, err)
+					return err
+				}
+			}
+
+			if len(user.SSHAuthorizedKeys) > 0 {
+				log.Printf("Authorizing %d SSH keys for user '%s'", len(user.SSHAuthorizedKeys), user.Name)
+				if err := system.AuthorizeSSHKeys(user.Name, env.SSHKeyName(), user.SSHAuthorizedKeys); err != nil {
+					return err
+				}
+			}
+			if user.SSHImportGithubUser != "" {
+				log.Printf("Authorizing github user %s SSH keys for CoreOS user '%s'", user.SSHImportGithubUser, user.Name)
+				if err := SSHImportGithubUser(user.Name, user.SSHImportGithubUser); err != nil {
+					return err
+				}
+			}
+		}
+	}
+
+	if len(cfg.SSHAuthorizedKeys) > 0 {
+		err := system.AuthorizeSSHKeys("core", env.SSHKeyName(), cfg.SSHAuthorizedKeys)
+		if err == nil {
+			log.Printf("Authorized SSH keys for core user")
+		} else {
+			return err
+		}
+	}
+
+	if len(cfg.WriteFiles) > 0 {
+		for _, file := range cfg.WriteFiles {
+			file.Path = path.Join(env.Root(), file.Path)
+			if err := system.WriteFile(&file); err != nil {
+				return err
+			}
+			log.Printf("Wrote file %s to filesystem", file.Path)
+		}
+	}
+
+	if len(cfg.Coreos.Etcd) > 0 {
+		if err := WriteEtcdEnvironment(cfg.Coreos.Etcd, env.Root()); err != nil {
+			log.Fatalf("Failed to write etcd config to filesystem: %v", err)
+		}
+
+		log.Printf("Wrote etcd config file to filesystem")
+	}
+
+	if len(cfg.Coreos.Units) > 0 {
+		commands := make(map[string]string, 0)
+
+		for _, unit := range cfg.Coreos.Units {
+			if unit.Content != "" {
+				log.Printf("Writing unit %s to filesystem", unit.Name)
+				dst, err := system.PlaceUnit(&unit, env.Root())
+				if err != nil {
+					return err
+				}
+				log.Printf("Placed unit %s at %s", unit.Name, dst)
+
+				if unit.Group() != "network" {
+					log.Printf("Enabling unit file %s", dst)
+					if err := system.EnableUnitFile(dst, unit.Runtime); err != nil {
+						return err
+					}
+					log.Printf("Enabled unit %s", unit.Name)
+				} else {
+					log.Printf("Skipping enable for network-like unit %s", unit.Name)
+				}
+			}
+
+			if unit.Group() != "network" {
+				command := unit.Command
+				if command == "" {
+					command = "restart"
+				}
+				commands[unit.Name] = command
+			} else {
+				commands["systemd-networkd.service"] = "restart"
+			}
+		}
+
+		system.DaemonReload()
+
+		for unit, command := range commands {
+			log.Printf("Calling unit command '%s %s'", command, unit)
+			res, err := system.RunUnitCommand(command, unit)
+			if err != nil {
+				return err
+			}
+			log.Printf("Result of '%s %s': %s", command, unit, res)
+		}
+	}
+
+	return nil
+}

initialize/config_test.go

@@ -0,0 +1,234 @@
+package initialize
+
+import (
+	"strings"
+	"testing"
+)
+
+// Assert that the parsing of a cloud config file "generally works"
+func TestCloudConfigEmpty(t *testing.T) {
+	cfg, err := NewCloudConfig("")
+	if err != nil {
+		t.Fatalf("Encountered unexpected error :%v", err)
+	}
+
+	keys := cfg.SSHAuthorizedKeys
+	if len(keys) != 0 {
+		t.Error("Parsed incorrect number of SSH keys")
+	}
+
+	if len(cfg.WriteFiles) != 0 {
+		t.Error("Expected zero WriteFiles")
+	}
+
+	if cfg.Hostname != "" {
+		t.Errorf("Expected hostname to be empty, got '%s'", cfg.Hostname)
+	}
+}
+
+// Assert that the parsing of a cloud config file "generally works"
+func TestCloudConfig(t *testing.T) {
+	contents := `
+coreos: 
+  etcd:
+    discovery: "https://discovery.etcd.io/827c73219eeb2fa5530027c37bf18877"
+  units:
+    - name: 50-eth0.network
+      runtime: yes
+      content: '[Match]
+ 
+    Name=eth47
+ 
+ 
+    [Network]
+ 
+    Address=10.209.171.177/19
+ 
+'
+ssh_authorized_keys:
+  - foobar
+  - foobaz
+write_files:
+  - content: |
+      penny
+      elroy
+    path: /etc/dogepack.conf
+    permissions: '0644'
+    owner: root:dogepack
+hostname: trontastic
+`
+	cfg, err := NewCloudConfig(contents)
+	if err != nil {
+		t.Fatalf("Encountered unexpected error :%v", err)
+	}
+
+	keys := cfg.SSHAuthorizedKeys
+	if len(keys) != 2 {
+		t.Error("Parsed incorrect number of SSH keys")
+	} else if keys[0] != "foobar" {
+		t.Error("Expected first SSH key to be 'foobar'")
+	} else if keys[1] != "foobaz" {
+		t.Error("Expected first SSH key to be 'foobaz'")
+	}
+
+	if len(cfg.WriteFiles) != 1 {
+		t.Error("Failed to parse correct number of write_files")
+	} else {
+		wf := cfg.WriteFiles[0]
+		if wf.Content != "penny\nelroy\n" {
+			t.Errorf("WriteFile has incorrect contents '%s'", wf.Content)
+		}
+		if wf.Encoding != "" {
+			t.Errorf("WriteFile has incorrect encoding %s", wf.Encoding)
+		}
+		if perm, _ := wf.Permissions(); perm != 0644 {
+			t.Errorf("WriteFile has incorrect permissions %s", perm)
+		}
+		if wf.Path != "/etc/dogepack.conf" {
+			t.Errorf("WriteFile has incorrect path %s", wf.Path)
+		}
+		if wf.Owner != "root:dogepack" {
+			t.Errorf("WriteFile has incorrect owner %s", wf.Owner)
+		}
+	}
+
+	if len(cfg.Coreos.Units) != 1 {
+		t.Error("Failed to parse correct number of units")
+	} else {
+		u := cfg.Coreos.Units[0]
+		expect := `[Match]
+Name=eth47
+
+[Network]
+Address=10.209.171.177/19
+`
+		if u.Content != expect {
+			t.Errorf("Unit has incorrect contents '%s'.\nExpected '%s'.", u.Content, expect)
+		}
+		if u.Runtime != true {
+			t.Errorf("Unit has incorrect runtime value")
+		}
+		if u.Name != "50-eth0.network" {
+			t.Errorf("Unit has incorrect name %s", u.Name)
+		}
+		if u.Type() != "network" {
+			t.Errorf("Unit has incorrect type '%s'", u.Type())
+		}
+	}
+
+	if cfg.Hostname != "trontastic" {
+		t.Errorf("Failed to parse hostname")
+	}
+}
+
+// Assert that our interface conversion doesn't panic
+func TestCloudConfigKeysNotList(t *testing.T) {
+	contents := `
+ssh_authorized_keys:
+  - foo: bar
+`
+	cfg, err := NewCloudConfig(contents)
+	if err != nil {
+		t.Fatalf("Encountered unexpected error :%v", err)
+	}
+
+	keys := cfg.SSHAuthorizedKeys
+	if len(keys) != 0 {
+		t.Error("Parsed incorrect number of SSH keys")
+	}
+}
+
+func TestCloudConfigSerializationHeader(t *testing.T) {
+	cfg, _ := NewCloudConfig("")
+	contents := cfg.String()
+	header := strings.SplitN(contents, "\n", 2)[0]
+	if header != "#cloud-config" {
+		t.Fatalf("Serialized config did not have expected header")
+	}
+}
+
+func TestCloudConfigUsers(t *testing.T) {
+	contents := `
+users:
+  - name: elroy
+    passwd: somehash
+    ssh-authorized-keys:
+      - somekey
+    gecos: arbitrary comment
+    homedir: /home/place
+    no-create-home: yes
+    primary-group: things
+    groups:
+      - ping
+      - pong
+    no-user-group: true
+    system: y
+    no-log-init: True
+`
+	cfg, err := NewCloudConfig(contents)
+	if err != nil {
+		t.Fatalf("Encountered unexpected error: %v", err)
+	}
+
+	if len(cfg.Users) != 1 {
+		t.Fatalf("Parsed %d users, expected 1", cfg.Users)
+	}
+
+	user := cfg.Users[0]
+
+	if user.Name != "elroy" {
+		t.Errorf("User name is %q, expected 'elroy'", user.Name)
+	}
+
+	if user.PasswordHash != "somehash" {
+		t.Errorf("User passwd is %q, expected 'somehash'", user.PasswordHash)
+	}
+
+	if keys := user.SSHAuthorizedKeys; len(keys) != 1 {
+		t.Errorf("Parsed %d ssh keys, expected 1", len(keys))
+	} else {
+		key := user.SSHAuthorizedKeys[0]
+		if key != "somekey" {
+			t.Errorf("User SSH key is %q, expected 'somekey'", key)
+		}
+	}
+
+	if user.GECOS != "arbitrary comment" {
+		t.Errorf("Failed to parse gecos field, got %q", user.GECOS)
+	}
+
+	if user.Homedir != "/home/place" {
+		t.Errorf("Failed to parse homedir field, got %q", user.Homedir)
+	}
+
+	if !user.NoCreateHome {
+		t.Errorf("Failed to parse no-create-home field")
+	}
+
+	if user.PrimaryGroup != "things" {
+		t.Errorf("Failed to parse primary-group field, got %q", user.PrimaryGroup)
+	}
+
+	if len(user.Groups) != 2 {
+		t.Errorf("Failed to parse 2 goups, got %d", len(user.Groups))
+	} else {
+		if user.Groups[0] != "ping" {
+			t.Errorf("First group was %q, not expected value 'ping'", user.Groups[0])
+		}
+		if user.Groups[1] != "pong" {
+			t.Errorf("First group was %q, not expected value 'pong'", user.Groups[1])
+		}
+	}
+
+	if !user.NoUserGroup {
+		t.Errorf("Failed to parse no-user-group field")
+	}
+
+	if !user.System {
+		t.Errorf("Failed to parse system field")
+	}
+
+	if !user.NoLogInit {
+		t.Errorf("Failed to parse no-log-init field")
+	}
+}

initialize/env.go

@@ -0,0 +1,47 @@
+package initialize
+
+import (
+	"os"
+	"path"
+	"strings"
+)
+
+const DefaultSSHKeyName = "coreos-cloudinit"
+
+type Environment struct {
+	root          string
+	workspace     string
+	sshKeyName    string
+	substitutions map[string]string
+}
+
+func NewEnvironment(root, workspace string) *Environment {
+	substitutions := map[string]string{
+		"$public_ipv4":  os.Getenv("COREOS_PUBLIC_IPV4"),
+		"$private_ipv4": os.Getenv("COREOS_PRIVATE_IPV4"),
+	}
+	return &Environment{root, workspace, DefaultSSHKeyName, substitutions}
+}
+
+func (self *Environment) Workspace() string {
+	return path.Join(self.root, self.workspace)
+}
+
+func (self *Environment) Root() string {
+	return self.root
+}
+
+func (self *Environment) SSHKeyName() string {
+	return self.sshKeyName
+}
+
+func (self *Environment) SetSSHKeyName(name string) {
+	self.sshKeyName = name
+}
+
+func (self *Environment) Apply(data string) string {
+	for key, val := range self.substitutions {
+		data = strings.Replace(data, key, val, -1)
+	}
+	return data
+}

initialize/env_test.go

@@ -0,0 +1,27 @@
+package initialize
+
+import (
+	"os"
+	"testing"
+)
+
+func TestEnvironmentApply(t *testing.T) {
+	os.Setenv("COREOS_PUBLIC_IPV4", "192.0.2.3")
+	os.Setenv("COREOS_PRIVATE_IPV4", "192.0.2.203")
+	env := NewEnvironment("./", "./")
+	input := `[Service]
+ExecStart=/usr/bin/echo "$public_ipv4"
+ExecStop=/usr/bin/echo $private_ipv4
+ExecStop=/usr/bin/echo $unknown
+`
+	expected := `[Service]
+ExecStart=/usr/bin/echo "192.0.2.3"
+ExecStop=/usr/bin/echo 192.0.2.203
+ExecStop=/usr/bin/echo $unknown
+`
+
+	output := env.Apply(input)
+	if output != expected {
+		t.Fatalf("Environment incorrectly applied.\nOutput:\n%s\nExpected:\n%s", output, expected)
+	}
+}

initialize/etcd.go

@@ -0,0 +1,62 @@
+package initialize
+
+import (
+	"errors"
+	"fmt"
+	"path"
+	"strings"
+
+	"github.com/coreos/coreos-cloudinit/system"
+)
+
+type EtcdEnvironment map[string]string
+
+func (ec EtcdEnvironment) normalized() map[string]string {
+	out := make(map[string]string, len(ec))
+	for key, val := range ec {
+		key = strings.ToUpper(key)
+		key = strings.Replace(key, "-", "_", -1)
+		out[key] = val
+	}
+	return out
+}
+
+func (ec EtcdEnvironment) String() (out string) {
+	norm := ec.normalized()
+
+	if val, ok := norm["DISCOVERY_URL"]; ok {
+		delete(norm, "DISCOVERY_URL")
+		if _, ok := norm["DISCOVERY"]; !ok {
+			norm["DISCOVERY"] = val
+		}
+	}
+
+	out += "[Service]\n"
+
+	for key, val := range norm {
+		out += fmt.Sprintf("Environment=\"ETCD_%s=%s\"\n", key, val)
+	}
+
+	return
+}
+
+// Write an EtcdEnvironment to the appropriate path on disk for etcd.service
+func WriteEtcdEnvironment(env EtcdEnvironment, root string) error {
+	if _, ok := env["name"]; !ok {
+		if machineID := system.MachineID(root); machineID != "" {
+			env["name"] = machineID
+		} else if hostname, err := system.Hostname(); err == nil {
+			env["name"] = hostname
+		} else {
+			return errors.New("Unable to determine default etcd name")
+		}
+	}
+
+	file := system.File{
+		Path: path.Join(root, "run", "systemd", "system", "etcd.service.d", "20-cloudinit.conf"),
+		RawFilePermissions: "0644",
+		Content: env.String(),
+	}
+
+	return system.WriteFile(&file)
+}

initialize/etcd_test.go

@@ -0,0 +1,139 @@
+package initialize
+
+import (
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"path"
+	"syscall"
+	"testing"
+)
+
+func TestEtcdEnvironment(t *testing.T) {
+	cfg := make(EtcdEnvironment, 0)
+	cfg["discovery"] = "http://disco.example.com/foobar"
+	cfg["peer-bind-addr"] = "127.0.0.1:7002"
+
+	env := cfg.String()
+	expect := `[Service]
+Environment="ETCD_DISCOVERY=http://disco.example.com/foobar"
+Environment="ETCD_PEER_BIND_ADDR=127.0.0.1:7002"
+`
+
+	if env != expect {
+		t.Errorf("Generated environment:\n%s\nExpected environment:\n%s", env, expect)
+	}
+}
+
+func TestEtcdEnvironmentDiscoveryURLTranslated(t *testing.T) {
+	cfg := make(EtcdEnvironment, 0)
+	cfg["discovery_url"] = "http://disco.example.com/foobar"
+	cfg["peer-bind-addr"] = "127.0.0.1:7002"
+
+	env := cfg.String()
+	expect := `[Service]
+Environment="ETCD_DISCOVERY=http://disco.example.com/foobar"
+Environment="ETCD_PEER_BIND_ADDR=127.0.0.1:7002"
+`
+
+	if env != expect {
+		t.Errorf("Generated environment:\n%s\nExpected environment:\n%s", env, expect)
+	}
+}
+
+func TestEtcdEnvironmentDiscoveryOverridesDiscoveryURL(t *testing.T) {
+	cfg := make(EtcdEnvironment, 0)
+	cfg["discovery_url"] = "ping"
+	cfg["discovery"] = "pong"
+	cfg["peer-bind-addr"] = "127.0.0.1:7002"
+
+	env := cfg.String()
+	expect := `[Service]
+Environment="ETCD_DISCOVERY=pong"
+Environment="ETCD_PEER_BIND_ADDR=127.0.0.1:7002"
+`
+
+	if env != expect {
+		t.Errorf("Generated environment:\n%s\nExpected environment:\n%s", env, expect)
+	}
+}
+
+func TestEtcdEnvironmentWrittenToDisk(t *testing.T) {
+	ec := EtcdEnvironment{
+		"name": "node001",
+		"discovery": "http://disco.example.com/foobar",
+		"peer-bind-addr": "127.0.0.1:7002",
+	}
+	dir, err := ioutil.TempDir(os.TempDir(), "coreos-cloudinit-")
+	if err != nil {
+		t.Fatalf("Unable to create tempdir: %v", err)
+	}
+	defer syscall.Rmdir(dir)
+
+	if err := WriteEtcdEnvironment(ec, dir); err != nil {
+		t.Fatalf("Processing of EtcdEnvironment failed: %v", err)
+	}
+
+	fullPath := path.Join(dir, "run", "systemd", "system", "etcd.service.d", "20-cloudinit.conf")
+
+	fi, err := os.Stat(fullPath)
+	if err != nil {
+		t.Fatalf("Unable to stat file: %v", err)
+	}
+
+	if fi.Mode() != os.FileMode(0644) {
+		t.Errorf("File has incorrect mode: %v", fi.Mode())
+	}
+
+	contents, err := ioutil.ReadFile(fullPath)
+	if err != nil {
+		t.Fatalf("Unable to read expected file: %v", err)
+	}
+
+	expect := `[Service]
+Environment="ETCD_NAME=node001"
+Environment="ETCD_DISCOVERY=http://disco.example.com/foobar"
+Environment="ETCD_PEER_BIND_ADDR=127.0.0.1:7002"
+`
+	if string(contents) != expect {
+		t.Fatalf("File has incorrect contents")
+	}
+}
+
+func TestEtcdEnvironmentWrittenToDiskDefaultToMachineID(t *testing.T) {
+	ec := EtcdEnvironment{}
+	dir, err := ioutil.TempDir(os.TempDir(), "coreos-cloudinit-")
+	if err != nil {
+		t.Fatalf("Unable to create tempdir: %v", err)
+	}
+	defer syscall.Rmdir(dir)
+
+	os.Mkdir(path.Join(dir, "etc"), os.FileMode(0755))
+	err = ioutil.WriteFile(path.Join(dir, "etc", "machine-id"), []byte("node007"), os.FileMode(0444))
+	if err != nil {
+		t.Fatalf("Failed writing out /etc/machine-id: %v", err)
+	}
+
+	if err := WriteEtcdEnvironment(ec, dir); err != nil {
+		t.Fatalf("Processing of EtcdEnvironment failed: %v", err)
+	}
+
+	fullPath := path.Join(dir, "run", "systemd", "system", "etcd.service.d", "20-cloudinit.conf")
+
+	contents, err := ioutil.ReadFile(fullPath)
+	if err != nil {
+		t.Fatalf("Unable to read expected file: %v", err)
+	}
+
+	expect := `[Service]
+Environment="ETCD_NAME=node007"
+`
+	if string(contents) != expect {
+		t.Fatalf("File has incorrect contents")
+	}
+}
+
+func rmdir(path string) error {
+    cmd := exec.Command("rm", "-rf", path)
+    return cmd.Run()
+}

initialize/github.go

@@ -0,0 +1,52 @@
+package initialize
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+
+	"github.com/coreos/coreos-cloudinit/system"
+)
+
+type GithubUserKey struct {
+	Id  int    `json:"id"`
+	Key string `json:"key"`
+}
+
+func fetchGithubKeys(github_url string) ([]string, error) {
+	res, err := http.Get(github_url)
+	defer res.Body.Close()
+	if err != nil {
+		return nil, err
+	}
+	body, err := ioutil.ReadAll(res.Body)
+	if err != nil {
+		return nil, err
+	}
+	var data []GithubUserKey
+	err = json.Unmarshal(body, &data)
+	if err != nil {
+		return nil, err
+	}
+	keys := make([]string, 0)
+	for _, key := range data {
+		keys = append(keys, key.Key)
+	}
+	return keys, err
+
+}
+
+func SSHImportGithubUser(system_user string, github_user string) error {
+	url := fmt.Sprintf("https://api.github.com/users/%s/keys", github_user)
+	keys, err := fetchGithubKeys(url)
+	if err != nil {
+		return err
+	}
+	key_name := fmt.Sprintf("github-%s", github_user)
+	err = system.AuthorizeSSHKeys(system_user, key_name, keys)
+	if err != nil {
+		return err
+	}
+	return nil
+}

initialize/github_test.go

@@ -0,0 +1,71 @@
+package initialize
+
+import (
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+)
+
+func TestCloudConfigUsersGithubMarshal(t *testing.T) {
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		gh_res := `
+[
+  {
+    "id": 67057,
+    "key": "ssh-dss AAAAB3NzaC1kc3MAAACBAIHAu822ggSkIHrJYvhmBceOSVjuflfQm8RbMMDNVe9relQfuPbN+nxGGTCKzPLebeOcX+Wwi77TPXWwK3BZMglfXxhABlFPsuMb63Tqp94pBYsJdx/iFj9iGo6pKoM1k8ubOcqsUnq+BR9895zRbE7MjdwkGo67+QhCEwvkwAnNAAAAFQCuddVqXLCubzqnWmeHLQE+2GFfHwAAAIBnlXW5h15ndVuwi0htF4oodVSB1KwnTWcuBK+aE1zRs76yvRb0Ws+oifumThDwB/Tec6FQuAfRKfy6piChZqsu5KvL98I+2t5yyi1td+kMvdTnVL2lW44etDKseOcozmknCOmh4Dqvhl/2MwrDAhlPaN08EEq9h3w3mXtNLWH64QAAAIBAzDOKr17llngaKIdDXh+LtXKh87+zfjlTA36/9r2uF2kYE5uApDtu9sPCkt7+YBQt7R8prADPckwAiXwVdk0xijIOpLDBmoydQJJRQ+zTMxvpQmUr/1kUOv0zb+lB657CgvN0vVTmP2swPeMvgntt3C4vw7Ab+O+MS9peOAJbbQ=="
+  },
+  {
+    "id": 3340477,
+    "key": "ssh-dss AAAAB3NzaC1kc3MAAACBANxpzIbTzKTeBRaOIdUxwwGwvDasTfU/PonhbNIuhYjc+xFGvBRTumox2F+luVAKKs4WdvA4nJXaY1OFi6DZftk5Bp4E2JaSzp8ulAzHsMexDdv6LGHGEJj/qdHAL1vHk2K89PpwRFSRZI8XRBLjvkr4ZgBKLG5ZILXPJEPP2j3lAAAAFQCtxoTnV8wy0c4grcGrQ+1sCsD7WQAAAIAqZsW2GviMe1RQrbZT0xAZmI64XRPrnLsoLxycHWlS7r6uUln2c6Ae2MB/YF0d4Kd1XZii9GHj7rrypqEo7MW8uSabhu70nmu1J8m2O3Dsr+4oJLeat9vwPsJV92IKO0jQwjKnAOHOiB9JKGeCw+NfXfogbti9/q38Q6XcS+SI5wAAAIEA1803Y2h+tOOpZXAsNIwl9mRfExWzLQ3L7knwJdznQu/6SW1H/1oyoYLebuk187Qj2UFI5qQ6AZNc49DvohWx0Cg6ABcyubNyoaCjZKWIdxVnItHWNbLe//+tyTu0I2eQwJOORsEPK5gMpf599C7wXQ//DzZOWbTWiHEX52gCTmk="
+  },
+  {
+    "id": 5224438,
+    "key": "ssh-dss AAAAB3NzaC1kc3MAAACBAPKRWdKhzGZuLAJL6M1eM51hWViMqNBC2C6lm2OqGRYLuIf1GJ391widUuSf4wQqnkR22Q9PCmAZ19XCf11wBRMnuw9I/Z3Bt5bXfc+dzFBCmHYGJ6wNSv++H9jxyMb+usmsenWOFZGNO2jN0wrJ4ay8Yt0bwtRU+VCXpuRLszMzAAAAFQDZUIuPjcfK5HLgnwZ/J3lvtvlUjQAAAIEApIkAwLuCQV5j3U6DmI/Y6oELqSUR2purFm8jo8jePFfe1t+ghikgD254/JXlhDCVgY0NLXcak+coJfGCTT23quJ7I5xdpTn/OZO2Q6Woum/bijFC/UWwQbLz0R2nU3DoHv5v6XHQZxuIG4Fsxa91S+vWjZFtI7RuYlBCZA//ANMAAACBAJO0FojzkX6IeaWLqrgu9GTkFwGFazZ+LPH5JOWPoPn1hQKuR32Uf6qNcBZcIjY7SF0P7HF5rLQd6zKZzHqqQQ92MV555NEwjsnJglYU8CaaZsfYooaGPgA1YN7RhTSAuDmUW5Hyfj5BH4NTtrzrvJxIhDoQLf31Fasjw00r4R0O"
+  }
+]
+`
+		fmt.Fprintln(w, gh_res)
+	}))
+	defer ts.Close()
+
+	keys, err := fetchGithubKeys(ts.URL)
+	if err != nil {
+		t.Fatalf("Encountered unexpected error: %v", err)
+	}
+	expected := "ssh-dss AAAAB3NzaC1kc3MAAACBAIHAu822ggSkIHrJYvhmBceOSVjuflfQm8RbMMDNVe9relQfuPbN+nxGGTCKzPLebeOcX+Wwi77TPXWwK3BZMglfXxhABlFPsuMb63Tqp94pBYsJdx/iFj9iGo6pKoM1k8ubOcqsUnq+BR9895zRbE7MjdwkGo67+QhCEwvkwAnNAAAAFQCuddVqXLCubzqnWmeHLQE+2GFfHwAAAIBnlXW5h15ndVuwi0htF4oodVSB1KwnTWcuBK+aE1zRs76yvRb0Ws+oifumThDwB/Tec6FQuAfRKfy6piChZqsu5KvL98I+2t5yyi1td+kMvdTnVL2lW44etDKseOcozmknCOmh4Dqvhl/2MwrDAhlPaN08EEq9h3w3mXtNLWH64QAAAIBAzDOKr17llngaKIdDXh+LtXKh87+zfjlTA36/9r2uF2kYE5uApDtu9sPCkt7+YBQt7R8prADPckwAiXwVdk0xijIOpLDBmoydQJJRQ+zTMxvpQmUr/1kUOv0zb+lB657CgvN0vVTmP2swPeMvgntt3C4vw7Ab+O+MS9peOAJbbQ=="
+	if keys[0] != expected {
+		t.Fatalf("expected %s, got %s", expected, keys[0])
+	}
+	expected = "ssh-dss AAAAB3NzaC1kc3MAAACBAPKRWdKhzGZuLAJL6M1eM51hWViMqNBC2C6lm2OqGRYLuIf1GJ391widUuSf4wQqnkR22Q9PCmAZ19XCf11wBRMnuw9I/Z3Bt5bXfc+dzFBCmHYGJ6wNSv++H9jxyMb+usmsenWOFZGNO2jN0wrJ4ay8Yt0bwtRU+VCXpuRLszMzAAAAFQDZUIuPjcfK5HLgnwZ/J3lvtvlUjQAAAIEApIkAwLuCQV5j3U6DmI/Y6oELqSUR2purFm8jo8jePFfe1t+ghikgD254/JXlhDCVgY0NLXcak+coJfGCTT23quJ7I5xdpTn/OZO2Q6Woum/bijFC/UWwQbLz0R2nU3DoHv5v6XHQZxuIG4Fsxa91S+vWjZFtI7RuYlBCZA//ANMAAACBAJO0FojzkX6IeaWLqrgu9GTkFwGFazZ+LPH5JOWPoPn1hQKuR32Uf6qNcBZcIjY7SF0P7HF5rLQd6zKZzHqqQQ92MV555NEwjsnJglYU8CaaZsfYooaGPgA1YN7RhTSAuDmUW5Hyfj5BH4NTtrzrvJxIhDoQLf31Fasjw00r4R0O"
+	if keys[2] != expected {
+		t.Fatalf("expected %s, got %s", expected, keys[2])
+	}
+
+}
+func TestCloudConfigUsersGithubUser(t *testing.T) {
+
+	contents := `
+users:
+  - name: elroy
+    coreos-ssh-import-github: bcwaldon
+`
+	cfg, err := NewCloudConfig(contents)
+	if err != nil {
+		t.Fatalf("Encountered unexpected error: %v", err)
+	}
+
+	if len(cfg.Users) != 1 {
+		t.Fatalf("Parsed %d users, expected 1", cfg.Users)
+	}
+
+	user := cfg.Users[0]
+
+	if user.Name != "elroy" {
+		t.Errorf("User name is %q, expected 'elroy'", user.Name)
+	}
+
+	if user.SSHImportGithubUser != "bcwaldon" {
+		t.Errorf("github user is %q, expected 'bcwaldon'", user.SSHImportGithubUser)
+	}
+}

initialize/workspace.go

@@ -0,0 +1,48 @@
+package initialize
+
+import (
+	"io/ioutil"
+	"path"
+
+	"github.com/coreos/coreos-cloudinit/system"
+)
+
+func PrepWorkspace(workspace string) error {
+	if err := system.EnsureDirectoryExists(workspace); err != nil {
+		return err
+	}
+
+	scripts := path.Join(workspace, "scripts")
+	if err := system.EnsureDirectoryExists(scripts); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func PersistScriptInWorkspace(script system.Script, workspace string) (string, error) {
+	scriptsPath := path.Join(workspace, "scripts")
+	tmp, err := ioutil.TempFile(scriptsPath, "")
+	if err != nil {
+		return "", err
+	}
+	tmp.Close()
+
+	file := system.File{
+		Path: tmp.Name(),
+		RawFilePermissions: "0744",
+		Content: string(script),
+	}
+
+	err = system.WriteFile(&file)
+	return file.Path, err
+}
+
+func PersistUnitNameInWorkspace(name string, workspace string) error {
+	file := system.File{
+		Path: path.Join(workspace, "scripts", "unit-name"),
+		RawFilePermissions: "0644",
+		Content: name,
+	}
+	return system.WriteFile(&file)
+}

system/file.go

@@ -0,0 +1,77 @@
+package system
+
+import (
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"path"
+	"strconv"
+)
+
+type File struct {
+	Encoding    string
+	Content     string
+	Owner       string
+	Path        string
+	RawFilePermissions string `yaml:"permissions"`
+}
+
+func (f *File) Permissions() (os.FileMode, error) {
+	if f.RawFilePermissions == "" {
+		return os.FileMode(0644), nil
+	}
+
+	// Parse string representation of file mode as octal
+	perm, err := strconv.ParseInt(f.RawFilePermissions, 8, 32)
+	if err != nil {
+		return 0, errors.New("Unable to parse file permissions as octal integer")
+	}
+	return os.FileMode(perm), nil
+}
+
+
+func WriteFile(f *File) error {
+	if f.Encoding != "" {
+		return fmt.Errorf("Unable to write file with encoding %s", f.Encoding)
+	}
+
+	if err := os.MkdirAll(path.Dir(f.Path), os.FileMode(0755)); err != nil {
+		return err
+	}
+
+	perm, err := f.Permissions()
+	if err != nil {
+		return err
+	}
+
+	if err := ioutil.WriteFile(f.Path, []byte(f.Content), perm); err != nil {
+		return err
+	}
+
+	if f.Owner != "" {
+		// We shell out since we don't have a way to look up unix groups natively
+		cmd := exec.Command("chown", f.Owner, f.Path)
+		if err := cmd.Run(); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func EnsureDirectoryExists(dir string) error {
+	info, err := os.Stat(dir)
+	if err == nil {
+		if !info.IsDir() {
+			return fmt.Errorf("%s is not a directory", dir)
+		}
+	} else {
+		err = os.MkdirAll(dir, 0755)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}

system/file_test.go

@@ -0,0 +1,111 @@
+package system
+
+import (
+	"io/ioutil"
+	"os"
+	"path"
+	"syscall"
+	"testing"
+)
+
+func TestWriteFileUnencodedContent(t *testing.T) {
+	dir, err := ioutil.TempDir(os.TempDir(), "coreos-cloudinit-")
+	if err != nil {
+		t.Fatalf("Unable to create tempdir: %v", err)
+	}
+	defer syscall.Rmdir(dir)
+
+	fullPath := path.Join(dir, "tmp", "foo")
+
+	wf := File{
+		Path:        fullPath,
+		Content:     "bar",
+		RawFilePermissions: "0644",
+	}
+
+	if err := WriteFile(&wf); err != nil {
+		t.Fatalf("Processing of WriteFile failed: %v", err)
+	}
+
+	fi, err := os.Stat(fullPath)
+	if err != nil {
+		t.Fatalf("Unable to stat file: %v", err)
+	}
+
+	if fi.Mode() != os.FileMode(0644) {
+		t.Errorf("File has incorrect mode: %v", fi.Mode())
+	}
+
+	contents, err := ioutil.ReadFile(fullPath)
+	if err != nil {
+		t.Fatalf("Unable to read expected file: %v", err)
+	}
+
+	if string(contents) != "bar" {
+		t.Fatalf("File has incorrect contents")
+	}
+}
+
+func TestWriteFileInvalidPermission(t *testing.T) {
+	dir, err := ioutil.TempDir(os.TempDir(), "coreos-cloudinit-")
+	if err != nil {
+		t.Fatalf("Unable to create tempdir: %v", err)
+	}
+	defer syscall.Rmdir(dir)
+
+	wf := File{
+		Path:        path.Join(dir, "tmp", "foo"),
+		Content:     "bar",
+		RawFilePermissions: "pants",
+	}
+
+	if err := WriteFile(&wf); err == nil {
+		t.Fatalf("Expected error to be raised when writing file with invalid permission")
+	}
+}
+
+func TestWriteFilePermissions(t *testing.T) {
+	dir, err := ioutil.TempDir(os.TempDir(), "coreos-cloudinit-")
+	if err != nil {
+		t.Fatalf("Unable to create tempdir: %v", err)
+	}
+	defer syscall.Rmdir(dir)
+
+	fullPath := path.Join(dir, "tmp", "foo")
+
+	wf := File{
+		Path:               fullPath,
+		RawFilePermissions: "0755",
+	}
+
+	if err := WriteFile(&wf); err != nil {
+		t.Fatalf("Processing of WriteFile failed: %v", err)
+	}
+
+	fi, err := os.Stat(fullPath)
+	if err != nil {
+		t.Fatalf("Unable to stat file: %v", err)
+	}
+
+	if fi.Mode() != os.FileMode(0755) {
+		t.Errorf("File has incorrect mode: %v", fi.Mode())
+	}
+}
+
+func TestWriteFileEncodedContent(t *testing.T) {
+	dir, err := ioutil.TempDir(os.TempDir(), "coreos-cloudinit-")
+	if err != nil {
+		t.Fatalf("Unable to create tempdir: %v", err)
+	}
+	defer syscall.Rmdir(dir)
+
+	wf := File{
+		Path: path.Join(dir, "tmp", "foo"),
+		Content: "",
+		Encoding: "base64",
+	}
+
+	if err := WriteFile(&wf); err == nil {
+		t.Fatalf("Expected error to be raised when writing file with encoding")
+	}
+}

system/ssh_key.go

@@ -1,4 +1,4 @@
-package cloudinit
+package system
 
 import (
 	"fmt"
@@ -10,7 +10,7 @@ import (
 
 // Add the provide SSH public key to the core user's list of
 // authorized keys
-func AuthorizeSSHKeys(name string, keys []string) error {
+func AuthorizeSSHKeys(user string, keysName string, keys []string) error {
 	for i, key := range keys {
 		keys[i] = strings.TrimSpace(key)
 	}
@@ -19,7 +19,7 @@ func AuthorizeSSHKeys(name string, keys []string) error {
 	// also ends with a newline
 	joined := fmt.Sprintf("%s\n", strings.Join(keys, "\n"))
 
-	cmd := exec.Command("update-ssh-keys", "-u", "core", "-a", name)
+	cmd := exec.Command("update-ssh-keys", "-u", user, "-a", keysName)
 	stdin, err := cmd.StdinPipe()
 	if err != nil {
 		return err

system/systemd.go

@@ -0,0 +1,160 @@
+package system
+
+import (
+	"fmt"
+	"io/ioutil"
+	"log"
+	"os"
+	"os/exec"
+	"path"
+	"path/filepath"
+	"strings"
+
+	"github.com/coreos/coreos-cloudinit/third_party/github.com/coreos/go-systemd/dbus"
+)
+
+// fakeMachineID is placed on non-usr CoreOS images and should
+// never be used as a true MachineID
+const fakeMachineID = "42000000000000000000000000000042"
+
+type Unit struct {
+	Name    string
+	Runtime bool
+	Content string
+	Command string
+}
+
+func (u *Unit) Type() string {
+	ext := filepath.Ext(u.Name)
+	return strings.TrimLeft(ext, ".")
+}
+
+func (u *Unit) Group() (group string) {
+	t := u.Type()
+	if t == "network" || t == "netdev" || t == "link" {
+		group = "network"
+	} else {
+		group = "system"
+	}
+	return
+}
+
+type Script []byte
+
+func PlaceUnit(u *Unit, root string) (string, error) {
+	dir := "etc"
+	if u.Runtime {
+		dir = "run"
+	}
+
+	dst := path.Join(root, dir, "systemd", u.Group())
+	if _, err := os.Stat(dst); os.IsNotExist(err) {
+		if err := os.MkdirAll(dst, os.FileMode(0755)); err != nil {
+			return "", err
+		}
+	}
+
+	dst = path.Join(dst, u.Name)
+
+	file := File{
+		Path: dst,
+		Content: u.Content,
+		RawFilePermissions: "0644",
+	}
+
+	err := WriteFile(&file)
+	if err != nil {
+		return "", err
+	}
+
+	return dst, nil
+}
+
+func EnableUnitFile(file string, runtime bool) error {
+	conn, err := dbus.New()
+	if err != nil {
+		return err
+	}
+
+	files := []string{file}
+	_, _, err = conn.EnableUnitFiles(files, runtime, true)
+	return err
+}
+
+func RunUnitCommand(command, unit string) (string, error) {
+	conn, err := dbus.New()
+	if err != nil {
+		return "", err
+	}
+
+	var fn func(string, string) (string, error)
+	switch command {
+	case "start":
+		fn = conn.StartUnit
+	case "stop":
+		fn = conn.StopUnit
+	case "restart":
+		fn = conn.RestartUnit
+	case "reload":
+		fn = conn.ReloadUnit
+	case "try-restart":
+		fn = conn.TryRestartUnit
+	case "reload-or-restart":
+		fn = conn.ReloadOrRestartUnit
+	case "reload-or-try-restart":
+		fn = conn.ReloadOrTryRestartUnit
+	default:
+		return "", fmt.Errorf("Unsupported systemd command %q", command)
+	}
+
+	return fn(unit, "replace")
+}
+
+func DaemonReload() error {
+	conn, err := dbus.New()
+	if err != nil {
+		return err
+	}
+
+	_, err = conn.Reload()
+	return err
+}
+
+func ExecuteScript(scriptPath string) (string, error) {
+	props := []dbus.Property{
+		dbus.PropDescription("Unit generated and executed by coreos-cloudinit on behalf of user"),
+		dbus.PropExecStart([]string{"/bin/bash", scriptPath}, false),
+	}
+
+	base := path.Base(scriptPath)
+	name := fmt.Sprintf("coreos-cloudinit-%s.service", base)
+
+	log.Printf("Creating transient systemd unit '%s'", name)
+
+	conn, err := dbus.New()
+	if err != nil {
+		return "", err
+	}
+
+	_, err = conn.StartTransientUnit(name, "replace", props...)
+	return name, err
+}
+
+func SetHostname(hostname string) error {
+	return exec.Command("hostnamectl", "set-hostname", hostname).Run()
+}
+
+func Hostname() (string, error) {
+	return os.Hostname()
+}
+
+func MachineID(root string) string {
+	contents, _ := ioutil.ReadFile(path.Join(root, "etc", "machine-id"))
+	id := strings.TrimSpace(string(contents))
+
+	if id == fakeMachineID {
+		id = ""
+	}
+
+	return id
+}

system/systemd_test.go

@@ -0,0 +1,116 @@
+package system
+
+import (
+	"io/ioutil"
+	"os"
+	"path"
+	"syscall"
+	"testing"
+)
+
+func TestPlaceNetworkUnit(t *testing.T) {
+	u := Unit{
+		Name: "50-eth0.network",
+      Runtime: true,
+      Content: `[Match]
+Name=eth47
+
+[Network]
+Address=10.209.171.177/19
+`,
+	}
+
+	dir, err := ioutil.TempDir(os.TempDir(), "coreos-cloudinit-")
+	if err != nil {
+		t.Fatalf("Unable to create tempdir: %v", err)
+	}
+	defer syscall.Rmdir(dir)
+
+	if _, err := PlaceUnit(&u, dir); err != nil {
+		t.Fatalf("PlaceUnit failed: %v", err)
+	}
+
+	fullPath := path.Join(dir, "run", "systemd", "network", "50-eth0.network")
+	fi, err := os.Stat(fullPath)
+	if err != nil {
+		t.Fatalf("Unable to stat file: %v", err)
+	}
+
+	if fi.Mode() != os.FileMode(0644) {
+		t.Errorf("File has incorrect mode: %v", fi.Mode())
+	}
+
+	contents, err := ioutil.ReadFile(fullPath)
+	if err != nil {
+		t.Fatalf("Unable to read expected file: %v", err)
+	}
+
+	expect := `[Match]
+Name=eth47
+
+[Network]
+Address=10.209.171.177/19
+`
+	if string(contents) != expect {
+		t.Fatalf("File has incorrect contents '%s'.\nExpected '%s'", string(contents), expect)
+	}
+}
+
+func TestPlaceMountUnit(t *testing.T) {
+	u := Unit{
+		Name: "media-state.mount",
+      Runtime: false,
+      Content: `[Mount]
+What=/dev/sdb1
+Where=/media/state
+`,
+	}
+
+	dir, err := ioutil.TempDir(os.TempDir(), "coreos-cloudinit-")
+	if err != nil {
+		t.Fatalf("Unable to create tempdir: %v", err)
+	}
+	defer syscall.Rmdir(dir)
+
+	if _, err := PlaceUnit(&u, dir); err != nil {
+		t.Fatalf("PlaceUnit failed: %v", err)
+	}
+
+	fullPath := path.Join(dir, "etc", "systemd", "system", "media-state.mount")
+	fi, err := os.Stat(fullPath)
+	if err != nil {
+		t.Fatalf("Unable to stat file: %v", err)
+	}
+
+	if fi.Mode() != os.FileMode(0644) {
+		t.Errorf("File has incorrect mode: %v", fi.Mode())
+	}
+
+	contents, err := ioutil.ReadFile(fullPath)
+	if err != nil {
+		t.Fatalf("Unable to read expected file: %v", err)
+	}
+
+	expect := `[Mount]
+What=/dev/sdb1
+Where=/media/state
+`
+	if string(contents) != expect {
+		t.Fatalf("File has incorrect contents '%s'.\nExpected '%s'", string(contents), expect)
+	}
+}
+
+func TestMachineID(t *testing.T) {
+	dir, err := ioutil.TempDir(os.TempDir(), "coreos-cloudinit-")
+	if err != nil {
+		t.Fatalf("Unable to create tempdir: %v", err)
+	}
+	defer syscall.Rmdir(dir)
+
+	os.Mkdir(path.Join(dir, "etc"), os.FileMode(0755))
+	ioutil.WriteFile(path.Join(dir, "etc", "machine-id"), []byte("node007\n"), os.FileMode(0444))
+
+	if MachineID(dir) != "node007" {
+		t.Fatalf("File has incorrect contents")
+	}
+}

system/user.go

@@ -0,0 +1,107 @@
+package system
+
+import (
+	"fmt"
+	"log"
+	"os/exec"
+	"os/user"
+	"strings"
+)
+
+type User struct {
+	Name                string   `yaml:"name"`
+	PasswordHash        string   `yaml:"passwd"`
+	SSHAuthorizedKeys   []string `yaml:"ssh-authorized-keys"`
+	SSHImportGithubUser string   `yaml:"coreos-ssh-import-github"`
+	GECOS               string   `yaml:"gecos"`
+	Homedir             string   `yaml:"homedir"`
+	NoCreateHome        bool     `yaml:"no-create-home"`
+	PrimaryGroup        string   `yaml:"primary-group"`
+	Groups              []string `yaml:"groups"`
+	NoUserGroup         bool     `yaml:"no-user-group"`
+	System              bool     `yaml:"system"`
+	NoLogInit           bool     `yaml:"no-log-init"`
+}
+
+func UserExists(u *User) bool {
+	_, err := user.Lookup(u.Name)
+	return err == nil
+}
+
+func CreateUser(u *User) error {
+	args := []string{}
+
+	if u.PasswordHash != "" {
+		args = append(args, "--password", u.PasswordHash)
+	}
+
+	if u.GECOS != "" {
+		args = append(args, "--comment", fmt.Sprintf("%q", u.GECOS))
+	}
+
+	if u.Homedir != "" {
+		args = append(args, "--home-dir", u.Homedir)
+	}
+
+	if u.NoCreateHome {
+		args = append(args, "--no-create-home")
+	} else {
+		args = append(args, "--create-home")
+	}
+
+	if u.PrimaryGroup != "" {
+		args = append(args, "--primary-group", u.PrimaryGroup)
+	}
+
+	if len(u.Groups) > 0 {
+		args = append(args, "--groups", strings.Join(u.Groups, ","))
+	}
+
+	if u.NoUserGroup {
+		args = append(args, "--no-user-group")
+	}
+
+	if u.System {
+		args = append(args, "--system")
+	}
+
+	if u.NoLogInit {
+		args = append(args, "--no-log-init")
+	}
+
+	args = append(args, u.Name)
+
+	output, err := exec.Command("useradd", args...).CombinedOutput()
+	if err != nil {
+		log.Printf("Command 'useradd %s' failed: %v\n%s", strings.Join(args, " "), err, output)
+	}
+	return err
+}
+
+func SetUserPassword(user, hash string) error {
+	cmd := exec.Command("/usr/sbin/chpasswd", "-e")
+
+	stdin, err := cmd.StdinPipe()
+	if err != nil {
+		return err
+	}
+
+	err = cmd.Start()
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	arg := fmt.Sprintf("%s:%s", user, hash)
+	_, err = stdin.Write([]byte(arg))
+	if err != nil {
+		return err
+	}
+	stdin.Close()
+
+	err = cmd.Wait()
+	if err != nil {
+		return err
+	}
+
+	return nil
+}

test

@@ -4,5 +4,7 @@ echo "Building bin/coreos-cloudinit"
 . build
 
 echo "Running tests..."
-go test -i github.com/coreos/coreos-cloudinit/cloudinit
-go test -v github.com/coreos/coreos-cloudinit/cloudinit
+for pkg in "./initialize ./system"; do
+	go test -i $pkg
+	go test -v $pkg
+done

third_party/github.com/coreos/go-systemd/dbus/dbus.go

@@ -21,7 +21,7 @@ import (
 	"strings"
 	"sync"
 
-	"github.com/guelfey/go.dbus"
+	"github.com/coreos/coreos-cloudinit/third_party/github.com/guelfey/go.dbus"
 )
 
 const signalBuffer = 100

third_party/github.com/coreos/go-systemd/dbus/methods.go

@@ -18,7 +18,7 @@ package dbus
 
 import (
 	"errors"
-	"github.com/guelfey/go.dbus"
+	"github.com/coreos/coreos-cloudinit/third_party/github.com/guelfey/go.dbus"
 )
 
 func (c *Conn) initJobs() {

third_party/github.com/coreos/go-systemd/dbus/properties.go

@@ -17,7 +17,7 @@ limitations under the License.
 package dbus
 
 import (
-	"github.com/guelfey/go.dbus"
+	"github.com/coreos/coreos-cloudinit/third_party/github.com/guelfey/go.dbus"
 )
 
 // From the systemd docs:

third_party/github.com/coreos/go-systemd/dbus/subscription.go

@@ -20,7 +20,7 @@ import (
 	"errors"
 	"time"
 
-	"github.com/guelfey/go.dbus"
+	"github.com/coreos/coreos-cloudinit/third_party/github.com/guelfey/go.dbus"
 )
 
 const (

third_party/github.com/coreos/go-systemd/examples/activation/activation.go

@@ -5,7 +5,7 @@ import (
 	"fmt"
 	"os"
 
-	"github.com/coreos/go-systemd/activation"
+	"github.com/coreos/coreos-cloudinit/third_party/github.com/coreos/go-systemd/activation"
 )
 
 func fixListenPid() {

third_party/github.com/coreos/go-systemd/examples/activation/httpserver/httpserver.go

@@ -4,7 +4,7 @@ import (
 	"io"
 	"net/http"
 
-	"github.com/coreos/go-systemd/activation"
+	"github.com/coreos/coreos-cloudinit/third_party/github.com/coreos/go-systemd/activation"
 )
 
 func HelloServer(w http.ResponseWriter, req *http.Request) {

third_party/github.com/coreos/go-systemd/examples/activation/listen.go

@@ -5,7 +5,7 @@ import (
 	"fmt"
 	"os"
 
-	"github.com/coreos/go-systemd/activation"
+	"github.com/coreos/coreos-cloudinit/third_party/github.com/coreos/go-systemd/activation"
 )
 
 func fixListenPid() {

third_party/github.com/guelfey/go.dbus/_examples/eavesdrop.go

@@ -2,7 +2,7 @@ package main
 
 import (
 	"fmt"
-	"github.com/guelfey/go.dbus"
+	"github.com/coreos/coreos-cloudinit/third_party/github.com/guelfey/go.dbus"
 	"os"
 )
 

third_party/github.com/guelfey/go.dbus/_examples/introspect.go

@@ -2,8 +2,8 @@ package main
 
 import (
 	"encoding/json"
-	"github.com/guelfey/go.dbus"
-	"github.com/guelfey/go.dbus/introspect"
+	"github.com/coreos/coreos-cloudinit/third_party/github.com/guelfey/go.dbus"
+	"github.com/coreos/coreos-cloudinit/third_party/github.com/guelfey/go.dbus/introspect"
 	"os"
 )
 

third_party/github.com/guelfey/go.dbus/_examples/list-names.go

@@ -2,7 +2,7 @@ package main
 
 import (
 	"fmt"
-	"github.com/guelfey/go.dbus"
+	"github.com/coreos/coreos-cloudinit/third_party/github.com/guelfey/go.dbus"
 	"os"
 )
 

third_party/github.com/guelfey/go.dbus/_examples/notification.go

@@ -1,6 +1,6 @@
 package main
 
-import "github.com/guelfey/go.dbus"
+import "github.com/coreos/coreos-cloudinit/third_party/github.com/guelfey/go.dbus"
 
 func main() {
 	conn, err := dbus.SessionBus()

third_party/github.com/guelfey/go.dbus/_examples/prop.go

@@ -2,9 +2,9 @@ package main
 
 import (
 	"fmt"
-	"github.com/guelfey/go.dbus"
-	"github.com/guelfey/go.dbus/introspect"
-	"github.com/guelfey/go.dbus/prop"
+	"github.com/coreos/coreos-cloudinit/third_party/github.com/guelfey/go.dbus"
+	"github.com/coreos/coreos-cloudinit/third_party/github.com/guelfey/go.dbus/introspect"
+	"github.com/coreos/coreos-cloudinit/third_party/github.com/guelfey/go.dbus/prop"
 	"os"
 )
 

third_party/github.com/guelfey/go.dbus/_examples/server.go

@@ -2,8 +2,8 @@ package main
 
 import (
 	"fmt"
-	"github.com/guelfey/go.dbus"
-	"github.com/guelfey/go.dbus/introspect"
+	"github.com/coreos/coreos-cloudinit/third_party/github.com/guelfey/go.dbus"
+	"github.com/coreos/coreos-cloudinit/third_party/github.com/guelfey/go.dbus/introspect"
 	"os"
 )
 

third_party/github.com/guelfey/go.dbus/_examples/signal.go

@@ -2,7 +2,7 @@ package main
 
 import (
 	"fmt"
-	"github.com/guelfey/go.dbus"
+	"github.com/coreos/coreos-cloudinit/third_party/github.com/guelfey/go.dbus"
 	"os"
 )
 

third_party/github.com/guelfey/go.dbus/introspect/call.go

@@ -2,7 +2,7 @@ package introspect
 
 import (
 	"encoding/xml"
-	"github.com/guelfey/go.dbus"
+	"github.com/coreos/coreos-cloudinit/third_party/github.com/guelfey/go.dbus"
 	"strings"
 )
 

third_party/github.com/guelfey/go.dbus/introspect/introspectable.go

@@ -2,7 +2,7 @@ package introspect
 
 import (
 	"encoding/xml"
-	"github.com/guelfey/go.dbus"
+	"github.com/coreos/coreos-cloudinit/third_party/github.com/guelfey/go.dbus"
 	"reflect"
 )
 

third_party/github.com/guelfey/go.dbus/prop/prop.go

@@ -3,8 +3,8 @@
 package prop
 
 import (
-	"github.com/guelfey/go.dbus"
-	"github.com/guelfey/go.dbus/introspect"
+	"github.com/coreos/coreos-cloudinit/third_party/github.com/guelfey/go.dbus"
+	"github.com/coreos/coreos-cloudinit/third_party/github.com/guelfey/go.dbus/introspect"
 	"sync"
 )