move coreos-cloudinit into config/cloudinit

Signed-off-by: Sven Dowideit <SvenDowideit@home.org.au>

config/cloudinit/system/env.go

@@ -0,0 +1,52 @@
+// Copyright 2015 CoreOS, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package system
+
+import (
+	"fmt"
+	"reflect"
+
+	"github.com/rancher/os/config/cloudinit/config"
+)
+
+// serviceContents generates the contents for a drop-in unit given the config.
+// The argument must be a struct from the 'config' package.
+func serviceContents(e interface{}) string {
+	vars := getEnvVars(e)
+	if len(vars) == 0 {
+		return ""
+	}
+
+	out := "[Service]\n"
+	for _, v := range vars {
+		out += fmt.Sprintf("Environment=\"%s\"\n", v)
+	}
+	return out
+}
+
+func getEnvVars(e interface{}) []string {
+	et := reflect.TypeOf(e)
+	ev := reflect.ValueOf(e)
+
+	vars := []string{}
+	for i := 0; i < et.NumField(); i++ {
+		if val := ev.Field(i).Interface(); !config.IsZero(val) {
+			key := et.Field(i).Tag.Get("env")
+			vars = append(vars, fmt.Sprintf("%s=%v", key, val))
+		}
+	}
+
+	return vars
+}

config/cloudinit/system/env_file.go

@@ -0,0 +1,114 @@
+// Copyright 2015 CoreOS, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package system
+
+import (
+	"bytes"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path"
+	"regexp"
+	"sort"
+)
+
+type EnvFile struct {
+	Vars map[string]string
+	// mask File.Content, it shouldn't be used.
+	Content interface{} `json:"-" yaml:"-"`
+	*File
+}
+
+// only allow sh compatible identifiers
+var validKey = regexp.MustCompile(`^[a-zA-Z0-9_]+$`)
+
+// match each line, optionally capturing valid identifiers, discarding dos line endings
+var lineLexer = regexp.MustCompile(`(?m)^((?:([a-zA-Z0-9_]+)=)?.*?)\r?\n`)
+
+// mergeEnvContents: Update the existing file contents with new values,
+// preserving variable ordering and all content this code doesn't understand.
+// All new values are appended to the bottom of the old, sorted by key.
+func mergeEnvContents(old []byte, pending map[string]string) []byte {
+	var buf bytes.Buffer
+	var match [][]byte
+
+	// it is awkward for the regex to handle a missing newline gracefully
+	if len(old) != 0 && !bytes.HasSuffix(old, []byte{'\n'}) {
+		old = append(old, byte('\n'))
+	}
+
+	for _, match = range lineLexer.FindAllSubmatch(old, -1) {
+		key := string(match[2])
+		if value, ok := pending[key]; ok {
+			fmt.Fprintf(&buf, "%s=%s\n", key, value)
+			delete(pending, key)
+		} else {
+			fmt.Fprintf(&buf, "%s\n", match[1])
+		}
+	}
+
+	for _, key := range keys(pending) {
+		value := pending[key]
+		fmt.Fprintf(&buf, "%s=%s\n", key, value)
+	}
+
+	return buf.Bytes()
+}
+
+// WriteEnvFile updates an existing env `KEY=value` formated file with
+// new values provided in EnvFile.Vars; File.Content is ignored.
+// Existing ordering and any unknown formatting such as comments are
+// preserved. If no changes are required the file is untouched.
+func WriteEnvFile(ef *EnvFile, root string) error {
+	// validate new keys, mergeEnvContents uses pending to track writes
+	pending := make(map[string]string, len(ef.Vars))
+	for key, value := range ef.Vars {
+		if !validKey.MatchString(key) {
+			return fmt.Errorf("Invalid name %q for %s", key, ef.Path)
+		}
+		pending[key] = value
+	}
+
+	if len(pending) == 0 {
+		return nil
+	}
+
+	oldContent, err := ioutil.ReadFile(path.Join(root, ef.Path))
+	if err != nil {
+		if os.IsNotExist(err) {
+			oldContent = []byte{}
+		} else {
+			return err
+		}
+	}
+
+	newContent := mergeEnvContents(oldContent, pending)
+	if bytes.Equal(oldContent, newContent) {
+		return nil
+	}
+
+	ef.File.Content = string(newContent)
+	_, err = WriteFile(ef.File, root)
+	return err
+}
+
+// keys returns the keys of a map in sorted order
+func keys(m map[string]string) (s []string) {
+	for k := range m {
+		s = append(s, k)
+	}
+	sort.Strings(s)
+	return
+}

config/cloudinit/system/env_file_test.go

@@ -0,0 +1,442 @@
+// Copyright 2015 CoreOS, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package system
+
+import (
+	"io/ioutil"
+	"os"
+	"path"
+	"strings"
+	"syscall"
+	"testing"
+
+	"github.com/rancher/os/config/cloudinit/config"
+)
+
+const (
+	base          = "# a file\nFOO=base\n\nBAR= hi there\n"
+	baseNoNewline = "# a file\nFOO=base\n\nBAR= hi there"
+	baseDos       = "# a file\r\nFOO=base\r\n\r\nBAR= hi there\r\n"
+	expectUpdate  = "# a file\nFOO=test\n\nBAR= hi there\nNEW=a value\n"
+	expectCreate  = "FOO=test\nNEW=a value\n"
+)
+
+var (
+	valueUpdate = map[string]string{
+		"FOO": "test",
+		"NEW": "a value",
+	}
+	valueNoop = map[string]string{
+		"FOO": "base",
+	}
+	valueEmpty   = map[string]string{}
+	valueInvalid = map[string]string{
+		"FOO-X": "test",
+	}
+)
+
+func TestWriteEnvFileUpdate(t *testing.T) {
+	dir, err := ioutil.TempDir(os.TempDir(), "coreos-cloudinit-")
+	if err != nil {
+		t.Fatalf("Unable to create tempdir: %v", err)
+	}
+	defer os.RemoveAll(dir)
+
+	name := "foo.conf"
+	fullPath := path.Join(dir, name)
+	ioutil.WriteFile(fullPath, []byte(base), 0644)
+
+	oldStat, err := os.Stat(fullPath)
+	if err != nil {
+		t.Fatalf("Unable to stat file: %v", err)
+	}
+
+	ef := EnvFile{
+		File: &File{config.File{
+			Path: name,
+		}},
+		Vars: valueUpdate,
+	}
+
+	err = WriteEnvFile(&ef, dir)
+	if err != nil {
+		t.Fatalf("WriteFile failed: %v", err)
+	}
+
+	contents, err := ioutil.ReadFile(fullPath)
+	if err != nil {
+		t.Fatalf("Unable to read expected file: %v", err)
+	}
+
+	if string(contents) != expectUpdate {
+		t.Fatalf("File has incorrect contents: %q", contents)
+	}
+
+	newStat, err := os.Stat(fullPath)
+	if err != nil {
+		t.Fatalf("Unable to stat file: %v", err)
+	}
+
+	if oldStat.Sys().(*syscall.Stat_t).Ino == newStat.Sys().(*syscall.Stat_t).Ino {
+		t.Fatalf("File was not replaced: %s", fullPath)
+	}
+}
+
+func TestWriteEnvFileUpdateNoNewline(t *testing.T) {
+	dir, err := ioutil.TempDir(os.TempDir(), "coreos-cloudinit-")
+	if err != nil {
+		t.Fatalf("Unable to create tempdir: %v", err)
+	}
+	defer os.RemoveAll(dir)
+
+	name := "foo.conf"
+	fullPath := path.Join(dir, name)
+	ioutil.WriteFile(fullPath, []byte(baseNoNewline), 0644)
+
+	oldStat, err := os.Stat(fullPath)
+	if err != nil {
+		t.Fatalf("Unable to stat file: %v", err)
+	}
+
+	ef := EnvFile{
+		File: &File{config.File{
+			Path: name,
+		}},
+		Vars: valueUpdate,
+	}
+
+	err = WriteEnvFile(&ef, dir)
+	if err != nil {
+		t.Fatalf("WriteFile failed: %v", err)
+	}
+
+	contents, err := ioutil.ReadFile(fullPath)
+	if err != nil {
+		t.Fatalf("Unable to read expected file: %v", err)
+	}
+
+	if string(contents) != expectUpdate {
+		t.Fatalf("File has incorrect contents: %q", contents)
+	}
+
+	newStat, err := os.Stat(fullPath)
+	if err != nil {
+		t.Fatalf("Unable to stat file: %v", err)
+	}
+
+	if oldStat.Sys().(*syscall.Stat_t).Ino == newStat.Sys().(*syscall.Stat_t).Ino {
+		t.Fatalf("File was not replaced: %s", fullPath)
+	}
+}
+
+func TestWriteEnvFileCreate(t *testing.T) {
+	dir, err := ioutil.TempDir(os.TempDir(), "coreos-cloudinit-")
+	if err != nil {
+		t.Fatalf("Unable to create tempdir: %v", err)
+	}
+	defer os.RemoveAll(dir)
+
+	name := "foo.conf"
+	fullPath := path.Join(dir, name)
+
+	ef := EnvFile{
+		File: &File{config.File{
+			Path: name,
+		}},
+		Vars: valueUpdate,
+	}
+
+	err = WriteEnvFile(&ef, dir)
+	if err != nil {
+		t.Fatalf("WriteFile failed: %v", err)
+	}
+
+	contents, err := ioutil.ReadFile(fullPath)
+	if err != nil {
+		t.Fatalf("Unable to read expected file: %v", err)
+	}
+
+	if string(contents) != expectCreate {
+		t.Fatalf("File has incorrect contents: %q", contents)
+	}
+}
+
+func TestWriteEnvFileNoop(t *testing.T) {
+	dir, err := ioutil.TempDir(os.TempDir(), "coreos-cloudinit-")
+	if err != nil {
+		t.Fatalf("Unable to create tempdir: %v", err)
+	}
+	defer os.RemoveAll(dir)
+
+	name := "foo.conf"
+	fullPath := path.Join(dir, name)
+	ioutil.WriteFile(fullPath, []byte(base), 0644)
+
+	oldStat, err := os.Stat(fullPath)
+	if err != nil {
+		t.Fatalf("Unable to stat file: %v", err)
+	}
+
+	ef := EnvFile{
+		File: &File{config.File{
+			Path: name,
+		}},
+		Vars: valueNoop,
+	}
+
+	err = WriteEnvFile(&ef, dir)
+	if err != nil {
+		t.Fatalf("WriteFile failed: %v", err)
+	}
+
+	contents, err := ioutil.ReadFile(fullPath)
+	if err != nil {
+		t.Fatalf("Unable to read expected file: %v", err)
+	}
+
+	if string(contents) != base {
+		t.Fatalf("File has incorrect contents: %q", contents)
+	}
+
+	newStat, err := os.Stat(fullPath)
+	if err != nil {
+		t.Fatalf("Unable to stat file: %v", err)
+	}
+
+	if oldStat.Sys().(*syscall.Stat_t).Ino != newStat.Sys().(*syscall.Stat_t).Ino {
+		t.Fatalf("File was replaced: %s", fullPath)
+	}
+}
+
+func TestWriteEnvFileUpdateDos(t *testing.T) {
+	dir, err := ioutil.TempDir(os.TempDir(), "coreos-cloudinit-")
+	if err != nil {
+		t.Fatalf("Unable to create tempdir: %v", err)
+	}
+	defer os.RemoveAll(dir)
+
+	name := "foo.conf"
+	fullPath := path.Join(dir, name)
+	ioutil.WriteFile(fullPath, []byte(baseDos), 0644)
+
+	oldStat, err := os.Stat(fullPath)
+	if err != nil {
+		t.Fatalf("Unable to stat file: %v", err)
+	}
+
+	ef := EnvFile{
+		File: &File{config.File{
+			Path: name,
+		}},
+		Vars: valueUpdate,
+	}
+
+	err = WriteEnvFile(&ef, dir)
+	if err != nil {
+		t.Fatalf("WriteFile failed: %v", err)
+	}
+
+	contents, err := ioutil.ReadFile(fullPath)
+	if err != nil {
+		t.Fatalf("Unable to read expected file: %v", err)
+	}
+
+	if string(contents) != expectUpdate {
+		t.Fatalf("File has incorrect contents: %q", contents)
+	}
+
+	newStat, err := os.Stat(fullPath)
+	if err != nil {
+		t.Fatalf("Unable to stat file: %v", err)
+	}
+
+	if oldStat.Sys().(*syscall.Stat_t).Ino == newStat.Sys().(*syscall.Stat_t).Ino {
+		t.Fatalf("File was not replaced: %s", fullPath)
+	}
+}
+
+// A middle ground noop, values are unchanged but we did have a value.
+// Seems reasonable to rewrite the file in Unix format anyway.
+func TestWriteEnvFileDos2Unix(t *testing.T) {
+	dir, err := ioutil.TempDir(os.TempDir(), "coreos-cloudinit-")
+	if err != nil {
+		t.Fatalf("Unable to create tempdir: %v", err)
+	}
+	defer os.RemoveAll(dir)
+
+	name := "foo.conf"
+	fullPath := path.Join(dir, name)
+	ioutil.WriteFile(fullPath, []byte(baseDos), 0644)
+
+	oldStat, err := os.Stat(fullPath)
+	if err != nil {
+		t.Fatalf("Unable to stat file: %v", err)
+	}
+
+	ef := EnvFile{
+		File: &File{config.File{
+			Path: name,
+		}},
+		Vars: valueNoop,
+	}
+
+	err = WriteEnvFile(&ef, dir)
+	if err != nil {
+		t.Fatalf("WriteFile failed: %v", err)
+	}
+
+	contents, err := ioutil.ReadFile(fullPath)
+	if err != nil {
+		t.Fatalf("Unable to read expected file: %v", err)
+	}
+
+	if string(contents) != base {
+		t.Fatalf("File has incorrect contents: %q", contents)
+	}
+
+	newStat, err := os.Stat(fullPath)
+	if err != nil {
+		t.Fatalf("Unable to stat file: %v", err)
+	}
+
+	if oldStat.Sys().(*syscall.Stat_t).Ino == newStat.Sys().(*syscall.Stat_t).Ino {
+		t.Fatalf("File was not replaced: %s", fullPath)
+	}
+}
+
+// If it really is a noop (structure is empty) don't even do dos2unix
+func TestWriteEnvFileEmpty(t *testing.T) {
+	dir, err := ioutil.TempDir(os.TempDir(), "coreos-cloudinit-")
+	if err != nil {
+		t.Fatalf("Unable to create tempdir: %v", err)
+	}
+	defer os.RemoveAll(dir)
+
+	name := "foo.conf"
+	fullPath := path.Join(dir, name)
+	ioutil.WriteFile(fullPath, []byte(baseDos), 0644)
+
+	oldStat, err := os.Stat(fullPath)
+	if err != nil {
+		t.Fatalf("Unable to stat file: %v", err)
+	}
+
+	ef := EnvFile{
+		File: &File{config.File{
+			Path: name,
+		}},
+		Vars: valueEmpty,
+	}
+
+	err = WriteEnvFile(&ef, dir)
+	if err != nil {
+		t.Fatalf("WriteFile failed: %v", err)
+	}
+
+	contents, err := ioutil.ReadFile(fullPath)
+	if err != nil {
+		t.Fatalf("Unable to read expected file: %v", err)
+	}
+
+	if string(contents) != baseDos {
+		t.Fatalf("File has incorrect contents: %q", contents)
+	}
+
+	newStat, err := os.Stat(fullPath)
+	if err != nil {
+		t.Fatalf("Unable to stat file: %v", err)
+	}
+
+	if oldStat.Sys().(*syscall.Stat_t).Ino != newStat.Sys().(*syscall.Stat_t).Ino {
+		t.Fatalf("File was replaced: %s", fullPath)
+	}
+}
+
+// no point in creating empty files
+func TestWriteEnvFileEmptyNoCreate(t *testing.T) {
+	dir, err := ioutil.TempDir(os.TempDir(), "coreos-cloudinit-")
+	if err != nil {
+		t.Fatalf("Unable to create tempdir: %v", err)
+	}
+	defer os.RemoveAll(dir)
+
+	name := "foo.conf"
+	fullPath := path.Join(dir, name)
+
+	ef := EnvFile{
+		File: &File{config.File{
+			Path: name,
+		}},
+		Vars: valueEmpty,
+	}
+
+	err = WriteEnvFile(&ef, dir)
+	if err != nil {
+		t.Fatalf("WriteFile failed: %v", err)
+	}
+
+	contents, err := ioutil.ReadFile(fullPath)
+	if err == nil {
+		t.Fatalf("File has incorrect contents: %q", contents)
+	} else if !os.IsNotExist(err) {
+		t.Fatalf("Unexpected error while reading file: %v", err)
+	}
+}
+
+func TestWriteEnvFilePermFailure(t *testing.T) {
+	dir, err := ioutil.TempDir(os.TempDir(), "coreos-cloudinit-")
+	if err != nil {
+		t.Fatalf("Unable to create tempdir: %v", err)
+	}
+	defer os.RemoveAll(dir)
+
+	name := "foo.conf"
+	fullPath := path.Join(dir, name)
+	ioutil.WriteFile(fullPath, []byte(base), 0000)
+
+	ef := EnvFile{
+		File: &File{config.File{
+			Path: name,
+		}},
+		Vars: valueUpdate,
+	}
+
+	err = WriteEnvFile(&ef, dir)
+	if !os.IsPermission(err) {
+		t.Fatalf("Not a pemission denied error: %v", err)
+	}
+}
+
+func TestWriteEnvFileNameFailure(t *testing.T) {
+	dir, err := ioutil.TempDir(os.TempDir(), "coreos-cloudinit-")
+	if err != nil {
+		t.Fatalf("Unable to create tempdir: %v", err)
+	}
+	defer os.RemoveAll(dir)
+
+	name := "foo.conf"
+
+	ef := EnvFile{
+		File: &File{config.File{
+			Path: name,
+		}},
+		Vars: valueInvalid,
+	}
+
+	err = WriteEnvFile(&ef, dir)
+	if err == nil || !strings.HasPrefix(err.Error(), "Invalid name") {
+		t.Fatalf("Not an invalid name error: %v", err)
+	}
+}

config/cloudinit/system/env_test.go

@@ -0,0 +1,69 @@
+// Copyright 2015 CoreOS, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package system
+
+import (
+	"testing"
+)
+
+func TestServiceContents(t *testing.T) {
+	tests := []struct {
+		Config   interface{}
+		Contents string
+	}{
+		{
+			struct{}{},
+			"",
+		},
+		{
+			struct {
+				A string  `env:"A"`
+				B int     `env:"B"`
+				C bool    `env:"C"`
+				D float64 `env:"D"`
+			}{
+				"hi", 1, true, 0.12345,
+			},
+			`[Service]
+Environment="A=hi"
+Environment="B=1"
+Environment="C=true"
+Environment="D=0.12345"
+`,
+		},
+		{
+			struct {
+				A float64 `env:"A"`
+				B float64 `env:"B"`
+				C float64 `env:"C"`
+				D float64 `env:"D"`
+			}{
+				0.000001, 1, 0.9999999, 0.1,
+			},
+			`[Service]
+Environment="A=1e-06"
+Environment="B=1"
+Environment="C=0.9999999"
+Environment="D=0.1"
+`,
+		},
+	}
+
+	for _, tt := range tests {
+		if c := serviceContents(tt.Config); c != tt.Contents {
+			t.Errorf("bad contents (%+v): want %q, got %q", tt, tt.Contents, c)
+		}
+	}
+}

config/cloudinit/system/etc_hosts.go

@@ -0,0 +1,62 @@
+// Copyright 2015 CoreOS, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package system
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"path"
+
+	"github.com/rancher/os/config/cloudinit/config"
+)
+
+const DefaultIpv4Address = "127.0.0.1"
+
+type EtcHosts struct {
+	config.EtcHosts
+}
+
+func (eh EtcHosts) generateEtcHosts() (out string, err error) {
+	if eh.EtcHosts != "localhost" {
+		return "", errors.New("Invalid option to manage_etc_hosts")
+	}
+
+	// use the operating system hostname
+	hostname, err := os.Hostname()
+	if err != nil {
+		return "", err
+	}
+
+	return fmt.Sprintf("%s %s\n", DefaultIpv4Address, hostname), nil
+
+}
+
+func (eh EtcHosts) File() (*File, error) {
+	if eh.EtcHosts == "" {
+		return nil, nil
+	}
+
+	etcHosts, err := eh.generateEtcHosts()
+	if err != nil {
+		return nil, err
+	}
+
+	return &File{config.File{
+		Path:               path.Join("etc", "hosts"),
+		RawFilePermissions: "0644",
+		Content:            etcHosts,
+	}}, nil
+}

config/cloudinit/system/etc_hosts_test.go

@@ -0,0 +1,60 @@
+// Copyright 2015 CoreOS, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package system
+
+import (
+	"fmt"
+	"os"
+	"reflect"
+	"testing"
+
+	"github.com/rancher/os/config/cloudinit/config"
+)
+
+func TestEtcdHostsFile(t *testing.T) {
+	hostname, err := os.Hostname()
+	if err != nil {
+		panic(err)
+	}
+
+	for _, tt := range []struct {
+		config config.EtcHosts
+		file   *File
+		err    error
+	}{
+		{
+			"invalid",
+			nil,
+			fmt.Errorf("Invalid option to manage_etc_hosts"),
+		},
+		{
+			"localhost",
+			&File{config.File{
+				Content:            fmt.Sprintf("127.0.0.1 %s\n", hostname),
+				Path:               "etc/hosts",
+				RawFilePermissions: "0644",
+			}},
+			nil,
+		},
+	} {
+		file, err := EtcHosts{tt.config}.File()
+		if !reflect.DeepEqual(tt.err, err) {
+			t.Errorf("bad error (%q): want %q, got %q", tt.config, tt.err, err)
+		}
+		if !reflect.DeepEqual(tt.file, file) {
+			t.Errorf("bad units (%q): want %#v, got %#v", tt.config, tt.file, file)
+		}
+	}
+}

config/cloudinit/system/etcd.go

@@ -0,0 +1,37 @@
+// Copyright 2015 CoreOS, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package system
+
+import (
+	"github.com/rancher/os/config/cloudinit/config"
+)
+
+// Etcd is a top-level structure which embeds its underlying configuration,
+// config.Etcd, and provides the system-specific Unit().
+type Etcd struct {
+	config.Etcd
+}
+
+// Units creates a Unit file drop-in for etcd, using any configured options.
+func (ee Etcd) Units() []Unit {
+	return []Unit{{config.Unit{
+		Name:    "etcd.service",
+		Runtime: true,
+		DropIns: []config.UnitDropIn{{
+			Name:    "20-cloudinit.conf",
+			Content: serviceContents(ee.Etcd),
+		}},
+	}}}
+}

config/cloudinit/system/etcd2.go

@@ -0,0 +1,37 @@
+// Copyright 2015 CoreOS, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package system
+
+import (
+	"github.com/rancher/os/config/cloudinit/config"
+)
+
+// Etcd2 is a top-level structure which embeds its underlying configuration,
+// config.Etcd2, and provides the system-specific Unit().
+type Etcd2 struct {
+	config.Etcd2
+}
+
+// Units creates a Unit file drop-in for etcd, using any configured options.
+func (ee Etcd2) Units() []Unit {
+	return []Unit{{config.Unit{
+		Name:    "etcd2.service",
+		Runtime: true,
+		DropIns: []config.UnitDropIn{{
+			Name:    "20-cloudinit.conf",
+			Content: serviceContents(ee.Etcd2),
+		}},
+	}}}
+}

config/cloudinit/system/etcd_test.go

@@ -0,0 +1,79 @@
+// Copyright 2015 CoreOS, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package system
+
+import (
+	"reflect"
+	"testing"
+
+	"github.com/rancher/os/config/cloudinit/config"
+)
+
+func TestEtcdUnits(t *testing.T) {
+	for _, tt := range []struct {
+		config config.Etcd
+		units  []Unit
+	}{
+		{
+			config.Etcd{},
+			[]Unit{{config.Unit{
+				Name:    "etcd.service",
+				Runtime: true,
+				DropIns: []config.UnitDropIn{{Name: "20-cloudinit.conf"}},
+			}}},
+		},
+		{
+			config.Etcd{
+				Discovery:    "http://disco.example.com/foobar",
+				PeerBindAddr: "127.0.0.1:7002",
+			},
+			[]Unit{{config.Unit{
+				Name:    "etcd.service",
+				Runtime: true,
+				DropIns: []config.UnitDropIn{{
+					Name: "20-cloudinit.conf",
+					Content: `[Service]
+Environment="ETCD_DISCOVERY=http://disco.example.com/foobar"
+Environment="ETCD_PEER_BIND_ADDR=127.0.0.1:7002"
+`,
+				}},
+			}}},
+		},
+		{
+			config.Etcd{
+				Name:         "node001",
+				Discovery:    "http://disco.example.com/foobar",
+				PeerBindAddr: "127.0.0.1:7002",
+			},
+			[]Unit{{config.Unit{
+				Name:    "etcd.service",
+				Runtime: true,
+				DropIns: []config.UnitDropIn{{
+					Name: "20-cloudinit.conf",
+					Content: `[Service]
+Environment="ETCD_DISCOVERY=http://disco.example.com/foobar"
+Environment="ETCD_NAME=node001"
+Environment="ETCD_PEER_BIND_ADDR=127.0.0.1:7002"
+`,
+				}},
+			}}},
+		},
+	} {
+		units := Etcd{tt.config}.Units()
+		if !reflect.DeepEqual(tt.units, units) {
+			t.Errorf("bad units (%+v): want %#v, got %#v", tt.config, tt.units, units)
+		}
+	}
+}

config/cloudinit/system/file.go

@@ -0,0 +1,115 @@
+// Copyright 2015 CoreOS, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package system
+
+import (
+	"fmt"
+	"io/ioutil"
+	"log"
+	"os"
+	"os/exec"
+	"path"
+	"strconv"
+
+	"github.com/rancher/os/config/cloudinit/config"
+)
+
+// File is a top-level structure which embeds its underlying configuration,
+// config.File, and provides the system-specific Permissions().
+type File struct {
+	config.File
+}
+
+func (f *File) Permissions() (os.FileMode, error) {
+	if f.RawFilePermissions == "" {
+		return os.FileMode(0644), nil
+	}
+
+	// Parse string representation of file mode as integer
+	perm, err := strconv.ParseInt(f.RawFilePermissions, 8, 32)
+	if err != nil {
+		return 0, fmt.Errorf("Unable to parse file permissions %q as integer", f.RawFilePermissions)
+	}
+	return os.FileMode(perm), nil
+}
+
+// WriteFile writes given endecoded file to the filesystem
+func WriteFile(f *File, root string) (string, error) {
+	if f.Encoding != "" {
+		return "", fmt.Errorf("Unable to write file with encoding %s", f.Encoding)
+	}
+
+	fullpath := path.Join(root, f.Path)
+	dir := path.Dir(fullpath)
+	log.Printf("Writing file to %q", fullpath)
+
+	if err := EnsureDirectoryExists(dir); err != nil {
+		return "", err
+	}
+
+	perm, err := f.Permissions()
+	if err != nil {
+		return "", err
+	}
+
+	var tmp *os.File
+	// Create a temporary file in the same directory to ensure it's on the same filesystem
+	if tmp, err = ioutil.TempFile(dir, "cloudinit-temp"); err != nil {
+		return "", err
+	}
+
+	if err := ioutil.WriteFile(tmp.Name(), []byte(f.Content), perm); err != nil {
+		return "", err
+	}
+
+	if err := tmp.Close(); err != nil {
+		return "", err
+	}
+
+	// Ensure the permissions are as requested (since WriteFile can be affected by sticky bit)
+	if err := os.Chmod(tmp.Name(), perm); err != nil {
+		return "", err
+	}
+
+	if f.Owner != "" {
+		// We shell out since we don't have a way to look up unix groups natively
+		cmd := exec.Command("chown", f.Owner, tmp.Name())
+		if err := cmd.Run(); err != nil {
+			return "", err
+		}
+	}
+
+	if err := os.Rename(tmp.Name(), fullpath); err != nil {
+		return "", err
+	}
+
+	log.Printf("Wrote file to %q", fullpath)
+	return fullpath, nil
+}
+
+func EnsureDirectoryExists(dir string) error {
+	info, err := os.Stat(dir)
+	if err == nil {
+		if !info.IsDir() {
+			return fmt.Errorf("%s is not a directory", dir)
+		}
+	} else {
+		err = os.MkdirAll(dir, 0755)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}

config/cloudinit/system/file_test.go

@@ -0,0 +1,197 @@
+// Copyright 2015 CoreOS, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package system
+
+import (
+	"io/ioutil"
+	"os"
+	"path"
+	"testing"
+
+	"github.com/rancher/os/config/cloudinit/config"
+)
+
+func TestWriteFileUnencodedContent(t *testing.T) {
+	dir, err := ioutil.TempDir(os.TempDir(), "coreos-cloudinit-")
+	if err != nil {
+		t.Fatalf("Unable to create tempdir: %v", err)
+	}
+	defer os.RemoveAll(dir)
+
+	fn := "foo"
+	fullPath := path.Join(dir, fn)
+
+	wf := File{config.File{
+		Path:               fn,
+		Content:            "bar",
+		RawFilePermissions: "0644",
+	}}
+
+	path, err := WriteFile(&wf, dir)
+	if err != nil {
+		t.Fatalf("Processing of WriteFile failed: %v", err)
+	} else if path != fullPath {
+		t.Fatalf("WriteFile returned bad path: want %s, got %s", fullPath, path)
+	}
+
+	fi, err := os.Stat(fullPath)
+	if err != nil {
+		t.Fatalf("Unable to stat file: %v", err)
+	}
+
+	if fi.Mode() != os.FileMode(0644) {
+		t.Errorf("File has incorrect mode: %v", fi.Mode())
+	}
+
+	contents, err := ioutil.ReadFile(fullPath)
+	if err != nil {
+		t.Fatalf("Unable to read expected file: %v", err)
+	}
+
+	if string(contents) != "bar" {
+		t.Fatalf("File has incorrect contents")
+	}
+}
+
+func TestWriteFileInvalidPermission(t *testing.T) {
+	dir, err := ioutil.TempDir(os.TempDir(), "coreos-cloudinit-")
+	if err != nil {
+		t.Fatalf("Unable to create tempdir: %v", err)
+	}
+	defer os.RemoveAll(dir)
+
+	wf := File{config.File{
+		Path:               path.Join(dir, "tmp", "foo"),
+		Content:            "bar",
+		RawFilePermissions: "pants",
+	}}
+
+	if _, err := WriteFile(&wf, dir); err == nil {
+		t.Fatalf("Expected error to be raised when writing file with invalid permission")
+	}
+}
+
+func TestDecimalFilePermissions(t *testing.T) {
+	dir, err := ioutil.TempDir(os.TempDir(), "coreos-cloudinit-")
+	if err != nil {
+		t.Fatalf("Unable to create tempdir: %v", err)
+	}
+	defer os.RemoveAll(dir)
+
+	fn := "foo"
+	fullPath := path.Join(dir, fn)
+
+	wf := File{config.File{
+		Path:               fn,
+		RawFilePermissions: "744",
+	}}
+
+	path, err := WriteFile(&wf, dir)
+	if err != nil {
+		t.Fatalf("Processing of WriteFile failed: %v", err)
+	} else if path != fullPath {
+		t.Fatalf("WriteFile returned bad path: want %s, got %s", fullPath, path)
+	}
+
+	fi, err := os.Stat(fullPath)
+	if err != nil {
+		t.Fatalf("Unable to stat file: %v", err)
+	}
+
+	if fi.Mode() != os.FileMode(0744) {
+		t.Errorf("File has incorrect mode: %v", fi.Mode())
+	}
+}
+
+func TestWriteFilePermissions(t *testing.T) {
+	dir, err := ioutil.TempDir(os.TempDir(), "coreos-cloudinit-")
+	if err != nil {
+		t.Fatalf("Unable to create tempdir: %v", err)
+	}
+	defer os.RemoveAll(dir)
+
+	fn := "foo"
+	fullPath := path.Join(dir, fn)
+
+	wf := File{config.File{
+		Path:               fn,
+		RawFilePermissions: "0755",
+	}}
+
+	path, err := WriteFile(&wf, dir)
+	if err != nil {
+		t.Fatalf("Processing of WriteFile failed: %v", err)
+	} else if path != fullPath {
+		t.Fatalf("WriteFile returned bad path: want %s, got %s", fullPath, path)
+	}
+
+	fi, err := os.Stat(fullPath)
+	if err != nil {
+		t.Fatalf("Unable to stat file: %v", err)
+	}
+
+	if fi.Mode() != os.FileMode(0755) {
+		t.Errorf("File has incorrect mode: %v", fi.Mode())
+	}
+}
+
+func TestWriteFileInvalidEncodedContent(t *testing.T) {
+	dir, err := ioutil.TempDir(os.TempDir(), "coreos-cloudinit-")
+	if err != nil {
+		t.Fatalf("Unable to create tempdir: %v", err)
+	}
+	defer os.RemoveAll(dir)
+
+	content_encodings := []string{
+		"base64",
+		"b64",
+		"gz",
+		"gzip",
+		"gz+base64",
+		"gzip+base64",
+		"gz+b64",
+		"gzip+b64",
+	}
+
+	for _, encoding := range content_encodings {
+		wf := File{config.File{
+			Path:     path.Join(dir, "tmp", "foo"),
+			Content:  "@&*#%invalid data*@&^#*&",
+			Encoding: encoding,
+		}}
+
+		if _, err := WriteFile(&wf, dir); err == nil {
+			t.Fatalf("Expected error to be raised when writing file with encoding")
+		}
+	}
+}
+
+func TestWriteFileUnknownEncodedContent(t *testing.T) {
+	dir, err := ioutil.TempDir(os.TempDir(), "coreos-cloudinit-")
+	if err != nil {
+		t.Fatalf("Unable to create tempdir: %v", err)
+	}
+	defer os.RemoveAll(dir)
+
+	wf := File{config.File{
+		Path:     path.Join(dir, "tmp", "foo"),
+		Content:  "",
+		Encoding: "no-such-encoding",
+	}}
+
+	if _, err := WriteFile(&wf, dir); err == nil {
+		t.Fatalf("Expected error to be raised when writing file with encoding")
+	}
+}

config/cloudinit/system/flannel.go

@@ -0,0 +1,44 @@
+// Copyright 2015 CoreOS, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package system
+
+import (
+	"path"
+	"strings"
+
+	"github.com/rancher/os/config/cloudinit/config"
+)
+
+// flannel is a top-level structure which embeds its underlying configuration,
+// config.Flannel, and provides the system-specific Unit().
+type Flannel struct {
+	config.Flannel
+}
+
+func (fl Flannel) envVars() string {
+	return strings.Join(getEnvVars(fl.Flannel), "\n")
+}
+
+func (fl Flannel) File() (*File, error) {
+	vars := fl.envVars()
+	if vars == "" {
+		return nil, nil
+	}
+	return &File{config.File{
+		Path:               path.Join("run", "flannel", "options.env"),
+		RawFilePermissions: "0644",
+		Content:            vars,
+	}}, nil
+}

config/cloudinit/system/flannel_test.go

@@ -0,0 +1,76 @@
+// Copyright 2015 CoreOS, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package system
+
+import (
+	"reflect"
+	"testing"
+
+	"github.com/rancher/os/config/cloudinit/config"
+)
+
+func TestFlannelEnvVars(t *testing.T) {
+	for _, tt := range []struct {
+		config   config.Flannel
+		contents string
+	}{
+		{
+			config.Flannel{},
+			"",
+		},
+		{
+			config.Flannel{
+				EtcdEndpoints: "http://12.34.56.78:4001",
+				EtcdPrefix:    "/coreos.com/network/tenant1",
+			},
+			`FLANNELD_ETCD_ENDPOINTS=http://12.34.56.78:4001
+FLANNELD_ETCD_PREFIX=/coreos.com/network/tenant1`,
+		},
+	} {
+		out := Flannel{tt.config}.envVars()
+		if out != tt.contents {
+			t.Errorf("bad contents (%+v): want %q, got %q", tt, tt.contents, out)
+		}
+	}
+}
+
+func TestFlannelFile(t *testing.T) {
+	for _, tt := range []struct {
+		config config.Flannel
+		file   *File
+	}{
+		{
+			config.Flannel{},
+			nil,
+		},
+		{
+			config.Flannel{
+				EtcdEndpoints: "http://12.34.56.78:4001",
+				EtcdPrefix:    "/coreos.com/network/tenant1",
+			},
+			&File{config.File{
+				Path:               "run/flannel/options.env",
+				RawFilePermissions: "0644",
+				Content: `FLANNELD_ETCD_ENDPOINTS=http://12.34.56.78:4001
+FLANNELD_ETCD_PREFIX=/coreos.com/network/tenant1`,
+			}},
+		},
+	} {
+		file, _ := Flannel{tt.config}.File()
+		if !reflect.DeepEqual(tt.file, file) {
+			t.Errorf("bad units (%q): want %#v, got %#v", tt.config, tt.file, file)
+		}
+	}
+}

config/cloudinit/system/fleet.go

@@ -0,0 +1,38 @@
+// Copyright 2015 CoreOS, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package system
+
+import (
+	"github.com/rancher/os/config/cloudinit/config"
+)
+
+// Fleet is a top-level structure which embeds its underlying configuration,
+// config.Fleet, and provides the system-specific Unit().
+type Fleet struct {
+	config.Fleet
+}
+
+// Units generates a Unit file drop-in for fleet, if any fleet options were
+// configured in cloud-config
+func (fe Fleet) Units() []Unit {
+	return []Unit{{config.Unit{
+		Name:    "fleet.service",
+		Runtime: true,
+		DropIns: []config.UnitDropIn{{
+			Name:    "20-cloudinit.conf",
+			Content: serviceContents(fe.Fleet),
+		}},
+	}}}
+}

config/cloudinit/system/fleet_test.go

@@ -0,0 +1,58 @@
+// Copyright 2015 CoreOS, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package system
+
+import (
+	"reflect"
+	"testing"
+
+	"github.com/rancher/os/config/cloudinit/config"
+)
+
+func TestFleetUnits(t *testing.T) {
+	for _, tt := range []struct {
+		config config.Fleet
+		units  []Unit
+	}{
+		{
+			config.Fleet{},
+			[]Unit{{config.Unit{
+				Name:    "fleet.service",
+				Runtime: true,
+				DropIns: []config.UnitDropIn{{Name: "20-cloudinit.conf"}},
+			}}},
+		},
+		{
+			config.Fleet{
+				PublicIP: "12.34.56.78",
+			},
+			[]Unit{{config.Unit{
+				Name:    "fleet.service",
+				Runtime: true,
+				DropIns: []config.UnitDropIn{{
+					Name: "20-cloudinit.conf",
+					Content: `[Service]
+Environment="FLEET_PUBLIC_IP=12.34.56.78"
+`,
+				}},
+			}}},
+		},
+	} {
+		units := Fleet{tt.config}.Units()
+		if !reflect.DeepEqual(units, tt.units) {
+			t.Errorf("bad units (%+v): want %#v, got %#v", tt.config, tt.units, units)
+		}
+	}
+}

config/cloudinit/system/locksmith.go

@@ -0,0 +1,37 @@
+// Copyright 2015 CoreOS, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package system
+
+import (
+	"github.com/rancher/os/config/cloudinit/config"
+)
+
+// Locksmith is a top-level structure which embeds its underlying configuration,
+// config.Locksmith, and provides the system-specific Unit().
+type Locksmith struct {
+	config.Locksmith
+}
+
+// Units creates a Unit file drop-in for etcd, using any configured options.
+func (ee Locksmith) Units() []Unit {
+	return []Unit{{config.Unit{
+		Name:    "locksmithd.service",
+		Runtime: true,
+		DropIns: []config.UnitDropIn{{
+			Name:    "20-cloudinit.conf",
+			Content: serviceContents(ee.Locksmith),
+		}},
+	}}}
+}

config/cloudinit/system/locksmith_test.go

@@ -0,0 +1,58 @@
+// Copyright 2015 CoreOS, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package system
+
+import (
+	"reflect"
+	"testing"
+
+	"github.com/rancher/os/config/cloudinit/config"
+)
+
+func TestLocksmithUnits(t *testing.T) {
+	for _, tt := range []struct {
+		config config.Locksmith
+		units  []Unit
+	}{
+		{
+			config.Locksmith{},
+			[]Unit{{config.Unit{
+				Name:    "locksmithd.service",
+				Runtime: true,
+				DropIns: []config.UnitDropIn{{Name: "20-cloudinit.conf"}},
+			}}},
+		},
+		{
+			config.Locksmith{
+				Endpoint: "12.34.56.78:4001",
+			},
+			[]Unit{{config.Unit{
+				Name:    "locksmithd.service",
+				Runtime: true,
+				DropIns: []config.UnitDropIn{{
+					Name: "20-cloudinit.conf",
+					Content: `[Service]
+Environment="LOCKSMITHD_ENDPOINT=12.34.56.78:4001"
+`,
+				}},
+			}}},
+		},
+	} {
+		units := Locksmith{tt.config}.Units()
+		if !reflect.DeepEqual(units, tt.units) {
+			t.Errorf("bad units (%+v): want %#v, got %#v", tt.config, tt.units, units)
+		}
+	}
+}

config/cloudinit/system/networkd.go

@@ -0,0 +1,95 @@
+// Copyright 2015 CoreOS, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package system
+
+import (
+	"log"
+	"net"
+	"os/exec"
+	"strings"
+
+	"github.com/rancher/os/config/cloudinit/config"
+	"github.com/rancher/os/config/cloudinit/network"
+
+	"github.com/docker/docker/pkg/netlink"
+)
+
+func RestartNetwork(interfaces []network.InterfaceGenerator) (err error) {
+	defer func() {
+		if e := restartNetworkd(); e != nil {
+			err = e
+		}
+	}()
+
+	if err = downNetworkInterfaces(interfaces); err != nil {
+		return
+	}
+
+	if err = maybeProbe8012q(interfaces); err != nil {
+		return
+	}
+	return maybeProbeBonding(interfaces)
+}
+
+func downNetworkInterfaces(interfaces []network.InterfaceGenerator) error {
+	sysInterfaceMap := make(map[string]*net.Interface)
+	if systemInterfaces, err := net.Interfaces(); err == nil {
+		for _, iface := range systemInterfaces {
+			iface := iface
+			sysInterfaceMap[iface.Name] = &iface
+		}
+	} else {
+		return err
+	}
+
+	for _, iface := range interfaces {
+		if systemInterface, ok := sysInterfaceMap[iface.Name()]; ok {
+			log.Printf("Taking down interface %q\n", systemInterface.Name)
+			if err := netlink.NetworkLinkDown(systemInterface); err != nil {
+				log.Printf("Error while downing interface %q (%s). Continuing...\n", systemInterface.Name, err)
+			}
+		}
+	}
+
+	return nil
+}
+
+func maybeProbe8012q(interfaces []network.InterfaceGenerator) error {
+	for _, iface := range interfaces {
+		if iface.Type() == "vlan" {
+			log.Printf("Probing LKM %q (%q)\n", "8021q", "8021q")
+			return exec.Command("modprobe", "8021q").Run()
+		}
+	}
+	return nil
+}
+
+func maybeProbeBonding(interfaces []network.InterfaceGenerator) error {
+	for _, iface := range interfaces {
+		if iface.Type() == "bond" {
+			args := append([]string{"bonding"}, strings.Split(iface.ModprobeParams(), " ")...)
+			log.Printf("Probing LKM %q (%q)\n", "bonding", args)
+			return exec.Command("modprobe", args...).Run()
+		}
+	}
+	return nil
+}
+
+func restartNetworkd() error {
+	log.Printf("Restarting networkd.service\n")
+	networkd := Unit{config.Unit{Name: "systemd-networkd.service"}}
+	_, err := NewUnitManager("").RunUnitCommand(networkd, "restart")
+	return err
+}

config/cloudinit/system/oem.go

@@ -0,0 +1,46 @@
+// Copyright 2015 CoreOS, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package system
+
+import (
+	"fmt"
+	"path"
+
+	"github.com/rancher/os/config/cloudinit/config"
+)
+
+// OEM is a top-level structure which embeds its underlying configuration,
+// config.OEM, and provides the system-specific File().
+type OEM struct {
+	config.OEM
+}
+
+func (oem OEM) File() (*File, error) {
+	if oem.ID == "" {
+		return nil, nil
+	}
+
+	content := fmt.Sprintf("ID=%s\n", oem.ID)
+	content += fmt.Sprintf("VERSION_ID=%s\n", oem.VersionID)
+	content += fmt.Sprintf("NAME=%q\n", oem.Name)
+	content += fmt.Sprintf("HOME_URL=%q\n", oem.HomeURL)
+	content += fmt.Sprintf("BUG_REPORT_URL=%q\n", oem.BugReportURL)
+
+	return &File{config.File{
+		Path:               path.Join("etc", "oem-release"),
+		RawFilePermissions: "0644",
+		Content:            content,
+	}}, nil
+}

config/cloudinit/system/oem_test.go

@@ -0,0 +1,61 @@
+// Copyright 2015 CoreOS, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package system
+
+import (
+	"reflect"
+	"testing"
+
+	"github.com/rancher/os/config/cloudinit/config"
+)
+
+func TestOEMFile(t *testing.T) {
+	for _, tt := range []struct {
+		config config.OEM
+		file   *File
+	}{
+		{
+			config.OEM{},
+			nil,
+		},
+		{
+			config.OEM{
+				ID:           "rackspace",
+				Name:         "Rackspace Cloud Servers",
+				VersionID:    "168.0.0",
+				HomeURL:      "https://www.rackspace.com/cloud/servers/",
+				BugReportURL: "https://github.com/coreos/coreos-overlay",
+			},
+			&File{config.File{
+				Path:               "etc/oem-release",
+				RawFilePermissions: "0644",
+				Content: `ID=rackspace
+VERSION_ID=168.0.0
+NAME="Rackspace Cloud Servers"
+HOME_URL="https://www.rackspace.com/cloud/servers/"
+BUG_REPORT_URL="https://github.com/coreos/coreos-overlay"
+`,
+			}},
+		},
+	} {
+		file, err := OEM{tt.config}.File()
+		if err != nil {
+			t.Errorf("bad error (%q): want %v, got %q", tt.config, nil, err)
+		}
+		if !reflect.DeepEqual(tt.file, file) {
+			t.Errorf("bad file (%q): want %#v, got %#v", tt.config, tt.file, file)
+		}
+	}
+}

config/cloudinit/system/ssh_key.go

@@ -0,0 +1,73 @@
+// Copyright 2015 CoreOS, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package system
+
+import (
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os/exec"
+	"strings"
+)
+
+// Add the provide SSH public key to the core user's list of
+// authorized keys
+func AuthorizeSSHKeys(user string, keysName string, keys []string) error {
+	for i, key := range keys {
+		keys[i] = strings.TrimSpace(key)
+	}
+
+	// join all keys with newlines, ensuring the resulting string
+	// also ends with a newline
+	joined := fmt.Sprintf("%s\n", strings.Join(keys, "\n"))
+
+	cmd := exec.Command("update-ssh-keys", "-u", user, "-a", keysName)
+	stdin, err := cmd.StdinPipe()
+	if err != nil {
+		return err
+	}
+
+	stdout, err := cmd.StdoutPipe()
+	if err != nil {
+		return err
+	}
+
+	stderr, err := cmd.StderrPipe()
+	if err != nil {
+		return err
+	}
+
+	err = cmd.Start()
+	if err != nil {
+		stdin.Close()
+		return err
+	}
+
+	_, err = io.WriteString(stdin, joined)
+	if err != nil {
+		return err
+	}
+
+	stdin.Close()
+	stdoutBytes, _ := ioutil.ReadAll(stdout)
+	stderrBytes, _ := ioutil.ReadAll(stderr)
+
+	err = cmd.Wait()
+	if err != nil {
+		return fmt.Errorf("Call to update-ssh-keys failed with %v: %s %s", err, string(stdoutBytes), string(stderrBytes))
+	}
+
+	return nil
+}

config/cloudinit/system/systemd.go

@@ -0,0 +1,205 @@
+// Copyright 2015 CoreOS, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package system
+
+import (
+	"fmt"
+	"io/ioutil"
+	"log"
+	"os"
+	"os/exec"
+	"path"
+	"strings"
+
+	"github.com/rancher/os/config/cloudinit/config"
+	"github.com/coreos/go-systemd/dbus"
+)
+
+func NewUnitManager(root string) UnitManager {
+	return &systemd{root}
+}
+
+type systemd struct {
+	root string
+}
+
+// fakeMachineID is placed on non-usr CoreOS images and should
+// never be used as a true MachineID
+const fakeMachineID = "42000000000000000000000000000042"
+
+// PlaceUnit writes a unit file at its desired destination, creating parent
+// directories as necessary.
+func (s *systemd) PlaceUnit(u Unit) error {
+	file := File{config.File{
+		Path:               u.Destination(s.root),
+		Content:            u.Content,
+		RawFilePermissions: "0644",
+	}}
+
+	_, err := WriteFile(&file, "/")
+	return err
+}
+
+// PlaceUnitDropIn writes a unit drop-in file at its desired destination,
+// creating parent directories as necessary.
+func (s *systemd) PlaceUnitDropIn(u Unit, d config.UnitDropIn) error {
+	file := File{config.File{
+		Path:               u.DropInDestination(s.root, d),
+		Content:            d.Content,
+		RawFilePermissions: "0644",
+	}}
+
+	_, err := WriteFile(&file, "/")
+	return err
+}
+
+func (s *systemd) EnableUnitFile(u Unit) error {
+	conn, err := dbus.New()
+	if err != nil {
+		return err
+	}
+
+	units := []string{u.Name}
+	_, _, err = conn.EnableUnitFiles(units, u.Runtime, true)
+	return err
+}
+
+func (s *systemd) RunUnitCommand(u Unit, c string) (string, error) {
+	conn, err := dbus.New()
+	if err != nil {
+		return "", err
+	}
+
+	var fn func(string, string) (string, error)
+	switch c {
+	case "start":
+		fn = conn.StartUnit
+	case "stop":
+		fn = conn.StopUnit
+	case "restart":
+		fn = conn.RestartUnit
+	case "reload":
+		fn = conn.ReloadUnit
+	case "try-restart":
+		fn = conn.TryRestartUnit
+	case "reload-or-restart":
+		fn = conn.ReloadOrRestartUnit
+	case "reload-or-try-restart":
+		fn = conn.ReloadOrTryRestartUnit
+	default:
+		return "", fmt.Errorf("Unsupported systemd command %q", c)
+	}
+
+	return fn(u.Name, "replace")
+}
+
+func (s *systemd) DaemonReload() error {
+	conn, err := dbus.New()
+	if err != nil {
+		return err
+	}
+
+	return conn.Reload()
+}
+
+// MaskUnit masks the given Unit by symlinking its unit file to
+// /dev/null, analogous to `systemctl mask`.
+// N.B.: Unlike `systemctl mask`, this function will *remove any existing unit
+// file at the location*, to ensure that the mask will succeed.
+func (s *systemd) MaskUnit(u Unit) error {
+	masked := u.Destination(s.root)
+	if _, err := os.Stat(masked); os.IsNotExist(err) {
+		if err := os.MkdirAll(path.Dir(masked), os.FileMode(0755)); err != nil {
+			return err
+		}
+	} else if err := os.Remove(masked); err != nil {
+		return err
+	}
+	return os.Symlink("/dev/null", masked)
+}
+
+// UnmaskUnit is analogous to systemd's unit_file_unmask. If the file
+// associated with the given Unit is empty or appears to be a symlink to
+// /dev/null, it is removed.
+func (s *systemd) UnmaskUnit(u Unit) error {
+	masked := u.Destination(s.root)
+	ne, err := nullOrEmpty(masked)
+	if os.IsNotExist(err) {
+		return nil
+	} else if err != nil {
+		return err
+	}
+	if !ne {
+		log.Printf("%s is not null or empty, refusing to unmask", masked)
+		return nil
+	}
+	return os.Remove(masked)
+}
+
+// nullOrEmpty checks whether a given path appears to be an empty regular file
+// or a symlink to /dev/null
+func nullOrEmpty(path string) (bool, error) {
+	fi, err := os.Stat(path)
+	if err != nil {
+		return false, err
+	}
+	m := fi.Mode()
+	if m.IsRegular() && fi.Size() <= 0 {
+		return true, nil
+	}
+	if m&os.ModeCharDevice > 0 {
+		return true, nil
+	}
+	return false, nil
+}
+
+func ExecuteScript(scriptPath string) (string, error) {
+	props := []dbus.Property{
+		dbus.PropDescription("Unit generated and executed by coreos-cloudinit on behalf of user"),
+		dbus.PropExecStart([]string{"/bin/bash", scriptPath}, false),
+	}
+
+	base := path.Base(scriptPath)
+	name := fmt.Sprintf("coreos-cloudinit-%s.service", base)
+
+	log.Printf("Creating transient systemd unit '%s'", name)
+
+	conn, err := dbus.New()
+	if err != nil {
+		return "", err
+	}
+
+	_, err = conn.StartTransientUnit(name, "replace", props...)
+	return name, err
+}
+
+func SetHostname(hostname string) error {
+	return exec.Command("hostnamectl", "set-hostname", hostname).Run()
+}
+
+func Hostname() (string, error) {
+	return os.Hostname()
+}
+
+func MachineID(root string) string {
+	contents, _ := ioutil.ReadFile(path.Join(root, "etc", "machine-id"))
+	id := strings.TrimSpace(string(contents))
+
+	if id == fakeMachineID {
+		id = ""
+	}
+
+	return id
+}

config/cloudinit/system/systemd_test.go

@@ -0,0 +1,280 @@
+// Copyright 2015 CoreOS, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package system
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path"
+	"testing"
+
+	"github.com/rancher/os/config/cloudinit/config"
+)
+
+func TestPlaceUnit(t *testing.T) {
+	tests := []config.Unit{
+		{
+			Name:    "50-eth0.network",
+			Runtime: true,
+			Content: "[Match]\nName=eth47\n\n[Network]\nAddress=10.209.171.177/19\n",
+		},
+		{
+			Name:    "media-state.mount",
+			Content: "[Mount]\nWhat=/dev/sdb1\nWhere=/media/state\n",
+		},
+	}
+
+	for _, tt := range tests {
+		dir, err := ioutil.TempDir(os.TempDir(), "coreos-cloudinit-")
+		if err != nil {
+			panic(fmt.Sprintf("Unable to create tempdir: %v", err))
+		}
+
+		u := Unit{tt}
+		sd := &systemd{dir}
+
+		if err := sd.PlaceUnit(u); err != nil {
+			t.Fatalf("PlaceUnit(): bad error (%+v): want nil, got %s", tt, err)
+		}
+
+		fi, err := os.Stat(u.Destination(dir))
+		if err != nil {
+			t.Fatalf("Stat(): bad error (%+v): want nil, got %s", tt, err)
+		}
+
+		if mode := fi.Mode(); mode != os.FileMode(0644) {
+			t.Errorf("bad filemode (%+v): want %v, got %v", tt, os.FileMode(0644), mode)
+		}
+
+		c, err := ioutil.ReadFile(u.Destination(dir))
+		if err != nil {
+			t.Fatalf("ReadFile(): bad error (%+v): want nil, got %s", tt, err)
+		}
+
+		if string(c) != tt.Content {
+			t.Errorf("bad contents (%+v): want %q, got %q", tt, tt.Content, string(c))
+		}
+
+		os.RemoveAll(dir)
+	}
+}
+
+func TestPlaceUnitDropIn(t *testing.T) {
+	tests := []config.Unit{
+		{
+			Name:    "false.service",
+			Runtime: true,
+			DropIns: []config.UnitDropIn{
+				{
+					Name:    "00-true.conf",
+					Content: "[Service]\nExecStart=\nExecStart=/usr/bin/true\n",
+				},
+			},
+		},
+		{
+			Name: "true.service",
+			DropIns: []config.UnitDropIn{
+				{
+					Name:    "00-false.conf",
+					Content: "[Service]\nExecStart=\nExecStart=/usr/bin/false\n",
+				},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		dir, err := ioutil.TempDir(os.TempDir(), "coreos-cloudinit-")
+		if err != nil {
+			panic(fmt.Sprintf("Unable to create tempdir: %v", err))
+		}
+
+		u := Unit{tt}
+		sd := &systemd{dir}
+
+		if err := sd.PlaceUnitDropIn(u, u.DropIns[0]); err != nil {
+			t.Fatalf("PlaceUnit(): bad error (%+v): want nil, got %s", tt, err)
+		}
+
+		fi, err := os.Stat(u.DropInDestination(dir, u.DropIns[0]))
+		if err != nil {
+			t.Fatalf("Stat(): bad error (%+v): want nil, got %s", tt, err)
+		}
+
+		if mode := fi.Mode(); mode != os.FileMode(0644) {
+			t.Errorf("bad filemode (%+v): want %v, got %v", tt, os.FileMode(0644), mode)
+		}
+
+		c, err := ioutil.ReadFile(u.DropInDestination(dir, u.DropIns[0]))
+		if err != nil {
+			t.Fatalf("ReadFile(): bad error (%+v): want nil, got %s", tt, err)
+		}
+
+		if string(c) != u.DropIns[0].Content {
+			t.Errorf("bad contents (%+v): want %q, got %q", tt, u.DropIns[0].Content, string(c))
+		}
+
+		os.RemoveAll(dir)
+	}
+}
+
+func TestMachineID(t *testing.T) {
+	dir, err := ioutil.TempDir(os.TempDir(), "coreos-cloudinit-")
+	if err != nil {
+		t.Fatalf("Unable to create tempdir: %v", err)
+	}
+	defer os.RemoveAll(dir)
+
+	os.Mkdir(path.Join(dir, "etc"), os.FileMode(0755))
+	ioutil.WriteFile(path.Join(dir, "etc", "machine-id"), []byte("node007\n"), os.FileMode(0444))
+
+	if MachineID(dir) != "node007" {
+		t.Fatalf("File has incorrect contents")
+	}
+}
+
+func TestMaskUnit(t *testing.T) {
+	dir, err := ioutil.TempDir(os.TempDir(), "coreos-cloudinit-")
+	if err != nil {
+		t.Fatalf("Unable to create tempdir: %v", err)
+	}
+	defer os.RemoveAll(dir)
+
+	sd := &systemd{dir}
+
+	// Ensure mask works with units that do not currently exist
+	uf := Unit{config.Unit{Name: "foo.service"}}
+	if err := sd.MaskUnit(uf); err != nil {
+		t.Fatalf("Unable to mask new unit: %v", err)
+	}
+	fooPath := path.Join(dir, "etc", "systemd", "system", "foo.service")
+	fooTgt, err := os.Readlink(fooPath)
+	if err != nil {
+		t.Fatal("Unable to read link", err)
+	}
+	if fooTgt != "/dev/null" {
+		t.Fatal("unit not masked, got unit target", fooTgt)
+	}
+
+	// Ensure mask works with unit files that already exist
+	ub := Unit{config.Unit{Name: "bar.service"}}
+	barPath := path.Join(dir, "etc", "systemd", "system", "bar.service")
+	if _, err := os.Create(barPath); err != nil {
+		t.Fatalf("Error creating new unit file: %v", err)
+	}
+	if err := sd.MaskUnit(ub); err != nil {
+		t.Fatalf("Unable to mask existing unit: %v", err)
+	}
+	barTgt, err := os.Readlink(barPath)
+	if err != nil {
+		t.Fatal("Unable to read link", err)
+	}
+	if barTgt != "/dev/null" {
+		t.Fatal("unit not masked, got unit target", barTgt)
+	}
+}
+
+func TestUnmaskUnit(t *testing.T) {
+	dir, err := ioutil.TempDir(os.TempDir(), "coreos-cloudinit-")
+	if err != nil {
+		t.Fatalf("Unable to create tempdir: %v", err)
+	}
+	defer os.RemoveAll(dir)
+
+	sd := &systemd{dir}
+
+	nilUnit := Unit{config.Unit{Name: "null.service"}}
+	if err := sd.UnmaskUnit(nilUnit); err != nil {
+		t.Errorf("unexpected error from unmasking nonexistent unit: %v", err)
+	}
+
+	uf := Unit{config.Unit{Name: "foo.service", Content: "[Service]\nExecStart=/bin/true"}}
+	dst := uf.Destination(dir)
+	if err := os.MkdirAll(path.Dir(dst), os.FileMode(0755)); err != nil {
+		t.Fatalf("Unable to create unit directory: %v", err)
+	}
+	if _, err := os.Create(dst); err != nil {
+		t.Fatalf("Unable to write unit file: %v", err)
+	}
+
+	if err := ioutil.WriteFile(dst, []byte(uf.Content), 700); err != nil {
+		t.Fatalf("Unable to write unit file: %v", err)
+	}
+	if err := sd.UnmaskUnit(uf); err != nil {
+		t.Errorf("unmask of non-empty unit returned unexpected error: %v", err)
+	}
+	got, _ := ioutil.ReadFile(dst)
+	if string(got) != uf.Content {
+		t.Errorf("unmask of non-empty unit mutated unit contents unexpectedly")
+	}
+
+	ub := Unit{config.Unit{Name: "bar.service"}}
+	dst = ub.Destination(dir)
+	if err := os.Symlink("/dev/null", dst); err != nil {
+		t.Fatalf("Unable to create masked unit: %v", err)
+	}
+	if err := sd.UnmaskUnit(ub); err != nil {
+		t.Errorf("unmask of unit returned unexpected error: %v", err)
+	}
+	if _, err := os.Stat(dst); !os.IsNotExist(err) {
+		t.Errorf("expected %s to not exist after unmask, but got err: %s", dst, err)
+	}
+}
+
+func TestNullOrEmpty(t *testing.T) {
+	dir, err := ioutil.TempDir(os.TempDir(), "coreos-cloudinit-")
+	if err != nil {
+		t.Fatalf("Unable to create tempdir: %v", err)
+	}
+	defer os.RemoveAll(dir)
+
+	non := path.Join(dir, "does_not_exist")
+	ne, err := nullOrEmpty(non)
+	if !os.IsNotExist(err) {
+		t.Errorf("nullOrEmpty on nonexistent file returned bad error: %v", err)
+	}
+	if ne {
+		t.Errorf("nullOrEmpty returned true unxpectedly")
+	}
+
+	regEmpty := path.Join(dir, "regular_empty_file")
+	_, err = os.Create(regEmpty)
+	if err != nil {
+		t.Fatalf("Unable to create tempfile: %v", err)
+	}
+	gotNe, gotErr := nullOrEmpty(regEmpty)
+	if !gotNe || gotErr != nil {
+		t.Errorf("nullOrEmpty of regular empty file returned %t, %v - want true, nil", gotNe, gotErr)
+	}
+
+	reg := path.Join(dir, "regular_file")
+	if err := ioutil.WriteFile(reg, []byte("asdf"), 700); err != nil {
+		t.Fatalf("Unable to create tempfile: %v", err)
+	}
+	gotNe, gotErr = nullOrEmpty(reg)
+	if gotNe || gotErr != nil {
+		t.Errorf("nullOrEmpty of regular file returned %t, %v - want false, nil", gotNe, gotErr)
+	}
+
+	null := path.Join(dir, "null")
+	if err := os.Symlink(os.DevNull, null); err != nil {
+		t.Fatalf("Unable to create /dev/null link: %s", err)
+	}
+	gotNe, gotErr = nullOrEmpty(null)
+	if !gotNe || gotErr != nil {
+		t.Errorf("nullOrEmpty of null symlink returned %t, %v - want true, nil", gotNe, gotErr)
+	}
+
+}

config/cloudinit/system/unit.go

@@ -0,0 +1,82 @@
+// Copyright 2015 CoreOS, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package system
+
+import (
+	"fmt"
+	"path"
+	"path/filepath"
+	"strings"
+
+	"github.com/rancher/os/config/cloudinit/config"
+)
+
+type UnitManager interface {
+	PlaceUnit(unit Unit) error
+	PlaceUnitDropIn(unit Unit, dropIn config.UnitDropIn) error
+	EnableUnitFile(unit Unit) error
+	RunUnitCommand(unit Unit, command string) (string, error)
+	MaskUnit(unit Unit) error
+	UnmaskUnit(unit Unit) error
+	DaemonReload() error
+}
+
+// Unit is a top-level structure which embeds its underlying configuration,
+// config.Unit, and provides the system-specific Destination(), Type(), and
+// Group().
+type Unit struct {
+	config.Unit
+}
+
+// Type returns the extension of the unit (everything that follows the final
+// period).
+func (u Unit) Type() string {
+	ext := filepath.Ext(u.Name)
+	return strings.TrimLeft(ext, ".")
+}
+
+// Group returns "network" or "system" depending on whether or not the unit is
+// a network unit or otherwise.
+func (u Unit) Group() string {
+	switch u.Type() {
+	case "network", "netdev", "link":
+		return "network"
+	default:
+		return "system"
+	}
+}
+
+// Destination builds the appropriate absolute file path for the Unit. The root
+// argument indicates the effective base directory of the system (similar to a
+// chroot).
+func (u Unit) Destination(root string) string {
+	return path.Join(u.prefix(root), u.Name)
+}
+
+// DropInDestination builds the appropriate absolute file path for the
+// UnitDropIn. The root argument indicates the effective base directory of the
+// system (similar to a chroot) and the dropIn argument is the UnitDropIn for
+// which the destination is being calculated.
+func (u Unit) DropInDestination(root string, dropIn config.UnitDropIn) string {
+	return path.Join(u.prefix(root), fmt.Sprintf("%s.d", u.Name), dropIn.Name)
+}
+
+func (u Unit) prefix(root string) string {
+	dir := "etc"
+	if u.Runtime {
+		dir = "run"
+	}
+	return path.Join(root, dir, "systemd", u.Group())
+}

config/cloudinit/system/unit_test.go

@@ -0,0 +1,136 @@
+// Copyright 2015 CoreOS, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package system
+
+import (
+	"testing"
+
+	"github.com/rancher/os/config/cloudinit/config"
+)
+
+func TestType(t *testing.T) {
+	tests := []struct {
+		name string
+
+		typ string
+	}{
+		{},
+		{"test.service", "service"},
+		{"hello", ""},
+		{"lots.of.dots", "dots"},
+	}
+
+	for _, tt := range tests {
+		u := Unit{config.Unit{
+			Name: tt.name,
+		}}
+		if typ := u.Type(); tt.typ != typ {
+			t.Errorf("bad type (%+v): want %q, got %q", tt, tt.typ, typ)
+		}
+	}
+}
+
+func TestGroup(t *testing.T) {
+	tests := []struct {
+		name string
+
+		group string
+	}{
+		{"test.service", "system"},
+		{"test.link", "network"},
+		{"test.network", "network"},
+		{"test.netdev", "network"},
+		{"test.conf", "system"},
+	}
+
+	for _, tt := range tests {
+		u := Unit{config.Unit{
+			Name: tt.name,
+		}}
+		if group := u.Group(); tt.group != group {
+			t.Errorf("bad group (%+v): want %q, got %q", tt, tt.group, group)
+		}
+	}
+}
+
+func TestDestination(t *testing.T) {
+	tests := []struct {
+		root    string
+		name    string
+		runtime bool
+
+		destination string
+	}{
+		{
+			root:        "/some/dir",
+			name:        "foobar.service",
+			destination: "/some/dir/etc/systemd/system/foobar.service",
+		},
+		{
+			root:        "/some/dir",
+			name:        "foobar.service",
+			runtime:     true,
+			destination: "/some/dir/run/systemd/system/foobar.service",
+		},
+	}
+
+	for _, tt := range tests {
+		u := Unit{config.Unit{
+			Name:    tt.name,
+			Runtime: tt.runtime,
+		}}
+		if d := u.Destination(tt.root); tt.destination != d {
+			t.Errorf("bad destination (%+v): want %q, got %q", tt, tt.destination, d)
+		}
+	}
+}
+
+func TestDropInDestination(t *testing.T) {
+	tests := []struct {
+		root       string
+		unitName   string
+		dropInName string
+		runtime    bool
+
+		destination string
+	}{
+		{
+			root:        "/some/dir",
+			unitName:    "foo.service",
+			dropInName:  "bar.conf",
+			destination: "/some/dir/etc/systemd/system/foo.service.d/bar.conf",
+		},
+		{
+			root:        "/some/dir",
+			unitName:    "foo.service",
+			dropInName:  "bar.conf",
+			runtime:     true,
+			destination: "/some/dir/run/systemd/system/foo.service.d/bar.conf",
+		},
+	}
+
+	for _, tt := range tests {
+		u := Unit{config.Unit{
+			Name:    tt.unitName,
+			Runtime: tt.runtime,
+			DropIns: []config.UnitDropIn{{
+				Name: tt.dropInName,
+			}},
+		}}
+		if d := u.DropInDestination(tt.root, u.DropIns[0]); tt.destination != d {
+			t.Errorf("bad destination (%+v): want %q, got %q", tt, tt.destination, d)
+		}
+	}
+}

config/cloudinit/system/update.go

@@ -0,0 +1,151 @@
+// Copyright 2015 CoreOS, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package system
+
+import (
+	"bufio"
+	"fmt"
+	"io"
+	"os"
+	"path"
+	"reflect"
+	"sort"
+	"strings"
+
+	"github.com/rancher/os/config/cloudinit/config"
+)
+
+const (
+	locksmithUnit    = "locksmithd.service"
+	updateEngineUnit = "update-engine.service"
+)
+
+// Update is a top-level structure which contains its underlying configuration,
+// config.Update, a function for reading the configuration (the default
+// implementation reading from the filesystem), and provides the system-specific
+// File() and Unit().
+type Update struct {
+	ReadConfig func() (io.Reader, error)
+	config.Update
+}
+
+func DefaultReadConfig() (io.Reader, error) {
+	etcUpdate := path.Join("/etc", "coreos", "update.conf")
+	usrUpdate := path.Join("/usr", "share", "coreos", "update.conf")
+
+	f, err := os.Open(etcUpdate)
+	if os.IsNotExist(err) {
+		f, err = os.Open(usrUpdate)
+	}
+	return f, err
+}
+
+// File generates an `/etc/coreos/update.conf` file (if any update
+// configuration options are set in cloud-config) by either rewriting the
+// existing file on disk, or starting from `/usr/share/coreos/update.conf`
+func (uc Update) File() (*File, error) {
+	if config.IsZero(uc.Update) {
+		return nil, nil
+	}
+	if err := config.AssertStructValid(uc.Update); err != nil {
+		return nil, err
+	}
+
+	// Generate the list of possible substitutions to be performed based on the options that are configured
+	subs := map[string]string{}
+	uct := reflect.TypeOf(uc.Update)
+	ucv := reflect.ValueOf(uc.Update)
+	for i := 0; i < uct.NumField(); i++ {
+		val := ucv.Field(i).String()
+		if val == "" {
+			continue
+		}
+		env := uct.Field(i).Tag.Get("env")
+		subs[env] = fmt.Sprintf("%s=%s", env, val)
+	}
+
+	conf, err := uc.ReadConfig()
+	if err != nil {
+		return nil, err
+	}
+	scanner := bufio.NewScanner(conf)
+
+	var out string
+	for scanner.Scan() {
+		line := scanner.Text()
+		for env, value := range subs {
+			if strings.HasPrefix(line, env) {
+				line = value
+				delete(subs, env)
+				break
+			}
+		}
+		out += line
+		out += "\n"
+		if err := scanner.Err(); err != nil {
+			return nil, err
+		}
+	}
+
+	for _, key := range sortedKeys(subs) {
+		out += subs[key]
+		out += "\n"
+	}
+
+	return &File{config.File{
+		Path:               path.Join("etc", "coreos", "update.conf"),
+		RawFilePermissions: "0644",
+		Content:            out,
+	}}, nil
+}
+
+// Units generates units for the cloud-init initializer to act on:
+// - a locksmith Unit, if "reboot-strategy" was set in cloud-config
+// - an update_engine Unit, if "group" or "server" was set in cloud-config
+func (uc Update) Units() []Unit {
+	var units []Unit
+	if uc.Update.RebootStrategy != "" {
+		ls := &Unit{config.Unit{
+			Name:    locksmithUnit,
+			Command: "restart",
+			Mask:    false,
+			Runtime: true,
+		}}
+
+		if uc.Update.RebootStrategy == "off" {
+			ls.Command = "stop"
+			ls.Mask = true
+		}
+		units = append(units, *ls)
+	}
+
+	if uc.Update.Group != "" || uc.Update.Server != "" {
+		ue := Unit{config.Unit{
+			Name:    updateEngineUnit,
+			Command: "restart",
+		}}
+		units = append(units, ue)
+	}
+
+	return units
+}
+
+func sortedKeys(m map[string]string) (keys []string) {
+	for key := range m {
+		keys = append(keys, key)
+	}
+	sort.Strings(keys)
+	return
+}

config/cloudinit/system/update_test.go

@@ -0,0 +1,161 @@
+// Copyright 2015 CoreOS, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package system
+
+import (
+	"io"
+	"reflect"
+	"strings"
+	"testing"
+
+	"github.com/rancher/os/config/cloudinit/config"
+)
+
+func testReadConfig(config string) func() (io.Reader, error) {
+	return func() (io.Reader, error) {
+		return strings.NewReader(config), nil
+	}
+}
+
+func TestUpdateUnits(t *testing.T) {
+	for _, tt := range []struct {
+		config config.Update
+		units  []Unit
+		err    error
+	}{
+		{
+			config: config.Update{},
+		},
+		{
+			config: config.Update{Group: "master", Server: "http://foo.com"},
+			units: []Unit{{config.Unit{
+				Name:    "update-engine.service",
+				Command: "restart",
+			}}},
+		},
+		{
+			config: config.Update{RebootStrategy: "best-effort"},
+			units: []Unit{{config.Unit{
+				Name:    "locksmithd.service",
+				Command: "restart",
+				Runtime: true,
+			}}},
+		},
+		{
+			config: config.Update{RebootStrategy: "etcd-lock"},
+			units: []Unit{{config.Unit{
+				Name:    "locksmithd.service",
+				Command: "restart",
+				Runtime: true,
+			}}},
+		},
+		{
+			config: config.Update{RebootStrategy: "reboot"},
+			units: []Unit{{config.Unit{
+				Name:    "locksmithd.service",
+				Command: "restart",
+				Runtime: true,
+			}}},
+		},
+		{
+			config: config.Update{RebootStrategy: "off"},
+			units: []Unit{{config.Unit{
+				Name:    "locksmithd.service",
+				Command: "stop",
+				Runtime: true,
+				Mask:    true,
+			}}},
+		},
+	} {
+		units := Update{Update: tt.config, ReadConfig: testReadConfig("")}.Units()
+		if !reflect.DeepEqual(tt.units, units) {
+			t.Errorf("bad units (%q): want %#v, got %#v", tt.config, tt.units, units)
+		}
+	}
+}
+
+func TestUpdateFile(t *testing.T) {
+	for _, tt := range []struct {
+		config config.Update
+		orig   string
+		file   *File
+		err    error
+	}{
+		{
+			config: config.Update{},
+		},
+		{
+			config: config.Update{RebootStrategy: "wizzlewazzle"},
+			err:    &config.ErrorValid{Value: "wizzlewazzle", Field: "RebootStrategy", Valid: "^(best-effort|etcd-lock|reboot|off)$"},
+		},
+		{
+			config: config.Update{Group: "master", Server: "http://foo.com"},
+			file: &File{config.File{
+				Content:            "GROUP=master\nSERVER=http://foo.com\n",
+				Path:               "etc/coreos/update.conf",
+				RawFilePermissions: "0644",
+			}},
+		},
+		{
+			config: config.Update{RebootStrategy: "best-effort"},
+			file: &File{config.File{
+				Content:            "REBOOT_STRATEGY=best-effort\n",
+				Path:               "etc/coreos/update.conf",
+				RawFilePermissions: "0644",
+			}},
+		},
+		{
+			config: config.Update{RebootStrategy: "etcd-lock"},
+			file: &File{config.File{
+				Content:            "REBOOT_STRATEGY=etcd-lock\n",
+				Path:               "etc/coreos/update.conf",
+				RawFilePermissions: "0644",
+			}},
+		},
+		{
+			config: config.Update{RebootStrategy: "reboot"},
+			file: &File{config.File{
+				Content:            "REBOOT_STRATEGY=reboot\n",
+				Path:               "etc/coreos/update.conf",
+				RawFilePermissions: "0644",
+			}},
+		},
+		{
+			config: config.Update{RebootStrategy: "off"},
+			file: &File{config.File{
+				Content:            "REBOOT_STRATEGY=off\n",
+				Path:               "etc/coreos/update.conf",
+				RawFilePermissions: "0644",
+			}},
+		},
+		{
+			config: config.Update{RebootStrategy: "etcd-lock"},
+			orig:   "SERVER=https://example.com\nGROUP=thegroupc\nREBOOT_STRATEGY=awesome",
+			file: &File{config.File{
+				Content:            "SERVER=https://example.com\nGROUP=thegroupc\nREBOOT_STRATEGY=etcd-lock\n",
+				Path:               "etc/coreos/update.conf",
+				RawFilePermissions: "0644",
+			}},
+		},
+	} {
+		file, err := Update{Update: tt.config, ReadConfig: testReadConfig(tt.orig)}.File()
+		if !reflect.DeepEqual(tt.err, err) {
+			t.Errorf("bad error (%q): want %q, got %q", tt.config, tt.err, err)
+		}
+		if !reflect.DeepEqual(tt.file, file) {
+			t.Errorf("bad units (%q): want %#v, got %#v", tt.config, tt.file, file)
+		}
+	}
+}

config/cloudinit/system/user.go

@@ -0,0 +1,114 @@
+// Copyright 2015 CoreOS, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package system
+
+import (
+	"fmt"
+	"log"
+	"os/exec"
+	"os/user"
+	"strings"
+
+	"github.com/rancher/os/config/cloudinit/config"
+)
+
+func UserExists(u *config.User) bool {
+	_, err := user.Lookup(u.Name)
+	return err == nil
+}
+
+func CreateUser(u *config.User) error {
+	args := []string{}
+
+	if u.PasswordHash != "" {
+		args = append(args, "--password", u.PasswordHash)
+	} else {
+		args = append(args, "--password", "*")
+	}
+
+	if u.GECOS != "" {
+		args = append(args, "--comment", fmt.Sprintf("%q", u.GECOS))
+	}
+
+	if u.Homedir != "" {
+		args = append(args, "--home-dir", u.Homedir)
+	}
+
+	if u.NoCreateHome {
+		args = append(args, "--no-create-home")
+	} else {
+		args = append(args, "--create-home")
+	}
+
+	if u.PrimaryGroup != "" {
+		args = append(args, "--gid", u.PrimaryGroup)
+	}
+
+	if len(u.Groups) > 0 {
+		args = append(args, "--groups", strings.Join(u.Groups, ","))
+	}
+
+	if u.NoUserGroup {
+		args = append(args, "--no-user-group")
+	}
+
+	if u.System {
+		args = append(args, "--system")
+	}
+
+	if u.NoLogInit {
+		args = append(args, "--no-log-init")
+	}
+
+	if u.Shell != "" {
+		args = append(args, "--shell", u.Shell)
+	}
+
+	args = append(args, u.Name)
+
+	output, err := exec.Command("useradd", args...).CombinedOutput()
+	if err != nil {
+		log.Printf("Command 'useradd %s' failed: %v\n%s", strings.Join(args, " "), err, output)
+	}
+	return err
+}
+
+func SetUserPassword(user, hash string) error {
+	cmd := exec.Command("/usr/sbin/chpasswd", "-e")
+
+	stdin, err := cmd.StdinPipe()
+	if err != nil {
+		return err
+	}
+
+	err = cmd.Start()
+	if err != nil {
+		return err
+	}
+
+	arg := fmt.Sprintf("%s:%s", user, hash)
+	_, err = stdin.Write([]byte(arg))
+	if err != nil {
+		return err
+	}
+	stdin.Close()
+
+	err = cmd.Wait()
+	if err != nil {
+		return err
+	}
+
+	return nil
+}