libexec/nuageinit/nuageinit.7

.\" SPDX-License-Identifier: BSD-2-Clause
.\"
.\" Copyright (c) 2025 Baptiste Daroussin <bapt@FreeBSD.org>
.\" Copyright (c) 2025 Jesús Daniel Colmenares Oviedo <dtxdf@FreeBSD.org>
.\"
.Dd June 26, 2025
.Dt NUAGEINIT 7
.Os
.Sh NAME
.Nm nuageinit
.Nd initialize a cloud-init environment
.Sh DESCRIPTION
The
.Nm
program is used to initialize instances in a cloud environment.
.Nm
runs at the first boot after the system installation.
It is composed of three
.Xr rc 8
scripts:
.Bl -tag -width "nuageinit"
.It Cm nuageinit
This script detects the type of cloud environment and gathers
the configuration data accordingly.
The following cloud environments are supported right now:
.Bl -tag -width "OpenStack"
.It ondisk
A cloud agnostic environment where the disk is provided to the system
with the configuration data on it.
The disk must be formatted using one of the following filesystems:
.Xr cd9660 4
or
.Xr msdosfs 4
and be labelled (via filesystem label) either
.Ar config-2
or
.Ar cidata .
.It OpenStack
The system is running in an
.Lk https://www.openstack.org/ OpenStack environment .
It is detected via the
.Ar smbios.system.product
.Xr smbios 4
description available in
.Xr kenv 2 .
.El
.Pp
Depending on the cloud environment above,
.Nm
will attempt to configure the instance.
This script executes early
after all the local filesystem are mounted but before
the network is configured.
.It Cm nuageinit_post_net
This script is responsible for processing the configurations that are network
dependent:
.Bl -bullet
.It
dealing with packages
.It
dealing with users (which can depend on shell provided by packages)
.El
.It Cm nuageinit_user_data_script
This script is responsible for executing everything which would have
been passed via the configuration to be executed, via the configuration
or because the user_data provided is a script.
.El
.Pp
The default user for nuageinit is a user named
.Va freebsd
with a password set to
.Va freebsd
and a login shell set to
.Va /bin/sh .
.Sh CONFIGURATION
The configuration of
.Nm
is typically provided as metadata by the cloud provider.
The metadata is presented to nuageinit in different forms depending on
the provider:
.Bl -tag -width "config-2"
.It nocloud
If the data is provided via a disk labelled
.Va cidata ,
then the metadata is provided in the form of a file named
.Pa meta-data
in YAML format.
.Nm
will configure the hostname of the instance according to the value of the
following variables
.Va local-hostname
or
.Va hostname .
.It config-2
If the data is provided via a disk labelled
.Va config-2
or if it is fetched from OpenStack,
the metadata is expected in two json files:
.Pp
The
.Pa meta_data.json
file supports the following keys:
.Bl -tag -width "public_keys"
.It Ic hostname
Set the hostname of the instance.
.It Ic public_keys
Append each entry of the array to
.Nm
default user which will be created.
.El
.Pp
The
.Pa network_data.json
file supports the following keys:
.Bl -tag -width "public_keys"
.It Ic links
Array of network interfaces to be configured.
.It Ic networks
Array of network configurations to be set.
.El
.El
.Pp
Along with the metadata, a user data file is provided, either named
.Pa user_data
or
.Pa user-data .
If this file starts with a
.Qq #! ,
it will be executed at the end of the boot via
.Cm nuageinit_user_data_script .
If this file starts with
.Qq #!cloud-config ,
it will be parsed as a YAML configuration file.
All other cases will be ignored.
.Pp
The
.Qq #!cloud-config
configuration entries supported by
.Nm :
.Bl -tag -width "config-2"
.It Ic fqdn
Specify a fully qualified domain name for the instance.
.It Ic hostname
Specify the hostname of the instance if
.Qq Ic fqdn
is not set.
.It Ic timezone
Sets the system timezone based on the value provided.
.Pp
See also
.Xr tzfile 3 Ns .
.It Ic groups
An array of strings or objects to be created:
.Bl -bullet
.It
If the entry is a string,
a group using this string as a name will be created.
.It
if the entry is an object, the
.Qq Ar key
will be used as the name of the group, the
.Qq Ar value
is expected to be a list of members (array), specified by name.
.El
.It Ic ssh_keys
An object of multiple key/values,
.Qq Cm keys
being in the form
.Ar algo_private
or
.Ar algo_public ,
.Qq Cm values
being the actual content of the files in
.Pa /etc/ssh .
.It Ic ssh_authorized_keys
Append each entry of the array to
.Nm
default user which will be created.
.It Ic ssh_pwauth
boolean which determines the value of the
.Qq Ic PasswordAuthentication
configuration in
.Pa /etc/ssh/sshd_config
.It Ic network
Network configuration parameters.
.Pp
Specifying the following parameters from a file named
.Pa network-config
takes precedence over their specification from the
.Ic network
parameter of
.Pa user-data Ns .
.Bl -tag -width "ethernets"
.It Ic ethernets
Mapping representing a generic configuration for existing network interfaces.
.Pp
Each key is an interface name that is only used when no
.Sy match
rule is specified.
If
.Sy match
rules are specified, an arbitrary name can be used
.Po e.g.: id0 Pc Ns .
.Bl -tag -width "nameservers"
.It Ic match
This selects a subset of available physical devices by various hardware properties.
The following configuration will then apply to all matching devices, as soon as
they appear.
All specified properties must match.
The following properties for
creating matches are supported:
.Bl -tag -width "macaddress"
.It Ic macaddress
.No Device's MAC address in the form Sy xx:xx:xx:xx:xx:xx Ns .
Letters should be lowercase.
.It Ic name
Current interface name.
Lua pattern-matching expressions are supported.
.It Ic driver
Interface driver name and unit number of the interface.
Lua pattern-natching expressions
are supported.
.El
.It Ic set-name
When matching on unique properties such as MAC, match rules can be written so that they
match only one device.
Then this property can be used to give that device a more
specific/desirable/nicer name than the default.
.Pp
While multiple properties can be used in a match,
.Sy macaddress
is required for nuageinit to perform the rename.
.It Ic mtu
The MTU key represents a device's Maximum Transmission Unit, the largest size packet
or frame.
.It Ic wakeonlan
Enable wake on LAN.
Off by default.
.It Ic dhcp4
Configure the interface to use DHCP.
.Pp
This takes precedence over
.Sy addresses
when both are specified.
.It Ic addresses
List of strings representing IPv4 or IPv6 addresses.
.It Ic gateway4
Set default gateway for IPv4, for manual address configuration.
This requires setting
.Sy addresses
too.
.Pp
Since only one default router can be configured at a time, this parameter is applied
when processing the first entry, and any others are silently ignored.
.It Ic gateway6
Set default gateway for IPv6, for manual address configuration.
This requires setting
.Sy addresses
too.
.Pp
Since only one default router can be configured at a time, this parameter is applied
when processing the first entry, and any others are silently ignored.
.It Ic nameservers
Set DNS servers and search domains, for manual address configuration.
.Pp
There are two supported fields:
.Bl -tag -width "addresses"
.It Ic search
Search list for host-name lookup.
.It Ic addresses
List of IPv4 or IPv6 name server addresses that the resolver should query.
.El
.El
.El
.It Ic runcmd
An array of commands to be run at the end of the boot process
.It Ic packages
List of packages to be installed.
.It Ic package_update
Update the remote package metadata.
.It Ic package_upgrade
Upgrade the packages installed to their latest version.
.It Ic users
Specify a list of users to be created:
.Bl -tag -width "ssh_authorized_keys"
.It Ic name
Name of the user.
.It Ic gecos
GECOS for the user.
.It Ic homedir
The path of the home directory for the user.
.It Ic primary_group
The main group the user should belong to.
.It Ic groups
The list of other groups the user should belong to.
.It Ic no_create_home
A boolean which determines if the home directory should be created or not.
.It Ic shell
The shell that should be used for the user.
.It Ic ssh_authorized_keys
List of SSH keys for the user.
.It Ic passwd
The encrypted password for the user.
.It Ic plain_text_passwd
The password in plain text for the user.
Ignored if an encrypted password is already provided.
.It Ic locked
Boolean to determine if the user account should be locked.
.It Ic sudo
A string or an array of strings which should be appended to
.Pa ${LOCALBASE}/etc/sudoers.d/90-nuageinit-users
.It Ic doas
A string or an array of strings which should be appended to
.Pa ${LOCALBASE}/etc/doas.conf
.Pp
Instead of hardcoding the username, you can use
.Sy %u Ns ,
which will be replaced by the current username.
.El
.Pp
A special case exist: if the entry is a simple string with the value
.Qq default ,
then the default user is created.
.It Ic chpasswd
Change the passwords for users, it accepts the following keys:
.Bl -tag -width "expire"
.It Ic expire
Boolean to force the user to change their password on first login.
.It Ic users
An array of objects:
.Bl -tag -width "password"
.It Ic user
Specify the user whose password will be changed.
.It Ic password
Specify a text line with the new password or
specify the user whose password will be changed.
.Qq Cm RANDOM
to assign the password randomly.
If the textline starts with
.Qq Cm $x$
where x is a number, then the password is considered encrypted,
otherwise the password is considered plaintext.
.El
.El
.It Ic write_files
An array of objects representing files to be created at first boot.
The files are being created before the installation of any packages
and the creation of the users.
The only mandatory field is:
.Ic path .
It accepts the following keys for each objects:
.Bl -tag -width "permissions"
.It Ic content
The content to be written to the file.
If this key is not existing then an empty file will be created.
.It Ic encoding
Specify the encoding used for content.
If not specified, then plain text is considered.
Only
.Ar b64
and
.Ar base64
are supported for now.
.It Ic path
The path of the file to be created.
.Pq Note intermerdiary directories will not be created .
.It Ic permissions
A string representing the permission of the file in octal.
.It Ic owner
A string representing the owner, two forms are possible:
.Ar user
or
.Ar user:group .
.It Ic append
A boolean to specify the content should be appended to the file if the file
exists.
.It Ic defer
A boolean to specify that the files should be created after the packages are
installed and the users are created.
.El
.El
.Sh EXAMPLES
Here is an example of a YAML configuration for
.Nm :
.Bd -literal
#cloud-config
fqdn: myhost.mynetwork.tld
users:
  - default
  - name: user
    gecos: Foo B. Bar
    sudo: ALL=(ALL) NOPASSWD:ALL
    ssh_authorized_keys:
      - ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAr...
packages:
  - neovim
  - git-lite
package_update: true
package_upgrade: true
runcmd:
  - logger -t nuageinit "boot finished"
ssh_keys:
  ed25519_private: |
    -----BEGIN OPENSSH PRIVATE KEY-----
    blabla
    ...
    -----END OPENSSH PRIVATE KEY-----
  ed25519_public: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK+MH4E8KO32N5CXRvXVqvyZVl0+6ue4DobdhU0FqFd+
network:
  ethernets:
    vtnet0:
      addresses:
        - 192.168.8.2/24
      gateway4: 192.168.8.1
.Ed
.Sh SEE ALSO
.Xr kenv 2 ,
.Xr cd9660 4 ,
.Xr msdosfs 4 ,
.Xr smbios 4 ,
.Xr ssh_config 5 ,
.Xr rc 8
.Sh STANDARDS
.Nm
is believed to conform to the
.Lk https://cloud-init.io/ Cloud Init
specification.
.Sh HISTORY
.Nm
appeared in
.Fx 14.1