From d496192032fe4f999e781ab71f552d454b002dda Mon Sep 17 00:00:00 2001 
From: Dalton Hubble
Date: Mon, 9 Jan 2017 03:15:11 -0800
Subject: [PATCH] Rename bootcfg to matchbox in docs, examples, scripts
* Verify all examples and docs work correctly
* Exclude contrib k8s and systemd which will be updated and verified in a followup commit
---
 Documentation/api.md | 42 +++---
 Documentation/bootkube.md | 6 +-
 Documentation/cloud-config.md | 6 +-
 Documentation/config.md | 78 +++++------
 Documentation/deployment.md | 130 +++++++++---------
 Documentation/dev/develop.md | 6 +-
 Documentation/dev/release.md | 14 +-
 Documentation/getting-started-docker.md | 14 +-
 Documentation/getting-started-rkt.md | 12 +-
 Documentation/grub.md | 10 +-
 Documentation/ignition.md | 12 +-
 Documentation/index.md | 18 +--
 Documentation/kubernetes.md | 6 +-
 Documentation/machine-lifecycle.md | 2 +-
 Documentation/{bootcfg.md => matchbox.md} | 38 ++---
 Documentation/network-booting.md | 4 +-
 Documentation/network-setup.md | 50 +++----
 Documentation/openpgp.md | 14 +-
 Documentation/rktnetes.md | 6 +-
 Documentation/torus.md | 6 +-
 Makefile | 12 +-
 README.md | 20 +--
 build | 4 +-
 cmd/{bootcfg => matchbox}/main.go | 0
 contrib/dnsmasq/README.md | 8 +-
 contrib/dnsmasq/docker0.conf | 5 +-
 contrib/dnsmasq/metal0.conf | 3 +-
 examples/README.md | 10 +-
 examples/etc/{bootcfg => matchbox}/.gitignore | 0
 examples/etc/{bootcfg => matchbox}/README.md | 12 +-
 examples/etc/{bootcfg => matchbox}/cert-gen | 2 +-
 .../etc/{bootcfg => matchbox}/openssl.conf | 0
 examples/groups/bootkube-install/install.json | 4 +-
 examples/groups/etcd-install/install.json | 4 +-
 examples/groups/etcd3-install/install.json | 4 +-
 examples/groups/k8s-install/install.json | 4 +-
 examples/groups/k8s-install/node1.json | 2 +-
 examples/groups/k8s-install/node2.json | 2 +-
 examples/groups/k8s-install/node3.json | 2 +-
 examples/groups/k8s/node1.json | 2 +-
 examples/groups/k8s/node2.json | 2 +-
 examples/groups/k8s/node3.json | 2 +-
 examples/groups/rktnetes-install/install.json | 4 +-
 examples/groups/rktnetes-install/node1.json | 2 +-
 examples/groups/rktnetes-install/node2.json | 2 +-
 examples/groups/rktnetes-install/node3.json | 2 +-
 examples/groups/rktnetes/node1.json | 2 +-
 examples/groups/rktnetes/node2.json | 2 +-
 examples/groups/rktnetes/node3.json | 2 +-
 examples/groups/simple-install/install.json | 4 +-
 examples/profiles/bootkube-controller.json | 2 +-
 examples/profiles/bootkube-worker.json | 2 +-
 examples/profiles/etcd-proxy.json | 2 +-
 examples/profiles/etcd.json | 2 +-
 examples/profiles/etcd3-proxy.json | 2 +-
 examples/profiles/etcd3.json | 2 +-
 examples/profiles/grub.json | 6 +-
 examples/profiles/install-reboot.json | 2 +-
 examples/profiles/install-shutdown.json | 2 +-
 examples/profiles/k8s-controller.json | 2 +-
 examples/profiles/k8s-worker.json | 2 +-
 examples/profiles/simple-install.json | 2 +-
 examples/profiles/simple.json | 2 +-
 examples/profiles/torus.json | 2 +-
 mkdocs.yml | 6 +-
 scripts/devnet | 30 ++--
 scripts/release-files | 6 +-
 scripts/tls/kube-conf | 12 +-
 68 files changed, 343 insertions(+), 341 deletions(-)
 rename Documentation/{bootcfg.md => matchbox.md} (70%)
 rename cmd/{bootcfg => matchbox}/main.go (100%)
 rename examples/etc/{bootcfg => matchbox}/.gitignore (100%)
 rename examples/etc/{bootcfg => matchbox}/README.md (77%)
 rename examples/etc/{bootcfg => matchbox}/cert-gen (93%)
 rename examples/etc/{bootcfg => matchbox}/openssl.conf (100%)
diff --git a/Documentation/api.md b/Documentation/api.md
index 3bbfc45c..d7795a55 100644
--- a/Documentation/api.md
+++ b/Documentation/api.md
@@ -5,8 +5,8 @@
 Serves a static iPXE boot script which gathers client machine attributes and chainloads to the iPXE endpoint. Use DHCP/TFTP to point iPXE clients to this endpoint as the next-server.
- GET http://bootcfg.foo/boot.ipxe
- GET http://bootcfg.foo/boot.ipxe.0 // for dnsmasq
+ GET http://matchbox.foo/boot.ipxe
+ GET http://matchbox.foo/boot.ipxe.0 // for dnsmasq
 **Response**
@@ -19,7 +19,7 @@ Client's booted with the `/ipxe.boot` endpoint will introspect and make a reques
 Finds the profile for the machine and renders the network boot config (kernel, options, initrd) as an iPXE script.
- GET http://bootcfg.foo/ipxe?label=value
+ GET http://matchbox.foo/ipxe?label=value
 **Query Parameters**
@@ -32,7 +32,7 @@ Finds the profile for the machine and renders the network boot config (kernel, o
 **Response**
 #!ipxe
- kernel /assets/coreos/1185.3.0/coreos_production_pxe.vmlinuz coreos.config.url=http://bootcfg.foo:8080/ignition?uuid=${uuid}&mac=${net0/mac:hexhyp} coreos.first_boot=1 coreos.autologin
+ kernel /assets/coreos/1185.3.0/coreos_production_pxe.vmlinuz coreos.config.url=http://matchbox.foo:8080/ignition?uuid=${uuid}&mac=${net0/mac:hexhyp} coreos.first_boot=1 coreos.autologin
 initrd /assets/coreos/1185.3.0/coreos_production_pxe_image.cpio.gz
 boot
@@ -40,7 +40,7 @@ Finds the profile for the machine and renders the network boot config (kernel, o
 Finds the profile for the machine and renders the network boot config as a GRUB config. Use DHCP/TFTP to point GRUB clients to this endpoint as the next-server.
- GET http://bootcfg.foo/grub?label=value
+ GET http://matchbox.foo/grub?label=value
 **Query Parameters**
@@ -56,16 +56,16 @@ Finds the profile for the machine and renders the network boot config as a GRUB
 timeout=1
 menuentry "CoreOS" {
 echo "Loading kernel"
- linuxefi "(http;bootcfg.foo:8080)/assets/coreos/1185.3.0/coreos_production_pxe.vmlinuz" "coreos.autologin" "coreos.config.url=http://bootcfg.foo:8080/ignition" "coreos.first_boot"
+ linuxefi "(http;matchbox.foo:8080)/assets/coreos/1185.3.0/coreos_production_pxe.vmlinuz" "coreos.autologin" "coreos.config.url=http://matchbox.foo:8080/ignition" "coreos.first_boot"
 echo "Loading initrd"
- initrdefi "(http;bootcfg.foo:8080)/assets/coreos/1185.3.0/coreos_production_pxe_image.cpio.gz"
+ initrdefi "(http;matchbox.foo:8080)/assets/coreos/1185.3.0/coreos_production_pxe_image.cpio.gz"
 }
 ## Cloud Config
 Finds the profile matching the machine and renders the corresponding Cloud-Config with group metadata, selectors, and query params.
- GET http://bootcfg.foo/cloud?label=value
+ GET http://matchbox.foo/cloud?label=value
 **Query Parameters**
@@ -89,7 +89,7 @@ Finds the profile matching the machine and renders the corresponding Cloud-Confi
 Finds the profile matching the machine and renders the corresponding Ignition Config with group metadata, selectors, and query params.
- GET http://bootcfg.foo/ignition?label=value
+ GET http://matchbox.foo/ignition?label=value
 **Query Parameters**
@@ -116,7 +116,7 @@ Finds the profile matching the machine and renders the corresponding Ignition Co
 Finds the profile matching the machine and renders the corresponding generic config with group metadata, selectors, and query params.
- GET http://bootcfg.foo/generic?label=value
+ GET http://matchbox.foo/generic?label=value
 **Query Parameters**
@@ -140,7 +140,7 @@ Finds the profile matching the machine and renders the corresponding generic con
 Finds the matching machine group and renders the group metadata, selectors, and query params in an "env file" style response.
- GET http://bootcfg.foo/metadata?mac=52-54-00-a1-9c-ae&foo=bar&count=3&gate=true
+ GET http://matchbox.foo/metadata?mac=52-54-00-a1-9c-ae&foo=bar&count=3&gate=true
 **Query Parameters**
@@ -168,17 +168,17 @@ OpenPGPG signature endpoints serve detached binary and ASCII armored signatures
 | Endpoint | Signature Endpoint | ASCII Signature Endpoint |
 |------------|--------------------|-------------------------|
-| iPXE | `http://bootcfg.foo/ipxe.sig` | `http://bootcfg.foo/ipxe.asc` |
-| GRUB2 | `http://bootcf.foo/grub.sig` | `http://bootcfg.foo/grub.asc` |
-| Ignition | `http://bootcfg.foo/ignition.sig` | `http://bootcfg.foo/ignition.asc` |
-| Cloud-Config | `http://bootcfg.foo/cloud.sig` | `http://bootcfg.foo/cloud.asc` |
-| Generic | `http://bootcfg.foo/generic.sig` | `http://bootcfg.foo/generic.asc` |
-| Metadata | `http://bootcfg.foo/metadata.sig` | `http://bootcfg.foo/metadata.asc` |
+| iPXE | `http://matchbox.foo/ipxe.sig` | `http://matchbox.foo/ipxe.asc` |
+| GRUB2 | `http://bootcf.foo/grub.sig` | `http://matchbox.foo/grub.asc` |
+| Ignition | `http://matchbox.foo/ignition.sig` | `http://matchbox.foo/ignition.asc` |
+| Cloud-Config | `http://matchbox.foo/cloud.sig` | `http://matchbox.foo/cloud.asc` |
+| Generic | `http://matchbox.foo/generic.sig` | `http://matchbox.foo/generic.asc` |
+| Metadata | `http://matchbox.foo/metadata.sig` | `http://matchbox.foo/metadata.asc` |
 Get a config and its detached ASCII armored signature.
- GET http://bootcfg.foo/ipxe?label=value
- GET http://bootcfg.foo/ipxe.asc?label=value
+ GET http://matchbox.foo/ipxe?label=value
+ GET http://matchbox.foo/ipxe.asc?label=value
 **Response**
@@ -197,9 +197,9 @@ NO+p24BL3PHZyKw0nsrm275C913OxEVgnNZX7TQltaweW23Cd1YBNjcfb3zv+Zo=
 ## Assets
-If you need to serve static assets (e.g. kernel, initrd), `bootcfg` can serve arbitrary assets from the `-assets-path`.
+If you need to serve static assets (e.g. kernel, initrd), `matchbox` can serve arbitrary assets from the `-assets-path`.
- bootcfg.foo/assets/
+ matchbox.foo/assets/
 └── coreos
 └── 1185.3.0
 ├── coreos_production_pxe.vmlinuz
diff --git a/Documentation/bootkube.md b/Documentation/bootkube.md
index 9ab7af4e..094d61af 100644
--- a/Documentation/bootkube.md
+++ b/Documentation/bootkube.md
@@ -5,9 +5,9 @@ The self-hosted Kubernetes example provisions a 3 node "self-hosted" Kubernetes
 ## Requirements
-Ensure that you've gone through the [bootcfg with rkt](getting-started-rkt.md) or [bootcfg with docker](getting-started-docker.md) guide and understand the basics. In particular, you should be able to:
+Ensure that you've gone through the [matchbox with rkt](getting-started-rkt.md) or [matchbox with docker](getting-started-docker.md) guide and understand the basics. In particular, you should be able to:
-* Use rkt or Docker to start `bootcfg`
+* Use rkt or Docker to start `matchbox`
 * Create a network boot environment with `coreos/dnsmasq`
 * Create the example libvirt client VMs
 * `/etc/hosts` entries for `node[1-3].example.com` (or pass custom names to `k8s-certgen`)
@@ -47,7 +47,7 @@ Use the `bootkube` tool to render Kubernetes manifests and credentials into an `
 ## Containers
-Use rkt or docker to start `bootcfg` and mount the desired example resources. Create a network boot environment and power-on your machines. Revisit [bootcfg with rkt](getting-started-rkt.md) or [bootcfg with Docker](getting-started-docker.md) for help.
+Use rkt or docker to start `matchbox` and mount the desired example resources. Create a network boot environment and power-on your machines. Revisit [matchbox with rkt](getting-started-rkt.md) or [matchbox with Docker](getting-started-docker.md) for help.
 Client machines should boot and provision themselves. Local client VMs should network boot CoreOS and become available via SSH in about 1 minute. If you chose `bootkube-install`, notice that machines install CoreOS and then reboot (in libvirt, you must hit "power" again). Time to network boot and provision physical hardware depends on a number of factors (POST duration, boot device iteration, network speed, etc.).
diff --git a/Documentation/cloud-config.md b/Documentation/cloud-config.md
index 193cebfc..2121d8ce 100644
--- a/Documentation/cloud-config.md
+++ b/Documentation/cloud-config.md
@@ -5,9 +5,9 @@
 CoreOS Cloud-Config is a system for configuring machines with a Cloud-Config file or executable script from user-data. Cloud-Config runs in userspace on each boot and implements a subset of the [cloud-init spec](http://cloudinit.readthedocs.org/en/latest/topics/format.html#cloud-config-data). See the cloud-config [docs](https://coreos.com/os/docs/latest/cloud-config.html) for details.
-Cloud-Config template files can be added in `/var/lib/bootcfg/cloud` or in a `cloud` subdirectory of a custom `-data-path`. Template files may contain [Go template](https://golang.org/pkg/text/template/) elements which will be evaluated with group metadata, selectors, and query params.
+Cloud-Config template files can be added in `/var/lib/matchbox/cloud` or in a `cloud` subdirectory of a custom `-data-path`. Template files may contain [Go template](https://golang.org/pkg/text/template/) elements which will be evaluated with group metadata, selectors, and query params.
- /var/lib/bootcfg
+ /var/lib/matchbox
 ├── cloud
 │   ├── cloud.yaml
 │   └── script.sh
@@ -16,7 +16,7 @@ Cloud-Config template files can be added in `/var/lib/bootcfg/cloud` or in a `cl
 ## Reference
-Reference a Cloud-Config in a [Profile](bootcfg.md#profiles) with `cloud_id`. When PXE booting, use the kernel option `cloud-config-url` to point to `bootcfg` [cloud-config endpoint](api.md#cloud-config).
+Reference a Cloud-Config in a [Profile](matchbox.md#profiles) with `cloud_id`. When PXE booting, use the kernel option `cloud-config-url` to point to `matchbox` [cloud-config endpoint](api.md#cloud-config).
 ## Examples
diff --git a/Documentation/config.md b/Documentation/config.md
index c6b01488..79a2d0c7 100644
--- a/Documentation/config.md
+++ b/Documentation/config.md
@@ -5,105 +5,105 @@ Configuration arguments can be provided as flags or as environment variables.
 | flag | variable | default | example |
 |------|----------|---------|---------|
-| -address | BOOTCFG_ADDRESS | 127.0.0.1:8080 | 0.0.0.0:8080 |
-| -log-level | BOOTCFG_LOG_LEVEL | info | critical, error, warning, notice, info, debug |
-| -data-path | BOOTCFG_DATA_PATH | /var/lib/bootcfg | ./examples |
-| -assets-path | BOOTCFG_ASSETS_PATH | /var/lib/bootcfg/assets | ./examples/assets |
-| -rpc-address | BOOTCFG_RPC_ADDRESS | (gRPC API disabled) | 0.0.0.0:8081 |
-| -cert-file | BOOTCFG_CERT_FILE | /etc/bootcfg/server.crt | ./examples/etc/bootcfg/server.crt |
-| -key-file | BOOTCFG_KEY_FILE | /etc/bootcfg/server.key | ./examples/etc/bootcfg/server.key
-| -ca-file | BOOTCFG_CA_FILE | /etc/bootcfg/ca.crt | ./examples/etc/bootcfg/ca.crt |
-| -key-ring-path | BOOTCFG_KEY_RING_PATH | (no key ring) | ~/.secrets/vault/bootcfg/secring.gpg |
-| (no flag) | BOOTCFG_PASSPHRASE | (no passphrase) | "secret passphrase" |
+| -address | MATCHBOX_ADDRESS | 127.0.0.1:8080 | 0.0.0.0:8080 |
+| -log-level | MATCHBOX_LOG_LEVEL | info | critical, error, warning, notice, info, debug |
+| -data-path | MATCHBOX_DATA_PATH | /var/lib/matchbox | ./examples |
+| -assets-path | MATCHBOX_ASSETS_PATH | /var/lib/matchbox/assets | ./examples/assets |
+| -rpc-address | MATCHBOX_RPC_ADDRESS | (gRPC API disabled) | 0.0.0.0:8081 |
+| -cert-file | MATCHBOX_CERT_FILE | /etc/matchbox/server.crt | ./examples/etc/matchbox/server.crt |
+| -key-file | MATCHBOX_KEY_FILE | /etc/matchbox/server.key | ./examples/etc/matchbox/server.key
+| -ca-file | MATCHBOX_CA_FILE | /etc/matchbox/ca.crt | ./examples/etc/matchbox/ca.crt |
+| -key-ring-path | MATCHBOX_KEY_RING_PATH | (no key ring) | ~/.secrets/vault/matchbox/secring.gpg |
+| (no flag) | MATCHBOX_PASSPHRASE | (no passphrase) | "secret passphrase" |
 ## Files and Directories
 | Data | Default Location |
 |:---------|:--------------------------------------------------|
-| data | /var/lib/bootcfg/{profiles,groups,ignition,cloud,generic} |
-| assets | /var/lib/bootcfg/assets |
+| data | /var/lib/matchbox/{profiles,groups,ignition,cloud,generic} |
+| assets | /var/lib/matchbox/assets |
 | gRPC API TLS Credentials | Default Location |
 |:---------|:--------------------------------------------------|
-| CA certificate | /etc/bootcfg/ca.crt |
-| Server certificate | /etc/bootcfg/server.crt |
-| Server private key | /etc/bootcfg/server.key |
-| Client certificate | /etc/bootcfg/client.crt |
-| Client private key | /etc/bootcfg/client.key |
+| CA certificate | /etc/matchbox/ca.crt |
+| Server certificate | /etc/matchbox/server.crt |
+| Server private key | /etc/matchbox/server.key |
+| Client certificate | /etc/matchbox/client.crt |
+| Client private key | /etc/matchbox/client.key |
 ## Version
- ./bin/bootcfg -version
- sudo rkt run quay.io/coreos/bootcfg:latest -- -version
- sudo docker run quay.io/coreos/bootcfg:latest -version
+ ./bin/matchbox -version
+ sudo rkt run quay.io/coreos/matchbox:latest -- -version
+ sudo docker run quay.io/coreos/matchbox:latest -version
 ## Usage
 Run the binary.
- ./bin/bootcfg -address=0.0.0.0:8080 -log-level=debug -data-path=examples -assets-path=examples/assets
+ ./bin/matchbox -address=0.0.0.0:8080 -log-level=debug -data-path=examples -assets-path=examples/assets
 Run the latest ACI with rkt.
- sudo rkt run --mount volume=assets,target=/var/lib/bootcfg/assets --volume assets,kind=host,source=$PWD/examples/assets quay.io/coreos/bootcfg:latest -- -address=0.0.0.0:8080 -log-level=debug
+ sudo rkt run --mount volume=assets,target=/var/lib/matchbox/assets --volume assets,kind=host,source=$PWD/examples/assets quay.io/coreos/matchbox:latest -- -address=0.0.0.0:8080 -log-level=debug
 Run the latest Docker image.
- sudo docker run -p 8080:8080 --rm -v $PWD/examples/assets:/var/lib/bootcfg/assets:Z quay.io/coreos/bootcfg:latest -address=0.0.0.0:8080 -log-level=debug
+ sudo docker run -p 8080:8080 --rm -v $PWD/examples/assets:/var/lib/matchbox/assets:Z quay.io/coreos/matchbox:latest -address=0.0.0.0:8080 -log-level=debug
 #### With Examples
 Mount `examples` to pre-load the [example](../examples/README.md) machine groups and profiles. Run the container with rkt,
- sudo rkt run --net=metal0:IP=172.18.0.2 --mount volume=data,target=/var/lib/bootcfg --volume data,kind=host,source=$PWD/examples --mount volume=groups,target=/var/lib/bootcfg/groups --volume groups,kind=host,source=$PWD/examples/groups/etcd quay.io/coreos/bootcfg:latest -- -address=0.0.0.0:8080 -log-level=debug
+ sudo rkt run --net=metal0:IP=172.18.0.2 --mount volume=data,target=/var/lib/matchbox --volume data,kind=host,source=$PWD/examples --mount volume=groups,target=/var/lib/matchbox/groups --volume groups,kind=host,source=$PWD/examples/groups/etcd quay.io/coreos/matchbox:latest -- -address=0.0.0.0:8080 -log-level=debug
 or with Docker.
- sudo docker run -p 8080:8080 --rm -v $PWD/examples:/var/lib/bootcfg:Z -v $PWD/examples/groups/etcd:/var/lib/bootcfg/groups:Z quay.io/coreos/bootcfg:latest -address=0.0.0.0:8080 -log-level=debug
+ sudo docker run -p 8080:8080 --rm -v $PWD/examples:/var/lib/matchbox:Z -v $PWD/examples/groups/etcd:/var/lib/matchbox/groups:Z quay.io/coreos/matchbox:latest -address=0.0.0.0:8080 -log-level=debug
 ### gRPC API
-The gRPC API allows clients with a TLS client certificate and key to make RPC requests to programmatically create or update `bootcfg` resources. The API can be enabled with the `-rpc-address` flag and by providing a TLS server certificate and key with `-cert-file` and `-key-file` and a CA certificate for authenticating clients with `-ca-file`.
+The gRPC API allows clients with a TLS client certificate and key to make RPC requests to programmatically create or update `matchbox` resources. The API can be enabled with the `-rpc-address` flag and by providing a TLS server certificate and key with `-cert-file` and `-key-file` and a CA certificate for authenticating clients with `-ca-file`.
-Run the binary with TLS credentials from `examples/etc/bootcfg`.
+Run the binary with TLS credentials from `examples/etc/matchbox`.
- ./bin/bootcfg -address=0.0.0.0:8080 -rpc-address=0.0.0.0:8081 -log-level=debug -data-path=examples -assets-path=examples/assets -cert-file examples/etc/bootcfg/server.crt -key-file examples/etc/bootcfg/server.key -ca-file examples/etc/bootcfg/ca.crt
+ ./bin/matchbox -address=0.0.0.0:8080 -rpc-address=0.0.0.0:8081 -log-level=debug -data-path=examples -assets-path=examples/assets -cert-file examples/etc/matchbox/server.crt -key-file examples/etc/matchbox/server.key -ca-file examples/etc/matchbox/ca.crt
 Clients, such as `bootcmd`, verify the server's certificate with a CA bundle passed via `-ca-file` and present a client certificate and key via `-cert-file` and `-key-file` to cal the gRPC API.
- ./bin/bootcmd profile list --endpoints 127.0.0.1:8081 --ca-file examples/etc/bootcfg/ca.crt --cert-file examples/etc/bootcfg/client.crt --key-file examples/etc/bootcfg/client.key
+ ./bin/bootcmd profile list --endpoints 127.0.0.1:8081 --ca-file examples/etc/matchbox/ca.crt --cert-file examples/etc/matchbox/client.crt --key-file examples/etc/matchbox/client.key
 #### With rkt
-Run the ACI with rkt and TLS credentials from `examples/etc/bootcfg`.
+Run the ACI with rkt and TLS credentials from `examples/etc/matchbox`.
- sudo rkt run --net=metal0:IP=172.18.0.2 --mount volume=data,target=/var/lib/bootcfg --volume data,kind=host,source=$PWD/examples,readOnly=true --mount volume=config,target=/etc/bootcfg --volume config,kind=host,source=$PWD/examples/etc/bootcfg --mount volume=groups,target=/var/lib/bootcfg/groups --volume groups,kind=host,source=$PWD/examples/groups/etcd quay.io/coreos/bootcfg:latest -- -address=0.0.0.0:8080 -rpc-address=0.0.0.0:8081 -log-level=debug
+ sudo rkt run --net=metal0:IP=172.18.0.2 --mount volume=data,target=/var/lib/matchbox --volume data,kind=host,source=$PWD/examples,readOnly=true --mount volume=config,target=/etc/matchbox --volume config,kind=host,source=$PWD/examples/etc/matchbox --mount volume=groups,target=/var/lib/matchbox/groups --volume groups,kind=host,source=$PWD/examples/groups/etcd quay.io/coreos/matchbox:latest -- -address=0.0.0.0:8080 -rpc-address=0.0.0.0:8081 -log-level=debug
 A `bootcmd` client can call the gRPC API running at the IP used in the rkt example.
- ./bin/bootcmd profile list --endpoints 172.18.0.2:8081 --ca-file examples/etc/bootcfg/ca.crt --cert-file examples/etc/bootcfg/client.crt --key-file examples/etc/bootcfg/client.key
+ ./bin/bootcmd profile list --endpoints 172.18.0.2:8081 --ca-file examples/etc/matchbox/ca.crt --cert-file examples/etc/matchbox/client.crt --key-file examples/etc/matchbox/client.key
 #### With docker
-Run the Docker image with TLS credentials from `examples/etc/bootcfg`.
+Run the Docker image with TLS credentials from `examples/etc/matchbox`.
- sudo docker run -p 8080:8080 -p 8081:8081 --rm -v $PWD/examples:/var/lib/bootcfg:Z -v $PWD/examples/etc/bootcfg:/etc/bootcfg:Z,ro -v $PWD/examples/groups/etcd:/var/lib/bootcfg/groups:Z quay.io/coreos/bootcfg:latest -address=0.0.0.0:8080 -rpc-address=0.0.0.0:8081 -log-level=debug
+ sudo docker run -p 8080:8080 -p 8081:8081 --rm -v $PWD/examples:/var/lib/matchbox:Z -v $PWD/examples/etc/matchbox:/etc/matchbox:Z,ro -v $PWD/examples/groups/etcd:/var/lib/matchbox/groups:Z quay.io/coreos/matchbox:latest -address=0.0.0.0:8080 -rpc-address=0.0.0.0:8081 -log-level=debug
 A `bootcmd` client can call the gRPC API running at the IP used in the Docker example.
- ./bin/bootcmd profile list --endpoints 127.0.0.1:8081 --ca-file examples/etc/bootcfg/ca.crt --cert-file examples/etc/bootcfg/client.crt --key-file examples/etc/bootcfg/client.key
+ ./bin/bootcmd profile list --endpoints 127.0.0.1:8081 --ca-file examples/etc/matchbox/ca.crt --cert-file examples/etc/matchbox/client.crt --key-file examples/etc/matchbox/client.key
 ### OpenPGP [Signing](openpgp.md)
 Run with the binary with a test key.
- export BOOTCFG_PASSPHRASE=test
- ./bin/bootcfg -address=0.0.0.0:8080 -key-ring-path bootcfg/sign/fixtures/secring.gpg -data-path=examples -assets-path=examples/assets
+ export MATCHBOX_PASSPHRASE=test
+ ./bin/matchbox -address=0.0.0.0:8080 -key-ring-path matchbox/sign/fixtures/secring.gpg -data-path=examples -assets-path=examples/assets
 Run the ACI with a test key.
- sudo rkt run --net=metal0:IP=172.18.0.2 --set-env=BOOTCFG_PASSPHRASE=test --mount volume=secrets,target=/secrets --volume secrets,kind=host,source=$PWD/bootcfg/sign/fixtures --mount volume=data,target=/var/lib/bootcfg --volume data,kind=host,source=$PWD/examples --mount volume=groups,target=/var/lib/bootcfg/groups --volume groups,kind=host,source=$PWD/examples/groups/etcd quay.io/coreos/bootcfg:latest -- -address=0.0.0.0:8080 -key-ring-path secrets/secring.gpg
+ sudo rkt run --net=metal0:IP=172.18.0.2 --set-env=MATCHBOX_PASSPHRASE=test --mount volume=secrets,target=/secrets --volume secrets,kind=host,source=$PWD/matchbox/sign/fixtures --mount volume=data,target=/var/lib/matchbox --volume data,kind=host,source=$PWD/examples --mount volume=groups,target=/var/lib/matchbox/groups --volume groups,kind=host,source=$PWD/examples/groups/etcd quay.io/coreos/matchbox:latest -- -address=0.0.0.0:8080 -key-ring-path secrets/secring.gpg
 Run the Docker image with a test key.
- sudo docker run -p 8080:8080 --rm --env BOOTCFG_PASSPHRASE=test -v $PWD/examples:/var/lib/bootcfg:Z -v $PWD/examples/groups/etcd:/var/lib/bootcfg/groups:Z -v $PWD/bootcfg/sign/fixtures:/secrets:Z quay.io/coreos/bootcfg:latest -address=0.0.0.0:8080 -log-level=debug -key-ring-path secrets/secring.gpg
+ sudo docker run -p 8080:8080 --rm --env MATCHBOX_PASSPHRASE=test -v $PWD/examples:/var/lib/matchbox:Z -v $PWD/examples/groups/etcd:/var/lib/matchbox/groups:Z -v $PWD/matchbox/sign/fixtures:/secrets:Z quay.io/coreos/matchbox:latest -address=0.0.0.0:8080 -log-level=debug -key-ring-path secrets/secring.gpg
diff --git a/Documentation/deployment.md b/Documentation/deployment.md
index 94203712..e57b4673 100644
--- a/Documentation/deployment.md
+++ b/Documentation/deployment.md
@@ -1,11 +1,11 @@
 # Installation
-This guide walks through deploying the `bootcfg` service on a Linux host (via RPM, rkt, docker, or binary) or on a Kubernetes cluster.
+This guide walks through deploying the `matchbox` service on a Linux host (via RPM, rkt, docker, or binary) or on a Kubernetes cluster.
 ## Provisoner
-`bootcfg` is a service for network booting and provisioning machines to create CoreOS clusters. `bootcfg` should be installed on a provisioner machine (CoreOS or any Linux distribution) or cluster (Kubernetes) which can serve configs to client machines in a lab or datacenter.
+`matchbox` is a service for network booting and provisioning machines to create CoreOS clusters. `matchbox` should be installed on a provisioner machine (CoreOS or any Linux distribution) or cluster (Kubernetes) which can serve configs to client machines in a lab or datacenter.
 Choose one of the supported installation options:
@@ -44,84 +44,84 @@ $ cd coreos-baremetal-v0.4.2-linux-amd64
 ### RPM-based Distro
-On an RPM-based provisioner, install the `bootcfg` RPM from the Copr [repository](https://copr.fedorainfracloud.org/coprs/dghubble/bootcfg/) using `dnf` or `yum`.
+On an RPM-based provisioner, install the `matchbox` RPM from the Copr [repository](https://copr.fedorainfracloud.org/coprs/dghubble/matchbox/) using `dnf` or `yum`.
 ```sh
-dnf copr enable dghubble/bootcfg
-dnf install bootcfg
+dnf copr enable dghubble/matchbox
+dnf install matchbox
 # requires yum-plugin-copr
-yum copr enable dghubble/bootcfg
-yum install bootcfg
+yum copr enable dghubble/matchbox
+yum install matchbox
 ```
 Alternately, download the repo file and place it in `/etc/yum.repos.d/`.
 ### CoreOS
-On a CoreOS provisioner, rkt run `bootcfg` image with the provided systemd unit.
+On a CoreOS provisioner, rkt run `matchbox` image with the provided systemd unit.
 ```sh
-$ sudo cp contrib/systemd/bootcfg-on-coreos.service /etc/systemd/system/bootcfg.service
+$ sudo cp contrib/systemd/matchbox-on-coreos.service /etc/systemd/system/matchbox.service
 ```
 ### General Linux
-Pre-built binaries are available for general Linux distributions. Copy the `bootcfg` static binary to an appropriate location on the host.
+Pre-built binaries are available for general Linux distributions. Copy the `matchbox` static binary to an appropriate location on the host.
 ```sh
-$ sudo cp bootcfg /usr/local/bin
+$ sudo cp matchbox /usr/local/bin
 ```
 #### Set Up User/Group
-The `bootcfg` service should be run by a non-root user with access to the `bootcfg` data directory (`/var/lib/bootcfg`). Create a `bootcfg` user and group.
+The `matchbox` service should be run by a non-root user with access to the `matchbox` data directory (`/var/lib/matchbox`). Create a `matchbox` user and group.
 ```sh
-$ sudo useradd -U bootcfg
-$ sudo mkdir -p /var/lib/bootcfg/assets
-$ sudo chown -R bootcfg:bootcfg /var/lib/bootcfg
+$ sudo useradd -U matchbox
+$ sudo mkdir -p /var/lib/matchbox/assets
+$ sudo chown -R matchbox:matchbox /var/lib/matchbox
 ```
 #### Create systemd Service
-Copy the provided `bootcfg` systemd unit file.
+Copy the provided `matchbox` systemd unit file.
 ```sh
-$ sudo cp contrib/systemd/bootcfg-local.service /etc/systemd/system/
+$ sudo cp contrib/systemd/matchbox-local.service /etc/systemd/system/
 ```
 ## Customization
-Customize bootcfg by editing the systemd unit or adding a systemd dropin. Find the complete set of `bootcfg` flags and environment variables at [config](config.md).
+Customize matchbox by editing the systemd unit or adding a systemd dropin. Find the complete set of `matchbox` flags and environment variables at [config](config.md).
- sudo systemctl edit bootcfg
+ sudo systemctl edit matchbox
 By default, the read-only HTTP machine endpoint will be exposed on port **8080**.
 ```ini
-# /etc/systemd/system/bootcfg.service.d/override.conf
+# /etc/systemd/system/matchbox.service.d/override.conf
 [Service]
-Environment="BOOTCFG_ADDRESS=0.0.0.0:8080"
-Environment="BOOTCFG_LOG_LEVEL=debug"
+Environment="MATCHBOX_ADDRESS=0.0.0.0:8080"
+Environment="MATCHBOX_LOG_LEVEL=debug"
 ```
 A common customization is enabling the gRPC API to allow clients with a TLS client certificate to change machine configs.
 ```ini
-# /etc/systemd/system/bootcfg.service.d/override.conf
+# /etc/systemd/system/matchbox.service.d/override.conf
 [Service]
-Environment="BOOTCFG_ADDRESS=0.0.0.0:8080"
-Environment="BOOTCFG_RPC_ADDRESS=0.0.0.0:8081"
+Environment="MATCHBOX_ADDRESS=0.0.0.0:8080"
+Environment="MATCHBOX_RPC_ADDRESS=0.0.0.0:8081"
 ```
 The Tectonic [Installer](https://tectonic.com/enterprise/docs/latest/install/bare-metal/index.html) uses this API. Tectonic users with a CoreOS provisioner can start with an example that enables it.
 ```sh
-$ sudo cp contrib/systemd/bootcfg-for-tectonic.service /etc/systemd/system/bootcfg.service
+$ sudo cp contrib/systemd/matchbox-for-tectonic.service /etc/systemd/system/matchbox.service
 ```
-Customize `bootcfg` to suit your preferences.
+Customize `matchbox` to suit your preferences.
 ## Firewall
@@ -136,58 +136,58 @@ $ sudo firewall-cmd --zone=MYZONE --add-port=8081/tcp --permanent *Skip this unless you need to enable the gRPC API* -The `bootcfg` gRPC API allows client apps (`bootcmd` CLI, Tectonic Installer, etc.) to update how machines are provisioned. TLS credentials are needed for client authentication and to establish a secure communication channel. Client machines (those PXE booting) read from the HTTP endpoints and do not require this setup. +The `matchbox` gRPC API allows client apps (`bootcmd` CLI, Tectonic Installer, etc.) to update how machines are provisioned. TLS credentials are needed for client authentication and to establish a secure communication channel. Client machines (those PXE booting) read from the HTTP endpoints and do not require this setup. -If your organization manages public key infrastructure and a certificate authority, create a server certificate and key for the `bootcfg` service and a client certificate and key for each client tool. +If your organization manages public key infrastructure and a certificate authority, create a server certificate and key for the `matchbox` service and a client certificate and key for each client tool. -Otherwise, generate a self-signed `ca.crt`, a server certificate (`server.crt`, `server.key`), and client credentials (`client.crt`, `client.key`) with the `examples/etc/bootcfg/cert-gen` script. Export the DNS name or IP (discouraged) of the provisioner host. +Otherwise, generate a self-signed `ca.crt`, a server certificate (`server.crt`, `server.key`), and client credentials (`client.crt`, `client.key`) with the `examples/etc/matchbox/cert-gen` script. Export the DNS name or IP (discouraged) of the provisioner host. 
```sh -$ cd examples/etc/bootcfg -# DNS or IP Subject Alt Names where bootcfg can be reached -$ export SAN=DNS.1:bootcfg.example.com,IP.1:192.168.1.42 +$ cd examples/etc/matchbox +# DNS or IP Subject Alt Names where matchbox can be reached +$ export SAN=DNS.1:matchbox.example.com,IP.1:192.168.1.42 $ ./cert-gen ``` Place the TLS credentials in the default location: ```sh -$ sudo mkdir -p /etc/bootcfg -$ sudo cp ca.crt server.crt server.key /etc/bootcfg/ +$ sudo mkdir -p /etc/matchbox +$ sudo cp ca.crt server.crt server.key /etc/matchbox/ ``` Save `client.crt`, `client.key`, and `ca.crt` to use with a client tool later. -## Start bootcfg +## Start matchbox -Start the `bootcfg` service and enable it if you'd like it to start on every boot. +Start the `matchbox` service and enable it if you'd like it to start on every boot. ```sh $ sudo systemctl daemon-reload -$ sudo systemctl start bootcfg -$ sudo systemctl enable bootcfg +$ sudo systemctl start matchbox +$ sudo systemctl enable matchbox ``` ## Verify -Verify the bootcfg service is running and can be reached by client machines (those being provisioned). +Verify the matchbox service is running and can be reached by client machines (those being provisioned). ```sh -$ systemctl status bootcfg -$ dig bootcfg.example.com +$ systemctl status matchbox +$ dig matchbox.example.com ``` Verify you receive a response from the HTTP and API endpoints. ```sh -$ curl http://bootcfg.example.com:8080 -bootcfg +$ curl http://matchbox.example.com:8080 +matchbox ``` If you enabled the gRPC API, ```sh -$ openssl s_client -connect bootcfg.example.com:8081 -CAfile /etc/bootcfg/ca.crt -cert examples/etc/bootcfg/client.crt -key examples/etc/bootcfg/client.key +$ openssl s_client -connect matchbox.example.com:8081 -CAfile /etc/matchbox/ca.crt -cert examples/etc/matchbox/client.crt -key examples/etc/matchbox/client.key CONNECTED(00000003) depth=1 CN = fake-ca verify return:1 
@@ -203,7 +203,7 @@ Certificate chain ## Download CoreOS (optional) -`bootcfg` can serve CoreOS images in development or lab environments to reduce bandwidth usage and increase the speed of CoreOS PXE boots and installs to disk. +`matchbox` can serve CoreOS images in development or lab environments to reduce bandwidth usage and increase the speed of CoreOS PXE boots and installs to disk. Download a recent CoreOS [release](https://coreos.com/releases/) with signatures. @@ -211,14 +211,14 @@ Download a recent CoreOS [release](https://coreos.com/releases/) with signatures $ ./scripts/get-coreos stable 1185.3.0 . # note the "." 3rd argument ``` -Move the images to `/var/lib/bootcfg/assets`, +Move the images to `/var/lib/matchbox/assets`, ```sh -$ sudo cp -r coreos /var/lib/bootcfg/assets +$ sudo cp -r coreos /var/lib/matchbox/assets ``` ``` -/var/lib/bootcfg/assets/ +/var/lib/matchbox/assets/ ├── coreos │   └── 1185.3.0 │   ├── CoreOS_Image_Signing_Key.asc @@ -233,7 +233,7 @@ $ sudo cp -r coreos /var/lib/bootcfg/assets and verify the images are acessible. ``` -$ curl http://bootcfg.example.com:8080/assets/coreos/1185.3.0/ +$ curl http://matchbox.example.com:8080/assets/coreos/1185.3.0/
...
 ```
 
@@ -244,43 +244,43 @@ For large production environments, use a cache proxy or mirror suitable for your
 Review [network setup](https://github.com/coreos/coreos-baremetal/blob/master/Documentation/network-setup.md) with your network administrator to set up DHCP, TFTP, and DNS services on your network. At a high level, your goals are to:
 
 * Chainload PXE firmwares to iPXE
-* Point iPXE client machines to the `bootcfg` iPXE HTTP endpoint `http://bootcfg.example.com:8080/boot.ipxe`
-* Ensure `bootcfg.example.com` resolves to your `bootcfg` deployment
+* Point iPXE client machines to the `matchbox` iPXE HTTP endpoint `http://matchbox.example.com:8080/boot.ipxe`
+* Ensure `matchbox.example.com` resolves to your `matchbox` deployment
 
 CoreOS provides [dnsmasq](https://github.com/coreos/coreos-baremetal/tree/master/contrib/dnsmasq) as `quay.io/coreos/dnsmasq`, if you wish to use rkt or Docker.
 
 ## rkt
 
-Run the most recent tagged and signed `bootcfg` [release](https://github.com/coreos/coreos-baremetal/releases) ACI. Trust the [CoreOS App Signing Key](https://coreos.com/security/app-signing-key/) for image signature verification.
+Run the most recent tagged and signed `matchbox` [release](https://github.com/coreos/coreos-baremetal/releases) ACI. Trust the [CoreOS App Signing Key](https://coreos.com/security/app-signing-key/) for image signature verification.
 
 ```sh
-$ sudo rkt trust --prefix coreos.com/bootcfg
+$ sudo rkt trust --prefix coreos.com/matchbox
 # gpg key fingerprint is: 18AD 5014 C99E F7E3 BA5F  6CE9 50BD D3E0 FC8A 365E
-$ sudo rkt run --net=host --mount volume=data,target=/var/lib/bootcfg --volume data,kind=host,source=/var/lib/bootcfg quay.io/coreos/bootcfg:v0.4.2 --mount volume=config,target=/etc/bootcfg --volume config,kind=host,source=/etc/bootcfg,readOnly=true -- -address=0.0.0.0:8080 -rpc-address=0.0.0.0:8081 -log-level=debug
+$ sudo rkt run --net=host --mount volume=data,target=/var/lib/matchbox --volume data,kind=host,source=/var/lib/matchbox quay.io/coreos/matchbox:v0.4.2 --mount volume=config,target=/etc/matchbox --volume config,kind=host,source=/etc/matchbox,readOnly=true -- -address=0.0.0.0:8080 -rpc-address=0.0.0.0:8081 -log-level=debug
 ```
 
-Create machine profiles, groups, or Ignition configs at runtime with `bootcmd` or by using your own `/var/lib/bootcfg` volume mounts.
+Create machine profiles, groups, or Ignition configs at runtime with `bootcmd` or by using your own `/var/lib/matchbox` volume mounts.
 
 ## Docker
 
-Run the latest or the most recently tagged `bootcfg` [release](https://github.com/coreos/coreos-baremetal/releases) Docker image.
+Run the latest or the most recently tagged `matchbox` [release](https://github.com/coreos/coreos-baremetal/releases) Docker image.
 
 ```sh
-sudo docker run --net=host --rm -v /var/lib/bootcfg:/var/lib/bootcfg:Z -v /etc/bootcfg:/etc/bootcfg:Z,ro quay.io/coreos/bootcfg:v0.4.2 -address=0.0.0.0:8080 -rpc-address=0.0.0.0:8081 -log-level=debug
+sudo docker run --net=host --rm -v /var/lib/matchbox:/var/lib/matchbox:Z -v /etc/matchbox:/etc/matchbox:Z,ro quay.io/coreos/matchbox:v0.4.2 -address=0.0.0.0:8080 -rpc-address=0.0.0.0:8081 -log-level=debug
 ```
 
-Create machine profiles, groups, or Ignition configs at runtime with `bootcmd` or by using your own `/var/lib/bootcfg` volume mounts.
+Create machine profiles, groups, or Ignition configs at runtime with `bootcmd` or by using your own `/var/lib/matchbox` volume mounts.
 
 ## Kubernetes
 
-Create a `bootcfg` Kubernetes `Deployment` and `Service` based on the example manifests provided in [contrib/k8s](../contrib/k8s).
+Create a `matchbox` Kubernetes `Deployment` and `Service` based on the example manifests provided in [contrib/k8s](../contrib/k8s).
 
 ```
-$ kubectl apply -f contrib/k8s/bootcfg-deployment.yaml
-$ kubectl apply -f contrib/k8s/bootcfg-service.yaml
+$ kubectl apply -f contrib/k8s/matchbox-deployment.yaml
+$ kubectl apply -f contrib/k8s/matchbox-service.yaml
 ```
 
-This runs the `bootcfg` service exposed on NodePort `tcp:31488` on each node in the cluster. `BOOTCFG_LOG_LEVEL` is set to debug.
+This runs the `matchbox` service exposed on NodePort `tcp:31488` on each node in the cluster. `MATCHBOX_LOG_LEVEL` is set to debug.
 
 ```sh
 $ kubectl get deployments
@@ -289,8 +289,8 @@ $ kubectl get pods
 $ kubectl logs POD-NAME
 ```
 
-The example manifests use Kubernetes `emptyDir` volumes to back the `bootcfg` FileStore (`/var/lib/bootcfg`). This doesn't provide long-term persistent storage so you may wish to mount your machine groups, profiles, and Ignition configs with a [gitRepo](http://kubernetes.io/docs/user-guide/volumes/#gitrepo) and host image assets on a file server.
+The example manifests use Kubernetes `emptyDir` volumes to back the `matchbox` FileStore (`/var/lib/matchbox`). This doesn't provide long-term persistent storage so you may wish to mount your machine groups, profiles, and Ignition configs with a [gitRepo](http://kubernetes.io/docs/user-guide/volumes/#gitrepo) and host image assets on a file server.
 
 ### Documentation
 
-View the [documentation](https://github.com/coreos/coreos-baremetal#coreos-on-baremetal) for `bootcfg` service docs, tutorials, example clusters and Ignition configs, PXE booting guides, or machine lifecycle guides.
+View the [documentation](https://github.com/coreos/coreos-baremetal#coreos-on-baremetal) for `matchbox` service docs, tutorials, example clusters and Ignition configs, PXE booting guides, or machine lifecycle guides.
diff --git a/Documentation/dev/develop.md b/Documentation/dev/develop.md
index c18b270f..64687d4e 100644
--- a/Documentation/dev/develop.md
+++ b/Documentation/dev/develop.md
@@ -52,14 +52,14 @@ Run the binary.
 
 Run the container image with rkt, on `metal0`.
 
-    sudo rkt --insecure-options=image run --net=metal0:IP=172.18.0.2 --mount volume=data,target=/var/lib/bootcfg --volume data,kind=host,source=$PWD/examples --mount volume=config,target=/etc/bootcfg --volume config,kind=host,source=$PWD/examples/etc/bootcfg --mount volume=groups,target=/var/lib/bootcfg/groups --volume groups,kind=host,source=$PWD/examples/groups/etcd matchbox.aci -- -address=0.0.0.0:8080 -rpc-address=0.0.0.0:8081 -log-level=debug
+    sudo rkt --insecure-options=image run --net=metal0:IP=172.18.0.2 --mount volume=data,target=/var/lib/matchbox --volume data,kind=host,source=$PWD/examples --mount volume=config,target=/etc/matchbox --volume config,kind=host,source=$PWD/examples/etc/matchbox --mount volume=groups,target=/var/lib/matchbox/groups --volume groups,kind=host,source=$PWD/examples/groups/etcd matchbox.aci -- -address=0.0.0.0:8080 -rpc-address=0.0.0.0:8081 -log-level=debug
 
 Alternately, run the Docker image on `docker0`.
 
-    sudo docker run -p 8080:8080 --rm -v $PWD/examples:/var/lib/bootcfg:Z -v $PWD/examples/groups/etcd:/var/lib/bootcfg/groups:Z coreos/matchbox:latest -address=0.0.0.0:8080 -log-level=debug
+    sudo docker run -p 8080:8080 --rm -v $PWD/examples:/var/lib/matchbox:Z -v $PWD/examples/groups/etcd:/var/lib/matchbox/groups:Z coreos/matchbox:latest -address=0.0.0.0:8080 -log-level=debug
 
 ### bootcmd
 
 Run `bootcmd` against the gRPC API of the service running via rkt.
 
-    ./bin/bootcmd profile list --endpoints 172.18.0.2:8081 --cacert examples/etc/bootcfg/ca.crt
+    ./bin/bootcmd profile list --endpoints 172.18.0.2:8081 --cacert examples/etc/matchbox/ca.crt
diff --git a/Documentation/dev/release.md b/Documentation/dev/release.md
index cc8ca9f7..8dde3c43 100644
--- a/Documentation/dev/release.md
+++ b/Documentation/dev/release.md
@@ -21,8 +21,8 @@ Tag, sign the release version, and push it to Github.
 
 Travis CI will build the Docker image and push it to Quay.io when the tag is pushed to master. Verify the new image and version.
 
-    sudo docker run quay.io/coreos/bootcfg:$VERSION -version
-    sudo rkt run --no-store quay.io/coreos/bootcfg:$VERSION -- -version
+    sudo docker run quay.io/coreos/matchbox:$VERSION -version
+    sudo rkt run --no-store quay.io/coreos/matchbox:$VERSION -- -version
 
 ## Github Release
 
@@ -37,7 +37,7 @@ Build the release tarballs.
 
 Verify the reported version.
 
-    ./_output/coreos-baremetal-v0.4.2-linux-amd64/bootcfg -version
+    ./_output/coreos-baremetal-v0.4.2-linux-amd64/matchbox -version
 
 ## ACI
 
@@ -47,18 +47,18 @@ Build the rkt ACI on a Linux host with `acbuild`,
 
 Check that the listed version is correct/clean.
 
-    sudo rkt --insecure-options=image run bootcfg.aci -- -version
+    sudo rkt --insecure-options=image run matchbox.aci -- -version
 
 Add the ACI to `output` for signing.
 
-    mv bootcfg.aci _output/bootcfg-$VERSION-linux-amd64.aci
+    mv matchbox.aci _output/matchbox-$VERSION-linux-amd64.aci
 
 ## Signing
 
 Sign the release tarballs and ACI with a [CoreOS App Signing Key](https://coreos.com/security/app-signing-key/) subkey.
 
     cd _output
-    gpg2 -a --default-key FC8A365E --detach-sign bootcfg-$VERSION-linux-amd64.aci
+    gpg2 -a --default-key FC8A365E --detach-sign matchbox-$VERSION-linux-amd64.aci
     gpg2 -a --default-key FC8A365E --detach-sign coreos-baremetal-$VERSION-linux-amd64.tar.gz
     gpg2 -a --default-key FC8A365E --detach-sign coreos-baremetal-$VERSION-darwin-amd64.tar.gz
     gpg2 -a --default-key FC8A365E --detach-sign coreos-baremetal-$VERSION-linux-arm.tar.gz
@@ -66,7 +66,7 @@ Sign the release tarballs and ACI with a [CoreOS App Signing Key](https://coreos
 
 Verify the signatures.
 
-    gpg2 --verify bootcfg-$VERSION-linux-amd64.aci.asc bootcfg-$VERSION-linux-amd64.aci
+    gpg2 --verify matchbox-$VERSION-linux-amd64.aci.asc matchbox-$VERSION-linux-amd64.aci
     gpg2 --verify coreos-baremetal-$VERSION-linux-amd64.tar.gz.asc coreos-baremetal-$VERSION-linux-amd64.tar.gz
     gpg2 --verify coreos-baremetal-$VERSION-darwin-amd64.tar.gz.asc coreos-baremetal-$VERSION-darwin-amd64.tar.gz
     gpg2 --verify coreos-baremetal-$VERSION-linux-arm.tar.gz.asc coreos-baremetal-$VERSION-linux-arm.tar.gz
diff --git a/Documentation/getting-started-docker.md b/Documentation/getting-started-docker.md
index 5e003163..427fbd46 100644
--- a/Documentation/getting-started-docker.md
+++ b/Documentation/getting-started-docker.md
@@ -1,7 +1,7 @@
 
 # Getting Started with Docker
 
-In this tutorial, we'll run `bootcfg` on your Linux machine with Docker to network boot and provision a cluster of QEMU/KVM CoreOS machines locally. You'll be able to create Kubernetes clusters, etcd clusters, and test network setups.
+In this tutorial, we'll run `matchbox` on your Linux machine with Docker to network boot and provision a cluster of QEMU/KVM CoreOS machines locally. You'll be able to create Kubernetes clusters, etcd clusters, and test network setups.
 
 *Note*: To provision physical machines, see [network setup](network-setup.md) and [deployment](deployment.md).
 
@@ -36,14 +36,14 @@ For development convenience, add `/etc/hosts` entries for nodes so they may be r
 
 ## Containers
 
-Run the latest `bootcfg` Docker image from `quay.io/coreos/bootcfg` with the `etcd-docker` example. The container should receive the IP address 172.17.0.2 on the `docker0` bridge.
+Run the latest `matchbox` Docker image from `quay.io/coreos/matchbox` with the `etcd-docker` example. The container should receive the IP address 172.17.0.2 on the `docker0` bridge.
 
-    sudo docker pull quay.io/coreos/bootcfg:latest
-    sudo docker run -p 8080:8080 --rm -v $PWD/examples:/var/lib/bootcfg:Z -v $PWD/examples/groups/etcd:/var/lib/bootcfg/groups:Z quay.io/coreos/bootcfg:latest -address=0.0.0.0:8080 -log-level=debug
+    sudo docker pull quay.io/coreos/matchbox:latest
+    sudo docker run -p 8080:8080 --rm -v $PWD/examples:/var/lib/matchbox:Z -v $PWD/examples/groups/etcd:/var/lib/matchbox/groups:Z quay.io/coreos/matchbox:latest -address=0.0.0.0:8080 -log-level=debug
 
 or run the latest tagged release.
 
-    sudo docker run -p 8080:8080 --rm -v $PWD/examples:/var/lib/bootcfg:Z -v $PWD/examples/groups/etcd:/var/lib/bootcfg/groups:Z quay.io/coreos/bootcfg:v0.4.2 -address=0.0.0.0:8080 -log-level=debug
+    sudo docker run -p 8080:8080 --rm -v $PWD/examples:/var/lib/matchbox:Z -v $PWD/examples/groups/etcd:/var/lib/matchbox/groups:Z quay.io/coreos/matchbox:v0.4.2 -address=0.0.0.0:8080 -log-level=debug
 
 Take a look at the [etcd groups](../examples/groups/etcd) to get an idea of how machines are mapped to Profiles. Explore some endpoints exposed by the service, say for QEMU/KVM node1.
 
@@ -57,7 +57,7 @@ Since the virtual network has no network boot services, use the `dnsmasq` image
 
     sudo docker run --name dnsmasq --cap-add=NET_ADMIN -v $PWD/contrib/dnsmasq/docker0.conf:/etc/dnsmasq.conf:Z quay.io/coreos/dnsmasq -d
 
-In this case, dnsmasq runs a DHCP server allocating IPs to VMs between 172.17.0.43 and 172.17.0.99, resolves `bootcfg.foo` to 172.17.0.2 (the IP where `bootcfg` runs), and points iPXE clients to `http://bootcfg.foo:8080/boot.ipxe`.
+In this case, dnsmasq runs a DHCP server allocating IPs to VMs between 172.17.0.43 and 172.17.0.99, resolves `matchbox.foo` to 172.17.0.2 (the IP where `matchbox` runs), and points iPXE clients to `http://matchbox.foo:8080/boot.ipxe`.
 
 ## Client VMs
 
@@ -97,5 +97,5 @@ Clean up the containers and VM machines.
 
 ## Going Further
 
-Learn more about [bootcfg](bootcfg.md) or explore the other [example](../examples) clusters. Try the [k8s example](kubernetes.md) to produce a TLS-authenticated Kubernetes cluster you can access locally with `kubectl`.
+Learn more about [matchbox](matchbox.md) or explore the other [example](../examples) clusters. Try the [k8s example](kubernetes.md) to produce a TLS-authenticated Kubernetes cluster you can access locally with `kubectl`.
 
diff --git a/Documentation/getting-started-rkt.md b/Documentation/getting-started-rkt.md
index 845d186b..af9c037a 100644
--- a/Documentation/getting-started-rkt.md
+++ b/Documentation/getting-started-rkt.md
@@ -1,7 +1,7 @@
 
 # Getting Started with rkt
 
-In this tutorial, we'll run `bootcfg` on your Linux machine with `rkt` and `CNI` to network boot and provision a cluster of QEMU/KVM CoreOS machines locally. You'll be able to create Kubernetes clustes, etcd clusters, and test network setups.
+In this tutorial, we'll run `matchbox` on your Linux machine with `rkt` and `CNI` to network boot and provision a cluster of QEMU/KVM CoreOS machines locally. You'll be able to create Kubernetes clustes, etcd clusters, and test network setups.
 
 *Note*: To provision physical machines, see [network setup](network-setup.md) and [deployment](deployment.md).
 
@@ -64,13 +64,13 @@ For development convenience, add `/etc/hosts` entries for nodes so they may be r
 
 ## Containers
 
-Run the latest `bootcfg` ACI with rkt and the `etcd` example.
+Run the latest `matchbox` ACI with rkt and the `etcd` example.
 
-    sudo rkt run --net=metal0:IP=172.18.0.2 --mount volume=data,target=/var/lib/bootcfg --volume data,kind=host,source=$PWD/examples --mount volume=groups,target=/var/lib/bootcfg/groups --volume groups,kind=host,source=$PWD/examples/groups/etcd quay.io/coreos/bootcfg:latest -- -address=0.0.0.0:8080 -log-level=debug
+    sudo rkt run --net=metal0:IP=172.18.0.2 --mount volume=data,target=/var/lib/matchbox --volume data,kind=host,source=$PWD/examples --mount volume=groups,target=/var/lib/matchbox/groups --volume groups,kind=host,source=$PWD/examples/groups/etcd quay.io/coreos/matchbox:latest -- -address=0.0.0.0:8080 -log-level=debug
 
 or run the latest tagged release signed by the [CoreOS App Signing Key](https://coreos.com/security/app-signing-key/).
 
-    sudo rkt run --net=metal0:IP=172.18.0.2 --mount volume=data,target=/var/lib/bootcfg --volume data,kind=host,source=$PWD/examples --mount volume=groups,target=/var/lib/bootcfg/groups --volume groups,kind=host,source=$PWD/examples/groups/etcd coreos.com/bootcfg:v0.4.2 -- -address=0.0.0.0:8080 -log-level=debug
+    sudo rkt run --net=metal0:IP=172.18.0.2 --mount volume=data,target=/var/lib/matchbox --volume data,kind=host,source=$PWD/examples --mount volume=groups,target=/var/lib/matchbox/groups --volume groups,kind=host,source=$PWD/examples/groups/etcd coreos.com/matchbox:v0.4.2 -- -address=0.0.0.0:8080 -log-level=debug
 
 If you get an error about the IP assignment, stop old pods and run garbage collection.
 
@@ -95,7 +95,7 @@ Run the `coreos.com/dnsmasq` ACI with rkt.
 
     sudo rkt run coreos.com/dnsmasq:v0.3.0 --net=metal0:IP=172.18.0.3 --mount volume=config,target=/etc/dnsmasq.conf --volume config,kind=host,source=$PWD/contrib/dnsmasq/metal0.conf
 
-In this case, dnsmasq runs a DHCP server allocating IPs to VMs between 172.18.0.50 and 172.18.0.99, resolves `bootcfg.foo` to 172.18.0.2 (the IP where `bootcfg` runs), and points iPXE clients to `http://bootcfg.foo:8080/boot.ipxe`.
+In this case, dnsmasq runs a DHCP server allocating IPs to VMs between 172.18.0.50 and 172.18.0.99, resolves `matchbox.foo` to 172.18.0.2 (the IP where `matchbox` runs), and points iPXE clients to `http://matchbox.foo:8080/boot.ipxe`.
 
 ## Client VMs
 
@@ -134,5 +134,5 @@ Press ^] three times to stop a rkt pod. Clean up the VM machines.
 
 ## Going Further
 
-Learn more about [bootcfg](bootcfg.md) or explore the other [example](../examples) clusters. Try the [k8s example](kubernetes.md) to produce a TLS-authenticated Kubernetes cluster you can access locally with `kubectl`.
+Learn more about [matchbox](matchbox.md) or explore the other [example](../examples) clusters. Try the [k8s example](kubernetes.md) to produce a TLS-authenticated Kubernetes cluster you can access locally with `kubectl`.
 
diff --git a/Documentation/grub.md b/Documentation/grub.md
index e1383ee3..a118ab88 100644
--- a/Documentation/grub.md
+++ b/Documentation/grub.md
@@ -9,11 +9,11 @@ For local development, install the dependencies for libvirt with UEFI.
 
 * [UEFI with QEMU](https://fedoraproject.org/wiki/Using_UEFI_with_QEMU)
 
-Ensure that you've gone through the [bootcfg with rkt](getting-started-rkt.md) and [bootcfg](bootcfg.md) guides and understand the basics.
+Ensure that you've gone through the [matchbox with rkt](getting-started-rkt.md) and [matchbox](matchbox.md) guides and understand the basics.
 
 ## Containers
 
-Run `bootcfg` with rkt, but mount the [grub](../examples/groups/grub) group example.
+Run `matchbox` with rkt, but mount the [grub](../examples/groups/grub) group example.
 
 ## Network
 
@@ -23,7 +23,7 @@ On Fedora, add the `metal0` interface to the trusted zone in your firewall confi
 
 Run the `coreos.com/dnsmasq` ACI with rkt.
 
-    sudo rkt run coreos.com/dnsmasq:v0.3.0 --net=metal0:IP=172.18.0.3 -- -d -q --dhcp-range=172.18.0.50,172.18.0.99 --enable-tftp --tftp-root=/var/lib/tftpboot --dhcp-match=set:efi-bc,option:client-arch,7 --dhcp-boot=tag:efi-bc,grub.efi --dhcp-userclass=set:grub,GRUB2 --dhcp-boot=tag:grub,"(http;bootcfg.foo:8080)/grub","172.18.0.2" --log-queries --log-dhcp --dhcp-userclass=set:ipxe,iPXE --dhcp-boot=tag:pxe,undionly.kpxe --dhcp-boot=tag:ipxe,http://bootcfg.foo:8080/boot.ipxe --address=/bootcfg.foo/172.18.0.2
+    sudo rkt run coreos.com/dnsmasq:v0.3.0 --net=metal0:IP=172.18.0.3 -- -d -q --dhcp-range=172.18.0.50,172.18.0.99 --enable-tftp --tftp-root=/var/lib/tftpboot --dhcp-match=set:efi-bc,option:client-arch,7 --dhcp-boot=tag:efi-bc,grub.efi --dhcp-userclass=set:grub,GRUB2 --dhcp-boot=tag:grub,"(http;matchbox.foo:8080)/grub","172.18.0.2" --log-queries --log-dhcp --dhcp-userclass=set:ipxe,iPXE --dhcp-boot=tag:pxe,undionly.kpxe --dhcp-boot=tag:ipxe,http://matchbox.foo:8080/boot.ipxe --address=/matchbox.foo/172.18.0.2
 
 ## Client VM
 
@@ -33,9 +33,9 @@ Create UEFI VM nodes which have known hardware attributes.
 
 ## Docker
 
-If you use Docker, run `bootcfg` according to [bootcfg with Docker](getting-started-docker.md), but mount the [grub](../examples/groups/grub) group example. Then start the `coreos/dnsmasq` Docker image, which bundles a `grub.efi`.
+If you use Docker, run `matchbox` according to [matchbox with Docker](getting-started-docker.md), but mount the [grub](../examples/groups/grub) group example. Then start the `coreos/dnsmasq` Docker image, which bundles a `grub.efi`.
 
-    sudo docker run --rm --cap-add=NET_ADMIN quay.io/coreos/dnsmasq -d -q --dhcp-range=172.17.0.43,172.17.0.99 --enable-tftp --tftp-root=/var/lib/tftpboot --dhcp-match=set:efi-bc,option:client-arch,7 --dhcp-boot=tag:efi-bc,grub.efi --dhcp-userclass=set:grub,GRUB2 --dhcp-boot=tag:grub,"(http;bootcfg.foo:8080)/grub","172.17.0.2" --log-queries --log-dhcp --dhcp-option=3,172.17.0.1 --dhcp-userclass=set:ipxe,iPXE --dhcp-boot=tag:pxe,undionly.kpxe --dhcp-boot=tag:ipxe,http://bootcfg.foo:8080/boot.ipxe --address=/bootcfg.foo/172.17.0.2
+    sudo docker run --rm --cap-add=NET_ADMIN quay.io/coreos/dnsmasq -d -q --dhcp-range=172.17.0.43,172.17.0.99 --enable-tftp --tftp-root=/var/lib/tftpboot --dhcp-match=set:efi-bc,option:client-arch,7 --dhcp-boot=tag:efi-bc,grub.efi --dhcp-userclass=set:grub,GRUB2 --dhcp-boot=tag:grub,"(http;matchbox.foo:8080)/grub","172.17.0.2" --log-queries --log-dhcp --dhcp-option=3,172.17.0.1 --dhcp-userclass=set:ipxe,iPXE --dhcp-boot=tag:pxe,undionly.kpxe --dhcp-boot=tag:ipxe,http://matchbox.foo:8080/boot.ipxe --address=/matchbox.foo/172.17.0.2
 
 Create a VM to verify the machine network boots.
 
diff --git a/Documentation/ignition.md b/Documentation/ignition.md
index 72758e2e..7c04cf2e 100644
--- a/Documentation/ignition.md
+++ b/Documentation/ignition.md
@@ -5,15 +5,15 @@ Ignition is a system for declaratively provisioning disks during the initramfs,
 
 ## Fuze Configs
 
-Ignition 2.0.0+ configs are versioned, *machine-friendly* JSON documents (which contain encoded file contents). Operators should write and maintain configs in a *human-friendly* format, such as CoreOS [fuze](https://github.com/coreos/fuze) configs. As of `bootcfg` v0.4.0, Fuze configs are the primary way to use CoreOS Ignition.
+Ignition 2.0.0+ configs are versioned, *machine-friendly* JSON documents (which contain encoded file contents). Operators should write and maintain configs in a *human-friendly* format, such as CoreOS [fuze](https://github.com/coreos/fuze) configs. As of `matchbox` v0.4.0, Fuze configs are the primary way to use CoreOS Ignition.
 
-The [Fuze schema](https://github.com/coreos/fuze/blob/master/doc/configuration.md) formalizes and improves upon the YAML to Ignition JSON transform. Fuze provides better support for Ignition 2.0.0+, handles file content encoding, patches Ignition bugs, performs better validations, and lets services (like `bootcfg`) negotiate the Ignition version required by a CoreOS client.
+The [Fuze schema](https://github.com/coreos/fuze/blob/master/doc/configuration.md) formalizes and improves upon the YAML to Ignition JSON transform. Fuze provides better support for Ignition 2.0.0+, handles file content encoding, patches Ignition bugs, performs better validations, and lets services (like `matchbox`) negotiate the Ignition version required by a CoreOS client.
 
 ## Adding Fuze Configs
 
-Fuze template files can be added in the `/var/lib/bootcfg/ignition` directory or in an `ignition` subdirectory of a custom `-data-path`. Template files may contain [Go template](https://golang.org/pkg/text/template/) elements which will be evaluated with group metadata, selectors, and query params.
+Fuze template files can be added in the `/var/lib/matchbox/ignition` directory or in an `ignition` subdirectory of a custom `-data-path`. Template files may contain [Go template](https://golang.org/pkg/text/template/) elements which will be evaluated with group metadata, selectors, and query params.
 
-    /var/lib/bootcfg
+    /var/lib/matchbox
      ├── cloud
      ├── ignition
      │   └── k8s-controller.yaml
@@ -24,11 +24,11 @@ Fuze template files can be added in the `/var/lib/bootcfg/ignition` directory or
 
 ### Reference
 
-Reference an Fuze config in a [Profile](bootcfg.md#profiles) with `ignition_id`. When PXE booting, use the kernel option `coreos.first_boot=1` and `coreos.config.url` to point to the `bootcfg` [Ignition endpoint](api.md#ignition-config).
+Reference an Fuze config in a [Profile](matchbox.md#profiles) with `ignition_id`. When PXE booting, use the kernel option `coreos.first_boot=1` and `coreos.config.url` to point to the `matchbox` [Ignition endpoint](api.md#ignition-config).
 
 ### Migration from v0.3.0
 
-In v0.4.0, `bootcfg` switched to using the CoreOS [fuze](https://github.com/coreos/fuze) library, which formalizes and improves upon the YAML to Ignition JSON transform. Fuze provides better support for Ignition 2.0.0+, handles file content encoding, patches Ignition bugs, and performs better validations.
+In v0.4.0, `matchbox` switched to using the CoreOS [fuze](https://github.com/coreos/fuze) library, which formalizes and improves upon the YAML to Ignition JSON transform. Fuze provides better support for Ignition 2.0.0+, handles file content encoding, patches Ignition bugs, and performs better validations.
 
 Upgrade your Ignition YAML templates to match the [Fuze config schema](https://github.com/coreos/fuze/blob/master/doc/configuration.md). Typically, you'll need to do the following:
 
diff --git a/Documentation/index.md b/Documentation/index.md
index cda0fca2..f090d70d 100644
--- a/Documentation/index.md
+++ b/Documentation/index.md
@@ -9,22 +9,22 @@ Guides and a service for network booting and provisioning CoreOS clusters on vir
 * [Machine Lifecycle](machine-lifecycle.md)
 * [Background: PXE Booting](network-booting.md)
 
-## bootcfg
+## matchbox
 
-`bootcfg` is an HTTP and gRPC service that renders signed [Ignition configs](https://coreos.com/ignition/docs/latest/what-is-ignition.html), [cloud-configs](https://coreos.com/os/docs/latest/cloud-config.html), network boot configs, and metadata to machines to create CoreOS clusters. Groups match machines based on labels (e.g. MAC, UUID, stage, region) and use named Profiles for provisioning. Network boot endpoints provide PXE, iPXE, and GRUB. `bootcfg` can be deployed as a binary, as an [appc](https://github.com/appc/spec) container with [rkt](https://coreos.com/rkt/docs/latest/), or as a Docker container.
+`matchbox` is an HTTP and gRPC service that renders signed [Ignition configs](https://coreos.com/ignition/docs/latest/what-is-ignition.html), [cloud-configs](https://coreos.com/os/docs/latest/cloud-config.html), network boot configs, and metadata to machines to create CoreOS clusters. Groups match machines based on labels (e.g. MAC, UUID, stage, region) and use named Profiles for provisioning. Network boot endpoints provide PXE, iPXE, and GRUB. `matchbox` can be deployed as a binary, as an [appc](https://github.com/appc/spec) container with [rkt](https://coreos.com/rkt/docs/latest/), or as a Docker container.
 
-* [bootcfg Service](bootcfg.md)
-* [Profiles](bootcfg.md#profiles)
-* [Groups](bootcfg.md#groups)
+* [matchbox Service](matchbox.md)
+* [Profiles](matchbox.md#profiles)
+* [Groups](matchbox.md#groups)
 * Machine Configs
     * [Ignition](ignition.md)
     * [Cloud-Config](cloud-config.md)
 * Tutorials (QEMU/KVM)
-    * [bootcfg with rkt](getting-started-rkt.md)
-    * [bootcfg with Docker](getting-started-docker.md)
+    * [matchbox with rkt](getting-started-rkt.md)
+    * [matchbox with Docker](getting-started-docker.md)
 * [Configuration](config.md)
 * [HTTP API](api.md)
-* [gRPC API](https://godoc.org/github.com/coreos/coreos-baremetal/bootcfg/client)
+* [gRPC API](https://godoc.org/github.com/coreos/coreos-baremetal/matchbox/client)
 * Installation
     * [CoreOS / Linux distros](deployment.md)
     * [rkt](deployment.md#rkt) / [docker](deployment.md#docker)
@@ -33,7 +33,7 @@ Guides and a service for network booting and provisioning CoreOS clusters on vir
     * bootcmd CLI (POC)
     * Tectonic Installer ([guide](https://tectonic.com/enterprise/docs/latest/deployer/platform-baremetal.html), [blog](https://tectonic.com/blog/tectonic-1-3-release.html))
 * Backends
-    * [FileStore](bootcfg.md#data)
+    * [FileStore](matchbox.md#data)
 * [Troubleshooting](troubleshooting.md)
 * Going Further
     * [gRPC API Usage](config.md#grpc-api)
diff --git a/Documentation/kubernetes.md b/Documentation/kubernetes.md
index affc7587..f6a3fcf4 100644
--- a/Documentation/kubernetes.md
+++ b/Documentation/kubernetes.md
@@ -5,9 +5,9 @@ The Kubernetes example provisions a 3 node Kubernetes v1.5.1 cluster with one co
 
 ## Requirements
 
-Ensure that you've gone through the [bootcfg with rkt](getting-started-rkt.md) or [bootcfg with docker](getting-started-docker.md) guide and understand the basics. In particular, you should be able to:
+Ensure that you've gone through the [matchbox with rkt](getting-started-rkt.md) or [matchbox with docker](getting-started-docker.md) guide and understand the basics. In particular, you should be able to:
 
-* Use rkt or Docker to start `bootcfg`
+* Use rkt or Docker to start `matchbox`
 * Create a network boot environment with `coreos/dnsmasq`
 * Create the example libvirt client VMs
 * `/etc/hosts` entries for `node[1-3].example.com` (or pass custom names to `k8s-certgen`)
@@ -37,7 +37,7 @@ Generate a root CA and Kubernetes TLS assets for components (`admin`, `apiserver
 
 ## Containers
 
-Use rkt or docker to start `bootcfg` and mount the desired example resources. Create a network boot environment and power-on your machines. Revisit [bootcfg with rkt](getting-started-rkt.md) or [bootcfg with Docker](getting-started-docker.md) for help.
+Use rkt or docker to start `matchbox` and mount the desired example resources. Create a network boot environment and power-on your machines. Revisit [matchbox with rkt](getting-started-rkt.md) or [matchbox with Docker](getting-started-docker.md) for help.
 
 Client machines should boot and provision themselves. Local client VMs should network boot CoreOS in about a 1 minute and the Kubernetes API should be available after 3-4 minutes (each node downloads a ~160MB Hyperkube). If you chose `k8s-install`, notice that machines install CoreOS and then reboot (in libvirt, you must hit "power" again). Time to network boot and provision Kubernetes clusters on physical hardware depends on a number of factors (POST duration, boot device iteration, network speed, etc.).
 
diff --git a/Documentation/machine-lifecycle.md b/Documentation/machine-lifecycle.md
index 1c263267..8a0293a4 100644
--- a/Documentation/machine-lifecycle.md
+++ b/Documentation/machine-lifecycle.md
@@ -3,7 +3,7 @@
 
 Physical machines [network boot](network-booting.md) in an network boot environment with DHCP/TFTP/DNS services or with [coreos/dnsmasq](../contrib/dnsmasq).
 
-`bootcfg` serves iPXE, GRUB, or Pixiecore boot configs via HTTP to machines based on Group selectors (e.g. UUID, MAC, region, etc.) and machine Profiles. Kernel and initrd images are fetched and booted with Ignition to install CoreOS. The "first boot" Ignition config if fetched and CoreOS is installed.
+`matchbox` serves iPXE, GRUB, or Pixiecore boot configs via HTTP to machines based on Group selectors (e.g. UUID, MAC, region, etc.) and machine Profiles. Kernel and initrd images are fetched and booted with Ignition to install CoreOS. The "first boot" Ignition config if fetched and CoreOS is installed.
 
 CoreOS boots ("first boot" from disk) and runs Ignition to provision its disk with systemd units, files, keys, and more to become a cluster node. Systemd units may fetch metadata from a remote source if needed.
 
diff --git a/Documentation/bootcfg.md b/Documentation/matchbox.md
similarity index 70%
rename from Documentation/bootcfg.md
rename to Documentation/matchbox.md
index 9129366f..76847e3f 100644
--- a/Documentation/bootcfg.md
+++ b/Documentation/matchbox.md
@@ -1,18 +1,18 @@
 
-# bootcfg
+# matchbox
 
-`bootcfg` is an HTTP and gRPC service that renders signed [Ignition configs](https://coreos.com/ignition/docs/latest/what-is-ignition.html), [cloud-configs](https://coreos.com/os/docs/latest/cloud-config.html), network boot configs, and metadata to machines to create CoreOS clusters. `bootcfg` maintains **Group** definitions which match machines to *profiles* based on labels (e.g. MAC address, UUID, stage, region). A **Profile** is a named set of config templates (e.g. iPXE, GRUB, Ignition config, Cloud-Config, generic configs). The aim is to use CoreOS Linux's early-boot capabilities to provision CoreOS machines.
+`matchbox` is an HTTP and gRPC service that renders signed [Ignition configs](https://coreos.com/ignition/docs/latest/what-is-ignition.html), [cloud-configs](https://coreos.com/os/docs/latest/cloud-config.html), network boot configs, and metadata to machines to create CoreOS clusters. `matchbox` maintains **Group** definitions which match machines to *profiles* based on labels (e.g. MAC address, UUID, stage, region). A **Profile** is a named set of config templates (e.g. iPXE, GRUB, Ignition config, Cloud-Config, generic configs). The aim is to use CoreOS Linux's early-boot capabilities to provision CoreOS machines.
 
-Network boot endpoints provide PXE, iPXE, GRUB support. `bootcfg` can be deployed as a binary, as an [appc](https://github.com/appc/spec) container with rkt, or as a Docker container.
+Network boot endpoints provide PXE, iPXE, GRUB support. `matchbox` can be deployed as a binary, as an [appc](https://github.com/appc/spec) container with rkt, or as a Docker container.
 
 ![Bootcfg Overview](img/overview.png)
 
 ## Getting Started
 
-Get started running `bootcfg` on your Linux machine, with rkt or Docker.
+Get started running `matchbox` on your Linux machine, with rkt or Docker.
 
-* [bootcfg with rkt](getting-started-rkt.md)
-* [bootcfg with Docker](getting-started-docker.md)
+* [matchbox with rkt](getting-started-rkt.md)
+* [matchbox with Docker](getting-started-docker.md)
 
 ## Flags
 
@@ -21,15 +21,15 @@ See [configuration](config.md) flags and variables.
 ## API
 
 * [HTTP API](api.md)
-* [gRPC API](https://godoc.org/github.com/coreos/coreos-baremetal/bootcfg/client)
+* [gRPC API](https://godoc.org/github.com/coreos/coreos-baremetal/matchbox/client)
 
 ## Data
 
-A `Store` stores machine Groups, Profiles, and associated Ignition configs, cloud-configs, and generic configs. By default, `bootcfg` uses a `FileStore` to search a `-data-path` for these resources.
+A `Store` stores machine Groups, Profiles, and associated Ignition configs, cloud-configs, and generic configs. By default, `matchbox` uses a `FileStore` to search a `-data-path` for these resources.
 
-Prepare `/var/lib/bootcfg` with `groups`, `profile`, `ignition`, `cloud`, and `generic` subdirectories. You may wish to keep these files under version control.
+Prepare `/var/lib/matchbox` with `groups`, `profile`, `ignition`, `cloud`, and `generic` subdirectories. You may wish to keep these files under version control.
 
-     /var/lib/bootcfg
+     /var/lib/matchbox
      ├── cloud
      │   ├── cloud.yaml.tmpl
      │   └── worker.sh.tmpl
@@ -65,7 +65,7 @@ Profiles reference an Ignition config, Cloud-Config, and/or generic config by na
         "kernel": "/assets/coreos/1185.3.0/coreos_production_pxe.vmlinuz",
         "initrd": ["/assets/coreos/1185.3.0/coreos_production_pxe_image.cpio.gz"],
         "args": [
-          "coreos.config.url=http://bootcfg.foo:8080/ignition?uuid=${uuid}&mac=${net0/mac:hexhyp}",
+          "coreos.config.url=http://matchbox.foo:8080/ignition?uuid=${uuid}&mac=${net0/mac:hexhyp}",
           "coreos.first_boot=yes",
           "coreos.autologin"
         ]
@@ -74,17 +74,17 @@ Profiles reference an Ignition config, Cloud-Config, and/or generic config by na
 
 The `"boot"` settings will be used to render configs to network boot programs such as iPXE, GRUB, or Pixiecore. You may reference remote kernel and initrd assets or [local assets](#assets).
 
-To use Ignition, set the `coreos.config.url` kernel option to reference the `bootcfg` [Ignition endpoint](api.md#ignition-config), which will render the `ignition_id` file. Be sure to add the `coreos.first_boot` option as well.
+To use Ignition, set the `coreos.config.url` kernel option to reference the `matchbox` [Ignition endpoint](api.md#ignition-config), which will render the `ignition_id` file. Be sure to add the `coreos.first_boot` option as well.
 
-To use cloud-config, set the `cloud-config-url` kernel option to reference the `bootcfg` [Cloud-Config endpoint](api.md#cloud-config), which will render the `cloud_id` file.
+To use cloud-config, set the `cloud-config-url` kernel option to reference the `matchbox` [Cloud-Config endpoint](api.md#cloud-config), which will render the `cloud_id` file.
 
 ### Groups
 
 Groups define selectors which match zero or more machines. Machine(s) matching a group will boot and provision according to the group's `Profile`.
 
-Create a group definition with a `Profile` to be applied, selectors for matching machines, and any `metadata` needed to render templated configs. For example `/var/lib/bootcfg/groups/node1.json` matches a single machine with MAC address `52:54:00:89:d8:10`.
+Create a group definition with a `Profile` to be applied, selectors for matching machines, and any `metadata` needed to render templated configs. For example `/var/lib/matchbox/groups/node1.json` matches a single machine with MAC address `52:54:00:89:d8:10`.
 
-    # /var/lib/bootcfg/groups/node1.json
+    # /var/lib/matchbox/groups/node1.json
     {
       "name": "node1",
       "profile": "etcd",
@@ -98,7 +98,7 @@ Create a group definition with a `Profile` to be applied, selectors for matching
       }
     }
 
-Meanwhile, `/var/lib/bootcfg/groups/proxy.json` acts as the default machine group since it has no selectors.
+Meanwhile, `/var/lib/matchbox/groups/proxy.json` acts as the default machine group since it has no selectors.
 
     {
       "name": "etcd-proxy",
@@ -150,9 +150,9 @@ Note that `.request` is reserved for these purposes so group metadata with data
 
 ## Assets
 
-`bootcfg` can serve `-assets-path` static assets at `/assets`. This is helpful for reducing bandwidth usage when serving the kernel and initrd to network booted machines. The default assets-path is `/var/lib/bootcfg/assets` or you can pass `-assets-path=""` to disable asset serving.
+`matchbox` can serve `-assets-path` static assets at `/assets`. This is helpful for reducing bandwidth usage when serving the kernel and initrd to network booted machines. The default assets-path is `/var/lib/matchbox/assets` or you can pass `-assets-path=""` to disable asset serving.
 
-    bootcfg.foo/assets/
+    matchbox.foo/assets/
     └── coreos
         └── VERSION
             ├── coreos_production_pxe.vmlinuz
@@ -164,7 +164,7 @@ See the [get-coreos](../scripts/README.md#get-coreos) script to quickly download
 
 ## Network
 
-`bootcfg` does not implement or exec a DHCP/TFTP server. Read [network setup](network-setup.md) or use the [coreos/dnsmasq](../contrib/dnsmasq) image if you need a quick DHCP, proxyDHCP, TFTP, or DNS setup.
+`matchbox` does not implement or exec a DHCP/TFTP server. Read [network setup](network-setup.md) or use the [coreos/dnsmasq](../contrib/dnsmasq) image if you need a quick DHCP, proxyDHCP, TFTP, or DNS setup.
 
 ## Going Further
 
diff --git a/Documentation/network-booting.md b/Documentation/network-booting.md
index e13661c9..974c0a2d 100644
--- a/Documentation/network-booting.md
+++ b/Documentation/network-booting.md
@@ -49,7 +49,7 @@ This approach has a number of drawbacks. TFTP can be slow, managing config files
 
 ![iPXE flow](img/ipxe.png)
 
-A DHCPOFFER to iPXE client firmware specifies an HTTP boot script such as `http://bootcfg.foo/boot.ipxe`.
+A DHCPOFFER to iPXE client firmware specifies an HTTP boot script such as `http://matchbox.foo/boot.ipxe`.
 
 Here is an example iPXE script for booting the remote CoreOS stable image.
 
@@ -64,7 +64,7 @@ boot
 
 A TFTP server is used only to provide the `undionly.kpxe` boot program to older PXE firmware in order to bootstrap into iPXE.
 
-CoreOS `bootcfg` can render signed iPXE scripts to machines based on their hardware attributes. Setup involves configuring your DHCP server to point iPXE clients to the `bootcfg` [iPXE endpoint](api.md#ipxe).
+CoreOS `matchbox` can render signed iPXE scripts to machines based on their hardware attributes. Setup involves configuring your DHCP server to point iPXE clients to the `matchbox` [iPXE endpoint](api.md#ipxe).
 
 ## DHCP
 
diff --git a/Documentation/network-setup.md b/Documentation/network-setup.md
index 395c2c0f..627c624a 100644
--- a/Documentation/network-setup.md
+++ b/Documentation/network-setup.md
@@ -1,9 +1,9 @@
 
 # Network Setup
 
-This guide shows how to create a DHCP/TFTP/DNS network boot environment to work with `bootcfg` to boot and provision PXE, iPXE, or GRUB2 client machines.
+This guide shows how to create a DHCP/TFTP/DNS network boot environment to work with `matchbox` to boot and provision PXE, iPXE, or GRUB2 client machines.
 
-`bootcfg` serves iPXE scripts or GRUB configs over HTTP to serve as the entrypoint for CoreOS cluster bring-up. It does not implement or exec a DHCP, TFTP, or DNS server. Instead, you can configure your own network services to point to `bootcfg` or use the convenient [coreos/dnsmasq](../contrib/dnsmasq) container image (used in libvirt demos).
+`matchbox` serves iPXE scripts or GRUB configs over HTTP to serve as the entrypoint for CoreOS cluster bring-up. It does not implement or exec a DHCP, TFTP, or DNS server. Instead, you can configure your own network services to point to `matchbox` or use the convenient [coreos/dnsmasq](../contrib/dnsmasq) container image (used in libvirt demos).
 
 *Note*: These are just suggestions. Your network administrator or system administrator should choose the right network setup for your company.
 
@@ -13,14 +13,14 @@ Client hardware must have a network interface which supports PXE or iPXE.
 
 ## Goals
 
-* Add a DNS name which resolves to a `bootcfg` deploy.
+* Add a DNS name which resolves to a `matchbox` deploy.
 * Chainload PXE firmware to iPXE or GRUB2
-* Point iPXE clients to `http://bootcfg.foo:port/boot.ipxe`
-* Point GRUB clients to `http://bootcfg.foo:port/grub`
+* Point iPXE clients to `http://matchbox.foo:port/boot.ipxe`
+* Point GRUB clients to `http://matchbox.foo:port/grub`
 
 ## Setup
 
-Many companies already have DHCP/TFTP configured to "PXE-boot" PXE/iPXE clients. In this case, machines (or a subset of machines) can be made to chainload from `chain http://bootcfg.foo:port/boot.ipxe`. Older PXE clients can be made to chainload into iPXE or GRUB to be able to fetch subsequent configs via HTTP.
+Many companies already have DHCP/TFTP configured to "PXE-boot" PXE/iPXE clients. In this case, machines (or a subset of machines) can be made to chainload from `chain http://matchbox.foo:port/boot.ipxe`. Older PXE clients can be made to chainload into iPXE or GRUB to be able to fetch subsequent configs via HTTP.
 
 On simpler networks, such as what a developer might have at home, a relatively inflexible DHCP server may be in place, with no TFTP server. In this case, a proxy DHCP server can be run alongside a non-PXE capable DHCP server.
 
@@ -32,23 +32,23 @@ The setup of DHCP, TFTP, and DNS services on a network varies greatly. If you wi
 
 ## DNS
 
-Add a DNS entry (e.g. `bootcfg.foo`, `provisoner.mycompany-internal`) that resolves to a deployment of the CoreOS `bootcfg` service from machines you intend to boot and provision.
+Add a DNS entry (e.g. `matchbox.foo`, `provisoner.mycompany-internal`) that resolves to a deployment of the CoreOS `matchbox` service from machines you intend to boot and provision.
 
-    dig bootcfg.foo
+    dig matchbox.foo
 
-If you deployed `bootcfg` to a known IP address (e.g. dedicated host, load balanced endpoint, Kubernetes NodePort) and use `dnsmasq`, a domain name to IPv4/IPv6 address mapping could be added to the `/etc/dnsmasq.conf`.
+If you deployed `matchbox` to a known IP address (e.g. dedicated host, load balanced endpoint, Kubernetes NodePort) and use `dnsmasq`, a domain name to IPv4/IPv6 address mapping could be added to the `/etc/dnsmasq.conf`.
 
     # dnsmasq.conf
-    address=/bootcfg.foo/172.18.0.2
+    address=/matchbox.foo/172.18.0.2
 
 ## iPXE
 
-Servers with DHCP/TFTP/ services which already network boot iPXE clients can use the `chain` command to make clients download and execute the iPXE boot script from `bootcfg`.
+Servers with DHCP/TFTP/ services which already network boot iPXE clients can use the `chain` command to make clients download and execute the iPXE boot script from `matchbox`.
 
     # /var/www/html/ipxe/default.ipxe
-    chain http://bootcfg.foo:8080/boot.ipxe
+    chain http://matchbox.foo:8080/boot.ipxe
 
-You can chainload from a menu entry or use other [iPXE commands](http://ipxe.org/cmd) if you have needs beyond just delegating to the iPXE script served by `bootcfg`.
+You can chainload from a menu entry or use other [iPXE commands](http://ipxe.org/cmd) if you have needs beyond just delegating to the iPXE script served by `matchbox`.
 
 ## GRUB
 
@@ -56,7 +56,7 @@ Needs docs.
 
 ### Configuring DHCP
 
-Configure your DHCP server to supply options to older PXE client firmware to specify the location of an iPXE or GRUB network boot program on your TFTP server. Send clients to the `bootcfg` iPXE script or GRUB config endpoints.
+Configure your DHCP server to supply options to older PXE client firmware to specify the location of an iPXE or GRUB network boot program on your TFTP server. Send clients to the `matchbox` iPXE script or GRUB config endpoints.
 
 Here is an example `/etc/dnsmasq.conf`:
 
@@ -70,15 +70,15 @@ tftp-root=/var/lib/tftpboot
 dhcp-boot=tag:!ipxe,undionly.kpxe
 # if request comes from iPXE user class, set tag "ipxe"
 dhcp-userclass=set:ipxe,iPXE
-# point ipxe tagged requests to the bootcfg iPXE boot script (via HTTP)
-dhcp-boot=tag:ipxe,http://bootcfg.foo:8080/boot.ipxe
+# point ipxe tagged requests to the matchbox iPXE boot script (via HTTP)
+dhcp-boot=tag:ipxe,http://matchbox.foo:8080/boot.ipxe
 
 # verbose
 log-queries
 log-dhcp
 
 # static DNS assignements
-address=/bootcfg.foo/192.168.1.100
+address=/matchbox.foo/192.168.1.100
 
 # (optional) disable DNS and specify alternate
 # port=0
@@ -107,8 +107,8 @@ tftp-root=/var/lib/tftpboot
 pxe-service=tag:#ipxe,x86PC,"PXE chainload to iPXE",undionly.kpxe
 # if request comes from iPXE user class, set tag "ipxe"
 dhcp-userclass=set:ipxe,iPXE
-# point ipxe tagged requests to the bootcfg iPXE boot script (via HTTP)
-pxe-service=tag:ipxe,x86PC,"iPXE",http://bootcfg.foo:8080/boot.ipxe
+# point ipxe tagged requests to the matchbox iPXE boot script (via HTTP)
+pxe-service=tag:ipxe,x86PC,"iPXE",http://matchbox.foo:8080/boot.ipxe
 
 # verbose
 log-queries
@@ -126,13 +126,13 @@ sudo firewall-cmd --list-services
 With rkt:
 
 ```sh
-sudo rkt run coreos.com/dnsmasq:v0.3.0 --net=host -- -d -q --dhcp-range=192.168.1.1,proxy,255.255.255.0 --enable-tftp --tftp-root=/var/lib/tftpboot --dhcp-userclass=set:ipxe,iPXE --pxe-service=tag:#ipxe,x86PC,"PXE chainload to iPXE",undionly.kpxe --pxe-service=tag:ipxe,x86PC,"iPXE",http://bootcfg.foo:8080/boot.ipxe --log-queries --log-dhcp
+sudo rkt run coreos.com/dnsmasq:v0.3.0 --net=host -- -d -q --dhcp-range=192.168.1.1,proxy,255.255.255.0 --enable-tftp --tftp-root=/var/lib/tftpboot --dhcp-userclass=set:ipxe,iPXE --pxe-service=tag:#ipxe,x86PC,"PXE chainload to iPXE",undionly.kpxe --pxe-service=tag:ipxe,x86PC,"iPXE",http://matchbox.foo:8080/boot.ipxe --log-queries --log-dhcp
 ```
 
 With Docker:
 
 ```sh
-sudo docker run --net=host --rm --cap-add=NET_ADMIN quay.io/coreos/dnsmasq -d -q --dhcp-range=192.168.1.1,proxy,255.255.255.0 --enable-tftp --tftp-root=/var/lib/tftpboot --dhcp-userclass=set:ipxe,iPXE --pxe-service=tag:#ipxe,x86PC,"PXE chainload to iPXE",undionly.kpxe --pxe-service=tag:ipxe,x86PC,"iPXE",http://bootcfg.foo:8080/boot.ipxe --log-queries --log-dhcp
+sudo docker run --net=host --rm --cap-add=NET_ADMIN quay.io/coreos/dnsmasq -d -q --dhcp-range=192.168.1.1,proxy,255.255.255.0 --enable-tftp --tftp-root=/var/lib/tftpboot --dhcp-userclass=set:ipxe,iPXE --pxe-service=tag:#ipxe,x86PC,"PXE chainload to iPXE",undionly.kpxe --pxe-service=tag:ipxe,x86PC,"iPXE",http://matchbox.foo:8080/boot.ipxe --log-queries --log-dhcp
 ```
 
 ### Configurable TFTP
@@ -145,7 +145,7 @@ Example `/var/lib/tftpboot/pxelinux.cfg/default`:
     default iPXE
     LABEL iPXE
     KERNEL ipxe.lkrn
-    APPEND dhcp && chain http://bootcfg.foo:8080/boot.ipxe
+    APPEND dhcp && chain http://matchbox.foo:8080/boot.ipxe
 
 Add ipxe.lkrn to `/var/lib/tftpboot` (see [iPXE docs](http://ipxe.org/embed)).
 
@@ -161,16 +161,16 @@ sudo rkt trust --prefix coreos.com/dnsmasq
 ```
 
 ```sh
-sudo rkt run coreos.com/dnsmasq:v0.3.0 --net=host -- -d -q --dhcp-range=192.168.1.3,192.168.1.254 --enable-tftp --tftp-root=/var/lib/tftpboot --dhcp-userclass=set:ipxe,iPXE --dhcp-boot=tag:#ipxe,undionly.kpxe --dhcp-boot=tag:ipxe,http://bootcfg.foo:8080/boot.ipxe --address=/bootcfg.foo/192.168.1.2 --log-queries --log-dhcp
+sudo rkt run coreos.com/dnsmasq:v0.3.0 --net=host -- -d -q --dhcp-range=192.168.1.3,192.168.1.254 --enable-tftp --tftp-root=/var/lib/tftpboot --dhcp-userclass=set:ipxe,iPXE --dhcp-boot=tag:#ipxe,undionly.kpxe --dhcp-boot=tag:ipxe,http://matchbox.foo:8080/boot.ipxe --address=/matchbox.foo/192.168.1.2 --log-queries --log-dhcp
 ```
 
 With Docker:
 
 ```sh
-sudo docker run --rm --cap-add=NET_ADMIN --net=host quay.io/coreos/dnsmasq -d -q --dhcp-range=192.168.1.3,192.168.1.254 --enable-tftp --tftp-root=/var/lib/tftpboot --dhcp-userclass=set:ipxe,iPXE --dhcp-boot=tag:#ipxe,undionly.kpxe --dhcp-boot=tag:ipxe,http://bootcfg.foo:8080/boot.ipxe --address=/bootcfg.foo/192.168.1.2 --log-queries --log-dhcp
+sudo docker run --rm --cap-add=NET_ADMIN --net=host quay.io/coreos/dnsmasq -d -q --dhcp-range=192.168.1.3,192.168.1.254 --enable-tftp --tftp-root=/var/lib/tftpboot --dhcp-userclass=set:ipxe,iPXE --dhcp-boot=tag:#ipxe,undionly.kpxe --dhcp-boot=tag:ipxe,http://matchbox.foo:8080/boot.ipxe --address=/matchbox.foo/192.168.1.2 --log-queries --log-dhcp
 ```
 
-Ensure that `bootcfg.foo` resolves to a `bootcfg` deployment and that you've allowed the services to run in your firewall configuration.
+Ensure that `matchbox.foo` resolves to a `matchbox` deployment and that you've allowed the services to run in your firewall configuration.
 
 ```sh
 sudo firewall-cmd --add-service=dhcp --add-service=tftp --add-service=dns
diff --git a/Documentation/openpgp.md b/Documentation/openpgp.md
index 54763031..9440de0f 100644
--- a/Documentation/openpgp.md
+++ b/Documentation/openpgp.md
@@ -1,19 +1,19 @@
 
 # OpenPGP Signing
 
-The `bootcfg` OpenPGP signature endpoints serve detached binary and ASCII armored signatures of rendered configs, if enabled. Each config endpoint has corresponding signature endpoints, typically suffixed with `.sig` or `.asc`.
+The `matchbox` OpenPGP signature endpoints serve detached binary and ASCII armored signatures of rendered configs, if enabled. Each config endpoint has corresponding signature endpoints, typically suffixed with `.sig` or `.asc`.
 
-To enable OpenPGP signing, provide the path to a secret keyring containing a single signing key with `-key-ring-path` or by setting `BOOTCFG_KEY_RING_PATH`. If a passphrase is required, set it via the `BOOTCFG_PASSPHRASE` environment variable.
+To enable OpenPGP signing, provide the path to a secret keyring containing a single signing key with `-key-ring-path` or by setting `MATCHBOX_KEY_RING_PATH`. If a passphrase is required, set it via the `MATCHBOX_PASSPHRASE` environment variable.
 
 Here are example signature endpoints without their query parameters.
 
 | Endpoint   | Signature Endpoint | ASCII Signature Endpoint |
 |------------|--------------------|-------------------------|
-| iPXE       | `http://bootcfg.foo/ipxe.sig` | `http://bootcfg.foo/ipxe.asc` |
-| GRUB2      | `http://bootcf.foo/grub.sig` | `http://bootcfg.foo/grub.asc` |
-| Ignition   | `http://bootcfg.foo/ignition.sig` | `http://bootcfg.foo/ignition.asc` |
-| Cloud-Config | `http://bootcfg.foo/cloud.sig` | `http://bootcfg.foo/cloud.asc` |
-| Metadata   | `http://bootcfg.foo/metadata.sig` | `http://bootcfg.foo/metadata.asc` |
+| iPXE       | `http://matchbox.foo/ipxe.sig` | `http://matchbox.foo/ipxe.asc` |
+| GRUB2      | `http://bootcf.foo/grub.sig` | `http://matchbox.foo/grub.asc` |
+| Ignition   | `http://matchbox.foo/ignition.sig` | `http://matchbox.foo/ignition.asc` |
+| Cloud-Config | `http://matchbox.foo/cloud.sig` | `http://matchbox.foo/cloud.asc` |
+| Metadata   | `http://matchbox.foo/metadata.sig` | `http://matchbox.foo/metadata.asc` |
 
 In production, mount your signing keyring and source the passphrase from a [Kubernetes secret](http://kubernetes.io/v1.1/docs/user-guide/secrets.html). Use a signing subkey exported to a keyring by itself, which can be revoked by a primary key, if needed.
 
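Review bot: The GRUB2 row of the endpoint table still reads `http://bootcf.foo/grub.sig` on the new side, so the rename missed it (the old host was already misspelled there); it should be `http://matchbox.foo/grub.sig` to match the `.asc` column. The same hunk renames the documented variables to `MATCHBOX_KEY_RING_PATH` and `MATCHBOX_PASSPHRASE`, and it does not show whether the old `BOOTCFG_*` names are still honoured. Since signatures are served only "if enabled", a deployment that keeps the old names would presumably come up without signature endpoints and without any obvious error. A one-line upgrade note beside the variable names, e.g. `The BOOTCFG_* variables were renamed to MATCHBOX_*; update unit files and secrets before upgrading.`, would make that visible.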
diff --git a/Documentation/rktnetes.md b/Documentation/rktnetes.md
index 3ad81ca8..fa4ef0bc 100644
--- a/Documentation/rktnetes.md
+++ b/Documentation/rktnetes.md
@@ -4,9 +4,9 @@ The `rktnetes` example provisions a 3 node Kubernetes v1.4.7 cluster with [rkt](
 
 ## Requirements
 
-Ensure that you've gone through the [bootcfg with rkt](getting-started-rkt.md) or [bootcfg with docker](getting-started-docker.md) guide and understand the basics. In particular, you should be able to:
+Ensure that you've gone through the [matchbox with rkt](getting-started-rkt.md) or [matchbox with docker](getting-started-docker.md) guide and understand the basics. In particular, you should be able to:
 
-* Use rkt or Docker to start `bootcfg`
+* Use rkt or Docker to start `matchbox`
 * Create a network boot environment with `coreos/dnsmasq`
 * Create the example libvirt client VMs
 * `/etc/hosts` entries for `node[1-3].example.com` (or pass custom names to `k8s-certgen`)
@@ -36,7 +36,7 @@ Generate a root CA and Kubernetes TLS assets for components (`admin`, `apiserver
 
 ## Containers
 
-Use rkt or docker to start `bootcfg` and mount the desired example resources. Create a network boot environment and power-on your machines. Revisit [bootcfg with rkt](getting-started-rkt.md) or [bootcfg with Docker](getting-started-docker.md) for help.
+Use rkt or docker to start `matchbox` and mount the desired example resources. Create a network boot environment and power-on your machines. Revisit [matchbox with rkt](getting-started-rkt.md) or [matchbox with Docker](getting-started-docker.md) for help.
 
 Client machines should boot and provision themselves. Local client VMs should network boot CoreOS in about a 1 minute and the Kubernetes API should be available after 3-4 minutes (each node downloads a ~160MB Hyperkube). If you chose `rktnetes-install`, notice that machines install CoreOS and then reboot (in libvirt, you must hit "power" again). Time to network boot and provision Kubernetes clusters on physical hardware depends on a number of factors (POST duration, boot device iteration, network speed, etc.).
 
diff --git a/Documentation/torus.md b/Documentation/torus.md
index a0fc61a1..d7888507 100644
--- a/Documentation/torus.md
+++ b/Documentation/torus.md
@@ -5,9 +5,9 @@ The Torus example provisions a 3 node CoreOS cluster, with `etcd3` and Torus, to
 
 ## Requirements
 
-Ensure that you've gone through the [bootcfg with rkt](getting-started-rkt.md) guide and understand the basics. In particular, you should be able to:
+Ensure that you've gone through the [matchbox with rkt](getting-started-rkt.md) guide and understand the basics. In particular, you should be able to:
 
-* Use rkt or Docker to start `bootcfg`
+* Use rkt or Docker to start `matchbox`
 * Create a network boot environment with `coreos/dnsmasq`
 * Create the example libvirt client VMs
 * `/etc/hosts` entries for `node[1-3].example.com` (or pass custom names to `k8s-certgen`)
@@ -27,7 +27,7 @@ Download the CoreOS image assets referenced in the target [profile](../examples/
 
 ## Containers
 
-Use rkt or docker to start `bootcfg` and mount `torus` example. Create a network boot environment and power-on your machines. Revisit [bootcfg with rkt](getting-started-rkt.md) or [bootcfg with Docker](getting-started-docker.md) for help.
+Use rkt or docker to start `matchbox` and mount `torus` example. Create a network boot environment and power-on your machines. Revisit [matchbox with rkt](getting-started-rkt.md) or [matchbox with Docker](getting-started-docker.md) for help.
 
 Client machines should network boot and provision themselves.
 
diff --git a/Makefile b/Makefile
index e76a7e07..6c67f74e 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,6 @@
 
 export CGO_ENABLED:=0
-LD_FLAGS="-w -X github.com/coreos/coreos-baremetal/bootcfg/version.Version=$(shell ./git-version)"
+LD_FLAGS="-w -X github.com/coreos/coreos-baremetal/matchbox/version.Version=$(shell ./git-version)"
 LOCAL_BIN=/usr/local/bin
 
 all: build
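Review bot: The `-X` target in `LD_FLAGS` now names `github.com/coreos/coreos-baremetal/matchbox/version.Version`, and the Go linker ignores a `-X` whose symbol it cannot find instead of failing. A mismatch between this path and the package's real location would therefore build cleanly and ship binaries with no version stamp; whether `matchbox/version` exists at this commit is not visible from the Makefile hunks. Consider a comment above the variable, e.g. `# -X is silently ignored if the import path is wrong; keep in sync with the version package`, plus a release check that the built binary reports a non-empty version. The `go build` lines in the two later Makefile hunks switch to `cmd/matchbox`, where a wrong path does fail the build, so only the `-X` path needs this guard.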
@@ -13,7 +13,7 @@ codegen: tools
 	./scripts/codegen
 
 bin/matchbox:
-	go build -o bin/matchbox -ldflags $(LD_FLAGS) -a github.com/coreos/coreos-baremetal/cmd/bootcfg
+	go build -o bin/matchbox -ldflags $(LD_FLAGS) -a github.com/coreos/coreos-baremetal/cmd/matchbox
 
 bin/bootcmd:
 	go build -o bin/bootcmd -ldflags $(LD_FLAGS) -a github.com/coreos/coreos-baremetal/cmd/bootcmd
@@ -35,16 +35,16 @@ release: \
 # matchbox
 
 bin/linux-amd64/matchbox:
-	GOOS=linux GOARCH=amd64 go build -o bin/linux-amd64/matchbox -ldflags $(LD_FLAGS) -a github.com/coreos/coreos-baremetal/cmd/bootcfg
+	GOOS=linux GOARCH=amd64 go build -o bin/linux-amd64/matchbox -ldflags $(LD_FLAGS) -a github.com/coreos/coreos-baremetal/cmd/matchbox
 
 bin/linux-arm/matchbox:
-	GOOS=linux GOARCH=arm go build -o bin/linux-arm/matchbox -ldflags $(LD_FLAGS) -a github.com/coreos/coreos-baremetal/cmd/bootcfg
+	GOOS=linux GOARCH=arm go build -o bin/linux-arm/matchbox -ldflags $(LD_FLAGS) -a github.com/coreos/coreos-baremetal/cmd/matchbox
 
 bin/linux-arm64/matchbox:
-	GOOS=linux GOARCH=arm64 go build -o bin/linux-arm64/matchbox -ldflags $(LD_FLAGS) -a github.com/coreos/coreos-baremetal/cmd/bootcfg
+	GOOS=linux GOARCH=arm64 go build -o bin/linux-arm64/matchbox -ldflags $(LD_FLAGS) -a github.com/coreos/coreos-baremetal/cmd/matchbox
 
 bin/darwin-amd64/matchbox:
-	GOOS=darwin GOARCH=amd64 go build -o bin/darwin-amd64/matchbox -ldflags $(LD_FLAGS) -a github.com/coreos/coreos-baremetal/cmd/bootcfg
+	GOOS=darwin GOARCH=amd64 go build -o bin/darwin-amd64/matchbox -ldflags $(LD_FLAGS) -a github.com/coreos/coreos-baremetal/cmd/matchbox
 
 # bootcmd
 
diff --git a/README.md b/README.md
index 839fff70..2041f9ed 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
 
 # CoreOS on Baremetal
 
-[![Build Status](https://travis-ci.org/coreos/coreos-baremetal.svg?branch=master)](https://travis-ci.org/coreos/coreos-baremetal) [![GoDoc](https://godoc.org/github.com/coreos/coreos-baremetal?status.png)](https://godoc.org/github.com/coreos/coreos-baremetal) [![Docker Repository on Quay](https://quay.io/repository/coreos/bootcfg/status "Docker Repository on Quay")](https://quay.io/repository/coreos/bootcfg) [![IRC](https://img.shields.io/badge/irc-%23coreos-449FD8.svg)](https://botbot.me/freenode/coreos)
+[![Build Status](https://travis-ci.org/coreos/coreos-baremetal.svg?branch=master)](https://travis-ci.org/coreos/coreos-baremetal) [![GoDoc](https://godoc.org/github.com/coreos/coreos-baremetal?status.png)](https://godoc.org/github.com/coreos/coreos-baremetal) [![Docker Repository on Quay](https://quay.io/repository/coreos/matchbox/status "Docker Repository on Quay")](https://quay.io/repository/coreos/matchbox) [![IRC](https://img.shields.io/badge/irc-%23coreos-449FD8.svg)](https://botbot.me/freenode/coreos)
 
 Guides and a service for network booting and provisioning CoreOS clusters on virtual or physical hardware.
 
@@ -11,22 +11,22 @@ Guides and a service for network booting and provisioning CoreOS clusters on vir
 * [Machine Lifecycle](Documentation/machine-lifecycle.md)
 * [Background: PXE Booting](Documentation/network-booting.md)
 
-## bootcfg
+## matchbox
 
-`bootcfg` is an HTTP and gRPC service that renders signed [Ignition configs](https://coreos.com/ignition/docs/latest/what-is-ignition.html), [cloud-configs](https://coreos.com/os/docs/latest/cloud-config.html), network boot configs, and metadata to machines to create CoreOS clusters. Groups match machines based on labels (e.g. MAC, UUID, stage, region) and use named Profiles for provisioning. Network boot endpoints provide PXE, iPXE, and GRUB. `bootcfg` can be deployed as a binary, as an [appc](https://github.com/appc/spec) container with [rkt](https://coreos.com/rkt/docs/latest/), or as a Docker container.
+`matchbox` is an HTTP and gRPC service that renders signed [Ignition configs](https://coreos.com/ignition/docs/latest/what-is-ignition.html), [cloud-configs](https://coreos.com/os/docs/latest/cloud-config.html), network boot configs, and metadata to machines to create CoreOS clusters. Groups match machines based on labels (e.g. MAC, UUID, stage, region) and use named Profiles for provisioning. Network boot endpoints provide PXE, iPXE, and GRUB. `matchbox` can be deployed as a binary, as an [appc](https://github.com/appc/spec) container with [rkt](https://coreos.com/rkt/docs/latest/), or as a Docker container.
 
-* [bootcfg Service](Documentation/bootcfg.md)
-* [Profiles](Documentation/bootcfg.md#profiles)
-* [Groups](Documentation/bootcfg.md#groups)
+* [matchbox Service](Documentation/matchbox.md)
+* [Profiles](Documentation/matchbox.md#profiles)
+* [Groups](Documentation/matchbox.md#groups)
 * Config Templates
     * [Ignition](Documentation/ignition.md)
     * [Cloud-Config](Documentation/cloud-config.md)
 * Tutorials (QEMU/KVM/libvirt)
-    * [bootcfg with rkt](Documentation/getting-started-rkt.md)
-    * [bootcfg with Docker](Documentation/getting-started-docker.md)
+    * [matchbox with rkt](Documentation/getting-started-rkt.md)
+    * [matchbox with Docker](Documentation/getting-started-docker.md)
 * [Configuration](Documentation/config.md)
 * [HTTP API](Documentation/api.md)
-* [gRPC API](https://godoc.org/github.com/coreos/coreos-baremetal/bootcfg/client)
+* [gRPC API](https://godoc.org/github.com/coreos/coreos-baremetal/matchbox/client)
 * Installation
     * [CoreOS / Linux distros](Documentation/deployment.md)
     * [rkt](Documentation/deployment.md#rkt) / [docker](Documentation/deployment.md#docker)
@@ -35,7 +35,7 @@ Guides and a service for network booting and provisioning CoreOS clusters on vir
     * bootcmd CLI (POC)
     * Tectonic Installer ([guide](https://tectonic.com/enterprise/docs/latest/deployer/platform-baremetal.html), [blog](https://tectonic.com/blog/tectonic-1-3-release.html))
 * Backends
-    * [FileStore](Documentation/bootcfg.md#data)
+    * [FileStore](Documentation/matchbox.md#data)
 * [Troubleshooting](Documentation/troubleshooting.md)
 * Going Further
     * [gRPC API Usage](Documentation/config.md#grpc-api)
diff --git a/build b/build
index e7312e2b..0fb4746c 100755
--- a/build
+++ b/build
@@ -1,7 +1,7 @@
 #!/bin/bash -e
 
-LD_FLAGS="-w -X github.com/coreos/coreos-baremetal/bootcfg/version.Version=$(./git-version)"
-CGO_ENABLED=0 go build -o bin/matchbox -ldflags "$LD_FLAGS" -a github.com/coreos/coreos-baremetal/cmd/bootcfg
+LD_FLAGS="-w -X github.com/coreos/coreos-baremetal/matchbox/version.Version=$(./git-version)"
+CGO_ENABLED=0 go build -o bin/matchbox -ldflags "$LD_FLAGS" -a github.com/coreos/coreos-baremetal/cmd/matchbox
 
 # bootcmd CLI binary
 CGO_ENABLED=0 go build -o bin/bootcmd -ldflags "$LD_FLAGS" -a github.com/coreos/coreos-baremetal/cmd/bootcmd
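Review bot: The `-X` target on the new `LD_FLAGS` line must match the version package's real import path, because the Go linker ignores an `-X` for a symbol that does not exist. A mismatch would still build cleanly and produce binaries with no version stamp, which makes it harder to tell later which build is deployed. The package rename itself is not visible in this part of the patch, so this may already be correct. The same `$LD_FLAGS` is reused for the `bootcmd` build two lines below. I would add a comment above the assignment, `# -X is silently ignored if this path does not match the version package; keep in sync with matchbox/version`, and check the built binary's reported version once after the rename.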
diff --git a/cmd/bootcfg/main.go b/cmd/matchbox/main.go
similarity index 100%
rename from cmd/bootcfg/main.go
rename to cmd/matchbox/main.go
diff --git a/contrib/dnsmasq/README.md b/contrib/dnsmasq/README.md
index 9286baf5..d7944046 100644
--- a/contrib/dnsmasq/README.md
+++ b/contrib/dnsmasq/README.md
@@ -29,9 +29,9 @@ Configuration arguments can be provided at the command line. Check the dnsmasq [
 | flag     | description | example |
 |----------|-------------|---------|
 | --dhcp-range | Enable DHCP, lease given range | `172.18,0.50,172.18.0.99`, `192.168.1.1,proxy,255.255.255.0` |
-| --dhcp-boot | DHCP next server option | `http://bootcfg.foo:8080/boot.ipxe` |
+| --dhcp-boot | DHCP next server option | `http://matchbox.foo:8080/boot.ipxe` |
 | --enable-tftp | Enable serving from tftp-root over TFTP | NA |
-| --address | IP address for a domain name | /bootcfg.foo/172.18.0.2 |
+| --address | IP address for a domain name | /matchbox.foo/172.18.0.2 |
 
 ## ACI
 
@@ -45,7 +45,7 @@ Run `dnsmasq.aci` with rkt to run DHCP/proxyDHCP/TFTP/DNS services.
 
 DHCP+TFTP+DNS on the `metal0` bridge:
 
-    sudo rkt --insecure-options=image run dnsmasq.aci --net=metal0 -- -d -q --dhcp-range=172.18.0.50,172.18.0.99 --enable-tftp --tftp-root=/var/lib/tftpboot --dhcp-userclass=set:ipxe,iPXE --dhcp-boot=tag:#ipxe,undionly.kpxe --dhcp-boot=tag:ipxe,http://bootcfg.foo:8080/boot.ipxe --log-queries --log-dhcp --dhcp-option=3,172.18.0.1 --address=/bootcfg.foo/172.18.0.2
+    sudo rkt --insecure-options=image run dnsmasq.aci --net=metal0 -- -d -q --dhcp-range=172.18.0.50,172.18.0.99 --enable-tftp --tftp-root=/var/lib/tftpboot --dhcp-userclass=set:ipxe,iPXE --dhcp-boot=tag:#ipxe,undionly.kpxe --dhcp-boot=tag:ipxe,http://matchbox.foo:8080/boot.ipxe --log-queries --log-dhcp --dhcp-option=3,172.18.0.1 --address=/matchbox.foo/172.18.0.2
 
 ## Docker
 
@@ -59,4 +59,4 @@ Run the Docker image to run DHCP/proxyDHCP/TFTP/DNS services.
 
 DHCP+TFTP+DNS on the `docker0` bridge:
 
-    sudo docker run --rm --cap-add=NET_ADMIN quay.io/coreos/dnsmasq -d -q --dhcp-range=172.17.0.43,172.17.0.99 --enable-tftp --tftp-root=/var/lib/tftpboot --dhcp-userclass=set:ipxe,iPXE --dhcp-boot=tag:#ipxe,undionly.kpxe --dhcp-boot=tag:ipxe,http://bootcfg.foo:8080/boot.ipxe --log-queries --log-dhcp --dhcp-option=3,172.17.0.1 --address=/bootcfg.foo/172.17.0.2
+    sudo docker run --rm --cap-add=NET_ADMIN quay.io/coreos/dnsmasq -d -q --dhcp-range=172.17.0.43,172.17.0.99 --enable-tftp --tftp-root=/var/lib/tftpboot --dhcp-userclass=set:ipxe,iPXE --dhcp-boot=tag:#ipxe,undionly.kpxe --dhcp-boot=tag:ipxe,http://matchbox.foo:8080/boot.ipxe --log-queries --log-dhcp --dhcp-option=3,172.17.0.1 --address=/matchbox.foo/172.17.0.2
diff --git a/contrib/dnsmasq/docker0.conf b/contrib/dnsmasq/docker0.conf
index 4407eef2..815dfd3a 100644
--- a/contrib/dnsmasq/docker0.conf
+++ b/contrib/dnsmasq/docker0.conf
@@ -11,12 +11,13 @@ tftp-root=/var/lib/tftpboot
 
 dhcp-userclass=set:ipxe,iPXE
 dhcp-boot=tag:#ipxe,undionly.kpxe
-dhcp-boot=tag:ipxe,http://bootcfg.foo:8080/boot.ipxe
+dhcp-boot=tag:ipxe,http://matchbox.foo:8080/boot.ipxe
 
 log-queries
 log-dhcp
 
-address=/bootcfg.foo/172.17.0.2
+address=/bootcfg.foo/172.18.0.2
+address=/matchbox.foo/172.17.0.2
 address=/node1.example.com/172.17.0.21
 address=/node2.example.com/172.17.0.22
 address=/node3.example.com/172.17.0.23
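Review bot: The added `address=/bootcfg.foo/172.18.0.2` maps the old name to a 172.18.0.x address, while the removed line and every other record in this hunk use 172.17.0.x. On the docker0 bridge, `bootcfg.foo` would therefore stop resolving to the same host as `matchbox.foo`. A client still using the old name would then fail to boot, or fetch its boot configuration over plain HTTP from whatever answers at that other address. If the line is meant as a backward-compatible alias, as the unchanged `address=/bootcfg.foo/172.18.0.2` next to the new record in metal0.conf suggests, it should read `address=/bootcfg.foo/172.17.0.2`; otherwise drop it. The file continues outside the hunk.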
diff --git a/contrib/dnsmasq/metal0.conf b/contrib/dnsmasq/metal0.conf
index 8632ac6a..e72d0417 100644
--- a/contrib/dnsmasq/metal0.conf
+++ b/contrib/dnsmasq/metal0.conf
@@ -12,12 +12,13 @@ tftp-root=/var/lib/tftpboot
 
 dhcp-userclass=set:ipxe,iPXE
 dhcp-boot=tag:#ipxe,undionly.kpxe
-dhcp-boot=tag:ipxe,http://bootcfg.foo:8080/boot.ipxe
+dhcp-boot=tag:ipxe,http://matchbox.foo:8080/boot.ipxe
 
 log-queries
 log-dhcp
 
 address=/bootcfg.foo/172.18.0.2
+address=/matchbox.foo/172.18.0.2
 address=/node1.example.com/172.18.0.21
 address=/node2.example.com/172.18.0.22
 address=/node3.example.com/172.18.0.23
diff --git a/examples/README.md b/examples/README.md
index 11bad236..33d49d2f 100644
--- a/examples/README.md
+++ b/examples/README.md
@@ -1,7 +1,7 @@
 
 # Examples
 
-These examples network boot and provision machines into CoreOS clusters using `bootcfg`. You can re-use their profiles to provision your own physical machines.
+These examples network boot and provision machines into CoreOS clusters using `matchbox`. You can re-use their profiles to provision your own physical machines.
 
 | Name       | Description | CoreOS Version | FS | Docs | 
 |------------|-------------|----------------|----|-----------|
@@ -22,11 +22,11 @@ These examples network boot and provision machines into CoreOS clusters using `b
 
 ## Tutorials
 
-Get started running `bootcfg` on your Linux machine to network boot and provision clusters of VMs or physical hardware.
+Get started running `matchbox` on your Linux machine to network boot and provision clusters of VMs or physical hardware.
 
 * Getting Started
-	* [bootcfg with rkt](../Documentation/getting-started-rkt.md)
-	* [bootcfg with Docker](../Documentation/getting-started-docker.md)
+	* [matchbox with rkt](../Documentation/getting-started-rkt.md)
+	* [matchbox with Docker](../Documentation/getting-started-docker.md)
 * [Kubernetes (static manifests)](../Documentation/kubernetes.md)
 * [Kubernetes (rktnetes)](../Documentation/rktnetes.md)
 * [Kubernetes (self-hosted)](../Documentation/bootkube.md)
@@ -41,7 +41,7 @@ Example profiles pass the `coreos.autologin` kernel argument. This skips the pas
 
 Example groups allow `ssh_authorized_keys` to be added for the `core` user as metadata. You might also include this directly in your Ignition.
 
-    # /var/lib/bootcfg/groups/default.json
+    # /var/lib/matchbox/groups/default.json
     {
         "name": "Example Machine Group",
         "profile": "pxe",
diff --git a/examples/etc/bootcfg/.gitignore b/examples/etc/matchbox/.gitignore
similarity index 100%
rename from examples/etc/bootcfg/.gitignore
rename to examples/etc/matchbox/.gitignore
diff --git a/examples/etc/bootcfg/README.md b/examples/etc/matchbox/README.md
similarity index 77%
rename from examples/etc/bootcfg/README.md
rename to examples/etc/matchbox/README.md
index 18eb65e4..d18238e1 100644
--- a/examples/etc/bootcfg/README.md
+++ b/examples/etc/matchbox/README.md
@@ -1,21 +1,21 @@
 
 ## gRPC API Credentials
 
-Create FAKE TLS credentials for running the `bootcfg` gRPC API examples.
+Create FAKE TLS credentials for running the `matchbox` gRPC API examples.
 
-**DO NOT** use these certificates for anything other than running `bootcfg` examples. Use your organization's production PKI for production deployments.
+**DO NOT** use these certificates for anything other than running `matchbox` examples. Use your organization's production PKI for production deployments.
 
-Navigate to the example directory which will be mounted as `/etc/bootcfg` in examples:
+Navigate to the example directory which will be mounted as `/etc/matchbox` in examples:
 
-    cd coreos-baremetal/examples/etc/bootcfg
+    cd coreos-baremetal/examples/etc/matchbox
 
-Set certificate subject alt names which should be used by exporting `SAN`. Use the DNS name or IP at which `bootcfg` is hosted.
+Set certificate subject alt names which should be used by exporting `SAN`. Use the DNS name or IP at which `matchbox` is hosted.
 
     # for examples on metal0 or docker0 bridges
     export SAN=IP.1:127.0.0.1,IP.2:172.18.0.2
 
     # production example
-    export SAN=DNS.1:bootcfg.example.com
+    export SAN=DNS.1:matchbox.example.com
 
 Create a fake `ca.crt`, `server.crt`, `server.key`, `client.crt`, and `client.key`. Type 'Y' when prompted.
 
diff --git a/examples/etc/bootcfg/cert-gen b/examples/etc/matchbox/cert-gen
similarity index 93%
rename from examples/etc/bootcfg/cert-gen
rename to examples/etc/matchbox/cert-gen
index 69a97fa2..bec366da 100755
--- a/examples/etc/bootcfg/cert-gen
+++ b/examples/etc/matchbox/cert-gen
@@ -5,7 +5,7 @@ rm -f ca.key ca.crt server.key server.csr server.crt client.key client.csr clien
 rm -rf certs crl newcerts
 
 if [ -z $SAN ]
-  then echo "Set SAN with a DNS or IP for bootcfg (e.g. export SAN=DNS.1:bootcfg.example.com,IP.1:192.168.1.42)."
+  then echo "Set SAN with a DNS or IP for matchbox (e.g. export SAN=DNS.1:matchbox.example.com,IP.1:192.168.1.42)."
   exit 1
 fi
 
diff --git a/examples/etc/bootcfg/openssl.conf b/examples/etc/matchbox/openssl.conf
similarity index 100%
rename from examples/etc/bootcfg/openssl.conf
rename to examples/etc/matchbox/openssl.conf
diff --git a/examples/groups/bootkube-install/install.json b/examples/groups/bootkube-install/install.json
index dc5b59da..7bd0460e 100644
--- a/examples/groups/bootkube-install/install.json
+++ b/examples/groups/bootkube-install/install.json
@@ -5,7 +5,7 @@
   "metadata": {
     "coreos_channel": "stable",
     "coreos_version": "1185.3.0",
-    "ignition_endpoint": "http://bootcfg.foo:8080/ignition",
-    "baseurl": "http://bootcfg.foo:8080/assets/coreos"
+    "ignition_endpoint": "http://matchbox.foo:8080/ignition",
+    "baseurl": "http://matchbox.foo:8080/assets/coreos"
   }
 }
diff --git a/examples/groups/etcd-install/install.json b/examples/groups/etcd-install/install.json
index dc5b59da..7bd0460e 100644
--- a/examples/groups/etcd-install/install.json
+++ b/examples/groups/etcd-install/install.json
@@ -5,7 +5,7 @@
   "metadata": {
     "coreos_channel": "stable",
     "coreos_version": "1185.3.0",
-    "ignition_endpoint": "http://bootcfg.foo:8080/ignition",
-    "baseurl": "http://bootcfg.foo:8080/assets/coreos"
+    "ignition_endpoint": "http://matchbox.foo:8080/ignition",
+    "baseurl": "http://matchbox.foo:8080/assets/coreos"
   }
 }
diff --git a/examples/groups/etcd3-install/install.json b/examples/groups/etcd3-install/install.json
index dc5b59da..7bd0460e 100644
--- a/examples/groups/etcd3-install/install.json
+++ b/examples/groups/etcd3-install/install.json
@@ -5,7 +5,7 @@
   "metadata": {
     "coreos_channel": "stable",
     "coreos_version": "1185.3.0",
-    "ignition_endpoint": "http://bootcfg.foo:8080/ignition",
-    "baseurl": "http://bootcfg.foo:8080/assets/coreos"
+    "ignition_endpoint": "http://matchbox.foo:8080/ignition",
+    "baseurl": "http://matchbox.foo:8080/assets/coreos"
   }
 }
diff --git a/examples/groups/k8s-install/install.json b/examples/groups/k8s-install/install.json
index dc5b59da..7bd0460e 100644
--- a/examples/groups/k8s-install/install.json
+++ b/examples/groups/k8s-install/install.json
@@ -5,7 +5,7 @@
   "metadata": {
     "coreos_channel": "stable",
     "coreos_version": "1185.3.0",
-    "ignition_endpoint": "http://bootcfg.foo:8080/ignition",
-    "baseurl": "http://bootcfg.foo:8080/assets/coreos"
+    "ignition_endpoint": "http://matchbox.foo:8080/ignition",
+    "baseurl": "http://matchbox.foo:8080/assets/coreos"
   }
 }
diff --git a/examples/groups/k8s-install/node1.json b/examples/groups/k8s-install/node1.json
index 05f34b43..ee8a4399 100644
--- a/examples/groups/k8s-install/node1.json
+++ b/examples/groups/k8s-install/node1.json
@@ -11,7 +11,7 @@
     "domain_name": "node1.example.com",
     "etcd_initial_cluster": "node1=http://node1.example.com:2380",
     "etcd_name": "node1",
-    "k8s_cert_endpoint": "http://bootcfg.foo:8080/assets",
+    "k8s_cert_endpoint": "http://matchbox.foo:8080/assets",
     "k8s_dns_service_ip": "10.3.0.10",
     "k8s_etcd_endpoints": "http://node1.example.com:2379",
     "k8s_pod_network": "10.2.0.0/16",
diff --git a/examples/groups/k8s-install/node2.json b/examples/groups/k8s-install/node2.json
index 5ee0ccc8..ec2b8e19 100644
--- a/examples/groups/k8s-install/node2.json
+++ b/examples/groups/k8s-install/node2.json
@@ -10,7 +10,7 @@
     "container_runtime": "docker",
     "domain_name": "node2.example.com",
     "etcd_initial_cluster": "node1=http://node1.example.com:2380",
-    "k8s_cert_endpoint": "http://bootcfg.foo:8080/assets",
+    "k8s_cert_endpoint": "http://matchbox.foo:8080/assets",
     "k8s_controller_endpoint": "https://node1.example.com",
     "k8s_dns_service_ip": "10.3.0.10",
     "k8s_etcd_endpoints": "http://node1.example.com:2379"
diff --git a/examples/groups/k8s-install/node3.json b/examples/groups/k8s-install/node3.json
index 75816f0c..334f9029 100644
--- a/examples/groups/k8s-install/node3.json
+++ b/examples/groups/k8s-install/node3.json
@@ -10,7 +10,7 @@
     "container_runtime": "docker",
     "domain_name": "node3.example.com",
     "etcd_initial_cluster": "node1=http://node1.example.com:2380",
-    "k8s_cert_endpoint": "http://bootcfg.foo:8080/assets",
+    "k8s_cert_endpoint": "http://matchbox.foo:8080/assets",
     "k8s_controller_endpoint": "https://node1.example.com",
     "k8s_dns_service_ip": "10.3.0.10",
     "k8s_etcd_endpoints": "http://node1.example.com:2379"
diff --git a/examples/groups/k8s/node1.json b/examples/groups/k8s/node1.json
index 54d896c8..2d3e1424 100644
--- a/examples/groups/k8s/node1.json
+++ b/examples/groups/k8s/node1.json
@@ -10,7 +10,7 @@
     "domain_name": "node1.example.com",
     "etcd_initial_cluster": "node1=http://node1.example.com:2380",
     "etcd_name": "node1",
-    "k8s_cert_endpoint": "http://bootcfg.foo:8080/assets",
+    "k8s_cert_endpoint": "http://matchbox.foo:8080/assets",
     "k8s_dns_service_ip": "10.3.0.10",
     "k8s_etcd_endpoints": "http://node1.example.com:2379",
     "k8s_pod_network": "10.2.0.0/16",
diff --git a/examples/groups/k8s/node2.json b/examples/groups/k8s/node2.json
index 24463542..032ca8e2 100644
--- a/examples/groups/k8s/node2.json
+++ b/examples/groups/k8s/node2.json
@@ -9,7 +9,7 @@
     "container_runtime": "docker",
     "domain_name": "node2.example.com",
     "etcd_initial_cluster": "node1=http://node1.example.com:2380",
-    "k8s_cert_endpoint": "http://bootcfg.foo:8080/assets",
+    "k8s_cert_endpoint": "http://matchbox.foo:8080/assets",
     "k8s_controller_endpoint": "https://node1.example.com",
     "k8s_dns_service_ip": "10.3.0.10",
     "k8s_etcd_endpoints": "http://node1.example.com:2379",
diff --git a/examples/groups/k8s/node3.json b/examples/groups/k8s/node3.json
index 0e33cac5..386f9380 100644
--- a/examples/groups/k8s/node3.json
+++ b/examples/groups/k8s/node3.json
@@ -9,7 +9,7 @@
     "container_runtime": "docker",
     "domain_name": "node3.example.com",
     "etcd_initial_cluster": "node1=http://node1.example.com:2380",
-    "k8s_cert_endpoint": "http://bootcfg.foo:8080/assets",
+    "k8s_cert_endpoint": "http://matchbox.foo:8080/assets",
     "k8s_controller_endpoint": "https://node1.example.com",
     "k8s_dns_service_ip": "10.3.0.10",
     "k8s_etcd_endpoints": "http://node1.example.com:2379",
diff --git a/examples/groups/rktnetes-install/install.json b/examples/groups/rktnetes-install/install.json
index dc5b59da..7bd0460e 100644
--- a/examples/groups/rktnetes-install/install.json
+++ b/examples/groups/rktnetes-install/install.json
@@ -5,7 +5,7 @@
   "metadata": {
     "coreos_channel": "stable",
     "coreos_version": "1185.3.0",
-    "ignition_endpoint": "http://bootcfg.foo:8080/ignition",
-    "baseurl": "http://bootcfg.foo:8080/assets/coreos"
+    "ignition_endpoint": "http://matchbox.foo:8080/ignition",
+    "baseurl": "http://matchbox.foo:8080/assets/coreos"
   }
 }
diff --git a/examples/groups/rktnetes-install/node1.json b/examples/groups/rktnetes-install/node1.json
index 865226e3..07ad5f10 100644
--- a/examples/groups/rktnetes-install/node1.json
+++ b/examples/groups/rktnetes-install/node1.json
@@ -11,7 +11,7 @@
     "domain_name": "node1.example.com",
     "etcd_initial_cluster": "node1=http://node1.example.com:2380",
     "etcd_name": "node1",
-    "k8s_cert_endpoint": "http://bootcfg.foo:8080/assets",
+    "k8s_cert_endpoint": "http://matchbox.foo:8080/assets",
     "k8s_dns_service_ip": "10.3.0.10",
     "k8s_etcd_endpoints": "http://node1.example.com:2379",
     "k8s_pod_network": "10.2.0.0/16",
diff --git a/examples/groups/rktnetes-install/node2.json b/examples/groups/rktnetes-install/node2.json
index d460338e..9e64c681 100644
--- a/examples/groups/rktnetes-install/node2.json
+++ b/examples/groups/rktnetes-install/node2.json
@@ -10,7 +10,7 @@
     "container_runtime": "rkt",
     "domain_name": "node2.example.com",
     "etcd_initial_cluster": "node1=http://node1.example.com:2380",
-    "k8s_cert_endpoint": "http://bootcfg.foo:8080/assets",
+    "k8s_cert_endpoint": "http://matchbox.foo:8080/assets",
     "k8s_controller_endpoint": "https://node1.example.com",
     "k8s_dns_service_ip": "10.3.0.10",
     "k8s_etcd_endpoints": "http://node1.example.com:2379"
diff --git a/examples/groups/rktnetes-install/node3.json b/examples/groups/rktnetes-install/node3.json
index a7d31039..278f690b 100644
--- a/examples/groups/rktnetes-install/node3.json
+++ b/examples/groups/rktnetes-install/node3.json
@@ -10,7 +10,7 @@
     "container_runtime": "rkt",
     "domain_name": "node3.example.com",
     "etcd_initial_cluster": "node1=http://node1.example.com:2380",
-    "k8s_cert_endpoint": "http://bootcfg.foo:8080/assets",
+    "k8s_cert_endpoint": "http://matchbox.foo:8080/assets",
     "k8s_controller_endpoint": "https://node1.example.com",
     "k8s_dns_service_ip": "10.3.0.10",
     "k8s_etcd_endpoints": "http://node1.example.com:2379"
diff --git a/examples/groups/rktnetes/node1.json b/examples/groups/rktnetes/node1.json
index 998068d2..bec546f1 100644
--- a/examples/groups/rktnetes/node1.json
+++ b/examples/groups/rktnetes/node1.json
@@ -10,7 +10,7 @@
     "domain_name": "node1.example.com",
     "etcd_initial_cluster": "node1=http://node1.example.com:2380",
     "etcd_name": "node1",
-    "k8s_cert_endpoint": "http://bootcfg.foo:8080/assets",
+    "k8s_cert_endpoint": "http://matchbox.foo:8080/assets",
     "k8s_dns_service_ip": "10.3.0.10",
     "k8s_etcd_endpoints": "http://node1.example.com:2379",
     "k8s_pod_network": "10.2.0.0/16",
diff --git a/examples/groups/rktnetes/node2.json b/examples/groups/rktnetes/node2.json
index a21bea4b..a18046bb 100644
--- a/examples/groups/rktnetes/node2.json
+++ b/examples/groups/rktnetes/node2.json
@@ -9,7 +9,7 @@
     "container_runtime": "rkt",
     "domain_name": "node2.example.com",
     "etcd_initial_cluster": "node1=http://node1.example.com:2380",
-    "k8s_cert_endpoint": "http://bootcfg.foo:8080/assets",
+    "k8s_cert_endpoint": "http://matchbox.foo:8080/assets",
     "k8s_controller_endpoint": "https://node1.example.com",
     "k8s_dns_service_ip": "10.3.0.10",
     "k8s_etcd_endpoints": "http://node1.example.com:2379",
diff --git a/examples/groups/rktnetes/node3.json b/examples/groups/rktnetes/node3.json
index 31fe2af8..2f73e156 100644
--- a/examples/groups/rktnetes/node3.json
+++ b/examples/groups/rktnetes/node3.json
@@ -9,7 +9,7 @@
     "container_runtime": "rkt",
     "domain_name": "node3.example.com",
     "etcd_initial_cluster": "node1=http://node1.example.com:2380",
-    "k8s_cert_endpoint": "http://bootcfg.foo:8080/assets",
+    "k8s_cert_endpoint": "http://matchbox.foo:8080/assets",
     "k8s_controller_endpoint": "https://node1.example.com",
     "k8s_dns_service_ip": "10.3.0.10",
     "k8s_etcd_endpoints": "http://node1.example.com:2379",
diff --git a/examples/groups/simple-install/install.json b/examples/groups/simple-install/install.json
index cac6003f..06ced88c 100644
--- a/examples/groups/simple-install/install.json
+++ b/examples/groups/simple-install/install.json
@@ -5,7 +5,7 @@
   "metadata": {
     "coreos_channel": "stable",
     "coreos_version": "1185.3.0",
-    "ignition_endpoint": "http://bootcfg.foo:8080/ignition",
-    "baseurl": "http://bootcfg.foo:8080/assets/coreos"
+    "ignition_endpoint": "http://matchbox.foo:8080/ignition",
+    "baseurl": "http://matchbox.foo:8080/assets/coreos"
   }
 }
diff --git a/examples/profiles/bootkube-controller.json b/examples/profiles/bootkube-controller.json
index eca4ea38..0f3c43df 100644
--- a/examples/profiles/bootkube-controller.json
+++ b/examples/profiles/bootkube-controller.json
@@ -6,7 +6,7 @@
     "initrd": ["/assets/coreos/1185.3.0/coreos_production_pxe_image.cpio.gz"],
     "args": [
       "root=/dev/sda1",
-      "coreos.config.url=http://bootcfg.foo:8080/ignition?uuid=${uuid}&mac=${net0/mac:hexhyp}",
+      "coreos.config.url=http://matchbox.foo:8080/ignition?uuid=${uuid}&mac=${net0/mac:hexhyp}",
       "coreos.first_boot=yes",
       "console=tty0",
       "console=ttyS0",
diff --git a/examples/profiles/bootkube-worker.json b/examples/profiles/bootkube-worker.json
index 4a5470ad..8ef6ad47 100644
--- a/examples/profiles/bootkube-worker.json
+++ b/examples/profiles/bootkube-worker.json
@@ -6,7 +6,7 @@
     "initrd": ["/assets/coreos/1185.3.0/coreos_production_pxe_image.cpio.gz"],
     "args": [
       "root=/dev/sda1",
-      "coreos.config.url=http://bootcfg.foo:8080/ignition?uuid=${uuid}&mac=${net0/mac:hexhyp}",
+      "coreos.config.url=http://matchbox.foo:8080/ignition?uuid=${uuid}&mac=${net0/mac:hexhyp}",
       "coreos.first_boot=yes",
       "console=tty0",
       "console=ttyS0",
diff --git a/examples/profiles/etcd-proxy.json b/examples/profiles/etcd-proxy.json
index c1f15395..683cbea4 100644
--- a/examples/profiles/etcd-proxy.json
+++ b/examples/profiles/etcd-proxy.json
@@ -5,7 +5,7 @@
     "kernel": "/assets/coreos/1185.3.0/coreos_production_pxe.vmlinuz",
     "initrd": ["/assets/coreos/1185.3.0/coreos_production_pxe_image.cpio.gz"],
     "args": [
-      "coreos.config.url=http://bootcfg.foo:8080/ignition?uuid=${uuid}&mac=${net0/mac:hexhyp}",
+      "coreos.config.url=http://matchbox.foo:8080/ignition?uuid=${uuid}&mac=${net0/mac:hexhyp}",
       "coreos.first_boot=yes",
       "console=tty0",
       "console=ttyS0",
diff --git a/examples/profiles/etcd.json b/examples/profiles/etcd.json
index 53407e56..ab2b1d31 100644
--- a/examples/profiles/etcd.json
+++ b/examples/profiles/etcd.json
@@ -5,7 +5,7 @@
     "kernel": "/assets/coreos/1185.3.0/coreos_production_pxe.vmlinuz",
     "initrd": ["/assets/coreos/1185.3.0/coreos_production_pxe_image.cpio.gz"],
     "args": [
-      "coreos.config.url=http://bootcfg.foo:8080/ignition?uuid=${uuid}&mac=${net0/mac:hexhyp}",
+      "coreos.config.url=http://matchbox.foo:8080/ignition?uuid=${uuid}&mac=${net0/mac:hexhyp}",
       "coreos.first_boot=yes",
       "console=tty0",
       "console=ttyS0",
diff --git a/examples/profiles/etcd3-proxy.json b/examples/profiles/etcd3-proxy.json
index dc456b2c..b4f970d8 100644
--- a/examples/profiles/etcd3-proxy.json
+++ b/examples/profiles/etcd3-proxy.json
@@ -5,7 +5,7 @@
     "kernel": "/assets/coreos/1185.3.0/coreos_production_pxe.vmlinuz",
     "initrd": ["/assets/coreos/1185.3.0/coreos_production_pxe_image.cpio.gz"],
     "args": [
-      "coreos.config.url=http://bootcfg.foo:8080/ignition?uuid=${uuid}&mac=${net0/mac:hexhyp}",
+      "coreos.config.url=http://matchbox.foo:8080/ignition?uuid=${uuid}&mac=${net0/mac:hexhyp}",
       "coreos.first_boot=yes",
       "console=tty0",
       "console=ttyS0",
diff --git a/examples/profiles/etcd3.json b/examples/profiles/etcd3.json
index dc5a7b61..063c4fb6 100644
--- a/examples/profiles/etcd3.json
+++ b/examples/profiles/etcd3.json
@@ -5,7 +5,7 @@
     "kernel": "/assets/coreos/1185.3.0/coreos_production_pxe.vmlinuz",
     "initrd": ["/assets/coreos/1185.3.0/coreos_production_pxe_image.cpio.gz"],
     "args": [
-      "coreos.config.url=http://bootcfg.foo:8080/ignition?uuid=${uuid}&mac=${net0/mac:hexhyp}",
+      "coreos.config.url=http://matchbox.foo:8080/ignition?uuid=${uuid}&mac=${net0/mac:hexhyp}",
       "coreos.first_boot=yes",
       "console=tty0",
       "console=ttyS0",
diff --git a/examples/profiles/grub.json b/examples/profiles/grub.json
index 11778c1c..bbd4db08 100644
--- a/examples/profiles/grub.json
+++ b/examples/profiles/grub.json
@@ -2,10 +2,10 @@
   "id": "grub",
   "name": "CoreOS via GRUB2",
   "boot": {
-    "kernel": "(http;bootcfg.foo:8080)/assets/coreos/1185.3.0/coreos_production_pxe.vmlinuz",
-    "initrd": ["(http;bootcfg.foo:8080)/assets/coreos/1185.3.0/coreos_production_pxe_image.cpio.gz"],
+    "kernel": "(http;matchbox.foo:8080)/assets/coreos/1185.3.0/coreos_production_pxe.vmlinuz",
+    "initrd": ["(http;matchbox.foo:8080)/assets/coreos/1185.3.0/coreos_production_pxe_image.cpio.gz"],
     "args": [
-      "coreos.config.url=http://bootcfg.foo:8080/ignition",
+      "coreos.config.url=http://matchbox.foo:8080/ignition",
       "coreos.first_boot=yes",
       "console=tty0",
       "console=ttyS0",
diff --git a/examples/profiles/install-reboot.json b/examples/profiles/install-reboot.json
index f90c44bd..7bca6aa6 100644
--- a/examples/profiles/install-reboot.json
+++ b/examples/profiles/install-reboot.json
@@ -5,7 +5,7 @@
     "kernel": "/assets/coreos/1185.3.0/coreos_production_pxe.vmlinuz",
     "initrd": ["/assets/coreos/1185.3.0/coreos_production_pxe_image.cpio.gz"],
     "args": [
-      "coreos.config.url=http://bootcfg.foo:8080/ignition?uuid=${uuid}&mac=${net0/mac:hexhyp}",
+      "coreos.config.url=http://matchbox.foo:8080/ignition?uuid=${uuid}&mac=${net0/mac:hexhyp}",
       "coreos.first_boot=yes",
       "console=tty0",
       "console=ttyS0",
diff --git a/examples/profiles/install-shutdown.json b/examples/profiles/install-shutdown.json
index 153206a9..6ac2c508 100644
--- a/examples/profiles/install-shutdown.json
+++ b/examples/profiles/install-shutdown.json
@@ -5,7 +5,7 @@
     "kernel": "/assets/coreos/1185.3.0/coreos_production_pxe.vmlinuz",
     "initrd": ["/assets/coreos/1185.3.0/coreos_production_pxe_image.cpio.gz"],
     "args": [
-      "coreos.config.url=http://bootcfg.foo:8080/ignition?uuid=${uuid}&mac=${net0/mac:hexhyp}",
+      "coreos.config.url=http://matchbox.foo:8080/ignition?uuid=${uuid}&mac=${net0/mac:hexhyp}",
       "coreos.first_boot=yes",
       "console=tty0",
       "console=ttyS0",
diff --git a/examples/profiles/k8s-controller.json b/examples/profiles/k8s-controller.json
index 9a378a1a..c6404003 100644
--- a/examples/profiles/k8s-controller.json
+++ b/examples/profiles/k8s-controller.json
@@ -6,7 +6,7 @@
     "initrd": ["/assets/coreos/1185.3.0/coreos_production_pxe_image.cpio.gz"],
     "args": [
       "root=/dev/sda1",
-      "coreos.config.url=http://bootcfg.foo:8080/ignition?uuid=${uuid}&mac=${net0/mac:hexhyp}",
+      "coreos.config.url=http://matchbox.foo:8080/ignition?uuid=${uuid}&mac=${net0/mac:hexhyp}",
       "coreos.first_boot=yes",
       "console=tty0",
       "console=ttyS0",
diff --git a/examples/profiles/k8s-worker.json b/examples/profiles/k8s-worker.json
index 2eae088c..cc2c26dd 100644
--- a/examples/profiles/k8s-worker.json
+++ b/examples/profiles/k8s-worker.json
@@ -6,7 +6,7 @@
     "initrd": ["/assets/coreos/1185.3.0/coreos_production_pxe_image.cpio.gz"],
     "args": [
       "root=/dev/sda1",
-      "coreos.config.url=http://bootcfg.foo:8080/ignition?uuid=${uuid}&mac=${net0/mac:hexhyp}",
+      "coreos.config.url=http://matchbox.foo:8080/ignition?uuid=${uuid}&mac=${net0/mac:hexhyp}",
       "coreos.first_boot=yes",
       "console=tty0",
       "console=ttyS0",
diff --git a/examples/profiles/simple-install.json b/examples/profiles/simple-install.json
index 77a9d5c6..a11545bf 100644
--- a/examples/profiles/simple-install.json
+++ b/examples/profiles/simple-install.json
@@ -5,7 +5,7 @@
     "kernel": "/assets/coreos/1185.3.0/coreos_production_pxe.vmlinuz",
     "initrd": ["/assets/coreos/1185.3.0/coreos_production_pxe_image.cpio.gz"],
     "args": [
-      "coreos.config.url=http://bootcfg.foo:8080/ignition?uuid=${uuid}&mac=${net0/mac:hexhyp}",
+      "coreos.config.url=http://matchbox.foo:8080/ignition?uuid=${uuid}&mac=${net0/mac:hexhyp}",
       "coreos.first_boot=yes",
       "console=tty0",
       "console=ttyS0",
diff --git a/examples/profiles/simple.json b/examples/profiles/simple.json
index c5dea8a1..22d1590a 100644
--- a/examples/profiles/simple.json
+++ b/examples/profiles/simple.json
@@ -5,7 +5,7 @@
 		"kernel": "/assets/coreos/1185.3.0/coreos_production_pxe.vmlinuz",
 		"initrd": ["/assets/coreos/1185.3.0/coreos_production_pxe_image.cpio.gz"],
 		"args": [
-			"coreos.config.url=http://bootcfg.foo:8080/ignition?uuid=${uuid}&mac=${net0/mac:hexhyp}",
+			"coreos.config.url=http://matchbox.foo:8080/ignition?uuid=${uuid}&mac=${net0/mac:hexhyp}",
 			"coreos.first_boot=yes",
 			"console=tty0",
 			"console=ttyS0",
diff --git a/examples/profiles/torus.json b/examples/profiles/torus.json
index 86175f7d..bb032c1c 100644
--- a/examples/profiles/torus.json
+++ b/examples/profiles/torus.json
@@ -6,7 +6,7 @@
     "initrd": ["/assets/coreos/1185.3.0/coreos_production_pxe_image.cpio.gz"],
     "args": [
       "root=/dev/sda1",
-      "coreos.config.url=http://bootcfg.foo:8080/ignition?uuid=${uuid}&mac=${net0/mac:hexhyp}",
+      "coreos.config.url=http://matchbox.foo:8080/ignition?uuid=${uuid}&mac=${net0/mac:hexhyp}",
       "coreos.first_boot=yes",
       "console=tty0",
       "console=ttyS0",
diff --git a/mkdocs.yml b/mkdocs.yml
index 7ae6f079..4eb5cc11 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -15,14 +15,14 @@ extra:
 pages:
   - Home: 'index.md'
   - Tutorials:
-    - 'bootcfg with rkt': 'getting-started-rkt.md'
-    - 'bootcfg with docker': 'getting-started-docker.md'
+    - 'matchbox with rkt': 'getting-started-rkt.md'
+    - 'matchbox with docker': 'getting-started-docker.md'
   - Guides:
     - 'Network Setup': 'network-setup.md'
     - 'Machine Lifecycle': 'machine-lifecycle.md'
     - 'Background: PXE Booting': 'network-booting.md'
   - Installation: 'deployment.md'
-  - bootcfg Service: 'bootcfg.md'
+  - matchbox Service: 'matchbox.md'
   - Machine Configs:
     - 'Ignition': 'ignition.md'
     - 'Cloud-Config': 'cloud-config.md'
diff --git a/scripts/devnet b/scripts/devnet
index be34e7a1..f0f11041 100755
--- a/scripts/devnet
+++ b/scripts/devnet
@@ -1,5 +1,5 @@
 #!/bin/bash
-# Create a virtual bridge with PXE services and bootcfg
+# Create a virtual bridge with PXE services and matchbox
 # USAGE: ./scripts/devnet create [example]
 # USAGE: ./scripts/devnet destroy
 set -u
@@ -35,7 +35,7 @@ function main {
 function usage {
   echo "USAGE: ${0##*/} "
   echo "Commands:"
-  echo -e "\tcreate\tcreate bootcfg and PXE services on the bridge"
+  echo -e "\tcreate\tcreate matchbox and PXE services on the bridge"
   echo -e "\tdestroy\tdestroy the services on the bridge"
 }
 
@@ -55,33 +55,33 @@ function create {
   check
 
   if [ -z "$EXAMPLE" ]; then
-    echo "Starting bootcfg"
+    echo "Starting matchbox"
   else
-    echo "Starting bootcfg configured to boot $EXAMPLE"
+    echo "Starting matchbox configured to boot $EXAMPLE"
   fi
 
   if [ -z "$EXAMPLE" ]; then
     # Mount a data volume with assets and enable gRPC
     BOOTCFG_ARGS="-rpc-address=0.0.0.0:8081"
     DATA_MOUNT="--volume data,kind=host,source=$(mktemp -d) \
-    --mount volume=assets,target=/var/lib/bootcfg/assets \
+    --mount volume=assets,target=/var/lib/matchbox/assets \
     --volume assets,kind=host,source=$PWD/examples/assets,readOnly=true"
   else
     # Mount the given EXAMPLE
     DATA_MOUNT="--volume data,kind=host,source=$PWD/examples \
-    --mount volume=groups,target=/var/lib/bootcfg/groups \
+    --mount volume=groups,target=/var/lib/matchbox/groups \
     --volume groups,kind=host,source=$DIR/../examples/groups/$EXAMPLE"
   fi
 
-  systemd-run --unit=dev-bootcfg \
+  systemd-run --unit=dev-matchbox \
     rkt run \
-    --uuid-file-save=/tmp/bootcfg \
+    --uuid-file-save=/tmp/matchbox \
     --net=metal0:IP=172.18.0.2 \
-    --mount volume=config,target=/etc/bootcfg \
-    --volume config,kind=host,source=$PWD/examples/etc/bootcfg,readOnly=true \
-    --mount volume=data,target=/var/lib/bootcfg \
+    --mount volume=config,target=/etc/matchbox \
+    --volume config,kind=host,source=$PWD/examples/etc/matchbox,readOnly=true \
+    --mount volume=data,target=/var/lib/matchbox \
     $DATA_MOUNT \
-    quay.io/coreos/bootcfg:latest -- -address=0.0.0.0:8080 -log-level=debug $BOOTCFG_ARGS
+    quay.io/coreos/matchbox:latest -- -address=0.0.0.0:8080 -log-level=debug $BOOTCFG_ARGS
 
   echo "Starting dnsmasq to provide DHCP/TFTP/DNS services"
   systemd-run --unit=dev-dnsmasq \
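Review bot: The pod UUID is saved to a fixed name in a world-writable directory, `--uuid-file-save=/tmp/matchbox`, and `destroy` (last hunk of this file) later hands whatever that file contains to `rkt stop --force` and `rkt rm`. These commands presumably run as root, so another local user could pre-create or symlink that path; a root-owned location such as `--uuid-file-save=/run/dev-matchbox.uuid`, with the same path in `destroy`, avoids this. Separately, `BOOTCFG_ARGS` keeps the old name and is assigned only in the first branch, so under `set -u` the `$EXAMPLE` path would stop on an unbound variable unless it is initialised above this hunk; `MATCHBOX_ARGS=""` before the `if` would cover both. `create` starts and ends outside this hunk.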
@@ -94,11 +94,11 @@ function create {
 }
 
 function destroy {
-  rkt stop --uuid-file=/tmp/bootcfg --force
-  rkt rm --uuid-file=/tmp/bootcfg
+  rkt stop --uuid-file=/tmp/matchbox --force
+  rkt rm --uuid-file=/tmp/matchbox
   rkt stop --uuid-file=/tmp/dnsmasq --force
   rkt rm --uuid-file=/tmp/dnsmasq
-  systemctl reset-failed dev-bootcfg
+  systemctl reset-failed dev-matchbox
   systemctl reset-failed dev-dnsmasq
 }
 
diff --git a/scripts/release-files b/scripts/release-files
index b66dbd3a..2824a155 100755
--- a/scripts/release-files
+++ b/scripts/release-files
@@ -18,9 +18,9 @@ cp README.md $DEST
 # scripts
 mkdir -p $SCRIPTS/tls
 cp scripts/get-coreos $SCRIPTS
-cp examples/etc/bootcfg/README.md $SCRIPTS/tls
-cp examples/etc/bootcfg/cert-gen $SCRIPTS/tls
-cp examples/etc/bootcfg/openssl.conf $SCRIPTS/tls
+cp examples/etc/matchbox/README.md $SCRIPTS/tls
+cp examples/etc/matchbox/cert-gen $SCRIPTS/tls
+cp examples/etc/matchbox/openssl.conf $SCRIPTS/tls
 
 # systemd
 mkdir -p $CONTRIB/systemd
diff --git a/scripts/tls/kube-conf b/scripts/tls/kube-conf
index 2376d899..a51bbd0b 100755
--- a/scripts/tls/kube-conf
+++ b/scripts/tls/kube-conf
@@ -33,20 +33,20 @@ cat << EOF > $DEST/kubeconfig
 apiVersion: v1
 kind: Config
 users:
-- name: bootcfg-user
+- name: matchbox-user
   user:
     client-certificate-data: ${ADMIN_CERT_BASE64}
     client-key-data: ${ADMIN_KEY_BASE64}
 clusters:
-- name: bootcfg-cluster
+- name: matchbox-cluster
   cluster:
     certificate-authority-data: ${CA_CERT_BASE64}
     server: https://${MASTER_IP}:443
 contexts:
 - context:
-    cluster: bootcfg-cluster
-    user: bootcfg-user
-  name: bootcfg-context
-current-context: bootcfg-context
+    cluster: matchbox-cluster
+    user: matchbox-user
+  name: matchbox-context
+current-context: matchbox-context
 EOF
 echo "Wrote kubeconfig to $DEST/kubeconfig"
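Review bot: The heredoc writes `client-key-data: ${ADMIN_KEY_BASE64}` into `$DEST/kubeconfig`, and nothing in this hunk restricts the file's mode, so the admin client key is stored with whatever the caller's umask allows. Unless a restrictive umask is set above the hunk, add `chmod 600 "$DEST/kubeconfig"` right after `EOF`, or `umask 077` before the `cat`. `$DEST` is also unquoted in the redirect shown in the hunk header, so a destination containing spaces would break the write; `> "$DEST/kubeconfig"` is safer. The script starts outside this hunk.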