Add v0.9.1 release notes and update docs

* Deprecate rendering Container Linux Configs * Use tools like [poseidon/ct](https://github.com/poseidon/terraform-provider-ct) or [butane](https://coreos.github.io/butane/getting-started/) to validate and convert a Butane Config (`focs` or `flatcar`) to Ignition (for Matchbox to serve) * Please migrate to serving CoreOS Ignition directly, the Container Linux related HTTP and gRPC endpoints will be removed in future
Update README and poseidon/matchbox provider in examples
2026-03-03 03:14:51 +00:00 · 2022-08-01 09:06:24 -07:00 · 2022-07-31 18:21:02 -07:00 · 2022-07-29 22:12:20 -07:00 · 2022-07-29 22:08:49 -07:00 · 2022-07-29 19:01:36 -07:00
814 changed files with 4424 additions and 204828 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,2 +1,3 @@
-*
-!bin/matchbox
+bin/
+_output/
+
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,36 @@
+---
+name: Bug report
+about: Report a bug to improve the project
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+<!-- READ: Issues are used to receive focused bug reports from users and to track planned future enhancements by the authors. Topics like support, debugging help, advice, and operation are out of scope and should not use issues-->
+
+**Description**
+
+A clear and concise description of what the bug is.
+
+**Steps to Reproduce**
+
+Provide clear steps to reproduce the bug.
+
+- [ ] Relevant error messages if appropriate (concise, not a dump of everything).
+
+**Expected behavior**
+
+A clear and concise description of what you expected to happen.
+
+**Environment**
+
+* OS: fedora-coreos, flatcar-linux (include release version)
+* Release: Matchbox version or Git SHA (reporting latest is **not** helpful)
+
+**Possible Solution**
+
+<!-- Most bug reports should have some inkling about solutions. Otherwise, your report may be less of a bug and more of a support request (see top).-->
+
+Link to a PR or description.
+
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1,5 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Security
+    url: https://typhoon.psdn.io/topics/security/
+    about: Report security vulnerabilities
--- a/.github/dependabot.yaml
+++ b/.github/dependabot.yaml
@@ -0,0 +1,23 @@
+version: 2
+updates:
+- package-ecosystem: gomod
+  directory: "/"
+  schedule:
+    interval: daily
+  pull-request-branch-name:
+    separator: "-"
+  open-pull-requests-limit: 3
+- package-ecosystem: docker
+  directory: "/"
+  schedule:
+    interval: daily
+  pull-request-branch-name:
+    separator: "-"
+  open-pull-requests-limit: 3
+- package-ecosystem: pip
+  directory: "/"
+  schedule:
+    interval: weekly
+  pull-request-branch-name:
+    separator: "-"
+  open-pull-requests-limit: 3
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -0,0 +1,26 @@
+name: test
+on:
+  push:
+jobs:
+  build:
+    name: go
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        go: ['1.17', '1.18']
+    steps:
+      - name: setup
+        uses: actions/setup-go@v3
+        with:
+          go-version: ${{matrix.go}}
+
+      - name: checkout
+        uses: actions/checkout@v3
+
+      - name: tools
+        run: go install golang.org/x/lint/golint@latest
+
+      - name: test
+        run: make
+
--- a/.gitignore
+++ b/.gitignore
@@ -32,5 +32,4 @@ bin/
 _output/
 tools/
 contrib/registry/data
-
-terraform.tfvars
+contrib/rpm/*.tar.gz
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,24 +0,0 @@
-language: go
-sudo: required
-services:
-  - docker
-go:
-  - 1.7.4
-  - 1.8
-  - tip
-matrix:
-  allow_failures:
-    - go: tip
-install:
-  - go get github.com/golang/lint/golint
-script:
-  - make test
-deploy:
-  provider: script
-  script: scripts/travis-docker-push
-  skip_cleanup: true
-  on:
-    branch: master
-    go: '1.8'
-notifications:
-  email: change
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,9 +1,113 @@
-# matchbox
+# Matchbox

 Notable changes between releases.

 ## Latest

+## v0.9.1
+
+* Add dependabot Go module update automation ([#833](https://github.com/poseidon/matchbox/pull/833))
+* Build multi-arch container images (amd64, arm64) ([#823](https://github.com/poseidon/matchbox/pull/823))
+* Update Go version (v1.18.4) and alpine base image (v3.16.1)
+* Move `dnsmasq` container image to its own [repo](https://github.com/poseidon/dnsmasq) ([#840](https://github.com/poseidon/matchbox/pull/840))
+* Deprecate rendering Container Linux Configs
+  * Please migrate to serving CoreOS Ignition directly
+  * Use tools like [poseidon/ct](https://github.com/poseidon/terraform-provider-ct) or [butane](https://coreos.github.io/butane/getting-started/) to validate and convert a Butane Config (`focs` or `flatcar`) to Ignition (for Matchbox to serve)
+
+### Docs/Examples
+
+* Migrate docs website to GitHub Pages ([#976](https://github.com/poseidon/matchbox/pull/976))
+* Update Fedora CoreOS images and configuration ([#972](https://github.com/poseidon/matchbox/pull/972))
+* Update Fedora CoreOS initrd karg for UEFI ([#978](https://github.com/poseidon/matchbox/pull/978))
+* Update Flatcar Linux examples to use Ignition v3.3.0 ([#980](https://github.com/poseidon/matchbox/pull/980))
+
+## v0.9.0
+
+* Refresh docs and examples for Fedora CoreOS and Flatcar Linux ([#815](https://github.com/poseidon/matchbox/pull/815), [#816](https://github.com/poseidon/matchbox/pull/816))
+* Update Kubernetes manifest examples ([#791](https://github.com/poseidon/matchbox/pull/791), [#817](https://github.com/poseidon/matchbox/pull/817))
+* Update Matchbox container image publishing ([#795](https://github.com/poseidon/matchbox/pull/795))
+  * Publish Matchbox images from internal infra to Quay (`quay.io/poseidon/matchbox`)
+  * Update Go version from v1.13.4 to v1.14.9
+  * Update base image from `alpine:3.10` to `alpine:3.12` ([#784](https://github.com/poseidon/matchbox/pull/784))
+* Include `contrib/k8s` in release tarballs ([#788](https://github.com/poseidon/matchbox/pull/788))
+* Remove outdated systemd units ([#817](https://github.com/poseidon/matchbox/pull/817))
+* Remove RPM spec file (Copr publishing stopped in v0.6)
+
+## v0.8.3
+
+* Publish docs to [https://matchbox.psdn.io](https://matchbox.psdn.io/) ([#769](https://github.com/poseidon/matchbox/pull/769))
+* Update Go version from v1.11.7 to v1.13.4 ([#766](https://github.com/poseidon/matchbox/pull/766), [#770](https://github.com/poseidon/matchbox/pull/770))
+* Update container image base from `alpine:3.9` to `alpine:3.10` ([#761](https://github.com/poseidon/matchbox/pull/761))
+* Include `get-fedora-coreos` convenience script ([#763](https://github.com/poseidon/matchbox/pull/763))
+* Remove Kubernetes provisioning examples ([#759](https://github.com/poseidon/matchbox/pull/759))
+* Remove rkt tutorials and docs ([#765](https://github.com/poseidon/matchbox/pull/765))
+
+## v0.8.1 - v0.8.2
+
+Releases `v0.8.1` and `v0.8.2` were not built cleanly
+
+* Release tags and container images have been removed
+* Caused by go get golint (module-aware) mutating `go.mod` on Travis (see [#775](https://github.com/poseidon/matchbox/pull/775), [#777](https://github.com/poseidon/matchbox/pull/777))
+
+## v0.8.0
+
+* Transfer Matchbox repo from coreos to poseidon GitHub Org
+* Publish container images at [quay.io/poseidon/matchbox](https://quay.io/repository/poseidon/matchbox)
+* Build Matchbox with Go v1.11.7 for images and binaries
+* Update container image base from alpine:3.6 to alpine:3.9
+* Render Container Linux Configs as Ignition v2.2.0
+* Validate raw Ignition configs with the v2.2 spec (warn-only)
+  * Fix warnings that v2.2 configs are too new
+
+Note: Release signing key [has changed](https://github.com/poseidon/matchbox/blob/v0.8.0/Documentation/deployment.md) with the project move.
+
+### Examples
+
+* Update Kubernetes example clusters to v1.14.1 (Terraform-based)
+
+## v0.7.1 (2018-11-01)
+
+* Add `kernel_args` variable to the terraform bootkube-install cluster definition
+* Add `get-flatcar` helper script
+* Add optional TLS support to read-only HTTP API
+* Build Matchbox with Go 1.11.1 for images and binaries
+
+### Examples
+
+* Upgrade Kubernetes example clusters to v1.10.0 (Terraform-based)
+* Upgrade Kubernetes example clusters to v1.8.5
+
+## v0.7.0 (2017-12-12)
+
+* Add gRPC API endpoints for managing generic (experimental) templates
+* Update Container Linux config transpiler to v0.5.0
+* Update Ignition to v0.19.0, render v2.1.0 Ignition configs
+* Drop support for Container Linux versions below 1465.0.0 (breaking)
+* Build Matchbox with Go 1.8.5 for images and binaries
+* Remove Profile `Cmdline` map (deprecated in v0.5.0), use `Args` slice instead
+* Remove pixiecore support (deprecated in v0.5.0)
+* Remove `ContextHandler`, `ContextHandlerFunc`, and `NewHandler` from the `matchbox/http` package.
+
+### Examples / Modules
+
+* Upgrade Kubernetes example clusters to v1.8.4
+* Kubernetes examples clusters enable etcd TLS
+* Deploy the Container Linux Update Operator (CLUO) to coordinate reboots of Container Linux nodes in Kubernetes clusters. See the cluster [addon docs](Documentation/cluster-addons.md).
+* Kubernetes examples (terraform and non-terraform) mask locksmithd
+* Terraform modules `bootkube` and `profiles` (Kubernetes) mask locksmithd
+
+## v0.6.1 (2017-05-25)
+
+* Improve the installation documentation
+* Move examples/etc/matchbox/cert-gen to scripts/tls
+* Build Matchbox with Go 1.8.3 for images and binaries
+
+### Examples
+
+* Upgrade self-hosted Kubernetes cluster examples to v1.6.4
+* Add NoSchedule taint to self-hosted Kubernetes controllers
+* Remove static Kubernetes and rktnetes cluster examples
+
 ## v0.6.0 (2017-04-25)

 * New [terraform-provider-matchbox](https://github.com/coreos/terraform-provider-matchbox) plugin for Terraform users!
@@ -22,7 +126,7 @@ Notable changes between releases.
 * Use etcd3 by default in all clusters (remove etcd2 clusters)
 * Add Terraform examples for etcd3 and self-hosted Kubernetes 1.6.1

-## v0.5.0 (2017-01-23) 
+## v0.5.0 (2017-01-23)

 * Rename project to CoreOS `matchbox`!
 * Add Profile `args` field to list kernel args
@@ -104,7 +208,7 @@ Notable changes between releases.
    * Allow Fuze YAML template files for Ignition 2.0.0 (#141)
    * Stop requiring Ignition templates to use file extensions (#176)
 * Logging Improvements:
-    * Add structured loggging with Logrus (#254, #268)
+    * Add structured logging with Logrus (#254, #268)
    * Log requests for bootcfg assets (#214)
    * Show `bootcfg` message at the home path `/`
    * Fix http package log messages (#173)
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,77 +1,5 @@
-# How to Contribute
+# Contributing

-CoreOS projects are [Apache 2.0 licensed](LICENSE) and accept contributions via
-GitHub pull requests.  This document outlines some of the conventions on
-development workflow, commit message formatting, contact points and other
-resources to make it easier to get your contribution accepted.
+## Developer Certificate of Origin

-# Certificate of Origin
-
-By contributing to this project you agree to the Developer Certificate of
-Origin (DCO). This document was created by the Linux Kernel community and is a
-simple statement that you, as a contributor, have the legal right to make the
-contribution. See the [DCO](DCO) file for details.
-
-# Email and Chat
-
-The project currently uses the general CoreOS email list and IRC channel:
- Email: [coreos-dev](https://groups.google.com/forum/#!forum/coreos-dev)
- IRC: #[coreos](irc://irc.freenode.org:6667/#coreos) IRC channel on freenode.org
-
-Please avoid emailing maintainers found in the MAINTAINERS file directly. They
-are very busy and read the mailing lists.
-
-## Getting Started
-
- Fork the repository on GitHub
- Read the [README](README.md) for build and test instructions
- Play with the project, submit bugs, submit patches!
-
-## Contribution Flow
-
-This is a rough outline of what a contributor's workflow looks like:
-
- Create a topic branch from where you want to base your work (usually master).
- Make commits of logical units.
- Make sure your commit messages are in the proper format (see below).
- Push your changes to a topic branch in your fork of the repository.
- Make sure the tests pass, and add any new tests as appropriate.
- Submit a pull request to the original repository.
-
-Thanks for your contributions!
-
-### Coding Style
-
-CoreOS projects written in Go follow a set of style guidelines that we've documented 
-[here](https://github.com/coreos/docs/tree/master/golang). Please follow them when 
-working on your contributions.
-
-### Format of the Commit Message
-
-We follow a rough convention for commit messages that is designed to answer two
-questions: what changed and why. The subject line should feature the what and
-the body of the commit should describe the why.
-
-```
-scripts: add the test-cluster command
-
-this uses tmux to setup a test cluster that you can easily kill and
-start for debugging.
-
-Fixes #38
-```
-
-The format can be described more formally as follows:
-
-```
-<subsystem>: <what changed>
-<BLANK LINE>
-<why this change was made>
-<BLANK LINE>
-<footer>
-```
-
-The first line is the subject and should be no longer than 70 characters, the
-second line is always blank, and other lines should be wrapped at 80 characters.
-This allows the message to be easier to read on GitHub as well as in various
-git tools.
+By contributing, you agree to the Linux Foundation's Developer Certificate of Origin ([DCO](DCO)). The DCO is a statement that you, the contributor, have the legal right to make your contribution and understand the contribution will be distributed as part of this project.
--- a/10
+++ b/10
@@ -1,5 +1,9 @@
-FROM alpine:3.5
-MAINTAINER Dalton Hubble <dalton.hubble@coreos.com>
-COPY bin/matchbox /matchbox
+FROM docker.io/golang:1.18.4 AS builder
+COPY . src
+RUN cd src && make build
+
+FROM docker.io/alpine:3.16.1
+LABEL maintainer="Dalton Hubble <dghubble@gmail.com>"
+COPY --from=builder /go/src/bin/matchbox /matchbox
 EXPOSE 8080
 ENTRYPOINT ["/matchbox"]
--- a/Documentation/bootkube-upgrades.md
+++ b/Documentation/bootkube-upgrades.md
@@ -1,203 +0,0 @@
-
-# Upgrading self-hosted Kubernetes
-
-[Self-hosted](bootkube.md) Kubernetes clusters schedule Kubernetes components such as the apiserver, kubelet, scheduler, and controller-manager as pods like other applications (except with node selectors). This allows Kubernetes level operations to be performed to upgrade clusters in place, rather than by re-provisioning.
-
-Let's upgrade a self-hosted Kubernetes v1.4.1 cluster to v1.4.3 as an example.
-
-## Inspect
-
-Show the control plane daemonsets and deployments which will need to be updated.
-
-```sh
-$ kubectl get daemonsets -n=kube-system
-NAME             DESIRED   CURRENT   NODE-SELECTOR   AGE
-kube-apiserver   1         1         master=true     5m
-kube-proxy       3         3         <none>          5m
-kubelet          3         3         <none>          5m
-
-$ kubectl get deployments -n=kube-system
-NAME                      DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
-kube-controller-manager   1         1         1            1           5m
-kube-dns-v20              1         1         1            1           5m
-kube-scheduler            1         1         1            1           5m
-```
-
-Check the current Kubernetes version.
-
-```sh
-$ kubectl version
-Client Version: version.Info{Major:"1", Minor:"4", GitVersion:"v1.4.0", GitCommit:"a16c0a7f71a6f93c7e0f222d961f4675cd97a46b", GitTreeState:"clean", BuildDate:"2016-09-26T18:16:57Z", GoVersion:"go1.6.3", Compiler:"gc", Platform:"linux/amd64"}
-Server Version: version.Info{Major:"1", Minor:"4", GitVersion:"v1.4.1+coreos.0", GitCommit:"b7a02f46b972c5211e5c04fdb1d5b86ac16c00eb", GitTreeState:"clean", BuildDate:"2016-10-11T20:13:55Z", GoVersion:"go1.6.3", Compiler:"gc", Platform:"linux/amd64"}
-```
-
-In this case, Kubernetes is `v1.4.1+coreos.0` and our goal is to upgrade to `v1.4.3+coreos.0`. First, update the control plane pods. Then the kubelets and proxies on all nodes.
-
-**Tip**: Follow along with a QEMU/KVM self-hosted Kubernetes cluster the first time, before upgrading your production bare-metal clusters ([tutorial](bootkube.md)).
-
-## Control Plane
-
-### kube-apiserver
-
-Edit the kube-apiserver daemonset. Change the container image name to `quay.io/coreos/hyperkube:v1.4.3_coreos.0`.
-
-```sh
-$ kubectl edit daemonset kube-apiserver -n=kube-system
-```
-
-Since daemonsets don't yet support rolling, manually delete each apiserver one by one and wait for each to be re-scheduled.
-
-```sh
-$ kubectl get pods -n=kube-system
-# WARNING: Self-hosted Kubernetes is still new and this may fail
-$ kubectl delete pod kube-apiserver-s62kb -n=kube-system
-```
-
-If you only have one, your cluster will be temporarily unavailable. Remember the Hyperkube image is quite large and this can take a minute.
-
-```sh
-$ kubectl get pods -n=kube-system
-NAME                                       READY     STATUS    RESTARTS   AGE
-kube-api-checkpoint-node1.example.com      1/1       Running   0          12m
-kube-apiserver-vyg3t                       2/2       Running   0          2m
-kube-controller-manager-1510822774-qebia   1/1       Running   2          12m
-kube-dns-v20-3531996453-0tlv9              3/3       Running   0          12m
-kube-proxy-8jthl                           1/1       Running   0          12m
-kube-proxy-bnvgy                           1/1       Running   0          12m
-kube-proxy-gkyx8                           1/1       Running   0          12m
-kube-scheduler-2099299605-67ezp            1/1       Running   2          12m
-kubelet-exe5k                              1/1       Running   0          12m
-kubelet-p3g98                              1/1       Running   0          12m
-kubelet-quhhg                              1/1       Running   0          12m
-```
-
-### kube-scheduler
-
-Edit the scheduler deployment to rolling update the scheduler. Change the container image name for the hyperkube.
-
-```sh
-$ kubectl edit deployments kube-scheduler -n=kube-system
-```
-
-Wait for the schduler to be deployed.
-
-### kube-controller-manager
-
-Edit the controller-manager deployment to rolling update the controller manager. Change the container image name for the hyperkube.
-
-```sh
-$ kubectl edit deployments kube-controller-manager -n=kube-system
-```
-
-Wait for the controller manager to be deployed.
-
-```sh
-$ kubectl get pods -n=kube-system
-NAME                                       READY     STATUS    RESTARTS   AGE
-kube-api-checkpoint-node1.example.com      1/1       Running   0          28m
-kube-apiserver-vyg3t                       2/2       Running   0          18m
-kube-controller-manager-1709527928-zj8c4   1/1       Running   0          4m
-kube-dns-v20-3531996453-0tlv9              3/3       Running   0          28m
-kube-proxy-8jthl                           1/1       Running   0          28m
-kube-proxy-bnvgy                           1/1       Running   0          28m
-kube-proxy-gkyx8                           1/1       Running   0          28m
-kube-scheduler-2255275287-hti6w            1/1       Running   0          6m
-kubelet-exe5k                              1/1       Running   0          28m
-kubelet-p3g98                              1/1       Running   0          28m
-kubelet-quhhg                              1/1       Running   0          28m
-```
-
-### Verify
-
-At this point, the control plane components have been upgraded to v1.4.3.
-
-```sh
-$ kubectl version
-Client Version: version.Info{Major:"1", Minor:"4", GitVersion:"v1.4.0", GitCommit:"a16c0a7f71a6f93c7e0f222d961f4675cd97a46b", GitTreeState:"clean", BuildDate:"2016-09-26T18:16:57Z", GoVersion:"go1.6.3", Compiler:"gc", Platform:"linux/amd64"}
-Server Version: version.Info{Major:"1", Minor:"4", GitVersion:"v1.4.3+coreos.0", GitCommit:"7819c84f25e8c661321ee80d6b9fa5f4ff06676f", GitTreeState:"clean", BuildDate:"2016-10-17T21:19:17Z", GoVersion:"go1.6.3", Compiler:"gc", Platform:"linux/amd64"}
-```
-
-Finally, upgrade the kubelets and kube-proxies.
-
-## kubelet and kube-proxy
-
-Show the current kubelet and kube-proxy version on each node.
-
-```sh
-$ kubectl get nodes -o yaml | grep 'kubeletVersion\|kubeProxyVersion'
-    kubeProxyVersion: v1.4.1+coreos.0
-    kubeletVersion: v1.4.1+coreos.0
-    kubeProxyVersion: v1.4.1+coreos.0
-    kubeletVersion: v1.4.1+coreos.0
-    kubeProxyVersion: v1.4.1+coreos.0
-    kubeletVersion: v1.4.1+coreos.0
-```
-
-Edit the kubelet and kube-proxy daemonsets. Change the container image name for the hyperkube.
-
-```sh
-$ kubectl edit daemonset kubelet -n=kube-system
-$ kubectl edit daemonset kube-proxy -n=kube-system
-```
-
-Since daemonsets don't yet support rolling, manually delete each kubelet and each kube-proxy. The daemonset controller will create new (upgraded) replics.
-
-```sh
-$ kubectl get pods -n=kube-system
-$ kubectl delete pod kubelet-quhhg
-...repeat
-$ kubectl delete pod kube-proxy-8jthl -n=kube-system
-...repeat
-
-$ kubectl get pods -n=kube-system
-NAME                                       READY     STATUS    RESTARTS   AGE
-kube-api-checkpoint-node1.example.com      1/1       Running   0          1h
-kube-apiserver-vyg3t                       2/2       Running   0          1h
-kube-controller-manager-1709527928-zj8c4   1/1       Running   0          47m
-kube-dns-v20-3531996453-0tlv9              3/3       Running   0          1h
-kube-proxy-6dbne                           1/1       Running   0          1s
-kube-proxy-sm4jv                           1/1       Running   0          8s
-kube-proxy-xmuao                           1/1       Running   0          14s
-kube-scheduler-2255275287-hti6w            1/1       Running   0          49m
-kubelet-hfdwr                              1/1       Running   0          38s
-kubelet-oia47                              1/1       Running   0          52s
-kubelet-s6dab                              1/1       Running   0          59s
-```
-
-## Verify
-
-Verify that the kubelet and kube-proxy on each node have been upgraded.
-
-```sh
-$ kubectl get nodes -o yaml | grep 'kubeletVersion\|kubeProxyVersion'
-      kubeProxyVersion: v1.4.3+coreos.0
-      kubeletVersion: v1.4.3+coreos.0
-      kubeProxyVersion: v1.4.3+coreos.0
-      kubeletVersion: v1.4.3+coreos.0
-      kubeProxyVersion: v1.4.3+coreos.0
-      kubeletVersion: v1.4.3+coreos.0
-```
-
-Now, Kubernetes components have been upgraded to a new version of Kubernetes!
-
-## Going further
-
-Bare-metal or virtualized self-hosted Kubernetes clusters can be upgraded in place in 5-10 minutes. Here is a bare-metal example:
-
-```sh
-$ kubectl -n=kube-system get pods
-NAME                                       READY     STATUS    RESTARTS   AGE
-kube-api-checkpoint-ibm0.lab.dghubble.io   1/1       Running   0          2d
-kube-apiserver-j6atn                       2/2       Running   0          5m
-kube-controller-manager-1709527928-y05n5   1/1       Running   0          1m
-kube-dns-v20-3531996453-zwbl8              3/3       Running   0          2d
-kube-proxy-e49p5                           1/1       Running   0          14s
-kube-proxy-eu5dc                           1/1       Running   0          8s
-kube-proxy-gjrzq                           1/1       Running   0          3s
-kube-scheduler-2255275287-96n56            1/1       Running   0          2m
-kubelet-9ob0e                              1/1       Running   0          19s
-kubelet-bvwp0                              1/1       Running   0          14s
-kubelet-xlrql                              1/1       Running   0          24s
-```
-
-Check upstream for updates to addons like `kube-dns` or `kube-dashboard` and update them like any other applications. Some kube-system components use version labels and you may wish to clean those up as well.
--- a/Documentation/bootkube.md
+++ b/Documentation/bootkube.md
@@ -1,126 +0,0 @@
-# Self-hosted Kubernetes
-
-The self-hosted Kubernetes example provisions a 3 node "self-hosted" Kubernetes v1.6.1 cluster. On-host kubelets wait for an apiserver to become reachable, then yield to kubelet pods scheduled via daemonset. [bootkube](https://github.com/kubernetes-incubator/bootkube) is run on any controller to bootstrap a temporary apiserver which schedules control plane components as pods before exiting. An etcd cluster backs Kubernetes and coordinates CoreOS auto-updates (enabled for disk installs).
-
-## Requirements
-
-Ensure that you've gone through the [matchbox with rkt](getting-started-rkt.md) or [matchbox with docker](getting-started-docker.md) guide and understand the basics. In particular, you should be able to:
-
-* Use rkt or Docker to start `matchbox`
-* Create a network boot environment with `coreos/dnsmasq`
-* Create the example libvirt client VMs
-* `/etc/hosts` entries for `node[1-3].example.com` (or pass custom names to `k8s-certgen`)
-
-Install [bootkube](https://github.com/kubernetes-incubator/bootkube/releases) v0.4.0 and add it somewhere on your PATH.
-
-```sh
-$ bootkube version
-Version: v0.4.0
-```
-
-## Examples
-
-The [examples](../examples) statically assign IP addresses to libvirt client VMs created by `scripts/libvirt`. The examples can be used for physical machines if you update the MAC addresses. See [network setup](network-setup.md) and [deployment](deployment.md).
-
-* [bootkube](../examples/groups/bootkube) - iPXE boot a self-hosted Kubernetes cluster
-* [bootkube-install](../examples/groups/bootkube-install) - Install a self-hosted Kubernetes cluster
-
-## Assets
-
-Download the CoreOS image assets referenced in the target [profile](../examples/profiles).
-
-```sh
-$ ./scripts/get-coreos stable 1298.7.0 ./examples/assets
-```
-
-Add your SSH public key to each machine group definition [as shown](../examples/README.md#ssh-keys).
-
-```json
-{
-    "profile": "bootkube-worker",
-    "metadata": {
-        "ssh_authorized_keys": ["ssh-rsa pub-key-goes-here"]
-    }
-}
-```
-
-Use the `bootkube` tool to render Kubernetes manifests and credentials into an `--asset-dir`. Later, `bootkube` will schedule these manifests during bootstrapping and the credentials will be used to access your cluster.
-
-```sh
-$ bootkube render --asset-dir=assets --api-servers=https://node1.example.com:443 --api-server-alt-names=DNS=node1.example.com
-```
-
-## Containers
-
-Use rkt or docker to start `matchbox` and mount the desired example resources. Create a network boot environment and power-on your machines. Revisit [matchbox with rkt](getting-started-rkt.md) or [matchbox with Docker](getting-started-docker.md) for help.
-
-Client machines should boot and provision themselves. Local client VMs should network boot CoreOS and become available via SSH in about 1 minute. If you chose `bootkube-install`, notice that machines install CoreOS and then reboot (in libvirt, you must hit "power" again). Time to network boot and provision physical hardware depends on a number of factors (POST duration, boot device iteration, network speed, etc.).
-
-## bootkube
-
-We're ready to use bootkube to create a temporary control plane and bootstrap a self-hosted Kubernetes cluster.
-
-Secure copy the `kubeconfig` to `/etc/kubernetes/kubeconfig` on **every** node which will path activate the `kubelet.service`.
-
-```bash
-for node in 'node1' 'node2' 'node3'; do
-    scp assets/auth/kubeconfig core@$node.example.com:/home/core/kubeconfig
-    ssh core@$node.example.com 'sudo mv kubeconfig /etc/kubernetes/kubeconfig'
-done
-```
-
-Secure copy the `bootkube` generated assets to any controller node and run `bootkube-start`.
-
-```sh
-$ scp -r assets core@node1.example.com:/home/core
-$ ssh core@node1.example.com 'sudo mv assets /opt/bootkube/assets && sudo systemctl start bootkube'
-```
-
-Optionally watch the Kubernetes control plane bootstrapping with the bootkube temporary api-server. You will see quite a bit of output.
-
-```sh
-$ ssh core@node1.example.com 'journalctl -f -u bootkube'
-[  299.241291] bootkube[5]:     Pod Status:     kube-api-checkpoint     Running
-[  299.241618] bootkube[5]:     Pod Status:          kube-apiserver     Running
-[  299.241804] bootkube[5]:     Pod Status:          kube-scheduler     Running
-[  299.241993] bootkube[5]:     Pod Status: kube-controller-manager     Running
-[  299.311743] bootkube[5]: All self-hosted control plane components successfully started
-```
-
-You may cleanup the `bootkube` assets on the node, but you should keep the copy on your laptop. It contains a `kubeconfig` used to access the cluster.
-
-## Verify
-
-[Install kubectl](https://coreos.com/kubernetes/docs/latest/configure-kubectl.html) on your laptop. Use the generated kubeconfig to access the Kubernetes cluster. Verify that the cluster is accessible and that the kubelet, apiserver, scheduler, and controller-manager are running as pods.
-
-```sh
-$ KUBECONFIG=assets/auth/kubeconfig
-$ kubectl get nodes
-NAME                STATUS    AGE
-node1.example.com   Ready     3m
-node2.example.com   Ready     3m
-node3.example.com   Ready     3m
-
-$ kubectl get pods --all-namespaces
-NAMESPACE     NAME                                       READY     STATUS    RESTARTS   AGE
-kube-system   checkpoint-installer-p8g8r                 1/1       Running   1          13m
-kube-system   kube-apiserver-s5gnx                       1/1       Running   1          41s
-kube-system   kube-controller-manager-3438979800-jrlnd   1/1       Running   1          13m
-kube-system   kube-controller-manager-3438979800-tkjx7   1/1       Running   1          13m
-kube-system   kube-dns-4101612645-xt55f                  4/4       Running   4          13m
-kube-system   kube-flannel-pl5c2                         2/2       Running   0          13m
-kube-system   kube-flannel-r9t5r                         2/2       Running   3          13m
-kube-system   kube-flannel-vfb0s                         2/2       Running   4          13m
-kube-system   kube-proxy-cvhmj                           1/1       Running   0          13m
-kube-system   kube-proxy-hf9mh                           1/1       Running   1          13m
-kube-system   kube-proxy-kpl73                           1/1       Running   1          13m
-kube-system   kube-scheduler-694795526-1l23b             1/1       Running   1          13m
-kube-system   kube-scheduler-694795526-fks0b             1/1       Running   1          13m
-kube-system   pod-checkpointer-node1.example.com         1/1       Running   2          10m
-```
-
-Try deleting pods to see that the cluster is resilient to failures and machine restarts (CoreOS auto-updates).
-
-## Going further
-
-[Learn](bootkube-upgrades.md) to upgrade a self-hosted Kubernetes cluster.
--- a/Documentation/deployment.md
+++ b/Documentation/deployment.md
@@ -1,309 +0,0 @@
-# Installation
-
-This guide walks through deploying the `matchbox` service on a Linux host (via RPM, rkt, docker, or binary) or on a Kubernetes cluster.
-
-## Provisoner
-
-`matchbox` is a service for network booting and provisioning machines to create Container Linux clusters. `matchbox` should be installed on a provisioner machine (CoreOS or any Linux distribution) or cluster (Kubernetes) which can serve configs to client machines in a lab or datacenter.
-
-Choose one of the supported installation options:
-
-* [CoreOS (rkt)](#coreos)
-* [RPM-based](#rpm-based-distro)
-* [Generic Linux (binary)](#generic-linux)
-* [With rkt](#rkt)
-* [With docker](#docker)
-* [Kubernetes Service](#kubernetes)
-
-## Download
-
-Download the latest matchbox [release](https://github.com/coreos/matchbox/releases) to the provisioner host.
-
-```sh
-$ wget https://github.com/coreos/matchbox/releases/download/v0.6.0/matchbox-v0.6.0-linux-amd64.tar.gz
-$ wget https://github.com/coreos/matchbox/releases/download/v0.6.0/matchbox-v0.6.0-linux-amd64.tar.gz.asc
-```
-
-Verify the release has been signed by the [CoreOS App Signing Key](https://coreos.com/security/app-signing-key/).
-
-```sh
-$ gpg --keyserver pgp.mit.edu --recv-key 18AD5014C99EF7E3BA5F6CE950BDD3E0FC8A365E
-$ gpg --verify matchbox-v0.6.0-linux-amd64.tar.gz.asc matchbox-v0.6.0-linux-amd64.tar.gz
-# gpg: Good signature from "CoreOS Application Signing Key <security@coreos.com>"
-```
-
-Untar the release.
-
-```sh
-$ tar xzvf matchbox-v0.6.0-linux-amd64.tar.gz
-$ cd matchbox-v0.6.0-linux-amd64
-```
-
-## Install
-
-### RPM-based distro
-
-On an RPM-based provisioner, install the `matchbox` RPM from the Copr [repository](https://copr.fedorainfracloud.org/coprs/g/CoreOS/matchbox/) using `dnf` or `yum`.
-
-```sh
-dnf copr enable @CoreOS/matchbox
-dnf install matchbox
-```
-
-### CoreOS
-
-On a CoreOS provisioner, rkt run `matchbox` image with the provided systemd unit.
-
-```sh
-$ sudo cp contrib/systemd/matchbox-on-coreos.service /etc/systemd/system/matchbox.service
-```
-
-### Generic Linux
-
-Pre-built binaries are available for generic Linux distributions. Copy the `matchbox` static binary to an appropriate location on the host.
-
-```sh
-$ sudo cp matchbox /usr/local/bin
-```
-
-#### Set up User/Group
-
-The `matchbox` service should be run by a non-root user with access to the `matchbox` data directory (`/var/lib/matchbox`). Create a `matchbox` user and group.
-
-```sh
-$ sudo useradd -U matchbox
-$ sudo mkdir -p /var/lib/matchbox/assets
-$ sudo chown -R matchbox:matchbox /var/lib/matchbox
-```
-
-#### Create systemd service
-
-Copy the provided `matchbox` systemd unit file.
-
-```sh
-$ sudo cp contrib/systemd/matchbox-local.service /etc/systemd/system/
-```
-
-## Customization
-
-Customize matchbox by editing the systemd unit or adding a systemd dropin. Find the complete set of `matchbox` flags and environment variables at [config](config.md).
-
-```sh
-$ sudo systemctl edit matchbox
-```
-
-By default, the read-only HTTP machine endpoint will be exposed on port **8080**.
-
-```ini
-# /etc/systemd/system/matchbox.service.d/override.conf
-[Service]
-Environment="MATCHBOX_ADDRESS=0.0.0.0:8080"
-Environment="MATCHBOX_LOG_LEVEL=debug"
-```
-
-A common customization is enabling the gRPC API to allow clients with a TLS client certificate to change machine configs.
-
-```ini
-# /etc/systemd/system/matchbox.service.d/override.conf
-[Service]
-Environment="MATCHBOX_ADDRESS=0.0.0.0:8080"
-Environment="MATCHBOX_RPC_ADDRESS=0.0.0.0:8081"
-```
-
-The Tectonic [Installer](https://tectonic.com/enterprise/docs/latest/install/bare-metal/index.html) uses this API. Tectonic users with a CoreOS provisioner can start with an example that enables it.
-
-```sh
-$ sudo cp contrib/systemd/matchbox-for-tectonic.service /etc/systemd/system/matchbox.service
-```
-
-Customize `matchbox` to suit your preferences.
-
-## Firewall
-
-Allow your port choices on the provisioner's firewall so the clients can access the service. Here are the commands for those using `firewalld`:
-
-```sh
-$ sudo firewall-cmd --zone=MYZONE --add-port=8080/tcp --permanent
-$ sudo firewall-cmd --zone=MYZONE --add-port=8081/tcp --permanent
-```
-
-## Generate TLS credentials
-
-*Skip this unless you need to enable the gRPC API*
-
-The `matchbox` gRPC API allows client apps (terraform-provider-matchbox, Tectonic Installer, etc.) to update how machines are provisioned. TLS credentials are needed for client authentication and to establish a secure communication channel. Client machines (those PXE booting) read from the HTTP endpoints and do not require this setup.
-
-If your organization manages public key infrastructure and a certificate authority, create a server certificate and key for the `matchbox` service and a client certificate and key for each client tool.
-
-Otherwise, generate a self-signed `ca.crt`, a server certificate  (`server.crt`, `server.key`), and client credentials (`client.crt`, `client.key`) with the `examples/etc/matchbox/cert-gen` script. Export the DNS name or IP (discouraged) of the provisioner host.
-
-```sh
-$ cd examples/etc/matchbox
-# DNS or IP Subject Alt Names where matchbox can be reached
-$ export SAN=DNS.1:matchbox.example.com,IP.1:192.168.1.42
-$ ./cert-gen
-```
-
-Place the TLS credentials in the default location:
-
-```sh
-$ sudo mkdir -p /etc/matchbox
-$ sudo cp ca.crt server.crt server.key /etc/matchbox/
-```
-
-Save `client.crt`, `client.key`, and `ca.crt` to use with a client tool later.
-
-## Start matchbox
-
-Start the `matchbox` service and enable it if you'd like it to start on every boot.
-
-```sh
-$ sudo systemctl daemon-reload
-$ sudo systemctl start matchbox
-$ sudo systemctl enable matchbox
-```
-
-## Verify
-
-Verify the matchbox service is running and can be reached by client machines (those being provisioned).
-
-```sh
-$ systemctl status matchbox
-$ dig matchbox.example.com
-```
-
-Verify you receive a response from the HTTP and API endpoints.
-
-```sh
-$ curl http://matchbox.example.com:8080
-matchbox
-```
-
-If you enabled the gRPC API,
-
-```sh
-$ openssl s_client -connect matchbox.example.com:8081 -CAfile /etc/matchbox/ca.crt -cert examples/etc/matchbox/client.crt -key examples/etc/matchbox/client.key
-CONNECTED(00000003)
-depth=1 CN = fake-ca
-verify return:1
-depth=0 CN = fake-server
-verify return:1
---
-Certificate chain
- 0 s:/CN=fake-server
-   i:/CN=fake-ca
---
-....
-```
-
-## Download CoreOS (optional)
-
-`matchbox` can serve CoreOS images in development or lab environments to reduce bandwidth usage and increase the speed of CoreOS PXE boots and installs to disk.
-
-Download a recent CoreOS [release](https://coreos.com/releases/) with signatures.
-
-```sh
-$ ./scripts/get-coreos stable 1298.7.0 .     # note the "." 3rd argument
-```
-
-Move the images to `/var/lib/matchbox/assets`,
-
-```sh
-$ sudo cp -r coreos /var/lib/matchbox/assets
-```
-
-```
-/var/lib/matchbox/assets/
-├── coreos
-│   └── 1298.7.0
-│       ├── CoreOS_Image_Signing_Key.asc
-│       ├── coreos_production_image.bin.bz2
-│       ├── coreos_production_image.bin.bz2.sig
-│       ├── coreos_production_pxe_image.cpio.gz
-│       ├── coreos_production_pxe_image.cpio.gz.sig
-│       ├── coreos_production_pxe.vmlinuz
-│       └── coreos_production_pxe.vmlinuz.sig
-```
-
-and verify the images are acessible.
-
-```sh
-$ curl http://matchbox.example.com:8080/assets/coreos/1298.7.0/
-<pre>...
-```
-
-For large production environments, use a cache proxy or mirror suitable for your environment to serve CoreOS images.
-
-## Network
-
-Review [network setup](https://github.com/coreos/matchbox/blob/master/Documentation/network-setup.md) with your network administrator to set up DHCP, TFTP, and DNS services on your network. At a high level, your goals are to:
-
-* Chainload PXE firmwares to iPXE
-* Point iPXE client machines to the `matchbox` iPXE HTTP endpoint `http://matchbox.example.com:8080/boot.ipxe`
-* Ensure `matchbox.example.com` resolves to your `matchbox` deployment
-
-CoreOS provides [dnsmasq](https://github.com/coreos/matchbox/tree/master/contrib/dnsmasq) as `quay.io/coreos/dnsmasq`, if you wish to use rkt or Docker.
-
-## rkt
-
-Run the container image with rkt.
-
-latest or most recent tagged `matchbox` [release](https://github.com/coreos/matchbox/releases) ACI. Trust the [CoreOS App Signing Key](https://coreos.com/security/app-signing-key/) for image signature verification.
-
-```sh
-$ sudo rkt run --net=host --mount volume=data,target=/var/lib/matchbox --volume data,kind=host,source=/var/lib/matchbox quay.io/coreos/matchbox:latest --mount volume=config,target=/etc/matchbox --volume config,kind=host,source=/etc/matchbox,readOnly=true -- -address=0.0.0.0:8080 -rpc-address=0.0.0.0:8081 -log-level=debug
-```
-
-Create machine profiles, groups, or Ignition configs by adding files to `/var/lib/matchbox`.
-
-## Docker
-
-Run the container image with docker.
-
-```sh
-sudo docker run --net=host --rm -v /var/lib/matchbox:/var/lib/matchbox:Z -v /etc/matchbox:/etc/matchbox:Z,ro quay.io/coreos/matchbox:latest -address=0.0.0.0:8080 -rpc-address=0.0.0.0:8081 -log-level=debug
-```
-
-Create machine profiles, groups, or Ignition configs by adding files to `/var/lib/matchbox`.
-
-## Kubernetes
-
-Install `matchbox` on a Kubernetes cluster by creating a deployment and service.
-
-```sh
-$ kubectl apply -f contrib/k8s/matchbox-deployment.yaml
-$ kubectl apply -f contrib/k8s/matchbox-service.yaml
-$ kubectl get services
-NAME                 CLUSTER-IP   EXTERNAL-IP   PORT(S)             AGE
-matchbox             10.3.0.145   <none>        8080/TCP,8081/TCP   46m
-```
-
-Example manifests in [contrib/k8s](../contrib/k8s) enable the gRPC API to allow client apps to update matchbox objects. Generate TLS server credentials for `matchbox-rpc.example.com` [as shown](#generate-tls-credentials) and create a Kubernetes secret. Alternately, edit the example manifests if you don't need the gRPC API enabled.
-
-```sh
-$ kubectl create secret generic matchbox-rpc --from-file=ca.crt --from-file=server.crt --from-file=server.key
-```
-
-Create an Ingress resource to expose the HTTP read-only and gRPC API endpoints. The Ingress example requires the cluster to have a functioning [Nginx Ingress Controller](https://github.com/kubernetes/ingress).
-
-```sh
-$ kubectl create -f contrib/k8s/matchbox-ingress.yaml
-$ kubectl get ingress
-NAME      HOSTS                                          ADDRESS            PORTS     AGE
-matchbox  matchbox.example.com,matchbox-rpc.example.com  10.128.0.3,10...   80, 443   32m
-```
-
-Add DNS records `matchbox.example.com` and `matchbox-rpc.example.com` to route traffic to the Ingress Controller.
-
-Verify `http://matchbox.example.com` responds with the text "matchbox" and verify gRPC clients can connect to `matchbox-rpc.example.com:443`.
-
-```sh
-$ curl http://matchbox.example.com
-$ openssl s_client -connect matchbox-rpc.example.com:443 -CAfile ca.crt -cert client.crt -key client.key
-```
-
-### Operational notes
-
-* Secrets: Matchbox **can** be run as a public facing service. However, you **must** follow best practices and avoid writing secret material into machine user-data. Instead, load secret materials from an internal secret store.
-* Storage: Example manifests use Kubernetes `emptyDir` volumes to store `matchbox` data. Swap those out for a Kubernetes persistent volume if available.
-
--- a/Documentation/dev/release.md
+++ b/Documentation/dev/release.md
@@ -1,74 +0,0 @@
-
-# Release guide
-
-This guide covers releasing new versions of matchbox.
-
-## Version
-
-Create a release commit which updates old version references.
-
-```sh
-$ export VERSION=v0.6.0
-```
-
-## Tag
-
-Tag, sign the release version, and push it to Github.
-
-```sh
-$ git tag -s vX.Y.Z -m 'vX.Y.Z'
-$ git push origin --tags
-$ git push origin master
-```
-
-## Images
-
-Travis CI will build the Docker image and push it to Quay.io when the tag is pushed to master. Verify the new image and version.
-
-```sh
-$ sudo docker run quay.io/coreos/matchbox:$VERSION -version
-$ sudo rkt run --no-store quay.io/coreos/matchbox:$VERSION -- -version
-```
-
-## Github release
-
-Publish the release on Github with release notes.
-
-## Tarballs
-
-Build the release tarballs.
-
-```sh
-$ make release
-```
-
-Verify the reported version.
-
-```
-./_output/matchbox-v0.6.0-linux-amd64/matchbox -version
-```
-
-## Signing
-
-Sign the release tarballs and ACI with a [CoreOS App Signing Key](https://coreos.com/security/app-signing-key/) subkey.
-
-```sh
-$ cd _output
-$ gpg2 -a --default-key FC8A365E --detach-sign matchbox-$VERSION-linux-amd64.tar.gz
-$ gpg2 -a --default-key FC8A365E --detach-sign matchbox-$VERSION-darwin-amd64.tar.gz
-$ gpg2 -a --default-key FC8A365E --detach-sign matchbox-$VERSION-linux-arm.tar.gz
-$ gpg2 -a --default-key FC8A365E --detach-sign matchbox-$VERSION-linux-arm64.tar.gz
-```
-
-Verify the signatures.
-
-```sh
-$ gpg2 --verify matchbox-$VERSION-linux-amd64.tar.gz.asc matchbox-$VERSION-linux-amd64.tar.gz
-$ gpg2 --verify matchbox-$VERSION-darwin-amd64.tar.gz.asc matchbox-$VERSION-darwin-amd64.tar.gz
-$ gpg2 --verify matchbox-$VERSION-linux-arm.tar.gz.asc matchbox-$VERSION-linux-arm.tar.gz
-$ gpg2 --verify matchbox-$VERSION-linux-arm64.tar.gz.asc matchbox-$VERSION-linux-arm64.tar.gz
-```
-
-## Publish
-
-Upload the signed tarball(s) with the Github release. Promote the release from a `pre-release` to an official release.
--- a/Documentation/getting-started-docker.md
+++ b/Documentation/getting-started-docker.md
@@ -1,120 +0,0 @@
-
-# Getting started with Docker
-
-In this tutorial, we'll run `matchbox` on your Linux machine with Docker to network boot and provision a cluster of QEMU/KVM CoreOS machines locally. You'll be able to create Kubernetes clusters, etcd3 clusters, and test network setups.
-
-*Note*: To provision physical machines, see [network setup](network-setup.md) and [deployment](deployment.md).
-
-## Requirements
-
-Install the package dependencies and start the Docker daemon.
-
-```sh
-$ # Fedora
-$ sudo dnf install docker virt-install virt-manager
-$ sudo systemctl start docker
-
-$ # Debian/Ubuntu
-$ # check Docker's docs to install Docker 1.8+ on Debian/Ubuntu
-$ sudo apt-get install virt-manager virtinst qemu-kvm
-```
-
-Clone the [matchbox](https://github.com/coreos/matchbox) source which contains the examples and scripts.
-
-```sh
-$ git clone https://github.com/coreos/matchbox.git
-$ cd matchbox
-```
-
-Download CoreOS image assets referenced by the `etcd-docker` [example](../examples) to `examples/assets`.
-
-```sh
-$ ./scripts/get-coreos stable 1298.7.0 ./examples/assets
-```
-
-For development convenience, add `/etc/hosts` entries for nodes so they may be referenced by name as you would in production.
-
-```sh
-# /etc/hosts
-...
-172.17.0.21 node1.example.com
-172.17.0.22 node2.example.com
-172.17.0.23 node3.example.com
-```
-
-## Containers
-
-Run the latest `matchbox` Docker image from `quay.io/coreos/matchbox` with the `etcd-docker` example. The container should receive the IP address 172.17.0.2 on the `docker0` bridge.
-
-```sh
-$ sudo docker pull quay.io/coreos/matchbox:latest
-$ sudo docker run -p 8080:8080 --rm -v $PWD/examples:/var/lib/matchbox:Z -v $PWD/examples/groups/etcd3:/var/lib/matchbox/groups:Z quay.io/coreos/matchbox:latest -address=0.0.0.0:8080 -log-level=debug
-```
-
-Take a look at the [etcd3 groups](../examples/groups/etcd3) to get an idea of how machines are mapped to Profiles. Explore some endpoints exposed by the service, say for QEMU/KVM node1.
-
-* iPXE [http://127.0.0.1:8080/ipxe?mac=52:54:00:a1:9c:ae](http://127.0.0.1:8080/ipxe?mac=52:54:00:a1:9c:ae)
-* Ignition [http://127.0.0.1:8080/ignition?mac=52:54:00:a1:9c:ae](http://127.0.0.1:8080/ignition?mac=52:54:00:a1:9c:ae)
-* Metadata [http://127.0.0.1:8080/metadata?mac=52:54:00:a1:9c:ae](http://127.0.0.1:8080/metadata?mac=52:54:00:a1:9c:ae)
-
-## Network
-
-Since the virtual network has no network boot services, use the `dnsmasq` image to create an iPXE network boot environment which runs DHCP, DNS, and TFTP.
-
-```sh
-$ sudo docker run --name dnsmasq --cap-add=NET_ADMIN -v $PWD/contrib/dnsmasq/docker0.conf:/etc/dnsmasq.conf:Z quay.io/coreos/dnsmasq -d
-```
-
-In this case, dnsmasq runs a DHCP server allocating IPs to VMs between 172.17.0.43 and 172.17.0.99, resolves `matchbox.foo` to 172.17.0.2 (the IP where `matchbox` runs), and points iPXE clients to `http://matchbox.foo:8080/boot.ipxe`.
-
-## Client VMs
-
-Create QEMU/KVM VMs which have known hardware attributes. The nodes will be attached to the `docker0` bridge, where Docker's containers run.
-
-```sh
-$ sudo ./scripts/libvirt create-docker
-```
-
-You can connect to the serial console of any node. If you provisioned nodes with an SSH key, you can SSH after bring-up.
-
-```sh
-$ sudo virsh console node1
-```
-
-You can also use `virt-manager` to watch the console.
-
-```sh
-$ sudo virt-manager
-```
-
-Use the wrapper script to act on all nodes.
-
-```sh
-$ sudo ./scripts/libvirt [start|reboot|shutdown|poweroff|destroy]
-```
-
-## Verify
-
-The VMs should network boot and provision themselves into a three node etcd3 cluster, with other nodes behaving as etcd3 gateways.
-
-The example profile added autologin so you can verify that etcd3 works between nodes.
-
-```sh
-$ systemctl status etcd-member
-$ ETCDCTL_API=3
-$ etcdctl set /message hello
-$ etcdctl get /message
-```
-## Clean up
-
-Clean up the containers and VM machines.
-
-```sh
-$ sudo docker rm -f dnsmasq
-$ sudo ./scripts/libvirt poweroff
-$ sudo ./scripts/libvirt destroy
-```
-
-## Going further
-
-Learn more about [matchbox](matchbox.md) or explore the other [example](../examples) clusters. Try the [k8s example](kubernetes.md) to produce a TLS-authenticated Kubernetes cluster you can access locally with `kubectl`.
--- a/Documentation/getting-started-rkt.md
+++ b/Documentation/getting-started-rkt.md
@@ -1,183 +0,0 @@
-# Getting started with rkt
-
-In this tutorial, we'll run `matchbox` on your Linux machine with `rkt` and `CNI` to network boot and provision a cluster of QEMU/KVM CoreOS machines locally. You'll be able to create Kubernetes clustes, etcd3 clusters, and test network setups.
-
-*Note*: To provision physical machines, see [network setup](network-setup.md) and [deployment](deployment.md).
-
-## Requirements
-
-Install [rkt](https://coreos.com/rkt/docs/latest/distributions.html) 1.12.0 or higher ([example script](https://github.com/dghubble/phoenix/blob/master/fedora/sources.sh)) and setup rkt [privilege separation](https://coreos.com/rkt/docs/latest/trying-out-rkt.html).
-
-Next, install the package dependencies.
-
-```sh
-# Fedora
-$ sudo dnf install virt-install virt-manager
-
-# Debian/Ubuntu
-$ sudo apt-get install virt-manager virtinst qemu-kvm systemd-container
-```
-
-**Note**: rkt does not yet integrate with SELinux on Fedora. As a workaround, temporarily set enforcement to permissive if you are comfortable (`sudo setenforce Permissive`). Check the rkt [distribution notes](https://github.com/coreos/rkt/blob/master/Documentation/distributions.md) or see the tracking [issue](https://github.com/coreos/rkt/issues/1727).
-
-Clone the [matchbox](https://github.com/coreos/matchbox) source which contains the examples and scripts.
-
-```sh
-$ git clone https://github.com/coreos/matchbox.git
-$ cd matchbox
-```
-
-Download CoreOS image assets referenced by the `etcd` [example](../examples) to `examples/assets`.
-
-```sh
-$ ./scripts/get-coreos stable 1298.7.0 ./examples/assets
-```
-
-## Network
-
-Define the `metal0` virtual bridge with [CNI](https://github.com/appc/cni).
-
-```bash
-sudo mkdir -p /etc/rkt/net.d
-sudo bash -c 'cat > /etc/rkt/net.d/20-metal.conf << EOF
-{
-  "name": "metal0",
-  "type": "bridge",
-  "bridge": "metal0",
-  "isGateway": true,
-  "ipMasq": true,
-  "ipam": {
-    "type": "host-local",
-    "subnet": "172.18.0.0/24",
-    "routes" : [ { "dst" : "0.0.0.0/0" } ]
-   }
-}
-EOF'
-```
-
-On Fedora, add the `metal0` interface to the trusted zone in your firewall configuration.
-
-```sh
-$ sudo firewall-cmd --add-interface=metal0 --zone=trusted
-$ sudo firewall-cmd --add-interface=metal0 --zone=trusted --permanent
-```
-
-For development convenience, you may wish to add `/etc/hosts` entries for nodes to refer to them by name.
-
-```
-# /etc/hosts
-...
-172.18.0.21 node1.example.com
-172.18.0.22 node2.example.com
-172.18.0.23 node3.example.com
-```
-
-## Containers
-
-Run the `matchbox` and `dnsmasq` services on the `metal0` bridge. `dnsmasq` will run DHCP, DNS, and TFTP services to create a suitable network boot environment. `matchbox` will serve provisioning configs to machines on the network which attempt to PXE boot.
-
-The `devnet` wrapper script rkt runs `matchbox` and `dnsmasq` in systemd transient units. Create can take the name of any example cluster in [examples](../examples).
-
-```sh
-$ sudo ./scripts/devnet create etcd3
-```
-
-Inspect the journal logs or check the status of the systemd services.
-
-```
-$ sudo ./scripts/devnet status
-$ journalctl -f -u dev-matchbox
-$ journalctl -f -u dev-dnsmasq
-```
-
-Take a look at the [etcd3 groups](../examples/groups/etcd3) to get an idea of how machines are mapped to Profiles. Explore some endpoints exposed by the service, say for QEMU/KVM node1.
-
-* iPXE [http://172.18.0.2:8080/ipxe?mac=52:54:00:a1:9c:ae](http://172.18.0.2:8080/ipxe?mac=52:54:00:a1:9c:ae)
-* Ignition [http://172.18.0.2:8080/ignition?mac=52:54:00:a1:9c:ae](http://172.18.0.2:8080/ignition?mac=52:54:00:a1:9c:ae)
-* Metadata [http://172.18.0.2:8080/metadata?mac=52:54:00:a1:9c:ae](http://172.18.0.2:8080/metadata?mac=52:54:00:a1:9c:ae)
-
-### Manual
-
-If you prefer to start the containers yourself, instead of using `devnet`,
-
-```sh
-sudo rkt run --net=metal0:IP=172.18.0.2 \
-  --mount volume=data,target=/var/lib/matchbox \
-  --volume data,kind=host,source=$PWD/examples \
-  --mount volume=groups,target=/var/lib/matchbox/groups \
-  --volume groups,kind=host,source=$PWD/examples/groups/etcd3 \
-  quay.io/coreos/matchbox:v0.6.0 -- -address=0.0.0.0:8080 -log-level=debug
-```
-```sh
-sudo rkt run --net=metal0:IP=172.18.0.3 \
-  --dns=host \
-  --mount volume=config,target=/etc/dnsmasq.conf \
-  --volume config,kind=host,source=$PWD/contrib/dnsmasq/metal0.conf \
-  quay.io/coreos/dnsmasq:v0.4.0 \
-  --caps-retain=CAP_NET_ADMIN,CAP_NET_BIND_SERVICE
-```
-
-If you get an error about the IP assignment, stop old pods and run garbage collection.
-
-```sh
-$ sudo rkt gc --grace-period=0
-```
-
-## Client VMs
-
-Create QEMU/KVM VMs which have known hardware attributes. The nodes will be attached to the `metal0` bridge, where your pods run.
-
-```sh
-$ sudo ./scripts/libvirt create
-```
-
-You can connect to the serial console of any node. If you provisioned nodes with an SSH key, you can SSH after bring-up.
-
-```sh
-$ sudo virsh console node1
-```
-
-You can also use `virt-manager` to watch the console.
-
-```sh
-$ sudo virt-manager
-```
-
-Use the wrapper script to act on all nodes.
-
-```sh
-$ sudo ./scripts/libvirt [start|reboot|shutdown|poweroff|destroy]
-```
-
-## Verify
-
-The VMs should network boot and provision themselves into a three node etcd3 cluster, with other nodes behaving as etcd3 gateways.
-
-The example profile added autologin so you can verify that etcd3 works between nodes.
-
-```sh
-$ systemctl status etcd-member
-$ ETCDCTL_API=3
-$ etcdctl set /message hello
-$ etcdctl get /message
-```
-
-## Clean up
-
-Clean up the systemd units running `matchbox` and `dnsmasq`.
-
-```sh
-$ sudo ./scripts/devnet destroy
-```
-
-Clean up VM machines.
-
-```sh
-$ sudo ./scripts/libvirt destroy
-```
-
-Press ^] three times to stop any rkt pod.
-
-## Going further
-
-Learn more about [matchbox](matchbox.md) or explore the other [example](../examples) clusters. Try the [k8s example](kubernetes.md) to produce a TLS-authenticated Kubernetes cluster you can access locally with `kubectl`.
--- a/Documentation/getting-started.md
+++ b/Documentation/getting-started.md
@@ -1,200 +0,0 @@
-# Getting started
-
-In this tutorial, we'll show how to use terraform with `matchbox` to provision Container Linux machines.
-
-You'll install the `matchbox` service, setup a PXE network boot environment, and then use terraform configs to describe your infrastructure and the terraform CLI to create those resources on `matchbox`.
-
-## matchbox
-
-Install `matchbox` on a dedicated server or Kubernetes cluster. Generate TLS credentials and enable the gRPC API as directed. Save the `ca.crt`, `client.crt`, and `client.key` on your local machine (e.g. `~/.matchbox`).
-
-* Installing on [CoreOS / Linux distros](deployment.md)
-* Installing on [Kubernetes](deployment.md#kubernetes)
-* Running with [rkt](deployment.md#rkt) / [docker](deployment.md#docker)
-
-Verify the matchbox read-only HTTP endpoints are accessible.
-
-```sh
-$ curl http://matchbox.example.com:8080
-matchbox
-```
-
-Verify your TLS client certificate and key can be used to access the gRPC API.
-
-```sh
-$ openssl s_client -connect matchbox.example.com:8081 \
-  -CAfile ~/.matchbox/ca.crt \
-  -cert ~/.matchbox/client.crt \
-  -key ~/.matchbox/client.key
-```
-
-## Terraform
-
-Install [Terraform][terraform-dl] v0.9+ on your system.
-
-```sh
-$ terraform version
-Terraform v0.9.2
-```
-
-Add the `terraform-provider-matchbox` plugin binary on your system.
-
-```sh
-$ wget https://github.com/coreos/terraform-provider-matchbox/releases/download/v0.1.0/terraform-provider-matchbox-v0.1.0-linux-amd64.tar.gz
-$ tar xzf terraform-provider-matchbox-v0.1.0-linux-amd64.tar.gz
-```
-
-Add the plugin to your `~/.terraformrc`.
-
-```hcl
-providers {
-  matchbox = "/path/to/terraform-provider-matchbox"
-}
-```
-
-## First cluster
-
-Clone the matchbox source and take a look at the Terraform examples.
-
-```sh
-$ git clone https://github.com/coreos/matchbox.git
-$ cd matchbox/examples/terraform
-```
-
-Let's start with the `simple-install` example. With `simple-install`, any machines which PXE boot from matchbox will install CoreOS to `dev/sda`, reboot, and have your SSH key set. Its not much of a cluster, but we'll get to that later.
-
-```sh
-$ cd simple-install
-```
-
-Configure the variables in `variables.tf` by creating a `terraform.tfvars` file.
-
-```hcl
-matchbox_http_endpoint = "http://matchbox.example.com:8080"
-matchbox_rpc_endpoint = "matchbox.example.com:8081"
-ssh_authorized_key = "YOUR_SSH_KEY"
-```
-
-Terraform can now interact with the matchbox service and create resources.
-
-```sh
-$ terraform plan
-Plan: 4 to add, 0 to change, 0 to destroy.
-```
-
-Let's review the terraform config and learn a bit about matchbox.
-
-#### Provider
-
-Matchbox is configured as a provider platform for bare-metal resources.
-
-```hcl
-// Configure the matchbox provider
-provider "matchbox" {
-  endpoint = "${var.matchbox_rpc_endpoint}"
-  client_cert = "${file("~/.matchbox/client.crt")}"
-  client_key = "${file("~/.matchbox/client.key")}"
-  ca         = "${file("~/.matchbox/ca.crt")}"
-}
-```
-
-#### Profiles
-
-Machine profiles specify the kernel, initrd, kernel args, Container Linux Config, Cloud-config, or other configs used to network boot and provision a bare-metal machine. This profile will PXE boot machines using the current stable Container Linux kernel and initrd (see [assets](api.md#assets) to learn about caching for speed) and supply a Container Linux Config specifying that a disk install and reboot should be performed. Learn more about [Container Linux configs](https://coreos.com/os/docs/latest/configuration.html).
-
-```hcl
-// Create a CoreOS-install profile
-resource "matchbox_profile" "coreos-install" {
-  name = "coreos-install"
-  kernel = "https://stable.release.core-os.net/amd64-usr/current/coreos_production_pxe.vmlinuz"
-  initrd = [
-    "https://stable.release.core-os.net/amd64-usr/current/coreos_production_pxe_image.cpio.gz"
-  ]
-  args = [
-    "coreos.config.url=${var.matchbox_http_endpoint}/ignition?uuid=$${uuid}&mac=$${mac:hexhyp}",
-    "coreos.first_boot=yes",
-    "console=tty0",
-    "console=ttyS0",
-  ]
-  container_linux_config = "${file("./cl/coreos-install.yaml.tmpl")}"
-}
-```
-
-#### Groups
-
-Matcher groups match machines based on labels like MAC, UUID, etc. to different profiles and template in machine-specific values. This group does not have a `selector` block, so any machines which network boot from matchbox will match this group and be provisioned using the `coreos-install` profile. Machines are matched to the most specific matching group.
-
-```
-resource "matchbox_group" "default" {
-  name = "default"
-  profile = "${matchbox_profile.coreos-install.name}"
-  # no selector means all machines can be matched
-  metadata {
-    ignition_endpoint = "${var.matchbox_http_endpoint}/ignition"
-    ssh_authorized_key = "${var.ssh_authorized_key}"
-  }
-}
-```
-
-### Apply
-
-Apply the terraform configuration.
-
-```sh
-$ terraform apply
-Apply complete! Resources: 4 added, 0 changed, 0 destroyed.
-```
-
-Matchbox serves configs to machines and respects query parameters, if you're interested:
-
-* iPXE default - [/ipxe](http://matchbox.example.com:8080/ipxe)
-* Ignition default - [/ignition](http://matchbox.example.com:8080/ignition)
-* Ignition post-install - [/ignition?os=installed](http://matchbox.example.com:8080/ignition?os=installed)
-* GRUB default - [/grub](http://matchbox.example.com:8080/grub)
-
-## Network
-
-Matchbox can integrate with many on-premise network setups. It does not seek to be the DHCP server, TFTP server, or DNS server for the network. Instead, matchbox serves iPXE scripts and GRUB configs as the entrypoint for provisioning network booted machines. PXE clients are supported by chainloading iPXE firmware.
-
-In the simplest case, an iPXE-enabled network can chain to matchbox,
-
-```
-# /var/www/html/ipxe/default.ipxe
-chain http://matchbox.foo:8080/boot.ipxe
-```
-
-Read [network-setup.md](network-setup.md) for the complete range of options. Network admins have a great amount of flexibility:
-
-* May keep using existing DHCP, TFTP, and DNS services
-* May configure subnets, architectures, or specific machines to delegate to matchbox
-* May place matchbox behind a menu entry (timeout and default to matchbox)
-
-If you've never setup a PXE-enabled network before or you're trying to setup a home lab, checkout the [quay.io/coreos/dnsmasq](https://quay.io/repository/coreos/dnsmasq) container image [copy-paste examples](https://github.com/coreos/matchbox/blob/master/Documentation/network-setup.md#coreosdnsmasq) and see the section about [proxy-DHCP](https://github.com/coreos/matchbox/blob/master/Documentation/network-setup.md#proxy-dhcp).
-
-## Boot
-
-Its time to network boot your machines. Use the BMC's remote management capablities (may be vendor-specific) to set the boot device (on the next boot only) to PXE and power on each machine.
-
-```sh
-$ ipmitool -H node1.example.com -U USER -P PASS power off
-$ ipmitool -H node1.example.com -U USER -P PASS chassis bootdev pxe
-$ ipmitool -H node1.example.com -U USER -P PASS power on
-```
-
-Each machine should chainload iPXE, delegate to `matchbox`, receive its iPXE config (or other supported configs) and begin the provisioning process. The `simple-install` example assumes your machines are configured to boot from disk first and PXE only when requested, but you can write profiles for different cases.
-
-Once the Container Linux install completes and the machine reboots you can SSH,
-
-```ssh
-$ ssh core@node1.example.com
-```
-
-To re-provision the machine for another purpose, run `terraform apply` and PXE boot it again.
-
-## Going Further
-
-Matchbox can be used to provision multi-node Container Linux clusters at one or many on-premise sites if deployed in an HA way. Machines can be matched individually by MAC address, UUID, region, or other labels you choose. Installs can be made much faster by caching images in the built-in HTTP [assets](api.md#assets) server.
-
-[Container Linux configs](https://coreos.com/os/docs/latest/configuration.html) can be used to partition disks and filesystems, write systemd units, write networkd configs or regular files, and create users. Container Linux nodes can be provisioned into a system that meets your needs. Checkout the examples which create a 3 node [etcd](../examples/terraform/etcd3-install) cluster or a 3 node [Kubernetes](../examples/terraform/bootkube-install) cluster.
-
-[terraform-dl]: https://www.terraform.io/downloads.html
--- a/Documentation/grub.md
+++ b/Documentation/grub.md
@@ -1,66 +0,0 @@
-# GRUB2 netboot
-
-Use GRUB to network boot UEFI hardware.
-
-## Requirements
-
-For local development, install the dependencies for libvirt with UEFI.
-
-* [UEFI with QEMU](https://fedoraproject.org/wiki/Using_UEFI_with_QEMU)
-
-Ensure that you've gone through the [matchbox with rkt](getting-started-rkt.md) and [matchbox](matchbox.md) guides and understand the basics.
-
-## Containers
-
-Run `matchbox` with rkt, but mount the [grub](../examples/groups/grub) group example.
-
-## Network
-
-On Fedora, add the `metal0` interface to the trusted zone in your firewall configuration.
-
-```sh
-$ sudo firewall-cmd --add-interface=metal0 --zone=trusted
-```
-
-Run the `quay.io/coreos/dnsmasq` container image with rkt or docker.
-
-```sh
-sudo rkt run --net=metal0:IP=172.18.0.3 quay.io/coreos/dnsmasq \
-  --caps-retain=CAP_NET_ADMIN,CAP_NET_BIND_SERVICE \
-  -- -d -q \
-  --dhcp-range=172.18.0.50,172.18.0.99 \
-  --enable-tftp \
-  --tftp-root=/var/lib/tftpboot \
-  --dhcp-match=set:efi-bc,option:client-arch,7 \
-  --dhcp-boot=tag:efi-bc,grub.efi \
-  --dhcp-userclass=set:grub,GRUB2 \
-  --dhcp-boot=tag:grub,"(http;matchbox.example.com:8080)/grub","172.18.0.2" \
-  --log-queries \
-  --log-dhcp \
-  --dhcp-userclass=set:ipxe,iPXE \
-  --dhcp-boot=tag:pxe,undionly.kpxe \
-  --dhcp-boot=tag:ipxe,http://matchbox.example.com:8080/boot.ipxe \
-  --address=/matchbox.foo/172.18.0.2
-```
-
-## Client VM
-
-Create UEFI VM nodes which have known hardware attributes.
-
-```sh
-$ sudo ./scripts/libvirt create-uefi
-```
-
-## Docker
-
-If you use Docker, run `matchbox` according to [matchbox with Docker](getting-started-docker.md), but mount the [grub](../examples/groups/grub) group example. Then start the `coreos/dnsmasq` Docker image, which bundles a `grub.efi`.
-
-```sh
-$ sudo docker run --rm --cap-add=NET_ADMIN quay.io/coreos/dnsmasq -d -q --dhcp-range=172.17.0.43,172.17.0.99 --enable-tftp --tftp-root=/var/lib/tftpboot --dhcp-match=set:efi-bc,option:client-arch,7 --dhcp-boot=tag:efi-bc,grub.efi --dhcp-userclass=set:grub,GRUB2 --dhcp-boot=tag:grub,"(http;matchbox.foo:8080)/grub","172.17.0.2" --log-queries --log-dhcp --dhcp-option=3,172.17.0.1 --dhcp-userclass=set:ipxe,iPXE --dhcp-boot=tag:pxe,undionly.kpxe --dhcp-boot=tag:ipxe,http://matchbox.foo:8080/boot.ipxe --address=/matchbox.foo/172.17.0.2
-```
-
-Create a VM to verify the machine network boots.
-
-```sh
-$ sudo virt-install --name uefi-test --pxe --boot=uefi,network --disk pool=default,size=4 --network=bridge=docker0,model=e1000 --memory=1024 --vcpus=1 --os-type=linux --noautoconsole
-```
--- a/Documentation/img/tectonic-console.png
+++ b/Documentation/img/tectonic-console.png
--- a/Documentation/img/tectonic-installer.png
+++ b/Documentation/img/tectonic-installer.png
--- a/Documentation/kubernetes.md
+++ b/Documentation/kubernetes.md
@@ -1,88 +0,0 @@
-# Kubernetes
-
-The Kubernetes example provisions a 3 node Kubernetes v1.5.5 cluster with one controller, two workers, and TLS authentication. An etcd cluster backs Kubernetes and coordinates CoreOS auto-updates (enabled for disk installs).
-
-## Requirements
-
-Ensure that you've gone through the [matchbox with rkt](getting-started-rkt.md) or [matchbox with docker](getting-started-docker.md) guide and understand the basics. In particular, you should be able to:
-
-* Use rkt or Docker to start `matchbox`
-* Create a network boot environment with `coreos/dnsmasq`
-* Create the example libvirt client VMs
-* `/etc/hosts` entries for `node[1-3].example.com` (or pass custom names to `k8s-certgen`)
-
-## Examples
-
-The [examples](../examples) statically assign IP addresses to libvirt client VMs created by `scripts/libvirt`. VMs are setup on the `metal0` CNI bridge for rkt or the `docker0` bridge for Docker. The examples can be used for physical machines if you update the MAC addresses. See [network setup](network-setup.md) and [deployment](deployment.md).
-
-* [k8s](../examples/groups/k8s) - iPXE boot a Kubernetes cluster
-* [k8s-install](../examples/groups/k8s-install) - Install a Kubernetes cluster to disk
-* [Lab examples](https://github.com/dghubble/metal) - Lab hardware examples
-
-### Assets
-
-Download the CoreOS image assets referenced in the target [profile](../examples/profiles).
-
-```sh
-$ ./scripts/get-coreos stable 1298.7.0 ./examples/assets
-```
-
-Optionally, add your SSH public key to each machine group definition [as shown](../examples/README.md#ssh-keys).
-
-Generate a root CA and Kubernetes TLS assets for components (`admin`, `apiserver`, `worker`) with SANs for `node1.example.com`, etc.
-
-```sh
-$ rm -rf examples/assets/tls
-$ ./scripts/tls/k8s-certgen
-```
-
-**Note**: TLS assets are served to any machines which request them, which requires a trusted network. Alternately, provisioning may be tweaked to require TLS assets be securely copied to each host.
-
-## Containers
-
-Use rkt or docker to start `matchbox` and mount the desired example resources. Create a network boot environment and power-on your machines. Revisit [matchbox with rkt](getting-started-rkt.md) or [matchbox with Docker](getting-started-docker.md) for help.
-
-Client machines should boot and provision themselves. Local client VMs should network boot CoreOS in about a 1 minute and the Kubernetes API should be available after 3-4 minutes (each node downloads a ~160MB Hyperkube). If you chose `k8s-install`, notice that machines install CoreOS and then reboot (in libvirt, you must hit "power" again). Time to network boot and provision Kubernetes clusters on physical hardware depends on a number of factors (POST duration, boot device iteration, network speed, etc.).
-
-## Verify
-
-[Install kubectl](https://coreos.com/kubernetes/docs/latest/configure-kubectl.html) on your laptop. Use the generated kubeconfig to access the Kubernetes cluster created on rkt `metal0` or `docker0`.
-
-```sh
-$ KUBECONFIG=examples/assets/tls/kubeconfig
-$ kubectl get nodes
-NAME                STATUS    AGE
-node1.example.com   Ready     3m
-node2.example.com   Ready     3m
-node3.example.com   Ready     3m
-```
-
-Get all pods.
-
-```sh
-$ kubectl get pods --all-namespaces
-NAMESPACE     NAME                                        READY     STATUS    RESTARTS   AGE
-kube-system   heapster-v1.2.0-4088228293-5xbgg            2/2       Running   0          41m
-kube-system   kube-apiserver-node1.example.com            1/1       Running   0          40m
-kube-system   kube-controller-manager-node1.example.com   1/1       Running   0          40m
-kube-system   kube-dns-782804071-326dd                    4/4       Running   0          41m
-kube-system   kube-dns-autoscaler-2715466192-8bm78        1/1       Running   0          41m
-kube-system   kube-proxy-node1.example.com                1/1       Running   0          41m
-kube-system   kube-proxy-node2.example.com                1/1       Running   0          41m
-kube-system   kube-proxy-node3.example.com                1/1       Running   0          40m
-kube-system   kube-scheduler-node1.example.com            1/1       Running   0          40m
-kube-system   kubernetes-dashboard-3543765157-2nqgh       1/1       Running   0          41m
-```
-
-## Kubernetes Dashboard
-
-Access the Kubernetes Dashboard with `kubeconfig` credentials by port forwarding to the dashboard pod.
-
-```sh
-$ kubectl port-forward kubernetes-dashboard-SOME-ID 9090 -n=kube-system
-Forwarding from 127.0.0.1:9090 -> 9090
-```
-
-Then visit [http://127.0.0.1:9090](http://127.0.0.1:9090/).
-
-<img src='img/kubernetes-dashboard.png' class="img-center" alt="Kubernetes Dashboard"/>
--- a/Documentation/machine-lifecycle.md
+++ b/Documentation/machine-lifecycle.md
@@ -1,15 +0,0 @@
-# Lifecycle of a physical machine
-
-## About boot environment
-
-Physical machines [network boot](network-booting.md) in an network boot environment with DHCP/TFTP/DNS services or with [coreos/dnsmasq](../contrib/dnsmasq).
-
-`matchbox` serves iPXE, GRUB, or Pixiecore boot configs via HTTP to machines based on Group selectors (e.g. UUID, MAC, region, etc.) and machine Profiles. Kernel and initrd images are fetched and booted with Ignition to install CoreOS. The "first boot" Ignition config if fetched and CoreOS is installed.
-
-CoreOS boots ("first boot" from disk) and runs Ignition to provision its disk with systemd units, files, keys, and more to become a cluster node. Systemd units may fetch metadata from a remote source if needed.
-
-Coordinated auto-updates are enabled. Systems like [fleet](https://coreos.com/docs/#fleet) or [Kubernetes](http://kubernetes.io/docs/) coordinate container services. IPMI, vendor utilities, or first-boot are used to re-provision machines into new roles.
-
-## Machine lifecycle
-
-![Machine Lifecycle](img/machine-lifecycle.png)
--- a/Documentation/rktnetes.md
+++ b/Documentation/rktnetes.md
@@ -1,87 +0,0 @@
-# Kubernetes (with rkt)
-
-The `rktnetes` example provisions a 3 node Kubernetes v1.5.5 cluster with [rkt](https://github.com/coreos/rkt) as the container runtime. The cluster has one controller, two workers, and TLS authentication. An etcd cluster backs Kubernetes and coordinates CoreOS auto-updates (enabled for disk installs).
-
-## Requirements
-
-Ensure that you've gone through the [matchbox with rkt](getting-started-rkt.md) or [matchbox with docker](getting-started-docker.md) guide and understand the basics. In particular, you should be able to:
-
-* Use rkt or Docker to start `matchbox`
-* Create a network boot environment with `coreos/dnsmasq`
-* Create the example libvirt client VMs
-* `/etc/hosts` entries for `node[1-3].example.com` (or pass custom names to `k8s-certgen`)
-
-## Examples
-
-The [examples](../examples) statically assign IP addresses to libvirt client VMs created by `scripts/libvirt`. VMs are setup on the `metal0` CNI bridge for rkt or the `docker0` bridge for Docker. The examples can be used for physical machines if you update the MAC addresses. See [network setup](network-setup.md) and [deployment](deployment.md).
-
-* [rktnetes](../examples/groups/rktnetes) - iPXE boot a Kubernetes cluster
-* [rktnetes-install](../examples/groups/rktnetes-install) - Install a Kubernetes cluster to disk
-* [Lab examples](https://github.com/dghubble/metal) - Lab hardware examples
-
-## Assets
-
-Download the CoreOS image assets referenced in the target [profile](../examples/profiles).
-
-```sh
-$ ./scripts/get-coreos stable 1298.7.0 ./examples/assets
-```
-
-Optionally, add your SSH public key to each machine group definition [as shown](../examples/README.md#ssh-keys).
-
-Generate a root CA and Kubernetes TLS assets for components (`admin`, `apiserver`, `worker`) with SANs for `node1.example.com`, etc.
-
-```sh
-$ rm -rf examples/assets/tls
-$ ./scripts/tls/k8s-certgen
-```
-
-**Note**: TLS assets are served to any machines which request them, which requires a trusted network. Alternately, provisioning may be tweaked to require TLS assets be securely copied to each host.
-
-## Containers
-
-Use rkt or docker to start `matchbox` and mount the desired example resources. Create a network boot environment and power-on your machines. Revisit [matchbox with rkt](getting-started-rkt.md) or [matchbox with Docker](getting-started-docker.md) for help.
-
-Client machines should boot and provision themselves. Local client VMs should network boot CoreOS in about a 1 minute and the Kubernetes API should be available after 3-4 minutes (each node downloads a ~160MB Hyperkube). If you chose `rktnetes-install`, notice that machines install CoreOS and then reboot (in libvirt, you must hit "power" again). Time to network boot and provision Kubernetes clusters on physical hardware depends on a number of factors (POST duration, boot device iteration, network speed, etc.).
-
-## Verify
-
-[Install kubectl](https://coreos.com/kubernetes/docs/latest/configure-kubectl.html) on your laptop. Use the generated kubeconfig to access the Kubernetes cluster created on rkt `metal0` or `docker0`.
-
-```sh
-$ KUBECONFIG=examples/assets/tls/kubeconfig
-$ kubectl get nodes
-NAME                STATUS    AGE
-node1.example.com   Ready     3m
-node2.example.com   Ready     3m
-node3.example.com   Ready     3m
-```
-
-Get all pods.
-
-```sh
-$ kubectl get pods --all-namespaces
-NAMESPACE     NAME                                        READY     STATUS    RESTARTS   AGE
-kube-system   heapster-v1.2.0-4088228293-k3yn8            2/2       Running   0          3m
-kube-system   kube-apiserver-node1.example.com            1/1       Running   0          4m
-kube-system   kube-controller-manager-node1.example.com   1/1       Running   0          3m
-kube-system   kube-dns-v19-l2u8r                          3/3       Running   0          4m
-kube-system   kube-proxy-node1.example.com                1/1       Running   0          3m
-kube-system   kube-proxy-node2.example.com                1/1       Running   0          3m
-kube-system   kube-proxy-node3.example.com                1/1       Running   0          3m
-kube-system   kube-scheduler-node1.example.com            1/1       Running   0          3m
-kube-system   kubernetes-dashboard-v1.4.1-0iy07           1/1       Running   0          4m
-```
-
-## Kubernetes Dashboard
-
-Access the Kubernetes Dashboard with `kubeconfig` credentials by port forwarding to the dashboard pod.
-
-```sh
-$ kubectl port-forward kubernetes-dashboard-v1.4.1-SOME-ID 9090 -n=kube-system
-Forwarding from 127.0.0.1:9090 -> 9090
-```
-
-Then visit [http://127.0.0.1:9090](http://127.0.0.1:9090/).
-
-<img src='img/kubernetes-dashboard.png' class="img-center" alt="Kubernetes Dashboard"/>
--- a/Documentation/troubleshooting.md
+++ b/Documentation/troubleshooting.md
@@ -1,19 +0,0 @@
-# Troubleshooting
-
-## Firewall
-
-Running DHCP or proxyDHCP with `coreos/dnsmasq` on a host requires that the Firewall allow DHCP and TFTP (for chainloading) services to run.
-
-## Port collision
-
-Running DHCP or proxyDHCP can cause port already in use collisions depending on what's running. Fedora runs bootp listening on udp/67 for example. Find the service using the port.
-
-```sh
-$ sudo lsof -i :67
-```
-
-Evaluate whether you can configure the existing service or whether you'd like to stop it and test with `coreos/dnsmasq`.
-
-## No boot filename received
-
-PXE client firmware did not receive a DHCP Offer with PXE-Options after several attempts. If you're using the `coreos/dnsmasq` image with `-d`, each request should log to stdout. Using the wrong `-i` interface is the most common reason DHCP requests are not received. Otherwise, wireshark can be useful for investigating.
--- a/49
+++ b/49
@@ -1,49 +0,0 @@
-properties([
-    [$class: 'BuildDiscarderProperty', strategy: [$class: 'LogRotator', numToKeepStr: '20']],
-    [$class: 'GithubProjectProperty', projectUrlStr: 'https://github.com/coreos/matchbox'],
-    [$class: 'PipelineTriggersJobProperty', triggers: [
-      [$class: 'GitHubPushTrigger'],
-    ]]
-])
-parallel (
-  etcd3: {
-    node('fedora && bare-metal') {
-      stage('etcd3') {
-        timeout(time:3, unit:'MINUTES') {
-          checkout scm
-          sh '''#!/bin/bash -e
-          cat /etc/os-release
-          export ASSETS_DIR=~/assets; ./tests/smoke/etcd3
-          '''
-        }
-      }
-    }
-  },
-  k8s: {
-    node('fedora && bare-metal') {
-      stage('k8s') {
-        timeout(time:12, unit:'MINUTES') {
-          checkout scm          
-          sh '''#!/bin/bash -e
-          cat /etc/os-release
-          export ASSETS_DIR=~/assets; ./tests/smoke/k8s
-          '''
-        }
-      }
-    }
-  },
-  bootkube: {
-    node('fedora && bare-metal') {
-      stage('bootkube') {
-        timeout(time:12, unit:'MINUTES') {
-          checkout scm          
-          sh '''#!/bin/bash -e
-          cat /etc/os-release
-          chmod 600 ./tests/smoke/fake_rsa
-          export ASSETS_DIR=~/assets; ./tests/smoke/bootkube
-          '''
-        }
-      }
-    }
-  }
-)
--- a/79
+++ b/79
@@ -1,55 +1,61 @@
 export CGO_ENABLED:=0
+export GO111MODULE=on

-VERSION=$(shell ./scripts/git-version)
-LD_FLAGS="-w -X github.com/coreos/matchbox/matchbox/version.Version=$(VERSION)"
+DIR := $(abspath $(dir $(lastword $(MAKEFILE_LIST))))
+VERSION=$(shell git describe --tags --match=v* --always --dirty)
+LD_FLAGS="-w -X github.com/poseidon/matchbox/matchbox/version.Version=$(VERSION)"

-REPO=github.com/coreos/matchbox
-IMAGE_REPO=coreos/matchbox
-QUAY_REPO=quay.io/coreos/matchbox
+REPO=github.com/poseidon/matchbox
+LOCAL_REPO=poseidon/matchbox
+IMAGE_REPO=quay.io/poseidon/matchbox

-all: build
+.PHONY: all
+all: build test vet lint fmt

+.PHONY: build
 build: clean bin/matchbox

 bin/%:
-	@go build -o bin/$* -v -ldflags $(LD_FLAGS) $(REPO)/cmd/$*
+	@go build -o bin/$* -ldflags $(LD_FLAGS) $(REPO)/cmd/$*

+.PHONY: test
 test:
-	@./scripts/test
+	@go test ./... -cover

-.PHONY: aci
-aci: clean build
-	@sudo ./scripts/build-aci
+.PHONY: vet
+vet:
+	@go vet -all ./...

-.PHONY: docker-image
-docker-image:
-	@sudo docker build --rm=true -t $(IMAGE_REPO):$(VERSION) .
-	@sudo docker tag $(IMAGE_REPO):$(VERSION) $(IMAGE_REPO):latest
+.PHONY: lint
+lint:
+	@golint -set_exit_status `go list ./... | grep -v pb`

-.PHONY: docker-push
-docker-push: docker-image
-	@sudo docker tag $(IMAGE_REPO):$(VERSION) $(QUAY_REPO):latest
-	@sudo docker tag $(IMAGE_REPO):$(VERSION) $(QUAY_REPO):$(VERSION)
-	@sudo docker push $(QUAY_REPO):latest
-	@sudo docker push $(QUAY_REPO):$(VERSION)
+.PHONY: fmt
+fmt:
+	@test -z $$(go fmt ./...)

-.PHONY: vendor
-vendor:
-	@glide update --strip-vendor
-	@glide-vc --use-lock-file --no-tests --only-code
+.PHONY: image
+image: \
+	image-amd64 \
+	image-arm64

-.PHONY: codegen
-codegen: tools
-	@./scripts/codegen
+image-%:
+	buildah bud -f Dockerfile \
+	-t $(LOCAL_REPO):$(VERSION)-$* \
+	--arch $* --override-arch $* \
+	--format=docker .

-.PHONY: tools
-tools: bin/protoc bin/protoc-gen-go
+protoc/%:
+	podman run --security-opt label=disable \
+		-u root \
+		--mount type=bind,src=$(DIR),target=/mnt/code \
+		quay.io/dghubble/protoc:v3.10.1 \
+		--go_out=plugins=grpc,paths=source_relative:. $*

-bin/protoc:
-	@./scripts/get-protoc
-
-bin/protoc-gen-go:
-	@go build -o bin/protoc-gen-go $(REPO)/vendor/github.com/golang/protobuf/protoc-gen-go
+codegen: \
+	protoc/matchbox/storage/storagepb/*.proto \
+	protoc/matchbox/server/serverpb/*.proto \
+	protoc/matchbox/rpc/rpcpb/*.proto

 clean:
 	@rm -rf bin
@@ -69,6 +75,7 @@ bin/linux-amd64/matchbox: GOARGS = GOOS=linux GOARCH=amd64
 bin/linux-arm/matchbox: GOARGS = GOOS=linux GOARCH=arm GOARM=6
 bin/linux-arm64/matchbox: GOARGS = GOOS=linux GOARCH=arm64
 bin/darwin-amd64/matchbox: GOARGS = GOOS=darwin GOARCH=amd64
+bin/linux-ppc64le/matchbox: GOARGS = GOOS=linux GOARCH=ppc64le

 bin/%/matchbox:
 	$(GOARGS) go build -o $@ -ldflags $(LD_FLAGS) -a $(REPO)/cmd/matchbox
@@ -78,7 +85,7 @@ _output/matchbox-%.tar.gz: DEST=_output/$(NAME)
 _output/matchbox-%.tar.gz: bin/%/matchbox
 	mkdir -p $(DEST)
 	cp bin/$*/matchbox $(DEST)
-	./scripts/release-files $(DEST)
+	./scripts/dev/release-files $(DEST)
 	tar zcvf $(DEST).tar.gz -C _output $(NAME)

 .PHONY: all build clean test release
--- a/5
+++ b/5
@@ -1,5 +0,0 @@
-CoreOS Project
-Copyright 2015 CoreOS, Inc
-
-This product includes software developed at CoreOS, Inc.
-(http://www.coreos.com/).
--- a/README.md
+++ b/README.md
@@ -1,67 +1,40 @@
-# matchbox [![Build Status](https://travis-ci.org/coreos/matchbox.svg?branch=master)](https://travis-ci.org/coreos/matchbox) [![GoDoc](https://godoc.org/github.com/coreos/matchbox?status.png)](https://godoc.org/github.com/coreos/matchbox) [![Docker Repository on Quay](https://quay.io/repository/coreos/matchbox/status "Docker Repository on Quay")](https://quay.io/repository/coreos/matchbox) [![IRC](https://img.shields.io/badge/irc-%23coreos-449FD8.svg)](https://botbot.me/freenode/coreos)
+# matchbox

-Network boot and provision Container Linux clusters on virtual or physical hardware.
+[![GoDoc](https://pkg.go.dev/badge/github.com/poseidon/matchbox.svg)](https://pkg.go.dev/github.com/poseidon/matchbox) [![Quay](https://img.shields.io/badge/container-quay-green)](https://quay.io/repository/poseidon/matchbox) [![Workflow](https://github.com/poseidon/matchbox/actions/workflows/test.yaml/badge.svg)](https://github.com/poseidon/matchbox/actions/workflows/test.yaml?query=branch%3Amain) ![Downloads](https://img.shields.io/github/downloads/poseidon/matchbox/total) [![Sponsors](https://img.shields.io/github/sponsors/poseidon?logo=github)](https://github.com/sponsors/poseidon) [![Twitter](https://img.shields.io/badge/follow-news-1da1f2?logo=twitter)](https://twitter.com/poseidonlabs)

-**Announcement**: Matchbox [v0.6.0](https://github.com/coreos/matchbox/releases) is released with a new [Matchbox Terraform Provider][terraform] and [tutorial](Documentation/getting-started.md).
+`matchbox` is a service that matches bare-metal machines to profiles that PXE boot and provision clusters. Machines are matched by labels like MAC or UUID during PXE and profiles specify a kernel/initrd, iPXE config, and Ignition config.

-## matchbox
+## Features

-`matchbox` is a service that matches machines (based on labels like MAC, UUID, etc.) to profiles to PXE boot and provision Container Linux clusters. Profiles specify the kernel/initrd, kernel arguments, iPXE config, GRUB config, [Container Linux Config][cl-config], [Cloud-Config][cloud-config], or other configs a machine should use. Matchbox can be [installed](Documentation/deployment.md) as a binary, RPM, container image, or deployed on a Kubernetes cluster and it provides an authenticated gRPC API for clients like [terraform][terraform].
+* Chainload via iPXE and match hardware labels
+* Provision Fedora CoreOS or Flatcar Linux (powered by [Ignition](https://github.com/coreos/ignition))
+* Authenticated gRPC API for clients (e.g. Terraform)

-* [Documentation][docs]
-* [matchbox Service](Documentation/matchbox.md)
-* [Profiles](Documentation/matchbox.md#profiles)
-* [Groups](Documentation/matchbox.md#groups)
-* Config Templates
-    * [Container Linux Config][cl-config]
-    * [Cloud-Config][cloud-config]
-* [Configuration](Documentation/config.md)
-* [HTTP API](Documentation/api.md)
-* [gRPC API](https://godoc.org/github.com/coreos/matchbox/matchbox/client)
-* [Background: Machine Lifecycle](Documentation/machine-lifecycle.md)
-* [Background: PXE Booting](Documentation/network-booting.md)
+## Documentation

-### Installation
+* [Docs](https://matchbox.psdn.io/)
+* [Configuration](docs/config.md)
+* [HTTP API](docs/api-http.md) / [gRPC API](docs/api-grpc.md)

-* Installation
-    * Installing on [CoreOS / Linux distros](Documentation/deployment.md)
-    * Installing on [Kubernetes](Documentation/deployment.md#kubernetes)
-    * Running with [rkt](Documentation/deployment.md#rkt) / [docker](Documentation/deployment.md#docker)
-* [Network Setup](Documentation/network-setup.md)
+## Installation

-### Tutorials
+Matchbox can be installed from a binary or a container image.

-* [Getting Started](Documentation/getting-started.md)
+* Install Matchbox as a [binary](docs/deployment.md#matchbox-binary), as a [container image](docs/deployment.md#container-image), or on [Kubernetes](docs/deployment.md#kubernetes)
+* Setup a PXE-enabled [network](docs/network-setup.md)

-Local QEMU/KVM
+## Tutorials

-* [matchbox with rkt](Documentation/getting-started-rkt.md)
-* [matchbox with Docker](Documentation/getting-started-docker.md)
+Start provisioning machines with Fedora CoreOS or Flatcar Linux.

-### Example Clusters
-
-Network boot the [examples](examples) with [QEMU/KVM](scripts/README.md#libvirt) VMs to try them on your Linux laptop.
-
-* Multi-node [self-hosted](Documentation/bootkube.md) Kubernetes cluster
-* [Upgrading](Documentation/bootkube-upgrades.md) self-hosted Kubernetes clusters
-* Multi-node [Kubernetes cluster](Documentation/kubernetes.md)
-* Multi-node [rktnetes](Documentation/rktnetes.md) cluster (i.e. Kubernetes with rkt as the container runtime)
+* [Terraform Usage](docs/getting-started.md)
+  * Fedora CoreOS (PXE install to disk)
+  * Flatcar Linux (PXE install to disk)
+* [Local QEMU/KVM](docs/getting-started-docker.md)
+    * Fedora CoreOS (live PXE or PXE install to disk)
+    * Flatcar Linux (live PXE or PXE install to disk)

 ## Contrib

-* [dnsmasq](contrib/dnsmasq/README.md) - Run DHCP, TFTP, and DNS services with docker or rkt
-
-## Enterprise
-
-[Tectonic](https://coreos.com/tectonic/) is the enterprise-ready Kubernetes offering from CoreOS (free for 10 nodes!). The [Tectonic Installer](https://coreos.com/tectonic/docs/latest/install/bare-metal/#4-tectonic-installer) app integrates directly with `matchbox` through its gRPC API to provide a rich graphical client for populating `matchbox` with machine configs.
-
-Learn more from our [docs](https://coreos.com/tectonic/docs/latest/) or [blog](https://coreos.com/blog/tectonic-1-5-2.html).
-
-![Tectonic Installer](Documentation/img/tectonic-installer.png)
-
-![Tectonic Console](Documentation/img/tectonic-console.png)
-
-[docs]: https://coreos.com/matchbox/docs/latest
-[terraform]: https://github.com/coreos/terraform-provider-matchbox
-[cl-config]: Documentation/container-linux-config.md
-[cloud-config]: Documentation/cloud-config.md
+* [dnsmasq](contrib/dnsmasq/README.md) - Run DHCP, TFTP, and DNS services as a container
+* [terraform-provider-matchbox](https://github.com/poseidon/terraform-provider-matchbox) - Terraform provider plugin for Matchbox
--- a/cmd/bootcmd/main.go
+++ b/cmd/bootcmd/main.go
@@ -1,6 +1,6 @@
 package main

-import "github.com/coreos/matchbox/matchbox/cli"
+import "github.com/poseidon/matchbox/matchbox/cli"

 func main() {
 	cli.Execute()
--- a/cmd/matchbox/main.go
+++ b/cmd/matchbox/main.go
@@ -7,16 +7,15 @@ import (
 	"net/http"
 	"os"

-	"github.com/Sirupsen/logrus"
 	"github.com/coreos/pkg/flagutil"
-
-	web "github.com/coreos/matchbox/matchbox/http"
-	"github.com/coreos/matchbox/matchbox/rpc"
-	"github.com/coreos/matchbox/matchbox/server"
-	"github.com/coreos/matchbox/matchbox/sign"
-	"github.com/coreos/matchbox/matchbox/storage"
-	"github.com/coreos/matchbox/matchbox/tlsutil"
-	"github.com/coreos/matchbox/matchbox/version"
+	web "github.com/poseidon/matchbox/matchbox/http"
+	"github.com/poseidon/matchbox/matchbox/rpc"
+	"github.com/poseidon/matchbox/matchbox/server"
+	"github.com/poseidon/matchbox/matchbox/sign"
+	"github.com/poseidon/matchbox/matchbox/storage"
+	"github.com/poseidon/matchbox/matchbox/tlsutil"
+	"github.com/poseidon/matchbox/matchbox/version"
+	"github.com/sirupsen/logrus"
 )

 var (
@@ -26,35 +25,44 @@ var (

 func main() {
 	flags := struct {
-		address     string
-		rpcAddress  string
-		dataPath    string
-		assetsPath  string
-		logLevel    string
-		certFile    string
-		keyFile     string
-		caFile      string
-		keyRingPath string
-		version     bool
-		help        bool
+		address      string
+		rpcAddress   string
+		dataPath     string
+		assetsPath   string
+		logLevel     string
+		grpcCAFile   string
+		grpcCertFile string
+		grpcKeyFile  string
+		tlsCertFile  string
+		tlsKeyFile   string
+		tlsEnabled   bool
+		keyRingPath  string
+		version      bool
+		help         bool
 	}{}
 	flag.StringVar(&flags.address, "address", "127.0.0.1:8080", "HTTP listen address")
 	flag.StringVar(&flags.rpcAddress, "rpc-address", "", "RPC listen address")
 	flag.StringVar(&flags.dataPath, "data-path", "/var/lib/matchbox", "Path to data directory")
 	flag.StringVar(&flags.assetsPath, "assets-path", "/var/lib/matchbox/assets", "Path to static assets")

-	// Log levels https://github.com/Sirupsen/logrus/blob/master/logrus.go#L36
+	// Log levels https://github.com/sirupsen/logrus/blob/master/logrus.go#L36
 	flag.StringVar(&flags.logLevel, "log-level", "info", "Set the logging level")

 	// gRPC Server TLS
-	flag.StringVar(&flags.certFile, "cert-file", "/etc/matchbox/server.crt", "Path to the server TLS certificate file")
-	flag.StringVar(&flags.keyFile, "key-file", "/etc/matchbox/server.key", "Path to the server TLS key file")
-	// TLS Client Authentication
-	flag.StringVar(&flags.caFile, "ca-file", "/etc/matchbox/ca.crt", "Path to the CA verify and authenticate client certificates")
+	flag.StringVar(&flags.grpcCertFile, "cert-file", "/etc/matchbox/server.crt", "Path to the server TLS certificate file")
+	flag.StringVar(&flags.grpcKeyFile, "key-file", "/etc/matchbox/server.key", "Path to the server TLS key file")
+
+	// gRPC TLS Client Authentication
+	flag.StringVar(&flags.grpcCAFile, "ca-file", "/etc/matchbox/ca.crt", "Path to the CA verify and authenticate client certificates")

 	// Signing
 	flag.StringVar(&flags.keyRingPath, "key-ring-path", "", "Path to a private keyring file")

+	// SSL flags
+	flag.StringVar(&flags.tlsCertFile, "web-cert-file", "/etc/matchbox/ssl/server.crt", "Path to the server TLS certificate file")
+	flag.StringVar(&flags.tlsKeyFile, "web-key-file", "/etc/matchbox/ssl/server.key", "Path to the server TLS key file")
+	flag.BoolVar(&flags.tlsEnabled, "web-ssl", false, "True to enable HTTPS")
+
 	// subcommands
 	flag.BoolVar(&flags.version, "version", false, "print version and exit")
 	flag.BoolVar(&flags.help, "help", false, "print usage and exit")
@@ -87,16 +95,24 @@ func main() {
 		}
 	}
 	if flags.rpcAddress != "" {
-		if _, err := os.Stat(flags.certFile); err != nil {
+		if _, err := os.Stat(flags.grpcCertFile); err != nil {
 			log.Fatalf("Provide a valid TLS server certificate with -cert-file: %v", err)
 		}
-		if _, err := os.Stat(flags.keyFile); err != nil {
+		if _, err := os.Stat(flags.grpcKeyFile); err != nil {
 			log.Fatalf("Provide a valid TLS server key with -key-file: %v", err)
 		}
-		if _, err := os.Stat(flags.caFile); err != nil {
+		if _, err := os.Stat(flags.grpcCAFile); err != nil {
 			log.Fatalf("Provide a valid TLS certificate authority for authorizing client certificates: %v", err)
 		}
 	}
+	if flags.tlsEnabled {
+		if _, err := os.Stat(flags.tlsCertFile); err != nil {
+			log.Fatalf("Provide a valid SSL server certificate with -web-cert-file: %v", err)
+		}
+		if _, err := os.Stat(flags.tlsKeyFile); err != nil {
+			log.Fatalf("Provide a valid SSL server key with -web-key-file: %v", err)
+		}
+	}

 	// logging setup
 	lvl, err := logrus.ParseLevel(flags.logLevel)
@@ -130,17 +146,17 @@ func main() {
 	// gRPC Server (feature disabled by default)
 	if flags.rpcAddress != "" {
 		log.Infof("Starting matchbox gRPC server on %s", flags.rpcAddress)
-		log.Infof("Using TLS server certificate: %s", flags.certFile)
-		log.Infof("Using TLS server key: %s", flags.keyFile)
-		log.Infof("Using CA certificate: %s to authenticate client certificates", flags.caFile)
+		log.Infof("Using TLS server certificate: %s", flags.grpcCertFile)
+		log.Infof("Using TLS server key: %s", flags.grpcKeyFile)
+		log.Infof("Using CA certificate: %s to authenticate client certificates", flags.grpcCAFile)
 		lis, err := net.Listen("tcp", flags.rpcAddress)
 		if err != nil {
 			log.Fatalf("failed to start listening: %v", err)
 		}
 		tlsinfo := tlsutil.TLSInfo{
-			CertFile: flags.certFile,
-			KeyFile:  flags.keyFile,
-			CAFile:   flags.caFile,
+			CertFile: flags.grpcCertFile,
+			KeyFile:  flags.grpcKeyFile,
+			CAFile:   flags.grpcCAFile,
 		}
 		tlscfg, err := tlsinfo.ServerConfig()
 		if err != nil {
@@ -151,7 +167,6 @@ func main() {
 		defer grpcServer.Stop()
 	}

-	// HTTP Server
 	config := &web.Config{
 		Core:          server,
 		Logger:        log,
@@ -160,9 +175,23 @@ func main() {
 		ArmoredSigner: armoredSigner,
 	}
 	httpServer := web.NewServer(config)
-	log.Infof("Starting matchbox HTTP server on %s", flags.address)
-	err = http.ListenAndServe(flags.address, httpServer.HTTPHandler())
-	if err != nil {
-		log.Fatalf("failed to start listening: %v", err)
+
+	if flags.tlsEnabled {
+		// HTTPS Server
+		log.Infof("Starting matchbox HTTPS server on %s", flags.address)
+		log.Infof("Using SSL server certificate: %s", flags.tlsCertFile)
+		log.Infof("Using SSL server key: %s", flags.tlsKeyFile)
+		err = http.ListenAndServeTLS(flags.address, flags.tlsCertFile, flags.tlsKeyFile, httpServer.HTTPHandler())
+		if err != nil {
+			log.Fatalf("failed to start listening: %v", err)
+		}
+	} else {
+		// HTTP Server
+		log.Infof("Starting matchbox HTTP server on %s", flags.address)
+		err = http.ListenAndServe(flags.address, httpServer.HTTPHandler())
+		if err != nil {
+			log.Fatalf("failed to start listening: %v", err)
+		}
 	}
+
 }
--- a/contrib/dnsmasq/CHANGES.md
+++ b/contrib/dnsmasq/CHANGES.md
@@ -1,13 +0,0 @@
-# dnsmasq
-
-Notable changes image releases. The dnsmasq project [upstream](http://www.thekelleys.org.uk/dnsmasq/doc.html) has its own [changelog](http://www.thekelleys.org.uk/dnsmasq/CHANGELOG).
-
-## v0.4.0
-
-* `dnsmasq` package version 2.76
-* Rebuild with alpine:3.5 base image to receive patches
-* Update CoreOS `grub.efi` to be recent (stable, 1298.7.0)
-
-## v0.3.0
-
-* `dnsmasq` package version 2.75
--- a/contrib/dnsmasq/Dockerfile
+++ b/contrib/dnsmasq/Dockerfile
@@ -1,6 +0,0 @@
-FROM alpine:3.5
-MAINTAINER Dalton Hubble <dalton.hubble@coreos.com>
-RUN apk -U add dnsmasq curl
-COPY tftpboot /var/lib/tftpboot
-EXPOSE 53
-ENTRYPOINT ["/usr/sbin/dnsmasq"]
--- a/contrib/dnsmasq/Makefile
+++ b/contrib/dnsmasq/Makefile
@@ -1,23 +0,0 @@
-VERSION=v0.4.0
-
-IMAGE_REPO=coreos/dnsmasq
-QUAY_REPO=quay.io/coreos/dnsmasq
-
-.PHONY: all
-all: docker-image
-
-.PHONY: undionly
-undionly:
-	@./get-tftp-files
-
-.PHONY: docker-image
-docker-image: undionly
-	@sudo docker build --rm=true -t $(IMAGE_REPO):$(VERSION) .
-	@sudo docker tag $(IMAGE_REPO):$(VERSION) $(IMAGE_REPO):latest
-
-.PHONY: docker-push
-docker-push:
-	@sudo docker tag $(IMAGE_REPO):$(VERSION) $(QUAY_REPO):latest
-	@sudo docker tag $(IMAGE_REPO):$(VERSION) $(QUAY_REPO):$(VERSION)
-	@sudo docker push $(QUAY_REPO):latest
-	@sudo docker push $(QUAY_REPO):$(VERSION)
--- a/contrib/dnsmasq/README.md
+++ b/contrib/dnsmasq/README.md
@@ -1,58 +1,4 @@
-# dnsmasq [![Docker Repository on Quay](https://quay.io/repository/coreos/dnsmasq/status "Docker Repository on Quay")](https://quay.io/repository/coreos/dnsmasq)
+# dnsmasq

-`dnsmasq` provides a container image for running DHCP, proxy DHCP, DNS, and/or TFTP with [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html). Use it to test different network setups with clusters of network bootable machines.
+Moved to [dnsmasq](https://github.com/poseidon/dnsmasq).

-The image bundles `undionly.kpxe` which chainloads PXE clients to iPXE and `grub.efi` (experimental) which chainloads UEFI architectures to GRUB2.
-
-## Usage
-
-Run the container image as a DHCP, DNS, and TFTP service.
-
-```sh
-sudo rkt run --net=host quay.io/coreos/dnsmasq -- -d -q \
-  --dhcp-range=192.168.1.3,192.168.1.254 \
-  --enable-tftp \
-  --tftp-root=/var/lib/tftpboot \
-  --dhcp-userclass=set:ipxe,iPXE \
-  --dhcp-boot=tag:#ipxe,undionly.kpxe \
-  --dhcp-boot=tag:ipxe,http://matchbox.example.com:8080/boot.ipxe \
-  --address=/matchbox.example.com/192.168.1.2 \
-  --log-queries \
-  --log-dhcp
-```
-
-```sh
-sudo docker run --rm --cap-add=NET_ADMIN --net=host quay.io/coreos/dnsmasq \
-  -d -q \
-  --dhcp-range=192.168.1.3,192.168.1.254 \
-  --enable-tftp --tftp-root=/var/lib/tftpboot \
-  --dhcp-userclass=set:ipxe,iPXE \
-  --dhcp-boot=tag:#ipxe,undionly.kpxe \
-  --dhcp-boot=tag:ipxe,http://matchbox.example.com:8080/boot.ipxe \
-  --address=/matchbox.example/192.168.1.2 \
-  --log-queries \
-  --log-dhcp
-```
-
-Press ^] three times to stop the rkt pod. Press ctrl-C to stop the Docker container.
-
-## Configuration Flags
-
-Configuration arguments can be provided as flags. Check the dnsmasq [man pages](http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html) for a complete list.
-
-| flag     | description | example |
-|----------|-------------|---------|
-| --dhcp-range | Enable DHCP, lease given range | `172.18.0.50,172.18.0.99`, `192.168.1.1,proxy,255.255.255.0` |
-| --dhcp-boot | DHCP next server option | `http://matchbox.foo:8080/boot.ipxe` |
-| --enable-tftp | Enable serving from tftp-root over TFTP | NA |
-| --address | IP address for a domain name | /matchbox.foo/172.18.0.2 |
-
-## Development
-
-Build a container image locally.
-
-    make docker-image
-
-Run the image with Docker on the `docker0` bridge (default).
-
-    sudo docker run --rm --cap-add=NET_ADMIN coreos/dnsmasq -d -q
--- a/contrib/dnsmasq/docker0.conf
+++ b/contrib/dnsmasq/docker0.conf
@@ -1,5 +1,6 @@
 # dnsmasq.conf

+no-daemon
 dhcp-range=172.17.0.50,172.17.0.99
 dhcp-option=3,172.17.0.1
 dhcp-host=52:54:00:a1:9c:ae,172.17.0.21,1h
@@ -10,15 +11,27 @@ dhcp-host=52:54:00:d7:99:c7,172.17.0.24,1h
 enable-tftp
 tftp-root=/var/lib/tftpboot

+# Legacy PXE
+dhcp-match=set:bios,option:client-arch,0
+dhcp-boot=tag:bios,undionly.kpxe
+
+# UEFI
+dhcp-match=set:efi32,option:client-arch,6
+dhcp-boot=tag:efi32,ipxe.efi
+
+dhcp-match=set:efibc,option:client-arch,7
+dhcp-boot=tag:efibc,ipxe.efi
+
+dhcp-match=set:efi64,option:client-arch,9
+dhcp-boot=tag:efi64,ipxe.efi
+
+# iPXE
 dhcp-userclass=set:ipxe,iPXE
-dhcp-boot=tag:#ipxe,undionly.kpxe
-dhcp-boot=tag:ipxe,http://matchbox.foo:8080/boot.ipxe
+dhcp-boot=tag:ipxe,http://matchbox.example.com:8080/boot.ipxe

 log-queries
 log-dhcp

-address=/bootcfg.foo/172.18.0.2
-address=/matchbox.foo/172.17.0.2
 address=/matchbox.example.com/172.17.0.2
 address=/node1.example.com/172.17.0.21
 address=/node2.example.com/172.17.0.22
--- a/contrib/dnsmasq/get-tftp-files
+++ b/contrib/dnsmasq/get-tftp-files
@@ -1,15 +0,0 @@
-#!/usr/bin/env bash
-set -eu
-
-DEST=${1:-"tftpboot"}
-
-if [ ! -d $DEST ]; then
-  echo "Creating directory $DEST"
-  mkdir -p $DEST
-fi
-
-curl -s -o $DEST/undionly.kpxe http://boot.ipxe.org/undionly.kpxe
-cp $DEST/undionly.kpxe $DEST/undionly.kpxe.0
-
-# Any vaguely recent CoreOS grub.efi is fine
-curl -s -o $DEST/grub.efi https://stable.release.core-os.net/amd64-usr/1298.7.0/coreos_production_pxe_grub.efi
--- a/contrib/dnsmasq/metal0.conf
+++ b/contrib/dnsmasq/metal0.conf
@@ -13,13 +13,11 @@ tftp-root=/var/lib/tftpboot

 dhcp-userclass=set:ipxe,iPXE
 dhcp-boot=tag:#ipxe,undionly.kpxe
-dhcp-boot=tag:ipxe,http://matchbox.foo:8080/boot.ipxe
+dhcp-boot=tag:ipxe,http://matchbox.example.com:8080/boot.ipxe

 log-queries
 log-dhcp

-address=/bootcfg.foo/172.18.0.2
-address=/matchbox.foo/172.18.0.2
 address=/matchbox.example.com/172.18.0.2
 address=/node1.example.com/172.18.0.21
 address=/node2.example.com/172.18.0.22
@@ -27,6 +25,3 @@ address=/node3.example.com/172.18.0.23
 address=/node4.example.com/172.18.0.24
 address=/cluster.example.com/172.18.0.21

-# for a Tectonic test, ignore
-address=/tectonic.example.com/172.18.0.22
-address=/tectonic.example.com/172.18.0.23
--- a/contrib/k8s/matchbox-deployment.yaml
+++ b/contrib/k8s/matchbox-deployment.yaml
@@ -1,4 +1,4 @@
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: matchbox
@@ -7,15 +7,20 @@ spec:
  strategy:
    rollingUpdate:
      maxUnavailable: 1
+  selector:
+    matchLabels:
+      name: matchbox
  template:
    metadata:
      labels:
        name: matchbox
-        phase: prod
    spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
      containers:
        - name: matchbox
-          image: quay.io/coreos/matchbox:v0.6.0
+          image: quay.io/poseidon/matchbox:v0.9.1
          env:
            - name: MATCHBOX_ADDRESS
              value: "0.0.0.0:8080"
@@ -28,10 +33,18 @@ spec:
              containerPort: 8080
            - name: https
              containerPort: 8081
+          livenessProbe:
+            initialDelaySeconds: 5
+            httpGet:
+              path: /
+              port: 8080
          resources:
            requests:
-              cpu: "50m"
-              memory: "50Mi"
+              cpu: 30m
+              memory: 20Mi
+            limits:
+              cpu: 50m
+              memory: 50Mi
          volumeMounts:
            - name: config
              mountPath: /etc/matchbox
@@ -39,9 +52,6 @@ spec:
              mountPath: /var/lib/matchbox
            - name: assets
              mountPath: /var/lib/matchbox/assets
-      dnsPolicy: ClusterFirst
-      restartPolicy: Always
-      terminationGracePeriodSeconds: 30
      volumes:
        - name: config
          secret:
--- a/contrib/k8s/ingress.yaml
+++ b/contrib/k8s/ingress.yaml
@@ -0,0 +1,43 @@
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+  name: matchbox
+  annotations:
+    nginx.ingress.kubernetes.io/ssl-redirect: "false"
+spec:
+  ingressClassName: public
+  # tls ... optional
+  rules:
+    - host: matchbox.example.com
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: matchbox
+                port:
+                  number: 8080
+---
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+  name: matchbox-rpc
+  annotations:
+    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
+spec:
+  ingressClassName: public
+  tls:
+    - hosts:
+        - matchbox-rpc.example.com
+  rules:
+    - host: matchbox-rpc.example.com
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: matchbox
+                port:
+                  number: 8081
--- a/contrib/k8s/matchbox-ingress.yaml
+++ b/contrib/k8s/matchbox-ingress.yaml
@@ -1,25 +0,0 @@
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: matchbox
-  annotations:
-    ingress.kubernetes.io/ssl-passthrough: "true"
-spec:
-  tls:
-    - hosts:
-        - matchbox-rpc.example.com
-  rules:
-    - host: matchbox.example.com
-      http:
-        paths:
-          - path: /
-            backend:
-              serviceName: matchbox
-              servicePort: 8080
-    - host: matchbox-rpc.example.com
-      http:
-        paths:
-          - path: /
-            backend:
-              serviceName: matchbox
-              servicePort: 8081
--- a/contrib/k8s/matchbox-service.yaml
+++ b/contrib/k8s/matchbox-service.yaml
@@ -6,7 +6,6 @@ spec:
  type: ClusterIP
  selector:
    name: matchbox
-    phase: prod
  ports:
    - name: http
      protocol: TCP
--- a/contrib/systemd/matchbox-for-tectonic.service
+++ b/contrib/systemd/matchbox-for-tectonic.service
@@ -1,24 +0,0 @@
-[Unit]
-Description=CoreOS matchbox Server
-Documentation=https://github.com/coreos/matchbox
-
-[Service]
-Environment="IMAGE=quay.io/coreos/matchbox"
-Environment="VERSION=v0.6.0"
-Environment="MATCHBOX_ADDRESS=0.0.0.0:8080"
-Environment="MATCHBOX_RPC_ADDRESS=0.0.0.0:8081"
-Environment="MATCHBOX_LOG_LEVEL=debug"
-ExecStartPre=/usr/bin/mkdir -p /etc/matchbox
-ExecStartPre=/usr/bin/mkdir -p /var/lib/matchbox/assets
-ExecStart=/usr/bin/rkt run \
-  --net=host \
-  --inherit-env \
-  --trust-keys-from-https \
-  --mount volume=data,target=/var/lib/matchbox \
-  --mount volume=config,target=/etc/matchbox \
-  --volume data,kind=host,source=/var/lib/matchbox \
-  --volume config,kind=host,source=/etc/matchbox \
-  ${IMAGE}:${VERSION}
-
-[Install]
-WantedBy=multi-user.target
--- a/contrib/systemd/matchbox-local.service
+++ b/contrib/systemd/matchbox-local.service
@@ -1,16 +0,0 @@
-[Unit]
-Description=CoreOS matchbox Server
-Documentation=https://github.com/coreos/matchbox
-
-[Service]
-User=matchbox
-Group=matchbox
-Environment="MATCHBOX_ADDRESS=0.0.0.0:8080"
-ExecStart=/usr/local/bin/matchbox
-
-# systemd.exec
-ProtectHome=yes
-ProtectSystem=full
-
-[Install]
-WantedBy=multi-user.target
--- a/contrib/systemd/matchbox-on-coreos.service
+++ b/contrib/systemd/matchbox-on-coreos.service
@@ -1,22 +0,0 @@
-[Unit]
-Description=CoreOS matchbox Server
-Documentation=https://github.com/coreos/matchbox
-
-[Service]
-Environment="IMAGE=quay.io/coreos/matchbox"
-Environment="VERSION=v0.6.0"
-Environment="MATCHBOX_ADDRESS=0.0.0.0:8080"
-ExecStartPre=/usr/bin/mkdir -p /etc/matchbox
-ExecStartPre=/usr/bin/mkdir -p /var/lib/matchbox/assets
-ExecStart=/usr/bin/rkt run \
-  --net=host \
-  --inherit-env \
-  --trust-keys-from-https \
-  --mount volume=data,target=/var/lib/matchbox \
-  --mount volume=config,target=/etc/matchbox \
-  --volume data,kind=host,source=/var/lib/matchbox \
-  --volume config,kind=host,source=/etc/matchbox \
-  ${IMAGE}:${VERSION}
-
-[Install]
-WantedBy=multi-user.target
--- a/contrib/systemd/matchbox.service
+++ b/contrib/systemd/matchbox.service
@@ -1,16 +1,16 @@
 [Unit]
-Description=CoreOS matchbox Server
-Documentation=https://github.com/coreos/matchbox
+Description=Matchbox Server
+Documentation=https://github.com/poseidon/matchbox

 [Service]
 User=matchbox
 Group=matchbox
 Environment="MATCHBOX_ADDRESS=0.0.0.0:8080"
-ExecStart=/usr/bin/matchbox
+ExecStart=/usr/local/bin/matchbox

 # systemd.exec
 ProtectHome=yes
 ProtectSystem=full

 [Install]
-WantedBy=multi-user.target
+WantedBy=multi-user.target
--- a/docs/CNAME
+++ b/docs/CNAME
@@ -0,0 +1 @@
+matchbox.psdn.io
--- a/docs/api-grpc.md
+++ b/docs/api-grpc.md
@@ -0,0 +1,16 @@
+# gRPC API
+
+## Protos
+
+* [rpc.proto](https://github.com/poseidon/matchbox/blob/master/matchbox/rpc/rpcpb/rpc.proto)
+* [storage.proto](https://github.com/poseidon/matchbox/blob/master/matchbox/storage/storagepb/storage.proto)
+
+## Client Libraries
+
+gRPC client libraries
+
+* [Go](https://godoc.org/github.com/poseidon/matchbox/matchbox/client)
+
+## Client Plugins
+
+* [terraform-provider-matchbox](https://github.com/poseidon/terraform-provider-matchbox)
--- a/Documentation/api.md
+++ b/Documentation/api.md
@@ -39,8 +39,8 @@ GET http://matchbox.foo/ipxe?label=value

 ```
 #!ipxe
-kernel /assets/coreos/1298.7.0/coreos_production_pxe.vmlinuz coreos.config.url=http://matchbox.foo:8080/ignition?uuid=${uuid}&mac=${mac:hexhyp} coreos.first_boot=1 coreos.autologin
-initrd  /assets/coreos/1298.7.0/coreos_production_pxe_image.cpio.gz
+kernel /assets/coreos/1967.3.0/coreos_production_pxe.vmlinuz coreos.config.url=http://matchbox.foo:8080/ignition?uuid=${uuid}&mac=${mac:hexhyp} coreos.first_boot=1 coreos.autologin
+initrd  /assets/coreos/1967.3.0/coreos_production_pxe_image.cpio.gz
 boot
 ```

@@ -67,15 +67,15 @@ default=0
 timeout=1
 menuentry "CoreOS" {
 echo "Loading kernel"
-linuxefi "(http;matchbox.foo:8080)/assets/coreos/1298.7.0/coreos_production_pxe.vmlinuz" "coreos.autologin" "coreos.config.url=http://matchbox.foo:8080/ignition" "coreos.first_boot"
+linuxefi "(http;matchbox.foo:8080)/assets/coreos/1967.3.0/coreos_production_pxe.vmlinuz" "coreos.autologin" "coreos.config.url=http://matchbox.foo:8080/ignition" "coreos.first_boot"
 echo "Loading initrd"
-initrdefi "(http;matchbox.foo:8080)/assets/coreos/1298.7.0/coreos_production_pxe_image.cpio.gz"
+initrdefi "(http;matchbox.foo:8080)/assets/coreos/1967.3.0/coreos_production_pxe_image.cpio.gz"
 }
 ```

 ## Cloud config

-Finds the profile matching the machine and renders the corresponding Cloud-Config with group metadata, selectors, and query params.
+DEPRECATED: Finds the profile matching the machine and renders the corresponding Cloud-Config with group metadata, selectors, and query params.

 ```
 GET http://matchbox.foo/cloud?label=value
@@ -101,7 +101,7 @@ coreos:
      command: start
 ```

-## Ignition Config
+## Container Linux Config / Ignition Config

 Finds the profile matching the machine and renders the corresponding Ignition Config with group metadata, selectors, and query params.

@@ -191,7 +191,7 @@ REQUEST_RAW_QUERY=mac=52-54-00-a1-9c-ae&foo=bar&count=3&gate=true

 ## OpenPGP signatures

-OpenPGPG signature endpoints serve detached binary and ASCII armored signatures of rendered configs, if enabled. See [OpenPGP Signing](openpgp.md).
+OpenPGP signature endpoints serve detached binary and ASCII armored signatures of rendered configs, if enabled. See [OpenPGP Signing](openpgp.md).

 | Endpoint   | Signature Endpoint | ASCII Signature Endpoint |
 |------------|--------------------|-------------------------|
@@ -231,7 +231,7 @@ If you need to serve static assets (e.g. kernel, initrd), `matchbox` can serve a
 ```
 matchbox.foo/assets/
 └── coreos
-    └── 1298.7.0
+    └── 1967.3.0
        ├── coreos_production_pxe.vmlinuz
        └── coreos_production_pxe_image.cpio.gz
    └── 1153.0.0
--- a/Documentation/cloud-config.md
+++ b/Documentation/cloud-config.md
@@ -1,7 +1,7 @@
+# Cloud Config

-# Cloud config
-
-**Note:** We recommend migrating to [Container Linux Configs](container-linux-config.md) for hardware provisioning.
+!!! warning
+    Migrate to [Container Linux Configs](container-linux-config.md). Cloud-Config support will be removed in the future.

 CoreOS Cloud-Config is a system for configuring machines with a Cloud-Config file or executable script from user-data. Cloud-Config runs in userspace on each boot and implements a subset of the [cloud-init spec](http://cloudinit.readthedocs.org/en/latest/topics/format.html#cloud-config-data). See the cloud-config [docs](https://coreos.com/os/docs/latest/cloud-config.html) for details.

@@ -18,13 +18,12 @@ Cloud-Config template files can be added in `/var/lib/matchbox/cloud` or in a `c

 ## Reference

-Reference a Cloud-Config in a [Profile](matchbox.md#profiles) with `cloud_id`. When PXE booting, use the kernel option `cloud-config-url` to point to `matchbox` [cloud-config endpoint](api.md#cloud-config).
+Reference a Cloud-Config in a [Profile](matchbox.md#profiles) with `cloud_id`. When PXE booting, use the kernel option `cloud-config-url` to point to `matchbox` [cloud-config endpoint](api-http.md#cloud-config).

 ## Examples

 Here is an example Cloud-Config which starts some units and writes a file.

-<!-- {% raw %} -->
 ```yaml
 #cloud-config
 coreos:
@@ -40,7 +39,6 @@ write_files:
    content: |
      {{.greeting}}
 ```
-<!-- {% endraw %} -->

 The Cloud-Config [Validator](https://coreos.com/validate/) is also useful for checking your Cloud-Config files for errors.

--- a/Documentation/config.md
+++ b/Documentation/config.md
@@ -35,8 +35,7 @@ Configuration arguments can be provided as flags or as environment variables.

 ```sh
 $ ./bin/matchbox -version
-$ sudo rkt run quay.io/coreos/matchbox:latest -- -version
-$ sudo docker run quay.io/coreos/matchbox:latest -version
+$ sudo docker run quay.io/poseidon/matchbox:latest -version
 ```

 ## Usage
@@ -47,30 +46,18 @@ Run the binary.
 $ ./bin/matchbox -address=0.0.0.0:8080 -log-level=debug -data-path=examples -assets-path=examples/assets
 ```

-Run the latest ACI with rkt.
-
-```sh
-$ sudo rkt run --mount volume=assets,target=/var/lib/matchbox/assets --volume assets,kind=host,source=$PWD/examples/assets quay.io/coreos/matchbox:latest -- -address=0.0.0.0:8080 -log-level=debug
-```
-
 Run the latest Docker image.

 ```sh
-$ sudo docker run -p 8080:8080 --rm -v $PWD/examples/assets:/var/lib/matchbox/assets:Z quay.io/coreos/matchbox:latest -address=0.0.0.0:8080 -log-level=debug
+$ sudo docker run -p 8080:8080 --rm -v $PWD/examples/assets:/var/lib/matchbox/assets:Z quay.io/poseidon/matchbox:latest -address=0.0.0.0:8080 -log-level=debug
 ```

 ### With examples

-Mount `examples` to pre-load the [example](../examples/README.md) machine groups and profiles. Run the container with rkt,
+Mount `examples` to pre-load the example machine groups and profiles. Run the container.

 ```sh
-$ sudo rkt run --net=metal0:IP=172.18.0.2 --mount volume=data,target=/var/lib/matchbox --volume data,kind=host,source=$PWD/examples --mount volume=groups,target=/var/lib/matchbox/groups --volume groups,kind=host,source=$PWD/examples/groups/etcd quay.io/coreos/matchbox:latest -- -address=0.0.0.0:8080 -log-level=debug
-```
-
-or with Docker.
-
-```sh
-$ sudo docker run -p 8080:8080 --rm -v $PWD/examples:/var/lib/matchbox:Z -v $PWD/examples/groups/etcd:/var/lib/matchbox/groups:Z quay.io/coreos/matchbox:latest -address=0.0.0.0:8080 -log-level=debug
+$ sudo docker run -p 8080:8080 --rm -v $PWD/examples:/var/lib/matchbox:Z -v $PWD/examples/groups/etcd:/var/lib/matchbox/groups:Z quay.io/poseidon/matchbox:latest -address=0.0.0.0:8080 -log-level=debug
 ```

 ### With gRPC API
@@ -89,26 +76,12 @@ Clients, such as `bootcmd`, verify the server's certificate with a CA bundle pas
 $ ./bin/bootcmd profile list --endpoints 127.0.0.1:8081 --ca-file examples/etc/matchbox/ca.crt --cert-file examples/etc/matchbox/client.crt --key-file examples/etc/matchbox/client.key
 ```

-### With rkt
-
-Run the ACI with rkt and TLS credentials from `examples/etc/matchbox`.
-
-```sh
-$ sudo rkt run --net=metal0:IP=172.18.0.2 --mount volume=data,target=/var/lib/matchbox --volume data,kind=host,source=$PWD/examples,readOnly=true --mount volume=config,target=/etc/matchbox --volume config,kind=host,source=$PWD/examples/etc/matchbox --mount volume=groups,target=/var/lib/matchbox/groups --volume groups,kind=host,source=$PWD/examples/groups/etcd quay.io/coreos/matchbox:latest -- -address=0.0.0.0:8080 -rpc-address=0.0.0.0:8081 -log-level=debug
-```
-
-A `bootcmd` client can call the gRPC API running at the IP used in the rkt example.
-
-```sh
-$ ./bin/bootcmd profile list --endpoints 172.18.0.2:8081 --ca-file examples/etc/matchbox/ca.crt --cert-file examples/etc/matchbox/client.crt --key-file examples/etc/matchbox/client.key
-```
-
 ### With docker

 Run the Docker image with TLS credentials from `examples/etc/matchbox`.

 ```sh
-$ sudo docker run -p 8080:8080 -p 8081:8081 --rm -v $PWD/examples:/var/lib/matchbox:Z -v $PWD/examples/etc/matchbox:/etc/matchbox:Z,ro -v $PWD/examples/groups/etcd:/var/lib/matchbox/groups:Z quay.io/coreos/matchbox:latest -address=0.0.0.0:8080 -rpc-address=0.0.0.0:8081 -log-level=debug
+$ sudo docker run -p 8080:8080 -p 8081:8081 --rm -v $PWD/examples:/var/lib/matchbox:Z -v $PWD/examples/etc/matchbox:/etc/matchbox:Z,ro -v $PWD/examples/groups/etcd:/var/lib/matchbox/groups:Z quay.io/poseidon/matchbox:latest -address=0.0.0.0:8080 -rpc-address=0.0.0.0:8081 -log-level=debug
 ```

 A `bootcmd` client can call the gRPC API running at the IP used in the Docker example.
@@ -126,14 +99,8 @@ $ export MATCHBOX_PASSPHRASE=test
 $ ./bin/matchbox -address=0.0.0.0:8080 -key-ring-path matchbox/sign/fixtures/secring.gpg -data-path=examples -assets-path=examples/assets
 ```

-Run the ACI with a test key.
+Run the container image with a test key.

 ```sh
-$ sudo rkt run --net=metal0:IP=172.18.0.2 --set-env=MATCHBOX_PASSPHRASE=test --mount volume=secrets,target=/secrets --volume secrets,kind=host,source=$PWD/matchbox/sign/fixtures --mount volume=data,target=/var/lib/matchbox --volume data,kind=host,source=$PWD/examples --mount volume=groups,target=/var/lib/matchbox/groups --volume groups,kind=host,source=$PWD/examples/groups/etcd quay.io/coreos/matchbox:latest -- -address=0.0.0.0:8080 -key-ring-path secrets/secring.gpg
-```
-
-Run the Docker image with a test key.
-
-```sh
-$ sudo docker run -p 8080:8080 --rm --env MATCHBOX_PASSPHRASE=test -v $PWD/examples:/var/lib/matchbox:Z -v $PWD/examples/groups/etcd:/var/lib/matchbox/groups:Z -v $PWD/matchbox/sign/fixtures:/secrets:Z quay.io/coreos/matchbox:latest -address=0.0.0.0:8080 -log-level=debug -key-ring-path secrets/secring.gpg
+$ sudo docker run -p 8080:8080 --rm --env MATCHBOX_PASSPHRASE=test -v $PWD/examples:/var/lib/matchbox:Z -v $PWD/examples/groups/etcd:/var/lib/matchbox/groups:Z -v $PWD/matchbox/sign/fixtures:/secrets:Z quay.io/poseidon/matchbox:latest -address=0.0.0.0:8080 -log-level=debug -key-ring-path secrets/secring.gpg
 ```
--- a/Documentation/container-linux-config.md
+++ b/Documentation/container-linux-config.md
@@ -1,6 +1,6 @@
 # Container Linux Configs

-A Container Linux Config is a YAML document which declares how Container Linux instances' disks should be provisioned on network boot and first-boot from disk. Configs can declare disk paritions, write files (regular files, systemd units, networkd units, etc.), and configure users. See the Container Linux Config [spec](https://coreos.com/os/docs/latest/configuration.html).
+A Container Linux Config is a YAML document which declares how Container Linux instances' disks should be provisioned on network boot and first-boot from disk. Configs can declare disk partitions, write files (regular files, systemd units, networkd units, etc.), and configure users. See the Container Linux Config [spec](https://coreos.com/os/docs/latest/configuration.html).

 ### Ignition

@@ -25,7 +25,7 @@ Container Linux Config templates can be added to the `/var/lib/matchbox/ignition

 ## Referencing in Profiles

-Profiles can include a Container Linux Config for provisioning machines. Specify the Container Linux Config in a [Profile](matchbox.md#profiles) with `ignition_id`. When PXE booting, use the kernel option `coreos.first_boot=1` and `coreos.config.url` to point to the `matchbox` [Ignition endpoint](api.md#ignition-config).
+Profiles can include a Container Linux Config for provisioning machines. Specify the Container Linux Config in a [Profile](matchbox.md#profiles) with `ignition_id`. When PXE booting, use the kernel option `coreos.first_boot=1` and `coreos.config.url` to point to the `matchbox` [Ignition endpoint](api-http.md#ignition-config).

 ## Examples

@@ -75,7 +75,7 @@ passwd:
 ```
 <!-- {% endraw %} -->

-The Ignition config response (formatted) to a query `/ignition?label=value` for a CoreOS instance supporting Ignition 2.0.0 would be:
+The Ignition config response (formatted) to a query `/ignition?label=value` for a Container Linux instance supporting Ignition 2.0.0 would be:

 ```json
 {
--- a/docs/deployment.md
+++ b/docs/deployment.md
@@ -0,0 +1,309 @@
+# Installation
+
+This guide walks through deploying the `matchbox` service on a Linux host (as a binary or container image) or on a Kubernetes cluster.
+
+## Provisoner
+
+Matchbox is a service for network booting and provisioning machines to create Fedora CoreOS or Flatcar Linux clusters. Matchbox may installed on a host server or Kubernetes cluster that can serve configs to client machines in a lab or datacenter.
+
+Choose one of the supported installation options:
+
+* [Matchbox binary](#matchbox-binary)
+* [Container image](#container-image)
+* [Kubernetes manifests](#kubernetes)
+
+## Download
+
+Download the latest Matchbox [release](https://github.com/poseidon/matchbox/releases).
+
+```sh
+$ wget https://github.com/poseidon/matchbox/releases/download/v0.9.1/matchbox-v0.9.1-linux-amd64.tar.gz
+$ wget https://github.com/poseidon/matchbox/releases/download/v0.9.1/matchbox-v0.9.1-linux-amd64.tar.gz.asc
+```
+
+Verify the release has been signed by Dalton Hubble's GPG [Key](https://keyserver.ubuntu.com/pks/lookup?search=0x8F515AD1602065C8&op=vindex)'s signing subkey.
+
+```sh
+$ gpg --keyserver keyserver.ubuntu.com --recv-key 2E3D92BF07D9DDCCB3BAE4A48F515AD1602065C8
+$ gpg --verify matchbox-v0.9.1-linux-amd64.tar.gz.asc matchbox-v0.9.1-linux-amd64.tar.gz
+gpg: Good signature from "Dalton Hubble <dghubble@gmail.com>"
+```
+
+Untar the release.
+
+```sh
+$ tar xzvf matchbox-v0.9.1-linux-amd64.tar.gz
+$ cd matchbox-v0.9.1-linux-amd64
+```
+
+## Install
+
+Run Matchbox as a binary, a container image, or on Kubernetes.
+
+### Matchbox Binary
+
+Pre-built binaries are available for generic Linux distributions. Copy the `matchbox` static binary to an appropriate location on the host.
+
+```sh
+$ sudo cp matchbox /usr/local/bin
+```
+
+#### Set up User/Group
+
+The `matchbox` service should be run by a non-root user with access to the `matchbox` data directory (`/var/lib/matchbox`). Create a `matchbox` user and group.
+
+```sh
+$ sudo useradd -U matchbox
+$ sudo mkdir -p /var/lib/matchbox/assets
+$ sudo chown -R matchbox:matchbox /var/lib/matchbox
+```
+
+#### Create systemd service
+
+Copy the provided `matchbox` systemd unit file.
+
+```sh
+$ sudo cp contrib/systemd/matchbox.service /etc/systemd/system/matchbox.service
+```
+
+#### systemd dropins
+
+Customize Matchbox by editing the systemd unit or adding a systemd dropin. Find the complete set of `matchbox` flags and environment variables at [config](config.md).
+
+```sh
+$ sudo systemctl edit matchbox
+```
+
+By default, the read-only HTTP machine endpoint will be exposed on port **8080**.
+
+```ini
+# /etc/systemd/system/matchbox.service.d/override.conf
+[Service]
+Environment="MATCHBOX_ADDRESS=0.0.0.0:8080"
+Environment="MATCHBOX_LOG_LEVEL=debug"
+```
+
+A common customization is enabling the gRPC API to allow clients with a TLS client certificate to change machine configs.
+
+```ini
+# /etc/systemd/system/matchbox.service.d/override.conf
+[Service]
+Environment="MATCHBOX_ADDRESS=0.0.0.0:8080"
+Environment="MATCHBOX_RPC_ADDRESS=0.0.0.0:8081"
+```
+
+Customize `matchbox` to suit your preferences.
+
+#### Start
+
+Start the Matchbox service and enable it if you'd like it to start on every boot.
+
+```
+$ sudo systemctl daemon-reload
+$ sudo systemctl start matchbox
+$ sudo systemctl enable matchbox
+```
+
+### Container Image
+
+Run the container image with Podman,
+
+```
+mkdir -p /var/lib/matchbox/assets
+podman run --net=host --rm -v /var/lib/matchbox:/var/lib/matchbox:Z -v /etc/matchbox:/etc/matchbox:Z,ro quay.io/poseidon/matchbox:v0.9.1 -address=0.0.0.0:8080 -rpc-address=0.0.0.0:8081 -log-level=debug
+```
+
+Or with Docker,
+
+```
+mkdir -p /var/lib/matchbox/assets
+sudo docker run --net=host --rm -v /var/lib/matchbox:/var/lib/matchbox:Z -v /etc/matchbox:/etc/matchbox:Z,ro quay.io/poseidon/matchbox:v0.9.1 -address=0.0.0.0:8080 -rpc-address=0.0.0.0:8081 -log-level=debug
+```
+
+Create machine profiles, groups, or Ignition configs by adding files to `/var/lib/matchbox`.
+
+### Kubernetes
+
+Install Matchbox on a Kubernetes cluster with the example manifests.
+
+```sh
+$ kubectl apply -R -f contrib/k8s
+$ kubectl get services
+NAME                 CLUSTER-IP   EXTERNAL-IP   PORT(S)             AGE
+matchbox             10.3.0.145   <none>        8080/TCP,8081/TCP   46m
+```
+
+Example manifests in [contrib/k8s](../contrib/k8s) enable the gRPC API to allow client apps to update matchbox objects. Generate TLS server certificates for `matchbox-rpc.example.com` [as shown](#generate-tls-certificates) and create a Kubernetes secret. Alternately, edit the example manifests if you don't need the gRPC API enabled.
+
+```sh
+$ kubectl create secret generic matchbox-rpc --from-file=ca.crt --from-file=server.crt --from-file=server.key
+```
+
+Create an Ingress resource to expose the HTTP read-only and gRPC API endpoints. The Ingress example requires the cluster to have a functioning [Nginx Ingress Controller](https://github.com/kubernetes/ingress).
+
+```sh
+$ kubectl create -f contrib/k8s/matchbox-ingress.yaml
+$ kubectl get ingress
+NAME      HOSTS                                          ADDRESS            PORTS     AGE
+matchbox       matchbox.example.com                      10.128.0.3,10...   80        29m
+matchbox-rpc   matchbox-rpc.example.com                  10.128.0.3,10...   80, 443   29m
+```
+
+Add DNS records `matchbox.example.com` and `matchbox-rpc.example.com` to route traffic to the Ingress Controller.
+
+Verify `http://matchbox.example.com` responds with the text "matchbox" and verify gRPC clients can connect to `matchbox-rpc.example.com:443`.
+
+```sh
+$ curl http://matchbox.example.com
+$ openssl s_client -connect matchbox-rpc.example.com:443 -CAfile ca.crt -cert client.crt -key client.key
+```
+
+## Firewall
+
+Allow your port choices on the provisioner's firewall so the clients can access the service. Here are the commands for those using `firewalld`:
+
+```sh
+$ sudo firewall-cmd --zone=MYZONE --add-port=8080/tcp --permanent
+$ sudo firewall-cmd --zone=MYZONE --add-port=8081/tcp --permanent
+```
+
+## Generate TLS Certificates
+
+The Matchbox gRPC API allows clients (terraform-provider-matchbox) to create and update Matchbox resources. TLS credentials are needed for client authentication and to establish a secure communication channel. Client machines (those PXE booting) read from the HTTP endpoints and do not require this setup.
+
+The `cert-gen` helper script generates a self-signed CA, server certificate, and client certificate. **Prefer your organization's PKI, if possible**
+
+Navigate to the `scripts/tls` directory.
+
+```sh
+$ cd scripts/tls
+```
+
+Export `SAN` to set the Subject Alt Names which should be used in certificates. Provide the fully qualified domain name or IP (discouraged) where Matchbox will be installed.
+
+```sh
+# DNS or IP Subject Alt Names where matchbox runs
+$ export SAN=DNS.1:matchbox.example.com,IP.1:172.17.0.2
+```
+
+Generate a `ca.crt`, `server.crt`, `server.key`, `client.crt`, and `client.key`.
+
+```sh
+$ ./cert-gen
+```
+
+Move TLS credentials to the matchbox server's default location.
+
+```sh
+$ sudo mkdir -p /etc/matchbox
+$ sudo cp ca.crt server.crt server.key /etc/matchbox
+$ sudo chown -R matchbox:matchbox /etc/matchbox
+```
+
+Save `client.crt`, `client.key`, and `ca.crt` for later use (e.g. `~/.matchbox`).
+
+```sh
+$ mkdir -p ~/.matchbox
+$ cp client.crt client.key ca.crt ~/.matchbox/
+```
+
+## Verify
+
+Verify the matchbox service is running and can be reached by client machines (those being provisioned).
+
+```sh
+$ systemctl status matchbox   # Matchbox binary method
+$ dig matchbox.example.com
+```
+
+Verify you receive a response from the HTTP and API endpoints.
+
+```sh
+$ curl http://matchbox.example.com:8080
+matchbox
+```
+
+If you enabled the gRPC API,
+
+```sh
+$ openssl s_client -connect matchbox.example.com:8081 -CAfile scripts/tls/ca.crt -cert scripts/tls/client.crt -key scripts/tls/client.key
+CONNECTED(00000003)
+depth=1 CN = fake-ca
+verify return:1
+depth=0 CN = fake-server
+verify return:1
+---
+Certificate chain
+ 0 s:/CN=fake-server
+   i:/CN=fake-ca
+---
+....
+```
+
+## Download Images (optional)
+
+Matchbox can serve OS images in development or lab environments to reduce bandwidth usage and increase the speed of PXE boots and installs to disk.
+
+Download a recent Fedora CoreOS or Flatcar Linux release.
+
+```
+$ ./scripts/get-fedora-coreos stable 36.20220618.3.1 .
+$ ./scripts/get-flatcar stable 3227.2.0 .
+```
+
+Move the images to `/var/lib/matchbox/assets`,
+
+```
+/var/lib/matchbox/assets/fedora-coreos/
+├── fedora-coreos-36.20220618.3.1-live-initramfs.x86_64.img
+├── fedora-coreos-36.20220618.3.1-live-kernel-x86_64
+├── fedora-coreos-36.20220618.3.1-live-rootfs.x86_64.img
+
+/var/lib/matchbox/assets/flatcar/
+└── 3227.2.0
+    ├── Flatcar_Image_Signing_Key.asc
+    ├── flatcar_production_image.bin.bz2
+    ├── flatcar_production_image.bin.bz2.sig
+    ├── flatcar_production_pxe_image.cpio.gz
+    ├── flatcar_production_pxe_image.cpio.gz.sig
+    ├── flatcar_production_pxe.vmlinuz
+    ├── flatcar_production_pxe.vmlinuz.sig
+    └── version.txt
+```
+
+and verify the images are accessible.
+
+```sh
+$ curl http://matchbox.example.com:8080/assets/fedora-coreos/
+<pre>...
+```
+
+For large production environments, use a cache proxy or mirror suitable for your environment to serve images.
+
+## Network
+
+Review [network setup](https://github.com/poseidon/matchbox/blob/master/docs/network-setup.md) with your network administrator to set up DHCP, TFTP, and DNS services on your network. At a high level, your goals are to:
+
+* Chainload PXE firmwares to iPXE
+* Point iPXE client machines to the `matchbox` iPXE HTTP endpoint `http://matchbox.example.com:8080/boot.ipxe`
+* Ensure `matchbox.example.com` resolves to your `matchbox` deployment
+
+Poseidon provides [dnsmasq](https://github.com/poseidon/matchbox/tree/master/contrib/dnsmasq) as `quay.io/poseidon/dnsmasq`.
+
+# TLS
+
+Matchbox can serve the read-only HTTP API with TLS.
+
+| Name           | Type   | Description |
+|----------------|--------|-------------|
+| -web-ssl       | bool   | true/false  |
+| -web-cert-file | string | Path to the server TLS certificate file |
+| -web-key-file  | string | Path to the server TLS key file |
+
+However, it is more common to use an Ingress Controller (Kubernetes) to terminate TLS.
+
+### Operational notes
+
+* Secrets: Matchbox **can** be run as a public facing service. However, you **must** follow best practices and avoid writing secret material into machine user-data. Instead, load secret materials from an internal secret store.
+* Storage: Example manifests use Kubernetes `emptyDir` volumes to store `matchbox` data. Swap those out for a Kubernetes persistent volume if available.
+
--- a/Documentation/dev/develop.md
+++ b/Documentation/dev/develop.md
@@ -18,13 +18,7 @@ $ make test

 ## Container image

-Build an ACI `matchbox.aci`.
-
-```sh
-$ make aci
-```
-
-Alternately, build a Docker image `coreos/matchbox:latest`.
+Build a container image `coreos/matchbox:latest`.

 ```sh
 $ make docker-image
@@ -34,7 +28,6 @@ $ make docker-image

 ```sh
 $ ./bin/matchbox -version
-$ sudo rkt --insecure-options=image run matchbox.aci -- -version
 $ sudo docker run coreos/matchbox:latest -version
 ```
 ## Run
@@ -45,13 +38,7 @@ Run the binary.
 $ ./bin/matchbox -address=0.0.0.0:8080 -log-level=debug -data-path examples -assets-path examples/assets
 ```

-Run the container image with rkt, on `metal0`.
-
-```sh
-$ sudo rkt --insecure-options=image run --net=metal0:IP=172.18.0.2 --mount volume=data,target=/var/lib/matchbox --volume data,kind=host,source=$PWD/examples --mount volume=config,target=/etc/matchbox --volume config,kind=host,source=$PWD/examples/etc/matchbox --mount volume=groups,target=/var/lib/matchbox/groups --volume groups,kind=host,source=$PWD/examples/groups/etcd matchbox.aci -- -address=0.0.0.0:8080 -rpc-address=0.0.0.0:8081 -log-level=debug
-```
-
-Alternately, run the Docker image on `docker0`.
+Run the Docker image on `docker0`.

 ```sh
 $ sudo docker run -p 8080:8080 --rm -v $PWD/examples:/var/lib/matchbox:Z -v $PWD/examples/groups/etcd:/var/lib/matchbox/groups:Z coreos/matchbox:latest -address=0.0.0.0:8080 -log-level=debug
@@ -59,7 +46,7 @@ $ sudo docker run -p 8080:8080 --rm -v $PWD/examples:/var/lib/matchbox:Z -v $PWD

 ## bootcmd

-Run `bootcmd` against the gRPC API of the service running via rkt.
+Run `bootcmd` against the gRPC API of the service.

 ```sh
 $ ./bin/bootcmd profile list --endpoints 172.18.0.2:8081 --cacert examples/etc/matchbox/ca.crt
@@ -67,10 +54,11 @@ $ ./bin/bootcmd profile list --endpoints 172.18.0.2:8081 --cacert examples/etc/m

 ## Vendor

-Use `glide` and `glide-vc` to manage dependencies committed to the `vendor` directory.
+Add or update dependencies in `go.mod` and vendor.

-```sh
-$ make vendor
+```
+make update
+make vendor
 ```

 ## Codegen
--- a/docs/dev/release.md
+++ b/docs/dev/release.md
@@ -0,0 +1,73 @@
+
+# Release guide
+
+This guide covers releasing new versions of matchbox.
+
+## Version
+
+Create a release commit which updates old version references.
+
+```sh
+$ export VERSION=v0.9.1
+```
+
+## Tag
+
+Tag, sign the release version, and push it to Github.
+
+```sh
+$ git tag -s vX.Y.Z -m 'vX.Y.Z'
+$ git push origin --tags
+$ git push origin master
+```
+
+## Images
+
+Travis CI will build the Docker image and push it to Quay.io when the tag is pushed to master. Verify the new image and version.
+
+```sh
+$ sudo docker run quay.io/poseidon/matchbox:$VERSION -version
+```
+
+## Github release
+
+Publish the release on Github with release notes.
+
+## Tarballs
+
+Build the release tarballs.
+
+```sh
+$ make release
+```
+
+Verify the reported version.
+
+```
+./_output/matchbox-v0.9.1-linux-amd64/matchbox -version
+```
+
+## Signing
+
+Release tarballs are signed by Dalton Hubble's GPG [Key](/docs/deployment.md#download)
+
+```sh
+cd _output
+gpg2 --armor --detach-sign matchbox-$VERSION-linux-amd64.tar.gz
+gpg2 --armor --detach-sign matchbox-$VERSION-darwin-amd64.tar.gz
+gpg2 --armor --detach-sign matchbox-$VERSION-linux-arm.tar.gz
+gpg2 --armor --detach-sign matchbox-$VERSION-linux-arm64.tar.gz
+```
+
+Verify the signatures.
+
+```sh
+gpg2 --verify matchbox-$VERSION-linux-amd64.tar.gz.asc matchbox-$VERSION-linux-amd64.tar.gz
+gpg2 --verify matchbox-$VERSION-darwin-amd64.tar.gz.asc matchbox-$VERSION-darwin-amd64.tar.gz
+gpg2 --verify matchbox-$VERSION-linux-arm.tar.gz.asc matchbox-$VERSION-linux-arm.tar.gz
+gpg2 --verify matchbox-$VERSION-linux-arm64.tar.gz.asc matchbox-$VERSION-linux-arm64.tar.gz
+```
+
+## Publish
+
+Upload the signed tarball(s) with the Github release. Promote the release from a `pre-release` to an official release.
--- a/docs/getting-started-docker.md
+++ b/docs/getting-started-docker.md
@@ -0,0 +1,135 @@
+# Getting started with Docker
+
+In this tutorial, we'll run `matchbox` on a Linux machine with Docker to network boot and provision local QEMU/KVM machines as Fedora CoreOS or Flatcar Linux machines. You'll be able to test network setups and Ignition provisioning.
+
+!!! note
+    To provision physical machines, see [network setup](network-setup.md) and [deployment](deployment.md).
+
+## Requirements
+
+Install the package dependencies and start the Docker daemon.
+
+```sh
+$ # Fedora
+$ sudo dnf install docker virt-install virt-manager
+$ sudo systemctl start docker
+
+$ # Debian/Ubuntu
+$ # check Docker's docs to install Docker 1.8+ on Debian/Ubuntu
+$ sudo apt-get install virt-manager virtinst qemu-kvm
+```
+
+Clone the [matchbox](https://github.com/poseidon/matchbox) source which contains the examples and scripts.
+
+```sh
+$ git clone https://github.com/poseidon/matchbox.git
+$ cd matchbox
+```
+
+Download Fedora CoreOS or Flatcar Linux image assets to `examples/assets`.
+
+```sh
+$ ./scripts/get-fedora-coreos stable 36.20220618.3.1 ./examples/assets
+$ ./scripts/get-flatcar stable 3227.2.0 ./examples/assets
+```
+
+For development convenience, add `/etc/hosts` entries for nodes so they may be referenced by name.
+
+```sh
+# /etc/hosts
+...
+172.17.0.21 node1.example.com
+172.17.0.22 node2.example.com
+172.17.0.23 node3.example.com
+```
+
+## Containers
+
+Run the `matchbox` and `dnsmasq` services on the `docker0` bridge. `dnsmasq` will run DHCP, DNS and TFTP services to create a suitable network boot environment. `matchbox` will serve configs to machines as they PXE boot.
+
+The `devnet` convenience script can start these services and accepts the name of any example in [examples](https://github.com/poseidon/matchbox/tree/master/examples).
+
+```sh
+$ sudo ./scripts/devnet create fedora-coreos
+```
+
+Inspect the logs.
+
+```
+$ sudo ./scripts/devnet status
+```
+
+Inspect the examples and Matchbox endpoints to see how machines (e.g. node1 with MAC `52:54:00:a1:9c:ae`) are mapped to Profiles, and therefore iPXE and Ignition configs.
+
+* iPXE [http://127.0.0.1:8080/ipxe?mac=52:54:00:a1:9c:ae](http://127.0.0.1:8080/ipxe?mac=52:54:00:a1:9c:ae)
+* Ignition [http://127.0.0.1:8080/ignition?mac=52:54:00:a1:9c:ae](http://127.0.0.1:8080/ignition?mac=52:54:00:a1:9c:ae)
+* Metadata [http://127.0.0.1:8080/metadata?mac=52:54:00:a1:9c:ae](http://127.0.0.1:8080/metadata?mac=52:54:00:a1:9c:ae)
+
+### Manual
+
+If you prefer to start the containers yourself, instead of using `devnet`,
+
+```sh
+$ sudo docker run -p 8080:8080 --rm -v $PWD/examples:/var/lib/matchbox:Z -v $PWD/examples/groups/fedora-coreos:/var/lib/matchbox/groups:Z quay.io/poseidon/matchbox:latest -address=0.0.0.0:8080 -log-level=debug
+$ sudo docker run --name dnsmasq --cap-add=NET_ADMIN -v $PWD/contrib/dnsmasq/docker0.conf:/etc/dnsmasq.conf:Z quay.io/poseidon/dnsmasq -d
+```
+
+## Client VMs
+
+Create QEMU/KVM VMs which have known hardware attributes. The nodes will be attached to the `docker0` bridge, where Docker containers run.
+
+```sh
+$ sudo ./scripts/libvirt create
+```
+
+If you provisioned nodes with an SSH key, you can SSH after bring-up.
+
+```sh
+$ ssh core@node1.example.com
+```
+
+If you set a `console=ttyS0` kernel arg, you can connect to the serial console of any node (ctrl+] to exit).
+
+```
+$ sudo virsh console node1
+```
+
+You can also use `virt-manager` to watch the console.
+
+```sh
+$ sudo virt-manager
+```
+
+Use the wrapper script to act on all nodes.
+
+```sh
+$ sudo ./scripts/libvirt [start|reboot|shutdown|poweroff|destroy]
+```
+
+## Verify
+
+The VMs should network boot and provision themselves as declared.
+
+```
+cat /etc/os-release
+```
+
+## Clean up
+
+Clean up the containers and VM machines.
+
+```sh
+$ sudo ./scripts/devnet destroy
+$ sudo ./scripts/libvirt destroy
+```
+
+## Going Further
+
+Learn more about [matchbox](matchbox.md) or explore the other [examples](https://github.com/poseidon/matchbox/tree/master/examples).
+
+Try different examples and Ignition declarations:
+
+* Declare an SSH authorized public key (see examples README)
+* Declare a systemd unit
+* Declare file or directory content
+
--- a/docs/getting-started.md
+++ b/docs/getting-started.md
@@ -0,0 +1,214 @@
+# Getting started
+
+In this tutorial, we'll use `matchbox` with Terraform to provision Fedora CoreOS or Flatcar Linux machines.
+
+We'll install the `matchbox` service, setup a PXE network boot environment, and use Terraform configs to declare infrastructure and apply resources on `matchbox`.
+
+## matchbox
+
+Install `matchbox` on a host server or Kubernetes cluster. Generate TLS credentials and enable the gRPC API as directed. Save the `ca.crt`, `client.crt`, and `client.key` on your local machine (e.g. `~/.matchbox`).
+
+* Installing on a [Linux distro](deployment.md)
+* Installing on [Kubernetes](deployment.md#kubernetes)
+* Running with [docker](deployment.md#docker)
+
+Verify the matchbox read-only HTTP endpoints are accessible.
+
+```sh
+$ curl http://matchbox.example.com:8080
+matchbox
+```
+
+Verify your TLS client certificate and key can be used to access the gRPC API.
+
+```sh
+$ openssl s_client -connect matchbox.example.com:8081 \
+  -CAfile ~/.matchbox/ca.crt \
+  -cert ~/.matchbox/client.crt \
+  -key ~/.matchbox/client.key
+```
+
+## Terraform
+
+Install [Terraform](https://www.terraform.io/downloads.html) v0.13+ on your system.
+
+```sh
+$ terraform version
+Terraform v1.1.8
+```
+
+### Examples
+
+Clone the matchbox source.
+
+```sh
+$ git clone https://github.com/poseidon/matchbox.git
+$ cd matchbox/examples/terraform
+```
+
+Select from the Terraform [examples](https://github.com/poseidon/matchbox/tree/master/examples/terraform). For example,
+
+* `fedora-coreos-install` - PXE boot, install Fedora CoreOS to disk, reboot, and machines come up with your SSH authorized key set
+* `flatcar-install` - PXE boot, install Flatcar Linux to disk, reboot, and machines come up with your SSH authorized key set
+
+These aren't exactly full clusters, but they show declarations and network provisioning.
+
+```sh
+$ cd fedora-coreos-install    # or flatcar-install
+```
+
+!!! note
+    Fedora CoreOS images are only served via HTTPS, so your iPXE firmware must be compiled to support HTTPS downloads.
+
+Let's review the terraform config and learn a bit about Matchbox.
+
+### Provider
+
+Matchbox is configured as a provider platform for bare-metal resources.
+
+```tf
+// Configure the matchbox provider
+provider "matchbox" {
+  endpoint    = var.matchbox_rpc_endpoint
+  client_cert = file("~/.matchbox/client.crt")
+  client_key  = file("~/.matchbox/client.key")
+  ca          = file("~/.matchbox/ca.crt")
+}
+
+terraform {
+  required_providers {
+    ct = {
+      source  = "poseidon/ct"
+      version = "0.10.0"
+    }
+    matchbox = {
+      source = "poseidon/matchbox"
+      version = "0.5.0"
+    }
+  }
+}
+```
+
+### Profiles
+
+Machine profiles specify the kernel, initrd, kernel args, Ignition Config, and other configs (e.g. templated Container Linux Config, Cloud-config, generic) used to network boot and provision a bare-metal machine. The profile below would PXE boot machines using a Fedora CoreOS kernel and initrd (see [assets](api-http.md#assets) to learn about caching for speed), perform a disk install, reboot (first boot from disk), and use a [Fedora CoreOS Config](https://github.com/coreos/fcct/blob/master/docs/configuration-v1_1.md) to generate an Ignition config to provision.
+
+```tf
+// Fedora CoreOS profile
+resource "matchbox_profile" "fedora-coreos-install" {
+  name  = "worker"
+  kernel = "https://builds.coreos.fedoraproject.org/prod/streams/${var.os_stream}/builds/${var.os_version}/x86_64/fedora-coreos-${var.os_version}-live-kernel-x86_64"
+
+  initrd = [
+    "--name main https://builds.coreos.fedoraproject.org/prod/streams/${var.os_stream}/builds/${var.os_version}/x86_64/fedora-coreos-${var.os_version}-live-initramfs.x86_64.img"
+  ]
+
+  args = [
+    "initrd=main",
+    "coreos.live.rootfs_url=https://builds.coreos.fedoraproject.org/prod/streams/${var.os_stream}/builds/${var.os_version}/x86_64/fedora-coreos-${var.os_version}-live-rootfs.x86_64.img",
+    "coreos.inst.install_dev=/dev/sda",
+    "coreos.inst.ignition_url=${var.matchbox_http_endpoint}/ignition?uuid=$${uuid}&mac=$${mac:hexhyp}"
+  ]
+
+  raw_ignition = data.ct_config.worker.rendered
+}
+
+data "ct_config" "worker" {
+  content = templatefile("fcc/fedora-coreos.yaml", {
+    ssh_authorized_key = var.ssh_authorized_key
+  })
+  strict = true
+}
+```
+
+### Groups
+
+Matcher groups match machines based on labels like MAC, UUID, etc. to different profiles and templates in machine-specific values. The group below does not have a `selector` block, so any machines which network boot from Matchbox will match this group and be provisioned using the `fedora-coreos-install` profile. Machines are matched to the most specific matching group.
+
+```tf
+// Default matcher group for machines
+resource "matchbox_group" "default" {
+  name    = "default"
+  profile = matchbox_profile.fedora-coreos-install.name
+}
+```
+
+### Variables
+
+Some Terraform [variables](https://www.terraform.io/docs/configuration/variables.html) are used in the examples. A quick way to set their value is by creating a `terraform.tfvars` file.
+
+```
+cp terraform.tfvars.example terraform.tfvars
+```
+
+```tf
+matchbox_http_endpoint = "http://matchbox.example.com:8080"
+matchbox_rpc_endpoint  = "matchbox.example.com:8081"
+os_version             = "36.20220618.3.1"
+ssh_authorized_key     = "YOUR_SSH_KEY"
+```
+
+### Apply
+
+Initialize the Terraform workspace. Then plan and apply the resources.
+
+```
+terraform init
+```
+
+```
+$ terraform apply
+Apply complete! Resources: 4 added, 0 changed, 0 destroyed.
+```
+
+Matchbox serves configs to machines and respects query parameters, if you're interested:
+
+* iPXE default - [/ipxe](http://matchbox.example.com:8080/ipxe)
+* Ignition default - [/ignition](http://matchbox.example.com:8080/ignition)
+* Ignition post-install - [/ignition?os=installed](http://matchbox.example.com:8080/ignition?os=installed)
+
+## Network
+
+Matchbox can integrate with many on-premise network setups. It does not seek to be the DHCP server, TFTP server, or DNS server for the network. Instead, matchbox serves iPXE scripts as the entrypoint for provisioning network booted machines. PXE clients are supported by chainloading iPXE firmware.
+
+In the simplest case, an iPXE-enabled network can chain to Matchbox,
+
+```
+# /var/www/html/ipxe/default.ipxe
+chain http://matchbox.foo:8080/boot.ipxe
+```
+
+Read [network-setup.md](network-setup.md) for the complete range of options. Network admins have a great amount of flexibility:
+
+* May keep using existing DHCP, TFTP, and DNS services
+* May configure subnets, architectures, or specific machines to delegate to matchbox
+* May place matchbox behind a menu entry (timeout and default to matchbox)
+
+If you've never setup a PXE-enabled network before or you're trying to setup a home lab, checkout the [quay.io/poseidon/dnsmasq](https://quay.io/repository/poseidon/dnsmasq) container image [copy-paste examples](https://github.com/poseidon/matchbox/blob/master/docs/network-setup.md#poseidondnsmasq) and see the section about [proxy-DHCP](https://github.com/poseidon/matchbox/blob/master/docs/network-setup.md#proxy-dhcp).
+
+## Boot
+
+Its time to network boot your machines. Use the BMC's remote management capabilities (may be vendor-specific) to set the boot device (on the next boot only) to PXE and power on each machine.
+
+```sh
+$ ipmitool -H node1.example.com -U USER -P PASS power off
+$ ipmitool -H node1.example.com -U USER -P PASS chassis bootdev pxe
+$ ipmitool -H node1.example.com -U USER -P PASS power on
+```
+
+Each machine should chainload iPXE, delegate to Matchbox, receive its iPXE config (or other supported configs) and begin the provisioning process. The examples assume machines are configured to boot from disk first and PXE only when requested, but you can write profiles for different cases.
+
+Once the install completes and the machine reboots, you can SSH.
+
+```ssh
+$ ssh core@node1.example.com
+```
+
+To re-provision the machine for another purpose, run `terraform apply` and PXE boot machines again.
+
+## Going Further
+
+Matchbox can be used to provision multi-node Fedora CoreOS or Flatcar Linux clusters at one or many on-premise sites if deployed in an HA way. Machines can be matched individually by MAC address, UUID, region, or other labels you choose. Installs can be made much faster by caching images in the built-in HTTP [assets](api-http.md#assets) server.
+
+[Ignition](https://github.com/coreos/ignition) can be used to partition disks, create file systems, write systemd units, write networkd configs or regular files, and create users. Nodes can be network provisioned into a complete cluster system that meets your needs. For example, see [Typhoon](https://typhoon.psdn.io/fedora-coreos/bare-metal/).
+
--- a/docs/grub.md
+++ b/docs/grub.md
@@ -0,0 +1,33 @@
+# GRUB2 netboot
+
+Use GRUB to network boot UEFI hardware.
+
+## Requirements
+
+For local development, install the dependencies for libvirt with UEFI.
+
+* [UEFI with QEMU](https://fedoraproject.org/wiki/Using_UEFI_with_QEMU)
+
+Ensure that you've gone through the [matchbox with docker](getting-started-docker.md) and [matchbox](matchbox.md) guides and understand the basics.
+
+## Containers
+
+Run `matchbox` according to [matchbox with Docker](getting-started-docker.md), but mount the [grub](../examples/groups/grub) group example. Then start the `poseidon/dnsmasq` Docker image, which bundles a `grub.efi`.
+
+```sh
+$ sudo docker run --rm --cap-add=NET_ADMIN quay.io/poseidon/dnsmasq -d -q --dhcp-range=172.17.0.43,172.17.0.99 --enable-tftp --tftp-root=/var/lib/tftpboot --dhcp-match=set:efi-bc,option:client-arch,7 --dhcp-boot=tag:efi-bc,grub.efi --dhcp-userclass=set:grub,GRUB2 --dhcp-boot=tag:grub,"(http;matchbox.foo:8080)/grub","172.17.0.2" --log-queries --log-dhcp --dhcp-option=3,172.17.0.1 --dhcp-userclass=set:ipxe,iPXE --dhcp-boot=tag:pxe,undionly.kpxe --dhcp-boot=tag:ipxe,http://matchbox.foo:8080/boot.ipxe --address=/matchbox.foo/172.17.0.2
+```
+
+## Client VM
+
+Create UEFI VM nodes which have known hardware attributes.
+
+```sh
+$ sudo ./scripts/libvirt create-uefi
+```
+
+Create a VM to verify the machine network boots.
+
+```sh
+$ sudo virt-install --name uefi-test --boot=uefi,network --disk pool=default,size=4 --network=bridge=docker0,model=e1000 --memory=1024 --vcpus=1 --os-type=linux --noautoconsole
+```
--- a/Documentation/img/ipxe.png
+++ b/Documentation/img/ipxe.png
--- a/Documentation/img/kubernetes-dashboard.png
+++ b/Documentation/img/kubernetes-dashboard.png
--- a/Documentation/img/machine-lifecycle.png
+++ b/Documentation/img/machine-lifecycle.png
--- a/Documentation/img/network-setup-flow.png
+++ b/Documentation/img/network-setup-flow.png
--- a/Documentation/img/overview.png
+++ b/Documentation/img/overview.png
--- a/Documentation/img/proxydhcp.png
+++ b/Documentation/img/proxydhcp.png
--- a/Documentation/img/pxelinux.png
+++ b/Documentation/img/pxelinux.png
--- a/docs/index.md
+++ b/docs/index.md
@@ -0,0 +1,33 @@
+# Matchbox
+
+Matchbox is a service that matches bare-metal machines to profiles that PXE boot and provision clusters. Machines are matched by labels like MAC or UUID during PXE and profiles specify a kernel/initrd, iPXE config, and Ignition config.
+
+## Features
+
+* Chainload via iPXE and match hardware labels
+* Provision Fedora CoreOS or Flatcar Linux (powered by [Ignition](https://github.com/coreos/ignition))
+* Authenticated gRPC API for clients (e.g. Terraform)
+
+## Installation
+
+Matchbox can be installed from a binary or a container image.
+
+* Install Matchbox as a [binary](deployment.md#matchbox-binary), as a [container image](deployment.md#container-image), or on [Kubernetes](deployment.md#kubernetes)
+* Setup a PXE-enabled [network](network-setup.md)
+
+## Tutorials
+
+Start provisioning machines with Fedora CoreOS or Flatcar Linux.
+
+* [Terraform Usage](getting-started.md)
+    * Fedora CoreOS (live PXE or PXE install to disk)
+    * Flatcar Linux (live PXE or PXE install to disk)
+* [Local QEMU/KVM](getting-started-docker.md)
+    * Fedora CoreOS (live PXE or PXE install to disk)
+    * Flatcar Linux (live PXE or PXE install to disk)
+
+## Related
+
+* [dnsmasq](https://github.com/poseidon/matchbox/tree/master/contrib/dnsmasq) - container image to run DHCP, TFTP, and DNS services
+* [terraform-provider-matchbox](https://github.com/poseidon/terraform-provider-matchbox) - Terraform provider plugin for Matchbox
+* [Typhoon](https://typhoon.psdn.io/) - minimal and free Kubernetes distribution, supporting bare-metal
--- a/docs/machine-lifecycle.md
+++ b/docs/machine-lifecycle.md
@@ -0,0 +1,15 @@
+# Lifecycle of a physical machine
+
+## About boot environment
+
+Physical machines [network boot](network-booting.md) in an network boot environment with DHCP/TFTP/DNS services or with [poseidon/dnsmasq](../contrib/dnsmasq).
+
+`matchbox` serves iPXE or GRUB configs via HTTP to machines based on Group selectors (e.g. UUID, MAC, region, etc.) and machine Profiles. Kernel and initrd images are fetched and booted with Ignition to install CoreOS Container Linux. The "first boot" Ignition config if fetched and Container Linux is installed.
+
+Container Linux boots ("first boot" from disk) and runs Ignition to provision its disk with systemd units, files, keys, and more to become a cluster node. Systemd units may fetch metadata from a remote source if needed.
+
+Coordinated auto-updates are enabled. Systems like [fleet](https://coreos.com/docs/#fleet) or [Kubernetes](http://kubernetes.io/docs/) coordinate container services. IPMI, vendor utilities, or first-boot are used to re-provision machines into new roles.
+
+## Machine lifecycle
+
+![Machine Lifecycle](img/machine-lifecycle.png)
--- a/Documentation/matchbox.md
+++ b/Documentation/matchbox.md
@@ -1,16 +1,15 @@
 # matchbox

-`matchbox` is an HTTP and gRPC service that renders signed [Ignition configs](https://coreos.com/ignition/docs/latest/what-is-ignition.html), [cloud-configs](https://coreos.com/os/docs/latest/cloud-config.html), network boot configs, and metadata to machines to create Container Linux clusters. `matchbox` maintains **Group** definitions which match machines to *profiles* based on labels (e.g. MAC address, UUID, stage, region). A **Profile** is a named set of config templates (e.g. iPXE, GRUB, Ignition config, Cloud-Config, generic configs). The aim is to use CoreOS Linux's early-boot capabilities to provision CoreOS machines.
+`matchbox` is an HTTP and gRPC service that renders signed [Ignition configs](https://coreos.com/ignition/docs/latest/what-is-ignition.html), [cloud-configs](https://coreos.com/os/docs/latest/cloud-config.html), network boot configs, and metadata to machines to create CoreOS Container Linux clusters. `matchbox` maintains **Group** definitions which match machines to *profiles* based on labels (e.g. MAC address, UUID, stage, region). A **Profile** is a named set of config templates (e.g. iPXE, GRUB, Ignition config, Cloud-Config, generic configs). The aim is to use Container Linux's early-boot capabilities to provision Container Linux machines.

-Network boot endpoints provide PXE, iPXE, GRUB support. `matchbox` can be deployed as a binary, as an [appc](https://github.com/appc/spec) container with rkt, or as a Docker container.
+Network boot endpoints provide PXE, iPXE, GRUB support. `matchbox` can be run a binary or as a container.

 ![Bootcfg Overview](img/overview.png)

 ## Getting started

-Get started running `matchbox` on your Linux machine, with rkt or Docker.
+Get started running `matchbox` on your Linux machine, with Docker.

-* [matchbox with rkt](getting-started-rkt.md)
 * [matchbox with Docker](getting-started-docker.md)

 ## Flags
@@ -19,8 +18,8 @@ See [configuration](config.md) flags and variables.

 ## API

-* [HTTP API](api.md)
-* [gRPC API](https://godoc.org/github.com/coreos/matchbox/matchbox/client)
+* [HTTP API](api-http.md)
+* [gRPC API](https://godoc.org/github.com/poseidon/matchbox/matchbox/client)

 ## Data

@@ -59,13 +58,13 @@ Profiles reference an Ignition config, Cloud-Config, and/or generic config by na
 ```json
 {
  "id": "etcd",
-  "name": "CoreOS with etcd2",
+  "name": "Container Linux with etcd2",
  "cloud_id": "",
  "ignition_id": "etcd.yaml",
  "generic_id": "some-service.cfg",
  "boot": {
-    "kernel": "/assets/coreos/1298.7.0/coreos_production_pxe.vmlinuz",
-    "initrd": ["/assets/coreos/1298.7.0/coreos_production_pxe_image.cpio.gz"],
+    "kernel": "/assets/coreos/1967.3.0/coreos_production_pxe.vmlinuz",
+    "initrd": ["/assets/coreos/1967.3.0/coreos_production_pxe_image.cpio.gz"],
    "args": [
      "coreos.config.url=http://matchbox.foo:8080/ignition?uuid=${uuid}&mac=${mac:hexhyp}",
      "coreos.first_boot=yes",
@@ -75,11 +74,11 @@ Profiles reference an Ignition config, Cloud-Config, and/or generic config by na
 }
 ```

-The `"boot"` settings will be used to render configs to network boot programs such as iPXE, GRUB, or Pixiecore. You may reference remote kernel and initrd assets or [local assets](#assets).
+The `"boot"` settings will be used to render configs to network boot programs such as iPXE or GRUB. You may reference remote kernel and initrd assets or [local assets](#assets).

-To use Ignition, set the `coreos.config.url` kernel option to reference the `matchbox` [Ignition endpoint](api.md#ignition-config), which will render the `ignition_id` file. Be sure to add the `coreos.first_boot` option as well.
+To use Ignition, set the `coreos.config.url` kernel option to reference the `matchbox` [Ignition endpoint](api-http.md#ignition-config), which will render the `ignition_id` file. Be sure to add the `coreos.first_boot` option as well.

-To use cloud-config, set the `cloud-config-url` kernel option to reference the `matchbox` [Cloud-Config endpoint](api.md#cloud-config), which will render the `cloud_id` file.
+To use cloud-config, set the `cloud-config-url` kernel option to reference the `matchbox` [Cloud-Config endpoint](api-http.md#cloud-config), which will render the `cloud_id` file.

 ### Groups

@@ -173,14 +172,14 @@ matchbox.foo/assets/

 For example, a `Profile` might refer to a local asset `/assets/coreos/VERSION/coreos_production_pxe.vmlinuz` instead of `http://stable.release.core-os.net/amd64-usr/VERSION/coreos_production_pxe.vmlinuz`.

-See the [get-coreos](../scripts/README.md#get-coreos) script to quickly download, verify, and place CoreOS assets.
+See the [get-fedora-coreos](https://github.com/poseidon/matchbox/blob/master/scripts/get-fedora-coreos) or [get-flatcar](https://github.com/poseidon/matchbox/blob/master/scripts/get-flatcar) scripts to quickly download, verify, and place image assets.

 ## Network

-`matchbox` does not implement or exec a DHCP/TFTP server. Read [network setup](network-setup.md) or use the [coreos/dnsmasq](../contrib/dnsmasq) image if you need a quick DHCP, proxyDHCP, TFTP, or DNS setup.
+`matchbox` does not implement or exec a DHCP/TFTP server. Read [network setup](network-setup.md) or use the [poseidon/dnsmasq](../contrib/dnsmasq) image if you need a quick DHCP, proxyDHCP, TFTP, or DNS setup.

 ## Going further

 * [gRPC API Usage](config.md#grpc-api)
-* [Metadata](api.md#metadata)
-* OpenPGP [Signing](api.md#openpgp-signatures)
+* [Metadata](api-http.md#metadata)
+* OpenPGP [Signing](api-http.md#openpgp-signatures)
--- a/Documentation/network-booting.md
+++ b/Documentation/network-booting.md
@@ -15,7 +15,7 @@ The network environment can be set up in a number of ways, which we'll discuss.

 ### Network boot programs

-Machines can be booted and configured with CoreOS using several network boot programs and approaches. Let's review them. If you're new to network booting or unsure which to choose, iPXE is a reasonable and flexible choice.
+Machines can be booted and configured with CoreOS Container Linux using several network boot programs and approaches. Let's review them. If you're new to network booting or unsure which to choose, iPXE is a reasonable and flexible choice.

 #### PXELINUX

@@ -26,7 +26,7 @@ $ mybootdir/pxelinux.cfg/b8945908-d6a6-41a9-611d-74a6ab80b83d
 $ mybootdir/pxelinux.cfg/default
 ```

-Here is an example PXE config file which boots a CoreOS image hosted on the TFTP server.
+Here is an example PXE config file which boots a Container Linux image hosted on the TFTP server.

 ```
 default coreos
@@ -53,7 +53,7 @@ This approach has a number of drawbacks. TFTP can be slow, managing config files

 A DHCPOFFER to iPXE client firmware specifies an HTTP boot script such as `http://matchbox.foo/boot.ipxe`.

-Here is an example iPXE script for booting the remote CoreOS stable image.
+Here is an example iPXE script for booting the remote Container Linux stable image.

 ```
 #!ipxe
@@ -66,7 +66,7 @@ boot

 A TFTP server is used only to provide the `undionly.kpxe` boot program to older PXE firmware in order to bootstrap into iPXE.

-CoreOS `matchbox` can render signed iPXE scripts to machines based on their hardware attributes. Setup involves configuring your DHCP server to point iPXE clients to the `matchbox` [iPXE endpoint](api.md#ipxe).
+CoreOS `matchbox` can render signed iPXE scripts to machines based on their hardware attributes. Setup involves configuring your DHCP server to point iPXE clients to the `matchbox` [iPXE endpoint](api-http.md#ipxe).

 ## DHCP

--- a/Documentation/network-setup.md
+++ b/Documentation/network-setup.md
@@ -1,8 +1,8 @@
 # Network setup

-This guide shows how to create a DHCP/TFTP/DNS network boot environment to work with `matchbox` to boot and provision PXE, iPXE, or GRUB2 client machines.
+This guide shows how to create a DHCP/TFTP/DNS network boot environment to boot and provision BIOS/PXE, iPXE, or UEFI client machines.

-`matchbox` serves iPXE scripts or GRUB configs over HTTP to serve as the entrypoint for CoreOS cluster bring-up. It does not implement or exec a DHCP, TFTP, or DNS server. Instead, you can configure your own network services to point to `matchbox` or use the convenient [coreos/dnsmasq](../contrib/dnsmasq) container image (used in libvirt demos).
+Matchbox serves iPXE scripts over HTTP to serve as the entrypoint for provisioning clusters. It does not implement or exec a DHCP, TFTP, or DNS server. Instead, configure your network environment to point to Matchbox or use the convenient [quay.io/poseidon/dnsmasq](https://quay.io/repository/poseidon/matchbox) container image (used in local QEMU/KVM setup).

 *Note*: These are just suggestions. Your network administrator or system administrator should choose the right network setup for your company.

@@ -13,13 +13,14 @@ Client hardware must have a network interface which supports PXE or iPXE.
 ## Goals

 * Add a DNS name which resolves to a `matchbox` deploy.
-* Chainload PXE firmware to iPXE or GRUB2
-* Point iPXE clients to `http://matchbox.foo:port/boot.ipxe`
-* Point GRUB clients to `http://matchbox.foo:port/grub`
+* Chainload BIOS clients (legacy PXE) to iPXE (undionly.kpxe)
+* Chainload UEFI clients to iPXE (ipxe.efi)
+* Point iPXE clients to `http://matchbox.example.com:port/boot.ipxe`
+* Point GRUB clients to `http://matchbox.example.com:port/grub`

 ## Setup

-Many companies already have DHCP/TFTP configured to "PXE-boot" PXE/iPXE clients. In this case, machines (or a subset of machines) can be made to chainload from `chain http://matchbox.foo:port/boot.ipxe`. Older PXE clients can be made to chainload into iPXE or GRUB to be able to fetch subsequent configs via HTTP.
+Many companies already have DHCP/TFTP configured to "PXE-boot" PXE/iPXE clients. In this case, machines (or a subset of machines) can be made to chainload from `chain http://matchbox.example.com:port/boot.ipxe`. Older PXE clients can be made to chainload into iPXE to be able to fetch subsequent configs via HTTP.

 On simpler networks, such as what a developer might have at home, a relatively inflexible DHCP server may be in place, with no TFTP server. In this case, a proxy DHCP server can be run alongside a non-PXE capable DHCP server.

@@ -27,21 +28,21 @@ This diagram can point you to the **right section(s)** of this document.

 ![Network Setup](img/network-setup-flow.png)

-The setup of DHCP, TFTP, and DNS services on a network varies greatly. If you wish to use rkt or Docker to quickly run DHCP, proxyDHCP TFTP, or DNS services, use [coreos/dnsmasq](#coreosdnsmasq).
+The setup of DHCP, TFTP, and DNS services on a network varies greatly. If you wish to use Docker to quickly run DHCP, proxyDHCP TFTP, or DNS services, use [poseidon/dnsmasq](#poseidondnsmasq).

 ## DNS

-Add a DNS entry (e.g. `matchbox.foo`, `provisoner.mycompany-internal`) that resolves to a deployment of the CoreOS `matchbox` service from machines you intend to boot and provision.
+Add a DNS entry (e.g. `matchbox.example.com`, `provisoner.mycompany-internal`) that resolves to a deployment of the CoreOS `matchbox` service from machines you intend to boot and provision.

 ```sh
-$ dig matchbox.foo
+$ dig matchbox.example.com
 ```

 If you deployed `matchbox` to a known IP address (e.g. dedicated host, load balanced endpoint, Kubernetes NodePort) and use `dnsmasq`, a domain name to IPv4/IPv6 address mapping could be added to the `/etc/dnsmasq.conf`.

 ```
 # dnsmasq.conf
-address=/matchbox.foo/172.18.0.2
+address=/matchbox.example.com/172.18.0.2
 ```

 ## iPXE
@@ -50,7 +51,7 @@ Networks which already run DHCP and TFTP services to network boot PXE/iPXE clien

 ```
 # /var/www/html/ipxe/default.ipxe
-chain http://matchbox.foo:8080/boot.ipxe
+chain http://matchbox.example.com:8080/boot.ipxe
 ```

 You can chainload from a menu entry or use other [iPXE commands](http://ipxe.org/cmd) if you need to do more than simple delegation.
@@ -67,26 +68,35 @@ dhcp-range=192.168.1.1,192.168.1.254,30m
 enable-tftp
 tftp-root=/var/lib/tftpboot

-# if request comes from older PXE ROM, chainload to iPXE (via TFTP)
-dhcp-boot=tag:!ipxe,undionly.kpxe
-# if request comes from iPXE user class, set tag "ipxe"
+# Legacy PXE
+dhcp-match=set:bios,option:client-arch,0
+dhcp-boot=tag:bios,undionly.kpxe
+
+# UEFI
+dhcp-match=set:efi32,option:client-arch,6
+dhcp-boot=tag:efi32,ipxe.efi
+dhcp-match=set:efibc,option:client-arch,7
+dhcp-boot=tag:efibc,ipxe.efi
+dhcp-match=set:efi64,option:client-arch,9
+dhcp-boot=tag:efi64,ipxe.efi
+
+# iPXE - chainload to matchbox ipxe boot script
 dhcp-userclass=set:ipxe,iPXE
-# point ipxe tagged requests to the matchbox iPXE boot script (via HTTP)
-dhcp-boot=tag:ipxe,http://matchbox.foo:8080/boot.ipxe
+dhcp-boot=tag:ipxe,http://matchbox.example.com:8080/boot.ipxe

 # verbose
 log-queries
 log-dhcp

-# static DNS assignements
-address=/matchbox.foo/192.168.1.100
+# static DNS assignments
+address=/matchbox.example.com/192.168.1.100

 # (optional) disable DNS and specify alternate
 # port=0
 # dhcp-option=6,192.168.1.100
 ```

-Add [unidonly.kpxe](http://boot.ipxe.org/undionly.kpxe) (and undionly.kpxe.0 if using dnsmasq) to your tftp-root (e.g. `/var/lib/tftpboot`).
+Add [ipxe.efi](http://boot.ipxe.org/ipxe.efi) and [unidonly.kpxe](http://boot.ipxe.org/undionly.kpxe) to your tftp-root (e.g. `/var/lib/tftpboot`).

 ```sh
 $ sudo systemctl start dnsmasq
@@ -113,7 +123,7 @@ pxe-service=tag:#ipxe,x86PC,"PXE chainload to iPXE",undionly.kpxe
 # if request comes from iPXE user class, set tag "ipxe"
 dhcp-userclass=set:ipxe,iPXE
 # point ipxe tagged requests to the matchbox iPXE boot script (via HTTP)
-pxe-service=tag:ipxe,x86PC,"iPXE",http://matchbox.foo:8080/boot.ipxe
+pxe-service=tag:ipxe,x86PC,"iPXE",http://matchbox.example.com:8080/boot.ipxe

 # verbose
 log-queries
@@ -128,7 +138,7 @@ $ sudo firewall-cmd --add-service=dhcp --add-service=tftp [--add-service=dns]
 $ sudo firewall-cmd --list-services
 ```

-See [dnsmasq](#coreosdnsmasq) below to run dnsmasq with a container.
+See [dnsmasq](#poseidon/dnsmasq) below to run dnsmasq with a container.

 ### Configurable TFTP

@@ -141,40 +151,33 @@ timeout 10
 default iPXE
 LABEL iPXE
 KERNEL ipxe.lkrn
-APPEND dhcp && chain http://matchbox.foo:8080/boot.ipxe
+APPEND dhcp && chain http://matchbox.example.com:8080/boot.ipxe
 ```

 Add ipxe.lkrn to `/var/lib/tftpboot` (see [iPXE docs](http://ipxe.org/embed)).

-## coreos/dnsmasq
+## poseidon/dnsmasq

-The [quay.io/coreos/dnsmasq](https://quay.io/repository/coreos/dnsmasq) container image can run DHCP, TFTP, and DNS services via rkt or docker. The image bundles `undionly.kpxe` and `grub.efi` for convenience. See [contrib/dnsmasq](contrib/dnsmasq) for details.
+The [quay.io/poseidon/dnsmasq](https://quay.io/repository/poseidon/dnsmasq) container image can run DHCP, TFTP, and DNS services via docker. The image bundles `ipxe.efi`, `undionly.kpxe`, and `grub.efi` for convenience. See [contrib/dnsmasq](https://github.com/poseidon/matchbox/tree/master/contrib/dnsmasq) for details.

 Run DHCP, TFTP, and DNS on the host's network:

 ```sh
-sudo rkt run --net=host quay.io/coreos/dnsmasq \
-  --caps-retain=CAP_NET_ADMIN,CAP_NET_BIND_SERVICE \
-  -- -d -q \
-  --dhcp-range=192.168.1.3,192.168.1.254 \
-  --enable-tftp \
-  --tftp-root=/var/lib/tftpboot \
-  --dhcp-userclass=set:ipxe,iPXE \
-  --dhcp-boot=tag:#ipxe,undionly.kpxe \
-  --dhcp-boot=tag:ipxe,http://matchbox.example.com:8080/boot.ipxe \
-  --address=/matchbox.example.com/192.168.1.2 \
-  --log-queries \
-  --log-dhcp
-```
-```sh
-sudo docker run --rm --cap-add=NET_ADMIN --net=host quay.io/coreos/dnsmasq \
+sudo docker run --rm --cap-add=NET_ADMIN --net=host quay.io/poseidon/dnsmasq \
  -d -q \
  --dhcp-range=192.168.1.3,192.168.1.254 \
  --enable-tftp --tftp-root=/var/lib/tftpboot \
+  --dhcp-match=set:bios,option:client-arch,0 \
+  --dhcp-boot=tag:bios,undionly.kpxe \
+  --dhcp-match=set:efi32,option:client-arch,6 \
+  --dhcp-boot=tag:efi32,ipxe.efi \
+  --dhcp-match=set:efibc,option:client-arch,7 \
+  --dhcp-boot=tag:efibc,ipxe.efi \
+  --dhcp-match=set:efi64,option:client-arch,9 \
+  --dhcp-boot=tag:efi64,ipxe.efi \
  --dhcp-userclass=set:ipxe,iPXE \
-  --dhcp-boot=tag:#ipxe,undionly.kpxe \
  --dhcp-boot=tag:ipxe,http://matchbox.example.com:8080/boot.ipxe \
-  --address=/matchbox.example/192.168.1.2 \
+  --address=/matchbox.example.com/192.168.1.2 \
  --log-queries \
  --log-dhcp
 ```
@@ -182,25 +185,15 @@ sudo docker run --rm --cap-add=NET_ADMIN --net=host quay.io/coreos/dnsmasq \
 Run a proxy-DHCP and TFTP service on the host's network:

 ```sh
-sudo rkt run --net=host quay.io/coreos/dnsmasq \
-  --caps-retain=CAP_NET_ADMIN,CAP_NET_BIND_SERVICE \
-  -- -d -q \
-  --dhcp-range=192.168.1.1,proxy,255.255.255.0 \
-  --enable-tftp --tftp-root=/var/lib/tftpboot \
-  --dhcp-userclass=set:ipxe,iPXE \
-  --pxe-service=tag:#ipxe,x86PC,"PXE chainload to iPXE",undionly.kpxe \
-  --pxe-service=tag:ipxe,x86PC,"iPXE",http://matchbox.example.com:8080/boot.ipxe \
-  --log-queries \
-  --log-dhcp
-```
-```sh
-sudo docker run --rm --cap-add=NET_ADMIN --net=host quay.io/coreos/dnsmasq \
+sudo docker run --rm --cap-add=NET_ADMIN --net=host quay.io/poseidon/dnsmasq \
  -d -q \
  --dhcp-range=192.168.1.1,proxy,255.255.255.0 \
  --enable-tftp --tftp-root=/var/lib/tftpboot \
  --dhcp-userclass=set:ipxe,iPXE \
  --pxe-service=tag:#ipxe,x86PC,"PXE chainload to iPXE",undionly.kpxe \
  --pxe-service=tag:ipxe,x86PC,"iPXE",http://matchbox.example.com:8080/boot.ipxe \
+  --pxe-service=tag:#ipxe,X86-64_EFI,"PXE chainload to iPXE UEFI",ipxe.efi \
+  --pxe-service=tag:ipxe,X86-64_EFI,"iPXE UEFI",http:///matchbox.example.com:8080/boot.ipxe \
  --log-queries \
  --log-dhcp
 ```
@@ -211,20 +204,19 @@ Be sure to allow enabled services in your firewall configuration.
 $ sudo firewall-cmd --add-service=dhcp --add-service=tftp --add-service=dns
 ```

-## GRUB
+## UEFI

-Grub can be used to delegate as well.
+### Development

-`grub-mknetdir --net-directory=/var/lib/tftpboot`
+Install the dependencies for [QEMU with UEFI](https://fedoraproject.org/wiki/Using_UEFI_with_QEMU). Walk through the [getting-started-with-docker](getting-started-docker.md) tutorial. Launch client VMs using `create-uefi`.

-/var/lib/tftpboot/boot/grub/grub.cfg:
-```ini
-insmod i386-pc/http.mod
-set root=http,matchbox.foo:8080
-configfile /grub
+Create UEFI QEMU/KVM VMs attached to the `docker0` bridge.
+
+```sh
+$ sudo ./scripts/libvirt create-uefi
 ```

-Make sure to replace variables in the example config files; instead of iPXE variables, use GRUB variables. Check the [GRUB2 manual](https://www.gnu.org/software/grub/manual/grub.html#Network).
+UEFI clients should chainload `ipxe.efi`, load iPXE and Ignition configs from Matchbox, and Container Linux should boot as usual.

 ## Troubleshooting

--- a/Documentation/openpgp.md
+++ b/Documentation/openpgp.md
--- a/docs/troubleshooting.md
+++ b/docs/troubleshooting.md
@@ -0,0 +1,19 @@
+# Troubleshooting
+
+## Firewall
+
+Running DHCP or proxyDHCP with `poseidon/dnsmasq` on a host requires that the Firewall allow DHCP and TFTP (for chainloading) services to run.
+
+## Port collision
+
+Running DHCP or proxyDHCP can cause port already in use collisions depending on what's running. Fedora runs bootp listening on udp/67 for example. Find the service using the port.
+
+```sh
+$ sudo lsof -i :67
+```
+
+Evaluate whether you can configure the existing service or whether you'd like to stop it and test with `poseidon/dnsmasq`.
+
+## No boot filename received
+
+PXE client firmware did not receive a DHCP Offer with PXE-Options after several attempts. If you're using the `poseidon/dnsmasq` image with `-d`, each request should log to stdout. Using the wrong `-i` interface is the most common reason DHCP requests are not received. Otherwise, wireshark can be useful for investigating.
--- a/examples/README.md
+++ b/examples/README.md
@@ -1,53 +1,62 @@
-
 # Examples

-These examples network boot and provision machines into Container Linux clusters using `matchbox`. You can re-use their profiles to provision your own physical machines.
+Matchbox automates network booting and provisioning of clusters. These examples show how to use Matchbox on-premise or locally with QEMU/KVM.

-| Name       | Description | CoreOS Version | FS | Docs | 
-|------------|-------------|----------------|----|-----------|
-| simple | CoreOS with autologin, using iPXE | stable/1298.7.0 | RAM | [reference](https://coreos.com/os/docs/latest/booting-with-ipxe.html) |
-| simple-install | CoreOS Install, using iPXE | stable/1298.7.0 | RAM | [reference](https://coreos.com/os/docs/latest/booting-with-ipxe.html) |
-| grub | CoreOS via GRUB2 Netboot | stable/1298.7.0 | RAM | NA |
-| etcd3 | A 3 node etcd3 cluster with proxies | stable/1298.7.0 | RAM | None |
-| etcd3-install | Install a 3 node etcd3 cluster to disk | stable/1298.7.0 | Disk | None |
-| k8s | Kubernetes cluster with 1 master, 2 workers, and TLS-authentication | stable/1298.7.0 | Disk | [tutorial](../Documentation/kubernetes.md) |
-| k8s-install | Kubernetes cluster, installed to disk | stable/1298.7.0 | Disk | [tutorial](../Documentation/kubernetes.md) |
-| rktnetes | Kubernetes cluster with rkt container runtime, 1 master, workers, TLS auth (experimental) | stable/1298.7.0 | Disk | [tutorial](../Documentation/rktnetes.md) |
-| rktnetes-install | Kubernetes cluster with rkt container runtime, installed to disk (experimental) | stable/1298.7.0 | Disk | [tutorial](../Documentation/rktnetes.md) |
-| bootkube | iPXE boot a self-hosted Kubernetes cluster (with bootkube) | stable/1298.7.0 | Disk | [tutorial](../Documentation/bootkube.md) |
-| bootkube-install | Install a self-hosted Kubernetes cluster (with bootkube) | stable/1298.7.0 | Disk | [tutorial](../Documentation/bootkube.md) |
+## Terraform Examples

-## Tutorials
+These examples use [Terraform](https://www.terraform.io/intro/) as a client to Matchbox.

-Get started running `matchbox` on your Linux machine to network boot and provision clusters of VMs or physical hardware.
+| Name                          | Description                   |
+|-------------------------------|-------------------------------|
+| [fedora-coreos-install](terraform/fedora-coreos-install) | Fedora CoreOS disk install |
+| [flatcar-install](terraform/flatcar-install) | Flatcar Linux disk install |

-* [Getting Started](../Documentation/getting-started.md)
-	* [matchbox with rkt](../Documentation/getting-started-rkt.md)
-	* [matchbox with Docker](../Documentation/getting-started-docker.md)
-* [Kubernetes (static manifests)](../Documentation/kubernetes.md)
-* [Kubernetes (rktnetes)](../Documentation/rktnetes.md)
-* [Kubernetes (self-hosted)](../Documentation/bootkube.md)
-* [Lab Examples](https://github.com/dghubble/metal)
+### Customization

-## Autologin
+Look through the examples and Terraform modules and use them as a starting point. Learn more about [matchbox](../docs/matchbox.md).

-Example profiles pass the `coreos.autologin` kernel argument. This skips the password prompt for development and troubleshooting and should be removed **before production**.
+## Manual Examples

-## SSH Keys
+These examples mount raw Matchbox objects into a Matchbox server's `/var/lib/matchbox/` directory.

-Example groups allow `ssh_authorized_keys` to be added for the `core` user as metadata. You might also include this directly in your Ignition.
+| Name          | Description                  | FS  | Docs  |
+|---------------|------------------------------|-----|-------|
+| fedora-coreos | Fedora CoreOS live PXE       | RAM | [docs](https://docs.fedoraproject.org/en-US/fedora-coreos/live-booting/) |
+| fedora-coreos-install | Fedora CoreOS install | Disk | [docs](https://docs.fedoraproject.org/en-US/fedora-coreos/bare-metal/) |
+| flatcar       | Flatcar Linux live PXE       | RAM | [docs](https://docs.flatcar-linux.org/os/booting-with-ipxe/) |
+| flatcar-install | Flatcar Linux install      | Disk | [docs](https://docs.flatcar-linux.org/os/booting-with-ipxe/) |

-    # /var/lib/matchbox/groups/default.json
-    {
-        "name": "Example Machine Group",
-        "profile": "pxe",
-        "metadata": {
-            "ssh_authorized_keys": ["ssh-rsa pub-key-goes-here"]
-        }
-    }
+### SSH Access

-## Conditional Variables
+For Fedora CoreOS, add an SSH authorized key to the Butane Config (`ignition/fedora-coreos.yaml`) and regenerate the Ignition Config.

-### "pxe"
+```yaml
+variant: fcos
+version: 1.4.0
+passwd:
+  users:
+    - name: core
+      ssh_authorized_keys:
+        - ssh-ed25519 SET_PUBKEY_HERE
+```

-Some examples check the `pxe` variable to determine whether to create a `/dev/sda1` filesystem and partition for PXEing with `root=/dev/sda1` ("pxe":"true") or to write files to the existing filesystem on `/dev/disk/by-label/ROOT` ("pxe":"false").
+```
+podman run -i --rm quay.io/coreos/fcct:release --pretty --strict < fedora-coreos.yaml > fedora-coreos.ign
+```
+
+For Flatcar Linux, add an SSH authorized key to the Butane config (`ignition/flatcar.yaml` or `ignition/flatcar-install.yaml`) and regenerate the Ignition Config.
+
+```yaml
+variant: flatcar
+version: 1.0.0
+passwd:
+  users:
+    - name: core
+      ssh_authorized_keys:
+        - ssh-ed25519 SET_PUBKEY_HERE
+```
+
+```
+podman run -i --rm quay.io/coreos/fcct:release --pretty --strict < flatcar.yaml > flatcar.ign
+podman run -i --rm quay.io/coreos/fcct:release --pretty --strict < flatcar-install.yaml > flatcar-install.ign
+```
--- a/examples/etc/matchbox/README.md
+++ b/examples/etc/matchbox/README.md
@@ -1,44 +0,0 @@
-
-## gRPC API Credentials
-
-Create FAKE TLS credentials for running the `matchbox` gRPC API examples.
-
-**DO NOT** use these certificates for anything other than running `matchbox` examples. Use your organization's production PKI for production deployments.
-
-Navigate to the example directory which will be mounted as `/etc/matchbox` in examples:
-
-    cd matchbox/examples/etc/matchbox
-
-Set certificate subject alt names which should be used by exporting `SAN`. Use the DNS name or IP at which `matchbox` is hosted.
-
-    # for examples on metal0 or docker0 bridges
-    export SAN=IP.1:127.0.0.1,IP.2:172.18.0.2
-
-    # production example
-    export SAN=DNS.1:matchbox.example.com
-
-Create a fake `ca.crt`, `server.crt`, `server.key`, `client.crt`, and `client.key`. Type 'Y' when prompted.
-
-    $ ./cert-gen
-    Creating FAKE CA, server cert/key, and client cert/key...
-    ...
-    ...
-    ...
-    ******************************************************************
-    WARNING: Generated TLS credentials are ONLY SUITABLE FOR EXAMPLES!
-    Use your organization's production PKI for production deployments!
-
-## Inpsect
-
-Inspect the generated FAKE certificates if desired.
-
-    openssl x509 -noout -text -in ca.crt
-    openssl x509 -noout -text -in server.crt
-    openssl x509 -noout -text -in client.crt
-
-## Verify
-
-Verify that the FAKE server and client certificates were signed by the fake CA.
-
-    openssl verify -CAfile ca.crt server.crt
-    openssl verify -CAfile ca.crt client.crt
--- a/examples/groups/bootkube-install/install.json
+++ b/examples/groups/bootkube-install/install.json
@@ -1,11 +0,0 @@
-{
-  "id": "coreos-install",
-  "name": "CoreOS Install",
-  "profile": "install-reboot",
-  "metadata": {
-    "coreos_channel": "stable",
-    "coreos_version": "1298.7.0",
-    "ignition_endpoint": "http://matchbox.foo:8080/ignition",
-    "baseurl": "http://matchbox.foo:8080/assets/coreos"
-  }
-}
--- a/examples/groups/bootkube-install/node1.json
+++ b/examples/groups/bootkube-install/node1.json
@@ -1,18 +0,0 @@
-{
-  "id": "node1",
-  "name": "Controller Node",
-  "profile": "bootkube-controller",
-  "selector": {
-    "mac": "52:54:00:a1:9c:ae",
-    "os": "installed"
-  },
-  "metadata": {
-    "domain_name": "node1.example.com",
-    "etcd_initial_cluster": "node1=http://node1.example.com:2380",
-    "etcd_name": "node1",
-    "k8s_dns_service_ip": "10.3.0.10",
-    "ssh_authorized_keys": [
-      "ADD ME"
-    ]
-  }
-}
--- a/examples/groups/bootkube-install/node2.json
+++ b/examples/groups/bootkube-install/node2.json
@@ -1,17 +0,0 @@
-{
-  "id": "node2",
-  "name": "Worker Node",
-  "profile": "bootkube-worker",
-  "selector": {
-    "mac": "52:54:00:b2:2f:86",
-    "os": "installed"
-  },
-  "metadata": {
-    "domain_name": "node2.example.com",
-    "etcd_endpoints": "node1.example.com:2379",
-    "k8s_dns_service_ip": "10.3.0.10",
-    "ssh_authorized_keys": [
-      "ADD ME"
-    ]
-  }
-}
--- a/examples/groups/bootkube-install/node3.json
+++ b/examples/groups/bootkube-install/node3.json
@@ -1,17 +0,0 @@
-{
-  "id": "node3",
-  "name": "Worker Node",
-  "profile": "bootkube-worker",
-  "selector": {
-    "mac": "52:54:00:c3:61:77",
-    "os": "installed"
-  },
-  "metadata": {
-    "domain_name": "node3.example.com",
-    "etcd_endpoints": "node1.example.com:2379",
-    "k8s_dns_service_ip": "10.3.0.10",
-    "ssh_authorized_keys": [
-      "ADD ME"
-    ]
-  }
-}
--- a/examples/groups/bootkube/node1.json
+++ b/examples/groups/bootkube/node1.json
@@ -1,18 +0,0 @@
-{
-  "id": "node1",
-  "name": "Controller Node",
-  "profile": "bootkube-controller",
-  "selector": {
-    "mac": "52:54:00:a1:9c:ae"
-  },
-  "metadata": {
-    "domain_name": "node1.example.com",
-    "etcd_initial_cluster": "node1=http://node1.example.com:2380",
-    "etcd_name": "node1",
-    "k8s_dns_service_ip": "10.3.0.10",
-    "pxe": "true",
-    "ssh_authorized_keys": [
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPQFdwVLr+alsWIgYRz9OdqDhnx9jjuFbkdSdpqq4gd9uZApYlivMDD4UgjFazQpezx8DiNhu9ym7i6LgAcdwi+10hE4L9yoJv9uBgbBxOAd65znqLqF91NtV4mlKP5YfJtR7Ehs+pTB+IIC+o5veDbPn+BYgDMJ2x7Osbn1/gFSDken/yoOFbYbRMGMfVEQYjJzC4r/qCKH0bl/xuVNLxf9FkWSTCcQFKGOndwuGITDkshD4r2Kk8gUddXPxoahBv33/2QH0CY5zbKYjhgN6I6WtwO+O1uJwtNeV1AGhYjurdd60qggNwx+W7623uK3nIXvJd3hzDO8u5oa53/tIL fake-test-key-REMOVE-ME"
-    ]
-  }
-}
--- a/examples/groups/bootkube/node2.json
+++ b/examples/groups/bootkube/node2.json
@@ -1,17 +0,0 @@
-{
-  "id": "node2",
-  "name": "Worker Node",
-  "profile": "bootkube-worker",
-  "selector": {
-    "mac": "52:54:00:b2:2f:86"
-  },
-  "metadata": {
-    "domain_name": "node2.example.com",
-    "etcd_endpoints": "node1.example.com:2379",
-    "k8s_dns_service_ip": "10.3.0.10",
-    "pxe": "true",
-    "ssh_authorized_keys": [
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPQFdwVLr+alsWIgYRz9OdqDhnx9jjuFbkdSdpqq4gd9uZApYlivMDD4UgjFazQpezx8DiNhu9ym7i6LgAcdwi+10hE4L9yoJv9uBgbBxOAd65znqLqF91NtV4mlKP5YfJtR7Ehs+pTB+IIC+o5veDbPn+BYgDMJ2x7Osbn1/gFSDken/yoOFbYbRMGMfVEQYjJzC4r/qCKH0bl/xuVNLxf9FkWSTCcQFKGOndwuGITDkshD4r2Kk8gUddXPxoahBv33/2QH0CY5zbKYjhgN6I6WtwO+O1uJwtNeV1AGhYjurdd60qggNwx+W7623uK3nIXvJd3hzDO8u5oa53/tIL fake-test-key-REMOVE-ME"
-    ]
-  }
-}
--- a/examples/groups/bootkube/node3.json
+++ b/examples/groups/bootkube/node3.json
@@ -1,17 +0,0 @@
-{
-  "id": "node3",
-  "name": "Worker Node",
-  "profile": "bootkube-worker",
-  "selector": {
-    "mac": "52:54:00:c3:61:77"
-  },
-  "metadata": {
-    "domain_name": "node3.example.com",
-    "etcd_endpoints": "node1.example.com:2379",
-    "k8s_dns_service_ip": "10.3.0.10",
-    "pxe": "true",
-    "ssh_authorized_keys": [
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPQFdwVLr+alsWIgYRz9OdqDhnx9jjuFbkdSdpqq4gd9uZApYlivMDD4UgjFazQpezx8DiNhu9ym7i6LgAcdwi+10hE4L9yoJv9uBgbBxOAd65znqLqF91NtV4mlKP5YfJtR7Ehs+pTB+IIC+o5veDbPn+BYgDMJ2x7Osbn1/gFSDken/yoOFbYbRMGMfVEQYjJzC4r/qCKH0bl/xuVNLxf9FkWSTCcQFKGOndwuGITDkshD4r2Kk8gUddXPxoahBv33/2QH0CY5zbKYjhgN6I6WtwO+O1uJwtNeV1AGhYjurdd60qggNwx+W7623uK3nIXvJd3hzDO8u5oa53/tIL fake-test-key-REMOVE-ME"
-    ]
-  }
-}
--- a/examples/groups/etcd3-install/gateway.json
+++ b/examples/groups/etcd3-install/gateway.json
@@ -1,11 +0,0 @@
-{
-  "id": "default",
-  "name": "default",
-  "profile": "etcd3-gateway",
-  "selector": {
-    "os": "installed"
-  },
-  "metadata": {
-    "etcd_endpoints": "node1.example.com:2379,node2.example.com:2379,node3.example.com:2379"
-  }
-}
--- a/examples/groups/etcd3-install/install.json
+++ b/examples/groups/etcd3-install/install.json
@@ -1,11 +0,0 @@
-{
-  "id": "coreos-install",
-  "name": "CoreOS Install",
-  "profile": "install-reboot",
-  "metadata": {
-    "coreos_channel": "stable",
-    "coreos_version": "1298.7.0",
-    "ignition_endpoint": "http://matchbox.foo:8080/ignition",
-    "baseurl": "http://matchbox.foo:8080/assets/coreos"
-  }
-}
--- a/examples/groups/etcd3-install/node1.json
+++ b/examples/groups/etcd3-install/node1.json
@@ -1,14 +0,0 @@
-{
-  "id": "node1",
-  "name": "etcd Node 1",
-  "profile": "etcd3",
-  "selector": {
-    "mac": "52:54:00:a1:9c:ae",
-    "os": "installed"
-  },
-  "metadata": {
-    "domain_name": "node1.example.com",
-    "etcd_name": "node1",
-    "etcd_initial_cluster": "node1=http://node1.example.com:2380,node2=http://node2.example.com:2380,node3=http://node3.example.com:2380"
-  }
-}
--- a/examples/groups/etcd3-install/node2.json
+++ b/examples/groups/etcd3-install/node2.json
@@ -1,14 +0,0 @@
-{
-  "id": "node2",
-  "name": "etcd Node 2",
-  "profile": "etcd3",
-  "selector": {
-    "mac": "52:54:00:b2:2f:86",
-    "os": "installed"
-  },
-  "metadata": {
-    "domain_name": "node2.example.com",
-    "etcd_name": "node2",
-    "etcd_initial_cluster": "node1=http://node1.example.com:2380,node2=http://node2.example.com:2380,node3=http://node3.example.com:2380"
-  }
-}
--- a/examples/groups/etcd3-install/node3.json
+++ b/examples/groups/etcd3-install/node3.json
@@ -1,14 +0,0 @@
-{
-  "id": "node3",
-  "name": "etcd Node 3",
-  "profile": "etcd3",
-  "selector": {
-    "mac": "52:54:00:c3:61:77",
-    "os": "installed"
-  },
-  "metadata": {
-    "domain_name": "node3.example.com",
-    "etcd_name": "node3",
-    "etcd_initial_cluster": "node1=http://node1.example.com:2380,node2=http://node2.example.com:2380,node3=http://node3.example.com:2380"
-  }
-}
--- a/examples/groups/etcd3/gateway.json
+++ b/examples/groups/etcd3/gateway.json
@@ -1,8 +0,0 @@
-{
-  "id": "default",
-  "name": "default",
-  "profile": "etcd3-gateway",
-  "metadata": {
-    "etcd_endpoints": "node1.example.com:2379,node2.example.com:2379,node3.example.com:2379"
-  }
-}
--- a/examples/groups/etcd3/node1.json
+++ b/examples/groups/etcd3/node1.json
@@ -1,13 +0,0 @@
-{
-  "id": "node1",
-  "name": "etcd Node 1",
-  "profile": "etcd3",
-  "selector": {
-    "mac": "52:54:00:a1:9c:ae"
-  },
-  "metadata": {
-    "domain_name": "node1.example.com",
-    "etcd_name": "node1",
-    "etcd_initial_cluster": "node1=http://node1.example.com:2380,node2=http://node2.example.com:2380,node3=http://node3.example.com:2380"
-  }
-}
--- a/examples/groups/etcd3/node2.json
+++ b/examples/groups/etcd3/node2.json
@@ -1,13 +0,0 @@
-{
-  "id": "node2",
-  "name": "etcd Node 2",
-  "profile": "etcd3",
-  "selector": {
-    "mac": "52:54:00:b2:2f:86"
-  },
-  "metadata": {
-    "domain_name": "node2.example.com",
-    "etcd_name": "node2",
-    "etcd_initial_cluster": "node1=http://node1.example.com:2380,node2=http://node2.example.com:2380,node3=http://node3.example.com:2380"
-  }
-}
--- a/examples/groups/etcd3/node3.json
+++ b/examples/groups/etcd3/node3.json
@@ -1,13 +0,0 @@
-{
-  "id": "node3",
-  "name": "etcd Node 3",
-  "profile": "etcd3",
-  "selector": {
-    "mac": "52:54:00:c3:61:77"
-  },
-  "metadata": {
-    "domain_name": "node3.example.com",
-    "etcd_name": "node3",
-    "etcd_initial_cluster": "node1=http://node1.example.com:2380,node2=http://node2.example.com:2380,node3=http://node3.example.com:2380"
-  }
-}
--- a/examples/groups/fedora-coreos-install/default.json
+++ b/examples/groups/fedora-coreos-install/default.json
@@ -0,0 +1,7 @@
+{
+  "id": "default",
+  "name": "Fedora CoreOS install",
+  "profile": "fedora-coreos-install",
+  "selector": {},
+  "metadata": {}
+}
--- a/examples/groups/fedora-coreos/default.json
+++ b/examples/groups/fedora-coreos/default.json
@@ -0,0 +1,7 @@
+{
+  "id": "default",
+  "name": "Fedora CoreOS",
+  "profile": "fedora-coreos",
+  "selector": {},
+  "metadata": {}
+}
--- a/examples/groups/flatcar-install/flatcar.json
+++ b/examples/groups/flatcar-install/flatcar.json
@@ -0,0 +1,9 @@
+{
+  "id": "stage-1",
+  "name": "Flatcar Linux",
+  "profile": "flatcar",
+  "selector": {
+    "os": "installed"
+  },
+  "metadata": {}
+}
--- a/examples/groups/flatcar-install/install.json
+++ b/examples/groups/flatcar-install/install.json
@@ -0,0 +1,6 @@
+{
+  "id": "stage-0",
+  "name": "Flatcar Linux install",
+  "profile": "flatcar-install",
+  "metadata": {}
+}
--- a/examples/groups/flatcar/default.json
+++ b/examples/groups/flatcar/default.json
@@ -0,0 +1,7 @@
+{
+  "id": "default",
+  "name": "Flatcar Linux",
+  "profile": "flatcar",
+  "selector": {},
+  "metadata": {}
+}
--- a/examples/groups/grub/default.json
+++ b/examples/groups/grub/default.json
@@ -1,5 +0,0 @@
-{
-  "id": "default",
-  "name": "GRUB CoreOS alpha",
-  "profile": "grub"
-}
--- a/examples/groups/k8s-install/install.json
+++ b/examples/groups/k8s-install/install.json
@@ -1,11 +0,0 @@
-{
-  "id": "coreos-install",
-  "name": "CoreOS Install",
-  "profile": "install-reboot",
-  "metadata": {
-    "coreos_channel": "stable",
-    "coreos_version": "1298.7.0",
-    "ignition_endpoint": "http://matchbox.foo:8080/ignition",
-    "baseurl": "http://matchbox.foo:8080/assets/coreos"
-  }
-}
--- a/examples/groups/k8s-install/node1.json
+++ b/examples/groups/k8s-install/node1.json
@@ -1,20 +0,0 @@
-{
-  "id": "node1",
-  "name": "k8s controller",
-  "profile": "k8s-controller",
-  "selector": {
-    "os": "installed",
-    "mac": "52:54:00:a1:9c:ae"
-  },
-  "metadata": {
-    "container_runtime": "docker",
-    "domain_name": "node1.example.com",
-    "etcd_initial_cluster": "node1=http://node1.example.com:2380",
-    "etcd_name": "node1",
-    "k8s_cert_endpoint": "http://matchbox.foo:8080/assets",
-    "k8s_dns_service_ip": "10.3.0.10",
-    "k8s_etcd_endpoints": "http://node1.example.com:2379",
-    "k8s_pod_network": "10.2.0.0/16",
-    "k8s_service_ip_range": "10.3.0.0/24"
-  }
-}
--- a/examples/groups/k8s-install/node2.json
+++ b/examples/groups/k8s-install/node2.json
@@ -1,18 +0,0 @@
-{
-  "id": "node2",
-  "name": "k8s worker",
-  "profile": "k8s-worker",
-  "selector": {
-    "os": "installed",
-    "mac": "52:54:00:b2:2f:86"
-  },
-  "metadata": {
-    "container_runtime": "docker",
-    "domain_name": "node2.example.com",
-    "etcd_initial_cluster": "node1=http://node1.example.com:2380",
-    "k8s_cert_endpoint": "http://matchbox.foo:8080/assets",
-    "k8s_controller_endpoint": "https://node1.example.com",
-    "k8s_dns_service_ip": "10.3.0.10",
-    "k8s_etcd_endpoints": "http://node1.example.com:2379"
-  }
-}
--- a/examples/groups/k8s-install/node3.json
+++ b/examples/groups/k8s-install/node3.json
@@ -1,18 +0,0 @@
-{
-  "id": "node3",
-  "name": "k8s worker",
-  "profile": "k8s-worker",
-  "selector": {
-    "os": "installed",
-    "mac": "52:54:00:c3:61:77"
-  },
-  "metadata": {
-    "container_runtime": "docker",
-    "domain_name": "node3.example.com",
-    "etcd_initial_cluster": "node1=http://node1.example.com:2380",
-    "k8s_cert_endpoint": "http://matchbox.foo:8080/assets",
-    "k8s_controller_endpoint": "https://node1.example.com",
-    "k8s_dns_service_ip": "10.3.0.10",
-    "k8s_etcd_endpoints": "http://node1.example.com:2379"
-  }
-}
--- a/examples/groups/k8s/node1.json
+++ b/examples/groups/k8s/node1.json
@@ -1,20 +0,0 @@
-{
-  "id": "node1",
-  "name": "k8s controller",
-  "profile": "k8s-controller",
-  "selector": {
-    "mac": "52:54:00:a1:9c:ae"
-  },
-  "metadata": {
-    "container_runtime": "docker",
-    "domain_name": "node1.example.com",
-    "etcd_initial_cluster": "node1=http://node1.example.com:2380",
-    "etcd_name": "node1",
-    "k8s_cert_endpoint": "http://matchbox.foo:8080/assets",
-    "k8s_dns_service_ip": "10.3.0.10",
-    "k8s_etcd_endpoints": "http://node1.example.com:2379",
-    "k8s_pod_network": "10.2.0.0/16",
-    "k8s_service_ip_range": "10.3.0.0/24",
-    "pxe": "true"
-  }
-}
--- a/Show More
+++ b/Show More