cloud-init provides a framework for early Ubuntu/Debian guest initialization similar to CloudInit. In VMware and Hyper-V environments it replaces guest customization with a more flexible and extensible mechanism. Compared to the original cloud-init project it is more lightweight and has a limited set of features, but it is extensible through plugins. Python >=3.4 is required.

List of bundled plugins:


Currently the only supported config source is a cloud-config.json file stored on a CD-ROM or locally in the /var/lib/cloud-init/ directory:

  "HostName": "cloud-init",
  "HDD": [
      "Capacity": 40,
      "DeviceNode": "scsi0:0"
      "Capacity": 10,
      "DeviceNode": "scsi1:0",
      "Label": "data",
      "FileSystem": "ext4",
      "MountPoint": "/home"
  "NIC": [
      "Ip": [
      "Mac": "00:15:5d:2e:21:16",
      "Gw": ""
      "Ip": [
      "Mac": "00:50:56:97:1d:28"
  "DNS": {
    "DomainSearch": [
    "Servers": [
  "Domain": {
    "Name": ""
  "Users": [
      "Name": "localadmin",
      "Groups": [ "admin" ],
      "System": false,
      "Password": [
      "Sudo": "ALL=(ALL) NOPASSWD:ALL",
      "SshKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOW9lsiHoqOH9+rO9RAg0JR2R9eYxCcJAfk67PJS1TGM"

How to install and enable on startup:

sudo -H pip3 install git+
cd /etc/systemd/system/
systemctl daemon-reload
systemctl enable cloud-init

Put the unencrypted private RSA key (private.pem) in /usr/lib/cloud-init so that cloud-init can decrypt user passwords supplied via cloud-config.json.
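A check a template builder might run after placing the key, as an added example that is not part of the cloud-init project: it verifies that private.pem is a regular file with the expected owner and no group/other access, and that it really is unencrypted. The function name and the root-owned, mode 0600 expectations are assumptions, not requirements stated by the project.

```python
import os
import stat

KEY_PATH = "/usr/lib/cloud-init/private.pem"  # location given in the README


def audit_private_key(path=KEY_PATH, expected_uid=0):
    """Return a list of findings for the key file; an empty list means it passed.

    expected_uid=0 (root) and mode 0600 are assumptions of this example.
    """
    findings = []
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink planted at the path
    except FileNotFoundError:
        return ["missing: cloud-init cannot decrypt user passwords"]
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file (symlink or device): refusing to inspect"]
    if st.st_uid != expected_uid:
        findings.append("owner uid is %d, expected %d" % (st.st_uid, expected_uid))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %04o lets group/other access the key; use 0600"
                        % stat.S_IMODE(st.st_mode))
    with open(path, "r", errors="replace") as fh:
        text = fh.read()
    if "PRIVATE KEY-----" not in text:
        findings.append("no PEM private key block found")
    # Traditional PEM marks encryption with a Proc-Type header, PKCS#8 with
    # its own BEGIN line. The README requires the key to be unencrypted.
    elif "Proc-Type: 4,ENCRYPTED" in text or "BEGIN ENCRYPTED PRIVATE KEY" in text:
        findings.append("key is passphrase-protected; cloud-init needs it unencrypted")
    return findings


if __name__ == "__main__":
    problems = audit_private_key()
    for problem in problems:
        print("private.pem:", problem)
    raise SystemExit(1 if problems else 0)
```

Run it as root inside the template before sealing it; a non-zero exit status means at least one finding was printed.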

To see the logs, run journalctl -u cloud-init.service

A few things to know:

  • after a successful run the module disables itself
  • already partitioned disks are not touched
  • the disk plugin supports only the ext4 filesystem at the moment
  • the JSON used for configuration is saved locally and can be checked at /usr/lib/cloud-init/_cloud-config.json (passwords are cleared)

The module targets Debian-based installations and has been tested on:

  • Debian 8 Jessie / 9 Stretch
  • Ubuntu 16.04 LTS Xenial / 18.04 LTS Bionic

For developers

To develop a new plugin, create a Python 3 script, prefix its name with a two-digit number that sets the order in which the plugin is intended to run, and put it into the plugins folder. The cloud_config dict variable is exposed to your script with the parsed content of cloud-config.json. You can also use the bundled run function (from tools import run) to execute arbitrary bash commands.

If you need to restart the system after plugin execution, set reboot = True before exiting the script, so that the module can suspend execution of the next plugin and resume after the system has been restarted. To handle reboots, the module keeps a state file in the /usr/lib/cloud-init/ directory where it stores the current execution step. To reset the state, run cloud-init --set-state 0

openssl rsautl

generate RSA key pair

openssl genrsa -out keypair.pem -aes128 4096

export public key

openssl rsa -in keypair.pem -outform PEM -pubout -out public.pem

export unencrypted private key (to be stored in a template)

openssl rsa -in keypair.pem -out private.pem -outform PEM

encrypt data


New-Password | cmd '/c openssl rsautl -inkey public.pem -pubin -encrypt | openssl enc -base64'


echo 'password' | openssl rsautl -inkey public.pem -pubin -encrypt | openssl enc -base64 > encrypted

decrypt data


cat encrypted | cmd '/c openssl enc -d -base64 | openssl rsautl -inkey private.pem -decrypt'


cat encrypted | openssl enc -d -base64 | openssl rsautl -inkey private.pem -decrypt