diff --git a/confluent_osdeploy/rhvh4/initramfs/usr/lib/dracut/hooks/initqueue/01-confluent.sh b/confluent_osdeploy/rhvh4/initramfs/usr/lib/dracut/hooks/initqueue/01-confluent.sh
index 9d843d2d..67ef8234 100644
--- a/confluent_osdeploy/rhvh4/initramfs/usr/lib/dracut/hooks/initqueue/01-confluent.sh
+++ b/confluent_osdeploy/rhvh4/initramfs/usr/lib/dracut/hooks/initqueue/01-confluent.sh
@@ -4,9 +4,9 @@ mkdir -p /etc/confluent
 cat /tls/*.pem > /etc/confluent/ca.pem
 echo -n "" > /tmp/confluent.initq
 TRIES=0
-touch /tmp/confluent.info
+touch /etc/confluent/confluent.info
 cd /sys/class/net
-while ! awk -F'|' '{print $3}' /tmp/confluent.info |grep 2 >& /dev/null && [ "$TRIES" -lt 60 ]; do
+while ! awk -F'|' '{print $3}' /etc/confluent/confluent.info |grep 2 >& /dev/null && [ "$TRIES" -lt 60 ]; do
     TRIES=$((TRIES + 1))
     for currif in *; do
         ip link set $currif up
@@ -18,25 +18,25 @@ nodename=$(grep ^NODENAME /etc/confluent/confluent.info|awk '{print $2}')
 #TODO: blkid --label <whatever> to find mounted api
 
 oum=$(umask)
-python /opt/confluent/bin/apiclient /confluent-api/self/deploycfg > /tmp/confluent.deploycfg
+python /opt/confluent/bin/apiclient /confluent-api/self/deploycfg > /etc/confluent/confluent.deploycfg
 mgridx=$(cat /tmp/confluent.ifidx)
 ifname=$(ip link |grep ^$ifidx:|awk '{print $2}')
 ifname=${ifname%:}
 echo $ifname > /tmp/net.ifaces
 
-dnsdomain=$(grep ^dnsdomain: /tmp/confluent.deploycfg)
+dnsdomain=$(grep ^dnsdomain: /etc/confluent/confluent.deploycfg)
 dnsdomain=${dnsdomain#dnsdomain: }
 hostname=$nodename
 if [ ! -z "$dnsdomain" ] && [ "$dnsdomain" != "null" ]; then
     hostname=$hostname.$dnsdomain
 fi
-mgr=$(grep ^deploy_server: /tmp/confluent.deploycfg)
+mgr=$(grep ^deploy_server: /etc/confluent/confluent.deploycfg)
 mgr=${mgr#deploy_server: }
-profilename=$(grep ^profile: /tmp/confluent.deploycfg)
+profilename=$(grep ^profile: /etc/confluent/confluent.deploycfg)
 profilename=${profilename#profile: }
-proto=$(grep ^protocol: /tmp/confluent.deploycfg)
+proto=$(grep ^protocol: /etc/confluent/confluent.deploycfg)
 proto=${proto#protocol: }
-textconsole=$(grep ^textconsole: /tmp/confluent.deploycfg)
+textconsole=$(grep ^textconsole: /etc/confluent/confluent.deploycfg)
 textconsole=${textconsole#textconsole: }
 if [ $textconsole = "true" ] && ! grep console= /proc/cmdline > /dev/null; then
 	autocons=$(cat /tmp/01-autocons.devnode)
@@ -56,19 +56,19 @@ kickstart=$proto://$mgr/confluent-public/os/$profilename/kickstart
 root=anaconda-net:$proto://$mgr/confluent-public/os/$profilename/distribution
 export kickstart
 export root
-autoconfigmethod=$(grep ipv4_method /tmp/confluent.deploycfg)
+autoconfigmethod=$(grep ipv4_method /etc/confluent/confluent.deploycfg)
 autoconfigmethod=${autoconfigmethod#ipv4_method: }
 if [ "$autoconfigmethod" = "dhcp" ]; then
     echo ip=$ifname:dhcp >>  /etc/cmdline.d/01-confluent.conf
 else
-    v4addr=$(grep ^ipv4_address: /tmp/confluent.deploycfg)
+    v4addr=$(grep ^ipv4_address: /etc/confluent/confluent.deploycfg)
     v4addr=${v4addr#ipv4_address: }
-    v4gw=$(grep ^ipv4_gateway: /tmp/confluent.deploycfg)
+    v4gw=$(grep ^ipv4_gateway: /etc/confluent/confluent.deploycfg)
     v4gw=${v4gw#ipv4_gateway: }
     if [ "$v4gw" = "null" ]; then
         v4gw=""
     fi
-    v4nm=$(grep ipv4_netmask: /tmp/confluent.deploycfg)
+    v4nm=$(grep ipv4_netmask: /etc/confluent/confluent.deploycfg)
     v4nm=${v4nm#ipv4_netmask: }
     echo ip=$v4addr::$v4gw:$v4nm:$hostname:$ifname:none >> /etc/cmdline.d/01-confluent.conf
 fi
@@ -85,5 +85,5 @@ while read -r entry; do
         nameserversec=1
         continue
     fi
-done < /tmp/confluent.deploycfg
+done < /etc/confluent/confluent.deploycfg
 
diff --git a/confluent_osdeploy/rhvh4/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh b/confluent_osdeploy/rhvh4/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh
index 52eb9ba3..cb307636 100644
--- a/confluent_osdeploy/rhvh4/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh
+++ b/confluent_osdeploy/rhvh4/initramfs/usr/lib/dracut/hooks/pre-pivot/01-confluent.sh
@@ -6,7 +6,9 @@ done
 
 cat /etc/pki/tls/certs/ca-bundle.crt > $BUNDLENAME
 mkdir -p /sysroot/etc/confluent/
+chmod 700 /sysroot/etc/confluent
 cp -a /tls /sysroot/etc/confluent
+cp -a /etc/confluent/* /sysroot/etc/confluent/
 sed -i 's/install::/install:*:/' /sysroot/etc/shadow
 sed -i 's/root::/root:*:/' /sysroot/etc/shadow
 mkdir -p /sysroot/root/.ssh
@@ -17,10 +19,4 @@ mkdir -p /sysroot/etc/ssh/
 for i in /ssh/*.ca; do
     echo '@cert-authority *' $(cat $i) >> /sysroot/etc/ssh/ssh_known_hosts
 done
-cp /etc/confluent/confluent.apikey /sysroot/etc/
-cp /etc/confluent/confluent.apikey /sysroot/etc/confluent/
-cp /tmp/confluent.deploycfg /sysroot/etc/
-cp /tmp/confluent.deploycfg /sysroot/etc/confluent
 cp /opt/confluent/bin/apiclient /sysroot/etc/confluent
-cp /tmp/confluent.deploycfg /etc/confluent/* /sysroot/etc/confluent
-cp /etc/confluent/confluent.info /sysroot/etc/