set up ONOS to use SSL
diff --git a/roles/onos-vm-install/files/Dockerfile.xos-onos b/roles/onos-vm-install/files/Dockerfile.xos-onos
new file mode 100644
index 0000000..deb28ba
--- /dev/null
+++ b/roles/onos-vm-install/files/Dockerfile.xos-onos
@@ -0,0 +1,17 @@
+# ONOS dockerfile with XOS additions
+
+FROM onosproject/onos
+MAINTAINER Zack Williams <zdw@cs.arizona.edu>
+
+# Include SSL certs
+COPY xos-certs.crt /usr/local/share/ca-certificates/xos-certs.crt
+RUN update-ca-certificates
+
+# Create Java KeyStore from certs
+RUN openssl x509 -in /usr/local/share/ca-certificates/xos-certs.crt -outform der -out /usr/local/share/ca-certificates/xos-certs.der
+RUN keytool -import -noprompt -storepass 222222 -alias xos-certs -file /usr/local/share/ca-certificates/xos-certs.der -keystore /usr/local/share/ca-certificates/xos-certs.jks
+
+# Updated onos-service to use the jks
+COPY onos-service /root/bin/onos-service
+RUN chmod 755 /root/bin/onos-service
+
diff --git a/roles/onos-vm-install/files/docker-compose.yml b/roles/onos-vm-install/files/docker-compose.yml
deleted file mode 100644
index 9b16c4d..0000000
--- a/roles/onos-vm-install/files/docker-compose.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-onos:
-    image: onosproject/onos
-    expose:
-    - "6653"
-    - "8101"
-    - "8181"
-    - "9876"
-    net: host
-    volumes:
-    - ./id_rsa:/root/node_key:ro
diff --git a/roles/onos-vm-install/files/onos-docker-compose.yml b/roles/onos-vm-install/files/onos-docker-compose.yml
new file mode 100644
index 0000000..09255fa
--- /dev/null
+++ b/roles/onos-vm-install/files/onos-docker-compose.yml
@@ -0,0 +1,19 @@
+# ONOS with XOS features for docker-compose
+version: '2'
+
+services:
+
+   xos-onos:
+      build:
+       context: .
+       dockerfile: Dockerfile.xos-onos
+      image: xos/onos
+      expose:
+      - "6653"
+      - "8101"
+      - "8181"
+      - "9876"
+      network_mode: host
+      volumes:
+      - ./id_rsa:/root/node_key:ro
+
diff --git a/roles/onos-vm-install/files/onos-service b/roles/onos-vm-install/files/onos-service
new file mode 100644
index 0000000..7d810c4
--- /dev/null
+++ b/roles/onos-vm-install/files/onos-service
@@ -0,0 +1,53 @@
+#!/bin/bash
+# -----------------------------------------------------------------------------
+# Starts ONOS Apache Karaf container
+# -----------------------------------------------------------------------------
+
+# uncomment the following line for performance testing
+#export JAVA_OPTS="${JAVA_OPTS:--Xms8G -Xmx8G -XX:+UseConcMarkSweepGC -XX:+CMSIncrementalMode -XX:+PrintGCDetails -XX:+PrintGCTimeStamps}"
+
+# uncomment the following line for Netty TLS encryption
+# Do modify the keystore location/password and truststore location/password accordingly
+#export JAVA_OPTS="${JAVA_OPTS:--DenableNettyTLS=true -Djavax.net.ssl.keyStore=/home/ubuntu/onos.jks -Djavax.net.ssl.keyStorePassword=222222 -Djavax.net.ssl.trustStore=/home/ubuntu/onos.jks -Djavax.net.ssl.trustStorePassword=222222}"
+
+export JAVA_OPTS="-Djavax.net.ssl.trustStore=/usr/local/share/ca-certificates/xos-certs.jks -Djavax.net.ssl.trustStorePassword=222222" 
+
+set -e  # exit on error
+set -u  # exit on undefined variable
+
+# If ONOS_HOME is set, respect its value.
+# If ONOS_HOME is not set (e.g. in the init or service environment),
+# set it based on this script's path.
+ONOS_HOME=${ONOS_HOME:-$(cd $(dirname $0)/.. >/dev/null 2>&1 && pwd)}
+KARAF_ARGS=
+SYS_APPS=drivers
+ONOS_APPS=${ONOS_APPS:-}  # Empty means don't activate any new apps
+
+cd $ONOS_HOME
+
+# Parse out arguments destinted for karaf invocation v. arguments that
+# will be processed in line
+while [ $# -gt 0 ]; do
+  case $1 in
+    apps-clean)
+      # Deactivate all applications
+      find ${ONOS_HOME}/apps -name "active" -exec rm \{\} \;
+      ;;
+    *)
+      KARAF_ARGS+=" $1"
+      ;;
+  esac
+  shift
+done
+
+# Activate the system required applications (SYS_APPS) as well as any
+# specified applications in the var ONOS_APPS
+for app in ${SYS_APPS//,/ } ${ONOS_APPS//,/ }; do
+  if [[ "$app" =~ \. ]]; then
+    touch ${ONOS_HOME}/apps/$app/active
+  else
+    touch ${ONOS_HOME}/apps/org.onosproject.$app/active
+  fi
+done
+
+exec ${ONOS_HOME}/apache-karaf-3.0.5/bin/karaf $KARAF_ARGS
diff --git a/roles/onos-vm-install/files/onos-setup-playbook.yml b/roles/onos-vm-install/files/onos-setup-playbook.yml
index 5a28625..e02b15a 100644
--- a/roles/onos-vm-install/files/onos-setup-playbook.yml
+++ b/roles/onos-vm-install/files/onos-setup-playbook.yml
@@ -62,8 +62,20 @@
        - id_rsa
        - id_rsa.pub
 
+    - name: Copy SSL Certs so docker-compose can find it
+      command: "mv /usr/local/share/ca-certificates/keystone_juju_ca_cert.crt {{ ansible_user_dir }}/cord/xos-certs.crt"
+      creates: "{{ ansible_user_dir }}/cord/xos-certs.crt"
+
+    - name: Copy over files to build XOS variant of ONOS
+      copy:
+        src="~/{{ item }}"
+        dest="{{ ansible_user_dir }}/cord/{{ item }}"
+      with_items:
+       - Dockerfile.xos-onos
+       - onos-service
+
     - name: Copy over docker-compose.yml files
       copy:
-        src=~/docker-compose.yml
+        src=~/onos-docker-compose.yml
         dest={{ ansible_user_dir }}/cord/docker-compose.yml