diff --git a/roles/apt-cacher-ng/defaults/main.yml b/roles/apt-cacher-ng/defaults/main.yml
index ec5a1e1..d7f6698 100644
--- a/roles/apt-cacher-ng/defaults/main.yml
+++ b/roles/apt-cacher-ng/defaults/main.yml
@@ -6,6 +6,7 @@
 
 apt_ssl_sites:
   - apt.dockerproject.org
+  - download.docker.com
   - butler.opencloud.cs.arizona.edu
   - deb.nodesource.com
   - artifacts.elastic.co
diff --git a/roles/compute-node-config/defaults/main.yml b/roles/compute-node-config/defaults/main.yml
index b8fed3c..abeef30 100644
--- a/roles/compute-node-config/defaults/main.yml
+++ b/roles/compute-node-config/defaults/main.yml
@@ -2,8 +2,8 @@
 # compute-node-config/defaults/main.yml
 
 # default site/deployment placeholder names
-site_name: sitename
-deployment_type: deploymenttype
+site_name: placeholder-sitename
+deployment_type: placeholder-deploymenttype
 
 # location of cord_profile on head node
 head_cord_profile_dir: /opt/cord_profile
diff --git a/roles/compute-node-enable/defaults/main.yml b/roles/compute-node-enable/defaults/main.yml
index 6f52840..29eb36d 100644
--- a/roles/compute-node-enable/defaults/main.yml
+++ b/roles/compute-node-enable/defaults/main.yml
@@ -3,3 +3,5 @@
 
 head_cord_profile_dir: "/opt/cord_profile"
 
+xos_admin_user: "xosadmin@opencord.org"
+
diff --git a/roles/copy-credentials/defaults/main.yml b/roles/copy-credentials/defaults/main.yml
index cf19dfd..46ce930 100644
--- a/roles/copy-credentials/defaults/main.yml
+++ b/roles/copy-credentials/defaults/main.yml
@@ -2,3 +2,5 @@
 # copy-credentials/defaults/main.yml
 
 credentials_dir: "{{ playbook_dir }}/credentials"
+
+head_credentials_dir: "/opt/credentials"
diff --git a/roles/copy-credentials/tasks/main.yml b/roles/copy-credentials/tasks/main.yml
index 3d3af3e..c5df349 100644
--- a/roles/copy-credentials/tasks/main.yml
+++ b/roles/copy-credentials/tasks/main.yml
@@ -5,12 +5,12 @@
   become: yes
   synchronize:
     src: "{{ credentials_dir }}/"
-    dest: "/opt/credentials/"
+    dest: "{{ head_credentials_dir }}/"
 
 - name: Set ownership on credentials dir on head node, for MaaS provisioner
   become: yes
   file:
-    dest: "/opt/credentials"
+    dest: "{{ head_credentials_dir }}"
     state: directory
     recurse: yes
     owner: "{{ ansible_user_id }}"
diff --git a/roles/cord-profile/defaults/main.yml b/roles/cord-profile/defaults/main.yml
index 6a30e58..2b9b9f2 100644
--- a/roles/cord-profile/defaults/main.yml
+++ b/roles/cord-profile/defaults/main.yml
@@ -4,10 +4,14 @@
 # where the cord_profile directory is on the config node
 config_cord_profile_dir: "/opt/cord_profile"
 
+head_cord_dir: "/opt/cord"
+
 pki_dir: "{{ playbook_dir }}/pki"
 ssh_pki_dir: "{{ playbook_dir }}/ssh_pki"
 credentials_dir: "{{ playbook_dir }}/credentials"
 
+head_credentials_dir: "/opt/credentials"
+
 # where cord files are copied to on head node
 head_cord_profile_dir: "/opt/cord_profile"
 head_cord_dir: "/opt/cord"
diff --git a/roles/cord-profile/tasks/main.yml b/roles/cord-profile/tasks/main.yml
index 5831a16..f6ed2bc 100644
--- a/roles/cord-profile/tasks/main.yml
+++ b/roles/cord-profile/tasks/main.yml
@@ -2,8 +2,9 @@
 # cord-profile/tasks/main.yml
 # Constructs a CORD service profile directory and configuration files
 
+# if this step fails, may need to include `create-configdirs-become` role to
+# create directory using become.
 - name: Create cord_profile directory
-  become: yes
   file:
     path: "{{ config_cord_profile_dir }}"
     state: directory
diff --git a/roles/cord-profile/templates/docker-compose.yml.j2 b/roles/cord-profile/templates/docker-compose.yml.j2
index fe16161..c10e2d3 100644
--- a/roles/cord-profile/templates/docker-compose.yml.j2
+++ b/roles/cord-profile/templates/docker-compose.yml.j2
@@ -297,7 +297,7 @@
 {% endif %}
     volumes:
       - {{ head_cord_profile_dir }}/node_key:/opt/cord_profile/node_key:ro
-      - /opt/credentials:/opt/xos/services/{{ svc.name }}/credentials:ro
+      - {{ head_credentials_dir }}:/opt/xos/services/{{ svc.name }}/credentials:ro
       - {{ head_cord_profile_dir }}/im_cert_chain.pem:/usr/local/share/ca-certificates/local_certs.crt:ro
 {% if svc.keypair is defined %}
       - {{ head_cord_profile_dir }}/key_import/{{ svc.keypair }}:/opt/xos/services/{{ svc.name }}/keys/{{ svc.keypair }}:ro
diff --git a/roles/create-configdirs-become/defaults/main.yml b/roles/create-configdirs-become/defaults/main.yml
new file mode 100644
index 0000000..e2667d5
--- /dev/null
+++ b/roles/create-configdirs-become/defaults/main.yml
@@ -0,0 +1,12 @@
+---
+# create-configdirs-privileged/defaults/main.yml
+
+# where the cord_profile directory is on the config node
+config_cord_profile_dir: "/opt/cord_profile"
+
+pki_dir: "{{ playbook_dir }}/pki"
+ssh_pki_dir: "{{ playbook_dir }}/ssh_pki"
+credentials_dir: "{{ playbook_dir }}/credentials"
+
+site_name: placeholder-sitename
+
diff --git a/roles/create-configdirs-become/tasks/main.yml b/roles/create-configdirs-become/tasks/main.yml
new file mode 100644
index 0000000..8f53f5d
--- /dev/null
+++ b/roles/create-configdirs-become/tasks/main.yml
@@ -0,0 +1,61 @@
+---
+# create-configdirs-privileged/tasks/main.yml
+
+# This role exists to work around issues with the local scenario, which may not
+# necessarily be run by a user with become (sudo) rights, which causes these
+# director creation tasks to fail when `become: yes` is used.
+
+# become version of directory creation from `cord-profile` role
+- name: Create cord_profile directory, privileged
+  become: yes
+  file:
+    path: "{{ config_cord_profile_dir }}"
+    state: directory
+    mode: 0755
+    owner: "{{ ansible_user_id }}"
+    group: "{{ ansible_user_gid }}"
+
+# become version of directory creation from `pki-root-ca` role
+- name: Create PKI and credentials directories, privileged
+  become: yes
+  file:
+    dest: "{{ item }}"
+    state: directory
+    owner: "{{ ansible_user_id }}"
+    mode: 0700
+  with_items:
+    - "{{ credentials_dir }}"
+    - "{{ pki_dir }}"
+
+- name: Create root CA directory, privileged
+  become: yes
+  file:
+    dest: "{{ pki_dir }}/root_ca"
+    state: directory
+    owner: "{{ ansible_user_id }}"
+    mode: 0755
+
+# become version of directory creation from `pki-intermediate-ca` role
+- name: Create intermediate CA directory, privileged
+  become: yes
+  file:
+    dest: "{{ pki_dir }}/{{ site_name }}_im_ca"
+    state: directory
+    owner: "{{ ansible_user_id }}"
+    mode: 0755
+
+# become version of directory creation from `ssh-pki` role
+- name: Create SSH CA Directory
+  become: yes
+  file:
+    dest: "{{ item }}"
+    state: directory
+    owner: "{{ ansible_user_id }}"
+    mode: 0700
+  with_items:
+    - "{{ ssh_pki_dir }}"
+    - "{{ ssh_pki_dir }}/ca"
+    - "{{ ssh_pki_dir }}/client_certs"
+    - "{{ ssh_pki_dir }}/host_certs"
+
+
diff --git a/roles/juju-setup/defaults/main.yml b/roles/juju-setup/defaults/main.yml
index a9c7e81..e01d658 100644
--- a/roles/juju-setup/defaults/main.yml
+++ b/roles/juju-setup/defaults/main.yml
@@ -8,6 +8,7 @@
 charm_versions: {}
 
 pki_dir: "{{ playbook_dir }}/pki"
+credentials_dir: "{{ playbook_dir }}/credentials"
 
 site_name: placeholder-sitename
 site_suffix: "{{ site_name }}.test"
diff --git a/roles/juju-setup/templates/juju_config.yml.j2 b/roles/juju-setup/templates/juju_config.yml.j2
index bf157ea..e91e5c2 100644
--- a/roles/juju-setup/templates/juju_config.yml.j2
+++ b/roles/juju-setup/templates/juju_config.yml.j2
@@ -54,7 +54,8 @@
   openstack-origin: "cloud:trusty-kilo"
 
 percona-cluster:
-  max-connections: 20000
+  max-connections: 5000
+  innodb-buffer-pool-size: "20%"
 
 rabbitmq-server:
   ssl: "on"
diff --git a/roles/monitoringservice-config/defaults/main.yml b/roles/monitoringservice-config/defaults/main.yml
index 337a459..a249f4a 100644
--- a/roles/monitoringservice-config/defaults/main.yml
+++ b/roles/monitoringservice-config/defaults/main.yml
@@ -1,6 +1,9 @@
 ---
 # monitoringservice-config/defaults/main.yml
 
+xos_admin_user: "xosadmin@opencord.org"
+xos_admin_pass: "{{ lookup('password', credentials_dir ~ '/xosadmin@opencord.org chars=ascii_letters,digits') }}"
+
 #paths
 config_cord_dir: "/opt/cord"
 head_cord_dir: "/opt/cord"
diff --git a/roles/monitoringservice-onboard/defaults/main.yml b/roles/monitoringservice-onboard/defaults/main.yml
index 42c8d6e..ab5bf37 100644
--- a/roles/monitoringservice-onboard/defaults/main.yml
+++ b/roles/monitoringservice-onboard/defaults/main.yml
@@ -1,6 +1,8 @@
 ---
 # monitoringservice-onboard/defaults/main.yml
 
+xos_admin_user: "xosadmin@opencord.org"
+
 # paths
 head_cord_profile_dir: "/opt/cord_profile"
 
diff --git a/roles/onos-cord-install/tasks/main.yml b/roles/onos-cord-install/tasks/main.yml
index 86ec128..000a73a 100644
--- a/roles/onos-cord-install/tasks/main.yml
+++ b/roles/onos-cord-install/tasks/main.yml
@@ -5,7 +5,7 @@
   docker_image:
     name: "{{ onos_docker_image }}"
 
-- name: Create dest directory
+- name: Create onos_cord directory
   become: yes
   file:
     path: "{{ head_onos_cord_dir }}"
@@ -14,7 +14,7 @@
     group: "{{ ansible_user_gid }}"
     mode: 0755
 
-- name: Copy over SSH key
+- name: Create node_key file with SSH private key for compute nodes
   copy:
     src: "{{ ssh_pki_dir }}/client_certs/{{ pod_sshkey_name }}_sshkey"
     dest: "{{ head_onos_cord_dir }}/node_key"
@@ -30,11 +30,7 @@
     - Dockerfile
     - onos-service
     - org.ops4j.pax.logging.cfg
-
-- name: Copy over ONOS playbook and other files
-  copy:
-    src: "onos-cord-docker-compose.yml"
-    dest: "{{ head_onos_cord_dir }}/docker-compose.yml"
+    - docker-compose.yml
 
 - name: Copy SSL Certs to ONOS so docker-compose can find them
   copy:
@@ -49,11 +45,13 @@
 
 - name: Build xos/onos docker image
   docker_image:
-    name: "xos/onos"
+    name: "xos/onos:{{ deploy_docker_tag }}"
     path: "{{ head_onos_cord_dir }}"
-    dockerfile: "Dockerfile"
+    pull: False
+    force: True
 
 - name: Start ONOS for CORD
   docker_service:
+    project_name: "onoscord"
     project_src: "{{ head_onos_cord_dir }}"
 
diff --git a/roles/onos-cord-install/files/onos-cord-docker-compose.yml b/roles/onos-cord-install/templates/docker-compose.yml.j2
similarity index 75%
rename from roles/onos-cord-install/files/onos-cord-docker-compose.yml
rename to roles/onos-cord-install/templates/docker-compose.yml.j2
index 6a7a1d3..704f83f 100644
--- a/roles/onos-cord-install/files/onos-cord-docker-compose.yml
+++ b/roles/onos-cord-install/templates/docker-compose.yml.j2
@@ -4,10 +4,7 @@
 services:
 
    xos-onos:
-      build:
-       context: .
-       dockerfile: Dockerfile
-      image: xos/onos
+      image: xos/onos:{{ deploy_docker_tag }}
       ports:
        - "6654:6653"
        - "8102:8101"
@@ -16,3 +13,4 @@
       volumes:
       - ./node_key:/root/node_key:ro
       restart: unless-stopped
+
diff --git a/roles/pki-intermediate-ca/tasks/main.yml b/roles/pki-intermediate-ca/tasks/main.yml
index 56a8219..b1cc388 100644
--- a/roles/pki-intermediate-ca/tasks/main.yml
+++ b/roles/pki-intermediate-ca/tasks/main.yml
@@ -1,8 +1,9 @@
 ---
 # pki-intermediate-ca/tasks/main.yml
 
+# if the next two steps fail, may need to include `create-configdirs-become`
+# role to create these directories using become.
 - name: Create PKI directory
-  become: yes
   file:
     dest: "{{ pki_dir }}"
     state: directory
@@ -10,7 +11,6 @@
     mode: 0755
 
 - name: Create intermediate CA directory
-  become: yes
   file:
     dest: "{{ pki_dir }}/{{ site_name }}_im_ca"
     state: directory
diff --git a/roles/pki-root-ca/tasks/main.yml b/roles/pki-root-ca/tasks/main.yml
index fd526e4..c54e8dd 100644
--- a/roles/pki-root-ca/tasks/main.yml
+++ b/roles/pki-root-ca/tasks/main.yml
@@ -1,8 +1,9 @@
 ---
 # pki-root-ca/tasks/main.yml
 
+# if the next two steps fail, may need to include `create-configdirs-become`
+# role to create these directories using become.
 - name: Create PKI and credentials directories
-  become: yes
   file:
     dest: "{{ item }}"
     state: directory
@@ -13,7 +14,6 @@
     - "{{ pki_dir }}"
 
 - name: Create root CA directory
-  become: yes
   file:
     dest: "{{ pki_dir }}/root_ca"
     state: directory
diff --git a/roles/platform-check/defaults/main.yml b/roles/platform-check/defaults/main.yml
deleted file mode 100644
index 8e48e41..0000000
--- a/roles/platform-check/defaults/main.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-# platform-check/defaults/main.yml
-
-config_cord_profile_dir: "/opt/cord_profile"
-head_onos_cord_dir: "/opt/onos-cord/"
-
-xos_ui_port: 9000
-
diff --git a/roles/platform-check/tasks/main.yml b/roles/platform-check/tasks/main.yml
deleted file mode 100644
index bd9347e..0000000
--- a/roles/platform-check/tasks/main.yml
+++ /dev/null
@@ -1,58 +0,0 @@
----
-# platform-check/tasks/main.yml
-
-- name: Ensure br-int exists on all compute nodes (check VTN)
-  shell: ansible -i /etc/maas/ansible/pod-inventory compute -u ubuntu -m shell -s -a "ovs-vsctl br-exists br-int"
-  register: result
-  until: result | success
-  retries: 6
-  delay: 10
-  ignore_errors: yes
-  tags:
-    - skip_ansible_lint # running a sub job
-
-# Work around issues with ONOS intialization
-- name: Restart ONOS when VTN initialization failed
-  when: result | failed
-  shell: docker-compose stop; docker-compose rm -f; docker-compose up -d
-  args:
-    chdir: "{{ head_onos_cord_dir }}"
-  tags:
-    - skip_ansible_lint
-
-- name: Tell XOS to refresh VTN Service and compute nodes
-  when: result | failed
-  xostosca:
-    url: "http://xos.{{ site_suffix }}:{{ xos_ui_port }}/api/utility/tosca/run/"
-    user: "{{ xos_admin_user }}"
-    password:  "{{ xos_admin_pass }}"
-    recipe: "{{ lookup('file', head_cord_profile_dir + '/' + item ) }}"
-  with_items:
-    - openstack.yaml
-    - openstack-compute.yaml
-    - vtn-service.yaml
-
-- name: Pause to work around race in VTN or ONOS synchronizers
-  pause:
-    seconds: 20
-
-- name: Enable VTN for OpenStack Compute nodes
-  when: result | failed
-  xostosca:
-    url: "http://xos.{{ site_suffix }}:{{ xos_ui_port }}/api/utility/tosca/run/"
-    user: "{{ xos_admin_user }}"
-    password:  "{{ xos_admin_pass }}"
-    recipe: "{{ lookup('file', head_cord_profile_dir + '/' + item ) }}"
-  with_items:
-    - openstack-compute-vtn.yaml
-
-- name: Ensure br-int exists on all compute nodes (check VTN #2)
-  when: result | failed
-  shell: ansible -i /etc/maas/ansible/pod-inventory compute -u ubuntu -m shell -s -a "ovs-vsctl br-exists br-int"
-  register: result2
-  until: result2 | success
-  retries: 12
-  delay: 10
-  tags:
-    - skip_ansible_lint # running a sub job
-
diff --git a/roles/prereqs-common/defaults/main.yml b/roles/prereqs-common/defaults/main.yml
index 6c66757..54b8bd2 100644
--- a/roles/prereqs-common/defaults/main.yml
+++ b/roles/prereqs-common/defaults/main.yml
@@ -9,16 +9,3 @@
 dns_check_domain: wiki.opencord.org
 dns_check_ipv4: 52.9.82.207
 
-# obtained from: https://www.iana.org/domains/root/servers
-dns_roots:
-  - 192.5.5.241
-  - 193.0.14.129
-  - 198.41.0.4
-  - 199.7.91.13
-
-http_dl_url: "http://cord.staging.wpengine.com/wp-content/uploads/2016/07/cord-tm-logo.png"
-http_dl_cksum: "sha256:099c777e4c8ad76a066299159622b4fa6bd2515cefafc2851df67f7f4cce6ee8"
-
-https_dl_url: "https://jenkins.opencord.org/static/8d0f081d/images/headshot.png"
-https_dl_cksum: "sha256:690e82fb98ffb2b4b232d9b9cf9cc52eb7972e56a84902f6d1150b75456058c6"
-
diff --git a/roles/prereqs-common/tasks/main.yml b/roles/prereqs-common/tasks/main.yml
index f9ac2cd..c4478e2 100644
--- a/roles/prereqs-common/tasks/main.yml
+++ b/roles/prereqs-common/tasks/main.yml
@@ -30,7 +30,10 @@
 
 - name: DNS Global Root Connectivity Check
   shell: "dig @{{ item }} +trace +short {{ dns_check_domain }} | grep {{ dns_check_ipv4 }}"
-  with_items: "{{ dns_roots }}"
+  with_items:
+    - 192.5.5.241
+    - 198.41.0.4
+    - 199.7.91.13
   register: dns_global_check_result
   until: dns_global_check_result.rc == 0
   retries: 3
@@ -40,16 +43,16 @@
 
 - name: HTTP Download Check
   get_url:
-    url: "{{ http_dl_url }}"
-    checksum: "{{ http_dl_cksum }}"
+    url: "http://cord.staging.wpengine.com/wp-content/uploads/2016/07/cord-tm-logo.png"
+    checksum: "sha256:099c777e4c8ad76a066299159622b4fa6bd2515cefafc2851df67f7f4cce6ee8"
     dest: /tmp/http_dl_check
   retries: 3
   delay: 1
 
 - name: HTTPS Download Check
   get_url:
-    url: "{{ https_dl_url }}"
-    checksum: "{{ https_dl_cksum }}"
+    url: "https://jenkins.opencord.org/static/8d0f081d/images/headshot.png"
+    checksum: "sha256:690e82fb98ffb2b4b232d9b9cf9cc52eb7972e56a84902f6d1150b75456058c6"
     dest: /tmp/https_dl_check
   retries: 3
   delay: 1
diff --git a/roles/ssh-pki/tasks/main.yml b/roles/ssh-pki/tasks/main.yml
index 2cc7c64..df6ced0 100644
--- a/roles/ssh-pki/tasks/main.yml
+++ b/roles/ssh-pki/tasks/main.yml
@@ -1,8 +1,9 @@
 ---
 # ssh-pki/tasks/main.yml
 
+# if this step fails, may need to include `create-configdir-become` role to
+# create directories using become.
 - name: Create SSH CA Directory
-  become: yes
   file:
     dest: "{{ item }}"
     state: directory
diff --git a/roles/xos-test-restore-db/defaults/main.yml b/roles/xos-test-restore-db/defaults/main.yml
new file mode 100644
index 0000000..e16ee75
--- /dev/null
+++ b/roles/xos-test-restore-db/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+# xos-test-restore-db/defaults/main.yml
+
+xos_admin_user: "xosadmin@opencord.org"
+