diff --git a/ansible.cfg b/ansible.cfg
index c86b754..1b10379 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -4,3 +4,6 @@
 forks=20
 timeout=30
 
+[ssh_connection]
+ssh_args = -o ControlMaster=auto -o ControlPersist=3s
+
diff --git a/prep-headnode-playbook.yml b/prep-headnode-playbook.yml
index b1877db..bca4959 100644
--- a/prep-headnode-playbook.yml
+++ b/prep-headnode-playbook.yml
@@ -48,7 +48,7 @@
   become: yes
   roles:
     - { role: dns-configure, when: not use_maas }
-    - { role: dhcpd, when: not use_maas }
+    - { role: dhcpd, when: not (use_maas or frontend_only) }
 
 - name: Install apt-cacher-ng
   hosts: head
diff --git a/profile_manifests/ecord.yml b/profile_manifests/ecord.yml
index 28de081..e8b2696 100644
--- a/profile_manifests/ecord.yml
+++ b/profile_manifests/ecord.yml
@@ -71,6 +71,8 @@
       - "DNS:xos-core.{{ site_suffix }}"
 
 # Network/DNS settings
+headnode: head1
+
 dns_search:
   - "{{ site_suffix }}"
 
@@ -89,23 +91,31 @@
       - { name: ns1 }
     nodelists:
       - head_lxd_list
+      - physical_node_list
     aliases:
-      - { name: "apt-cache", dest: "head1" }
-      - { name: "cordloghost", dest: "head1" }
-      - { name: "docker", dest: "head1" }
-      - { name: "ns", dest: "head1" }
-      - { name: "ns1", dest: "head1" }
-      - { name: "onos-cord", dest: "head1" }
-      - { name: "xos", dest: "head1" }
-      - { name: "xos-chameleon", dest: "head1" }
-      - { name: "xos-rest-gw", dest: "head1" }
-      - { name: "xos-spa-gui", dest: "head1" }
+      - { name: "apt-cache", dest: "{{ headnode }}" }
+      - { name: "cordloghost", dest: "{{ headnode }}" }
+      - { name: "docker", dest: "{{ headnode }}" }
+      - { name: "ns", dest: "{{ headnode }}" }
+      - { name: "ns1", dest: "{{ headnode }}" }
+      - { name: "onos-cord", dest: "{{ headnode }}" }
+      - { name: "xos", dest: "{{ headnode }}" }
+      - { name: "xos-chameleon", dest: "{{ headnode }}" }
+      - { name: "xos-rest-gw", dest: "{{ headnode }}" }
+      - { name: "xos-gui", dest: "{{ headnode }}" }
 
 unbound_listen_all: True
 
 unbound_interfaces:
   - "{{ mgmt_ipv4_first_octets }}.1/24"
 
+
+physical_node_list:
+  - name: head1
+    ipv4_last_octet: 1
+    aliases:
+      - head
+
 # VTN network configuration
 management_network_cidr: 172.27.0.0/24
 management_network_ip: 172.27.0.1/24
diff --git a/profile_manifests/mcord.yml b/profile_manifests/mcord.yml
index e934164..6624df2 100644
--- a/profile_manifests/mcord.yml
+++ b/profile_manifests/mcord.yml
@@ -99,6 +99,8 @@
       - "DNS:xos-core.{{ site_suffix }}"
 
 # Network/DNS settings
+headnode: head1
+
 dns_search:
   - "{{ site_suffix }}"
 
@@ -117,23 +119,30 @@
       - { name: ns1 }
     nodelists:
       - head_lxd_list
+      - physical_node_list
     aliases:
-      - { name: "apt-cache", dest: "head1" }
-      - { name: "cordloghost", dest: "head1" }
-      - { name: "docker", dest: "head1" }
-      - { name: "ns", dest: "head1" }
-      - { name: "ns1", dest: "head1" }
-      - { name: "onos-cord", dest: "head1" }
-      - { name: "xos", dest: "head1" }
-      - { name: "xos-chameleon", dest: "head1" }
-      - { name: "xos-rest-gw", dest: "head1" }
-      - { name: "xos-spa-gui", dest: "head1" }
+      - { name: "apt-cache", dest: "{{ headnode }}" }
+      - { name: "cordloghost", dest: "{{ headnode }}" }
+      - { name: "docker", dest: "{{ headnode }}" }
+      - { name: "ns", dest: "{{ headnode }}" }
+      - { name: "ns1", dest: "{{ headnode }}" }
+      - { name: "onos-cord", dest: "{{ headnode }}" }
+      - { name: "xos", dest: "{{ headnode }}" }
+      - { name: "xos-chameleon", dest: "{{ headnode }}" }
+      - { name: "xos-rest-gw", dest: "{{ headnode }}" }
+      - { name: "xos-gui", dest: "{{ headnode }}" }
 
 unbound_listen_all: True
 
 unbound_interfaces:
   - "{{ mgmt_ipv4_first_octets }}.1/24"
 
+physical_node_list:
+  - name: head1
+    ipv4_last_octet: 1
+    aliases:
+      - head
+
 # VTN network configuration
 management_network_cidr: 172.27.0.0/24
 management_network_ip: 172.27.0.1/24
diff --git a/profile_manifests/opencloud.yml b/profile_manifests/opencloud.yml
index 3fef027..1ab7cef 100644
--- a/profile_manifests/opencloud.yml
+++ b/profile_manifests/opencloud.yml
@@ -9,6 +9,8 @@
 deployment_type: campus
 
 # Feature toggles
+use_maas: False
+use_apt_cache: True
 
 # XOS config
 xos_tosca_config_templates:
@@ -50,6 +52,8 @@
       - "DNS:xos-core.{{ site_suffix }}"
 
 # Network/DNS settings
+headnode: head1
+
 dns_search:
   - "{{ site_suffix }}"
 
@@ -70,16 +74,16 @@
       - head_lxd_list
       - physical_node_list
     aliases:
-      - { name: "apt-cache", dest: "head1" }
-      - { name: "cordloghost", dest: "head1" }
-      - { name: "docker", dest: "head1" }
-      - { name: "ns", dest: "head1" }
-      - { name: "ns1", dest: "head1" }
-      - { name: "onos-cord", dest: "head1" }
-      - { name: "xos", dest: "head1" }
-      - { name: "xos-chameleon", dest: "head1" }
-      - { name: "xos-rest-gw", dest: "head1" }
-      - { name: "xos-spa-gui", dest: "head1" }
+      - { name: "apt-cache", dest: "{{ headnode }}" }
+      - { name: "cordloghost", dest: "{{ headnode }}" }
+      - { name: "docker", dest: "{{ headnode }}" }
+      - { name: "ns", dest: "{{ headnode }}" }
+      - { name: "ns1", dest: "{{ headnode }}" }
+      - { name: "onos-cord", dest: "{{ headnode }}" }
+      - { name: "xos", dest: "{{ headnode }}" }
+      - { name: "xos-chameleon", dest: "{{ headnode }}" }
+      - { name: "xos-rest-gw", dest: "{{ headnode }}" }
+      - { name: "xos-gui", dest: "{{ headnode }}" }
 
 unbound_listen_all: True
 
diff --git a/profile_manifests/rcord.yml b/profile_manifests/rcord.yml
index 55815f3..edc60e0 100644
--- a/profile_manifests/rcord.yml
+++ b/profile_manifests/rcord.yml
@@ -86,6 +86,8 @@
       - "DNS:xos-core.{{ site_suffix }}"
 
 # Network/DNS settings
+headnode: prod
+
 dns_search:
   - "{{ site_suffix }}"
 
@@ -104,23 +106,31 @@
       - { name: ns1 }
     nodelists:
       - head_lxd_list
+      - physical_node_list
     aliases:
-      - { name: "apt-cache", dest: "head1" }
-      - { name: "cordloghost", dest: "head1" }
-      - { name: "docker", dest: "head1" }
-      - { name: "ns", dest: "head1" }
-      - { name: "ns1", dest: "head1" }
-      - { name: "onos-cord", dest: "head1" }
-      - { name: "xos", dest: "head1" }
-      - { name: "xos-chameleon", dest: "head1" }
-      - { name: "xos-rest-gw", dest: "head1" }
-      - { name: "xos-spa-gui", dest: "head1" }
+      - { name: "apt-cache", dest: "{{ headnode }}" }
+      - { name: "cordloghost", dest: "{{ headnode }}" }
+      - { name: "docker", dest: "{{ headnode }}" }
+      - { name: "ns", dest: "{{ headnode }}" }
+      - { name: "ns1", dest: "{{ headnode }}" }
+      - { name: "onos-cord", dest: "{{ headnode }}" }
+      - { name: "xos", dest: "{{ headnode }}" }
+      - { name: "xos-chameleon", dest: "{{ headnode }}" }
+      - { name: "xos-rest-gw", dest: "{{ headnode }}" }
+      - { name: "xos-gui", dest: "{{ headnode }}" }
 
 unbound_listen_all: True
 
 unbound_interfaces:
   - "{{ mgmt_ipv4_first_octets }}.1/24"
 
+physical_node_list:
+  - name: prod
+    ipv4_last_octet: 1
+    aliases:
+      - head1
+      - head
+
 # VTN network configuration
 management_network_cidr: 172.27.0.0/24
 management_network_ip: 172.27.0.1/24
diff --git a/roles/dns-nsd/defaults/main.yml b/roles/dns-nsd/defaults/main.yml
index 5dcbddf..c5ff6e7 100644
--- a/roles/dns-nsd/defaults/main.yml
+++ b/roles/dns-nsd/defaults/main.yml
@@ -5,6 +5,8 @@
 nsd_zonesdir: "/var/nsd/zones"
 nsd_group: "nsd"
 
+nsd_zones: []
+
 # default DNS TTL
 dns_ttl: 3600
 
diff --git a/roles/dns-nsd/tasks/main.yml b/roles/dns-nsd/tasks/main.yml
index bd87f99..56c452c 100644
--- a/roles/dns-nsd/tasks/main.yml
+++ b/roles/dns-nsd/tasks/main.yml
@@ -10,33 +10,41 @@
 
 - name: Ensure that zones directory exists
   file:
-    name={{ nsd_zonesdir }}
-    state=directory
-    mode=0755 owner=root group={{ nsd_group }}
+    name: "{{ nsd_zonesdir }}"
+    state: directory
+    mode: 0755
+    owner: root
+    group: "{{ nsd_group }}"
 
 - name: Create nsd.conf from template
   template:
-    src=nsd.conf.j2
-    dest={{ nsd_conf }}
-    mode=0644 owner=root group={{ nsd_group }}
+    src: nsd.conf.j2
+    dest: "{{ nsd_conf }}"
+    mode: 0644
+    owner: root
+    group: "{{ nsd_group }}"
   notify:
     - restart-nsd
 
 - name: create forward zonefiles from template
   template:
-    src=zone.forward.j2
-    dest={{ nsd_zonesdir }}/{{ item.name }}.forward
-    mode=0644 owner=root group={{ nsd_group }}
-  with_items: '{{ nsd_zones }}'
+    src: zone.forward.j2
+    dest: "{{ nsd_zonesdir }}/{{ item.name }}.forward"
+    mode: 0644
+    owner: root
+    group: "{{ nsd_group }}"
+  with_items: "{{ nsd_zones }}"
   notify:
     - reload-nsd
 
 - name: create reverse zonefiles from template
   template:
-    src=zone.reverse.j2
-    dest={{ nsd_zonesdir }}/{{ item.name }}.reverse
-    mode=0644 owner=root group={{ nsd_group }}
-  with_items: '{{ nsd_zones }}'
+    src: zone.reverse.j2
+    dest: "{{ nsd_zonesdir }}/{{ item.name }}.reverse"
+    mode: 0644
+    owner: root
+    group: "{{ nsd_group }}"
+  with_items: "{{ nsd_zones }}"
   notify:
     - reload-nsd
 
diff --git a/roles/dns-unbound/tasks/main.yml b/roles/dns-unbound/tasks/main.yml
index 03a80d3..cfd1546 100644
--- a/roles/dns-unbound/tasks/main.yml
+++ b/roles/dns-unbound/tasks/main.yml
@@ -10,9 +10,11 @@
 
 - name: create unbound.conf from template
   template:
-    src=unbound.conf.j2
-    dest={{ unbound_conf }}
-    mode=0644 owner=root group={{ unbound_group }}
+    src: unbound.conf.j2
+    dest: "{{ unbound_conf }}"
+    mode: 0644
+    owner: root
+    group: "{{ unbound_group }}"
     # validate='unbound-checkconf %s' - can't use, checks path, not just config.
   notify:
    - restart-unbound
diff --git a/roles/docker-install/tasks/main.yml b/roles/docker-install/tasks/main.yml
index c7b7d73..fac17d8 100644
--- a/roles/docker-install/tasks/main.yml
+++ b/roles/docker-install/tasks/main.yml
@@ -30,19 +30,15 @@
     update_cache: yes
     cache_valid_time: 3600
 
-- name: Remove obsolete docker-py pip module
-  become: yes
-  pip:
-    name: docker-py
-    state: absent
-
-- name: Install pip modules for docker and docker-compose
+- name: Install docker-compose, docker python module, imagebuilder deps via pip
   become: yes
   pip:
     name: "{{ item }}"
   with_items:
     - docker>=2.4.2
     - docker-compose>=1.14.0
+    - gitpython
+    - graphviz
 
 - name: Make current user part of the Docker group
   become: yes
@@ -51,3 +47,8 @@
     groups: "docker"
     append: yes
 
+# Doesn't work right now, but reported: https://github.com/ansible/ansible/issues/24794
+# see also http://docs.ansible.com/ansible/intro_configuration.html#openssh-specific-settings
+- name: Reset ssh connection so user gains docker group membership
+  meta: reset_connection
+