Merge "change ssh key for vnaumov"
diff --git a/defaults/docker_images.yml b/defaults/docker_images.yml
index ed8599e..a52fbc6 100644
--- a/defaults/docker_images.yml
+++ b/defaults/docker_images.yml
@@ -6,8 +6,7 @@
     docker_image_visualizer: "${_param:mcp_docker_registry}/mirantis/external/visualizer:${_param:mcp_version}"
     # openldap:1.1.8
     docker_image_openldap: "${_param:mcp_docker_registry}/mirantis/external/openldap:${_param:mcp_version}"
-    # library/postgres:9.6  #G
-    docker_image_postgresql: "${_param:mcp_docker_registry}/mirantis/external/library/postgres:${_param:mcp_version}"
+    docker_image_postgresql: "${_param:mcp_docker_registry}/mirantis/external/library/postgres:9.6.10"
     # library/mongo:3.4 #G
     docker_image_mongodb: "${_param:mcp_docker_registry}/mirantis/external/library/mongo:${_param:mcp_version}"
     ###
diff --git a/defaults/init.yml b/defaults/init.yml
index e98e3ae..9b2b6cf 100644
--- a/defaults/init.yml
+++ b/defaults/init.yml
@@ -15,6 +15,7 @@
 - system.defaults.gerrit
 - system.defaults.keepalived
 - system.defaults.salt
+- system.defaults.stacklight
 parameters:
   _param:
     mcp_version: stable
@@ -32,6 +33,8 @@
     # Docker artifact globals
     mcp_docker_registry: 'docker-prod-local.artifactory.mirantis.com'
     mcp_binary_registry: "https://${_param:mcp_docker_registry}/artifactory/binary-prod-local"
+    # Opencontrail globals
+    opencontrail_version: 4.0
     # Other
     salt_control_xenial_image_backend: /var/lib/libvirt/images/backends/xenial.qcow2
     salt_control_trusty_image_backend: /var/lib/libvirt/images/backends/trusty.qcow2
diff --git a/defaults/linux_system_repo.yml b/defaults/linux_system_repo.yml
index 880194f..b38a11c 100644
--- a/defaults/linux_system_repo.yml
+++ b/defaults/linux_system_repo.yml
@@ -14,7 +14,7 @@
     linux_system_repo_mcp_docker_legacy_url: ${_param:linux_system_repo_url}/docker-1.x/
     linux_system_repo_mcp_docker_url: ${_param:linux_system_repo_url}/docker/
     linux_system_repo_mcp_elasticsearch_curator_url: ${_param:linux_system_repo_url}/elasticsearch-curator-5/
-    linux_system_repo_mcp_elasticsearch_url: ${_param:linux_system_repo_url}/elasticsearch-5.x/
+    linux_system_repo_mcp_elasticsearch_url: ${_param:linux_system_repo_url}/elasticsearch-${_param:elasticsearch_version}.x/
     linux_system_repo_mcp_extra_url: ${_param:linux_system_repo_url}/extra/
     linux_system_repo_mcp_glusterfs_url: ${_param:linux_system_repo_url}/glusterfs-${_param:linux_system_repo_mcp_glusterfs_version_number}/
     linux_system_repo_mcp_influxdb_url: ${_param:linux_system_repo_url}/influxdb
@@ -32,6 +32,10 @@
     linux_system_repo_update_mirantis_openstack_url: ${_param:linux_system_repo_update_url}/openstack-${_param:openstack_version}/
     linux_system_repo_hotfix_mirantis_openstack_url: ${_param:linux_system_repo_hotfix_url}/openstack-${_param:openstack_version}/
     #
+    linux_system_repo_opencontrail_url: ${_param:linux_system_repo_url}/opencontrail-${_param:opencontrail_version}/
+    linux_system_repo_update_opencontrail_url: ${_param:linux_system_repo_update_url}/opencontrail-${_param:opencontrail_version}/
+    linux_system_repo_hotfix_opencontrail_url: ${_param:linux_system_repo_hotfix_url}/opencontrail-${_param:opencontrail_version}/
+    #
     linux_system_repo_ubuntu_url: ${_param:linux_system_repo_url}/ubuntu/
     linux_system_repo_update_ubuntu_url: ${_param:linux_system_repo_update_url}/ubuntu/
     linux_system_repo_hotfix_ubuntu_url: ${_param:linux_system_repo_hotfix_url}/ubuntu/
diff --git a/defaults/openstack/init.yml b/defaults/openstack/init.yml
index b1f814c..23f0332 100644
--- a/defaults/openstack/init.yml
+++ b/defaults/openstack/init.yml
@@ -19,8 +19,8 @@
     openstack_memcache_security_strategy: 'ENCRYPT'
     openstack_memcached_proto_tcp_enabled: True
     openstack_memcached_proto_udp_enabled: False
-    openstack_old_version: ocata
     openstack_version: ocata
+    openstack_old_version: ${_param:openstack_version}
     openstack_upgrade_enabled: False
     # Cinder
     cinder_memcache_security_enabled: ${_param:openstack_memcache_security_enabled}
@@ -61,8 +61,8 @@
     # Gnocchi
     gnocchi_memcache_security_enabled: ${_param:openstack_memcache_security_enabled}
     gnocchi_memcache_secret_key: ''
-    gnocchi_old_version: 4.0
     gnocchi_version: 4.0
+    gnocchi_old_version: ${_param:gnocchi_version}
     gnocchi_upgrade_enabled: ${_param:openstack_upgrade_enabled}
     # Panko
     panko_memcache_security_enabled: ${_param:openstack_memcache_security_enabled}
diff --git a/defaults/stacklight.yml b/defaults/stacklight.yml
new file mode 100644
index 0000000..1abbb5e
--- /dev/null
+++ b/defaults/stacklight.yml
@@ -0,0 +1,5 @@
+parameters:
+  _param:
+    # ELK stack versions
+    elasticsearch_version: 5
+    kibana_version: 5
diff --git a/docker/swarm/stack/monitoring/sf_notifier.yml b/docker/swarm/stack/monitoring/sf_notifier.yml
index 1fb416f..a66286a 100644
--- a/docker/swarm/stack/monitoring/sf_notifier.yml
+++ b/docker/swarm/stack/monitoring/sf_notifier.yml
@@ -4,6 +4,7 @@
   _param:
     sf_notifier_workers: 4
     sf_notifier_buffer_size: 32768
+    sf_notifier_alert_id_hash_func: sha256
   docker:
     client:
       stack:
@@ -34,6 +35,7 @@
                 SF_NOTIFIER_WORKERS: ${_param:sf_notifier_workers}
                 SF_NOTIFIER_BUFFER_SIZE: ${_param:sf_notifier_buffer_size}
                 SF_NOTIFIER_APP_PORT: ${prometheus:sf_notifier:uwsgi:bind_port}
+                SF_NOTIFIER_ALERT_ID_HASH_FUNC: ${_param:sf_notifier_alert_id_hash_func}
                 SFDC_AUTH_URL: "${_param:sf_notifier_sfdc_auth_url}"
                 SFDC_USERNAME: "${_param:sf_notifier_sfdc_username}"
                 SFDC_PASSWORD: "${_param:sf_notifier_sfdc_password}"
diff --git a/docker/swarm/stack/postgresql.yml b/docker/swarm/stack/postgresql.yml
index 192b82c..b3936c6 100644
--- a/docker/swarm/stack/postgresql.yml
+++ b/docker/swarm/stack/postgresql.yml
@@ -2,7 +2,8 @@
   _param:
     docker_postgresql_replicas: 1
     postgresql_bind_host: postgresql-db
-    postgresql_bind_port: ${_param:haproxy_postgresql_bind_port}
+    postgresql_bind_port: 5432
+    postgresql_exposed_port: 5432
     postgresql_ssl:
       enabled: false
     postgresql_admin_user: postgres
@@ -14,6 +15,7 @@
           environment:
             POSTGRES_USER: ${_param:postgresql_admin_user}
             POSTGRES_PASSWORD: ${_param:postgresql_admin_user_password}
+            PGDATA: /var/lib/postgresql/data/pgdata
           service:
             postgresql-db:
               image: ${_param:docker_image_postgresql}
@@ -24,8 +26,4 @@
               volumes:
                 - /srv/volumes/postgresql/data:/var/lib/postgresql/data
               ports:
-                - ${_param:haproxy_postgresql_exposed_port}:${_param:haproxy_postgresql_bind_port}
-          network:
-            default:
-              external:
-                name: oss_backend
+                - ${_param:postgresql_exposed_port}:${_param:postgresql_bind_port}
diff --git a/elasticsearch/server/cluster.yml b/elasticsearch/server/cluster.yml
index 1bbe404..76774aa 100644
--- a/elasticsearch/server/cluster.yml
+++ b/elasticsearch/server/cluster.yml
@@ -6,7 +6,6 @@
     java_environment_version: "8"
     java_environment_platform: openjdk
     elasticsearch_cluster_name: elasticsearch
-    elasticsearch_version: 5
   linux:
     system:
       sysctl:
diff --git a/elasticsearch/server/single.yml b/elasticsearch/server/single.yml
index 419513d..a044394 100644
--- a/elasticsearch/server/single.yml
+++ b/elasticsearch/server/single.yml
@@ -2,8 +2,6 @@
 - service.java.environment.openjdk8
 - service.elasticsearch.server.single
 parameters:
-  _param:
-    elasticsearch_version: 5
   linux:
     system:
       sysctl:
diff --git a/etcd/server/cluster.yml b/etcd/server/cluster.yml
index 459d492..d9c1c8b 100644
--- a/etcd/server/cluster.yml
+++ b/etcd/server/cluster.yml
@@ -4,10 +4,19 @@
 - service.etcd.linux
 parameters:
   _param:
-    docker_image_etcd: quay.io/coreos/etcd:v3.3.8
+    docker_image_etcd: quay.io/coreos/etcd:v3.3.10
+    kubernetes_etcd_repo: https://github.com/etcd-io/etcd/releases/download
+    kubernetes_etcd_source: ${_param:kubernetes_etcd_repo}/v3.3.10/etcd-v3.3.10-linux-amd64.tar.gz
+    kubernetes_etcd_source_hash: md5=dbbe0d021ba497bf9d9cc9963d0c7a4b
   etcd:
     server:
       enabled: true
       image: ${_param:docker_image_etcd}
+      source:
+        engine: archive
+      etcd_source: ${_param:kubernetes_etcd_source}
+      etcd_source_hash: ${_param:kubernetes_etcd_source_hash}
       bind:
-        host: ${_param:cluster_local_address}
\ No newline at end of file
+        host: ${_param:cluster_local_address}
+      ssl:
+        enabled: true
diff --git a/jenkins/client/job/deploy/update/cloud_update.yml b/jenkins/client/job/deploy/update/cloud_update.yml
index 4482324..aef20ce 100644
--- a/jenkins/client/job/deploy/update/cloud_update.yml
+++ b/jenkins/client/job/deploy/update/cloud_update.yml
@@ -55,36 +55,28 @@
               description: "Stop API services before update"
             TARGET_KERNEL_UPDATES:
               type: string
-              default: "cfg,ctl,prx,msg,dbs"
-              description: "Comma separated list of nodes to update kernel if newer version is available (Valid values are cfg,ctl,prx,msg,dbs,log,mon,mtr,ntw,nal,gtw-virtual,cmn,rgw,cid,cmp,kvm,osd,gtw-physical)"
+              default: "cfg,msg,dbs"
+              description: "Comma separated list of nodes to update kernel if newer version is available (Valid values are cfg,msg,dbs,log,mon,mtr,ntw,nal,cmn,rgw,cid,kvm,osd)"
             TARGET_REBOOT:
               type: string
-              default: "cfg,ctl,prx,msg,dbs"
-              description: "Comma separated list of nodes to reboot after update or physical machine rollback (Valid values are cfg,ctl,prx,msg,dbs,log,mon,mtr,ntw,nal,gtw-virtual,cmn,rgw,cid,cmp,kvm,osd,gtw-physical)"
+              default: "cfg,msg,dbs"
+              description: "Comma separated list of nodes to reboot after update or physical machine rollback (Valid values are cfg,msg,dbs,log,mon,mtr,ntw,nal,cmn,rgw,cid,kvm,osd)"
             TARGET_HIGHSTATE:
               type: string
-              default: "cfg,ctl,prx,msg,dbs"
-              description: "Comma separated list of nodes to run Salt Highstate on after update or physical machine rollback (Valid values are cfg,ctl,prx,msg,dbs,log,mon,mtr,ntw,nal,gtw-virtual,cmn,rgw,cid,cmp,kvm,osd,gtw-physical)"
+              default: "cfg,msg,dbs"
+              description: "Comma separated list of nodes to run Salt Highstate on after update or physical machine rollback (Valid values are cfg,msg,dbs,log,mon,mtr,ntw,nal,cmn,rgw,cid,kvm,osd)"
             TARGET_UPDATES:
               type: string
-              default: "cfg,ctl,prx,msg,dbs"
-              description: "Comma separated list of nodes to update (Valid values are cfg,ctl,prx,msg,dbs,log,mon,mtr,ntw,nal,gtw-virtual,cmn,rgw,cid,cmp,kvm,osd,gtw-physical)"
+              default: "cfg,msg,dbs"
+              description: "Comma separated list of nodes to update (Valid values are cfg,msg,dbs,log,mon,mtr,ntw,nal,cmn,rgw,cid,kvm,osd)"
             TARGET_ROLLBACKS:
               type: string
               default: ""
-              description: "Comma separated list of nodes to rollback (Valid values are ctl,prx,msg,dbs,log,mon,mtr,ntw,nal,gtw-virtual,cmn,rgw,cmp,kvm,osd,gtw-physical)"
+              description: "Comma separated list of nodes to rollback (Valid values are msg,dbs,log,mon,mtr,ntw,nal,cmn,rgw,kvm,osd)"
             TARGET_SNAPSHOT_MERGES:
               type: string
               default: ""
-              description: "Comma separated list of nodes to merge live snapshot for (Valid values are cfg,ctl,prx,msg,dbs,log,mon,mtr,ntw,nal,gtw-virtual,cmn,rgw,cid)"
-            CTL_TARGET:
-              type: string
-              default: "ctl*"
-              description: "Salt targeted CTL nodes (ex. ctl*)"
-            PRX_TARGET:
-              type: string
-              default: "prx*"
-              description: "Salt targeted PRX nodes (ex. prx*)"
+              description: "Comma separated list of nodes to merge live snapshot for (Valid values are cfg,msg,dbs,log,mon,mtr,ntw,nal,cmn,rgw,cid)"
             MSG_TARGET:
               type: string
               default: "msg*"
@@ -125,10 +117,6 @@
               type: string
               default: "cid*"
               description: "Salt targeted CID nodes (ex. cid*)"
-            CMP_TARGET:
-              type: string
-              default: "cmp001*"
-              description: "Salt targeted physical compute nodes (ex. cmp001*)"
             KVM_TARGET:
               type: string
               default: "kvm01*"
@@ -137,10 +125,6 @@
               type: string
               default: "osd001*"
               description: "Salt targeted physical Ceph OSD nodes (ex. osd001*)"
-            GTW_TARGET:
-              type: string
-              default: "gtw01*"
-              description: "Salt targeted physical or virtual GTW nodes (ex. gtw01*)"
             ROLLBACK_PKG_VERSIONS:
               type: string
               default: ""
diff --git a/jenkins/client/job/security/openscap.yml b/jenkins/client/job/security/openscap.yml
index aa8dd6c..74bc15a 100644
--- a/jenkins/client/job/security/openscap.yml
+++ b/jenkins/client/job/security/openscap.yml
@@ -63,5 +63,5 @@
               description: "The tailoring id"
             XCCDF_CPE:
               type: string
-              default: ''
+              default: '/usr/share/mirantis-scap-content/mirantis/cpe/openscap-cpe-dict.xml'
               description: "CPE dictionary or language for applicability checks. (Example: /usr/share/openscap/cpe/openscap-cpe-dict.xml)"
diff --git a/keystone/client/v3/service/contrail.yml b/keystone/client/v3/service/contrail.yml
index 1b5701f..e6277d5 100644
--- a/keystone/client/v3/service/contrail.yml
+++ b/keystone/client/v3/service/contrail.yml
@@ -3,8 +3,28 @@
     contrail_service_protocol: http
   keystone:
     client:
+      server:
+        contrail_identity:
+          admin:
+            user: contrail
+            password: ${_param:opencontrail_admin_password}
+            project: admin
+            host: ${_param:keystone_service_host}
+            port: 5000
+            region_name: ${_param:openstack_region}
+            use_keystoneauth: true
+            protocol: ${_param:keystone_service_protocol}
       resources:
         v3:
+          users:
+            contrail:
+              password: ${_param:opencontrail_admin_password}
+              email: ${_param:admin_email}
+              is_admin: true
+              roles:
+                admin:
+                  name: admin
+                  project_id: admin
           services:
             opencontrail:
               type: contrail
diff --git a/kibana/server/single.yml b/kibana/server/single.yml
index 745c07a..965f274 100644
--- a/kibana/server/single.yml
+++ b/kibana/server/single.yml
@@ -1,8 +1,6 @@
 classes:
 - service.kibana.server.single
 parameters:
-  _param:
-    kibana_version: 5
   kibana:
     server:
       enabled: true
diff --git a/kubernetes/common/init.yml b/kubernetes/common/init.yml
index 76c1e9a..d015a80 100644
--- a/kubernetes/common/init.yml
+++ b/kubernetes/common/init.yml
@@ -6,8 +6,6 @@
     kubernetes_calico_birdcl_repo: ${_param:mcp_binary_registry}/mirantis/projectcalico/bird
     kubernetes_calico_cni_repo: ${_param:mcp_binary_registry}/mirantis/projectcalico/cni-plugin
     kubernetes_hyperkube_repo: ${_param:mcp_binary_registry}/mirantis/kubernetes/hyperkube-binaries
-    kubernetes_contrail_cni_repo: ${_param:mcp_docker_registry}/mirantis/kubernetes
-    kubernetes_contrail_network_controller_repo: ${_param:mcp_docker_registry}/mirantis/kubernetes/contrail-integration
     kubernetes_contrail_registry: ${_param:mcp_docker_registry}/opencontrail-${_param:linux_repo_contrail_component}
     kubernetes_netchecker_agent_repo: mirantis
     kubernetes_netchecker_server_repo: mirantis
@@ -26,7 +24,6 @@
     kubernetes_containerd_repo: https://github.com/kubernetes-sigs/cri-tools/releases/download
 
     # component images/binaries
-    kubernetes_docker_package: docker-engine=1.13.1-0~ubuntu-xenial
     kubernetes_calico_image: ${_param:kubernetes_calico_repo}/node:v3.1.3
     kubernetes_calico_kube_controllers_image: ${_param:kubernetes_calico_kube_ctl_repo}/kube-controllers:v3.1.3
     kubernetes_calico_calicoctl_source: ${_param:kubernetes_calico_calicoctl_repo}/calicoctl-v3.1.3
@@ -40,8 +37,6 @@
     kubernetes_hyperkube_source: ${_param:kubernetes_hyperkube_repo}/hyperkube_v1.11.3-2_1536938897511
     kubernetes_hyperkube_source_hash: md5=159910d99c3ccf77d1e0f7b346edaf40
     kubernetes_pause_image: ${_param:mcp_docker_registry}/mirantis/kubernetes/pause-amd64:v1.11.3-2
-    kubernetes_contrail_cni_image: ${_param:kubernetes_contrail_cni_repo}/contrail-cni:v1.2.0
-    kubernetes_contrail_network_controller_image: ${_param:kubernetes_contrail_network_controller_repo}/contrail-network-controller:v1.2.0
     kubernetes_virtlet_image: ${_param:kubernetes_virtlet_repo}/virtlet:v1.4.1
     kubernetes_criproxy_version: v0.12.0
     kubernetes_criproxy_checksum: md5=371cacd3d8568eb88425498b48a649dd
@@ -72,6 +67,7 @@
     kubernetes_hyperkube_image: ${_param:mcp_docker_registry}/mirantis/kubernetes/hyperkube-amd64:v1.11.3-2
     kubernetes_calico_cni_image: ${_param:mcp_docker_registry}/mirantis/projectcalico/calico/cni:v3.1.3
     kubernetes_calico_calicoctl_image: ${_param:mcp_docker_registry}/mirantis/projectcalico/calico/ctl:v3.1.3
+    kubernetes_containerd_package: containerd.io=1.2.0-1
 
     kubernetes_opencontrail_controller_image: ${_param:kubernetes_contrail_registry}/opencontrail-controller:${_param:mcp_version}
     kubernetes_opencontrail_analyticsdb_image: ${_param:kubernetes_contrail_registry}/opencontrail-analyticsdb:${_param:mcp_version}
@@ -90,12 +86,11 @@
     kubernetes_genie_enabled: false
     kubernetes_calico_enabled: false
     kubernetes_opencontrail_enabled: false
-    kubernetes_contrail_network_controller_enabled: false
     kubernetes_metallb_enabled: false
     kubernetes_sriov_enabled: false
     kubernetes_telegraf_enabled: false
     kubernetes_ingressnginx_enabled: false
-    kubernetes_containerd_enabled: false
+    kubernetes_containerd_enabled: true
 
     kubernetes_ingressnginx_controller_replicas: 1
 
@@ -121,19 +116,12 @@
       kernel:
         sysctl:
           net.ipv4.ip_forward: 1
-  docker:
-    host:
-      pkgs:
-        - ${_param:kubernetes_docker_package}
-        - python-docker
-      options:
-        bip: 172.31.255.1/24
-        storage-driver: overlay2
 
   kubernetes:
     common:
       containerd:
         enabled: ${_param:kubernetes_containerd_enabled}
+        package: ${_param:kubernetes_containerd_package}
         crictl:
           source: ${_param:kubernetes_containerd_source}
           hash: ${_param:kubernetes_containerd_source_hash}
@@ -167,9 +155,6 @@
           image: ${_param:kubernetes_coredns_image}
           etcd:
             operator_image: ${_param:kubernetes_corends_etcd_operator_image}
-        contrail_network_controller:
-          enabled: ${_param:kubernetes_contrail_network_controller_enabled}
-          image: ${_param:kubernetes_contrail_network_controller_image}
         opencontrail:
           controller:
             image: ${_param:kubernetes_opencontrail_controller_image}
@@ -244,7 +229,6 @@
           cni_image: ${_param:kubernetes_calico_cni_image}
         opencontrail:
           enabled: ${_param:kubernetes_opencontrail_enabled}
-          cni_image: ${_param:kubernetes_contrail_cni_image}
         sriov:
           enabled: ${_param:kubernetes_sriov_enabled}
           source: ${_param:kubernetes_sriov_source}
diff --git a/kubernetes/master/common.yml b/kubernetes/master/common.yml
index f649b4d..03c0f64 100644
--- a/kubernetes/master/common.yml
+++ b/kubernetes/master/common.yml
@@ -29,7 +29,6 @@
           cni_image: ${_param:kubernetes_calico_cni_image}
         opencontrail:
           enabled: ${_param:kubernetes_opencontrail_enabled}
-          cni_image: ${_param:kubernetes_contrail_cni_image}
         sriov:
           enabled: ${_param:kubernetes_sriov_enabled}
           source: ${_param:kubernetes_sriov_source}
diff --git a/kubernetes/pool/cluster.yml b/kubernetes/pool/cluster.yml
index a375748..8fcc6b7 100644
--- a/kubernetes/pool/cluster.yml
+++ b/kubernetes/pool/cluster.yml
@@ -1,6 +1,5 @@
 classes:
 - service.kubernetes.pool.cluster
-- service.docker.host
 - system.kubernetes.common
 parameters:
   kubernetes:
@@ -12,9 +11,3 @@
             enabled: true
           policy:
             enabled: false
-  docker:
-    host:
-      options:
-        iptables: false
-        log-opts:
-          labels: "io.kubernetes.pod.name"
diff --git a/kubernetes/pool/single.yml b/kubernetes/pool/single.yml
index 06178df..94b9434 100644
--- a/kubernetes/pool/single.yml
+++ b/kubernetes/pool/single.yml
@@ -1,14 +1,7 @@
 classes:
 - service.kubernetes.pool.single
-- service.docker.host
 - system.kubernetes.common
 parameters:
   kubernetes:
     pool:
       enabled: true
-  docker:
-    host:
-      options:
-        iptables: false
-        log-opts:
-          labels: "io.kubernetes.pod.name"
diff --git a/linux/system/repo/mcp/apt_mirantis/contrail.yml b/linux/system/repo/mcp/apt_mirantis/contrail.yml
new file mode 100644
index 0000000..da8b03c
--- /dev/null
+++ b/linux/system/repo/mcp/apt_mirantis/contrail.yml
@@ -0,0 +1,11 @@
+classes:
+- system.linux.system.repo.keystorage.mirantis_com
+parameters:
+  linux:
+    system:
+      repo:
+        mcp_opencontrail:
+          source: "deb ${_param:linux_system_repo_opencontrail_url}/${_param:linux_system_codename} ${_param:linux_system_codename} main"
+          key: ${_param:linux_system_repo_mirror_mirantis_key}
+          architectures: ${_param:linux_system_architecture}
+          clean_file: true
diff --git a/linux/system/repo/mcp/apt_mirantis/hotfix/contrail.yml b/linux/system/repo/mcp/apt_mirantis/hotfix/contrail.yml
new file mode 100644
index 0000000..bae4104
--- /dev/null
+++ b/linux/system/repo/mcp/apt_mirantis/hotfix/contrail.yml
@@ -0,0 +1,11 @@
+classes:
+- system.linux.system.repo.keystorage.mirantis_com
+parameters:
+  linux:
+    system:
+      repo:
+        mcp_opencontrail_hotfix:
+          source: "deb ${_param:linux_system_repo_hotfix_opencontrail_url}/${_param:linux_system_codename} ${_param:linux_system_codename} main"
+          key: ${_param:linux_system_repo_mirror_mirantis_key}
+          architectures: ${_param:linux_system_architecture}
+          clean_file: true
diff --git a/linux/system/repo/mcp/apt_mirantis/update/contrail.yml b/linux/system/repo/mcp/apt_mirantis/update/contrail.yml
new file mode 100644
index 0000000..503b9ea
--- /dev/null
+++ b/linux/system/repo/mcp/apt_mirantis/update/contrail.yml
@@ -0,0 +1,11 @@
+classes:
+- system.linux.system.repo.keystorage.mirantis_com
+parameters:
+  linux:
+    system:
+      repo:
+        mcp_opencontrail_update:
+          source: "deb ${_param:linux_system_repo_update_opencontrail_url}/${_param:linux_system_codename} ${_param:linux_system_codename} main"
+          key: ${_param:linux_system_repo_mirror_mirantis_key}
+          architectures: ${_param:linux_system_architecture}
+          clean_file: true
diff --git a/linux/system/repo/mcp/contrail.yml b/linux/system/repo/mcp/contrail.yml
index 3211f78..b0e9994 100644
--- a/linux/system/repo/mcp/contrail.yml
+++ b/linux/system/repo/mcp/contrail.yml
@@ -1,3 +1,4 @@
+# DEPRECATED since 2018.12+ release.
 parameters:
   _param:
     linux_repo_contrail_component: oc311
diff --git a/maas/region/single.yml b/maas/region/single.yml
index e7c7078..309ef34 100644
--- a/maas/region/single.yml
+++ b/maas/region/single.yml
@@ -16,7 +16,24 @@
           xenial:
             extra_pkgs:
               enabled: true
-              pkgs: [ "linux-headers-virtual-hwe-16.04", "linux-image-extra-virtual-hwe-16.04" ]
+              pkgs:
+                - linux-headers-virtual-hwe-16.04
+                - linux-image-extra-virtual-hwe-16.04
+                - acpid
+                - apt-transport-https
+                - bridge-utils
+                - curl
+                - dbus
+                - ethtool
+                - ifenslave
+                - iptables
+                - iputils-ping
+                - lsof
+                - strace
+                - tcpdump
+                - traceroute
+                - vlan
+                - wget
             kernel_package:
               enabled: true
               value: 'linux-image-virtual-hwe-16.04'
diff --git a/neutron/gateway/cluster.yml b/neutron/gateway/cluster.yml
index 6d33684..2a4f4f4 100644
--- a/neutron/gateway/cluster.yml
+++ b/neutron/gateway/cluster.yml
@@ -18,7 +18,7 @@
       vlan_aware_vms: ${_param:neutron_enable_vlan_aware_vms}
       agent_mode: ${_param:neutron_gateway_agent_mode}
       backend:
-        tenant_network_types: ${_param:neutron_tenant_network_types}"
+        tenant_network_types: "${_param:neutron_tenant_network_types}"
       message_queue:
         port: ${_param:openstack_rabbitmq_port}
         members:
diff --git a/opencontrail/compute/cluster4_0.yml b/opencontrail/compute/cluster4_0.yml
index 425f897..3cb1514 100644
--- a/opencontrail/compute/cluster4_0.yml
+++ b/opencontrail/compute/cluster4_0.yml
@@ -15,7 +15,7 @@
         host: ${_param:openstack_control_address}
         port: 35357
         token: ${_param:keystone_service_token}
-        password: ${_param:keystone_admin_password}
+        password: ${_param:opencontrail_admin_password}
       network:
         engine: neutron
         host: ${_param:openstack_control_address}
diff --git a/opencontrail/compute/single4_0.yml b/opencontrail/compute/single4_0.yml
index b48d1d0..b98522d 100644
--- a/opencontrail/compute/single4_0.yml
+++ b/opencontrail/compute/single4_0.yml
@@ -13,7 +13,7 @@
         host: ${_param:control_address}
         port: 35357
         token: ${_param:keystone_service_token}
-        password: ${_param:keystone_admin_password}
+        password: ${_param:opencontrail_admin_password}
       network:
         engine: neutron
         host: ${_param:control_address}