diff --git a/HACKING.rst b/HACKING.rst
index 5f33d77..3c08e67 100644
--- a/HACKING.rst
+++ b/HACKING.rst
@@ -5,10 +5,10 @@
 General
 -------
 
-DevStack is written in POSIX shell script.  This choice was made because
-it best illustrates the configuration steps that this implementation takes
-on setting up and interacting with OpenStack components.  DevStack specifically
-uses Bash and is compatible with Bash 3.
+DevStack is written in UNIX shell script.  It uses a number of bash-isms
+and so is limited to Bash (version 3 and up) and compatible shells.
+Shell script was chosen because it best illustrates the steps used to
+set up and interact with OpenStack components.
 
 DevStack's official repository is located on GitHub at
 https://github.com/openstack-dev/devstack.git.  Besides the master branch that
@@ -54,14 +54,14 @@
 ``TOP_DIR`` should always point there, even if the script itself is located in
 a subdirectory::
 
-    # Keep track of the current devstack directory.
+    # Keep track of the current DevStack directory.
     TOP_DIR=$(cd $(dirname "$0") && pwd)
 
 Many scripts will utilize shared functions from the ``functions`` file.  There are
 also rc files (``stackrc`` and ``openrc``) that are often included to set the primary
 configuration of the user environment::
 
-    # Keep track of the current devstack directory.
+    # Keep track of the current DevStack directory.
     TOP_DIR=$(cd $(dirname "$0") && pwd)
 
     # Import common functions
@@ -100,13 +100,14 @@
 -------
 
 ``stackrc`` is the global configuration file for DevStack.  It is responsible for
-calling ``localrc`` if it exists so configuration can be overridden by the user.
+calling ``local.conf`` (or ``localrc`` if it exists) so local user configuration
+is recognized.
 
 The criteria for what belongs in ``stackrc`` can be vaguely summarized as
 follows:
 
-* All project respositories and branches (for historical reasons)
-* Global configuration that may be referenced in ``localrc``, i.e. ``DEST``, ``DATA_DIR``
+* All project repositories and branches handled directly in ``stack.sh``
+* Global configuration that may be referenced in ``local.conf``, i.e. ``DEST``, ``DATA_DIR``
 * Global service configuration like ``ENABLED_SERVICES``
 * Variables used by multiple services that do not have a clear owner, i.e.
   ``VOLUME_BACKING_FILE_SIZE`` (nova-volumes and cinder) or ``PUBLIC_NETWORK_NAME``
@@ -116,8 +117,9 @@
   not be changed for other reasons but the earlier file needs to dereference a
   variable set in the later file.  This should be rare.
 
-Also, variable declarations in ``stackrc`` do NOT allow overriding (the form
-``FOO=${FOO:-baz}``); if they did then they can already be changed in ``localrc``
+Also, variable declarations in ``stackrc`` before ``local.conf`` is sourced
+do NOT allow overriding (the form
+``FOO=${FOO:-baz}``); if they did then they can already be changed in ``local.conf``
 and can stay in the project file.
 
 
@@ -139,7 +141,9 @@
 Markdown formatting in the comments; use it sparingly.  Specifically, ``stack.sh``
 uses Markdown headers to divide the script into logical sections.
 
-.. _shocco: http://rtomayko.github.com/shocco/
+.. _shocco: https://github.com/dtroyer/shocco/tree/rst_support
+
+The script used to drive <code>shocco</code> is <code>tools/build_docs.sh</code>.
 
 
 Exercises
diff --git a/README.md b/README.md
index 514786c..640fab6 100644
--- a/README.md
+++ b/README.md
@@ -6,35 +6,39 @@
 * To describe working configurations of OpenStack (which code branches work together?  what do config files look like for those branches?)
 * To make it easier for developers to dive into OpenStack so that they can productively contribute without having to understand every part of the system at once
 * To make it easy to prototype cross-project features
-* To sanity-check OpenStack builds (used in gating commits to the primary repos)
+* To provide an environment for the OpenStack CI testing on every commit to the projects
 
-Read more at http://devstack.org (built from the gh-pages branch)
+Read more at http://devstack.org.
 
-IMPORTANT: Be sure to carefully read `stack.sh` and any other scripts you execute before you run them, as they install software and may alter your networking configuration.  We strongly recommend that you run `stack.sh` in a clean and disposable vm when you are first getting started.
-
-# DevStack on Xenserver
-
-If you would like to use Xenserver as the hypervisor, please refer to the instructions in `./tools/xen/README.md`.
-
-# DevStack on Docker
-
-If you would like to use Docker as the hypervisor, please refer to the instructions in `./tools/docker/README.md`.
+IMPORTANT: Be sure to carefully read `stack.sh` and any other scripts you
+execute before you run them, as they install software and will alter your
+networking configuration.  We strongly recommend that you run `stack.sh`
+in a clean and disposable vm when you are first getting started.
 
 # Versions
 
-The devstack master branch generally points to trunk versions of OpenStack components.  For older, stable versions, look for branches named stable/[release] in the DevStack repo.  For example, you can do the following to create a diablo OpenStack cloud:
+The DevStack master branch generally points to trunk versions of OpenStack
+components.  For older, stable versions, look for branches named
+stable/[release] in the DevStack repo.  For example, you can do the
+following to create a grizzly OpenStack cloud:
 
-    git checkout stable/diablo
+    git checkout stable/grizzly
     ./stack.sh
 
-You can also pick specific OpenStack project releases by setting the appropriate `*_BRANCH` variables in `localrc` (look in `stackrc` for the default set).  Usually just before a release there will be milestone-proposed branches that need to be tested::
+You can also pick specific OpenStack project releases by setting the appropriate
+`*_BRANCH` variables in the ``localrc`` section of `local.conf` (look in
+`stackrc` for the default set).  Usually just before a release there will be
+milestone-proposed branches that need to be tested::
 
     GLANCE_REPO=https://github.com/openstack/glance.git
     GLANCE_BRANCH=milestone-proposed
 
 # Start A Dev Cloud
 
-Installing in a dedicated disposable vm is safer than installing on your dev machine!  Plus you can pick one of the supported Linux distros for your VM.  To start a dev cloud run the following NOT AS ROOT (see below for more):
+Installing in a dedicated disposable VM is safer than installing on your
+dev machine!  Plus you can pick one of the supported Linux distros for
+your VM.  To start a dev cloud run the following NOT AS ROOT (see
+**DevStack Execution Environment** below for more on user accounts):
 
     ./stack.sh
 
@@ -45,7 +49,7 @@
 
 We also provide an environment file that you can use to interact with your cloud via CLI:
 
-    # source openrc file to load your environment with osapi and ec2 creds
+    # source openrc file to load your environment with OpenStack CLI creds
     . openrc
     # list instances
     nova list
@@ -61,16 +65,37 @@
 
 DevStack runs rampant over the system it runs on, installing things and uninstalling other things.  Running this on a system you care about is a recipe for disappointment, or worse.  Alas, we're all in the virtualization business here, so run it in a VM.  And take advantage of the snapshot capabilities of your hypervisor of choice to reduce testing cycle times.  You might even save enough time to write one more feature before the next feature freeze...
 
-``stack.sh`` needs to have root access for a lot of tasks, but it also needs to have not-root permissions for most of its work and for all of the OpenStack services.  So ``stack.sh`` specifically does not run if you are root. This is a recent change (Oct 2013) from the previous behaviour of automatically creating a ``stack`` user.  Automatically creating a user account is not always the right response to running as root, so that bit is now an explicit step using ``tools/create-stack-user.sh``.  Run that (as root!) if you do not want to just use your normal login here, which works perfectly fine.
+``stack.sh`` needs to have root access for a lot of tasks, but uses ``sudo``
+for all of those tasks.  However, it needs to be not-root for most of its
+work and for all of the OpenStack services.  ``stack.sh`` specifically
+does not run if started as root.
+
+This is a recent change (Oct 2013) from the previous behaviour of
+automatically creating a ``stack`` user.  Automatically creating
+user accounts is not the right response to running as root, so
+that bit is now an explicit step using ``tools/create-stack-user.sh``. 
+Run that (as root!) or just check it out to see what DevStack's
+expectations are for the account it runs under.  Many people simply
+use their usual login (the default 'ubuntu' login on a UEC image
+for example).
 
 # Customizing
 
-You can override environment variables used in `stack.sh` by creating file name `localrc`.  It is likely that you will need to do this to tweak your networking configuration should you need to access your cloud from a different host.
+You can override environment variables used in `stack.sh` by creating file
+name `local.conf` with a ``locarc`` section as shown below.  It is likely
+that you will need to do this to tweak your networking configuration should
+you need to access your cloud from a different host.
+
+    [[local|localrc]]
+    VARIABLE=value
+
+See the **Local Configuration** section below for more details.
 
 # Database Backend
 
 Multiple database backends are available. The available databases are defined in the lib/databases directory.
-`mysql` is the default database, choose a different one by putting the following in `localrc`:
+`mysql` is the default database, choose a different one by putting the
+following in the `localrc` section:
 
     disable_service mysql
     enable_service postgresql
@@ -81,7 +106,7 @@
 
 Multiple RPC backends are available. Currently, this
 includes RabbitMQ (default), Qpid, and ZeroMQ. Your backend of
-choice may be selected via the `localrc`.
+choice may be selected via the `localrc` section.
 
 Note that selecting more than one RPC backend will result in a failure.
 
@@ -95,9 +120,10 @@
 
 # Apache Frontend
 
-Apache web server is enabled for wsgi services by setting `APACHE_ENABLED_SERVICES` in your localrc. But remember to enable these services at first as above.
+Apache web server is enabled for wsgi services by setting
+`APACHE_ENABLED_SERVICES` in your ``localrc`` section.  Remember to
+enable these services at first as above.
 
-Example:
     APACHE_ENABLED_SERVICES+=keystone,swift
 
 # Swift
@@ -108,23 +134,23 @@
 object services will run directly in screen. The others services like
 replicator, updaters or auditor runs in background.
 
-If you would like to enable Swift you can add this to your `localrc` :
+If you would like to enable Swift you can add this to your `localrc` section:
 
     enable_service s-proxy s-object s-container s-account
 
 If you want a minimal Swift install with only Swift and Keystone you
-can have this instead in your `localrc`:
+can have this instead in your `localrc` section:
 
     disable_all_services
     enable_service key mysql s-proxy s-object s-container s-account
 
 If you only want to do some testing of a real normal swift cluster
 with multiple replicas you can do so by customizing the variable
-`SWIFT_REPLICAS` in your `localrc` (usually to 3).
+`SWIFT_REPLICAS` in your `localrc` section (usually to 3).
 
 # Swift S3
 
-If you are enabling `swift3` in `ENABLED_SERVICES` devstack will
+If you are enabling `swift3` in `ENABLED_SERVICES` DevStack will
 install the swift3 middleware emulation. Swift will be configured to
 act as a S3 endpoint for Keystone so effectively replacing the
 `nova-objectstore`.
@@ -137,7 +163,7 @@
 Basic Setup
 
 In order to enable Neutron a single node setup, you'll need the
-following settings in your `localrc` :
+following settings in your `localrc` section:
 
     disable_service n-net
     enable_service q-svc
@@ -146,12 +172,15 @@
     enable_service q-l3
     enable_service q-meta
     enable_service neutron
-    # Optional, to enable tempest configuration as part of devstack
+    # Optional, to enable tempest configuration as part of DevStack
     enable_service tempest
 
 Then run `stack.sh` as normal.
 
-devstack supports adding specific Neutron configuration flags to the service, Open vSwitch plugin and LinuxBridge plugin configuration files. To make use of this feature, the following variables are defined and can be configured in your `localrc` file:
+DevStack supports setting specific Neutron configuration flags to the
+service, Open vSwitch plugin and LinuxBridge plugin configuration files.
+To make use of this feature, the following variables are defined and can
+be configured in your `localrc` section:
 
     Variable Name             Config File  Section Modified
     -------------------------------------------------------------------------------------
@@ -160,12 +189,14 @@
     Q_AGENT_EXTRA_SRV_OPTS    Plugin       `OVS` (for Open Vswitch) or `LINUX_BRIDGE` (for LinuxBridge)
     Q_SRV_EXTRA_DEFAULT_OPTS  Service      DEFAULT
 
-An example of using the variables in your `localrc` is below:
+An example of using the variables in your `localrc` section is below:
 
     Q_AGENT_EXTRA_AGENT_OPTS=(tunnel_type=vxlan vxlan_udp_port=8472)
     Q_SRV_EXTRA_OPTS=(tenant_network_type=vxlan)
 
-devstack also supports configuring the Neutron ML2 plugin. The ML2 plugin can run with the OVS, LinuxBridge, or Hyper-V agents on compute hosts. A simple way to configure the ml2 plugin is shown below:
+DevStack also supports configuring the Neutron ML2 plugin. The ML2 plugin
+can run with the OVS, LinuxBridge, or Hyper-V agents on compute hosts. A
+simple way to configure the ml2 plugin is shown below:
 
     # VLAN configuration
     Q_PLUGIN=ml2
@@ -179,7 +210,9 @@
     Q_PLUGIN=ml2
     Q_ML2_TENANT_NETWORK_TYPE=vxlan
 
-The above will default in devstack to using the OVS on each compute host. To change this, set the `Q_AGENT` variable to the agent you want to run (e.g. linuxbridge).
+The above will default in DevStack to using the OVS on each compute host.
+To change this, set the `Q_AGENT` variable to the agent you want to run
+(e.g. linuxbridge).
 
     Variable Name                    Notes
     -------------------------------------------------------------------------------------
@@ -194,13 +227,13 @@
 # Heat
 
 Heat is disabled by default. To enable it you'll need the following settings
-in your `localrc` :
+in your `localrc` section:
 
     enable_service heat h-api h-api-cfn h-api-cw h-eng
 
 Heat can also run in standalone mode, and be configured to orchestrate
 on an external OpenStack cloud. To launch only Heat in standalone mode
-you'll need the following settings in your `localrc` :
+you'll need the following settings in your `localrc` section:
 
     disable_all_services
     enable_service rabbit mysql heat h-api h-api-cfn h-api-cw h-eng
@@ -215,9 +248,23 @@
     $ cd /opt/stack/tempest
     $ nosetests tempest/scenario/test_network_basic_ops.py
 
+# DevStack on Xenserver
+
+If you would like to use Xenserver as the hypervisor, please refer to the instructions in `./tools/xen/README.md`.
+
+# DevStack on Docker
+
+If you would like to use Docker as the hypervisor, please refer to the instructions in `./tools/docker/README.md`.
+
 # Additional Projects
 
-DevStack has a hook mechanism to call out to a dispatch script at specific points in the execution if `stack.sh`, `unstack.sh` and `clean.sh`.  This allows higher-level projects, especially those that the lower level projects have no dependency on, to be added to DevStack without modifying the scripts.  Tempest is built this way as an example of how to structure the dispatch script, see `extras.d/80-tempest.sh`.  See `extras.d/README.md` for more information.
+DevStack has a hook mechanism to call out to a dispatch script at specific
+points in the execution of `stack.sh`, `unstack.sh` and `clean.sh`.  This
+allows upper-layer projects, especially those that the lower layer projects
+have no dependency on, to be added to DevStack without modifying the core
+scripts.  Tempest is built this way as an example of how to structure the
+dispatch script, see `extras.d/80-tempest.sh`.  See `extras.d/README.md`
+for more information.
 
 # Multi-Node Setup
 
@@ -232,7 +279,8 @@
     enable_service q-meta
     enable_service neutron
 
-You likely want to change your `localrc` to run a scheduler that will balance VMs across hosts:
+You likely want to change your `localrc` section to run a scheduler that
+will balance VMs across hosts:
 
     SCHEDULER=nova.scheduler.simple.SimpleScheduler
 
@@ -249,7 +297,7 @@
 
 Cells is a new scaling option with a full spec at http://wiki.openstack.org/blueprint-nova-compute-cells.
 
-To setup a cells environment add the following to your `localrc`:
+To setup a cells environment add the following to your `localrc` section:
 
     enable_service n-cell
 
@@ -264,32 +312,41 @@
 
 The new config file ``local.conf`` is an extended-INI format that introduces a new meta-section header that provides some additional information such as a phase name and destination config filename:
 
-  [[ <phase> | <filename> ]]
+    [[ <phase> | <config-file-name> ]]
 
-where <phase> is one of a set of phase names defined by ``stack.sh`` and <filename> is the project config filename.  The filename is eval'ed in the stack.sh context so all environment variables are available and may be used.  Using the project config file variables in the header is strongly suggested (see example of NOVA_CONF below).  If the path of the config file does not exist it is skipped.
+where ``<phase>`` is one of a set of phase names defined by ``stack.sh``
+and ``<config-file-name>`` is the configuration filename.  The filename is
+eval'ed in the ``stack.sh`` context so all environment variables are
+available and may be used.  Using the project config file variables in
+the header is strongly suggested (see the ``NOVA_CONF`` example below).
+If the path of the config file does not exist it is skipped.
 
 The defined phases are:
 
-* local - extracts ``localrc`` from ``local.conf`` before ``stackrc`` is sourced
-* post-config - runs after the layer 2 services are configured and before they are started
-* extra - runs after services are started and before any files in ``extra.d`` are executes
+* **local** - extracts ``localrc`` from ``local.conf`` before ``stackrc`` is sourced
+* **post-config** - runs after the layer 2 services are configured and before they are started
+* **extra** - runs after services are started and before any files in ``extra.d`` are executed
 
 The file is processed strictly in sequence; meta-sections may be specified more than once but if any settings are duplicated the last to appear in the file will be used.
 
-  [[post-config|$NOVA_CONF]]
-  [DEFAULT]
-  use_syslog = True
+    [[post-config|$NOVA_CONF]]
+    [DEFAULT]
+    use_syslog = True
 
-  [osapi_v3]
-  enabled = False
+    [osapi_v3]
+    enabled = False
 
-A specific meta-section ``local:localrc`` is used to provide a default localrc file.  This allows all custom settings for DevStack to be contained in a single file.  ``localrc`` is not overwritten if it exists to preserve compatability.
+A specific meta-section ``local|localrc`` is used to provide a default
+``localrc`` file (actually ``.localrc.auto``).  This allows all custom
+settings for DevStack to be contained in a single file.  If ``localrc``
+exists it will be used instead to preserve backward-compatibility.
 
-  [[local|localrc]]
-  FIXED_RANGE=10.254.1.0/24
-  ADMIN_PASSWORD=speciale
-  LOGFILE=$DEST/logs/stack.sh.log
+    [[local|localrc]]
+    FIXED_RANGE=10.254.1.0/24
+    ADMIN_PASSWORD=speciale
+    LOGFILE=$DEST/logs/stack.sh.log
 
-Note that ``Q_PLUGIN_CONF_FILE`` is unique in that it is assumed to _NOT_ start with a ``/`` (slash) character.  A slash will need to be added:
+Note that ``Q_PLUGIN_CONF_FILE`` is unique in that it is assumed to *NOT*
+start with a ``/`` (slash) character.  A slash will need to be added:
 
-  [[post-config|/$Q_PLUGIN_CONF_FILE]]
+    [[post-config|/$Q_PLUGIN_CONF_FILE]]
diff --git a/exercises/aggregates.sh b/exercises/aggregates.sh
index e2baecd..e5fc7de 100755
--- a/exercises/aggregates.sh
+++ b/exercises/aggregates.sh
@@ -100,7 +100,7 @@
 META_DATA_3_KEY=bar
 
 #ensure no additional metadata is set
-nova aggregate-details $AGGREGATE_ID | egrep "{u'availability_zone': u'$AGGREGATE_A_ZONE'}|{}"
+nova aggregate-details $AGGREGATE_ID | egrep "\|[{u ]*'availability_zone.+$AGGREGATE_A_ZONE'[ }]*\|"
 
 nova aggregate-set-metadata $AGGREGATE_ID ${META_DATA_1_KEY}=123
 nova aggregate-details $AGGREGATE_ID | grep $META_DATA_1_KEY
@@ -117,7 +117,7 @@
 nova aggregate-details $AGGREGATE_ID | grep $META_DATA_2_KEY && die $LINENO "ERROR metadata was not cleared"
 
 nova aggregate-set-metadata $AGGREGATE_ID $META_DATA_3_KEY $META_DATA_1_KEY
-nova aggregate-details $AGGREGATE_ID | egrep "{u'availability_zone': u'$AGGREGATE_A_ZONE'}|{}"
+nova aggregate-details $AGGREGATE_ID | egrep "\|[{u ]*'availability_zone.+$AGGREGATE_A_ZONE'[ }]*\|"
 
 
 # Test aggregate-add/remove-host
diff --git a/exercises/neutron-adv-test.sh b/exercises/neutron-adv-test.sh
index abb29cf..e0c37ef 100755
--- a/exercises/neutron-adv-test.sh
+++ b/exercises/neutron-adv-test.sh
@@ -102,6 +102,7 @@
 # and save it.
 
 TOKEN=`keystone token-get | grep ' id ' | awk '{print $4}'`
+die_if_not_set $LINENO TOKEN "Keystone fail to get token"
 
 # Various functions
 # -----------------
diff --git a/extras.d/README.md b/extras.d/README.md
index 591e438..88e4265 100644
--- a/extras.d/README.md
+++ b/extras.d/README.md
@@ -10,12 +10,11 @@
 names start with a two digit sequence number.  DevStack reserves the sequence
 numbers 00 through 09 and 90 through 99 for its own use.
 
-The scripts are sourced at each hook point so they should not declare anything
-at the top level that would cause a problem, specifically, functions.  This does
-allow the entire `stack.sh` variable space to be available.  The scripts are
+The scripts are sourced at the beginning of each script that calls them. The
+entire `stack.sh` variable space is available.  The scripts are
 sourced with one or more arguments, the first of which defines the hook phase:
 
-arg 1: source | stack | unstack | clean
+    source | stack | unstack | clean
 
     source: always called first in any of the scripts, used to set the
         initial defaults in a lib/* script or similar
diff --git a/functions b/functions
index d969677..4afebe0 100644
--- a/functions
+++ b/functions
@@ -713,7 +713,8 @@
     local section=$2
     local option=$3
     local value=$4
-    if ! grep -q "^\[$section\]" "$file"; then
+
+    if ! grep -q "^\[$section\]" "$file" 2>/dev/null; then
         # Add section at the end
         echo -e "\n[$section]" >>"$file"
     fi
diff --git a/lib/baremetal b/lib/baremetal
index 52af420..f4d8589 100644
--- a/lib/baremetal
+++ b/lib/baremetal
@@ -449,8 +449,10 @@
        "$mac_1" \
        | grep ' id ' | get_field 2 )
     [ $? -eq 0 ] || [ "$id" ] || die $LINENO "Error adding baremetal node"
-    id2=$(nova baremetal-interface-add "$id" "$mac_2" )
-    [ $? -eq 0 ] || [ "$id2" ] || die $LINENO "Error adding interface to barmetal node $id"
+    if [ -n "$mac_2" ]; then
+        id2=$(nova baremetal-interface-add "$id" "$mac_2" )
+        [ $? -eq 0 ] || [ "$id2" ] || die $LINENO "Error adding interface to barmetal node $id"
+    fi
 }
 
 
diff --git a/lib/cinder b/lib/cinder
index 220488a..f6f137c 100644
--- a/lib/cinder
+++ b/lib/cinder
@@ -202,15 +202,25 @@
     sudo mv $TEMPFILE /etc/sudoers.d/cinder-rootwrap
 
     cp $CINDER_DIR/etc/cinder/api-paste.ini $CINDER_API_PASTE_INI
-    iniset $CINDER_API_PASTE_INI filter:authtoken auth_host $KEYSTONE_AUTH_HOST
-    iniset $CINDER_API_PASTE_INI filter:authtoken auth_port $KEYSTONE_AUTH_PORT
-    iniset $CINDER_API_PASTE_INI filter:authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL
-    iniset $CINDER_API_PASTE_INI filter:authtoken admin_tenant_name $SERVICE_TENANT_NAME
-    iniset $CINDER_API_PASTE_INI filter:authtoken admin_user cinder
-    iniset $CINDER_API_PASTE_INI filter:authtoken admin_password $SERVICE_PASSWORD
-    iniset $CINDER_API_PASTE_INI filter:authtoken signing_dir $CINDER_AUTH_CACHE_DIR
+
+    inicomment $CINDER_API_PASTE_INI filter:authtoken auth_host
+    inicomment $CINDER_API_PASTE_INI filter:authtoken auth_port
+    inicomment $CINDER_API_PASTE_INI filter:authtoken auth_protocol
+    inicomment $CINDER_API_PASTE_INI filter:authtoken admin_tenant_name
+    inicomment $CINDER_API_PASTE_INI filter:authtoken admin_user
+    inicomment $CINDER_API_PASTE_INI filter:authtoken admin_password
+    inicomment $CINDER_API_PASTE_INI filter:authtoken signing_dir
 
     cp $CINDER_DIR/etc/cinder/cinder.conf.sample $CINDER_CONF
+
+    iniset $CINDER_CONF keystone_authtoken auth_host $KEYSTONE_AUTH_HOST
+    iniset $CINDER_CONF keystone_authtoken auth_port $KEYSTONE_AUTH_PORT
+    iniset $CINDER_CONF keystone_authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL
+    iniset $CINDER_CONF keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME
+    iniset $CINDER_CONF keystone_authtoken admin_user cinder
+    iniset $CINDER_CONF keystone_authtoken admin_password $SERVICE_PASSWORD
+    iniset $CINDER_CONF keystone_authtoken signing_dir $CINDER_AUTH_CACHE_DIR
+
     iniset $CINDER_CONF DEFAULT auth_strategy keystone
     iniset $CINDER_CONF DEFAULT debug $ENABLE_DEBUG_LOG_LEVEL
     iniset $CINDER_CONF DEFAULT verbose True
diff --git a/lib/ironic b/lib/ironic
index f3b4a72..89d0edc 100644
--- a/lib/ironic
+++ b/lib/ironic
@@ -11,6 +11,7 @@
 # ``stack.sh`` calls the entry points in this order:
 #
 # install_ironic
+# install_ironicclient
 # configure_ironic
 # init_ironic
 # start_ironic
@@ -27,6 +28,7 @@
 
 # Set up default directories
 IRONIC_DIR=$DEST/ironic
+IRONICCLIENT_DIR=$DEST/python-ironicclient
 IRONIC_AUTH_CACHE_DIR=${IRONIC_AUTH_CACHE_DIR:-/var/cache/ironic}
 IRONIC_CONF_DIR=${IRONIC_CONF_DIR:-/etc/ironic}
 IRONIC_CONF_FILE=$IRONIC_CONF_DIR/ironic.conf
@@ -45,6 +47,18 @@
 # Functions
 # ---------
 
+# install_ironic() - Collect source and prepare
+function install_ironic() {
+    git_clone $IRONIC_REPO $IRONIC_DIR $IRONIC_BRANCH
+    setup_develop $IRONIC_DIR
+}
+
+# install_ironicclient() - Collect sources and prepare
+function install_ironicclient() {
+    git_clone $IRONICCLIENT_REPO $IRONICCLIENT_DIR $IRONICCLIENT_BRANCH
+    setup_develop $IRONICCLIENT_DIR
+}
+
 # cleanup_ironic() - Remove residual data files, anything left over from previous
 # runs that would need to clean up.
 function cleanup_ironic() {
@@ -170,12 +184,6 @@
     create_ironic_accounts
 }
 
-# install_ironic() - Collect source and prepare
-function install_ironic() {
-    git_clone $IRONIC_REPO $IRONIC_DIR $IRONIC_BRANCH
-    setup_develop $IRONIC_DIR
-}
-
 # start_ironic() - Start running processes, including screen
 function start_ironic() {
     # Start Ironic API server, if enabled.
diff --git a/lib/neutron_plugins/midonet b/lib/neutron_plugins/midonet
index 193055f..074f847 100644
--- a/lib/neutron_plugins/midonet
+++ b/lib/neutron_plugins/midonet
@@ -37,6 +37,18 @@
     iniset $Q_DHCP_CONF_FILE DEFAULT interface_driver $DHCP_INTERFACE_DRIVER
     iniset $Q_DHCP_CONF_FILE DEFAULT use_namespaces True
     iniset $Q_DHCP_CONF_FILE DEFAULT enable_isolated_metadata True
+    if [[ "$MIDONET_API_URI" != "" ]]; then
+        iniset $Q_DHCP_CONF_FILE MIDONET midonet_uri "$MIDONET_API_URI"
+    fi
+    if [[ "$MIDONET_USERNAME" != "" ]]; then
+        iniset $Q_DHCP_CONF_FILE MIDONET username "$MIDONET_USERNAME"
+    fi
+    if [[ "$MIDONET_PASSWORD" != "" ]]; then
+        iniset $Q_DHCP_CONF_FILE MIDONET password "$MIDONET_PASSWORD"
+    fi
+    if [[ "$MIDONET_PROJECT_ID" != "" ]]; then
+        iniset $Q_DHCP_CONF_FILE MIDONET project_id "$MIDONET_PROJECT_ID"
+    fi
 }
 
 function neutron_plugin_configure_l3_agent() {
diff --git a/lib/neutron_plugins/ovs_base b/lib/neutron_plugins/ovs_base
index 2666d8e..1214f3b 100644
--- a/lib/neutron_plugins/ovs_base
+++ b/lib/neutron_plugins/ovs_base
@@ -73,13 +73,7 @@
 }
 
 function _neutron_ovs_base_configure_nova_vif_driver() {
-    # The hybrid VIF driver needs to be specified when Neutron Security Group
-    # is enabled (until vif_security attributes are supported in VIF extension)
-    if [[ "$Q_USE_SECGROUP" == "True" ]]; then
-        NOVA_VIF_DRIVER=${NOVA_VIF_DRIVER:-"nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver"}
-    else
-        NOVA_VIF_DRIVER=${NOVA_VIF_DRIVER:-"nova.virt.libvirt.vif.LibvirtGenericVIFDriver"}
-    fi
+    NOVA_VIF_DRIVER=${NOVA_VIF_DRIVER:-"nova.virt.libvirt.vif.LibvirtGenericVIFDriver"}
 }
 
 # Restore xtrace
diff --git a/lib/neutron_thirdparty/nicira b/lib/neutron_thirdparty/nicira
index 5a20934..3f2a5af 100644
--- a/lib/neutron_thirdparty/nicira
+++ b/lib/neutron_thirdparty/nicira
@@ -18,22 +18,38 @@
 # to an network that allows it to talk to the gateway for
 # testing purposes
 NVP_GATEWAY_NETWORK_INTERFACE=${NVP_GATEWAY_NETWORK_INTERFACE:-eth2}
+# Re-declare floating range as it's needed also in stop_nicira, which
+# is invoked by unstack.sh
+FLOATING_RANGE=${FLOATING_RANGE:-172.24.4.224/28}
 
 function configure_nicira() {
     :
 }
 
 function init_nicira() {
-    die_if_not_set $LINENO NVP_GATEWAY_NETWORK_CIDR "Please, specify CIDR for the gateway network interface."
+    if ! is_set NVP_GATEWAY_NETWORK_CIDR; then
+        NVP_GATEWAY_NETWORK_CIDR=$PUBLIC_NETWORK_GATEWAY/${FLOATING_RANGE#*/}
+        echo "The IP address to set on br-ex was not specified. "
+        echo "Defaulting to "$NVP_GATEWAY_NETWORK_CIDR
+    fi
     # Make sure the interface is up, but not configured
-    sudo ifconfig $NVP_GATEWAY_NETWORK_INTERFACE up
+    sudo ip link dev $NVP_GATEWAY_NETWORK_INTERFACE set up
+    # Save and then flush the IP addresses on the interface
+    addresses=$(ip addr show dev $NVP_GATEWAY_NETWORK_INTERFACE | grep inet | awk {'print $2'})
     sudo ip addr flush $NVP_GATEWAY_NETWORK_INTERFACE
     # Use the PUBLIC Bridge to route traffic to the NVP gateway
     # NOTE(armando-migliaccio): if running in a nested environment this will work
     # only with mac learning enabled, portsecurity and security profiles disabled
+    # The public bridge might not exist for the NVP plugin if Q_USE_DEBUG_COMMAND is off
+    # Try to create it anyway
+    sudo ovs-vsctl --no-wait -- --may-exist add-br $PUBLIC_BRIDGE
     sudo ovs-vsctl -- --may-exist add-port $PUBLIC_BRIDGE $NVP_GATEWAY_NETWORK_INTERFACE
     nvp_gw_net_if_mac=$(ip link show $NVP_GATEWAY_NETWORK_INTERFACE | awk '/ether/ {print $2}')
-    sudo ifconfig $PUBLIC_BRIDGE $NVP_GATEWAY_NETWORK_CIDR hw ether $nvp_gw_net_if_mac
+    sudo ip link dev $PUBLIC_BRIDGE set address $nvp_gw_net_if_mac
+    for address in $addresses; do
+        sudo ip addr add dev $PUBLIC_BRIDGE $address
+    done
+    sudo ip addr add dev $PUBLIC_BRIDGE $NVP_GATEWAY_NETWORK_CIDR
 }
 
 function install_nicira() {
@@ -45,7 +61,21 @@
 }
 
 function stop_nicira() {
-    :
+    if ! is_set NVP_GATEWAY_NETWORK_CIDR; then
+        NVP_GATEWAY_NETWORK_CIDR=$PUBLIC_NETWORK_GATEWAY/${FLOATING_RANGE#*/}
+        echo "The IP address expected on br-ex was not specified. "
+        echo "Defaulting to "$NVP_GATEWAY_NETWORK_CIDR
+    fi
+    sudo ip addr del $NVP_GATEWAY_NETWORK_CIDR dev $PUBLIC_BRIDGE
+    # Save and then flush remaining addresses on the interface
+    addresses=$(ip addr show dev $PUBLIC_BRIDGE | grep inet | awk {'print $2'})
+    sudo ip addr flush $PUBLIC_BRIDGE
+    # Try to detach physical interface from PUBLIC_BRIDGE
+    sudo ovs-vsctl del-port $NVP_GATEWAY_NETWORK_INTERFACE
+    # Restore addresses on NVP_GATEWAY_NETWORK_INTERFACE
+    for address in $addresses; do
+        sudo ip addr add dev $NVP_GATEWAY_NETWORK_INTERFACE $address
+    done
 }
 
 # Restore xtrace
diff --git a/lib/nova b/lib/nova
index 8deb3a0..09332cf 100644
--- a/lib/nova
+++ b/lib/nova
@@ -212,26 +212,24 @@
     configure_nova_rootwrap
 
     if is_service_enabled n-api; then
-        # Use the sample http middleware configuration supplied in the
-        # Nova sources.  This paste config adds the configuration required
-        # for Nova to validate Keystone tokens.
-
         # Remove legacy paste config if present
         rm -f $NOVA_DIR/bin/nova-api-paste.ini
 
         # Get the sample configuration file in place
         cp $NOVA_DIR/etc/nova/api-paste.ini $NOVA_CONF_DIR
 
-        iniset $NOVA_API_PASTE_INI filter:authtoken auth_host $KEYSTONE_AUTH_HOST
+        # Comment out the keystone configs in Nova's api-paste.ini.
+        # We are using nova.conf to configure this instead.
+        inicomment $NOVA_API_PASTE_INI filter:authtoken auth_host
         if is_service_enabled tls-proxy; then
-            iniset $NOVA_API_PASTE_INI filter:authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL
+            inicomment $NOVA_API_PASTE_INI filter:authtoken auth_protocol
         fi
-        iniset $NOVA_API_PASTE_INI filter:authtoken admin_tenant_name $SERVICE_TENANT_NAME
-        iniset $NOVA_API_PASTE_INI filter:authtoken admin_user nova
-        iniset $NOVA_API_PASTE_INI filter:authtoken admin_password $SERVICE_PASSWORD
+        inicomment $NOVA_API_PASTE_INI filter:authtoken admin_tenant_name
+        inicomment $NOVA_API_PASTE_INI filter:authtoken admin_user
+        inicomment $NOVA_API_PASTE_INI filter:authtoken admin_password
     fi
 
-    iniset $NOVA_API_PASTE_INI filter:authtoken signing_dir $NOVA_AUTH_CACHE_DIR
+    inicomment $NOVA_API_PASTE_INI filter:authtoken signing_dir
 
     if is_service_enabled n-cpu; then
         # Force IP forwarding on, just on case
@@ -379,6 +377,7 @@
     iniset $NOVA_CONF DEFAULT ec2_workers "4"
     iniset $NOVA_CONF DEFAULT metadata_workers "4"
     iniset $NOVA_CONF DEFAULT sql_connection `database_connection_url nova`
+    iniset $NOVA_CONF DEFAULT fatal_deprecations "True"
     iniset $NOVA_CONF DEFAULT instance_name_template "${INSTANCE_NAME_PREFIX}%08x"
     iniset $NOVA_CONF osapi_v3 enabled "True"
 
@@ -394,7 +393,20 @@
             # Set the service port for a proxy to take the original
             iniset $NOVA_CONF DEFAULT osapi_compute_listen_port "$NOVA_SERVICE_PORT_INT"
         fi
+
+        # Add keystone authtoken configuration
+
+        iniset $NOVA_CONF keystone_authtoken auth_host $KEYSTONE_AUTH_HOST
+        if is_service_enabled tls-proxy; then
+            iniset $NOVA_CONF keystone_authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL
+        fi
+        iniset $NOVA_CONF keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME
+        iniset $NOVA_CONF keystone_authtoken admin_user nova
+        iniset $NOVA_CONF keystone_authtoken admin_password $SERVICE_PASSWORD
     fi
+
+    iniset $NOVA_CONF keystone_authtoken signing_dir $NOVA_AUTH_CACHE_DIR
+
     if is_service_enabled cinder; then
         iniset $NOVA_CONF DEFAULT volume_api_class "nova.volume.cinder.API"
     fi
@@ -599,20 +611,10 @@
     fi
 }
 
-# start_nova() - Start running processes, including screen
-function start_nova() {
+# start_nova_compute() - Start the compute process
+function start_nova_compute() {
     NOVA_CONF_BOTTOM=$NOVA_CONF
 
-    # ``screen_it`` checks ``is_service_enabled``, it is not needed here
-    screen_it n-cond "cd $NOVA_DIR && $NOVA_BIN_DIR/nova-conductor"
-
-    if is_service_enabled n-cell; then
-        NOVA_CONF_BOTTOM=$NOVA_CELLS_CONF
-        screen_it n-cond "cd $NOVA_DIR && $NOVA_BIN_DIR/nova-conductor --config-file $NOVA_CELLS_CONF"
-        screen_it n-cell-region "cd $NOVA_DIR && $NOVA_BIN_DIR/nova-cells --config-file $NOVA_CONF"
-        screen_it n-cell-child "cd $NOVA_DIR && $NOVA_BIN_DIR/nova-cells --config-file $NOVA_CELLS_CONF"
-    fi
-
     if [[ "$VIRT_DRIVER" = 'libvirt' ]]; then
         # The group **$LIBVIRT_GROUP** is added to the current user in this script.
         # Use 'sg' to execute nova-compute as a member of the **$LIBVIRT_GROUP** group.
@@ -628,6 +630,22 @@
         fi
         screen_it n-cpu "cd $NOVA_DIR && $NOVA_BIN_DIR/nova-compute --config-file $NOVA_CONF_BOTTOM"
     fi
+}
+
+# start_nova() - Start running processes, including screen
+function start_nova_rest() {
+    NOVA_CONF_BOTTOM=$NOVA_CONF
+
+    # ``screen_it`` checks ``is_service_enabled``, it is not needed here
+    screen_it n-cond "cd $NOVA_DIR && $NOVA_BIN_DIR/nova-conductor"
+
+    if is_service_enabled n-cell; then
+        NOVA_CONF_BOTTOM=$NOVA_CELLS_CONF
+        screen_it n-cond "cd $NOVA_DIR && $NOVA_BIN_DIR/nova-conductor --config-file $NOVA_CELLS_CONF"
+        screen_it n-cell-region "cd $NOVA_DIR && $NOVA_BIN_DIR/nova-cells --config-file $NOVA_CONF"
+        screen_it n-cell-child "cd $NOVA_DIR && $NOVA_BIN_DIR/nova-cells --config-file $NOVA_CELLS_CONF"
+    fi
+
     screen_it n-crt "cd $NOVA_DIR && $NOVA_BIN_DIR/nova-cert"
     screen_it n-net "cd $NOVA_DIR && $NOVA_BIN_DIR/nova-network --config-file $NOVA_CONF_BOTTOM"
     screen_it n-sch "cd $NOVA_DIR && $NOVA_BIN_DIR/nova-scheduler --config-file $NOVA_CONF_BOTTOM"
@@ -644,6 +662,11 @@
         screen_it n-obj "cd $NOVA_DIR && $NOVA_BIN_DIR/nova-objectstore"
 }
 
+function start_nova() {
+    start_nova_compute
+    start_nova_rest
+}
+
 # stop_nova() - Stop running processes (non-screen)
 function stop_nova() {
     # Kill the nova screen windows
diff --git a/lib/nova_plugins/hypervisor-docker b/lib/nova_plugins/hypervisor-docker
index 4c8fc27..427554b 100644
--- a/lib/nova_plugins/hypervisor-docker
+++ b/lib/nova_plugins/hypervisor-docker
@@ -72,7 +72,7 @@
     fi
 
     # Make sure Docker is installed
-    if ! is_package_installed lxc-docker; then
+    if ! is_package_installed lxc-docker-${DOCKER_PACKAGE_VERSION}; then
         die $LINENO "Docker is not installed.  Please run tools/docker/install_docker.sh"
     fi
 
diff --git a/lib/rpc_backend b/lib/rpc_backend
index 63edc07..44c1e44 100644
--- a/lib/rpc_backend
+++ b/lib/rpc_backend
@@ -63,7 +63,7 @@
     if is_service_enabled rabbit; then
         # Obliterate rabbitmq-server
         uninstall_package rabbitmq-server
-        sudo killall epmd
+        sudo killall epmd || sudo killall -9 epmd
         if is_ubuntu; then
             # And the Erlang runtime too
             sudo aptitude purge -y ~nerlang
@@ -86,10 +86,6 @@
         else
             exit_distro_not_supported "zeromq installation"
         fi
-
-        # Necessary directory for socket location.
-        sudo mkdir -p /var/run/openstack
-        sudo chown $STACK_USER /var/run/openstack
     fi
 }
 
diff --git a/lib/tempest b/lib/tempest
index bc0b18d..9f41608 100644
--- a/lib/tempest
+++ b/lib/tempest
@@ -266,7 +266,7 @@
     iniset $TEMPEST_CONF boto ssh_user ${DEFAULT_INSTANCE_USER:-cirros}
 
     # Orchestration test image
-    if [ $HEAT_CREATE_TEST_IMAGE == "True" ]; then
+    if [[ "$HEAT_CREATE_TEST_IMAGE" = "True" ]]; then
         disk_image_create /usr/share/tripleo-image-elements "vm fedora heat-cfntools" "i386" "fedora-vm-heat-cfntools-tempest"
         iniset $TEMPEST_CONF orchestration image_ref "fedora-vm-heat-cfntools-tempest"
     fi
diff --git a/stack.sh b/stack.sh
index 89a03b5..f014e8f 100755
--- a/stack.sh
+++ b/stack.sh
@@ -53,7 +53,7 @@
             if [[ -r $TOP_DIR/localrc ]]; then
                 warn $LINENO "localrc and local.conf:[[local]] both exist, using localrc"
             else
-                echo "# Generated file, do not exit" >$TOP_DIR/.localrc.auto
+                echo "# Generated file, do not edit" >$TOP_DIR/.localrc.auto
                 get_meta_section $TOP_DIR/local.conf local $lfile >>$TOP_DIR/.localrc.auto
             fi
         fi
@@ -588,7 +588,9 @@
 source $TOP_DIR/tools/install_prereqs.sh
 
 # Configure an appropriate python environment
-$TOP_DIR/tools/install_pip.sh
+if [[ "$OFFLINE" != "True" ]]; then
+    $TOP_DIR/tools/install_pip.sh
+fi
 
 # Do the ugly hacks for borken packages and distros
 $TOP_DIR/tools/fixup_stuff.sh
@@ -732,6 +734,7 @@
 
 if is_service_enabled ir-api ir-cond; then
     install_ironic
+    install_ironicclient
     configure_ironic
 fi
 
@@ -1174,6 +1177,7 @@
 
 if is_service_enabled g-reg; then
     TOKEN=$(keystone token-get | grep ' id ' | get_field 2)
+    die_if_not_set $LINENO TOKEN "Keystone fail to get token"
 
     if is_baremetal; then
        echo_summary "Creating and uploading baremetal images"
diff --git a/stackrc b/stackrc
index 3f740b5..0151672 100644
--- a/stackrc
+++ b/stackrc
@@ -104,6 +104,10 @@
 IRONIC_REPO=${IRONIC_REPO:-${GIT_BASE}/openstack/ironic.git}
 IRONIC_BRANCH=${IRONIC_BRANCH:-master}
 
+# ironic client
+IRONICCLIENT_REPO=${IRONICCLIENT_REPO:-${GIT_BASE}/openstack/python-ironicclient.git}
+IRONICCLIENT_BRANCH=${IRONICCLIENT_BRANCH:-master}
+
 # unified auth system (manages accounts/tokens)
 KEYSTONE_REPO=${KEYSTONE_REPO:-${GIT_BASE}/openstack/keystone.git}
 KEYSTONE_BRANCH=${KEYSTONE_BRANCH:-master}
diff --git a/tools/create-stack-user.sh b/tools/create-stack-user.sh
old mode 100644
new mode 100755
diff --git a/tools/docker/install_docker.sh b/tools/docker/install_docker.sh
index 289002e..483955b 100755
--- a/tools/docker/install_docker.sh
+++ b/tools/docker/install_docker.sh
@@ -38,7 +38,7 @@
 install_package python-software-properties && \
     sudo sh -c "echo deb $DOCKER_APT_REPO docker main > /etc/apt/sources.list.d/docker.list"
 apt_get update
-install_package --force-yes lxc-docker=${DOCKER_PACKAGE_VERSION} socat
+install_package --force-yes lxc-docker-${DOCKER_PACKAGE_VERSION} socat
 
 # Start the daemon - restart just in case the package ever auto-starts...
 restart_service docker
diff --git a/tools/upload_image.sh b/tools/upload_image.sh
index dd21c9f..d81a5c8 100755
--- a/tools/upload_image.sh
+++ b/tools/upload_image.sh
@@ -33,6 +33,7 @@
 
 # Get a token to authenticate to glance
 TOKEN=$(keystone token-get | grep ' id ' | get_field 2)
+die_if_not_set $LINENO TOKEN "Keystone fail to get token"
 
 # Glance connection info.  Note the port must be specified.
 GLANCE_HOSTPORT=${GLANCE_HOSTPORT:-$GLANCE_HOST:9292}
diff --git a/tools/xen/functions b/tools/xen/functions
index c65d919..b0b077d 100644
--- a/tools/xen/functions
+++ b/tools/xen/functions
@@ -69,11 +69,17 @@
 }
 
 function get_local_sr {
-    xe sr-list name-label="Local storage" --minimal
+    xe pool-list params=default-SR minimal=true
 }
 
 function get_local_sr_path {
-    echo "/var/run/sr-mount/$(get_local_sr)"
+    pbd_path="/var/run/sr-mount/$(get_local_sr)"
+    pbd_device_config_path=`xe pbd-list sr-uuid=$(get_local_sr) params=device-config | grep " path: "`
+    if [ -n "$pbd_device_config_path" ]; then
+        pbd_uuid=`xe pbd-list sr-uuid=$(get_local_sr) minimal=true`
+        pbd_path=`xe pbd-param-get uuid=$pbd_uuid param-name=device-config param-key=path || echo ""`
+    fi
+    echo $pbd_path
 }
 
 function find_ip_by_name() {