diff --git a/files/httpd/apachestatus.conf b/files/httpd/apachestatus.conf
index 41255f4deb..cfd499349f 100644
--- a/files/httpd/apachestatus.conf
+++ b/files/httpd/apachestatus.conf
@@ -2,10 +2,13 @@ ExtendedStatus on
 
 <Location /apache-status>
     SetHandler server-status
+    <IfModule mod_authz_core.c>
+    # Apache 2.4
     <RequireAny>
         Require ip 127.0.0.1
 	Require ip ::1
 	Require host localhost
 	Require valid-user
     </RequireAny>
+    </IfModule>
 </Location>
diff --git a/files/httpd/h2.conf.j2 b/files/httpd/h2.conf.j2
index 2627ea8a32..0f36485f40 100644
--- a/files/httpd/h2.conf.j2
+++ b/files/httpd/h2.conf.j2
@@ -1 +1 @@
-Protocols h2 {% if not inventory_hostname.startswith('proxy') %} h2c {% endif %} http/1.1
+#Protocols h2 {% if not inventory_hostname.startswith('proxy') %} h2c {% endif %} http/1.1
diff --git a/handlers/restart_services.yml b/handlers/restart_services.yml
index 93e20433dd..53a3495aa5 100644
--- a/handlers/restart_services.yml
+++ b/handlers/restart_services.yml
@@ -20,7 +20,7 @@
 - name: restart fedmsg-hub
   command: /usr/local/bin/conditional-restart.sh fedmsg-hub fedmsg-hub
   # Note that, we're cool with arbitrary restarts on bodhi-backend02, just
-  # not bodhi-backend01 or bodhi-backend03.  01 and 03 is where the releng/mash 
+  # not bodhi-backend01 or bodhi-backend03.  01 and 03 is where the releng/mash
   # stuff happens and we # don't want to interrupt that.
   when: inventory_hostname not in ['bodhi-backend01.phx2.fedoraproject.org', 'bodhi-backend03.phx2.fedoraproject.org']
 
@@ -180,3 +180,5 @@
 - name: restart darkserver
   service: name=darkserver state=restarted
 
+- name: restart buildmaster
+  service: name=buildmaster state=restarted
diff --git a/inventory/group_vars/all b/inventory/group_vars/all
index 1adcf0d772..2e13911491 100644
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@@ -78,7 +78,7 @@ virt_install_command_one_nic: virt-install -n {{ inventory_hostname }}
                   hostname={{ inventory_hostname }} nameserver={{ dns }}
                   ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none'
                  --network bridge={{ main_bridge }},model=virtio
-                 --autostart --noautoconsole --watchdog default
+                 --autostart --noautoconsole --watchdog default --cpu host
 
 virt_install_command_two_nic: virt-install -n {{ inventory_hostname }}
                  --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio
@@ -89,7 +89,7 @@ virt_install_command_two_nic: virt-install -n {{ inventory_hostname }}
                   ip={{ eth0_ip }}::{{ gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none
                   ip={{ eth1_ip }}:::{{ nm }}:{{ inventory_hostname }}-nfs:eth1:none'
                  --network bridge={{ main_bridge }},model=virtio --network=bridge={{ nfs_bridge }},model=virtio
-                 --autostart --noautoconsole --watchdog default
+                 --autostart --noautoconsole --watchdog default --cpu host
 
 virt_install_command_aarch64_one_nic: virt-install -n {{ inventory_hostname }}
                  --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio
@@ -128,7 +128,7 @@ virt_install_command_rhel6: virt-install -n {{ inventory_hostname }}
                  --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x
                  "ksdevice=eth0 ks={{ ks_url }} ip={{ eth0_ip }} netmask={{ nm }}
                   gateway={{ gw }} dns={{ dns }} console=tty0 console=ttyS0
-                  hostname={{ inventory_hostname }}"
+                  hostname={{ inventory_hostname }}" --cpu host
                  --network=bridge=br0 --autostart --noautoconsole --watchdog default
 
 max_mem_size: "{{ mem_size * 5 }}"
diff --git a/inventory/group_vars/pkgs b/inventory/group_vars/pkgs
index 6e0c0e3df9..55434c1f15 100644
--- a/inventory/group_vars/pkgs
+++ b/inventory/group_vars/pkgs
@@ -66,6 +66,7 @@ fedmsg_certs:
   - git.pkgdb2branch.complete
   - git.pkgdb2branch.start
   - logger.log
+  - pagure.git.receive
 - service: scm
   owner: root
   group: packager
diff --git a/inventory/group_vars/pkgs-stg b/inventory/group_vars/pkgs-stg
index 353826b294..ca75ead3c4 100644
--- a/inventory/group_vars/pkgs-stg
+++ b/inventory/group_vars/pkgs-stg
@@ -61,6 +61,7 @@ fedmsg_certs:
   - git.mass_branch.start
   - git.pkgdb2branch.complete
   - git.pkgdb2branch.start
+  - pagure.git.receive
 - service: scm
   owner: root
   group: packager
diff --git a/inventory/group_vars/taskotron-stg-client-hosts b/inventory/group_vars/taskotron-stg-client-hosts
index a8b64350e0..6b05f10289 100644
--- a/inventory/group_vars/taskotron-stg-client-hosts
+++ b/inventory/group_vars/taskotron-stg-client-hosts
@@ -66,7 +66,7 @@ buildslave_pubkey: "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA4EOTNfPIvIjCLNRYauVquS2L
 
 buildslave_private_sshkey_file: dev-buildslave-sshkey/dev_buildslave
 buildslave_public_sshkey_file: dev-buildslave-sshkey/dev_buildslave.pub
-buildmaster_pubkey: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDuEn17zELhxb4AcN2S+3j3zcdi0MO/kK+z9iZq63dTHq+SoHyQjiOrwnvWURQvod0Q9ro9fukSlJ0yJCYv+Y7MGxqvavVDrK4oW5VhzpJzr4UpInaxMleDSHHt13NxNOVBy+Dkb4xkQGdPD472WuBdzGG5OSisaFNX/jAkVO88a/klbvJTH4AmHX+KslAhnV+SSxKt5L+zVDYXXJOBCeVNoGRiVmq2ZJQiWlwT+TGreDXCsjW1anqnV/lLoThWAi+u919ur3uFg1JBKIDHM/JRZZjyfapbTSC/1YPNpBs+KdaSZhcCngqXDmOt1Ax3TR7FXQ344KwWk3VD6gV+065B'
+buildmaster_pubkey: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDaxEBD21YcspXmr1qdbKF1BgjlJLChl6rheTMyEG/n7I6KGa43YPcaEsfxkph1y09qvwkzRakknNkLgJMiTczU+6u82EV9dQfHCO44VdYpEbCCyHfvxRWqKBXD/vr+0BKv2oa44w76fuq/bXBie6pt5URJeQIpGj8SxXSYvuJfMu9MUArSCkiJ+unrPySCic9oeec5rTvnq9nja15dCF9wHeDkzA16la+AsYiAdOjxt7AwVAjvSX6IIM8KqtGaAcs3rwaihIDnzqz+edSTEdLdtkyUVlZuVSGtdRy6LAqQzeEI3SmfEG7ABfwIINS97EVH2kTBeZlZgLnbwGOCkluV'
 
 
 ############################################################
diff --git a/inventory/host_vars/autocloud-web01.phx2.fedoraproject.org b/inventory/host_vars/autocloud-web01.phx2.fedoraproject.org
index b4e11a7eea..cb8d5fd3f6 100644
--- a/inventory/host_vars/autocloud-web01.phx2.fedoraproject.org
+++ b/inventory/host_vars/autocloud-web01.phx2.fedoraproject.org
@@ -3,8 +3,8 @@ nm: 255.255.255.0
 gw: 10.5.126.254
 dns: 10.5.126.21
 
-ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-25
-ks_repo: http://10.5.126.23/pub/fedora/linux/releases/25/Server/x86_64/os/
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/
 
 eth0_ip: 10.5.126.117
 
diff --git a/inventory/host_vars/autocloud-web02.phx2.fedoraproject.org b/inventory/host_vars/autocloud-web02.phx2.fedoraproject.org
index fae8fb456a..e5beaf7279 100644
--- a/inventory/host_vars/autocloud-web02.phx2.fedoraproject.org
+++ b/inventory/host_vars/autocloud-web02.phx2.fedoraproject.org
@@ -3,8 +3,8 @@ nm: 255.255.255.0
 gw: 10.5.126.254
 dns: 10.5.126.21
 
-ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-25
-ks_repo: http://10.5.126.23/pub/fedora/linux/releases/25/Server/x86_64/os/
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-27
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/27/Server/x86_64/os/
 
 eth0_ip: 10.5.126.118
 
diff --git a/inventory/host_vars/buildvm-ppc64-01.stg.ppc.fedoraproject.org b/inventory/host_vars/buildvm-ppc64-01.stg.ppc.fedoraproject.org
index 794c213c7e..eb390996c3 100644
--- a/inventory/host_vars/buildvm-ppc64-01.stg.ppc.fedoraproject.org
+++ b/inventory/host_vars/buildvm-ppc64-01.stg.ppc.fedoraproject.org
@@ -1,5 +1,5 @@
 ---
-vmhost: ppc8-02.ppc.fedoraproject.org
+vmhost: ppc8-04.ppc.fedoraproject.org
 eth0_ip: 10.5.129.230
 gw: 10.5.129.254
 main_bridge: br1
diff --git a/playbooks/groups/buildhw.yml b/playbooks/groups/buildhw.yml
index 888c4de249..a5bfe816ea 100644
--- a/playbooks/groups/buildhw.yml
+++ b/playbooks/groups/buildhw.yml
@@ -25,6 +25,13 @@
   - role: keytab/service
     kt_location: /etc/kojid/kojid.keytab
     service: compile
+  - role: keytab/service
+    owner_user: root
+    owner_group: root
+    service: innercompose
+    host: "odcs{{ env_suffix }}.fedoraproject.org"
+    kt_location: /etc/kojid/secrets/odcs_inner.keytab
+    when: env == "staging"
 
   tasks:
   - import_tasks: "{{ tasks_path }}/2fa_client.yml"
diff --git a/playbooks/vhost_reboot.yml b/playbooks/vhost_reboot.yml
index 60d40994fd..0a2f1cc0c5 100644
--- a/playbooks/vhost_reboot.yml
+++ b/playbooks/vhost_reboot.yml
@@ -22,7 +22,7 @@
 
   tasks:
   - name: get list of guests
-    virt: command=list_vms
+    virt: command=list_vms state=running
     register: vmlist
 
 #  - name: get info on guests (prereboot)
diff --git a/roles/bodhi2/base/templates/production.ini.j2 b/roles/bodhi2/base/templates/production.ini.j2
index fc304dc561..0457af4434 100644
--- a/roles/bodhi2/base/templates/production.ini.j2
+++ b/roles/bodhi2/base/templates/production.ini.j2
@@ -122,7 +122,7 @@ pungi.conf.rpm = pungi.rpm.conf.j2
 pungi.conf.module = pungi.module.conf.j2
 pungi.labeltype = Update
 pungi.extracmdline = --notification-script=/usr/bin/pungi-fedmsg-notification --notification-script=pungi-wait-for-signed-ostree-handler
-max_concurrent_mashes = 3
+max_concurrent_mashes = 4
 
 ## Our periodic jobs
 #jobs = clean_repo nagmail fix_bug_titles cache_release_data approve_testing_updates
diff --git a/roles/copr/backend/files/provision/builderpb_nova.yml b/roles/copr/backend/files/provision/builderpb_nova.yml
index 9935aac78c..14852fa15f 100644
--- a/roles/copr/backend/files/provision/builderpb_nova.yml
+++ b/roles/copr/backend/files/provision/builderpb_nova.yml
@@ -11,7 +11,7 @@
     keypair: buildsys
     max_spawn_time: 600
     spawning_vm_user: "fedora"
-    image_name: "copr-builder-x86_64-f27"
+    image_name: "copr-builder-x86_64-f27-new-kernel"
 
   tasks:
     - name: generate builder name
diff --git a/roles/copr/backend/files/provision/builderpb_nova_ppc64le.yml b/roles/copr/backend/files/provision/builderpb_nova_ppc64le.yml
index 31d3f39386..86c42e293e 100644
--- a/roles/copr/backend/files/provision/builderpb_nova_ppc64le.yml
+++ b/roles/copr/backend/files/provision/builderpb_nova_ppc64le.yml
@@ -11,7 +11,7 @@
     keypair: buildsys
     max_spawn_time: 600
     spawning_vm_user: "fedora"
-    image_name: "copr-builder-ppc64le-f27"
+    image_name: "copr-builder-ppc64le-f27-new-kernel"
 
   tasks:
     - name: generate builder name
diff --git a/roles/httpd/website/templates/website.conf b/roles/httpd/website/templates/website.conf
index 81a476b5a5..ff5bcae024 100644
--- a/roles/httpd/website/templates/website.conf
+++ b/roles/httpd/website/templates/website.conf
@@ -33,7 +33,7 @@
   ServerAdmin {{ server_admin }}
 
 {% if ansible_distribution == 'Fedora' %}
-  Protocols h2 http/1.1
+  # Protocols h2 http/1.1
 {% endif %}
 
 {% if gzip %}
diff --git a/roles/mirrormanager/mirrorlist_proxy/templates/mirrorlist.service.j2 b/roles/mirrormanager/mirrorlist_proxy/templates/mirrorlist.service.j2
index abcac03db2..470fd9844c 100644
--- a/roles/mirrormanager/mirrorlist_proxy/templates/mirrorlist.service.j2
+++ b/roles/mirrormanager/mirrorlist_proxy/templates/mirrorlist.service.j2
@@ -8,8 +8,10 @@ TimeoutStartSec=0
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/usr/bin/docker run --rm --detach --log-driver none --name %n -v /srv/mirrorlist/data/mirrorlist{{ item }}:/var/lib/mirrormanager:z -v /var/log/mirrormanager:/var/log/mirrormanager:z -p 1808{{ item }}:80 {{ mirrorlist_container_image }} -l /var/log/mirrormanager/%n.log
-ExecStop=/usr/bin/docker stop %n
-TimeoutStopSec=30
+ExecStop=/usr/bin/docker stop --time=1 %n
+# Mirrorlist can't take a signal... but docker stop returns before it actually killed everything.
+ExecStop=/usr/bin/sleep 10
+TimeoutStopSec=180
 
 [Install]
 WantedBy=multi-user.target
diff --git a/roles/taskotron/buildmaster-configure/tasks/main.yml b/roles/taskotron/buildmaster-configure/tasks/main.yml
index ee7b84e3e4..b78644470e 100644
--- a/roles/taskotron/buildmaster-configure/tasks/main.yml
+++ b/roles/taskotron/buildmaster-configure/tasks/main.yml
@@ -18,9 +18,14 @@
 
 - name: generate buildmaster service file
   template: src=buildmaster.service.j2 dest=/lib/systemd/system/buildmaster.service owner=root group=root mode=0744
+  register: buildmaster_service
+
+- name: reload systemd
+  command: systemctl daemon-reload
+  when: buildmaster_service.changed
 
 - name: start and enable buildmaster service
-  service: name=buildmaster enabled=yes state=started
+  service: name=buildmaster enabled=yes state={{ (buildmaster_service.changed) | ternary('restarted','started') }}
 
 - name: reconfig master
   become: true
diff --git a/roles/taskotron/buildmaster-configure/templates/buildmaster.service.j2 b/roles/taskotron/buildmaster-configure/templates/buildmaster.service.j2
index 47e16fcbe4..9f7b3e33c8 100644
--- a/roles/taskotron/buildmaster-configure/templates/buildmaster.service.j2
+++ b/roles/taskotron/buildmaster-configure/templates/buildmaster.service.j2
@@ -4,7 +4,8 @@ After=network.target
 
 [Service]
 Type=forking
-PIDFile={{ buildmaster_dir }}/twistd.pid
+# disabled because of https://pagure.io/taskotron/issue/236
+#PIDFile={{ buildmaster_dir }}/twistd.pid
 ExecStart=/bin/buildbot start {{ buildmaster_dir }}
 ExecStop=/bin/buildbot stop {{ buildmaster_dir }}
 ExecReload=/bin/buildbot reconfig {{ buildmaster_dir }}
diff --git a/roles/taskotron/buildslave-configure/tasks/main.yml b/roles/taskotron/buildslave-configure/tasks/main.yml
index 5a61a13150..cc82e59357 100644
--- a/roles/taskotron/buildslave-configure/tasks/main.yml
+++ b/roles/taskotron/buildslave-configure/tasks/main.yml
@@ -40,12 +40,16 @@
 - name: generate buildslave service file
   template: src=buildslave.service.j2 dest=/lib/systemd/system/buildslave.service owner=root group=root mode=0744
   when: deployment_type in ['local', 'qa-stg']
+  register: buildslave_service
+
+- name: reload systemd
+  command: systemctl daemon-reload
+  when: deployment_type in ['local', 'qa-stg'] and buildslave_service.changed
 
 - name: start and enable buildslave service
-  service: name=buildslave enabled=yes state=started
+  service: name=buildslave enabled=yes state={{ (buildslave_service.changed) | ternary('restarted','started') }}
   when: deployment_type in ['local', 'qa-stg']
 
-
 - name: create slave
   become: true
   become_user: '{{ item.user }}'
@@ -111,9 +115,14 @@
 - name: generate buildslave service file
   template: src=buildslave@.service.j2 dest=/lib/systemd/system/buildslave@.service owner=root group=root mode=0644
   when: deployment_type in ['dev', 'stg', 'prod']
+  register: buildslave_service
+
+- name: reload systemd
+  command: systemctl daemon-reload
+  when: deployment_type in ['dev', 'stg', 'prod'] and buildslave_service.changed
 
 - name: start and enable buildslave services
-  service: name=buildslave@{{ item.user }} enabled=yes state=started
+  service: name=buildslave@{{ item.user }} enabled=yes state={{ (buildslave_service.changed) | ternary('restarted','started') }}
   with_items:
     - '{{ slaves|default([dict(user="", home="", dir="")]) }}'
   when: deployment_type in ['dev', 'stg', 'prod']
diff --git a/roles/taskotron/buildslave-configure/templates/buildslave.service.j2 b/roles/taskotron/buildslave-configure/templates/buildslave.service.j2
index e8d41a18e1..84e12ffcdc 100644
--- a/roles/taskotron/buildslave-configure/templates/buildslave.service.j2
+++ b/roles/taskotron/buildslave-configure/templates/buildslave.service.j2
@@ -4,7 +4,8 @@ After=network.target
 
 [Service]
 Type=forking
-PIDFile=/home/buildslave/slave/twistd.pid
+# disabled because of https://pagure.io/taskotron/issue/236
+#PIDFile=/home/buildslave/slave/twistd.pid
 ExecStart=/bin/buildslave start /home/buildslave/slave/
 ExecStop=/bin/buildslave stop /home/buildslave/slave/
 User=buildslave
diff --git a/roles/taskotron/buildslave-configure/templates/buildslave@.service.j2 b/roles/taskotron/buildslave-configure/templates/buildslave@.service.j2
index 9d218351dd..6c63f14b2b 100644
--- a/roles/taskotron/buildslave-configure/templates/buildslave@.service.j2
+++ b/roles/taskotron/buildslave-configure/templates/buildslave@.service.j2
@@ -4,13 +4,15 @@ After=network.target
 
 [Service]
 Type=forking
-{% if deployment_type in ['stg', 'prod'] %}
-PIDFile=/home/%i/slave/twistd.pid
+{% if deployment_type in ['prod'] %}
+# disabled because of https://pagure.io/taskotron/issue/236
+#PIDFile=/home/%i/slave/twistd.pid
 ExecStart=/bin/buildslave start /home/%i/slave/
 ExecStop=/bin/buildslave stop /home/%i/slave/
 {% endif %}
-{% if deployment_type in ['dev'] %}
-PIDFile=/srv/buildslaves/%i/slave/twistd.pid
+{% if deployment_type in ['dev', 'stg'] %}
+# disabled because of https://pagure.io/taskotron/issue/236
+#PIDFile=/srv/buildslaves/%i/slave/twistd.pid
 ExecStart=/bin/buildslave start /srv/buildslaves/%i/slave/
 ExecStop=/bin/buildslave stop /srv/buildslaves/%i/slave/
 {% endif %}
diff --git a/roles/virthost/files/rhel7-os.repo b/roles/virthost/files/rhel7-os.repo
index 3dc6faa81d..f802cefbda 100644
--- a/roles/virthost/files/rhel7-os.repo
+++ b/roles/virthost/files/rhel7-os.repo
@@ -1,5 +1,5 @@
 [rhel7-os]
 name = rhel7 os $basearch
-baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-openstack-8-rpms
+baseurl=http://infrastructure.fedoraproject.org/repo/rhel/rhel7/$basearch/rhel-7-openstack-10-rpms
 includepkgs=qemu*
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release