diff --git a/docker/centos/binary/barbican/config-external.sh b/docker/centos/binary/barbican/config-external.sh
new file mode 120000
index 0000000000..5a0d7a06c8
--- /dev/null
+++ b/docker/centos/binary/barbican/config-external.sh
@@ -0,0 +1 @@
+../../../common/barbican/config-external.sh
\ No newline at end of file
diff --git a/docker/centos/binary/barbican/config-internal.sh b/docker/centos/binary/barbican/config-internal.sh
new file mode 120000
index 0000000000..393328cd93
--- /dev/null
+++ b/docker/centos/binary/barbican/config-internal.sh
@@ -0,0 +1 @@
+../../../common/barbican/config-internal.sh
\ No newline at end of file
diff --git a/docker/common/barbican/config-external.sh b/docker/common/barbican/config-external.sh
new file mode 100644
index 0000000000..12ca52fb91
--- /dev/null
+++ b/docker/common/barbican/config-external.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+SOURCE="/opt/kolla/barbican/barbican.conf"
+TARGET="/etc/barbican/barbican.conf"
+OWNER="barbican"
+
+if [[ -f "$SOURCE" ]]; then
+ cp $SOURCE $TARGET
+ chown ${OWNER}: $TARGET
+ chmod 0644 $TARGET
+fi
diff --git a/docker/common/barbican/config-internal.sh b/docker/common/barbican/config-internal.sh
new file mode 100644
index 0000000000..1ca4bd1be1
--- /dev/null
+++ b/docker/common/barbican/config-internal.sh
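Review bot: In docker/common/barbican/config-external.sh, `chmod 0644 $TARGET` leaves /etc/barbican/barbican.conf world-readable. That file presumably carries the database connection string and Keystone credentials for the secrets service, so with the `chown` already in place `chmod 0640 "$TARGET"` (or 0600) is the safer mode. The script also sets no `set -o errexit`, so a failed `cp` still falls through to `chown` and `chmod` on whatever was at the target before. `$SOURCE` and `$TARGET` are expanded unquoted in all three commands; I would write them as `cp -- "$SOURCE" "$TARGET"` and likewise for the other two.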
@@ -0,0 +1,75 @@ +#!/bin/bash + +set -e + +if ! [ "$BARBICAN_DB_PASSWORD" ]; then + BARBICAN_DB_PASSWORD=$(openssl rand -hex 15) + export BARBICAN_DB_PASSWORD +fi + +check_required_vars KEYSTONE_ADMIN_TOKEN KEYSTONE_ADMIN_SERVICE_HOST \ + KEYSTONE_ADMIN_SERVICE_PORT BARBICAN_ADMIN_PASSWORD +fail_unless_db +fail_unless_os_service_running keystone + +mysql -h ${MARIADB_SERVICE_HOST} -u root -p"${DB_ROOT_PASSWORD}" mysql < /dev/null 2>&1 || /bin/keystone user-create --name ${BARBICAN_KEYSTONE_USER} --pass ${BARBICAN_ADMIN_PASSWORD} + +keystone role-get observer > /dev/null 2>&1 || /bin/keystone role-create --name observer +keystone role-get creator > /dev/null 2>&1 || /bin/keystone role-create --name creator + +keystone user-get ${BARBICAN_KEYSTONE_USER} > /dev/null 2>&1 || /bin/keystone user-role-add --user ${BARBICAN_KEYSTONE_USER} --role admin --tenant ${ADMIN_TENANT_NAME} + +# launch Barbican using uwsgi +exec uwsgi --master --emperor /etc/barbican/vassals diff --git a/docker/common/barbican/start.sh b/docker/common/barbican/start.sh index 673aa43393..c0a32e00df 100755 --- a/docker/common/barbican/start.sh +++ b/docker/common/barbican/start.sh 
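Review bot: The last keystone line guards `user-role-add` with `keystone user-get ${BARBICAN_KEYSTONE_USER}`, which tests whether the user exists rather than whether the role is assigned. By that point the user has either just been created or already existed, so the check succeeds and the admin role is never granted; the guard should look at the user's role list instead. Separately, `--pass ${BARBICAN_ADMIN_PASSWORD}` and `-p"${DB_ROOT_PASSWORD}"` put secrets on the command line where they show up in the process list, and the first is unquoted, so a password containing spaces or glob characters is split; at minimum write `--pass "${BARBICAN_ADMIN_PASSWORD}"`. Part of this hunk's text appears to be missing on the page (the mysql input and the start of the user-create line), so this is based on the visible lines only.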
@@ -1,81 +1,22 @@ #!/bin/bash -set -e +set -o errexit -: ${BARBICAN_DB_USER:=barbican} -: ${BARBICAN_DB_NAME:=barbican} -: ${KEYSTONE_AUTH_PROTOCOL:=http} -: ${BARBICAN_KEYSTONE_USER:=barbican} -: ${ADMIN_TENANT_NAME:=admin} +CMD="uwsgi" +ARGS="--master --emperor" -if ! [ "$BARBICAN_DB_PASSWORD" ]; then - BARBICAN_DB_PASSWORD=$(openssl rand -hex 15) - export BARBICAN_DB_PASSWORD +# Loading common functions. +source /opt/kolla/kolla-common.sh + +# Config-internal script exec out of this function, it does not return here. +set_configs + +# Bootstrap and exit if KOLLA_BOOTSTRAP variable is set. This catches all cases +# of the KOLLA_BOOTSTRAP variable being set, including empty. +if [[ "${!KOLLA_BOOTSTRAP[@]}" ]]; then + su -s /bin/sh -c "barbican-manage db_sync" barbican + exit 0 fi -check_required_vars KEYSTONE_ADMIN_TOKEN KEYSTONE_ADMIN_SERVICE_HOST \ - KEYSTONE_ADMIN_SERVICE_PORT BARBICAN_ADMIN_PASSWORD -fail_unless_db -fail_unless_os_service_running keystone +exec $CMD $ARGS -mysql -h ${MARIADB_SERVICE_HOST} -u root -p"${DB_ROOT_PASSWORD}" mysql < /dev/null 2>&1 || /bin/keystone user-create --name ${BARBICAN_KEYSTONE_USER} --pass ${BARBICAN_ADMIN_PASSWORD} - -keystone role-get observer > /dev/null 2>&1 || /bin/keystone role-create --name observer -keystone role-get creator > /dev/null 2>&1 || /bin/keystone role-create --name creator - -keystone user-get ${BARBICAN_KEYSTONE_USER} > /dev/null 2>&1 || /bin/keystone user-role-add --user ${BARBICAN_KEYSTONE_USER} --role admin --tenant ${ADMIN_TENANT_NAME} - -# launch Barbican using uwsgi -exec uwsgi --master --emperor /etc/barbican/vassals diff --git a/tools/genenv b/tools/genenv index 3a547c1dbd..95082ee542 100755 --- a/tools/genenv +++ b/tools/genenv 
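Review bot: `ARGS="--master --emperor"` drops the vassals directory that the removed `exec uwsgi --master --emperor /etc/barbican/vassals` passed, so `exec $CMD $ARGS` gives `--emperor` no argument unless kolla-common.sh or `set_configs` supplies one, which is not visible here. I would keep the path, `ARGS="--master --emperor /etc/barbican/vassals"`. The bootstrap branch drops to the barbican user with `su`, but the final `exec` does not; if the vassal configs do not set a uid, uwsgi keeps running as root, and a short comment stating where the privilege drop happens would make that reviewable.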
@@ -235,6 +235,13 @@ CINDER_ENABLED_BACKEND=lvm57 # Here we define pairs hostname:priority. Priorities have to be unique KEEPALIVED_HOST_PRIORITIES=host1:100,host2:99 +#Barbican +BARBICAN_DB_USER=barbican +BARBICAN_DB_NAME=barbican +KEYSTONE_AUTH_PROTOCOL=http +BARBICAN_KEYSTONE_USER=barbican +ADMIN_TENANT_NAME=admin + # this should use the keystone admin port # https://bugs.launchpad.net/kolla/+bug/1469209 cat > ./openrc <
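Review bot: `KEYSTONE_AUTH_PROTOCOL=http` makes plaintext the generated default for the service that stores secrets, so tokens exchanged with Keystone would cross the network unencrypted unless an operator edits the output; a comment on that line such as `# dev default; use https outside a test lab` would make the trade-off explicit. `KEYSTONE_AUTH_PROTOCOL` and `ADMIN_TENANT_NAME` are not Barbican-specific names, so placing them under `#Barbican` may duplicate or override definitions elsewhere in genenv, which cannot be checked from this hunk. With the `: ${VAR:=default}` lines removed from start.sh, these assignments appear to be the only source of those values, so a container started without this env file gets empty expansions in config-internal.sh.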