diff --git a/docker/services/nova-compute-common.yaml b/deployment/nova/nova-compute-common-container-puppet.yaml
similarity index 100%
rename from docker/services/nova-compute-common.yaml
rename to deployment/nova/nova-compute-common-container-puppet.yaml
diff --git a/puppet/services/nova-compute.yaml b/deployment/nova/nova-compute-container-puppet.yaml
similarity index 52%
rename from puppet/services/nova-compute.yaml
rename to deployment/nova/nova-compute-container-puppet.yaml
index 811b2854bd..6292701994 100644
--- a/puppet/services/nova-compute.yaml
+++ b/deployment/nova/nova-compute-container-puppet.yaml
@@ -1,9 +1,24 @@
 heat_template_version: rocky
 
 description: >
-  OpenStack Nova Compute service configured with Puppet
+  OpenStack containerized Nova Compute service
 
 parameters:
+  DockerNovaComputeImage:
+    description: image
+    type: string
+  DockerNovaLibvirtConfigImage:
+    description: The container image to use for the nova_libvirt config_volume
+    type: string
+  DockerNovaComputeUlimit:
+    default: ['nofile=1024']
+    description: ulimit for Nova Compute Container
+    type: comma_delimited_list
+  NovaComputeLoggingSource:
+    type: json
+    default:
+      tag: openstack.nova.compute
+      path: /var/log/containers/nova/nova-compute.log
   ServiceData:
     default: {}
     description: Dictionary packing service data
@@ -30,8 +45,13 @@ parameters:
     description: Mapping of service endpoint -> protocol. Typically set
                  via parameter_defaults in the resource registry.
     type: json
-  NovaRbdPoolName:
-    default: vms
+  DockerNovaMigrationSshdPort:
+    default: 2022
+    description: Port that dockerized nova migration target sshd service
+                 binds to.
+    type: number
+  CephClientUserName:
+    default: openstack
     type: string
   CephClusterName:
     type: string
@@ -42,8 +62,22 @@ parameters:
       description: >
         The Ceph cluster name must be at least 1 character and contain only
         letters and numbers.
-  CephClientUserName:
-    default: openstack
+  NovaComputeOptVolumes:
+    default: []
+    description: list of optional vo
+    type: comma_delimited_list
+  NovaComputeOptEnvVars:
+    default: []
+    description: list of optional en
+    type: comma_delimited_list
+  EnableInstanceHA:
+    default: false
+    description: Whether to enable an Instance Ha configurarion or not.
+                 This setup requires the Compute role to have the
+                 PacemakerRemote service added to it.
+    type: boolean
+  NovaRbdPoolName:
+    default: vms
     type: string
   CephClientKey:
     description: The Ceph client key. Can be created with ceph-authtool --gen-print-key.
@@ -124,11 +158,6 @@ parameters:
   MonitoringSubscriptionNovaCompute:
     default: 'overcloud-nova-compute'
     type: string
-  NovaComputeLoggingSource:
-    type: json
-    default:
-      tag: openstack.nova.compute
-      path: /var/log/nova/nova-compute.log
   UpgradeLevelNovaCompute:
     type: string
     description: Nova Compute upgrade level
@@ -213,22 +242,39 @@ parameters:
     type: string
     tags:
       - role_specific
-
-conditions:
-  enable_live_migration_tunnelled:
-    or:
-      - equals: [{get_param: NovaNfsEnabled}, true]
-      - equals: [{get_param: NovaEnableRbdBackend}, true]
-
-  libvirt_file_backed_memory_enabled:
-    not:
-      or:
-      -  equals: [{get_param: NovaLibvirtFileBackedMemory}, '']
-      -  equals: [{get_param: NovaLibvirtFileBackedMemory}, 0]
+  DeployIdentifier:
+    default: ''
+    type: string
+    description: >
+      Setting this to a unique value will re-run any deployment tasks which
+      perform configuration on a Heat stack-update.
 
 resources:
+
+  ContainersCommon:
+    type: ../../docker/services/containers-common.yaml
+
+  MySQLClient:
+    type: ../../deployment/database/mysql-client.yaml
+
+  NovaComputeCommon:
+    type: ./nova-compute-common-container-puppet.yaml
+    properties:
+      EndpointMap: {get_param: EndpointMap}
+      ServiceData: {get_param: ServiceData}
+      ServiceNetMap: {get_param: ServiceNetMap}
+      DefaultPasswords: {get_param: DefaultPasswords}
+      RoleName: {get_param: RoleName}
+      RoleParameters: {get_param: RoleParameters}
+
+  NovaLogging:
+    type: OS::TripleO::Services::Logging::NovaCommon
+    properties:
+      DockerNovaImage: {get_param: DockerNovaComputeImage}
+      NovaServiceName: 'compute'
+
   NovaBase:
-    type: ./nova-base.yaml
+    type: ../../puppet/services/nova-base.yaml
     properties:
       ServiceData: {get_param: ServiceData}
       ServiceNetMap: {get_param: ServiceNetMap}
@@ -271,6 +317,20 @@ resources:
               NovaLibvirtVolumeUseMultipath: {get_param: NovaLibvirtVolumeUseMultipath}
               NovaHWMachineType: {get_param: NovaHWMachineType}
 
+conditions:
+  enable_instance_ha: {equals: [{get_param: EnableInstanceHA}, true]}
+
+  enable_live_migration_tunnelled:
+    or:
+      - equals: [{get_param: NovaNfsEnabled}, true]
+      - equals: [{get_param: NovaEnableRbdBackend}, true]
+
+  libvirt_file_backed_memory_enabled:
+    not:
+      or:
+      -  equals: [{get_param: NovaLibvirtFileBackedMemory}, '']
+      -  equals: [{get_param: NovaLibvirtFileBackedMemory}, 0]
+
 outputs:
   role_data:
     description: Role data for the Nova Compute service.
@@ -279,6 +339,7 @@ outputs:
       monitoring_subscription: {get_param: MonitoringSubscriptionNovaCompute}
       config_settings:
         map_merge:
+          - get_attr: [NovaLogging, config_settings]
           - get_attr: [NovaBase, role_data, config_settings]
           - get_attr: [RoleParametersValue, value]
           - nova::compute::libvirt::manage_libvirt_services: false
@@ -355,11 +416,6 @@ outputs:
               - libvirt_file_backed_memory_enabled
               - '1.0'
               - null
-      step_config: |
-        # TODO(emilien): figure how to deal with libvirt profile.
-        # We'll probably treat it like we do with Neutron plugins.
-        # Until then, just include it in the default nova-compute role.
-        include tripleo::profile::base::nova::compute::libvirt
       service_config_settings:
         fluentd:
           tripleo_fluentd_groups_nova_compute:
@@ -370,55 +426,234 @@ outputs:
           tripleo.collectd.plugins.nova_compute:
             - virt
           collectd::plugin::virt::connection: 'qemu:///system'
+      puppet_config:
+        config_volume: nova_libvirt
+        puppet_tags: nova_config,nova_paste_api_ini
+        step_config:
+          list_join:
+            - "\n"
+            - - # TODO(emilien): figure how to deal with libvirt profile.
+                # We'll probably treat it like we do with Neutron plugins.
+                # Until then, just include it in the default nova-compute role.
+                include tripleo::profile::base::nova::compute::libvirt
+              - {get_attr: [MySQLClient, role_data, step_config]}
+        config_image: {get_param: DockerNovaLibvirtConfigImage}
+      kolla_config:
+        /var/lib/kolla/config_files/nova_compute.json:
+          command:
+            list_join:
+            - ' '
+            - - if:
+                - enable_instance_ha
+                - /var/lib/nova/instanceha/check-run-nova-compute
+                - /usr/bin/nova-compute
+              - get_attr: [NovaLogging, cmd_extra_args]
+          config_files:
+            - source: "/var/lib/kolla/config_files/src/*"
+              dest: "/"
+              merge: true
+              preserve_properties: true
+            - source: "/var/lib/kolla/config_files/src-iscsid/*"
+              dest: "/etc/iscsi/"
+              merge: true
+              preserve_properties: true
+            - source: "/var/lib/kolla/config_files/src-ceph/"
+              dest: "/etc/ceph/"
+              merge: true
+              preserve_properties: true
+          permissions:
+            - path: /var/log/nova
+              owner: nova:nova
+              recurse: true
+            - path:
+                str_replace:
+                  template: /etc/ceph/CLUSTER.client.USER.keyring
+                  params:
+                    CLUSTER: {get_param: CephClusterName}
+                    USER: {get_param: CephClientUserName}
+              owner: nova:nova
+              perm: '0600'
+      docker_config_scripts:
+        map_merge:
+          - {get_attr: [ContainersCommon, docker_config_scripts]}
+          - {get_attr: [NovaComputeCommon, docker_config_scripts]}
+      docker_config:
+        step_3:
+          nova_statedir_owner:
+            image: &nova_compute_image {get_param: DockerNovaComputeImage}
+            net: none
+            user: root
+            privileged: false
+            detach: false
+            volumes:
+              - /var/lib/nova:/var/lib/nova:shared,z
+              - /var/lib/docker-config-scripts/:/docker-config-scripts/:z
+            command: "/docker-config-scripts/pyshim.sh /docker-config-scripts/nova_statedir_ownership.py"
+            environment:
+              # NOTE: this should force this container to re-run on each
+              # update (scale-out, etc.)
+              - list_join:
+                  - ''
+                  - - 'TRIPLEO_DEPLOY_IDENTIFIER='
+                    - {get_param: DeployIdentifier}
+        step_4:
+          nova_wait_for_placement_service:
+            start_order: 2
+            image: *nova_compute_image
+            user: root
+            net: host
+            privileged: false
+            detach: false
+            volumes:
+              - /var/lib/docker-config-scripts/:/docker-config-scripts/:z
+              - /var/lib/config-data/puppet-generated/nova_libvirt/etc/nova:/etc/nova:ro
+            command: "/docker-config-scripts/pyshim.sh /docker-config-scripts/nova_wait_for_placement_service.py"
+          nova_compute:
+            start_order: 3
+            image: *nova_compute_image
+            ulimit: {get_param: DockerNovaComputeUlimit}
+            ipc: host
+            net: host
+            privileged: true
+            user: nova
+            restart: always
+            healthcheck:
+              test:
+                list_join:
+                  - ' '
+                  - - '/openstack/healthcheck'
+                    - yaql:
+                        expression: str($.data.port)
+                        data:
+                          port: {get_attr: [NovaBase, role_data, config_settings, 'nova::rabbit_port']}
+            volumes:
+              list_concat:
+                - {get_attr: [ContainersCommon, volumes]}
+                - {get_attr: [NovaLogging, volumes]}
+                - {get_param: NovaComputeOptVolumes}
+                -
+                  - /var/lib/kolla/config_files/nova_compute.json:/var/lib/kolla/config_files/config.json:ro
+                  - /var/lib/config-data/puppet-generated/nova_libvirt/:/var/lib/kolla/config_files/src:ro
+                  - /etc/iscsi:/var/lib/kolla/config_files/src-iscsid:ro
+                  - /etc/ceph:/var/lib/kolla/config_files/src-ceph:ro
+                  - /dev:/dev
+                  - /lib/modules:/lib/modules:ro
+                  - /run:/run
+                  - /var/lib/iscsi:/var/lib/iscsi:z
+                  - /var/lib/nova:/var/lib/nova:shared,z
+                  - /var/lib/libvirt:/var/lib/libvirt:shared,z
+                  - /sys/class/net:/sys/class/net
+                  - /sys/bus/pci:/sys/bus/pci
+            environment:
+              list_concat:
+                - {get_param: NovaComputeOptEnvVars}
+                -
+                  - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+        step_5:
+          nova_cellv2_discover_hosts:
+            start_order: 0
+            image: *nova_compute_image
+            net: host
+            detach: false
+            volumes:
+              list_concat:
+                - {get_attr: [ContainersCommon, volumes]}
+                -
+                  - /var/lib/config-data/nova_libvirt/etc/nova/:/etc/nova/:ro
+                  - /var/log/containers/nova:/var/log/nova
+                  - /var/lib/docker-config-scripts/:/docker-config-scripts/
+            user: root
+            command: "/docker-config-scripts/pyshim.sh /docker-config-scripts/nova_cell_v2_discover_host.py"
       host_prep_tasks:
-        - name: Mount Nova NFS Share
-          vars:
-            nfs_backend_enable: {get_param: NovaNfsEnabled}
-            nfs_share: {get_param: NovaNfsShare}
-            nfs_options: {get_param: NovaNfsOptions}
-          mount: name=/var/lib/nova/instances src="{{nfs_share}}" fstype=nfs4 opts="_netdev,bg,{{nfs_options}},vers=4,nfsvers=4" state=mounted
-          when: nfs_backend_enable|bool
-        - name: is Nova Resume Guests State On Host Boot enabled
-          set_fact:
-            resume_guests_state_on_host_boot_enabled: {get_param: NovaResumeGuestsStateOnHostBoot}
-        - name: install libvirt-guests systemd unit file
-          when: resume_guests_state_on_host_boot_enabled|bool
-          block:
-          - name: libvirt-guests unit to stop nova_api container before shutdown VMs
-            copy:
-              dest: /etc/systemd/system/libvirt-guests.service
-              content: |
-                [Unit]
-                Description=Suspend/Resume Running libvirt Guests
-                Requires=virt-guest-shutdown.target
-                After=network.target
-                After=time-sync.target
-                After=virt-guest-shutdown.target
-                After=docker.service
-                After=paunch-container-shutdown.service
-                After=rhel-push-plugin.service
-                Documentation=man:libvirtd(8)
-                Documentation=https://libvirt.org
+        list_concat:
+        - {get_attr: [NovaLogging, host_prep_tasks]}
+        - - name: Mount Nova NFS Share
+            vars:
+              nfs_backend_enable: {get_param: NovaNfsEnabled}
+              nfs_share: {get_param: NovaNfsShare}
+              nfs_options: {get_param: NovaNfsOptions}
+            mount: name=/var/lib/nova/instances src="{{nfs_share}}" fstype=nfs4 opts="_netdev,bg,{{nfs_options}},vers=4,nfsvers=4" state=mounted
+            when: nfs_backend_enable|bool
+          - name: is Nova Resume Guests State On Host Boot enabled
+            set_fact:
+              resume_guests_state_on_host_boot_enabled: {get_param: NovaResumeGuestsStateOnHostBoot}
+          - name: install libvirt-guests systemd unit file
+            when: resume_guests_state_on_host_boot_enabled|bool
+            block:
+              - name: libvirt-guests unit to stop nova_api container before shutdown VMs
+                copy:
+                  dest: /etc/systemd/system/libvirt-guests.service
+                  content: |
+                    [Unit]
+                    Description=Suspend/Resume Running libvirt Guests
+                    Requires=virt-guest-shutdown.target
+                    After=network.target
+                    After=time-sync.target
+                    After=virt-guest-shutdown.target
+                    After=docker.service
+                    After=paunch-container-shutdown.service
+                    After=rhel-push-plugin.service
+                    Documentation=man:libvirtd(8)
+                    Documentation=https://libvirt.org
 
-                [Service]
-                EnvironmentFile=-/etc/sysconfig/libvirt-guests
-                # Hack just call traditional service until we factor
-                # out the code
-                ExecStart=/usr/libexec/libvirt-guests.sh start
-                ExecStop=/bin/{{container_cli}} stop nova_compute
-                ExecStop=/usr/libexec/libvirt-guests.sh stop
-                Type=oneshot
-                RemainAfterExit=yes
-                StandardOutput=journal+console
-                TimeoutStopSec=0
+                    [Service]
+                    EnvironmentFile=-/etc/sysconfig/libvirt-guests
+                    # Hack just call traditional service until we factor
+                    # out the code
+                    ExecStart=/usr/libexec/libvirt-guests.sh start
+                    ExecStop=/bin/{{container_cli}} stop nova_compute
+                    ExecStop=/usr/libexec/libvirt-guests.sh stop
+                    Type=oneshot
+                    RemainAfterExit=yes
+                    StandardOutput=journal+console
+                    TimeoutStopSec=0
 
-                [Install]
-                WantedBy=multi-user.target
-          - name: libvirt-guests enable VM shutdown on compute reboot/shutdown
-            systemd:
-              name: libvirt-guests
-              enabled: yes
-              daemon_reload: yes
+                    [Install]
+                    WantedBy=multi-user.target
+              - name: libvirt-guests enable VM shutdown on compute reboot/shutdown
+                systemd:
+                  name: libvirt-guests
+                  enabled: yes
+                  daemon_reload: yes
+          - name: create persistent directories
+            file:
+              path: "{{ item.path }}"
+              state: directory
+              setype: "{{ item.setype }}"
+            with_items:
+              - { 'path': /var/lib/nova, 'setype': svirt_sandbox_file_t }
+              - { 'path': /var/lib/nova/instances, 'setype': svirt_sandbox_file_t }
+              - { 'path': /var/lib/libvirt, 'setype': svirt_sandbox_file_t }
+          - name: ensure ceph configurations exist
+            file:
+              path: /etc/ceph
+              state: directory
+          - name: is Instance HA enabled
+            set_fact:
+              instance_ha_enabled: {get_param: EnableInstanceHA}
+          - name: enable virt_sandbox_use_netlink for healthcheck
+            seboolean:
+              name: virt_sandbox_use_netlink
+              persistent: yes
+              state: yes
+          - name: install Instance HA recovery script
+            when: instance_ha_enabled|bool
+            block:
+            - name: prepare Instance HA script directory
+              file:
+                path: /var/lib/nova/instanceha
+                state: directory
+            - name: install Instance HA script that runs nova-compute
+              copy:
+                content: {get_file: ../../extraconfig/tasks/instanceha/check-run-nova-compute}
+                dest: /var/lib/nova/instanceha/check-run-nova-compute
+                mode: 0755
+            - name: Get list of instance HA compute nodes
+              command: hiera -c /etc/puppet/hiera.yaml compute_instanceha_short_node_names
+              register: iha_nodes
+            - name: If instance HA is enabled on the node activate the evacuation completed check
+              file: path=/var/lib/nova/instanceha/enabled state=touch
+              when: iha_nodes.stdout|lower | search('"'+ansible_hostname|lower+'"')
       upgrade_tasks:
         - name: Stop nova-compute service
           when: step|int == 1
@@ -438,3 +673,51 @@ outputs:
         - name: Start nova-compute service
           when: step|int == 6
           service: name=openstack-nova-compute state=started
+        - name: Remove openstack-nova-compute and python-nova package during upgrade
+          package:
+            name:
+              - openstack-nova-compute
+              - python-nova
+            state: removed
+          ignore_errors: True
+          when: step|int == 2
+      update_tasks:
+        - name: Remove openstack-nova-compute and python-nova package during upgrade
+          package:
+            name:
+              - openstack-nova-compute
+              - python-nova
+            state: removed
+          ignore_errors: True
+          when: step|int == 2
+      post_upgrade_tasks:
+        - when: step|int == 1
+          import_role:
+            name: tripleo-docker-rm
+          vars:
+            containers_to_rm:
+              - nova_compute
+      fast_forward_upgrade_tasks:
+        - when:
+            - step|int == 0
+            - release == 'ocata'
+          block:
+            - name: Check if nova-compute is deployed
+              command:  systemctl is-enabled --quiet openstack-nova-compute
+              ignore_errors: True
+              register: nova_compute_enabled_result
+            - name: Set fact nova_compute_enabled
+              set_fact:
+                nova_compute_enabled: "{{ nova_compute_enabled_result.rc == 0 }}"
+        - when:
+            - step|int == 1
+            - release == 'ocata'
+          block:
+            - name: Stop and disable nova-compute service
+              service: name=openstack-nova-compute state=stopped
+              when:
+                - nova_compute_enabled|bool
+            - name: Set upgrade marker in nova statedir
+              file: path=/var/lib/nova/upgrade_marker state=touch owner=nova group=nova
+              when:
+                - nova_compute_enabled|bool
diff --git a/deployment/nova/nova-ironic-container-puppet.yaml b/deployment/nova/nova-ironic-container-puppet.yaml
index ddb85635a4..8ab901ad4c 100644
--- a/deployment/nova/nova-ironic-container-puppet.yaml
+++ b/deployment/nova/nova-ironic-container-puppet.yaml
@@ -54,7 +54,7 @@ resources:
     type: ../../deployment/database/mysql-client.yaml
 
   NovaComputeCommon:
-    type: ../../docker/services/nova-compute-common.yaml
+    type: ./nova-compute-common-container-puppet.yaml
     properties:
       EndpointMap: {get_param: EndpointMap}
       ServiceData: {get_param: ServiceData}
@@ -95,9 +95,9 @@ outputs:
         puppet_tags: nova_config,nova_paste_api_ini
         step_config:
           list_join:
-            - "\n"
-            - - include tripleo::profile::base::nova::compute::ironic
-              - {get_attr: [MySQLClient, role_data, step_config]}
+              - "\n"
+              - - include tripleo::profile::base::nova::compute::ironic
+                - {get_attr: [MySQLClient, role_data, step_config]}
         config_image: {get_param: DockerNovaConfigImage}
       kolla_config:
         /var/lib/kolla/config_files/nova_ironic.json:
diff --git a/docker/services/nova-libvirt.yaml b/deployment/nova/nova-libvirt-container-puppet.yaml
similarity index 69%
rename from docker/services/nova-libvirt.yaml
rename to deployment/nova/nova-libvirt-container-puppet.yaml
index 8a42b3cb85..07a37b3a59 100644
--- a/docker/services/nova-libvirt.yaml
+++ b/deployment/nova/nova-libvirt-container-puppet.yaml
@@ -160,6 +160,37 @@ parameters:
     description: CLI tool used to manage containers.
     constraints:
       - allowed_values: ['docker', 'podman']
+  NovaComputeLibvirtType:
+    type: string
+    default: kvm
+  LibvirtEnabledPerfEvents:
+    type: comma_delimited_list
+    default: []
+    description: This is a performance event list which could be used as monitor.
+                 For example - ``enabled_perf_events = cmt, mbml, mbmt``
+                 The supported events list can be found in
+                 https://libvirt.org/html/libvirt-libvirt-domain.html ,
+                 which you may need to search key words ``VIR_PERF_PARAM_*``
+  MonitoringSubscriptionNovaLibvirt:
+    default: 'overcloud-nova-libvirt'
+    type: string
+  MigrationSshKey:
+    type: json
+    description: >
+      SSH key for migration.
+      Expects a dictionary with keys 'public_key' and 'private_key'.
+      Values should be identical to SSH public/private key files.
+    default:
+      public_key: ''
+      private_key: ''
+  MigrationSshPort:
+    default: 2022
+    description: Target port for migration over ssh
+    type: number
+  LibvirtTLSPassword:
+    description: The password for the libvirt service when TLS is enabled
+    type: string
+    hidden: true
 
 conditions:
 
@@ -242,41 +273,177 @@ resources:
 
 
   ContainersCommon:
-    type: ./containers-common.yaml
+    type: ../../docker/services/containers-common.yaml
 
   MySQLClient:
     type: ../../deployment/database/mysql-client.yaml
 
-  NovaLibvirtBase:
-    type: ../../puppet/services/nova-libvirt.yaml
+  NovaLibvirtLogging:
+    type: OS::TripleO::Services::Logging::NovaLibvirt
+
+  NovaBase:
+    type: ../../puppet/services/nova-base.yaml
     properties:
-      EndpointMap: {get_param: EndpointMap}
       ServiceData: {get_param: ServiceData}
       ServiceNetMap: {get_param: ServiceNetMap}
       DefaultPasswords: {get_param: DefaultPasswords}
+      EndpointMap: {get_param: EndpointMap}
       RoleName: {get_param: RoleName}
       RoleParameters: {get_param: RoleParameters}
 
-  NovaLibvirtLogging:
-    type: OS::TripleO::Services::Logging::NovaLibvirt
-
 outputs:
   role_data:
     description: Role data for the Libvirt service.
     value:
-      service_name: {get_attr: [NovaLibvirtBase, role_data, service_name]}
+      service_name: nova_libvirt
       config_settings:
         map_merge:
-          - get_attr: [NovaLibvirtBase, role_data, config_settings]
+          - get_attr: [NovaBase, role_data, config_settings]
+          - get_attr: [RoleParametersValue, value]
           - get_attr: [NovaLibvirtLogging, config_settings]
-
+          # we include ::nova::compute::libvirt::services in nova/libvirt profile
+          - nova::compute::libvirt::manage_libvirt_services: false
+          # we manage migration in nova common puppet profile
+            nova::compute::libvirt::migration_support: false
+            nova::compute::rbd::libvirt_images_rbd_ceph_conf:
+              list_join:
+              - ''
+              - - '/etc/ceph/'
+                - {get_param: CephClusterName}
+                - '.conf'
+            nova::compute::rbd::libvirt_rbd_user: {get_param: CephClientUserName}
+            nova::compute::rbd::rbd_keyring:
+              list_join:
+              - '.'
+              - - 'client'
+                - {get_param: CephClientUserName}
+            nova::compute::rbd::libvirt_rbd_secret_key: {get_param: CephClientKey}
+            nova::compute::rbd::libvirt_rbd_secret_uuid: {get_param: CephClusterFSID}
+            tripleo::profile::base::nova::migration::client::libvirt_enabled: true
+            tripleo::profile::base::nova::migration::client::ssh_private_key: {get_param: [ MigrationSshKey, private_key ]}
+            tripleo::profile::base::nova::migration::client::ssh_port: {get_param: MigrationSshPort}
+            nova::compute::libvirt::services::libvirt_virt_type: {get_param: NovaComputeLibvirtType}
+            nova::compute::libvirt::libvirt_virt_type: {get_param: NovaComputeLibvirtType}
+            nova::compute::libvirt::libvirt_enabled_perf_events: {get_param: LibvirtEnabledPerfEvents}
+            nova::compute::libvirt::qemu::configure_qemu: true
+            nova::compute::libvirt::qemu::max_files: 32768
+            nova::compute::libvirt::qemu::max_processes: 131072
+            nova::migration::qemu::configure_qemu: true
+            nova::migration::qemu::migration_port_min: 61152
+            nova::migration::qemu::migration_port_max: 61215
+            nova::compute::libvirt::vncserver_listen:
+              str_replace:
+                 template:
+                   "%{hiera('$NETWORK')}"
+                 params:
+                   $NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+            rbd_persistent_storage: {get_param: CinderEnableRbdBackend}
+            tripleo::nova_libvirt::firewall_rules:
+              '200 nova_libvirt':
+                dport:
+                  - 16514
+                  - '61152-61215'
+                  - '5900-6923'
+          -
+            if:
+              - use_tls_for_live_migration
+              -
+                generate_service_certificates: true
+                tripleo::profile::base::nova::migration::client::libvirt_tls: true
+                tripleo::profile::base::nova::libvirt::tls_password: {get_param: [LibvirtTLSPassword]}
+                nova::migration::libvirt::listen_address:
+                  str_replace:
+                     template:
+                       "%{hiera('$NETWORK')}"
+                     params:
+                       $NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+                nova::migration::libvirt::live_migration_inbound_addr:
+                  str_replace:
+                    template:
+                      "%{hiera('fqdn_$NETWORK')}"
+                    params:
+                      $NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+                tripleo::certmonger::ca::libvirt::origin_ca_pem:
+                  if:
+                    - libvirt_specific_ca_unset
+                    - get_param: InternalTLSCAFile
+                    - get_param: LibvirtCACert
+                tripleo::certmonger::libvirt_dirs::certificate_dir: '/etc/pki/libvirt'
+                tripleo::certmonger::libvirt_dirs::key_dir: '/etc/pki/libvirt/private'
+                libvirt_certificates_specs:
+                  libvirt-server-cert:
+                    service_certificate: '/etc/pki/libvirt/servercert.pem'
+                    service_key: '/etc/pki/libvirt/private/serverkey.pem'
+                    hostname:
+                      str_replace:
+                        template: "%{hiera('fqdn_NETWORK')}"
+                        params:
+                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+                    principal:
+                      str_replace:
+                        template: "libvirt/%{hiera('fqdn_NETWORK')}"
+                        params:
+                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+                  libvirt-client-cert:
+                    service_certificate: '/etc/pki/libvirt/clientcert.pem'
+                    service_key: '/etc/pki/libvirt/private/clientkey.pem'
+                    hostname:
+                      str_replace:
+                        template: "%{hiera('fqdn_NETWORK')}"
+                        params:
+                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+                    principal:
+                      str_replace:
+                        template: "libvirt/%{hiera('fqdn_NETWORK')}"
+                        params:
+                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+              -
+                nova::migration::libvirt::live_migration_inbound_addr:
+                  str_replace:
+                    template:
+                      "%{hiera('fqdn_$NETWORK')}"
+                    params:
+                      $NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+          -
+            if:
+              - use_tls_for_vnc
+              -
+                nova::compute::libvirt::qemu::vnc_tls: true
+                nova::compute::libvirt::qemu::vnc_tls_verify: true
+                generate_service_certificates: true
+                tripleo::certmonger::ca::libvirt_vnc::origin_ca_pem:
+                  if:
+                    - libvirt_vnc_specific_ca_unset
+                    - get_param: InternalTLSVncCAFile
+                    - get_param: LibvirtVncCACert
+                tripleo::certmonger::libvirt_vnc_dirs::certificate_dir: '/etc/pki/libvirt-vnc'
+                libvirt_vnc_certificates_specs:
+                  libvirt-vnc-server-cert:
+                    cacertfile:
+                      if:
+                        - libvirt_vnc_specific_ca_unset
+                        - get_param: InternalTLSVncCAFile
+                        - null
+                    service_certificate: '/etc/pki/libvirt-vnc/server-cert.pem'
+                    service_key: '/etc/pki/libvirt-vnc/server-key.pem'
+                    hostname:
+                      str_replace:
+                        template: "%{hiera('fqdn_NETWORK')}"
+                        params:
+                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+                    principal:
+                      str_replace:
+                        template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}"
+                        params:
+                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+              - {}
       puppet_config:
         config_volume: nova_libvirt
         puppet_tags: libvirtd_config,nova_config,file,libvirt_tls_password
         step_config:
           list_join:
             - "\n"
-            - - {get_attr: [NovaLibvirtBase, role_data, step_config]}
+            - - include tripleo::profile::base::nova::libvirt
               - {get_attr: [MySQLClient, role_data, step_config]}
         config_image: {get_param: DockerNovaLibvirtConfigImage}
       kolla_config:
@@ -564,7 +731,28 @@ outputs:
             content: |
               d /var/run/libvirt 0755 root root - -
       metadata_settings:
-        get_attr: [NovaLibvirtBase, role_data, metadata_settings]
+        list_concat:
+          - if:
+            - use_tls_for_live_migration
+            -
+              - service: libvirt
+                network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+                type: node
+            - null
+          - if:
+            - use_tls_for_vnc
+            -
+              - service: libvirt-vnc
+                network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+                type: node
+            - null
+          - if:
+            - use_tls_for_nbd
+            -
+              - service: qemu
+                network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+                type: node
+            - null
       upgrade_tasks: []
       post_upgrade_tasks:
         - when: step|int == 1
diff --git a/puppet/services/nova-libvirt-guests.yaml b/deployment/nova/nova-libvirt-guests-container-puppet.yaml
similarity index 96%
rename from puppet/services/nova-libvirt-guests.yaml
rename to deployment/nova/nova-libvirt-guests-container-puppet.yaml
index c087a07917..d0cc11fa59 100644
--- a/puppet/services/nova-libvirt-guests.yaml
+++ b/deployment/nova/nova-libvirt-guests-container-puppet.yaml
@@ -66,8 +66,6 @@ outputs:
     description: Role data for libvirt-guests
     value:
       service_name: nova_libvirt_guests
-      config_settings:
-        map_merge:
-          - get_attr: [RoleParametersValue, value]
+      config_settings: {get_attr: [RoleParametersValue, value]}
       step_config: |
         include ::tripleo::profile::base::nova::compute::libvirt_guests
diff --git a/docker/services/nova-compute.yaml b/docker/services/nova-compute.yaml
deleted file mode 100644
index e5c0d6e781..0000000000
--- a/docker/services/nova-compute.yaml
+++ /dev/null
@@ -1,367 +0,0 @@
-heat_template_version: rocky
-
-description: >
-  OpenStack containerized Nova Compute service
-
-parameters:
-  DockerNovaComputeImage:
-    description: image
-    type: string
-  DockerNovaLibvirtConfigImage:
-    description: The container image to use for the nova_libvirt config_volume
-    type: string
-  DockerNovaComputeUlimit:
-    default: ['nofile=1024']
-    description: ulimit for Nova Compute Container
-    type: comma_delimited_list
-  NovaComputeLoggingSource:
-    type: json
-    default:
-      tag: openstack.nova.compute
-      path: /var/log/containers/nova/nova-compute.log
-  ServiceData:
-    default: {}
-    description: Dictionary packing service data
-    type: json
-  ServiceNetMap:
-    default: {}
-    description: Mapping of service_name -> network name. Typically set
-                 via parameter_defaults in the resource registry.  This
-                 mapping overrides those in ServiceNetMapDefaults.
-    type: json
-  DefaultPasswords:
-    default: {}
-    type: json
-  RoleName:
-    default: ''
-    description: Role name on which the service is applied
-    type: string
-  RoleParameters:
-    default: {}
-    description: Parameters specific to the role
-    type: json
-  EndpointMap:
-    default: {}
-    description: Mapping of service endpoint -> protocol. Typically set
-                 via parameter_defaults in the resource registry.
-    type: json
-  DockerNovaMigrationSshdPort:
-    default: 2022
-    description: Port that dockerized nova migration target sshd service
-                 binds to.
-    type: number
-  CephClientUserName:
-    default: openstack
-    type: string
-  CephClusterName:
-    type: string
-    default: ceph
-    description: The Ceph cluster name.
-    constraints:
-    - allowed_pattern: "[a-zA-Z0-9]+"
-      description: >
-        The Ceph cluster name must be at least 1 character and contain only
-        letters and numbers.
-  NovaComputeOptVolumes:
-    default: []
-    description: list of optional vo
-    type: comma_delimited_list
-  NovaComputeOptEnvVars:
-    default: []
-    description: list of optional en
-    type: comma_delimited_list
-  EnableInstanceHA:
-    default: false
-    description: Whether to enable an Instance Ha configurarion or not.
-                 This setup requires the Compute role to have the
-                 PacemakerRemote service added to it.
-    type: boolean
-  DeployIdentifier:
-    default: ''
-    type: string
-    description: >
-      Setting this to a unique value will re-run any deployment tasks which
-      perform configuration on a Heat stack-update.
-
-resources:
-
-  ContainersCommon:
-    type: ./containers-common.yaml
-
-  MySQLClient:
-    type: ../../deployment/database/mysql-client.yaml
-
-  NovaComputeCommon:
-    type: ./nova-compute-common.yaml
-    properties:
-      EndpointMap: {get_param: EndpointMap}
-      ServiceData: {get_param: ServiceData}
-      ServiceNetMap: {get_param: ServiceNetMap}
-      DefaultPasswords: {get_param: DefaultPasswords}
-      RoleName: {get_param: RoleName}
-      RoleParameters: {get_param: RoleParameters}
-
-  NovaComputeBase:
-    type: ../../puppet/services/nova-compute.yaml
-    properties:
-      EndpointMap: {get_param: EndpointMap}
-      ServiceData: {get_param: ServiceData}
-      ServiceNetMap: {get_param: ServiceNetMap}
-      DefaultPasswords: {get_param: DefaultPasswords}
-      RoleName: {get_param: RoleName}
-      RoleParameters: {get_param: RoleParameters}
-
-  NovaLogging:
-    type: OS::TripleO::Services::Logging::NovaCommon
-    properties:
-      DockerNovaImage: {get_param: DockerNovaComputeImage}
-      NovaServiceName: 'compute'
-
-conditions:
-  enable_instance_ha: {equals: [{get_param: EnableInstanceHA}, true]}
-
-outputs:
-  role_data:
-    description: Role data for the Nova Compute service.
-    value:
-      service_name: {get_attr: [NovaComputeBase, role_data, service_name]}
-      config_settings:
-        map_merge:
-          - get_attr: [NovaComputeBase, role_data, config_settings]
-          - get_attr: [NovaLogging, config_settings]
-      service_config_settings:
-        map_merge:
-          - get_attr: [NovaComputeBase, role_data, service_config_settings]
-          - fluentd:
-              tripleo_fluentd_groups_nova_compute:
-                - nova
-              tripleo_fluentd_sources_nova_compute:
-                - {get_param: NovaComputeLoggingSource}
-      puppet_config:
-        config_volume: nova_libvirt
-        puppet_tags: nova_config,nova_paste_api_ini
-        step_config:
-          list_join:
-            - "\n"
-            - - {get_attr: [NovaComputeBase, role_data, step_config]}
-              - {get_attr: [MySQLClient, role_data, step_config]}
-        config_image: {get_param: DockerNovaLibvirtConfigImage}
-      kolla_config:
-        /var/lib/kolla/config_files/nova_compute.json:
-          command:
-            list_join:
-            - ' '
-            - - if:
-                - enable_instance_ha
-                - /var/lib/nova/instanceha/check-run-nova-compute
-                - /usr/bin/nova-compute
-              - get_attr: [NovaLogging, cmd_extra_args]
-          config_files:
-            - source: "/var/lib/kolla/config_files/src/*"
-              dest: "/"
-              merge: true
-              preserve_properties: true
-            - source: "/var/lib/kolla/config_files/src-iscsid/*"
-              dest: "/etc/iscsi/"
-              merge: true
-              preserve_properties: true
-            - source: "/var/lib/kolla/config_files/src-ceph/"
-              dest: "/etc/ceph/"
-              merge: true
-              preserve_properties: true
-          permissions:
-            - path: /var/log/nova
-              owner: nova:nova
-              recurse: true
-            - path:
-                str_replace:
-                  template: /etc/ceph/CLUSTER.client.USER.keyring
-                  params:
-                    CLUSTER: {get_param: CephClusterName}
-                    USER: {get_param: CephClientUserName}
-              owner: nova:nova
-              perm: '0600'
-      docker_config_scripts:
-        map_merge:
-          - {get_attr: [ContainersCommon, docker_config_scripts]}
-          - {get_attr: [NovaComputeCommon, docker_config_scripts]}
-      docker_config:
-        step_3:
-          nova_statedir_owner:
-            image: &nova_compute_image {get_param: DockerNovaComputeImage}
-            net: none
-            user: root
-            privileged: false
-            detach: false
-            volumes:
-              - /var/lib/nova:/var/lib/nova:shared,z
-              - /var/lib/docker-config-scripts/:/docker-config-scripts/:z
-            command: "/docker-config-scripts/pyshim.sh /docker-config-scripts/nova_statedir_ownership.py"
-            environment:
-              # NOTE: this should force this container to re-run on each
-              # update (scale-out, etc.)
-              - list_join:
-                  - ''
-                  - - 'TRIPLEO_DEPLOY_IDENTIFIER='
-                    - {get_param: DeployIdentifier}
-        step_4:
-          nova_wait_for_placement_service:
-            start_order: 2
-            image: *nova_compute_image
-            user: root
-            net: host
-            privileged: false
-            detach: false
-            volumes:
-              - /var/lib/docker-config-scripts/:/docker-config-scripts/:z
-              - /var/lib/config-data/puppet-generated/nova_libvirt/etc/nova:/etc/nova:ro
-            command: "/docker-config-scripts/pyshim.sh /docker-config-scripts/nova_wait_for_placement_service.py"
-          nova_compute:
-            start_order: 3
-            image: *nova_compute_image
-            ulimit: {get_param: DockerNovaComputeUlimit}
-            ipc: host
-            net: host
-            privileged: true
-            user: nova
-            restart: always
-            healthcheck:
-              test:
-                list_join:
-                  - ' '
-                  - - '/openstack/healthcheck'
-                    - yaql:
-                        expression: str($.data.port)
-                        data:
-                          port: {get_attr: [NovaComputeBase, role_data, config_settings, 'nova::rabbit_port']}
-            volumes:
-              list_concat:
-                - {get_attr: [ContainersCommon, volumes]}
-                - {get_attr: [NovaLogging, volumes]}
-                - {get_param: NovaComputeOptVolumes}
-                -
-                  - /var/lib/kolla/config_files/nova_compute.json:/var/lib/kolla/config_files/config.json:ro
-                  - /var/lib/config-data/puppet-generated/nova_libvirt/:/var/lib/kolla/config_files/src:ro
-                  - /etc/iscsi:/var/lib/kolla/config_files/src-iscsid:ro
-                  - /etc/ceph:/var/lib/kolla/config_files/src-ceph:ro
-                  - /dev:/dev
-                  - /lib/modules:/lib/modules:ro
-                  - /run:/run
-                  - /var/lib/iscsi:/var/lib/iscsi:z
-                  - /var/lib/nova:/var/lib/nova:shared,z
-                  - /var/lib/libvirt:/var/lib/libvirt:shared,z
-                  - /sys/class/net:/sys/class/net
-                  - /sys/bus/pci:/sys/bus/pci
-            environment:
-              list_concat:
-                - {get_param: NovaComputeOptEnvVars}
-                -
-                  - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
-        step_5:
-          nova_cellv2_discover_hosts:
-            start_order: 0
-            image: *nova_compute_image
-            net: host
-            detach: false
-            volumes:
-              list_concat:
-                - {get_attr: [ContainersCommon, volumes]}
-                -
-                  - /var/lib/config-data/nova_libvirt/etc/my.cnf.d/:/etc/my.cnf.d/:ro
-                  - /var/lib/config-data/nova_libvirt/etc/nova/:/etc/nova/:ro
-                  - /var/log/containers/nova:/var/log/nova
-                  - /var/lib/docker-config-scripts/:/docker-config-scripts/
-            user: root
-            command: "/docker-config-scripts/pyshim.sh /docker-config-scripts/nova_cell_v2_discover_host.py"
-      host_prep_tasks:
-        list_concat:
-        - {get_attr: [NovaLogging, host_prep_tasks]}
-        - {get_attr: [NovaComputeBase, role_data, host_prep_tasks]}
-        - - name: create persistent directories
-            file:
-              path: "{{ item.path }}"
-              state: directory
-              setype: "{{ item.setype }}"
-            with_items:
-              - { 'path': /var/lib/nova, 'setype': svirt_sandbox_file_t }
-              - { 'path': /var/lib/nova/instances, 'setype': svirt_sandbox_file_t }
-              - { 'path': /var/lib/libvirt, 'setype': svirt_sandbox_file_t }
-          - name: ensure ceph configurations exist
-            file:
-              path: /etc/ceph
-              state: directory
-          - name: is Instance HA enabled
-            set_fact:
-              instance_ha_enabled: {get_param: EnableInstanceHA}
-          - name: enable virt_sandbox_use_netlink for healthcheck
-            seboolean:
-              name: virt_sandbox_use_netlink
-              persistent: yes
-              state: yes
-          - name: install Instance HA recovery script
-            when: instance_ha_enabled|bool
-            block:
-            - name: prepare Instance HA script directory
-              file:
-                path: /var/lib/nova/instanceha
-                state: directory
-            - name: install Instance HA script that runs nova-compute
-              copy:
-                content: {get_file: ../../extraconfig/tasks/instanceha/check-run-nova-compute}
-                dest: /var/lib/nova/instanceha/check-run-nova-compute
-                mode: 0755
-            - name: Get list of instance HA compute nodes
-              command: hiera -c /etc/puppet/hiera.yaml compute_instanceha_short_node_names
-              register: iha_nodes
-            - name: If instance HA is enabled on the node activate the evacuation completed check
-              file: path=/var/lib/nova/instanceha/enabled state=touch
-              when: iha_nodes.stdout|lower | search('"'+ansible_hostname|lower+'"')
-      upgrade_tasks:
-        - name: Remove openstack-nova-compute and python-nova package during upgrade
-          package:
-            name:
-              - openstack-nova-compute
-              - python-nova
-            state: removed
-          ignore_errors: True
-          when: step|int == 2
-      update_tasks:
-        - name: Remove openstack-nova-compute and python-nova package during upgrade
-          package:
-            name:
-              - openstack-nova-compute
-              - python-nova
-            state: removed
-          ignore_errors: True
-          when: step|int == 2
-      post_upgrade_tasks:
-        - when: step|int == 1
-          import_role:
-            name: tripleo-docker-rm
-          vars:
-            containers_to_rm:
-              - nova_compute
-      fast_forward_upgrade_tasks:
-        - when:
-            - step|int == 0
-            - release == 'ocata'
-          block:
-            - name: Check if nova-compute is deployed
-              command:  systemctl is-enabled --quiet openstack-nova-compute
-              ignore_errors: True
-              register: nova_compute_enabled_result
-            - name: Set fact nova_compute_enabled
-              set_fact:
-                nova_compute_enabled: "{{ nova_compute_enabled_result.rc == 0 }}"
-        - when:
-            - step|int == 1
-            - release == 'ocata'
-          block:
-            - name: Stop and disable nova-compute service
-              service: name=openstack-nova-compute state=stopped
-              when:
-                - nova_compute_enabled|bool
-            - name: Set upgrade marker in nova statedir
-              file: path=/var/lib/nova/upgrade_marker state=touch owner=nova group=nova
-              when:
-                - nova_compute_enabled|bool
diff --git a/environments/baremetal-services.yaml b/environments/baremetal-services.yaml
index 5e73f042bb..42f130b12f 100644
--- a/environments/baremetal-services.yaml
+++ b/environments/baremetal-services.yaml
@@ -38,10 +38,10 @@ resource_registry:
   OS::TripleO::Services::NeutronOvsAgent: ../deployment/neutron/neutron-ovs-agent-container-puppet.yaml
   OS::TripleO::Services::NeutronServer: ../deployment/neutron/neutron-api-container-puppet.yaml
   OS::TripleO::Services::NovaApi: ../puppet/services/nova-api.yaml
-  OS::TripleO::Services::NovaCompute: ../puppet/services/nova-compute.yaml
+  OS::TripleO::Services::NovaCompute: ../deployment/nova/nova-compute-container-puppet.yaml
   OS::TripleO::Services::NovaConductor: ../puppet/services/nova-conductor.yaml
   OS::TripleO::Services::NovaConsoleauth: ../deployment/nova/nova-consoleauth.yaml
-  OS::TripleO::Services::NovaLibvirt: ../puppet/services/nova-libvirt.yaml
+  OS::TripleO::Services::NovaLibvirt: ../deployment/nova/nova-libvirt-container-puppet.yaml
   OS::TripleO::Services::NovaMetadata: ../deployment/nova/nova-metadata-container-puppet.yaml
   OS::TripleO::Services::NovaMigrationTarget: ../deployment/nova/nova-migration-target-container-puppet.yaml
   OS::TripleO::Services::NovaPlacement: ../puppet/services/nova-placement.yaml
diff --git a/environments/computealt.yaml b/environments/computealt.yaml
index bb84ea087b..8f2978f939 100644
--- a/environments/computealt.yaml
+++ b/environments/computealt.yaml
@@ -8,8 +8,8 @@ resource_registry:
   # If enabling fluentd you'll need provide the following in a specific resource_registry
   # OS::TripleO::Services::FluentdAlt: ../puppet/services/logging/fluentd.yaml
   OS::TripleO::Services::IscsidAlt: ../deployment/iscsid/iscsid-container-puppet.yaml
-  OS::TripleO::Services::NovaComputeAlt: ../puppet/services/nova-compute.yaml
-  OS::TripleO::Services::NovaLibvirtAlt: ../puppet/services/nova-libvirt.yaml
+  OS::TripleO::Services::NovaComputeAlt: ../deployment/nova/nova-compute-container-puppet.yaml
+  OS::TripleO::Services::NovaLibvirtAlt: ../deployment/nova/nova-libvirt-container-puppet.yaml
   OS::TripleO::Services::NovaMigrationTargetAlt: ../deployment/nova/nova-migration-target-container-puppet.yaml
   OS::TripleO::Services::SensuClientAlt: OS::Heat::None
   # If enabling monitoring you'll need provide the following in a specific resource_registry
diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml
index f8e91b4d31..48c043cbac 100644
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@@ -192,11 +192,11 @@ resource_registry:
   OS::TripleO::Services::Sshd: deployment/sshd/sshd-baremetal-puppet.yaml
   OS::TripleO::Services::Redis: docker/services/database/redis.yaml
   OS::TripleO::Services::NovaApi: docker/services/nova-api.yaml
-  OS::TripleO::Services::NovaCompute: docker/services/nova-compute.yaml
+  OS::TripleO::Services::NovaCompute: deployment/nova/nova-compute-container-puppet.yaml
   OS::TripleO::Services::NovaConductor: docker/services/nova-conductor.yaml
   OS::TripleO::Services::NovaConsoleauth: deployment/nova/nova-consoleauth-container-puppet.yaml
-  OS::TripleO::Services::NovaLibvirt: docker/services/nova-libvirt.yaml
-  OS::TripleO::Services::NovaLibvirtGuests: puppet/services/nova-libvirt-guests.yaml
+  OS::TripleO::Services::NovaLibvirt: deployment/nova/nova-libvirt-container-puppet.yaml
+  OS::TripleO::Services::NovaLibvirtGuests: deployment/nova/nova-libvirt-guests-container-puppet.yaml
   OS::TripleO::Services::NovaMetadata: deployment/nova/nova-metadata-container-puppet.yaml
   OS::TripleO::Services::NovaMigrationTarget: deployment/nova/nova-migration-target-container-puppet.yaml
   OS::TripleO::Services::NovaPlacement: docker/services/nova-placement.yaml
diff --git a/puppet/services/nova-metadata.yaml b/puppet/services/nova-metadata.yaml
deleted file mode 100644
index 8676eff023..0000000000
--- a/puppet/services/nova-metadata.yaml
+++ /dev/null
@@ -1,161 +0,0 @@
-heat_template_version: rocky
-
-description: >
-  OpenStack Nova Metadata API service configured with Puppet
-
-parameters:
-  ServiceData:
-    default: {}
-    description: Dictionary packing service data
-    type: json
-  ServiceNetMap:
-    default: {}
-    description: Mapping of service_name -> network name. Typically set
-                 via parameter_defaults in the resource registry.  This
-                 mapping overrides those in ServiceNetMapDefaults.
-    type: json
-  DefaultPasswords:
-    default: {}
-    type: json
-  RoleName:
-    default: ''
-    description: Role name on which the service is applied
-    type: string
-  RoleParameters:
-    default: {}
-    description: Parameters specific to the role
-    type: json
-  EndpointMap:
-    default: {}
-    description: Mapping of service endpoint -> protocol. Typically set
-                 via parameter_defaults in the resource registry.
-    type: json
-  NovaWorkers:
-    default: 0
-    description: Number of workers for Nova services.
-    type: number
-  NovaPassword:
-    description: The password for the nova service and db account
-    type: string
-    hidden: true
-  KeystoneRegion:
-    type: string
-    default: 'regionOne'
-    description: Keystone region for endpoint
-  NeutronMetadataProxySharedSecret:
-    description: Shared secret to prevent spoofing
-    type: string
-    hidden: true
-  MonitoringSubscriptionNovaMetadata:
-    default: 'overcloud-nova-metadata'
-    type: string
-  NovaMetadataLoggingSource:
-    type: json
-    default:
-      tag: openstack.nova.metadata
-      path: /var/log/httpd/nova_metadata_wsgi_error_ssl.log
-  EnableInternalTLS:
-    type: boolean
-    default: false
-
-conditions:
-  nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]}
-  is_neutron_shared_metadata_notempty: {not: {equals: [{get_param: NeutronMetadataProxySharedSecret}, '']}}
-
-resources:
-  ApacheServiceBase:
-    type: ./apache.yaml
-    properties:
-      ServiceData: {get_param: ServiceData}
-      ServiceNetMap: {get_param: ServiceNetMap}
-      DefaultPasswords: {get_param: DefaultPasswords}
-      EndpointMap: {get_param: EndpointMap}
-      RoleName: {get_param: RoleName}
-      RoleParameters: {get_param: RoleParameters}
-      EnableInternalTLS: {get_param: EnableInternalTLS}
-
-  NovaBase:
-    type: ./nova-base.yaml
-    properties:
-      ServiceData: {get_param: ServiceData}
-      ServiceNetMap: {get_param: ServiceNetMap}
-      DefaultPasswords: {get_param: DefaultPasswords}
-      EndpointMap: {get_param: EndpointMap}
-      RoleName: {get_param: RoleName}
-      RoleParameters: {get_param: RoleParameters}
-
-outputs:
-  role_data:
-    description: Role data for the Nova Metadata service.
-    value:
-      service_name: nova_metadata
-      monitoring_subscription: {get_param: MonitoringSubscriptionNovaMetadata}
-      config_settings:
-        map_merge:
-        - get_attr: [NovaBase, role_data, config_settings]
-        - get_attr: [ApacheServiceBase, role_data, config_settings]
-        - tripleo::nova_placement::firewall_rules:
-            '139 nova_metadata':
-              dport:
-                - 8775
-                - 13775
-          nova::keystone::authtoken::project_name: 'service'
-          nova::keystone::authtoken::password: {get_param: NovaPassword}
-          nova::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
-          nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
-          nova::metadata::enable_proxy_headers_parsing: true
-          nova_metadata_wsgi_enabled: true
-          nova::wsgi::apache_metadata::api_port: '8775'
-          nova::wsgi::apache_metadata::ssl: {get_param: EnableInternalTLS}
-          # NOTE: bind IP is found in Heat replacing the network name with the local node IP
-          # for the given network; replacement examples (eg. for internal_api):
-          # internal_api -> IP
-          # internal_api_uri -> [IP]
-          # internal_api_subnet - > IP/CIDR
-          nova::wsgi::apache_metadata::bind_host:
-            str_replace:
-              template:
-                "%{hiera('$NETWORK')}"
-              params:
-                $NETWORK: {get_param: [ServiceNetMap, NovaMetadataNetwork]}
-          nova::wsgi::apache_metadata::servername:
-            str_replace:
-              template:
-                "%{hiera('fqdn_$NETWORK')}"
-              params:
-                $NETWORK: {get_param: [ServiceNetMap, NovaMetadataNetwork]}
-        -
-          if:
-          - nova_workers_zero
-          - {}
-          - nova::wsgi::apache_metadata::workers: {get_param: NovaWorkers}
-        -
-          if:
-          - is_neutron_shared_metadata_notempty
-          - nova::metadata::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret}
-          - {}
-      step_config: |
-        include tripleo::profile::base::nova::metadata
-      service_config_settings:
-        fluentd:
-          tripleo_fluentd_groups_nova_metadata:
-            - nova
-          tripleo_fluentd_sources_nova_metadata:
-            - {get_param: NovaMetadataLoggingSource}
-        keystone:
-          nova::keystone::auth::tenant: 'service'
-          nova::keystone::auth::public_url: {get_param: [EndpointMap, NovaPublic, uri]}
-          nova::keystone::auth::internal_url: {get_param: [EndpointMap, NovaInternal, uri]}
-          nova::keystone::auth::admin_url: {get_param: [EndpointMap, NovaAdmin, uri]}
-          nova::keystone::auth::password: {get_param: NovaPassword}
-          nova::keystone::auth::region: {get_param: KeystoneRegion}
-        mysql:
-          map_merge:
-          - {get_attr: [NovaBase, role_data, service_config_settings, mysql]}
-          - nova::db::mysql_api::password: {get_param: NovaPassword}
-            nova::db::mysql_api::user: nova_api
-            nova::db::mysql_api::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
-            nova::db::mysql_api::dbname: nova_api
-            nova::db::mysql_api::allowed_hosts:
-              - '%'
-              - "%{hiera('mysql_bind_host')}"
diff --git a/sample-env-generator/storage.yaml b/sample-env-generator/storage.yaml
index 9f91671e7f..482c5b96b7 100644
--- a/sample-env-generator/storage.yaml
+++ b/sample-env-generator/storage.yaml
@@ -45,7 +45,7 @@ environments:
     name: storage/nova-nfs
     title: Enable Nova NFS Backend
     files:
-      puppet/services/nova-compute.yaml:
+      deployment/nova/nova-compute-container-puppet.yaml:
         parameters:
           - NovaNfsEnabled
           - NovaNfsShare