diff --git a/.gitignore b/.gitignore index d77203170ab..3db1674f860 100644 --- a/.gitignore +++ b/.gitignore @@ -45,10 +45,13 @@ deps/awsapi-lib/ git-remote-https.exe.stackdump *.swp tools/devcloud/devcloudbox/.vagrant -deps/*.jar -deps/*.war -deps/*.mar *.jar +*.war +*.mar +*.zip +*.iso +*.tar.gz +*.tgz awsapi/modules/* !.gitignore .classpath diff --git a/awsapi/docs/AmazonEC2/EC2-API-tool-setup.txt b/awsapi/docs/AmazonEC2/EC2-API-tool-setup.txt deleted file mode 100644 index d75fcee61c1..00000000000 --- a/awsapi/docs/AmazonEC2/EC2-API-tool-setup.txt +++ /dev/null 
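Review bot: Replacing the `deps/`-scoped `deps/*.jar`, `deps/*.war` and `deps/*.mar` entries with tree-wide `*.war`, `*.mar`, `*.zip`, `*.iso`, `*.tar.gz` and `*.tgz` ignores every such archive anywhere in the repository, not just build inputs under deps/, so a test fixture or sample bundle added later would silently stop being tracked. If the aim is only to keep fetched dependencies and build products out, the patterns should stay prefixed (`deps/*.zip`, `deps/*.iso`, …), or a negation such as `!path/to/fixture.zip` (the same mechanism the context line `!.gitignore` already uses) should accompany any archive that must be versioned.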
@@ -1,68 +0,0 @@ -Licensed to the Apache Software Foundation (ASF) under one -or more contributor license agreements. See the NOTICE file -distributed with this work for additional information -regarding copyright ownership. The ASF licenses this file -to you under the Apache License, Version 2.0 (the -"License"); you may not use this file except in compliance -with the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, -software distributed under the License is distributed on an -"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -KIND, either express or implied. See the License for the -specific language governing permissions and limitations -under the License. - ------------------------------------------------------------ - - -1. Get the EC2 API tool -http://s3.amazonaws.com/ec2-downloads/ec2-api-tools-1.3-62308.zip. Install it by unzipping it - -2. Prepare a API request certificate, if you have Amazon account, Amazon has the service to let you generate and download a X509 certificate and its associated private key - -3. Prepare EC2 command running environment - -Set following environment variables and make them point to the right location. - -EC2_ACCESS_KEY= -EC2_SECRET_KEY= -EC2_HOME: -EC2_CERT: -EC2_PRIVATE_KEY: -EC2_URL: http:///bridge/AmazonEC2 - -4. Generate CloudStack API key -Login to CloudStack management console, you can generate an API key and its secret key pair there. - -5. Inform CloudBridge about the API/security key pair to use - -http:///bridge/rest/AmazonEC2?Action=SetUserKeys&accesskey=&secretkey= - -6. Upload certificate and associate it with the API key -There is not a convenient tool to do that, this has to be done in manual step. following HTML form can be used to submit the certificate, be sure to replace the content -matching with your setup though. -to ec2-service.properties - - - -Save the cert into Cloud's EC2 Service: -

-

- - - - - - - - - -

- -

- - - diff --git a/awsapi/docs/AmazonEC2/EC2-implementation-guide.html b/awsapi/docs/AmazonEC2/EC2-implementation-guide.html deleted file mode 100644 index 737c669dcbd..00000000000 --- a/awsapi/docs/AmazonEC2/EC2-implementation-guide.html +++ /dev/null @@ -1,164 +0,0 @@ - - - -Cloud.com's EC2 API Implementation Guide - - -

Cloud.com's EC2 API Implementation Guide

-3/24/2011 -

Table of Contents

- -

-

1. Configuration Parameters

-Several configuration parameters are required to make Cloud.com's EC2 service work properly. -The following parameters are defined in the file:
<install directory>"/apache-tomcat-6.0.18/conf/ec2-service.properties": -
-managementServer=192.168.154.36
-cloudAPIPort=8080
-WSDLVersion=2010-08-31
-keystore=xes.keystore
-keystorePass=apache
-dbName=cloudsbridge
-dbUser=root
-dbPassword=
-pollInterval1=100
-pollInterval2=100
-pollInterval3=100
-pollInterval4=1000
-pollInterval5=100
-pollInterval6=100
-
-managementServer - FQDN or IP address of a Cloud.com management server. This is the address that -the EC2 service makes Cloud.com REST API calls against.
-cloudAPIPort - The TCP port that the CloudStack, User API is running on. If this property is not defined, -then no port is used by the EC2 service when it queries the CloudStack.
-WSDLVersion - The string that defines the WSDL used by the SOAP API which the REST API also implements. -This string is compared to the "Version=" parameter on each and every authorized REST request.
-keystore - The file name of the keystore used by EC2 which must be placed at the directory: -"../apache-tomcat-6.0.18/webapps/bridge/WEB-INF/classes"
-keystorePass - The password to the EC2 keystore specified by the "keystore" parameter.
-dbName - The MySql database name holding the EC2 service's required tables.
-dbUser= - The user name used to access the "dbName" MySql database.
-dbPassword - The password (if any) the "dbUser" needs to access the EC2 MySql database.
-pollInterval1 - Time in milliseconds between asynchronous job completion polling for the following Cloud.com -API call: createTemplate. Default value is 100.
-pollInterval2 - Time in milliseconds between asynchronous job completion polling for the following Cloud.com -API call: deployVirtualMachine. Default value is 100.
-pollInterval3 - Time in milliseconds between asynchronous job completion polling for the following Cloud.com -API call: createVolume. Default value is 100.
-pollInterval4 - Time in milliseconds between asynchronous job completion polling for the following Cloud.com -API call: createSnapshot. Default value is 1000.
-pollInterval5 - Time in milliseconds between asynchronous job completion polling for the following Cloud.com -API calls: deleteSnapshot, deleteTemplate, deleteVolume, attachVolume, detachVolume, disassociateIpAddress, enableStaticNat, disableStaticNat. Default value is 100.
-pollInterval6 - Time in milliseconds between asynchronous job completion polling for the following Cloud.com -API calls: startVirtualMachine, destroyVirtualMachine, stopVirtualMachine. Default value is 100.
-

-
-The following REST calls are used to configure a mapping between Amazon's instance types and CloudStack service offerings: -

-http://<fqdn-or-ip>:<port>/bridge/rest/AmazonEC2?Action=SetOfferMapping&amazonoffer=m1.large&cloudoffer=1
-

-The 'amazonoffer' parameter defines the standard Amazon instance types while the 'cloudoffer' parameter defines its associated -CloudStack service offering identifer. The result of this REST call is to save the defined relationship. A second call with the -same value for amazonoffer but with a different cloudoffer value will overwrite a previously saved setting. -
-SetOfferMapping is an authenticated REST call using the same authentication scheme as all other EC2 REST calls. This means that the following standard EC2 REST paramters must also be part of the request: Signature, SignatureMethod, Version, SignatureVersion, and Expires. -A HTTP 200 result code is returned on success and a 404 on failure. -

-http://<fqdn-or-ip>:<port>/bridge/rest/AmazonEC2?Action=DeleteOfferMapping&amazonoffer=m1.large
-

-The result of this REST call is to delete any relationship previously defined by a call to the SetOfferMapping call for the -value passed in the 'amazonoffer' parameter.
-DeleteOfferMapping is an authenticated REST call using the same authentication scheme as all other EC2 REST calls. This means that the following standard EC2 REST paramters must also be part of the request: Signature, SignatureMethod, Version, SignatureVersion, and Expires. -A HTTP 200 result code is returned on success and a 404 on failure. -

-Examples of other Amazon instance types are: -{ "m1.small", "m1.large", "m1.xlarge", "c1.medium", "c1.xlarge", "m2.xlarge", "m2.2xlarge", "m2.4xlarge" }.
-Service offering IDs can be obtained from the following Cloud.com API calls: listServiceOfferings. -Cloud.com's service offerings are configurable and thus can be different per installation, and they -can also be viewed from the Cloud.com's Admin UI. -

-

2. Required 3rd Party Software

-Cloud.com's EC2 service has been built and tested on the following set of 3rd party software: -
-MySql
-apache-tomcat 6.0.18
-axis2 1.5.1
-rampart 1.5 (installed into axis2 for WS-Security)
-used for testing: ec2-api-tools-1.3-53907
-
-

-

3. Maintenance

-As a result of the SetCertificate REST call [1], X509 Certificates used for SOAP authentication are -stored in the following keystore: -
-<install directory>/apache-tomcat-6.0.18/webapps/bridge/WEB-INF/classes/xes.keystore
-
-The keytool [2] command line tool can be used to delete certificates no longer in use. -

-As a result of the SetUserKeys REST call [1], entries are inserted into -the "usercredentials" table of the "cloudbridge" MySql database. -The MySql command line client can be used to delete usercredentials entries no longer in use. -

-

4. Installation Instructions

-

-On the very first install an EC2/S3 MySql database is created by running the following -scripts in the given order: cloudsbridge_db.sql, cloudsbridge_schema.sql, cloudbridge_index.sql -

-After a successful installation the following directory and file structure should exist: -

-<install directory>
-   apache-tomcat-6.0.18
-      conf
-        ec2-service.properties  (EC2 service's configuration parameters)
-        server.xml		
-      lib
-        <many axis2 jar files>	  
-      webapps
-        bridge
-          WEB-INF
-            classes
-               crypto.properties
-               xes.keystore  (holds X509 certificates for SOAP authentication)
-            modules
-               cloud-auth-ec2.mar
-               rampart-1.5.mar 
-               rahas-1.5.mar   
-               addressing-1.5.1.mar
-            services
-               cloud-ec2.aar  (the Axis2 EC2 service)
-
-The "../modules/cloud-auth-ec2.mar" module performs a mapping from an X509 certificate appearing in a SOAP -request (since its signed via WS-Security) to a matching user's Cloud.com API access and secret keys. This association -is first created via the SetUserKeys and SetCertificate REST calls [1]. -

-

5. References

-
    -
  1. Cloud.com's EC2 API User's Guide, 7/15/2010
  2. -
  3. keytool - Key and Certificate Management Tool
  4. -
- - diff --git a/awsapi/docs/AmazonEC2/EC2-local-deploy-using-ant.html b/awsapi/docs/AmazonEC2/EC2-local-deploy-using-ant.html deleted file mode 100644 index 07ba3aa4222..00000000000 --- a/awsapi/docs/AmazonEC2/EC2-local-deploy-using-ant.html +++ /dev/null @@ -1,92 +0,0 @@ - - - -Cloud.com's EC2 local deployment Guide - - -

Cloud.com's EC2 local deployment Guide

-8/30/2010 -8/25/2011 (updated) -

Table of Contents

- -

-

1. Required 3rd Party Software

-1) Following software has to be installed in order to deploy and run cloud-bridge tool: -
-apache-tomcat-6.0.32
-axis2 1.5.1 (http://apache.imghat.com//ws/axis2/1_5/axis2-1.5-bin.zip)
-ant
-java
-mysql
-
-2) Set following environment variables: -
-ANT_HOME
-CATALINA_HOME
-export ANT_HOME
-export JAVA_HOME
-
-3) Go to CATALINA_HOME directory and excute “mkdir temp” (this directory is used for storing temporary axis files) -

-

2. Clone repository

-Clone cloud-bridge repository: -
-git clone git@github.com:alena11081/cloud-bridge.git
-
-

-

3. Build, deploy and run cloud-bridge with ant

-Deployment procedure using ant (build.xml and build-cloud-bridge.xml are config files), execute from cloned cloud-bridge directory:. -
- 
-* ant clean - removes dist directory
-* ant clean-tomcat - cleans up $CATALINA_HOME/webapps/bridge directory
-* ant build-cloud-bridge compiles and places the resulting jars into cloud-bridge/dist:
-
-ls dist/
-cloud-auth-ec2.mar  cloud-auth-s3.mar  cloud-bridge.jar  cloud-ec2.aar  cloud-s3.aar
-
-
-* deploy-axis - copies and unwars cloud-bridge/lib/axis2-webapp-1.5.1.war to $CATALINA_HOME/webapps/bridge directory
-
-ant deploy-cloud-bridge copies files to $CATALINA_HOME/webapps/bridge tomcat directory:
-
-
-- copy cloud-bridge/dist/cloud-ec2.aar and  cloud-s3.aar to $CATALINA_HOME/webapps/bridge/WEB-INF/services
-- copy cloud-bridge/dist/cloud-auth-ec2.mar and cloud-auth-s3.mar to $CATALINA_HOME/webapps/bridge/WEB-INF/modules
-- copy all .mar files from cloud-bridge/modules to $CATALINA_HOME/webapps/bridge/WEB-INF/modules
-- copy cloud-bridge/dist/cloud-bridge.jar to $CATALINA_HOME/webapps/bridge/WEB-INF/lib
-- copy all .jar files from cloud-bridge/lib directory to $CATALINA_HOME/webapps/bridge/WEB-INF/lib
-- copy all .jar files from cloud-bridge/rampartlib directory to $CATALINA_HOME/webapps/bridge/WEB-INF/lib 
-- copy all files from cloud-bridge/conf directory to $CATALINA_HOME/webapps/bridge/WEB-INF/conf
-- copy cloud-bridge/resource/Axis2/axis2.xml to $CATALINA_HOME/webapps/bridge/WEB-INF/conf
-- copy cloud-bridge/web/web.xml to $CATALINA_HOME/webapps/bridge/WEB-INF
-- copy cloud-bridge/resource/AmazonEC2/crypto.properties and xes.keystore to $CATALINA_HOME/webapps/bridge/WEB-INF/classes/
-- remove $CATALINA_HOME/webapps/bridge/WEB-INF/lib/dom4j-1.6.1.jar
-
-
-ant deploydb - execute cloud-bridge/db/mysql/deploy-db-bridge.sh (for Unix). If it's a windows deployment, execute db/mysql/init_db.bat script
-5) Configure ec2-service.properties (see parameters descriptions in resource/AmazonEC2/docs/EC2-implementation-guide.html).
-6) To run application execute "./catalina.sh run" from $CATALINA_HOME/bin directory.
-
-
diff --git a/awsapi/docs/AmazonEC2/EC2-users-guide.html b/awsapi/docs/AmazonEC2/EC2-users-guide.html
deleted file mode 100644
index a51923cc89d..00000000000
--- a/awsapi/docs/AmazonEC2/EC2-users-guide.html
+++ /dev/null
@@ -1,275 +0,0 @@
-
-
-
-Cloud.com's EC2 API User's Guide
-
-
-

Cloud.com's EC2 API User's Guide

-4/17/2010 -

Table of Contents

- -


-

Part 1. Cloud.com's Specific Implementation Details

-

1. User Registration

-To access Cloud.com's EC2 service via REST follow the instructions in Section 1.1. -To access Cloud.com's EC2 service via SOAP follow instructions in both Section 1.1 and 1.2 below. -

-

1.1 Setting Cloud.com API Keys

-The EC2 service needs to be given the user's Cloud.com API access and secret keys [2] so that it -can make Cloud.com API calls on the user's behalf. This is done by the following REST command. - -
-http://<fqdn-or-ip>:<port>/bridge/rest/AmazonEC2?Action=SetUserKeys&accesskey=<key>&secretkey=<key>
-
-SetUserKeys is an unauthorized REST call.
-A HTTP 200 result code is returned on success and a 401 on failure. -

-

1.2 Setting a User's X509 Certificate

-EC2 uses WS-Security [4] for authentication on SOAP access. WS-Security signs the entire SOAP request -using a public/private key pair. The user of Cloud.com's EC2 service must -generate a public/private key pair with the public key defined in an X509 -certificate. The private key is used by a SOAP client in generating -the WS-Security signature of a SOAP request. The matching public key is stored on -a server and is used to verify the signature on each request. -

-The following REST command must be used by a Cloud.com's EC2 service user to -load their certificate into the service. No access via the SOAP API is -possible until this step is performed. Also for this REST command to be -successful the instructions in Section 1.1 must be performed first. - -

-http://<fqdn-or-ip>:<port>/bridge/rest/AmazonEC2?Action=SetCertificate&AWSAccessKeyId=<Cloud.com API AccessKey>&cert=<pem encoded cert>
-
-SetCertificate is an authenticated REST call using the same authentication scheme as all other EC2 REST calls. -This means that the following standard EC2 REST paramters must also be part of the request: Signature, SignatureMethod, Version, -SignatureVersion, and Expires [3].
-A HTTP 200 result code is returned on success and a 404 on failure. -

-An example of a PEM encoded X509 Certificate is [5]: -

------BEGIN CERTIFICATE-----
-MIICdzCCAeCgAwIBAgIGAPCRHu3UMA0GCSqGSIb3DQEBBQUAMFMxCzAJBgNVBAYT
-AlVTMRMwEQYDVQQKEwpBbWF6b24uY29tMQwwCgYDVQQLEwNBV1MxITAfBgNVBAMT
-GEFXUyBMaW1pdGVkLUFzc3VyYW5jZSBDQTAeFw0xMDA2MjMxODE4MTZaFw0xMTA2
-MjMxODE4MTZaMFIxCzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpBbWF6b24uY29tMRcw
-FQYDVQQLEw5BV1MtRGV2ZWxvcGVyczEVMBMGA1UEAxMMZWZieDQ0eXF1d3E2MIGf
-MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCw+RO1QV7t5EbluyAAD11SoZ4ats5t
-DBSta/QB3G9T0y3p2gURrYMDYVJ1BZmyel/DuMANx6UG6Vw+0o0SXOS3mH8Yu/lO
-OOH9WxWiXulGMIrpPCiUpnWMrWhIlHu8mqLLhBx+5k4I92plMfH97BySunbv9zaf
-ZRKXX3cXIYbUMwIDAQABo1cwVTAOBgNVHQ8BAf8EBAMCBaAwFgYDVR0lAQH/BAww
-CgYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUCzKwCQvocPYFki/9
-NORZFTsjcZ8wDQYJKoZIhvcNAQEFBQADgYEAXmIe6+XsNHYIiLGQO6dh8nvHHzDw
-3sltNa7z6BSdNr7WDxpJg9oFUcddQVca1LZsjsqx6dIc1WxQUjPE9oOfSYqQZuMD
-/GOpWyXMb/oJ2MLI1Vp1ABKhHoHUJmPOrIou4UbCifMeD7MFZkezkKDqqH3jQMjA
-4YDNkSWLnJ9xba8=
------END CERTIFICATE-----
-
-

-To remove a previously loaded certificate the user can simply execute -the following REST command. -

-http://<fqdn-or-ip>:<port>/bridge/rest/AmazonEC2?Action=DeleteCertificate&AWSAccessKeyId=<Cloud.com API AccessKey>
-where the same value for the 'AWSAccessKeyId' parameter as was used in a previous call to SetCertificate.
-
-DeleteCertificate is an authenticated REST call using the same authentication scheme (and having all the same -required parameters) as all other EC2 REST calls.
-A HTTP 200 result code is returned on success and a 404 on failure. -

-

2. Endpoints

-For SOAP access the endpoint is: -
http://<fqdn-or-ip>:<port>/bridge/services/AmazonEC2
-For REST access the endpoint is: -
http://<fqdn-or-ip>:<port>/bridge/rest/AmazonEC2
-

- -

3. Differences between Amazon's and Cloud.com's EC2 Implementations

-EC2's RegisterImage Function -

-This function maps to the Cloud.com's API "registerTemplate" function [2]. However the registerTemplate function -requires the following additional parameters that are not present in the RegisterImage function: -

-format - the format for the template. Possible values include QCOW2, RAW, and VHD.
-osTypeId - the ID of the OS Type that best represents the OS of this template.
-zoneId - the ID of the zone the template is to be hosted on.
-
-These parameters must be provided for a successful registerTemplate call and thus a RegsiterImage call. -To accomidate these values we have redefined the "architecture" parameter defined for RegisterImage. -The Amazon defined valid values are: "i386 | x86_64" and it is of type xsd:string. Neither of these -defined values has any meaning in the context of the Cloud.com API. - -The new definition of the architecture field is a three part value of the form: -"<format>:<zoneName>:<osTypeName>", where ":" is the field delimitor. A valid example -would be: "VHD:ZONE1:Centos 4.5". Cloud.com's EC2 code translates the "zoneName" value into a valid zoneId, -and the "osTypeName" value into a matching osTypeId. In addition, whereas the architecture field -is optional in Amazon's definition of RegisterImage, it is required in Cloud.com's modified version. -

-Another difference for the RegisterImage function concerns the use of the "imageLocation" parameter. -As defined by Amazon [3]: -

-imageLocation - a full path to your AMI manifest in Amazon S3 storage.
-
-As defined for Cloud.com's EC2 implementation: -
-imageLocation - is a URL of where the template is hosted. Possible URL include http:// and https://
-
-

-EC2's DescribeInstances Function -

-Only the following list of filters are currently supported: -

-availability-zone
-hypervisor
-image-id
-instance-id
-instance-type
-instance-state-code
-instance-state-name
-ip-address	
-owner-id
-root-device-name	
-
-

-EC2's DescribeVolumes Function -

-Only the following list of filters are currently supported: -

-attachment.attach-time
-attachment.device
-attachment.instance-id
-availability-zone
-create-time
-size
-snapshot-id
-status
-volume-id	
-
-

-EC2's DescribeSnapshots Function -

-Only the following list of filters are currently supported: -

-owner-alias
-owner-id (here its the CloudStack API key)
-snapshot-id
-start-time
-status
-volume-id
-volume-size
-
-

-

-EC2's DescribeSecurityGroups Function -

-Only the following list of filters are currently supported: -

-description
-group-id
-group-name
-ip-permission.cidr
-ip-permission.from-port
-ip-permission.to-port
-ip-permission.protocol
-owner-id
-
-

-

4. Miscellaneous

-The EC2 service provides a Cloud.com extension to obtain the release version of the EC2 software. - -
-http://<fqdn-or-ip>:<port>/bridge/rest/AmazonEC2?Action=CloudEC2Version
-
-CloudEC2Version is an unauthorized REST call.
-An example of a valid response from this function is: -
-<CloudEC2Version>1.01</CloudEC2Version>
-
-


-

Part 2. Generic EC2 Details

-

List of EC2 Functions Implemented

-Refer to the Amazon EC2 documentation [3] for a description of each function. -Also see Part1, section 3 above, for differences between Amazon's and Cloud.com's EC2 implementations. -
-AllocateAddress
-AssociateAddress
-AttachVolume 
-AuthorizeSecurityGroupIngress
-CreateImage 
-CreateSecurityGroup
-CreateSnapshot
-CreateVolume
-DeleteSecurityGroup
-DeleteSnapshot  
-DeleteVolume   
-DeregisterImage   
-DescribeAvailabilityZones  
-DescribeImageAttribute   
-DescribeImages   
-DescribeInstanceAttribute  
-DescribeInstances  
-DescribeSecurityGroups
-DescribeSnapshots   
-DescribeVolumes  
-DetachVolume
-DisassociateAddress  
-ModifyImageAttribute  
-RebootInstances   
-ReleaseAddress
-RegisterImage  
-RevokeSecurityGroupIngress
-ResetImageAttribute   
-RunInstances  
-StartInstances  
-StopInstances  
-TerminateInstances  
-
-

-

Supported WSDL Version

-http://ec2.amazonaws.com/doc/2010-08-31/
-Amazon EC2 Command Line Tool used for testing was version 1.3-57419. -

-
-

References

-
    -
  1. Public-key cryptograph
  2. -
  3. Cloud.com's Developer API
  4. -
  5. Amazon's EC2 API
  6. -
  7. WS-Security
  8. -
  9. X.509 Certificates
  10. -
- - diff --git a/awsapi/docs/AmazonEC2/wsdl2java-command-line.txt b/awsapi/docs/AmazonEC2/wsdl2java-command-line.txt deleted file mode 100644 index c1b68538e9d..00000000000 --- a/awsapi/docs/AmazonEC2/wsdl2java-command-line.txt +++ /dev/null @@ -1,21 +0,0 @@ -Licensed to the Apache Software Foundation (ASF) under one -or more contributor license agreements. See the NOTICE file -distributed with this work for additional information -regarding copyright ownership. The ASF licenses this file -to you under the Apache License, Version 2.0 (the -"License"); you may not use this file except in compliance -with the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, -software distributed under the License is distributed on an -"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -KIND, either express or implied. See the License for the -specific language governing permissions and limitations -under the License. - ------------------------------------------------------------ - -To generate the Java AXIS2 classes from the Amazon EC2 wsdl use the following command line: -C:\axis2-1.5.1\bin>wsdl2java.bat -ss -sd -ssi -g -p com.amazon.ec2 -ns2p "http://ec2.amazonaws.com/doc/2010-08-31/"=com.amazon.ec2 -uri ec2.wsdl diff --git a/awsapi/docs/AmazonS3/S3-users-guide.html b/awsapi/docs/AmazonS3/S3-users-guide.html deleted file mode 100644 index adadd8b97fd..00000000000 --- a/awsapi/docs/AmazonS3/S3-users-guide.html +++ /dev/null @@ -1,120 +0,0 @@ - - - -Cloud.com's S3 API User's Guide - - -

Cloud.com's S3 API User's Guide

-3/4/2011 -

Table of Contents

- -


-

Part 1. Cloud.com's Specific Implementation Details

-

User Registration

-The S3 service uses the user's Cloud.com API access and secret keys [1] to implement both -the REST and SOAP authentication algorithms. This is done by re-using an EC2 provided REST command. Once -this URL is invoked the user has registered for both the S3 service and the EC2 REST service. -
-http://<fqdn-or-ip>:<port>/bridge/rest/AmazonS3?Action=SetUserKeys&accesskey=<key>&secretkey=<key>
-
-SetUserKeys is an unauthorized REST call.
-A HTTP 200 result code is returned on success and a 401 on failure. -

-

-

Endpoints

-For SOAP access the endpoint is: -
http://<fqdn-or-ip>:<port>/bridge/services/AmazonS3
- -For the SOAP PutObject function with a DIME attachment [3]: -
http://<fqdn-or-ip>:<port>/bridge/dime/AmazonS3
- -For REST access the endpoint is: -
http://<fqdn-or-ip>:<port>/bridge/rest/AmazonS3
-

- -

Part 2. Generic S3 Details

-

List of S3 Functions Implemented

-Refer to the Amazon S3 documentation [2] for a description of each function. -Also see Part1, section 3 above, for a list of unsupported S3 features. -
-REST calls:
-GET Service
-DELETE Bucket
-GET Bucket
-GET Bucket acl
-GET Bucket versioning
-PUT Bucket
-PUT Bucket acl
-PUT Bucket versioning
-List Multipart Uploads
-DELETE Object
-GET Object
-GET Object acl
-HEAD Object
-POST Object
-PUT Object
-PUT Object (Copy)
-Initiate Multipart Upload
-Upload Part
-Complete Multipart Upload
-Abort Multipart Upload
-List Parts
-
-SOAP calls:
-ListAllMyBuckets
-CreateBucket
-DeleteBucket
-ListBucket
-GetBucketAccessControlPolicy
-SetBucketAccessControlPolicy
-PutObjectInline
-PutObject
-CopyObject
-GetObject
-GetObjectExtended
-DeleteObject
-GetObjectAccessControlPolicy
-SetObjectAccessControlPolicy
-
-

-

Supported WSDL Version

-http://s3.amazonaws.com/doc/2006-03-01/
-

-
-

References

-
    -
  1. Cloud.com's Developer API
  2. -
  3. Amazon's S3 API
  4. -
  5. DIME
  6. -
- - diff --git a/awsapi/docs/AmazonS3/notes.txt b/awsapi/docs/AmazonS3/notes.txt deleted file mode 100644 index e9a796880c9..00000000000 --- a/awsapi/docs/AmazonS3/notes.txt +++ /dev/null @@ -1,29 +0,0 @@ -Licensed to the Apache Software Foundation (ASF) under one -or more contributor license agreements. See the NOTICE file -distributed with this work for additional information -regarding copyright ownership. The ASF licenses this file -to you under the Apache License, Version 2.0 (the -"License"); you may not use this file except in compliance -with the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, -software distributed under the License is distributed on an -"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -KIND, either express or implied. See the License for the -specific language governing permissions and limitations -under the License. - ------------------------------------------------------------ - -Example of headers for a rest call of copyObject - -Authorization: AWS Mark:djdjdjdjdjdjdjdj\n -Host: Henry2.s3.amazonaws.com\n -x-amz-copy-source: /Henry1/test1\n -x-amz-metadata-directive: REPLACE\n -x-amz-meta-hight: 55 feet\n -x-amz-meta-width: 13 yards\n -x-amz-meta-weight: 4 tons\n -x-amz-acl: public-read\n diff --git a/awsapi/docs/AmazonS3/wsdl2java-command-line.txt b/awsapi/docs/AmazonS3/wsdl2java-command-line.txt deleted file mode 100644 index d22b8529502..00000000000 --- a/awsapi/docs/AmazonS3/wsdl2java-command-line.txt +++ /dev/null 
@@ -1,66 +0,0 @@ -Licensed to the Apache Software Foundation (ASF) under one -or more contributor license agreements. See the NOTICE file -distributed with this work for additional information -regarding copyright ownership. The ASF licenses this file -to you under the Apache License, Version 2.0 (the -"License"); you may not use this file except in compliance -with the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, -software distributed under the License is distributed on an -"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -KIND, either express or implied. See the License for the -specific language governing permissions and limitations -under the License. - ------------------------------------------------------------ - -To generate the Java AXIS2 classes from the Amazon EC2 wsdl use the following command line, assuming source definitions in the local directory: -$ wsdl2java.sh -ss -sd -ssi -g -p com.amazon.s3 -ns2p "http://s3.amazonaws.com/doc/2006-03-01/"=com.amazon.s3 -uri cloud-AmazonS3.wsdl - -This runs the wsdl2java code generation tool to produce stubs with asynchronous invocation methods, such as those useful for REST using the com.amazon.s3 package. 
- -This creates the following java source files in the src/com/amazon/s3 subdirectory … - -AccessControlList.java ListAllMyBucketsResponse.java -AccessControlPolicy.java ListAllMyBucketsResult.java -AmazonCustomerByEmail.java ListBucket.java -AmazonS3CallbackHandler.java ListBucketResponse.java -AmazonS3MessageReceiverInOut.java ListBucketResult.java -AmazonS3Skeleton.java ListEntry.java -AmazonS3SkeletonInterface.java ListVersionsResponse.java -AmazonS3Stub.java ListVersionsResult.java -BucketLoggingStatus.java ListVersionsResultChoice_type0.java -CanonicalUser.java LocationConstraint.java -CopyObject.java LoggingSettings.java -CopyObjectResponse.java MetadataDirective.java -CopyObjectResult.java MetadataEntry.java -CreateBucket.java MfaDeleteStatus.java -CreateBucketConfiguration.java NotificationConfiguration.java -CreateBucketResponse.java Payer.java -CreateBucketResult.java Permission.java -DeleteBucket.java PostResponse.java -DeleteBucketResponse.java PrefixEntry.java -DeleteMarkerEntry.java PutObject.java -DeleteObject.java PutObjectInline.java -DeleteObjectResponse.java PutObjectInlineResponse.java -ExtensionMapper.java PutObjectResponse.java -GetBucketAccessControlPolicy.java PutObjectResult.java -GetBucketAccessControlPolicyResponse.java RequestPaymentConfiguration.java -GetBucketLoggingStatus.java Result.java -GetBucketLoggingStatusResponse.java SetBucketAccessControlPolicy.java -GetObject.java SetBucketAccessControlPolicyResponse.java -GetObjectAccessControlPolicy.java SetBucketLoggingStatus.java -GetObjectAccessControlPolicyResponse.java SetBucketLoggingStatusResponse.java -GetObjectExtended.java SetObjectAccessControlPolicy.java -GetObjectExtendedResponse.java SetObjectAccessControlPolicyResponse.java -GetObjectResponse.java Status.java -GetObjectResult.java StorageClass.java -Grant.java TopicConfiguration.java -Grantee.java User.java -Group.java VersionEntry.java -ListAllMyBuckets.java VersioningConfiguration.java -ListAllMyBucketsEntry.java 
VersioningStatus.java -ListAllMyBucketsList.java diff --git a/client/WEB-INF/classes/resources/messages.properties b/client/WEB-INF/classes/resources/messages.properties index 1535c314f3a..454974d4654 100644 --- a/client/WEB-INF/classes/resources/messages.properties +++ b/client/WEB-INF/classes/resources/messages.properties @@ -17,8 +17,8 @@ #new labels (begin) ********************************************************************************************** - - +label.isolation.uri=Isolation URI +label.broadcast.uri=Broadcast URI #new labels (end) ************************************************************************************************ diff --git a/cloud-cli/cloudapis/cloud.py b/cloud-cli/cloudapis/cloud.py index 1ee9806c978..a0e88805c82 100644 --- a/cloud-cli/cloudapis/cloud.py +++ b/cloud-cli/cloudapis/cloud.py @@ -71,10 +71,10 @@ class CloudAPI: requests = zip(requests.keys(), requests.values()) requests.sort(key=lambda x: str.lower(x[0])) - requestUrl = "&".join(["=".join([request[0], urllib.quote_plus(str(request[1]))]) for request in requests]) - hashStr = "&".join(["=".join([str.lower(request[0]), urllib.quote_plus(str.lower(str(request[1])))]) for request in requests]) + requestUrl = "&".join(["=".join([request[0], urllib.quote(str(request[1],""))]) for request in requests]) + hashStr = "&".join(["=".join([str.lower(request[0]), urllib.quote(str.lower(str(request[1])),"")]) for request in requests]) - sig = urllib.quote_plus(base64.encodestring(hmac.new(self.securityKey, hashStr, hashlib.sha1).digest()).strip()) + sig = urllib.quote_plus(base64.encodestring(hmac.new(self.securityKey, str.lower(hashStr), hashlib.sha1).digest()).strip()) requestUrl += "&signature=%s"%sig diff --git a/cloud.spec b/cloud.spec index c1fe56ae7c0..908a41176f3 100644 --- a/cloud.spec +++ b/cloud.spec 
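Review bot: The new `requestUrl` line puts the safe-characters argument in the wrong call: `urllib.quote(str(request[1],""))` invokes `str(value, "")`, which raises TypeError in the Python 2 `urllib` API this module uses, so the request is never built. The `hashStr` line directly below has the parentheses right (`urllib.quote(str.lower(str(request[1])),"")`), and `requestUrl` should match it: `requestUrl = "&".join(["=".join([request[0], urllib.quote(str(request[1]), "")]) for request in requests])`. Keeping both lines on the same `quote(..., "")` encoding matters because `sig` is computed over the lower-cased `hashStr`, and a query string encoded differently from what was signed is rejected by the server. The enclosing method of CloudAPI starts before this hunk.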
@@ -387,6 +387,16 @@ else /sbin/service %{name}-agent condrestart >/dev/null 2>&1 || true fi +%post scripts +mkdir -p %{_libdir}/%{name}/agent +ln -f -s %{_libdir}/%{name}/common/scripts %{_libdir}/%{name}/agent/ +ln -f -s %{_libdir}/%{name}/common/vms %{_libdir}/%{name}/agent/ + +%postun scripts +rm -f %{_libdir}/%{name}/agent/scripts +rm -f %{_libdir}/%{name}/agent/vms +rm -fr %{_libdir}/%{name}/agent + %post client if [ "$1" == "1" ] ; then /sbin/chkconfig --add %{name}-management > /dev/null 2>&1 || true diff --git a/debian/changelog b/debian/changelog index c02d7451f06..5406ab35d00 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +cloud (4.0.0-rc2) unstable; urgency=low + + * Bumping the version to 4.0 RC2 + + -- Wido den Hollander Mon, 24 Sep 2012 11:30:29 +0200 + cloud (4.0.0-rc1) unstable; urgency=low * Bumping the version to 4.0 RC1 diff --git a/debian/cloud-scripts.postinst b/debian/cloud-scripts.postinst new file mode 100644 index 00000000000..5fb542c15ba --- /dev/null +++ b/debian/cloud-scripts.postinst 
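Review bot: The new `%postun scripts` is unconditional, so on an upgrade it runs after the new package's `%post scripts` (RPM orders new `%post` before old `%postun`) and deletes the `agent/scripts` and `agent/vms` links that were just created, then removes `%{_libdir}/%{name}/agent` entirely. The other scriptlets in this file already distinguish install from upgrade via `$1` (see `%post client` in the same hunk); the removal should be wrapped the same way, `if [ "$1" = "0" ] ; then` … `fi`, so it only fires on erase. It is also worth confirming that `ln -f -s … agent/` behaves as intended when `agent/scripts` already exists as a symlink to a directory on a re-run, since `ln` without `-n` may resolve through an existing directory symlink.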
@@ -0,0 +1,34 @@ +#!/bin/sh -e +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +case "$1" in + configure) + # We can safely remove the /usr/lib/cloud/agent directory + # All the files in there have moved to the common directory + # The agent directory should become a symlink to common + if [ -d "/usr/lib/cloud/agent" ]; then + rm -fr /usr/lib/cloud/agent + fi + + # Now we symlink the common directory to agent for backwards compatibility + if [ ! -h "/usr/lib/cloud/agent" ]; then + ln -s /usr/lib/cloud/common /usr/lib/cloud/agent + fi + ;; +esac + diff --git a/debian/cloud-system-iso.postinst b/debian/cloud-system-iso.postinst new file mode 100644 index 00000000000..5fb542c15ba --- /dev/null +++ b/debian/cloud-system-iso.postinst 
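Review bot: `[ -d "/usr/lib/cloud/agent" ]` is also true once agent is already the symlink to common, so every reconfigure deletes and recreates the link even though the comment says the intent is to clear out the old real directory; `if [ -d /usr/lib/cloud/agent ] && [ ! -h /usr/lib/cloud/agent ]; then` matches the stated intent and leaves an existing link alone. The same script (same blob id) is added again as debian/cloud-system-iso.postinst in the following hunk; unless the system-iso package also owns files under /usr/lib/cloud, having two packages replace that directory as root on configure looks like a copy-paste rather than a deliberate choice, which I cannot confirm from the diff alone. The `-e` in the shebang only applies when dpkg executes the script directly; `set -e` on the first body line would survive a manual `sh debian/cloud-scripts.postinst configure`.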
@@ -0,0 +1,34 @@ +#!/bin/sh -e +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +case "$1" in + configure) + # We can safely remove the /usr/lib/cloud/agent directory + # All the files in there have moved to the common directory + # The agent directory should become a symlink to common + if [ -d "/usr/lib/cloud/agent" ]; then + rm -fr /usr/lib/cloud/agent + fi + + # Now we symlink the common directory to agent for backwards compatibility + if [ ! -h "/usr/lib/cloud/agent" ]; then + ln -s /usr/lib/cloud/common /usr/lib/cloud/agent + fi + ;; +esac + diff --git a/developer/pom.xml b/developer/pom.xml new file mode 100644 index 00000000000..25e56e0b8b4 --- /dev/null +++ b/developer/pom.xml 
@@ -0,0 +1,174 @@ + + + 4.0.0 + org.apache.cloudstack + cloud-developer + Apache CloudStack Developer Tools + pom + + org.apache.cloudstack + cloudstack + 4.0.0-SNAPSHOT + + + + mysql + mysql-connector-java + 5.1.21 + runtime + + + + install + + + + + deploydb + + + deploydb + + + + + + org.codehaus.mojo + properties-maven-plugin + 1.0-alpha-2 + + + initialize + + read-project-properties + + + + ${project.parent.basedir}/utils/conf/db.properties + + + + + + + maven-antrun-plugin + 1.7 + + + generate-resources + + run + + + + + + + + + + + + + + + org.codehaus.mojo + sql-maven-plugin + 1.5 + + + + mysql + mysql-connector-java + ${cs.mysql.version} + + + + org.gjt.mm.mysql.Driver + jdbc:mysql://${db.cloud.host}:${db.cloud.port}/cloud + ${db.cloud.username} + ${db.cloud.password} + + ${maven.test.skip} + true + + + + + drop-database + process-test-resources + + execute + + + root + ${db.cloud.password} + jdbc:mysql://${db.cloud.host}:${db.cloud.port} + drop database if exists `cloud` + + + + create-database + process-test-resources + + execute + + + root + ${db.cloud.password} + jdbc:mysql://${db.cloud.host}:${db.cloud.port} + create database `cloud` + + + + create-schema + process-test-resources + + execute + + + + ${basedir}/target/db/create-schema.sql + ${basedir}/target/db/templates.sql + ${basedir}/target/db/create-index-fk.sql + + + + + prefill-schema + process-test-resources + + execute + + + INSERT INTO `cloud`.`domain` (id, name, parent, path, owner) VALUES (1, 'ROOT', NULL, '/', 2) + + + + prefill-configuration + process-test-resources + + execute + + + INSERT INTO `cloud`.`configuration` (category, instance, component, name, value) VALUES ('Hidden', 'DEFAULT', 'management-server', 'init', 'false') + + + + + + + + + + diff --git a/docs/en-US/add-load-balancer-rule.xml b/docs/en-US/add-load-balancer-rule.xml index fca54f94734..8cd0da4b7da 100644 --- a/docs/en-US/add-load-balancer-rule.xml +++ b/docs/en-US/add-load-balancer-rule.xml 
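Review bot: The drop-database and create-database executions connect as `root` but authenticate with `${db.cloud.password}`, the application user's password read from utils/conf/db.properties, so the build silently assumes the MySQL root password equals the cloud user's password and will fail (or, worse, be made to pass by weakening root) where it does not. A dedicated property for the root credential, e.g. a placeholder such as `${db.root.password}` defined alongside the others, makes the requirement explicit. Because `drop database if exists \`cloud\`` is bound to the process-test-resources phase whenever the deploydb profile is active, a comment above that execution stating that activating the profile destroys the existing cloud database would help anyone running it against a shared server; the element names are stripped in this rendering, so the exact placement is inferred.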
@@ -70,10 +70,6 @@ the algorithm for the stickiness policy. See Sticky Session Policies for Load Balancer Rules. - - AutoScale: Click Configure and complete the - AutoScale configuration as explained in . - diff --git a/docs/en-US/add-more-clusters.xml b/docs/en-US/add-more-clusters.xml new file mode 100644 index 00000000000..a2e41e38f84 --- /dev/null +++ b/docs/en-US/add-more-clusters.xml @@ -0,0 +1,29 @@ + + +%BOOK_ENTITIES; +]> + +
+ Add More Clusters (Optional) + You need to tell &PRODUCT; about the hosts that it will manage. Hosts exist inside clusters, + so before you begin adding hosts to the cloud, you must add at least one cluster. + + + + +
diff --git a/docs/en-US/add-primary-storage.xml b/docs/en-US/add-primary-storage.xml new file mode 100644 index 00000000000..9c7ad3dc9cf --- /dev/null +++ b/docs/en-US/add-primary-storage.xml @@ -0,0 +1,108 @@ + + +%BOOK_ENTITIES; +]> + +
+ Adding Primary Storage + + Ensure that nothing stored on the server. Adding the server to CloudStack will destroy any + existing data. + + When you create a new zone, the first primary storage is added as part of that procedure. + You can add primary storage servers at any time, such as when adding a new cluster or adding + more servers to an existing cluster. + + + Log in to the &PRODUCT; UI. + + + In the left navigation, choose Infrastructure. In Zones, click View More, then click the + zone in which you want to add the primary storage. + + + Click the Compute tab. + + + In the Primary Storage node of the diagram, click View All. + + + Click Add Primary Storage. + + + Provide the following information in the dialog. The information required varies + depending on your choice in Protocol. + + + Pod. The pod for the storage device. + + + Cluster. The cluster for the storage device. + + + Name. The name of the storage device + + + Protocol. For XenServer, choose either NFS, iSCSI, or PreSetup. For KVM, choose NFS + or SharedMountPoint. For vSphere choose either VMFS (iSCSI or FiberChannel) or + NFS + + + Server (for NFS, iSCSI, or PreSetup). The IP address or DNS name of the storage + device + + + Server (for VMFS). The IP address or DNS name of the vCenter server. + + + Path (for NFS). In NFS this is the exported path from the server. + + + Path (for VMFS). In vSphere this is a combination of the datacenter name and the + datastore name. The format is "/" datacenter name "/" datastore name. For example, + "/cloud.dc.VM/cluster1datastore". + + + Path (for SharedMountPoint). With KVM this is the path on each host that is where + this primary storage is mounted. For example, "/mnt/primary". + + + SR Name-Label (for PreSetup). Enter the name-label of the SR that has been set up + outside &PRODUCT;. + + + Target IQN (for iSCSI). In iSCSI this is the IQN of the target. For example, + iqn.1986-03.com.sun:02:01ec9bb549-1271378984 + + + Lun # (for iSCSI). 
In iSCSI this is the LUN number. For example, 3. + + + Tags (optional). The comma-separated list of tags for this storage device. It should + be an equivalent set or superset of the tags on your disk offerings + + + The tag sets on primary storage across clusters in a Zone must be identical. For + example, if cluster A provides primary storage that has tags T1 and T2, all other clusters + in the Zone must also provide primary storage that has tags T1 and T2. + + + Click OK. + + +
diff --git a/docs/en-US/add-secondary-storage.xml b/docs/en-US/add-secondary-storage.xml new file mode 100644 index 00000000000..318a6ea79b6 --- /dev/null +++ b/docs/en-US/add-secondary-storage.xml @@ -0,0 +1,48 @@ + + +%BOOK_ENTITIES; +]> + +
+ Adding Secondary Storage + + Be sure there is nothing stored on the server. Adding the server to CloudStack will + destroy any existing data. + + When you create a new zone, the first secondary storage is added as part of that procedure. + You can add secondary storage servers at any time to add more servers to an existing + zone. + + + If you are going to use Swift for cloud-wide secondary storage, you must add the Swift + storage to &PRODUCT; before you add the local zone secondary storage servers. + + + To prepare for local zone secondary storage, you should have created and mounted an NFS + share during Management Server installation. + + + Make sure you prepared the system VM template during Management Server + installation. + + + 4. Now that the secondary storage server for per-zone storage is prepared, add it to + &PRODUCT;. Secondary storage is added as part of the procedure for adding a new zone. + + +
diff --git a/docs/en-US/aws-ec2-configuration.xml b/docs/en-US/aws-ec2-configuration.xml new file mode 100644 index 00000000000..e1924072168 --- /dev/null +++ b/docs/en-US/aws-ec2-configuration.xml @@ -0,0 +1,64 @@ + + +%BOOK_ENTITIES; +]> + + + +
+ Enabling the AWS API compatible Interface + + To enable the EC2 compatible service you need to set the configuration variable enable.ec2.apito true. This can be done via the &PRODUCT; GUI by going in Global Settings or via the API. + + + + + + + + Use the GUI to set the configuration variable to true + + + + + The easiest is to use the so-called integration port on which you can make unauthenticated calls. In Global Settings set the port to 8096 and subsequently call the updateConfiguration method. The following url shows you how: + + + + http://localhost:8096/client/api?command=updateConfiguration&name=enable.ec2.api&value=true + + + + Once you have updated enable.ec2.apito true, restart the server. + + + You will also need to define compute service offerings with names compatible with the Amazon EC2 instance types API names (e.g m1.small,m1.large). This is easiest done via the &PRODUCT; GUI. Go under Service Offerings select Compute offering and either create a new compute offering or modify an existing one, ensuring that the name matches an EC2 instance type API name. The snapshot below shows you how: + + + + + + + + Use the GUI to set the name of a compute service offering to an EC2 instance type API name. + + + +
diff --git a/docs/en-US/aws-ec2-introduction.xml b/docs/en-US/aws-ec2-introduction.xml new file mode 100644 index 00000000000..c2bfb32bc61 --- /dev/null +++ b/docs/en-US/aws-ec2-introduction.xml @@ -0,0 +1,47 @@ + + +%BOOK_ENTITIES; +]> + + + +
+ Amazon Web Services EC2 Compatible Interface + &PRODUCT; can translate Amazon Web Services (AWS) API calls to native &PRODUCT; API calls so that users can continue using existing AWS-compatible tools. This translation service runs as a separate web application in the same tomcat server as the management server of &PRODUCT;, listening on the same port. This Amazon EC2-compatible API is accessible through a SOAP web service as well as the REST query interface. + + Expect the SOAP service to be deprecated in new releases in favor of the REST interface. + + + This service was previously enabled by a separate software called CloudBridge, it is now fully integrated with the &PRODUCT; management server. + + + Limitations + + + Supported only in zones that use basic networking. + + + Available in fresh installations of &PRODUCT;. Not available through upgrade of previous versions. + + + If you need to support features such as elastic IP, set up a Citrix NetScaler to provide this service. The commands such as ec2-associate-address will not work without EIP setup. Users running VMs in this zone will be using the NetScaler-enabled network offering (DefaultSharedNetscalerEIP and ELBNetworkOffering). + + +
diff --git a/docs/en-US/aws-ec2-requirements.xml b/docs/en-US/aws-ec2-requirements.xml new file mode 100644 index 00000000000..916cec5fdda --- /dev/null +++ b/docs/en-US/aws-ec2-requirements.xml @@ -0,0 +1,30 @@ + + +%BOOK_ENTITIES; +]> + + + +
+ System Requirements + This interface complies with Amazon's WDSL version dated November 15, 2010, available at http://ec2.amazonaws.com/doc/2010-11-15/. The EC2 command line utilities compatible with it are EC2 tools v. 1.3.6230that can be downloaded at http://s3.amazonaws.com/ec2-downloads/ec2-api-tools-1.3-62308.zip + + Effort is underway to provide support for a newer API +
diff --git a/docs/en-US/aws-ec2-supported-commands.xml b/docs/en-US/aws-ec2-supported-commands.xml new file mode 100644 index 00000000000..77e47bd90a5 --- /dev/null +++ b/docs/en-US/aws-ec2-supported-commands.xml @@ -0,0 +1,407 @@ + + +%BOOK_ENTITIES; +]> + + + +
+ Supported AWS API Calls + + The following Amazon EC2 commands are supported by &PRODUCT; when the AWS API compatibility feature is enabled. For a few commands, there are differences between the &PRODUCT; and Amazon EC2 versions, and these differences are noted. The underlying SOAP call for each command is also given, for those who have built tools using those calls. + + Elastic IP Addresses + + Elastic IP API mapping + + + + + EC2 command + SOAP all + &PRODUCT; API call + + + + + ec2-allocate-address + AllocateAddress + associateIpAddress + + + ec2-associate-address + AssociateAddress + enableStaticNat + + + ec2-describe-addresses + DescribeAddresses + listPublicIpAddresses + + + ec2-diassociate-address + DisassociateAddress + disableStaticNat + + + ec2-release-address + ReleaseAddress + disassociateIpAddress + + + +
+ Availability Zones + + Availability Zone API mapping + + + + + EC2 command + SOAP all + &PRODUCT; API call + + + + + ec2-describe-availability-zones + DescribeAvailabilityZones + listZones + + + +
+ Images + + Images API mapping + + + + + EC2 command + SOAP all + &PRODUCT; API call + + + + + ec2-create-image + CreateImage + createTemplate + + + ec2-deregister + DeregisterImage + DeleteTemplate + + + ec2-describe-images + DescribeImages + listTemplates + + + ec2-register + RegisterImage + registerTemplate + + + +
+ Image Attributes + + Image Attributes API mapping + + + + + EC2 command + SOAP all + &PRODUCT; API call + + + + + ec2-describe-image-attribute + DescribeImageAttribute + listTemplatePermissions + + + ec2-modify-image-attribute + ModifyImageAttribute + updateTemplatePermissions + + + ec2-reset-image-attribute + ResetImageAttribute + updateTemplatePermissions + + + +
+ Instances + + Instances API mapping + + + + + EC2 command + SOAP all + &PRODUCT; API call + + + + + ec2-describe-instances + DescribeInstances + listVirtualMachines + + + ec2-run-instances + RunInstances + deployVirtualMachine + + + ec2-reboot-instances + RebootInstances + rebootVirtualMachine + + + ec2-start-instances + StartInstances + startVirtualMachine + + + ec2-stop-instances + StopInstances + stopVirtualMachine + + + ec2-terminate-instances + TerminateInstances + destroyVirtualMachine + + + +
+ Instance Attributes + + Instance Attributes Mapping + + + + + EC2 command + SOAP all + &PRODUCT; API call + + + + + ec2-describe-instance-attribute + DescribeInstanceAttribute + listVirtualMachines + + + +
+ Key Pairs + + Keys Pairs Mapping + + + + + EC2 command + SOAP all + &PRODUCT; API call + + + + + ec2-add-keypair + CreateKeyPair + createSSHKeyPair + + + ec2-delete-keypair + DeleteKeyPair + deleteSSHKeyPair + + + ec2-describe-keypairs + DescribeKeyPairs + listSSHKeyPairs + + + ec2-import-keypair + ImportKeyPair + registerSSHKeyPair + + + +
+ Passwords + + Passwords API Mapping + + + + + EC2 command + SOAP all + &PRODUCT; API call + + + + + ec2-get-password + GetPasswordData + getVMPassword + + + +
+ Security Groups + + Security Groups API Mapping + + + + + EC2 command + SOAP all + &PRODUCT; API call + + + + + ec2-authorize + AuthorizeSecurityGroupIngress + authorizeSecurityGroupIngress + + + ec2-add-group + CreateSecurityGroup + createSecurityGroup + + + ec2-delete-group + DeleteSecurityGroup + deleteSecurityGroup + + + ec2-describe-group + DescribeSecurityGroups + listSecurityGroups + + + ec2-revoke + RevokeSecurityGroupIngress + revokeSecurityGroupIngress + + + +
+ Snapshots + + Snapshots API Mapping + + + + + EC2 command + SOAP all + &PRODUCT; API call + + + + + ec2-create-snapshot + CreateSnapshot + createSnapshot + + + ec2-delete-snapshot + DeleteSnapshot + deleteSnapshot + + + ec2-describe-snapshots + DescribeSnapshots + listSnapshots + + + +
+ Volumes + + Volumes API Mapping + + + + + EC2 command + SOAP all + &PRODUCT; API call + + + + + ec2-attach-volume + AttachVolume + attachVolume + + + ec2-create-volume + CreateVolume + createVolume + + + ec2-delete-volume + DeleteVolume + deleteVolume + + + ec2-describe-volume + DescribeVolume + listVolumes + + + ec2-detach-volume + DetachVolume + detachVolume + + + +
+
diff --git a/docs/en-US/aws-ec2-user-setup.xml b/docs/en-US/aws-ec2-user-setup.xml new file mode 100644 index 00000000000..50c9fe26656 --- /dev/null +++ b/docs/en-US/aws-ec2-user-setup.xml @@ -0,0 +1,91 @@ + + +%BOOK_ENTITIES; +]> + + +
+ User configuration + + Users of the Amazon EC2 compatible interface will be able to keep their existing EC2 tools and scripts and use them with their &PRODUCT; deployment, by specifyingi the endpoint of the managment server and using the proper user credentials.In order to do this, each user must perform the following configuration steps: + + + + + Generate user credentials. + + + Register with the service. + + + Setup the environment variables + + + + + + To register, a user needs to: + + + + + + Obtain his API key and his secret key as well as the DNS name or IP address of the &PRODUCT; server. Obtaining the keys can be done by asking the &PRODUCT; administrator or by using the GUI or via the API. + + + + + Obtain a self-signed X.509 certificate. It can be generated with the following command: + + $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /path/to/private_key.pem -out /path/to/cert.pem + + + + + Register the mapping from the X.509 certificate to the API/Secret keys. Download the following script from http://download.cloud.com/releases/3.0.3/cloudstack-aws-api-register and run it. Substitute the values you obtained from the administrator in the URL below. + + +$ cloudstack-aws-api-register --apikey=User’s CloudPlatform API key --secretkey=User’s CloudPlatform Secret key --cert=/path/to/cert.pem --url=http://&PRODUCT;.server:8080/awsapi + + + + + + + A user with an existing AWS certificate could choose to use the same certificate with &PRODUCT; but note that the public key would be uploaded to the &PRODUCT; management server database. + + + + + To use the EC2 command line tools, setup the environment variable in a similar fashion than with Amazon EC2 service. 
Specifically, in bash shell: + + $ export EC2_CERT=/path/to/cert.pem + $ export EC2_PRIVATE_KEY=/path/to/private_key.pem + $ export EC2_URL=http://&PRODUCT;.server:8080/awsapi + $ export EC2_HOME=/path/to/EC2_tools_directory + + + + + The Amazon EC2 command-line tools have a default connection timeout. If you find that EC2 commands are not completing due to timeouts, you can pass a new timeout value as an argument with --connection-timeout TIMEOUT or --request-timeout TIMEOUT + + + +
diff --git a/docs/en-US/installation_overview.xml b/docs/en-US/aws-interface-guide.xml similarity index 65% rename from docs/en-US/installation_overview.xml rename to docs/en-US/aws-interface-guide.xml index eee444e571e..0c42b5bdb07 100644 --- a/docs/en-US/installation_overview.xml +++ b/docs/en-US/aws-interface-guide.xml @@ -22,12 +22,11 @@ under the License. --> - - Installation Overview - - - - - - + + Amazon Web Service Interface Guide + + + + + diff --git a/docs/en-US/choosing_a_deployment_architecture.xml b/docs/en-US/choosing_a_deployment_architecture.xml new file mode 100644 index 00000000000..ec59d8b2bd3 --- /dev/null +++ b/docs/en-US/choosing_a_deployment_architecture.xml @@ -0,0 +1,29 @@ + +%BOOK_ENTITIES; +]> + + + + Choosing a Deployment Architecture + The architecture used in a deployment will vary depending on the size and purpose of the deployment. This section contains examples of deployment architecture, including a small-scale deployment useful for test and trial deployments and a fully-redundant large-scale setup for production deployments. + + + + + + diff --git a/docs/en-US/cloud-infrastructure-overview.xml b/docs/en-US/cloud-infrastructure-overview.xml index 5b467a33d4c..32f2246eeb8 100644 --- a/docs/en-US/cloud-infrastructure-overview.xml +++ b/docs/en-US/cloud-infrastructure-overview.xml @@ -42,5 +42,5 @@ infrastructure_overview.png: Nested organization of a zone More Information - For more information, see . + For more information, see documentation on cloud infrastructure concepts. diff --git a/docs/en-US/cloudstack_features.xml b/docs/en-US/cloudstack_features.xml deleted file mode 100644 index 95825aa2758..00000000000 --- a/docs/en-US/cloudstack_features.xml +++ /dev/null @@ -1,66 +0,0 @@ - - -%BOOK_ENTITIES; -]> - - - -
- What Can &PRODUCT; Do? - - - Multiple Hypervisor Support - - - &PRODUCT; works with a variety of hypervisors. A single cloud deployment can contain multiple hypervisor implementations. You have the complete freedom to choose the right hypervisor for your workload. &PRODUCT; is designed to work with open source Xen and KVM hypervisors as well as enterprise-grade hypervisors such as Citrix XenServer, VMware vSphere, and Oracle VM (OVM). You can also provision “bare metal” hosts with no hypervisor (Beta feature. Untested in &PRODUCT; 3.0.x0.) - - - Massively Scalable Infrastructure Management - - - &PRODUCT; can manage tens of thousands of servers installed in multiple geographically distributed datacenters. The centralized management server scales linearly, eliminating the need for intermediate cluster-level management servers. No single component failure can cause cloud-wide outage. Periodic maintenance of the management server can be performed without affecting the functioning of virtual machines running in the cloud. - - - Automatic Configuration Management - - &PRODUCT; automatically configures each guest virtual machine’s networking and storage settings. - - &PRODUCT; internally manages a pool of virtual appliances to support the cloud itself. These appliances offer services such as firewalling, routing, DHCP, VPN access, console proxy, storage access, and storage replication. The extensive use of virtual appliances simplifies the installation, configuration, and ongoing management of a cloud deployment. - - - Graphical User Interface - - &PRODUCT; offers an administrator's Web interface, used for provisioning and managing the cloud, as well as an end-user's Web interface, used for running VMs and managing VM templates. The UI can be customized to reflect the desired service provider or enterprise look and feel. - - - API and Extensibility - - - &PRODUCT; provides an API that gives programmatic access to all the management features available in the UI. 
The API is maintained and documented. This API enables the creation of command line tools and new user interfaces to suit particular needs. See the Developer’s Guide and API Reference, both available at http://docs.cloud.com/CloudStack_Documentation. - - - The &PRODUCT; platform pluggable allocation architecture allows the creation of new types of allocators for the selection of storage and Hosts. See the Allocator Implementation Guide (http://docs.cloud.com/CloudStack_Documentation/Allocator_Implementation_Guide). - - - High Availability - - The &PRODUCT; platform has a number of features to increase the availability of the system. The Management Server itself may be deployed in a multi-node installation where the servers are load balanced. MySQL may be configured to use replication to provide for a manual failover in the event of database loss. For the Hosts, the &PRODUCT; platform supports NIC bonding and the use of separate networks for storage as well as iSCSI Multipath. - -
diff --git a/docs/en-US/cloudstack_installation.ent b/docs/en-US/cloudstack_installation.ent new file mode 100644 index 00000000000..abb18851bcf --- /dev/null +++ b/docs/en-US/cloudstack_installation.ent @@ -0,0 +1,22 @@ + + + + + + diff --git a/docs/en-US/cloudstack_system_requirements.xml b/docs/en-US/cloudstack_system_requirements.xml deleted file mode 100644 index 8b5d709c441..00000000000 --- a/docs/en-US/cloudstack_system_requirements.xml +++ /dev/null @@ -1,68 +0,0 @@ - - -%BOOK_ENTITIES; -]> - - - -
- Minimum System Requirements - - The machines that will run the Management Server and MySQL database must meet the following requirements. The same machines can also be used to provide primary and secondary storage, such as via localdisk or NFS. The Management Server may be placed on a virtual machine. - - - Operating system: - - Commercial users: Preferred: RHEL 6.2+ 64-bit (https://access.redhat.com/downloads) or CentOS 6.2+ 64-bit (http://isoredirect.centos.org/centos/6/isos/x86_64/). Also supported (v3.0.3 and greater): RHEL and CentOS 5.4-5.x 64-bit - Open-source community users: RHEL 5.4-5.x 64-bit or 6.2+ 64-bit; CentOS 5.4-5.x 64-bit or 6.2+ 64-bit; Ubuntu 10.04 LTS - - - 64-bit x86 CPU (more cores results in better performance) - 4 GB of memory - 250 GB of local disk (more results in better capability; 500 GB recommended) - At least 1 NIC - Statically allocated IP address - Fully qualified domain name as returned by the hostname command - - The host is where the cloud services run in the form of guest virtual machines. Each host is one machine that meets the following requirements: - - Must be 64-bit and must support HVM (Intel-VT or AMD-V enabled). - 64-bit x86 CPU (more cores results in better performance) - Hardware virtualization support required - 4 GB of memory - 36 GB of local disk - At least 1 NIC - Statically allocated IP Address - Latest hotfixes applied to hypervisor software - When you deploy &PRODUCT;, the hypervisor host must not have any VMs already running - - Hosts have additional requirements depending on the hypervisor. See the requirements listed at the top of the Installation section for your chosen hypervisor: - - Citrix XenServer Installation for &PRODUCT; - VMware vSphere Installation and Configuration - KVM Installation and Configuration - Oracle VM (OVM) Installation and Configuration - - - - Be sure you fulfill the additional hypervisor requirements and installation steps provided in this Guide. 
Hypervisor hosts must be properly prepared to work with &PRODUCT;. For example, the requirements for XenServer are listed under Citrix XenServer Installation for &PRODUCT;. - - -
diff --git a/docs/en-US/cloudstack_whatis.xml b/docs/en-US/cloudstack_whatis.xml deleted file mode 100644 index 5fea7d40199..00000000000 --- a/docs/en-US/cloudstack_whatis.xml +++ /dev/null @@ -1,39 +0,0 @@ - - -%BOOK_ENTITIES; -]> - - - - -
- What Is &PRODUCT;? - Who Should Read This - If you are new to &PRODUCT; or you want to learn more about concepts before installing and running &PRODUCT;, read this overview. If you just want to get started, you can skip to Overview of Installation Steps. - &PRODUCT; is an open source software platform that pools computing resources to build public, private, and hybrid Infrastructure as a Service (IaaS) clouds. &PRODUCT; manages the network, storage, and compute nodes that make up a cloud infrastructure. Use &PRODUCT; to deploy, manage, and configure cloud computing environments. Typical users are service providers and enterprises. With &PRODUCT;, you can: - - - Set up an on-demand, elastic cloud computing service. Service providers can sell self service virtual machine instances, storage volumes, and networking configurations over the Internet. - - Set up an on-premise private cloud for use by employees. Rather than managing virtual machines in the same way as physical machines, with &PRODUCT; an enterprise can offer self-service virtual machines to users without involving IT departments. - - - -
diff --git a/docs/en-US/configure-package-repository.xml b/docs/en-US/configure-package-repository.xml new file mode 100644 index 00000000000..0678d202596 --- /dev/null +++ b/docs/en-US/configure-package-repository.xml @@ -0,0 +1,46 @@ + + +%BOOK_ENTITIES; +]> + + + +
+ Configure package repository + &PRODUCT; is only distributed from source from the official mirrors. DEB and RPM packages are however build for your convience by third-parties + When installing &PRODUCT; it is recommended you use these package repositories for easy installation. + + These repositories contain both the Management Server and KVM Hypervisor packages. + +
+ DEB package repository + You can add a DEB package repository to your apt sources with the following commands. + echo "deb http://cloudstack.apt-get.eu/ubuntu $(lsb_release -s -c) 4.0" > /etc/apt/sources.list.d/cloudstack.list + We now have to add the public key to the trusted keys. + wget -O - http://cloudstack.apt-get.eu/release.asc|apt-key add - + Now update your local apt-cache. + apt-get update + Your DEB package repository should now be configured and ready for use. +
+
+ RPM package repository + TODO +
+
\ No newline at end of file diff --git a/docs/en-US/create-vpn-connection-vpc.xml b/docs/en-US/create-vpn-connection-vpc.xml new file mode 100644 index 00000000000..1fba09e18fb --- /dev/null +++ b/docs/en-US/create-vpn-connection-vpc.xml @@ -0,0 +1,103 @@ + + +%BOOK_ENTITIES; +]> + +
+ Creating a VPN Connection + + + Log in to the &PRODUCT; UI as an administrator or end user. + + + In the left navigation, choose Network. + + + In the Select view, select VPC. + All the VPCs that you create for the account are listed in the page. + + + Click the Configure button of the VPC to which you want to deploy the VMs. + The VPC page is displayed where all the tiers you created are listed in a + diagram. + + + Click the Settings icon. + The following options are displayed. + + + IP Addresses + + + Gateways + + + Site-to-Site VPN + + + Network ASLs + + + + + Select Site-to-Site VPN. + The Site-to-Site VPN page is displayed. + + + From the Select View drop-down, ensure that VPN Connection is selected. + + + Click Create VPN Connection. + The Create VPN Connection dialog is displayed: + + + + + + createvpnconnection.png: creating a vpn connection to the customer + gateway. + + + + + Select the desired customer gateway, then click OK to confirm. + Within a few moments, the VPN Connection is displayed. + The following information on the VPN connection is displayed: + + + IP Address + + + Gateway + + + State + + + IPSec Preshared Key + + + IKE Policy + + + ESP Policy + + + + +
\ No newline at end of file diff --git a/docs/en-US/create-vpn-customer-gateway.xml b/docs/en-US/create-vpn-customer-gateway.xml new file mode 100644 index 00000000000..bf56e36e8b9 --- /dev/null +++ b/docs/en-US/create-vpn-customer-gateway.xml @@ -0,0 +1,191 @@ + + +%BOOK_ENTITIES; +]> + +
+ Creating and Updating a VPN Customer Gateway + + A VPN customer gateway can be connected to only one VPN gateway at a time. + + To add a VPN Customer Gateway: + + + Log in to the &PRODUCT; UI as an administrator or end user. + + + In the left navigation, choose Network. + + + In the Select view, select VPN Customer Gateway. + + + Click Add site-to-site VPN. + + + + + + addvpncustomergateway.png: adding a customer gateway. + + + Provide the following information: + + + Name: A unique name for the VPN customer gateway + you create. + + + Gateway: The IP address for the remote + gateway. + + + CIDR list: The guest CIDR list of the remote + subnets. Enter a CIDR or a comma-separated list of CIDRs. Ensure that a guest CIDR list + is not overlapped with the VPC’s CIDR, or another guest CIDR. The CIDR must be + RFC1918-compliant. + + + IPsec Preshared Key: Preshared keying is a method + where the endpoints of the VPN share a secret key. This key value is used to + authenticate the customer gateway and the VPC VPN gateway to each other. + + The IKE peers (VPN end points) authenticate each other by computing and sending a + keyed hash of data that includes the Preshared key. If the receiving peer is able to + create the same hash independently by using its Preshared key, it knows that both + peers must share the same secret, thus authenticating the customer gateway. + + + + IKE Encryption: The Internet Key Exchange (IKE) + policy for phase-1. The supported encryption algorithms are AES128, AES192, AES256, and + 3DES. Authentication is accomplished through the Preshared Keys. + + The phase-1 is the first phase in the IKE process. In this initial negotiation + phase, the two VPN endpoints agree on the methods to be used to provide security for + the underlying IP traffic. The phase-1 authenticates the two VPN gateways to each + other, by confirming that the remote gateway has a matching Preshared Key. + + + + IKE Hash: The IKE hash for phase-1. 
The supported + hash algorithms are SHA1 and MD5. + + + IKE DH: A public-key cryptography protocol which + allows two parties to establish a shared secret over an insecure communications channel. + The 1536-bit Diffie-Hellman group is used within IKE to establish session keys. The + supported options are None, Group-5 (1536-bit) and Group-2 (1024-bit). + + + ESP Encryption: Encapsulating Security Payload + (ESP) algorithm within phase-2. The supported encryption algorithms are AES128, AES192, + AES256, and 3DES. + + The phase-2 is the second phase in the IKE process. The purpose of IKE phase-2 is + to negotiate IPSec security associations (SA) to set up the IPSec tunnel. In phase-2, + new keying material is extracted from the Diffie-Hellman key exchange in phase-1, to + provide session keys to use in protecting the VPN data flow. + + + + ESP Hash: Encapsulating Security Payload (ESP) hash + for phase-2. Supported hash algorithms are SHA1 and MD5. + + + Perfect Forward Secrecy: Perfect Forward Secrecy + (or PFS) is the property that ensures that a session key derived from a set of long-term + public and private keys will not be compromised. This property enforces a new + Diffie-Hellman key exchange. It provides the keying material that has greater key + material life and thereby greater resistance to cryptographic attacks. The available + options are None, Group-5 (1536-bit) and Group-2 (1024-bit). The security of the key + exchanges increase as the DH groups grow larger, as does the time of the + exchanges. + + When PFS is turned on, for every negotiation of a new phase-2 SA the two gateways + must generate a new set of phase-1 keys. This adds an extra layer of protection that + PFS adds, which ensures if the phase-2 SA’s have expired, the keys used for new + phase-2 SA’s have not been generated from the current phase-1 keying material. + + + + IKE Lifetime (seconds): The phase-1 lifetime of the + security association in seconds. Default is 86400 seconds (1 day). 
Whenever the time + expires, a new phase-1 exchange is performed. + + + ESP Lifetime (seconds): The phase-2 lifetime of the + security association in seconds. Default is 3600 seconds (1 hour). Whenever the value is + exceeded, a re-key is initiated to provide a new IPsec encryption and authentication + session keys. + + + Dead Peer Detection: A method to detect an + unavailable Internet Key Exchange (IKE) peer. Select this option if you want the virtual + router to query the liveliness of its IKE peer at regular intervals. It’s recommended to + have the same configuration of DPD on both side of VPN connection. + + + + + Click OK. + + + + Updating and Removing a VPN Customer Gateway + You can update a customer gateway either with no VPN connection, or related VPN connection + is in error state. + + + + Log in to the &PRODUCT; UI as an administrator or end user. + + + In the left navigation, choose Network. + + + In the Select view, select VPN Customer Gateway. + + + Select the VPN customer gateway you want to work with. + + + To modify the required parameters, click the Edit VPN Customer Gateway button + + + + + edit.png: button to edit a VPN customer gateway + + + + + To remove the VPN customer gateway, click the Delete VPN Customer Gateway button + + + + + delete.png: button to remove a VPN customer gateway + + + + + Click OK. + + +
\ No newline at end of file
diff --git a/docs/en-US/create-vpn-gateway-for-vpc.xml b/docs/en-US/create-vpn-gateway-for-vpc.xml
new file mode 100644
index 00000000000..396a7d9d174
--- /dev/null
+++ b/docs/en-US/create-vpn-gateway-for-vpc.xml
@@ -0,0 +1,80 @@
+ + +%BOOK_ENTITIES; +]> + +
+ Creating a VPN gateway for the VPC + + + Log in to the &PRODUCT; UI as an administrator or end user. + + + In the left navigation, choose Network. + + + In the Select view, select VPC. + All the VPCs that you have created for the account is listed in the page. + + + Click the Configure button of the VPC to which you want to deploy the VMs. + The VPC page is displayed where all the tiers you created are listed in a + diagram. + + + Click the Settings icon. + The following options are displayed. + + + IP Addresses + + + Gateways + + + Site-to-Site VPN + + + Network ACLs + + + + + Select Site-to-Site VPN. + If you are creating the VPN gateway for the first time, selecting Site-to-Site VPN + prompts you to create a VPN gateway. + + + In the confirmation dialog, click Yes to confirm. + Within a few moments, the VPN gateway is created. You will be prompted to view the + details of the VPN gateway you have created. Click Yes to confirm. + The following details are displayed in the VPN Gateway page: + + + IP Address + + + Account + + + Domain + + + + +
\ No newline at end of file
diff --git a/docs/en-US/installation.xml b/docs/en-US/installation.xml
index 948931e5768..c5b1afb1847 100644
--- a/docs/en-US/installation.xml
+++ b/docs/en-US/installation.xml
@@ -27,6 +27,7 @@ +
diff --git a/docs/en-US/large_scale_redundant_setup.xml b/docs/en-US/large_scale_redundant_setup.xml
new file mode 100644
index 00000000000..9eb3190cb62
--- /dev/null
+++ b/docs/en-US/large_scale_redundant_setup.xml
@@ -0,0 +1,42 @@
+ +%BOOK_ENTITIES; +]> + +
+ Large-Scale Redundant Setup + + + + + Large-Scale Redundant Setup + + This diagram illustrates the network architecture of a large-scale &PRODUCT; deployment. + + A layer-3 switching layer is at the core of the data center. A router redundancy protocol like VRRP should be deployed. Typically high-end core switches also include firewall modules. Separate firewall appliances may also be used if the layer-3 switch does not have integrated firewall capabilities. The firewalls are configured in NAT mode. The firewalls provide the following functions: + + Forwards HTTP requests and API calls from the Internet to the Management Server. The Management Server resides on the management network. + When the cloud spans multiple zones, the firewalls should enable site-to-site VPN such that servers in different zones can directly reach each other. + + + A layer-2 access switch layer is established for each pod. Multiple switches can be stacked to increase port count. In either case, redundant pairs of layer-2 switches should be deployed. + The Management Server cluster (including front-end load balancers, Management Server nodes, and the MySQL database) is connected to the management network through a pair of load balancers. + Secondary storage servers are connected to the management network. + Each pod contains storage and computing servers. Each storage and computing server should have redundant NICs connected to separate layer-2 access switches. + +
\ No newline at end of file
diff --git a/docs/en-US/management-server-install-prepare-os.xml b/docs/en-US/management-server-install-prepare-os.xml
index ee76a5f1566..ef78731e81a 100644
--- a/docs/en-US/management-server-install-prepare-os.xml
+++ b/docs/en-US/management-server-install-prepare-os.xml
@@ -34,7 +34,7 @@
Make sure that the machine can reach the Internet. - ping www.google.com + ping www.cloudstack.org Turn on NTP for time synchronization.
diff --git a/docs/en-US/multi_node_management_server.xml b/docs/en-US/multi_node_management_server.xml
new file mode 100644
index 00000000000..9dea9499e8d
--- /dev/null
+++ b/docs/en-US/multi_node_management_server.xml
@@ -0,0 +1,36 @@
+ +%BOOK_ENTITIES; +]> + +
+ Multi-Node Management Server + The &PRODUCT; Management Server is deployed on one or more front-end servers connected to a single MySQL database. Optionally a pair of hardware load balancers distributes requests from the web. A backup management server set may be deployed using MySQL replication at a remote site to add DR capabilities. + + + + + Multi-Node Management Server + + The administrator must decide the following. + + Whether or not load balancers will be used. + How many Management Servers will be deployed. + Whether MySQL replication will be deployed to enable disaster recovery. + +
\ No newline at end of file
diff --git a/docs/en-US/multi_site_deployment.xml b/docs/en-US/multi_site_deployment.xml
new file mode 100644
index 00000000000..2dce575589a
--- /dev/null
+++ b/docs/en-US/multi_site_deployment.xml
@@ -0,0 +1,50 @@
+ +%BOOK_ENTITIES; +]> + +
+ Multi-Site Deployment + The &PRODUCT; platform scales well into multiple sites through the use of zones. The following diagram shows an example of a multi-site deployment. + + + + + Example Of A Multi-Site Deployment + + Data Center 1 houses the primary Management Server as well as zone 1. The MySQL database is replicated in real time to the secondary Management Server installation in Data Center 2. + + + + + Separate Storage Network + + This diagram illustrates a setup with a separate storage network. Each server has four NICs, two connected to pod-level network switches and two connected to storage network switches. + There are two ways to configure the storage network: + + Bonded NIC and redundant switches can be deployed for NFS. In NFS deployments, redundant switches and bonded NICs still result in one network (one CIDR block+ default gateway address). + iSCSI can take advantage of two separate storage networks (two CIDR blocks each with its own default gateway). Multipath iSCSI client can failover and load balance between separate storage networks. + + + + + + NIC Bonding And Multipath I/O + + This diagram illustrates the differences between NIC bonding and Multipath I/O (MPIO). NIC bonding configuration involves only one network. MPIO involves two separate networks. +
\ No newline at end of file
diff --git a/docs/en-US/prepare_os.xml b/docs/en-US/prepare_os.xml
deleted file mode 100644
index f0fc201cde7..00000000000
--- a/docs/en-US/prepare_os.xml
+++ /dev/null
@@ -1,106 +0,0 @@
- - -%BOOK_ENTITIES; -]> - - -
- Prepare the Operating System - The OS must be prepared to host the Management Server using the following steps. These steps must be performed on each Management Server node. - - Log in to your OS as root. - Check for a fully qualified hostname. - # hostname --fqdn - This should return a fully qualified hostname such as "kvm1.lab.example.org". If it does not, edit /etc/hosts so that it does. - - Set SELinux to be permissive by default. - - Check to see whether SELinux is installed on your machine. If not, you can skip to step 4. - In RHEL or CentOS, SELinux are installed and enabled by default. You can verify this with: - # rpm -qa | grep selinux - In Ubuntu, SELinux is not installed by default. You can verify this with: - # dpkg --list 'selinux' - - Set the SELINUX variable in /etc/selinux/config to “permissive”. This ensures that the permissive setting will be maintained after a system reboot. - In RHEL or CentOS: - # vi /etc/selinux/config - In Ubuntu (do this step only if SELinux was found on the machine in the previous step): - # selinux-config-enforcing permissive - - Then set SELinux to permissive starting immediately, without requiring a system reboot. - In CentOS: - # setenforce permissive - In RHEL: - # setenforce 0 - In Ubuntu (do this step only if SELinux was found on the machine): - # setenforce permissive - - - - Make sure that the Management Server can reach the Internet. - # ping www.google.com - - (RHEL 6.2) If you do not have a Red Hat Network account, you need to prepare a local Yum repository. - - If you are working with a physical host, insert the RHEL 6.2 installation CD. If you are using a VM, attach the RHEL6 ISO. - Mount the CDROM to /media. - Create a repo file at /etc/yum.repos.d/rhel6.repo. In the file, insert the following lines: - -[rhel] -name=rhel6 -baseurl=file:///media -enabled=1 -gpgcheck=0 - - - - - Turn on NTP for time synchronization. - NTP is required to synchronize the clocks of the servers in your cloud. - - Install NTP. 
- On RHEL or CentOS: - # yum install ntp - On Ubuntu: - # apt-get install ntp - - Edit the NTP configuration file to point to your NTP server. - # vi /etc/ntp.conf - For example, you can use one of the following: - 0.xenserver.pool.ntp.org -1.xenserver.pool.ntp.org -2.xenserver.pool.ntp.org -3.xenserver.pool.ntp.org - - - Restart the NTP client. - # service ntpd restart - - Make sure NTP will start again upon reboot. - On RHEL or CentOS: - # chkconfig ntpd on - On Ubuntu: - # chkconfig ntp on - - - - -
diff --git a/docs/en-US/primary-storage-add.xml b/docs/en-US/primary-storage-add.xml
index 588d491a07a..5581e9e79b1 100644
--- a/docs/en-US/primary-storage-add.xml
+++ b/docs/en-US/primary-storage-add.xml
@@ -23,6 +23,52 @@ -->
- Adding Primary Storage - TODO + Add Primary Storage +
+ System Requirements for Primary Storage + Hardware requirements: + + Any standards-compliant iSCSI or NFS server that is supported by the underlying hypervisor. + The storage server should be a machine with a large number of disks. The disks should ideally be managed by a hardware RAID controller. + Minimum required capacity depends on your needs. + + When setting up primary storage, follow these restrictions: + + Primary storage cannot be added until a host has been added to the cluster. + If you do not provision shared primary storage, you must set the global configuration parameter system.vm.local.storage.required to true, or else you will not be able to start VMs. + +
+
+ Adding Primary Stroage + When you create a new zone, the first primary storage is added as part of that procedure. You can add primary storage servers at any time, such as when adding a new cluster or adding more servers to an existing cluster. + Be sure there is nothing stored on the server. Adding the server to &PRODUCT; will destroy any existing data. + + Log in to the &PRODUCT; UI (see ). + In the left navigation, choose Infrastructure. In Zones, click View More, then click the zone in which you want to add the primary storage. + Click the Compute tab. + In the Primary Storage node of the diagram, click View All. + Click Add Primary Storage. + + Provide the following information in the dialog. The information required varies depending on your choice in Protocol. + + Pod. The pod for the storage device. + Cluster. The cluster for the storage device. + Name. The name of the storage device. + Protocol. For XenServer, choose either NFS, iSCSI, or PreSetup. For KVM, choose NFS or SharedMountPoint. For vSphere choose either VMFS (iSCSI or FiberChannel) or NFS. + Server (for NFS, iSCSI, or PreSetup). The IP address or DNS name of the storage device. + Server (for VMFS). The IP address or DNS name of the vCenter server. + Path (for NFS). In NFS this is the exported path from the server. + Path (for VMFS). In vSphere this is a combination of the datacenter name and the datastore name. The format is "/" datacenter name "/" datastore name. For example, "/cloud.dc.VM/cluster1datastore". + Path (for SharedMountPoint). With KVM this is the path on each host that is where this primary storage is mounted. For example, "/mnt/primary". + SR Name-Label (for PreSetup). Enter the name-label of the SR that has been set up outside &PRODUCT;. + Target IQN (for iSCSI). In iSCSI this is the IQN of the target. For example, iqn.1986-03.com.sun:02:01ec9bb549-1271378984. + Lun # (for iSCSI). In iSCSI this is the LUN number. For example, 3. + Tags (optional). 
The comma-separated list of tags for this storage device. It should be an equivalent set or superset of the tags on your disk offerings.. + + The tag sets on primary storage across clusters in a Zone must be identical. For example, if cluster A provides primary storage that has tags T1 and T2, all other clusters in the Zone must also provide primary storage that has tags T1 and T2. + + Click OK. + + +
diff --git a/docs/en-US/secondary-storage-add.xml b/docs/en-US/secondary-storage-add.xml
index 15e8c742657..e1f45cdec66 100644
--- a/docs/en-US/secondary-storage-add.xml
+++ b/docs/en-US/secondary-storage-add.xml
@@ -23,6 +23,26 @@ -->
+ Add Secondary Storage +
+ System Requirements for Secondary Storage + + NFS storage appliance or Linux NFS server + (Optional) OpenStack Object Storage (Swift) (see http://swift.openstack.org) + 100GB minimum capacity + A secondary storage device must be located in the same zone as the guest VMs it serves. + Each Secondary Storage server must be available to all hosts in the zone. + +
+
Adding Secondary Storage - TODO + When you create a new zone, the first secondary storage is added as part of that procedure. You can add secondary storage servers at any time to add more servers to an existing zone. + Be sure there is nothing stored on the server. Adding the server to &PRODUCT; will destroy any existing data. + + If you are going to use Swift for cloud-wide secondary storage, you must add the Swift storage to &PRODUCT; before you add the local zone secondary storage servers. See . + To prepare for local zone secondary storage, you should have created and mounted an NFS share during Management Server installation. See .See Preparing NFS Shares in the Installation Guide. + Make sure you prepared the system VM template during Management Server installation. See .See Prepare the System VM Template in the Installation Guide. + Now that the secondary storage server for per-zone storage is prepared, add it to &PRODUCT;. Secondary storage is added as part of the procedure for adding a new zone. See . + +
diff --git a/docs/en-US/separate_storage_network.xml b/docs/en-US/separate_storage_network.xml
new file mode 100644
index 00000000000..c3f6330cb14
--- /dev/null
+++ b/docs/en-US/separate_storage_network.xml
@@ -0,0 +1,24 @@
+ +%BOOK_ENTITIES; +]> + +
+ Separate Storage Network + In the large-scale redundant setup described in the previous section, storage traffic can overload the management network. A separate storage network is optional for deployments. Storage protocols such as iSCSI are sensitive to network delays. A separate storage network ensures guest network traffic contention does not impact storage performance. +
\ No newline at end of file
diff --git a/docs/en-US/small_scale_deployment.xml b/docs/en-US/small_scale_deployment.xml
new file mode 100644
index 00000000000..eb509a78d41
--- /dev/null
+++ b/docs/en-US/small_scale_deployment.xml
@@ -0,0 +1,37 @@
+ +%BOOK_ENTITIES; +]> + + +
+ Small-Scale Deployment + + + + + Small-Scale Deployment + + This diagram illustrates the network architecture of a small-scale &PRODUCT; deployment. + + A firewall provides a connection to the Internet. The firewall is configured in NAT mode. The firewall forwards HTTP requests and API calls from the Internet to the Management Server. The Management Server resides on the management network. + A layer-2 switch connects all physical servers and storage. + A single NFS server functions as both the primary and secondary storage. + The Management Server is connected to the management network. + +
\ No newline at end of file
diff --git a/docs/publican-all.cfg b/docs/publican-all.cfg
index d338738f296..897f92b4caa 100644
--- a/docs/publican-all.cfg
+++ b/docs/publican-all.cfg
@@ -25,3 +25,4 @@ docname: cloudstack
 brand: cloudstack
 chunk_first: 1
 chunk_section_depth: 1
+condition: install
diff --git a/docs/publican-install.cfg b/docs/publican-install.cfg
index 708200d460f..64eeed995bb 100644
--- a/docs/publican-install.cfg
+++ b/docs/publican-install.cfg
@@ -24,6 +24,4 @@ docname: cloudstack_installation
 brand: cloudstack
 chunk_first: 1
 chunk_section_depth: 1
-
-
-
+condition: install
diff --git a/patches/systemvm/debian/config/etc/httpd/conf/httpd.conf b/patches/systemvm/debian/config/etc/httpd/conf/httpd.conf
deleted file mode 100644
index e11384ef772..00000000000
--- a/patches/systemvm/debian/config/etc/httpd/conf/httpd.conf
+++ /dev/null
@@ -1,990 +0,0 @@ -# -# This is the main Apache server configuration file. It contains the -# configuration directives that give the server its instructions. -# See for detailed information. -# In particular, see -# -# for a discussion of each configuration directive. -# -# -# Do NOT simply read the instructions in here without understanding -# what they do. They're here only as hints or reminders. If you are unsure -# consult the online docs. You have been warned. -# -# The configuration directives are grouped into three basic sections: -# 1. Directives that control the operation of the Apache server process as a -# whole (the 'global environment'). -# 2. Directives that define the parameters of the 'main' or 'default' server, -# which responds to requests that aren't handled by a virtual host. -# These directives also provide default values for the settings -# of all virtual hosts. -# 3. Settings for virtual hosts, which allow Web requests to be sent to -# different IP addresses or hostnames and have them handled by the -# same Apache server process. -# -# Configuration and logfile names: If the filenames you specify for many -# of the server's control files begin with "/" (or "drive:/" for Win32), the -# server will use that explicit path. If the filenames do *not* begin -# with "/", the value of ServerRoot is prepended -- so "logs/foo.log" -# with ServerRoot set to "/etc/httpd" will be interpreted by the -# server as "/etc/httpd/logs/foo.log". -# - -### Section 1: Global Environment -# -# The directives in this section affect the overall operation of Apache, -# such as the number of concurrent requests it can handle or where it -# can find its configuration files. -# - -# -# Don't give away too much information about all the subcomponents -# we are running. 
Comment out this line if you don't mind remote sites -# finding out what major optional modules you are running -ServerTokens OS - -# -# ServerRoot: The top of the directory tree under which the server's -# configuration, error, and log files are kept. -# -# NOTE! If you intend to place this on an NFS (or otherwise network) -# mounted filesystem then please read the LockFile documentation -# (available at ); -# you will save yourself a lot of trouble. -# -# Do NOT add a slash at the end of the directory path. -# -ServerRoot "/etc/httpd" - -# -# PidFile: The file in which the server should record its process -# identification number when it starts. -# -PidFile run/httpd.pid - -# -# Timeout: The number of seconds before receives and sends time out. -# -Timeout 120 - -# -# KeepAlive: Whether or not to allow persistent connections (more than -# one request per connection). Set to "Off" to deactivate. -# -KeepAlive Off - -# -# MaxKeepAliveRequests: The maximum number of requests to allow -# during a persistent connection. Set to 0 to allow an unlimited amount. -# We recommend you leave this number high, for maximum performance. -# -MaxKeepAliveRequests 100 - -# -# KeepAliveTimeout: Number of seconds to wait for the next request from the -# same client on the same connection. 
-# -KeepAliveTimeout 15 - -## -## Server-Pool Size Regulation (MPM specific) -## - -# prefork MPM -# StartServers: number of server processes to start -# MinSpareServers: minimum number of server processes which are kept spare -# MaxSpareServers: maximum number of server processes which are kept spare -# ServerLimit: maximum value for MaxClients for the lifetime of the server -# MaxClients: maximum number of server processes allowed to start -# MaxRequestsPerChild: maximum number of requests a server process serves - -StartServers 8 -MinSpareServers 5 -MaxSpareServers 20 -ServerLimit 256 -MaxClients 256 -MaxRequestsPerChild 4000 - - -# worker MPM -# StartServers: initial number of server processes to start -# MaxClients: maximum number of simultaneous client connections -# MinSpareThreads: minimum number of worker threads which are kept spare -# MaxSpareThreads: maximum number of worker threads which are kept spare -# ThreadsPerChild: constant number of worker threads in each server process -# MaxRequestsPerChild: maximum number of requests a server process serves - -StartServers 2 -MaxClients 150 -MinSpareThreads 25 -MaxSpareThreads 75 -ThreadsPerChild 25 -MaxRequestsPerChild 0 - - -# -# Listen: Allows you to bind Apache to specific IP addresses and/or -# ports, in addition to the default. See also the -# directive. -# -# Change this to Listen on specific IP addresses as shown below to -# prevent Apache from glomming onto all bound IP addresses (0.0.0.0) -# -#Listen 12.34.56.78:80 -Listen 10.1.1.1:80 - -# -# Dynamic Shared Object (DSO) Support -# -# To be able to use the functionality of a module which was built as a DSO you -# have to place corresponding `LoadModule' lines at this location so the -# directives contained in it are actually available _before_ they are used. -# Statically compiled modules (those listed by `httpd -l') do not need -# to be loaded here. 
-# -# Example: -# LoadModule foo_module modules/mod_foo.so -# -LoadModule auth_basic_module modules/mod_auth_basic.so -LoadModule auth_digest_module modules/mod_auth_digest.so -LoadModule authn_file_module modules/mod_authn_file.so -LoadModule authn_alias_module modules/mod_authn_alias.so -LoadModule authn_anon_module modules/mod_authn_anon.so -LoadModule authn_dbm_module modules/mod_authn_dbm.so -LoadModule authn_default_module modules/mod_authn_default.so -LoadModule authz_host_module modules/mod_authz_host.so -LoadModule authz_user_module modules/mod_authz_user.so -LoadModule authz_owner_module modules/mod_authz_owner.so -LoadModule authz_groupfile_module modules/mod_authz_groupfile.so -LoadModule authz_dbm_module modules/mod_authz_dbm.so -LoadModule authz_default_module modules/mod_authz_default.so -LoadModule ldap_module modules/mod_ldap.so -LoadModule authnz_ldap_module modules/mod_authnz_ldap.so -LoadModule include_module modules/mod_include.so -LoadModule log_config_module modules/mod_log_config.so -LoadModule logio_module modules/mod_logio.so -LoadModule env_module modules/mod_env.so -LoadModule ext_filter_module modules/mod_ext_filter.so -LoadModule mime_magic_module modules/mod_mime_magic.so -LoadModule expires_module modules/mod_expires.so -LoadModule deflate_module modules/mod_deflate.so -LoadModule headers_module modules/mod_headers.so -LoadModule usertrack_module modules/mod_usertrack.so -LoadModule setenvif_module modules/mod_setenvif.so -LoadModule mime_module modules/mod_mime.so -LoadModule dav_module modules/mod_dav.so -LoadModule status_module modules/mod_status.so -LoadModule autoindex_module modules/mod_autoindex.so -LoadModule info_module modules/mod_info.so -LoadModule dav_fs_module modules/mod_dav_fs.so -LoadModule vhost_alias_module modules/mod_vhost_alias.so -LoadModule negotiation_module modules/mod_negotiation.so -LoadModule dir_module modules/mod_dir.so -LoadModule actions_module modules/mod_actions.so -LoadModule speling_module 
modules/mod_speling.so -LoadModule userdir_module modules/mod_userdir.so -LoadModule alias_module modules/mod_alias.so -LoadModule rewrite_module modules/mod_rewrite.so -LoadModule proxy_module modules/mod_proxy.so -LoadModule proxy_balancer_module modules/mod_proxy_balancer.so -LoadModule proxy_ftp_module modules/mod_proxy_ftp.so -LoadModule proxy_http_module modules/mod_proxy_http.so -LoadModule proxy_connect_module modules/mod_proxy_connect.so -LoadModule cache_module modules/mod_cache.so -LoadModule suexec_module modules/mod_suexec.so -LoadModule disk_cache_module modules/mod_disk_cache.so -LoadModule file_cache_module modules/mod_file_cache.so -LoadModule mem_cache_module modules/mod_mem_cache.so -LoadModule cgi_module modules/mod_cgi.so - -# -# The following modules are not loaded by default: -# -#LoadModule cern_meta_module modules/mod_cern_meta.so -#LoadModule asis_module modules/mod_asis.so - -# -# Load config files from the config directory "/etc/httpd/conf.d". -# -Include conf.d/*.conf - -# -# ExtendedStatus controls whether Apache will generate "full" status -# information (ExtendedStatus On) or just basic information (ExtendedStatus -# Off) when the "server-status" handler is called. The default is Off. -# -#ExtendedStatus On - -# -# If you wish httpd to run as a different user or group, you must run -# httpd as root initially and it will switch. -# -# User/Group: The name (or #number) of the user/group to run httpd as. -# . On SCO (ODT 3) use "User nouser" and "Group nogroup". -# . On HPUX you may not be able to use shared memory as nobody, and the -# suggested workaround is to create a user www and use that user. -# NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET) -# when the value of (unsigned)Group is above 60000; -# don't use Group #-1 on these systems! 
-# -User apache -Group apache - -### Section 2: 'Main' server configuration -# -# The directives in this section set up the values used by the 'main' -# server, which responds to any requests that aren't handled by a -# definition. These values also provide defaults for -# any containers you may define later in the file. -# -# All of these directives may appear inside containers, -# in which case these default settings will be overridden for the -# virtual host being defined. -# - -# -# ServerAdmin: Your address, where problems with the server should be -# e-mailed. This address appears on some server-generated pages, such -# as error documents. e.g. admin@your-domain.com -# -ServerAdmin root@localhost - -# -# ServerName gives the name and port that the server uses to identify itself. -# This can often be determined automatically, but we recommend you specify -# it explicitly to prevent problems during startup. -# -# If this is not set to valid DNS name for your host, server-generated -# redirections will not work. See also the UseCanonicalName directive. -# -# If your host doesn't have a registered DNS name, enter its IP address here. -# You will have to access it by its address anyway, and this will make -# redirections work in a sensible way. -# -#ServerName www.example.com:80 - -# -# UseCanonicalName: Determines how Apache constructs self-referencing -# URLs and the SERVER_NAME and SERVER_PORT variables. -# When set "Off", Apache will use the Hostname and Port supplied -# by the client. When set "On", Apache will use the value of the -# ServerName directive. -# -UseCanonicalName Off - -# -# DocumentRoot: The directory out of which you will serve your -# documents. By default, all requests are taken from this directory, but -# symbolic links and aliases may be used to point to other locations. 
-# -DocumentRoot "/var/www/html" - -# -# Each directory to which Apache has access can be configured with respect -# to which services and features are allowed and/or disabled in that -# directory (and its subdirectories). -# -# First, we configure the "default" to be a very restrictive set of -# features. -# - - Options FollowSymLinks - AllowOverride None - - -# -# Note that from this point forward you must specifically allow -# particular features to be enabled - so if something's not working as -# you might expect, make sure that you have specifically enabled it -# below. -# - -# -# This should be changed to whatever you set DocumentRoot to. -# - - -# -# Possible values for the Options directive are "None", "All", -# or any combination of: -# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews -# -# Note that "MultiViews" must be named *explicitly* --- "Options All" -# doesn't give it to you. -# -# The Options directive is both complicated and important. Please see -# http://httpd.apache.org/docs/2.2/mod/core.html#options -# for more information. -# - Options Indexes FollowSymLinks - -# -# AllowOverride controls what directives may be placed in .htaccess files. -# It can be "All", "None", or any combination of the keywords: -# Options FileInfo AuthConfig Limit -# - AllowOverride All - -# -# Controls who can get stuff from this server. -# - Order allow,deny - Allow from all - - - -# -# UserDir: The name of the directory that is appended onto a user's home -# directory if a ~user request is received. -# -# The path to the end user account 'public_html' directory must be -# accessible to the webserver userid. This usually means that ~userid -# must have permissions of 711, ~userid/public_html must have permissions -# of 755, and documents contained therein must be world-readable. -# Otherwise, the client will only receive a "403 Forbidden" message. 
-# -# See also: http://httpd.apache.org/docs/misc/FAQ.html#forbidden -# - - # - # UserDir is disabled by default since it can confirm the presence - # of a username on the system (depending on home directory - # permissions). - # - UserDir disable - - # - # To enable requests to /~user/ to serve the user's public_html - # directory, remove the "UserDir disable" line above, and uncomment - # the following line instead: - # - #UserDir public_html - - - -# -# Control access to UserDir directories. The following is an example -# for a site where these directories are restricted to read-only. -# -# -# AllowOverride FileInfo AuthConfig Limit -# Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec -# -# Order allow,deny -# Allow from all -# -# -# Order deny,allow -# Deny from all -# -# - -# -# DirectoryIndex: sets the file that Apache will serve if a directory -# is requested. -# -# The index.html.var file (a type-map) is used to deliver content- -# negotiated documents. The MultiViews Option can be used for the -# same purpose, but it is much slower. -# -DirectoryIndex index.html index.html.var - -# -# AccessFileName: The name of the file to look for in each directory -# for additional configuration directives. See also the AllowOverride -# directive. -# -AccessFileName .htaccess - -# -# The following lines prevent .htaccess and .htpasswd files from being -# viewed by Web clients. -# - - Order allow,deny - Deny from all - - -# -# TypesConfig describes where the mime.types file (or equivalent) is -# to be found. -# -TypesConfig /etc/mime.types - -# -# DefaultType is the default MIME type the server will use for a document -# if it cannot otherwise determine one, such as from filename extensions. -# If your server contains mostly text or HTML documents, "text/plain" is -# a good value. 
If most of your content is binary, such as applications -# or images, you may want to use "application/octet-stream" instead to -# keep browsers from trying to display binary files as though they are -# text. -# -DefaultType text/plain - -# -# The mod_mime_magic module allows the server to use various hints from the -# contents of the file itself to determine its type. The MIMEMagicFile -# directive tells the module where the hint definitions are located. -# - -# MIMEMagicFile /usr/share/magic.mime - MIMEMagicFile conf/magic - - -# -# HostnameLookups: Log the names of clients or just their IP addresses -# e.g., www.apache.org (on) or 204.62.129.132 (off). -# The default is off because it'd be overall better for the net if people -# had to knowingly turn this feature on, since enabling it means that -# each client request will result in AT LEAST one lookup request to the -# nameserver. -# -HostnameLookups Off - -# -# EnableMMAP: Control whether memory-mapping is used to deliver -# files (assuming that the underlying OS supports it). -# The default is on; turn this off if you serve from NFS-mounted -# filesystems. On some systems, turning it off (regardless of -# filesystem) can improve performance; for details, please see -# http://httpd.apache.org/docs/2.2/mod/core.html#enablemmap -# -#EnableMMAP off - -# -# EnableSendfile: Control whether the sendfile kernel support is -# used to deliver files (assuming that the OS supports it). -# The default is on; turn this off if you serve from NFS-mounted -# filesystems. Please see -# http://httpd.apache.org/docs/2.2/mod/core.html#enablesendfile -# -#EnableSendfile off - -# -# ErrorLog: The location of the error log file. -# If you do not specify an ErrorLog directive within a -# container, error messages relating to that virtual host will be -# logged here. If you *do* define an error logfile for a -# container, that host's errors will be logged there and not here. 
-# -ErrorLog logs/error_log - -# -# LogLevel: Control the number of messages logged to the error_log. -# Possible values include: debug, info, notice, warn, error, crit, -# alert, emerg. -# -LogLevel warn - -# -# The following directives define some format nicknames for use with -# a CustomLog directive (see below). -# -LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined -LogFormat "%h %l %u %t \"%r\" %>s %b" common -LogFormat "%{Referer}i -> %U" referer -LogFormat "%{User-agent}i" agent - -# "combinedio" includes actual counts of actual bytes received (%I) and sent (%O); this -# requires the mod_logio module to be loaded. -#LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio - -# -# The location and format of the access logfile (Common Logfile Format). -# If you do not define any access logfiles within a -# container, they will be logged here. Contrariwise, if you *do* -# define per- access logfiles, transactions will be -# logged therein and *not* in this file. -# -#CustomLog logs/access_log common - -# -# If you would like to have separate agent and referer logfiles, uncomment -# the following directives. -# -#CustomLog logs/referer_log referer -#CustomLog logs/agent_log agent - -# -# For a single logfile with access, agent, and referer information -# (Combined Logfile Format), use the following directive: -# -CustomLog logs/access_log combined - -# -# Optionally add a line containing the server version and virtual host -# name to server-generated pages (internal error documents, FTP directory -# listings, mod_status and mod_info output etc., but not CGI generated -# documents or custom error documents). -# Set to "EMail" to also include a mailto: link to the ServerAdmin. -# Set to one of: On | Off | EMail -# -ServerSignature On - -# -# Aliases: Add here as many aliases as you need (with no limit). 
The format is -# Alias fakename realname -# -# Note that if you include a trailing / on fakename then the server will -# require it to be present in the URL. So "/icons" isn't aliased in this -# example, only "/icons/". If the fakename is slash-terminated, then the -# realname must also be slash terminated, and if the fakename omits the -# trailing slash, the realname must also omit it. -# -# We include the /icons/ alias for FancyIndexed directory listings. If you -# do not use FancyIndexing, you may comment this out. -# -Alias /icons/ "/var/www/icons/" - - - Options Indexes MultiViews FollowSymLinks - AllowOverride None - Order allow,deny - Allow from all - - -# -# WebDAV module configuration section. -# - - # Location of the WebDAV lock database. - DAVLockDB /var/lib/dav/lockdb - - -# -# ScriptAlias: This controls which directories contain server scripts. -# ScriptAliases are essentially the same as Aliases, except that -# documents in the realname directory are treated as applications and -# run by the server when requested rather than as documents sent to the client. -# The same rules about trailing "/" apply to ScriptAlias directives as to -# Alias. -# -ScriptAlias /cgi-bin/ "/var/www/cgi-bin/" - -# -# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased -# CGI directory exists, if you have that configured. -# - - AllowOverride None - Options None - Order allow,deny - Allow from all - - -# -# Redirect allows you to tell clients about documents which used to exist in -# your server's namespace, but do not anymore. This allows you to tell the -# clients where to look for the relocated document. -# Example: -# Redirect permanent /foo http://www.example.com/bar - -# -# Directives controlling the display of server-generated directory listings. -# - -# -# IndexOptions: Controls the appearance of server-generated directory -# listings. 
-# -IndexOptions FancyIndexing VersionSort NameWidth=* HTMLTable - -# -# AddIcon* directives tell the server which icon to show for different -# files or filename extensions. These are only displayed for -# FancyIndexed directories. -# -AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip - -AddIconByType (TXT,/icons/text.gif) text/* -AddIconByType (IMG,/icons/image2.gif) image/* -AddIconByType (SND,/icons/sound2.gif) audio/* -AddIconByType (VID,/icons/movie.gif) video/* - -AddIcon /icons/binary.gif .bin .exe -AddIcon /icons/binhex.gif .hqx -AddIcon /icons/tar.gif .tar -AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv -AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip -AddIcon /icons/a.gif .ps .ai .eps -AddIcon /icons/layout.gif .html .shtml .htm .pdf -AddIcon /icons/text.gif .txt -AddIcon /icons/c.gif .c -AddIcon /icons/p.gif .pl .py -AddIcon /icons/f.gif .for -AddIcon /icons/dvi.gif .dvi -AddIcon /icons/uuencoded.gif .uu -AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl -AddIcon /icons/tex.gif .tex -AddIcon /icons/bomb.gif core - -AddIcon /icons/back.gif .. -AddIcon /icons/hand.right.gif README -AddIcon /icons/folder.gif ^^DIRECTORY^^ -AddIcon /icons/blank.gif ^^BLANKICON^^ - -# -# DefaultIcon is which icon to show for files which do not have an icon -# explicitly set. -# -DefaultIcon /icons/unknown.gif - -# -# AddDescription allows you to place a short description after a file in -# server-generated indexes. These are only displayed for FancyIndexed -# directories. -# Format: AddDescription "description" filename -# -#AddDescription "GZIP compressed document" .gz -#AddDescription "tar archive" .tar -#AddDescription "GZIP compressed tar archive" .tgz - -# -# ReadmeName is the name of the README file the server will look for by -# default, and append to directory listings. -# -# HeaderName is the name of a file which should be prepended to -# directory indexes. 
-ReadmeName README.html -HeaderName HEADER.html - -# -# IndexIgnore is a set of filenames which directory indexing should ignore -# and not include in the listing. Shell-style wildcarding is permitted. -# -IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t - -# -# DefaultLanguage and AddLanguage allows you to specify the language of -# a document. You can then use content negotiation to give a browser a -# file in a language the user can understand. -# -# Specify a default language. This means that all data -# going out without a specific language tag (see below) will -# be marked with this one. You probably do NOT want to set -# this unless you are sure it is correct for all cases. -# -# * It is generally better to not mark a page as -# * being a certain language than marking it with the wrong -# * language! -# -# DefaultLanguage nl -# -# Note 1: The suffix does not have to be the same as the language -# keyword --- those with documents in Polish (whose net-standard -# language code is pl) may wish to use "AddLanguage pl .po" to -# avoid the ambiguity with the common suffix for perl scripts. -# -# Note 2: The example entries below illustrate that in some cases -# the two character 'Language' abbreviation is not identical to -# the two character 'Country' code for its country, -# E.g. 'Danmark/dk' versus 'Danish/da'. -# -# Note 3: In the case of 'ltz' we violate the RFC by using a three char -# specifier. There is 'work in progress' to fix this and get -# the reference data for rfc1766 cleaned up. 
-# -# Catalan (ca) - Croatian (hr) - Czech (cs) - Danish (da) - Dutch (nl) -# English (en) - Esperanto (eo) - Estonian (et) - French (fr) - German (de) -# Greek-Modern (el) - Hebrew (he) - Italian (it) - Japanese (ja) -# Korean (ko) - Luxembourgeois* (ltz) - Norwegian Nynorsk (nn) -# Norwegian (no) - Polish (pl) - Portugese (pt) -# Brazilian Portuguese (pt-BR) - Russian (ru) - Swedish (sv) -# Simplified Chinese (zh-CN) - Spanish (es) - Traditional Chinese (zh-TW) -# -AddLanguage ca .ca -AddLanguage cs .cz .cs -AddLanguage da .dk -AddLanguage de .de -AddLanguage el .el -AddLanguage en .en -AddLanguage eo .eo -AddLanguage es .es -AddLanguage et .et -AddLanguage fr .fr -AddLanguage he .he -AddLanguage hr .hr -AddLanguage it .it -AddLanguage ja .ja -AddLanguage ko .ko -AddLanguage ltz .ltz -AddLanguage nl .nl -AddLanguage nn .nn -AddLanguage no .no -AddLanguage pl .po -AddLanguage pt .pt -AddLanguage pt-BR .pt-br -AddLanguage ru .ru -AddLanguage sv .sv -AddLanguage zh-CN .zh-cn -AddLanguage zh-TW .zh-tw - -# -# LanguagePriority allows you to give precedence to some languages -# in case of a tie during content negotiation. -# -# Just list the languages in decreasing order of preference. We have -# more or less alphabetized them here. You probably want to change this. -# -LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW - -# -# ForceLanguagePriority allows you to serve a result page rather than -# MULTIPLE CHOICES (Prefer) [in case of a tie] or NOT ACCEPTABLE (Fallback) -# [in case no accepted languages matched the available variants] -# -ForceLanguagePriority Prefer Fallback - -# -# Specify a default charset for all content served; this enables -# interpretation of all content as UTF-8 by default. 
To use the -# default browser choice (ISO-8859-1), or to allow the META tags -# in HTML content to override this choice, comment out this -# directive: -# -AddDefaultCharset UTF-8 - -# -# AddType allows you to add to or override the MIME configuration -# file mime.types for specific file types. -# -#AddType application/x-tar .tgz - -# -# AddEncoding allows you to have certain browsers uncompress -# information on the fly. Note: Not all browsers support this. -# Despite the name similarity, the following Add* directives have nothing -# to do with the FancyIndexing customization directives above. -# -#AddEncoding x-compress .Z -#AddEncoding x-gzip .gz .tgz - -# If the AddEncoding directives above are commented-out, then you -# probably should define those extensions to indicate media types: -# -AddType application/x-compress .Z -AddType application/x-gzip .gz .tgz - -# -# AddHandler allows you to map certain file extensions to "handlers": -# actions unrelated to filetype. These can be either built into the server -# or added with the Action directive (see below) -# -# To use CGI scripts outside of ScriptAliased directories: -# (You will also need to add "ExecCGI" to the "Options" directive.) -# -#AddHandler cgi-script .cgi - -# -# For files that include their own HTTP headers: -# -#AddHandler send-as-is asis - -# -# For type maps (negotiated resources): -# (This is enabled by default to allow the Apache "It Worked" page -# to be distributed in multiple languages.) -# -AddHandler type-map var - -# -# Filters allow you to process content before it is sent to the client. -# -# To parse .shtml files for server-side includes (SSI): -# (You will also need to add "Includes" to the "Options" directive.) -# -AddType text/html .shtml -AddOutputFilter INCLUDES .shtml - -# -# Action lets you define media types that will execute a script whenever -# a matching file is called. This eliminates the need for repeated URL -# pathnames for oft-used CGI file processors. 
-# Format: Action media/type /cgi-script/location -# Format: Action handler-name /cgi-script/location -# - -# -# Customizable error responses come in three flavors: -# 1) plain text 2) local redirects 3) external redirects -# -# Some examples: -#ErrorDocument 500 "The server made a boo boo." -#ErrorDocument 404 /missing.html -#ErrorDocument 404 "/cgi-bin/missing_handler.pl" -#ErrorDocument 402 http://www.example.com/subscription_info.html -# - -# -# Putting this all together, we can internationalize error responses. -# -# We use Alias to redirect any /error/HTTP_.html.var response to -# our collection of by-error message multi-language collections. We use -# includes to substitute the appropriate text. -# -# You can modify the messages' appearance without changing any of the -# default HTTP_.html.var files by adding the line: -# -# Alias /error/include/ "/your/include/path/" -# -# which allows you to create your own set of files by starting with the -# /var/www/error/include/ files and -# copying them to /your/include/path/, even on a per-VirtualHost basis. 
-# - -Alias /error/ "/var/www/error/" - - - - - AllowOverride None - Options IncludesNoExec - AddOutputFilter Includes html - AddHandler type-map var - Order allow,deny - Allow from all - LanguagePriority en es de fr - ForceLanguagePriority Prefer Fallback - - -# ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var -# ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var -# ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var -# ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var -# ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var -# ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var -# ErrorDocument 410 /error/HTTP_GONE.html.var -# ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var -# ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var -# ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var -# ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var -# ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var -# ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var -# ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var -# ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var -# ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var -# ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var - - - - -# -# The following directives modify normal HTTP response behavior to -# handle known problems with browser implementations. -# -BrowserMatch "Mozilla/2" nokeepalive -BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0 -BrowserMatch "RealPlayer 4\.0" force-response-1.0 -BrowserMatch "Java/1\.0" force-response-1.0 -BrowserMatch "JDK/1\.0" force-response-1.0 - -# -# The following directive disables redirects on non-GET requests for -# a directory that does not include the trailing slash. This fixes a -# problem with Microsoft WebFolders which does not appropriately handle -# redirects for folders with DAV methods. -# Same deal with Apple's DAV filesystem and Gnome VFS support for DAV. 
-# -BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully -BrowserMatch "MS FrontPage" redirect-carefully -BrowserMatch "^WebDrive" redirect-carefully -BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully -BrowserMatch "^gnome-vfs/1.0" redirect-carefully -BrowserMatch "^XML Spy" redirect-carefully -BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully - -# -# Allow server status reports generated by mod_status, -# with the URL of http://servername/server-status -# Change the ".example.com" to match your domain to enable. -# -# -# SetHandler server-status -# Order deny,allow -# Deny from all -# Allow from .example.com -# - -# -# Allow remote server configuration reports, with the URL of -# http://servername/server-info (requires that mod_info.c be loaded). -# Change the ".example.com" to match your domain to enable. -# -# -# SetHandler server-info -# Order deny,allow -# Deny from all -# Allow from .example.com -# - -# -# Proxy Server directives. Uncomment the following lines to -# enable the proxy server: -# -# -#ProxyRequests On -# -# -# Order deny,allow -# Deny from all -# Allow from .example.com -# - -# -# Enable/disable the handling of HTTP/1.1 "Via:" headers. -# ("Full" adds the server version; "Block" removes all outgoing Via: headers) -# Set to one of: Off | On | Full | Block -# -#ProxyVia On - -# -# To enable a cache of proxied content, uncomment the following lines. -# See http://httpd.apache.org/docs/2.2/mod/mod_cache.html for more details. -# -# -# CacheEnable disk / -# CacheRoot "/var/cache/mod_proxy" -# -# - -# -# End of proxy directives. - -### Section 3: Virtual Hosts -# -# VirtualHost: If you want to maintain multiple domains/hostnames on your -# machine you can setup VirtualHost containers for them. Most configurations -# use only name-based virtual hosts so the server doesn't need to worry about -# IP addresses. This is indicated by the asterisks in the directives below. 
-# -# Please see the documentation at -# -# for further details before you try to setup virtual hosts. -# -# You may use the command line option '-S' to verify your virtual host -# configuration. - -# -# Use name-based virtual hosting. -# -#NameVirtualHost *:80 -# -# NOTE: NameVirtualHost cannot be used without a port specifier -# (e.g. :80) if mod_ssl is being used, due to the nature of the -# SSL protocol. -# - -# -# VirtualHost example: -# Almost any Apache directive may go into a VirtualHost container. -# The first VirtualHost section is used for requests without a known -# server name. -# -# -# ServerAdmin webmaster@dummy-host.example.com -# DocumentRoot /www/docs/dummy-host.example.com -# ServerName dummy-host.example.com -# ErrorLog logs/dummy-host.example.com-error_log -# CustomLog logs/dummy-host.example.com-access_log common -# diff --git a/patches/systemvm/debian/config/etc/logrotate.conf b/patches/systemvm/debian/config/etc/logrotate.conf index f5a660964d3..59a6242bb4c 100644 --- a/patches/systemvm/debian/config/etc/logrotate.conf +++ b/patches/systemvm/debian/config/etc/logrotate.conf @@ -1,32 +1,21 @@ -# see "man logrotate" for details # rotate log files daily daily - # keep 5 days worth rotate 5 - # create new (empty) log files after rotating old ones create - # use date as a suffix of the rotated file dateext - -# uncomment this if you want your log files compressed -#compress - # max size 50M size 50M - # RPM packages drop log rotation information into this directory include /etc/logrotate.d - # no packages own wtmp and btmp -- we'll rotate them here /var/log/wtmp { monthly create 0664 root utmp rotate 1 } - /var/log/btmp { missingok monthly @@ -34,4 +23,3 @@ include /etc/logrotate.d rotate 1 } -# system-specific logs may be also be configured here. diff --git a/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh b/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh index 7331c53ea67..590b58e5784 100755 
--- a/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh +++ b/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh @@ -48,7 +48,7 @@ destroy_acl_chain() { create_acl_chain() { destroy_acl_chain sudo iptables -t mangle -N ACL_OUTBOUND_$dev 2>/dev/null - sudo iptables -t mangle -A ACL_OUTBOUND_$dev -j DROP 2>/dev/null + sudo iptables -t mangle -A ACL_OUTBOUND_$dev -j ACCEPT 2>/dev/null sudo iptables -t mangle -A PREROUTING -m state --state NEW -i $dev -s $subnet/$mask ! -d $ip -j ACL_OUTBOUND_$dev 2>/dev/null sudo iptables -N ACL_INBOUND_$dev 2>/dev/null # drop if no rules match (this will be the last rule in the chain) diff --git a/patches/systemvm/debian/config/root/redundant_router/keepalived.conf.templ b/patches/systemvm/debian/config/root/redundant_router/keepalived.conf.templ index fd7235f67e2..e016bc95d35 100644 --- a/patches/systemvm/debian/config/root/redundant_router/keepalived.conf.templ +++ b/patches/systemvm/debian/config/root/redundant_router/keepalived.conf.templ @@ -1,5 +1,3 @@ -! Configuration File for keepalived - global_defs { router_id [ROUTER_ID] } @@ -36,29 +34,7 @@ vrrp_instance inside_network { heartbeat } - #nopreempt - - # notify scripts and alerts are optional - # - # filenames of scripts to run on transitions - # can be unquoted (if just filename) - # or quoted (if has parameters) - # to MASTER transition notify_master "[RROUTER_BIN_PATH]/master.sh" - # to BACKUP transition notify_backup "[RROUTER_BIN_PATH]/backup.sh" - # FAULT transition notify_fault "[RROUTER_BIN_PATH]/fault.sh" - - # for ANY state transition. - # "notify" script is called AFTER the - # notify_* script(s) and is executed - # with 3 arguments provided by keepalived - # (ie don't include parameters in the notify line). - # arguments - # $1 = "GROUP"|"INSTANCE" - # $2 = name of group or instance - # $3 = target state of transition - # ("MASTER"|"BACKUP"|"FAULT") - #notify [RROUTER_BIN_PATH]/notify.sh } 
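Review bot: The ACL_OUTBOUND_$dev chain now ends in ACCEPT instead of DROP, so traffic from $subnet/$mask that matches no other rule in that chain is passed rather than blocked — the egress ACL becomes fail-open, while the inbound chain set up on the next lines keeps its "drop if no rules match" comment. If that asymmetry is intended, say so next to the rule, e.g. `# default ACCEPT: an empty egress ACL permits all traffic; ACL rules must be placed ahead of this`. Because the chain was just created with -N, this ACCEPT is its first rule, so any later rule appended with -A lands behind it and is presumably unreachable; the code that populates the chain is outside this hunk, as is the rest of create_acl_chain.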
diff --git a/patches/systemvm/debian/config/var/lib/misc/dnsmasq.leases b/patches/systemvm/debian/config/var/lib/misc/dnsmasq.leases deleted file mode 100644 index e69de29bb2d..00000000000 diff --git a/patches/systemvm/debian/vpn/etc/ipsec.conf b/patches/systemvm/debian/vpn/etc/ipsec.conf index a1c4bfb52b8..dc363b3a65f 100644 --- a/patches/systemvm/debian/vpn/etc/ipsec.conf +++ b/patches/systemvm/debian/vpn/etc/ipsec.conf 
@@ -1,50 +1,9 @@ -# /etc/ipsec.conf - Openswan IPsec configuration file - -# This file: /usr/share/doc/openswan/ipsec.conf-sample -# # Manual: ipsec.conf.5 +version 2.0 - -version 2.0 # conforms to second version of ipsec.conf specification - -# basic configuration config setup - # Do not set debug options to debug configuration issues! - # plutodebug / klipsdebug = "all", "none" or a combation from below: - # "raw crypt parsing emitting control klips pfkey natt x509 dpd private" - # eg: - # plutodebug="control parsing" - # - # enable to get logs per-peer - # plutoopts="--perpeerlog" - # - # Again: only enable plutodebug or klipsdebug when asked by a developer - # - # NAT-TRAVERSAL support, see README.NAT-Traversal nat_traversal=yes - # exclude networks used on server side by adding %v4:!a.b.c.0/24 virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12 - # OE is now off by default. Uncomment and change to on, to enable. - oe=off - # which IPsec stack to use. auto will try netkey, then klips then mast protostack=auto - -# Add connections here - -# sample VPN connection -# for more examples, see /etc/ipsec.d/examples/ -#conn sample -# # Left security gateway, subnet behind it, nexthop toward right. -# left=10.0.0.1 -# leftsubnet=172.16.0.0/24 -# leftnexthop=10.22.33.44 -# # Right security gateway, subnet behind it, nexthop toward left. -# right=10.12.12.1 -# rightsubnet=192.168.0.0/24 -# rightnexthop=10.101.102.103 -# # To authorize this connection, but not actually start it, -# # at startup, uncomment this. -# #auto=add - include /etc/ipsec.d/*.conf diff --git a/patches/systemvm/debian/vpn/etc/ipsec.conf.orig b/patches/systemvm/debian/vpn/etc/ipsec.conf.orig deleted file mode 100644 index d185e6cd502..00000000000 --- a/patches/systemvm/debian/vpn/etc/ipsec.conf.orig +++ /dev/null 
@@ -1,48 +0,0 @@ -# /etc/ipsec.conf - Openswan IPsec configuration file - -# This file: /usr/share/doc/openswan/ipsec.conf-sample -# -# Manual: ipsec.conf.5 - - -version 2.0 # conforms to second version of ipsec.conf specification - -# basic configuration -config setup - # Do not set debug options to debug configuration issues! - # plutodebug / klipsdebug = "all", "none" or a combation from below: - # "raw crypt parsing emitting control klips pfkey natt x509 dpd private" - # eg: - # plutodebug="control parsing" - # - # enable to get logs per-peer - # plutoopts="--perpeerlog" - # - # Again: only enable plutodebug or klipsdebug when asked by a developer - # - # NAT-TRAVERSAL support, see README.NAT-Traversal - nat_traversal=yes - # exclude networks used on server side by adding %v4:!a.b.c.0/24 - virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12 - # OE is now off by default. Uncomment and change to on, to enable. - oe=off - # which IPsec stack to use. auto will try netkey, then klips then mast - protostack=auto - - -# Add connections here - -# sample VPN connection -# for more examples, see /etc/ipsec.d/examples/ -#conn sample -# # Left security gateway, subnet behind it, nexthop toward right. -# left=10.0.0.1 -# leftsubnet=172.16.0.0/24 -# leftnexthop=10.22.33.44 -# # Right security gateway, subnet behind it, nexthop toward left. -# right=10.12.12.1 -# rightsubnet=192.168.0.0/24 -# rightnexthop=10.101.102.103 -# # To authorize this connection, but not actually start it, -# # at startup, uncomment this. -# #auto=add diff --git a/patches/systemvm/debian/vpn/etc/ipsec.secrets b/patches/systemvm/debian/vpn/etc/ipsec.secrets index 67ae69886cb..d9a9a43c747 100644 --- a/patches/systemvm/debian/vpn/etc/ipsec.secrets +++ b/patches/systemvm/debian/vpn/etc/ipsec.secrets 
@@ -1,12 +1,2 @@ -# RCSID $Id: ipsec.secrets.proto,v 1.3.6.1 2005/09/28 13:59:14 paul Exp $ -# This file holds shared secrets or RSA private keys for inter-Pluto -# authentication. See ipsec_pluto(8) manpage, and HTML documentation. - -# RSA private key for this host, authenticating it to any other host -# which knows the public part. Suitable public keys, for ipsec.conf, DNS, -# or configuration of other implementations, can be extracted conveniently -# with "ipsec showhostkey". - -# this file is managed with debconf and will contain the automatically created RSA keys include /var/lib/openswan/ipsec.secrets.inc include /etc/ipsec.d/ipsec.*.secrets diff --git a/patches/systemvm/debian/vpn/etc/ipsec.secrets.orig b/patches/systemvm/debian/vpn/etc/ipsec.secrets.orig deleted file mode 100644 index 6885545e8e8..00000000000 --- a/patches/systemvm/debian/vpn/etc/ipsec.secrets.orig +++ /dev/null @@ -1,11 +0,0 @@ -# RCSID $Id: ipsec.secrets.proto,v 1.3.6.1 2005/09/28 13:59:14 paul Exp $ -# This file holds shared secrets or RSA private keys for inter-Pluto -# authentication. See ipsec_pluto(8) manpage, and HTML documentation. - -# RSA private key for this host, authenticating it to any other host -# which knows the public part. Suitable public keys, for ipsec.conf, DNS, -# or configuration of other implementations, can be extracted conveniently -# with "ipsec showhostkey". - -# this file is managed with debconf and will contain the automatically created RSA keys -include /var/lib/openswan/ipsec.secrets.inc diff --git a/patches/systemvm/debian/vpn/etc/xl2tpd/xl2tpd.conf.orig b/patches/systemvm/debian/vpn/etc/xl2tpd/xl2tpd.conf.orig deleted file mode 100644 index 9f2f03a5048..00000000000 --- a/patches/systemvm/debian/vpn/etc/xl2tpd/xl2tpd.conf.orig +++ /dev/null 
@@ -1,76 +0,0 @@ -; -; Sample l2tpd configuration file -; -; This example file should give you some idea of how the options for l2tpd -; should work. The best place to look for a list of all options is in -; the source code itself, until I have the time to write better documetation :) -; Specifically, the file "file.c" contains a list of commands at the end. -; -; You most definitely don't have to spell out everything as it is done here -; -; [global] ; Global parameters: -; port = 1701 ; * Bind to port 1701 -; auth file = /etc/l2tpd/l2tp-secrets ; * Where our challenge secrets are -; access control = yes ; * Refuse connections without IP match -; rand source = dev ; Source for entropy for random -; ; numbers, options are: -; ; dev - reads of /dev/urandom -; ; sys - uses rand() -; ; egd - reads from egd socket -; ; egd is not yet implemented -; -; [lns default] ; Our fallthrough LNS definition -; exclusive = no ; * Only permit one tunnel per host -; ip range = 192.168.0.1-192.168.0.20 ; * Allocate from this IP range -; no ip range = 192.168.0.3-192.168.0.9 ; * Except these hosts -; ip range = 192.168.0.5 ; * But this one is okay -; ip range = lac1-lac2 ; * And anything from lac1 to lac2's IP -; lac = 192.168.1.4 - 192.168.1.8 ; * These can connect as LAC's -; no lac = untrusted.marko.net ; * This guy can't connect -; hidden bit = no ; * Use hidden AVP's? -; local ip = 192.168.1.2 ; * Our local IP to use -; length bit = yes ; * Use length bit in payload? -; require chap = yes ; * Require CHAP auth. by peer -; refuse pap = yes ; * Refuse PAP authentication -; refuse chap = no ; * Refuse CHAP authentication -; refuse authentication = no ; * Refuse authentication altogether -; require authentication = yes ; * Require peer to authenticate -; unix authentication = no ; * Use /etc/passwd for auth. 
-; name = myhostname ; * Report this as our hostname -; ppp debug = no ; * Turn on PPP debugging -; pppoptfile = /etc/ppp/options.l2tpd.lns ; * ppp options file -; call rws = 10 ; * RWS for call (-1 is valid) -; tunnel rws = 4 ; * RWS for tunnel (must be > 0) -; flow bit = yes ; * Include sequence numbers -; challenge = yes ; * Challenge authenticate peer ; -; rx bps = 10000000 ; Receive tunnel speed -; tx bps = 10000000 ; Transmit tunnel speed -; bps = 100000 ; Define both receive and transmit speed in one option - -; [lac marko] ; Example VPN LAC definition -; lns = lns.marko.net ; * Who is our LNS? -; lns = lns2.marko.net ; * A backup LNS (not yet used) -; redial = yes ; * Redial if disconnected? -; redial timeout = 15 ; * Wait n seconds between redials -; max redials = 5 ; * Give up after n consecutive failures -; hidden bit = yes ; * User hidden AVP's? -; local ip = 192.168.1.1 ; * Force peer to use this IP for us -; remote ip = 192.168.1.2 ; * Force peer to use this as their IP -; length bit = no ; * Use length bit in payload? -; require pap = no ; * Require PAP auth. by peer -; require chap = yes ; * Require CHAP auth. by peer -; refuse pap = yes ; * Refuse PAP authentication -; refuse chap = no ; * Refuse CHAP authentication -; refuse authentication = no ; * Refuse authentication altogether -; require authentication = yes ; * Require peer to authenticate -; name = marko ; * Report this as our hostname -; ppp debug = no ; * Turn on PPP debugging -; pppoptfile = /etc/ppp/options.l2tpd.marko ; * ppp options file for this lac -; call rws = 10 ; * RWS for call (-1 is valid) -; tunnel rws = 4 ; * RWS for tunnel (must be > 0) -; flow bit = yes ; * Include sequence numbers -; challenge = yes ; * Challenge authenticate peer -; -; [lac cisco] ; Another quick LAC -; lns = cisco.marko.net ; * Required, but can take from default -; require authentication = yes 
diff --git a/patches/systemvm/debian/xe/xe-linux-distribution.init b/patches/systemvm/debian/xe/xe-linux-distribution.init deleted file mode 100644 index df6c8455213..00000000000 --- a/patches/systemvm/debian/xe/xe-linux-distribution.init +++ /dev/null 
@@ -1,106 +0,0 @@ -#!/bin/bash -# -# xe-linux-distribution Write Linux distribution information to XenStore. -# -# chkconfig: 2345 14 86 -# description: Writes Linux distribution version information to XenStore. -# -### BEGIN INIT INFO -# Provides: XenServer Virtual Machine Tools -# Required-Start: $local_fs -# Required-Stop: $local_fs -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: XenServer Virtual Machine daemon providing host integration services -# Description: Writes Linux distribution version information to XenStore. -### END INIT INFO - -LANG="C" -export LANG - -if [ -f /etc/init.d/functions ] ; then -. /etc/init.d/functions -else -action() -{ - descr=$1 ; shift - cmd=$@ - echo -n "$descr " - $cmd - ret=$? - if [ $ret -eq 0 ] ; then - echo "OK" - else - echo "Failed" - fi - return $ret -} -fi - -XE_LINUX_DISTRIBUTION=/usr/sbin/xe-linux-distribution -XE_LINUX_DISTRIBUTION_CACHE=/var/cache/xe-linux-distribution -XE_DAEMON=/usr/sbin/xe-daemon -XE_DAEMON_PIDFILE=/var/run/xe-daemon.pid - -if [ ! -x "${XE_LINUX_DISTRIBUTION}" ] ; then - exit 0 -fi - -start() -{ - if [ ! -e /proc/xen/xenbus ] ; then - if [ ! -d /proc/xen ] ; then - action $"Mounting xenfs on /proc/xen:" /bin/false - echo "Could not find /proc/xen directory." 
- echo "You need a post 2.6.29-rc1 kernel with CONFIG_XEN_COMPAT_XENFS=y and CONFIG_XENFS=y|m" - exit 1 - else - # This is needed post 2.6.29-rc1 when /proc/xen support was pushed upstream as a xen filesystem - action $"Mounting xenfs on /proc/xen:" mount -t xenfs none /proc/xen - fi - fi - - if [ -e /proc/xen/capabilities ] && grep -q control_d /proc/xen/capabilities ; then - # Do not want daemon in domain 0 - exit 0 - fi - - action $"Detecting Linux distribution version:" \ - ${XE_LINUX_DISTRIBUTION} ${XE_LINUX_DISTRIBUTION_CACHE} - - action $"Starting xe daemon: " /bin/true - mkdir -p $(dirname ${XE_DAEMON_PIDFILE}) - # This is equivalent to daemon() in C - ( exec &>/dev/null ; ${XE_DAEMON} -p ${XE_DAEMON_PIDFILE} & ) -} - -stop() -{ - action $"Stopping xe daemon: " kill -TERM $(cat ${XE_DAEMON_PIDFILE}) -} - -# fail silently if not running xen -if [ ! -d /proc/xen ]; then - exit -fi - -case "$1" in - start) - start - ;; - stop) - stop - ;; - force-reload|restart) - stop - start - ;; - *) - # do not advertise unreasonable commands that there is no reason - # to use with this device - echo $"Usage: $0 start|restart" - exit 1 -esac - -exit $? - diff --git a/patches/systemvm/debian/xe/xen-vcpu-hotplug.rules b/patches/systemvm/debian/xe/xen-vcpu-hotplug.rules deleted file mode 100644 index ecb200e2201..00000000000 --- a/patches/systemvm/debian/xe/xen-vcpu-hotplug.rules +++ /dev/null @@ -1 +0,0 @@ -ACTION=="add", SUBSYSTEM=="cpu", RUN+="/bin/sh -c '[ ! -e /sys$devpath/online ] || echo 1 > /sys$devpath/online'" diff --git a/plugins/hypervisors/kvm/src/com/cloud/hypervisor/kvm/storage/LibvirtStorageAdaptor.java b/plugins/hypervisors/kvm/src/com/cloud/hypervisor/kvm/storage/LibvirtStorageAdaptor.java index f86f33ab4eb..13818431ef4 100644 --- a/plugins/hypervisors/kvm/src/com/cloud/hypervisor/kvm/storage/LibvirtStorageAdaptor.java +++ b/plugins/hypervisors/kvm/src/com/cloud/hypervisor/kvm/storage/LibvirtStorageAdaptor.java 
@@ -199,7 +199,7 @@ public class LibvirtStorageAdaptor implements StorageAdaptor { sp.create(0); return sp; } catch (LibvirtException e) { - s_logger.debug(e.toString()); + s_logger.error(e.toString()); if (sp != null) { try { sp.undefine(); @@ -230,7 +230,7 @@ public class LibvirtStorageAdaptor implements StorageAdaptor { return sp; } catch (LibvirtException e) { - s_logger.debug(e.toString()); + s_logger.error(e.toString()); if (sp != null) { try { sp.undefine(); @@ -260,7 +260,7 @@ public class LibvirtStorageAdaptor implements StorageAdaptor { sp.create(0); return sp; } catch (LibvirtException e) { - s_logger.debug(e.toString()); + s_logger.error(e.toString()); if (sp != null) { try { sp.undefine(); @@ -294,7 +294,7 @@ public class LibvirtStorageAdaptor implements StorageAdaptor { s = conn.secretDefineXML(sd.toString()); s.setValue(Base64.decodeBase64(userInfoTemp[1])); } catch (LibvirtException e) { - s_logger.debug(e.toString()); + s_logger.error(e.toString()); if (s != null) { try { s.undefine(); diff --git a/pom.xml b/pom.xml index a05e60c6aee..0c600bca047 100644 --- a/pom.xml +++ b/pom.xml 
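Review bot: Raising the level to error is right, but `s_logger.error(e.toString())` still discards the stack trace and the cause chain of the LibvirtException, which is what an operator needs when pool creation fails; the same pattern appears in all four hunks of this file. Pass the exception as the second argument, e.g. `s_logger.error("Failed to create/define libvirt storage pool", e);` (and the equivalent for the secret definition in the last hunk). Each enclosing method continues outside its hunk.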
@@ -209,29 +209,11 @@ deps/XenServerJava/Makefile dist/console-proxy/js/jquery.js scripts/vm/systemvm/id_rsa.cloud - patches/systemvm/debian/xe/xen-vcpu-hotplug.rules - patches/systemvm/debian/xe/xe-linux-distribution.init patches/systemvm/debian/systemvm.vmx - patches/systemvm/debian/config/etc/ssh/sshd_config - patches/systemvm/debian/config/etc/logrotate.d/haproxy - patches/systemvm/debian/config/etc/logrotate.d/dnsmasq - patches/systemvm/debian/config/etc/logrotate.d/apache2 - patches/systemvm/debian/config/etc/logrotate.d/ppp - patches/systemvm/debian/config/etc/logrotate.d/rsyslog - patches/systemvm/debian/config/etc/vpcdnsmasq.conf - patches/systemvm/debian/config/etc/httpd/conf/httpd.conf - patches/systemvm/debian/config/etc/haproxy/haproxy.cfg - patches/systemvm/debian/config/etc/apache2/vhostexample.conf - patches/systemvm/debian/config/etc/apache2/sites-available/default-ssl - patches/systemvm/debian/config/etc/apache2/sites-available/default - patches/systemvm/debian/config/etc/apache2/httpd.conf - patches/systemvm/debian/config/etc/apache2/ports.conf patches/systemvm/debian/config/etc/rsyslog.conf patches/systemvm/debian/config/etc/cloud-nic.rules - patches/systemvm/debian/config/etc/logrotate.conf patches/systemvm/debian/config/etc/init.d/postinit patches/systemvm/debian/config/etc/modprobe.d/aesni_intel - patches/systemvm/debian/config/etc/sysctl.conf patches/systemvm/debian/config/etc/dnsmasq.conf patches/systemvm/debian/config/etc/rc.local patches/systemvm/debian/config/root/redundant_router/heartbeat.sh.templ 
@@ -244,17 +226,9 @@ patches/systemvm/debian/config/root/redundant_router/master.sh.templ patches/systemvm/debian/config/root/redundant_router/conntrackd.conf.templ patches/systemvm/debian/config/root/redundant_router/enable_pubip.sh.templ - patches/systemvm/debian/config/var/lib/misc/dnsmasq.leases patches/systemvm/debian/config/var/www/html/userdata/.htaccess patches/systemvm/debian/config/var/www/html/latest/.htaccess - patches/systemvm/debian/vpn/etc/ipsec.conf.orig - patches/systemvm/debian/vpn/etc/ipsec.secrets.orig - patches/systemvm/debian/vpn/etc/ipsec.conf patches/systemvm/debian/vpn/etc/ipsec.d/l2tp.conf - patches/systemvm/debian/vpn/etc/ppp/options.xl2tpd - patches/systemvm/debian/vpn/etc/xl2tpd/xl2tpd.conf - patches/systemvm/debian/vpn/etc/xl2tpd/xl2tpd.conf.orig - patches/systemvm/debian/vpn/etc/ipsec.secrets tools/devcloud/basebuild/puppet-devcloudinitial/files/network.conf tools/devcloud/devcloud.cfg ui/lib/flot/jquery.colorhelpers.js @@ -296,6 +270,19 @@ 512m + + org.apache.maven.plugins + maven-jar-plugin + 2.4 + + + + true + true + + + + org.codehaus.mojo build-helper-maven-plugin @@ -329,6 +316,12 @@ deps + + developer + + developer + + diff --git a/scripts/vm/hypervisor/xenserver/vmops b/scripts/vm/hypervisor/xenserver/vmops index e3f3e336e92..21c73ac8dc2 100755 --- a/scripts/vm/hypervisor/xenserver/vmops +++ b/scripts/vm/hypervisor/xenserver/vmops 
@@ -360,6 +360,26 @@ def createFile(session, args): return txt +@echo +def createFileInDomr(session, args): + file_path = args['filepath'] + file_contents = args['filecontents'] + domrip = args['domrip'] + try: + tmpfile = util.pread2(['mktemp']).strip() + f = open(tmpfile, "w") + f.write(file_contents) + f.close() + target = "root@" + domrip + ":" + file_path + util.pread2(['scp','-P','3922','-q','-o','StrictHostKeyChecking=no','-i','/root/.ssh/id_rsa.cloud',tmpfile, target]) + util.pread2(['rm',tmpfile]) + txt = 'success' + except: + util.SMlog(" failed to create HA proxy cfg file ") + txt = '' + + return txt + @echo def deleteFile(session, args): file_path = args["filepath"] @@ -1452,4 +1472,5 @@ if __name__ == "__main__": "setLinkLocalIP":setLinkLocalIP, "cleanup_rules":cleanup_rules, "bumpUpPriority":bumpUpPriority, + "createFileInDomr":createFileInDomr, "kill_copy_process":kill_copy_process}) diff --git a/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java b/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java index db678ae694c..ae0f4ec7fa1 100644 --- a/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java +++ b/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java 
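Review bot: In createFileInDomr the mktemp file is only removed on the success path, so a failing scp (or write) leaves the file contents — which the log message suggests is a proxy configuration pushed into the router — lying in the dom0 temp directory, and the bare `except:` then hides the actual error behind a fixed log line. Wrap the write and scp in a try/finally that always removes the temp file, narrow the handler to `Exception`, and include the target path in the log so the failure is attributable; the dispatcher entry in the second hunk is fine. The fixed line-width of the scp argument list and the hard-coded key path are unchanged below.
```python
@echo
def createFileInDomr(session, args):
    file_path = args['filepath']
    file_contents = args['filecontents']
    domrip = args['domrip']
    tmpfile = None
    txt = ''
    try:
        try:
            tmpfile = util.pread2(['mktemp']).strip()
            f = open(tmpfile, "w")
            try:
                f.write(file_contents)
            finally:
                f.close()
            target = "root@" + domrip + ":" + file_path
            # … unchanged: scp call …
            txt = 'success'
        except Exception:
            util.SMlog(" failed to create file %s in domr %s " % (file_path, domrip))
    finally:
        if tmpfile:
            util.pread2(['rm', '-f', tmpfile])
    return txt
```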
@@ -468,12 +468,14 @@ public class Site2SiteVpnManagerImpl implements Site2SiteVpnManager, Manager { } checkCustomerGatewayCidrList(guestCidrList); - + long accountId = gw.getAccountId(); - if (_customerGatewayDao.findByGatewayIp(gatewayIp) != null) { + Site2SiteCustomerGatewayVO existedGw = _customerGatewayDao.findByGatewayIp(gatewayIp); + if (existedGw != null && existedGw.getId() != gw.getId()) { throw new InvalidParameterValueException("The customer gateway with ip " + gatewayIp + " already existed in the system!"); } - if (_customerGatewayDao.findByNameAndAccountId(name, accountId) != null) { + existedGw = _customerGatewayDao.findByNameAndAccountId(name, accountId); + if (existedGw != null && existedGw.getId() != gw.getId()) { throw new InvalidParameterValueException("The customer gateway with name " + name + " already existed!"); } diff --git a/setup/db/create-index-fk.sql b/setup/db/create-index-fk.sql index 82284d42e2e..62674c6c798 100755 --- a/setup/db/create-index-fk.sql +++ b/setup/db/create-index-fk.sql @@ -93,3 +93,5 @@ ALTER TABLE `cloud`.`ssh_keypairs` ADD CONSTRAINT `fk_ssh_keypairs__account_id` ALTER TABLE `cloud`.`ssh_keypairs` ADD CONSTRAINT `fk_ssh_keypairs__domain_id` FOREIGN KEY `fk_ssh_keypair__domain_id` (`domain_id`) REFERENCES `domain` (`id`) ON DELETE CASCADE; ALTER TABLE `cloud`.`usage_event` ADD INDEX `i_usage_event__created`(`created`); + +ALTER TABLE `cloud`.`nicira_nvp_nic_map` ADD CONSTRAINT `fk_nicira_nvp_nic_map__nic` FOREIGN KEY `fk_nicira_nvp_nic_map__nic` (`nic`) REFERENCES `nics` (`uuid`) ON DELETE CASCADE; diff --git a/test/scripts/wget.exe b/test/scripts/wget.exe deleted file mode 100644 index 1b15a04242a..00000000000 Binary files a/test/scripts/wget.exe and /dev/null differ diff --git a/tools/build/build_docs.sh b/tools/build/build_docs.sh new file mode 100755 index 00000000000..34e459f7b94 --- /dev/null +++ b/tools/build/build_docs.sh 
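Review bot: The self-exclusion `existedGw.getId() != gw.getId()` is only correct if getId() returns a primitive long; should it return a boxed Long, `!=` compares references and the gateway's own record would still be rejected as a duplicate. Worth confirming against the VO, and a short comment on the first check would help readers, e.g. `// allow the gateway being updated to keep its own ip/name`. The enclosing method continues outside the hunk.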
@@ -0,0 +1,55 @@ +#!/bin/bash +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +sourcedir=~/incubator-cloudstack/ +common_content_dir=/usr/share/publican/Common_Content +publican_path=/usr/bin/publican + +usage(){ + echo "usage: $0 [-s source dir] [-c publican common content] [-p path to publican]" + echo " -s sets the source directory (defaults to $sourcedir)" + echo " -c sets the public common content directory (defaults to $common_content_dir)" + echo " -p sets the path to the publican binary (defaults to $publican_path)" + echo " -h" +} + +while getopts v:s:c:p:h opt +do + case "$opt" in + v) version="$OPTARG";; + s) sourcedir="$OPTARG";; + c) common_content_dir="$OPTARG";; + p) publican_path="$OPTARG";; + h) usage + exit 0;; + \?) + usage + exit 1;; + esac +done + +if [ ! -x "$publican_path" ]; then + echo "$publican_path doesn't seem like an executeable?" + exit 1 +fi + +cd $sourcedir/docs +cp -R /usr/share/publican/Common_Content . +ln -s $sourcedir/docs/publican-cloudstack Common_Content/cloudstack +publican build --config=publican-all.cfg --formats html,pdf --langs en-US --common_content=$sourcedir/docs/Common_Content +rm -r Common_Content \ No newline at end of file 
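Review bot: `cd $sourcedir/docs` is unquoted and unchecked, so when the directory does not exist the script carries on in the caller's working directory and the closing `rm -r Common_Content` runs there; use `cd "$sourcedir/docs" || exit 1`. The `-c` option stores `common_content_dir` but the copy still hard-codes `/usr/share/publican/Common_Content`; `cp -R "$common_content_dir" .` would honour the option. `-v` is accepted by getopts and assigned to `version` but never used and not listed in usage(), and "executeable" in the error message should read "executable".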
diff --git a/tools/guest_password/cloud-set-guest-password b/tools/guest_password/cloud-set-guest-password new file mode 100644 index 00000000000..97e6e3d7bee --- /dev/null +++ b/tools/guest_password/cloud-set-guest-password 
@@ -0,0 +1,116 @@ +#!/bin/bash +# +# Init file for Password Download Client +# +# chkconfig: 345 98 02 +# description: Password Download Client + +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + + +# Modify this line to specify the user (default is root) +user=root + +# Add your DHCP lease folders here +DHCP_FOLDERS="/var/lib/dhclient/* /var/lib/dhcp3/*" +password_received=0 +file_count=0 +error_count=0 + +for DHCP_FILE in $DHCP_FOLDERS +do + if [ -f $DHCP_FILE ] + then + file_count=$((file_count+1)) + PASSWORD_SERVER_IP=$(grep dhcp-server-identifier $DHCP_FILE | tail -1 | awk '{print $NF}' | tr -d '\;') + + if [ -n $PASSWORD_SERVER_IP ] + then + logger -t "cloud" "Found password server IP $PASSWORD_SERVER_IP in $DHCP_FILE" + logger -t "cloud" "Sending request to password server at $PASSWORD_SERVER_IP" + password=$(wget -q -t 3 -T 20 -O - --header "DomU_Request: send_my_password" $PASSWORD_SERVER_IP:8080) + password=$(echo $password | tr -d '\r') + + if [ $? 
-eq 0 ] + then + logger -t "cloud" "Got response from server at $PASSWORD_SERVER_IP" + + case $password in + + "") logger -t "cloud" "Password server at $PASSWORD_SERVER_IP did not have any password for the VM" + continue + ;; + + "bad_request") logger -t "cloud" "VM sent an invalid request to password server at $PASSWORD_SERVER_IP" + error_count=$((error_count+1)) + continue + ;; + + "saved_password") logger -t "cloud" "VM has already saved a password from the password server at $PASSWORD_SERVER_IP" + continue + ;; + + *) logger -t "cloud" "VM got a valid password from server at $PASSWORD_SERVER_IP" + password_received=1 + break + ;; + + esac + else + logger -t "cloud" "Failed to send request to password server at $PASSWORD_SERVER_IP" + error_count=$((error_count+1)) + fi + else + logger -t "cloud" "Could not find password server IP in $DHCP_FILE" + error_count=$((error_count+1)) + fi + fi +done + +if [ "$password_received" == "0" ] +then + if [ "$error_count" == "$file_count" ] + then + logger -t "cloud" "Failed to get password from any server" + exit 1 + else + logger -t "cloud" "Did not need to change password." + exit 0 + fi +fi + +logger -t "cloud" "Changing password ..." +echo $password | passwd --stdin $user + +if [ $? -gt 0 ] +then + usermod -p `mkpasswd -m SHA-512 $password` $user + + if [ $? -gt 0 ] + then + logger -t "cloud" "Failed to change password for user $user" + exit 1 + else + logger -t "cloud" "Successfully changed password for user $user" + fi +fi + +logger -t "cloud" "Sending acknowledgment to password server at $PASSWORD_SERVER_IP" +wget -t 3 -T 20 -O - --header "DomU_Request: saved_password" $PASSWORD_SERVER_IP:8080 +exit 0 + diff --git a/ui/dictionary.jsp b/ui/dictionary.jsp index f64864ccadf..9457e30af79 100644 --- a/ui/dictionary.jsp +++ b/ui/dictionary.jsp @@ -25,6 +25,8 @@ under the License. <% long now = System.currentTimeMillis(); %>
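Review bot: `[ -n $PASSWORD_SERVER_IP ]` is unquoted, so when grep finds nothing the test degenerates to `[ -n ]`, which is true, and the "Could not find password server IP" branch can never run; write `if [ -n "$PASSWORD_SERVER_IP" ]`. Similarly the `$? -eq 0` test sees the status of the `tr` pipeline, not of wget, so "Failed to send request" is unreachable; save `rc=$?` immediately after the wget assignment and test `$rc`. The password is also fed through an unquoted `echo $password` (word-splitting, `-n`/`-e` interpretation) and placed on the `mkpasswd -m SHA-512 $password` command line, where other local users can read it from the process list; `printf '%s\n' "$password" | passwd --stdin "$user"` fixes the former, and the fallback should pass the password to mkpasswd on stdin rather than argv where the installed mkpasswd supports it.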