diff --git a/filter_plugins/oo_filters.py b/filter_plugins/oo_filters.py index 45795d0975f..09062ce4d1f 100644 --- a/filter_plugins/oo_filters.py +++ b/filter_plugins/oo_filters.py @@ -375,6 +375,13 @@ def oo_split(string, separator=','): return string.split(separator) +def oo_list_to_dict(lst, separator='='): + """ This converts a list of ["k=v"] to a dictionary {k: v}. + """ + kvs = [i.split(separator) for i in lst] + return {k: v for k, v in kvs} + + def oo_haproxy_backend_masters(hosts, port): """ This takes an array of dicts and returns an array of dicts to be used as a backend for the haproxy role @@ -989,6 +996,7 @@ def filters(self): "oo_combine_dict": oo_combine_dict, "oo_dict_to_list_of_dict": oo_dict_to_list_of_dict, "oo_split": oo_split, + "oo_list_to_dict": oo_list_to_dict, "oo_filter_list": oo_filter_list, "oo_parse_heat_stack_outputs": oo_parse_heat_stack_outputs, "oo_parse_named_certificates": oo_parse_named_certificates, diff --git a/playbooks/openshift-etcd/private/config.yml b/playbooks/openshift-etcd/private/config.yml index 3d6c79834a8..35407969edd 100644 --- a/playbooks/openshift-etcd/private/config.yml +++ b/playbooks/openshift-etcd/private/config.yml @@ -19,7 +19,6 @@ hosts: oo_etcd_to_config any_errors_fatal: true roles: - - role: os_firewall - role: openshift_clock - role: openshift_etcd etcd_peers: "{{ groups.oo_etcd_to_config | default([], true) }}" diff --git a/playbooks/openshift-loadbalancer/private/config.yml b/playbooks/openshift-loadbalancer/private/config.yml index 78fe663db53..2636d857e65 100644 --- a/playbooks/openshift-loadbalancer/private/config.yml +++ b/playbooks/openshift-loadbalancer/private/config.yml 
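Review bot: In `oo_list_to_dict`, `i.split(separator)` has no split limit, so an entry whose value itself contains the separator (constructed example: `"k=a=b"`) yields three parts and the `for k, v in kvs` unpacking raises `ValueError`; an entry with no separator fails the same way. Splitting once keeps the rest of the value intact: `kvs = [i.split(separator, 1) for i in lst]`. The new `l_docker_log_options_dict` default in roles/container_runtime/defaults/main.yml passes `l2_docker_log_options` through this filter into daemon.json, so a malformed entry is better rejected with an error that names the offending item than with a bare unpacking traceback.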
@@ -11,13 +11,6 @@ status: "In Progress" start: "{{ lookup('pipe', 'date +%Y%m%d%H%M%SZ') }}" -- name: Configure firewall load balancers - hosts: oo_lb_to_config:!oo_masters_to_config:!oo_nodes_to_config - vars: - openshift_image_tag: "{{ hostvars[groups.oo_first_master.0].openshift_image_tag }}" - roles: - - role: os_firewall - - name: Configure load balancers hosts: oo_lb_to_config vars: diff --git a/playbooks/openshift-master/private/config.yml b/playbooks/openshift-master/private/config.yml index afb8d6bd199..eb88fb3527d 100644 --- a/playbooks/openshift-master/private/config.yml +++ b/playbooks/openshift-master/private/config.yml @@ -180,7 +180,6 @@ | oo_collect('openshift.common.ip') | default([]) | join(',') }}" roles: - - role: os_firewall - role: openshift_master_facts - role: openshift_hosted_facts - role: openshift_clock diff --git a/playbooks/openshift-nfs/private/config.yml b/playbooks/openshift-nfs/private/config.yml index 6ea77e00b03..3625efcc60b 100644 --- a/playbooks/openshift-nfs/private/config.yml +++ b/playbooks/openshift-nfs/private/config.yml @@ -14,7 +14,6 @@ - name: Configure nfs hosts: oo_nfs_to_config roles: - - role: os_firewall - role: openshift_storage_nfs - name: NFS Install Checkpoint End diff --git a/playbooks/openshift-node/private/configure_nodes.yml b/playbooks/openshift-node/private/configure_nodes.yml index dc5d7a57ed6..32b288c8b09 100644 --- a/playbooks/openshift-node/private/configure_nodes.yml +++ b/playbooks/openshift-node/private/configure_nodes.yml @@ -10,7 +10,6 @@ | oo_collect('openshift.common.hostname') | default([]) | join (',') }}" roles: - - role: os_firewall - role: openshift_clock - role: openshift_node - role: tuned diff --git a/playbooks/openshift-node/private/containerized_nodes.yml b/playbooks/openshift-node/private/containerized_nodes.yml index 5afa83be742..ef07669cb7f 100644 --- a/playbooks/openshift-node/private/containerized_nodes.yml +++ b/playbooks/openshift-node/private/containerized_nodes.yml 
@@ -12,7 +12,6 @@ }}" roles: - - role: os_firewall - role: openshift_clock - role: openshift_node openshift_ca_host: "{{ groups.oo_first_master.0 }}" diff --git a/playbooks/prerequisites.yml b/playbooks/prerequisites.yml index 0cc5fcef8cc..7b7868cfe56 100644 --- a/playbooks/prerequisites.yml +++ b/playbooks/prerequisites.yml @@ -3,4 +3,10 @@ vars: skip_verison: True +# This is required for container runtime for crio, only needs to run once. +- name: Configure os_firewall + hosts: oo_masters_to_config:oo_etcd_to_config:oo_lb_to_config:oo_nfs_to_config:oo_nodes_to_config + roles: + - role: os_firewall + - import_playbook: container-runtime/private/config.yml diff --git a/roles/container_runtime/defaults/main.yml b/roles/container_runtime/defaults/main.yml index bd96965ac69..d7eb8663f1b 100644 --- a/roles/container_runtime/defaults/main.yml +++ b/roles/container_runtime/defaults/main.yml @@ -59,6 +59,7 @@ docker_default_storage_path: /var/lib/docker # Set local versions of facts that must be in json format for container-daemon.json # NOTE: When jinja2.9+ is used the container-daemon.json file can move to using tojson l_docker_log_options: "{{ l2_docker_log_options | to_json }}" +l_docker_log_options_dict: "{{ l2_docker_log_options | oo_list_to_dict | to_json }}" l_docker_additional_registries: "{{ l2_docker_additional_registries | to_json }}" l_docker_blocked_registries: "{{ l2_docker_blocked_registries | to_json }}" l_docker_insecure_registries: "{{ l2_docker_insecure_registries | to_json }}" @@ -81,6 +82,7 @@ l_insecure_crio_registries: "{{ '\"{}\"'.format('\", \"'.join(l2_docker_insecure l_crio_registries: "{{ l2_docker_additional_registries + ['docker.io'] }}" l_additional_crio_registries: "{{ '\"{}\"'.format('\", \"'.join(l_crio_registries)) }}" + openshift_crio_image_tag_default: "latest" l_crt_crio_image_tag_dict: 
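Review bot: With the play added to playbooks/prerequisites.yml, `os_firewall` is applied only from that playbook, while the etcd, load balancer, master, nfs and node config playbooks changed in this commit no longer list the role. A host that reaches those playbooks without prerequisites.yml having been run against it would be configured without the role; whether every later entry point (a scale-up run, for example) passes through prerequisites is not visible in this diff. The comment above the play gives only the crio reason, so I would extend it to state the new ordering contract, e.g. `# os_firewall is no longer applied by the component config playbooks; every host must go through prerequisites.yml first.`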
@@ -127,3 +129,5 @@ l_docker_image_tag: "{{ l_crt_docker_image_tag_dict[openshift_deployment_type] } l_docker_image_default: "{{ l_docker_image_prepend }}/{{ openshift_docker_service_name }}:{{ l_docker_image_tag }}" l_docker_image: "{{ openshift_docker_systemcontainer_image_override | default(l_docker_image_default) }}" + +l_is_node_system_container: "{{ (openshift_use_node_system_container | default(openshift_use_system_containers | default(false)) | bool) }}" diff --git a/roles/container_runtime/tasks/systemcontainer_crio.yml b/roles/container_runtime/tasks/systemcontainer_crio.yml index 5ea7df65050..61f122f3ceb 100644 --- a/roles/container_runtime/tasks/systemcontainer_crio.yml +++ b/roles/container_runtime/tasks/systemcontainer_crio.yml @@ -4,7 +4,7 @@ fail: msg='Cannot use CRI-O with node configured as a Docker container' when: - openshift.common.is_containerized | bool - - not openshift.common.is_node_system_container | bool + - not l_is_node_system_container | bool - include_tasks: common/pre.yml diff --git a/roles/container_runtime/templates/daemon.json b/roles/container_runtime/templates/daemon.json index 383963bd363..1a72d812a74 100644 --- a/roles/container_runtime/templates/daemon.json +++ b/roles/container_runtime/templates/daemon.json @@ -5,10 +5,10 @@ "disable-legacy-registry": false, "exec-opts": ["native.cgroupdriver=systemd"], "insecure-registries": {{ l_docker_insecure_registries }}, -{% if openshift_docker_log_driver is defined %} +{% if openshift_docker_log_driver %} "log-driver": "{{ openshift_docker_log_driver }}", {%- endif %} - "log-opts": {{ l_docker_log_options }}, + "log-opts": {{ l_docker_log_options_dict }}, "runtimes": { "oci": { "path": "/usr/libexec/docker/docker-runc-current" diff --git a/roles/openshift_node/tasks/main.yml b/roles/openshift_node/tasks/main.yml index d9f3e920dd2..32c5f495f25 100644 --- a/roles/openshift_node/tasks/main.yml +++ b/roles/openshift_node/tasks/main.yml 
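Review bot: In roles/container_runtime/templates/daemon.json, the changed test `{% if openshift_docker_log_driver %}` evaluates the variable instead of checking that it exists, and Ansible templates raise an undefined-variable error on a truth test of an undefined name. No default for `openshift_docker_log_driver` is visible in this diff, so unless the role defaults define it elsewhere the template would fail for inventories that do not set it. `{% if openshift_docker_log_driver | default(false) %}` keeps the new skip-when-empty behaviour and tolerates an unset variable.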
@@ -44,6 +44,15 @@ - name: include node installer include_tasks: install.yml +- name: Restart cri-o + systemd: + name: cri-o + enabled: yes + state: restarted + when: openshift_use_crio + register: task_result + failed_when: task_result|failed and 'could not find the requested service' not in task_result.msg|lower + - name: restart NetworkManager to ensure resolv.conf is present systemd: name: NetworkManager diff --git a/roles/openshift_version/defaults/main.yml b/roles/openshift_version/defaults/main.yml index 01a1a747255..4ebf0b894a7 100644 --- a/roles/openshift_version/defaults/main.yml +++ b/roles/openshift_version/defaults/main.yml @@ -1,2 +1,3 @@ --- openshift_protect_installed_version: True +openshift_use_crio_only: False diff --git a/roles/openshift_version/meta/main.yml b/roles/openshift_version/meta/main.yml index 5d7683120ac..2d317700a70 100644 --- a/roles/openshift_version/meta/main.yml +++ b/roles/openshift_version/meta/main.yml @@ -13,3 +13,5 @@ galaxy_info: - cloud dependencies: - role: lib_utils +- role: container_runtime +- role: openshift_facts
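Review bot: The `failed_when` on the new `Restart cri-o` task in roles/openshift_node/tasks/main.yml treats "could not find the requested service" as success, so a host with `openshift_use_crio` set but no cri-o unit installed passes this step silently and the missing runtime surfaces only later. If that tolerance is needed for a specific case, a comment naming the case would help; otherwise the task should be allowed to fail. The condition is also a bare variable, unlike the `| bool` conditions in systemcontainer_crio.yml; `when: openshift_use_crio | default(false) | bool` would handle string values from an inventory and an unset variable. Separately, `state: restarted` restarts the service on every run of the role, not only when its configuration changed.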