diff --git a/manifests/site.pp b/manifests/site.pp
index 6fc551fc8b..0bd6a3ab3a 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -126,7 +126,16 @@ node 'community.openstack.org' {
 node 'ci-puppetmaster.openstack.org' {
 class { 'openstack_project::puppetmaster':
- sysadmins => hiera('sysadmins'),
+ root_rsa_key => hiera('puppetmaster_root_rsa_key'),
+ override_list => [
+ 'git01.openstack.org',
+ 'git02.openstack.org',
+ 'git03.openstack.org',
+ 'git04.openstack.org',
+ 'git05.openstack.org',
+ 'review.openstack.org',
+ ],
+ sysadmins => hiera('sysadmins'),
 }
 }
diff --git a/modules/openstack_project/manifests/base.pp b/modules/openstack_project/manifests/base.pp
index 9185eccf0b..e504abd85a 100644
--- a/modules/openstack_project/manifests/base.pp
+++ b/modules/openstack_project/manifests/base.pp
@@ -63,6 +63,25 @@ class openstack_project::base(
 )
 }
+ if ! defined(File['/root/.ssh']) {
+ file { '/root/.ssh':
+ ensure => directory,
+ mode => '0700',
+ }
+ }
+
+ ssh_authorized_key { '/root/.ssh/authorized_keys':
+ ensure => present,
+ user => 'root',
+ type => 'ssh-rsa',
+ key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDSLlN41ftgxkNeUi/kATYPwMPjJdMaSbgokSb9PSkRPZE7GeNai60BCfhu+ky8h5eMe70Bpwb7mQ7GAtHGXPNU1SRBPhMuVN9EYrQbt5KSiwuiTXtQHsWyYrSKtB+XGbl2PhpMQ/TPVtFoL5usxu/MYaakVkCEbt5IbPYNg88/NKPixicJuhi0qsd+l1X1zoc1+Fn87PlwMoIgfLIktwaL8hw9mzqr+pPcDIjCFQQWnjqJVEObOcMstBT20XwKj/ymiH+6p123nnlIHilACJzXhmIZIZO+EGkNF7KyXpcBSfv9efPI+VCE2TOv/scJFdEHtDFkl2kdUBYPC0wQ92rp',
+ options => [
+ "command=\"${::openstack_project::params::allowed_ssh_command}\"",
+ 'from="ci-puppetmaster.openstack.org"',
+ ],
+ require => File['/root/.ssh'],
+ }
+
 # Use upstream puppet and pin to version 2.7.*
 if ($::osfamily == 'Debian') {
 apt::source { 'puppetlabs':
diff --git a/modules/openstack_project/manifests/params.pp b/modules/openstack_project/manifests/params.pp
index 0a098f6894..9350c6802a 100644
--- a/modules/openstack_project/manifests/params.pp
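Review bot: The root key added by `ssh_authorized_key { '/root/.ssh/authorized_keys': ... }` restricts only the executed command; sshd's `command=` option does not stop the client from requesting port, agent or X11 forwarding or a pty, so the options array should also carry `'no-port-forwarding'`, `'no-agent-forwarding'`, `'no-X11-forwarding'`, `'no-pty'` to limit the key to the puppet run and nothing else. The `from="ci-puppetmaster.openstack.org"` pattern is matched by sshd against the canonical (reverse-resolved) name of the connecting address, so the key silently stops working if that reverse record is missing or changes; a comment stating this dependency, or an address pattern alongside the name, is worth adding. The forced command reads `$::openstack_project::params::allowed_ssh_command`, yet this hunk adds no `include openstack_project::params`; whether the class is already included elsewhere in openstack_project::base is not visible from here. The enclosing class body continues outside the hunk.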
+++ b/modules/openstack_project/manifests/params.pp
@@ -18,4 +18,5 @@ class openstack_project::params {
 fail("Unsupported osfamily: ${::osfamily} The 'openstack_project' module only supports osfamily Debian or RedHat (slaves only).")
 }
 }
+ $allowed_ssh_command = 'timeout -s 9 30 puppet agent --test'
 }
diff --git a/modules/openstack_project/manifests/puppetmaster.pp b/modules/openstack_project/manifests/puppetmaster.pp
index 6241202e6b..12c803e75c 100644
--- a/modules/openstack_project/manifests/puppetmaster.pp
+++ b/modules/openstack_project/manifests/puppetmaster.pp
@@ -1,8 +1,12 @@
 # == Class: openstack_project::puppetmaster
 #
 class openstack_project::puppetmaster (
+ $root_rsa_key,
+ $override_list = [],
 $sysadmins = []
 ) {
+ include openstack_project::params
+
 class { 'openstack_project::server':
 iptables_public_tcp_ports => [4505, 4506, 8140],
 sysadmins => $sysadmins,
@@ -45,6 +49,25 @@ class openstack_project::puppetmaster (
 mode => '0750',
 }
+ file { '/usr/local/bin/run_remote_puppet':
+ ensure => present,
+ mode => '0700',
+ content => template('openstack_project/run_remote_puppet.sh.erb'),
+ }
+
+ if ! defined(File['/root/.ssh']) {
+ file { '/root/.ssh':
+ ensure => directory,
+ mode => '0700',
+ }
+ }
+
+ file { '/root/.ssh/id_rsa':
+ ensure => present,
+ mode => '0400',
+ content => $root_rsa_key,
+ }
+
 # Cloud credentials are stored in this directory for launch-node.py.
 file { '/root/ci-launch':
 ensure => directory,
diff --git a/modules/openstack_project/templates/run_remote_puppet.sh.erb b/modules/openstack_project/templates/run_remote_puppet.sh.erb
new file mode 100755
index 0000000000..f798df7f2c
--- /dev/null
+++ b/modules/openstack_project/templates/run_remote_puppet.sh.erb
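Review bot: `$allowed_ssh_command` hands `30` to `timeout` with no unit suffix, i.e. thirty seconds, which a `puppet agent --test` run that has to compile and apply a catalog can easily exceed; if minutes were meant the value should be `timeout -s 9 30m puppet agent --test`, and either way a comment on the line naming the chosen limit and why SIGKILL (`-s 9`) rather than the default TERM is used would record the intent. Since this string becomes the only thing the fleet-wide root key installed by openstack_project::base is allowed to execute, the comment should say so too, because any edit here widens what that key can do on every host.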
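Review bot: The `# == Class: openstack_project::puppetmaster` header documents none of the parameters even though this hunk adds a required one; add `# === Parameters` entries stating that `root_rsa_key` is the private key material written to /root/.ssh/id_rsa (required, looked up from hiera in site.pp) and that `override_list` is the list of certnames run serially before the parallel pass, as run_remote_puppet.sh.erb in this change does. Because `$root_rsa_key` is passed as a class parameter and then used as file content, it travels inside the compiled catalog; a note on the parameter that the hiera value must be treated as a secret would help the next maintainer.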
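Review bot: The `file { '/root/.ssh/id_rsa': ... }` resource sets `mode => '0400'` but no `owner`/`group`, and its `content => $root_rsa_key` is private key material, so the resource should also make sure the agent never prints a content diff for it; add `owner => 'root', group => 'root',` and `show_diff => false,` where the pinned Puppet version offers the per-resource parameter (otherwise the global `show_diff` setting governs, which is worth confirming). `/usr/local/bin/run_remote_puppet` is installed with `mode => '0700'` and likewise no owner; the same `owner => 'root'` applies. A one-line comment above that file resource saying it is the script run_all.sh invokes after refreshing the config checkout would help readers find the caller.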
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+# Copyright 2014 Hewlett-Packard Development Company, L.P.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# This function will properly fail if puppet is disabled on the target host
+function run_ssh {
+ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@$1 <%= scope.lookupvar('openstack_project::params::allowed_ssh_command') %>
+ ret=$?
+ # Did we timeout
+ if [ $ret eq 124 ]; the
+ echo "TODO: Timeout instead of other failure. Report this differently."
+ fi
+ return $ret
+}
+
+FULL_LIST=$(puppet cert list -a | grep '^\+' | awk '{print $2}' | sed 's/"//g')
+OVERRIDE_LIST="
+<% @override_list.each do |host| -%>
+<%= host %>
+<% end -%>
+"
+FILTERED_LIST=""
+for host in $FULL_LIST; do
+ if ! echo $OVERRIDE_LIST | grep $host >/dev/null 2>&1 ; then
+ FILTERED_LIST="$FILTERED_LIST $host"
+ fi
+done
+
+cd /opt/config/production
+
+# Run things that need to be ordered
+for host in $OVERRIDE_LIST; do
+ if ! run_ssh $host ; then
+ break
+ fi
+done
+
+# Now, run everyone else
+echo $FILTERED_LIST | xargs -P 10 -n 1 run_ssh
diff --git a/modules/ssh/templates/sshd_config.erb b/modules/ssh/templates/sshd_config.erb
index 37d23b6a43..104c4485bd 100644
--- a/modules/ssh/templates/sshd_config.erb
+++ b/modules/ssh/templates/sshd_config.erb
@@ -23,7 +23,7 @@ LogLevel INFO
 # Authentication:
 LoginGraceTime 120
-PermitRootLogin no
+PermitRootLogin forced-commands-only
 StrictModes yes
 RSAAuthentication yes
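Review bot: `run_ssh` cannot work as written: `if [ $ret eq 124 ]; the` needs `-eq` and `then`, and the final `xargs -P 10 -n 1 run_ssh` execs a program named run_ssh, which is a shell function and not on PATH in anything this change adds, so the parallel pass fails unless the function is exported and invoked through `bash -c`. The ssh call also disables host-key verification (`UserKnownHostsFile=/dev/null`, `StrictHostKeyChecking=no`) while presenting the puppetmaster's root key, leaving every remote run open to host impersonation; since the puppetmaster already knows every node, a managed known_hosts (for example via puppet `sshkey` resources) would let both options be dropped, and until then a comment should record that the check is off. The filter `echo $OVERRIDE_LIST | grep $host` is an unanchored regex substring match, so a certname that is a substring of an override entry is wrongly excluded from the parallel pass; `grep -qxF` over one-name-per-line input avoids that. With `-s 9` in the forced command, coreutils documents exit status 137 rather than 124 when the command is killed, so the timeout check may never trigger; confirm against the `timeout` shipped on the targets.
```shell
function run_ssh {
    # … unchanged: ssh invocation …
    ret=$?
    # Did we timeout
    if [ $ret -eq 124 ]; then
        echo "TODO: Timeout instead of other failure. Report this differently."
    fi
    return $ret
}
export -f run_ssh

# … unchanged: FULL_LIST and OVERRIDE_LIST construction …
FILTERED_LIST=""
for host in $FULL_LIST; do
    if ! printf '%s\n' $OVERRIDE_LIST | grep -qxF "$host"; then
        FILTERED_LIST="$FILTERED_LIST $host"
    fi
done

# … unchanged: cd and the ordered run over OVERRIDE_LIST …

# Now, run everyone else
echo $FILTERED_LIST | xargs -P 10 -n 1 bash -c 'run_ssh "$0"'
```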
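Review bot: `PermitRootLogin forced-commands-only` applies to every host rendered from this template, not only those that receive the forced-command key in openstack_project::base, and the template gives no hint why `no` was relaxed; a comment would preserve the intent, e.g. `# Root may authenticate only with a key that carries a command= option (puppetmaster remote runs)`. With this value a root key lacking `command=` is still refused, which is the property the change relies on, so the comment should also point at the authorized_keys options it depends on.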
diff --git a/run_all.sh b/run_all.sh
new file mode 100755
index 0000000000..6f35c43359
--- /dev/null
+++ b/run_all.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# Copyright 2014 Hewlett-Packard Development Company, L.P.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+cd /opt/config/production
+git fetch -a && git reset -q --hard @{u}
+./install_modules.sh
+
+# One must touch manifests/site.pp to trick puppet into re-loading modules
+# some times
+touch manifests/site.pp
+
+# Run this as an external script so that the above pull will get new changes
+/usr/local/bin/run_remote_puppet
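Review bot: `cd /opt/config/production` is unchecked, so if the directory is missing the following `git reset -q --hard @{u}`, `./install_modules.sh` and `touch` run in whatever the caller's working directory happens to be; change it to `cd /opt/config/production || exit 1` (or add `set -e` after the shebang). `git fetch -a` is git's `--append`, not `--all`, so if fetching every remote was intended the flag should be `--all`; the default-remote fetch still works as written. Because this script resets the checkout to its upstream branch and then executes that content as root on the puppetmaster, which in turn triggers root-level runs on every host through run_remote_puppet, a header comment stating that the upstream branch is the trust boundary for the whole fleet would help future readers weigh changes to it.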