diff --git a/roles/ceph-rbd/tasks/main.yml b/roles/ceph-rbd/tasks/main.yml
index 260a8ae0f0c89831e3d1dbc63904cba540bacab0..2a28e86964f8a37bfd96795b86b0c4de4e81c1c1 100644
--- a/roles/ceph-rbd/tasks/main.yml
+++ b/roles/ceph-rbd/tasks/main.yml
@@ -23,6 +23,7 @@
   changed_when: ceph_check_image.stdout != ceph_image_name
   command:
     cmd: rbd -n client.{{ ceph_login }} list {{ ceph_pool_name }}
+  ignore_errors: yes
 
 - name: create rbd image
   when:
diff --git a/roles/mediaserver/tasks/main.yml b/roles/mediaserver/tasks/main.yml
index 2a2525924b0ebc750649e497ed6ca90701ab254e..397590ddfca43915afe01c3a12d9b7461eb036bb 100644
--- a/roles/mediaserver/tasks/main.yml
+++ b/roles/mediaserver/tasks/main.yml
@@ -6,6 +6,21 @@
     install_recommends: false
     name: "{{ server_packages }}"
 
+- name: fetch ssh public key
+  register: root_ssh_pubkey
+  slurp:
+    path: /root/.ssh/id_ed25519.pub
+
+- name: register ssh public key as an ansible fact
+  set_fact:
+    pubkey: "{{ root_ssh_pubkey['content'] | b64decode }}"
+
+- name: share ssh public key between cluster members
+  loop: "{{ groups['mediaserver'] }}"
+  authorized_key:
+    user: root
+    key: "{{ hostvars[item]['pubkey'] }}"
+
 - name: resolve domain name to localhost
   when: not in_docker
   notify: restart nginx
@@ -26,6 +41,7 @@
     dest: "{{ item }}"
     mode: push
     copy_links: yes
+    set_remote_user: no
   delegate_to: "{{ groups['mediaserver'][0] }}"
 
 - name: create instances
diff --git a/roles/ocfs2/tasks/main.yml b/roles/ocfs2/tasks/main.yml
index 7791cab5cccaff9afd4bee8f11c1c9f15034b9d3..e1828eb60093076b25592c7c7a3902ea87460216 100644
--- a/roles/ocfs2/tasks/main.yml
+++ b/roles/ocfs2/tasks/main.yml
@@ -26,7 +26,7 @@
   when: inventory_hostname == play_hosts[0]
   filesystem:
     fstype: ocfs2
-    opts: -T mail
+    opts: -T mail -Jblock64
     dev: /dev/rbd0
 
 - name: mount mapped device
diff --git a/roles/sysconfig/handlers/main.yml b/roles/sysconfig/handlers/main.yml
index ee9f0c9a1d6b3920e28c30cb1e2d328257eeb0f8..8a44608f001486e8f4ae6d9a5131313146fa91a2 100644
--- a/roles/sysconfig/handlers/main.yml
+++ b/roles/sysconfig/handlers/main.yml
@@ -12,6 +12,11 @@
     name: cron
     state: restarted
 
+- name: restart sshd
+  service:
+    name: sshd
+    state: restarted
+
 - name: update cache
   apt:
     force_apt_get: true
diff --git a/roles/sysconfig/tasks/main.yml b/roles/sysconfig/tasks/main.yml
index fbc1a3450d056b55adcbc7d9d55d2b204b18dd30..4b0dbe3604c12465c7f5fef54fc13148e76cc227 100644
--- a/roles/sysconfig/tasks/main.yml
+++ b/roles/sysconfig/tasks/main.yml
@@ -20,6 +20,19 @@
       APT::Periodic::Update-Package-Lists "1";
       APT::Periodic::Unattended-Upgrade "1";
 
+- name: enable root login via ssh with key
+  replace:
+    dest: /etc/ssh/sshd_config
+    regexp: '^#PermitRootLogin (yes|without-password|prohibit-password)'
+    replace: "PermitRootLogin without-password"
+  notify: restart sshd
+
+- name: remove disabled root login
+  replace:
+    dest: /root/.ssh/authorized_keys
+    regexp: "^no-port-forwarding,(.+) ssh-"
+    replace: "ssh-"
+
 # FIREWALL
 
 - name: firewall