diff --git a/.ansible-lint b/.ansible-lint
index c81871a..094af73 100644
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -1,19 +1,17 @@
 ---
 use_default_rules: true
 skip_list:
-  # [E503] Tasks that run when changed should likely be handlers
-  # TODO(mnasiadka): Rework roles to do handlers instead of when: *.changed
-  - no-handler
-  # [E208] permissions not mentioned
-  # FIXME(mnasiadka): Rework file/template to include permissions
-  - risky-file-permissions
-  # [unnamed-task] All tasks should be named
-  # FIXME(mgoddard): Add names to all tasks
-  - unnamed-task
-  # [ignore-errors] Use failed_when and specify error conditions instead of using ignore_errors
-  # FIXME(mgoddard): Use failed_when instead of ignore_errors
-  - ignore-errors
-  # Package installs should not use latest
-  - package-latest
-  # Commands should not change things if nothing needs doing
-  - no-changed-when
+ # Experimental
+ - experimental
+ # Use FQCN
+ - fqcn[action]
+ - fqcn[action-core]
+ # Galaxy changelog and runtime defined
+ - galaxy[no-changelog]
+ - galaxy[no-runtime]
+ # don't fail on when at the end of block
+ - key-order[task]
+ # All tasks should be named
+ - name[missing]
+ # Variables names from within roles should use role_name_ as a prefix
+ - var-naming[no-role-prefix]
diff --git a/galaxy.yml b/galaxy.yml
index 6e30cfb..28241e5 100644
--- a/galaxy.yml
+++ b/galaxy.yml
@@ -3,7 +3,8 @@ namespace: openstack
 name: kolla
 version: 1.0.0
 readme: README.md
-authors: OpenStack
+authors:
+  - "OpenStack"
 description: Ansible collection for the OpenStack Kolla project
 license:
   - GPL-3.0-or-later
diff --git a/roles/apparmor_libvirt/tasks/remove-profile.yml b/roles/apparmor_libvirt/tasks/remove-profile.yml
index 8f62c03..8a1da37 100644
--- a/roles/apparmor_libvirt/tasks/remove-profile.yml
+++ b/roles/apparmor_libvirt/tasks/remove-profile.yml
@@ -16,6 +16,7 @@
   args:
     executable: /bin/bash
   become: True
+  changed_when: true
   when:
     - apparmor_libvirtd_profile.stat.exists
     - not apparmor_libvirtd_disable_profile.stat.exists
diff --git a/roles/baremetal/tasks/install.yml b/roles/baremetal/tasks/install.yml
index 97e4aeb..3e5bab6 100644
--- a/roles/baremetal/tasks/install.yml
+++ b/roles/baremetal/tasks/install.yml
@@ -2,6 +2,7 @@
 # TODO(inc0): Gates don't seem to have ufw executable, check for it instead of ignore errors
 - block:
     - name: Set firewall default policy
+      # noqa ignore-errors
       become: True
       ufw:
         state: disabled
diff --git a/roles/baremetal/tasks/main.yml b/roles/baremetal/tasks/main.yml
index fb2ad93..dee6359 100644
--- a/roles/baremetal/tasks/main.yml
+++ b/roles/baremetal/tasks/main.yml
@@ -8,7 +8,7 @@
 
 - import_tasks: post-install.yml
 
-- name: configure ceph for zun
+- name: Configure ceph for zun
   include_tasks: configure-ceph-for-zun.yml
   when:
     - zun_configure_for_cinder_ceph | bool
diff --git a/roles/docker/tasks/config.yml b/roles/docker/tasks/config.yml
index 288aa54..7d33163 100644
--- a/roles/docker/tasks/config.yml
+++ b/roles/docker/tasks/config.yml
@@ -3,6 +3,7 @@
   file:
     path: /etc/docker
     state: directory
+    mode: 0755
   become: True
 
 - name: Write docker config
@@ -75,6 +76,7 @@
   template:
     src: docker_systemd_service.j2
     dest: /etc/systemd/system/docker.service.d/kolla.conf
+    mode: 0644
   when: >
     (docker_configure_for_zun | bool and 'zun-compute' in group_names) or
     docker_http_proxy | length > 0 or
diff --git a/roles/docker/tasks/install.yml b/roles/docker/tasks/install.yml
index f8be8db..2901736 100644
--- a/roles/docker/tasks/install.yml
+++ b/roles/docker/tasks/install.yml
@@ -62,8 +62,10 @@
       delay: 10
 
     - name: Ensure containers are running after Docker upgrade
+      # noqa no-changed-when
       command: "docker start {{ running_containers.stdout }}"
       become: true
+      changed_when: true
   when:
     - docker_install_result is changed
     - running_containers.rc == 0
diff --git a/roles/docker/tasks/repo-Debian.yml b/roles/docker/tasks/repo-Debian.yml
index a4f7d66..df2fceb 100644
--- a/roles/docker/tasks/repo-Debian.yml
+++ b/roles/docker/tasks/repo-Debian.yml
@@ -38,6 +38,7 @@
         Package: {{ docker_apt_package }}
         Pin: version {{ docker_apt_package_pin }}
         Pin-Priority: 1000
+    mode: 0644
   become: True
   when: docker_apt_package_pin | length > 0
 
diff --git a/roles/packages/defaults/main.yml b/roles/packages/defaults/main.yml
index f10dcf4..d8de293 100644
--- a/roles/packages/defaults/main.yml
+++ b/roles/packages/defaults/main.yml
@@ -10,7 +10,7 @@ enable_nova_libvirt_container: false
 ubuntu_pkg_install:
  - git
  - iputils-ping
- - "{% if enable_multipathd|bool %}sg3-utils-udev{% endif %}"
+ - "{% if enable_multipathd | bool %}sg3-utils-udev{% endif %}"
  - tzdata
 
 openeuler_pkg_install:
diff --git a/test-requirements.txt b/test-requirements.txt
index 8ccf734..29ada4f 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -1,10 +1,10 @@
 # linting
-ansible-lint>=4.2.0,!=4.3.0,<6.0.0 # MIT
+ansible-lint>=6.0.0,<6.17.0 # MIT
 bandit>=1.1.0 # Apache-2.0
 bashate>=0.5.1 # Apache-2.0
 doc8>=0.6.0 # Apache-2.0
 hacking>=3.0.1,<3.1.0 # Apache-2.0
-yamllint>=1.22.0 #GPL3
+yamllint>=1.22.0 # GPL3
 
 # coverage testing
 coverage>=4.0,!=4.4 # Apache-2.0
@@ -16,4 +16,4 @@ stestr>=1.0.0 # Apache-2.0
 testtools>=1.4.0 # MIT
 
 # sanity testing
-ansible-core
+ansible-core>=2.13.0,<2.15.0 # GPL3
diff --git a/tox.ini b/tox.ini
index 7198488..38f1ad8 100644
--- a/tox.ini
+++ b/tox.ini
@@ -128,4 +128,5 @@ commands = bash {toxinidir}/tools/run-ansible-sanity.sh {toxinidir}
 [testenv:ansible-lint]
 deps = {[testenv:linters]deps}
 commands =
+  ansible-galaxy collection install ansible.posix community.general
   ansible-lint -p