Merge pull request #2048 from thaJeztah/19.03_backport_ci_improvements

[19.03 backport] CI and testing improvements
Merge pull request #2061 from thaJeztah/19.03_backport_issue39654
2019-08-22 10:57:08 -07:00 · 2019-08-22 19:55:05 +02:00 · 2019-08-22 19:11:41 +02:00 · 2019-08-22 10:19:01 +02:00 · 2019-08-15 03:19:38 +02:00 · 2019-08-15 03:18:42 +02:00
2618 changed files with 246022 additions and 62134 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -1,2 +1,6 @@
+.dockerignore
 .git
-build
+.gitignore
+appveyor.yml
+build
+circle.yml
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@ -1,8 +1,7 @@
 # GitHub code owners
 # See https://github.com/blog/2392-introducing-code-owners

-cli/command/stack/**        @vdemeester @silvin-lubecki
-cli/compose/**              @vdemeester
+cli/command/stack/**        @silvin-lubecki
 contrib/completion/bash/**  @albers
 contrib/completion/zsh/**   @sdurrheimer
-docs/**                     @vdemeester @thaJeztah
+docs/**                     @thaJeztah
--- a/.mailmap
+++ b/.mailmap
@ -8,6 +8,7 @@

 Aaron L. Xu <liker.xu@foxmail.com>
 Abhinandan Prativadi <abhi@docker.com>
+Ace Tang <aceapril@126.com>
 Adrien Gallouët <adrien@gallouet.fr> <angt@users.noreply.github.com>
 Ahmed Kamal <email.ahmedkamal@googlemail.com>
 Ahmet Alp Balkan <ahmetb@microsoft.com> <ahmetalpbalkan@gmail.com>
@ -43,6 +44,7 @@ Antonio Murdaca <antonio.murdaca@gmail.com> <runcom@users.noreply.github.com>
 Anuj Bahuguna <anujbahuguna.dev@gmail.com>
 Anuj Bahuguna <anujbahuguna.dev@gmail.com> <abahuguna@fiberlink.com>
 Anusha Ragunathan <anusha.ragunathan@docker.com> <anusha@docker.com>
+Ao Li <la9249@163.com>
 Arnaud Porterie <arnaud.porterie@docker.com>
 Arnaud Porterie <arnaud.porterie@docker.com> <icecrime@gmail.com>
 Arthur Gautier <baloo@gandi.net> <superbaloo+registrations.github@superbaloo.net>
@ -65,6 +67,7 @@ Brent Salisbury <brent.salisbury@docker.com> <brent@docker.com>
 Brian Goff <cpuguy83@gmail.com>
 Brian Goff <cpuguy83@gmail.com> <bgoff@cpuguy83-mbp.home>
 Brian Goff <cpuguy83@gmail.com> <bgoff@cpuguy83-mbp.local>
+Chad Faragher <wyckster@hotmail.com>
 Chander Govindarajan <chandergovind@gmail.com>
 Chao Wang <wangchao.fnst@cn.fujitsu.com> <chaowang@localhost.localdomain>
 Charles Hooper <charles.hooper@dotcloud.com> <chooper@plumata.com>
@ -77,6 +80,7 @@ Chris Dias <cdias@microsoft.com>
 Chris McKinnel <chris.mckinnel@tangentlabs.co.uk>
 Christopher Biscardi <biscarch@sketcht.com>
 Christopher Latham <sudosurootdev@gmail.com>
+Christy Norman <christy@linux.vnet.ibm.com>
 Chun Chen <ramichen@tencent.com> <chenchun.feed@gmail.com>
 Corbin Coleman <corbin.coleman@docker.com>
 Cristian Staretu <cristian.staretu@gmail.com>
@ -119,6 +123,7 @@ Doug Davis <dug@us.ibm.com> <duglin@users.noreply.github.com>
 Doug Tangren <d.tangren@gmail.com>
 Elan Ruusamäe <glen@pld-linux.org>
 Elan Ruusamäe <glen@pld-linux.org> <glen@delfi.ee>
+Elango Sivanandam <elango.siva@docker.com>
 Eric G. Noriega <enoriega@vizuri.com> <egnoriega@users.noreply.github.com>
 Eric Hanchrow <ehanchrow@ine.com> <eric.hanchrow@gmail.com>
 Eric Rosenberg <ehaydenr@gmail.com> <ehaydenr@users.noreply.github.com>
@ -153,6 +158,7 @@ Guillaume J. Charmes <guillaume.charmes@docker.com> <guillaume.charmes@dotcloud.
 Guillaume J. Charmes <guillaume.charmes@docker.com> <guillaume@charmes.net>
 Guillaume J. Charmes <guillaume.charmes@docker.com> <guillaume@docker.com>
 Guillaume J. Charmes <guillaume.charmes@docker.com> <guillaume@dotcloud.com>
+Guillaume Le Floch <glfloch@gmail.com>
 Gurjeet Singh <gurjeet@singh.im> <singh.gurjeet@gmail.com>
 Gustav Sinder <gustav.sinder@gmail.com>
 Günther Jungbluth <gunther@gameslabs.net>
@ -174,14 +180,19 @@ Hu Keping <hukeping@huawei.com>
 Huu Nguyen <huu@prismskylabs.com> <whoshuu@gmail.com>
 Hyzhou Zhy <hyzhou.zhy@alibaba-inc.com>
 Hyzhou Zhy <hyzhou.zhy@alibaba-inc.com> <1187766782@qq.com>
+Ian Campbell <ian.campbell@docker.com>
+Ian Campbell <ian.campbell@docker.com> <ijc@docker.com>
 Ilya Khlopotov <ilya.khlopotov@gmail.com>
 Jack Laxson <jackjrabbit@gmail.com>
 Jacob Atzen <jacob@jacobatzen.dk> <jatzen@gmail.com>
 Jacob Tomlinson <jacob@tom.linson.uk> <jacobtomlinson@users.noreply.github.com>
 Jaivish Kothari <janonymous.codevulture@gmail.com>
+Jake Lambert <jake.lambert@volusion.com>
+Jake Lambert <jake.lambert@volusion.com> <32850427+jake-lambert-volusion@users.noreply.github.com>
 Jamie Hannaford <jamie@limetree.org> <jamie.hannaford@rackspace.com>
 Jean-Baptiste Barth <jeanbaptiste.barth@gmail.com>
 Jean-Baptiste Dalido <jeanbaptiste@appgratis.com>
+Jean-Pierre Huynh <jean-pierre.huynh@ounet.fr> <jp@moogsoft.com>
 Jean-Tiare Le Bigot <jt@yadutaf.fr> <admin@jtlebi.fr>
 Jeff Anderson <jeff@docker.com> <jefferya@programmerq.net>
 Jeff Nickoloff <jeff.nickoloff@gmail.com> <jeff@allingeek.com>
@ -247,6 +258,8 @@ Konstantin Gribov <grossws@gmail.com>
 Konstantin Pelykh <kpelykh@zettaset.com>
 Kotaro Yoshimatsu <kotaro.yoshimatsu@gmail.com>
 Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp> <kunal.kushwaha@gmail.com>
+Kyle Spiers <kyle@spiers.me>
+Kyle Spiers <kyle@spiers.me> <Kyle@Spiers.me>
 Lajos Papp <lajos.papp@sequenceiq.com> <lalyos@yahoo.com>
 Lei Jitang <leijitang@huawei.com>
 Lei Jitang <leijitang@huawei.com> <leijitang@gmail.com>
@ -277,6 +290,7 @@ Marianna Tessel <mtesselh@gmail.com>
 Mark Oates <fl0yd@me.com>
 Markan Patel <mpatel678@gmail.com>
 Markus Kortlang <hyp3rdino@googlemail.com> <markus.kortlang@lhsystems.com>
+Marsh Macy <marsma@microsoft.com>
 Martin Redmond <redmond.martin@gmail.com> <martin@tinychat.com>
 Martin Redmond <redmond.martin@gmail.com> <xgithub@redmond5.com>
 Mary Anthony <mary.anthony@docker.com> <mary@docker.com>
@ -365,6 +379,8 @@ Shukui Yang <yangshukui@huawei.com>
 Shuwei Hao <haosw@cn.ibm.com>
 Shuwei Hao <haosw@cn.ibm.com> <haoshuwei24@gmail.com>
 Sidhartha Mani <sidharthamn@gmail.com>
+Silvin Lubecki <silvin.lubecki@docker.com>
+Silvin Lubecki <silvin.lubecki@docker.com> <31478878+silvin-lubecki@users.noreply.github.com>
 Sjoerd Langkemper <sjoerd-github@linuxonly.nl> <sjoerd@byte.nl>
 Solomon Hykes <solomon@docker.com> <s@docker.com>
 Solomon Hykes <solomon@docker.com> <solomon.hykes@dotcloud.com>
@ -379,13 +395,18 @@ Stefan Berger <stefanb@linux.vnet.ibm.com>
 Stefan Berger <stefanb@linux.vnet.ibm.com> <stefanb@us.ibm.com>
 Stefan J. Wernli <swernli@microsoft.com> <swernli@ntdev.microsoft.com>
 Stefan S. <tronicum@user.github.com>
+Stefan Scherer <stefan.scherer@docker.com>
+Stefan Scherer <stefan.scherer@docker.com> <scherer_stefan@icloud.com>
 Stephen Day <stevvooe@gmail.com>
-Stephen Day <stephen.day@docker.com> <stevvooe@users.noreply.github.com>
 Stephen Day <stevvooe@gmail.com> <stephen.day@docker.com>
+Stephen Day <stevvooe@gmail.com> <stevvooe@users.noreply.github.com>
 Steve Desmond <steve@vtsv.ca> <stevedesmond-ca@users.noreply.github.com>
+Steve Richards <steve.richards@docker.com> stevejr <>
 Sun Gengze <690388648@qq.com>
 Sun Jianbo <wonderflow.sun@gmail.com>
 Sun Jianbo <wonderflow.sun@gmail.com> <wonderflow@zju.edu.cn>
+Sunny Gogoi <indiasuny000@gmail.com>
+Sunny Gogoi <indiasuny000@gmail.com> <me@darkowlzz.space>
 Sven Dowideit <SvenDowideit@home.org.au>
 Sven Dowideit <SvenDowideit@home.org.au> <sven@t440s.home.gateway>
 Sven Dowideit <SvenDowideit@home.org.au> <SvenDowideit@docker.com>
@ -404,6 +425,8 @@ Thomas Gazagnaire <thomas@gazagnaire.org> <thomas@gazagnaire.com>
 Thomas Krzero <thomas.kovatchitch@gmail.com>
 Thomas Léveil <thomasleveil@gmail.com>
 Thomas Léveil <thomasleveil@gmail.com> <thomasleveil@users.noreply.github.com>
+Thomas Riccardi <thomas@deepomatic.com>
+Thomas Riccardi <thomas@deepomatic.com> <riccardi@systran.fr>
 Tibor Vass <teabee89@gmail.com> <tibor@docker.com>
 Tibor Vass <teabee89@gmail.com> <tiborvass@users.noreply.github.com>
 Tim Bart <tim@fewagainstmany.com>
@ -414,6 +437,8 @@ Tim Zju <21651152@zju.edu.cn>
 Timothy Hobbs <timothyhobbs@seznam.cz>
 Toli Kuznets <toli@docker.com>
 Tom Barlow <tomwbarlow@gmail.com>
+Tom Milligan <code@tommilligan.net>
+Tom Milligan <code@tommilligan.net> <tommilligan@users.noreply.github.com>
 Tom Sweeney <tsweeney@redhat.com>
 Tõnis Tiigi <tonistiigi@gmail.com>
 Trishna Guha <trishnaguha17@gmail.com>
@ -440,6 +465,7 @@ Vladimir Rutsky <altsysrq@gmail.com> <iamironbob@gmail.com>
 Walter Stanish <walter@pratyeka.org>
 Wang Guoliang <liangcszzu@163.com>
 Wang Jie <wangjie5@chinaskycloud.com>
+Wang Lei <wanglei@tenxcloud.com>
 Wang Ping <present.wp@icloud.com>
 Wang Xing <hzwangxing@corp.netease.com> <root@localhost>
 Wang Yuexiao <wang.yuexiao@zte.com.cn>
@ -467,11 +493,12 @@ Yu Changchun <yuchangchun1@huawei.com>
 Yu Chengxia <yuchengxia@huawei.com>
 Yu Peng <yu.peng36@zte.com.cn>
 Yu Peng <yu.peng36@zte.com.cn> <yupeng36@zte.com.cn>
+Yue Zhang <zy675793960@yeah.net>
 Zachary Jaffee <zjaffee@us.ibm.com> <zij@case.edu>
 Zachary Jaffee <zjaffee@us.ibm.com> <zjaffee@apache.org>
 ZhangHang <stevezhang2014@gmail.com>
 Zhenkun Bi <bi.zhenkun@zte.com.cn>
 Zhou Hao <zhouhao@cn.fujitsu.com>
+Zhoulin Xie <zhoulin.xie@daocloud.io>
 Zhu Kunjia <zhu.kunjia@zte.com.cn>
 Zou Yu <zouyu7@huawei.com>
-
--- a/76
+++ b/76
@ -8,6 +8,7 @@ Aaron.L.Xu <likexu@harmonycloud.cn>
 Abdur Rehman <abdur_rehman@mentor.com>
 Abhinandan Prativadi <abhi@docker.com>
 Abin Shahab <ashahab@altiscale.com>
+Ace Tang <aceapril@126.com>
 Addam Hardy <addam.hardy@gmail.com>
 Adolfo Ochagavía <aochagavia92@gmail.com>
 Adrien Duermael <adrien@duermael.com>
@ -23,6 +24,7 @@ Albert Callarisa <shark234@gmail.com>
 Aleksa Sarai <asarai@suse.de>
 Alessandro Boch <aboch@tetrationanalytics.com>
 Alex Mavrogiannis <alex.mavrogiannis@docker.com>
+Alex Mayer <amayer5125@gmail.com>
 Alexander Boyd <alex@opengroove.org>
 Alexander Larsson <alexl@redhat.com>
 Alexander Morozov <lk4d4@docker.com>
@ -37,6 +39,7 @@ Amir Goldstein <amir73il@aquasec.com>
 Amit Krishnan <amit.krishnan@oracle.com>
 Amit Shukla <amit.shukla@docker.com>
 Amy Lindburg <amy.lindburg@docker.com>
+Anda Xu <anda.xu@docker.com>
 Andrea Luzzardi <aluzzardi@gmail.com>
 Andreas Köhler <andi5.py@gmx.net>
 Andrew France <andrew@avito.co.uk>
@ -50,10 +53,12 @@ Andy Goldstein <agoldste@redhat.com>
 Andy Rothfusz <github@developersupport.net>
 Anil Madhavapeddy <anil@recoil.org>
 Ankush Agarwal <ankushagarwal11@gmail.com>
+Anne Henmi <anne.henmi@docker.com>
 Anton Polonskiy <anton.polonskiy@gmail.com>
 Antonio Murdaca <antonio.murdaca@gmail.com>
 Antonis Kalipetis <akalipetis@gmail.com>
 Anusha Ragunathan <anusha.ragunathan@docker.com>
+Ao Li <la9249@163.com>
 Arash Deshmeh <adeshmeh@ca.ibm.com>
 Arnaud Porterie <arnaud.porterie@docker.com>
 Ashwini Oruganti <ashwini.oruganti@gmail.com>
@ -63,8 +68,10 @@ Barnaby Gray <barnaby@pickle.me.uk>
 Bastiaan Bakker <bbakker@xebia.com>
 BastianHofmann <bastianhofmann@me.com>
 Ben Bonnefoy <frenchben@docker.com>
+Ben Creasy <ben@bencreasy.com>
 Ben Firshman <ben@firshman.co.uk>
 Benjamin Boudreau <boudreau.benjamin@gmail.com>
+Benoit Sigoure <tsunanet@gmail.com>
 Bhumika Bayani <bhumikabayani@gmail.com>
 Bill Wang <ozbillwang@gmail.com>
 Bin Liu <liubin0329@gmail.com>
@ -73,6 +80,7 @@ Boaz Shuster <ripcurld.github@gmail.com>
 Bogdan Anton <contact@bogdananton.ro>
 Boris Pruessmann <boris@pruessmann.org>
 Bradley Cicenas <bradley.cicenas@gmail.com>
+Brandon Mitchell <git@bmitch.net>
 Brandon Philips <brandon.philips@coreos.com>
 Brent Salisbury <brent.salisbury@docker.com>
 Bret Fisher <bret@bretfisher.com>
@ -89,6 +97,7 @@ Carlos Alexandro Becker <caarlos0@gmail.com>
 Ce Gao <ce.gao@outlook.com>
 Cedric Davies <cedricda@microsoft.com>
 Cezar Sa Espinola <cezarsa@gmail.com>
+Chad Faragher <wyckster@hotmail.com>
 Chao Wang <wangchao.fnst@cn.fujitsu.com>
 Charles Chan <charleswhchan@users.noreply.github.com>
 Charles Law <claw@conduce.com>
@ -109,8 +118,9 @@ Christian Stefanescu <st.chris@gmail.com>
 Christophe Robin <crobin@nekoo.com>
 Christophe Vidal <kriss@krizalys.com>
 Christopher Biscardi <biscarch@sketcht.com>
+Christopher Crone <christopher.crone@docker.com>
 Christopher Jones <tophj@linux.vnet.ibm.com>
-Christy Perez <christy@linux.vnet.ibm.com>
+Christy Norman <christy@linux.vnet.ibm.com>
 Chun Chen <ramichen@tencent.com>
 Clinton Kitson <clintonskitson@gmail.com>
 Coenraad Loubser <coenraad@wish.org.za>
@ -118,6 +128,8 @@ Colin Hebert <hebert.colin@gmail.com>
 Collin Guarino <collin.guarino@gmail.com>
 Colm Hally <colmhally@gmail.com>
 Corey Farrell <git@cfware.com>
+Corey Quon <corey.quon@docker.com>
+Craig Wilhite <crwilhit@microsoft.com>
 Cristian Staretu <cristian.staretu@gmail.com>
 Daehyeok Mun <daehyeok@gmail.com>
 Dafydd Crosby <dtcrsby@gmail.com>
@ -147,6 +159,7 @@ David Cramer <davcrame@cisco.com>
 David Dooling <dooling@gmail.com>
 David Gageot <david@gageot.net>
 David Lechner <david@lechnology.com>
+David Scott <dave@recoil.org>
 David Sheets <dsheets@docker.com>
 David Williamson <david.williamson@docker.com>
 David Xia <dxia@spotify.com>
@ -173,9 +186,12 @@ Dong Chen <dongluo.chen@docker.com>
 Doug Davis <dug@us.ibm.com>
 Drew Erny <drew.erny@docker.com>
 Ed Costello <epc@epcostello.com>
+Elango Sivanandam <elango.siva@docker.com>
 Eli Uriegas <eli.uriegas@docker.com>
 Eli Uriegas <seemethere101@gmail.com>
 Elias Faxö <elias.faxo@tre.se>
+Elliot Luo <956941328@qq.com>
+Eric Curtin <ericcurtin17@gmail.com>
 Eric G. Noriega <enoriega@vizuri.com>
 Eric Rosenberg <ehaydenr@gmail.com>
 Eric Sage <eric.david.sage@gmail.com>
@ -183,7 +199,9 @@ Eric-Olivier Lamey <eo@lamey.me>
 Erica Windisch <erica@windisch.us>
 Erik Hollensbe <github@hollensbe.org>
 Erik St. Martin <alakriti@gmail.com>
+Essam A. Hassan <es.hassan187@gmail.com>
 Ethan Haynes <ethanhaynes@alumni.harvard.edu>
+Euan Kemp <euank@euank.com>
 Eugene Yakubovich <eugene.yakubovich@coreos.com>
 Evan Allrich <evan@unguku.com>
 Evan Hazlett <ejhazlett@gmail.com>
@ -194,10 +212,13 @@ Fabio Falci <fabiofalci@gmail.com>
 Fabrizio Soppelsa <fsoppelsa@mirantis.com>
 Felix Hupfeld <felix@quobyte.com>
 Felix Rabe <felix@rabe.io>
+Filip Jareš <filipjares@gmail.com>
 Flavio Crisciani <flavio.crisciani@docker.com>
 Florian Klein <florian.klein@free.fr>
 Foysal Iqbal <foysal.iqbal.fb@gmail.com>
+François Scala <francois.scala@swiss-as.com>
 Fred Lifton <fred.lifton@docker.com>
+Frederic Hemberger <mail@frederic-hemberger.de>
 Frederick F. Kautz IV <fkautz@redhat.com>
 Frederik Nordahl Jul Sabroe <frederikns@gmail.com>
 Frieder Bluemle <frieder.bluemle@gmail.com>
@ -215,6 +236,7 @@ Grant Reaber <grant.reaber@gmail.com>
 Greg Pflaum <gpflaum@users.noreply.github.com>
 Guilhem Lettron <guilhem+github@lettron.fr>
 Guillaume J. Charmes <guillaume.charmes@docker.com>
+Guillaume Le Floch <glfloch@gmail.com>
 gwx296173 <gaojing3@huawei.com>
 Günther Jungbluth <gunther@gameslabs.net>
 Hakan Özler <hakan.ozler@kodcu.com>
@ -239,12 +261,14 @@ Ignacio Capurro <icapurrofagian@gmail.com>
 Ilya Dmitrichenko <errordeveloper@gmail.com>
 Ilya Khlopotov <ilya.khlopotov@gmail.com>
 Ilya Sotkov <ilya@sotkov.com>
+Ioan Eugen Stan <eu@ieugen.ro>
 Isabel Jimenez <contact.isabeljimenez@gmail.com>
 Ivan Grcic <igrcic@gmail.com>
 Ivan Markin <sw@nogoegst.net>
 Jacob Atzen <jacob@jacobatzen.dk>
 Jacob Tomlinson <jacob@tom.linson.uk>
 Jaivish Kothari <janonymous.codevulture@gmail.com>
+Jake Lambert <jake.lambert@volusion.com>
 Jake Sanders <jsand@google.com>
 James Nesbitt <james.nesbitt@wunderkraut.com>
 James Turnbull <james@lovedthanlost.net>
@ -258,8 +282,9 @@ Jasmine Hegman <jasmine@jhegman.com>
 Jason Heiss <jheiss@aput.net>
 Jason Plum <jplum@devonit.com>
 Jay Kamat <github@jgkamat.33mail.com>
+Jean Rouge <rougej+github@gmail.com>
+Jean-Christophe Sirot <jean-christophe.sirot@docker.com>
 Jean-Pierre Huynh <jean-pierre.huynh@ounet.fr>
-Jean-Pierre Huynh <jp@moogsoft.com>
 Jeff Lindsay <progrium@gmail.com>
 Jeff Nickoloff <jeff.nickoloff@gmail.com>
 Jeff Silberman <jsilberm@gmail.com>
@ -277,6 +302,7 @@ Jim Galasyn <jim.galasyn@docker.com>
 Jimmy Leger <jimmy.leger@gmail.com>
 Jimmy Song <rootsongjc@gmail.com>
 jimmyxian <jimmyxian2004@yahoo.com.cn>
+Jintao Zhang <zhangjintao9020@gmail.com>
 Joao Fernandes <joao.fernandes@docker.com>
 Joe Doliner <jdoliner@pachyderm.io>
 Joe Gordon <joe.gordon0@gmail.com>
@ -314,7 +340,9 @@ Julien Maitrehenry <julien.maitrehenry@me.com>
 Justas Brazauskas <brazauskasjustas@gmail.com>
 Justin Cormack <justin.cormack@docker.com>
 Justin Simonelis <justin.p.simonelis@gmail.com>
+Justyn Temme <justyntemme@gmail.com>
 Jyrki Puttonen <jyrkiput@gmail.com>
+Jérémie Drouet <jeremie.drouet@gmail.com>
 Jérôme Petazzoni <jerome.petazzoni@docker.com>
 Jörg Thalheim <joerg@higgsboson.tk>
 Kai Blin <kai@samba.org>
@ -350,6 +378,7 @@ Lai Jiangshan <jiangshanlai@gmail.com>
 Lars Kellogg-Stedman <lars@redhat.com>
 Laura Frank <ljfrank@gmail.com>
 Laurent Erignoux <lerignoux@gmail.com>
+Lee Gaines <eightlimbed@gmail.com>
 Lei Jitang <leijitang@huawei.com>
 Lennie <github@consolejunkie.net>
 Leo Gallucci <elgalu3@gmail.com>
@ -357,6 +386,8 @@ Lewis Daly <lewisdaly@me.com>
 Li Yi <denverdino@gmail.com>
 Li Yi <weiyuan.yl@alibaba-inc.com>
 Liang-Chi Hsieh <viirya@gmail.com>
+Lifubang <lifubang@acmcoder.com>
+Lihua Tang <lhtang@alauda.io>
 Lily Guo <lily.guo@docker.com>
 Lin Lu <doraalin@163.com>
 Linus Heckemann <lheckemann@twig-world.com>
@ -384,18 +415,24 @@ Mansi Nahar <mmn4185@rit.edu>
 mapk0y <mapk0y@gmail.com>
 Marc Bihlmaier <marc.bihlmaier@reddoxx.com>
 Marco Mariani <marco.mariani@alterway.fr>
+Marco Vedovati <mvedovati@suse.com>
 Marcus Martins <marcus@docker.com>
 Marianna Tessel <mtesselh@gmail.com>
 Marius Sturm <marius@graylog.com>
 Mark Oates <fl0yd@me.com>
+Marsh Macy <marsma@microsoft.com>
 Martin Mosegaard Amdisen <martin.amdisen@praqma.com>
 Mary Anthony <mary.anthony@docker.com>
+Mason Fish <mason.fish@docker.com>
 Mason Malone <mason.malone@gmail.com>
 Mateusz Major <apkd@users.noreply.github.com>
+Mathieu Champlon <mathieu.champlon@docker.com>
 Matt Gucci <matt9ucci@gmail.com>
 Matt Robenolt <matt@ydekproductions.com>
+Matteo Orefice <matteo.orefice@bites4bits.software>
 Matthew Heon <mheon@redhat.com>
 Matthieu Hauglustaine <matt.hauglustaine@gmail.com>
+Mauro Porras P <mauroporrasp@gmail.com>
 Max Shytikov <mshytikov@gmail.com>
 Maxime Petazzoni <max@signalfuse.com>
 Mei ChunTao <mei.chuntao@zte.com.cn>
@ -425,9 +462,11 @@ Mike MacCana <mike.maccana@gmail.com>
 mikelinjie <294893458@qq.com>
 Mikhail Vasin <vasin@cloud-tv.ru>
 Milind Chawre <milindchawre@gmail.com>
+Mindaugas Rukas <momomg@gmail.com>
 Misty Stanley-Jones <misty@docker.com>
 Mohammad Banikazemi <mb@us.ibm.com>
 Mohammed Aaqib Ansari <maaquib@gmail.com>
+Mohini Anne Dsouza <mohini3917@gmail.com>
 Moorthy RS <rsmoorthy@gmail.com>
 Morgan Bauer <mbauer@us.ibm.com>
 Moysés Borges <moysesb@gmail.com>
@ -435,9 +474,11 @@ Mrunal Patel <mrunalp@gmail.com>
 muicoder <muicoder@gmail.com>
 Muthukumar R <muthur@gmail.com>
 Máximo Cuadros <mcuadros@gmail.com>
+Mårten Cassel <marten.cassel@gmail.com>
 Nace Oroz <orkica@gmail.com>
 Nahum Shalman <nshalman@omniti.com>
 Nalin Dahyabhai <nalin@redhat.com>
+Nao YONASHIRO <owan.orisano@gmail.com>
 Nassim 'Nass' Eddequiouaq <eddequiouaq.nassim@gmail.com>
 Natalie Parker <nparker@omnifone.com>
 Nate Brennand <nate.brennand@clever.com>
@ -445,18 +486,22 @@ Nathan Hsieh <hsieh.nathan@gmail.com>
 Nathan LeClaire <nathan.leclaire@docker.com>
 Nathan McCauley <nathan.mccauley@docker.com>
 Neil Peterson <neilpeterson@outlook.com>
+Nick Adcock <nick.adcock@docker.com>
+Nico Stapelbroek <nstapelbroek@gmail.com>
 Nicola Kabar <nicolaka@gmail.com>
 Nicolas Borboën <ponsfrilus@gmail.com>
 Nicolas De Loof <nicolas.deloof@gmail.com>
 Nikhil Chawla <chawlanikhil24@gmail.com>
 Nikolas Garofil <nikolas.garofil@uantwerpen.be>
 Nikolay Milovanov <nmil@itransformers.net>
+Nir Soffer <nsoffer@redhat.com>
 Nishant Totla <nishanttotla@gmail.com>
 NIWA Hideyuki <niwa.niwa@nifty.ne.jp>
 Noah Treuhaft <noah.treuhaft@docker.com>
 O.S. Tezer <ostezer@gmail.com>
 ohmystack <jun.jiang02@ele.me>
 Olle Jonsson <olle.jonsson@gmail.com>
+Olli Janatuinen <olli.janatuinen@gmail.com>
 Otto Kekäläinen <otto@seravo.fi>
 Ovidio Mallo <ovidio.mallo@gmail.com>
 Pascal Borreli <pascal@borreli.com>
@ -474,12 +519,14 @@ Per Lundberg <per.lundberg@ecraft.com>
 Peter Edge <peter.edge@gmail.com>
 Peter Hsu <shhsu@microsoft.com>
 Peter Jaffe <pjaffe@nevo.com>
+Peter Kehl <peter.kehl@gmail.com>
 Peter Nagy <xificurC@gmail.com>
 Peter Salvatore <peter@psftw.com>
 Peter Waller <p@pwaller.net>
 Phil Estes <estesp@linux.vnet.ibm.com>
 Philip Alexander Etling <paetling@gmail.com>
 Philipp Gillé <philipp.gille@gmail.com>
+Philipp Schmied <pschmied@schutzwerk.com>
 pidster <pid@pidster.com>
 pixelistik <pixelistik@users.noreply.github.com>
 Pratik Karki <prertik@outlook.com>
@ -511,16 +558,21 @@ Roman Dudin <katrmr@gmail.com>
 Rory Hunter <roryhunter2@gmail.com>
 Ross Boucher <rboucher@gmail.com>
 Rubens Figueiredo <r.figueiredo.52@gmail.com>
+Rui Cao <ruicao@alauda.io>
 Ryan Belgrave <rmb1993@gmail.com>
 Ryan Detzel <ryan.detzel@gmail.com>
 Ryan Stelly <ryan.stelly@live.com>
+Ryan Wilson-Perkin <ryanwilsonperkin@gmail.com>
+Ryan Zhang <ryan.zhang@docker.com>
 Sainath Grandhi <sainath.grandhi@intel.com>
 Sakeven Jiang <jc5930@sina.cn>
 Sally O'Malley <somalley@redhat.com>
 Sam Neirinck <sam@samneirinck.com>
 Sambuddha Basu <sambuddhabasu1@gmail.com>
+Sami Tabet <salph.tabet@gmail.com>
 Samuel Karp <skarp@amazon.com>
 Santhosh Manohar <santhosh@docker.com>
+Scott Brenner <scott@scottbrenner.me>
 Scott Collier <emailscottcollier@gmail.com>
 Sean Christopherson <sean.j.christopherson@intel.com>
 Sean Rodman <srodman7689@gmail.com>
@ -548,27 +600,33 @@ Spencer Brown <spencer@spencerbrown.org>
 squeegels <1674195+squeegels@users.noreply.github.com>
 Srini Brahmaroutu <srbrahma@us.ibm.com>
 Stefan S. <tronicum@user.github.com>
-Stefan Scherer <scherer_stefan@icloud.com>
+Stefan Scherer <stefan.scherer@docker.com>
 Stefan Weil <sw@weilnetz.de>
+Stephane Jeandeaux <stephane.jeandeaux@gmail.com>
 Stephen Day <stevvooe@gmail.com>
 Stephen Rust <srust@blockbridge.com>
 Steve Durrheimer <s.durrheimer@gmail.com>
+Steve Richards <steve.richards@docker.com>
 Steven Burgess <steven.a.burgess@hotmail.com>
 Subhajit Ghosh <isubuz.g@gmail.com>
 Sun Jianbo <wonderflow.sun@gmail.com>
+Sune Keller <absukl@almbrand.dk>
 Sungwon Han <sungwon.han@navercorp.com>
+Sunny Gogoi <indiasuny000@gmail.com>
 Sven Dowideit <SvenDowideit@home.org.au>
 Sylvain Baubeau <sbaubeau@redhat.com>
 Sébastien HOUZÉ <cto@verylastroom.com>
 T K Sourabh <sourabhtk37@gmail.com>
 TAGOMORI Satoshi <tagomoris@gmail.com>
+taiji-tech <csuhqg@foxmail.com>
 Taylor Jones <monitorjbl@gmail.com>
+Tejaswini Duggaraju <naduggar@microsoft.com>
 Thatcher Peskens <thatcher@docker.com>
 Thomas Gazagnaire <thomas@gazagnaire.org>
 Thomas Krzero <thomas.kovatchitch@gmail.com>
 Thomas Leonard <thomas.leonard@docker.com>
 Thomas Léveil <thomasleveil@gmail.com>
-Thomas Riccardi <riccardi@systran.fr>
+Thomas Riccardi <thomas@deepomatic.com>
 Thomas Swift <tgs242@gmail.com>
 Tianon Gravi <admwiggin@gmail.com>
 Tianyi Wang <capkurmagati@gmail.com>
@ -585,6 +643,8 @@ Tobias Gesellchen <tobias@gesellix.de>
 Todd Whiteman <todd.whiteman@joyent.com>
 Tom Denham <tom@tomdee.co.uk>
 Tom Fotherby <tom+github@peopleperhour.com>
+Tom Klingenberg <tklingenberg@lastflood.net>
+Tom Milligan <code@tommilligan.net>
 Tom X. Tobin <tomxtobin@tomxtobin.com>
 Tomas Tomecek <ttomecek@redhat.com>
 Tomasz Kopczynski <tomek@kopczynski.net.pl>
@ -597,12 +657,14 @@ Tristan Carel <tristan@cogniteev.com>
 Tycho Andersen <tycho@docker.com>
 Tycho Andersen <tycho@tycho.ws>
 uhayate <uhayate.gong@daocloud.io>
+Ulysses Souza <ulysses.souza@docker.com>
 Umesh Yadav <umesh4257@gmail.com>
 Valentin Lorentz <progval+git@progval.net>
 Veres Lajos <vlajos@gmail.com>
 Victor Vieux <victor.vieux@docker.com>
 Victoria Bialas <victoria.bialas@docker.com>
 Viktor Stanchev <me@viktorstanchev.com>
+Vimal Raghubir <vraghubir0418@gmail.com>
 Vincent Batts <vbatts@redhat.com>
 Vincent Bernat <Vincent.Bernat@exoscale.ch>
 Vincent Demeester <vincent.demeester@docker.com>
@ -610,6 +672,7 @@ Vincent Woo <me@vincentwoo.com>
 Vishnu Kannan <vishnuk@google.com>
 Vivek Goyal <vgoyal@redhat.com>
 Wang Jie <wangjie5@chinaskycloud.com>
+Wang Lei <wanglei@tenxcloud.com>
 Wang Long <long.wanglong@huawei.com>
 Wang Ping <present.wp@icloud.com>
 Wang Xing <hzwangxing@corp.netease.com>
@ -622,6 +685,8 @@ Wes Morgan <cap10morgan@gmail.com>
 Wewang Xiaorenfine <wang.xiaoren@zte.com.cn>
 William Henry <whenry@redhat.com>
 Xianglin Gao <xlgao@zju.edu.cn>
+Xiaodong Zhang <a4012017@sina.com>
+Xiaoxi He <xxhe@alauda.io>
 Xinbo Weng <xihuanbo_0521@zju.edu.cn>
 Xuecong Liao <satorulogic@gmail.com>
 Yan Feng <yanfeng2@huawei.com>
@ -633,7 +698,9 @@ Yong Tang <yong.tang.github@outlook.com>
 Yosef Fertel <yfertel@gmail.com>
 Yu Peng <yu.peng36@zte.com.cn>
 Yuan Sun <sunyuan3@huawei.com>
+Yue Zhang <zy675793960@yeah.net>
 Yunxiang Huang <hyxqshk@vip.qq.com>
+Zachary Romero <zacromero3@gmail.com>
 zebrilee <zebrilee@gmail.com>
 Zhang Kun <zkazure@gmail.com>
 Zhang Wei <zhangwei555@huawei.com>
@ -641,6 +708,7 @@ Zhang Wentao <zhangwentao234@huawei.com>
 ZhangHang <stevezhang2014@gmail.com>
 zhenghenghuo <zhenghenghuo@zju.edu.cn>
 Zhou Hao <zhouhao@cn.fujitsu.com>
+Zhoulin Xie <zhoulin.xie@daocloud.io>
 Zhu Guihua <zhugh.fnst@cn.fujitsu.com>
 Álex González <agonzalezro@gmail.com>
 Álvaro Lázaro <alvaro.lazaro.g@gmail.com>
--- a/3
+++ b/3
@ -5,8 +5,9 @@ wrappedNode(label: 'linux && x86_64', cleanWorkspace: true) {

    stage "Run end-to-end test suite"
    sh "docker version"
+    sh "docker info"
    sh "E2E_UNIQUE_ID=clie2e${BUILD_NUMBER} \
        IMAGE_TAG=clie2e${BUILD_NUMBER} \
-        make -f docker.Makefile test-e2e"
+        DOCKER_BUILDKIT=1 make -f docker.Makefile test-e2e"
  }
 }
--- a/24
+++ b/24
@ -11,15 +11,19 @@ clean: ## remove build artifacts
 	rm -rf ./build/* cli/winresources/rsrc_* ./man/man[1-9] docs/yaml/gen

 .PHONY: test-unit
-test-unit: ## run unit test
-	./scripts/test/unit $(shell go list ./... | grep -vE '/vendor/|/e2e/|/e2eengine/')
+test-unit: ## run unit tests, to change the output format use: GOTESTSUM_FORMAT=(dots|short|standard-quiet|short-verbose|standard-verbose) make test-unit 
+	gotestsum $(TESTFLAGS) -- $${TESTDIRS:-$(shell go list ./... | grep -vE '/vendor/|/e2e/')}

 .PHONY: test
 test: test-unit ## run tests

 .PHONY: test-coverage
 test-coverage: ## run test coverage
-	./scripts/test/unit-with-coverage $(shell go list ./... | grep -vE '/vendor/|/e2e/|/e2eengine/')
+	gotestsum -- -coverprofile=coverage.txt $(shell go list ./... | grep -vE '/vendor/|/e2e/')
+
+.PHONY: fmt
+fmt:
+	go list -f {{.Dir}} ./... | xargs gofmt -w -s -d

 .PHONY: lint
 lint: ## run all the lint tools
@ -30,6 +34,10 @@ binary: ## build executable for Linux
 	@echo "WARNING: binary creates a Linux executable. Use cross for macOS or Windows."
 	./scripts/build/binary

+.PHONY: plugins
+plugins: ## build example CLI plugins
+	./scripts/build/plugins
+
 .PHONY: cross
 cross: ## build executable for macOS and Windows
 	./scripts/build/cross
@ -38,10 +46,18 @@ cross: ## build executable for macOS and Windows
 binary-windows: ## build executable for Windows
 	./scripts/build/windows

+.PHONY: plugins-windows
+plugins-windows: ## build example CLI plugins for Windows
+	./scripts/build/plugins-windows
+
 .PHONY: binary-osx
 binary-osx: ## build executable for macOS
 	./scripts/build/osx

+.PHONY: plugins-osx
+plugins-osx: ## build example CLI plugins for macOS
+	./scripts/build/plugins-osx
+
 .PHONY: dynbinary
 dynbinary: ## build dynamically linked binary
 	./scripts/build/dynbinary
@ -69,7 +85,7 @@ shellcheck: ## run shellcheck validation

 .PHONY: help
 help: ## print this help
-	@awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z_-]+:.*?## / {sub("\\\\n",sprintf("\n%22c"," "), $$2);printf "\033[36m%-20s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST)
+	@awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z0-9_-]+:.*?## / {gsub("\\\\n",sprintf("\n%22c",""), $$2);printf "\033[36m%-20s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST)


 cli/compose/schema/bindata.go: cli/compose/schema/data/*.json
--- a/2
+++ b/2
@ -1 +1 @@
-18.09.0-dev
+19.03.0-dev
--- a/appveyor.yml
+++ b/appveyor.yml
@ -4,7 +4,7 @@ clone_folder: c:\gopath\src\github.com\docker\cli

 environment:
  GOPATH: c:\gopath
-  GOVERSION: 1.10.3
+  GOVERSION: 1.12.8
  DEPVERSION: v0.4.1

 install:
@ -20,4 +20,4 @@ build_script:
  - ps: .\scripts\make.ps1 -Binary

 test_script:
-  - ps: .\scripts\make.ps1 -TestUnit
+  - ps: .\scripts\make.ps1 -TestUnit
--- a/circle.yml
+++ b/circle.yml
@ -4,39 +4,39 @@ jobs:

  lint:
    working_directory: /work
-    docker: [{image: 'docker:18.03-git'}]
+    docker: [{image: 'docker:18.09-git'}]
+    environment:
+      DOCKER_BUILDKIT: 1
    steps:
      - checkout
      - setup_remote_docker:
-            version: 18.03.1-ce
-            reusable: true
-            exclusive: false
+          version: 18.09.3
+          reusable: true
+          exclusive: false
      - run:
          command: docker version
      - run:
          name: "Lint"
          command: |
-            dockerfile=dockerfiles/Dockerfile.lint
-            echo "COPY . ." >> $dockerfile
-            docker build -f $dockerfile --tag cli-linter:$CIRCLE_BUILD_NUM .
+            docker build --progress=plain -f dockerfiles/Dockerfile.lint --tag cli-linter:$CIRCLE_BUILD_NUM .
            docker run --rm cli-linter:$CIRCLE_BUILD_NUM

  cross:
    working_directory: /work
-    docker: [{image: 'docker:18.03-git'}]
+    docker: [{image: 'docker:18.09-git'}]
+    environment:
+      DOCKER_BUILDKIT: 1
    parallelism: 3
    steps:
      - checkout
      - setup_remote_docker:
-            version: 18.03.1-ce
-            reusable: true
-            exclusive: false
+          version: 18.09.3
+          reusable: true
+          exclusive: false
      - run:
          name: "Cross"
          command: |
-            dockerfile=dockerfiles/Dockerfile.cross
-            echo "COPY . ." >> $dockerfile
-            docker build -f $dockerfile --tag cli-builder:$CIRCLE_BUILD_NUM .
+            docker build --progress=plain -f dockerfiles/Dockerfile.cross --tag cli-builder:$CIRCLE_BUILD_NUM .
            name=cross-$CIRCLE_BUILD_NUM-$CIRCLE_NODE_INDEX
            docker run \
                -e CROSS_GROUP=$CIRCLE_NODE_INDEX \
@ -50,23 +50,28 @@ jobs:

  test:
    working_directory: /work
-    docker: [{image: 'docker:18.03-git'}]
+    docker: [{image: 'docker:18.09-git'}]
+    environment:
+      DOCKER_BUILDKIT: 1
    steps:
      - checkout
      - setup_remote_docker:
-            version: 18.03.1-ce
-            reusable: true
-            exclusive: false
+          version: 18.09.3
+          reusable: true
+          exclusive: false
      - run:
          name: "Unit Test with Coverage"
          command: |
-            dockerfile=dockerfiles/Dockerfile.dev
-            echo "COPY . ." >> $dockerfile
-            docker build -f $dockerfile --tag cli-builder:$CIRCLE_BUILD_NUM .
-            docker run --name \
+            mkdir -p test-results/unit-tests
+            docker build --progress=plain -f dockerfiles/Dockerfile.dev --tag cli-builder:$CIRCLE_BUILD_NUM .
+            docker run \
+                -e GOTESTSUM_JUNITFILE=/tmp/junit.xml \
+                --name \
                test-$CIRCLE_BUILD_NUM cli-builder:$CIRCLE_BUILD_NUM \
                make test-coverage
-
+            docker cp \
+                test-$CIRCLE_BUILD_NUM:/tmp/junit.xml \
+                ./test-results/unit-tests/junit.xml
      - run:
          name: "Upload to Codecov"
          command: |
@ -76,40 +81,45 @@ jobs:
            apk add -U bash curl
            curl -s https://codecov.io/bash | bash || \
                echo 'Codecov failed to upload'
+      - store_test_results:
+          path:  test-results
+      - store_artifacts:
+          path:  test-results

  validate:
    working_directory: /work
-    docker: [{image: 'docker:18.03-git'}]
+    docker: [{image: 'docker:18.09-git'}]
+    environment:
+      DOCKER_BUILDKIT: 1
    steps:
      - checkout
      - setup_remote_docker:
-            version: 18.03.1-ce
-            reusable: true
-            exclusive: false
+          version: 18.09.3
+          reusable: true
+          exclusive: false
      - run:
          name: "Validate Vendor, Docs, and Code Generation"
          command: |
-            dockerfile=dockerfiles/Dockerfile.dev
-            echo "COPY . ." >> $dockerfile
            rm -f .dockerignore # include .git
-            docker build -f $dockerfile --tag cli-builder-with-git:$CIRCLE_BUILD_NUM .
+            docker build --progress=plain -f dockerfiles/Dockerfile.dev --tag cli-builder-with-git:$CIRCLE_BUILD_NUM .
            docker run --rm cli-builder-with-git:$CIRCLE_BUILD_NUM \
                make ci-validate
+          no_output_timeout: 15m
  shellcheck:
    working_directory: /work
-    docker: [{image: 'docker:18.03-git'}]
+    docker: [{image: 'docker:18.09-git'}]
+    environment:
+      DOCKER_BUILDKIT: 1
    steps:
      - checkout
      - setup_remote_docker:
-            version: 18.03.1-ce
-            reusable: true
-            exclusive: false
+          version: 18.09.3
+          reusable: true
+          exclusive: false
      - run:
          name: "Run shellcheck"
          command: |
-            dockerfile=dockerfiles/Dockerfile.shellcheck
-            echo "COPY . ." >> $dockerfile
-            docker build -f $dockerfile --tag cli-validator:$CIRCLE_BUILD_NUM .
+            docker build --progress=plain -f dockerfiles/Dockerfile.shellcheck --tag cli-validator:$CIRCLE_BUILD_NUM .
            docker run --rm cli-validator:$CIRCLE_BUILD_NUM \
                make shellcheck
 workflows:
--- a/cli-plugins/examples/helloworld/main.go
+++ b/cli-plugins/examples/helloworld/main.go
@ -0,0 +1,106 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"os"
+
+	"github.com/docker/cli/cli-plugins/manager"
+	"github.com/docker/cli/cli-plugins/plugin"
+	"github.com/docker/cli/cli/command"
+	"github.com/spf13/cobra"
+)
+
+func main() {
+	plugin.Run(func(dockerCli command.Cli) *cobra.Command {
+		goodbye := &cobra.Command{
+			Use:   "goodbye",
+			Short: "Say Goodbye instead of Hello",
+			Run: func(cmd *cobra.Command, _ []string) {
+				fmt.Fprintln(dockerCli.Out(), "Goodbye World!")
+			},
+		}
+		apiversion := &cobra.Command{
+			Use:   "apiversion",
+			Short: "Print the API version of the server",
+			RunE: func(_ *cobra.Command, _ []string) error {
+				cli := dockerCli.Client()
+				ping, err := cli.Ping(context.Background())
+				if err != nil {
+					return err
+				}
+				fmt.Println(ping.APIVersion)
+				return nil
+			},
+		}
+
+		exitStatus2 := &cobra.Command{
+			Use:   "exitstatus2",
+			Short: "Exit with status 2",
+			RunE: func(_ *cobra.Command, _ []string) error {
+				fmt.Fprintln(dockerCli.Err(), "Exiting with error status 2")
+				os.Exit(2)
+				return nil
+			},
+		}
+
+		var (
+			who, context  string
+			preRun, debug bool
+		)
+		cmd := &cobra.Command{
+			Use:   "helloworld",
+			Short: "A basic Hello World plugin for tests",
+			PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
+				if err := plugin.PersistentPreRunE(cmd, args); err != nil {
+					return err
+				}
+				if preRun {
+					fmt.Fprintf(dockerCli.Err(), "Plugin PersistentPreRunE called")
+				}
+				return nil
+			},
+			RunE: func(cmd *cobra.Command, args []string) error {
+				if debug {
+					fmt.Fprintf(dockerCli.Err(), "Plugin debug mode enabled")
+				}
+
+				switch context {
+				case "Christmas":
+					fmt.Fprintf(dockerCli.Out(), "Merry Christmas!\n")
+					return nil
+				case "":
+					// nothing
+				}
+
+				if who == "" {
+					who, _ = dockerCli.ConfigFile().PluginConfig("helloworld", "who")
+				}
+				if who == "" {
+					who = "World"
+				}
+
+				fmt.Fprintf(dockerCli.Out(), "Hello %s!\n", who)
+				dockerCli.ConfigFile().SetPluginConfig("helloworld", "lastwho", who)
+				return dockerCli.ConfigFile().Save()
+			},
+		}
+
+		flags := cmd.Flags()
+		flags.StringVar(&who, "who", "", "Who are we addressing?")
+		flags.BoolVar(&preRun, "pre-run", false, "Log from prerun hook")
+		// These are intended to deliberately clash with the CLIs own top
+		// level arguments.
+		flags.BoolVarP(&debug, "debug", "D", false, "Enable debug")
+		flags.StringVarP(&context, "context", "c", "", "Is it Christmas?")
+
+		cmd.AddCommand(goodbye, apiversion, exitStatus2)
+		return cmd
+	},
+		manager.Metadata{
+			SchemaVersion: "0.1.0",
+			Vendor:        "Docker Inc.",
+			Version:       "testing",
+			Experimental:  os.Getenv("HELLO_EXPERIMENTAL") != "",
+		})
+}
--- a/cli-plugins/manager/candidate.go
+++ b/cli-plugins/manager/candidate.go
@ -0,0 +1,23 @@
+package manager
+
+import (
+	"os/exec"
+)
+
+// Candidate represents a possible plugin candidate, for mocking purposes
+type Candidate interface {
+	Path() string
+	Metadata() ([]byte, error)
+}
+
+type candidate struct {
+	path string
+}
+
+func (c *candidate) Path() string {
+	return c.path
+}
+
+func (c *candidate) Metadata() ([]byte, error) {
+	return exec.Command(c.path, MetadataSubcommandName).Output()
+}
--- a/cli-plugins/manager/candidate_test.go
+++ b/cli-plugins/manager/candidate_test.go
@ -0,0 +1,101 @@
+package manager
+
+import (
+	"fmt"
+	"reflect"
+	"strings"
+	"testing"
+
+	"github.com/spf13/cobra"
+	"gotest.tools/assert"
+	"gotest.tools/assert/cmp"
+)
+
+type fakeCandidate struct {
+	path              string
+	exec              bool
+	meta              string
+	allowExperimental bool
+}
+
+func (c *fakeCandidate) Path() string {
+	return c.path
+}
+
+func (c *fakeCandidate) Metadata() ([]byte, error) {
+	if !c.exec {
+		return nil, fmt.Errorf("faked a failure to exec %q", c.path)
+	}
+	return []byte(c.meta), nil
+}
+
+func TestValidateCandidate(t *testing.T) {
+	var (
+		goodPluginName = NamePrefix + "goodplugin"
+
+		builtinName  = NamePrefix + "builtin"
+		builtinAlias = NamePrefix + "alias"
+
+		badPrefixPath    = "/usr/local/libexec/cli-plugins/wobble"
+		badNamePath      = "/usr/local/libexec/cli-plugins/docker-123456"
+		goodPluginPath   = "/usr/local/libexec/cli-plugins/" + goodPluginName
+		metaExperimental = `{"SchemaVersion": "0.1.0", "Vendor": "e2e-testing", "Experimental": true}`
+	)
+
+	fakeroot := &cobra.Command{Use: "docker"}
+	fakeroot.AddCommand(&cobra.Command{
+		Use: strings.TrimPrefix(builtinName, NamePrefix),
+		Aliases: []string{
+			strings.TrimPrefix(builtinAlias, NamePrefix),
+		},
+	})
+
+	for _, tc := range []struct {
+		name string
+		c    *fakeCandidate
+
+		// Either err or invalid may be non-empty, but not both (both can be empty for a good plugin).
+		err     string
+		invalid string
+	}{
+		/* Each failing one of the tests */
+		{name: "empty path", c: &fakeCandidate{path: ""}, err: "plugin candidate path cannot be empty"},
+		{name: "bad prefix", c: &fakeCandidate{path: badPrefixPath}, err: fmt.Sprintf("does not have %q prefix", NamePrefix)},
+		{name: "bad path", c: &fakeCandidate{path: badNamePath}, invalid: "did not match"},
+		{name: "builtin command", c: &fakeCandidate{path: builtinName}, invalid: `plugin "builtin" duplicates builtin command`},
+		{name: "builtin alias", c: &fakeCandidate{path: builtinAlias}, invalid: `plugin "alias" duplicates an alias of builtin command "builtin"`},
+		{name: "fetch failure", c: &fakeCandidate{path: goodPluginPath, exec: false}, invalid: fmt.Sprintf("failed to fetch metadata: faked a failure to exec %q", goodPluginPath)},
+		{name: "metadata not json", c: &fakeCandidate{path: goodPluginPath, exec: true, meta: `xyzzy`}, invalid: "invalid character"},
+		{name: "empty schemaversion", c: &fakeCandidate{path: goodPluginPath, exec: true, meta: `{}`}, invalid: `plugin SchemaVersion "" is not valid`},
+		{name: "invalid schemaversion", c: &fakeCandidate{path: goodPluginPath, exec: true, meta: `{"SchemaVersion": "xyzzy"}`}, invalid: `plugin SchemaVersion "xyzzy" is not valid`},
+		{name: "no vendor", c: &fakeCandidate{path: goodPluginPath, exec: true, meta: `{"SchemaVersion": "0.1.0"}`}, invalid: "plugin metadata does not define a vendor"},
+		{name: "empty vendor", c: &fakeCandidate{path: goodPluginPath, exec: true, meta: `{"SchemaVersion": "0.1.0", "Vendor": ""}`}, invalid: "plugin metadata does not define a vendor"},
+		{name: "experimental required", c: &fakeCandidate{path: goodPluginPath, exec: true, meta: metaExperimental}, invalid: "requires experimental CLI"},
+		// This one should work
+		{name: "valid", c: &fakeCandidate{path: goodPluginPath, exec: true, meta: `{"SchemaVersion": "0.1.0", "Vendor": "e2e-testing"}`}},
+		{name: "valid + allowing experimental", c: &fakeCandidate{path: goodPluginPath, exec: true, meta: `{"SchemaVersion": "0.1.0", "Vendor": "e2e-testing"}`, allowExperimental: true}},
+		{name: "experimental + allowing experimental", c: &fakeCandidate{path: goodPluginPath, exec: true, meta: metaExperimental, allowExperimental: true}},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			p, err := newPlugin(tc.c, fakeroot, tc.c.allowExperimental)
+			if tc.err != "" {
+				assert.ErrorContains(t, err, tc.err)
+			} else if tc.invalid != "" {
+				assert.NilError(t, err)
+				assert.Assert(t, cmp.ErrorType(p.Err, reflect.TypeOf(&pluginError{})))
+				assert.ErrorContains(t, p.Err, tc.invalid)
+			} else {
+				assert.NilError(t, err)
+				assert.Equal(t, NamePrefix+p.Name, goodPluginName)
+				assert.Equal(t, p.SchemaVersion, "0.1.0")
+				assert.Equal(t, p.Vendor, "e2e-testing")
+			}
+		})
+	}
+}
+
+func TestCandidatePath(t *testing.T) {
+	exp := "/some/path"
+	cand := &candidate{path: exp}
+	assert.Equal(t, exp, cand.Path())
+}
--- a/cli-plugins/manager/cobra.go
+++ b/cli-plugins/manager/cobra.go
@ -0,0 +1,60 @@
+package manager
+
+import (
+	"github.com/docker/cli/cli/command"
+	"github.com/spf13/cobra"
+)
+
+const (
+	// CommandAnnotationPlugin is added to every stub command added by
+	// AddPluginCommandStubs with the value "true" and so can be
+	// used to distinguish plugin stubs from regular commands.
+	CommandAnnotationPlugin = "com.docker.cli.plugin"
+
+	// CommandAnnotationPluginVendor is added to every stub command
+	// added by AddPluginCommandStubs and contains the vendor of
+	// that plugin.
+	CommandAnnotationPluginVendor = "com.docker.cli.plugin.vendor"
+
+	// CommandAnnotationPluginVersion is added to every stub command
+	// added by AddPluginCommandStubs and contains the version of
+	// that plugin.
+	CommandAnnotationPluginVersion = "com.docker.cli.plugin.version"
+
+	// CommandAnnotationPluginInvalid is added to any stub command
+	// added by AddPluginCommandStubs for an invalid command (that
+	// is, one which failed it's candidate test) and contains the
+	// reason for the failure.
+	CommandAnnotationPluginInvalid = "com.docker.cli.plugin-invalid"
+)
+
+// AddPluginCommandStubs adds a stub cobra.Commands for each valid and invalid
+// plugin. The command stubs will have several annotations added, see
+// `CommandAnnotationPlugin*`.
+func AddPluginCommandStubs(dockerCli command.Cli, cmd *cobra.Command) error {
+	plugins, err := ListPlugins(dockerCli, cmd)
+	if err != nil {
+		return err
+	}
+	for _, p := range plugins {
+		vendor := p.Vendor
+		if vendor == "" {
+			vendor = "unknown"
+		}
+		annotations := map[string]string{
+			CommandAnnotationPlugin:        "true",
+			CommandAnnotationPluginVendor:  vendor,
+			CommandAnnotationPluginVersion: p.Version,
+		}
+		if p.Err != nil {
+			annotations[CommandAnnotationPluginInvalid] = p.Err.Error()
+		}
+		cmd.AddCommand(&cobra.Command{
+			Use:         p.Name,
+			Short:       p.ShortDescription,
+			Run:         func(_ *cobra.Command, _ []string) {},
+			Annotations: annotations,
+		})
+	}
+	return nil
+}
--- a/cli-plugins/manager/error.go
+++ b/cli-plugins/manager/error.go
@ -0,0 +1,43 @@
+package manager
+
+import (
+	"github.com/pkg/errors"
+)
+
+// pluginError is set as Plugin.Err by NewPlugin if the plugin
+// candidate fails one of the candidate tests. This exists primarily
+// to implement encoding.TextMarshaller such that rendering a plugin as JSON
+// (e.g. for `docker info -f '{{json .CLIPlugins}}'`) renders the Err
+// field as a useful string and not just `{}`. See
+// https://github.com/golang/go/issues/10748 for some discussion
+// around why the builtin error type doesn't implement this.
+type pluginError struct {
+	cause error
+}
+
+// Error satisfies the core error interface for pluginError.
+func (e *pluginError) Error() string {
+	return e.cause.Error()
+}
+
+// Cause satisfies the errors.causer interface for pluginError.
+func (e *pluginError) Cause() error {
+	return e.cause
+}
+
+// MarshalText marshalls the pluginError into a textual form.
+func (e *pluginError) MarshalText() (text []byte, err error) {
+	return []byte(e.cause.Error()), nil
+}
+
+// wrapAsPluginError wraps an error in a pluginError with an
+// additional message, analogous to errors.Wrapf.
+func wrapAsPluginError(err error, msg string) error {
+	return &pluginError{cause: errors.Wrap(err, msg)}
+}
+
+// NewPluginError creates a new pluginError, analogous to
+// errors.Errorf.
+func NewPluginError(msg string, args ...interface{}) error {
+	return &pluginError{cause: errors.Errorf(msg, args...)}
+}
--- a/cli-plugins/manager/error_test.go
+++ b/cli-plugins/manager/error_test.go
@ -0,0 +1,24 @@
+package manager
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/pkg/errors"
+	"gopkg.in/yaml.v2"
+	"gotest.tools/assert"
+)
+
+func TestPluginError(t *testing.T) {
+	err := NewPluginError("new error")
+	assert.Error(t, err, "new error")
+
+	inner := fmt.Errorf("testing")
+	err = wrapAsPluginError(inner, "wrapping")
+	assert.Error(t, err, "wrapping: testing")
+	assert.Equal(t, inner, errors.Cause(err))
+
+	actual, err := yaml.Marshal(err)
+	assert.NilError(t, err)
+	assert.Equal(t, "'wrapping: testing'\n", string(actual))
+}
--- a/cli-plugins/manager/manager.go
+++ b/cli-plugins/manager/manager.go
@ -0,0 +1,209 @@
+package manager
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/config"
+	"github.com/spf13/cobra"
+)
+
+// ReexecEnvvar is the name of an ennvar which is set to the command
+// used to originally invoke the docker CLI when executing a
+// plugin. Assuming $PATH and $CWD remain unchanged this should allow
+// the plugin to re-execute the original CLI.
+const ReexecEnvvar = "DOCKER_CLI_PLUGIN_ORIGINAL_CLI_COMMAND"
+
+// errPluginNotFound is the error returned when a plugin could not be found.
+type errPluginNotFound string
+
+func (e errPluginNotFound) NotFound() {}
+
+func (e errPluginNotFound) Error() string {
+	return "Error: No such CLI plugin: " + string(e)
+}
+
+type errPluginRequireExperimental string
+
+// Note: errPluginRequireExperimental implements notFound so that the plugin
+// is skipped when listing the plugins.
+func (e errPluginRequireExperimental) NotFound() {}
+
+func (e errPluginRequireExperimental) Error() string {
+	return fmt.Sprintf("plugin candidate %q: requires experimental CLI", string(e))
+}
+
+type notFound interface{ NotFound() }
+
+// IsNotFound is true if the given error is due to a plugin not being found.
+func IsNotFound(err error) bool {
+	if e, ok := err.(*pluginError); ok {
+		err = e.Cause()
+	}
+	_, ok := err.(notFound)
+	return ok
+}
+
+func getPluginDirs(dockerCli command.Cli) ([]string, error) {
+	var pluginDirs []string
+
+	if cfg := dockerCli.ConfigFile(); cfg != nil {
+		pluginDirs = append(pluginDirs, cfg.CLIPluginsExtraDirs...)
+	}
+	pluginDir, err := config.Path("cli-plugins")
+	if err != nil {
+		return nil, err
+	}
+
+	pluginDirs = append(pluginDirs, pluginDir)
+	pluginDirs = append(pluginDirs, defaultSystemPluginDirs...)
+	return pluginDirs, nil
+}
+
+func addPluginCandidatesFromDir(res map[string][]string, d string) error {
+	dentries, err := ioutil.ReadDir(d)
+	if err != nil {
+		return err
+	}
+	for _, dentry := range dentries {
+		switch dentry.Mode() & os.ModeType {
+		case 0, os.ModeSymlink:
+			// Regular file or symlink, keep going
+		default:
+			// Something else, ignore.
+			continue
+		}
+		name := dentry.Name()
+		if !strings.HasPrefix(name, NamePrefix) {
+			continue
+		}
+		name = strings.TrimPrefix(name, NamePrefix)
+		var err error
+		if name, err = trimExeSuffix(name); err != nil {
+			continue
+		}
+		res[name] = append(res[name], filepath.Join(d, dentry.Name()))
+	}
+	return nil
+}
+
+// listPluginCandidates returns a map from plugin name to the list of (unvalidated) Candidates. The list is in descending order of priority.
+func listPluginCandidates(dirs []string) (map[string][]string, error) {
+	result := make(map[string][]string)
+	for _, d := range dirs {
+		// Silently ignore any directories which we cannot
+		// Stat (e.g. due to permissions or anything else) or
+		// which is not a directory.
+		if fi, err := os.Stat(d); err != nil || !fi.IsDir() {
+			continue
+		}
+		if err := addPluginCandidatesFromDir(result, d); err != nil {
+			// Silently ignore paths which don't exist.
+			if os.IsNotExist(err) {
+				continue
+			}
+			return nil, err // Or return partial result?
+		}
+	}
+	return result, nil
+}
+
+// ListPlugins produces a list of the plugins available on the system
+func ListPlugins(dockerCli command.Cli, rootcmd *cobra.Command) ([]Plugin, error) {
+	pluginDirs, err := getPluginDirs(dockerCli)
+	if err != nil {
+		return nil, err
+	}
+
+	candidates, err := listPluginCandidates(pluginDirs)
+	if err != nil {
+		return nil, err
+	}
+
+	var plugins []Plugin
+	for _, paths := range candidates {
+		if len(paths) == 0 {
+			continue
+		}
+		c := &candidate{paths[0]}
+		p, err := newPlugin(c, rootcmd, dockerCli.ClientInfo().HasExperimental)
+		if err != nil {
+			return nil, err
+		}
+		if !IsNotFound(p.Err) {
+			p.ShadowedPaths = paths[1:]
+			plugins = append(plugins, p)
+		}
+	}
+
+	return plugins, nil
+}
+
+// PluginRunCommand returns an "os/exec".Cmd which when .Run() will execute the named plugin.
+// The rootcmd argument is referenced to determine the set of builtin commands in order to detect conficts.
+// The error returned satisfies the IsNotFound() predicate if no plugin was found or if the first candidate plugin was invalid somehow.
+func PluginRunCommand(dockerCli command.Cli, name string, rootcmd *cobra.Command) (*exec.Cmd, error) {
+	// This uses the full original args, not the args which may
+	// have been provided by cobra to our caller. This is because
+	// they lack e.g. global options which we must propagate here.
+	args := os.Args[1:]
+	if !pluginNameRe.MatchString(name) {
+		// We treat this as "not found" so that callers will
+		// fallback to their "invalid" command path.
+		return nil, errPluginNotFound(name)
+	}
+	exename := addExeSuffix(NamePrefix + name)
+	pluginDirs, err := getPluginDirs(dockerCli)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, d := range pluginDirs {
+		path := filepath.Join(d, exename)
+
+		// We stat here rather than letting the exec tell us
+		// ENOENT because the latter does not distinguish a
+		// file not existing from its dynamic loader or one of
+		// its libraries not existing.
+		if _, err := os.Stat(path); os.IsNotExist(err) {
+			continue
+		}
+
+		c := &candidate{path: path}
+		plugin, err := newPlugin(c, rootcmd, dockerCli.ClientInfo().HasExperimental)
+		if err != nil {
+			return nil, err
+		}
+		if plugin.Err != nil {
+			// TODO: why are we not returning plugin.Err?
+
+			err := plugin.Err.(*pluginError).Cause()
+			// if an experimental plugin was invoked directly while experimental mode is off
+			// provide a more useful error message than "not found".
+			if err, ok := err.(errPluginRequireExperimental); ok {
+				return nil, err
+			}
+			return nil, errPluginNotFound(name)
+		}
+		cmd := exec.Command(plugin.Path, args...)
+		// Using dockerCli.{In,Out,Err}() here results in a hang until something is input.
+		// See: - https://github.com/golang/go/issues/10338
+		//      - https://github.com/golang/go/commit/d000e8742a173aa0659584aa01b7ba2834ba28ab
+		// os.Stdin is a *os.File which avoids this behaviour. We don't need the functionality
+		// of the wrappers here anyway.
+		cmd.Stdin = os.Stdin
+		cmd.Stdout = os.Stdout
+		cmd.Stderr = os.Stderr
+
+		cmd.Env = os.Environ()
+		cmd.Env = append(cmd.Env, ReexecEnvvar+"="+os.Args[0])
+
+		return cmd, nil
+	}
+	return nil, errPluginNotFound(name)
+}
--- a/cli-plugins/manager/manager_test.go
+++ b/cli-plugins/manager/manager_test.go
@ -0,0 +1,114 @@
+package manager
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/docker/cli/cli/config"
+	"github.com/docker/cli/cli/config/configfile"
+	"github.com/docker/cli/internal/test"
+	"gotest.tools/assert"
+	"gotest.tools/fs"
+)
+
+func TestListPluginCandidates(t *testing.T) {
+	// Populate a selection of directories with various shadowed and bogus/obscure plugin candidates.
+	// For the purposes of this test no contents is required and permissions are irrelevant.
+	dir := fs.NewDir(t, t.Name(),
+		fs.WithDir(
+			"plugins1",
+			fs.WithFile("docker-plugin1", ""),                        // This appears in each directory
+			fs.WithFile("not-a-plugin", ""),                          // Should be ignored
+			fs.WithFile("docker-symlinked1", ""),                     // This and ...
+			fs.WithSymlink("docker-symlinked2", "docker-symlinked1"), // ... this should both appear
+			fs.WithDir("ignored1"),                                   // A directory should be ignored
+		),
+		fs.WithDir(
+			"plugins2",
+			fs.WithFile("docker-plugin1", ""),
+			fs.WithFile("also-not-a-plugin", ""),
+			fs.WithFile("docker-hardlink1", ""),                     // This and ...
+			fs.WithHardlink("docker-hardlink2", "docker-hardlink1"), // ... this should both appear
+			fs.WithDir("ignored2"),
+		),
+		fs.WithDir(
+			"plugins3-target", // Will be referenced as a symlink from below
+			fs.WithFile("docker-plugin1", ""),
+			fs.WithDir("ignored3"),
+			fs.WithSymlink("docker-brokensymlink", "broken"),           // A broken symlink is still a candidate (but would fail tests later)
+			fs.WithFile("non-plugin-symlinked", ""),                    // This shouldn't appear, but ...
+			fs.WithSymlink("docker-symlinked", "non-plugin-symlinked"), // ... this link to it should.
+		),
+		fs.WithSymlink("plugins3", "plugins3-target"),
+		fs.WithFile("/plugins4", ""),
+		fs.WithSymlink("plugins5", "plugins5-nonexistent-target"),
+	)
+	defer dir.Remove()
+
+	var dirs []string
+	for _, d := range []string{"plugins1", "nonexistent", "plugins2", "plugins3", "plugins4", "plugins5"} {
+		dirs = append(dirs, dir.Join(d))
+	}
+
+	candidates, err := listPluginCandidates(dirs)
+	assert.NilError(t, err)
+	exp := map[string][]string{
+		"plugin1": {
+			dir.Join("plugins1", "docker-plugin1"),
+			dir.Join("plugins2", "docker-plugin1"),
+			dir.Join("plugins3", "docker-plugin1"),
+		},
+		"symlinked1": {
+			dir.Join("plugins1", "docker-symlinked1"),
+		},
+		"symlinked2": {
+			dir.Join("plugins1", "docker-symlinked2"),
+		},
+		"hardlink1": {
+			dir.Join("plugins2", "docker-hardlink1"),
+		},
+		"hardlink2": {
+			dir.Join("plugins2", "docker-hardlink2"),
+		},
+		"brokensymlink": {
+			dir.Join("plugins3", "docker-brokensymlink"),
+		},
+		"symlinked": {
+			dir.Join("plugins3", "docker-symlinked"),
+		},
+	}
+
+	assert.DeepEqual(t, candidates, exp)
+}
+
+func TestErrPluginNotFound(t *testing.T) {
+	var err error = errPluginNotFound("test")
+	err.(errPluginNotFound).NotFound()
+	assert.Error(t, err, "Error: No such CLI plugin: test")
+	assert.Assert(t, IsNotFound(err))
+	assert.Assert(t, !IsNotFound(nil))
+}
+
+func TestGetPluginDirs(t *testing.T) {
+	cli := test.NewFakeCli(nil)
+
+	pluginDir, err := config.Path("cli-plugins")
+	assert.NilError(t, err)
+	expected := append([]string{pluginDir}, defaultSystemPluginDirs...)
+
+	var pluginDirs []string
+	pluginDirs, err = getPluginDirs(cli)
+	assert.Equal(t, strings.Join(expected, ":"), strings.Join(pluginDirs, ":"))
+	assert.NilError(t, err)
+
+	extras := []string{
+		"foo", "bar", "baz",
+	}
+	expected = append(extras, expected...)
+	cli.SetConfigFile(&configfile.ConfigFile{
+		CLIPluginsExtraDirs: extras,
+	})
+	pluginDirs, err = getPluginDirs(cli)
+	assert.DeepEqual(t, expected, pluginDirs)
+	assert.NilError(t, err)
+}
--- a/cli-plugins/manager/manager_unix.go
+++ b/cli-plugins/manager/manager_unix.go
@ -0,0 +1,8 @@
+// +build !windows
+
+package manager
+
+var defaultSystemPluginDirs = []string{
+	"/usr/local/lib/docker/cli-plugins", "/usr/local/libexec/docker/cli-plugins",
+	"/usr/lib/docker/cli-plugins", "/usr/libexec/docker/cli-plugins",
+}
--- a/cli-plugins/manager/manager_windows.go
+++ b/cli-plugins/manager/manager_windows.go
@ -0,0 +1,11 @@
+package manager
+
+import (
+	"os"
+	"path/filepath"
+)
+
+var defaultSystemPluginDirs = []string{
+	filepath.Join(os.Getenv("ProgramData"), "Docker", "cli-plugins"),
+	filepath.Join(os.Getenv("ProgramFiles"), "Docker", "cli-plugins"),
+}
--- a/cli-plugins/manager/metadata.go
+++ b/cli-plugins/manager/metadata.go
@ -0,0 +1,28 @@
+package manager
+
+const (
+	// NamePrefix is the prefix required on all plugin binary names
+	NamePrefix = "docker-"
+
+	// MetadataSubcommandName is the name of the plugin subcommand
+	// which must be supported by every plugin and returns the
+	// plugin metadata.
+	MetadataSubcommandName = "docker-cli-plugin-metadata"
+)
+
+// Metadata provided by the plugin. See docs/extend/cli_plugins.md for canonical information.
+type Metadata struct {
+	// SchemaVersion describes the version of this struct. Mandatory, must be "0.1.0"
+	SchemaVersion string `json:",omitempty"`
+	// Vendor is the name of the plugin vendor. Mandatory
+	Vendor string `json:",omitempty"`
+	// Version is the optional version of this plugin.
+	Version string `json:",omitempty"`
+	// ShortDescription should be suitable for a single line help message.
+	ShortDescription string `json:",omitempty"`
+	// URL is a pointer to the plugin's homepage.
+	URL string `json:",omitempty"`
+	// Experimental specifies whether the plugin is experimental.
+	// Experimental plugins are not displayed on non-experimental CLIs.
+	Experimental bool `json:",omitempty"`
+}
--- a/cli-plugins/manager/plugin.go
+++ b/cli-plugins/manager/plugin.go
@ -0,0 +1,112 @@
+package manager
+
+import (
+	"encoding/json"
+	"path/filepath"
+	"regexp"
+	"strings"
+
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+var (
+	pluginNameRe = regexp.MustCompile("^[a-z][a-z0-9]*$")
+)
+
+// Plugin represents a potential plugin with all it's metadata.
+type Plugin struct {
+	Metadata
+
+	Name string `json:",omitempty"`
+	Path string `json:",omitempty"`
+
+	// Err is non-nil if the plugin failed one of the candidate tests.
+	Err error `json:",omitempty"`
+
+	// ShadowedPaths contains the paths of any other plugins which this plugin takes precedence over.
+	ShadowedPaths []string `json:",omitempty"`
+}
+
+// newPlugin determines if the given candidate is valid and returns a
+// Plugin.  If the candidate fails one of the tests then `Plugin.Err`
+// is set, and is always a `pluginError`, but the `Plugin` is still
+// returned with no error. An error is only returned due to a
+// non-recoverable error.
+//
+// nolint: gocyclo
+func newPlugin(c Candidate, rootcmd *cobra.Command, allowExperimental bool) (Plugin, error) {
+	path := c.Path()
+	if path == "" {
+		return Plugin{}, errors.New("plugin candidate path cannot be empty")
+	}
+
+	// The candidate listing process should have skipped anything
+	// which would fail here, so there are all real errors.
+	fullname := filepath.Base(path)
+	if fullname == "." {
+		return Plugin{}, errors.Errorf("unable to determine basename of plugin candidate %q", path)
+	}
+	var err error
+	if fullname, err = trimExeSuffix(fullname); err != nil {
+		return Plugin{}, errors.Wrapf(err, "plugin candidate %q", path)
+	}
+	if !strings.HasPrefix(fullname, NamePrefix) {
+		return Plugin{}, errors.Errorf("plugin candidate %q: does not have %q prefix", path, NamePrefix)
+	}
+
+	p := Plugin{
+		Name: strings.TrimPrefix(fullname, NamePrefix),
+		Path: path,
+	}
+
+	// Now apply the candidate tests, so these update p.Err.
+	if !pluginNameRe.MatchString(p.Name) {
+		p.Err = NewPluginError("plugin candidate %q did not match %q", p.Name, pluginNameRe.String())
+		return p, nil
+	}
+
+	if rootcmd != nil {
+		for _, cmd := range rootcmd.Commands() {
+			// Ignore conflicts with commands which are
+			// just plugin stubs (i.e. from a previous
+			// call to AddPluginCommandStubs).
+			if p := cmd.Annotations[CommandAnnotationPlugin]; p == "true" {
+				continue
+			}
+			if cmd.Name() == p.Name {
+				p.Err = NewPluginError("plugin %q duplicates builtin command", p.Name)
+				return p, nil
+			}
+			if cmd.HasAlias(p.Name) {
+				p.Err = NewPluginError("plugin %q duplicates an alias of builtin command %q", p.Name, cmd.Name())
+				return p, nil
+			}
+		}
+	}
+
+	// We are supposed to check for relevant execute permissions here. Instead we rely on an attempt to execute.
+	meta, err := c.Metadata()
+	if err != nil {
+		p.Err = wrapAsPluginError(err, "failed to fetch metadata")
+		return p, nil
+	}
+
+	if err := json.Unmarshal(meta, &p.Metadata); err != nil {
+		p.Err = wrapAsPluginError(err, "invalid metadata")
+		return p, nil
+	}
+	if p.Experimental && !allowExperimental {
+		p.Err = &pluginError{errPluginRequireExperimental(p.Name)}
+		return p, nil
+	}
+	if p.Metadata.SchemaVersion != "0.1.0" {
+		p.Err = NewPluginError("plugin SchemaVersion %q is not valid, must be 0.1.0", p.Metadata.SchemaVersion)
+		return p, nil
+	}
+	if p.Metadata.Vendor == "" {
+		p.Err = NewPluginError("plugin metadata does not define a vendor")
+		return p, nil
+	}
+	return p, nil
+}
--- a/cli-plugins/manager/suffix_unix.go
+++ b/cli-plugins/manager/suffix_unix.go
@ -0,0 +1,10 @@
+// +build !windows
+
+package manager
+
+func trimExeSuffix(s string) (string, error) {
+	return s, nil
+}
+func addExeSuffix(s string) string {
+	return s
+}
--- a/cli-plugins/manager/suffix_windows.go
+++ b/cli-plugins/manager/suffix_windows.go
@ -0,0 +1,26 @@
+package manager
+
+import (
+	"path/filepath"
+	"strings"
+
+	"github.com/pkg/errors"
+)
+
+// This is made slightly more complex due to needing to be case insensitive.
+func trimExeSuffix(s string) (string, error) {
+	ext := filepath.Ext(s)
+	if ext == "" {
+		return "", errors.Errorf("path %q lacks required file extension", s)
+	}
+
+	exe := ".exe"
+	if !strings.EqualFold(ext, exe) {
+		return "", errors.Errorf("path %q lacks required %q suffix", s, exe)
+	}
+	return strings.TrimSuffix(s, ext), nil
+}
+
+func addExeSuffix(s string) string {
+	return s + ".exe"
+}
--- a/cli-plugins/plugin/plugin.go
+++ b/cli-plugins/plugin/plugin.go
@ -0,0 +1,161 @@
+package plugin
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"sync"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli-plugins/manager"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/connhelper"
+	"github.com/docker/docker/client"
+	"github.com/spf13/cobra"
+)
+
+// PersistentPreRunE must be called by any plugin command (or
+// subcommand) which uses the cobra `PersistentPreRun*` hook. Plugins
+// which do not make use of `PersistentPreRun*` do not need to call
+// this (although it remains safe to do so). Plugins are recommended
+// to use `PersistenPreRunE` to enable the error to be
+// returned. Should not be called outside of a command's
+// PersistentPreRunE hook and must not be run unless Run has been
+// called.
+var PersistentPreRunE func(*cobra.Command, []string) error
+
+func runPlugin(dockerCli *command.DockerCli, plugin *cobra.Command, meta manager.Metadata) error {
+	tcmd := newPluginCommand(dockerCli, plugin, meta)
+
+	var persistentPreRunOnce sync.Once
+	PersistentPreRunE = func(_ *cobra.Command, _ []string) error {
+		var err error
+		persistentPreRunOnce.Do(func() {
+			var opts []command.InitializeOpt
+			if os.Getenv("DOCKER_CLI_PLUGIN_USE_DIAL_STDIO") != "" {
+				opts = append(opts, withPluginClientConn(plugin.Name()))
+			}
+			err = tcmd.Initialize(opts...)
+		})
+		return err
+	}
+
+	cmd, args, err := tcmd.HandleGlobalFlags()
+	if err != nil {
+		return err
+	}
+	// We've parsed global args already, so reset args to those
+	// which remain.
+	cmd.SetArgs(args)
+	return cmd.Execute()
+}
+
+// Run is the top-level entry point to the CLI plugin framework. It should be called from your plugin's `main()` function.
+func Run(makeCmd func(command.Cli) *cobra.Command, meta manager.Metadata) {
+	dockerCli, err := command.NewDockerCli()
+	if err != nil {
+		fmt.Fprintln(os.Stderr, err)
+		os.Exit(1)
+	}
+
+	plugin := makeCmd(dockerCli)
+
+	if err := runPlugin(dockerCli, plugin, meta); err != nil {
+		if sterr, ok := err.(cli.StatusError); ok {
+			if sterr.Status != "" {
+				fmt.Fprintln(dockerCli.Err(), sterr.Status)
+			}
+			// StatusError should only be used for errors, and all errors should
+			// have a non-zero exit status, so never exit with 0
+			if sterr.StatusCode == 0 {
+				os.Exit(1)
+			}
+			os.Exit(sterr.StatusCode)
+		}
+		fmt.Fprintln(dockerCli.Err(), err)
+		os.Exit(1)
+	}
+}
+
+func withPluginClientConn(name string) command.InitializeOpt {
+	return command.WithInitializeClient(func(dockerCli *command.DockerCli) (client.APIClient, error) {
+		cmd := "docker"
+		if x := os.Getenv(manager.ReexecEnvvar); x != "" {
+			cmd = x
+		}
+		var flags []string
+
+		// Accumulate all the global arguments, that is those
+		// up to (but not including) the plugin's name. This
+		// ensures that `docker system dial-stdio` is
+		// evaluating the same set of `--config`, `--tls*` etc
+		// global options as the plugin was called with, which
+		// in turn is the same as what the original docker
+		// invocation was passed.
+		for _, a := range os.Args[1:] {
+			if a == name {
+				break
+			}
+			flags = append(flags, a)
+		}
+		flags = append(flags, "system", "dial-stdio")
+
+		helper, err := connhelper.GetCommandConnectionHelper(cmd, flags...)
+		if err != nil {
+			return nil, err
+		}
+
+		return client.NewClientWithOpts(client.WithDialContext(helper.Dialer))
+	})
+}
+
+func newPluginCommand(dockerCli *command.DockerCli, plugin *cobra.Command, meta manager.Metadata) *cli.TopLevelCommand {
+	name := plugin.Name()
+	fullname := manager.NamePrefix + name
+
+	cmd := &cobra.Command{
+		Use:           fmt.Sprintf("docker [OPTIONS] %s [ARG...]", name),
+		Short:         fullname + " is a Docker CLI plugin",
+		SilenceUsage:  true,
+		SilenceErrors: true,
+		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
+			// We can't use this as the hook directly since it is initialised later (in runPlugin)
+			return PersistentPreRunE(cmd, args)
+		},
+		TraverseChildren:      true,
+		DisableFlagsInUseLine: true,
+	}
+	opts, flags := cli.SetupPluginRootCommand(cmd)
+
+	cmd.SetOutput(dockerCli.Out())
+
+	cmd.AddCommand(
+		plugin,
+		newMetadataSubcommand(plugin, meta),
+	)
+
+	cli.DisableFlagsInUseLine(cmd)
+
+	return cli.NewTopLevelCommand(cmd, dockerCli, opts, flags)
+}
+
+func newMetadataSubcommand(plugin *cobra.Command, meta manager.Metadata) *cobra.Command {
+	if meta.ShortDescription == "" {
+		meta.ShortDescription = plugin.Short
+	}
+	cmd := &cobra.Command{
+		Use:    manager.MetadataSubcommandName,
+		Hidden: true,
+		// Suppress the global/parent PersistentPreRunE, which
+		// needlessly initializes the client and tries to
+		// connect to the daemon.
+		PersistentPreRun: func(cmd *cobra.Command, args []string) {},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			enc := json.NewEncoder(os.Stdout)
+			enc.SetEscapeHTML(false)
+			enc.SetIndent("", "     ")
+			return enc.Encode(meta)
+		},
+	}
+	return cmd
+}
--- a/cli/cobra.go
+++ b/cli/cobra.go
@ -2,31 +2,67 @@ package cli

 import (
 	"fmt"
+	"os"
 	"strings"

+	pluginmanager "github.com/docker/cli/cli-plugins/manager"
+	"github.com/docker/cli/cli/command"
+	cliconfig "github.com/docker/cli/cli/config"
+	cliflags "github.com/docker/cli/cli/flags"
 	"github.com/docker/docker/pkg/term"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
 )

-// SetupRootCommand sets default usage, help, and error handling for the
-// root command.
-func SetupRootCommand(rootCmd *cobra.Command) {
+// setupCommonRootCommand contains the setup common to
+// SetupRootCommand and SetupPluginRootCommand.
+func setupCommonRootCommand(rootCmd *cobra.Command) (*cliflags.ClientOptions, *pflag.FlagSet, *cobra.Command) {
+	opts := cliflags.NewClientOptions()
+	flags := rootCmd.Flags()
+
+	flags.StringVar(&opts.ConfigDir, "config", cliconfig.Dir(), "Location of client config files")
+	opts.Common.InstallFlags(flags)
+
+	cobra.AddTemplateFunc("add", func(a, b int) int { return a + b })
 	cobra.AddTemplateFunc("hasSubCommands", hasSubCommands)
 	cobra.AddTemplateFunc("hasManagementSubCommands", hasManagementSubCommands)
+	cobra.AddTemplateFunc("hasInvalidPlugins", hasInvalidPlugins)
 	cobra.AddTemplateFunc("operationSubCommands", operationSubCommands)
 	cobra.AddTemplateFunc("managementSubCommands", managementSubCommands)
+	cobra.AddTemplateFunc("invalidPlugins", invalidPlugins)
 	cobra.AddTemplateFunc("wrappedFlagUsages", wrappedFlagUsages)
+	cobra.AddTemplateFunc("vendorAndVersion", vendorAndVersion)
+	cobra.AddTemplateFunc("invalidPluginReason", invalidPluginReason)
+	cobra.AddTemplateFunc("isPlugin", isPlugin)
+	cobra.AddTemplateFunc("decoratedName", decoratedName)

 	rootCmd.SetUsageTemplate(usageTemplate)
 	rootCmd.SetHelpTemplate(helpTemplate)
 	rootCmd.SetFlagErrorFunc(FlagErrorFunc)
 	rootCmd.SetHelpCommand(helpCommand)
-	rootCmd.SetVersionTemplate("Docker version {{.Version}}\n")

 	rootCmd.PersistentFlags().BoolP("help", "h", false, "Print usage")
 	rootCmd.PersistentFlags().MarkShorthandDeprecated("help", "please use --help")
 	rootCmd.PersistentFlags().Lookup("help").Hidden = true
+
+	return opts, flags, helpCommand
+}
+
+// SetupRootCommand sets default usage, help, and error handling for the
+// root command.
+func SetupRootCommand(rootCmd *cobra.Command) (*cliflags.ClientOptions, *pflag.FlagSet, *cobra.Command) {
+	opts, flags, helpCmd := setupCommonRootCommand(rootCmd)
+
+	rootCmd.SetVersionTemplate("Docker version {{.Version}}\n")
+
+	return opts, flags, helpCmd
+}
+
+// SetupPluginRootCommand sets default usage, help and error handling for a plugin root command.
+func SetupPluginRootCommand(rootCmd *cobra.Command) (*cliflags.ClientOptions, *pflag.FlagSet) {
+	opts, flags, _ := setupCommonRootCommand(rootCmd)
+	return opts, flags
 }

 // FlagErrorFunc prints an error message which matches the format of the
@ -46,6 +82,98 @@ func FlagErrorFunc(cmd *cobra.Command, err error) error {
 	}
 }

+// TopLevelCommand encapsulates a top-level cobra command (either
+// docker CLI or a plugin) and global flag handling logic necessary
+// for plugins.
+type TopLevelCommand struct {
+	cmd       *cobra.Command
+	dockerCli *command.DockerCli
+	opts      *cliflags.ClientOptions
+	flags     *pflag.FlagSet
+	args      []string
+}
+
+// NewTopLevelCommand returns a new TopLevelCommand object
+func NewTopLevelCommand(cmd *cobra.Command, dockerCli *command.DockerCli, opts *cliflags.ClientOptions, flags *pflag.FlagSet) *TopLevelCommand {
+	return &TopLevelCommand{cmd, dockerCli, opts, flags, os.Args[1:]}
+}
+
+// SetArgs sets the args (default os.Args[:1] used to invoke the command
+func (tcmd *TopLevelCommand) SetArgs(args []string) {
+	tcmd.args = args
+	tcmd.cmd.SetArgs(args)
+}
+
+// SetFlag sets a flag in the local flag set of the top-level command
+func (tcmd *TopLevelCommand) SetFlag(name, value string) {
+	tcmd.cmd.Flags().Set(name, value)
+}
+
+// HandleGlobalFlags takes care of parsing global flags defined on the
+// command, it returns the underlying cobra command and the args it
+// will be called with (or an error).
+//
+// On success the caller is responsible for calling Initialize()
+// before calling `Execute` on the returned command.
+func (tcmd *TopLevelCommand) HandleGlobalFlags() (*cobra.Command, []string, error) {
+	cmd := tcmd.cmd
+
+	// We manually parse the global arguments and find the
+	// subcommand in order to properly deal with plugins. We rely
+	// on the root command never having any non-flag arguments. We
+	// create our own FlagSet so that we can configure it
+	// (e.g. `SetInterspersed` below) in an idempotent way.
+	flags := pflag.NewFlagSet(cmd.Name(), pflag.ContinueOnError)
+
+	// We need !interspersed to ensure we stop at the first
+	// potential command instead of accumulating it into
+	// flags.Args() and then continuing on and finding other
+	// arguments which we try and treat as globals (when they are
+	// actually arguments to the subcommand).
+	flags.SetInterspersed(false)
+
+	// We need the single parse to see both sets of flags.
+	flags.AddFlagSet(cmd.Flags())
+	flags.AddFlagSet(cmd.PersistentFlags())
+	// Now parse the global flags, up to (but not including) the
+	// first command. The result will be that all the remaining
+	// arguments are in `flags.Args()`.
+	if err := flags.Parse(tcmd.args); err != nil {
+		// Our FlagErrorFunc uses the cli, make sure it is initialized
+		if err := tcmd.Initialize(); err != nil {
+			return nil, nil, err
+		}
+		return nil, nil, cmd.FlagErrorFunc()(cmd, err)
+	}
+
+	return cmd, flags.Args(), nil
+}
+
+// Initialize finalises global option parsing and initializes the docker client.
+func (tcmd *TopLevelCommand) Initialize(ops ...command.InitializeOpt) error {
+	tcmd.opts.Common.SetDefaultOptions(tcmd.flags)
+	return tcmd.dockerCli.Initialize(tcmd.opts, ops...)
+}
+
+// VisitAll will traverse all commands from the root.
+// This is different from the VisitAll of cobra.Command where only parents
+// are checked.
+func VisitAll(root *cobra.Command, fn func(*cobra.Command)) {
+	for _, cmd := range root.Commands() {
+		VisitAll(cmd, fn)
+	}
+	fn(root)
+}
+
+// DisableFlagsInUseLine sets the DisableFlagsInUseLine flag on all
+// commands within the tree rooted at cmd.
+func DisableFlagsInUseLine(cmd *cobra.Command) {
+	VisitAll(cmd, func(ccmd *cobra.Command) {
+		// do not add a `[flags]` to the end of the usage line.
+		ccmd.DisableFlagsInUseLine = true
+	})
+}
+
 var helpCommand = &cobra.Command{
 	Use:               "help [command]",
 	Short:             "Help about the command",
@ -63,6 +191,10 @@ var helpCommand = &cobra.Command{
 	},
 }

+func isPlugin(cmd *cobra.Command) bool {
+	return cmd.Annotations[pluginmanager.CommandAnnotationPlugin] == "true"
+}
+
 func hasSubCommands(cmd *cobra.Command) bool {
 	return len(operationSubCommands(cmd)) > 0
 }
@ -71,9 +203,16 @@ func hasManagementSubCommands(cmd *cobra.Command) bool {
 	return len(managementSubCommands(cmd)) > 0
 }

+func hasInvalidPlugins(cmd *cobra.Command) bool {
+	return len(invalidPlugins(cmd)) > 0
+}
+
 func operationSubCommands(cmd *cobra.Command) []*cobra.Command {
 	cmds := []*cobra.Command{}
 	for _, sub := range cmd.Commands() {
+		if isPlugin(sub) {
+			continue
+		}
 		if sub.IsAvailableCommand() && !sub.HasSubCommands() {
 			cmds = append(cmds, sub)
 		}
@ -89,9 +228,34 @@ func wrappedFlagUsages(cmd *cobra.Command) string {
 	return cmd.Flags().FlagUsagesWrapped(width - 1)
 }

+func decoratedName(cmd *cobra.Command) string {
+	decoration := " "
+	if isPlugin(cmd) {
+		decoration = "*"
+	}
+	return cmd.Name() + decoration
+}
+
+func vendorAndVersion(cmd *cobra.Command) string {
+	if vendor, ok := cmd.Annotations[pluginmanager.CommandAnnotationPluginVendor]; ok && isPlugin(cmd) {
+		version := ""
+		if v, ok := cmd.Annotations[pluginmanager.CommandAnnotationPluginVersion]; ok && v != "" {
+			version = ", " + v
+		}
+		return fmt.Sprintf("(%s%s)", vendor, version)
+	}
+	return ""
+}
+
 func managementSubCommands(cmd *cobra.Command) []*cobra.Command {
 	cmds := []*cobra.Command{}
 	for _, sub := range cmd.Commands() {
+		if isPlugin(sub) {
+			if invalidPluginReason(sub) == "" {
+				cmds = append(cmds, sub)
+			}
+			continue
+		}
 		if sub.IsAvailableCommand() && sub.HasSubCommands() {
 			cmds = append(cmds, sub)
 		}
@ -99,12 +263,29 @@ func managementSubCommands(cmd *cobra.Command) []*cobra.Command {
 	return cmds
 }

+func invalidPlugins(cmd *cobra.Command) []*cobra.Command {
+	cmds := []*cobra.Command{}
+	for _, sub := range cmd.Commands() {
+		if !isPlugin(sub) {
+			continue
+		}
+		if invalidPluginReason(sub) != "" {
+			cmds = append(cmds, sub)
+		}
+	}
+	return cmds
+}
+
+func invalidPluginReason(cmd *cobra.Command) string {
+	return cmd.Annotations[pluginmanager.CommandAnnotationPluginInvalid]
+}
+
 var usageTemplate = `Usage:

 {{- if not .HasSubCommands}}	{{.UseLine}}{{end}}
 {{- if .HasSubCommands}}	{{ .CommandPath}}{{- if .HasAvailableFlags}} [OPTIONS]{{end}} COMMAND{{end}}

-{{ .Short | trim }}
+{{if ne .Long ""}}{{ .Long | trim }}{{ else }}{{ .Short | trim }}{{end}}

 {{- if gt .Aliases 0}}

@ -129,7 +310,7 @@ Options:
 Management Commands:

 {{- range managementSubCommands . }}
-  {{rpad .Name .NamePadding }} {{.Short}}
+  {{rpad (decoratedName .) (add .NamePadding 1)}}{{.Short}}{{ if isPlugin .}} {{vendorAndVersion .}}{{ end}}
 {{- end}}

 {{- end}}
@ -142,6 +323,16 @@ Commands:
 {{- end}}
 {{- end}}

+{{- if hasInvalidPlugins . }}
+
+Invalid Plugins:
+
+{{- range invalidPlugins . }}
+  {{rpad .Name .NamePadding }} {{invalidPluginReason .}}
+{{- end}}
+
+{{- end}}
+
 {{- if .HasSubCommands }}

 Run '{{.CommandPath}} COMMAND --help' for more information on a command.
--- a/cli/cobra_test.go
+++ b/cli/cobra_test.go
@ -0,0 +1,88 @@
+package cli
+
+import (
+	"testing"
+
+	pluginmanager "github.com/docker/cli/cli-plugins/manager"
+	"github.com/google/go-cmp/cmp/cmpopts"
+	"github.com/spf13/cobra"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestVisitAll(t *testing.T) {
+	root := &cobra.Command{Use: "root"}
+	sub1 := &cobra.Command{Use: "sub1"}
+	sub1sub1 := &cobra.Command{Use: "sub1sub1"}
+	sub1sub2 := &cobra.Command{Use: "sub1sub2"}
+	sub2 := &cobra.Command{Use: "sub2"}
+
+	root.AddCommand(sub1, sub2)
+	sub1.AddCommand(sub1sub1, sub1sub2)
+
+	// Take the opportunity to test DisableFlagsInUseLine too
+	DisableFlagsInUseLine(root)
+
+	var visited []string
+	VisitAll(root, func(ccmd *cobra.Command) {
+		visited = append(visited, ccmd.Name())
+		assert.Assert(t, ccmd.DisableFlagsInUseLine, "DisableFlagsInUseLine not set on %q", ccmd.Name())
+	})
+	expected := []string{"sub1sub1", "sub1sub2", "sub1", "sub2", "root"}
+	assert.DeepEqual(t, expected, visited)
+}
+
+func TestVendorAndVersion(t *testing.T) {
+	// Non plugin.
+	assert.Equal(t, vendorAndVersion(&cobra.Command{Use: "test"}), "")
+
+	// Plugins with various lengths of vendor.
+	for _, tc := range []struct {
+		vendor   string
+		version  string
+		expected string
+	}{
+		{vendor: "vendor", expected: "(vendor)"},
+		{vendor: "vendor", version: "testing", expected: "(vendor, testing)"},
+	} {
+		t.Run(tc.vendor, func(t *testing.T) {
+			cmd := &cobra.Command{
+				Use: "test",
+				Annotations: map[string]string{
+					pluginmanager.CommandAnnotationPlugin:        "true",
+					pluginmanager.CommandAnnotationPluginVendor:  tc.vendor,
+					pluginmanager.CommandAnnotationPluginVersion: tc.version,
+				},
+			}
+			assert.Equal(t, vendorAndVersion(cmd), tc.expected)
+		})
+	}
+}
+
+func TestInvalidPlugin(t *testing.T) {
+	root := &cobra.Command{Use: "root"}
+	sub1 := &cobra.Command{Use: "sub1"}
+	sub1sub1 := &cobra.Command{Use: "sub1sub1"}
+	sub1sub2 := &cobra.Command{Use: "sub1sub2"}
+	sub2 := &cobra.Command{Use: "sub2"}
+
+	assert.Assert(t, is.Len(invalidPlugins(root), 0))
+
+	sub1.Annotations = map[string]string{
+		pluginmanager.CommandAnnotationPlugin:        "true",
+		pluginmanager.CommandAnnotationPluginInvalid: "foo",
+	}
+	root.AddCommand(sub1, sub2)
+	sub1.AddCommand(sub1sub1, sub1sub2)
+
+	assert.DeepEqual(t, invalidPlugins(root), []*cobra.Command{sub1}, cmpopts.IgnoreUnexported(cobra.Command{}))
+}
+
+func TestDecoratedName(t *testing.T) {
+	root := &cobra.Command{Use: "root"}
+	topLevelCommand := &cobra.Command{Use: "pluginTopLevelCommand"}
+	root.AddCommand(topLevelCommand)
+	assert.Equal(t, decoratedName(topLevelCommand), "pluginTopLevelCommand ")
+	topLevelCommand.Annotations = map[string]string{pluginmanager.CommandAnnotationPlugin: "true"}
+	assert.Equal(t, decoratedName(topLevelCommand), "pluginTopLevelCommand*")
+}
--- a/cli/command/builder/cmd.go
+++ b/cli/command/builder/cmd.go
@ -5,18 +5,21 @@ import (

 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/image"
 )

 // NewBuilderCommand returns a cobra command for `builder` subcommands
 func NewBuilderCommand(dockerCli command.Cli) *cobra.Command {
 	cmd := &cobra.Command{
-		Use:   "builder",
-		Short: "Manage builds",
-		Args:  cli.NoArgs,
-		RunE:  command.ShowHelp(dockerCli.Err()),
+		Use:         "builder",
+		Short:       "Manage builds",
+		Args:        cli.NoArgs,
+		RunE:        command.ShowHelp(dockerCli.Err()),
+		Annotations: map[string]string{"version": "1.31"},
 	}
 	cmd.AddCommand(
 		NewPruneCommand(dockerCli),
+		image.NewBuildCommand(dockerCli),
 	)
 	return cmd
 }
--- a/cli/command/builder/prune.go
+++ b/cli/command/builder/prune.go
@ -3,29 +3,94 @@ package builder
 import (
 	"context"
 	"fmt"
+	"strings"

 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/opts"
+	"github.com/docker/docker/api/types"
 	units "github.com/docker/go-units"
 	"github.com/spf13/cobra"
 )

+type pruneOptions struct {
+	force       bool
+	all         bool
+	filter      opts.FilterOpt
+	keepStorage opts.MemBytes
+}
+
 // NewPruneCommand returns a new cobra prune command for images
 func NewPruneCommand(dockerCli command.Cli) *cobra.Command {
+	options := pruneOptions{filter: opts.NewFilterOpt()}
+
 	cmd := &cobra.Command{
 		Use:   "prune",
 		Short: "Remove build cache",
 		Args:  cli.NoArgs,
 		RunE: func(cmd *cobra.Command, args []string) error {
-			report, err := dockerCli.Client().BuildCachePrune(context.Background())
+			spaceReclaimed, output, err := runPrune(dockerCli, options)
 			if err != nil {
 				return err
 			}
-			fmt.Fprintln(dockerCli.Out(), "Total reclaimed space:", units.HumanSize(float64(report.SpaceReclaimed)))
+			if output != "" {
+				fmt.Fprintln(dockerCli.Out(), output)
+			}
+			fmt.Fprintln(dockerCli.Out(), "Total reclaimed space:", units.HumanSize(float64(spaceReclaimed)))
 			return nil
 		},
 		Annotations: map[string]string{"version": "1.39"},
 	}

+	flags := cmd.Flags()
+	flags.BoolVarP(&options.force, "force", "f", false, "Do not prompt for confirmation")
+	flags.BoolVarP(&options.all, "all", "a", false, "Remove all unused images, not just dangling ones")
+	flags.Var(&options.filter, "filter", "Provide filter values (e.g. 'unused-for=24h')")
+	flags.Var(&options.keepStorage, "keep-storage", "Amount of disk space to keep for cache")
+
 	return cmd
 }
+
+const (
+	normalWarning   = `WARNING! This will remove all dangling build cache. Are you sure you want to continue?`
+	allCacheWarning = `WARNING! This will remove all build cache. Are you sure you want to continue?`
+)
+
+func runPrune(dockerCli command.Cli, options pruneOptions) (spaceReclaimed uint64, output string, err error) {
+	pruneFilters := options.filter.Value()
+	pruneFilters = command.PruneFilters(dockerCli, pruneFilters)
+
+	warning := normalWarning
+	if options.all {
+		warning = allCacheWarning
+	}
+	if !options.force && !command.PromptForConfirmation(dockerCli.In(), dockerCli.Out(), warning) {
+		return 0, "", nil
+	}
+
+	report, err := dockerCli.Client().BuildCachePrune(context.Background(), types.BuildCachePruneOptions{
+		All:         options.all,
+		KeepStorage: options.keepStorage.Value(),
+		Filters:     pruneFilters,
+	})
+	if err != nil {
+		return 0, "", err
+	}
+
+	if len(report.CachesDeleted) > 0 {
+		var sb strings.Builder
+		sb.WriteString("Deleted build cache objects:\n")
+		for _, id := range report.CachesDeleted {
+			sb.WriteString(id)
+			sb.WriteByte('\n')
+		}
+		output = sb.String()
+	}
+
+	return report.SpaceReclaimed, output, nil
+}
+
+// CachePrune executes a prune command for build cache
+func CachePrune(dockerCli command.Cli, all bool, filter opts.FilterOpt) (uint64, string, error) {
+	return runPrune(dockerCli, pruneOptions{force: true, all: all, filter: filter})
+}
--- a/cli/command/checkpoint/formatter.go
+++ b/cli/command/checkpoint/formatter.go
@ -1,6 +1,9 @@
-package formatter
+package checkpoint

-import "github.com/docker/docker/api/types"
+import (
+	"github.com/docker/cli/cli/command/formatter"
+	"github.com/docker/docker/api/types"
+)

 const (
 	defaultCheckpointFormat = "table {{.Name}}"
@ -8,18 +11,18 @@ const (
 	checkpointNameHeader = "CHECKPOINT NAME"
 )

-// NewCheckpointFormat returns a format for use with a checkpoint Context
-func NewCheckpointFormat(source string) Format {
+// NewFormat returns a format for use with a checkpoint Context
+func NewFormat(source string) formatter.Format {
 	switch source {
-	case TableFormatKey:
+	case formatter.TableFormatKey:
 		return defaultCheckpointFormat
 	}
-	return Format(source)
+	return formatter.Format(source)
 }

-// CheckpointWrite writes formatted checkpoints using the Context
-func CheckpointWrite(ctx Context, checkpoints []types.Checkpoint) error {
-	render := func(format func(subContext subContext) error) error {
+// FormatWrite writes formatted checkpoints using the Context
+func FormatWrite(ctx formatter.Context, checkpoints []types.Checkpoint) error {
+	render := func(format func(subContext formatter.SubContext) error) error {
 		for _, checkpoint := range checkpoints {
 			if err := format(&checkpointContext{c: checkpoint}); err != nil {
 				return err
@ -31,20 +34,20 @@ func CheckpointWrite(ctx Context, checkpoints []types.Checkpoint) error {
 }

 type checkpointContext struct {
-	HeaderContext
+	formatter.HeaderContext
 	c types.Checkpoint
 }

 func newCheckpointContext() *checkpointContext {
 	cpCtx := checkpointContext{}
-	cpCtx.header = volumeHeaderContext{
+	cpCtx.Header = formatter.SubHeaderContext{
 		"Name": checkpointNameHeader,
 	}
 	return &cpCtx
 }

 func (c *checkpointContext) MarshalJSON() ([]byte, error) {
-	return marshalJSON(c)
+	return formatter.MarshalJSON(c)
 }

 func (c *checkpointContext) Name() string {
--- a/cli/command/checkpoint/formatter_test.go
+++ b/cli/command/checkpoint/formatter_test.go
@ -1,20 +1,21 @@
-package formatter
+package checkpoint

 import (
 	"bytes"
 	"testing"

+	"github.com/docker/cli/cli/command/formatter"
 	"github.com/docker/docker/api/types"
 	"gotest.tools/assert"
 )

 func TestCheckpointContextFormatWrite(t *testing.T) {
 	cases := []struct {
-		context  Context
+		context  formatter.Context
 		expected string
 	}{
 		{
-			Context{Format: NewCheckpointFormat(defaultCheckpointFormat)},
+			formatter.Context{Format: NewFormat(defaultCheckpointFormat)},
 			`CHECKPOINT NAME
 checkpoint-1
 checkpoint-2
@ -22,14 +23,14 @@ checkpoint-3
 `,
 		},
 		{
-			Context{Format: NewCheckpointFormat("{{.Name}}")},
+			formatter.Context{Format: NewFormat("{{.Name}}")},
 			`checkpoint-1
 checkpoint-2
 checkpoint-3
 `,
 		},
 		{
-			Context{Format: NewCheckpointFormat("{{.Name}}:")},
+			formatter.Context{Format: NewFormat("{{.Name}}:")},
 			`checkpoint-1:
 checkpoint-2:
 checkpoint-3:
@ -45,7 +46,7 @@ checkpoint-3:
 	for _, testcase := range cases {
 		out := bytes.NewBufferString("")
 		testcase.context.Output = out
-		err := CheckpointWrite(testcase.context, checkpoints)
+		err := FormatWrite(testcase.context, checkpoints)
 		assert.NilError(t, err)
 		assert.Equal(t, out.String(), testcase.expected)
 	}
--- a/cli/command/checkpoint/list.go
+++ b/cli/command/checkpoint/list.go
@ -48,7 +48,7 @@ func runList(dockerCli command.Cli, container string, opts listOptions) error {

 	cpCtx := formatter.Context{
 		Output: dockerCli.Out(),
-		Format: formatter.NewCheckpointFormat(formatter.TableFormatKey),
+		Format: NewFormat(formatter.TableFormatKey),
 	}
-	return formatter.CheckpointWrite(cpCtx, checkpoints)
+	return FormatWrite(cpCtx, checkpoints)
 }
--- a/cli/command/cli.go
+++ b/cli/command/cli.go
@ -3,28 +3,32 @@ package command
 import (
 	"context"
 	"io"
-	"net"
-	"net/http"
+	"io/ioutil"
 	"os"
 	"path/filepath"
 	"runtime"
-	"time"
+	"strconv"

-	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/config"
 	cliconfig "github.com/docker/cli/cli/config"
 	"github.com/docker/cli/cli/config/configfile"
-	"github.com/docker/cli/cli/connhelper"
+	dcontext "github.com/docker/cli/cli/context"
+	"github.com/docker/cli/cli/context/docker"
+	"github.com/docker/cli/cli/context/store"
+	"github.com/docker/cli/cli/debug"
 	cliflags "github.com/docker/cli/cli/flags"
 	manifeststore "github.com/docker/cli/cli/manifest/store"
 	registryclient "github.com/docker/cli/cli/registry/client"
+	"github.com/docker/cli/cli/streams"
 	"github.com/docker/cli/cli/trust"
+	"github.com/docker/cli/cli/version"
 	"github.com/docker/cli/internal/containerizedengine"
 	dopts "github.com/docker/cli/opts"
-	"github.com/docker/docker/api"
+	clitypes "github.com/docker/cli/types"
 	"github.com/docker/docker/api/types"
 	registrytypes "github.com/docker/docker/api/types/registry"
 	"github.com/docker/docker/client"
+	"github.com/docker/docker/pkg/term"
 	"github.com/docker/go-connections/tlsconfig"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
@ -35,18 +39,19 @@ import (

 // Streams is an interface which exposes the standard input and output streams
 type Streams interface {
-	In() *InStream
-	Out() *OutStream
+	In() *streams.In
+	Out() *streams.Out
 	Err() io.Writer
 }

 // Cli represents the docker command line client.
 type Cli interface {
 	Client() client.APIClient
-	Out() *OutStream
+	Out() *streams.Out
 	Err() io.Writer
-	In() *InStream
-	SetIn(in *InStream)
+	In() *streams.In
+	SetIn(in *streams.In)
+	Apply(ops ...DockerCliOption) error
 	ConfigFile() *configfile.ConfigFile
 	ServerInfo() ServerInfo
 	ClientInfo() ClientInfo
@ -55,20 +60,29 @@ type Cli interface {
 	ManifestStore() manifeststore.Store
 	RegistryClient(bool) registryclient.RegistryClient
 	ContentTrustEnabled() bool
-	NewContainerizedEngineClient(sockPath string) (containerizedengine.Client, error)
+	NewContainerizedEngineClient(sockPath string) (clitypes.ContainerizedClient, error)
+	ContextStore() store.Store
+	CurrentContext() string
+	StackOrchestrator(flagValue string) (Orchestrator, error)
+	DockerEndpoint() docker.Endpoint
 }

 // DockerCli is an instance the docker command line client.
 // Instances of the client can be returned from NewDockerCli.
 type DockerCli struct {
-	configFile   *configfile.ConfigFile
-	in           *InStream
-	out          *OutStream
-	err          io.Writer
-	client       client.APIClient
-	serverInfo   ServerInfo
-	clientInfo   ClientInfo
-	contentTrust bool
+	configFile            *configfile.ConfigFile
+	in                    *streams.In
+	out                   *streams.Out
+	err                   io.Writer
+	client                client.APIClient
+	serverInfo            ServerInfo
+	clientInfo            ClientInfo
+	contentTrust          bool
+	newContainerizeClient func(string) (clitypes.ContainerizedClient, error)
+	contextStore          store.Store
+	currentContext        string
+	dockerEndpoint        docker.Endpoint
+	contextStoreConfig    store.Config
 }

 // DefaultVersion returns api.defaultVersion or DOCKER_API_VERSION if specified.
@ -82,7 +96,7 @@ func (cli *DockerCli) Client() client.APIClient {
 }

 // Out returns the writer used for stdout
-func (cli *DockerCli) Out() *OutStream {
+func (cli *DockerCli) Out() *streams.Out {
 	return cli.out
 }

@ -92,12 +106,12 @@ func (cli *DockerCli) Err() io.Writer {
 }

 // SetIn sets the reader used for stdin
-func (cli *DockerCli) SetIn(in *InStream) {
+func (cli *DockerCli) SetIn(in *streams.In) {
 	cli.in = in
 }

 // In returns the reader used for stdin
-func (cli *DockerCli) In() *InStream {
+func (cli *DockerCli) In() *streams.In {
 	return cli.in
 }

@ -132,6 +146,20 @@ func (cli *DockerCli) ContentTrustEnabled() bool {
 	return cli.contentTrust
 }

+// BuildKitEnabled returns whether buildkit is enabled either through a daemon setting
+// or otherwise the client-side DOCKER_BUILDKIT environment variable
+func BuildKitEnabled(si ServerInfo) (bool, error) {
+	buildkitEnabled := si.BuildkitVersion == types.BuilderBuildKit
+	if buildkitEnv := os.Getenv("DOCKER_BUILDKIT"); buildkitEnv != "" {
+		var err error
+		buildkitEnabled, err = strconv.ParseBool(buildkitEnv)
+		if err != nil {
+			return false, errors.Wrap(err, "DOCKER_BUILDKIT environment variable expects boolean value")
+		}
+	}
+	return buildkitEnabled, nil
+}
+
 // ManifestStore returns a store for local manifests
 func (cli *DockerCli) ManifestStore() manifeststore.Store {
 	// TODO: support override default location from config file
@ -147,24 +175,70 @@ func (cli *DockerCli) RegistryClient(allowInsecure bool) registryclient.Registry
 	return registryclient.NewRegistryClient(resolver, UserAgent(), allowInsecure)
 }

+// InitializeOpt is the type of the functional options passed to DockerCli.Initialize
+type InitializeOpt func(dockerCli *DockerCli) error
+
+// WithInitializeClient is passed to DockerCli.Initialize by callers who wish to set a particular API Client for use by the CLI.
+func WithInitializeClient(makeClient func(dockerCli *DockerCli) (client.APIClient, error)) InitializeOpt {
+	return func(dockerCli *DockerCli) error {
+		var err error
+		dockerCli.client, err = makeClient(dockerCli)
+		return err
+	}
+}
+
 // Initialize the dockerCli runs initialization that must happen after command
 // line flags are parsed.
-func (cli *DockerCli) Initialize(opts *cliflags.ClientOptions) error {
+func (cli *DockerCli) Initialize(opts *cliflags.ClientOptions, ops ...InitializeOpt) error {
+	var err error
+
+	for _, o := range ops {
+		if err := o(cli); err != nil {
+			return err
+		}
+	}
+	cliflags.SetLogLevel(opts.Common.LogLevel)
+
+	if opts.ConfigDir != "" {
+		cliconfig.SetDir(opts.ConfigDir)
+	}
+
+	if opts.Common.Debug {
+		debug.Enable()
+	}
+
 	cli.configFile = cliconfig.LoadDefaultConfigFile(cli.err)

-	var err error
-	cli.client, err = NewAPIClientFromFlags(opts.Common, cli.configFile)
-	if tlsconfig.IsErrEncryptedKey(err) {
-		passRetriever := passphrase.PromptRetrieverWithInOut(cli.In(), cli.Out(), nil)
-		newClient := func(password string) (client.APIClient, error) {
-			opts.Common.TLSOptions.Passphrase = password
-			return NewAPIClientFromFlags(opts.Common, cli.configFile)
-		}
-		cli.client, err = getClientWithPassword(passRetriever, newClient)
+	baseContextStore := store.New(cliconfig.ContextStoreDir(), cli.contextStoreConfig)
+	cli.contextStore = &ContextStoreWithDefault{
+		Store: baseContextStore,
+		Resolver: func() (*DefaultContext, error) {
+			return ResolveDefaultContext(opts.Common, cli.ConfigFile(), cli.contextStoreConfig, cli.Err())
+		},
 	}
+	cli.currentContext, err = resolveContextName(opts.Common, cli.configFile, cli.contextStore)
 	if err != nil {
 		return err
 	}
+	cli.dockerEndpoint, err = resolveDockerEndpoint(cli.contextStore, cli.currentContext)
+	if err != nil {
+		return errors.Wrap(err, "unable to resolve docker endpoint")
+	}
+
+	if cli.client == nil {
+		cli.client, err = newAPIClientFromEndpoint(cli.dockerEndpoint, cli.configFile)
+		if tlsconfig.IsErrEncryptedKey(err) {
+			passRetriever := passphrase.PromptRetrieverWithInOut(cli.In(), cli.Out(), nil)
+			newClient := func(password string) (client.APIClient, error) {
+				cli.dockerEndpoint.TLSPassword = password
+				return newAPIClientFromEndpoint(cli.dockerEndpoint, cli.configFile)
+			}
+			cli.client, err = getClientWithPassword(passRetriever, newClient)
+		}
+		if err != nil {
+			return err
+		}
+	}
 	var experimentalValue string
 	// Environment variable always overrides configuration
 	if experimentalValue = os.Getenv("DOCKER_CLI_EXPERIMENTAL"); experimentalValue == "" {
@ -182,6 +256,81 @@ func (cli *DockerCli) Initialize(opts *cliflags.ClientOptions) error {
 	return nil
 }

+// NewAPIClientFromFlags creates a new APIClient from command line flags
+func NewAPIClientFromFlags(opts *cliflags.CommonOptions, configFile *configfile.ConfigFile) (client.APIClient, error) {
+	storeConfig := DefaultContextStoreConfig()
+	store := &ContextStoreWithDefault{
+		Store: store.New(cliconfig.ContextStoreDir(), storeConfig),
+		Resolver: func() (*DefaultContext, error) {
+			return ResolveDefaultContext(opts, configFile, storeConfig, ioutil.Discard)
+		},
+	}
+	contextName, err := resolveContextName(opts, configFile, store)
+	if err != nil {
+		return nil, err
+	}
+	endpoint, err := resolveDockerEndpoint(store, contextName)
+	if err != nil {
+		return nil, errors.Wrap(err, "unable to resolve docker endpoint")
+	}
+	return newAPIClientFromEndpoint(endpoint, configFile)
+}
+
+func newAPIClientFromEndpoint(ep docker.Endpoint, configFile *configfile.ConfigFile) (client.APIClient, error) {
+	clientOpts, err := ep.ClientOpts()
+	if err != nil {
+		return nil, err
+	}
+	customHeaders := configFile.HTTPHeaders
+	if customHeaders == nil {
+		customHeaders = map[string]string{}
+	}
+	customHeaders["User-Agent"] = UserAgent()
+	clientOpts = append(clientOpts, client.WithHTTPHeaders(customHeaders))
+	return client.NewClientWithOpts(clientOpts...)
+}
+
+func resolveDockerEndpoint(s store.Reader, contextName string) (docker.Endpoint, error) {
+	ctxMeta, err := s.GetMetadata(contextName)
+	if err != nil {
+		return docker.Endpoint{}, err
+	}
+	epMeta, err := docker.EndpointFromContext(ctxMeta)
+	if err != nil {
+		return docker.Endpoint{}, err
+	}
+	return docker.WithTLSData(s, contextName, epMeta)
+}
+
+// Resolve the Docker endpoint for the default context (based on config, env vars and CLI flags)
+func resolveDefaultDockerEndpoint(opts *cliflags.CommonOptions) (docker.Endpoint, error) {
+	host, err := getServerHost(opts.Hosts, opts.TLSOptions)
+	if err != nil {
+		return docker.Endpoint{}, err
+	}
+
+	var (
+		skipTLSVerify bool
+		tlsData       *dcontext.TLSData
+	)
+
+	if opts.TLSOptions != nil {
+		skipTLSVerify = opts.TLSOptions.InsecureSkipVerify
+		tlsData, err = dcontext.TLSDataFromFiles(opts.TLSOptions.CAFile, opts.TLSOptions.CertFile, opts.TLSOptions.KeyFile)
+		if err != nil {
+			return docker.Endpoint{}, err
+		}
+	}
+
+	return docker.Endpoint{
+		EndpointMeta: docker.EndpointMeta{
+			Host:          host,
+			SkipTLSVerify: skipTLSVerify,
+		},
+		TLSData: tlsData,
+	}, nil
+}
+
 func isEnabled(value string) (bool, error) {
 	switch value {
 	case "enabled":
@ -233,8 +382,52 @@ func (cli *DockerCli) NotaryClient(imgRefAndAuth trust.ImageRefAndAuth, actions
 }

 // NewContainerizedEngineClient returns a containerized engine client
-func (cli *DockerCli) NewContainerizedEngineClient(sockPath string) (containerizedengine.Client, error) {
-	return containerizedengine.NewClient(sockPath)
+func (cli *DockerCli) NewContainerizedEngineClient(sockPath string) (clitypes.ContainerizedClient, error) {
+	return cli.newContainerizeClient(sockPath)
+}
+
+// ContextStore returns the ContextStore
+func (cli *DockerCli) ContextStore() store.Store {
+	return cli.contextStore
+}
+
+// CurrentContext returns the current context name
+func (cli *DockerCli) CurrentContext() string {
+	return cli.currentContext
+}
+
+// StackOrchestrator resolves which stack orchestrator is in use
+func (cli *DockerCli) StackOrchestrator(flagValue string) (Orchestrator, error) {
+	currentContext := cli.CurrentContext()
+	ctxRaw, err := cli.ContextStore().GetMetadata(currentContext)
+	if store.IsErrContextDoesNotExist(err) {
+		// case where the currentContext has been removed (CLI behavior is to fallback to using DOCKER_HOST based resolution)
+		return GetStackOrchestrator(flagValue, "", cli.ConfigFile().StackOrchestrator, cli.Err())
+	}
+	if err != nil {
+		return "", err
+	}
+	ctxMeta, err := GetDockerContext(ctxRaw)
+	if err != nil {
+		return "", err
+	}
+	ctxOrchestrator := string(ctxMeta.StackOrchestrator)
+	return GetStackOrchestrator(flagValue, ctxOrchestrator, cli.ConfigFile().StackOrchestrator, cli.Err())
+}
+
+// DockerEndpoint returns the current docker endpoint
+func (cli *DockerCli) DockerEndpoint() docker.Endpoint {
+	return cli.dockerEndpoint
+}
+
+// Apply all the operation on the cli
+func (cli *DockerCli) Apply(ops ...DockerCliOption) error {
+	for _, op := range ops {
+		if err := op(cli); err != nil {
+			return err
+		}
+	}
+	return nil
 }

 // ServerInfo stores details about the supported features and platform of the
@ -251,61 +444,36 @@ type ClientInfo struct {
 	DefaultVersion  string
 }

-// NewDockerCli returns a DockerCli instance with IO output and error streams set by in, out and err.
-func NewDockerCli(in io.ReadCloser, out, err io.Writer, isTrusted bool) *DockerCli {
-	return &DockerCli{in: NewInStream(in), out: NewOutStream(out), err: err, contentTrust: isTrusted}
-}
-
-// NewAPIClientFromFlags creates a new APIClient from command line flags
-func NewAPIClientFromFlags(opts *cliflags.CommonOptions, configFile *configfile.ConfigFile) (client.APIClient, error) {
-	unparsedHost, err := getUnparsedServerHost(opts.Hosts)
-	if err != nil {
-		return &client.Client{}, err
+// NewDockerCli returns a DockerCli instance with all operators applied on it.
+// It applies by default the standard streams, the content trust from
+// environment and the default containerized client constructor operations.
+func NewDockerCli(ops ...DockerCliOption) (*DockerCli, error) {
+	cli := &DockerCli{}
+	defaultOps := []DockerCliOption{
+		WithContentTrustFromEnv(),
+		WithContainerizedClient(containerizedengine.NewClient),
 	}
-	var clientOpts []func(*client.Client) error
-	helper, err := connhelper.GetConnectionHelper(unparsedHost)
-	if err != nil {
-		return &client.Client{}, err
+	cli.contextStoreConfig = DefaultContextStoreConfig()
+	ops = append(defaultOps, ops...)
+	if err := cli.Apply(ops...); err != nil {
+		return nil, err
 	}
-	if helper == nil {
-		clientOpts = append(clientOpts, withHTTPClient(opts.TLSOptions))
-		host, err := dopts.ParseHost(opts.TLSOptions != nil, unparsedHost)
-		if err != nil {
-			return &client.Client{}, err
+	if cli.out == nil || cli.in == nil || cli.err == nil {
+		stdin, stdout, stderr := term.StdStreams()
+		if cli.in == nil {
+			cli.in = streams.NewIn(stdin)
+		}
+		if cli.out == nil {
+			cli.out = streams.NewOut(stdout)
+		}
+		if cli.err == nil {
+			cli.err = stderr
 		}
-		clientOpts = append(clientOpts, client.WithHost(host))
-	} else {
-		clientOpts = append(clientOpts, func(c *client.Client) error {
-			httpClient := &http.Client{
-				// No tls
-				// No proxy
-				Transport: &http.Transport{
-					DialContext: helper.Dialer,
-				},
-			}
-			return client.WithHTTPClient(httpClient)(c)
-		})
-		clientOpts = append(clientOpts, client.WithHost(helper.Host))
-		clientOpts = append(clientOpts, client.WithDialContext(helper.Dialer))
 	}
-
-	customHeaders := configFile.HTTPHeaders
-	if customHeaders == nil {
-		customHeaders = map[string]string{}
-	}
-	customHeaders["User-Agent"] = UserAgent()
-	clientOpts = append(clientOpts, client.WithHTTPHeaders(customHeaders))
-
-	verStr := api.DefaultVersion
-	if tmpStr := os.Getenv("DOCKER_API_VERSION"); tmpStr != "" {
-		verStr = tmpStr
-	}
-	clientOpts = append(clientOpts, client.WithVersion(verStr))
-
-	return client.NewClientWithOpts(clientOpts...)
+	return cli, nil
 }

-func getUnparsedServerHost(hosts []string) (string, error) {
+func getServerHost(hosts []string, tlsOptions *tlsconfig.Options) (string, error) {
 	var host string
 	switch len(hosts) {
 	case 0:
@ -315,38 +483,65 @@ func getUnparsedServerHost(hosts []string) (string, error) {
 	default:
 		return "", errors.New("Please specify only one -H")
 	}
-	return host, nil
-}

-func withHTTPClient(tlsOpts *tlsconfig.Options) func(*client.Client) error {
-	return func(c *client.Client) error {
-		if tlsOpts == nil {
-			// Use the default HTTPClient
-			return nil
-		}
-
-		opts := *tlsOpts
-		opts.ExclusiveRootPools = true
-		tlsConfig, err := tlsconfig.Client(opts)
-		if err != nil {
-			return err
-		}
-
-		httpClient := &http.Client{
-			Transport: &http.Transport{
-				TLSClientConfig: tlsConfig,
-				DialContext: (&net.Dialer{
-					KeepAlive: 30 * time.Second,
-					Timeout:   30 * time.Second,
-				}).DialContext,
-			},
-			CheckRedirect: client.CheckRedirect,
-		}
-		return client.WithHTTPClient(httpClient)(c)
-	}
+	return dopts.ParseHost(tlsOptions != nil, host)
 }

 // UserAgent returns the user agent string used for making API requests
 func UserAgent() string {
-	return "Docker-Client/" + cli.Version + " (" + runtime.GOOS + ")"
+	return "Docker-Client/" + version.Version + " (" + runtime.GOOS + ")"
+}
+
+// resolveContextName resolves the current context name with the following rules:
+// - setting both --context and --host flags is ambiguous
+// - if --context is set, use this value
+// - if --host flag or DOCKER_HOST is set, fallbacks to use the same logic as before context-store was added
+// for backward compatibility with existing scripts
+// - if DOCKER_CONTEXT is set, use this value
+// - if Config file has a globally set "CurrentContext", use this value
+// - fallbacks to default HOST, uses TLS config from flags/env vars
+func resolveContextName(opts *cliflags.CommonOptions, config *configfile.ConfigFile, contextstore store.Reader) (string, error) {
+	if opts.Context != "" && len(opts.Hosts) > 0 {
+		return "", errors.New("Conflicting options: either specify --host or --context, not both")
+	}
+	if opts.Context != "" {
+		return opts.Context, nil
+	}
+	if len(opts.Hosts) > 0 {
+		return DefaultContextName, nil
+	}
+	if _, present := os.LookupEnv("DOCKER_HOST"); present {
+		return DefaultContextName, nil
+	}
+	if ctxName, ok := os.LookupEnv("DOCKER_CONTEXT"); ok {
+		return ctxName, nil
+	}
+	if config != nil && config.CurrentContext != "" {
+		_, err := contextstore.GetMetadata(config.CurrentContext)
+		if store.IsErrContextDoesNotExist(err) {
+			return "", errors.Errorf("Current context %q is not found on the file system, please check your config file at %s", config.CurrentContext, config.Filename)
+		}
+		return config.CurrentContext, err
+	}
+	return DefaultContextName, nil
+}
+
+var defaultStoreEndpoints = []store.NamedTypeGetter{
+	store.EndpointTypeGetter(docker.DockerEndpoint, func() interface{} { return &docker.EndpointMeta{} }),
+}
+
+// RegisterDefaultStoreEndpoints registers a new named endpoint
+// metadata type with the default context store config, so that
+// endpoint will be supported by stores using the config returned by
+// DefaultContextStoreConfig.
+func RegisterDefaultStoreEndpoints(ep ...store.NamedTypeGetter) {
+	defaultStoreEndpoints = append(defaultStoreEndpoints, ep...)
+}
+
+// DefaultContextStoreConfig returns a new store.Config with the default set of endpoints configured.
+func DefaultContextStoreConfig() store.Config {
+	return store.NewConfig(
+		func() interface{} { return &DockerContext{} },
+		defaultStoreEndpoints...,
+	)
 }
--- a/cli/command/cli_options.go
+++ b/cli/command/cli_options.go
@ -0,0 +1,105 @@
+package command
+
+import (
+	"fmt"
+	"io"
+	"os"
+	"strconv"
+
+	"github.com/docker/cli/cli/context/docker"
+	"github.com/docker/cli/cli/context/store"
+	"github.com/docker/cli/cli/streams"
+	clitypes "github.com/docker/cli/types"
+	"github.com/docker/docker/pkg/term"
+)
+
+// DockerCliOption applies a modification on a DockerCli.
+type DockerCliOption func(cli *DockerCli) error
+
+// WithStandardStreams sets a cli in, out and err streams with the standard streams.
+func WithStandardStreams() DockerCliOption {
+	return func(cli *DockerCli) error {
+		// Set terminal emulation based on platform as required.
+		stdin, stdout, stderr := term.StdStreams()
+		cli.in = streams.NewIn(stdin)
+		cli.out = streams.NewOut(stdout)
+		cli.err = stderr
+		return nil
+	}
+}
+
+// WithCombinedStreams uses the same stream for the output and error streams.
+func WithCombinedStreams(combined io.Writer) DockerCliOption {
+	return func(cli *DockerCli) error {
+		cli.out = streams.NewOut(combined)
+		cli.err = combined
+		return nil
+	}
+}
+
+// WithInputStream sets a cli input stream.
+func WithInputStream(in io.ReadCloser) DockerCliOption {
+	return func(cli *DockerCli) error {
+		cli.in = streams.NewIn(in)
+		return nil
+	}
+}
+
+// WithOutputStream sets a cli output stream.
+func WithOutputStream(out io.Writer) DockerCliOption {
+	return func(cli *DockerCli) error {
+		cli.out = streams.NewOut(out)
+		return nil
+	}
+}
+
+// WithErrorStream sets a cli error stream.
+func WithErrorStream(err io.Writer) DockerCliOption {
+	return func(cli *DockerCli) error {
+		cli.err = err
+		return nil
+	}
+}
+
+// WithContentTrustFromEnv enables content trust on a cli from environment variable DOCKER_CONTENT_TRUST value.
+func WithContentTrustFromEnv() DockerCliOption {
+	return func(cli *DockerCli) error {
+		cli.contentTrust = false
+		if e := os.Getenv("DOCKER_CONTENT_TRUST"); e != "" {
+			if t, err := strconv.ParseBool(e); t || err != nil {
+				// treat any other value as true
+				cli.contentTrust = true
+			}
+		}
+		return nil
+	}
+}
+
+// WithContentTrust enables content trust on a cli.
+func WithContentTrust(enabled bool) DockerCliOption {
+	return func(cli *DockerCli) error {
+		cli.contentTrust = enabled
+		return nil
+	}
+}
+
+// WithContainerizedClient sets the containerized client constructor on a cli.
+func WithContainerizedClient(containerizedFn func(string) (clitypes.ContainerizedClient, error)) DockerCliOption {
+	return func(cli *DockerCli) error {
+		cli.newContainerizeClient = containerizedFn
+		return nil
+	}
+}
+
+// WithContextEndpointType add support for an additional typed endpoint in the context store
+// Plugins should use this to store additional endpoints configuration in the context store
+func WithContextEndpointType(endpointName string, endpointType store.TypeGetter) DockerCliOption {
+	return func(cli *DockerCli) error {
+		switch endpointName {
+		case docker.DockerEndpoint:
+			return fmt.Errorf("cannot change %q endpoint type", endpointName)
+		}
+		cli.contextStoreConfig.SetEndpoint(endpointName, endpointType)
+		return nil
+	}
+}
--- a/cli/command/cli_options_test.go
+++ b/cli/command/cli_options_test.go
@ -0,0 +1,37 @@
+package command
+
+import (
+	"os"
+	"testing"
+
+	"gotest.tools/assert"
+)
+
+func contentTrustEnabled(t *testing.T) bool {
+	var cli DockerCli
+	assert.NilError(t, WithContentTrustFromEnv()(&cli))
+	return cli.contentTrust
+}
+
+// NB: Do not t.Parallel() this test -- it messes with the process environment.
+func TestWithContentTrustFromEnv(t *testing.T) {
+	envvar := "DOCKER_CONTENT_TRUST"
+	if orig, ok := os.LookupEnv(envvar); ok {
+		defer func() {
+			os.Setenv(envvar, orig)
+		}()
+	} else {
+		defer func() {
+			os.Unsetenv(envvar)
+		}()
+	}
+
+	os.Setenv(envvar, "true")
+	assert.Assert(t, contentTrustEnabled(t))
+	os.Setenv(envvar, "false")
+	assert.Assert(t, !contentTrustEnabled(t))
+	os.Setenv(envvar, "invalid")
+	assert.Assert(t, contentTrustEnabled(t))
+	os.Unsetenv(envvar)
+	assert.Assert(t, !contentTrustEnabled(t))
+}
--- a/cli/command/cli_test.go
+++ b/cli/command/cli_test.go
@ -1,8 +1,12 @@
 package command

 import (
+	"bytes"
 	"context"
 	"crypto/x509"
+	"fmt"
+	"io/ioutil"
+	"net/http"
 	"os"
 	"runtime"
 	"testing"
@ -10,6 +14,7 @@ import (
 	cliconfig "github.com/docker/cli/cli/config"
 	"github.com/docker/cli/cli/config/configfile"
 	"github.com/docker/cli/cli/flags"
+	clitypes "github.com/docker/cli/types"
 	"github.com/docker/docker/api"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/client"
@ -43,9 +48,30 @@ func TestNewAPIClientFromFlags(t *testing.T) {
 	assert.Check(t, is.Equal(api.DefaultVersion, apiclient.ClientVersion()))
 }

+func TestNewAPIClientFromFlagsForDefaultSchema(t *testing.T) {
+	host := ":2375"
+	opts := &flags.CommonOptions{Hosts: []string{host}}
+	configFile := &configfile.ConfigFile{
+		HTTPHeaders: map[string]string{
+			"My-Header": "Custom-Value",
+		},
+	}
+	apiclient, err := NewAPIClientFromFlags(opts, configFile)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal("tcp://localhost"+host, apiclient.DaemonHost()))
+
+	expectedHeaders := map[string]string{
+		"My-Header":  "Custom-Value",
+		"User-Agent": UserAgent(),
+	}
+	assert.Check(t, is.DeepEqual(expectedHeaders, apiclient.(*client.Client).CustomHTTPHeaders()))
+	assert.Check(t, is.Equal(api.DefaultVersion, apiclient.ClientVersion()))
+}
+
 func TestNewAPIClientFromFlagsWithAPIVersionFromEnv(t *testing.T) {
 	customVersion := "v3.3.3"
 	defer env.Patch(t, "DOCKER_API_VERSION", customVersion)()
+	defer env.Patch(t, "DOCKER_HOST", ":2375")()

 	opts := &flags.CommonOptions{}
 	configFile := &configfile.ConfigFile{}
@ -54,6 +80,24 @@ func TestNewAPIClientFromFlagsWithAPIVersionFromEnv(t *testing.T) {
 	assert.Check(t, is.Equal(customVersion, apiclient.ClientVersion()))
 }

+func TestNewAPIClientFromFlagsWithHttpProxyEnv(t *testing.T) {
+	defer env.Patch(t, "HTTP_PROXY", "http://proxy.acme.com:1234")()
+	defer env.Patch(t, "DOCKER_HOST", "tcp://docker.acme.com:2376")()
+
+	opts := &flags.CommonOptions{}
+	configFile := &configfile.ConfigFile{}
+	apiclient, err := NewAPIClientFromFlags(opts, configFile)
+	assert.NilError(t, err)
+	transport, ok := apiclient.HTTPClient().Transport.(*http.Transport)
+	assert.Assert(t, ok)
+	assert.Assert(t, transport.Proxy != nil)
+	request, err := http.NewRequest(http.MethodGet, "tcp://docker.acme.com:2376", nil)
+	assert.NilError(t, err)
+	url, err := transport.Proxy(request)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal("http://proxy.acme.com:1234", url.String()))
+}
+
 type fakeClient struct {
 	client.Client
 	pingFunc   func() (types.Ping, error)
@ -150,6 +194,9 @@ func TestExperimentalCLI(t *testing.T) {
 			defer dir.Remove()
 			apiclient := &fakeClient{
 				version: defaultVersion,
+				pingFunc: func() (types.Ping, error) {
+					return types.Ping{Experimental: true, OSType: "linux", APIVersion: defaultVersion}, nil
+				},
 			}

 			cli := &DockerCli{client: apiclient, err: os.Stderr}
@ -226,3 +273,53 @@ func TestGetClientWithPassword(t *testing.T) {
 		})
 	}
 }
+
+func TestNewDockerCliAndOperators(t *testing.T) {
+	// Test default operations and also overriding default ones
+	cli, err := NewDockerCli(
+		WithContentTrust(true),
+		WithContainerizedClient(func(string) (clitypes.ContainerizedClient, error) { return nil, nil }),
+	)
+	assert.NilError(t, err)
+	// Check streams are initialized
+	assert.Check(t, cli.In() != nil)
+	assert.Check(t, cli.Out() != nil)
+	assert.Check(t, cli.Err() != nil)
+	assert.Equal(t, cli.ContentTrustEnabled(), true)
+	client, err := cli.NewContainerizedEngineClient("")
+	assert.NilError(t, err)
+	assert.Equal(t, client, nil)
+
+	// Apply can modify a dockerCli after construction
+	inbuf := bytes.NewBuffer([]byte("input"))
+	outbuf := bytes.NewBuffer(nil)
+	errbuf := bytes.NewBuffer(nil)
+	cli.Apply(
+		WithInputStream(ioutil.NopCloser(inbuf)),
+		WithOutputStream(outbuf),
+		WithErrorStream(errbuf),
+	)
+	// Check input stream
+	inputStream, err := ioutil.ReadAll(cli.In())
+	assert.NilError(t, err)
+	assert.Equal(t, string(inputStream), "input")
+	// Check output stream
+	fmt.Fprintf(cli.Out(), "output")
+	outputStream, err := ioutil.ReadAll(outbuf)
+	assert.NilError(t, err)
+	assert.Equal(t, string(outputStream), "output")
+	// Check error stream
+	fmt.Fprintf(cli.Err(), "error")
+	errStream, err := ioutil.ReadAll(errbuf)
+	assert.NilError(t, err)
+	assert.Equal(t, string(errStream), "error")
+}
+
+func TestInitializeShouldAlwaysCreateTheContextStore(t *testing.T) {
+	cli, err := NewDockerCli()
+	assert.NilError(t, err)
+	assert.NilError(t, cli.Initialize(flags.NewClientOptions(), WithInitializeClient(func(cli *DockerCli) (client.APIClient, error) {
+		return client.NewClientWithOpts()
+	})))
+	assert.Check(t, cli.ContextStore() != nil)
+}
--- a/cli/command/commands/commands.go
+++ b/cli/command/commands/commands.go
@ -2,12 +2,14 @@ package commands

 import (
 	"os"
+	"runtime"

 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/builder"
 	"github.com/docker/cli/cli/command/checkpoint"
 	"github.com/docker/cli/cli/command/config"
 	"github.com/docker/cli/cli/command/container"
+	"github.com/docker/cli/cli/command/context"
 	"github.com/docker/cli/cli/command/engine"
 	"github.com/docker/cli/cli/command/image"
 	"github.com/docker/cli/cli/command/manifest"
@ -74,7 +76,6 @@ func AddCommands(cmd *cobra.Command, dockerCli command.Cli) {

 		// stack
 		stack.NewStackCommand(dockerCli),
-		stack.NewTopLevelDeployCommand(dockerCli),

 		// swarm
 		swarm.NewSwarmCommand(dockerCli),
@ -85,10 +86,11 @@ func AddCommands(cmd *cobra.Command, dockerCli command.Cli) {
 		// volume
 		volume.NewVolumeCommand(dockerCli),

-		// engine
-		engine.NewEngineCommand(dockerCli),
+		// context
+		context.NewContextCommand(dockerCli),

 		// legacy commands may be hidden
+		hide(stack.NewTopLevelDeployCommand(dockerCli)),
 		hide(system.NewEventsCommand(dockerCli)),
 		hide(system.NewInfoCommand(dockerCli)),
 		hide(system.NewInspectCommand(dockerCli)),
@ -124,7 +126,10 @@ func AddCommands(cmd *cobra.Command, dockerCli command.Cli) {
 		hide(image.NewSaveCommand(dockerCli)),
 		hide(image.NewTagCommand(dockerCli)),
 	)
-
+	if runtime.GOOS == "linux" {
+		// engine
+		cmd.AddCommand(engine.NewEngineCommand(dockerCli))
+	}
 }

 func hide(cmd *cobra.Command) *cobra.Command {
--- a/cli/command/config/create.go
+++ b/cli/command/config/create.go
@ -15,16 +15,17 @@ import (
 	"github.com/spf13/cobra"
 )

-type createOptions struct {
-	name           string
-	templateDriver string
-	file           string
-	labels         opts.ListOpts
+// CreateOptions specifies some options that are used when creating a config.
+type CreateOptions struct {
+	Name           string
+	TemplateDriver string
+	File           string
+	Labels         opts.ListOpts
 }

 func newConfigCreateCommand(dockerCli command.Cli) *cobra.Command {
-	createOpts := createOptions{
-		labels: opts.NewListOpts(opts.ValidateEnv),
+	createOpts := CreateOptions{
+		Labels: opts.NewListOpts(opts.ValidateLabel),
 	}

 	cmd := &cobra.Command{
@ -32,26 +33,27 @@ func newConfigCreateCommand(dockerCli command.Cli) *cobra.Command {
 		Short: "Create a config from a file or STDIN",
 		Args:  cli.ExactArgs(2),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			createOpts.name = args[0]
-			createOpts.file = args[1]
-			return runConfigCreate(dockerCli, createOpts)
+			createOpts.Name = args[0]
+			createOpts.File = args[1]
+			return RunConfigCreate(dockerCli, createOpts)
 		},
 	}
 	flags := cmd.Flags()
-	flags.VarP(&createOpts.labels, "label", "l", "Config labels")
-	flags.StringVar(&createOpts.templateDriver, "template-driver", "", "Template driver")
-	flags.SetAnnotation("driver", "version", []string{"1.37"})
+	flags.VarP(&createOpts.Labels, "label", "l", "Config labels")
+	flags.StringVar(&createOpts.TemplateDriver, "template-driver", "", "Template driver")
+	flags.SetAnnotation("template-driver", "version", []string{"1.37"})

 	return cmd
 }

-func runConfigCreate(dockerCli command.Cli, options createOptions) error {
+// RunConfigCreate creates a config with the given options.
+func RunConfigCreate(dockerCli command.Cli, options CreateOptions) error {
 	client := dockerCli.Client()
 	ctx := context.Background()

 	var in io.Reader = dockerCli.In()
-	if options.file != "-" {
-		file, err := system.OpenSequential(options.file)
+	if options.File != "-" {
+		file, err := system.OpenSequential(options.File)
 		if err != nil {
 			return err
 		}
@ -61,19 +63,19 @@ func runConfigCreate(dockerCli command.Cli, options createOptions) error {

 	configData, err := ioutil.ReadAll(in)
 	if err != nil {
-		return errors.Errorf("Error reading content from %q: %v", options.file, err)
+		return errors.Errorf("Error reading content from %q: %v", options.File, err)
 	}

 	spec := swarm.ConfigSpec{
 		Annotations: swarm.Annotations{
-			Name:   options.name,
-			Labels: opts.ConvertKVStringsToMap(options.labels.GetAll()),
+			Name:   options.Name,
+			Labels: opts.ConvertKVStringsToMap(options.Labels.GetAll()),
 		},
 		Data: configData,
 	}
-	if options.templateDriver != "" {
+	if options.TemplateDriver != "" {
 		spec.Templating = &swarm.Driver{
-			Name: options.templateDriver,
+			Name: options.TemplateDriver,
 		}
 	}
 	r, err := client.ConfigCreate(ctx, spec)
--- a/cli/command/config/formatter.go
+++ b/cli/command/config/formatter.go
@ -1,4 +1,4 @@
-package formatter
+package config

 import (
 	"fmt"
@ -6,17 +6,18 @@ import (
 	"time"

 	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/formatter"
 	"github.com/docker/cli/cli/command/inspect"
 	"github.com/docker/docker/api/types/swarm"
 	units "github.com/docker/go-units"
 )

 const (
-	defaultConfigTableFormat           = "table {{.ID}}\t{{.Name}}\t{{.CreatedAt}}\t{{.UpdatedAt}}"
-	configIDHeader                     = "ID"
-	configCreatedHeader                = "CREATED"
-	configUpdatedHeader                = "UPDATED"
-	configInspectPrettyTemplate Format = `ID:			{{.ID}}
+	defaultConfigTableFormat                     = "table {{.ID}}\t{{.Name}}\t{{.CreatedAt}}\t{{.UpdatedAt}}"
+	configIDHeader                               = "ID"
+	configCreatedHeader                          = "CREATED"
+	configUpdatedHeader                          = "UPDATED"
+	configInspectPrettyTemplate formatter.Format = `ID:			{{.ID}}
 Name:			{{.Name}}
 {{- if .Labels }}
 Labels:
@ -29,23 +30,23 @@ Data:
 {{.Data}}`
 )

-// NewConfigFormat returns a Format for rendering using a config Context
-func NewConfigFormat(source string, quiet bool) Format {
+// NewFormat returns a Format for rendering using a config Context
+func NewFormat(source string, quiet bool) formatter.Format {
 	switch source {
-	case PrettyFormatKey:
+	case formatter.PrettyFormatKey:
 		return configInspectPrettyTemplate
-	case TableFormatKey:
+	case formatter.TableFormatKey:
 		if quiet {
-			return defaultQuietFormat
+			return formatter.DefaultQuietFormat
 		}
 		return defaultConfigTableFormat
 	}
-	return Format(source)
+	return formatter.Format(source)
 }

-// ConfigWrite writes the context
-func ConfigWrite(ctx Context, configs []swarm.Config) error {
-	render := func(format func(subContext subContext) error) error {
+// FormatWrite writes the context
+func FormatWrite(ctx formatter.Context, configs []swarm.Config) error {
+	render := func(format func(subContext formatter.SubContext) error) error {
 		for _, config := range configs {
 			configCtx := &configContext{c: config}
 			if err := format(configCtx); err != nil {
@ -60,23 +61,23 @@ func ConfigWrite(ctx Context, configs []swarm.Config) error {
 func newConfigContext() *configContext {
 	cCtx := &configContext{}

-	cCtx.header = map[string]string{
+	cCtx.Header = formatter.SubHeaderContext{
 		"ID":        configIDHeader,
-		"Name":      nameHeader,
+		"Name":      formatter.NameHeader,
 		"CreatedAt": configCreatedHeader,
 		"UpdatedAt": configUpdatedHeader,
-		"Labels":    labelsHeader,
+		"Labels":    formatter.LabelsHeader,
 	}
 	return cCtx
 }

 type configContext struct {
-	HeaderContext
+	formatter.HeaderContext
 	c swarm.Config
 }

 func (c *configContext) MarshalJSON() ([]byte, error) {
-	return marshalJSON(c)
+	return formatter.MarshalJSON(c)
 }

 func (c *configContext) ID() string {
@ -114,12 +115,12 @@ func (c *configContext) Label(name string) string {
 	return c.c.Spec.Annotations.Labels[name]
 }

-// ConfigInspectWrite renders the context for a list of configs
-func ConfigInspectWrite(ctx Context, refs []string, getRef inspect.GetRefFunc) error {
+// InspectFormatWrite renders the context for a list of configs
+func InspectFormatWrite(ctx formatter.Context, refs []string, getRef inspect.GetRefFunc) error {
 	if ctx.Format != configInspectPrettyTemplate {
 		return inspect.Inspect(ctx.Output, refs, string(ctx.Format), getRef)
 	}
-	render := func(format func(subContext subContext) error) error {
+	render := func(format func(subContext formatter.SubContext) error) error {
 		for _, ref := range refs {
 			configI, _, err := getRef(ref)
 			if err != nil {
@ -140,7 +141,7 @@ func ConfigInspectWrite(ctx Context, refs []string, getRef inspect.GetRefFunc) e

 type configInspectContext struct {
 	swarm.Config
-	subContext
+	formatter.SubContext
 }

 func (ctx *configInspectContext) ID() string {
--- a/cli/command/config/formatter_test.go
+++ b/cli/command/config/formatter_test.go
@ -1,10 +1,11 @@
-package formatter
+package config

 import (
 	"bytes"
 	"testing"
 	"time"

+	"github.com/docker/cli/cli/command/formatter"
 	"github.com/docker/docker/api/types/swarm"
 	"gotest.tools/assert"
 	is "gotest.tools/assert/cmp"
@ -13,32 +14,32 @@ import (
 func TestConfigContextFormatWrite(t *testing.T) {
 	// Check default output format (verbose and non-verbose mode) for table headers
 	cases := []struct {
-		context  Context
+		context  formatter.Context
 		expected string
 	}{
 		// Errors
 		{
-			Context{Format: "{{InvalidFunction}}"},
+			formatter.Context{Format: "{{InvalidFunction}}"},
 			`Template parsing error: template: :1: function "InvalidFunction" not defined
 `,
 		},
 		{
-			Context{Format: "{{nil}}"},
+			formatter.Context{Format: "{{nil}}"},
 			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
 `,
 		},
 		// Table format
-		{Context{Format: NewConfigFormat("table", false)},
+		{formatter.Context{Format: NewFormat("table", false)},
 			`ID                  NAME                CREATED                  UPDATED
 1                   passwords           Less than a second ago   Less than a second ago
 2                   id_rsa              Less than a second ago   Less than a second ago
 `},
-		{Context{Format: NewConfigFormat("table {{.Name}}", true)},
+		{formatter.Context{Format: NewFormat("table {{.Name}}", true)},
 			`NAME
 passwords
 id_rsa
 `},
-		{Context{Format: NewConfigFormat("{{.ID}}-{{.Name}}", false)},
+		{formatter.Context{Format: NewFormat("{{.ID}}-{{.Name}}", false)},
 			`1-passwords
 2-id_rsa
 `},
@ -55,7 +56,7 @@ id_rsa
 	for _, testcase := range cases {
 		out := bytes.NewBufferString("")
 		testcase.context.Output = out
-		if err := ConfigWrite(testcase.context, configs); err != nil {
+		if err := FormatWrite(testcase.context, configs); err != nil {
 			assert.ErrorContains(t, err, testcase.expected)
 		} else {
 			assert.Check(t, is.Equal(out.String(), testcase.expected))
--- a/cli/command/config/inspect.go
+++ b/cli/command/config/inspect.go
@ -11,41 +11,43 @@ import (
 	"github.com/spf13/cobra"
 )

-type inspectOptions struct {
-	names  []string
-	format string
-	pretty bool
+// InspectOptions contains options for the docker config inspect command.
+type InspectOptions struct {
+	Names  []string
+	Format string
+	Pretty bool
 }

 func newConfigInspectCommand(dockerCli command.Cli) *cobra.Command {
-	opts := inspectOptions{}
+	opts := InspectOptions{}
 	cmd := &cobra.Command{
 		Use:   "inspect [OPTIONS] CONFIG [CONFIG...]",
 		Short: "Display detailed information on one or more configs",
 		Args:  cli.RequiresMinArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			opts.names = args
-			return runConfigInspect(dockerCli, opts)
+			opts.Names = args
+			return RunConfigInspect(dockerCli, opts)
 		},
 	}

-	cmd.Flags().StringVarP(&opts.format, "format", "f", "", "Format the output using the given Go template")
-	cmd.Flags().BoolVar(&opts.pretty, "pretty", false, "Print the information in a human friendly format")
+	cmd.Flags().StringVarP(&opts.Format, "format", "f", "", "Format the output using the given Go template")
+	cmd.Flags().BoolVar(&opts.Pretty, "pretty", false, "Print the information in a human friendly format")
 	return cmd
 }

-func runConfigInspect(dockerCli command.Cli, opts inspectOptions) error {
+// RunConfigInspect inspects the given Swarm config.
+func RunConfigInspect(dockerCli command.Cli, opts InspectOptions) error {
 	client := dockerCli.Client()
 	ctx := context.Background()

-	if opts.pretty {
-		opts.format = "pretty"
+	if opts.Pretty {
+		opts.Format = "pretty"
 	}

 	getRef := func(id string) (interface{}, []byte, error) {
 		return client.ConfigInspectWithRaw(ctx, id)
 	}
-	f := opts.format
+	f := opts.Format

 	// check if the user is trying to apply a template to the pretty format, which
 	// is not supported
@ -55,10 +57,10 @@ func runConfigInspect(dockerCli command.Cli, opts inspectOptions) error {

 	configCtx := formatter.Context{
 		Output: dockerCli.Out(),
-		Format: formatter.NewConfigFormat(f, false),
+		Format: NewFormat(f, false),
 	}

-	if err := formatter.ConfigInspectWrite(configCtx, opts.names, getRef); err != nil {
+	if err := InspectFormatWrite(configCtx, opts.Names, getRef); err != nil {
 		return cli.StatusError{StatusCode: 1, Status: err.Error()}
 	}
 	return nil
--- a/cli/command/config/ls.go
+++ b/cli/command/config/ls.go
@ -13,14 +13,15 @@ import (
 	"vbom.ml/util/sortorder"
 )

-type listOptions struct {
-	quiet  bool
-	format string
-	filter opts.FilterOpt
+// ListOptions contains options for the docker config ls command.
+type ListOptions struct {
+	Quiet  bool
+	Format string
+	Filter opts.FilterOpt
 }

 func newConfigListCommand(dockerCli command.Cli) *cobra.Command {
-	listOpts := listOptions{filter: opts.NewFilterOpt()}
+	listOpts := ListOptions{Filter: opts.NewFilterOpt()}

 	cmd := &cobra.Command{
 		Use:     "ls [OPTIONS]",
@ -28,30 +29,31 @@ func newConfigListCommand(dockerCli command.Cli) *cobra.Command {
 		Short:   "List configs",
 		Args:    cli.NoArgs,
 		RunE: func(cmd *cobra.Command, args []string) error {
-			return runConfigList(dockerCli, listOpts)
+			return RunConfigList(dockerCli, listOpts)
 		},
 	}

 	flags := cmd.Flags()
-	flags.BoolVarP(&listOpts.quiet, "quiet", "q", false, "Only display IDs")
-	flags.StringVarP(&listOpts.format, "format", "", "", "Pretty-print configs using a Go template")
-	flags.VarP(&listOpts.filter, "filter", "f", "Filter output based on conditions provided")
+	flags.BoolVarP(&listOpts.Quiet, "quiet", "q", false, "Only display IDs")
+	flags.StringVarP(&listOpts.Format, "format", "", "", "Pretty-print configs using a Go template")
+	flags.VarP(&listOpts.Filter, "filter", "f", "Filter output based on conditions provided")

 	return cmd
 }

-func runConfigList(dockerCli command.Cli, options listOptions) error {
+// RunConfigList lists Swarm configs.
+func RunConfigList(dockerCli command.Cli, options ListOptions) error {
 	client := dockerCli.Client()
 	ctx := context.Background()

-	configs, err := client.ConfigList(ctx, types.ConfigListOptions{Filters: options.filter.Value()})
+	configs, err := client.ConfigList(ctx, types.ConfigListOptions{Filters: options.Filter.Value()})
 	if err != nil {
 		return err
 	}

-	format := options.format
+	format := options.Format
 	if len(format) == 0 {
-		if len(dockerCli.ConfigFile().ConfigFormat) > 0 && !options.quiet {
+		if len(dockerCli.ConfigFile().ConfigFormat) > 0 && !options.Quiet {
 			format = dockerCli.ConfigFile().ConfigFormat
 		} else {
 			format = formatter.TableFormatKey
@ -64,7 +66,7 @@ func runConfigList(dockerCli command.Cli, options listOptions) error {

 	configCtx := formatter.Context{
 		Output: dockerCli.Out(),
-		Format: formatter.NewConfigFormat(format, options.quiet),
+		Format: NewFormat(format, options.Quiet),
 	}
-	return formatter.ConfigWrite(configCtx, configs)
+	return FormatWrite(configCtx, configs)
 }
--- a/cli/command/config/remove.go
+++ b/cli/command/config/remove.go
@ -11,8 +11,9 @@ import (
 	"github.com/spf13/cobra"
 )

-type removeOptions struct {
-	names []string
+// RemoveOptions contains options for the docker config rm command.
+type RemoveOptions struct {
+	Names []string
 }

 func newConfigRemoveCommand(dockerCli command.Cli) *cobra.Command {
@ -22,21 +23,22 @@ func newConfigRemoveCommand(dockerCli command.Cli) *cobra.Command {
 		Short:   "Remove one or more configs",
 		Args:    cli.RequiresMinArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			opts := removeOptions{
-				names: args,
+			opts := RemoveOptions{
+				Names: args,
 			}
-			return runConfigRemove(dockerCli, opts)
+			return RunConfigRemove(dockerCli, opts)
 		},
 	}
 }

-func runConfigRemove(dockerCli command.Cli, opts removeOptions) error {
+// RunConfigRemove removes the given Swarm configs.
+func RunConfigRemove(dockerCli command.Cli, opts RemoveOptions) error {
 	client := dockerCli.Client()
 	ctx := context.Background()

 	var errs []string

-	for _, name := range opts.names {
+	for _, name := range opts.Names {
 		if err := client.ConfigRemove(ctx, name); err != nil {
 			errs = append(errs, err.Error())
 			continue
--- a/cli/command/container/client_test.go
+++ b/cli/command/container/client_test.go
@ -12,19 +12,24 @@ import (

 type fakeClient struct {
 	client.Client
-	inspectFunc           func(string) (types.ContainerJSON, error)
-	execInspectFunc       func(execID string) (types.ContainerExecInspect, error)
-	execCreateFunc        func(container string, config types.ExecConfig) (types.IDResponse, error)
-	createContainerFunc   func(config *container.Config, hostConfig *container.HostConfig, networkingConfig *network.NetworkingConfig, containerName string) (container.ContainerCreateCreatedBody, error)
-	containerStartFunc    func(container string, options types.ContainerStartOptions) error
-	imageCreateFunc       func(parentReference string, options types.ImageCreateOptions) (io.ReadCloser, error)
-	infoFunc              func() (types.Info, error)
-	containerStatPathFunc func(container, path string) (types.ContainerPathStat, error)
-	containerCopyFromFunc func(container, srcPath string) (io.ReadCloser, types.ContainerPathStat, error)
-	logFunc               func(string, types.ContainerLogsOptions) (io.ReadCloser, error)
-	waitFunc              func(string) (<-chan container.ContainerWaitOKBody, <-chan error)
-	containerListFunc     func(types.ContainerListOptions) ([]types.Container, error)
-	Version               string
+	inspectFunc         func(string) (types.ContainerJSON, error)
+	execInspectFunc     func(execID string) (types.ContainerExecInspect, error)
+	execCreateFunc      func(container string, config types.ExecConfig) (types.IDResponse, error)
+	createContainerFunc func(config *container.Config,
+		hostConfig *container.HostConfig,
+		networkingConfig *network.NetworkingConfig,
+		containerName string) (container.ContainerCreateCreatedBody, error)
+	containerStartFunc      func(container string, options types.ContainerStartOptions) error
+	imageCreateFunc         func(parentReference string, options types.ImageCreateOptions) (io.ReadCloser, error)
+	infoFunc                func() (types.Info, error)
+	containerStatPathFunc   func(container, path string) (types.ContainerPathStat, error)
+	containerCopyFromFunc   func(container, srcPath string) (io.ReadCloser, types.ContainerPathStat, error)
+	logFunc                 func(string, types.ContainerLogsOptions) (io.ReadCloser, error)
+	waitFunc                func(string) (<-chan container.ContainerWaitOKBody, <-chan error)
+	containerListFunc       func(types.ContainerListOptions) ([]types.Container, error)
+	containerExportFunc     func(string) (io.ReadCloser, error)
+	containerExecResizeFunc func(id string, options types.ResizeOptions) error
+	Version                 string
 }

 func (f *fakeClient) ContainerList(_ context.Context, options types.ContainerListOptions) ([]types.Container, error) {
@ -124,3 +129,17 @@ func (f *fakeClient) ContainerStart(_ context.Context, container string, options
 	}
 	return nil
 }
+
+func (f *fakeClient) ContainerExport(_ context.Context, container string) (io.ReadCloser, error) {
+	if f.containerExportFunc != nil {
+		return f.containerExportFunc(container)
+	}
+	return nil, nil
+}
+
+func (f *fakeClient) ContainerExecResize(_ context.Context, id string, options types.ResizeOptions) error {
+	if f.containerExecResizeFunc != nil {
+		return f.containerExecResizeFunc(id, options)
+	}
+	return nil
+}
--- a/cli/command/container/cp.go
+++ b/cli/command/container/cp.go
@ -128,6 +128,10 @@ func copyFromContainer(ctx context.Context, dockerCli command.Cli, copyConfig cp
 		}
 	}

+	if err := command.ValidateOutputPath(dstPath); err != nil {
+		return err
+	}
+
 	client := dockerCli.Client()
 	// if client requests to follow symbol link, then must decide target file to be copied
 	var rebaseName string
@ -209,6 +213,11 @@ func copyToContainer(ctx context.Context, dockerCli command.Cli, copyConfig cpCo
 		dstStat, err = client.ContainerStatPath(ctx, copyConfig.container, linkTarget)
 	}

+	// Validate the destination path
+	if err := command.ValidateOutputPathFileMode(dstStat.Mode); err != nil {
+		return errors.Wrapf(err, `destination "%s:%s" must be a directory or a regular file`, copyConfig.container, dstPath)
+	}
+
 	// Ignore any error and assume that the parent directory of the destination
 	// path exists, in which case the copy may still succeed. If there is any
 	// type of conflict (e.g., non-directory overwriting an existing directory
--- a/cli/command/container/cp_test.go
+++ b/cli/command/container/cp_test.go
@ -190,3 +190,12 @@ func TestSplitCpArg(t *testing.T) {
 		})
 	}
 }
+
+func TestRunCopyFromContainerToFilesystemIrregularDestination(t *testing.T) {
+	options := copyOptions{source: "container:/dev/null", destination: "/dev/random"}
+	cli := test.NewFakeCli(nil)
+	err := runCopy(cli, options)
+	assert.Assert(t, err != nil)
+	expected := `"/dev/random" must be a directory or a regular file`
+	assert.ErrorContains(t, err, expected)
+}
--- a/cli/command/container/create.go
+++ b/cli/command/container/create.go
@ -5,10 +5,12 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"regexp"

 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/image"
+	"github.com/docker/cli/opts"
 	"github.com/docker/distribution/reference"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
@ -59,13 +61,27 @@ func NewCreateCommand(dockerCli command.Cli) *cobra.Command {
 	return cmd
 }

-func runCreate(dockerCli command.Cli, flags *pflag.FlagSet, opts *createOptions, copts *containerOptions) error {
-	containerConfig, err := parse(flags, copts)
+func runCreate(dockerCli command.Cli, flags *pflag.FlagSet, options *createOptions, copts *containerOptions) error {
+	proxyConfig := dockerCli.ConfigFile().ParseProxyConfig(dockerCli.Client().DaemonHost(), opts.ConvertKVStringsToMapWithNil(copts.env.GetAll()))
+	newEnv := []string{}
+	for k, v := range proxyConfig {
+		if v == nil {
+			newEnv = append(newEnv, k)
+		} else {
+			newEnv = append(newEnv, fmt.Sprintf("%s=%s", k, *v))
+		}
+	}
+	copts.env = *opts.NewListOptsRef(&newEnv, nil)
+	containerConfig, err := parse(flags, copts, dockerCli.ServerInfo().OSType)
 	if err != nil {
 		reportError(dockerCli.Err(), "create", err.Error(), true)
 		return cli.StatusError{StatusCode: 125}
 	}
-	response, err := createContainer(context.Background(), dockerCli, containerConfig, opts)
+	if err = validateAPIVersion(containerConfig, dockerCli.Client().ClientVersion()); err != nil {
+		reportError(dockerCli.Err(), "create", err.Error(), true)
+		return cli.StatusError{StatusCode: 125}
+	}
+	response, err := createContainer(context.Background(), dockerCli, containerConfig, options)
 	if err != nil {
 		return err
 	}
@ -165,6 +181,9 @@ func createContainer(ctx context.Context, dockerCli command.Cli, containerConfig
 	networkingConfig := containerConfig.NetworkingConfig
 	stderr := dockerCli.Err()

+	warnOnOomKillDisable(*hostConfig, stderr)
+	warnOnLocalhostDNS(*hostConfig, stderr)
+
 	var (
 		trustedRef reference.Canonical
 		namedRef   reference.Named
@ -227,3 +246,32 @@ func createContainer(ctx context.Context, dockerCli command.Cli, containerConfig
 	err = containerIDFile.Write(response.ID)
 	return &response, err
 }
+
+func warnOnOomKillDisable(hostConfig container.HostConfig, stderr io.Writer) {
+	if hostConfig.OomKillDisable != nil && *hostConfig.OomKillDisable && hostConfig.Memory == 0 {
+		fmt.Fprintln(stderr, "WARNING: Disabling the OOM killer on containers without setting a '-m/--memory' limit may be dangerous.")
+	}
+}
+
+// check the DNS settings passed via --dns against localhost regexp to warn if
+// they are trying to set a DNS to a localhost address
+func warnOnLocalhostDNS(hostConfig container.HostConfig, stderr io.Writer) {
+	for _, dnsIP := range hostConfig.DNS {
+		if isLocalhost(dnsIP) {
+			fmt.Fprintf(stderr, "WARNING: Localhost DNS setting (--dns=%s) may fail in containers.\n", dnsIP)
+			return
+		}
+	}
+}
+
+// IPLocalhost is a regex pattern for IPv4 or IPv6 loopback range.
+const ipLocalhost = `((127\.([0-9]{1,3}\.){2}[0-9]{1,3})|(::1)$)`
+
+var localhostIPRegexp = regexp.MustCompile(ipLocalhost)
+
+// IsLocalhost returns true if ip matches the localhost IP regular expression.
+// Used for determining if nameserver settings are being passed which are
+// localhost addresses
+func isLocalhost(ip string) bool {
+	return localhostIPRegexp.MatchString(ip)
+}
--- a/cli/command/container/create_test.go
+++ b/cli/command/container/create_test.go
@ -7,9 +7,11 @@ import (
 	"io/ioutil"
 	"os"
 	"runtime"
+	"sort"
 	"strings"
 	"testing"

+	"github.com/docker/cli/cli/config/configfile"
 	"github.com/docker/cli/internal/test"
 	"github.com/docker/cli/internal/test/notary"
 	"github.com/docker/docker/api/types"
@ -20,6 +22,7 @@ import (
 	"gotest.tools/assert"
 	is "gotest.tools/assert/cmp"
 	"gotest.tools/fs"
+	"gotest.tools/golden"
 )

 func TestCIDFileNoOPWithNoFilename(t *testing.T) {
@ -166,6 +169,111 @@ func TestNewCreateCommandWithContentTrustErrors(t *testing.T) {
 	}
 }

+func TestNewCreateCommandWithWarnings(t *testing.T) {
+	testCases := []struct {
+		name    string
+		args    []string
+		warning bool
+	}{
+		{
+			name: "container-create-without-oom-kill-disable",
+			args: []string{"image:tag"},
+		},
+		{
+			name: "container-create-oom-kill-disable-false",
+			args: []string{"--oom-kill-disable=false", "image:tag"},
+		},
+		{
+			name:    "container-create-oom-kill-without-memory-limit",
+			args:    []string{"--oom-kill-disable", "image:tag"},
+			warning: true,
+		},
+		{
+			name:    "container-create-oom-kill-true-without-memory-limit",
+			args:    []string{"--oom-kill-disable=true", "image:tag"},
+			warning: true,
+		},
+		{
+			name: "container-create-oom-kill-true-with-memory-limit",
+			args: []string{"--oom-kill-disable=true", "--memory=100M", "image:tag"},
+		},
+		{
+			name:    "container-create-localhost-dns",
+			args:    []string{"--dns=127.0.0.11", "image:tag"},
+			warning: true,
+		},
+		{
+			name:    "container-create-localhost-dns-ipv6",
+			args:    []string{"--dns=::1", "image:tag"},
+			warning: true,
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			cli := test.NewFakeCli(&fakeClient{
+				createContainerFunc: func(config *container.Config,
+					hostConfig *container.HostConfig,
+					networkingConfig *network.NetworkingConfig,
+					containerName string,
+				) (container.ContainerCreateCreatedBody, error) {
+					return container.ContainerCreateCreatedBody{}, nil
+				},
+			})
+			cmd := NewCreateCommand(cli)
+			cmd.SetOutput(ioutil.Discard)
+			cmd.SetArgs(tc.args)
+			err := cmd.Execute()
+			assert.NilError(t, err)
+			if tc.warning {
+				golden.Assert(t, cli.ErrBuffer().String(), tc.name+".golden")
+			} else {
+				assert.Equal(t, cli.ErrBuffer().String(), "")
+			}
+		})
+	}
+}
+
+func TestCreateContainerWithProxyConfig(t *testing.T) {
+	expected := []string{
+		"HTTP_PROXY=httpProxy",
+		"http_proxy=httpProxy",
+		"HTTPS_PROXY=httpsProxy",
+		"https_proxy=httpsProxy",
+		"NO_PROXY=noProxy",
+		"no_proxy=noProxy",
+		"FTP_PROXY=ftpProxy",
+		"ftp_proxy=ftpProxy",
+	}
+	sort.Strings(expected)
+
+	cli := test.NewFakeCli(&fakeClient{
+		createContainerFunc: func(config *container.Config,
+			hostConfig *container.HostConfig,
+			networkingConfig *network.NetworkingConfig,
+			containerName string,
+		) (container.ContainerCreateCreatedBody, error) {
+			sort.Strings(config.Env)
+			assert.DeepEqual(t, config.Env, expected)
+			return container.ContainerCreateCreatedBody{}, nil
+		},
+	})
+	cli.SetConfigFile(&configfile.ConfigFile{
+		Proxies: map[string]configfile.ProxyConfig{
+			"default": {
+				HTTPProxy:  "httpProxy",
+				HTTPSProxy: "httpsProxy",
+				NoProxy:    "noProxy",
+				FTPProxy:   "ftpProxy",
+			},
+		},
+	})
+	cmd := NewCreateCommand(cli)
+	cmd.SetOutput(ioutil.Discard)
+	cmd.SetArgs([]string{"image:tag"})
+	err := cmd.Execute()
+	assert.NilError(t, err)
+}
+
 type fakeNotFound struct{}

 func (f fakeNotFound) NotFound() bool { return true }
--- a/cli/command/container/diff.go
+++ b/cli/command/container/diff.go
@ -41,7 +41,7 @@ func runDiff(dockerCli command.Cli, opts *diffOptions) error {
 	}
 	diffCtx := formatter.Context{
 		Output: dockerCli.Out(),
-		Format: formatter.NewDiffFormat("{{.Type}} {{.Path}}"),
+		Format: NewDiffFormat("{{.Type}} {{.Path}}"),
 	}
-	return formatter.DiffWrite(diffCtx, changes)
+	return DiffFormatWrite(diffCtx, changes)
 }
--- a/cli/command/container/export.go
+++ b/cli/command/container/export.go
@ -41,6 +41,10 @@ func runExport(dockerCli command.Cli, opts exportOptions) error {
 		return errors.New("cowardly refusing to save to a terminal. Use the -o flag or redirect")
 	}

+	if err := command.ValidateOutputPath(opts.output); err != nil {
+		return errors.Wrap(err, "failed to export container")
+	}
+
 	clnt := dockerCli.Client()

 	responseBody, err := clnt.ContainerExport(context.Background(), opts.container)
--- a/cli/command/container/export_test.go
+++ b/cli/command/container/export_test.go
@ -0,0 +1,49 @@
+package container
+
+import (
+	"io"
+	"io/ioutil"
+	"strings"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"gotest.tools/assert"
+	"gotest.tools/fs"
+)
+
+func TestContainerExportOutputToFile(t *testing.T) {
+	dir := fs.NewDir(t, "export-test")
+	defer dir.Remove()
+
+	cli := test.NewFakeCli(&fakeClient{
+		containerExportFunc: func(container string) (io.ReadCloser, error) {
+			return ioutil.NopCloser(strings.NewReader("bar")), nil
+		},
+	})
+	cmd := NewExportCommand(cli)
+	cmd.SetOutput(ioutil.Discard)
+	cmd.SetArgs([]string{"-o", dir.Join("foo"), "container"})
+	assert.NilError(t, cmd.Execute())
+
+	expected := fs.Expected(t,
+		fs.WithFile("foo", "bar", fs.MatchAnyFileMode),
+	)
+
+	assert.Assert(t, fs.Equal(dir.Path(), expected))
+}
+
+func TestContainerExportOutputToIrregularFile(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		containerExportFunc: func(container string) (io.ReadCloser, error) {
+			return ioutil.NopCloser(strings.NewReader("foo")), nil
+		},
+	})
+	cmd := NewExportCommand(cli)
+	cmd.SetOutput(ioutil.Discard)
+	cmd.SetArgs([]string{"-o", "/dev/random", "container"})
+
+	err := cmd.Execute()
+	assert.Assert(t, err != nil)
+	expected := `"/dev/random" must be a directory or a regular file`
+	assert.ErrorContains(t, err, expected)
+}
--- a/cli/command/container/formatter_diff.go
+++ b/cli/command/container/formatter_diff.go
@ -1,6 +1,7 @@
-package formatter
+package container

 import (
+	"github.com/docker/cli/cli/command/formatter"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/pkg/archive"
 )
@ -13,18 +14,18 @@ const (
 )

 // NewDiffFormat returns a format for use with a diff Context
-func NewDiffFormat(source string) Format {
+func NewDiffFormat(source string) formatter.Format {
 	switch source {
-	case TableFormatKey:
+	case formatter.TableFormatKey:
 		return defaultDiffTableFormat
 	}
-	return Format(source)
+	return formatter.Format(source)
 }

-// DiffWrite writes formatted diff using the Context
-func DiffWrite(ctx Context, changes []container.ContainerChangeResponseItem) error {
+// DiffFormatWrite writes formatted diff using the Context
+func DiffFormatWrite(ctx formatter.Context, changes []container.ContainerChangeResponseItem) error {

-	render := func(format func(subContext subContext) error) error {
+	render := func(format func(subContext formatter.SubContext) error) error {
 		for _, change := range changes {
 			if err := format(&diffContext{c: change}); err != nil {
 				return err
@ -36,13 +37,13 @@ func DiffWrite(ctx Context, changes []container.ContainerChangeResponseItem) err
 }

 type diffContext struct {
-	HeaderContext
+	formatter.HeaderContext
 	c container.ContainerChangeResponseItem
 }

 func newDiffContext() *diffContext {
 	diffCtx := diffContext{}
-	diffCtx.header = map[string]string{
+	diffCtx.Header = formatter.SubHeaderContext{
 		"Type": changeTypeHeader,
 		"Path": pathHeader,
 	}
@ -50,7 +51,7 @@ func newDiffContext() *diffContext {
 }

 func (d *diffContext) MarshalJSON() ([]byte, error) {
-	return marshalJSON(d)
+	return formatter.MarshalJSON(d)
 }

 func (d *diffContext) Type() string {
--- a/cli/command/container/formatter_diff_test.go
+++ b/cli/command/container/formatter_diff_test.go
@ -1,9 +1,10 @@
-package formatter
+package container

 import (
 	"bytes"
 	"testing"

+	"github.com/docker/cli/cli/command/formatter"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/pkg/archive"
 	"gotest.tools/assert"
@ -13,11 +14,11 @@ import (
 func TestDiffContextFormatWrite(t *testing.T) {
 	// Check default output format (verbose and non-verbose mode) for table headers
 	cases := []struct {
-		context  Context
+		context  formatter.Context
 		expected string
 	}{
 		{
-			Context{Format: NewDiffFormat("table")},
+			formatter.Context{Format: NewDiffFormat("table")},
 			`CHANGE TYPE         PATH
 C                   /var/log/app.log
 A                   /usr/app/app.js
@ -25,7 +26,7 @@ D                   /usr/app/old_app.js
 `,
 		},
 		{
-			Context{Format: NewDiffFormat("table {{.Path}}")},
+			formatter.Context{Format: NewDiffFormat("table {{.Path}}")},
 			`PATH
 /var/log/app.log
 /usr/app/app.js
@ -33,7 +34,7 @@ D                   /usr/app/old_app.js
 `,
 		},
 		{
-			Context{Format: NewDiffFormat("{{.Type}}: {{.Path}}")},
+			formatter.Context{Format: NewDiffFormat("{{.Type}}: {{.Path}}")},
 			`C: /var/log/app.log
 A: /usr/app/app.js
 D: /usr/app/old_app.js
@ -50,7 +51,7 @@ D: /usr/app/old_app.js
 	for _, testcase := range cases {
 		out := bytes.NewBufferString("")
 		testcase.context.Output = out
-		err := DiffWrite(testcase.context, diffs)
+		err := DiffFormatWrite(testcase.context, diffs)
 		if err != nil {
 			assert.Error(t, err, testcase.expected)
 		} else {
--- a/cli/command/container/formatter_stats.go
+++ b/cli/command/container/formatter_stats.go
@ -1,9 +1,10 @@
-package formatter
+package container

 import (
 	"fmt"
 	"sync"

+	"github.com/docker/cli/cli/command/formatter"
 	"github.com/docker/docker/pkg/stringid"
 	units "github.com/docker/go-units"
 )
@ -40,8 +41,8 @@ type StatsEntry struct {
 	IsInvalid        bool
 }

-// ContainerStats represents an entity to store containers statistics synchronously
-type ContainerStats struct {
+// Stats represents an entity to store containers statistics synchronously
+type Stats struct {
 	mutex sync.Mutex
 	StatsEntry
 	err error
@ -49,7 +50,7 @@ type ContainerStats struct {

 // GetError returns the container statistics error.
 // This is used to determine whether the statistics are valid or not
-func (cs *ContainerStats) GetError() error {
+func (cs *Stats) GetError() error {
 	cs.mutex.Lock()
 	defer cs.mutex.Unlock()
 	return cs.err
@ -57,7 +58,7 @@ func (cs *ContainerStats) GetError() error {

 // SetErrorAndReset zeroes all the container statistics and store the error.
 // It is used when receiving time out error during statistics collecting to reduce lock overhead
-func (cs *ContainerStats) SetErrorAndReset(err error) {
+func (cs *Stats) SetErrorAndReset(err error) {
 	cs.mutex.Lock()
 	defer cs.mutex.Unlock()
 	cs.CPUPercentage = 0
@ -74,7 +75,7 @@ func (cs *ContainerStats) SetErrorAndReset(err error) {
 }

 // SetError sets container statistics error
-func (cs *ContainerStats) SetError(err error) {
+func (cs *Stats) SetError(err error) {
 	cs.mutex.Lock()
 	defer cs.mutex.Unlock()
 	cs.err = err
@ -84,7 +85,7 @@ func (cs *ContainerStats) SetError(err error) {
 }

 // SetStatistics set the container statistics
-func (cs *ContainerStats) SetStatistics(s StatsEntry) {
+func (cs *Stats) SetStatistics(s StatsEntry) {
 	cs.mutex.Lock()
 	defer cs.mutex.Unlock()
 	s.Container = cs.Container
@ -92,38 +93,38 @@ func (cs *ContainerStats) SetStatistics(s StatsEntry) {
 }

 // GetStatistics returns container statistics with other meta data such as the container name
-func (cs *ContainerStats) GetStatistics() StatsEntry {
+func (cs *Stats) GetStatistics() StatsEntry {
 	cs.mutex.Lock()
 	defer cs.mutex.Unlock()
 	return cs.StatsEntry
 }

 // NewStatsFormat returns a format for rendering an CStatsContext
-func NewStatsFormat(source, osType string) Format {
-	if source == TableFormatKey {
+func NewStatsFormat(source, osType string) formatter.Format {
+	if source == formatter.TableFormatKey {
 		if osType == winOSType {
-			return Format(winDefaultStatsTableFormat)
+			return formatter.Format(winDefaultStatsTableFormat)
 		}
-		return Format(defaultStatsTableFormat)
+		return formatter.Format(defaultStatsTableFormat)
 	}
-	return Format(source)
+	return formatter.Format(source)
 }

-// NewContainerStats returns a new ContainerStats entity and sets in it the given name
-func NewContainerStats(container string) *ContainerStats {
-	return &ContainerStats{StatsEntry: StatsEntry{Container: container}}
+// NewStats returns a new Stats entity and sets in it the given name
+func NewStats(container string) *Stats {
+	return &Stats{StatsEntry: StatsEntry{Container: container}}
 }

-// ContainerStatsWrite renders the context for a list of containers statistics
-func ContainerStatsWrite(ctx Context, containerStats []StatsEntry, osType string, trunc bool) error {
-	render := func(format func(subContext subContext) error) error {
-		for _, cstats := range containerStats {
-			containerStatsCtx := &containerStatsContext{
+// statsFormatWrite renders the context for a list of containers statistics
+func statsFormatWrite(ctx formatter.Context, Stats []StatsEntry, osType string, trunc bool) error {
+	render := func(format func(subContext formatter.SubContext) error) error {
+		for _, cstats := range Stats {
+			statsCtx := &statsContext{
 				s:     cstats,
 				os:    osType,
 				trunc: trunc,
 			}
-			if err := format(containerStatsCtx); err != nil {
+			if err := format(statsCtx); err != nil {
 				return err
 			}
 		}
@ -133,11 +134,11 @@ func ContainerStatsWrite(ctx Context, containerStats []StatsEntry, osType string
 	if osType == winOSType {
 		memUsage = winMemUseHeader
 	}
-	containerStatsCtx := containerStatsContext{}
-	containerStatsCtx.header = map[string]string{
+	statsCtx := statsContext{}
+	statsCtx.Header = formatter.SubHeaderContext{
 		"Container": containerHeader,
-		"Name":      nameHeader,
-		"ID":        containerIDHeader,
+		"Name":      formatter.NameHeader,
+		"ID":        formatter.ContainerIDHeader,
 		"CPUPerc":   cpuPercHeader,
 		"MemUsage":  memUsage,
 		"MemPerc":   memPercHeader,
@ -145,47 +146,47 @@ func ContainerStatsWrite(ctx Context, containerStats []StatsEntry, osType string
 		"BlockIO":   blockIOHeader,
 		"PIDs":      pidsHeader,
 	}
-	containerStatsCtx.os = osType
-	return ctx.Write(&containerStatsCtx, render)
+	statsCtx.os = osType
+	return ctx.Write(&statsCtx, render)
 }

-type containerStatsContext struct {
-	HeaderContext
+type statsContext struct {
+	formatter.HeaderContext
 	s     StatsEntry
 	os    string
 	trunc bool
 }

-func (c *containerStatsContext) MarshalJSON() ([]byte, error) {
-	return marshalJSON(c)
+func (c *statsContext) MarshalJSON() ([]byte, error) {
+	return formatter.MarshalJSON(c)
 }

-func (c *containerStatsContext) Container() string {
+func (c *statsContext) Container() string {
 	return c.s.Container
 }

-func (c *containerStatsContext) Name() string {
+func (c *statsContext) Name() string {
 	if len(c.s.Name) > 1 {
 		return c.s.Name[1:]
 	}
 	return "--"
 }

-func (c *containerStatsContext) ID() string {
+func (c *statsContext) ID() string {
 	if c.trunc {
 		return stringid.TruncateID(c.s.ID)
 	}
 	return c.s.ID
 }

-func (c *containerStatsContext) CPUPerc() string {
+func (c *statsContext) CPUPerc() string {
 	if c.s.IsInvalid {
 		return fmt.Sprintf("--")
 	}
 	return fmt.Sprintf("%.2f%%", c.s.CPUPercentage)
 }

-func (c *containerStatsContext) MemUsage() string {
+func (c *statsContext) MemUsage() string {
 	if c.s.IsInvalid {
 		return fmt.Sprintf("-- / --")
 	}
@ -195,28 +196,28 @@ func (c *containerStatsContext) MemUsage() string {
 	return fmt.Sprintf("%s / %s", units.BytesSize(c.s.Memory), units.BytesSize(c.s.MemoryLimit))
 }

-func (c *containerStatsContext) MemPerc() string {
+func (c *statsContext) MemPerc() string {
 	if c.s.IsInvalid || c.os == winOSType {
 		return fmt.Sprintf("--")
 	}
 	return fmt.Sprintf("%.2f%%", c.s.MemoryPercentage)
 }

-func (c *containerStatsContext) NetIO() string {
+func (c *statsContext) NetIO() string {
 	if c.s.IsInvalid {
 		return fmt.Sprintf("--")
 	}
 	return fmt.Sprintf("%s / %s", units.HumanSizeWithPrecision(c.s.NetworkRx, 3), units.HumanSizeWithPrecision(c.s.NetworkTx, 3))
 }

-func (c *containerStatsContext) BlockIO() string {
+func (c *statsContext) BlockIO() string {
 	if c.s.IsInvalid {
 		return fmt.Sprintf("--")
 	}
 	return fmt.Sprintf("%s / %s", units.HumanSizeWithPrecision(c.s.BlockRead, 3), units.HumanSizeWithPrecision(c.s.BlockWrite, 3))
 }

-func (c *containerStatsContext) PIDs() string {
+func (c *statsContext) PIDs() string {
 	if c.s.IsInvalid || c.os == winOSType {
 		return fmt.Sprintf("--")
 	}
--- a/cli/command/container/formatter_stats_test.go
+++ b/cli/command/container/formatter_stats_test.go
@ -1,9 +1,10 @@
-package formatter
+package container

 import (
 	"bytes"
 	"testing"

+	"github.com/docker/cli/cli/command/formatter"
 	"github.com/docker/docker/pkg/stringid"
 	"gotest.tools/assert"
 	is "gotest.tools/assert/cmp"
@ -12,7 +13,7 @@ import (
 func TestContainerStatsContext(t *testing.T) {
 	containerID := stringid.GenerateRandomID()

-	var ctx containerStatsContext
+	var ctx statsContext
 	tt := []struct {
 		stats     StatsEntry
 		osType    string
@ -39,7 +40,7 @@ func TestContainerStatsContext(t *testing.T) {
 	}

 	for _, te := range tt {
-		ctx = containerStatsContext{s: te.stats, os: te.osType}
+		ctx = statsContext{s: te.stats, os: te.osType}
 		if v := te.call(); v != te.expValue {
 			t.Fatalf("Expected %q, got %q", te.expValue, v)
 		}
@ -48,34 +49,34 @@ func TestContainerStatsContext(t *testing.T) {

 func TestContainerStatsContextWrite(t *testing.T) {
 	tt := []struct {
-		context  Context
+		context  formatter.Context
 		expected string
 	}{
 		{
-			Context{Format: "{{InvalidFunction}}"},
+			formatter.Context{Format: "{{InvalidFunction}}"},
 			`Template parsing error: template: :1: function "InvalidFunction" not defined
 `,
 		},
 		{
-			Context{Format: "{{nil}}"},
+			formatter.Context{Format: "{{nil}}"},
 			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
 `,
 		},
 		{
-			Context{Format: "table {{.MemUsage}}"},
+			formatter.Context{Format: "table {{.MemUsage}}"},
 			`MEM USAGE / LIMIT
 20B / 20B
 -- / --
 `,
 		},
 		{
-			Context{Format: "{{.Container}}  {{.ID}}  {{.Name}}"},
+			formatter.Context{Format: "{{.Container}}  {{.ID}}  {{.Name}}"},
 			`container1  abcdef  foo
 container2    --
 `,
 		},
 		{
-			Context{Format: "{{.Container}}  {{.CPUPerc}}"},
+			formatter.Context{Format: "{{.Container}}  {{.CPUPerc}}"},
 			`container1  20.00%
 container2  --
 `,
@ -115,7 +116,7 @@ container2  --
 		}
 		var out bytes.Buffer
 		te.context.Output = &out
-		err := ContainerStatsWrite(te.context, stats, "linux", false)
+		err := statsFormatWrite(te.context, stats, "linux", false)
 		if err != nil {
 			assert.Error(t, err, te.expected)
 		} else {
@ -126,24 +127,24 @@ container2  --

 func TestContainerStatsContextWriteWindows(t *testing.T) {
 	tt := []struct {
-		context  Context
+		context  formatter.Context
 		expected string
 	}{
 		{
-			Context{Format: "table {{.MemUsage}}"},
+			formatter.Context{Format: "table {{.MemUsage}}"},
 			`PRIV WORKING SET
 20B
 -- / --
 `,
 		},
 		{
-			Context{Format: "{{.Container}}  {{.CPUPerc}}"},
+			formatter.Context{Format: "{{.Container}}  {{.CPUPerc}}"},
 			`container1  20.00%
 container2  --
 `,
 		},
 		{
-			Context{Format: "{{.Container}}  {{.MemPerc}}  {{.PIDs}}"},
+			formatter.Context{Format: "{{.Container}}  {{.MemPerc}}  {{.PIDs}}"},
 			`container1  --  --
 container2  --  --
 `,
@ -181,7 +182,7 @@ container2  --  --
 		}
 		var out bytes.Buffer
 		te.context.Output = &out
-		err := ContainerStatsWrite(te.context, stats, "windows", false)
+		err := statsFormatWrite(te.context, stats, "windows", false)
 		if err != nil {
 			assert.Error(t, err, te.expected)
 		} else {
@ -194,25 +195,25 @@ func TestContainerStatsContextWriteWithNoStats(t *testing.T) {
 	var out bytes.Buffer

 	contexts := []struct {
-		context  Context
+		context  formatter.Context
 		expected string
 	}{
 		{
-			Context{
+			formatter.Context{
 				Format: "{{.Container}}",
 				Output: &out,
 			},
 			"",
 		},
 		{
-			Context{
+			formatter.Context{
 				Format: "table {{.Container}}",
 				Output: &out,
 			},
 			"CONTAINER\n",
 		},
 		{
-			Context{
+			formatter.Context{
 				Format: "table {{.Container}}\t{{.CPUPerc}}",
 				Output: &out,
 			},
@ -221,7 +222,7 @@ func TestContainerStatsContextWriteWithNoStats(t *testing.T) {
 	}

 	for _, context := range contexts {
-		ContainerStatsWrite(context.context, []StatsEntry{}, "linux", false)
+		statsFormatWrite(context.context, []StatsEntry{}, "linux", false)
 		assert.Check(t, is.Equal(context.expected, out.String()))
 		// Clean buffer
 		out.Reset()
@ -232,25 +233,25 @@ func TestContainerStatsContextWriteWithNoStatsWindows(t *testing.T) {
 	var out bytes.Buffer

 	contexts := []struct {
-		context  Context
+		context  formatter.Context
 		expected string
 	}{
 		{
-			Context{
+			formatter.Context{
 				Format: "{{.Container}}",
 				Output: &out,
 			},
 			"",
 		},
 		{
-			Context{
+			formatter.Context{
 				Format: "table {{.Container}}\t{{.MemUsage}}",
 				Output: &out,
 			},
 			"CONTAINER           PRIV WORKING SET\n",
 		},
 		{
-			Context{
+			formatter.Context{
 				Format: "table {{.Container}}\t{{.CPUPerc}}\t{{.MemUsage}}",
 				Output: &out,
 			},
@ -259,7 +260,7 @@ func TestContainerStatsContextWriteWithNoStatsWindows(t *testing.T) {
 	}

 	for _, context := range contexts {
-		ContainerStatsWrite(context.context, []StatsEntry{}, "windows", false)
+		statsFormatWrite(context.context, []StatsEntry{}, "windows", false)
 		assert.Check(t, is.Equal(context.expected, out.String()))
 		// Clean buffer
 		out.Reset()
@ -270,12 +271,12 @@ func TestContainerStatsContextWriteTrunc(t *testing.T) {
 	var out bytes.Buffer

 	contexts := []struct {
-		context  Context
+		context  formatter.Context
 		trunc    bool
 		expected string
 	}{
 		{
-			Context{
+			formatter.Context{
 				Format: "{{.ID}}",
 				Output: &out,
 			},
@ -283,7 +284,7 @@ func TestContainerStatsContextWriteTrunc(t *testing.T) {
 			"b95a83497c9161c9b444e3d70e1a9dfba0c1840d41720e146a95a08ebf938afc\n",
 		},
 		{
-			Context{
+			formatter.Context{
 				Format: "{{.ID}}",
 				Output: &out,
 			},
@ -293,7 +294,7 @@ func TestContainerStatsContextWriteTrunc(t *testing.T) {
 	}

 	for _, context := range contexts {
-		ContainerStatsWrite(context.context, []StatsEntry{{ID: "b95a83497c9161c9b444e3d70e1a9dfba0c1840d41720e146a95a08ebf938afc"}}, "linux", context.trunc)
+		statsFormatWrite(context.context, []StatsEntry{{ID: "b95a83497c9161c9b444e3d70e1a9dfba0c1840d41720e146a95a08ebf938afc"}}, "linux", context.trunc)
 		assert.Check(t, is.Equal(context.expected, out.String()))
 		// Clean buffer
 		out.Reset()
--- a/cli/command/container/logs.go
+++ b/cli/command/container/logs.go
@ -50,6 +50,11 @@ func NewLogsCommand(dockerCli command.Cli) *cobra.Command {
 func runLogs(dockerCli command.Cli, opts *logsOptions) error {
 	ctx := context.Background()

+	c, err := dockerCli.Client().ContainerInspect(ctx, opts.container)
+	if err != nil {
+		return err
+	}
+
 	options := types.ContainerLogsOptions{
 		ShowStdout: true,
 		ShowStderr: true,
@ -60,17 +65,12 @@ func runLogs(dockerCli command.Cli, opts *logsOptions) error {
 		Tail:       opts.tail,
 		Details:    opts.details,
 	}
-	responseBody, err := dockerCli.Client().ContainerLogs(ctx, opts.container, options)
+	responseBody, err := dockerCli.Client().ContainerLogs(ctx, c.ID, options)
 	if err != nil {
 		return err
 	}
 	defer responseBody.Close()

-	c, err := dockerCli.Client().ContainerInspect(ctx, opts.container)
-	if err != nil {
-		return err
-	}
-
 	if c.Config.Tty {
 		_, err = io.Copy(dockerCli.Out(), responseBody)
 	} else {
--- a/cli/command/container/opts.go
+++ b/cli/command/container/opts.go
@ -6,6 +6,7 @@ import (
 	"fmt"
 	"io/ioutil"
 	"path"
+	"reflect"
 	"regexp"
 	"strconv"
 	"strings"
@ -16,6 +17,8 @@ import (
 	"github.com/docker/docker/api/types/container"
 	networktypes "github.com/docker/docker/api/types/network"
 	"github.com/docker/docker/api/types/strslice"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/docker/errdefs"
 	"github.com/docker/docker/pkg/signal"
 	"github.com/docker/go-connections/nat"
 	"github.com/pkg/errors"
@ -45,6 +48,7 @@ type containerOptions struct {
 	labels             opts.ListOpts
 	deviceCgroupRules  opts.ListOpts
 	devices            opts.ListOpts
+	gpus               opts.GpuOpts
 	ulimits            *opts.UlimitOpt
 	sysctls            *opts.MapOpts
 	publish            opts.ListOpts
@ -74,6 +78,7 @@ type containerOptions struct {
 	containerIDFile    string
 	entrypoint         string
 	hostname           string
+	domainname         string
 	memory             opts.MemBytes
 	memoryReservation  opts.MemBytes
 	memorySwap         opts.MemSwapBytes
@ -94,7 +99,7 @@ type containerOptions struct {
 	ioMaxBandwidth     opts.MemBytes
 	ioMaxIOps          uint64
 	swappiness         int64
-	netMode            string
+	netMode            opts.NetworkOpt
 	macAddress         string
 	ipv4Address        string
 	ipv6Address        string
@ -139,13 +144,13 @@ func addFlags(flags *pflag.FlagSet) *containerOptions {
 		deviceReadIOps:    opts.NewThrottledeviceOpt(opts.ValidateThrottleIOpsDevice),
 		deviceWriteBps:    opts.NewThrottledeviceOpt(opts.ValidateThrottleBpsDevice),
 		deviceWriteIOps:   opts.NewThrottledeviceOpt(opts.ValidateThrottleIOpsDevice),
-		devices:           opts.NewListOpts(validateDevice),
+		devices:           opts.NewListOpts(nil), // devices can only be validated after we know the server OS
 		env:               opts.NewListOpts(opts.ValidateEnv),
 		envFile:           opts.NewListOpts(nil),
 		expose:            opts.NewListOpts(nil),
 		extraHosts:        opts.NewListOpts(opts.ValidateExtraHost),
 		groupAdd:          opts.NewListOpts(nil),
-		labels:            opts.NewListOpts(nil),
+		labels:            opts.NewListOpts(opts.ValidateLabel),
 		labelsFile:        opts.NewListOpts(nil),
 		linkLocalIPs:      opts.NewListOpts(nil),
 		links:             opts.NewListOpts(opts.ValidateLink),
@ -164,11 +169,14 @@ func addFlags(flags *pflag.FlagSet) *containerOptions {
 	flags.VarP(&copts.attach, "attach", "a", "Attach to STDIN, STDOUT or STDERR")
 	flags.Var(&copts.deviceCgroupRules, "device-cgroup-rule", "Add a rule to the cgroup allowed devices list")
 	flags.Var(&copts.devices, "device", "Add a host device to the container")
+	flags.Var(&copts.gpus, "gpus", "GPU devices to add to the container ('all' to pass all GPUs)")
+	flags.SetAnnotation("gpus", "version", []string{"1.40"})
 	flags.VarP(&copts.env, "env", "e", "Set environment variables")
 	flags.Var(&copts.envFile, "env-file", "Read in a file of environment variables")
 	flags.StringVar(&copts.entrypoint, "entrypoint", "", "Overwrite the default ENTRYPOINT of the image")
 	flags.Var(&copts.groupAdd, "group-add", "Add additional groups to join")
 	flags.StringVarP(&copts.hostname, "hostname", "h", "", "Container host name")
+	flags.StringVar(&copts.domainname, "domainname", "", "Container NIS domain name")
 	flags.BoolVarP(&copts.stdin, "interactive", "i", false, "Keep STDIN open even if not attached")
 	flags.VarP(&copts.labels, "label", "l", "Set meta data on a container")
 	flags.Var(&copts.labelsFile, "label-file", "Read in a line delimited file of labels")
@ -209,8 +217,8 @@ func addFlags(flags *pflag.FlagSet) *containerOptions {
 	flags.VarP(&copts.publish, "publish", "p", "Publish a container's port(s) to the host")
 	flags.BoolVarP(&copts.publishAll, "publish-all", "P", false, "Publish all exposed ports to random ports")
 	// We allow for both "--net" and "--network", although the latter is the recommended way.
-	flags.StringVar(&copts.netMode, "net", "default", "Connect a container to a network")
-	flags.StringVar(&copts.netMode, "network", "default", "Connect a container to a network")
+	flags.Var(&copts.netMode, "net", "Connect a container to a network")
+	flags.Var(&copts.netMode, "network", "Connect a container to a network")
 	flags.MarkHidden("net")
 	// We allow for both "--net-alias" and "--network-alias", although the latter is the recommended way.
 	flags.Var(&copts.aliases, "net-alias", "Add network-scoped alias for the container")
@ -296,7 +304,7 @@ type containerConfig struct {
 // a HostConfig and returns them with the specified command.
 // If the specified args are not valid, it will return an error.
 // nolint: gocyclo
-func parse(flags *pflag.FlagSet, copts *containerOptions) (*containerConfig, error) {
+func parse(flags *pflag.FlagSet, copts *containerOptions, serverOS string) (*containerConfig, error) {
 	var (
 		attachStdin  = copts.attach.Get("stdin")
 		attachStdout = copts.attach.Get("stdout")
@ -414,10 +422,22 @@ func parse(flags *pflag.FlagSet, copts *containerOptions) (*containerConfig, err
 		}
 	}

-	// parse device mappings
+	// validate and parse device mappings. Note we do late validation of the
+	// device path (as opposed to during flag parsing), as at the time we are
+	// parsing flags, we haven't yet sent a _ping to the daemon to determine
+	// what operating system it is.
 	deviceMappings := []container.DeviceMapping{}
 	for _, device := range copts.devices.GetAll() {
-		deviceMapping, err := parseDevice(device)
+		var (
+			validated     string
+			deviceMapping container.DeviceMapping
+			err           error
+		)
+		validated, err = validateDevice(device, serverOS)
+		if err != nil {
+			return nil, err
+		}
+		deviceMapping, err = parseDevice(validated, serverOS)
 		if err != nil {
 			return nil, err
 		}
@ -466,6 +486,8 @@ func parse(flags *pflag.FlagSet, copts *containerOptions) (*containerConfig, err
 		return nil, err
 	}

+	securityOpts, maskedPaths, readonlyPaths := parseSystemPaths(securityOpts)
+
 	storageOpts, err := parseStorageOpts(copts.storageOpt.GetAll())
 	if err != nil {
 		return nil, err
@ -530,7 +552,7 @@ func parse(flags *pflag.FlagSet, copts *containerOptions) (*containerConfig, err
 		CPUQuota:             copts.cpuQuota,
 		CPURealtimePeriod:    copts.cpuRealtimePeriod,
 		CPURealtimeRuntime:   copts.cpuRealtimeRuntime,
-		PidsLimit:            copts.pidsLimit,
+		PidsLimit:            &copts.pidsLimit,
 		BlkioWeight:          copts.blkioWeight,
 		BlkioWeightDevice:    copts.blkioWeightDevice.GetList(),
 		BlkioDeviceReadBps:   copts.deviceReadBps.GetList(),
@ -542,10 +564,12 @@ func parse(flags *pflag.FlagSet, copts *containerOptions) (*containerConfig, err
 		Ulimits:              copts.ulimits.GetList(),
 		DeviceCgroupRules:    copts.deviceCgroupRules.GetAll(),
 		Devices:              deviceMappings,
+		DeviceRequests:       copts.gpus.Value(),
 	}

 	config := &container.Config{
 		Hostname:     copts.hostname,
+		Domainname:   copts.domainname,
 		ExposedPorts: ports,
 		User:         copts.user,
 		Tty:          copts.tty,
@ -593,8 +617,8 @@ func parse(flags *pflag.FlagSet, copts *containerOptions) (*containerConfig, err
 		DNSOptions:     copts.dnsOptions.GetAllOrEmpty(),
 		ExtraHosts:     copts.extraHosts.GetAll(),
 		VolumesFrom:    copts.volumesFrom.GetAll(),
-		NetworkMode:    container.NetworkMode(copts.netMode),
 		IpcMode:        container.IpcMode(copts.ipcMode),
+		NetworkMode:    container.NetworkMode(copts.netMode.NetworkMode()),
 		PidMode:        pidMode,
 		UTSMode:        utsMode,
 		UsernsMode:     usernsMode,
@ -614,6 +638,8 @@ func parse(flags *pflag.FlagSet, copts *containerOptions) (*containerConfig, err
 		Sysctls:        copts.sysctls.GetAll(),
 		Runtime:        copts.runtime,
 		Mounts:         mounts,
+		MaskedPaths:    maskedPaths,
+		ReadonlyPaths:  readonlyPaths,
 	}

 	if copts.autoRemove && !hostConfig.RestartPolicy.IsNone() {
@ -634,39 +660,9 @@ func parse(flags *pflag.FlagSet, copts *containerOptions) (*containerConfig, err
 		EndpointsConfig: make(map[string]*networktypes.EndpointSettings),
 	}

-	if copts.ipv4Address != "" || copts.ipv6Address != "" || copts.linkLocalIPs.Len() > 0 {
-		epConfig := &networktypes.EndpointSettings{}
-		networkingConfig.EndpointsConfig[string(hostConfig.NetworkMode)] = epConfig
-
-		epConfig.IPAMConfig = &networktypes.EndpointIPAMConfig{
-			IPv4Address: copts.ipv4Address,
-			IPv6Address: copts.ipv6Address,
-		}
-
-		if copts.linkLocalIPs.Len() > 0 {
-			epConfig.IPAMConfig.LinkLocalIPs = make([]string, copts.linkLocalIPs.Len())
-			copy(epConfig.IPAMConfig.LinkLocalIPs, copts.linkLocalIPs.GetAll())
-		}
-	}
-
-	if hostConfig.NetworkMode.IsUserDefined() && len(hostConfig.Links) > 0 {
-		epConfig := networkingConfig.EndpointsConfig[string(hostConfig.NetworkMode)]
-		if epConfig == nil {
-			epConfig = &networktypes.EndpointSettings{}
-		}
-		epConfig.Links = make([]string, len(hostConfig.Links))
-		copy(epConfig.Links, hostConfig.Links)
-		networkingConfig.EndpointsConfig[string(hostConfig.NetworkMode)] = epConfig
-	}
-
-	if copts.aliases.Len() > 0 {
-		epConfig := networkingConfig.EndpointsConfig[string(hostConfig.NetworkMode)]
-		if epConfig == nil {
-			epConfig = &networktypes.EndpointSettings{}
-		}
-		epConfig.Aliases = make([]string, copts.aliases.Len())
-		copy(epConfig.Aliases, copts.aliases.GetAll())
-		networkingConfig.EndpointsConfig[string(hostConfig.NetworkMode)] = epConfig
+	networkingConfig.EndpointsConfig, err = parseNetworkOpts(copts)
+	if err != nil {
+		return nil, err
 	}

 	return &containerConfig{
@ -676,6 +672,121 @@ func parse(flags *pflag.FlagSet, copts *containerOptions) (*containerConfig, err
 	}, nil
 }

+// parseNetworkOpts converts --network advanced options to endpoint-specs, and combines
+// them with the old --network-alias and --links. If returns an error if conflicting options
+// are found.
+//
+// this function may return _multiple_ endpoints, which is not currently supported
+// by the daemon, but may be in future; it's up to the daemon to produce an error
+// in case that is not supported.
+func parseNetworkOpts(copts *containerOptions) (map[string]*networktypes.EndpointSettings, error) {
+	var (
+		endpoints                         = make(map[string]*networktypes.EndpointSettings, len(copts.netMode.Value()))
+		hasUserDefined, hasNonUserDefined bool
+	)
+
+	for i, n := range copts.netMode.Value() {
+		if container.NetworkMode(n.Target).IsUserDefined() {
+			hasUserDefined = true
+		} else {
+			hasNonUserDefined = true
+		}
+		if i == 0 {
+			// The first network corresponds with what was previously the "only"
+			// network, and what would be used when using the non-advanced syntax
+			// `--network-alias`, `--link`, `--ip`, `--ip6`, and `--link-local-ip`
+			// are set on this network, to preserve backward compatibility with
+			// the non-advanced notation
+			if err := applyContainerOptions(&n, copts); err != nil {
+				return nil, err
+			}
+		}
+		ep, err := parseNetworkAttachmentOpt(n)
+		if err != nil {
+			return nil, err
+		}
+		if _, ok := endpoints[n.Target]; ok {
+			return nil, errdefs.InvalidParameter(errors.Errorf("network %q is specified multiple times", n.Target))
+		}
+
+		// For backward compatibility: if no custom options are provided for the network,
+		// and only a single network is specified, omit the endpoint-configuration
+		// on the client (the daemon will still create it when creating the container)
+		if i == 0 && len(copts.netMode.Value()) == 1 {
+			if ep == nil || reflect.DeepEqual(*ep, networktypes.EndpointSettings{}) {
+				continue
+			}
+		}
+		endpoints[n.Target] = ep
+	}
+	if hasUserDefined && hasNonUserDefined {
+		return nil, errdefs.InvalidParameter(errors.New("conflicting options: cannot attach both user-defined and non-user-defined network-modes"))
+	}
+	return endpoints, nil
+}
+
+func applyContainerOptions(n *opts.NetworkAttachmentOpts, copts *containerOptions) error {
+	// TODO should copts.MacAddress actually be set on the first network? (currently it's not)
+	// TODO should we error if _any_ advanced option is used? (i.e. forbid to combine advanced notation with the "old" flags (`--network-alias`, `--link`, `--ip`, `--ip6`)?
+	if len(n.Aliases) > 0 && copts.aliases.Len() > 0 {
+		return errdefs.InvalidParameter(errors.New("conflicting options: cannot specify both --network-alias and per-network alias"))
+	}
+	if len(n.Links) > 0 && copts.links.Len() > 0 {
+		return errdefs.InvalidParameter(errors.New("conflicting options: cannot specify both --link and per-network links"))
+	}
+	if copts.aliases.Len() > 0 {
+		n.Aliases = make([]string, copts.aliases.Len())
+		copy(n.Aliases, copts.aliases.GetAll())
+	}
+	if copts.links.Len() > 0 {
+		n.Links = make([]string, copts.links.Len())
+		copy(n.Links, copts.links.GetAll())
+	}
+
+	// TODO add IPv4/IPv6 options to the csv notation for --network, and error-out in case of conflicting options
+	n.IPv4Address = copts.ipv4Address
+	n.IPv6Address = copts.ipv6Address
+
+	// TODO should linkLocalIPs be added to the _first_ network only, or to _all_ networks? (should this be a per-network option as well?)
+	if copts.linkLocalIPs.Len() > 0 {
+		n.LinkLocalIPs = make([]string, copts.linkLocalIPs.Len())
+		copy(n.LinkLocalIPs, copts.linkLocalIPs.GetAll())
+	}
+	return nil
+}
+
+func parseNetworkAttachmentOpt(ep opts.NetworkAttachmentOpts) (*networktypes.EndpointSettings, error) {
+	if strings.TrimSpace(ep.Target) == "" {
+		return nil, errors.New("no name set for network")
+	}
+	if !container.NetworkMode(ep.Target).IsUserDefined() {
+		if len(ep.Aliases) > 0 {
+			return nil, errors.New("network-scoped aliases are only supported for user-defined networks")
+		}
+		if len(ep.Links) > 0 {
+			return nil, errors.New("links are only supported for user-defined networks")
+		}
+	}
+
+	epConfig := &networktypes.EndpointSettings{}
+	epConfig.Aliases = append(epConfig.Aliases, ep.Aliases...)
+	if len(ep.DriverOpts) > 0 {
+		epConfig.DriverOpts = make(map[string]string)
+		epConfig.DriverOpts = ep.DriverOpts
+	}
+	if len(ep.Links) > 0 {
+		epConfig.Links = ep.Links
+	}
+	if ep.IPv4Address != "" || ep.IPv6Address != "" || len(ep.LinkLocalIPs) > 0 {
+		epConfig.IPAMConfig = &networktypes.EndpointIPAMConfig{
+			IPv4Address:  ep.IPv4Address,
+			IPv6Address:  ep.IPv6Address,
+			LinkLocalIPs: ep.LinkLocalIPs,
+		}
+	}
+	return epConfig, nil
+}
+
 func parsePortOpts(publishOpts []string) ([]string, error) {
 	optsList := []string{}
 	for _, publish := range publishOpts {
@ -728,6 +839,25 @@ func parseSecurityOpts(securityOpts []string) ([]string, error) {
 	return securityOpts, nil
 }

+// parseSystemPaths checks if `systempaths=unconfined` security option is set,
+// and returns the `MaskedPaths` and `ReadonlyPaths` accordingly. An updated
+// list of security options is returned with this option removed, because the
+// `unconfined` option is handled client-side, and should not be sent to the
+// daemon.
+func parseSystemPaths(securityOpts []string) (filtered, maskedPaths, readonlyPaths []string) {
+	filtered = securityOpts[:0]
+	for _, opt := range securityOpts {
+		if opt == "systempaths=unconfined" {
+			maskedPaths = []string{}
+			readonlyPaths = []string{}
+		} else {
+			filtered = append(filtered, opt)
+		}
+	}
+
+	return filtered, maskedPaths, readonlyPaths
+}
+
 // parses storage options per container into a map
 func parseStorageOpts(storageOpts []string) (map[string]string, error) {
 	m := make(map[string]string)
@ -743,7 +873,19 @@ func parseStorageOpts(storageOpts []string) (map[string]string, error) {
 }

 // parseDevice parses a device mapping string to a container.DeviceMapping struct
-func parseDevice(device string) (container.DeviceMapping, error) {
+func parseDevice(device, serverOS string) (container.DeviceMapping, error) {
+	switch serverOS {
+	case "linux":
+		return parseLinuxDevice(device)
+	case "windows":
+		return parseWindowsDevice(device)
+	}
+	return container.DeviceMapping{}, errors.Errorf("unknown server OS: %s", serverOS)
+}
+
+// parseLinuxDevice parses a device mapping string to a container.DeviceMapping struct
+// knowing that the target is a Linux daemon
+func parseLinuxDevice(device string) (container.DeviceMapping, error) {
 	src := ""
 	dst := ""
 	permissions := "rwm"
@ -777,6 +919,12 @@ func parseDevice(device string) (container.DeviceMapping, error) {
 	return deviceMapping, nil
 }

+// parseWindowsDevice parses a device mapping string to a container.DeviceMapping struct
+// knowing that the target is a Windows daemon
+func parseWindowsDevice(device string) (container.DeviceMapping, error) {
+	return container.DeviceMapping{PathOnHost: device}, nil
+}
+
 // validateDeviceCgroupRule validates a device cgroup rule string format
 // It will make sure 'val' is in the form:
 //    'type major:minor mode'
@ -809,14 +957,23 @@ func validDeviceMode(mode string) bool {
 }

 // validateDevice validates a path for devices
+func validateDevice(val string, serverOS string) (string, error) {
+	switch serverOS {
+	case "linux":
+		return validateLinuxPath(val, validDeviceMode)
+	case "windows":
+		// Windows does validation entirely server-side
+		return val, nil
+	}
+	return "", errors.Errorf("unknown server OS: %s", serverOS)
+}
+
+// validateLinuxPath is the implementation of validateDevice knowing that the
+// target server operating system is a Linux daemon.
 // It will make sure 'val' is in the form:
 //    [host-dir:]container-path[:mode]
 // It also validates the device mode.
-func validateDevice(val string) (string, error) {
-	return validatePath(val, validDeviceMode)
-}
-
-func validatePath(val string, validator func(string) bool) (string, error) {
+func validateLinuxPath(val string, validator func(string) bool) (string, error) {
 	var containerPath string
 	var mode string

@ -866,3 +1023,12 @@ func validateAttach(val string) (string, error) {
 	}
 	return val, errors.Errorf("valid streams are STDIN, STDOUT and STDERR")
 }
+
+func validateAPIVersion(c *containerConfig, serverAPIVersion string) error {
+	for _, m := range c.HostConfig.Mounts {
+		if m.BindOptions != nil && m.BindOptions.NonRecursive && versions.LessThan(serverAPIVersion, "1.40") {
+			return errors.Errorf("bind-nonrecursive requires API v1.40 or later")
+		}
+	}
+	return nil
+}
--- a/cli/command/container/opts_test.go
+++ b/cli/command/container/opts_test.go
@ -16,6 +16,7 @@ import (
 	"github.com/spf13/pflag"
 	"gotest.tools/assert"
 	is "gotest.tools/assert/cmp"
+	"gotest.tools/skip"
 )

 func TestValidateAttach(t *testing.T) {
@ -48,7 +49,7 @@ func parseRun(args []string) (*container.Config, *container.HostConfig, *network
 		return nil, nil, nil, err
 	}
 	// TODO: fix tests to accept ContainerConfig
-	containerConfig, err := parse(flags, copts)
+	containerConfig, err := parse(flags, copts, runtime.GOOS)
 	if err != nil {
 		return nil, nil, nil, err
 	}
@ -265,14 +266,35 @@ func TestParseHostname(t *testing.T) {
 	hostnameWithDomainTld := "--hostname=hostname.domainname.tld"
 	for hostname, expectedHostname := range validHostnames {
 		if config, _ := mustParse(t, fmt.Sprintf("--hostname=%s", hostname)); config.Hostname != expectedHostname {
-			t.Fatalf("Expected the config to have 'hostname' as hostname, got '%v'", config.Hostname)
+			t.Fatalf("Expected the config to have 'hostname' as %q, got %q", expectedHostname, config.Hostname)
 		}
 	}
-	if config, _ := mustParse(t, hostnameWithDomain); config.Hostname != "hostname.domainname" && config.Domainname != "" {
-		t.Fatalf("Expected the config to have 'hostname' as hostname.domainname, got '%v'", config.Hostname)
+	if config, _ := mustParse(t, hostnameWithDomain); config.Hostname != "hostname.domainname" || config.Domainname != "" {
+		t.Fatalf("Expected the config to have 'hostname' as hostname.domainname, got %q", config.Hostname)
 	}
-	if config, _ := mustParse(t, hostnameWithDomainTld); config.Hostname != "hostname.domainname.tld" && config.Domainname != "" {
-		t.Fatalf("Expected the config to have 'hostname' as hostname.domainname.tld, got '%v'", config.Hostname)
+	if config, _ := mustParse(t, hostnameWithDomainTld); config.Hostname != "hostname.domainname.tld" || config.Domainname != "" {
+		t.Fatalf("Expected the config to have 'hostname' as hostname.domainname.tld, got %q", config.Hostname)
+	}
+}
+
+func TestParseHostnameDomainname(t *testing.T) {
+	validDomainnames := map[string]string{
+		"domainname":    "domainname",
+		"domain-name":   "domain-name",
+		"domainname123": "domainname123",
+		"123domainname": "123domainname",
+		"domainname-63-bytes-long-should-be-valid-and-without-any-errors": "domainname-63-bytes-long-should-be-valid-and-without-any-errors",
+	}
+	for domainname, expectedDomainname := range validDomainnames {
+		if config, _ := mustParse(t, "--domainname="+domainname); config.Domainname != expectedDomainname {
+			t.Fatalf("Expected the config to have 'domainname' as %q, got %q", expectedDomainname, config.Domainname)
+		}
+	}
+	if config, _ := mustParse(t, "--hostname=some.prefix --domainname=domainname"); config.Hostname != "some.prefix" || config.Domainname != "domainname" {
+		t.Fatalf("Expected the config to have 'hostname' as 'some.prefix' and 'domainname' as 'domainname', got %q and %q", config.Hostname, config.Domainname)
+	}
+	if config, _ := mustParse(t, "--hostname=another-prefix --domainname=domainname.tld"); config.Hostname != "another-prefix" || config.Domainname != "domainname.tld" {
+		t.Fatalf("Expected the config to have 'hostname' as 'another-prefix' and 'domainname' as 'domainname.tld', got %q and %q", config.Hostname, config.Domainname)
 	}
 }

@ -330,6 +352,7 @@ func TestParseWithExpose(t *testing.T) {
 }

 func TestParseDevice(t *testing.T) {
+	skip.If(t, runtime.GOOS == "windows") // Windows validates server-side
 	valids := map[string]container.DeviceMapping{
 		"/dev/snd": {
 			PathOnHost:        "/dev/snd",
@ -367,12 +390,145 @@ func TestParseDevice(t *testing.T) {

 }

+func TestParseNetworkConfig(t *testing.T) {
+	tests := []struct {
+		name        string
+		flags       []string
+		expected    map[string]*networktypes.EndpointSettings
+		expectedCfg container.HostConfig
+		expectedErr string
+	}{
+		{
+			name:        "single-network-legacy",
+			flags:       []string{"--network", "net1"},
+			expected:    map[string]*networktypes.EndpointSettings{},
+			expectedCfg: container.HostConfig{NetworkMode: "net1"},
+		},
+		{
+			name:        "single-network-advanced",
+			flags:       []string{"--network", "name=net1"},
+			expected:    map[string]*networktypes.EndpointSettings{},
+			expectedCfg: container.HostConfig{NetworkMode: "net1"},
+		},
+		{
+			name: "single-network-legacy-with-options",
+			flags: []string{
+				"--ip", "172.20.88.22",
+				"--ip6", "2001:db8::8822",
+				"--link", "foo:bar",
+				"--link", "bar:baz",
+				"--link-local-ip", "169.254.2.2",
+				"--link-local-ip", "fe80::169:254:2:2",
+				"--network", "name=net1",
+				"--network-alias", "web1",
+				"--network-alias", "web2",
+			},
+			expected: map[string]*networktypes.EndpointSettings{
+				"net1": {
+					IPAMConfig: &networktypes.EndpointIPAMConfig{
+						IPv4Address:  "172.20.88.22",
+						IPv6Address:  "2001:db8::8822",
+						LinkLocalIPs: []string{"169.254.2.2", "fe80::169:254:2:2"},
+					},
+					Links:   []string{"foo:bar", "bar:baz"},
+					Aliases: []string{"web1", "web2"},
+				},
+			},
+			expectedCfg: container.HostConfig{NetworkMode: "net1"},
+		},
+		{
+			name: "multiple-network-advanced-mixed",
+			flags: []string{
+				"--ip", "172.20.88.22",
+				"--ip6", "2001:db8::8822",
+				"--link", "foo:bar",
+				"--link", "bar:baz",
+				"--link-local-ip", "169.254.2.2",
+				"--link-local-ip", "fe80::169:254:2:2",
+				"--network", "name=net1,driver-opt=field1=value1",
+				"--network-alias", "web1",
+				"--network-alias", "web2",
+				"--network", "net2",
+				"--network", "name=net3,alias=web3,driver-opt=field3=value3",
+			},
+			expected: map[string]*networktypes.EndpointSettings{
+				"net1": {
+					DriverOpts: map[string]string{"field1": "value1"},
+					IPAMConfig: &networktypes.EndpointIPAMConfig{
+						IPv4Address:  "172.20.88.22",
+						IPv6Address:  "2001:db8::8822",
+						LinkLocalIPs: []string{"169.254.2.2", "fe80::169:254:2:2"},
+					},
+					Links:   []string{"foo:bar", "bar:baz"},
+					Aliases: []string{"web1", "web2"},
+				},
+				"net2": {},
+				"net3": {
+					DriverOpts: map[string]string{"field3": "value3"},
+					Aliases:    []string{"web3"},
+				},
+			},
+			expectedCfg: container.HostConfig{NetworkMode: "net1"},
+		},
+		{
+			name:  "single-network-advanced-with-options",
+			flags: []string{"--network", "name=net1,alias=web1,alias=web2,driver-opt=field1=value1,driver-opt=field2=value2"},
+			expected: map[string]*networktypes.EndpointSettings{
+				"net1": {
+					DriverOpts: map[string]string{
+						"field1": "value1",
+						"field2": "value2",
+					},
+					Aliases: []string{"web1", "web2"},
+				},
+			},
+			expectedCfg: container.HostConfig{NetworkMode: "net1"},
+		},
+		{
+			name:        "multiple-networks",
+			flags:       []string{"--network", "net1", "--network", "name=net2"},
+			expected:    map[string]*networktypes.EndpointSettings{"net1": {}, "net2": {}},
+			expectedCfg: container.HostConfig{NetworkMode: "net1"},
+		},
+		{
+			name:        "conflict-network",
+			flags:       []string{"--network", "duplicate", "--network", "name=duplicate"},
+			expectedErr: `network "duplicate" is specified multiple times`,
+		},
+		{
+			name:        "conflict-options",
+			flags:       []string{"--network", "name=net1,alias=web1", "--network-alias", "web1"},
+			expectedErr: `conflicting options: cannot specify both --network-alias and per-network alias`,
+		},
+		{
+			name:        "invalid-mixed-network-types",
+			flags:       []string{"--network", "name=host", "--network", "net1"},
+			expectedErr: `conflicting options: cannot attach both user-defined and non-user-defined network-modes`,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			_, hConfig, nwConfig, err := parseRun(tc.flags)
+
+			if tc.expectedErr != "" {
+				assert.Error(t, err, tc.expectedErr)
+				return
+			}
+
+			assert.NilError(t, err)
+			assert.DeepEqual(t, hConfig.NetworkMode, tc.expectedCfg.NetworkMode)
+			assert.DeepEqual(t, nwConfig.EndpointsConfig, tc.expected)
+		})
+	}
+}
+
 func TestParseModes(t *testing.T) {
 	// pid ko
 	flags, copts := setupRunFlags()
 	args := []string{"--pid=container:", "img", "cmd"}
 	assert.NilError(t, flags.Parse(args))
-	_, err := parse(flags, copts)
+	_, err := parse(flags, copts, runtime.GOOS)
 	assert.ErrorContains(t, err, "--pid: invalid PID mode")

 	// pid ok
@ -594,6 +750,7 @@ func TestParseEntryPoint(t *testing.T) {
 }

 func TestValidateDevice(t *testing.T) {
+	skip.If(t, runtime.GOOS == "windows") // Windows validates server-side
 	valid := []string{
 		"/home",
 		"/home:/home",
@ -628,13 +785,13 @@ func TestValidateDevice(t *testing.T) {
 	}

 	for _, path := range valid {
-		if _, err := validateDevice(path); err != nil {
+		if _, err := validateDevice(path, runtime.GOOS); err != nil {
 			t.Fatalf("ValidateDevice(`%q`) should succeed: error %q", path, err)
 		}
 	}

 	for path, expectedError := range invalid {
-		if _, err := validateDevice(path); err == nil {
+		if _, err := validateDevice(path, runtime.GOOS); err == nil {
 			t.Fatalf("ValidateDevice(`%q`) should have failed validation", path)
 		} else {
 			if err.Error() != expectedError {
@ -643,3 +800,57 @@ func TestValidateDevice(t *testing.T) {
 		}
 	}
 }
+
+func TestParseSystemPaths(t *testing.T) {
+	tests := []struct {
+		doc                       string
+		in, out, masked, readonly []string
+	}{
+		{
+			doc: "not set",
+			in:  []string{},
+			out: []string{},
+		},
+		{
+			doc: "not set, preserve other options",
+			in: []string{
+				"seccomp=unconfined",
+				"apparmor=unconfined",
+				"label=user:USER",
+				"foo=bar",
+			},
+			out: []string{
+				"seccomp=unconfined",
+				"apparmor=unconfined",
+				"label=user:USER",
+				"foo=bar",
+			},
+		},
+		{
+			doc:      "unconfined",
+			in:       []string{"systempaths=unconfined"},
+			out:      []string{},
+			masked:   []string{},
+			readonly: []string{},
+		},
+		{
+			doc:      "unconfined and other options",
+			in:       []string{"foo=bar", "bar=baz", "systempaths=unconfined"},
+			out:      []string{"foo=bar", "bar=baz"},
+			masked:   []string{},
+			readonly: []string{},
+		},
+		{
+			doc: "unknown option",
+			in:  []string{"foo=bar", "systempaths=unknown", "bar=baz"},
+			out: []string{"foo=bar", "systempaths=unknown", "bar=baz"},
+		},
+	}
+
+	for _, tc := range tests {
+		securityOpts, maskedPaths, readonlyPaths := parseSystemPaths(tc.in)
+		assert.DeepEqual(t, securityOpts, tc.out)
+		assert.DeepEqual(t, maskedPaths, tc.masked)
+		assert.DeepEqual(t, readonlyPaths, tc.readonly)
+	}
+}
--- a/cli/command/container/prune.go
+++ b/cli/command/container/prune.go
@ -73,6 +73,6 @@ func runPrune(dockerCli command.Cli, options pruneOptions) (spaceReclaimed uint6

 // RunPrune calls the Container Prune API
 // This returns the amount of space reclaimed and a detailed output string
-func RunPrune(dockerCli command.Cli, filter opts.FilterOpt) (uint64, string, error) {
+func RunPrune(dockerCli command.Cli, all bool, filter opts.FilterOpt) (uint64, string, error) {
 	return runPrune(dockerCli, pruneOptions{force: true, filter: filter})
 }
--- a/cli/command/container/run.go
+++ b/cli/command/container/run.go
@ -6,7 +6,6 @@ import (
 	"io"
 	"net/http/httputil"
 	"os"
-	"regexp"
 	"runtime"
 	"strings"
 	"syscall"
@ -68,37 +67,8 @@ func NewRunCommand(dockerCli command.Cli) *cobra.Command {
 	return cmd
 }

-func warnOnOomKillDisable(hostConfig container.HostConfig, stderr io.Writer) {
-	if hostConfig.OomKillDisable != nil && *hostConfig.OomKillDisable && hostConfig.Memory == 0 {
-		fmt.Fprintln(stderr, "WARNING: Disabling the OOM killer on containers without setting a '-m/--memory' limit may be dangerous.")
-	}
-}
-
-// check the DNS settings passed via --dns against localhost regexp to warn if
-// they are trying to set a DNS to a localhost address
-func warnOnLocalhostDNS(hostConfig container.HostConfig, stderr io.Writer) {
-	for _, dnsIP := range hostConfig.DNS {
-		if isLocalhost(dnsIP) {
-			fmt.Fprintf(stderr, "WARNING: Localhost DNS setting (--dns=%s) may fail in containers.\n", dnsIP)
-			return
-		}
-	}
-}
-
-// IPLocalhost is a regex pattern for IPv4 or IPv6 loopback range.
-const ipLocalhost = `((127\.([0-9]{1,3}\.){2}[0-9]{1,3})|(::1)$)`
-
-var localhostIPRegexp = regexp.MustCompile(ipLocalhost)
-
-// IsLocalhost returns true if ip matches the localhost IP regular expression.
-// Used for determining if nameserver settings are being passed which are
-// localhost addresses
-func isLocalhost(ip string) bool {
-	return localhostIPRegexp.MatchString(ip)
-}
-
 func runRun(dockerCli command.Cli, flags *pflag.FlagSet, ropts *runOptions, copts *containerOptions) error {
-	proxyConfig := dockerCli.ConfigFile().ParseProxyConfig(dockerCli.Client().DaemonHost(), copts.env.GetAll())
+	proxyConfig := dockerCli.ConfigFile().ParseProxyConfig(dockerCli.Client().DaemonHost(), opts.ConvertKVStringsToMapWithNil(copts.env.GetAll()))
 	newEnv := []string{}
 	for k, v := range proxyConfig {
 		if v == nil {
@ -108,12 +78,16 @@ func runRun(dockerCli command.Cli, flags *pflag.FlagSet, ropts *runOptions, copt
 		}
 	}
 	copts.env = *opts.NewListOptsRef(&newEnv, nil)
-	containerConfig, err := parse(flags, copts)
+	containerConfig, err := parse(flags, copts, dockerCli.ServerInfo().OSType)
 	// just in case the parse does not exit
 	if err != nil {
 		reportError(dockerCli.Err(), "run", err.Error(), true)
 		return cli.StatusError{StatusCode: 125}
 	}
+	if err = validateAPIVersion(containerConfig, dockerCli.Client().ClientVersion()); err != nil {
+		reportError(dockerCli.Err(), "run", err.Error(), true)
+		return cli.StatusError{StatusCode: 125}
+	}
 	return runContainer(dockerCli, ropts, copts, containerConfig)
 }

@ -124,9 +98,6 @@ func runContainer(dockerCli command.Cli, opts *runOptions, copts *containerOptio
 	stdout, stderr := dockerCli.Out(), dockerCli.Err()
 	client := dockerCli.Client()

-	warnOnOomKillDisable(*hostConfig, stderr)
-	warnOnLocalhostDNS(*hostConfig, stderr)
-
 	config.ArgsEscaped = false

 	if !opts.detach {
--- a/cli/command/container/run_test.go
+++ b/cli/command/container/run_test.go
@ -23,8 +23,7 @@ func TestRunLabel(t *testing.T) {
 		Version: "1.36",
 	})
 	cmd := NewRunCommand(cli)
-	cmd.Flags().Set("detach", "true")
-	cmd.SetArgs([]string{"--label", "foo", "busybox"})
+	cmd.SetArgs([]string{"--detach=true", "--label", "foo", "busybox"})
 	assert.NilError(t, cmd.Execute())
 }

--- a/cli/command/container/stats.go
+++ b/cli/command/container/stats.go
@ -108,7 +108,7 @@ func runStats(dockerCli command.Cli, opts *statsOptions) error {
 			closeChan <- err
 		}
 		for _, container := range cs {
-			s := formatter.NewContainerStats(container.ID[:12])
+			s := NewStats(container.ID[:12])
 			if cStats.add(s) {
 				waitFirst.Add(1)
 				go collect(ctx, s, dockerCli.Client(), !opts.noStream, waitFirst)
@ -125,7 +125,7 @@ func runStats(dockerCli command.Cli, opts *statsOptions) error {
 		eh := command.InitEventHandler()
 		eh.Handle("create", func(e events.Message) {
 			if opts.all {
-				s := formatter.NewContainerStats(e.ID[:12])
+				s := NewStats(e.ID[:12])
 				if cStats.add(s) {
 					waitFirst.Add(1)
 					go collect(ctx, s, dockerCli.Client(), !opts.noStream, waitFirst)
@ -134,7 +134,7 @@ func runStats(dockerCli command.Cli, opts *statsOptions) error {
 		})

 		eh.Handle("start", func(e events.Message) {
-			s := formatter.NewContainerStats(e.ID[:12])
+			s := NewStats(e.ID[:12])
 			if cStats.add(s) {
 				waitFirst.Add(1)
 				go collect(ctx, s, dockerCli.Client(), !opts.noStream, waitFirst)
@ -160,7 +160,7 @@ func runStats(dockerCli command.Cli, opts *statsOptions) error {
 		// Artificially send creation events for the containers we were asked to
 		// monitor (same code path than we use when monitoring all containers).
 		for _, name := range opts.containers {
-			s := formatter.NewContainerStats(name)
+			s := NewStats(name)
 			if cStats.add(s) {
 				waitFirst.Add(1)
 				go collect(ctx, s, dockerCli.Client(), !opts.noStream, waitFirst)
@ -198,7 +198,7 @@ func runStats(dockerCli command.Cli, opts *statsOptions) error {
 	}
 	statsCtx := formatter.Context{
 		Output: dockerCli.Out(),
-		Format: formatter.NewStatsFormat(format, daemonOSType),
+		Format: NewStatsFormat(format, daemonOSType),
 	}
 	cleanScreen := func() {
 		if !opts.noStream {
@ -210,13 +210,13 @@ func runStats(dockerCli command.Cli, opts *statsOptions) error {
 	var err error
 	for range time.Tick(500 * time.Millisecond) {
 		cleanScreen()
-		ccstats := []formatter.StatsEntry{}
+		ccstats := []StatsEntry{}
 		cStats.mu.Lock()
 		for _, c := range cStats.cs {
 			ccstats = append(ccstats, c.GetStatistics())
 		}
 		cStats.mu.Unlock()
-		if err = formatter.ContainerStatsWrite(statsCtx, ccstats, daemonOSType, !opts.noTrunc); err != nil {
+		if err = statsFormatWrite(statsCtx, ccstats, daemonOSType, !opts.noTrunc); err != nil {
 			break
 		}
 		if len(cStats.cs) == 0 && !showAll {
--- a/cli/command/container/stats_helpers.go
+++ b/cli/command/container/stats_helpers.go
@ -4,11 +4,9 @@ import (
 	"context"
 	"encoding/json"
 	"io"
-	"strings"
 	"sync"
 	"time"

-	"github.com/docker/cli/cli/command/formatter"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/client"
 	"github.com/pkg/errors"
@ -17,7 +15,7 @@ import (

 type stats struct {
 	mu sync.Mutex
-	cs []*formatter.ContainerStats
+	cs []*Stats
 }

 // daemonOSType is set once we have at least one stat for a container
@ -25,7 +23,7 @@ type stats struct {
 // on the daemon platform.
 var daemonOSType string

-func (s *stats) add(cs *formatter.ContainerStats) bool {
+func (s *stats) add(cs *Stats) bool {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	if _, exists := s.isKnownContainer(cs.Container); !exists {
@ -52,7 +50,7 @@ func (s *stats) isKnownContainer(cid string) (int, bool) {
 	return -1, false
 }

-func collect(ctx context.Context, s *formatter.ContainerStats, cli client.APIClient, streamStats bool, waitFirst *sync.WaitGroup) {
+func collect(ctx context.Context, s *Stats, cli client.APIClient, streamStats bool, waitFirst *sync.WaitGroup) {
 	logrus.Debugf("collecting stats for %s", s.Container)
 	var (
 		getFirst       bool
@ -115,7 +113,7 @@ func collect(ctx context.Context, s *formatter.ContainerStats, cli client.APICli
 				mem = float64(v.MemoryStats.PrivateWorkingSet)
 			}
 			netRx, netTx := calculateNetwork(v.Networks)
-			s.SetStatistics(formatter.StatsEntry{
+			s.SetStatistics(StatsEntry{
 				Name:             v.Name,
 				ID:               v.ID,
 				CPUPercentage:    cpuPercent,
@ -203,10 +201,13 @@ func calculateCPUPercentWindows(v *types.StatsJSON) float64 {
 func calculateBlockIO(blkio types.BlkioStats) (uint64, uint64) {
 	var blkRead, blkWrite uint64
 	for _, bioEntry := range blkio.IoServiceBytesRecursive {
-		switch strings.ToLower(bioEntry.Op) {
-		case "read":
+		if len(bioEntry.Op) == 0 {
+			continue
+		}
+		switch bioEntry.Op[0] {
+		case 'r', 'R':
 			blkRead = blkRead + bioEntry.Value
-		case "write":
+		case 'w', 'W':
 			blkWrite = blkWrite + bioEntry.Value
 		}
 	}
--- a/cli/command/container/stats_unit_test.go
+++ b/cli/command/container/stats_unit_test.go
@ -11,15 +11,20 @@ func TestCalculateBlockIO(t *testing.T) {
 		IoServiceBytesRecursive: []types.BlkioStatEntry{
 			{Major: 8, Minor: 0, Op: "read", Value: 1234},
 			{Major: 8, Minor: 1, Op: "read", Value: 4567},
+			{Major: 8, Minor: 0, Op: "Read", Value: 6},
+			{Major: 8, Minor: 1, Op: "Read", Value: 8},
 			{Major: 8, Minor: 0, Op: "write", Value: 123},
 			{Major: 8, Minor: 1, Op: "write", Value: 456},
+			{Major: 8, Minor: 0, Op: "Write", Value: 6},
+			{Major: 8, Minor: 1, Op: "Write", Value: 8},
+			{Major: 8, Minor: 1, Op: "", Value: 456},
 		},
 	}
 	blkRead, blkWrite := calculateBlockIO(blkio)
-	if blkRead != 5801 {
-		t.Fatalf("blkRead = %d, want 5801", blkRead)
+	if blkRead != 5815 {
+		t.Fatalf("blkRead = %d, want 5815", blkRead)
 	}
-	if blkWrite != 579 {
-		t.Fatalf("blkWrite = %d, want 579", blkWrite)
+	if blkWrite != 593 {
+		t.Fatalf("blkWrite = %d, want 593", blkWrite)
 	}
 }
--- a/cli/command/container/testdata/container-create-localhost-dns-ipv6.golden
+++ b/cli/command/container/testdata/container-create-localhost-dns-ipv6.golden
@ -0,0 +1 @@
+WARNING: Localhost DNS setting (--dns=::1) may fail in containers.
--- a/cli/command/container/testdata/container-create-localhost-dns.golden
+++ b/cli/command/container/testdata/container-create-localhost-dns.golden
@ -0,0 +1 @@
+WARNING: Localhost DNS setting (--dns=127.0.0.11) may fail in containers.
--- a/cli/command/container/testdata/container-create-oom-kill-true-without-memory-limit.golden
+++ b/cli/command/container/testdata/container-create-oom-kill-true-without-memory-limit.golden
@ -0,0 +1 @@
+WARNING: Disabling the OOM killer on containers without setting a '-m/--memory' limit may be dangerous.
--- a/cli/command/container/testdata/container-create-oom-kill-without-memory-limit.golden
+++ b/cli/command/container/testdata/container-create-oom-kill-without-memory-limit.golden
@ -0,0 +1 @@
+WARNING: Disabling the OOM killer on containers without setting a '-m/--memory' limit may be dangerous.
--- a/cli/command/container/tty.go
+++ b/cli/command/container/tty.go
@ -16,9 +16,9 @@ import (
 )

 // resizeTtyTo resizes tty to specific height and width
-func resizeTtyTo(ctx context.Context, client client.ContainerAPIClient, id string, height, width uint, isExec bool) {
+func resizeTtyTo(ctx context.Context, client client.ContainerAPIClient, id string, height, width uint, isExec bool) error {
 	if height == 0 && width == 0 {
-		return
+		return nil
 	}

 	options := types.ResizeOptions{
@ -34,19 +34,42 @@ func resizeTtyTo(ctx context.Context, client client.ContainerAPIClient, id strin
 	}

 	if err != nil {
-		logrus.Debugf("Error resize: %s", err)
+		logrus.Debugf("Error resize: %s\r", err)
+	}
+	return err
+}
+
+// resizeTty is to resize the tty with cli out's tty size
+func resizeTty(ctx context.Context, cli command.Cli, id string, isExec bool) error {
+	height, width := cli.Out().GetTtySize()
+	return resizeTtyTo(ctx, cli.Client(), id, height, width, isExec)
+}
+
+// initTtySize is to init the tty's size to the same as the window, if there is an error, it will retry 5 times.
+func initTtySize(ctx context.Context, cli command.Cli, id string, isExec bool, resizeTtyFunc func(ctx context.Context, cli command.Cli, id string, isExec bool) error) {
+	rttyFunc := resizeTtyFunc
+	if rttyFunc == nil {
+		rttyFunc = resizeTty
+	}
+	if err := rttyFunc(ctx, cli, id, isExec); err != nil {
+		go func() {
+			var err error
+			for retry := 0; retry < 5; retry++ {
+				time.Sleep(10 * time.Millisecond)
+				if err = rttyFunc(ctx, cli, id, isExec); err == nil {
+					break
+				}
+			}
+			if err != nil {
+				fmt.Fprintln(cli.Err(), "failed to resize tty, using default size")
+			}
+		}()
 	}
 }

 // MonitorTtySize updates the container tty size when the terminal tty changes size
 func MonitorTtySize(ctx context.Context, cli command.Cli, id string, isExec bool) error {
-	resizeTty := func() {
-		height, width := cli.Out().GetTtySize()
-		resizeTtyTo(ctx, cli.Client(), id, height, width, isExec)
-	}
-
-	resizeTty()
-
+	initTtySize(ctx, cli, id, isExec, resizeTty)
 	if runtime.GOOS == "windows" {
 		go func() {
 			prevH, prevW := cli.Out().GetTtySize()
@ -55,7 +78,7 @@ func MonitorTtySize(ctx context.Context, cli command.Cli, id string, isExec bool
 				h, w := cli.Out().GetTtySize()

 				if prevW != w || prevH != h {
-					resizeTty()
+					resizeTty(ctx, cli, id, isExec)
 				}
 				prevH = h
 				prevW = w
@ -66,7 +89,7 @@ func MonitorTtySize(ctx context.Context, cli command.Cli, id string, isExec bool
 		gosignal.Notify(sigchan, signal.SIGWINCH)
 		go func() {
 			for range sigchan {
-				resizeTty()
+				resizeTty(ctx, cli, id, isExec)
 			}
 		}()
 	}
--- a/cli/command/container/tty_test.go
+++ b/cli/command/container/tty_test.go
@ -0,0 +1,30 @@
+package container
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestInitTtySizeErrors(t *testing.T) {
+	expectedError := "failed to resize tty, using default size\n"
+	fakeContainerExecResizeFunc := func(id string, options types.ResizeOptions) error {
+		return errors.Errorf("Error response from daemon: no such exec")
+	}
+	fakeResizeTtyFunc := func(ctx context.Context, cli command.Cli, id string, isExec bool) error {
+		height, width := uint(1024), uint(768)
+		return resizeTtyTo(ctx, cli.Client(), id, height, width, isExec)
+	}
+	ctx := context.Background()
+	cli := test.NewFakeCli(&fakeClient{containerExecResizeFunc: fakeContainerExecResizeFunc})
+	initTtySize(ctx, cli, "8mm8nn8tt8bb", true, fakeResizeTtyFunc)
+	time.Sleep(100 * time.Millisecond)
+	assert.Check(t, is.Equal(expectedError, cli.ErrBuffer().String()))
+}
--- a/cli/command/container/update.go
+++ b/cli/command/container/update.go
@ -27,6 +27,7 @@ type updateOptions struct {
 	memorySwap         opts.MemSwapBytes
 	kernelMemory       opts.MemBytes
 	restartPolicy      string
+	pidsLimit          int64
 	cpus               opts.NanoCPUs

 	nFlag int
@ -65,6 +66,8 @@ func NewUpdateCommand(dockerCli command.Cli) *cobra.Command {
 	flags.Var(&options.memorySwap, "memory-swap", "Swap limit equal to memory plus swap: '-1' to enable unlimited swap")
 	flags.Var(&options.kernelMemory, "kernel-memory", "Kernel memory limit")
 	flags.StringVar(&options.restartPolicy, "restart", "", "Restart policy to apply when a container exits")
+	flags.Int64Var(&options.pidsLimit, "pids-limit", 0, "Tune container pids limit (set -1 for unlimited)")
+	flags.SetAnnotation("pids-limit", "version", []string{"1.40"})

 	flags.Var(&options.cpus, "cpus", "Number of CPUs")
 	flags.SetAnnotation("cpus", "version", []string{"1.29"})
@ -103,6 +106,10 @@ func runUpdate(dockerCli command.Cli, options *updateOptions) error {
 		NanoCPUs:           options.cpus.Value(),
 	}

+	if options.pidsLimit != 0 {
+		resources.PidsLimit = &options.pidsLimit
+	}
+
 	updateConfig := containertypes.UpdateConfig{
 		Resources:     resources,
 		RestartPolicy: restartPolicy,
--- a/cli/command/context.go
+++ b/cli/command/context.go
@ -0,0 +1,27 @@
+package command
+
+import (
+	"errors"
+
+	"github.com/docker/cli/cli/context/store"
+)
+
+// DockerContext is a typed representation of what we put in Context metadata
+type DockerContext struct {
+	Description       string       `json:",omitempty"`
+	StackOrchestrator Orchestrator `json:",omitempty"`
+}
+
+// GetDockerContext extracts metadata from stored context metadata
+func GetDockerContext(storeMetadata store.Metadata) (DockerContext, error) {
+	if storeMetadata.Metadata == nil {
+		// can happen if we save endpoints before assigning a context metadata
+		// it is totally valid, and we should return a default initialized value
+		return DockerContext{}, nil
+	}
+	res, ok := storeMetadata.Metadata.(DockerContext)
+	if !ok {
+		return DockerContext{}, errors.New("context metadata is not a valid DockerContext")
+	}
+	return res, nil
+}
--- a/cli/command/context/cmd.go
+++ b/cli/command/context/cmd.go
@ -0,0 +1,49 @@
+package context
+
+import (
+	"errors"
+	"fmt"
+	"regexp"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/spf13/cobra"
+)
+
+// NewContextCommand returns the context cli subcommand
+func NewContextCommand(dockerCli command.Cli) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "context",
+		Short: "Manage contexts",
+		Args:  cli.NoArgs,
+		RunE:  command.ShowHelp(dockerCli.Err()),
+	}
+	cmd.AddCommand(
+		newCreateCommand(dockerCli),
+		newListCommand(dockerCli),
+		newUseCommand(dockerCli),
+		newExportCommand(dockerCli),
+		newImportCommand(dockerCli),
+		newRemoveCommand(dockerCli),
+		newUpdateCommand(dockerCli),
+		newInspectCommand(dockerCli),
+	)
+	return cmd
+}
+
+const restrictedNamePattern = "^[a-zA-Z0-9][a-zA-Z0-9_.+-]+$"
+
+var restrictedNameRegEx = regexp.MustCompile(restrictedNamePattern)
+
+func validateContextName(name string) error {
+	if name == "" {
+		return errors.New("context name cannot be empty")
+	}
+	if name == "default" {
+		return errors.New(`"default" is a reserved context name`)
+	}
+	if !restrictedNameRegEx.MatchString(name) {
+		return fmt.Errorf("context name %q is invalid, names are validated against regexp %q", name, restrictedNamePattern)
+	}
+	return nil
+}
--- a/cli/command/context/create.go
+++ b/cli/command/context/create.go
@ -0,0 +1,199 @@
+package context
+
+import (
+	"bytes"
+	"fmt"
+	"text/tabwriter"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/context/docker"
+	"github.com/docker/cli/cli/context/kubernetes"
+	"github.com/docker/cli/cli/context/store"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+// CreateOptions are the options used for creating a context
+type CreateOptions struct {
+	Name                     string
+	Description              string
+	DefaultStackOrchestrator string
+	Docker                   map[string]string
+	Kubernetes               map[string]string
+	From                     string
+}
+
+func longCreateDescription() string {
+	buf := bytes.NewBuffer(nil)
+	buf.WriteString("Create a context\n\nDocker endpoint config:\n\n")
+	tw := tabwriter.NewWriter(buf, 20, 1, 3, ' ', 0)
+	fmt.Fprintln(tw, "NAME\tDESCRIPTION")
+	for _, d := range dockerConfigKeysDescriptions {
+		fmt.Fprintf(tw, "%s\t%s\n", d.name, d.description)
+	}
+	tw.Flush()
+	buf.WriteString("\nKubernetes endpoint config:\n\n")
+	tw = tabwriter.NewWriter(buf, 20, 1, 3, ' ', 0)
+	fmt.Fprintln(tw, "NAME\tDESCRIPTION")
+	for _, d := range kubernetesConfigKeysDescriptions {
+		fmt.Fprintf(tw, "%s\t%s\n", d.name, d.description)
+	}
+	tw.Flush()
+	buf.WriteString("\nExample:\n\n$ docker context create my-context --description \"some description\" --docker \"host=tcp://myserver:2376,ca=~/ca-file,cert=~/cert-file,key=~/key-file\"\n")
+	return buf.String()
+}
+
+func newCreateCommand(dockerCli command.Cli) *cobra.Command {
+	opts := &CreateOptions{}
+	cmd := &cobra.Command{
+		Use:   "create [OPTIONS] CONTEXT",
+		Short: "Create a context",
+		Args:  cli.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.Name = args[0]
+			return RunCreate(dockerCli, opts)
+		},
+		Long: longCreateDescription(),
+	}
+	flags := cmd.Flags()
+	flags.StringVar(&opts.Description, "description", "", "Description of the context")
+	flags.StringVar(
+		&opts.DefaultStackOrchestrator,
+		"default-stack-orchestrator", "",
+		"Default orchestrator for stack operations to use with this context (swarm|kubernetes|all)")
+	flags.StringToStringVar(&opts.Docker, "docker", nil, "set the docker endpoint")
+	flags.StringToStringVar(&opts.Kubernetes, "kubernetes", nil, "set the kubernetes endpoint")
+	flags.StringVar(&opts.From, "from", "", "create context from a named context")
+	return cmd
+}
+
+// RunCreate creates a Docker context
+func RunCreate(cli command.Cli, o *CreateOptions) error {
+	s := cli.ContextStore()
+	if err := checkContextNameForCreation(s, o.Name); err != nil {
+		return err
+	}
+	stackOrchestrator, err := command.NormalizeOrchestrator(o.DefaultStackOrchestrator)
+	if err != nil {
+		return errors.Wrap(err, "unable to parse default-stack-orchestrator")
+	}
+	switch {
+	case o.From == "" && o.Docker == nil && o.Kubernetes == nil:
+		err = createFromExistingContext(s, cli.CurrentContext(), stackOrchestrator, o)
+	case o.From != "":
+		err = createFromExistingContext(s, o.From, stackOrchestrator, o)
+	default:
+		err = createNewContext(o, stackOrchestrator, cli, s)
+	}
+	if err == nil {
+		fmt.Fprintln(cli.Out(), o.Name)
+		fmt.Fprintf(cli.Err(), "Successfully created context %q\n", o.Name)
+	}
+	return err
+}
+
+func createNewContext(o *CreateOptions, stackOrchestrator command.Orchestrator, cli command.Cli, s store.Writer) error {
+	if o.Docker == nil {
+		return errors.New("docker endpoint configuration is required")
+	}
+	contextMetadata := newContextMetadata(stackOrchestrator, o)
+	contextTLSData := store.ContextTLSData{
+		Endpoints: make(map[string]store.EndpointTLSData),
+	}
+	dockerEP, dockerTLS, err := getDockerEndpointMetadataAndTLS(cli, o.Docker)
+	if err != nil {
+		return errors.Wrap(err, "unable to create docker endpoint config")
+	}
+	contextMetadata.Endpoints[docker.DockerEndpoint] = dockerEP
+	if dockerTLS != nil {
+		contextTLSData.Endpoints[docker.DockerEndpoint] = *dockerTLS
+	}
+	if o.Kubernetes != nil {
+		kubernetesEP, kubernetesTLS, err := getKubernetesEndpointMetadataAndTLS(cli, o.Kubernetes)
+		if err != nil {
+			return errors.Wrap(err, "unable to create kubernetes endpoint config")
+		}
+		if kubernetesEP == nil && stackOrchestrator.HasKubernetes() {
+			return errors.Errorf("cannot specify orchestrator %q without configuring a Kubernetes endpoint", stackOrchestrator)
+		}
+		if kubernetesEP != nil {
+			contextMetadata.Endpoints[kubernetes.KubernetesEndpoint] = kubernetesEP
+		}
+		if kubernetesTLS != nil {
+			contextTLSData.Endpoints[kubernetes.KubernetesEndpoint] = *kubernetesTLS
+		}
+	}
+	if err := validateEndpointsAndOrchestrator(contextMetadata); err != nil {
+		return err
+	}
+	if err := s.CreateOrUpdate(contextMetadata); err != nil {
+		return err
+	}
+	if err := s.ResetTLSMaterial(o.Name, &contextTLSData); err != nil {
+		return err
+	}
+	return nil
+}
+
+func checkContextNameForCreation(s store.Reader, name string) error {
+	if err := validateContextName(name); err != nil {
+		return err
+	}
+	if _, err := s.GetMetadata(name); !store.IsErrContextDoesNotExist(err) {
+		if err != nil {
+			return errors.Wrap(err, "error while getting existing contexts")
+		}
+		return errors.Errorf("context %q already exists", name)
+	}
+	return nil
+}
+
+func createFromExistingContext(s store.ReaderWriter, fromContextName string, stackOrchestrator command.Orchestrator, o *CreateOptions) error {
+	if len(o.Docker) != 0 || len(o.Kubernetes) != 0 {
+		return errors.New("cannot use --docker or --kubernetes flags when --from is set")
+	}
+	reader := store.Export(fromContextName, &descriptionAndOrchestratorStoreDecorator{
+		Reader:       s,
+		description:  o.Description,
+		orchestrator: stackOrchestrator,
+	})
+	defer reader.Close()
+	return store.Import(o.Name, s, reader)
+}
+
+type descriptionAndOrchestratorStoreDecorator struct {
+	store.Reader
+	description  string
+	orchestrator command.Orchestrator
+}
+
+func (d *descriptionAndOrchestratorStoreDecorator) GetMetadata(name string) (store.Metadata, error) {
+	c, err := d.Reader.GetMetadata(name)
+	if err != nil {
+		return c, err
+	}
+	typedContext, err := command.GetDockerContext(c)
+	if err != nil {
+		return c, err
+	}
+	if d.description != "" {
+		typedContext.Description = d.description
+	}
+	if d.orchestrator != command.Orchestrator("") {
+		typedContext.StackOrchestrator = d.orchestrator
+	}
+	c.Metadata = typedContext
+	return c, nil
+}
+
+func newContextMetadata(stackOrchestrator command.Orchestrator, o *CreateOptions) store.Metadata {
+	return store.Metadata{
+		Endpoints: make(map[string]interface{}),
+		Metadata: command.DockerContext{
+			Description:       o.Description,
+			StackOrchestrator: stackOrchestrator,
+		},
+		Name: o.Name,
+	}
+}
--- a/cli/command/context/create_test.go
+++ b/cli/command/context/create_test.go
@ -0,0 +1,365 @@
+package context
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"testing"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/config/configfile"
+	"github.com/docker/cli/cli/context/docker"
+	"github.com/docker/cli/cli/context/kubernetes"
+	"github.com/docker/cli/cli/context/store"
+	"github.com/docker/cli/internal/test"
+	"gotest.tools/assert"
+	"gotest.tools/env"
+)
+
+func makeFakeCli(t *testing.T, opts ...func(*test.FakeCli)) (*test.FakeCli, func()) {
+	dir, err := ioutil.TempDir("", t.Name())
+	assert.NilError(t, err)
+	storeConfig := store.NewConfig(
+		func() interface{} { return &command.DockerContext{} },
+		store.EndpointTypeGetter(docker.DockerEndpoint, func() interface{} { return &docker.EndpointMeta{} }),
+		store.EndpointTypeGetter(kubernetes.KubernetesEndpoint, func() interface{} { return &kubernetes.EndpointMeta{} }),
+	)
+	store := &command.ContextStoreWithDefault{
+		Store: store.New(dir, storeConfig),
+		Resolver: func() (*command.DefaultContext, error) {
+			return &command.DefaultContext{
+				Meta: store.Metadata{
+					Endpoints: map[string]interface{}{
+						docker.DockerEndpoint: docker.EndpointMeta{
+							Host: "unix:///var/run/docker.sock",
+						},
+					},
+					Metadata: command.DockerContext{
+						Description:       "",
+						StackOrchestrator: command.OrchestratorSwarm,
+					},
+					Name: command.DefaultContextName,
+				},
+				TLS: store.ContextTLSData{},
+			}, nil
+		},
+	}
+	cleanup := func() {
+		os.RemoveAll(dir)
+	}
+	result := test.NewFakeCli(nil, opts...)
+	for _, o := range opts {
+		o(result)
+	}
+	result.SetContextStore(store)
+	return result, cleanup
+}
+
+func withCliConfig(configFile *configfile.ConfigFile) func(*test.FakeCli) {
+	return func(m *test.FakeCli) {
+		m.SetConfigFile(configFile)
+	}
+}
+
+func TestCreateInvalids(t *testing.T) {
+	cli, cleanup := makeFakeCli(t)
+	defer cleanup()
+	assert.NilError(t, cli.ContextStore().CreateOrUpdate(store.Metadata{Name: "existing-context"}))
+	tests := []struct {
+		options     CreateOptions
+		expecterErr string
+	}{
+		{
+			expecterErr: `context name cannot be empty`,
+		},
+		{
+			options: CreateOptions{
+				Name: "default",
+			},
+			expecterErr: `"default" is a reserved context name`,
+		},
+		{
+			options: CreateOptions{
+				Name: " ",
+			},
+			expecterErr: `context name " " is invalid`,
+		},
+		{
+			options: CreateOptions{
+				Name: "existing-context",
+			},
+			expecterErr: `context "existing-context" already exists`,
+		},
+		{
+			options: CreateOptions{
+				Name: "invalid-docker-host",
+				Docker: map[string]string{
+					keyHost: "some///invalid/host",
+				},
+			},
+			expecterErr: `unable to parse docker host`,
+		},
+		{
+			options: CreateOptions{
+				Name:                     "invalid-orchestrator",
+				DefaultStackOrchestrator: "invalid",
+			},
+			expecterErr: `specified orchestrator "invalid" is invalid, please use either kubernetes, swarm or all`,
+		},
+		{
+			options: CreateOptions{
+				Name:                     "orchestrator-kubernetes-no-endpoint",
+				DefaultStackOrchestrator: "kubernetes",
+				Docker:                   map[string]string{},
+			},
+			expecterErr: `cannot specify orchestrator "kubernetes" without configuring a Kubernetes endpoint`,
+		},
+		{
+			options: CreateOptions{
+				Name:                     "orchestrator-all-no-endpoint",
+				DefaultStackOrchestrator: "all",
+				Docker:                   map[string]string{},
+			},
+			expecterErr: `cannot specify orchestrator "all" without configuring a Kubernetes endpoint`,
+		},
+	}
+	for _, tc := range tests {
+		tc := tc
+		t.Run(tc.options.Name, func(t *testing.T) {
+			err := RunCreate(cli, &tc.options)
+			assert.ErrorContains(t, err, tc.expecterErr)
+		})
+	}
+}
+
+func assertContextCreateLogging(t *testing.T, cli *test.FakeCli, n string) {
+	assert.Equal(t, n+"\n", cli.OutBuffer().String())
+	assert.Equal(t, fmt.Sprintf("Successfully created context %q\n", n), cli.ErrBuffer().String())
+}
+
+func TestCreateOrchestratorSwarm(t *testing.T) {
+	cli, cleanup := makeFakeCli(t)
+	defer cleanup()
+
+	err := RunCreate(cli, &CreateOptions{
+		Name:                     "test",
+		DefaultStackOrchestrator: "swarm",
+		Docker:                   map[string]string{},
+	})
+	assert.NilError(t, err)
+	assertContextCreateLogging(t, cli, "test")
+}
+
+func TestCreateOrchestratorEmpty(t *testing.T) {
+	cli, cleanup := makeFakeCli(t)
+	defer cleanup()
+
+	err := RunCreate(cli, &CreateOptions{
+		Name:   "test",
+		Docker: map[string]string{},
+	})
+	assert.NilError(t, err)
+	assertContextCreateLogging(t, cli, "test")
+}
+
+func validateTestKubeEndpoint(t *testing.T, s store.Reader, name string) {
+	t.Helper()
+	ctxMetadata, err := s.GetMetadata(name)
+	assert.NilError(t, err)
+	kubeMeta := ctxMetadata.Endpoints[kubernetes.KubernetesEndpoint].(kubernetes.EndpointMeta)
+	kubeEP, err := kubeMeta.WithTLSData(s, name)
+	assert.NilError(t, err)
+	assert.Equal(t, "https://someserver", kubeEP.Host)
+	assert.Equal(t, "the-ca", string(kubeEP.TLSData.CA))
+	assert.Equal(t, "the-cert", string(kubeEP.TLSData.Cert))
+	assert.Equal(t, "the-key", string(kubeEP.TLSData.Key))
+}
+
+func createTestContextWithKube(t *testing.T, cli command.Cli) {
+	t.Helper()
+	revert := env.Patch(t, "KUBECONFIG", "./testdata/test-kubeconfig")
+	defer revert()
+
+	err := RunCreate(cli, &CreateOptions{
+		Name:                     "test",
+		DefaultStackOrchestrator: "all",
+		Kubernetes: map[string]string{
+			keyFrom: "default",
+		},
+		Docker: map[string]string{},
+	})
+	assert.NilError(t, err)
+}
+
+func TestCreateOrchestratorAllKubernetesEndpointFromCurrent(t *testing.T) {
+	cli, cleanup := makeFakeCli(t)
+	defer cleanup()
+	createTestContextWithKube(t, cli)
+	assertContextCreateLogging(t, cli, "test")
+	validateTestKubeEndpoint(t, cli.ContextStore(), "test")
+}
+
+func TestCreateFromContext(t *testing.T) {
+	cases := []struct {
+		name                 string
+		description          string
+		orchestrator         string
+		expectedDescription  string
+		docker               map[string]string
+		kubernetes           map[string]string
+		expectedOrchestrator command.Orchestrator
+	}{
+		{
+			name:                 "no-override",
+			expectedDescription:  "original description",
+			expectedOrchestrator: command.OrchestratorSwarm,
+		},
+		{
+			name:                 "override-description",
+			description:          "new description",
+			expectedDescription:  "new description",
+			expectedOrchestrator: command.OrchestratorSwarm,
+		},
+		{
+			name:                 "override-orchestrator",
+			orchestrator:         "kubernetes",
+			expectedDescription:  "original description",
+			expectedOrchestrator: command.OrchestratorKubernetes,
+		},
+	}
+
+	cli, cleanup := makeFakeCli(t)
+	defer cleanup()
+	revert := env.Patch(t, "KUBECONFIG", "./testdata/test-kubeconfig")
+	defer revert()
+	cli.ResetOutputBuffers()
+	assert.NilError(t, RunCreate(cli, &CreateOptions{
+		Name:        "original",
+		Description: "original description",
+		Docker: map[string]string{
+			keyHost: "tcp://42.42.42.42:2375",
+		},
+		Kubernetes: map[string]string{
+			keyFrom: "default",
+		},
+		DefaultStackOrchestrator: "swarm",
+	}))
+	assertContextCreateLogging(t, cli, "original")
+
+	cli.ResetOutputBuffers()
+	assert.NilError(t, RunCreate(cli, &CreateOptions{
+		Name:        "dummy",
+		Description: "dummy description",
+		Docker: map[string]string{
+			keyHost: "tcp://24.24.24.24:2375",
+		},
+		Kubernetes: map[string]string{
+			keyFrom: "default",
+		},
+		DefaultStackOrchestrator: "swarm",
+	}))
+	assertContextCreateLogging(t, cli, "dummy")
+
+	cli.SetCurrentContext("dummy")
+
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			cli.ResetOutputBuffers()
+			err := RunCreate(cli, &CreateOptions{
+				From:                     "original",
+				Name:                     c.name,
+				Description:              c.description,
+				DefaultStackOrchestrator: c.orchestrator,
+				Docker:                   c.docker,
+				Kubernetes:               c.kubernetes,
+			})
+			assert.NilError(t, err)
+			assertContextCreateLogging(t, cli, c.name)
+			newContext, err := cli.ContextStore().GetMetadata(c.name)
+			assert.NilError(t, err)
+			newContextTyped, err := command.GetDockerContext(newContext)
+			assert.NilError(t, err)
+			dockerEndpoint, err := docker.EndpointFromContext(newContext)
+			assert.NilError(t, err)
+			kubeEndpoint := kubernetes.EndpointFromContext(newContext)
+			assert.Check(t, kubeEndpoint != nil)
+			assert.Equal(t, newContextTyped.Description, c.expectedDescription)
+			assert.Equal(t, newContextTyped.StackOrchestrator, c.expectedOrchestrator)
+			assert.Equal(t, dockerEndpoint.Host, "tcp://42.42.42.42:2375")
+			assert.Equal(t, kubeEndpoint.Host, "https://someserver")
+		})
+	}
+}
+
+func TestCreateFromCurrent(t *testing.T) {
+	cases := []struct {
+		name                 string
+		description          string
+		orchestrator         string
+		expectedDescription  string
+		expectedOrchestrator command.Orchestrator
+	}{
+		{
+			name:                 "no-override",
+			expectedDescription:  "original description",
+			expectedOrchestrator: command.OrchestratorSwarm,
+		},
+		{
+			name:                 "override-description",
+			description:          "new description",
+			expectedDescription:  "new description",
+			expectedOrchestrator: command.OrchestratorSwarm,
+		},
+		{
+			name:                 "override-orchestrator",
+			orchestrator:         "kubernetes",
+			expectedDescription:  "original description",
+			expectedOrchestrator: command.OrchestratorKubernetes,
+		},
+	}
+
+	cli, cleanup := makeFakeCli(t)
+	defer cleanup()
+	revert := env.Patch(t, "KUBECONFIG", "./testdata/test-kubeconfig")
+	defer revert()
+	cli.ResetOutputBuffers()
+	assert.NilError(t, RunCreate(cli, &CreateOptions{
+		Name:        "original",
+		Description: "original description",
+		Docker: map[string]string{
+			keyHost: "tcp://42.42.42.42:2375",
+		},
+		Kubernetes: map[string]string{
+			keyFrom: "default",
+		},
+		DefaultStackOrchestrator: "swarm",
+	}))
+	assertContextCreateLogging(t, cli, "original")
+
+	cli.SetCurrentContext("original")
+
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			cli.ResetOutputBuffers()
+			err := RunCreate(cli, &CreateOptions{
+				Name:                     c.name,
+				Description:              c.description,
+				DefaultStackOrchestrator: c.orchestrator,
+			})
+			assert.NilError(t, err)
+			assertContextCreateLogging(t, cli, c.name)
+			newContext, err := cli.ContextStore().GetMetadata(c.name)
+			assert.NilError(t, err)
+			newContextTyped, err := command.GetDockerContext(newContext)
+			assert.NilError(t, err)
+			dockerEndpoint, err := docker.EndpointFromContext(newContext)
+			assert.NilError(t, err)
+			kubeEndpoint := kubernetes.EndpointFromContext(newContext)
+			assert.Check(t, kubeEndpoint != nil)
+			assert.Equal(t, newContextTyped.Description, c.expectedDescription)
+			assert.Equal(t, newContextTyped.StackOrchestrator, c.expectedOrchestrator)
+			assert.Equal(t, dockerEndpoint.Host, "tcp://42.42.42.42:2375")
+			assert.Equal(t, kubeEndpoint.Host, "https://someserver")
+		})
+	}
+}
--- a/cli/command/context/export-import_test.go
+++ b/cli/command/context/export-import_test.go
@ -0,0 +1,110 @@
+package context
+
+import (
+	"bytes"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/docker/cli/cli/streams"
+	"gotest.tools/assert"
+)
+
+func TestExportImportWithFile(t *testing.T) {
+	contextDir, err := ioutil.TempDir("", t.Name()+"context")
+	assert.NilError(t, err)
+	defer os.RemoveAll(contextDir)
+	contextFile := filepath.Join(contextDir, "exported")
+	cli, cleanup := makeFakeCli(t)
+	defer cleanup()
+	createTestContextWithKube(t, cli)
+	cli.ErrBuffer().Reset()
+	assert.NilError(t, RunExport(cli, &ExportOptions{
+		ContextName: "test",
+		Dest:        contextFile,
+	}))
+	assert.Equal(t, cli.ErrBuffer().String(), fmt.Sprintf("Written file %q\n", contextFile))
+	cli.OutBuffer().Reset()
+	cli.ErrBuffer().Reset()
+	assert.NilError(t, RunImport(cli, "test2", contextFile))
+	context1, err := cli.ContextStore().GetMetadata("test")
+	assert.NilError(t, err)
+	context2, err := cli.ContextStore().GetMetadata("test2")
+	assert.NilError(t, err)
+	assert.DeepEqual(t, context1.Endpoints, context2.Endpoints)
+	assert.DeepEqual(t, context1.Metadata, context2.Metadata)
+	assert.Equal(t, "test", context1.Name)
+	assert.Equal(t, "test2", context2.Name)
+
+	assert.Equal(t, "test2\n", cli.OutBuffer().String())
+	assert.Equal(t, "Successfully imported context \"test2\"\n", cli.ErrBuffer().String())
+}
+
+func TestExportImportPipe(t *testing.T) {
+	cli, cleanup := makeFakeCli(t)
+	defer cleanup()
+	createTestContextWithKube(t, cli)
+	cli.ErrBuffer().Reset()
+	cli.OutBuffer().Reset()
+	assert.NilError(t, RunExport(cli, &ExportOptions{
+		ContextName: "test",
+		Dest:        "-",
+	}))
+	assert.Equal(t, cli.ErrBuffer().String(), "")
+	cli.SetIn(streams.NewIn(ioutil.NopCloser(bytes.NewBuffer(cli.OutBuffer().Bytes()))))
+	cli.OutBuffer().Reset()
+	cli.ErrBuffer().Reset()
+	assert.NilError(t, RunImport(cli, "test2", "-"))
+	context1, err := cli.ContextStore().GetMetadata("test")
+	assert.NilError(t, err)
+	context2, err := cli.ContextStore().GetMetadata("test2")
+	assert.NilError(t, err)
+	assert.DeepEqual(t, context1.Endpoints, context2.Endpoints)
+	assert.DeepEqual(t, context1.Metadata, context2.Metadata)
+	assert.Equal(t, "test", context1.Name)
+	assert.Equal(t, "test2", context2.Name)
+
+	assert.Equal(t, "test2\n", cli.OutBuffer().String())
+	assert.Equal(t, "Successfully imported context \"test2\"\n", cli.ErrBuffer().String())
+}
+
+func TestExportKubeconfig(t *testing.T) {
+	contextDir, err := ioutil.TempDir("", t.Name()+"context")
+	assert.NilError(t, err)
+	defer os.RemoveAll(contextDir)
+	contextFile := filepath.Join(contextDir, "exported")
+	cli, cleanup := makeFakeCli(t)
+	defer cleanup()
+	createTestContextWithKube(t, cli)
+	cli.ErrBuffer().Reset()
+	assert.NilError(t, RunExport(cli, &ExportOptions{
+		ContextName: "test",
+		Dest:        contextFile,
+		Kubeconfig:  true,
+	}))
+	assert.Equal(t, cli.ErrBuffer().String(), fmt.Sprintf("Written file %q\n", contextFile))
+	assert.NilError(t, RunCreate(cli, &CreateOptions{
+		Name: "test2",
+		Kubernetes: map[string]string{
+			keyKubeconfig: contextFile,
+		},
+		Docker: map[string]string{},
+	}))
+	validateTestKubeEndpoint(t, cli.ContextStore(), "test2")
+}
+
+func TestExportExistingFile(t *testing.T) {
+	contextDir, err := ioutil.TempDir("", t.Name()+"context")
+	assert.NilError(t, err)
+	defer os.RemoveAll(contextDir)
+	contextFile := filepath.Join(contextDir, "exported")
+	cli, cleanup := makeFakeCli(t)
+	defer cleanup()
+	createTestContextWithKube(t, cli)
+	cli.ErrBuffer().Reset()
+	assert.NilError(t, ioutil.WriteFile(contextFile, []byte{}, 0644))
+	err = RunExport(cli, &ExportOptions{ContextName: "test", Dest: contextFile})
+	assert.Assert(t, os.IsExist(err))
+}
--- a/cli/command/context/export.go
+++ b/cli/command/context/export.go
@ -0,0 +1,110 @@
+package context
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/context/kubernetes"
+	"github.com/docker/cli/cli/context/store"
+	"github.com/spf13/cobra"
+	"k8s.io/client-go/tools/clientcmd"
+)
+
+// ExportOptions are the options used for exporting a context
+type ExportOptions struct {
+	Kubeconfig  bool
+	ContextName string
+	Dest        string
+}
+
+func newExportCommand(dockerCli command.Cli) *cobra.Command {
+	opts := &ExportOptions{}
+	cmd := &cobra.Command{
+		Use:   "export [OPTIONS] CONTEXT [FILE|-]",
+		Short: "Export a context to a tar or kubeconfig file",
+		Args:  cli.RequiresRangeArgs(1, 2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.ContextName = args[0]
+			if len(args) == 2 {
+				opts.Dest = args[1]
+			} else {
+				opts.Dest = opts.ContextName
+				if opts.Kubeconfig {
+					opts.Dest += ".kubeconfig"
+				} else {
+					opts.Dest += ".dockercontext"
+				}
+			}
+			return RunExport(dockerCli, opts)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.BoolVar(&opts.Kubeconfig, "kubeconfig", false, "Export as a kubeconfig file")
+	return cmd
+}
+
+func writeTo(dockerCli command.Cli, reader io.Reader, dest string) error {
+	var writer io.Writer
+	var printDest bool
+	if dest == "-" {
+		if dockerCli.Out().IsTerminal() {
+			return errors.New("cowardly refusing to export to a terminal, please specify a file path")
+		}
+		writer = dockerCli.Out()
+	} else {
+		f, err := os.OpenFile(dest, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0600)
+		if err != nil {
+			return err
+		}
+		defer f.Close()
+		writer = f
+		printDest = true
+	}
+	if _, err := io.Copy(writer, reader); err != nil {
+		return err
+	}
+	if printDest {
+		fmt.Fprintf(dockerCli.Err(), "Written file %q\n", dest)
+	}
+	return nil
+}
+
+// RunExport exports a Docker context
+func RunExport(dockerCli command.Cli, opts *ExportOptions) error {
+	if err := validateContextName(opts.ContextName); err != nil && opts.ContextName != command.DefaultContextName {
+		return err
+	}
+	ctxMeta, err := dockerCli.ContextStore().GetMetadata(opts.ContextName)
+	if err != nil {
+		return err
+	}
+	if !opts.Kubeconfig {
+		reader := store.Export(opts.ContextName, dockerCli.ContextStore())
+		defer reader.Close()
+		return writeTo(dockerCli, reader, opts.Dest)
+	}
+	kubernetesEndpointMeta := kubernetes.EndpointFromContext(ctxMeta)
+	if kubernetesEndpointMeta == nil {
+		return fmt.Errorf("context %q has no kubernetes endpoint", opts.ContextName)
+	}
+	kubernetesEndpoint, err := kubernetesEndpointMeta.WithTLSData(dockerCli.ContextStore(), opts.ContextName)
+	if err != nil {
+		return err
+	}
+	kubeConfig := kubernetesEndpoint.KubernetesConfig()
+	rawCfg, err := kubeConfig.RawConfig()
+	if err != nil {
+		return err
+	}
+	data, err := clientcmd.Write(rawCfg)
+	if err != nil {
+		return err
+	}
+	return writeTo(dockerCli, bytes.NewBuffer(data), opts.Dest)
+}
--- a/cli/command/context/import.go
+++ b/cli/command/context/import.go
@ -0,0 +1,51 @@
+package context
+
+import (
+	"fmt"
+	"io"
+	"os"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/context/store"
+	"github.com/spf13/cobra"
+)
+
+func newImportCommand(dockerCli command.Cli) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "import CONTEXT FILE|-",
+		Short: "Import a context from a tar or zip file",
+		Args:  cli.ExactArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return RunImport(dockerCli, args[0], args[1])
+		},
+	}
+	return cmd
+}
+
+// RunImport imports a Docker context
+func RunImport(dockerCli command.Cli, name string, source string) error {
+	if err := checkContextNameForCreation(dockerCli.ContextStore(), name); err != nil {
+		return err
+	}
+
+	var reader io.Reader
+	if source == "-" {
+		reader = dockerCli.In()
+	} else {
+		f, err := os.Open(source)
+		if err != nil {
+			return err
+		}
+		defer f.Close()
+		reader = f
+	}
+
+	if err := store.Import(name, dockerCli.ContextStore(), reader); err != nil {
+		return err
+	}
+
+	fmt.Fprintln(dockerCli.Out(), name)
+	fmt.Fprintf(dockerCli.Err(), "Successfully imported context %q\n", name)
+	return nil
+}
--- a/cli/command/context/inspect.go
+++ b/cli/command/context/inspect.go
@ -0,0 +1,64 @@
+package context
+
+import (
+	"errors"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/inspect"
+	"github.com/docker/cli/cli/context/store"
+	"github.com/spf13/cobra"
+)
+
+type inspectOptions struct {
+	format string
+	refs   []string
+}
+
+// newInspectCommand creates a new cobra.Command for `docker image inspect`
+func newInspectCommand(dockerCli command.Cli) *cobra.Command {
+	var opts inspectOptions
+
+	cmd := &cobra.Command{
+		Use:   "inspect [OPTIONS] [CONTEXT] [CONTEXT...]",
+		Short: "Display detailed information on one or more contexts",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.refs = args
+			if len(opts.refs) == 0 {
+				if dockerCli.CurrentContext() == "" {
+					return errors.New("no context specified")
+				}
+				opts.refs = []string{dockerCli.CurrentContext()}
+			}
+			return runInspect(dockerCli, opts)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.StringVarP(&opts.format, "format", "f", "", "Format the output using the given Go template")
+	return cmd
+}
+
+func runInspect(dockerCli command.Cli, opts inspectOptions) error {
+	getRefFunc := func(ref string) (interface{}, []byte, error) {
+		c, err := dockerCli.ContextStore().GetMetadata(ref)
+		if err != nil {
+			return nil, nil, err
+		}
+		tlsListing, err := dockerCli.ContextStore().ListTLSFiles(ref)
+		if err != nil {
+			return nil, nil, err
+		}
+		return contextWithTLSListing{
+			Metadata:    c,
+			TLSMaterial: tlsListing,
+			Storage:     dockerCli.ContextStore().GetStorageInfo(ref),
+		}, nil, nil
+	}
+	return inspect.Inspect(dockerCli.Out(), opts.refs, opts.format, getRefFunc)
+}
+
+type contextWithTLSListing struct {
+	store.Metadata
+	TLSMaterial map[string]store.EndpointFiles
+	Storage     store.StorageInfo
+}
--- a/cli/command/context/inspect_test.go
+++ b/cli/command/context/inspect_test.go
@ -0,0 +1,24 @@
+package context
+
+import (
+	"strings"
+	"testing"
+
+	"gotest.tools/assert"
+	"gotest.tools/golden"
+)
+
+func TestInspect(t *testing.T) {
+	cli, cleanup := makeFakeCli(t)
+	defer cleanup()
+	createTestContextWithKubeAndSwarm(t, cli, "current", "all")
+	cli.OutBuffer().Reset()
+	assert.NilError(t, runInspect(cli, inspectOptions{
+		refs: []string{"current"},
+	}))
+	expected := string(golden.Get(t, "inspect.golden"))
+	si := cli.ContextStore().GetStorageInfo("current")
+	expected = strings.Replace(expected, "<METADATA_PATH>", strings.Replace(si.MetadataPath, `\`, `\\`, -1), 1)
+	expected = strings.Replace(expected, "<TLS_PATH>", strings.Replace(si.TLSPath, `\`, `\\`, -1), 1)
+	assert.Equal(t, cli.OutBuffer().String(), expected)
+}
--- a/cli/command/context/list.go
+++ b/cli/command/context/list.go
@ -0,0 +1,96 @@
+package context
+
+import (
+	"fmt"
+	"os"
+	"sort"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/formatter"
+	"github.com/docker/cli/cli/context/docker"
+	kubecontext "github.com/docker/cli/cli/context/kubernetes"
+	"github.com/spf13/cobra"
+	"vbom.ml/util/sortorder"
+)
+
+type listOptions struct {
+	format string
+	quiet  bool
+}
+
+func newListCommand(dockerCli command.Cli) *cobra.Command {
+	opts := &listOptions{}
+	cmd := &cobra.Command{
+		Use:     "ls [OPTIONS]",
+		Aliases: []string{"list"},
+		Short:   "List contexts",
+		Args:    cli.NoArgs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return runList(dockerCli, opts)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.StringVar(&opts.format, "format", "", "Pretty-print contexts using a Go template")
+	flags.BoolVarP(&opts.quiet, "quiet", "q", false, "Only show context names")
+	return cmd
+}
+
+func runList(dockerCli command.Cli, opts *listOptions) error {
+	if opts.format == "" {
+		opts.format = formatter.TableFormatKey
+	}
+	curContext := dockerCli.CurrentContext()
+	contextMap, err := dockerCli.ContextStore().List()
+	if err != nil {
+		return err
+	}
+	var contexts []*formatter.ClientContext
+	for _, rawMeta := range contextMap {
+		meta, err := command.GetDockerContext(rawMeta)
+		if err != nil {
+			return err
+		}
+		dockerEndpoint, err := docker.EndpointFromContext(rawMeta)
+		if err != nil {
+			return err
+		}
+		kubernetesEndpoint := kubecontext.EndpointFromContext(rawMeta)
+		kubEndpointText := ""
+		if kubernetesEndpoint != nil {
+			kubEndpointText = fmt.Sprintf("%s (%s)", kubernetesEndpoint.Host, kubernetesEndpoint.DefaultNamespace)
+		}
+		if rawMeta.Name == command.DefaultContextName {
+			meta.Description = "Current DOCKER_HOST based configuration"
+		}
+		desc := formatter.ClientContext{
+			Name:               rawMeta.Name,
+			Current:            rawMeta.Name == curContext,
+			Description:        meta.Description,
+			StackOrchestrator:  string(meta.StackOrchestrator),
+			DockerEndpoint:     dockerEndpoint.Host,
+			KubernetesEndpoint: kubEndpointText,
+		}
+		contexts = append(contexts, &desc)
+	}
+	sort.Slice(contexts, func(i, j int) bool {
+		return sortorder.NaturalLess(contexts[i].Name, contexts[j].Name)
+	})
+	if err := format(dockerCli, opts, contexts); err != nil {
+		return err
+	}
+	if os.Getenv("DOCKER_HOST") != "" {
+		fmt.Fprint(dockerCli.Err(), "Warning: DOCKER_HOST environment variable overrides the active context. "+
+			"To use a context, either set the global --context flag, or unset DOCKER_HOST environment variable.\n")
+	}
+	return nil
+}
+
+func format(dockerCli command.Cli, opts *listOptions, contexts []*formatter.ClientContext) error {
+	contextCtx := formatter.Context{
+		Output: dockerCli.Out(),
+		Format: formatter.NewClientContextFormat(opts.format, opts.quiet),
+	}
+	return formatter.ClientContextWrite(contextCtx, contexts)
+}
--- a/cli/command/context/list_test.go
+++ b/cli/command/context/list_test.go
@ -0,0 +1,47 @@
+package context
+
+import (
+	"testing"
+
+	"github.com/docker/cli/cli/command"
+	"gotest.tools/assert"
+	"gotest.tools/env"
+	"gotest.tools/golden"
+)
+
+func createTestContextWithKubeAndSwarm(t *testing.T, cli command.Cli, name string, orchestrator string) {
+	revert := env.Patch(t, "KUBECONFIG", "./testdata/test-kubeconfig")
+	defer revert()
+
+	err := RunCreate(cli, &CreateOptions{
+		Name:                     name,
+		DefaultStackOrchestrator: orchestrator,
+		Description:              "description of " + name,
+		Kubernetes:               map[string]string{keyFrom: "default"},
+		Docker:                   map[string]string{keyHost: "https://someswarmserver"},
+	})
+	assert.NilError(t, err)
+}
+
+func TestList(t *testing.T) {
+	cli, cleanup := makeFakeCli(t)
+	defer cleanup()
+	createTestContextWithKubeAndSwarm(t, cli, "current", "all")
+	createTestContextWithKubeAndSwarm(t, cli, "other", "all")
+	createTestContextWithKubeAndSwarm(t, cli, "unset", "unset")
+	cli.SetCurrentContext("current")
+	cli.OutBuffer().Reset()
+	assert.NilError(t, runList(cli, &listOptions{}))
+	golden.Assert(t, cli.OutBuffer().String(), "list.golden")
+}
+
+func TestListQuiet(t *testing.T) {
+	cli, cleanup := makeFakeCli(t)
+	defer cleanup()
+	createTestContextWithKubeAndSwarm(t, cli, "current", "all")
+	createTestContextWithKubeAndSwarm(t, cli, "other", "all")
+	cli.SetCurrentContext("current")
+	cli.OutBuffer().Reset()
+	assert.NilError(t, runList(cli, &listOptions{quiet: true}))
+	golden.Assert(t, cli.OutBuffer().String(), "quiet-list.golden")
+}
--- a/cli/command/context/options.go
+++ b/cli/command/context/options.go
@ -0,0 +1,219 @@
+package context
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"strconv"
+	"strings"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/context"
+	"github.com/docker/cli/cli/context/docker"
+	"github.com/docker/cli/cli/context/kubernetes"
+	"github.com/docker/cli/cli/context/store"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/pkg/homedir"
+	"github.com/pkg/errors"
+)
+
+const (
+	keyFrom          = "from"
+	keyHost          = "host"
+	keyCA            = "ca"
+	keyCert          = "cert"
+	keyKey           = "key"
+	keySkipTLSVerify = "skip-tls-verify"
+	keyKubeconfig    = "config-file"
+	keyKubecontext   = "context-override"
+	keyKubenamespace = "namespace-override"
+)
+
+type configKeyDescription struct {
+	name        string
+	description string
+}
+
+var (
+	allowedDockerConfigKeys = map[string]struct{}{
+		keyFrom:          {},
+		keyHost:          {},
+		keyCA:            {},
+		keyCert:          {},
+		keyKey:           {},
+		keySkipTLSVerify: {},
+	}
+	allowedKubernetesConfigKeys = map[string]struct{}{
+		keyFrom:          {},
+		keyKubeconfig:    {},
+		keyKubecontext:   {},
+		keyKubenamespace: {},
+	}
+	dockerConfigKeysDescriptions = []configKeyDescription{
+		{
+			name:        keyFrom,
+			description: "Copy named context's Docker endpoint configuration",
+		},
+		{
+			name:        keyHost,
+			description: "Docker endpoint on which to connect",
+		},
+		{
+			name:        keyCA,
+			description: "Trust certs signed only by this CA",
+		},
+		{
+			name:        keyCert,
+			description: "Path to TLS certificate file",
+		},
+		{
+			name:        keyKey,
+			description: "Path to TLS key file",
+		},
+		{
+			name:        keySkipTLSVerify,
+			description: "Skip TLS certificate validation",
+		},
+	}
+	kubernetesConfigKeysDescriptions = []configKeyDescription{
+		{
+			name:        keyFrom,
+			description: "Copy named context's Kubernetes endpoint configuration",
+		},
+		{
+			name:        keyKubeconfig,
+			description: "Path to a Kubernetes config file",
+		},
+		{
+			name:        keyKubecontext,
+			description: "Overrides the context set in the kubernetes config file",
+		},
+		{
+			name:        keyKubenamespace,
+			description: "Overrides the namespace set in the kubernetes config file",
+		},
+	}
+)
+
+func parseBool(config map[string]string, name string) (bool, error) {
+	strVal, ok := config[name]
+	if !ok {
+		return false, nil
+	}
+	res, err := strconv.ParseBool(strVal)
+	return res, errors.Wrap(err, name)
+}
+
+func validateConfig(config map[string]string, allowedKeys map[string]struct{}) error {
+	var errs []string
+	for k := range config {
+		if _, ok := allowedKeys[k]; !ok {
+			errs = append(errs, fmt.Sprintf("%s: unrecognized config key", k))
+		}
+	}
+	if len(errs) == 0 {
+		return nil
+	}
+	return errors.New(strings.Join(errs, "\n"))
+}
+
+func getDockerEndpoint(dockerCli command.Cli, config map[string]string) (docker.Endpoint, error) {
+	if err := validateConfig(config, allowedDockerConfigKeys); err != nil {
+		return docker.Endpoint{}, err
+	}
+	if contextName, ok := config[keyFrom]; ok {
+		metadata, err := dockerCli.ContextStore().GetMetadata(contextName)
+		if err != nil {
+			return docker.Endpoint{}, err
+		}
+		if ep, ok := metadata.Endpoints[docker.DockerEndpoint].(docker.EndpointMeta); ok {
+			return docker.Endpoint{EndpointMeta: ep}, nil
+		}
+		return docker.Endpoint{}, errors.Errorf("unable to get endpoint from context %q", contextName)
+	}
+	tlsData, err := context.TLSDataFromFiles(config[keyCA], config[keyCert], config[keyKey])
+	if err != nil {
+		return docker.Endpoint{}, err
+	}
+	skipTLSVerify, err := parseBool(config, keySkipTLSVerify)
+	if err != nil {
+		return docker.Endpoint{}, err
+	}
+	ep := docker.Endpoint{
+		EndpointMeta: docker.EndpointMeta{
+			Host:          config[keyHost],
+			SkipTLSVerify: skipTLSVerify,
+		},
+		TLSData: tlsData,
+	}
+	// try to resolve a docker client, validating the configuration
+	opts, err := ep.ClientOpts()
+	if err != nil {
+		return docker.Endpoint{}, errors.Wrap(err, "invalid docker endpoint options")
+	}
+	if _, err := client.NewClientWithOpts(opts...); err != nil {
+		return docker.Endpoint{}, errors.Wrap(err, "unable to apply docker endpoint options")
+	}
+	return ep, nil
+}
+
+func getDockerEndpointMetadataAndTLS(dockerCli command.Cli, config map[string]string) (docker.EndpointMeta, *store.EndpointTLSData, error) {
+	ep, err := getDockerEndpoint(dockerCli, config)
+	if err != nil {
+		return docker.EndpointMeta{}, nil, err
+	}
+	return ep.EndpointMeta, ep.TLSData.ToStoreTLSData(), nil
+}
+
+func getKubernetesEndpoint(dockerCli command.Cli, config map[string]string) (*kubernetes.Endpoint, error) {
+	if err := validateConfig(config, allowedKubernetesConfigKeys); err != nil {
+		return nil, err
+	}
+	if len(config) == 0 {
+		return nil, nil
+	}
+	if contextName, ok := config[keyFrom]; ok {
+		ctxMeta, err := dockerCli.ContextStore().GetMetadata(contextName)
+		if err != nil {
+			return nil, err
+		}
+		endpointMeta := kubernetes.EndpointFromContext(ctxMeta)
+		if endpointMeta != nil {
+			res, err := endpointMeta.WithTLSData(dockerCli.ContextStore(), dockerCli.CurrentContext())
+			if err != nil {
+				return nil, err
+			}
+			return &res, nil
+		}
+
+		// fallback to env-based kubeconfig
+		kubeconfig := os.Getenv("KUBECONFIG")
+		if kubeconfig == "" {
+			kubeconfig = filepath.Join(homedir.Get(), ".kube/config")
+		}
+		ep, err := kubernetes.FromKubeConfig(kubeconfig, "", "")
+		if err != nil {
+			return nil, err
+		}
+		return &ep, nil
+	}
+	if config[keyKubeconfig] != "" {
+		ep, err := kubernetes.FromKubeConfig(config[keyKubeconfig], config[keyKubecontext], config[keyKubenamespace])
+		if err != nil {
+			return nil, err
+		}
+		return &ep, nil
+	}
+	return nil, nil
+}
+
+func getKubernetesEndpointMetadataAndTLS(dockerCli command.Cli, config map[string]string) (*kubernetes.EndpointMeta, *store.EndpointTLSData, error) {
+	ep, err := getKubernetesEndpoint(dockerCli, config)
+	if err != nil {
+		return nil, nil, err
+	}
+	if ep == nil {
+		return nil, nil, err
+	}
+	return &ep.EndpointMeta, ep.TLSData.ToStoreTLSData(), nil
+}
--- a/cli/command/context/remove.go
+++ b/cli/command/context/remove.go
@ -0,0 +1,68 @@
+package context
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/spf13/cobra"
+)
+
+// RemoveOptions are the options used to remove contexts
+type RemoveOptions struct {
+	Force bool
+}
+
+func newRemoveCommand(dockerCli command.Cli) *cobra.Command {
+	var opts RemoveOptions
+	cmd := &cobra.Command{
+		Use:     "rm CONTEXT [CONTEXT...]",
+		Aliases: []string{"remove"},
+		Short:   "Remove one or more contexts",
+		Args:    cli.RequiresMinArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return RunRemove(dockerCli, opts, args)
+		},
+	}
+	cmd.Flags().BoolVarP(&opts.Force, "force", "f", false, "Force the removal of a context in use")
+	return cmd
+}
+
+// RunRemove removes one or more contexts
+func RunRemove(dockerCli command.Cli, opts RemoveOptions, names []string) error {
+	var errs []string
+	currentCtx := dockerCli.CurrentContext()
+	for _, name := range names {
+		if name == "default" {
+			errs = append(errs, `default: context "default" cannot be removed`)
+		} else if err := doRemove(dockerCli, name, name == currentCtx, opts.Force); err != nil {
+			errs = append(errs, fmt.Sprintf("%s: %s", name, err))
+		} else {
+			fmt.Fprintln(dockerCli.Out(), name)
+		}
+	}
+	if len(errs) > 0 {
+		return errors.New(strings.Join(errs, "\n"))
+	}
+	return nil
+}
+
+func doRemove(dockerCli command.Cli, name string, isCurrent, force bool) error {
+	if _, err := dockerCli.ContextStore().GetMetadata(name); err != nil {
+		return err
+	}
+	if isCurrent {
+		if !force {
+			return errors.New("context is in use, set -f flag to force remove")
+		}
+		// fallback to DOCKER_HOST
+		cfg := dockerCli.ConfigFile()
+		cfg.CurrentContext = ""
+		if err := cfg.Save(); err != nil {
+			return err
+		}
+	}
+	return dockerCli.ContextStore().Remove(name)
+}
--- a/cli/command/context/remove_test.go
+++ b/cli/command/context/remove_test.go
@ -0,0 +1,73 @@
+package context
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/docker/cli/cli/config"
+	"github.com/docker/cli/cli/config/configfile"
+	"github.com/docker/cli/cli/context/store"
+	"gotest.tools/assert"
+)
+
+func TestRemove(t *testing.T) {
+	cli, cleanup := makeFakeCli(t)
+	defer cleanup()
+	createTestContextWithKubeAndSwarm(t, cli, "current", "all")
+	createTestContextWithKubeAndSwarm(t, cli, "other", "all")
+	assert.NilError(t, RunRemove(cli, RemoveOptions{}, []string{"other"}))
+	_, err := cli.ContextStore().GetMetadata("current")
+	assert.NilError(t, err)
+	_, err = cli.ContextStore().GetMetadata("other")
+	assert.Check(t, store.IsErrContextDoesNotExist(err))
+}
+
+func TestRemoveNotAContext(t *testing.T) {
+	cli, cleanup := makeFakeCli(t)
+	defer cleanup()
+	createTestContextWithKubeAndSwarm(t, cli, "current", "all")
+	createTestContextWithKubeAndSwarm(t, cli, "other", "all")
+	err := RunRemove(cli, RemoveOptions{}, []string{"not-a-context"})
+	assert.ErrorContains(t, err, `context "not-a-context" does not exist`)
+}
+
+func TestRemoveCurrent(t *testing.T) {
+	cli, cleanup := makeFakeCli(t)
+	defer cleanup()
+	createTestContextWithKubeAndSwarm(t, cli, "current", "all")
+	createTestContextWithKubeAndSwarm(t, cli, "other", "all")
+	cli.SetCurrentContext("current")
+	err := RunRemove(cli, RemoveOptions{}, []string{"current"})
+	assert.ErrorContains(t, err, "current: context is in use, set -f flag to force remove")
+}
+
+func TestRemoveCurrentForce(t *testing.T) {
+	configDir, err := ioutil.TempDir("", t.Name()+"config")
+	assert.NilError(t, err)
+	defer os.RemoveAll(configDir)
+	configFilePath := filepath.Join(configDir, "config.json")
+	testCfg := configfile.New(configFilePath)
+	testCfg.CurrentContext = "current"
+	assert.NilError(t, testCfg.Save())
+
+	cli, cleanup := makeFakeCli(t, withCliConfig(testCfg))
+	defer cleanup()
+	createTestContextWithKubeAndSwarm(t, cli, "current", "all")
+	createTestContextWithKubeAndSwarm(t, cli, "other", "all")
+	cli.SetCurrentContext("current")
+	assert.NilError(t, RunRemove(cli, RemoveOptions{Force: true}, []string{"current"}))
+	reloadedConfig, err := config.Load(configDir)
+	assert.NilError(t, err)
+	assert.Equal(t, "", reloadedConfig.CurrentContext)
+}
+
+func TestRemoveDefault(t *testing.T) {
+	cli, cleanup := makeFakeCli(t)
+	defer cleanup()
+	createTestContextWithKubeAndSwarm(t, cli, "other", "all")
+	cli.SetCurrentContext("current")
+	err := RunRemove(cli, RemoveOptions{}, []string{"default"})
+	assert.ErrorContains(t, err, `default: context "default" cannot be removed`)
+}
--- a/cli/command/context/testdata/inspect.golden
+++ b/cli/command/context/testdata/inspect.golden
@ -0,0 +1,31 @@
+[
+    {
+        "Name": "current",
+        "Metadata": {
+            "Description": "description of current",
+            "StackOrchestrator": "all"
+        },
+        "Endpoints": {
+            "docker": {
+                "Host": "https://someswarmserver",
+                "SkipTLSVerify": false
+            },
+            "kubernetes": {
+                "Host": "https://someserver",
+                "SkipTLSVerify": false,
+                "DefaultNamespace": "default"
+            }
+        },
+        "TLSMaterial": {
+            "kubernetes": [
+                "ca.pem",
+                "cert.pem",
+                "key.pem"
+            ]
+        },
+        "Storage": {
+            "MetadataPath": "<METADATA_PATH>",
+            "TLSPath": "<TLS_PATH>"
+        }
+    }
+]
--- a/cli/command/context/testdata/list.golden
+++ b/cli/command/context/testdata/list.golden
@ -0,0 +1,5 @@
+NAME                DESCRIPTION                               DOCKER ENDPOINT               KUBERNETES ENDPOINT            ORCHESTRATOR
+current *           description of current                    https://someswarmserver       https://someserver (default)   all
+default             Current DOCKER_HOST based configuration   unix:///var/run/docker.sock                                  swarm
+other               description of other                      https://someswarmserver       https://someserver (default)   all
+unset               description of unset                      https://someswarmserver       https://someserver (default)   
--- a/cli/command/context/testdata/quiet-list.golden
+++ b/cli/command/context/testdata/quiet-list.golden
@ -0,0 +1,3 @@
+current
+default
+other
--- a/cli/command/context/testdata/test-kubeconfig
+++ b/cli/command/context/testdata/test-kubeconfig
@ -0,0 +1,19 @@
+apiVersion: v1
+clusters:
+- cluster:
+    certificate-authority-data: dGhlLWNh
+    server: https://someserver
+  name: test-cluster
+contexts:
+- context:
+    cluster: test-cluster
+    user: test-user
+  name: test
+current-context: test
+kind: Config
+preferences: {}
+users:
+- name: test-user
+  user:
+    client-certificate-data: dGhlLWNlcnQ=
+    client-key-data: dGhlLWtleQ==
--- a/cli/command/context/update.go
+++ b/cli/command/context/update.go
@ -0,0 +1,144 @@
+package context
+
+import (
+	"bytes"
+	"fmt"
+	"text/tabwriter"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/context/docker"
+	"github.com/docker/cli/cli/context/kubernetes"
+	"github.com/docker/cli/cli/context/store"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+// UpdateOptions are the options used to update a context
+type UpdateOptions struct {
+	Name                     string
+	Description              string
+	DefaultStackOrchestrator string
+	Docker                   map[string]string
+	Kubernetes               map[string]string
+}
+
+func longUpdateDescription() string {
+	buf := bytes.NewBuffer(nil)
+	buf.WriteString("Update a context\n\nDocker endpoint config:\n\n")
+	tw := tabwriter.NewWriter(buf, 20, 1, 3, ' ', 0)
+	fmt.Fprintln(tw, "NAME\tDESCRIPTION")
+	for _, d := range dockerConfigKeysDescriptions {
+		fmt.Fprintf(tw, "%s\t%s\n", d.name, d.description)
+	}
+	tw.Flush()
+	buf.WriteString("\nKubernetes endpoint config:\n\n")
+	tw = tabwriter.NewWriter(buf, 20, 1, 3, ' ', 0)
+	fmt.Fprintln(tw, "NAME\tDESCRIPTION")
+	for _, d := range kubernetesConfigKeysDescriptions {
+		fmt.Fprintf(tw, "%s\t%s\n", d.name, d.description)
+	}
+	tw.Flush()
+	buf.WriteString("\nExample:\n\n$ docker context update my-context --description \"some description\" --docker \"host=tcp://myserver:2376,ca=~/ca-file,cert=~/cert-file,key=~/key-file\"\n")
+	return buf.String()
+}
+
+func newUpdateCommand(dockerCli command.Cli) *cobra.Command {
+	opts := &UpdateOptions{}
+	cmd := &cobra.Command{
+		Use:   "update [OPTIONS] CONTEXT",
+		Short: "Update a context",
+		Args:  cli.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.Name = args[0]
+			return RunUpdate(dockerCli, opts)
+		},
+		Long: longUpdateDescription(),
+	}
+	flags := cmd.Flags()
+	flags.StringVar(&opts.Description, "description", "", "Description of the context")
+	flags.StringVar(
+		&opts.DefaultStackOrchestrator,
+		"default-stack-orchestrator", "",
+		"Default orchestrator for stack operations to use with this context (swarm|kubernetes|all)")
+	flags.StringToStringVar(&opts.Docker, "docker", nil, "set the docker endpoint")
+	flags.StringToStringVar(&opts.Kubernetes, "kubernetes", nil, "set the kubernetes endpoint")
+	return cmd
+}
+
+// RunUpdate updates a Docker context
+func RunUpdate(cli command.Cli, o *UpdateOptions) error {
+	if err := validateContextName(o.Name); err != nil {
+		return err
+	}
+	s := cli.ContextStore()
+	c, err := s.GetMetadata(o.Name)
+	if err != nil {
+		return err
+	}
+	dockerContext, err := command.GetDockerContext(c)
+	if err != nil {
+		return err
+	}
+	if o.DefaultStackOrchestrator != "" {
+		stackOrchestrator, err := command.NormalizeOrchestrator(o.DefaultStackOrchestrator)
+		if err != nil {
+			return errors.Wrap(err, "unable to parse default-stack-orchestrator")
+		}
+		dockerContext.StackOrchestrator = stackOrchestrator
+	}
+	if o.Description != "" {
+		dockerContext.Description = o.Description
+	}
+
+	c.Metadata = dockerContext
+
+	tlsDataToReset := make(map[string]*store.EndpointTLSData)
+
+	if o.Docker != nil {
+		dockerEP, dockerTLS, err := getDockerEndpointMetadataAndTLS(cli, o.Docker)
+		if err != nil {
+			return errors.Wrap(err, "unable to create docker endpoint config")
+		}
+		c.Endpoints[docker.DockerEndpoint] = dockerEP
+		tlsDataToReset[docker.DockerEndpoint] = dockerTLS
+	}
+	if o.Kubernetes != nil {
+		kubernetesEP, kubernetesTLS, err := getKubernetesEndpointMetadataAndTLS(cli, o.Kubernetes)
+		if err != nil {
+			return errors.Wrap(err, "unable to create kubernetes endpoint config")
+		}
+		if kubernetesEP == nil {
+			delete(c.Endpoints, kubernetes.KubernetesEndpoint)
+		} else {
+			c.Endpoints[kubernetes.KubernetesEndpoint] = kubernetesEP
+			tlsDataToReset[kubernetes.KubernetesEndpoint] = kubernetesTLS
+		}
+	}
+	if err := validateEndpointsAndOrchestrator(c); err != nil {
+		return err
+	}
+	if err := s.CreateOrUpdate(c); err != nil {
+		return err
+	}
+	for ep, tlsData := range tlsDataToReset {
+		if err := s.ResetEndpointTLSMaterial(o.Name, ep, tlsData); err != nil {
+			return err
+		}
+	}
+
+	fmt.Fprintln(cli.Out(), o.Name)
+	fmt.Fprintf(cli.Err(), "Successfully updated context %q\n", o.Name)
+	return nil
+}
+
+func validateEndpointsAndOrchestrator(c store.Metadata) error {
+	dockerContext, err := command.GetDockerContext(c)
+	if err != nil {
+		return err
+	}
+	if _, ok := c.Endpoints[kubernetes.KubernetesEndpoint]; !ok && dockerContext.StackOrchestrator.HasKubernetes() {
+		return errors.Errorf("cannot specify orchestrator %q without configuring a Kubernetes endpoint", dockerContext.StackOrchestrator)
+	}
+	return nil
+}
--- a/cli/command/context/update_test.go
+++ b/cli/command/context/update_test.go
@ -0,0 +1,102 @@
+package context
+
+import (
+	"testing"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/context/docker"
+	"github.com/docker/cli/cli/context/kubernetes"
+	"gotest.tools/assert"
+	"gotest.tools/assert/cmp"
+)
+
+func TestUpdateDescriptionOnly(t *testing.T) {
+	cli, cleanup := makeFakeCli(t)
+	defer cleanup()
+	err := RunCreate(cli, &CreateOptions{
+		Name:                     "test",
+		DefaultStackOrchestrator: "swarm",
+		Docker:                   map[string]string{},
+	})
+	assert.NilError(t, err)
+	cli.OutBuffer().Reset()
+	cli.ErrBuffer().Reset()
+	assert.NilError(t, RunUpdate(cli, &UpdateOptions{
+		Name:        "test",
+		Description: "description",
+	}))
+	c, err := cli.ContextStore().GetMetadata("test")
+	assert.NilError(t, err)
+	dc, err := command.GetDockerContext(c)
+	assert.NilError(t, err)
+	assert.Equal(t, dc.StackOrchestrator, command.OrchestratorSwarm)
+	assert.Equal(t, dc.Description, "description")
+
+	assert.Equal(t, "test\n", cli.OutBuffer().String())
+	assert.Equal(t, "Successfully updated context \"test\"\n", cli.ErrBuffer().String())
+}
+
+func TestUpdateDockerOnly(t *testing.T) {
+	cli, cleanup := makeFakeCli(t)
+	defer cleanup()
+	createTestContextWithKubeAndSwarm(t, cli, "test", "swarm")
+	assert.NilError(t, RunUpdate(cli, &UpdateOptions{
+		Name: "test",
+		Docker: map[string]string{
+			keyHost: "tcp://some-host",
+		},
+	}))
+	c, err := cli.ContextStore().GetMetadata("test")
+	assert.NilError(t, err)
+	dc, err := command.GetDockerContext(c)
+	assert.NilError(t, err)
+	assert.Equal(t, dc.StackOrchestrator, command.OrchestratorSwarm)
+	assert.Equal(t, dc.Description, "description of test")
+	assert.Check(t, cmp.Contains(c.Endpoints, kubernetes.KubernetesEndpoint))
+	assert.Check(t, cmp.Contains(c.Endpoints, docker.DockerEndpoint))
+	assert.Equal(t, c.Endpoints[docker.DockerEndpoint].(docker.EndpointMeta).Host, "tcp://some-host")
+}
+
+func TestUpdateStackOrchestratorStrategy(t *testing.T) {
+	cli, cleanup := makeFakeCli(t)
+	defer cleanup()
+	err := RunCreate(cli, &CreateOptions{
+		Name:                     "test",
+		DefaultStackOrchestrator: "swarm",
+		Docker:                   map[string]string{},
+	})
+	assert.NilError(t, err)
+	err = RunUpdate(cli, &UpdateOptions{
+		Name:                     "test",
+		DefaultStackOrchestrator: "kubernetes",
+	})
+	assert.ErrorContains(t, err, `cannot specify orchestrator "kubernetes" without configuring a Kubernetes endpoint`)
+}
+
+func TestUpdateStackOrchestratorStrategyRemoveKubeEndpoint(t *testing.T) {
+	cli, cleanup := makeFakeCli(t)
+	defer cleanup()
+	createTestContextWithKubeAndSwarm(t, cli, "test", "kubernetes")
+	err := RunUpdate(cli, &UpdateOptions{
+		Name:       "test",
+		Kubernetes: map[string]string{},
+	})
+	assert.ErrorContains(t, err, `cannot specify orchestrator "kubernetes" without configuring a Kubernetes endpoint`)
+}
+
+func TestUpdateInvalidDockerHost(t *testing.T) {
+	cli, cleanup := makeFakeCli(t)
+	defer cleanup()
+	err := RunCreate(cli, &CreateOptions{
+		Name:   "test",
+		Docker: map[string]string{},
+	})
+	assert.NilError(t, err)
+	err = RunUpdate(cli, &UpdateOptions{
+		Name: "test",
+		Docker: map[string]string{
+			keyHost: "some///invalid/host",
+		},
+	})
+	assert.ErrorContains(t, err, "unable to parse docker host")
+}
--- a/cli/command/context/use.go
+++ b/cli/command/context/use.go
@ -0,0 +1,48 @@
+package context
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/spf13/cobra"
+)
+
+func newUseCommand(dockerCli command.Cli) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "use CONTEXT",
+		Short: "Set the current docker context",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			name := args[0]
+			return RunUse(dockerCli, name)
+		},
+	}
+	return cmd
+}
+
+// RunUse set the current Docker context
+func RunUse(dockerCli command.Cli, name string) error {
+	if err := validateContextName(name); err != nil && name != "default" {
+		return err
+	}
+	if _, err := dockerCli.ContextStore().GetMetadata(name); err != nil && name != "default" {
+		return err
+	}
+	configValue := name
+	if configValue == "default" {
+		configValue = ""
+	}
+	dockerConfig := dockerCli.ConfigFile()
+	dockerConfig.CurrentContext = configValue
+	if err := dockerConfig.Save(); err != nil {
+		return err
+	}
+	fmt.Fprintln(dockerCli.Out(), name)
+	fmt.Fprintf(dockerCli.Err(), "Current context is now %q\n", name)
+	if os.Getenv("DOCKER_HOST") != "" {
+		fmt.Fprintf(dockerCli.Err(), "Warning: DOCKER_HOST environment variable overrides the active context. "+
+			"To use %q, either set the global --context flag, or unset DOCKER_HOST environment variable.\n", name)
+	}
+	return nil
+}
--- a/cli/command/context/use_test.go
+++ b/cli/command/context/use_test.go
@ -0,0 +1,49 @@
+package context
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/docker/cli/cli/config"
+	"github.com/docker/cli/cli/config/configfile"
+	"github.com/docker/cli/cli/context/store"
+	"gotest.tools/assert"
+)
+
+func TestUse(t *testing.T) {
+	configDir, err := ioutil.TempDir("", t.Name()+"config")
+	assert.NilError(t, err)
+	defer os.RemoveAll(configDir)
+	configFilePath := filepath.Join(configDir, "config.json")
+	testCfg := configfile.New(configFilePath)
+	cli, cleanup := makeFakeCli(t, withCliConfig(testCfg))
+	defer cleanup()
+	err = RunCreate(cli, &CreateOptions{
+		Name:   "test",
+		Docker: map[string]string{},
+	})
+	assert.NilError(t, err)
+	assert.NilError(t, newUseCommand(cli).RunE(nil, []string{"test"}))
+	reloadedConfig, err := config.Load(configDir)
+	assert.NilError(t, err)
+	assert.Equal(t, "test", reloadedConfig.CurrentContext)
+
+	// switch back to default
+	cli.OutBuffer().Reset()
+	cli.ErrBuffer().Reset()
+	assert.NilError(t, newUseCommand(cli).RunE(nil, []string{"default"}))
+	reloadedConfig, err = config.Load(configDir)
+	assert.NilError(t, err)
+	assert.Equal(t, "", reloadedConfig.CurrentContext)
+	assert.Equal(t, "default\n", cli.OutBuffer().String())
+	assert.Equal(t, "Current context is now \"default\"\n", cli.ErrBuffer().String())
+}
+
+func TestUseNoExist(t *testing.T) {
+	cli, cleanup := makeFakeCli(t)
+	defer cleanup()
+	err := newUseCommand(cli).RunE(nil, []string{"test"})
+	assert.Check(t, store.IsErrContextDoesNotExist(err))
+}
--- a/cli/command/defaultcontextstore.go
+++ b/cli/command/defaultcontextstore.go
@ -0,0 +1,215 @@
+package command
+
+import (
+	"fmt"
+	"io"
+
+	"github.com/docker/cli/cli/config/configfile"
+	"github.com/docker/cli/cli/context/docker"
+	"github.com/docker/cli/cli/context/store"
+	cliflags "github.com/docker/cli/cli/flags"
+	"github.com/pkg/errors"
+)
+
+const (
+	// DefaultContextName is the name reserved for the default context (config & env based)
+	DefaultContextName = "default"
+)
+
+// DefaultContext contains the default context data for all endpoints
+type DefaultContext struct {
+	Meta store.Metadata
+	TLS  store.ContextTLSData
+}
+
+// DefaultContextResolver is a function which resolves the default context base on the configuration and the env variables
+type DefaultContextResolver func() (*DefaultContext, error)
+
+// ContextStoreWithDefault implements the store.Store interface with a support for the default context
+type ContextStoreWithDefault struct {
+	store.Store
+	Resolver DefaultContextResolver
+}
+
+// EndpointDefaultResolver is implemented by any EndpointMeta object
+// which wants to be able to populate the store with whatever their default is.
+type EndpointDefaultResolver interface {
+	// ResolveDefault returns values suitable for storing in store.Metadata.Endpoints
+	// and store.ContextTLSData.Endpoints.
+	//
+	// An error is only returned for something fatal, not simply
+	// the lack of a default (e.g. because the config file which
+	// would contain it is missing). If there is no default then
+	// returns nil, nil, nil.
+	ResolveDefault(Orchestrator) (interface{}, *store.EndpointTLSData, error)
+}
+
+// ResolveDefaultContext creates a Metadata for the current CLI invocation parameters
+func ResolveDefaultContext(opts *cliflags.CommonOptions, config *configfile.ConfigFile, storeconfig store.Config, stderr io.Writer) (*DefaultContext, error) {
+	stackOrchestrator, err := GetStackOrchestrator("", "", config.StackOrchestrator, stderr)
+	if err != nil {
+		return nil, err
+	}
+	contextTLSData := store.ContextTLSData{
+		Endpoints: make(map[string]store.EndpointTLSData),
+	}
+	contextMetadata := store.Metadata{
+		Endpoints: make(map[string]interface{}),
+		Metadata: DockerContext{
+			Description:       "",
+			StackOrchestrator: stackOrchestrator,
+		},
+		Name: DefaultContextName,
+	}
+
+	dockerEP, err := resolveDefaultDockerEndpoint(opts)
+	if err != nil {
+		return nil, err
+	}
+	contextMetadata.Endpoints[docker.DockerEndpoint] = dockerEP.EndpointMeta
+	if dockerEP.TLSData != nil {
+		contextTLSData.Endpoints[docker.DockerEndpoint] = *dockerEP.TLSData.ToStoreTLSData()
+	}
+
+	if err := storeconfig.ForeachEndpointType(func(n string, get store.TypeGetter) error {
+		if n == docker.DockerEndpoint { // handled above
+			return nil
+		}
+		ep := get()
+		if i, ok := ep.(EndpointDefaultResolver); ok {
+			meta, tls, err := i.ResolveDefault(stackOrchestrator)
+			if err != nil {
+				return err
+			}
+			if meta == nil {
+				return nil
+			}
+			contextMetadata.Endpoints[n] = meta
+			if tls != nil {
+				contextTLSData.Endpoints[n] = *tls
+			}
+		}
+		// Nothing to be done
+		return nil
+	}); err != nil {
+		return nil, err
+	}
+
+	return &DefaultContext{Meta: contextMetadata, TLS: contextTLSData}, nil
+}
+
+// List implements store.Store's List
+func (s *ContextStoreWithDefault) List() ([]store.Metadata, error) {
+	contextList, err := s.Store.List()
+	if err != nil {
+		return nil, err
+	}
+	defaultContext, err := s.Resolver()
+	if err != nil {
+		return nil, err
+	}
+	return append(contextList, defaultContext.Meta), nil
+}
+
+// CreateOrUpdate is not allowed for the default context and fails
+func (s *ContextStoreWithDefault) CreateOrUpdate(meta store.Metadata) error {
+	if meta.Name == DefaultContextName {
+		return errors.New("default context cannot be created nor updated")
+	}
+	return s.Store.CreateOrUpdate(meta)
+}
+
+// Remove is not allowed for the default context and fails
+func (s *ContextStoreWithDefault) Remove(name string) error {
+	if name == DefaultContextName {
+		return errors.New("default context cannot be removed")
+	}
+	return s.Store.Remove(name)
+}
+
+// GetMetadata implements store.Store's GetMetadata
+func (s *ContextStoreWithDefault) GetMetadata(name string) (store.Metadata, error) {
+	if name == DefaultContextName {
+		defaultContext, err := s.Resolver()
+		if err != nil {
+			return store.Metadata{}, err
+		}
+		return defaultContext.Meta, nil
+	}
+	return s.Store.GetMetadata(name)
+}
+
+// ResetTLSMaterial is not implemented for default context and fails
+func (s *ContextStoreWithDefault) ResetTLSMaterial(name string, data *store.ContextTLSData) error {
+	if name == DefaultContextName {
+		return errors.New("The default context store does not support ResetTLSMaterial")
+	}
+	return s.Store.ResetTLSMaterial(name, data)
+}
+
+// ResetEndpointTLSMaterial is not implemented for default context and fails
+func (s *ContextStoreWithDefault) ResetEndpointTLSMaterial(contextName string, endpointName string, data *store.EndpointTLSData) error {
+	if contextName == DefaultContextName {
+		return errors.New("The default context store does not support ResetEndpointTLSMaterial")
+	}
+	return s.Store.ResetEndpointTLSMaterial(contextName, endpointName, data)
+}
+
+// ListTLSFiles implements store.Store's ListTLSFiles
+func (s *ContextStoreWithDefault) ListTLSFiles(name string) (map[string]store.EndpointFiles, error) {
+	if name == DefaultContextName {
+		defaultContext, err := s.Resolver()
+		if err != nil {
+			return nil, err
+		}
+		tlsfiles := make(map[string]store.EndpointFiles)
+		for epName, epTLSData := range defaultContext.TLS.Endpoints {
+			var files store.EndpointFiles
+			for filename := range epTLSData.Files {
+				files = append(files, filename)
+			}
+			tlsfiles[epName] = files
+		}
+		return tlsfiles, nil
+	}
+	return s.Store.ListTLSFiles(name)
+}
+
+// GetTLSData implements store.Store's GetTLSData
+func (s *ContextStoreWithDefault) GetTLSData(contextName, endpointName, fileName string) ([]byte, error) {
+	if contextName == DefaultContextName {
+		defaultContext, err := s.Resolver()
+		if err != nil {
+			return nil, err
+		}
+		if defaultContext.TLS.Endpoints[endpointName].Files[fileName] == nil {
+			return nil, &noDefaultTLSDataError{endpointName: endpointName, fileName: fileName}
+		}
+		return defaultContext.TLS.Endpoints[endpointName].Files[fileName], nil
+
+	}
+	return s.Store.GetTLSData(contextName, endpointName, fileName)
+}
+
+type noDefaultTLSDataError struct {
+	endpointName string
+	fileName     string
+}
+
+func (e *noDefaultTLSDataError) Error() string {
+	return fmt.Sprintf("tls data for %s/%s/%s does not exist", DefaultContextName, e.endpointName, e.fileName)
+}
+
+// NotFound satisfies interface github.com/docker/docker/errdefs.ErrNotFound
+func (e *noDefaultTLSDataError) NotFound() {}
+
+// IsTLSDataDoesNotExist satisfies github.com/docker/cli/cli/context/store.tlsDataDoesNotExist
+func (e *noDefaultTLSDataError) IsTLSDataDoesNotExist() {}
+
+// GetStorageInfo implements store.Store's GetStorageInfo
+func (s *ContextStoreWithDefault) GetStorageInfo(contextName string) store.StorageInfo {
+	if contextName == DefaultContextName {
+		return store.StorageInfo{MetadataPath: "<IN MEMORY>", TLSPath: "<IN MEMORY>"}
+	}
+	return s.Store.GetStorageInfo(contextName)
+}
--- a/cli/command/defaultcontextstore_test.go
+++ b/cli/command/defaultcontextstore_test.go
@ -0,0 +1,190 @@
+package command
+
+import (
+	"crypto/rand"
+	"io/ioutil"
+	"os"
+	"testing"
+
+	"github.com/docker/cli/cli/config/configfile"
+	"github.com/docker/cli/cli/context/docker"
+	"github.com/docker/cli/cli/context/store"
+	cliflags "github.com/docker/cli/cli/flags"
+	"github.com/docker/go-connections/tlsconfig"
+	"gotest.tools/assert"
+	"gotest.tools/env"
+	"gotest.tools/golden"
+)
+
+type endpoint struct {
+	Foo string `json:"a_very_recognizable_field_name"`
+}
+
+type testContext struct {
+	Bar string `json:"another_very_recognizable_field_name"`
+}
+
+var testCfg = store.NewConfig(func() interface{} { return &testContext{} },
+	store.EndpointTypeGetter("ep1", func() interface{} { return &endpoint{} }),
+	store.EndpointTypeGetter("ep2", func() interface{} { return &endpoint{} }),
+)
+
+func testDefaultMetadata() store.Metadata {
+	return store.Metadata{
+		Endpoints: map[string]interface{}{
+			"ep1": endpoint{Foo: "bar"},
+		},
+		Metadata: testContext{Bar: "baz"},
+		Name:     DefaultContextName,
+	}
+}
+
+func testStore(t *testing.T, meta store.Metadata, tls store.ContextTLSData) (store.Store, func()) {
+	//meta := testDefaultMetadata()
+	testDir, err := ioutil.TempDir("", t.Name())
+	assert.NilError(t, err)
+	//defer os.RemoveAll(testDir)
+	store := &ContextStoreWithDefault{
+		Store: store.New(testDir, testCfg),
+		Resolver: func() (*DefaultContext, error) {
+			return &DefaultContext{
+				Meta: meta,
+				TLS:  tls,
+			}, nil
+		},
+	}
+	return store, func() {
+		os.RemoveAll(testDir)
+	}
+}
+
+func TestDefaultContextInitializer(t *testing.T) {
+	cli, err := NewDockerCli()
+	assert.NilError(t, err)
+	defer env.Patch(t, "DOCKER_HOST", "ssh://someswarmserver")()
+	cli.configFile = &configfile.ConfigFile{
+		StackOrchestrator: "swarm",
+	}
+	ctx, err := ResolveDefaultContext(&cliflags.CommonOptions{
+		TLS: true,
+		TLSOptions: &tlsconfig.Options{
+			CAFile: "./testdata/ca.pem",
+		},
+	}, cli.ConfigFile(), DefaultContextStoreConfig(), cli.Err())
+	assert.NilError(t, err)
+	assert.Equal(t, "default", ctx.Meta.Name)
+	assert.Equal(t, OrchestratorSwarm, ctx.Meta.Metadata.(DockerContext).StackOrchestrator)
+	assert.DeepEqual(t, "ssh://someswarmserver", ctx.Meta.Endpoints[docker.DockerEndpoint].(docker.EndpointMeta).Host)
+	golden.Assert(t, string(ctx.TLS.Endpoints[docker.DockerEndpoint].Files["ca.pem"]), "ca.pem")
+}
+
+func TestExportDefaultImport(t *testing.T) {
+	file1 := make([]byte, 1500)
+	rand.Read(file1)
+	file2 := make([]byte, 3700)
+	rand.Read(file2)
+	s, cleanup := testStore(t, testDefaultMetadata(), store.ContextTLSData{
+		Endpoints: map[string]store.EndpointTLSData{
+			"ep2": {
+				Files: map[string][]byte{
+					"file1": file1,
+					"file2": file2,
+				},
+			},
+		},
+	})
+	defer cleanup()
+	r := store.Export("default", s)
+	defer r.Close()
+	err := store.Import("dest", s, r)
+	assert.NilError(t, err)
+
+	srcMeta, err := s.GetMetadata("default")
+	assert.NilError(t, err)
+	destMeta, err := s.GetMetadata("dest")
+	assert.NilError(t, err)
+	assert.DeepEqual(t, destMeta.Metadata, srcMeta.Metadata)
+	assert.DeepEqual(t, destMeta.Endpoints, srcMeta.Endpoints)
+
+	srcFileList, err := s.ListTLSFiles("default")
+	assert.NilError(t, err)
+	destFileList, err := s.ListTLSFiles("dest")
+	assert.NilError(t, err)
+	assert.Equal(t, 1, len(destFileList))
+	assert.Equal(t, 1, len(srcFileList))
+	assert.Equal(t, 2, len(destFileList["ep2"]))
+	assert.Equal(t, 2, len(srcFileList["ep2"]))
+
+	srcData1, err := s.GetTLSData("default", "ep2", "file1")
+	assert.NilError(t, err)
+	assert.DeepEqual(t, file1, srcData1)
+	srcData2, err := s.GetTLSData("default", "ep2", "file2")
+	assert.NilError(t, err)
+	assert.DeepEqual(t, file2, srcData2)
+
+	destData1, err := s.GetTLSData("dest", "ep2", "file1")
+	assert.NilError(t, err)
+	assert.DeepEqual(t, file1, destData1)
+	destData2, err := s.GetTLSData("dest", "ep2", "file2")
+	assert.NilError(t, err)
+	assert.DeepEqual(t, file2, destData2)
+}
+
+func TestListDefaultContext(t *testing.T) {
+	meta := testDefaultMetadata()
+	s, cleanup := testStore(t, meta, store.ContextTLSData{})
+	defer cleanup()
+	result, err := s.List()
+	assert.NilError(t, err)
+	assert.Equal(t, 1, len(result))
+	assert.DeepEqual(t, meta, result[0])
+}
+
+func TestGetDefaultContextStorageInfo(t *testing.T) {
+	s, cleanup := testStore(t, testDefaultMetadata(), store.ContextTLSData{})
+	defer cleanup()
+	result := s.GetStorageInfo(DefaultContextName)
+	assert.Equal(t, "<IN MEMORY>", result.MetadataPath)
+	assert.Equal(t, "<IN MEMORY>", result.TLSPath)
+}
+
+func TestGetDefaultContextMetadata(t *testing.T) {
+	meta := testDefaultMetadata()
+	s, cleanup := testStore(t, meta, store.ContextTLSData{})
+	defer cleanup()
+	result, err := s.GetMetadata(DefaultContextName)
+	assert.NilError(t, err)
+	assert.Equal(t, DefaultContextName, result.Name)
+	assert.DeepEqual(t, meta.Metadata, result.Metadata)
+	assert.DeepEqual(t, meta.Endpoints, result.Endpoints)
+}
+
+func TestErrCreateDefault(t *testing.T) {
+	meta := testDefaultMetadata()
+	s, cleanup := testStore(t, meta, store.ContextTLSData{})
+	defer cleanup()
+	err := s.CreateOrUpdate(store.Metadata{
+		Endpoints: map[string]interface{}{
+			"ep1": endpoint{Foo: "bar"},
+		},
+		Metadata: testContext{Bar: "baz"},
+		Name:     "default",
+	})
+	assert.Error(t, err, "default context cannot be created nor updated")
+}
+
+func TestErrRemoveDefault(t *testing.T) {
+	meta := testDefaultMetadata()
+	s, cleanup := testStore(t, meta, store.ContextTLSData{})
+	defer cleanup()
+	err := s.Remove("default")
+	assert.Error(t, err, "default context cannot be removed")
+}
+
+func TestErrTLSDataError(t *testing.T) {
+	meta := testDefaultMetadata()
+	s, cleanup := testStore(t, meta, store.ContextTLSData{})
+	defer cleanup()
+	_, err := s.GetTLSData("default", "noop", "noop")
+	assert.Check(t, store.IsErrTLSDataDoesNotExist(err))
+}
--- a/cli/command/engine/activate.go
+++ b/cli/command/engine/activate.go
@ -3,11 +3,12 @@ package engine
 import (
 	"context"
 	"fmt"
+	"strings"

 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/formatter"
-	"github.com/docker/cli/internal/containerizedengine"
 	"github.com/docker/cli/internal/licenseutils"
+	clitypes "github.com/docker/cli/types"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/licensing/model"
 	"github.com/pkg/errors"
@ -15,19 +16,21 @@ import (
 )

 type activateOptions struct {
-	licenseFile    string
-	version        string
-	registryPrefix string
-	format         string
-	image          string
-	quiet          bool
-	displayOnly    bool
-	sockPath       string
+	licenseFile      string
+	version          string
+	registryPrefix   string
+	format           string
+	image            string
+	quiet            bool
+	displayOnly      bool
+	sockPath         string
+	licenseLoginFunc func(ctx context.Context, authConfig *types.AuthConfig) (licenseutils.HubUser, error)
 }

 // newActivateCommand creates a new `docker engine activate` command
 func newActivateCommand(dockerCli command.Cli) *cobra.Command {
 	var options activateOptions
+	options.licenseLoginFunc = licenseutils.Login

 	cmd := &cobra.Command{
 		Use:   "activate [OPTIONS]",
@ -56,10 +59,10 @@ https://hub.docker.com/ then specify the file with the '--license' flag.

 	flags.StringVar(&options.licenseFile, "license", "", "License File")
 	flags.StringVar(&options.version, "version", "", "Specify engine version (default is to use currently running version)")
-	flags.StringVar(&options.registryPrefix, "registry-prefix", "docker.io/docker", "Override the default location where engine images are pulled")
-	flags.StringVar(&options.image, "engine-image", containerizedengine.EnterpriseEngineImage, "Specify engine image")
+	flags.StringVar(&options.registryPrefix, "registry-prefix", clitypes.RegistryPrefix, "Override the default location where engine images are pulled")
+	flags.StringVar(&options.image, "engine-image", "", "Specify engine image")
 	flags.StringVar(&options.format, "format", "", "Pretty-print licenses using a Go template")
-	flags.BoolVar(&options.displayOnly, "display-only", false, "only display the available licenses and exit")
+	flags.BoolVar(&options.displayOnly, "display-only", false, "only display license information and exit")
 	flags.BoolVar(&options.quiet, "quiet", false, "Only display available licenses by ID")
 	flags.StringVar(&options.sockPath, "containerd", "", "override default location of containerd endpoint")

@ -67,6 +70,9 @@ https://hub.docker.com/ then specify the file with the '--license' flag.
 }

 func runActivate(cli command.Cli, options activateOptions) error {
+	if !isRoot() {
+		return errors.New("this command must be run as a privileged user")
+	}
 	ctx := context.Background()
 	client, err := cli.NewContainerizedEngineClient(options.sockPath)
 	if err != nil {
@ -94,26 +100,48 @@ func runActivate(cli command.Cli, options activateOptions) error {
 			return err
 		}
 	}
-	if err = licenseutils.ApplyLicense(ctx, cli.Client(), license); err != nil {
+	summary, err := licenseutils.GetLicenseSummary(ctx, *license)
+	if err != nil {
+		return err
+	}
+	fmt.Fprintf(cli.Out(), "License: %s\n", summary)
+	if options.displayOnly {
+		return nil
+	}
+	dclient := cli.Client()
+	if err = licenseutils.ApplyLicense(ctx, dclient, license); err != nil {
 		return err
 	}

-	opts := containerizedengine.EngineInitOptions{
+	// Short circuit if the user didn't specify a version and we're already running enterprise
+	if options.version == "" {
+		serverVersion, err := dclient.ServerVersion(ctx)
+		if err != nil {
+			return err
+		}
+		if strings.Contains(strings.ToLower(serverVersion.Platform.Name), "enterprise") {
+			fmt.Fprintln(cli.Out(), "Successfully activated engine license on existing enterprise engine.")
+			return nil
+		}
+		options.version = serverVersion.Version
+	}
+
+	opts := clitypes.EngineInitOptions{
 		RegistryPrefix: options.registryPrefix,
 		EngineImage:    options.image,
 		EngineVersion:  options.version,
 	}

-	return client.ActivateEngine(ctx, opts, cli.Out(), authConfig,
-		func(ctx context.Context) error {
-			client := cli.Client()
-			_, err := client.Ping(ctx)
-			return err
-		})
+	if err := client.ActivateEngine(ctx, opts, cli.Out(), authConfig); err != nil {
+		return err
+	}
+	fmt.Fprintln(cli.Out(), `Successfully activated engine.
+Restart docker with 'systemctl restart docker' to complete the activation.`)
+	return nil
 }

 func getLicenses(ctx context.Context, authConfig *types.AuthConfig, cli command.Cli, options activateOptions) (*model.IssuedLicense, error) {
-	user, err := licenseutils.Login(ctx, authConfig)
+	user, err := options.licenseLoginFunc(ctx, authConfig)
 	if err != nil {
 		return nil, err
 	}
@ -133,10 +161,10 @@ func getLicenses(ctx context.Context, authConfig *types.AuthConfig, cli command.

 	updatesCtx := formatter.Context{
 		Output: cli.Out(),
-		Format: formatter.NewSubscriptionsFormat(format, options.quiet),
+		Format: NewSubscriptionsFormat(format, options.quiet),
 		Trunc:  false,
 	}
-	if err := formatter.SubscriptionsWrite(updatesCtx, subs); err != nil {
+	if err := SubscriptionsWrite(updatesCtx, subs); err != nil {
 		return nil, err
 	}
 	if options.displayOnly {
--- a/cli/command/engine/activate_test.go
+++ b/cli/command/engine/activate_test.go
@ -1,19 +1,36 @@
 package engine

 import (
+	"context"
 	"fmt"
+	"os"
 	"testing"
+	"time"

-	"github.com/docker/cli/internal/containerizedengine"
+	"github.com/docker/cli/internal/licenseutils"
+	"github.com/docker/cli/internal/test"
+	clitypes "github.com/docker/cli/types"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/client"
+	"github.com/docker/licensing"
+	"github.com/docker/licensing/model"
 	"gotest.tools/assert"
+	"gotest.tools/fs"
+	"gotest.tools/golden"
+)
+
+const (
+	// nolint: lll
+	expiredLicense = `{"key_id":"irlYm3b9fdD8hMUXjazF39im7VQSSbAm9tfHK8cKUxJt","private_key":"aH5tTRDAVJpCRS2CRetTQVXIKgWUPfoCHODhDvNPvAbz","authorization":"ewogICAicGF5bG9hZCI6ICJleUpsZUhCcGNtRjBhVzl1SWpvaU1qQXhPQzB3TXkweE9GUXdOem93TURvd01Gb2lMQ0owYjJ0bGJpSTZJbkZtTVMxMlVtRmtialp5YjFaMldXdHJlVXN4VFdKMGNGUmpXR1ozVjA4MVRWZFFTM2cwUnpJd2NIYzlJaXdpYldGNFJXNW5hVzVsY3lJNk1Td2ljMk5oYm01cGJtZEZibUZpYkdWa0lqcDBjblZsTENKc2FXTmxibk5sVkhsd1pTSTZJazltWm14cGJtVWlMQ0owYVdWeUlqb2lVSEp2WkhWamRHbHZiaUo5IiwKICAgInNpZ25hdHVyZXMiOiBbCiAgICAgIHsKICAgICAgICAgImhlYWRlciI6IHsKICAgICAgICAgICAgImp3ayI6IHsKICAgICAgICAgICAgICAgImUiOiAiQVFBQiIsCiAgICAgICAgICAgICAgICJrZXlJRCI6ICJKN0xEOjY3VlI6TDVIWjpVN0JBOjJPNEc6NEFMMzpPRjJOOkpIR0I6RUZUSDo1Q1ZROk1GRU86QUVJVCIsCiAgICAgICAgICAgICAgICJraWQiOiAiSjdMRDo2N1ZSOkw1SFo6VTdCQToyTzRHOjRBTDM6T0YyTjpKSEdCOkVGVEg6NUNWUTpNRkVPOkFFSVQiLAogICAgICAgICAgICAgICAia3R5IjogIlJTQSIsCiAgICAgICAgICAgICAgICJuIjogInlkSXktbFU3bzdQY2VZLTQtcy1DUTVPRWdDeUY4Q3hJY1FJV3VLODRwSWlaY2lZNjczMHlDWW53TFNLVGx3LVU2VUNfUVJlV1Jpb01OTkU1RHM1VFlFWGJHRzZvbG0ycWRXYkJ3Y0NnLTJVVUhfT2NCOVd1UDZnUlBIcE1GTXN4RHpXd3ZheThKVXVIZ1lVTFVwbTFJdi1tcTdscDVuUV9SeHJUMEtaUkFRVFlMRU1FZkd3bTNoTU9fZ2VMUFMtaGdLUHRJSGxrZzZfV2NveFRHb0tQNzlkX3dhSFl4R05sN1doU25laUJTeGJwYlFBS2syMWxnNzk4WGI3dlp5RUFURE1yUlI5TWVFNkFkajVISnBZM0NveVJBUENtYUtHUkNLNHVvWlNvSXUwaEZWbEtVUHliYncwMDBHTy13YTJLTjhVd2dJSW0waTVJMXVXOUdrcTR6akJ5NXpoZ3F1VVhiRzliV1BBT1lycTVRYTgxRHhHY0JsSnlIWUFwLUREUEU5VEdnNHpZbVhqSm54WnFIRWR1R3FkZXZaOFhNSTB1a2ZrR0lJMTR3VU9pTUlJSXJYbEVjQmZfNDZJOGdRV0R6eHljWmVfSkdYLUxBdWF5WHJ5clVGZWhWTlVkWlVsOXdYTmFKQi1rYUNxejVRd2FSOTNzR3ctUVNmdEQwTnZMZTdDeU9ILUU2dmc2U3RfTmVUdmd2OFluaENpWElsWjhIT2ZJd05lN3RFRl9VY3o1T2JQeWttM3R5bHJOVWp0MFZ5QW10dGFjVkkyaUdpaGNVUHJtazRsVklaN1ZEX0xTVy1pN3lvU3VydHBzUFhjZTJwS0RJbzMwbEpHaE9fM0tVbWwyU1VaQ3F6SjF5RW1LcHlzSDVIRFc5Y3NJRkNBM2RlQWpmWlV2TjdVIgogICAgICAgICAgICB9LAogICAgICAgICAgICAiYWxnIjogIlJTMjU2IgogICAgICAgICB9LAogICAgICAgICAic2lnbmF0dXJlIjogIm5saTZIdzRrbW5KcTBSUmRXaGVfbkhZS2VJLVpKenM1U0d5SUpDakh1dWtnVzhBYklpVzFZYWJJR2NqWUt0QTY4dWN6T1hyUXZreGxWQXJLSlgzMDJzN0RpbzcxTlNPRzJVcnhsSjlibDFpd0F3a3ZyTEQ2T0p5MGxGLVg4WnRabXhPVmNQZmwzcmJwZFQ0dnlnWTdNcU1QRXdmb0IxTmlWZDYyZ1cxU2NSREZZcWw3R0FVaFVKNkp4QU15VzVaOXl5YVE0NV8wd0RMUk5mRjA5YWNXeVowTjRxVS1hZjhrUTZUUWZUX05ERzNCR3pRb2V3cHlEajRiMFBHb0diOFhLdDlwekpFdEdxM3lQM25VMFFBbk90a2gwTnZac1l1UFcyUnhDT3lRNEYzVlR3UkF2eF9HSTZrMVRpYmlKNnByUWluUy16Sjh6RE8zUjBuakE3OFBwNXcxcVpaUE9BdmtzZFNSYzJDcVMtcWhpTmF5YUhOVHpVNnpyOXlOZHR2S0o1QjNST0FmNUtjYXNiWURjTnVpeXBUNk90LUtqQ2I1dmYtWVpnc2FRNzJBdFBhSU4yeUpNREZHbmEwM0hpSjMxcTJRUlp5eTZrd3RYaGtwcDhTdEdIcHYxSWRaV09SVWttb0g5SFBzSGk4SExRLTZlM0tEY2x1RUQyMTNpZnljaVhtN0YzdHdaTTNHeDd1UXR1SldHaUlTZ2Z0QW9lVjZfUmI2VThkMmZxNzZuWHYxak5nckRRcE5waEZFd2tCdGRtZHZ2THByZVVYX3BWangza1AxN3pWbXFKNmNOOWkwWUc4WHg2VmRzcUxsRXUxQ2Rhd3Q0eko1M3VHMFlKTjRnUDZwc25yUS1uM0U1aFdlMDJ3d3dBZ3F3bGlPdmd4V1RTeXJyLXY2eDI0IiwKICAgICAgICAgInByb3RlY3RlZCI6ICJleUptYjNKdFlYUk1aVzVuZEdnaU9qRTNNeXdpWm05eWJXRjBWR0ZwYkNJNkltWlJJaXdpZEdsdFpTSTZJakl3TVRjdE1EVXRNRFZVTWpFNk5UYzZNek5hSW4wIgogICAgICB9CiAgIF0KfQ=="}`
 )

 func TestActivateNoContainerd(t *testing.T) {
 	testCli.SetContainerizedEngineClient(
-		func(string) (containerizedengine.Client, error) {
+		func(string) (clitypes.ContainerizedClient, error) {
 			return nil, fmt.Errorf("some error")
 		},
 	)
+	isRoot = func() bool { return true }
 	cmd := newActivateCommand(testCli)
 	cmd.Flags().Set("license", "invalidpath")
 	cmd.SilenceUsage = true
@ -23,15 +40,109 @@ func TestActivateNoContainerd(t *testing.T) {
 }

 func TestActivateBadLicense(t *testing.T) {
-	testCli.SetContainerizedEngineClient(
-		func(string) (containerizedengine.Client, error) {
+	isRoot = func() bool { return true }
+	c := test.NewFakeCli(&verClient{client.Client{}, types.Version{}, nil, types.Info{}, nil})
+	c.SetContainerizedEngineClient(
+		func(string) (clitypes.ContainerizedClient, error) {
 			return &fakeContainerizedEngineClient{}, nil
 		},
 	)
-	cmd := newActivateCommand(testCli)
+	cmd := newActivateCommand(c)
 	cmd.SilenceUsage = true
 	cmd.SilenceErrors = true
 	cmd.Flags().Set("license", "invalidpath")
 	err := cmd.Execute()
-	assert.Error(t, err, "open invalidpath: no such file or directory")
+	assert.Assert(t, os.IsNotExist(err))
+}
+
+func TestActivateExpiredLicenseDryRun(t *testing.T) {
+	dir := fs.NewDir(t, "license", fs.WithFile("docker.lic", expiredLicense, fs.WithMode(0644)))
+	defer dir.Remove()
+	filename := dir.Join("docker.lic")
+	isRoot = func() bool { return true }
+	c := test.NewFakeCli(&verClient{client.Client{}, types.Version{}, nil, types.Info{}, nil})
+	c.SetContainerizedEngineClient(
+		func(string) (clitypes.ContainerizedClient, error) {
+			return &fakeContainerizedEngineClient{}, nil
+		},
+	)
+	cmd := newActivateCommand(c)
+	cmd.SilenceUsage = true
+	cmd.SilenceErrors = true
+	cmd.Flags().Set("license", filename)
+	cmd.Flags().Set("display-only", "true")
+	c.OutBuffer().Reset()
+	err := cmd.Execute()
+	assert.NilError(t, err)
+	golden.Assert(t, c.OutBuffer().String(), "expired-license-display-only.golden")
+}
+
+type mockLicenseClient struct{}
+
+func (c mockLicenseClient) LoginViaAuth(ctx context.Context, username, password string) (authToken string, err error) {
+	return "", fmt.Errorf("not implemented")
+}
+
+func (c mockLicenseClient) GetHubUserOrgs(ctx context.Context, authToken string) (orgs []model.Org, err error) {
+	return nil, fmt.Errorf("not implemented")
+}
+func (c mockLicenseClient) GetHubUserByName(ctx context.Context, username string) (user *model.User, err error) {
+	return nil, fmt.Errorf("not implemented")
+}
+func (c mockLicenseClient) VerifyLicense(ctx context.Context, license model.IssuedLicense) (res *model.CheckResponse, err error) {
+	return nil, fmt.Errorf("not implemented")
+}
+func (c mockLicenseClient) GenerateNewTrialSubscription(ctx context.Context, authToken, dockerID string) (subscriptionID string, err error) {
+	return "", fmt.Errorf("not implemented")
+}
+func (c mockLicenseClient) ListSubscriptions(ctx context.Context, authToken, dockerID string) (response []*model.Subscription, err error) {
+	expires := time.Date(2010, time.January, 1, 0, 0, 0, 0, time.UTC)
+	return []*model.Subscription{
+		{
+			State:   "active",
+			Expires: &expires,
+		},
+	}, nil
+}
+func (c mockLicenseClient) ListSubscriptionsDetails(ctx context.Context, authToken, dockerID string) (response []*model.SubscriptionDetail, err error) {
+	return nil, fmt.Errorf("not implemented")
+}
+func (c mockLicenseClient) DownloadLicenseFromHub(ctx context.Context, authToken, subscriptionID string) (license *model.IssuedLicense, err error) {
+	return nil, fmt.Errorf("not implemented")
+}
+func (c mockLicenseClient) ParseLicense(license []byte) (parsedLicense *model.IssuedLicense, err error) {
+	return nil, fmt.Errorf("not implemented")
+}
+func (c mockLicenseClient) StoreLicense(ctx context.Context, dclnt licensing.WrappedDockerClient, licenses *model.IssuedLicense, localRootDir string) error {
+	return fmt.Errorf("not implemented")
+}
+func (c mockLicenseClient) LoadLocalLicense(ctx context.Context, dclnt licensing.WrappedDockerClient) (*model.Subscription, error) {
+	return nil, fmt.Errorf("not implemented")
+}
+func (c mockLicenseClient) SummarizeLicense(res *model.CheckResponse, keyID string) *model.Subscription {
+	return nil
+}
+func TestActivateDisplayOnlyHub(t *testing.T) {
+	isRoot = func() bool { return true }
+	c := test.NewFakeCli(&verClient{client.Client{}, types.Version{}, nil, types.Info{}, nil})
+	c.SetContainerizedEngineClient(
+		func(string) (clitypes.ContainerizedClient, error) {
+			return &fakeContainerizedEngineClient{}, nil
+		},
+	)
+
+	hubUser := licenseutils.HubUser{
+		Client: mockLicenseClient{},
+	}
+	options := activateOptions{
+		licenseLoginFunc: func(ctx context.Context, authConfig *types.AuthConfig) (licenseutils.HubUser, error) {
+			return hubUser, nil
+		},
+		displayOnly: true,
+	}
+	c.OutBuffer().Reset()
+	err := runActivate(c, options)
+
+	assert.NilError(t, err)
+	golden.Assert(t, c.OutBuffer().String(), "expired-hub-license-display-only.golden")
 }
--- a/cli/command/engine/activate_unix.go
+++ b/cli/command/engine/activate_unix.go
@ -0,0 +1,13 @@
+// +build !windows
+
+package engine
+
+import (
+	"golang.org/x/sys/unix"
+)
+
+var (
+	isRoot = func() bool {
+		return unix.Geteuid() == 0
+	}
+)
--- a/cli/command/engine/activate_windows.go
+++ b/cli/command/engine/activate_windows.go
@ -0,0 +1,9 @@
+// +build windows
+
+package engine
+
+var (
+	isRoot = func() bool {
+		return true
+	}
+)
--- a/cli/command/engine/auth.go
+++ b/cli/command/engine/auth.go
@ -5,6 +5,7 @@ import (

 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/trust"
+	clitypes "github.com/docker/cli/types"
 	"github.com/docker/distribution/reference"
 	"github.com/docker/docker/api/types"
 	registrytypes "github.com/docker/docker/api/types/registry"
@ -13,7 +14,7 @@ import (

 func getRegistryAuth(cli command.Cli, registryPrefix string) (*types.AuthConfig, error) {
 	if registryPrefix == "" {
-		registryPrefix = "docker.io/docker"
+		registryPrefix = clitypes.RegistryPrefix
 	}
 	distributionRef, err := reference.ParseNormalizedNamed(registryPrefix)
 	if err != nil {
--- a/cli/command/engine/check.go
+++ b/cli/command/engine/check.go
@ -7,18 +7,16 @@ import (
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/formatter"
-	"github.com/docker/cli/internal/containerizedengine"
+	"github.com/docker/cli/internal/versions"
+	clitypes "github.com/docker/cli/types"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 )

-const (
-	releaseNotePrefix = "https://docs.docker.com/releasenotes"
-)
-
 type checkOptions struct {
 	registryPrefix string
 	preReleases    bool
+	engineImage    string
 	downgrades     bool
 	upgrades       bool
 	format         string
@ -38,9 +36,10 @@ func newCheckForUpdatesCommand(dockerCli command.Cli) *cobra.Command {
 		},
 	}
 	flags := cmd.Flags()
-	flags.StringVar(&options.registryPrefix, "registry-prefix", "", "Override the existing location where engine images are pulled")
+	flags.StringVar(&options.registryPrefix, "registry-prefix", clitypes.RegistryPrefix, "Override the existing location where engine images are pulled")
 	flags.BoolVar(&options.downgrades, "downgrades", false, "Report downgrades (default omits older versions)")
 	flags.BoolVar(&options.preReleases, "pre-releases", false, "Include pre-release versions")
+	flags.StringVar(&options.engineImage, "engine-image", "", "Specify engine image (default uses the same image as currently running)")
 	flags.BoolVar(&options.upgrades, "upgrades", true, "Report available upgrades")
 	flags.StringVar(&options.format, "format", "", "Pretty-print updates using a Go template")
 	flags.BoolVarP(&options.quiet, "quiet", "q", false, "Only display available versions")
@ -50,54 +49,47 @@ func newCheckForUpdatesCommand(dockerCli command.Cli) *cobra.Command {
 }

 func runCheck(dockerCli command.Cli, options checkOptions) error {
+	if !isRoot() {
+		return errors.New("this command must be run as a privileged user")
+	}
 	ctx := context.Background()
-	client, err := dockerCli.NewContainerizedEngineClient(options.sockPath)
-	if err != nil {
-		return errors.Wrap(err, "unable to access local containerd")
-	}
-	defer client.Close()
-	currentOpts, err := client.GetCurrentEngineVersion(ctx)
+	client := dockerCli.Client()
+	serverVersion, err := client.ServerVersion(ctx)
 	if err != nil {
 		return err
 	}

-	// override with user provided prefix if specified
-	if options.registryPrefix != "" {
-		currentOpts.RegistryPrefix = options.registryPrefix
-	}
-	imageName := currentOpts.RegistryPrefix + "/" + currentOpts.EngineImage
-	currentVersion := currentOpts.EngineVersion
-	versions, err := client.GetEngineVersions(ctx, dockerCli.RegistryClient(false), currentVersion, imageName)
+	availVersions, err := versions.GetEngineVersions(ctx, dockerCli.RegistryClient(false), options.registryPrefix, options.engineImage, serverVersion.Version)
 	if err != nil {
 		return err
 	}

-	availUpdates := []containerizedengine.Update{
-		{Type: "current", Version: currentVersion},
+	availUpdates := []clitypes.Update{
+		{Type: "current", Version: serverVersion.Version},
 	}
-	if len(versions.Patches) > 0 {
+	if len(availVersions.Patches) > 0 {
 		availUpdates = append(availUpdates,
 			processVersions(
-				currentVersion,
+				serverVersion.Version,
 				"patch",
 				options.preReleases,
-				versions.Patches)...)
+				availVersions.Patches)...)
 	}
 	if options.upgrades {
 		availUpdates = append(availUpdates,
 			processVersions(
-				currentVersion,
+				serverVersion.Version,
 				"upgrade",
 				options.preReleases,
-				versions.Upgrades)...)
+				availVersions.Upgrades)...)
 	}
 	if options.downgrades {
 		availUpdates = append(availUpdates,
 			processVersions(
-				currentVersion,
+				serverVersion.Version,
 				"downgrade",
 				options.preReleases,
-				versions.Downgrades)...)
+				availVersions.Downgrades)...)
 	}

 	format := options.format
@ -107,25 +99,25 @@ func runCheck(dockerCli command.Cli, options checkOptions) error {

 	updatesCtx := formatter.Context{
 		Output: dockerCli.Out(),
-		Format: formatter.NewUpdatesFormat(format, options.quiet),
+		Format: NewUpdatesFormat(format, options.quiet),
 		Trunc:  false,
 	}
-	return formatter.UpdatesWrite(updatesCtx, availUpdates)
+	return UpdatesWrite(updatesCtx, availUpdates)
 }

 func processVersions(currentVersion, verType string,
 	includePrerelease bool,
-	versions []containerizedengine.DockerVersion) []containerizedengine.Update {
-	availUpdates := []containerizedengine.Update{}
-	for _, ver := range versions {
+	availVersions []clitypes.DockerVersion) []clitypes.Update {
+	availUpdates := []clitypes.Update{}
+	for _, ver := range availVersions {
 		if !includePrerelease && ver.Prerelease() != "" {
 			continue
 		}
 		if ver.Tag != currentVersion {
-			availUpdates = append(availUpdates, containerizedengine.Update{
+			availUpdates = append(availUpdates, clitypes.Update{
 				Type:    verType,
 				Version: ver.Tag,
-				Notes:   fmt.Sprintf("%s/%s", releaseNotePrefix, ver.Tag),
+				Notes:   fmt.Sprintf("%s/%s", clitypes.ReleaseNotePrefix, ver.Tag),
 			})
 		}
 	}
--- a/Show More
+++ b/Show More
				`@ -0,0 +1 @@`
				`WARNING: Localhost DNS setting (--dns=::1) may fail in containers.`
				`@ -0,0 +1 @@`
				`WARNING: Localhost DNS setting (--dns=127.0.0.11) may fail in containers.`
				`@ -0,0 +1 @@`
				`WARNING: Disabling the OOM killer on containers without setting a '-m/--memory' limit may be dangerous.`