Merge pull request #3461 from thaJeztah/20.10_bump_go_1.16.15

[20.10] update to go 1.16.15 to address CVE-2022-24921

.circleci/config.yml

@@ -4,13 +4,13 @@ jobs:
 
   lint:
     working_directory: /work
-    docker: [{image: 'docker:19.03-git'}]
+    docker: [{image: 'docker:20.10-git'}]
     environment:
       DOCKER_BUILDKIT: 1
     steps:
       - checkout
       - setup_remote_docker:
-          version: 19.03.12
+          version: 20.10.6
           reusable: true
           exclusive: false
       - run:
@@ -39,7 +39,7 @@ jobs:
 
   cross:
     working_directory: /work
-    docker: [{image: 'docker:19.03-git'}]
+    docker: [{image: 'docker:20.10-git'}]
     environment:
       DOCKER_BUILDKIT: 1
       BUILDX_VERSION: "v0.5.1"
@@ -47,7 +47,7 @@ jobs:
     steps:
       - checkout
       - setup_remote_docker:
-          version: 19.03.12
+          version: 20.10.6
           reusable: true
           exclusive: false
       - run:
@@ -69,13 +69,13 @@ jobs:
 
   test:
     working_directory: /work
-    docker: [{image: 'docker:19.03-git'}]
+    docker: [{image: 'docker:20.10-git'}]
     environment:
       DOCKER_BUILDKIT: 1
     steps:
       - checkout
       - setup_remote_docker:
-          version: 19.03.12
+          version: 20.10.6
           reusable: true
           exclusive: false
       - run:
@@ -116,13 +116,13 @@ jobs:
 
   validate:
     working_directory: /work
-    docker: [{image: 'docker:19.03-git'}]
+    docker: [{image: 'docker:20.10-git'}]
     environment:
       DOCKER_BUILDKIT: 1
     steps:
       - checkout
       - setup_remote_docker:
-          version: 19.03.12
+          version: 20.10.6
           reusable: true
           exclusive: false
       - run:

Dockerfile

@@ -1,20 +1,21 @@
-#syntax=docker/dockerfile:1.2
+# syntax=docker/dockerfile:1.3
 
 ARG BASE_VARIANT=alpine
-ARG GO_VERSION=1.13.15
+ARG GO_VERSION=1.16.15
+ARG XX_VERSION=1.0.0-rc.2
 
 FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-${BASE_VARIANT} AS gostable
-FROM --platform=$BUILDPLATFORM golang:1.16-${BASE_VARIANT} AS golatest	
+FROM --platform=$BUILDPLATFORM golang:1.17rc1-${BASE_VARIANT} AS golatest
 
-FROM gostable AS go-linux	
-FROM golatest AS go-darwin
-FROM golatest AS go-windows-amd64
-FROM golatest AS go-windows-386
-FROM golatest AS go-windows-arm
-FROM --platform=$BUILDPLATFORM tonistiigi/golang:497feff1-${BASE_VARIANT} AS go-windows-arm64
+FROM gostable AS go-linux
+FROM gostable AS go-darwin
+FROM gostable AS go-windows-amd64
+FROM gostable AS go-windows-386
+FROM gostable AS go-windows-arm
+FROM golatest AS go-windows-arm64
 FROM go-windows-${TARGETARCH} AS go-windows
 
-FROM --platform=$BUILDPLATFORM tonistiigi/xx@sha256:620d36a9d7f1e3b102a5c7e8eff12081ac363828b3a44390f24fa8da2d49383d AS xx
+FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
 
 FROM go-${TARGETOS} AS build-base-alpine
 COPY --from=xx / /

Jenkinsfile

@@ -1,6 +1,6 @@
 pipeline {
     agent {
-        label "linux && x86_64"
+        label "amd64 && ubuntu-1804 && overlay2"
     }
 
     options {
@@ -21,9 +21,9 @@ pipeline {
                     make -f docker.Makefile test-e2e-non-experimental"
             }
         }
-        stage("e2e (non-experimental) - 18.09 engine") {
+        stage("e2e (non-experimental) - 19.03 engine") {
             steps {
-                sh "E2E_ENGINE_VERSION=18.09-dind \
+                sh "E2E_ENGINE_VERSION=19.03-dind \
                   E2E_UNIQUE_ID=clie2e${BUILD_NUMBER} \
                   IMAGE_TAG=clie2e${BUILD_NUMBER} \
                   make -f docker.Makefile test-e2e-non-experimental"

appveyor.yml

@@ -4,7 +4,7 @@ clone_folder: c:\gopath\src\github.com\docker\cli
 
 environment:
   GOPATH: c:\gopath
-  GOVERSION: 1.13.15
+  GOVERSION: 1.16.15
   DEPVERSION: v0.4.1
 
 install:

cli/command/cli.go

@@ -255,7 +255,7 @@ func (cli *DockerCli) Initialize(opts *cliflags.ClientOptions, ops ...Initialize
 		if tlsconfig.IsErrEncryptedKey(err) {
 			passRetriever := passphrase.PromptRetrieverWithInOut(cli.In(), cli.Out(), nil)
 			newClient := func(password string) (client.APIClient, error) {
-				cli.dockerEndpoint.TLSPassword = password
+				cli.dockerEndpoint.TLSPassword = password //nolint: staticcheck // SA1019: cli.dockerEndpoint.TLSPassword is deprecated
 				return newAPIClientFromEndpoint(cli.dockerEndpoint, cli.configFile)
 			}
 			cli.client, err = getClientWithPassword(passRetriever, newClient)

cli/command/cli_test.go

@@ -6,7 +6,6 @@ import (
 	"crypto/x509"
 	"fmt"
 	"io/ioutil"
-	"net/http"
 	"os"
 	"runtime"
 	"testing"
@@ -80,24 +79,6 @@ func TestNewAPIClientFromFlagsWithAPIVersionFromEnv(t *testing.T) {
 	assert.Check(t, is.Equal(customVersion, apiclient.ClientVersion()))
 }
 
-func TestNewAPIClientFromFlagsWithHttpProxyEnv(t *testing.T) {
-	defer env.Patch(t, "HTTP_PROXY", "http://proxy.acme.com:1234")()
-	defer env.Patch(t, "DOCKER_HOST", "tcp://docker.acme.com:2376")()
-
-	opts := &flags.CommonOptions{}
-	configFile := &configfile.ConfigFile{}
-	apiclient, err := NewAPIClientFromFlags(opts, configFile)
-	assert.NilError(t, err)
-	transport, ok := apiclient.HTTPClient().Transport.(*http.Transport)
-	assert.Assert(t, ok)
-	assert.Assert(t, transport.Proxy != nil)
-	request, err := http.NewRequest(http.MethodGet, "tcp://docker.acme.com:2376", nil)
-	assert.NilError(t, err)
-	url, err := transport.Proxy(request)
-	assert.NilError(t, err)
-	assert.Check(t, is.Equal("http://proxy.acme.com:1234", url.String()))
-}
-
 type fakeClient struct {
 	client.Client
 	pingFunc   func() (types.Ping, error)

cli/command/container/create_test.go

@@ -133,7 +133,7 @@ func TestCreateContainerImagePullPolicy(t *testing.T) {
 				return ioutil.NopCloser(strings.NewReader("")), nil
 			},
 			infoFunc: func() (types.Info, error) {
-				return types.Info{IndexServerAddress: "http://indexserver"}, nil
+				return types.Info{IndexServerAddress: "https://indexserver.example.com"}, nil
 			},
 		}
 		cli := test.NewFakeCli(client)

cli/command/context/create.go

@@ -62,8 +62,11 @@ func newCreateCommand(dockerCli command.Cli) *cobra.Command {
 		&opts.DefaultStackOrchestrator,
 		"default-stack-orchestrator", "",
 		"Default orchestrator for stack operations to use with this context (swarm|kubernetes|all)")
+	flags.SetAnnotation("default-stack-orchestrator", "deprecated", nil)
 	flags.StringToStringVar(&opts.Docker, "docker", nil, "set the docker endpoint")
 	flags.StringToStringVar(&opts.Kubernetes, "kubernetes", nil, "set the kubernetes endpoint")
+	flags.SetAnnotation("kubernetes", "kubernetes", nil)
+	flags.SetAnnotation("kubernetes", "deprecated", nil)
 	flags.StringVar(&opts.From, "from", "", "create context from a named context")
 	return cmd
 }

cli/command/context/create_test.go

@@ -169,7 +169,7 @@ func validateTestKubeEndpoint(t *testing.T, s store.Reader, name string) {
 	kubeMeta := ctxMetadata.Endpoints[kubernetes.KubernetesEndpoint].(kubernetes.EndpointMeta)
 	kubeEP, err := kubeMeta.WithTLSData(s, name)
 	assert.NilError(t, err)
-	assert.Equal(t, "https://someserver", kubeEP.Host)
+	assert.Equal(t, "https://someserver.example.com", kubeEP.Host)
 	assert.Equal(t, "the-ca", string(kubeEP.TLSData.CA))
 	assert.Equal(t, "the-cert", string(kubeEP.TLSData.Cert))
 	assert.Equal(t, "the-key", string(kubeEP.TLSData.Key))
@@ -287,7 +287,7 @@ func TestCreateFromContext(t *testing.T) {
 			assert.Equal(t, newContextTyped.Description, c.expectedDescription)
 			assert.Equal(t, newContextTyped.StackOrchestrator, c.expectedOrchestrator)
 			assert.Equal(t, dockerEndpoint.Host, "tcp://42.42.42.42:2375")
-			assert.Equal(t, kubeEndpoint.Host, "https://someserver")
+			assert.Equal(t, kubeEndpoint.Host, "https://someserver.example.com")
 		})
 	}
 }
@@ -361,7 +361,7 @@ func TestCreateFromCurrent(t *testing.T) {
 			assert.Equal(t, newContextTyped.Description, c.expectedDescription)
 			assert.Equal(t, newContextTyped.StackOrchestrator, c.expectedOrchestrator)
 			assert.Equal(t, dockerEndpoint.Host, "tcp://42.42.42.42:2375")
-			assert.Equal(t, kubeEndpoint.Host, "https://someserver")
+			assert.Equal(t, kubeEndpoint.Host, "https://someserver.example.com")
 		})
 	}
 }

cli/command/context/export.go

@@ -46,6 +46,8 @@ func newExportCommand(dockerCli command.Cli) *cobra.Command {
 
 	flags := cmd.Flags()
 	flags.BoolVar(&opts.Kubeconfig, "kubeconfig", false, "Export as a kubeconfig file")
+	flags.SetAnnotation("kubeconfig", "kubernetes", nil)
+	flags.SetAnnotation("kubeconfig", "deprecated", nil)
 	return cmd
 }
 

cli/command/context/list_test.go

@@ -18,7 +18,7 @@ func createTestContextWithKubeAndSwarm(t *testing.T, cli command.Cli, name strin
 		DefaultStackOrchestrator: orchestrator,
 		Description:              "description of " + name,
 		Kubernetes:               map[string]string{keyFrom: "default"},
-		Docker:                   map[string]string{keyHost: "https://someswarmserver"},
+		Docker:                   map[string]string{keyHost: "https://someswarmserver.example.com"},
 	})
 	assert.NilError(t, err)
 }

cli/command/context/testdata/inspect.golden

@@ -7,11 +7,11 @@
         },
         "Endpoints": {
             "docker": {
-                "Host": "https://someswarmserver",
+                "Host": "https://someswarmserver.example.com",
                 "SkipTLSVerify": false
             },
             "kubernetes": {
-                "Host": "https://someserver",
+                "Host": "https://someserver.example.com",
                 "SkipTLSVerify": false,
                 "DefaultNamespace": "default"
             }

cli/command/context/testdata/list.golden

@@ -1,5 +1,5 @@
-NAME        DESCRIPTION                               DOCKER ENDPOINT               KUBERNETES ENDPOINT            ORCHESTRATOR
-current *   description of current                    https://someswarmserver       https://someserver (default)   all
-default     Current DOCKER_HOST based configuration   unix:///var/run/docker.sock                                  swarm
-other       description of other                      https://someswarmserver       https://someserver (default)   all
-unset       description of unset                      https://someswarmserver       https://someserver (default)   
+NAME        DESCRIPTION                               DOCKER ENDPOINT                       KUBERNETES ENDPOINT                        ORCHESTRATOR
+current *   description of current                    https://someswarmserver.example.com   https://someserver.example.com (default)   all
+default     Current DOCKER_HOST based configuration   unix:///var/run/docker.sock                                                      swarm
+other       description of other                      https://someswarmserver.example.com   https://someserver.example.com (default)   all
+unset       description of unset                      https://someswarmserver.example.com   https://someserver.example.com (default)   

cli/command/context/testdata/test-kubeconfig

@@ -2,7 +2,7 @@ apiVersion: v1
 clusters:
 - cluster:
     certificate-authority-data: dGhlLWNh
-    server: https://someserver
+    server: https://someserver.example.com
   name: test-cluster
 contexts:
 - context:

cli/command/context/update.go

@@ -61,8 +61,11 @@ func newUpdateCommand(dockerCli command.Cli) *cobra.Command {
 		&opts.DefaultStackOrchestrator,
 		"default-stack-orchestrator", "",
 		"Default orchestrator for stack operations to use with this context (swarm|kubernetes|all)")
+	flags.SetAnnotation("default-stack-orchestrator", "deprecated", nil)
 	flags.StringToStringVar(&opts.Docker, "docker", nil, "set the docker endpoint")
 	flags.StringToStringVar(&opts.Kubernetes, "kubernetes", nil, "set the kubernetes endpoint")
+	flags.SetAnnotation("kubernetes", "kubernetes", nil)
+	flags.SetAnnotation("kubernetes", "deprecated", nil)
 	return cmd
 }
 

cli/command/image/trust_test.go

@@ -15,17 +15,17 @@ import (
 )
 
 func TestENVTrustServer(t *testing.T) {
-	defer env.PatchAll(t, map[string]string{"DOCKER_CONTENT_TRUST_SERVER": "https://notary-test.com:5000"})()
+	defer env.PatchAll(t, map[string]string{"DOCKER_CONTENT_TRUST_SERVER": "https://notary-test.example.com:5000"})()
 	indexInfo := &registrytypes.IndexInfo{Name: "testserver"}
 	output, err := trust.Server(indexInfo)
-	expectedStr := "https://notary-test.com:5000"
+	expectedStr := "https://notary-test.example.com:5000"
 	if err != nil || output != expectedStr {
 		t.Fatalf("Expected server to be %s, got %s", expectedStr, output)
 	}
 }
 
 func TestHTTPENVTrustServer(t *testing.T) {
-	defer env.PatchAll(t, map[string]string{"DOCKER_CONTENT_TRUST_SERVER": "http://notary-test.com:5000"})()
+	defer env.PatchAll(t, map[string]string{"DOCKER_CONTENT_TRUST_SERVER": "http://notary-test.example.com:5000"})()
 	indexInfo := &registrytypes.IndexInfo{Name: "testserver"}
 	_, err := trust.Server(indexInfo)
 	if err == nil {

cli/command/registry.go

@@ -63,17 +63,14 @@ func RegistryAuthenticationPrivilegedFunc(cli Cli, index *registrytypes.IndexInf
 		indexServer := registry.GetAuthConfigKey(index)
 		isDefaultRegistry := indexServer == ElectAuthServer(context.Background(), cli)
 		authConfig, err := GetDefaultAuthConfig(cli, true, indexServer, isDefaultRegistry)
-		if authConfig == nil {
-			authConfig = &types.AuthConfig{}
-		}
 		if err != nil {
 			fmt.Fprintf(cli.Err(), "Unable to retrieve stored credentials for %s, error: %s.\n", indexServer, err)
 		}
-		err = ConfigureAuth(cli, "", "", authConfig, isDefaultRegistry)
+		err = ConfigureAuth(cli, "", "", &authConfig, isDefaultRegistry)
 		if err != nil {
 			return "", err
 		}
-		return EncodeAuthToBase64(*authConfig)
+		return EncodeAuthToBase64(authConfig)
 	}
 }
 
@@ -92,7 +89,7 @@ func ResolveAuthConfig(ctx context.Context, cli Cli, index *registrytypes.IndexI
 
 // GetDefaultAuthConfig gets the default auth config given a serverAddress
 // If credentials for given serverAddress exists in the credential store, the configuration will be populated with values in it
-func GetDefaultAuthConfig(cli Cli, checkCredStore bool, serverAddress string, isDefaultRegistry bool) (*types.AuthConfig, error) {
+func GetDefaultAuthConfig(cli Cli, checkCredStore bool, serverAddress string, isDefaultRegistry bool) (types.AuthConfig, error) {
 	if !isDefaultRegistry {
 		serverAddress = registry.ConvertToHostname(serverAddress)
 	}
@@ -101,13 +98,15 @@ func GetDefaultAuthConfig(cli Cli, checkCredStore bool, serverAddress string, is
 	if checkCredStore {
 		authconfig, err = cli.ConfigFile().GetAuthConfig(serverAddress)
 		if err != nil {
-			return nil, err
+			return types.AuthConfig{
+				ServerAddress: serverAddress,
+			}, err
 		}
 	}
 	authconfig.ServerAddress = serverAddress
 	authconfig.IdentityToken = ""
 	res := types.AuthConfig(authconfig)
-	return &res, nil
+	return res, nil
 }
 
 // ConfigureAuth handles prompting of user's username and password if needed

cli/command/registry/login.go

@@ -114,22 +114,19 @@ func runLogin(dockerCli command.Cli, opts loginOptions) error { //nolint: gocycl
 	var response registrytypes.AuthenticateOKBody
 	isDefaultRegistry := serverAddress == authServer
 	authConfig, err := command.GetDefaultAuthConfig(dockerCli, opts.user == "" && opts.password == "", serverAddress, isDefaultRegistry)
-	if authConfig == nil {
-		authConfig = &types.AuthConfig{}
-	}
 	if err == nil && authConfig.Username != "" && authConfig.Password != "" {
-		response, err = loginWithCredStoreCreds(ctx, dockerCli, authConfig)
+		response, err = loginWithCredStoreCreds(ctx, dockerCli, &authConfig)
 	}
 	if err != nil || authConfig.Username == "" || authConfig.Password == "" {
-		err = command.ConfigureAuth(dockerCli, opts.user, opts.password, authConfig, isDefaultRegistry)
+		err = command.ConfigureAuth(dockerCli, opts.user, opts.password, &authConfig, isDefaultRegistry)
 		if err != nil {
 			return err
 		}
 
-		response, err = clnt.RegistryLogin(ctx, *authConfig)
+		response, err = clnt.RegistryLogin(ctx, authConfig)
 		if err != nil && client.IsErrConnectionFailed(err) {
 			// If the server isn't responding (yet) attempt to login purely client side
-			response, err = loginClientSide(ctx, *authConfig)
+			response, err = loginClientSide(ctx, authConfig)
 		}
 		// If we (still) have an error, give up
 		if err != nil {
@@ -152,7 +149,7 @@ func runLogin(dockerCli command.Cli, opts loginOptions) error { //nolint: gocycl
 		}
 	}
 
-	if err := creds.Store(configtypes.AuthConfig(*authConfig)); err != nil {
+	if err := creds.Store(configtypes.AuthConfig(authConfig)); err != nil {
 		return errors.Errorf("Error saving credentials: %v", err)
 	}
 

cli/command/registry_test.go

@@ -66,10 +66,10 @@ func TestElectAuthServer(t *testing.T) {
 			},
 		},
 		{
-			expectedAuthServer: "https://foo.bar",
+			expectedAuthServer: "https://foo.example.com",
 			expectedWarning:    "",
 			infoFunc: func() (types.Info, error) {
-				return types.Info{IndexServerAddress: "https://foo.bar"}, nil
+				return types.Info{IndexServerAddress: "https://foo.example.com"}, nil
 			},
 		},
 		{
@@ -145,7 +145,21 @@ func TestGetDefaultAuthConfig(t *testing.T) {
 			assert.Check(t, is.Equal(tc.expectedErr, err.Error()))
 		} else {
 			assert.NilError(t, err)
-			assert.Check(t, is.DeepEqual(tc.expectedAuthConfig, *authconfig))
+			assert.Check(t, is.DeepEqual(tc.expectedAuthConfig, authconfig))
 		}
 	}
 }
+
+func TestGetDefaultAuthConfig_HelperError(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{})
+	errBuf := new(bytes.Buffer)
+	cli.SetErr(errBuf)
+	cli.ConfigFile().CredentialsStore = "fake-does-not-exist"
+	serverAddress := "test-server-address"
+	expectedAuthConfig := types.AuthConfig{
+		ServerAddress: serverAddress,
+	}
+	authconfig, err := GetDefaultAuthConfig(cli, true, serverAddress, serverAddress == "https://index.docker.io/v1/")
+	assert.Check(t, is.DeepEqual(expectedAuthConfig, authconfig))
+	assert.Check(t, is.ErrorContains(err, "docker-credential-fake-does-not-exist"))
+}

cli/command/stack/cmd.go

@@ -69,7 +69,9 @@ func NewStackCommand(dockerCli command.Cli) *cobra.Command {
 	flags := cmd.PersistentFlags()
 	flags.String("kubeconfig", "", "Kubernetes config file")
 	flags.SetAnnotation("kubeconfig", "kubernetes", nil)
+	flags.SetAnnotation("kubeconfig", "deprecated", nil)
 	flags.String("orchestrator", "", "Orchestrator to use (swarm|kubernetes|all)")
+	flags.SetAnnotation("orchestrator", "deprecated", nil)
 	return cmd
 }
 

cli/command/stack/kubernetes/cli.go

@@ -50,6 +50,7 @@ func NewOptions(flags *flag.FlagSet, orchestrator command.Orchestrator) Options
 func AddNamespaceFlag(flags *flag.FlagSet) {
 	flags.String("namespace", "", "Kubernetes namespace to use")
 	flags.SetAnnotation("namespace", "kubernetes", nil)
+	flags.SetAnnotation("namespace", "deprecated", nil)
 }
 
 // WrapCli wraps command.Cli with kubernetes specifics

cli/command/stack/list.go

@@ -30,8 +30,10 @@ func newListCommand(dockerCli command.Cli, common *commonOptions) *cobra.Command
 	flags.StringVar(&opts.Format, "format", "", "Pretty-print stacks using a Go template")
 	flags.StringSliceVar(&opts.Namespaces, "namespace", []string{}, "Kubernetes namespaces to use")
 	flags.SetAnnotation("namespace", "kubernetes", nil)
+	flags.SetAnnotation("namespace", "deprecated", nil)
 	flags.BoolVarP(&opts.AllNamespaces, "all-namespaces", "", false, "List stacks from all Kubernetes namespaces")
 	flags.SetAnnotation("all-namespaces", "kubernetes", nil)
+	flags.SetAnnotation("all-namespaces", "deprecated", nil)
 	return cmd
 }
 

cli/command/swarm/ca_test.go

@@ -104,20 +104,20 @@ func TestDisplayTrustRootInvalidFlags(t *testing.T) {
 			errorMsg: "flag requires the `--rotate` flag to update the CA",
 		},
 		{
-			args:     []string{"--external-ca=protocol=cfssl,url=https://some.com/https/url"},
+			args:     []string{"--external-ca=protocol=cfssl,url=https://some.example.com/https/url"},
 			errorMsg: "flag requires the `--rotate` flag to update the CA",
 		},
 		{ // to make sure we're not erroring because we didn't provide a CA cert and external CA
 			args: []string{
 				"--ca-cert=" + tmpfile,
-				"--external-ca=protocol=cfssl,url=https://some.com/https/url",
+				"--external-ca=protocol=cfssl,url=https://some.example.com/https/url",
 			},
 			errorMsg: "flag requires the `--rotate` flag to update the CA",
 		},
 		{
 			args: []string{
 				"--rotate",
-				"--external-ca=protocol=cfssl,url=https://some.com/https/url",
+				"--external-ca=protocol=cfssl,url=https://some.example.com/https/url",
 			},
 			errorMsg: "rotating to an external CA requires the `--ca-cert` flag to specify the external CA's cert - " +
 				"to add an external CA with the current root CA certificate, use the `update` command instead",
@@ -243,7 +243,7 @@ func TestUpdateSwarmSpecCertAndExternalCA(t *testing.T) {
 		"--rotate",
 		"--detach",
 		"--ca-cert=" + certfile,
-		"--external-ca=protocol=cfssl,url=https://some.external.ca"})
+		"--external-ca=protocol=cfssl,url=https://some.external.ca.example.com"})
 	cmd.SetOut(cli.OutBuffer())
 	assert.NilError(t, cmd.Execute())
 
@@ -253,7 +253,7 @@ func TestUpdateSwarmSpecCertAndExternalCA(t *testing.T) {
 	expected.CAConfig.ExternalCAs = []*swarm.ExternalCA{
 		{
 			Protocol: swarm.ExternalCAProtocolCFSSL,
-			URL:      "https://some.external.ca",
+			URL:      "https://some.external.ca.example.com",
 			CACert:   cert,
 			Options:  make(map[string]string),
 		},
@@ -281,7 +281,7 @@ func TestUpdateSwarmSpecCertAndKeyAndExternalCA(t *testing.T) {
 		"--detach",
 		"--ca-cert=" + certfile,
 		"--ca-key=" + keyfile,
-		"--external-ca=protocol=cfssl,url=https://some.external.ca"})
+		"--external-ca=protocol=cfssl,url=https://some.external.ca.example.com"})
 	cmd.SetOut(cli.OutBuffer())
 	assert.NilError(t, cmd.Execute())
 
@@ -291,7 +291,7 @@ func TestUpdateSwarmSpecCertAndKeyAndExternalCA(t *testing.T) {
 	expected.CAConfig.ExternalCAs = []*swarm.ExternalCA{
 		{
 			Protocol: swarm.ExternalCAProtocolCFSSL,
-			URL:      "https://some.external.ca",
+			URL:      "https://some.external.ca.example.com",
 			CACert:   cert,
 			Options:  make(map[string]string),
 		},

cli/command/system/info.go

@@ -14,6 +14,7 @@ import (
 	"github.com/docker/cli/templates"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/api/types/versions"
 	"github.com/docker/go-units"
 	"github.com/spf13/cobra"
 )
@@ -211,9 +212,6 @@ func prettyPrintServerInfo(dockerCli command.Cli, info types.Info) []error {
 					for _, o := range so.Options {
 						switch o.Key {
 						case "profile":
-							if o.Value != "default" {
-								fmt.Fprintln(dockerCli.Err(), "  WARNING: You're not using the default seccomp profile")
-							}
 							fmt.Fprintln(dockerCli.Out(), "   Profile:", o.Value)
 						}
 					}
@@ -378,6 +376,9 @@ func printSwarmInfo(dockerCli command.Cli, info types.Info) {
 }
 
 func printServerWarnings(dockerCli command.Cli, info types.Info) {
+	if versions.LessThan(dockerCli.Client().ClientVersion(), "1.42") {
+		printSecurityOptionsWarnings(dockerCli, info)
+	}
 	if len(info.Warnings) > 0 {
 		fmt.Fprintln(dockerCli.Err(), strings.Join(info.Warnings, "\n"))
 		return
@@ -387,6 +388,29 @@ func printServerWarnings(dockerCli command.Cli, info types.Info) {
 	printServerWarningsLegacy(dockerCli, info)
 }
 
+// printSecurityOptionsWarnings prints warnings based on the security options
+// returned by the daemon.
+// DEPRECATED: warnings are now generated by the daemon, and returned in
+// info.Warnings. This function is used to provide backward compatibility with
+// daemons that do not provide these warnings. No new warnings should be added
+// here.
+func printSecurityOptionsWarnings(dockerCli command.Cli, info types.Info) {
+	if info.OSType == "windows" {
+		return
+	}
+	kvs, _ := types.DecodeSecurityOptions(info.SecurityOptions)
+	for _, so := range kvs {
+		if so.Name != "seccomp" {
+			continue
+		}
+		for _, o := range so.Options {
+			if o.Key == "profile" && o.Value != "default" && o.Value != "builtin" {
+				_, _ = fmt.Fprintln(dockerCli.Err(), "WARNING: You're not using the default seccomp profile")
+			}
+		}
+	}
+}
+
 // printServerWarningsLegacy generates warnings based on information returned by the daemon.
 // DEPRECATED: warnings are now generated by the daemon, and returned in
 // info.Warnings. This function is used to provide backward compatibility with

cli/command/system/version.go

@@ -114,6 +114,7 @@ func NewVersionCommand(dockerCli command.Cli) *cobra.Command {
 	flags.StringVarP(&opts.format, "format", "f", "", "Format the output using the given Go template")
 	flags.StringVar(&opts.kubeConfig, "kubeconfig", "", "Kubernetes config file")
 	flags.SetAnnotation("kubeconfig", "kubernetes", nil)
+	flags.SetAnnotation("kubeconfig", "deprecated", nil)
 
 	return cmd
 }

cli/config/config.go

@@ -104,14 +104,18 @@ func LoadFromReader(configData io.Reader) (*configfile.ConfigFile, error) {
 	return &configFile, err
 }
 
-// TODO remove this temporary hack, which is used to warn about the deprecated ~/.dockercfg file
-var printLegacyFileWarning bool
-
 // Load reads the configuration files in the given directory, and sets up
 // the auth config information and returns values.
 // FIXME: use the internal golang config parser
 func Load(configDir string) (*configfile.ConfigFile, error) {
-	printLegacyFileWarning = false
+	cfg, _, err := load(configDir)
+	return cfg, err
+}
+
+// TODO remove this temporary hack, which is used to warn about the deprecated ~/.dockercfg file
+// so we can remove the bool return value and collapse this back into `Load`
+func load(configDir string) (*configfile.ConfigFile, bool, error) {
+	printLegacyFileWarning := false
 
 	if configDir == "" {
 		configDir = Dir()
@@ -127,11 +131,11 @@ func Load(configDir string) (*configfile.ConfigFile, error) {
 		if err != nil {
 			err = errors.Wrap(err, filename)
 		}
-		return configFile, err
+		return configFile, printLegacyFileWarning, err
 	} else if !os.IsNotExist(err) {
 		// if file is there but we can't stat it for any reason other
 		// than it doesn't exist then stop
-		return configFile, errors.Wrap(err, filename)
+		return configFile, printLegacyFileWarning, errors.Wrap(err, filename)
 	}
 
 	// Can't find latest config file so check for the old one
@@ -140,16 +144,16 @@ func Load(configDir string) (*configfile.ConfigFile, error) {
 		printLegacyFileWarning = true
 		defer file.Close()
 		if err := configFile.LegacyLoadFromReader(file); err != nil {
-			return configFile, errors.Wrap(err, filename)
+			return configFile, printLegacyFileWarning, errors.Wrap(err, filename)
 		}
 	}
-	return configFile, nil
+	return configFile, printLegacyFileWarning, nil
 }
 
 // LoadDefaultConfigFile attempts to load the default config file and returns
 // an initialized ConfigFile struct if none is found.
 func LoadDefaultConfigFile(stderr io.Writer) *configfile.ConfigFile {
-	configFile, err := Load(Dir())
+	configFile, printLegacyFileWarning, err := load(Dir())
 	if err != nil {
 		fmt.Fprintf(stderr, "WARNING: Error loading config file: %v\n", err)
 	}

cli/config/configfile/file_test.go

@@ -27,16 +27,19 @@ func TestEncodeAuth(t *testing.T) {
 }
 
 func TestProxyConfig(t *testing.T) {
-	httpProxy := "http://proxy.mycorp.com:3128"
-	httpsProxy := "https://user:password@proxy.mycorp.com:3129"
-	ftpProxy := "http://ftpproxy.mycorp.com:21"
-	noProxy := "*.intra.mycorp.com"
-	defaultProxyConfig := ProxyConfig{
-		HTTPProxy:  httpProxy,
-		HTTPSProxy: httpsProxy,
-		FTPProxy:   ftpProxy,
-		NoProxy:    noProxy,
-	}
+	var (
+		httpProxy  = "http://proxy.mycorp.example.com:3128"
+		httpsProxy = "https://user:password@proxy.mycorp.example.com:3129"
+		ftpProxy   = "http://ftpproxy.mycorp.example.com:21"
+		noProxy    = "*.intra.mycorp.example.com"
+
+		defaultProxyConfig = ProxyConfig{
+			HTTPProxy:  httpProxy,
+			HTTPSProxy: httpsProxy,
+			FTPProxy:   ftpProxy,
+			NoProxy:    noProxy,
+		}
+	)
 
 	cfg := ConfigFile{
 		Proxies: map[string]ProxyConfig{
@@ -59,18 +62,21 @@ func TestProxyConfig(t *testing.T) {
 }
 
 func TestProxyConfigOverride(t *testing.T) {
-	httpProxy := "http://proxy.mycorp.com:3128"
-	overrideHTTPProxy := "http://proxy.example.com:3128"
-	overrideNoProxy := ""
-	httpsProxy := "https://user:password@proxy.mycorp.com:3129"
-	ftpProxy := "http://ftpproxy.mycorp.com:21"
-	noProxy := "*.intra.mycorp.com"
-	defaultProxyConfig := ProxyConfig{
-		HTTPProxy:  httpProxy,
-		HTTPSProxy: httpsProxy,
-		FTPProxy:   ftpProxy,
-		NoProxy:    noProxy,
-	}
+	var (
+		httpProxy         = "http://proxy.mycorp.example.com:3128"
+		httpProxyOverride = "http://proxy.example.com:3128"
+		httpsProxy        = "https://user:password@proxy.mycorp.example.com:3129"
+		ftpProxy          = "http://ftpproxy.mycorp.example.com:21"
+		noProxy           = "*.intra.mycorp.example.com"
+		noProxyOverride   = ""
+
+		defaultProxyConfig = ProxyConfig{
+			HTTPProxy:  httpProxy,
+			HTTPSProxy: httpsProxy,
+			FTPProxy:   ftpProxy,
+			NoProxy:    noProxy,
+		}
+	)
 
 	cfg := ConfigFile{
 		Proxies: map[string]ProxyConfig{
@@ -84,46 +90,49 @@ func TestProxyConfigOverride(t *testing.T) {
 	}
 
 	ropts := map[string]*string{
-		"HTTP_PROXY": clone(overrideHTTPProxy),
-		"NO_PROXY":   clone(overrideNoProxy),
+		"HTTP_PROXY": clone(httpProxyOverride),
+		"NO_PROXY":   clone(noProxyOverride),
 	}
 	proxyConfig := cfg.ParseProxyConfig("/var/run/docker.sock", ropts)
 	expected := map[string]*string{
-		"HTTP_PROXY":  &overrideHTTPProxy,
+		"HTTP_PROXY":  &httpProxyOverride,
 		"http_proxy":  &httpProxy,
 		"HTTPS_PROXY": &httpsProxy,
 		"https_proxy": &httpsProxy,
 		"FTP_PROXY":   &ftpProxy,
 		"ftp_proxy":   &ftpProxy,
-		"NO_PROXY":    &overrideNoProxy,
+		"NO_PROXY":    &noProxyOverride,
 		"no_proxy":    &noProxy,
 	}
 	assert.Check(t, is.DeepEqual(expected, proxyConfig))
 }
 
 func TestProxyConfigPerHost(t *testing.T) {
-	httpProxy := "http://proxy.mycorp.com:3128"
-	httpsProxy := "https://user:password@proxy.mycorp.com:3129"
-	ftpProxy := "http://ftpproxy.mycorp.com:21"
-	noProxy := "*.intra.mycorp.com"
+	var (
+		httpProxy  = "http://proxy.mycorp.example.com:3128"
+		httpsProxy = "https://user:password@proxy.mycorp.example.com:3129"
+		ftpProxy   = "http://ftpproxy.mycorp.example.com:21"
+		noProxy    = "*.intra.mycorp.example.com"
 
-	extHTTPProxy := "http://proxy.example.com:3128"
-	extHTTPSProxy := "https://user:password@proxy.example.com:3129"
-	extFTPProxy := "http://ftpproxy.example.com:21"
-	extNoProxy := "*.intra.example.com"
+		extHTTPProxy  = "http://proxy.example.com:3128"
+		extHTTPSProxy = "https://user:password@proxy.example.com:3129"
+		extFTPProxy   = "http://ftpproxy.example.com:21"
+		extNoProxy    = "*.intra.example.com"
 
-	defaultProxyConfig := ProxyConfig{
-		HTTPProxy:  httpProxy,
-		HTTPSProxy: httpsProxy,
-		FTPProxy:   ftpProxy,
-		NoProxy:    noProxy,
-	}
-	externalProxyConfig := ProxyConfig{
-		HTTPProxy:  extHTTPProxy,
-		HTTPSProxy: extHTTPSProxy,
-		FTPProxy:   extFTPProxy,
-		NoProxy:    extNoProxy,
-	}
+		defaultProxyConfig = ProxyConfig{
+			HTTPProxy:  httpProxy,
+			HTTPSProxy: httpsProxy,
+			FTPProxy:   ftpProxy,
+			NoProxy:    noProxy,
+		}
+
+		externalProxyConfig = ProxyConfig{
+			HTTPProxy:  extHTTPProxy,
+			HTTPSProxy: extHTTPSProxy,
+			FTPProxy:   extFTPProxy,
+			NoProxy:    extNoProxy,
+		}
+	)
 
 	cfg := ConfigFile{
 		Proxies: map[string]ProxyConfig{
@@ -226,9 +235,11 @@ func TestGetAllCredentialsCredsStore(t *testing.T) {
 }
 
 func TestGetAllCredentialsCredHelper(t *testing.T) {
-	testCredHelperSuffix := "test_cred_helper"
-	testCredHelperRegistryHostname := "credhelper.com"
-	testExtraCredHelperRegistryHostname := "somethingweird.com"
+	const (
+		testCredHelperSuffix                = "test_cred_helper"
+		testCredHelperRegistryHostname      = "credhelper.com"
+		testExtraCredHelperRegistryHostname = "somethingweird.com"
+	)
 
 	unexpectedCredHelperAuth := types.AuthConfig{
 		Username: "file_store_user",
@@ -265,9 +276,11 @@ func TestGetAllCredentialsCredHelper(t *testing.T) {
 }
 
 func TestGetAllCredentialsFileStoreAndCredHelper(t *testing.T) {
-	testFileStoreRegistryHostname := "example.com"
-	testCredHelperSuffix := "test_cred_helper"
-	testCredHelperRegistryHostname := "credhelper.com"
+	const (
+		testFileStoreRegistryHostname  = "example.com"
+		testCredHelperSuffix           = "test_cred_helper"
+		testCredHelperRegistryHostname = "credhelper.com"
+	)
 
 	expectedFileStoreAuth := types.AuthConfig{
 		Username: "file_store_user",
@@ -301,10 +314,12 @@ func TestGetAllCredentialsFileStoreAndCredHelper(t *testing.T) {
 }
 
 func TestGetAllCredentialsCredStoreAndCredHelper(t *testing.T) {
-	testCredStoreSuffix := "test_creds_store"
-	testCredStoreRegistryHostname := "credstore.com"
-	testCredHelperSuffix := "test_cred_helper"
-	testCredHelperRegistryHostname := "credhelper.com"
+	const (
+		testCredStoreSuffix            = "test_creds_store"
+		testCredStoreRegistryHostname  = "credstore.com"
+		testCredHelperSuffix           = "test_cred_helper"
+		testCredHelperRegistryHostname = "credhelper.com"
+	)
 
 	configFile := New("filename")
 	configFile.CredentialsStore = testCredStoreSuffix
@@ -343,9 +358,11 @@ func TestGetAllCredentialsCredStoreAndCredHelper(t *testing.T) {
 }
 
 func TestGetAllCredentialsCredHelperOverridesDefaultStore(t *testing.T) {
-	testCredStoreSuffix := "test_creds_store"
-	testCredHelperSuffix := "test_cred_helper"
-	testRegistryHostname := "example.com"
+	const (
+		testCredStoreSuffix  = "test_creds_store"
+		testCredHelperSuffix = "test_cred_helper"
+		testRegistryHostname = "example.com"
+	)
 
 	configFile := New("filename")
 	configFile.CredentialsStore = testCredStoreSuffix
@@ -424,38 +441,36 @@ func TestCheckKubernetesConfigurationRaiseAnErrorOnInvalidValue(t *testing.T) {
 		expectError bool
 	}{
 		{
-			"no kubernetes config is valid",
-			nil,
-			false,
+			name: "no kubernetes config is valid",
 		},
 		{
-			"enabled is valid",
-			&KubernetesConfig{AllNamespaces: "enabled"},
-			false,
+			name:   "enabled is valid",
+			config: &KubernetesConfig{AllNamespaces: "enabled"},
 		},
 		{
-			"disabled is valid",
-			&KubernetesConfig{AllNamespaces: "disabled"},
-			false,
+			name:   "disabled is valid",
+			config: &KubernetesConfig{AllNamespaces: "disabled"},
 		},
 		{
-			"empty string is valid",
-			&KubernetesConfig{AllNamespaces: ""},
-			false,
+			name:   "empty string is valid",
+			config: &KubernetesConfig{AllNamespaces: ""},
 		},
 		{
-			"other value is invalid",
-			&KubernetesConfig{AllNamespaces: "unknown"},
-			true,
+			name:        "other value is invalid",
+			config:      &KubernetesConfig{AllNamespaces: "unknown"},
+			expectError: true,
 		},
 	}
-	for _, test := range testCases {
-		err := checkKubernetesConfiguration(test.config)
-		if test.expectError {
-			assert.Assert(t, err != nil, test.name)
-		} else {
-			assert.NilError(t, err, test.name)
-		}
+	for _, tc := range testCases {
+		test := tc
+		t.Run(test.name, func(t *testing.T) {
+			err := checkKubernetesConfiguration(test.config)
+			if test.expectError {
+				assert.Assert(t, err != nil, test.name)
+			} else {
+				assert.NilError(t, err, test.name)
+			}
+		})
 	}
 }
 

cli/config/credentials/file_store_test.go

@@ -70,7 +70,7 @@ func TestFileStoreGet(t *testing.T) {
 
 func TestFileStoreGetAll(t *testing.T) {
 	s1 := "https://example.com"
-	s2 := "https://example2.com"
+	s2 := "https://example2.example.com"
 	f := newStore(map[string]types.AuthConfig{
 		s1: {
 			Auth:          "super_secret_token",
@@ -80,7 +80,7 @@ func TestFileStoreGetAll(t *testing.T) {
 		s2: {
 			Auth:          "super_secret_token2",
 			Email:         "foo@example2.com",
-			ServerAddress: "https://example2.com",
+			ServerAddress: "https://example2.example.com",
 		},
 	})
 

cli/connhelper/connhelper.go

@@ -49,7 +49,7 @@ func getConnectionHelper(daemonURL string, sshFlags []string) (*ConnectionHelper
 			Dialer: func(ctx context.Context, network, addr string) (net.Conn, error) {
 				return commandconn.New(ctx, "ssh", append(sshFlags, sp.Args("docker", "system", "dial-stdio")...)...)
 			},
-			Host: "http://docker",
+			Host: "http://docker.example.com",
 		}, nil
 	}
 	// Future version may support plugins via ~/.docker/config.json. e.g. "dind"
@@ -63,6 +63,6 @@ func GetCommandConnectionHelper(cmd string, flags ...string) (*ConnectionHelper,
 		Dialer: func(ctx context.Context, network, addr string) (net.Conn, error) {
 			return commandconn.New(ctx, cmd, flags...)
 		},
-		Host: "http://docker",
+		Host: "http://docker.example.com",
 	}, nil
 }

cli/context/docker/load.go

@@ -26,7 +26,12 @@ type EndpointMeta = context.EndpointMetaBase
 // a Docker Engine endpoint, with its tls data
 type Endpoint struct {
 	EndpointMeta
-	TLSData     *context.TLSData
+	TLSData *context.TLSData
+
+	// Deprecated: Use of encrypted TLS private keys has been deprecated, and
+	// will be removed in a future release. Golang has deprecated support for
+	// legacy PEM encryption (as specified in RFC 1423), as it is insecure by
+	// design (see https://go-review.googlesource.com/c/go/+/264159).
 	TLSPassword string
 }
 
@@ -66,8 +71,9 @@ func (c *Endpoint) tlsConfig() (*tls.Config, error) {
 		}
 
 		var err error
-		if x509.IsEncryptedPEMBlock(pemBlock) {
-			keyBytes, err = x509.DecryptPEMBlock(pemBlock, []byte(c.TLSPassword))
+		// TODO should we follow Golang, and deprecate RFC 1423 encryption, and produce a warning (or just error)? see https://github.com/docker/cli/issues/3212
+		if x509.IsEncryptedPEMBlock(pemBlock) { //nolint: staticcheck // SA1019: x509.IsEncryptedPEMBlock is deprecated, and insecure by design
+			keyBytes, err = x509.DecryptPEMBlock(pemBlock, []byte(c.TLSPassword)) //nolint: staticcheck // SA1019: x509.IsEncryptedPEMBlock is deprecated, and insecure by design
 			if err != nil {
 				return nil, errors.Wrap(err, "private key is encrypted, but could not decrypt it")
 			}

dockerfiles/Dockerfile.binary-native

@@ -1,4 +1,4 @@
-ARG GO_VERSION=1.13.15
+ARG GO_VERSION=1.16.10
 
 FROM    golang:${GO_VERSION}-alpine
 

dockerfiles/Dockerfile.dev

@@ -1,5 +1,6 @@
-# syntax=docker/dockerfile:1.1.7-experimental
-ARG GO_VERSION=1.13.15
+# syntax=docker/dockerfile:1.3
+
+ARG GO_VERSION=1.16.15
 
 FROM golang:${GO_VERSION}-alpine AS golang
 ENV  CGO_ENABLED=0
@@ -9,21 +10,21 @@ ARG ESC_VERSION=v0.2.0
 RUN --mount=type=cache,target=/root/.cache/go-build \
     --mount=type=cache,target=/go/pkg/mod \
     --mount=type=tmpfs,target=/go/src/ \
-    GO111MODULE=on go get github.com/mjibson/esc@${ESC_VERSION}
+    GO111MODULE=on go install github.com/mjibson/esc@${ESC_VERSION}
 
 FROM golang AS gotestsum
 ARG GOTESTSUM_VERSION=v0.4.0
 RUN --mount=type=cache,target=/root/.cache/go-build \
     --mount=type=cache,target=/go/pkg/mod \
     --mount=type=tmpfs,target=/go/src/ \
-    GO111MODULE=on go get gotest.tools/gotestsum@${GOTESTSUM_VERSION}
+    GO111MODULE=on go install gotest.tools/gotestsum@${GOTESTSUM_VERSION}
 
 FROM golang AS vndr
 ARG VNDR_VERSION=v0.1.2
 RUN --mount=type=cache,target=/root/.cache/go-build \
     --mount=type=cache,target=/go/pkg/mod \
     --mount=type=tmpfs,target=/go/src/ \
-    GO111MODULE=on go get github.com/LK4D4/vndr@${VNDR_VERSION}
+    GO111MODULE=on go install github.com/LK4D4/vndr@${VNDR_VERSION}
 
 FROM golang AS dev
 RUN  apk add --no-cache \
@@ -43,4 +44,5 @@ COPY --from=vndr      /go/bin/* /go/bin/
 COPY --from=gotestsum /go/bin/* /go/bin/
 
 WORKDIR /go/src/github.com/docker/cli
+ENV GO111MODULE=auto
 COPY . .

dockerfiles/Dockerfile.e2e

@@ -1,4 +1,4 @@
-ARG GO_VERSION=1.13.15
+ARG GO_VERSION=1.16.10
 
 # Use Debian based image as docker-compose requires glibc.
 FROM golang:${GO_VERSION}-buster

dockerfiles/Dockerfile.lint

@@ -1,6 +1,6 @@
-# syntax=docker/dockerfile:1.1.3-experimental
+# syntax=docker/dockerfile:1.3
 
-ARG GO_VERSION=1.13.15
+ARG GO_VERSION=1.16.15
 ARG GOLANGCI_LINTER_SHA="v1.21.0"
 
 FROM    golang:${GO_VERSION}-alpine AS build
@@ -13,6 +13,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
         go get github.com/golangci/golangci-lint/cmd/golangci-lint@${GOLANGCI_LINTER_SHA}
 
 FROM    golang:${GO_VERSION}-alpine AS lint
+ENV     GO111MODULE=off
 ENV     CGO_ENABLED=0
 ENV     DISABLE_WARN_OUTSIDE_CONTAINER=1
 COPY --from=build /go/bin/golangci-lint /usr/local/bin

docs/deprecated.md

@@ -50,9 +50,11 @@ The table below provides an overview of the current status of deprecated feature
 
 Status     | Feature                                                                                                                            | Deprecated | Remove
 -----------|------------------------------------------------------------------------------------------------------------------------------------|------------|------------
+Deprecated | [Support for encrypted TLS private keys](#support-for-encrypted-tls-private-keys)                                                  | v20.10     | -
+Deprecated | [Kubernetes stack and context support](#kubernetes-stack-and-context-support)                                                      | v20.10     | -
 Deprecated | [Pulling images from non-compliant image registries](#pulling-images-from-non-compliant-image-registries)                          | v20.10     | -
 Deprecated | [Linux containers on Windows (LCOW)](#linux-containers-on-windows-lcow-experimental)                                               | v20.10     | -
-Deprecated | [BLKIO weight options with cgroups v1](#blkio-weight-options–with-cgroups-v1)                                                      | v20.10     | -
+Deprecated | [BLKIO weight options with cgroups v1](#blkio-weight-options-with-cgroups-v1)                                                      | v20.10     | -
 Deprecated | [Kernel memory limit](#kernel-memory-limit)                                                                                        | v20.10     | -
 Deprecated | [Classic Swarm and overlay networks using external key/value stores](#classic-swarm-and-overlay-networks-using-cluster-store)      | v20.10     | -
 Deprecated | [Support for the legacy `~/.dockercfg` configuration file for authentication](#support-for-legacy-dockercfg-configuration-files)   | v20.10     | -
@@ -97,6 +99,22 @@ Removed    | [`--api-enable-cors` flag on `dockerd`](#--api-enable-cors-flag-on-
 Removed    | [`--run` flag on `docker commit`](#--run-flag-on-docker-commit)                                                                    | v0.10      | v1.13
 Removed    | [Three arguments form in `docker import`](#three-arguments-form-in-docker-import)                                                  | v0.6.7     | v1.12
 
+### Support for encrypted TLS private keys
+
+**Deprecated in Release: v20.10**
+
+Use of encrypted TLS private keys has been deprecated, and will be removed in a
+future release. Golang has deprecated support for legacy PEM encryption (as
+specified in [RFC 1423](https://datatracker.ietf.org/doc/html/rfc1423)), as it
+is insecure by design (see [https://go-review.googlesource.com/c/go/+/264159](https://go-review.googlesource.com/c/go/+/264159)).
+
+### Kubernetes stack and context support
+
+**Deprecated in Release: v20.10**
+
+Following the deprecation of [Compose on Kubernetes](https://github.com/docker/compose-on-kubernetes), support for
+Kubernetes in the `stack` and `context` commands in the docker CLI is now marked as deprecated as well.
+
 ### Pulling images from non-compliant image registries
 
 **Deprecated in Release: v20.10**
@@ -570,9 +588,9 @@ Log tags are now generated in a standard way across different logging drivers.
 Because of which, the driver specific log tag options `syslog-tag`, `gelf-tag` and
 `fluentd-tag` have been deprecated in favor of the generic `tag` option.
 
-```bash
+```console
 {% raw %}
-docker --log-driver=syslog --log-opt tag="{{.ImageName}}/{{.Name}}/{{.ID}}"
+$ docker --log-driver=syslog --log-opt tag="{{.ImageName}}/{{.Name}}/{{.ID}}"
 {% endraw %}
 ```
 

docs/extend/index.md

@@ -55,7 +55,7 @@ enabled, and use it to create a volume.
 
 1.  Install the `sshfs` plugin.
 
-    ```bash
+    ```console
     $ docker plugin install vieux/sshfs
 
     Plugin "vieux/sshfs" is requesting the following privileges:
@@ -74,7 +74,7 @@ enabled, and use it to create a volume.
 
 2.  Check that the plugin is enabled in the output of `docker plugin ls`.
 
-    ```bash
+    ```console
     $ docker plugin ls
 
     ID                    NAME                  TAG                 DESCRIPTION                   ENABLED
@@ -87,7 +87,7 @@ enabled, and use it to create a volume.
 
     This volume can now be mounted into containers.
 
-    ```bash
+    ```console
     $ docker volume create \
       -d vieux/sshfs \
       --name sshvolume \
@@ -96,9 +96,10 @@ enabled, and use it to create a volume.
 
     sshvolume
     ```
+
 4.  Verify that the volume was created successfully.
 
-    ```bash
+    ```console
     $ docker volume ls
 
     DRIVER              NAME
@@ -107,18 +108,19 @@ enabled, and use it to create a volume.
 
 5.  Start a container that uses the volume `sshvolume`.
 
-    ```bash
+    ```console
     $ docker run --rm -v sshvolume:/data busybox ls /data
 
     <content of /remote on machine 1.2.3.4>
     ```
 
 6.  Remove the volume `sshvolume`
-    ```bash
-    docker volume rm sshvolume
+    ```console
+    $ docker volume rm sshvolume
 
     sshvolume
     ```
+
 To disable a plugin, use the `docker plugin disable` command. To completely
 remove it, use the `docker plugin remove` command. For other available
 commands and options, see the
@@ -134,7 +136,7 @@ example, it was created from a Dockerfile:
 >**Note:** The `/run/docker/plugins` directory is mandatory inside of the
 plugin's filesystem for docker to communicate with the plugin.
 
-```bash
+```console
 $ git clone https://github.com/vieux/docker-volume-sshfs
 $ cd docker-volume-sshfs
 $ docker build -t rootfsimage .
@@ -193,13 +195,13 @@ Stdout of a plugin is redirected to dockerd logs. Such entries have a
 `f52a3df433b9aceee436eaada0752f5797aab1de47e5485f1690a073b860ff62` and their
 corresponding log entries in the docker daemon logs.
 
-```bash
+```console
 $ docker plugin install tiborvass/sample-volume-plugin
 
 INFO[0036] Starting...       Found 0 volumes on startup  plugin=f52a3df433b9aceee436eaada0752f5797aab1de47e5485f1690a073b860ff62
 ```
 
-```bash
+```console
 $ docker volume create -d tiborvass/sample-volume-plugin samplevol
 
 INFO[0193] Create Called...  Ensuring directory /data/samplevol exists on host...  plugin=f52a3df433b9aceee436eaada0752f5797aab1de47e5485f1690a073b860ff62
@@ -208,7 +210,7 @@ INFO[0193]                   Created volume samplevol with mountpoint /data/samp
 INFO[0193] Path Called...    Returned path /data/samplevol  plugin=f52a3df433b9aceee436eaada0752f5797aab1de47e5485f1690a073b860ff62
 ```
 
-```bash
+```console
 $ docker run -v samplevol:/tmp busybox sh
 
 INFO[0421] Get Called...     Found samplevol                plugin=f52a3df433b9aceee436eaada0752f5797aab1de47e5485f1690a073b860ff62
@@ -223,7 +225,7 @@ INFO[0421] Unmount Called... Unmounted samplevol            plugin=f52a3df433b9a
 plugins. This is specifically useful to collect plugin logs if they are
 redirected to a file.
 
-```bash
+```console
 $ sudo docker-runc --root /var/run/docker/plugins/runtime-root/moby-plugins list
 
 ID                                                                 PID         STATUS      BUNDLE                                                                                                                                       CREATED                          OWNER
@@ -232,13 +234,14 @@ ID                                                                 PID         S
 c5bb4b90941efcaccca999439ed06d6a6affdde7081bb34dc84126b57b3e793d   14984       running     /run/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby-plugins/c5bb4b90941efcaccca999439ed06d6a6affdde7081bb34dc84126b57b3e793d   2018-02-08T21:35:12.321288966Z   root
 ```
 
-```bash
+```console
 $ sudo docker-runc --root /var/run/docker/plugins/runtime-root/moby-plugins exec 93f1e7dbfe11c938782c2993628c895cf28e2274072c4a346a6002446c949b25 cat /var/log/plugin.log
 ```
 
 If the plugin has a built-in shell, then exec into the plugin can be done as
 follows:
-```bash
+
+```console
 $ sudo docker-runc --root /var/run/docker/plugins/runtime-root/moby-plugins exec -t 93f1e7dbfe11c938782c2993628c895cf28e2274072c4a346a6002446c949b25 sh
 ```
 
@@ -251,17 +254,18 @@ the plugin is listening on the said socket. For a well functioning plugin,
 these basic requests should work. Note that plugin sockets are available on the host under `/var/run/docker/plugins/<pluginID>`
 
 
-```bash
-curl -H "Content-Type: application/json" -XPOST -d '{}' --unix-socket /var/run/docker/plugins/e8a37ba56fc879c991f7d7921901723c64df6b42b87e6a0b055771ecf8477a6d/plugin.sock http:/VolumeDriver.List
+```console
+$ curl -H "Content-Type: application/json" -XPOST -d '{}' --unix-socket /var/run/docker/plugins/e8a37ba56fc879c991f7d7921901723c64df6b42b87e6a0b055771ecf8477a6d/plugin.sock http:/VolumeDriver.List
 
 {"Mountpoint":"","Err":"","Volumes":[{"Name":"myvol1","Mountpoint":"/data/myvol1"},{"Name":"myvol2","Mountpoint":"/data/myvol2"}],"Volume":null}
 ```
 
-```bash
-curl -H "Content-Type: application/json" -XPOST -d '{}' --unix-socket /var/run/docker/plugins/45e00a7ce6185d6e365904c8bcf62eb724b1fe307e0d4e7ecc9f6c1eb7bcdb70/plugin.sock http:/NetworkDriver.GetCapabilities
+```console
+$ curl -H "Content-Type: application/json" -XPOST -d '{}' --unix-socket /var/run/docker/plugins/45e00a7ce6185d6e365904c8bcf62eb724b1fe307e0d4e7ecc9f6c1eb7bcdb70/plugin.sock http:/NetworkDriver.GetCapabilities
 
 {"Scope":"local"}
 ```
+
 When using curl 7.5 and above, the URL should be of the form
 `http://hostname/APICall`, where `hostname` is the valid hostname where the
 plugin is installed and `APICall` is the call to the plugin API.

docs/extend/legacy_plugins.md

@@ -72,7 +72,7 @@ The sections below provide an inexhaustive overview of available plugins.
 | [Horcrux Volume Plugin](https://github.com/muthu-r/horcrux)                                        | A volume plugin that allows on-demand, version controlled access to your data. Horcrux is an open-source plugin, written in Go, and supports SCP, [Minio](https://www.minio.io) and Amazon S3.                                                                                                                |
 | [HPE 3Par Volume Plugin](https://github.com/hpe-storage/python-hpedockerplugin/)                   | A volume plugin that supports HPE 3Par and StoreVirtual iSCSI storage arrays.                                                                                                                                                                                                                                 |
 | [Infinit volume plugin](https://infinit.sh/documentation/docker/volume-plugin)                     | A volume plugin that makes it easy to mount and manage Infinit volumes using Docker.                                                                                                                                                                                                                          |
-| [IPFS Volume Plugin](http://github.com/vdemeester/docker-volume-ipfs)                              | An open source volume plugin that allows using an [ipfs](https://ipfs.io/) filesystem as a volume.                                                                                                                                                                                                            |
+| [IPFS Volume Plugin](https://github.com/vdemeester/docker-volume-ipfs)                              | An open source volume plugin that allows using an [ipfs](https://ipfs.io/) filesystem as a volume.                                                                                                                                                                                                            |
 | [Keywhiz plugin](https://github.com/calavera/docker-volume-keywhiz)                                | A plugin that provides credentials and secret management using Keywhiz as a central repository.                                                                                                                                                                                                               |
 | [Local Persist Plugin](https://github.com/CWSpear/local-persist)                                   | A volume plugin that extends the default `local` driver's functionality by allowing you specify a mountpoint anywhere on the host, which enables the files to *always persist*, even if the volume is removed via `docker volume rm`.                                                                         |
 | [NetApp Plugin](https://github.com/NetApp/netappdvp) (nDVP)                                        | A volume plugin that provides direct integration with the Docker ecosystem for the NetApp storage portfolio. The nDVP package supports the provisioning and management of storage resources from the storage platform to Docker hosts, with a robust framework for adding additional platforms in the future. |
@@ -80,7 +80,7 @@ The sections below provide an inexhaustive overview of available plugins.
 | [Nimble Storage Volume Plugin](https://connect.nimblestorage.com/community/app-integration/docker) | A volume plug-in that integrates with Nimble Storage Unified Flash Fabric arrays. The plug-in abstracts array volume capabilities to the Docker administrator to allow self-provisioning of secure multi-tenant volumes and clones.                                                                           |
 | [OpenStorage Plugin](https://github.com/libopenstorage/openstorage)                                | A cluster-aware volume plugin that provides volume management for file and block storage solutions.  It implements a vendor neutral specification for implementing extensions such as CoS, encryption, and snapshots. It has example drivers based on FUSE, NFS, NBD and EBS to name a few.                   |
 | [Portworx Volume Plugin](https://github.com/portworx/px-dev)                                       | A volume plugin that turns any server into a scale-out converged compute/storage node, providing container granular storage and highly available volumes across any node, using a shared-nothing storage backend that works with any docker scheduler.                                                        |
-| [Quobyte Volume Plugin](https://github.com/quobyte/docker-volume)                                  | A volume plugin that connects Docker to [Quobyte](http://www.quobyte.com/containers)'s data center file system, a general-purpose scalable and fault-tolerant storage platform.                                                                                                                               |
+| [Quobyte Volume Plugin](https://github.com/quobyte/docker-volume)                                  | A volume plugin that connects Docker to [Quobyte](https://www.quobyte.com/containers)'s data center file system, a general-purpose scalable and fault-tolerant storage platform.                                                                                                                               |
 | [REX-Ray plugin](https://github.com/emccode/rexray)                                                | A volume plugin which is written in Go and provides advanced storage functionality for many platforms including VirtualBox, EC2, Google Compute Engine, OpenStack, and EMC.                                                                                                                                   |
 | [Virtuozzo Storage and Ploop plugin](https://github.com/virtuozzo/docker-volume-ploop)             | A volume plugin with support for Virtuozzo Storage distributed cloud file system as well as ploop devices.                                                                                                                                                                                                    |
 | [VMware vSphere Storage Plugin](https://github.com/vmware/docker-volume-vsphere)                   | Docker Volume Driver for vSphere enables customers to address persistent storage requirements for Docker containers in vSphere environments.                                                                                                                                                                  |

docs/extend/plugin_api.md

@@ -90,7 +90,7 @@ The `TLSConfig` field is optional and TLS will only be verified if this configur
 Plugins should be started before Docker, and stopped after Docker.  For
 example, when packaging a plugin for a platform which supports `systemd`, you
 might use [`systemd` dependencies](
-http://www.freedesktop.org/software/systemd/man/systemd.unit.html#Before=) to
+https://www.freedesktop.org/software/systemd/man/systemd.unit.html#Before=) to
 manage startup and shutdown order.
 
 When upgrading a plugin, you should first stop the Docker daemon, upgrade the
@@ -114,7 +114,7 @@ a `service` file and a `socket` file.
 
 The `service` file (for example `/lib/systemd/system/your-plugin.service`):
 
-```
+```systemd
 [Unit]
 Description=Your plugin
 Before=docker.service
@@ -127,9 +127,10 @@ ExecStart=/usr/lib/docker/your-plugin
 [Install]
 WantedBy=multi-user.target
 ```
+
 The `socket` file (for example `/lib/systemd/system/your-plugin.socket`):
 
-```
+```systemd
 [Unit]
 Description=Your plugin
 
@@ -166,7 +167,8 @@ Plugins are activated via the following "handshake" API call.
 **Request:** empty body
 
 **Response:**
-```
+
+```json
 {
     "Implements": ["VolumeDriver"]
 }

docs/extend/plugins_authorization.md

@@ -114,9 +114,9 @@ Enable the authorization plugin with a dedicated command line flag in the
 `--authorization-plugin=PLUGIN_ID` format. The flag supplies a `PLUGIN_ID`
 value. This value can be the plugin’s socket or a path to a specification file.
 Authorization plugins can be loaded without restarting the daemon. Refer
-to the [`dockerd` documentation](../reference/commandline/dockerd.md#configuration-reloading) for more information.
+to the [`dockerd` documentation](../reference/commandline/dockerd.md#configuration-reload-behavior) for more information.
 
-```bash
+```console
 $ dockerd --authorization-plugin=plugin1 --authorization-plugin=plugin2,...
 ```
 
@@ -124,26 +124,26 @@ Docker's authorization subsystem supports multiple `--authorization-plugin` para
 
 ### Calling authorized command (allow)
 
-```bash
+```console
 $ docker pull centos
-...
+<...>
 f1b10cd84249: Pull complete
-...
+<...>
 ```
 
 ### Calling unauthorized command (deny)
 
-```bash
+```console
 $ docker pull centos
-...
+<...>
 docker: Error response from daemon: authorization denied by plugin PLUGIN_NAME: volumes are not allowed.
 ```
 
 ### Error from plugins
 
-```bash
+```console
 $ docker pull centos
-...
+<...>
 docker: Error response from daemon: plugin PLUGIN_NAME failed with error: AuthZPlugin.AuthZReq: Cannot connect to the Docker daemon. Is the docker daemon running on this host?.
 ```
 
@@ -180,6 +180,7 @@ should implement the following two methods:
     "Err":   "The error message if things go wrong"
 }
 ```
+
 #### /AuthZPlugin.AuthZRes
 
 **Request**:

docs/extend/plugins_graphdriver.md

@@ -31,7 +31,7 @@ You need to install and enable the plugin and then restart the Docker daemon
 before using the plugin. See the following example for the correct ordering
 of steps.
 
-```
+```console
 $ docker plugin install cpuguy83/docker-overlay2-graphdriver-plugin # this command also enables the driver
 <output suppressed>
 $ pkill dockerd
@@ -309,6 +309,7 @@ Get an archive of the changes between the filesystem layers specified by the `ID
 and `Parent`. `Parent` may be an empty string, in which case there is no parent.
 
 **Response**:
+
 ```
 {% raw %}
 {{ TAR STREAM }}
@@ -354,6 +355,7 @@ Respond with a non-empty string error if an error occurred.
 ### /GraphDriver.ApplyDiff
 
 **Request**:
+
 ```
 {% raw %}
 {{ TAR STREAM }}

docs/extend/plugins_logging.md

@@ -211,6 +211,7 @@ as they come in once the existing logs have been read.
 to determine what set of logs to read.
 
 **Response**:
+
 ```
 {% raw %}{{ log stream }}{% endraw %}
 ```

docs/extend/plugins_network.md

@@ -42,7 +42,7 @@ Once running however, network driver plugins are used just like the built-in
 network drivers: by being mentioned as a driver in network-oriented Docker
 commands. For example,
 
-```bash
+```console
 $ docker network create --driver weave mynet
 ```
 
@@ -51,7 +51,7 @@ Some network driver plugins are listed in [plugins](legacy_plugins.md)
 The `mynet` network is now owned by `weave`, so subsequent commands
 referring to that network will be sent to the plugin,
 
-```bash
+```console
 $ docker run --network=mynet busybox top
 ```
 

docs/extend/plugins_services.md

@@ -29,20 +29,20 @@ node1 is the manager and node2 is the worker.
 
 1.  Prepare manager. In node 1:
 
-    ```bash
+    ```console
     $ docker swarm init
     Swarm initialized: current node (dxn1zf6l61qsb1josjja83ngz) is now a manager.
     ```
 
 2. Join swarm, install plugin and create volume on worker. In node 2:
 
-    ```bash
+    ```console
     $ docker swarm join \
-    --token SWMTKN-1-49nj1cmql0jkz5s954yi3oex3nedyz0fb0xx14ie39trti4wxv-8vxv8rssmk743ojnwacrr2e7c \
-    192.168.99.100:2377
+      --token SWMTKN-1-49nj1cmql0jkz5s954yi3oex3nedyz0fb0xx14ie39trti4wxv-8vxv8rssmk743ojnwacrr2e7c \
+      192.168.99.100:2377
     ```
 
-    ```bash
+    ```console
     $ docker plugin install tiborvass/sample-volume-plugin
     latest: Pulling from tiborvass/sample-volume-plugin
     eb9c16fbdc53: Download complete
@@ -51,23 +51,24 @@ node1 is the manager and node2 is the worker.
     Installed plugin tiborvass/sample-volume-plugin
     ```
 
-    ```bash
+    ```console
     $ docker volume create -d tiborvass/sample-volume-plugin --name pluginVol
     ```
 
 3. Create a service using the plugin and volume. In node1:
 
-    ```bash
+    ```console
     $ docker service create --name my-service --mount type=volume,volume-driver=tiborvass/sample-volume-plugin,source=pluginVol,destination=/tmp busybox top
 
     $ docker service ls
     z1sj8bb8jnfn  my-service   replicated  1/1       busybox:latest
     ```
-    docker service ls shows service 1 instance of service running.
+
+    `docker service ls` shows service 1 instance of service running.
 
 4. Observe the task getting scheduled in node 2:
 
-    ```bash
+    ```console
     {% raw %}
     $ docker ps --format '{{.ID}}\t {{.Status}} {{.Names}} {{.Command}}'
     83fc1e842599     Up 2 days my-service.1.9jn59qzn7nbc3m0zt1hij12xs "top"
@@ -87,7 +88,7 @@ Note that node1 is the manager and node2 is the worker.
 1. Install a global scoped network plugin on both manager and worker. On node1
    and node2:
 
-    ```bash
+    ```console
     $ docker plugin install bboreham/weave2
     Plugin "bboreham/weave2" is requesting the following privileges:
     - network: [host]
@@ -102,7 +103,7 @@ Note that node1 is the manager and node2 is the worker.
 
 2. Create a network using plugin on manager. On node1:
 
-    ```bash
+    ```console
     $ docker network create --driver=bboreham/weave2:latest globalnet
 
     $ docker network ls
@@ -115,12 +116,12 @@ containers get scheduled on both manager and worker.
 
     On node 1:
 
-    ```bash
+    ```console
     $ docker service create --network globalnet --name myservice --replicas=8 mrjana/simpleweb simpleweb
 w90drnfzw85nygbie9kb89vpa
     ```
 
-    ```bash
+    ```console
     $ docker ps
     CONTAINER ID        IMAGE                                                                                      COMMAND             CREATED             STATUS              PORTS               NAMES
     87520965206a        mrjana/simpleweb@sha256:317d7f221d68c86d503119b0ea12c29de42af0a22ca087d522646ad1069a47a4   "simpleweb"         5 seconds ago       Up 4 seconds                            myservice.4.ytdzpktmwor82zjxkh118uf1v
@@ -131,7 +132,7 @@ w90drnfzw85nygbie9kb89vpa
 
     On node 2:
 
-    ```bash
+    ```console
     $ docker ps
     CONTAINER ID        IMAGE                                                                                      COMMAND             CREATED             STATUS                  PORTS               NAMES
     53c0ae7c1dae        mrjana/simpleweb@sha256:317d7f221d68c86d503119b0ea12c29de42af0a22ca087d522646ad1069a47a4   "simpleweb"         2 seconds ago       Up Less than a second                       myservice.7.x44tvvdm3iwkt9kif35f7ykz1
@@ -142,14 +143,14 @@ w90drnfzw85nygbie9kb89vpa
 
 4. Scale down the number of instances. On node1:
 
-    ```bash
+    ```console
     $ docker service scale myservice=0
     myservice scaled to 0
     ```
 
 5. Disable and uninstall the plugin on the worker. On node2:
 
-    ```bash
+    ```console
     $ docker plugin rm -f bboreham/weave2
     bboreham/weave2
     ```
@@ -159,12 +160,12 @@ scheduled on the master and not on the worker, because the plugin is not availab
 
     On node 1:
 
-    ```bash
+    ```console
     $ docker service scale myservice=8
     myservice scaled to 8
     ```
 
-    ```bash
+    ```console
     $ docker ps
     CONTAINER ID        IMAGE                                                                                      COMMAND             CREATED             STATUS              PORTS               NAMES
     cf4b0ec2415e        mrjana/simpleweb@sha256:317d7f221d68c86d503119b0ea12c29de42af0a22ca087d522646ad1069a47a4   "simpleweb"         39 seconds ago      Up 36 seconds                           myservice.3.r7p5o208jmlzpcbm2ytl3q6n1
@@ -179,7 +180,7 @@ scheduled on the master and not on the worker, because the plugin is not availab
 
     On node 2:
 
-    ```bash
+    ```console
     $ docker ps
     CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
     ```

docs/extend/plugins_volume.md

@@ -54,7 +54,7 @@ flags on the `docker container run` command.  The `--volume` (or `-v`) flag
 accepts a volume name and path on the host, and the `--volume-driver` flag
 accepts a driver type.
 
-```bash
+```console
 $ docker volume create --driver=flocker volumename
 
 $ docker container run -it --volume volumename:/data busybox sh

docs/reference/builder.md

@@ -112,7 +112,7 @@ instructions.
 
 Whenever possible, Docker uses a build-cache to accelerate the `docker build`
 process significantly. This is indicated by the `CACHED` message in the console
-output. (For more information, see the [`Dockerfile` best practices guide](https://docs.docker.com/engine/userguide/eng-image/dockerfile_best-practices/):
+output. (For more information, see the [`Dockerfile` best practices guide](https://docs.docker.com/engine/userguide/eng-image/dockerfile_best-practices/)):
 
 ```console
 $ docker build -t svendowideit/ambassador .
@@ -159,8 +159,8 @@ implementation. For example, BuildKit can:
 To use the BuildKit backend, you need to set an environment variable
 `DOCKER_BUILDKIT=1` on the CLI before invoking `docker build`.
 
-To learn about the experimental Dockerfile syntax available to BuildKit-based
-builds [refer to the documentation in the BuildKit repository](https://github.com/moby/buildkit/blob/master/frontend/dockerfile/docs/experimental.md).
+To learn about the Dockerfile syntax available to BuildKit-based
+builds [refer to the documentation in the BuildKit repository](https://github.com/moby/buildkit/blob/master/frontend/dockerfile/docs/syntax.md).
 
 ## Format
 
@@ -179,7 +179,7 @@ Docker runs instructions in a `Dockerfile` in order. A `Dockerfile` **must
 begin with a `FROM` instruction**. This may be after [parser
 directives](#parser-directives), [comments](#format), and globally scoped
 [ARGs](#arg). The `FROM` instruction specifies the [*Parent
-Image*](https://docs.docker.com/glossary/#parent_image) from which you are
+Image*](https://docs.docker.com/glossary/#parent-image) from which you are
 building. `FROM` may only be preceded by one or more `ARG` instructions, which
 declare arguments that are used in `FROM` lines in the `Dockerfile`.
 
@@ -599,10 +599,10 @@ This file causes the following build behavior:
 
 
 Matching is done using Go's
-[filepath.Match](http://golang.org/pkg/path/filepath#Match) rules.  A
+[filepath.Match](https://golang.org/pkg/path/filepath#Match) rules.  A
 preprocessing step removes leading and trailing whitespace and
 eliminates `.` and `..` elements using Go's
-[filepath.Clean](http://golang.org/pkg/path/filepath/#Clean).  Lines
+[filepath.Clean](https://golang.org/pkg/path/filepath/#Clean).  Lines
 that are blank after preprocessing are ignored.
 
 Beyond Go's filepath.Match rules, Docker also supports a special
@@ -677,7 +677,7 @@ FROM [--platform=<platform>] <image>[@<digest>] [AS <name>]
 ```
 
 The `FROM` instruction initializes a new build stage and sets the
-[*Base Image*](https://docs.docker.com/glossary/#base_image) for subsequent instructions. As such, a
+[*Base Image*](https://docs.docker.com/glossary/#base-image) for subsequent instructions. As such, a
 valid `Dockerfile` must start with a `FROM` instruction. The image can be
 any valid image – it is especially easy to start by **pulling an image** from
 the [*Public Repositories*](https://docs.docker.com/docker-hub/repos/).
@@ -759,6 +759,7 @@ RUN instruction onto the next line. For example, consider these two lines:
 RUN /bin/bash -c 'source $HOME/.bashrc; \
 echo $HOME'
 ```
+
 Together they are equivalent to this single line:
 
 ```dockerfile
@@ -938,6 +939,7 @@ the `--format` option to show just the labels;
 ```console
 $ docker image inspect --format='{{json .Config.Labels}}' myimage
 ```
+
 ```json
 {
   "com.example.vendor": "ACME Incorporated",
@@ -1115,7 +1117,7 @@ directories, their paths are interpreted as relative to the source of
 the context of the build.
 
 Each `<src>` may contain wildcards and matching will be done using Go's
-[filepath.Match](http://golang.org/pkg/path/filepath#Match) rules. For example:
+[filepath.Match](https://golang.org/pkg/path/filepath#Match) rules. For example:
 
 To add all files starting with "hom":
 
@@ -1291,7 +1293,7 @@ directories will be interpreted as relative to the source of the context
 of the build.
 
 Each `<src>` may contain wildcards and matching will be done using Go's
-[filepath.Match](http://golang.org/pkg/path/filepath#Match) rules. For example:
+[filepath.Match](https://golang.org/pkg/path/filepath#Match) rules. For example:
 
 To add all files starting with "hom":
 
@@ -1822,6 +1824,11 @@ RUN pwd
 The output of the final `pwd` command in this `Dockerfile` would be
 `/path/$DIRNAME`
 
+If not specified, the default working directory is `/`. In practice, if you aren't building a Dockerfile from scratch (`FROM scratch`), 
+the `WORKDIR` may likely be set by the base image you're using.
+
+Therefore, to avoid unintended operations in unknown directories, it is best practice to set your `WORKDIR` explicitly.
+
 ## ARG
 
 ```dockerfile
@@ -2171,9 +2178,14 @@ ONBUILD RUN /usr/local/bin/python-build --dir /app/src
 STOPSIGNAL signal
 ```
 
-The `STOPSIGNAL` instruction sets the system call signal that will be sent to the container to exit.
-This signal can be a valid unsigned number that matches a position in the kernel's syscall table, for instance 9,
-or a signal name in the format SIGNAME, for instance SIGKILL.
+The `STOPSIGNAL` instruction sets the system call signal that will be sent to the
+container to exit. This signal can be a signal name in the format `SIG<NAME>`,
+for instance `SIGKILL`, or an unsigned number that matches a position in the
+kernel's syscall table, for instance `9`. The default is `SIGTERM` if not
+defined.
+
+The image's default stopsignal can be overridden per container, using the
+`--stop-signal` flag on `docker run` and `docker create`.
 
 ## HEALTHCHECK
 

docs/reference/commandline/attach.md

@@ -84,7 +84,7 @@ containers, see [**Configuration file** section](cli.md#configuration-files).
 
 ### Attach to and detach from a running container
 
-```bash
+```console
 $ docker run -d --name topdemo ubuntu /usr/bin/top -b
 
 $ docker attach topdemo
@@ -130,22 +130,19 @@ $ docker ps -a | grep topdemo
 And in this second example, you can see the exit code returned by the `bash`
 process is returned by the `docker attach` command to its caller too:
 
-```bash
-    $ docker run --name test -d -it debian
+```console
+$ docker run --name test -d -it debian
+275c44472aebd77c926d4527885bb09f2f6db21d878c75f0a1c212c03d3bcfab
 
-    275c44472aebd77c926d4527885bb09f2f6db21d878c75f0a1c212c03d3bcfab
+$ docker attach test
+root@f38c87f2a42d:/# exit 13
 
-    $ docker attach test
+exit
 
-    root@f38c87f2a42d:/# exit 13
+$ echo $?
+13
 
-    exit
+$ docker ps -a | grep test
 
-    $ echo $?
-
-    13
-
-    $ docker ps -a | grep test
-
-    275c44472aeb        debian:7            "/bin/bash"         26 seconds ago      Exited (13) 17 seconds ago                         test
+275c44472aeb        debian:7            "/bin/bash"         26 seconds ago      Exited (13) 17 seconds ago                         test
 ```

docs/reference/commandline/build.md

@@ -92,7 +92,7 @@ context.
 For example, run this command to use a directory called `docker` in the branch
 `container`:
 
-```bash
+```console
 $ docker build https://github.com/docker/rootfs.git#container:docker
 ```
 
@@ -120,7 +120,7 @@ Build Syntax Suffix             | Commit Used           | Build Context Used
 
 If you pass an URL to a remote tarball, the URL itself is sent to the daemon:
 
-```bash
+```console
 $ docker build http://server/context.tar.gz
 ```
 
@@ -136,7 +136,7 @@ build context. Tarball contexts must be tar archives conforming to the standard
 Instead of specifying a context, you can pass a single `Dockerfile` in the
 `URL` or pipe the file in via `STDIN`. To pipe a `Dockerfile` from `STDIN`:
 
-```bash
+```console
 $ docker build - < Dockerfile
 ```
 
@@ -176,7 +176,7 @@ build fails, a non-zero failure code will be returned.
 There should be informational output of the reason for failure output to
 `STDERR`:
 
-```bash
+```console
 $ docker build -t fail .
 
 Sending build context to Docker daemon 2.048 kB
@@ -198,7 +198,7 @@ See also:
 
 ### Build with PATH
 
-```bash
+```console
 $ docker build .
 
 Uploading context 10240 bytes
@@ -243,7 +243,7 @@ you must use `--rm=false`. This does not affect the build cache.
 
 ### Build with URL
 
-```bash
+```console
 $ docker build github.com/creack/docker-firefox
 ```
 
@@ -251,7 +251,7 @@ This will clone the GitHub repository and use the cloned repository as context.
 The Dockerfile at the root of the repository is used as Dockerfile. You can
 specify an arbitrary Git repository by using the `git://` or `git@` scheme.
 
-```bash
+```console
 $ docker build -f ctx/Dockerfile http://server/ctx.tar.gz
 
 Downloading context: http://server/ctx.tar.gz [===================>]    240 B/240 B
@@ -277,7 +277,7 @@ ctx/container.cfg /` operation works as expected.
 
 ### Build with -
 
-```bash
+```console
 $ docker build - < Dockerfile
 ```
 
@@ -286,7 +286,7 @@ context, no contents of any local directory will be sent to the Docker daemon.
 Since there is no context, a Dockerfile `ADD` only works if it refers to a
 remote URL.
 
-```bash
+```console
 $ docker build - < context.tar.gz
 ```
 
@@ -295,7 +295,7 @@ formats are: bzip2, gzip and xz.
 
 ### Use a .dockerignore file
 
-```bash
+```console
 $ docker build .
 
 Uploading context 18.829 MB
@@ -334,7 +334,7 @@ files.
 
 ### Tag an image (-t)
 
-```bash
+```console
 $ docker build -t vieux/apache:2.0 .
 ```
 
@@ -348,27 +348,27 @@ version.
 For example, to tag an image both as `whenry/fedora-jboss:latest` and
 `whenry/fedora-jboss:v2.1`, use the following:
 
-```bash
+```console
 $ docker build -t whenry/fedora-jboss:latest -t whenry/fedora-jboss:v2.1 .
 ```
 
 ### Specify a Dockerfile (-f)
 
-```bash
+```console
 $ docker build -f Dockerfile.debug .
 ```
 
 This will use a file called `Dockerfile.debug` for the build instructions
 instead of `Dockerfile`.
 
-```bash
+```console
 $ curl example.com/remote/Dockerfile | docker build -f - .
 ```
 
 The above command will use the current directory as the build context and read
 a Dockerfile from stdin.
 
-```bash
+```console
 $ docker build -f dockerfiles/Dockerfile.debug -t myapp_debug .
 $ docker build -f dockerfiles/Dockerfile.prod  -t myapp_prod .
 ```
@@ -377,7 +377,7 @@ The above commands will build the current build context (as specified by the
 `.`) twice, once using a debug version of a `Dockerfile` and once using a
 production version.
 
-```bash
+```console
 $ cd /home/me/myapp/some/dir/really/deep
 $ docker build -f /home/me/myapp/dockerfiles/debug /home/me/myapp
 $ docker build -f ../../../../dockerfiles/debug /home/me/myapp
@@ -420,7 +420,7 @@ A good example is `http_proxy` or source versions for pulling intermediate
 files. The `ARG` instruction lets Dockerfile authors define values that users
 can set at build-time using the  `--build-arg` flag:
 
-```bash
+```console
 $ docker build --build-arg HTTP_PROXY=http://10.20.30.2:1234 --build-arg FTP_PROXY=http://40.50.60.5:4567 .
 ```
 
@@ -439,7 +439,7 @@ You may also use the `--build-arg` flag without a value, in which case the value
 from the local environment will be propagated into the Docker container being
 built:
 
-```bash
+```console
 $ export HTTP_PROXY=http://10.20.30.2:1234
 $ docker build --build-arg HTTP_PROXY .
 ```
@@ -491,7 +491,7 @@ FROM alpine AS production-env
 ...
 ```
 
-```bash
+```console
 $ docker build -t mybuildimage --target build-env .
 ```
 
@@ -516,7 +516,7 @@ The following example builds an image using the current directory (`.`) as build
 context, and exports the files to a directory named `out` in the current directory.
 If the directory does not exist, Docker creates the directory automatically:
 
-```bash
+```console
 $ docker build -o out .
 ```
 
@@ -525,13 +525,13 @@ thus uses the default (`local`) exporter. The example below shows the equivalent
 using the long-hand CSV syntax, specifying both `type` and `dest` (destination
 path):
 
-```bash
+```console
 $ docker build --output type=local,dest=out .
 ```
 
 Use the `tar` type to export the files as a `.tar` archive:
 
-```bash
+```console
 $ docker build --output type=tar,dest=out.tar .
 ```
 
@@ -540,8 +540,8 @@ case, `-` is specified as destination, which automatically selects the `tar` typ
 and writes the output tarball to standard output, which is then redirected to
 the `out.tar` file:
 
-```bash
-docker build -o - . > out.tar
+```console
+$ docker build -o - . > out.tar
 ```
 
 The `--output` option exports all files from the target stage. A common pattern
@@ -562,7 +562,7 @@ COPY --from=build-stage /go/bin/vndr /
 When building the Dockerfile with the `-o` option, only the files from the final
 stage are exported to the `out` directory, in this case, the `vndr` binary:
 
-```bash
+```console
 $ docker build -o out .
 
 [+] Building 2.3s (7/7) FINISHED
@@ -610,7 +610,7 @@ options) allow pulling layer data for intermediate stages in multi-stage builds.
 The following example builds an image with inline-cache metadata and pushes it
 to a registry, then uses the image as a cache source on another machine:
 
-```bash
+```console
 $ docker build -t myname/myapp --build-arg BUILDKIT_INLINE_CACHE=1 .
 $ docker push myname/myapp
 ```
@@ -618,8 +618,9 @@ $ docker push myname/myapp
 After pushing the image, the image is used as cache source on another machine.
 BuildKit automatically pulls the image from the registry if needed.
 
-```bash
-# on another machine
+On another machine:
+
+```console
 $ docker build --cache-from myname/myapp .
 ```
 
@@ -666,7 +667,7 @@ The `--squash` option has a number of known limitations:
   base image is still supported.
 - When using this option you may see significantly more space used due to
   storing two copies of the image, one for the build cache with all the cache
-  layers in tact, and one for the squashed version.
+  layers intact, and one for the squashed version.
 - While squashing layers may produce smaller images, it may have a negative
   impact on performance, as a single layer takes longer to extract, and
   downloading a single layer cannot be parallelized.
@@ -725,7 +726,7 @@ To enable experimental features, you need to start the Docker daemon with
 
 Then make sure the experimental flag is enabled:
 
-```bash
+```console
 $ docker version -f '{{.Server.Experimental}}'
 true
 ```
@@ -745,15 +746,15 @@ RUN rm /remove_me
 
 An image named `test` is built with `--squash` argument.
 
-```bash
+```console
 $ docker build --squash -t test .
 
-[...]
+<...>
 ```
 
 If everything is right, the history looks like this:
 
-```bash
+```console
 $ docker history test
 
 IMAGE               CREATED             CREATED BY                                      SIZE                COMMENT

docs/reference/commandline/checkpoint.md

@@ -0,0 +1,102 @@
+---
+title: docker checkpoint
+description: "The checkpoint command description and usage"
+keywords: experimental, checkpoint, restore, criu
+experimental: true
+---
+
+## Description
+
+Checkpoint and Restore is an experimental feature that allows you to freeze a running
+container by checkpointing it, which turns its state into a collection of files
+on disk. Later, the container can be restored from the point it was frozen.
+
+This is accomplished using a tool called [CRIU](https://criu.org), which is an
+external dependency of this feature. A good overview of the history of
+checkpoint and restore in Docker is available in this
+[Kubernetes blog post](https://kubernetes.io/blog/2015/07/how-did-quake-demo-from-dockercon-work/).
+
+### Installing CRIU
+
+If you use a Debian system, you can add the CRIU PPA and install with `apt-get`
+[from the criu launchpad](https://launchpad.net/~criu/+archive/ubuntu/ppa).
+
+Alternatively, you can [build CRIU from source](https://criu.org/Installation).
+
+You need at least version 2.0 of CRIU to run checkpoint and restore in Docker.
+
+### Use cases for checkpoint and restore
+
+This feature is currently focused on single-host use cases for checkpoint and
+restore. Here are a few:
+
+- Restarting the host machine without stopping/starting containers
+- Speeding up the start time of slow start applications
+- "Rewinding" processes to an earlier point in time
+- "Forensic debugging" of running processes
+
+Another primary use case of checkpoint and restore outside of Docker is the live
+migration of a server from one machine to another. This is possible with the
+current implementation, but not currently a priority (and so the workflow is
+not optimized for the task).
+
+### Using checkpoint and restore
+
+A new top level command `docker checkpoint` is introduced, with three subcommands:
+
+- `docker checkpoint create` (creates a new checkpoint)
+- `docker checkpoint ls` (lists existing checkpoints)
+- `docker checkpoint rm` (deletes an existing checkpoint)
+
+Additionally, a `--checkpoint` flag is added to the `docker container start` command.
+
+The options for `docker checkpoint create`:
+
+```console
+Usage:  docker checkpoint create [OPTIONS] CONTAINER CHECKPOINT
+
+Create a checkpoint from a running container
+
+  --leave-running=false    Leave the container running after checkpoint
+  --checkpoint-dir         Use a custom checkpoint storage directory
+```
+
+And to restore a container:
+
+```console
+Usage:  docker start --checkpoint CHECKPOINT_ID [OTHER OPTIONS] CONTAINER
+```
+
+Example of using checkpoint and restore on a container:
+
+```console
+$ docker run --security-opt=seccomp:unconfined --name cr -d busybox /bin/sh -c 'i=0; while true; do echo $i; i=$(expr $i + 1); sleep 1; done'
+abc0123
+
+$ docker checkpoint create cr checkpoint1
+
+# <later>
+$ docker start --checkpoint checkpoint1 cr
+abc0123
+```
+
+This process just logs an incrementing counter to stdout. If you run `docker logs`
+in between running/checkpoint/restoring you should see that the counter
+increases while the process is running, stops while it's checkpointed, and
+resumes from the point it left off once you restore.
+
+### Known limitations
+
+seccomp is only supported by CRIU in very up to date kernels.
+
+External terminal (i.e. `docker run -t ..`) is not supported at the moment.
+If you try to create a checkpoint for a container with an external terminal,
+it would fail:
+
+```console
+$ docker checkpoint create cr checkpoint1
+Error response from daemon: Cannot checkpoint container c1: rpc error: code = 2 desc = exit status 1: "criu failed: type NOTIFY errno 0\nlog file: /var/lib/docker/containers/eb62ebdbf237ce1a8736d2ae3c7d88601fc0a50235b0ba767b559a1f3c5a600b/checkpoints/checkpoint1/criu.work/dump.log\n"
+
+$ cat /var/lib/docker/containers/eb62ebdbf237ce1a8736d2ae3c7d88601fc0a50235b0ba767b559a1f3c5a600b/checkpoints/checkpoint1/criu.work/dump.log
+Error (mount.c:740): mnt: 126:./dev/console doesn't have a proper root mount
+```

docs/reference/commandline/cli.md

@@ -3,7 +3,7 @@ title: "Use the Docker command line"
 description: "Docker's CLI command description and usage"
 keywords: "Docker, Docker documentation, CLI, command line, config.json, CLI configuration file"
 redirect_from:
-  - /go/experimental/
+  - /reference/commandline/cli/
   - /engine/reference/commandline/engine/
   - /engine/reference/commandline/engine_activate/
   - /engine/reference/commandline/engine_check/
@@ -24,7 +24,7 @@ redirect_from:
 To list available commands, either run `docker` with no parameters
 or execute `docker help`:
 
-```bash
+```console
 $ docker
 Usage: docker [OPTIONS] COMMAND [ARG...]
        docker [ --help | -v | --version ]
@@ -78,6 +78,7 @@ line:
 | `DOCKER_HOST`                 | Daemon socket to connect to.                                                                                                          |
 | `DOCKER_STACK_ORCHESTRATOR`   | Configure the default orchestrator to use when using `docker stack` management commands.                                              |
 | `DOCKER_TLS_VERIFY`           | When set Docker uses TLS and verifies the remote. This variable is used both by the `docker` CLI and the [`dockerd` daemon](dockerd.md) |
+| `BUILDKIT_PROGRESS`           | Set type of progress output (`auto`, `plain`, `tty`) when [building](build.md) with [BuildKit backend](../builder.md#buildkit). Use plain to show container output (default `auto`). |
 
 Because Docker is developed using Go, you can also use any environment
 variables used by the Go runtime. In particular, you may find these useful:
@@ -87,7 +88,7 @@ variables used by the Go runtime. In particular, you may find these useful:
 * `NO_PROXY`
 
 These Go environment variables are case-insensitive. See the
-[Go specification](http://golang.org/pkg/net/http/) for details on these
+[Go specification](https://golang.org/pkg/net/http/) for details on these
 variables.
 
 ## Configuration files
@@ -312,6 +313,9 @@ Experimental features provide early access to future product functionality.
 These features are intended for testing and feedback, and they may change
 between releases without warning or can be removed from a future release.
 
+Starting with Docker 20.10, experimental CLI features are enabled by default,
+and require no configuration to enable them.
+
 ### Notary
 
 If using your own notary server and a self-signed certificate or an internal

docs/reference/commandline/commit.md

@@ -43,7 +43,7 @@ created.  Supported `Dockerfile` instructions:
 
 ### Commit a container
 
-```bash
+```console
 $ docker ps
 
 CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS              NAMES
@@ -62,7 +62,7 @@ svendowideit/testimage            version3            f5283438590d        16 sec
 
 ### Commit a container with new configurations
 
-```bash
+```console
 $ docker ps
 
 CONTAINER ID       IMAGE               COMMAND             CREATED             STATUS              PORTS              NAMES
@@ -84,7 +84,7 @@ $ docker inspect -f "{{ .Config.Env }}" f5283438590d
 
 ### Commit a container with new `CMD` and `EXPOSE` instructions
 
-```bash
+```console
 $ docker ps
 
 CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS              NAMES

docs/reference/commandline/config_create.md

@@ -33,7 +33,7 @@ For detailed information about using configs, refer to [store configuration data
 
 ### Create a config
 
-```bash
+```console
 $ printf <config> | docker config create my_config -
 
 onakdyv307se2tl7nl20anokv
@@ -46,7 +46,7 @@ onakdyv307se2tl7nl20anokv   my_config           6 seconds ago       6 seconds ag
 
 ### Create a config with a file
 
-```bash
+```console
 $ docker config create my_config ./config.json
 
 dg426haahpi5ezmkkj5kyl3sn
@@ -59,7 +59,7 @@ dg426haahpi5ezmkkj5kyl3sn   my_config           7 seconds ago       7 seconds ag
 
 ### Create a config with labels
 
-```bash
+```console
 $ docker config create \
     --label env=dev \
     --label rev=20170324 \
@@ -68,7 +68,7 @@ $ docker config create \
 eo7jnzguqgtpdah3cm5srfb97
 ```
 
-```bash
+```console
 $ docker config inspect my_config
 
 [

docs/reference/commandline/config_inspect.md

@@ -23,7 +23,7 @@ Inspects the specified config.
 By default, this renders all results in a JSON array. If a format is specified,
 the given template will be executed for each result.
 
-Go's [text/template](http://golang.org/pkg/text/template/) package
+Go's [text/template](https://golang.org/pkg/text/template/) package
 describes all the details of the format.
 
 For detailed information about using configs, refer to [store configuration data using Docker Configs](https://docs.docker.com/engine/swarm/configs/).
@@ -43,14 +43,14 @@ You can inspect a config, either by its *name*, or *ID*
 
 For example, given the following config:
 
-```bash
+```console
 $ docker config ls
 
 ID                          NAME                CREATED             UPDATED
 eo7jnzguqgtpdah3cm5srfb97   my_config           3 minutes ago       3 minutes ago
 ```
 
-```bash
+```console
 $ docker config inspect config.json
 ```
 
@@ -83,7 +83,7 @@ You can use the --format option to obtain specific information about a
 config. The following example command outputs the creation time of the
 config.
 
-```bash
+```console
 $ docker config inspect --format='{{.CreatedAt}}' eo7jnzguqgtpdah3cm5srfb97
 
 2017-03-24 08:15:09.735271783 +0000 UTC

docs/reference/commandline/config_ls.md

@@ -36,7 +36,7 @@ For detailed information about using configs, refer to [store configuration data
 
 ## Examples
 
-```bash
+```console
 $ docker config ls
 
 ID                          NAME                        CREATED             UPDATED
@@ -60,7 +60,7 @@ The currently supported filters are:
 
 The `id` filter matches all or prefix of a config's id.
 
-```bash
+```console
 $ docker config ls -f "id=6697bflskwj1998km1gnnjr38"
 
 ID                          NAME                        CREATED             UPDATED
@@ -75,7 +75,7 @@ a `label` and a value.
 The following filter matches all configs with a `project` label regardless of
 its value:
 
-```bash
+```console
 $ docker config ls --filter label=project
 
 ID                          NAME                        CREATED             UPDATED
@@ -85,7 +85,7 @@ mem02h8n73mybpgqjf0kfi1n0   test_config                 About an hour ago   Abou
 The following filter matches only services with the `project` label with the
 `project-a` value.
 
-```bash
+```console
 $ docker service ls --filter label=project=test
 
 ID                          NAME                        CREATED             UPDATED
@@ -98,7 +98,7 @@ The `name` filter matches on all or prefix of a config's name.
 
 The following filter matches config with a name containing a prefix of `test`.
 
-```bash
+```console
 $ docker config ls --filter name=test_config
 
 ID                          NAME                        CREATED             UPDATED
@@ -128,7 +128,7 @@ output the data exactly as the template declares or, when using the
 The following example uses a template without headers and outputs the
 `ID` and `Name` entries separated by a colon (`:`) for all images:
 
-```bash
+```console
 $ docker config ls --format "{{.ID}}: {{.Name}}"
 
 77af4d6b9913: config-1
@@ -139,7 +139,7 @@ b6fa739cedf5: config-2
 To list all configs with their name and created date in a table format you
 can use:
 
-```bash
+```console
 $ docker config ls --format "table {{.ID}}\t{{.Name}}\t{{.CreatedAt}}"
 
 ID                  NAME                      CREATED

docs/reference/commandline/config_rm.md

@@ -35,7 +35,7 @@ For detailed information about using configs, refer to [store configuration data
 
 This example removes a config:
 
-```bash
+```console
 $ docker config rm my_config
 sapth4csdo5b6wz2p5uimh5xg
 ```

docs/reference/commandline/container_prune.md

@@ -26,7 +26,7 @@ Removes all stopped containers.
 
 ### Prune containers
 
-```bash
+```console
 $ docker container prune
 WARNING! This will remove all stopped containers.
 Are you sure you want to continue? [y/N] y
@@ -66,7 +66,7 @@ containers without the specified labels.
 
 The following removes containers created more than 5 minutes ago:
 
-```bash
+```console
 $ docker ps -a --format 'table {{.ID}}\t{{.Image}}\t{{.Command}}\t{{.CreatedAt}}\t{{.Status}}'
 
 CONTAINER ID        IMAGE               COMMAND             CREATED AT                      STATUS
@@ -88,7 +88,7 @@ CONTAINER ID        IMAGE               COMMAND             CREATED AT
 
 The following removes containers created before `2017-01-04T13:10:00`:
 
-```bash
+```console
 $ docker ps -a --format 'table {{.ID}}\t{{.Image}}\t{{.Command}}\t{{.CreatedAt}}\t{{.Status}}'
 
 CONTAINER ID        IMAGE               COMMAND             CREATED AT                      STATUS

docs/reference/commandline/context_create.md

@@ -62,7 +62,7 @@ kubernetes options. The example below creates the context `my-context`
 with a docker endpoint of `/var/run/docker.sock` and a kubernetes configuration
 sourced from the file `/home/me/my-kube-config`:
 
-```bash
+```console
 $ docker context create \
     --docker host=unix:///var/run/docker.sock \
     --kubernetes config-file=/home/me/my-kube-config \
@@ -75,19 +75,19 @@ Use the `--from=<context-name>` option to create a new context from
 an existing context. The example below creates a new context named `my-context`
 from the existing context `existing-context`:
 
-```bash
+```console
 $ docker context create --from existing-context my-context
 ```
 
 If the `--from` option is not set, the `context` is created from the current context:
 
-```bash
+```console
 $ docker context create my-context
 ```
 
 This can be used to create a context out of an existing `DOCKER_HOST` based script:
 
-```bash
+```console
 $ source my-setup-script.sh
 $ docker context create my-context
 ```
@@ -98,7 +98,7 @@ new context named `my-context` using the docker endpoint configuration from
 the existing context `existing-context` and a kubernetes configuration sourced
 from the file `/home/me/my-kube-config`:
 
-```bash
+```console
 $ docker context create \
     --docker from=existing-context \
     --kubernetes config-file=/home/me/my-kube-config \
@@ -110,7 +110,7 @@ To source only the `kubernetes` configuration from an existing context use the
 context named `my-context` using the kuberentes configuration from the existing
 context `existing-context` and a docker endpoint of `/var/run/docker.sock`:
 
-```bash
+```console
 $ docker context create \
     --docker host=unix:///var/run/docker.sock \
     --kubernetes from=existing-context \

docs/reference/commandline/context_inspect.md

@@ -23,7 +23,7 @@ Inspects one or more contexts.
 
 ### Inspect a context by name
 
-```bash
+```console
 $ docker context inspect "local+aks"
 
 [

docs/reference/commandline/context_ls.md

@@ -25,7 +25,9 @@ Options:
 Use `docker context ls` to print all contexts. The currently active context is
 indicated with an `*`:
 
-```bash
+```console
+$ docker context ls
+
 NAME                DESCRIPTION                               DOCKER ENDPOINT                      KUBERNETES ENDPOINT   ORCHESTRATOR
 default *           Current DOCKER_HOST based configuration   unix:///var/run/docker.sock                                swarm
 production                                                    tcp:///prod.corp.example.com:2376

docs/reference/commandline/context_update.md

@@ -54,7 +54,7 @@ See [context create](context_create.md).
 
 ### Update an existing context
 
-```bash
+```console
 $ docker context update \
     --description "some description" \
     --docker "host=tcp://myserver:2376,ca=~/ca-file,cert=~/cert-file,key=~/key-file" \

docs/reference/commandline/cp.md

@@ -95,11 +95,11 @@ the user in the container. However, you can still copy such files by manually
 running `tar` in `docker exec`. Both of the following examples do the same thing
 in different ways (consider `SRC_PATH` and `DEST_PATH` are directories):
 
-```bash
+```console
 $ docker exec CONTAINER tar Ccf $(dirname SRC_PATH) - $(basename SRC_PATH) | tar Cxf DEST_PATH -
 ```
 
-```bash
+```console
 $ tar Ccf $(dirname SRC_PATH) - $(basename SRC_PATH) | docker exec -i CONTAINER tar Cxf DEST_PATH -
 ```
 

docs/reference/commandline/create.md

@@ -109,7 +109,7 @@ Options:
                                       Unit is optional and can be `b` (bytes), `k` (kilobytes), `m` (megabytes),
                                       or `g` (gigabytes). If you omit the unit, the system uses bytes.
       --stop-signal string            Signal to stop a container (default "SIGTERM")
-      --stop-timeout=10               Timeout (in seconds) to stop a container
+      --stop-timeout int              Timeout (in seconds) to stop a container
       --storage-opt value             Storage driver options for the container (default [])
       --sysctl value                  Sysctl options (default map[])
       --tmpfs value                   Mount a tmpfs directory (default [])
@@ -131,6 +131,7 @@ Options:
       --volumes-from value            Mount volumes from the specified container(s) (default [])
   -w, --workdir string                Working directory inside the container
 ```
+
 ## Description
 
 The `docker create` command creates a writeable container layer over the
@@ -149,7 +150,7 @@ Please see the [run command](run.md) section and the [Docker run reference](../r
 
 ### Create and start a container
 
-```bash
+```console
 $ docker create -t -i fedora bash
 
 6d8af538ec541dd581ebc2a24153a28329acb5268abe5ef868c1f1a261221752
@@ -165,7 +166,7 @@ As of v1.4.0 container volumes are initialized during the `docker create` phase
 (i.e., `docker run` too). For example, this allows you to `create` the `data`
 volume container, and then use it from another container:
 
-```bash
+```console
 $ docker create -v /data --name data ubuntu
 
 240633dfbb98128fa77473d3d9018f6123b99c454b3251427ae190a7d951ad57
@@ -180,7 +181,7 @@ drwxr-xr-x 48 root root 4096 Dec  5 04:11 ..
 Similarly, `create` a host directory bind mounted volume container, which can
 then be used from the subsequent container:
 
-```bash
+```console
 $ docker create -v /home/docker:/docker --name docker ubuntu
 
 9aa88c08f319cd1e4515c3c46b0de7cc9aa75e878357b1e96f91e2c773029f03
@@ -202,7 +203,7 @@ drwxr-xr-x 32 1000 staff 1140 Dec  5 04:01 docker
 
 Set storage driver options per container.
 
-```bash
+```console
 $ docker create -it --storage-opt size=120G fedora /bin/bash
 ```
 
@@ -223,12 +224,11 @@ technology. On Linux, the only supported is the `default` option which uses
 Linux namespaces. On Microsoft Windows, you can specify these values:
 
 
-| Value     | Description                                                                                                                                                   |
-|-----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `default` | Use the value specified by the Docker daemon's `--exec-opt` . If the `daemon` does not specify an isolation technology, Microsoft Windows uses `process` as its default value if the
-daemon is running on Windows server, or `hyperv` if running on Windows client.  |
-| `process` | Namespace isolation only.                                                                                                                                     |
-| `hyperv`   | Hyper-V hypervisor partition-based isolation.                                                                                                                  |
+| Value     | Description                                                  |
+| --------- | ------------------------------------------------------------ |
+| `default` | Use the value specified by the Docker daemon's `--exec-opt` . If the `daemon` does not specify an isolation technology, Microsoft Windows uses `process` as its default value if the daemon is running on Windows server, or `hyperv` if running on Windows client. |
+| `process` | Namespace isolation only.                                    |
+| `hyperv`  | Hyper-V hypervisor partition-based isolation.                |
 
 Specifying the `--isolation` flag without a value is the same as setting `--isolation="default"`.
 
@@ -239,14 +239,14 @@ assigned devices will both be added to the cgroup.allow file and
 created into the container once it is run. This poses a problem when
 a new device needs to be added to running container.
 
-One of the solution is to add a more permissive rule to a container
+One of the solutions is to add a more permissive rule to a container
 allowing it access to a wider range of devices. For example, supposing
 our container needs access to a character device with major `42` and
 any number of minor number (added as new devices appear), the
 following rule would be added:
 
-```
-docker create --device-cgroup-rule='c 42:* rmw' -name my-container my-image
+```console
+$ docker create --device-cgroup-rule='c 42:* rmw' -name my-container my-image
 ```
 
 Then, a user could ask `udev` to execute a script that would `docker exec my-container mknod newDevX c 42 <minor>`

docs/reference/commandline/diff.md

@@ -33,7 +33,7 @@ You can use the full or shortened container ID or the container name set using
 
 Inspect the changes to an `nginx` container:
 
-```bash
+```console
 $ docker diff 1fdfd1f54c1b
 
 C /dev

docs/reference/commandline/dockerd.md

@@ -115,8 +115,8 @@ Options with [] may be specified multiple times.
 uses different binaries for the daemon and client. To run the daemon you
 type `dockerd`.
 
-To run the daemon with debug output, use `dockerd -D` or add `"debug": true` to
-the `daemon.json` file.
+To run the daemon with debug output, use `dockerd --debug` or add `"debug": true`
+to [the `daemon.json` file](#daemon-configuration-file).
 
 > **Enabling experimental features**
 > 
@@ -164,7 +164,7 @@ communication with the daemon.
 > supported anymore for security reasons.
 
 On Systemd based systems, you can communicate with the daemon via
-[Systemd socket activation](http://0pointer.de/blog/projects/socket-activation.html),
+[Systemd socket activation](https://0pointer.de/blog/projects/socket-activation.html),
 use `dockerd -H fd://`. Using `fd://` will work perfectly for most setups but
 you can also specify individual sockets: `dockerd -H fd://3`. If the
 specified socket activated files aren't found, then Docker will exit. You can
@@ -174,20 +174,21 @@ find examples of using Systemd socket activation with Docker and Systemd in the
 You can configure the Docker daemon to listen to multiple sockets at the same
 time using multiple `-H` options:
 
-```bash
-# listen using the default unix socket, and on 2 specific IP addresses on this host.
+The example below runs the daemon listenin on the default unix socket, and
+on 2 specific IP addresses on this host:
 
+```console
 $ sudo dockerd -H unix:///var/run/docker.sock -H tcp://192.168.59.106 -H tcp://10.10.10.2
 ```
 
 The Docker client will honor the `DOCKER_HOST` environment variable to set the
 `-H` flag for the client. Use **one** of the following commands:
 
-```bash
+```console
 $ docker -H tcp://0.0.0.0:2375 ps
 ```
 
-```bash
+```console
 $ export DOCKER_HOST="tcp://0.0.0.0:2375"
 
 $ docker ps
@@ -197,7 +198,7 @@ Setting the `DOCKER_TLS_VERIFY` environment variable to any value other than
 the empty string is equivalent to setting the `--tlsverify` flag. The following
 are equivalent:
 
-```bash
+```console
 $ docker --tlsverify ps
 # or
 $ export DOCKER_TLS_VERIFY=1
@@ -210,7 +211,7 @@ precedence over `HTTP_PROXY`.
 
 The Docker client supports connecting to a remote daemon via SSH:
 
-```
+```console
 $ docker -H ssh://me@example.com:22 ps
 $ docker -H ssh://me@example.com ps
 $ docker -H ssh://example.com ps
@@ -267,22 +268,21 @@ when no `-H` was passed in.
 
 Run Docker in daemon mode:
 
-```bash
+```console
 $ sudo <path to>/dockerd -H 0.0.0.0:5555 &
 ```
 
 Download an `ubuntu` image:
 
-```bash
+```console
 $ docker -H :5555 pull ubuntu
 ```
 
 You can use multiple `-H`, for example, if you want to listen on both
 TCP and a Unix socket
 
-```bash
-# Run docker in daemon mode
-$ sudo <path to>/dockerd -H tcp://127.0.0.1:2375 -H unix:///var/run/docker.sock &
+```console
+$ sudo dockerd -H tcp://127.0.0.1:2375 -H unix:///var/run/docker.sock &
 # Download an ubuntu image, use default Unix socket
 $ docker pull ubuntu
 # OR use the TCP port
@@ -307,12 +307,12 @@ devices, one for data and one for metadata. By default, these block devices
 are created automatically by using loopback mounts of automatically created
 sparse files. Refer to [Devicemapper options](#devicemapper-options) below
 for a way how to customize this setup.
-[~jpetazzo/Resizing Docker containers with the Device Mapper plugin](http://jpetazzo.github.io/2014/01/29/docker-device-mapper-resize/)
+[~jpetazzo/Resizing Docker containers with the Device Mapper plugin](https://jpetazzo.github.io/2014/01/29/docker-device-mapper-resize/)
 article explains how to tune your existing setup without the use of options.
 
 The `btrfs` driver is very fast for `docker build` - but like `devicemapper`
 does not share executable memory between devices. Use
-`dockerd -s btrfs -g /mnt/btrfs_partition`.
+`dockerd --storage-driver btrfs --data-root /mnt/btrfs_partition`.
 
 The `zfs` driver is probably not as fast as `btrfs` but has a longer track record
 on stability. Thanks to `Single Copy ARC` shared blocks between clones will be
@@ -395,7 +395,7 @@ not use loopback in production. Ensure your Engine daemon has a
 
 ###### Example:
 
-```bash
+```console
 $ sudo dockerd --storage-opt dm.thinpooldev=/dev/mapper/thin-pool
 ```
 
@@ -406,7 +406,7 @@ device for you.
 
 ###### Example:
 
-```bash
+```console
 $ sudo dockerd --storage-opt dm.directlvm_device=/dev/xvdf
 ```
 
@@ -416,7 +416,7 @@ Sets the percentage of passed in block device to use for storage.
 
 ###### Example:
 
-```bash
+```console
 $ sudo dockerd --storage-opt dm.thinp_percent=95
 ```
 
@@ -426,7 +426,7 @@ Sets the percentage of the passed in block device to use for metadata storage.
 
 ###### Example:
 
-```bash
+```console
 $ sudo dockerd --storage-opt dm.thinp_metapercent=1
 ```
 
@@ -437,7 +437,7 @@ autoextend the available space [100 = disabled]
 
 ###### Example:
 
-```bash
+```console
 $ sudo dockerd --storage-opt dm.thinp_autoextend_threshold=80
 ```
 
@@ -448,7 +448,7 @@ attempts to autoextend the available space [100 = disabled]
 
 ###### Example:
 
-```bash
+```console
 $ sudo dockerd --storage-opt dm.thinp_autoextend_percent=20
 ```
 
@@ -467,7 +467,7 @@ new base device size.
 
 ###### Examples
 
-```bash
+```console
 $ sudo dockerd --storage-opt dm.basesize=50G
 ```
 
@@ -479,7 +479,7 @@ This value affects the system-wide "base" empty filesystem
 that may already be initialized and inherited by pulled images. Typically,
 a change to this value requires additional steps to take effect:
 
- ```bash
+```console
 $ sudo service docker stop
 
 $ sudo rm -rf /var/lib/docker
@@ -502,7 +502,7 @@ much space.
 
 ###### Example
 
-```bash
+```console
 $ sudo dockerd --storage-opt dm.loopdatasize=200G
 ```
 
@@ -520,7 +520,7 @@ this much space.
 
 ###### Example
 
-```bash
+```console
 $ sudo dockerd --storage-opt dm.loopmetadatasize=4G
 ```
 
@@ -531,7 +531,7 @@ options are "ext4" and "xfs". The default is "xfs"
 
 ###### Example
 
-```bash
+```console
 $ sudo dockerd --storage-opt dm.fs=ext4
 ```
 
@@ -541,7 +541,7 @@ Specifies extra mkfs arguments to be used when creating the base device.
 
 ###### Example
 
-```bash
+```console
 $ sudo dockerd --storage-opt "dm.mkfsarg=-O ^has_journal"
 ```
 
@@ -551,7 +551,7 @@ Specifies extra mount options used when mounting the thin devices.
 
 ###### Example
 
-```bash
+```console
 $ sudo dockerd --storage-opt dm.mountopt=nodiscard
 ```
 
@@ -567,7 +567,7 @@ device.
 
 ###### Example
 
-```bash
+```console
 $ sudo dockerd \
       --storage-opt dm.datadev=/dev/sdb1 \
       --storage-opt dm.metadatadev=/dev/sdc1
@@ -585,13 +585,13 @@ data, or even better on an SSD.
 If setting up a new metadata pool it is required to be valid. This can be
 achieved by zeroing the first 4k to indicate empty metadata, like this:
 
-```bash
+```console
 $ dd if=/dev/zero of=$metadata_dev bs=4096 count=1
 ```
 
 ###### Example
 
-```bash
+```console
 $ sudo dockerd \
       --storage-opt dm.datadev=/dev/sdb1 \
       --storage-opt dm.metadatadev=/dev/sdc1
@@ -604,7 +604,7 @@ blocksize is 64K.
 
 ###### Example
 
-```bash
+```console
 $ sudo dockerd --storage-opt dm.blocksize=512K
 ```
 
@@ -620,7 +620,7 @@ returned to the system for other use when containers are removed.
 
 ###### Examples
 
-```bash
+```console
 $ sudo dockerd --storage-opt dm.blkdiscard=false
 ```
 
@@ -632,11 +632,11 @@ Overrides the `udev` synchronization checks between `devicemapper` and `udev`.
 To view the `udev` sync support of a Docker daemon that is using the
 `devicemapper` driver, run:
 
-```bash
+```console
 $ docker info
-[...]
+<...>
 Udev Sync Supported: true
-[...]
+<...>
 ```
 
 When `udev` sync support is `true`, then `devicemapper` and udev can
@@ -650,7 +650,7 @@ results in errors and failures. (For information on these failures, see
 To allow the `docker` daemon to start, regardless of `udev` sync not being
 supported, set `dm.override_udev_sync_check` to true:
 
-```bash
+```console
 $ sudo dockerd --storage-opt dm.override_udev_sync_check=true
 ```
 
@@ -683,7 +683,7 @@ loop trying to remove a busy device.
 
 ###### Example
 
-```bash
+```console
 $ sudo dockerd --storage-opt dm.use_deferred_removal=true
 ```
 
@@ -701,7 +701,7 @@ Error deleting container: Error response from daemon: Cannot destroy container
 To avoid this failure, enable both deferred device deletion and deferred
 device removal on the daemon.
 
-```bash
+```console
 $ sudo dockerd \
       --storage-opt dm.use_deferred_deletion=true \
       --storage-opt dm.use_deferred_removal=true
@@ -741,7 +741,7 @@ the issue.
 
 ###### Example
 
-```bash
+```console
 $ sudo dockerd --storage-opt dm.min_free_space=10%
 ```
 
@@ -757,7 +757,7 @@ ENOSPC and will shutdown filesystem.
 
 ###### Example
 
-```bash
+```console
 $ sudo dockerd --storage-opt dm.xfs_nospace_max_retries=0
 ```
 
@@ -783,7 +783,7 @@ their corresponding levels when output by `dockerd`.
 
 ###### Example
 
-```bash
+```console
 $ sudo dockerd \
       --log-level debug \
       --storage-opt dm.libdm_log_level=7
@@ -799,7 +799,7 @@ By default docker will pick up the zfs filesystem where docker graph
 
 ###### Example
 
-```bash
+```console
 $ sudo dockerd -s zfs --storage-opt zfs.fsname=zroot/docker
 ```
 
@@ -814,7 +814,7 @@ a container with **--storage-opt size** option, docker should ensure the
 
 ###### Example
 
-```bash
+```console
 $ sudo dockerd -s btrfs --storage-opt btrfs.min_space=10G
 ```
 
@@ -837,7 +837,7 @@ conditions the user can pass any size less then the backing fs size.
 
 ###### Example
 
-```bash
+```console
 $ sudo dockerd -s overlay2 --storage-opt overlay2.size=1G
 ```
 
@@ -959,7 +959,7 @@ By default, the Docker daemon automatically starts `containerd`. If you want to
 control `containerd` startup, manually start `containerd` and pass the path to
 the `containerd` socket using the `--containerd` flag. For example:
 
-```bash
+```console
 $ sudo dockerd --containerd /var/run/dev/docker-containerd.sock
 ```
 
@@ -987,7 +987,7 @@ The following is an example adding 2 runtimes via the configuration:
 
 This is the same example via the command line:
 
-```bash
+```console
 $ sudo dockerd --add-runtime runc=runc --add-runtime custom=/usr/local/bin/my-runc-replacement
 ```
 
@@ -1009,7 +1009,7 @@ is used on cgroup v2 hosts with systemd available.
 
 This example sets the `cgroupdriver` to `systemd`:
 
-```bash
+```console
 $ sudo dockerd --exec-opt native.cgroupdriver=systemd
 ```
 
@@ -1030,13 +1030,13 @@ value is specified on daemon start, on Windows client, the default is
 
 To set the DNS server for all Docker containers, use:
 
-```bash
+```console
 $ sudo dockerd --dns 8.8.8.8
 ```
 
 To set the DNS search domain for all Docker containers, use:
 
-```bash
+```console
 $ sudo dockerd --dns-search example.com
 ```
 
@@ -1162,7 +1162,7 @@ TLS. To configure the client TLS settings used by the daemon can be configured
 using the `--cluster-store-opt` flag, specifying the paths to PEM encoded
 files. For example:
 
-```bash
+```console
 $ sudo dockerd \
     --cluster-advertise 192.168.1.2:2376 \
     --cluster-store etcd://192.168.1.2:2379 \
@@ -1189,7 +1189,7 @@ organization can purchase or build themselves. You can install one or more
 authorization plugins when you start the Docker `daemon` using the
 `--authorization-plugin=PLUGIN_ID` option.
 
-```bash
+```console
 $ sudo dockerd --authorization-plugin=plugin1 --authorization-plugin=plugin2,...
 ```
 
@@ -1210,7 +1210,7 @@ For information about how to create an authorization plugin, refer to the
 ### Daemon user namespace options
 
 The Linux kernel
-[user namespace support](http://man7.org/linux/man-pages/man7/user_namespaces.7.html)
+[user namespace support](https://man7.org/linux/man-pages/man7/user_namespaces.7.html)
 provides additional security by enabling a process, and therefore a container,
 to have a unique range of user and group IDs which are outside the traditional
 user and group range utilized by the host system. Potentially the most important
@@ -1233,14 +1233,14 @@ for `/var/lib/docker/tmp`. The `DOCKER_TMPDIR` and the data directory can be
 set like this:
 
 ```console
-$ DOCKER_TMPDIR=/mnt/disk2/tmp /usr/local/bin/dockerd -D -g /var/lib/docker -H unix:// > /var/lib/docker-machine/docker.log 2>&1
+$ DOCKER_TMPDIR=/mnt/disk2/tmp /usr/local/bin/dockerd --data-root /var/lib/docker -H unix:// > /var/lib/docker-machine/docker.log 2>&1
 ```
 
 or
 
 ```console
 $ export DOCKER_TMPDIR=/mnt/disk2/tmp
-$ /usr/local/bin/dockerd -D -g /var/lib/docker -H unix:// > /var/lib/docker-machine/docker.log 2>&1
+$ /usr/local/bin/dockerd --data-root /var/lib/docker -H unix:// > /var/lib/docker-machine/docker.log 2>&1
 ````
 
 #### Default cgroup parent
@@ -1360,11 +1360,11 @@ This is a full example of the allowed configuration options on Linux:
   "debug": true,
   "default-address-pools": [
     {
-      "base": "172.80.0.0/16",
+      "base": "172.30.0.0/16",
       "size": 24
     },
     {
-      "base": "172.90.0.0/16",
+      "base": "172.31.0.0/16",
       "size": 24
     }
   ],
@@ -1554,7 +1554,7 @@ The list of currently supported options that can be reconfigured is this:
   be used to run containers.
 - `authorization-plugin`: it specifies the authorization plugins to use.
 - `allow-nondistributable-artifacts`: Replaces the set of registries to which the daemon will push nondistributable artifacts with a new set of registries.
-- `insecure-registries`: it replaces the daemon insecure registries with a new set of insecure registries. If some existing insecure registries in daemon's configuration are not in newly reloaded insecure resgitries, these existing ones will be removed from daemon's config.
+- `insecure-registries`: it replaces the daemon insecure registries with a new set of insecure registries. If some existing insecure registries in daemon's configuration are not in newly reloaded insecure registries, these existing ones will be removed from daemon's config.
 - `registry-mirrors`: it replaces the daemon registry mirrors with a new set of registry mirrors. If some existing registry mirrors in daemon's configuration are not in newly reloaded registry mirrors, these existing ones will be removed from daemon's config.
 - `shutdown-timeout`: it replaces the daemon's existing configuration timeout with a new timeout for shutting down all containers.
 - `features`: it explicitly enables or disables specific features.

docs/reference/commandline/events.md

@@ -194,11 +194,11 @@ The currently supported filters are:
 
 If a format (`--format`) is specified, the given template will be executed
 instead of the default
-format. Go's [text/template](http://golang.org/pkg/text/template/) package
+format. Go's [text/template](https://golang.org/pkg/text/template/) package
 describes all the details of the format.
 
 If a format is set to `{{json .}}`, the events are streamed as valid JSON
-Lines. For information about JSON Lines, please refer to http://jsonlines.org/.
+Lines. For information about JSON Lines, please refer to https://jsonlines.org/.
 
 ## Examples
 
@@ -208,13 +208,13 @@ You'll need two shells for this example.
 
 **Shell 1: Listening for events:**
 
-```bash
+```console
 $ docker events
 ```
 
 **Shell 2: Start and Stop containers:**
 
-```bash
+```console
 $ docker create --name test alpine:latest top
 $ docker start test
 $ docker stop test
@@ -239,7 +239,7 @@ To exit the `docker events` command, use `CTRL+C`.
 You can filter the output by an absolute timestamp or relative time on the host
 machine, using the following different time syntaxes:
 
-```bash
+```console
 $ docker events --since 1483283804
 2017-01-05T00:35:41.241772953+08:00 volume create testVol (driver=local)
 2017-01-05T00:35:58.859401177+08:00 container create d9cd...4d70 (image=alpine:latest, name=test)
@@ -292,7 +292,7 @@ $ docker events --since '2017-01-05T00:35:30' --until '2017-01-05T00:36:05'
 The following commands show several different ways to filter the `docker event`
 output.
 
-```bash
+```console
 $ docker events --filter 'event=stop'
 
 2017-01-05T00:40:22.880175420+08:00 container stop 0fdb...ff37 (image=alpine:latest, name=test)
@@ -388,7 +388,7 @@ $ docker events --filter 'scope=swarm'
 
 ### Format the output
 
-```bash
+```console
 $ docker events --filter 'type=container' --format 'Type={{.Type}}  Status={{.Status}}  ID={{.ID}}'
 
 Type=container  Status=create  ID=2ee349dac409e97974ce8d01b70d250b85e0ba8189299c126a87812311951e26
@@ -401,7 +401,7 @@ Type=container  Status=destroy  ID=2ee349dac409e97974ce8d01b70d250b85e0ba8189299
 
 #### Format as JSON
 
-```bash
+```console
 $ docker events --format '{{json .}}'
 
 {"status":"create","id":"196016a57679bf42424484918746a9474cd905dd993c4d0f4..

docs/reference/commandline/exec.md

@@ -46,7 +46,7 @@ not work, but `docker exec -ti my_container sh -c "echo a && echo b"` will.
 
 First, start a container.
 
-```bash
+```console
 $ docker run --name ubuntu_bash --rm -i -t ubuntu bash
 ```
 
@@ -54,7 +54,7 @@ This will create a container named `ubuntu_bash` and start a Bash session.
 
 Next, execute a command on the container.
 
-```bash
+```console
 $ docker exec -d ubuntu_bash touch /tmp/execWorks
 ```
 
@@ -63,7 +63,7 @@ This will create a new file `/tmp/execWorks` inside the running container
 
 Next, execute an interactive `bash` shell on the container.
 
-```bash
+```console
 $ docker exec -it ubuntu_bash bash
 ```
 
@@ -71,7 +71,7 @@ This will create a new Bash session in the container `ubuntu_bash`.
 
 Next, set an environment variable in the current bash session.
 
-```bash
+```console
 $ docker exec -it -e VAR=1 ubuntu_bash bash
 ```
 
@@ -81,14 +81,14 @@ on the current Bash session.
 
 By default `docker exec` command runs in the same working directory set when container was created.
 
-```bash
+```console
 $ docker exec -it ubuntu_bash pwd
 /
 ```
 
 You can select working directory for the command to execute into
 
-```bash
+```console
 $ docker exec -it -w /root ubuntu_bash pwd
 /root
 ```
@@ -98,7 +98,7 @@ $ docker exec -it -w /root ubuntu_bash pwd
 
 If the container is paused, then the `docker exec` command will fail with an error:
 
-```bash
+```console
 $ docker pause test
 
 test

docs/reference/commandline/export.md

@@ -30,10 +30,10 @@ in the user guide for examples on exporting data in a volume.
 
 Each of these commands has the same result.
 
-```bash
+```console
 $ docker export red_panda > latest.tar
 ```
 
-```bash
+```console
 $ docker export --output="latest.tar" red_panda
 ```

docs/reference/commandline/history.md

@@ -24,7 +24,7 @@ Options:
 
 To see how the `docker:latest` image was built:
 
-```bash
+```console
 $ docker history docker
 
 IMAGE               CREATED             CREATED BY                                      SIZE                COMMENT
@@ -38,7 +38,7 @@ be51b77efb42        8 days ago          /bin/sh -c apt-get update && apt-get ins
 
 To see how the `docker:apache` image was added to a container's base image:
 
-```bash
+```console
 $ docker history docker:scm
 IMAGE               CREATED             CREATED BY                                      SIZE                COMMENT
 2ac9d1098bf1        3 months ago        /bin/bash                                       241.4 MB            Added Apache to Fedora base image
@@ -71,7 +71,7 @@ The following example uses a template without headers and outputs the
 `ID` and `CreatedSince` entries separated by a colon (`:`) for the `busybox`
 image:
 
-```bash
+```console
 $ docker history --format "{{.ID}}: {{.CreatedSince}}" busybox
 
 f6e427c148a7: 4 weeks ago

docs/reference/commandline/image_prune.md

@@ -26,7 +26,7 @@ Remove all dangling images. If `-a` is specified, will also remove all images no
 
 Example output:
 
-```bash
+```console
 $ docker image prune -a
 
 WARNING! This will remove all images without at least one container associated to them.
@@ -101,7 +101,7 @@ images without the specified labels.
 
 The following removes images created before `2017-01-04T00:00:00`:
 
-```bash
+```console
 $ docker images --format 'table {{.Repository}}\t{{.Tag}}\t{{.ID}}\t{{.CreatedAt}}\t{{.Size}}'
 REPOSITORY          TAG                 IMAGE ID            CREATED AT                      SIZE
 foo                 latest              2f287ac753da        2017-01-04 13:42:23 -0800 PST   3.98 MB
@@ -128,7 +128,7 @@ foo                 latest              2f287ac753da        2017-01-04 13:42:23
 
 The following removes images created more than 10 days (`240h`) ago:
 
-```bash
+```console
 $ docker images
 
 REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
@@ -168,25 +168,25 @@ busybox             latest              e02e811dd08f        2 months ago
 
 The following example removes images with the label `deprecated`:
 
-```bash
+```console
 $ docker image prune --filter="label=deprecated"
 ```
 
 The following example removes images with the label `maintainer` set to `john`:
 
-```bash
+```console
 $ docker image prune --filter="label=maintainer=john"
 ```
 
 This example removes images which have no `maintainer` label:
 
-```bash
+```console
 $ docker image prune --filter="label!=maintainer"
 ```
 
 This example removes images which have a maintainer label not set to `john`:
 
-```bash
+```console
 $ docker image prune --filter="label!=maintainer=john"
 ```
 

docs/reference/commandline/images.md

@@ -48,7 +48,7 @@ uses up the `SIZE` listed only once.
 
 ### List the most recently created images
 
-```bash
+```console
 $ docker images
 
 REPOSITORY                TAG                 IMAGE ID            CREATED             SIZE
@@ -72,7 +72,7 @@ given repository.
 
 For example, to list all images in the "java" repository, run this command :
 
-```bash
+```console
 $ docker images java
 
 REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
@@ -88,7 +88,7 @@ If both `REPOSITORY` and `TAG` are provided, only images matching that
 repository and tag are listed.  To find all local images in the "java"
 repository with tag "8" you can use:
 
-```bash
+```console
 $ docker images java:8
 
 REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
@@ -97,7 +97,7 @@ java                8                   308e519aac60        6 days ago
 
 If nothing matches `REPOSITORY[:TAG]`, the list is empty.
 
-```bash
+```console
 $ docker images java:0
 
 REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
@@ -105,7 +105,7 @@ REPOSITORY          TAG                 IMAGE ID            CREATED
 
 ### List the full length image IDs
 
-```bash
+```console
 $ docker images --no-trunc
 
 REPOSITORY                    TAG                 IMAGE ID                                                                  CREATED             SIZE
@@ -127,7 +127,7 @@ called a `digest`. As long as the input used to generate the image is
 unchanged, the digest value is predictable. To list image digest values, use
 the `--digests` flag:
 
-```bash
+```console
 $ docker images --digests
 REPOSITORY                         TAG                 DIGEST                                                                    IMAGE ID            CREATED             SIZE
 localhost:5000/test/busybox        <none>              sha256:cbbf2f9a99b47fc460d422812b6a5adff7dfee951d8fa2e4a98caa0382cfbdbf   4986bf8c1536        9 weeks ago         2.43 MB
@@ -153,7 +153,7 @@ The currently supported filters are:
 
 #### Show untagged images (dangling)
 
-```bash
+```console
 $ docker images --filter "dangling=true"
 
 REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
@@ -173,7 +173,7 @@ using it. By having this flag it allows for batch cleanup.
 
 You can use this in conjunction with `docker rmi ...`:
 
-```bash
+```console
 $ docker rmi $(docker images -f "dangling=true" -q)
 
 8abc22fbb042
@@ -194,7 +194,7 @@ value.
 
 The following filter matches images with the `com.example.version` label regardless of its value.
 
-```bash
+```console
 $ docker images --filter "label=com.example.version"
 
 REPOSITORY          TAG                 IMAGE ID            CREATED              SIZE
@@ -204,7 +204,7 @@ match-me-2          latest              dea752e4e117        About a minute ago
 
 The following filter matches images with the `com.example.version` label with the `1.0` value.
 
-```bash
+```console
 $ docker images --filter "label=com.example.version=1.0"
 
 REPOSITORY          TAG                 IMAGE ID            CREATED              SIZE
@@ -213,7 +213,7 @@ match-me            latest              511136ea3c5a        About a minute ago
 
 In this example, with the `0.1` value, it returns an empty set because no matches were found.
 
-```bash
+```console
 $ docker images --filter "label=com.example.version=0.1"
 REPOSITORY          TAG                 IMAGE ID            CREATED              SIZE
 ```
@@ -223,7 +223,7 @@ REPOSITORY          TAG                 IMAGE ID            CREATED
 The `before` filter shows only images created before the image with
 given id or reference. For example, having these images:
 
-```bash
+```console
 $ docker images
 
 REPOSITORY          TAG                 IMAGE ID            CREATED              SIZE
@@ -234,7 +234,7 @@ image3              latest              511136ea3c5a        25 minutes ago
 
 Filtering with `before` would give:
 
-```bash
+```console
 $ docker images --filter "before=image1"
 
 REPOSITORY          TAG                 IMAGE ID            CREATED              SIZE
@@ -244,7 +244,7 @@ image3              latest              511136ea3c5a        25 minutes ago
 
 Filtering with `since` would give:
 
-```bash
+```console
 $ docker images --filter "since=image3"
 REPOSITORY          TAG                 IMAGE ID            CREATED              SIZE
 image1              latest              eeae25ada2aa        4 minutes ago        188.3 MB
@@ -256,7 +256,7 @@ image2              latest              dea752e4e117        9 minutes ago
 The `reference` filter shows only images whose reference matches
 the specified pattern.
 
-```bash
+```console
 $ docker images
 
 REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
@@ -268,7 +268,7 @@ busybox             glibc               21c16b6787c6        5 weeks ago
 
 Filtering with `reference` would give:
 
-```bash
+```console
 $ docker images --filter=reference='busy*:*libc'
 
 REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
@@ -278,7 +278,7 @@ busybox             glibc               21c16b6787c6        5 weeks ago
 
 Filtering with multiple `reference` would give, either match A or B:
 
-```bash
+```console
 $ docker images --filter=reference='busy*:uclibc' --filter=reference='busy*:glibc'
 
 REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
@@ -310,7 +310,7 @@ output the data exactly as the template declares or, when using the
 The following example uses a template without headers and outputs the
 `ID` and `Repository` entries separated by a colon (`:`) for all images:
 
-```bash
+```console
 $ docker images --format "{{.ID}}: {{.Repository}}"
 
 77af4d6b9913: <none>
@@ -327,7 +327,7 @@ b6fa739cedf5: committ
 To list all images with their repository and tag in a table format you
 can use:
 
-```bash
+```console
 $ docker images --format "table {{.ID}}\t{{.Repository}}\t{{.Tag}}"
 
 IMAGE ID            REPOSITORY                TAG

docs/reference/commandline/import.md

@@ -39,39 +39,39 @@ Supported `Dockerfile` instructions:
 
 This will create a new untagged image.
 
-```bash
-$ docker import http://example.com/exampleimage.tgz
+```console
+$ docker import https://example.com/exampleimage.tgz
 ```
 
 ### Import from a local file
 
-- Import to docker via pipe and `STDIN`.
+Import to docker via pipe and `STDIN`.
 
-  ```bash
-  $ cat exampleimage.tgz | docker import - exampleimagelocal:new
-  ```
+```console
+$ cat exampleimage.tgz | docker import - exampleimagelocal:new
+```
 
-- Import with a commit message.
+Import with a commit message.
 
-  ```bash
-  $ cat exampleimage.tgz | docker import --message "New image imported from tarball" - exampleimagelocal:new
-  ```
+```console
+$ cat exampleimage.tgz | docker import --message "New image imported from tarball" - exampleimagelocal:new
+```
 
-- Import to docker from a local archive.
+Import to docker from a local archive.
 
-  ```bash
-  $ docker import /path/to/exampleimage.tgz
-  ```
+```console
+$ docker import /path/to/exampleimage.tgz
+```
 
 ### Import from a local directory
 
-```bash
+```console
 $ sudo tar -c . | docker import - exampleimagedir
 ```
 
 ### Import from a local directory with new configurations
 
-```bash
+```console
 $ sudo tar -c . | docker import --change "ENV DEBUG=true" - exampleimagedir
 ```
 
@@ -87,6 +87,6 @@ does not match the default operating system, it may be necessary to add
 `--platform`. This would be necessary when importing a Linux image into a Windows
 daemon.
 
-```bash
+```console
 $ docker import --platform=linux .\linuximage.tar
 ```

docs/reference/commandline/info.md

@@ -24,7 +24,7 @@ The number of images shown is the number of unique images. The same image tagged
 under different names is counted only once.
 
 If a format is specified, the given template will be executed instead of the
-default format. Go's [text/template](http://golang.org/pkg/text/template/) package
+default format. Go's [text/template](https://golang.org/pkg/text/template/) package
 describes all the details of the format.
 
 Depending on the storage driver in use, additional information can be shown, such
@@ -44,8 +44,9 @@ The example below shows the output for a daemon running on Red Hat Enterprise Li
 using the `devicemapper` storage driver. As can be seen in the output, additional
 information about the `devicemapper` storage driver is shown:
 
-```bash
+```console
 $ docker info
+
 Client:
  Context:    default
  Debug Mode: false
@@ -104,8 +105,9 @@ Server:
 Here is a sample output for a daemon running on Ubuntu, using the overlay2
 storage driver and a node that is part of a 2-node swarm:
 
-```bash
-$ docker -D info
+```console
+$ docker --debug info
+
 Client:
  Context:    default
  Debug Mode: true
@@ -194,7 +196,7 @@ The global `-D` option causes all `docker` commands to output debug information.
 
 You can also specify the output format:
 
-```bash
+```console
 $ docker info --format '{{json .}}'
 
 {"ID":"I54V:OLXT:HVMM:TPKO:JPHQ:CQCD:JNLC:O3BZ:4ZVJ:43XJ:PFHZ:6N2S","Containers":14, ...}

docs/reference/commandline/inspect.md

@@ -29,7 +29,7 @@ By default, `docker inspect` will render results in a JSON array.
 
 If a format is specified, the given template will be executed for each result.
 
-Go's [text/template](http://golang.org/pkg/text/template/) package
+Go's [text/template](https://golang.org/pkg/text/template/) package
 describes all the details of the format.
 
 ## Specify target type (--type)
@@ -45,7 +45,7 @@ option.
 
 The following example inspects a _volume_ named "myvolume"
 
-```bash
+```console
 $ docker inspect --type=volume myvolume
 ```
 
@@ -56,25 +56,25 @@ $ docker inspect --type=volume myvolume
 For the most part, you can pick out any field from the JSON in a fairly
 straightforward manner.
 
-```bash
+```console
 $ docker inspect --format='{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' $INSTANCE_ID
 ```
 
 ### Get an instance's MAC address
 
-```bash
+```console
 $ docker inspect --format='{{range .NetworkSettings.Networks}}{{.MacAddress}}{{end}}' $INSTANCE_ID
 ```
 
 ### Get an instance's log path
 
-```bash
+```console
 $ docker inspect --format='{{.LogPath}}' $INSTANCE_ID
 ```
 
 ### Get an instance's image name
 
-```bash
+```console
 $ docker inspect --format='{{.Config.Image}}' $INSTANCE_ID
 ```
 
@@ -83,7 +83,7 @@ $ docker inspect --format='{{.Config.Image}}' $INSTANCE_ID
 You can loop over arrays and maps in the results to produce simple text
 output:
 
-```bash
+```console
 $ docker inspect --format='{{range $p, $conf := .NetworkSettings.Ports}} {{$p}} -> {{(index $conf 0).HostPort}} {{end}}' $INSTANCE_ID
 ```
 
@@ -97,7 +97,7 @@ numeric public port, you use `index` to find the specific port map, and
 then `index` 0 contains the first object inside of that. Then we ask for
 the `HostPort` field to get the public address.
 
-```bash
+```console
 $ docker inspect --format='{{(index (index .NetworkSettings.Ports "8787/tcp") 0).HostPort}}' $INSTANCE_ID
 ```
 
@@ -108,6 +108,6 @@ fields, by default you get a Go-style dump of the inner values.
 Docker adds a template function, `json`, which can be applied to get
 results in JSON format.
 
-```bash
+```console
 $ docker inspect --format='{{json .Config}}' $INSTANCE_ID
 ```

docs/reference/commandline/kill.md

@@ -20,8 +20,18 @@ Options:
 
 The `docker kill` subcommand kills one or more containers. The main process
 inside the container is sent `SIGKILL` signal (default), or the signal that is
-specified with the `--signal` option. You can kill a container using the
-container's ID, ID-prefix, or name.
+specified with the `--signal` option. You can reference a container by its
+ID, ID-prefix, or name.
+
+The `--signal` (or `-s` shorthand) flag sets the system call signal that is sent
+to the container. This signal can be a signal name in the format `SIG<NAME>`, for
+instance `SIGINT`, or an unsigned number that matches a position in the kernel's
+syscall table, for instance `2`.
+
+While the default (`SIGKILL`) signal will terminate the container, the signal
+set through `--signal` may be non-terminal, depending on the container's main
+process. For example, the `SIGHUP` signal in most cases will be non-terminal,
+and the container will continue running after receiving the signal.
 
 > **Note**
 >
@@ -32,21 +42,21 @@ container's ID, ID-prefix, or name.
 ## Examples
 
 
-### Send a KILL signal  to a container
+### Send a KILL signal to a container
 
-The following example sends the default `KILL` signal to the container named
+The following example sends the default `SIGKILL` signal to the container named
 `my_container`:
 
-```bash
+```console
 $ docker kill my_container
 ```
 
-### Send a custom signal  to a container
+### Send a custom signal to a container
 
 The following example sends a `SIGHUP` signal to the container named
 `my_container`:
 
-```bash
+```console
 $ docker kill --signal=SIGHUP  my_container
 ```
 
@@ -54,11 +64,11 @@ $ docker kill --signal=SIGHUP  my_container
 You can specify a custom signal either by _name_, or _number_. The `SIG` prefix
 is optional, so the following examples are equivalent:
 
-```bash
+```console
 $ docker kill --signal=SIGHUP my_container
 $ docker kill --signal=HUP my_container
 $ docker kill --signal=1 my_container
 ```
 
-Refer to the [`signal(7)`](http://man7.org/linux/man-pages/man7/signal.7.html)
+Refer to the [`signal(7)`](https://man7.org/linux/man-pages/man7/signal.7.html)
 man-page for a list of standard Linux signals.

docs/reference/commandline/load.md

@@ -18,6 +18,7 @@ Options:
                        The tarball may be compressed with gzip, bzip, or xz
   -q, --quiet          Suppress the load output but still outputs the imported images
 ```
+
 ## Description
 
 Load an image or repository from a tar archive (even if compressed with gzip,
@@ -25,7 +26,7 @@ bzip2, or xz) from a file or STDIN. It restores both images and tags.
 
 ## Examples
 
-```bash
+```console
 $ docker image ls
 
 REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE

docs/reference/commandline/login.md

@@ -30,7 +30,7 @@ Login to a registry.
 If you want to login to a self-hosted registry you can specify this by
 adding the server name.
 
-```bash
+```console
 $ docker login localhost:8080
 ```
 
@@ -44,7 +44,7 @@ or log-files.
 The following example reads a password from a file, and passes it to the
 `docker login` command using `STDIN`:
 
-```bash
+```console
 $ cat ~/my_password.txt | docker login --username foo --password-stdin
 ```
 

docs/reference/commandline/logout.md

@@ -18,7 +18,7 @@ Options:
 
 ## Examples
 
-```bash
+```console
 $ docker logout localhost:8080
 ```
 

docs/reference/commandline/logs.md

@@ -67,7 +67,7 @@ fraction of a second no more than nine digits long. You can combine the
 
 In order to retrieve logs before a specific point in time, run:
 
-```bash
+```console
 $ docker run --name test -d busybox sh -c "while true; do $(echo date); sleep 1; done"
 $ date
 Tue 14 Nov 2017 16:40:00 CET

docs/reference/commandline/manifest.md

@@ -40,8 +40,8 @@ to two images -- one for windows on amd64, and one for darwin on amd64.
 
 ### manifest inspect
 
-```bash
-manifest inspect --help
+```console
+$ docker manifest inspect --help
 
 Usage:  docker manifest inspect [OPTIONS] [MANIFEST_LIST] MANIFEST
 
@@ -55,7 +55,7 @@ Options:
 
 ### manifest create
 
-```bash
+```console
 Usage:  docker manifest create MANIFEST_LIST MANIFEST [MANIFEST...]
 
 Create a local manifest list for annotating and pushing to a registry
@@ -68,7 +68,7 @@ Options:
 
 ### manifest annotate
 
-```bash
+```console
 Usage:  docker manifest annotate [OPTIONS] MANIFEST_LIST MANIFEST
 
 Add additional information to a local image manifest
@@ -85,7 +85,7 @@ Options:
 
 ### manifest push
 
-```bash
+```console
 Usage:  docker manifest push [OPTIONS] MANIFEST_LIST
 
 Push a manifest list to a repository
@@ -113,7 +113,7 @@ default requirements.
 
 ### Inspect an image's manifest object
 
-```bash
+```console
 $ docker manifest inspect hello-world
 {
         "schemaVersion": 2,
@@ -143,7 +143,7 @@ without a tag, or by digest (e.g. `hello-world@sha256:f3b3b28a45160805bb16542c95
 
 Here is an example of inspecting an image's manifest with the `--verbose` flag:
 
-```bash
+```console
 $ docker manifest inspect --verbose hello-world
 {
         "Ref": "docker.io/library/hello-world:latest",
@@ -187,7 +187,7 @@ After you have created your local copy of the manifest list, you may optionally
 Finally, you need to `push` your manifest list to the desired registry. Below are
 descriptions of these three commands, and an example putting them all together.
 
-```bash
+```console
 $ docker manifest create 45.55.81.106:5000/coolapp:v1 \
     45.55.81.106:5000/coolapp-ppc64le-linux:v1 \
     45.55.81.106:5000/coolapp-arm-linux:v1 \
@@ -197,11 +197,11 @@ $ docker manifest create 45.55.81.106:5000/coolapp:v1 \
 Created manifest list 45.55.81.106:5000/coolapp:v1
 ```
 
-```bash
+```console
 $ docker manifest annotate 45.55.81.106:5000/coolapp:v1 45.55.81.106:5000/coolapp-arm-linux --arch arm
 ```
 
-```bash
+```console
 $ docker manifest push 45.55.81.106:5000/coolapp:v1
 Pushed manifest 45.55.81.106:5000/coolapp@sha256:9701edc932223a66e49dd6c894a11db8c2cf4eccd1414f1ec105a623bf16b426 with digest: sha256:f67dcc5fc786f04f0743abfe0ee5dae9bd8caf8efa6c8144f7f2a43889dc513b
 Pushed manifest 45.55.81.106:5000/coolapp@sha256:f3b3b28a45160805bb16542c9531888519430e9e6d6ffc09d72261b0d26ff74f with digest: sha256:b64ca0b60356a30971f098c92200b1271257f100a55b351e6bbe985638352f3a
@@ -213,7 +213,7 @@ sha256:050b213d49d7673ba35014f21454c573dcbec75254a08f4a7c34f66a47c06aba
 
 ### Inspect a manifest list
 
-```bash
+```console
 $ docker manifest inspect coolapp:v1
 {
    "schemaVersion": 2,
@@ -264,7 +264,7 @@ $ docker manifest inspect coolapp:v1
 Here is an example of creating and pushing a manifest list using a known
 insecure registry.
 
-```bash
+```console
 $ docker manifest create --insecure myprivateregistry.mycompany.com/repo/image:1.0 \
     myprivateregistry.mycompany.com/repo/image-linux-ppc64le:1.0 \
     myprivateregistry.mycompany.com/repo/image-linux-s390x:1.0 \

docs/reference/commandline/network_connect.md

@@ -30,7 +30,7 @@ the same network.
 
 ### Connect a running container to a network
 
-```bash
+```console
 $ docker network connect multi-host-network container1
 ```
 
@@ -38,7 +38,7 @@ $ docker network connect multi-host-network container1
 
 You can also use the `docker run --network=<network-name>` option to start a container and immediately connect it to a network.
 
-```bash
+```console
 $ docker run -itd --network=multi-host-network busybox
 ```
 
@@ -46,7 +46,7 @@ $ docker run -itd --network=multi-host-network busybox
 
 You can specify the IP address you want to be assigned to the container's interface.
 
-```bash
+```console
 $ docker network connect --ip 10.10.36.122 multi-host-network container2
 ```
 
@@ -54,7 +54,7 @@ $ docker network connect --ip 10.10.36.122 multi-host-network container2
 
 You can use `--link` option to link another container with a preferred alias
 
-```bash
+```console
 $ docker network connect --link container1:c1 multi-host-network container2
 ```
 
@@ -63,7 +63,7 @@ $ docker network connect --link container1:c1 multi-host-network container2
 `--alias` option can be used to resolve the container by another name in the network
 being connected to.
 
-```bash
+```console
 $ docker network connect --alias db --alias mysql multi-host-network container2
 ```
 
@@ -79,11 +79,11 @@ to specify an `--ip-range` when creating the network, and choose the static IP
 address(es) from outside that range. This ensures that the IP address is not
 given to another container while this container is not on the network.
 
-```bash
+```console
 $ docker network create --subnet 172.20.0.0/16 --ip-range 172.20.240.0/20 multi-host-network
 ```
 
-```bash
+```console
 $ docker network connect --ip 172.20.128.2 multi-host-network container2
 ```
 

docs/reference/commandline/network_create.md

@@ -45,7 +45,7 @@ on. When you launch a new container with  `docker run` it automatically connects
 this bridge network. You cannot remove this default bridge network, but you can
 create new ones using the `network create` command.
 
-```bash
+```console
 $ docker network create -d bridge my-bridge-network
 ```
 
@@ -75,7 +75,7 @@ discovery and server management tools that can assist your implementation.
 Once you have prepared the `overlay` network prerequisites you simply choose a
 Docker host in the cluster and issue the following to create the network:
 
-```bash
+```console
 $ docker network create -d overlay my-multihost-network
 ```
 
@@ -102,7 +102,7 @@ for more information about different endpoint modes.
 When you start a container, use the `--network` flag to connect it to a network.
 This example adds the `busybox` container to the `mynet` network:
 
-```bash
+```console
 $ docker run -itd --network=mynet busybox
 ```
 
@@ -126,14 +126,14 @@ network. It is purely for ip-addressing purposes. You can override this default
 and specify subnetwork values directly using the `--subnet` option. On a
 `bridge` network you can only create a single subnet:
 
-```bash
+```console
 $ docker network create --driver=bridge --subnet=192.168.0.0/16 br0
 ```
 
 Additionally, you also specify the `--gateway` `--ip-range` and `--aux-address`
 options.
 
-```bash
+```console
 $ docker network create \
   --driver=bridge \
   --subnet=172.28.0.0/16 \
@@ -148,7 +148,7 @@ support it you can create multiple subnetworks. This example uses two `/25`
 subnet mask to adhere to the current guidance of not having more than 256 IPs in
 a single overlay network. Each of the subnetworks has 126 usable addresses.
 
-```bash
+```console
 $ docker network create -d overlay \
   --subnet=192.168.10.0/25 \
   --subnet=192.168.20.0/25 \
@@ -175,7 +175,7 @@ equivalent docker daemon flags used for docker0 bridge:
 | `com.docker.network.bridge.enable_icc`           | `--icc`     | Enable or Disable Inter Container Connectivity        |
 | `com.docker.network.bridge.host_binding_ipv4`    | `--ip`      | Default IP when binding container ports               |
 | `com.docker.network.driver.mtu`                  | `--mtu`     | Set the containers network MTU                        |
-| `com.docker.network.container_interface_prefix`  | -           | Set a custom prefix for container interfaces          |
+| `com.docker.network.container_iface_prefix`      | -           | Set a custom prefix for container interfaces          |
 
 The following arguments can be passed to `docker network create` for any
 network driver, again with their approximate equivalents to `docker daemon`.
@@ -191,7 +191,7 @@ network driver, again with their approximate equivalents to `docker daemon`.
 For example, let's use `-o` or `--opt` options to specify an IP address binding
 when publishing ports:
 
-```bash
+```console
 $ docker network create \
     -o "com.docker.network.bridge.host_binding_ipv4"="172.19.0.1" \
     simple-network
@@ -212,7 +212,7 @@ one ingress network can be created at the time. The network can be removed only
 if no services depend on it. Any option available when creating an overlay network
 is also available when creating the ingress network, besides the `--attachable` option.
 
-```bash
+```console
 $ docker network create -d overlay \
   --subnet=10.11.0.0/16 \
   --ingress \

docs/reference/commandline/network_disconnect.md

@@ -23,7 +23,7 @@ disconnect it from the network.
 
 ## Examples
 
-```bash
+```console
 $ docker network disconnect multi-host-network container1
 ```
 

docs/reference/commandline/network_inspect.md

@@ -27,7 +27,7 @@ all results in a JSON object.
 
 Connect two containers to the default `bridge` network:
 
-```bash
+```console
 $ sudo docker run -itd --name=container1 busybox
 f2870c98fd504370fb86e59f32cd0753b1ac9b69b7d80566ffc7192a82b3ed27
 
@@ -44,10 +44,10 @@ node are shown.
 
 You can specify an alternate format to execute a given
 template for each result. Go's
-[text/template](http://golang.org/pkg/text/template/) package describes all the
+[text/template](https://golang.org/pkg/text/template/) package describes all the
 details of the format.
 
-```bash
+```console
 $ sudo docker network inspect bridge
 ```
 
@@ -104,13 +104,13 @@ The output is in JSON format, for example:
 
 Create and inspect a user-defined network:
 
-```bash
+```console
 $ docker network create simple-network
 
 69568e6336d8c96bbf57869030919f7c69524f71183b44d80948bd3927c87f6a
 ```
 
-```bash
+```console
 $ docker network inspect simple-network
 ```
 
@@ -146,7 +146,7 @@ For swarm mode overlay networks `network inspect` also shows the IP address and
 of the peers. Peers are the nodes in the swarm cluster which have at least one task attached
 to the network. Node name is of the format `<hostname>-<unique ID>`.
 
-```bash
+```console
 $ docker network inspect ingress
 ```
 
@@ -213,7 +213,7 @@ and the IPs of the nodes where the tasks are running.
 Following is an example output for an overlay network `ov1` that has one service `s1`
 attached to. service `s1` in this case has three replicas.
 
-```bash
+```console
 $ docker network inspect --verbose ov1
 ```
 

docs/reference/commandline/network_ls.md

@@ -31,8 +31,8 @@ networks that span across multiple hosts in a cluster.
 
 ### List all networks
 
-```bash
-$ sudo docker network ls
+```console
+$ docker network ls
 NETWORK ID          NAME                DRIVER          SCOPE
 7fca4eb8c647        bridge              bridge          local
 9f904ee27bf5        none                null            local
@@ -42,7 +42,7 @@ cf03ee007fb4        host                host            local
 
 Use the `--no-trunc` option to display the full network id:
 
-```bash
+```console
 $ docker network ls --no-trunc
 NETWORK ID                                                         NAME                DRIVER           SCOPE
 18a2866682b85619a026c81b98a5e375bd33e1b0936a26cc497c283d27bae9b3   none                null             local
@@ -74,7 +74,7 @@ The `driver` filter matches networks based on their driver.
 
 The following example matches networks with the `bridge` driver:
 
-```bash
+```console
 $ docker network ls --filter driver=bridge
 NETWORK ID          NAME                DRIVER            SCOPE
 db9db329f835        test1               bridge            local
@@ -88,7 +88,7 @@ The `id` filter matches on all or part of a network's ID.
 The following filter matches all networks with an ID containing the
 `63d1ff1f77b0...` string.
 
-```bash
+```console
 $ docker network ls --filter id=63d1ff1f77b07ca51070a8c227e962238358bd310bde1529cf62e6c307ade161
 NETWORK ID          NAME                DRIVER           SCOPE
 63d1ff1f77b0        dev                 bridge           local
@@ -96,7 +96,7 @@ NETWORK ID          NAME                DRIVER           SCOPE
 
 You can also filter for a substring in an ID as this shows:
 
-```bash
+```console
 $ docker network ls --filter id=95e74588f40d
 NETWORK ID          NAME                DRIVER          SCOPE
 95e74588f40d        foo                 bridge          local
@@ -113,7 +113,7 @@ value.
 
 The following filter matches networks with the `usage` label regardless of its value.
 
-```bash
+```console
 $ docker network ls -f "label=usage"
 NETWORK ID          NAME                DRIVER         SCOPE
 db9db329f835        test1               bridge         local
@@ -122,7 +122,7 @@ f6e212da9dfd        test2               bridge         local
 
 The following filter matches networks with the `usage` label with the `prod` value.
 
-```bash
+```console
 $ docker network ls -f "label=usage=prod"
 NETWORK ID          NAME                DRIVER        SCOPE
 f6e212da9dfd        test2               bridge        local
@@ -134,7 +134,7 @@ The `name` filter matches on all or part of a network's name.
 
 The following filter matches all networks with a name containing the `foobar` string.
 
-```bash
+```console
 $ docker network ls --filter name=foobar
 NETWORK ID          NAME                DRIVER       SCOPE
 06e7eef0a170        foobar              bridge       local
@@ -142,7 +142,7 @@ NETWORK ID          NAME                DRIVER       SCOPE
 
 You can also filter for a substring in a name as this shows:
 
-```bash
+```console
 $ docker network ls --filter name=foo
 NETWORK ID          NAME                DRIVER       SCOPE
 95e74588f40d        foo                 bridge       local
@@ -155,7 +155,7 @@ The `scope` filter matches networks based on their scope.
 
 The following example matches networks with the `swarm` scope:
 
-```bash
+```console
 $ docker network ls --filter scope=swarm
 NETWORK ID          NAME                DRIVER              SCOPE
 xbtm0v4f1lfh        ingress             overlay             swarm
@@ -164,7 +164,7 @@ ic6r88twuu92        swarmnet            overlay             swarm
 
 The following example matches networks with the `local` scope:
 
-```bash
+```console
 $ docker network ls --filter scope=local
 NETWORK ID          NAME                DRIVER              SCOPE
 e85227439ac7        bridge              bridge              local
@@ -180,7 +180,7 @@ The `type` filter supports two values; `builtin` displays predefined networks
 
 The following filter matches all user defined networks:
 
-```bash
+```console
 $ docker network ls --filter type=custom
 NETWORK ID          NAME                DRIVER       SCOPE
 95e74588f40d        foo                 bridge       local
@@ -190,7 +190,7 @@ NETWORK ID          NAME                DRIVER       SCOPE
 By having this flag it allows for batch cleanup. For example, use this filter
 to delete all user defined networks:
 
-```bash
+```console
 $ docker network rm `docker network ls --filter type=custom -q`
 ```
 
@@ -223,7 +223,7 @@ output the data exactly as the template declares or, when using the
 The following example uses a template without headers and outputs the
 `ID` and `Driver` entries separated by a colon (`:`) for all networks:
 
-```bash
+```console
 $ docker network ls --format "{{.ID}}: {{.Driver}}"
 afaaab448eb2: bridge
 d1584f8dc718: host

docs/reference/commandline/network_prune.md

@@ -24,7 +24,7 @@ by any containers.
 
 ## Examples
 
-```bash
+```console
 $ docker network prune
 
 WARNING! This will remove all custom networks not used by at least one container.
@@ -64,7 +64,7 @@ networks without the specified labels.
 The following removes networks created more than 5 minutes ago. Note that
 system networks such as `bridge`, `host`, and `none` will never be pruned:
 
-```bash
+```console
 $ docker network ls
 
 NETWORK ID          NAME                DRIVER              SCOPE

docs/reference/commandline/network_rm.md

@@ -29,8 +29,8 @@ you must first disconnect any containers connected to it.
 
 To remove the network named 'my-network':
 
-```bash
-  $ docker network rm my-network
+```console
+$ docker network rm my-network
 ```
 
 ### Remove multiple networks
@@ -39,8 +39,8 @@ To delete multiple networks in a single `docker network rm` command, provide
 multiple network names or ids. The following example deletes a network with id
 `3695c422697f` and a network named `my-network`:
 
-```bash
-  $ docker network rm 3695c422697f my-network
+```console
+$ docker network rm 3695c422697f my-network
 ```
 
 When you specify multiple networks, the command attempts to delete each in turn.

docs/reference/commandline/node_demote.md

@@ -28,7 +28,7 @@ Demotes an existing manager so that it is no longer a manager.
 
 ## Examples
 
-```bash
+```console
 $ docker node demote <node name>
 ```
 

docs/reference/commandline/node_inspect.md

@@ -22,7 +22,7 @@ Options:
 Returns information about a node. By default, this command renders all results
 in a JSON array. You can specify an alternate format to execute a
 given template for each result. Go's
-[text/template](http://golang.org/pkg/text/template/) package describes all the
+[text/template](https://golang.org/pkg/text/template/) package describes all the
 details of the format.
 
 > **Note**
@@ -36,7 +36,7 @@ details of the format.
 
 ### Inspect a node
 
-```bash
+```console
 $ docker node inspect swarm-manager
 ```
 
@@ -113,7 +113,7 @@ $ docker node inspect swarm-manager
 
 ### Specify an output format
 
-```bash
+```console
 $ docker node inspect --format '{{ .ManagerStatus.Leader }}' self
 
 false
@@ -121,7 +121,7 @@ false
 
 Use `--format=pretty` or the `--pretty` shorthand to pretty-print the output:
 
-```bash
+```console
 $ docker node inspect --format=pretty self
 
 ID:                     e216jshn25ckzbvmwlnh5jr3g

docs/reference/commandline/node_ls.md

@@ -36,7 +36,7 @@ for more information about available filter options.
 
 ## Examples
 
-```bash
+```console
 $ docker node ls
 
 ID                           HOSTNAME        STATUS  AVAILABILITY  MANAGER STATUS
@@ -44,6 +44,7 @@ ID                           HOSTNAME        STATUS  AVAILABILITY  MANAGER STATU
 38ciaotwjuritcdtn9npbnkuz    swarm-worker1   Ready   Active
 e216jshn25ckzbvmwlnh5jr3g *  swarm-manager1  Ready   Active        Leader
 ```
+
 > **Note**
 >
 > In the above example output, there is a hidden column of `.Self` that indicates
@@ -69,7 +70,7 @@ The currently supported filters are:
 
 The `id` filter matches all or part of a node's id.
 
-```bash
+```console
 $ docker node ls -f id=1
 
 ID                         HOSTNAME       STATUS  AVAILABILITY  MANAGER STATUS
@@ -85,7 +86,7 @@ Swarm `node` labels, use [`node.label` instead](#nodelabel).
 
 The following filter matches nodes with the `foo` label regardless of its value.
 
-```bash
+```console
 $ docker node ls -f "label=foo"
 
 ID                         HOSTNAME       STATUS  AVAILABILITY  MANAGER STATUS
@@ -135,7 +136,7 @@ The `membership` filter matches nodes based on the presence of a `membership` an
 
 The following filter matches nodes with the `membership` of `accepted`.
 
-```bash
+```console
 $ docker node ls -f "membership=accepted"
 
 ID                           HOSTNAME        STATUS  AVAILABILITY  MANAGER STATUS
@@ -149,7 +150,7 @@ The `name` filter matches on all or part of a node hostname.
 
 The following filter matches the nodes with a name equal to `swarm-master` string.
 
-```bash
+```console
 $ docker node ls -f name=swarm-manager1
 
 ID                           HOSTNAME        STATUS  AVAILABILITY  MANAGER STATUS
@@ -162,7 +163,7 @@ The `role` filter matches nodes based on the presence of a `role` and a value `w
 
 The following filter matches nodes with the `manager` role.
 
-```bash
+```console
 $ docker node ls -f "role=manager"
 
 ID                           HOSTNAME        STATUS  AVAILABILITY  MANAGER STATUS
@@ -195,8 +196,9 @@ The following example uses a template without headers and outputs the
 `ID`, `Hostname`, and `TLS Status` entries separated by a colon (`:`) for all
 nodes:
 
-```bash
+```console
 $ docker node ls --format "{{.ID}}: {{.Hostname}} {{.TLSStatus}}"
+
 e216jshn25ckzbvmwlnh5jr3g: swarm-manager1 Ready
 35o6tiywb700jesrt3dmllaza: swarm-worker1 Needs Rotation
 ```

docs/reference/commandline/node_promote.md

@@ -28,7 +28,7 @@ Promotes a node to manager. This command can only be executed on a manager node.
 
 ## Examples
 
-```bash
+```console
 $ docker node promote <node name>
 ```
 

docs/reference/commandline/node_ps.md

@@ -36,8 +36,9 @@ information about available filter options.
 
 ## Examples
 
-```bash
+```console
 $ docker node ps swarm-manager1
+
 NAME                                IMAGE        NODE            DESIRED STATE  CURRENT STATE
 redis.1.7q92v0nr1hcgts2amcjyqg3pq   redis:3.0.6  swarm-manager1  Running        Running 5 hours
 redis.6.b465edgho06e318egmgjbqo4o   redis:3.0.6  swarm-manager1  Running        Running 29 seconds
@@ -64,7 +65,7 @@ The `name` filter matches on all or part of a task's name.
 
 The following filter matches all tasks with a name containing the `redis` string.
 
-```bash
+```console
 $ docker node ps -f name=redis swarm-manager1
 
 NAME                                IMAGE        NODE            DESIRED STATE  CURRENT STATE
@@ -79,7 +80,7 @@ redis.10.0tgctg8h8cech4w0k0gwrmr23  redis:3.0.6  swarm-manager1  Running
 
 The `id` filter matches a task's id.
 
-```bash
+```console
 $ docker node ps -f id=bg8c07zzg87di2mufeq51a2qp swarm-manager1
 
 NAME                                IMAGE        NODE            DESIRED STATE  CURRENT STATE
@@ -93,7 +94,7 @@ value.
 
 The following filter matches tasks with the `usage` label regardless of its value.
 
-```bash
+```console
 $ docker node ps -f "label=usage"
 
 NAME                               IMAGE        NODE            DESIRED STATE  CURRENT STATE
@@ -132,8 +133,9 @@ output the data exactly as the template declares or, when using the
 The following example uses a template without headers and outputs the
 `Name` and `Image` entries separated by a colon (`:`) for all tasks:
 
-```bash
+```console
 $ docker node ps --format "{{.Name}}: {{.Image}}"
+
 top.1: busybox
 top.2: busybox
 top.3: busybox

docs/reference/commandline/node_rm.md

@@ -34,11 +34,12 @@ Removes the specified nodes from a swarm.
 
 ### Remove a stopped node from the swarm
 
-```bash
+```console
 $ docker node rm swarm-node-02
 
 Node swarm-node-02 removed from swarm
 ```
+
 ### Attempt to remove a running node from a swarm
 
 Removes the specified nodes from the swarm, but only if the nodes are in the
@@ -58,7 +59,7 @@ compromised or is not behaving as expected, you can use the `--force` option.
 This may cause transient errors or interruptions, depending on the type of task
 being run on the node.
 
-```bash
+```console
 $ docker node rm --force swarm-node-03
 
 Node swarm-node-03 removed from swarm

docs/reference/commandline/node_update.md

@@ -43,7 +43,7 @@ $ docker node update --label-add foo worker1
 
 To add multiple labels to a node, pass the `--label-add` flag for each label:
 
-```bash
+```console
 $ docker node update --label-add foo --label-add bar worker1
 ```
 

docs/reference/commandline/pause.md

@@ -30,7 +30,7 @@ for further details.
 
 ## Examples
 
-```bash
+```console
 $ docker pause my_container
 ```
 

docs/reference/commandline/plugin_create.md

@@ -25,7 +25,7 @@ Creates a plugin. Before creating the plugin, prepare the plugin's root filesyst
 
 The following example shows how to create a sample `plugin`.
 
-```bash
+```console
 $ ls -ls /home/pluginDir
 
 total 4

docs/reference/commandline/plugin_disable.md

@@ -27,7 +27,7 @@ a plugin that has references (e.g., volumes, networks) cannot be disabled.
 The following example shows that the `sample-volume-plugin` plugin is installed
 and enabled:
 
-```bash
+```console
 $ docker plugin ls
 
 ID            NAME                                    DESCRIPTION                ENABLED
@@ -36,7 +36,7 @@ ID            NAME                                    DESCRIPTION
 
 To disable the plugin, use the following command:
 
-```bash
+```console
 $ docker plugin disable tiborvass/sample-volume-plugin
 
 tiborvass/sample-volume-plugin

docs/reference/commandline/plugin_enable.md

@@ -26,7 +26,7 @@ see [`docker plugin install`](plugin_install.md).
 The following example shows that the `sample-volume-plugin` plugin is installed,
 but disabled:
 
-```bash
+```console
 $ docker plugin ls
 
 ID            NAME                                    DESCRIPTION                ENABLED
@@ -35,7 +35,7 @@ ID            NAME                                    DESCRIPTION
 
 To enable the plugin, use the following command:
 
-```bash
+```console
 $ docker plugin enable tiborvass/sample-volume-plugin
 
 tiborvass/sample-volume-plugin

docs/reference/commandline/plugin_inspect.md

@@ -27,7 +27,7 @@ in a JSON array.
 
 The following example example inspects the `tiborvass/sample-volume-plugin` plugin:
 
-```bash
+```console
 $ docker plugin inspect tiborvass/sample-volume-plugin:latest
 ```
 
@@ -144,7 +144,7 @@ Output is in JSON format (output below is formatted for readability):
 
 ### Formatting the output
 
-```bash
+```console
 $ docker plugin inspect -f '{{.Id}}' tiborvass/sample-volume-plugin:latest
 
 8c74c978c434745c3ade82f1bc0acf38d04990eaf494fa507c16d9f1daa99c21

docs/reference/commandline/plugin_install.md

@@ -33,7 +33,7 @@ The following example installs `vieus/sshfs` plugin and [sets](plugin_set.md) it
 Hub and prompt the user to accept the list of privileges that the plugin needs,
 set the plugin's parameters and enable the plugin.
 
-```bash
+```console
 $ docker plugin install vieux/sshfs DEBUG=1
 
 Plugin "vieux/sshfs" is requesting the following privileges:
@@ -46,7 +46,7 @@ vieux/sshfs
 
 After the plugin is installed, it appears in the list of plugins:
 
-```bash
+```console
 $ docker plugin ls
 
 ID             NAME                  DESCRIPTION                ENABLED

docs/reference/commandline/plugin_ls.md

@@ -31,7 +31,7 @@ Refer to the [filtering](#filtering) section for more information about availabl
 
 ## Examples
 
-```bash
+```console
 $ docker plugin ls
 
 ID            NAME                                    DESCRIPTION                ENABLED
@@ -58,7 +58,7 @@ The `capability` filter matches on plugin capabilities. One plugin
 might have multiple capabilities. Currently `volumedriver`, `networkdriver`,
 `ipamdriver`, `logdriver`, `metricscollector`, and `authz` are supported capabilities.
 
-```bash
+```console
 $ docker plugin install --disable vieux/sshfs
 
 Installed plugin vieux/sshfs
@@ -90,7 +90,7 @@ output the data exactly as the template declares or, when using the
 The following example uses a template without headers and outputs the
 `ID` and `Name` entries separated by a colon (`:`) for all plugins:
 
-```bash
+```console
 $ docker plugin ls --format "{{.ID}}: {{.Name}}"
 
 4be01827a72e: vieux/sshfs:latest

docs/reference/commandline/plugin_push.md

@@ -26,7 +26,7 @@ Registry credentials are managed by [docker login](login.md).
 
 The following example shows how to push a sample `user/plugin`.
 
-```bash
+```console
 $ docker plugin ls
 
 ID             NAME                    DESCRIPTION                  ENABLED