diff --git a/components/engine/api/server/router/build/build_routes.go b/components/engine/api/server/router/build/build_routes.go
index 62bcf3f13d..c2a15c0ad3 100644
--- a/components/engine/api/server/router/build/build_routes.go
+++ b/components/engine/api/server/router/build/build_routes.go
@@ -231,8 +231,7 @@ func (br *buildRouter) postBuild(ctx context.Context, w http.ResponseWriter, r *
 }
 // check if the builder feature has been enabled from daemon as well.
- if buildOptions.Version == types.BuilderBuildKit &&
- (br.builderVersion != types.BuilderBuildKit || !br.daemon.HasExperimental()) {
+ if buildOptions.Version == types.BuilderBuildKit && br.builderVersion != "" && br.builderVersion != types.BuilderBuildKit {
 return errdefs.InvalidParameter(errors.New("buildkit is not enabled on daemon"))
 }
diff --git a/components/engine/api/server/router/session/session.go b/components/engine/api/server/router/session/session.go
index de6d63008a..79ddc134e7 100644
--- a/components/engine/api/server/router/session/session.go
+++ b/components/engine/api/server/router/session/session.go
@@ -24,6 +24,6 @@ func (r *sessionRouter) Routes() []router.Route {
 func (r *sessionRouter) initRoutes() {
 r.routes = []router.Route{
- router.Experimental(router.NewPostRoute("/session", r.startSession)),
+ router.NewPostRoute("/session", r.startSession),
 }
 }
diff --git a/components/engine/builder/builder-next/executor_unix.go b/components/engine/builder/builder-next/executor_unix.go
index 8ca1f85de0..44f2dfcd96 100644
--- a/components/engine/builder/builder-next/executor_unix.go
+++ b/components/engine/builder/builder-next/executor_unix.go
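Review bot: The context comment above the new condition, `// check if the builder feature has been enabled from daemon as well.`, no longer describes what the condition does: with `!br.daemon.HasExperimental()` gone and the added `br.builderVersion != ""` clause, a daemon that has not configured a builder version now accepts BuildKit requests instead of rejecting them. Suggest rewording it to `// reject BuildKit only when the daemon explicitly pinned a different builder; an unset builderVersion lets the client opt in.` so the next reader does not assume the daemon still gates the feature. The session router hunk in this commit drops the `router.Experimental` wrapper on `/session` in the same spirit, so the two are consistent. postBuild's body begins and continues outside the hunk.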
@@ -18,16 +18,13 @@ import (
 const networkName = "bridge"
-func init() {
- // FIXME: https://github.com/moby/moby/issues/37676
- runcexecutor.DisableSubReaper()
-}
-
 func newExecutor(root string, net libnetwork.NetworkController) (executor.Executor, error) {
+ // FIXME: fix bridge networking
+ _ = bridgeProvider{}
 return runcexecutor.New(runcexecutor.Opt{
 Root: filepath.Join(root, "executor"),
 CommandCandidates: []string{"docker-runc", "runc"},
- }, &bridgeProvider{NetworkController: net})
+ }, nil)
 }
 type bridgeProvider struct {
diff --git a/components/engine/daemon/cluster/executor/container/container_test.go b/components/engine/daemon/cluster/executor/container/container_test.go
index 1bf6f6cf02..5f967c2f77 100644
--- a/components/engine/daemon/cluster/executor/container/container_test.go
+++ b/components/engine/daemon/cluster/executor/container/container_test.go
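Review bot: The new `// FIXME: fix bridge networking` carries no tracking reference, and `_ = bridgeProvider{}` exists only to keep the type referenced while `nil` is passed as the network provider, which leaves `net` an unused parameter of `newExecutor`. Suggest `// FIXME(<tracking-issue>): bridge networking is disabled; a nil provider is passed until bridgeProvider works, so net is intentionally unused.` in place of the current one-liner. What network a build container receives from runcexecutor when the provider is nil is not visible here; confirm it is not an unrestricted default before this ships. Removing the `init()` that called `runcexecutor.DisableSubReaper()` also means `setSubReaper` in the vendored executor (last Go file in this diff) can now make the daemon process a subreaper via `runcsystem.SetSubreaper(1)`; presumably the issue the removed FIXME tracked is resolved, but that deserves a sentence in the commit message.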
@@ -35,3 +35,48 @@ func TestIsolationConversion(t *testing.T) {
 })
 }
 }
+
+func TestContainerLabels(t *testing.T) {
+ c := &containerConfig{
+ task: &swarmapi.Task{
+ ID: "real-task.id",
+ Spec: swarmapi.TaskSpec{
+ Runtime: &swarmapi.TaskSpec_Container{
+ Container: &swarmapi.ContainerSpec{
+ Labels: map[string]string{
+ "com.docker.swarm.task": "user-specified-task",
+ "com.docker.swarm.task.id": "user-specified-task.id",
+ "com.docker.swarm.task.name": "user-specified-task.name",
+ "com.docker.swarm.node.id": "user-specified-node.id",
+ "com.docker.swarm.service.id": "user-specified-service.id",
+ "com.docker.swarm.service.name": "user-specified-service.name",
+ "this-is-a-user-label": "this is a user label's value",
+ },
+ },
+ },
+ },
+ ServiceID: "real-service.id",
+ Slot: 123,
+ NodeID: "real-node.id",
+ Annotations: swarmapi.Annotations{
+ Name: "real-service.name.123.real-task.id",
+ },
+ ServiceAnnotations: swarmapi.Annotations{
+ Name: "real-service.name",
+ },
+ },
+ }
+
+ expected := map[string]string{
+ "com.docker.swarm.task": "",
+ "com.docker.swarm.task.id": "real-task.id",
+ "com.docker.swarm.task.name": "real-service.name.123.real-task.id",
+ "com.docker.swarm.node.id": "real-node.id",
+ "com.docker.swarm.service.id": "real-service.id",
+ "com.docker.swarm.service.name": "real-service.name",
+ "this-is-a-user-label": "this is a user label's value",
+ }
+
+ labels := c.labels()
+ assert.DeepEqual(t, expected, labels)
+}
diff --git a/components/engine/daemon/config/config.go b/components/engine/daemon/config/config.go
index 6081b5c8ed..451078d8c5 100644
--- a/components/engine/daemon/config/config.go
+++ b/components/engine/daemon/config/config.go
@@ -54,6 +54,7 @@ var flatOptions = map[string]bool{
 "log-opts": true,
 "runtimes": true,
 "default-ulimits": true,
+ "features": true,
 }
 // skipValidateOptions contains configuration keys
diff --git a/components/engine/daemon/info.go b/components/engine/daemon/info.go
index cc9ad8ac61..9dcfb95f03 100644
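Review bot: `TestContainerLabels` asserts that user-supplied `com.docker.swarm.*` labels are replaced by the task's real values, including `"com.docker.swarm.task": ""` being forced to empty, but nothing in the test states that this override is the point, so a reader may take the empty value for a typo. A one-line comment above `expected`, such as `// reserved com.docker.swarm.* labels must come from the task, never from the user-supplied ContainerSpec.Labels`, would make the intent explicit. The `c.labels()` method under test is outside this diff, so whether an empty string or an absent key is the intended result for `com.docker.swarm.task` cannot be confirmed here.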
--- a/components/engine/daemon/info.go
+++ b/components/engine/daemon/info.go
@@ -68,6 +68,7 @@ func (daemon *Daemon) SystemInfo() (*types.Info, error) {
 Isolation: daemon.defaultIsolation,
 }
+ daemon.fillAPIInfo(v)
 // Retrieve platform specific info
 daemon.fillPlatformInfo(v, sysInfo)
 daemon.fillDriverInfo(v)
@@ -171,6 +172,32 @@ func (daemon *Daemon) fillSecurityOptions(v *types.Info, sysInfo *sysinfo.SysInf
 v.SecurityOptions = securityOptions
 }
+func (daemon *Daemon) fillAPIInfo(v *types.Info) {
+ const warn string = `
+ Access to the remote API is equivalent to root access on the host. Refer
+ to the 'Docker daemon attack surface' section in the documentation for
+ more information: https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface`
+
+ cfg := daemon.configStore
+ for _, host := range cfg.Hosts {
+ // cnf.Hosts is normalized during startup, so should always have a scheme/proto
+ h := strings.SplitN(host, "://", 2)
+ proto := h[0]
+ addr := h[1]
+ if proto != "tcp" {
+ continue
+ }
+ if !cfg.TLS {
+ v.Warnings = append(v.Warnings, fmt.Sprintf("WARNING: API is accessible on http://%s without encryption.%s", addr, warn))
+ continue
+ }
+ if !cfg.TLSVerify {
+ v.Warnings = append(v.Warnings, fmt.Sprintf("WARNING: API is accessible on https://%s without TLS client verification.%s", addr, warn))
+ continue
+ }
+ }
+}
+
 func hostName() string {
 hostname := ""
 if hn, err := os.Hostname(); err != nil {
diff --git a/components/engine/integration/system/info_test.go b/components/engine/integration/system/info_test.go
index 2a05dfbb74..b8bdcf0049 100644
--- a/components/engine/integration/system/info_test.go
+++ b/components/engine/integration/system/info_test.go
@@ -5,6 +5,7 @@ import (
 "fmt"
 "testing"
+ "github.com/docker/docker/internal/test/daemon"
 "github.com/docker/docker/internal/test/request"
 "gotest.tools/assert"
 is "gotest.tools/assert/cmp"
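Review bot: `addr := h[1]` in `fillAPIInfo` panics if any entry in `cfg.Hosts` lacks `://`; the comment above relies on startup normalization, but a one-line guard keeps an info request from taking the whole daemon down should that invariant ever be broken, e.g. `if len(h) != 2 || h[0] != "tcp" { continue }` followed by `addr := h[1]`, replacing the `proto` variable and the separate `proto != "tcp"` check. The same comment reads `cnf.Hosts` where the variable is `cfg.Hosts`. The `continue` at the end of the `!cfg.TLSVerify` branch is the last statement of the loop body and can be dropped. A short doc comment on the function would also help, e.g. `// fillAPIInfo adds a warning to v.Warnings for every tcp host that is served without TLS or without TLS client verification.`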
@@ -40,3 +41,26 @@ func TestInfoAPI(t *testing.T) {
 assert.Check(t, is.Contains(out, linePrefix))
 }
 }
+
+func TestInfoAPIWarnings(t *testing.T) {
+ d := daemon.New(t)
+
+ client, err := d.NewClient()
+ assert.NilError(t, err)
+
+ d.StartWithBusybox(t, "--iptables=false", "-H=0.0.0.0:23756", "-H=unix://"+d.Sock())
+ defer d.Stop(t)
+
+ info, err := client.Info(context.Background())
+ assert.NilError(t, err)
+
+ stringsToCheck := []string{
+ "Access to the remote API is equivalent to root access",
+ "http://0.0.0.0:23756",
+ }
+
+ out := fmt.Sprintf("%+v", info)
+ for _, linePrefix := range stringsToCheck {
+ assert.Check(t, is.Contains(out, linePrefix))
+ }
+}
diff --git a/components/engine/vendor.conf b/components/engine/vendor.conf
index b13e022123..4269c9f438 100644
--- a/components/engine/vendor.conf
+++ b/components/engine/vendor.conf
@@ -26,7 +26,7 @@ github.com/imdario/mergo v0.3.6
 golang.org/x/sync 1d60e4601c6fd243af51cc01ddf169918a5407ca
 # buildkit
-github.com/moby/buildkit 46f9075ab68a07df2c40ae6e240ce4f9392b3a66 git://github.com/tiborvass/buildkit.git
+github.com/moby/buildkit 49906c62925ed429ec9174a0b6869982967f1a39
 github.com/tonistiigi/fsutil b19464cd1b6a00773b4f2eb7acf9c30426f9df42
 github.com/grpc-ecosystem/grpc-opentracing 8e809c8a86450a29b90dcc9efbf062d0fe6d9746
 github.com/opentracing/opentracing-go 1361b9cd60be79c4c3a7fa9841b3c132e40066a7
diff --git a/components/engine/vendor/github.com/moby/buildkit/executor/runcexecutor/executor.go b/components/engine/vendor/github.com/moby/buildkit/executor/runcexecutor/executor.go
index 3d19d4e375..2874314198 100644
--- a/components/engine/vendor/github.com/moby/buildkit/executor/runcexecutor/executor.go
+++ b/components/engine/vendor/github.com/moby/buildkit/executor/runcexecutor/executor.go
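Review bot: `TestInfoAPIWarnings` starts the daemon with `-H=0.0.0.0:23756`, which exposes an unencrypted, unauthenticated API on every interface of the test host for the life of the test, while the code path under test in `fillAPIInfo` only requires a `tcp` host without TLS. Suggest `"-H=127.0.0.1:23756"` in the `StartWithBusybox` call and `"http://127.0.0.1:23756"` in `stringsToCheck`, which exercises the same branch on loopback only. The fixed port can also collide with another test or a daemon already listening on the CI host, surfacing as a confusing start failure rather than an assertion failure; if the port must stay fixed, a comment saying why is worth adding.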
@@ -404,12 +404,6 @@ func (s *forwardIO) writeCloserToFile(wc io.WriteCloser) (*os.File, error) {
 var subReaperOnce sync.Once
 var subReaperError error
-// DisableSubReaper prevents setting subreaper on the current process.
-// Do not rely on this function it may change or be removed.
-func DisableSubReaper() {
- subReaperOnce.Do(func() {})
-}
-
 func setSubReaper() error {
 subReaperOnce.Do(func() {
 subReaperError = runcsystem.SetSubreaper(1)
diff --git a/components/engine/vendor/github.com/moby/buildkit/vendor.conf b/components/engine/vendor/github.com/moby/buildkit/vendor.conf
index a08531dbff..7195f48073 100644
--- a/components/engine/vendor/github.com/moby/buildkit/vendor.conf
+++ b/components/engine/vendor/github.com/moby/buildkit/vendor.conf
@@ -14,7 +14,7 @@ google.golang.org/grpc v1.12.0
 github.com/opencontainers/go-digest c9281466c8b2f606084ac71339773efd177436e7
 golang.org/x/net 0ed95abb35c445290478a5348a7b38bb154135fd
 github.com/gogo/protobuf v1.0.0
-github.com/gogo/googleapis 08a7655d27152912db7aaf4f983275eaf8d128ef
+github.com/gogo/googleapis b23578765ee54ff6bceff57f397d833bf4ca6869
 github.com/golang/protobuf v1.1.0
 github.com/containerd/continuity d3c23511c1bf5851696cba83143d9cbcd666869b
 github.com/opencontainers/image-spec v1.0.1