Merge pull request #206 from andrewhsu/rc1

[17.06] bump version to 17.06.2-ce-rc1

CHANGELOG.md

@@ -5,7 +5,83 @@ information on the list of deprecated flags and APIs please have a look at
 https://docs.docker.com/engine/deprecated/ where target removal dates can also
 be found.
 
-## 17.06.0-ce (2017-06-07)
+## 17.06.2-ce (2017-08-DD)
+
+### Client
+
+- Enable TCP keepalive in the client to prevent loss of connection [docker/cli#415](https://github.com/docker/cli/pull/415)
+
+### Runtime
+
+- Devmapper: ensure UdevWait is called after calls to setCookie [moby/moby#33732](https://github.com/moby/moby/pull/33732)
+- Aufs: ensure diff layers are correctly removed to prevent leftover files from using up storage [moby/moby#34587](https://github.com/moby/moby/pull/34587)
+
+### Swarm mode
+
+- Ignore PullOptions for running tasks [docker/swarmkit#2351](https://github.com/docker/swarmkit/pull/2351)
+
+## 17.06.1-ce (2017-08-17)
+
+### Builder
+
+* Fix a regression, where `ADD` from remote URL's extracted archives [#89](https://github.com/docker/docker-ce/pull/89)
+* Fix handling of remote "git@" notation [#100](https://github.com/docker/docker-ce/pull/100)
+* Fix copy `--from` conflict with force pull [#86](https://github.com/docker/docker-ce/pull/86)
+
+### Client
+
+* Make pruning volumes optional when running `docker system prune`, and add a `--volumes` flag [#109](https://github.com/docker/docker-ce/pull/109)
+* Show progress of replicated tasks before they are assigned [#97](https://github.com/docker/docker-ce/pull/97)
+* Fix `docker wait` hanging if the container does not exist [#106](https://github.com/docker/docker-ce/pull/106)
+* If `docker swarm ca` is called without the `--rotate` flag, warn if other flags are passed [#110](https://github.com/docker/docker-ce/pull/110)
+* Fix API version negotiation not working if the daemon returns an error [#115](https://github.com/docker/docker-ce/pull/115)
+* Print an error if "until" filter is combined with "--volumes" on system prune [#154](https://github.com/docker/docker-ce/pull/154)
+
+### Logging
+
+* Fix stderr logging for journald and syslog [#95](https://github.com/docker/docker-ce/pull/95)
+* Fix log readers can block writes indefinitely [#98](https://github.com/docker/docker-ce/pull/98)
+* Fix awslogs driver repeating last event [#151](https://github.com/docker/docker-ce/pull/151)
+
+### Networking
+
+* Fixed issue with driver options not received by network drivers [#127](https://github.com/docker/docker-ce/pull/127)
+* Fixed issue with overlay network IP address reuse [#197](https://github.com/docker/docker-ce/pull/197)
+
+### Plugins
+
+* Make plugin removes more resilient to failure [#91](https://github.com/docker/docker-ce/pull/91)
+
+### Runtime
+
+* Prevent a goroutine leak when healthcheck gets stopped [#90](https://github.com/docker/docker-ce/pull/90)
+* Do not error on relabel when relabel not supported [#92](https://github.com/docker/docker-ce/pull/92)
+* Limit max backoff delay to 2 seconds for GRPC connection [#94](https://github.com/docker/docker-ce/pull/94)
+* Fix issue preventing containers to run when memory cgroup was specified due to bug in certain kernels [#102](https://github.com/docker/docker-ce/pull/102)
+* Fix container not responding to SIGKILL when paused [#102](https://github.com/docker/docker-ce/pull/102)
+* Improve error message if an image for an incompatible OS is loaded [#108](https://github.com/docker/docker-ce/pull/108)
+* Fix a handle leak in go-winio [#112](https://github.com/docker/docker-ce/pull/112)
+* Fix issue upon upgrade, preventing docker from showing running containers when `--live-restore` is enabled [#117](https://github.com/docker/docker-ce/pull/117)
+* Fix bug where services using secrets would fail to start on daemons using the `userns-remap` feature [#121](https://github.com/docker/docker-ce/pull/121)
+* Fix error handling with not-exist errors on remove [#142](https://github.com/docker/docker-ce/pull/142)
+* Fix REST API Swagger representation cannot be loaded with SwaggerUI [#156](https://github.com/docker/docker-ce/pull/156)
+
+### Security
+
+* Redact secret data on "secret create" [#99](https://github.com/docker/docker-ce/pull/99)
+
+### Swarm Mode
+
+* Do not add duplicate platform information to service spec [#107](https://github.com/docker/docker-ce/pull/107)
+* Cluster update and memory issue fixes [#114](https://github.com/docker/docker-ce/pull/114)
+* Changing get network request to return predefined network in swarm [#150](https://github.com/docker/docker-ce/pull/150)
+
+## 17.06.0-ce (2017-06-19)
+
+**NOTE**: Docker 17.06 by default disables communication with legacy (v1) registries. If you
+require interaction with registries that have not yet migrated to the v2 protocol, set the
+`--disable-legacy-registry=false` daemon option. Interaction with v1 registries will be removed
+in Docker 17.12.
 
 ### Builder
 
@@ -25,6 +101,11 @@ be found.
 + Add new `ca ` subcommand to `docker swarm` to allow managing a swarm CA [#docker/cli/48](https://github.com/docker/cli/pull/48)
 + Add credential-spec to compose [#docker/cli/71](https://github.com/docker/cli/pull/71)
 + Add support for csv format options to `--network` and `--network-add` [#docker/cli/62](https://github.com/docker/cli/pull/62) [#33130](https://github.com/moby/moby/pull/33130)
+- Fix stack compose bind-mount volumes on Windows [#docker/cli/136](https://github.com/docker/cli/pull/136)
+- Correctly handle a Docker daemon without registry info [#docker/cli/126](https://github.com/docker/cli/pull/126)
++ Allow --detach and --quiet flags when using --rollback [#docker/cli/144](https://github.com/docker/cli/pull/144)
++ Remove deprecated `--email` flag from `docker login` [#docker/cli/143](https://github.com/docker/cli/pull/143)
+* Adjusted `docker stats` memory output [#docker/cli/80](https://github.com/docker/cli/pull/80)
 
 ### Distribution
 
@@ -40,6 +121,8 @@ be found.
 + Add Support swarm-mode services with node-local networks such as macvlan, ipvlan, bridge, host  [#32981](https://github.com/moby/moby/pull/32981)
 + Pass driver-options to network drivers on service creation [#32981] (https://github.com/moby/moby/pull/33130)
 + Isolate Swarm Control-plane traffic from Application data traffic using --data-path-addr [#32717] (https://github.com/moby/moby/pull/32717)
+* Several improvments to  Service Discovery [#docker/libnetwork/1796](https://github.com/docker/libnetwork/pull/1796)
+* Add DOCKER-USER chain enabling user customization of iptables FORWARD policy [#docker/libnetwork/1675](https://github.com/docker/libnetwork/pull/1675)
 
 ### Packaging
 
@@ -59,6 +142,14 @@ be found.
 + Add daemon option to allow pushing foreign layers [#33151](https://github.com/moby/moby/pull/33151)
 - Fix an issue preventing containerd to be restarted after it died [#32986](https://github.com/moby/moby/pull/32986)
 + Add cluster events to Docker event stream. [#32421](https://github.com/moby/moby/pull/32421)
++ Add support for DNS search on windows [#33311](https://github.com/moby/moby/pull/33311)
+* Upgrade to Go 1.8.3 [#33387](https://github.com/moby/moby/pull/33387)
+- Prevent a containerd crash when journald is restarted [#containerd/930](https://github.com/containerd/containerd/pull/930)
+- Fix healthcheck failures due to invalid environment variables [#33249](https://github.com/moby/moby/pull/33249)
+- Prevent a directory to be created in lieu of the daemon socket when a container mounting it is to be restarted during a shutdown [#30348](https://github.com/moby/moby/pull/33330)
+- Prevent a container to be restarted upon stop if its stop signal is set to `SIGKILL` [#33335](https://github.com/moby/moby/pull/33335)
+- Ensure log drivers get passed the same filename to both StartLogging and StopLogging endpoints [#33583](https://github.com/moby/moby/pull/33583)
+- Remove daemon data structure dump on `SIGUSR1` to avoid a panic [#33598](https://github.com/moby/moby/pull/33598)
 
 ### Security
 
@@ -74,6 +165,14 @@ be found.
 + Add API to rotate swarm CA certificate [#32993](https://github.com/moby/moby/pull/32993)
 * Service digest pining is now handled client side [#32388](https://github.com/moby/moby/pull/32388), [#33239](https://github.com/moby/moby/pull/33239)
 + Placement now also take platform in account [#33144](https://github.com/moby/moby/pull/33144)
+- Fix possible hang when joining fails [#docker-ce/19](https://github.com/docker/docker-ce/pull/19)
+- Fix an issue preventing external CA to be accepted [#33341](https://github.com/moby/moby/pull/33341)
+- Fix possible orchestration panic in mixed version clusters [#swarmkit/2233](https://github.com/docker/swarmkit/pull/2233)
+- Avoid assigning duplicate IPs during initialization [#swarmkit/2237](https://github.com/docker/swarmkit/pull/2237)
+
+### Deprecation
+
+* Disable legacy registry (v1) by default [#33629](https://github.com/moby/moby/pull/33629)
 
 ## 17.05.0-ce (2017-05-04)
 

Makefile

@@ -25,3 +25,6 @@ clean: ## clean the build artifacts
 	-$(MAKE) -C $(CLI_DIR) clean
 	-$(MAKE) -C $(ENGINE_DIR) clean
 	-$(MAKE) -C $(PACKAGING_DIR) clean
+
+vendor: $(CLI_DIR)/build/docker
+	docker run --rm -it -v $(CLI_DIR):/go/src/github.com/docker/cli -v $(ENGINE_DIR):/go/src/github.com/docker/docker docker-cli-dev sh -c 'cd /go/src/github.com/docker/docker && git init && git add . && git -c user.name=user -c user.email=email@example.com commit -m first && cd /go/src/github.com/docker/cli && vndr; rm -rf /go/src/github.com/docker/docker/.git'

VERSION

@@ -1 +1 @@
-17.06.0-ce-rc1
+17.06.2-ce-rc1

components/cli/.gitignore

@@ -2,3 +2,7 @@
 /build/
 cli/winresources/rsrc_386.syso
 cli/winresources/rsrc_amd64.syso
+/man/man1/
+/man/man5/
+/man/man8/
+/docs/yaml/gen/

components/cli/Makefile

@@ -7,13 +7,13 @@ all: binary
 # remove build artifacts
 .PHONY: clean
 clean:
-	@rm -rf ./build/* cli/winresources/rsrc_*
+	@rm -rf ./build/* cli/winresources/rsrc_* ./man/man[1-9] docs/yaml/gen
 
 # run go test
 # the "-tags daemon" part is temporary
 .PHONY: test
 test:
-	@go test -tags daemon -v $(shell go list ./... | grep -v /vendor/)
+	@go test -tags daemon -v $(shell go list ./... | grep -v '/vendor/')
 
 .PHONY: lint
 lint:
@@ -42,6 +42,16 @@ vendor: vendor.conf
 	@vndr 2> /dev/null
 	@scripts/validate/check-git-diff vendor
 
+## generate man pages from go source and markdown
+.PHONY: manpages
+manpages:
+	@scripts/docs/generate-man.sh
+
+## generate documentation YAML files consumed by docs repo
+.PHONY: yamldocs
+yamldocs:
+	@scripts/docs/generate-yaml.sh
+
 cli/compose/schema/bindata.go: cli/compose/schema/data/*.json
 	go generate github.com/docker/cli/cli/compose/schema
 

components/cli/VERSION

@@ -1 +1 @@
-17.06.0-ce-rc1
+17.06.2-ce-rc1

components/cli/cli/command/cli.go

@@ -3,9 +3,11 @@ package command
 import (
 	"fmt"
 	"io"
+	"net"
 	"net/http"
 	"os"
 	"runtime"
+	"time"
 
 	"github.com/docker/cli/cli"
 	cliconfig "github.com/docker/cli/cli/config"
@@ -285,6 +287,10 @@ func newHTTPClient(host string, tlsOptions *tlsconfig.Options) (*http.Client, er
 	}
 	tr := &http.Transport{
 		TLSClientConfig: config,
+		DialContext: (&net.Dialer{
+			KeepAlive: 30 * time.Second,
+			Timeout:   30 * time.Second,
+		}).DialContext,
 	}
 	proto, addr, _, err := client.ParseHost(host)
 	if err != nil {

components/cli/cli/command/node/ps_test.go

@@ -103,11 +103,11 @@ func TestNodePs(t *testing.T) {
 			},
 			taskListFunc: func(options types.TaskListOptions) ([]swarm.Task, error) {
 				return []swarm.Task{
-					*Task(TaskID("taskID1"), ServiceID("failure"),
+					*Task(TaskID("taskID1"), TaskServiceID("failure"),
 						WithStatus(Timestamp(time.Now().Add(-2*time.Hour)), StatusErr("a task error"))),
-					*Task(TaskID("taskID2"), ServiceID("failure"),
+					*Task(TaskID("taskID2"), TaskServiceID("failure"),
 						WithStatus(Timestamp(time.Now().Add(-3*time.Hour)), StatusErr("a task error"))),
-					*Task(TaskID("taskID3"), ServiceID("failure"),
+					*Task(TaskID("taskID3"), TaskServiceID("failure"),
 						WithStatus(Timestamp(time.Now().Add(-4*time.Hour)), StatusErr("a task error"))),
 				}, nil
 			},

components/cli/cli/command/registry.go

@@ -28,7 +28,9 @@ func ElectAuthServer(ctx context.Context, cli Cli) string {
 	// the default registry URL might be Windows specific.
 	serverAddress := registry.IndexServer
 	if info, err := cli.Client().Info(ctx); err != nil {
-		fmt.Fprintf(cli.Out(), "Warning: failed to get default registry endpoint from daemon (%v). Using system default: %s\n", err, serverAddress)
+		fmt.Fprintf(cli.Err(), "Warning: failed to get default registry endpoint from daemon (%v). Using system default: %s\n", err, serverAddress)
+	} else if info.IndexServerAddress == "" {
+		fmt.Fprintf(cli.Err(), "Warning: Empty registry endpoint from daemon. Using system default: %s\n", serverAddress)
 	} else {
 		serverAddress = info.IndexServerAddress
 	}

components/cli/cli/command/registry/login.go

@@ -41,10 +41,6 @@ func NewLoginCommand(dockerCli command.Cli) *cobra.Command {
 	flags.StringVarP(&opts.user, "username", "u", "", "Username")
 	flags.StringVarP(&opts.password, "password", "p", "", "Password")
 
-	// Deprecated in 1.11: Should be removed in docker 17.06
-	flags.StringVarP(&opts.email, "email", "e", "", "Email")
-	flags.MarkDeprecated("email", "will be removed in 17.06.")
-
 	return cmd
 }
 

components/cli/cli/command/registry_test.go

@@ -0,0 +1,79 @@
+package command_test
+
+import (
+	"bytes"
+	"testing"
+
+	"github.com/pkg/errors"
+	"github.com/stretchr/testify/assert"
+	"golang.org/x/net/context"
+
+	// Prevents a circular import with "github.com/docker/cli/cli/internal/test"
+	. "github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/client"
+)
+
+type fakeClient struct {
+	client.Client
+	infoFunc func() (types.Info, error)
+}
+
+func (cli *fakeClient) Info(_ context.Context) (types.Info, error) {
+	if cli.infoFunc != nil {
+		return cli.infoFunc()
+	}
+	return types.Info{}, nil
+}
+
+func TestElectAuthServer(t *testing.T) {
+	testCases := []struct {
+		expectedAuthServer string
+		expectedWarning    string
+		infoFunc           func() (types.Info, error)
+	}{
+		{
+			expectedAuthServer: "https://index.docker.io/v1/",
+			expectedWarning:    "",
+			infoFunc: func() (types.Info, error) {
+				return types.Info{IndexServerAddress: "https://index.docker.io/v1/"}, nil
+			},
+		},
+		{
+			expectedAuthServer: "https://index.docker.io/v1/",
+			expectedWarning:    "Empty registry endpoint from daemon",
+			infoFunc: func() (types.Info, error) {
+				return types.Info{IndexServerAddress: ""}, nil
+			},
+		},
+		{
+			expectedAuthServer: "https://foo.bar",
+			expectedWarning:    "",
+			infoFunc: func() (types.Info, error) {
+				return types.Info{IndexServerAddress: "https://foo.bar"}, nil
+			},
+		},
+		{
+			expectedAuthServer: "https://index.docker.io/v1/",
+			expectedWarning:    "failed to get default registry endpoint from daemon",
+			infoFunc: func() (types.Info, error) {
+				return types.Info{}, errors.Errorf("error getting info")
+			},
+		},
+	}
+	for _, tc := range testCases {
+		buf := new(bytes.Buffer)
+		cli := test.NewFakeCli(&fakeClient{infoFunc: tc.infoFunc}, buf)
+		errBuf := new(bytes.Buffer)
+		cli.SetErr(errBuf)
+		server := ElectAuthServer(context.Background(), cli)
+		assert.Equal(t, tc.expectedAuthServer, server)
+		actual := errBuf.String()
+		if tc.expectedWarning == "" {
+			assert.Empty(t, actual)
+		} else {
+			assert.Contains(t, actual, tc.expectedWarning)
+		}
+	}
+}

components/cli/cli/command/service/parse.go

@@ -12,6 +12,10 @@ import (
 // ParseSecrets retrieves the secrets with the requested names and fills
 // secret IDs into the secret references.
 func ParseSecrets(client client.SecretAPIClient, requestedSecrets []*swarmtypes.SecretReference) ([]*swarmtypes.SecretReference, error) {
+	if len(requestedSecrets) == 0 {
+		return []*swarmtypes.SecretReference{}, nil
+	}
+
 	secretRefs := make(map[string]*swarmtypes.SecretReference)
 	ctx := context.Background()
 
@@ -61,6 +65,10 @@ func ParseSecrets(client client.SecretAPIClient, requestedSecrets []*swarmtypes.
 // ParseConfigs retrieves the configs from the requested names and converts
 // them to config references to use with the spec
 func ParseConfigs(client client.ConfigAPIClient, requestedConfigs []*swarmtypes.ConfigReference) ([]*swarmtypes.ConfigReference, error) {
+	if len(requestedConfigs) == 0 {
+		return []*swarmtypes.ConfigReference{}, nil
+	}
+
 	configRefs := make(map[string]*swarmtypes.ConfigReference)
 	ctx := context.Background()
 

components/cli/cli/command/service/progress/progress.go

@@ -275,7 +275,11 @@ func (u *replicatedProgressUpdater) update(service swarm.Service, tasks []swarm.
 				continue
 			}
 		}
-		if _, nodeActive := activeNodes[task.NodeID]; nodeActive {
+		if task.NodeID != "" {
+			if _, nodeActive := activeNodes[task.NodeID]; nodeActive {
+				tasksBySlot[task.Slot] = task
+			}
+		} else {
 			tasksBySlot[task.Slot] = task
 		}
 	}

components/cli/cli/command/service/update.go

@@ -131,7 +131,7 @@ func runUpdate(dockerCli *command.DockerCli, flags *pflag.FlagSet, options *serv
 		// Rollback can't be combined with other flags.
 		otherFlagsPassed := false
 		flags.VisitAll(func(f *pflag.Flag) {
-			if f.Name == "rollback" {
+			if f.Name == "rollback" || f.Name == "detach" || f.Name == "quiet" {
 				return
 			}
 			if flags.Changed(f.Name) {

components/cli/cli/command/stack/client_test.go

@@ -4,6 +4,7 @@ import (
 	"strings"
 
 	"github.com/docker/cli/cli/compose/convert"
+	"github.com/docker/docker/api"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/swarm"
@@ -14,20 +15,40 @@ import (
 type fakeClient struct {
 	client.Client
 
+	version string
+
 	services []string
 	networks []string
 	secrets  []string
+	configs  []string
 
 	removedServices []string
 	removedNetworks []string
 	removedSecrets  []string
+	removedConfigs  []string
 
-	serviceListFunc   func(options types.ServiceListOptions) ([]swarm.Service, error)
-	networkListFunc   func(options types.NetworkListOptions) ([]types.NetworkResource, error)
-	secretListFunc    func(options types.SecretListOptions) ([]swarm.Secret, error)
-	serviceRemoveFunc func(serviceID string) error
-	networkRemoveFunc func(networkID string) error
-	secretRemoveFunc  func(secretID string) error
+	serviceListFunc    func(options types.ServiceListOptions) ([]swarm.Service, error)
+	networkListFunc    func(options types.NetworkListOptions) ([]types.NetworkResource, error)
+	secretListFunc     func(options types.SecretListOptions) ([]swarm.Secret, error)
+	configListFunc     func(options types.ConfigListOptions) ([]swarm.Config, error)
+	nodeListFunc       func(options types.NodeListOptions) ([]swarm.Node, error)
+	taskListFunc       func(options types.TaskListOptions) ([]swarm.Task, error)
+	nodeInspectWithRaw func(ref string) (swarm.Node, []byte, error)
+	serviceRemoveFunc  func(serviceID string) error
+	networkRemoveFunc  func(networkID string) error
+	secretRemoveFunc   func(secretID string) error
+	configRemoveFunc   func(configID string) error
+}
+
+func (cli *fakeClient) ServerVersion(ctx context.Context) (types.Version, error) {
+	return types.Version{
+		Version:    "docker-dev",
+		APIVersion: api.DefaultVersion,
+	}, nil
+}
+
+func (cli *fakeClient) ClientVersion() string {
+	return cli.version
 }
 
 func (cli *fakeClient) ServiceList(ctx context.Context, options types.ServiceListOptions) ([]swarm.Service, error) {
@@ -75,6 +96,42 @@ func (cli *fakeClient) SecretList(ctx context.Context, options types.SecretListO
 	return secretsList, nil
 }
 
+func (cli *fakeClient) ConfigList(ctx context.Context, options types.ConfigListOptions) ([]swarm.Config, error) {
+	if cli.configListFunc != nil {
+		return cli.configListFunc(options)
+	}
+
+	namespace := namespaceFromFilters(options.Filters)
+	configsList := []swarm.Config{}
+	for _, name := range cli.configs {
+		if belongToNamespace(name, namespace) {
+			configsList = append(configsList, configFromName(name))
+		}
+	}
+	return configsList, nil
+}
+
+func (cli *fakeClient) TaskList(ctx context.Context, options types.TaskListOptions) ([]swarm.Task, error) {
+	if cli.taskListFunc != nil {
+		return cli.taskListFunc(options)
+	}
+	return []swarm.Task{}, nil
+}
+
+func (cli *fakeClient) NodeList(ctx context.Context, options types.NodeListOptions) ([]swarm.Node, error) {
+	if cli.nodeListFunc != nil {
+		return cli.nodeListFunc(options)
+	}
+	return []swarm.Node{}, nil
+}
+
+func (cli *fakeClient) NodeInspectWithRaw(ctx context.Context, ref string) (swarm.Node, []byte, error) {
+	if cli.nodeInspectWithRaw != nil {
+		return cli.nodeInspectWithRaw(ref)
+	}
+	return swarm.Node{}, nil, nil
+}
+
 func (cli *fakeClient) ServiceRemove(ctx context.Context, serviceID string) error {
 	if cli.serviceRemoveFunc != nil {
 		return cli.serviceRemoveFunc(serviceID)
@@ -102,6 +159,15 @@ func (cli *fakeClient) SecretRemove(ctx context.Context, secretID string) error
 	return nil
 }
 
+func (cli *fakeClient) ConfigRemove(ctx context.Context, configID string) error {
+	if cli.configRemoveFunc != nil {
+		return cli.configRemoveFunc(configID)
+	}
+
+	cli.removedConfigs = append(cli.removedConfigs, configID)
+	return nil
+}
+
 func serviceFromName(name string) swarm.Service {
 	return swarm.Service{
 		ID: "ID-" + name,
@@ -127,6 +193,15 @@ func secretFromName(name string) swarm.Secret {
 	}
 }
 
+func configFromName(name string) swarm.Config {
+	return swarm.Config{
+		ID: "ID-" + name,
+		Spec: swarm.ConfigSpec{
+			Annotations: swarm.Annotations{Name: name},
+		},
+	}
+}
+
 func namespaceFromFilters(filters filters.Args) string {
 	label := filters.Get("label")[0]
 	return strings.TrimPrefix(label, convert.LabelNamespace+"=")

components/cli/cli/command/stack/common.go

@@ -61,3 +61,13 @@ func getStackSecrets(
 		ctx,
 		types.SecretListOptions{Filters: getStackFilter(namespace)})
 }
+
+func getStackConfigs(
+	ctx context.Context,
+	apiclient client.APIClient,
+	namespace string,
+) ([]swarm.Config, error) {
+	return apiclient.ConfigList(
+		ctx,
+		types.ConfigListOptions{Filters: getStackFilter(namespace)})
+}

components/cli/cli/command/stack/deploy.go

@@ -7,6 +7,7 @@ import (
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/compose/convert"
 	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/api/types/versions"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 	"golang.org/x/net/context"
@@ -14,12 +15,16 @@ import (
 
 const (
 	defaultNetworkDriver = "overlay"
+	resolveImageAlways   = "always"
+	resolveImageChanged  = "changed"
+	resolveImageNever    = "never"
 )
 
 type deployOptions struct {
 	bundlefile       string
 	composefile      string
 	namespace        string
+	resolveImage     string
 	sendRegistryAuth bool
 	prune            bool
 }
@@ -44,12 +49,19 @@ func newDeployCommand(dockerCli command.Cli) *cobra.Command {
 	addRegistryAuthFlag(&opts.sendRegistryAuth, flags)
 	flags.BoolVar(&opts.prune, "prune", false, "Prune services that are no longer referenced")
 	flags.SetAnnotation("prune", "version", []string{"1.27"})
+	flags.StringVar(&opts.resolveImage, "resolve-image", resolveImageAlways,
+		`Query the registry to resolve image digest and supported platforms ("`+resolveImageAlways+`"|"`+resolveImageChanged+`"|"`+resolveImageNever+`")`)
+	flags.SetAnnotation("resolve-image", "version", []string{"1.30"})
 	return cmd
 }
 
 func runDeploy(dockerCli command.Cli, opts deployOptions) error {
 	ctx := context.Background()
 
+	if err := validateResolveImageFlag(dockerCli, &opts); err != nil {
+		return err
+	}
+
 	switch {
 	case opts.bundlefile == "" && opts.composefile == "":
 		return errors.Errorf("Please specify either a bundle file (with --bundle-file) or a Compose file (with --compose-file).")
@@ -62,6 +74,20 @@ func runDeploy(dockerCli command.Cli, opts deployOptions) error {
 	}
 }
 
+// validateResolveImageFlag validates the opts.resolveImage command line option
+// and also turns image resolution off if the version is older than 1.30
+func validateResolveImageFlag(dockerCli command.Cli, opts *deployOptions) error {
+	if opts.resolveImage != resolveImageAlways && opts.resolveImage != resolveImageChanged && opts.resolveImage != resolveImageNever {
+		return errors.Errorf("Invalid option %s for flag --resolve-image", opts.resolveImage)
+	}
+	// client side image resolution should not be done when the supported
+	// server version is older than 1.30
+	if versions.LessThan(dockerCli.Client().ClientVersion(), "1.30") {
+		opts.resolveImage = resolveImageNever
+	}
+	return nil
+}
+
 // checkDaemonIsSwarmManager does an Info API call to verify that the daemon is
 // a swarm manager. This is necessary because we must create networks before we
 // create services, but the API call for creating a network does not return a

components/cli/cli/command/stack/deploy_bundlefile.go

@@ -87,5 +87,5 @@ func deployBundle(ctx context.Context, dockerCli command.Cli, opts deployOptions
 	if err := createNetworks(ctx, dockerCli, namespace, networks); err != nil {
 		return err
 	}
-	return deployServices(ctx, dockerCli, services, namespace, opts.sendRegistryAuth)
+	return deployServices(ctx, dockerCli, services, namespace, opts.sendRegistryAuth, opts.resolveImage)
 }

components/cli/cli/command/stack/deploy_composefile.go

@@ -13,6 +13,7 @@ import (
 	"github.com/docker/cli/cli/compose/loader"
 	composetypes "github.com/docker/cli/cli/compose/types"
 	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/swarm"
 	apiclient "github.com/docker/docker/client"
 	dockerclient "github.com/docker/docker/client"
@@ -64,7 +65,7 @@ func deployCompose(ctx context.Context, dockerCli command.Cli, opts deployOption
 
 	serviceNetworks := getServicesDeclaredNetworks(config.Services)
 	networks, externalNetworks := convert.Networks(namespace, config.Networks, serviceNetworks)
-	if err := validateExternalNetworks(ctx, dockerCli, externalNetworks); err != nil {
+	if err := validateExternalNetworks(ctx, dockerCli.Client(), externalNetworks); err != nil {
 		return err
 	}
 	if err := createNetworks(ctx, dockerCli, namespace, networks); err != nil {
@@ -75,7 +76,7 @@ func deployCompose(ctx context.Context, dockerCli command.Cli, opts deployOption
 	if err != nil {
 		return err
 	}
-	if err := createSecrets(ctx, dockerCli, namespace, secrets); err != nil {
+	if err := createSecrets(ctx, dockerCli, secrets); err != nil {
 		return err
 	}
 
@@ -83,7 +84,7 @@ func deployCompose(ctx context.Context, dockerCli command.Cli, opts deployOption
 	if err != nil {
 		return err
 	}
-	if err := createConfigs(ctx, dockerCli, namespace, configs); err != nil {
+	if err := createConfigs(ctx, dockerCli, configs); err != nil {
 		return err
 	}
 
@@ -91,7 +92,7 @@ func deployCompose(ctx context.Context, dockerCli command.Cli, opts deployOption
 	if err != nil {
 		return err
 	}
-	return deployServices(ctx, dockerCli, services, namespace, opts.sendRegistryAuth)
+	return deployServices(ctx, dockerCli, services, namespace, opts.sendRegistryAuth, opts.resolveImage)
 }
 
 func getServicesDeclaredNetworks(serviceConfigs []composetypes.ServiceConfig) map[string]struct{} {
@@ -169,30 +170,31 @@ func getConfigFile(filename string) (*composetypes.ConfigFile, error) {
 
 func validateExternalNetworks(
 	ctx context.Context,
-	dockerCli command.Cli,
-	externalNetworks []string) error {
-	client := dockerCli.Client()
-
+	client dockerclient.NetworkAPIClient,
+	externalNetworks []string,
+) error {
 	for _, networkName := range externalNetworks {
-		network, err := client.NetworkInspect(ctx, networkName, false)
-		if err != nil {
-			if dockerclient.IsErrNetworkNotFound(err) {
-				return errors.Errorf("network %q is declared as external, but could not be found. You need to create the network before the stack is deployed (with overlay driver)", networkName)
-			}
-			return err
+		if !container.NetworkMode(networkName).IsUserDefined() {
+			// Networks that are not user defined always exist on all nodes as
+			// local-scoped networks, so there's no need to inspect them.
+			continue
 		}
-		if network.Scope != "swarm" {
-			return errors.Errorf("network %q is declared as external, but it is not in the right scope: %q instead of %q", networkName, network.Scope, "swarm")
+		network, err := client.NetworkInspect(ctx, networkName, false)
+		switch {
+		case dockerclient.IsErrNotFound(err):
+			return errors.Errorf("network %q is declared as external, but could not be found. You need to create a swarm-scoped network before the stack is deployed", networkName)
+		case err != nil:
+			return err
+		case network.Scope != "swarm":
+			return errors.Errorf("network %q is declared as external, but it is not in the right scope: %q instead of \"swarm\"", networkName, network.Scope)
 		}
 	}
-
 	return nil
 }
 
 func createSecrets(
 	ctx context.Context,
 	dockerCli command.Cli,
-	namespace convert.Namespace,
 	secrets []swarm.SecretSpec,
 ) error {
 	client := dockerCli.Client()
@@ -219,7 +221,6 @@ func createSecrets(
 func createConfigs(
 	ctx context.Context,
 	dockerCli command.Cli,
-	namespace convert.Namespace,
 	configs []swarm.ConfigSpec,
 ) error {
 	client := dockerCli.Client()
@@ -286,6 +287,7 @@ func deployServices(
 	services map[string]swarm.ServiceSpec,
 	namespace convert.Namespace,
 	sendAuth bool,
+	resolveImage string,
 ) error {
 	apiClient := dockerCli.Client()
 	out := dockerCli.Out()
@@ -304,9 +306,9 @@ func deployServices(
 		name := namespace.Scope(internalName)
 
 		encodedAuth := ""
+		image := serviceSpec.TaskTemplate.ContainerSpec.Image
 		if sendAuth {
 			// Retrieve encoded auth token from the image reference
-			image := serviceSpec.TaskTemplate.ContainerSpec.Image
 			encodedAuth, err = command.RetrieveAuthTokenFromImage(ctx, dockerCli, image)
 			if err != nil {
 				return err
@@ -316,10 +318,12 @@ func deployServices(
 		if service, exists := existingServiceMap[name]; exists {
 			fmt.Fprintf(out, "Updating service %s (id: %s)\n", name, service.ID)
 
-			updateOpts := types.ServiceUpdateOptions{}
-			if sendAuth {
-				updateOpts.EncodedRegistryAuth = encodedAuth
+			updateOpts := types.ServiceUpdateOptions{EncodedRegistryAuth: encodedAuth}
+
+			if resolveImage == resolveImageAlways || (resolveImage == resolveImageChanged && image != service.Spec.Labels[convert.LabelImage]) {
+				updateOpts.QueryRegistry = true
 			}
+
 			response, err := apiClient.ServiceUpdate(
 				ctx,
 				service.ID,
@@ -337,10 +341,13 @@ func deployServices(
 		} else {
 			fmt.Fprintf(out, "Creating service %s\n", name)
 
-			createOpts := types.ServiceCreateOptions{}
-			if sendAuth {
-				createOpts.EncodedRegistryAuth = encodedAuth
+			createOpts := types.ServiceCreateOptions{EncodedRegistryAuth: encodedAuth}
+
+			// query registry if flag disabling it was not set
+			if resolveImage == resolveImageAlways || resolveImage == resolveImageChanged {
+				createOpts.QueryRegistry = true
 			}
+
 			if _, err := apiClient.ServiceCreate(ctx, serviceSpec, createOpts); err != nil {
 				return err
 			}

components/cli/cli/command/stack/deploy_composefile_test.go

@@ -5,9 +5,14 @@ import (
 	"path/filepath"
 	"testing"
 
+	"github.com/docker/cli/cli/internal/test/network"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/pkg/testutil"
 	"github.com/docker/docker/pkg/testutil/tempfile"
+	"github.com/pkg/errors"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"golang.org/x/net/context"
 )
 
 func TestGetConfigDetails(t *testing.T) {
@@ -26,3 +31,62 @@ services:
 	assert.Len(t, details.ConfigFiles, 1)
 	assert.Len(t, details.Environment, len(os.Environ()))
 }
+
+type notFound struct {
+	error
+}
+
+func (n notFound) NotFound() bool {
+	return true
+}
+
+func TestValidateExternalNetworks(t *testing.T) {
+	var testcases = []struct {
+		inspected       bool
+		noInspect       bool
+		inspectResponse types.NetworkResource
+		inspectError    error
+		expectedMsg     string
+		network         string
+	}{
+		{
+			inspectError: notFound{},
+			expectedMsg:  "could not be found. You need to create a swarm-scoped network",
+		},
+		{
+			inspectError: errors.New("Unexpected"),
+			expectedMsg:  "Unexpected",
+		},
+		{
+			noInspect: true,
+			network:   "host",
+		},
+		{
+			network:     "user",
+			expectedMsg: "is not in the right scope",
+		},
+		{
+			network:         "user",
+			inspectResponse: types.NetworkResource{Scope: "swarm"},
+		},
+	}
+
+	for _, testcase := range testcases {
+		fakeClient := &network.FakeClient{
+			NetworkInspectFunc: func(_ context.Context, _ string, _ bool) (types.NetworkResource, error) {
+				testcase.inspected = true
+				return testcase.inspectResponse, testcase.inspectError
+			},
+		}
+		networks := []string{testcase.network}
+		err := validateExternalNetworks(context.Background(), fakeClient, networks)
+		if testcase.noInspect && testcase.inspected {
+			assert.Fail(t, "expected no network inspect operation but one occurent")
+		}
+		if testcase.expectedMsg == "" {
+			assert.NoError(t, err)
+		} else {
+			testutil.ErrorContains(t, err, testcase.expectedMsg)
+		}
+	}
+}

components/cli/cli/command/stack/list.go

@@ -18,7 +18,7 @@ type listOptions struct {
 	format string
 }
 
-func newListCommand(dockerCli *command.DockerCli) *cobra.Command {
+func newListCommand(dockerCli command.Cli) *cobra.Command {
 	opts := listOptions{}
 
 	cmd := &cobra.Command{
@@ -36,7 +36,7 @@ func newListCommand(dockerCli *command.DockerCli) *cobra.Command {
 	return cmd
 }
 
-func runList(dockerCli *command.DockerCli, opts listOptions) error {
+func runList(dockerCli command.Cli, opts listOptions) error {
 	client := dockerCli.Client()
 	ctx := context.Background()
 

components/cli/cli/command/stack/list_test.go

@@ -0,0 +1,122 @@
+package stack
+
+import (
+	"bytes"
+	"io/ioutil"
+	"testing"
+
+	"github.com/docker/cli/cli/internal/test"
+	// Import builders to get the builder function as package function
+	. "github.com/docker/cli/cli/internal/test/builders"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/pkg/testutil"
+	"github.com/docker/docker/pkg/testutil/golden"
+	"github.com/pkg/errors"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestListErrors(t *testing.T) {
+	testCases := []struct {
+		args            []string
+		flags           map[string]string
+		serviceListFunc func(options types.ServiceListOptions) ([]swarm.Service, error)
+		expectedError   string
+	}{
+		{
+			args:          []string{"foo"},
+			expectedError: "accepts no argument",
+		},
+		{
+			flags: map[string]string{
+				"format": "{{invalid format}}",
+			},
+			expectedError: "Template parsing error",
+		},
+		{
+			serviceListFunc: func(options types.ServiceListOptions) ([]swarm.Service, error) {
+				return []swarm.Service{}, errors.Errorf("error getting services")
+			},
+			expectedError: "error getting services",
+		},
+		{
+			serviceListFunc: func(options types.ServiceListOptions) ([]swarm.Service, error) {
+				return []swarm.Service{*Service()}, nil
+			},
+			expectedError: "cannot get label",
+		},
+	}
+
+	for _, tc := range testCases {
+		cmd := newListCommand(test.NewFakeCli(&fakeClient{
+			serviceListFunc: tc.serviceListFunc,
+		}, &bytes.Buffer{}))
+		cmd.SetArgs(tc.args)
+		cmd.SetOutput(ioutil.Discard)
+		for key, value := range tc.flags {
+			cmd.Flags().Set(key, value)
+		}
+		testutil.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestListWithFormat(t *testing.T) {
+	buf := new(bytes.Buffer)
+	cmd := newListCommand(test.NewFakeCli(&fakeClient{
+		serviceListFunc: func(options types.ServiceListOptions) ([]swarm.Service, error) {
+			return []swarm.Service{
+				*Service(
+					ServiceLabels(map[string]string{
+						"com.docker.stack.namespace": "service-name-foo",
+					}),
+				)}, nil
+		},
+	}, buf))
+	cmd.Flags().Set("format", "{{ .Name }}")
+	assert.NoError(t, cmd.Execute())
+	actual := buf.String()
+	expected := golden.Get(t, []byte(actual), "stack-list-with-format.golden")
+	testutil.EqualNormalizedString(t, testutil.RemoveSpace, actual, string(expected))
+}
+
+func TestListWithoutFormat(t *testing.T) {
+	buf := new(bytes.Buffer)
+	cmd := newListCommand(test.NewFakeCli(&fakeClient{
+		serviceListFunc: func(options types.ServiceListOptions) ([]swarm.Service, error) {
+			return []swarm.Service{
+				*Service(
+					ServiceLabels(map[string]string{
+						"com.docker.stack.namespace": "service-name-foo",
+					}),
+				)}, nil
+		},
+	}, buf))
+	assert.NoError(t, cmd.Execute())
+	actual := buf.String()
+	expected := golden.Get(t, []byte(actual), "stack-list-without-format.golden")
+	testutil.EqualNormalizedString(t, testutil.RemoveSpace, actual, string(expected))
+}
+
+func TestListOrder(t *testing.T) {
+	buf := new(bytes.Buffer)
+	cmd := newListCommand(test.NewFakeCli(&fakeClient{
+		serviceListFunc: func(options types.ServiceListOptions) ([]swarm.Service, error) {
+			return []swarm.Service{
+				*Service(
+					ServiceLabels(map[string]string{
+						"com.docker.stack.namespace": "service-name-foo",
+					}),
+				),
+				*Service(
+					ServiceLabels(map[string]string{
+						"com.docker.stack.namespace": "service-name-bar",
+					}),
+				),
+			}, nil
+		},
+	}, buf))
+	assert.NoError(t, cmd.Execute())
+	actual := buf.String()
+	expected := golden.Get(t, []byte(actual), "stack-list-sort.golden")
+	testutil.EqualNormalizedString(t, testutil.RemoveSpace, actual, string(expected))
+}

components/cli/cli/command/stack/opts_test.go

@@ -0,0 +1,49 @@
+package stack
+
+import (
+	"bytes"
+	"fmt"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestLoadBundlefileErrors(t *testing.T) {
+	testCases := []struct {
+		namespace     string
+		path          string
+		expectedError error
+	}{
+		{
+			namespace:     "namespace_foo",
+			expectedError: fmt.Errorf("Bundle %s.dab not found", "namespace_foo"),
+		},
+		{
+			namespace:     "namespace_foo",
+			path:          "invalid_path",
+			expectedError: fmt.Errorf("Bundle %s not found", "invalid_path"),
+		},
+		{
+			namespace:     "namespace_foo",
+			path:          filepath.Join("testdata", "bundlefile_with_invalid_syntax"),
+			expectedError: fmt.Errorf("Error reading"),
+		},
+	}
+
+	for _, tc := range testCases {
+		_, err := loadBundlefile(&bytes.Buffer{}, tc.namespace, tc.path)
+		assert.Error(t, err, tc.expectedError)
+	}
+}
+
+func TestLoadBundlefile(t *testing.T) {
+	buf := new(bytes.Buffer)
+
+	namespace := ""
+	path := filepath.Join("testdata", "bundlefile_with_two_services.dab")
+	bundleFile, err := loadBundlefile(buf, namespace, path)
+
+	assert.NoError(t, err)
+	assert.Equal(t, len(bundleFile.Services), 2)
+}

components/cli/cli/command/stack/ps.go

@@ -58,7 +58,7 @@ func runPS(dockerCli command.Cli, options psOptions) error {
 	}
 
 	if len(tasks) == 0 {
-		fmt.Fprintf(dockerCli.Out(), "Nothing found in stack: %s\n", namespace)
+		fmt.Fprintf(dockerCli.Err(), "Nothing found in stack: %s\n", namespace)
 		return nil
 	}
 

components/cli/cli/command/stack/ps_test.go

@@ -0,0 +1,190 @@
+package stack
+
+import (
+	"bytes"
+	"io/ioutil"
+	"testing"
+	"time"
+
+	"github.com/docker/cli/cli/config/configfile"
+	"github.com/docker/cli/cli/internal/test"
+	// Import builders to get the builder function as package function
+	. "github.com/docker/cli/cli/internal/test/builders"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/pkg/testutil"
+	"github.com/docker/docker/pkg/testutil/golden"
+	"github.com/pkg/errors"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestStackPsErrors(t *testing.T) {
+	testCases := []struct {
+		args          []string
+		taskListFunc  func(options types.TaskListOptions) ([]swarm.Task, error)
+		expectedError string
+	}{
+
+		{
+			args:          []string{},
+			expectedError: "requires exactly 1 argument",
+		},
+		{
+			args:          []string{"foo", "bar"},
+			expectedError: "requires exactly 1 argument",
+		},
+		{
+			args: []string{"foo"},
+			taskListFunc: func(options types.TaskListOptions) ([]swarm.Task, error) {
+				return nil, errors.Errorf("error getting tasks")
+			},
+			expectedError: "error getting tasks",
+		},
+	}
+
+	for _, tc := range testCases {
+		cmd := newPsCommand(test.NewFakeCli(&fakeClient{
+			taskListFunc: tc.taskListFunc,
+		}, &bytes.Buffer{}))
+		cmd.SetArgs(tc.args)
+		cmd.SetOutput(ioutil.Discard)
+		testutil.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestStackPsEmptyStack(t *testing.T) {
+	out := new(bytes.Buffer)
+	stderr := new(bytes.Buffer)
+	fakeCli := test.NewFakeCli(&fakeClient{
+		taskListFunc: func(options types.TaskListOptions) ([]swarm.Task, error) {
+			return []swarm.Task{}, nil
+		},
+	}, out)
+	fakeCli.SetErr(stderr)
+	cmd := newPsCommand(fakeCli)
+	cmd.SetArgs([]string{"foo"})
+
+	assert.NoError(t, cmd.Execute())
+	assert.Equal(t, "", out.String())
+	assert.Equal(t, "Nothing found in stack: foo\n", stderr.String())
+}
+
+func TestStackPsWithQuietOption(t *testing.T) {
+	buf := new(bytes.Buffer)
+	cli := test.NewFakeCli(&fakeClient{
+		taskListFunc: func(options types.TaskListOptions) ([]swarm.Task, error) {
+			return []swarm.Task{*Task(TaskID("id-foo"))}, nil
+		},
+	}, buf)
+	cli.SetConfigfile(&configfile.ConfigFile{})
+	cmd := newPsCommand(cli)
+	cmd.SetArgs([]string{"foo"})
+	cmd.Flags().Set("quiet", "true")
+	assert.NoError(t, cmd.Execute())
+	actual := buf.String()
+	expected := golden.Get(t, []byte(actual), "stack-ps-with-quiet-option.golden")
+	testutil.EqualNormalizedString(t, testutil.RemoveSpace, actual, string(expected))
+
+}
+
+func TestStackPsWithNoTruncOption(t *testing.T) {
+	buf := new(bytes.Buffer)
+	cli := test.NewFakeCli(&fakeClient{
+		taskListFunc: func(options types.TaskListOptions) ([]swarm.Task, error) {
+			return []swarm.Task{*Task(TaskID("xn4cypcov06f2w8gsbaf2lst3"))}, nil
+		},
+	}, buf)
+	cli.SetConfigfile(&configfile.ConfigFile{})
+	cmd := newPsCommand(cli)
+	cmd.SetArgs([]string{"foo"})
+	cmd.Flags().Set("no-trunc", "true")
+	cmd.Flags().Set("format", "{{ .ID }}")
+	assert.NoError(t, cmd.Execute())
+	actual := buf.String()
+	expected := golden.Get(t, []byte(actual), "stack-ps-with-no-trunc-option.golden")
+	testutil.EqualNormalizedString(t, testutil.RemoveSpace, actual, string(expected))
+}
+
+func TestStackPsWithNoResolveOption(t *testing.T) {
+	buf := new(bytes.Buffer)
+	cli := test.NewFakeCli(&fakeClient{
+		taskListFunc: func(options types.TaskListOptions) ([]swarm.Task, error) {
+			return []swarm.Task{*Task(
+				TaskNodeID("id-node-foo"),
+			)}, nil
+		},
+		nodeInspectWithRaw: func(ref string) (swarm.Node, []byte, error) {
+			return *Node(NodeName("node-name-bar")), nil, nil
+		},
+	}, buf)
+	cli.SetConfigfile(&configfile.ConfigFile{})
+	cmd := newPsCommand(cli)
+	cmd.SetArgs([]string{"foo"})
+	cmd.Flags().Set("no-resolve", "true")
+	cmd.Flags().Set("format", "{{ .Node }}")
+	assert.NoError(t, cmd.Execute())
+	actual := buf.String()
+	expected := golden.Get(t, []byte(actual), "stack-ps-with-no-resolve-option.golden")
+	testutil.EqualNormalizedString(t, testutil.RemoveSpace, actual, string(expected))
+}
+
+func TestStackPsWithFormat(t *testing.T) {
+	buf := new(bytes.Buffer)
+	cli := test.NewFakeCli(&fakeClient{
+		taskListFunc: func(options types.TaskListOptions) ([]swarm.Task, error) {
+			return []swarm.Task{*Task(TaskServiceID("service-id-foo"))}, nil
+		},
+	}, buf)
+	cli.SetConfigfile(&configfile.ConfigFile{})
+	cmd := newPsCommand(cli)
+	cmd.SetArgs([]string{"foo"})
+	cmd.Flags().Set("format", "{{ .Name }}")
+	assert.NoError(t, cmd.Execute())
+	actual := buf.String()
+	expected := golden.Get(t, []byte(actual), "stack-ps-with-format.golden")
+	testutil.EqualNormalizedString(t, testutil.RemoveSpace, actual, string(expected))
+}
+
+func TestStackPsWithConfigFormat(t *testing.T) {
+	buf := new(bytes.Buffer)
+	cli := test.NewFakeCli(&fakeClient{
+		taskListFunc: func(options types.TaskListOptions) ([]swarm.Task, error) {
+			return []swarm.Task{*Task(TaskServiceID("service-id-foo"))}, nil
+		},
+	}, buf)
+	cli.SetConfigfile(&configfile.ConfigFile{
+		TasksFormat: "{{ .Name }}",
+	})
+	cmd := newPsCommand(cli)
+	cmd.SetArgs([]string{"foo"})
+	assert.NoError(t, cmd.Execute())
+	actual := buf.String()
+	expected := golden.Get(t, []byte(actual), "stack-ps-with-config-format.golden")
+	testutil.EqualNormalizedString(t, testutil.RemoveSpace, actual, string(expected))
+}
+
+func TestStackPsWithoutFormat(t *testing.T) {
+	buf := new(bytes.Buffer)
+	cli := test.NewFakeCli(&fakeClient{
+		taskListFunc: func(options types.TaskListOptions) ([]swarm.Task, error) {
+			return []swarm.Task{*Task(
+				TaskID("id-foo"),
+				TaskServiceID("service-id-foo"),
+				TaskNodeID("id-node"),
+				WithTaskSpec(TaskImage("myimage:mytag")),
+				TaskDesiredState(swarm.TaskStateReady),
+				WithStatus(TaskState(swarm.TaskStateFailed), Timestamp(time.Now().Add(-2*time.Hour))),
+			)}, nil
+		},
+		nodeInspectWithRaw: func(ref string) (swarm.Node, []byte, error) {
+			return *Node(NodeName("node-name-bar")), nil, nil
+		},
+	}, buf)
+	cli.SetConfigfile(&configfile.ConfigFile{})
+	cmd := newPsCommand(cli)
+	cmd.SetArgs([]string{"foo"})
+	assert.NoError(t, cmd.Execute())
+	actual := buf.String()
+	expected := golden.Get(t, []byte(actual), "stack-ps-without-format.golden")
+	testutil.EqualNormalizedString(t, testutil.RemoveSpace, actual, string(expected))
+}

components/cli/cli/command/stack/remove.go

@@ -8,6 +8,7 @@ import (
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/api/types/versions"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 	"golang.org/x/net/context"
@@ -50,18 +51,30 @@ func runRemove(dockerCli command.Cli, opts removeOptions) error {
 			return err
 		}
 
-		secrets, err := getStackSecrets(ctx, client, namespace)
-		if err != nil {
-			return err
+		var secrets []swarm.Secret
+		if versions.GreaterThanOrEqualTo(client.ClientVersion(), "1.25") {
+			secrets, err = getStackSecrets(ctx, client, namespace)
+			if err != nil {
+				return err
+			}
 		}
 
-		if len(services)+len(networks)+len(secrets) == 0 {
-			fmt.Fprintf(dockerCli.Out(), "Nothing found in stack: %s\n", namespace)
+		var configs []swarm.Config
+		if versions.GreaterThanOrEqualTo(client.ClientVersion(), "1.30") {
+			configs, err = getStackConfigs(ctx, client, namespace)
+			if err != nil {
+				return err
+			}
+		}
+
+		if len(services)+len(networks)+len(secrets)+len(configs) == 0 {
+			fmt.Fprintf(dockerCli.Err(), "Nothing found in stack: %s\n", namespace)
 			continue
 		}
 
 		hasError := removeServices(ctx, dockerCli, services)
 		hasError = removeSecrets(ctx, dockerCli, secrets) || hasError
+		hasError = removeConfigs(ctx, dockerCli, configs) || hasError
 		hasError = removeNetworks(ctx, dockerCli, networks) || hasError
 
 		if hasError {
@@ -119,3 +132,18 @@ func removeSecrets(
 	}
 	return err != nil
 }
+
+func removeConfigs(
+	ctx context.Context,
+	dockerCli command.Cli,
+	configs []swarm.Config,
+) bool {
+	var err error
+	for _, config := range configs {
+		fmt.Fprintf(dockerCli.Err(), "Removing config %s\n", config.Spec.Name)
+		if err = dockerCli.Client().ConfigRemove(ctx, config.ID); err != nil {
+			fmt.Fprintf(dockerCli.Err(), "Failed to remove config %s: %s", config.ID, err)
+		}
+	}
+	return err != nil
+}

components/cli/cli/command/stack/remove_test.go

@@ -32,22 +32,68 @@ func TestRemoveStack(t *testing.T) {
 	}
 	allSecretIDs := buildObjectIDs(allSecrets)
 
+	allConfigs := []string{
+		objectName("foo", "config1"),
+		objectName("foo", "config2"),
+		objectName("bar", "config1"),
+	}
+	allConfigIDs := buildObjectIDs(allConfigs)
+
+	// Using API 1.24; removes services, networks, but doesn't remove configs and secrets
 	cli := &fakeClient{
+		version:  "1.24",
 		services: allServices,
 		networks: allNetworks,
 		secrets:  allSecrets,
+		configs:  allConfigs,
 	}
 	cmd := newRemoveCommand(test.NewFakeCli(cli, &bytes.Buffer{}))
 	cmd.SetArgs([]string{"foo", "bar"})
 
+	assert.NoError(t, cmd.Execute())
+	assert.Equal(t, allServiceIDs, cli.removedServices)
+	assert.Equal(t, allNetworkIDs, cli.removedNetworks)
+	assert.Nil(t, cli.removedSecrets)
+	assert.Nil(t, cli.removedConfigs)
+
+	// Using API 1.25; removes services, networks, but doesn't remove configs
+	cli = &fakeClient{
+		version:  "1.25",
+		services: allServices,
+		networks: allNetworks,
+		secrets:  allSecrets,
+		configs:  allConfigs,
+	}
+	cmd = newRemoveCommand(test.NewFakeCli(cli, &bytes.Buffer{}))
+	cmd.SetArgs([]string{"foo", "bar"})
+
 	assert.NoError(t, cmd.Execute())
 	assert.Equal(t, allServiceIDs, cli.removedServices)
 	assert.Equal(t, allNetworkIDs, cli.removedNetworks)
 	assert.Equal(t, allSecretIDs, cli.removedSecrets)
+	assert.Nil(t, cli.removedConfigs)
+
+	// Using API 1.30; removes services, networks, configs, and secrets
+	cli = &fakeClient{
+		version:  "1.30",
+		services: allServices,
+		networks: allNetworks,
+		secrets:  allSecrets,
+		configs:  allConfigs,
+	}
+	cmd = newRemoveCommand(test.NewFakeCli(cli, &bytes.Buffer{}))
+	cmd.SetArgs([]string{"foo", "bar"})
+
+	assert.NoError(t, cmd.Execute())
+	assert.Equal(t, allServiceIDs, cli.removedServices)
+	assert.Equal(t, allNetworkIDs, cli.removedNetworks)
+	assert.Equal(t, allSecretIDs, cli.removedSecrets)
+	assert.Equal(t, allConfigIDs, cli.removedConfigs)
 }
 
-func TestSkipEmptyStack(t *testing.T) {
-	buf := new(bytes.Buffer)
+func TestRemoveStackSkipEmpty(t *testing.T) {
+	out := new(bytes.Buffer)
+	stderr := new(bytes.Buffer)
 	allServices := []string{objectName("bar", "service1"), objectName("bar", "service2")}
 	allServiceIDs := buildObjectIDs(allServices)
 
@@ -57,22 +103,31 @@ func TestSkipEmptyStack(t *testing.T) {
 	allSecrets := []string{objectName("bar", "secret1")}
 	allSecretIDs := buildObjectIDs(allSecrets)
 
-	cli := &fakeClient{
+	allConfigs := []string{objectName("bar", "config1")}
+	allConfigIDs := buildObjectIDs(allConfigs)
+
+	fakeClient := &fakeClient{
+		version:  "1.30",
 		services: allServices,
 		networks: allNetworks,
 		secrets:  allSecrets,
+		configs:  allConfigs,
 	}
-	cmd := newRemoveCommand(test.NewFakeCli(cli, buf))
+	fakeCli := test.NewFakeCli(fakeClient, out)
+	fakeCli.SetErr(stderr)
+	cmd := newRemoveCommand(fakeCli)
 	cmd.SetArgs([]string{"foo", "bar"})
 
 	assert.NoError(t, cmd.Execute())
-	assert.Contains(t, buf.String(), "Nothing found in stack: foo")
-	assert.Equal(t, allServiceIDs, cli.removedServices)
-	assert.Equal(t, allNetworkIDs, cli.removedNetworks)
-	assert.Equal(t, allSecretIDs, cli.removedSecrets)
+	assert.Equal(t, "", out.String())
+	assert.Contains(t, stderr.String(), "Nothing found in stack: foo\n")
+	assert.Equal(t, allServiceIDs, fakeClient.removedServices)
+	assert.Equal(t, allNetworkIDs, fakeClient.removedNetworks)
+	assert.Equal(t, allSecretIDs, fakeClient.removedSecrets)
+	assert.Equal(t, allConfigIDs, fakeClient.removedConfigs)
 }
 
-func TestContinueAfterError(t *testing.T) {
+func TestRemoveContinueAfterError(t *testing.T) {
 	allServices := []string{objectName("foo", "service1"), objectName("bar", "service1")}
 	allServiceIDs := buildObjectIDs(allServices)
 
@@ -82,11 +137,16 @@ func TestContinueAfterError(t *testing.T) {
 	allSecrets := []string{objectName("foo", "secret1"), objectName("bar", "secret1")}
 	allSecretIDs := buildObjectIDs(allSecrets)
 
+	allConfigs := []string{objectName("foo", "config1"), objectName("bar", "config1")}
+	allConfigIDs := buildObjectIDs(allConfigs)
+
 	removedServices := []string{}
 	cli := &fakeClient{
+		version:  "1.30",
 		services: allServices,
 		networks: allNetworks,
 		secrets:  allSecrets,
+		configs:  allConfigs,
 
 		serviceRemoveFunc: func(serviceID string) error {
 			removedServices = append(removedServices, serviceID)
@@ -104,4 +164,5 @@ func TestContinueAfterError(t *testing.T) {
 	assert.Equal(t, allServiceIDs, removedServices)
 	assert.Equal(t, allNetworkIDs, cli.removedNetworks)
 	assert.Equal(t, allSecretIDs, cli.removedSecrets)
+	assert.Equal(t, allConfigIDs, cli.removedConfigs)
 }

components/cli/cli/command/stack/services.go

@@ -21,7 +21,7 @@ type servicesOptions struct {
 	namespace string
 }
 
-func newServicesCommand(dockerCli *command.DockerCli) *cobra.Command {
+func newServicesCommand(dockerCli command.Cli) *cobra.Command {
 	options := servicesOptions{filter: opts.NewFilterOpt()}
 
 	cmd := &cobra.Command{
@@ -41,7 +41,7 @@ func newServicesCommand(dockerCli *command.DockerCli) *cobra.Command {
 	return cmd
 }
 
-func runServices(dockerCli *command.DockerCli, options servicesOptions) error {
+func runServices(dockerCli command.Cli, options servicesOptions) error {
 	ctx := context.Background()
 	client := dockerCli.Client()
 
@@ -51,11 +51,9 @@ func runServices(dockerCli *command.DockerCli, options servicesOptions) error {
 		return err
 	}
 
-	out := dockerCli.Out()
-
 	// if no services in this stack, print message and exit 0
 	if len(services) == 0 {
-		fmt.Fprintf(out, "Nothing found in stack: %s\n", options.namespace)
+		fmt.Fprintf(dockerCli.Err(), "Nothing found in stack: %s\n", options.namespace)
 		return nil
 	}
 

components/cli/cli/command/stack/services_test.go

@@ -0,0 +1,182 @@
+package stack
+
+import (
+	"bytes"
+	"io/ioutil"
+	"testing"
+
+	"github.com/docker/cli/cli/config/configfile"
+	"github.com/docker/cli/cli/internal/test"
+	// Import builders to get the builder function as package function
+	. "github.com/docker/cli/cli/internal/test/builders"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/pkg/testutil"
+	"github.com/docker/docker/pkg/testutil/golden"
+	"github.com/pkg/errors"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestStackServicesErrors(t *testing.T) {
+	testCases := []struct {
+		args            []string
+		flags           map[string]string
+		serviceListFunc func(options types.ServiceListOptions) ([]swarm.Service, error)
+		nodeListFunc    func(options types.NodeListOptions) ([]swarm.Node, error)
+		taskListFunc    func(options types.TaskListOptions) ([]swarm.Task, error)
+		expectedError   string
+	}{
+		{
+			args: []string{"foo"},
+			serviceListFunc: func(options types.ServiceListOptions) ([]swarm.Service, error) {
+				return nil, errors.Errorf("error getting services")
+			},
+			expectedError: "error getting services",
+		},
+		{
+			args: []string{"foo"},
+			serviceListFunc: func(options types.ServiceListOptions) ([]swarm.Service, error) {
+				return []swarm.Service{*Service()}, nil
+			},
+			nodeListFunc: func(options types.NodeListOptions) ([]swarm.Node, error) {
+				return nil, errors.Errorf("error getting nodes")
+			},
+			expectedError: "error getting nodes",
+		},
+		{
+			args: []string{"foo"},
+			serviceListFunc: func(options types.ServiceListOptions) ([]swarm.Service, error) {
+				return []swarm.Service{*Service()}, nil
+			},
+			taskListFunc: func(options types.TaskListOptions) ([]swarm.Task, error) {
+				return nil, errors.Errorf("error getting tasks")
+			},
+			expectedError: "error getting tasks",
+		},
+		{
+			args: []string{"foo"},
+			flags: map[string]string{
+				"format": "{{invalid format}}",
+			},
+			serviceListFunc: func(options types.ServiceListOptions) ([]swarm.Service, error) {
+				return []swarm.Service{*Service()}, nil
+			},
+			expectedError: "Template parsing error",
+		},
+	}
+
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{
+			serviceListFunc: tc.serviceListFunc,
+			nodeListFunc:    tc.nodeListFunc,
+			taskListFunc:    tc.taskListFunc,
+		}, &bytes.Buffer{})
+		cli.SetConfigfile(&configfile.ConfigFile{})
+		cmd := newServicesCommand(cli)
+		cmd.SetArgs(tc.args)
+		for key, value := range tc.flags {
+			cmd.Flags().Set(key, value)
+		}
+		cmd.SetOutput(ioutil.Discard)
+		testutil.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestStackServicesEmptyServiceList(t *testing.T) {
+	out := new(bytes.Buffer)
+	stderr := new(bytes.Buffer)
+	fakeCli := test.NewFakeCli(&fakeClient{
+		serviceListFunc: func(options types.ServiceListOptions) ([]swarm.Service, error) {
+			return []swarm.Service{}, nil
+		},
+	}, out)
+	fakeCli.SetErr(stderr)
+	cmd := newServicesCommand(fakeCli)
+	cmd.SetArgs([]string{"foo"})
+	assert.NoError(t, cmd.Execute())
+	assert.Equal(t, "", out.String())
+	assert.Equal(t, "Nothing found in stack: foo\n", stderr.String())
+}
+
+func TestStackServicesWithQuietOption(t *testing.T) {
+	buf := new(bytes.Buffer)
+	cli := test.NewFakeCli(&fakeClient{
+		serviceListFunc: func(options types.ServiceListOptions) ([]swarm.Service, error) {
+			return []swarm.Service{*Service(ServiceID("id-foo"))}, nil
+		},
+	}, buf)
+	cli.SetConfigfile(&configfile.ConfigFile{})
+	cmd := newServicesCommand(cli)
+	cmd.Flags().Set("quiet", "true")
+	cmd.SetArgs([]string{"foo"})
+	assert.NoError(t, cmd.Execute())
+	actual := buf.String()
+	expected := golden.Get(t, []byte(actual), "stack-services-with-quiet-option.golden")
+	testutil.EqualNormalizedString(t, testutil.RemoveSpace, actual, string(expected))
+}
+
+func TestStackServicesWithFormat(t *testing.T) {
+	buf := new(bytes.Buffer)
+	cli := test.NewFakeCli(&fakeClient{
+		serviceListFunc: func(options types.ServiceListOptions) ([]swarm.Service, error) {
+			return []swarm.Service{
+				*Service(ServiceName("service-name-foo")),
+			}, nil
+		},
+	}, buf)
+	cli.SetConfigfile(&configfile.ConfigFile{})
+	cmd := newServicesCommand(cli)
+	cmd.SetArgs([]string{"foo"})
+	cmd.Flags().Set("format", "{{ .Name }}")
+	assert.NoError(t, cmd.Execute())
+	actual := buf.String()
+	expected := golden.Get(t, []byte(actual), "stack-services-with-format.golden")
+	testutil.EqualNormalizedString(t, testutil.RemoveSpace, actual, string(expected))
+}
+
+func TestStackServicesWithConfigFormat(t *testing.T) {
+	buf := new(bytes.Buffer)
+	cli := test.NewFakeCli(&fakeClient{
+		serviceListFunc: func(options types.ServiceListOptions) ([]swarm.Service, error) {
+			return []swarm.Service{
+				*Service(ServiceName("service-name-foo")),
+			}, nil
+		},
+	}, buf)
+	cli.SetConfigfile(&configfile.ConfigFile{
+		ServicesFormat: "{{ .Name }}",
+	})
+	cmd := newServicesCommand(cli)
+	cmd.SetArgs([]string{"foo"})
+	assert.NoError(t, cmd.Execute())
+	actual := buf.String()
+	expected := golden.Get(t, []byte(actual), "stack-services-with-config-format.golden")
+	testutil.EqualNormalizedString(t, testutil.RemoveSpace, actual, string(expected))
+}
+
+func TestStackServicesWithoutFormat(t *testing.T) {
+	buf := new(bytes.Buffer)
+	cli := test.NewFakeCli(&fakeClient{
+		serviceListFunc: func(options types.ServiceListOptions) ([]swarm.Service, error) {
+			return []swarm.Service{*Service(
+				ServiceName("name-foo"),
+				ServiceID("id-foo"),
+				ReplicatedService(2),
+				ServiceImage("busybox:latest"),
+				ServicePort(swarm.PortConfig{
+					PublishMode:   swarm.PortConfigPublishModeIngress,
+					PublishedPort: 0,
+					TargetPort:    3232,
+					Protocol:      swarm.PortConfigProtocolTCP,
+				}),
+			)}, nil
+		},
+	}, buf)
+	cli.SetConfigfile(&configfile.ConfigFile{})
+	cmd := newServicesCommand(cli)
+	cmd.SetArgs([]string{"foo"})
+	assert.NoError(t, cmd.Execute())
+	actual := buf.String()
+	expected := golden.Get(t, []byte(actual), "stack-services-without-format.golden")
+	testutil.EqualNormalizedString(t, testutil.RemoveSpace, actual, string(expected))
+}

components/cli/cli/command/stack/testdata/bundlefile_with_two_services.dab

@@ -0,0 +1,29 @@
+{
+  "Services": {
+    "visualizer": {
+      "Image": "busybox@sha256:32f093055929dbc23dec4d03e09dfe971f5973a9ca5cf059cbfb644c206aa83f",
+      "Networks": [
+        "webnet"
+      ],
+      "Ports": [
+        {
+          "Port": 8080,
+          "Protocol": "tcp"
+        }
+      ]
+    },
+    "web": {
+      "Image": "busybox@sha256:32f093055929dbc23dec4d03e09dfe971f5973a9ca5cf059cbfb644c206aa83f",
+      "Networks": [
+        "webnet"
+      ],
+      "Ports": [
+        {
+          "Port": 80,
+          "Protocol": "tcp"
+        }
+      ]
+    }
+  },
+  "Version": "0.1"
+}

components/cli/cli/command/stack/testdata/stack-list-sort.golden

@@ -0,0 +1,3 @@
+NAME                SERVICES
+service-name-bar    1
+service-name-foo    1

components/cli/cli/command/stack/testdata/stack-list-with-format.golden

@@ -0,0 +1 @@
+service-name-foo

components/cli/cli/command/stack/testdata/stack-list-without-format.golden

@@ -0,0 +1,2 @@
+NAME                SERVICES
+service-name-foo    1

components/cli/cli/command/stack/testdata/stack-ps-with-config-format.golden

@@ -0,0 +1 @@
+service-id-foo.1

components/cli/cli/command/stack/testdata/stack-ps-with-format.golden

@@ -0,0 +1 @@
+service-id-foo.1

components/cli/cli/command/stack/testdata/stack-ps-with-no-resolve-option.golden

@@ -0,0 +1 @@
+id-node-foo

components/cli/cli/command/stack/testdata/stack-ps-with-no-trunc-option.golden

@@ -0,0 +1 @@
+xn4cypcov06f2w8gsbaf2lst3

components/cli/cli/command/stack/testdata/stack-ps-with-quiet-option.golden

@@ -0,0 +1 @@
+id-foo

components/cli/cli/command/stack/testdata/stack-ps-without-format.golden

@@ -0,0 +1,2 @@
+ID                  NAME                IMAGE                     NODE                DESIRED STATE       CURRENT STATE                ERROR                              PORTS
+id-foo service-id-foo.1            myimage:mytag                  node-name-bar     Ready               Failed 2 hours ago

components/cli/cli/command/stack/testdata/stack-services-with-config-format.golden

@@ -0,0 +1 @@
+service-name-foo

components/cli/cli/command/stack/testdata/stack-services-with-format.golden

@@ -0,0 +1 @@
+service-name-foo

components/cli/cli/command/stack/testdata/stack-services-with-quiet-option.golden

@@ -0,0 +1 @@
+id-foo

components/cli/cli/command/stack/testdata/stack-services-without-format.golden

@@ -0,0 +1,2 @@
+ID                  NAME                MODE                REPLICAS            IMAGE               PORTS
+id-foo              name-foo            replicated          0/2                 busybox:latest      *:0->3232/tcp

components/cli/cli/command/swarm/ca.go

@@ -61,6 +61,11 @@ func runRotateCA(dockerCli command.Cli, flags *pflag.FlagSet, opts caOptions) er
 	}
 
 	if !opts.rotate {
+		for _, f := range []string{flagCACert, flagCAKey, flagCertExpiry, flagExternalCA} {
+			if flags.Changed(f) {
+				return fmt.Errorf("`--%s` flag requires the `--rotate` flag to update the CA", f)
+			}
+		}
 		if swarmInspect.ClusterInfo.TLSInfo.TrustRoot == "" {
 			fmt.Fprintln(dockerCli.Out(), "No CA information available")
 		} else {
@@ -71,7 +76,7 @@ func runRotateCA(dockerCli command.Cli, flags *pflag.FlagSet, opts caOptions) er
 
 	genRootCA := true
 	spec := &swarmInspect.Spec
-	opts.mergeSwarmSpec(spec, flags)
+	opts.mergeSwarmSpec(spec, flags) // updates the spec given the cert expiry or external CA flag
 	if flags.Changed(flagCACert) {
 		spec.CAConfig.SigningCACert = opts.rootCACert.Contents()
 		genRootCA = false

components/cli/cli/command/system/prune.go

@@ -1,7 +1,9 @@
 package system
 
 import (
+	"bytes"
 	"fmt"
+	"text/template"
 
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
@@ -12,9 +14,10 @@ import (
 )
 
 type pruneOptions struct {
-	force  bool
-	all    bool
-	filter opts.FilterOpt
+	force        bool
+	all          bool
+	pruneVolumes bool
+	filter       opts.FilterOpt
 }
 
 // NewPruneCommand creates a new cobra.Command for `docker prune`
@@ -34,6 +37,7 @@ func NewPruneCommand(dockerCli command.Cli) *cobra.Command {
 	flags := cmd.Flags()
 	flags.BoolVarP(&options.force, "force", "f", false, "Do not prompt for confirmation")
 	flags.BoolVarP(&options.all, "all", "a", false, "Remove all unused images not just dangling ones")
+	flags.BoolVar(&options.pruneVolumes, "volumes", false, "Prune volumes")
 	flags.Var(&options.filter, "filter", "Provide filter values (e.g. 'label=<key>=<value>')")
 	// "filter" flag is available in 1.28 (docker 17.04) and up
 	flags.SetAnnotation("filter", "version", []string{"1.28"})
@@ -41,38 +45,31 @@ func NewPruneCommand(dockerCli command.Cli) *cobra.Command {
 	return cmd
 }
 
-const (
-	warning = `WARNING! This will remove:
-	- all stopped containers
-	- all volumes not used by at least one container
-	- all networks not used by at least one container
-	%s
+const confirmationTemplate = `WARNING! This will remove:
+{{- range $_, $warning := . }}
+        - {{ $warning }}
+{{- end }}
 Are you sure you want to continue?`
 
-	danglingImageDesc = "- all dangling images"
-	allImageDesc      = `- all images without at least one container associated to them`
-)
-
 func runPrune(dockerCli command.Cli, options pruneOptions) error {
-	var message string
-
-	if options.all {
-		message = fmt.Sprintf(warning, allImageDesc)
-	} else {
-		message = fmt.Sprintf(warning, danglingImageDesc)
+	// TODO version this once "until" filter is supported for volumes
+	if options.pruneVolumes && options.filter.Value().Include("until") {
+		return fmt.Errorf(`ERROR: The "until" filter is not supported with "--volumes"`)
 	}
-
-	if !options.force && !command.PromptForConfirmation(dockerCli.In(), dockerCli.Out(), message) {
+	if !options.force && !command.PromptForConfirmation(dockerCli.In(), dockerCli.Out(), confirmationMessage(options)) {
 		return nil
 	}
 
 	var spaceReclaimed uint64
-
-	for _, pruneFn := range []func(dockerCli command.Cli, filter opts.FilterOpt) (uint64, string, error){
+	pruneFuncs := []func(dockerCli command.Cli, filter opts.FilterOpt) (uint64, string, error){
 		prune.RunContainerPrune,
-		prune.RunVolumePrune,
 		prune.RunNetworkPrune,
-	} {
+	}
+	if options.pruneVolumes {
+		pruneFuncs = append(pruneFuncs, prune.RunVolumePrune)
+	}
+
+	for _, pruneFn := range pruneFuncs {
 		spc, output, err := pruneFn(dockerCli, options.filter)
 		if err != nil {
 			return err
@@ -96,3 +93,26 @@ func runPrune(dockerCli command.Cli, options pruneOptions) error {
 
 	return nil
 }
+
+// confirmationMessage constructs a confirmation message that depends on the cli options.
+func confirmationMessage(options pruneOptions) string {
+	t := template.Must(template.New("confirmation message").Parse(confirmationTemplate))
+
+	warnings := []string{
+		"all stopped containers",
+		"all networks not used by at least one container",
+	}
+	if options.pruneVolumes {
+		warnings = append(warnings, "all volumes not used by at least one container")
+	}
+	if options.all {
+		warnings = append(warnings, "all images without at least one container associated to them")
+	} else {
+		warnings = append(warnings, "all dangling images")
+	}
+	warnings = append(warnings, "all build cache")
+
+	var buffer bytes.Buffer
+	t.Execute(&buffer, &warnings)
+	return buffer.String()
+}

components/cli/cli/compose/convert/service.go

@@ -18,7 +18,11 @@ import (
 	"github.com/pkg/errors"
 )
 
-const defaultNetwork = "default"
+const (
+	defaultNetwork = "default"
+	// LabelImage is the label used to store image name provided in the compose file
+	LabelImage = "com.docker.stack.image"
+)
 
 // Services from compose-file types to engine API types
 func Services(
@@ -141,6 +145,7 @@ func convertService(
 				TTY:             service.Tty,
 				OpenStdin:       service.StdinOpen,
 				Secrets:         secrets,
+				Configs:         configs,
 				ReadOnly:        service.ReadOnly,
 				Privileges:      &privileges,
 			},
@@ -157,6 +162,9 @@ func convertService(
 		UpdateConfig: convertUpdateConfig(service.Deploy.UpdateConfig),
 	}
 
+	// add an image label to serviceSpec
+	serviceSpec.Labels[LabelImage] = service.Image
+
 	// ServiceSpec.Networks is deprecated and should not have been used by
 	// this package. It is possible to update TaskTemplate.Networks, but it
 	// is not possible to update ServiceSpec.Networks. Unfortunately, we
@@ -222,10 +230,16 @@ func convertServiceNetworks(
 		if networkConfig.External.External {
 			target = networkConfig.External.Name
 		}
-		nets = append(nets, swarm.NetworkAttachmentConfig{
+		netAttachConfig := swarm.NetworkAttachmentConfig{
 			Target:  target,
-			Aliases: append(aliases, name),
-		})
+			Aliases: aliases,
+		}
+		// Only add default aliases to user defined networks. Other networks do
+		// not support aliases.
+		if container.NetworkMode(target).IsUserDefined() {
+			netAttachConfig.Aliases = append(netAttachConfig.Aliases, name)
+		}
+		nets = append(nets, netAttachConfig)
 	}
 
 	sort.Sort(byNetworkTarget(nets))

components/cli/cli/compose/loader/loader.go

@@ -3,6 +3,7 @@ package loader
 import (
 	"fmt"
 	"path"
+	"path/filepath"
 	"reflect"
 	"sort"
 	"strings"
@@ -371,7 +372,16 @@ func resolveVolumePaths(volumes []types.ServiceVolumeConfig, workingDir string,
 			continue
 		}
 
-		volume.Source = absPath(workingDir, expandUser(volume.Source, lookupEnv))
+		filePath := expandUser(volume.Source, lookupEnv)
+		// Check for a Unix absolute path first, to handle a Windows client
+		// with a Unix daemon. This handles a Windows client connecting to a
+		// Unix daemon. Note that this is not required for Docker for Windows
+		// when specifying a local Windows path, because Docker for Windows
+		// translates the Windows path into a valid path within the VM.
+		if !path.IsAbs(filePath) {
+			filePath = absPath(workingDir, filePath)
+		}
+		volume.Source = filePath
 		volumes[i] = volume
 	}
 }
@@ -492,11 +502,11 @@ func LoadConfigObjs(source map[string]interface{}, workingDir string) (map[strin
 	return configs, nil
 }
 
-func absPath(workingDir string, filepath string) string {
-	if path.IsAbs(filepath) {
-		return filepath
+func absPath(workingDir string, filePath string) string {
+	if filepath.IsAbs(filePath) {
+		return filePath
 	}
-	return path.Join(workingDir, filepath)
+	return filepath.Join(workingDir, filePath)
 }
 
 func transformMapStringString(data interface{}) (interface{}, error) {

components/cli/cli/internal/test/builders/service.go

@@ -14,6 +14,7 @@ func Service(builders ...func(*swarm.Service)) *swarm.Service {
 			Annotations: swarm.Annotations{
 				Name: "defaultServiceName",
 			},
+			EndpointSpec: &swarm.EndpointSpec{},
 		},
 	}
 
@@ -24,9 +25,44 @@ func Service(builders ...func(*swarm.Service)) *swarm.Service {
 	return service
 }
 
+// ServiceID sets the service ID
+func ServiceID(ID string) func(*swarm.Service) {
+	return func(service *swarm.Service) {
+		service.ID = ID
+	}
+}
+
 // ServiceName sets the service name
 func ServiceName(name string) func(*swarm.Service) {
 	return func(service *swarm.Service) {
 		service.Spec.Annotations.Name = name
 	}
 }
+
+// ServiceLabels sets the service's labels
+func ServiceLabels(labels map[string]string) func(*swarm.Service) {
+	return func(service *swarm.Service) {
+		service.Spec.Annotations.Labels = labels
+	}
+}
+
+// ReplicatedService sets the number of replicas for the service
+func ReplicatedService(replicas uint64) func(*swarm.Service) {
+	return func(service *swarm.Service) {
+		service.Spec.Mode = swarm.ServiceMode{Replicated: &swarm.ReplicatedService{Replicas: &replicas}}
+	}
+}
+
+// ServiceImage sets the service's image
+func ServiceImage(image string) func(*swarm.Service) {
+	return func(service *swarm.Service) {
+		service.Spec.TaskTemplate = swarm.TaskSpec{ContainerSpec: swarm.ContainerSpec{Image: image}}
+	}
+}
+
+// ServicePort sets the service's port
+func ServicePort(port swarm.PortConfig) func(*swarm.Service) {
+	return func(service *swarm.Service) {
+		service.Spec.EndpointSpec.Ports = append(service.Spec.EndpointSpec.Ports, port)
+	}
+}

components/cli/cli/internal/test/builders/task.go

@@ -42,13 +42,34 @@ func TaskID(id string) func(*swarm.Task) {
 	}
 }
 
-// ServiceID sets the task service's ID
-func ServiceID(id string) func(*swarm.Task) {
+// TaskName sets the task name
+func TaskName(name string) func(*swarm.Task) {
+	return func(task *swarm.Task) {
+		task.Annotations.Name = name
+	}
+}
+
+// TaskServiceID sets the task service's ID
+func TaskServiceID(id string) func(*swarm.Task) {
 	return func(task *swarm.Task) {
 		task.ServiceID = id
 	}
 }
 
+// TaskNodeID sets the task's node id
+func TaskNodeID(id string) func(*swarm.Task) {
+	return func(task *swarm.Task) {
+		task.NodeID = id
+	}
+}
+
+// TaskDesiredState sets the task's desired state
+func TaskDesiredState(state swarm.TaskState) func(*swarm.Task) {
+	return func(task *swarm.Task) {
+		task.DesiredState = state
+	}
+}
+
 // WithStatus sets the task status
 func WithStatus(statusBuilders ...func(*swarm.TaskStatus)) func(*swarm.Task) {
 	return func(task *swarm.Task) {
@@ -86,6 +107,13 @@ func StatusErr(err string) func(*swarm.TaskStatus) {
 	}
 }
 
+// TaskState sets the task's current state
+func TaskState(state swarm.TaskState) func(*swarm.TaskStatus) {
+	return func(taskStatus *swarm.TaskStatus) {
+		taskStatus.State = state
+	}
+}
+
 // PortStatus sets the tasks port config status
 // FIXME(vdemeester) should be a sub builder 👼
 func PortStatus(portConfigs []swarm.PortConfig) func(*swarm.TaskStatus) {
@@ -94,6 +122,13 @@ func PortStatus(portConfigs []swarm.PortConfig) func(*swarm.TaskStatus) {
 	}
 }
 
+// WithTaskSpec sets the task spec
+func WithTaskSpec(specBuilders ...func(*swarm.TaskSpec)) func(*swarm.Task) {
+	return func(task *swarm.Task) {
+		task.Spec = *TaskSpec(specBuilders...)
+	}
+}
+
 // TaskSpec creates a task spec with default values .
 // Any number of taskSpec function builder can be pass to augment it.
 func TaskSpec(specBuilders ...func(*swarm.TaskSpec)) *swarm.TaskSpec {
@@ -109,3 +144,10 @@ func TaskSpec(specBuilders ...func(*swarm.TaskSpec)) *swarm.TaskSpec {
 
 	return taskSpec
 }
+
+// TaskImage sets the task's image
+func TaskImage(image string) func(*swarm.TaskSpec) {
+	return func(taskSpec *swarm.TaskSpec) {
+		taskSpec.ContainerSpec.Image = image
+	}
+}

components/cli/cli/internal/test/network/client.go

@@ -0,0 +1,56 @@
+package network
+
+import (
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/network"
+	"golang.org/x/net/context"
+)
+
+// FakeClient is a fake NetworkAPIClient
+type FakeClient struct {
+	NetworkInspectFunc func(ctx context.Context, networkID string, verbose bool) (types.NetworkResource, error)
+}
+
+// NetworkConnect fakes connecting to a network
+func (c *FakeClient) NetworkConnect(ctx context.Context, networkID, container string, config *network.EndpointSettings) error {
+	return nil
+}
+
+// NetworkCreate fakes creating a network
+func (c *FakeClient) NetworkCreate(ctx context.Context, name string, options types.NetworkCreate) (types.NetworkCreateResponse, error) {
+	return types.NetworkCreateResponse{}, nil
+}
+
+// NetworkDisconnect fakes disconencting from a network
+func (c *FakeClient) NetworkDisconnect(ctx context.Context, networkID, container string, force bool) error {
+	return nil
+}
+
+// NetworkInspect fakes inspecting a network
+func (c *FakeClient) NetworkInspect(ctx context.Context, networkID string, verbose bool) (types.NetworkResource, error) {
+	if c.NetworkInspectFunc != nil {
+		return c.NetworkInspectFunc(ctx, networkID, verbose)
+	}
+	return types.NetworkResource{}, nil
+}
+
+// NetworkInspectWithRaw fakes inspecting a network with a raw response
+func (c *FakeClient) NetworkInspectWithRaw(ctx context.Context, networkID string, verbose bool) (types.NetworkResource, []byte, error) {
+	return types.NetworkResource{}, nil, nil
+}
+
+// NetworkList fakes listing networks
+func (c *FakeClient) NetworkList(ctx context.Context, options types.NetworkListOptions) ([]types.NetworkResource, error) {
+	return nil, nil
+}
+
+// NetworkRemove fakes removing networks
+func (c *FakeClient) NetworkRemove(ctx context.Context, networkID string) error {
+	return nil
+}
+
+// NetworksPrune fakes pruning networks
+func (c *FakeClient) NetworksPrune(ctx context.Context, pruneFilter filters.Args) (types.NetworksPruneReport, error) {
+	return types.NetworksPruneReport{}, nil
+}

components/cli/contrib/completion/bash/docker

@@ -20,6 +20,7 @@
 # For several commands, the amount of completions can be configured by
 # setting environment variables.
 #
+# DOCKER_COMPLETION_SHOW_CONFIG_IDS
 # DOCKER_COMPLETION_SHOW_CONTAINER_IDS
 # DOCKER_COMPLETION_SHOW_NETWORK_IDS
 # DOCKER_COMPLETION_SHOW_NODE_IDS
@@ -61,6 +62,42 @@ __docker_q() {
 	docker ${host:+-H "$host"} ${config:+--config "$config"} 2>/dev/null "$@"
 }
 
+# __docker_configs returns a list of configs. Additional options to
+# `docker config ls` may be specified in order to filter the list, e.g.
+# `__docker_configs --filter label=stage=production`.
+# By default, only names are returned.
+# Set DOCKER_COMPLETION_SHOW_CONFIG_IDS=yes to also complete IDs.
+# An optional first option `--id|--name` may be used to limit the
+# output to the IDs or names of matching items. This setting takes
+# precedence over the environment setting.
+__docker_configs() {
+	local format
+	if [ "$1" = "--id" ] ; then
+		format='{{.ID}}'
+		shift
+	elif [ "$1" = "--name" ] ; then
+		format='{{.Name}}'
+		shift
+	elif [ "$DOCKER_COMPLETION_SHOW_CONFIG_IDS" = yes ] ; then
+		format='{{.ID}} {{.Name}}'
+	else
+		format='{{.Name}}'
+	fi
+
+	__docker_q config ls --format "$format" "$@"
+}
+
+# __docker_complete_configs applies completion of configs based on the current value
+# of `$cur` or the value of the optional first option `--cur`, if given.
+__docker_complete_configs() {
+	local current="$cur"
+	if [ "$1" = "--cur" ] ; then
+		current="$2"
+		shift 2
+	fi
+	COMPREPLY=( $(compgen -W "$(__docker_configs "$@")" -- "$current") )
+}
+
 # __docker_containers returns a list of containers. Additional options to
 # `docker ps` may be specified in order to filter the list, e.g.
 # `__docker_containers --filter status=running`
@@ -754,7 +791,7 @@ __docker_complete_log_options() {
 	local common_options2="env env-regex labels"
 
 	# awslogs does not implement the $common_options2.
-	local awslogs_options="$common_options1 awslogs-create-group awslogs-group awslogs-region awslogs-stream tag"
+	local awslogs_options="$common_options1 awslogs-create-group awslogs-datetime-format awslogs-group awslogs-multiline-pattern awslogs-region awslogs-stream tag"
 
 	local fluentd_options="$common_options1 $common_options2 fluentd-address fluentd-async-connect fluentd-buffer-limit fluentd-retry-wait fluentd-max-retries tag"
 	local gcplogs_options="$common_options1 $common_options2 gcp-log-cmd gcp-meta-id gcp-meta-name gcp-meta-zone gcp-project"
@@ -1074,6 +1111,117 @@ _docker_checkpoint_rm() {
 }
 
 
+_docker_config() {
+	local subcommands="
+		create
+		inspect
+		ls
+		rm
+	"
+	local aliases="
+		list
+		remove
+	"
+	__docker_subcommands "$subcommands $aliases" && return
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help" -- "$cur" ) )
+			;;
+		*)
+			COMPREPLY=( $( compgen -W "$subcommands" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_config_create() {
+	case "$prev" in
+		--label|-l)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help --label -l" -- "$cur" ) )
+			;;
+		*)
+			local counter=$(__docker_pos_first_nonflag '--label|-l')
+			if [ $cword -eq $((counter + 1)) ]; then
+				_filedir
+			fi
+			;;
+	esac
+}
+
+_docker_config_inspect() {
+	case "$prev" in
+		--format|-f)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--format -f --help --pretty" -- "$cur" ) )
+			;;
+		*)
+			__docker_complete_configs
+			;;
+	esac
+}
+
+_docker_config_list() {
+	_docker_config_ls
+}
+
+_docker_config_ls() {
+	local key=$(__docker_map_key_of_current_option '--filter|-f')
+	case "$key" in
+		id)
+			__docker_complete_configs --cur "${cur##*=}" --id
+			return
+			;;
+		name)
+			__docker_complete_configs --cur "${cur##*=}" --name
+			return
+			;;
+	esac
+
+	case "$prev" in
+		--filter|-f)
+			COMPREPLY=( $( compgen -S = -W "id label name" -- "$cur" ) )
+			__docker_nospace
+			return
+			;;
+		--format)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--format --filter -f --help --quiet -q" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_config_remove() {
+	_docker_config_rm
+}
+
+_docker_config_rm() {
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help" -- "$cur" ) )
+			;;
+		*)
+			__docker_complete_configs
+			;;
+	esac
+}
+
+
 _docker_container() {
 	local subcommands="
 		attach
@@ -1413,7 +1561,7 @@ _docker_container_port() {
 _docker_container_prune() {
 	case "$prev" in
 		--filter)
-			COMPREPLY=( $( compgen -W "until" -S = -- "$cur" ) )
+			COMPREPLY=( $( compgen -W "label label! until" -S = -- "$cur" ) )
 			__docker_nospace
 			return
 			;;
@@ -2221,6 +2369,7 @@ _docker_image_build() {
 		--cpu-period
 		--cpu-quota
 		--file -f
+		--iidfile
 		--label
 		--memory -m
 		--memory-swap
@@ -2265,7 +2414,7 @@ _docker_image_build() {
 			__docker_complete_image_repos_and_tags
 			return
 			;;
-		--file|-f)
+		--file|-f|--iidfile)
 			_filedir
 			return
 			;;
@@ -2428,7 +2577,7 @@ _docker_image_ls() {
 _docker_image_prune() {
 	case "$prev" in
 		--filter)
-			COMPREPLY=( $( compgen -W "until" -S = -- "$cur" ) )
+			COMPREPLY=( $( compgen -W "label label! until" -S = -- "$cur" ) )
 			__docker_nospace
 			return
 			;;
@@ -2704,11 +2853,11 @@ _docker_network_connect() {
 
 _docker_network_create() {
 	case "$prev" in
-		--aux-address|--gateway|--internal|--ip-range|--ipam-opt|--ipv6|--opt|-o|--subnet)
+		--aux-address|--gateway|--ip-range|--ipam-opt|--ipv6|--opt|-o|--subnet)
 			return
 			;;
-		--ipam-driver)
-			COMPREPLY=( $( compgen -W "default" -- "$cur" ) )
+		--config-from)
+			__docker_complete_networks
 			return
 			;;
 		--driver|-d)
@@ -2716,14 +2865,22 @@ _docker_network_create() {
 			__docker_complete_plugins_bundled --type Network --remove host --remove null --add macvlan
 			return
 			;;
+		--ipam-driver)
+			COMPREPLY=( $( compgen -W "default" -- "$cur" ) )
+			return
+			;;
 		--label)
 			return
 			;;
+		--scope)
+			COMPREPLY=( $( compgen -W "local swarm" -- "$cur" ) )
+			return
+			;;
 	esac
 
 	case "$cur" in
 		-*)
-			COMPREPLY=( $( compgen -W "--attachable --aux-address --driver -d --gateway --help --internal --ip-range --ipam-driver --ipam-opt --ipv6 --label --opt -o --subnet" -- "$cur" ) )
+			COMPREPLY=( $( compgen -W "--attachable --aux-address --config-from --config-only --driver -d --gateway --help --ingress --internal --ip-range --ipam-driver --ipam-opt --ipv6 --label --opt -o --scope --subnet" -- "$cur" ) )
 			;;
 	esac
 }
@@ -2806,7 +2963,7 @@ _docker_network_ls() {
 _docker_network_prune() {
 	case "$prev" in
 		--filter)
-			COMPREPLY=( $( compgen -W "until" -S = -- "$cur" ) )
+			COMPREPLY=( $( compgen -W "label label! until" -S = -- "$cur" ) )
 			__docker_nospace
 			return
 			;;
@@ -3038,7 +3195,9 @@ _docker_service_update() {
 # and `docker service update`
 _docker_service_update_and_create() {
 	local options_with_args="
+		--credential-spec
 		--endpoint-mode
+		--entrypoint
 		--env -e
 		--force
 		--health-cmd
@@ -3053,7 +3212,6 @@ _docker_service_update_and_create() {
 		--log-driver
 		--log-opt
 		--mount
-		--network
 		--replicas
 		--reserve-cpu
 		--reserve-memory
@@ -3065,6 +3223,7 @@ _docker_service_update_and_create() {
 		--rollback-failure-action
 		--rollback-max-failure-ratio
 		--rollback-monitor
+		--rollback-order
 		--rollback-parallelism
 		--stop-grace-period
 		--stop-signal
@@ -3072,12 +3231,14 @@ _docker_service_update_and_create() {
 		--update-failure-action
 		--update-max-failure-ratio
 		--update-monitor
+		--update-order
 		--update-parallelism
 		--user -u
 		--workdir -w
 	"
 
 	local boolean_options="
+		--detach=false -d=false
 		--help
 		--no-healthcheck
 		--read-only
@@ -3089,6 +3250,7 @@ _docker_service_update_and_create() {
 
 	if [ "$subcommand" = "create" ] ; then
 		options_with_args="$options_with_args
+			--config
 			--constraint
 			--container-label
 			--dns
@@ -3099,12 +3261,17 @@ _docker_service_update_and_create() {
 			--host
 			--mode
 			--name
+			--network
 			--placement-pref
 			--publish -p
 			--secret
 		"
 
 		case "$prev" in
+			--config)
+				__docker_complete_configs
+				return
+				;;
 			--env-file)
 				_filedir
 				return
@@ -3138,7 +3305,9 @@ _docker_service_update_and_create() {
 	fi
 	if [ "$subcommand" = "update" ] ; then
 		options_with_args="$options_with_args
-			--arg
+			--args
+			--config-add
+			--config-rm
 			--constraint-add
 			--constraint-rm
 			--container-label-add
@@ -3154,6 +3323,8 @@ _docker_service_update_and_create() {
 			--host-add
 			--host-rm
 			--image
+			--network-add
+			--network-rm
 			--placement-pref-add
 			--placement-pref-rm
 			--publish-add
@@ -3164,6 +3335,10 @@ _docker_service_update_and_create() {
 		"
 
 		case "$prev" in
+			--config-add|--config-rm)
+				__docker_complete_configs
+				return
+				;;
 			--group-add|--group-rm)
 				COMPREPLY=( $(compgen -g -- "$cur") )
 				return
@@ -3180,6 +3355,10 @@ _docker_service_update_and_create() {
 				__docker_complete_image_repos_and_tags
 				return
 				;;
+			--network-add|--network-rm)
+				__docker_complete_networks
+				return
+				;;
 			--placement-pref-add|--placement-pref-rm)
 				COMPREPLY=( $( compgen -W "spread" -S = -- "$cur" ) )
 				__docker_nospace
@@ -3240,6 +3419,10 @@ _docker_service_update_and_create() {
 			COMPREPLY=( $( compgen -W "continue pause rollback" -- "$cur" ) )
 			return
 			;;
+		--update-order|--rollback-order)
+			COMPREPLY=( $( compgen -W "start-first stop-first" -- "$cur" ) )
+			return
+			;;
 		--user|-u)
 			__docker_complete_user_group
 			return
@@ -3270,6 +3453,7 @@ _docker_service_update_and_create() {
 
 _docker_swarm() {
 	local subcommands="
+		ca
 		init
 		join
 		join-token
@@ -3290,6 +3474,24 @@ _docker_swarm() {
 	esac
 }
 
+_docker_swarm_ca() {
+	case "$prev" in
+		--ca-cert|--ca-key)
+			_filedir
+			return
+			;;
+		--cert-expiry|--external-ca)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--ca-cert --ca-key --cert-expiry --detach -d --external-ca --help --quiet -q --rotate" -- "$cur" ) )
+			;;
+	esac
+}
+
 _docker_swarm_init() {
 	case "$prev" in
 		--advertise-addr)
@@ -3308,6 +3510,10 @@ _docker_swarm_init() {
 		--cert-expiry|--dispatcher-heartbeat|--external-ca|--max-snapshots|--snapshot-interval|--task-history-limit)
 			return
 			;;
+		--data-path-addr)
+			__docker_complete_local_interfaces
+			return
+			;;
 		--listen-addr)
 			if [[ $cur == *: ]] ; then
 				COMPREPLY=( $( compgen -W "2377" -- "${cur##*:}" ) )
@@ -3321,7 +3527,7 @@ _docker_swarm_init() {
 
 	case "$cur" in
 		-*)
-			COMPREPLY=( $( compgen -W "--advertise-addr --data-path-addr --autolock --availability --cert-expiry --dispatcher-heartbeat --external-ca --force-new-cluster --help --listen-addr --max-snapshots --snapshot-interval --task-history-limit" -- "$cur" ) )
+			COMPREPLY=( $( compgen -W "--advertise-addr --autolock --availability --cert-expiry --data-path-addr --dispatcher-heartbeat --external-ca --force-new-cluster --help --listen-addr --max-snapshots --snapshot-interval --task-history-limit" -- "$cur" ) )
 			;;
 	esac
 }
@@ -3337,6 +3543,14 @@ _docker_swarm_join() {
 			fi
 			return
 			;;
+		--availability)
+			COMPREPLY=( $( compgen -W "active drain pause" -- "$cur" ) )
+			return
+			;;
+		--data-path-addr)
+			__docker_complete_local_interfaces
+			return
+			;;
 		--listen-addr)
 			if [[ $cur == *: ]] ; then
 				COMPREPLY=( $( compgen -W "2377" -- "${cur##*:}" ) )
@@ -3346,10 +3560,6 @@ _docker_swarm_join() {
 			fi
 			return
 			;;
-		--availability)
-			COMPREPLY=( $( compgen -W "active drain pause" -- "$cur" ) )
-			return
-			;;
 		--token)
 			return
 			;;
@@ -3357,7 +3567,7 @@ _docker_swarm_join() {
 
 	case "$cur" in
 		-*)
-			COMPREPLY=( $( compgen -W "--advertise-addr --data-path-addr --availability --help --listen-addr --token" -- "$cur" ) )
+			COMPREPLY=( $( compgen -W "--advertise-addr --availability --data-path-addr --help --listen-addr --token" -- "$cur" ) )
 			;;
 		*:)
 			COMPREPLY=( $( compgen -W "2377" -- "${cur##*:}" ) )
@@ -3721,7 +3931,7 @@ _docker_plugin_ls() {
 	local key=$(__docker_map_key_of_current_option '--filter|-f')
 	case "$key" in
 		capability)
-			COMPREPLY=( $( compgen -W "authz ipamdriver networkdriver volumedriver" -- "${cur##*=}" ) )
+			COMPREPLY=( $( compgen -W "authz ipamdriver logdriver metricscollector networkdriver volumedriver" -- "${cur##*=}" ) )
 			return
 			;;
 		enabled)
@@ -3898,7 +4108,7 @@ _docker_secret_inspect() {
 
 	case "$cur" in
 		-*)
-			COMPREPLY=( $( compgen -W "--format -f --help" -- "$cur" ) )
+			COMPREPLY=( $( compgen -W "--format -f --help --pretty" -- "$cur" ) )
 			;;
 		*)
 			__docker_complete_secrets
@@ -3942,6 +4152,10 @@ _docker_secret_ls() {
 }
 
 _docker_secret_remove() {
+	_docker_secret_rm
+}
+
+_docker_secret_rm() {
 	case "$cur" in
 		-*)
 			COMPREPLY=( $( compgen -W "--help" -- "$cur" ) )
@@ -3952,10 +4166,6 @@ _docker_secret_remove() {
 	esac
 }
 
-_docker_secret_rm() {
-	_docker_secret_remove
-}
-
 
 
 _docker_search() {
@@ -4230,13 +4440,16 @@ _docker_system_events() {
 				destroy
 				detach
 				die
+				disable
 				disconnect
+				enable
 				exec_create
 				exec_detach
 				exec_start
 				export
 				health_status
 				import
+				install
 				kill
 				load
 				mount
@@ -4245,6 +4458,7 @@ _docker_system_events() {
 				pull
 				push
 				reload
+				remove
 				rename
 				resize
 				restart
@@ -4270,7 +4484,7 @@ _docker_system_events() {
 			return
 			;;
 		type)
-			COMPREPLY=( $( compgen -W "container daemon image network volume" -- "${cur##*=}" ) )
+			COMPREPLY=( $( compgen -W "container daemon image network plugin volume" -- "${cur##*=}" ) )
 			return
 			;;
 		volume)
@@ -4314,7 +4528,7 @@ _docker_system_info() {
 _docker_system_prune() {
 	case "$prev" in
 		--filter)
-			COMPREPLY=( $( compgen -W "until" -S = -- "$cur" ) )
+			COMPREPLY=( $( compgen -W "label label! until" -S = -- "$cur" ) )
 			__docker_nospace
 			return
 			;;
@@ -4322,7 +4536,7 @@ _docker_system_prune() {
 
 	case "$cur" in
 		-*)
-			COMPREPLY=( $( compgen -W "--all -a --force -f --filter --help" -- "$cur" ) )
+			COMPREPLY=( $( compgen -W "--all -a --force -f --filter --help --volumes" -- "$cur" ) )
 			;;
 	esac
 }
@@ -4433,9 +4647,17 @@ _docker_volume_ls() {
 }
 
 _docker_volume_prune() {
+	case "$prev" in
+		--filter)
+			COMPREPLY=( $( compgen -W "label label!" -S = -- "$cur" ) )
+			__docker_nospace
+			return
+			;;
+	esac
+
 	case "$cur" in
 		-*)
-			COMPREPLY=( $( compgen -W "--force -f --help" -- "$cur" ) )
+			COMPREPLY=( $( compgen -W "--filter --force -f --help" -- "$cur" ) )
 			;;
 	esac
 }
@@ -4488,6 +4710,7 @@ _docker() {
 	shopt -s extglob
 
 	local management_commands=(
+		config
 		container
 		image
 		network

components/cli/contrib/completion/zsh/_docker

@@ -221,18 +221,19 @@ __docker_get_log_options() {
 
     integer ret=1
     local log_driver=${opt_args[--log-driver]:-"all"}
-    local -a common_options awslogs_options fluentd_options gelf_options journald_options json_file_options logentries_options syslog_options splunk_options
+    local -a common_options common_options2 awslogs_options fluentd_options gelf_options journald_options json_file_options logentries_options syslog_options splunk_options
 
     common_options=("max-buffer-size" "mode")
-    awslogs_options=($common_options "awslogs-region" "awslogs-group" "awslogs-stream" "awslogs-create-group")
-    fluentd_options=($common_options "env" "fluentd-address" "fluentd-async-connect" "fluentd-buffer-limit" "fluentd-retry-wait" "fluentd-max-retries" "labels" "tag")
-    gcplogs_options=($common_options "env" "gcp-log-cmd" "gcp-project" "labels")
-    gelf_options=($common_options "env" "gelf-address" "gelf-compression-level" "gelf-compression-type" "labels" "tag")
-    journald_options=($common_options "env" "labels" "tag")
-    json_file_options=($common_options "env" "labels" "max-file" "max-size")
-    logentries_options=($common_options "logentries-token")
-    syslog_options=($common_options "env" "labels" "syslog-address" "syslog-facility" "syslog-format" "syslog-tls-ca-cert" "syslog-tls-cert" "syslog-tls-key" "syslog-tls-skip-verify" "tag")
-    splunk_options=($common_options "env" "labels" "splunk-caname" "splunk-capath" "splunk-format" "splunk-gzip" "splunk-gzip-level" "splunk-index" "splunk-insecureskipverify" "splunk-source" "splunk-sourcetype" "splunk-token" "splunk-url" "splunk-verify-connection" "tag")
+    common_options2=("env" "env-regex" "labels")
+    awslogs_options=($common_options "awslogs-create-group" "awslogs-datetime-format" "awslogs-group" "awslogs-multiline-pattern" "awslogs-region" "awslogs-stream" "tag")
+    fluentd_options=($common_options $common_options2 "fluentd-address" "fluentd-async-connect" "fluentd-buffer-limit" "fluentd-retry-wait" "fluentd-max-retries" "tag")
+    gcplogs_options=($common_options $common_options2 "gcp-log-cmd" "gcp-meta-id" "gcp-meta-name" "gcp-meta-zone" "gcp-project")
+    gelf_options=($common_options $common_options2 "gelf-address" "gelf-compression-level" "gelf-compression-type" "tag")
+    journald_options=($common_options $common_options2 "tag")
+    json_file_options=($common_options $common_options2 "max-file" "max-size")
+    logentries_options=($common_options $common_options2 "logentries-token" "tag")
+    syslog_options=($common_options $common_options2 "syslog-address" "syslog-facility" "syslog-format" "syslog-tls-ca-cert" "syslog-tls-cert" "syslog-tls-key" "syslog-tls-skip-verify" "tag")
+    splunk_options=($common_options $common_options2 "splunk-caname" "splunk-capath" "splunk-format" "splunk-gzip" "splunk-gzip-level" "splunk-index" "splunk-insecureskipverify" "splunk-source" "splunk-sourcetype" "splunk-token" "splunk-url" "splunk-verify-connection" "tag")
 
     [[ $log_driver = (awslogs|all) ]] && _describe -t awslogs-options "awslogs options" awslogs_options "$@" && ret=0
     [[ $log_driver = (fluentd|all) ]] && _describe -t fluentd-options "fluentd options" fluentd_options "$@" && ret=0
@@ -1960,7 +1961,6 @@ __docker_service_subcommand() {
         "($help)*--mount=[Attach a filesystem mount to the service]:mount: "
         "($help)*--network=[Network attachments]:network: "
         "($help)--no-healthcheck[Disable any container-specified HEALTHCHECK]"
-        "($help)*"{-p=,--publish=}"[Publish a port as a node port]:port: "
         "($help)--read-only[Mount the container's root filesystem as read only]"
         "($help)--replicas=[Number of tasks]:replicas: "
         "($help)--reserve-cpu=[Reserve CPUs]:value: "
@@ -2001,7 +2001,7 @@ __docker_service_subcommand() {
                 "($help)--mode=[Service Mode]:mode:(global replicated)" \
                 "($help)--name=[Service name]:name: " \
                 "($help)*--placement-pref=[Add a placement preference]:pref:__docker_service_complete_placement_pref" \
-                "($help)*--publish=[Publish a port]:port: " \
+                "($help)*"{-p=,--publish=}"[Publish a port as a node port]:port: " \
                 "($help -): :__docker_complete_images" \
                 "($help -):command: _command_names -e" \
                 "($help -)*::arguments: _normal" && ret=0
@@ -2376,7 +2376,8 @@ __docker_system_subcommand() {
                 $opts_help \
                 "($help -a --all)"{-a,--all}"[Remove all unused data, not just dangling ones]" \
                 "($help)*--filter=[Filter values]:filter:__docker_complete_prune_filters" \
-                "($help -f --force)"{-f,--force}"[Do not prompt for confirmation]" && ret=0
+                "($help -f --force)"{-f,--force}"[Do not prompt for confirmation]" \
+                "($help)--volumes=[Remove all unused volumes]" && ret=0
             ;;
         (help)
             _arguments $(__docker_arguments) ":subcommand:__docker_volume_commands" && ret=0
@@ -2620,7 +2621,7 @@ __docker_subcommand() {
                 "($help)--default-gateway-v6[Container default gateway IPv6 address]:IPv6 address: " \
                 "($help)--default-shm-size=[Default shm size for containers]:size:" \
                 "($help)*--default-ulimit=[Default ulimits for containers]:ulimit: " \
-                "($help)--disable-legacy-registry[Disable contacting legacy registries]" \
+                "($help)--disable-legacy-registry[Disable contacting legacy registries (default true)]" \
                 "($help)*--dns=[DNS server to use]:DNS: " \
                 "($help)*--dns-opt=[DNS options to use]:DNS option: " \
                 "($help)*--dns-search=[DNS search domains to use]:DNS search: " \

components/cli/docker.Makefile

@@ -68,5 +68,15 @@ lint: build_linter_image
 vendor: build_docker_image vendor.conf
 	@docker run -ti --rm $(MOUNTS) $(DEV_DOCKER_IMAGE_NAME) make vendor
 
+## generate man pages from go source and markdown
+.PHONY: manpages
+manpages: build_docker_image
+	@docker run -ti --rm $(MOUNTS) $(DEV_DOCKER_IMAGE_NAME) make manpages
+
+## Generate documentation YAML files consumed by docs repo
+.PHONY: yamldocs
+yamldocs: build_docker_image
+	@docker run -ti --rm $(MOUNTS) $(DEV_DOCKER_IMAGE_NAME) make yamldocs
+
 dynbinary: build_cross_image
 	docker run --rm $(ENVVARS) $(MOUNTS) $(CROSS_IMAGE_NAME) make dynbinary

components/cli/dockerfiles/Dockerfile.cross

@@ -1,5 +1,5 @@
 
-FROM    golang:1.8.1
+FROM    golang:1.8.3
 
 # allow replacing httpredir or deb mirror
 ARG     APT_MIRROR=deb.debian.org

components/cli/dockerfiles/Dockerfile.dev

@@ -1,5 +1,5 @@
 
-FROM    golang:1.8-alpine
+FROM    golang:1.8.3-alpine
 
 RUN     apk add -U git make bash coreutils
 

components/cli/dockerfiles/Dockerfile.lint

@@ -1,4 +1,4 @@
-FROM    golang:1.8-alpine
+FROM    golang:1.8.3-alpine
 
 RUN     apk add -U git
 

components/cli/docs/deprecated.md

@@ -138,7 +138,7 @@ on all subcommands (due to it conflicting with, e.g. `-h` / `--hostname` on
 ### `-e` and `--email` flags on `docker login`
 **Deprecated In Release: [v1.11.0](https://github.com/docker/docker/releases/tag/v1.11.0)**
 
-**Target For Removal In Release: v17.06**
+**Removed In Release: [v17.06](https://github.com/docker/docker-ce/releases/tag/v17.06.0-ce)**
 
 The docker login command is removing the ability to automatically register for an account with the target registry if the given username doesn't exist. Due to this change, the email flag is no longer required, and will be deprecated.
 
@@ -292,7 +292,7 @@ of the `--changes` flag that allows to pass `Dockerfile` commands.
 
 **Target For Removal In Release: v17.12**
 
-Version 1.9 adds a flag (`--disable-legacy-registry=false`) which prevents the
+Version 1.8.3 added a flag (`--disable-legacy-registry=false`) which prevents the
 docker daemon from `pull`, `push`, and `login` operations against v1
 registries.  Though enabled by default, this signals the intent to deprecate
 the v1 protocol.

components/cli/docs/extend/legacy_plugins.md

@@ -0,0 +1,103 @@
+---
+redirect_from:
+- "/engine/extend/plugins/"
+title: "Use Docker Engine plugins"
+description: "How to add additional functionality to Docker with plugins extensions"
+keywords: "Examples, Usage, plugins, docker, documentation, user guide"
+---
+
+<!-- This file is maintained within the docker/docker Github
+     repository at https://github.com/docker/docker/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+This document describes the Docker Engine plugins generally available in Docker
+Engine. To view information on plugins managed by Docker,
+refer to [Docker Engine plugin system](index.md).
+
+You can extend the capabilities of the Docker Engine by loading third-party
+plugins. This page explains the types of plugins and provides links to several
+volume and network plugins for Docker.
+
+## Types of plugins
+
+Plugins extend Docker's functionality. They come in specific types.  For
+example, a [volume plugin](plugins_volume.md) might enable Docker
+volumes to persist across multiple Docker hosts and a
+[network plugin](plugins_network.md) might provide network plumbing.
+
+Currently Docker supports authorization, volume and network driver plugins. In the future it
+will support additional plugin types.
+
+## Installing a plugin
+
+Follow the instructions in the plugin's documentation.
+
+## Finding a plugin
+
+The sections below provide an inexhaustive overview of available plugins.
+
+<style>
+#DocumentationText  tr td:first-child { white-space: nowrap;}
+</style>
+
+### Network plugins
+
+| Plugin                                                                             | Description                                                                                                                                                                                                                                                                                                                                            |
+|:-----------------------------------------------------------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [Contiv Networking](https://github.com/contiv/netplugin)                           | An open source network plugin to provide infrastructure and security policies for a multi-tenant micro services deployment, while providing an integration to physical network for non-container workload. Contiv Networking implements the remote driver and IPAM APIs available in Docker 1.9 onwards.                                               |
+| [Kuryr Network Plugin](https://github.com/openstack/kuryr)                         | A network plugin is developed as part of the OpenStack Kuryr project and implements the Docker networking (libnetwork) remote driver API by utilizing Neutron, the OpenStack networking service. It includes an IPAM driver as well.                                                                                                                   |
+| [Weave Network Plugin](https://www.weave.works/docs/net/latest/introducing-weave/) | A network plugin that creates a virtual network that connects your Docker containers - across multiple hosts or clouds and enables automatic discovery of applications. Weave networks are resilient, partition tolerant, secure and work in partially connected networks, and other adverse environments - all configured with delightful simplicity. |
+
+### Volume plugins
+
+| Plugin                                                                                             | Description                                                                                                                                                                                                                                                                                                   |
+|:---------------------------------------------------------------------------------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [Azure File Storage plugin](https://github.com/Azure/azurefile-dockervolumedriver)                 | Lets you mount Microsoft [Azure File Storage](https://azure.microsoft.com/blog/azure-file-storage-now-generally-available/) shares to Docker containers as volumes using the SMB 3.0 protocol. [Learn more](https://azure.microsoft.com/blog/persistent-docker-volumes-with-azure-file-storage/).             |
+| [BeeGFS Volume Plugin](https://github.com/RedCoolBeans/docker-volume-beegfs)                       | An open source volume plugin to create persistent volumes in a BeeGFS parallel file system.                                                                                                                                                                                                                   |
+| [Blockbridge plugin](https://github.com/blockbridge/blockbridge-docker-volume)                     | A volume plugin that provides access to an extensible set of container-based persistent storage options. It supports single and multi-host Docker environments with features that include tenant isolation, automated provisioning, encryption, secure deletion, snapshots and QoS.                           |
+| [Contiv Volume Plugin](https://github.com/contiv/volplugin)                                        | An open source volume plugin that provides multi-tenant, persistent, distributed storage with intent based consumption. It has support for Ceph and NFS.                                                                                                                                                      |
+| [Convoy plugin](https://github.com/rancher/convoy)                                                 | A volume plugin for a variety of storage back-ends including device mapper and NFS. It's a simple standalone executable written in Go and provides the framework to support vendor-specific extensions such as snapshots, backups and restore.                                                                |
+| [DigitalOcean Block Storage plugin](https://github.com/omallo/docker-volume-plugin-dostorage)      | Integrates DigitalOcean's [block storage solution](https://www.digitalocean.com/products/storage/) into the Docker ecosystem by automatically attaching a given block storage volume to a DigitalOcean droplet and making the contents of the volume available to Docker containers running on that droplet.  |
+| [DRBD plugin](https://www.drbd.org/en/supported-projects/docker)                                   | A volume plugin that provides highly available storage replicated by [DRBD](https://www.drbd.org). Data written to the docker volume is replicated in a cluster of DRBD nodes.                                                                                                                                |
+| [Flocker plugin](https://clusterhq.com/docker-plugin/)                                             | A volume plugin that provides multi-host portable volumes for Docker, enabling you to run databases and other stateful containers and move them around across a cluster of machines.                                                                                                                          |
+| [Fuxi Volume Plugin](https://github.com/openstack/fuxi)                                            | A volume plugin that is developed as part of the OpenStack Kuryr project and implements the Docker volume plugin API by utilizing Cinder, the OpenStack block storage service.                                                                                                                                |
+| [gce-docker plugin](https://github.com/mcuadros/gce-docker)                                        | A volume plugin able to attach, format and mount Google Compute [persistent-disks](https://cloud.google.com/compute/docs/disks/persistent-disks).                                                                                                                                                             |
+| [GlusterFS plugin](https://github.com/calavera/docker-volume-glusterfs)                            | A volume plugin that provides multi-host volumes management for Docker using GlusterFS.                                                                                                                                                                                                                       |
+| [Horcrux Volume Plugin](https://github.com/muthu-r/horcrux)                                        | A volume plugin that allows on-demand, version controlled access to your data. Horcrux is an open-source plugin, written in Go, and supports SCP, [Minio](https://www.minio.io) and Amazon S3.                                                                                                                |
+| [HPE 3Par Volume Plugin](https://github.com/hpe-storage/python-hpedockerplugin/)                   | A volume plugin that supports HPE 3Par and StoreVirtual iSCSI storage arrays.                                                                                                                                                                                                                                 |
+| [Infinit volume plugin](https://infinit.sh/documentation/docker/volume-plugin)                     | A volume plugin that makes it easy to mount and manage Infinit volumes using Docker.                                                                                                                                                                                                                          |
+| [IPFS Volume Plugin](http://github.com/vdemeester/docker-volume-ipfs)                              | An open source volume plugin that allows using an [ipfs](https://ipfs.io/) filesystem as a volume.                                                                                                                                                                                                            |
+| [Keywhiz plugin](https://github.com/calavera/docker-volume-keywhiz)                                | A plugin that provides credentials and secret management using Keywhiz as a central repository.                                                                                                                                                                                                               |
+| [Local Persist Plugin](https://github.com/CWSpear/local-persist)                                   | A volume plugin that extends the default `local` driver's functionality by allowing you specify a mountpoint anywhere on the host, which enables the files to *always persist*, even if the volume is removed via `docker volume rm`.                                                                         |
+| [NetApp Plugin](https://github.com/NetApp/netappdvp) (nDVP)                                        | A volume plugin that provides direct integration with the Docker ecosystem for the NetApp storage portfolio. The nDVP package supports the provisioning and management of storage resources from the storage platform to Docker hosts, with a robust framework for adding additional platforms in the future. |
+| [Netshare plugin](https://github.com/ContainX/docker-volume-netshare)                              | A volume plugin that provides volume management for NFS 3/4, AWS EFS and CIFS file systems.                                                                                                                                                                                                                   |
+| [Nimble Storage Volume Plugin](https://connect.nimblestorage.com/community/app-integration/docker) | A volume plug-in that integrates with Nimble Storage Unified Flash Fabric arrays. The plug-in abstracts array volume capabilities to the Docker administrator to allow self-provisioning of secure multi-tenant volumes and clones.                                                                           |
+| [OpenStorage Plugin](https://github.com/libopenstorage/openstorage)                                | A cluster-aware volume plugin that provides volume management for file and block storage solutions.  It implements a vendor neutral specification for implementing extensions such as CoS, encryption, and snapshots. It has example drivers based on FUSE, NFS, NBD and EBS to name a few.                   |
+| [Portworx Volume Plugin](https://github.com/portworx/px-dev)                                       | A volume plugin that turns any server into a scale-out converged compute/storage node, providing container granular storage and highly available volumes across any node, using a shared-nothing storage backend that works with any docker scheduler.                                                        |
+| [Quobyte Volume Plugin](https://github.com/quobyte/docker-volume)                                  | A volume plugin that connects Docker to [Quobyte](http://www.quobyte.com/containers)'s data center file system, a general-purpose scalable and fault-tolerant storage platform.                                                                                                                               |
+| [REX-Ray plugin](https://github.com/emccode/rexray)                                                | A volume plugin which is written in Go and provides advanced storage functionality for many platforms including VirtualBox, EC2, Google Compute Engine, OpenStack, and EMC.                                                                                                                                   |
+| [Virtuozzo Storage and Ploop plugin](https://github.com/virtuozzo/docker-volume-ploop)             | A volume plugin with support for Virtuozzo Storage distributed cloud file system as well as ploop devices.                                                                                                                                                                                                    |
+| [VMware vSphere Storage Plugin](https://github.com/vmware/docker-volume-vsphere)                   | Docker Volume Driver for vSphere enables customers to address persistent storage requirements for Docker containers in vSphere environments.                                                                                                                                                                  |
+
+### Authorization plugins
+
+| Plugin                                                               | Description                                                                                                                                                                                                                                                                                                                          |
+|:---------------------------------------------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [Casbin AuthZ Plugin](https://github.com/casbin/casbin-authz-plugin) | An authorization plugin based on [Casbin](https://github.com/casbin/casbin), which supports access control models like ACL, RBAC, ABAC. The access control model can be customized. The policy can be persisted into file or DB.                                                                                                     |
+| [HBM plugin](https://github.com/kassisol/hbm)                        | An authorization plugin that prevents from executing commands with certains parameters.                                                                                                                                                                                                                                              |
+| [Twistlock AuthZ Broker](https://github.com/twistlock/authz)         | A basic extendable authorization plugin that runs directly on the host or inside a container. This plugin allows you to define user policies that it evaluates during authorization. Basic authorization is provided if Docker daemon is started with the --tlsverify flag (username is extracted from the certificate common name). |
+
+## Troubleshooting a plugin
+
+If you are having problems with Docker after loading a plugin, ask the authors
+of the plugin for help. The Docker team may not be able to assist you.
+
+## Writing a plugin
+
+If you are interested in writing a plugin for Docker, or seeing how they work
+under the hood, see the [docker plugins reference](plugin_api.md).

components/cli/docs/extend/plugins_authorization.md

@@ -27,7 +27,7 @@ same is true for callers using Docker's Engine API to contact the daemon. If you
 require greater access control, you can create authorization plugins and add
 them to your Docker daemon configuration. Using an authorization plugin, a
 Docker administrator can configure granular access policies for managing access
-to Docker daemon.
+to the Docker daemon.
 
 Anyone with the appropriate skills can develop an authorization plugin. These
 skills, at their most basic, are knowledge of Docker, understanding of REST, and

components/cli/docs/reference/builder.md

@@ -30,13 +30,13 @@ Practices](https://docs.docker.com/engine/userguide/eng-image/dockerfile_best-pr
 ## Usage
 
 The [`docker build`](commandline/build.md) command builds an image from
-a `Dockerfile` and a *context*. The build's context is the files at a specified
-location `PATH` or `URL`. The `PATH` is a directory on your local filesystem.
-The `URL` is a Git repository location.
+a `Dockerfile` and a *context*. The build's context is the set of files at a
+specified location `PATH` or `URL`. The `PATH` is a directory on your local
+filesystem. The `URL` is a Git repository location.
 
 A context is processed recursively. So, a `PATH` includes any subdirectories and
-the `URL` includes the repository and its submodules. A simple build command
-that uses the current directory as context:
+the `URL` includes the repository and its submodules. This example shows a
+build command that uses the current directory as context:
 
     $ docker build .
     Sending build context to Docker daemon  6.51 MB
@@ -94,8 +94,8 @@ instructions.
 Whenever possible, Docker will re-use the intermediate images (cache),
 to accelerate the `docker build` process significantly. This is indicated by
 the `Using cache` message in the console output.
-(For more information, see the [Build cache section](https://docs.docker.com/engine/userguide/eng-image/dockerfile_best-practices/#/build-cache)) in the
-`Dockerfile` best practices guide:
+(For more information, see the [Build cache section](https://docs.docker.com/engine/userguide/eng-image/dockerfile_best-practices/#build-cache) in the
+`Dockerfile` best practices guide):
 
     $ docker build -t svendowideit/ambassador .
     Sending build context to Docker daemon 15.36 kB
@@ -138,7 +138,7 @@ be UPPERCASE to distinguish them from arguments more easily.
 Docker runs instructions in a `Dockerfile` in order. A `Dockerfile` **must
 start with a \`FROM\` instruction**. The `FROM` instruction specifies the [*Base
 Image*](glossary.md#base-image) from which you are building. `FROM` may only be
-proceeded by one or more `ARG` instructions, which declare arguments that are used
+preceded by one or more `ARG` instructions, which declare arguments that are used
 in `FROM` lines in the `Dockerfile`.
 
 Docker treats lines that *begin* with `#` as a comment, unless the line is
@@ -499,7 +499,7 @@ valid `Dockerfile` must start with a `FROM` instruction. The image can be
 any valid image – it is especially easy to start by **pulling an image** from 
 the [*Public Repositories*](https://docs.docker.com/engine/tutorials/dockerrepos/).
 
-- `ARG` is the only instruction that may proceed `FROM` in the `Dockerfile`. 
+- `ARG` is the only instruction that may precede `FROM` in the `Dockerfile`.
   See [Understand how ARG and FROM interact](#understand-how-arg-and-from-interact).
 
 - `FROM` can appear multiple times within a single `Dockerfile` to 
@@ -530,15 +530,16 @@ FROM extras:${CODE_VERSION}
 CMD  /code/run-extras
 ```
 
-To use the default value of an `ARG` declared before the first `FROM` use an
-`ARG` instruction without a value:
+An `ARG` declared before a `FROM` is outside of a build stage, so it
+can't be used in any instruction after a `FROM`. To use the default value of
+an `ARG` declared before the first `FROM` use an `ARG` instruction without
+a value inside of a build stage:
 
 ```Dockerfile
-ARG  SETTINGS=default
-
-FROM busybox
-ARG  SETTINGS
-
+ARG VERSION=latest
+FROM busybox:$VERSION
+ARG VERSION
+RUN echo $VERSION > image_version
 ```
 
 ## RUN
@@ -1281,26 +1282,43 @@ This Dockerfile results in an image that causes `docker run`, to
 create a new mount point at `/myvol` and copy the  `greeting` file
 into the newly created volume.
 
-> **Note**:
-> When using Windows-based containers, the destination of a volume inside the
-> container must be one of: a non-existing or empty directory; or a drive other
-> than C:.
+### Notes about specifying volumes
 
-> **Note**:
-> If any build steps change the data within the volume after it has been
-> declared, those changes will be discarded.
+Keep the following things in mind about volumes in the `Dockerfile`.
 
-> **Note**:
-> The list is parsed as a JSON array, which means that
-> you must use double-quotes (") around words not single-quotes (').
+- **Volumes on Windows-based containers**: When using Windows-based containers,
+  the destination of a volume inside the container must be one of:
+  
+  - a non-existing or empty directory
+  - a drive other than `C:`
+
+- **Changing the volume from within the Dockerfile**: If any build steps change the
+  data within the volume after it has been declared, those changes will be discarded.
+
+- **JSON formatting**: The list is parsed as a JSON array.
+  You must enclose words with double quotes (`"`)rather than single quotes (`'`).
+
+- **The host directory is declared at container run-time**: The host directory
+  (the mountpoint) is, by its nature, host-dependent. This is to preserve image
+  portability. since a given host directory can't be guaranteed to be available
+  on all hosts.For this reason, you can't mount a host directory from
+  within the Dockerfile. The `VOLUME` instruction does not support specifying a `host-dir`
+  parameter.  You must specify the mountpoint when you create or run the container.
 
 ## USER
 
-    USER daemon
+    USER <user>[:<group>]
+or
+    USER <UID>[:<GID>]
+
+The `USER` instruction sets the user name (or UID) and optionally the user
+group (or GID) to use when running the image and for any `RUN`, `CMD` and
+`ENTRYPOINT` instructions that follow it in the `Dockerfile`.
+
+> **Warning**:
+> When the user does doesn't have a primary group then the image (or the next
+> instructions) will be run with the `root` group.
 
-The `USER` instruction sets the user name or UID to use when running the image
-and for any `RUN`, `CMD` and `ENTRYPOINT` instructions that follow it in the
-`Dockerfile`.
 
 ## WORKDIR
 
@@ -1311,9 +1329,9 @@ The `WORKDIR` instruction sets the working directory for any `RUN`, `CMD`,
 If the `WORKDIR` doesn't exist, it will be created even if it's not used in any
 subsequent `Dockerfile` instruction.
 
-It can be used multiple times in the one `Dockerfile`. If a relative path
-is provided, it will be relative to the path of the previous `WORKDIR`
-instruction. For example:
+The `WORKDIR` instruction can be used multiple times in a `Dockerfile`. If a
+relative path is provided, it will be relative to the path of the previous
+`WORKDIR` instruction. For example:
 
     WORKDIR /a
     WORKDIR b
@@ -1347,8 +1365,8 @@ defined in the Dockerfile, the build outputs a warning.
 [Warning] One or more build-args [foo] were not consumed.
 ```
 
-The Dockerfile author can define a single variable by specifying `ARG` once or many
-variables by specifying `ARG` more than once. For example, a valid Dockerfile:
+A Dockerfile may include one or more `ARG` instructions. For example,
+the following is a valid Dockerfile:
 
 ```
 FROM busybox
@@ -1357,7 +1375,13 @@ ARG buildno
 ...
 ```
 
-A Dockerfile author may optionally specify a default value for an `ARG` instruction:
+> **Warning:** It is not recommended to use build-time variables for
+>  passing secrets like github keys, user credentials etc. Build-time variable
+>  values are visible to any user of the image with the `docker history` command.
+
+### Default values
+
+An `ARG` instruction can optionally include a default value:
 
 ```
 FROM busybox
@@ -1366,8 +1390,10 @@ ARG buildno=1
 ...
 ```
 
-If an `ARG` value has a default and if there is no value passed at build-time, the
-builder uses the default.
+If an `ARG` instruction has a default value and if there is no value passed
+at build-time, the builder uses the default.
+
+### Scope
 
 An `ARG` variable definition comes into effect from the line on which it is
 defined in the `Dockerfile` not from the argument's use on the command-line or
@@ -1391,9 +1417,21 @@ subsequent line 3. The `USER` at line 4 evaluates to `what_user` as `user` is
 defined and the `what_user` value was passed on the command line. Prior to its definition by an
 `ARG` instruction, any use of a variable results in an empty string.
 
-> **Warning:** It is not recommended to use build-time variables for
->  passing secrets like github keys, user credentials etc. Build-time variable
->  values are visible to any user of the image with the `docker history` command.
+An `ARG` instruction goes out of scope at the end of the build
+stage where it was defined. To use an arg in multiple stages, each stage must
+include the `ARG` instruction.
+
+```
+FROM busybox
+ARG SETTINGS
+RUN ./run/setup $SETTINGS
+
+FROM busybox
+ARG SETTINGS
+RUN ./run/other $SETTINGS
+```
+
+### Using ARG variables
 
 You can use an `ARG` or an `ENV` instruction to specify variables that are
 available to the `RUN` instruction. Environment variables defined using the
@@ -1442,6 +1480,8 @@ from the command line and persist them in the final image by leveraging the
 `ENV` instruction. Variable expansion is only supported for [a limited set of
 Dockerfile instructions.](#environment-replacement)
 
+### Predefined ARGs
+
 Docker has a set of predefined `ARG` variables that you can use without a
 corresponding `ARG` instruction in the Dockerfile.
 

components/cli/docs/reference/commandline/attach.md

@@ -40,7 +40,7 @@ interactively, as though the commands were running directly in your terminal.
 > not be interacting with the terminal at that time.
 
 You can attach to the same contained process multiple times simultaneously,
-even as a different user with the appropriate permissions.
+from different sessions on the Docker host.
 
 To stop a container, use `CTRL-c`. This key sequence sends `SIGKILL` to the
 container. If `--sig-proxy` is true (the default),`CTRL-c` sends a `SIGINT` to

components/cli/docs/reference/commandline/build.md

@@ -63,11 +63,11 @@ Options:
 
 ## Description
 
-Builds Docker images from a Dockerfile and a "context". A build's context is
-the files located in the specified `PATH` or `URL`. The build process can refer
-to any of the files in the context. For example, your build can use an
-[*ADD*](../builder.md#add) instruction to reference a file in the
-context.
+The `docker build` command builds Docker images from a Dockerfile and a
+"context". A build's context is the set of files located in the specified
+`PATH` or `URL`. The build process can refer to any of the files in the
+context. For example, your build can use a [*COPY*](../builder.md#copy)
+instruction to reference a file in the context.
 
 The `URL` parameter can refer to three kinds of resources: Git repositories,
 pre-packaged tarball contexts and plain text files.
@@ -88,7 +88,7 @@ user credentials, VPN's, and so forth.
 
 Git URLs accept context configuration in their fragment section, separated by a
 colon `:`.  The first part represents the reference that Git will check out,
-this can be either a branch, a tag, or a remote reference. The second part
+and can be either a branch, a tag, or a remote reference. The second part
 represents a subdirectory inside the repository that will be used as a build
 context.
 

components/cli/docs/reference/commandline/cli.md

@@ -216,6 +216,7 @@ attach`, `docker exec`, `docker run` or `docker start` command.
 Following is a sample `config.json` file:
 
 ```json
+{% raw %}
 {
   "HttpHeaders": {
     "MyHeader": "MyValue"
@@ -236,6 +237,7 @@ Following is a sample `config.json` file:
     "unicorn.example.com": "vcbait"
   }
 }
+{% endraw %}
 ```
 
 ### Notary

components/cli/docs/reference/commandline/cp.md

@@ -28,6 +28,7 @@ container source to stdout.
 
 Options:
   -L, --follow-link   Always follow symbol link in SRC_PATH
+  -a, --archive       Archive mode (copy all uid/gid information)
       --help          Print usage
 ```
 
@@ -53,7 +54,9 @@ copied recursively with permissions preserved if possible. Ownership is set to
 the user and primary group at the destination. For example, files copied to a
 container are created with `UID:GID` of the root user. Files copied to the local
 machine are created with the `UID:GID` of the user which invoked the `docker cp`
-command.  If you specify the `-L` option, `docker cp` follows any symbolic link
+command. However, if you specify the `-a` option, `docker cp` sets the ownership
+to the user and primary group at the source.
+If you specify the `-L` option, `docker cp` follows any symbolic link
 in the `SRC_PATH`.  `docker cp` does *not* create parent directories for
 `DEST_PATH` if they do not exist.
 
@@ -102,11 +105,11 @@ running `tar` in `docker exec`. Both of the following examples do the same thing
 in different ways (consider `SRC_PATH` and `DEST_PATH` are directories):
 
 ```bash
-$ docker exec foo tar Ccf $(dirname SRC_PATH) - $(basename SRC_PATH) | tar Cxf DEST_PATH -
+$ docker exec CONTAINER tar Ccf $(dirname SRC_PATH) - $(basename SRC_PATH) | tar Cxf DEST_PATH -
 ```
 
 ```bash
-$ tar Ccf $(dirname SRC_PATH) - $(basename SRC_PATH) | docker exec -i foo tar Cxf DEST_PATH -
+$ tar Ccf $(dirname SRC_PATH) - $(basename SRC_PATH) | docker exec -i CONTAINER tar Cxf DEST_PATH -
 ```
 
 Using `-` as the `SRC_PATH` streams the contents of `STDIN` as a tar archive.

components/cli/docs/reference/commandline/dockerd.md

@@ -42,7 +42,7 @@ Options:
       --default-gateway-v6 ip                 Container default gateway IPv6 address
       --default-runtime string                Default OCI runtime for containers (default "runc")
       --default-ulimit ulimit                 Default ulimits for containers (default [])
-      --disable-legacy-registry               Disable contacting legacy registries
+      --disable-legacy-registry               Disable contacting legacy registries (default true)
       --dns list                              DNS server to use (default [])
       --dns-opt list                          DNS options to use (default [])
       --dns-search list                       DNS search domains to use (default [])
@@ -901,7 +901,18 @@ system's list of trusted CAs instead of enabling `--insecure-registry`.
 
 ##### Legacy Registries
 
-Enabling `--disable-legacy-registry` forces a docker daemon to only interact with registries which support the V2 protocol.  Specifically, the daemon will not attempt `push`, `pull` and `login` to v1 registries.  The exception to this is `search` which can still be performed on v1 registries.
+Operations against registries supporting only the legacy v1 protocol are
+disabled by default. Specifically, the daemon will not attempt `push`,
+`pull` and `login` to v1 registries. The exception to this is `search`
+which can still be performed on v1 registries.
+
+Add `"disable-legacy-registry":false` to the [daemon configuration
+file](#daemon-configuration-file), or set the
+`--disable-legacy-registry=false` flag, if you need to interact with
+registries that have not yet migrated to the v2 protocol.
+
+Interaction v1 registries will no longer be supported in Docker v17.12,
+and the `disable-legacy-registry` configuration option will be removed.
 
 #### Running a Docker daemon behind an HTTPS_PROXY
 
@@ -958,14 +969,14 @@ $ sudo dockerd \
 
 The currently supported cluster store options are:
 
-| Option                | Description |
-|-----------------------|-------------|
-| `discovery.heartbeat` | Specifies the heartbeat timer in seconds which is used by the daemon as a `keepalive` mechanism to make sure discovery module treats the node as alive in the cluster. If not configured, the default value is 20 seconds. |
+| Option                | Description                                                                                                                                                                                                                   |
+|:----------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `discovery.heartbeat` | Specifies the heartbeat timer in seconds which is used by the daemon as a `keepalive` mechanism to make sure discovery module treats the node as alive in the cluster. If not configured, the default value is 20 seconds.    |
 | `discovery.ttl`       | Specifies the TTL (time-to-live) in seconds which is used by the discovery module to timeout a node if a valid heartbeat is not received within the configured ttl value. If not configured, the default value is 60 seconds. |
-| `kv.cacertfile`       | Specifies the path to a local file with PEM encoded CA certificates to trust. |
-| `kv.certfile`         | Specifies the path to a local file with a PEM encoded certificate. This certificate is used as the client cert for communication with the Key/Value store. |
-| `kv.keyfile`          | Specifies the path to a local file with a PEM encoded private key. This private key is used as the client key for communication with the Key/Value store. |
-| `kv.path`             | Specifies the path in the Key/Value store. If not configured, the default value is 'docker/nodes'. |
+| `kv.cacertfile`       | Specifies the path to a local file with PEM encoded CA certificates to trust.                                                                                                                                                 |
+| `kv.certfile`         | Specifies the path to a local file with a PEM encoded certificate. This certificate is used as the client cert for communication with the Key/Value store.                                                                    |
+| `kv.keyfile`          | Specifies the path to a local file with a PEM encoded private key. This private key is used as the client key for communication with the Key/Value store.                                                                     |
+| `kv.path`             | Specifies the path in the Key/Value store. If not configured, the default value is 'docker/nodes'.                                                                                                                            |
 
 #### Access authorization
 
@@ -994,152 +1005,18 @@ plugin](../../extend/plugins_authorization.md) section in the Docker extend sect
 
 #### Daemon user namespace options
 
-The Linux kernel [user namespace support](http://man7.org/linux/man-pages/man7/user_namespaces.7.html) provides additional security by enabling
-a process, and therefore a container, to have a unique range of user and
-group IDs which are outside the traditional user and group range utilized by
-the host system. Potentially the most important security improvement is that,
-by default, container processes running as the `root` user will have expected
-administrative privilege (with some restrictions) inside the container but will
-effectively be mapped to an unprivileged `uid` on the host.
+The Linux kernel
+[user namespace support](http://man7.org/linux/man-pages/man7/user_namespaces.7.html)
+provides additional security by enabling a process, and therefore a container,
+to have a unique range of user and group IDs which are outside the traditional
+user and group range utilized by the host system. Potentially the most important
+security improvement is that, by default, container processes running as the
+`root` user will have expected administrative privilege (with some restrictions)
+inside the container but will effectively be mapped to an unprivileged `uid` on
+the host.
 
-When user namespace support is enabled, Docker creates a single daemon-wide mapping
-for all containers running on the same engine instance. The mappings will
-utilize the existing subordinate user and group ID feature available on all modern
-Linux distributions.
-The [`/etc/subuid`](http://man7.org/linux/man-pages/man5/subuid.5.html) and
-[`/etc/subgid`](http://man7.org/linux/man-pages/man5/subgid.5.html) files will be
-read for the user, and optional group, specified to the `--userns-remap`
-parameter.  If you do not wish to specify your own user and/or group, you can
-provide `default` as the value to this flag, and a user will be created on your behalf
-and provided subordinate uid and gid ranges. This default user will be named
-`dockremap`, and entries will be created for it in `/etc/passwd` and
-`/etc/group` using your distro's standard user and group creation tools.
-
-> **Note**: The single mapping per-daemon restriction is in place for now
-> because Docker shares image layers from its local cache across all
-> containers running on the engine instance.  Since file ownership must be
-> the same for all containers sharing the same layer content, the decision
-> was made to map the file ownership on `docker pull` to the daemon's user and
-> group mappings so that there is no delay for running containers once the
-> content is downloaded. This design preserves the same performance for `docker
-> pull`, `docker push`, and container startup as users expect with
-> user namespaces disabled.
-
-##### Start the daemon with user namespaces enabled
-
-To enable user namespace support, start the daemon with the
-`--userns-remap` flag, which accepts values in the following formats:
-
- - uid
- - uid:gid
- - username
- - username:groupname
-
-If numeric IDs are provided, translation back to valid user or group names
-will occur so that the subordinate uid and gid information can be read, given
-these resources are name-based, not id-based.  If the numeric ID information
-provided does not exist as entries in `/etc/passwd` or `/etc/group`, daemon
-startup will fail with an error message.
-
-**Example: starting with default Docker user management:**
-
-```bash
-$ sudo dockerd --userns-remap=default
-```
-
-When `default` is provided, Docker will create - or find the existing - user and group
-named `dockremap`. If the user is created, and the Linux distribution has
-appropriate support, the `/etc/subuid` and `/etc/subgid` files will be populated
-with a contiguous 65536 length range of subordinate user and group IDs, starting
-at an offset based on prior entries in those files.  For example, Ubuntu will
-create the following range, based on an existing user named `user1` already owning
-the first 65536 range:
-
-```bash
-$ cat /etc/subuid
-user1:100000:65536
-dockremap:165536:65536
-```
-
-If you have a preferred/self-managed user with subordinate ID mappings already
-configured, you can provide that username or uid to the `--userns-remap` flag.
-If you have a group that doesn't match the username, you may provide the `gid`
-or group name as well; otherwise the username will be used as the group name
-when querying the system for the subordinate group ID range.
-
-The output of `docker info` can be used to determine if the daemon is running
-with user namespaces enabled or not. If the daemon is configured with user
-namespaces, the Security Options entry in the response will list "userns" as
-one of the enabled security features.
-
-##### Behavior differences when user namespaces are enabled
-
-When you start the Docker daemon with `--userns-remap`, Docker segregates the graph directory
-where the images are stored by adding an extra directory with a name corresponding to the
-remapped UID and GID. For example, if the remapped UID and GID begin with `165536`, all
-images and containers running with that remap setting are located in `/var/lib/docker/165536.165536`
-instead of `/var/lib/docker/`.
-
-In addition, the files and directories within the new directory, which correspond to
-images and container layers, are also owned by the new UID and GID. To set the ownership
-correctly, you need to re-pull the images and restart the containers after starting the
-daemon with `--userns-remap`.
-
-##### Detailed information on `subuid`/`subgid` ranges
-
-Given potential advanced use of the subordinate ID ranges by power users, the
-following paragraphs define how the Docker daemon currently uses the range entries
-found within the subordinate range files.
-
-The simplest case is that only one contiguous range is defined for the
-provided user or group. In this case, Docker will use that entire contiguous
-range for the mapping of host uids and gids to the container process.  This
-means that the first ID in the range will be the remapped root user, and the
-IDs above that initial ID will map host ID 1 through the end of the range.
-
-From the example `/etc/subuid` content shown above, the remapped root
-user would be uid 165536.
-
-If the system administrator has set up multiple ranges for a single user or
-group, the Docker daemon will read all the available ranges and use the
-following algorithm to create the mapping ranges:
-
-1. The range segments found for the particular user will be sorted by *start ID* ascending.
-2. Map segments will be created from each range in increasing value with a length matching the length of each segment. Therefore the range segment with the lowest numeric starting value will be equal to the remapped root, and continue up through host uid/gid equal to the range segment length. As an example, if the lowest segment starts at ID 1000 and has a length of 100, then a map of 1000 -> 0 (the remapped root) up through 1100 -> 100 will be created from this segment. If the next segment starts at ID 10000, then the next map will start with mapping 10000 -> 101 up to the length of this second segment. This will continue until no more segments are found in the subordinate files for this user.
-3. If more than five range segments exist for a single user, only the first five will be utilized, matching the kernel's limitation of only five entries in `/proc/self/uid_map` and `proc/self/gid_map`.
-
-##### Disable user namespace for a container
-
-If you enable user namespaces on the daemon, all containers are started
-with user namespaces enabled. In some situations you might want to disable
-this feature for a container, for example, to start a privileged container (see
-[user namespace known restrictions](#user-namespace-known-restrictions)).
-To enable those advanced features for a specific container use `--userns=host`
-in the `run/exec/create` command.
-This option will completely disable user namespace mapping for the container's user.
-
-##### User namespace known restrictions
-
-The following standard Docker features are currently incompatible when
-running a Docker daemon with user namespaces enabled:
-
- - sharing PID or NET namespaces with the host (`--pid=host` or `--net=host`)
- - Using `--privileged` mode flag on `docker run` (unless also specifying `--userns=host`)
-
-In general, user namespaces are an advanced feature and will require
-coordination with other capabilities. For example, if volumes are mounted from
-the host, file ownership will have to be pre-arranged if the user or
-administrator wishes the containers to have expected access to the volume
-contents. Note that when using external volume or graph driver plugins, those
-external software programs must be made aware of user and group mapping ranges
-if they are to work seamlessly with user namespace support.
-
-Finally, while the `root` user inside a user namespaced container process has
-many of the expected admin privileges that go along with being the superuser, the
-Linux kernel has restrictions based on internal knowledge that this is a user namespaced
-process. The most notable restriction that we are aware of at this time is the
-inability to use `mknod`. Permission will be denied for device creation even as
-container `root` inside a user namespace.
+For details about how to use this feature, as well as limitations, see
+[Isolate containers with a user namespace](https://docs.docker.com/engine/security/userns-remap/).
 
 ### Miscellaneous options
 

components/cli/docs/reference/commandline/events.md

@@ -80,9 +80,9 @@ Docker images report the following events:
 
 Docker plugins report the following events:
 
-- `install`
 - `enable`
 - `disable`
+- `install`
 - `remove`
 
 #### Volumes
@@ -90,9 +90,9 @@ Docker plugins report the following events:
 Docker volumes report the following events:
 
 - `create`
+- `destroy`
 - `mount`
 - `unmount`
-- `destroy`
 
 #### Networks
 
@@ -100,8 +100,9 @@ Docker networks report the following events:
 
 - `create`
 - `connect`
-- `disconnect`
 - `destroy`
+- `disconnect`
+- `remove`
 
 #### Daemons
 
@@ -109,6 +110,38 @@ Docker daemons report the following events:
 
 - `reload`
 
+#### Services
+
+Docker services report the following events:
+
+- `create`
+- `remove`
+- `update`
+
+#### Nodes
+
+Docker nodes report the following events:
+
+- `create`
+- `remove`
+- `update`
+
+#### Secrets
+
+Docker secrets report the following events:
+
+- `create`
+- `remove`
+- `update`
+
+#### Configs
+
+Docker configs report the following events:
+
+- `create`
+- `remove`
+- `update`
+
 ### Limiting, filtering, and formatting the output
 
 #### Limit events by time
@@ -149,7 +182,8 @@ The currently supported filters are:
 * label (`label=<key>` or `label=<key>=<value>`)
 * network (`network=<name or id>`)
 * plugin (`plugin=<name or id>`)
-* type (`type=<container or image or volume or network or daemon or plugin>`)
+* scope (`scope=<local or swarm>`)
+* type (`type=<container or image or volume or network or daemon or plugin or service or node or secret or config>`)
 * volume (`volume=<name or id>`)
 
 #### Format
@@ -317,6 +351,29 @@ $ docker events --filter 'type=plugin'
 
 2016-07-25T17:30:14.825557616Z plugin pull ec7b87f2ce84330fe076e666f17dfc049d2d7ae0b8190763de94e1f2d105993f (name=tiborvass/sample-volume-plugin:latest)
 2016-07-25T17:30:14.888127370Z plugin enable ec7b87f2ce84330fe076e666f17dfc049d2d7ae0b8190763de94e1f2d105993f (name=tiborvass/sample-volume-plugin:latest)
+
+$ docker events -f type=service
+
+2017-07-12T06:34:07.999446625Z service create wj64st89fzgchxnhiqpn8p4oj (name=reverent_albattani)
+2017-07-12T06:34:21.405496207Z service remove wj64st89fzgchxnhiqpn8p4oj (name=reverent_albattani)
+
+$ docker events -f type=node
+
+2017-07-12T06:21:51.951586759Z node update 3xyz5ttp1a253q74z1thwywk9 (name=ip-172-31-23-42, state.new=ready, state.old=unknown)
+
+$ docker events -f type=secret
+
+2017-07-12T06:32:13.915704367Z secret create s8o6tmlnndrgzbmdilyy5ymju (name=new_secret)
+2017-07-12T06:32:37.052647783Z secret remove s8o6tmlnndrgzbmdilyy5ymju (name=new_secret)
+
+$  docker events -f type=config
+2017-07-12T06:44:13.349037127Z config create u96zlvzdfsyb9sg4mhyxfh3rl (name=abc)
+2017-07-12T06:44:36.327694184Z config remove u96zlvzdfsyb9sg4mhyxfh3rl (name=abc)
+
+$ docker events --filter 'scope=swarm'
+
+2017-07-10T07:46:50.250024503Z service create m8qcxu8081woyof7w3jaax6gk (name=affectionate_wilson)
+2017-07-10T07:47:31.093797134Z secret create 6g5pufzsv438p9tbvl9j94od4 (name=new_secret)
 ```
 
 ### Format the output

components/cli/docs/reference/commandline/exec.md

@@ -76,6 +76,17 @@ $ docker exec -it ubuntu_bash bash
 
 This will create a new Bash session in the container `ubuntu_bash`.
 
+Next, set an environment variable in the current bash session.
+
+```bash
+$ docker exec -it -e VAR=1 ubuntu_bash bash
+```
+
+This will create a new Bash session in the container `ubuntu_bash` with environment 
+variable `$VAR` set to "1". Note that this environment variable will only be valid 
+on the current Bash session.
+
+
 ### Try to run `docker exec` on a paused container
 
 If the container is paused, then the `docker exec` command will fail with an error: