Merge pull request #464 from jose-bigio/18.03_versionBump

[18.03] Version bump for 18.03-ce-rc4

CHANGELOG.md

@@ -4,7 +4,6 @@ https://docs.docker.com/engine/deprecated/ where you can find the target removal
 
 ## 18.03.0-ce (2018-03-DD)
 
-
 ### Builder
 
 * Switch to -buildmode=pie [moby/moby#34369](https://github.com/moby/moby/pull/34369)
@@ -32,6 +31,7 @@ https://docs.docker.com/engine/deprecated/ where you can find the target removal
 * Set a non-zero timeout for HTTP client communication with plugin backend [docker/cli#883](https://github.com/docker/cli/pull/883)
 + Add DOCKER_TLS environment variable for --tls option [docker/cli#863](https://github.com/docker/cli/pull/863)
 + Add --template-driver option for secrets/configs [docker/cli#896](https://github.com/docker/cli/pull/896)
++ Move `docker trust` commands out of experimental [docker/cli#934](https://github.com/docker/cli/pull/934) [docker/cli#935](https://github.com/docker/cli/pull/935) [docker/cli#944](https://github.com/docker/cli/pull/944)
 
 ### Logging
 
@@ -53,6 +53,9 @@ https://docs.docker.com/engine/deprecated/ where you can find the target removal
 * Verbose info is missing for partial overlay ID [moby/moby#35989](https://github.com/moby/moby/pull/35989)
 * Update `FindNetwork` to address network name duplications [moby/moby#30897](https://github.com/moby/moby/pull/30897)
 * Disallow attaching ingress network [docker/swarmkit#2523](https://github.com/docker/swarmkit/pull/2523)
+- Prevent implicit removal of the ingress network [moby/moby#36538](https://github.com/moby/moby/pull/36538)
+- Fix stale HNS endpoints on Windows [moby/moby#36603](https://github.com/moby/moby/pull/36603)
+- IPAM fixes for duplicate IP addresses [docker/libnetwork#2104](https://github.com/docker/libnetwork/pull/2104) [docker/libnetwork#2105](https://github.com/docker/libnetwork/pull/2105)
 
 ### Runtime
 
@@ -101,6 +104,7 @@ https://docs.docker.com/engine/deprecated/ where you can find the target removal
 * Use chroot when mount namespaces aren't provided [moby/moby#36449](https://github.com/moby/moby/pull/36449)
 - Fix systemd slice expansion so that it could be consumed by cAdvisor [moby/moby#36449](https://github.com/moby/moby/pull/36449)
 - Fix devices mounted with wrong uid/gid [moby/moby#36449](https://github.com/moby/moby/pull/36449)
+- Fix read-only containers with IPC private mounts `/dev/shm` read-only [moby/moby#36526](https://github.com/moby/moby/pull/36526)
 
 ### Swarm Mode
 

VERSION

@@ -1 +1 @@
-18.03.0-ce-rc2
+18.03.0-ce-rc4

components/cli/VERSION

@@ -1 +1 @@
-18.03.0-ce-rc2
+18.03.0-ce-rc4

components/cli/cli/command/trust/cmd.go

@@ -9,14 +9,12 @@ import (
 // NewTrustCommand returns a cobra command for `trust` subcommands
 func NewTrustCommand(dockerCli command.Cli) *cobra.Command {
 	cmd := &cobra.Command{
-		Use:         "trust",
-		Short:       "Manage trust on Docker images (experimental)",
-		Args:        cli.NoArgs,
-		RunE:        command.ShowHelp(dockerCli.Err()),
-		Annotations: map[string]string{"experimentalCLI": ""},
+		Use:   "trust",
+		Short: "Manage trust on Docker images",
+		Args:  cli.NoArgs,
+		RunE:  command.ShowHelp(dockerCli.Err()),
 	}
 	cmd.AddCommand(
-		newViewCommand(dockerCli),
 		newRevokeCommand(dockerCli),
 		newSignCommand(dockerCli),
 		newTrustKeyCommand(dockerCli),

components/cli/cli/command/trust/inspect.go

@@ -2,6 +2,7 @@ package trust
 
 import (
 	"encoding/json"
+	"fmt"
 	"sort"
 
 	"github.com/docker/cli/cli"
@@ -11,24 +12,55 @@ import (
 	"github.com/theupdateframework/notary/tuf/data"
 )
 
+type inspectOptions struct {
+	remotes []string
+	// FIXME(n4ss): this is consistent with `docker service inspect` but we should provide
+	// a `--format` flag too. (format and pretty-print should be exclusive)
+	prettyPrint bool
+}
+
 func newInspectCommand(dockerCli command.Cli) *cobra.Command {
+	options := inspectOptions{}
 	cmd := &cobra.Command{
 		Use:   "inspect IMAGE[:TAG] [IMAGE[:TAG]...]",
 		Short: "Return low-level information about keys and signatures",
 		Args:  cli.RequiresMinArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			return runInspect(dockerCli, args)
+			options.remotes = args
+
+			return runInspect(dockerCli, options)
 		},
 	}
+
+	flags := cmd.Flags()
+	flags.BoolVar(&options.prettyPrint, "pretty", false, "Print the information in a human friendly format")
+
 	return cmd
 }
 
-func runInspect(dockerCli command.Cli, remotes []string) error {
+func runInspect(dockerCli command.Cli, opts inspectOptions) error {
+	if opts.prettyPrint {
+		var err error
+
+		for index, remote := range opts.remotes {
+			if err = prettyPrintTrustInfo(dockerCli, remote); err != nil {
+				return err
+			}
+
+			// Additional separator between the inspection output of each image
+			if index < len(opts.remotes)-1 {
+				fmt.Fprint(dockerCli.Out(), "\n\n")
+			}
+		}
+
+		return err
+	}
+
 	getRefFunc := func(ref string) (interface{}, []byte, error) {
 		i, err := getRepoTrustInfo(dockerCli, ref)
 		return nil, i, err
 	}
-	return inspect.Inspect(dockerCli.Out(), remotes, "", getRefFunc)
+	return inspect.Inspect(dockerCli.Out(), opts.remotes, "", getRefFunc)
 }
 
 func getRepoTrustInfo(cli command.Cli, remote string) ([]byte, error) {

components/cli/cli/command/trust/inspect_pretty.go

@@ -4,34 +4,21 @@ import (
 	"fmt"
 	"io"
 	"sort"
-	"strings"
 
-	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/formatter"
-	"github.com/spf13/cobra"
 	"github.com/theupdateframework/notary/client"
 )
 
-func newViewCommand(dockerCli command.Cli) *cobra.Command {
-	cmd := &cobra.Command{
-		Use:   "view IMAGE[:TAG]",
-		Short: "Display detailed information about keys and signatures",
-		Args:  cli.ExactArgs(1),
-		RunE: func(cmd *cobra.Command, args []string) error {
-			return viewTrustInfo(dockerCli, args[0])
-		},
-	}
-	return cmd
-}
-
-func viewTrustInfo(cli command.Cli, remote string) error {
+func prettyPrintTrustInfo(cli command.Cli, remote string) error {
 	signatureRows, adminRolesWithSigs, delegationRoles, err := lookupTrustInfo(cli, remote)
 	if err != nil {
 		return err
 	}
 
 	if len(signatureRows) > 0 {
+		fmt.Fprintf(cli.Out(), "\nSignatures for %s\n\n", remote)
+
 		if err := printSignatures(cli.Out(), signatureRows); err != nil {
 			return err
 		}
@@ -42,14 +29,14 @@ func viewTrustInfo(cli command.Cli, remote string) error {
 
 	// If we do not have additional signers, do not display
 	if len(signerRoleToKeyIDs) > 0 {
-		fmt.Fprintf(cli.Out(), "\nList of signers and their keys for %s:\n\n", strings.Split(remote, ":")[0])
+		fmt.Fprintf(cli.Out(), "\nList of signers and their keys for %s\n\n", remote)
 		if err := printSignerInfo(cli.Out(), signerRoleToKeyIDs); err != nil {
 			return err
 		}
 	}
 
 	// This will always have the root and targets information
-	fmt.Fprintf(cli.Out(), "\nAdministrative keys for %s:\n", strings.Split(remote, ":")[0])
+	fmt.Fprintf(cli.Out(), "\nAdministrative keys for %s\n\n", remote)
 	printSortedAdminKeys(cli.Out(), adminRolesWithSigs)
 	return nil
 }
@@ -57,7 +44,9 @@ func viewTrustInfo(cli command.Cli, remote string) error {
 func printSortedAdminKeys(out io.Writer, adminRoles []client.RoleWithSignatures) {
 	sort.Slice(adminRoles, func(i, j int) bool { return adminRoles[i].Name > adminRoles[j].Name })
 	for _, adminRole := range adminRoles {
-		fmt.Fprintf(out, "%s", formatAdminRole(adminRole))
+		if formattedAdminRole := formatAdminRole(adminRole); formattedAdminRole != "" {
+			fmt.Fprintf(out, "  %s", formattedAdminRole)
+		}
 	}
 }
 

components/cli/cli/command/trust/inspect_pretty_test.go

@@ -16,11 +16,13 @@ import (
 	"github.com/theupdateframework/notary/tuf/data"
 )
 
+// TODO(n4ss): remove common tests with the regular inspect command
+
 type fakeClient struct {
 	dockerClient.Client
 }
 
-func TestTrustViewCommandErrors(t *testing.T) {
+func TestTrustInspectPrettyCommandErrors(t *testing.T) {
 	testCases := []struct {
 		name          string
 		args          []string
@@ -28,12 +30,7 @@ func TestTrustViewCommandErrors(t *testing.T) {
 	}{
 		{
 			name:          "not-enough-args",
-			expectedError: "requires exactly 1 argument",
-		},
-		{
-			name:          "too-many-args",
-			args:          []string{"remote1", "remote2"},
-			expectedError: "requires exactly 1 argument",
+			expectedError: "requires at least 1 argument",
 		},
 		{
 			name:          "sha-reference",
@@ -47,104 +44,115 @@ func TestTrustViewCommandErrors(t *testing.T) {
 		},
 	}
 	for _, tc := range testCases {
-		cmd := newViewCommand(
+		cmd := newInspectCommand(
 			test.NewFakeCli(&fakeClient{}))
 		cmd.SetArgs(tc.args)
 		cmd.SetOutput(ioutil.Discard)
+		cmd.Flags().Set("pretty", "true")
 		testutil.ErrorContains(t, cmd.Execute(), tc.expectedError)
 	}
 }
 
-func TestTrustViewCommandOfflineErrors(t *testing.T) {
+func TestTrustInspectPrettyCommandOfflineErrors(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{})
 	cli.SetNotaryClient(getOfflineNotaryRepository)
-	cmd := newViewCommand(cli)
+	cmd := newInspectCommand(cli)
+	cmd.Flags().Set("pretty", "true")
 	cmd.SetArgs([]string{"nonexistent-reg-name.io/image"})
 	cmd.SetOutput(ioutil.Discard)
 	testutil.ErrorContains(t, cmd.Execute(), "No signatures or cannot access nonexistent-reg-name.io/image")
 
 	cli = test.NewFakeCli(&fakeClient{})
 	cli.SetNotaryClient(getOfflineNotaryRepository)
-	cmd = newViewCommand(cli)
+	cmd = newInspectCommand(cli)
+	cmd.Flags().Set("pretty", "true")
 	cmd.SetArgs([]string{"nonexistent-reg-name.io/image:tag"})
 	cmd.SetOutput(ioutil.Discard)
 	testutil.ErrorContains(t, cmd.Execute(), "No signatures or cannot access nonexistent-reg-name.io/image")
 }
 
-func TestTrustViewCommandUninitializedErrors(t *testing.T) {
+func TestTrustInspectPrettyCommandUninitializedErrors(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{})
 	cli.SetNotaryClient(getUninitializedNotaryRepository)
-	cmd := newViewCommand(cli)
+	cmd := newInspectCommand(cli)
+	cmd.Flags().Set("pretty", "true")
 	cmd.SetArgs([]string{"reg/unsigned-img"})
 	cmd.SetOutput(ioutil.Discard)
 	testutil.ErrorContains(t, cmd.Execute(), "No signatures or cannot access reg/unsigned-img")
 
 	cli = test.NewFakeCli(&fakeClient{})
 	cli.SetNotaryClient(getUninitializedNotaryRepository)
-	cmd = newViewCommand(cli)
+	cmd = newInspectCommand(cli)
+	cmd.Flags().Set("pretty", "true")
 	cmd.SetArgs([]string{"reg/unsigned-img:tag"})
 	cmd.SetOutput(ioutil.Discard)
 	testutil.ErrorContains(t, cmd.Execute(), "No signatures or cannot access reg/unsigned-img:tag")
 }
 
-func TestTrustViewCommandEmptyNotaryRepoErrors(t *testing.T) {
+func TestTrustInspectPrettyCommandEmptyNotaryRepoErrors(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{})
 	cli.SetNotaryClient(getEmptyTargetsNotaryRepository)
-	cmd := newViewCommand(cli)
+	cmd := newInspectCommand(cli)
+	cmd.Flags().Set("pretty", "true")
 	cmd.SetArgs([]string{"reg/img:unsigned-tag"})
 	cmd.SetOutput(ioutil.Discard)
 	assert.NoError(t, cmd.Execute())
 	assert.Contains(t, cli.OutBuffer().String(), "No signatures for reg/img:unsigned-tag")
-	assert.Contains(t, cli.OutBuffer().String(), "Administrative keys for reg/img:")
+	assert.Contains(t, cli.OutBuffer().String(), "Administrative keys for reg/img")
 
 	cli = test.NewFakeCli(&fakeClient{})
 	cli.SetNotaryClient(getEmptyTargetsNotaryRepository)
-	cmd = newViewCommand(cli)
+	cmd = newInspectCommand(cli)
+	cmd.Flags().Set("pretty", "true")
 	cmd.SetArgs([]string{"reg/img"})
 	cmd.SetOutput(ioutil.Discard)
 	assert.NoError(t, cmd.Execute())
 	assert.Contains(t, cli.OutBuffer().String(), "No signatures for reg/img")
-	assert.Contains(t, cli.OutBuffer().String(), "Administrative keys for reg/img:")
+	assert.Contains(t, cli.OutBuffer().String(), "Administrative keys for reg/img")
 }
 
-func TestTrustViewCommandFullRepoWithoutSigners(t *testing.T) {
+func TestTrustInspectPrettyCommandFullRepoWithoutSigners(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{})
 	cli.SetNotaryClient(getLoadedWithNoSignersNotaryRepository)
-	cmd := newViewCommand(cli)
+	cmd := newInspectCommand(cli)
+	cmd.Flags().Set("pretty", "true")
 	cmd.SetArgs([]string{"signed-repo"})
 	assert.NoError(t, cmd.Execute())
 
-	golden.Assert(t, cli.OutBuffer().String(), "trust-view-full-repo-no-signers.golden")
+	golden.Assert(t, cli.OutBuffer().String(), "trust-inspect-pretty-full-repo-no-signers.golden")
 }
 
-func TestTrustViewCommandOneTagWithoutSigners(t *testing.T) {
+func TestTrustInspectPrettyCommandOneTagWithoutSigners(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{})
 	cli.SetNotaryClient(getLoadedWithNoSignersNotaryRepository)
-	cmd := newViewCommand(cli)
+	cmd := newInspectCommand(cli)
+	cmd.Flags().Set("pretty", "true")
 	cmd.SetArgs([]string{"signed-repo:green"})
 	assert.NoError(t, cmd.Execute())
 
-	golden.Assert(t, cli.OutBuffer().String(), "trust-view-one-tag-no-signers.golden")
+	golden.Assert(t, cli.OutBuffer().String(), "trust-inspect-pretty-one-tag-no-signers.golden")
 }
 
-func TestTrustViewCommandFullRepoWithSigners(t *testing.T) {
+func TestTrustInspectPrettyCommandFullRepoWithSigners(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{})
 	cli.SetNotaryClient(getLoadedNotaryRepository)
-	cmd := newViewCommand(cli)
+	cmd := newInspectCommand(cli)
+	cmd.Flags().Set("pretty", "true")
 	cmd.SetArgs([]string{"signed-repo"})
 	assert.NoError(t, cmd.Execute())
 
-	golden.Assert(t, cli.OutBuffer().String(), "trust-view-full-repo-with-signers.golden")
+	golden.Assert(t, cli.OutBuffer().String(), "trust-inspect-pretty-full-repo-with-signers.golden")
 }
 
-func TestTrustViewCommandUnsignedTagInSignedRepo(t *testing.T) {
+func TestTrustInspectPrettyCommandUnsignedTagInSignedRepo(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{})
 	cli.SetNotaryClient(getLoadedNotaryRepository)
-	cmd := newViewCommand(cli)
+	cmd := newInspectCommand(cli)
+	cmd.Flags().Set("pretty", "true")
 	cmd.SetArgs([]string{"signed-repo:unsigned"})
 	assert.NoError(t, cmd.Execute())
 
-	golden.Assert(t, cli.OutBuffer().String(), "trust-view-unsigned-tag-with-signers.golden")
+	golden.Assert(t, cli.OutBuffer().String(), "trust-inspect-pretty-unsigned-tag-with-signers.golden")
 }
 
 func TestNotaryRoleToSigner(t *testing.T) {

components/cli/cli/command/trust/inspect_test.go

@@ -18,12 +18,7 @@ func TestTrustInspectCommandErrors(t *testing.T) {
 	}{
 		{
 			name:          "not-enough-args",
-			expectedError: "requires exactly 1 argument",
-		},
-		{
-			name:          "too-many-args",
-			args:          []string{"remote1", "remote2"},
-			expectedError: "requires exactly 1 argument",
+			expectedError: "requires at least 1 argument",
 		},
 		{
 			name:          "sha-reference",
@@ -37,8 +32,9 @@ func TestTrustInspectCommandErrors(t *testing.T) {
 		},
 	}
 	for _, tc := range testCases {
-		cmd := newViewCommand(
+		cmd := newInspectCommand(
 			test.NewFakeCli(&fakeClient{}))
+		cmd.Flags().Set("pretty", "true")
 		cmd.SetArgs(tc.args)
 		cmd.SetOutput(ioutil.Discard)
 		testutil.ErrorContains(t, cmd.Execute(), tc.expectedError)

components/cli/cli/command/trust/key.go

@@ -10,7 +10,7 @@ import (
 func newTrustKeyCommand(dockerCli command.Streams) *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "key",
-		Short: "Manage keys for signing Docker images (experimental)",
+		Short: "Manage keys for signing Docker images",
 		Args:  cli.NoArgs,
 		RunE:  command.ShowHelp(dockerCli.Err()),
 	}

components/cli/cli/command/trust/signer.go

@@ -10,7 +10,7 @@ import (
 func newTrustSignerCommand(dockerCli command.Cli) *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "signer",
-		Short: "Manage entities who can sign Docker images (experimental)",
+		Short: "Manage entities who can sign Docker images",
 		Args:  cli.NoArgs,
 		RunE:  command.ShowHelp(dockerCli.Err()),
 	}

components/cli/cli/command/trust/testdata/trust-inspect-pretty-full-repo-no-signers.golden

@@ -1,6 +1,10 @@
+
+Signatures for signed-repo
+
 SIGNED TAG          DIGEST                     SIGNERS
 green               677265656e2d646967657374   (Repo Admin)
 
-Administrative keys for signed-repo:
-Repository Key:	targetsID
-Root Key:	rootID
+Administrative keys for signed-repo
+
+  Repository Key:	targetsID
+  Root Key:	rootID

components/cli/cli/command/trust/testdata/trust-inspect-pretty-full-repo-with-signers.golden

@@ -1,14 +1,18 @@
+
+Signatures for signed-repo
+
 SIGNED TAG          DIGEST                     SIGNERS
 blue                626c75652d646967657374     alice
 green               677265656e2d646967657374   (Repo Admin)
 red                 7265642d646967657374       alice, bob
 
-List of signers and their keys for signed-repo:
+List of signers and their keys for signed-repo
 
 SIGNER              KEYS
 alice               A
 bob                 B
 
-Administrative keys for signed-repo:
-Repository Key:	targetsID
-Root Key:	rootID
+Administrative keys for signed-repo
+
+  Repository Key:	targetsID
+  Root Key:	rootID

components/cli/cli/command/trust/testdata/trust-inspect-pretty-one-tag-no-signers.golden

@@ -0,0 +1,10 @@
+
+Signatures for signed-repo:green
+
+SIGNED TAG          DIGEST                     SIGNERS
+green               677265656e2d646967657374   (Repo Admin)
+
+Administrative keys for signed-repo:green
+
+  Repository Key:	targetsID
+  Root Key:	rootID

components/cli/cli/command/trust/testdata/trust-inspect-pretty-unsigned-tag-with-signers.golden

@@ -0,0 +1,14 @@
+
+No signatures for signed-repo:unsigned
+
+
+List of signers and their keys for signed-repo:unsigned
+
+SIGNER              KEYS
+alice               A
+bob                 B
+
+Administrative keys for signed-repo:unsigned
+
+  Repository Key:	targetsID
+  Root Key:	rootID

components/cli/cli/command/trust/testdata/trust-view-one-tag-no-signers.golden

@@ -1,6 +0,0 @@
-SIGNED TAG          DIGEST                     SIGNERS
-green               677265656e2d646967657374   (Repo Admin)
-
-Administrative keys for signed-repo:
-Repository Key:	targetsID
-Root Key:	rootID

components/cli/cli/command/trust/testdata/trust-view-unsigned-tag-with-signers.golden

@@ -1,13 +0,0 @@
-
-No signatures for signed-repo:unsigned
-
-
-List of signers and their keys for signed-repo:
-
-SIGNER              KEYS
-alice               A
-bob                 B
-
-Administrative keys for signed-repo:
-Repository Key:	targetsID
-Root Key:	rootID

components/cli/contrib/completion/bash/docker

@@ -4713,9 +4713,9 @@ _docker_tag() {
 
 _docker_trust() {
 	local subcommands="
+		inspect
 		revoke
 		sign
-		view
 	"
 	__docker_subcommands "$subcommands" && return
 
@@ -4729,6 +4729,20 @@ _docker_trust() {
 	esac
 }
 
+_docker_trust_inspect() {
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help --pretty" -- "$cur" ) )
+			;;
+		*)
+			local counter=$(__docker_pos_first_nonflag)
+			if [ "$cword" -eq "$counter" ]; then
+				__docker_complete_images --repo --tag
+			fi
+			;;
+	esac
+}
+
 _docker_trust_revoke() {
 	case "$cur" in
 		-*)
@@ -4757,20 +4771,6 @@ _docker_trust_sign() {
 	esac
 }
 
-_docker_trust_view() {
-	case "$cur" in
-		-*)
-			COMPREPLY=( $( compgen -W "--help" -- "$cur" ) )
-			;;
-		*)
-			local counter=$(__docker_pos_first_nonflag)
-			if [ "$cword" -eq "$counter" ]; then
-				__docker_complete_images --repo --tag
-			fi
-			;;
-	esac
-}
-
 
 _docker_unpause() {
 	_docker_container_unpause
@@ -4947,6 +4947,7 @@ _docker() {
 		stack
 		swarm
 		system
+		trust
 		volume
 	)
 
@@ -4999,7 +5000,6 @@ _docker() {
 	local experimental_commands=(
 		checkpoint
 		deploy
-		trust
 	)
 
 	local commands=(${management_commands[*]} ${top_level_commands[*]})

components/cli/docs/reference/commandline/trust_inspect.md

@@ -1,7 +1,7 @@
 ---
 title: "trust inspect"
 description: "The inspect command description and usage"
-keywords: "view, notary, trust"
+keywords: "inspect, notary, trust"
 ---
 
 <!-- This file is maintained within the docker/cli GitHub
@@ -20,6 +20,9 @@ Usage:  docker trust inspect IMAGE[:TAG] [IMAGE[:TAG]...]
 
 Return low-level information about keys and signatures
 
+Options:
+      --help            Print usage
+      --pretty          Print the information in a human friendly format
 ```
 
 ## Description
@@ -28,12 +31,6 @@ Return low-level information about keys and signatures
 This includes all image tags that are signed, who signed them, and who can sign
 new tags.
 
-`docker trust inspect` prints the trust information in a machine-readable format. Refer to
-[`docker trust view`](trust_view.md) for a human-friendly output.
-
-`docker trust inspect` is currently experimental.
-
-
 ## Examples
 
 ### Get low-level details about signatures for a single image tag
@@ -78,13 +75,13 @@ $ docker trust inspect alpine:latest
 ]
 ```
 
-The `SignedTags` key will list the `SignedTag` name, its `Digest`, and the `Signers` responsible for the signature.
+The `SignedTags` key will list the `SignedTag` name, its `Digest`,
+and the `Signers` responsible for the signature.
 
 `AdministrativeKeys` will list the `Repository` and `Root` keys.
 
-This format mirrors the output of `docker trust view` 
-
-If signers are set up for the repository via other `docker trust` commands, `docker trust inspect` includes a `Signers` key:
+If signers are set up for the repository via other `docker trust`
+commands, `docker trust inspect` includes a `Signers` key:
 
 ```bash
 $ docker trust inspect my-image:purple
@@ -156,14 +153,16 @@ $ docker trust inspect my-image:purple
 ]
 ```
 
-If the image tag is unsigned or unavailable, `docker trust inspect` does not display any signed tags.
+If the image tag is unsigned or unavailable, `docker trust inspect` does not
+display any signed tags.
 
 ```bash
 $ docker trust inspect unsigned-img
 No signatures or cannot access unsigned-img
 ```
 
-However, if other tags are signed in the same image repository, `docker trust inspect` reports relevant key information:
+However, if other tags are signed in the same image repository,
+`docker trust inspect` reports relevant key information:
 
 ```bash
 $ docker trust inspect alpine:unsigned
@@ -195,7 +194,8 @@ $ docker trust inspect alpine:unsigned
 
 ### Get details about signatures for all image tags in a repository
 
-If no tag is specified, `docker trust inspect` will report details for all signed tags in the repository:
+If no tag is specified, `docker trust inspect` will report details for all
+signed tags in the repository:
 
 ```bash
 $ docker trust inspect alpine
@@ -258,7 +258,8 @@ $ docker trust inspect alpine
 
 ### Get details about signatures for multiple images
 
-`docker trust inspect` can take multiple repositories and images as arguments, and reports the results in an ordered list:
+`docker trust inspect` can take multiple repositories and images as arguments,
+and reports the results in an ordered list:
 
 ```bash
 $ docker trust inspect alpine notary
@@ -362,3 +363,108 @@ $ docker trust inspect alpine notary
     }
 ]
 ```
+
+### Formatting
+
+You can print the inspect output in a human-readable format instead of the default
+JSON output, by using the `--pretty` option:
+
+### Get details about signatures for a single image tag
+
+```bash
+$ docker trust inspect --pretty alpine:latest
+
+SIGNED TAG          DIGEST                                                             SIGNERS
+latest              1072e499f3f655a032e88542330cf75b02e7bdf673278f701d7ba61629ee3ebe   (Repo Admin)
+
+Administrative keys for alpine:latest:
+Repository Key:	5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd
+Root Key:	a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce
+```
+
+The `SIGNED TAG` is the signed image tag with a unique content-addressable
+`DIGEST`. `SIGNERS` lists all entities who have signed.
+
+The administrative keys listed specify the root key of trust, as well as
+the administrative repository key. These keys are responsible for modifying
+signers, and rotating keys for the signed repository.
+
+If signers are set up for the repository via other `docker trust` commands,
+`docker trust inspect --pretty` displays them appropriately as a `SIGNER`
+and specify their `KEYS`:
+
+```bash
+$ docker trust inspect --pretty my-image:purple
+SIGNED TAG          DIGEST                                                              SIGNERS
+purple              941d3dba358621ce3c41ef67b47cf80f701ff80cdf46b5cc86587eaebfe45557    alice, bob, carol
+
+List of signers and their keys:
+
+SIGNER              KEYS
+alice               47caae5b3e61, a85aab9d20a4
+bob                 034370bcbd77, 82a66673242c
+carol               b6f9f8e1aab0
+
+Administrative keys for my-image:
+Repository Key:	27df2c8187e7543345c2e0bf3a1262e0bc63a72754e9a7395eac3f747ec23a44
+Root Key:	40b66ccc8b176be8c7d365a17f3e046d1c3494e053dd57cfeacfe2e19c4f8e8f
+```
+
+However, if other tags are signed in the same image repository,
+`docker trust inspect` reports relevant key information.
+
+```bash
+$ docker trust inspect --pretty alpine:unsigned
+
+No signatures for alpine:unsigned
+
+
+Administrative keys for alpine:unsigned:
+Repository Key:	5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd
+Root Key:	a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce
+```
+
+### Get details about signatures for all image tags in a repository
+
+```bash
+$ docker trust inspect --pretty alpine
+SIGNED TAG          DIGEST                                                             SIGNERS
+2.6                 9ace551613070689a12857d62c30ef0daa9a376107ec0fff0e34786cedb3399b   (Repo Admin)
+2.7                 9f08005dff552038f0ad2f46b8e65ff3d25641747d3912e3ea8da6785046561a   (Repo Admin)
+3.1                 d9477888b78e8c6392e0be8b2e73f8c67e2894ff9d4b8e467d1488fcceec21c8   (Repo Admin)
+3.2                 19826d59171c2eb7e90ce52bfd822993bef6a6fe3ae6bb4a49f8c1d0a01e99c7   (Repo Admin)
+3.3                 8fd4b76819e1e5baac82bd0a3d03abfe3906e034cc5ee32100d12aaaf3956dc7   (Repo Admin)
+3.4                 833ad81ace8277324f3ca8c91c02bdcf1d13988d8ecf8a3f97ecdd69d0390ce9   (Repo Admin)
+3.5                 af2a5bd2f8de8fc1ecabf1c76611cdc6a5f1ada1a2bdd7d3816e121b70300308   (Repo Admin)
+3.6                 1072e499f3f655a032e88542330cf75b02e7bdf673278f701d7ba61629ee3ebe   (Repo Admin)
+edge                79d50d15bd7ea48ea00cf3dd343b0e740c1afaa8e899bee475236ef338e1b53b   (Repo Admin)
+latest              1072e499f3f655a032e88542330cf75b02e7bdf673278f701d7ba61629ee3ebe   (Repo Admin)
+
+Administrative keys for alpine:
+Repository Key:	5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd
+Root Key:	a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce
+```
+
+Here's an example with signers that are set up by `docker trust` commands:
+
+```bash
+$ docker trust inspect --pretty my-image
+SIGNED TAG          DIGEST                                                              SIGNERS
+red                 852cc04935f930a857b630edc4ed6131e91b22073bcc216698842e44f64d2943    alice
+blue                f1c38dbaeeb473c36716f6494d803fbfbe9d8a76916f7c0093f227821e378197    alice, bob
+green               cae8fedc840f90c8057e1c24637d11865743ab1e61a972c1c9da06ec2de9a139    alice, bob
+yellow              9cc65fc3126790e683d1b92f307a71f48f75fa7dd47a7b03145a123eaf0b45ba    carol
+purple              941d3dba358621ce3c41ef67b47cf80f701ff80cdf46b5cc86587eaebfe45557    alice, bob, carol
+orange              d6c271baa6d271bcc24ef1cbd65abf39123c17d2e83455bdab545a1a9093fc1c    alice
+
+List of signers and their keys for my-image:
+
+SIGNER              KEYS
+alice               47caae5b3e61, a85aab9d20a4
+bob                 034370bcbd77, 82a66673242c
+carol               b6f9f8e1aab0
+
+Administrative keys for my-image:
+Repository Key:	27df2c8187e7543345c2e0bf3a1262e0bc63a72754e9a7395eac3f747ec23a44
+Root Key:	40b66ccc8b176be8c7d365a17f3e046d1c3494e053dd57cfeacfe2e19c4f8e8f
+```

components/cli/docs/reference/commandline/trust_key_generate.md

@@ -1,7 +1,7 @@
 ---
 title: "key generate"
 description: "The key generate command description and usage"
-keywords: "Key, notary, trust"
+keywords: "key, notary, trust"
 ---
 
 <!-- This file is maintained within the docker/cli Github
@@ -30,8 +30,6 @@ Options:
 `docker trust key generate` generates a key-pair to be used with signing,
  and loads the private key into the local docker trust keystore.
 
-`docker trust key generate` is currently experimental.
-
 ## Examples
 
 ### Generate a key-pair

components/cli/docs/reference/commandline/trust_key_load.md

@@ -1,7 +1,7 @@
 ---
 title: "key load"
 description: "The key load command description and usage"
-keywords: "Key, notary, trust"
+keywords: "key, notary, trust"
 ---
 
 <!-- This file is maintained within the docker/cli Github
@@ -29,8 +29,6 @@ Options:
 
 `docker trust key load` adds private keys to the local docker trust keystore. To add a signer to a repository use `docker trust signer add`.
 
-`docker trust key load` is currently experimental.
-
 ## Examples
 
 ### Load a single private key

components/cli/docs/reference/commandline/trust_revoke.md

@@ -29,8 +29,6 @@ Options:
 
 `docker trust revoke` removes signatures from tags in signed repositories.
 
-`docker trust revoke` is currently experimental.
-
 ## Examples
 
 ### Revoke signatures from a signed tag

components/cli/docs/reference/commandline/trust_sign.md

@@ -30,8 +30,6 @@ Options:
 
 `docker trust sign` adds signatures to tags to create signed repositories.
 
-`docker trust sign` is currently experimental.
-
 ## Examples
 
 ### Sign a tag as a repo admin

components/cli/docs/reference/commandline/trust_signer_add.md

@@ -29,8 +29,6 @@ Options:
 
 `docker trust signer add` adds signers to signed repositories.
 
-`docker trust signer add` is currently experimental.
-
 ## Examples
 
 ### Add a signer to a repo

components/cli/docs/reference/commandline/trust_signer_remove.md

@@ -29,8 +29,6 @@ Options:
 
 `docker trust signer remove` removes signers from signed repositories.
 
-`docker trust signer remove` is currently experimental.
-
 ## Examples
 
 ### Remove a signer from a repo

components/cli/docs/reference/commandline/trust_view.md

@@ -1,138 +0,0 @@
----
-title: "trust view"
-description: "The view command description and usage"
-keywords: "view, notary, trust"
----
-
-<!-- This file is maintained within the docker/cli GitHub
-     repository at https://github.com/docker/cli/. Make all
-     pull requests against that repo. If you see this file in
-     another repository, consider it read-only there, as it will
-     periodically be overwritten by the definitive file. Pull
-     requests which include edits to this file in other repositories
-     will be rejected.
--->
-
-# trust view
-
-```markdown
-Usage:  docker trust view IMAGE[:TAG]
-
-Display detailed information about keys and signatures
-
-```
-
-## Description
-
-`docker trust view` provides detailed information on signed repositories.
-This includes all image tags that are signed, who signed them, and who can sign
-new tags.
-
-By default, `docker trust view` renders results in a table.
-
-`docker trust view` is currently experimental.
-
-
-## Examples
-
-### Get details about signatures for a single image tag
-
-
-```bash
-$ docker trust view alpine:latest
-
-SIGNED TAG          DIGEST                                                             SIGNERS
-latest              1072e499f3f655a032e88542330cf75b02e7bdf673278f701d7ba61629ee3ebe   (Repo Admin)
-
-Administrative keys for alpine:latest:
-Repository Key:	5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd
-Root Key:	a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce
-```
-
-The `SIGNED TAG` is the signed image tag with a unique content-addressable `DIGEST`. `SIGNERS` lists all entities who have signed.
-
-The administrative keys listed specify the root key of trust, as well as the administrative repository key. These keys are responsible for modifying signers, and rotating keys for the signed repository.
-
-If signers are set up for the repository via other `docker trust` commands, `docker trust view` displays them appropriately as a `SIGNER` and specify their `KEYS`:
-
-```bash
-$ docker trust view my-image:purple
-SIGNED TAG          DIGEST                                                              SIGNERS
-purple              941d3dba358621ce3c41ef67b47cf80f701ff80cdf46b5cc86587eaebfe45557    alice, bob, carol
-
-List of signers and their keys:
-
-SIGNER              KEYS
-alice               47caae5b3e61, a85aab9d20a4
-bob                 034370bcbd77, 82a66673242c
-carol               b6f9f8e1aab0
-
-Administrative keys for my-image:
-Repository Key:	27df2c8187e7543345c2e0bf3a1262e0bc63a72754e9a7395eac3f747ec23a44
-Root Key:	40b66ccc8b176be8c7d365a17f3e046d1c3494e053dd57cfeacfe2e19c4f8e8f
-```
-
-If the image tag is unsigned or unavailable, `docker trust view` does not display any signed tags.
-
-```bash
-$ docker trust view unsigned-img
-No signatures or cannot access unsigned-img
-```
-
-However, if other tags are signed in the same image repository, `docker trust view` reports relevant key information.
-
-```bash
-$ docker trust view alpine:unsigned
-
-No signatures for alpine:unsigned
-
-
-Administrative keys for alpine:unsigned:
-Repository Key:	5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd
-Root Key:	a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce
-```
-
-### Get details about signatures for all image tags in a repository
-
-```bash
-$ docker trust view alpine
-SIGNED TAG          DIGEST                                                             SIGNERS
-2.6                 9ace551613070689a12857d62c30ef0daa9a376107ec0fff0e34786cedb3399b   (Repo Admin)
-2.7                 9f08005dff552038f0ad2f46b8e65ff3d25641747d3912e3ea8da6785046561a   (Repo Admin)
-3.1                 d9477888b78e8c6392e0be8b2e73f8c67e2894ff9d4b8e467d1488fcceec21c8   (Repo Admin)
-3.2                 19826d59171c2eb7e90ce52bfd822993bef6a6fe3ae6bb4a49f8c1d0a01e99c7   (Repo Admin)
-3.3                 8fd4b76819e1e5baac82bd0a3d03abfe3906e034cc5ee32100d12aaaf3956dc7   (Repo Admin)
-3.4                 833ad81ace8277324f3ca8c91c02bdcf1d13988d8ecf8a3f97ecdd69d0390ce9   (Repo Admin)
-3.5                 af2a5bd2f8de8fc1ecabf1c76611cdc6a5f1ada1a2bdd7d3816e121b70300308   (Repo Admin)
-3.6                 1072e499f3f655a032e88542330cf75b02e7bdf673278f701d7ba61629ee3ebe   (Repo Admin)
-edge                79d50d15bd7ea48ea00cf3dd343b0e740c1afaa8e899bee475236ef338e1b53b   (Repo Admin)
-latest              1072e499f3f655a032e88542330cf75b02e7bdf673278f701d7ba61629ee3ebe   (Repo Admin)
-
-Administrative keys for alpine:
-Repository Key:	5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd
-Root Key:	a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce
-```
-
-Here's an example with signers that are set up by `docker trust` commands:
-
-```bash
-$ docker trust view my-image
-SIGNED TAG          DIGEST                                                              SIGNERS
-red                 852cc04935f930a857b630edc4ed6131e91b22073bcc216698842e44f64d2943    alice
-blue                f1c38dbaeeb473c36716f6494d803fbfbe9d8a76916f7c0093f227821e378197    alice, bob
-green               cae8fedc840f90c8057e1c24637d11865743ab1e61a972c1c9da06ec2de9a139    alice, bob
-yellow              9cc65fc3126790e683d1b92f307a71f48f75fa7dd47a7b03145a123eaf0b45ba    carol
-purple              941d3dba358621ce3c41ef67b47cf80f701ff80cdf46b5cc86587eaebfe45557    alice, bob, carol
-orange              d6c271baa6d271bcc24ef1cbd65abf39123c17d2e83455bdab545a1a9093fc1c    alice
-
-List of signers and their keys for my-image:
-
-SIGNER              KEYS
-alice               47caae5b3e61, a85aab9d20a4
-bob                 034370bcbd77, 82a66673242c
-carol               b6f9f8e1aab0
-
-Administrative keys for my-image:
-Repository Key:	27df2c8187e7543345c2e0bf3a1262e0bc63a72754e9a7395eac3f747ec23a44
-Root Key:	40b66ccc8b176be8c7d365a17f3e046d1c3494e053dd57cfeacfe2e19c4f8e8f
-```

components/engine/daemon/network.go

@@ -222,6 +222,8 @@ func (daemon *Daemon) releaseIngress(id string) {
 		return
 	}
 
+	daemon.deleteLoadBalancerSandbox(n)
+
 	if err := n.Delete(); err != nil {
 		logrus.Errorf("Failed to delete ingress network %s: %v", n.ID(), err)
 		return

components/engine/daemon/oci_linux.go

@@ -667,7 +667,7 @@ func setMounts(daemon *Daemon, s *specs.Spec, c *container.Container, mounts []c
 	if s.Root.Readonly {
 		for i, m := range s.Mounts {
 			switch m.Destination {
-			case "/proc", "/dev/pts", "/dev/mqueue", "/dev":
+			case "/proc", "/dev/pts", "/dev/shm", "/dev/mqueue", "/dev":
 				continue
 			}
 			if _, ok := userMounts[m.Destination]; !ok {

components/engine/daemon/oci_linux_test.go

@@ -48,3 +48,41 @@ func TestTmpfsDevShmNoDupMount(t *testing.T) {
 	err = setMounts(&d, &s, c, ms)
 	assert.NoError(t, err)
 }
+
+// TestIpcPrivateVsReadonly checks that in case of IpcMode: private
+// and ReadonlyRootfs: true (as in "docker run --ipc private --read-only")
+// the resulting /dev/shm mount is NOT made read-only.
+// https://github.com/moby/moby/issues/36503
+func TestIpcPrivateVsReadonly(t *testing.T) {
+	d := Daemon{
+		// some empty structs to avoid getting a panic
+		// caused by a null pointer dereference
+		idMappings:  &idtools.IDMappings{},
+		configStore: &config.Config{},
+	}
+	c := &container.Container{
+		HostConfig: &containertypes.HostConfig{
+			IpcMode:        containertypes.IpcMode("private"),
+			ReadonlyRootfs: true,
+		},
+	}
+
+	// We can't call createSpec() so mimick the minimal part
+	// of its code flow, just enough to reproduce the issue.
+	ms, err := d.setupMounts(c)
+	assert.NoError(t, err)
+
+	s := oci.DefaultSpec()
+	s.Root.Readonly = c.HostConfig.ReadonlyRootfs
+
+	err = setMounts(&d, &s, c, ms)
+	assert.NoError(t, err)
+
+	// Find the /dev/shm mount in ms, check it does not have ro
+	for _, m := range s.Mounts {
+		if m.Destination != "/dev/shm" {
+			continue
+		}
+		assert.Equal(t, false, inSlice(m.Options, "ro"))
+	}
+}

components/engine/hack/dockerfile/install/containerd.installer

@@ -14,10 +14,15 @@ install_containerd() {
 
 	(
 
-		if [ "$1" == "static" ]; then
-			export BUILDTAGS='static_build netgo'
-			export EXTRA_FLAGS='-buildmod pie'
-			export EXTRA_LDFLAGS='-extldflags "-fno-PIC -static"'
+		export BUILDTAGS='static_build netgo'
+		export EXTRA_FLAGS='-buildmode=pie'
+		export EXTRA_LDFLAGS='-extldflags "-fno-PIC -static"'
+
+		# Reset build flags to nothing if we want a dynbinary
+		if [ "$1" == "dynamic" ]; then
+			export BUILDTAGS=''
+			export EXTRA_FLAGS=''
+			export EXTRA_LDFLAGS=''
 		fi
 
 		make

components/engine/hack/dockerfile/install/proxy.installer

@@ -3,7 +3,7 @@
 # LIBNETWORK_COMMIT is used to build the docker-userland-proxy binary. When
 # updating the binary version, consider updating github.com/docker/libnetwork
 # in vendor.conf accordingly
-LIBNETWORK_COMMIT=ed2130d117c11c542327b4d5216a5db36770bc65
+LIBNETWORK_COMMIT=1b91bc94094ecfdae41daa465cc0c8df37dfb3dd
 
 install_proxy() {
 	case "$1" in
@@ -23,6 +23,7 @@ install_proxy() {
 
 install_proxy_dynamic() {
 	export PROXY_LDFLAGS="-linkmode=external" install_proxy
+	export BUILD_MODE="-buildmode=pie"
 	_install_proxy
 }
 
@@ -31,7 +32,7 @@ _install_proxy() {
 	git clone https://github.com/docker/libnetwork.git "$GOPATH/src/github.com/docker/libnetwork"
 	cd "$GOPATH/src/github.com/docker/libnetwork"
 	git checkout -q "$LIBNETWORK_COMMIT"
-	go build -buildmode=pie -ldflags="$PROXY_LDFLAGS" -o ${PREFIX}/docker-proxy github.com/docker/libnetwork/cmd/proxy
+	go build $BUILD_MODE -ldflags="$PROXY_LDFLAGS" -o ${PREFIX}/docker-proxy github.com/docker/libnetwork/cmd/proxy
 }
 
 

components/engine/hack/dockerfile/install/runc.installer

@@ -11,7 +11,12 @@ install_runc() {
 	git clone https://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc"
 	cd "$GOPATH/src/github.com/opencontainers/runc"
 	git checkout -q "$RUNC_COMMIT"
-	make BUILDTAGS="$RUNC_BUILDTAGS" $1
+	if [ -z "$1" ]; then
+		target=static
+	else
+		target="$1"
+	fi
+	make BUILDTAGS="$RUNC_BUILDTAGS" "$target"
 	mkdir -p ${PREFIX}
 	cp runc ${PREFIX}/docker-runc
 }

components/engine/integration-cli/docker_cli_events_unix_test.go

@@ -49,7 +49,7 @@ func (s *DockerSuite) TestEventsRedirectStdout(c *check.C) {
 }
 
 func (s *DockerSuite) TestEventsOOMDisableFalse(c *check.C) {
-	testRequires(c, DaemonIsLinux, oomControl, memoryLimitSupport, swapMemorySupport)
+	testRequires(c, DaemonIsLinux, oomControl, memoryLimitSupport, swapMemorySupport, NotPpc64le)
 
 	errChan := make(chan error)
 	go func() {
@@ -79,7 +79,7 @@ func (s *DockerSuite) TestEventsOOMDisableFalse(c *check.C) {
 }
 
 func (s *DockerSuite) TestEventsOOMDisableTrue(c *check.C) {
-	testRequires(c, DaemonIsLinux, oomControl, memoryLimitSupport, NotArm, swapMemorySupport)
+	testRequires(c, DaemonIsLinux, oomControl, memoryLimitSupport, NotArm, swapMemorySupport, NotPpc64le)
 
 	errChan := make(chan error)
 	observer, err := newEventObserver(c)

components/engine/integration-cli/docker_cli_run_unix_test.go

@@ -615,7 +615,7 @@ func (s *DockerSuite) TestRunWithInvalidPathforBlkioDeviceWriteIOps(c *check.C)
 }
 
 func (s *DockerSuite) TestRunOOMExitCode(c *check.C) {
-	testRequires(c, memoryLimitSupport, swapMemorySupport)
+	testRequires(c, memoryLimitSupport, swapMemorySupport, NotPpc64le)
 	errChan := make(chan error)
 	go func() {
 		defer close(errChan)

components/engine/integration/network/service_test.go

@@ -36,6 +36,9 @@ func TestServiceWithPredefinedNetwork(t *testing.T) {
 		if runtime.GOARCH == "arm64" || runtime.GOARCH == "arm" {
 			config.Timeout = 50 * time.Second
 			config.Delay = 100 * time.Millisecond
+		} else {
+			config.Timeout = 30 * time.Second
+			config.Delay = 100 * time.Millisecond
 		}
 	}
 
@@ -53,6 +56,72 @@ func TestServiceWithPredefinedNetwork(t *testing.T) {
 
 }
 
+const ingressNet = "ingress"
+
+func TestServiceWithIngressNetwork(t *testing.T) {
+	defer setupTest(t)()
+	d := newSwarm(t)
+	defer d.Stop(t)
+
+	client, err := client.NewClientWithOpts(client.WithHost((d.Sock())))
+	require.NoError(t, err)
+
+	pollSettings := func(config *poll.Settings) {
+		if runtime.GOARCH == "arm64" || runtime.GOARCH == "arm" {
+			config.Timeout = 50 * time.Second
+			config.Delay = 100 * time.Millisecond
+		} else {
+			config.Timeout = 30 * time.Second
+			config.Delay = 100 * time.Millisecond
+		}
+	}
+
+	poll.WaitOn(t, swarmIngressReady(client), pollSettings)
+
+	var instances uint64 = 1
+	serviceName := "TestIngressService"
+	serviceSpec := swarmServiceSpec(serviceName, instances)
+	serviceSpec.TaskTemplate.Networks = append(serviceSpec.TaskTemplate.Networks, swarm.NetworkAttachmentConfig{Target: ingressNet})
+	serviceSpec.EndpointSpec = &swarm.EndpointSpec{
+		Ports: []swarm.PortConfig{
+			{
+				Protocol:    swarm.PortConfigProtocolTCP,
+				TargetPort:  80,
+				PublishMode: swarm.PortConfigPublishModeIngress,
+			},
+		},
+	}
+
+	serviceResp, err := client.ServiceCreate(context.Background(), serviceSpec, types.ServiceCreateOptions{
+		QueryRegistry: false,
+	})
+	require.NoError(t, err)
+
+	serviceID := serviceResp.ID
+	poll.WaitOn(t, serviceRunningCount(client, serviceID, instances), pollSettings)
+
+	_, _, err = client.ServiceInspectWithRaw(context.Background(), serviceID, types.ServiceInspectOptions{})
+	require.NoError(t, err)
+
+	err = client.ServiceRemove(context.Background(), serviceID)
+	require.NoError(t, err)
+
+	poll.WaitOn(t, serviceIsRemoved(client, serviceID), pollSettings)
+	poll.WaitOn(t, noTasks(client), pollSettings)
+
+	// Ensure that "ingress" is not removed or corrupted
+	time.Sleep(10 * time.Second)
+	netInfo, err := client.NetworkInspect(context.Background(), ingressNet, types.NetworkInspectOptions{
+		Verbose: true,
+		Scope:   "swarm",
+	})
+	require.NoError(t, err, "Ingress network was removed after removing service!")
+	require.NotZero(t, len(netInfo.Containers), "No load balancing endpoints in ingress network")
+	require.NotZero(t, len(netInfo.Peers), "No peers (including self) in ingress network")
+	_, ok := netInfo.Containers["ingress-sbox"]
+	require.True(t, ok, "ingress-sbox not present in ingress network")
+}
+
 func serviceRunningCount(client client.ServiceAPIClient, serviceID string, instances uint64) func(log poll.LogT) poll.Result {
 	return func(log poll.LogT) poll.Result {
 		filter := filters.NewArgs()
@@ -68,3 +137,25 @@ func serviceRunningCount(client client.ServiceAPIClient, serviceID string, insta
 		return poll.Success()
 	}
 }
+
+func swarmIngressReady(client client.NetworkAPIClient) func(log poll.LogT) poll.Result {
+	return func(log poll.LogT) poll.Result {
+		netInfo, err := client.NetworkInspect(context.Background(), ingressNet, types.NetworkInspectOptions{
+			Verbose: true,
+			Scope:   "swarm",
+		})
+		if err != nil {
+			return poll.Error(err)
+		}
+		np := len(netInfo.Peers)
+		nc := len(netInfo.Containers)
+		if np == 0 || nc == 0 {
+			return poll.Continue("ingress not ready: %d peers and %d containers", nc, np)
+		}
+		_, ok := netInfo.Containers["ingress-sbox"]
+		if !ok {
+			return poll.Continue("ingress not ready: does not contain the ingress-sbox")
+		}
+		return poll.Success()
+	}
+}

components/engine/vendor.conf

@@ -25,7 +25,7 @@ github.com/google/go-cmp v0.1.0
 
 github.com/RackSec/srslog 456df3a81436d29ba874f3590eeeee25d666f8a5
 github.com/imdario/mergo 0.2.1
-golang.org/x/sync de49d9dcd27d4f764488181bea099dfe6179bcf0
+golang.org/x/sync fd80eb99c8f653c847d294a001bdf2a3a6f768f5
 
 github.com/moby/buildkit aaff9d591ef128560018433fe61beb802e149de8
 github.com/tonistiigi/fsutil dea3a0da73aee887fc02142d995be764106ac5e2
@@ -33,7 +33,7 @@ github.com/tonistiigi/fsutil dea3a0da73aee887fc02142d995be764106ac5e2
 #get libnetwork packages
 
 # When updating, also update LIBNETWORK_COMMIT in hack/dockerfile/install/proxy accordingly
-github.com/docker/libnetwork ed2130d117c11c542327b4d5216a5db36770bc65
+github.com/docker/libnetwork 1b91bc94094ecfdae41daa465cc0c8df37dfb3dd
 github.com/docker/go-events 9461782956ad83b30282bf90e31fa6a70c255ba9
 github.com/armon/go-radix e39d623f12e8e41c7b5529e9a9dd67a1e2261f80
 github.com/armon/go-metrics eb0af217e5e9747e41dd5303755356b62d28e3ec

components/engine/vendor/github.com/docker/libnetwork/bitseq/sequence.go

@@ -108,6 +108,12 @@ func (s *sequence) getAvailableBit(from uint64) (uint64, uint64, error) {
 		bitSel >>= 1
 		bits++
 	}
+	// Check if the loop exited because it could not
+	// find any available bit int block  starting from
+	// "from". Return invalid pos in that case.
+	if bitSel == 0 {
+		return invalidPos, invalidPos, ErrNoBitAvailable
+	}
 	return bits / 8, bits % 8, nil
 }
 
@@ -313,14 +319,14 @@ func (h *Handle) set(ordinal, start, end uint64, any bool, release bool, serial
 		curr := uint64(0)
 		h.Lock()
 		store = h.store
-		h.Unlock()
 		if store != nil {
+			h.Unlock() // The lock is acquired in the GetObject
 			if err := store.GetObject(datastore.Key(h.Key()...), h); err != nil && err != datastore.ErrKeyNotFound {
 				return ret, err
 			}
+			h.Lock() // Acquire the lock back
 		}
-
-		h.Lock()
+		logrus.Debugf("Received set for ordinal %v, start %v, end %v, any %t, release %t, serial:%v curr:%d \n", ordinal, start, end, any, release, serial, h.curr)
 		if serial {
 			curr = h.curr
 		}
@@ -346,7 +352,6 @@ func (h *Handle) set(ordinal, start, end uint64, any bool, release bool, serial
 
 		// Create a private copy of h and work on it
 		nh := h.getCopy()
-		h.Unlock()
 
 		nh.head = pushReservation(bytePos, bitPos, nh.head, release)
 		if release {
@@ -355,22 +360,25 @@ func (h *Handle) set(ordinal, start, end uint64, any bool, release bool, serial
 			nh.unselected--
 		}
 
-		// Attempt to write private copy to store
-		if err := nh.writeToStore(); err != nil {
-			if _, ok := err.(types.RetryError); !ok {
-				return ret, fmt.Errorf("internal failure while setting the bit: %v", err)
+		if h.store != nil {
+			h.Unlock()
+			// Attempt to write private copy to store
+			if err := nh.writeToStore(); err != nil {
+				if _, ok := err.(types.RetryError); !ok {
+					return ret, fmt.Errorf("internal failure while setting the bit: %v", err)
+				}
+				// Retry
+				continue
 			}
-			// Retry
-			continue
+			h.Lock()
 		}
 
 		// Previous atomic push was succesfull. Save private copy to local copy
-		h.Lock()
-		defer h.Unlock()
 		h.unselected = nh.unselected
 		h.head = nh.head
 		h.dbExists = nh.dbExists
 		h.dbIndex = nh.dbIndex
+		h.Unlock()
 		return ret, nil
 	}
 }
@@ -498,24 +506,40 @@ func (h *Handle) UnmarshalJSON(data []byte) error {
 func getFirstAvailable(head *sequence, start uint64) (uint64, uint64, error) {
 	// Find sequence which contains the start bit
 	byteStart, bitStart := ordinalToPos(start)
-	current, _, _, inBlockBytePos := findSequence(head, byteStart)
-
+	current, _, precBlocks, inBlockBytePos := findSequence(head, byteStart)
 	// Derive the this sequence offsets
 	byteOffset := byteStart - inBlockBytePos
 	bitOffset := inBlockBytePos*8 + bitStart
-	var firstOffset uint64
-	if current == head {
-		firstOffset = byteOffset
-	}
 	for current != nil {
 		if current.block != blockMAX {
+			// If the current block is not full, check if there is any bit
+			// from the current bit in the current block. If not, before proceeding to the
+			// next block node, make sure we check for available bit in the next
+			// instance of the same block. Due to RLE same block signature will be
+			// compressed.
+		retry:
 			bytePos, bitPos, err := current.getAvailableBit(bitOffset)
+			if err != nil && precBlocks == current.count-1 {
+				// This is the last instance in the same block node,
+				// so move to the next block.
+				goto next
+			}
+			if err != nil {
+				// There are some more instances of the same block, so add the offset
+				// and be optimistic that you will find the available bit in the next
+				// instance of the same block.
+				bitOffset = 0
+				byteOffset += blockBytes
+				precBlocks++
+				goto retry
+			}
 			return byteOffset + bytePos, bitPos, err
 		}
 		// Moving to next block: Reset bit offset.
+	next:
 		bitOffset = 0
-		byteOffset += (current.count * blockBytes) - firstOffset
-		firstOffset = 0
+		byteOffset += (current.count * blockBytes) - (precBlocks * blockBytes)
+		precBlocks = 0
 		current = current.next
 	}
 	return invalidPos, invalidPos, ErrNoBitAvailable
@@ -526,19 +550,20 @@ func getFirstAvailable(head *sequence, start uint64) (uint64, uint64, error) {
 // This can be further optimized to check from start till curr in case of a rollover
 func getAvailableFromCurrent(head *sequence, start, curr, end uint64) (uint64, uint64, error) {
 	var bytePos, bitPos uint64
+	var err error
 	if curr != 0 && curr > start {
-		bytePos, bitPos, _ = getFirstAvailable(head, curr)
+		bytePos, bitPos, err = getFirstAvailable(head, curr)
 		ret := posToOrdinal(bytePos, bitPos)
-		if end < ret {
+		if end < ret || err != nil {
 			goto begin
 		}
 		return bytePos, bitPos, nil
 	}
 
 begin:
-	bytePos, bitPos, _ = getFirstAvailable(head, start)
+	bytePos, bitPos, err = getFirstAvailable(head, start)
 	ret := posToOrdinal(bytePos, bitPos)
-	if end < ret {
+	if end < ret || err != nil {
 		return invalidPos, invalidPos, ErrNoBitAvailable
 	}
 	return bytePos, bitPos, nil

components/engine/vendor/github.com/docker/libnetwork/config/config.go

@@ -10,6 +10,7 @@ import (
 	"github.com/docker/libkv/store"
 	"github.com/docker/libnetwork/cluster"
 	"github.com/docker/libnetwork/datastore"
+	"github.com/docker/libnetwork/ipamutils"
 	"github.com/docker/libnetwork/netlabel"
 	"github.com/docker/libnetwork/osl"
 	"github.com/sirupsen/logrus"
@@ -40,6 +41,7 @@ type DaemonCfg struct {
 	DriverCfg              map[string]interface{}
 	ClusterProvider        cluster.Provider
 	NetworkControlPlaneMTU int
+	DefaultAddressPool     []*ipamutils.NetworkToSplit
 }
 
 // ClusterCfg represents cluster configuration
@@ -110,6 +112,13 @@ func OptionDefaultDriver(dd string) Option {
 	}
 }
 
+// OptionDefaultAddressPoolConfig function returns an option setter for default address pool
+func OptionDefaultAddressPoolConfig(addressPool []*ipamutils.NetworkToSplit) Option {
+	return func(c *Config) {
+		c.Daemon.DefaultAddressPool = addressPool
+	}
+}
+
 // OptionDriverConfig returns an option setter for driver configuration.
 func OptionDriverConfig(networkType string, config map[string]interface{}) Option {
 	return func(c *Config) {

components/engine/vendor/github.com/docker/libnetwork/controller.go

@@ -222,7 +222,7 @@ func New(cfgOptions ...config.Option) (NetworkController, error) {
 		}
 	}
 
-	if err = initIPAMDrivers(drvRegistry, nil, c.getStore(datastore.GlobalScope)); err != nil {
+	if err = initIPAMDrivers(drvRegistry, nil, c.getStore(datastore.GlobalScope), c.cfg.Daemon.DefaultAddressPool); err != nil {
 		return nil, err
 	}
 

components/engine/vendor/github.com/docker/libnetwork/drivers/bridge/bridge.go

@@ -782,7 +782,9 @@ func (d *driver) deleteNetwork(nid string) error {
 			logrus.Warn(err)
 		}
 		if link, err := d.nlh.LinkByName(ep.srcName); err == nil {
-			d.nlh.LinkDel(link)
+			if err := d.nlh.LinkDel(link); err != nil {
+				logrus.WithError(err).Errorf("Failed to delete interface (%s)'s link on endpoint (%s) delete", ep.srcName, ep.id)
+			}
 		}
 
 		if err := d.storeDelete(ep); err != nil {
@@ -969,7 +971,9 @@ func (d *driver) CreateEndpoint(nid, eid string, ifInfo driverapi.InterfaceInfo,
 	}
 	defer func() {
 		if err != nil {
-			d.nlh.LinkDel(host)
+			if err := d.nlh.LinkDel(host); err != nil {
+				logrus.WithError(err).Warnf("Failed to delete host side interface (%s)'s link", hostIfName)
+			}
 		}
 	}()
 
@@ -980,7 +984,9 @@ func (d *driver) CreateEndpoint(nid, eid string, ifInfo driverapi.InterfaceInfo,
 	}
 	defer func() {
 		if err != nil {
-			d.nlh.LinkDel(sbox)
+			if err := d.nlh.LinkDel(sbox); err != nil {
+				logrus.WithError(err).Warnf("Failed to delete sandbox side interface (%s)'s link", containerIfName)
+			}
 		}
 	}()
 
@@ -1117,7 +1123,9 @@ func (d *driver) DeleteEndpoint(nid, eid string) error {
 	// Try removal of link. Discard error: it is a best effort.
 	// Also make sure defer does not see this error either.
 	if link, err := d.nlh.LinkByName(ep.srcName); err == nil {
-		d.nlh.LinkDel(link)
+		if err := d.nlh.LinkDel(link); err != nil {
+			logrus.WithError(err).Errorf("Failed to delete interface (%s)'s link on endpoint (%s) delete", ep.srcName, ep.id)
+		}
 	}
 
 	if err := d.storeDelete(ep); err != nil {

components/engine/vendor/github.com/docker/libnetwork/drivers/ipvlan/ipvlan_endpoint.go

@@ -76,7 +76,9 @@ func (d *driver) DeleteEndpoint(nid, eid string) error {
 		return fmt.Errorf("endpoint id %q not found", eid)
 	}
 	if link, err := ns.NlHandle().LinkByName(ep.srcName); err == nil {
-		ns.NlHandle().LinkDel(link)
+		if err := ns.NlHandle().LinkDel(link); err != nil {
+			logrus.WithError(err).Warnf("Failed to delete interface (%s)'s link on endpoint (%s) delete", ep.srcName, ep.id)
+		}
 	}
 
 	if err := d.storeDelete(ep); err != nil {

components/engine/vendor/github.com/docker/libnetwork/drivers/ipvlan/ipvlan_network.go

@@ -150,7 +150,9 @@ func (d *driver) DeleteNetwork(nid string) error {
 	}
 	for _, ep := range n.endpoints {
 		if link, err := ns.NlHandle().LinkByName(ep.srcName); err == nil {
-			ns.NlHandle().LinkDel(link)
+			if err := ns.NlHandle().LinkDel(link); err != nil {
+				logrus.WithError(err).Warnf("Failed to delete interface (%s)'s link on endpoint (%s) delete", ep.srcName, ep.id)
+			}
 		}
 
 		if err := d.storeDelete(ep); err != nil {

components/engine/vendor/github.com/docker/libnetwork/drivers/macvlan/macvlan_endpoint.go

@@ -81,7 +81,9 @@ func (d *driver) DeleteEndpoint(nid, eid string) error {
 		return fmt.Errorf("endpoint id %q not found", eid)
 	}
 	if link, err := ns.NlHandle().LinkByName(ep.srcName); err == nil {
-		ns.NlHandle().LinkDel(link)
+		if err := ns.NlHandle().LinkDel(link); err != nil {
+			logrus.WithError(err).Warnf("Failed to delete interface (%s)'s link on endpoint (%s) delete", ep.srcName, ep.id)
+		}
 	}
 
 	if err := d.storeDelete(ep); err != nil {

components/engine/vendor/github.com/docker/libnetwork/drivers/macvlan/macvlan_network.go

@@ -154,7 +154,9 @@ func (d *driver) DeleteNetwork(nid string) error {
 	}
 	for _, ep := range n.endpoints {
 		if link, err := ns.NlHandle().LinkByName(ep.srcName); err == nil {
-			ns.NlHandle().LinkDel(link)
+			if err := ns.NlHandle().LinkDel(link); err != nil {
+				logrus.WithError(err).Warnf("Failed to delete interface (%s)'s link on endpoint (%s) delete", ep.srcName, ep.id)
+			}
 		}
 
 		if err := d.storeDelete(ep); err != nil {

components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/ov_network.go

@@ -242,8 +242,10 @@ func (d *driver) DeleteNetwork(nid string) error {
 
 	for _, ep := range n.endpoints {
 		if ep.ifName != "" {
-			if link, err := ns.NlHandle().LinkByName(ep.ifName); err != nil {
-				ns.NlHandle().LinkDel(link)
+			if link, err := ns.NlHandle().LinkByName(ep.ifName); err == nil {
+				if err := ns.NlHandle().LinkDel(link); err != nil {
+					logrus.WithError(err).Warnf("Failed to delete interface (%s)'s link on endpoint (%s) delete", ep.ifName, ep.id)
+				}
 			}
 		}
 

components/engine/vendor/github.com/docker/libnetwork/drivers/windows/windows.go

@@ -365,6 +365,22 @@ func (d *driver) CreateNetwork(id string, option map[string]interface{}, nInfo d
 
 		config.HnsID = hnsresponse.Id
 		genData[HNSID] = config.HnsID
+
+	} else {
+		// Delete any stale HNS endpoints for this network.
+		if endpoints, err := hcsshim.HNSListEndpointRequest(); err == nil {
+			for _, ep := range endpoints {
+				if ep.VirtualNetwork == config.HnsID {
+					logrus.Infof("Removing stale HNS endpoint %s", ep.Id)
+					_, err = hcsshim.HNSEndpointRequest("DELETE", ep.Id, "")
+					if err != nil {
+						logrus.Warnf("Error removing HNS endpoint %s", ep.Id)
+					}
+				}
+			}
+		} else {
+			logrus.Warnf("Error listing HNS endpoints for network %s", config.HnsID)
+		}
 	}
 
 	n, err := d.getNetwork(id)

components/engine/vendor/github.com/docker/libnetwork/drivers_ipam.go

@@ -6,9 +6,11 @@ import (
 	builtinIpam "github.com/docker/libnetwork/ipams/builtin"
 	nullIpam "github.com/docker/libnetwork/ipams/null"
 	remoteIpam "github.com/docker/libnetwork/ipams/remote"
+	"github.com/docker/libnetwork/ipamutils"
 )
 
-func initIPAMDrivers(r *drvregistry.DrvRegistry, lDs, gDs interface{}) error {
+func initIPAMDrivers(r *drvregistry.DrvRegistry, lDs, gDs interface{}, addressPool []*ipamutils.NetworkToSplit) error {
+	builtinIpam.SetDefaultIPAddressPool(addressPool)
 	for _, fn := range [](func(ipamapi.Callback, interface{}, interface{}) error){
 		builtinIpam.Init,
 		remoteIpam.Init,

components/engine/vendor/github.com/docker/libnetwork/ipam/allocator.go

@@ -402,15 +402,15 @@ func (a *Allocator) getPredefinedPool(as string, ipV6 bool) (*net.IPNet, error)
 			continue
 		}
 		aSpace.Lock()
-		_, ok := aSpace.subnets[SubnetKey{AddressSpace: as, Subnet: nw.String()}]
-		aSpace.Unlock()
-		if ok {
+		if _, ok := aSpace.subnets[SubnetKey{AddressSpace: as, Subnet: nw.String()}]; ok {
+			aSpace.Unlock()
 			continue
 		}
-
 		if !aSpace.contains(as, nw) {
+			aSpace.Unlock()
 			return nw, nil
 		}
+		aSpace.Unlock()
 	}
 
 	return nil, types.NotFoundErrorf("could not find an available, non-overlapping IPv%d address pool among the defaults to assign to the network", v)

components/engine/vendor/github.com/docker/libnetwork/ipams/builtin/builtin_unix.go

@@ -11,6 +11,11 @@ import (
 	"github.com/docker/libnetwork/ipamutils"
 )
 
+var (
+	// defaultAddressPool Stores user configured subnet list
+	defaultAddressPool []*ipamutils.NetworkToSplit
+)
+
 // Init registers the built-in ipam service with libnetwork
 func Init(ic ipamapi.Callback, l, g interface{}) error {
 	var (
@@ -30,7 +35,7 @@ func Init(ic ipamapi.Callback, l, g interface{}) error {
 		}
 	}
 
-	ipamutils.InitNetworks()
+	ipamutils.InitNetworks(GetDefaultIPAddressPool())
 
 	a, err := ipam.NewAllocator(localDs, globalDs)
 	if err != nil {
@@ -41,3 +46,13 @@ func Init(ic ipamapi.Callback, l, g interface{}) error {
 
 	return ic.RegisterIpamDriverWithCapabilities(ipamapi.DefaultIPAM, a, cps)
 }
+
+// SetDefaultIPAddressPool stores default address pool.
+func SetDefaultIPAddressPool(addressPool []*ipamutils.NetworkToSplit) {
+	defaultAddressPool = addressPool
+}
+
+// GetDefaultIPAddressPool returns default address pool.
+func GetDefaultIPAddressPool() []*ipamutils.NetworkToSplit {
+	return defaultAddressPool
+}

components/engine/vendor/github.com/docker/libnetwork/ipams/builtin/builtin_windows.go

@@ -13,6 +13,11 @@ import (
 	windowsipam "github.com/docker/libnetwork/ipams/windowsipam"
 )
 
+var (
+	// defaultAddressPool Stores user configured subnet list
+	defaultAddressPool []*ipamutils.NetworkToSplit
+)
+
 // InitDockerDefault registers the built-in ipam service with libnetwork
 func InitDockerDefault(ic ipamapi.Callback, l, g interface{}) error {
 	var (
@@ -32,7 +37,7 @@ func InitDockerDefault(ic ipamapi.Callback, l, g interface{}) error {
 		}
 	}
 
-	ipamutils.InitNetworks()
+	ipamutils.InitNetworks(nil)
 
 	a, err := ipam.NewAllocator(localDs, globalDs)
 	if err != nil {
@@ -55,3 +60,13 @@ func Init(ic ipamapi.Callback, l, g interface{}) error {
 
 	return initFunc(ic, l, g)
 }
+
+// SetDefaultIPAddressPool stores default address pool .
+func SetDefaultIPAddressPool(addressPool []*ipamutils.NetworkToSplit) {
+	defaultAddressPool = addressPool
+}
+
+// GetDefaultIPAddressPool returns default address pool .
+func GetDefaultIPAddressPool() []*ipamutils.NetworkToSplit {
+	return defaultAddressPool
+}

components/engine/vendor/github.com/docker/libnetwork/ipamutils/utils.go

@@ -2,8 +2,11 @@
 package ipamutils
 
 import (
+	"fmt"
 	"net"
 	"sync"
+
+	"github.com/sirupsen/logrus"
 )
 
 var (
@@ -13,38 +16,81 @@ var (
 	// PredefinedGranularNetworks contains a list of 64K IPv4 private networks with host size 8
 	// (10.x.x.x/24) which do not overlap with the networks in `PredefinedBroadNetworks`
 	PredefinedGranularNetworks []*net.IPNet
+	initNetworksOnce           sync.Once
 
-	initNetworksOnce sync.Once
+	defaultBroadNetwork = []*NetworkToSplit{{"172.17.0.0/16", 16}, {"172.18.0.0/16", 16}, {"172.19.0.0/16", 16},
+		{"172.20.0.0/14", 16}, {"172.24.0.0/14", 16}, {"172.28.0.0/14", 16},
+		{"192.168.0.0/16", 20}}
+	defaultGranularNetwork = []*NetworkToSplit{{"10.0.0.0/8", 24}}
 )
 
-// InitNetworks initializes the pre-defined networks used by the built-in IP allocator
-func InitNetworks() {
+// NetworkToSplit represent a network that has to be split in chunks with mask length Size.
+// Each subnet in the set is derived from the Base pool. Base is to be passed
+// in CIDR format.
+// Example: a Base "10.10.0.0/16 with Size 24 will define the set of 256
+// 10.10.[0-255].0/24 address pools
+type NetworkToSplit struct {
+	Base string `json:"base"`
+	Size int    `json:"size"`
+}
+
+// InitNetworks initializes the broad network pool and the granular network pool
+func InitNetworks(defaultAddressPool []*NetworkToSplit) {
 	initNetworksOnce.Do(func() {
-		PredefinedBroadNetworks = initBroadPredefinedNetworks()
-		PredefinedGranularNetworks = initGranularPredefinedNetworks()
+		// error ingnored should never fail
+		PredefinedGranularNetworks, _ = splitNetworks(defaultGranularNetwork)
+		if defaultAddressPool == nil {
+			defaultAddressPool = defaultBroadNetwork
+		}
+		var err error
+		if PredefinedBroadNetworks, err = splitNetworks(defaultAddressPool); err != nil {
+			logrus.WithError(err).Error("InitAddressPools failed to initialize the default address pool")
+		}
 	})
 }
 
-func initBroadPredefinedNetworks() []*net.IPNet {
-	pl := make([]*net.IPNet, 0, 31)
-	mask := []byte{255, 255, 0, 0}
-	for i := 17; i < 32; i++ {
-		pl = append(pl, &net.IPNet{IP: []byte{172, byte(i), 0, 0}, Mask: mask})
+// splitNetworks takes a slice of networks, split them accordingly and returns them
+func splitNetworks(list []*NetworkToSplit) ([]*net.IPNet, error) {
+	localPools := make([]*net.IPNet, 0, len(list))
+
+	for _, p := range list {
+		_, b, err := net.ParseCIDR(p.Base)
+		if err != nil {
+			return nil, fmt.Errorf("invalid base pool %q: %v", p.Base, err)
+		}
+		ones, _ := b.Mask.Size()
+		if p.Size <= 0 || p.Size < ones {
+			return nil, fmt.Errorf("invalid pools size: %d", p.Size)
+		}
+		localPools = append(localPools, splitNetwork(p.Size, b)...)
 	}
-	mask20 := []byte{255, 255, 240, 0}
-	for i := 0; i < 16; i++ {
-		pl = append(pl, &net.IPNet{IP: []byte{192, 168, byte(i << 4), 0}, Mask: mask20})
-	}
-	return pl
+	return localPools, nil
 }
 
-func initGranularPredefinedNetworks() []*net.IPNet {
-	pl := make([]*net.IPNet, 0, 256*256)
-	mask := []byte{255, 255, 255, 0}
-	for i := 0; i < 256; i++ {
-		for j := 0; j < 256; j++ {
-			pl = append(pl, &net.IPNet{IP: []byte{10, byte(i), byte(j), 0}, Mask: mask})
-		}
+func splitNetwork(size int, base *net.IPNet) []*net.IPNet {
+	one, bits := base.Mask.Size()
+	mask := net.CIDRMask(size, bits)
+	n := 1 << uint(size-one)
+	s := uint(bits - size)
+	list := make([]*net.IPNet, 0, n)
+
+	for i := 0; i < n; i++ {
+		ip := copyIP(base.IP)
+		addIntToIP(ip, uint(i<<s))
+		list = append(list, &net.IPNet{IP: ip, Mask: mask})
+	}
+	return list
+}
+
+func copyIP(from net.IP) net.IP {
+	ip := make([]byte, len(from))
+	copy(ip, from)
+	return ip
+}
+
+func addIntToIP(array net.IP, ordinal uint) {
+	for i := len(array) - 1; i >= 0; i-- {
+		array[i] |= (byte)(ordinal & 0xff)
+		ordinal >>= 8
 	}
-	return pl
 }

components/engine/vendor/github.com/docker/libnetwork/network.go

@@ -959,7 +959,7 @@ func (n *network) delete(force bool) error {
 
 	if len(n.loadBalancerIP) != 0 {
 		endpoints := n.Endpoints()
-		if force || len(endpoints) == 1 {
+		if force || (len(endpoints) == 1 && !n.ingress) {
 			n.deleteLoadBalancerSandbox()
 		}
 		//Reload the network from the store to update the epcnt.

components/engine/vendor/github.com/docker/libnetwork/service_common.go

@@ -9,6 +9,8 @@ import (
 	"github.com/sirupsen/logrus"
 )
 
+const maxSetStringLen = 350
+
 func (c *controller) addEndpointNameResolution(svcName, svcID, nID, eID, containerName string, vip net.IP, serviceAliases, taskAliases []string, ip net.IP, addService bool, method string) error {
 	n, err := c.NetworkByID(nID)
 	if err != nil {
@@ -285,7 +287,10 @@ func (c *controller) addServiceBinding(svcName, svcID, nID, eID, containerName s
 	ok, entries := s.assignIPToEndpoint(ip.String(), eID)
 	if !ok || entries > 1 {
 		setStr, b := s.printIPToEndpoint(ip.String())
-		logrus.Warnf("addServiceBinding %s possible trainsient state ok:%t entries:%d set:%t %s", eID, ok, entries, b, setStr)
+		if len(setStr) > maxSetStringLen {
+			setStr = setStr[:maxSetStringLen]
+		}
+		logrus.Warnf("addServiceBinding %s possible transient state ok:%t entries:%d set:%t %s", eID, ok, entries, b, setStr)
 	}
 
 	// Add loadbalancer service and backend in all sandboxes in
@@ -353,7 +358,10 @@ func (c *controller) rmServiceBinding(svcName, svcID, nID, eID, containerName st
 	ok, entries := s.removeIPToEndpoint(ip.String(), eID)
 	if !ok || entries > 0 {
 		setStr, b := s.printIPToEndpoint(ip.String())
-		logrus.Warnf("rmServiceBinding %s possible trainsient state ok:%t entries:%d set:%t %s", eID, ok, entries, b, setStr)
+		if len(setStr) > maxSetStringLen {
+			setStr = setStr[:maxSetStringLen]
+		}
+		logrus.Warnf("rmServiceBinding %s possible transient state ok:%t entries:%d set:%t %s", eID, ok, entries, b, setStr)
 	}
 
 	// Remove loadbalancer service(if needed) and backend in all

components/engine/vendor/github.com/docker/libnetwork/vendor.conf

@@ -1,5 +1,5 @@
 github.com/Azure/go-ansiterm d6e3b3328b783f23731bc4d058875b0371ff8109
-github.com/BurntSushi/toml f706d00e3de6abe700c994cdd545a1a4915af060
+github.com/BurntSushi/toml a368813c5e648fee92e5f6c30e3944ff9d5e8895
 github.com/Microsoft/go-winio v0.4.5
 github.com/Microsoft/hcsshim v0.6.5
 github.com/armon/go-metrics eb0af217e5e9747e41dd5303755356b62d28e3ec
@@ -50,5 +50,6 @@ github.com/vishvananda/netns 604eaf189ee867d8c147fafc28def2394e878d25
 golang.org/x/crypto 558b6879de74bc843225cde5686419267ff707ca
 golang.org/x/net 7dcfb8076726a3fdd9353b6b8a1f1b6be6811bd6
 golang.org/x/sys 07c182904dbd53199946ba614a412c61d3c548f5
+golang.org/x/sync fd80eb99c8f653c847d294a001bdf2a3a6f768f5
 github.com/pkg/errors 839d9e913e063e28dfd0e6c7b7512793e0a48be9
 github.com/ishidawataru/sctp 07191f837fedd2f13d1ec7b5f885f0f3ec54b1cb

components/engine/vendor/golang.org/x/sync/README

@@ -1,2 +0,0 @@
-This repository provides Go concurrency primitives in addition to the
-ones provided by the language and "sync" and "sync/atomic" packages.

components/engine/vendor/golang.org/x/sync/README.md

@@ -0,0 +1,18 @@
+# Go Sync
+
+This repository provides Go concurrency primitives in addition to the
+ones provided by the language and "sync" and "sync/atomic" packages.
+
+## Download/Install
+
+The easiest way to install is to run `go get -u golang.org/x/sync`. You can
+also manually git clone the repository to `$GOPATH/src/golang.org/x/sync`.
+
+## Report Issues / Send Patches
+
+This repository uses Gerrit for code changes. To learn how to submit changes to
+this repository, see https://golang.org/doc/contribute.html.
+
+The main issue tracker for the sync repository is located at
+https://github.com/golang/go/issues. Prefix your issue with "x/sync:" in the
+subject line, so it is easy to find.

components/packaging/deb/build-deb

@@ -11,7 +11,7 @@ fi
     set -e
     cd engine
     # I want to rip this install-binaries script out so badly
-    for component in tini proxy runc containerd;do
+    for component in tini "proxy dynamic" "runc all" "containerd dynamic";do
         TMP_GOPATH="/go" hack/dockerfile/install/install.sh $component
     done
 )

components/packaging/rpm/centos-7/docker-ce.spec

@@ -67,7 +67,7 @@ pushd /go/src/github.com/docker/cli
 make VERSION=%{_origversion} GITCOMMIT=%{_gitcommit} dynbinary manpages # cli
 popd
 pushd engine
-for component in tini proxy runc containerd;do
+for component in tini "proxy dynamic" "runc all" "containerd dynamic";do
     TMP_GOPATH="/go" hack/dockerfile/install/install.sh $component
 done
 VERSION=%{_origversion} hack/make.sh dynbinary

components/packaging/rpm/fedora-26/docker-ce.spec

@@ -65,7 +65,7 @@ pushd /go/src/github.com/docker/cli
 make VERSION=%{_origversion} GITCOMMIT=%{_gitcommit} dynbinary manpages # cli
 popd
 pushd engine
-for component in tini proxy runc containerd;do
+for component in tini "proxy dynamic" "runc all" "containerd dynamic";do
     TMP_GOPATH="/go" hack/dockerfile/install/install.sh $component
 done
 VERSION=%{_origversion} hack/make.sh dynbinary

components/packaging/rpm/fedora-27/docker-ce.spec

@@ -66,7 +66,7 @@ pushd /go/src/github.com/docker/cli
 make VERSION=%{_origversion} GITCOMMIT=%{_gitcommit} dynbinary manpages # cli
 popd
 pushd engine
-for component in tini proxy runc containerd;do
+for component in tini "proxy dynamic" "runc all" "containerd dynamic";do
     TMP_GOPATH="/go" hack/dockerfile/install/install.sh $component
 done
 VERSION=%{_origversion} hack/make.sh dynbinary