Merge pull request #1839 from thaJeztah/bump_engine3

bump docker/docker 92a6266c9d4f1bacbfb68d1c6b9c94f673d6cfde

appveyor.yml

@@ -4,7 +4,7 @@ clone_folder: c:\gopath\src\github.com\docker\cli
 
 environment:
   GOPATH: c:\gopath
-  GOVERSION: 1.12.1
+  GOVERSION: 1.12.4
   DEPVERSION: v0.4.1
 
 install:
@@ -20,4 +20,4 @@ build_script:
   - ps: .\scripts\make.ps1 -Binary
 
 test_script:
-  - ps: .\scripts\make.ps1 -TestUnit
+  - ps: .\scripts\make.ps1 -TestUnit

cli/command/cli.go

@@ -290,8 +290,8 @@ func newAPIClientFromEndpoint(ep docker.Endpoint, configFile *configfile.ConfigF
 	return client.NewClientWithOpts(clientOpts...)
 }
 
-func resolveDockerEndpoint(s store.Store, contextName string) (docker.Endpoint, error) {
-	ctxMeta, err := s.GetContextMetadata(contextName)
+func resolveDockerEndpoint(s store.Reader, contextName string) (docker.Endpoint, error) {
+	ctxMeta, err := s.GetMetadata(contextName)
 	if err != nil {
 		return docker.Endpoint{}, err
 	}
@@ -399,7 +399,7 @@ func (cli *DockerCli) CurrentContext() string {
 // StackOrchestrator resolves which stack orchestrator is in use
 func (cli *DockerCli) StackOrchestrator(flagValue string) (Orchestrator, error) {
 	currentContext := cli.CurrentContext()
-	ctxRaw, err := cli.ContextStore().GetContextMetadata(currentContext)
+	ctxRaw, err := cli.ContextStore().GetMetadata(currentContext)
 	if store.IsErrContextDoesNotExist(err) {
 		// case where the currentContext has been removed (CLI behavior is to fallback to using DOCKER_HOST based resolution)
 		return GetStackOrchestrator(flagValue, "", cli.ConfigFile().StackOrchestrator, cli.Err())
@@ -500,7 +500,7 @@ func UserAgent() string {
 // - if DOCKER_CONTEXT is set, use this value
 // - if Config file has a globally set "CurrentContext", use this value
 // - fallbacks to default HOST, uses TLS config from flags/env vars
-func resolveContextName(opts *cliflags.CommonOptions, config *configfile.ConfigFile, contextstore store.Store) (string, error) {
+func resolveContextName(opts *cliflags.CommonOptions, config *configfile.ConfigFile, contextstore store.Reader) (string, error) {
 	if opts.Context != "" && len(opts.Hosts) > 0 {
 		return "", errors.New("Conflicting options: either specify --host or --context, not both")
 	}
@@ -517,7 +517,7 @@ func resolveContextName(opts *cliflags.CommonOptions, config *configfile.ConfigF
 		return ctxName, nil
 	}
 	if config != nil && config.CurrentContext != "" {
-		_, err := contextstore.GetContextMetadata(config.CurrentContext)
+		_, err := contextstore.GetMetadata(config.CurrentContext)
 		if store.IsErrContextDoesNotExist(err) {
 			return "", errors.Errorf("Current context %q is not found on the file system, please check your config file at %s", config.CurrentContext, config.Filename)
 		}

cli/command/container/opts.go

@@ -485,6 +485,8 @@ func parse(flags *pflag.FlagSet, copts *containerOptions, serverOS string) (*con
 		return nil, err
 	}
 
+	securityOpts, maskedPaths, readonlyPaths := parseSystemPaths(securityOpts)
+
 	storageOpts, err := parseStorageOpts(copts.storageOpt.GetAll())
 	if err != nil {
 		return nil, err
@@ -635,6 +637,8 @@ func parse(flags *pflag.FlagSet, copts *containerOptions, serverOS string) (*con
 		Sysctls:        copts.sysctls.GetAll(),
 		Runtime:        copts.runtime,
 		Mounts:         mounts,
+		MaskedPaths:    maskedPaths,
+		ReadonlyPaths:  readonlyPaths,
 	}
 
 	if copts.autoRemove && !hostConfig.RestartPolicy.IsNone() {
@@ -825,6 +829,25 @@ func parseSecurityOpts(securityOpts []string) ([]string, error) {
 	return securityOpts, nil
 }
 
+// parseSystemPaths checks if `systempaths=unconfined` security option is set,
+// and returns the `MaskedPaths` and `ReadonlyPaths` accordingly. An updated
+// list of security options is returned with this option removed, because the
+// `unconfined` option is handled client-side, and should not be sent to the
+// daemon.
+func parseSystemPaths(securityOpts []string) (filtered, maskedPaths, readonlyPaths []string) {
+	filtered = securityOpts[:0]
+	for _, opt := range securityOpts {
+		if opt == "systempaths=unconfined" {
+			maskedPaths = []string{}
+			readonlyPaths = []string{}
+		} else {
+			filtered = append(filtered, opt)
+		}
+	}
+
+	return filtered, maskedPaths, readonlyPaths
+}
+
 // parses storage options per container into a map
 func parseStorageOpts(storageOpts []string) (map[string]string, error) {
 	m := make(map[string]string)

cli/command/container/opts_test.go

@@ -800,3 +800,57 @@ func TestValidateDevice(t *testing.T) {
 		}
 	}
 }
+
+func TestParseSystemPaths(t *testing.T) {
+	tests := []struct {
+		doc                       string
+		in, out, masked, readonly []string
+	}{
+		{
+			doc: "not set",
+			in:  []string{},
+			out: []string{},
+		},
+		{
+			doc: "not set, preserve other options",
+			in: []string{
+				"seccomp=unconfined",
+				"apparmor=unconfined",
+				"label=user:USER",
+				"foo=bar",
+			},
+			out: []string{
+				"seccomp=unconfined",
+				"apparmor=unconfined",
+				"label=user:USER",
+				"foo=bar",
+			},
+		},
+		{
+			doc:      "unconfined",
+			in:       []string{"systempaths=unconfined"},
+			out:      []string{},
+			masked:   []string{},
+			readonly: []string{},
+		},
+		{
+			doc:      "unconfined and other options",
+			in:       []string{"foo=bar", "bar=baz", "systempaths=unconfined"},
+			out:      []string{"foo=bar", "bar=baz"},
+			masked:   []string{},
+			readonly: []string{},
+		},
+		{
+			doc: "unknown option",
+			in:  []string{"foo=bar", "systempaths=unknown", "bar=baz"},
+			out: []string{"foo=bar", "systempaths=unknown", "bar=baz"},
+		},
+	}
+
+	for _, tc := range tests {
+		securityOpts, maskedPaths, readonlyPaths := parseSystemPaths(tc.in)
+		assert.DeepEqual(t, securityOpts, tc.out)
+		assert.DeepEqual(t, maskedPaths, tc.masked)
+		assert.DeepEqual(t, readonlyPaths, tc.readonly)
+	}
+}

cli/command/context.go

@@ -13,7 +13,7 @@ type DockerContext struct {
 }
 
 // GetDockerContext extracts metadata from stored context metadata
-func GetDockerContext(storeMetadata store.ContextMetadata) (DockerContext, error) {
+func GetDockerContext(storeMetadata store.Metadata) (DockerContext, error) {
 	if storeMetadata.Metadata == nil {
 		// can happen if we save endpoints before assigning a context metadata
 		// it is totally valid, and we should return a default initialized value

cli/command/context/create.go

@@ -21,6 +21,7 @@ type CreateOptions struct {
 	DefaultStackOrchestrator string
 	Docker                   map[string]string
 	Kubernetes               map[string]string
+	From                     string
 }
 
 func longCreateDescription() string {
@@ -63,6 +64,7 @@ func newCreateCommand(dockerCli command.Cli) *cobra.Command {
 		"Default orchestrator for stack operations to use with this context (swarm|kubernetes|all)")
 	flags.StringToStringVar(&opts.Docker, "docker", nil, "set the docker endpoint")
 	flags.StringToStringVar(&opts.Kubernetes, "kubernetes", nil, "set the kubernetes endpoint")
+	flags.StringVar(&opts.From, "from", "", "create context from a named context")
 	return cmd
 }
 
@@ -76,17 +78,20 @@ func RunCreate(cli command.Cli, o *CreateOptions) error {
 	if err != nil {
 		return errors.Wrap(err, "unable to parse default-stack-orchestrator")
 	}
-	contextMetadata := store.ContextMetadata{
-		Endpoints: make(map[string]interface{}),
-		Metadata: command.DockerContext{
-			Description:       o.Description,
-			StackOrchestrator: stackOrchestrator,
-		},
-		Name: o.Name,
+	if o.From == "" && o.Docker == nil && o.Kubernetes == nil {
+		return createFromExistingContext(s, cli.CurrentContext(), stackOrchestrator, o)
 	}
+	if o.From != "" {
+		return createFromExistingContext(s, o.From, stackOrchestrator, o)
+	}
+	return createNewContext(o, stackOrchestrator, cli, s)
+}
+
+func createNewContext(o *CreateOptions, stackOrchestrator command.Orchestrator, cli command.Cli, s store.Writer) error {
 	if o.Docker == nil {
 		return errors.New("docker endpoint configuration is required")
 	}
+	contextMetadata := newContextMetadata(stackOrchestrator, o)
 	contextTLSData := store.ContextTLSData{
 		Endpoints: make(map[string]store.EndpointTLSData),
 	}
@@ -116,10 +121,10 @@ func RunCreate(cli command.Cli, o *CreateOptions) error {
 	if err := validateEndpointsAndOrchestrator(contextMetadata); err != nil {
 		return err
 	}
-	if err := s.CreateOrUpdateContext(contextMetadata); err != nil {
+	if err := s.CreateOrUpdate(contextMetadata); err != nil {
 		return err
 	}
-	if err := s.ResetContextTLSMaterial(o.Name, &contextTLSData); err != nil {
+	if err := s.ResetTLSMaterial(o.Name, &contextTLSData); err != nil {
 		return err
 	}
 	fmt.Fprintln(cli.Out(), o.Name)
@@ -127,11 +132,11 @@ func RunCreate(cli command.Cli, o *CreateOptions) error {
 	return nil
 }
 
-func checkContextNameForCreation(s store.Store, name string) error {
+func checkContextNameForCreation(s store.Reader, name string) error {
 	if err := validateContextName(name); err != nil {
 		return err
 	}
-	if _, err := s.GetContextMetadata(name); !store.IsErrContextDoesNotExist(err) {
+	if _, err := s.GetMetadata(name); !store.IsErrContextDoesNotExist(err) {
 		if err != nil {
 			return errors.Wrap(err, "error while getting existing contexts")
 		}
@@ -139,3 +144,52 @@ func checkContextNameForCreation(s store.Store, name string) error {
 	}
 	return nil
 }
+
+func createFromExistingContext(s store.ReaderWriter, fromContextName string, stackOrchestrator command.Orchestrator, o *CreateOptions) error {
+	if len(o.Docker) != 0 || len(o.Kubernetes) != 0 {
+		return errors.New("cannot use --docker or --kubernetes flags when --from is set")
+	}
+	reader := store.Export(fromContextName, &descriptionAndOrchestratorStoreDecorator{
+		Reader:       s,
+		description:  o.Description,
+		orchestrator: stackOrchestrator,
+	})
+	defer reader.Close()
+	return store.Import(o.Name, s, reader)
+}
+
+type descriptionAndOrchestratorStoreDecorator struct {
+	store.Reader
+	description  string
+	orchestrator command.Orchestrator
+}
+
+func (d *descriptionAndOrchestratorStoreDecorator) GetMetadata(name string) (store.Metadata, error) {
+	c, err := d.Reader.GetMetadata(name)
+	if err != nil {
+		return c, err
+	}
+	typedContext, err := command.GetDockerContext(c)
+	if err != nil {
+		return c, err
+	}
+	if d.description != "" {
+		typedContext.Description = d.description
+	}
+	if d.orchestrator != command.Orchestrator("") {
+		typedContext.StackOrchestrator = d.orchestrator
+	}
+	c.Metadata = typedContext
+	return c, nil
+}
+
+func newContextMetadata(stackOrchestrator command.Orchestrator, o *CreateOptions) store.Metadata {
+	return store.Metadata{
+		Endpoints: make(map[string]interface{}),
+		Metadata: command.DockerContext{
+			Description:       o.Description,
+			StackOrchestrator: stackOrchestrator,
+		},
+		Name: o.Name,
+	}
+}

cli/command/context/create_test.go

@@ -27,7 +27,7 @@ func makeFakeCli(t *testing.T, opts ...func(*test.FakeCli)) (*test.FakeCli, func
 		Store: store.New(dir, storeConfig),
 		Resolver: func() (*command.DefaultContext, error) {
 			return &command.DefaultContext{
-				Meta: store.ContextMetadata{
+				Meta: store.Metadata{
 					Endpoints: map[string]interface{}{
 						docker.DockerEndpoint: docker.EndpointMeta{
 							Host: "unix:///var/run/docker.sock",
@@ -63,7 +63,7 @@ func withCliConfig(configFile *configfile.ConfigFile) func(*test.FakeCli) {
 func TestCreateInvalids(t *testing.T) {
 	cli, cleanup := makeFakeCli(t)
 	defer cleanup()
-	assert.NilError(t, cli.ContextStore().CreateOrUpdateContext(store.ContextMetadata{Name: "existing-context"}))
+	assert.NilError(t, cli.ContextStore().CreateOrUpdate(store.Metadata{Name: "existing-context"}))
 	tests := []struct {
 		options     CreateOptions
 		expecterErr string
@@ -105,13 +105,6 @@ func TestCreateInvalids(t *testing.T) {
 			},
 			expecterErr: `specified orchestrator "invalid" is invalid, please use either kubernetes, swarm or all`,
 		},
-		{
-			options: CreateOptions{
-				Name:                     "orchestrator-swarm-no-endpoint",
-				DefaultStackOrchestrator: "swarm",
-			},
-			expecterErr: `docker endpoint configuration is required`,
-		},
 		{
 			options: CreateOptions{
 				Name:                     "orchestrator-kubernetes-no-endpoint",
@@ -163,9 +156,9 @@ func TestCreateOrchestratorEmpty(t *testing.T) {
 	assert.NilError(t, err)
 }
 
-func validateTestKubeEndpoint(t *testing.T, s store.Store, name string) {
+func validateTestKubeEndpoint(t *testing.T, s store.Reader, name string) {
 	t.Helper()
-	ctxMetadata, err := s.GetContextMetadata(name)
+	ctxMetadata, err := s.GetMetadata(name)
 	assert.NilError(t, err)
 	kubeMeta := ctxMetadata.Endpoints[kubernetes.KubernetesEndpoint].(kubernetes.EndpointMeta)
 	kubeEP, err := kubeMeta.WithTLSData(s, name)
@@ -185,7 +178,7 @@ func createTestContextWithKube(t *testing.T, cli command.Cli) {
 		Name:                     "test",
 		DefaultStackOrchestrator: "all",
 		Kubernetes: map[string]string{
-			keyFromCurrent: "true",
+			keyFrom: "default",
 		},
 		Docker: map[string]string{},
 	})
@@ -198,3 +191,157 @@ func TestCreateOrchestratorAllKubernetesEndpointFromCurrent(t *testing.T) {
 	createTestContextWithKube(t, cli)
 	validateTestKubeEndpoint(t, cli.ContextStore(), "test")
 }
+
+func TestCreateFromContext(t *testing.T) {
+	cases := []struct {
+		name                 string
+		description          string
+		orchestrator         string
+		expectedDescription  string
+		docker               map[string]string
+		kubernetes           map[string]string
+		expectedOrchestrator command.Orchestrator
+	}{
+		{
+			name:                 "no-override",
+			expectedDescription:  "original description",
+			expectedOrchestrator: command.OrchestratorSwarm,
+		},
+		{
+			name:                 "override-description",
+			description:          "new description",
+			expectedDescription:  "new description",
+			expectedOrchestrator: command.OrchestratorSwarm,
+		},
+		{
+			name:                 "override-orchestrator",
+			orchestrator:         "kubernetes",
+			expectedDescription:  "original description",
+			expectedOrchestrator: command.OrchestratorKubernetes,
+		},
+	}
+
+	cli, cleanup := makeFakeCli(t)
+	defer cleanup()
+	revert := env.Patch(t, "KUBECONFIG", "./testdata/test-kubeconfig")
+	defer revert()
+	assert.NilError(t, RunCreate(cli, &CreateOptions{
+		Name:        "original",
+		Description: "original description",
+		Docker: map[string]string{
+			keyHost: "tcp://42.42.42.42:2375",
+		},
+		Kubernetes: map[string]string{
+			keyFrom: "default",
+		},
+		DefaultStackOrchestrator: "swarm",
+	}))
+	assert.NilError(t, RunCreate(cli, &CreateOptions{
+		Name:        "dummy",
+		Description: "dummy description",
+		Docker: map[string]string{
+			keyHost: "tcp://24.24.24.24:2375",
+		},
+		Kubernetes: map[string]string{
+			keyFrom: "default",
+		},
+		DefaultStackOrchestrator: "swarm",
+	}))
+
+	cli.SetCurrentContext("dummy")
+
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			err := RunCreate(cli, &CreateOptions{
+				From:                     "original",
+				Name:                     c.name,
+				Description:              c.description,
+				DefaultStackOrchestrator: c.orchestrator,
+				Docker:                   c.docker,
+				Kubernetes:               c.kubernetes,
+			})
+			assert.NilError(t, err)
+			newContext, err := cli.ContextStore().GetMetadata(c.name)
+			assert.NilError(t, err)
+			newContextTyped, err := command.GetDockerContext(newContext)
+			assert.NilError(t, err)
+			dockerEndpoint, err := docker.EndpointFromContext(newContext)
+			assert.NilError(t, err)
+			kubeEndpoint := kubernetes.EndpointFromContext(newContext)
+			assert.Check(t, kubeEndpoint != nil)
+			assert.Equal(t, newContextTyped.Description, c.expectedDescription)
+			assert.Equal(t, newContextTyped.StackOrchestrator, c.expectedOrchestrator)
+			assert.Equal(t, dockerEndpoint.Host, "tcp://42.42.42.42:2375")
+			assert.Equal(t, kubeEndpoint.Host, "https://someserver")
+		})
+	}
+}
+
+func TestCreateFromCurrent(t *testing.T) {
+	cases := []struct {
+		name                 string
+		description          string
+		orchestrator         string
+		expectedDescription  string
+		expectedOrchestrator command.Orchestrator
+	}{
+		{
+			name:                 "no-override",
+			expectedDescription:  "original description",
+			expectedOrchestrator: command.OrchestratorSwarm,
+		},
+		{
+			name:                 "override-description",
+			description:          "new description",
+			expectedDescription:  "new description",
+			expectedOrchestrator: command.OrchestratorSwarm,
+		},
+		{
+			name:                 "override-orchestrator",
+			orchestrator:         "kubernetes",
+			expectedDescription:  "original description",
+			expectedOrchestrator: command.OrchestratorKubernetes,
+		},
+	}
+
+	cli, cleanup := makeFakeCli(t)
+	defer cleanup()
+	revert := env.Patch(t, "KUBECONFIG", "./testdata/test-kubeconfig")
+	defer revert()
+	assert.NilError(t, RunCreate(cli, &CreateOptions{
+		Name:        "original",
+		Description: "original description",
+		Docker: map[string]string{
+			keyHost: "tcp://42.42.42.42:2375",
+		},
+		Kubernetes: map[string]string{
+			keyFrom: "default",
+		},
+		DefaultStackOrchestrator: "swarm",
+	}))
+
+	cli.SetCurrentContext("original")
+
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			err := RunCreate(cli, &CreateOptions{
+				Name:                     c.name,
+				Description:              c.description,
+				DefaultStackOrchestrator: c.orchestrator,
+			})
+			assert.NilError(t, err)
+			newContext, err := cli.ContextStore().GetMetadata(c.name)
+			assert.NilError(t, err)
+			newContextTyped, err := command.GetDockerContext(newContext)
+			assert.NilError(t, err)
+			dockerEndpoint, err := docker.EndpointFromContext(newContext)
+			assert.NilError(t, err)
+			kubeEndpoint := kubernetes.EndpointFromContext(newContext)
+			assert.Check(t, kubeEndpoint != nil)
+			assert.Equal(t, newContextTyped.Description, c.expectedDescription)
+			assert.Equal(t, newContextTyped.StackOrchestrator, c.expectedOrchestrator)
+			assert.Equal(t, dockerEndpoint.Host, "tcp://42.42.42.42:2375")
+			assert.Equal(t, kubeEndpoint.Host, "https://someserver")
+		})
+	}
+}

cli/command/context/export-import_test.go

@@ -29,9 +29,9 @@ func TestExportImportWithFile(t *testing.T) {
 	cli.OutBuffer().Reset()
 	cli.ErrBuffer().Reset()
 	assert.NilError(t, RunImport(cli, "test2", contextFile))
-	context1, err := cli.ContextStore().GetContextMetadata("test")
+	context1, err := cli.ContextStore().GetMetadata("test")
 	assert.NilError(t, err)
-	context2, err := cli.ContextStore().GetContextMetadata("test2")
+	context2, err := cli.ContextStore().GetMetadata("test2")
 	assert.NilError(t, err)
 	assert.DeepEqual(t, context1.Endpoints, context2.Endpoints)
 	assert.DeepEqual(t, context1.Metadata, context2.Metadata)
@@ -57,9 +57,9 @@ func TestExportImportPipe(t *testing.T) {
 	cli.OutBuffer().Reset()
 	cli.ErrBuffer().Reset()
 	assert.NilError(t, RunImport(cli, "test2", "-"))
-	context1, err := cli.ContextStore().GetContextMetadata("test")
+	context1, err := cli.ContextStore().GetMetadata("test")
 	assert.NilError(t, err)
-	context2, err := cli.ContextStore().GetContextMetadata("test2")
+	context2, err := cli.ContextStore().GetMetadata("test2")
 	assert.NilError(t, err)
 	assert.DeepEqual(t, context1.Endpoints, context2.Endpoints)
 	assert.DeepEqual(t, context1.Metadata, context2.Metadata)

cli/command/context/export.go

@@ -80,7 +80,7 @@ func RunExport(dockerCli command.Cli, opts *ExportOptions) error {
 	if err := validateContextName(opts.ContextName); err != nil && opts.ContextName != command.DefaultContextName {
 		return err
 	}
-	ctxMeta, err := dockerCli.ContextStore().GetContextMetadata(opts.ContextName)
+	ctxMeta, err := dockerCli.ContextStore().GetMetadata(opts.ContextName)
 	if err != nil {
 		return err
 	}

cli/command/context/inspect.go

@@ -40,25 +40,25 @@ func newInspectCommand(dockerCli command.Cli) *cobra.Command {
 
 func runInspect(dockerCli command.Cli, opts inspectOptions) error {
 	getRefFunc := func(ref string) (interface{}, []byte, error) {
-		c, err := dockerCli.ContextStore().GetContextMetadata(ref)
+		c, err := dockerCli.ContextStore().GetMetadata(ref)
 		if err != nil {
 			return nil, nil, err
 		}
-		tlsListing, err := dockerCli.ContextStore().ListContextTLSFiles(ref)
+		tlsListing, err := dockerCli.ContextStore().ListTLSFiles(ref)
 		if err != nil {
 			return nil, nil, err
 		}
 		return contextWithTLSListing{
-			ContextMetadata: c,
-			TLSMaterial:     tlsListing,
-			Storage:         dockerCli.ContextStore().GetContextStorageInfo(ref),
+			Metadata:    c,
+			TLSMaterial: tlsListing,
+			Storage:     dockerCli.ContextStore().GetStorageInfo(ref),
 		}, nil, nil
 	}
 	return inspect.Inspect(dockerCli.Out(), opts.refs, opts.format, getRefFunc)
 }
 
 type contextWithTLSListing struct {
-	store.ContextMetadata
+	store.Metadata
 	TLSMaterial map[string]store.EndpointFiles
-	Storage     store.ContextStorageInfo
+	Storage     store.StorageInfo
 }

cli/command/context/inspect_test.go

@@ -17,7 +17,7 @@ func TestInspect(t *testing.T) {
 		refs: []string{"current"},
 	}))
 	expected := string(golden.Get(t, "inspect.golden"))
-	si := cli.ContextStore().GetContextStorageInfo("current")
+	si := cli.ContextStore().GetStorageInfo("current")
 	expected = strings.Replace(expected, "<METADATA_PATH>", strings.Replace(si.MetadataPath, `\`, `\\`, -1), 1)
 	expected = strings.Replace(expected, "<TLS_PATH>", strings.Replace(si.TLSPath, `\`, `\\`, -1), 1)
 	assert.Equal(t, cli.OutBuffer().String(), expected)

cli/command/context/list.go

@@ -2,6 +2,7 @@ package context
 
 import (
 	"fmt"
+	"os"
 	"sort"
 
 	"github.com/docker/cli/cli"
@@ -41,7 +42,7 @@ func runList(dockerCli command.Cli, opts *listOptions) error {
 		opts.format = formatter.TableFormatKey
 	}
 	curContext := dockerCli.CurrentContext()
-	contextMap, err := dockerCli.ContextStore().ListContexts()
+	contextMap, err := dockerCli.ContextStore().List()
 	if err != nil {
 		return err
 	}
@@ -76,7 +77,14 @@ func runList(dockerCli command.Cli, opts *listOptions) error {
 	sort.Slice(contexts, func(i, j int) bool {
 		return sortorder.NaturalLess(contexts[i].Name, contexts[j].Name)
 	})
-	return format(dockerCli, opts, contexts)
+	if err := format(dockerCli, opts, contexts); err != nil {
+		return err
+	}
+	if os.Getenv("DOCKER_HOST") != "" {
+		fmt.Fprint(dockerCli.Err(), "Warning: DOCKER_HOST environment variable overrides the active context. "+
+			"To use a context, either set the global --context flag, or unset DOCKER_HOST environment variable.\n")
+	}
+	return nil
 }
 
 func format(dockerCli command.Cli, opts *listOptions, contexts []*formatter.ClientContext) error {

cli/command/context/list_test.go

@@ -17,7 +17,7 @@ func createTestContextWithKubeAndSwarm(t *testing.T, cli command.Cli, name strin
 		Name:                     name,
 		DefaultStackOrchestrator: orchestrator,
 		Description:              "description of " + name,
-		Kubernetes:               map[string]string{keyFromCurrent: "true"},
+		Kubernetes:               map[string]string{keyFrom: "default"},
 		Docker:                   map[string]string{keyHost: "https://someswarmserver"},
 	})
 	assert.NilError(t, err)

cli/command/context/options.go

@@ -18,7 +18,7 @@ import (
 )
 
 const (
-	keyFromCurrent   = "from-current"
+	keyFrom          = "from"
 	keyHost          = "host"
 	keyCA            = "ca"
 	keyCert          = "cert"
@@ -36,7 +36,7 @@ type configKeyDescription struct {
 
 var (
 	allowedDockerConfigKeys = map[string]struct{}{
-		keyFromCurrent:   {},
+		keyFrom:          {},
 		keyHost:          {},
 		keyCA:            {},
 		keyCert:          {},
@@ -44,15 +44,15 @@ var (
 		keySkipTLSVerify: {},
 	}
 	allowedKubernetesConfigKeys = map[string]struct{}{
-		keyFromCurrent:   {},
+		keyFrom:          {},
 		keyKubeconfig:    {},
 		keyKubecontext:   {},
 		keyKubenamespace: {},
 	}
 	dockerConfigKeysDescriptions = []configKeyDescription{
 		{
-			name:        keyFromCurrent,
-			description: "Copy current Docker endpoint configuration",
+			name:        keyFrom,
+			description: "Copy named context's Docker endpoint configuration",
 		},
 		{
 			name:        keyHost,
@@ -77,8 +77,8 @@ var (
 	}
 	kubernetesConfigKeysDescriptions = []configKeyDescription{
 		{
-			name:        keyFromCurrent,
-			description: "Copy current Kubernetes endpoint configuration",
+			name:        keyFrom,
+			description: "Copy named context's Kubernetes endpoint configuration",
 		},
 		{
 			name:        keyKubeconfig,
@@ -121,12 +121,15 @@ func getDockerEndpoint(dockerCli command.Cli, config map[string]string) (docker.
 	if err := validateConfig(config, allowedDockerConfigKeys); err != nil {
 		return docker.Endpoint{}, err
 	}
-	fromCurrent, err := parseBool(config, keyFromCurrent)
-	if err != nil {
-		return docker.Endpoint{}, err
-	}
-	if fromCurrent {
-		return dockerCli.DockerEndpoint(), nil
+	if contextName, ok := config[keyFrom]; ok {
+		metadata, err := dockerCli.ContextStore().GetMetadata(contextName)
+		if err != nil {
+			return docker.Endpoint{}, err
+		}
+		if ep, ok := metadata.Endpoints[docker.DockerEndpoint].(docker.EndpointMeta); ok {
+			return docker.Endpoint{EndpointMeta: ep}, nil
+		}
+		return docker.Endpoint{}, errors.Errorf("unable to get endpoint from context %q", contextName)
 	}
 	tlsData, err := context.TLSDataFromFiles(config[keyCA], config[keyCert], config[keyKey])
 	if err != nil {
@@ -169,25 +172,20 @@ func getKubernetesEndpoint(dockerCli command.Cli, config map[string]string) (*ku
 	if len(config) == 0 {
 		return nil, nil
 	}
-	fromCurrent, err := parseBool(config, keyFromCurrent)
-	if err != nil {
-		return nil, err
-	}
-	if fromCurrent {
-		if dockerCli.CurrentContext() != "" {
-			ctxMeta, err := dockerCli.ContextStore().GetContextMetadata(dockerCli.CurrentContext())
+	if contextName, ok := config[keyFrom]; ok {
+		ctxMeta, err := dockerCli.ContextStore().GetMetadata(contextName)
+		if err != nil {
+			return nil, err
+		}
+		endpointMeta := kubernetes.EndpointFromContext(ctxMeta)
+		if endpointMeta != nil {
+			res, err := endpointMeta.WithTLSData(dockerCli.ContextStore(), dockerCli.CurrentContext())
 			if err != nil {
 				return nil, err
 			}
-			endpointMeta := kubernetes.EndpointFromContext(ctxMeta)
-			if endpointMeta != nil {
-				res, err := endpointMeta.WithTLSData(dockerCli.ContextStore(), dockerCli.CurrentContext())
-				if err != nil {
-					return nil, err
-				}
-				return &res, nil
-			}
+			return &res, nil
 		}
+
 		// fallback to env-based kubeconfig
 		kubeconfig := os.Getenv("KUBECONFIG")
 		if kubeconfig == "" {

cli/command/context/remove.go

@@ -50,7 +50,7 @@ func RunRemove(dockerCli command.Cli, opts RemoveOptions, names []string) error
 }
 
 func doRemove(dockerCli command.Cli, name string, isCurrent, force bool) error {
-	if _, err := dockerCli.ContextStore().GetContextMetadata(name); err != nil {
+	if _, err := dockerCli.ContextStore().GetMetadata(name); err != nil {
 		return err
 	}
 	if isCurrent {
@@ -64,5 +64,5 @@ func doRemove(dockerCli command.Cli, name string, isCurrent, force bool) error {
 			return err
 		}
 	}
-	return dockerCli.ContextStore().RemoveContext(name)
+	return dockerCli.ContextStore().Remove(name)
 }

cli/command/context/remove_test.go

@@ -18,9 +18,9 @@ func TestRemove(t *testing.T) {
 	createTestContextWithKubeAndSwarm(t, cli, "current", "all")
 	createTestContextWithKubeAndSwarm(t, cli, "other", "all")
 	assert.NilError(t, RunRemove(cli, RemoveOptions{}, []string{"other"}))
-	_, err := cli.ContextStore().GetContextMetadata("current")
+	_, err := cli.ContextStore().GetMetadata("current")
 	assert.NilError(t, err)
-	_, err = cli.ContextStore().GetContextMetadata("other")
+	_, err = cli.ContextStore().GetMetadata("other")
 	assert.Check(t, store.IsErrContextDoesNotExist(err))
 }
 

cli/command/context/update.go

@@ -72,7 +72,7 @@ func RunUpdate(cli command.Cli, o *UpdateOptions) error {
 		return err
 	}
 	s := cli.ContextStore()
-	c, err := s.GetContextMetadata(o.Name)
+	c, err := s.GetMetadata(o.Name)
 	if err != nil {
 		return err
 	}
@@ -118,11 +118,11 @@ func RunUpdate(cli command.Cli, o *UpdateOptions) error {
 	if err := validateEndpointsAndOrchestrator(c); err != nil {
 		return err
 	}
-	if err := s.CreateOrUpdateContext(c); err != nil {
+	if err := s.CreateOrUpdate(c); err != nil {
 		return err
 	}
 	for ep, tlsData := range tlsDataToReset {
-		if err := s.ResetContextEndpointTLSMaterial(o.Name, ep, tlsData); err != nil {
+		if err := s.ResetEndpointTLSMaterial(o.Name, ep, tlsData); err != nil {
 			return err
 		}
 	}
@@ -132,7 +132,7 @@ func RunUpdate(cli command.Cli, o *UpdateOptions) error {
 	return nil
 }
 
-func validateEndpointsAndOrchestrator(c store.ContextMetadata) error {
+func validateEndpointsAndOrchestrator(c store.Metadata) error {
 	dockerContext, err := command.GetDockerContext(c)
 	if err != nil {
 		return err

cli/command/context/update_test.go

@@ -25,7 +25,7 @@ func TestUpdateDescriptionOnly(t *testing.T) {
 		Name:        "test",
 		Description: "description",
 	}))
-	c, err := cli.ContextStore().GetContextMetadata("test")
+	c, err := cli.ContextStore().GetMetadata("test")
 	assert.NilError(t, err)
 	dc, err := command.GetDockerContext(c)
 	assert.NilError(t, err)
@@ -46,7 +46,7 @@ func TestUpdateDockerOnly(t *testing.T) {
 			keyHost: "tcp://some-host",
 		},
 	}))
-	c, err := cli.ContextStore().GetContextMetadata("test")
+	c, err := cli.ContextStore().GetMetadata("test")
 	assert.NilError(t, err)
 	dc, err := command.GetDockerContext(c)
 	assert.NilError(t, err)

cli/command/context/use.go

@@ -2,6 +2,7 @@ package context
 
 import (
 	"fmt"
+	"os"
 
 	"github.com/docker/cli/cli/command"
 	"github.com/spf13/cobra"
@@ -25,7 +26,7 @@ func RunUse(dockerCli command.Cli, name string) error {
 	if err := validateContextName(name); err != nil && name != "default" {
 		return err
 	}
-	if _, err := dockerCli.ContextStore().GetContextMetadata(name); err != nil && name != "default" {
+	if _, err := dockerCli.ContextStore().GetMetadata(name); err != nil && name != "default" {
 		return err
 	}
 	configValue := name
@@ -39,5 +40,9 @@ func RunUse(dockerCli command.Cli, name string) error {
 	}
 	fmt.Fprintln(dockerCli.Out(), name)
 	fmt.Fprintf(dockerCli.Err(), "Current context is now %q\n", name)
+	if os.Getenv("DOCKER_HOST") != "" {
+		fmt.Fprintf(dockerCli.Err(), "Warning: DOCKER_HOST environment variable overrides the active context. "+
+			"To use %q, either set the global --context flag, or unset DOCKER_HOST environment variable.\n", name)
+	}
 	return nil
 }

cli/command/defaultcontextstore.go

@@ -22,7 +22,7 @@ const (
 
 // DefaultContext contains the default context data for all enpoints
 type DefaultContext struct {
-	Meta store.ContextMetadata
+	Meta store.Metadata
 	TLS  store.ContextTLSData
 }
 
@@ -35,7 +35,7 @@ type ContextStoreWithDefault struct {
 	Resolver DefaultContextResolver
 }
 
-// resolveDefaultContext creates a ContextMetadata for the current CLI invocation parameters
+// resolveDefaultContext creates a Metadata for the current CLI invocation parameters
 func resolveDefaultContext(opts *cliflags.CommonOptions, config *configfile.ConfigFile, stderr io.Writer) (*DefaultContext, error) {
 	stackOrchestrator, err := GetStackOrchestrator("", "", config.StackOrchestrator, stderr)
 	if err != nil {
@@ -44,7 +44,7 @@ func resolveDefaultContext(opts *cliflags.CommonOptions, config *configfile.Conf
 	contextTLSData := store.ContextTLSData{
 		Endpoints: make(map[string]store.EndpointTLSData),
 	}
-	contextMetadata := store.ContextMetadata{
+	contextMetadata := store.Metadata{
 		Endpoints: make(map[string]interface{}),
 		Metadata: DockerContext{
 			Description:       "",
@@ -81,9 +81,9 @@ func resolveDefaultContext(opts *cliflags.CommonOptions, config *configfile.Conf
 	return &DefaultContext{Meta: contextMetadata, TLS: contextTLSData}, nil
 }
 
-// ListContexts implements store.Store's ListContexts
-func (s *ContextStoreWithDefault) ListContexts() ([]store.ContextMetadata, error) {
-	contextList, err := s.Store.ListContexts()
+// List implements store.Store's List
+func (s *ContextStoreWithDefault) List() ([]store.Metadata, error) {
+	contextList, err := s.Store.List()
 	if err != nil {
 		return nil, err
 	}
@@ -94,52 +94,52 @@ func (s *ContextStoreWithDefault) ListContexts() ([]store.ContextMetadata, error
 	return append(contextList, defaultContext.Meta), nil
 }
 
-// CreateOrUpdateContext is not allowed for the default context and fails
-func (s *ContextStoreWithDefault) CreateOrUpdateContext(meta store.ContextMetadata) error {
+// CreateOrUpdate is not allowed for the default context and fails
+func (s *ContextStoreWithDefault) CreateOrUpdate(meta store.Metadata) error {
 	if meta.Name == DefaultContextName {
 		return errors.New("default context cannot be created nor updated")
 	}
-	return s.Store.CreateOrUpdateContext(meta)
+	return s.Store.CreateOrUpdate(meta)
 }
 
-// RemoveContext is not allowed for the default context and fails
-func (s *ContextStoreWithDefault) RemoveContext(name string) error {
+// Remove is not allowed for the default context and fails
+func (s *ContextStoreWithDefault) Remove(name string) error {
 	if name == DefaultContextName {
 		return errors.New("default context cannot be removed")
 	}
-	return s.Store.RemoveContext(name)
+	return s.Store.Remove(name)
 }
 
-// GetContextMetadata implements store.Store's GetContextMetadata
-func (s *ContextStoreWithDefault) GetContextMetadata(name string) (store.ContextMetadata, error) {
+// GetMetadata implements store.Store's GetMetadata
+func (s *ContextStoreWithDefault) GetMetadata(name string) (store.Metadata, error) {
 	if name == DefaultContextName {
 		defaultContext, err := s.Resolver()
 		if err != nil {
-			return store.ContextMetadata{}, err
+			return store.Metadata{}, err
 		}
 		return defaultContext.Meta, nil
 	}
-	return s.Store.GetContextMetadata(name)
+	return s.Store.GetMetadata(name)
 }
 
-// ResetContextTLSMaterial is not implemented for default context and fails
-func (s *ContextStoreWithDefault) ResetContextTLSMaterial(name string, data *store.ContextTLSData) error {
+// ResetTLSMaterial is not implemented for default context and fails
+func (s *ContextStoreWithDefault) ResetTLSMaterial(name string, data *store.ContextTLSData) error {
 	if name == DefaultContextName {
-		return errors.New("The default context store does not support ResetContextTLSMaterial")
+		return errors.New("The default context store does not support ResetTLSMaterial")
 	}
-	return s.Store.ResetContextTLSMaterial(name, data)
+	return s.Store.ResetTLSMaterial(name, data)
 }
 
-// ResetContextEndpointTLSMaterial is not implemented for default context and fails
-func (s *ContextStoreWithDefault) ResetContextEndpointTLSMaterial(contextName string, endpointName string, data *store.EndpointTLSData) error {
+// ResetEndpointTLSMaterial is not implemented for default context and fails
+func (s *ContextStoreWithDefault) ResetEndpointTLSMaterial(contextName string, endpointName string, data *store.EndpointTLSData) error {
 	if contextName == DefaultContextName {
-		return errors.New("The default context store does not support ResetContextEndpointTLSMaterial")
+		return errors.New("The default context store does not support ResetEndpointTLSMaterial")
 	}
-	return s.Store.ResetContextEndpointTLSMaterial(contextName, endpointName, data)
+	return s.Store.ResetEndpointTLSMaterial(contextName, endpointName, data)
 }
 
-// ListContextTLSFiles implements store.Store's ListContextTLSFiles
-func (s *ContextStoreWithDefault) ListContextTLSFiles(name string) (map[string]store.EndpointFiles, error) {
+// ListTLSFiles implements store.Store's ListTLSFiles
+func (s *ContextStoreWithDefault) ListTLSFiles(name string) (map[string]store.EndpointFiles, error) {
 	if name == DefaultContextName {
 		defaultContext, err := s.Resolver()
 		if err != nil {
@@ -155,11 +155,11 @@ func (s *ContextStoreWithDefault) ListContextTLSFiles(name string) (map[string]s
 		}
 		return tlsfiles, nil
 	}
-	return s.Store.ListContextTLSFiles(name)
+	return s.Store.ListTLSFiles(name)
 }
 
-// GetContextTLSData implements store.Store's GetContextTLSData
-func (s *ContextStoreWithDefault) GetContextTLSData(contextName, endpointName, fileName string) ([]byte, error) {
+// GetTLSData implements store.Store's GetTLSData
+func (s *ContextStoreWithDefault) GetTLSData(contextName, endpointName, fileName string) ([]byte, error) {
 	if contextName == DefaultContextName {
 		defaultContext, err := s.Resolver()
 		if err != nil {
@@ -171,7 +171,7 @@ func (s *ContextStoreWithDefault) GetContextTLSData(contextName, endpointName, f
 		return defaultContext.TLS.Endpoints[endpointName].Files[fileName], nil
 
 	}
-	return s.Store.GetContextTLSData(contextName, endpointName, fileName)
+	return s.Store.GetTLSData(contextName, endpointName, fileName)
 }
 
 type noDefaultTLSDataError struct {
@@ -189,10 +189,10 @@ func (e *noDefaultTLSDataError) NotFound() {}
 // IsTLSDataDoesNotExist satisfies github.com/docker/cli/cli/context/store.tlsDataDoesNotExist
 func (e *noDefaultTLSDataError) IsTLSDataDoesNotExist() {}
 
-// GetContextStorageInfo implements store.Store's GetContextStorageInfo
-func (s *ContextStoreWithDefault) GetContextStorageInfo(contextName string) store.ContextStorageInfo {
+// GetStorageInfo implements store.Store's GetStorageInfo
+func (s *ContextStoreWithDefault) GetStorageInfo(contextName string) store.StorageInfo {
 	if contextName == DefaultContextName {
-		return store.ContextStorageInfo{MetadataPath: "<IN MEMORY>", TLSPath: "<IN MEMORY>"}
+		return store.StorageInfo{MetadataPath: "<IN MEMORY>", TLSPath: "<IN MEMORY>"}
 	}
-	return s.Store.GetContextStorageInfo(contextName)
+	return s.Store.GetStorageInfo(contextName)
 }

cli/command/defaultcontextstore_test.go

@@ -30,8 +30,8 @@ var testCfg = store.NewConfig(func() interface{} { return &testContext{} },
 	store.EndpointTypeGetter("ep2", func() interface{} { return &endpoint{} }),
 )
 
-func testDefaultMetadata() store.ContextMetadata {
-	return store.ContextMetadata{
+func testDefaultMetadata() store.Metadata {
+	return store.Metadata{
 		Endpoints: map[string]interface{}{
 			"ep1": endpoint{Foo: "bar"},
 		},
@@ -40,7 +40,7 @@ func testDefaultMetadata() store.ContextMetadata {
 	}
 }
 
-func testStore(t *testing.T, meta store.ContextMetadata, tls store.ContextTLSData) (store.Store, func()) {
+func testStore(t *testing.T, meta store.Metadata, tls store.ContextTLSData) (store.Store, func()) {
 	//meta := testDefaultMetadata()
 	testDir, err := ioutil.TempDir("", t.Name())
 	assert.NilError(t, err)
@@ -102,33 +102,33 @@ func TestExportDefaultImport(t *testing.T) {
 	err := store.Import("dest", s, r)
 	assert.NilError(t, err)
 
-	srcMeta, err := s.GetContextMetadata("default")
+	srcMeta, err := s.GetMetadata("default")
 	assert.NilError(t, err)
-	destMeta, err := s.GetContextMetadata("dest")
+	destMeta, err := s.GetMetadata("dest")
 	assert.NilError(t, err)
 	assert.DeepEqual(t, destMeta.Metadata, srcMeta.Metadata)
 	assert.DeepEqual(t, destMeta.Endpoints, srcMeta.Endpoints)
 
-	srcFileList, err := s.ListContextTLSFiles("default")
+	srcFileList, err := s.ListTLSFiles("default")
 	assert.NilError(t, err)
-	destFileList, err := s.ListContextTLSFiles("dest")
+	destFileList, err := s.ListTLSFiles("dest")
 	assert.NilError(t, err)
 	assert.Equal(t, 1, len(destFileList))
 	assert.Equal(t, 1, len(srcFileList))
 	assert.Equal(t, 2, len(destFileList["ep2"]))
 	assert.Equal(t, 2, len(srcFileList["ep2"]))
 
-	srcData1, err := s.GetContextTLSData("default", "ep2", "file1")
+	srcData1, err := s.GetTLSData("default", "ep2", "file1")
 	assert.NilError(t, err)
 	assert.DeepEqual(t, file1, srcData1)
-	srcData2, err := s.GetContextTLSData("default", "ep2", "file2")
+	srcData2, err := s.GetTLSData("default", "ep2", "file2")
 	assert.NilError(t, err)
 	assert.DeepEqual(t, file2, srcData2)
 
-	destData1, err := s.GetContextTLSData("dest", "ep2", "file1")
+	destData1, err := s.GetTLSData("dest", "ep2", "file1")
 	assert.NilError(t, err)
 	assert.DeepEqual(t, file1, destData1)
-	destData2, err := s.GetContextTLSData("dest", "ep2", "file2")
+	destData2, err := s.GetTLSData("dest", "ep2", "file2")
 	assert.NilError(t, err)
 	assert.DeepEqual(t, file2, destData2)
 }
@@ -137,7 +137,7 @@ func TestListDefaultContext(t *testing.T) {
 	meta := testDefaultMetadata()
 	s, cleanup := testStore(t, meta, store.ContextTLSData{})
 	defer cleanup()
-	result, err := s.ListContexts()
+	result, err := s.List()
 	assert.NilError(t, err)
 	assert.Equal(t, 1, len(result))
 	assert.DeepEqual(t, meta, result[0])
@@ -146,7 +146,7 @@ func TestListDefaultContext(t *testing.T) {
 func TestGetDefaultContextStorageInfo(t *testing.T) {
 	s, cleanup := testStore(t, testDefaultMetadata(), store.ContextTLSData{})
 	defer cleanup()
-	result := s.GetContextStorageInfo(DefaultContextName)
+	result := s.GetStorageInfo(DefaultContextName)
 	assert.Equal(t, "<IN MEMORY>", result.MetadataPath)
 	assert.Equal(t, "<IN MEMORY>", result.TLSPath)
 }
@@ -155,7 +155,7 @@ func TestGetDefaultContextMetadata(t *testing.T) {
 	meta := testDefaultMetadata()
 	s, cleanup := testStore(t, meta, store.ContextTLSData{})
 	defer cleanup()
-	result, err := s.GetContextMetadata(DefaultContextName)
+	result, err := s.GetMetadata(DefaultContextName)
 	assert.NilError(t, err)
 	assert.Equal(t, DefaultContextName, result.Name)
 	assert.DeepEqual(t, meta.Metadata, result.Metadata)
@@ -166,7 +166,7 @@ func TestErrCreateDefault(t *testing.T) {
 	meta := testDefaultMetadata()
 	s, cleanup := testStore(t, meta, store.ContextTLSData{})
 	defer cleanup()
-	err := s.CreateOrUpdateContext(store.ContextMetadata{
+	err := s.CreateOrUpdate(store.Metadata{
 		Endpoints: map[string]interface{}{
 			"ep1": endpoint{Foo: "bar"},
 		},
@@ -180,7 +180,7 @@ func TestErrRemoveDefault(t *testing.T) {
 	meta := testDefaultMetadata()
 	s, cleanup := testStore(t, meta, store.ContextTLSData{})
 	defer cleanup()
-	err := s.RemoveContext("default")
+	err := s.Remove("default")
 	assert.Error(t, err, "default context cannot be removed")
 }
 
@@ -188,6 +188,6 @@ func TestErrTLSDataError(t *testing.T) {
 	meta := testDefaultMetadata()
 	s, cleanup := testStore(t, meta, store.ContextTLSData{})
 	defer cleanup()
-	_, err := s.GetContextTLSData("default", "noop", "noop")
+	_, err := s.GetTLSData("default", "noop", "noop")
 	assert.Check(t, store.IsErrTLSDataDoesNotExist(err))
 }

cli/command/registry/login.go

@@ -143,7 +143,8 @@ func runLogin(dockerCli command.Cli, opts loginOptions) error { //nolint: gocycl
 	creds := dockerCli.ConfigFile().GetCredentialsStore(serverAddress)
 
 	store, isDefault := creds.(isFileStore)
-	if isDefault {
+	// Display a warning if we're storing the users password (not a token)
+	if isDefault && authConfig.Password != "" {
 		err = displayUnencryptedWarning(dockerCli, store.GetFilename())
 		if err != nil {
 			return err

cli/command/registry/login_test.go

@@ -24,6 +24,7 @@ var testAuthErrors = map[string]error{
 }
 
 var expiredPassword = "I_M_EXPIRED"
+var useToken = "I_M_TOKEN"
 
 type fakeClient struct {
 	client.Client
@@ -37,6 +38,11 @@ func (c fakeClient) RegistryLogin(ctx context.Context, auth types.AuthConfig) (r
 	if auth.Password == expiredPassword {
 		return registrytypes.AuthenticateOKBody{}, fmt.Errorf("Invalid Username or Password")
 	}
+	if auth.Password == useToken {
+		return registrytypes.AuthenticateOKBody{
+			IdentityToken: auth.Password,
+		}, nil
+	}
 	err := testAuthErrors[auth.Username]
 	return registrytypes.AuthenticateOKBody{}, err
 }
@@ -90,6 +96,11 @@ func TestRunLogin(t *testing.T) {
 		Username:      validUsername,
 		Password:      expiredPassword,
 	}
+	validIdentityToken := configtypes.AuthConfig{
+		ServerAddress: storedServerAddress,
+		Username:      validUsername,
+		IdentityToken: useToken,
+	}
 	testCases := []struct {
 		inputLoginOption  loginOptions
 		inputStoredCred   *configtypes.AuthConfig
@@ -134,6 +145,16 @@ func TestRunLogin(t *testing.T) {
 			inputStoredCred: &validAuthConfig,
 			expectedErr:     testAuthErrMsg,
 		},
+		{
+			inputLoginOption: loginOptions{
+				serverAddress: storedServerAddress,
+				user:          validUsername,
+				password:      useToken,
+			},
+			inputStoredCred:   &validIdentityToken,
+			expectedErr:       "",
+			expectedSavedCred: validIdentityToken,
+		},
 	}
 	for i, tc := range testCases {
 		t.Run(fmt.Sprintf("%d", i), func(t *testing.T) {

cli/command/service/create.go

@@ -8,7 +8,9 @@ import (
 	"github.com/docker/cli/cli/command"
 	cliopts "github.com/docker/cli/opts"
 	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
 	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/docker/client"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 )
@@ -95,14 +97,8 @@ func runCreate(dockerCli command.Cli, flags *pflag.FlagSet, opts *serviceOptions
 		service.TaskTemplate.ContainerSpec.Secrets = secrets
 	}
 
-	specifiedConfigs := opts.configs.Value()
-	if len(specifiedConfigs) > 0 {
-		// parse and validate configs
-		configs, err := ParseConfigs(apiClient, specifiedConfigs)
-		if err != nil {
-			return err
-		}
-		service.TaskTemplate.ContainerSpec.Configs = configs
+	if err := setConfigs(apiClient, &service, opts); err != nil {
+		return err
 	}
 
 	if err := resolveServiceImageDigestContentTrust(dockerCli, &service); err != nil {
@@ -141,3 +137,45 @@ func runCreate(dockerCli command.Cli, flags *pflag.FlagSet, opts *serviceOptions
 
 	return waitOnService(ctx, dockerCli, response.ID, opts.quiet)
 }
+
+// setConfigs does double duty: it both sets the ConfigReferences of the
+// service, and it sets the service CredentialSpec. This is because there is an
+// interplay between the CredentialSpec and the Config it depends on.
+func setConfigs(apiClient client.ConfigAPIClient, service *swarm.ServiceSpec, opts *serviceOptions) error {
+	specifiedConfigs := opts.configs.Value()
+	// if the user has requested to use a Config, for the CredentialSpec add it
+	// to the specifiedConfigs as a RuntimeTarget.
+	if cs := opts.credentialSpec.Value(); cs != nil && cs.Config != "" {
+		specifiedConfigs = append(specifiedConfigs, &swarm.ConfigReference{
+			ConfigName: cs.Config,
+			Runtime:    &swarm.ConfigReferenceRuntimeTarget{},
+		})
+	}
+	if len(specifiedConfigs) > 0 {
+		// parse and validate configs
+		configs, err := ParseConfigs(apiClient, specifiedConfigs)
+		if err != nil {
+			return err
+		}
+		service.TaskTemplate.ContainerSpec.Configs = configs
+		// if we have a CredentialSpec Config, find its ID and rewrite the
+		// field on the spec
+		//
+		// we check the opts instead of the service directly because there are
+		// a few layers of nullable objects in the service, which is a PITA
+		// to traverse, but the existence of the option implies that those are
+		// non-null.
+		if cs := opts.credentialSpec.Value(); cs != nil && cs.Config != "" {
+			for _, config := range configs {
+				if config.ConfigName == cs.Config {
+					service.TaskTemplate.ContainerSpec.Privileges.CredentialSpec.Config = config.ConfigID
+					// we've found the right config, no need to keep iterating
+					// through the rest of them.
+					break
+				}
+			}
+		}
+	}
+
+	return nil
+}

cli/command/service/create_test.go

@@ -0,0 +1,271 @@
+package service
+
+import (
+	"context"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+
+	cliopts "github.com/docker/cli/opts"
+)
+
+// fakeConfigAPIClientList is used to let us pass a closure as a
+// ConfigAPIClient, to use as ConfigList. for all the other methods in the
+// interface, it does nothing, not even return an error, so don't use them
+type fakeConfigAPIClientList func(context.Context, types.ConfigListOptions) ([]swarm.Config, error)
+
+func (f fakeConfigAPIClientList) ConfigList(ctx context.Context, opts types.ConfigListOptions) ([]swarm.Config, error) {
+	return f(ctx, opts)
+}
+
+func (f fakeConfigAPIClientList) ConfigCreate(_ context.Context, _ swarm.ConfigSpec) (types.ConfigCreateResponse, error) {
+	return types.ConfigCreateResponse{}, nil
+}
+
+func (f fakeConfigAPIClientList) ConfigRemove(_ context.Context, _ string) error {
+	return nil
+}
+
+func (f fakeConfigAPIClientList) ConfigInspectWithRaw(_ context.Context, _ string) (swarm.Config, []byte, error) {
+	return swarm.Config{}, nil, nil
+}
+
+func (f fakeConfigAPIClientList) ConfigUpdate(_ context.Context, _ string, _ swarm.Version, _ swarm.ConfigSpec) error {
+	return nil
+}
+
+// TestSetConfigsWithCredSpecAndConfigs tests that the setConfigs function for
+// create correctly looks up the right configs, and correctly handles the
+// credentialSpec
+func TestSetConfigsWithCredSpecAndConfigs(t *testing.T) {
+	// we can't directly access the internal fields of the ConfigOpt struct, so
+	// we need to let it do the parsing
+	configOpt := &cliopts.ConfigOpt{}
+	configOpt.Set("bar")
+	opts := &serviceOptions{
+		credentialSpec: credentialSpecOpt{
+			value: &swarm.CredentialSpec{
+				Config: "foo",
+			},
+			source: "config://foo",
+		},
+		configs: *configOpt,
+	}
+
+	// create a service spec. we need to be sure to fill in the nullable
+	// fields, like the code expects
+	service := &swarm.ServiceSpec{
+		TaskTemplate: swarm.TaskSpec{
+			ContainerSpec: &swarm.ContainerSpec{
+				Privileges: &swarm.Privileges{
+					CredentialSpec: opts.credentialSpec.value,
+				},
+			},
+		},
+	}
+
+	// set up a function to use as the list function
+	var fakeClient fakeConfigAPIClientList = func(_ context.Context, opts types.ConfigListOptions) ([]swarm.Config, error) {
+		f := opts.Filters
+
+		// we're expecting the filter to have names "foo" and "bar"
+		names := f.Get("name")
+		assert.Equal(t, len(names), 2)
+		assert.Assert(t, is.Contains(names, "foo"))
+		assert.Assert(t, is.Contains(names, "bar"))
+
+		return []swarm.Config{
+			{
+				ID: "fooID",
+				Spec: swarm.ConfigSpec{
+					Annotations: swarm.Annotations{
+						Name: "foo",
+					},
+				},
+			}, {
+				ID: "barID",
+				Spec: swarm.ConfigSpec{
+					Annotations: swarm.Annotations{
+						Name: "bar",
+					},
+				},
+			},
+		}, nil
+	}
+
+	// now call setConfigs
+	err := setConfigs(fakeClient, service, opts)
+	// verify no error is returned
+	assert.NilError(t, err)
+
+	credSpecConfigValue := service.TaskTemplate.ContainerSpec.Privileges.CredentialSpec.Config
+	assert.Equal(t, credSpecConfigValue, "fooID")
+
+	configRefs := service.TaskTemplate.ContainerSpec.Configs
+	assert.Assert(t, is.Contains(configRefs, &swarm.ConfigReference{
+		ConfigID:   "fooID",
+		ConfigName: "foo",
+		Runtime:    &swarm.ConfigReferenceRuntimeTarget{},
+	}), "expected configRefs to contain foo config")
+	assert.Assert(t, is.Contains(configRefs, &swarm.ConfigReference{
+		ConfigID:   "barID",
+		ConfigName: "bar",
+		File: &swarm.ConfigReferenceFileTarget{
+			Name: "bar",
+			// these are the default field values
+			UID:  "0",
+			GID:  "0",
+			Mode: 0444,
+		},
+	}), "expected configRefs to contain bar config")
+}
+
+// TestSetConfigsOnlyCredSpec tests that even if a CredentialSpec is the only
+// config needed, setConfigs still works
+func TestSetConfigsOnlyCredSpec(t *testing.T) {
+	opts := &serviceOptions{
+		credentialSpec: credentialSpecOpt{
+			value: &swarm.CredentialSpec{
+				Config: "foo",
+			},
+			source: "config://foo",
+		},
+	}
+
+	service := &swarm.ServiceSpec{
+		TaskTemplate: swarm.TaskSpec{
+			ContainerSpec: &swarm.ContainerSpec{
+				Privileges: &swarm.Privileges{
+					CredentialSpec: opts.credentialSpec.value,
+				},
+			},
+		},
+	}
+
+	// set up a function to use as the list function
+	var fakeClient fakeConfigAPIClientList = func(_ context.Context, opts types.ConfigListOptions) ([]swarm.Config, error) {
+		f := opts.Filters
+
+		names := f.Get("name")
+		assert.Equal(t, len(names), 1)
+		assert.Assert(t, is.Contains(names, "foo"))
+
+		return []swarm.Config{
+			{
+				ID: "fooID",
+				Spec: swarm.ConfigSpec{
+					Annotations: swarm.Annotations{
+						Name: "foo",
+					},
+				},
+			},
+		}, nil
+	}
+
+	// now call setConfigs
+	err := setConfigs(fakeClient, service, opts)
+	// verify no error is returned
+	assert.NilError(t, err)
+
+	credSpecConfigValue := service.TaskTemplate.ContainerSpec.Privileges.CredentialSpec.Config
+	assert.Equal(t, credSpecConfigValue, "fooID")
+
+	configRefs := service.TaskTemplate.ContainerSpec.Configs
+	assert.Assert(t, is.Contains(configRefs, &swarm.ConfigReference{
+		ConfigID:   "fooID",
+		ConfigName: "foo",
+		Runtime:    &swarm.ConfigReferenceRuntimeTarget{},
+	}))
+}
+
+// TestSetConfigsOnlyConfigs verifies setConfigs when only configs (and not a
+// CredentialSpec) is needed.
+func TestSetConfigsOnlyConfigs(t *testing.T) {
+	configOpt := &cliopts.ConfigOpt{}
+	configOpt.Set("bar")
+	opts := &serviceOptions{
+		configs: *configOpt,
+	}
+
+	service := &swarm.ServiceSpec{
+		TaskTemplate: swarm.TaskSpec{
+			ContainerSpec: &swarm.ContainerSpec{},
+		},
+	}
+
+	var fakeClient fakeConfigAPIClientList = func(_ context.Context, opts types.ConfigListOptions) ([]swarm.Config, error) {
+		f := opts.Filters
+
+		names := f.Get("name")
+		assert.Equal(t, len(names), 1)
+		assert.Assert(t, is.Contains(names, "bar"))
+
+		return []swarm.Config{
+			{
+				ID: "barID",
+				Spec: swarm.ConfigSpec{
+					Annotations: swarm.Annotations{
+						Name: "bar",
+					},
+				},
+			},
+		}, nil
+	}
+
+	// now call setConfigs
+	err := setConfigs(fakeClient, service, opts)
+	// verify no error is returned
+	assert.NilError(t, err)
+
+	configRefs := service.TaskTemplate.ContainerSpec.Configs
+	assert.Assert(t, is.Contains(configRefs, &swarm.ConfigReference{
+		ConfigID:   "barID",
+		ConfigName: "bar",
+		File: &swarm.ConfigReferenceFileTarget{
+			Name: "bar",
+			// these are the default field values
+			UID:  "0",
+			GID:  "0",
+			Mode: 0444,
+		},
+	}))
+}
+
+// TestSetConfigsNoConfigs checks that setConfigs works when there are no
+// configs of any kind needed
+func TestSetConfigsNoConfigs(t *testing.T) {
+	// add a credentialSpec that isn't a config
+	opts := &serviceOptions{
+		credentialSpec: credentialSpecOpt{
+			value: &swarm.CredentialSpec{
+				File: "foo",
+			},
+			source: "file://foo",
+		},
+	}
+	service := &swarm.ServiceSpec{
+		TaskTemplate: swarm.TaskSpec{
+			ContainerSpec: &swarm.ContainerSpec{
+				Privileges: &swarm.Privileges{
+					CredentialSpec: opts.credentialSpec.value,
+				},
+			},
+		},
+	}
+
+	var fakeClient fakeConfigAPIClientList = func(_ context.Context, opts types.ConfigListOptions) ([]swarm.Config, error) {
+		// assert false -- we should never call this function
+		assert.Assert(t, false, "we should not be listing configs")
+		return nil, nil
+	}
+
+	err := setConfigs(fakeClient, service, opts)
+	assert.NilError(t, err)
+
+	// ensure that the value of the credentialspec has not changed
+	assert.Equal(t, service.TaskTemplate.ContainerSpec.Privileges.CredentialSpec.File, "foo")
+	assert.Equal(t, service.TaskTemplate.ContainerSpec.Privileges.CredentialSpec.Config, "")
+}

cli/command/service/opts.go

@@ -16,8 +16,8 @@ import (
 	"github.com/docker/docker/client"
 	"github.com/docker/swarmkit/api"
 	"github.com/docker/swarmkit/api/defaults"
-	shlex "github.com/flynn-archive/go-shlex"
 	gogotypes "github.com/gogo/protobuf/types"
+	"github.com/google/shlex"
 	"github.com/pkg/errors"
 	"github.com/spf13/pflag"
 )
@@ -331,12 +331,25 @@ func (c *credentialSpecOpt) Set(value string) error {
 	c.source = value
 	c.value = &swarm.CredentialSpec{}
 	switch {
+	case strings.HasPrefix(value, "config://"):
+		// NOTE(dperny): we allow the user to specify the value of
+		// CredentialSpec Config using the Name of the config, but the API
+		// requires the ID of the config. For simplicity, we will parse
+		// whatever value is provided into the "Config" field, but before
+		// making API calls, we may need to swap the Config Name for the ID.
+		// Therefore, this isn't the definitive location for the value of
+		// Config that is passed to the API.
+		c.value.Config = strings.TrimPrefix(value, "config://")
 	case strings.HasPrefix(value, "file://"):
 		c.value.File = strings.TrimPrefix(value, "file://")
 	case strings.HasPrefix(value, "registry://"):
 		c.value.Registry = strings.TrimPrefix(value, "registry://")
+	case value == "":
+		// if the value of the flag is an empty string, that means there is no
+		// CredentialSpec needed. This is useful for removing a CredentialSpec
+		// during a service update.
 	default:
-		return errors.New("Invalid credential spec - value must be prefixed file:// or registry:// followed by a value")
+		return errors.New(`invalid credential spec: value must be prefixed with "config://", "file://", or "registry://"`)
 	}
 
 	return nil
@@ -663,7 +676,7 @@ func (options *serviceOptions) ToService(ctx context.Context, apiClient client.N
 		EndpointSpec:   options.endpoint.ToEndpointSpec(),
 	}
 
-	if options.credentialSpec.Value() != nil {
+	if options.credentialSpec.String() != "" && options.credentialSpec.Value() != nil {
 		service.TaskTemplate.ContainerSpec.Privileges = &swarm.Privileges{
 			CredentialSpec: options.credentialSpec.Value(),
 		}

cli/command/service/opts_test.go

@@ -14,6 +14,60 @@ import (
 	is "gotest.tools/assert/cmp"
 )
 
+func TestCredentialSpecOpt(t *testing.T) {
+	tests := []struct {
+		name        string
+		in          string
+		value       swarm.CredentialSpec
+		expectedErr string
+	}{
+		{
+			name:  "empty",
+			in:    "",
+			value: swarm.CredentialSpec{},
+		},
+		{
+			name:        "no-prefix",
+			in:          "noprefix",
+			value:       swarm.CredentialSpec{},
+			expectedErr: `invalid credential spec: value must be prefixed with "config://", "file://", or "registry://"`,
+		},
+		{
+			name:  "config",
+			in:    "config://0bt9dmxjvjiqermk6xrop3ekq",
+			value: swarm.CredentialSpec{Config: "0bt9dmxjvjiqermk6xrop3ekq"},
+		},
+		{
+			name:  "file",
+			in:    "file://somefile.json",
+			value: swarm.CredentialSpec{File: "somefile.json"},
+		},
+		{
+			name:  "registry",
+			in:    "registry://testing",
+			value: swarm.CredentialSpec{Registry: "testing"},
+		},
+	}
+
+	for _, tc := range tests {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			var cs credentialSpecOpt
+
+			err := cs.Set(tc.in)
+
+			if tc.expectedErr != "" {
+				assert.Error(t, err, tc.expectedErr)
+			} else {
+				assert.NilError(t, err)
+			}
+
+			assert.Equal(t, cs.String(), tc.in)
+			assert.DeepEqual(t, cs.Value(), &tc.value)
+		})
+	}
+}
+
 func TestMemBytesString(t *testing.T) {
 	var mem opts.MemBytes = 1048576
 	assert.Check(t, is.Equal("1MiB", mem.String()))

cli/command/service/parse.go

@@ -70,16 +70,40 @@ func ParseConfigs(client client.ConfigAPIClient, requestedConfigs []*swarmtypes.
 		return []*swarmtypes.ConfigReference{}, nil
 	}
 
+	// the configRefs map has two purposes: it prevents duplication of config
+	// target filenames, and it it used to get all configs so we can resolve
+	// their IDs. unfortunately, there are other targets for ConfigReferences,
+	// besides just a File; specifically, the Runtime target, which is used for
+	// CredentialSpecs. Therefore, we need to have a list of ConfigReferences
+	// that are not File targets as well. at this time of writing, the only use
+	// for Runtime targets is CredentialSpecs. However, to future-proof this
+	// functionality, we should handle the case where multiple Runtime targets
+	// are in use for the same Config, and we should deduplicate
+	// such ConfigReferences, as no matter how many times the Config is used,
+	// it is only needed to be referenced once.
 	configRefs := make(map[string]*swarmtypes.ConfigReference)
+	runtimeRefs := make(map[string]*swarmtypes.ConfigReference)
 	ctx := context.Background()
 
 	for _, config := range requestedConfigs {
+		// copy the config, so we don't mutate the args
+		configRef := new(swarmtypes.ConfigReference)
+		*configRef = *config
+
+		if config.Runtime != nil {
+			// by assigning to a map based on ConfigName, if the same Config
+			// is required as a Runtime target for multiple purposes, we only
+			// include it once in the final set of configs.
+			runtimeRefs[config.ConfigName] = config
+			// continue, so we skip the logic below for handling file-type
+			// configs
+			continue
+		}
+
 		if _, exists := configRefs[config.File.Name]; exists {
 			return nil, errors.Errorf("duplicate config target for %s not allowed", config.ConfigName)
 		}
 
-		configRef := new(swarmtypes.ConfigReference)
-		*configRef = *config
 		configRefs[config.File.Name] = configRef
 	}
 
@@ -87,6 +111,9 @@ func ParseConfigs(client client.ConfigAPIClient, requestedConfigs []*swarmtypes.
 	for _, s := range configRefs {
 		args.Add("name", s.ConfigName)
 	}
+	for _, s := range runtimeRefs {
+		args.Add("name", s.ConfigName)
+	}
 
 	configs, err := client.ConfigList(ctx, types.ConfigListOptions{
 		Filters: args,
@@ -114,5 +141,18 @@ func ParseConfigs(client client.ConfigAPIClient, requestedConfigs []*swarmtypes.
 		addedConfigs = append(addedConfigs, ref)
 	}
 
+	// unfortunately, because the key of configRefs and runtimeRefs is different
+	// values that may collide, we can't just do some fancy trickery to
+	// concat maps, we need to do two separate loops
+	for _, ref := range runtimeRefs {
+		id, ok := foundConfigs[ref.ConfigName]
+		if !ok {
+			return nil, errors.Errorf("config not found: %s", ref.ConfigName)
+		}
+
+		ref.ConfigID = id
+		addedConfigs = append(addedConfigs, ref)
+	}
+
 	return addedConfigs, nil
 }

cli/command/service/update.go

@@ -194,13 +194,18 @@ func runUpdate(dockerCli command.Cli, flags *pflag.FlagSet, options *serviceOpti
 
 	spec.TaskTemplate.ContainerSpec.Secrets = updatedSecrets
 
-	updatedConfigs, err := getUpdatedConfigs(apiClient, flags, spec.TaskTemplate.ContainerSpec.Configs)
+	updatedConfigs, err := getUpdatedConfigs(apiClient, flags, spec.TaskTemplate.ContainerSpec)
 	if err != nil {
 		return err
 	}
 
 	spec.TaskTemplate.ContainerSpec.Configs = updatedConfigs
 
+	// set the credential spec value after get the updated configs, because we
+	// might need the updated configs to set the correct value of the
+	// CredentialSpec.
+	updateCredSpecConfig(flags, spec.TaskTemplate.ContainerSpec)
+
 	// only send auth if flag was set
 	sendAuth, err := flags.GetBool(flagRegistryAuth)
 	if err != nil {
@@ -731,20 +736,56 @@ func getUpdatedSecrets(apiClient client.SecretAPIClient, flags *pflag.FlagSet, s
 	return newSecrets, nil
 }
 
-func getUpdatedConfigs(apiClient client.ConfigAPIClient, flags *pflag.FlagSet, configs []*swarm.ConfigReference) ([]*swarm.ConfigReference, error) {
-	newConfigs := []*swarm.ConfigReference{}
+func getUpdatedConfigs(apiClient client.ConfigAPIClient, flags *pflag.FlagSet, spec *swarm.ContainerSpec) ([]*swarm.ConfigReference, error) {
+	var (
+		// credSpecConfigName stores the name of the config specified by the
+		// credential-spec flag. if a Runtime target Config with this name is
+		// already in the containerSpec, then this value will be set to
+		// emptystring in the removeConfigs stage. otherwise, a ConfigReference
+		// will be created to pass to ParseConfigs to get the ConfigID.
+		credSpecConfigName string
+		// credSpecConfigID stores the ID of the credential spec config if that
+		// config is being carried over from the old set of references
+		credSpecConfigID string
+	)
 
-	toRemove := buildToRemoveSet(flags, flagConfigRemove)
-	for _, config := range configs {
-		if _, exists := toRemove[config.ConfigName]; !exists {
-			newConfigs = append(newConfigs, config)
+	if flags.Changed(flagCredentialSpec) {
+		credSpec := flags.Lookup(flagCredentialSpec).Value.(*credentialSpecOpt).Value()
+		credSpecConfigName = credSpec.Config
+	} else {
+		// if the credential spec flag has not changed, then check if there
+		// already is a credentialSpec. if there is one, and it's for a Config,
+		// then it's from the old object, and its value is the config ID. we
+		// need this so we don't remove the config if the credential spec is
+		// not being updated.
+		if spec.Privileges != nil && spec.Privileges.CredentialSpec != nil {
+			if config := spec.Privileges.CredentialSpec.Config; config != "" {
+				credSpecConfigID = config
+			}
 		}
 	}
 
-	if flags.Changed(flagConfigAdd) {
-		values := flags.Lookup(flagConfigAdd).Value.(*opts.ConfigOpt).Value()
+	newConfigs := removeConfigs(flags, spec, credSpecConfigName, credSpecConfigID)
 
-		addConfigs, err := ParseConfigs(apiClient, values)
+	// resolveConfigs is a slice of any new configs that need to have the ID
+	// resolved
+	resolveConfigs := []*swarm.ConfigReference{}
+
+	if flags.Changed(flagConfigAdd) {
+		resolveConfigs = append(resolveConfigs, flags.Lookup(flagConfigAdd).Value.(*opts.ConfigOpt).Value()...)
+	}
+
+	// if credSpecConfigNameis non-empty at this point, it means its a new
+	// config, and we need to resolve its ID accordingly.
+	if credSpecConfigName != "" {
+		resolveConfigs = append(resolveConfigs, &swarm.ConfigReference{
+			ConfigName: credSpecConfigName,
+			Runtime:    &swarm.ConfigReferenceRuntimeTarget{},
+		})
+	}
+
+	if len(resolveConfigs) > 0 {
+		addConfigs, err := ParseConfigs(apiClient, resolveConfigs)
 		if err != nil {
 			return nil, err
 		}
@@ -754,6 +795,42 @@ func getUpdatedConfigs(apiClient client.ConfigAPIClient, flags *pflag.FlagSet, c
 	return newConfigs, nil
 }
 
+// removeConfigs figures out which configs in the existing spec should be kept
+// after the update.
+func removeConfigs(flags *pflag.FlagSet, spec *swarm.ContainerSpec, credSpecName, credSpecID string) []*swarm.ConfigReference {
+	keepConfigs := []*swarm.ConfigReference{}
+
+	toRemove := buildToRemoveSet(flags, flagConfigRemove)
+	// all configs in spec.Configs should have both a Name and ID, because
+	// they come from an already-accepted spec.
+	for _, config := range spec.Configs {
+		// if the config is a Runtime target, make sure it's still in use right
+		// now, the only use for Runtime target is credential specs.  if, in
+		// the future, more uses are added, then this check will need to be
+		// made more intelligent.
+		if config.Runtime != nil {
+			// if we're carrying over a credential spec explicitly (because the
+			// user passed --credential-spec with the same config name) then we
+			// should match on credSpecName. if we're carrying over a
+			// credential spec implicitly (because the user did not pass any
+			// --credential-spec flag) then we should match on credSpecID. in
+			// either case, we're keeping the config that already exists.
+			if config.ConfigName == credSpecName || config.ConfigID == credSpecID {
+				keepConfigs = append(keepConfigs, config)
+			}
+			// continue the loop, to skip the part where we check if the config
+			// is in toRemove.
+			continue
+		}
+
+		if _, exists := toRemove[config.ConfigName]; !exists {
+			keepConfigs = append(keepConfigs, config)
+		}
+	}
+
+	return keepConfigs
+}
+
 func envKey(value string) string {
 	kv := strings.SplitN(value, "=", 2)
 	return kv[0]
@@ -1220,3 +1297,48 @@ func updateNetworks(ctx context.Context, apiClient client.NetworkAPIClient, flag
 	spec.TaskTemplate.Networks = newNetworks
 	return nil
 }
+
+// updateCredSpecConfig updates the value of the credential spec Config field
+// to the config ID if the credential spec has changed. it mutates the passed
+// spec. it does not handle the case where the credential spec specifies a
+// config that does not exist -- that case is handled as part of
+// getUpdatedConfigs
+func updateCredSpecConfig(flags *pflag.FlagSet, containerSpec *swarm.ContainerSpec) {
+	if flags.Changed(flagCredentialSpec) {
+		credSpecOpt := flags.Lookup(flagCredentialSpec)
+		// if the flag has changed, and the value is empty string, then we
+		// should remove any credential spec that might be present
+		if credSpecOpt.Value.String() == "" {
+			if containerSpec.Privileges != nil {
+				containerSpec.Privileges.CredentialSpec = nil
+			}
+			return
+		}
+
+		// otherwise, set the credential spec to be the parsed value
+		credSpec := credSpecOpt.Value.(*credentialSpecOpt).Value()
+
+		// if this is a Config credential spec, we we still need to replace the
+		// value of credSpec.Config with the config ID instead of Name.
+		if credSpec.Config != "" {
+			for _, config := range containerSpec.Configs {
+				// if the config name matches, then set the config ID. we do
+				// not need to worry about if this is a Runtime target or not.
+				// even if it is not a Runtime target, getUpdatedConfigs
+				// ensures that a Runtime target for this config exists, and
+				// the Name is unique so the ID is correct no matter the
+				// target.
+				if config.ConfigName == credSpec.Config {
+					credSpec.Config = config.ConfigID
+					break
+				}
+			}
+		}
+
+		if containerSpec.Privileges == nil {
+			containerSpec.Privileges = &swarm.Privileges{}
+		}
+
+		containerSpec.Privileges.CredentialSpec = credSpec
+	}
+}

cli/command/service/update_test.go

@@ -925,3 +925,326 @@ func TestUpdateSysCtls(t *testing.T) {
 		})
 	}
 }
+
+func TestUpdateGetUpdatedConfigs(t *testing.T) {
+	// cannedConfigs is a set of configs that we'll use over and over in the
+	// tests. it's a map of Name to Config
+	cannedConfigs := map[string]*swarm.Config{
+		"bar": {
+			ID: "barID",
+			Spec: swarm.ConfigSpec{
+				Annotations: swarm.Annotations{
+					Name: "bar",
+				},
+			},
+		},
+		"cred": {
+			ID: "credID",
+			Spec: swarm.ConfigSpec{
+				Annotations: swarm.Annotations{
+					Name: "cred",
+				},
+			},
+		},
+		"newCred": {
+			ID: "newCredID",
+			Spec: swarm.ConfigSpec{
+				Annotations: swarm.Annotations{
+					Name: "newCred",
+				},
+			},
+		},
+	}
+	// cannedConfigRefs is the same thing, but with config references instead
+	// instead of ID, however, it just maps an arbitrary string value. this is
+	// so we could have multiple config refs using the same config
+	cannedConfigRefs := map[string]*swarm.ConfigReference{
+		"fooRef": {
+			ConfigID:   "fooID",
+			ConfigName: "foo",
+			File: &swarm.ConfigReferenceFileTarget{
+				Name: "foo",
+				UID:  "0",
+				GID:  "0",
+				Mode: 0444,
+			},
+		},
+		"barRef": {
+			ConfigID:   "barID",
+			ConfigName: "bar",
+			File: &swarm.ConfigReferenceFileTarget{
+				Name: "bar",
+				UID:  "0",
+				GID:  "0",
+				Mode: 0444,
+			},
+		},
+		"bazRef": {
+			ConfigID:   "bazID",
+			ConfigName: "baz",
+			File: &swarm.ConfigReferenceFileTarget{
+				Name: "baz",
+				UID:  "0",
+				GID:  "0",
+				Mode: 0444,
+			},
+		},
+		"credRef": {
+			ConfigID:   "credID",
+			ConfigName: "cred",
+			Runtime:    &swarm.ConfigReferenceRuntimeTarget{},
+		},
+		"newCredRef": {
+			ConfigID:   "newCredID",
+			ConfigName: "newCred",
+			Runtime:    &swarm.ConfigReferenceRuntimeTarget{},
+		},
+	}
+
+	type flagVal [2]string
+	type test struct {
+		// the name of the subtest
+		name string
+		// flags are the flags we'll be setting
+		flags []flagVal
+		// oldConfigs are the configs that would already be on the service
+		// it is a slice of strings corresponding to the the key of
+		// cannedConfigRefs
+		oldConfigs []string
+		// oldCredSpec is the credentialSpec being carried over from the old
+		// object
+		oldCredSpec *swarm.CredentialSpec
+		// lookupConfigs are the configs we're expecting to be listed. it is a
+		// slice of strings corresponding to the key of cannedConfigs
+		lookupConfigs []string
+		// expected is the configs we should get as a result. it is a slice of
+		// strings corresponding to the key in cannedConfigRefs
+		expected []string
+	}
+
+	testCases := []test{
+		{
+			name:       "no configs added or removed",
+			oldConfigs: []string{"fooRef"},
+			expected:   []string{"fooRef"},
+		}, {
+			name:          "add a config",
+			flags:         []flagVal{{"config-add", "bar"}},
+			oldConfigs:    []string{"fooRef"},
+			lookupConfigs: []string{"bar"},
+			expected:      []string{"fooRef", "barRef"},
+		}, {
+			name:       "remove a config",
+			flags:      []flagVal{{"config-rm", "bar"}},
+			oldConfigs: []string{"fooRef", "barRef"},
+			expected:   []string{"fooRef"},
+		}, {
+			name:        "include an old credential spec",
+			oldConfigs:  []string{"credRef"},
+			oldCredSpec: &swarm.CredentialSpec{Config: "credID"},
+			expected:    []string{"credRef"},
+		}, {
+			name:          "add a credential spec",
+			oldConfigs:    []string{"fooRef"},
+			flags:         []flagVal{{"credential-spec", "config://cred"}},
+			lookupConfigs: []string{"cred"},
+			expected:      []string{"fooRef", "credRef"},
+		}, {
+			name:          "change a credential spec",
+			oldConfigs:    []string{"fooRef", "credRef"},
+			oldCredSpec:   &swarm.CredentialSpec{Config: "credID"},
+			flags:         []flagVal{{"credential-spec", "config://newCred"}},
+			lookupConfigs: []string{"newCred"},
+			expected:      []string{"fooRef", "newCredRef"},
+		}, {
+			name:          "credential spec no longer config",
+			oldConfigs:    []string{"fooRef", "credRef"},
+			oldCredSpec:   &swarm.CredentialSpec{Config: "credID"},
+			flags:         []flagVal{{"credential-spec", "file://someFile"}},
+			lookupConfigs: []string{},
+			expected:      []string{"fooRef"},
+		}, {
+			name:          "credential spec becomes config",
+			oldConfigs:    []string{"fooRef"},
+			oldCredSpec:   &swarm.CredentialSpec{File: "someFile"},
+			flags:         []flagVal{{"credential-spec", "config://cred"}},
+			lookupConfigs: []string{"cred"},
+			expected:      []string{"fooRef", "credRef"},
+		}, {
+			name:          "remove credential spec",
+			oldConfigs:    []string{"fooRef", "credRef"},
+			oldCredSpec:   &swarm.CredentialSpec{Config: "credID"},
+			flags:         []flagVal{{"credential-spec", ""}},
+			lookupConfigs: []string{},
+			expected:      []string{"fooRef"},
+		}, {
+			name: "just frick my stuff up",
+			// a more complicated test. add barRef, remove bazRef, keep fooRef,
+			// change credentialSpec from credRef to newCredRef
+			oldConfigs:  []string{"fooRef", "bazRef", "credRef"},
+			oldCredSpec: &swarm.CredentialSpec{Config: "cred"},
+			flags: []flagVal{
+				{"config-add", "bar"},
+				{"config-rm", "baz"},
+				{"credential-spec", "config://newCred"},
+			},
+			lookupConfigs: []string{"bar", "newCred"},
+			expected:      []string{"fooRef", "barRef", "newCredRef"},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			flags := newUpdateCommand(nil).Flags()
+			for _, f := range tc.flags {
+				flags.Set(f[0], f[1])
+			}
+
+			// fakeConfigAPIClientList is actually defined in create_test.go,
+			// but we'll use it here as well
+			var fakeClient fakeConfigAPIClientList = func(_ context.Context, opts types.ConfigListOptions) ([]swarm.Config, error) {
+				names := opts.Filters.Get("name")
+				assert.Equal(t, len(names), len(tc.lookupConfigs))
+
+				configs := []swarm.Config{}
+				for _, lookup := range tc.lookupConfigs {
+					assert.Assert(t, is.Contains(names, lookup))
+					cfg, ok := cannedConfigs[lookup]
+					assert.Assert(t, ok)
+					configs = append(configs, *cfg)
+				}
+				return configs, nil
+			}
+
+			// build the actual set of old configs and the container spec
+			oldConfigs := []*swarm.ConfigReference{}
+			for _, config := range tc.oldConfigs {
+				cfg, ok := cannedConfigRefs[config]
+				assert.Assert(t, ok)
+				oldConfigs = append(oldConfigs, cfg)
+			}
+
+			containerSpec := &swarm.ContainerSpec{
+				Configs: oldConfigs,
+				Privileges: &swarm.Privileges{
+					CredentialSpec: tc.oldCredSpec,
+				},
+			}
+
+			finalConfigs, err := getUpdatedConfigs(fakeClient, flags, containerSpec)
+			assert.NilError(t, err)
+
+			// ensure that the finalConfigs consists of all of the expected
+			// configs
+			assert.Equal(t, len(finalConfigs), len(tc.expected),
+				"%v final configs, %v expected",
+				len(finalConfigs), len(tc.expected),
+			)
+			for _, expected := range tc.expected {
+				assert.Assert(t, is.Contains(finalConfigs, cannedConfigRefs[expected]))
+			}
+		})
+	}
+}
+
+func TestUpdateCredSpec(t *testing.T) {
+	type testCase struct {
+		// name is the name of the subtest
+		name string
+		// flagVal is the value we're setting flagCredentialSpec to
+		flagVal string
+		// spec is the existing serviceSpec with its configs
+		spec *swarm.ContainerSpec
+		// expected is the expected value of the credential spec after the
+		// function. it may be nil
+		expected *swarm.CredentialSpec
+	}
+
+	testCases := []testCase{
+		{
+			name:     "add file credential spec",
+			flagVal:  "file://somefile",
+			spec:     &swarm.ContainerSpec{},
+			expected: &swarm.CredentialSpec{File: "somefile"},
+		}, {
+			name:    "remove a file credential spec",
+			flagVal: "",
+			spec: &swarm.ContainerSpec{
+				Privileges: &swarm.Privileges{
+					CredentialSpec: &swarm.CredentialSpec{
+						File: "someFile",
+					},
+				},
+			},
+			expected: nil,
+		}, {
+			name:     "remove when no CredentialSpec exists",
+			flagVal:  "",
+			spec:     &swarm.ContainerSpec{},
+			expected: nil,
+		}, {
+			name:    "add a config credenital spec",
+			flagVal: "config://someConfigName",
+			spec: &swarm.ContainerSpec{
+				Configs: []*swarm.ConfigReference{
+					{
+						ConfigName: "someConfigName",
+						ConfigID:   "someConfigID",
+						Runtime:    &swarm.ConfigReferenceRuntimeTarget{},
+					},
+				},
+			},
+			expected: &swarm.CredentialSpec{
+				Config: "someConfigID",
+			},
+		}, {
+			name:    "remove a config credential spec",
+			flagVal: "",
+			spec: &swarm.ContainerSpec{
+				Privileges: &swarm.Privileges{
+					CredentialSpec: &swarm.CredentialSpec{
+						Config: "someConfigID",
+					},
+				},
+			},
+			expected: nil,
+		}, {
+			name:    "update a config credential spec",
+			flagVal: "config://someConfigName",
+			spec: &swarm.ContainerSpec{
+				Configs: []*swarm.ConfigReference{
+					{
+						ConfigName: "someConfigName",
+						ConfigID:   "someConfigID",
+						Runtime:    &swarm.ConfigReferenceRuntimeTarget{},
+					},
+				},
+				Privileges: &swarm.Privileges{
+					CredentialSpec: &swarm.CredentialSpec{
+						Config: "someDifferentConfigID",
+					},
+				},
+			},
+			expected: &swarm.CredentialSpec{
+				Config: "someConfigID",
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			flags := newUpdateCommand(nil).Flags()
+			flags.Set(flagCredentialSpec, tc.flagVal)
+
+			updateCredSpecConfig(flags, tc.spec)
+			// handle the case where tc.spec.Privileges is nil
+			if tc.expected == nil {
+				assert.Assert(t, tc.spec.Privileges == nil || tc.spec.Privileges.CredentialSpec == nil)
+				return
+			}
+
+			assert.Assert(t, tc.spec.Privileges != nil)
+			assert.DeepEqual(t, tc.spec.Privileges.CredentialSpec, tc.expected)
+		})
+	}
+}

cli/command/stack/kubernetes/convert.go

@@ -14,16 +14,17 @@ import (
 	latest "github.com/docker/compose-on-kubernetes/api/compose/v1alpha3"
 	"github.com/docker/compose-on-kubernetes/api/compose/v1beta1"
 	"github.com/docker/compose-on-kubernetes/api/compose/v1beta2"
+	"github.com/docker/go-connections/nat"
+	"github.com/mitchellh/mapstructure"
 	"github.com/pkg/errors"
 	yaml "gopkg.in/yaml.v2"
+	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 const (
-	// pullSecretExtraField is an extra field on ServiceConfigs usable to reference a pull secret
-	pullSecretExtraField = "x-pull-secret"
-	// pullPolicyExtraField is an extra field on ServiceConfigs usable to specify a pull policy
-	pullPolicyExtraField = "x-pull-policy"
+	// kubernatesExtraField is an extra field on ServiceConfigs containing kubernetes-specific extensions to compose format
+	kubernatesExtraField = "x-kubernetes"
 )
 
 // NewStackConverter returns a converter from types.Config (compose) to the specified
@@ -245,10 +246,8 @@ func fromComposeConfigs(s map[string]composeTypes.ConfigObjConfig) map[string]la
 
 func fromComposeServiceConfig(s composeTypes.ServiceConfig, capabilities composeCapabilities) (latest.ServiceConfig, error) {
 	var (
-		userID     *int64
-		pullSecret string
-		pullPolicy string
-		err        error
+		userID *int64
+		err    error
 	)
 	if s.User != "" {
 		numerical, err := strconv.Atoi(s.User)
@@ -257,20 +256,22 @@ func fromComposeServiceConfig(s composeTypes.ServiceConfig, capabilities compose
 			userID = &unixUserID
 		}
 	}
-	pullSecret, err = resolveServiceExtra(s, pullSecretExtraField)
+	kubeExtra, err := resolveServiceExtra(s)
 	if err != nil {
 		return latest.ServiceConfig{}, err
 	}
-	pullPolicy, err = resolveServiceExtra(s, pullPolicyExtraField)
+	if kubeExtra.PullSecret != "" && !capabilities.hasPullSecrets {
+		return latest.ServiceConfig{}, errors.Errorf(`stack API version %s does not support pull secrets (field "x-kubernetes.pull_secret"), please use version v1alpha3 or higher`, capabilities.apiVersion)
+	}
+	if kubeExtra.PullPolicy != "" && !capabilities.hasPullPolicies {
+		return latest.ServiceConfig{}, errors.Errorf(`stack API version %s does not support pull policies (field "x-kubernetes.pull_policy"), please use version v1alpha3 or higher`, capabilities.apiVersion)
+	}
+
+	internalPorts, err := setupIntraStackNetworking(s, kubeExtra, capabilities)
 	if err != nil {
 		return latest.ServiceConfig{}, err
 	}
-	if pullSecret != "" && !capabilities.hasPullSecrets {
-		return latest.ServiceConfig{}, errors.Errorf("stack API version %s does not support pull secrets (field %q), please use version v1alpha3 or higher", capabilities.apiVersion, pullSecretExtraField)
-	}
-	if pullPolicy != "" && !capabilities.hasPullPolicies {
-		return latest.ServiceConfig{}, errors.Errorf("stack API version %s does not support pull policies (field %q), please use version v1alpha3 or higher", capabilities.apiVersion, pullPolicyExtraField)
-	}
+
 	return latest.ServiceConfig{
 		Name:    s.Name,
 		CapAdd:  s.CapAdd,
@@ -286,40 +287,96 @@ func fromComposeServiceConfig(s composeTypes.ServiceConfig, capabilities compose
 			RestartPolicy: fromComposeRestartPolicy(s.Deploy.RestartPolicy),
 			Placement:     fromComposePlacement(s.Deploy.Placement),
 		},
-		Entrypoint:      s.Entrypoint,
-		Environment:     s.Environment,
-		ExtraHosts:      s.ExtraHosts,
-		Hostname:        s.Hostname,
-		HealthCheck:     fromComposeHealthcheck(s.HealthCheck),
-		Image:           s.Image,
-		Ipc:             s.Ipc,
-		Labels:          s.Labels,
-		Pid:             s.Pid,
-		Ports:           fromComposePorts(s.Ports),
-		Privileged:      s.Privileged,
-		ReadOnly:        s.ReadOnly,
-		Secrets:         fromComposeServiceSecrets(s.Secrets),
-		StdinOpen:       s.StdinOpen,
-		StopGracePeriod: composetypes.ConvertDurationPtr(s.StopGracePeriod),
-		Tmpfs:           s.Tmpfs,
-		Tty:             s.Tty,
-		User:            userID,
-		Volumes:         fromComposeServiceVolumeConfig(s.Volumes),
-		WorkingDir:      s.WorkingDir,
-		PullSecret:      pullSecret,
-		PullPolicy:      pullPolicy,
+		Entrypoint:          s.Entrypoint,
+		Environment:         s.Environment,
+		ExtraHosts:          s.ExtraHosts,
+		Hostname:            s.Hostname,
+		HealthCheck:         fromComposeHealthcheck(s.HealthCheck),
+		Image:               s.Image,
+		Ipc:                 s.Ipc,
+		Labels:              s.Labels,
+		Pid:                 s.Pid,
+		Ports:               fromComposePorts(s.Ports),
+		Privileged:          s.Privileged,
+		ReadOnly:            s.ReadOnly,
+		Secrets:             fromComposeServiceSecrets(s.Secrets),
+		StdinOpen:           s.StdinOpen,
+		StopGracePeriod:     composetypes.ConvertDurationPtr(s.StopGracePeriod),
+		Tmpfs:               s.Tmpfs,
+		Tty:                 s.Tty,
+		User:                userID,
+		Volumes:             fromComposeServiceVolumeConfig(s.Volumes),
+		WorkingDir:          s.WorkingDir,
+		PullSecret:          kubeExtra.PullSecret,
+		PullPolicy:          kubeExtra.PullPolicy,
+		InternalServiceType: kubeExtra.InternalServiceType,
+		InternalPorts:       internalPorts,
 	}, nil
 }
 
-func resolveServiceExtra(s composeTypes.ServiceConfig, field string) (string, error) {
-	if iface, ok := s.Extras[field]; ok {
-		value, ok := iface.(string)
-		if !ok {
-			return "", errors.Errorf("field %q: value %v type is %T, should be a string", field, iface, iface)
-		}
-		return value, nil
+func setupIntraStackNetworking(s composeTypes.ServiceConfig, kubeExtra kubernetesExtra, capabilities composeCapabilities) ([]latest.InternalPort, error) {
+	if kubeExtra.InternalServiceType != latest.InternalServiceTypeAuto && !capabilities.hasIntraStackLoadBalancing {
+		return nil,
+			errors.Errorf(`stack API version %s does not support intra-stack load balancing (field "x-kubernetes.internal_service_type"), please use version v1alpha3 or higher`,
+				capabilities.apiVersion)
 	}
-	return "", nil
+	if !capabilities.hasIntraStackLoadBalancing {
+		return nil, nil
+	}
+	if err := validateInternalServiceType(kubeExtra.InternalServiceType); err != nil {
+		return nil, err
+	}
+	internalPorts, err := toInternalPorts(s.Expose)
+	if err != nil {
+		return nil, err
+	}
+	return internalPorts, nil
+}
+
+func validateInternalServiceType(internalServiceType latest.InternalServiceType) error {
+	switch internalServiceType {
+	case latest.InternalServiceTypeAuto, latest.InternalServiceTypeClusterIP, latest.InternalServiceTypeHeadless:
+	default:
+		return errors.Errorf(`invalid value %q for field "x-kubernetes.internal_service_type", valid values are %q or %q`, internalServiceType,
+			latest.InternalServiceTypeClusterIP,
+			latest.InternalServiceTypeHeadless)
+	}
+	return nil
+}
+
+func toInternalPorts(expose []string) ([]latest.InternalPort, error) {
+	var internalPorts []latest.InternalPort
+	for _, sourcePort := range expose {
+		proto, port := nat.SplitProtoPort(sourcePort)
+		start, end, err := nat.ParsePortRange(port)
+		if err != nil {
+			return nil, errors.Errorf("invalid format for expose: %q, error: %s", sourcePort, err)
+		}
+		for i := start; i <= end; i++ {
+			k8sProto := v1.Protocol(strings.ToUpper(proto))
+			switch k8sProto {
+			case v1.ProtocolSCTP, v1.ProtocolTCP, v1.ProtocolUDP:
+			default:
+				return nil, errors.Errorf("invalid protocol for expose: %q, supported values are %q, %q and %q", sourcePort, v1.ProtocolSCTP, v1.ProtocolTCP, v1.ProtocolUDP)
+			}
+			internalPorts = append(internalPorts, latest.InternalPort{
+				Port:     int32(i),
+				Protocol: k8sProto,
+			})
+		}
+	}
+	return internalPorts, nil
+}
+
+func resolveServiceExtra(s composeTypes.ServiceConfig) (kubernetesExtra, error) {
+	if iface, ok := s.Extras[kubernatesExtraField]; ok {
+		var result kubernetesExtra
+		if err := mapstructure.Decode(iface, &result); err != nil {
+			return kubernetesExtra{}, err
+		}
+		return result, nil
+	}
+	return kubernetesExtra{}, nil
 }
 
 func fromComposePorts(ports []composeTypes.ServicePortConfig) []latest.ServicePortConfig {
@@ -489,14 +546,22 @@ var (
 		apiVersion: "v1beta2",
 	}
 	v1alpha3Capabilities = composeCapabilities{
-		apiVersion:      "v1alpha3",
-		hasPullSecrets:  true,
-		hasPullPolicies: true,
+		apiVersion:                 "v1alpha3",
+		hasPullSecrets:             true,
+		hasPullPolicies:            true,
+		hasIntraStackLoadBalancing: true,
 	}
 )
 
 type composeCapabilities struct {
-	apiVersion      string
-	hasPullSecrets  bool
-	hasPullPolicies bool
+	apiVersion                 string
+	hasPullSecrets             bool
+	hasPullPolicies            bool
+	hasIntraStackLoadBalancing bool
+}
+
+type kubernetesExtra struct {
+	PullSecret          string                     `mapstructure:"pull_secret"`
+	PullPolicy          string                     `mapstructure:"pull_policy"`
+	InternalServiceType latest.InternalServiceType `mapstructure:"internal_service_type"`
 }

cli/command/stack/kubernetes/convert_test.go

@@ -13,6 +13,7 @@ import (
 	"github.com/docker/compose-on-kubernetes/api/compose/v1beta2"
 	"gotest.tools/assert"
 	is "gotest.tools/assert/cmp"
+	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -188,8 +189,8 @@ func TestHandlePullSecret(t *testing.T) {
 		version string
 		err     string
 	}{
-		{version: "v1beta1", err: `stack API version v1beta1 does not support pull secrets (field "x-pull-secret"), please use version v1alpha3 or higher`},
-		{version: "v1beta2", err: `stack API version v1beta2 does not support pull secrets (field "x-pull-secret"), please use version v1alpha3 or higher`},
+		{version: "v1beta1", err: `stack API version v1beta1 does not support pull secrets (field "x-kubernetes.pull_secret"), please use version v1alpha3 or higher`},
+		{version: "v1beta2", err: `stack API version v1beta2 does not support pull secrets (field "x-kubernetes.pull_secret"), please use version v1alpha3 or higher`},
 		{version: "v1alpha3"},
 	}
 
@@ -215,8 +216,8 @@ func TestHandlePullPolicy(t *testing.T) {
 		version string
 		err     string
 	}{
-		{version: "v1beta1", err: `stack API version v1beta1 does not support pull policies (field "x-pull-policy"), please use version v1alpha3 or higher`},
-		{version: "v1beta2", err: `stack API version v1beta2 does not support pull policies (field "x-pull-policy"), please use version v1alpha3 or higher`},
+		{version: "v1beta1", err: `stack API version v1beta1 does not support pull policies (field "x-kubernetes.pull_policy"), please use version v1alpha3 or higher`},
+		{version: "v1beta2", err: `stack API version v1beta2 does not support pull policies (field "x-kubernetes.pull_policy"), please use version v1alpha3 or higher`},
 		{version: "v1alpha3"},
 	}
 
@@ -235,3 +236,111 @@ func TestHandlePullPolicy(t *testing.T) {
 		})
 	}
 }
+
+func TestHandleInternalServiceType(t *testing.T) {
+	cases := []struct {
+		name     string
+		value    string
+		caps     composeCapabilities
+		err      string
+		expected v1alpha3.InternalServiceType
+	}{
+		{
+			name:  "v1beta1",
+			value: "ClusterIP",
+			caps:  v1beta1Capabilities,
+			err:   `stack API version v1beta1 does not support intra-stack load balancing (field "x-kubernetes.internal_service_type"), please use version v1alpha3 or higher`,
+		},
+		{
+			name:  "v1beta2",
+			value: "ClusterIP",
+			caps:  v1beta2Capabilities,
+			err:   `stack API version v1beta2 does not support intra-stack load balancing (field "x-kubernetes.internal_service_type"), please use version v1alpha3 or higher`,
+		},
+		{
+			name:     "v1alpha3",
+			value:    "ClusterIP",
+			caps:     v1alpha3Capabilities,
+			expected: v1alpha3.InternalServiceTypeClusterIP,
+		},
+		{
+			name:  "v1alpha3-invalid",
+			value: "invalid",
+			caps:  v1alpha3Capabilities,
+			err:   `invalid value "invalid" for field "x-kubernetes.internal_service_type", valid values are "ClusterIP" or "Headless"`,
+		},
+	}
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			res, err := fromComposeServiceConfig(composetypes.ServiceConfig{
+				Name:  "test",
+				Image: "test",
+				Extras: map[string]interface{}{
+					"x-kubernetes": map[string]interface{}{
+						"internal_service_type": c.value,
+					},
+				},
+			}, c.caps)
+			if c.err == "" {
+				assert.NilError(t, err)
+				assert.Equal(t, res.InternalServiceType, c.expected)
+			} else {
+				assert.ErrorContains(t, err, c.err)
+			}
+		})
+	}
+}
+
+func TestIgnoreExpose(t *testing.T) {
+	testData := loadTestStackWith(t, "expose")
+	for _, version := range []string{"v1beta1", "v1beta2"} {
+		conv, err := NewStackConverter(version)
+		assert.NilError(t, err)
+		s, err := conv.FromCompose(ioutil.Discard, "test", testData)
+		assert.NilError(t, err)
+		assert.Equal(t, len(s.Spec.Services[0].InternalPorts), 0)
+	}
+}
+
+func TestParseExpose(t *testing.T) {
+	testData := loadTestStackWith(t, "expose")
+	conv, err := NewStackConverter("v1alpha3")
+	assert.NilError(t, err)
+	s, err := conv.FromCompose(ioutil.Discard, "test", testData)
+	assert.NilError(t, err)
+	expected := []v1alpha3.InternalPort{
+		{
+			Port:     1,
+			Protocol: v1.ProtocolTCP,
+		},
+		{
+			Port:     2,
+			Protocol: v1.ProtocolTCP,
+		},
+		{
+			Port:     3,
+			Protocol: v1.ProtocolTCP,
+		},
+		{
+			Port:     4,
+			Protocol: v1.ProtocolTCP,
+		},
+		{
+			Port:     5,
+			Protocol: v1.ProtocolUDP,
+		},
+		{
+			Port:     6,
+			Protocol: v1.ProtocolUDP,
+		},
+		{
+			Port:     7,
+			Protocol: v1.ProtocolUDP,
+		},
+		{
+			Port:     8,
+			Protocol: v1.ProtocolUDP,
+		},
+	}
+	assert.DeepEqual(t, s.Spec.Services[0].InternalPorts, expected)
+}

cli/command/stack/kubernetes/testdata/compose-with-expose.yml

@@ -0,0 +1,9 @@
+version: "3.7"
+services:
+  test:
+    image: "some-image"
+    expose:
+    - "1" # default protocol, single port
+    - "2-4" # default protocol, port range
+    - "5/udp" # specific protocol, single port
+    - "6-8/udp" # specific protocol, port range

cli/command/stack/kubernetes/testdata/compose-with-pull-policy.yml

@@ -2,4 +2,5 @@ version: "3.7"
 services:
   test:
     image: "some-image"
-    x-pull-policy: "Never"
+    x-kubernetes:
+      pull_policy: "Never"

cli/command/stack/kubernetes/testdata/compose-with-pull-secret.yml

@@ -2,4 +2,5 @@ version: "3.7"
 services:
   test:
     image: "some-private-image"
-    x-pull-secret: "some-secret"
+    x-kubernetes:
+      pull_secret: "some-secret"

cli/compose/convert/compose.go

@@ -106,11 +106,23 @@ func Secrets(namespace Namespace, secrets map[string]composetypes.SecretConfig)
 			continue
 		}
 
-		obj, err := fileObjectConfig(namespace, name, composetypes.FileObjectConfig(secret))
+		var obj swarmFileObject
+		var err error
+		if secret.Driver != "" {
+			obj, err = driverObjectConfig(namespace, name, composetypes.FileObjectConfig(secret))
+		} else {
+			obj, err = fileObjectConfig(namespace, name, composetypes.FileObjectConfig(secret))
+		}
 		if err != nil {
 			return nil, err
 		}
 		spec := swarm.SecretSpec{Annotations: obj.Annotations, Data: obj.Data}
+		if secret.Driver != "" {
+			spec.Driver = &swarm.Driver{
+				Name:    secret.Driver,
+				Options: secret.DriverOpts,
+			}
+		}
 		if secret.TemplateDriver != "" {
 			spec.Templating = &swarm.Driver{
 				Name: secret.TemplateDriver,
@@ -149,6 +161,22 @@ type swarmFileObject struct {
 	Data        []byte
 }
 
+func driverObjectConfig(namespace Namespace, name string, obj composetypes.FileObjectConfig) (swarmFileObject, error) {
+	if obj.Name != "" {
+		name = obj.Name
+	} else {
+		name = namespace.Scope(name)
+	}
+
+	return swarmFileObject{
+		Annotations: swarm.Annotations{
+			Name:   name,
+			Labels: AddStackLabel(namespace, obj.Labels),
+		},
+		Data: []byte{},
+	}, nil
+}
+
 func fileObjectConfig(namespace Namespace, name string, obj composetypes.FileObjectConfig) (swarmFileObject, error) {
 	data, err := ioutil.ReadFile(obj.File)
 	if err != nil {

cli/compose/convert/service.go

@@ -40,7 +40,7 @@ func Services(
 		if err != nil {
 			return nil, errors.Wrapf(err, "service %s", service.Name)
 		}
-		configs, err := convertServiceConfigObjs(client, namespace, service.Configs, config.Configs)
+		configs, err := convertServiceConfigObjs(client, namespace, service, config.Configs)
 		if err != nil {
 			return nil, errors.Wrapf(err, "service %s", service.Name)
 		}
@@ -109,7 +109,9 @@ func Service(
 	}
 
 	var privileges swarm.Privileges
-	privileges.CredentialSpec, err = convertCredentialSpec(service.CredentialSpec)
+	privileges.CredentialSpec, err = convertCredentialSpec(
+		namespace, service.CredentialSpec, configs,
+	)
 	if err != nil {
 		return swarm.ServiceSpec{}, err
 	}
@@ -286,11 +288,17 @@ func convertServiceSecrets(
 	return secrs, err
 }
 
+// convertServiceConfigObjs takes an API client, a namespace, a ServiceConfig,
+// and a set of compose Config specs, and creates the swarm ConfigReferences
+// required by the serivce. Unlike convertServiceSecrets, this takes the whole
+// ServiceConfig, because some Configs may be needed as a result of other
+// fields (like CredentialSpecs).
+//
 // TODO: fix configs API so that ConfigsAPIClient is not required here
 func convertServiceConfigObjs(
 	client client.ConfigAPIClient,
 	namespace Namespace,
-	configs []composetypes.ServiceConfigObjConfig,
+	service composetypes.ServiceConfig,
 	configSpecs map[string]composetypes.ConfigObjConfig,
 ) ([]*swarm.ConfigReference, error) {
 	refs := []*swarm.ConfigReference{}
@@ -302,7 +310,7 @@ func convertServiceConfigObjs(
 		}
 		return composetypes.FileObjectConfig(configSpec), nil
 	}
-	for _, config := range configs {
+	for _, config := range service.Configs {
 		obj, err := convertFileObject(namespace, composetypes.FileReferenceConfig(config), lookup)
 		if err != nil {
 			return nil, err
@@ -315,6 +323,38 @@ func convertServiceConfigObjs(
 		})
 	}
 
+	// finally, after converting all of the file objects, create any
+	// Runtime-type configs that are needed. these are configs that are not
+	// mounted into the container, but are used in some other way by the
+	// container runtime. Currently, this only means CredentialSpecs, but in
+	// the future it may be used for other fields
+
+	// grab the CredentialSpec out of the Service
+	credSpec := service.CredentialSpec
+	// if the credSpec uses a config, then we should grab the config name, and
+	// create a config reference for it. A File or Registry-type CredentialSpec
+	// does not need this operation.
+	if credSpec.Config != "" {
+		// look up the config in the configSpecs.
+		obj, err := lookup(credSpec.Config)
+		if err != nil {
+			return nil, err
+		}
+
+		// get the actual correct name.
+		name := namespace.Scope(credSpec.Config)
+		if obj.Name != "" {
+			name = obj.Name
+		}
+
+		// now append a Runtime-type config.
+		refs = append(refs, &swarm.ConfigReference{
+			ConfigName: name,
+			Runtime:    &swarm.ConfigReferenceRuntimeTarget{},
+		})
+
+	}
+
 	confs, err := servicecli.ParseConfigs(client, refs)
 	if err != nil {
 		return nil, err
@@ -342,11 +382,6 @@ func convertFileObject(
 	config composetypes.FileReferenceConfig,
 	lookup func(key string) (composetypes.FileObjectConfig, error),
 ) (swarmReferenceObject, error) {
-	target := config.Target
-	if target == "" {
-		target = config.Source
-	}
-
 	obj, err := lookup(config.Source)
 	if err != nil {
 		return swarmReferenceObject{}, err
@@ -357,6 +392,11 @@ func convertFileObject(
 		source = obj.Name
 	}
 
+	target := config.Target
+	if target == "" {
+		target = config.Source
+	}
+
 	uid := config.UID
 	gid := config.GID
 	if uid == "" {
@@ -599,13 +639,46 @@ func convertDNSConfig(DNS []string, DNSSearch []string) (*swarm.DNSConfig, error
 	return nil, nil
 }
 
-func convertCredentialSpec(spec composetypes.CredentialSpecConfig) (*swarm.CredentialSpec, error) {
-	if spec.File == "" && spec.Registry == "" {
-		return nil, nil
+func convertCredentialSpec(namespace Namespace, spec composetypes.CredentialSpecConfig, refs []*swarm.ConfigReference) (*swarm.CredentialSpec, error) {
+	var o []string
+
+	// Config was added in API v1.40
+	if spec.Config != "" {
+		o = append(o, `"Config"`)
 	}
-	if spec.File != "" && spec.Registry != "" {
-		return nil, errors.New("Invalid credential spec - must provide one of `File` or `Registry`")
+	if spec.File != "" {
+		o = append(o, `"File"`)
+	}
+	if spec.Registry != "" {
+		o = append(o, `"Registry"`)
+	}
+	l := len(o)
+	switch {
+	case l == 0:
+		return nil, nil
+	case l == 2:
+		return nil, errors.Errorf("invalid credential spec: cannot specify both %s and %s", o[0], o[1])
+	case l > 2:
+		return nil, errors.Errorf("invalid credential spec: cannot specify both %s, and %s", strings.Join(o[:l-1], ", "), o[l-1])
 	}
 	swarmCredSpec := swarm.CredentialSpec(spec)
+	// if we're using a swarm Config for the credential spec, over-write it
+	// here with the config ID
+	if swarmCredSpec.Config != "" {
+		for _, config := range refs {
+			if swarmCredSpec.Config == config.ConfigName {
+				swarmCredSpec.Config = config.ConfigID
+				return &swarmCredSpec, nil
+			}
+		}
+		// if none of the configs match, try namespacing
+		for _, config := range refs {
+			if namespace.Scope(swarmCredSpec.Config) == config.ConfigName {
+				swarmCredSpec.Config = config.ConfigID
+				return &swarmCredSpec, nil
+			}
+		}
+		return nil, errors.Errorf("invalid credential spec: spec specifies config %v, but no such config can be found", swarmCredSpec.Config)
+	}
 	return &swarmCredSpec, nil
 }

cli/compose/convert/service_test.go

@@ -314,30 +314,98 @@ func TestConvertDNSConfigSearch(t *testing.T) {
 }
 
 func TestConvertCredentialSpec(t *testing.T) {
-	swarmSpec, err := convertCredentialSpec(composetypes.CredentialSpecConfig{})
-	assert.NilError(t, err)
-	assert.Check(t, is.Nil(swarmSpec))
+	tests := []struct {
+		name        string
+		in          composetypes.CredentialSpecConfig
+		out         *swarm.CredentialSpec
+		configs     []*swarm.ConfigReference
+		expectedErr string
+	}{
+		{
+			name: "empty",
+		},
+		{
+			name:        "config-and-file",
+			in:          composetypes.CredentialSpecConfig{Config: "0bt9dmxjvjiqermk6xrop3ekq", File: "somefile.json"},
+			expectedErr: `invalid credential spec: cannot specify both "Config" and "File"`,
+		},
+		{
+			name:        "config-and-registry",
+			in:          composetypes.CredentialSpecConfig{Config: "0bt9dmxjvjiqermk6xrop3ekq", Registry: "testing"},
+			expectedErr: `invalid credential spec: cannot specify both "Config" and "Registry"`,
+		},
+		{
+			name:        "file-and-registry",
+			in:          composetypes.CredentialSpecConfig{File: "somefile.json", Registry: "testing"},
+			expectedErr: `invalid credential spec: cannot specify both "File" and "Registry"`,
+		},
+		{
+			name:        "config-and-file-and-registry",
+			in:          composetypes.CredentialSpecConfig{Config: "0bt9dmxjvjiqermk6xrop3ekq", File: "somefile.json", Registry: "testing"},
+			expectedErr: `invalid credential spec: cannot specify both "Config", "File", and "Registry"`,
+		},
+		{
+			name:        "missing-config-reference",
+			in:          composetypes.CredentialSpecConfig{Config: "missing"},
+			expectedErr: "invalid credential spec: spec specifies config missing, but no such config can be found",
+			configs: []*swarm.ConfigReference{
+				{
+					ConfigName: "someName",
+					ConfigID:   "missing",
+				},
+			},
+		},
+		{
+			name: "namespaced-config",
+			in:   composetypes.CredentialSpecConfig{Config: "name"},
+			configs: []*swarm.ConfigReference{
+				{
+					ConfigName: "namespaced-config_name",
+					ConfigID:   "someID",
+				},
+			},
+			out: &swarm.CredentialSpec{Config: "someID"},
+		},
+		{
+			name: "config",
+			in:   composetypes.CredentialSpecConfig{Config: "someName"},
+			configs: []*swarm.ConfigReference{
+				{
+					ConfigName: "someOtherName",
+					ConfigID:   "someOtherID",
+				}, {
+					ConfigName: "someName",
+					ConfigID:   "someID",
+				},
+			},
+			out: &swarm.CredentialSpec{Config: "someID"},
+		},
+		{
+			name: "file",
+			in:   composetypes.CredentialSpecConfig{File: "somefile.json"},
+			out:  &swarm.CredentialSpec{File: "somefile.json"},
+		},
+		{
+			name: "registry",
+			in:   composetypes.CredentialSpecConfig{Registry: "testing"},
+			out:  &swarm.CredentialSpec{Registry: "testing"},
+		},
+	}
 
-	swarmSpec, err = convertCredentialSpec(composetypes.CredentialSpecConfig{
-		File: "/foo",
-	})
-	assert.NilError(t, err)
-	assert.Check(t, is.Equal(swarmSpec.File, "/foo"))
-	assert.Check(t, is.Equal(swarmSpec.Registry, ""))
+	for _, tc := range tests {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			namespace := NewNamespace(tc.name)
+			swarmSpec, err := convertCredentialSpec(namespace, tc.in, tc.configs)
 
-	swarmSpec, err = convertCredentialSpec(composetypes.CredentialSpecConfig{
-		Registry: "foo",
-	})
-	assert.NilError(t, err)
-	assert.Check(t, is.Equal(swarmSpec.File, ""))
-	assert.Check(t, is.Equal(swarmSpec.Registry, "foo"))
-
-	swarmSpec, err = convertCredentialSpec(composetypes.CredentialSpecConfig{
-		File:     "/asdf",
-		Registry: "foo",
-	})
-	assert.Check(t, is.ErrorContains(err, ""))
-	assert.Check(t, is.Nil(swarmSpec))
+			if tc.expectedErr != "" {
+				assert.Error(t, err, tc.expectedErr)
+			} else {
+				assert.NilError(t, err)
+			}
+			assert.DeepEqual(t, swarmSpec, tc.out)
+		})
+	}
 }
 
 func TestConvertUpdateConfigOrder(t *testing.T) {
@@ -467,9 +535,14 @@ func TestConvertServiceSecrets(t *testing.T) {
 
 func TestConvertServiceConfigs(t *testing.T) {
 	namespace := Namespace{name: "foo"}
-	configs := []composetypes.ServiceConfigObjConfig{
-		{Source: "foo_config"},
-		{Source: "bar_config"},
+	service := composetypes.ServiceConfig{
+		Configs: []composetypes.ServiceConfigObjConfig{
+			{Source: "foo_config"},
+			{Source: "bar_config"},
+		},
+		CredentialSpec: composetypes.CredentialSpecConfig{
+			Config: "baz_config",
+		},
 	}
 	configSpecs := map[string]composetypes.ConfigObjConfig{
 		"foo_config": {
@@ -478,18 +551,23 @@ func TestConvertServiceConfigs(t *testing.T) {
 		"bar_config": {
 			Name: "bar_config",
 		},
+		"baz_config": {
+			Name: "baz_config",
+		},
 	}
 	client := &fakeClient{
 		configListFunc: func(opts types.ConfigListOptions) ([]swarm.Config, error) {
 			assert.Check(t, is.Contains(opts.Filters.Get("name"), "foo_config"))
 			assert.Check(t, is.Contains(opts.Filters.Get("name"), "bar_config"))
+			assert.Check(t, is.Contains(opts.Filters.Get("name"), "baz_config"))
 			return []swarm.Config{
 				{Spec: swarm.ConfigSpec{Annotations: swarm.Annotations{Name: "foo_config"}}},
 				{Spec: swarm.ConfigSpec{Annotations: swarm.Annotations{Name: "bar_config"}}},
+				{Spec: swarm.ConfigSpec{Annotations: swarm.Annotations{Name: "baz_config"}}},
 			}, nil
 		},
 	}
-	refs, err := convertServiceConfigObjs(client, namespace, configs, configSpecs)
+	refs, err := convertServiceConfigObjs(client, namespace, service, configSpecs)
 	assert.NilError(t, err)
 	expected := []*swarm.ConfigReference{
 		{
@@ -501,6 +579,10 @@ func TestConvertServiceConfigs(t *testing.T) {
 				Mode: 0444,
 			},
 		},
+		{
+			ConfigName: "baz_config",
+			Runtime:    &swarm.ConfigReferenceRuntimeTarget{},
+		},
 		{
 			ConfigName: "foo_config",
 			File: &swarm.ConfigReferenceFileTarget{

cli/compose/loader/loader.go

@@ -634,7 +634,8 @@ func LoadConfigObjs(source map[string]interface{}, details types.ConfigDetails)
 
 func loadFileObjectConfig(name string, objType string, obj types.FileObjectConfig, details types.ConfigDetails) (types.FileObjectConfig, error) {
 	// if "external: true"
-	if obj.External.External {
+	switch {
+	case obj.External.External:
 		// handle deprecated external.name
 		if obj.External.Name != "" {
 			if obj.Name != "" {
@@ -651,7 +652,11 @@ func loadFileObjectConfig(name string, objType string, obj types.FileObjectConfi
 			}
 		}
 		// if not "external: true"
-	} else {
+	case obj.Driver != "":
+		if obj.File != "" {
+			return obj, errors.Errorf("%[1]s %[2]s: %[1]s.driver and %[1]s.file conflict; only use %[1]s.driver", objType, name)
+		}
+	default:
 		obj.File = absPath(details.WorkingDir, obj.File)
 	}
 

cli/compose/loader/loader_test.go

@@ -295,6 +295,20 @@ configs:
 	assert.Assert(t, is.Len(actual.Configs, 1))
 }
 
+func TestLoadV38(t *testing.T) {
+	actual, err := loadYAML(`
+version: "3.8"
+services:
+  foo:
+    image: busybox
+    credential_spec:
+      config: "0bt9dmxjvjiqermk6xrop3ekq"
+`)
+	assert.NilError(t, err)
+	assert.Assert(t, is.Len(actual.Services, 1))
+	assert.Check(t, is.Equal(actual.Services[0].CredentialSpec.Config, "0bt9dmxjvjiqermk6xrop3ekq"))
+}
+
 func TestParseAndLoad(t *testing.T) {
 	actual, err := loadYAML(sampleYAML)
 	assert.NilError(t, err)
@@ -1586,3 +1600,67 @@ secrets:
 	}
 	assert.DeepEqual(t, config, expected, cmpopts.EquateEmpty())
 }
+
+func TestLoadSecretDriver(t *testing.T) {
+	config, err := loadYAML(`
+version: '3.8'
+services:
+  hello-world:
+    image: redis:alpine
+    secrets:
+      - secret
+    configs:
+      - config
+
+configs:
+  config:
+    name: config
+    external: true
+
+secrets:
+  secret:
+    name: secret
+    driver: secret-bucket
+    driver_opts:
+      OptionA: value for driver option A
+      OptionB: value for driver option B
+`)
+	assert.NilError(t, err)
+	expected := &types.Config{
+		Filename: "filename.yml",
+		Version:  "3.8",
+		Services: types.Services{
+			{
+				Name:  "hello-world",
+				Image: "redis:alpine",
+				Configs: []types.ServiceConfigObjConfig{
+					{
+						Source: "config",
+					},
+				},
+				Secrets: []types.ServiceSecretConfig{
+					{
+						Source: "secret",
+					},
+				},
+			},
+		},
+		Configs: map[string]types.ConfigObjConfig{
+			"config": {
+				Name:     "config",
+				External: types.External{External: true},
+			},
+		},
+		Secrets: map[string]types.SecretConfig{
+			"secret": {
+				Name:   "secret",
+				Driver: "secret-bucket",
+				DriverOpts: map[string]string{
+					"OptionA": "value for driver option A",
+					"OptionB": "value for driver option B",
+				},
+			},
+		},
+	}
+	assert.DeepEqual(t, config, expected, cmpopts.EquateEmpty())
+}

cli/compose/schema/bindata.go

@@ -510,45 +510,45 @@ bnBpPlHfjORjkTRf1wyAwiYqMXd9/G6313QfoXs6/sbZ66r6e179PwAA//8ZL3SpvkUAAA==
 
 	"/data/config_schema_v3.8.json": {
 		local:   "data/config_schema_v3.8.json",
-		size:    18006,
+		size:    18246,
 		modtime: 1518458244,
 		compressed: `
 H4sIAAAAAAAC/+xcS4/juBG++1cI2r1tPwbIIkjmlmNOyTkNj0BTZZvbFMktUp72DvzfAz1bokiRtuXu
-3qQHGEy3VHwU68GvHpofqyRJf9Z0DwVJvybp3hj19fHxNy3FffP0QeLuMUeyNfdffn1snv2U3lXjWF4N
-oVJs2S5r3mSHvzz87aEa3pCYo4KKSG5+A2qaZwi/lwyhGvyUHgA1kyJd362qdwqlAjQMdPo1qTaXJD1J
-92AwrTbIxC6tH5/qGZIk1YAHRgcz9Fv96fF1/see7M6edbDZ+rkixgCKf0/3Vr/+9kTu//jH/X++3P/9
-Ibtf//Lz6HV1vgjbZvkctkwww6To1097ylP706lfmOR5TUz4aO0t4RrGPAsw3yU+h3juyd6J53Z9B89j
-dg6Sl0VQgh3VOzHTLL+M/DRQBBNW2Ybq3TS2Wn4ZhhuvEWK4o3onhpvlr2N41THt3mP67eW++vdUzzk7
-XzPLYH81EyOf5zpOl8/xn2d/oJ6TzEFxeax37j6zhqAAYdL+mJIk3ZSM5/apSwH/qqZ4GjxMkh+2ex/M
-U78f/eZXiv69h5f+PZXCwIupmZpfujkCSZ8Bt4xD7AiCjaZ7jowzbTKJWc6ocY7nZAP8qhkooXvItiiL
-4CzbrOFEOyfqPHgk54bgDqJPVu+LTLM/Ruf6lDJhYAeY3vVj1ydr7GSysGHaNl39Wa8cE6aUqIzk+YgJ
-gkiO1Y6YgUK7+UvSUrDfS/hnS2KwBHveHKVafuIdylJlimBlhfNnn1JZFEQsZZrn8BFx8pNLYmTv7RrD
-V/1qo215uEkitNLhLgLuJuxwKk2XJdJY/3GuHSVJWrI8nnh3DnEh8/G+RVlsANPThHhipKPf1yvXG0v6
-hjABmAlSQFCPEXIQhhGeaQXUpzMOoc2JK4108ynCjmmDRyftyuOp4rzUkMscFIhcZ004dL4fT3PoY6NF
-fU4u5u6nZprqhqr2lloDMw0E6f7C8bIgTMRoCAiDRyVZ4xM/nLMDcch6bTv7GEAcGEpRdB4/DicMxr8o
-qeF6T9vf2i3jd72DWFsWs5VYkGqz3dpeK5lq3vAAhzxU+JrwjDPxvLyKw4tBku2lNpdAsXQPhJs93QN9
-nhk+pBqNltrEKDkryC5MJNj4LtlIyYGIMZGiwXm05MS0uZk5wosBbLqoKAfTyt2uIvXp7yQgigwlcmQH
-wFi8K9VrHOe69ENAIxj4jki/PTRx74yN1j9xPgXYrvvcfmJfibGX26tUCkIrpI2gdUij2jgkm8CRV9oJ
-sY71+xeFR+eHpVGiC+YugiDXB2TjtSwO1HZi54xo0NfFmQMvdPg1UidcY/86O9Yz1DtnfFQZmGqInjl3
-bmQdxtO3DHrVOCYY+4raQwwNTEk0bxKmvfqpV/jQLD6N3GxxRw26Tbg346Xigr0uB+IeoMoNZ3oP+Tlj
-UBpJJY8zDGdWK94YZkK/i5CeQnZgHHYWxy4Yg0DyTAp+jKDUhmAwYaKBlsjMMZPKLI4x3RmwV63vE2Dj
-DVm1g88syf9PlkQfNTWXYWttciYyqUAEbUMbqbIdEgqZAmTSeRQjB5uX2IQGk2k02wnCQ2ZmCrW9MKVg
-TNjYS84K5jcaZ5ooiNcarOaGaDPwLMplz0QI8wFCRGSwJ3jG1VEb5tZzP60iMdC4C6Ce767dyNpJfxb0
-srex9qIft1GVOhjE1TRCZxFXu6Oc/efw0CMZ1eTri/x4u1Kk77y1149GBOMSoWbagKDH+IU2bFJXOTfu
-iou6aiqy86di3LFJtK22nQ5vwoqQVCqPaK5ko79Sbs9Fh+H8wantOWfi2IIJVpRF+jX54otY40/mxtDe
-ygHNAHqf7/0u8bm62XOGc7p8mu/9GPdVnNmcYqVq5zoqhqTBLpX57o5Q5wXTZGMVo5x5W2EAD26AFUZo
-CAaZVR/qsOsQYoH+mFUUwwqQpbkUnhI05wNcu4dt0CjT1WPmVGhAaWvQU69CXdolqCYxeAREXtfBosAL
-guKMEh0CiFck+VFyviH0OWsbrhaq3SqChHPgTBcx6DbNgZPjRZrTFLQI4yVCRmhESaSVlWBG4uVLFuQl
-65atSQJ229gp5uBbE0R9z9j4srGM+y1DbZo0hFTtb2P3v2Cpu1Q5MfCpEp8qMczQ1bGBXkodnEmAZXoK
-VRlbr0gLKGS4c+TalP+kYUVXMMFXgPwoB+Cg3oEAZDQbaYPnypnS3qiKcr1mN9hDctaEmEuoN5Wi2UeM
-57nS1VV+pwLihTI6yrV+ZyKX38+HWQuctuKEggXNrj1obZAwYc7uVbCPRSFsAUFQmDXLac5oJm+0XEJe
-IZD8HUpGLm3rgGkF2DNhI1lXRvIStbniGweno5qLBKYDJiHlWO4Oefvl7JdvFVtSBAP9yq4eypAOzetP
-+txmw4IuPj0QXkZUTy7qN/FlHSIGn5yfXIVk2pEtENrF9H9FNSC1VJlUy1dAwk1G63D+nSlSLOWbo1uy
-Umeo8RG8brkRngT3jb3ucldu15vpkepTn8q6689qHS1ir2Est/86q2aXLV3pN2IMofuoTN2ZCZM3SHxO
-Ev1Ol9ZSfXq0Mzzan13/P56utl+jBr94rKnCH5BeoaER34h8APkvIdZRBaBQnBjIZuzzDbRgcmc7taCl
-+tSC/1EtsJqBBtowLUrNCSi6Y3k1rEH127DJHP9jhS9+827KV0K1Fm1lM8/5grfiwy8zOHnuy4IbAcwF
-2jDdMrVSO6u+6dL+4N7verrxk8/vKz7FcVI0/TFuvGk+nV+Pzsciab76GcCQdVTY7/oo32776T6O93Qi
-jmPjVfX3tPpvAAAA//+mJNa5VkYAAA==
+3qQDBDstFR/15FfFkn+skiT9WdM9FCT9mqR7Y9TXx8fftBT3zdMHibvHHMnW3H/59bF59lN6V41jeTWE
+SrFlu6x5kx3+8vC3h2p4Q2KOCioiufkNqGmeIfxeMoRq8FN6ANRMinR9t6reKZQK0DDQ6dek2lyS9CTd
+g8G02iATu7R+fKpnSJJUAx4YHczQb/Wnx9f5H3uyO3vWwWbr54oYAyj+Pd1b/frbE7n/4x/3//ly//eH
+7H79y8+j15V8EbbN8jlsmWCGSdGvn/aUp/Zfp35hkuc1MeGjtbeEaxjzLMB8l/gc4rkneyee2/UdPI/Z
+OUheFkENdlTvxEyz/DL600ARTNhkG6p3s9hq+WUYbqJGiOGO6p0Ybpa/juFVx7R7j+m3l/vqv6d6ztn5
+mlkG+6uZGMU8lzhdMccvz16gHknmoLg81jt3y6whKECYtBdTkqSbkvHclroU8K9qiqfBwyT5YYf3wTz1
++9FffqPo33t46d9TKQy8mJqp+aUbEUj6DLhlHGJHEGws3SMyzrTJJGY5o8Y5npMN8KtmoITuIduiLIKz
+bLOGE+2cqIvgkZwbgjuIlqzeF5lmf4zk+pQyYWAHmN71Y9cna+xksrBj2j5d/W+9ckyYUqIykucjJggi
+OVY7YgYK7eYvSUvBfi/hny2JwRLseXOUavmJdyhLlSmClRfOyz6lsiiIWMo1z+EjQvKTQ2Lk7+0aw1f9
+aqNtebhJIqzSES4C4SYccCpLlyXS2Phxrh8lSVqyPJ54dw5xIfPxvkVZbADT04R44qSjv9cr1xtL+4Yw
+AZgJUkDQjhFyEIYRnmkF1GczDqXNqas1wQjxpJEHQoqwY9rg0Um78sS0uHg2lEcOCkSusyZxOj/ipzn0
+WdSi0SkXcydZM011llV7S62BmQaCdH/heFkQJmJsCYTBo5KsiZ4fLiyCOGS9tZ0tBhAHhlIU3dkQhygG
+41+U1HB9TO7P95bxuz6UrG3PkliQarPd2l4vmVreUIBDHiokTnjGmXhe3sThxSDJ9lKbS0BbugfCzZ7u
+gT7PDB9SjUZLbWKMnBVkFyYSbHzqbKTkQMSYSNHgPFpyYtoqzhzhxVA3XVSVg2nlbleR+ux3kjpFJh05
+sgNgLDKW6jXjc8GDECQJpsgj0m8PTYY846P1vzifQnHXyW8/sY/E2MPtVSsFoRUmR9A6ZFFtxpJNgMsr
+7YRYx8b9ixKp8xPYKNUFqxxBOOyDvPFWFgd/O7VzRjTo6zLSQRQ6/BppE66xf50d6xnqnTM+/wxMNcTZ
+nDs3sg4j71umx2qcPYxjRR0hhg6mJJo3Sehe49QrfGgWn+Z4trqjBt0mMZyJUnFpYVctcQ9Q5YYzvYf8
+nDEojaSSxzmGs/4V7wwzSeJFSE8hOzAOO4tjF4xBIHkmBT9GUGpDMFha0UBLZOaYSWUWx5juWtmr1fel
+svGGrFuGz3rK/089RR81NZdha21yJjKpQAR9Qxupsh0SCpkCZNIpilGAzUtsUoPJNJrtBOEhNzOF2l5Y
+UjAm7OwlZwXzO42zoBTEaw1Wc0O0GXgWFbJnMoT5BCEiM9gTPOPoqB1z6zmfVpEYaNwvUM93125k7aQ/
+C3rZ21h70Y/bqUodTOJqGqGziKPdcfH954jQIx3V5OuL4ni7UmTsvHXUj0YE44KxZtqAoMf4hTZscgNz
+bt4Vl3XVVGTnL8W4c5NoX217It6EFSGpVB7VXMlGf6TcnosOw/mTUztyzuSxBROsKIv0a/LFl7HGS+bG
+0N6qAc0Ael/s/S7xuTrZc4Zztnya7xIZd2Cc2cZilWrnei+GpMF+lvk+kFCPBtNkY11GOeu2wgAe3AAr
+jNAQDDLrfqjDrkOIBfpj3qIYVoAszaXwlKA5H+Da3W6DlpruPmbOhAaUtgU99SbUlV2CZhKDR0Dk9T1Y
+FHhBUJxRokMA8YoiP0rON4Q+Z6/3skvc8iqChHPgTBcx6DbNgZPjRZbTXGgRxkuEjNCIK5FWV4IZiZcv
+WZCXrFu2Jgn4beOnmINvTRD1OWPjy8Yz7rcMtWnKEFK1f43D/4JX3aXKiYFPk/g0iWGFrs4N9FLm4CwC
+LNN9qMrY+4q0gEKGO0euLflPGlZ0BRN8F5AfRQAO6h0IQEazkTV4jpwp7Y1uUa637AZ7SM6aFHOhNqdm
+HzGR58pQV8WdCogXyuio0PqdiVx+Px9mLSBtxQkFC5pdK2htkDBhzu5VsMWiELaAICjMuuW0ZjRTN1qu
+IK8QSP4OV0Yua+uAaQXYM2EjWVdF8hKzueJrCGegmssEpgMmKeVY7w59+/Xs12+VW1IEA/3Krm7LkA3N
+20/63FbDgiE+PRBeRtyeXNRv4qs6RAw+OT/OCum0I1sgtYvp/4pqQGqpMqmWvwEJNxmtw/V3pkixVGyO
+bslKnanGR4i65UZ4Ctw3jrrLHbldb6ZHq099Keuul9U6WsVex1hu/3VVzb62dJXfiDGE7qMqdWcWTN6g
+8Dkp9DtDWkv1GdHOiGh/dvv/eLbafrca/Daypgp/anqFhUZ8I/IB9L+EWv/n3LLKVzkxkM2w8wa2PEEe
+TltuqT5teWlb/iBWYLU0DaxherU2p6DovuvV8Cat34ZN5viFDl8W6t2U7yLYWrTVzTznCwaRh19m0P7c
+9xE3gskLNJO6dWoVqFZ966j9AwP+0NONn/zcQMWnOE6ufn+M24eanwpYj+RjkTTfLg2i9jqqeOH6EQK7
+ean7MQBPP+U4w19V/z+t/hsAAP//Fd/bF0ZHAAA=
 `,
 	},
 

cli/compose/schema/data/config_schema_v3.8.json

@@ -125,6 +125,7 @@
         "credential_spec": {
           "type": "object",
           "properties": {
+            "config": {"type": "string"},
             "file": {"type": "string"},
             "registry": {"type": "string"}
           },
@@ -538,6 +539,13 @@
           }
         },
         "labels": {"$ref": "#/definitions/list_or_dict"},
+        "driver": {"type": "string"},
+        "driver_opts": {
+          "type": "object",
+          "patternProperties": {
+            "^.+$": {"type": ["string", "number"]}
+          }
+        },
         "template_driver": {"type": "string"}
       },
       "patternProperties": {"^x-": {}},

cli/compose/schema/schema_test.go

@@ -92,7 +92,7 @@ func TestValidateCredentialSpecs(t *testing.T) {
 		{version: "3.5", expectedErr: "config"},
 		{version: "3.6", expectedErr: "config"},
 		{version: "3.7", expectedErr: "config"},
-		{version: "3.8", expectedErr: "something"},
+		{version: "3.8"},
 	}
 
 	for _, tc := range tests {
@@ -104,7 +104,7 @@ func TestValidateCredentialSpecs(t *testing.T) {
 					"foo": dict{
 						"image": "busybox",
 						"credential_spec": dict{
-							tc.expectedErr: "foobar",
+							"config": "foobar",
 						},
 					},
 				},

cli/compose/types/types.go

@@ -500,8 +500,7 @@ func (e External) MarshalJSON() ([]byte, error) {
 
 // CredentialSpecConfig for credential spec on Windows
 type CredentialSpecConfig struct {
-	// @TODO Config is not yet in use
-	Config   string `yaml:"-" json:"-"` // Config was added in API v1.40
+	Config   string `yaml:",omitempty" json:"config,omitempty"` // Config was added in API v1.40
 	File     string `yaml:",omitempty" json:"file,omitempty"`
 	Registry string `yaml:",omitempty" json:"registry,omitempty"`
 }
@@ -513,6 +512,8 @@ type FileObjectConfig struct {
 	External       External               `yaml:",omitempty" json:"external,omitempty"`
 	Labels         Labels                 `yaml:",omitempty" json:"labels,omitempty"`
 	Extras         map[string]interface{} `yaml:",inline" json:"-"`
+	Driver         string                 `yaml:",omitempty" json:"driver,omitempty"`
+	DriverOpts     map[string]string      `mapstructure:"driver_opts" yaml:"driver_opts,omitempty" json:"driver_opts,omitempty"`
 	TemplateDriver string                 `mapstructure:"template_driver" yaml:"template_driver,omitempty" json:"template_driver,omitempty"`
 }
 

cli/context/docker/load.go

@@ -31,7 +31,7 @@ type Endpoint struct {
 }
 
 // WithTLSData loads TLS materials for the endpoint
-func WithTLSData(s store.Store, contextName string, m EndpointMeta) (Endpoint, error) {
+func WithTLSData(s store.Reader, contextName string, m EndpointMeta) (Endpoint, error) {
 	tlsData, err := context.LoadTLSData(s, contextName, DockerEndpoint)
 	if err != nil {
 		return Endpoint{}, err
@@ -91,8 +91,8 @@ func (c *Endpoint) tlsConfig() (*tls.Config, error) {
 }
 
 // ClientOpts returns a slice of Client options to configure an API client with this endpoint
-func (c *Endpoint) ClientOpts() ([]func(*client.Client) error, error) {
-	var result []func(*client.Client) error
+func (c *Endpoint) ClientOpts() ([]client.Opt, error) {
+	var result []client.Opt
 	if c.Host != "" {
 		helper, err := connhelper.GetConnectionHelper(c.Host)
 		if err != nil {
@@ -153,7 +153,7 @@ func withHTTPClient(tlsConfig *tls.Config) func(*client.Client) error {
 }
 
 // EndpointFromContext parses a context docker endpoint metadata into a typed EndpointMeta structure
-func EndpointFromContext(metadata store.ContextMetadata) (EndpointMeta, error) {
+func EndpointFromContext(metadata store.Metadata) (EndpointMeta, error) {
 	ep, ok := metadata.Endpoints[DockerEndpoint]
 	if !ok {
 		return EndpointMeta{}, errors.New("cannot find docker endpoint in context")

cli/context/kubernetes/endpoint_test.go

@@ -85,15 +85,15 @@ func TestSaveLoadContexts(t *testing.T) {
 	assert.NilError(t, save(store, epDefault, "embed-default-context"))
 	assert.NilError(t, save(store, epContext2, "embed-context2"))
 
-	rawNoTLSMeta, err := store.GetContextMetadata("raw-notls")
+	rawNoTLSMeta, err := store.GetMetadata("raw-notls")
 	assert.NilError(t, err)
-	rawNoTLSSkipMeta, err := store.GetContextMetadata("raw-notls-skip")
+	rawNoTLSSkipMeta, err := store.GetMetadata("raw-notls-skip")
 	assert.NilError(t, err)
-	rawTLSMeta, err := store.GetContextMetadata("raw-tls")
+	rawTLSMeta, err := store.GetMetadata("raw-tls")
 	assert.NilError(t, err)
-	embededDefaultMeta, err := store.GetContextMetadata("embed-default-context")
+	embededDefaultMeta, err := store.GetMetadata("embed-default-context")
 	assert.NilError(t, err)
-	embededContext2Meta, err := store.GetContextMetadata("embed-context2")
+	embededContext2Meta, err := store.GetMetadata("embed-context2")
 	assert.NilError(t, err)
 
 	rawNoTLS := EndpointFromContext(rawNoTLSMeta)
@@ -104,22 +104,22 @@ func TestSaveLoadContexts(t *testing.T) {
 
 	rawNoTLSEP, err := rawNoTLS.WithTLSData(store, "raw-notls")
 	assert.NilError(t, err)
-	checkClientConfig(t, store, rawNoTLSEP, "https://test", "test", nil, nil, nil, false)
+	checkClientConfig(t, rawNoTLSEP, "https://test", "test", nil, nil, nil, false)
 	rawNoTLSSkipEP, err := rawNoTLSSkip.WithTLSData(store, "raw-notls-skip")
 	assert.NilError(t, err)
-	checkClientConfig(t, store, rawNoTLSSkipEP, "https://test", "test", nil, nil, nil, true)
+	checkClientConfig(t, rawNoTLSSkipEP, "https://test", "test", nil, nil, nil, true)
 	rawTLSEP, err := rawTLS.WithTLSData(store, "raw-tls")
 	assert.NilError(t, err)
-	checkClientConfig(t, store, rawTLSEP, "https://test", "test", []byte("ca"), []byte("cert"), []byte("key"), true)
+	checkClientConfig(t, rawTLSEP, "https://test", "test", []byte("ca"), []byte("cert"), []byte("key"), true)
 	embededDefaultEP, err := embededDefault.WithTLSData(store, "embed-default-context")
 	assert.NilError(t, err)
-	checkClientConfig(t, store, embededDefaultEP, "https://server1", "namespace1", nil, []byte("cert"), []byte("key"), true)
+	checkClientConfig(t, embededDefaultEP, "https://server1", "namespace1", nil, []byte("cert"), []byte("key"), true)
 	embededContext2EP, err := embededContext2.WithTLSData(store, "embed-context2")
 	assert.NilError(t, err)
-	checkClientConfig(t, store, embededContext2EP, "https://server2", "namespace-override", []byte("ca"), []byte("cert"), []byte("key"), false)
+	checkClientConfig(t, embededContext2EP, "https://server2", "namespace-override", []byte("ca"), []byte("cert"), []byte("key"), false)
 }
 
-func checkClientConfig(t *testing.T, s store.Store, ep Endpoint, server, namespace string, ca, cert, key []byte, skipTLSVerify bool) {
+func checkClientConfig(t *testing.T, ep Endpoint, server, namespace string, ca, cert, key []byte, skipTLSVerify bool) {
 	config := ep.KubernetesConfig()
 	cfg, err := config.ClientConfig()
 	assert.NilError(t, err)
@@ -132,17 +132,17 @@ func checkClientConfig(t *testing.T, s store.Store, ep Endpoint, server, namespa
 	assert.Equal(t, skipTLSVerify, cfg.Insecure)
 }
 
-func save(s store.Store, ep Endpoint, name string) error {
-	meta := store.ContextMetadata{
+func save(s store.Writer, ep Endpoint, name string) error {
+	meta := store.Metadata{
 		Endpoints: map[string]interface{}{
 			KubernetesEndpoint: ep.EndpointMeta,
 		},
 		Name: name,
 	}
-	if err := s.CreateOrUpdateContext(meta); err != nil {
+	if err := s.CreateOrUpdate(meta); err != nil {
 		return err
 	}
-	return s.ResetContextEndpointTLSMaterial(name, KubernetesEndpoint, ep.TLSData.ToStoreTLSData())
+	return s.ResetEndpointTLSMaterial(name, KubernetesEndpoint, ep.TLSData.ToStoreTLSData())
 }
 
 func TestSaveLoadGKEConfig(t *testing.T) {
@@ -158,7 +158,7 @@ func TestSaveLoadGKEConfig(t *testing.T) {
 	ep, err := FromKubeConfig("testdata/gke-kubeconfig", "", "")
 	assert.NilError(t, err)
 	assert.NilError(t, save(store, ep, "gke-context"))
-	persistedMetadata, err := store.GetContextMetadata("gke-context")
+	persistedMetadata, err := store.GetMetadata("gke-context")
 	assert.NilError(t, err)
 	persistedEPMeta := EndpointFromContext(persistedMetadata)
 	assert.Check(t, persistedEPMeta != nil)
@@ -183,7 +183,7 @@ func TestSaveLoadEKSConfig(t *testing.T) {
 	ep, err := FromKubeConfig("testdata/eks-kubeconfig", "", "")
 	assert.NilError(t, err)
 	assert.NilError(t, save(store, ep, "eks-context"))
-	persistedMetadata, err := store.GetContextMetadata("eks-context")
+	persistedMetadata, err := store.GetMetadata("eks-context")
 	assert.NilError(t, err)
 	persistedEPMeta := EndpointFromContext(persistedMetadata)
 	assert.Check(t, persistedEPMeta != nil)

cli/context/kubernetes/load.go

@@ -25,7 +25,7 @@ type Endpoint struct {
 }
 
 // WithTLSData loads TLS materials for the endpoint
-func (c *EndpointMeta) WithTLSData(s store.Store, contextName string) (Endpoint, error) {
+func (c *EndpointMeta) WithTLSData(s store.Reader, contextName string) (Endpoint, error) {
 	tlsData, err := context.LoadTLSData(s, contextName, KubernetesEndpoint)
 	if err != nil {
 		return Endpoint{}, err
@@ -62,7 +62,7 @@ func (c *Endpoint) KubernetesConfig() clientcmd.ClientConfig {
 }
 
 // EndpointFromContext extracts kubernetes endpoint info from current context
-func EndpointFromContext(metadata store.ContextMetadata) *EndpointMeta {
+func EndpointFromContext(metadata store.Metadata) *EndpointMeta {
 	ep, ok := metadata.Endpoints[KubernetesEndpoint]
 	if !ok {
 		return nil
@@ -77,8 +77,8 @@ func EndpointFromContext(metadata store.ContextMetadata) *EndpointMeta {
 // ConfigFromContext resolves a kubernetes client config for the specified context.
 // If kubeconfigOverride is specified, use this config file instead of the context defaults.ConfigFromContext
 // if command.ContextDockerHost is specified as the context name, fallsback to the default user's kubeconfig file
-func ConfigFromContext(name string, s store.Store) (clientcmd.ClientConfig, error) {
-	ctxMeta, err := s.GetContextMetadata(name)
+func ConfigFromContext(name string, s store.Reader) (clientcmd.ClientConfig, error) {
+	ctxMeta, err := s.GetMetadata(name)
 	if err != nil {
 		return nil, err
 	}

cli/context/store/metadata_test.go

@@ -10,8 +10,8 @@ import (
 	"gotest.tools/assert/cmp"
 )
 
-func testMetadata(name string) ContextMetadata {
-	return ContextMetadata{
+func testMetadata(name string) Metadata {
+	return Metadata{
 		Endpoints: map[string]interface{}{
 			"ep1": endpoint{Foo: "bar"},
 		},
@@ -34,7 +34,7 @@ func TestMetadataCreateGetRemove(t *testing.T) {
 	assert.NilError(t, err)
 	defer os.RemoveAll(testDir)
 	testee := metadataStore{root: testDir, config: testCfg}
-	expected2 := ContextMetadata{
+	expected2 := Metadata{
 		Endpoints: map[string]interface{}{
 			"ep1": endpoint{Foo: "baz"},
 			"ep2": endpoint{Foo: "bee"},
@@ -82,7 +82,7 @@ func TestMetadataList(t *testing.T) {
 	assert.NilError(t, err)
 	defer os.RemoveAll(testDir)
 	testee := metadataStore{root: testDir, config: testCfg}
-	wholeData := []ContextMetadata{
+	wholeData := []Metadata{
 		testMetadata("context1"),
 		testMetadata("context2"),
 		testMetadata("context3"),
@@ -103,7 +103,7 @@ func TestEmptyConfig(t *testing.T) {
 	assert.NilError(t, err)
 	defer os.RemoveAll(testDir)
 	testee := metadataStore{root: testDir}
-	wholeData := []ContextMetadata{
+	wholeData := []Metadata{
 		testMetadata("context1"),
 		testMetadata("context2"),
 		testMetadata("context3"),
@@ -136,7 +136,7 @@ func TestWithEmbedding(t *testing.T) {
 			Val: "Hello",
 		},
 	}
-	assert.NilError(t, testee.createOrUpdate(ContextMetadata{Metadata: testCtxMeta, Name: "test"}))
+	assert.NilError(t, testee.createOrUpdate(Metadata{Metadata: testCtxMeta, Name: "test"}))
 	res, err := testee.get(contextdirOf("test"))
 	assert.NilError(t, err)
 	assert.Equal(t, testCtxMeta, res.Metadata)

cli/context/store/metadatastore.go

@@ -26,7 +26,7 @@ func (s *metadataStore) contextDir(id contextdir) string {
 	return filepath.Join(s.root, string(id))
 }
 
-func (s *metadataStore) createOrUpdate(meta ContextMetadata) error {
+func (s *metadataStore) createOrUpdate(meta Metadata) error {
 	contextDir := s.contextDir(contextdirOf(meta.Name))
 	if err := os.MkdirAll(contextDir, 0755); err != nil {
 		return err
@@ -56,26 +56,26 @@ func parseTypedOrMap(payload []byte, getter TypeGetter) (interface{}, error) {
 	return reflect.ValueOf(typed).Elem().Interface(), nil
 }
 
-func (s *metadataStore) get(id contextdir) (ContextMetadata, error) {
+func (s *metadataStore) get(id contextdir) (Metadata, error) {
 	contextDir := s.contextDir(id)
 	bytes, err := ioutil.ReadFile(filepath.Join(contextDir, metaFile))
 	if err != nil {
-		return ContextMetadata{}, convertContextDoesNotExist(err)
+		return Metadata{}, convertContextDoesNotExist(err)
 	}
 	var untyped untypedContextMetadata
-	r := ContextMetadata{
+	r := Metadata{
 		Endpoints: make(map[string]interface{}),
 	}
 	if err := json.Unmarshal(bytes, &untyped); err != nil {
-		return ContextMetadata{}, err
+		return Metadata{}, err
 	}
 	r.Name = untyped.Name
 	if r.Metadata, err = parseTypedOrMap(untyped.Metadata, s.config.contextType); err != nil {
-		return ContextMetadata{}, err
+		return Metadata{}, err
 	}
 	for k, v := range untyped.Endpoints {
 		if r.Endpoints[k], err = parseTypedOrMap(v, s.config.endpointTypes[k]); err != nil {
-			return ContextMetadata{}, err
+			return Metadata{}, err
 		}
 	}
 	return r, err
@@ -86,7 +86,7 @@ func (s *metadataStore) remove(id contextdir) error {
 	return os.RemoveAll(contextDir)
 }
 
-func (s *metadataStore) list() ([]ContextMetadata, error) {
+func (s *metadataStore) list() ([]Metadata, error) {
 	ctxDirs, err := listRecursivelyMetadataDirs(s.root)
 	if err != nil {
 		if os.IsNotExist(err) {
@@ -94,7 +94,7 @@ func (s *metadataStore) list() ([]ContextMetadata, error) {
 		}
 		return nil, err
 	}
-	var res []ContextMetadata
+	var res []Metadata
 	for _, dir := range ctxDirs {
 		c, err := s.get(contextdir(dir))
 		if err != nil {

cli/context/store/store.go

@@ -18,26 +18,58 @@ import (
 
 // Store provides a context store for easily remembering endpoints configuration
 type Store interface {
-	ListContexts() ([]ContextMetadata, error)
-	CreateOrUpdateContext(meta ContextMetadata) error
-	RemoveContext(name string) error
-	GetContextMetadata(name string) (ContextMetadata, error)
-	ResetContextTLSMaterial(name string, data *ContextTLSData) error
-	ResetContextEndpointTLSMaterial(contextName string, endpointName string, data *EndpointTLSData) error
-	ListContextTLSFiles(name string) (map[string]EndpointFiles, error)
-	GetContextTLSData(contextName, endpointName, fileName string) ([]byte, error)
-	GetContextStorageInfo(contextName string) ContextStorageInfo
+	Reader
+	Lister
+	Writer
+	StorageInfoProvider
 }
 
-// ContextMetadata contains metadata about a context and its endpoints
-type ContextMetadata struct {
+// Reader provides read-only (without list) access to context data
+type Reader interface {
+	GetMetadata(name string) (Metadata, error)
+	ListTLSFiles(name string) (map[string]EndpointFiles, error)
+	GetTLSData(contextName, endpointName, fileName string) ([]byte, error)
+}
+
+// Lister provides listing of contexts
+type Lister interface {
+	List() ([]Metadata, error)
+}
+
+// ReaderLister combines Reader and Lister interfaces
+type ReaderLister interface {
+	Reader
+	Lister
+}
+
+// StorageInfoProvider provides more information about storage details of contexts
+type StorageInfoProvider interface {
+	GetStorageInfo(contextName string) StorageInfo
+}
+
+// Writer provides write access to context data
+type Writer interface {
+	CreateOrUpdate(meta Metadata) error
+	Remove(name string) error
+	ResetTLSMaterial(name string, data *ContextTLSData) error
+	ResetEndpointTLSMaterial(contextName string, endpointName string, data *EndpointTLSData) error
+}
+
+// ReaderWriter combines Reader and Writer interfaces
+type ReaderWriter interface {
+	Reader
+	Writer
+}
+
+// Metadata contains metadata about a context and its endpoints
+type Metadata struct {
 	Name      string                 `json:",omitempty"`
 	Metadata  interface{}            `json:",omitempty"`
 	Endpoints map[string]interface{} `json:",omitempty"`
 }
 
-// ContextStorageInfo contains data about where a given context is stored
-type ContextStorageInfo struct {
+// StorageInfo contains data about where a given context is stored
+type StorageInfo struct {
 	MetadataPath string
 	TLSPath      string
 }
@@ -74,15 +106,15 @@ type store struct {
 	tls  *tlsStore
 }
 
-func (s *store) ListContexts() ([]ContextMetadata, error) {
+func (s *store) List() ([]Metadata, error) {
 	return s.meta.list()
 }
 
-func (s *store) CreateOrUpdateContext(meta ContextMetadata) error {
+func (s *store) CreateOrUpdate(meta Metadata) error {
 	return s.meta.createOrUpdate(meta)
 }
 
-func (s *store) RemoveContext(name string) error {
+func (s *store) Remove(name string) error {
 	id := contextdirOf(name)
 	if err := s.meta.remove(id); err != nil {
 		return patchErrContextName(err, name)
@@ -90,13 +122,13 @@ func (s *store) RemoveContext(name string) error {
 	return patchErrContextName(s.tls.removeAllContextData(id), name)
 }
 
-func (s *store) GetContextMetadata(name string) (ContextMetadata, error) {
+func (s *store) GetMetadata(name string) (Metadata, error) {
 	res, err := s.meta.get(contextdirOf(name))
 	patchErrContextName(err, name)
 	return res, err
 }
 
-func (s *store) ResetContextTLSMaterial(name string, data *ContextTLSData) error {
+func (s *store) ResetTLSMaterial(name string, data *ContextTLSData) error {
 	id := contextdirOf(name)
 	if err := s.tls.removeAllContextData(id); err != nil {
 		return patchErrContextName(err, name)
@@ -114,7 +146,7 @@ func (s *store) ResetContextTLSMaterial(name string, data *ContextTLSData) error
 	return nil
 }
 
-func (s *store) ResetContextEndpointTLSMaterial(contextName string, endpointName string, data *EndpointTLSData) error {
+func (s *store) ResetEndpointTLSMaterial(contextName string, endpointName string, data *EndpointTLSData) error {
 	id := contextdirOf(contextName)
 	if err := s.tls.removeAllEndpointData(id, endpointName); err != nil {
 		return patchErrContextName(err, contextName)
@@ -130,19 +162,19 @@ func (s *store) ResetContextEndpointTLSMaterial(contextName string, endpointName
 	return nil
 }
 
-func (s *store) ListContextTLSFiles(name string) (map[string]EndpointFiles, error) {
+func (s *store) ListTLSFiles(name string) (map[string]EndpointFiles, error) {
 	res, err := s.tls.listContextData(contextdirOf(name))
 	return res, patchErrContextName(err, name)
 }
 
-func (s *store) GetContextTLSData(contextName, endpointName, fileName string) ([]byte, error) {
+func (s *store) GetTLSData(contextName, endpointName, fileName string) ([]byte, error) {
 	res, err := s.tls.getData(contextdirOf(contextName), endpointName, fileName)
 	return res, patchErrContextName(err, contextName)
 }
 
-func (s *store) GetContextStorageInfo(contextName string) ContextStorageInfo {
+func (s *store) GetStorageInfo(contextName string) StorageInfo {
 	dir := contextdirOf(contextName)
-	return ContextStorageInfo{
+	return StorageInfo{
 		MetadataPath: s.meta.contextDir(dir),
 		TLSPath:      s.tls.contextDir(dir),
 	}
@@ -151,13 +183,13 @@ func (s *store) GetContextStorageInfo(contextName string) ContextStorageInfo {
 // Export exports an existing namespace into an opaque data stream
 // This stream is actually a tarball containing context metadata and TLS materials, but it does
 // not map 1:1 the layout of the context store (don't try to restore it manually without calling store.Import)
-func Export(name string, s Store) io.ReadCloser {
+func Export(name string, s Reader) io.ReadCloser {
 	reader, writer := io.Pipe()
 	go func() {
 		tw := tar.NewWriter(writer)
 		defer tw.Close()
 		defer writer.Close()
-		meta, err := s.GetContextMetadata(name)
+		meta, err := s.GetMetadata(name)
 		if err != nil {
 			writer.CloseWithError(err)
 			return
@@ -179,7 +211,7 @@ func Export(name string, s Store) io.ReadCloser {
 			writer.CloseWithError(err)
 			return
 		}
-		tlsFiles, err := s.ListContextTLSFiles(name)
+		tlsFiles, err := s.ListTLSFiles(name)
 		if err != nil {
 			writer.CloseWithError(err)
 			return
@@ -204,7 +236,7 @@ func Export(name string, s Store) io.ReadCloser {
 				return
 			}
 			for _, fileName := range endpointFiles {
-				data, err := s.GetContextTLSData(name, endpointName, fileName)
+				data, err := s.GetTLSData(name, endpointName, fileName)
 				if err != nil {
 					writer.CloseWithError(err)
 					return
@@ -228,7 +260,7 @@ func Export(name string, s Store) io.ReadCloser {
 }
 
 // Import imports an exported context into a store
-func Import(name string, s Store, reader io.Reader) error {
+func Import(name string, s Writer, reader io.Reader) error {
 	tr := tar.NewReader(reader)
 	tlsData := ContextTLSData{
 		Endpoints: map[string]EndpointTLSData{},
@@ -250,12 +282,12 @@ func Import(name string, s Store, reader io.Reader) error {
 			if err != nil {
 				return err
 			}
-			var meta ContextMetadata
+			var meta Metadata
 			if err := json.Unmarshal(data, &meta); err != nil {
 				return err
 			}
 			meta.Name = name
-			if err := s.CreateOrUpdateContext(meta); err != nil {
+			if err := s.CreateOrUpdate(meta); err != nil {
 				return err
 			}
 		} else if strings.HasPrefix(hdr.Name, "tls/") {
@@ -278,7 +310,7 @@ func Import(name string, s Store, reader io.Reader) error {
 			tlsData.Endpoints[endpointName].Files[fileName] = data
 		}
 	}
-	return s.ResetContextTLSMaterial(name, &tlsData)
+	return s.ResetTLSMaterial(name, &tlsData)
 }
 
 type setContextName interface {

cli/context/store/store_test.go

@@ -27,8 +27,8 @@ func TestExportImport(t *testing.T) {
 	assert.NilError(t, err)
 	defer os.RemoveAll(testDir)
 	s := New(testDir, testCfg)
-	err = s.CreateOrUpdateContext(
-		ContextMetadata{
+	err = s.CreateOrUpdate(
+		Metadata{
 			Endpoints: map[string]interface{}{
 				"ep1": endpoint{Foo: "bar"},
 			},
@@ -40,7 +40,7 @@ func TestExportImport(t *testing.T) {
 	rand.Read(file1)
 	file2 := make([]byte, 3700)
 	rand.Read(file2)
-	err = s.ResetContextEndpointTLSMaterial("source", "ep1", &EndpointTLSData{
+	err = s.ResetEndpointTLSMaterial("source", "ep1", &EndpointTLSData{
 		Files: map[string][]byte{
 			"file1": file1,
 			"file2": file2,
@@ -51,30 +51,30 @@ func TestExportImport(t *testing.T) {
 	defer r.Close()
 	err = Import("dest", s, r)
 	assert.NilError(t, err)
-	srcMeta, err := s.GetContextMetadata("source")
+	srcMeta, err := s.GetMetadata("source")
 	assert.NilError(t, err)
-	destMeta, err := s.GetContextMetadata("dest")
+	destMeta, err := s.GetMetadata("dest")
 	assert.NilError(t, err)
 	assert.DeepEqual(t, destMeta.Metadata, srcMeta.Metadata)
 	assert.DeepEqual(t, destMeta.Endpoints, srcMeta.Endpoints)
-	srcFileList, err := s.ListContextTLSFiles("source")
+	srcFileList, err := s.ListTLSFiles("source")
 	assert.NilError(t, err)
-	destFileList, err := s.ListContextTLSFiles("dest")
+	destFileList, err := s.ListTLSFiles("dest")
 	assert.NilError(t, err)
 	assert.Equal(t, 1, len(destFileList))
 	assert.Equal(t, 1, len(srcFileList))
 	assert.Equal(t, 2, len(destFileList["ep1"]))
 	assert.Equal(t, 2, len(srcFileList["ep1"]))
-	srcData1, err := s.GetContextTLSData("source", "ep1", "file1")
+	srcData1, err := s.GetTLSData("source", "ep1", "file1")
 	assert.NilError(t, err)
 	assert.DeepEqual(t, file1, srcData1)
-	srcData2, err := s.GetContextTLSData("source", "ep1", "file2")
+	srcData2, err := s.GetTLSData("source", "ep1", "file2")
 	assert.NilError(t, err)
 	assert.DeepEqual(t, file2, srcData2)
-	destData1, err := s.GetContextTLSData("dest", "ep1", "file1")
+	destData1, err := s.GetTLSData("dest", "ep1", "file1")
 	assert.NilError(t, err)
 	assert.DeepEqual(t, file1, destData1)
-	destData2, err := s.GetContextTLSData("dest", "ep1", "file2")
+	destData2, err := s.GetTLSData("dest", "ep1", "file2")
 	assert.NilError(t, err)
 	assert.DeepEqual(t, file2, destData2)
 }
@@ -84,8 +84,8 @@ func TestRemove(t *testing.T) {
 	assert.NilError(t, err)
 	defer os.RemoveAll(testDir)
 	s := New(testDir, testCfg)
-	err = s.CreateOrUpdateContext(
-		ContextMetadata{
+	err = s.CreateOrUpdate(
+		Metadata{
 			Endpoints: map[string]interface{}{
 				"ep1": endpoint{Foo: "bar"},
 			},
@@ -93,15 +93,15 @@ func TestRemove(t *testing.T) {
 			Name:     "source",
 		})
 	assert.NilError(t, err)
-	assert.NilError(t, s.ResetContextEndpointTLSMaterial("source", "ep1", &EndpointTLSData{
+	assert.NilError(t, s.ResetEndpointTLSMaterial("source", "ep1", &EndpointTLSData{
 		Files: map[string][]byte{
 			"file1": []byte("test-data"),
 		},
 	}))
-	assert.NilError(t, s.RemoveContext("source"))
-	_, err = s.GetContextMetadata("source")
+	assert.NilError(t, s.Remove("source"))
+	_, err = s.GetMetadata("source")
 	assert.Check(t, IsErrContextDoesNotExist(err))
-	f, err := s.ListContextTLSFiles("source")
+	f, err := s.ListTLSFiles("source")
 	assert.NilError(t, err)
 	assert.Equal(t, 0, len(f))
 }
@@ -111,7 +111,7 @@ func TestListEmptyStore(t *testing.T) {
 	assert.NilError(t, err)
 	defer os.RemoveAll(testDir)
 	store := New(testDir, testCfg)
-	result, err := store.ListContexts()
+	result, err := store.List()
 	assert.NilError(t, err)
 	assert.Check(t, len(result) == 0)
 }
@@ -121,7 +121,7 @@ func TestErrHasCorrectContext(t *testing.T) {
 	assert.NilError(t, err)
 	defer os.RemoveAll(testDir)
 	store := New(testDir, testCfg)
-	_, err = store.GetContextMetadata("no-exists")
+	_, err = store.GetMetadata("no-exists")
 	assert.ErrorContains(t, err, "no-exists")
 	assert.Check(t, IsErrContextDoesNotExist(err))
 }

cli/context/tlsdata.go

@@ -42,15 +42,15 @@ func (data *TLSData) ToStoreTLSData() *store.EndpointTLSData {
 }
 
 // LoadTLSData loads TLS data from the store
-func LoadTLSData(s store.Store, contextName, endpointName string) (*TLSData, error) {
-	tlsFiles, err := s.ListContextTLSFiles(contextName)
+func LoadTLSData(s store.Reader, contextName, endpointName string) (*TLSData, error) {
+	tlsFiles, err := s.ListTLSFiles(contextName)
 	if err != nil {
 		return nil, errors.Wrapf(err, "failed to retrieve context tls files for context %q", contextName)
 	}
 	if epTLSFiles, ok := tlsFiles[endpointName]; ok {
 		var tlsData TLSData
 		for _, f := range epTLSFiles {
-			data, err := s.GetContextTLSData(contextName, endpointName, f)
+			data, err := s.GetTLSData(contextName, endpointName, f)
 			if err != nil {
 				return nil, errors.Wrapf(err, "failed to retrieve context tls data for file %q of context %q", f, contextName)
 			}

contrib/completion/bash/docker

@@ -2863,7 +2863,6 @@ _docker_image_build() {
 	"
 
 	local boolean_options="
-		--compress
 		--disable-content-trust=false
 		--force-rm
 		--help
@@ -2872,16 +2871,35 @@ _docker_image_build() {
 		--quiet -q
 		--rm
 	"
+
 	if __docker_server_is_experimental ; then
 		options_with_args+="
 			--platform
 		"
 		boolean_options+="
 			--squash
-			--stream
 		"
 	fi
 
+	if [ "$DOCKER_BUILDKIT" = "1" ] ; then
+		options_with_args+="
+			--output -o
+			--platform
+			--progress
+			--secret
+			--ssh
+		"
+	else
+		boolean_options+="
+			--compress
+		"
+		if __docker_server_is_experimental ; then
+			boolean_options+="
+				--stream
+			"
+		fi
+	fi
+
 	local all_options="$options_with_args $boolean_options"
 
 	case "$prev" in
@@ -2926,6 +2944,10 @@ _docker_image_build() {
 			esac
 			return
 			;;
+		--progress)
+			COMPREPLY=( $( compgen -W "auto plain tty" -- "$cur" ) )
+			return
+			;;
 		--tag|-t)
 			__docker_complete_images --repo --tag
 			return

dockerfiles/Dockerfile.binary-native

@@ -1,4 +1,4 @@
-FROM    golang:1.12.1-alpine
+FROM    golang:1.12.4-alpine
 
 RUN     apk add -U git bash coreutils gcc musl-dev
 

dockerfiles/Dockerfile.cross

@@ -1,4 +1,4 @@
-FROM	dockercore/golang-cross:1.12.1@sha256:8541e3aea7b2cffb7ac310af250e34551abe2ec180c77d5a81ae3d52a47ac779
+FROM	dockercore/golang-cross:1.12.4
 ENV     DISABLE_WARN_OUTSIDE_CONTAINER=1
 WORKDIR /go/src/github.com/docker/cli
 COPY    . .

dockerfiles/Dockerfile.dev

@@ -1,4 +1,4 @@
-FROM    golang:1.12.1-alpine
+FROM    golang:1.12.4-alpine
 
 RUN     apk add -U git make bash coreutils ca-certificates curl
 
@@ -16,7 +16,7 @@ RUN     go get -d github.com/mjibson/esc && \
         go build -v -o /usr/bin/esc . && \
         rm -rf /go/src/* /go/pkg/* /go/bin/*
 
-ARG     GOTESTSUM_VERSION=0.3.2
+ARG     GOTESTSUM_VERSION=0.3.4
 RUN     curl -Ls https://github.com/gotestyourself/gotestsum/releases/download/v${GOTESTSUM_VERSION}/gotestsum_${GOTESTSUM_VERSION}_linux_amd64.tar.gz -o gotestsum.tar.gz && \
         tar -xf gotestsum.tar.gz gotestsum -C /usr/bin && \
         rm gotestsum.tar.gz

dockerfiles/Dockerfile.e2e

@@ -1,4 +1,4 @@
-ARG GO_VERSION=1.12.1
+ARG GO_VERSION=1.12.4
 
 FROM docker/containerd-shim-process:a4d1531 AS containerd-shim-process
 
@@ -24,7 +24,7 @@ ARG NOTARY_VERSION=v0.6.1
 RUN curl -Ls https://github.com/theupdateframework/notary/releases/download/${NOTARY_VERSION}/notary-Linux-amd64 -o /usr/local/bin/notary \
     && chmod +x /usr/local/bin/notary
 
-ARG GOTESTSUM_VERSION=0.3.2
+ARG GOTESTSUM_VERSION=0.3.4
 RUN curl -Ls https://github.com/gotestyourself/gotestsum/releases/download/v${GOTESTSUM_VERSION}/gotestsum_${GOTESTSUM_VERSION}_linux_amd64.tar.gz -o gotestsum.tar.gz \
     && tar -xf gotestsum.tar.gz gotestsum \
     && mv gotestsum /usr/local/bin/gotestsum \

dockerfiles/Dockerfile.lint

@@ -1,4 +1,4 @@
-FROM    golang:1.12.1-alpine
+FROM    golang:1.12.4-alpine
 
 RUN     apk add -U git
 

docs/reference/commandline/context_create.md

@@ -23,7 +23,7 @@ Create a context
 Docker endpoint config:
 
 NAME                DESCRIPTION
-from-current        Copy current Docker endpoint configuration
+from                Copy Docker endpoint configuration from an existing context
 host                Docker endpoint on which to connect
 ca                  Trust certs signed only by this CA
 cert                Path to TLS certificate file
@@ -33,14 +33,16 @@ skip-tls-verify     Skip TLS certificate validation
 Kubernetes endpoint config:
 
 NAME                 DESCRIPTION
-from-current         Copy current Kubernetes endpoint configuration
+from                 Copy Kubernetes endpoint configuration from an existing context
 config-file          Path to a Kubernetes config file
 context-override     Overrides the context set in the kubernetes config file
 namespace-override   Overrides the namespace set in the kubernetes config file
 
 Example:
 
-$ docker context create my-context --description "some description" --docker "host=tcp://myserver:2376,ca=~/ca-file,cert=~/cert-file,key=~/key-file"
+$ docker context create my-context \
+      --description "some description" \
+      --docker "host=tcp://myserver:2376,ca=~/ca-file,cert=~/cert-file,key=~/key-file"
 
 Options:
       --default-stack-orchestrator string   Default orchestrator for
@@ -52,24 +54,68 @@ Options:
                                             (default [])
       --kubernetes stringToString           set the kubernetes endpoint
                                             (default [])
+      --from string                         Create the context from an existing context
 ```
 
 ## Description
 
-Creates a new `context`. This will allow you to quickly switch the cli configuration to connect to different clusters or single nodes.
+Creates a new `context`. This allows you to quickly switch the cli
+configuration to connect to different clusters or single nodes.
 
-To create a `context` out of an existing `DOCKER_HOST` based script, you can use the `from-current` config key:
+To create a context from scratch provide the docker and, if required,
+kubernetes options. The example below creates the context `my-context`
+with a docker endpoint of `/var/run/docker.sock` and a kubernetes configuration
+sourced from the file `/home/me/my-kube-config`:
+
+```bash
+$ docker context create my-context \
+      --docker host=/var/run/docker.sock \
+      --kubernetes config-file=/home/me/my-kube-config
+```
+
+Use the `--from=<context-name>` option to create a new context from
+an existing context. The example below creates a new context named `my-context`
+from the existing context `existing-context`:
+
+```bash
+$ docker context create my-context --from existing-context
+```
+
+If the `--from` option is not set, the `context` is created from the current context:
+
+```bash
+$ docker context create my-context
+```
+
+This can be used to create a context out of an existing `DOCKER_HOST` based script:
 
 ```bash
 $ source my-setup-script.sh
-$ docker context create my-context --docker "from-current=true"
+$ docker context create my-context
 ```
 
-Similarly, to reference the currently active Kubernetes configuration, you can use `--kubernetes "from-current=true"`:
+To source only the `docker` endpoint configuration from an existing context
+use the `--docker from=<context-name>` option. The example below creates a
+new context named `my-context` using the docker endpoint configuration from
+the existing context `existing-context` and a kubernetes configuration sourced
+from the file `/home/me/my-kube-config`:
 
 ```bash
-$ export KUBECONFIG=/path/to/my/kubeconfig
-$ docker context create my-context --kubernetes "from-current=true" --docker "host=/var/run/docker.sock"
+$ docker context create my-context \
+      --docker from=existing-context \
+      --kubernetes config-file=/home/me/my-kube-config
 ```
 
-Docker and Kubernetes endpoints configurations, as well as default stack orchestrator and description can be modified with `docker context update`
+To source only the `kubernetes` configuration from an existing context use the
+`--kubernetes from=<context-name>` option. The example below creates a new
+context named `my-context` using the kuberentes configuration from the existing
+context `existing-context` and a docker endpoint of `/var/run/docker.sock`:
+
+```bash
+$ docker context create my-context \
+      --docker host=/var/run/docker.sock \
+      --kubernetes from=existing-context
+```
+
+Docker and Kubernetes endpoints configurations, as well as default stack
+orchestrator and description can be modified with `docker context update`

docs/reference/commandline/context_update.md

@@ -23,7 +23,7 @@ Update a context
 Docker endpoint config:
 
 NAME                DESCRIPTION
-from-current        Copy current Docker endpoint configuration
+from                Copy Docker endpoint configuration from an existing context
 host                Docker endpoint on which to connect
 ca                  Trust certs signed only by this CA
 cert                Path to TLS certificate file
@@ -33,7 +33,7 @@ skip-tls-verify     Skip TLS certificate validation
 Kubernetes endpoint config:
 
 NAME                 DESCRIPTION
-from-current         Copy current Kubernetes endpoint configuration
+from                 Copy Kubernetes endpoint configuration from an existing context
 config-file          Path to a Kubernetes config file
 context-override     Overrides the context set in the kubernetes config file
 namespace-override   Overrides the namespace set in the kubernetes config file

internal/test/cli.go

@@ -233,7 +233,7 @@ func (c *FakeCli) StackOrchestrator(flagValue string) (command.Orchestrator, err
 	}
 	ctxOrchestrator := ""
 	if c.currentContext != "" && c.contextStore != nil {
-		meta, err := c.contextStore.GetContextMetadata(c.currentContext)
+		meta, err := c.contextStore.GetMetadata(c.currentContext)
 		if err != nil {
 			return "", err
 		}

vendor.conf

@@ -1,104 +1,102 @@
-cloud.google.com/go 0ebda48a7f143b1cce9eb37a8c1106ac762a3430 # v0.34.0
-github.com/agl/ed25519 5312a61534124124185d41f09206b9fef1d88403
-github.com/asaskevich/govalidator f9ffefc3facfbe0caee3fea233cbb6e8208f4541
-github.com/Azure/go-ansiterm d6e3b3328b783f23731bc4d058875b0371ff8109
-github.com/beorn7/perks 3a771d992973f24aa725d07868b467d1ddfceafb
-github.com/containerd/console c12b1e7919c14469339a5d38f2f8ed9b64a9de23
-github.com/containerd/containerd ceba56893a76f22cf0126c46d835c80fb3833408
-github.com/containerd/continuity bd77b46c8352f74eb12c85bdc01f4b90f69d66b4
-github.com/containerd/fifo 3d5202aec260678c48179c56f40e6f38a095738c
-github.com/containerd/typeurl a93fcdb778cd272c6e9b3028b2f42d813e785d40
-github.com/coreos/etcd v3.3.9
-github.com/cpuguy83/go-md2man v1.0.8
-github.com/davecgh/go-spew 346938d642f2ec3594ed81d874461961cd0faa76 # v1.1.0
-github.com/dgrijalva/jwt-go a2c85815a77d0f951e33ba4db5ae93629a1530af
-github.com/docker/distribution 0d3efadf0154c2b8a4e7b6621fff9809655cc580
-github.com/docker/docker dbe4a30928d418e0570891a09703bcbc0e4997a1
-github.com/docker/compose-on-kubernetes v0.4.21
-github.com/docker/docker-credential-helpers 5241b46610f2491efdf9d1c85f1ddf5b02f6d962
-# the docker/go package contains a customized version of canonical/json
-# and is used by Notary. The package is periodically rebased on current Go versions.
-github.com/docker/go d30aec9fd63c35133f8f79c3412ad91a3b08be06
-github.com/docker/go-connections 7395e3f8aa162843a74ed6d48e79627d9792ac55 # v0.4.0
-github.com/docker/go-events 9461782956ad83b30282bf90e31fa6a70c255ba9
-github.com/docker/go-metrics d466d4f6fd960e01820085bd7e1a24426ee7ef18
-github.com/docker/go-units 47565b4f722fb6ceae66b95f853feed578a4a51c # v0.3.3
-github.com/docker/libtrust 9cbd2a1374f46905c68a4eb3694a130610adc62a
-github.com/docker/licensing 9781369abdb5281cdc07a2a446c6df01347ec793
-github.com/docker/swarmkit 18e7e58ea1a5ec016625a636d0d52500eea123bc
-github.com/evanphx/json-patch v4.1.0
-github.com/flynn-archive/go-shlex 3f9db97f856818214da2e1057f8ad84803971cff
-github.com/gogo/googleapis 08a7655d27152912db7aaf4f983275eaf8d128ef
-github.com/gogo/protobuf v1.2.0
-github.com/golang/glog 23def4e6c14b4da8ac2ed8007337bc5eb5007998
-github.com/golang/protobuf v1.2.0
-github.com/google/go-cmp v0.2.0
-github.com/google/gofuzz 24818f796faf91cd76ec7bddd72458fbced7a6c1
-github.com/google/shlex 6f45313302b9c56850fc17f99e40caebce98c716
-github.com/google/uuid v1.1.1
-github.com/googleapis/gnostic 7c663266750e7d82587642f65e60bc4083f1f84e # v0.2.0
-github.com/gorilla/mux v1.7.0
-github.com/grpc-ecosystem/grpc-gateway 1a03ca3bad1e1ebadaedd3abb76bc58d4ac8143b
-github.com/grpc-ecosystem/grpc-opentracing 8e809c8a86450a29b90dcc9efbf062d0fe6d9746
-github.com/hashicorp/golang-lru 0fb14efe8c47ae851c0034ed7a448854d3d34cf3
-github.com/hashicorp/go-version 23480c0
-github.com/imdario/mergo 7c29201646fa3de8506f701213473dd407f19646 # v0.3.7
-github.com/inconshreveable/mousetrap 76626ae9c91c4f2a10f34cad8ce83ea42c93bb75 # v1.0
-github.com/json-iterator/go 0ff49de124c6f76f8494e194af75bde0f1a49a29 # 1.1.6
-github.com/mattn/go-shellwords a72fbe27a1b0ed0df2f02754945044ce1456608b # v1.0.5
-github.com/matttproud/golang_protobuf_extensions v1.0.1
-github.com/Microsoft/hcsshim ba3d6667710fa905116f39a19d059c4c1016be7c
-github.com/Microsoft/go-winio c599b533b43b1363d7d7c6cfda5ede70ed73ff13
-github.com/miekg/pkcs11 6120d95c0e9576ccf4a78ba40855809dca31a9ed
-github.com/mitchellh/mapstructure f15292f7a699fcc1a38a80977f80a046874ba8ac
-github.com/moby/buildkit 62e5542790fe1d1cf9ca6302d5a8b988df99159a
-github.com/modern-go/concurrent bacd9c7ef1dd9b15be4a9909b8ac7a4e313eec94 # 1.0.3
-github.com/modern-go/reflect2 4b7aa43c6742a2c18fdef89dd197aaae7dac7ccd # 1.0.1
-github.com/morikuni/aec 39771216ff4c63d11f5e604076f9c45e8be1067b
-github.com/opencontainers/go-digest v1.0.0-rc1
-github.com/opencontainers/image-spec v1.0.1
-github.com/opencontainers/runc 2b18fe1d885ee5083ef9f0838fee39b62d653e30
-github.com/opencontainers/runtime-spec 29686dbc5559d93fb1ef402eeda3e35c38d75af4 # v1.0.1-59-g29686db
-github.com/opentracing/opentracing-go 1361b9cd60be79c4c3a7fa9841b3c132e40066a7
-github.com/pkg/errors ba968bfe8b2f7e042a574c888954fccecfa385b4 # v0.8.1
-github.com/prometheus/client_golang c5b7fccd204277076155f10851dad72b76a49317 # v0.8.0
-github.com/prometheus/client_model 6f3806018612930941127f2a7c6c453ba2c527d2
-github.com/prometheus/common 7600349dcfe1abd18d72d3a1770870d9800a7801
-github.com/prometheus/procfs 7d6f385de8bea29190f15ba9931442a0eaef9af7
-github.com/russross/blackfriday 1d6b8e9301e720b08a8938b8c25c018285885438
-github.com/shurcooL/sanitized_anchor_name 10ef21a441db47d8b13ebcc5fd2310f636973c77
-github.com/sirupsen/logrus 8bdbc7bcc01dcbb8ec23dc8a28e332258d25251f # v1.4.1
-github.com/spf13/cobra v0.0.3
-# temporary fork with https://github.com/spf13/pflag/pull/170 applied, which isn't merged yet upstream
-github.com/spf13/pflag 4cb166e4f25ac4e8016a3595bbf7ea2e9aa85a2c https://github.com/thaJeztah/pflag.git
-github.com/syndtr/gocapability 2c00daeb6c3b45114c80ac44119e7b8801fdd852
-github.com/theupdateframework/notary v0.6.1
-github.com/tonistiigi/fsutil 3bbb99cdbd76619ab717299830c60f6f2a533a6b
-github.com/jaguilar/vt100 ad4c4a5743050fb7f88ce968dca9422f72a0e3f2 git://github.com/tonistiigi/vt100.git
-github.com/gofrs/flock 7f43ea2e6a643ad441fc12d0ecc0d3388b300c53 # v0.7.0
-github.com/tonistiigi/units 6950e57a87eaf136bbe44ef2ec8e75b9e3569de2
-github.com/xeipuuv/gojsonpointer 4e3ac2762d5f479393488629ee9370b50873b3a6
-github.com/xeipuuv/gojsonreference bd5ef7bd5415a7ac448318e64f11a24cd21e594b
-github.com/xeipuuv/gojsonschema 93e72a773fade158921402d6a24c819b48aba29d
-golang.org/x/crypto b7391e95e576cacdcdd422573063bc057239113d
-golang.org/x/net a680a1efc54dd51c040b3b5ce4939ea3cf2ea0d1
-golang.org/x/oauth2 ef147856a6ddbb60760db74283d2424e98c87bff
-golang.org/x/sync 42b317875d0fa942474b76e1b46a6060d720ae6e
-golang.org/x/sys d455e41777fca6e8a5a79e34a14b8368bc11d9ba
-golang.org/x/text f21a4dfb5e38f5895301dc265a8def02365cc3d0 # v0.3.0
-golang.org/x/time fbb02b2291d28baffd63558aa44b4b56f178d650
-google.golang.org/genproto 02b4e95473316948020af0b7a4f0f22c73929b0e
-google.golang.org/grpc v1.12.0
-gopkg.in/inf.v0 d2d2541c53f18d2a059457998ce2876cc8e67cbf # v0.9.1
-gopkg.in/yaml.v2 5420a8b6744d3b0345ab293f6fcba19c978f1183 # v2.2.1
-gotest.tools v2.2.0
-k8s.io/api kubernetes-1.14.0
-k8s.io/apimachinery kubernetes-1.14.0
-k8s.io/client-go kubernetes-1.14.0
-k8s.io/klog v0.2.0
-k8s.io/kube-openapi 5e45bb682580c9be5ffa4d27d367f0eeba125c7b
-k8s.io/kubernetes v1.14.0
-k8s.io/utils 21c4ce38f2a793ec01e925ddc31216500183b773
-vbom.ml/util 256737ac55c46798123f754ab7d2c784e2c71783
-sigs.k8s.io/yaml v1.1.0
-github.com/konsorten/go-windows-terminal-sequences v1.0.1
+cloud.google.com/go                                 0ebda48a7f143b1cce9eb37a8c1106ac762a3430 # v0.34.0
+github.com/agl/ed25519                              5312a61534124124185d41f09206b9fef1d88403
+github.com/asaskevich/govalidator                   f9ffefc3facfbe0caee3fea233cbb6e8208f4541
+github.com/Azure/go-ansiterm                        d6e3b3328b783f23731bc4d058875b0371ff8109
+github.com/beorn7/perks                             e7f67b54abbeac9c40a31de0f81159e4cafebd6a
+github.com/containerd/console                       c12b1e7919c14469339a5d38f2f8ed9b64a9de23
+github.com/containerd/containerd                    ceba56893a76f22cf0126c46d835c80fb3833408
+github.com/containerd/continuity                    004b46473808b3e7a4a3049c20e4376c91eb966d
+github.com/containerd/fifo                          a9fb20d87448d386e6d50b1f2e1fa70dcf0de43c
+github.com/containerd/typeurl                       2a93cfde8c20b23de8eb84a5adbc234ddf7a9e8d
+github.com/coreos/etcd                              fca8add78a9d926166eb739b8e4a124434025ba3 # v3.3.9
+github.com/cpuguy83/go-md2man                       20f5889cbdc3c73dbd2862796665e7c465ade7d1 # v1.0.8
+github.com/davecgh/go-spew                          8991bc29aa16c548c550c7ff78260e27b9ab7c73 # v1.1.1
+github.com/dgrijalva/jwt-go                         a2c85815a77d0f951e33ba4db5ae93629a1530af
+github.com/docker/compose-on-kubernetes             7a68f5c914c7e06d7a08dc71608f41811c91f0bc # v0.4.21
+github.com/docker/distribution                      0d3efadf0154c2b8a4e7b6621fff9809655cc580
+github.com/docker/docker                            92a6266c9d4f1bacbfb68d1c6b9c94f673d6cfde
+github.com/docker/docker-credential-helpers         5241b46610f2491efdf9d1c85f1ddf5b02f6d962
+github.com/docker/go                                d30aec9fd63c35133f8f79c3412ad91a3b08be06 # Contains a customized version of canonical/json and is used by Notary. The package is periodically rebased on current Go versions.
+github.com/docker/go-connections                    7395e3f8aa162843a74ed6d48e79627d9792ac55 # v0.4.0
+github.com/docker/go-events                         9461782956ad83b30282bf90e31fa6a70c255ba9
+github.com/docker/go-metrics                        d466d4f6fd960e01820085bd7e1a24426ee7ef18
+github.com/docker/go-units                          47565b4f722fb6ceae66b95f853feed578a4a51c # v0.3.3
+github.com/docker/libtrust                          9cbd2a1374f46905c68a4eb3694a130610adc62a
+github.com/docker/licensing                         9781369abdb5281cdc07a2a446c6df01347ec793
+github.com/docker/swarmkit                          59163bf75df38489d4a10392265d27156dc473c5
+github.com/evanphx/json-patch                       72bf35d0ff611848c1dc9df0f976c81192392fa5 # v4.1.0
+github.com/gofrs/flock                              7f43ea2e6a643ad441fc12d0ecc0d3388b300c53 # v0.7.0
+github.com/gogo/googleapis                          08a7655d27152912db7aaf4f983275eaf8d128ef
+github.com/gogo/protobuf                            4cbf7e384e768b4e01799441fdf2a706a5635ae7 # v1.2.0
+github.com/golang/glog                              23def4e6c14b4da8ac2ed8007337bc5eb5007998
+github.com/golang/protobuf                          aa810b61a9c79d51363740d207bb46cf8e620ed5 # v1.2.0
+github.com/google/go-cmp                            3af367b6b30c263d47e8895973edcca9a49cf029 # v0.2.0
+github.com/google/gofuzz                            24818f796faf91cd76ec7bddd72458fbced7a6c1
+github.com/google/shlex                             c34317bd91bf98fab745d77b03933cf8769299fe
+github.com/google/uuid                              0cd6bf5da1e1c83f8b45653022c74f71af0538a4 # v1.1.1
+github.com/googleapis/gnostic                       7c663266750e7d82587642f65e60bc4083f1f84e # v0.2.0
+github.com/gorilla/mux                              a7962380ca08b5a188038c69871b8d3fbdf31e89 # v1.7.0
+github.com/grpc-ecosystem/grpc-gateway              1a03ca3bad1e1ebadaedd3abb76bc58d4ac8143b
+github.com/grpc-ecosystem/grpc-opentracing          8e809c8a86450a29b90dcc9efbf062d0fe6d9746
+github.com/hashicorp/go-version                     23480c0665776210b5fbbac6eaaee40e3e6a96b7
+github.com/hashicorp/golang-lru                     0fb14efe8c47ae851c0034ed7a448854d3d34cf3
+github.com/imdario/mergo                            7c29201646fa3de8506f701213473dd407f19646 # v0.3.7
+github.com/inconshreveable/mousetrap                76626ae9c91c4f2a10f34cad8ce83ea42c93bb75 # v1.0.0
+github.com/jaguilar/vt100                           ad4c4a5743050fb7f88ce968dca9422f72a0e3f2 git://github.com/tonistiigi/vt100.git
+github.com/json-iterator/go                         0ff49de124c6f76f8494e194af75bde0f1a49a29 # 1.1.6
+github.com/konsorten/go-windows-terminal-sequences  f55edac94c9bbba5d6182a4be46d86a2c9b5b50e # v1.0.2
+github.com/mattn/go-shellwords                      a72fbe27a1b0ed0df2f02754945044ce1456608b # v1.0.5
+github.com/matttproud/golang_protobuf_extensions    c12348ce28de40eed0136aa2b644d0ee0650e56c # v1.0.1
+github.com/Microsoft/go-winio                       c599b533b43b1363d7d7c6cfda5ede70ed73ff13
+github.com/Microsoft/hcsshim                        ba3d6667710fa905116f39a19d059c4c1016be7c
+github.com/miekg/pkcs11                             6120d95c0e9576ccf4a78ba40855809dca31a9ed
+github.com/mitchellh/mapstructure                   f15292f7a699fcc1a38a80977f80a046874ba8ac
+github.com/moby/buildkit                            b3028967ae6259c9a31c1a1deeccd30fe3469cce
+github.com/modern-go/concurrent                     bacd9c7ef1dd9b15be4a9909b8ac7a4e313eec94 # 1.0.3
+github.com/modern-go/reflect2                       4b7aa43c6742a2c18fdef89dd197aaae7dac7ccd # 1.0.1
+github.com/morikuni/aec                             39771216ff4c63d11f5e604076f9c45e8be1067b
+github.com/opencontainers/go-digest                 279bed98673dd5bef374d3b6e4b09e2af76183bf # v1.0.0-rc1
+github.com/opencontainers/image-spec                d60099175f88c47cd379c4738d158884749ed235 # v1.0.1
+github.com/opencontainers/runc                      029124da7af7360afa781a0234d1b083550f797c # v1.0.0-rc7-6-g029124da
+github.com/opencontainers/runtime-spec              29686dbc5559d93fb1ef402eeda3e35c38d75af4 # v1.0.1-59-g29686db
+github.com/opentracing/opentracing-go               1361b9cd60be79c4c3a7fa9841b3c132e40066a7
+github.com/pkg/errors                               ba968bfe8b2f7e042a574c888954fccecfa385b4 # v0.8.1
+github.com/prometheus/client_golang                 c5b7fccd204277076155f10851dad72b76a49317 # v0.8.0
+github.com/prometheus/client_model                  6f3806018612930941127f2a7c6c453ba2c527d2
+github.com/prometheus/common                        7600349dcfe1abd18d72d3a1770870d9800a7801
+github.com/prometheus/procfs                        7d6f385de8bea29190f15ba9931442a0eaef9af7
+github.com/russross/blackfriday                     1d6b8e9301e720b08a8938b8c25c018285885438
+github.com/shurcooL/sanitized_anchor_name           10ef21a441db47d8b13ebcc5fd2310f636973c77
+github.com/sirupsen/logrus                          8bdbc7bcc01dcbb8ec23dc8a28e332258d25251f # v1.4.1
+github.com/spf13/cobra                              ef82de70bb3f60c65fb8eebacbb2d122ef517385 # v0.0.3
+github.com/spf13/pflag                              4cb166e4f25ac4e8016a3595bbf7ea2e9aa85a2c https://github.com/thaJeztah/pflag.git # temporary fork with https://github.com/spf13/pflag/pull/170 applied, which isn't merged yet upstream
+github.com/syndtr/gocapability                      d98352740cb2c55f81556b63d4a1ec64c5a319c2
+github.com/theupdateframework/notary                d6e1431feb32348e0650bf7551ac5cffd01d857b # v0.6.1
+github.com/tonistiigi/fsutil                        3bbb99cdbd76619ab717299830c60f6f2a533a6b
+github.com/tonistiigi/units                         6950e57a87eaf136bbe44ef2ec8e75b9e3569de2
+github.com/xeipuuv/gojsonpointer                    4e3ac2762d5f479393488629ee9370b50873b3a6
+github.com/xeipuuv/gojsonreference                  bd5ef7bd5415a7ac448318e64f11a24cd21e594b
+github.com/xeipuuv/gojsonschema                     93e72a773fade158921402d6a24c819b48aba29d
+golang.org/x/crypto                                 38d8ce5564a5b71b2e3a00553993f1b9a7ae852f
+golang.org/x/net                                    eb5bcb51f2a31c7d5141d810b70815c05d9c9146
+golang.org/x/oauth2                                 ef147856a6ddbb60760db74283d2424e98c87bff
+golang.org/x/sync                                   e225da77a7e68af35c70ccbf71af2b83e6acac3c
+golang.org/x/sys                                    4b34438f7a67ee5f45cc6132e2bad873a20324e9
+golang.org/x/text                                   f21a4dfb5e38f5895301dc265a8def02365cc3d0 # v0.3.0
+golang.org/x/time                                   fbb02b2291d28baffd63558aa44b4b56f178d650
+google.golang.org/genproto                          02b4e95473316948020af0b7a4f0f22c73929b0e
+google.golang.org/grpc                              7a6a684ca69eb4cae85ad0a484f2e531598c047b # v1.12.2
+gopkg.in/inf.v0                                     d2d2541c53f18d2a059457998ce2876cc8e67cbf # v0.9.1
+gopkg.in/yaml.v2                                    5420a8b6744d3b0345ab293f6fcba19c978f1183 # v2.2.1
+gotest.tools                                        1083505acf35a0bd8a696b26837e1fb3187a7a83 # v2.3.0
+k8s.io/api                                          40a48860b5abbba9aa891b02b32da429b08d96a0 # kubernetes-1.14.0
+k8s.io/apimachinery                                 d7deff9243b165ee192f5551710ea4285dcfd615 # kubernetes-1.14.0
+k8s.io/client-go                                    6ee68ca5fd8355d024d02f9db0b3b667e8357a0f # kubernetes-1.14.0
+k8s.io/klog                                         71442cd4037d612096940ceb0f3fec3f7fff66e0 # v0.2.0
+k8s.io/kube-openapi                                 5e45bb682580c9be5ffa4d27d367f0eeba125c7b
+k8s.io/kubernetes                                   641856db18352033a0d96dbc99153fa3b27298e5 # v1.14.0
+k8s.io/utils                                        21c4ce38f2a793ec01e925ddc31216500183b773
+sigs.k8s.io/yaml                                    fd68e9863619f6ec2fdd8625fe1f02e7c877e480 # v1.1.0
+vbom.ml/util                                        256737ac55c46798123f754ab7d2c784e2c71783
+
+# DO NOT EDIT BELOW THIS LINE -------- reserved for downstream projects --------

vendor/github.com/containerd/continuity/LICENSE

@@ -1,6 +1,7 @@
+
                                  Apache License
                            Version 2.0, January 2004
-                        http://www.apache.org/licenses/
+                        https://www.apache.org/licenses/
 
    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
 
@@ -175,28 +176,16 @@
 
    END OF TERMS AND CONDITIONS
 
-   APPENDIX: How to apply the Apache License to your work.
-
-      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "{}"
-      replaced with your own identifying information. (Don't include
-      the brackets!)  The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
-      identification within third-party archives.
-
-   Copyright {yyyy} {name of copyright owner}
+   Copyright The containerd Authors
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at
 
-       http://www.apache.org/licenses/LICENSE-2.0
+       https://www.apache.org/licenses/LICENSE-2.0
 
    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
-

vendor/github.com/containerd/continuity/README.md

@@ -72,3 +72,13 @@ If you change the proto file you will need to rebuild the generated Go with `go
 ```console
 $ go generate ./proto
 ```
+
+## Project details
+
+continuity is a containerd sub-project, licensed under the [Apache 2.0 license](./LICENSE).
+As a containerd sub-project, you will find the:
+ * [Project governance](https://github.com/containerd/project/blob/master/GOVERNANCE.md),
+ * [Maintainers](https://github.com/containerd/project/blob/master/MAINTAINERS),
+ * and [Contributing guidelines](https://github.com/containerd/project/blob/master/CONTRIBUTING.md)
+
+information in our [`containerd/project`](https://github.com/containerd/project) repository.

vendor/github.com/containerd/continuity/fs/copy.go

@@ -32,14 +32,49 @@ var bufferPool = &sync.Pool{
 	},
 }
 
-// CopyDir copies the directory from src to dst.
-// Most efficient copy of files is attempted.
-func CopyDir(dst, src string) error {
-	inodes := map[uint64]string{}
-	return copyDirectory(dst, src, inodes)
+// XAttrErrorHandlers transform a non-nil xattr error.
+// Return nil to ignore an error.
+// xattrKey can be empty for listxattr operation.
+type XAttrErrorHandler func(dst, src, xattrKey string, err error) error
+
+type copyDirOpts struct {
+	xeh XAttrErrorHandler
 }
 
-func copyDirectory(dst, src string, inodes map[uint64]string) error {
+type CopyDirOpt func(*copyDirOpts) error
+
+// WithXAttrErrorHandler allows specifying XAttrErrorHandler
+// If nil XAttrErrorHandler is specified (default), CopyDir stops
+// on a non-nil xattr error.
+func WithXAttrErrorHandler(xeh XAttrErrorHandler) CopyDirOpt {
+	return func(o *copyDirOpts) error {
+		o.xeh = xeh
+		return nil
+	}
+}
+
+// WithAllowXAttrErrors allows ignoring xattr errors.
+func WithAllowXAttrErrors() CopyDirOpt {
+	xeh := func(dst, src, xattrKey string, err error) error {
+		return nil
+	}
+	return WithXAttrErrorHandler(xeh)
+}
+
+// CopyDir copies the directory from src to dst.
+// Most efficient copy of files is attempted.
+func CopyDir(dst, src string, opts ...CopyDirOpt) error {
+	var o copyDirOpts
+	for _, opt := range opts {
+		if err := opt(&o); err != nil {
+			return err
+		}
+	}
+	inodes := map[uint64]string{}
+	return copyDirectory(dst, src, inodes, &o)
+}
+
+func copyDirectory(dst, src string, inodes map[uint64]string, o *copyDirOpts) error {
 	stat, err := os.Stat(src)
 	if err != nil {
 		return errors.Wrapf(err, "failed to stat %s", src)
@@ -75,7 +110,7 @@ func copyDirectory(dst, src string, inodes map[uint64]string) error {
 
 		switch {
 		case fi.IsDir():
-			if err := copyDirectory(target, source, inodes); err != nil {
+			if err := copyDirectory(target, source, inodes, o); err != nil {
 				return err
 			}
 			continue
@@ -111,7 +146,7 @@ func copyDirectory(dst, src string, inodes map[uint64]string) error {
 			return errors.Wrap(err, "failed to copy file info")
 		}
 
-		if err := copyXAttrs(target, source); err != nil {
+		if err := copyXAttrs(target, source, o.xeh); err != nil {
 			return errors.Wrap(err, "failed to copy xattrs")
 		}
 	}

vendor/github.com/containerd/continuity/fs/copy_linux.go

@@ -59,6 +59,8 @@ func copyFileInfo(fi os.FileInfo, name string) error {
 	return nil
 }
 
+const maxSSizeT = int64(^uint(0) >> 1)
+
 func copyFileContent(dst, src *os.File) error {
 	st, err := src.Stat()
 	if err != nil {
@@ -71,7 +73,16 @@ func copyFileContent(dst, src *os.File) error {
 	dstFd := int(dst.Fd())
 
 	for size > 0 {
-		n, err := unix.CopyFileRange(srcFd, nil, dstFd, nil, int(size), 0)
+		// Ensure that we are never trying to copy more than SSIZE_MAX at a
+		// time and at the same time avoids overflows when the file is larger
+		// than 4GB on 32-bit systems.
+		var copySize int
+		if size > maxSSizeT {
+			copySize = int(maxSSizeT)
+		} else {
+			copySize = int(size)
+		}
+		n, err := unix.CopyFileRange(srcFd, nil, dstFd, nil, copySize, 0)
 		if err != nil {
 			if (err != unix.ENOSYS && err != unix.EXDEV) || !first {
 				return errors.Wrap(err, "copy file range failed")
@@ -90,18 +101,34 @@ func copyFileContent(dst, src *os.File) error {
 	return nil
 }
 
-func copyXAttrs(dst, src string) error {
+func copyXAttrs(dst, src string, xeh XAttrErrorHandler) error {
 	xattrKeys, err := sysx.LListxattr(src)
 	if err != nil {
-		return errors.Wrapf(err, "failed to list xattrs on %s", src)
+		e := errors.Wrapf(err, "failed to list xattrs on %s", src)
+		if xeh != nil {
+			e = xeh(dst, src, "", e)
+		}
+		return e
 	}
 	for _, xattr := range xattrKeys {
 		data, err := sysx.LGetxattr(src, xattr)
 		if err != nil {
-			return errors.Wrapf(err, "failed to get xattr %q on %s", xattr, src)
+			e := errors.Wrapf(err, "failed to get xattr %q on %s", xattr, src)
+			if xeh != nil {
+				if e = xeh(dst, src, xattr, e); e == nil {
+					continue
+				}
+			}
+			return e
 		}
 		if err := sysx.LSetxattr(dst, xattr, data, 0); err != nil {
-			return errors.Wrapf(err, "failed to set xattr %q on %s", xattr, dst)
+			e := errors.Wrapf(err, "failed to set xattr %q on %s", xattr, dst)
+			if xeh != nil {
+				if e = xeh(dst, src, xattr, e); e == nil {
+					continue
+				}
+			}
+			return e
 		}
 	}
 

vendor/github.com/containerd/continuity/fs/copy_unix.go

@@ -69,18 +69,34 @@ func copyFileContent(dst, src *os.File) error {
 	return err
 }
 
-func copyXAttrs(dst, src string) error {
+func copyXAttrs(dst, src string, xeh XAttrErrorHandler) error {
 	xattrKeys, err := sysx.LListxattr(src)
 	if err != nil {
-		return errors.Wrapf(err, "failed to list xattrs on %s", src)
+		e := errors.Wrapf(err, "failed to list xattrs on %s", src)
+		if xeh != nil {
+			e = xeh(dst, src, "", e)
+		}
+		return e
 	}
 	for _, xattr := range xattrKeys {
 		data, err := sysx.LGetxattr(src, xattr)
 		if err != nil {
-			return errors.Wrapf(err, "failed to get xattr %q on %s", xattr, src)
+			e := errors.Wrapf(err, "failed to get xattr %q on %s", xattr, src)
+			if xeh != nil {
+				if e = xeh(dst, src, xattr, e); e == nil {
+					continue
+				}
+			}
+			return e
 		}
 		if err := sysx.LSetxattr(dst, xattr, data, 0); err != nil {
-			return errors.Wrapf(err, "failed to set xattr %q on %s", xattr, dst)
+			e := errors.Wrapf(err, "failed to set xattr %q on %s", xattr, dst)
+			if xeh != nil {
+				if e = xeh(dst, src, xattr, e); e == nil {
+					continue
+				}
+			}
+			return e
 		}
 	}
 

vendor/github.com/containerd/continuity/fs/copy_windows.go

@@ -40,7 +40,7 @@ func copyFileContent(dst, src *os.File) error {
 	return err
 }
 
-func copyXAttrs(dst, src string) error {
+func copyXAttrs(dst, src string, xeh XAttrErrorHandler) error {
 	return nil
 }
 

vendor/github.com/containerd/fifo/raw.go

@@ -0,0 +1,116 @@
+// +build go1.12
+
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package fifo
+
+import (
+	"syscall"
+
+	"github.com/pkg/errors"
+)
+
+// SyscallConn provides raw access to the fifo's underlying filedescrptor.
+// See syscall.Conn for guarentees provided by this interface.
+func (f *fifo) SyscallConn() (syscall.RawConn, error) {
+	// deterministic check for closed
+	select {
+	case <-f.closed:
+		return nil, errors.New("fifo closed")
+	default:
+	}
+
+	select {
+	case <-f.closed:
+		return nil, errors.New("fifo closed")
+	case <-f.opened:
+		return f.file.SyscallConn()
+	default:
+	}
+
+	// Not opened and not closed, this means open is non-blocking AND it's not open yet
+	// Use rawConn to deal with non-blocking open.
+	rc := &rawConn{f: f, ready: make(chan struct{})}
+	go func() {
+		select {
+		case <-f.closed:
+			return
+		case <-f.opened:
+			rc.raw, rc.err = f.file.SyscallConn()
+			close(rc.ready)
+		}
+	}()
+
+	return rc, nil
+}
+
+type rawConn struct {
+	f     *fifo
+	ready chan struct{}
+	raw   syscall.RawConn
+	err   error
+}
+
+func (r *rawConn) Control(f func(fd uintptr)) error {
+	select {
+	case <-r.f.closed:
+		return errors.New("control of closed fifo")
+	case <-r.ready:
+	}
+
+	if r.err != nil {
+		return r.err
+	}
+
+	return r.raw.Control(f)
+}
+
+func (r *rawConn) Read(f func(fd uintptr) (done bool)) error {
+	if r.f.flag&syscall.O_WRONLY > 0 {
+		return errors.New("reading from write-only fifo")
+	}
+
+	select {
+	case <-r.f.closed:
+		return errors.New("reading of a closed fifo")
+	case <-r.ready:
+	}
+
+	if r.err != nil {
+		return r.err
+	}
+
+	return r.raw.Read(f)
+}
+
+func (r *rawConn) Write(f func(fd uintptr) (done bool)) error {
+	if r.f.flag&(syscall.O_WRONLY|syscall.O_RDWR) == 0 {
+		return errors.New("writing to read-only fifo")
+	}
+
+	select {
+	case <-r.f.closed:
+		return errors.New("writing to a closed fifo")
+	case <-r.ready:
+	}
+
+	if r.err != nil {
+		return r.err
+	}
+
+	return r.raw.Write(f)
+}

vendor/github.com/containerd/fifo/readme.md

@@ -1,6 +1,7 @@
 ### fifo
 
 [![Build Status](https://travis-ci.org/containerd/fifo.svg?branch=master)](https://travis-ci.org/containerd/fifo)
+[![codecov](https://codecov.io/gh/containerd/fifo/branch/master/graph/badge.svg)](https://codecov.io/gh/containerd/fifo)
 
 Go package for handling fifos in a sane way.
 
@@ -30,3 +31,14 @@ func (f *fifo) Write(b []byte) (int, error)
 // before open(2) has returned and fifo was never opened.
 func (f *fifo) Close() error 
 ```
+
+## Project details
+
+The fifo is a containerd sub-project, licensed under the [Apache 2.0 license](./LICENSE).
+As a containerd sub-project, you will find the:
+
+ * [Project governance](https://github.com/containerd/project/blob/master/GOVERNANCE.md),
+ * [Maintainers](https://github.com/containerd/project/blob/master/MAINTAINERS),
+ * and [Contributing guidelines](https://github.com/containerd/project/blob/master/CONTRIBUTING.md)
+
+information in our [`containerd/project`](https://github.com/containerd/project) repository.

vendor/github.com/containerd/typeurl/LICENSE

@@ -1,6 +1,7 @@
+
                                  Apache License
                            Version 2.0, January 2004
-                        http://www.apache.org/licenses/
+                        https://www.apache.org/licenses/
 
    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
 
@@ -175,24 +176,13 @@
 
    END OF TERMS AND CONDITIONS
 
-   APPENDIX: How to apply the Apache License to your work.
-
-      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "[]"
-      replaced with your own identifying information. (Don't include
-      the brackets!)  The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
-      identification within third-party archives.
-
-   Copyright [yyyy] [name of copyright owner]
+   Copyright The containerd Authors
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at
 
-       http://www.apache.org/licenses/LICENSE-2.0
+       https://www.apache.org/licenses/LICENSE-2.0
 
    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,

vendor/github.com/containerd/typeurl/README.md

@@ -7,3 +7,13 @@
 A Go package for managing the registration, marshaling, and unmarshaling of encoded types.
 
 This package helps when types are sent over a GRPC API and marshaled as a [protobuf.Any]().
+
+## Project details
+
+**typeurl** is a containerd sub-project, licensed under the [Apache 2.0 license](./LICENSE).
+As a containerd sub-project, you will find the:
+ * [Project governance](https://github.com/containerd/project/blob/master/GOVERNANCE.md),
+ * [Maintainers](https://github.com/containerd/project/blob/master/MAINTAINERS),
+ * and [Contributing guidelines](https://github.com/containerd/project/blob/master/CONTRIBUTING.md)
+
+information in our [`containerd/project`](https://github.com/containerd/project) repository.

vendor/github.com/containerd/typeurl/doc.go

@@ -0,0 +1,83 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package typeurl
+
+// Package typeurl assists with managing the registration, marshaling, and
+// unmarshaling of types encoded as protobuf.Any.
+//
+// A protobuf.Any is a proto message that can contain any arbitrary data. It
+// consists of two components, a TypeUrl and a Value, and its proto definition
+// looks like this:
+//
+//   message Any {
+//     string type_url = 1;
+//     bytes value = 2;
+//   }
+//
+// The TypeUrl is used to distinguish the contents from other proto.Any
+// messages. This typeurl library manages these URLs to enable automagic
+// marshaling and unmarshaling of the contents.
+//
+// For example, consider this go struct:
+//
+//   type Foo struct {
+//     Field1 string
+//     Field2 string
+//   }
+//
+// To use typeurl, types must first be registered. This is typically done in
+// the init function
+//
+//   func init() {
+//      typeurl.Register(&Foo{}, "Foo")
+//   }
+//
+// This will register the type Foo with the url path "Foo". The arguments to
+// Register are variadic, and are used to construct a url path. Consider this
+// example, from the github.com/containerd/containerd/client package:
+//
+//   func init() {
+//     const prefix = "types.containerd.io"
+//     // register TypeUrls for commonly marshaled external types
+//     major := strconv.Itoa(specs.VersionMajor)
+//     typeurl.Register(&specs.Spec{}, prefix, "opencontainers/runtime-spec", major, "Spec")
+//     // this function has more Register calls, which are elided.
+//   }
+//
+// This registers several types under a more complex url, which ends up mapping
+// to `types.containerd.io/opencontainers/runtime-spec/1/Spec` (or some other
+// value for major).
+//
+// Once a type is registered, it can be marshaled to a proto.Any message simply
+// by calling `MarshalAny`, like this:
+//
+//   foo := &Foo{Field1: "value1", Field2: "value2"}
+//   anyFoo, err := typeurl.MarshalAny(foo)
+//
+// MarshalAny will resolve the correct URL for the type. If the type in
+// question implements the proto.Message interface, then it will be marshaled
+// as a proto message. Otherwise, it will be marshaled as json. This means that
+// typeurl will work on any arbitrary data, whether or not it has a proto
+// definition, as long as it can be serialized to json.
+//
+// To unmarshal, the process is simply inverse:
+//
+//   iface, err := typeurl.UnmarshalAny(anyFoo)
+//   foo := iface.(*Foo)
+//
+// The correct type is automatically chosen from the type registry, and the
+// returned interface can be cast straight to that type.

vendor/github.com/containerd/typeurl/types.go

@@ -78,7 +78,10 @@ func Is(any *types.Any, v interface{}) bool {
 	return any.TypeUrl == url
 }
 
-// MarshalAny marshals the value v into an any with the correct TypeUrl
+// MarshalAny marshals the value v into an any with the correct TypeUrl.
+// If the provided object is already a proto.Any message, then it will be
+// returned verbatim. If it is of type proto.Message, it will be marshaled as a
+// protocol buffer. Otherwise, the object will be marshaled to json.
 func MarshalAny(v interface{}) (*types.Any, error) {
 	var marshal func(v interface{}) ([]byte, error)
 	switch t := v.(type) {

vendor/github.com/davecgh/go-spew/LICENSE

@@ -2,7 +2,7 @@ ISC License
 
 Copyright (c) 2012-2016 Dave Collins <dave@davec.name>
 
-Permission to use, copy, modify, and distribute this software for any
+Permission to use, copy, modify, and/or distribute this software for any
 purpose with or without fee is hereby granted, provided that the above
 copyright notice and this permission notice appear in all copies.
 

vendor/github.com/davecgh/go-spew/README.md

@@ -1,12 +1,9 @@
 go-spew
 =======
 
-[![Build Status](https://img.shields.io/travis/davecgh/go-spew.svg)]
-(https://travis-ci.org/davecgh/go-spew) [![ISC License]
-(http://img.shields.io/badge/license-ISC-blue.svg)](http://copyfree.org) [![Coverage Status]
-(https://img.shields.io/coveralls/davecgh/go-spew.svg)]
-(https://coveralls.io/r/davecgh/go-spew?branch=master)
-
+[![Build Status](https://img.shields.io/travis/davecgh/go-spew.svg)](https://travis-ci.org/davecgh/go-spew)
+[![ISC License](http://img.shields.io/badge/license-ISC-blue.svg)](http://copyfree.org)
+[![Coverage Status](https://img.shields.io/coveralls/davecgh/go-spew.svg)](https://coveralls.io/r/davecgh/go-spew?branch=master)
 
 Go-spew implements a deep pretty printer for Go data structures to aid in
 debugging.  A comprehensive suite of tests with 100% test coverage is provided
@@ -21,8 +18,7 @@ post about it
 
 ## Documentation
 
-[![GoDoc](https://img.shields.io/badge/godoc-reference-blue.svg)]
-(http://godoc.org/github.com/davecgh/go-spew/spew)
+[![GoDoc](https://img.shields.io/badge/godoc-reference-blue.svg)](http://godoc.org/github.com/davecgh/go-spew/spew)
 
 Full `go doc` style documentation for the project can be viewed online without
 installing this package by using the excellent GoDoc site here:

vendor/github.com/davecgh/go-spew/spew/bypass.go

@@ -16,7 +16,9 @@
 // when the code is not running on Google App Engine, compiled by GopherJS, and
 // "-tags safe" is not added to the go build command line.  The "disableunsafe"
 // tag is deprecated and thus should not be used.
-// +build !js,!appengine,!safe,!disableunsafe
+// Go versions prior to 1.4 are disabled because they use a different layout
+// for interfaces which make the implementation of unsafeReflectValue more complex.
+// +build !js,!appengine,!safe,!disableunsafe,go1.4
 
 package spew
 
@@ -34,80 +36,49 @@ const (
 	ptrSize = unsafe.Sizeof((*byte)(nil))
 )
 
-var (
-	// offsetPtr, offsetScalar, and offsetFlag are the offsets for the
-	// internal reflect.Value fields.  These values are valid before golang
-	// commit ecccf07e7f9d which changed the format.  The are also valid
-	// after commit 82f48826c6c7 which changed the format again to mirror
-	// the original format.  Code in the init function updates these offsets
-	// as necessary.
-	offsetPtr    = uintptr(ptrSize)
-	offsetScalar = uintptr(0)
-	offsetFlag   = uintptr(ptrSize * 2)
+type flag uintptr
 
-	// flagKindWidth and flagKindShift indicate various bits that the
-	// reflect package uses internally to track kind information.
-	//
-	// flagRO indicates whether or not the value field of a reflect.Value is
-	// read-only.
-	//
-	// flagIndir indicates whether the value field of a reflect.Value is
-	// the actual data or a pointer to the data.
-	//
-	// These values are valid before golang commit 90a7c3c86944 which
-	// changed their positions.  Code in the init function updates these
-	// flags as necessary.
-	flagKindWidth = uintptr(5)
-	flagKindShift = uintptr(flagKindWidth - 1)
-	flagRO        = uintptr(1 << 0)
-	flagIndir     = uintptr(1 << 1)
+var (
+	// flagRO indicates whether the value field of a reflect.Value
+	// is read-only.
+	flagRO flag
+
+	// flagAddr indicates whether the address of the reflect.Value's
+	// value may be taken.
+	flagAddr flag
 )
 
-func init() {
-	// Older versions of reflect.Value stored small integers directly in the
-	// ptr field (which is named val in the older versions).  Versions
-	// between commits ecccf07e7f9d and 82f48826c6c7 added a new field named
-	// scalar for this purpose which unfortunately came before the flag
-	// field, so the offset of the flag field is different for those
-	// versions.
-	//
-	// This code constructs a new reflect.Value from a known small integer
-	// and checks if the size of the reflect.Value struct indicates it has
-	// the scalar field. When it does, the offsets are updated accordingly.
-	vv := reflect.ValueOf(0xf00)
-	if unsafe.Sizeof(vv) == (ptrSize * 4) {
-		offsetScalar = ptrSize * 2
-		offsetFlag = ptrSize * 3
-	}
+// flagKindMask holds the bits that make up the kind
+// part of the flags field. In all the supported versions,
+// it is in the lower 5 bits.
+const flagKindMask = flag(0x1f)
 
-	// Commit 90a7c3c86944 changed the flag positions such that the low
-	// order bits are the kind.  This code extracts the kind from the flags
-	// field and ensures it's the correct type.  When it's not, the flag
-	// order has been changed to the newer format, so the flags are updated
-	// accordingly.
-	upf := unsafe.Pointer(uintptr(unsafe.Pointer(&vv)) + offsetFlag)
-	upfv := *(*uintptr)(upf)
-	flagKindMask := uintptr((1<<flagKindWidth - 1) << flagKindShift)
-	if (upfv&flagKindMask)>>flagKindShift != uintptr(reflect.Int) {
-		flagKindShift = 0
-		flagRO = 1 << 5
-		flagIndir = 1 << 6
+// Different versions of Go have used different
+// bit layouts for the flags type. This table
+// records the known combinations.
+var okFlags = []struct {
+	ro, addr flag
+}{{
+	// From Go 1.4 to 1.5
+	ro:   1 << 5,
+	addr: 1 << 7,
+}, {
+	// Up to Go tip.
+	ro:   1<<5 | 1<<6,
+	addr: 1 << 8,
+}}
 
-		// Commit adf9b30e5594 modified the flags to separate the
-		// flagRO flag into two bits which specifies whether or not the
-		// field is embedded.  This causes flagIndir to move over a bit
-		// and means that flagRO is the combination of either of the
-		// original flagRO bit and the new bit.
-		//
-		// This code detects the change by extracting what used to be
-		// the indirect bit to ensure it's set.  When it's not, the flag
-		// order has been changed to the newer format, so the flags are
-		// updated accordingly.
-		if upfv&flagIndir == 0 {
-			flagRO = 3 << 5
-			flagIndir = 1 << 7
-		}
+var flagValOffset = func() uintptr {
+	field, ok := reflect.TypeOf(reflect.Value{}).FieldByName("flag")
+	if !ok {
+		panic("reflect.Value has no flag field")
 	}
+	return field.Offset
+}()
+
+// flagField returns a pointer to the flag field of a reflect.Value.
+func flagField(v *reflect.Value) *flag {
+	return (*flag)(unsafe.Pointer(uintptr(unsafe.Pointer(v)) + flagValOffset))
 }
 
 // unsafeReflectValue converts the passed reflect.Value into a one that bypasses
@@ -119,34 +90,56 @@ func init() {
 // This allows us to check for implementations of the Stringer and error
 // interfaces to be used for pretty printing ordinarily unaddressable and
 // inaccessible values such as unexported struct fields.
-func unsafeReflectValue(v reflect.Value) (rv reflect.Value) {
-	indirects := 1
-	vt := v.Type()
-	upv := unsafe.Pointer(uintptr(unsafe.Pointer(&v)) + offsetPtr)
-	rvf := *(*uintptr)(unsafe.Pointer(uintptr(unsafe.Pointer(&v)) + offsetFlag))
-	if rvf&flagIndir != 0 {
-		vt = reflect.PtrTo(v.Type())
-		indirects++
-	} else if offsetScalar != 0 {
-		// The value is in the scalar field when it's not one of the
-		// reference types.
-		switch vt.Kind() {
-		case reflect.Uintptr:
-		case reflect.Chan:
-		case reflect.Func:
-		case reflect.Map:
-		case reflect.Ptr:
-		case reflect.UnsafePointer:
-		default:
-			upv = unsafe.Pointer(uintptr(unsafe.Pointer(&v)) +
-				offsetScalar)
+func unsafeReflectValue(v reflect.Value) reflect.Value {
+	if !v.IsValid() || (v.CanInterface() && v.CanAddr()) {
+		return v
+	}
+	flagFieldPtr := flagField(&v)
+	*flagFieldPtr &^= flagRO
+	*flagFieldPtr |= flagAddr
+	return v
+}
+
+// Sanity checks against future reflect package changes
+// to the type or semantics of the Value.flag field.
+func init() {
+	field, ok := reflect.TypeOf(reflect.Value{}).FieldByName("flag")
+	if !ok {
+		panic("reflect.Value has no flag field")
+	}
+	if field.Type.Kind() != reflect.TypeOf(flag(0)).Kind() {
+		panic("reflect.Value flag field has changed kind")
+	}
+	type t0 int
+	var t struct {
+		A t0
+		// t0 will have flagEmbedRO set.
+		t0
+		// a will have flagStickyRO set
+		a t0
+	}
+	vA := reflect.ValueOf(t).FieldByName("A")
+	va := reflect.ValueOf(t).FieldByName("a")
+	vt0 := reflect.ValueOf(t).FieldByName("t0")
+
+	// Infer flagRO from the difference between the flags
+	// for the (otherwise identical) fields in t.
+	flagPublic := *flagField(&vA)
+	flagWithRO := *flagField(&va) | *flagField(&vt0)
+	flagRO = flagPublic ^ flagWithRO
+
+	// Infer flagAddr from the difference between a value
+	// taken from a pointer and not.
+	vPtrA := reflect.ValueOf(&t).Elem().FieldByName("A")
+	flagNoPtr := *flagField(&vA)
+	flagPtr := *flagField(&vPtrA)
+	flagAddr = flagNoPtr ^ flagPtr
+
+	// Check that the inferred flags tally with one of the known versions.
+	for _, f := range okFlags {
+		if flagRO == f.ro && flagAddr == f.addr {
+			return
 		}
 	}
-
-	pv := reflect.NewAt(vt, upv)
-	rv = pv
-	for i := 0; i < indirects; i++ {
-		rv = rv.Elem()
-	}
-	return rv
+	panic("reflect.Value read-only flag has changed semantics")
 }

vendor/github.com/davecgh/go-spew/spew/bypasssafe.go

@@ -16,7 +16,7 @@
 // when the code is running on Google App Engine, compiled by GopherJS, or
 // "-tags safe" is added to the go build command line.  The "disableunsafe"
 // tag is deprecated and thus should not be used.
-// +build js appengine safe disableunsafe
+// +build js appengine safe disableunsafe !go1.4
 
 package spew
 

vendor/github.com/davecgh/go-spew/spew/common.go

@@ -180,7 +180,7 @@ func printComplex(w io.Writer, c complex128, floatPrecision int) {
 	w.Write(closeParenBytes)
 }
 
-// printHexPtr outputs a uintptr formatted as hexidecimal with a leading '0x'
+// printHexPtr outputs a uintptr formatted as hexadecimal with a leading '0x'
 // prefix to Writer w.
 func printHexPtr(w io.Writer, p uintptr) {
 	// Null pointer.

vendor/github.com/davecgh/go-spew/spew/dump.go

@@ -35,16 +35,16 @@ var (
 
 	// cCharRE is a regular expression that matches a cgo char.
 	// It is used to detect character arrays to hexdump them.
-	cCharRE = regexp.MustCompile("^.*\\._Ctype_char$")
+	cCharRE = regexp.MustCompile(`^.*\._Ctype_char$`)
 
 	// cUnsignedCharRE is a regular expression that matches a cgo unsigned
 	// char.  It is used to detect unsigned character arrays to hexdump
 	// them.
-	cUnsignedCharRE = regexp.MustCompile("^.*\\._Ctype_unsignedchar$")
+	cUnsignedCharRE = regexp.MustCompile(`^.*\._Ctype_unsignedchar$`)
 
 	// cUint8tCharRE is a regular expression that matches a cgo uint8_t.
 	// It is used to detect uint8_t arrays to hexdump them.
-	cUint8tCharRE = regexp.MustCompile("^.*\\._Ctype_uint8_t$")
+	cUint8tCharRE = regexp.MustCompile(`^.*\._Ctype_uint8_t$`)
 )
 
 // dumpState contains information about the state of a dump operation.
@@ -143,10 +143,10 @@ func (d *dumpState) dumpPtr(v reflect.Value) {
 	// Display dereferenced value.
 	d.w.Write(openParenBytes)
 	switch {
-	case nilFound == true:
+	case nilFound:
 		d.w.Write(nilAngleBytes)
 
-	case cycleFound == true:
+	case cycleFound:
 		d.w.Write(circularBytes)
 
 	default:

vendor/github.com/davecgh/go-spew/spew/format.go

@@ -182,10 +182,10 @@ func (f *formatState) formatPtr(v reflect.Value) {
 
 	// Display dereferenced value.
 	switch {
-	case nilFound == true:
+	case nilFound:
 		f.fs.Write(nilAngleBytes)
 
-	case cycleFound == true:
+	case cycleFound:
 		f.fs.Write(circularShortBytes)
 
 	default:

vendor/github.com/docker/docker/api/types/filters/parse.go

@@ -5,7 +5,6 @@ package filters // import "github.com/docker/docker/api/types/filters"
 
 import (
 	"encoding/json"
-	"errors"
 	"regexp"
 	"strings"
 
@@ -37,41 +36,6 @@ func NewArgs(initialArgs ...KeyValuePair) Args {
 	return args
 }
 
-// ParseFlag parses a key=value string and adds it to an Args.
-//
-// Deprecated: Use Args.Add()
-func ParseFlag(arg string, prev Args) (Args, error) {
-	filters := prev
-	if len(arg) == 0 {
-		return filters, nil
-	}
-
-	if !strings.Contains(arg, "=") {
-		return filters, ErrBadFormat
-	}
-
-	f := strings.SplitN(arg, "=", 2)
-
-	name := strings.ToLower(strings.TrimSpace(f[0]))
-	value := strings.TrimSpace(f[1])
-
-	filters.Add(name, value)
-
-	return filters, nil
-}
-
-// ErrBadFormat is an error returned when a filter is not in the form key=value
-//
-// Deprecated: this error will be removed in a future version
-var ErrBadFormat = errors.New("bad format of filter (expected name=value)")
-
-// ToParam encodes the Args as args JSON encoded string
-//
-// Deprecated: use ToJSON
-func ToParam(a Args) (string, error) {
-	return ToJSON(a)
-}
-
 // MarshalJSON returns a JSON byte representation of the Args
 func (args Args) MarshalJSON() ([]byte, error) {
 	if len(args.fields) == 0 {
@@ -107,13 +71,6 @@ func ToParamWithVersion(version string, a Args) (string, error) {
 	return ToJSON(a)
 }
 
-// FromParam decodes a JSON encoded string into Args
-//
-// Deprecated: use FromJSON
-func FromParam(p string) (Args, error) {
-	return FromJSON(p)
-}
-
 // FromJSON decodes a JSON encoded string into Args
 func FromJSON(p string) (Args, error) {
 	args := NewArgs()
@@ -275,14 +232,6 @@ func (args Args) FuzzyMatch(key, source string) bool {
 	return false
 }
 
-// Include returns true if the key exists in the mapping
-//
-// Deprecated: use Contains
-func (args Args) Include(field string) bool {
-	_, ok := args.fields[field]
-	return ok
-}
-
 // Contains returns true if the key exists in the mapping
 func (args Args) Contains(field string) bool {
 	_, ok := args.fields[field]

vendor/github.com/docker/docker/client/client.go

@@ -107,7 +107,7 @@ func CheckRedirect(req *http.Request, via []*http.Request) error {
 // It won't send any version information if the version number is empty. It is
 // highly recommended that you set a version or your client may break if the
 // server is upgraded.
-func NewClientWithOpts(ops ...func(*Client) error) (*Client, error) {
+func NewClientWithOpts(ops ...Opt) (*Client, error) {
 	client, err := defaultHTTPClient(DefaultDockerHost)
 	if err != nil {
 		return nil, err

vendor/github.com/docker/docker/client/options.go

@@ -6,12 +6,16 @@ import (
 	"net/http"
 	"os"
 	"path/filepath"
+	"time"
 
 	"github.com/docker/go-connections/sockets"
 	"github.com/docker/go-connections/tlsconfig"
 	"github.com/pkg/errors"
 )
 
+// Opt is a configuration option to initialize a client
+type Opt func(*Client) error
+
 // FromEnv configures the client with values from environment variables.
 //
 // Supported environment variables:
@@ -55,13 +59,13 @@ func FromEnv(c *Client) error {
 // WithDialer applies the dialer.DialContext to the client transport. This can be
 // used to set the Timeout and KeepAlive settings of the client.
 // Deprecated: use WithDialContext
-func WithDialer(dialer *net.Dialer) func(*Client) error {
+func WithDialer(dialer *net.Dialer) Opt {
 	return WithDialContext(dialer.DialContext)
 }
 
 // WithDialContext applies the dialer to the client transport. This can be
 // used to set the Timeout and KeepAlive settings of the client.
-func WithDialContext(dialContext func(ctx context.Context, network, addr string) (net.Conn, error)) func(*Client) error {
+func WithDialContext(dialContext func(ctx context.Context, network, addr string) (net.Conn, error)) Opt {
 	return func(c *Client) error {
 		if transport, ok := c.client.Transport.(*http.Transport); ok {
 			transport.DialContext = dialContext
@@ -72,7 +76,7 @@ func WithDialContext(dialContext func(ctx context.Context, network, addr string)
 }
 
 // WithHost overrides the client host with the specified one.
-func WithHost(host string) func(*Client) error {
+func WithHost(host string) Opt {
 	return func(c *Client) error {
 		hostURL, err := ParseHostURL(host)
 		if err != nil {
@@ -90,7 +94,7 @@ func WithHost(host string) func(*Client) error {
 }
 
 // WithHTTPClient overrides the client http client with the specified one
-func WithHTTPClient(client *http.Client) func(*Client) error {
+func WithHTTPClient(client *http.Client) Opt {
 	return func(c *Client) error {
 		if client != nil {
 			c.client = client
@@ -99,8 +103,16 @@ func WithHTTPClient(client *http.Client) func(*Client) error {
 	}
 }
 
+// WithTimeout configures the time limit for requests made by the HTTP client
+func WithTimeout(timeout time.Duration) Opt {
+	return func(c *Client) error {
+		c.client.Timeout = timeout
+		return nil
+	}
+}
+
 // WithHTTPHeaders overrides the client default http headers
-func WithHTTPHeaders(headers map[string]string) func(*Client) error {
+func WithHTTPHeaders(headers map[string]string) Opt {
 	return func(c *Client) error {
 		c.customHTTPHeaders = headers
 		return nil
@@ -108,7 +120,7 @@ func WithHTTPHeaders(headers map[string]string) func(*Client) error {
 }
 
 // WithScheme overrides the client scheme with the specified one
-func WithScheme(scheme string) func(*Client) error {
+func WithScheme(scheme string) Opt {
 	return func(c *Client) error {
 		c.scheme = scheme
 		return nil
@@ -116,7 +128,7 @@ func WithScheme(scheme string) func(*Client) error {
 }
 
 // WithTLSClientConfig applies a tls config to the client transport.
-func WithTLSClientConfig(cacertPath, certPath, keyPath string) func(*Client) error {
+func WithTLSClientConfig(cacertPath, certPath, keyPath string) Opt {
 	return func(c *Client) error {
 		opts := tlsconfig.Options{
 			CAFile:             cacertPath,
@@ -136,11 +148,14 @@ func WithTLSClientConfig(cacertPath, certPath, keyPath string) func(*Client) err
 	}
 }
 
-// WithVersion overrides the client version with the specified one
-func WithVersion(version string) func(*Client) error {
+// WithVersion overrides the client version with the specified one. If an empty
+// version is specified, the value will be ignored to allow version negotiation.
+func WithVersion(version string) Opt {
 	return func(c *Client) error {
-		c.version = version
-		c.manualOverride = true
+		if version != "" {
+			c.version = version
+			c.manualOverride = true
+		}
 		return nil
 	}
 }

vendor/github.com/docker/docker/vendor.conf

@@ -1,164 +1,167 @@
-# the following lines are in sorted order, FYI
-github.com/Azure/go-ansiterm d6e3b3328b783f23731bc4d058875b0371ff8109
-github.com/Microsoft/hcsshim ba3d6667710fa905116f39a19d059c4c1016be7c
-github.com/Microsoft/go-winio c599b533b43b1363d7d7c6cfda5ede70ed73ff13
-github.com/docker/libtrust 9cbd2a1374f46905c68a4eb3694a130610adc62a
-github.com/go-check/check 4ed411733c5785b40214c70bce814c3a3a689609 https://github.com/cpuguy83/check.git
-github.com/golang/gddo 9b12a26f3fbd7397dee4e20939ddca719d840d2a
-github.com/google/uuid v1.1.1
-github.com/gorilla/mux v1.7.0
-github.com/Microsoft/opengcs a10967154e143a36014584a6f664344e3bb0aa64
-github.com/konsorten/go-windows-terminal-sequences v1.0.1
-github.com/kr/pty 5cf931ef8f
-github.com/mattn/go-shellwords v1.0.3
-github.com/sirupsen/logrus 8bdbc7bcc01dcbb8ec23dc8a28e332258d25251f # v1.4.1
-github.com/tchap/go-patricia v2.2.6
-github.com/vdemeester/shakers 24d7f1d6a71aa5d9cbe7390e4afb66b7eef9e1b3
-golang.org/x/net a680a1efc54dd51c040b3b5ce4939ea3cf2ea0d1
-golang.org/x/sys d455e41777fca6e8a5a79e34a14b8368bc11d9ba
-github.com/docker/go-units 47565b4f722fb6ceae66b95f853feed578a4a51c # v0.3.3
-github.com/docker/go-connections 7395e3f8aa162843a74ed6d48e79627d9792ac55 # v0.4.0
-golang.org/x/text f21a4dfb5e38f5895301dc265a8def02365cc3d0 # v0.3.0
-gotest.tools v2.1.0
-github.com/google/go-cmp v0.2.0
+github.com/Azure/go-ansiterm                        d6e3b3328b783f23731bc4d058875b0371ff8109
+github.com/Microsoft/hcsshim                        ba3d6667710fa905116f39a19d059c4c1016be7c
+github.com/Microsoft/go-winio                       c599b533b43b1363d7d7c6cfda5ede70ed73ff13
+github.com/docker/libtrust                          9cbd2a1374f46905c68a4eb3694a130610adc62a
+github.com/go-check/check                           4ed411733c5785b40214c70bce814c3a3a689609 https://github.com/cpuguy83/check.git
+github.com/golang/gddo                              9b12a26f3fbd7397dee4e20939ddca719d840d2a
+github.com/google/uuid                              0cd6bf5da1e1c83f8b45653022c74f71af0538a4 # v1.1.1
+github.com/gorilla/mux                              a7962380ca08b5a188038c69871b8d3fbdf31e89 # v1.7.0
+github.com/Microsoft/opengcs                        a10967154e143a36014584a6f664344e3bb0aa64
 
-github.com/RackSec/srslog 456df3a81436d29ba874f3590eeeee25d666f8a5
-github.com/imdario/mergo v0.3.6
-golang.org/x/sync 1d60e4601c6fd243af51cc01ddf169918a5407ca
+github.com/konsorten/go-windows-terminal-sequences  f55edac94c9bbba5d6182a4be46d86a2c9b5b50e # v1.0.2
+github.com/kr/pty                                   521317be5ebc228a0f0ede099fa2a0b5ece22e49 # v1.1.4
+github.com/mattn/go-shellwords                      a72fbe27a1b0ed0df2f02754945044ce1456608b # v1.0.5
+github.com/sirupsen/logrus                          8bdbc7bcc01dcbb8ec23dc8a28e332258d25251f # v1.4.1
+github.com/tchap/go-patricia                        a7f0089c6f496e8e70402f61733606daa326cac5 # v2.3.0
+github.com/vdemeester/shakers                       24d7f1d6a71aa5d9cbe7390e4afb66b7eef9e1b3 # v0.1.0
+golang.org/x/net                                    eb5bcb51f2a31c7d5141d810b70815c05d9c9146
+golang.org/x/sys                                    4b34438f7a67ee5f45cc6132e2bad873a20324e9
+github.com/docker/go-units                          47565b4f722fb6ceae66b95f853feed578a4a51c # v0.3.3
+github.com/docker/go-connections                    7395e3f8aa162843a74ed6d48e79627d9792ac55 # v0.4.0
+golang.org/x/text                                   f21a4dfb5e38f5895301dc265a8def02365cc3d0 # v0.3.0
+gotest.tools                                        1083505acf35a0bd8a696b26837e1fb3187a7a83 # v2.3.0
+github.com/google/go-cmp                            3af367b6b30c263d47e8895973edcca9a49cf029 # v0.2.0
+
+github.com/RackSec/srslog                           a4725f04ec91af1a91b380da679d6e0c2f061e59
+github.com/imdario/mergo                            7c29201646fa3de8506f701213473dd407f19646 # v0.3.7
+golang.org/x/sync                                   e225da77a7e68af35c70ccbf71af2b83e6acac3c
 
 # buildkit
-github.com/moby/buildkit b3028967ae6259c9a31c1a1deeccd30fe3469cce
-github.com/tonistiigi/fsutil 3bbb99cdbd76619ab717299830c60f6f2a533a6b
-github.com/grpc-ecosystem/grpc-opentracing 8e809c8a86450a29b90dcc9efbf062d0fe6d9746
-github.com/opentracing/opentracing-go 1361b9cd60be79c4c3a7fa9841b3c132e40066a7
-github.com/google/shlex 6f45313302b9c56850fc17f99e40caebce98c716
-github.com/opentracing-contrib/go-stdlib  b1a47cfbdd7543e70e9ef3e73d0802ad306cc1cc
-github.com/mitchellh/hashstructure 2bca23e0e452137f789efbc8610126fd8b94f73b
-github.com/gofrs/flock 7f43ea2e6a643ad441fc12d0ecc0d3388b300c53 # v0.7.0
+github.com/moby/buildkit                            b3028967ae6259c9a31c1a1deeccd30fe3469cce
+github.com/tonistiigi/fsutil                        3bbb99cdbd76619ab717299830c60f6f2a533a6b
+github.com/grpc-ecosystem/grpc-opentracing          8e809c8a86450a29b90dcc9efbf062d0fe6d9746
+github.com/opentracing/opentracing-go               1361b9cd60be79c4c3a7fa9841b3c132e40066a7
+github.com/google/shlex                             6f45313302b9c56850fc17f99e40caebce98c716
+github.com/opentracing-contrib/go-stdlib            b1a47cfbdd7543e70e9ef3e73d0802ad306cc1cc
+github.com/mitchellh/hashstructure                  2bca23e0e452137f789efbc8610126fd8b94f73b
+github.com/gofrs/flock                              7f43ea2e6a643ad441fc12d0ecc0d3388b300c53 # v0.7.0
 
-#get libnetwork packages
+# libnetwork
 
 # When updating, also update LIBNETWORK_COMMIT in hack/dockerfile/install/proxy.installer accordingly
-github.com/docker/libnetwork ebcade70ad1059b070d0040d798ecca359bc5fed
-github.com/docker/go-events 9461782956ad83b30282bf90e31fa6a70c255ba9
-github.com/armon/go-radix e39d623f12e8e41c7b5529e9a9dd67a1e2261f80
-github.com/armon/go-metrics eb0af217e5e9747e41dd5303755356b62d28e3ec
-github.com/hashicorp/go-msgpack 71c2886f5a673a35f909803f38ece5810165097b
-github.com/hashicorp/memberlist 3d8438da9589e7b608a83ffac1ef8211486bcb7c
-github.com/sean-/seed e2103e2c35297fb7e17febb81e49b312087a2372
-github.com/hashicorp/go-sockaddr 6d291a969b86c4b633730bfc6b8b9d64c3aafed9
-github.com/hashicorp/go-multierror fcdddc395df1ddf4247c69bd436e84cfa0733f7e
-github.com/hashicorp/serf 598c54895cc5a7b1a24a398d635e8c0ea0959870
-github.com/docker/libkv 458977154600b9f23984d9f4b82e79570b5ae12b
-github.com/vishvananda/netns 604eaf189ee867d8c147fafc28def2394e878d25
-github.com/vishvananda/netlink b2de5d10e38ecce8607e6b438b6d174f389a004e
+github.com/docker/libnetwork                        48f846327bbe6a0dce0c556e8dc9f5bb939d5c16
+github.com/docker/go-events                         9461782956ad83b30282bf90e31fa6a70c255ba9
+github.com/armon/go-radix                           e39d623f12e8e41c7b5529e9a9dd67a1e2261f80
+github.com/armon/go-metrics                         eb0af217e5e9747e41dd5303755356b62d28e3ec
+github.com/hashicorp/go-msgpack                     71c2886f5a673a35f909803f38ece5810165097b
+github.com/hashicorp/memberlist                     3d8438da9589e7b608a83ffac1ef8211486bcb7c
+github.com/sean-/seed                               e2103e2c35297fb7e17febb81e49b312087a2372
+github.com/hashicorp/go-sockaddr                    6d291a969b86c4b633730bfc6b8b9d64c3aafed9
+github.com/hashicorp/go-multierror                  fcdddc395df1ddf4247c69bd436e84cfa0733f7e
+github.com/hashicorp/serf                           598c54895cc5a7b1a24a398d635e8c0ea0959870
+github.com/docker/libkv                             458977154600b9f23984d9f4b82e79570b5ae12b
+github.com/vishvananda/netns                        604eaf189ee867d8c147fafc28def2394e878d25
+github.com/vishvananda/netlink                      b2de5d10e38ecce8607e6b438b6d174f389a004e
 
 # When updating, consider updating TOMLV_COMMIT in hack/dockerfile/install/tomlv.installer accordingly
-github.com/BurntSushi/toml 3012a1dbe2e4bd1391d42b32f0577cb7bbc7f005 # v0.3.1
-github.com/samuel/go-zookeeper d0e0d8e11f318e000a8cc434616d69e329edc374
-github.com/deckarep/golang-set ef32fa3046d9f249d399f98ebaf9be944430fd1d
-github.com/coreos/etcd v3.3.9
-github.com/coreos/go-semver v0.2.0
-github.com/ugorji/go v1.1.1
-github.com/hashicorp/consul v0.5.2
-github.com/miekg/dns v1.0.7
-github.com/ishidawataru/sctp 07191f837fedd2f13d1ec7b5f885f0f3ec54b1cb
-go.etcd.io/bbolt v1.3.1-etcd.8
+github.com/BurntSushi/toml                          3012a1dbe2e4bd1391d42b32f0577cb7bbc7f005 # v0.3.1
+github.com/samuel/go-zookeeper                      d0e0d8e11f318e000a8cc434616d69e329edc374
+github.com/deckarep/golang-set                      ef32fa3046d9f249d399f98ebaf9be944430fd1d
+github.com/coreos/etcd                              fca8add78a9d926166eb739b8e4a124434025ba3 # v3.3.9
+github.com/coreos/go-semver                         8ab6407b697782a06568d4b7f1db25550ec2e4c6 # v0.2.0
+github.com/ugorji/go                                b4c50a2b199d93b13dc15e78929cfb23bfdf21ab # v1.1.1
+github.com/hashicorp/consul                         9a9cc9341bb487651a0399e3fc5e1e8a42e62dd9 # v0.5.2
+github.com/miekg/dns                                e57bf427e68187a27e22adceac868350d7a7079b # v1.0.7
+github.com/ishidawataru/sctp                        07191f837fedd2f13d1ec7b5f885f0f3ec54b1cb
+go.etcd.io/bbolt                                    7ee3ded59d4835e10f3e7d0f7603c42aa5e83820 # v1.3.1-etcd.8
 
 # get graph and distribution packages
-github.com/docker/distribution 0d3efadf0154c2b8a4e7b6621fff9809655cc580
-github.com/vbatts/tar-split v0.11.0
-github.com/opencontainers/go-digest v1.0.0-rc1
+github.com/docker/distribution                      0d3efadf0154c2b8a4e7b6621fff9809655cc580
+github.com/vbatts/tar-split                         620714a4c508c880ac1bdda9c8370a2b19af1a55 # v0.11.0
+github.com/opencontainers/go-digest                 279bed98673dd5bef374d3b6e4b09e2af76183bf # v1.0.0-rc1
 
 # get go-zfs packages
-github.com/mistifyio/go-zfs 22c9b32c84eb0d0c6f4043b6e90fc94073de92fa
-github.com/pborman/uuid v1.0
+github.com/mistifyio/go-zfs                         f784269be439d704d3dfa1906f45dd848fed2beb
 
-google.golang.org/grpc v1.12.0
+google.golang.org/grpc                              7a6a684ca69eb4cae85ad0a484f2e531598c047b # v1.12.2
 
 # The version of runc should match the version that is used by the containerd
 # version that is used. If you need to update runc, open a pull request in
 # the containerd project first, and update both after that is merged.
 # This commit does not need to match RUNC_COMMIT as it is used for helper
 # packages but should be newer or equal.
-github.com/opencontainers/runc 2b18fe1d885ee5083ef9f0838fee39b62d653e30
-github.com/opencontainers/runtime-spec 29686dbc5559d93fb1ef402eeda3e35c38d75af4 # v1.0.1-59-g29686db
-github.com/opencontainers/image-spec v1.0.1
-github.com/seccomp/libseccomp-golang 32f571b70023028bd57d9288c20efbcb237f3ce0
+github.com/opencontainers/runc                      029124da7af7360afa781a0234d1b083550f797c # v1.0.0-rc7-6-g029124da
+github.com/opencontainers/runtime-spec              29686dbc5559d93fb1ef402eeda3e35c38d75af4 # v1.0.1-59-g29686db
+github.com/opencontainers/image-spec                d60099175f88c47cd379c4738d158884749ed235 # v1.0.1
+github.com/seccomp/libseccomp-golang                32f571b70023028bd57d9288c20efbcb237f3ce0
 
 # libcontainer deps (see src/github.com/opencontainers/runc/Godeps/Godeps.json)
-github.com/coreos/go-systemd v17
-github.com/godbus/dbus v4.0.0
-github.com/syndtr/gocapability 2c00daeb6c3b45114c80ac44119e7b8801fdd852
-github.com/golang/protobuf v1.2.0
+github.com/coreos/go-systemd                        39ca1b05acc7ad1220e09f133283b8859a8b71ab # v17
+github.com/godbus/dbus                              5f6efc7ef2759c81b7ba876593971bfce311eab3 # v4.0.0
+github.com/syndtr/gocapability                      d98352740cb2c55f81556b63d4a1ec64c5a319c2
+github.com/golang/protobuf                          aa810b61a9c79d51363740d207bb46cf8e620ed5 # v1.2.0
 
 # gelf logging driver deps
-github.com/Graylog2/go-gelf 4143646226541087117ff2f83334ea48b3201841
+github.com/Graylog2/go-gelf                         4143646226541087117ff2f83334ea48b3201841
 
-github.com/fluent/fluent-logger-golang v1.3.0
 # fluent-logger-golang deps
-github.com/philhofer/fwd 98c11a7a6ec829d672b03833c3d69a7fae1ca972
-github.com/tinylib/msgp 3b556c64540842d4f82967be066a7f7fffc3adad
+github.com/fluent/fluent-logger-golang              8bbc2356beaf021b04c9bd5cdc76ea5a7ccb40ec # v1.3.0
+github.com/philhofer/fwd                            bb6d471dc95d4fe11e432687f8b70ff496cf3136 # v1.0.0
+github.com/tinylib/msgp                             3b556c64540842d4f82967be066a7f7fffc3adad
 
 # fsnotify
-github.com/fsnotify/fsnotify v1.4.7
+github.com/fsnotify/fsnotify                        1485a34d5d5723fea214f5710708e19a831720e4 # v1.4.7-11-g1485a34
 
 # awslogs deps
-github.com/aws/aws-sdk-go v1.12.66
-github.com/go-ini/ini v1.25.4
-github.com/jmespath/go-jmespath 0b12d6b521d83fc7f755e7cfc1b1fbdd35a01a74
+github.com/aws/aws-sdk-go                           9ed0c8de252f04ac45a65358377103d5a1aa2d92 # v1.12.66
+github.com/go-ini/ini                               300e940a926eb277d3901b20bdfcc54928ad3642 # v1.25.4
+github.com/jmespath/go-jmespath                     0b12d6b521d83fc7f755e7cfc1b1fbdd35a01a74
 
 # logentries
-github.com/bsphere/le_go 7a984a84b5492ae539b79b62fb4a10afc63c7bcf
+github.com/bsphere/le_go                            7a984a84b5492ae539b79b62fb4a10afc63c7bcf
 
 # gcplogs deps
-golang.org/x/oauth2 ec22f46f877b4505e0117eeaab541714644fdd28
-google.golang.org/api de943baf05a022a8f921b544b7827bacaba1aed5
-go.opencensus.io v0.11.0
-cloud.google.com/go v0.23.0
-github.com/googleapis/gax-go v2.0.0
-google.golang.org/genproto 694d95ba50e67b2e363f3483057db5d4910c18f9
+golang.org/x/oauth2                                 ec22f46f877b4505e0117eeaab541714644fdd28
+google.golang.org/api                               de943baf05a022a8f921b544b7827bacaba1aed5
+go.opencensus.io                                    c3ed530f775d85e577ca652cb052a52c078aad26 # v0.11.0
+cloud.google.com/go                                 0fd7230b2a7505833d5f69b75cbd6c9582401479 # v0.23.0
+github.com/googleapis/gax-go                        317e0006254c44a0ac427cc52a0e083ff0b9622f # v2.0.0
+google.golang.org/genproto                          694d95ba50e67b2e363f3483057db5d4910c18f9
 
 # containerd
-github.com/containerd/containerd ceba56893a76f22cf0126c46d835c80fb3833408
-github.com/containerd/fifo 3d5202aec260678c48179c56f40e6f38a095738c
-github.com/containerd/continuity 004b46473808b3e7a4a3049c20e4376c91eb966d
-github.com/containerd/cgroups 4994991857f9b0ae8dc439551e8bebdbb4bf66c1
-github.com/containerd/console c12b1e7919c14469339a5d38f2f8ed9b64a9de23
-github.com/containerd/go-runc 5a6d9f37cfa36b15efba46dc7ea349fa9b7143c3
-github.com/containerd/typeurl a93fcdb778cd272c6e9b3028b2f42d813e785d40
-github.com/containerd/ttrpc f02858b1457c5ca3aaec3a0803eb0d59f96e41d6
-github.com/gogo/googleapis 08a7655d27152912db7aaf4f983275eaf8d128ef
+github.com/containerd/containerd                    ceba56893a76f22cf0126c46d835c80fb3833408
+github.com/containerd/fifo                          a9fb20d87448d386e6d50b1f2e1fa70dcf0de43c
+github.com/containerd/continuity                    004b46473808b3e7a4a3049c20e4376c91eb966d
+github.com/containerd/cgroups                       4994991857f9b0ae8dc439551e8bebdbb4bf66c1
+github.com/containerd/console                       c12b1e7919c14469339a5d38f2f8ed9b64a9de23
+github.com/containerd/go-runc                       7d11b49dc0769f6dbb0d1b19f3d48524d1bad9ad
+github.com/containerd/typeurl                       2a93cfde8c20b23de8eb84a5adbc234ddf7a9e8d
+github.com/containerd/ttrpc                         f02858b1457c5ca3aaec3a0803eb0d59f96e41d6
+github.com/gogo/googleapis                          08a7655d27152912db7aaf4f983275eaf8d128ef
 
 # cluster
-github.com/docker/swarmkit 18e7e58ea1a5ec016625a636d0d52500eea123bc
-github.com/gogo/protobuf v1.2.0
-github.com/cloudflare/cfssl 1.3.2
-github.com/fernet/fernet-go 1b2437bc582b3cfbb341ee5a29f8ef5b42912ff2
-github.com/google/certificate-transparency-go v1.0.20
-golang.org/x/crypto b7391e95e576cacdcdd422573063bc057239113d
-golang.org/x/time fbb02b2291d28baffd63558aa44b4b56f178d650
-github.com/hashicorp/go-memdb cb9a474f84cc5e41b273b20c6927680b2a8776ad
-github.com/hashicorp/go-immutable-radix 826af9ccf0feeee615d546d69b11f8e98da8c8f1 git://github.com/tonistiigi/go-immutable-radix.git
-github.com/hashicorp/golang-lru 0fb14efe8c47ae851c0034ed7a448854d3d34cf3
-github.com/coreos/pkg v3
-github.com/pivotal-golang/clock 3fd3c1944c59d9742e1cd333672181cd1a6f9fa0
-github.com/prometheus/client_golang v0.8.0
-github.com/beorn7/perks 3a771d992973f24aa725d07868b467d1ddfceaf
-github.com/prometheus/client_model 6f3806018612930941127f2a7c6c453ba2c527d2
-github.com/prometheus/common 7600349dcfe1abd18d72d3a1770870d9800a7801
-github.com/prometheus/procfs 7d6f385de8bea29190f15ba9931442a0eaef9af7
-github.com/matttproud/golang_protobuf_extensions v1.0.0
-github.com/pkg/errors 645ef00459ed84a119197bfb8d8205042c6df63d # v0.8.0
-github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0
+github.com/docker/swarmkit                          59163bf75df38489d4a10392265d27156dc473c5
+github.com/gogo/protobuf                            4cbf7e384e768b4e01799441fdf2a706a5635ae7 # v1.2.0
+github.com/cloudflare/cfssl                         5d63dbd981b5c408effbb58c442d54761ff94fbd # 1.3.2
+github.com/fernet/fernet-go                         1b2437bc582b3cfbb341ee5a29f8ef5b42912ff2
+github.com/google/certificate-transparency-go       37a384cd035e722ea46e55029093e26687138edf # v1.0.20
+golang.org/x/crypto                                 38d8ce5564a5b71b2e3a00553993f1b9a7ae852f
+golang.org/x/time                                   fbb02b2291d28baffd63558aa44b4b56f178d650
+github.com/hashicorp/go-memdb                       cb9a474f84cc5e41b273b20c6927680b2a8776ad
+github.com/hashicorp/go-immutable-radix             826af9ccf0feeee615d546d69b11f8e98da8c8f1 git://github.com/tonistiigi/go-immutable-radix.git
+github.com/hashicorp/golang-lru                     7087cb70de9f7a8bc0a10c375cb0d2280a8edf9c # v0.5.1
+github.com/coreos/pkg                               3ac0863d7acf3bc44daf49afef8919af12f704ef # v3
+code.cloudfoundry.org/clock                         02e53af36e6c978af692887ed449b74026d76fec
+
+# prometheus
+github.com/prometheus/client_golang                 c5b7fccd204277076155f10851dad72b76a49317 # v0.8.0
+github.com/beorn7/perks                             e7f67b54abbeac9c40a31de0f81159e4cafebd6a
+github.com/prometheus/client_model                  6f3806018612930941127f2a7c6c453ba2c527d2
+github.com/prometheus/common                        7600349dcfe1abd18d72d3a1770870d9800a7801
+github.com/prometheus/procfs                        7d6f385de8bea29190f15ba9931442a0eaef9af7
+github.com/matttproud/golang_protobuf_extensions    c12348ce28de40eed0136aa2b644d0ee0650e56c # v1.0.1
+github.com/pkg/errors                               645ef00459ed84a119197bfb8d8205042c6df63d # v0.8.0
+github.com/grpc-ecosystem/go-grpc-prometheus        c225b8c3b01faf2899099b768856a9e916e5087b # v1.2.0
 
 # cli
-github.com/spf13/cobra v0.0.3
-github.com/spf13/pflag v1.0.1
-github.com/inconshreveable/mousetrap 76626ae9c91c4f2a10f34cad8ce83ea42c93bb75 # v1.0
-github.com/morikuni/aec 39771216ff4c63d11f5e604076f9c45e8be1067b
+github.com/spf13/cobra                              ef82de70bb3f60c65fb8eebacbb2d122ef517385 # v0.0.3
+github.com/spf13/pflag                              583c0c0531f06d5278b7d917446061adc344b5cd # v1.0.1
+github.com/inconshreveable/mousetrap                76626ae9c91c4f2a10f34cad8ce83ea42c93bb75 # v1.0.0
+github.com/morikuni/aec                             39771216ff4c63d11f5e604076f9c45e8be1067b
 
 # metrics
-github.com/docker/go-metrics d466d4f6fd960e01820085bd7e1a24426ee7ef18
+github.com/docker/go-metrics                        d466d4f6fd960e01820085bd7e1a24426ee7ef18
 
-github.com/opencontainers/selinux 0bb7b9fa9ba5c1120e9d22caed4961fca4228408 # v1.2.1
+github.com/opencontainers/selinux                   0bb7b9fa9ba5c1120e9d22caed4961fca4228408 # v1.2.1
+
+# DO NOT EDIT BELOW THIS LINE -------- reserved for downstream projects --------

vendor/github.com/docker/swarmkit/vendor.conf

@@ -8,7 +8,7 @@
 # In >=1.11, those errors were brought back but the string had changed again.
 # After updating GRPC, if integration test failures occur, verify that the
 # string matching there is correct.
-google.golang.org/grpc v1.12.0
+google.golang.org/grpc 7a6a684ca69eb4cae85ad0a484f2e531598c047b # v1.12.2
 github.com/gogo/protobuf v1.0.0
 github.com/golang/protobuf v1.1.0
 github.com/matttproud/golang_protobuf_extensions v1.0.0
@@ -39,7 +39,7 @@ github.com/opencontainers/go-digest v1.0.0-rc1
 github.com/opencontainers/image-spec v1.0.1
 github.com/ishidawataru/sctp 07191f837fedd2f13d1ec7b5f885f0f3ec54b1cb
 
-github.com/davecgh/go-spew 346938d642f2ec3594ed81d874461961cd0faa76 # v1.1.0
+github.com/davecgh/go-spew  8991bc29aa16c548c550c7ff78260e27b9ab7c73 # v1.1.1
 github.com/Microsoft/go-winio v0.4.11
 github.com/sirupsen/logrus v1.0.6
 github.com/beorn7/perks 3a771d992973f24aa725d07868b467d1ddfceaf
@@ -52,15 +52,15 @@ github.com/hashicorp/go-memdb cb9a474f84cc5e41b273b20c6927680b2a8776ad
 github.com/hashicorp/golang-lru 0fb14efe8c47ae851c0034ed7a448854d3d34cf3
 github.com/inconshreveable/mousetrap 76626ae9c91c4f2a10f34cad8ce83ea42c93bb75
 github.com/phayes/permbits f7e3ac5e859d0b919c5068d581cc4c5d4f4f9bc5
-github.com/pivotal-golang/clock 3fd3c1944c59d9742e1cd333672181cd1a6f9fa0
+code.cloudfoundry.org/clock 02e53af36e6c978af692887ed449b74026d76fec
 github.com/pkg/errors 645ef00459ed84a119197bfb8d8205042c6df63d
-github.com/pmezard/go-difflib 792786c7400a136282c1664665ae0a8db921c6c2
+github.com/pmezard/go-difflib 792786c7400a136282c1664665ae0a8db921c6c2 # v1.0.0
 github.com/rcrowley/go-metrics 51425a2415d21afadfd55cd93432c0bc69e9598d
 github.com/spf13/cobra 8e91712f174ced10270cf66615e0a9127e7c4de5
 github.com/spf13/pflag 7f60f83a2c81bc3c3c0d5297f61ddfa68da9d3b7
-github.com/stretchr/testify v1.1.4
+github.com/stretchr/testify ffdc059bfe9ce6a4e144ba849dbedead332c6053 # v1.3.0
 go.etcd.io/bbolt v1.3.1-etcd.8
-golang.org/x/crypto 0709b304e793a5edb4a2c0145f281ecdc20838a4
+golang.org/x/crypto b7391e95e576cacdcdd422573063bc057239113d
 golang.org/x/net a680a1efc54dd51c040b3b5ce4939ea3cf2ea0d1
 golang.org/x/sys 90868a75fefd03942536221d7c0e2f84ec62a668
 golang.org/x/text f21a4dfb5e38f5895301dc265a8def02365cc3d0 # v0.3.0

vendor/github.com/flynn-archive/go-shlex/COPYING

@@ -1,202 +0,0 @@
-
-                                 Apache License
-                           Version 2.0, January 2004
-                        http://www.apache.org/licenses/
-
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-   1. Definitions.
-
-      "License" shall mean the terms and conditions for use, reproduction,
-      and distribution as defined by Sections 1 through 9 of this document.
-
-      "Licensor" shall mean the copyright owner or entity authorized by
-      the copyright owner that is granting the License.
-
-      "Legal Entity" shall mean the union of the acting entity and all
-      other entities that control, are controlled by, or are under common
-      control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
-      direction or management of such entity, whether by contract or
-      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-      outstanding shares, or (iii) beneficial ownership of such entity.
-
-      "You" (or "Your") shall mean an individual or Legal Entity
-      exercising permissions granted by this License.
-
-      "Source" form shall mean the preferred form for making modifications,
-      including but not limited to software source code, documentation
-      source, and configuration files.
-
-      "Object" form shall mean any form resulting from mechanical
-      transformation or translation of a Source form, including but
-      not limited to compiled object code, generated documentation,
-      and conversions to other media types.
-
-      "Work" shall mean the work of authorship, whether in Source or
-      Object form, made available under the License, as indicated by a
-      copyright notice that is included in or attached to the work
-      (an example is provided in the Appendix below).
-
-      "Derivative Works" shall mean any work, whether in Source or Object
-      form, that is based on (or derived from) the Work and for which the
-      editorial revisions, annotations, elaborations, or other modifications
-      represent, as a whole, an original work of authorship. For the purposes
-      of this License, Derivative Works shall not include works that remain
-      separable from, or merely link (or bind by name) to the interfaces of,
-      the Work and Derivative Works thereof.
-
-      "Contribution" shall mean any work of authorship, including
-      the original version of the Work and any modifications or additions
-      to that Work or Derivative Works thereof, that is intentionally
-      submitted to Licensor for inclusion in the Work by the copyright owner
-      or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
-      means any form of electronic, verbal, or written communication sent
-      to the Licensor or its representatives, including but not limited to
-      communication on electronic mailing lists, source code control systems,
-      and issue tracking systems that are managed by, or on behalf of, the
-      Licensor for the purpose of discussing and improving the Work, but
-      excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
-
-      "Contributor" shall mean Licensor and any individual or Legal Entity
-      on behalf of whom a Contribution has been received by Licensor and
-      subsequently incorporated within the Work.
-
-   2. Grant of Copyright License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      copyright license to reproduce, prepare Derivative Works of,
-      publicly display, publicly perform, sublicense, and distribute the
-      Work and such Derivative Works in Source or Object form.
-
-   3. Grant of Patent License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      (except as stated in this section) patent license to make, have made,
-      use, offer to sell, sell, import, and otherwise transfer the Work,
-      where such license applies only to those patent claims licensable
-      by such Contributor that are necessarily infringed by their
-      Contribution(s) alone or by combination of their Contribution(s)
-      with the Work to which such Contribution(s) was submitted. If You
-      institute patent litigation against any entity (including a
-      cross-claim or counterclaim in a lawsuit) alleging that the Work
-      or a Contribution incorporated within the Work constitutes direct
-      or contributory patent infringement, then any patent licenses
-      granted to You under this License for that Work shall terminate
-      as of the date such litigation is filed.
-
-   4. Redistribution. You may reproduce and distribute copies of the
-      Work or Derivative Works thereof in any medium, with or without
-      modifications, and in Source or Object form, provided that You
-      meet the following conditions:
-
-      (a) You must give any other recipients of the Work or
-          Derivative Works a copy of this License; and
-
-      (b) You must cause any modified files to carry prominent notices
-          stating that You changed the files; and
-
-      (c) You must retain, in the Source form of any Derivative Works
-          that You distribute, all copyright, patent, trademark, and
-          attribution notices from the Source form of the Work,
-          excluding those notices that do not pertain to any part of
-          the Derivative Works; and
-
-      (d) If the Work includes a "NOTICE" text file as part of its
-          distribution, then any Derivative Works that You distribute must
-          include a readable copy of the attribution notices contained
-          within such NOTICE file, excluding those notices that do not
-          pertain to any part of the Derivative Works, in at least one
-          of the following places: within a NOTICE text file distributed
-          as part of the Derivative Works; within the Source form or
-          documentation, if provided along with the Derivative Works; or,
-          within a display generated by the Derivative Works, if and
-          wherever such third-party notices normally appear. The contents
-          of the NOTICE file are for informational purposes only and
-          do not modify the License. You may add Your own attribution
-          notices within Derivative Works that You distribute, alongside
-          or as an addendum to the NOTICE text from the Work, provided
-          that such additional attribution notices cannot be construed
-          as modifying the License.
-
-      You may add Your own copyright statement to Your modifications and
-      may provide additional or different license terms and conditions
-      for use, reproduction, or distribution of Your modifications, or
-      for any such Derivative Works as a whole, provided Your use,
-      reproduction, and distribution of the Work otherwise complies with
-      the conditions stated in this License.
-
-   5. Submission of Contributions. Unless You explicitly state otherwise,
-      any Contribution intentionally submitted for inclusion in the Work
-      by You to the Licensor shall be under the terms and conditions of
-      this License, without any additional terms or conditions.
-      Notwithstanding the above, nothing herein shall supersede or modify
-      the terms of any separate license agreement you may have executed
-      with Licensor regarding such Contributions.
-
-   6. Trademarks. This License does not grant permission to use the trade
-      names, trademarks, service marks, or product names of the Licensor,
-      except as required for reasonable and customary use in describing the
-      origin of the Work and reproducing the content of the NOTICE file.
-
-   7. Disclaimer of Warranty. Unless required by applicable law or
-      agreed to in writing, Licensor provides the Work (and each
-      Contributor provides its Contributions) on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-      implied, including, without limitation, any warranties or conditions
-      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-      PARTICULAR PURPOSE. You are solely responsible for determining the
-      appropriateness of using or redistributing the Work and assume any
-      risks associated with Your exercise of permissions under this License.
-
-   8. Limitation of Liability. In no event and under no legal theory,
-      whether in tort (including negligence), contract, or otherwise,
-      unless required by applicable law (such as deliberate and grossly
-      negligent acts) or agreed to in writing, shall any Contributor be
-      liable to You for damages, including any direct, indirect, special,
-      incidental, or consequential damages of any character arising as a
-      result of this License or out of the use or inability to use the
-      Work (including but not limited to damages for loss of goodwill,
-      work stoppage, computer failure or malfunction, or any and all
-      other commercial damages or losses), even if such Contributor
-      has been advised of the possibility of such damages.
-
-   9. Accepting Warranty or Additional Liability. While redistributing
-      the Work or Derivative Works thereof, You may choose to offer,
-      and charge a fee for, acceptance of support, warranty, indemnity,
-      or other liability obligations and/or rights consistent with this
-      License. However, in accepting such obligations, You may act only
-      on Your own behalf and on Your sole responsibility, not on behalf
-      of any other Contributor, and only if You agree to indemnify,
-      defend, and hold each Contributor harmless for any liability
-      incurred by, or claims asserted against, such Contributor by reason
-      of your accepting any such warranty or additional liability.
-
-   END OF TERMS AND CONDITIONS
-
-   APPENDIX: How to apply the Apache License to your work.
-
-      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "[]"
-      replaced with your own identifying information. (Don't include
-      the brackets!)  The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
-      identification within third-party archives.
-
-   Copyright [yyyy] [name of copyright owner]
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.

vendor/github.com/flynn-archive/go-shlex/README.md

@@ -1,2 +0,0 @@
-go-shlex is a simple lexer for go that supports shell-style quoting,
-commenting, and escaping.

vendor/github.com/flynn-archive/go-shlex/shlex.go

@@ -1,457 +0,0 @@
-/*
-Copyright 2012 Google Inc. All Rights Reserved.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package shlex
-
-/*
-Package shlex implements a simple lexer which splits input in to tokens using
-shell-style rules for quoting and commenting.
-*/
-import (
-	"bufio"
-	"errors"
-	"fmt"
-	"io"
-	"strings"
-)
-
-/*
-A TokenType is a top-level token; a word, space, comment, unknown.
-*/
-type TokenType int
-
-/*
-A RuneTokenType is the type of a UTF-8 character; a character, quote, space, escape.
-*/
-type RuneTokenType int
-
-type lexerState int
-
-type Token struct {
-	tokenType TokenType
-	value     string
-}
-
-/*
-Two tokens are equal if both their types and values are equal. A nil token can
-never equal another token.
-*/
-func (a *Token) Equal(b *Token) bool {
-	if a == nil || b == nil {
-		return false
-	}
-	if a.tokenType != b.tokenType {
-		return false
-	}
-	return a.value == b.value
-}
-
-const (
-	RUNE_CHAR              string = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-,/@$*()+=><:;&^%~|!?[]{}"
-	RUNE_SPACE             string = " \t\r\n"
-	RUNE_ESCAPING_QUOTE    string = "\""
-	RUNE_NONESCAPING_QUOTE string = "'"
-	RUNE_ESCAPE                   = "\\"
-	RUNE_COMMENT                  = "#"
-
-	RUNETOKEN_UNKNOWN           RuneTokenType = 0
-	RUNETOKEN_CHAR              RuneTokenType = 1
-	RUNETOKEN_SPACE             RuneTokenType = 2
-	RUNETOKEN_ESCAPING_QUOTE    RuneTokenType = 3
-	RUNETOKEN_NONESCAPING_QUOTE RuneTokenType = 4
-	RUNETOKEN_ESCAPE            RuneTokenType = 5
-	RUNETOKEN_COMMENT           RuneTokenType = 6
-	RUNETOKEN_EOF               RuneTokenType = 7
-
-	TOKEN_UNKNOWN TokenType = 0
-	TOKEN_WORD    TokenType = 1
-	TOKEN_SPACE   TokenType = 2
-	TOKEN_COMMENT TokenType = 3
-
-	STATE_START           lexerState = 0
-	STATE_INWORD          lexerState = 1
-	STATE_ESCAPING        lexerState = 2
-	STATE_ESCAPING_QUOTED lexerState = 3
-	STATE_QUOTED_ESCAPING lexerState = 4
-	STATE_QUOTED          lexerState = 5
-	STATE_COMMENT         lexerState = 6
-
-	INITIAL_TOKEN_CAPACITY int = 100
-)
-
-/*
-A type for classifying characters. This allows for different sorts of
-classifiers - those accepting extended non-ascii chars, or strict posix
-compatibility, for example.
-*/
-type TokenClassifier struct {
-	typeMap map[int32]RuneTokenType
-}
-
-func addRuneClass(typeMap *map[int32]RuneTokenType, runes string, tokenType RuneTokenType) {
-	for _, rune := range runes {
-		(*typeMap)[int32(rune)] = tokenType
-	}
-}
-
-/*
-Create a new classifier for basic ASCII characters.
-*/
-func NewDefaultClassifier() *TokenClassifier {
-	typeMap := map[int32]RuneTokenType{}
-	addRuneClass(&typeMap, RUNE_CHAR, RUNETOKEN_CHAR)
-	addRuneClass(&typeMap, RUNE_SPACE, RUNETOKEN_SPACE)
-	addRuneClass(&typeMap, RUNE_ESCAPING_QUOTE, RUNETOKEN_ESCAPING_QUOTE)
-	addRuneClass(&typeMap, RUNE_NONESCAPING_QUOTE, RUNETOKEN_NONESCAPING_QUOTE)
-	addRuneClass(&typeMap, RUNE_ESCAPE, RUNETOKEN_ESCAPE)
-	addRuneClass(&typeMap, RUNE_COMMENT, RUNETOKEN_COMMENT)
-	return &TokenClassifier{
-		typeMap: typeMap}
-}
-
-func (classifier *TokenClassifier) ClassifyRune(rune int32) RuneTokenType {
-	return classifier.typeMap[rune]
-}
-
-/*
-A type for turning an input stream in to a sequence of strings. Whitespace and
-comments are skipped.
-*/
-type Lexer struct {
-	tokenizer *Tokenizer
-}
-
-/*
-Create a new lexer.
-*/
-func NewLexer(r io.Reader) (*Lexer, error) {
-
-	tokenizer, err := NewTokenizer(r)
-	if err != nil {
-		return nil, err
-	}
-	lexer := &Lexer{tokenizer: tokenizer}
-	return lexer, nil
-}
-
-/*
-Return the next word, and an error value. If there are no more words, the error
-will be io.EOF.
-*/
-func (l *Lexer) NextWord() (string, error) {
-	var token *Token
-	var err error
-	for {
-		token, err = l.tokenizer.NextToken()
-		if err != nil {
-			return "", err
-		}
-		switch token.tokenType {
-		case TOKEN_WORD:
-			{
-				return token.value, nil
-			}
-		case TOKEN_COMMENT:
-			{
-				// skip comments
-			}
-		default:
-			{
-				panic(fmt.Sprintf("Unknown token type: %v", token.tokenType))
-			}
-		}
-	}
-	return "", io.EOF
-}
-
-/*
-A type for turning an input stream in to a sequence of typed tokens.
-*/
-type Tokenizer struct {
-	input      *bufio.Reader
-	classifier *TokenClassifier
-}
-
-/*
-Create a new tokenizer.
-*/
-func NewTokenizer(r io.Reader) (*Tokenizer, error) {
-	input := bufio.NewReader(r)
-	classifier := NewDefaultClassifier()
-	tokenizer := &Tokenizer{
-		input:      input,
-		classifier: classifier}
-	return tokenizer, nil
-}
-
-/*
-Scan the stream for the next token.
-
-This uses an internal state machine. It will panic if it encounters a character
-which it does not know how to handle.
-*/
-func (t *Tokenizer) scanStream() (*Token, error) {
-	state := STATE_START
-	var tokenType TokenType
-	value := make([]int32, 0, INITIAL_TOKEN_CAPACITY)
-	var (
-		nextRune     int32
-		nextRuneType RuneTokenType
-		err          error
-	)
-SCAN:
-	for {
-		nextRune, _, err = t.input.ReadRune()
-		nextRuneType = t.classifier.ClassifyRune(nextRune)
-		if err != nil {
-			if err == io.EOF {
-				nextRuneType = RUNETOKEN_EOF
-				err = nil
-			} else {
-				return nil, err
-			}
-		}
-		switch state {
-		case STATE_START: // no runes read yet
-			{
-				switch nextRuneType {
-				case RUNETOKEN_EOF:
-					{
-						return nil, io.EOF
-					}
-				case RUNETOKEN_CHAR:
-					{
-						tokenType = TOKEN_WORD
-						value = append(value, nextRune)
-						state = STATE_INWORD
-					}
-				case RUNETOKEN_SPACE:
-					{
-					}
-				case RUNETOKEN_ESCAPING_QUOTE:
-					{
-						tokenType = TOKEN_WORD
-						state = STATE_QUOTED_ESCAPING
-					}
-				case RUNETOKEN_NONESCAPING_QUOTE:
-					{
-						tokenType = TOKEN_WORD
-						state = STATE_QUOTED
-					}
-				case RUNETOKEN_ESCAPE:
-					{
-						tokenType = TOKEN_WORD
-						state = STATE_ESCAPING
-					}
-				case RUNETOKEN_COMMENT:
-					{
-						tokenType = TOKEN_COMMENT
-						state = STATE_COMMENT
-					}
-				default:
-					{
-						return nil, errors.New(fmt.Sprintf("Unknown rune: %v", nextRune))
-					}
-				}
-			}
-		case STATE_INWORD: // in a regular word
-			{
-				switch nextRuneType {
-				case RUNETOKEN_EOF:
-					{
-						break SCAN
-					}
-				case RUNETOKEN_CHAR, RUNETOKEN_COMMENT:
-					{
-						value = append(value, nextRune)
-					}
-				case RUNETOKEN_SPACE:
-					{
-						t.input.UnreadRune()
-						break SCAN
-					}
-				case RUNETOKEN_ESCAPING_QUOTE:
-					{
-						state = STATE_QUOTED_ESCAPING
-					}
-				case RUNETOKEN_NONESCAPING_QUOTE:
-					{
-						state = STATE_QUOTED
-					}
-				case RUNETOKEN_ESCAPE:
-					{
-						state = STATE_ESCAPING
-					}
-				default:
-					{
-						return nil, errors.New(fmt.Sprintf("Uknown rune: %v", nextRune))
-					}
-				}
-			}
-		case STATE_ESCAPING: // the next rune after an escape character
-			{
-				switch nextRuneType {
-				case RUNETOKEN_EOF:
-					{
-						err = errors.New("EOF found after escape character")
-						break SCAN
-					}
-				case RUNETOKEN_CHAR, RUNETOKEN_SPACE, RUNETOKEN_ESCAPING_QUOTE, RUNETOKEN_NONESCAPING_QUOTE, RUNETOKEN_ESCAPE, RUNETOKEN_COMMENT:
-					{
-						state = STATE_INWORD
-						value = append(value, nextRune)
-					}
-				default:
-					{
-						return nil, errors.New(fmt.Sprintf("Uknown rune: %v", nextRune))
-					}
-				}
-			}
-		case STATE_ESCAPING_QUOTED: // the next rune after an escape character, in double quotes
-			{
-				switch nextRuneType {
-				case RUNETOKEN_EOF:
-					{
-						err = errors.New("EOF found after escape character")
-						break SCAN
-					}
-				case RUNETOKEN_CHAR, RUNETOKEN_SPACE, RUNETOKEN_ESCAPING_QUOTE, RUNETOKEN_NONESCAPING_QUOTE, RUNETOKEN_ESCAPE, RUNETOKEN_COMMENT:
-					{
-						state = STATE_QUOTED_ESCAPING
-						value = append(value, nextRune)
-					}
-				default:
-					{
-						return nil, errors.New(fmt.Sprintf("Uknown rune: %v", nextRune))
-					}
-				}
-			}
-		case STATE_QUOTED_ESCAPING: // in escaping double quotes
-			{
-				switch nextRuneType {
-				case RUNETOKEN_EOF:
-					{
-						err = errors.New("EOF found when expecting closing quote.")
-						break SCAN
-					}
-				case RUNETOKEN_CHAR, RUNETOKEN_UNKNOWN, RUNETOKEN_SPACE, RUNETOKEN_NONESCAPING_QUOTE, RUNETOKEN_COMMENT:
-					{
-						value = append(value, nextRune)
-					}
-				case RUNETOKEN_ESCAPING_QUOTE:
-					{
-						state = STATE_INWORD
-					}
-				case RUNETOKEN_ESCAPE:
-					{
-						state = STATE_ESCAPING_QUOTED
-					}
-				default:
-					{
-						return nil, errors.New(fmt.Sprintf("Uknown rune: %v", nextRune))
-					}
-				}
-			}
-		case STATE_QUOTED: // in non-escaping single quotes
-			{
-				switch nextRuneType {
-				case RUNETOKEN_EOF:
-					{
-						err = errors.New("EOF found when expecting closing quote.")
-						break SCAN
-					}
-				case RUNETOKEN_CHAR, RUNETOKEN_UNKNOWN, RUNETOKEN_SPACE, RUNETOKEN_ESCAPING_QUOTE, RUNETOKEN_ESCAPE, RUNETOKEN_COMMENT:
-					{
-						value = append(value, nextRune)
-					}
-				case RUNETOKEN_NONESCAPING_QUOTE:
-					{
-						state = STATE_INWORD
-					}
-				default:
-					{
-						return nil, errors.New(fmt.Sprintf("Uknown rune: %v", nextRune))
-					}
-				}
-			}
-		case STATE_COMMENT:
-			{
-				switch nextRuneType {
-				case RUNETOKEN_EOF:
-					{
-						break SCAN
-					}
-				case RUNETOKEN_CHAR, RUNETOKEN_UNKNOWN, RUNETOKEN_ESCAPING_QUOTE, RUNETOKEN_ESCAPE, RUNETOKEN_COMMENT, RUNETOKEN_NONESCAPING_QUOTE:
-					{
-						value = append(value, nextRune)
-					}
-				case RUNETOKEN_SPACE:
-					{
-						if nextRune == '\n' {
-							state = STATE_START
-							break SCAN
-						} else {
-							value = append(value, nextRune)
-						}
-					}
-				default:
-					{
-						return nil, errors.New(fmt.Sprintf("Uknown rune: %v", nextRune))
-					}
-				}
-			}
-		default:
-			{
-				panic(fmt.Sprintf("Unexpected state: %v", state))
-			}
-		}
-	}
-	token := &Token{
-		tokenType: tokenType,
-		value:     string(value)}
-	return token, err
-}
-
-/*
-Return the next token in the stream, and an error value. If there are no more
-tokens available, the error value will be io.EOF.
-*/
-func (t *Tokenizer) NextToken() (*Token, error) {
-	return t.scanStream()
-}
-
-/*
-Split a string in to a slice of strings, based upon shell-style rules for
-quoting, escaping, and spaces.
-*/
-func Split(s string) ([]string, error) {
-	l, err := NewLexer(strings.NewReader(s))
-	if err != nil {
-		return nil, err
-	}
-	subStrings := []string{}
-	for {
-		word, err := l.NextWord()
-		if err != nil {
-			if err == io.EOF {
-				return subStrings, nil
-			}
-			return subStrings, err
-		}
-		subStrings = append(subStrings, word)
-	}
-	return subStrings, nil
-}

vendor/github.com/google/shlex/shlex.go

@@ -253,7 +253,6 @@ func (t *Tokenizer) scanStream() (*Token, error) {
 					}
 				case spaceRuneClass:
 					{
-						t.input.UnreadRune()
 						token := &Token{
 							tokenType: tokenType,
 							value:     string(value)}

vendor/github.com/konsorten/go-windows-terminal-sequences/README.md

@@ -26,6 +26,7 @@ The tool is sponsored by the [marvin + konsorten GmbH](http://www.konsorten.de).
 We thank all the authors who provided code to this library:
 
 * Felix Kollmann
+* Nicolas Perraut
 
 ## License
 

vendor/github.com/konsorten/go-windows-terminal-sequences/sequences_dummy.go

@@ -0,0 +1,11 @@
+// +build linux darwin
+
+package sequences
+
+import (
+	"fmt"
+)
+
+func EnableVirtualTerminalProcessing(stream uintptr, enable bool) error {
+	return fmt.Errorf("windows only package")
+}

vendor/github.com/opencontainers/runc/libcontainer/nsenter/cloned_binary.c

@@ -249,7 +249,7 @@ static int make_execfd(int *fdtype)
 {
 	int fd = -1;
 	char template[PATH_MAX] = {0};
-	char *prefix = secure_getenv("_LIBCONTAINER_STATEDIR");
+	char *prefix = getenv("_LIBCONTAINER_STATEDIR");
 
 	if (!prefix || *prefix != '/')
 		prefix = "/tmp";
@@ -351,7 +351,7 @@ static int try_bindfd(void)
 {
 	int fd, ret = -1;
 	char template[PATH_MAX] = {0};
-	char *prefix = secure_getenv("_LIBCONTAINER_STATEDIR");
+	char *prefix = getenv("_LIBCONTAINER_STATEDIR");
 
 	if (!prefix || *prefix != '/')
 		prefix = "/tmp";

vendor/github.com/opencontainers/runc/vendor.conf

@@ -5,7 +5,7 @@ github.com/opencontainers/runtime-spec 29686dbc5559d93fb1ef402eeda3e35c38d75af4
 # Core libcontainer functionality.
 github.com/checkpoint-restore/go-criu v3.11
 github.com/mrunalp/fileutils ed869b029674c0e9ce4c0dfa781405c2d9946d08
-github.com/opencontainers/selinux v1.0.0-rc1
+github.com/opencontainers/selinux v1.2.1
 github.com/seccomp/libseccomp-golang 84e90a91acea0f4e51e62bc1a75de18b1fc0790f
 github.com/sirupsen/logrus a3f95b5c423586578a4e099b11a46c2479628cac
 github.com/syndtr/gocapability db04d3cc01c8b54962a58ec7e491717d06cfcc16

vendor/github.com/syndtr/gocapability/capability/capability.go

@@ -10,42 +10,42 @@ package capability
 type Capabilities interface {
 	// Get check whether a capability present in the given
 	// capabilities set. The 'which' value should be one of EFFECTIVE,
-	// PERMITTED, INHERITABLE or BOUNDING.
+	// PERMITTED, INHERITABLE, BOUNDING or AMBIENT.
 	Get(which CapType, what Cap) bool
 
 	// Empty check whether all capability bits of the given capabilities
 	// set are zero. The 'which' value should be one of EFFECTIVE,
-	// PERMITTED, INHERITABLE or BOUNDING.
+	// PERMITTED, INHERITABLE, BOUNDING or AMBIENT.
 	Empty(which CapType) bool
 
 	// Full check whether all capability bits of the given capabilities
 	// set are one. The 'which' value should be one of EFFECTIVE,
-	// PERMITTED, INHERITABLE or BOUNDING.
+	// PERMITTED, INHERITABLE, BOUNDING or AMBIENT.
 	Full(which CapType) bool
 
 	// Set sets capabilities of the given capabilities sets. The
 	// 'which' value should be one or combination (OR'ed) of EFFECTIVE,
-	// PERMITTED, INHERITABLE or BOUNDING.
+	// PERMITTED, INHERITABLE, BOUNDING or AMBIENT.
 	Set(which CapType, caps ...Cap)
 
 	// Unset unsets capabilities of the given capabilities sets. The
 	// 'which' value should be one or combination (OR'ed) of EFFECTIVE,
-	// PERMITTED, INHERITABLE or BOUNDING.
+	// PERMITTED, INHERITABLE, BOUNDING or AMBIENT.
 	Unset(which CapType, caps ...Cap)
 
 	// Fill sets all bits of the given capabilities kind to one. The
-	// 'kind' value should be one or combination (OR'ed) of CAPS or
-	// BOUNDS.
+	// 'kind' value should be one or combination (OR'ed) of CAPS,
+	// BOUNDS or AMBS.
 	Fill(kind CapType)
 
 	// Clear sets all bits of the given capabilities kind to zero. The
-	// 'kind' value should be one or combination (OR'ed) of CAPS or
-	// BOUNDS.
+	// 'kind' value should be one or combination (OR'ed) of CAPS,
+	// BOUNDS or AMBS.
 	Clear(kind CapType)
 
 	// String return current capabilities state of the given capabilities
 	// set as string. The 'which' value should be one of EFFECTIVE,
-	// PERMITTED, INHERITABLE or BOUNDING.
+	// PERMITTED, INHERITABLE BOUNDING or AMBIENT
 	StringCap(which CapType) string
 
 	// String return current capabilities state as string.
@@ -60,13 +60,74 @@ type Capabilities interface {
 	Apply(kind CapType) error
 }
 
-// NewPid create new initialized Capabilities object for given pid when it
-// is nonzero, or for the current pid if pid is 0
+// NewPid initializes a new Capabilities object for given pid when
+// it is nonzero, or for the current process if pid is 0.
+//
+// Deprecated: Replace with NewPid2.  For example, replace:
+//
+//    c, err := NewPid(0)
+//    if err != nil {
+//      return err
+//    }
+//
+// with:
+//
+//    c, err := NewPid2(0)
+//    if err != nil {
+//      return err
+//    }
+//    err = c.Load()
+//    if err != nil {
+//      return err
+//    }
 func NewPid(pid int) (Capabilities, error) {
+	c, err := newPid(pid)
+	if err != nil {
+		return c, err
+	}
+	err = c.Load()
+	return c, err
+}
+
+// NewPid2 initializes a new Capabilities object for given pid when
+// it is nonzero, or for the current process if pid is 0.  This
+// does not load the process's current capabilities; to do that you
+// must call Load explicitly.
+func NewPid2(pid int) (Capabilities, error) {
 	return newPid(pid)
 }
 
-// NewFile create new initialized Capabilities object for given named file.
-func NewFile(name string) (Capabilities, error) {
-	return newFile(name)
+// NewFile initializes a new Capabilities object for given file path.
+//
+// Deprecated: Replace with NewFile2.  For example, replace:
+//
+//    c, err := NewFile(path)
+//    if err != nil {
+//      return err
+//    }
+//
+// with:
+//
+//    c, err := NewFile2(path)
+//    if err != nil {
+//      return err
+//    }
+//    err = c.Load()
+//    if err != nil {
+//      return err
+//    }
+func NewFile(path string) (Capabilities, error) {
+	c, err := newFile(path)
+	if err != nil {
+		return c, err
+	}
+	err = c.Load()
+	return c, err
+}
+
+// NewFile2 creates a new initialized Capabilities object for given
+// file path.  This does not load the process's current capabilities;
+// to do that you must call Load explicitly.
+func NewFile2(path string) (Capabilities, error) {
+	return newFile(path)
 }

vendor/github.com/syndtr/gocapability/capability/capability_linux.go

@@ -103,21 +103,17 @@ func newPid(pid int) (c Capabilities, err error) {
 	case linuxCapVer1:
 		p := new(capsV1)
 		p.hdr.version = capVers
-		p.hdr.pid = pid
+		p.hdr.pid = int32(pid)
 		c = p
 	case linuxCapVer2, linuxCapVer3:
 		p := new(capsV3)
 		p.hdr.version = capVers
-		p.hdr.pid = pid
+		p.hdr.pid = int32(pid)
 		c = p
 	default:
 		err = errUnknownVers
 		return
 	}
-	err = c.Load()
-	if err != nil {
-		c = nil
-	}
 	return
 }
 
@@ -235,9 +231,10 @@ func (c *capsV1) Apply(kind CapType) error {
 }
 
 type capsV3 struct {
-	hdr    capHeader
-	data   [2]capData
-	bounds [2]uint32
+	hdr     capHeader
+	data    [2]capData
+	bounds  [2]uint32
+	ambient [2]uint32
 }
 
 func (c *capsV3) Get(which CapType, what Cap) bool {
@@ -256,6 +253,8 @@ func (c *capsV3) Get(which CapType, what Cap) bool {
 		return (1<<uint(what))&c.data[i].inheritable != 0
 	case BOUNDING:
 		return (1<<uint(what))&c.bounds[i] != 0
+	case AMBIENT:
+		return (1<<uint(what))&c.ambient[i] != 0
 	}
 
 	return false
@@ -275,6 +274,9 @@ func (c *capsV3) getData(which CapType, dest []uint32) {
 	case BOUNDING:
 		dest[0] = c.bounds[0]
 		dest[1] = c.bounds[1]
+	case AMBIENT:
+		dest[0] = c.ambient[0]
+		dest[1] = c.ambient[1]
 	}
 }
 
@@ -313,6 +315,9 @@ func (c *capsV3) Set(which CapType, caps ...Cap) {
 		if which&BOUNDING != 0 {
 			c.bounds[i] |= 1 << uint(what)
 		}
+		if which&AMBIENT != 0 {
+			c.ambient[i] |= 1 << uint(what)
+		}
 	}
 }
 
@@ -336,6 +341,9 @@ func (c *capsV3) Unset(which CapType, caps ...Cap) {
 		if which&BOUNDING != 0 {
 			c.bounds[i] &= ^(1 << uint(what))
 		}
+		if which&AMBIENT != 0 {
+			c.ambient[i] &= ^(1 << uint(what))
+		}
 	}
 }
 
@@ -353,6 +361,10 @@ func (c *capsV3) Fill(kind CapType) {
 		c.bounds[0] = 0xffffffff
 		c.bounds[1] = 0xffffffff
 	}
+	if kind&AMBS == AMBS {
+		c.ambient[0] = 0xffffffff
+		c.ambient[1] = 0xffffffff
+	}
 }
 
 func (c *capsV3) Clear(kind CapType) {
@@ -369,6 +381,10 @@ func (c *capsV3) Clear(kind CapType) {
 		c.bounds[0] = 0
 		c.bounds[1] = 0
 	}
+	if kind&AMBS == AMBS {
+		c.ambient[0] = 0
+		c.ambient[1] = 0
+	}
 }
 
 func (c *capsV3) StringCap(which CapType) (ret string) {
@@ -408,7 +424,11 @@ func (c *capsV3) Load() (err error) {
 		}
 		if strings.HasPrefix(line, "CapB") {
 			fmt.Sscanf(line[4:], "nd:  %08x%08x", &c.bounds[1], &c.bounds[0])
-			break
+			continue
+		}
+		if strings.HasPrefix(line, "CapA") {
+			fmt.Sscanf(line[4:], "mb:  %08x%08x", &c.ambient[1], &c.ambient[0])
+			continue
 		}
 	}
 	f.Close()
@@ -442,7 +462,25 @@ func (c *capsV3) Apply(kind CapType) (err error) {
 	}
 
 	if kind&CAPS == CAPS {
-		return capset(&c.hdr, &c.data[0])
+		err = capset(&c.hdr, &c.data[0])
+		if err != nil {
+			return
+		}
+	}
+
+	if kind&AMBS == AMBS {
+		for i := Cap(0); i <= CAP_LAST_CAP; i++ {
+			action := pr_CAP_AMBIENT_LOWER
+			if c.Get(AMBIENT, i) {
+				action = pr_CAP_AMBIENT_RAISE
+			}
+			err := prctl(pr_CAP_AMBIENT, action, uintptr(i), 0, 0)
+			// Ignore EINVAL as not supported on kernels before 4.3
+			if errno, ok := err.(syscall.Errno); ok && errno == syscall.EINVAL {
+				err = nil
+				continue
+			}
+		}
 	}
 
 	return
@@ -450,10 +488,6 @@ func (c *capsV3) Apply(kind CapType) (err error) {
 
 func newFile(path string) (c Capabilities, err error) {
 	c = &capsFile{path: path}
-	err = c.Load()
-	if err != nil {
-		c = nil
-	}
 	return
 }
 

vendor/github.com/syndtr/gocapability/capability/enum.go

@@ -20,6 +20,8 @@ func (c CapType) String() string {
 		return "bounding"
 	case CAPS:
 		return "caps"
+	case AMBIENT:
+		return "ambient"
 	}
 	return "unknown"
 }
@@ -29,9 +31,11 @@ const (
 	PERMITTED
 	INHERITABLE
 	BOUNDING
+	AMBIENT
 
 	CAPS   = EFFECTIVE | PERMITTED | INHERITABLE
 	BOUNDS = BOUNDING
+	AMBS   = AMBIENT
 )
 
 //go:generate go run enumgen/gen.go

vendor/github.com/syndtr/gocapability/capability/syscall_linux.go

@@ -13,7 +13,7 @@ import (
 
 type capHeader struct {
 	version uint32
-	pid     int
+	pid     int32
 }
 
 type capData struct {
@@ -38,6 +38,15 @@ func capset(hdr *capHeader, data *capData) (err error) {
 	return
 }
 
+// not yet in syscall
+const (
+	pr_CAP_AMBIENT           = 47
+	pr_CAP_AMBIENT_IS_SET    = uintptr(1)
+	pr_CAP_AMBIENT_RAISE     = uintptr(2)
+	pr_CAP_AMBIENT_LOWER     = uintptr(3)
+	pr_CAP_AMBIENT_CLEAR_ALL = uintptr(4)
+)
+
 func prctl(option int, arg2, arg3, arg4, arg5 uintptr) (err error) {
 	_, _, e1 := syscall.Syscall6(syscall.SYS_PRCTL, uintptr(option), arg2, arg3, arg4, arg5, 0)
 	if e1 != 0 {

vendor/golang.org/x/crypto/ssh/terminal/terminal.go

@@ -7,6 +7,7 @@ package terminal
 import (
 	"bytes"
 	"io"
+	"strconv"
 	"sync"
 	"unicode/utf8"
 )
@@ -271,34 +272,44 @@ func (t *Terminal) moveCursorToPos(pos int) {
 }
 
 func (t *Terminal) move(up, down, left, right int) {
-	movement := make([]rune, 3*(up+down+left+right))
-	m := movement
-	for i := 0; i < up; i++ {
-		m[0] = keyEscape
-		m[1] = '['
-		m[2] = 'A'
-		m = m[3:]
-	}
-	for i := 0; i < down; i++ {
-		m[0] = keyEscape
-		m[1] = '['
-		m[2] = 'B'
-		m = m[3:]
-	}
-	for i := 0; i < left; i++ {
-		m[0] = keyEscape
-		m[1] = '['
-		m[2] = 'D'
-		m = m[3:]
-	}
-	for i := 0; i < right; i++ {
-		m[0] = keyEscape
-		m[1] = '['
-		m[2] = 'C'
-		m = m[3:]
+	m := []rune{}
+
+	// 1 unit up can be expressed as ^[[A or ^[A
+	// 5 units up can be expressed as ^[[5A
+
+	if up == 1 {
+		m = append(m, keyEscape, '[', 'A')
+	} else if up > 1 {
+		m = append(m, keyEscape, '[')
+		m = append(m, []rune(strconv.Itoa(up))...)
+		m = append(m, 'A')
 	}
 
-	t.queue(movement)
+	if down == 1 {
+		m = append(m, keyEscape, '[', 'B')
+	} else if down > 1 {
+		m = append(m, keyEscape, '[')
+		m = append(m, []rune(strconv.Itoa(down))...)
+		m = append(m, 'B')
+	}
+
+	if right == 1 {
+		m = append(m, keyEscape, '[', 'C')
+	} else if right > 1 {
+		m = append(m, keyEscape, '[')
+		m = append(m, []rune(strconv.Itoa(right))...)
+		m = append(m, 'C')
+	}
+
+	if left == 1 {
+		m = append(m, keyEscape, '[', 'D')
+	} else if left > 1 {
+		m = append(m, keyEscape, '[')
+		m = append(m, []rune(strconv.Itoa(left))...)
+		m = append(m, 'D')
+	}
+
+	t.queue(m)
 }
 
 func (t *Terminal) clearLineToRight() {

vendor/golang.org/x/net/context/ctxhttp/ctxhttp.go

@@ -2,18 +2,15 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// +build go1.7
-
 // Package ctxhttp provides helper functions for performing context-aware HTTP requests.
 package ctxhttp // import "golang.org/x/net/context/ctxhttp"
 
 import (
+	"context"
 	"io"
 	"net/http"
 	"net/url"
 	"strings"
-
-	"golang.org/x/net/context"
 )
 
 // Do sends an HTTP request with the provided http.Client and returns